diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
index da5f0f51..9c873a07 100755
--- a/.claude/CLAUDE.md
+++ b/.claude/CLAUDE.md
@@ -24,9 +24,9 @@
 Violations cause state drift, which causes future applies to break or silently revert changes.
 
 ## Instructions
-- **"remember X"**: Use `memory-tool store "content" --category facts --tags "tag1,tag2"` (via exec) for persistent cross-session memory. Also update this file + `AGENTS.md` (if shared knowledge), commit with `[ci skip]`. To recall: `memory-tool recall "query"`. To list: `memory-tool list`. To delete: `memory-tool delete <id>`. The native `memory_search` and `memory_get` tools are also available for searching indexed memory files. For **storing** new memories, always use the `memory-tool` CLI via exec.
-- **Apply**: Authenticate via `vault login -method=oidc`, then use `scripts/tg` (preferred — handles state decrypt/encrypt) or `terragrunt` directly. `scripts/tg` adds `-auto-approve` for `--non-interactive` applies.
-- **New services need CI/CD** and **monitoring** (Prometheus/Uptime Kuma)
+- **"remember X"**: store to the remote claude-memory store via the **`homelab memory` CLI**: `homelab memory store "content" --category facts --tags "tag1,tag2"` (also `recall "query"` / `update <id>` / `list` / `delete <id>`). For shared knowledge, also update the relevant CLAUDE.md / `AGENTS.md`. (Supersedes the old `memory-tool` CLI **and** the claude-memory MCP — both retired 2026-06-21; the homelab CLI hits the same remote HTTP API. Recall also runs automatically each turn via a UserPromptSubmit hook.)
+- **Apply**: Authenticate via `vault login -method=oidc`, then use `scripts/tg` (preferred — handles state decrypt/encrypt) or `terragrunt` directly. `scripts/tg` adds `-auto-approve` for `--non-interactive` applies, and `-lock-timeout` (default `5m`, override via `TG_LOCK_TIMEOUT`) on every state-locking verb (`plan`/`apply`/`destroy`/`refresh`) so a contended state lock **waits** instead of failing instantly with `Error acquiring the state lock`.
+- **New services need CI/CD** and **monitoring** (Prometheus/Uptime Kuma). CI = a GHA workflow on the repo's GitHub mirror (build + tests off-infra, ADR-0002); Woodpecker gets a deploy-only pipeline — never an in-cluster build.
 - **New service**: Use `setup-project` skill for full workflow
 - **Ingress**: `ingress_factory` module. **Auth** (`auth` string enum, default `"required"` — fail-closed). Pick by asking "what gates the app?":
   - `auth = "required"` — Authentik forward-auth gates every request. Use when the backend has **no built-in user auth** and Authentik is the only thing standing between strangers and the app (prowlarr, qbittorrent, netbox, phpipam, k8s-dashboard, any admin UI shipped without its own login).
@@ -38,7 +38,7 @@ Violations cause state drift, which causes future applies to break or silently r
   - **DNS**: `dns_type = "proxied"` (Cloudflare CDN) or `"non-proxied"` (direct A/AAAA). DNS records are auto-created — no need to edit `config.tfvars`. Smoke-test target: `echo.viktorbarzin.me` (auth=public, header-reflecting backend).
 - **Anubis PoW challenge** (`modules/kubernetes/anubis_instance/`): per-site reverse proxy that issues a 30-day JWT cookie after a tiny PoW solve. Use for **public, content-bearing sites without app-level auth** (blog, docs, wikis, static landing pages). Pattern: declare `module "anubis" { source = "../../modules/kubernetes/anubis_instance"; name = "X"; namespace = ...; target_url = "http://<backend>.<ns>.svc.cluster.local" }`, then in `ingress_factory` set `service_name = module.anubis.service_name`, `port = module.anubis.service_port`, `anti_ai_scraping = false`. Shared ed25519 key in Vault `secret/viktor` -> `anubis_ed25519_key`; cookie scoped to `viktorbarzin.me` so one solve covers all Anubis-fronted subdomains. **DO NOT put Anubis in front of Git/API/WebDAV/CLI endpoints** — clients without JS can't solve PoW. **Replicas default to 1** because Anubis stores in-flight challenges in process memory; a challenge issued by pod A and solved against pod B errors with `store: key not found` (HTTP 500). Bumping replicas requires wiring a shared Redis store (TODO). For path-level carve-outs (e.g. wrongmove has `/` behind Anubis but `/api` direct, blog has `/net-diag.sh` direct), declare a second `ingress_factory` with `ingress_path = ["/<path>"]` pointing at the bare backend service. Active on: blog (except `/net-diag.sh`), www, kms, travel, f1, cc, json, pb (privatebin), home (homepage), wrongmove (UI only). See `.claude/reference/patterns.md` "Anti-AI Scraping" for full layering.
 - **Docker images**: Always build for `linux/amd64`. SHA-tag rule is being phased out — see `docs/plans/2026-05-16-auto-upgrade-apps-{design,plan}.md`. New model: CI pushes `:latest` (optionally also `:<8-char-sha>` for traceability), Keel polls and triggers rollouts. Cache-staleness concern from the old rule is resolved at the nginx layer (URL-split — manifests pass through, blobs cached). Until Phase 1 of the migration completes (per the plan), follow the SHA-tag rule for new services to match existing pattern.
-- **Private registry**: `forgejo.viktorbarzin.me/viktor/<name>` (Forgejo packages, OAuth-style PAT auth). Use `image: forgejo.viktorbarzin.me/viktor/<name>:<tag>` + `imagePullSecrets: [{name: registry-credentials}]`. Kyverno auto-syncs the Secret to all namespaces. Containerd `hosts.toml` on every node redirects to in-cluster Traefik LB `10.0.20.203` (with `skip_verify = true`, since the node dials Traefik by IP but the cert is for `forgejo.viktorbarzin.me`) to avoid hairpin NAT. That redirect covers **kubelet pulls** only — in-cluster pods (notably Woodpecker buildkit build pods pushing images) resolve `forgejo.viktorbarzin.me` via a CoreDNS `rewrite name exact ... traefik.traefik.svc.cluster.local` (Corefile in `stacks/technitium/modules/technitium/main.tf`), since they do NOT use the node containerd mirror; without it, buildkit pushes intermittently timed out on the public-IP hairpin (added 2026-06-04, beads code-yh33). **Was `.200` until 2026-06-01** — Traefik's 2026-05-30 move to its dedicated `.203` left this redirect pointing at the now-dead `.200:443`, silently breaking every *fresh* forgejo pull (cached images kept running, so it stayed hidden until a new image tag was pulled). Redirect source lives in `modules/create-template-vm/k8s-node-containerd-setup.sh` (new nodes) and `scripts/setup-forgejo-containerd-mirror.sh` (existing nodes). Push-side: viktor PAT in Vault `secret/ci/global/forgejo_push_token` (Forgejo container packages are scoped per-user; only the package owner can push, ci-pusher cannot write to viktor/*). Pull-side: cluster-puller PAT in Vault `secret/viktor/forgejo_pull_token`. Retention CronJob (`forgejo-cleanup` in `forgejo` ns, daily 04:00) keeps newest 10 versions + always `:latest`; integrity probed every 15min by `forgejo-integrity-probe` in `monitoring` ns (catalog walk + manifest HEAD on every blob). See `docs/plans/2026-05-07-forgejo-registry-consolidation-{design,plan}.md` for the migration history. Pull-through caches for upstream registries (DockerHub, GHCR, Quay, k8s.gcr, Kyverno) stay on the registry VM at `10.0.20.10` ports 5000/5010/5020/5030/5040 — the old port-5050 R/W private registry was decommissioned 2026-05-07.
+- **Image registry**: **Owned images now live on `ghcr.io/viktorbarzin/<name>`** (ADR-0002, built by GHA — see the CI/CD Architecture section). The **Forgejo container registry is FROZEN + emptied** (break-glass only — `docs/runbooks/forgejo-registry-breakglass.md`); nothing pushes to it. The rest of this bullet documents the **still-live forgejo-pull DNS/mirror machinery** (it remains in place for the break-glass path + because `registry-credentials` is still Kyverno-synced; the hairpin lessons apply to any internal-registry pull). Historical usage was `image: forgejo.viktorbarzin.me/viktor/<name>:<tag>` + `imagePullSecrets: [{name: registry-credentials}]`. **Kubelet pulls** are kept off the hairpin **at the resolver, with zero node-side DNS config**: pfSense Unbound carries a domain override forwarding the whole `viktorbarzin.me` zone to Technitium (added 2026-06-10, `docs/runbooks/pfsense-unbound.md`), whose split-horizon zone CNAMEs every ingress host (auto-synced hourly by `technitium-ingress-dns-sync`) to the zone apex whose A record tracks the **live** Traefik LB IP (canary: `viktorbarzin-apex-probe`, alerts ViktorBarzinApexDrift). Nodes are stock — link DNS `10.0.20.1 94.140.14.14` via `qm set --nameserver`, no `/etc/hosts` pins, no resolved drop-ins (two same-day interim approaches on 2026-06-10 were removed the same day). The containerd `hosts.toml` mirror (`[host."https://10.0.20.203"]`, `skip_verify = true`) still exists but is **vestigial** — it can NOT keep pulls internal on its own: Traefik routes by Host/SNI and 404s the mirror's bare-IP requests, and the registry's Bearer auth realm is the absolute `https://forgejo.viktorbarzin.me/v2/token` URL fetched outside the mirror — without internal DNS every fresh pull degrades to public DNS → hairpin → intermittent `dial tcp 176.12.22.76:443: i/o timeout` ImagePullBackOff (tuya-bridge 7.5h outage 2026-06-10, tripit 2026-06-09; see `docs/post-mortems/2026-06-10-tuya-bridge-forgejo-pull-hairpin.md`). **In-cluster pods are ordinary internal clients too** (since 2026-06-10 evening) — CoreDNS's dedicated `viktorbarzin.me:53` block (Corefile in `stacks/technitium/modules/technitium/main.tf`) forwards to the Technitium ClusterIP `10.96.0.53`, so pods get the same split-horizon answers as everyone else; forgejo stays pinned to Traefik's **ClusterIP** in that block (TF-interpolated from the live Service) so CI pushes survive a Technitium outage. This relies on a k8s-1.34 behavior verified 2026-06-10: **pods CAN reach the ETP=Local Traefik LB IP** (kube-proxy short-circuits in-cluster traffic to LB IPs via the cluster path) — re-verify after major k8s upgrades; canary = the uptime-kuma `[External]` fleet going red. (The block briefly forwarded to `8.8.8.8/1.1.1.1` earlier that day, which kept pods on the WAN IP and the broken TP-Link NAT loopback — 27 non-proxied `[External]` monitors dark; beads code-yh33.) **Was `.200` until 2026-06-01** — Traefik's 2026-05-30 move to its dedicated `.203` left the mirror pointing at the now-dead `.200:443`, silently breaking every *fresh* forgejo pull; a future LB renumber is now handled by DNS (apex record + drift probe) — only the vestigial hosts.toml literal would go stale. Mirror source lives in `modules/create-template-vm/k8s-node-containerd-setup.sh` (new nodes) and `scripts/setup-forgejo-containerd-mirror.sh` (existing nodes; also cleans up the legacy 2026-06-10 node-DNS customization). Push-side: viktor PAT in Vault `secret/ci/global/forgejo_push_token` (Forgejo container packages are scoped per-user; only the package owner can push, ci-pusher cannot write to viktor/*). Pull-side: cluster-puller PAT in Vault `secret/viktor/forgejo_pull_token`. Retention CronJob (`forgejo-cleanup` in `forgejo` ns, daily 04:00) keeps newest 10 versions + always `:latest` + any buildkit `*cache*` tag — **REVERTED to DRY_RUN 2026-06-10 after its first live run orphaned OCI index children** (multi-arch/attestation children are separate *untagged* sha256 versions that sort outside the newest-10 window while their parent index is kept; broke `kms-website:latest`+`:dfc83fb`, caught by the integrity probe, healed by re-tagging latest→a794d1a + deleting the corrupt version; see `docs/post-mortems/2026-06-10-forgejo-retention-orphaned-indexes.md`). Do NOT re-enable deletes until the keep-set resolves kept indexes' child digests (or skips untagged versions, or moves to Forgejo's native container-aware cleanup rules). The registry PVC remains at its 50Gi autoresize ceiling on the HDD (we did NOT move it to SSD, see beads code-oflt), so a container-aware retention is still needed. Integrity probed every 15min by `forgejo-integrity-probe` in `monitoring` ns (catalog walk + manifest HEAD on every blob). See `docs/plans/2026-05-07-forgejo-registry-consolidation-{design,plan}.md` for the migration history. Pull-through caches for upstream registries (DockerHub, GHCR, Quay, k8s.gcr, Kyverno) stay on the registry VM at `10.0.20.10` ports 5000/5010/5020/5030/5040 — the old port-5050 R/W private registry was decommissioned 2026-05-07.
 - **LinuxServer.io containers**: `DOCKER_MODS` runs apt-get on every start — bake slow mods into a custom image (`RUN /docker-mods || true` then `ENV DOCKER_MODS=`). Set `NO_CHOWN=true` to skip recursive chown that hangs on NFS mounts.
 - **Node memory changes**: When changing VM memory on any k8s node, update kubelet `systemReserved`, `kubeReserved`, and eviction thresholds accordingly. Config: `/var/lib/kubelet/config.yaml`. Template: `stacks/infra/main.tf`. Current values: systemReserved=512Mi, kubeReserved=512Mi, evictionHard=500Mi, evictionSoft=1Gi.
 - **Node OS disk tuning** (in `stacks/infra/main.tf`): kubelet `imageGCHighThresholdPercent=70` (was 85), `imageGCLowThresholdPercent=60` (was 80), ext4 `commit=60` in fstab (was default 5s), journald `SystemMaxUse=200M` + `MaxRetentionSec=3day`.
@@ -47,7 +47,7 @@ Violations cause state drift, which causes future applies to break or silently r
 
 ## Terraform State — Two-Tier Backend
 - **Tier 0 (bootstrap)**: Local state, SOPS-encrypted in git. Stacks: `infra`, `platform`, `cnpg`, `vault`, `dbaas`, `external-secrets`. These must exist before PG is reachable.
-- **Tier 1 (everything else)**: PostgreSQL backend (`pg`) on CNPG cluster at `pg-cluster-rw.dbaas.svc.cluster.local:5432/terraform_state`. Native `pg_advisory_lock` for concurrent safety. Each stack gets its own PG schema.
+- **Tier 1 (everything else)**: PostgreSQL backend (`pg`) on CNPG cluster at `pg-cluster-rw.dbaas.svc.cluster.local:5432/terraform_state`. Native `pg_advisory_lock` for concurrent safety. Each stack gets its own PG schema. **Lock contention is non-fatal**: `scripts/tg` passes `-lock-timeout` (default `5m`) so a contended lock waits rather than hard-failing — this was the #1 cause of infra CI failures (a Woodpecker-killed run's unreaped PG lock, a concurrent local apply, or the daily drift `plan`; Tier-1 stacks have no Vault advisory-lock skip to fall back on, unlike Tier-0).
 - **Auth**: `scripts/tg` auto-fetches PG credentials from Vault (`database/static-creds/pg-terraform-state`). Humans use `vault login -method=oidc`, agents use K8s auth (role: `terraform-state`, namespace: `claude-agent`).
 - **Tier 0 workflow** (unchanged): `git pull` → `scripts/tg plan` → `scripts/tg apply` → `git push`. State sync via SOPS is transparent.
 - **Tier 1 workflow**: `vault login -method=oidc` → `scripts/tg plan` → `scripts/tg apply`. No git commit needed — PG is authoritative.
@@ -63,7 +63,7 @@ Violations cause state drift, which causes future applies to break or silently r
 - **`secret/viktor`** — go-to path for ALL personal secrets (135 keys). Contains every API key, token, password, SSH key, and config from the old terraform.tfvars. Check here first: `vault kv get -field=KEY secret/viktor`.
 - **Auth**: `vault login -method=oidc` (Authentik SSO) → `~/.vault-token` → read by Vault TF provider.
 - **Vault stack self-reads**: `data "vault_kv_secret_v2" "vault"` reads its own OIDC creds from `secret/vault`.
-- **ESO (External Secrets Operator)**: `stacks/external-secrets/` — 43 ExternalSecrets + 9 DB-creds ExternalSecrets. API version `v1beta1`. Two ClusterSecretStores: `vault-kv` and `vault-database`.
+- **ESO (External Secrets Operator)**: `stacks/external-secrets/` — chart **2.6.0 / app v2.6.0** (migrated 0.12.1→2.6.0 on 2026-06-22, one minor at a time; helm_release has `atomic=true`). **~104 ExternalSecrets across 73 files**, all on **API version `v1`** (migrated v1beta1→v1 on 2026-06-22 — there is NO v1beta1→v1 conversion webhook, so all CRs were rewritten to v1 on chart 0.16.2 before 0.17 removed v1beta1; see `docs/plans/2026-06-21-eso-0.12-to-2.x-migration-design.md`). Two ClusterSecretStores: `vault-kv` and `vault-database`. (2 pre-existing dead ESs — instagram-poster, payslip-ingest — fail "cannot find secret data" on missing Vault keys, unrelated.)
 - **Plan-time pattern**: Former plan-time stacks use `data "kubernetes_secret"` to read ESO-created K8s Secrets at plan time (no Vault dependency). First-apply gotcha: must `terragrunt apply -target=kubernetes_manifest.external_secret` first, then full apply. `count` on resources using secret values fails — remove conditional counts.
 - **14 hybrid stacks** still keep `data "vault_kv_secret_v2"` for plan-time needs (job commands, Helm templatefile, module inputs). Platform has 48 plan-time refs — no migration possible without restructuring modules.
 - **Database rotation**: Vault DB engine rotates passwords every 7 days (604800s). MySQL: speedtest, wrongmove, codimd, nextcloud, shlink, grafana, phpipam. PostgreSQL: health, linkwarden, affine, woodpecker, claude_memory, crowdsec, technitium. Excluded: authentik (PgBouncer), root users. **Apps that read a rotated secret only at startup** (env var / initContainer, not a hot-reloaded mount) MUST carry a Reloader annotation (`secret.reloader.stakater.com/reload: <secret>`) or they keep the stale password and silently fail DB auth on each rotation until manually restarted — matrix's Synapse `inject-db-password` initContainer hit exactly this (found via Loki 2026-06-05, ~12.9k auth-fail lines/hr); matrix has since migrated to tuwunel (RocksDB, no Postgres) on 2026-06-08 and is no longer in the rotation list above. Technitium uses a password-sync CronJob (every 6h) to push rotated password to the Technitium app config via API, disable SQLite + MySQL logging, check PG plugin is loaded, configure PG query logging (90-day retention), and disable SQLite on secondary/tertiary instances.
@@ -78,63 +78,123 @@ Violations cause state drift, which causes future applies to break or silently r
 ## Resource Management Patterns
 - **CPU**: All CPU limits removed cluster-wide (CFS throttling). Only set CPU requests based on actual usage.
 - **Memory**: Set explicit `requests=limits` based on VPA upperBound. Target: upperBound x 1.2 for stable services, x 1.3 for GPU/volatile workloads.
-- **VPA (Goldilocks)**: Must be `Initial` mode (not `Auto`) — Auto conflicts with Terraform's declarative resource management.
+- **Right-sizing**: VPA/Goldilocks was **REMOVED 2026-06-12** (etcd-load-reduction — 349 VPAs all ran `updateMode=Off`, costing ~800 etcd objects + continuous recommender writes + a pod-creation admission webhook for dashboard-only value). Right-size **on demand with `krr`** (Robusta, Dockerized from the devvm — no cluster install, no admission webhook, no eviction risk; reads Prometheus). Set container resources explicitly in TF from krr output.
 - **LimitRange**: Tier-based defaults silently apply to pods with `resources: {}`. Always set explicit resources on containers needing more than defaults. Tier 3-edge and 4-aux now use Burstable QoS (request < limit) to reduce scheduler pressure.
 - **Democratic-CSI sidecars**: Must set explicit resources (32-80Mi) in Helm values — 17 sidecars default to 256Mi each via LimitRange. `csiProxy` is a TOP-LEVEL chart key, not nested under controller/node.
 - **ResourceQuota blocks rolling updates**: When quota is tight, scale to 0 then back to 1 instead of RollingUpdate. Or use Recreate strategy.
 - **Kyverno ndots drift**: Kyverno injects dns_config on all pods. Every `kubernetes_deployment`, `kubernetes_stateful_set`, and `kubernetes_cron_job_v1` MUST include `lifecycle { ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 }` (use `spec[0].job_template[0].spec[0].template[0].spec[0].dns_config` for CronJobs). The `# KYVERNO_LIFECYCLE_V1` marker is the canonical discoverability tag — grep for it to locate every site. A shared Terraform module was considered but `ignore_changes` only accepts static attribute paths (not module outputs, locals, or expressions), so the snippet convention is the only viable path. Full rationale and copy-paste snippets in `AGENTS.md` → "Kyverno Drift Suppression".
 - **NVIDIA GPU operator resources**: dcgm-exporter and cuda-validator resources configurable via `dcgmExporter.resources` and `validator.resources` in nvidia values.yaml.
 - **Pin database versions**: Disable Diun (image update monitoring) for MySQL, PostgreSQL, Redis.
-- **Quarterly right-sizing**: Check Goldilocks dashboard. Compare VPA upperBound to current request. Also check for under-provisioned (VPA upper > request x 0.8).
+- **Quarterly right-sizing**: Run `krr` (Dockerized, against Prometheus) for recommendations; compare to current requests and adjust in TF. (Goldilocks dashboard removed 2026-06-12.)
 
-## CI/CD Architecture — GHA Builds + Woodpecker Deploy
+## CI/CD Architecture — GHA Builds → ghcr + Woodpecker Deploy
 
-**Owned-app deploy model (build triggers the rollout — 2026-06-02):** For
-self-hosted apps **we build** (Forgejo `viktor/<name>` + Dockerfile +
-`.woodpecker.yml`), the build pipeline ALSO drives the rollout — atomic +
-deterministic, no wait for Keel's poll. Pattern (`build-and-push` tags `latest`
-+ `${CI_COMMIT_SHA:0:8}`, then a `deploy` step): `kubectl set image
-deployment/<app> <container>=<repo>:${CI_COMMIT_SHA:0:8} -n <ns>` +
-`kubectl rollout status ... --timeout=300s`. The `woodpecker-agent` SA is
-`cluster-admin`, so the `bitnami/kubectl` step needs no kubeconfig/RBAC (uses
-its in-cluster SA). **Keel stays enrolled in parallel** as a redundant net
-(finds the deployed SHA already running → no-op). Requires the Deployment to
-have `ignore_changes` on `…container[0].image` (KEEL_IGNORE_IMAGE) so CI
-`set image` doesn't fight `terragrunt apply`. CronJobs in owned apps use
-`:latest` + `imagePullPolicy: Always` (fresh pod each run) instead of a deploy
-step. **Never** `set image`/`rollout restart` operator-managed StatefulSets
-(memory id=740). Reference impls: `tuya_bridge/.woodpecker.yml`,
-`job-hunter`, `f1-stream` (viktor/f1-stream, extracted from this monorepo
-2026-06-05). This reverses decision #12 of
-`docs/plans/2026-05-16-auto-upgrade-apps-design.md` for owned (not upstream)
-images.
+**Doctrine (ADR-0002, fleet-wide as of 2026-06-13): ALL image builds + CI
+compute run OFF-infra.** Every owned image is built/linted/tested on GitHub
+Actions (public repos: free; private: 2000 free min/mo) and pushed to
+`ghcr.io/viktorbarzin/<name>`. **No in-cluster image builds or CI test runs
+exist anywhere** — the in-cluster Woodpecker buildkit and the fallback-build
+pattern were removed (clean cut). Woodpecker is **deploy-only** (plus infra
+applies + maintenance crons). Canonical CI/CD reference:
+`docs/architecture/ci-cd.md`; decision: `docs/adr/0002-all-image-builds-off-infra-gha-ghcr.md`.
+**Watch what you trigger**: after a push that fires a build chain, follow it to
+completion (GHA run → Woodpecker deploy → `rollout status`) and fix failures;
+verify via live state, not the checkmark.
 
-**Flow (GHA-migrated apps)**: `git push → GHA build+push DockerHub (8-char SHA) → POST Woodpecker API → kubectl set image`
+**The fleet pattern (every owned app):** Forgejo `viktor/<repo>` (canonical)
+push-mirrors (`sync_on_commit`) → GitHub `ViktorBarzin/<repo>` → GHA
+`.github/workflows/build.yml` (committed on Forgejo, mirrors over): `on: push:
+branches:[master]` ONLY (feature branches mirror but build/deploy nothing — the
+safety valve). The `build` job: lint/test → `svu` cuts the next `vX.Y.Z` tag to
+CANONICAL Forgejo (GHA secret `FORGEJO_GIT_TOKEN` = write:repository PAT) + bakes
+`VERSION` → `buildx` `linux/amd64` `provenance:false` (single-manifest, dodges
+the orphaned-index-children class) → push `ghcr.io/viktorbarzin/<name>:<sha8>` +
+`:latest` → `delete-package-versions` keep-10. The `deploy` job POSTs
+`ci.viktorbarzin.me/api/repos/<id>/pipelines` (the GitHub-mirror's Woodpecker
+registration, github-forge; GHA secret `WOODPECKER_TOKEN`) with `IMAGE_TAG` +
+`IMAGE_NAME` → `.woodpecker/deploy.yml` (event:**manual** ONLY, so the raw
+Forgejo→GitHub mirror pushes don't fire a tag-less deploy) runs `kubectl set
+image deployment/<app> …` in-cluster (woodpecker-agent SA = cluster-admin, no
+kubeconfig). Deployment image is `ignore_changes`/KEEL_IGNORE_IMAGE so the SHA
+sticks vs `terragrunt apply`; CronJobs track `:latest` + `imagePullPolicy:
+Always`. **Keel stays enrolled** as a redundant net (sees the SHA already
+running → no-op). **Never** `set image`/`rollout restart` operator-managed
+StatefulSets (memory id=740). Onboarding tool: `scripts/offinfra-onboard` +
+`scripts/offinfra-templates/`; mirror + workflow commits via the Forgejo API over
+the internal Traefik LB (`curl --resolve forgejo.viktorbarzin.me:443:10.0.20.203`).
+Reference impls: tripit (the original pilot), f1-stream, job-hunter, tuya_bridge.
 
-**Migrated to GHA** (9): Website, k8s-portal, claude-memory-mcp, apple-health-data, audiblez-web, plotting-book, insta2spotify, audiobook-search, council-complaints
-**Woodpecker-native owned-app build** (Forgejo registry, build->deploy in one `.woodpecker.yml`): tuya_bridge, job-hunter, f1-stream (extracted to viktor/f1-stream 2026-06-05; Woodpecker repo id 166; the old github source is archived + its GHA repo-id-10 deactivated)
-**Woodpecker-only**: travel_blog (1.4GB content too large for GHA), infra pipelines (terragrunt apply, certbot, build-cli — need cluster access)
+**Migrated apps (issues #13–#27):** f1-stream, job-hunter, tuya_bridge,
+beadboard, nextcloud-todos, claude-agent-service, **claude-memory-mcp** (GHA →
+ghcr, NOT DockerHub), kms-website, Freedify, instagram-poster, payslip-ingest,
+broker-sync (image `wealthfolio-sync`), fire-planner, recruiter-responder,
+x402-gateway — plus tripit. Earlier public-repo apps already on GHA (Website,
+apple-health-data, audiblez-web, plotting-book, insta2spotify,
+audiobook-search) now also land on ghcr.
+- **PUBLIC ghcr packages:** beadboard, nextcloud-todos, claude-agent-service,
+  claude-memory-mcp, kms-website, freedify, tuya_bridge, x402-gateway,
+  chrome-service-novnc, android-emulator.
+- **PRIVATE ghcr:** f1-stream, job-hunter, instagram-poster, payslip-ingest,
+  wealthfolio-sync, fire-planner, recruiter-responder, tripit, infra-cli,
+  infra-ci, k8s-portal. Pulled via the Kyverno-synced `ghcr-credentials` allowlist
+  (`stacks/kyverno/modules/kyverno/ghcr-credentials.tf`; NOT cluster-wide; cred
+  = Vault `secret/viktor/ghcr_pull_token`, a dedicated classic PAT scoped to
+  `read:packages` (UI-minted 2026-06-15; no longer the admin `github_pat`
+  alias). GitHub has no token-mint API, so rotation is manual: re-mint →
+  `vault kv patch secret/viktor ghcr_pull_token=…` → targeted apply
+  `module.kyverno.kubernetes_secret.ghcr_credentials` (reads Vault, dodges the
+  git-crypt tls-secret-sync landmine), Kyverno re-syncs the allowlist).
 
-**Per-project files**:
-- `.github/workflows/build-and-deploy.yml` — GHA: checkout, build, push DockerHub, POST Woodpecker API
-- `.woodpecker/deploy.yml` — Woodpecker: `kubectl set image` + Slack notify (event: `[manual, push]`)
-- `.woodpecker/build-fallback.yml` — Old full build pipeline preserved (event: `deployment` — never auto-fires)
+**Infra-owned images (issues #29/#30)** build on GHA workflows IN the infra
+repo's own `.github/workflows/` (added to the GitHub lineage via PR; the
+github↔forgejo divergence was deliberately NOT reconciled):
+`build-chrome-service-novnc.yml` + `build-android-emulator.yml` → public ghcr;
+`build-cli.yml` → DockerHub `viktorbarzin/infra` (kept) + `ghcr.io/viktorbarzin/infra-cli`;
+`build-infra-ci.yml` → `ghcr.io/viktorbarzin/infra-ci`; `build-k8s-portal.yml` →
+PRIVATE `ghcr.io/viktorbarzin/k8s-portal` (Keel-deployed; the LAST in-cluster
+Woodpecker build, migrated 2026-06-13 — completes "no local builds"). **infra-ci**
+is the image the `.woodpecker/default.yml` apply step + `drift-detection.yml` run
+in (proven by pipelines 165/166). chatterbox-tts is already built by tripit's GHA → ghcr.
+The Woodpecker `build-ci-image.yml` + `build-cli.yml` pipelines were REMOVED;
+infra-ci break-glass is a manual `.woodpecker/breakglass-infra-ci.yml` (ghcr
+pull-and-save to the registry VM).
 
-**Woodpecker API**: Uses **numeric repo IDs** (`/api/repos/2/pipelines`), NOT owner/name paths (those return HTML).
-Repo IDs: infra=1, Website=2, finance=3, health=4, travel_blog=5, webhook-handler=6, audiblez-web=9, plotting-book=43, claude-memory-mcp=78, infra-onboarding=79, council-complaints=TBD (f1-stream's old GHA-era github repo id 10 is deactivated; it's now a Woodpecker-native Forgejo build at repo id 166)
+**Forgejo container registry: FROZEN + emptied** (issue #32 wiped all `viktor/*`
+container packages). Break-glass-only now; nothing pushes. `forgejo-cleanup`
+stays DRY_RUN. Pull-through caches on `10.0.20.10` are unchanged. Runbook:
+`docs/runbooks/forgejo-registry-breakglass.md`.
+
+**Woodpecker now runs only:** per-app `deploy.yml` (manual, `kubectl set
+image`), `default.yml` (terragrunt apply), `renew-tls.yml` (certbot),
+maintenance crons (drift-detection, provision-user, registry-config-sync,
+pve-nfs-exports-sync, issue-automation, postmortem-todos), and the
+manual `breakglass-infra-ci.yml`. **No build/test pipeline on any repo — do not
+(re)introduce one.** (`.woodpecker/k8s-portal.yml`, the last in-cluster image
+build, was removed 2026-06-13 — k8s-portal now builds on GHA → ghcr, see
+Infra-owned images above.)
+
+**Decommissioned (issue #31):** travel_blog (stack destroyed + dir removed), 6
+dead builders' pipelines (terminal-lobby, webhook-handler, hmrc-sync,
+trading-bot, travel-agent, trip-planner), and all `build-fallback.yml` files
+(only Website had one).
+
+**Woodpecker API**: numeric repo IDs (`/api/repos/<id>/pipelines`), NOT
+owner/name (those return HTML). The deploy registration for each app is the
+**GitHub mirror** repo (github-forge). Infra: Forgejo forge = repo 82, legacy
+GitHub forge = repo 1.
 
 **Woodpecker YAML gotchas**:
 - Commands with `${VAR}:${VAR}` must be **quoted** — unquoted `:` triggers YAML map parsing when vars are empty
 - Use `bitnami/kubectl:latest` (not pinned versions — entrypoint compatibility issues)
 - Global secrets must have `manual` in their events list for API-triggered pipelines
 
-**GitHub repo secrets** (set on all repos): `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN`, `WOODPECKER_TOKEN`
-
-**Infra pipelines unchanged**: `default.yml` (terragrunt apply), `renew-tls.yml` (certbot cron), `build-cli.yml` (dual registry push), `k8s-portal.yml` (path-filtered build), `provision-user.yml` — all stay on Woodpecker.
+**GitHub repo secrets** (per repo): `WOODPECKER_TOKEN` (POST deploy pipeline),
+`FORGEJO_GIT_TOKEN` (write:repository PAT for the svu tag push). ghcr push uses
+the workflow's built-in `GITHUB_TOKEN` (`packages: write`).
 
 ## Database Host
 
-**`postgresql_host`** in `config.tfvars` is `pg-cluster-rw.dbaas.svc.cluster.local` (the CNPG primary). The legacy `postgresql.dbaas` service has no endpoints — never use it. This variable is shared by ~12 stacks.
+**`postgresql_host`** in `config.tfvars` is `pg-cluster-rw.dbaas.svc.cluster.local` (the CNPG primary). The legacy `postgresql.dbaas` service is a live compatibility alias (selector `cnpg.io/instanceRole=primary`, so it also reaches the primary — authentik's PgBouncer still points at it) — but use `pg-cluster-rw` for anything new. This variable is shared by ~12 stacks.
 
 **CNPG tuning** (in `stacks/dbaas/modules/dbaas/main.tf`): `shared_buffers=512MB`, `work_mem=16MB`, `wal_compression=on`, `effective_cache_size=1536MB`, pod memory 2Gi.
 
@@ -142,8 +202,8 @@ Repo IDs: infra=1, Website=2, finance=3, health=4, travel_blog=5, webhook-handle
 - **Critical path services scaled to 3**: Traefik, Authentik, CrowdSec LAPI, PgBouncer, Cloudflared.
 - **PDBs**: minAvailable=2 on Traefik and Authentik.
 - **Fallback proxies**: basicAuth when Authentik is down, fail-open when poison-fountain is down.
-- **CrowdSec bouncer**: graceful degradation mode (fail-open on error).
-- **Rate limiting**: Return 429 (not 503). Per-service tuning: Immich/Nextcloud need higher limits.
+- **CrowdSec enforcement is out-of-band** (no Traefik plugin/middleware — the dead Yaegi `crowdsec-bouncer-traefik-plugin` was removed on Traefik 3.7.5): banned IPs are dropped **in-kernel via nftables** by the `cs-firewall-bouncer` DaemonSet on **direct** hosts (drops in BOTH the `input` and `forward` hooks — Traefik is ETP=Local so client traffic is DNAT'd to the pod via `forward`; pulls ALL decisions incl. the ~31k CAPI blocklist), and **blocked at the Cloudflare edge** for **proxied** hosts (one `crowdsec_ban` Rules List + a zone WAF block rule, fed by the `crowdsec-cf-sync` CronJob in `rybbit` ns every 2 min — excludes CAPI). Zero per-request latency; **fails open** (LAPI down → no new bans, existing drops persist, legit traffic never blocked). Whitelist covers RFC1918 + tailnet + internal CIDRs. Full as-built: `docs/architecture/security.md`.
+- **Rate limiting**: Return 429 (not 503). Per-service tuning via dedicated middleware + `skip_default_rate_limit` (default 10/s burst 50): Immich 1000/20000, ActualBudget 50/300 (app boot = ~70 parallel revalidations).
 - **Retry middleware**: 2 attempts, 100ms — in default ingress chain.
 - **Entrypoint transport timeouts** (`websecure` `respondingTimeouts`): `writeTimeout=0` (unlimited download duration), `readTimeout=3600s` (uploads ≤1h), `idleTimeout=600s`. These are **HARD total-duration caps**, not nginx-style per-read idle timeouts — a finite `writeTimeout` truncates *any* large download at that wall-clock mark (a prior `writeTimeout=60s` silently cut Immich videos at 60s). **Do NOT re-tighten `writeTimeout`**; keep `readTimeout` finite (slow-loris backstop) but ≥ longest expected upload. Full rationale: `docs/architecture/networking.md` → "Entrypoint Transport Timeouts".
 - **HTTP/3 (QUIC)**: Enabled on Traefik. Works for **direct (non-proxied) apps** via the dedicated LB IP below (ETP=Local). Proxied apps get QUIC at the Cloudflare edge.
@@ -156,16 +216,19 @@ Repo IDs: infra=1, Website=2, finance=3, health=4, travel_blog=5, webhook-handle
 |---------|--------------------------|
 | Nextcloud | MaxRequestWorkers=150, needs 8Gi limit (Apache transient memory spikes, see commit eb94144), very generous startup probe |
 | Immich | ML on SSD (CUDA), disable ModSecurity (breaks streaming), frequent upgrades. **`immich-machine-learning` MUST run with `MACHINE_LEARNING_MODEL_TTL > 0`** (set to `600` in `stacks/immich/main.tf`, env on the `immich-machine-learning` deployment). At `0`, no model ever unloads and onnxruntime's CUDA arena (OCR's dynamic input shapes inflate it to ~10 GB) is held forever on the **time-sliced T4 it shares with llama-swap/frigate/immich-server** — which has no VRAM isolation, so immich-ml starved llama-swap (qwen3-8b) and silently broke recruiter-responder triage for ~5 h on 2026-06-02 (post-mortem `docs/post-mortems/2026-06-02-immich-ml-ttl-gpu-oom-recruiter.md`). TTL>0 lets idle models (OCR, face — AND CLIP) free VRAM. The TTL is a single GLOBAL knob (no per-model pin), so CLIP would also unload after 600s idle; the `clip-keepalive` CronJob (`*/5 * * * *`, same stack) pings the CLIP textual encoder so smart-search stays warm without pinning the ad-hoc models. **Smart search has a SECOND warmth layer in Postgres** (don't conflate it with the ML model): the ~665MB vchord `clip_index` must stay resident in PG `shared_buffers`, else an ANN probe that lands on an evicted list pays a ~1.8s cold storage read vs ~4ms warm. The `postStart` hook prewarms it ONCE at pod start and `pg_prewarm.autoprewarm` only re-warms at *startup*, so the index decays out of cache over days under job buffer-pressure (observed ~33% resident after 9d uptime → slow context search, easily misattributed to the ML model). The `clip-index-prewarm` CronJob (`*/5`, same stack) re-runs `pg_prewarm('clip_index')` to pin it hot; `immich-search-probe` (`*/5`) measures live latency + residency → Pushgateway gauges (`immich_smart_search_db_seconds`, `immich_clip_index_cached_pct`) → alerts `ImmichSmartSearchSlow`/`ImmichClipIndexColdCache`/`ImmichSearchProbeStale` + cluster-health check #46 (`check_immich_search`). immich PG role is a superuser so the CronJobs can run `pg_prewarm`/`pg_buffercache`. **Video transcoding is GPU-accelerated**: `immich-server` is pinned to GPU node1 (nodeSelector `nvidia.com/gpu.present` + NoSchedule toleration + `gpu-workload` priority) with a time-sliced `nvidia.com/gpu=1` slice — the stock immich-server image's ffmpeg already ships h264/hevc_nvenc + NVDEC. Activated via `ffmpeg.accel=nvenc` + `accelDecode=true` in the **DB** system-config (`system_metadata` table, key `system-config`, JSONB — NOT Terraform; app config is DB-managed here like oauth/smtp). Direct DB edits need a pod **recreate** to reload (config is cached at boot; only API-driven changes broadcast a reload). **Streaming bitrate is capped** to keep 4K playback smooth on the contended HDD and over remote uplinks: `ffmpeg.maxBitrate=20000k` + `preset=medium` + `transcode=bitrate` (set 2026-06-01 — was uncapped `maxBitrate=0` + `ultrafast` + `targetResolution=original`, which produced 77–264 Mbps 4K transcodes that stuttered for every client, local and remote, since even a single stream needs ~10–13.5 MB/s off the shared `sdc` spindle). 4K resolution is preserved (`targetResolution=original`); originals are NEVER modified — only the `encoded-video/` streaming copy. To re-apply transcode settings to EXISTING videos (config changes only affect new/missing ones): delete the offenders' `asset_file` rows `WHERE type='encoded_video'` (derived/regenerable — never touches originals) then run videoConversion `force=false` (admin Jobs API → "Missing"); it regenerates them to the deterministic `<assetId>.mp4` path at concurrency 1 (gentle on sdc). See `docs/runbooks/immich-transcode-bitrate.md`. If Immich is ever reinstalled fresh (not restored), re-set these keys (accel, accelDecode, **maxBitrate=20000k, preset=medium, transcode=bitrate**). Thumbnails/previews live on SSD NFS (sdb) — do NOT move to block storage (HDD sdc = slower + the contended IO domain). **Background-job concurrency is capped to protect sdc** (DB-managed system-config, `system_metadata` key `system-config`, JSONB `job.*.concurrency`; re-set on fresh install): `thumbnailGeneration=2`, `metadataExtraction=2`, `library=2` — these jobs read ORIGINALS off the HDD library. Left uncapped (were 8/4/4) a library-wide job (e.g. Duplicate Detection on 2026-06-01) fans the ML/thumbnail backfill out into a read storm that saturates sdc and starves etcd → apiserver down. `sidecar`/`smartSearch`/`faceDetection` stay at Immich defaults (small `.xmp` / SSD previews). Apply via Job Settings UI or the `system-config` API; **direct DB edits need an `immich-server` pod recreate to reload** (config cached at boot). See `docs/post-mortems/2026-05-25-immich-anca-elements-io-storm.md`. |
-| CrowdSec | Pin version, disable Metabase when not needed (CPU hog), LAPI scaled to 3, **DB on PostgreSQL** (migrated from MySQL), flush config: max_items=10000/max_age=7d/agents_autodelete=30d, DECISION_DURATION=168h in blocklist CronJob |
+| CrowdSec | Pin version, disable Metabase when not needed (CPU hog), LAPI scaled to 3, **DB on PostgreSQL** (migrated from MySQL), flush config: max_items=10000/max_age=7d/agents_autodelete=30d, DECISION_DURATION=168h in blocklist CronJob. **Enforcement is out-of-band, NOT a Traefik plugin** (the Yaegi `crowdsec-bouncer-traefik-plugin` was dead on Traefik 3.7.5 and removed): `cs-firewall-bouncer` DaemonSet drops in-kernel via nftables on direct hosts (bouncer key `firewall`, v0.0.34 binary fetched at runtime, hostNetwork+NET_ADMIN, `stacks/crowdsec/modules/crowdsec/firewall_bouncer.tf`); `crowdsec-cf-sync` CronJob blocks at the CF edge for proxied hosts (bouncer key `kvsync`, `stacks/rybbit/crowdsec_edge.tf`). Both fail open. See `docs/architecture/security.md` |
 | Frigate | GPU stall detection in liveness probe (inference speed check), high CPU |
-| Authentik | 3 replicas, PgBouncer in front of PostgreSQL, strip auth headers before forwarding |
+| Authentik | 3 server replicas + 2-replica embedded outpost (PG-backed sessions), PgBouncer in front of PostgreSQL, strip auth headers before forwarding. **`authentik.*` Helm values are INERT** (existingSecret skips chart env rendering) — tune via `server.env`/`worker.env` in `modules/authentik/values.yaml`. Single-screen login (password embedded in identification stage); all first-party OIDC apps use implicit consent (2026-06-10). `/static` ingress carve-out serves assets with immutable Cache-Control. |
 | Kyverno | failurePolicy=Ignore to prevent blocking cluster, pin chart version |
 | MySQL Standalone | Raw `kubernetes_stateful_set_v1` pinned to `mysql:8.4.8` exactly (migrated from InnoDB Cluster 2026-04-16; **pinned to 8.4.8 on 2026-05-18** after Keel-driven `mysql:8.4` → 8.4.9 bump stalled the DD upgrade and required a full PVC-wipe + dump-restore — see `docs/runbooks/restore-mysql.md` and beads code-eme8/code-k40p). `skip-log-bin`, `innodb_flush_log_at_trx_commit=2`, `innodb_doublewrite=ON`. ConfigMap `mysql-standalone-cnf`. PVC `data-mysql-standalone-0` (5Gi initial → 30Gi via autoresizer, `proxmox-lvm-encrypted`). Service `mysql.dbaas` unchanged. Anti-affinity excludes k8s-node1. Bitnami charts deprecated (Broadcom Aug 2025) — use official images. |
 | phpIPAM | IPAM — no active scanning. `pfsense-import` CronJob (hourly) pulls Kea leases + ARP via SSH. `dns-sync` CronJob (15min) bidirectional sync with Technitium. Kea DDNS on pfSense handles all 3 subnets. API app `claude` (ssl_token). |
 
 ## Monitoring & Alerting
-- Alert cascade inhibitions: if node is down, suppress pod alerts on that node.
-- Exclude completed CronJob pods from "pod not ready" alerts.
+- **Alert-on-change routing** (alert-noise-reduction 2026-06-12, `route` block in `prometheus_chart_values.tpl`): warning/info notify ONCE then stay quiet while firing (`repeat_interval: 8760h` ≈ off); criticals re-ping every 6h (was 1h); `send_resolved` on. Standing state is reviewed via the daily digest, not re-pings.
+- **Daily alert digest**: CronJob `alert-digest` (monitoring ns, `alert_digest.tf` + `alert_digest.py`) posts the full current board grouped by severity + resolved-in-24h to `#alerts` at 08:00 Europe/London. Stock `python:3.12-alpine`, pure-stdlib (no pip/apk at runtime — avoids the status-page-pusher disk anti-pattern, id=559); reads Alertmanager v2 + Prometheus; reuses the Alertmanager Slack webhook via the `alert-digest` Secret. Safety net for alert-on-change.
+- **Cascade inhibitions** (`inhibit_rules`): `NodeDown` AND `NodeConditionBad`/`NodeDiskPressure` suppress downstream pod-churn alerts (PodCrashLooping/PodImagePullBackOff/PodsStuckContainerCreating/ScrapeTargetDown/*ReplicasMismatch); `T3ProbeLegDown` suppresses `T3ProbeDropBurst` for the same `leg`; plus existing NFS/Traefik/Authentik/Power/Tuya/iDRAC cascades. No `equal` on the node rules (pod alerts carry no `node` label → cluster-wide, like NodeDown).
+- **ScrapeTargetDown scrapes only Ready endpoints** (relabel `keep __meta_kubernetes_endpoint_ready=true` on both `kubernetes-service-endpoints` jobs) — completed CronJob pods lingering as NotReady EndpointSlice addresses no longer fire phantom "down" alerts (tts/tripit/beads, id=4895). Replaces the old "exclude completed CronJob pods" guidance; a Ready pod with a broken metrics endpoint still fires.
+- Alertmanager is now scraped (`extraScrapeConfigs` job `alertmanager`) → `alertmanager_notifications_total`/`_alerts`/`_notifications_failed_total` available; it had no `prometheus.io/scrape` annotation so notification volume was previously unmeasurable.
 - Every new service gets Prometheus scrape config + Uptime Kuma monitor. External monitors auto-created for Cloudflare-proxied services by `external-monitor-sync` CronJob (10min, uptime-kuma ns). Mechanism: `ingress_factory` auto-adds `uptime.viktorbarzin.me/external-monitor=true` whenever `dns_type != "none"` (see `modules/kubernetes/ingress_factory/main.tf`) — no manual action needed on new services. The `cloudflare_proxied_names` list in `config.tfvars` is a legacy fallback for the 17 hostnames not yet migrated to `ingress_factory` `dns_type`; don't check that list when debugging "is this monitored?" questions.
 - **External monitoring**: `[External] <service>` monitors in Uptime Kuma test full external path (DNS → Cloudflare → Tunnel → Traefik). Divergence metric `external_internal_divergence_count` → alert `ExternalAccessDivergence` (15min). Config: `stacks/uptime-kuma/`, targets from `cloudflare_proxied_names` in `config.tfvars` (17 remaining centrally-managed hostnames; most DNS records now auto-created by `ingress_factory` `dns_type` param).
 - Key alerts: OOMKill, pod replica mismatch, 4xx/5xx error rates, UPS battery, CPU temp, SSD writes, NFS responsiveness, ClusterMemoryRequestsHigh (>85%), ContainerNearOOM (>85% limit), PodUnschedulable, ExternalAccessDivergence, ImmichSmartSearchSlow (context-search latency / clip_index cache eviction).
@@ -177,7 +240,7 @@ Repo IDs: infra=1, Website=2, finance=3, health=4, travel_blog=5, webhook-handle
 Plan in `docs/architecture/security.md` + response playbook in `docs/runbooks/security-incident.md`. Beads epic: `code-8ywc`.
 
 - **Identity allowlist for security rules**: ONLY `me@viktorbarzin.me`. NOT `viktor@viktorbarzin.me`, NOT `emo@viktorbarzin.me` (those don't exist). emo's identity scheme is unknown — ask before assuming.
-- **Source-IP allowlist (K2, K9, V7, S1)**: `10.0.20.0/22`, `192.168.1.0/24` (Proxmox + Sofia LAN), K8s pod CIDR, K8s service CIDR, Headscale tailnet. **Policy: no public-IP access** — Vault, kube-apiserver, PVE sshd must transit LAN or Headscale.
+- **Source-IP allowlist (K2, K9, V7, S1)**: `10.0.20.0/22`, `192.168.1.0/24` (Proxmox + Sofia LAN), K8s pod CIDR, K8s service CIDR, Headscale tailnet. **Policy: no public-IP access** — Vault, kube-apiserver, PVE sshd must transit LAN or Headscale. **One documented exception (2026-06-11): break-glass SSH** — PVE sshd on a WAN-exposed `:52222`, key-only, dedicated break-glass key only (`Match LocalPort`), rate-limited + fail2ban; intentionally cluster-independent so it survives an outage. As-built `docs/runbooks/breakglass-ssh.md`. (Replaced the 2026-05-30 port-knock design — circular Vault dep caused a lockout.)
 - **Response model**: (I) Slack-only daily skim. All security alerts via Loki ruler → Alertmanager → `#security` Slack receiver. Single channel with severity labels inside (critical/warning/info). No paging.
 - **Kyverno policies (wave 1)**: `deny-privileged-containers`, `deny-host-namespaces`, `restrict-sys-admin`, `require-trusted-registries` flip Audit→Enforce with the 31-namespace exclude list (memory id=1970). `failurePolicy: Ignore` preserved. Cosign `verify-images` deferred.
 - **NetworkPolicy default-deny egress (wave 1)**: observe-then-enforce (γ approach) — Calico flow logs cluster-wide + GlobalNetworkPolicy log-only on tier 3+4, build empirical allowlist after 1 week, phased per-namespace enforce starting `recruiter-responder`. Tier 0/1/2 deferred.
@@ -292,6 +355,7 @@ resource "kubernetes_persistent_volume_claim" "data_encrypted" {
 - `/usr/local/bin/daily-backup` — Daily 05:00. Mounts LVM thin snapshots ro → rsyncs FILES to `/mnt/backup/pvc-data/<YYYY-WW>/<ns>/<pvc>/` with `--link-dest` versioning (4 weeks). Auto SQLite backup (magic number check, `?mode=ro`). Also backs up pfSense (config.xml + tar), PVE config. Prunes snapshots >7d. **Skip-list (2026-06-01)**: `nextcloud/nextcloud-data-proxmox` (orphaned pre-encryption PV).
 - `/usr/local/bin/offsite-sync-backup` — Daily 06:00 (After=daily-backup). Step 1: sda → Synology `pve-backup/` (incremental via manifest; monthly full `rsync --delete` days 1–7). Step 2: NFS direct → Synology — **immich-only on BOTH `nfs/` and `nfs-ssd/` (2026-06-01)**; ollama/llamacpp on the SSD no longer ship offsite.
 - `/usr/local/bin/lvm-pvc-snapshot` — Daily 03:00. Thin snapshots of all PVCs except dbaas+monitoring. 7-day retention. Instant restore: `lvm-pvc-snapshot restore <lv> <snap>`.
+- `/usr/local/bin/vzdump-vms` — Daily 01:00. Live `vzdump --mode snapshot` of hand-managed VMs (the ones NOT in Terraform) → `/mnt/backup/vzdump/`, keep 3 per VMID. `VZDUMP_VMIDS` default `102` (devvm) — **the only VM imaged today** (its per-user home dirs + local-only git repos, incl. the no-remote monorepo root, are otherwise irreplaceable). devvm has the guest agent (`agent: 1`) so dumps are fs-consistent. Deliberately NOT in the incremental offsite manifest (would balloon Synology); the monthly offsite full pass (days 1-7) mirrors `/mnt/backup/vzdump/`. Pushgateway job `vzdump-backup`. Added 2026-06-09 (closed the silent "VMs never imaged" DR gap). Restore: `qmrestore /mnt/backup/vzdump/vzdump-qemu-<vmid>-<ts>.vma.zst <vmid>`.
 - `nfs-change-tracker.service` — Continuous inotifywait on `/srv/nfs` + `/srv/nfs-ssd`. Logs changed file paths to `/mnt/backup/.nfs-changes.log`. Consumed by offsite-sync-backup for incremental rsync (completes in seconds instead of 30+ minutes).
 
 **Synology layout** (`192.168.1.13:/volume1/Backup/Viki/`):
@@ -316,7 +380,7 @@ resource "kubernetes_persistent_volume_claim" "data_encrypted" {
 - **CrowdSec Helm upgrade times out**: `terragrunt apply` on platform stack causes CrowdSec Helm release to get stuck in `pending-upgrade`. Workaround: `helm rollback crowdsec <rev> -n crowdsec`. Root cause: likely ResourceQuota CPU at 302% preventing pods from passing readiness probes. Needs investigation.
 - **OpenClaw config is writable**: OpenClaw writes to `openclaw.json` at runtime (doctor --fix, plugin auto-enable). Never use subPath ConfigMap mounts for it — use an init container to copy into a writable volume. Needs 2Gi memory + `NODE_OPTIONS=--max-old-space-size=1536`. **`mcp.servers` baked into the ConfigMap-loaded openclaw.json gets stripped by `doctor --fix`** — register MCP servers via `openclaw mcp set <name> <json>` in the container startup command instead (CLI-written entries persist across doctor runs). Current servers wired this way: `ha`, `context7`, `playwright` (sidecar at `localhost:3000/mcp`).
 - **OpenClaw memory-core indexes `/workspace/memory/`, not `/home/node/.openclaw/memory/`**: `/home/node/.openclaw/memory/main.sqlite` is the index store, NOT a content source. Files written under `/home/node/.openclaw/memory/projects/<x>/*.md` will NOT be indexed. To populate memory-core, write Markdown under `/workspace/memory/projects/<source>/` and run `openclaw memory index --force`. This is what the daily `memory-sync` CronJob in `stacks/openclaw/` does for claude-memory → OpenClaw sync.
-- **Goldilocks VPA sets limits**: When increasing memory requests, always set explicit `limits` too — Goldilocks may have added a limit that blocks the change.
+- **(Obsolete 2026-06-12) Goldilocks VPA**: VPA/Goldilocks was uninstalled (etcd-load-reduction); the old "Goldilocks may have added a limit that blocks the change" gotcha no longer applies. Use `krr` for right-sizing.
 
 ## User Preferences
 - **Calendar**: Nextcloud at `nextcloud.viktorbarzin.me`
diff --git a/.claude/home-assistant-sofia.py b/.claude/home-assistant-sofia.py
index b0ccdca7..d8121f6c 100644
--- a/.claude/home-assistant-sofia.py
+++ b/.claude/home-assistant-sofia.py
@@ -7,6 +7,7 @@ Control and query Home Assistant entities on ha-sofia.viktorbarzin.me.
 import argparse
 import json
 import os
+import subprocess
 import sys
 from urllib.parse import urljoin
 
@@ -17,13 +18,29 @@ except ImportError:
     print("  pip install requests")
     sys.exit(1)
 
-# Configuration from environment variables (ha-sofia specific)
-HA_URL = os.environ.get("HOME_ASSISTANT_SOFIA_URL", "").rstrip("/")
-HA_TOKEN = os.environ.get("HOME_ASSISTANT_SOFIA_TOKEN")
 
-if not HA_URL or not HA_TOKEN:
-    print("ERROR: HOME_ASSISTANT_SOFIA_URL and HOME_ASSISTANT_SOFIA_TOKEN environment variables must be set.")
-    print("These should be set when activating the Claude venv (~/.venvs/claude)")
+def _token_from_homelab():
+    """Resolve the token via the homelab CLI when the env var isn't set, so the
+    script works from any directory / unprovisioned session (see ADR-0012)."""
+    try:
+        out = subprocess.run(
+            ["homelab", "ha", "token", "--instance", "sofia"],
+            capture_output=True, text=True, timeout=30)
+        if out.returncode == 0 and out.stdout.strip():
+            return out.stdout.strip()
+    except Exception:
+        pass
+    return None
+
+
+# Configuration: prefer env vars (set by the Claude venv); otherwise fall back to
+# defaults + the homelab CLI so the script is not cwd/env dependent (ADR-0012).
+HA_URL = os.environ.get("HOME_ASSISTANT_SOFIA_URL", "").rstrip("/") or "https://ha-sofia.viktorbarzin.me"
+HA_TOKEN = os.environ.get("HOME_ASSISTANT_SOFIA_TOKEN") or _token_from_homelab()
+
+if not HA_TOKEN:
+    print("ERROR: no ha-sofia API token available.")
+    print("Set HOME_ASSISTANT_SOFIA_TOKEN, or ensure `homelab ha token` works (kubeconfig reachable).")
     sys.exit(1)
 
 HEADERS = {
diff --git a/.claude/reference/authentik-state.md b/.claude/reference/authentik-state.md
index 1adb9176..2ff86141 100644
--- a/.claude/reference/authentik-state.md
+++ b/.claude/reference/authentik-state.md
@@ -5,17 +5,26 @@
 ## Applications (11)
 | Application | Provider Type | Auth Flow |
 |-------------|--------------|-----------|
-| Cloudflare Access | OAuth2/OIDC | explicit consent |
+| Cloudflare Access | OAuth2/OIDC | implicit consent |
 | Domain wide catch all | Proxy (forward auth) | implicit consent |
-| Forgejo | OAuth2/OIDC | explicit consent |
+| Forgejo | OAuth2/OIDC | implicit consent |
 | Grafana | OAuth2/OIDC | implicit consent |
-| Headscale | OAuth2/OIDC | explicit consent |
-| Immich | OAuth2/OIDC | explicit consent |
+| Headscale | OAuth2/OIDC | implicit consent |
+| Immich | OAuth2/OIDC | implicit consent |
 | Kubernetes | OAuth2/OIDC (public) | implicit consent |
 | Kubernetes Dashboard | OAuth2/OIDC (confidential) | implicit consent |
-| linkwarden | OAuth2/OIDC | explicit consent |
+| linkwarden | OAuth2/OIDC | implicit consent |
+| Vault | OAuth2/OIDC | implicit consent |
 | wrongmove | OAuth2/OIDC | implicit consent |
 
+> **2026-06-10 — every provider now uses implicit consent.** Cloudflare
+> Access (pk 9), Forgejo (20), Immich (1), Headscale (13), linkwarden (8)
+> and Vault (53) were switched from
+> `default-provider-authorization-explicit-consent` via the API (these
+> providers are UI-managed, not in TF). All are first-party apps; the
+> expiring consent screen (re-shown every 4 weeks per app) only slowed
+> first-time signin.
+
 > **Kubernetes Dashboard** (TF-managed in `stacks/k8s-dashboard/authentik.tf`):
 > confidential client `k8s-dashboard`, built for seamless dashboard SSO via
 > oauth2-proxy. **Currently IDLE** — the apiserver rejects all OIDC tokens (see
@@ -60,8 +69,27 @@
 - All sources use `invitation-enrollment` as enrollment flow (new users require invitation)
 
 ## Authorization Flows
-- **Explicit consent** (`default-provider-authorization-explicit-consent`): Shows consent screen
-- **Implicit consent** (`default-provider-authorization-implicit-consent`): Auto-redirects
+- **Explicit consent** (`default-provider-authorization-explicit-consent`): Shows consent screen — no provider uses it since 2026-06-10
+- **Implicit consent** (`default-provider-authorization-implicit-consent`): Auto-redirects — used by ALL providers
+
+## Authentication Flow (single-screen login, 2026-06-10)
+
+`default-authentication-flow` bindings: identification (order 10) →
+mfa-validation (order 30) → user-login (order 100). The identification
+stage (`default-authentication-identification`, pk
+`32aca5ab-106e-43f4-a4cc-4513d80e57f3`) has `password_stage` set to
+`default-authentication-password`, so username + password render on ONE
+screen (one round trip instead of two). The previously separate
+password-stage binding at order 20 (pk `0fc677db-a23f-4ee7-8648-da342e14573b`)
+was DELETED via the API — authentik requires removing it when the
+identification stage embeds the password field. `password_stage` is pinned in
+Terraform (`authentik_stage_identification.default_identification` in
+`stacks/authentik/authentik_provider.tf`); all other stage fields stay
+UI-managed via `ignore_changes`. Social-login buttons remain on the same
+screen and bypass the password field, so Google/GitHub/Facebook users are
+unaffected. If a future authentik upgrade/blueprint re-adds the order-20
+binding, users would briefly see a second password prompt — delete the
+binding again.
 
 ## Invitation Enrollment Flow
 Slug: `invitation-enrollment` | PK: `7d667321-2b02-4e16-8161-148078a8dac1`
@@ -138,7 +166,8 @@ Pinned via Terraform in `stacks/authentik/`:
 
 | Knob | Value | Surface | Effect |
 |------|-------|---------|--------|
-| `UserLoginStage.session_duration` on `default-authentication-login` | `weeks=4` | `authentik_stage_user_login.default_login` in `authentik_provider.tf` | Authenticated users stay logged in 4 weeks across browser restarts. No sliding refresh — resets on each login. |
+| `UserLoginStage.session_duration` on `default-authentication-login` | `weeks=4` | `authentik_stage_user_login.default_login` in `authentik_provider.tf` | Authenticated users stay logged in 4 weeks across browser restarts. No sliding refresh — resets on each login. Used by password login (`default-authentication-flow`) AND passkey login (`webauthn` flow — both terminate on this stage). |
+| `UserLoginStage.session_duration` on `default-source-authentication-login` | `weeks=4` | `authentik_stage_user_login.default_source_login` in `authentik_provider.tf` (imported 2026-06-20, id `4c6977d2-…`) | **Social logins** (Google/GitHub/Facebook, via `default-source-authentication-flow`). Was the provider default `seconds=0`, which fell back to `UNAUTHENTICATED_AGE=hours=2` — so social logins expired every **2h** while password/passkey lasted 4 weeks. Pinned `weeks=4` on 2026-06-20 to make all login paths consistent. (Surfaced when the 2026-06-18 passkey wipe forced fallback to Google login → "re-login multiple times daily".) |
 | `ProxyProvider.access_token_validity` on `Provider for Domain wide catch all` | `weeks=4` | `authentik_provider_proxy.catchall.access_token_validity` in `authentik_provider.tf` | Cookie `Max-Age` on `authentik_proxy_*` and `expires` on rows in `authentik_providers_proxy_proxysession`. Bumped 2026-05-10 from `hours=168`. **Bumping requires `kubectl rollout restart deploy/ak-outpost-authentik-embedded-outpost`** — the gorilla session store binds the value once at outpost startup; the 5-min provider refresh logs `"reusing existing session store"` and skips rebuild. |
 | `AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE` (server + worker) | `hours=2` | `server.env` + `worker.env` in `modules/authentik/values.yaml` | Anonymous Django sessions (bots, healthcheckers, partial flows) are reaped within 2h instead of the 1d default. |
 
@@ -149,7 +178,19 @@ Notes:
 - The standalone embedded-outpost deployment needs `AUTHENTIK_POSTGRESQL__{HOST,PORT,USER,PASSWORD,NAME}` env vars to reach the dbaas cluster — codified via `kubernetes_json_patches.deployment` envFrom the shared `goauthentik` Secret. The `app.kubernetes.io/component=server` pod label is also injected via JSON patch (matches the `component:server` half of the Service selector that the controller adds for embedded outposts).
 - `ProxyProvider.remember_me_offset` stays UI-managed via `ignore_changes`.
 - The Authentik provider's resource schema does **not** expose the `Outpost.managed` field. We rely on TF's "write only fields it knows about" semantic: the server-set `goauthentik.io/outposts/embedded` value is preserved across applies because Terraform never writes `managed`. Don't change the resource provider schema expectations without verifying this assumption holds.
-- The `unauthenticated_age` env var is injected via `server.env` / `worker.env` (not `authentik.sessions.unauthenticated_age`) because we set `authentik.existingSecret.secretName: goauthentik`, which makes the chart skip rendering its own `AUTHENTIK_*` Secret. The `authentik.*` value block is therefore inert in this stack — anything new under `authentik.*` must use the `*.env` arrays instead. The same applies to the existing `authentik.cache.*`, `authentik.web.*`, `authentik.worker.*` blocks (currently inert; live values come from the orphaned, helm-keep-policy `goauthentik` Secret created by chart 2025.10.3 before `existingSecret` was introduced).
+
+## WebAuthn / Passkeys (2026-06-20)
+
+- **Passkey devices live in the DB, NOT Terraform** (`WebAuthnDevice` model). They are user-owned; no TF resource or blueprint manages them. Re-enroll via the user settings UI (Authentik → Settings → MFA Devices → register a security key / passkey).
+- **2026-06-18 wipe (root cause of the "WebAuthn broke" incident):** all 6 of Viktor's passkeys were deleted (`WebAuthnDevice.objects.count()` → 0) at 19:27 by an **ad-hoc tripit passkey E2E test** run from the devvm (`python-httpx/0.28.1`, as `akadmin`). The test cleanup did `GET /core/users/?search={demo}` (a **fuzzy** search) then `DELETE /api/v3/authenticators/admin/webauthn/{pk}/` for each device of `users[0]` — but `users[0]` resolved to the **real** account, not the intended demo user. **Lesson:** any future passkey-test cleanup MUST exact-match the demo user (`username == demo`), never `users[0]` of a fuzzy `?search=`. It was a one-off ad-hoc script (no committed/scheduled copy), so nothing auto-re-deletes — re-enrollment is safe.
+- **Passkey login path itself is intact:** the identification stage's `passwordless_flow` → `webauthn` flow (UI-managed, in `ignore_changes`); the break was purely the missing device records.
+- **Provider-schema gotcha:** the pinned authentik TF provider's `authentik_stage_identification` resource exposes **no** `webauthn_stage` or `enable_remember_me` attribute (they exist on the app *model*, not in the provider schema). Do NOT add them to `ignore_changes` — `tg plan` errors `Unsupported attribute`. They are purely UI/app-managed. (Commit `4e882989` removed them for exactly this reason; re-adding breaks every apply.)
+- ALL tuned env vars are injected via `server.env` / `worker.env` (not the `authentik.*` values block) because we set `authentik.existingSecret.secretName: goauthentik`, which makes the chart skip rendering its own `AUTHENTIK_*` Secret. The `authentik.*` value block is therefore inert in this stack — anything new under `authentik.*` must use the `*.env` arrays instead. Live base values come from the orphaned, helm-keep-policy `goauthentik` Secret created by chart 2025.10.3 before `existingSecret` was introduced. **2026-06-10:** the previously-inert tuning (`AUTHENTIK_WEB__WORKERS=3`, `AUTHENTIK_WEB__THREADS=4`, `AUTHENTIK_CACHE__TIMEOUT_FLOWS=1800`, `AUTHENTIK_CACHE__TIMEOUT_POLICIES=900`, `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE=60`, `AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS=true`, worker `AUTHENTIK_WORKER__THREADS=4`) was moved into the env arrays and is now actually live — before that, pods silently ran defaults (2 gunicorn workers, 300s caches, no persistent DB conns).
+- **Outpost (2026-06-10):** `log_level=info` (was `trace` — per-request overhead on the forward-auth hot path) and `kubernetes_replicas=2` (was 1 — single-pod hot path; safe since proxy sessions live in Postgres). Both in `authentik_outpost.embedded` config.
+- **Image tag is PINNED in values (`global.image.tag`), 2026-06-10:** Keel moves the authentik image between chart releases, while helm derives the tag from the chart appVersion — an unpinned helm apply silently DOWNGRADES live pods (caused the 2026-06-10 boot storm + shared-PG failover; see `docs/post-mortems/2026-06-10-authentik-downgrade-boot-storm.md`). Before touching this chart, check the live image tag and refresh the pin.
+- **Liveness budget (2026-06-10):** `server.livenessProbe` = 6×10s, 5s timeout (chart default 3×10s/3s kill-loops pods that queue on the DB migration advisory lock during rolling restarts).
+- **PgBouncer (2026-06-10):** `idle_transaction_timeout=300` reaps ghost `idle in transaction` sessions (a killed pod mid-migration otherwise holds the migration advisory lock forever, serializing all boots); the deployment carries a config-checksum annotation so ini changes roll the pods. Do NOT set `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE` — session-mode PgBouncer pins persistent conns 1:1 (pool saturation).
+- **Static assets (2026-06-10):** a second `ingress_factory` (`module.ingress-static`, path `/static` on the authentik host) attaches the `authentik-static-cache-headers` middleware → `Cache-Control: public, max-age=31536000, immutable`. Authentik itself serves no max-age; assets are version-fingerprinted so immutable is safe. Mainly helps split-horizon internal users (no Cloudflare edge cache on the direct path).
 
 ## Upgrade Validation Checklist
 
@@ -161,8 +202,9 @@ Run after **any** of these:
 The fragile surfaces are the `kubernetes_json_patches` and the `Outpost.managed` field — both rely on assumptions that can silently break across upgrades. The checklist exercises the same path the alerts watch, so it doubles as a smoke test for the alerts.
 
 ```bash
-# 1. Service routes to the outpost pod (NOT the server pods).
-#    Empty endpoints => auth-proxy fallback fires; expected: ONE pod IP, ports 9000/9300/9443.
+# 1. Service routes to the outpost pods (NOT the server pods).
+#    Empty endpoints => auth-proxy fallback fires; expected: TWO pod IPs
+#    (kubernetes_replicas=2 since 2026-06-10), ports 9000/9300/9443.
 kubectl -n authentik get endpoints ak-outpost-authentik-embedded-outpost
 
 # 2. Service selector still excludes the server pods. Expected: includes
diff --git a/.claude/reference/proxmox-inventory.md b/.claude/reference/proxmox-inventory.md
index f2f53758..5e308aee 100644
--- a/.claude/reference/proxmox-inventory.md
+++ b/.claude/reference/proxmox-inventory.md
@@ -92,19 +92,21 @@ Channel 3:  A4 [32G] ──── A8 [32G]  ──── A12[ 8G ]     = 72 GB
 | VMID | Name | Status | CPUs | RAM | Network | Disk | Notes |
 |------|------|--------|------|-----|---------|------|-------|
 | 101 | pfsense | running | 8 | 4GB | vmbr0, vmbr1:vlan10, vmbr1:vlan20 | 32G | Gateway/firewall |
-| 102 | devvm | running | 16 | 24GB | vmbr1:vlan10 | 100G | Development VM + t3code Workstation host. 8G swapfile (swappiness=10). Capacity budget: ~4-5G RAM/active user, max ~3-4 concurrent active Claude sessions. NOT Terraform-managed. |
+| 102 | devvm | running | 16 | 24GB | vmbr1:vlan10 | 100G | Development VM + t3code Workstation host. 14G swap (8G /swapfile + 6G /swapfile2, grown 2026-06-10; swappiness=10). Capacity budget: ~4-5G RAM/active user, max ~3-4 concurrent active Claude sessions. NOT Terraform-managed. Disk controller: `virtio-scsi-single` + `scsi0 iothread=1,aio=threads` staged 2026-06-11 after the QEMU I/O stall (was `scsihw: lsi`, the only VM on the legacy path — see `docs/post-mortems/2026-06-11-devvm-qemu-io-stall.md`); applies at next cold stop→start. |
 | 103 | home-assistant | running | 8 | 8GB | vmbr0 | 64G | HA Sofia, net0(vlan10) disabled, SSH: vbarzin@192.168.1.8 |
 | 105 | pbs | stopped | 16 | 8GB | vmbr1:vlan10 | 32G | Proxmox Backup (unused) |
-| 200 | k8s-master | running | 8 | 16GB | vmbr1:vlan20 | 64G | Control plane (10.0.20.100) |
-| 201 | k8s-node1 | running | 16 | 32GB | vmbr1:vlan20 | 256G | GPU node, Tesla T4 |
-| 202 | k8s-node2 | running | 8 | 24GB | vmbr1:vlan20 | 256G | Worker |
-| 203 | k8s-node3 | running | 8 | 24GB | vmbr1:vlan20 | 256G | Worker |
-| 204 | k8s-node4 | running | 8 | 24GB | vmbr1:vlan20 | 256G | Worker |
+| 200 | k8s-master | running | 8 | 32GB | vmbr1:vlan20 | 64G | Control plane (10.0.20.100) |
+| 201 | k8s-node1 | running | 16 | 48GB | vmbr1:vlan20 | 256G | GPU node, Tesla T4 |
+| 202 | k8s-node2 | running | 8 | 32GB | vmbr1:vlan20 | 256G | Worker |
+| 203 | k8s-node3 | running | 8 | 32GB | vmbr1:vlan20 | 256G | Worker |
+| 204 | k8s-node4 | running | 8 | 32GB | vmbr1:vlan20 | 256G | Worker |
+| 205 | k8s-node5 | running | 8 | 32GB | vmbr1:vlan20 | 256G | Worker (10.0.20.105, joined 2026-05-26) |
+| 206 | k8s-node6 | running | 8 | 32GB | vmbr1:vlan20 | 256G | Worker (10.0.20.106, joined 2026-05-26) |
 | 220 | docker-registry | running | 4 | 4GB | vmbr1:vlan20 | 64G | MAC DE:AD:BE:EF:22:22 (10.0.20.10) |
 | 300 | Windows10 | running | 16 | 8GB | vmbr0 | 100G | Windows VM |
 | ~~9000~~ | ~~truenas~~ | **stopped/decommissioned** | — | — | — | — | NFS migrated to Proxmox host (192.168.1.127) at `/srv/nfs` and `/srv/nfs-ssd` |
 
-**Total VM RAM allocated**: 196 GB of 272 GB (72%) — 76 GB free for future VMs (devvm corrected 8GB→24GB 2026-06-08)
+**Total VM RAM allocated**: ~288 GB nominal across running VMs vs 272 GB physical — OVERCOMMITTED (ballooning enabled on K8s workers, host swap in use; see memory id=535/2543). K8s rows live-verified via `kubectl get nodes` capacity 2026-06-11 (master 32G, node1 48G, node2-6 32G; the old 16/32/24GB figures predated the 2026-04-02 resize and node5/6).
 
 ## VM Templates
 | VMID | Name | Purpose |
diff --git a/.claude/reference/service-catalog.md b/.claude/reference/service-catalog.md
index 633b227f..cd7b5274 100644
--- a/.claude/reference/service-catalog.md
+++ b/.claude/reference/service-catalog.md
@@ -32,7 +32,7 @@
 |---------|-------------|-------|
 | k8s-dashboard | Kubernetes dashboard at `k8s.viktorbarzin.me`. **Forward-auth + auto-injected SA token** (apiserver OIDC blocked, see design §12). nginx token-injector (`dashboard_injector.tf`) maps `X-authentik-username` → the user's `dashboard-<user>` SA token (ns admin + read-only on namespace-list/nodes only via `dashboard-nav-readonly` — no cross-tenant reads, `rbac/.../dashboard-sa.tf`; admins → cluster-admin SA) and sets `Authorization: Bearer` → no token-paste, dashboard auto-authenticates per user. Forward-auth admits `kubernetes-*` groups for this host (`stacks/authentik/admin-services-restriction.tf`). oauth2-proxy + `k8s-dashboard` OIDC app built but idle. | k8s-dashboard |
 | reverse-proxy | Generic reverse proxy | reverse-proxy |
-| t3code | Multi-user coding-agent GUI at t3.viktorbarzin.me. `auth=required` (Authentik) → DevVM `t3-dispatch` service (`10.0.10.10:3780`, unprivileged user) maps `X-authentik-username` → that user's own `t3-serve@<u>` instance (file perms enforced by uid; wizard→:3773, emo→:3774; unmapped→403) and **auto-injects the t3 session on first visit** (mints via the root `t3-mint` wrapper, scoped sudoers → `/api/auth/bootstrap` `t3_session` cookie). **Source of truth = `infra/scripts/workstation/roster.yaml`** (os_user → authentik_user/k8s_user/tier/namespaces); `roster_engine.py` (pytest-covered) derives desired state and `t3-provision-users` (hourly systemd timer) applies it — constrained accounts, additive per-tier groups, `t3-serve@<u>` instances, and **regenerating** `/etc/ttyd-user-map` + `dispatch.json` (those two are now GENERATED — do not hand-edit). New non-admins inherit wizard's Claude config (machine-wide managed `claudeMd` in `/etc/claude-code/managed-settings.json` + per-user `~/.claude/{skills,rules}` symlinks seeded by `/etc/skel`) and get a **writable git-crypt-LOCKED** infra clone at `~/code` (code plaintext, secret files ciphertext). Tiers: admin / power-user (cluster-wide read-only) / namespace-owner. **Add a user:** one entry in `roster.yaml` → reconcile. Per-user OIDC kubeconfig, the `oidc-power-user-readonly` ClusterRole, and the Authentik `T3 Users` edge gate are applied (the gate is live — only `T3 Users` members reach t3); the emo cutover to his own locked clone is the remaining gated step. DevVM artifacts versioned in `infra/scripts/` (`t3-serve@.service`, `t3-provision-users` + `workstation/{roster.yaml,roster_engine.py,setup-devvm.sh,managed-settings.json,skel/}`, `t3-dispatch/`, `t3-mint`, `sudoers-t3-autopair`, `t3-autoupdate.*`); TF (`stacks/t3code`) owns only the ingress + Endpoints→:3780. **t3 binary tracks `nightly`** via `t3-autoupdate` (daily systemd timer; health-check + auto-rollback on a bad build; restarts only idle instances) — so new models (e.g. Opus 4.8) land as t3 ships them. Native app/app.t3.codes unsupported (cross-origin) — deferred until published. Design: `docs/plans/2026-06-01-t3-auto-provision-*`. | t3code |
+| t3code | Multi-user coding-agent GUI at t3.viktorbarzin.me. `auth=required` (Authentik) → DevVM `t3-dispatch` service (`10.0.10.10:3780`, unprivileged user) maps `X-authentik-username` → that user's own `t3-serve@<u>` instance (file perms enforced by uid; wizard→:3773, emo→:3774; unmapped→403) and **auto-injects the t3 session on first visit** (mints via the root `t3-mint` wrapper, scoped sudoers → `/api/auth/bootstrap` `t3_session` cookie). **Source of truth = `infra/scripts/workstation/roster.yaml`** (os_user → authentik_user/k8s_user/tier/namespaces); `roster_engine.py` (pytest-covered) derives desired state and `t3-provision-users` (hourly systemd timer) applies it — constrained accounts, additive per-tier groups, `t3-serve@<u>` instances, and **regenerating** `/etc/ttyd-user-map` + `dispatch.json` (those two are now GENERATED — do not hand-edit). New non-admins inherit wizard's Claude config (machine-wide managed `claudeMd` in `/etc/claude-code/managed-settings.json` + per-user `~/.claude/{skills,rules}` symlinks seeded by `/etc/skel`) and get a **writable git-crypt-LOCKED** infra clone at `~/code` (code plaintext, secret files ciphertext). Tiers: admin / power-user (cluster-wide read-only) / namespace-owner. **Add a user:** one entry in `roster.yaml` → reconcile. Per-user OIDC kubeconfig, the `oidc-power-user-readonly` ClusterRole, and the Authentik `T3 Users` edge gate are applied (the gate is live — only `T3 Users` members reach t3); the emo cutover to his own locked clone is the remaining gated step. DevVM artifacts versioned in `infra/scripts/` (`t3-serve@.service`, `t3-provision-users` + `workstation/{roster.yaml,roster_engine.py,setup-devvm.sh,managed-settings.json,skel/}`, `t3-dispatch/`, `t3-mint`, `sudoers-t3-autopair`, `t3-autoupdate.*`, `t3-safe-restart.sh`, `t3-migrate-idle.*`); TF (`stacks/t3code`) owns only the ingress + Endpoints→:3780. **t3 AUTO-TRACKS the `nightly` npm dist-tag** (Viktor 2026-06-16, reversing the post-2026-06-09 pin; churn risk accepted) — `t3-autoupdate` is a daily GATED tracker that follows `t3@nightly` but gates every bump so a bad build self-heals: downgrade-guard → pre-bump `VACUUM INTO` backup → health-check that SEEDS a copy of a real POPULATED `state.sqlite` to exercise the forward migration + the real mint→exchange→`t3_session` pairing handshake → canary-restart idle instances ONE AT A TIME with per-instance dispatch pairing verify → auto-rollback to last-good + self-freeze on failure (active-agent instances deferred, never killed; last-good in `/var/lib/t3-autoupdate/last-good`). **Deferred instances are drained overnight by `t3-migrate-idle.timer`** (every 20 min 01:00–05:40): it restarts a still-stale `t3-serve@<u>` onto the current binary only when that user's `state.sqlite` shows no in-flight turn (`active_turn_id`) + ≥15 min quiet (`T3_MIGRATE_QUIET_SECONDS`), via the shared `t3-safe-restart.sh` (the same backup→restart→verify→recover helper the canary uses) — fixing the chronic skew where a user busy at every 04:00 window never migrated and saw "Client and server versions differ". The 2026-06-09 outage was the SAME nightly channel WITHOUT these gates. Freeze/revert now: `sudo touch /etc/t3-autoupdate.freeze` (or set `T3_PIN=<ver>` to hard-pin); preview a build with `T3_DRY_RUN=1`. Channel via `T3_TRACK` in `t3-autoupdate.sh` + `setup-devvm.sh` (keep in sync). Full ops + manual rollback: `docs/runbooks/t3-version-bump.md`. `t3-dispatch` is **version-agnostic** (2026-06-09): `autoPair` tries `/api/auth/browser-session` (0.0.25) then falls back to `/api/auth/bootstrap` (0.0.24), so 0.0.24↔0.0.25 needs no dispatch change. `~/.t3` is backed up daily by `t3-backup-state` (online `VACUUM INTO`; previously unbacked — it's the only copy). Native app/app.t3.codes unsupported (cross-origin) — deferred until published. Design: `docs/plans/2026-06-01-t3-auto-provision-*`. **Drop attribution (2026-06-10):** `t3-probe` Deployment (same ns) holds differential legs — `cloudflare` (full public path via DoH-pinned DNS), `internal` (Traefik LB only), `t3serve` (devvm:3773 direct) — against dispatch's unauthenticated `/probe` carve-out (walloff-guarded); Prometheus job `t3-probe`, alerts `T3ProbeLegDown`/`T3ProbeDropBurst`, runbook `docs/runbooks/t3-drop-attribution.md`. `t3-serve@` units carry memory containment (`MemoryHigh=12G/MemoryMax=16G/MemorySwapMax=0/OOMPolicy=continue`) so a runaway agent OOMs alone instead of freezing devvm. **Connection logs (2026-06-11):** `t3-dispatch` logs every `/ws` open/close with `dur_ms` + `cause` (`downstream_closed`=client/CF/Traefik hung up → last-mile; `upstream_closed`=t3-serve closed; `graceful`); devvm journald now ships to Loki via `scripts/devvm-promtail.*` (`{job="devvm-journal"}` + `{job="sshd-devvm"}`), joining Traefik `/ws`-duration + cloudflared close events already in Loki for full per-drop attribution without a repro. **Empirical (2026-06-11):** direct-to-t3-serve held one WS 40 min (0 drops) while a real tunnel session cycled 5×/90s → drop originates above t3-serve on the public path, NOT in t3-serve itself; `t3 auth pairing create`+`/api/auth/browser-session` works, and dispatch **auto-pair was re-verified healthy on the live pin 2026-06-16** (cookieless `X-authentik-username` → 302 + `t3_session`) — the earlier transient 401 note no longer reproduces, and the new dispatch pairing logs + `T3PairingBroken`/`T3PairFallbackHigh` Loki alerts now watch pairing continuously. | t3code |
 
 ## Active Use
 | Service | Description | Stack |
@@ -41,13 +41,15 @@
 | shadowsocks | Proxy | shadowsocks |
 | webhook_handler | Webhook processing | webhook_handler |
 | tuya-bridge | Smart home bridge | tuya-bridge |
+| android-emulator | Shared Android 16 test emulator (adb 10.0.20.200:5555, noVNC android-emulator.viktorbarzin.lan) | android-emulator |
+| anisette | Self-hosted Apple anisette-data server (Dadoum/anisette-v3-server, digest-pinned) for sideloading the TripIt iOS Shell via SideStore; internal-only http://anisette.viktorbarzin.lan, auth=none, LAN-only, stateless | anisette |
 | dawarich | Location history | dawarich |
 | owntracks | Location tracking | owntracks |
 | nextcloud | File sync/share | nextcloud |
 | calibre | E-book management (may be merged into ebooks stack) | calibre |
 | onlyoffice | Document editing | onlyoffice |
-| f1-stream | F1 streaming (uses chrome-service for hmembeds verifier); source in own repo `viktor/f1-stream` (Forgejo, extracted 2026-06-05), Woodpecker-native build->deploy (repo id 166) | f1-stream |
-| chrome-service | Headed Chromium WebSocket pool (`ws://chrome-service.chrome-service.svc:3000/<token>`) for sibling services driving anti-bot embeds | chrome-service |
+| f1-stream | F1 streaming (uses chrome-service for hmembeds verifier); canonical source in own repo `viktor/f1-stream` (Forgejo, extracted 2026-06-05); GHA-built → `ghcr.io/viktorbarzin/f1-stream` (private), Woodpecker deploy-only (ADR-0002) | f1-stream |
+| chrome-service | Headed Chromium over CDP (`http://chrome-service.chrome-service.svc:9222`, `connect_over_cdp`; legacy `:3000/<token>` WS pool removed 2026-06-04) for sibling services driving anti-bot pages — snapshot-harvester CronJob + tripit fare scrape | chrome-service |
 | rybbit | Analytics | rybbit |
 | isponsorblocktv | SponsorBlock for TV | isponsorblocktv |
 | actualbudget | Budgeting (factory pattern) | actualbudget |
@@ -55,7 +57,7 @@
 | trading-bot | Event-driven trading with sentiment analysis | trading-bot |
 | claude-memory | Persistent memory MCP server | claude-memory |
 | paperless-mcp | Paperless-ngx document search MCP (barryw/PaperlessMCP). Traefik bearer auth via Aetherinox api-token-middleware. `auth=none` at ingress; gateway-level bearer enforced by `paperless-mcp/bearer-auth` Middleware CRD. Tokens + paperless API token in Vault `secret/paperless-mcp`. | paperless-mcp |
-| council-complaints | Islington civic reporting pilot | council-complaints |
+| paperless-ai | AI layer over Paperless-ngx (clusterzx/paperless-ai): semantic/RAG document search (Chat) + auto-tagging. Local embeddings (sentence-transformers MiniLM) + ChromaDB on the PVC — search is GPU-free. LLM (chat answers + tagging) via in-cluster llama-swap `qwen3-8b` (`SYSTEM_PROMPT=/no_think` to keep Qwen3 output parseable). `auth=required` (Authentik) at `paperless-ai.viktorbarzin.me`. Reads Paperless over the internal svc as a dedicated `paperless-ai` superuser. **Runtime config + app-admin live in the PVC `.env`/SQLite (written once via the app's setup flow), NOT TF env — its dotenv loader does not override `process.env`, so container env shadows the `.env`.** Vault `secret/paperless-ai` (paperless_api_token, api_key, custom_api_key, app_admin_*). | paperless-ai |
 
 ## Optional
 | Service | Description | Stack |
@@ -93,7 +95,7 @@
 | n8n | Workflow automation | n8n |
 | real-estate-crawler | Property crawler | real-estate-crawler |
 | tor-proxy | Tor proxy | tor-proxy |
-| forgejo | Git forge | forgejo |
+| forgejo | Git forge. Open native self-signup (Turnstile captcha + email confirm) + Authentik & GitHub OAuth sign-in; see `docs/runbooks/forgejo-open-signups.md` | forgejo |
 | freshrss | RSS reader | freshrss |
 | navidrome | Music streaming | navidrome |
 | networking-toolbox | Network tools | networking-toolbox |
@@ -116,7 +118,7 @@
 | status-page | Status page | status-page |
 | plotting-book | Book plotting/world-building app | plotting-book |
 | tripit | Self-hosted TripIt-clone travel-itinerary PWA (FastAPI + SvelteKit SPA, same-origin). CNPG (`tripit` db, Vault static role `pg-tripit`) + RWX NFS trip-doc vault (`/srv/nfs/tripit-documents`) + RWO `proxmox-lvm-encrypted` personal-document vault `tripit-personal-documents` (passports/IDs — AES-256-GCM app-layer envelope, master key `DOCUMENT_ENCRYPTION_KEY` in `secret/tripit`). `auth=required` (Authentik forward-auth, reads `X-authentik-email`); second `auth=none` ingress on `/api/calendar` for HMAC-token-gated `.ics` feed. Email-ingest CronJob `tripit-ingest-plans` (`*/15`) is the SOLE inbound path — forward a booking to plans@viktorbarzin.me (catch-all → spam@), polled read-only and routed ONLY to a registered user / verified linked address (no default-owner fallback; strangers ignored), parsed by local LLM (`qwen3vl-4b`), and the sender is emailed the outcome (Added to trip / Couldn't import). Plus `tripit-poll-flights`, `tripit-run-reminders`, `tripit-transport-nudge`, `tripit-weather-brief`. (The old Gmail-scrape `tripit-ingest-mail` CronJob was removed 2026-06-05.) App secrets in Vault `secret/tripit`. | tripit |
-| stem95su | STEM educational platform for **95. СУ „Проф. Иван Шишманов"** (Sofia school) at stem95su.viktorbarzin.me. Public **open** static site (`auth=none` — CrowdSec + ai-bot-block, no login). Stock `nginx:1.28-alpine` serving content **straight off PVE host NFS** `/srv/nfs/stem-site` (RWX `nfs_volume`, mounted read-only) — **NOT** image-baked, so the externally-authored (Gemini-exported) HTML/media updates with no rebuild; auto-backed-up offsite by `nfs-mirror`. **Content source = Google Drive folder "claude"** (id `1cmOI2jRyBJdnrVPgbr4kx2cx_4DY6pm_`, shared Valentina→vbarzin@gmail.com). **Deploy is ON-DEMAND, no scheduled job** (deliberate — short-term content, avoid rotting artifacts): mirror Drive→NFS via a throwaway `rclone/rclone` container using the existing `google_workspace` OAuth creds in Vault `secret/viktor` (`google_workspace_mcp_token_json`) → rsync to `/srv/nfs/stem-site` (empty-source guard). Just ask Claude to "sync stem95su from Drive" (recipe in claude-memory). Nextcloud "PVE NFS Pool"/rsync still works as a manual fallback. Dashboard `stem_board.html` served at `/` via a small nginx ConfigMap (`index`). No DB, no in-cluster secrets. Reference impl for the NFS-backed static-site pattern (see patterns.md). | stem95su |
+| stem95su | STEM educational platform for **95. СУ „Проф. Иван Шишманов"** (Sofia school) at stem95su.viktorbarzin.me. Public **open** static site (`auth=none` — CrowdSec + ai-bot-block, no login). Stock `nginx:1.28-alpine` serving content **straight off PVE host NFS** `/srv/nfs/stem-site` (RWX `nfs_volume`, mounted read-only) — **NOT** image-baked, so the externally-authored (Gemini-exported) HTML/media updates with no rebuild; auto-backed-up offsite by `nfs-mirror`. **Content source = Google Drive folder "claude"** (id `1cmOI2jRyBJdnrVPgbr4kx2cx_4DY6pm_`, shared Valentina→vbarzin@gmail.com). **Deploy = scheduled mirror** (since 2026-06-09, reversed the earlier on-demand-only call once content went active): CronJob `stem95su-gdrive-sync` (`*/10`, `stacks/stem95su/gdrive-sync.tf`) mounts the content PVC RW and `rclone sync`s the Drive folder onto it (`docker.io/rclone/rclone:1.74.3`, `scope=drive.readonly` — Drive is READ-ONLY; empty-source guard + `--max-delete 25` so a partial listing can't wipe the site). rclone creds (OAuth refresh-token) in Vault `secret/stem95su` (`rclone_conf`) → ESO secret `stem95su-rclone`. **Requires the GCP OAuth app (project home-lab-1700868541205) published to "Production"** or the refresh token expires ~weekly (re-mint + `vault kv put secret/stem95su rclone_conf=…` after publishing); a dead token surfaces as a failed Job. Manual on-demand sync still possible (throwaway rclone container from devvm; recipe in claude-memory). Nextcloud "PVE NFS Pool"/rsync is a manual fallback. Dashboard `stem_board.html` served at `/` via a small nginx ConfigMap (`index`). No DB, no in-cluster secrets. Reference impl for the NFS-backed static-site pattern (see patterns.md). | stem95su |
 | trek | **TRIAL (2026-06-05)** — self-hosted group-trip planner (upstream [TREK](https://github.com/mauriceboe/TREK), `mauriceboe/trek:3.0.22`, AGPL-3.0). Solo evaluation behind Authentik forward-auth (`auth=required`) before deciding build-vs-adopt; covers collaborative trip planning + accommodation records + activities + per-person budget splitting on free OpenStreetMap (no paid maps key). SQLite + uploads on `proxmox-lvm-encrypted` (`trek-data-encrypted` 2Gi, `trek-uploads-encrypted` 5Gi). For the trial only: `ENCRYPTION_KEY` is TREK-auto-generated onto the data PVC and the bootstrap admin (`admin@trek.local`) is printed to pod logs — NO Vault/ESO wiring (graduation TODO: move key to `secret/trek` + ESO, add an app-level SQLite backup CronJob since host file-backup can't read the LUKS PVC, wire TREK↔Authentik OIDC). Pinned image, TF-managed (no CI/Keel). Availability-poll companion (Rallly) deferred. Teardown: `tg destroy` in `stacks/trek`. | trek |
 
 ## Cloudflare Domains
diff --git a/.claude/skills/home-assistant/SKILL.md b/.claude/skills/home-assistant/SKILL.md
index fe761f8c..ab07a27f 100644
--- a/.claude/skills/home-assistant/SKILL.md
+++ b/.claude/skills/home-assistant/SKILL.md
@@ -11,8 +11,8 @@ description: |
   There are TWO Home Assistant deployments: ha-london (default) and ha-sofia.
   Always use Home Assistant for smart home control.
 author: Claude Code
-version: 2.0.0
-date: 2026-02-07
+version: 2.1.0
+date: 2026-06-24
 ---
 
 # Home Assistant Control
@@ -44,6 +44,12 @@ There are **two** Home Assistant instances:
 - Environment variables for each instance:
   - **ha-london**: `HOME_ASSISTANT_URL` and `HOME_ASSISTANT_TOKEN`
   - **ha-sofia**: `HOME_ASSISTANT_SOFIA_URL` and `HOME_ASSISTANT_SOFIA_TOKEN`
+  - If those env vars aren't set (e.g. you're not in the infra repo / Claude venv), don't hand-roll a `kubectl | base64 | jq` token pipeline — use the global **`homelab` CLI** instead (on `$PATH` in any directory):
+
+## homelab CLI (preferred — works from any directory)
+- **Token**: `homelab ha token [--instance sofia|london]` resolves the long-lived API token live from the cluster. Use it directly in curl: `curl -H "Authorization: Bearer $(homelab ha token)" https://ha-sofia.viktorbarzin.me/api/states`. (The `home-assistant-sofia.py` script also auto-falls-back to this when its env var is unset.)
+- **Host shell** (ha-sofia): `homelab ha ssh -- <cmd>` runs a command on the HA host with deterministic non-interactive ssh (no host-key prompt) — e.g. `homelab ha ssh -- "sudo docker ps"`, `homelab ha ssh -- "cat /config/configuration.yaml"`. Replaces bespoke `ssh -o StrictHostKeyChecking=no …` invocations.
+- **Cluster metrics/logs** (not HA-specific): prefer `homelab metrics query "<promql>"` / `homelab logs query "<logql>"` over hand-rolled `curl …/api/v1/query`, and `homelab claim`/`release` over calling `scripts/presence` directly.
 
 ## API Control
 
@@ -389,14 +395,27 @@ Advanced SSH, File Editor, Studio Code Server, InfluxDB, Mosquitto, Node-RED, Fr
 ## ha-london Knowledge Map
 
 ### Overview
-- **HA Version**: 2025.9.1 (Docker container on Raspberry Pi)
+- **HA Version**: 2026.5.2 on **Home Assistant OS** (HAOS — managed appliance, NOT a `docker run` container). Latest is 2026.6.4 (update available, deliberately not applied).
 - **Location**: London, UK
-- **Platform**: Raspberry Pi 4, HA OS (not Docker standalone)
-- **SSH**: `ssh hassio@192.168.8.103` (requires `sudo` for file access)
-- **Config path**: `/config/` (requires `sudo` for file access)
+- **Platform**: Raspberry Pi 4, HA OS
+- **Access from the Sofia devvm**: london is **remote** — `homelab ha ssh --instance london` generally WON'T connect (ADR-0012). Drive it via the API: `homelab ha token --instance london` + `https://ha-london.viktorbarzin.me/api/...`, and the WebSocket API `wss://ha-london.viktorbarzin.me/api/websocket` for dashboards / config-entries / HACS installs.
+- **SSH (only from the London LAN)**: `ssh hassio@192.168.8.103` (requires `sudo` for file access)
+- **Config path**: `/config/`
 - **3 tracked people**: Viktor Barzin, Anca Milea, Gheorghe Milea
 - **Zone**: London (home)
 
+### Dashboards (redesigned 2026-06-24)
+**Glossary** (HA terms — keep distinct):
+- **Dashboard** = a sidebar entry (Overview, Air Quality, Map). Sidebar *order* is a per-USER frontend preference, not in any dashboard config.
+- **View** = a tab inside a dashboard. View order is global (stored in the dashboard config).
+- **Card** = a widget inside a view.
+
+- **Overview** (`lovelace`, the default): responsive **sections** views, styled with Mushroom + mini-graph-card.
+  - **Home** tab: *Who's home* · *Comfort & Air* (CO₂/temp/humidity/PM2.5/VOC chips + CO₂ and temp/humidity trend graphs + link to Air Quality) · *Cowboy* (battery/range/last-ride) · *Energy* (5 Kasa plugs + power trend) · *Quick actions* (Netflix/Stremio/Night).
+  - **More** tab: *Network* (GL-MT6000 router) · *System* (HA version/update, last backup, RPi power) · *Phones*.
+- **Air Quality** (`air-quality`): deep-dive (views: Home, Detailed). (`detialed`→`detailed` path typo fixed 2026-06-24.)
+- Built via the WS `lovelace/config/save` API (london is remote — no SSH path).
+
 ### Key Systems
 
 #### 1. Smart Plugs (TP-Link Kasa) — Energy Monitoring
@@ -418,10 +437,15 @@ Named plugs with power/energy tracking:
 - PM1.0/2.5/4.0/10 particulate sensors
 - VOC, NOx, ammonia, CO, ethanol, hydrogen, methane, NO2 gas sensors
 
-#### 3. Cowboy E-Bike
-- `sensor.bike_state_of_charge`: Battery %
-- `sensor.bike_total_distance`: Total km
-- `sensor.bike_total_co2_saved`: CO2 saved (grams)
+#### 3. Cowboy E-Bike (`elsbrock/cowboy-ha`)
+Bike named **"Classic Performance"** → entities are `sensor.classic_performance_*` (26 total). The old `sensor.bike_*` names are GONE (they were the dead `jdejaegh` integration).
+- `sensor.classic_performance_remaining_battery`: Battery % (was `sensor.bike_state_of_charge`)
+- `sensor.classic_performance_remaining_range`: Range km
+- `sensor.classic_performance_mileage`: Total km (was `sensor.bike_total_distance`)
+- `sensor.classic_performance_saved_co2`: Lifetime CO2 saved (was `sensor.bike_total_co2_saved`)
+- Plus `_distance_today`, `_last_trip_*`, `_battery_health`, `device_tracker.classic_performance`, etc.
+- **GOTCHA**: live battery/range/mileage read `unknown` while the bike is parked/asleep — Cowboy only reports live SoC when awake (ridden/charging); trip-history + `distance_today` stay live regardless.
+- Auth: account **email+password** (no AWS Cognito — that was the dead `jdejaegh`/`cowboybike` lineage). Setup via UI config flow / REST `config_entries/flow`. Creds in Vaultwarden item **"cowboy bike"** (`homelab vault get "cowboy bike"`).
 
 #### 4. Uptime Monitoring (UptimeRobot)
 - `sensor.blog`: blog uptime
@@ -440,12 +464,17 @@ Named plugs with power/energy tracking:
 - Scripts: `script.start_netflix`, `script.start_stremio`
 - Scene: `scene.night` (turns off Livia + Michelle plugs)
 
-### Custom Components
-- **cowboy**: Cowboy e-bike integration (HACS)
-- **hildebrandglow_dcc**: UK smart meter DCC energy data (HACS)
+### Custom Components (HACS integrations)
+- **cowboy** (`elsbrock/cowboy-ha` v1.2.0): Cowboy e-bike — revived 2026-06-24. The old `jdejaegh/home-assistant-cowboy` repo is **dead (404)**; don't chase it.
+- **hildebrandglow_dcc**: UK smart meter DCC energy — **DISABLED by user** (config entry `disabled_by: user`), not broken.
+
+### HACS frontend cards (plugins)
+- **Mushroom** (`piitaya/lovelace-mushroom`), **mini-graph-card** (`kalkih/mini-graph-card`), **plotly-graph-card** (`dbuezas/lovelace-plotly-graph-card`) — used by the redesigned Overview. Install over WS `hacs/repository/download`; resources auto-register in storage mode.
 
 ### Integrations
-ESPHome, TP-Link Kasa, Tapo, UptimeRobot, Cowboy, Hildebrand Glow DCC, Oral-B BLE, Ookla Speedtest, HACS, OpenRouter (multiple free LLMs), Piper (local TTS), Whisper (local STT), Android TV/ADB
+ESPHome, TP-Link Kasa, Tapo, UptimeRobot, **Cowboy** (elsbrock), Oral-B BLE, Ookla Speedtest (exposes only an `update` entity, no live speed sensors), HACS, OpenRouter (free LLMs), Piper (TTS), Whisper (STT), Android TV/ADB.
+- **Disabled by user (NOT broken)**: `met` + `metoffice` (weather — so `weather.*` entities are ABSENT), `roomba` (Rumi vacuum), `hildebrandglow_dcc` (energy).
+- **Failing**: `tplink` **Tapo P100** projector plug — `setup_retry`, 403 KLAP handshake from 192.168.8.108 (plug off / firmware). Left as-is.
 
 ### AI / Voice Assistants
 - 5 free LLM conversation agents: Google Gemma 3 27B, Meta Llama 3.2 3B, Mistral Devstral 2, OpenAI GPT-OSS-20B, Z.AI GLM 4.5 Air
@@ -460,15 +489,8 @@ ESPHome, TP-Link Kasa, Tapo, UptimeRobot, Cowboy, Hildebrand Glow DCC, Oral-B BL
 - Anca arrival/departure notifications
 - Night scene: turns off Livia + Michelle
 
-### Docker Setup
-```bash
-docker run -d --name homeassistant --privileged \
-  -e TZ=Europe/London \
-  -v /home/pi/docker/homeAssistant:/config \
-  -v /run/dbus:/run/dbus:ro \
-  --network=host --restart=unless-stopped \
-  homeassistant/home-assistant:2025.9
-```
+### Platform (HAOS — ignore any legacy `docker run` snippet)
+ha-london runs **Home Assistant OS** (managed appliance), NOT a hand-run Docker container. There is no `docker run homeassistant/home-assistant` to manage. Install HACS components over the WebSocket API (`hacs/repository/download` with the repo's HACS id), then restart via `POST /api/services/homeassistant/restart` — a HAOS restart drops automations for ~1–2 min and resets `sensor.uptime` (use that as the "back up" marker).
 
 ### SSH Access
 ```bash
diff --git a/.claude/skills/upgrade-state/SKILL.md b/.claude/skills/upgrade-state/SKILL.md
index a2027a50..34fe4731 100644
--- a/.claude/skills/upgrade-state/SKILL.md
+++ b/.claude/skills/upgrade-state/SKILL.md
@@ -51,7 +51,7 @@ Exit codes: `0` healthy, `1` attention warranted, `2` stalled / broken.
 |---|---|---|---|
 | **Apps** | Keel polls every watched Deployment's container registry; rolls on new digest | hourly | Prom (`pending_approvals`, `registries_scanned_total`), Keel pod logs |
 | **OS** | `unattended-upgrades` in-release patching; `kured` reboots when `/var/run/reboot-required` is set | daily 02:00-06:00 London | SSH fan-out to all 5 nodes |
-| **K8s** | `k8s-version-check` CronJob detects new kubeadm patch/minor; spawns the Job-chain that drains+upgrades node-by-node | daily 12:00 UTC | Pushgateway (`k8s_upgrade_*`), `kubectl get nodes` |
+| **K8s** | `k8s-version-check` CronJob detects new kubeadm patch/minor; spawns the Job-chain that drains+upgrades node-by-node | nightly 23:00 UTC | Pushgateway (`k8s_upgrade_*`), `kubectl get nodes` |
 
 The K8s pipeline pushes a small set of gauges to the Prometheus
 Pushgateway (`prometheus-prometheus-pushgateway.monitoring:9091`):
@@ -61,8 +61,11 @@ Pushgateway (`prometheus-prometheus-pushgateway.monitoring:9091`):
 - `k8s_upgrade_in_flight` — 0/1
 - `k8s_upgrade_started_timestamp` — when the current chain started (0 when idle)
 
-`K8sUpgradeStalled` alert fires when `in_flight=1` and the chain has
-been running >90 minutes. The script raises `✗` in the same window.
+`K8sUpgradeStalled` fires when `in_flight=1` and the chain has been running
+>90 minutes. `K8sUpgradeChainJobFailed` fires when a phase Job terminally
+failed — including a **preflight that aborted before `in_flight` was set**
+(the gates exit pre-metric). The script raises `✗` for either, and reads the
+Jobs directly, so it also catches a Failed preflight that left no metric.
 
 ## Status-icon legend
 
@@ -72,7 +75,7 @@ been running >90 minutes. The script raises `✗` in the same window.
 | `→` | Update available, not yet applied (K8s patch/minor) |
 | `…` | In flight — chain currently running |
 | `⚠` | Attention: held-with-bumps, recent errors, pending approvals |
-| `✗` | Broken: pod down, alert firing, chain stalled |
+| `✗` | Broken: pod down, alert firing, chain stalled, or a chain Job failed |
 
 ## Drill-down — when a row trips, what to do
 
@@ -177,6 +180,31 @@ kubectl -n monitoring exec deploy/prometheus-server -c prometheus-server -- sh -
        --header='Content-Type: text/plain'"
 ```
 
+### K8s `✗ chain failed` — a phase Job terminally failed
+
+`K8sUpgradeChainJobFailed` would fire. Most often a **preflight** that aborted
+on a gate (a critical alert firing, a node not Ready, a kubeadm-plan mismatch) —
+these exit before `in_flight` is set, so `K8sUpgradeStalled` never sees them, and
+the deterministic name + 7d TTL blocked re-spawn (the 2026-06-12 5-day wedge).
+
+```bash
+kubectl -n k8s-upgrade get jobs
+kubectl -n k8s-upgrade describe job <failed-job>    # check the Failed reason
+# Preflight abort reasons post to Slack ONLY (not stdout), so Loki won't have
+# them. Replay the gate instead — which critical alerts were firing at the
+# failure time? (ALERTS{severity="critical"} in Prometheus, query at that ts.)
+```
+
+Recovery is now mostly automatic: the detection CronJob and `spawn_next`
+re-spawn a terminally-Failed Job on the next cycle (retry-on-failure), so a
+transient gate clears within ~24h. To expedite, delete the Failed Job and
+trigger detection:
+
+```bash
+kubectl -n k8s-upgrade delete job <failed-job>
+kubectl -n k8s-upgrade create job --from=cronjob/k8s-version-check manual-detect-$(date +%s)
+```
+
 ### K8s `✗ detection stale` — last detection >9 days
 
 ```bash
diff --git a/.github/workflows/build-android-emulator.yml b/.github/workflows/build-android-emulator.yml
new file mode 100644
index 00000000..3e9ffd5d
--- /dev/null
+++ b/.github/workflows/build-android-emulator.yml
@@ -0,0 +1,36 @@
+name: Build android-emulator
+
+# ADR-0002: infra-owned image built off-infra on GHA → ghcr (public).
+# Large image (Android SDK + emulator); on-demand workload (scaled 0). Rebuilds
+# rare → dispatch + path trigger.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'stacks/android-emulator/docker/**'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: stacks/android-emulator/docker
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/viktorbarzin/android-emulator:latest
+            ghcr.io/viktorbarzin/android-emulator:${{ github.sha }}
diff --git a/.github/workflows/build-chrome-service-browser.yml b/.github/workflows/build-chrome-service-browser.yml
new file mode 100644
index 00000000..9d2129c8
--- /dev/null
+++ b/.github/workflows/build-chrome-service-browser.yml
@@ -0,0 +1,39 @@
+name: Build chrome-service-browser
+
+# ADR-0002: infra-owned image built off-infra on GHA → ghcr. Playwright base +
+# real Google Chrome (proprietary H.264/AAC codecs) for the chrome-service
+# browser container, so the noVNC view can play H.264 video (Reels). Rebuilds
+# are rare → dispatch + path trigger. NOTE: after the first push, set the ghcr
+# package `chrome-service-browser` to PUBLIC (same as chrome-service-novnc) so
+# the pod pulls it without credentials.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'stacks/chrome-service/files/chrome/**'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: stacks/chrome-service/files/chrome
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/viktorbarzin/chrome-service-browser:latest
+            ghcr.io/viktorbarzin/chrome-service-browser:${{ github.sha }}
diff --git a/.github/workflows/build-chrome-service-novnc.yml b/.github/workflows/build-chrome-service-novnc.yml
new file mode 100644
index 00000000..78daa6e5
--- /dev/null
+++ b/.github/workflows/build-chrome-service-novnc.yml
@@ -0,0 +1,36 @@
+name: Build chrome-service-novnc
+
+# ADR-0002: infra-owned image built off-infra on GHA → ghcr (public).
+# Source Dockerfile identical on both git remotes, so the github checkout builds
+# the current image. Rebuilds are rare (stable noVNC proxy) → dispatch + path.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'stacks/chrome-service/files/novnc/**'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: stacks/chrome-service/files/novnc
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/viktorbarzin/chrome-service-novnc:latest
+            ghcr.io/viktorbarzin/chrome-service-novnc:${{ github.sha }}
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
new file mode 100644
index 00000000..f27856dc
--- /dev/null
+++ b/.github/workflows/build-cli.yml
@@ -0,0 +1,41 @@
+name: Build infra CLI
+
+# ADR-0002: infra CLI built off-infra on GHA. Replaces the Woodpecker
+# build-cli.yml. Pushes to DockerHub (public distribution, kept) + ghcr.
+# Not a cluster workload — a distributed tool image.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'cli/**'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: cli
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            viktorbarzin/infra:latest
+            ghcr.io/viktorbarzin/infra-cli:latest
+            ghcr.io/viktorbarzin/infra-cli:${{ github.sha }}
diff --git a/.github/workflows/build-infra-ci.yml b/.github/workflows/build-infra-ci.yml
new file mode 100644
index 00000000..f3a4614f
--- /dev/null
+++ b/.github/workflows/build-infra-ci.yml
@@ -0,0 +1,37 @@
+name: Build infra-ci
+
+# ADR-0002: the infra CI toolbox image (terraform/terragrunt/sops/kubectl/vault)
+# built off-infra on GHA → ghcr (public). BOOTSTRAP-CRITICAL: .woodpecker/default.yml's
+# apply step runs in this image. The Woodpecker build-ci-image.yml is kept until a
+# ghcr-based apply is proven, then removed.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'ci/Dockerfile'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: ci
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/viktorbarzin/infra-ci:latest
+            ghcr.io/viktorbarzin/infra-ci:${{ github.sha }}
diff --git a/.github/workflows/build-k8s-portal.yml b/.github/workflows/build-k8s-portal.yml
new file mode 100644
index 00000000..f81e13af
--- /dev/null
+++ b/.github/workflows/build-k8s-portal.yml
@@ -0,0 +1,36 @@
+name: Build k8s-portal
+
+# ADR-0002 / no-local-builds: k8s-portal (infra-owned Go portal) builds off-infra
+# on GHA → public ghcr; Keel polls ghcr:latest and rolls the deployment. Replaces
+# the in-cluster .woodpecker/k8s-portal.yml build.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'stacks/k8s-portal/modules/k8s-portal/files/**'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: stacks/k8s-portal/modules/k8s-portal/files
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/viktorbarzin/k8s-portal:latest
+            ghcr.io/viktorbarzin/k8s-portal:${{ github.sha }}
diff --git a/.gitignore b/.gitignore
index 3475f32a..b288aed5 100755
--- a/.gitignore
+++ b/.gitignore
@@ -103,3 +103,16 @@ stacks/terminal/clipboard-upload/clipboard-upload
 # Plaintext terraform state — NEVER commit (use SOPS-encrypted .tfstate.enc only)
 terraform.tfstate
 terraform.tfstate.backup
+
+# Per-feature git worktrees (worktree-first workflow — execution.md)
+.worktrees/
+
+# Timestamped terraform state backups (terraform.tfstate.<ts>.backup) — plaintext Tier-0
+# secrets; created by terraform state ops. The patterns above miss the timestamped form.
+terraform.tfstate.*.backup
+
+# Python test artifacts (pytest bytecode cache) — e.g. from
+# stacks/k8s-version-upgrade/scripts/test_compat_gate.py
+__pycache__/
+*.pyc
+.pytest_cache/
diff --git a/.mcp.json b/.mcp.json
index 9f39ff76..18bb4d81 100644
--- a/.mcp.json
+++ b/.mcp.json
@@ -3,10 +3,6 @@
     "ha": {
       "type": "http",
       "url": "${HA_MCP_URL}"
-    },
-    "paperless": {
-      "type": "http",
-      "url": "http://paperless-mcp.paperless-mcp.svc.cluster.local/mcp"
     }
   }
 }
diff --git a/.woodpecker/breakglass-infra-ci.yml b/.woodpecker/breakglass-infra-ci.yml
new file mode 100644
index 00000000..bbc43d7d
--- /dev/null
+++ b/.woodpecker/breakglass-infra-ci.yml
@@ -0,0 +1,31 @@
+# Break-glass: save the ghcr infra-ci image to a tarball on the registry VM
+# (10.0.20.10) so it can be `docker load`-ed onto a node if ghcr is ever
+# unreachable during a recovery. infra-ci now builds on GHA → ghcr (ADR-0002),
+# which is external + node-cached, so this is a belt-and-braces DR artifact —
+# run MANUALLY after an infra-ci rebuild (or periodically). Pulls from ghcr
+# (public, no login). Recovery: docs/runbooks/forgejo-registry-breakglass.md.
+when:
+  - event: manual
+
+steps:
+  - name: breakglass-tarball
+    image: alpine:3.20
+    failure: ignore
+    environment:
+      REGISTRY_SSH_KEY:
+        from_secret: registry_ssh_key
+    commands:
+      - apk add --no-cache openssh-client
+      - mkdir -p ~/.ssh && chmod 700 ~/.ssh
+      - printf '%s\n' "$REGISTRY_SSH_KEY" > ~/.ssh/id_ed25519
+      - chmod 600 ~/.ssh/id_ed25519
+      - ssh-keyscan -t ed25519 10.0.20.10 >> ~/.ssh/known_hosts 2>/dev/null
+      - |
+        ssh -n -o BatchMode=yes root@10.0.20.10 "
+          set -e
+          mkdir -p /opt/registry/data/private/_breakglass
+          IMAGE=ghcr.io/viktorbarzin/infra-ci:latest
+          docker pull \$IMAGE
+          docker save \$IMAGE | gzip > /opt/registry/data/private/_breakglass/infra-ci-latest.tar.gz
+          ls -lh /opt/registry/data/private/_breakglass/infra-ci-latest.tar.gz
+        "
diff --git a/.woodpecker/build-ci-image.yml b/.woodpecker/build-ci-image.yml
deleted file mode 100644
index 796426ac..00000000
--- a/.woodpecker/build-ci-image.yml
+++ /dev/null
@@ -1,88 +0,0 @@
-# Build the CI tools Docker image used by all infra pipelines.
-# Triggers on push that touches ci/Dockerfile, or manual (API/UI) so
-# rebuilds after a registry incident don't need a cosmetic Dockerfile edit.
-
-when:
-  - event: push
-    branch: master
-    path:
-      include:
-        - 'ci/Dockerfile'
-  - event: manual
-
-steps:
-  - name: build-and-push
-    image: woodpeckerci/plugin-docker-buildx
-    settings:
-      # Phase 4 of forgejo-registry-consolidation 2026-05-07 —
-      # registry.viktorbarzin.me dropped, Forgejo is the only target.
-      repo:
-        - forgejo.viktorbarzin.me/viktor/infra-ci
-      dockerfile: ci/Dockerfile
-      context: ci/
-      tags:
-        - latest
-        - "${CI_COMMIT_SHA:0:8}"
-      platforms: linux/amd64
-      logins:
-        - registry: forgejo.viktorbarzin.me
-          username:
-            from_secret: forgejo_user
-          password:
-            from_secret: forgejo_push_token
-
-  # Post-push integrity check is now redundant with the every-15min
-  # forgejo-integrity-probe in stacks/monitoring/, which walks
-  # /v2/_catalog + HEADs every blob across the entire Forgejo registry.
-  # If a corruption pattern emerges that the periodic probe misses,
-  # restore a verify step similar to the pre-Phase-4 version (see
-  # commit 49f4956f) but pointed at forgejo.viktorbarzin.me.
-
-  # Break-glass tarball: save the just-pushed infra-ci image to disk on the
-  # registry VM (10.0.20.10) so we can `docker load` it back into a node
-  # when Forgejo is unreachable. Pulls from Forgejo (the only registry now).
-  # Best-effort — failure here doesn't fail the pipeline.
-  # Recovery procedure: docs/runbooks/forgejo-registry-breakglass.md.
-  - name: breakglass-tarball
-    image: alpine:3.20
-    failure: ignore
-    environment:
-      REGISTRY_SSH_KEY:
-        from_secret: registry_ssh_key
-      FORGEJO_USER:
-        from_secret: forgejo_user
-      FORGEJO_PASS:
-        from_secret: forgejo_push_token
-    commands:
-      - apk add --no-cache openssh-client
-      - mkdir -p ~/.ssh && chmod 700 ~/.ssh
-      - printf '%s\n' "$REGISTRY_SSH_KEY" > ~/.ssh/id_ed25519
-      - chmod 600 ~/.ssh/id_ed25519
-      - ssh-keyscan -t ed25519 10.0.20.10 >> ~/.ssh/known_hosts 2>/dev/null
-      - SHA=${CI_COMMIT_SHA:0:8}
-      - |
-        ssh -n -o BatchMode=yes root@10.0.20.10 "
-          set -e
-          mkdir -p /opt/registry/data/private/_breakglass
-          IMAGE=forgejo.viktorbarzin.me/viktor/infra-ci:$SHA
-          echo \$FORGEJO_PASS | docker login forgejo.viktorbarzin.me -u \$FORGEJO_USER --password-stdin
-          docker pull \$IMAGE
-          docker save \$IMAGE | gzip > /opt/registry/data/private/_breakglass/infra-ci-$SHA.tar.gz
-          ln -sfn infra-ci-$SHA.tar.gz /opt/registry/data/private/_breakglass/infra-ci-latest.tar.gz
-          ls -t /opt/registry/data/private/_breakglass/infra-ci-*.tar.gz \
-            | grep -v 'latest' | tail -n +6 | xargs -r rm -v
-          ls -lh /opt/registry/data/private/_breakglass/
-        "
-
-  - name: slack
-    image: curlimages/curl
-    commands:
-      - |
-        curl -s -X POST -H 'Content-type: application/json' \
-          --data "{\"text\":\"CI image built: forgejo.viktorbarzin.me/viktor/infra-ci:${CI_COMMIT_SHA:0:8} (and registry-private mirror)\"}" \
-          "$SLACK_WEBHOOK" || true
-    environment:
-      SLACK_WEBHOOK:
-        from_secret: slack_webhook
-    when:
-      status: [success]
diff --git a/.woodpecker/build-cli.yml b/.woodpecker/build-cli.yml
deleted file mode 100644
index cf95da7e..00000000
--- a/.woodpecker/build-cli.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-when:
-  event: push
-
-clone:
-  git:
-    image: woodpeckerci/plugin-git
-    settings:
-      attempts: 5
-      backoff: 10s
-
-steps:
-  - name: build-image
-    image: woodpeckerci/plugin-docker-buildx
-    settings:
-      username: "viktorbarzin"
-      password:
-        from_secret: dockerhub-pat
-      # Phase 4 of forgejo-registry-consolidation 2026-05-07 —
-      # registry.viktorbarzin.me:5050 decommissioned. Push to DockerHub
-      # (the public-facing infra image) AND Forgejo (the cluster pull
-      # source). Same image, two locations.
-      repo:
-        - viktorbarzin/infra
-        - forgejo.viktorbarzin.me/viktor/infra
-      logins:
-        - registry: https://index.docker.io/v1/
-          username: viktorbarzin
-          password:
-            from_secret: dockerhub-pat
-        - registry: forgejo.viktorbarzin.me
-          username:
-            from_secret: forgejo_user
-          password:
-            from_secret: forgejo_push_token
-      dockerfile: cli/Dockerfile
-      context: cli
-      auto_tag: true
-      # cache_from/cache_to removed: registry cache corruption causes
-      # "short read: expected 32 bytes" BuildKit errors. Inline cache
-      # will be re-populated once a clean image is pushed.
-      # cache_from: "registry.viktorbarzin.me:5050/infra:latest"
-      # cache_to: "type=inline"
diff --git a/.woodpecker/default.yml b/.woodpecker/default.yml
index 5661bccd..ef94ccee 100644
--- a/.woodpecker/default.yml
+++ b/.woodpecker/default.yml
@@ -19,13 +19,34 @@ clone:
   git:
     image: woodpeckerci/plugin-git
     settings:
+      partial: false
       depth: 2
       attempts: 5
       backoff: 10s
 
 steps:
+  # Audit feed for the allow-then-audit contribution model: any master push by
+  # a NON-admin author is surfaced in Slack (Viktor's own pushes are not).
+  # Runs before apply and never blocks it. Note: [ci skip] commits never reach
+  # this step (Woodpecker skips the whole pipeline) — hence the rule that
+  # non-admins must not use [ci skip].
+  - name: notify-nonadmin-push
+    image: curlimages/curl
+    environment:
+      SLACK_WEBHOOK:
+        from_secret: slack_webhook
+    commands:
+      - |
+        case "$CI_COMMIT_AUTHOR" in
+          viktor|ViktorBarzin|wizard) echo "admin push — no notify"; exit 0 ;;
+        esac
+        SUBJECT=$(echo "$CI_COMMIT_MESSAGE" | head -1 | tr -d '"\\')
+        curl -s -X POST -H 'Content-type: application/json' \
+          --data "{\"text\":\"📝 infra master push by *$CI_COMMIT_AUTHOR*: $SUBJECT\n$CI_REPO_URL/commit/$CI_COMMIT_SHA\"}" \
+          "$SLACK_WEBHOOK" || true
+
   - name: apply
-    image: forgejo.viktorbarzin.me/viktor/infra-ci:latest
+    image: ghcr.io/viktorbarzin/infra-ci:latest
     pull: true
     backend_options:
       kubernetes:
@@ -115,6 +136,25 @@ steps:
           git fetch --deepen=1 origin master 2>/dev/null || true
         fi
 
+        # Diff base: prefer the push's true before-state (CI_PREV_COMMIT_SHA).
+        # HEAD~1 is WRONG for merge commits — it is the first parent (the
+        # feature-branch side), so the diff shows the OTHER lineage's files
+        # and silently skips the stacks this push actually changed
+        # (bit ci-pipeline-health on 2026-06-12, pipeline 128).
+        DIFF_BASE="HEAD~1"
+        if [ -n "${CI_PREV_COMMIT_SHA:-}" ] && [ "$CI_PREV_COMMIT_SHA" != "$CI_COMMIT_SHA" ]; then
+          git cat-file -e "$CI_PREV_COMMIT_SHA^{commit}" 2>/dev/null || git fetch --depth=50 origin master 2>/dev/null || true
+          # Restarted pipelines after master moved produce REVERSE diffs
+          # (CI_PREV ahead of the checked-out HEAD re-applied stale trees and
+          # reverted a sibling apply on 2026-06-12, pipeline 148). Only use
+          # CI_PREV when it is an ancestor of HEAD.
+          if git cat-file -e "$CI_PREV_COMMIT_SHA^{commit}" 2>/dev/null \
+             && git merge-base --is-ancestor "$CI_PREV_COMMIT_SHA" HEAD 2>/dev/null; then
+            DIFF_BASE="$CI_PREV_COMMIT_SHA"
+          fi
+        fi
+        echo "Diff base: $DIFF_BASE"
+
         # If still no parent, apply all platform stacks as a safe fallback
         if ! git rev-parse HEAD~1 >/dev/null 2>&1; then
           echo "Cannot determine changed files — applying ALL platform stacks"
@@ -122,14 +162,14 @@ steps:
           > .app_apply
         else
           # Check if global files changed (triggers full platform apply)
-          GLOBAL_CHANGED=$(git diff --name-only HEAD~1 HEAD | grep -E '^(modules/|config\.tfvars|terragrunt\.hcl)' || true)
+          GLOBAL_CHANGED=$(git diff --name-only "$DIFF_BASE" HEAD | grep -E '^(modules/|config\.tfvars|terragrunt\.hcl)' || true)
 
           if [ -n "$GLOBAL_CHANGED" ]; then
             echo "Global files changed — applying ALL platform stacks"
             echo "$PLATFORM_STACKS" | tr ' ' '\n' > .platform_apply
           else
             # Detect platform stacks that changed
-            git diff --name-only HEAD~1 HEAD | grep '^stacks/' | cut -d/ -f2 | sort -u > .all_changed
+            git diff --name-only "$DIFF_BASE" HEAD | grep '^stacks/' | cut -d/ -f2 | sort -u > .all_changed
             > .platform_apply
             while read -r stack; do
               if echo "$PLATFORM_STACKS" | grep -qw "$stack"; then
@@ -140,7 +180,7 @@ steps:
 
           # Detect app stacks that changed
           > .app_apply
-          git diff --name-only HEAD~1 HEAD | grep '^stacks/' | cut -d/ -f2 | sort -u | while read -r stack; do
+          git diff --name-only "$DIFF_BASE" HEAD | grep '^stacks/' | cut -d/ -f2 | sort -u | while read -r stack; do
             if echo "$PLATFORM_STACKS" | grep -qw "$stack"; then
               continue  # Skip platform stacks
             fi
diff --git a/.woodpecker/drift-detection.yml b/.woodpecker/drift-detection.yml
index 38cc60b9..b2e303ff 100644
--- a/.woodpecker/drift-detection.yml
+++ b/.woodpecker/drift-detection.yml
@@ -9,12 +9,13 @@ clone:
   git:
     image: woodpeckerci/plugin-git
     settings:
+      partial: false
       depth: 1
       attempts: 3
 
 steps:
   - name: detect-drift
-    image: forgejo.viktorbarzin.me/viktor/infra-ci:latest
+    image: ghcr.io/viktorbarzin/infra-ci:latest
     pull: true
     backend_options:
       kubernetes:
diff --git a/.woodpecker/issue-automation.yml b/.woodpecker/issue-automation.yml
index ece97dab..2bb46661 100644
--- a/.woodpecker/issue-automation.yml
+++ b/.woodpecker/issue-automation.yml
@@ -5,6 +5,7 @@ clone:
   git:
     image: woodpeckerci/plugin-git
     settings:
+      partial: false
       depth: 2
 
 steps:
diff --git a/.woodpecker/k8s-portal.yml b/.woodpecker/k8s-portal.yml
deleted file mode 100644
index 39c9ff17..00000000
--- a/.woodpecker/k8s-portal.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-when:
-  event: push
-  branch: master
-  path:
-    include:
-      - "stacks/platform/modules/k8s-portal/files/**"
-
-clone:
-  git:
-    image: woodpeckerci/plugin-git
-    settings:
-      attempts: 5
-      backoff: 10s
-
-steps:
-  - name: build-and-push
-    image: woodpeckerci/plugin-docker-buildx
-    settings:
-      username: "viktorbarzin"
-      password:
-        from_secret: dockerhub-pat
-      repo: viktorbarzin/k8s-portal
-      dockerfile: stacks/platform/modules/k8s-portal/files/Dockerfile
-      context: stacks/platform/modules/k8s-portal/files
-      platforms:
-        - linux/amd64
-      tag: ["${CI_PIPELINE_NUMBER}", "latest"]
-      cache_from: "viktorbarzin/k8s-portal:latest"
-      cache_to: "type=inline"
-
-  - name: deploy
-    image: bitnami/kubectl:latest
-    commands:
-      - "kubectl set image deployment/k8s-portal portal=viktorbarzin/k8s-portal:${CI_PIPELINE_NUMBER} -n k8s-portal"
-      - "kubectl rollout status deployment/k8s-portal -n k8s-portal --timeout=120s"
-      - "echo 'k8s-portal deployed successfully (build ${CI_PIPELINE_NUMBER})'"
-
-  - name: slack
-    image: curlimages/curl
-    commands:
-      - |
-        curl -s -X POST -H 'Content-type: application/json' \
-          --data "{\"text\":\"K8s Portal: build #${CI_PIPELINE_NUMBER} ${CI_PIPELINE_STATUS}\"}" \
-          "$SLACK_WEBHOOK" || true
-    environment:
-      SLACK_WEBHOOK:
-        from_secret: slack_webhook
-    when:
-      status: [success, failure]
diff --git a/.woodpecker/postmortem-todos.yml b/.woodpecker/postmortem-todos.yml
index 729e9a85..68330272 100644
--- a/.woodpecker/postmortem-todos.yml
+++ b/.woodpecker/postmortem-todos.yml
@@ -11,6 +11,7 @@ clone:
   git:
     image: woodpeckerci/plugin-git
     settings:
+      partial: false
       depth: 5
 
 steps:
diff --git a/.woodpecker/provision-user.yml b/.woodpecker/provision-user.yml
index 0f6d5dab..3ba7af7f 100644
--- a/.woodpecker/provision-user.yml
+++ b/.woodpecker/provision-user.yml
@@ -5,6 +5,7 @@ clone:
   git:
     image: woodpeckerci/plugin-git
     settings:
+      partial: false
       attempts: 5
       backoff: 10s
 
diff --git a/.woodpecker/pve-nfs-exports-sync.yml b/.woodpecker/pve-nfs-exports-sync.yml
index 2c26df45..54aea68a 100644
--- a/.woodpecker/pve-nfs-exports-sync.yml
+++ b/.woodpecker/pve-nfs-exports-sync.yml
@@ -23,6 +23,7 @@ clone:
   git:
     image: woodpeckerci/plugin-git
     settings:
+      partial: false
       depth: 1
       attempts: 3
 
diff --git a/.woodpecker/registry-config-sync.yml b/.woodpecker/registry-config-sync.yml
index a4f03185..aad59fbe 100644
--- a/.woodpecker/registry-config-sync.yml
+++ b/.woodpecker/registry-config-sync.yml
@@ -38,6 +38,7 @@ clone:
   git:
     image: woodpeckerci/plugin-git
     settings:
+      partial: false
       depth: 1
       attempts: 3
 
diff --git a/.woodpecker/renew-tls.yml b/.woodpecker/renew-tls.yml
index d2d8bf89..cd93fe7c 100644
--- a/.woodpecker/renew-tls.yml
+++ b/.woodpecker/renew-tls.yml
@@ -6,6 +6,7 @@ clone:
   git:
     image: woodpeckerci/plugin-git
     settings:
+      partial: false
       attempts: 5
       backoff: 10s
 
diff --git a/AGENTS.md b/AGENTS.md
index 009c5c99..7fbc838d 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -9,7 +9,7 @@
 - **Ask before `git push`** — always confirm with the user first
 
 ## Execution
-- **Apply a service**: `scripts/tg apply --non-interactive` (auto-decrypts SOPS secrets)
+- **Apply a service**: `scripts/tg apply --non-interactive` (auto-decrypts SOPS secrets; passes `-lock-timeout`, default `5m` / `TG_LOCK_TIMEOUT`, so a contended state lock waits instead of failing with `Error acquiring the state lock`)
 - **Legacy apply**: `cd stacks/<service> && terragrunt apply --non-interactive` (uses terraform.tfvars)
 - **kubectl**: `kubectl --kubeconfig $(pwd)/config`
 - **Health check**: `bash scripts/cluster_healthcheck.sh --quiet`
@@ -90,6 +90,7 @@ Terragrunt-based homelab managing a Kubernetes cluster (5 nodes, v1.34.2) on Pro
 - **Public domain**: `viktorbarzin.me` (Cloudflare) | **Internal**: `viktorbarzin.lan` (Technitium DNS)
 - **Onboarding portal**: `https://k8s-portal.viktorbarzin.me` — self-service kubectl setup + docs
 - **CI/CD**: Woodpecker CI — PRs run plan, merges to master auto-apply all stacks
+- **CI compute is external (ADR-0002, 2026-06-12)**: builds, tests, lint, and release jobs run on GitHub Actions hosted runners via each repo's GitHub mirror — never on cluster nodes. In-cluster pipelines exist only for steps that need cluster access (Woodpecker `kubectl set image` deploys, terragrunt applies, certbot). Never add an in-cluster build or test pipeline to any repo; the fallback-build pattern was deliberately removed. After pushing anything that fires a build chain, watch it end-to-end (GHA run → Woodpecker deploy → rollout) before calling the change done — verify live state, not the checkmark.
 
 ## Key Paths
 - `stacks/<service>/main.tf` — service definition
@@ -109,7 +110,8 @@ Terragrunt-based homelab managing a Kubernetes cluster (5 nodes, v1.34.2) on Pro
 - **SQLite on NFS is unreliable** (fsync issues) — always use proxmox-lvm or local disk for databases.
 - **NFS mount options**: Always `soft,timeo=30,retrans=3` to prevent uninterruptible sleep (D state).
 - **NFS export directory must exist** on the Proxmox host before Terraform can create the PV.
-- **Backup (3-2-1)**: Copy 1 = live PVCs on sdc. Copy 2 = sda `/mnt/backup` (PVC file backups, auto SQLite backups, pfSense, PVE config). Copy 3 = Synology offsite (two-tier: sda→`pve-backup/`, NFS→`nfs/`+`nfs-ssd/` via inotify change tracking).
+- **Backup (3-2-1)**: Copy 1 = live PVCs on sdc. Copy 2 = sda `/mnt/backup` (PVC file backups, auto SQLite backups, pfSense, PVE config, **VM images via `vzdump-vms`**). Copy 3 = Synology offsite (two-tier: sda→`pve-backup/`, NFS→`nfs/`+`nfs-ssd/` via inotify change tracking).
+- **vzdump-vms** (Daily 01:00): live `vzdump --mode snapshot` of hand-managed VMs (NOT in TF) → `/mnt/backup/vzdump/`, keep 3/VMID. `VZDUMP_VMIDS` default `102` (devvm) — the only VM imaged today; before this (2026-06-09) no VM was ever imaged. NOT in the incremental offsite manifest; monthly full pass mirrors it. See `docs/architecture/backup-dr.md`.
 - **daily-backup** (Daily 05:00): Auto-discovered BACKUP_DIRS (glob), auto SQLite backup (magic number + `?mode=ro`), pfSense, PVE config. No NFS mirror step (NFS syncs directly to Synology via inotify).
 - **offsite-sync-backup** (Daily 06:00): Step 1: sda→Synology `pve-backup/`. Step 2: NFS→Synology `nfs/`+`nfs-ssd/` via `rsync --files-from` (inotify change log). Monthly full `--delete`.
 - **nfs-change-tracker.service**: inotifywait on `/srv/nfs` + `/srv/nfs-ssd`, logs to `/mnt/backup/.nfs-changes.log`. Incremental syncs complete in seconds.
@@ -225,7 +227,69 @@ Per-workload opt-out: add the label `keel.sh/policy: never` on the Deployment me
 4. Viktor reviews → CI applies → Slack notification
 5. Portal: `https://k8s-portal.viktorbarzin.me/onboarding` for full guide
 
+### Non-admin workstation users — the AGENT does the git work
+
+Non-admin devvm users (power-user / namespace-owner tiers) may not know git at
+all. Their agent handles every version-control step silently — never ask them
+to commit, push, pull, or open a PR, and never surface git jargon at them.
+Their infra clone arrives preconfigured: git identity, a `forgejo` remote
+authenticated via `~/.git-credentials`, and `master` tracking `forgejo/master`
+(auto-freshened hourly and at session launch, fast-forward only).
+
+Two per-user layouts exist (`code_layout` in
+`scripts/workstation/roster.yaml`): `single` (the default) — `~/code` IS the
+locked infra clone — and `workspace` — `~/code` is a plain directory of
+per-project clones: the infra clone at `~/code/infra`, plus each roster
+`repos` entry (e.g. `~/code/tripit`) cloned from Forgejo `viktor/<name>` with
+the user's own PAT. The reconcile auto-migrates a single-layout `~/code` when
+a user is flipped to `workspace`, and keeps every clone fresh either way.
+
+The model is **allow-then-audit** (Viktor, 2026-06-10): whitelisted users (emo)
+push straight to `master` — no PR gate — and the record of *what changed and
+why* is what matters. Force-push is disabled for everyone, so master history
+is append-only.
+
+**Feature-sized work is worktree-first** (org rule, 2026-06-10): develop in an
+isolated worktree (`.worktrees/<topic>`, branch `<os-user>/<topic>` off
+`forgejo/master`) so concurrent agent sessions never collide in the clone, then
+land by merging latest master into the branch and pushing it
+(`git push forgejo HEAD:master`, or the PR fallback below if not whitelisted) —
+the audit-trail rules below apply to the branch's commit messages all the same.
+Locked (git-crypt) clones can use plain `git worktree add`. Trivial
+single-commit fixes may be committed directly on a clean `master`. Full
+lifecycle: `~/.claude/rules/execution.md` §3.
+
+To land a finished change from such a clone:
+
+1. Commit on `master`. **The commit message is the audit trail** — this matters
+   more than the change itself:
+   - subject: what changed, specific ("ha-sofia: lower fan curve bias to -5")
+   - body: WHY, in plain words — paraphrase the user's actual request and any
+     reasoning ("Emil asked for quieter fans in the evening; curve was
+     overshooting after the 2026-06-08 redesign")
+2. `git push forgejo master`. If rejected non-fast-forward: `git pull --rebase
+   forgejo master` and push again.
+3. **Never use `[ci skip]`** as a non-admin — it hides the change from the
+   Slack audit feed; a no-op CI apply on a docs-only commit is harmless.
+4. Leave the clone on clean `master` so auto-refresh keeps working.
+5. Tell the user in plain language what happened. Stack changes are
+   auto-applied by CI — verify the live result with the user's read-only
+   kubectl before saying "it's live".
+
+If a push to `master` is rejected by branch protection (user not on the
+whitelist — e.g. new users before Viktor grants it), fall back to a
+`<os-user>/<short-topic>` branch + PR with the user's own PAT
+(`write:repository` suffices — verified 2026-06-10):
+
+```bash
+TOK=$(sed -E 's#https://[^:]+:([^@]+)@.*#\1#' ~/.git-credentials)
+curl -X POST -H "Authorization: token $TOK" -H 'Content-Type: application/json' \
+  https://forgejo.viktorbarzin.me/api/v1/repos/viktor/infra/pulls \
+  -d '{"title":"<title>","head":"<os-user>/<short-topic>","base":"master","body":"<what + why>"}'
+```
+
 ## Common Operations
+- **`homelab` CLI** (`/usr/local/bin/homelab`, source `cli/`): unified infra-ops verbs — run `homelab manifest` to discover the surface (each verb tagged read/write). Infra loop: `homelab tf plan|fmt|apply <stack>` (wraps `scripts/tg`; `apply` auto-claims presence + releases on exit, warns out-of-band), `homelab claim|release <kind>:<name>`, `homelab work start|land|clean <topic>` (worktree lifecycle; `land` gates on verification, `--verify-cmd`/`--no-verify`). Kubernetes (v0.2): `homelab k8s status|get|logs|describe|debug|pf|rollout-status <app>` (read; `<app>` defaults to the namespace, target to `deploy/<app>`), `homelab k8s db <app> [--mysql] -- "<SQL>"`, `k8s exec`, `k8s restart`, `k8s rm-pod` (pods/jobs only) — config-mutation kubectl verbs are intentionally absent (Terraform-only). Memory (v0.3): `homelab memory recall "<context>"` (semantic search), `memory list|categories|tags|stats|secret`, `memory store|update|delete` — a direct HTTP client to claude-memory that works even when the memory MCP is down. CI/deploy (v0.4): `homelab ci status|watch [commit]` (Woodpecker, repo resolved from cwd), `homelab deploy wait <ns>/<deploy> [--sha]` (image-sha + rollout) — `work land` now auto-watches CI to green. Net/obs (v0.5): `homelab net check <host> [path]` (external-CF vs internal-LB reachability), `dns lookup <name>` (Technitium vs public diff), `metrics query "<promql>"` / `metrics alerts` (Prometheus via LB), `logs query "<logql>" [--since]` (Loki via LB) — endpoint resolution baked in, no port-forward. Usage telemetry (v0.6): every dispatched verb fire-and-forgets a Loki line (`{user,verb}` + exit only, NO args/secrets; opt-out `HOMELAB_TELEMETRY=0`); `homelab usage top [--since][--user]` ranks verb usage across all users — evidence for what to build next, queryable without reading anyone's home. Home Assistant (v0.7): `homelab ha token [--instance sofia|london]` (prints the long-lived API token, resolved live from k8s Secret `openclaw/openclaw-secrets` — use as `curl -H "Authorization: Bearer $(homelab ha token)"`), `homelab ha ssh [--instance sofia|london] -- <cmd>` (run a command on the HA host; deterministic non-interactive ssh, the invoking user's `~/.ssh/id_ed25519`, sofia=`vbarzin@192.168.1.8` default) — entity state/control stays with the `ha` MCP, these cover only what an API-only MCP can't (token + host shell). Full docs: `cli/README.md`.
 - **Deploy new service**: Use `stacks/<existing-service>/` as template. Create stack, add DNS in tfvars, apply platform then service.
 - **Fix crashed pods**: Run healthcheck first. Safe to delete evicted/failed pods and CrashLoopBackOff pods with >10 restarts.
 - **OOMKilled**: Check `kubectl describe limitrange tier-defaults -n <ns>`. Increase `resources.limits.memory` in the stack's main.tf.
diff --git a/CONTEXT.md b/CONTEXT.md
index c9a9d033..2b9bb8b3 100644
--- a/CONTEXT.md
+++ b/CONTEXT.md
@@ -117,9 +117,17 @@ The bare-metal load-balancer that assigns external IPs to `type=LoadBalancer` Se
 _Avoid_: calling `.200` "the cluster IP" or assuming all ingress shares one LB IP.
 
 **Calico**:
-The cluster CNI and **NetworkPolicy** engine (also GlobalNetworkPolicy + flow logs). Egress lockdown follows an **observe-then-enforce** rollout — flow logs build an empirical allowlist, then default-deny egress is enforced per-namespace, tier by tier (wave 1 began at `recruiter-responder`; Tier 0/1/2 deferred).
+The cluster CNI and **NetworkPolicy** engine (also GlobalNetworkPolicy + flow logs; live flow observability via **Goldmane / Whisker**). Egress lockdown follows an **observe-then-enforce** rollout — flow logs build an empirical allowlist, then default-deny egress is enforced per-namespace, tier by tier (wave 1 began at `recruiter-responder`; Tier 0/1/2 deferred).
 _Avoid_: "firewall" (it's pod-level policy, not a perimeter); conflating a Calico **NetworkPolicy** (enforced in the data path) with a **Kyverno policy** (enforced at admission) — different layers.
 
+**Service identity**:
+How a **Service** is named in flow/audit data — its **namespace** is the primary identity (Goldmane stamps it natively, and "one Service ≈ one namespace" holds for ~87 namespaces), refined by an explicit identity label (e.g. `service-identity`) only in the handful of genuinely multi-Service namespaces (`monitoring`, `kube-system`, `dbaas`). Deliberately NOT a per-Service **ServiceAccount** (deferred — 56% of pods share `default`; revisit only if principal-based enforcement or mTLS is adopted) and NOT a SPIFFE/mesh identity (rejected — attribution-grade audit on a trusted single-tenant cluster doesn't justify a mesh).
+_Avoid_: equating "service identity" with a workload's **ServiceAccount** (that's the deferred enforcement principal, not the attribution key) or with cryptographic/SPIFFE identity; "Service" here is the domain **Service**, not the K8s `Service` object.
+
+**Goldmane / Whisker**:
+Calico 3.30's OSS flow-observability pair — **Goldmane** aggregates identity-stamped flows (namespace/pod/workload/labels + allow-deny + policy trace) streamed from Felix over gRPC into an in-memory ~60-min ring buffer (no etcd/API writes); **Whisker** is its live web UI. The east-west "who-talks-to-whom" data plane, succeeding raw iptables-`LOG`→journald lines (which carry no identity). Durable history requires emitting Goldmane flows to **Loki**; the in-memory buffer alone is not an audit trail.
+_Avoid_: assuming Goldmane persists (it's a ring buffer — lost on restart); expecting a ServiceAccount field in its schema (it carries labels, not SA); confusing it with Cilium **Hubble** (needs the Cilium datapath, unusable on Calico) or **Kiali** (needs an Istio mesh).
+
 ### Storage
 
 **proxmox-lvm-encrypted**:
@@ -149,7 +157,7 @@ _Avoid_: bare "backup" without saying which copy you mean (a service is "backed
 
 **CNPG** / **pg-cluster**:
 **CNPG** is the CloudNativePG operator; **`pg-cluster`** is the Postgres cluster it manages — the shared Postgres substrate. Backs Tier-1 Terraform state (`pg-cluster-rw.dbaas.svc.cluster.local:5432/terraform_state`) and ~12 application databases, reached through **PgBouncer** (a **critical-path Service**) for connection pooling; app credentials rotate via the `vault-database` ClusterSecretStore.
-_Avoid_: "the database" (many DBs share one cluster); the legacy `postgresql.dbaas` Service (no endpoints — dead); conflating the CNPG operator with the `pg-cluster` it manages.
+_Avoid_: "the database" (many DBs share one cluster); the legacy `postgresql.dbaas` Service for NEW work (it is a live compatibility alias selecting the CNPG primary — authentik's PgBouncer still uses it — but `pg-cluster-rw` is the canonical name); conflating the CNPG operator with the `pg-cluster` it manages.
 
 ### Secrets
 
@@ -169,8 +177,24 @@ A user-managed secret committed to a Stack directory as `sealed-*.yaml`. Distinc
 ### CI/CD
 
 **GHA build + Woodpecker deploy**:
-The split where Docker images are built+pushed by GitHub Actions and Woodpecker only runs `kubectl set image` on a deploy-only pipeline. Repos that can't fit GHA limits stay on Woodpecker for build too.
-_Avoid_: bare "Woodpecker pipeline" — say "build" or "deploy".
+The split where every owned image is built+pushed by GitHub Actions and Woodpecker only runs `kubectl set image` on a deploy-only pipeline (ADR-0002). Woodpecker never builds images.
+_Avoid_: bare "Woodpecker pipeline" — say "build" or "deploy"; "fallback build" (the in-cluster fallback path was removed by ADR-0002).
+
+**Canonical repo**:
+The Forgejo `viktor/<name>` repo — the only place commits land, workflow files included. Every first-party repo is Forgejo-canonical *except* an explicit set of **GitHub-first repos**. A clone keeps **only** the canonical remote (ADR-0003): the **GitHub mirror** is not a second push target.
+_Avoid_: "upstream" (ambiguous); committing anywhere else; keeping both remotes on a clone and hand-pushing to each (the dual-push habit that caused the 2026-06 divergence — ADR-0003).
+
+**GitHub mirror**:
+The GitHub repo a **Canonical repo** push-mirrors to, one-way (Forgejo's `push_mirrors`, `sync_on_commit`), so GitHub Actions can build from it; anything committed on the mirror is silently overwritten by the next sync — and enabling the mirror **force-overwrites** the GitHub side, so a diverged GitHub-only commit must be merged back into Forgejo *before* the mirror is turned on or it is lost.
+_Avoid_: treating it as a second writable remote; bare "the GitHub repo" without saying mirror.
+
+**GitHub-first repo**:
+The deliberate exception to the **Canonical repo** rule — a repo whose canonical home is GitHub, so it sits outside the mirror policy. Two kinds: third-party clones/forks where GitHub is genuinely upstream (`jsoncrack.com`, `snmp_exporter`, `SparkyFitness`, `agent-rules-books`, `Plotting-Your-Dream-Book`), and a first-party repo intentionally kept public on GitHub (`health`). Single GitHub remote, never dual-pushed.
+_Avoid_: adding a Forgejo remote "for consistency"; treating one as a **Canonical repo**.
+
+**Forgejo registry**:
+Forgejo's built-in container registry — since ADR-0002 a frozen archive holding one last-known-good tag per **Service**, not a build target; owned images live on ghcr.io.
+_Avoid_: "private registry" (collides with the registry VM's pull-through caches); pushing new images to it.
 
 **Keel**:
 The **poll-driven** rollout orchestrator — watches registries for new image tags and rolls the matching Deployments automatically. The actor behind "auto-upgrade" for upstream images, and a redundant net for owned apps (already rolled on push by **Woodpecker deploy**).
@@ -192,6 +216,7 @@ A PoW reverse-proxy issuing a 30-day JWT cookie, used in front of public content
 - A **proxmox-lvm-encrypted** PVC binds to one Node at a time (RWO) and requires a Service-level backup CronJob; an **NFS volume** is RWX and is backed up at the host level via rsync.
 - **State tier** and **Namespace tier** are orthogonal — a Tier 0 Stack can deploy a Service into any Namespace tier and vice versa.
 - A **Service**'s image reaches the cluster via **Woodpecker deploy** (push-driven, on commit) or **Keel** (poll-driven, on a new registry tag); **Diun** only notifies. Operator-managed StatefulSets are rolled by neither.
+- An owned **Service**'s image is built by GitHub Actions from the **Canonical repo**'s **GitHub mirror** and hosted on ghcr.io (ADR-0002); the **Forgejo registry** keeps only a frozen last-known-good tag per **Service**.
 - Tier-1 **State tier** state and ~12 app databases share one **CNPG** `pg-cluster`, reached through **PgBouncer**; their credentials rotate via the `vault-database` store.
 
 ## Example dialogue
@@ -211,3 +236,4 @@ A PoW reverse-proxy issuing a 30-day JWT cookie, used in front of public content
 - **"secret"** spans Vault entries, K8s Secret objects, **ExternalSecrets**, and **Sealed Secrets**. Always specify which.
 - **"proxied"** / **"non-proxied"** refer to Cloudflare's CDN posture for a DNS record, _not_ Anubis or forward-auth layering.
 - **"policy"** spans **Kyverno policy** (admission-time mutate/generate/validate), **Calico NetworkPolicy** (data-path ingress/egress), Vault policy (KV access), and K8s RBAC. Always qualify which engine.
+- **"registry"** spans three things: ghcr.io (where owned images live, ADR-0002), the **Forgejo registry** (frozen last-known-good archive), and the registry VM's pull-through caches (read-only proxies of upstream registries). Name which one.
diff --git a/cli/README.md b/cli/README.md
index 48b83c93..186c1ee5 100644
--- a/cli/README.md
+++ b/cli/README.md
@@ -1,2 +1,224 @@
-# What is this?
-This is a CLI to manipulate files in the terraform repo and commit and push them
+# homelab
+
+`homelab` is the unified, agent-facing CLI for operating this homelab — one
+composable, JSON-capable surface for the operations agents run over and over,
+discovered progressively at runtime. It is grown **in place** from this
+directory (the former `infra-cli`), and the legacy webhook use-cases still work
+(see below).
+
+It encodes *actions*, never *judgment*: methodology (debugging, TDD, review) and
+third-party/owned MCP servers (e.g. phpIPAM) are deliberately out of scope.
+
+## Usage
+
+```
+homelab <command> [args]
+homelab manifest [--json]    # list every verb + its read/write tier (discovery entrypoint)
+homelab version
+```
+
+### v0.1 verbs — the infra inner-loop
+
+| Command | Tier | What it does |
+|---|---|---|
+| `claim <kind>:<name> --purpose "…"` | write | claim a shared resource on the presence board (wraps `scripts/presence`) |
+| `release <kind>:<name>` | write | release a presence claim |
+| `tf plan <stack>` | read | `scripts/tg plan` for a stack (resolved from cwd) |
+| `tf validate <stack>` | read | `scripts/tg validate` |
+| `tf fmt <stack>` | read | `terraform fmt -recursive` on the stack |
+| `tf force-unlock <stack> <lock-id>` | write | release a stuck state lock |
+| `tf apply <stack>` | write | `scripts/tg apply` — auto-claims `stack:<name>`, always releases, warns it's out-of-band |
+| `work start <topic>` | write | create `.worktrees/<topic>` on `<user>/<topic>` off `<remote>/master`; enter with native `EnterWorktree` |
+| `work land [--verify-cmd "…"] [--no-verify]` | write | merge master in → verify → push `HEAD:master` (non-ff retry; PR fallback) |
+| `work clean <topic>` | write | remove a task's worktree + branch (run from the main checkout) |
+
+### v0.2 verbs — Kubernetes
+
+Built on an **app→namespace→pod resolver**: `<app>` defaults to the namespace
+(most namespaces hold one app); the target defaults to `deploy/<app>` and lets
+kubectl resolve the pod. Override with `-n`/`--pod`/`-c`/`-l`/`--tty`. Uses the
+ambient kubeconfig.
+
+| Command | Tier | What it does |
+|---|---|---|
+| `k8s status [ns]` | read | pods (wide) + recent non-Normal events (`-A` if no ns) |
+| `k8s get <ns> <resource> […]` | read | `kubectl -n <ns> get …` passthrough |
+| `k8s logs <app>` | read | logs for `deploy/<app>` (`--tail` default 200; `-c`/`--previous`/`--since`/`-l`) |
+| `k8s describe <app> [resource]` | read | describe the deployment (or an explicit resource) |
+| `k8s debug <app>` | read | one-shot triage: pods + workloads + describe + recent logs + events |
+| `k8s pf <app> <local:remote> [target]` | read | port-forward to `svc/<app>` (or an explicit target) |
+| `k8s rollout-status <app>` | read | `rollout status deploy/<app>` |
+| `k8s db <app> [--mysql] [--db N] -- "<SQL>"` | write | exec into the dbaas DB (PG `pg-cluster-rw`, or MySQL with env-password wrapper) |
+| `k8s exec <app> [--tty] -- <cmd>` | write | exec in the app's pod |
+| `k8s restart <app>` | write | `rollout restart deploy/<app>` then wait for status |
+| `k8s rm-pod <name> -n <ns> [--job] [--force]` | write | delete a stuck **pod/job only** |
+
+Config-mutation verbs (`apply`/`edit`/`patch`/`scale`/`create`) are intentionally
+**not** exposed — they stay raw `kubectl`, per the Terraform-only policy.
+
+`tf` resolves the stack dir by walking up from cwd to the infra root and
+delegates to `scripts/tg` (which owns state decrypt/encrypt, the Vault lock, and
+the ingress auth-comment check). git-crypt filter flags are auto-injected on git
+operations in the encrypted infra repo.
+
+**`work land` refuses to push when it cannot verify** (no `--verify-cmd` and no
+auto-detected suite) unless you pass `--no-verify` — landing to master unverified
+must be deliberate. After pushing it **watches CI to green** (`ci watch` on the
+landed commit) and fails if the pipeline does; pass `--no-ci-watch` to skip.
+
+Tiers are recorded per verb so a future PreToolUse classifier can auto-allow
+reads / prompt writes; v0.1 allows everything and relies on existing gates
+(permission mode, presence claims, plan approval).
+
+### v0.3 verbs — memory
+
+A thin HTTP client over the **claude-memory** service (the same backend the
+memory MCP wraps), authed with `CLAUDE_MEMORY_API_KEY` against
+`CLAUDE_MEMORY_API_URL` (the env the hooks already set; defaults to the
+ingress). Because it hits the HTTP API directly, it **works even when the MCP
+frontend is down**.
+
+| Command | Tier | What it does |
+|---|---|---|
+| `memory recall "<context>" [--query --category --sort --limit]` | read | semantic search (server-side ranking) — the navigate workhorse |
+| `memory list [--category --tag --limit]` | read | recent memories |
+| `memory categories` / `memory tags` / `memory stats` | read | enumerate the store |
+| `memory secret <id>` | read | reveal a sensitive memory's content |
+| `memory store "<content>" [--category --tags --keywords --importance --sensitive]` | write | store a memory |
+| `memory update <id> [--content --tags --importance]` | write | edit a memory |
+| `memory delete <id>` | write | delete a memory |
+
+All read/write paths are validated against the live API (incl. a
+store→recall→delete round-trip). This gives full data-plane parity with the MCP;
+the eventual deprecation (rewiring the per-prompt auto-recall + auto-learn hooks
+to the CLI, then uninstalling the MCP) is a **separate, deliberate follow-up** —
+see `docs/adr/0008`.
+
+### v0.4 verbs — ci / deploy
+
+Watch what you trigger, without hand-rolling Woodpecker/kubectl polling. `ci`
+talks to the Woodpecker API (token from `WOODPECKER_TOKEN` or Vault
+`secret/ci/global`) via the internal Traefik LB, resolving the repo from the cwd
+remote, with retries that ride Woodpecker's intermittent empty responses.
+
+| Command | Tier | What it does |
+|---|---|---|
+| `ci status [commit]` | read | pipeline status for HEAD (or a commit) |
+| `ci watch [commit]` | read | poll the pipeline to terminal; exit non-zero on failure |
+| `deploy wait <ns>/<deploy> [--sha SHA]` | read | wait for the deployment image to match the sha, *then* rollout status (rollout status alone lies on the old ReplicaSet) |
+
+`work land` now calls `ci watch` on the landed commit automatically (skip with
+`--no-ci-watch`), closing the v0.1 "doesn't wait for CI" gap. `ci logs` (failing
+step) is deferred to v0.4.1 — Woodpecker's per-pipeline detail/log endpoints were
+the least reliable; `status`/`watch` use the list endpoint that works.
+
+### v0.5 verbs — net / dns / metrics / logs
+
+Reachability + observability probes. Their value is *endpoint resolution* — the
+non-obvious "which host, public or LB, what auth, what URL shape" reasoning you'd
+otherwise re-derive every time — not the HTTP call itself. All reach internal
+ingresses through the Traefik LB (the Go form of `curl --resolve host:443:10.0.20.203`).
+
+| Command | Tier | What it does |
+|---|---|---|
+| `net check <host> [path]` | read | probes the host two ways — external (public DNS → Cloudflare) vs internal (Traefik LB) — with status + latency, so you can tell *where* a break is (CF? app? the LB path?) |
+| `dns lookup <name> [type]` | read | resolves via Technitium (`10.0.20.201`) and public (`1.1.1.1`), diffed — surfaces split-horizon vs propagation gaps |
+| `metrics query "<promql>"` | read | Prometheus instant query (`prometheus-query.viktorbarzin.lan`); prints `value {labels}` or `--json` |
+| `metrics alerts` | read | currently-firing alerts (via the synthetic `ALERTS` series — the query frontend has no `/api/v1/alerts`) |
+| `logs query "<logql>" [--since 1h] [--limit N]` | read | Loki range query (`loki.viktorbarzin.lan`); prints log lines or `--json` |
+
+Quote the PromQL/LogQL. These hit auth-free internal ingresses — no port-forward,
+no kubectl. (In-cluster-only endpoints like Alertmanager stay out of scope; the
+firing set is reachable via `ALERTS` instead.)
+
+### v0.6 — usage telemetry (`usage top`)
+
+Makes "which verbs are actually used, by everyone" a query instead of a guess —
+so adding the *next* verb is evidence-driven, not shaped by one person's habits.
+
+Every dispatched verb emits one fire-and-forget Loki line: `{job, user, verb}`
+labels + `exit=N ver=X` — **only the verb path and exit code, never args, paths,
+flags, or secrets.** It's best-effort (tight timeout, errors swallowed, never
+affects the command) and opt-out via `HOMELAB_TELEMETRY=0`. Because the sink is
+the shared Loki, aggregate usage is queryable **without reading anyone's home** —
+the privacy-preserving answer to "what does the team use."
+
+| Command | Tier | What it does |
+|---|---|---|
+| `usage top [--since 30d] [--user U] [--json]` | read | rank verbs by invocation count across all users (or one), via `sum by (verb) (count_over_time({job="homelab-usage"}[…]))` |
+
+### v0.7 verbs — Home Assistant
+
+Cover exactly the two things the `ha` **MCP server can't**: resolving the
+long-lived API token out of the cluster, and SSH to the HA host for host-level
+work (config files, docker, add-ons). Entity state and control (`turn_on`,
+`get_state`, services) stay with the MCP — *actions an MCP already encodes are
+out of scope* (see top of this doc). The value here is the same as `net`/`dns`:
+the non-obvious *which secret, which host, which key, which flags* you'd
+otherwise re-derive every session — agents were hand-rolling a
+`kubectl | base64 | jq` token pipeline and a bespoke `ssh -o …` invocation on
+every run because the existing `home-assistant-sofia.py` needs an env var set
+and a cwd-relative path, neither of which holds in an arbitrary session.
+
+| Command | Tier | What it does |
+|---|---|---|
+| `ha token [--instance sofia\|london]` | read | print the long-lived HA API token, resolved live from the dedicated k8s Secret `openclaw/ha-tokens` (key per instance) via the ambient kubeconfig — no pre-set env var. Use as `curl -H "Authorization: Bearer $(homelab ha token)" …`. The secret is a least-privilege carve-out (`stacks/openclaw/ha_tokens.tf`): the `Home Server Admins` group can read *just* it, so non-admin operators get the HA token without the rest of `skill_secrets` (slack webhook, uptime-kuma password) |
+| `ha ssh [--instance sofia\|london] [-i KEY] -- <cmd>` | write | run `<cmd>` on the HA host over ssh with deterministic non-interactive flags (explicit key = the invoking user's `~/.ssh/id_ed25519`, no user ssh-config, no known_hosts prompt). sofia (`vbarzin@192.168.1.8`) is reachable from the devvm LAN; london is documented but generally remote |
+
+`--instance` defaults to **sofia** (the devvm shares the Sofia LAN). `ha token`
+prints the bare token to stdout so it composes in `$(…)`; it's read-tier like
+`memory secret`. `ha ssh` resolves the *invoking user's* key, so it's per-user,
+not tied to whoever first wrote the workflow (the user's key must be enrolled on
+the HA host).
+
+### v0.8 verbs — browser (headful anti-bot automation)
+
+Drive the cluster's **headful** Chrome (`chrome-service`, real Chrome under Xvfb)
+from the devvm over CDP, for sites that detect and block headless automation. The
+headless `@playwright/mcp` browser can *load* such a site and fill its forms, but
+the gated action (submit/login) silently fails — the motivating case was the
+Stirling Ackroyd Fixflo tenant portal, whose pre-submit check returned
+`net::ERR_FILE_NOT_FOUND` and hung. This path connects via `connect_over_cdp`,
+injects the same `stealth.js` the in-cluster callers use, and submits first try.
+
+The command owns only the *mechanics* (port-forward, stealth, lifecycle); the
+agent supplies the Playwright script — judgment stays out of the CLI.
+
+| Command | Tier | What it does |
+|---|---|---|
+| `browser run <script.js> [--url U] [--shared-context] [--keep-open] [--port N] [--timeout S]` | write | port-forward `svc/chrome-service:9222`, assert it's a real (non-headless) Chrome via `/json/version`, `connect_over_cdp`, `addInitScript(stealth.js)`, then run the script with `page`/`context`/`browser`/`log` in scope (top-level await ok; return a value to print it). Always tears the forward down. |
+| `browser open <url> [--shared-context] [--timeout S]` | write | open `<url>` headful and print title + visible text + a screenshot path — a quick check. |
+| `browser --help` | read | when-to-use signature + the error-code cheat-sheet (`ERR_FILE_NOT_FOUND` = automation-layer intercept, not egress; `ERR_CONNECTION_REFUSED`/`_TIMED_OUT`/`_NAME_NOT_RESOLVED` = real egress; one endpoint 500 while siblings 200 = bot rejection). |
+
+Default context is a **fresh incognito** one (closed on exit) — safe for the
+shared browser and concurrent callers (e.g. tripit's fare scrape); `--shared-context`
+reuses the warmed persistent profile when a pre-logged-in session is needed.
+`port-forward` tunnels API-server→pod, so it bypasses the `:9222` NetworkPolicy
+that gates in-cluster callers — no namespace label needed. The node CDP client is
+pinned to **`playwright-core@1.48.2`** to match the chrome-service image minor
+(Chromium 130; protocol changes between minors) and is installed once, lazily,
+into `~/.cache/homelab/browser-client/` (no per-user setup). Because the client
+runs on the devvm, `setInputFiles` streams local files to the remote browser over
+CDP — no `chmod`/staging-dir workaround. See `docs/architecture/chrome-service.md`
+and `docs/adr/0013`.
+
+## Build / install
+
+Built from source to `/usr/local/bin/homelab` during devvm provisioning
+(`scripts/workstation/setup-devvm.sh`, the `t3-dispatch` pattern); version is
+stamped from `cli/VERSION` via ldflags. Manual build:
+
+```
+cd cli && go build -ldflags "-X main.version=$(cat VERSION)" -o /usr/local/bin/homelab .
+go test ./...
+```
+
+## Legacy webhook use-cases (preserved)
+
+This binary is also the in-cluster `infra-cli` image. Invocations starting with
+`-use-case=<vpn|setup-openwrt-dns|add-email-alias|...>` fall through to the
+original flag-based path unchanged, so the webhook handler is unaffected.
+
+## Design
+
+See `infra/docs/adr/0004`–`0013` for the architecture decisions.
diff --git a/cli/VERSION b/cli/VERSION
new file mode 100644
index 00000000..85f7059b
--- /dev/null
+++ b/cli/VERSION
@@ -0,0 +1 @@
+v0.8.1
diff --git a/cli/browser.go b/cli/browser.go
new file mode 100644
index 00000000..39b6b0a0
--- /dev/null
+++ b/cli/browser.go
@@ -0,0 +1,388 @@
+package main
+
+import (
+	_ "embed"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+)
+
+// playwrightVersion pins the node CDP client to the chrome-service image minor
+// (mcr.microsoft.com/playwright:v1.48.0-noble → Chromium 130). connect_over_cdp
+// speaks the browser's CDP, so the client minor must track the server minor;
+// see docs/architecture/chrome-service.md "Image pin".
+const playwrightVersion = "1.48.2"
+
+// defaultBrowserTimeout is how long (seconds) to wait for the port-forwarded CDP
+// endpoint to become ready before giving up.
+const defaultBrowserTimeout = 60
+
+const (
+	chromeServiceNamespace = "chrome-service"
+	chromeServiceName      = "chrome-service"
+	chromeServiceCDPPort   = 9222
+)
+
+// stealthJS is vendored verbatim from stacks/chrome-service/files/stealth.js (the
+// source of truth the in-cluster callers use). TestStealthJSEmbeddedMatchesCanonical
+// guards against drift.
+//
+//go:embed browser_stealth.js
+var stealthJS string
+
+// runnerJS is the node wrapper that connects to the port-forwarded CDP endpoint,
+// installs the stealth init script, and runs the user's Playwright script.
+//
+//go:embed browser_runner.js
+var runnerJS string
+
+// browserOpts is the parsed form of `homelab browser run|open` arguments.
+type browserOpts struct {
+	mode      string // "run" | "open"
+	script    string // path to the user Playwright script (run mode)
+	url       string // initial URL (run: optional; open: required positional)
+	sharedCtx bool   // use the warmed persistent profile instead of a fresh context
+	keepOpen  bool   // leave the created context/pages open on exit
+	port      int    // explicit local port for the forward (0 = auto)
+	timeout   int    // CDP readiness timeout, seconds
+	help      bool
+}
+
+// parseBrowserArgs parses the args after `browser run` / `browser open`.
+func parseBrowserArgs(mode string, args []string) (browserOpts, error) {
+	o := browserOpts{mode: mode, timeout: defaultBrowserTimeout}
+	var positionals []string
+	atoi := func(s, flag string) (int, error) {
+		n, err := strconv.Atoi(s)
+		if err != nil {
+			return 0, fmt.Errorf("%s expects an integer, got %q", flag, s)
+		}
+		return n, nil
+	}
+	for i := 0; i < len(args); i++ {
+		a := args[i]
+		switch {
+		case a == "-h" || a == "--help":
+			o.help = true
+		case a == "--shared-context":
+			o.sharedCtx = true
+		case a == "--keep-open":
+			o.keepOpen = true
+		case a == "--url":
+			if i+1 < len(args) {
+				o.url = args[i+1]
+				i++
+			}
+		case strings.HasPrefix(a, "--url="):
+			o.url = strings.TrimPrefix(a, "--url=")
+		case a == "--port":
+			if i+1 < len(args) {
+				n, err := atoi(args[i+1], "--port")
+				if err != nil {
+					return o, err
+				}
+				o.port = n
+				i++
+			}
+		case strings.HasPrefix(a, "--port="):
+			n, err := atoi(strings.TrimPrefix(a, "--port="), "--port")
+			if err != nil {
+				return o, err
+			}
+			o.port = n
+		case a == "--timeout":
+			if i+1 < len(args) {
+				n, err := atoi(args[i+1], "--timeout")
+				if err != nil {
+					return o, err
+				}
+				o.timeout = n
+				i++
+			}
+		case strings.HasPrefix(a, "--timeout="):
+			n, err := atoi(strings.TrimPrefix(a, "--timeout="), "--timeout")
+			if err != nil {
+				return o, err
+			}
+			o.timeout = n
+		case strings.HasPrefix(a, "-"):
+			return o, fmt.Errorf("unknown flag %q (try: homelab browser --help)", a)
+		default:
+			positionals = append(positionals, a)
+		}
+	}
+	if o.help {
+		return o, nil
+	}
+	switch mode {
+	case "run":
+		if len(positionals) == 0 {
+			return o, fmt.Errorf("usage: homelab browser run <script.js> [--url URL] [--shared-context] [--keep-open] [--port N] [--timeout S]")
+		}
+		o.script = positionals[0]
+	case "open":
+		if len(positionals) == 0 {
+			return o, fmt.Errorf("usage: homelab browser open <url> [--shared-context] [--timeout S]")
+		}
+		o.url = positionals[0]
+	}
+	return o, nil
+}
+
+// cdpHealthy parses a CDP /json/version body and reports whether the endpoint is
+// a real (non-headless) Chrome — the entire reason chrome-service exists.
+func cdpHealthy(jsonBody []byte) (browser string, healthy bool, err error) {
+	var v struct {
+		Browser   string `json:"Browser"`
+		UserAgent string `json:"User-Agent"`
+	}
+	if e := json.Unmarshal(jsonBody, &v); e != nil {
+		return "", false, fmt.Errorf("parse /json/version: %w", e)
+	}
+	if v.Browser == "" {
+		return "", false, fmt.Errorf("/json/version had no Browser field")
+	}
+	healthy = strings.HasPrefix(v.Browser, "Chrome/") &&
+		!strings.Contains(v.Browser, "Headless") &&
+		!strings.Contains(v.UserAgent, "Headless")
+	return v.Browser, healthy, nil
+}
+
+// buildPortForwardArgs is the kubectl invocation that exposes chrome-service's
+// CDP locally. port-forward tunnels API-server→pod, so it bypasses the :9222
+// NetworkPolicy that gates in-cluster callers.
+func buildPortForwardArgs(localPort int) []string {
+	return []string{"-n", chromeServiceNamespace, "port-forward",
+		"svc/" + chromeServiceName, fmt.Sprintf("%d:%d", localPort, chromeServiceCDPPort)}
+}
+
+// browserClientPackageJSON is the auto-managed manifest for the pinned node CDP
+// client kept under the user cache dir.
+func browserClientPackageJSON() string {
+	return fmt.Sprintf(`{
+  "name": "homelab-browser-client",
+  "private": true,
+  "description": "Pinned CDP client for 'homelab browser' — auto-managed, do not edit.",
+  "dependencies": {
+    "playwright-core": "%s"
+  }
+}
+`, playwrightVersion)
+}
+
+// freePort asks the kernel for an unused ephemeral TCP port.
+func freePort() (int, error) {
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		return 0, err
+	}
+	defer l.Close()
+	return l.Addr().(*net.TCPAddr).Port, nil
+}
+
+// browserClientDir is where the pinned node client + managed runner files live.
+func browserClientDir() (string, error) {
+	cache, err := os.UserCacheDir()
+	if err != nil || cache == "" {
+		home, herr := os.UserHomeDir()
+		if herr != nil {
+			return "", fmt.Errorf("locate cache dir: %v / %v", err, herr)
+		}
+		cache = filepath.Join(home, ".cache")
+	}
+	return filepath.Join(cache, "homelab", "browser-client"), nil
+}
+
+// installedPlaywrightVersion reads the version of the playwright-core already
+// installed in dir, or "" if absent/unreadable.
+func installedPlaywrightVersion(dir string) string {
+	b, err := os.ReadFile(filepath.Join(dir, "node_modules", "playwright-core", "package.json"))
+	if err != nil {
+		return ""
+	}
+	var v struct {
+		Version string `json:"version"`
+	}
+	if json.Unmarshal(b, &v) != nil {
+		return ""
+	}
+	return v.Version
+}
+
+// ensureBrowserClient writes the managed runner/stealth/package files into dir
+// and lazily installs the pinned playwright-core (only when missing/mismatched),
+// so no per-user setup is needed and the client tracks the binary version.
+func ensureBrowserClient(dir string) error {
+	if err := os.MkdirAll(dir, 0o755); err != nil {
+		return err
+	}
+	files := map[string]string{
+		"package.json":      browserClientPackageJSON(),
+		"browser_runner.js": runnerJS,
+		"stealth.js":        stealthJS,
+	}
+	for name, content := range files {
+		if err := os.WriteFile(filepath.Join(dir, name), []byte(content), 0o644); err != nil {
+			return err
+		}
+	}
+	if installedPlaywrightVersion(dir) == playwrightVersion {
+		return nil
+	}
+	fmt.Fprintf(os.Stderr, "homelab browser: installing pinned playwright-core@%s (one-time, ~a few seconds)…\n", playwrightVersion)
+	cmd := exec.Command("npm", "install", "--no-audit", "--no-fund", "--silent")
+	cmd.Dir = dir
+	cmd.Stdout = os.Stderr
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("npm install playwright-core@%s in %s: %w (is node/npm installed?)", playwrightVersion, dir, err)
+	}
+	if got := installedPlaywrightVersion(dir); got != playwrightVersion {
+		return fmt.Errorf("playwright-core install mismatch in %s: want %s, got %q", dir, playwrightVersion, got)
+	}
+	return nil
+}
+
+// waitForCDP polls the local CDP endpoint until it answers as a healthy
+// (non-headless) Chrome, or the timeout elapses.
+func waitForCDP(cdpURL string, timeout time.Duration) (string, error) {
+	deadline := time.Now().Add(timeout)
+	client := &http.Client{Timeout: 3 * time.Second}
+	var lastErr error
+	for time.Now().Before(deadline) {
+		resp, err := client.Get(cdpURL + "/json/version")
+		if err != nil {
+			lastErr = err
+			time.Sleep(300 * time.Millisecond)
+			continue
+		}
+		body, _ := io.ReadAll(resp.Body)
+		resp.Body.Close()
+		browser, healthy, herr := cdpHealthy(body)
+		if herr != nil {
+			lastErr = herr
+			time.Sleep(300 * time.Millisecond)
+			continue
+		}
+		if !healthy {
+			return browser, fmt.Errorf("CDP reports %q — expected a non-headless Chrome (wrong target?)", browser)
+		}
+		return browser, nil
+	}
+	if lastErr == nil {
+		lastErr = fmt.Errorf("timed out after %s", timeout)
+	}
+	return "", lastErr
+}
+
+// runBrowser is the orchestration: pick a port, ensure the pinned client, start
+// (and ALWAYS tear down) a CDP port-forward, wait for readiness, then run node.
+func runBrowser(o browserOpts) error {
+	port := o.port
+	if port == 0 {
+		p, err := freePort()
+		if err != nil {
+			return fmt.Errorf("pick local port: %w", err)
+		}
+		port = p
+	}
+
+	dir, err := browserClientDir()
+	if err != nil {
+		return err
+	}
+	if err := ensureBrowserClient(dir); err != nil {
+		return err
+	}
+
+	// Start the forward in its own process group so the whole tree dies on cleanup.
+	pf := exec.Command("kubectl", buildPortForwardArgs(port)...)
+	pf.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
+	var pfLog strings.Builder
+	pf.Stdout = &pfLog
+	pf.Stderr = &pfLog
+	if err := pf.Start(); err != nil {
+		return fmt.Errorf("start kubectl port-forward (kubeconfig set?): %w", err)
+	}
+
+	var once sync.Once
+	teardown := func() {
+		once.Do(func() {
+			if pf.Process != nil {
+				_ = syscall.Kill(-pf.Process.Pid, syscall.SIGKILL)
+			}
+			_ = pf.Wait()
+		})
+	}
+	defer teardown()
+
+	// Tear down on Ctrl-C / SIGTERM too, then exit non-zero.
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM)
+	defer signal.Stop(sigCh)
+	go func() {
+		if _, ok := <-sigCh; ok {
+			teardown()
+			os.Exit(130)
+		}
+	}()
+
+	cdpURL := fmt.Sprintf("http://127.0.0.1:%d", port)
+	browser, err := waitForCDP(cdpURL, time.Duration(o.timeout)*time.Second)
+	if err != nil {
+		return fmt.Errorf("chrome-service CDP not ready on %s: %w\n--- port-forward log ---\n%s", cdpURL, err, pfLog.String())
+	}
+	fmt.Fprintf(os.Stderr, "homelab browser: connected to %s via %s\n", browser, cdpURL)
+
+	return runBrowserNode(dir, cdpURL, o)
+}
+
+// runBrowserNode invokes the managed node runner with inputs passed via env.
+func runBrowserNode(dir, cdpURL string, o browserOpts) error {
+	env := append(os.Environ(),
+		"HOMELAB_CDP_URL="+cdpURL,
+		"HOMELAB_BROWSER_MODE="+o.mode,
+		"HOMELAB_STEALTH_PATH="+filepath.Join(dir, "stealth.js"),
+		"NODE_PATH="+filepath.Join(dir, "node_modules"),
+	)
+	if o.url != "" {
+		env = append(env, "HOMELAB_BROWSER_URL="+o.url)
+	}
+	if o.script != "" {
+		abs, err := filepath.Abs(o.script)
+		if err != nil {
+			return err
+		}
+		if _, err := os.Stat(abs); err != nil {
+			return fmt.Errorf("script %s: %w", o.script, err)
+		}
+		env = append(env, "HOMELAB_BROWSER_SCRIPT="+abs)
+	}
+	if o.sharedCtx {
+		env = append(env, "HOMELAB_BROWSER_SHARED=1")
+	}
+	if o.keepOpen {
+		env = append(env, "HOMELAB_BROWSER_KEEP_OPEN=1")
+	}
+	if o.mode == "open" {
+		shot := filepath.Join(os.TempDir(), fmt.Sprintf("homelab-browser-%d.png", os.Getpid()))
+		env = append(env, "HOMELAB_BROWSER_SCREENSHOT="+shot)
+	}
+	cmd := exec.Command("node", filepath.Join(dir, "browser_runner.js"))
+	cmd.Env = env
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	cmd.Stdin = os.Stdin
+	return cmd.Run()
+}
diff --git a/cli/browser_runner.js b/cli/browser_runner.js
new file mode 100644
index 00000000..24a2db6b
--- /dev/null
+++ b/cli/browser_runner.js
@@ -0,0 +1,106 @@
+// homelab browser — node CDP runner (auto-managed; regenerated each run from the
+// homelab binary — DO NOT EDIT here). Connects to the port-forwarded
+// chrome-service CDP endpoint, installs the stealth init script, then runs the
+// user's Playwright script (run mode) or opens a URL (open mode). All inputs
+// arrive via HOMELAB_* env vars set by the Go CLI.
+'use strict';
+const fs = require('fs');
+const { chromium } = require('playwright-core');
+
+async function main() {
+  const cdpURL = process.env.HOMELAB_CDP_URL;
+  if (!cdpURL) throw new Error('HOMELAB_CDP_URL not set');
+  const mode = process.env.HOMELAB_BROWSER_MODE || 'run';
+  const stealthPath = process.env.HOMELAB_STEALTH_PATH || '';
+  const initURL = process.env.HOMELAB_BROWSER_URL || '';
+  const scriptPath = process.env.HOMELAB_BROWSER_SCRIPT || '';
+  const shared = process.env.HOMELAB_BROWSER_SHARED === '1';
+  const keepOpen = process.env.HOMELAB_BROWSER_KEEP_OPEN === '1';
+  const screenshotPath = process.env.HOMELAB_BROWSER_SCREENSHOT || '';
+
+  const browser = await chromium.connectOverCDP(cdpURL);
+
+  // Fresh isolated context by default (safe for the shared browser + concurrent
+  // callers); --shared-context reuses the warmed persistent profile.
+  let context;
+  let createdContext = false;
+  if (shared) {
+    const existing = browser.contexts();
+    if (existing.length) {
+      context = existing[0];
+    } else {
+      context = await browser.newContext();
+      createdContext = true;
+    }
+  } else {
+    context = await browser.newContext();
+    createdContext = true;
+  }
+
+  if (stealthPath) {
+    const stealth = fs.readFileSync(stealthPath, 'utf8');
+    if (stealth.trim()) await context.addInitScript(stealth);
+  }
+
+  const page = await context.newPage();
+  const log = (...a) => console.error('[browser]', ...a);
+
+  let exitCode = 0;
+  try {
+    if (initURL) {
+      await page.goto(initURL, { waitUntil: 'domcontentloaded' });
+    }
+    if (mode === 'open') {
+      console.log('url:    ' + page.url());
+      console.log('title:  ' + (await page.title()));
+      const text = (await page.evaluate(() => (document.body ? document.body.innerText : ''))).trim();
+      console.log('--- visible text (truncated to 4000 chars) ---');
+      console.log(text.slice(0, 4000));
+      if (screenshotPath) {
+        await page.screenshot({ path: screenshotPath, fullPage: true });
+        console.log('screenshot: ' + screenshotPath);
+      }
+    } else {
+      if (!scriptPath) throw new Error('run mode requires HOMELAB_BROWSER_SCRIPT');
+      const src = fs.readFileSync(scriptPath, 'utf8');
+      // Run the user's source with page/context/browser/log in lexical scope.
+      // AsyncFunction body permits top-level await.
+      const AsyncFunction = Object.getPrototypeOf(async () => {}).constructor;
+      const fn = new AsyncFunction('page', 'context', 'browser', 'log', src);
+      const result = await fn(page, context, browser, log);
+      if (result !== undefined) {
+        let out;
+        try {
+          out = typeof result === 'string' ? result : JSON.stringify(result, null, 2);
+        } catch (_) {
+          out = String(result);
+        }
+        console.log(out);
+      }
+    }
+  } catch (e) {
+    console.error('homelab browser: script error:', e && e.stack ? e.stack : e);
+    exitCode = 1;
+  } finally {
+    if (!keepOpen) {
+      try {
+        // Close only what we created; never tear down the shared persistent context.
+        if (createdContext) {
+          await context.close();
+        } else {
+          await page.close();
+        }
+      } catch (_) { /* ignore */ }
+    }
+    // Disconnect from the CDP endpoint; this does NOT kill the remote browser.
+    try {
+      await browser.close();
+    } catch (_) { /* ignore */ }
+  }
+  process.exit(exitCode);
+}
+
+main().catch((e) => {
+  console.error('homelab browser: fatal:', e && e.stack ? e.stack : e);
+  process.exit(1);
+});
diff --git a/cli/browser_stealth.js b/cli/browser_stealth.js
new file mode 100644
index 00000000..dfae98a8
--- /dev/null
+++ b/cli/browser_stealth.js
@@ -0,0 +1,54 @@
+// Minimal stealth init script for Playwright-driven Chromium.
+// Vendored from puppeteer-extra-plugin-stealth/evasions/* (MIT) — covers:
+//   webdriver, chrome.runtime, navigator.plugins, navigator.languages,
+//   Permissions.query, WebGL getParameter (vendor + renderer spoof).
+// Run via context.add_init_script() so it executes before any page script.
+(() => {
+  // navigator.webdriver — most common detection, removed entirely.
+  Object.defineProperty(Navigator.prototype, 'webdriver', { get: () => undefined });
+
+  // window.chrome.runtime — many sites check that real Chrome exposes this.
+  if (!window.chrome) window.chrome = {};
+  window.chrome.runtime = window.chrome.runtime || {};
+
+  // navigator.plugins — headless reports zero; spoof a plausible PDF viewer.
+  Object.defineProperty(navigator, 'plugins', {
+    get: () => [{ name: 'Chrome PDF Plugin' }, { name: 'Chrome PDF Viewer' }, { name: 'Native Client' }],
+  });
+
+  // navigator.languages — headless returns empty array.
+  Object.defineProperty(navigator, 'languages', { get: () => ['en-US', 'en'] });
+
+  // Permissions.query — headless returns 'denied' for notifications instead of 'default'.
+  const origQuery = window.navigator.permissions && window.navigator.permissions.query;
+  if (origQuery) {
+    window.navigator.permissions.query = (parameters) =>
+      parameters && parameters.name === 'notifications'
+        ? Promise.resolve({ state: Notification.permission })
+        : origQuery(parameters);
+  }
+
+  // WebGL getParameter — spoof vendor + renderer strings to a real GPU.
+  const spoofGl = (proto) => {
+    if (!proto) return;
+    const orig = proto.getParameter;
+    proto.getParameter = function (parameter) {
+      if (parameter === 37445) return 'Intel Inc.';                   // UNMASKED_VENDOR_WEBGL
+      if (parameter === 37446) return 'Intel Iris OpenGL Engine';     // UNMASKED_RENDERER_WEBGL
+      return orig.apply(this, arguments);
+    };
+  };
+  spoofGl(window.WebGLRenderingContext && window.WebGLRenderingContext.prototype);
+  spoofGl(window.WebGL2RenderingContext && window.WebGL2RenderingContext.prototype);
+
+  // disable-devtool.js (theajack/disable-devtool) auto-inits via a script
+  // tag with `disable-devtool-auto`. Its Performance detector trips under
+  // Playwright (CDP adds console.log latency vs console.table) and the
+  // redirect URL is hard-coded — for hmembeds that's google.com.
+  // Hide the auto-init marker so the library's IIFE exits early.
+  const origQS = Document.prototype.querySelector;
+  Document.prototype.querySelector = function (sel) {
+    if (typeof sel === 'string' && sel.indexOf('disable-devtool-auto') !== -1) return null;
+    return origQS.apply(this, arguments);
+  };
+})();
diff --git a/cli/cmd_browser.go b/cli/cmd_browser.go
new file mode 100644
index 00000000..4263e4d0
--- /dev/null
+++ b/cli/cmd_browser.go
@@ -0,0 +1,117 @@
+package main
+
+import "fmt"
+
+// browser verbs drive the cluster's HEADFUL Chrome (ns chrome-service) over CDP
+// from outside the cluster, for sites that detect/block headless automation.
+// The headless @playwright/mcp browser can load such sites but their gated
+// actions (submit/login) silently fail; this path submits first try. Mechanics
+// only — the agent supplies the Playwright script. See docs/adr/0013.
+
+func browserCommands() []Command {
+	return []Command{
+		{Path: []string{"browser"}, Tier: TierRead,
+			Summary: "headful cluster-Chrome automation for anti-bot sites (run `browser --help`)", Run: browserTopHelp},
+		{Path: []string{"browser", "run"}, Tier: TierWrite,
+			Summary: "run a Playwright script against headful cluster Chrome: browser run <script.js> [--url U] [--shared-context]", Run: browserRun},
+		{Path: []string{"browser", "open"}, Tier: TierWrite,
+			Summary: "open a URL in headful cluster Chrome; print title + text + screenshot: browser open <url>", Run: browserOpen},
+	}
+}
+
+func browserTopHelp([]string) error {
+	fmt.Print(browserHelp())
+	return nil
+}
+
+func browserRun(args []string) error {
+	o, err := parseBrowserArgs("run", args)
+	if err != nil {
+		return err
+	}
+	if o.help {
+		fmt.Print(browserHelp())
+		return nil
+	}
+	return runBrowser(o)
+}
+
+func browserOpen(args []string) error {
+	o, err := parseBrowserArgs("open", args)
+	if err != nil {
+		return err
+	}
+	if o.help {
+		fmt.Print(browserHelp())
+		return nil
+	}
+	return runBrowser(o)
+}
+
+// browserHelp carries the discoverability payload: WHEN to reach for this, and
+// the diagnostic cheat-sheet that lets the agent self-correct instead of
+// retrying a deterministic form blind (the failure mode that motivated this).
+func browserHelp() string {
+	return `homelab browser — drive the cluster's HEADFUL Chrome (anti-bot) over CDP
+
+The shared chrome-service (ns chrome-service) runs a REAL, headed Chrome under
+Xvfb. This connects to it via a port-forward + Playwright connect_over_cdp,
+injects the same stealth.js the in-cluster callers use, and runs your script.
+
+USAGE
+  homelab browser run <script.js> [--url URL] [--shared-context] [--keep-open] [--port N] [--timeout S]
+  homelab browser open <url> [--shared-context] [--timeout S]
+
+WHEN TO USE THIS — escalation only; DEFAULT to the headless/MCP browser
+  Default to the Playwright MCP / headless browser for ALL routine browsing and
+  automation — it's interactive (snapshot per step), fast to start, isolated.
+  Reach for THIS command ONLY when headless is demonstrably blocked: a site
+  LOADS fine but a gated action FAILS or HANGS — a submit/login/checkout spins
+  forever, or ONE request errors while its siblings 200. That is the signature
+  of headless / anti-bot detection (navigator.webdriver, UA "HeadlessChrome",
+  disable-devtool traps). It presents as a real Chrome and usually succeeds
+  first try — but it's the shared cluster browser (slower startup, one batch
+  run, no per-step feedback), so it's the escalation path, never the default.
+
+ERROR-CODE CHEAT-SHEET (diagnose BEFORE retrying)
+  ERR_FILE_NOT_FOUND (-6)   request intercepted/resolved locally by the
+                            automation layer — NOT a network/egress problem.
+                            (This is what silently broke the headless submit.)
+  ERR_CONNECTION_REFUSED /  real egress failure (DNS/route/firewall). These also
+  ERR_TIMED_OUT /           break the initial page load — if the page loaded,
+  ERR_NAME_NOT_RESOLVED     egress is fine and the cause is elsewhere.
+  one endpoint 500s while   server-side bot rejection of the automation, not
+  its siblings 200          your payload.
+
+HABITS
+  - Inspect the network panel BEFORE retrying a deterministic form; a blind
+    retry just repeats the same silent failure.
+  - Don't park a half-filled multi-step form across a user pause — the session
+    can expire; re-run the whole flow from this command in one shot.
+  - Uploads stream over CDP via setInputFiles from THIS host — no chmod/staging
+    of $HOME needed; just point setInputFiles at a local path.
+
+CONTEXT
+  Default: a FRESH incognito context, closed on exit — safe for the shared
+  browser and concurrent callers (e.g. tripit). Your script does its own login.
+  --shared-context: reuse the warmed PERSISTENT profile (cookies from a manual
+  noVNC login at chrome.viktorbarzin.me) when you need a pre-logged-in session.
+
+SCRIPT CONTRACT (run mode)
+  Your file's body runs with page, context, browser and log() already in scope
+  (top-level await allowed). Return a value to print it. Example flow.js:
+
+    await page.goto('https://portal.example.com/login');
+    await page.fill('#user', 'me'); await page.fill('#pass', process.env.PW);
+    await page.click('button[type=submit]');
+    await page.waitForURL('**/dashboard');
+    return 'logged in: ' + page.url();
+
+  Run it:  homelab browser run flow.js
+
+NOTES
+  - The Playwright client is pinned to playwright-core@` + playwrightVersion + ` to match the
+    chrome-service image (Chrome 130); installed once into ~/.cache/homelab/.
+  - The port-forward is always torn down, on success and on error.
+`
+}
diff --git a/cli/cmd_browser_test.go b/cli/cmd_browser_test.go
new file mode 100644
index 00000000..668897d3
--- /dev/null
+++ b/cli/cmd_browser_test.go
@@ -0,0 +1,172 @@
+package main
+
+import (
+	"os"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func TestParseBrowserArgsRun(t *testing.T) {
+	got, err := parseBrowserArgs("run", []string{
+		"flow.js", "--url", "https://example.com", "--shared-context",
+		"--port", "19999", "--timeout", "45", "--keep-open",
+	})
+	if err != nil {
+		t.Fatalf("parseBrowserArgs run: unexpected err: %v", err)
+	}
+	want := browserOpts{
+		mode: "run", script: "flow.js", url: "https://example.com",
+		sharedCtx: true, keepOpen: true, port: 19999, timeout: 45,
+	}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("parseBrowserArgs run =\n %+v\nwant\n %+v", got, want)
+	}
+}
+
+func TestParseBrowserArgsRunDefaults(t *testing.T) {
+	got, err := parseBrowserArgs("run", []string{"flow.js"})
+	if err != nil {
+		t.Fatalf("unexpected err: %v", err)
+	}
+	if got.script != "flow.js" || got.sharedCtx || got.keepOpen || got.port != 0 {
+		t.Fatalf("defaults wrong: %+v", got)
+	}
+	if got.timeout != defaultBrowserTimeout {
+		t.Fatalf("timeout default = %d, want %d", got.timeout, defaultBrowserTimeout)
+	}
+}
+
+func TestParseBrowserArgsRunRequiresScript(t *testing.T) {
+	if _, err := parseBrowserArgs("run", []string{"--url", "https://x"}); err == nil {
+		t.Fatalf("run without a script path should error")
+	}
+}
+
+func TestParseBrowserArgsOpenRequiresURL(t *testing.T) {
+	got, err := parseBrowserArgs("open", []string{"https://example.com"})
+	if err != nil {
+		t.Fatalf("unexpected err: %v", err)
+	}
+	if got.url != "https://example.com" || got.mode != "open" {
+		t.Fatalf("open parse wrong: %+v", got)
+	}
+	if _, err := parseBrowserArgs("open", []string{}); err == nil {
+		t.Fatalf("open without a URL should error")
+	}
+}
+
+func TestParseBrowserArgsHelp(t *testing.T) {
+	for _, a := range [][]string{{"--help"}, {"-h"}, {"flow.js", "--help"}} {
+		got, err := parseBrowserArgs("run", a)
+		if err != nil {
+			t.Fatalf("help parse %v: %v", a, err)
+		}
+		if !got.help {
+			t.Fatalf("args %v should set help", a)
+		}
+	}
+}
+
+func TestParseBrowserArgsEqualsForm(t *testing.T) {
+	got, err := parseBrowserArgs("run", []string{"flow.js", "--url=https://x", "--port=8123", "--timeout=10"})
+	if err != nil {
+		t.Fatalf("unexpected err: %v", err)
+	}
+	if got.url != "https://x" || got.port != 8123 || got.timeout != 10 {
+		t.Fatalf("--flag=value form not parsed: %+v", got)
+	}
+}
+
+func TestCDPHealthy(t *testing.T) {
+	real := []byte(`{"Browser":"Chrome/130.0.6723.31","User-Agent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/130.0.0.0 Safari/537.36","webSocketDebuggerUrl":"ws://127.0.0.1/devtools/browser/x"}`)
+	browser, ok, err := cdpHealthy(real)
+	if err != nil || !ok {
+		t.Fatalf("real Chrome should be healthy: ok=%v err=%v", ok, err)
+	}
+	if !strings.HasPrefix(browser, "Chrome/") {
+		t.Fatalf("browser = %q, want Chrome/ prefix", browser)
+	}
+
+	headless := []byte(`{"Browser":"HeadlessChrome/130.0.6723.31","User-Agent":"Mozilla/5.0 HeadlessChrome/130.0.0.0"}`)
+	if _, ok, _ := cdpHealthy(headless); ok {
+		t.Fatalf("HeadlessChrome must be reported unhealthy (the whole point of chrome-service)")
+	}
+
+	if _, _, err := cdpHealthy([]byte("not json")); err == nil {
+		t.Fatalf("malformed /json/version body should error")
+	}
+}
+
+func TestBuildPortForwardArgs(t *testing.T) {
+	got := buildPortForwardArgs(18080)
+	want := []string{"-n", "chrome-service", "port-forward", "svc/chrome-service", "18080:9222"}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("buildPortForwardArgs =\n %v\nwant\n %v", got, want)
+	}
+}
+
+func TestBrowserClientPackageJSONPinsVersion(t *testing.T) {
+	pj := browserClientPackageJSON()
+	if !strings.Contains(pj, `"playwright-core": "`+playwrightVersion+`"`) {
+		t.Fatalf("package.json must pin playwright-core to %s; got:\n%s", playwrightVersion, pj)
+	}
+}
+
+func TestPlaywrightVersionPinnedToServerMinor(t *testing.T) {
+	// chrome-service runs mcr.microsoft.com/playwright:v1.48.0-noble; the CDP
+	// client minor MUST match (protocol changes between minors).
+	if !strings.HasPrefix(playwrightVersion, "1.48.") {
+		t.Fatalf("playwrightVersion = %q, must be 1.48.x to match the chrome-service image", playwrightVersion)
+	}
+}
+
+func TestBrowserHelpHasDiagnosticCheatSheet(t *testing.T) {
+	h := browserHelp()
+	for _, want := range []string{
+		"homelab browser run",
+		"ERR_FILE_NOT_FOUND",
+		"ERR_CONNECTION_REFUSED",
+		"network panel",
+		"headless",
+		"--shared-context",
+	} {
+		if !strings.Contains(h, want) {
+			t.Errorf("browser --help is missing %q (the discoverability/self-correction payload)", want)
+		}
+	}
+}
+
+func TestBrowserHelpIsTiered(t *testing.T) {
+	// --help must frame this as the ESCALATION path (default to headless first),
+	// matching ~/code/CLAUDE.md and chrome-service.md — non-conflicting agent
+	// instructions. Guard against a regression to "co-equal choice" wording.
+	h := browserHelp()
+	for _, want := range []string{"Default to the", "escalation"} {
+		if !strings.Contains(h, want) {
+			t.Errorf("browser --help must carry the tiered/default-headless framing; missing %q", want)
+		}
+	}
+}
+
+func TestStealthJSEmbeddedMatchesCanonical(t *testing.T) {
+	// The embedded copy must never drift from the source of truth that the
+	// in-cluster callers use, else the CLI's stealth and the cluster's diverge.
+	canonical, err := os.ReadFile("../stacks/chrome-service/files/stealth.js")
+	if err != nil {
+		t.Fatalf("read canonical stealth.js: %v", err)
+	}
+	if stealthJS != string(canonical) {
+		t.Fatalf("cli/browser_stealth.js has drifted from stacks/chrome-service/files/stealth.js — re-copy it")
+	}
+}
+
+func TestFreePortReturnsUsablePort(t *testing.T) {
+	p, err := freePort()
+	if err != nil {
+		t.Fatalf("freePort: %v", err)
+	}
+	if p <= 1024 || p > 65535 {
+		t.Fatalf("freePort returned %d, want an ephemeral port", p)
+	}
+}
diff --git a/cli/cmd_ci.go b/cli/cmd_ci.go
new file mode 100644
index 00000000..66d4902d
--- /dev/null
+++ b/cli/cmd_ci.go
@@ -0,0 +1,99 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"time"
+)
+
+func ciCommands() []Command {
+	return []Command{
+		{Path: []string{"ci", "status"}, Tier: TierRead,
+			Summary: "pipeline status for HEAD/a commit: ci status [commit]", Run: ciStatus},
+		{Path: []string{"ci", "watch"}, Tier: TierRead,
+			Summary: "poll the pipeline for HEAD (or a commit) to terminal; non-zero on failure", Run: ciWatch},
+	}
+}
+
+func short(s string) string {
+	if len(s) > 8 {
+		return s[:8]
+	}
+	return s
+}
+
+func firstLine(s string) string { return strings.SplitN(s, "\n", 2)[0] }
+
+// currentHEAD returns the full HEAD sha of the cwd repo (empty if not a repo).
+func currentHEAD() string {
+	cwd, _ := os.Getwd()
+	root, err := gitRepoRoot(cwd)
+	if err != nil {
+		return ""
+	}
+	sha, _ := gitOutput(root, "rev-parse", "HEAD")
+	return sha
+}
+
+func ciStatus(args []string) error {
+	commit, _ := firstPositional(args)
+	c, err := newWPClient()
+	if err != nil {
+		return err
+	}
+	id, err := c.repoID()
+	if err != nil {
+		return err
+	}
+	p, err := c.findPipeline(id, commit)
+	if err != nil {
+		return err
+	}
+	fmt.Printf("#%d %s event=%s %s %s\n", p.Number, p.Status, p.Event, short(p.Commit), firstLine(p.Message))
+	return nil
+}
+
+func ciWatch(args []string) error {
+	commit, _ := firstPositional(args)
+	if commit == "" {
+		commit = currentHEAD()
+	}
+	if commit == "" {
+		return fmt.Errorf("no commit given and not in a git repo")
+	}
+	c, err := newWPClient()
+	if err != nil {
+		return err
+	}
+	id, err := c.repoID()
+	if err != nil {
+		return err
+	}
+	timeout := 20 * time.Minute
+	deadline := time.Now().Add(timeout)
+	last := ""
+	for time.Now().Before(deadline) {
+		p, err := c.findPipeline(id, commit)
+		if err != nil {
+			if last != "waiting" {
+				fmt.Fprintf(os.Stderr, "homelab: waiting for pipeline (%s)...\n", short(commit))
+				last = "waiting"
+			}
+		} else {
+			if p.Status != last {
+				fmt.Fprintf(os.Stderr, "homelab: #%d %s\n", p.Number, p.Status)
+				last = p.Status
+			}
+			if isTerminalStatus(p.Status) {
+				fmt.Printf("#%d %s %s\n", p.Number, p.Status, short(commit))
+				if isFailureStatus(p.Status) {
+					return fmt.Errorf("pipeline #%d %s (woodpecker repo, see UI/DB for the failing step)", p.Number, p.Status)
+				}
+				return nil
+			}
+		}
+		time.Sleep(15 * time.Second)
+	}
+	return fmt.Errorf("timed out after %s waiting for CI on %s", timeout, short(commit))
+}
diff --git a/cli/cmd_claim.go b/cli/cmd_claim.go
new file mode 100644
index 00000000..e11a37db
--- /dev/null
+++ b/cli/cmd_claim.go
@@ -0,0 +1,56 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+)
+
+func claimCommands() []Command {
+	return []Command{
+		{Path: []string{"claim"}, Tier: TierWrite,
+			Summary: "claim a shared infra resource on the presence board",
+			Run:     runClaim},
+		{Path: []string{"release"}, Tier: TierWrite,
+			Summary: "release a presence claim",
+			Run:     runRelease},
+	}
+}
+
+// runClaim parses `<kind>:<name> --purpose "..."` in either order (the presence
+// script takes the label first, so we can't rely on Go's flag package which
+// stops at the first positional).
+func runClaim(args []string) error {
+	var label, purpose string
+	for i := 0; i < len(args); i++ {
+		a := args[i]
+		switch {
+		case a == "--purpose" || a == "-purpose":
+			if i+1 < len(args) {
+				purpose = args[i+1]
+				i++
+			}
+		case strings.HasPrefix(a, "--purpose="):
+			purpose = strings.TrimPrefix(a, "--purpose=")
+		case !strings.HasPrefix(a, "-") && label == "":
+			label = a
+		}
+	}
+	if label == "" {
+		return fmt.Errorf(`usage: homelab claim <kind>:<name> --purpose "what + why"`)
+	}
+	return presenceClaim(label, purpose)
+}
+
+func runRelease(args []string) error {
+	var label string
+	for _, a := range args {
+		if !strings.HasPrefix(a, "-") {
+			label = a
+			break
+		}
+	}
+	if label == "" {
+		return fmt.Errorf("usage: homelab release <kind>:<name>")
+	}
+	return presenceRelease(label)
+}
diff --git a/cli/cmd_deploy.go b/cli/cmd_deploy.go
new file mode 100644
index 00000000..d5afc4a8
--- /dev/null
+++ b/cli/cmd_deploy.go
@@ -0,0 +1,51 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"time"
+)
+
+func deployCommands() []Command {
+	return []Command{
+		{Path: []string{"deploy", "wait"}, Tier: TierRead,
+			Summary: "wait for <ns>/<deploy> to roll out the current (or --sha) image: deploy wait <ns>/<deploy> [--sha SHA]", Run: deployWait},
+	}
+}
+
+// deployWait closes the "did the NEW code land" gap: rollout status alone returns
+// success on the OLD ReplicaSet, so we first wait for the deployment image to
+// reference the expected sha, THEN block on rollout status.
+func deployWait(args []string) error {
+	target, _ := firstPositional(args)
+	if target == "" || !strings.Contains(target, "/") {
+		return fmt.Errorf("usage: homelab deploy wait <ns>/<deploy> [--sha SHA] [--timeout 10m]")
+	}
+	parts := strings.SplitN(target, "/", 2)
+	ns, deploy := parts[0], parts[1]
+
+	sha := flagValue(args, "--sha")
+	if sha == "" {
+		sha = short(currentHEAD())
+	}
+	deadline := time.Now().Add(10 * time.Minute)
+
+	if sha != "" {
+		fmt.Fprintf(os.Stderr, "homelab: waiting for %s/%s image to match %s...\n", ns, deploy, sha)
+		matched := false
+		for time.Now().Before(deadline) {
+			img, _ := kubectlCapture(ns, "get", "deploy", deploy, "-o", "jsonpath={.spec.template.spec.containers[*].image}")
+			if strings.Contains(img, sha) {
+				matched = true
+				break
+			}
+			time.Sleep(10 * time.Second)
+		}
+		if !matched {
+			return fmt.Errorf("timed out: %s/%s image never matched %q", ns, deploy, sha)
+		}
+	}
+	fmt.Fprintf(os.Stderr, "homelab: rollout status %s/%s...\n", ns, deploy)
+	return kubectlStream(ns, "rollout", "status", "deploy/"+deploy, "--timeout=180s")
+}
diff --git a/cli/cmd_ha.go b/cli/cmd_ha.go
new file mode 100644
index 00000000..2309bdfc
--- /dev/null
+++ b/cli/cmd_ha.go
@@ -0,0 +1,172 @@
+package main
+
+import (
+	"encoding/base64"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// Home Assistant verbs cover the two things the `ha` MCP server can't: resolving
+// the long-lived API token out of the cluster, and SSH to the HA host for
+// host-level work (config files, docker, add-ons). Entity state/control stays
+// with the MCP — see docs/adr/0012.
+//
+// The token lives in the dedicated k8s Secret openclaw/ha-tokens (one key per
+// instance), split out of openclaw-secrets so non-admin operators (emo / "Home
+// Server Admins") can read JUST the HA token, not the full skill_secrets blob.
+// `ha token` resolves it on demand via the ambient kubeconfig, so it never
+// depends on a pre-set env var (the gap that made agents re-derive the
+// kubectl|base64|jq pipeline every session).
+
+type haInstance struct {
+	name      string // sofia | london
+	sshUser   string // SSH login on the HA host
+	sshHost   string // host reachable from the devvm (Sofia LAN)
+	secretKey string // key inside the openclaw/ha-tokens Secret holding this token
+}
+
+const (
+	haDefaultInstance = "sofia"
+	haSecretNamespace = "openclaw"
+	haSecretName      = "ha-tokens" // dedicated, least-privilege; see stacks/openclaw/ha_tokens.tf
+)
+
+// haInstances maps instance name → connection/secret facts. sofia is the default
+// because the devvm is on the Sofia LAN; london is documented but its host
+// (192.168.8.x) is only reachable remotely, so `ha ssh --instance london`
+// generally won't connect from here (token resolution still works).
+var haInstances = map[string]haInstance{
+	"sofia":  {name: "sofia", sshUser: "vbarzin", sshHost: "192.168.1.8", secretKey: "sofia"},
+	"london": {name: "london", sshUser: "hassio", sshHost: "192.168.8.103", secretKey: "london"},
+}
+
+func haCommands() []Command {
+	return []Command{
+		{Path: []string{"ha", "token"}, Tier: TierRead,
+			Summary: "reveal the HA long-lived API token from the cluster: ha token [--instance sofia|london]", Run: haToken},
+		{Path: []string{"ha", "ssh"}, Tier: TierWrite,
+			Summary: "run a command on the HA host over ssh: ha ssh [--instance sofia|london] [-i KEY] -- <cmd>", Run: haSSH},
+	}
+}
+
+// resolveHAInstance looks up an instance by name; "" yields the default (sofia).
+func resolveHAInstance(name string) (haInstance, error) {
+	if name == "" {
+		name = haDefaultInstance
+	}
+	inst, ok := haInstances[name]
+	if !ok {
+		return haInstance{}, fmt.Errorf("unknown HA instance %q (want sofia or london)", name)
+	}
+	return inst, nil
+}
+
+// decodeSecretValue base64-decodes a k8s Secret `.data.<key>` value as returned
+// by kubectl jsonpath (trailing whitespace tolerated).
+func decodeSecretValue(b64 string) (string, error) {
+	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
+	if err != nil {
+		return "", fmt.Errorf("base64-decode secret value: %w", err)
+	}
+	return string(raw), nil
+}
+
+func haToken(args []string) error {
+	name, _ := firstPositional(args) // accept `ha token sofia` as well as `--instance sofia`
+	for i := 0; i < len(args); i++ {
+		if args[i] == "--instance" && i+1 < len(args) {
+			name = args[i+1]
+		} else if strings.HasPrefix(args[i], "--instance=") {
+			name = strings.TrimPrefix(args[i], "--instance=")
+		}
+	}
+	inst, err := resolveHAInstance(name)
+	if err != nil {
+		return err
+	}
+	b64, err := kubectlCapture(haSecretNamespace, "get", "secret", haSecretName,
+		"-o", "jsonpath={.data."+inst.secretKey+"}")
+	if err != nil {
+		return fmt.Errorf("read secret %s/%s (kubeconfig set? RBAC?): %w", haSecretNamespace, haSecretName, err)
+	}
+	if b64 == "" {
+		return fmt.Errorf("secret %s/%s has no %q key", haSecretNamespace, haSecretName, inst.secretKey)
+	}
+	tok, err := decodeSecretValue(b64)
+	if err != nil {
+		return err
+	}
+	fmt.Println(tok)
+	return nil
+}
+
+// defaultHAKeyPath is the invoking user's ed25519 key, so the verb is per-user
+// rather than tied to whoever first wrote the workflow.
+func defaultHAKeyPath() string {
+	if home, err := os.UserHomeDir(); err == nil && home != "" {
+		return filepath.Join(home, ".ssh", "id_ed25519")
+	}
+	return filepath.Join("~", ".ssh", "id_ed25519")
+}
+
+// parseHASSH reads `[--instance X] [-i|--key PATH] [-- ] <cmd...>`. Tokens after
+// `--` are taken verbatim; bare tokens before it are also the remote command.
+func parseHASSH(args []string) (inst haInstance, keyPath string, remote []string, err error) {
+	name := haDefaultInstance
+	keyPath = defaultHAKeyPath()
+	for i := 0; i < len(args); i++ {
+		a := args[i]
+		switch {
+		case a == "--":
+			remote = append(remote, args[i+1:]...)
+			i = len(args)
+		case a == "--instance":
+			if i+1 < len(args) {
+				name = args[i+1]
+				i++
+			}
+		case strings.HasPrefix(a, "--instance="):
+			name = strings.TrimPrefix(a, "--instance=")
+		case a == "--key" || a == "-i":
+			if i+1 < len(args) {
+				keyPath = args[i+1]
+				i++
+			}
+		case strings.HasPrefix(a, "--key="):
+			keyPath = strings.TrimPrefix(a, "--key=")
+		default:
+			remote = append(remote, a)
+		}
+	}
+	inst, err = resolveHAInstance(name)
+	return inst, keyPath, remote, err
+}
+
+// buildHASSHArgs assembles deterministic, non-interactive ssh args: an explicit
+// key, no user ssh config, and no known_hosts prompt/record — so it runs
+// unattended in an agent session without hanging on a host-key prompt.
+func buildHASSHArgs(inst haInstance, keyPath string, remote []string) []string {
+	args := []string{
+		"-F", "/dev/null",
+		"-o", "IdentityFile=" + keyPath,
+		"-o", "StrictHostKeyChecking=no",
+		"-o", "UserKnownHostsFile=/dev/null",
+		"-o", "ConnectTimeout=10",
+		"-o", "BatchMode=yes",
+		inst.sshUser + "@" + inst.sshHost,
+	}
+	return append(args, remote...)
+}
+
+func haSSH(args []string) error {
+	inst, keyPath, remote, err := parseHASSH(args)
+	if err != nil {
+		return err
+	}
+	if len(remote) == 0 {
+		return fmt.Errorf(`usage: homelab ha ssh [--instance sofia|london] [-i KEY] -- <command>`)
+	}
+	return runStreaming("ssh", buildHASSHArgs(inst, keyPath, remote)...)
+}
diff --git a/cli/cmd_ha_test.go b/cli/cmd_ha_test.go
new file mode 100644
index 00000000..9dc10e11
--- /dev/null
+++ b/cli/cmd_ha_test.go
@@ -0,0 +1,92 @@
+package main
+
+import (
+	"encoding/base64"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func TestResolveHAInstance(t *testing.T) {
+	// empty defaults to sofia (the devvm sits on the Sofia LAN)
+	if got, err := resolveHAInstance(""); err != nil || got.name != "sofia" {
+		t.Fatalf(`resolveHAInstance("") = %+v, %v; want sofia`, got, err)
+	}
+	if got, err := resolveHAInstance("sofia"); err != nil || got.secretKey != "sofia" {
+		t.Fatalf("sofia secretKey = %q, %v", got.secretKey, err)
+	}
+	if got, err := resolveHAInstance("london"); err != nil || got.secretKey != "london" || got.sshUser != "hassio" {
+		t.Fatalf("london = %+v, %v", got, err)
+	}
+	if _, err := resolveHAInstance("paris"); err == nil {
+		t.Fatalf("resolveHAInstance(paris) should error on unknown instance")
+	}
+}
+
+func TestDecodeSecretValue(t *testing.T) {
+	// k8s stores Secret values base64-encoded; `kubectl -o jsonpath={.data.<k>}`
+	// returns that base64, which decodeSecretValue turns back into the raw token.
+	enc := base64.StdEncoding.EncodeToString([]byte("tok-sofia"))
+	if got, err := decodeSecretValue(enc); err != nil || got != "tok-sofia" {
+		t.Fatalf("decodeSecretValue = %q, %v; want tok-sofia", got, err)
+	}
+	// trailing whitespace/newline from jsonpath output must be tolerated
+	if got, err := decodeSecretValue(enc + "\n"); err != nil || got != "tok-sofia" {
+		t.Fatalf("decodeSecretValue (trailing ws) = %q, %v; want tok-sofia", got, err)
+	}
+	if _, err := decodeSecretValue("not-base64!!"); err == nil {
+		t.Fatalf("decodeSecretValue should error on undecodable base64")
+	}
+}
+
+func TestBuildHASSHArgs(t *testing.T) {
+	inst, _ := resolveHAInstance("sofia")
+	got := buildHASSHArgs(inst, "/home/u/.ssh/id_ed25519", []string{"cat", "/config/configuration.yaml"})
+	want := []string{
+		"-F", "/dev/null",
+		"-o", "IdentityFile=/home/u/.ssh/id_ed25519",
+		"-o", "StrictHostKeyChecking=no",
+		"-o", "UserKnownHostsFile=/dev/null",
+		"-o", "ConnectTimeout=10",
+		"-o", "BatchMode=yes",
+		"vbarzin@192.168.1.8",
+		"cat", "/config/configuration.yaml",
+	}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("buildHASSHArgs =\n %v\nwant\n %v", got, want)
+	}
+}
+
+func TestParseHASSH(t *testing.T) {
+	// instance flag + everything after `--` is the verbatim remote command
+	inst, key, remote, err := parseHASSH([]string{"--instance", "sofia", "--", "docker", "ps", "-a"})
+	if err != nil {
+		t.Fatalf("parseHASSH err: %v", err)
+	}
+	if inst.name != "sofia" {
+		t.Errorf("instance = %q, want sofia", inst.name)
+	}
+	if !strings.HasSuffix(key, "/.ssh/id_ed25519") {
+		t.Errorf("default key = %q, want it to end in /.ssh/id_ed25519", key)
+	}
+	if !reflect.DeepEqual(remote, []string{"docker", "ps", "-a"}) {
+		t.Errorf("remote = %v, want [docker ps -a]", remote)
+	}
+
+	// bare args (no `--`) are also taken as the remote command; -i overrides the key
+	_, key2, remote2, err := parseHASSH([]string{"-i", "/tmp/k", "uptime"})
+	if err != nil {
+		t.Fatalf("parseHASSH err: %v", err)
+	}
+	if key2 != "/tmp/k" {
+		t.Errorf("key = %q, want /tmp/k", key2)
+	}
+	if !reflect.DeepEqual(remote2, []string{"uptime"}) {
+		t.Errorf("remote = %v, want [uptime]", remote2)
+	}
+
+	// unknown instance surfaces as an error
+	if _, _, _, err := parseHASSH([]string{"--instance", "paris", "--", "ls"}); err == nil {
+		t.Errorf("parseHASSH should error on unknown instance")
+	}
+}
diff --git a/cli/cmd_k8s.go b/cli/cmd_k8s.go
new file mode 100644
index 00000000..80f8f62d
--- /dev/null
+++ b/cli/cmd_k8s.go
@@ -0,0 +1,288 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+)
+
+func k8sCommands() []Command {
+	return []Command{
+		{Path: []string{"k8s", "status"}, Tier: TierRead,
+			Summary: "pods (wide) + recent non-Normal events for a namespace (or -A)", Run: k8sStatus},
+		{Path: []string{"k8s", "get"}, Tier: TierRead,
+			Summary: "kubectl get in a namespace: k8s get <ns> <resource> [args]", Run: k8sGet},
+		{Path: []string{"k8s", "logs"}, Tier: TierRead,
+			Summary: "logs for <app> (deploy/<app>; --tail/-c/--previous/--since/-l)", Run: k8sLogs},
+		{Path: []string{"k8s", "describe"}, Tier: TierRead,
+			Summary: "describe <app>'s deployment (or an explicit resource)", Run: k8sDescribe},
+		{Path: []string{"k8s", "debug"}, Tier: TierRead,
+			Summary: "one-shot triage for <app>: pods+deploy+describe+logs+events", Run: k8sDebug},
+		{Path: []string{"k8s", "pf"}, Tier: TierRead,
+			Summary: "port-forward: k8s pf <app> <local:remote> [svc/pod target]", Run: k8sPortForward},
+		{Path: []string{"k8s", "db"}, Tier: TierWrite,
+			Summary: `query a dbaas DB: k8s db <app> [--mysql] [--db N] -- "<SQL>"`, Run: k8sDB},
+		{Path: []string{"k8s", "exec"}, Tier: TierWrite,
+			Summary: "exec in <app>'s pod: k8s exec <app> [--tty] -- <cmd>", Run: k8sExec},
+		{Path: []string{"k8s", "rm-pod"}, Tier: TierWrite,
+			Summary: "delete a stuck pod/job ONLY: k8s rm-pod <name> -n <ns> [--job] [--force]", Run: k8sRmPod},
+		{Path: []string{"k8s", "rollout-status"}, Tier: TierRead,
+			Summary: "rollout status of deploy/<app>", Run: k8sRolloutStatus},
+		{Path: []string{"k8s", "restart"}, Tier: TierWrite,
+			Summary: "rollout restart deploy/<app> then wait for status", Run: k8sRestart},
+		{Path: []string{"k8s", "probe"}, Tier: TierRead,
+			Summary: "in-cluster reachability: ephemeral curl pod to <app>.<ns>.svc", Run: k8sProbe},
+	}
+}
+
+func k8sStatus(args []string) error {
+	t := parseK8sTarget(args)
+	ns := t.namespace() // "" when no app/ns given → cluster-wide
+	get := []string{"get", "pods", "-o", "wide"}
+	ev := []string{"get", "events", "--field-selector", "type!=Normal", "--sort-by=.lastTimestamp"}
+	if ns == "" {
+		get = append(get, "-A")
+		ev = append(ev, "-A")
+	}
+	if err := kubectlStream(ns, get...); err != nil {
+		return err
+	}
+	fmt.Fprintln(os.Stderr, "\n--- recent events (type!=Normal) ---")
+	_ = kubectlStream(ns, ev...) // best-effort
+	return nil
+}
+
+func k8sGet(args []string) error {
+	t := parseK8sTarget(args)
+	if t.app == "" || len(t.rest) == 0 {
+		return fmt.Errorf("usage: homelab k8s get <ns> <resource> [args]")
+	}
+	return kubectlStream(t.app, append([]string{"get"}, t.rest...)...)
+}
+
+func k8sLogs(args []string) error {
+	t := parseK8sTarget(args)
+	if t.app == "" {
+		return fmt.Errorf("usage: homelab k8s logs <app> [--tail N] [-c ctr] [--previous] [--since 1h] [-l sel]")
+	}
+	a := []string{"logs"}
+	if t.selector != "" {
+		a = append(a, "-l", t.selector)
+	} else {
+		a = append(a, t.objectRef())
+	}
+	if t.container != "" {
+		a = append(a, "-c", t.container)
+	}
+	if !containsPrefix(t.rest, "--tail") {
+		a = append(a, "--tail=200")
+	}
+	a = append(a, t.rest...)
+	return kubectlStream(t.namespace(), a...)
+}
+
+func k8sDescribe(args []string) error {
+	t := parseK8sTarget(args)
+	if t.app == "" {
+		return fmt.Errorf("usage: homelab k8s describe <app> [resource]")
+	}
+	if len(t.rest) > 0 {
+		return kubectlStream(t.namespace(), append([]string{"describe"}, t.rest...)...)
+	}
+	return kubectlStream(t.namespace(), "describe", t.objectRef())
+}
+
+func k8sDebug(args []string) error {
+	t := parseK8sTarget(args)
+	if t.app == "" {
+		return fmt.Errorf("usage: homelab k8s debug <app>")
+	}
+	ns := t.namespace()
+	sec := func(title string) { fmt.Fprintf(os.Stderr, "\n=== %s ===\n", title) }
+	sec("pods")
+	_ = kubectlStream(ns, "get", "pods", "-o", "wide")
+	sec("workloads")
+	_ = kubectlStream(ns, "get", "deploy,sts,ds", "-o", "wide")
+	sec("describe "+t.objectRef())
+	_ = kubectlStream(ns, "describe", t.objectRef())
+	sec("recent logs (--tail=50)")
+	_ = kubectlStream(ns, "logs", t.objectRef(), "--tail=50")
+	sec("events (type!=Normal)")
+	_ = kubectlStream(ns, "get", "events", "--field-selector", "type!=Normal", "--sort-by=.lastTimestamp")
+	return nil
+}
+
+func k8sPortForward(args []string) error {
+	t := parseK8sTarget(args)
+	if t.app == "" || len(t.rest) == 0 {
+		return fmt.Errorf("usage: homelab k8s pf <app> <local:remote> [svc/pod target]")
+	}
+	ports := t.rest[0]
+	target := "svc/" + t.app
+	if len(t.rest) > 1 {
+		target = t.rest[1]
+	}
+	return kubectlStream(t.namespace(), "port-forward", target, ports)
+}
+
+func k8sDB(args []string) error {
+	var app, dbName, sql string
+	mysql := false
+	for i := 0; i < len(args); i++ {
+		a := args[i]
+		if a == "--" {
+			sql = strings.Join(args[i+1:], " ")
+			break
+		}
+		switch {
+		case a == "--mysql":
+			mysql = true
+		case a == "--db":
+			if i+1 < len(args) {
+				dbName = args[i+1]
+				i++
+			}
+		case strings.HasPrefix(a, "--db="):
+			dbName = strings.TrimPrefix(a, "--db=")
+		case !strings.HasPrefix(a, "-") && app == "":
+			app = a
+		}
+	}
+	if app == "" {
+		return fmt.Errorf(`usage: homelab k8s db <app> [--mysql] [--db NAME] -- "<SQL>"`)
+	}
+	p := planDBExec(app, dbName, sql, mysql)
+	pod := p.pod
+	if pod == "" && p.selector != "" {
+		resolved, err := kubectlCapture(p.ns, "get", "pod", "-l", p.selector, "-o", "jsonpath={.items[0].metadata.name}")
+		if err != nil || resolved == "" {
+			return fmt.Errorf("could not resolve db pod in %s (selector %q): %v", p.ns, p.selector, err)
+		}
+		pod = resolved
+	}
+	exec := []string{"exec"}
+	if sql == "" {
+		exec = append(exec, "-it") // interactive client when no SQL given
+	}
+	exec = append(exec, pod)
+	if p.container != "" {
+		exec = append(exec, "-c", p.container)
+	}
+	exec = append(exec, "--")
+	exec = append(exec, p.argv...)
+	return kubectlStream(p.ns, exec...)
+}
+
+func k8sExec(args []string) error {
+	t := parseK8sTarget(args)
+	if t.app == "" {
+		return fmt.Errorf("usage: homelab k8s exec <app> [--pod p] [-c ctr] [--tty] -- <cmd>")
+	}
+	if len(t.rest) == 0 {
+		return fmt.Errorf("provide a command after --, e.g. homelab k8s exec %s -- env", t.app)
+	}
+	a := []string{"exec"}
+	if t.tty {
+		a = append(a, "-it")
+	}
+	a = append(a, t.objectRef())
+	if t.container != "" {
+		a = append(a, "-c", t.container)
+	}
+	a = append(a, "--")
+	a = append(a, t.rest...)
+	return kubectlStream(t.namespace(), a...)
+}
+
+func k8sRmPod(args []string) error {
+	var pod, ns, grace string
+	force, job := false, false
+	for i := 0; i < len(args); i++ {
+		a := args[i]
+		switch {
+		case a == "-n" || a == "--namespace":
+			if i+1 < len(args) {
+				ns = args[i+1]
+				i++
+			}
+		case a == "--force":
+			force = true
+		case a == "--job":
+			job = true
+		case a == "--grace":
+			if i+1 < len(args) {
+				grace = args[i+1]
+				i++
+			}
+		case !strings.HasPrefix(a, "-") && pod == "":
+			pod = a
+		}
+	}
+	if pod == "" || ns == "" {
+		return fmt.Errorf("usage: homelab k8s rm-pod <name> -n <ns> [--job] [--force] [--grace N] (pods/jobs only)")
+	}
+	kind := "pod"
+	if job {
+		kind = "job"
+	}
+	a := []string{"delete", kind, pod}
+	if grace != "" {
+		a = append(a, "--grace-period="+grace)
+	}
+	if force {
+		a = append(a, "--force")
+	}
+	return kubectlStream(ns, a...)
+}
+
+func k8sRolloutStatus(args []string) error {
+	t := parseK8sTarget(args)
+	if t.app == "" {
+		return fmt.Errorf("usage: homelab k8s rollout-status <app>")
+	}
+	return kubectlStream(t.namespace(), "rollout", "status", "deploy/"+t.app)
+}
+
+func k8sRestart(args []string) error {
+	t := parseK8sTarget(args)
+	if t.app == "" {
+		return fmt.Errorf("usage: homelab k8s restart <app>")
+	}
+	ns := t.namespace()
+	if err := kubectlStream(ns, "rollout", "restart", "deploy/"+t.app); err != nil {
+		return err
+	}
+	return kubectlStream(ns, "rollout", "status", "deploy/"+t.app)
+}
+
+func k8sProbe(args []string) error {
+	t := parseK8sTarget(args)
+	if t.app == "" {
+		return fmt.Errorf("usage: homelab k8s probe <app> [path] [--port N]")
+	}
+	ns := t.namespace()
+	url := "http://" + t.app + "." + ns + ".svc.cluster.local"
+	if port := flagValue(args, "--port"); port != "" {
+		url += ":" + port
+	}
+	if len(t.rest) > 0 {
+		p := t.rest[0]
+		if !strings.HasPrefix(p, "/") {
+			p = "/" + p
+		}
+		url += p
+	}
+	return kubectlStream(ns, "run", "homelab-probe", "--rm", "-i", "--restart=Never",
+		"--image=curlimages/curl:latest", "--",
+		"curl", "-sS", "--max-time", "10", "-w", "\n[%{http_code}] %{time_total}s\n", url)
+}
+
+// containsPrefix reports whether any arg starts with prefix.
+func containsPrefix(args []string, prefix string) bool {
+	for _, a := range args {
+		if strings.HasPrefix(a, prefix) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/cli/cmd_memory.go b/cli/cmd_memory.go
new file mode 100644
index 00000000..94f3a482
--- /dev/null
+++ b/cli/cmd_memory.go
@@ -0,0 +1,302 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"strings"
+)
+
+func memoryCommands() []Command {
+	return []Command{
+		{Path: []string{"memory", "recall"}, Tier: TierRead,
+			Summary: `semantic search of memory: memory recall "<context>" [--query …] [--category] [--sort] [--limit]`, Run: memoryRecall},
+		{Path: []string{"memory", "list"}, Tier: TierRead,
+			Summary: "list recent memories [--category C] [--tag T] [--limit N]", Run: memoryList},
+		{Path: []string{"memory", "categories"}, Tier: TierRead,
+			Summary: "list memory categories", Run: memorySimpleGet("/api/categories")},
+		{Path: []string{"memory", "tags"}, Tier: TierRead,
+			Summary: "list memory tags", Run: memorySimpleGet("/api/tags")},
+		{Path: []string{"memory", "stats"}, Tier: TierRead,
+			Summary: "memory store stats", Run: memorySimpleGet("/api/stats")},
+		{Path: []string{"memory", "secret"}, Tier: TierRead,
+			Summary: "reveal a sensitive memory's content: memory secret <id>", Run: memorySecret},
+		{Path: []string{"memory", "store"}, Tier: TierWrite,
+			Summary: `store a memory: memory store "<content>" [--category --tags --keywords --importance --sensitive]`, Run: memoryStore},
+		{Path: []string{"memory", "update"}, Tier: TierWrite,
+			Summary: "update a memory: memory update <id> [--content --tags --importance --keywords]", Run: memoryUpdate},
+		{Path: []string{"memory", "delete"}, Tier: TierWrite,
+			Summary: "delete a memory: memory delete <id>", Run: memoryDelete},
+	}
+}
+
+// printMemories renders a {memories:[…]} response as compact lines, or raw JSON.
+func printMemories(raw []byte, jsonOut bool) error {
+	if jsonOut {
+		fmt.Println(string(raw))
+		return nil
+	}
+	var r struct {
+		Memories []struct {
+			ID         int     `json:"id"`
+			Content    string  `json:"content"`
+			Category   string  `json:"category"`
+			Tags       string  `json:"tags"`
+			Importance float64 `json:"importance"`
+		} `json:"memories"`
+	}
+	if err := json.Unmarshal(raw, &r); err != nil {
+		fmt.Println(string(raw))
+		return nil
+	}
+	if len(r.Memories) == 0 {
+		fmt.Println("(no memories)")
+		return nil
+	}
+	for _, m := range r.Memories {
+		c := strings.ReplaceAll(m.Content, "\n", " ")
+		if len(c) > 240 {
+			c = c[:240] + "…"
+		}
+		fmt.Printf("#%d [%s] (%.2f) %s\n", m.ID, m.Category, m.Importance, c)
+		if m.Tags != "" {
+			fmt.Printf("       tags: %s\n", m.Tags)
+		}
+	}
+	return nil
+}
+
+func memoryRecall(args []string) error {
+	req := memRecallReq{}
+	jsonOut := false
+	var pos []string
+	for i := 0; i < len(args); i++ {
+		a := args[i]
+		switch {
+		case a == "--query":
+			if i+1 < len(args) {
+				req.ExpandedQuery = args[i+1]
+				i++
+			}
+		case a == "--category":
+			if i+1 < len(args) {
+				req.Category = args[i+1]
+				i++
+			}
+		case a == "--sort":
+			if i+1 < len(args) {
+				req.SortBy = args[i+1]
+				i++
+			}
+		case a == "--limit":
+			if i+1 < len(args) {
+				fmt.Sscanf(args[i+1], "%d", &req.Limit)
+				i++
+			}
+		case a == "--json":
+			jsonOut = true
+		case !strings.HasPrefix(a, "-"):
+			pos = append(pos, a)
+		}
+	}
+	req.Context = strings.Join(pos, " ")
+	if req.Context == "" {
+		return fmt.Errorf(`usage: homelab memory recall "<context>" [--query …] [--category C] [--sort importance|relevance|recency] [--limit N]`)
+	}
+	c, err := newMemoryClient()
+	if err != nil {
+		return err
+	}
+	raw, err := c.do("POST", "/api/memories/recall", req)
+	if err != nil {
+		return err
+	}
+	return printMemories(raw, jsonOut)
+}
+
+func memoryList(args []string) error {
+	q := url.Values{}
+	jsonOut := false
+	for i := 0; i < len(args); i++ {
+		a := args[i]
+		switch {
+		case a == "--category":
+			if i+1 < len(args) {
+				q.Set("category", args[i+1])
+				i++
+			}
+		case a == "--tag":
+			if i+1 < len(args) {
+				q.Set("tag", args[i+1])
+				i++
+			}
+		case a == "--limit":
+			if i+1 < len(args) {
+				q.Set("limit", args[i+1])
+				i++
+			}
+		case a == "--json":
+			jsonOut = true
+		}
+	}
+	c, err := newMemoryClient()
+	if err != nil {
+		return err
+	}
+	path := "/api/memories"
+	if len(q) > 0 {
+		path += "?" + q.Encode()
+	}
+	raw, err := c.do("GET", path, nil)
+	if err != nil {
+		return err
+	}
+	return printMemories(raw, jsonOut)
+}
+
+func memorySimpleGet(path string) func([]string) error {
+	return func(args []string) error {
+		c, err := newMemoryClient()
+		if err != nil {
+			return err
+		}
+		raw, err := c.do("GET", path, nil)
+		if err != nil {
+			return err
+		}
+		fmt.Println(string(raw))
+		return nil
+	}
+}
+
+func memorySecret(args []string) error {
+	id, _ := firstPositional(args)
+	if id == "" {
+		return fmt.Errorf("usage: homelab memory secret <id>")
+	}
+	c, err := newMemoryClient()
+	if err != nil {
+		return err
+	}
+	raw, err := c.do("POST", "/api/memories/"+id+"/secret", nil)
+	if err != nil {
+		return err
+	}
+	fmt.Println(string(raw))
+	return nil
+}
+
+func memoryStore(args []string) error {
+	req := memStoreReq{Category: "facts", Importance: 0.5}
+	var pos []string
+	for i := 0; i < len(args); i++ {
+		a := args[i]
+		switch {
+		case a == "--category":
+			if i+1 < len(args) {
+				req.Category = args[i+1]
+				i++
+			}
+		case a == "--tags":
+			if i+1 < len(args) {
+				req.Tags = args[i+1]
+				i++
+			}
+		case a == "--keywords":
+			if i+1 < len(args) {
+				req.ExpandedKeywords = args[i+1]
+				i++
+			}
+		case a == "--importance":
+			if i+1 < len(args) {
+				fmt.Sscanf(args[i+1], "%f", &req.Importance)
+				i++
+			}
+		case a == "--sensitive":
+			req.ForceSensitive = true
+		case !strings.HasPrefix(a, "-"):
+			pos = append(pos, a)
+		}
+	}
+	req.Content = strings.Join(pos, " ")
+	if req.Content == "" {
+		return fmt.Errorf(`usage: homelab memory store "<content>" [--category C] [--tags ...] [--keywords ...] [--importance 0.5] [--sensitive]`)
+	}
+	c, err := newMemoryClient()
+	if err != nil {
+		return err
+	}
+	raw, err := c.do("POST", "/api/memories", req)
+	if err != nil {
+		return err
+	}
+	fmt.Println(string(raw))
+	return nil
+}
+
+func memoryUpdate(args []string) error {
+	var id string
+	req := memUpdateReq{}
+	for i := 0; i < len(args); i++ {
+		a := args[i]
+		switch {
+		case a == "--content":
+			if i+1 < len(args) {
+				v := args[i+1]
+				req.Content = &v
+				i++
+			}
+		case a == "--tags":
+			if i+1 < len(args) {
+				v := args[i+1]
+				req.Tags = &v
+				i++
+			}
+		case a == "--keywords":
+			if i+1 < len(args) {
+				v := args[i+1]
+				req.ExpandedKeywords = &v
+				i++
+			}
+		case a == "--importance":
+			if i+1 < len(args) {
+				var f float64
+				fmt.Sscanf(args[i+1], "%f", &f)
+				req.Importance = &f
+				i++
+			}
+		case !strings.HasPrefix(a, "-") && id == "":
+			id = a
+		}
+	}
+	if id == "" {
+		return fmt.Errorf("usage: homelab memory update <id> [--content ...] [--tags ...] [--importance N] [--keywords ...]")
+	}
+	c, err := newMemoryClient()
+	if err != nil {
+		return err
+	}
+	raw, err := c.do("PUT", "/api/memories/"+id, req)
+	if err != nil {
+		return err
+	}
+	fmt.Println(string(raw))
+	return nil
+}
+
+func memoryDelete(args []string) error {
+	id, _ := firstPositional(args)
+	if id == "" {
+		return fmt.Errorf("usage: homelab memory delete <id>")
+	}
+	c, err := newMemoryClient()
+	if err != nil {
+		return err
+	}
+	raw, err := c.do("DELETE", "/api/memories/"+id, nil)
+	if err != nil {
+		return err
+	}
+	fmt.Println(string(raw))
+	return nil
+}
diff --git a/cli/cmd_net.go b/cli/cmd_net.go
new file mode 100644
index 00000000..6401755c
--- /dev/null
+++ b/cli/cmd_net.go
@@ -0,0 +1,83 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+	"time"
+)
+
+func netCommands() []Command {
+	return []Command{
+		{Path: []string{"net", "check"}, Tier: TierRead,
+			Summary: "reachability of <host>[/path]: external (public DNS→CF) vs internal (Traefik LB)", Run: netCheck},
+		{Path: []string{"dns", "lookup"}, Tier: TierRead,
+			Summary: "resolve <name> via Technitium (10.0.20.201) and public (1.1.1.1), diffed", Run: dnsLookup},
+	}
+}
+
+func fmtProbe(code int, d time.Duration, err error) string {
+	if err != nil {
+		return "ERR " + err.Error()
+	}
+	return fmt.Sprintf("HTTP %d  %dms", code, d.Milliseconds())
+}
+
+func netCheck(args []string) error {
+	host, rest := firstPositional(args)
+	if host == "" {
+		return fmt.Errorf("usage: homelab net check <host> [path]")
+	}
+	path := "/"
+	if len(rest) > 0 && !strings.HasPrefix(rest[0], "-") {
+		path = rest[0]
+		if !strings.HasPrefix(path, "/") {
+			path = "/" + path
+		}
+	}
+	u := "https://" + host + path
+	fmt.Printf("%s\n", u)
+
+	// external leg: resolve via public DNS, dial the public IP (tests the real CF path)
+	pubOut, _ := dig(hostOnly(host), "1.1.1.1", "")
+	if pubIP := firstLine(pubOut); pubIP != "" {
+		c, d, e := probeURL(clientDialingIP(pubIP, 10*time.Second), u)
+		fmt.Printf("  external (public %-15s) %s\n", pubIP, fmtProbe(c, d, e))
+	} else {
+		fmt.Println("  external (public)            no public A record")
+	}
+	// internal leg: dial the Traefik LB directly
+	c, d, e := probeURL(clientDialingIP(internalLBIP, 10*time.Second), u)
+	fmt.Printf("  internal (LB %-15s)     %s\n", internalLBIP, fmtProbe(c, d, e))
+	return nil
+}
+
+func dnsLookup(args []string) error {
+	name, rest := firstPositional(args)
+	if name == "" {
+		return fmt.Errorf("usage: homelab dns lookup <name> [A|AAAA|TXT|MX|PTR]")
+	}
+	rr := ""
+	if len(rest) > 0 {
+		rr = rest[0]
+	}
+	tech, _ := dig(name, "10.0.20.201", rr)
+	pub, _ := dig(name, "1.1.1.1", rr)
+	fmt.Printf("technitium (10.0.20.201): %s\n", oneLineList(tech))
+	fmt.Printf("public     (1.1.1.1)    : %s\n", oneLineList(pub))
+	if strings.TrimSpace(tech) != strings.TrimSpace(pub) {
+		fmt.Println("⚠ mismatch — split-horizon (expected for internal-only apps) or a propagation gap")
+	}
+	return nil
+}
+
+func hostOnly(h string) string { // strip any path accidentally included
+	return strings.SplitN(h, "/", 2)[0]
+}
+
+func oneLineList(s string) string {
+	s = strings.TrimSpace(s)
+	if s == "" {
+		return "(none)"
+	}
+	return strings.ReplaceAll(s, "\n", ", ")
+}
diff --git a/cli/cmd_obs.go b/cli/cmd_obs.go
new file mode 100644
index 00000000..33f16e6c
--- /dev/null
+++ b/cli/cmd_obs.go
@@ -0,0 +1,197 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+)
+
+const (
+	promHost = "prometheus-query.viktorbarzin.lan"
+	lokiHost = "loki.viktorbarzin.lan"
+)
+
+func obsCommands() []Command {
+	return []Command{
+		{Path: []string{"metrics", "query"}, Tier: TierRead,
+			Summary: `Prometheus instant query: metrics query "<promql>" [--json]`, Run: metricsQuery},
+		{Path: []string{"metrics", "alerts"}, Tier: TierRead,
+			Summary: "list currently firing Prometheus alerts", Run: metricsAlerts},
+		{Path: []string{"logs", "query"}, Tier: TierRead,
+			Summary: `Loki query (last --since, default 1h): logs query "<logql>" [--since 1h] [--limit N] [--json]`, Run: logsQuery},
+	}
+}
+
+// queryArg joins non-flag args into the query (PromQL/LogQL should normally be
+// passed as a single quoted argument; this also tolerates unquoted multi-token).
+func queryArg(args []string, valueFlags map[string]bool) string {
+	var parts []string
+	for i := 0; i < len(args); i++ {
+		a := args[i]
+		if valueFlags[a] {
+			i++
+			continue
+		}
+		if strings.HasPrefix(a, "-") {
+			continue
+		}
+		parts = append(parts, a)
+	}
+	return strings.Join(parts, " ")
+}
+
+func labelStr(m map[string]string) string {
+	name := m["__name__"]
+	var kv []string
+	for k, v := range m {
+		if k != "__name__" {
+			kv = append(kv, k+"="+v)
+		}
+	}
+	sort.Strings(kv)
+	return name + "{" + strings.Join(kv, ",") + "}"
+}
+
+func metricsQuery(args []string) error {
+	q := queryArg(args, nil)
+	if q == "" {
+		return fmt.Errorf(`usage: homelab metrics query "<promql>" [--json]`)
+	}
+	v := url.Values{}
+	v.Set("query", q)
+	body, err := lbGetBody(promHost, "/api/v1/query", v)
+	if err != nil {
+		return err
+	}
+	if containsArg(args, "--json") {
+		fmt.Println(string(body))
+		return nil
+	}
+	var r struct {
+		Data struct {
+			Result []struct {
+				Metric map[string]string `json:"metric"`
+				Value  []interface{}     `json:"value"`
+			} `json:"result"`
+		} `json:"data"`
+	}
+	if err := json.Unmarshal(body, &r); err != nil {
+		fmt.Println(string(body))
+		return nil
+	}
+	if len(r.Data.Result) == 0 {
+		fmt.Println("(no series)")
+		return nil
+	}
+	for _, s := range r.Data.Result {
+		val := ""
+		if len(s.Value) == 2 {
+			val = fmt.Sprint(s.Value[1])
+		}
+		fmt.Printf("%-14s %s\n", val, labelStr(s.Metric))
+	}
+	return nil
+}
+
+func metricsAlerts(args []string) error {
+	// prometheus-query is a query-only frontend (no /api/v1/alerts); the firing
+	// set is exposed as the synthetic ALERTS series, queryable the normal way.
+	v := url.Values{}
+	v.Set("query", `ALERTS{alertstate="firing"}`)
+	body, err := lbGetBody(promHost, "/api/v1/query", v)
+	if err != nil {
+		return err
+	}
+	if containsArg(args, "--json") {
+		fmt.Println(string(body))
+		return nil
+	}
+	var r struct {
+		Data struct {
+			Result []struct {
+				Metric map[string]string `json:"metric"`
+			} `json:"result"`
+		} `json:"data"`
+	}
+	if err := json.Unmarshal(body, &r); err != nil {
+		fmt.Println(string(body))
+		return nil
+	}
+	if len(r.Data.Result) == 0 {
+		fmt.Println("(no firing alerts)")
+		return nil
+	}
+	for _, a := range r.Data.Result {
+		m := a.Metric
+		scope := ""
+		for _, k := range []string{"namespace", "deployment", "instance", "job", "node"} {
+			if v := m[k]; v != "" {
+				scope = k + "=" + v
+				break
+			}
+		}
+		fmt.Printf("%-9s %-34s %s\n", m["severity"], m["alertname"], scope)
+	}
+	return nil
+}
+
+func logsQuery(args []string) error {
+	q := queryArg(args, map[string]bool{"--since": true, "--limit": true})
+	if q == "" {
+		return fmt.Errorf(`usage: homelab logs query "<logql>" [--since 1h] [--limit N] [--json]`)
+	}
+	since := flagValue(args, "--since")
+	if since == "" {
+		since = "1h"
+	}
+	dur, err := time.ParseDuration(since)
+	if err != nil {
+		return fmt.Errorf("bad --since %q: %w", since, err)
+	}
+	limit := flagValue(args, "--limit")
+	if limit == "" {
+		limit = "100"
+	}
+	end := time.Now()
+	v := url.Values{}
+	v.Set("query", q)
+	v.Set("limit", limit)
+	v.Set("start", strconv.FormatInt(end.Add(-dur).UnixNano(), 10))
+	v.Set("end", strconv.FormatInt(end.UnixNano(), 10))
+	body, err := lbGetBody(lokiHost, "/loki/api/v1/query_range", v)
+	if err != nil {
+		return err
+	}
+	if containsArg(args, "--json") {
+		fmt.Println(string(body))
+		return nil
+	}
+	var r struct {
+		Data struct {
+			Result []struct {
+				Values [][]string `json:"values"`
+			} `json:"result"`
+		} `json:"data"`
+	}
+	if err := json.Unmarshal(body, &r); err != nil {
+		fmt.Println(string(body))
+		return nil
+	}
+	n := 0
+	for _, s := range r.Data.Result {
+		for _, val := range s.Values {
+			if len(val) == 2 {
+				fmt.Println(val[1])
+				n++
+			}
+		}
+	}
+	if n == 0 {
+		fmt.Println("(no log lines)")
+	}
+	return nil
+}
diff --git a/cli/cmd_tf.go b/cli/cmd_tf.go
new file mode 100644
index 00000000..95e0260b
--- /dev/null
+++ b/cli/cmd_tf.go
@@ -0,0 +1,122 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"strings"
+	"sync"
+	"syscall"
+)
+
+func tfCommands() []Command {
+	return []Command{
+		{Path: []string{"tf", "plan"}, Tier: TierRead,
+			Summary: "terragrunt plan a stack (via scripts/tg)", Run: tfPassthrough("plan")},
+		{Path: []string{"tf", "validate"}, Tier: TierRead,
+			Summary: "terragrunt validate a stack", Run: tfPassthrough("validate")},
+		{Path: []string{"tf", "fmt"}, Tier: TierRead,
+			Summary: "terraform fmt a stack's files", Run: tfFmt},
+		{Path: []string{"tf", "force-unlock"}, Tier: TierWrite,
+			Summary: "release a stuck terraform state lock (needs <stack> <lock-id>)", Run: tfForceUnlock},
+		{Path: []string{"tf", "apply"}, Tier: TierWrite,
+			Summary: "terragrunt apply a stack — presence-coupled, out-of-band", Run: tfApply},
+	}
+}
+
+// firstPositional returns the first non-flag arg and the remaining args with it removed.
+func firstPositional(args []string) (string, []string) {
+	for i, a := range args {
+		if !strings.HasPrefix(a, "-") {
+			rest := append(append([]string{}, args[:i]...), args[i+1:]...)
+			return a, rest
+		}
+	}
+	return "", args
+}
+
+// resolveTfStack finds the infra root (from cwd) and the stack directory named
+// by the first positional arg, returning the remaining args.
+func resolveTfStack(args []string) (infraRoot, stackName, stackDir string, rest []string, err error) {
+	stackName, rest = firstPositional(args)
+	if stackName == "" {
+		err = fmt.Errorf("missing <stack> argument")
+		return
+	}
+	cwd, e := os.Getwd()
+	if e != nil {
+		err = e
+		return
+	}
+	infraRoot, err = findInfraRoot(cwd)
+	if err != nil {
+		return
+	}
+	stackDir, err = resolveStack(infraRoot, stackName)
+	return
+}
+
+func tgPath(infraRoot string) string { return filepath.Join(infraRoot, "scripts", "tg") }
+
+// tfPassthrough runs `scripts/tg <verb> [extra]` in the stack directory.
+func tfPassthrough(verb string) func([]string) error {
+	return func(args []string) error {
+		infraRoot, _, stackDir, rest, err := resolveTfStack(args)
+		if err != nil {
+			return err
+		}
+		return runStreamingIn(stackDir, tgPath(infraRoot), append([]string{verb}, rest...)...)
+	}
+}
+
+func tfFmt(args []string) error {
+	_, _, stackDir, _, err := resolveTfStack(args)
+	if err != nil {
+		return err
+	}
+	return runStreamingIn(stackDir, "terraform", "fmt", "-recursive", ".")
+}
+
+func tfForceUnlock(args []string) error {
+	infraRoot, _, stackDir, rest, err := resolveTfStack(args)
+	if err != nil {
+		return err
+	}
+	if len(rest) < 1 {
+		return fmt.Errorf("usage: homelab tf force-unlock <stack> <lock-id>")
+	}
+	return runStreamingIn(stackDir, tgPath(infraRoot), "force-unlock", "-force", rest[0])
+}
+
+// tfApply applies a stack out-of-band: claim the stack on the presence board,
+// ALWAYS release on exit (normal, error, or signal — fixing the claim leak),
+// and warn that CI applies canonically on push.
+func tfApply(args []string) error {
+	infraRoot, stackName, stackDir, _, err := resolveTfStack(args)
+	if err != nil {
+		return err
+	}
+	label := "stack:" + stackName
+	fmt.Fprintf(os.Stderr,
+		"homelab: out-of-band apply of %q — CI applies canonically on push to master.\n", stackName)
+
+	if err := presenceClaim(label, "homelab tf apply "+stackName); err != nil {
+		return fmt.Errorf("presence claim failed (run `vault login -method=oidc`?): %w", err)
+	}
+	// Release exactly once, whether we exit normally, on error, or on signal —
+	// sync.Once makes the defer and the signal goroutine safe to both call it.
+	var once sync.Once
+	release := func() { once.Do(func() { _ = presenceRelease(label) }) }
+	defer release()
+
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, os.Interrupt, syscall.SIGTERM)
+	go func() {
+		<-sig
+		release()
+		os.Exit(130)
+	}()
+
+	return runStreamingIn(stackDir, tgPath(infraRoot), "apply", "--non-interactive")
+}
diff --git a/cli/cmd_tf_test.go b/cli/cmd_tf_test.go
new file mode 100644
index 00000000..74f5b9bd
--- /dev/null
+++ b/cli/cmd_tf_test.go
@@ -0,0 +1,27 @@
+package main
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestFirstPositional(t *testing.T) {
+	cases := []struct {
+		args     []string
+		wantName string
+		wantRest []string
+	}{
+		{[]string{"vault"}, "vault", []string{}},
+		{[]string{"--json", "vault"}, "vault", []string{"--json"}},
+		{[]string{"vault", "abc-123"}, "vault", []string{"abc-123"}},
+		{[]string{"--foo", "monitoring", "extra"}, "monitoring", []string{"--foo", "extra"}},
+		{[]string{"--only-flags"}, "", []string{"--only-flags"}},
+	}
+	for _, c := range cases {
+		gotName, gotRest := firstPositional(c.args)
+		if gotName != c.wantName || !reflect.DeepEqual(gotRest, c.wantRest) {
+			t.Errorf("firstPositional(%v) = (%q, %v), want (%q, %v)",
+				c.args, gotName, gotRest, c.wantName, c.wantRest)
+		}
+	}
+}
diff --git a/cli/cmd_usage.go b/cli/cmd_usage.go
new file mode 100644
index 00000000..e9b7fa8e
--- /dev/null
+++ b/cli/cmd_usage.go
@@ -0,0 +1,77 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"sort"
+	"strconv"
+)
+
+func usageCommands() []Command {
+	return []Command{
+		{Path: []string{"usage", "top"}, Tier: TierRead,
+			Summary: "rank homelab verb usage across users (from Loki): usage top [--since 30d] [--user U] [--json]", Run: usageTop},
+	}
+}
+
+// usageQuery builds the LogQL metric query that counts invocations per verb.
+func usageQuery(since, user string) string {
+	sel := `job="` + usageJob + `"`
+	if user != "" {
+		sel += `, user="` + user + `"`
+	}
+	return fmt.Sprintf(`sum by (verb) (count_over_time({%s}[%s]))`, sel, since)
+}
+
+func usageTop(args []string) error {
+	since := flagValue(args, "--since")
+	if since == "" {
+		since = "30d"
+	}
+	v := url.Values{}
+	v.Set("query", usageQuery(since, flagValue(args, "--user")))
+	body, err := lbGetBody(lokiHost, "/loki/api/v1/query", v)
+	if err != nil {
+		return err
+	}
+	if containsArg(args, "--json") {
+		fmt.Println(string(body))
+		return nil
+	}
+	var r struct {
+		Data struct {
+			Result []struct {
+				Metric map[string]string `json:"metric"`
+				Value  []interface{}     `json:"value"`
+			} `json:"result"`
+		} `json:"data"`
+	}
+	if err := json.Unmarshal(body, &r); err != nil {
+		fmt.Println(string(body))
+		return nil
+	}
+	type row struct {
+		verb string
+		n    int
+	}
+	var rows []row
+	for _, s := range r.Data.Result {
+		n := 0
+		if len(s.Value) == 2 {
+			if f, e := strconv.ParseFloat(fmt.Sprint(s.Value[1]), 64); e == nil {
+				n = int(f)
+			}
+		}
+		rows = append(rows, row{s.Metric["verb"], n})
+	}
+	if len(rows) == 0 {
+		fmt.Println("(no usage recorded yet)")
+		return nil
+	}
+	sort.Slice(rows, func(i, j int) bool { return rows[i].n > rows[j].n })
+	for _, r := range rows {
+		fmt.Printf("%6d  %s\n", r.n, r.verb)
+	}
+	return nil
+}
diff --git a/cli/cmd_vault.go b/cli/cmd_vault.go
new file mode 100644
index 00000000..bf270886
--- /dev/null
+++ b/cli/cmd_vault.go
@@ -0,0 +1,663 @@
+package main
+
+import (
+	"bufio"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+	"syscall"
+)
+
+// vault verbs give each unix user no-HITL access to THEIR OWN Vaultwarden vault.
+// Identity is the kernel UID; per-user creds live in that user's isolated Vault
+// path (secret/workstation/claude-users/<user>) read via their scoped token, and
+// decryption is done by the official `bw` CLI. See
+// docs/superpowers/specs/2026-06-24-homelab-vault-design.md.
+func vaultCommands() []Command {
+	return []Command{
+		{Path: []string{"vault", "setup"}, Tier: TierWrite,
+			Summary: "one-time: store your Vaultwarden master password + API key in your Vault path", Run: vaultSetup},
+		{Path: []string{"vault", "status"}, Tier: TierRead,
+			Summary: "show whether your vault is configured/reachable (no secrets)", Run: vaultStatus},
+		{Path: []string{"vault", "list"}, Tier: TierRead,
+			Summary: "list your item names: vault list [--search Q]", Run: vaultList},
+		{Path: []string{"vault", "get"}, Tier: TierRead,
+			Summary: "fetch one item: vault get <name> [--field password|username|uri|notes|totp] [--json]", Run: vaultGet},
+		{Path: []string{"vault", "search"}, Tier: TierRead,
+			Summary: "search your item names: vault search <query>", Run: vaultSearch},
+		{Path: []string{"vault", "code"}, Tier: TierRead,
+			Summary: "current TOTP code for an item: vault code <name>", Run: vaultCode},
+		{Path: []string{"vault", "lock"}, Tier: TierWrite,
+			Summary: "lock/log out the local bw session", Run: vaultLock},
+		{Path: []string{"vault"}, Tier: TierRead,
+			Summary: "Vaultwarden access for your own vault (run `homelab vault` for help)",
+			Run:     func([]string) error { fmt.Print(vaultHelp()); return nil }},
+	}
+}
+
+// vaultHelp is shown for bare `homelab vault`.
+func vaultHelp() string {
+	return `homelab vault — read YOUR OWN Vaultwarden logins (no-HITL after one-time setup)
+
+  homelab vault setup             one-time: store your master password + API key in your Vault path
+  homelab vault status            configured / unlocked / reachable (no secrets)
+  homelab vault list [--search Q] list your item names (no secrets)
+  homelab vault get <name> [--field password|username|uri|notes|totp] [--json]
+                                  TTY → clipboard (auto-clears); piped → stdout
+  homelab vault code <name>       current TOTP code
+  homelab vault lock              lock / log out the local bw session
+
+Creds live only in your own Vault path; the admin never sees them. Identity is
+your unix UID. Security model: docs/superpowers/specs/2026-06-24-homelab-vault-design.md
+(note: anything running as your user can decrypt your vault — the accepted no-HITL trade).
+`
+}
+
+const vwUserPathPrefix = "secret/workstation/claude-users/"
+
+// vwCreds is one user's Vaultwarden auth material, read from their Vault path.
+type vwCreds struct {
+	Email          string
+	MasterPassword string
+	ClientID       string
+	ClientSecret   string
+}
+
+// cmdRunner shells out to an external command with an explicit environment and
+// returns trimmed stdout. Secrets are passed via envv, NEVER argv. Tests inject
+// a fake; realRunner is the production implementation.
+type cmdRunner func(name string, argv, envv []string) (string, error)
+
+func realRunner(name string, argv, envv []string) (string, error) {
+	cmd := exec.Command(name, argv...)
+	if envv != nil {
+		cmd.Env = envv
+	}
+	out, err := cmd.Output()
+	// Trim only the trailing newline the tool appends — NOT all whitespace, so a
+	// fetched secret with significant leading/trailing spaces is preserved.
+	return strings.TrimRight(string(out), "\r\n"), err
+}
+
+// realRunnerStdin runs a command feeding `stdin` to it, for secret values that
+// must NOT appear in argv (visible via ps / /proc/<pid>/cmdline to same-UID
+// processes). Used by setup to write the master password / client_secret.
+func realRunnerStdin(name string, argv, envv []string, stdin string) (string, error) {
+	cmd := exec.Command(name, argv...)
+	if envv != nil {
+		cmd.Env = envv
+	}
+	cmd.Stdin = strings.NewReader(stdin)
+	out, err := cmd.Output()
+	return strings.TrimRight(string(out), "\r\n"), err
+}
+
+func vwCredsPath(user string) string { return vwUserPathPrefix + user }
+
+func bwAppDataDir(uid string) string { return "/run/user/" + uid + "/homelab-bw" }
+
+// readVaultField returns one field from a KV-v2 path, "" if absent/error.
+func readVaultField(run cmdRunner, field, path string) string {
+	out, err := run("vault", []string{"kv", "get", "-field=" + field, path}, nil)
+	if err != nil {
+		return ""
+	}
+	return out
+}
+
+// loadCreds reads the four vaultwarden_* keys from the user's isolated path.
+// A missing master password means the user hasn't onboarded.
+func loadCreds(run cmdRunner, user string) (vwCreds, error) {
+	p := vwCredsPath(user)
+	c := vwCreds{
+		Email:          readVaultField(run, "vaultwarden_email", p),
+		MasterPassword: readVaultField(run, "vaultwarden_master_password", p),
+		ClientID:       readVaultField(run, "vaultwarden_client_id", p),
+		ClientSecret:   readVaultField(run, "vaultwarden_client_secret", p),
+	}
+	if c.MasterPassword == "" {
+		return vwCreds{}, fmt.Errorf("vault not configured for this user — run `homelab vault setup`")
+	}
+	return c, nil
+}
+
+// vaultCurrentUser/vaultCurrentUID are seams for tests (avoid conflict with repo.go's currentUser func).
+var vaultCurrentUser = func() string { return os.Getenv("USER") }
+var vaultCurrentUID = func() string { return fmt.Sprintf("%d", os.Getuid()) }
+
+// bwBaseEnv is the minimal non-secret environment bw/node need. We deliberately
+// do NOT inherit the full parent env (keeps stray secrets out of the child).
+func bwBaseEnv(appdata string) []string {
+	path := os.Getenv("PATH")
+	if path == "" {
+		path = "/usr/local/bin:/usr/bin:/bin"
+	}
+	return []string{
+		"PATH=" + path,
+		"HOME=" + os.Getenv("HOME"),
+		"BITWARDENCLI_APPDATA_DIR=" + appdata,
+		"BW_NOINTERACTION=true",
+	}
+}
+
+// bwSecretEnv adds the secret-bearing vars. session may be "" (pre-unlock).
+func bwSecretEnv(appdata string, c vwCreds, session string) []string {
+	env := bwBaseEnv(appdata)
+	env = append(env,
+		"BW_CLIENTID="+c.ClientID,
+		"BW_CLIENTSECRET="+c.ClientSecret,
+		"BW_PASSWORD="+c.MasterPassword,
+	)
+	if session != "" {
+		env = append(env, "BW_SESSION="+session)
+	}
+	return env
+}
+
+func bwLoginArgs() []string  { return []string{"login", "--apikey"} }
+func bwUnlockArgs() []string { return []string{"unlock", "--passwordenv", "BW_PASSWORD", "--raw"} }
+func bwGetArgs(field, name string) []string { return []string{"get", field, name} }
+func bwStatusArgs() []string { return []string{"status"} }
+
+// bwNeedsLogin parses `bw status` JSON and reports whether a `bw login` is
+// required. Unparseable/empty output → true (safer to attempt login).
+func bwNeedsLogin(statusJSON string) bool {
+	var s struct {
+		Status string `json:"status"`
+	}
+	if err := json.Unmarshal([]byte(statusJSON), &s); err != nil {
+		return true
+	}
+	return s.Status == "unauthenticated" || s.Status == ""
+}
+
+func bwListArgs(search string) []string {
+	a := []string{"list", "items"}
+	if search != "" {
+		a = append(a, "--search", search)
+	}
+	return a
+}
+
+// bwUnlock runs `bw unlock` and returns the raw session key.
+func bwUnlock(run cmdRunner, env []string) (string, error) {
+	out, err := run("bw", bwUnlockArgs(), env)
+	if err != nil {
+		return "", fmt.Errorf("bw unlock failed (wrong master password? run `homelab vault setup`): %w", err)
+	}
+	return out, nil
+}
+
+// bwGet fetches one field of one item; session must be present in env.
+func bwGet(run cmdRunner, env []string, field, name string) (string, error) {
+	return run("bw", bwGetArgs(field, name), env)
+}
+
+func returnMode(isTTY bool) string {
+	if isTTY {
+		return "clipboard"
+	}
+	return "stdout"
+}
+
+// stdoutIsTTY reports whether stdout is a character device (a terminal).
+func stdoutIsTTY() bool {
+	fi, err := os.Stdout.Stat()
+	if err != nil {
+		return false
+	}
+	return fi.Mode()&os.ModeCharDevice != 0
+}
+
+// stderrIsTTY reports whether stderr is a terminal (the OSC52 escape is written
+// to stderr, so the clipboard path is only viable when stderr is a terminal).
+func stderrIsTTY() bool {
+	fi, err := os.Stderr.Stat()
+	if err != nil {
+		return false
+	}
+	return fi.Mode()&os.ModeCharDevice != 0
+}
+
+// osc52 returns the OSC 52 escape that makes the local terminal copy payload to
+// the system clipboard (works over SSH; no X11). osc52clear copies empty.
+func osc52(payload string) string {
+	return "\x1b]52;c;" + base64.StdEncoding.EncodeToString([]byte(payload)) + "\a"
+}
+func osc52clear() string { return "\x1b]52;c;\a" }
+
+// terminalAllowed gates OSC 52: only terminals known to honor clipboard writes,
+// else we'd dump the secret's base64 into scrollback on unsupported terminals.
+func terminalAllowed(term, termProgram string) bool {
+	t := strings.ToLower(term)
+	p := strings.ToLower(termProgram)
+	for _, ok := range []string{"kitty", "alacritty", "foot", "wezterm", "ghostty", "tmux", "screen"} {
+		if strings.Contains(t, ok) || strings.Contains(p, ok) {
+			return true
+		}
+	}
+	// xterm proper supports it only when the program is a known-good emulator.
+	return false
+}
+
+// opRecord is one CLI operation. ItemName is accepted for the caller's
+// convenience but is INTENTIONALLY never rendered into the log line — auditing
+// which of your own logins you opened is itself sensitive, and per-item reads
+// are invisible server-side anyway (spec §9a).
+type opRecord struct {
+	User       string
+	Verb       string
+	PID        int
+	PPID       int
+	ParentComm string
+	ItemName   string // never logged
+}
+
+func opLogLine(r opRecord) string {
+	return fmt.Sprintf("user=%s verb=%s pid=%d ppid=%d parent=%s",
+		r.User, r.Verb, r.PID, r.PPID, r.ParentComm)
+}
+
+// parentComm reads /proc/<ppid>/comm (best-effort; "" on failure).
+func parentComm(ppid int) string {
+	b, err := os.ReadFile(fmt.Sprintf("/proc/%d/comm", ppid))
+	if err != nil {
+		return ""
+	}
+	return strings.TrimSpace(string(b))
+}
+
+// writeOpLog appends one privacy-aware line to the user's op-log (best-effort;
+// never blocks or fails the command). Goes to syslog so it ships to Loki.
+func writeOpLog(r opRecord) {
+	exec.Command("logger", "-t", "homelab-vault", opLogLine(r)).Run() // best-effort
+}
+
+func vaultLockPath(uid string) string { return "/run/user/" + uid + "/homelab-vault.lock" }
+
+// hardenProcess disables core dumps so a bw/homelab crash can't spill the master
+// password to a core file. Best-effort.
+func hardenProcess() {
+	_ = syscall.Setrlimit(syscall.RLIMIT_CORE, &syscall.Rlimit{Cur: 0, Max: 0})
+}
+
+// withUserLock serializes bw mutations for this user (concurrent Claude sessions
+// as the same user otherwise race bw's appdata). Returns an unlock func.
+func withUserLock(uid string) (func(), error) {
+	f, err := os.OpenFile(vaultLockPath(uid), os.O_CREATE|os.O_RDWR, 0600)
+	if err != nil {
+		return nil, err
+	}
+	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX); err != nil {
+		f.Close()
+		return nil, err
+	}
+	return func() { syscall.Flock(int(f.Fd()), syscall.LOCK_UN); f.Close() }, nil
+}
+
+// session is one usable bw context: the env (with BW_SESSION) ready for `bw get`.
+type session struct {
+	env []string
+}
+
+// openSession resolves creds, ensures login, unlocks, and returns a ready env.
+// Caller must hold the user lock. appdata is created on tmpfs (0700).
+func openSession(run cmdRunner, user, uid string) (session, error) {
+	creds, err := loadCreds(run, user)
+	if err != nil {
+		return session{}, err
+	}
+	appdata := bwAppDataDir(uid)
+	if err := os.MkdirAll(appdata, 0700); err != nil {
+		return session{}, fmt.Errorf("create bw appdata %s: %w", appdata, err)
+	}
+	loginEnv := bwSecretEnv(appdata, creds, "")
+	// Ensure server is set and we're logged in (idempotent; ignore "already").
+	_, _ = run("bw", []string{"config", "server", "https://vaultwarden.viktorbarzin.me"}, loginEnv)
+	st, _ := run("bw", bwStatusArgs(), loginEnv)
+	if bwNeedsLogin(st) {
+		if _, err := run("bw", bwLoginArgs(), loginEnv); err != nil {
+			return session{}, fmt.Errorf("bw login --apikey failed (API key valid? run `homelab vault setup`): %w", err)
+		}
+	}
+	sess, err := bwUnlock(run, loginEnv)
+	if err != nil {
+		return session{}, err
+	}
+	return session{env: bwSecretEnv(appdata, creds, sess)}, nil
+}
+
+type getOpts struct {
+	name  string
+	field string
+	json  bool
+}
+
+var validGetFields = map[string]bool{"password": true, "username": true, "uri": true, "notes": true, "totp": true}
+
+func parseGetArgs(args []string) (getOpts, error) {
+	o := getOpts{field: "password"}
+	for i := 0; i < len(args); i++ {
+		a := args[i]
+		switch {
+		case a == "--json":
+			o.json = true
+		case a == "--field" && i+1 < len(args):
+			o.field = args[i+1]
+			i++
+		case strings.HasPrefix(a, "--field="):
+			o.field = strings.TrimPrefix(a, "--field=")
+		case !strings.HasPrefix(a, "-") && o.name == "":
+			o.name = a
+		}
+	}
+	if o.name == "" {
+		return o, fmt.Errorf("usage: homelab vault get <name> [--field password|username|uri|notes|totp] [--json]")
+	}
+	if !validGetFields[o.field] {
+		return o, fmt.Errorf("invalid --field %q (want password|username|uri|notes|totp)", o.field)
+	}
+	return o, nil
+}
+
+// getValue opens a session and fetches one field. Pure of I/O side effects
+// besides the runner, so it is unit-tested with a fake runner.
+func getValue(run cmdRunner, user, uid string, o getOpts) (string, error) {
+	s, err := openSession(run, user, uid)
+	if err != nil {
+		return "", err
+	}
+	return bwGet(run, s.env, o.field, o.name)
+}
+
+// clipboardDecision picks how to return a secret value. "stdout" prints it (a
+// pipe/agent — the intended machine path); "clipboard" copies via OSC52;
+// "refuse" emits nothing sensitive (would otherwise risk dumping the secret's
+// base64 into scrollback, or silently fail because the OSC52 escape goes to a
+// non-terminal stderr).
+func clipboardDecision(stdoutTTY, stderrTTY bool, term, termProgram string) string {
+	if !stdoutTTY {
+		return "stdout"
+	}
+	if terminalAllowed(term, termProgram) && stderrTTY {
+		return "clipboard"
+	}
+	return "refuse"
+}
+
+// jsonToStdoutOK reports whether `--json` may print the secret to stdout — only
+// when stdout is NOT a terminal (i.e. piped to a machine consumer).
+func jsonToStdoutOK(stdoutTTY bool) bool { return !stdoutTTY }
+
+// emitSecret returns a value TTY-aware (see clipboardDecision). Never prints the
+// secret to a terminal's stdout/scrollback.
+func emitSecret(value string) {
+	switch clipboardDecision(stdoutIsTTY(), stderrIsTTY(), os.Getenv("TERM"), os.Getenv("TERM_PROGRAM")) {
+	case "stdout":
+		fmt.Println(value)
+	case "clipboard":
+		fmt.Fprint(os.Stderr, osc52(value))
+		fmt.Fprintln(os.Stderr, "copied to clipboard; clearing in 30s")
+		clearClipboardAfter(30)
+	default: // refuse
+		fmt.Fprintln(os.Stderr, "refusing to print secret: this terminal can't do OSC52 clipboard safely; pipe the command (e.g. | cat) or use a supported terminal")
+	}
+}
+
+// clearClipboardAfter spawns a detached background clear so the secret doesn't
+// linger in the clipboard. Best-effort.
+func clearClipboardAfter(seconds int) {
+	exec.Command("sh", "-c", fmt.Sprintf("sleep %d; printf '%s'", seconds, osc52clear())).Start()
+}
+
+// listNames extracts "name (id)" from `bw list items` JSON; never values.
+func listNames(jsonOut string) []string {
+	var items []struct {
+		ID   string `json:"id"`
+		Name string `json:"name"`
+	}
+	if err := json.Unmarshal([]byte(jsonOut), &items); err != nil {
+		return nil
+	}
+	out := make([]string, 0, len(items))
+	for _, it := range items {
+		out = append(out, fmt.Sprintf("%s (%s)", it.Name, it.ID))
+	}
+	return out
+}
+
+func runList(run cmdRunner, user, uid, search string) ([]string, error) {
+	s, err := openSession(run, user, uid)
+	if err != nil {
+		return nil, err
+	}
+	out, err := run("bw", bwListArgs(search), s.env)
+	if err != nil {
+		return nil, err
+	}
+	return listNames(out), nil
+}
+
+func vaultList(args []string) error {
+	hardenProcess()
+	search := ""
+	for i := 0; i < len(args); i++ {
+		if args[i] == "--search" && i+1 < len(args) {
+			search = args[i+1]
+			i++
+		} else if strings.HasPrefix(args[i], "--search=") {
+			search = strings.TrimPrefix(args[i], "--search=")
+		}
+	}
+	uid := vaultCurrentUID()
+	unlock, err := withUserLock(uid)
+	if err != nil {
+		return err
+	}
+	defer unlock()
+	names, err := runList(realRunner, vaultCurrentUser(), uid, search)
+	if err != nil {
+		return err
+	}
+	for _, n := range names {
+		fmt.Println(n)
+	}
+	return nil
+}
+
+func vaultSearch(args []string) error {
+	if len(args) == 0 {
+		return fmt.Errorf("usage: homelab vault search <query>")
+	}
+	return vaultList([]string{"--search", strings.Join(args, " ")})
+}
+
+func vaultCode(args []string) error {
+	hardenProcess()
+	if len(args) == 0 {
+		return fmt.Errorf("usage: homelab vault code <name>")
+	}
+	name := args[0]
+	uid := vaultCurrentUID()
+	unlock, err := withUserLock(uid)
+	if err != nil {
+		return err
+	}
+	defer unlock()
+	user := vaultCurrentUser()
+	val, err := getValue(realRunner, user, uid, getOpts{name: name, field: "totp"})
+	if err != nil {
+		return err
+	}
+	// TOTP is the most sensitive op: log AND emit an ntfy-bound marker (spec §9a-d).
+	writeOpLog(opRecord{User: user, Verb: "code", PID: os.Getpid(), PPID: os.Getppid(), ParentComm: parentComm(os.Getppid()), ItemName: name})
+	exec.Command("logger", "-t", "homelab-vault-totp", "user="+user+" totp-fetch parent="+parentComm(os.Getppid())).Run()
+	emitSecret(val)
+	return nil
+}
+
+// statusSummary reports config/reachability without revealing secrets.
+func statusSummary(run cmdRunner, user, uid string) string {
+	if _, err := loadCreds(run, user); err != nil {
+		return "vault: not configured — run `homelab vault setup`"
+	}
+	s, err := openSession(run, user, uid)
+	if err != nil {
+		return "vault: configured, but unlock/login FAILED (creds stale? run `homelab vault setup`): " + err.Error()
+	}
+	if _, err := run("bw", []string{"sync"}, s.env); err != nil {
+		return "vault: configured + unlocked, but sync/reachability failed: " + err.Error()
+	}
+	return "vault: configured, unlocked, reachable ✓"
+}
+
+func vaultStatus(args []string) error {
+	hardenProcess()
+	uid := vaultCurrentUID()
+	unlock, err := withUserLock(uid)
+	if err != nil {
+		return err
+	}
+	defer unlock()
+	fmt.Println(statusSummary(realRunner, vaultCurrentUser(), uid))
+	return nil
+}
+
+func vaultLock(args []string) error {
+	uid := vaultCurrentUID()
+	unlock, err := withUserLock(uid) // logout mutates bw state — serialize with get/list
+	if err != nil {
+		return err
+	}
+	defer unlock()
+	appdata := bwAppDataDir(uid)
+	_, _ = realRunner("bw", []string{"lock"}, bwBaseEnv(appdata))
+	_, logoutErr := realRunner("bw", []string{"logout"}, bwBaseEnv(appdata))
+	if logoutErr == nil {
+		fmt.Println("locked")
+	}
+	return nil // lock/logout best-effort; never error the caller
+}
+
+// vaultPatchPublicArgs writes the non-secret identifiers via argv. Neither the
+// email nor the API client_id is a usable credential on its own.
+func vaultPatchPublicArgs(user, email, clientID string) []string {
+	return []string{"kv", "patch", vwCredsPath(user),
+		"vaultwarden_email=" + email,
+		"vaultwarden_client_id=" + clientID,
+	}
+}
+
+// vaultPatchSecretArgs writes ONE secret value via the `key=-` stdin form, so
+// the value never appears in argv (ps / /proc/<pid>/cmdline). The value is fed
+// on stdin by realRunnerStdin.
+func vaultPatchSecretArgs(user, key string) []string {
+	return []string{"kv", "patch", vwCredsPath(user), key + "=-"}
+}
+
+// writeCreds stores all four fields in the user's Vault path. The two real
+// secrets (master password, API client_secret) go via stdin — never argv.
+func writeCreds(user string, c vwCreds) error {
+	if _, err := realRunner("vault", vaultPatchPublicArgs(user, c.Email, c.ClientID), nil); err != nil {
+		return err
+	}
+	if _, err := realRunnerStdin("vault", vaultPatchSecretArgs(user, "vaultwarden_master_password"), nil, c.MasterPassword); err != nil {
+		return err
+	}
+	if _, err := realRunnerStdin("vault", vaultPatchSecretArgs(user, "vaultwarden_client_secret"), nil, c.ClientSecret); err != nil {
+		return err
+	}
+	return nil
+}
+
+// promptNoEcho reads one line without terminal echo (for the master password).
+func promptNoEcho(prompt string) (string, error) {
+	fmt.Fprint(os.Stderr, prompt)
+	exec.Command("stty", "-echo").Run()
+	defer func() { exec.Command("stty", "echo").Run(); fmt.Fprintln(os.Stderr) }()
+	r := bufio.NewReader(os.Stdin)
+	line, err := r.ReadString('\n')
+	// Trim only the line terminator — a master password / API secret may
+	// legitimately contain leading/trailing spaces.
+	return strings.TrimRight(line, "\r\n"), err
+}
+
+func promptLine(prompt string) (string, error) {
+	fmt.Fprint(os.Stderr, prompt)
+	line, err := bufio.NewReader(os.Stdin).ReadString('\n')
+	return strings.TrimSpace(line), err
+}
+
+func vaultSetup(args []string) error {
+	hardenProcess()
+	fmt.Fprintln(os.Stderr, "One-time setup. Stored ONLY in your own Vault path; the admin never sees it.")
+	fmt.Fprintln(os.Stderr, "Get your API key at https://vaultwarden.viktorbarzin.me → Settings → Security → Keys → View API key.")
+	email, err := promptLine("Vaultwarden email: ")
+	if err != nil {
+		return err
+	}
+	clientID, err := promptLine("API key client_id (user.xxxx): ")
+	if err != nil {
+		return err
+	}
+	clientSecret, err := promptNoEcho("API key client_secret: ")
+	if err != nil {
+		return err
+	}
+	master, err := promptNoEcho("Master password: ")
+	if err != nil {
+		return err
+	}
+	if master == "" || clientID == "" || clientSecret == "" {
+		return fmt.Errorf("all fields are required")
+	}
+	c := vwCreds{Email: email, MasterPassword: master, ClientID: clientID, ClientSecret: clientSecret}
+	if err := writeCreds(vaultCurrentUser(), c); err != nil {
+		return fmt.Errorf("writing creds to your Vault path failed (scoped token present?): %w", err)
+	}
+	fmt.Fprintln(os.Stderr, "Stored. Verifying unlock…")
+	uid := vaultCurrentUID()
+	unlock, err := withUserLock(uid)
+	if err != nil {
+		return err
+	}
+	defer unlock()
+	if _, err := openSession(realRunner, vaultCurrentUser(), uid); err != nil {
+		return fmt.Errorf("stored, but verification failed — double-check master password / API key: %w", err)
+	}
+	fmt.Fprintln(os.Stderr, "✓ Verified. Fetches are now AFK.")
+	return nil
+}
+
+func vaultGet(args []string) error {
+	hardenProcess()
+	o, err := parseGetArgs(args)
+	if err != nil {
+		return err
+	}
+	uid := vaultCurrentUID()
+	unlock, err := withUserLock(uid)
+	if err != nil {
+		return err
+	}
+	defer unlock()
+	user := vaultCurrentUser()
+	val, err := getValue(realRunner, user, uid, o)
+	if err != nil {
+		return err
+	}
+	writeOpLog(opRecord{User: user, Verb: "get", PID: os.Getpid(), PPID: os.Getppid(), ParentComm: parentComm(os.Getppid()), ItemName: o.name})
+	if o.json {
+		if !jsonToStdoutOK(stdoutIsTTY()) {
+			return fmt.Errorf("refusing to print a secret as JSON to a terminal; pipe it (e.g. | cat) or drop --json")
+		}
+		fmt.Printf("{%q:%q}\n", o.field, val)
+		return nil
+	}
+	emitSecret(val)
+	return nil
+}
+
diff --git a/cli/cmd_vault_test.go b/cli/cmd_vault_test.go
new file mode 100644
index 00000000..36aab1f4
--- /dev/null
+++ b/cli/cmd_vault_test.go
@@ -0,0 +1,368 @@
+package main
+
+import (
+	"encoding/base64"
+	"fmt"
+	"os"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func TestVaultCommandsRegistered(t *testing.T) {
+	want := map[string]Tier{
+		"vault setup":  TierWrite,
+		"vault status": TierRead,
+		"vault list":   TierRead,
+		"vault get":    TierRead,
+		"vault search": TierRead,
+		"vault code":   TierRead,
+		"vault lock":   TierWrite,
+	}
+	got := map[string]Tier{}
+	for _, c := range vaultCommands() {
+		got[c.name()] = c.Tier
+	}
+	for name, tier := range want {
+		if got[name] != tier {
+			t.Errorf("command %q: tier=%q, want %q (registered=%v)", name, got[name], tier, got[name] != "")
+		}
+	}
+}
+
+func TestVaultGroupInRegistry(t *testing.T) {
+	if !isCommandGroup(buildRegistry(), "vault") {
+		t.Fatal("`vault` group not wired into buildRegistry()")
+	}
+}
+
+func TestVaultCredsPath(t *testing.T) {
+	if got := vwCredsPath("emo"); got != "secret/workstation/claude-users/emo" {
+		t.Fatalf("vwCredsPath = %q", got)
+	}
+}
+
+func TestBwAppDataDir(t *testing.T) {
+	if got := bwAppDataDir("1001"); got != "/run/user/1001/homelab-bw" {
+		t.Fatalf("bwAppDataDir = %q", got)
+	}
+}
+
+// fakeRunner records calls and returns canned stdout/err keyed by argv[0]+first arg.
+type fakeRunner struct {
+	calls   [][]string
+	out     map[string]string // key: name+" "+strings.Join(argv," ") prefix-matched
+	err     map[string]error
+	lastEnv []string
+}
+
+func (f *fakeRunner) run(name string, argv, envv []string) (string, error) {
+	f.calls = append(f.calls, append([]string{name}, argv...))
+	f.lastEnv = envv
+	key := name + " " + strings.Join(argv, " ")
+	for k, v := range f.out {
+		if strings.HasPrefix(key, k) {
+			return v, f.err[k]
+		}
+	}
+	return "", f.err[key]
+}
+
+func TestLoadCredsReadsFourFields(t *testing.T) {
+	f := &fakeRunner{out: map[string]string{
+		"vault kv get -field=vaultwarden_email secret/workstation/claude-users/emo":          "emo@x.me",
+		"vault kv get -field=vaultwarden_master_password secret/workstation/claude-users/emo": "hunter2",
+		"vault kv get -field=vaultwarden_client_id secret/workstation/claude-users/emo":       "user.abc",
+		"vault kv get -field=vaultwarden_client_secret secret/workstation/claude-users/emo":   "sek",
+	}}
+	c, err := loadCreds(f.run, "emo")
+	if err != nil {
+		t.Fatalf("loadCreds: %v", err)
+	}
+	want := vwCreds{Email: "emo@x.me", MasterPassword: "hunter2", ClientID: "user.abc", ClientSecret: "sek"}
+	if !reflect.DeepEqual(c, want) {
+		t.Fatalf("loadCreds = %+v want %+v", c, want)
+	}
+}
+
+func TestLoadCredsUnconfigured(t *testing.T) {
+	f := &fakeRunner{out: map[string]string{}} // every field empty
+	if _, err := loadCreds(f.run, "emo"); err == nil || !strings.Contains(err.Error(), "not configured") {
+		t.Fatalf("want 'not configured' error, got %v", err)
+	}
+}
+
+func TestBwEnvCarriesSecretsNotArgv(t *testing.T) {
+	c := vwCreds{ClientID: "user.abc", ClientSecret: "sek", MasterPassword: "hunter2"}
+	env := bwSecretEnv("/run/user/1001/homelab-bw", c, "SESSIONKEY")
+	joined := strings.Join(env, "\n")
+	for _, want := range []string{
+		"BW_CLIENTID=user.abc", "BW_CLIENTSECRET=sek", "BW_PASSWORD=hunter2",
+		"BW_SESSION=SESSIONKEY", "BITWARDENCLI_APPDATA_DIR=/run/user/1001/homelab-bw",
+	} {
+		if !strings.Contains(joined, want) {
+			t.Errorf("bwSecretEnv missing %q", want)
+		}
+	}
+	if strings.Contains(joined, "PATH=") == false {
+		t.Error("bwSecretEnv must keep a PATH so node/bw resolve")
+	}
+}
+
+func TestBwGetArgsHasNoSessionInArgv(t *testing.T) {
+	argv := bwGetArgs("password", "github")
+	for _, a := range argv {
+		if strings.Contains(a, "SESSION") || a == "--session" {
+			t.Fatalf("session must travel via env, not argv: %v", argv)
+		}
+	}
+	if !reflect.DeepEqual(argv, []string{"get", "password", "github"}) {
+		t.Fatalf("bwGetArgs = %v", argv)
+	}
+}
+
+func TestBwListArgs(t *testing.T) {
+	if got := bwListArgs(""); !reflect.DeepEqual(got, []string{"list", "items"}) {
+		t.Fatalf("bwListArgs('') = %v", got)
+	}
+	if got := bwListArgs("git"); !reflect.DeepEqual(got, []string{"list", "items", "--search", "git"}) {
+		t.Fatalf("bwListArgs('git') = %v", got)
+	}
+}
+
+func TestBwUnlockReturnsSession(t *testing.T) {
+	f := &fakeRunner{out: map[string]string{"bw unlock": "THE-SESSION-KEY"}}
+	env := bwSecretEnv("/run/user/1001/homelab-bw", vwCreds{MasterPassword: "pw"}, "")
+	sess, err := bwUnlock(f.run, env)
+	if err != nil || sess != "THE-SESSION-KEY" {
+		t.Fatalf("bwUnlock = %q, %v", sess, err)
+	}
+	// argv must use --passwordenv + --raw, never the password literal
+	last := f.calls[len(f.calls)-1]
+	if strings.Join(last, " ") != "bw unlock --passwordenv BW_PASSWORD --raw" {
+		t.Fatalf("unlock argv = %v", last)
+	}
+}
+
+func TestReturnMode(t *testing.T) {
+	if returnMode(true) != "clipboard" || returnMode(false) != "stdout" {
+		t.Fatal("returnMode wrong")
+	}
+}
+
+func TestOSC52Encode(t *testing.T) {
+	got := osc52("secret")
+	want := "\x1b]52;c;" + base64.StdEncoding.EncodeToString([]byte("secret")) + "\a"
+	if got != want {
+		t.Fatalf("osc52 = %q want %q", got, want)
+	}
+	if osc52clear() != "\x1b]52;c;\a" {
+		t.Fatalf("osc52clear wrong: %q", osc52clear())
+	}
+}
+
+func TestTerminalAllowed(t *testing.T) {
+	allow := []struct{ term, prog string }{
+		{"xterm-kitty", ""}, {"alacritty", ""}, {"foot", ""}, {"tmux-256color", ""},
+		{"screen-256color", ""}, {"xterm-256color", "WezTerm"}, {"xterm-256color", "ghostty"},
+	}
+	for _, c := range allow {
+		if !terminalAllowed(c.term, c.prog) {
+			t.Errorf("terminalAllowed(%q,%q) = false, want true", c.term, c.prog)
+		}
+	}
+	deny := []struct{ term, prog string }{{"dumb", ""}, {"", ""}, {"vt100", ""}}
+	for _, c := range deny {
+		if terminalAllowed(c.term, c.prog) {
+			t.Errorf("terminalAllowed(%q,%q) = true, want false", c.term, c.prog)
+		}
+	}
+}
+
+func TestOpLogLineHasNoSecretOrItem(t *testing.T) {
+	line := opLogLine(opRecord{User: "emo", Verb: "get", PID: 10, PPID: 9, ParentComm: "claude", ItemName: "Chase Bank"})
+	for _, must := range []string{"user=emo", "verb=get", "ppid=9", "parent=claude"} {
+		if !strings.Contains(line, must) {
+			t.Errorf("op-log missing %q: %s", must, line)
+		}
+	}
+	for _, mustNot := range []string{"Chase", "password", "secret"} {
+		if strings.Contains(line, mustNot) {
+			t.Fatalf("op-log LEAKS %q (privacy violation): %s", mustNot, line)
+		}
+	}
+}
+
+func TestLockPath(t *testing.T) {
+	if got := vaultLockPath("1001"); got != "/run/user/1001/homelab-vault.lock" {
+		t.Fatalf("vaultLockPath = %q", got)
+	}
+}
+
+func TestParseGetArgs(t *testing.T) {
+	o, err := parseGetArgs([]string{"github", "--field", "username", "--json"})
+	if err != nil || o.name != "github" || o.field != "username" || !o.json {
+		t.Fatalf("parseGetArgs = %+v err=%v", o, err)
+	}
+	d, _ := parseGetArgs([]string{"github"})
+	if d.field != "password" || d.json {
+		t.Fatalf("defaults wrong: %+v", d)
+	}
+	if _, err := parseGetArgs([]string{}); err == nil {
+		t.Fatal("get with no name must error")
+	}
+	if _, err := parseGetArgs([]string{"x", "--field", "evil"}); err == nil {
+		t.Fatal("invalid --field must error")
+	}
+}
+
+func TestListNamesParsing(t *testing.T) {
+	// bw list items returns JSON; listNames extracts name + id only.
+	js := `[{"id":"1","name":"GitHub","login":{"username":"u"}},{"id":"2","name":"AWS"}]`
+	names := listNames(js)
+	if len(names) != 2 || names[0] != "GitHub (1)" || names[1] != "AWS (2)" {
+		t.Fatalf("listNames = %v", names)
+	}
+}
+
+func TestStatusSummaryUnconfigured(t *testing.T) {
+	f := &fakeRunner{out: map[string]string{}} // no creds
+	s := statusSummary(f.run, "emo", "1001")
+	if !strings.Contains(s, "not configured") {
+		t.Fatalf("status = %q", s)
+	}
+}
+
+func TestVaultPatchPublicArgs(t *testing.T) {
+	got := vaultPatchPublicArgs("emo", "e@x.me", "user.ci")
+	want := []string{"kv", "patch", "secret/workstation/claude-users/emo",
+		"vaultwarden_email=e@x.me", "vaultwarden_client_id=user.ci"}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("vaultPatchPublicArgs = %v", got)
+	}
+	for _, a := range got {
+		if strings.Contains(a, "master_password") || strings.Contains(a, "client_secret") {
+			t.Fatalf("secret key leaked into public argv: %v", got)
+		}
+	}
+}
+
+func TestVaultPatchSecretArgsNoValueInArgv(t *testing.T) {
+	for _, key := range []string{"vaultwarden_master_password", "vaultwarden_client_secret"} {
+		got := vaultPatchSecretArgs("emo", key)
+		want := []string{"kv", "patch", "secret/workstation/claude-users/emo", key + "=-"}
+		if !reflect.DeepEqual(got, want) {
+			t.Fatalf("vaultPatchSecretArgs(%q) = %v", key, got)
+		}
+		if got[len(got)-1] != key+"=-" {
+			t.Fatalf("secret value must be read from stdin (`%s=-`), got %v", key, got)
+		}
+	}
+}
+
+// TestNoSecretInArgvAcrossFlow is the load-bearing security test: across the
+// whole get flow (vault reads, bw config/status/login/unlock/get) NO secret
+// value may appear in any command's argv — secrets travel via env/stdin only.
+func TestNoSecretInArgvAcrossFlow(t *testing.T) {
+	uid := fmt.Sprintf("%d", os.Getuid())
+	f := &fakeRunner{out: map[string]string{
+		"vault kv get -field=vaultwarden_master_password secret/workstation/claude-users/emo": "SUPERSECRETPW",
+		"vault kv get -field=vaultwarden_client_id secret/workstation/claude-users/emo":        "user.x",
+		"vault kv get -field=vaultwarden_client_secret secret/workstation/claude-users/emo":    "CLIENTSEKRET",
+		"bw status":              `{"status":"locked"}`,
+		"bw unlock":              "SESSIONXYZ",
+		"bw get password github": "p@ss",
+	}}
+	if _, err := getValue(f.run, "emo", uid, getOpts{name: "github", field: "password"}); err != nil {
+		t.Fatalf("getValue: %v", err)
+	}
+	for _, call := range f.calls {
+		for _, arg := range call {
+			for _, s := range []string{"SUPERSECRETPW", "CLIENTSEKRET", "SESSIONXYZ"} {
+				if strings.Contains(arg, s) {
+					t.Errorf("secret %q leaked into argv: %v", s, call)
+				}
+			}
+		}
+	}
+	if !strings.Contains(strings.Join(f.lastEnv, "\n"), "BW_SESSION=SESSIONXYZ") {
+		t.Error("expected BW_SESSION in the bw get env (test would be vacuous otherwise)")
+	}
+}
+
+func TestClipboardDecision(t *testing.T) {
+	cases := []struct {
+		stdoutTTY, stderrTTY bool
+		term, prog, want     string
+	}{
+		{false, true, "xterm-kitty", "", "stdout"},
+		{true, true, "xterm-kitty", "", "clipboard"},
+		{true, true, "dumb", "", "refuse"},
+		{true, false, "xterm-kitty", "", "refuse"},
+	}
+	for _, c := range cases {
+		if got := clipboardDecision(c.stdoutTTY, c.stderrTTY, c.term, c.prog); got != c.want {
+			t.Errorf("clipboardDecision(%v,%v,%q) = %q, want %q", c.stdoutTTY, c.stderrTTY, c.term, got, c.want)
+		}
+	}
+}
+
+func TestJSONToStdoutOK(t *testing.T) {
+	if jsonToStdoutOK(true) {
+		t.Error("must refuse JSON secret on a terminal")
+	}
+	if !jsonToStdoutOK(false) {
+		t.Error("must allow JSON when piped")
+	}
+}
+
+func TestBwNeedsLogin(t *testing.T) {
+	if !bwNeedsLogin(`{"status":"unauthenticated"}`) {
+		t.Error("unauthenticated → needs login")
+	}
+	if bwNeedsLogin(`{"status":"locked"}`) {
+		t.Error("locked → no login (just unlock)")
+	}
+	if bwNeedsLogin(`{"status":"unlocked"}`) {
+		t.Error("unlocked → no login")
+	}
+	if !bwNeedsLogin(`not json`) {
+		t.Error("unparseable → attempt login")
+	}
+}
+
+func TestVaultHelpMentionsSecurity(t *testing.T) {
+	h := vaultHelp()
+	for _, want := range []string{"homelab vault get", "no-HITL", "your own", "setup"} {
+		if !strings.Contains(h, want) {
+			t.Errorf("vault help missing %q", want)
+		}
+	}
+}
+
+func TestVaultBareGroupRegistered(t *testing.T) {
+	for _, c := range vaultCommands() {
+		if len(c.Path) == 1 && c.Path[0] == "vault" {
+			return
+		}
+	}
+	t.Fatal("bare `vault` help command not registered")
+}
+
+// getValue is the testable core: given a runner + opts, returns the secret value.
+func TestGetValueFlow(t *testing.T) {
+	f := &fakeRunner{out: map[string]string{
+		"vault kv get -field=vaultwarden_master_password secret/workstation/claude-users/emo": "pw",
+		"vault kv get -field=vaultwarden_client_id secret/workstation/claude-users/emo":        "user.x",
+		"vault kv get -field=vaultwarden_client_secret secret/workstation/claude-users/emo":    "cs",
+		"bw status":              `{"status":"locked"}`,
+		"bw unlock":              "SESS",
+		"bw get password github": "p@ss",
+	}}
+	// Use real UID so os.MkdirAll(/run/user/<uid>/homelab-bw) succeeds.
+	uid := fmt.Sprintf("%d", os.Getuid())
+	val, err := getValue(f.run, "emo", uid, getOpts{name: "github", field: "password"})
+	if err != nil || val != "p@ss" {
+		t.Fatalf("getValue = %q, %v", val, err)
+	}
+}
diff --git a/cli/cmd_work.go b/cli/cmd_work.go
new file mode 100644
index 00000000..3bf44e13
--- /dev/null
+++ b/cli/cmd_work.go
@@ -0,0 +1,212 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+func workCommands() []Command {
+	return []Command{
+		{Path: []string{"work", "start"}, Tier: TierWrite,
+			Summary: "create a worktree + branch for a task (enter it with EnterWorktree)", Run: workStart},
+		{Path: []string{"work", "land"}, Tier: TierWrite,
+			Summary: "merge master in, verify, push HEAD:master (run from the worktree)", Run: workLand},
+		{Path: []string{"work", "clean"}, Tier: TierWrite,
+			Summary: "remove a task's worktree + branch (run from the main checkout)", Run: workClean},
+	}
+}
+
+// flagValue extracts `--name value` or `--name=value` from args.
+func flagValue(args []string, name string) string {
+	for i, a := range args {
+		if a == name && i+1 < len(args) {
+			return args[i+1]
+		}
+		if strings.HasPrefix(a, name+"=") {
+			return strings.TrimPrefix(a, name+"=")
+		}
+	}
+	return ""
+}
+
+func remotesOrEmpty(repoRoot string) []string {
+	r, _ := gitRemotes(repoRoot)
+	return r
+}
+
+// workStart creates .worktrees/<topic> on branch <user>/<topic> off <remote>/master.
+func workStart(args []string) error {
+	topic, _ := firstPositional(args)
+	if topic == "" {
+		return fmt.Errorf("usage: homelab work start <topic>")
+	}
+	cwd, _ := os.Getwd()
+	repoRoot, err := gitRepoRoot(cwd)
+	if err != nil {
+		return fmt.Errorf("not in a git repository: %w", err)
+	}
+	remote := preferRemote(remotesOrEmpty(repoRoot))
+	if remote == "" {
+		return fmt.Errorf("no git remote configured in %s", repoRoot)
+	}
+	flags := cryptFlagsFor(repoRoot)
+	branch := currentUser() + "/" + topic
+	wtRel := filepath.Join(".worktrees", topic)
+
+	ensureWorktreesIgnored(repoRoot)
+	if err := gitStream(repoRoot, flags, "fetch", remote); err != nil {
+		return fmt.Errorf("fetch %s failed: %w", remote, err)
+	}
+	if err := gitStream(repoRoot, flags, "worktree", "add", wtRel, "-b", branch, remote+"/master"); err != nil {
+		return fmt.Errorf("worktree add failed: %w", err)
+	}
+	wtPath := filepath.Join(repoRoot, wtRel)
+	fmt.Printf("homelab: created worktree %s (branch %s off %s/master)\n", wtPath, branch, remote)
+	fmt.Printf("homelab: enter it with the native tool: EnterWorktree(path=%q)\n", wtPath)
+	return nil
+}
+
+// workLand integrates the current branch into master: fetch, merge master in,
+// verify, push HEAD:master (retrying on non-fast-forward), with a feature-branch
+// fallback when the direct push is rejected (e.g. branch protection).
+func workLand(args []string) error {
+	verifyCmd := flagValue(args, "--verify-cmd")
+	cwd, _ := os.Getwd()
+	repoRoot, err := gitRepoRoot(cwd)
+	if err != nil {
+		return fmt.Errorf("not in a git repository: %w", err)
+	}
+	branch, err := gitOutput(repoRoot, "rev-parse", "--abbrev-ref", "HEAD")
+	if err != nil {
+		return err
+	}
+	if branch == "master" || branch == "main" {
+		return fmt.Errorf("refusing to land: already on %s", branch)
+	}
+	remote := preferRemote(remotesOrEmpty(repoRoot))
+	if remote == "" {
+		return fmt.Errorf("no git remote configured in %s", repoRoot)
+	}
+	flags := cryptFlagsFor(repoRoot)
+
+	if err := gitStream(repoRoot, flags, "fetch", remote); err != nil {
+		return fmt.Errorf("fetch failed: %w", err)
+	}
+	if err := gitStream(repoRoot, flags, "merge", "--no-edit", remote+"/master"); err != nil {
+		return fmt.Errorf("merging %s/master failed — resolve conflicts then re-run `homelab work land`: %w", remote, err)
+	}
+	if err := runVerify(repoRoot, verifyCmd, containsArg(args, "--no-verify")); err != nil {
+		return fmt.Errorf("not landing: %w", err)
+	}
+	if err := pushWithRetry(repoRoot, flags, remote, 3); err != nil {
+		return landFallback(repoRoot, flags, remote, branch, err)
+	}
+	fmt.Printf("homelab: landed %s -> %s/master.\n", branch, remote)
+	if containsArg(args, "--no-ci-watch") {
+		fmt.Println("homelab: --no-ci-watch set; not waiting for CI.")
+		return nil
+	}
+	landed, _ := gitOutput(repoRoot, "rev-parse", "HEAD")
+	fmt.Fprintln(os.Stderr, "homelab: watching CI for the landed commit...")
+	if err := ciWatch([]string{landed}); err != nil {
+		return fmt.Errorf("landed, but CI did not go green: %w", err)
+	}
+	return nil
+}
+
+// runVerify runs the explicit --verify-cmd, else auto-detects (go test). If
+// neither is available it REFUSES (returns an error) unless allowSkip is set —
+// landing to master unverified must be a deliberate choice (--no-verify).
+func runVerify(repoRoot, verifyCmd string, allowSkip bool) error {
+	if verifyCmd != "" {
+		fmt.Fprintf(os.Stderr, "homelab: verify: %s\n", verifyCmd)
+		return runStreamingIn(repoRoot, "sh", "-c", verifyCmd)
+	}
+	if isFile(filepath.Join(repoRoot, "go.mod")) {
+		fmt.Fprintln(os.Stderr, "homelab: verify: go test ./...")
+		return runStreamingIn(repoRoot, "go", "test", "./...")
+	}
+	if allowSkip {
+		fmt.Fprintln(os.Stderr, "homelab: WARNING: --no-verify set — landing without verification")
+		return nil
+	}
+	return fmt.Errorf("no verification configured for this repo — pass --verify-cmd \"...\" or --no-verify to land without verifying")
+}
+
+// pushWithRetry pushes HEAD:master, recovering from non-fast-forward rejections
+// by fetching + merging master and retrying.
+func pushWithRetry(repoRoot string, flags []string, remote string, attempts int) error {
+	var lastErr error
+	for i := 0; i < attempts; i++ {
+		if err := gitStream(repoRoot, flags, "push", remote, "HEAD:master"); err == nil {
+			return nil
+		} else {
+			lastErr = err
+		}
+		if i < attempts-1 {
+			fmt.Fprintln(os.Stderr, "homelab: push rejected — fetching + merging master, then retrying")
+			if err := gitStream(repoRoot, flags, "fetch", remote); err != nil {
+				return err
+			}
+			if err := gitStream(repoRoot, flags, "merge", "--no-edit", remote+"/master"); err != nil {
+				return err
+			}
+		}
+	}
+	return fmt.Errorf("push to %s/master failed after %d attempts: %w", remote, attempts, lastErr)
+}
+
+// landFallback pushes the feature branch when the direct master push is rejected
+// (e.g. branch protection), so the work isn't lost and a PR can be opened.
+func landFallback(repoRoot string, flags []string, remote, branch string, pushErr error) error {
+	fmt.Fprintf(os.Stderr, "homelab: direct push to master failed (%v)\n", pushErr)
+	fmt.Fprintf(os.Stderr, "homelab: falling back to pushing the feature branch %q for a PR\n", branch)
+	if err := gitStream(repoRoot, flags, "push", "-u", remote, branch); err != nil {
+		return fmt.Errorf("fallback branch push also failed: %w", err)
+	}
+	fmt.Printf("homelab: pushed %s to %s. Open a PR to land it (branch protection blocked the direct push).\n", branch, remote)
+	return nil
+}
+
+// workClean removes a task's worktree and branch. Run from the main checkout.
+func workClean(args []string) error {
+	topic, _ := firstPositional(args)
+	if topic == "" {
+		return fmt.Errorf("usage: homelab work clean <topic>  (run from the main checkout)")
+	}
+	cwd, _ := os.Getwd()
+	repoRoot, err := gitRepoRoot(cwd)
+	if err != nil {
+		return fmt.Errorf("not in a git repository: %w", err)
+	}
+	flags := cryptFlagsFor(repoRoot)
+	wtRel := filepath.Join(".worktrees", topic)
+	branch := currentUser() + "/" + topic
+
+	if err := gitStream(repoRoot, flags, "worktree", "remove", wtRel); err != nil {
+		return fmt.Errorf("worktree remove failed (uncommitted changes? run from the main checkout, not the worktree): %w", err)
+	}
+	if err := gitStream(repoRoot, flags, "branch", "-d", branch); err != nil {
+		fmt.Fprintf(os.Stderr, "homelab: note: could not delete branch %s (unmerged — use `git branch -D` if intended): %v\n", branch, err)
+	}
+	fmt.Printf("homelab: removed worktree %s and branch %s\n", wtRel, branch)
+	return nil
+}
+
+// ensureWorktreesIgnored appends .worktrees/ to .gitignore if not already ignored.
+func ensureWorktreesIgnored(repoRoot string) {
+	if _, err := gitOutput(repoRoot, "check-ignore", ".worktrees"); err == nil {
+		return
+	}
+	gi := filepath.Join(repoRoot, ".gitignore")
+	f, err := os.OpenFile(gi, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return
+	}
+	defer f.Close()
+	if _, err := f.WriteString("\n.worktrees/\n"); err == nil {
+		fmt.Fprintln(os.Stderr, "homelab: added .worktrees/ to .gitignore")
+	}
+}
diff --git a/cli/cmd_work_test.go b/cli/cmd_work_test.go
new file mode 100644
index 00000000..af573dd6
--- /dev/null
+++ b/cli/cmd_work_test.go
@@ -0,0 +1,32 @@
+package main
+
+import "testing"
+
+func TestRunVerifyRefusesWhenNothingToVerify(t *testing.T) {
+	dir := t.TempDir() // no go.mod, no verify cmd
+	if err := runVerify(dir, "", false); err == nil {
+		t.Fatal("runVerify must refuse (error) when nothing to verify and --no-verify absent")
+	}
+	if err := runVerify(dir, "", true); err != nil {
+		t.Fatalf("runVerify must skip when --no-verify set, got: %v", err)
+	}
+}
+
+func TestFlagValue(t *testing.T) {
+	cases := []struct {
+		args []string
+		name string
+		want string
+	}{
+		{[]string{"--verify-cmd", "go test ./..."}, "--verify-cmd", "go test ./..."},
+		{[]string{"--verify-cmd=make test"}, "--verify-cmd", "make test"},
+		{[]string{"topic", "--verify-cmd", "x"}, "--verify-cmd", "x"},
+		{[]string{"topic"}, "--verify-cmd", ""},
+		{[]string{"--verify-cmd"}, "--verify-cmd", ""}, // no value
+	}
+	for _, c := range cases {
+		if got := flagValue(c.args, c.name); got != c.want {
+			t.Errorf("flagValue(%v, %q) = %q, want %q", c.args, c.name, got, c.want)
+		}
+	}
+}
diff --git a/cli/command.go b/cli/command.go
new file mode 100644
index 00000000..55449788
--- /dev/null
+++ b/cli/command.go
@@ -0,0 +1,104 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"sort"
+	"strings"
+)
+
+// Tier classifies whether a command observes (read) or mutates (write) state.
+// v0.1 allows everything; the tier is recorded so a classifier hook can gate
+// writes later without restructuring (see docs/adr/0005).
+type Tier string
+
+const (
+	TierRead  Tier = "read"
+	TierWrite Tier = "write"
+)
+
+// Command is one homelab verb. Path is the token sequence that selects it,
+// e.g. ["claim"] or ["tf", "plan"]. Run receives the args after the path.
+type Command struct {
+	Path    []string
+	Tier    Tier
+	Summary string
+	Run     func(args []string) error
+}
+
+// dispatch routes args to the command whose Path is the longest matching prefix
+// of args, passing the remaining args to its Run.
+func dispatch(reg []Command, args []string) error {
+	best := -1
+	bestLen := 0
+	for i, c := range reg {
+		if len(c.Path) > len(args) {
+			continue
+		}
+		match := true
+		for j, p := range c.Path {
+			if args[j] != p {
+				match = false
+				break
+			}
+		}
+		if match && len(c.Path) >= bestLen {
+			best = i
+			bestLen = len(c.Path)
+		}
+	}
+	if best < 0 {
+		return fmt.Errorf("unknown command: %q", strings.Join(args, " "))
+	}
+	matched := reg[best]
+	runErr := matched.Run(args[bestLen:])
+	emitUsage(matched.name(), runErr) // best-effort usage telemetry; never affects the command
+	return runErr
+}
+
+// name is the space-joined verb path, e.g. "tf plan".
+func (c Command) name() string { return strings.Join(c.Path, " ") }
+
+// sortedByName returns a copy of reg ordered by verb path for stable output.
+func sortedByName(reg []Command) []Command {
+	out := make([]Command, len(reg))
+	copy(out, reg)
+	sort.Slice(out, func(i, j int) bool { return out[i].name() < out[j].name() })
+	return out
+}
+
+// manifestText renders one aligned line per command: "<path>  <tier>  <summary>".
+// This is the cheap progressive-discovery entrypoint (see docs/adr/0004).
+func manifestText(reg []Command) string {
+	cmds := sortedByName(reg)
+	width := 0
+	for _, c := range cmds {
+		if n := len(c.name()); n > width {
+			width = n
+		}
+	}
+	var b strings.Builder
+	for _, c := range cmds {
+		fmt.Fprintf(&b, "%-*s  %-5s  %s\n", width, c.name(), c.Tier, c.Summary)
+	}
+	return b.String()
+}
+
+// manifestJSON renders the registry as a JSON array of {command, tier, summary}
+// so agents can parse the full surface in one call.
+func manifestJSON(reg []Command) (string, error) {
+	type entry struct {
+		Command string `json:"command"`
+		Tier    string `json:"tier"`
+		Summary string `json:"summary"`
+	}
+	entries := make([]entry, 0, len(reg))
+	for _, c := range sortedByName(reg) {
+		entries = append(entries, entry{Command: c.name(), Tier: string(c.Tier), Summary: c.Summary})
+	}
+	b, err := json.MarshalIndent(entries, "", "  ")
+	if err != nil {
+		return "", err
+	}
+	return string(b), nil
+}
diff --git a/cli/command_test.go b/cli/command_test.go
new file mode 100644
index 00000000..e686622d
--- /dev/null
+++ b/cli/command_test.go
@@ -0,0 +1,73 @@
+package main
+
+import (
+	"encoding/json"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+// Tracer bullet: the dispatcher must route `homelab <path...> <args...>` to the
+// command whose Path is the longest matching prefix of the input tokens, and
+// hand the command the remaining args.
+func TestDispatchRoutesToLongestPrefixMatch(t *testing.T) {
+	var gotArgs []string
+	ran := ""
+	reg := []Command{
+		{Path: []string{"claim"}, Tier: TierWrite, Summary: "claim a resource",
+			Run: func(a []string) error { ran = "claim"; gotArgs = a; return nil }},
+		{Path: []string{"tf", "plan"}, Tier: TierRead, Summary: "plan a stack",
+			Run: func(a []string) error { ran = "tf plan"; gotArgs = a; return nil }},
+	}
+
+	if err := dispatch(reg, []string{"tf", "plan", "vault", "--json"}); err != nil {
+		t.Fatalf("dispatch returned error: %v", err)
+	}
+	if ran != "tf plan" {
+		t.Fatalf("routed to %q, want %q", ran, "tf plan")
+	}
+	if want := []string{"vault", "--json"}; !reflect.DeepEqual(gotArgs, want) {
+		t.Fatalf("command got args %v, want %v", gotArgs, want)
+	}
+}
+
+func TestDispatchUnknownCommandErrors(t *testing.T) {
+	reg := []Command{{Path: []string{"claim"}, Run: func(a []string) error { return nil }}}
+	if err := dispatch(reg, []string{"bogus"}); err == nil {
+		t.Fatal("expected error for unknown command, got nil")
+	}
+}
+
+// The manifest is the progressive-discovery entrypoint: one line per command
+// showing the full verb path, its tier, and summary, sorted for stable output.
+func TestManifestTextListsEveryCommandWithTier(t *testing.T) {
+	reg := []Command{
+		{Path: []string{"tf", "plan"}, Tier: TierRead, Summary: "plan a stack"},
+		{Path: []string{"claim"}, Tier: TierWrite, Summary: "claim a resource"},
+	}
+	out := manifestText(reg)
+	for _, want := range []string{"claim", "tf plan", "read", "write", "plan a stack", "claim a resource"} {
+		if !strings.Contains(out, want) {
+			t.Errorf("manifest text missing %q\n---\n%s", want, out)
+		}
+	}
+	// sorted: claim (c) must appear before tf plan (t)
+	if strings.Index(out, "claim") > strings.Index(out, "tf plan") {
+		t.Errorf("manifest not sorted by path:\n%s", out)
+	}
+}
+
+func TestManifestJSONIsParsableAndTagged(t *testing.T) {
+	reg := []Command{{Path: []string{"tf", "apply"}, Tier: TierWrite, Summary: "apply a stack"}}
+	out, err := manifestJSON(reg)
+	if err != nil {
+		t.Fatalf("manifestJSON error: %v", err)
+	}
+	var got []map[string]string
+	if err := json.Unmarshal([]byte(out), &got); err != nil {
+		t.Fatalf("manifest JSON not parsable: %v\n%s", err, out)
+	}
+	if len(got) != 1 || got[0]["command"] != "tf apply" || got[0]["tier"] != "write" {
+		t.Fatalf("unexpected manifest JSON: %v", got)
+	}
+}
diff --git a/cli/homelab.go b/cli/homelab.go
new file mode 100644
index 00000000..62c0c8aa
--- /dev/null
+++ b/cli/homelab.go
@@ -0,0 +1,98 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+)
+
+// version is stamped at build time via -ldflags "-X main.version=vX.Y.Z".
+var version = "dev"
+
+// buildRegistry returns every homelab verb. New verb-groups append here.
+func buildRegistry() []Command {
+	var reg []Command
+	reg = append(reg, claimCommands()...)
+	reg = append(reg, tfCommands()...)
+	reg = append(reg, workCommands()...)
+	reg = append(reg, k8sCommands()...)
+	reg = append(reg, memoryCommands()...)
+	reg = append(reg, ciCommands()...)
+	reg = append(reg, deployCommands()...)
+	reg = append(reg, netCommands()...)
+	reg = append(reg, obsCommands()...)
+	reg = append(reg, usageCommands()...)
+	reg = append(reg, haCommands()...)
+	reg = append(reg, browserCommands()...)
+	reg = append(reg, vaultCommands()...)
+	return reg
+}
+
+// dispatchTop handles the homelab verb surface. handled=false means the args are
+// not a homelab verb, so main() falls back to the legacy -use-case path.
+func dispatchTop(args []string) (handled bool, err error) {
+	if len(args) == 0 {
+		fmt.Print(usage())
+		return true, nil
+	}
+	switch args[0] {
+	case "help", "-h", "--help":
+		fmt.Print(usage())
+		return true, nil
+	case "version", "--version":
+		fmt.Println("homelab " + version)
+		return true, nil
+	case "manifest":
+		reg := buildRegistry()
+		if containsArg(args[1:], "--json") {
+			out, err := manifestJSON(reg)
+			if err != nil {
+				return true, err
+			}
+			fmt.Println(out)
+			return true, nil
+		}
+		fmt.Print(manifestText(reg))
+		return true, nil
+	}
+	if strings.HasPrefix(args[0], "-") {
+		return false, nil
+	}
+	reg := buildRegistry()
+	if !isCommandGroup(reg, args[0]) {
+		return false, nil
+	}
+	return true, dispatch(reg, args)
+}
+
+func isCommandGroup(reg []Command, group string) bool {
+	for _, c := range reg {
+		if len(c.Path) > 0 && c.Path[0] == group {
+			return true
+		}
+	}
+	return false
+}
+
+func containsArg(args []string, want string) bool {
+	for _, a := range args {
+		if a == want {
+			return true
+		}
+	}
+	return false
+}
+
+func usage() string {
+	var b strings.Builder
+	fmt.Fprintf(&b, "homelab %s — unified homelab operations CLI\n\n", version)
+	b.WriteString("Usage:\n  homelab <command> [args]\n\nCommands:\n")
+	for _, line := range strings.Split(strings.TrimRight(manifestText(buildRegistry()), "\n"), "\n") {
+		if line != "" {
+			b.WriteString("  " + line + "\n")
+		}
+	}
+	b.WriteString("\n  manifest [--json]   list all commands (machine-readable with --json)\n")
+	b.WriteString("  version             print version\n")
+	b.WriteString("\nLegacy webhook use-cases remain available via -use-case=<name>.\n")
+	return b.String()
+}
diff --git a/cli/k8s.go b/cli/k8s.go
new file mode 100644
index 00000000..3a2d0a5d
--- /dev/null
+++ b/cli/k8s.go
@@ -0,0 +1,138 @@
+package main
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+)
+
+// kubectl helpers use the ambient kubeconfig (no per-call auth flags).
+
+func kubectlBase(ns string, args ...string) []string {
+	var full []string
+	if ns != "" {
+		full = append(full, "-n", ns)
+	}
+	return append(full, args...)
+}
+
+func kubectlStream(ns string, args ...string) error {
+	return runStreamingIn("", "kubectl", kubectlBase(ns, args...)...)
+}
+
+// kubectlCapture runs kubectl and returns trimmed stdout (for resolving pods).
+func kubectlCapture(ns string, args ...string) (string, error) {
+	out, err := exec.Command("kubectl", kubectlBase(ns, args...)...).Output()
+	return strings.TrimSpace(string(out)), err
+}
+
+// k8sTarget is the parsed `<app>` + selectors shared by the k8s verbs.
+type k8sTarget struct {
+	app       string
+	ns        string
+	pod       string
+	container string
+	selector  string
+	tty       bool
+	rest      []string // passthrough flags and, after `--`, the exec command
+}
+
+// parseK8sTarget reads `<app> [-n ns] [--pod p] [-c ctr] [-l sel] [flags] [-- cmd]`.
+// The first bare token is the app; unknown flags pass through in rest.
+func parseK8sTarget(args []string) k8sTarget {
+	t := k8sTarget{}
+	i := 0
+	take := func() string {
+		if i+1 < len(args) {
+			i++
+			return args[i]
+		}
+		return ""
+	}
+	for i = 0; i < len(args); i++ {
+		a := args[i]
+		switch {
+		case a == "--":
+			t.rest = append(t.rest, args[i+1:]...)
+			return t
+		case a == "-n" || a == "--namespace":
+			t.ns = take()
+		case strings.HasPrefix(a, "--namespace="):
+			t.ns = strings.TrimPrefix(a, "--namespace=")
+		case a == "--pod":
+			t.pod = take()
+		case strings.HasPrefix(a, "--pod="):
+			t.pod = strings.TrimPrefix(a, "--pod=")
+		case a == "-c" || a == "--container":
+			t.container = take()
+		case strings.HasPrefix(a, "--container="):
+			t.container = strings.TrimPrefix(a, "--container=")
+		case a == "-l" || a == "--selector":
+			t.selector = take()
+		case strings.HasPrefix(a, "--selector="):
+			t.selector = strings.TrimPrefix(a, "--selector=")
+		case a == "--tty" || a == "-it" || a == "-ti":
+			t.tty = true
+		case !strings.HasPrefix(a, "-") && t.app == "":
+			t.app = a
+		default:
+			t.rest = append(t.rest, a)
+		}
+	}
+	return t
+}
+
+// namespace defaults to the app name (most namespaces hold exactly one app).
+func (t k8sTarget) namespace() string {
+	if t.ns != "" {
+		return t.ns
+	}
+	return t.app
+}
+
+// objectRef is the kubectl object for logs/exec: an explicit pod, else
+// deploy/<app> (kubectl resolves a pod from the Deployment).
+func (t k8sTarget) objectRef() string {
+	if t.pod != "" {
+		return "pod/" + t.pod
+	}
+	return "deploy/" + t.app
+}
+
+// --- database access (the dbaas exec pattern) ---
+
+type dbPlan struct {
+	ns        string
+	pod       string   // explicit pod (e.g. mysql-standalone-0)
+	selector  string   // resolve the pod by this label when pod == "" (CNPG primary)
+	container string   // "" = default container
+	argv      []string // command + args to run inside the pod
+}
+
+// planDBExec builds the in-pod command to run sql against app's database.
+// PG (default): CNPG primary POD (resolved by label — pg-cluster-rw is a
+// Service, not an exec target), psql -U postgres -d <db>.
+// MySQL: mysql-standalone-0, password from env (never on the command line).
+// dbName defaults to app. sql empty => interactive client.
+func planDBExec(app, dbName, sql string, mysql bool) dbPlan {
+	if dbName == "" {
+		dbName = app
+	}
+	if mysql {
+		inner := fmt.Sprintf(`mysql -u root -p"$MYSQL_ROOT_PASSWORD" %s`, shellQuote(dbName))
+		if sql != "" {
+			inner += " -e " + shellQuote(sql)
+		}
+		return dbPlan{ns: "dbaas", pod: "mysql-standalone-0", argv: []string{"bash", "-c", inner}}
+	}
+	argv := []string{"psql", "-U", "postgres", "-d", dbName}
+	if sql != "" {
+		argv = append(argv, "-tAc", sql)
+	}
+	return dbPlan{ns: "dbaas", selector: "cnpg.io/instanceRole=primary", container: "postgres", argv: argv}
+}
+
+// shellQuote single-quotes s for safe embedding in a bash -c string.
+func shellQuote(s string) string {
+	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
+}
diff --git a/cli/k8s_test.go b/cli/k8s_test.go
new file mode 100644
index 00000000..cfa356bc
--- /dev/null
+++ b/cli/k8s_test.go
@@ -0,0 +1,65 @@
+package main
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func TestParseK8sTarget(t *testing.T) {
+	got := parseK8sTarget([]string{"tripit", "-n", "prod", "--pod", "x-123", "-c", "app", "-l", "k=v", "--tail=50", "--", "ls", "-la"})
+	want := k8sTarget{app: "tripit", ns: "prod", pod: "x-123", container: "app", selector: "k=v", rest: []string{"--tail=50", "ls", "-la"}}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("parseK8sTarget =\n %+v\nwant\n %+v", got, want)
+	}
+}
+
+func TestK8sTargetNamespaceDefaultsToApp(t *testing.T) {
+	if ns := parseK8sTarget([]string{"immich"}).namespace(); ns != "immich" {
+		t.Errorf("namespace() = %q, want immich", ns)
+	}
+	if ns := parseK8sTarget([]string{"immich", "-n", "dbaas"}).namespace(); ns != "dbaas" {
+		t.Errorf("namespace() = %q, want dbaas", ns)
+	}
+}
+
+func TestK8sTargetObjectRef(t *testing.T) {
+	if r := parseK8sTarget([]string{"tripit"}).objectRef(); r != "deploy/tripit" {
+		t.Errorf("objectRef() = %q, want deploy/tripit", r)
+	}
+	if r := parseK8sTarget([]string{"tripit", "--pod", "tripit-abc"}).objectRef(); r != "pod/tripit-abc" {
+		t.Errorf("objectRef() = %q, want pod/tripit-abc", r)
+	}
+}
+
+func TestPlanDBExecPostgresDefault(t *testing.T) {
+	p := planDBExec("fire-planner", "", "SELECT 1", false)
+	// pg-cluster-rw is a Service, so the PG plan resolves the primary POD by
+	// label rather than naming an (un-exec-able) Service.
+	if p.ns != "dbaas" || p.pod != "" || p.selector != "cnpg.io/instanceRole=primary" || p.container != "postgres" {
+		t.Fatalf("unexpected pg target: %+v", p)
+	}
+	// db name defaults to the app; SQL passed via -tAc
+	joined := strings.Join(p.argv, " ")
+	if !strings.Contains(joined, "-d fire-planner") || !strings.Contains(joined, "-tAc") {
+		t.Fatalf("pg argv missing db/sql: %v", p.argv)
+	}
+}
+
+func TestPlanDBExecMysqlEnvPassword(t *testing.T) {
+	p := planDBExec("wrongmove", "wrongmove", "SHOW TABLES", true)
+	if p.pod != "mysql-standalone-0" {
+		t.Fatalf("unexpected mysql pod: %+v", p)
+	}
+	inner := strings.Join(p.argv, " ")
+	// password must come from the env var, never inline
+	if !strings.Contains(inner, `-p"$MYSQL_ROOT_PASSWORD"`) {
+		t.Fatalf("mysql must use env password wrapper: %v", p.argv)
+	}
+}
+
+func TestShellQuoteEscapes(t *testing.T) {
+	if got := shellQuote("a'b"); got != `'a'\''b'` {
+		t.Fatalf("shellQuote = %q", got)
+	}
+}
diff --git a/cli/main.go b/cli/main.go
index 3b9fee1c..a53f7672 100644
--- a/cli/main.go
+++ b/cli/main.go
@@ -26,8 +26,16 @@ var (
 )
 
 func main() {
-	err := run()
-	if err != nil {
+	// homelab verb surface (work/tf/claim/...) is tried first; if the args are
+	// not a homelab verb, fall through to the legacy webhook -use-case path.
+	if handled, err := dispatchTop(os.Args[1:]); handled {
+		if err != nil {
+			fmt.Fprintln(os.Stderr, "homelab: "+err.Error())
+			os.Exit(1)
+		}
+		return
+	}
+	if err := run(); err != nil {
 		glog.Errorf("run failed: %s", err.Error())
 		os.Exit(255)
 	}
diff --git a/cli/memory.go b/cli/memory.go
new file mode 100644
index 00000000..286ee5bb
--- /dev/null
+++ b/cli/memory.go
@@ -0,0 +1,103 @@
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+)
+
+// defaultMemoryURL is used when no env override is present (agents normally have
+// CLAUDE_MEMORY_API_URL set by the memory hooks).
+const defaultMemoryURL = "https://claude-memory.viktorbarzin.me"
+
+type memoryClient struct {
+	base string
+	key  string
+	http *http.Client
+}
+
+func firstEnv(keys ...string) string {
+	for _, k := range keys {
+		if v := os.Getenv(k); v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func resolveMemoryBase() string {
+	if b := firstEnv("CLAUDE_MEMORY_API_URL", "MEMORY_API_URL"); b != "" {
+		return strings.TrimRight(b, "/")
+	}
+	return defaultMemoryURL
+}
+
+// newMemoryClient talks straight to the claude-memory HTTP API (the same backend
+// the MCP wraps), so it works even when the MCP frontend is down.
+func newMemoryClient() (*memoryClient, error) {
+	key := firstEnv("CLAUDE_MEMORY_API_KEY", "MEMORY_API_KEY")
+	if key == "" {
+		return nil, fmt.Errorf("no memory API key — set CLAUDE_MEMORY_API_KEY (or MEMORY_API_KEY)")
+	}
+	return &memoryClient{base: resolveMemoryBase(), key: key, http: &http.Client{Timeout: 30 * time.Second}}, nil
+}
+
+func (c *memoryClient) do(method, path string, body interface{}) ([]byte, error) {
+	var r io.Reader
+	if body != nil {
+		b, err := json.Marshal(body)
+		if err != nil {
+			return nil, err
+		}
+		r = bytes.NewReader(b)
+	}
+	req, err := http.NewRequest(method, c.base+path, r)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Authorization", "Bearer "+c.key)
+	if body != nil {
+		req.Header.Set("Content-Type", "application/json")
+	}
+	resp, err := c.http.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	out, _ := io.ReadAll(resp.Body)
+	if resp.StatusCode >= 300 {
+		return nil, fmt.Errorf("memory API %s %s -> %d: %s", method, path, resp.StatusCode, strings.TrimSpace(string(out)))
+	}
+	return out, nil
+}
+
+// Request bodies mirror src/claude_memory/api/models.py.
+
+type memRecallReq struct {
+	Context       string `json:"context"`
+	ExpandedQuery string `json:"expanded_query,omitempty"`
+	Category      string `json:"category,omitempty"`
+	SortBy        string `json:"sort_by,omitempty"`
+	Limit         int    `json:"limit,omitempty"`
+}
+
+type memStoreReq struct {
+	Content          string  `json:"content"`
+	Category         string  `json:"category,omitempty"`
+	Tags             string  `json:"tags,omitempty"`
+	ExpandedKeywords string  `json:"expanded_keywords,omitempty"`
+	Importance       float64 `json:"importance"`
+	ForceSensitive   bool    `json:"force_sensitive,omitempty"`
+}
+
+type memUpdateReq struct {
+	Content          *string  `json:"content,omitempty"`
+	Tags             *string  `json:"tags,omitempty"`
+	Importance       *float64 `json:"importance,omitempty"`
+	ExpandedKeywords *string  `json:"expanded_keywords,omitempty"`
+}
diff --git a/cli/memory_test.go b/cli/memory_test.go
new file mode 100644
index 00000000..7b14ef20
--- /dev/null
+++ b/cli/memory_test.go
@@ -0,0 +1,51 @@
+package main
+
+import (
+	"encoding/json"
+	"os"
+	"strings"
+	"testing"
+)
+
+func TestResolveMemoryBase(t *testing.T) {
+	old1, old2 := os.Getenv("CLAUDE_MEMORY_API_URL"), os.Getenv("MEMORY_API_URL")
+	defer func() { os.Setenv("CLAUDE_MEMORY_API_URL", old1); os.Setenv("MEMORY_API_URL", old2) }()
+
+	os.Unsetenv("CLAUDE_MEMORY_API_URL")
+	os.Unsetenv("MEMORY_API_URL")
+	if got := resolveMemoryBase(); got != defaultMemoryURL {
+		t.Errorf("resolveMemoryBase() = %q, want default %q", got, defaultMemoryURL)
+	}
+	os.Setenv("CLAUDE_MEMORY_API_URL", "https://m.example/") // trailing slash trimmed
+	if got := resolveMemoryBase(); got != "https://m.example" {
+		t.Errorf("resolveMemoryBase() = %q, want https://m.example", got)
+	}
+}
+
+func TestMemStoreReqAlwaysSendsImportance(t *testing.T) {
+	b, _ := json.Marshal(memStoreReq{Content: "x", Category: "facts", Importance: 0.5})
+	s := string(b)
+	if !strings.Contains(s, `"content":"x"`) || !strings.Contains(s, `"importance":0.5`) {
+		t.Fatalf("memStoreReq JSON missing fields: %s", s)
+	}
+}
+
+func TestMemUpdateReqOmitsUnsetFields(t *testing.T) {
+	tags := "a,b"
+	b, _ := json.Marshal(memUpdateReq{Tags: &tags})
+	s := string(b)
+	if strings.Contains(s, "content") || strings.Contains(s, "importance") {
+		t.Fatalf("unset update fields must be omitted: %s", s)
+	}
+	if !strings.Contains(s, `"tags":"a,b"`) {
+		t.Fatalf("set field missing: %s", s)
+	}
+}
+
+func TestMemRecallReqOmitsEmptyOptionals(t *testing.T) {
+	b, _ := json.Marshal(memRecallReq{Context: "hi"})
+	s := string(b)
+	if strings.Contains(s, "expanded_query") || strings.Contains(s, "category") || strings.Contains(s, "limit") {
+		t.Fatalf("empty optionals must be omitted: %s", s)
+	}
+}
diff --git a/cli/presence.go b/cli/presence.go
new file mode 100644
index 00000000..bcf054d7
--- /dev/null
+++ b/cli/presence.go
@@ -0,0 +1,58 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// validPresenceKinds is the fixed label taxonomy accepted by the presence board.
+var validPresenceKinds = []string{"node", "host", "stack", "service", "db", "pvc", "infra"}
+
+// presenceScript locates the presence CLI — homelab WRAPS it, it does not
+// reimplement it. Override with HOMELAB_PRESENCE; defaults to ~/code/scripts/presence.
+func presenceScript() string {
+	if p := os.Getenv("HOMELAB_PRESENCE"); p != "" {
+		return p
+	}
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return "presence"
+	}
+	return filepath.Join(home, "code", "scripts", "presence")
+}
+
+// validateLabel checks a presence label is <kind>:<name> with a known kind.
+func validateLabel(label string) error {
+	parts := strings.SplitN(label, ":", 2)
+	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+		return fmt.Errorf("label must be <kind>:<name> (e.g. stack:vault), got %q", label)
+	}
+	for _, k := range validPresenceKinds {
+		if parts[0] == k {
+			return nil
+		}
+	}
+	return fmt.Errorf("invalid label kind %q; valid kinds: %s", parts[0], strings.Join(validPresenceKinds, ", "))
+}
+
+// presenceClaim claims label on the board with a purpose note.
+func presenceClaim(label, purpose string) error {
+	if err := validateLabel(label); err != nil {
+		return err
+	}
+	args := []string{"claim", label}
+	if purpose != "" {
+		args = append(args, "--purpose", purpose)
+	}
+	return runStreaming(presenceScript(), args...)
+}
+
+// presenceRelease releases a prior claim on label.
+func presenceRelease(label string) error {
+	if err := validateLabel(label); err != nil {
+		return err
+	}
+	return runStreaming(presenceScript(), "release", label)
+}
diff --git a/cli/presence_test.go b/cli/presence_test.go
new file mode 100644
index 00000000..3d1596e1
--- /dev/null
+++ b/cli/presence_test.go
@@ -0,0 +1,24 @@
+package main
+
+import "testing"
+
+func TestValidateLabelAcceptsTaxonomy(t *testing.T) {
+	good := []string{
+		"stack:vault", "service:health", "node:k8s-node1", "db:pg-cluster",
+		"infra:gpu-operator", "host:proxmox-1", "pvc:dbaas/data",
+	}
+	for _, l := range good {
+		if err := validateLabel(l); err != nil {
+			t.Errorf("validateLabel(%q) = %v, want nil", l, err)
+		}
+	}
+}
+
+func TestValidateLabelRejectsBadLabels(t *testing.T) {
+	bad := []string{"vault", "stack:", "bogus:x", ":x", "stack", ""}
+	for _, l := range bad {
+		if err := validateLabel(l); err == nil {
+			t.Errorf("validateLabel(%q) = nil, want error", l)
+		}
+	}
+}
diff --git a/cli/probe.go b/cli/probe.go
new file mode 100644
index 00000000..25d148a0
--- /dev/null
+++ b/cli/probe.go
@@ -0,0 +1,76 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os/exec"
+	"strings"
+	"time"
+)
+
+// internalLBIP is the dedicated Traefik LB; every internal ingress routes through it.
+const internalLBIP = "10.0.20.203"
+
+// clientDialingIP returns an http.Client that dials ip for ANY host while keeping
+// the URL host as SNI (so the cert matches) — the Go form of `curl --resolve
+// host:443:ip`. TLS verification is skipped (these are reachability/observability
+// probes, not security checks; internal .lan vhosts may serve a non-matching cert).
+func clientDialingIP(ip string, timeout time.Duration) *http.Client {
+	d := &net.Dialer{Timeout: 8 * time.Second}
+	tr := &http.Transport{
+		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			if i := strings.LastIndex(addr, ":"); i >= 0 {
+				addr = ip + addr[i:]
+			}
+			return d.DialContext(ctx, network, addr)
+		},
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	return &http.Client{Timeout: timeout, Transport: tr}
+}
+
+// probeURL issues a GET and returns status code + elapsed time.
+func probeURL(c *http.Client, rawurl string) (int, time.Duration, error) {
+	start := time.Now()
+	resp, err := c.Get(rawurl)
+	dur := time.Since(start)
+	if err != nil {
+		return 0, dur, err
+	}
+	resp.Body.Close()
+	return resp.StatusCode, dur, nil
+}
+
+// lbGetBody GETs https://<host><path>?<q> through the internal LB and returns the body.
+func lbGetBody(host, path string, q url.Values) ([]byte, error) {
+	u := "https://" + host + path
+	if len(q) > 0 {
+		u += "?" + q.Encode()
+	}
+	resp, err := clientDialingIP(internalLBIP, 20*time.Second).Get(u)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	body, _ := io.ReadAll(resp.Body)
+	if resp.StatusCode >= 300 {
+		return nil, fmt.Errorf("%s -> %d: %s", path, resp.StatusCode, strings.TrimSpace(string(body)))
+	}
+	return body, nil
+}
+
+// dig runs `dig +short` against a resolver, optionally for a record type.
+func dig(name, server, rrtype string) (string, error) {
+	args := []string{"+short", "+time=3", "+tries=1"}
+	if rrtype != "" {
+		args = append(args, rrtype)
+	}
+	args = append(args, name, "@"+server)
+	out, err := exec.Command("dig", args...).Output()
+	return strings.TrimSpace(string(out)), err
+}
diff --git a/cli/probe_test.go b/cli/probe_test.go
new file mode 100644
index 00000000..bec4d132
--- /dev/null
+++ b/cli/probe_test.go
@@ -0,0 +1,49 @@
+package main
+
+import "testing"
+
+func TestQueryArg(t *testing.T) {
+	if got := queryArg([]string{"up"}, nil); got != "up" {
+		t.Errorf(`queryArg(["up"]) = %q, want "up"`, got)
+	}
+	if got := queryArg([]string{"up", "--json"}, nil); got != "up" {
+		t.Errorf(`--json should be dropped, got %q`, got)
+	}
+	// single quoted PromQL arrives as one token
+	if got := queryArg([]string{"count by (node) (up)", "--json"}, nil); got != "count by (node) (up)" {
+		t.Errorf(`quoted query mangled: %q`, got)
+	}
+	// value-flags and their values are skipped, query survives
+	vf := map[string]bool{"--since": true, "--limit": true}
+	if got := queryArg([]string{`{app="x"}`, "--since", "1h", "--limit", "50"}, vf); got != `{app="x"}` {
+		t.Errorf(`value-flag skipping failed: %q`, got)
+	}
+}
+
+func TestLabelStr(t *testing.T) {
+	got := labelStr(map[string]string{"__name__": "up", "job": "x", "instance": "y"})
+	if got != "up{instance=y,job=x}" { // __name__ extracted, rest sorted
+		t.Errorf("labelStr = %q", got)
+	}
+	if got := labelStr(map[string]string{"alertname": "Foo"}); got != "{alertname=Foo}" {
+		t.Errorf("labelStr (no __name__) = %q", got)
+	}
+}
+
+func TestOneLineList(t *testing.T) {
+	if got := oneLineList("  "); got != "(none)" {
+		t.Errorf("empty = %q, want (none)", got)
+	}
+	if got := oneLineList("a\nb"); got != "a, b" {
+		t.Errorf("multi = %q, want 'a, b'", got)
+	}
+}
+
+func TestHostOnly(t *testing.T) {
+	if got := hostOnly("foo.me/path"); got != "foo.me" {
+		t.Errorf("hostOnly = %q", got)
+	}
+	if got := hostOnly("foo.me"); got != "foo.me" {
+		t.Errorf("hostOnly = %q", got)
+	}
+}
diff --git a/cli/repo.go b/cli/repo.go
new file mode 100644
index 00000000..3e0dc4f1
--- /dev/null
+++ b/cli/repo.go
@@ -0,0 +1,101 @@
+package main
+
+import (
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"strings"
+)
+
+// preferRemote picks the canonical remote: forgejo if present, else origin,
+// else the first listed. (For infra, origin and forgejo both point at Forgejo.)
+func preferRemote(remotes []string) string {
+	has := map[string]bool{}
+	for _, r := range remotes {
+		has[r] = true
+	}
+	switch {
+	case has["forgejo"]:
+		return "forgejo"
+	case has["origin"]:
+		return "origin"
+	case len(remotes) > 0:
+		return remotes[0]
+	default:
+		return ""
+	}
+}
+
+// hasGitCryptAttr reports whether .gitattributes content enables git-crypt.
+func hasGitCryptAttr(gitattributes string) bool {
+	return strings.Contains(gitattributes, "filter=git-crypt")
+}
+
+// gitCryptFlags are the per-command flags that disable smudge/clean so git
+// operations in a git-crypt repo don't try to decrypt (NEVER persisted to config).
+func gitCryptFlags() []string {
+	return []string{
+		"-c", "filter.git-crypt.smudge=cat",
+		"-c", "filter.git-crypt.clean=cat",
+		"-c", "filter.git-crypt.required=false",
+	}
+}
+
+// gitOutput runs `git -C dir <args>` and returns trimmed stdout.
+func gitOutput(dir string, args ...string) (string, error) {
+	cmd := exec.Command("git", append([]string{"-C", dir}, args...)...)
+	out, err := cmd.Output()
+	return strings.TrimSpace(string(out)), err
+}
+
+func gitRepoRoot(dir string) (string, error) {
+	return gitOutput(dir, "rev-parse", "--show-toplevel")
+}
+
+// gitRemotes lists configured remote names for the repo at dir.
+func gitRemotes(dir string) ([]string, error) {
+	out, err := gitOutput(dir, "remote")
+	if err != nil {
+		return nil, err
+	}
+	if out == "" {
+		return nil, nil
+	}
+	return strings.Split(out, "\n"), nil
+}
+
+// isGitCryptRepo reports whether the repo at repoRoot uses git-crypt.
+func isGitCryptRepo(repoRoot string) bool {
+	b, err := os.ReadFile(filepath.Join(repoRoot, ".gitattributes"))
+	if err != nil {
+		return false
+	}
+	return hasGitCryptAttr(string(b))
+}
+
+// cryptFlagsFor returns the git-crypt filter flags when repoRoot is encrypted,
+// else nil. These are injected per-command and never persisted.
+func cryptFlagsFor(repoRoot string) []string {
+	if isGitCryptRepo(repoRoot) {
+		return gitCryptFlags()
+	}
+	return nil
+}
+
+// gitStream runs `git [cryptFlags] -C repoRoot <args>` with live output.
+func gitStream(repoRoot string, cryptFlags []string, args ...string) error {
+	full := append(append([]string{}, cryptFlags...), append([]string{"-C", repoRoot}, args...)...)
+	return runStreamingIn("", "git", full...)
+}
+
+// currentUser returns the OS username for branch naming (<user>/<topic>).
+func currentUser() string {
+	if u := os.Getenv("USER"); u != "" {
+		return u
+	}
+	if u, err := user.Current(); err == nil && u.Username != "" {
+		return u.Username
+	}
+	return "user"
+}
diff --git a/cli/repo_test.go b/cli/repo_test.go
new file mode 100644
index 00000000..76cf21a7
--- /dev/null
+++ b/cli/repo_test.go
@@ -0,0 +1,37 @@
+package main
+
+import "testing"
+
+func TestPreferRemote(t *testing.T) {
+	cases := []struct {
+		in   []string
+		want string
+	}{
+		{[]string{"origin", "forgejo"}, "forgejo"},
+		{[]string{"forgejo"}, "forgejo"},
+		{[]string{"origin"}, "origin"},
+		{[]string{"upstream"}, "upstream"},
+		{nil, ""},
+	}
+	for _, c := range cases {
+		if got := preferRemote(c.in); got != c.want {
+			t.Errorf("preferRemote(%v) = %q, want %q", c.in, got, c.want)
+		}
+	}
+}
+
+func TestHasGitCryptAttr(t *testing.T) {
+	if !hasGitCryptAttr("*.tfvars filter=git-crypt diff=git-crypt") {
+		t.Error("expected git-crypt detected")
+	}
+	if hasGitCryptAttr("*.md text\n*.png binary") {
+		t.Error("expected no git-crypt")
+	}
+}
+
+func TestGitCryptFlagsShape(t *testing.T) {
+	f := gitCryptFlags()
+	if len(f) != 6 || f[0] != "-c" || f[1] != "filter.git-crypt.smudge=cat" {
+		t.Fatalf("unexpected git-crypt flags: %v", f)
+	}
+}
diff --git a/cli/run.go b/cli/run.go
new file mode 100644
index 00000000..22e7f17a
--- /dev/null
+++ b/cli/run.go
@@ -0,0 +1,23 @@
+package main
+
+import (
+	"os"
+	"os/exec"
+)
+
+// runStreaming executes name with args, wiring std streams to this process so
+// the caller sees live output, and returns the command's error (non-nil on
+// non-zero exit — preserved so homelab's own exit code reflects the child's).
+func runStreaming(name string, args ...string) error {
+	return runStreamingIn("", name, args...)
+}
+
+// runStreamingIn is runStreaming with a working directory (empty = inherit).
+func runStreamingIn(dir, name string, args ...string) error {
+	cmd := exec.Command(name, args...)
+	cmd.Dir = dir
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	cmd.Stdin = os.Stdin
+	return cmd.Run()
+}
diff --git a/cli/stack.go b/cli/stack.go
new file mode 100644
index 00000000..1cfdd8d0
--- /dev/null
+++ b/cli/stack.go
@@ -0,0 +1,54 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+)
+
+// findInfraRoot walks up from start to the infra repo root — the directory
+// holding both terragrunt.hcl and a stacks/ directory.
+func findInfraRoot(start string) (string, error) {
+	dir := start
+	for {
+		if isFile(filepath.Join(dir, "terragrunt.hcl")) && isDir(filepath.Join(dir, "stacks")) {
+			return dir, nil
+		}
+		parent := filepath.Dir(dir)
+		if parent == dir {
+			return "", fmt.Errorf("not inside an infra checkout (no terragrunt.hcl + stacks/ found above %s)", start)
+		}
+		dir = parent
+	}
+}
+
+// resolveStack maps a bare stack name to its directory under <infraRoot>/stacks.
+func resolveStack(infraRoot, name string) (string, error) {
+	dir := filepath.Join(infraRoot, "stacks", name)
+	if isDir(dir) {
+		return dir, nil
+	}
+	avail := listStacks(infraRoot)
+	return "", fmt.Errorf("stack %q not found under stacks/; available: %s", name, strings.Join(avail, ", "))
+}
+
+// listStacks returns the sorted names of every directory under <infraRoot>/stacks.
+func listStacks(infraRoot string) []string {
+	entries, err := os.ReadDir(filepath.Join(infraRoot, "stacks"))
+	if err != nil {
+		return nil
+	}
+	var out []string
+	for _, e := range entries {
+		if e.IsDir() {
+			out = append(out, e.Name())
+		}
+	}
+	sort.Strings(out)
+	return out
+}
+
+func isFile(p string) bool { fi, err := os.Stat(p); return err == nil && !fi.IsDir() }
+func isDir(p string) bool  { fi, err := os.Stat(p); return err == nil && fi.IsDir() }
diff --git a/cli/stack_test.go b/cli/stack_test.go
new file mode 100644
index 00000000..2967dc18
--- /dev/null
+++ b/cli/stack_test.go
@@ -0,0 +1,52 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func newInfraTree(t *testing.T, stacks ...string) string {
+	t.Helper()
+	root := t.TempDir()
+	if err := os.WriteFile(filepath.Join(root, "terragrunt.hcl"), []byte("# root"), 0o644); err != nil {
+		t.Fatal(err)
+	}
+	for _, s := range stacks {
+		if err := os.MkdirAll(filepath.Join(root, "stacks", s), 0o755); err != nil {
+			t.Fatal(err)
+		}
+	}
+	return root
+}
+
+func TestFindInfraRootWalksUp(t *testing.T) {
+	root := newInfraTree(t, "vault")
+	got, err := findInfraRoot(filepath.Join(root, "stacks", "vault"))
+	if err != nil {
+		t.Fatalf("findInfraRoot error: %v", err)
+	}
+	if got != root {
+		t.Fatalf("findInfraRoot = %q, want %q", got, root)
+	}
+}
+
+func TestFindInfraRootErrorsOutsideInfra(t *testing.T) {
+	if _, err := findInfraRoot(t.TempDir()); err == nil {
+		t.Fatal("expected error outside an infra checkout")
+	}
+}
+
+func TestResolveStack(t *testing.T) {
+	root := newInfraTree(t, "vault", "monitoring")
+	dir, err := resolveStack(root, "vault")
+	if err != nil {
+		t.Fatalf("resolveStack error: %v", err)
+	}
+	if want := filepath.Join(root, "stacks", "vault"); dir != want {
+		t.Fatalf("resolveStack = %q, want %q", dir, want)
+	}
+	if _, err := resolveStack(root, "nonesuch"); err == nil {
+		t.Fatal("expected error for unknown stack")
+	}
+}
diff --git a/cli/telemetry.go b/cli/telemetry.go
new file mode 100644
index 00000000..b0bb625a
--- /dev/null
+++ b/cli/telemetry.go
@@ -0,0 +1,62 @@
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// usageJob is the Loki stream job label for homelab usage telemetry.
+const usageJob = "homelab-usage"
+
+// emitUsage best-effort records one verb invocation to Loki for cross-user
+// usage analytics. Labels are low-cardinality (job/user/verb); the line carries
+// only exit code + CLI version. NEVER args, paths, flags, or secrets. It must
+// never affect the command: all errors are swallowed and a tight timeout bounds
+// the cost. Opt out with HOMELAB_TELEMETRY=0.
+func emitUsage(verb string, runErr error) {
+	switch os.Getenv("HOMELAB_TELEMETRY") {
+	case "0", "off", "false", "no":
+		return
+	}
+	if verb == "" || strings.HasPrefix(verb, "usage") {
+		return // don't self-record the analytics reader
+	}
+	exit := 0
+	if runErr != nil {
+		exit = 1
+	}
+	body, err := json.Marshal(lokiPush{Streams: []lokiStream{{
+		Stream: map[string]string{"job": usageJob, "user": currentUser(), "verb": verb},
+		Values: [][2]string{{
+			strconv.FormatInt(time.Now().UnixNano(), 10),
+			"exit=" + strconv.Itoa(exit) + " ver=" + version,
+		}},
+	}}})
+	if err != nil {
+		return
+	}
+	req, err := http.NewRequest("POST", "https://"+lokiHost+"/loki/api/v1/push", bytes.NewReader(body))
+	if err != nil {
+		return
+	}
+	req.Header.Set("Content-Type", "application/json")
+	resp, err := clientDialingIP(internalLBIP, 800*time.Millisecond).Do(req)
+	if err != nil {
+		return
+	}
+	resp.Body.Close()
+}
+
+type lokiPush struct {
+	Streams []lokiStream `json:"streams"`
+}
+
+type lokiStream struct {
+	Stream map[string]string `json:"stream"`
+	Values [][2]string       `json:"values"`
+}
diff --git a/cli/update_viktorbarzin_me.go b/cli/update_viktorbarzin_me.go
index 1a693a25..c2c1d3f4 100644
--- a/cli/update_viktorbarzin_me.go
+++ b/cli/update_viktorbarzin_me.go
@@ -103,6 +103,6 @@ func notifyForIPChange(oldIP, newIP net.IP) error {
 	if err != nil {
 		return errors.Wrapf(err, "Error reading response")
 	}
-	glog.Infof("Response:", string(responseBody))
+	glog.Infof("Response: %s", string(responseBody))
 	return nil
 }
diff --git a/cli/usage_test.go b/cli/usage_test.go
new file mode 100644
index 00000000..052e080c
--- /dev/null
+++ b/cli/usage_test.go
@@ -0,0 +1,18 @@
+package main
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestUsageQuery(t *testing.T) {
+	got := usageQuery("30d", "")
+	want := `sum by (verb) (count_over_time({job="homelab-usage"}[30d]))`
+	if got != want {
+		t.Errorf("usageQuery(30d,\"\") = %q, want %q", got, want)
+	}
+	withUser := usageQuery("7d", "emo")
+	if !strings.Contains(withUser, `user="emo"`) || !strings.Contains(withUser, "[7d]") {
+		t.Errorf("usageQuery with user missing filter/range: %q", withUser)
+	}
+}
diff --git a/cli/woodpecker.go b/cli/woodpecker.go
new file mode 100644
index 00000000..b3a48c20
--- /dev/null
+++ b/cli/woodpecker.go
@@ -0,0 +1,191 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+)
+
+// Woodpecker is reached at ci.viktorbarzin.me but routed via the internal Traefik
+// LB (mirrors the proven `curl --resolve ci.viktorbarzin.me:443:10.0.20.203`):
+// we dial the LB IP while keeping SNI/Host = the hostname so the cert verifies.
+const (
+	wpHost = "ci.viktorbarzin.me"
+	wpLBIP = "10.0.20.203"
+)
+
+type wpClient struct {
+	base  string
+	token string
+	http  *http.Client
+}
+
+// wpToken reads WOODPECKER_TOKEN, else the canonical Vault path.
+func wpToken() string {
+	if t := firstEnv("WOODPECKER_TOKEN", "WP_TOKEN"); t != "" {
+		return t
+	}
+	out, err := exec.Command("vault", "kv", "get", "-field=woodpecker_api_token", "secret/ci/global").Output()
+	if err != nil {
+		return ""
+	}
+	return strings.TrimSpace(string(out))
+}
+
+func newWPClient() (*wpClient, error) {
+	tok := wpToken()
+	if tok == "" {
+		return nil, fmt.Errorf("no woodpecker token — set WOODPECKER_TOKEN or `vault login` (reads secret/ci/global)")
+	}
+	ip := firstEnv("HOMELAB_WP_IP")
+	if ip == "" {
+		ip = wpLBIP
+	}
+	dialer := &net.Dialer{Timeout: 8 * time.Second}
+	tr := &http.Transport{
+		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			if strings.HasPrefix(addr, wpHost+":") {
+				addr = ip + addr[strings.LastIndex(addr, ":"):]
+			}
+			return dialer.DialContext(ctx, network, addr)
+		},
+	}
+	return &wpClient{base: "https://" + wpHost, token: tok, http: &http.Client{Timeout: 20 * time.Second, Transport: tr}}, nil
+}
+
+// getJSON GETs path into v, retrying the transient empty/5xx responses the
+// Woodpecker API intermittently returns under load.
+func (c *wpClient) getJSON(path string, v interface{}) error {
+	var lastErr error
+	for attempt := 0; attempt < 5; attempt++ {
+		if attempt > 0 {
+			time.Sleep(2 * time.Second)
+		}
+		req, _ := http.NewRequest("GET", c.base+path, nil)
+		req.Header.Set("Authorization", "Bearer "+c.token)
+		resp, err := c.http.Do(req)
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		body, _ := io.ReadAll(resp.Body)
+		resp.Body.Close()
+		if resp.StatusCode >= 500 || len(strings.TrimSpace(string(body))) == 0 {
+			lastErr = fmt.Errorf("woodpecker GET %s -> %d (empty/5xx, retrying)", path, resp.StatusCode)
+			continue
+		}
+		if resp.StatusCode >= 300 {
+			return fmt.Errorf("woodpecker GET %s -> %d: %s", path, resp.StatusCode, strings.TrimSpace(string(body)))
+		}
+		return json.Unmarshal(body, v)
+	}
+	return lastErr
+}
+
+type wpPipeline struct {
+	Number  int    `json:"number"`
+	Status  string `json:"status"`
+	Event   string `json:"event"`
+	Commit  string `json:"commit"`
+	Message string `json:"message"`
+}
+
+func (c *wpClient) recentPipelines(repoID, n int) ([]wpPipeline, error) {
+	var ps []wpPipeline
+	err := c.getJSON(fmt.Sprintf("/api/repos/%d/pipelines?per_page=%d", repoID, n), &ps)
+	return ps, err
+}
+
+// findPipeline returns the pipeline for commit (prefix match), or the latest when
+// commit is empty.
+func (c *wpClient) findPipeline(repoID int, commit string) (wpPipeline, error) {
+	ps, err := c.recentPipelines(repoID, 25)
+	if err != nil {
+		return wpPipeline{}, err
+	}
+	if len(ps) == 0 {
+		return wpPipeline{}, fmt.Errorf("no pipelines for repo %d", repoID)
+	}
+	if commit == "" {
+		return ps[0], nil
+	}
+	for _, p := range ps {
+		if strings.HasPrefix(p.Commit, commit) {
+			return p, nil
+		}
+	}
+	return wpPipeline{}, fmt.Errorf("no pipeline for commit %s in the last %d", commit[:min(8, len(commit))], len(ps))
+}
+
+func (c *wpClient) repoID() (int, error) {
+	owner, repo, err := repoOwnerName()
+	if err != nil {
+		return 0, err
+	}
+	var r struct {
+		ID int `json:"id"`
+	}
+	if err := c.getJSON("/api/repos/lookup/"+owner+"/"+repo, &r); err != nil {
+		return 0, err
+	}
+	if r.ID == 0 {
+		return 0, fmt.Errorf("repo %s/%s not registered in woodpecker", owner, repo)
+	}
+	return r.ID, nil
+}
+
+// repoOwnerName derives <owner>/<repo> from the cwd git remote.
+func repoOwnerName() (string, string, error) {
+	cwd, _ := os.Getwd()
+	root, err := gitRepoRoot(cwd)
+	if err != nil {
+		return "", "", fmt.Errorf("not in a git repository: %w", err)
+	}
+	remote := preferRemote(remotesOrEmpty(root))
+	url, err := gitOutput(root, "remote", "get-url", remote)
+	if err != nil {
+		return "", "", err
+	}
+	return parseOwnerRepo(url)
+}
+
+// parseOwnerRepo extracts owner/repo from an https or ssh git remote URL.
+func parseOwnerRepo(url string) (string, string, error) {
+	u := strings.TrimSuffix(strings.TrimSpace(url), ".git")
+	u = strings.TrimSuffix(u, "/")
+	if i := strings.Index(u, "://"); i >= 0 {
+		u = u[i+3:]
+	}
+	u = strings.ReplaceAll(u, ":", "/") // git@host:owner/repo -> git@host/owner/repo
+	parts := strings.Split(u, "/")
+	if len(parts) < 2 || parts[len(parts)-1] == "" || parts[len(parts)-2] == "" {
+		return "", "", fmt.Errorf("cannot parse owner/repo from remote %q", url)
+	}
+	return parts[len(parts)-2], parts[len(parts)-1], nil
+}
+
+func isTerminalStatus(s string) bool {
+	switch s {
+	case "success", "failure", "error", "killed", "declined", "blocked":
+		return true
+	}
+	return false
+}
+
+func isFailureStatus(s string) bool {
+	return s == "failure" || s == "error" || s == "killed" || s == "declined"
+}
+
+func min(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
+}
diff --git a/cli/woodpecker_test.go b/cli/woodpecker_test.go
new file mode 100644
index 00000000..72c73c69
--- /dev/null
+++ b/cli/woodpecker_test.go
@@ -0,0 +1,40 @@
+package main
+
+import "testing"
+
+func TestParseOwnerRepo(t *testing.T) {
+	cases := []struct{ in, owner, repo string }{
+		{"https://forgejo.viktorbarzin.me/viktor/infra.git", "viktor", "infra"},
+		{"https://forgejo.viktorbarzin.me/viktor/infra", "viktor", "infra"},
+		{"git@github.com:ViktorBarzin/infra.git", "ViktorBarzin", "infra"},
+		{"https://github.com/ViktorBarzin/tripit/", "ViktorBarzin", "tripit"},
+	}
+	for _, c := range cases {
+		o, r, err := parseOwnerRepo(c.in)
+		if err != nil || o != c.owner || r != c.repo {
+			t.Errorf("parseOwnerRepo(%q) = (%q, %q, %v), want (%q, %q)", c.in, o, r, err, c.owner, c.repo)
+		}
+	}
+	if _, _, err := parseOwnerRepo("nonsense"); err == nil {
+		t.Error("expected error for unparseable remote")
+	}
+}
+
+func TestStatusClassification(t *testing.T) {
+	for _, s := range []string{"success", "failure", "error", "killed"} {
+		if !isTerminalStatus(s) {
+			t.Errorf("%q should be terminal", s)
+		}
+	}
+	for _, s := range []string{"running", "pending"} {
+		if isTerminalStatus(s) {
+			t.Errorf("%q should not be terminal", s)
+		}
+	}
+	if !isFailureStatus("failure") || !isFailureStatus("error") {
+		t.Error("failure/error should classify as failure")
+	}
+	if isFailureStatus("success") {
+		t.Error("success must not classify as failure")
+	}
+}
diff --git a/docs/adr/0001-android-emulator-in-cluster.md b/docs/adr/0001-android-emulator-in-cluster.md
new file mode 100644
index 00000000..aec44e9d
--- /dev/null
+++ b/docs/adr/0001-android-emulator-in-cluster.md
@@ -0,0 +1,42 @@
+---
+status: accepted
+---
+
+# The Android testing environment is a privileged KVM emulator pod in-cluster
+
+Viktor's apps are growing Android clients (first: tripit's Capacitor shell —
+see tripit ADR-0013/0014), and agents need a native Android instance to test
+changes against before shipping. All K8s nodes already run with CPU type
+`host`, so `/dev/kvm` works inside the cluster.
+
+Decision (2026-06-11): one shared **Android 16 (API 36) Google-emulator
+instance** runs as a privileged pod in namespace `android-emulator`
+(stack `stacks/android-emulator`), with `/dev/kvm` via hostPath, adb exposed
+LAN-only on the shared MetalLB IP (10.0.20.200:5555), and a noVNC screen view
+at android-emulator.viktorbarzin.lan. The SDK/system-image/AVD live on a PVC;
+the image is a slim manually-built shell.
+
+## Considered options
+
+- **devvm-local docker emulator** — rejected as the durable home: shared
+  24GB workstation, ~13GB free disk, per-machine, not shared across agents.
+- **Dedicated Proxmox VM** — rejected: burns scarce PVE host headroom 24/7
+  and adds a whole VM lifecycle for one emulator.
+- **redroid (container-native Android)** — rejected: requires binder kernel
+  modules on every node (documented binderfs incompatibilities), max
+  Android 15; most invasive for the least version coverage.
+- **budtmo/docker-android** — rejected: turnkey but capped at Android 14;
+  the native features driving the Android work (Live Updates, background
+  GPS) are Android 16 behaviors, matching the real target device.
+- **/dev/kvm device plugin instead of privileged** — deferred: a new
+  cluster component to avoid one namespace-scoped exclude-list entry; the
+  exclude pattern (kured/woodpecker/frigate/changedetection) already exists.
+
+## Consequences
+
+- `android-emulator` joins the Kyverno `security_policy_exclude_namespaces`
+  list (privileged allowed; registry policy also bypassed in-namespace).
+- adb is unauthenticated by design — the LB IP must remain LAN-only.
+- Single shared instance: concurrent agent sessions share Android state;
+  long destructive work should presence-claim `service:android-emulator`.
+- Rendering is swiftshader (CPU) — the contended T4 stays out of the path.
diff --git a/docs/adr/0002-all-image-builds-off-infra-gha-ghcr.md b/docs/adr/0002-all-image-builds-off-infra-gha-ghcr.md
new file mode 100644
index 00000000..24f25a6c
--- /dev/null
+++ b/docs/adr/0002-all-image-builds-off-infra-gha-ghcr.md
@@ -0,0 +1,24 @@
+---
+status: accepted
+date: 2026-06-12
+---
+
+# All owned images build off-infra on GitHub Actions and live on ghcr.io
+
+In-cluster Woodpecker buildkit builds repeatedly hurt the homelab: registry-push load OOMKilled Forgejo (2026-06-09), buildkit→Forgejo pushes ride a flaky hairpin, build IO lands on the shared sdc HDD, and the Forgejo registry PVC sat at its 50Gi ceiling with retention stuck in DRY_RUN. We decided every owned image is built by GitHub Actions and hosted on ghcr.io, extending the tripit pilot (2026-06-09) to the whole fleet: Forgejo stays the canonical git host, a one-way push-mirror feeds a GitHub mirror, and the mirror's workflow builds, pushes, then POSTs Woodpecker's API to deploy. The Forgejo container registry is decommissioned as a build target — one manual cleanup pass keeps a last-known-good tag per Service, after which nothing pushes to it.
+
+## Considered options
+
+- **GHA builds pushing back into the Forgejo registry** — keeps images home and the pull path unchanged, but keeps the exact failure mode that motivated the move (Forgejo OOM under blob-push load), keeps the PVC growth, and keeps the circular dependency where the images needed to repair the cluster live inside the cluster. Rejected.
+- **Per-repo in-cluster fallback builds** (the old `build-fallback.yml` pattern) — rejected in favour of a clean cut: a GitHub outage pauses image builds (running workloads are unaffected), and existing fallback files are deleted. The hedge against ghcr's "currently free" private storage ever being enforced is the visibility split (public images are permanently free) plus re-creating fallbacks if that day comes.
+- **Paid builders (Docker Build Cloud, Depot)** — solve a multi-arch/persistent-cache problem this fleet doesn't have (everything is linux/amd64). Rejected.
+
+## Consequences
+
+- DR improves: images survive homelab loss, so a dead cluster can pull everything it needs to come back — the same doctrine that keeps the monorepo on GitHub ("Forgejo dies with the cluster").
+- Private ghcr pulls bypass the registry VM's pull-through cache (it can't authenticate), so cold-node pulls of private images depend on GitHub availability; public images cache normally.
+- Visibility is decided per repo: public = generic tooling that passes a gitleaks/PII history scan; private = personal, financial, or legally-gray domains. A failed scan means the repo stays private — canonical history is never rewritten for publication. For interpreted languages repo visibility ≈ image visibility (the image ships the source).
+- Only private-repo builds consume GitHub free-plan minutes (~12 builders, well under the 2,000/mo free tier; usage is reviewed after rollout wave 2 before considering Pro).
+- Woodpecker becomes deploy-only; its agents never build. The Kyverno-synced `registry-credentials` stays (Forgejo git + frozen last-known-good images); a cluster-wide Kyverno-synced `ghcr-credentials` joins it.
+- Builders with no live consumer (terminal-lobby, webhook-handler, hmrc-sync, trading-bot, travel-agent, trip-planner) are decommissioned rather than migrated; travel_blog is decommissioned outright (service + CI). Any revival adopts this ADR's pattern.
+- Workflows build single-manifest images (`provenance: false`, linux/amd64 only) so registry retention never faces the orphaned-index-children failure class that broke Forgejo's cleanup.
diff --git a/docs/adr/0003-keep-forgejo-canonical-complete-mirror.md b/docs/adr/0003-keep-forgejo-canonical-complete-mirror.md
new file mode 100644
index 00000000..9e0e2192
--- /dev/null
+++ b/docs/adr/0003-keep-forgejo-canonical-complete-mirror.md
@@ -0,0 +1,30 @@
+# Keep Forgejo as the canonical forge; complete the one-way GitHub mirror instead of swapping to GitHub
+
+Status: accepted (extends ADR-0002)
+
+## Context
+
+Repo trees kept diverging between the Forgejo **Canonical repo** (`viktor/<name>`) and its **GitHub mirror**. A 2026-06-15 audit found the cause: an *incomplete rollout* of the Forgejo→GitHub push-mirror, not anything inherent to Forgejo. 14 repos carry **both** remotes and are hand-pushed to each (`push_mirrors = 0` on Forgejo — e.g. `infra`, `finance`, `Website`), so a human forgets one side and the trees drift; the ADR-0002-onboarded repos have a working one-way mirror (`push_mirrors = 1` — e.g. `tripit`, `recruiter-responder`) and never diverge. `infra/CONTEXT.md` already says Forgejo is the only place commits land and the GitHub mirror must never be a second writable remote — practice had simply drifted from the documented model.
+
+The trigger was a proposal to swap Forgejo out for GitHub entirely. The grilling reframed it: the pain (divergence) is a "two writable remotes" problem, and the stated preference is self-hosted-primary with the remote as backup.
+
+## Decision
+
+Do **not** swap to GitHub. Reaffirm and *complete* the model already in `CONTEXT.md`:
+
+- Every first-party repo has exactly **one** push target — its **Canonical repo** on Forgejo. GitHub is a one-way push-mirror (off-site backup + the source GitHub Actions builds from). **No repo is ever dual-pushed.**
+- A small, explicit set of **GitHub-first repos** are the exception (canonical lives on GitHub, outside the mirror policy): third-party clones/forks where GitHub is genuinely upstream (`jsoncrack.com`, `snmp_exporter`, `SparkyFitness`, `agent-rules-books`, `Plotting-Your-Dream-Book`) and the deliberately-public first-party `health`.
+- `infra` is reconciled into the standard model: its GitHub-only `.github/workflows/build-*.yml` are brought onto Forgejo-canonical (inert on Forgejo, active on the mirror), then the mirror is enabled — ending the deliberate divergence while keeping Woodpecker on the Forgejo forge.
+- Enforcement is **structural**: reconciled clones keep only the Forgejo remote, so there is no GitHub remote to habitually push to; the execution rule is "push to the canonical forge only, never the mirror."
+
+## Considered options
+
+- **Swap to GitHub (retire Forgejo).** Rejected: takes on a hard WAN dependency for *all* git ops — including `infra`, the repo you use to *recover* from outages — plus git-crypt secrets on GitHub as primary, a Woodpecker forge migration (WP authenticates against and watches Forgejo), and GitHub private-repo CI-minute/size limits. All to fix a problem that is actually an incomplete mirror, not Forgejo's existence. Contradicts the self-hosted-primary preference.
+- **GitHub canonical, Forgejo demoted to a DR pull-mirror.** Rejected for the same WAN-dependency and forge-migration cost; unnecessary once the real cause is understood.
+
+## Consequences
+
+- Divergence becomes structurally impossible — one push target per repo.
+- Forgejo stays load-bearing (canonical git + the Woodpecker forge), so every cost of the swap is avoided.
+- The GitHub-limits worry is neutralized: private code lives on Forgejo (unlimited, self-hosted); GitHub holds mirrors for CI + backup. (GitHub Free has unlimited private repos anyway; the real limits are GHA minutes and ~1 GB repo size — `travel_blog` at 1.4 GB is why it never went to GHA.)
+- One-time remediation is required and carries a data-loss footgun: the Forgejo→GitHub mirror **force-overwrites** GitHub, so for each currently-diverged repo, any GitHub-only commits must be merged into Forgejo **before** the mirror is enabled, or they are lost. Scope: the 14 dual-push repos + the `infra` reconciliation; all other repos are already single-remote and non-diverging.
diff --git a/docs/adr/0004-homelab-unified-cli.md b/docs/adr/0004-homelab-unified-cli.md
new file mode 100644
index 00000000..27cce02a
--- /dev/null
+++ b/docs/adr/0004-homelab-unified-cli.md
@@ -0,0 +1,30 @@
+# homelab: a unified infra-ops CLI grown in place from infra/cli
+
+Agents re-derive the same operational command boilerplate every session — mining
+51,116 bash commands across 2,225 past sessions showed dense, repeated patterns
+(the infra inner-loop alone is ~29%). We are building `homelab`, one CLI encoding
+the deterministic, repeated **actions** (not judgment) agents run — composable in
+bash, JSON-capable, and discovered progressively via `homelab manifest`. It is
+grown **in place** in `cli/` (the existing `infra-cli`), absorbing new verb-groups
+alongside the preserved legacy webhook use-cases. Versioned with a `cli/VERSION`
+file (the infra repo deploys continuously and does not cut semver tags).
+
+## Considered options
+
+- **Its own top-level repo** (the original plan) — rejected in favour of keeping
+  it where the Terraform/Terragrunt and `scripts/tg` it drives already live; the
+  Go source isn't git-crypt-encrypted and a provision-time build is unaffected by
+  GitOps continuous-deploy.
+- **A fresh CLI ignoring infra-cli** — rejected: strands the VPN/DNS/email
+  webhook use-cases.
+- **Raw kubectl/tg/ssh + skills + MCP only** — kept for everything outside the
+  recurring action surface (methodology skills; third-party/owned MCP such as
+  phpIPAM, which homelab does NOT duplicate).
+
+## Consequences
+
+- The binary is dual-purpose: the agent-facing `homelab` verb surface AND the
+  in-cluster `infra-cli` webhook image. `main()` front-dispatches homelab verbs
+  and falls through to the legacy `-use-case` path verbatim.
+- Distribution: built from source to `/usr/local/bin/homelab` during devvm
+  provisioning (`t3-dispatch` precedent), refreshed by `t3-autoupdate`.
diff --git a/docs/adr/0005-homelab-v01-scope.md b/docs/adr/0005-homelab-v01-scope.md
new file mode 100644
index 00000000..c1da7a95
--- /dev/null
+++ b/docs/adr/0005-homelab-v01-scope.md
@@ -0,0 +1,23 @@
+# homelab v0.1 scope: the infra inner-loop; everything allowed, tiers recorded
+
+v0.1 ships only the highest-volume surface — the infra inner-loop: `work`
+(worktree lifecycle), `tf` (terragrunt via `scripts/tg` + fmt/validate/
+force-unlock), and `claim`/`release` (presence) — because it is ~29% of all mined
+commands and where agents lose the most time and leak the most presence claims.
+
+v0.1 enforces **no** homelab-level permission gating: everything is allowed,
+relying on existing gates (harness permission mode, presence claims, plan
+approval). But every verb records a `read|write` tier (visible in `manifest`), so
+a PreToolUse classifier hook (auto-allow reads / prompt writes) can be added
+later with zero restructuring.
+
+## Considered options
+
+- **Reads-first vertical slice** (top read verb per domain) — lower risk, broad
+  value, but defers the toil that motivated the project.
+- **One domain deep (k8s)** — cleanest template, narrow day-one value.
+
+We chose the highest-volume-but-write-heavy infra loop deliberately, accepting
+the extra complexity (worktree lifecycle, git-crypt flag injection, presence
+coupling, branch-protection PR fallback) for the biggest immediate toil
+reduction. k8s/node/secret/net/ci verb-groups are deferred to later versions.
diff --git a/docs/adr/0006-homelab-work-and-tf.md b/docs/adr/0006-homelab-work-and-tf.md
new file mode 100644
index 00000000..fcdddc30
--- /dev/null
+++ b/docs/adr/0006-homelab-work-and-tf.md
@@ -0,0 +1,29 @@
+# homelab work/tf behaviour: native worktree entry, gated auto-land, presence-coupled apply
+
+Four behaviours of the infra-loop verbs are surprising enough to record:
+
+1. **`work` owns worktree create/land/clean, but session *entry* delegates to the
+   native harness worktree tool.** A CLI is a child process and cannot change the
+   agent's working directory; `EnterWorktree` can. So `homelab work start <topic>`
+   creates the worktree + branch off `<remote>/master` (git-crypt-aware) and
+   prints the path — the agent enters it with native `EnterWorktree({path})`.
+
+2. **`work land` is auto-land, but gated on verification.** It merges master in →
+   runs verification → pushes `HEAD:master` (fetch+merge+retry on
+   non-fast-forward) → falls back to pushing the feature branch for a PR when the
+   direct push is rejected (branch protection). It **refuses to push when it
+   cannot verify** (no `--verify-cmd` and no auto-detected suite) unless
+   `--no-verify` is passed — added after an accidental smoke-test land pushed
+   unverified WIP to master (benign: the infra CI applied 0 stacks because the
+   diff was `cli/`-only, but an unverified land must be deliberate, not default).
+
+3. **`tf apply` is first-class despite GitOps, and mandatorily presence-coupled.**
+   Local applies are out-of-band (CI applies canonically on push) but happen
+   constantly (~763× in the corpus). `tf apply <stack>` auto-claims `stack:<name>`,
+   delegates to `scripts/tg apply --non-interactive`, and **always releases on
+   exit** (normal, error, or signal via `sync.Once` + handler) — fixing the
+   documented ~200-claim leak — and prints an out-of-band reminder.
+
+4. **Known v0.1 limitation:** `work land` does not yet block on CI to green; that
+   arrives with the ci/deploy watch verb-group. It prints a reminder to follow
+   the pipeline manually.
diff --git a/docs/adr/0007-homelab-k8s-verbs.md b/docs/adr/0007-homelab-k8s-verbs.md
new file mode 100644
index 00000000..422b3431
--- /dev/null
+++ b/docs/adr/0007-homelab-k8s-verbs.md
@@ -0,0 +1,30 @@
+# homelab k8s verb-group: app→pod resolver, read/write split, config-mutation stays raw
+
+v0.2 adds the Kubernetes verb-group — the biggest remaining surface by far
+(mining the post-v0.1 corpus: 11,291 `kubectl` commands across 243 sessions, more
+than every other domain combined).
+
+It is built on an **app→namespace→pod resolver**: most namespaces hold exactly
+one app, so `<app>` defaults to the namespace, and the target defaults to
+`deploy/<app>` (kubectl resolves a pod from the Deployment). `-n`/`--pod`/`-c`/
+`-l`/`--tty` override; multi-pod namespaces (`dbaas`, `monitoring`) need
+specificity. The CLI uses the ambient kubeconfig — no per-call auth flags.
+
+Verbs: read — `status`, `get`, `logs`, `describe`, `debug` (one-shot triage),
+`pf`, `rollout-status`; write/operational — `db`, `exec`, `restart`, `rm-pod`.
+
+## Decisions worth recording
+
+- **Config-mutation verbs are deliberately NOT exposed** (`apply`/`edit`/`patch`/
+  `scale`/`create`). They stay raw `kubectl`, by design, per the repo's
+  Terraform-only policy — the corpus confirms they're low-frequency, and a
+  friendly verb would normalise a policy violation.
+- **`rm-pod` is restricted to pods/jobs only** — deleting Deployments/STS/PVCs is
+  config mutation and forbidden; the verb cannot target them.
+- **`db` encodes the dbaas exec pattern** (the single highest-value k8s
+  sub-pattern, ~886 dbaas ops): PG via `pg-cluster-rw -c postgres`,
+  `psql -U postgres -d <app>`; MySQL via `mysql-standalone-0` with a
+  `bash -c 'mysql -p"$MYSQL_ROOT_PASSWORD" …'` wrapper so the password comes from
+  the pod env and never appears on the command line.
+- Read verbs were smoke-tested against the live cluster; write verbs are
+  unit-tested (resolver, db-plan, shell-quoting) but not fired at live state.
diff --git a/docs/adr/0008-homelab-memory-verbs.md b/docs/adr/0008-homelab-memory-verbs.md
new file mode 100644
index 00000000..60f13850
--- /dev/null
+++ b/docs/adr/0008-homelab-memory-verbs.md
@@ -0,0 +1,30 @@
+# homelab memory verb-group: direct HTTP client to claude-memory; MCP deprecation path
+
+v0.3 adds the memory verb-group so agents can search and navigate memory from the
+CLI. `claude-memory` is a FastAPI service (Postgres-backed, `Bearer`-auth,
+ingress `auth = "none"` so programmatic clients work) — the **MCP is just one
+frontend over it**. `homelab memory` is a thin HTTP client over the same API,
+using the env the hooks already set (`CLAUDE_MEMORY_API_URL` +
+`CLAUDE_MEMORY_API_KEY`; defaults to the ingress). Because it talks to the HTTP
+API directly, it **works even when the MCP frontend is down** — the recurring
+MCP-disconnect problem that motivated claude-memory HA (and that took the MCP
+offline for the entire session this was built in).
+
+Verbs: `recall` (server-side semantic ranking), `list`, `categories`, `tags`,
+`stats`, `secret` (read); `store`, `update`, `delete` (write). Validated against
+the live API including a store→recall→delete round-trip — full data-plane parity
+with the MCP.
+
+## Deprecation path (deliberate follow-up — NOT done in v0.3)
+
+The MCP is more than tools: the **per-prompt auto-recall hook** and the
+**auto-learn hook** run on every prompt for every agent. Deprecating it safely is
+a separate, sequenced change:
+
+1. Rewire the auto-recall hook to `homelab memory recall` and the auto-learn hook
+   to `homelab memory store`.
+2. Update the CLAUDE.md memory policy to point at the CLI.
+3. Uninstall the MCP.
+
+Done CLI-first (verbs proven before touching the every-prompt path) so a
+regression can't silently break auto-recall/auto-learn fleet-wide.
diff --git a/docs/adr/0009-homelab-ci-deploy-verbs.md b/docs/adr/0009-homelab-ci-deploy-verbs.md
new file mode 100644
index 00000000..51399997
--- /dev/null
+++ b/docs/adr/0009-homelab-ci-deploy-verbs.md
@@ -0,0 +1,29 @@
+# homelab ci/deploy verbs: API-based watch, internal-LB dialer, work-land integration
+
+v0.4 adds `ci`/`deploy` — the biggest *reasoning* sink in agent sessions (watching
+a build/deploy to completion), proven during the session that built it (hours
+spent hand-rolling Woodpecker API polling, DB-schema reverse-engineering, and
+retrigger logic for a single CI incident).
+
+## Decisions
+
+- **API, not DB.** The verbs query the Woodpecker REST API (version-stable),
+  not its Postgres schema (which drifts across upgrades — column renames bit us
+  mid-incident). Reached via the internal Traefik LB by dialing `10.0.20.203`
+  while keeping SNI/Host = `ci.viktorbarzin.me` so the cert verifies (the Go
+  equivalent of the house `curl --resolve` pattern). Token from
+  `WOODPECKER_TOKEN` or Vault `secret/ci/global`; repo id resolved from the cwd
+  git remote via `/api/repos/lookup/<owner>/<repo>`.
+- **Retries are mandatory.** The Woodpecker API intermittently returns empty/5xx
+  under load (it flapped through the whole build session); `getJSON` retries
+  empties with backoff so `ci watch` is reliable exactly when it's needed.
+- **`work land` now waits for CI.** After pushing, `work land` calls `ci watch`
+  on the landed commit and fails if the pipeline does — closing the gap ADR-0005
+  deferred. `--no-ci-watch` opts out.
+- **`deploy wait` encodes the "rollout status lies" rule:** it first waits for
+  the deployment image to reference the expected sha, *then* blocks on rollout
+  status (kubectl-based; reuses the k8s helpers).
+- **`ci logs` deferred to v0.4.1.** Woodpecker's per-pipeline detail/log
+  endpoints were the least reliable this session (often empty); `status`/`watch`
+  rely on the list endpoint that works. A DB-backed `ci logs` is a possible
+  follow-up if the API path stays flaky.
diff --git a/docs/adr/0010-homelab-net-obs-verbs.md b/docs/adr/0010-homelab-net-obs-verbs.md
new file mode 100644
index 00000000..29a94a46
--- /dev/null
+++ b/docs/adr/0010-homelab-net-obs-verbs.md
@@ -0,0 +1,37 @@
+# homelab net/dns/metrics/logs verbs: endpoint resolution as the unit of value
+
+v0.5 adds `net`/`dns`/`metrics`/`logs`. These were chosen against an explicit
+test the user posed mid-build: *does the verb save reasoning, or only typing?* A
+wrapper over a command already known fluently (plain `ssh`, `vault kv get`) saves
+keystrokes but not thought. These four save thought — the reasoning they encode
+is **which endpoint, reached how, with what auth/URL shape** — re-derived every
+time otherwise. (That same test deprioritized `node ssh` aliasing and `secret
+get`, which are thin wrappers; see the session discussion.)
+
+## Decisions
+
+- **Internal ingresses, reached via the LB.** Everything routes through the
+  Traefik LB by dialing `10.0.20.203` with the URL host preserved as SNI — the
+  Go form of the house `curl --resolve host:443:10.0.20.203` pattern
+  (`probe.go: clientDialingIP`). Verified live before building: Prometheus
+  (`prometheus-query.viktorbarzin.lan`) and Loki (`loki.viktorbarzin.lan`) both
+  answer JSON over the LB with **no auth gate and no port-forward** — so these
+  stay clean HTTP clients, not kubectl wrappers.
+- **`net check` is two-legged on purpose.** It resolves the host via public DNS
+  (→ Cloudflare) AND dials the internal LB, reporting both — because the useful
+  question is *where* a break is (CF edge vs the app vs the LB path), which a
+  single curl can't answer. The external leg forces public resolution (the devvm
+  resolver is split-horizon and would otherwise hit the LB for both).
+- **`metrics alerts` uses the `ALERTS` series, not `/api/v1/alerts`.**
+  `prometheus-query.*` is a query-only frontend (404 on `/api/v1/alerts`), and
+  Alertmanager has no LB ingress (the alert-digest reads it in-cluster). Firing
+  alerts are exposed as the synthetic `ALERTS{alertstate="firing"}` time series,
+  queryable through the working endpoint — so no new dependency.
+- **Deliberately NOT built:** in-cluster-only endpoints (Alertmanager v2,
+  raw `*.svc` services) that would force port-forward/`kubectl run`. The
+  reasoning-savings there don't beat the added moving parts; kept out of scope.
+- **No `node`/`secret` group.** Same test: their high-volume parts are
+  command-wrappers (low savings); only compound node ops (serial console, VM
+  wait, fan-out) would qualify, and those are lower-frequency. Left unbuilt
+  unless a concrete pain surfaces — the high-value deterministic surface
+  (tf/work/ci/k8s/memory + these probes) is now covered.
diff --git a/docs/adr/0011-homelab-usage-telemetry.md b/docs/adr/0011-homelab-usage-telemetry.md
new file mode 100644
index 00000000..c383211b
--- /dev/null
+++ b/docs/adr/0011-homelab-usage-telemetry.md
@@ -0,0 +1,34 @@
+# homelab usage telemetry: evidence-driven verb prioritization, privacy by construction
+
+v0.6 adds `usage top` plus a fire-and-forget emit on every dispatched verb. It
+exists to answer the question that drove the whole CLI — *which verbs are worth
+adding next* — with data instead of one maintainer's habits (the earlier mining
+covered a single user's ~51k commands, so the surface is shaped to that user).
+
+## Decisions
+
+- **Emit on dispatch, in `dispatch()`.** The longest-prefix match already knows
+  the verb path; after `Run` returns we emit `{verb, exit}`. Discovery verbs
+  don't go through `dispatch()` (`manifest`/`version`/`help` are handled in
+  `dispatchTop`), so they don't self-record; `usage *` is skipped explicitly so
+  the analytics reader doesn't pollute its own data.
+- **Payload is deliberately minimal: verb path + exit code only.** Labels
+  `{job=homelab-usage, user, verb}` (all low-cardinality) + line `exit=N ver=X`.
+  **No args, paths, flags, hostnames, or secrets** ever leave the process — the
+  emit sees only the matched verb name, not the arguments. This is what makes
+  cross-user aggregation safe.
+- **Shared Loki sink → cross-user analytics WITHOUT reading homes.** Each user's
+  CLI writes its own invocations (attributed to its OS user) to the shared Loki
+  push API via the Traefik LB (verified: HTTP 204, no auth). `usage top` reads
+  back with a LogQL metric query. This is the privacy-preserving resolution to
+  "what does everyone (e.g. another user) use" — it never touches anyone's
+  `~/.claude`, which the org per-user policy bars (see the per-user red-line in
+  managed-settings; reading another user's home is off-limits even for an owner
+  in-session — a fresh session under changed MDM policy is the only legitimate
+  path, and even then this telemetry is the better answer).
+- **Best-effort, never affects the command.** All errors swallowed; an 800ms
+  client timeout bounds the cost; opt-out via `HOMELAB_TELEMETRY=0`. Telemetry
+  must never slow or break the tool it measures.
+- **Loki, not a new datastore.** Zero new infra, and it dogfoods the v0.5 `logs`
+  path (same host, same LB dial). Presence MySQL was the alternative (queryable
+  SQL) but would add a write dependency and creds; Loki needs neither.
diff --git a/docs/adr/0012-homelab-ha-verbs.md b/docs/adr/0012-homelab-ha-verbs.md
new file mode 100644
index 00000000..379f8ee5
--- /dev/null
+++ b/docs/adr/0012-homelab-ha-verbs.md
@@ -0,0 +1,54 @@
+# homelab Home Assistant verbs: token resolution + host SSH, not entity control
+
+v0.7 adds `ha token` and `ha ssh`. They were chosen by mining a heavy HA
+operator's sessions: across ~1,900 shell commands the single most-repeated line
+(420×) was a hand-rolled `kubectl … | base64 -d | python -c '…token'` pipeline,
+and a bespoke `ssh -o StrictHostKeyChecking=no -o …` invocation was redefined as
+a shell function ~30× — both re-derived from scratch every session. The existing
+`home-assistant-sofia.py` already covers the *API*, but it goes unused from an
+arbitrary cwd (it needs `HOME_ASSISTANT_SOFIA_TOKEN` set and is referenced by a
+cwd-relative path), so agents bypassed it. A global verb on `$PATH` closes that
+gap for every user in every directory.
+
+## Decisions
+
+- **Only the two gaps the `ha` MCP can't fill.** The `ha` MCP server already
+  does entity state and control (`get_state`, `call_service`, history, logs).
+  Per the CLI's founding rule — *MCP-encoded actions are out of scope* (ADR-0004)
+  — we do **not** reimplement `on`/`off`/`list`/`state`. We add only token
+  *resolution* and host *SSH*, neither of which an API-only MCP can provide. The
+  value is endpoint/secret/host resolution, exactly like `net`/`dns` (ADR-0010).
+- **`ha token` resolves live from the cluster, not from an env var.** It reads
+  the dedicated k8s Secret `openclaw/ha-tokens` (one key per instance: `sofia` /
+  `london`) via the ambient kubeconfig. This is robust to env drift — the precise
+  failure that made agents re-derive the pipeline. Read-tier, prints the bare
+  token to stdout so it composes in `$(…)`, mirroring `memory secret`.
+- **The token is split into its own least-privilege secret** (`stacks/openclaw/ha_tokens.tf`).
+  It was originally read from `openclaw-secrets` → `skill_secrets` (a JSON blob
+  also holding `slack_webhook` + `uptime_kuma_password`), which only cluster
+  admins can read — so the verb hung/failed for the non-admin operator it was
+  built for (emo = `emil.barzin@gmail.com`, group `Home Server Admins`, whose
+  OIDC identity is barred from secrets in `openclaw`). `ha-tokens` carries only
+  the HA tokens, with a Role+RoleBinding granting `get` on *just that secret* to
+  the `Home Server Admins` group (k8s RBAC can't scope to a JSON sub-key, hence
+  the separate object). openclaw's own deployment keeps reading `openclaw-secrets`
+  — this is purely additive.
+- **`ha ssh` is deterministic and per-user.** Flags are fixed for unattended
+  use: `-F /dev/null` (ignore user ssh-config), `StrictHostKeyChecking=no` +
+  `UserKnownHostsFile=/dev/null` (no host-key prompt/record — agents have no
+  TTY), `BatchMode=yes` + `ConnectTimeout=10` (fail fast, never hang). The key
+  is the **invoking user's** `~/.ssh/id_ed25519`, so the verb isn't tied to
+  whoever first wrote the workflow; that user's key must be enrolled on the HA
+  host. Write-tier (runs an arbitrary remote command).
+- **sofia is the default; london is structural.** The devvm sits on the Sofia
+  LAN, so `vbarzin@192.168.1.8` is reachable and is the default instance. london
+  (`hassio@192.168.8.103`) is in the instance map so `ha token --instance london`
+  works (a pure secret read), but `ha ssh --instance london` generally won't
+  connect from here — london is remote. We model it correctly rather than
+  pretend it's reachable.
+- **Scope held at two verbs.** `ha api` (an authenticated curl passthrough for
+  the endpoints the MCP/script don't cover — `/api/template`, `/reload`,
+  `check_config`, `/error_log`) was deferred: once `ha token` exists, raw curl is
+  already unblocked, and a generic passthrough overlaps the MCP. Re-measure via
+  `usage top` (ADR-0011); add targeted sugar verbs only if those endpoints are
+  still hand-rolled often.
diff --git a/docs/adr/0013-homelab-browser-verbs.md b/docs/adr/0013-homelab-browser-verbs.md
new file mode 100644
index 00000000..bba4e8e7
--- /dev/null
+++ b/docs/adr/0013-homelab-browser-verbs.md
@@ -0,0 +1,75 @@
+# homelab browser verbs: headful (anti-bot) web automation via cluster Chrome
+
+v0.8 adds `browser run`, `browser open`, and `browser --help`. They package a
+capability that already existed but was undiscoverable: driving the cluster's
+**headful** Chrome (`chrome-service` — real Chrome under Xvfb, CDP on
+`svc/chrome-service:9222`) from the devvm, for sites that detect and block
+headless automation.
+
+## Motivating incident (2026-06-22)
+
+Logging a washing-machine repair on the Stirling Ackroyd **Fixflo** tenant
+portal: the headless `@playwright/mcp` browser loaded the site and filled the
+entire multi-step form, but the **final submit silently failed** — Fixflo's
+pre-submit `POST /IssuePreCreationCheck` returned `net::ERR_FILE_NOT_FOUND`, the
+spinner hung, no issue was created. Root cause = headless-Chrome detection. The
+fix was to drive the headful `chrome-service` over `connect_over_cdp` — it
+submitted first try (Fixflo ref IS22657587). That capability was documented
+(`docs/architecture/chrome-service.md`) but **not packaged or discoverable**, so
+it took ~40 min, three redundant full form re-runs, and a user hint. The agent
+also misread `ERR_FILE_NOT_FOUND` as "network egress" and retried blind instead
+of inspecting the network panel.
+
+## Decisions
+
+- **Mechanics in `homelab`, not a `~/.claude` skill.** A standalone skill was
+  rejected: the CLI is run every session (so the verb is *discoverable*), is
+  versioned, multi-user, and test-covered. A private, untested skill is none of
+  those. The command owns only the deterministic *mechanics* (port-forward,
+  stealth injection, lifecycle) — the agent supplies the Playwright script, so
+  *judgment* stays out of the CLI (the founding rule, ADR-0004/0005).
+- **The failure was judgment, not setup friction**, so the CLI is paired with a
+  one-line pointer in always-in-context `~/code/CLAUDE.md` and a diagnostic
+  payload in `browser --help`: the *when-to-use* signature (a site loads but a
+  gated action fails/hangs, or one request 500s/aborts while siblings 200 →
+  suspect headless detection) and an error-code cheat-sheet (`ERR_FILE_NOT_FOUND`
+  = request resolved/intercepted by the automation layer, **not** egress;
+  egress failures are `ERR_CONNECTION_REFUSED`/`_TIMED_OUT`/`_NAME_NOT_RESOLVED`
+  and would break the page load too). A command the agent doesn't think to run is
+  useless; the cheat-sheet is the actual fix for the misdiagnosis.
+- **Reach the pod via `kubectl port-forward`, then `connect_over_cdp` to
+  localhost.** port-forward tunnels API-server→pod, so it **bypasses the `:9222`
+  NetworkPolicy** that gates in-cluster callers — the devvm needs no namespace
+  label. Readiness is asserted against `/json/version`: the endpoint must report
+  a real `Chrome/…`, never `HeadlessChrome` (the whole point). The forward is
+  **always** torn down (process-group kill + signal handler), on success and on
+  error — an acceptance requirement.
+- **Default to a fresh incognito context; `--shared-context` opts into the warmed
+  profile.** chrome-service is a single shared browser with a persistent profile.
+  A fresh, always-closed context is safe for concurrent callers (tripit's fare
+  scrape connects per-quote) and is what production already does. The warmed
+  persistent profile (cookies from a manual noVNC login) is opt-in for flows that
+  need a pre-logged-in session.
+- **Pin the node CDP client to `playwright-core@1.48.2`** to match the
+  chrome-service image minor (`mcr.microsoft.com/playwright:v1.48.0-noble`,
+  Chromium 130). `connect_over_cdp` speaks the browser's CDP, and protocol
+  changes between Playwright minors — the devvm's ambient Python Playwright was
+  1.58, a 10-minor skew. The pin makes behaviour deterministic across the fleet
+  regardless of local drift. `playwright-core` (not `playwright`) because no
+  browser binary is needed — we connect to the remote one.
+- **Self-provision the client lazily, no per-user setup.** The pinned client is
+  installed once into `~/.cache/homelab/browser-client/` (idempotent, version-
+  guarded) on first use, alongside the embedded runner + stealth files. node is
+  already fleet-wide; this avoids coupling the feature to a provisioner change
+  and keeps it self-contained and self-healing. The client runs on the devvm, so
+  `setInputFiles` streams local files to the remote browser over CDP — no
+  `chmod`/staging-dir workaround on the CDP path.
+- **Vendor `stealth.js`, guard against drift.** The CLI embeds a byte-for-byte
+  copy of `stacks/chrome-service/files/stealth.js` (the source of truth the
+  in-cluster callers use) via `go:embed`; a unit test fails if the copy drifts.
+  `go:embed` can't reach outside the package dir, hence the vendored copy rather
+  than a path reference.
+- **Scope held at two action verbs + help.** `run` (arbitrary script — the
+  workhorse) and `open` (navigate + title/text/screenshot — a quick check) cover
+  the surface. Both are write-tier; the bare `browser`/`--help` is read. Re-measure
+  via `usage top` (ADR-0011) before adding more.
diff --git a/docs/adr/0014-service-identity-and-east-west-observability.md b/docs/adr/0014-service-identity-and-east-west-observability.md
new file mode 100644
index 00000000..5eb1c83a
--- /dev/null
+++ b/docs/adr/0014-service-identity-and-east-west-observability.md
@@ -0,0 +1,29 @@
+---
+status: accepted
+date: 2026-06-24
+---
+
+# Service identity is namespace + label; east-west observability via Calico Goldmane; no service mesh
+
+As the Service count grows we want an audit-grade record of which Service talks to which — the "service mesh evaluation" `docs/plans/2026-04-20-infra-audit-design.md` flagged as never done ("worth a design doc even if the answer is no, too much complexity for the gain"). We evaluated the full design space against two constraints: the trust model is a single-tenant cluster needing **attribution-grade** forensics (reconstruct events in a cluster we trust), not cryptographic non-repudiation against a hostile pod; and we are acutely **etcd-constrained** (we removed VPA/Goldilocks for exactly this, and carry open beads `code-oflt`/`code-at4f` on etcd starvation). Decision: **service identity = the workload's namespace** (primary; Goldmane stamps it natively and "one Service ≈ one namespace" holds for ~87 of our namespaces), refined by an explicit `service-identity` label only in the few genuinely multi-Service namespaces (`monitoring`, `kube-system`, `dbaas`). **East-west observability = Calico 3.30 Goldmane + Whisker** (already in our Calico v3.30.7, currently `enabled = false` in `stacks/calico/main.tf`), with Goldmane's emitter shipping flows to **Loki** for a durable trail. **Enforcement reuses the existing Wave 1 observe-then-enforce egress track**, now selecting on namespace/label and fed by Goldmane's allow/deny + policy-trace flows. We explicitly **reject** a service mesh, mTLS, SPIFFE/SPIRE, and dedicated per-Service ServiceAccounts for now.
+
+## Considered options
+
+- **Dedicated per-Service ServiceAccount as the identity primitive** — initially chosen, then reversed. 56% of pods (257/458) run as `default`, so it is a ~116-stack rollout; and Goldmane (the chosen flow source) carries pod/namespace/workload **labels but no ServiceAccount field**, so SAs would not even reach the audit trail without a custom pod→SA mapping. The cheaper, etcd-inert path (namespace is free; a handful of static labels) delivers the same attribution. Deferred until identity-aware NetworkPolicy needs a principal finer than namespace/label, or mTLS is adopted.
+- **Service mesh (Istio / Linkerd / Cilium-mesh) + mTLS + SPIFFE/SPIRE** — the only thing that makes the trail cryptographically non-repudiable against a hostile pod. The trust model does not justify it, east-west stays single-tenant plaintext, and it is precisely the "too much complexity for the gain" the audit doc predicted. Rejected.
+- **Microsoft Retina (CNI-agnostic eBPF)** — more capable (DNS, drops, Hubble UI) and GA, runs on Calico without a CNI change. But identity-rich mode writes **one `RetinaEndpoint` CRD per pod to etcd** (continuous, pod-proportional churn — the exact axis we guard), and it is metrics-first, not log-first (no per-flow Loki records without custom glue). Rejected for this use case; noted as the fallback if DNS/drop-level detail is ever needed.
+- **Cilium Hubble** — reads Cilium's eBPF datapath maps; unusable on Calico without migrating the CNI. A CNI migration is not justified. Rejected.
+- **Kiali** — builds its graph entirely from an Istio mesh's Prometheus telemetry; no mesh, no graph. Rejected.
+- **Custom Grafana Alloy enrichment exporter over raw iptables-`LOG` flow lines** — Alloy has no IP→identity dictionary-lookup primitive (`loki.process` lacks a lookup stage; `k8sattributes` can't do per-line/dual-IP association), so this is a multi-day custom build that also has to beat pod-IP churn. Goldmane delivers identity-stamped flows natively and obviates it. Rejected.
+- **Kyverno generate+mutate to provision/assign identity** — rejected on etcd grounds: background scans + PolicyReports + UpdateRequests are continuous writes, the VPA-class cost we shed. Identity stays static.
+
+## Consequences
+
+- **No etcd cost from the flow plane.** Goldmane streams flows from Felix (the existing `calico-node` DaemonSet) over gRPC into a ~60-minute in-memory ring buffer — nothing written to etcd or the K8s API. Steady-state cost is two Deployments (`goldmane`, `whisker`) + RAM/CPU on the goldmane pod.
+- **The ring buffer is not a trail.** Durable, queryable history depends on the emitter→Loki path (reuse the 90-day security-stream retention); on a Goldmane restart the in-memory window is lost.
+- **Goldmane is tech-preview** in OSS Calico 3.30 — the main risk. Enabling it is a reversible toggle in `stacks/calico/main.tf`, but the toggle interacts with the operator-managed Installation CR (only namespaces are TF-adopted today; verify how Goldmane/Whisker are enabled before applying).
+- **Attribution is namespace-grained for free** across ~87 single-Service namespaces. Multi-Service namespaces (`monitoring`, `kube-system`, `dbaas`) need a `service-identity` label to disambiguate; most are platform/infra and already on the Wave 1 enforcement exclude list.
+- **The trail is attribution-grade, not cryptographic.** It reliably reconstructs events in a trusted cluster but cannot prove identity against a pod that spoofs its source — an accepted limit of the trust model. This ADR does not change the east-west encryption posture (still plaintext, no mTLS).
+- **Enforcement gains a better data source.** Goldmane's allow/deny + policy-trace flows build the Wave 1 empirical egress allowlist faster than the current iptables-`LOG`→journald→Loki path, and policies select on namespace/label with no SA dependency.
+- **New ubiquitous language** recorded in `CONTEXT.md`: **Service identity** and **Goldmane / Whisker**.
+- **Revisit triggers:** adopt dedicated per-Service SAs if identity-aware NetworkPolicy needs a principal finer than namespace/label, or if mTLS is ever required; reconsider Retina if DNS/drop-level flow detail becomes necessary.
diff --git a/docs/architecture/authentication.md b/docs/architecture/authentication.md
index 6806cd35..9decc8dc 100644
--- a/docs/architecture/authentication.md
+++ b/docs/architecture/authentication.md
@@ -40,10 +40,10 @@ graph TB
 
 | Component | Version | Location | Purpose |
 |-----------|---------|----------|---------|
-| Authentik Server | 2026.2.2 | `stacks/authentik/` | Core IdP application servers (2 replicas) |
+| Authentik Server | 2026.2.2 | `stacks/authentik/` | Core IdP application servers (3 replicas) |
 | Authentik Worker | 2026.2.2 | `stacks/authentik/` | Background task processors (2 replicas) |
 | PgBouncer | Latest | `stacks/authentik/` | PostgreSQL connection pooler (3 replicas) |
-| Embedded Outpost | - | Built into Authentik | Forward auth endpoint for Traefik |
+| Embedded Outpost | - | Standalone deployment, managed by Authentik | Forward auth endpoint for Traefik (2 replicas, PG-backed sessions) |
 | Traefik ForwardAuth | - | `modules/kubernetes/ingress_factory/` | Middleware attached when `auth = "required"` or `"public"` |
 | Vault OIDC Method | - | `stacks/vault/` | Human SSO authentication to Vault |
 | Vault K8s Auth | - | `stacks/vault/` | Service account JWT authentication |
@@ -64,15 +64,36 @@ Services pick an auth tier via the `auth` enum on the `ingress_factory` module (
 When `auth = "required"`, an unauthenticated request flows:
 
 1. Request hits Traefik ingress
-2. ForwardAuth middleware calls Authentik embedded outpost
-3. Authentik checks for valid session cookie
+2. ForwardAuth middleware calls the `auth-proxy` nginx (basicAuth fallback when Authentik is down), which proxies to the Authentik embedded outpost over a keepalive connection pool
+3. Authentik checks for valid session cookie (domain-level `authentik_proxy_*` cookie on `.viktorbarzin.me`, 4-week validity — one cookie covers all forward-auth apps)
 4. If missing/invalid, redirects to Authentik login page (authentik.viktorbarzin.me)
-5. User authenticates via social provider (Google/GitHub/Facebook)
+5. User authenticates on a **single screen**: username + password together (the identification stage embeds the password stage), or a social provider button (Google/GitHub/Facebook), then MFA validation
 6. Authentik creates session, sets cookie, redirects back to original URL
 7. Subsequent requests include session cookie, pass auth check, reach backend
 
 Authentik adds authentication headers (user, email, groups) to forwarded requests. These headers are stripped before reaching the backend to prevent confusion.
 
+### First-time signin performance (2026-06-10)
+
+Signin latency is dominated by screen count and round trips, not server time
+(DB avg 1.6ms). Standing decisions:
+
+- **Single-screen login**: the identification stage carries `password_stage`,
+  so username+password is one round trip. The separate password-stage binding
+  was removed from `default-authentication-flow` (required by authentik when
+  embedding). Pinned in TF: `authentik_stage_identification.default_identification`.
+- **Implicit consent everywhere**: all OIDC providers are first-party, so none
+  use the explicit-consent flow (it re-prompted every 4 weeks per app).
+- **Live tuning via `server.env`/`worker.env`** (the `authentik.*` Helm values
+  are inert due to `existingSecret`): 3 gunicorn workers, 30m flow-plan cache,
+  15m policy cache, 60s persistent DB connections.
+- **Static assets cached immutable**: `/static` ingress carve-out adds
+  `Cache-Control: public, max-age=31536000, immutable` (assets are
+  version-fingerprinted; authentik itself sends no max-age).
+- **Outpost**: 2 replicas, `log_level=info` (was 1 replica at `trace`).
+- **auth-proxy nginx**: upstream `keepalive 32` + HTTP/1.1 — no per-request
+  TCP setup on the forward-auth subrequest path.
+
 **Anti-exposure guard**: every `auth = "app"` or `auth = "none"` line MUST have a preceding `# auth = "<tier>": <reason>` comment documenting what gates the backend (for `"app"`) or why the endpoint is intentionally public (for `"none"`). The convention is enforced by `scripts/check-ingress-auth-comments.py`, which `scripts/tg` runs on every `plan/apply/destroy/refresh` and blocks the terragrunt invocation if violated. Stack-scoped — each stack documents itself.
 
 ### Social Login & Invitation Flow
diff --git a/docs/architecture/automated-upgrades.md b/docs/architecture/automated-upgrades.md
index 5d8b1c9e..c0200d84 100644
--- a/docs/architecture/automated-upgrades.md
+++ b/docs/architecture/automated-upgrades.md
@@ -4,7 +4,7 @@ This doc covers three independent automation paths:
 
 1. **Service-level upgrades** — Container image bumps for OSS apps (DIUN → n8n → claude-agent → Terraform). Most of this doc.
 2. **OS-level upgrades on K8s nodes** — `unattended-upgrades` + `kured` with sentinel-gate + Prometheus halt-on-alert. See "K8s Node OS Upgrades" section and the runbook at `docs/runbooks/k8s-node-auto-upgrades.md`.
-3. **K8s component version upgrades** (kubeadm/kubelet/kubectl) — weekly detection CronJob → chain of phase Jobs (preflight → master → worker × 4 → postflight). See "K8s Version Upgrades" section and the runbook at `docs/runbooks/k8s-version-upgrade.md`.
+3. **K8s component version upgrades** (kubeadm/kubelet/kubectl) — daily detection CronJob → chain of phase Jobs (preflight → master → one worker Job per worker, enumerated live → postflight). See "K8s Version Upgrades" section and the runbook at `docs/runbooks/k8s-version-upgrade.md`.
 
 ## Overview
 
@@ -252,7 +252,7 @@ kubeadm/kubelet/kubectl bumps (patch + minor) on all 5 K8s VMs.
 ### Architecture
 
 ```
-k8s-version-check CronJob   (Sun 12:00 UTC, k8s-upgrade ns)
+k8s-version-check CronJob   (23:00 UTC nightly, k8s-upgrade ns)
   │ probe apt-cache madison kubeadm (master) → latest available patch
   │ probe HEAD https://pkgs.k8s.io/.../v<NEXT_MINOR>/deb/Release → next minor?
   │ push k8s_upgrade_available metric to Pushgateway
@@ -262,20 +262,26 @@ envsubst on /template/job-template.yaml | kubectl apply -f -
   │ spawns Job 0 = k8s-upgrade-preflight-<target_version>
   ▼
 
-Job 0 — preflight       (pinned: k8s-node1)
-Job 1 — master upgrade  (pinned: k8s-node1)        drains k8s-master
-Job 2 — worker          (pinned: k8s-node1)        drains k8s-node4
-Job 3 — worker          (pinned: k8s-node1)        drains k8s-node3
-Job 4 — worker          (pinned: k8s-node1)        drains k8s-node2
-Job 5 — worker          (pinned: k8s-master)       drains k8s-node1  ← control-plane toleration
-Job 6 — postflight      (no pinning)
+Job 0 — preflight       (pinned: first worker)
+Job 1 — master upgrade  (pinned: first worker)     drains k8s-master
+Job 2..N — worker       (pinned: k8s-master)       drains each worker still off-target
+                                                   ← control-plane toleration; one Job
+                                                     per worker, enumerated live from
+                                                     `kubectl get nodes` (covers node5/6
+                                                     + any future node automatically)
+Job N+1 — postflight    (no pinning)
 ```
 
 Each Job runs `scripts/upgrade-step.sh`, which dispatches on `$PHASE` and ends
 by spawning the next Job (`envsubst < /template/job-template.yaml | kubectl
 apply -f -`). Job names are deterministic (`k8s-upgrade-<phase>-<target_version>[-<node>]`)
-so `apply` reconciles to a single Job per run — re-running a failed Job
-won't duplicate downstream Jobs.
+so `apply` reconciles to a single Job per run — re-running won't duplicate
+downstream Jobs. The detection CronJob and `spawn_next` additionally delete +
+re-spawn a terminally-**Failed** Job of the same name (rather than skipping it
+on existence), so a transient preflight gate self-heals on the next cycle
+instead of wedging the pipeline until the dead Job's 7d TTL expires
+(retry-on-failure, added 2026-06-17 after a spurious critical alert stalled
+1.34.9 for 5 days).
 
 ### Self-preemption history (the reason for the Job-chain rewrite)
 
@@ -304,11 +310,16 @@ each Job's pod and its drain target are always different nodes.
   ConfigMap, and a `template` ConfigMap into each Job pod.
 - **Per-node script**: `infra/scripts/update_k8s.sh`. Caller passes
   `--role master|worker --release X.Y.Z`. Piped via SSH into each node by
-  upgrade-step.sh.
-- **Three Upgrade Gates alerts**:
+  upgrade-step.sh. The master path runs `kubeadm upgrade apply` with
+  `--ignore-preflight-errors=CoreDNSMigration,CoreDNSUnsupportedPlugins
+  --skip-phases=addon/coredns` so kubeadm never touches CoreDNS (custom Corefile
+  + separately-tracked image; CoreDNS is pinned off Keel via `keel.sh/policy=never`).
+  See the runbook's "CoreDNS is NOT upgraded by kubeadm here".
+- **Four Upgrade Gates alerts**:
   - `K8sVersionSkew` — kubelet/apiserver `gitVersion` count >1 for 30m. Catches a half-done rollout.
   - `EtcdPreUpgradeSnapshotMissing` — `k8s_upgrade_in_flight==1 && k8s_upgrade_snapshot_taken==0` for 10m. Catches preflight failing silently.
   - `K8sUpgradeStalled` — `k8s_upgrade_in_flight==1 && time()-k8s_upgrade_started_timestamp > 5400` for 5m. Catches a chain Job dying without spawning its successor.
+  - `K8sUpgradeChainJobFailed` — `(kube_job_status_failed{namespace="k8s-upgrade",job_name=~"k8s-upgrade-(preflight|master|worker|postflight)-.*",reason=~"BackoffLimitExceeded|DeadlineExceeded"} > 0) unless on() (k8s_upgrade_blocked == 1)` for 15m (warning). Catches a phase Job that terminally failed **before `in_flight` was set** (the preflight gates exit pre-metric) — invisible to the two `in_flight`-based alerts above; this was the blind spot behind the 5-day 1.34.9 preflight wedge. Reason-scoped so a retry-success doesn't false-positive (and so it doesn't needlessly block kured). The `unless k8s_upgrade_blocked == 1` clause (2026-06-21) excludes a deliberate compat-gate refusal (owned by `K8sUpgradeBlocked`) so a block doesn't double-fire as a wedge.
 - **Pushgateway metrics**:
   - `k8s_upgrade_in_flight` (set in preflight, cleared in postflight)
   - `k8s_upgrade_snapshot_taken` (set after etcd snapshot Job completes with ≥1 KiB)
@@ -334,7 +345,7 @@ The cluster has a single control plane (no HA). A failed `kubeadm upgrade apply`
 
 - **Mandatory etcd snapshot before every run** (even patch). Recovery point if master breaks.
 - **Halt-on-alert before every drain**. Reuses the same Prometheus ignore-list regex kured uses — any unrelated cluster-health alert blocks. Three gate alerts catch upgrade-specific half-states (version skew, missing snapshot, stalled chain).
-- **Job pinning eliminates self-preemption**. Each Job's pod runs on a node that is NOT its drain target. k8s-node1 hosts every Job except the one that drains it (which runs on k8s-master with a control-plane toleration).
+- **Job pinning eliminates self-preemption**. Each Job's pod runs on a node that is NOT its drain target: the master-drain Job runs on the first worker; every worker-drain Job runs on k8s-master (already upgraded, control-plane toleration). The worker set is enumerated live from `kubectl get nodes`, so new nodes are covered with no script change; SSH targets are node InternalIPs (no DNS dependency).
 - **Sequential workers with 10-min inter-node soak**. Same risk-bounding as the 24h OS-reboot soak, but tightened because kubelet failures surface within minutes — not hours.
 - **Master upgrade goes first, workers last**. If master breaks, the cluster is already degraded so further worker upgrades would just delay recovery. By upgrading master first, we either succeed (workers can roll afterward) or fail loud (operator triages before any worker is touched).
 - **No auto-rollback**. kubeadm doesn't support clean downgrade; the snapshot + manual apt rollback in the runbook is the recovery path.
diff --git a/docs/architecture/backup-dr.md b/docs/architecture/backup-dr.md
index 60c1c77d..c4d0092f 100644
--- a/docs/architecture/backup-dr.md
+++ b/docs/architecture/backup-dr.md
@@ -77,6 +77,8 @@ The **bypass list** (leg 2) is just `/srv/nfs/immich/` — too big for sda (1.5
   - `Synology/Backup/Viki/nfs/` — immich only (post-2026-05-26)
   - `Synology/Backup/Viki/nfs-ssd/` — **immich-ML only (2026-06-01)**; ollama/llamacpp dropped (re-pullable models, live-only on the SSD)
 
+**VM image backups (added 2026-06-09)**: the hand-managed Linux VMs (those NOT in Terraform — see `compute.md`) were historically **not imaged at all** — only their *contents* reached backup if they happened to host a PVC/NFS path. `vzdump-vms` now takes a daily live `vzdump --mode snapshot` of each configured VMID → `/mnt/backup/vzdump/` (Copy 2), carried offsite by the monthly offsite-sync full pass (Copy 3). **Currently enabled for VMID 102 (devvm)** — the shared workstation, whose per-user home dirs + local-only git repos are otherwise irreplaceable. Extend via `VZDUMP_VMIDS` in the unit. See "VM Image Backups (vzdump)" under How It Works.
+
 ## Architecture Diagram
 
 ### Data Routing — where each path goes (post-2026-05-26)
@@ -208,13 +210,14 @@ graph LR
         T0000["00:00 LVM thin snapshots<br/>(lvm-pvc-snapshot)<br/>sdc PVCs CoW"]
         T0015["00:15 PostgreSQL per-DB dumps<br/>(CronJob)"]
         T0045["00:45 MySQL per-DB dumps<br/>(CronJob)"]
+        T0100["01:00 vzdump-vms<br/>live image of hand-managed VMs<br/>(devvm) → sda /mnt/backup/vzdump/"]
         T0200["02:00 nfs-mirror (daily)<br/>sdc /srv/nfs/* → sda /mnt/backup/<svc>/<br/>~10-20 min steady state"]
         T0500["05:00 daily-backup<br/>mount LVM snapshots ro<br/>rsync PVC files → /mnt/backup/pvc-data/<br/>+ sqlite + pfsense + pve-config"]
         T0600["06:00 offsite-sync-backup<br/>Step 1: sda → Synology /Viki/pve-backup/<br/>Step 2: sdc/immich + nfs-ssd → /Viki/nfs[-ssd]/"]
         T1200["12:00 LVM thin snapshots (midday)<br/>second daily snapshot"]
     end
 
-    T0000 --> T0015 --> T0045 --> T0200 --> T0500 --> T0600 --> T1200
+    T0000 --> T0015 --> T0045 --> T0100 --> T0200 --> T0500 --> T0600 --> T1200
     INO -.->|change events feed Step 2| T0600
 
     style Nightly fill:#ffe0b2
@@ -322,6 +325,7 @@ graph LR
 | NFS Change Tracker | Continuous (inotifywait) | PVE host: `nfs-change-tracker.service` | Logs changed NFS file paths to `/mnt/backup/.nfs-changes.log` |
 | pfSense Backup | Daily 05:00 + daily-backup | PVE host: SSH + API | config.xml + full filesystem tar |
 | Offsite Sync | Daily 06:00 (after daily-backup) | PVE host: `offsite-sync-backup` | Two-step: sda→pve-backup + NFS→nfs/nfs-ssd via inotify |
+| VM Image Backup (vzdump) | Daily 01:00, keep 3 | PVE host: `vzdump-vms` | Live `vzdump` of hand-managed VMs (devvm) → `/mnt/backup/vzdump/` |
 | PostgreSQL Backup (full) | Daily 00:00, 14d retention | CronJob in `dbaas` namespace | pg_dumpall for all databases |
 | PostgreSQL Backup (per-db) | Daily 00:15, 14d retention | CronJob in `dbaas` namespace | pg_dump -Fc per database → `/backup/per-db/<db>/` |
 | MySQL Backup (full) | Daily 00:30, 14d retention | CronJob in `dbaas` namespace | mysqldump --all-databases |
@@ -352,6 +356,20 @@ Native LVM thin snapshots provide crash-consistent point-in-time recovery for 62
 
 **Restore**: `lvm-pvc-snapshot restore <pvc-lv> <snapshot-lv>` — auto-discovers K8s workload, scales down, swaps LVs, scales back up. See `docs/runbooks/restore-lvm-snapshot.md`.
 
+### VM Image Backups (vzdump)
+
+The hand-managed Linux VMs are **intentionally not in Terraform** (telmate/bpg provider bugs — see `compute.md`) and were historically **not imaged at all**: nothing took a whole-disk backup of the VM itself. For most that is acceptable — k8s nodes are reprovisioned from cloud-init and their data lives in PVCs covered above. But **devvm** (the shared multi-user Claude Code workstation, VMID 102) holds irreplaceable state that lives nowhere else: per-user home dirs (`~/.claude`, `~/.t3`, shell history), manually-installed tooling, and **local-only git repos** — the monorepo root at `/home/wizard/code` has no git remote. A lost devvm disk = unrecoverable.
+
+**Script**: `/usr/local/bin/vzdump-vms` on PVE host (source: `infra/scripts/vzdump-vms.sh`). Deploy: `scp infra/scripts/vzdump-vms.sh root@192.168.1.127:/usr/local/bin/vzdump-vms` + `scp infra/scripts/vzdump-vms.{service,timer} root@192.168.1.127:/etc/systemd/system/`, then `systemctl daemon-reload && systemctl enable --now vzdump-vms.timer`.
+**Schedule**: Daily 01:00 via systemd timer — ahead of the other backup jobs so the fresh image is on sda before offsite-sync runs.
+**Mode**: `vzdump --mode snapshot` — live, no downtime. devvm has the qemu guest agent enabled (`agent: 1`), so the snapshot is **filesystem-consistent** (fs-freeze) rather than merely crash-consistent. Runs `Nice=10` + `IOSchedulingClass=idle` + `--ionice 7` so it never starves etcd on the contended sdc IO domain.
+**Scope**: VMIDs in `VZDUMP_VMIDS` (default `102` = devvm). Add VMIDs there to image other hand-managed VMs.
+**Retention**: `KEEP=3` newest dumps per VMID on sda (`/mnt/backup/vzdump/`); each devvm image is ~35-50 GB zstd.
+**Critical dependency**: `nfs-mirror` MUST keep `--exclude='/vzdump/'`. Its nightly `rsync -rlt --delete /srv/nfs/ → /mnt/backup/` treats any `/mnt/backup` dir with no `/srv/nfs` counterpart as an orphan and deletes it — this silently reaped the first two vzdump images at 02:00 on 2026-06-10 before the exclude was added (same reason `pvc-data`/`pfsense`/`pve-config`/`sqlite-backup` are excluded).
+**Offsite**: deliberately **NOT** appended to the incremental offsite manifest — it never deletes, so daily multi-GB images would accumulate unbounded on Synology. Instead the **monthly offsite-sync full pass (days 1-7)** mirrors all of `/mnt/backup` (including `vzdump/`) to Synology with `--delete`, bounded to local retention. So Copy 2 (sda) refreshes **daily**; Copy 3 (Synology) refreshes **monthly**.
+**Monitoring**: pushes `vzdump_last_run_timestamp` / `vzdump_last_status` / `vzdump_last_success_timestamp` to Pushgateway job `vzdump-backup`. Alerts `VzdumpBackupStale` (>~50h since last success), `VzdumpBackupNeverRun`, `VzdumpBackupFailing` (status≠0) are defined in `stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl` (the 3-2-1 group) — **effective on the next `monitoring` stack apply** (metrics already flow, so the alerts arm immediately once applied).
+**Restore**: on the PVE host, `qmrestore /mnt/backup/vzdump/vzdump-qemu-<vmid>-<ts>.vma.zst <vmid>` — restore to a spare VMID first if the original still exists, then swap disks; or use the PVE UI (add `/mnt/backup` as a dir storage with content=backup → Restore).
+
 ### Layer 2: Weekly File-Level Backup (sda Backup Disk)
 
 **Backup disk**: sda (1.1TB RAID1 SAS) → VG `backup` → LV `data` → ext4 → mounted at `/mnt/backup` on PVE host. Dedicated backup disk, independent of live storage.
@@ -527,12 +545,16 @@ The btrfs cleaner thread reclaims async — `df` may lag the snapshot-delete by
 | `/usr/local/bin/lvm-pvc-snapshot` | PVE host: LVM snapshot creation + restore |
 | `/usr/local/bin/daily-backup` | PVE host: PVC file copy + auto SQLite backup + pfSense |
 | `/usr/local/bin/offsite-sync-backup` | PVE host: two-step rsync to Synology (sda + NFS via inotify) |
+| `/usr/local/bin/vzdump-vms` | PVE host: daily live `vzdump` image of hand-managed VMs (devvm) → `/mnt/backup/vzdump/` |
 | `/mnt/backup/` | PVE host: sda mount point (1.1TB backup disk) |
+| `/mnt/backup/vzdump/` | PVE host: vzdump VM images (keep 3 per VMID), mirrored offsite monthly |
 | `/mnt/backup/.nfs-changes.log` | NFS change log from inotifywait, consumed by offsite-sync |
 | `/etc/systemd/system/nfs-change-tracker.service` | inotifywait watcher for `/srv/nfs` + `/srv/nfs-ssd` |
 | `/etc/systemd/system/lvm-pvc-snapshot.timer` | Daily 03:00 (LVM snapshots) |
 | `/etc/systemd/system/daily-backup.timer` | Daily 05:00 (file backup) |
 | `/etc/systemd/system/offsite-sync-backup.timer` | Daily 06:00 (offsite sync) |
+| `/etc/systemd/system/vzdump-vms.timer` | Daily 01:00 (VM image backup) |
+| `/etc/systemd/system/vzdump-vms.service` | oneshot: `vzdump-vms` (source `infra/scripts/vzdump-vms.{sh,service,timer}`) |
 | `/usr/local/bin/nfs-mirror` | PVE host: daily 02:00 mirror of /srv/nfs/* → sda /mnt/backup/<svc>/ (Layer 3a) |
 | `/etc/systemd/system/nfs-mirror.timer` | Daily 02:00 (NFS local mirror to sda) |
 | `stacks/dbaas/` | Terraform: PostgreSQL/MySQL backup CronJobs |
@@ -911,6 +933,9 @@ the 2026-04-22 backup_offsite_sync FAIL (node3 kubelet hiccup at
 | Uptime Kuma | ✓ | ✓ | — | ✓ | proxmox-lvm |
 | **Other apps not enumerated above** | ✓¹ | ✓¹ | varies | ✓ | proxmox-lvm / proxmox-lvm-encrypted |
 | **Postiz** (bundled bitnami PG on local-path) | — | — | ✓ daily pg_dump → NFS | ✓ | local-path + NFS |
+| **Hand-managed VMs (not in Terraform)** |
+| devvm (workstation, VMID 102) | — | — | ✓ daily vzdump image | ✓ monthly | local-lvm (sdc) |
+| Other hand-managed VMs (HA 103, registry 220, k8s nodes) | — | — | — gap² | — | local-lvm — see note² |
 | **Media (NFS)** |
 | Immich (~800GB) | — | — | — | ✓ | NFS |
 | Audiobookshelf | — | — | — | ✓ | NFS |
@@ -924,6 +949,8 @@ the 2026-04-22 backup_offsite_sync FAIL (node3 kubelet hiccup at
 
 **Note**: All proxmox-lvm and proxmox-lvm-encrypted PVCs get LVM snapshots (except `dbaas` and `monitoring` namespaces, excluded for write-amplification reasons) + file-level backup. NFS-backed media syncs directly to Synology `nfs/` and `nfs-ssd/` via inotify change tracking.
 
+² **Hand-managed VMs** — only **devvm (102)** is imaged today (`vzdump-vms`, `VZDUMP_VMIDS=102`). The k8s nodes are deliberately uncovered (reprovisioned from cloud-init; their data lives in the PVCs already backed up above). **home-assistant (103) and docker-registry (220) are a documented gap** — add their VMIDs to `VZDUMP_VMIDS` to image them (registry content is also re-pullable from upstreams; HA has its own add-on backups). pfSense (101) is covered separately by `daily-backup` (config.xml + weekly tar).
+
 ¹ **"Other apps not enumerated above"** — the table only enumerates services worth calling out. The default backup posture for any service using `proxmox-lvm` or `proxmox-lvm-encrypted` (outside `dbaas`/`monitoring`) is **automatic** Layer 1 (LVM thin snapshots, 7d retention) + Layer 2 (file backup, 4 weekly versions on sda) + Layer 3 (offsite to Synology). Auto-discovery is by LV name pattern (`vm-*-pvc-*`), so adding a new service to the cluster gets it covered without any explicit registration. Run `ssh root@192.168.1.127 lvs --noheadings -o lv_name pve | grep '^vm-.*-pvc-' | grep -v _snap_ | wc -l` to see the live count.
 
 **Known gaps** — services with PVCs not on the proxmox-lvm path lose Layer 1+2:
diff --git a/docs/architecture/chrome-service.md b/docs/architecture/chrome-service.md
index b70fe185..6f9c1ee4 100644
--- a/docs/architecture/chrome-service.md
+++ b/docs/architecture/chrome-service.md
@@ -10,9 +10,14 @@ serves two distinct populations:
    `chromium.connect_over_cdp("http://chrome-service.chrome-service.svc:9222")`
    to drive a real browser when upstream anti-bot trips a headless one
    (`disable-devtool.js` redirect-to-google trap, `navigator.webdriver`
-   checks, console-clear timing tricks). The only currently-active
-   in-cluster caller is the `chrome-service-snapshot-harvester` CronJob;
-   the `stacks/f1-stream/files/backend/playback_verifier.py` +
+   checks, console-clear timing tricks). Currently-active in-cluster
+   callers: the `chrome-service-snapshot-harvester` CronJob, and
+   **tripit's `PlaywrightFareProvider`** (since 2026-06-11, tripit issue
+   #18 / ADR-0007) — the flight-fare scrape connects per quote, opens a
+   fresh incognito context, scrapes Google Flights, and closes the
+   context; rate-limited to one attempt per 30s with a 6h fare cache, so
+   browser load is negligible. The
+   `stacks/f1-stream/files/backend/playback_verifier.py` +
    `chrome_browser.py` tree is a vestigial design — the deployed
    f1-stream image (built from `github.com/ViktorBarzin/f1-stream`)
    does not use this code path.
@@ -107,17 +112,32 @@ External caller (dev box):
   @playwright/mcp --isolated --storage-state ~/.cache/...storage-state.json
 ```
 
+## Browser binary — real Google Chrome (for proprietary codecs)
+
+The chrome-service container runs **real Google Chrome**, not the bundled
+Chromium, via the infra-owned image `ghcr.io/viktorbarzin/chrome-service-browser`
+(`files/chrome/Dockerfile` = `mcr.microsoft.com/playwright:v1.48.0-noble` +
+`google-chrome-stable`, built by `.github/workflows/build-chrome-service-browser.yml`).
+The launch resolves `CHROMIUM=/opt/google/chrome/chrome`.
+
+**Why:** the Playwright-bundled Chromium has proprietary codecs **compiled out**,
+so H.264/AAC video (Instagram Reels, X, most `.mp4`) fails in the noVNC view with
+`MEDIA_ERR_SRC_NOT_SUPPORTED` (the bytes download `200 video/mp4` but there's no
+decoder — NOT a GPU issue). Royalty-free codecs (VP9/VP8/AV1 → YouTube) always
+worked. Swapping `libffmpeg.so` does NOT help (codecs are compiled out, not just
+the lib stripped) and Chrome-for-Testing is also codec-less — only
+`google-chrome-stable` carries them.
+
 ## Image pin
 
-Both the server image (`mcr.microsoft.com/playwright:v1.48.0-noble` in
-`stacks/chrome-service/main.tf`) and the Python client
-(`playwright==1.48.0` in callers' `requirements.txt`) **must match
-minor-versions**. Bump in lockstep — Playwright protocol changes between
-minors and the client cannot connect to a mismatched server.
-
-The harvester + snapshot-server sidecar use
-`mcr.microsoft.com/playwright/python:v1.48.0-noble` — same playwright
-minor, with Python-side bindings pre-installed.
+The Playwright base + the Python client (`playwright==1.48.0` in callers'
+`requirements.txt`) and the snapshot sidecars
+(`mcr.microsoft.com/playwright/python:v1.48.0-noble`) historically had to match
+minor-versions. The chrome-service browser is now real Google Chrome (a newer
+milestone than the 1.48 Chromium), but the `connect_over_cdp` callers (tripit
+fare scrape, `homelab browser`, snapshot-harvester) attach over raw CDP, which is
+version-tolerant — verified working against this Chrome. If a future Chrome
+milestone breaks a caller, pin Chrome in the Dockerfile or bump the clients.
 
 ## Storage
 
@@ -162,7 +182,29 @@ minor, with Python-side bindings pre-installed.
   `x11vnc` (connected to Xvfb on `localhost:6099`) bridged to
   `websockify` on port 6080. Service `chrome` maps :80 → :6080 and is
   exposed via `ingress_factory` at `chrome.viktorbarzin.me`,
-  Authentik-gated.
+  Authentik-gated. The bare host serves `vnc.html` (image symlinks
+  `index.html → vnc.html`); add `?autoconnect=true&resize=scale&path=websockify`
+  to skip the Connect button. The view is **black when no browser window is
+  open** (idle) — that is normal, not a failed connection. Chrome is launched
+  with `--window-size=1280,720 --window-position=0,0` to fill the Xvfb screen
+  (no window manager runs, so without it Chrome opens at its profile-persisted
+  size and the rest of the framebuffer shows as a black cut-off).
+
+### noVNC fd-sweep gotcha (stuck "Connecting")
+
+If the noVNC client hangs on **"Connecting" forever then times out**, the cause
+is almost always x11vnc's fd-table sweep: containerd grants pods
+`RLIMIT_NOFILE = 2^31`, and x11vnc `fcntl`-sweeps the **entire** fd table on
+every client connection, so the RFB handshake never completes (websockify
+accepts the WS and logs `connecting to: localhost:5900`, but x11vnc never sends
+the `RFB 003.008` banner). Diagnose: `grep "open files" /proc/$(pgrep -n
+x11vnc)/limits` (huge = bad) and time the handshake from a sibling container
+(`python3 -c "import socket;s=socket.socket();s.connect(('127.0.0.1',5900));print(s.recv(12))"` —
+healthy <0.3s, broken hangs). **Fix: cap `ulimit -n 65536` before x11vnc starts**
+— done both in `files/novnc/entrypoint.sh` (root) and via the container `command`
+wrapper in `main.tf` (so it applies deterministically even though the image is
+`:latest`/`IfNotPresent` and won't re-pull a rebuilt entrypoint). Same bug + fix
+as the android-emulator stack.
 - **snapshot-server sidecar** (`mcr.microsoft.com/playwright/python:v1.48.0-noble`)
   serves `GET /api/snapshot` from `/profile/snapshots/storage-state.json`,
   bearer-gated by `PW_TOKEN`. Service `chrome-snapshot` maps :8088 → :8088
@@ -175,6 +217,45 @@ minor, with Python-side bindings pre-installed.
 See `stacks/chrome-service/README.md` for the recipe (label namespace,
 inject `CHROME_CDP_URL`, vendor `stealth.js`).
 
+## Driving from OUTSIDE the cluster (`homelab browser`)
+
+Agents on the devvm reach this browser through the **`homelab browser`** CLI
+(`cli/`, ADR-0013) — the packaged, discoverable form of the ad-hoc
+`connect_over_cdp` recipe. It is the **escalation path, not the default**:
+agents default to the Playwright MCP / headless browser for all routine
+automation, and reach for `homelab browser` ONLY when headless is blocked — a
+site loads but a gated action (submit/login) silently fails or hangs, the
+signature of headless / anti-bot detection. (Same tiered rule lives in
+`~/code/CLAUDE.md` and `homelab browser --help`.)
+
+```text
+devvm:  homelab browser run flow.js
+          │  kubectl port-forward svc/chrome-service :9222  (random local port)
+          ▼
+   http://127.0.0.1:<port>  ──►  chrome-service pod :9222 (CDP)
+          │  assert /json/version Browser is "Chrome/…", not "HeadlessChrome"
+          │  node + playwright-core@1.48.2 → connectOverCDP
+          │  context.addInitScript(stealth.js)   ← same vendored file as in-cluster
+          │  run the user's Playwright script with page/context/browser in scope
+          └─ port-forward always torn down (success or error)
+```
+
+Key facts:
+
+- **port-forward bypasses the `:9222` NetworkPolicy.** It tunnels
+  API-server→pod, so the devvm needs no `chrome-service.viktorbarzin.me/client`
+  label — unlike in-cluster callers.
+- **Client pinned to the image minor.** The node client is
+  `playwright-core@1.48.2` (matches `v1.48.0-noble` / Chromium 130), installed
+  lazily into `~/.cache/homelab/browser-client/`. Bump it in lockstep when the
+  server image bumps (same rule as the in-cluster Python clients — see "Image
+  pin" above).
+- **Default context is a fresh incognito one** (closed on exit), safe for the
+  shared browser; `--shared-context` reuses the warmed persistent profile.
+- **`stealth.js` is vendored** into the CLI (`cli/browser_stealth.js`) as a
+  byte-identical copy of `files/stealth.js`, guarded by a drift test — so the
+  CLI's stealth never diverges from the in-cluster callers'.
+
 ## Limits + risks
 
 - **Anti-bot vs stealth arms race** — when an upstream beats us (DRM
diff --git a/docs/architecture/ci-cd.md b/docs/architecture/ci-cd.md
index 8a5990b6..35e041e6 100644
--- a/docs/architecture/ci-cd.md
+++ b/docs/architecture/ci-cd.md
@@ -2,306 +2,378 @@
 
 ## Overview
 
-The CI/CD pipeline uses a hybrid approach: GitHub Actions for building Docker images (providing free compute for public repos) and Woodpecker CI for deployments (leveraging cluster-internal access). Git pushes trigger GHA builds that produce Docker images with 8-character SHA tags, push to DockerHub, then POST to Woodpecker's API to trigger deployments that update Kubernetes workloads via `kubectl set image`.
+**Doctrine (ADR-0002): all image builds and CI compute run OFF-infra.** Every
+owned image is built, tested, and linted on **GitHub Actions** (free on public
+repos; 2000 free min/mo on private) and pushed to **`ghcr.io/viktorbarzin/<name>`**.
+Woodpecker is **deploy-only** — a GHA job POSTs its API with the freshly-built
+image tag and Woodpecker runs `kubectl set image` from inside the cluster.
+There are **no in-cluster image builds or CI test runs anywhere** — the
+in-cluster Woodpecker buildkit and the fallback-build pattern were removed as a
+clean cut (ADR-0002, 2026-06-13). The Forgejo container registry is **frozen
+and emptied** — break-glass only.
+
+This breaks the old circular dependency (images needed to repair the cluster
+used to be built and stored *inside* it) and keeps build IO + registry pushes
+off the homelab spindle.
 
 ## Architecture Diagram
 
 ```mermaid
 graph LR
-    A[Git Push] --> B[GitHub Actions]
-    B --> C[Build Docker Image<br/>linux/amd64, 8-char SHA tag]
-    C --> D[Push to DockerHub]
-    D --> E[POST Woodpecker API]
-    E --> F[Woodpecker Pipeline]
-    F --> G[Vault K8s Auth<br/>SA JWT]
-    G --> H[kubectl set image]
-    H --> I[K8s Deployment]
-    I --> J[Pull from DockerHub<br/>or Pull-Through Cache]
+    A[git push Forgejo<br/>viktor/&lt;repo&gt; canonical] --> B[push-mirror sync_on_commit]
+    B --> C[GitHub mirror<br/>ViktorBarzin/&lt;repo&gt;]
+    C --> D[GitHub Actions<br/>.github/workflows/build.yml]
+    D --> E[lint / test]
+    E --> F[buildx linux/amd64<br/>provenance:false]
+    F --> G[push ghcr.io/viktorbarzin/&lt;name&gt;<br/>:sha8 + :latest]
+    G --> H[svu tag -> Forgejo canonical]
+    G --> I[POST Woodpecker deploy repo]
+    I --> J[.woodpecker/deploy.yml<br/>event: manual]
+    J --> K[kubectl set image<br/>in-cluster SA cluster-admin]
+    K --> L[K8s Deployment<br/>pulls from ghcr]
 
-    K[Pull-Through Cache<br/>10.0.20.10] -.-> J
-    L[forgejo.viktorbarzin.me<br/>Private Registry on Forgejo] -.-> J
-
-    style B fill:#2088ff
-    style F fill:#4c9e47
-    style K fill:#f39c12
+    style D fill:#2088ff
+    style J fill:#4c9e47
+    style G fill:#f39c12
 ```
 
 ## Components
 
-| Component | Version | Location | Purpose |
-|-----------|---------|----------|---------|
-| GitHub Actions | Cloud | `.github/workflows/build-and-deploy.yml` | Build Docker images, push to DockerHub |
-| Woodpecker CI | Self-hosted | `ci.viktorbarzin.me` | Deploy to Kubernetes cluster |
-| DockerHub | Cloud | `viktorbarzin/*` | Public image registry |
-| Private Registry | Forgejo Packages | `forgejo.viktorbarzin.me/viktor` | Private container images (PAT auth, retention CronJob) — migrated from registry.viktorbarzin.me 2026-05-07 |
-| Pull-Through Cache | Custom | `10.0.20.10:5000` (docker.io)<br/>`10.0.20.10:5010` (ghcr.io) | LAN cache for remote registries |
-| Kyverno | Cluster | `kyverno` namespace | Auto-sync registry credentials to all namespaces |
-| Vault | Cluster | `vault.viktorbarzin.me` | K8s auth for Woodpecker pipelines |
+| Component | Location | Purpose |
+|-----------|----------|---------|
+| GitHub Actions | `.github/workflows/build.yml` (per repo) | Build + lint + test + push image; trigger deploy; cut semver tag |
+| ghcr.io | `ghcr.io/viktorbarzin/*` | Container registry for ALL owned images (public + private packages) |
+| Woodpecker CI | `ci.viktorbarzin.me` | **Deploy-only** — `kubectl set image` in-cluster; plus infra applies + maintenance crons |
+| Forgejo | `forgejo.viktorbarzin.me/viktor/<repo>` | **Canonical** git source (push-mirrors to GitHub). Container registry **FROZEN** (break-glass only) |
+| Pull-Through Cache | `10.0.20.10:5000/5010/5020/5030/5040` | LAN cache for upstream registries (DockerHub, ghcr, Quay, k8s.gcr, Kyverno) |
+| Kyverno | `kyverno` namespace | Syncs `ghcr-credentials` (private-ghcr allowlist) + `registry-credentials` to namespaces |
+| Vault | `vault.viktorbarzin.me` | K8s auth for Woodpecker deploy pipelines; CI tokens in `secret/ci/global` + `secret/viktor` |
 
 ## How It Works
 
-### Build Flow (GitHub Actions)
+### The fleet pattern (every owned app)
 
-1. **Trigger**: Git push to main/master branch
-2. **Build**: GHA builds Docker image for `linux/amd64` platform only
-3. **Tag**: Image tagged with 8-character commit SHA (e.g., `viktorbarzin/app:a1b2c3d4`)
-   - `:latest` tags are **never used** to prevent stale pull-through cache issues
-4. **Push**: Image pushed to DockerHub public registry
-5. **Trigger Deploy**: POST request to Woodpecker API with repo ID and commit SHA
+1. **Canonical source = Forgejo** `viktor/<repo>`. A **push-mirror**
+   (`sync_on_commit`) pushes every commit to the GitHub mirror
+   `ViktorBarzin/<repo>`. The `.github/workflows/build.yml` is committed on
+   Forgejo and mirrors over.
+2. **GHA `build` job** (triggers `on: push: branches: [master]` ONLY — feature
+   branches mirror but build/deploy nothing, the safety valve):
+   - lint + test
+   - `svu` computes the next `vX.Y.Z` from conventional commits and pushes the
+     tag back to **canonical Forgejo** (GHA secret `FORGEJO_GIT_TOKEN` =
+     write:repository PAT); `VERSION` is baked into the image
+   - `docker buildx` `linux/amd64`, **`provenance: false`** (single-manifest —
+     avoids the orphaned-index-children failure class), push
+     `ghcr.io/viktorbarzin/<name>:<sha8>` + `:latest`
+   - `delete-package-versions` keeps the newest ~10 ghcr versions
+3. **GHA `deploy` job** POSTs `ci.viktorbarzin.me/api/repos/<id>/pipelines`
+   (the Woodpecker registration for the **GitHub mirror**, github-forge; GHA
+   secret `WOODPECKER_TOKEN`) with `IMAGE_TAG` + `IMAGE_NAME`.
+4. **`.woodpecker/deploy.yml`** (event: **manual** only, so the raw
+   Forgejo→GitHub mirror pushes don't fire a tag-less deploy) runs `kubectl set
+   image deployment/<app> <container>=<image>` in-cluster. The `woodpecker-agent`
+   SA is `cluster-admin`, so the `bitnami/kubectl` step needs no
+   kubeconfig/RBAC. The Deployment image is in `lifecycle.ignore_changes`
+   (`KEEL_IGNORE_IMAGE`) so the SHA tag sticks and `terragrunt apply` doesn't
+   fight it. CronJobs in owned apps track `:latest` + `imagePullPolicy: Always`
+   instead of a deploy step.
 
-### Deploy Flow (Woodpecker CI)
+**Keel stays enrolled** as a redundant net (finds the deployed SHA already
+running → no-op).
 
-1. **Receive Webhook**: Woodpecker API receives deployment trigger from GHA
-2. **Authenticate**: Pipeline uses Kubernetes ServiceAccount JWT to authenticate with Vault via K8s auth
-3. **Deploy**: `kubectl set image deployment/<name> <container>=viktorbarzin/<app>:<sha>`
-4. **Notify**: Slack notification on success/failure
+**Tooling**: `infra/scripts/offinfra-onboard` + `infra/scripts/offinfra-templates/`
+scaffold a repo onto this pattern (mirror, workflow, Woodpecker deploy repo,
+old-pipeline removal, default-branch flip). Mirror + workflow commits go via
+the Forgejo API over the internal Traefik LB
+(`curl --resolve forgejo.viktorbarzin.me:443:10.0.20.203`) since the devvm
+can't reach Forgejo's public hairpin.
 
-### Project Migration Status
+### ghcr package visibility
 
-**Migrated to GHA (8 projects)**:
-- Website
-- k8s-portal
-- claude-memory-mcp
-- apple-health-data
-- audiblez-web
-- plotting-book
-- insta2spotify
-- book-search (audiobook-search)
+| Visibility | Packages | Pull mechanism |
+|------------|----------|----------------|
+| **Public** | beadboard, nextcloud-todos, claude-agent-service, claude-memory-mcp, kms-website, freedify, tuya_bridge, x402-gateway, chrome-service-novnc, android-emulator | Anonymous |
+| **Private** | f1-stream, job-hunter, instagram-poster, payslip-ingest, wealthfolio-sync, fire-planner, recruiter-responder, tripit, infra-cli, infra-ci | `ghcr-credentials` dockerconfigjson |
 
-**Woodpecker-native owned-app builds** (build + push to the Forgejo private
-registry + `kubectl set image` rollout, all in one `.woodpecker.yml`; Keel
-stays enrolled as a redundant net): `tuya_bridge`, `job-hunter`, `f1-stream`.
-`f1-stream` was extracted from this monorepo to `viktor/f1-stream` on
-2026-06-05 (Woodpecker repo id 166); the old github source is archived and its
-GHA-era Woodpecker repo (id 10) is deactivated.
+Private-image pulls use the `ghcr-credentials` dockerconfigjson, cloned by the
+kyverno stack's `sync-ghcr-credentials` ClusterPolicy to an explicit
+**ALLOWLIST** of private-ghcr namespaces only (NOT cluster-wide; source
+`stacks/kyverno/modules/kyverno/ghcr-credentials.tf`). Cred = Vault
+`secret/viktor/ghcr_pull_token` (a dedicated classic PAT scoped to
+`read:packages`, UI-minted 2026-06-15 — no longer the admin `github_pat` alias.
+GitHub has no token-mint API, so rotation is manual: re-mint the classic
+`read:packages` PAT → `vault kv patch secret/viktor ghcr_pull_token=…` →
+targeted apply `module.kyverno.kubernetes_secret.ghcr_credentials` (reads Vault;
+avoids the git-crypt `tls-secret-sync` landmine on a locked clone), which
+Kyverno then re-syncs to the allowlisted namespaces).
 
-**Woodpecker-only (infra + large apps)**:
-- `travel_blog`: 5.7GB content directory exceeds GHA limits
-- Infra pipelines: require cluster access (terragrunt apply, certbot, build-cli)
+### Migrated apps (issues #13–#27)
 
-### Woodpecker Pipeline Files
+f1-stream, job-hunter, tuya_bridge, beadboard, nextcloud-todos,
+claude-agent-service, claude-memory-mcp, kms-website, Freedify,
+instagram-poster, payslip-ingest, broker-sync (image name `wealthfolio-sync`),
+fire-planner, recruiter-responder, x402-gateway — plus **tripit** (the original
+pilot, 2026-06-09). Earlier public-repo apps already on GHA (Website,
+k8s-portal, apple-health-data, audiblez-web, plotting-book, insta2spotify,
+audiobook-search) now also land on ghcr.
 
-Each project contains:
-- `.woodpecker/deploy.yml`: kubectl set image + Slack notification
-- `.woodpecker/build-fallback.yml`: Legacy full build pipeline (event: deployment, never auto-fires)
+### Infra-owned images (issues #29 / #30)
 
-### Woodpecker Repository IDs
+Images owned by the infra repo build on GHA workflows **in the infra repo's own
+`.github/workflows/`** (the github↔forgejo divergence was deliberately NOT
+reconciled — the workflows were added to the GitHub lineage via PR):
 
-Woodpecker API uses numeric IDs (not owner/name):
+| Image | Workflow | Destination |
+|-------|----------|-------------|
+| chrome-service-novnc | `build-chrome-service-novnc.yml` | public `ghcr.io/viktorbarzin/chrome-service-novnc` |
+| android-emulator | `build-android-emulator.yml` | public `ghcr.io/viktorbarzin/android-emulator` |
+| infra CLI | `build-cli.yml` | DockerHub `viktorbarzin/infra` (kept) + `ghcr.io/viktorbarzin/infra-cli` |
+| infra-ci | `build-infra-ci.yml` | private `ghcr.io/viktorbarzin/infra-ci` |
 
-| Repo | ID |
-|------|------|
-| infra | 1 |
-| Website | 2 |
-| finance | 3 |
-| health | 4 |
-| travel_blog | 5 |
-| webhook-handler | 6 |
-| audiblez-web | 9 |
-| plotting-book | 43 |
-| claude-memory-mcp | 78 |
-| infra-onboarding | 79 |
+**`infra-ci`** is the image the `.woodpecker/default.yml` apply step and
+`drift-detection.yml` run in (proven by pipelines 165/166). `chatterbox-tts` is
+already built by tripit's GHA → ghcr.
 
-### Image Registry Flow
+The Woodpecker `build-ci-image.yml` and `build-cli.yml` pipelines were
+**REMOVED**. Break-glass for infra-ci is now a manual
+`.woodpecker/breakglass-infra-ci.yml` (ghcr pull-and-save to the registry VM).
 
-1. **Containerd hosts.toml** redirects pulls from docker.io and ghcr.io to pull-through cache at `10.0.20.10`
-2. **Pull-through cache** serves cached images from LAN, fetches from upstream on cache miss
-3. **Kyverno ClusterPolicy** auto-syncs `registry-credentials` Secret to all namespaces for private registry access
-4. **Private registry** has been Forgejo's built-in OCI registry at `forgejo.viktorbarzin.me/viktor/<image>` since 2026-05-07. Auth via PAT (Vault `secret/ci/global/forgejo_push_token` for push, `secret/viktor/forgejo_pull_token` for pull). The pre-migration `registry:2.8.3`-based private registry on `registry.viktorbarzin.me:5050` was the root cause of three orphan-index incidents in three weeks (2026-04-13, 2026-04-19, 2026-05-04 — see `docs/post-mortems/2026-04-19-registry-orphan-index.md` and the full migration writeup at `docs/plans/2026-05-07-forgejo-registry-consolidation-{design,plan}.md`). The five pull-through caches on `10.0.20.10` (ports 5000/5010/5020/5030/5040) stay in place for upstream registries.
-5. **Integrity probe** (`registry-integrity-probe` CronJob in `monitoring` ns, every 15m) walks `/v2/_catalog` → tags → indexes → child manifests via HEAD and pushes `registry_manifest_integrity_failures` to Pushgateway; alerts `RegistryManifestIntegrityFailure` / `RegistryIntegrityProbeStale` / `RegistryCatalogInaccessible` page on broken state. Authoritative check (HTTP API, not filesystem).
+### Forgejo container registry — FROZEN
 
-### Infra Pipelines (Woodpecker-only)
+Issue #32 wiped all `viktor/*` container packages (~19G reclaimed, `/data`
+58%→20%). The registry is **break-glass-only** now; nothing pushes to it. The
+`forgejo-cleanup` CronJob stays in `DRY_RUN` (nothing to clean). Pull-through
+caches on the registry VM (`10.0.20.10`) are unchanged. See
+`docs/runbooks/forgejo-registry-breakglass.md`.
+
+### Image registry / pull path
+
+1. **Containerd `hosts.toml`** redirects pulls from docker.io and ghcr.io to the
+   pull-through cache at `10.0.20.10` (5000 = docker.io, 5010 = ghcr.io).
+2. **Pull-through cache** serves cached images from the LAN, fetches upstream on
+   a miss.
+3. **Kyverno ClusterPolicies** sync `ghcr-credentials` (private-ghcr allowlist)
+   and `registry-credentials` to namespaces.
+
+## Woodpecker — what it still runs
+
+Woodpecker is **deploy + cluster-touching steps only**:
 
 | Pipeline | File | Purpose |
 |----------|------|---------|
-| default | `.woodpecker/default.yml` | Terragrunt apply on push |
-| renew-tls | `.woodpecker/renew-tls.yml` | Certbot renewal cron |
-| build-cli | `.woodpecker/build-cli.yml` | Build and push to dual registries |
-| build-ci-image | `.woodpecker/build-ci-image.yml` | Build `infra-ci` tooling image (triggered by `ci/Dockerfile` change or manual); post-push HEADs every blob via `verify-integrity` step to catch orphan-index pushes |
-| k8s-portal | `.woodpecker/k8s-portal.yml` | Path-filtered build for k8s-portal subdirectory |
-| registry-config-sync | `.woodpecker/registry-config-sync.yml` | SCP `modules/docker-registry/*` to `/opt/registry/` on `10.0.20.10` when any managed file changes; bounces containers + nginx per `docs/runbooks/registry-vm.md` |
-| pve-nfs-exports-sync | `.woodpecker/pve-nfs-exports-sync.yml` | Sync `scripts/pve-nfs-exports` → `/etc/exports` on PVE host |
-| postmortem-todos | `.woodpecker/postmortem-todos.yml` | Auto-resolve safe TODOs from new `docs/post-mortems/*.md` via headless Claude agent |
-| drift-detection | `.woodpecker/drift-detection.yml` | Nightly Terraform drift detection |
-| issue-automation | `.woodpecker/issue-automation.yml` | Triage + respond to `ViktorBarzin/infra` GitHub issues |
+| per-app deploy | `.woodpecker/deploy.yml` (each repo) | `kubectl set image` + Slack notify (event: **manual**) |
+| terragrunt apply | `.woodpecker/default.yml` | Changed-stacks apply on push to master (runs in `infra-ci`) |
+| certbot | `.woodpecker/renew-tls.yml` | TLS renewal cron |
+| drift-detection | `.woodpecker/drift-detection.yml` | Nightly Terraform drift (runs in `infra-ci`) |
 | provision-user | `.woodpecker/provision-user.yml` | Add namespace-owner user from Vault spec |
+| registry-config-sync | `.woodpecker/registry-config-sync.yml` | SCP `modules/docker-registry/*` → `10.0.20.10` on change |
+| pve-nfs-exports-sync | `.woodpecker/pve-nfs-exports-sync.yml` | Sync `scripts/pve-nfs-exports` → `/etc/exports` on PVE |
+| issue-automation | `.woodpecker/issue-automation.yml` | Triage + respond to `ViktorBarzin/infra` GitHub issues |
+| postmortem-todos | `.woodpecker/postmortem-todos.yml` | Auto-resolve safe TODOs from new post-mortems |
+| k8s-portal | `.woodpecker/k8s-portal.yml` | Path-filtered deploy for the portal |
+| breakglass-infra-ci | `.woodpecker/breakglass-infra-ci.yml` | **Manual** ghcr pull-and-save of infra-ci to the registry VM |
+
+**No build/test pipeline exists on any repo.** Do not (re)introduce one.
+
+### Woodpecker API
+
+Uses **numeric repo IDs** (`/api/repos/<id>/pipelines`), NOT owner/name paths
+(those return HTML). The deploy registration for each app is the **GitHub
+mirror** repo (registered github-forge). IDs are stable across renames and must
+be looked up from the Woodpecker UI/DB.
+
+### Woodpecker YAML gotchas
+
+- Commands with `${VAR}:${VAR}` must be **quoted** — an unquoted `:` triggers
+  YAML map parsing when the vars are empty.
+- Use `bitnami/kubectl:latest` (not pinned versions — entrypoint compatibility).
+- Global secrets must include `manual` in their events list for API-triggered
+  pipelines.
+
+### GitHub repo secrets
+
+Per repo: `WOODPECKER_TOKEN` (POST the deploy pipeline), `FORGEJO_GIT_TOKEN`
+(write:repository PAT for the `svu` tag push). ghcr push uses the workflow's
+built-in `GITHUB_TOKEN` (`packages: write`).
+
+## Infra repo CI topology
+
+The infra repo runs on Woodpecker via **two** forge registrations: the Forgejo
+forge (repo id 82, registered 2026-06-08) and the legacy GitHub forge (repo id
+1). Pushes to **Forgejo** `master` fire `.woodpecker/default.yml`
+(changed-stacks terragrunt apply, in `infra-ci`) plus the `notify-nonadmin-push`
+Slack audit step. Operational facts (2026-06-10):
+
+- **Webhook URL is the IN-CLUSTER service**:
+  `http://woodpecker-server.woodpecker.svc.cluster.local/api/hook?...` (PATCHed
+  via the Forgejo API). The Woodpecker default (`https://ci.viktorbarzin.me/...`)
+  resolves to the non-proxied public A record from pods → NAT hairpin →
+  intermittent `context deadline exceeded`, silently dropping push events. If
+  Woodpecker "repairs" the repo it rewrites the hook back to `ci.viktorbarzin.me`
+  — re-apply the in-cluster URL.
+- **Repo-scoped secrets must exist on BOTH repos**: pipelines reference
+  repo-level secrets (`registry_ssh_key`, `pve_ssh_key`, `CLOUDFLARE_TOKEN`, …).
+  When registering a new forge repo for infra, clone the secret set too.
+- **Empty commits defeat path filters**: a commit with no changed files makes
+  Woodpecker include ALL workflow files (path conditions can't exclude), so every
+  repo secret must resolve. Normal commits with real files only compile the
+  matching workflows.
+
+The Forgejo trigger is not fully dependable — land infra changes by pushing
+Forgejo master (as viktor), use `[ci skip]` for docs/no-op commits, and verify
+deploys via `scripts/tg` + live cluster state rather than trusting the CI
+checkmark. The two remotes have **diverged** (parallel histories under
+different SHAs); expect github pushes to reject non-fast-forward and leave them
+— never force-push.
 
 ## Configuration
 
-### GitHub Actions
-
-**File**: `.github/workflows/build-and-deploy.yml`
+### GitHub Actions (per-app `.github/workflows/build.yml`)
 
 ```yaml
-name: Build and Deploy
+name: build
 on:
   push:
-    branches: [main, master]
+    branches: [master]
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write   # svu tag push
+      packages: write    # ghcr push
     steps:
-      - name: Build Docker image
-        run: docker build --platform linux/amd64 -t viktorbarzin/app:${SHORT_SHA} .
-      - name: Push to DockerHub
-        run: docker push viktorbarzin/app:${SHORT_SHA}
-      - name: Trigger Woodpecker Deploy
+      - uses: actions/checkout@v4
+      - name: lint + test
+        run: make lint test
+      - name: svu tag -> Forgejo
         run: |
-          curl -X POST https://ci.viktorbarzin.me/api/repos/<REPO_ID>/pipelines \
-            -H "Authorization: Bearer ${{ secrets.WOODPECKER_TOKEN }}"
+          VERSION=$(svu next)
+          # ... push tag to canonical Forgejo with FORGEJO_GIT_TOKEN
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/viktorbarzin/<name>:${{ github.sha }}
+            ghcr.io/viktorbarzin/<name>:latest
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Woodpecker deploy
+        run: |
+          curl -X POST https://ci.viktorbarzin.me/api/repos/<DEPLOY_REPO_ID>/pipelines \
+            -H "Authorization: Bearer ${{ secrets.WOODPECKER_TOKEN }}" \
+            -d '{"branch":"master","variables":{"IMAGE_TAG":"...","IMAGE_NAME":"..."}}'
 ```
 
-**Required GitHub Secrets**:
-- `DOCKERHUB_USERNAME`
-- `DOCKERHUB_TOKEN`
-- `WOODPECKER_TOKEN`
-
-### Woodpecker Deploy Pipeline
-
-**File**: `.woodpecker/deploy.yml`
+### Woodpecker deploy pipeline (per-app `.woodpecker/deploy.yml`)
 
 ```yaml
 when:
-  event: [deployment]
+  event: manual
 
 steps:
   deploy:
-    image: bitnami/kubectl:latest
+    image: bitnami/kubectl:latest   # uses the in-cluster woodpecker-agent SA (cluster-admin)
     commands:
-      - kubectl set image deployment/app app=viktorbarzin/app:${CI_COMMIT_SHA:0:8}
-    secrets: [k8s_token]
-
+      - "kubectl set image deployment/app app=${IMAGE_NAME}:${IMAGE_TAG} -n <ns>"
+      - "kubectl rollout status deployment/app -n <ns> --timeout=300s"
   notify:
     image: plugins/slack
-    settings:
-      webhook: ${SLACK_WEBHOOK}
     when:
       status: [success, failure]
 ```
 
-**YAML Gotchas**:
-- Commands with `${VAR}:${VAR}` syntax must be quoted to prevent YAML map parsing when vars are empty
-- Use `bitnami/kubectl:latest` (not pinned versions)
-- Global secrets must be manually added to `secrets:` list in pipeline
+### CI/CD secrets sync
 
-### Vault Configuration
-
-**K8s Auth for Woodpecker**:
-- Woodpecker pipelines authenticate using ServiceAccount JWT
-- Vault K8s auth mount validates JWT and issues token
-- Policies grant access to secrets and dynamic credentials
-
-### CI/CD Secrets Sync
-
-**CronJob**: Pushes `secret/ci/global` from Vault → Woodpecker API every 6 hours
-- Keeps Woodpecker global secrets in sync with Vault
-- Runs in `woodpecker` namespace
+A CronJob in the `woodpecker` namespace pushes `secret/ci/global` from Vault →
+the Woodpecker API every 6h, keeping global secrets in sync. Woodpecker deploy
+pipelines authenticate to the cluster via the in-cluster `woodpecker-agent` SA
+(cluster-admin); Vault K8s auth backs any secret reads.
 
 ## Decisions & Rationale
 
-### Why GitHub Actions + Woodpecker?
+### Why all builds off-infra (ADR-0002)?
 
-**Alternatives considered**:
-1. **Woodpecker-only**: Simple, but wastes cluster resources on builds
-2. **GHA-only**: No cluster access, requires kubectl from outside (security risk)
-3. **Hybrid (chosen)**: GHA for compute-heavy builds (free), Woodpecker for privileged deployments (secure cluster access)
+- **Breaks the circular dependency** — the images needed to repair the cluster
+  no longer live inside it (they're on ghcr, an external registry).
+- **Removes build IO + registry push load** from the contended homelab spindle.
+- GHA is free on public repos and generous on private; buildx provenance:false
+  sidesteps the orphaned-index-children failure class that plagued the
+  in-cluster registry.
+- **Clean cut** — no in-cluster fallback builds anywhere; one pattern,
+  fleet-wide.
 
-**Benefits**:
-- Free compute for builds on public repos
-- Cluster access stays internal (Woodpecker has direct K8s access)
-- Separation of concerns: build vs deploy
+### Why ghcr (not push back to Forgejo)?
 
-### Why 8-Character SHA Tags (Not :latest)?
+Forgejo's container registry repeatedly orphaned OCI index children
+(2026-04-13/19, 2026-05-04, 2026-06-10) and its retention is not container-aware.
+ghcr is external (DR-safe), free for this scale, and has native multi-arch
+handling. The Forgejo registry was frozen + emptied (issue #32).
 
-- Pull-through cache serves stale `:latest` tags indefinitely
-- SHA tags ensure every deployment pulls the correct image
-- 8 characters provide sufficient collision resistance (16^8 = 4.3 billion combinations)
+### Why Woodpecker stays for deploy?
 
-### Why Numeric Repo IDs for Woodpecker API?
+`kubectl set image` needs in-cluster privileged access; doing it from GHA would
+mean exposing kube-apiserver or a long-lived kubeconfig. Woodpecker's
+`woodpecker-agent` SA is already cluster-admin in-cluster — the deploy step
+needs no credentials.
 
-- Woodpecker API requires numeric IDs (not owner/name slugs)
-- IDs are stable across repo renames
-- Must be manually looked up from Woodpecker UI or database
+### Why `event: manual` on deploy.yml?
 
-### Why linux/amd64 Only?
+The Forgejo→GitHub push-mirror sends raw, tag-less pushes to the GitHub mirror.
+If `deploy.yml` fired on `push`, every mirror sync would trigger a deploy with no
+image tag. `manual` means only the GHA `deploy` job's explicit API POST (with
+`IMAGE_TAG`) deploys.
 
-- Cluster runs on x86_64 nodes only
-- ARM builds would waste time and storage
-- Multi-arch images add complexity without benefit
+### Why linux/amd64 only?
+
+The cluster runs on x86_64 nodes only; ARM builds waste time and storage.
 
 ## Troubleshooting
 
-### GHA Build Fails: "denied: requested access to the resource is denied"
+### GHA build fails: ghcr push "denied"
 
-**Cause**: DockerHub credentials expired or incorrect
+The workflow `GITHUB_TOKEN` needs `packages: write` permission and the package
+must allow the repo to push. Check the workflow `permissions:` block and the
+package's "Manage Actions access" settings.
+
+### Image pull fails: "ErrImagePull" / "ImagePullBackOff"
 
-**Fix**:
 ```bash
-# Regenerate DockerHub token
-# Update GitHub repo secrets: DOCKERHUB_USERNAME, DOCKERHUB_TOKEN
+# Public image — check the pull-through cache is up
+curl http://10.0.20.10:5010/v2/_catalog
+
+# Private image — verify the ghcr-credentials Secret exists in the namespace
+kubectl get secret ghcr-credentials -n <namespace>
+# It's Kyverno-synced to an allowlist; if missing, the namespace isn't on the
+# allowlist in stacks/kyverno/modules/kyverno/ghcr-credentials.tf
 ```
 
-### Woodpecker Deploy Fails: "Unauthorized"
+If the cause is the internal-DNS hairpin (fresh pulls timing out on the public
+Forgejo path), see the CoreDNS `viktorbarzin.me` carve-out in
+`docs/architecture/networking.md` and `docs/runbooks/registry-vm.md`.
 
-**Cause**: Vault K8s auth token expired or invalid
+### Deploy didn't happen after a push
 
-**Fix**:
-```bash
-# Restart Woodpecker pipeline (token auto-renewed)
-# Check Vault K8s auth role exists: vault read auth/kubernetes/role/woodpecker-deployer
-```
+Confirm the push was to **master** (feature branches build/deploy nothing).
+Check the GHA run completed the `deploy` job, then check Woodpecker received the
+manual pipeline (`ci.viktorbarzin.me`, the GitHub-mirror deploy repo). Verify
+live with `kubectl rollout status` — not the CI checkmark.
 
-### Image Pull Fails: "ErrImagePull"
+### Woodpecker deploy fails: "YAML: did not find expected key"
 
-**Cause**: Pull-through cache or registry credentials issue
-
-**Fix**:
-```bash
-# Check pull-through cache is running
-curl http://10.0.20.10:5000/v2/_catalog
-
-# Verify registry-credentials Secret exists in namespace
-kubectl get secret registry-credentials -n <namespace>
-
-# Manually sync credentials if missing
-kubectl get secret registry-credentials -n default -o yaml | \
-  sed 's/namespace: default/namespace: <namespace>/' | kubectl apply -f -
-```
-
-### Woodpecker Pipeline: "YAML: did not find expected key"
-
-**Cause**: Unquoted command with `${VAR}:${VAR}` syntax when VAR is empty
-
-**Fix**: Quote the command:
-```yaml
-commands:
-  - "kubectl set image deployment/app app=viktorbarzin/app:${SHORT_SHA}"
-```
-
-### travel_blog Build Times Out on GHA
-
-**Cause**: 5.7GB content directory exceeds GHA disk/time limits
-
-**Fix**: Keep on Woodpecker (no migration). Build uses cluster storage and resources.
-
-### CI/CD Secrets Out of Sync
-
-**Cause**: CronJob failed to sync Vault → Woodpecker
-
-**Fix**:
-```bash
-# Check CronJob status
-kubectl get cronjob -n woodpecker
-
-# Manually trigger sync
-kubectl create job --from=cronjob/sync-secrets manual-sync -n woodpecker
-```
+Unquoted command with `${VAR}:${VAR}` syntax when a VAR is empty. Quote the
+command (see the deploy.yml example above).
 
 ## Related
 
-- [Databases Architecture](./databases.md) — Database credentials via Vault
-- [Multi-Tenancy](./multi-tenancy.md) — Per-user Woodpecker access
-- Runbook: `../runbooks/deploy-new-app.md` — How to set up CI/CD for a new app
-- Runbook: `../runbooks/troubleshoot-image-pull.md` — Debug image pull issues
-- Vault documentation: K8s auth configuration
-- Woodpecker documentation: API reference
+- ADR: `../adr/0002-all-image-builds-off-infra-gha-ghcr.md` — the decision
+- [Databases Architecture](./databases.md) — database credentials via Vault
+- [Multi-Tenancy](./multi-tenancy.md) — per-user Woodpecker access
+- Runbook: `../runbooks/forgejo-registry-breakglass.md` — using the frozen registry
+- Runbook: `../runbooks/registry-vm.md` — pull-through cache VM + image-pull debugging
+- Onboarding tool: `../../scripts/offinfra-onboard` + `../../scripts/offinfra-templates/`
diff --git a/docs/architecture/compute.md b/docs/architecture/compute.md
index d4ccf6e1..0f6ff092 100644
--- a/docs/architecture/compute.md
+++ b/docs/architecture/compute.md
@@ -22,9 +22,11 @@ graph TB
         NODE2["VM 202: k8s-node2<br/>8c / 32GB"]
         NODE3["VM 203: k8s-node3<br/>8c / 32GB"]
         NODE4["VM 204: k8s-node4<br/>8c / 32GB"]
+        NODE5["VM 205: k8s-node5<br/>8c / 32GB"]
+        NODE6["VM 206: k8s-node6<br/>8c / 32GB"]
     end
 
-    subgraph K8s["Kubernetes Cluster v1.34.2"]
+    subgraph K8s["Kubernetes Cluster v1.34.8"]
         direction TB
 
         subgraph VPA["VPA (Goldilocks - Initial Mode)"]
@@ -62,7 +64,7 @@ graph TB
 | Model | Dell PowerEdge R730 |
 | CPU | 1x Intel Xeon E5-2699 v4 (22 cores / 44 threads, CPU2 unpopulated) |
 | Total Cores/Threads | 22 cores / 44 threads |
-| RAM | 272GB DDR4-2400 ECC RDIMM physical (10 DIMMs: 8x32G Samsung + 2x8G Hynix). VMs use ~176GB total (k8s-node1 48GB + 4 K8s VMs x 32GB) |
+| RAM | 272GB DDR4-2400 ECC RDIMM physical (10 DIMMs: 8x32G Samsung + 2x8G Hynix). K8s VMs use ~240GB total (k8s-node1 48GB + 6 K8s VMs x 32GB) |
 | GPU | NVIDIA Tesla T4 (16GB GDDR6, PCIe 0000:06:00.0) |
 | Storage | 1.1TB SSD + 931GB SSD + 10.7TB HDD |
 | Hypervisor | Proxmox VE |
@@ -76,8 +78,10 @@ graph TB
 | k8s-node2 | 202 | 8 | 32GB | vmbr1:vlan20 | Worker | None |
 | k8s-node3 | 203 | 8 | 32GB | vmbr1:vlan20 | Worker | None |
 | k8s-node4 | 204 | 8 | 32GB | vmbr1:vlan20 | Worker | None |
+| k8s-node5 | 205 | 8 | 32GB | vmbr1:vlan20 (10.0.20.105) | Worker (joined 2026-05-26) | None |
+| k8s-node6 | 206 | 8 | 32GB | vmbr1:vlan20 (10.0.20.106) | Worker (joined 2026-05-26) | None |
 
-**Total Cluster Resources**: 48 vCPUs, ~176GB RAM (k8s-node1 48GB + 4 nodes x 32GB)
+**Total Cluster Resources**: 64 vCPUs, ~240GB RAM (k8s-node1 16c/48GB + master and 5 workers at 8c/32GB each)
 
 > **All Linux VMs are hand-managed in Proxmox, NOT in Terraform**
 > (decided 2026-05-26, commit 44c3770a). The telmate/proxmox v3.0.2
@@ -97,7 +101,12 @@ graph TB
 > PVE host (sources in `infra/scripts/`, install pattern per
 > `architecture/backup-dr.md`). Timer fires `OnBootSec=5min` +
 > `OnCalendar=hourly`, so any drift (config restore, manual `qm
-> set`, fresh clone) self-heals within the hour. Current caps:
+> set`, fresh clone) self-heals within the hour. The script compares
+> *normalized option sets*, so an unchanged config is a true no-op —
+> until 2026-06-11 a raw string compare (defeated by `qm config`'s
+> canonical key order) re-issued `qm set` hourly against running VMs,
+> live-rewriting QEMU throttle state via QMP (implicated in the devvm
+> I/O stall; see `post-mortems/2026-06-11-devvm-qemu-io-stall.md`). Current caps:
 > 102 devvm 60/60, 103 home-assistant 40/40, 200 k8s-master 100/60,
 > 201 k8s-node1 150/120, 202 k8s-node2 150/120, 203 k8s-node3 150/120,
 > 204 k8s-node4 150/120, 220 docker-registry 40/40.
diff --git a/docs/architecture/dns.md b/docs/architecture/dns.md
index e90956d2..6150d226 100644
--- a/docs/architecture/dns.md
+++ b/docs/architecture/dns.md
@@ -258,19 +258,27 @@ The TP-Link AP (dumb AP on 192.168.1.x) does not support hairpin NAT. LAN client
 Technitium's **Split Horizon AddressTranslation** app post-processes DNS responses for 192.168.1.0/24 clients, translating the public IP to the internal Traefik LB IP:
 
 ```
-176.12.22.76 → 10.0.20.200
+176.12.22.76 → 10.0.20.203
 ```
 
+(Was `10.0.20.200` until Traefik's 2026-05-30 move to its dedicated `.203` LB IP.)
+
 **DNS Rebinding Protection** has `viktorbarzin.me` in `privateDomains` to allow the translated private IP without being stripped as a rebinding attack.
 
 ### Scope
 
 - **Affected**: Non-proxied domains (ha-sofia, immich, headscale, calibre, vaultwarden, etc.) for 192.168.1.x clients
 - **Not affected**: Cloudflare-proxied domains (resolve to Cloudflare edge IPs, no translation needed)
-- **Not affected**: 10.0.x.x and K8s clients (reach public IP via pfSense outbound NAT normally)
+- **10.0.x.x clients (k8s nodes, devvm, other VMs)** — handled at the resolver since 2026-06-10: **pfSense Unbound carries a domain override forwarding the whole `viktorbarzin.me` zone to Technitium** (`10.0.20.201`). Technitium's split-horizon zone answers with the zone apex A record, which auto-tracks the live Traefik LB IP (`technitium-ingress-dns-sync` CNAMEs every ingress host hourly; `viktorbarzin-apex-probe` is the drift canary). Every client of pfSense Unbound — all VLANs, k8s nodes included — therefore gets internal answers with **zero per-host configuration** (no `/etc/hosts` pins, no resolved drop-ins; both earlier same-day approaches were removed, nodes are stock). Names not behind Traefik keep distinct records in the zone (e.g. `mail.viktorbarzin.me → 10.0.20.1`, verified working on :993/:25; since 2026-06-10 its :443 also works internally — pfSense carries an SNI-routed HAProxy frontend on 443 that sends hostname traffic to Traefik and bare-IP/no-SNI traffic to the webGUI, which moved to :8443; see `docs/runbooks/mailserver-pfsense-haproxy.md`). See `docs/runbooks/pfsense-unbound.md` for the override config + rollback, and `docs/post-mortems/2026-06-10-tuya-bridge-forgejo-pull-hairpin.md` for the incident that motivated this (kubelet forgejo pulls riding the broken hairpin; the containerd hosts.toml mirror cannot fix it — Traefik 404s bare-IP requests and the registry auth realm is an absolute public URL).
+  - **devvm**: also covered by a `~viktorbarzin.me → 10.0.20.201` resolved routing domain (predates the pfSense override, provisioned by `setup-devvm.sh`) — redundant-but-harmless belt-and-suspenders.
+  - **in-cluster PODS are ordinary internal clients too** (since 2026-06-10 evening): CoreDNS's dedicated `viktorbarzin.me:53` block (in `stacks/technitium`, TF-managed) forwards to the Technitium ClusterIP (`10.96.0.53`, same as the `.lan` block), so pods get the same split-horizon answers as everyone else. This works because on k8s 1.34 **pods CAN reach the ETP=Local Traefik LB IP** — kube-proxy short-circuits in-cluster traffic to LB IPs via the cluster path (verified from pods on three non-Traefik nodes; re-verify after major k8s upgrades — the canary is the uptime-kuma `[External]` fleet going red). forgejo stays pinned to Traefik's **ClusterIP** in the same block so CI pushes survive a Technitium outage. History: the block briefly forwarded to `8.8.8.8/1.1.1.1` (morning of 2026-06-10), which kept pods on public IPs and the broken TP-Link NAT loopback — 27 non-proxied `[External]` uptime-kuma monitors dark (beads code-yh33). Note: in-cluster `[External]` monitors now test DNS+Traefik+service via the internal path for ALL names, including Cloudflare-proxied ones — genuine edge-path fidelity is the job of a true external vantage (ha-london), not in-cluster probes.
+  - **Trade-off**: `viktorbarzin.me` resolution via pfSense now depends on in-cluster Technitium (3 replicas). During a full cluster outage the zone SERVFAILs LAN-wide — acceptable, the services behind it are down anyway; node bootstrap images pull via the IP-addressed `10.0.20.10` mirrors, so cold-start self-unwinds.
+  - **Residual nondeterminism**: nodes keep `94.140.14.14` as a secondary resolver (netplan/qm `--nameserver`). If systemd-resolved fails over to it during a pfSense DNS blip, `.me` answers are public again until it switches back — a rare, self-healing window, accepted.
 
 Config is synced to all 3 Technitium instances by CronJob `technitium-split-horizon-sync` (every 6h).
 
+**Superset rule for the internal `viktorbarzin.me` zone**: it is authoritative for every internal client (pods included since 2026-06-10), so it must carry every record type those clients consume — not just ingress A/CNAMEs. The `technitium-ingress-dns-sync` CronJob therefore also maintains the static **mail-auth records** (apex SPF + brevo-code TXT, MX → mail.viktorbarzin.me, `_dmarc`, `mail._domainkey` DKIM), mirrored from the public Cloudflare zone. Without them, rspamd on the mailserver saw `SPF=none` for inbound `@viktorbarzin.me` mail and quarantined it (broke the Brevo email-roundtrip probe, 2026-06-10). If these records change in Cloudflare, update the sync script too.
+
 ## NodeLocal DNSCache
 
 A DaemonSet in `kube-system` (`node-local-dns`, image `registry.k8s.io/dns/k8s-dns-node-cache:1.23.1`) runs on every node including the control plane. Each pod uses `hostNetwork: true` + `NET_ADMIN` and installs iptables NOTRACK rules so it transparently serves DNS on both:
@@ -456,13 +464,21 @@ The zone-sync CronJob (runs every 30min) pushes the following to the Prometheus
 
 ### Hairpin NAT Not Working (LAN → *.viktorbarzin.me Fails)
 
-Since 2026-04-19 (Workstream D), pfSense Unbound answers LAN DNS queries
-directly instead of forwarding to Technitium, so the Technitium Split Horizon
-post-processing does NOT run for 192.168.1.x clients anymore. Non-proxied
-services break hairpin on LAN clients again. Options:
+**Since 2026-06-10 this is largely solved at the resolver**: pfSense Unbound
+carries a domain override forwarding the entire `viktorbarzin.me` zone to
+Technitium, so ANY client that queries pfSense (all VLANs + 192.168.1.x
+clients pointed at `192.168.1.2`) gets the internal Traefik answer. If
+hairpin still fails for a client, first check which resolver it actually
+uses — clients on the TP-Link's own DHCP DNS (router/ISP) bypass pfSense
+entirely. Options for those:
+
+(Historical context: 2026-04-19 Workstream D made Unbound answer LAN
+queries directly, which had removed the Technitium Split Horizon
+post-processing from the LAN path until the 2026-06-10 domain override
+restored internal answers at the zone level.)
 
 1. **Switch service to proxied Cloudflare** (preferred) — set `dns_type = "proxied"` in the `ingress_factory` module call; DNS now resolves to Cloudflare edge, hairpin-independent.
-2. **Add a local-data override on pfSense Unbound** — under `Services → DNS Resolver → Host Overrides`, set `<service>.viktorbarzin.me → 10.0.20.200` (Traefik LB IP). This is equivalent to what Split Horizon did, applied at the resolver.
+2. **Add a local-data override on pfSense Unbound** — under `Services → DNS Resolver → Host Overrides`, set `<service>.viktorbarzin.me → 10.0.20.203` (Traefik LB IP). This is equivalent to what Split Horizon did, applied at the resolver.
 3. **Revert to prior NAT rdr + Technitium Split Horizon** — documented in `docs/runbooks/pfsense-unbound.md` rollback section.
 
 K8s-side Split Horizon is still configured and applies when `*.viktorbarzin.me` queries DO reach Technitium (e.g., from pods that query via CoreDNS → Technitium forwarding for `.viktorbarzin.me` via pfSense). Verify Technitium split-horizon app:
@@ -470,7 +486,7 @@ K8s-side Split Horizon is still configured and applies when `*.viktorbarzin.me`
 1. Verify Split Horizon app is installed on all instances
 2. Check CronJob status: `kubectl get cronjob -n technitium technitium-split-horizon-sync`
 3. Run the job manually: `kubectl create job --from=cronjob/technitium-split-horizon-sync test-sh -n technitium`
-4. Test: `dig @10.0.20.201 immich.viktorbarzin.me` — should return 10.0.20.200 for 192.168.1.x source
+4. Test: `dig @10.0.20.201 immich.viktorbarzin.me` — should return 10.0.20.203 for 192.168.1.x source
 
 ### Zone Not Replicating to Secondary/Tertiary
 
diff --git a/docs/architecture/monitoring.md b/docs/architecture/monitoring.md
index 28daac25..3c75a345 100644
--- a/docs/architecture/monitoring.md
+++ b/docs/architecture/monitoring.md
@@ -119,12 +119,18 @@ no `level` stream label.
 cluster error/warn line counts (5-min window) → `sensor.cluster_log_errors_5m` /
 `sensor.cluster_log_warnings_5m`, for a compact trend card on the Барзини status
 view plus a Grafana-link button. Those sensors reach Loki via the Traefik LB IP
-`10.0.20.203` + a `Host: loki.viktorbarzin.lan` header (`verify_ssl: false`)
-because `loki.viktorbarzin.lan` has **no Technitium record yet** (the
-`technitium-ingress-dns-sync` CronJob only creates `.me` CNAMEs + pins
-`ingress.viktorbarzin.lan`). **Follow-up:** register `loki.viktorbarzin.lan` in
-Technitium (or fix the `*.viktorbarzin.lan` wildcard) so both this sensor and the
-Sofia-Pi promtail can resolve it by name instead of pinning the LB IP.
+`10.0.20.203` + a `Host: loki.viktorbarzin.lan` header (`verify_ssl: false`).
+**Update 2026-06-10:** `loki.viktorbarzin.lan` is now **registered in Technitium**
+as a CNAME → `ingress.viktorbarzin.lan` (the anchor whose A record auto-tracks the
+live Traefik LB IP), added via the Technitium API and AXFR-replicated to all 3
+instances — so it resolves by name LAN-wide. The **PVE host** promtail (see
+"External host: pve" below) uses the name directly, with **no `/etc/hosts` pin**.
+This HA sensor and the rpi-sofia promtail still pin the LB IP in their own configs
+and can drop to the name on next touch (`verify_ssl: false` / `insecure_skip_verify`
+stays — the internal `.lan` cert isn't publicly trusted). Per-host `.lan` CNAMEs
+are still added manually via the API; auto-managing them in
+`technitium-ingress-dns-sync` (today `.me`-only + the `ingress.viktorbarzin.lan`
+anchor) remains a follow-up.
 
 ### External host: rpi-sofia (Sofia Raspberry Pi)
 
@@ -140,12 +146,29 @@ Query examples (Grafana → Loki): `{job="rpi-sofia-journal"}`, `{job="rpi-sofia
 
 **Dashboard** — `dashboards/rpi-sofia.json` ("RPi Sofia", Hardware folder): status, undervoltage/throttle, SoC temp, load, memory, root-fs free + read-only, network.
 
-**Alerts** (group `RPi Sofia` in `prometheus_chart_values.tpl`): `RpiSofiaDown` (`up==0`), `RpiSofiaFilesystemReadonly` (`node_filesystem_readonly{mountpoint="/"}==1` — the SD-failure signature), `RpiSofiaUndervoltage` (`rpi_under_voltage_occurred==1`), `RpiSofiaHighTemp`.
+**Alerts** (group `RPi Sofia` in `prometheus_chart_values.tpl`): `RpiSofiaDown` (`up==0`), `RpiSofiaFilesystemReadonly` (`node_filesystem_readonly{mountpoint="/"}==1` — the SD-failure signature), `RpiSofiaUndervoltage` (`increase(rpi_under_voltage_occurred[1h])>0` — edge-triggered on the sticky bit; the live `rpi_under_voltage_now` bit is too transient to catch at 1-min sampling, so it fires on a *new* brown-out and auto-resolves ~1h later instead of latching until reboot), `RpiSofiaHighTemp`.
 
 **Recovery** — a systemd hardware watchdog (`RuntimeWatchdogSec=14s`, bcm2835 max ~15s) auto-reboots the Pi on a hard hang instead of leaving it dead for hours.
 
 > The cluster side (scrape job, alerts, Loki ingress, dashboard) is Terraform-managed in `stacks/monitoring/`. The **Pi-side** pieces (node_exporter, the textfile collector + timer, promtail, the watchdog config, and the `server=/viktorbarzin.lan/192.168.1.2` dnsmasq split-horizon forward needed to resolve the Loki ingress) are configured by hand on the Pi — it is not under Terraform — and are backed up off-box at `/home/wizard/rpi-sofia-backup/`. The real reliability fix (reflash/replace the SD card) needs on-site access.
 
+### External host: pve (Proxmox hypervisor, 192.168.1.127)
+
+`pve` is the Proxmox VE host — the hypervisor running **every** VM (pfSense, the 5 k8s nodes, the devvm, HA, Windows). It is not in the cluster. Since 2026-06-10 its **full systemd journal ships to cluster Loki**, closing a gap (the most critical host previously had no central logging) and giving the Wave-1 **S1** security rule its data source (`docs/architecture/security.md`).
+
+**Why now:** emo's Claude agent was granted **root SSH** to the host (a dedicated shared-root key `emo-pve-agent@devvm`, fingerprint `SHA256:Wd+m0EABlm4RDDykDh85PIYSqe0Al8Hr9AZ+7Ksy4HQ`, reachable as `ssh pve` from the devvm) so he can manage the host (e.g. the R730 fan daemon) via his agent. To keep an audit trail, **snoopy** (enabled via `/etc/ld.so.preload` → `libsnoopy.so`; config `scripts/pve-snoopy.ini`) logs every `execve()` to journald under identifier `snoopy`, and promtail ships it to Loki.
+
+**Logs** — `promtail` v3.5.1 (amd64) at `/usr/local/bin/promtail`, config `scripts/pve-promtail.yaml`, unit `scripts/pve-promtail.service`. Ships `/var/log/journal` to `https://loki.viktorbarzin.lan/loki/api/v1/push` (`insecure_skip_verify` — the internal `.lan` cert isn't publicly trusted; the name resolves via the Technitium CNAME above, no `/etc/hosts` pin). Relabels: `unit`, `level`, `identifier`; sshd lines (`identifier=~"sshd.*"`) are re-jobbed to `sshd-pve` so the S1 rule matches. Streams:
+- `{job="pve-journal", host="pve"}` — full host journal (kernel, pvestatd, fan-control, NFS, etc.).
+- `{job="pve-journal", identifier="snoopy"}` — **command audit** (every execve: `uid login tty sid cwd cmdline`).
+- `{job="sshd-pve"}` — sshd auth; an `Accepted publickey ... SHA256:<fp>` line ties a session to a key (e.g. emo's fp above). Feeds S1.
+
+**Attribution caveat:** all SSH is shared-root, so snoopy `uid`/`login` are always `root`; attribute a command to a person by correlating its `sid`/timestamp with the matching `{job="sshd-pve"}` Accepted-publickey line (key fingerprint). emo's agent arrives SNAT'd as `192.168.1.2`, which is in the S1 allowlist, so legitimate access does not alert.
+
+Query examples (Grafana → Loki): `{host="pve"}`, `{job="pve-journal", identifier="snoopy"}` (command audit), `{job="sshd-pve"} |= "Accepted publickey"`.
+
+> Hand-managed (not Terraform), like the rpi-sofia and fan-control pieces: the promtail binary/config/unit and the snoopy enable (`/etc/ld.so.preload`) live on the host (Loki resolves via the Technitium CNAME — no `/etc/hosts` pin). Source-of-truth files: `scripts/pve-promtail.{yaml,service}` + `scripts/pve-snoopy.ini`; deploy steps are in the `pve-promtail.yaml` header.
+
 ### Dell R730 iDRAC: SNMP-primary + Redfish remnant (migrated 2026-06-05)
 
 The R730 iDRAC (`192.168.1.4` / `idrac.viktorbarzin.lan`) is monitored by **two** Prometheus jobs, both relabeled to the `r730_idrac_*` prefix (which historically hid which source served what). Design/plan: `docs/plans/2026-06-05-idrac-snmp-migration-{design,plan}.md`.
diff --git a/docs/architecture/multi-tenancy.md b/docs/architecture/multi-tenancy.md
index 2e66ae21..c64a146c 100644
--- a/docs/architecture/multi-tenancy.md
+++ b/docs/architecture/multi-tenancy.md
@@ -541,11 +541,33 @@ Separate from the in-cluster namespace-owner model above, the **devvm** (`10.0.1
 
 **RBAC tiers:** `admin` (Viktor — cluster-admin, unlocked tree, secrets) · `power-user` (cluster-wide read-only, NO Secrets, via a dedicated `oidc-power-user-readonly` ClusterRole) · `namespace-owner` (admin in own namespace only). Each session acts as the user's **own** OIDC identity (kubelogin), never the admin's.
 
-**Config inheritance (live):** wizard authors the base (his chezmoi-versioned `~/.claude`). Two native layers carry it to every user — the enforced org `claudeMd` in `/etc/claude-code/managed-settings.json` (top precedence, all sessions) and per-user `~/.claude/{skills,rules,…}` **symlinks** to the base (seeded via `/etc/skel`; edits propagate live). Secrets stay per-user at mode 600, never symlinked.
+**Config inheritance (live):** wizard authors the base (his chezmoi-versioned `~/.claude`). Two native layers carry it to every user — the enforced org `claudeMd` in `/etc/claude-code/managed-settings.json` (top precedence, all sessions) and per-user `~/.claude/{skills,rules,…}` **symlinks** to the base (seeded via `/etc/skel`; edits propagate live). Secrets stay per-user at mode 600, never symlinked. **The managed config self-deploys from the repo** (2026-06-10): the hourly reconcile's `sync_managed_config` installs `scripts/workstation/managed-settings.json` to `/etc/claude-code/` whenever the repo copy changes — so editing the claudeMd = edit + commit, no manual install — and `refresh_codex_mirror` regenerates each user's `~/.codex/AGENTS.md` (a static mirror of the claudeMd; only files carrying the mirror header are touched, user-customized ones are left alone). Repo-level guidance (`.claude/CLAUDE.md`, `AGENTS.md`, `CONTEXT.md` in the infra repo) reaches non-admins through their auto-freshened clones — commit + push and every user has it within the hour.
 
-**Infra access:** non-admins get their own **writable, git-crypt-LOCKED** clone of the (public) infra repo at `~/code` — code/docs plaintext, secret files (`*.tfvars`, `secrets/**`) stay ciphertext. Changes are ungated (push ≠ apply); the real boundary is apply-time (`scripts/tg apply` needs an admin Vault token + cluster RBAC).
+**Memory — homelab CLI hooks (rolled out 2026-06-21, deploy-fixed 2026-06-22):** the per-user `claude_memory` MCP was retired for the **homelab-memory hooks** — the reconcile's `install_memory` (re)installs four scripts into `~/.claude/hooks/` each run (`homelab-memory-recall.py` UserPromptSubmit recall, `auto-learn.py` Stop-hook extraction, `pre-compact-backup.sh`/`post-compact-recovery.sh`), wires them into `settings.json` if-absent + additive, and removes the old `claude_memory` MCP. **The provisioner binary itself now self-deploys from the repo** (step 0: `bash -n`-gated `install` + re-exec when `scripts/t3-provision-users.sh` differs from `/usr/local/bin/t3-provision-users`, guarded against re-exec loops / DRY_RUN mutation) — added after this very rollout sat committed-but-undeployed for a day (only the manual `setup-devvm.sh` had ever deployed the binary), so the hourly reconcile kept running the pre-memory version and emo/anca silently lost memory (recall + auto-learn never wired). A latent `set -e` abort in `install_memory` (a bare `[[ -d plugin-dir ]] && …` returning non-zero) was also fixed; it had killed the reconcile after the first user the first time it actually ran. The hooks need a `MEMORY_API_KEY` (or `CLAUDE_MEMORY_API_KEY`) in the user's `settings.json` env — the `homelab` CLI defaults the API URL, so **the key is the only hard requirement**; `install_memory` reuses an existing key and only WARNs if absent (it does NOT mint one — that's an admin Vault step, see Remaining). wizard + emo carry a key from their original MCP setup; **ancamilea is keyless → her memory no-ops until a key is minted.** (`auto-learn.py`'s passive store calls the API directly, so it additionally needs `*_API_URL` in env to avoid its local-SQLite fallback; recall + manual `homelab memory store` go through the URL-defaulting CLI and need only the key.)
 
-**Status (2026-06-08):** built + verified on the live host — capacity (8 GiB swap), config inheritance, roster-driven provisioner, per-user locked clone, **per-user OIDC kubeconfig + the `oidc-power-user-readonly` ClusterRole + emo's `k8s_users` entry (applied + impersonation-verified), and the Authentik `T3 Users` edge gate (applied + verified)**. **Remaining (held / future):** the emo cutover to his own locked clone (Phase 5), the offboarding apply-side (Phase 7), per-user MCP/auth injection, and roster-reconciled `T3 Users` membership. See `../runbooks/offboard-user.md` for deprovisioning.
+**Agent skills — vendored own-copies for an allowlist (2026-06-23):** beyond the config-inheritance base (above, which symlinks the admin's `~/.claude/skills` into every user), the reconcile's `install_skills` gives users on the `SKILL_USERS` allowlist (currently `emo`) their OWN copies of a curated skill set vendored in-repo at `scripts/workstation/claude-skills/` (16: the admin's 15 `mattpocock/skills` + `find-skills` from `vercel-labs/skills`). It copies each into `~/.agents/skills/<name>` (owned by the user, parent `~/.agents` chowned too — `install -d` leaves intermediates root-owned) and points `~/.claude/skills/<name>` at it with a **relative** symlink (`../../.agents/skills/<name>` — the layout `skills add -g` produces; Claude Code reads `~/.claude/skills/`). **Vendored, NOT `npx skills add`:** upstream drifted off this exact set (`diagnose`→`diagnosing-bugs`, `write-a-skill`→`writing-great-skills` renamed; `caveman` + `zoom-out` unpublished), so npx can't reproduce it — and a per-reconcile GitHub clone + unpinned-CLI dependency has no place in the hourly root job; refresh by re-snapshotting (`claude-skills/README.md`). **if-absent keys on the user's OWN copy** (a real dir under `~/.agents/skills`), so a steady-state reconcile is a no-op AND a stale or cross-user `~/.claude/skills` symlink is healed to the own copy — emo had `grill-me`/`file-issue` symlinked into the admin's home; `grill-me` is now emo's own (`file-issue` is outside the set, left as-is). A real dir squatting a name is never clobbered. Best-effort tail (`return 0`, like `install_memory`). Extend coverage = edit `SKILL_USERS`.
+
+**Onboarding state self-heals (2026-06-15):** `~/.claude.json` is a single file that ALL of a user's concurrent `claude` processes (the ttyd terminal + their `t3-serve` instance + agent/SDK sessions) read-modify-write, so a stale writer periodically drops top-level keys — including `hasCompletedOnboarding` — which bounces the next *interactive* session back to the first-run "Choose the text style" wizard even though the user is fully logged in (credentials live in the SEPARATE `~/.claude/.credentials.json`, untouched by the race; first observed for emo 2026-06-15). The launcher (`skel/start-claude.sh`) now idempotently re-asserts `hasCompletedOnboarding` (+ `lastOnboardingVersion`) in `~/.claude.json` right before it runs `claude` — merge-only, never clobbers other keys, no-op if jq is missing or the file is empty/corrupt. And since the launcher is a per-user copy that `/etc/skel` only seeds at account creation, the reconcile's new `deploy_user_launcher` step re-copies `skel/start-claude.sh` into every non-admin home (copy-if-changed) so launcher edits now reach EXISTING users within the hour — `.tmux.conf` is deliberately NOT re-copied (terminal-lobby appends its own managed section to it).
+
+**Claude Code runtime — native, per-user (2026-06-15):** `claude` is the **native** install (`~/.local/bin/claude` → `~/.local/share/claude/versions/<v>`, self-updating; `installMethod: native`) — NOT npm-global or npx. It is the runtime for both the ttyd launcher and each `t3-serve` instance. `setup-devvm.sh` installs node ONLY for the `t3` CLI (not claude); per-user native claude is provisioned by the reconcile's `install_user_claude_native` (covers terminal + t3, idempotent, skip-if-present) and self-bootstrapped by `start-claude.sh` on first launch — both via the official `https://claude.ai/install.sh`. The legacy machine-wide `npm install -g @anthropic-ai/claude-code` bootstrap and the launcher's `npx` fallback were removed; existing users had already auto-migrated to native, and the npm-global dir was empty. **PATH (`~/.local/bin`, where the native binary lives):** ensured three ways — `/etc/profile.d/10-local-bin.sh` for login shells (machine-wide, fresh-user-safe), `start-claude.sh` itself (the launcher runs in tmux's non-login env that skips the user's shell rc), and `t3-serve@.service` (`Environment=PATH=…:/home/%i/.local/bin`).
+
+**Claude authentication — per-user, self-renewing, Vault-recoverable (2026-06-20):** every roster user logs in with their OWN Enterprise identity; shared `CLAUDE_CODE_OAUTH_TOKEN` injection was removed because environment auth outranks local login and collapses identity/audit/quota. Claude owns access-token refresh in `~/.claude/.credentials.json`. A system template timer (`claude-auth-sync@<user>.timer`, every 6h) renews a dedicated 32-day periodic Vault token, validates Claude with real non-persistent Haiku inference (`auth status` can lie during a 401), backs up only `claudeAiOauth` to `secret/workstation/claude-users/<os_user>`, and performs one atomic Vault restore/retry on failure while preserving `mcpOAuth`. Vault policy `workstation-claude-<os_user>` isolates every path; the roster generates policies for present and future users. A hard refresh-token revocation still requires the affected person to complete SSO—there is no supported noninteractive bypass. Loki alert `WorkstationClaudeAuthInvalid` surfaces exhausted recovery. Runbook: `../runbooks/claude-auth-renew-workstation.md`.
+
+**Per-user browser MCP — playwright, reproducible from git (2026-06-16):** every user (incl. the admin) gets their OWN isolated `@playwright/mcp` server so their concurrent Claude sessions don't fight over tabs (`--isolated` → a fresh browser context per MCP connection), wired into Claude in **every directory** via a user-scope `~/.claude.json` entry (`playwright → http://localhost:<PLAYWRIGHT_PORT>/mcp`). Mechanism: **system-level template units** `playwright-mcp@<user>.service` + `playwright-snapshot-refresh@<user>.{service,timer}` (`User=%i`, sourced from `scripts/workstation/playwright/`, installed by `setup-devvm.sh` §9e — system manager, so NO systemd --user / linger). `roster_engine.py` allocates a sticky per-user `PLAYWRIGHT_PORT` (`PLAYWRIGHT_BASE_PORT=8931`); the reconcile's `install_playwright()` writes it, seeds the chrome-service snapshot token if-absent (staged from Vault `secret/chrome-service` to `/etc/t3-serve/chrome-service-token` by `setup-devvm.sh` §8c, since the hourly root reconcile has no Vault token), wires `~/.claude.json` by running `claude mcp add --scope user` AS the user (clobber-proof + if-absent, so it fixes existing/new/admin without rewriting a populated config), and `enable --now`s the instances (idempotent — never restarts a running server). The `@playwright/mcp` version is **pinned** in the unit (the `@latest`-silently-rolls-the-fleet footgun — see `T3_PIN`). Replaced the earlier hand-made `~/.config/systemd/user/playwright-*` units (one-time idle-gated migration; pre-migration emo/anca had servers running but never wired into their `.claude.json`). Cookie-warming pipeline + ops: `../runbooks/chrome-service-snapshot.md`.
+
+**Infra access:** non-admins get their own **writable, git-crypt-LOCKED** clone of the (public) infra repo — code/docs plaintext, secret files (`*.tfvars`, `secrets/**`) stay ciphertext. Its location depends on the per-user `code_layout` in `roster.yaml`: `single` (default) puts the clone AT `~/code`; `workspace` makes `~/code` a plain directory of per-project clones — the infra clone at `~/code/infra` plus each roster `repos` entry cloned from Forgejo `viktor/<name>` **as the user** (their PAT authenticates, so private repos work; clone failures WARN and retry next hour). Flipping a user to `workspace` auto-migrates their existing `~/code` clone to `~/code/infra` (local branches/dirty state survive; running processes follow the moved inode). ancamilea = workspace + `tripit` since 2026-06-10. The provisioner clones infra anonymously from the public GitHub mirror; **contribute access is wired per-user on top** (see below). The apply boundary still holds (`scripts/tg apply` needs an admin Vault token + cluster RBAC), but **pushing `master` is NOT inert** — the Forgejo→Woodpecker webhook fires `.woodpecker/default.yml` (`event: push, branch: master`, `require_approval: forks` only), which terragrunt-applies changed stacks. `master` is **branch-protected on Forgejo** (force-push disabled for everyone — history is append-only; push + merge whitelists = `viktor` + explicitly granted users, deploy keys allowed). **Allow-then-audit (Viktor, 2026-06-10):** `ebarzin` (emo) is on the whitelist and pushes straight to `master` — no PR gate. The tracking burden moves to: (a) **commit messages that record what + why** (the agent instructions in AGENTS.md and the managed claudeMd require the body to paraphrase the user's request), (b) the **`notify-nonadmin-push` Slack audit step** in `.woodpecker/default.yml` — every master push by a non-admin author is posted to Slack (admin pushes are not), and (c) non-admins **never use `[ci skip]`** so every change fires the pipeline (and thus the audit feed). Users NOT on the whitelist fall back to `<user>/<topic>` branches + PRs. **Clones stay fresh automatically** (2026-06-10): the hourly `t3-provision-users` reconcile runs `refresh_user_clone` over every managed clone — the infra clone and any workspace repos (fetch all remotes + fast-forward `master`, ONLY when on master with a clean tree and an upstream — dirty trees and local commits are left alone with a WARN) — and also `wire_forgejo_remote`, which idempotently adds the documented `forgejo` remote + `forgejo/master` upstream to infra clones that predate that contract. `start-claude.sh` does the same freshen at session launch (10s fetch cap per repo so an offline remote never stalls the session; workspace layouts freshen each repo under `~/code`).
+
+**Contribute access (per non-admin, manual — the anca/tripit PAT precedent):**
+1. Add their Forgejo user as a **write** collaborator on `viktor/infra` (`PUT /api/v1/repos/viktor/infra/collaborators/<login>`).
+2. Mint a PAT — the admin REST endpoint 404s here, use the in-pod CLI: `kubectl -n forgejo exec deploy/forgejo -- su -s /bin/sh git -c "forgejo admin user generate-access-token --username <login> --token-name devvm-infra-git --scopes 'write:repository'"`.
+3. Install it in their `~/.git-credentials` (`https://<login>:<token>@forgejo.viktorbarzin.me`, mode 600) + `git config --global credential.helper store`, set `user.name`/`user.email`.
+4. The reconcile wires the clone side automatically (`wire_forgejo_remote`): `forgejo` remote + `master` tracking `forgejo/master` on every non-admin infra clone (origin stays the anonymous GitHub mirror). No manual step since 2026-06-10.
+5. (Optional — Viktor's call per user) Grant direct master push: add their login to the `master` branch-protection push + merge whitelists (`PATCH /api/v1/repos/viktor/infra/branch_protections/master`). Done for `ebarzin` 2026-06-10.
+6. Verify: branch push succeeds; a `master` push succeeds for whitelisted users and is rejected with `Not allowed to push to protected branch` otherwise.
+
+**Web-terminal session persistence (2026-06-10):** the tmux-based web terminal's named sessions (each running one Claude conversation) survive devvm reboots — `tmux-persist-save.timer` (5-min) snapshots every terminal user's sessions (name, cwd, conversation uuid from argv or the cwd-slug transcript dir) to `/var/lib/tmux-persist/<user>.tsv`, and `tmux-persist-restore.service` recreates missing sessions at boot with `claude --resume <uuid>` (per-session idempotent; also handles partial loss). The web terminal also exposes an **on-demand "Restore sessions" button** (terminal-lobby: `tmux-api` `POST /restore` → the validated root `tmux-restore-user` wrapper → `tmux-persist restore <user>`, a single-user mode of the same script): the boot-only restore service never fires when an **OOM kills a user's tmux server *without* a reboot** (the common case under multi-user memory pressure), so the button covers that gap. This is a **tmux/terminal-surface** feature, deliberately outside the t3 namespace: the t3 chat surface persists its own threads (`~/.t3` state, plus the daily `t3-backup-state` dump), and Claude conversations themselves were always durable (`~/.claude/projects/`) — what this adds is the volatile tmux wiring.
+
+**Status (2026-06-20):** built + verified on the live host — capacity (8 GiB swap), config inheritance, roster-driven provisioner, per-user locked clone, per-user OIDC kubeconfig + the `oidc-power-user-readonly` ClusterRole + emo's `k8s_users` entry (applied + impersonation-verified), the Authentik `T3 Users` edge gate, **the emo Phase-5 cutover (own clone + launcher repoint + `code-shared` removal, completed 2026-06-10) and emo's contribute access (`ebarzin` write collaborator + PAT + protected `master`)**, **per-user `code_layout` with the ancamilea workspace cutover**, per-user playwright browser MCP, and per-user Claude OAuth renewal/Vault recovery. Per the live `/etc/skel` design, non-admin `~/.claude/{rules,skills}` symlinks into the admin base are **kept**. **Remaining (held / future):** the offboarding apply-side (Phase 7), per-user `ha`/`claude_memory`/beads credential injection, and roster-reconciled `T3 Users` membership. See `../runbooks/offboard-user.md` for deprovisioning.
 
 ## Related
 
diff --git a/docs/architecture/networking.md b/docs/architecture/networking.md
index 09437069..4659038a 100644
--- a/docs/architecture/networking.md
+++ b/docs/architecture/networking.md
@@ -4,7 +4,7 @@ Last updated: 2026-04-19 (WS E — Kea DHCP pushes dual DNS per subnet; Kea DDNS
 
 ## Overview
 
-The homelab network is built on a dual-VLAN architecture with pfSense providing gateway services, Technitium for internal DNS, and Cloudflare for external DNS. Traefik serves as the Kubernetes ingress controller with a comprehensive middleware chain including CrowdSec bot protection, Authentik forward-auth, and rate limiting. All HTTP traffic flows through Cloudflared tunnels, avoiding the need for port forwarding or exposing public IPs.
+The homelab network is built on a dual-VLAN architecture with pfSense providing gateway services, Technitium for internal DNS, and Cloudflare for external DNS. Traefik serves as the Kubernetes ingress controller with a middleware chain of anti-AI bot-blocking, Authentik forward-auth, rate limiting, and retry. CrowdSec IP-reputation enforcement is **out-of-band** (not a Traefik hop): banned IPs are dropped in-kernel via nftables on direct hosts and blocked at the Cloudflare edge on proxied hosts (see `docs/architecture/security.md`). All HTTP traffic flows through Cloudflared tunnels, avoiding the need for port forwarding or exposing public IPs.
 
 ## Architecture Diagram
 
@@ -16,12 +16,14 @@ graph TB
     Traefik[Traefik Ingress<br/>3 replicas + PDB]
 
     subgraph "Middleware Chain"
-        CS[CrowdSec Bouncer<br/>fail-open]
+        AntiAI[Anti-AI bot-block<br/>fail-open]
         Auth[Authentik Forward-Auth<br/>3 replicas + PDB]
         RL[Rate Limiter<br/>429 response]
         Retry[Retry<br/>2 attempts, 100ms]
     end
 
+    CSdrop[CrowdSec drop<br/>nftables / CF edge<br/>out-of-band, pre-Traefik]
+
     subgraph "Proxmox Host (eno1)"
         vmbr0[vmbr0 Bridge<br/>192.168.1.127/24]
         vmbr1[vmbr1 Internal<br/>VLAN-aware]
@@ -53,8 +55,9 @@ graph TB
     Internet -->|DNS query| CF
     CF -->|CNAME to tunnel| CFD
     CFD --> Traefik
-    Traefik --> CS
-    CS --> Auth
+    CSdrop -.->|banned IPs dropped before Traefik| Traefik
+    Traefik --> AntiAI
+    AntiAI --> Auth
     Auth --> RL
     RL --> Retry
     Retry --> Service
@@ -82,7 +85,7 @@ graph TB
 | Cloudflare DNS | SaaS | External | ~50 public domains under viktorbarzin.me |
 | Cloudflared | Container | K8s (3 replicas) | Tunnel ingress, replaces port forwarding |
 | Traefik | Helm chart | K8s (3 replicas + PDB) | Ingress controller, HTTP/3 enabled |
-| CrowdSec | Helm chart | K8s (LAPI: 3 replicas) | Bot protection, fail-open bouncer |
+| CrowdSec | Helm chart | K8s (LAPI: 3 replicas) | IP reputation. Out-of-band enforcement: `cs-firewall-bouncer` DaemonSet (in-kernel nftables drop, direct hosts) + Cloudflare edge WAF rule (proxied hosts). Fail-open |
 | Authentik | Helm chart | K8s (3 replicas + PDB) | SSO, forward-auth middleware |
 | MetalLB | v0.15.3 Helm chart | K8s | LoadBalancer IPs (10.0.20.200-10.0.20.220), all services on 10.0.20.200 |
 | Registry Cache | Container | 10.0.20.10 | Pull-through for docker.io:5000, ghcr.io:5010 |
@@ -208,24 +211,31 @@ VMs tag traffic on vmbr1 to isolate workloads. pfSense bridges VLAN 20 to the up
 
 ### Ingress Flow
 
+CrowdSec is **not** a step in this chain — banned IPs are dropped before the
+request ever reaches Traefik (Cloudflare edge WAF rule on proxied hosts; host
+nftables on direct hosts). The flow below is for a request that survives that
+out-of-band gate.
+
 ```mermaid
 sequenceDiagram
     participant Client
-    participant Cloudflare
+    participant CFedge as Cloudflare (edge WAF: crowdsec_ban block)
     participant Cloudflared
     participant Traefik
-    participant CrowdSec
+    participant AntiAI
     participant Authentik
     participant RateLimit
     participant Retry
     participant Service
     participant Pod
 
-    Client->>Cloudflare: HTTPS request to blog.viktorbarzin.me
-    Cloudflare->>Cloudflared: Forward via tunnel (QUIC)
+    Client->>CFedge: HTTPS request to blog.viktorbarzin.me
+    Note over CFedge: banned IP → blocked here (proxied hosts)
+    CFedge->>Cloudflared: Forward via tunnel (QUIC)
     Cloudflared->>Traefik: HTTP to LoadBalancer IP
-    Traefik->>CrowdSec: Apply bouncer middleware
-    CrowdSec->>Authentik: If allowed, check auth (protected=true)
+    Note over Traefik: on direct hosts, banned IPs already dropped in-kernel (nftables forward hook)
+    Traefik->>AntiAI: anti-AI bot-block (fail-open)
+    AntiAI->>Authentik: If allowed, check auth (protected=true)
     Authentik->>RateLimit: If authenticated, check rate limit
     RateLimit->>Retry: If within limit, continue
     Retry->>Service: Forward to Service
@@ -234,24 +244,27 @@ sequenceDiagram
     Service-->>Retry: Response
     Retry-->>RateLimit: Response
     RateLimit-->>Authentik: Response (strip auth headers)
-    Authentik-->>CrowdSec: Response
-    CrowdSec-->>Traefik: Response
+    Authentik-->>AntiAI: Response
+    AntiAI-->>Traefik: Response
     Traefik-->>Cloudflared: Response
-    Cloudflared-->>Cloudflare: Response via tunnel
-    Cloudflare-->>Client: HTTPS response
+    Cloudflared-->>CFedge: Response via tunnel
+    CFedge-->>Client: HTTPS response
 ```
 
 ### Middleware Chain
 
-Every ingress created by the `ingress_factory` module follows this chain:
+CrowdSec IP-reputation enforcement is **not** in this chain — it is out-of-band
+(host nftables on direct hosts; the Cloudflare edge WAF `crowdsec_ban` rule on
+proxied hosts), so banned IPs never reach the chain and there is no per-request
+CrowdSec hop. Every ingress created by the `ingress_factory` module follows this
+Traefik chain:
 
-1. **CrowdSec Bouncer**: Checks IP against threat database. **Fail-open** mode — if LAPI is unreachable, traffic passes through to prevent outages.
+1. **Anti-AI bot-block** (`ai-bot-block` ForwardAuth, on by default via `ingress_factory`): blocks/tarpits known AI crawlers. **Fail-open** (currently a no-op `return 200` — poison-fountain scaled to 0; see `docs/architecture/security.md`).
 2. **Authentik Forward-Auth** (if `protected = true`): SSO authentication via OIDC. Non-authenticated users are redirected to login. Auth headers are stripped before forwarding to backend.
-3. **Rate Limiting**: Per-IP throttling. Returns **429 Too Many Requests** (not 503) when limit exceeded. Default limits are generous; services like Immich and Nextcloud have higher custom limits.
+3. **Rate Limiting**: Per-IP throttling. Returns **429 Too Many Requests** (not 503) when limit exceeded. Default is `rate-limit` (average 10 req/s, burst 50). Services whose clients legitimately burst harder get a dedicated middleware via `skip_default_rate_limit = true` + `extra_middlewares`: Immich (`immich-rate-limit`, 1000/20000, photo uploads) and ActualBudget (`actualbudget-rate-limit`, 50/300 — the Actual web app boots with ~70 parallel asset/migration revalidations; the default burst 429'd the tail and stalled every page load).
 4. **Retry**: 2 attempts with 100ms delay on transient failures (5xx errors, connection errors).
 
 Additional middleware:
-- **Anti-AI**: On by default via `ingress_factory`. Blocks common AI crawler user-agents.
 - **HTTP/3 (QUIC)**: Enabled globally on Traefik.
 
 ### Entrypoint Transport Timeouts
@@ -348,10 +361,10 @@ Containerd on all K8s nodes uses `hosts.toml` to redirect pulls to the local cac
 | pfSense | `stacks/pfsense/` | VM + cloud-init config |
 | Technitium | `stacks/technitium/` | Deployment, Service, PVC |
 | Traefik | `stacks/platform/` (sub-module) | Helm release, IngressRoute CRDs |
-| CrowdSec | `stacks/platform/` (sub-module) | Helm release, LAPI + bouncer |
+| CrowdSec | `stacks/crowdsec/` (+ edge in `stacks/rybbit/`) | Helm release, LAPI + agent; `cs-firewall-bouncer` DaemonSet (nftables, direct hosts) + Cloudflare edge sync (proxied hosts) |
 | Authentik | `stacks/authentik/` | Helm release, ingress, OIDC configs |
 | MetalLB | `stacks/platform/` (sub-module) | Helm release, IPAddressPool |
-| Cloudflared | `stacks/cloudflared/` | Deployment (3 replicas), tunnel config |
+| Cloudflared | `stacks/cloudflared/` | Deployment (3 replicas), tunnel config; runs `--no-autoupdate` (in-place self-updates exited the pods and severed all tunnel WebSockets, 2026-06-09/10) |
 | ingress_factory | `modules/ingress_factory/` | IngressRoute + middleware chain |
 
 ### Key Configuration Files
@@ -436,13 +449,30 @@ Containerd on all K8s nodes uses `hosts.toml` to redirect pulls to the local cac
 
 **Decision**: Technitium handles internal `.lan` domains with near-zero latency. Cloudflare handles public domains with global DNS. K8s nodes use Technitium as primary, which forwards non-.lan queries to Cloudflare.
 
-### Why Fail-Open on CrowdSec Bouncer?
+### Why CrowdSec Enforcement Is Out-of-Band (and Fails Open)
 
-**Alternatives considered**:
-1. **Fail-closed**: Maximum security, but LAPI downtime blocks all traffic.
-2. **Redundant LAPI**: Already scaled to 3 replicas, but resource pressure can still cause outages.
+CrowdSec used to enforce inline as a Traefik middleware (the
+`crowdsec-bouncer-traefik-plugin`). On Traefik 3.7.5 the Yaegi plugin handler was
+never invoked, so it enforced nothing; the plugin was removed and enforcement
+moved off the request path entirely (full history in
+`docs/architecture/security.md`). It now runs on two surfaces:
 
-**Decision**: Availability > strict bot blocking. CrowdSec LAPI is scaled to 3 replicas for resilience, but during cluster-wide resource exhaustion (e.g., memory pressure), bouncer falls back to allowing traffic. This prevents a complete service outage due to a security add-on.
+- **Direct hosts** → `cs-firewall-bouncer` DaemonSet drops banned IPs in the host
+  nftables, in **both the `input` and `forward` hooks**. The `forward` hook is
+  the load-bearing one: with Traefik on a dedicated LB IP at
+  `externalTrafficPolicy=Local`, client packets are DNAT'd to the Traefik **pod**
+  and transit the node's `forward` chain (not `input`) — which is exactly why the
+  ingress must preserve the **real client IP** end-to-end (ETP=Local + PROXY-v2
+  for IPv6; see the Traefik LB IP and IPv6 ingress notes above). Without the real
+  client IP the firewall-bouncer (and the CF edge rule) would have nothing to
+  match on.
+- **Proxied hosts** → a Cloudflare edge WAF rule (`ip.src in $crowdsec_ban`) fed
+  by the `crowdsec-cf-sync` CronJob.
+
+Both **fail open**: if LAPI is unreachable, the firewall-bouncer simply stops
+receiving new decisions (existing drops persist) and the CF sync skips a run —
+neither ever blocks legitimate traffic. Availability > strict bot blocking, and
+out-of-band enforcement adds **zero per-request latency** (no Traefik hop).
 
 ### Why HTTP/3 (QUIC)?
 
@@ -473,9 +503,10 @@ Containerd on all K8s nodes uses `hosts.toml` to redirect pulls to the local cac
 
 **Symptoms**: All ingress routes return 503, Traefik dashboard shows no backends available.
 
-**Diagnosis**: Middleware chain is blocking traffic. Check:
-1. Authentik status: `kubectl get pod -n authentik`
-2. CrowdSec LAPI status: `kubectl get pod -n crowdsec`
+**Diagnosis**: Middleware chain is blocking traffic. (CrowdSec is **not** in the
+chain — a CrowdSec/LAPI outage cannot cause 503s; it only stops new bans.) Check:
+1. Authentik status: `kubectl get pod -n authentik` (ForwardAuth fails closed if the auth server is unreachable)
+2. `bot-block-proxy` status: `kubectl get pod -n traefik -l app=bot-block-proxy` (anti-AI ForwardAuth target — also fails closed if down)
 3. Traefik logs: `kubectl logs -n kube-system deploy/traefik`
 
 **Fix**: If Authentik is down and ingress uses forward-auth, pods won't pass health checks. Scale Authentik to 3 replicas or temporarily disable forward-auth middleware.
@@ -515,11 +546,11 @@ Containerd on all K8s nodes uses `hosts.toml` to redirect pulls to the local cac
 
 ### Rate Limiter Blocks Legitimate Traffic
 
-**Symptoms**: Users report 429 errors during normal usage (e.g., Immich uploads).
+**Symptoms**: Users report 429 errors during normal usage (e.g., Immich uploads, ActualBudget's "Server returned an error while checking its status" boot screen).
 
 **Diagnosis**: Check Traefik middleware config for the affected IngressRoute.
 
-**Fix**: Increase rate limit in `ingress_factory` module. Default is 100 req/min per IP. Immich and Nextcloud use 500 req/min.
+**Fix**: Give the service a dedicated higher-limit middleware (don't loosen the shared default): define `<service>-rate-limit` in `stacks/traefik/modules/traefik/middleware.tf`, then set `skip_default_rate_limit = true` + `extra_middlewares = ["traefik-<service>-rate-limit@kubernetescrd"]` on its `ingress_factory` call. Shared default is average 10 req/s / burst 50; Immich uses 1000/20000, ActualBudget 50/300.
 
 ### Large Downloads or Uploads Truncate / Fail Partway
 
diff --git a/docs/architecture/security.md b/docs/architecture/security.md
index 6b3e794b..7d3043ea 100644
--- a/docs/architecture/security.md
+++ b/docs/architecture/security.md
@@ -2,40 +2,50 @@
 
 ## Overview
 
-The homelab implements defense-in-depth security at the application layer (L7) using CrowdSec for threat intelligence and IP reputation, Kyverno for policy enforcement and resource governance, and a 3-layer anti-AI scraping defense (reduced from 5 in April 2026 after removing the rewrite-body plugin). All security components operate in graceful degradation mode (fail-open) to prevent cascading failures. Security policies are deployed in audit mode first, then selectively enforced after validation.
+The homelab implements defense-in-depth security using CrowdSec for threat intelligence and IP reputation, Kyverno for policy enforcement and resource governance, and a 3-layer anti-AI scraping defense (reduced from 5 in April 2026 after removing the rewrite-body plugin). CrowdSec enforcement is **out-of-band** (not a per-request Traefik hop — see the CrowdSec section): banned IPs are dropped in-kernel via nftables on direct hosts, and blocked at the Cloudflare edge on proxied hosts, so enforcement adds **zero per-request latency**. All security components fail open (a CrowdSec outage stops new bans but never blocks legitimate traffic). Security policies are deployed in audit mode first, then selectively enforced after validation.
 
 ## Architecture Diagram
 
+CrowdSec enforcement is out-of-band (NOT an inline Traefik middleware hop). The
+Traefik request chain is anti-AI → Authentik ForwardAuth → rate-limit → retry;
+CrowdSec drops banned IPs *before* (direct hosts) or *off* (proxied hosts) that
+chain entirely.
+
 ```mermaid
-graph LR
+graph TB
     Internet[Internet]
-    CF[Cloudflare WAF]
+
+    subgraph "Proxied hosts (orange-cloud)"
+        CFedge[Cloudflare edge<br/>WAF rule: ip.src in $crowdsec_ban → block]
+    end
+    subgraph "Direct hosts (grey-cloud / internal)"
+        NFT[Host nftables<br/>table crowdsec/crowdsec6<br/>drop in input + forward]
+    end
+
     Tunnel[Cloudflared Tunnel]
-    CrowdSec[CrowdSec Bouncer<br/>Traefik Plugin]
-    AntiAI[Anti-AI Check<br/>poison-fountain]
-    ForwardAuth[Authentik ForwardAuth]
-    RateLimit[Rate Limit Middleware]
-    Retry[Retry Middleware<br/>2 attempts, 100ms]
+    Traefik[Traefik<br/>anti-AI → Authentik → rate-limit → retry]
     Backend[Backend Service]
 
     LAPI[CrowdSec LAPI<br/>3 replicas]
-    Agent[CrowdSec Agent]
+    Agent[CrowdSec Agent<br/>parses Traefik logs]
+    FWB[cs-firewall-bouncer<br/>DaemonSet, every node]
+    CFsync[crowdsec-cf-sync<br/>CronJob, every 2 min]
 
-    Internet -->|1| CF
-    CF -->|2| Tunnel
-    Tunnel -->|3| CrowdSec
-    CrowdSec -.->|Query| LAPI
-    Agent -.->|Report| LAPI
-    CrowdSec -->|4. Pass/Block| AntiAI
-    AntiAI -->|5. Human/Bot| ForwardAuth
-    ForwardAuth -->|6. Authenticated| RateLimit
-    RateLimit -->|7. Under Limit| Retry
-    Retry -->|8. Success/Retry| Backend
+    Internet -->|proxied| CFedge
+    Internet -->|direct| NFT
+    CFedge -->|allowed| Tunnel
+    Tunnel --> Traefik
+    NFT -->|allowed| Traefik
+    Traefik --> Backend
 
-    style CrowdSec fill:#f9f,stroke:#333
-    style AntiAI fill:#ff9,stroke:#333
-    style ForwardAuth fill:#9f9,stroke:#333
-    style RateLimit fill:#99f,stroke:#333
+    Agent -.->|report| LAPI
+    LAPI -.->|all decisions incl. CAPI| FWB
+    FWB -.->|program drop rules| NFT
+    LAPI -.->|ban/captcha decisions, CAPI excluded| CFsync
+    CFsync -.->|push IP list| CFedge
+
+    style CFedge fill:#f9f,stroke:#333
+    style NFT fill:#f9f,stroke:#333
 ```
 
 ## Components
@@ -44,7 +54,8 @@ graph LR
 |-----------|---------|----------|---------|
 | CrowdSec LAPI | Pinned | `stacks/crowdsec/` | Local API, threat intelligence aggregation (3 replicas) |
 | CrowdSec Agent | Pinned | `stacks/crowdsec/` | Log parser, scenario detection |
-| CrowdSec Traefik Bouncer | Plugin | Traefik config | Plugin-based IP reputation check |
+| cs-firewall-bouncer | v0.0.34 | `stacks/crowdsec/modules/crowdsec/firewall_bouncer.tf` | In-kernel nftables drop on every node (DIRECT hosts). Bouncer key `firewall` |
+| crowdsec-cf-sync | — | `stacks/rybbit/crowdsec_edge.tf` | LAPI→Cloudflare-IP-List sync CronJob (PROXIED hosts). Bouncer key `kvsync` |
 | Kyverno | Pinned chart | `stacks/kyverno/` | Policy engine for K8s admission control |
 | poison-fountain | Latest | `stacks/poison-fountain/` | Anti-AI bot detection and tarpit service |
 | cert-manager/certbot | - | `stacks/cert-manager/` | TLS certificate management |
@@ -54,11 +65,15 @@ graph LR
 
 ### Request Security Layers
 
-Every incoming request passes through 6 security layers:
+CrowdSec IP-reputation enforcement happens **before** a request reaches the
+Traefik chain (banned IPs are dropped in-kernel on direct hosts, or blocked at
+the Cloudflare edge on proxied hosts — see CrowdSec Threat Intelligence below).
+A request that survives that out-of-band gate then passes through the Traefik
+middleware chain:
 
-1. **Cloudflare WAF** - DDoS protection, bot detection, firewall rules (external)
-2. **Cloudflared Tunnel** - Zero Trust tunnel, hides origin IP
-3. **CrowdSec Bouncer** - IP reputation check against LAPI (fail-open on error)
+1. **Cloudflare WAF / edge** - DDoS protection, bot detection, firewall rules incl. the CrowdSec `crowdsec_ban` block rule (proxied hosts only)
+2. **Cloudflared Tunnel** - Zero Trust tunnel, hides origin IP (proxied hosts)
+3. **CrowdSec out-of-band drop** - nftables on direct hosts; *not* a Traefik hop (zero per-request latency)
 4. **Anti-AI Scraping** - 3-layer bot defense (optional per service, updated 2026-04-17)
 5. **Authentik ForwardAuth** - Authentication check (if `protected = true`)
 6. **Rate Limiting** - Per-source IP rate limits (returns 429 on breach)
@@ -80,11 +95,71 @@ CrowdSec operates in a hub-and-agent model:
 - Reports malicious IPs to LAPI
 - Shares threat intel with CrowdSec community (anonymized)
 
-**Traefik Bouncer Plugin**:
-- Integrated as Traefik middleware
-- Queries LAPI for IP reputation on each request
-- **Fail-open mode**: If LAPI unreachable, allows traffic (graceful degradation)
-- Blocks IPs on ban list, allows others
+Enforcement is split across **two out-of-band surfaces**, neither of which adds
+any per-request latency. (See "Why the Traefik bouncer plugin was removed" below
+for the supersession history — there is no longer an inline Traefik bouncer.)
+
+**Surface 1 — DIRECT (non-Cloudflare-proxied) hosts → in-kernel nftables drop**
+(`cs-firewall-bouncer` DaemonSet, `stacks/crowdsec/modules/crowdsec/firewall_bouncer.tf`):
+- Runs on **every node** (no nodeSelector). Programs the HOST nftables — `table ip
+  crowdsec` / `table ip6 crowdsec6` — with drop rules in **both the `input` AND
+  the `forward` hooks**. The `forward` hook is required because Traefik is a
+  LoadBalancer with `externalTrafficPolicy=Local`: client traffic is DNAT'd to the
+  Traefik **pod** and transits the node's `forward` hook (not `input`) with the
+  real client IP preserved. Chains use `policy accept` (only set members drop —
+  it can never blackhole normal traffic).
+- Pulls **all** decisions from LAPI, **including the CAPI community blocklist
+  (~31k IPs)**. Packets from banned IPs are dropped **in-kernel before reaching
+  Traefik** → zero per-request hops, no Traefik involvement at all.
+- **Packaging**: cs-firewall-bouncer publishes no container image, so the
+  **v0.0.34** static binary is fetched at runtime by an initContainer onto a
+  `debian:bookworm-slim` runtime container. Needs `hostNetwork` +
+  `NET_ADMIN`/`NET_RAW` to talk netlink directly. Registered bouncer key:
+  **`firewall`**.
+- **Fail-open**: if LAPI is unreachable it just stops receiving new decisions
+  (existing drop rules persist); it never blocks legitimate traffic.
+
+**Surface 2 — PROXIED (Cloudflare orange-cloud) hosts → Cloudflare edge block**
+(`stacks/rybbit/crowdsec_edge.tf` + `lapi_kv_sync.py`):
+- Proxied hosts terminate at the Cloudflare edge, so a host-level nftables drop
+  would never see them. Enforcement is instead a single Cloudflare Rules List
+  **`crowdsec_ban`** + a zone-scoped WAF custom rule `(ip.src in $crowdsec_ban)`
+  → **block** action, which covers every proxied host in the zone.
+- Fed by the **`crowdsec-cf-sync` CronJob** (namespace `rybbit`, every 2 min,
+  pure-stdlib Python in a ConfigMap). It pulls local **ban/captcha ip-scoped**
+  decisions and pushes them into the CF list, but **EXCLUDES the ~31k CAPI
+  community blocklist** — that set is far too large for a CF Rules List (the CF
+  account hard-limits to **one** list), and CAPI is already covered in-kernel on
+  direct hosts and by Cloudflare's own managed protections on proxied hosts.
+  Registered bouncer key: **`kvsync`**.
+- **Block-only**: the single-list limit precludes a separate
+  captcha/managed-challenge list, so both ban and captcha decisions are enforced
+  as a plain block at the edge.
+- **Auth carve-out:** the WAF rule excludes `authentik.viktorbarzin.me` +
+  `public-auth.viktorbarzin.me` (`… and not (http.host in {…})`). A CrowdSec hit
+  must never wall a user out of the login / WebAuthn flow they authenticate
+  through; auth keeps `traefik-rate-limit` for brute-force protection.
+
+**Whitelist** (`stacks/crowdsec/whitelist.yaml`): a CrowdSec whitelist covers
+RFC1918 + the tailnet + internal CIDRs (plus one specific external IP), so
+internal users are never enforced. Internal access uses split-horizon DNS
+straight to Traefik, and direct internal clients are RFC1918 — both whitelisted.
+
+#### Why the Traefik bouncer plugin was removed
+
+Enforcement used to run as an inline Traefik middleware — the
+`crowdsec-bouncer-traefik-plugin` (Yaegi/Lua), which queried LAPI on every
+request and could serve a Cloudflare Turnstile captcha for soft remediations.
+On **Traefik 3.7.5 the Yaegi handler was never invoked**, so the bouncer was
+registered but enforced **nothing** despite appearing healthy. Rather than chase
+the Yaegi runtime, the whole plugin path was **removed** (2026-06): the plugin
+static config + initContainer download, the `crowdsec` Middleware CRD, the
+`captcha.html` template + its ConfigMap and volume mount, and the Cloudflare
+Turnstile widget (`cloudflare_turnstile_widget.crowdsec_captcha`). It was
+replaced by the two out-of-band surfaces above, which add zero per-request
+latency and fail open. (The earlier `crowdsec-cf-sync` cursor-pagination /
+IP-List-capacity issues are also moot now that CAPI is excluded from the edge
+list and dropped in-kernel instead.)
 
 **Metabase** (disabled by default):
 - Dashboard for CrowdSec analytics
@@ -189,7 +264,7 @@ Beads epic: `code-8ywc`. **Status: partially live as of 2026-05-18.**
 | W1.2 Vault `x_forwarded_for_authorized_addrs = 10.10.0.0/16` | **LIVE** — applied via `tg apply -target=helm_release.vault` on 2026-05-18; all 3 vault pods restarted cleanly |
 | W1.2 Vault audit log shipping to Loki | **LIVE** — `audit-tail` sidecar in vault pods + Alloy DaemonSet ships to Loki with `container="audit-tail"`. Verified via `{namespace="vault",container="audit-tail"}` LogQL query. |
 | W1.1 K8s API audit policy + shipping | **LIVE** — kube-apiserver audit policy was already configured (Metadata level, `/var/log/kubernetes/audit.log`, 7d retention). Alloy DaemonSet now tolerates control-plane taint, scrapes the audit log file, ships to Loki with `job=kubernetes-audit`. K2-K9 alert rules in Loki ruler. |
-| W1.3 Source-IP anomaly rules (K9, V7, S1) | **LIVE** (K9, V7); **S1 PENDING** — fires once promtail/Alloy on PVE host ships sshd journal with `job=sshd-pve`. |
+| W1.3 Source-IP anomaly rules (K9, V7, S1) | **LIVE** (K9, V7, S1). **S1 activated 2026-06-10** — promtail on the PVE host now ships the journal to Loki (`scripts/pve-promtail.yaml`); sshd auth lands as `job=sshd-pve` (the S1 data source). The same shipper carries snoopy `execve()` command audit as `{job="pve-journal", identifier="snoopy"}` (forensic, not alerting). Deployed because emo's agent was given root SSH to the host (shared key) — see `docs/architecture/monitoring.md` → "External host: pve". |
 | W1.4 Kyverno security policies → Enforce | **LIVE** — 3 policies in Enforce mode with 35-namespace exclude list. |
 | W1.5 Kyverno trusted-registries → Enforce | **LIVE** — explicit allowlist (15 registries + 6 DockerHub library bare names + 56 DockerHub user repos). Verified by admission dry-run: `evilcorp.example/malware:v1` BLOCKED, `alpine:3.20` and `docker.io/library/alpine:3.20` ALLOWED. |
 | W1.6 Calico observe-phase (pilot: recruiter-responder) | **LIVE** (2026-05-19) — GlobalNetworkPolicy `wave1-egress-observe-recruiter-responder` with rules `[action:Log, action:Allow]`. FelixConfiguration.flowLogsFileEnabled approach abandoned (Calico Enterprise-only field, rejected by OSS v3.26). Log action emits iptables LOG with prefix `calico-packet: ` → kernel → journald → Alloy → Loki. Verified: `{job="node-journal"} \|~ "calico-packet"` returns real packet metadata (SRC/DST/PROTO). Expand to more namespaces by adding to `namespaceSelector`. |
@@ -205,7 +280,7 @@ Response model: **(I) Slack-only, daily skim.** All security alerts land in a ne
 |---|---|---|---|
 | K8s API audit log | Custom audit policy on kube-apiserver: drop `get`/`list`/`watch` at `None` for most resources, log writes at `Metadata`, secret reads at `Metadata`, `exec`/`portforward` at `RequestResponse`, exclude kubelet+controller-manager noise. Codified in `stacks/infra` kubeadm config templating. | Alloy DaemonSet tails `/var/log/kubernetes/audit/*.log` | `job=kube-audit` |
 | Vault audit log | `file` audit device on existing Vault PVC. Vault listener config sets `x_forwarded_for_authorized_addrs` trusting Traefik pod CIDR so `remote_addr` is the real client IP, not Traefik's. | Alloy tails audit log file | `job=vault-audit` |
-| PVE sshd auth log | journald `_SYSTEMD_UNIT=ssh.service` | promtail systemd unit on Proxmox host (192.168.1.127) | `job=sshd-pve` |
+| PVE sshd auth log | journald (`_SYSTEMD_UNIT=ssh.service`, `SYSLOG_IDENTIFIER=sshd-session`); promtail relabels `identifier=~"sshd.*"` → `job=sshd-pve` | promtail systemd unit on Proxmox host (192.168.1.127), `scripts/pve-promtail.yaml` — **LIVE 2026-06-10** | `job=sshd-pve` |
 | Calico flow log | `flowLogsFileEnabled: true` in Calico Felix config | Alloy (cluster-wide) | `job=calico-flow` (W1.6 only) |
 
 #### Alert rules (16 total)
@@ -255,6 +330,10 @@ Routed via **Loki ruler → Alertmanager → `#security` Slack receiver**. Same
 
 **Policy: no public-IP access ever.** Vault, kube-apiserver, PVE sshd must transit a trusted LAN or Headscale. Anything else fires an alert.
 
+**Documented exception — break-glass SSH (2026-06-11):** one deliberate carve-out. The Proxmox host's sshd listens on a WAN-exposed `:52222` (edge-router forward), **key-only**, trusting only a dedicated break-glass key (`Match LocalPort` → `authorized_keys.breakglass`), rate-limited (iptables hashlimit) + fail2ban. It is intentionally reachable from the public internet so it survives a cluster/tunnel outage with no dependency on the cluster — the one case the "must transit LAN/Headscale" rule cannot serve. Brute-force-proof (no password); the trade is Shodan-visibility. As-built: `docs/runbooks/breakglass-ssh.md`; rationale: `docs/plans/2026-06-11-breakglass-ssh-redesign-design.md`. (Replaced the 2026-05-30 port-knock variant, which was non-scannable but had a circular Vault dependency that caused a lockout.)
+
+**Two privileged footholds for the warm break-glass UI (2026-06-12):** the in-cluster `claude-breakglass` service (`breakglass.viktorbarzin.me`, warm case = devvm wedged, cluster healthy) holds one ed25519 key (Vault `secret/claude-breakglass/ssh_key`) authorising: (1) a `breakglass` user on the **devvm** with NOPASSWD sudo (`from="10.0.20.0/24"` — the Calico-SNAT node subnet); (2) a **PVE** `authorized_keys` entry pinned to `command="/usr/local/bin/breakglass-pve",restrict,from="192.168.1.2"` (pfSense's inter-VLAN SNAT IP) that only runs the verbs `status|forensics|reset|stop|start|cycle` against VM 102. The key is reachable ONLY by the breakglass pod (own namespace, no Vault role, ESO-synced); the shared `claude-agent` pod's `terraform-state` Vault policy is explicitly DENIED `secret/claude-breakglass/*`. Reset is autonomous (the agent may fire it), forensics-first. Reachable via Authentik or the basic-auth fallback — LAN-routed, not WAN-exposed. Runbook: `docs/runbooks/breakglass-ui.md`; ADR: `claude-agent-service/docs/adr/0001-breakglass-security-architecture.md`.
+
 #### Why no canary tokens
 
 Original plan included canary tokens (fake K8s Secret, Vault KV path, PVE file, sinkhole hostname). Rejected because Viktor routinely greps `secret/viktor` (135 keys) and lists `kubectl get secret -A` — any read-trigger canary self-fires. Use-based canaries (zero-RBAC SA tokens with audit alerts on use) were also considered but rejected in favor of cleaner source-IP anomaly detection (K9, V7) on REAL tokens — same threat model, no fake-token operational burden.
@@ -326,10 +405,12 @@ Beads: `code-8ywc` W1.6 + W1.7. **Status: planned.**
 
 | Path | Purpose |
 |------|---------|
-| `stacks/crowdsec/` | CrowdSec LAPI, agent, bouncer config |
+| `stacks/crowdsec/` | CrowdSec LAPI, agent config + `whitelist.yaml` |
+| `stacks/crowdsec/modules/crowdsec/firewall_bouncer.tf` | cs-firewall-bouncer DaemonSet (in-kernel nftables drop, direct hosts) |
+| `stacks/rybbit/crowdsec_edge.tf` + `lapi_kv_sync.py` | Cloudflare IP-List + WAF block rule + LAPI→CF sync CronJob (proxied hosts) |
 | `stacks/kyverno/` | Kyverno deployment + policies |
 | `stacks/poison-fountain/` | Anti-AI service + CronJob |
-| `stacks/platform/modules/traefik/middleware.tf` | Security middleware definitions |
+| `stacks/traefik/modules/traefik/middleware.tf` | Security middleware definitions (no longer includes a CrowdSec bouncer) |
 | `stacks/platform/modules/ingress_factory/` | Per-service security toggles |
 
 ### Vault Paths
@@ -439,7 +520,11 @@ spec:
 **Fix**:
 1. Check LAPI decisions: `kubectl exec -it crowdsec-lapi-0 -- cscli decisions list`
 2. Remove ban: `kubectl exec -it crowdsec-lapi-0 -- cscli decisions delete --ip <IP>`
-3. Whitelist if needed: Add to `stacks/crowdsec/whitelist.yaml`
+   — the in-kernel drop clears as soon as `cs-firewall-bouncer` reconciles (direct
+   hosts); for proxied hosts the `crowdsec-cf-sync` CronJob removes it from the
+   `crowdsec_ban` CF list within ~2 min.
+3. Whitelist if needed: Add to `stacks/crowdsec/whitelist.yaml` (RFC1918 + tailnet
+   + internal CIDRs are already whitelisted, so internal clients are never banned).
 
 ### Kyverno Policy Blocking Deployment
 
diff --git a/docs/architecture/storage.md b/docs/architecture/storage.md
index 486246a6..4b501598 100644
--- a/docs/architecture/storage.md
+++ b/docs/architecture/storage.md
@@ -17,7 +17,7 @@ All services storing sensitive data were migrated to `proxmox-lvm-encrypted` on
 - **HDD NFS**: `/srv/nfs` on ext4 LV `pve/nfs-data` (4TB) — bulk media and backup targets
 - **SSD NFS**: `/srv/nfs-ssd` on ext4 LV `ssd/nfs-ssd-data` (100GB) — high-performance data (Immich ML)
 
-Both `StorageClass: nfs-truenas` and `StorageClass: nfs-proxmox` point to the Proxmox host and are functionally identical. The `nfs-truenas` name is historical — it was retained because StorageClass names are immutable on bound PVs (48 PVs reference it) and renaming would force mass PV churn across the cluster.
+`StorageClass: nfs-truenas` is the **only** NFS StorageClass and points to the Proxmox host. The name is historical — it was retained because StorageClass names are immutable on bound PVs (48 PVs reference it) and renaming would force mass PV churn across the cluster. (A short-lived parallel `nfs-proxmox` StorageClass was removed on 2026-04-25, commit 484b4c71, during the vault NFS-hostile migration.)
 
 **Backup storage (sda)**: 1.1TB RAID1 SAS disk, VG `backup`, LV `data` (ext4), mounted at `/mnt/backup` on PVE host. Dedicated backup disk for weekly PVC file backups, auto SQLite backups, pfSense backups, and PVE config. NFS data syncs directly to Synology via inotify change tracking (not stored on sda). Independent of live storage (sdc).
 
@@ -47,7 +47,7 @@ graph TB
     end
 
     subgraph K8s["Kubernetes Cluster"]
-        CSI_NFS["nfs-csi driver<br/>StorageClass: nfs-proxmox (+ legacy nfs-truenas)<br/>soft,timeo=30,retrans=3"]
+        CSI_NFS["nfs-csi driver<br/>StorageClass: nfs-truenas (historical name)<br/>soft,timeo=30,retrans=3"]
         CSI_PVE["Proxmox CSI plugin<br/>StorageClass: proxmox-lvm<br/>StorageClass: proxmox-lvm-encrypted"]
 
         NFS_PV["NFS PersistentVolumes<br/>RWX, ~100 volumes"]
@@ -85,8 +85,7 @@ graph TB
 | Proxmox NFS (HDD) | LV `pve/nfs-data`, 4TB ext4 | 192.168.1.127:/srv/nfs | Bulk NFS data for all services |
 | Proxmox NFS (SSD) | LV `ssd/nfs-ssd-data`, 100GB ext4 | 192.168.1.127:/srv/nfs-ssd | High-performance data (Immich ML) |
 | nfs-csi | Helm chart | Namespace: nfs-csi | NFS CSI driver |
-| StorageClass `nfs-proxmox` | RWX, soft mount | Cluster-wide | NFS storage, points to Proxmox host |
-| StorageClass `nfs-truenas` | RWX, soft mount | Cluster-wide | **Historical name** — functionally identical to `nfs-proxmox`, points to the Proxmox host. Kept because SC names are immutable on 48 bound PVs. |
+| StorageClass `nfs-truenas` | RWX, soft mount | Cluster-wide | The only NFS StorageClass — **historical name**, points to the Proxmox host. Kept because SC names are immutable on 48 bound PVs. (Sibling `nfs-proxmox` SC removed 2026-04-25, commit 484b4c71.) |
 | TF module `nfs_volume` | `modules/kubernetes/nfs_volume/` | Infra repo | Static NFS PV/PVC factory |
 | ~~TrueNAS VM~~ | **DECOMMISSIONED 2026-04-13** | Was VM 9000 at 10.0.10.15 | Replaced by Proxmox NFS. VM still in stopped state pending deletion. |
 | ~~democratic-csi-iscsi~~ | **REMOVED** | Was namespace: iscsi-csi | Replaced by Proxmox CSI (2026-04-02) |
@@ -113,7 +112,7 @@ graph TB
 
 **Note**: Some legacy PVs still reference `/mnt/main/<service>` paths. These work via compatibility symlinks/bind-mounts on the Proxmox host. New PVs should use `/srv/nfs/<service>` or `/srv/nfs-ssd/<service>`.
 
-**CRITICAL**: Never use inline `nfs {}` blocks in pod specs — they default to `hard,timeo=600` which causes 10-minute hangs on network issues. Always use the `nfs-proxmox` StorageClass (or the legacy `nfs-truenas` for existing PVs) via PVCs.
+**CRITICAL**: Never use inline `nfs {}` blocks in pod specs — they default to `hard,timeo=600` which causes 10-minute hangs on network issues. Always use the `nfs-truenas` StorageClass (historical name; it points at the Proxmox host) via PVCs.
 
 ### Block Storage Flow (Proxmox CSI) — NEW
 
diff --git a/docs/plans/2026-05-30-breakglass-ssh-access-design.md b/docs/plans/2026-05-30-breakglass-ssh-access-design.md
new file mode 100644
index 00000000..1b8b2070
--- /dev/null
+++ b/docs/plans/2026-05-30-breakglass-ssh-access-design.md
@@ -0,0 +1,285 @@
+# Break-Glass SSH Access — Design
+
+> **⚠️ SUPERSEDED 2026-06-11** by `2026-06-11-breakglass-ssh-redesign-design.md`.
+> The port-knock was removed: it added no real security (the SSH key already
+> makes the port brute-force-proof) and its knock sequence lived only in
+> in-cluster Vault — unreachable in the exact cold/away scenario break-glass
+> exists for, which caused a real lockout. Retained for history. As-built:
+> `docs/runbooks/breakglass-ssh.md`.
+
+- **Date**: 2026-05-30
+- **Status**: Draft — pending user review
+- **Owner**: Viktor
+- **Related**: `docs/architecture/vpn.md`, `docs/architecture/security.md`, `infra/.claude/CLAUDE.md` (Security Posture Wave 1)
+
+## 1. Goal
+
+Provide a **cold, brute-force-proof backdoor onto the home LAN from the public
+internet** for the case where the Kubernetes cluster and every cluster-hosted
+remote-access path are down (cloudflared, Headscale/Tailscale, in-cluster
+WireGuard), but the **Proxmox host, pfSense, and the edge router are still up**.
+
+### Hard requirements (from the user)
+
+1. **Cold-survivable**: must work when the k8s cluster + all its tunnels are
+   down. The path must touch **nothing in the cluster** (no Authentik, Traefik,
+   Technitium/AdGuard DNS, cloudflared).
+2. **Full LAN access** once connected (SSH to Proxmox host, pfSense, Synology,
+   k8s API, etc.).
+3. **No brute force**: no password-guessable surface.
+4. **Client uses only software pre-installed on Linux/macOS** — no WireGuard /
+   Tailscale / fwknop client install. Stock `ssh` (+ `bash`) only.
+5. **Minimal effort**, and ideally **honor the locked Wave 1 policy**
+   (`no public-IP access — … PVE sshd must transit LAN or Headscale`).
+
+## 2. Decision
+
+**Key-only SSH to the Proxmox host, gated behind a UDP port-knock.**
+
+- The Proxmox host (`192.168.1.127`) is the entry point — it's the recovery box
+  (`virsh`/`qm` to reboot the pfSense VM, `kubectl`, full hypervisor control)
+  and it sits directly on the `192.168.1.0/24` segment, so the path **does not
+  traverse pfSense or the cluster** — it survives a wedged pfSense too, not just
+  a down cluster.
+- SSH is the only externally-usable remote tool **pre-installed on every
+  Linux/macOS box**, satisfying requirement 4.
+- **Key-only auth** (no passwords anywhere) makes password brute force
+  impossible → requirement 3.
+- A **port-knock** keeps the external SSH port **closed/invisible to scanners**
+  until a knock sequence is sent. This restores the "no standing public service"
+  property we'd have had with WireGuard and keeps us within the **intent** of the
+  Wave 1 policy (PVE sshd is not internet-scannable). The knock is sent with a
+  **bash `/dev/udp` one-liner** — zero install.
+
+### Alternatives rejected
+
+| Option | Why rejected |
+|---|---|
+| WireGuard road-warrior on pfSense | Needs a WireGuard **client app** (fails requirement 4). Was the prior design. |
+| Tailscale / Headscale | Client app + control plane is in-cluster (dies cold). |
+| Browser → web admin UI (Proxmox/pfSense/Synology) | "Pre-installed" (browser) but password-based → brute-forceable, far larger attack surface than a key-only SSH port. |
+| Plain **exposed** key-only SSH (no knock) | Brute-force-proof, but a **publicly visible** service (Shodan-catalogued) and a standing violation of the Wave 1 "no public PVE sshd" policy. The knock removes the standing exposure for ~15 min more setup. |
+| fwknop / cryptographic SPA | Strongest hiding, but needs a **client install** (fails requirement 4). |
+
+## 3. Architecture
+
+```
+  Your laptop (anywhere) — stock ssh + bash, nothing installed
+     │  (1) UDP knock sequence  →  bash: echo > /dev/udp/<pub>/<port>   (instant, no handshake)
+     │  (2) ssh -p 52222 root@<pub>
+     ▼
+  Edge router 192.168.1.1   (the box the stored password unlocks)
+     │  forwards:  UDP <k1>,<k2>,<k3>  +  TCP 52222   →   192.168.1.127
+     ▼
+  Proxmox host 192.168.1.127   ← path bypasses pfSense entirely
+     ├─ knockd (libpcap) sees the UDP knock → opens TCP 52222 for your source IP (30 s)
+     ├─ sshd listens on :22 (LAN admin, always) AND :52222 (external, knock-gated), key-only
+     └─ once in:  virsh/qm (reboot pfSense VM), kubectl, ssh -J / ssh -D → full LAN
+```
+
+**Why it meets "cold + full LAN":** the host is up by definition of the chosen
+failure mode; nothing in the path depends on k8s, pfSense, or DNS. From the host
+you reach the whole LAN either directly (it's on `192.168.1.0/24` and routes to
+the VLANs via pfSense when pfSense is up) or by using SSH's built-in
+`-J`/`-D` — both stock, no install.
+
+## 4. Components
+
+### 4.1 Edge router @ 192.168.1.1 (manual, in the browser)
+Add port-forwards (same place the existing `51821` WireGuard forward lives):
+- **TCP 52222 → 192.168.1.127:52222** (external SSH; no port rewrite — see §4.3 rationale)
+- **UDP `<k1>`, `<k2>`, `<k3>` → 192.168.1.127** (knock ports; actual numbers in Vault)
+
+If the router supports a **port range** forward, a single range covering the
+knock ports + 52222 is tidier than four rules.
+
+> **Verify (#1 implementation check):** whether `.1` **preserves the source IP**
+> on forwarded packets (typical DNAT) or **SNATs** them to `192.168.1.1`. Test by
+> knocking + connecting from an external network and checking `/var/log/auth.log`
+> + `knockd` syslog for the observed source IP. The design works either way (see
+> §4.3), but it determines knock granularity.
+
+### 4.2 SSH keys & Vault layout
+- Mint a **dedicated** break-glass keypair (ed25519), separate from
+  `secret/viktor/proxmox_ssh_key`, so it's independently revocable and clearly
+  labelled.
+- **Public key** → `/root/.ssh/authorized_keys` on the Proxmox host (no `from=`
+  restriction — break-glass is from-anywhere; the knock + key are the gate).
+- **Private key** → Vault `secret/viktor/breakglass_ssh_privkey` (for
+  re-provisioning) **and** on your laptop at `~/.ssh/breakglass_ed25519`
+  (chmod 600).
+- **Knock sequence** → Vault `secret/viktor/breakglass_knock_sequence` (kept out
+  of git — obscurity value only; see §5).
+
+### 4.3 Proxmox host — sshd hardening
+`/etc/ssh/sshd_config.d/10-breakglass.conf`:
+```
+Port 22
+Port 52222
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+PubkeyAuthentication yes
+PermitRootLogin prohibit-password     # key-only root (PVE recovery norm)
+MaxAuthTries 3
+LoginGraceTime 20
+```
+- sshd listens on **:22 (LAN admin, always allowed)** and **:52222 (external,
+  knock-gated)**. Using a dedicated external port (not a DNAT rewrite to 22)
+  lets the firewall distinguish LAN vs external **regardless of `.1` SNAT
+  behaviour** (§4.1) — LAN admin on `:22` is never affected by the gate.
+- **Default to root key-only** for recovery practicality. *Alternative for
+  review:* a dedicated `breakglass` sudo user instead of root.
+
+> **Verify (#2):** key login already works for your normal access **before**
+> `PasswordAuthentication no` is committed — no lockout. (Backup rsync jobs
+> already use keys, so this is likely already effectively true.)
+
+### 4.4 Host firewall (knock gate)
+Default-drop the external SSH port; knockd punches a per-source hole. LAN admin
+(`:22`) and established sessions are untouched:
+```
+# allow established / related
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# LAN admin + backups: SSH on :22 always allowed
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+# external SSH on :52222 closed by default — knockd opens it per-source
+iptables -A INPUT -p tcp --dport 52222 -j DROP
+```
+- **knockd uses libpcap**, so it sees the UDP knock packets even though iptables
+  drops them — the knock ports stay **silent/closed** to scanners.
+- **pve-firewall coexistence (verify #3):** confirm whether the PVE firewall is
+  enabled. If it is, express these rules through it (or a dedicated chain) so a
+  pve-firewall reload doesn't wipe the knockd-managed rule. Default PVE installs
+  often have it off at datacenter level.
+
+### 4.5 knockd
+`apt install knockd` (Debian/PVE). `/etc/knockd.conf`:
+```
+[options]
+    UseSyslog
+    Interface = vmbr0          # the 192.168.1.127 interface
+
+[breakglass]
+    sequence      = <k1>:udp,<k2>:udp,<k3>:udp     # real ports from Vault
+    seq_timeout   = 10
+    start_command = /usr/sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 52222 -j ACCEPT
+    cmd_timeout   = 30
+    stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 52222 -j ACCEPT
+```
+- **UDP knock** → the client knock is fire-and-forget (`/dev/udp`), no TCP-hang
+  on the client (a TCP knock to a dropped port would block until timeout).
+- Opens `:52222` for the knocker's source IP for **30 s**; an SSH session
+  established within that window **persists** via conntrack ESTABLISHED after the
+  rule is removed. Enable + start the `knockd` service.
+
+### 4.6 fail2ban (defense-in-depth)
+`apt install fail2ban`, sshd jail (watches `auth.log`, bans repeat failures).
+Local to the host, **no cluster dependency**. Catches anything that gets past the
+knock to the sshd listener.
+
+### 4.7 Client side (laptop — stock tools only)
+`~/.ssh/config`:
+```
+Host breakglass
+    HostName <public-ip-or-dyndns>
+    Port 52222
+    User root
+    IdentityFile ~/.ssh/breakglass_ed25519
+```
+Knock + connect — a shell function using **bash builtins only** (works on
+macOS `/bin/bash` + Linux; UDP send is instant):
+```sh
+bg() {
+  local host=<public-ip-or-dyndns>
+  for p in <k1> <k2> <k3>; do echo -n x > "/dev/udp/$host/$p"; sleep 0.4; done
+  sleep 0.5
+  ssh breakglass "$@"
+}
+```
+- **Full LAN, no install:** `ssh -J breakglass <internal-host>` (jump), or
+  `ssh -D 1080 breakglass` then point a browser/`curl` at SOCKS5 `127.0.0.1:1080`
+  to reach any internal IP. From the host shell you already have everything.
+- *Optional fully-transparent variant:* fold the knock into a `ProxyCommand` in
+  the `Host breakglass` block so plain `ssh breakglass` knocks automatically.
+
+### 4.8 Cold-scenario IP cheat sheet (DNS is down when the cluster is down)
+Technitium + AdGuard are in-cluster, so `.lan` resolution is gone in a cold
+event. Use IPs:
+
+| Host | IP |
+|---|---|
+| Proxmox host | `192.168.1.127` (also `10.0.10.1` VLAN10) |
+| pfSense | `10.0.20.1` (WAN `192.168.1.2`) |
+| k8s API server | `10.0.20.100` |
+| Synology NAS | `192.168.1.13` |
+| Edge router | `192.168.1.1` |
+| Traefik LB / MetalLB | `10.0.20.200` / `10.0.20.203` |
+
+## 5. Security analysis
+
+- **Brute force: solved.** No password auth anywhere → password guessing is
+  impossible; key brute force is cryptographically infeasible.
+- **Invisibility / Wave 1 intent: satisfied.** The external SSH port is
+  default-dropped and the knock ports are pcap-sniffed (never answered), so a
+  scanner sees a closed/silent host — PVE sshd is **not internet-scannable**,
+  honouring the spirit of "no public-IP access to PVE sshd".
+- **The knock is obscurity, not cryptography.** A port-knock sequence is
+  plaintext and replayable by a passive on-path observer. **The SSH key is the
+  real access control** — the knock only removes the standing/scannable surface.
+  (Cryptographic SPA = fwknop, rejected for needing a client install.) Treat the
+  knock sequence as a secret-ish convenience, not a second cryptographic factor.
+- **Residual risks** (none are brute force):
+  1. An sshd **0-day** exploitable during the 30 s open window → mitigation: keep
+     PVE patched; short `cmd_timeout`; fail2ban.
+  2. **Private key theft** → mitigation: key has a passphrase; revoke by removing
+     the line from `authorized_keys`.
+  3. If `.1` **SNATs** (§4.1), the 30 s window opens `:52222` for the shared
+     `192.168.1.1` source — anyone else arriving via `.1` in that window could
+     reach the sshd banner, but still needs your key. Mitigated by the short
+     window + key-only + fail2ban.
+- **Deliberate, documented exception** to the Wave 1 "no public-IP access"
+  policy, scoped to this single knock-gated port. To be recorded in
+  `security.md` + the Wave 1 note in `infra/.claude/CLAUDE.md` on implementation.
+
+## 6. What's automated vs manual
+
+- **I do**: generate the keypair + knock sequence, store them in Vault, produce
+  the exact `sshd_config.d` snippet, `knockd.conf`, iptables rules, the client
+  `~/.ssh/config` + `bg()` function, and write the runbook + doc updates.
+- **Manual / careful (live devices)**: the `.1` edge-router forwards are done by
+  you in the browser (out-of-Terraform, live device). The Proxmox host changes
+  (sshd, knockd, iptables, fail2ban) are applied over SSH **with key-login
+  verified first** to avoid lockout; pfSense is **not** touched. None of this is
+  a `tg apply` — pfSense and the edge router are not Terraform-managed.
+
+## 7. Testing & verification
+1. From an **external** network (phone hotspot): run `bg`; confirm knockd syslog
+   shows the sequence + opens `:52222`; SSH succeeds.
+2. **Without** knocking: `ssh -p 52222` from external → connection refused/timed
+   out (port closed). A plain port scan of `52222` + the knock ports → silent.
+3. LAN admin on `:22` still works (no regression); backup rsync jobs unaffected.
+4. Full-LAN: `ssh -J breakglass 10.0.20.1` (pfSense) and `ssh -D 1080` SOCKS to
+   an internal IP.
+5. Determine `.1` source-IP behaviour (verify #1) and adjust knock granularity
+   note accordingly.
+
+## 8. Failure modes & rotation
+- **Proxmox host down** (not just cluster): this path is gone — that's the
+  out-of-band tier (serial/IPMI/separate device), explicitly **out of scope**.
+- **`.1` router config reset**: forwards lost → re-add from this doc; consider
+  exporting the `.1` config for backup.
+- **Public IP change**: use a hostname endpoint (Cloudflare-resolved) so it
+  auto-follows; keep the raw IP as fallback.
+- **Key/knock compromise**: remove the `authorized_keys` line (kills access
+  instantly); rotate the knock sequence in `knockd.conf` + Vault.
+
+## 9. Out of scope
+- Host-down / site-down out-of-band access (IPMI, LTE) — a future tier.
+- Phone access (would need an SSH **app**, e.g. Termius — outside the
+  "pre-installed Linux/macOS" constraint; laptop is the target).
+
+## 10. Docs to update on implementation
+- `docs/architecture/vpn.md` — add a "Break-glass SSH" section.
+- `docs/architecture/security.md` + Wave 1 note in `infra/.claude/CLAUDE.md` —
+  record the deliberate knock-gated exception to "no public PVE sshd".
+- New runbook `docs/runbooks/breakglass-ssh.md` — connect + rotate procedure.
diff --git a/docs/plans/2026-05-30-breakglass-ssh-access-plan.md b/docs/plans/2026-05-30-breakglass-ssh-access-plan.md
new file mode 100644
index 00000000..c4db48e2
--- /dev/null
+++ b/docs/plans/2026-05-30-breakglass-ssh-access-plan.md
@@ -0,0 +1,395 @@
+# Break-Glass SSH Access — Implementation Plan
+
+> **⚠️ SUPERSEDED 2026-06-11** by the redesign in
+> `2026-06-11-breakglass-ssh-redesign-design.md` (port-knock removed). Retained
+> for history. As-built: `docs/runbooks/breakglass-ssh.md`.
+
+> **Execution model:** This plan mutates **live devices** (the Proxmox host's sshd, and the TP-Link edge router). It is **human-gated**, NOT for autonomous subagents. Each live step is applied with anti-lockout verification, and every edge-router change is made by Viktor (or by the browse tool with explicit per-change approval). Steps use `- [ ]` checkboxes.
+
+**Goal:** Stand up a cold, brute-force-proof SSH backdoor onto the LAN — key-only SSH to the Proxmox host (`192.168.1.127`) gated behind a UDP port-knock — then decommission the legacy Synology SSH exposure and tighten UPnP.
+
+**Architecture:** Edge router `.1` forwards a UDP knock sequence + TCP `52222` to the Proxmox host. The host runs `knockd` (libpcap) which opens `52222` for the knocker's IP for 30 s; `sshd` listens on `:22` (LAN, always) and `:52222` (external, knock-gated), key-only. Path bypasses pfSense + the k8s cluster. Client uses only stock `ssh` + `bash`.
+
+**Tech stack:** OpenSSH, knockd, iptables, fail2ban (Debian/PVE host); TP-Link Archer AX6000 UI (edge router); HashiCorp Vault (secrets); Docker (`/home/wizard/tools/insecure-browse` for any router automation).
+
+**Reference:** design doc `2026-05-30-breakglass-ssh-access-design.md`. Router audit (current `.1` forwards) recorded in task notes + `/home/wizard/tools/insecure-browse/out/`.
+
+---
+
+## Pre-flight (read before starting)
+
+- **Anti-lockout rule:** never disable password auth or reload sshd without an *already-open* root session held + a *new* session verified. Applies to every host step.
+- **Live-router rule:** all `.1` changes are made by Viktor in the UI (or browse-tool with explicit approval). No blind automation of router writes.
+- **Ordering rule:** the legacy Synology SSH forward (Rule 6) is **not** closed until break-glass is verified working from an external network (Phase 4 gates on Phase 4-pre verification).
+- **Host access:** PVE host reached as `ssh root@192.168.1.127` from the LAN.
+- **Commit gate:** the infra repo currently has unmerged conflicts + an in-progress provider/backend migration. Do NOT commit (Phase 6) until Viktor confirms the repo is clean.
+
+---
+
+## Phase 0 — Generate secrets (no live changes)
+
+### Task 0.1: Break-glass SSH keypair
+
+**Files:** none in repo (secrets → Vault).
+
+- [ ] **Step 1: Generate a dedicated ed25519 keypair (with passphrase)**
+
+```bash
+mkdir -p ~/.ssh
+ssh-keygen -t ed25519 -a 100 -C "breakglass-$(date +%Y%m%d)" -f ~/.ssh/breakglass_ed25519
+# set a passphrase when prompted (so a stolen laptop key isn't instantly usable)
+```
+
+- [ ] **Step 2: Store the private key + public key in Vault**
+
+```bash
+vault kv patch secret/viktor \
+  breakglass_ssh_privkey=@$HOME/.ssh/breakglass_ed25519 \
+  breakglass_ssh_pubkey="$(cat ~/.ssh/breakglass_ed25519.pub)"
+```
+
+- [ ] **Step 3: Verify the keys are retrievable**
+
+```bash
+vault kv get -field=breakglass_ssh_pubkey secret/viktor
+```
+Expected: prints the `ssh-ed25519 AAAA... breakglass-YYYYMMDD` line.
+
+### Task 0.2: Knock sequence
+
+- [ ] **Step 1: Generate 3 random UDP knock ports**
+
+```bash
+KNOCK="$(shuf -i 20000-60000 -n 3 | paste -sd, -)"; echo "$KNOCK"
+```
+
+- [ ] **Step 2: Store the sequence in Vault (keep it out of git)**
+
+```bash
+vault kv patch secret/viktor breakglass_knock_sequence="$KNOCK"
+vault kv get -field=breakglass_knock_sequence secret/viktor
+```
+Expected: prints three comma-separated ports, e.g. `28411,49027,33180`.
+
+---
+
+## Phase 1 — Proxmox host: key-only SSH + knock gate (LIVE host change)
+
+> Run everything in this phase **on the PVE host**. Keep your current `ssh root@192.168.1.127` session open the entire phase.
+
+### Task 1.1: Pre-checks (no changes yet)
+
+- [ ] **Step 1: Confirm key login already works (anti-lockout baseline)**
+
+From your laptop, with the break-glass key authorized later — for now confirm your *existing* admin key works:
+```bash
+ssh -o PasswordAuthentication=no root@192.168.1.127 'echo KEY_LOGIN_OK'
+```
+Expected: `KEY_LOGIN_OK` (key auth works → safe to disable passwords later). If it prompts for a password, STOP and fix key auth first.
+
+- [ ] **Step 2: Check whether the PVE firewall is active (coexistence)**
+
+```bash
+ssh root@192.168.1.127 'pve-firewall status 2>/dev/null; iptables -S | head'
+```
+Expected: note whether `Status: enabled/running`. If **enabled**, add the Phase-1.4 rules via PVE's firewall (Datacenter→Firewall) instead of raw iptables, OR disable it if unused. If **disabled** (common), proceed with the raw-iptables approach below.
+
+### Task 1.2: Authorize the break-glass key
+
+- [ ] **Step 1: Append the break-glass public key to root's authorized_keys**
+
+```bash
+PUB="$(vault kv get -field=breakglass_ssh_pubkey secret/viktor)"
+ssh root@192.168.1.127 "grep -qF '$PUB' /root/.ssh/authorized_keys || echo '$PUB' >> /root/.ssh/authorized_keys"
+```
+
+- [ ] **Step 2: Verify break-glass key logs in (on :22, still default)**
+
+```bash
+ssh -i ~/.ssh/breakglass_ed25519 -o PasswordAuthentication=no root@192.168.1.127 'echo BREAKGLASS_KEY_OK'
+```
+Expected: `BREAKGLASS_KEY_OK`.
+
+### Task 1.3: sshd dual-port + key-only
+
+**Files:** Create on host: `/etc/ssh/sshd_config.d/10-breakglass.conf`
+
+- [ ] **Step 1: Write the sshd drop-in**
+
+```bash
+ssh root@192.168.1.127 'cat > /etc/ssh/sshd_config.d/10-breakglass.conf' <<'EOF'
+Port 22
+Port 52222
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+PubkeyAuthentication yes
+PermitRootLogin prohibit-password
+MaxAuthTries 3
+LoginGraceTime 20
+EOF
+```
+
+- [ ] **Step 2: Validate config syntax (do NOT reload yet)**
+
+```bash
+ssh root@192.168.1.127 'sshd -t && echo SSHD_CONFIG_OK'
+```
+Expected: `SSHD_CONFIG_OK`. If error, fix the drop-in before reloading.
+
+- [ ] **Step 3: Reload sshd (current session stays alive)**
+
+```bash
+ssh root@192.168.1.127 'systemctl reload ssh && echo RELOADED'
+```
+Expected: `RELOADED`.
+
+- [ ] **Step 4: Verify a NEW key session works on :22 AND :52222 before trusting it**
+
+```bash
+ssh -i ~/.ssh/breakglass_ed25519 -p 22    root@192.168.1.127 'echo OK22'
+ssh -i ~/.ssh/breakglass_ed25519 -p 52222 root@192.168.1.127 'echo OK52222'
+```
+Expected: `OK22` and `OK52222`. (If `:52222` refuses, sshd may not have bound the second port — check `ss -tlnp | grep ssh` on the host.) Only after both succeed, the old session is safe to drop.
+
+### Task 1.4: Base firewall (default-drop :52222, allow :22 + established)
+
+**Files:** Create on host: `/usr/local/sbin/breakglass-firewall.sh`, `/etc/systemd/system/breakglass-firewall.service`
+
+- [ ] **Step 1: Write the idempotent base-firewall script (dedicated chain)**
+
+```bash
+ssh root@192.168.1.127 'cat > /usr/local/sbin/breakglass-firewall.sh' <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+# Idempotent: (re)build a dedicated BREAKGLASS chain hooked into INPUT.
+iptables -N BREAKGLASS 2>/dev/null || iptables -F BREAKGLASS
+iptables -C INPUT -j BREAKGLASS 2>/dev/null || iptables -I INPUT 1 -j BREAKGLASS
+# established/related always allowed
+iptables -A BREAKGLASS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# LAN admin on :22 always allowed (.1 does NOT forward :22 to this host, so :22 is LAN-only)
+iptables -A BREAKGLASS -p tcp --dport 22 -j ACCEPT
+# external SSH on :52222 closed by default; knockd punches a per-source ACCEPT into INPUT pos 1
+iptables -A BREAKGLASS -p tcp --dport 52222 -j DROP
+EOF
+ssh root@192.168.1.127 'chmod 0755 /usr/local/sbin/breakglass-firewall.sh'
+```
+
+- [ ] **Step 2: Write a boot-time systemd unit (persists across reboot, before knockd)**
+
+```bash
+ssh root@192.168.1.127 'cat > /etc/systemd/system/breakglass-firewall.service' <<'EOF'
+[Unit]
+Description=Break-glass base firewall (SSH knock gate)
+After=network-pre.target
+Before=knockd.service
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/breakglass-firewall.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ssh root@192.168.1.127 'systemctl daemon-reload && systemctl enable --now breakglass-firewall.service && echo FW_APPLIED'
+```
+Expected: `FW_APPLIED`.
+
+- [ ] **Step 3: Verify LAN :22 still works and :52222 is now dropped from LAN**
+
+```bash
+ssh -i ~/.ssh/breakglass_ed25519 -p 22 root@192.168.1.127 'echo STILL_OK22'         # works
+nc -z -w3 192.168.1.127 52222 && echo "OPEN(bad)" || echo "CLOSED_AS_EXPECTED"      # closed pre-knock
+```
+Expected: `STILL_OK22` and `CLOSED_AS_EXPECTED`.
+
+### Task 1.5: knockd
+
+**Files:** Create/modify on host: `/etc/knockd.conf`, `/etc/default/knockd`
+
+- [ ] **Step 1: Install knockd (host daemon — must be native, not Docker, to manage host iptables)**
+
+```bash
+ssh root@192.168.1.127 'apt-get update -qq && apt-get install -y knockd && echo KNOCKD_INSTALLED'
+```
+Expected: `KNOCKD_INSTALLED`.
+
+- [ ] **Step 2: Write knockd.conf with the Vault knock sequence (UDP)**
+
+```bash
+KNOCK="$(vault kv get -field=breakglass_knock_sequence secret/viktor)"   # e.g. 28411,49027,33180
+read K1 K2 K3 <<<"$(echo "$KNOCK" | tr ',' ' ')"
+ssh root@192.168.1.127 "cat > /etc/knockd.conf" <<EOF
+[options]
+    UseSyslog
+    Interface = vmbr0
+
+[breakglass]
+    sequence      = ${K1}:udp,${K2}:udp,${K3}:udp
+    seq_timeout   = 10
+    start_command = /usr/sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 52222 -j ACCEPT
+    cmd_timeout   = 30
+    stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 52222 -j ACCEPT
+EOF
+```
+
+- [ ] **Step 3: Enable + start knockd**
+
+```bash
+ssh root@192.168.1.127 "sed -i 's/^START_KNOCKD=.*/START_KNOCKD=1/' /etc/default/knockd 2>/dev/null || echo 'START_KNOCKD=1' >> /etc/default/knockd"
+ssh root@192.168.1.127 'systemctl enable --now knockd && systemctl is-active knockd'
+```
+Expected: `active`.
+
+### Task 1.6: fail2ban (defense-in-depth)
+
+- [ ] **Step 1: Install + enable fail2ban with the default sshd jail**
+
+```bash
+ssh root@192.168.1.127 'apt-get install -y fail2ban && systemctl enable --now fail2ban && fail2ban-client status sshd >/dev/null && echo F2B_OK'
+```
+Expected: `F2B_OK` (sshd jail active).
+
+---
+
+## Phase 2 — Edge router `.1` forwards (LIVE router change — Viktor executes)
+
+> In the AX6000 UI: **Advanced → NAT Forwarding → Port Forwarding → Add**. Do NOT remove anything yet.
+
+- [ ] **Step 1: Add the SSH break-glass forward**
+  - Name `breakglass-ssh`, External Port `52222`, Internal IP `192.168.1.127`, Internal Port `52222`, Protocol `TCP`, Enable.
+
+- [ ] **Step 2: Add the three UDP knock forwards** (values from `vault kv get -field=breakglass_knock_sequence secret/viktor`)
+  - For each of the 3 ports: Name `bg-knock-N`, External Port `<port>`, Internal IP `192.168.1.127`, Internal Port `<same port>`, Protocol `UDP`, Enable.
+
+- [ ] **Step 3: (verify #1) Determine whether `.1` preserves source IP or SNATs**
+
+After Phase 3 connects once, on the host check the observed source:
+```bash
+ssh root@192.168.1.127 'journalctl -u knockd -n 20 --no-pager | grep -i "stage\|open"'
+```
+If `%IP%` is a public IP → source preserved (per-IP granularity). If it's `192.168.1.1` → `.1` SNATs (knock opens `:52222` for the shared `.1` source during the 30 s window). Both are acceptable with the dual-port + key-only model; just note it in the runbook.
+
+---
+
+## Phase 3 — Client config (laptop, no live infra change)
+
+**Files:** Modify `~/.ssh/config`; add a shell function to `~/.zshrc`/`~/.bashrc`.
+
+- [ ] **Step 1: Add the SSH host block**
+
+```bash
+cat >> ~/.ssh/config <<'EOF'
+
+Host breakglass
+    HostName viktorbarzin.ddns.net
+    Port 52222
+    User root
+    IdentityFile ~/.ssh/breakglass_ed25519
+EOF
+```
+(`viktorbarzin.ddns.net` is the router's NO-IP DDNS name — follows the dynamic WAN IP. Raw IP `176.12.22.76` is the fallback.)
+
+- [ ] **Step 2: Add the knock+connect function**
+
+```bash
+cat >> ~/.zshrc <<'EOF'
+
+bg() {
+  local host="viktorbarzin.ddns.net"
+  local seq; seq="$(vault kv get -field=breakglass_knock_sequence secret/viktor 2>/dev/null || echo "")"
+  [ -z "$seq" ] && { echo "no knock sequence (vault?)"; return 1; }
+  for p in ${seq//,/ }; do (exec 3<>/dev/udp/$host/$p) 2>/dev/null && echo "x" >&3; sleep 0.4; done
+  sleep 0.5
+  ssh breakglass "$@"
+}
+EOF
+```
+> Note: the bash `/dev/udp` redirection works under bash (`/bin/bash` on macOS + Linux). Under zsh, `/dev/udp` is also supported by zsh's builtin in recent versions; if your zsh build lacks it, define `bg` in bash or use `nc -u -w1 $host $p </dev/null`.
+
+---
+
+## Phase 4-pre — Verify break-glass END-TO-END (gates Phase 4)
+
+> Do this from an **external** network (phone hotspot / tethered), NOT the home LAN.
+
+- [ ] **Step 1: Without knocking, the port is silent**
+
+```bash
+nc -z -w3 viktorbarzin.ddns.net 52222 && echo "OPEN(bad)" || echo "SILENT_OK"
+```
+Expected: `SILENT_OK`.
+
+- [ ] **Step 2: Knock + connect succeeds**
+
+```bash
+bg 'hostname; echo BREAKGLASS_E2E_OK'
+```
+Expected: the PVE hostname + `BREAKGLASS_E2E_OK`.
+
+- [ ] **Step 3: Full-LAN reach via the jump (no extra install)**
+
+```bash
+ssh -J breakglass root@10.0.20.1 'echo PFSENSE_REACHED' 2>/dev/null || echo "check pfSense ssh"
+ssh -J breakglass admin@192.168.1.13 'echo SYNOLOGY_REACHED' 2>/dev/null || echo "check synology ssh"
+```
+Expected: confirms you can reach pfSense + Synology *through* break-glass (so closing Rule 6 loses nothing).
+
+- [ ] **Step 4: LAN admin unaffected**
+
+From the home LAN: `ssh -p 22 root@192.168.1.127 'echo LAN22_OK'` → `LAN22_OK`.
+
+**GATE:** Only proceed to Phase 4 once Steps 1–4 pass. If any fail, fix before removing the legacy forward.
+
+---
+
+## Phase 5 — Router cleanup (LIVE router change — Viktor executes, AFTER Phase 4-pre passes)
+
+> AX6000 UI. One pass, all three changes.
+
+- [ ] **Step 1: Remove the Synology SSH exposure (Rule 6)**
+  - Advanced → NAT Forwarding → Port Forwarding → delete (or disable) rule **`HTTP` / 3333 → 192.168.1.13:22**.
+
+- [ ] **Step 2: Delete the stale Proxmox rule (Rule 3)**
+  - Delete the disabled rule **`proxmox` / 8006 → 192.168.1.127**.
+
+- [ ] **Step 3: Disable UPnP**
+  - Advanced → NAT Forwarding → UPnP → toggle **OFF**. (Tailscale on `.101` falls back to DERP relay; the `41643→pfSense` mapping drops.)
+
+- [ ] **Step 4: Verify the Synology SSH is gone from the WAN, break-glass still works**
+
+From an external network:
+```bash
+nc -z -w3 viktorbarzin.ddns.net 3333 && echo "STILL_OPEN(bad)" || echo "SYNOLOGY_SSH_CLOSED_OK"
+bg 'echo BREAKGLASS_STILL_OK'
+```
+Expected: `SYNOLOGY_SSH_CLOSED_OK` and `BREAKGLASS_STILL_OK`.
+
+---
+
+## Phase 6 — Docs + commit (AFTER infra repo is clean)
+
+- [ ] **Step 1: Update `docs/architecture/vpn.md`** — add a "Break-glass SSH" section (knock-gated SSH to PVE host, client `bg()`, cheat-sheet IPs).
+- [ ] **Step 2: Update `docs/architecture/security.md` + the Wave-1 note in `infra/.claude/CLAUDE.md`** — record the deliberate knock-gated exception; **correct the WAN-exposure inventory** (actual `.1` forwards are qbittorrent/stun/turn→pfSense + the new break-glass; Synology SSH removed; UPnP disabled; Remote Management off).
+- [ ] **Step 3: New runbook `docs/runbooks/breakglass-ssh.md`** — connect procedure, knock/key rotation, re-adding `.1` forwards after a router reset.
+- [ ] **Step 4: Commit the design + plan + doc updates** (only once Viktor confirms the repo is committable):
+
+```bash
+git -C /home/wizard/code/infra add \
+  docs/plans/2026-05-30-breakglass-ssh-access-design.md \
+  docs/plans/2026-05-30-breakglass-ssh-access-plan.md \
+  docs/architecture/vpn.md docs/architecture/security.md \
+  docs/runbooks/breakglass-ssh.md .claude/CLAUDE.md
+git -C /home/wizard/code/infra commit -m "docs+feat: break-glass knock-gated SSH; retire Synology SSH forward; disable UPnP [ci skip]"
+git -C /home/wizard/code/infra push origin master
+```
+
+---
+
+## Self-review
+
+- **Spec coverage:** key-only SSH ✅ (1.3), knock gate ✅ (1.4/1.5), invisibility ✅ (4-pre.1), full-LAN via jump ✅ (4-pre.3), no-lockout ✅ (1.1/1.3.4), Wave-1 exception doc ✅ (6.2), close legacy SSH ✅ (5.1), UPnP ✅ (5.3). All design §sections map to a task.
+- **Placeholder scan:** no TBDs; secret values are generated + Vault-stored, referenced via `vault kv get` (concrete, not placeholders).
+- **Consistency:** port `52222`, knock from `secret/viktor/breakglass_knock_sequence`, key `~/.ssh/breakglass_ed25519`, host `192.168.1.127` used consistently throughout.
+- **Open verify items** (flagged inline, non-blocking): #1 `.1` SNAT behaviour (2.3), pve-firewall coexistence (1.1.2).
diff --git a/docs/plans/2026-06-01-t3-auto-provision-design.md b/docs/plans/2026-06-01-t3-auto-provision-design.md
index 1c34e8a8..ca9a7e1f 100644
--- a/docs/plans/2026-06-01-t3-auto-provision-design.md
+++ b/docs/plans/2026-06-01-t3-auto-provision-design.md
@@ -85,12 +85,14 @@ Replaces the in-cluster nginx `t3-dispatch` (the session-mint needs `sudo` + loc
 
 Per request (Authentik forward-auth has injected a trustworthy `X-authentik-username`):
 1. Resolve `X-authentik-username` → OS user via `/etc/ttyd-user-map`. No mapping → **403**.
-2. **Has a valid t3 session cookie?** → reverse-proxy (incl. WebSocket upgrade) to `127.0.0.1:<T3_PORT>`. (Steady state — the common path.)
-3. **No cookie** (first visit / expired) → auto-pair:
+2. **Has a valid t3 session cookie?** → reverse-proxy (incl. WebSocket upgrade) to `127.0.0.1:<T3_PORT>`. (Steady state — the common path.) Sub-requests (XHR/asset/WebSocket) take the cookie at face value; on a **top-level document navigation** the cookie is verified against the instance's `GET /api/auth/session` so a present-but-dead cookie doesn't slip through.
+3. **No cookie, or an invalid cookie on a document navigation** (first visit / expired / server-side session wiped) → auto-pair:
    - `sudo -u <os_user> t3 auth pairing create --base-dir /home/<os_user>/.t3 --ttl 5m --json` → one-time token.
    - exchange it at the instance's `POST /api/auth/bootstrap` → capture the returned `Set-Cookie`.
    - relay that `Set-Cookie` to the browser + `302 /`. Browser now holds the t3 session cookie → next request is the steady-state path. **Login → straight in.**
 
+> **As-built note (2026-06-09):** the first implementation re-paired only on an *absent* cookie. After an auth-schema rollback wiped every server-side session, browsers still held live-looking-but-dead 30-day `t3_session` cookies, which the dispatcher proxied straight through → t3 rendered its pair page (the "all users must pair again" incident). Fixed by validating a present cookie via `/api/auth/session` and re-pairing on `authenticated:false` — **gated to document navigations** (`isDocumentNav`: trust `Sec-Fetch-Dest: document`, else fall back to `Accept: text/html`) so XHR/asset/WebSocket sub-requests are never answered with a `302`, and **fail-open** (proxy through) on any validation error so no new failure mode is introduced. See `scripts/t3-dispatch/main.go` (`sessionValid`, `isDocumentNav`) + `main_test.go`.
+
 Implementation: a small reverse proxy that supports WebSocket upgrade (Go `httputil.ReverseProxy`, or Python aiohttp) — chosen at plan time.
 
 ### 4. Terraform — `stacks/t3code` shrinks
diff --git a/docs/plans/2026-06-04-pve-fan-control-design.md b/docs/plans/2026-06-04-pve-fan-control-design.md
index a2d0216f..ccc972b3 100644
--- a/docs/plans/2026-06-04-pve-fan-control-design.md
+++ b/docs/plans/2026-06-04-pve-fan-control-design.md
@@ -1,10 +1,32 @@
 # PVE R730 presence-aware fan control — design
 
 **Date:** 2026-06-04
-**Status:** implemented
+**Status:** implemented; **redesigned 2026-06-08, anti-flap 2026-06-15** (see update below)
 **Scripts:** `infra/scripts/fan-control.{sh,service,env.example}`, `test-fan-control.sh`
 **Runbook:** `infra/docs/runbooks/fan-control.md`
 
+> ## Update — control moved to HA; host is a thin actuator
+>
+> - **2026-06-07:** presence/two-curve scheme replaced by a single linear curve;
+>   all garage-presence logic removed.
+> - **2026-06-08:** **all control moved into Home Assistant.** HA owns the curve
+>   thresholds, duty %, an additive **bias** (replaces the ease-down hysteresis),
+>   plus manual/lock, and publishes `sensor.r730_fan_command_pct =
+>   clamp(curve(temp)+bias, 0..100)` with an asymmetric output deadband. The host
+>   `fan-control.sh` is now a **thin actuator**: read that one number, validate,
+>   apply over IPMI — no local math. Independent host safety (CPU≥83 °C, IPMI
+>   fail, HA loss) hands the fans to Dell auto. It's a P controller, so the curve
+>   slope/offset set the steady-state equilibrium temperature (not a setpoint).
+> - **2026-06-15:** daemon **anti-flap** — on a transient HA miss it HOLDS the
+>   last applied % for `HA_GRACE_SECS` (300 s) instead of dumping to Dell auto,
+>   and `STALE_SECS` loosened 120→1800 (staleness only happens at flat temp,
+>   where the held value is still valid). Killed a ~14%-of-the-time flap to the
+>   Dell floor; verified fallback 14%→0%, command std 16→3 over 8 h.
+>
+> The HA objects (sliders, command template, display/equilibrium sensors,
+> Lock/Override, dashboard cards, REST sensors) live on ha-sofia, not this repo.
+> Sections below are retained as historical context.
+
 ## Problem
 
 The Dell R730 PVE host (192.168.1.127) runs its CPU at ~72–77°C under normal
diff --git a/docs/plans/2026-06-07-multi-user-workstation-design.md b/docs/plans/2026-06-07-multi-user-workstation-design.md
index 2148ae27..4d80eae4 100644
--- a/docs/plans/2026-06-07-multi-user-workstation-design.md
+++ b/docs/plans/2026-06-07-multi-user-workstation-design.md
@@ -110,7 +110,7 @@ The Config base / machine-wide managed layer is **secret-free**. Everything carr
 
 | Auth / token | Lives in (per-user, `0600`) | New-user provisioning (from Vault) |
 |---|---|---|
-| **Claude OAuth** | `~/.claude/.credentials.json` (or `CLAUDE_CODE_OAUTH_TOKEN`) | the shared Enterprise token (earlier decision) **or** own interactive login; emo keeps his own |
+| **Claude OAuth** | `~/.claude/.credentials.json` + isolated Vault backup | own Enterprise SSO login; Claude refreshes locally and `claude-auth-sync@<user>.timer` validates/backs up/recovers `claudeAiOauth` at `secret/workstation/claude-users/<os_user>`; shared token injection is forbidden |
 | **`claude_memory` MCP** | `~/.claude.json` mcpServers + `MEMORY_API_KEY` in `settings.json` env | **DEFERRED — not a risk now (Viktor, 2026-06-08).** Per-user memory isolation needs a service-side `_key_to_user` map edit + redeploy (claude-memory-mcp, GHA repo 78), not just a Vault write — NOT built now. For now a new user gets a simple key or omits memory; revisit if isolation becomes a concern. |
 | **`ha` MCP** (token-in-URL) | `~/.claude.json` | shared `ha_sofia_mcp_url` from Vault `secret/openclaw` (one HA instance; shared secret, per-user file) — only if HA-eligible |
 | **`playwright` MCP** | per-user systemd unit (own port) + localhost entry | existing per-user playwright pattern (id=4015); non-secret |
@@ -166,6 +166,8 @@ Design principle: **every bit of devvm setup is an idempotent git script** — n
 - **ADR-0002 — devvm Linux users, not K8s ephemeral pods.** Re-platforming is overkill at this scale; config-push is easier on one host.
 - **ADR-0003 — Config inheritance via native machine-wide layers + per-user override.** Rejected: periodic sync, OverlayFS (no live lowerdir edits), Nix (rebuild not live).
 - **ADR-0004 — Infra access via per-user writable git-crypt-locked clones (changes ungated).** Each non-admin gets their own writable, keyless (locked) clone — read + edit + push freely, no PR gate. Safe because infra apply is manual + admin-only (push ≠ apply, id=4355) and the clone can't decrypt secrets. Rejected: the shared read-only mirror (gated changes) and the shared unlocked tree (secret leak + commit entanglement). Trade: repo-local CLAUDE.md updates via pull, not live (global config inheritance stays live via §4).
+  - **AMENDED 2026-06-10 — the "push ≠ apply" premise was WRONG.** The Forgejo→Woodpecker webhook on `viktor/infra` fires `.woodpecker/default.yml` on `push` to `master` (`require_approval: forks` only), which terragrunt-applies changed stacks — so an ungated master push IS a deploy. Enforcement added instead of dropping the ADR: Forgejo **branch protection on `master`** (push + merge whitelists = `viktor`, deploy keys allowed). Non-admins keep free branch pushes + PRs; only admin merges land on master. "No PR gate" is thereby reversed for non-admins; the rest of the ADR (per-user locked clones) stands. As-built: `../architecture/multi-tenancy.md` → "Contribute access".
+  - **AMENDED AGAIN 2026-06-10 (later) — allow-then-audit.** Viktor granted emo (`ebarzin`) direct master push ("he's allowed to make any change; what matters is tracking what changed and why"). The PR gate is dropped FOR WHITELISTED USERS; tracking is enforced instead: agent-written commit messages must carry the user's plain-language intent (the WHY), a `notify-nonadmin-push` Slack step in `.woodpecker/default.yml` surfaces every non-admin master push, `[ci skip]` is forbidden for non-admins, and force-push stays disabled (append-only history). Accepted consequence: emo's pushes auto-apply changed stacks via CI. Branch protection + the PR fallback remain for non-whitelisted users.
 - **ADR-0005 — Power-user = cluster-wide read-only (no Secrets), via a NEW dedicated ClusterRole.** Re-widens cross-tenant READ for the trusted power-user tier only — but via a NEW `oidc-power-user-readonly` ClusterRole (get/list/watch, NO `secrets`), NOT the existing `oidc-power-user` (which grants read+write+Secrets and is unbound). Bound to the user's OIDC identity (kubelogin) — the apiserver accepts Authentik OIDC for the `kubernetes` audience; the dashboard's SA-token pattern is for the dashboard UI only.
 - **ADR-0006 — The roster is the single source of truth for the FULL lifecycle.** `roster.yaml` drives onboard *and* offboard; `/etc/ttyd-user-map`, `dispatch.json`, and Authentik `T3 Users` membership are *derived* from it, and tier is *validated* against `k8s_users` (fail-loud on mismatch). Rejected: hand-maintaining the four membership lists in parallel (guaranteed drift). Offboarding is first-class + staged (reversible cut → cluster revoke → gated `userdel`), not an afterthought.
 - **ADR-0007 — Add swap + a capacity budget to the devvm before onboarding active users.** A shared 24 GB / **0-swap** host OOM-kills live sessions under multi-user load (wizard alone runs ~20). Swap + a max-concurrent ceiling are prerequisites, not follow-ups.
diff --git a/docs/plans/2026-06-07-multi-user-workstation-plan.md b/docs/plans/2026-06-07-multi-user-workstation-plan.md
index 1bd3275c..50f788ed 100644
--- a/docs/plans/2026-06-07-multi-user-workstation-plan.md
+++ b/docs/plans/2026-06-07-multi-user-workstation-plan.md
@@ -129,6 +129,21 @@ users:
 
 ### Task 2.3: Inject per-user MCP + auth secrets (new users only; never clobber)
 
+> **PARTIAL — per-user playwright browser MCP DONE (2026-06-16), reproducible from git.**
+> Implemented NOT via the "write a fresh `~/.claude.json`" step below (that skips
+> EXISTING users who have a `.claude.json` lacking the entry — emo + anca were
+> exactly this: server running, never wired). Instead: `roster_engine.py` allocates
+> a sticky per-user `PLAYWRIGHT_PORT` (`PLAYWRIGHT_BASE_PORT=8931`); `setup-devvm.sh`
+> (§8c/§9e) stages the chrome-service token + installs **system-level template units**
+> (`scripts/workstation/playwright/playwright-mcp@.service` + `…-snapshot-refresh@.{service,timer}`,
+> no systemd --user / linger); `t3-provision-users.sh` `install_playwright()` (ALL
+> tiers incl. admin) seeds the token if-absent, runs `claude mcp add --scope user
+> playwright` AS the user (clobber-proof → fixes existing + new + admin), and
+> `enable --now`s the instances. Replaced the hand-made `~/.config/systemd/user/playwright-*`
+> units (one-time idle-gated migration). Runbook: `../runbooks/chrome-service-snapshot.md`
+> → "Provisioning". **Still TODO in this task:** `ha`, `claude_memory`,
+> `.credentials.json`, and the beads Dolt credential.
+
 **Files:** Modify `infra/scripts/t3-provision-users.sh` (add `install_user_secrets`)
 
 - [ ] **Step 1:** For each non-admin **without** an existing `~/.claude.json` (NEW users only — NEVER touch an existing one): write `~/.claude.json` with `playwright-shared` (localhost), `ha` (shared `ha_sofia_mcp_url` from Vault `secret/openclaw`) if HA-eligible, and `claude_memory` using a **shared/simple key (per-user memory isolation is DEFERRED — not a risk now)**. Seed `~/.claude/.credentials.json` with the shared Claude token (Vault) **or** leave absent for interactive login. **Drop the beads Dolt credential** into `~/code/.beads/` (`.beads-credential-key`, from Vault, or set `DOLT_REMOTE_PASSWORD`) so `bd` authenticates — it's git-ignored, so a fresh clone lacks it. All `0600`, owned by the user. Per-user `playwright-mcp` systemd unit on its own port (existing pattern, id=4015).
@@ -171,6 +186,8 @@ users:
 
 ### Task 5.1: Cut emo over to his own writable locked clone (opt-in, reversible)
 
+> **DONE 2026-06-10** (staged across 06-08 → 06-10), with two deviations: (1) step 4(c) **skipped deliberately** — the live `/etc/skel` shared base delivers `~/.claude/{rules,skills}` AS symlinks into the admin base, so emo's existing symlinks match the as-built design and were kept; (2) push access was **added** (not in this plan): `ebarzin` = write collaborator on Forgejo `viktor/infra` + PAT in `~/.git-credentials` + `forgejo` remote, with `master` branch-protected (see ADR-0004 amendment — push to master auto-applies via Woodpecker, so it is whitelist-gated to `viktor`). Verified: branch push OK, master push rejected, `code-shared` removed, admin tree unreadable as emo.
+
 **Files:** none (host state; an explicit one-time action — NOT the routine reconcile)
 
 - [ ] **Step 1: Prereqs.** Confirm emo inherits config (Phase 1) + has his scoped kubeconfig (Phase 2). (Phase 3 deliberately SKIPPED emo — his clone is created *here*.)
diff --git a/docs/plans/2026-06-09-workstation-authentik-membership-plan.md b/docs/plans/2026-06-09-workstation-authentik-membership-plan.md
new file mode 100644
index 00000000..1803e04d
--- /dev/null
+++ b/docs/plans/2026-06-09-workstation-authentik-membership-plan.md
@@ -0,0 +1,469 @@
+# Workstation Membership v2 — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax. This is **infra** work: the engine tasks are real pytest TDD; the host/Authentik tasks "verify" via an idempotent re-run + a smoke check with expected output. Honor the Terraform-only rule for cluster/Authentik changes (`scripts/tg apply`); devvm host scripts are the accepted exception. Claim `host:devvm` before host mutations and `stack:authentik` before applying Authentik.
+
+**Goal:** Make the Authentik `T3 Users` group membership the single source of truth for who gets a devvm workstation account, identified by email; retire `roster.yaml`.
+
+**Architecture:** The provisioner reads `T3 Users` members from the Authentik API (read-only token) instead of `roster.yaml`. A pure engine derives the Linux `os_user` from each member's email (or an `os_user` Authentik attribute override) and produces the same desired-state shape v1 already applies. Workstation access stays fully decoupled from cluster RBAC (`k8s_users` untouched). wizard is special-cased as the admin/owner.
+
+**Tech Stack:** Python (pure engine, pytest) + Bash (provisioner) + `jq`/`curl` (Authentik API) + Terraform (`stacks/authentik`: read-only token, drop HCL members).
+
+**Design:** `infra/docs/plans/2026-06-09-workstation-authentik-membership-design.md`.
+
+---
+
+## File structure
+
+- Modify: `infra/scripts/workstation/roster_engine.py` — add `derive_os_user()` + `roster_from_members()` (pure).
+- Modify: `infra/scripts/workstation/test_roster_engine.py` — tests for the two new functions.
+- Modify: `infra/scripts/t3-provision-users.sh` — source members from the Authentik API instead of `roster.yaml`.
+- Modify: `infra/scripts/workstation/setup-devvm.sh` — drop the read-only Authentik token to `/etc/t3-serve/authentik-token`.
+- Create: `infra/stacks/authentik/t3-provision-token.tf` — read-only service account + API token.
+- Modify: `infra/stacks/authentik/t3-users.tf` — drop the HCL `users` list (membership becomes Authentik-managed).
+- Delete: `infra/scripts/workstation/roster.yaml` (Task 7).
+- Modify: `infra/.claude/reference/service-catalog.md`, `infra/docs/architecture/multi-tenancy.md` (Task 7).
+
+---
+
+## Task 1: Engine — `derive_os_user()`
+
+**Files:** Modify `infra/scripts/workstation/roster_engine.py`; Test `infra/scripts/workstation/test_roster_engine.py`
+
+- [ ] **Step 1: Write the failing tests** (append to `test_roster_engine.py`)
+
+```python
+# --- derive_os_user: email/attribute -> Linux username (v2) ---
+
+def test_derive_os_user_sanitizes_email_local_part():
+    assert eng.derive_os_user("emil.barzin@gmail.com", None) == "emil_barzin"
+
+
+def test_derive_os_user_attribute_overrides():
+    assert eng.derive_os_user("emil.barzin@gmail.com", "emo") == "emo"
+
+
+def test_derive_os_user_lowercases_and_replaces_unsafe_runs():
+    assert eng.derive_os_user("Weird.Name+tag@x.com", None) == "weird_name_tag"
+
+
+def test_derive_os_user_truncates_to_32():
+    long = ("a" * 40) + "@x.com"
+    assert eng.derive_os_user(long, None) == "a" * 32
+
+
+def test_derive_os_user_blank_attribute_is_ignored():
+    assert eng.derive_os_user("emil.barzin@gmail.com", "") == "emil_barzin"
+```
+
+- [ ] **Step 2: Run to verify they fail**
+
+Run: `cd infra/scripts/workstation && python3 -m pytest test_roster_engine.py -k derive_os_user -q`
+Expected: FAIL — `AttributeError: module 'roster_engine' has no attribute 'derive_os_user'`
+
+- [ ] **Step 3: Implement** (add to `roster_engine.py`, after `RosterError`)
+
+```python
+import re
+
+_MAX_USERNAME = 32
+
+
+def derive_os_user(email: str, os_user_attr: str | None) -> str:
+    """Linux username for a workstation member: the explicit `os_user` Authentik
+    attribute if set, else the email local-part sanitized to a valid username
+    (lowercase; runs of non [a-z0-9_-] -> '_'; stripped; <=32 chars)."""
+    if os_user_attr:
+        return os_user_attr
+    local = email.split("@", 1)[0].lower()
+    cleaned = re.sub(r"[^a-z0-9_-]+", "_", local).strip("_")
+    return cleaned[:_MAX_USERNAME]
+```
+
+- [ ] **Step 4: Run to verify they pass**
+
+Run: `python3 -m pytest test_roster_engine.py -k derive_os_user -q`
+Expected: PASS (5 passed)
+
+- [ ] **Step 5: Commit**
+
+```bash
+cd /home/wizard/code/infra
+git add scripts/workstation/roster_engine.py scripts/workstation/test_roster_engine.py
+git commit -m "workstation: engine derive_os_user (email/attribute -> Linux username)"
+```
+
+---
+
+## Task 2: Engine — `roster_from_members()`
+
+Builds a `Roster` (the v1 type `derive_desired_state` already consumes) from the Authentik member list, so the existing tested derivation is reused unchanged.
+
+**Files:** Modify `roster_engine.py`; Test `test_roster_engine.py`
+
+- [ ] **Step 1: Write the failing tests**
+
+```python
+# --- roster_from_members: Authentik members -> Roster (v2) ---
+
+MEMBERS = [
+    {"email": "vbarzin@gmail.com", "os_user": "wizard"},
+    {"email": "emil.barzin@gmail.com", "os_user": "emo"},
+    {"email": "ancaelena98@gmail.com", "os_user": "ancamilea"},
+]
+ADMINS = {"vbarzin@gmail.com"}
+
+
+def test_roster_from_members_maps_identity_fields():
+    r = eng.roster_from_members(MEMBERS, ADMINS)
+    u = r.users["emo"]
+    assert u.os_user == "emo"
+    assert u.authentik_user == "emil.barzin"      # email local-part = t3-dispatch key
+    assert u.k8s_user == "emil.barzin@gmail.com"  # email = identity
+    assert u.tier == "power-user"                  # non-admin
+
+
+def test_roster_from_members_admin_by_email():
+    r = eng.roster_from_members(MEMBERS, ADMINS)
+    assert r.users["wizard"].tier == "admin"
+
+
+def test_roster_from_members_derives_os_user_when_no_override():
+    r = eng.roster_from_members([{"email": "jane.doe@x.com", "os_user": None}], set())
+    assert "jane_doe" in r.users
+    assert r.users["jane_doe"].tier == "power-user"
+
+
+def test_roster_from_members_raises_on_os_user_collision():
+    members = [{"email": "a@x.com", "os_user": "dup"}, {"email": "b@y.com", "os_user": "dup"}]
+    with pytest.raises(eng.RosterError, match="collision"):
+        eng.roster_from_members(members, set())
+
+
+def test_roster_from_members_reuses_derive_desired_state():
+    r = eng.roster_from_members(MEMBERS, ADMINS)
+    ds = eng.derive_desired_state(r, {"wizard": 3773, "emo": 3774, "ancamilea": 3775})
+    assert ds.dispatch["emil.barzin"] == {"os_user": "emo", "port": 3774}
+    assert ds.accounts["wizard"].groups == ("code-shared", "docker", "sudo")
+    assert ds.accounts["emo"].groups == ()
+```
+
+- [ ] **Step 2: Run to verify they fail**
+
+Run: `python3 -m pytest test_roster_engine.py -k roster_from_members -q`
+Expected: FAIL — `AttributeError: ... 'roster_from_members'`
+
+- [ ] **Step 3: Implement** (add to `roster_engine.py`)
+
+```python
+def roster_from_members(members: list[dict], admin_emails: set[str]) -> Roster:
+    """Build a Roster from Authentik `T3 Users` members. Each member dict has
+    `email` and optional `os_user`. tier = admin iff the email is in admin_emails,
+    else power-user (a non-admin workstation: no groups, locked clone). Raises on
+    an os_user collision (two emails resolving to the same Linux username)."""
+    users: dict[str, User] = {}
+    for m in members:
+        email = m["email"]
+        os_user = derive_os_user(email, m.get("os_user"))
+        if os_user in users:
+            raise RosterError(
+                f"os_user collision: {email!r} and {users[os_user].k8s_user!r} "
+                f"both resolve to {os_user!r} (set an os_user attribute to disambiguate)"
+            )
+        tier = "admin" if email in admin_emails else "power-user"
+        users[os_user] = User(
+            os_user=os_user,
+            authentik_user=email.split("@", 1)[0],
+            k8s_user=email,
+            tier=tier,
+            namespaces=(),
+        )
+    return Roster(users)
+```
+
+- [ ] **Step 4: Run the whole suite**
+
+Run: `python3 -m pytest test_roster_engine.py -q && ruff check roster_engine.py test_roster_engine.py`
+Expected: PASS (all, incl. the v1 tests) + ruff clean
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add scripts/workstation/roster_engine.py scripts/workstation/test_roster_engine.py
+git commit -m "workstation: engine roster_from_members (Authentik members -> Roster, reuses derive)"
+```
+
+---
+
+## Task 3: Read-only Authentik token (Terraform)
+
+**Files:** Create `infra/stacks/authentik/t3-provision-token.tf`
+
+- [ ] **Step 1: Write the resources** (service account + API token + view permissions)
+
+```hcl
+# Read-only service account whose token the devvm provisioner uses to list
+# "T3 Users" members. View-only: it can read users + groups, nothing else.
+resource "authentik_user" "t3_provision" {
+  username = "t3-provision-bot"
+  name     = "T3 Provision (read-only)"
+  type     = "service_account"
+  path     = "service-accounts"
+}
+
+resource "authentik_token" "t3_provision" {
+  identifier   = "t3-provision-readonly"
+  user         = authentik_user.t3_provision.id
+  intent       = "api"
+  description  = "devvm t3-provision-users: read T3 Users membership"
+  retrieve_key = true
+}
+
+# Global view permissions for the service account (users + groups read only).
+resource "authentik_rbac_permission_user" "t3_provision_view_user" {
+  user       = authentik_user.t3_provision.id
+  permission = "authentik_core.view_user"
+}
+
+resource "authentik_rbac_permission_user" "t3_provision_view_group" {
+  user       = authentik_user.t3_provision.id
+  permission = "authentik_core.view_group"
+}
+
+output "t3_provision_token" {
+  value     = authentik_token.t3_provision.key
+  sensitive = true
+}
+```
+
+- [ ] **Step 2: Apply** (claim first)
+
+```bash
+~/code/scripts/presence claim stack:authentik --purpose "v2: read-only t3-provision token"
+export VAULT_ADDR=https://vault.viktorbarzin.me && vault login -method=oidc
+cd /home/wizard/code/infra/stacks/authentik && ../../scripts/tg apply -target=authentik_user.t3_provision -target=authentik_token.t3_provision -target=authentik_rbac_permission_user.t3_provision_view_user -target=authentik_rbac_permission_user.t3_provision_view_group --non-interactive
+```
+Expected: 4 added. (If the `authentik_rbac_permission_user` resource/permission codename differs in the installed provider, run `../../scripts/tg console` / check the provider docs and adjust the codename; verify in Step 3.)
+
+- [ ] **Step 3: Store the token in Vault + verify it is read-only**
+
+```bash
+TOK=$(../../scripts/tg output -raw t3_provision_token)
+vault kv patch secret/authentik t3_provision_token="$TOK"
+# verify: can LIST T3 Users members...
+curl -sk -H "Authorization: Bearer $TOK" "https://authentik.viktorbarzin.me/api/v3/core/users/?groups_by_name=T3%20Users" | jq -r '.results[].email'
+# ...but CANNOT write (expect 403):
+curl -sk -o /dev/null -w '%{http_code}\n' -X PATCH -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' -d '{"name":"x"}' "https://authentik.viktorbarzin.me/api/v3/core/users/14/"
+```
+Expected: the three emails listed; the PATCH returns `403`.
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add stacks/authentik/t3-provision-token.tf
+git commit -m "workstation: read-only Authentik token for the t3-provision membership query"
+```
+
+---
+
+## Task 4: setup-devvm.sh — stage the token for the root provisioner
+
+**Files:** Modify `infra/scripts/workstation/setup-devvm.sh`
+
+- [ ] **Step 1: Add a token-staging step** (after step 6, before the final `log "OK"`). The hourly provisioner runs as root with no Vault token, so `setup-devvm.sh` (run by wizard, who can read Vault) drops it to a root-only file.
+
+```bash
+# 8) stage the read-only Authentik token for the root provisioner's membership query.
+if command -v vault >/dev/null; then
+  export VAULT_ADDR="${VAULT_ADDR:-https://vault.viktorbarzin.me}"
+  if tok="$(vault kv get -field=t3_provision_token secret/authentik 2>/dev/null)"; then
+    install -m 0600 /dev/stdin /etc/t3-serve/authentik-token <<<"$tok"
+    log "staged /etc/t3-serve/authentik-token (read-only Authentik API)"
+  else
+    log "WARN: t3_provision_token not in Vault -> Authentik membership query will be skipped"
+  fi
+fi
+```
+
+- [ ] **Step 2: Run + verify**
+
+Run: `sudo bash /home/wizard/code/infra/scripts/workstation/setup-devvm.sh 2>&1 | grep -E 'authentik-token|OK'` then `sudo stat -c '%a %U' /etc/t3-serve/authentik-token`
+Expected: "staged ... authentik-token" + `OK`; perms `600 root`.
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add scripts/workstation/setup-devvm.sh
+git commit -m "workstation: setup-devvm.sh stages the read-only Authentik token (root-only)"
+```
+
+---
+
+## Task 5: Provisioner — source members from Authentik (replace roster.yaml)
+
+**Files:** Modify `infra/scripts/t3-provision-users.sh`
+
+- [ ] **Step 1: Add a members-fetch + swap the engine call.** Replace the roster-read/derive block. Fetch members from Authentik (best-effort); build the members JSON `[{email, os_user}]`; pass to the engine via a new `--members-json` mode on `derive`.
+
+First extend the engine CLI (`roster_engine.py` `_main`): add `derive-members` that reads a members JSON + ports JSON + admin emails and emits the same desired-state JSON.
+
+```python
+# in _main(), add a subparser:
+    pm = sub.add_parser("derive-members", help="desired state from an Authentik member list")
+    pm.add_argument("--members-json", required=True)
+    pm.add_argument("--ports-json", required=True)
+    pm.add_argument("--admin-emails", default="", help="comma-separated admin emails")
+    # ...in the dispatch:
+    if args.cmd == "derive-members":
+        with open(args.members_json, encoding="utf-8") as fh:
+            members = json.load(fh)
+        with open(args.ports_json, encoding="utf-8") as fh:
+            ports = json.load(fh)
+        admins = {e for e in args.admin_emails.split(",") if e}
+        ds = derive_desired_state(roster_from_members(members, admins), ports)
+        json.dump(_desired_state_to_dict(ds), sys.stdout, indent=2, sort_keys=True)
+        sys.stdout.write("\n")
+        return 0
+```
+
+In `t3-provision-users.sh`, replace the `ROSTER`/validate/derive section with:
+
+```bash
+AUTHENTIK_URL="${AUTHENTIK_URL:-https://authentik.viktorbarzin.me}"
+TOKEN_FILE="${TOKEN_FILE:-/etc/t3-serve/authentik-token}"
+T3_GROUP="${T3_GROUP:-T3 Users}"
+ADMIN_EMAILS="${WORKSTATION_ADMIN_EMAILS:-vbarzin@gmail.com}"
+
+members_file="$(mktemp)"; trap 'rm -f "$ports_file" "$members_file" "${desired_file:-}"' EXIT
+if [[ -r "$TOKEN_FILE" ]]; then
+  tok="$(cat "$TOKEN_FILE")"
+  if curl -sf -H "Authorization: Bearer $tok" --get \
+        --data-urlencode "groups_by_name=$T3_GROUP" \
+        "$AUTHENTIK_URL/api/v3/core/users/" \
+      | jq -c '[.results[] | select(.is_active) | {email: .email, os_user: (.attributes.os_user // null)}]' \
+      > "$members_file" && [[ -s "$members_file" ]]; then
+    :
+  else
+    log "WARN: Authentik membership query failed -> no membership change this run"; echo '[]' > "$members_file"
+    SKIP_RECONCILE=1
+  fi
+else
+  log "WARN: $TOKEN_FILE absent -> no membership change this run"; echo '[]' > "$members_file"; SKIP_RECONCILE=1
+fi
+
+if [[ "${SKIP_RECONCILE:-0}" == 1 ]]; then log "reconcile skipped (no Authentik membership)"; exit 0; fi
+
+desired_file="$(mktemp)"
+python3 "$ENGINE" derive-members --members-json "$members_file" --ports-json "$ports_file" --admin-emails "$ADMIN_EMAILS" > "$desired_file"
+jq -e . "$desired_file" >/dev/null || { echo "[t3-provision] derive-members produced invalid JSON" >&2; exit 1; }
+```
+
+(Keep steps 4-6 of the existing script — accounts/groups/clone/kubeconfig, .env/enable, regen map/dispatch — unchanged; they consume `$desired_file`.)
+
+- [ ] **Step 2: shellcheck + DRY_RUN** (with the staged token present)
+
+Run: `cd /home/wizard/code/infra/scripts && shellcheck -S warning t3-provision-users.sh && sudo DRY_RUN=1 bash t3-provision-users.sh 2>&1 | grep -iE 'clone|kubeconfig|reconcile|WARN'`
+Expected: shellcheck clean; dry-run lists the current members, no account creations (all exist), "reconcile complete (DRY-RUN)".
+
+- [ ] **Step 3: Real run + verify it reproduces current state**
+
+Run: `sudo jq -S . /etc/t3-serve/dispatch.json > /tmp/d1; sudo DRY_RUN=0 bash t3-provision-users.sh >/dev/null 2>&1; sudo jq -S . /etc/t3-serve/dispatch.json > /tmp/d2; diff /tmp/d1 /tmp/d2 && echo SAME; id -nG emo`
+Expected: `SAME` (dispatch content unchanged); emo groups unchanged. Redeploy: `sudo install -m0755 t3-provision-users.sh /usr/local/bin/t3-provision-users`.
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add scripts/t3-provision-users.sh scripts/workstation/roster_engine.py scripts/workstation/test_roster_engine.py
+git commit -m "workstation: provisioner sources members from Authentik T3 Users (replaces roster.yaml)"
+```
+
+---
+
+## Task 6: Authentik — Authentik-managed membership + legacy os_user attributes
+
+**Files:** Modify `infra/stacks/authentik/t3-users.tf`; set user attributes via API.
+
+- [ ] **Step 1: Set the legacy os_user attributes** (the 3 existing accounts don't derive from their emails). Read-merge-write so existing attributes are preserved (Authentik PATCH replaces the `attributes` dict).
+
+```bash
+export VAULT_ADDR=https://vault.viktorbarzin.me
+TOK=$(vault kv get -field=tf_api_token secret/authentik)
+A=https://authentik.viktorbarzin.me/api/v3
+set_os_user() {  # $1=username  $2=os_user
+  local pk attrs
+  pk=$(curl -sk -H "Authorization: Bearer $TOK" "$A/core/users/?username=$1" | jq '.results[0].pk')
+  attrs=$(curl -sk -H "Authorization: Bearer $TOK" "$A/core/users/$pk/" | jq -c --arg o "$2" '.attributes + {os_user:$o}')
+  curl -sk -X PATCH -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' \
+    -d "{\"attributes\":$attrs}" "$A/core/users/$pk/" | jq -r '.username + " os_user=" + .attributes.os_user'
+}
+set_os_user "vbarzin@gmail.com" wizard
+set_os_user "emil.barzin@gmail.com" emo
+set_os_user "ancaelena98@gmail.com" ancamilea
+```
+Expected: three lines confirming `os_user=` each.
+
+- [ ] **Step 2: Drop the HCL `users` list** so membership is Authentik-managed. Edit `t3-users.tf`: remove the `users = [...]` argument from `resource "authentik_group" "t3_users"` (keep the `data "authentik_user"` lookups removed too if now unused). Leave the group resource (name only).
+
+```hcl
+resource "authentik_group" "t3_users" {
+  name = "T3 Users"
+  # Membership is managed in Authentik (UI/API), not Terraform — the devvm
+  # provisioner reconciles workstation accounts from this group's members.
+}
+```
+
+- [ ] **Step 3: Apply + verify members unchanged**
+
+```bash
+cd /home/wizard/code/infra/stacks/authentik && ../../scripts/tg apply -target=authentik_group.t3_users --non-interactive
+curl -sk -H "Authorization: Bearer $TOK" "$A/core/groups/?search=T3%20Users" | jq -r '.results[0].users_obj[].username'
+```
+Expected: apply shows the group updated (no member change / the `users` field no longer managed); the 3 members still listed.
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add stacks/authentik/t3-users.tf
+git commit -m "workstation: T3 Users membership is Authentik-managed (drop HCL member list)"
+```
+
+---
+
+## Task 7: Retire roster.yaml + update docs
+
+**Files:** Delete `infra/scripts/workstation/roster.yaml`; modify `service-catalog.md`, `multi-tenancy.md`.
+
+- [ ] **Step 1: Confirm nothing reads roster.yaml anymore**
+
+Run: `grep -rn 'roster.yaml\|roster_engine.*roster\b' /home/wizard/code/infra/scripts /home/wizard/code/infra/docs | grep -v 'load_roster\|test_\|design.md\|-plan.md'`
+Expected: no live references in the provisioner (the engine keeps `load_roster` for tests, that's fine).
+
+- [ ] **Step 2: Delete it + update the service-catalog t3code row** — change "Source of truth = roster.yaml" to "Source of truth = the Authentik `T3 Users` group (members → accounts via the read-only API token); `os_user` from the email or a per-user `os_user` attribute". Update the multi-tenancy Workstation section's "single source of truth" line likewise.
+
+```bash
+git rm scripts/workstation/roster.yaml
+# (edit service-catalog.md + multi-tenancy.md per above)
+```
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add scripts/workstation/roster.yaml .claude/reference/service-catalog.md docs/architecture/multi-tenancy.md
+git commit -m "workstation: retire roster.yaml — Authentik T3 Users group is the membership SSoT"
+```
+
+---
+
+## Task 8: End-to-end smoke (add + remove a throwaway member)
+
+- [ ] **Step 1: Add a throwaway test member** to `T3 Users` in Authentik (a test user, or temporarily add an existing one), set no `os_user` attribute. Run `sudo /usr/local/bin/t3-provision-users` and confirm an account `<derived>` is created (`id <derived>`), with a locked `~/code` (secret file shows `GITCRYPT`) and `~/.kube/config`.
+- [ ] **Step 2: Remove the test member** from the group; run the reconcile; confirm they drop out of `/etc/ttyd-user-map` + `dispatch.json` (the reversible cut). Leave `userdel` to the gated offboarding runbook.
+- [ ] **Step 3: Verify the 3 real users are intact** — `id emo` (groups unchanged), emo/ancamilea/wizard still in `dispatch.json`, their `t3-serve@` active, emo's locked clone + ancamilea's intact.
+
+---
+
+## Self-review
+
+- **Spec coverage:** Authentik-as-SSoT (Tasks 5,6) · email identity + os_user derive/override (Tasks 1,6) · provisioner reads the API (Task 5) · read-only token for the root timer (Tasks 3,4) · roster.yaml retires (Task 7) · k8s_users/cluster untouched (no task touches it) · wizard special-cased (admin_emails, Task 2). All covered.
+- **Type consistency:** `derive_os_user(email, os_user_attr)` and `roster_from_members(members, admin_emails)` used consistently; `members` dicts are `{email, os_user}`; reuses the existing `User`/`Roster`/`derive_desired_state`/`DesiredState`.
+- **apiserver-OIDC:** out of scope here (kubectl auth method only) — flagged in the design; the generic kubeconfig task is unchanged from v1.
+- **Open risk:** the `authentik_rbac_permission_user` resource name / permission codenames may differ in the installed provider version (Task 3) — Step 3 verifies read-works/write-403 and says to adjust if needed.
diff --git a/docs/plans/2026-06-11-breakglass-ssh-redesign-design.md b/docs/plans/2026-06-11-breakglass-ssh-redesign-design.md
new file mode 100644
index 00000000..d555d971
--- /dev/null
+++ b/docs/plans/2026-06-11-breakglass-ssh-redesign-design.md
@@ -0,0 +1,73 @@
+# Break-glass SSH — Redesign
+
+- **Date**: 2026-06-11
+- **Status**: Implemented
+- **Owner**: Viktor
+- **Supersedes**: `2026-05-30-breakglass-ssh-access-{design,plan}.md` (port-knock design)
+- **As-built runbook**: `docs/runbooks/breakglass-ssh.md`
+
+## Why redesign
+
+The 2026-05-30 design gated a key-only SSH port on the Proxmox host behind a UDP
+**port-knock** (knockd). It caused a real lockout, for a structural reason:
+
+- The knock sequence was 3 random ports stored **only** in Vault, and the client
+  helper fetched it from Vault at connect time.
+- **Vault is in-cluster** and not publicly reachable (Wave-1 policy). In the
+  exact scenario break-glass exists for — away from home, cluster/tunnels down —
+  the knock sequence is unreachable and unmemorable. Circular dependency.
+
+The knock's only benefit was hiding an already brute-force-proof port; its cost
+was that fragility. For a *recovery* path, robustness beats stealth.
+
+## Decision
+
+**Plain key-only SSH to the Proxmox host on `:52222`, openly reachable, no knock.**
+Hardened with: the exposed port trusts only a dedicated break-glass key
+(`Match LocalPort`), per-source connection rate-limiting (iptables hashlimit),
+and fail2ban. Scenario covered: *cluster + tunnels down, host + pfSense + router
+up* (the common "I'm away and need in" case — confirmed with Viktor; deeper
+"pfSense wedged" / "host down" tiers are explicitly out of scope).
+
+Alternatives considered and rejected: keeping the knock (fragile, circular);
+Tailscale-on-pfSense (briefly chosen, then dropped — reintroduces the upstream
+dependency Headscale is self-hosted to avoid, and the user preferred a
+self-contained stock-ssh path); WireGuard road-warrior (needs a client, and the
+self-contained SSH path was preferred).
+
+## Components
+
+| Layer | Change | Source of truth |
+|---|---|---|
+| sshd | dual-port `:22` (LAN, all keys) + `:52222` (WAN, break-glass key only via `Match LocalPort`, terminated by `Match all`); key-only everywhere | `scripts/sshd-10-breakglass.conf` |
+| host firewall | `BREAKGLASS` chain: `:52222` rate-limited per source, LAN bypass; replaced the knock-gated default-DROP | `scripts/breakglass-firewall.sh` (+ `breakglass-firewall.service`) |
+| fail2ban | jail fixed for Debian 13 (`journalmatch` by unit, not `_COMM=sshd`, else it never bans), bans on `:22`+`:52222` | `scripts/fail2ban-breakglass-sshd.local` |
+| knockd | **removed** (package purged, config deleted) | — |
+| edge router | `breakglass-ssh` WAN tcp/52222 → 192.168.1.127:52222; **removed** legacy Synology SSH forward (ext 3333 → .13:22) | manual (live device) |
+| Vault | `breakglass_ssh_{pub,priv}key` retained; `breakglass_knock_sequence` now dead | `secret/viktor` |
+
+## Edge-router constraints discovered (TP-Link AX6000)
+
+- **No port remapping** — external port must equal internal port (rejects e.g.
+  `22 → 52222` as a "conflict"). All forwards are ext==int; hence `:52222` both
+  sides.
+- **Port 22 is reserved** — `22 → 22` is also refused. Break-glass cannot use 22
+  (Viktor's initial preference); `:52222` is the landed port.
+- **Row delete is immediate** (no confirm dialog).
+
+## Security posture
+
+- **Brute force: impossible** (key-only, no password).
+- **Scannable: yes** — deliberate, documented Wave-1 exception (`security.md`).
+- **Residual risks:** sshd 0-day during exposure (mitigate: patch, rate-limit,
+  fail2ban, low MaxAuthTries); break-glass key theft (revoke by removing the
+  `authorized_keys.breakglass` line). Logins are audited (PVE ships sshd auth +
+  snoopy execve to Loki).
+
+## Verification (2026-06-11)
+
+- `:52222` reachable; break-glass key authenticates (`root@pve`).
+- Non-break-glass keys **rejected** on `:52222` (Match isolation works).
+- `:22` LAN admin unaffected (Match all reset confirmed — global root login intact).
+- Full WAN path: `ssh -p 52222 <WAN-IP>` with the break-glass key → `root@pve`.
+- knockd gone; fail2ban jail matches Debian 13 `sshd-session` lines.
diff --git a/docs/plans/2026-06-21-eso-0.12-to-2.x-migration-design.md b/docs/plans/2026-06-21-eso-0.12-to-2.x-migration-design.md
new file mode 100644
index 00000000..64a28d1c
--- /dev/null
+++ b/docs/plans/2026-06-21-eso-0.12-to-2.x-migration-design.md
@@ -0,0 +1,243 @@
+# External Secrets Operator: 0.12.1 → 2.6.0 Migration (v1beta1 → v1) — Design Doc
+
+> **Status:** ✅ **COMPLETE (2026-06-22).** ESO at chart/app **2.6.0**; all 104 ExternalSecrets + 2 ClusterSecretStores on `external-secrets.io/v1`; 109 ESs SecretSynced (2 pre-existing dead); compat-gate now returns `OK: cluster is safe to upgrade to 1.35.6` (EXIT 0) — the last k8s-1.35 blocker is cleared. Executed Phase 1 (climb to 0.16.2) → Phase 2 (v1 rewrite, validated GC-survival on tandoor) → Phase 3 (climb 0.16.2→2.6.0 across the 0.17 cutoff, ES sync held at 109 every hop). Side-finding fixed: repo-wide stale `.terraform.lock.hcl` files (missing gavinbunney/kubectl + telmate/proxmox from the generated providers.tf) had broken `terragrunt apply` for ~28 stacks (this is what failed CI pipeline 332) — reconciled via `init -upgrade` + committed.
+> **Scope:** Upgrade the ESO Helm chart `0.12.1` (app `v0.12.1`) to `2.6.0` (app `v2.6.0`) and migrate every `external-secrets.io/v1beta1` custom resource to `external-secrets.io/v1`.
+> **Owner:** Viktor Barzin. **Author:** Claude (research + design only — no changes applied).
+>
+> **EXECUTION CORRECTION + STATUS (2026-06-21 — "let's do the ESO migration"):** The cluster is already on **k8s 1.34.9** (all 7 nodes), NOT ≤1.31 as §4.3 assumed. ESO 0.12 runs fine on 1.34 (the support-matrix bands are conservative *tested* ranges, not hard limits). **The entire ESO climb 0.12→2.6 therefore happens on k8s 1.34 — there is NO k8s interleave; IGNORE the "advance k8s to 1.32/1.33" steps in §4.3 / Phase 1 / Phase 3.** Only AFTER ESO reaches 2.x does the nightly version-check chain take k8s 1.34→1.35 (gate clears). Exact hop sequence (latest patch per minor): **0.13.0 → 0.14.4 → 0.15.1 → 0.16.2** [rewrite all 104 CRs to `v1` here] → **0.17.0 → 0.18.2 → 0.19.2 → 0.20.4 → 1.0.0 → 1.1.1 → 1.2.1 → 1.3.2 → 2.0.1 → 2.1.0 → 2.2.0 → 2.3.0 → 2.4.1 → 2.5.0 → 2.6.0**. Pre-flight done: CRD `storedVersions` are `["v1beta1"]` only (no v1alpha1 patch needed).
+>
+> **EXECUTION LOG:**
+> - **✅ Phase 1 DONE (2026-06-21):** ESO climbed 0.12.1 → 0.13.0 → 0.14.4 → 0.15.1 → **0.16.2**, one hop at a time, each applied + verified (controller healthy; 108 live ExternalSecrets stayed SecretSynced; 2 pre-existing dead — `instagram-poster/instagram-poster-secrets` False since 2026-05-10, `payslip-ingest/payslip-ingest-secrets` False since 2026-04-25, both missing Vault data, untouched). Added `atomic=true` + `timeout=600` to the helm_release. At 0.16.2 **both `v1beta1` and `v1` are served** (110 each) and `storedVersions = ["v1beta1","v1"]`. Committed (`eso: Phase 1 …`); state auto-committed per hop by `scripts/tg`.
+> - **⏳ Phase 2 PENDING — findings confirmed (decisive for execution):** (a) bumping a `kubernetes_manifest` ExternalSecret's apiVersion v1beta1→v1 **forces a REPLACE** (verified live on instagram-poster: `-/+ must be replaced`), NOT in-place. (b) Our ExternalSecrets use **`creationPolicy=Owner`** (default; confirmed on nextcloud) → target Secrets carry an ownerReference, so the replace's delete step can **cascade-GC the Secret** before ESO recreates it. → **Phase 2 must be done carefully, NOT a blind bulk apply:** (1) snapshot ALL target Secrets first (backstop); (2) **empirically validate on the FIRST live stack** — migrate one ES while watching its target Secret; ESO re-syncs the identical spec fast and should re-adopt before GC, but confirm before proceeding; (3) then the per-stack two-phase `-target`-then-full apply (the 15 plan-time-coupled stacks need `-target` first). If validation shows GC wins, pivot to `state rm` + `import {}` (adopts the already-v1-served object with zero delete → zero GC). Repo is clean at v1beta1 (the lone test edit was reverted, never applied).
+> - **Phase 3 PENDING:** hops 0.17.0 → 0.18.2 → 0.19.2 → 0.20.4 → 1.0.0 → 1.1.1 → 1.2.1 → 1.3.2 → 2.0.1 → 2.1.0 → 2.2.0 → 2.3.0 → 2.4.1 → 2.5.0 → 2.6.0 (all on k8s 1.34, CRs already v1). Crossing **0.17 is the point of no return**.
+
+---
+
+## 1. Goal & why
+
+ESO is the **last remaining compatibility gate blocking the autonomous k8s 1.35 upgrade** (Kyverno was cleared to 1.18.1 earlier today). The installed ESO `0.12.x` supports only Kubernetes **1.19 → 1.31** ([support matrix](https://external-secrets.io/latest/introduction/stability-support/)); the k8s-version-check chain will refuse to advance the cluster past 1.31 while ESO sits at 0.12. The `2.x` series supports **k8s 1.34–1.35**, which clears the gate.
+
+The hard part is not the chart bump itself — it is that **ESO removed the `external-secrets.io/v1beta1` API**, and every one of our ExternalSecret / ClusterSecretStore resources is currently declared `v1beta1`. If we upgrade past the removal version without first rewriting the manifests to `v1`, ESO stops reconciling and synced Secrets go stale (apps keep their last-good Secret, but rotations and new secrets break).
+
+**Downtime tolerance:** brief, recoverable downtime of the ESO *controller* is acceptable. What must NOT happen is loss/corruption of the downstream Kubernetes `Secret` objects that apps mount (DB creds, API keys). Those must survive continuously.
+
+---
+
+## 2. Current state
+
+### 2.1 Versions
+| Component | Current | Target |
+|---|---|---|
+| Helm chart `external-secrets` | **0.12.1** | **2.6.0** |
+| App / controller image | **v0.12.1** | **v2.6.0** |
+| API version of all CRs | **`external-secrets.io/v1beta1`** | **`external-secrets.io/v1`** |
+| Repo: `https://charts.external-secrets.io` | (unchanged) | (unchanged) |
+
+ESO stack: `stacks/external-secrets/main.tf`. `helm_release.external_secrets` pins `version = "0.12.1"`, namespace `external-secrets` (separate `kubernetes_namespace` resource, not `create_namespace`), and the **only** chart value set is `installCRDs = true` (via `yamlencode({ installCRDs = true })`). No webhook/replica/resource overrides.
+
+### 2.2 Inventory (live, from `stacks/`)
+| Kind | Count | apiVersion | Where |
+|---|---|---|---|
+| **ExternalSecret** (`kubernetes_manifest`) | **104** | all `v1beta1` (0 mismatches) | 73 `.tf` files |
+| **ClusterSecretStore** (definitions) | **2** | both `v1beta1` | `stacks/external-secrets/main.tf` |
+| SecretStore | 0 | — | — |
+| PushSecret | 0 | — | — |
+| ClusterExternalSecret | 0 | — | — |
+
+- **Only ONE apiVersion string exists in the whole tree:** `external-secrets.io/v1beta1` (106 occurrences = 104 ExternalSecret + 2 ClusterSecretStore). Zero `v1`, zero `v1alpha1`. → a clean single-target rewrite.
+- **`secretStoreRef` split:** 78 ExternalSecrets → `vault-kv`, 26 → `vault-database` (78 + 26 = 104). The `kind = "ClusterSecretStore"` string also appears inside every `secretStoreRef`, so a naive `grep 'kind = "ClusterSecretStore"'` returns 106 — only **2** are real store definitions.
+- **22 files carry >1 ExternalSecret** (max: `stacks/fire-planner/main.tf` = 5; then wealthfolio / real-estate-crawler / phpipam / payslip-ingest / n8n / job-hunter / ebooks = 3 each; 13 files = 2). The 104-vs-73 gap is these multi-secret files.
+- **Nested-module ExternalSecrets** (easy to miss when scripting the bump): `stacks/instagram-poster/modules/instagram-poster/main.tf`, `stacks/postiz/modules/postiz/main.tf`, `stacks/technitium/modules/technitium/main.tf`, `stacks/mailserver/modules/mailserver/main.tf`, `stacks/monitoring/modules/monitoring/grafana.tf`, `stacks/proxmox-csi/modules/proxmox-csi/main.tf`.
+- **Docs are STALE:** `.claude/CLAUDE.md` says "43 ExternalSecrets + 9 DB-creds". Live count is **104 ExternalSecrets / 73 files / 26 db-refs**. Fix in the migration PR.
+
+### 2.3 The two ClusterSecretStores (`stacks/external-secrets/main.tf`)
+Both `kubernetes_manifest`, both `external-secrets.io/v1beta1`, both `depends_on = [helm_release.external_secrets]`:
+- **`vault-kv`** → Vault KV **v2** at `path = "secret"`, server `http://vault-active.vault.svc.cluster.local:8200`, auth `kubernetes` mount `kubernetes`, role `eso`, SA `external-secrets/external-secrets`.
+- **`vault-database`** → identical except `path = "database"`, **`version = "v1"`** (Vault DB engine, KV-v1-style).
+
+ESO's Vault auth role `eso` (`stacks/vault/main.tf:486-511`): policy `eso-reader` (`secret/data/*` read+list, deny `secret/data/vault`, `database/static-creds/*` read), `token_ttl = token_period = 864000` (10d, periodic/auto-renew).
+
+### 2.4 Tier-0 / state
+ESO is **Tier-0 (bootstrap)** (`.claude/CLAUDE.md` "Terraform State — Two-Tier Backend"; root `terragrunt.hcl` `tier0_stacks = ["infra","platform","cnpg","vault","dbaas","external-secrets"]`). Tier-0 ⇒ **local SOPS-encrypted state in git** (`state/stacks/external-secrets/terraform.tfstate`), NOT the PG backend. Workflow: `git pull` → `scripts/tg plan` → `scripts/tg apply` → `git push`; SOPS decrypt via Vault Transit (primary) → age fallback. **Tier-0 must apply before PG is reachable**, so the ESO upgrade cannot depend on PG.
+
+### 2.5 Provider versions (`stacks/external-secrets/providers.tf`)
+- `required_providers` declares **only** `vault = hashicorp/vault, ~> 4.0`.
+- `provider "kubernetes"` and `provider "helm"` are declared **without version constraints** (resolve from root / `.terraform.lock.hcl`). The `helm` block already uses the **v3-style nested `kubernetes = {…}` argument** (not the legacy `kubernetes {}` block) ⇒ helm provider is **v3.x or v4.x** in the lockfile. **No `kubectl` provider** in this stack. No `required_version` pinned here.
+- ⚠️ **Verify the resolved helm provider version** in `.terraform.lock.hcl` before starting — the prompt referenced `~> 4.0` for helm; the *stack* only pins that for `vault`. Either way the v3-syntax helm block + an SDK-v3 provider is compatible with the chart (see §4.5).
+
+### 2.6 Plan-time coupling (the cross-cutting risk)
+**15 stacks read ESO-created Secrets at plan time** via `data "kubernetes_secret"` (avoids a Vault dependency at plan): `actualbudget, affine, changedetection, coturn, ebooks, fire-planner, freedify, freshrss, grampsweb, k8s-dashboard (dashboard_injector.tf), navidrome, owntracks, real-estate-crawler, servarr, technitium (modules/technitium)`.
+
+The documented **first-apply gotcha** (`.claude/CLAUDE.md`, `docs/architecture/secrets.md:360`, `stacks/fire-planner/main.tf:574`): the Secret must exist before the `data "kubernetes_secret"` plans, so on first creation you must `terragrunt apply -target=kubernetes_manifest.<external_secret>` first, then full apply. **Why this matters for the migration:** the `kubernetes_manifest` provider treats `apiVersion` as part of resource identity, so bumping `v1beta1`→`v1` **forces a replace** of all 104 ExternalSecrets. During replace there is a window where the new CR (and thus the synced Secret) may not yet be materialized when the same stack's `data "kubernetes_secret"` plans → the two-phase `-target` apply is needed **fleet-wide for the v1 rewrite step, not just fire-planner.**
+
+### 2.7 Vault DB rotation (rotation interplay)
+`stacks/vault/main.tf`: **25 `vault_database_secret_backend_static_role`, every one `rotation_period = 604800` (7 days)** (8 MySQL + 17 PostgreSQL static roles). ESO syncs these via `vault-database` → `remoteRef.key = "static-creds/<role>"`. Apps reading a rotated secret only at startup carry a Stakater Reloader annotation. **Implication:** any ESO controller downtime longer than the gap to the next rotation could leave a Secret stale across a rotation; keep controller downtime short and re-sync promptly.
+
+### 2.8 git-crypt landmine (adjacent, not in ESO stack)
+`.claude/CLAUDE.md:146` + `docs/architecture/ci-cd.md:108` + `stacks/kyverno/modules/kyverno/tls-secret-sync.tf`: on a **git-crypt-locked clone**, `kubernetes_secret.tls_secret` reads `secrets/fullchain.pem`/`privkey.pem` via `file()` which returns **ciphertext**, corrupting the wildcard TLS secret Kyverno clones cluster-wide. **The ESO stack itself has NO `file()` reads of git-crypt secrets** — so this landmine does not bite the ESO upgrade directly. It is listed here only as a guardrail: do not piggyback unrelated kyverno applies during this work, and run all applies from an **unlocked** checkout.
+
+---
+
+## 3. Target
+
+- Helm chart **`external-secrets` 2.6.0** (app **v2.6.0**), repo `https://charts.external-secrets.io`.
+- All ExternalSecret + ClusterSecretStore CRs on **`external-secrets.io/v1`**.
+- Cluster ESO compatible with **k8s 1.34–1.35** ⇒ unblocks the autonomous 1.35 upgrade.
+
+---
+
+## 4. Key findings (the decisive facts)
+
+> Sourced from ESO official docs + GitHub release notes; verbatim quotes below.
+
+### 4.1 Chart version == app version (premise check)
+The chart version and app version are released **in lockstep and are the same number**. `Chart.yaml`: `version: 0.12.1 / appVersion: v0.12.1`; `version: 2.6.0 / appVersion: v2.6.0`. The app series ran `…0.20.4 → 1.0.0 → … → 2.0.0 → … → 2.6.0`. **Crucially, the `v1.0.0` and `v2.0.0` APP releases are NOT the `external-secrets.io/v1` API** — `v1.0.0` is just "continuation after 0.20.4" (release diff `v0.20.4...v1.0.0`, no API change), and `v2.0.0`'s only breaking change is removing the unmaintained **Alibaba + Device42** providers (we use neither — only Vault). The API migration happened back at **0.16/0.17**. Source: [v1.0.0 notes](https://github.com/external-secrets/external-secrets/releases/tag/v1.0.0) · [v2.0.0 notes](https://github.com/external-secrets/external-secrets/releases/tag/v2.0.0).
+
+### 4.2 Version path: **NO skipping minors — step one minor at a time**
+Official policy, verbatim ([stability-support](https://external-secrets.io/latest/introduction/stability-support/)):
+> "**Upgrade version by version** — We strongly recommend upgrading one minor version at a time (e.g., 0.18.x → 0.19.x → 0.20.x) rather than skipping versions."
+
+Maintainer (issue [#4785](https://github.com/external-secrets/external-secrets/issues/4785), @gusfcarvalho): *"We are pre release… Every minor bump should be treated as a major bump until we go 1.0."* ⇒ **You CANNOT helm-upgrade 0.12.1 → 2.6.0 directly.** You must step each minor: `0.12 → 0.13 → 0.14 → 0.15 → 0.16 → 0.17 → 0.18 → 0.19 → 0.20 → 1.x → 2.x`.
+
+### 4.3 k8s ↔ ESO must advance roughly in lockstep
+Each ESO release targets a **narrow** k8s band ([support matrix](https://external-secrets.io/latest/introduction/stability-support/)):
+
+| ESO | k8s band |
+|---|---|
+| 0.12.x | 1.19 → 1.31 |
+| 0.16.x | 1.32 |
+| 0.17.x | 1.33 |
+| 2.0 – 2.5 | 1.34 – 1.35 |
+| 2.6 (latest) | (matrix row not yet appended; 2.x band is consistently 1.34–1.35 — see Open Questions) |
+
+**This is the single most important sequencing constraint.** ESO doesn't "support only ≤ its max k8s" in a wide range — older ESO may not run cleanly on a *much newer* k8s either. The bands imply the ESO upgrade and the k8s upgrade need to be **interleaved**, not "finish ESO, then bump k8s in one jump." Practical reading: the cluster is currently on k8s ≤1.31 (ESO 0.12 blocks past it). The 0.16/0.17 steps want k8s 1.32/1.33; the 2.x steps want 1.34/1.35. So this is a **coordinated ESO+k8s climb**, e.g. ESO→0.16 alongside k8s→1.32, ESO→0.17 alongside k8s→1.33, then ESO→2.x alongside k8s→1.34→1.35. (The k8s climb is itself sequential via the version-check chain; this doc focuses on the ESO half but flags the coupling — see Open Questions for who drives the interleave.)
+
+### 4.4 API migration: **must rewrite manifests to `v1` FIRST — there is NO v1beta1→v1 conversion webhook**
+- **`external-secrets.io/v1` promoted to STORAGE version: v0.16.0.** v0.16.0 release notes "BREAKING CHANGES": *"Promotion of ExternalSecret/v1 and SecretStore/v1 and their cluster counterparts"* and *"Removal of Conversion Webhooks and …/v1alpha1…"*. From 0.16, **etcd stores `v1`**. Source: [v0.16.0 notes](https://github.com/external-secrets/external-secrets/releases/tag/v0.16.0).
+- **`external-secrets.io/v1beta1` STOPS BEING SERVED (hard cutoff): v0.17.0.** Verbatim ([v0.17.0 notes](https://github.com/external-secrets/external-secrets/releases/tag/v0.17.0)):
+  > "v0.17.0 Stops serving `v1beta1` apis. You need to update your manifests from `v1beta1` to `v1` prior to updating from `v0.16` to `v0.17`. The only change needed is upgrading your manifests to `v1` (i.e. removing the `beta1` from `v1beta1`). … Be sure to do that to all your manifests prior to bumping to `v0.17.0`! `v0.16.2` already supports `v1` so this process should be smooth."
+- **No v1beta1→v1 conversion webhook.** The only conversion webhook that ever existed was v1alpha1→v1beta1, **removed in 0.16**. Maintainer (issue [#5478](https://github.com/external-secrets/external-secrets/issues/5478), @gusfcarvalho): the post-0.16 "drift" is simply that etcd now stores v1 — *"This isn't really a conversion issue."* ⇒ **old v1beta1 manifests do NOT keep working past 0.17 via any auto-conversion.**
+  - **Verdict: MUST-REWRITE-FIRST.** Rewrite all CRs to `v1` while on **0.16.x** (which serves *both* v1beta1 and v1), then upgrade to 0.17. Real-world confirmation (issue [#4785](https://github.com/external-secrets/external-secrets/issues/4785), @Dutchy-): *"I was able to change v1beta1 to v1 on 0.16 without issues. After that I was able to upgrade to 0.17."*
+  - There is a deprecated escape hatch in chart 2.6.0 — `unsafeServeV1Beta1: true` re-enables v1beta1 serving for stragglers — but its own values comment says *"This flag will be removed on 2026.05.01"* (i.e. **already past**, do not rely on it).
+- **Schema change is a PURE apiVersion string bump — ZERO field changes.** CRD `openAPIV3Schema` diff (v0.16.2 bundle, which serves both): ExternalSecret / SecretStore / ClusterSecretStore / ClusterExternalSecret have **byte-identical** spec field sets between v1beta1 and v1 (`{data, dataFrom, refreshInterval, refreshPolicy, secretStoreRef, target}` for ExternalSecret). Maintainer (issue #4785, @Skarlso): *"Just change your manifests to be v1 and upgrade… We don't have anything fancy that you need to do."* PushSecret only ever had `v1alpha1` (no v1beta1) — **unaffected** (we have 0 anyway).
+
+### 4.5 Helm chart values + CRD handling (0.12 → 2.6)
+- **No top-level values removed or renamed.** `values.yaml` diff 0.12.1↔2.6.0 is **additive only** (new keys: `enableHTTP2, extraInitContainers, genericTargets, grafanaDashboard, hostAliases, hostUsers, leaderElectionID, livenessProbe, openshiftFinalizers, processClusterGenerator, processClusterPushSecret, processSecretStore, readinessProbe, strategy, systemAuthDelegator, vault`). Our single value `installCRDs = true` survives.
+- **`installCRDs` still works** in 2.6.0 (defaults `true`, "install and upgrade CRDs through helm chart"). CRDs are **templated into the single `external-secrets` chart** and **upgraded by `helm upgrade`** automatically — there is **no separate CRDs subchart**, and no manual `kubectl apply` of CRDs is required by default. (Out-of-band bundle, if ever needed, lives at `deploy/crds/bundle.yaml` per release tag.) The only CRD-value change: `crds.conversion.enabled` defaults `true` in 0.12.1 (for the old v1alpha1 webhook) → `false` in 2.6.0 ("we stopped supporting v1alpha1"). We don't set it, so the new default is fine.
+- **CRD storedVersions bookkeeping (the one real pre-flight check):** v0.16.0 notes warn to ensure no CRD still lists `v1alpha1` in `.status.storedVersions` before/at 0.16, with a `kubectl patch` to set it to `["v1","v1beta1"]` if needed. This is CRD metadata hygiene, NOT secret deletion.
+- **Helm provider:** `Chart.yaml apiVersion: v2` (Helm 3 chart) in both 0.12.1 and 2.6.0; **no minimum Helm version declared** (only `kubeVersion: ">= 1.19.0-0"`). The Terraform helm provider on Helm SDK v3 (v3.x/v4.x) is compatible. **The 2.x chart does NOT require a newer helm provider than 0.12 did** — the v3-style helm block in `providers.tf` already satisfies it. (Still: pin/verify the resolved version in the lockfile; see Open Questions.)
+
+### 4.6 Data migration: **downstream Secrets survive**
+The synced Kubernetes `Secret` objects are **not deleted or force-resynced** by these upgrades. The change is an apiVersion bump on the *custom resources*, whose `spec` is schema-identical, so the controller keeps reconciling the same target Secrets. A controller restart triggers a normal **reconcile (re-assert, not delete)**. Caveat: no release note says verbatim "synced Secrets are preserved"; the conclusion is from (a) schema identity, (b) maintainers calling it "100% compatible" (issue #5478), (c) absence of any "secrets recreated/deleted" note. **Standard caution: snapshot/back up all ESO-created Secrets before the 0.16→0.17 step** (see §8 verification). Unrelated watch-item: v0.14.0 flagged a stateful-**generators** change — we use no generators, so N/A.
+
+---
+
+## 5. Migration strategy (ordered, do-this-then-that)
+
+> **Pre-reqs every step:** run from an **unlocked** infra checkout (git-crypt unlocked); `vault login -method=oidc`; ESO is **Tier-0** so use `scripts/tg plan` / `scripts/tg apply` against `stacks/external-secrets` and **`git push`** after each apply (SOPS state). Claim presence before each apply: `~/code/scripts/presence claim stack:external-secrets --purpose "ESO 0.12→2.x migration step N"`. Wait for the controller `Deployment` to roll out healthy before the next hop.
+
+### Phase 0 — Pre-flight (no changes)
+1. Confirm cluster k8s version and the version-check chain's current target; **coordinate with the k8s climb** (see §4.3 / Open Questions). Decide who drives the interleave.
+2. `kubectl get crd | grep external-secrets.io` and for each: `kubectl get crd <name> -o jsonpath='{.status.storedVersions}'` — confirm none still list `v1alpha1`. If any do, plan the `kubectl patch …/status storedVersions=["v1beta1"]` per the v0.16.0 note (do this *before* reaching 0.16).
+3. **Snapshot all ESO-managed Secrets** (rollback safety net):
+   `kubectl get externalsecrets -A` (record the 104) and `for ns/secret in <targets>: kubectl get secret -n <ns> <name> -o yaml > backup/<ns>-<name>.yaml`. Keep outside git-crypt or encrypt.
+4. Inspect `.terraform.lock.hcl` in `stacks/external-secrets` — record resolved `helm` + `kubernetes` provider versions. If helm provider < what 2.6.0 needs (it doesn't appear to need anything beyond SDK v3), bump the constraint as its own committed change first.
+5. Read `docs/architecture/secrets.md` + the fire-planner first-apply comment to re-confirm the `-target` pattern for the v1 rewrite step.
+
+### Phase 1 — Climb to 0.16.x (chart bump only, NO manifest change yet)
+ESO `0.16.x` is the **transition version** that serves *both* v1beta1 and v1. Climb to it one minor at a time, leaving all CRs as `v1beta1`:
+6. For `v` in `0.13.0, 0.14.0, 0.15.x, 0.16.2` (use latest patch of each minor): set `helm_release.external_secrets.version = "<v>"`, `scripts/tg plan` (expect: chart upgrade + CRD upgrade in place; **no `kubernetes_manifest` replacements** — apiVersion unchanged), `scripts/tg apply`, `git push`, wait for rollout, verify `kubectl get externalsecrets -A` all `SecretSynced=True`.
+   - **Interleave k8s as required:** before/at 0.16 the cluster should be on **k8s 1.32** (0.16 band). Advance k8s via the normal version-check chain to 1.32 around this point.
+   - Watch the **0.14.0** notes (generators) — N/A for us, but eyeball the plan diff anyway.
+7. **Land on 0.16.2 and STOP.** Verify both APIs are served: `kubectl get externalsecrets.v1.external-secrets.io -A` and `kubectl get externalsecrets.v1beta1.external-secrets.io -A` both work.
+
+### Phase 2 — Rewrite all 104 CRs + 2 stores to `v1` (while on 0.16.2)
+This is the MUST-DO-FIRST API migration, done in the safe window where both versions are served.
+8. **Mechanical rewrite** across `stacks/`: replace the apiVersion string `external-secrets.io/v1beta1` → `external-secrets.io/v1` in every ExternalSecret and ClusterSecretStore `kubernetes_manifest` (104 + 2 = 106 occurrences across 73 files, **including the 6 nested-module files** in §2.2). **No other field changes** (schema identical). Do this in a worktree, committed file-by-file.
+   - Leave `secretStoreRef.kind = "ClusterSecretStore"` (that's a kind reference, not an apiVersion — unaffected).
+9. **Two-phase apply because `kubernetes_manifest` replace + plan-time `data "kubernetes_secret"`:**
+   a. **Stores first:** `scripts/tg apply -target='kubernetes_manifest.css_vault_kv' -target='kubernetes_manifest.css_vault_db'` in `stacks/external-secrets` (they get replaced to v1; ESO still serves v1beta1 too, so in-flight ExternalSecrets keep syncing). `git push`.
+   b. **ExternalSecrets, per stack:** for each of the 73 stacks, `scripts/tg apply -target=kubernetes_manifest.<external_secret_name>` FIRST (materializes the replaced v1 CR + its Secret), THEN a full `scripts/tg apply` for that stack (lets the 15 plan-time `data "kubernetes_secret"` reads resolve against the now-existing Secret). The **15 plan-time-coupled stacks** (§2.6) absolutely need the `-target` first; the rest are lower-risk but follow the same pattern for safety. `git push` per stack (Tier-1 stacks use PG state; ESO stack is Tier-0).
+   - Because the spec is identical, the *replace* re-creates an identical CR; ESO reconciles and re-asserts the same target Secret (no value change) → apps keep their Secret throughout.
+10. **Verify the rewrite fully landed:** `grep -rc 'external-secrets.io/v1beta1' stacks/` returns **0**; `kubectl get externalsecrets -A -o jsonpath used to confirm all served as v1`; all `SecretSynced=True`; spot-check a rotated DB cred (e.g. `nextcloud-db-creds`) still valid.
+
+### Phase 3 — Cross the 0.17 cutoff, then climb to 2.6.0
+Only after Phase 2 is 100% applied (zero v1beta1 in repo AND in etcd):
+11. Bump chart `0.16.2 → 0.17.x`. `scripts/tg plan` (expect chart/CRD upgrade; **no manifest replacements** — already v1), apply, push, rollout, verify all synced. **k8s should be 1.33** (0.17 band) around here.
+12. Continue one minor at a time: `0.18.x → 0.19.x → 0.20.x → 1.0.0 → 1.x (latest) → 2.0.0 → … → 2.6.0`. At each: bump `version`, plan, apply, push, rollout, verify synced. **k8s reaches 1.34 then 1.35** across the 2.x steps.
+    - **At 2.0.0:** confirm the plan shows nothing odd from the Alibaba/Device42 provider removal (we use only Vault — should be a no-op).
+13. **Land on 2.6.0.** Verify: controller image `v2.6.0`, all 104 ExternalSecrets `SecretSynced=True`, both ClusterSecretStores `Valid=True`.
+
+### Phase 4 — Close the gate + docs
+14. Advance k8s to **1.35** via the version-check chain if not already; confirm the **compat-gate now lists ESO as compatible** and 1.35 is unblocked.
+15. Update `.claude/CLAUDE.md` Secrets Management section: correct counts (**104 ExternalSecrets / 73 files / 26 db-refs**), apiVersion now `v1`. Update `docs/architecture/secrets.md`. Commit as part of the work (audit trail).
+
+---
+
+## 6. Risks & mitigations
+
+| Risk | Likelihood | Mitigation |
+|---|---|---|
+| **Secret-sync outage → app DB/API auth failures** during controller restarts or the replace window | Med | Spec is identical so re-sync re-asserts the same value; keep each controller restart short; do Phase-2 replaces **per stack** (small blast radius); the 15 plan-time stacks use `-target` first so the Secret exists before dependents plan. Pre-step Secret snapshot (Phase 0.3) for instant restore. |
+| **Crossing 0.17 with any CR still v1beta1** → ESO stops reconciling those, secrets go stale | High if rushed | Phase 2 gate: `grep -rc v1beta1 stacks/` **must be 0** AND `kubectl get …v1beta1…` returns nothing live before Phase 3. Do not skip 0.16. |
+| **CRD removal/replace by helm dropping data** | Low | Chart manages CRDs in-place via `installCRDs=true` (upgrade, not delete-recreate); CRs are the data and they're untouched by a CRD *upgrade*. Snapshot anyway. Never `helm uninstall` (that can GC CRDs). |
+| **No conversion webhook safety net** (must-rewrite-first) | Certain (by design) | Whole strategy is built on rewriting at 0.16. The deprecated `unsafeServeV1Beta1` is already past its 2026-05-01 removal — do NOT rely on it. |
+| **`kubernetes_manifest` forces replace on apiVersion bump** → transient gap + plan-time read failures | High | Two-phase `-target` apply fleet-wide (Phase 2.9); identical spec ⇒ replacement CR is equivalent. |
+| **Vault 7-day DB rotation lands mid-migration** → a Secret stale across rotation if controller down | Med | Keep controller downtime < rotation gap; re-sync immediately after each hop; Reloader annotations already re-roll pods on Secret change; if a rotation is imminent, sequence the affected db stacks last and verify those creds explicitly. |
+| **git-crypt tls-secret-sync landmine** | Low (not in ESO stack) | ESO stack has no `file()` git-crypt reads; run from an **unlocked** checkout; do **not** piggyback kyverno applies during this work. |
+| **helm/k8s provider in lockfile too old for 2.x chart** | Low | Phase 0.4 verify; bump constraint as a separate committed change if needed (chart needs only Helm SDK v3, already satisfied). |
+| **k8s/ESO band mismatch** (e.g. ESO 0.12 on k8s 1.33) | Med | Interleave the climbs per §4.3; don't jump k8s far ahead of ESO or vice-versa. |
+| **Many small applies = long, error-prone session** | Med | Script the per-stack `-target`-then-full loop; checkpoint with `kubectl get externalsecrets -A` after each; the rewrite itself is a single `sed`-class change so low semantic risk. |
+
+---
+
+## 7. Rollback plan (per hop)
+
+- **During Phase 1 (chart climb, still v1beta1):** revert `version` to the previous minor in `stacks/external-secrets/main.tf`, `scripts/tg apply`, `git push`. Helm rolls the controller back; CRs unchanged. Clean.
+- **During Phase 2 (v1 rewrite, on 0.16.2):** 0.16.2 serves both APIs, so you can `git revert` the apiVersion-bump commits and re-apply — the CRs flip back to v1beta1 cleanly (both served). Secrets unaffected (identical spec). This is the **last point of easy rollback**.
+- **After Phase 3 (≥0.17, v1beta1 no longer served):** **rollback is HARD** — once etcd stores v1-only and the controller is ≥0.17, downgrading cannot re-serve v1beta1 and v1 objects can't be auto-converted back ([general guidance + maintainer position](https://github.com/external-secrets/external-secrets/issues/5478)). Treat **crossing 0.17 as the point of no return.** If you must recover: re-install 0.16.2 (serves both), restore CRs from the Phase-0 manifest snapshot, and restore Secrets from the Secret snapshot. This is a disaster-recovery path, not a routine rollback — hence the Phase-2 gate must be airtight.
+- **Always available:** the Phase-0.3 Secret backups let you `kubectl apply` the last-good Secret to keep an app authenticating while you fix ESO.
+
+---
+
+## 8. Verification
+
+**Per hop:**
+- `kubectl -n external-secrets get deploy,po` healthy; controller image tag == target.
+- `kubectl get externalsecrets -A` → all 104 `STATUS=SecretSynced` / `READY=True`.
+- `kubectl get clustersecretstores` → `vault-kv` + `vault-database` `Valid=True`.
+
+**After Phase 2 (v1 rewrite):**
+- `grep -rc 'external-secrets.io/v1beta1' stacks/` → **0**.
+- `kubectl get externalsecrets.v1beta1.external-secrets.io -A` → still served on 0.16 (sanity), but `kubectl get externalsecrets.v1.external-secrets.io -A` is the real check.
+- Spot-check a rotated DB cred end-to-end: e.g. `nextcloud-db-creds` value matches `vault read database/static-creds/mysql-nextcloud` and the app authenticates.
+
+**Final (2.6.0):**
+- Controller image `v2.6.0`; all ExternalSecrets synced; both stores valid.
+- Diff a sample of the 104 target Secrets against the Phase-0 backups → values unchanged (continuity proof).
+- App health: spot-check 3–4 high-value consumers (nextcloud, immich, grafana, a `vault-database` consumer) — pods running, no auth errors in logs.
+- **Compat-gate:** run the upgrade-state / k8s-version-check audit — ESO no longer flagged as a 1.35 blocker; k8s 1.35 upgrade proceeds.
+
+---
+
+## 9. Open questions
+
+1. **k8s/ESO interleave ownership.** §4.3 shows narrow per-version k8s bands (0.16→1.32, 0.17→1.33, 2.x→1.34-1.35). The cluster is currently ≤1.31. **Who drives the interleave** — does this migration also advance k8s step-by-step, or does the autonomous version-check chain advance k8s and we time ESO hops to it? Need the exact current k8s version and the chain's behavior when ESO is the only gate. (Decisive for sequencing Phases 1/3.)
+2. **2.6.0 ↔ k8s 1.35 explicit support.** The support matrix table currently ends at **2.5** (k8s 1.34-1.35). 2.6.0 exists on GitHub but the matrix row isn't appended yet; the whole 2.x band is consistently 1.34-1.35, so 2.6 on 1.35 is a *strong inference* not a quoted row. Confirm via `Chart.yaml` `kubeVersion` of 2.6.0 or a 2.6 release note before relying on it. ([matrix](https://external-secrets.io/latest/introduction/stability-support/))
+3. **Resolved helm provider version.** The stack only pins `vault ~> 4.0`; helm/k8s are unpinned (lockfile-resolved). Confirm the lockfile version and whether to pin it explicitly as part of this work. (Chart needs only Helm SDK v3 — likely a no-op, but verify.)
+4. **Intermediate-minor patch selection.** Use latest patch of each minor (0.13.x, 0.14.x, 0.15.x). Confirm 0.16.**2** specifically (the note says 0.16.2 already supports v1) vs a later 0.16 patch.
+5. **Per-stack apply automation.** 73 stacks × (target + full) apply is large. Acceptable to script a loop, or prefer manual per-stack with checkpoints? Some stacks have other in-flight drift that a full apply would also push — needs a clean-plan check per stack first.
+6. **Stateful generators / advanced features.** Confirmed we use none (0 SecretStore/PushSecret/ClusterExternalSecret/generators), so the v0.14 generator and v2.0 provider-removal breaking changes are N/A — but re-confirm no generator usage crept in before Phase 3.
+
+---
+
+## 10. Sources (decisive facts)
+
+- Skip-version policy + k8s support matrix: <https://external-secrets.io/latest/introduction/stability-support/>
+- `v1` promoted to storage version (0.16.0): <https://github.com/external-secrets/external-secrets/releases/tag/v0.16.0>
+- `v1beta1` removed / "rewrite manifests to v1 first" (0.17.0): <https://github.com/external-secrets/external-secrets/releases/tag/v0.17.0>
+- No conversion webhook / "not a conversion issue" (#5478): <https://github.com/external-secrets/external-secrets/issues/5478>
+- v1beta1↔v1 schema identical / "nothing fancy" (#4785): <https://github.com/external-secrets/external-secrets/issues/4785>
+- App v1.0.0 ≠ API v1: <https://github.com/external-secrets/external-secrets/releases/tag/v1.0.0>
+- v2.0.0 only removes Alibaba/Device42: <https://github.com/external-secrets/external-secrets/releases/tag/v2.0.0>
+- Chart 2.6.0 on ArtifactHub: <https://artifacthub.io/packages/helm/external-secrets-operator/external-secrets>
diff --git a/docs/plans/2026-06-21-t3-idle-migrate-design.md b/docs/plans/2026-06-21-t3-idle-migrate-design.md
new file mode 100644
index 00000000..46c43bfa
--- /dev/null
+++ b/docs/plans/2026-06-21-t3-idle-migrate-design.md
@@ -0,0 +1,140 @@
+# t3 idle-migrate — graceful overnight restart of deferred t3-serve instances — design
+
+- **Date:** 2026-06-21
+- **Status:** implemented 2026-06-21 (branch `wizard/t3-idle-migrate`; deployed + timer enabled on devvm, first overnight drain pending)
+- **Owner:** Viktor (wizard)
+- **Builds on:** the gated nightly tracker `t3-autoupdate` (re-enabled 2026-06-16, `scripts/t3-autoupdate.{sh,service,timer}`; design history in `docs/runbooks/t3-version-bump.md` + post-mortem `2026-06-09-t3-nightly-autoupdate-auth-outage.md`) and the per-user `t3-serve@<user>` systemd instances (`scripts/t3-serve@.service`).
+
+## Goal
+
+When `t3-autoupdate` **defers** a user's `t3-serve` restart because that user has an active agent at the daily 04:00–05:00 window, the user's running server keeps executing its start-time t3 version indefinitely — their client (which tracks the freshly-installed global binary) then shows *"Client and server versions differ."* For a user who is busy at every daily window (wizard: long-lived/AFK sessions overnight), the deferral never resolves and the skew persists for days.
+
+Add a **small, idle-gated overnight job that drains those deferrals**: restart a deferred `t3-serve@<user>` onto the current binary **only when nothing is actively working** in that instance, so the migration happens during a genuine quiet gap rather than killing in-flight agent turns.
+
+## Background — why the skew persists (root cause, verified 2026-06-21)
+
+- All `t3-serve@<user>` instances share ONE global `/usr/bin/t3` (→ `/usr/lib/node_modules/t3`). `t3-autoupdate` installs a new nightly to that single binary, health-gates it against a **copy** of wizard's populated `state.sqlite`, then **canary-restarts idle instances one at a time**, verifying pairing after each (`scripts/t3-autoupdate.sh` step 6).
+- Its idle check is coarse — `unit_busy()`:
+  ```sh
+  pid=$(systemctl show -p MainPID --value "$unit")
+  pgrep -aP "$pid" | grep -qiE 'claude|codex|opencode'
+  ```
+  i.e. "does the server have any `claude`/`codex`/`opencode` **child**?" But `t3 serve` keeps one such child alive per **open** session, even one idle awaiting input. Live snapshot 2026-06-21: wizard had **5 `running` provider sessions** (= 5 `claude` children) but only **3 mid-turn**, plus **89 `ready` (open-idle)** threads. So `unit_busy` is true whenever any tab is open → wizard is deferred at every window.
+- The job runs **once daily** (`OnCalendar=*-*-* 04:00:00`, `RandomizedDelaySec=1h`, `Persistent` deliberately omitted) and **only acts on a version bump** (exits early if `installed == target`). So once the binary is already current, nothing re-triggers a restart of a still-stale running server until the *next* new nightly — and only if the user happens to be idle then.
+- Confirmed in the logs: `t3-autoupdate: deferring t3-serve@wizard.service (active agent) — migrates on its next idle restart` on **both** Jun 20 and Jun 21 windows; wizard's server has been up since Jun 20 06:17 on `…20260620.605` while the binary + client are on `…20260621.613`.
+
+## Decisions (from brainstorm 2026-06-21)
+
+1. **"Safe to restart" = no turn in flight AND a quiet buffer.** Not "zero open sessions" (that would essentially never fire for wizard). Open-but-idle tabs are acceptable to drop — t3 persists thread history in `state.sqlite` and the client reconnects/resumes (the daily job already restarts idle instances routinely; restart→resume is the exercised path). To verify during implementation: the user-facing resume after a server restart.
+2. **Cadence: overnight window only.** Frequent checks within a fixed overnight window; never disconnects tabs during the working day. Migrates within ~1 night of a build landing.
+3. **Scope: all `t3-serve@<user>`, self-limiting.** The job restarts only an instance that actually *owes* a migration (a deferral marker exists). Users already migrated at the daily window have no marker → no-op. No hardcoded per-user logic.
+4. **Approach C: extract a shared safe-restart helper, reuse from both jobs.** One audited copy of the dangerous backup→restart→verify→recover logic; the new job adds only *scheduling + gating*.
+
+## Constraints (load-bearing)
+
+1. **The binary is global; migrations are forward-only and per-user-DB.** You cannot keep one user on the old version while others run the new one. A real-user forward-migration failure therefore means the build is unsafe for a real user → the only consistent recovery is the daily job's existing one (restore that user's DB + roll the **global** binary back to last-good + freeze + alert). This is a rare tail (the build was already migration-gated against a copy of wizard's real DB at install time), but the idle path must not invent a weaker recovery.
+2. **Per-user secret boundary.** A user's `~/.t3/userdata/state.sqlite` is mode 600 and may not be read as another user. The job runs as root (system service) but reads each user's DB **as that user** via `runuser -u <user> -- sqlite3 …` (the pattern `backup_all` already uses), read-only (`mode=ro`) so it never locks the live WAL.
+3. **Fail closed.** Any uncertainty about whether an instance is safe to restart (DB locked/busy/unreadable, query error, unparseable timestamp) → treat as *not safe*, skip this tick, retry in 20 min. Never restart on doubt.
+4. **Do not change the daily job's gated-install behavior.** The step-6 extraction must be behavior-preserving; health-gate, canary, downgrade-guard, freeze, and rollback stay exactly as today.
+5. **Infra-as-code via the devvm installer.** Sources live in `scripts/`; deployment is `scripts/workstation/setup-devvm.sh` (the devvm is hand-managed VM 102 — no Terraform apply). Shared-devvm deploy takes a presence claim.
+
+## Design
+
+### Components
+
+Four new files in `scripts/` + a one-line addition to the existing job:
+
+1. **`scripts/t3-safe-restart.sh`** — shared library, sourced (not executed). Holds the per-unit "dangerous" routine extracted from `t3-autoupdate.sh` step 6 as `safe_restart_unit <unit> <target>`:
+   pre-restart `VACUUM INTO` backup (as the owner) → `systemctl restart` → poll `verify_pairing` (15×2s ≈ 30s) → on failure: restore that user's DB from the pre-restart backup, `rollback_binary` to last-good, `touch $FREEZE_FILE`, log+alert. The shared helpers it needs (`LOG`, `ver`, `osusers`, `ak_for`, `verify_pairing`, `prebump_of`, `rollback_binary`, `DISPATCH`/`BACKUP_DIR`/… config) move into the lib too. Installed to `/usr/local/lib/t3-safe-restart.sh`.
+   **Contract:** returns `0` on verified success, **non-zero** after performing recovery+freeze on failure. This is the one non-verbatim change to step-6 logic — today it `exit 1`s inline; the extracted function `return`s instead so the *caller* decides (the daily job `exit 1`s on non-zero exactly as today; the idle job `break`s). Behavior is otherwise identical.
+
+2. **`scripts/t3-migrate-idle.sh`** — the new job (scheduling + gating only). Installed to `/usr/local/bin/t3-migrate-idle`. Sources the lib; per tick, drains the deferral directory (control flow below).
+
+3. **`scripts/t3-migrate-idle.service`** — `Type=oneshot`, `ExecStart=/usr/local/bin/t3-migrate-idle`. (No `EnvironmentFile` needed; env-overridable knobs have defaults.)
+
+4. **`scripts/t3-migrate-idle.timer`** — overnight window, frequent checks:
+   ```ini
+   [Timer]
+   OnCalendar=*-*-* 01..05:00/20      # fires 01:00,01:20,…,05:40; none at/after 06:00. System TZ (UTC) — tune the window.
+   Persistent=false                    # never replay a missed migrate-restart at an unpredictable time
+   RandomizedDelaySec=120
+   ```
+
+5. **One-line edit to `t3-autoupdate.sh`** — in the existing defer branch, *also record* the deferral:
+   ```sh
+   LOG "deferring $unit (active agent) — migrates on its next idle restart"
+   mkdir -p "$DEFER_DIR" 2>/dev/null; printf '%s\n' "$target" > "$DEFER_DIR/$u"   # NEW
+   deferred=$((deferred+1)); continue
+   ```
+   where `DEFER_DIR=/var/lib/t3-autoupdate/deferred`. This is the *only* behavioral change to the scarred script beyond the verbatim step-6 extraction.
+
+### Why a deferral marker (not version-introspection)
+
+The marker makes "which instances owe a restart" **exact** and decouples it from the binary-is-current problem — the daily job already *knows* it deferred wizard, so it records that fact. The idle job drains the directory; the version string in the marker is informational (a restart always picks up whatever binary is current). The marker is removed only after the restart's pairing is verified.
+
+### Control flow of `t3-migrate-idle` (per tick)
+
+```
+for marker in $DEFER_DIR/*:                       # nothing deferred → no-op
+    user = basename(marker); unit = t3-serve@<user>.service
+    [ unit is an active running service ] or { rm marker; continue }     # gone
+    if unit ActiveEnterTimestamp > mtime(marker):  rm marker; continue   # already restarted (manual/other) → just clear
+    if not safe_to_restart(user):                  continue              # mid-turn or not quiet → try next tick
+    target = contents(marker)
+    if safe_restart_unit(unit, target):            rm marker             # success: verified on new binary
+    else:                                          # helper already restored DB + rolled back binary + froze + alerted
+        break                                      # frozen: stop draining; a human investigates
+```
+
+### `safe_to_restart(user)` — the gate
+
+Single read-only query, run as the user:
+
+```sh
+runuser -u "$user" -- sqlite3 "file:/home/$user/.t3/userdata/state.sqlite?mode=ro" "
+  SELECT
+    (SELECT count(*) FROM projection_thread_sessions WHERE active_turn_id IS NOT NULL),
+    CAST((julianday('now')
+          - julianday(replace(replace(max(updated_at),'T',' '),'Z',''))) * 86400 AS INT)
+  FROM projection_thread_sessions;"
+```
+
+- Column 1 = **active turns**; must be `0`. (`active_turn_id` is set exactly while a turn runs — verified 2026-06-21.)
+- Column 2 = **idle seconds** = now − most-recent thread activity. Must be `≥ QUIET_SECONDS` (default **900** = 15 min, env-overridable). `updated_at` is ISO-8601 `…Z`; `datetime('now')`/`julianday('now')` are UTC, so normalizing `T`/`Z` away before `julianday()` keeps the arithmetic correct without depending on a newer SQLite's `Z` parsing.
+- **NULL idle** (no threads at all) ⇒ safe. **Any error / non-numeric / nonzero exit** ⇒ not safe (constraint 3).
+
+### Failure recovery
+
+Delegated entirely to `safe_restart_unit` (the extracted, already-proven path): restore the user's DB from the pre-restart backup, roll the global binary back to last-good, `touch /etc/t3-autoupdate.freeze`, log+alert. The idle job then stops draining (the freeze halts both jobs until a human clears it) — see constraint 1 for why per-user divergence isn't an option.
+
+### Observability
+
+- Structured `logger -t t3-migrate-idle` lines; extend the existing `T3AutoUpdate*` Loki ruler/alerts to also match this tag. Success → one line: `migrated t3-serve@wizard → <target> (idle restart; idle 47m)`. Failure → reuses the daily job's freeze+alert.
+- **Recommended (optional):** a Pushgateway gauge for **deferral-marker age** + an alert if a marker survives **> 3 days** — passive visibility into "busy every night for 3 days," *not* the auto-escalation/daytime-widening that was explicitly de-scoped.
+
+### Delivery
+
+- Wire into `scripts/workstation/setup-devvm.sh` alongside the existing units:
+  - `install -m 0644 "$SCRIPTS/t3-safe-restart.sh" /usr/local/lib/t3-safe-restart.sh`
+  - `install -m 0755 "$SCRIPTS/t3-migrate-idle.sh" /usr/local/bin/t3-migrate-idle`
+  - add `t3-migrate-idle.service t3-migrate-idle.timer` to the unit-install loop (→ `/etc/systemd/system/`)
+  - add `t3-migrate-idle.timer` to the `systemctl enable --now` list
+- `homelab claim host:devvm --purpose "deploy t3-migrate-idle units"` before the install + enable on the shared devvm.
+- No Terraform (hand-managed VM 102).
+
+## Testing
+
+- **TDD on the gating core (`bats`)** against fixture `state.sqlite` files: active turn → unsafe; idle-but-recent (< QUIET) → unsafe; idle + quiet → safe; empty DB → safe; locked/garbage DB / sqlite error → unsafe (fail-closed); marker drain: unit started after marker → clear+skip, before → eligible.
+- **`T3_DRY_RUN=1`** mode logs `would migrate <unit> → <target>` without acting. Roll out in dry-run first; confirm it flags wizard's server at a real overnight idle moment; then enable live.
+- **Step-6 extraction is behavior-preserving** — validate the daily job's decisions are unchanged via a dry-run diff before/after the refactor.
+
+## Out of scope (YAGNI)
+
+- Daytime restarts / "around the clock" cadence (de-scoped: overnight only).
+- Auto-escalation that widens to a daytime attempt after N stale nights (de-scoped; the optional marker-age alert covers visibility).
+- Per-user opt-out file (not needed — the job is self-limiting via markers).
+- Any change to how `t3-autoupdate` *installs/gates* a build.
+
+## Open questions
+
+None outstanding from the brainstorm. Two items to **verify during implementation** (not blockers): (a) user-facing session resume after a `t3-serve` restart; (b) the devvm's `sqlite3` parses the normalized timestamp as expected (the `replace()` normalization is the safeguard).
diff --git a/docs/plans/2026-06-21-t3-idle-migrate-plan.md b/docs/plans/2026-06-21-t3-idle-migrate-plan.md
new file mode 100644
index 00000000..ed75e234
--- /dev/null
+++ b/docs/plans/2026-06-21-t3-idle-migrate-plan.md
@@ -0,0 +1,729 @@
+# t3 idle-migrate Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Add a small idle-gated overnight job that restarts a `t3-serve@<user>` deferred by the daily autoupdate, so a chronically-busy user's server migrates onto the current t3 binary during a real quiet gap instead of staying version-skewed for days.
+
+**Architecture:** Extract the daily job's per-unit "dangerous" restart routine (backup→restart→verify→recover) into a sourced shared library `t3-safe-restart.sh`; the daily `t3-autoupdate` and a new `t3-migrate-idle` job both call it. The daily job records each deferral as a marker file; the new job drains markers overnight, restarting only when `state.sqlite` shows no in-flight turn and a quiet buffer has elapsed. Self-limiting (only acts on a recorded deferral), fail-closed.
+
+**Tech Stack:** bash, systemd timers, sqlite3 (reading t3's `state.sqlite`), the existing `t3-autoupdate` machinery. Deployed via `scripts/workstation/setup-devvm.sh` on the hand-managed devvm (no Terraform).
+
+**Design:** `docs/plans/2026-06-21-t3-idle-migrate-design.md`.
+
+---
+
+## File structure
+
+- **Create `scripts/t3-safe-restart.sh`** — sourced library: shared config defaults, `LOG`/`ver`/`osusers`/`ak_for`/`verify_pairing`/`backup_user`/`prebump_of`/`rollback_binary`, and `safe_restart_unit`. One responsibility: the audited per-unit safe restart + its recovery.
+- **Modify `scripts/t3-autoupdate.sh`** — source the lib; replace the inline helpers + step-6 body with calls into it; write/clear the deferral marker. Behavior unchanged.
+- **Create `scripts/t3-migrate-idle.sh`** — the new job: the idle gate (`gate_query`/`gate_is_safe`/`safe_to_restart`) + the marker-drain loop. Main logic behind a `main`-guard so it's source-safe for tests.
+- **Create `scripts/t3-migrate-idle.service`** + **`scripts/t3-migrate-idle.timer`** — oneshot + overnight timer.
+- **Create `tests/t3-migrate-idle-gate.test.sh`** — pure-bash TDD for the gate predicates against fixture SQLite DBs (no root, no bats).
+- **Modify `scripts/workstation/setup-devvm.sh`** — install + enable the new files.
+- **Modify `docs/runbooks/t3-version-bump.md`** + **`.claude/reference/service-catalog.md`** — document the new job.
+
+**Recovery semantics note (load-bearing):** `safe_restart_unit` is reused verbatim. In the *daily* path a canary failure happens when `last_good < target`, so its `rollback_binary` genuinely reverts the global binary (correct — a bad build is bad for everyone). In the *idle* path `last_good == installed == target` (the build was already accepted), so `rollback_binary` is a **harmless no-op reinstall** — recovery reduces to "restore the failing user's DB + freeze + alert" and does NOT downgrade other users. Known rare-tail limitation: if that user's forward migration genuinely fails at idle time (already gated against a copy of their real DB at install), their server may crashloop on the restored DB until a human acts on the freeze+alert. Documented, not hidden.
+
+---
+
+## Task 1: Shared library `t3-safe-restart.sh`
+
+**Files:**
+- Create: `scripts/t3-safe-restart.sh`
+
+- [ ] **Step 1: Create the library**
+
+```bash
+#!/usr/bin/env bash
+# t3-safe-restart.sh — SOURCED library (not executed). Shared by t3-autoupdate.sh
+# (daily gated tracker) and t3-migrate-idle.sh (overnight deferral drainer).
+#
+# Holds the per-unit "dangerous" routine — backup -> restart -> verify pairing ->
+# recover (restore DB + roll global binary back to last-good + freeze) — extracted
+# verbatim from t3-autoupdate.sh step 6, plus the small helpers it depends on.
+# The only change from the inline original: safe_restart_unit RETURNS non-zero on
+# failure (after performing recovery+freeze) instead of `exit 1`, so the CALLER
+# decides what to do (the daily job exits; the idle job stops draining).
+#
+# Callers must set, before calling safe_restart_unit: $target (version being moved
+# TO, for log lines + the prebump filename) and $last_good (rollback target).
+# Set $LOG_TAG before sourcing to tag syslog ("t3-autoupdate" / "t3-migrate-idle").
+
+# ---- shared config defaults (override via env before sourcing) ------------------
+: "${LOG_TAG:=t3-safe-restart}"
+: "${FREEZE_FILE:=/etc/t3-autoupdate.freeze}"
+: "${STATE_DIR:=/var/lib/t3-autoupdate}"
+: "${LAST_GOOD_FILE:=$STATE_DIR/last-good}"
+: "${DEFER_DIR:=$STATE_DIR/deferred}"
+: "${BACKUP_DIR:=/var/backups/t3-state}"
+: "${DISPATCH:=127.0.0.1:3780}"
+: "${USER_MAP:=/etc/ttyd-user-map}"
+: "${T3_BACKUP_TIMEOUT:=900}"
+
+LOG() { logger -t "$LOG_TAG" "$*"; echo "$LOG_TAG: $*"; }
+ver() { t3 --version 2>/dev/null | awk '{print $NF}' | sed 's/^v//'; }
+# OS users owning a ~/.t3 (RHS of each non-comment "authentik=os_user" map line).
+osusers() { awk -F= '!/^[[:space:]]*#/&&NF==2{gsub(/[[:space:]]/,"",$2);print $2}' "$USER_MAP" 2>/dev/null | sort -u; }
+# authentik username for an OS user (reverse map; first match) — for dispatch verify.
+ak_for() { awk -F= -v u="$1" '!/^[[:space:]]*#/&&NF==2{gsub(/[[:space:]]/,"",$1);gsub(/[[:space:]]/,"",$2);if($2==u){print $1;exit}}' "$USER_MAP" 2>/dev/null; }
+
+# Online consistent snapshot of ONE user's state.sqlite (run AS the owner so the
+# WAL stays owned; never stops the serve). Uses global $target for the filename.
+# Echoes the backup path on success; non-zero on failure.
+backup_user() {
+  local u="$1" src out dst ts
+  src="/home/$u/.t3/userdata/state.sqlite"; [ -f "$src" ] || return 1
+  ts="$(date +%Y%m%d-%H%M%S)"
+  out="$BACKUP_DIR/$u"; dst="$out/state-prebump-$target-$ts.sqlite"
+  install -d -o "$u" -g "$u" -m700 "$out" 2>/dev/null || mkdir -p "$out"
+  if runuser -u "$u" -- timeout "$T3_BACKUP_TIMEOUT" sqlite3 "$src" "VACUUM INTO '$dst'" 2>/dev/null && [ -s "$dst" ]; then
+    printf '%s\n' "$dst"; return 0
+  fi
+  rm -f "$dst"; return 1
+}
+
+# newest pre-bump backup for a user taken for the current $target (restore source).
+prebump_of() { ls -1t "$BACKUP_DIR/$1/state-prebump-$target-"*.sqlite 2>/dev/null | head -1; }
+
+# roll the GLOBAL binary back to last-good. In the idle path last_good==installed,
+# so this is a harmless no-op reinstall (does NOT downgrade other users).
+rollback_binary() {
+  LOG "rolling back binary $target -> $last_good"
+  if npm i -g "t3@$last_good" >/dev/null 2>&1; then LOG "rolled back to $last_good"; return 0; fi
+  LOG "ROLLBACK FAILED — could not reinstall t3@$last_good (t3 may be broken; manual fix per runbook)"; return 1
+}
+
+# verify a user's pairing through the REAL dispatch (mint -> exchange -> cookie).
+verify_pairing() {
+  local u="$1" ak out; ak="$(ak_for "$u")"; [ -n "$ak" ] || { LOG "no authentik mapping for $u — skipping dispatch verify"; return 0; }
+  out="$(curl -s -i --max-time 10 -H "X-authentik-username: $ak" -H 'Sec-Fetch-Dest: document' "http://$DISPATCH/" 2>/dev/null)"
+  printf '%s' "$out" | grep -qi '^set-cookie:[[:space:]]*t3_session='
+}
+
+# safe_restart_unit <unit> <user>: restart the unit, verify pairing; on failure
+# restore the user's DB from its pre-restart backup, roll the binary back, freeze.
+# Assumes a pre-restart backup already exists for <user> at the current $target
+# (the daily job's backup_all, or the idle job's backup_user, takes it first).
+# Returns 0 on verified success, non-zero after recovery+freeze on failure.
+safe_restart_unit() {
+  local unit="$1" u="$2" ok=0 _ bak
+  systemctl restart "$unit" || LOG "WARN: systemctl restart $unit returned non-zero"
+  for _ in $(seq 1 15); do
+    if verify_pairing "$u"; then ok=1; break; fi
+    sleep 2
+  done
+  if [ "$ok" = "1" ]; then
+    LOG "restarted $unit -> $target (pairing verified via dispatch)"; return 0
+  fi
+  LOG "HEALTH-CHECK FAILED: $u pairing broken AFTER restart onto $target — rolling back + restoring its DB"
+  rollback_binary
+  bak="$(prebump_of "$u")"
+  if [ -n "$bak" ]; then
+    systemctl stop "$unit" 2>/dev/null
+    if install -o "$u" -g "$u" -m600 "$bak" "/home/$u/.t3/userdata/state.sqlite" 2>/dev/null; then
+      rm -f "/home/$u/.t3/userdata/state.sqlite-wal" "/home/$u/.t3/userdata/state.sqlite-shm"
+      LOG "restored $u state.sqlite from $bak"
+    fi
+    systemctl start "$unit" 2>/dev/null
+  fi
+  touch "$FREEZE_FILE" 2>/dev/null
+  LOG "FROZEN ($FREEZE_FILE) after $u failed on $target; last_good stays $last_good — investigate, then remove the freeze file to resume"
+  return 1
+}
+```
+
+- [ ] **Step 2: Syntax + lint check**
+
+Run: `bash -n scripts/t3-safe-restart.sh && (command -v shellcheck >/dev/null && shellcheck -x scripts/t3-safe-restart.sh || echo "shellcheck absent — skipped")`
+Expected: no syntax errors. (shellcheck may warn on the intentional global `$target`/`$last_good` references — acceptable; they are documented caller-set globals.)
+
+- [ ] **Step 3: Source-and-define smoke test**
+
+Run:
+```bash
+bash -c 'LOG_TAG=test; . scripts/t3-safe-restart.sh; for f in LOG ver osusers ak_for backup_user prebump_of rollback_binary verify_pairing safe_restart_unit; do declare -F "$f" >/dev/null || { echo "MISSING $f"; exit 1; }; done; echo "all functions defined"'
+```
+Expected: `all functions defined` (sourcing has no side effects — no exit, no output beyond the echo).
+
+- [ ] **Step 4: Commit**
+
+```bash
+GC=(-c filter.git-crypt.smudge=cat -c filter.git-crypt.clean=cat -c filter.git-crypt.required=false)
+git "${GC[@]}" add scripts/t3-safe-restart.sh
+git "${GC[@]}" commit -m "t3-safe-restart: extract shared safe-restart library from t3-autoupdate
+
+Pull the per-unit backup->restart->verify->recover routine (and the small
+helpers it needs) out of t3-autoupdate.sh into a sourced library, so a second
+job (the upcoming idle migrator) can reuse the exact same audited recovery path
+instead of forking safety-critical code. safe_restart_unit returns non-zero on
+failure (after recovery+freeze) rather than exiting, so callers control flow.
+
+Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>"
+```
+
+---
+
+## Task 2: Refactor `t3-autoupdate.sh` to use the library + record deferrals
+
+**Files:**
+- Modify: `scripts/t3-autoupdate.sh` (config block 32–42, helpers 44–165, step 6 loop 194–225)
+
+- [ ] **Step 1: Source the library; drop the now-shared helpers**
+
+Replace lines 32–52 (the `T3_*` config block through the `newer()` helper) with — keep the autoupdate-only config, source the lib for the shared bits:
+
+```bash
+# ---- autoupdate-specific config (shared config + helpers come from the lib) -----
+T3_TRACK="${T3_TRACK:-nightly}"            # npm dist-tag to follow (nightly | latest)
+T3_PIN="${T3_PIN:-}"                        # optional HARD pin to an exact version (disables tracking)
+SMOKE_PORT="${T3_SMOKE_PORT:-3799}"
+DRY_RUN="${T3_DRY_RUN:-0}"
+TMPROOT="${T3_TMPDIR:-/var/tmp}"           # health-check scratch on DISK — /tmp is a 2G tmpfs and a populated state.sqlite (~hundreds of MB) overflows it
+
+LOG_TAG=t3-autoupdate
+# shellcheck source=scripts/t3-safe-restart.sh
+. "${T3_SAFE_RESTART_LIB:-/usr/local/lib/t3-safe-restart.sh}"
+
+# is $1 a strictly-newer version than $2 (version-sort)?
+newer() { [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -1)" = "$1" ]; }
+
+mkdir -p "$STATE_DIR" 2>/dev/null || true
+```
+
+(The lib now provides `FREEZE_FILE`, `STATE_DIR`, `LAST_GOOD_FILE`, `DEFER_DIR`, `BACKUP_DIR`, `DISPATCH`, `USER_MAP`, `LOG`, `ver`, `osusers`, `ak_for`, `verify_pairing`, `prebump_of`, `rollback_binary`, `backup_user`, `safe_restart_unit`.)
+
+- [ ] **Step 2: Simplify `backup_all` to call the shared `backup_user`**
+
+Replace the `backup_all()` definition (lines 90–105) with:
+
+```bash
+ADMIN_SEED=""
+backup_all() {
+  local u dst
+  for u in $(osusers); do
+    if dst="$(backup_user "$u")"; then
+      LOG "pre-bump backup: $u -> $dst ($(stat -c%s "$dst" 2>/dev/null) bytes)"
+      [ "$u" = "wizard" ] && ADMIN_SEED="$dst"
+    else
+      LOG "WARN: pre-bump backup FAILED for $u (/home/$u/.t3/userdata/state.sqlite)"
+    fi
+  done
+  [ -n "$ADMIN_SEED" ] || ADMIN_SEED="$(ls -1t "$BACKUP_DIR"/*/"state-prebump-$target-"*.sqlite 2>/dev/null | head -1)"
+}
+```
+
+Delete the now-duplicated standalone `prebump_of`, `rollback_binary`, and `verify_pairing` definitions (lines 107–108, 146–152, 160–165) — they come from the lib. Keep `health_check` and `unit_busy` (autoupdate-only).
+
+- [ ] **Step 3: Use `safe_restart_unit` + write/clear the deferral marker in step 6**
+
+Replace the step-6 loop body (lines 196–225) with:
+
+```bash
+for unit in $(systemctl list-units --type=service --state=running --no-legend 't3-serve@*' 2>/dev/null | awk '{print $1}'); do
+  u="$(printf '%s' "$unit" | sed -n 's/^t3-serve@\(.*\)\.service$/\1/p')"; [ -n "$u" ] || continue
+  if unit_busy "$unit"; then
+    LOG "deferring $unit (active agent) — migrates on its next idle restart"
+    mkdir -p "$DEFER_DIR" 2>/dev/null && printf '%s\n' "$target" >"$DEFER_DIR/$u"   # record for t3-migrate-idle
+    deferred=$((deferred+1)); continue
+  fi
+  if safe_restart_unit "$unit" "$u"; then
+    restarted=$((restarted+1))
+    rm -f "$DEFER_DIR/$u" 2>/dev/null            # now current — clear any stale marker
+  else
+    exit 1                                        # frozen by safe_restart_unit — preserve today's behavior
+  fi
+done
+```
+
+- [ ] **Step 4: Syntax check + behavior-preserving dry-run diff**
+
+Run:
+```bash
+bash -n scripts/t3-autoupdate.sh
+# Confirm the only remaining defer/restart decisions are unchanged vs HEAD~1 logic:
+git -c filter.git-crypt.smudge=cat -c filter.git-crypt.clean=cat -c filter.git-crypt.required=false diff HEAD scripts/t3-autoupdate.sh | grep -E '^\+|^-' | grep -vE 'safe_restart_unit|backup_user|DEFER_DIR|source|\. "|LOG_TAG|^\+\+\+|^---' | head -40
+```
+Expected: no syntax errors; the diff shows only the extraction (calls replacing inline bodies) + the two marker lines — no change to install/health-gate/canary decision logic.
+
+- [ ] **Step 5: Commit**
+
+```bash
+GC=(-c filter.git-crypt.smudge=cat -c filter.git-crypt.clean=cat -c filter.git-crypt.required=false)
+git "${GC[@]}" add scripts/t3-autoupdate.sh
+git "${GC[@]}" commit -m "t3-autoupdate: source the shared safe-restart lib + record deferrals
+
+Behavior-preserving refactor: the per-unit restart/recover body and small helpers
+now come from t3-safe-restart.sh (one audited copy). Additionally, when a unit is
+deferred for an active agent, write a marker under /var/lib/t3-autoupdate/deferred/
+so the new idle migrator can drain it later; clear the marker on a successful
+restart. Install/health-gate/canary logic is unchanged.
+
+Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>"
+```
+
+---
+
+## Task 3: The idle gate (TDD) — `gate_query` + `gate_is_safe`
+
+**Files:**
+- Create: `tests/t3-migrate-idle-gate.test.sh`
+- Create (incremental): `scripts/t3-migrate-idle.sh` (gate functions only this task)
+
+- [ ] **Step 1: Write the failing test**
+
+Create `tests/t3-migrate-idle-gate.test.sh`:
+
+```bash
+#!/usr/bin/env bash
+# Pure-bash unit tests for the t3-migrate-idle gate. No root, no bats, no Docker.
+# Sources t3-migrate-idle.sh (main-guarded) with the lib path pointed at the worktree.
+set -uo pipefail
+HERE="$(cd "$(dirname "$0")/.." && pwd)"   # repo root (tests/ is one level down)
+export T3_SAFE_RESTART_LIB="$HERE/scripts/t3-safe-restart.sh"
+# shellcheck source=/dev/null
+. "$HERE/scripts/t3-migrate-idle.sh"        # defines functions; main-guard prevents the drain from running
+
+pass=0; fail=0
+ok()   { if "$@"; then pass=$((pass+1)); else fail=$((fail+1)); echo "FAIL: $*"; fi; }
+notok(){ if "$@"; then fail=$((fail+1)); echo "FAIL (expected non-zero): $*"; else pass=$((pass+1)); fi; }
+
+# --- gate_is_safe <active> <idle_seconds> with QUIET_SECONDS=900 ---
+QUIET_SECONDS=900
+ok    gate_is_safe 0 1000      # idle, quiet long enough -> safe
+notok gate_is_safe 1 1000      # a turn in flight -> unsafe
+notok gate_is_safe 0 100       # idle but not quiet enough -> unsafe
+ok    gate_is_safe 0 ""        # no threads at all (NULL idle) -> safe
+notok gate_is_safe x 1000      # unparseable active -> unsafe
+notok gate_is_safe 0 -30       # negative idle (clock skew) -> unsafe
+
+# --- gate_query <db> against fixture SQLite DBs ---
+TMP="$(mktemp -d)"; trap 'rm -rf "$TMP"' EXIT
+mkfix() { # mkfix <file> ; reads rows "active_turn_id|updated_at" on stdin
+  local f="$1"; sqlite3 "$f" "CREATE TABLE projection_thread_sessions(active_turn_id TEXT, updated_at TEXT NOT NULL);"
+  while IFS='|' read -r a u; do sqlite3 "$f" "INSERT INTO projection_thread_sessions VALUES ($([ "$a" = NULL ] && echo NULL || echo "'$a'"), '$u');"; done
+}
+NOW="$(date -u +%Y-%m-%dT%H:%M:%S.000Z)"
+OLD="$(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S.000Z)"
+
+# active turn present -> "1|<small idle>"
+printf '%s\n' "abc|$NOW" "NULL|$OLD" | mkfix "$TMP/active.db"
+res="$(gate_query "$TMP/active.db")"; ok test "${res%%|*}" = "1"
+
+# all idle, last activity 1h ago -> "0|>=3500"
+printf '%s\n' "NULL|$OLD" "NULL|$OLD" | mkfix "$TMP/idle.db"
+res="$(gate_query "$TMP/idle.db")"; ok test "${res%%|*}" = "0"; ok test "${res##*|}" -ge 3500
+
+# empty table -> "0|" (NULL idle)
+sqlite3 "$TMP/empty.db" "CREATE TABLE projection_thread_sessions(active_turn_id TEXT, updated_at TEXT NOT NULL);"
+res="$(gate_query "$TMP/empty.db")"; ok test "${res%%|*}" = "0"
+
+echo "PASS=$pass FAIL=$fail"; [ "$fail" -eq 0 ]
+```
+
+- [ ] **Step 2: Run it to verify it fails**
+
+Run: `bash tests/t3-migrate-idle-gate.test.sh`
+Expected: FAIL — `scripts/t3-migrate-idle.sh` does not exist yet (source error).
+
+- [ ] **Step 3: Create `scripts/t3-migrate-idle.sh` with the gate functions + main-guard skeleton**
+
+```bash
+#!/usr/bin/env bash
+# t3-migrate-idle.sh — drains t3-autoupdate's deferral markers (via the overnight
+# t3-migrate-idle.timer). For each deferred t3-serve@<user>, if nothing is actively
+# working in that instance (no in-flight turn + a quiet buffer), restart it onto the
+# current binary using the shared safe_restart_unit, then clear the marker.
+# Why this exists: t3-autoupdate defers a user with an active agent at its single
+# daily window; a user busy every night never migrates and their client shows
+# "Client and server versions differ". See docs/plans/2026-06-21-t3-idle-migrate-*.
+set -uo pipefail
+
+LOG_TAG=t3-migrate-idle
+# shellcheck source=scripts/t3-safe-restart.sh
+. "${T3_SAFE_RESTART_LIB:-/usr/local/lib/t3-safe-restart.sh}"
+
+QUIET_SECONDS="${T3_MIGRATE_QUIET_SECONDS:-900}"   # required idle before a restart (15 min)
+DRY_RUN="${T3_DRY_RUN:-0}"
+
+# pure logic: is it safe given <active_turns> and <idle_seconds>? fail closed.
+gate_is_safe() {
+  local active="$1" idle="$2"
+  case "$active" in ''|*[!0-9]*) return 1;; esac     # unparseable/empty active -> unsafe
+  [ "$active" -eq 0 ] || return 1                     # a turn is running -> unsafe
+  [ -z "$idle" ] && return 0                          # no threads at all -> safe
+  case "$idle" in ''|*[!0-9-]*) return 1;; esac       # non-numeric -> unsafe
+  [ "$idle" -ge "$QUIET_SECONDS" ]                    # negative or < quiet -> unsafe
+}
+
+# query a state.sqlite (path or file: URI). Echoes "<active_turns>|<idle_seconds>".
+# idle_seconds is empty when there are no rows. Normalizes ISO 'T'/'Z' for julianday.
+gate_query() {
+  local db="$1"
+  sqlite3 -batch -noheader -separator '|' "$db" \
+    "SELECT
+       (SELECT count(*) FROM projection_thread_sessions WHERE active_turn_id IS NOT NULL),
+       CAST((julianday('now') - julianday(replace(replace(max(updated_at),'T',' '),'Z',''))) * 86400 AS INT)
+     FROM projection_thread_sessions;"
+}
+
+# safe_to_restart <user>: wire runuser + the user's DB into gate_query/gate_is_safe.
+safe_to_restart() {
+  local u="$1" db row
+  db="/home/$u/.t3/userdata/state.sqlite"; [ -f "$db" ] || return 1
+  row="$(runuser -u "$u" -- sqlite3 -batch -noheader -separator '|' "file:$db?mode=ro" \
+    "SELECT
+       (SELECT count(*) FROM projection_thread_sessions WHERE active_turn_id IS NOT NULL),
+       CAST((julianday('now') - julianday(replace(replace(max(updated_at),'T',' '),'Z',''))) * 86400 AS INT)
+     FROM projection_thread_sessions;" 2>/dev/null)" || return 1
+  gate_is_safe "${row%%|*}" "${row##*|}"
+}
+
+main() {
+  :   # drain loop added in Task 4
+}
+
+# main-guard: run only when executed, not when sourced (tests source this file).
+if [ "${BASH_SOURCE[0]}" = "${0}" ]; then main "$@"; fi
+```
+
+- [ ] **Step 4: Run the test to verify it passes**
+
+Run: `bash tests/t3-migrate-idle-gate.test.sh`
+Expected: `PASS=10 FAIL=0` (exit 0).
+
+- [ ] **Step 5: Commit**
+
+```bash
+GC=(-c filter.git-crypt.smudge=cat -c filter.git-crypt.clean=cat -c filter.git-crypt.required=false)
+git "${GC[@]}" add scripts/t3-migrate-idle.sh tests/t3-migrate-idle-gate.test.sh
+git "${GC[@]}" commit -m "t3-migrate-idle: idle gate (no in-flight turn + quiet buffer), TDD
+
+The gate reads t3's state.sqlite: safe to restart only when zero threads have an
+active_turn_id AND the most-recent thread activity is older than the quiet buffer
+(default 15m). Fail-closed on any parse/query error. Pure-bash unit tests cover
+the boundaries against fixture DBs (no root/bats/Docker).
+
+Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>"
+```
+
+---
+
+## Task 4: The marker-drain loop in `t3-migrate-idle.sh`
+
+**Files:**
+- Modify: `scripts/t3-migrate-idle.sh` (replace the `main()` skeleton)
+
+- [ ] **Step 1: Implement `main()` (the drain loop)**
+
+Replace the `main() { : ; }` skeleton with:
+
+```bash
+main() {
+  # a frozen build must not be auto-migrated (shared switch with t3-autoupdate)
+  if [ -e "$FREEZE_FILE" ]; then LOG "FROZEN: $FREEZE_FILE present — not draining deferrals"; exit 0; fi
+  [ -d "$DEFER_DIR" ] || exit 0                       # nothing deferred
+  last_good="$(tr -d '[:space:]' <"$LAST_GOOD_FILE" 2>/dev/null)"   # rollback target for the helper
+
+  local marker u unit started mwritten migrated=0 skipped=0
+  for marker in "$DEFER_DIR"/*; do
+    [ -e "$marker" ] || continue                      # empty-dir glob
+    u="$(basename "$marker")"; unit="t3-serve@$u.service"
+    if ! systemctl is-active --quiet "$unit"; then
+      LOG "clearing marker for $u: $unit not active"; rm -f "$marker"; continue
+    fi
+    started="$(date -d "$(systemctl show -p ActiveEnterTimestamp --value "$unit" 2>/dev/null)" +%s 2>/dev/null || echo 0)"
+    mwritten="$(stat -c %Y "$marker" 2>/dev/null || echo 0)"
+    if [ "$started" -gt "$mwritten" ]; then
+      LOG "clearing marker for $u: $unit already restarted $((started-mwritten))s after the deferral"; rm -f "$marker"; continue
+    fi
+    if ! safe_to_restart "$u"; then skipped=$((skipped+1)); continue; fi
+
+    target="$(tr -d '[:space:]' <"$marker" 2>/dev/null)"; [ -n "$target" ] || target="$(ver)"
+    if [ "$DRY_RUN" = "1" ]; then LOG "DRY_RUN: would migrate $unit -> $target (idle gate satisfied)"; continue; fi
+    if ! backup_user "$u" >/dev/null; then
+      LOG "WARN: pre-restart backup failed for $u — skipping (fail closed)"; skipped=$((skipped+1)); continue
+    fi
+    if safe_restart_unit "$unit" "$u"; then
+      LOG "migrated $unit -> $target (idle restart)"; rm -f "$marker"; migrated=$((migrated+1))
+    else
+      LOG "migrate FAILED for $unit — recovery+freeze handled by safe_restart_unit; stopping drain"; exit 1
+    fi
+  done
+  LOG "idle-migrate pass complete (migrated=$migrated skipped=$skipped)"
+}
+```
+
+- [ ] **Step 2: Re-run the gate tests (regression — main-guard still source-safe)**
+
+Run: `bash tests/t3-migrate-idle-gate.test.sh`
+Expected: `PASS=10 FAIL=0` (sourcing still defines functions without running the loop).
+
+- [ ] **Step 3: Syntax + lint**
+
+Run: `bash -n scripts/t3-migrate-idle.sh && (command -v shellcheck >/dev/null && shellcheck -x scripts/t3-migrate-idle.sh || echo "shellcheck absent — skipped")`
+Expected: no syntax errors.
+
+- [ ] **Step 4: Commit**
+
+```bash
+GC=(-c filter.git-crypt.smudge=cat -c filter.git-crypt.clean=cat -c filter.git-crypt.required=false)
+git "${GC[@]}" add scripts/t3-migrate-idle.sh
+git "${GC[@]}" commit -m "t3-migrate-idle: drain deferral markers when safe
+
+For each /var/lib/t3-autoupdate/deferred/<user> marker: skip+clear if the unit is
+gone or was already restarted after the deferral; otherwise, when the idle gate is
+satisfied, take a pre-restart backup and restart via the shared safe_restart_unit,
+clearing the marker on verified success. DRY_RUN logs decisions without acting.
+
+Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>"
+```
+
+---
+
+## Task 5: systemd units
+
+**Files:**
+- Create: `scripts/t3-migrate-idle.service`, `scripts/t3-migrate-idle.timer`
+
+- [ ] **Step 1: Create the service unit**
+
+`scripts/t3-migrate-idle.service`:
+```ini
+[Unit]
+Description=t3 idle migrator — restart deferred t3-serve instances onto the current binary when idle
+Documentation=https://forgejo.viktorbarzin.me/viktor/infra/src/branch/master/docs/plans/2026-06-21-t3-idle-migrate-design.md
+After=network.target t3-dispatch.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/t3-migrate-idle
+```
+
+- [ ] **Step 2: Create the timer unit**
+
+`scripts/t3-migrate-idle.timer`:
+```ini
+[Unit]
+Description=Overnight drain of t3-autoupdate deferrals (idle-gated t3-serve migration)
+
+[Timer]
+OnCalendar=*-*-* 01..05:00/20
+RandomizedDelaySec=120
+Persistent=false
+
+[Install]
+WantedBy=timers.target
+```
+
+- [ ] **Step 3: Validate unit syntax**
+
+Run: `systemd-analyze verify scripts/t3-migrate-idle.service scripts/t3-migrate-idle.timer 2>&1 | grep -v 'Unknown\|Cannot find' || echo "units parse OK"`
+Expected: no fatal parse errors (warnings about the `[Install]` of a non-installed unit / missing exec on a non-deployed path are acceptable in the worktree).
+
+- [ ] **Step 4: Confirm the OnCalendar expands to the intended overnight slots**
+
+Run: `systemd-analyze calendar '*-*-* 01..05:00/20' --iterations=5`
+Expected: next elapses at 01:00/01:20/01:40/02:00/… (every 20 min, hours 01–05).
+
+- [ ] **Step 5: Commit**
+
+```bash
+GC=(-c filter.git-crypt.smudge=cat -c filter.git-crypt.clean=cat -c filter.git-crypt.required=false)
+git "${GC[@]}" add scripts/t3-migrate-idle.service scripts/t3-migrate-idle.timer
+git "${GC[@]}" commit -m "t3-migrate-idle: systemd oneshot + overnight timer (01:00-05:40, /20)
+
+Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>"
+```
+
+---
+
+## Task 6: Wire into `setup-devvm.sh`
+
+**Files:**
+- Modify: `scripts/workstation/setup-devvm.sh` (9a install ~line 164; 9d unit loop ~line 200; enable ~line 218)
+
+- [ ] **Step 1: Install the lib + the new script (section 9a)**
+
+After the `install -m 0755 "$SCRIPTS/t3-autoupdate.sh" /usr/local/bin/t3-autoupdate` line, add:
+```bash
+install -m 0644 "$SCRIPTS/t3-safe-restart.sh" /usr/local/lib/t3-safe-restart.sh
+install -m 0755 "$SCRIPTS/t3-migrate-idle.sh" /usr/local/bin/t3-migrate-idle
+```
+
+- [ ] **Step 2: Install the unit files (section 9d loop)**
+
+Add to the `for u in …` unit list (after the `t3-autoupdate.service t3-autoupdate.timer \` line):
+```bash
+         t3-migrate-idle.service t3-migrate-idle.timer \
+```
+
+- [ ] **Step 3: Enable the timer (section 9 enable line)**
+
+Append `t3-migrate-idle.timer` to the `systemctl enable --now` list:
+```bash
+systemctl enable --now t3-dispatch.service \
+  t3-autoupdate.timer t3-backup-state.timer t3-provision-users.timer t3-migrate-idle.timer >/dev/null 2>&1 || \
+  log "WARN: some units failed to enable (check: systemctl status t3-dispatch t3-*.timer)"
+```
+
+- [ ] **Step 4: Syntax check**
+
+Run: `bash -n scripts/workstation/setup-devvm.sh`
+Expected: no syntax errors.
+
+- [ ] **Step 5: Commit**
+
+```bash
+GC=(-c filter.git-crypt.smudge=cat -c filter.git-crypt.clean=cat -c filter.git-crypt.required=false)
+git "${GC[@]}" add scripts/workstation/setup-devvm.sh
+git "${GC[@]}" commit -m "setup-devvm: install + enable t3-migrate-idle (lib, script, units, timer)
+
+Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>"
+```
+
+---
+
+## Task 7: Deploy to the devvm + validate (dry-run first)
+
+**Files:** none (operational). Presence-claimed, shared-host mutation.
+
+- [ ] **Step 1: Claim the host**
+
+Run: `homelab claim host:devvm --purpose "deploy t3-migrate-idle units (idle-gated t3-serve migration)"`
+Expected: claim acquired (if already held by another session, defer per CLAUDE.md).
+
+- [ ] **Step 2: Install the artifacts (mirror setup-devvm.sh 9a/9d)**
+
+Run:
+```bash
+W=/home/wizard/code/infra/.worktrees/t3-idle-migrate/scripts
+sudo install -m 0644 "$W/t3-safe-restart.sh"      /usr/local/lib/t3-safe-restart.sh
+sudo install -m 0755 "$W/t3-migrate-idle.sh"      /usr/local/bin/t3-migrate-idle
+sudo install -m 0644 "$W/t3-migrate-idle.service" /etc/systemd/system/t3-migrate-idle.service
+sudo install -m 0644 "$W/t3-migrate-idle.timer"   /etc/systemd/system/t3-migrate-idle.timer
+sudo systemctl daemon-reload
+```
+Expected: no errors.
+
+- [ ] **Step 2b: Re-point the live daily job at the installed lib (it now sources it)**
+
+The deployed `/usr/local/bin/t3-autoupdate` is the OLD inline version until setup-devvm re-runs; install the refactored one so both jobs share the lib:
+```bash
+sudo install -m 0755 "$W/t3-autoupdate.sh" /usr/local/bin/t3-autoupdate
+sudo /usr/local/bin/t3-autoupdate   # safe: same-version run exits at "already on nightly; nothing to do"
+```
+Expected: log line `already on <track>=<ver>; nothing to do` (proves the refactored daily job sources the lib and runs clean).
+
+- [ ] **Step 3: DRY-RUN the idle migrator against live state**
+
+Run: `sudo T3_DRY_RUN=1 /usr/local/bin/t3-migrate-idle; echo "exit=$?"`
+Expected: with wizard currently busy (mid-turn during the day), a `skipped` count — `idle-migrate pass complete (migrated=0 skipped=N)` — and NO restart. (If wizard happens to be idle+quiet, it logs `DRY_RUN: would migrate t3-serve@wizard …` and still does not act.)
+
+- [ ] **Step 4: Seed a deferral marker for the current skew + dry-run again**
+
+The live daily job already deferred wizard but the marker mechanism is new, so create it once to represent the existing `.605→.613` debt:
+```bash
+sudo install -d -m755 /var/lib/t3-autoupdate/deferred
+printf '%s\n' "$(t3 --version | awk '{print $NF}' | sed 's/^v//')" | sudo tee /var/lib/t3-autoupdate/deferred/wizard >/dev/null
+sudo T3_DRY_RUN=1 /usr/local/bin/t3-migrate-idle; echo "exit=$?"
+```
+Expected: the pass now considers `wizard` — either `DRY_RUN: would migrate t3-serve@wizard.service -> …613` (if idle) or counted in `skipped` (if mid-turn). Confirms marker drain + gate wiring end-to-end without acting.
+
+- [ ] **Step 5: Enable the timer (live)**
+
+Run: `sudo systemctl enable --now t3-migrate-idle.timer && systemctl list-timers t3-migrate-idle.timer --no-pager`
+Expected: timer active, next elapse in the 01:00–05:40 window.
+
+- [ ] **Step 6: Release the claim**
+
+Run: `homelab release host:devvm`
+
+> **First live migration** happens overnight at the first idle+quiet tick. Verify next session: `journalctl -u t3-migrate-idle.service --since yesterday | grep -E 'migrated|skipped|DRY|FROZEN'` and `t3 --version` vs the running server's version. (The user-facing resume-after-restart is observed here — design open-question (a).)
+
+---
+
+## Task 8: Docs
+
+**Files:**
+- Modify: `docs/runbooks/t3-version-bump.md` (add an idle-migrate section)
+- Modify: `.claude/reference/service-catalog.md` (add the unit)
+- Modify: `docs/plans/2026-06-21-t3-idle-migrate-design.md` (Status → implemented)
+
+- [ ] **Step 1: Runbook** — add a section after the autoupdate description:
+
+```markdown
+## Idle migrator (`t3-migrate-idle.timer`)
+
+`t3-autoupdate` defers a user's `t3-serve` restart when they have an active agent
+at the daily window, recording `/var/lib/t3-autoupdate/deferred/<user>`.
+`t3-migrate-idle` (overnight, every 20 min 01:00–05:40) drains those markers:
+it restarts a deferred instance onto the current binary only when that user's
+`state.sqlite` shows no in-flight turn (`active_turn_id`) and ≥15 min quiet, via
+the shared `safe_restart_unit` (same backup→verify→recover as the daily canary).
+- **Force a migration now:** `sudo systemctl start t3-migrate-idle.service` (still idle-gated).
+- **Preview without acting:** `sudo T3_DRY_RUN=1 /usr/local/bin/t3-migrate-idle`.
+- **Stop it:** the shared `/etc/t3-autoupdate.freeze` halts both jobs.
+- **Rare-tail failure:** a forward-migration failure at idle restart restores the
+  user's DB + freezes + alerts (the binary rollback is a no-op since the build was
+  already accepted); the user's server may crashloop on the restored DB until the
+  freeze is cleared. Investigate per the rollback section above.
+```
+
+- [ ] **Step 2: service-catalog** — add a row/line for `t3-migrate-idle.timer` (overnight idle-gated t3-serve migration; sources `t3-safe-restart.sh`).
+
+- [ ] **Step 3: design doc status** — change the header `Status:` to `implemented 2026-06-21 (commits on wizard/t3-idle-migrate)`.
+
+- [ ] **Step 4: Commit**
+
+```bash
+GC=(-c filter.git-crypt.smudge=cat -c filter.git-crypt.clean=cat -c filter.git-crypt.required=false)
+git "${GC[@]}" add docs/runbooks/t3-version-bump.md .claude/reference/service-catalog.md docs/plans/2026-06-21-t3-idle-migrate-design.md
+git "${GC[@]}" commit -m "docs: t3-migrate-idle runbook + service-catalog + design status
+
+Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>"
+```
+
+---
+
+## Task 9: Land
+
+- [ ] **Step 1: Merge latest master into the branch**
+
+Run:
+```bash
+GC=(-c filter.git-crypt.smudge=cat -c filter.git-crypt.clean=cat -c filter.git-crypt.required=false)
+git "${GC[@]}" fetch forgejo
+git "${GC[@]}" merge --no-edit forgejo/master
+```
+Expected: clean merge (no conflicts; the files are new or autoupdate-only). Resolve if any.
+
+- [ ] **Step 2: Re-run the gate tests post-merge**
+
+Run: `bash tests/t3-migrate-idle-gate.test.sh`
+Expected: `PASS=10 FAIL=0`.
+
+- [ ] **Step 3: Push to master**
+
+Run: `git -c filter.git-crypt.smudge=cat -c filter.git-crypt.clean=cat -c filter.git-crypt.required=false push forgejo HEAD:master`
+Expected: accepted. Non-fast-forward → fetch/merge/retry.
+
+- [ ] **Step 4: Watch CI to completion**
+
+Run: `homelab ci watch`
+Expected: green (infra apply pipeline — this change is scripts/docs only, no Terraform, so apply is a no-op for it).
+
+- [ ] **Step 5: Clean up the worktree**
+
+Run (from the main checkout):
+```bash
+git -C /home/wizard/code/infra worktree remove .worktrees/t3-idle-migrate
+git -C /home/wizard/code/infra branch -d wizard/t3-idle-migrate
+```
+
+---
+
+## Self-review
+
+- **Spec coverage:** marker mechanism (T2,T4) · shared safe-restart lib / approach C (T1) · idle gate active_turn_id+quiet (T3) · overnight timer (T5) · all-users self-limiting via markers (T4 loop) · failure recovery reuse (T1, note) · observability logs (LOG_TAG throughout) · delivery via setup-devvm (T6) · presence-claimed deploy (T7) · TDD on the gate (T3) · dry-run rollout (T7) · docs (T8). Optional Pushgateway marker-age gauge from the design is **intentionally deferred** (logged here as a follow-up, not built — keeps scope to the shipping mechanism).
+- **Placeholders:** none — every file has complete content; every command has expected output.
+- **Type/name consistency:** `safe_restart_unit`, `backup_user`, `prebump_of`, `gate_query`, `gate_is_safe`, `safe_to_restart`, `DEFER_DIR`, `QUIET_SECONDS`, `T3_SAFE_RESTART_LIB`, `LOG_TAG` used identically across tasks. `target`/`last_good` are documented caller-set globals consumed by lib functions.
diff --git a/docs/post-mortems/2026-05-25-immich-anca-elements-io-storm.md b/docs/post-mortems/2026-05-25-immich-anca-elements-io-storm.md
index f3ea2b8e..0d4d82c1 100644
--- a/docs/post-mortems/2026-05-25-immich-anca-elements-io-storm.md
+++ b/docs/post-mortems/2026-05-25-immich-anca-elements-io-storm.md
@@ -178,6 +178,16 @@ During the recovery, a second cascade was discovered that compounded the outage:
 
 **Still the real fix (from this PM, still TODO):** the P0 import-side cap, and especially the **IO-isolation** items — move k8s-master **etcd** + node OS disks off sdc onto SSD (generalize P3), and/or give the Immich library its own spindle (P1). Concurrency caps are a band-aid; sdc remains a single shared failure domain that every storm finds. Tracked in beads (see Follow-up Implementation).
 
+## Update 2026-06-16 — 6th IO-pressure incident (same `anca-elements-import` Job re-triggered)
+
+**Same direct trigger as 2026-05-25.** The original `kubernetes_job_v1.anca_elements_import` resource block was never removed from `stacks/immich/main.tf` after the 2026-05-25 import completed — despite the in-code comment instructing "After successful completion: REMOVE this resource block + apply again." Every subsequent `terragrunt apply` of the immich stack re-created the Job. On 2026-06-16 ~20:50 UTC it ran again with the original `--concurrent-tasks 20`, scanning all 21,643 Immich assets in pure read-scan mode (`Uploaded 0`) for ~51 min. Result mirrored 2026-06-01: 62 of 64 nfsd threads in D-state on `folio_wait_bit_common`, sdc 80–82% util, **etcd starved → kube-apiserver crash-loop with `start-service-ip-repair-controllers failed: unable to perform initial IP and Port allocation check`**. Cluster unreachable; PVE host load peaked at 102 of 44 threads. The 2026-06-01 server-side job concurrency caps (`thumbnailGeneration=2, metadataExtraction=2, library=2`) held — the storm was on the import side, not the ML side.
+
+**Immediate recovery**: `nfsd` throttled `64 → 8` threads on the PVE host (gave apiserver enough headroom to come back), then `kubectl delete job -n immich anca-elements-import` + force-delete the pod. Storm cleared instantly: sdc 80% → 30% util, all nfsd threads idle, apiserver `/readyz: ok`. nfsd restored to 64.
+
+**Permanent fix (this commit)**: Removed `kubernetes_job_v1.anca_elements_import` AND the `module "nfs_anca_elements_host"` PVC from `stacks/immich/main.tf`. The photo batch is complete; per user, the videos batch is not on the near roadmap, so the PVC + the comment scaffold around it are gone too. The on-disk dump at `/srv/nfs/anca-elements` on the PVE host is **kept** (browseable via Nextcloud's admin-only "PVE NFS Pool" mount); decision on deletion deferred to user. A future import would re-add the PVC + a fresh Job (or, better, a one-shot manual `kubectl create job` invocation that does not live in Terraform — see Lessons below).
+
+**Updated lesson — one-shot Jobs do NOT belong in `kubernetes_job_v1`.** TF treats Jobs as long-lived resources and re-creates them on every apply if state drift is detected. A truly one-shot import either (a) becomes a `kubernetes_cron_job_v1` with `suspend = true` (Viktor can un-suspend → run → re-suspend) or (b) lives outside TF entirely as a `kubectl create job --from=...` ad-hoc invocation captured in `docs/runbooks/`. The "REMOVE this resource block + apply again" comment failed as a control because nobody noticed it for 22 days.
+
 ## Related
 
 - 2026-05-09 IO post-mortem: `docs/post-mortems/2026-05-09-io-pressure-stale-nfs.md`
diff --git a/docs/post-mortems/2026-06-09-t3-nightly-autoupdate-auth-outage.md b/docs/post-mortems/2026-06-09-t3-nightly-autoupdate-auth-outage.md
new file mode 100644
index 00000000..5fbfdc79
--- /dev/null
+++ b/docs/post-mortems/2026-06-09-t3-nightly-autoupdate-auth-outage.md
@@ -0,0 +1,186 @@
+# Post-Mortem: t3 Nightly Auto-Update (0.0.25) Migrated `state.sqlite` Forward → mint/pairing Broke for All Devvm Users
+
+## Summary
+
+The devvm t3 auto-updater (`t3-autoupdate.timer`) pulled the `t3@nightly`
+build `0.0.25-nightly.20260608.497`. That build ran two forward schema
+migrations on every per-user `~/.t3/userdata/state.sqlite` (renaming
+`role`→`scopes` in `auth_pairing_links` + `auth_sessions`, adding
+`proof_key_thumbprint`) **and** changed the bootstrap API. The result was a
+binary-vs-schema mismatch that broke `t3-mint` (pairing-credential issuance)
+for **all** users — every fresh login landed on the t3 pairing prompt instead
+of an authenticated session.
+
+## Impact
+
+- **Who:** every devvm t3 user — `wizard` (Viktor), `emo`, `ancamilea`.
+- **What:** `t3 auth pairing create` failed (`AuthControlPlaneError:
+  Failed to create pairing link` → `PersistenceSqlError` on
+  `auth_pairing_links`), so `t3-dispatch` auto-pair returned 500/502 and the
+  browser showed the pairing prompt. Existing *already-authenticated* sessions
+  kept working (validated against `auth_sessions`, not the pairing path).
+- **When:** ~13:56 (bad nightly installed) → ~15:16 (all users verified 302).
+- **Trigger of the report:** Anca could not log in ("gets the pair prompt,
+  session broken").
+
+## Timeline (devvm clock)
+
+- **13:56** — `t3-provision-users` step 5b ran `systemctl enable --now
+  t3-autoupdate.timer`. The timer is `OnCalendar=04:00 … Persistent=true`;
+  `--now` + a missed 04:00 schedule fired the daily job **immediately**.
+- **13:56** — updater installed `t3@nightly` = `0.0.25-nightly.20260608.497`
+  (was `0.0.24`). The `GET / → 200` health-check **passed** (it never
+  exercises mint/bootstrap), so no auto-rollback. It restarted *idle* serves
+  (emo) onto 0.0.25 and deferred *active* ones (wizard, ancamilea).
+- **~14:38** — `t3-mint` (now global 0.0.25) ran migrations 31
+  (`AuthAuthorizationScopes`) + 32 (`AuthPairingProofKeyThumbprint`) against
+  each `state.sqlite` it touched → schemas moved to "level 32".
+- **~14:40** — first recovery action rolled the **binary** back to `0.0.24`.
+  This did **not** help: the DBs were still at level 32, so the level-30
+  binary's INSERT hit `no column named role` / `NOT NULL constraint failed:
+  scopes`. (Downgrading a binary after a forward migration is not a rollback.)
+- **~15:01–15:16** — diagnosed the binary-vs-schema mismatch, confirmed
+  `0.0.25` *stable* is **also** dispatch-incompatible (auto-pair → 502, the
+  bootstrap API moved), pinned to `0.0.24`, reset the two new users' disposable
+  DBs, surgically reverted wizard's two auth tables to level 30. All three
+  users verified 302 + `Set-Cookie: t3_session`.
+
+## Root Cause
+
+Three compounding factors:
+
+1. **Auto-tracking a pre-1.0 tool's nightly.** `t3-autoupdate.sh` ran
+   `npm i -g t3@nightly`. t3 ships breaking schema-migration and bootstrap-API
+   changes between builds; our `t3-dispatch` (Go) speaks a fixed bootstrap
+   contract (`POST /api/auth/bootstrap {"credential":…}` → `Set-Cookie`).
+2. **`enable --now` on a `Persistent=true` timer.** The provisioner's
+   re-assertion of the timer didn't just *arm* the schedule — it fired the
+   missed daily job on the spot, mid-afternoon, with users active.
+3. **A health-check that proves nothing about auth.** The smoke test only
+   probes `GET / → 200`. The 0.0.25 server answers 200 while its pairing/mint
+   path is incompatible, so the "auto-rollback on bad build" never triggered.
+
+Forward migrations + a binary downgrade = a DB the old binary can't write.
+`state.sqlite` also holds the precious projection tables (session history), so
+a blanket "delete and re-pair" was only safe for the brand-new users.
+
+## Detection
+
+User report (Anca on the pairing prompt). No alert fired — the auto-updater's
+own health-check is the only automated gate and it passed. **Gap:** nothing
+monitors the end-to-end pairing flow.
+
+## Fixes & Mitigations
+
+### 1. Pin t3, stop tracking nightly (DONE)
+
+`infra/scripts/t3-autoupdate.sh` is now a **pinned-version enforcer**:
+`T3_PIN="${T3_PIN:-0.0.24}"`, `npm i -g "t3@$T3_PIN"`. It re-asserts the pin
+(a no-op when already correct) instead of chasing nightly. Unit `Description`s
+updated. To move the pin: bump `T3_PIN` **and first** verify `t3-dispatch`'s
+bootstrap flow against the new build (`curl` the dispatch → expect 302 +
+`Set-Cookie: t3_session`).
+
+### 2. Drop `--now` from the provisioner (DONE)
+
+`infra/scripts/t3-provision-users.sh` step 5b now runs `systemctl enable
+t3-autoupdate.timer` (no `--now`) — it arms the 04:00 schedule without firing a
+missed job immediately.
+
+### 3. Pinned install at machine setup (DONE)
+
+`infra/scripts/workstation/setup-devvm.sh` installs `t3@$T3_PIN` directly, so a
+fresh box has the pinned t3 immediately rather than depending on the enforcer's
+first run.
+
+### 4. Recovery actions taken on the host (DONE)
+
+- Global `t3` rolled to `0.0.24`; enforcer redeployed + timer re-enabled
+  (verified the enforcer is a no-op at the pin).
+- New users (`emo` 0 threads, `ancamilea` 1 trivial thread): `state.sqlite`
+  parked aside; serve restarted → fresh level-30 DB.
+- `wizard` (96 threads, and the serve hosting the recovery session — cannot be
+  restarted): the two auth tables were atomically rebuilt to the level-30
+  schema (copied from a fresh DB) and migration records 31/32 removed.
+  `auth_sessions` had 0 rows and the 0.0.24 serve never reads `scopes`, so the
+  live session and all projection history were untouched. Backup:
+  `/home/wizard/.t3/userdata/auth-backup-*.sql`.
+
+### 5. End-to-end pairing health-check (DONE — 2026-06-09 follow-up)
+
+`t3-autoupdate.sh`'s smoke test now exercises the REAL handshake — mint →
+`POST` the credential (trying `browser-session` then `bootstrap`) → require
+`200` + a `t3_session` cookie — not just `GET / → 200`. A build that renames or
+breaks the pairing API now fails the check and **auto-rolls-back**, instead of
+shipping a pairing-broken binary to everyone.
+
+### 6. Version-agnostic dispatch + reversible bumps (DONE — "prepare for 0.0.25")
+
+So the pin can move without another outage:
+- **`t3-dispatch` is now version-agnostic** — `autoPair` tries
+  `/api/auth/browser-session` (0.0.25) and falls back to `/api/auth/bootstrap`
+  (0.0.24), so one binary pairs across the rename and through rolling-restart
+  skew. Covered by `TestAutoPairAcrossVersions`. Investigation confirmed the
+  0.0.25 break was *only* this endpoint rename — the rest of the contract
+  (credential payload, `t3_session` cookie, `/api/auth/session`) is byte-identical.
+- **`~/.t3` state is now backed up** — `t3-backup-state` (daily timer, online
+  `VACUUM INTO`, timeout-guarded) snapshots each user's `state.sqlite` (previously
+  the only copy, unbacked). This turns the one-way forward migration into a
+  *restore*, not sqlite surgery.
+- **Cutover is a checklist** — `docs/runbooks/t3-version-bump.md` (pre-flight
+  verify, pre-bump backup, enforcer install + auto-rollback, verify, restore).
+
+## Lessons
+
+- **Don't auto-track a pre-1.0 tool's nightly.** Pin to a known-good,
+  contract-verified build; upgrades are a deliberate, tested act.
+- **`enable --now` on a `Persistent=true` timer fires the missed job now.**
+  Use plain `enable` to arm a schedule without a surprise immediate run.
+- **A liveness probe (`GET /`) is not a readiness/correctness probe.** If a
+  feature (auth/pairing) can break while `/` stays 200, the health-check must
+  exercise that feature or it gives false confidence.
+- **A binary downgrade is not a schema rollback.** Once a forward migration
+  runs, the data is migrated; the old binary now mismatches its own DB.
+- **Separate disposable state from precious state before resetting.** t3's
+  `state.sqlite` mixes ephemeral auth (`auth_pairing_links`, `auth_sessions`)
+  with precious history (`projection_*`); surgical table-level repair
+  preserved 8k+ messages that a blanket reset would have destroyed.
+
+## References
+
+- `infra/scripts/t3-autoupdate.sh` (gated nightly TRACKER since 2026-06-16; was the pinned enforcer), `.service`, `.timer`
+- `infra/scripts/t3-provision-users.sh` step 5b
+- `infra/scripts/workstation/setup-devvm.sh` step 2b
+- `infra/.claude/reference/service-catalog.md` (t3 serving layer)
+- Backup of wizard's pre-repair auth tables: `/home/wizard/.t3/userdata/auth-backup-*.sql`
+
+## 2026-06-16 update: gated nightly tracking deliberately re-enabled
+
+Viktor chose to **reverse the pin** and auto-track `t3@nightly` again — accepting
+the churn risk — with the explicit requirement "make sure session auth works and
+revert if the fallback/failure rate climbs." The naive nightly tracking that
+caused this incident is now replaced by a GATED tracker that closes every gap the
+root-cause + lessons sections named:
+
+- **Detection gap (was still open)** → the dispatch now logs every pairing
+  outcome (success endpoint + fallback) and the enforcer logs rollbacks/freezes;
+  Loki alerts (`T3PairingBroken`, `T3PairFallbackHigh`, `T3AutoUpdate*`) page on
+  real breakage. The pre-existing `t3-probe` only checks `GET /api/auth/session
+  == 200`, which stays 200 even when pairing is dead — it never caught this class.
+- **"A liveness probe is not a correctness probe"** → the health-check now SEEDS
+  a throwaway serve with a COPY of a real populated `state.sqlite` and runs the
+  forward MIGRATION + real pairing handshake before trusting a build.
+- **"A binary downgrade is not a schema rollback"** → mandatory pre-bump
+  `VACUUM INTO` backup; rollback restores the DB; a canary failure auto-restores
+  + self-freezes.
+- **All-at-once blast radius** → canary rollout (idle instances one at a time,
+  pairing-verified through the dispatch; active-agent sessions deferred, never killed).
+- **`enable --now` / boot-catchup firing a missed bump mid-day** → `Persistent=true`
+  dropped from the timer.
+
+Mechanism + freeze/revert/rollback ops: `docs/runbooks/t3-version-bump.md`.
+First live cutover 2026-06-16: `0.0.26` → `0.0.28-nightly.20260616.571`, gated —
+emo + ancamilea migrated + pairing-verified, wizard deferred (active session).
+The headless `t3 serve` has **no in-app self-updater** (verified: no update-check
+/ npm shell-out in `dist/bin.mjs`), so the npm install is the sole version
+authority; the t3 UI's Stable/Nightly toggle governs the unused **desktop** app.
diff --git a/docs/post-mortems/2026-06-10-authentik-downgrade-boot-storm.md b/docs/post-mortems/2026-06-10-authentik-downgrade-boot-storm.md
new file mode 100644
index 00000000..3d5d8750
--- /dev/null
+++ b/docs/post-mortems/2026-06-10-authentik-downgrade-boot-storm.md
@@ -0,0 +1,76 @@
+# Post-mortem: Authentik downgrade boot storm + shared-PG failover (2026-06-10)
+
+**Impact:** Authentik (and therefore forward-auth for all ~67 `auth="required"`
+ingresses and every OIDC app) degraded/unavailable for ~50 minutes
+(~22:20–23:10 UTC). The auth-proxy basicAuth fallback served Emergency Access
+prompts during outpost-check failures. The shared CNPG primary failed over
+(pg-cluster-2 → pg-cluster-1, 22:40:58 UTC), briefly disturbing every PG-backed
+tenant.
+
+**Trigger:** a routine values-only `tg apply` on `stacks/authentik` (first-time
+signin speedup work — env tuning, outpost config, static-asset ingress).
+
+## Root causes (three stacked)
+
+1. **Helm/Keel version split → silent downgrade.** Keel (namespace
+   `keel.sh/enrolled` + diun annotations) had upgraded the live authentik
+   image to `2026.2.4`, while the Helm release pinned chart `2026.2.2` (whose
+   appVersion drives the image tag). The values-only apply therefore rolled
+   every server/worker pod BACK to `2026.2.2` against a `2026.2.4`-migrated
+   database. Cores never came up healthy (`failed to proxy to backend`, plus
+   Django cross-version serialized-cache warnings), and mid-storm Keel
+   re-upgraded the image, adding a third ReplicaSet to the churn.
+
+2. **Liveness budget too small for authentik's boot.** The chart-default
+   liveness probe (3×10s, 3s timeout) kills a pod ~30s after the go layer
+   passes the startup probe — but during a rolling restart the Python core
+   still waits on authentik's DB **migration advisory lock** (60–120s+ under
+   contention). kubelet kill-looped every booting pod, and each kill increased
+   lock contention for the rest (thundering herd).
+
+3. **Ghost lock holders.** Pods killed mid-migration-check left PgBouncer
+   server connections `idle in transaction` still **holding the migration
+   advisory lock** (observed twice: `SELECT * FROM authentik_version_history`
+   idle 2+ min). Every subsequent boot serialized behind a dead client.
+   PgBouncer had no `idle_transaction_timeout`, so the ghosts never expired.
+
+**Aggravator:** `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE=60` (newly made live) made
+every Django thread hold its connection persistently; with PgBouncer in
+*session* mode each one pins a server connection 1:1, so the restart churn
+saturated all 3×(20+5) pool slots (58s/s client wait observed; authentik held
+75 of 108 connections on the new primary). The shared primary's
+restart/failover at 22:40 fits this storm window.
+
+## Resolution
+
+- Scaled workers to 0 (transient) to free pool capacity; rollout converged
+  once, then re-degraded when workers returned.
+- Emergency `kubectl patch` of the server liveness probe (3×10s/3s →
+  6×10s/5s) — final state codified in Helm values in the same session.
+- `pg_terminate_backend()` on the ghost `idle in transaction` lock holders
+  (twice).
+- Scaled servers to 1 so a single `2026.2.4` pod booted uncontended, then back
+  to 3 — converged cleanly (51s boots, zero restarts).
+- Final `tg apply` reconciled everything (image tag pinned, conn_max_age
+  removed, liveness in values, pgbouncer reaper config).
+
+## Prevention (all landed in this change)
+
+| Cause | Fix |
+|---|---|
+| Helm/Keel version split | `global.image.tag` pinned in `values.yaml` to the Keel-managed live tag, with a comment requiring the pin be refreshed whenever the chart is touched. Long-term: bump the chart pin when Keel moves the image (diun notifies). |
+| Liveness kill loop | `server.livenessProbe` 6×10s / 5s timeout in values (startup probe still bounds total boot at 60×10s). |
+| Ghost advisory-lock holders | `idle_transaction_timeout = 300` in `pgbouncer.ini` + config-checksum annotation so ini changes actually roll pgbouncer pods. |
+| Pool saturation | `CONN_MAX_AGE` removed (per-request connections are ~1–2ms through local PgBouncer; not worth pinning server connections in session mode). values.yaml carries a do-not-set warning. |
+
+## Lessons
+
+- **Check the live image tag against the chart pin before ANY helm-managed
+  apply on a Keel-enrolled namespace.** `kubectl get deploy <x> -o
+  jsonpath='{..image}'` vs the chart's appVersion — a mismatch means the apply
+  is a version change, not a config change.
+- A "stuck rollout" of authentik is usually the migration advisory lock:
+  check `pg_locks` joined to `pg_stat_activity` for `idle in transaction`
+  holders before blaming probes or resources.
+- The auth-proxy basicAuth fallback worked as designed throughout (Emergency
+  Access path); without it every protected app would have hard-failed.
diff --git a/docs/post-mortems/2026-06-10-forgejo-retention-orphaned-indexes.md b/docs/post-mortems/2026-06-10-forgejo-retention-orphaned-indexes.md
new file mode 100644
index 00000000..88378ae5
--- /dev/null
+++ b/docs/post-mortems/2026-06-10-forgejo-retention-orphaned-indexes.md
@@ -0,0 +1,67 @@
+# 2026-06-10 — forgejo retention orphaned OCI index children (kms-website)
+
+## Impact
+
+- `viktor/kms-website:latest` and `:dfc83fb` unpullable (index children
+  HTTP 404). No runtime impact — the deployed tag `:a794d1a` was intact
+  and `imagePullPolicy: IfNotPresent` kept running pods unaffected.
+- `RegistryManifestIntegrityFailure` firing from ~08:30 EEST;
+  `forgejo-integrity-probe` reported 4 failures across 60 indexes.
+
+## Root cause
+
+The `forgejo-cleanup` retention CronJob (live since 2026-06-09, first
+deleting run 2026-06-10 04:00) computes its keep-set over package
+**versions**: newest `KEEP_LAST_N=10` + tag `latest` + `*cache*` tags.
+Forgejo's container registry stores multi-arch / buildx-attestation
+**index children as separate untagged sha256 versions**. For images not
+rebuilt recently, those children sort *older* than the newest-10 window
+and were deleted while their parent index (a kept tag) survived →
+orphaned indexes, children 404.
+
+The 2026-06-09 go-live verification ("0 running images on the delete
+set") checked running **pods** against the delete list — it could not
+see index→child references, so the corruption class passed review.
+
+Detection worked as designed: `forgejo-integrity-probe` (15-min catalog
+walk + manifest HEAD) caught it the same morning. Two probe-run quirks
+slowed diagnosis: runs occasionally die at startup (`apk add` during
+transient DNS blips at cron ticks, `set -eu`), so the alert's
+active-since (08:29:52) lagged the 04:00 corruption.
+
+## Fix applied (2026-06-10)
+
+1. `forgejo_cleanup_dry_run = true` (stacks/forgejo/cleanup.tf, applied)
+   — retention logs but deletes nothing until the keep-set is
+   container-aware.
+2. `:latest` re-pointed at the intact `:a794d1a` index (registry
+   manifest PUT — `a794d1a` is also the newest commit of the repo, so
+   content is correct).
+3. Corrupt, obsolete `:dfc83fb` package version deleted.
+4. Probe re-run: **0 failures across 22 repos / 63 tags / 59 indexes**.
+
+## Follow-up (required before re-enabling deletes)
+
+Pick one:
+- (a) keep-set expansion: for every kept tagged version, resolve the
+  manifest via the registry API; if it is an index, add all child
+  digests to the keep set;
+- (b) never delete untagged sha256 versions (simpler, but untagged
+  garbage accumulates and the PVC pressure that motivated retention
+  returns — registry PVC sits at its 50Gi ceiling on the HDD,
+  see beads code-oflt);
+- (c) replace the custom script with Forgejo's native per-owner package
+  cleanup rules, which are container-aware.
+
+Also worth probing beyond `TAGS_PER_REPO=5`: older tags of any
+multi-arch image may already be orphaned (only newest-5 per repo are
+verified). Harmless until someone pulls an old tag.
+
+## Lessons
+
+- "No running pod uses it" is not a safe deletion predicate for OCI
+  artifacts — reference graphs (index → child manifests) must be
+  resolved at the registry level.
+- A `set -eu` probe whose first statement is a network package install
+  conflates "registry broken" with "apk blip"; pre-bake the image or
+  tolerate install retries.
diff --git a/docs/post-mortems/2026-06-10-tuya-bridge-forgejo-pull-hairpin.md b/docs/post-mortems/2026-06-10-tuya-bridge-forgejo-pull-hairpin.md
new file mode 100644
index 00000000..a9cd8c96
--- /dev/null
+++ b/docs/post-mortems/2026-06-10-tuya-bridge-forgejo-pull-hairpin.md
@@ -0,0 +1,176 @@
+# 2026-06-10 — tuya-bridge down 7.5h: forgejo image pulls ride the public-IP hairpin
+
+## Impact
+
+- `tuya-bridge` (Flask/tinytuya bridge feeding HA-Sofia's ATS, fuse-main,
+  fuse-garage and 4 thermostat REST sensors) unavailable ~02:15–09:50 EEST.
+  HA REST sensors 503'd; the official-tuya integration devices were
+  unaffected (hybrid architecture limited the blast radius to the 3 power
+  devices' advanced telemetry + thermostats extras).
+- Third incident from the same root cause class:
+  Woodpecker buildkit pushes (2026-06-04, code-yh33), tripit
+  ImagePullBackOff on node2/node3 + devvm git timeouts (2026-06-09),
+  tuya-bridge (this one).
+
+## Timeline (EEST)
+
+- **02:15** — tuya-bridge pod rescheduled onto `k8s-node3` (its previous
+  node5/6-era home was rebuilt 14d ago; the forgejo-path image was never
+  cached on node3 — only stale `docker.io/*` copies). Kubelet must pull
+  `forgejo.viktorbarzin.me/viktor/tuya_bridge:3216c87a`.
+- **02:15→09:30** — 51 consecutive pull failures:
+  `dial tcp 176.12.22.76:443: i/o timeout` → ImagePullBackOff. HA shows
+  503s (emo observed at 02:20).
+- **09:40** — investigation: forgejo healthy via internal Traefik
+  (`10.0.20.203`), manifest exists; node3's hosts.toml mirror present and
+  correct; bare-IP request to the mirror returns **404 from Traefik**;
+  registry auth realm is the **absolute** public URL.
+- **09:48** — `/etc/hosts` pin `10.0.20.203 forgejo.viktorbarzin.me` added
+  on node3; `crictl pull` succeeds immediately; pod replaced → Running;
+  `/health` ok; all 27 device `getstatus()` calls succeed; all 7
+  `*_tuya_cloud_up` Prometheus gauges = 1.
+- **10:05** — pin rolled to all 7 nodes; provisioning scripts + docs updated.
+
+## Root cause
+
+Fresh kubelet pulls of `forgejo.viktorbarzin.me` images depend on pfSense
+NAT reflection of the public IP `176.12.22.76`, which is intermittently
+broken from the `10.0.20.0/24` network. The containerd
+`certs.d/.../hosts.toml` mirror that was *believed* to keep pulls internal
+cannot do so, for two independent reasons:
+
+1. **Traefik routes by Host/SNI.** The mirror entry
+   `[host."https://10.0.20.203"]` makes containerd dial the bare IP (no
+   SNI, `Host: 10.0.20.203`) — no Traefik router matches → **404** → con-
+   tainerd treats the mirror as a miss and falls back to
+   `server = "https://forgejo.viktorbarzin.me"` → public DNS → hairpin.
+2. **The Bearer auth realm is absolute.** `/v2/` challenges with
+   `realm="https://forgejo.viktorbarzin.me/v2/token"`; containerd fetches
+   that URL verbatim — this leg never goes through the mirror at all.
+
+So every fresh pull silently depended on hairpin luck. Cached images masked
+the problem; it only fired when a pod landed on a node without the image
+(node rebuilds, new nodes, evictions, new tags).
+
+Why DNS-side fixes don't reach this path: nodes resolve via systemd-resolved
+→ pfSense (10.0.20.1) + public fallback (94.140.14.14), so Technitium
+split-horizon (scoped to `192.168.1.0/24` clients) never applies; the
+CoreDNS forgejo rewrite (2026-06-04) covers pods only, not kubelet.
+
+## Fix
+
+**Initial mitigation (same morning):** `/etc/hosts` pin
+`10.0.20.203 forgejo.viktorbarzin.me` on every node — restored service
+immediately (resolve + token + blob legs all internal with correct SNI).
+
+**Superseded same day (Viktor: "no hardcoded IPs in nodes") by a DNS-based
+fix.** Discovery: Technitium's split-horizon zone *already* resolves
+`forgejo.viktorbarzin.me → CNAME viktorbarzin.me → A <live Traefik IP>` —
+the `technitium-ingress-dns-sync` CronJob auto-CNAMEs every ingress host
+hourly, the apex A record tracks the live Traefik LB IP, and the
+`viktorbarzin-apex-probe` canary alerts on drift. The nodes simply never
+queried Technitium (resolv chain: pfSense + public AdGuard fallback). The
+devvm already solved this with a systemd-resolved **routing domain**
+drop-in; the same was rolled to all 7 nodes:
+
+```
+# /etc/systemd/resolved.conf.d/viktorbarzin.conf
+[Resolve]
+DNS=10.0.20.201
+Domains=~viktorbarzin.me
+```
+
+The `/etc/hosts` pins were then removed (verified `getent` still returns
+the Traefik IP via DNS, and `crictl pull` succeeds). On node5/6 the
+cloud-init `global-dns.conf` (`DNS=8.8.8.8 1.1.1.1`) was demoted to
+`FallbackDNS=` only — public servers in the global set merge with and
+race the routing domain. That file's original justification ("Technitium
+NXDOMAINs forgejo.viktorbarzin.me") was obsolete: the ingress-dns-sync
+has since added forgejo to the zone — a stale comment that actively
+pointed new nodes at the hairpin.
+
+**Final architecture (same day, round 3 — Viktor: "no customization,
+everything handled by the DNS infra"):** the routing-domain drop-ins were
+ALSO removed; nodes are now completely stock. Two resolver-side changes
+replaced them:
+
+1. **pfSense Unbound domain override** `viktorbarzin.me → 10.0.20.201`
+   (forward-zone to Technitium). Every Unbound client on every VLAN gets
+   the internal split-horizon answers with zero per-host config. No
+   DNSSEC complications (zone unsigned), private-IP answers pass, mail's
+   non-Traefik record (`→ 10.0.20.1`) verified working. Runbook:
+   `docs/runbooks/pfsense-unbound.md`; on-box backup
+   `config.xml.bak-2026-06-10-pre-me-forward`.
+2. **CoreDNS pod carve-out** (TF, `stacks/technitium`): a dedicated
+   `viktorbarzin.me:53` server block pins forgejo to Traefik's
+   **ClusterIP** (interpolated from the live Service — pods cannot reach
+   the ETP=Local LB IP that pfSense now returns) and forwards all other
+   `.me` names to `8.8.8.8/1.1.1.1`, preserving pods' pre-existing
+   public-IP behavior. Replaces the old forgejo rewrite in `.:53`.
+
+   **Addendum (same day, evening):** the "pods cannot reach the
+   ETP=Local LB IP" premise was re-tested and is FALSE on k8s 1.34
+   (kube-proxy short-circuits in-cluster traffic to LB IPs via the
+   cluster path; verified from pods on three non-Traefik nodes). The
+   public-answer carve-out had meanwhile left pods as the only client
+   class still riding the TP-Link NAT loopback, which hard-died
+   2026-06-09 — 27 non-proxied `[External]` uptime-kuma monitors dark.
+   Fix: the block now forwards to the Technitium ClusterIP
+   (`10.96.0.53`) — pods are ordinary internal clients; forgejo pin
+   kept for Technitium-outage resilience. In-cluster `[External]`
+   monitors now test the internal path for all names; genuine
+   edge-path fidelity belongs to a true external vantage (ha-london).
+
+node5/6 were also re-pointed from link-DNS=Technitium to
+`10.0.20.1 94.140.14.14` (netplan + `qm set --nameserver` on PVE VMs
+205/206) for fleet parity, and their `global-dns.conf` was deleted.
+
+**Renumber hazard: resolved.** A future Traefik LB renumber propagates
+via the apex A record automatically (drift probe alerts if it doesn't);
+only the vestigial hosts.toml literal goes stale. **Trade-offs:**
+`viktorbarzin.me` resolution via pfSense depends on in-cluster Technitium
+(3 replicas) — SERVFAIL during a full cluster outage (services down
+anyway; bootstrap images pull via the IP-addressed `10.0.20.10` mirrors).
+Nodes keep `94.140.14.14` as secondary DNS: a resolved failover during a
+pfSense blip briefly re-exposes public answers — rare, self-healing,
+accepted.
+
+## Verification (final architecture)
+
+- All 7 nodes stock (no pins, no drop-ins); `getent hosts
+  forgejo.viktorbarzin.me` → `10.0.20.203` via pfSense → Technitium;
+  general resolution intact; `crictl pull` succeeds end-to-end.
+- pfSense: forgejo/immich/vault → apex CNAME → `.203`; mail →
+  `10.0.20.1` (`:993` verified); `google.com` public; `.lan` auth-zone
+  unaffected.
+- Pods: forgejo → `10.111.111.95` (Traefik ClusterIP),
+  immich → `176.12.22.76` (public, status quo) — verified in-pod after
+  CoreDNS reload.
+- tuya-bridge pod Running; `/health` `ok=true`; 27/27 devices
+  `success=true`; 7/7 `*_tuya_cloud_up` gauges = 1; no tuya-related alerts.
+
+## Lessons
+
+- A mirror that *can* fall back to a broken path is not a fix — it's a
+  latency bomb with the blast delayed until the cache misses.
+- Registry token realms are absolute URLs: any "redirect the registry"
+  scheme must also redirect the *name*, not just the endpoint.
+- Before inventing a redirect mechanism, check what the DNS authority
+  already serves: the Technitium split-horizon zone had the correct,
+  auto-maintained answer all along — the clients just weren't asking it.
+- Stale config comments are load-bearing: the obsolete "Technitium
+  NXDOMAINs forgejo" comment in cloud-init steered new nodes onto public
+  DNS, recreating the hairpin exposure on every node added after it.
+- All `10.0.x` legs are now DNS-routed (nodes + devvm via routing domain,
+  pods via CoreDNS rewrite). pfSense Unbound host overrides remain an
+  option for other LAN segments if a non-Technitium client ever needs
+  internal answers (live network device — deliberate, separate change).
+
+## Related
+
+- Beads `code-2or8` (Tuya Cloud subscription) — verified resolved during
+  this incident: subscription is active again, all gauges green; closed.
+- 2026-06-09 tripit ImagePullBackOff — same cause, self-recovered when the
+  hairpin flapped back; the two `ScrapeTargetDown[tripit]` alerts firing
+  during this investigation were scrapes of *Completed* cronjob pod
+  endpoints (separate monitoring wart, not this outage).
diff --git a/docs/post-mortems/2026-06-11-devvm-qemu-io-stall.md b/docs/post-mortems/2026-06-11-devvm-qemu-io-stall.md
new file mode 100644
index 00000000..d62ed5ff
--- /dev/null
+++ b/docs/post-mortems/2026-06-11-devvm-qemu-io-stall.md
@@ -0,0 +1,116 @@
+# 2026-06-11 — devvm dead ~90 min: QEMU-internal I/O stall on the legacy LSI disk path
+
+## Impact
+
+- devvm (VM 102, the shared multi-user Claude Code workstation) effectively
+  dead 15:21–16:48 UTC (18:21–19:48 EEST): all ssh/tmux and t3 sessions for
+  wizard/emo/anca lost, every in-flight agent killed.
+- Detection was human (~90 min) — no `up{instance="devvm"} == 0` alert
+  exists (follow-up below).
+- Recovery was manual: kill of the wedged QEMU process + `qm start` (the
+  kill left no autopsy — see "What we could not prove").
+
+## Timeline (UTC; host journal runs EEST = UTC+3)
+
+- **15:01** — hourly `apply-mbps-caps` run live-rewrites VM 102's scsi0
+  throttle via `qm set` (as it had done every hour for weeks — see Root
+  cause #4).
+- **15:18–15:20** — guest healthy by every metric: CPU 7–16% of 16 vCPUs,
+  load 1.4, 17 GiB MemAvailable, swap flat at 2.0 GiB, host `sdc` 2–8%
+  utilized. Heavy claude/bwrap sandbox activity (normal workload).
+- **15:19:08** — last journal line the guest ever writes (mid normal
+  traffic, zero kernel distress — not even a hung-task warning).
+- **15:21** — host RRD (pvestatd polling QEMU over QMP once a minute) shows
+  `diskwrite` drop to **exactly 0 and stay 0 for 87 minutes** — not even
+  journal flushes. netout collapses 380K→7K/s. **QEMU keeps answering QMP
+  the whole time** — the process and its main loop are alive; only the
+  block path is dead.
+- **15:21→15:39** — guest CPU (host's view) ramps 11% → ~50% and plateaus:
+  processes progressively piling up behind dead storage (dirty-page
+  writeback stuck → direct reclaim spins). Classic starvation cascade, not
+  a panic (a panic halts or spins flat from t=0).
+- **16:47:42** — QMP socket resets: the wedged QEMU is killed out-of-band
+  (root shell; no PVE task, no snoopy line — shell-builtin `kill`).
+- **16:48:31** — `qmstart` task; guest boots clean on kernel 6.8.0-124
+  (wedged boot ran 6.8.0-117).
+
+## Ruled out (evidence, not vibes)
+
+- **Guest CPU/memory/swap pressure** — healthy at last scrape (Prometheus)
+  and per-minute host RRD.
+- **Host storage** — `pve` thin pool 68% data / 15.5% meta; zero kernel
+  I/O errors on the host all day; `sdc` quiet through the window.
+- **Host-side kill/OOM** — no OOM-killer lines, no segfault, no QEMU crash
+  log; 113 of 114 monitored targets stayed up. Only the devvm died.
+- **Guest kernel panic** — would not keep QMP-visible blockstats frozen at
+  0 while netout ACKs trickle; and the guest kernel logged nothing.
+
+## Root cause
+
+**Class pinned, exact line unprovable** (see below): the devvm's disk I/O
+stalled *inside the QEMU process* — below the guest kernel (all guest I/O
+froze simultaneously with nothing logged) and above host storage (host
+clean, neighbors fine, QEMU main loop responsive). Contributing stack,
+unique to this VM:
+
+1. **`scsihw: lsi`** — the emulated LSI 53C895A (1997 chip, QEMU's legacy
+   default for OSes without virtio drivers). The devvm was the **only VM
+   on the host** running its disk through this path; every healthy
+   neighbor uses `virtio-scsi-pci`. The LSI model is documented as
+   hang-prone under intensive I/O.
+2. **No `iothread`** — all disk emulation ran on QEMU's single main event
+   loop, sharing it with timers and QMP.
+3. **QEMU-level mbps throttle (60/60)** — a token bucket inside QEMU whose
+   queued I/O completes only when its re-arm timer fires.
+4. **Hourly live throttle rewrites** — `apply-mbps-caps.sh`'s idempotency
+   check compared raw config strings, but `qm config` prints keys in its
+   own canonical order, so the check **never matched** and the script
+   re-issued `qm set` (→ live QMP `block_set_io_throttle` against the
+   running QEMU) every hour, 24×/day, for weeks — each poke a chance to
+   race the throttle machinery while queued I/O is in flight. The wedge
+   came 20 min after the 15:01 poke.
+
+## What we could not prove
+
+Whether the stuck queue was the LSI device model, the throttle-group
+timer, or their interaction. The discriminating evidence (QMP
+`query-block`, a stack trace of the QEMU process) existed in RAM at 16:47
+and was destroyed by the recovery kill. If a wedge recurs **autopsy before
+shooting**: `qm guest exec` will fail but `qm monitor`/QMP `query-block`,
+`query-status`, and `gdb -p <pid> -batch -ex 'thread apply all bt'` on the
+kvm process pin it to the line.
+
+## Fixes
+
+| Status | Fix |
+|---|---|
+| shipped (this commit) | `apply-mbps-caps.sh` compares **normalized option sets** — hourly runs are now true no-ops; running VMs' throttle state is no longer rewritten 24×/day. Verified: reordered-key configs compare equal, real drift still triggers `qm set`, post-restart iothread configs compare equal. |
+| staged, awaiting Viktor's cold stop→start | VM 102: `scsihw: virtio-scsi-single` + `scsi0 …,iothread=1,aio=threads` — replaces the LSI path with the paravirt controller all healthy VMs use, moves disk emulation off the main loop, swaps io_uring for boring thread-pool AIO. Guest pre-flight passed (`CONFIG_SCSI_VIRTIO=y` built-in; fstab on LVM dm-uuid/UUID). Must be a **full stop→start** — a guest reboot reuses the old QEMU process. |
+
+## Open follow-ups (discussed 2026-06-11, not yet built)
+
+- `DevvmDown` alert (`up{job="devvm"} == 0 for 3m` → Slack) — closes the
+  90-min detection gap.
+- Freeze forensics: netconsole → pve listener, serial console,
+  `kernel.panic=60`, and a capture-before-kill runbook (above) so any
+  recurrence is pinned, not mourned.
+- The recurring *crawl* class (agent storms → swap-thrash; journald
+  watchdog-killed 3× on 2026-06-10) is a separate failure mode —
+  ssh/tmux sessions remain memory-uncontained by explicit decision
+  (swap-only, 2026-06-10).
+
+## Lessons
+
+- **A VM can die of QEMU-userspace causes that no guest or host kernel log
+  will ever show.** The host's per-VM RRD (pvestatd's QMP polls) is the
+  only witness — `diskwrite=0` with a live QMP socket is the signature.
+- **"Idempotent" reconcilers must prove idempotency against the system's
+  canonical output format**, not against the string they themselves
+  constructed. A compare that never matches turns a safety net into a
+  24×/day fault injector — and its own journal said `updating scsi0`
+  every hour, in plain sight, for weeks.
+- The May-26 mbps caps fixed the sdc-saturation freeze class and
+  introduced this one's trigger surface. Layered mitigations fail in
+  layers — audit what a fix *adds*, not only what it removes.
+- pve host logs are **EEST (UTC+3)**; guest logs are UTC. Every
+  cross-machine correlation in this incident initially looked 3h off.
diff --git a/docs/post-mortems/2026-06-22-devvm-mem-io-overload-containment.md b/docs/post-mortems/2026-06-22-devvm-mem-io-overload-containment.md
new file mode 100644
index 00000000..664869fa
--- /dev/null
+++ b/docs/post-mortems/2026-06-22-devvm-mem-io-overload-containment.md
@@ -0,0 +1,131 @@
+# 2026-06-22 — devvm memory/IO overload: per-user containment + OOM backstop
+
+## Impact
+
+- devvm (VM 102, the shared multi-user Claude Code workstation) became
+  unresponsive under combined memory + IO pressure and had to be **hard-killed +
+  rebooted** by the admin on 2026-06-22 (morning). All ssh/tmux + t3 sessions for
+  wizard/emo/anca lost, in-flight agents killed.
+- Signature on the last htop before the kill: **load avg ~60** on 32 vCPU, **RAM
+  22.5/23.5G**, **swap 13.9/14.0G (full)**, a wall of **D-state** (uninterruptible
+  IO-wait) processes, and a single `ugrep` in emo's tmux holding **~10G RES /
+  64% CPU**. Many `claude --effort max/xhigh` sessions + playwright-chrome MCP
+  instances across three users on top.
+
+## This is the "crawl" class, not the QEMU-stall class
+
+The 2026-06-11 post-mortem (`2026-06-11-devvm-qemu-io-stall.md`) fixed a
+*different* failure mode — a QEMU-userspace block-path wedge on the legacy LSI
+controller. That fix shipped (verified 2026-06-22: the guest now boots on
+`virtio_scsi`, `scsihw: virtio-scsi-single + iothread`). Its post-mortem
+explicitly deferred **this** class:
+
+> The recurring *crawl* class (agent storms → swap-thrash; journald
+> watchdog-killed 3× on 2026-06-10) is a separate failure mode — ssh/tmux
+> sessions remain memory-uncontained by **explicit decision (swap-only,
+> 2026-06-10)**.
+
+That explicit decision is the root cause closed here.
+
+## Root cause
+
+Work on the devvm lives in **two independent cgroup-v2 trees per user**, and only
+one was capped:
+
+| Tree | cgroup | Cap before today |
+|---|---|---|
+| t3 web sessions | `system.slice/system-t3\x2dserve.slice/t3-serve@<user>` | `MemoryHigh=12G MemoryMax=16G MemorySwapMax=0 OOMPolicy=continue` ✓ |
+| **ssh/tmux sessions** | `user.slice/user-<uid>.slice` | **`MemoryMax=infinity`, swap unlimited** ✗ |
+
+The uncapped `user-<uid>.slice` was the hole. A runaway there (the 10G `ugrep`;
+stacked max-effort agents) grew unbounded, spilled into the **14G disk swap**, and
+swap-thrashed the **host-mbps-throttled (60/60 MB/s) virtual disk**. That is the
+overload chain:
+
+```
+uncapped tmux growth → disk-swap thrash on a throttled spindle
+   → IO storm (D-state pileup) → load ~60 → box unresponsive → hard kill
+```
+
+i.e. **memory pressure becomes the IO storm**. There was also **no global OOM
+backstop** (no systemd-oomd / earlyoom) to shed the worst offender before the
+kernel OOM or the thrash-wedge. And even the existing t3 caps don't sum safely
+(3 users × 16G = 48G > 32G RAM) — nothing reasoned about the *whole box*.
+
+## Fix (`setup-devvm.sh` §10, applied live 2026-06-22)
+
+Design decisions (interviewed with the admin via `/grill-me`): **soft-generous
+per-user caps + a hard ceiling + a kill-the-worst backstop**, maximising
+single-user utilisation while making a box-wide wedge impossible. (The backstop
+was first built on systemd-oomd, then switched to earlyoom mid-rollout when oomd
+proved inert with `swap=0` — see Verification + Lessons.)
+
+| Layer | What |
+|---|---|
+| **Per-user caps, BOTH trees** | `user-.slice.d` drop-in gives every `user-<uid>.slice` the same `MemoryHigh=12G / MemoryMax=16G / MemorySwapMax=0` the t3 tree already had. A user is now bounded in whichever surface they work in. |
+| **No disk swap for work** | `MemorySwapMax=0` on every work cgroup → a spike OOMs **locally** at the ceiling instead of thrashing the throttled disk. Kills the IO-storm-via-swap mechanism at the source. The 14G swapfile stays for system cold pages only. |
+| **earlyoom backstop (free-RAM threshold)** | New package — used **instead of systemd-oomd** (which is inert with `swap=0`; see Lessons). Watches `MemAvailable%` and SIGTERMs the biggest task at **5%**, SIGKILL at **3%**, swap ignored (`-s 100`). `--avoid` keeps sshd/systemd/dockerd/containerd/t3-dispatch/tmux off the victim list (**the admin's way in always survives**); `--prefer` targets the agent/browser hogs (python3/node/chrome/…). Swap-independent and reliable, where oomd's pressure-kill was not. |
+| **Fair-share CPU/IO** | `CPUWeight`/`IOWeight` per slice (system.slice 200, users + docker 100 each). Work-conserving — a lone user still gets all 32 cores + the full IO budget when others idle; weights only bite under contention. No hard CPU/IO caps. |
+| **Docker containment** | Containers previously landed in `system.slice` — uncapped. Now `cgroup-parent: docker.slice` in `daemon.json` routes every container into a capped (`MemoryMax=8G`, swap 0) slice, so a runaway container is cgroup-OOM'd locally instead of escaping into the uncapped `system.slice`. |
+
+Durable in `setup-devvm.sh` (survives a VM rebuild); `earlyoom` added to
+`packages.txt`. The numbers are tunable — `MemoryHigh=12G` will throttle a *lone*
+heavy user between 12–16G even with RAM free; bump to 16/20 if that bites.
+
+## Verification (live, 2026-06-22)
+
+- **Caps live on running cgroups**: all three `user-<uid>.slice` report
+  `memory.high=12G memory.max=16G memory.swap.max=0`; `docker.slice` `memory.max=8G`;
+  daemon.json kept buildkit/nvidia/insecure-registries; paperless-mcp recovered
+  under `docker.slice`.
+- **Stress test A (hard cap)** — the PRIMARY guard: a 2G-capped, swap=0 balloon was
+  killed at exactly 2G by the cgroup-local OOM (`constraint=CONSTRAINT_MEMCG`) with
+  **swap flat at 0MB throughout** — no thrash. Same mechanism protects every user
+  slice (16G) and `docker.slice` (8G).
+- **Soft cap observed**: a balloon pushed past `MemoryHigh` sat at ~220M / 99%
+  memory.pressure, throttled to a crawl, making no progress and harming nothing —
+  a runaway is throttled, not just killed.
+- **systemd-oomd disproven, then dropped**: a self-policed balloon held
+  `memory.pressure full avg10 = 96–99%` (≫ its 20% limit) for >70s but oomd never
+  killed it — `Pgscan: 0`. oomd's pressure-kill only acts on cgroups doing active
+  reclaim, which a `swap=0` anon workload never does. oomd was purged.
+- **earlyoom backstop** — verified via `--dryrun`: at the threshold it logs
+  `low memory! … mem 90% swap 100%` (fires on RAM alone, swap ignored) and selects
+  `SIGTERM … "chrome"` (a `--prefer` hog), never an `--avoid`'d daemon. Live
+  earlyoom v1.7 confirms `SIGTERM mem<=5% / SIGKILL mem<=3%, swap<=100%`.
+
+## Out of scope / follow-ups
+
+- **Alerting** (tracked, fast-follow bead): `DevvmDown` (closes the 90-min
+  detection gap the 2026-06-11 PM flagged), sustained-memory-PSI/swap pressure
+  early-warning, and an "earlyoom-killed-something" alert (earlyoom logs each kill;
+  `-N /script` can push a metric). devvm node-exporter is already scraped
+  (`job=devvm`, `10.0.10.10:9100`), so only alert *rules* are new (a
+  monitoring-stack Terraform change).
+- **zram cushion**: considered, deferred. Could let work cgroups absorb spikes in
+  compressed RAM instead of OOMing at the ceiling; not needed for the wedge fix.
+- **Per-user docker isolation**: containers share one `docker.slice` budget, not
+  per-user. Fine for current usage (krr + short-lived tools).
+- **Host-side IO**: the 60/60 mbps cap + the shared `sdc` HDD IO domain are
+  host-level (bead `code-oflt`); unchanged here.
+
+## Lessons
+
+- **"Swap as the safety valve" is an IO-storm amplifier on a throttled disk.**
+  Leaving ssh/tmux memory-uncontained (the 2026-06-10 decision) traded a clean
+  local OOM for a box-wide swap-thrash wedge. `MemorySwapMax=0` + a hard cap turns
+  the failure back into a contained, local kill.
+- **Cap the box, not one surface.** t3 sessions were capped for months while the
+  same user's tmux was unbounded — and the caps that existed didn't sum to < RAM.
+  Containment has to reason about every tree and the aggregate.
+- **A backstop must protect the operator's way in.** earlyoom `--avoid`s
+  sshd/systemd/dockerd/containerd/t3-dispatch/tmux, so the box always stays
+  reachable to recover; only the agent/browser hogs are eligible victims.
+- **systemd-oomd is the wrong backstop for a no-swap box — verify, don't assume.**
+  oomd's memory-pressure killer only fires on cgroups doing active reclaim
+  (`pgscan` rising). With `MemorySwapMax=0` + anonymous memory there is nothing to
+  reclaim, so a cgroup sat at 99% `memory.pressure` indefinitely and oomd never
+  acted (proven with `oomctl` + a balloon). The very `swap=0` that kills the IO
+  storm also neuters oomd. earlyoom (free-RAM threshold, swap-independent) is the
+  correct pairing. A famous tool that "does OOM" still has to be proven to fire
+  under *your* configuration.
diff --git a/docs/post-mortems/2026-06-24-kubeadm-oidc-drift-apiserver-upgrade-stall.md b/docs/post-mortems/2026-06-24-kubeadm-oidc-drift-apiserver-upgrade-stall.md
new file mode 100644
index 00000000..e6b11816
--- /dev/null
+++ b/docs/post-mortems/2026-06-24-kubeadm-oidc-drift-apiserver-upgrade-stall.md
@@ -0,0 +1,97 @@
+# Post-mortem: k8s 1.34→1.35 upgrade stalled — etcd IO starvation (2026-06-24)
+
+> Filename kept for inbound links. The originally-suspected cause (kubeadm-config
+> OIDC drift) turned out **not** to be the crash — see "Correction" below. The OIDC
+> drift was a real *separate* latent bug fixed in the same change.
+
+**Impact:** The autonomous k8s-version-upgrade chain (23:00 UTC nightly) reached
+the master control-plane phase for the first time — preflight passed, etcd
+snapshot taken, master cordoned + drained, etcd upgraded 3.6.5→3.6.6 — then the
+kube-apiserver upgrade to v1.35.6 **crash-looped**. kubeadm waited its 5-minute
+static-pod-hash window across all internal retries, then auto-rolled-back to
+v1.34.9. The cluster stayed healthy on 1.34.9 (apiserver, all 7 nodes Ready), but
+the run left **k8s-master cordoned** and the chain **wedged on `in_flight=1`**.
+No data loss; no user-facing outage (the master carries control-plane taints, so
+no workloads were displaced).
+
+**Trigger:** the first *minor* upgrade the chain ever attempted (1.34→1.35) — the
+first time kubeadm upgrades etcd (3.6.5→3.6.6) and regenerates the control-plane
+static pods, i.e. the first time the upgrade pushes real write-IO at etcd.
+
+## Root cause — etcd IO starvation on the shared HDD
+
+The new kube-apiserver could not establish/keep a working connection to etcd
+during the upgrade because **etcd was IO-starved**. etcd's surviving container log
+from the crash window (`/var/log/pods/.../etcd/0.log`, 23:04–23:20 UTC) shows:
+
+- **1,180** `apply request took too long` warnings in 16 minutes;
+- individual applies of **4.3s / 2.9s / 2.7s / 1.8s** (healthy is <100ms),
+  clustered at **23:18:51 UTC** — exactly when kubeadm's final attempt was trying
+  to bring the new apiserver up.
+
+A reproduced 1.35.6 apiserver with no etcd dies with
+`F instance.go:233 Error creating leases: error creating storage factory: context
+deadline exceeded` — the same failure mode a multi-second etcd produces. etcd
+lives on the contended `sdc` HDD (**beads code-oflt**: "etcd/critical VM disks on
+shared sdc HDD — recurring IO-storm root cause"). The upgrade itself piled IO onto
+that spindle:
+
+1. etcd's own upgrade-restart + WAL/db re-read (it restarted ~23:04, re-elected);
+2. kubeadm dumping a full **~400MB etcd DB backup** to
+   `/etc/kubernetes/tmp/kubeadm-backup-etcd-<ts>/` (on the same HDD) before the
+   etcd upgrade — and **145 of these had accumulated to 28GB** (kubeadm never
+   cleans them up), pushing master root fs to **73%**, above the 70% kubelet
+   image-GC threshold, so image GC churned during the drain too;
+3. master-drain pod evictions.
+
+### Correction — it was NOT the OIDC flag swap
+
+`kubeadm upgrade diff v1.35.6` showed the regenerated manifest also swaps
+`--authentication-config` (structured multi-issuer OIDC) back to legacy
+single-issuer `--oidc-*` flags (kubeadm-config drift, see secondary finding). That
+was the *first* hypothesis — but an isolated repro of the 1.35.6 apiserver with
+those exact `--oidc-*` flags **and authentik reachable** initialised OIDC cleanly
+(`oidc.go:313`, no error) and ran fine until it hit the (deliberately dead) test
+etcd. So the auth swap does **not** crash the apiserver; it was a red herring for
+the crash. Image pull (all v1.35.6 images pre-pulled), OOM (none), and disk-full
+were also ruled out.
+
+## Secondary finding (real, fixed separately) — kubeadm-config OIDC drift
+
+apiserver auth is configured in three places that must agree:
+(1) `/etc/kubernetes/pki/auth-config.yaml` (structured, two issuers: `kubernetes`
++ `k8s-dashboard`, added 2026-06-19); (2) the live static-pod manifest
+(`--authentication-config`); (3) the kubeadm-config `ClusterConfiguration` CM —
+which still carried the legacy `--oidc-*` extraArgs. `kubeadm upgrade` regenerates
+the manifest from (3), so it would have reverted structured auth → **dashboard +
+kubectl SSO break after a successful upgrade** (recoverable: the chain's
+post-master `restore.sh` re-adds the flag). This is a real bug, just not the crash.
+
+## Resolution
+
+1. **Reclaimed the 28GB kubeadm scratch** on master (`/etc/kubernetes/tmp/kubeadm-backup-*`) — root fs 73% → 23%.
+2. **Reconciled kubeadm-config live** (zero cluster impact — CM only read at upgrade time): dropped `--oidc-*`, added `--authentication-config` via `kubeadm init phase upload-config kubeadm`. `kubeadm upgrade diff` then shows only the control-plane image bumps.
+3. **Recovered:** uncordoned k8s-master, cleared the stuck `in_flight` gauge + annotation, deleted last night's Complete/Failed `1-35-6` phase jobs (a Complete preflight would otherwise make the detector idempotent-skip the re-run).
+
+## Prevention (landed in this change)
+
+| Gap | Fix |
+|-----|-----|
+| kubeadm leaks ~400MB etcd-DB backups into `/etc/kubernetes/tmp` forever (→ disk fills, image-GC churn, write-IO on etcd's spindle) | **`upgrade-step.sh` preflight now prunes** `/etc/kubernetes/tmp/kubeadm-backup-*` + `kubeadm-upgraded-manifests*` older than 3 days on master, every run. Best-effort, never aborts. |
+| kubeadm-config drift would silently break SSO after an upgrade | `apiserver-oidc.tf`'s remote script now **also reconciles kubeadm-config** (`kubeadm init phase upload-config`), delivered via the `apiserver-oidc-restore` ConfigMap the chain re-runs (CI needs no ssh) or a local `-replace` apply. Preflight **alerts** (not blocks — SSO drift is recoverable) if `kubeadm upgrade diff` would still drop `--authentication-config`. |
+| etcd on the contended `sdc` HDD starves under upgrade IO | **Durable fix is beads code-oflt** (move etcd/critical VM disks off `sdc`). Not in this change. Mitigations above reduce the upgrade's own IO; reclaimed disk removes the image-GC variable. |
+
+## Lessons
+
+- **Capture the failing component's own logs before concluding.** The `kubeadm
+  upgrade diff` made the OIDC swap look like the cause; only etcd's log (multi-second
+  applies) + an isolated apiserver repro showed the truth (etcd IO). A clean diff is
+  "what config changes," not "why it crashed."
+- **etcd on shared HDD is the cluster's recurring fragility** (immich IO storm
+  2026-05-25, this stall). Upgrades concentrate IO (etcd restart + kubeadm's 400MB
+  backup copy + drain) onto that spindle. code-oflt is the real fix.
+- **Tools that leave per-operation scratch must be reaped.** kubeadm's
+  `/etc/kubernetes/tmp` etcd backups are throwaway (real backups → NFS) but never
+  GC'd; 28GB had silently accumulated.
+- **Out-of-band control-plane edits must be written back to kubeadm-config** — else
+  `kubeadm upgrade` silently reverts them (here: SSO; could be admission/audit/API flags).
diff --git a/docs/runbooks/breakglass-ssh.md b/docs/runbooks/breakglass-ssh.md
new file mode 100644
index 00000000..348586f8
--- /dev/null
+++ b/docs/runbooks/breakglass-ssh.md
@@ -0,0 +1,158 @@
+# Runbook: Break-glass SSH
+
+Cold-survivable, brute-force-proof SSH onto the home LAN for when the Kubernetes
+cluster and its remote-access tunnels (Headscale, cloudflared) are down but the
+**Proxmox host + edge router are up**. Redesigned 2026-06-11 — the previous
+port-knock design is decommissioned (see "History" below).
+
+## Model (as built)
+
+```
+your laptop (anywhere) ── ssh -p 52222 ──▶ edge router 192.168.1.1
+                                              │ WAN tcp/52222 ─▶ 192.168.1.127:52222
+                                              ▼
+                                       Proxmox host 192.168.1.127
+                                          sshd :52222 (key-only, break-glass key ONLY)
+                                          → full LAN via ssh -J / ssh -D
+```
+
+- **No port-knock.** Plain `ssh -p 52222`. The SSH key is the only gate.
+- **Key-only**, brute-force-proof. The exposed `:52222` trusts **only** the
+  dedicated break-glass key (`/root/.ssh/authorized_keys.breakglass`), separate
+  from root's normal LAN-admin keys, so it is independently revocable and a leak
+  of any other root key does not grant internet access.
+- **Rate-limited** per source IP (iptables hashlimit) + **fail2ban**. These trim
+  scanner noise only; key-only auth is the real protection.
+- **Exposed, not hidden.** `:52222` answers on the WAN (Shodan-visible). This is
+  a deliberate, documented exception to the Wave-1 "no public-IP access" policy
+  (see `docs/architecture/security.md`), chosen for self-containment: it has **no
+  dependency on the cluster** (unlike Headscale/cloudflared) and nothing to
+  remember (unlike the old knock, whose sequence lived only in in-cluster Vault).
+
+## Secrets (Vault `secret/viktor`)
+
+| Key | Use |
+|---|---|
+| `breakglass_ssh_pubkey` | authorized on the host (`authorized_keys.breakglass`) |
+| `breakglass_ssh_privkey` | the private key (also on your laptop at `~/.ssh/breakglass_ed25519`) |
+
+The key has **no passphrase** (so it works in a true cold event without anything
+to recall). Treat the private key as the sole credential — guard the laptop copy.
+
+> Leftover: `breakglass_knock_sequence` is dead (knock decommissioned). It is
+> inert; remove it when you have a Vault token with the `patch` capability
+> (`vault kv patch` / merge-patch — the everyday token lacks it).
+
+## Connect
+
+Client `~/.ssh/config`:
+
+```
+Host breakglass
+    HostName viktorbarzin.ddns.net        # follows the dynamic WAN IP
+    Port 52222
+    User root
+    IdentityFile ~/.ssh/breakglass_ed25519
+    IdentitiesOnly yes
+```
+
+Then:
+
+```bash
+ssh breakglass                              # shell on the Proxmox host
+ssh -J breakglass root@10.0.20.1            # jump to pfSense (or any LAN host)
+ssh -D 1080 breakglass                      # SOCKS5 → reach any internal IP
+```
+
+There is **no `bg()` knock function** anymore — delete it from your shell rc if
+you added it under the old design.
+
+## Cold-event IP cheat sheet (cluster DNS is down)
+
+| Host | IP |
+|---|---|
+| Proxmox host | `192.168.1.127` |
+| pfSense | `10.0.20.1` (WAN `192.168.1.2`) |
+| k8s API | `10.0.20.100` |
+| Synology NAS | `192.168.1.13` (reach via `ssh -J breakglass`) |
+| edge router | `192.168.1.1` |
+
+## Deploy / re-provision the host config
+
+Source of truth lives in `infra/scripts/`. To (re)deploy:
+
+```bash
+# 1. break-glass key authorized for the exposed port
+PUB="$(vault kv get -field=breakglass_ssh_pubkey secret/viktor)"
+ssh root@192.168.1.127 "printf '%s\n' '$PUB' > /root/.ssh/authorized_keys.breakglass && chmod 600 /root/.ssh/authorized_keys.breakglass"
+
+# 2. sshd drop-in (dual-port, Match-isolated) — validate before reload (anti-lockout)
+scp scripts/sshd-10-breakglass.conf root@192.168.1.127:/etc/ssh/sshd_config.d/10-breakglass.conf
+ssh root@192.168.1.127 'sshd -t && systemctl reload ssh'
+
+# 3. firewall (rate-limit) + boot unit
+scp scripts/breakglass-firewall.sh root@192.168.1.127:/usr/local/sbin/breakglass-firewall.sh
+ssh root@192.168.1.127 'chmod 0755 /usr/local/sbin/breakglass-firewall.sh && systemctl enable --now breakglass-firewall.service'
+
+# 4. fail2ban jail
+scp scripts/fail2ban-breakglass-sshd.local root@192.168.1.127:/etc/fail2ban/jail.d/breakglass-sshd.local
+ssh root@192.168.1.127 'systemctl restart fail2ban && fail2ban-client status sshd'
+```
+
+The `breakglass-firewall.service` unit (oneshot, `RemainAfterExit=yes`,
+`Before=network-online`-ish ordering) is a manual host unit — recreate it if the
+host is rebuilt:
+
+```ini
+[Unit]
+Description=Break-glass base firewall (key-only SSH on :52222)
+After=network-pre.target
+Wants=network-pre.target
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/breakglass-firewall.sh
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
+```
+
+## Edge-router forward (manual — live device, not Terraform)
+
+TP-Link Archer AX6000 (`192.168.1.1`) → Advanced → NAT Forwarding → Port
+Forwarding. The break-glass rule:
+
+| Service Name | Device IP | External Port | Internal Port | Protocol |
+|---|---|---|---|---|
+| `breakglass-ssh` | `192.168.1.127` | `52222` | `52222` | TCP |
+
+**AX6000 quirks (learned 2026-06-11 — do not relearn the hard way):**
+- **External port must equal internal port.** The firmware rejects any remap
+  (e.g. `22 → 52222`) with *"External Port: This item conflicts with existed
+  ones."* Hence ext==int 52222.
+- **Port 22 is reserved** — even `22 → 22` is refused. Break-glass cannot use 22.
+- **Row delete is immediate** (no confirm dialog) — clicking the trash icon
+  removes the rule and toasts "Operation succeeded".
+- Automation: `~/wizard/tools/insecure-browse/add-forward.{sh,js}` (dockerized
+  Playwright; double-gated save `DRY_RUN=0 CONFIRM_SAVE=1`; supports
+  `RULES_JSON` add, `EDIT_RULES_JSON` protocol-edit, `DELETE_RULES_JSON`
+  identity-guarded delete). Router password: Vault
+  `secret/viktor/edge_router_192_168_1_1_password`.
+
+## Rotate / revoke
+
+- **Revoke instantly:** remove the line from `/root/.ssh/authorized_keys.breakglass`.
+- **Rotate the key:** `ssh-keygen -t ed25519 -a 100 -f ~/.ssh/breakglass_ed25519`,
+  `vault kv patch secret/viktor breakglass_ssh_privkey=@... breakglass_ssh_pubkey=...`,
+  redeploy step 1 above.
+- **Router reset wipes forwards:** re-add the `breakglass-ssh` rule above.
+
+## History
+
+- **2026-05-30:** original design — key-only SSH on `:52222` gated behind a
+  **UDP port-knock** (knockd). Decommissioned 2026-06-11: the knock added no real
+  security (the SSH key already makes the port brute-force-proof) and its only
+  benefit — hiding the port — came at the cost of a **circular dependency**: the
+  knock sequence lived only in in-cluster Vault, unreachable in the exact
+  cold/away scenario break-glass exists for. That caused a real lockout. The
+  knockd package + config + the legacy Synology SSH forward (ext 3333 → .13:22)
+  were removed.
diff --git a/docs/runbooks/breakglass-ui.md b/docs/runbooks/breakglass-ui.md
new file mode 100644
index 00000000..a79c9f14
--- /dev/null
+++ b/docs/runbooks/breakglass-ui.md
@@ -0,0 +1,114 @@
+# Runbook: devvm breakglass UI (claude-breakglass)
+
+Last updated: 2026-06-12
+
+## What this is
+
+`breakglass.viktorbarzin.me` — an in-cluster Claude-driven web UI for recovering
+the **devvm** (Proxmox VM 102) when it is wedged but the cluster is healthy (the
+**warm** case). You chat with a Claude agent that SSHes into the devvm to
+diagnose/repair it, and there are manual buttons that power-cycle the VM via the
+Proxmox host even if the Anthropic API is down.
+
+This is NOT the cold breakglass. If the **cluster or PVE host** is down, this UI
+is down too (it's a cluster workload). For that case use the cold path:
+- `ssh -p 52222 root@<wan>` → `qm stop 102 && qm start 102` (`docs/runbooks/breakglass-ssh.md`)
+- `server-lifecycle` iDRAC CLI (192.168.1.4) to power-cycle the whole host.
+
+## Architecture
+
+```
+browser ─► Cloudflare ─► Traefik ─► auth-proxy (Authentik, basic-auth fallback)
+                                      └─► claude-breakglass Service (in-cluster)
+claude-breakglass pod (ns claude-breakglass, own SA, NO Vault role):
+  • app.breakglass.server (FastAPI) serves the Svelte UI + /api
+  • chat → claude -p --agent breakglass (stream-json → SSE)
+  • ssh-agent holds the breakglass key (synced by ESO, never on disk)
+  • ssh devvm  → breakglass@10.0.10.10 (full sudo)         [diagnose/repair]
+  • ssh pve <verb> → root@192.168.1.127 forced-command     [VM 102 power verbs]
+```
+
+Image: `forgejo.viktorbarzin.me/viktor/claude-agent-service:latest` (shared with
+claude-agent-service; the deployment overrides the command with
+`/srv/docker-entrypoint-breakglass.sh`). Code: `claude-agent-service/app/breakglass/`.
+Stack: `stacks/claude-breakglass/`. ADR: `claude-agent-service/docs/adr/0001-*`.
+
+## Auth (how to get in)
+
+- **Normal:** Authentik SSO (you're already logged in to the SSO).
+- **Authentik down:** the auth-proxy falls back to HTTP basic-auth ("Emergency
+  Access"). Username `admin`; password is the shared `auth_fallback_htpasswd`
+  (Vault `secret/platform`). This same credential gates every `auth="required"`
+  app. Rotate: regenerate the htpasswd, `vault kv patch secret/platform
+  auth_fallback_htpasswd=...`, apply the `traefik` stack (the auth-proxy rolls
+  on the `checksum/auth-proxy-htpasswd` annotation).
+
+## The PVE forced-command (the reset path)
+
+The breakglass SSH key's entry in PVE `/root/.ssh/authorized_keys` is pinned to
+`command="/usr/local/bin/breakglass-pve",restrict,from="192.168.1.2"`. It only
+accepts the bare verbs **`status | forensics | reset | stop | start | cycle`**
+against VM 102 — anything else is rejected and logged to
+`/var/log/breakglass-pve.log`. Every mutating verb captures forensics first.
+
+- **cycle** = stop→start (fresh QEMU, applies staged config) — the fix for a
+  QEMU I/O stall (2026-06-11). If a clean stop fails, it kills the wedged QEMU
+  PID then starts. **Prefer `cycle` over `reset` for a wedged VM.**
+- `reset` is a warm reset (reuses QEMU) — only for a normal guest hang.
+
+Script source: `stacks/claude-breakglass/files/breakglass-pve` (deploy via
+`scp … root@192.168.1.127:/usr/local/bin/breakglass-pve`).
+
+## NAT quirks (why `from=` differs per host)
+
+Discovered during bring-up — both verified from a real in-cluster pod:
+- **pod → PVE (192.168.1.127):** pfSense SNATs inter-VLAN traffic to its
+  `192.168.1.2` interface, so PVE sees `192.168.1.2` for ALL cluster (and devvm)
+  SSH. Hence the PVE key uses `from="192.168.1.2"`. The devvm itself is NOT a
+  permitted source (it's the box being recovered).
+- **pod → devvm (10.0.10.10):** the devvm sees the Calico-SNAT **node IP**
+  (10.0.20.0/24). Hence the devvm key uses `from="10.0.20.0/24"`.
+
+## Host bootstrap (one-time; redo on devvm rebuild / key rotation)
+
+The keypair lives in Vault `secret/claude-breakglass/ssh_key`
+(`private_key`/`public_key`). To re-provision after a rebuild:
+
+```bash
+PUB=$(vault kv get -field=public_key secret/claude-breakglass/ssh_key)
+
+# devvm (full-sudo recovery user):
+sudo useradd -m -s /bin/bash breakglass 2>/dev/null || true
+sudo install -d -m700 -o breakglass -g breakglass /home/breakglass/.ssh
+printf 'from="10.0.20.0/24" %s\n' "$PUB" | sudo tee /home/breakglass/.ssh/authorized_keys
+sudo chown breakglass:breakglass /home/breakglass/.ssh/authorized_keys
+sudo chmod 600 /home/breakglass/.ssh/authorized_keys
+echo 'breakglass ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/breakglass && sudo chmod 440 /etc/sudoers.d/breakglass
+
+# PVE (forced-command power verbs):
+scp stacks/claude-breakglass/files/breakglass-pve root@192.168.1.127:/usr/local/bin/breakglass-pve
+ssh root@192.168.1.127 chmod 0755 /usr/local/bin/breakglass-pve
+# then append to /root/.ssh/authorized_keys on PVE:
+#   command="/usr/local/bin/breakglass-pve",restrict,from="192.168.1.2" <PUB>
+```
+
+Host-key checking is OFF in the pod's ssh config (a devvm rebuild rotates the
+host key; strict checking would lock the breakglass out mid-incident — trusted
+internal LAN, key auth stands).
+
+## Verify
+
+```bash
+kubectl -n claude-breakglass get pods                 # Running
+kubectl -n claude-breakglass logs deploy/claude-breakglass | grep -i ssh-add
+curl -sk https://breakglass.viktorbarzin.me/health    # (through the edge)
+# from a pod, the PVE path:  ssh pve status  → "status: running"
+```
+
+## Isolation (why a separate deployment)
+
+The shared `claude-agent` pod runs agents that ingest untrusted input
+(recruiter emails, nextcloud todos) with Bash. Co-locating the root-on-devvm key
+there would let a prompt injection exfiltrate it. The breakglass runs in its own
+namespace with its own SA and **no Vault role** (ESO syncs only its key); the
+`terraform-state` Vault policy is explicitly DENIED `secret/claude-breakglass/*`.
diff --git a/docs/runbooks/chrome-service-snapshot.md b/docs/runbooks/chrome-service-snapshot.md
index ab065503..2ebc565f 100644
--- a/docs/runbooks/chrome-service-snapshot.md
+++ b/docs/runbooks/chrome-service-snapshot.md
@@ -11,8 +11,36 @@ external Claude Code sessions on the dev box. Architecture in
 | chrome-service Deployment | `chrome-service` ns | always-on | headed chromium, CDP :9222, persistent /profile/chromium-data |
 | snapshot-server sidecar | same pod | always-on | serves `/api/snapshot`, bearer-gated, port 8088 |
 | snapshot-harvester CronJob | `chrome-service` ns | `23 * * * *` | dumps `storage_state()` via CDP → `/profile/snapshots/storage-state.json` |
-| dev-box refresh timer | each dev box | hourly | curls `chrome.viktorbarzin.me/api/snapshot` → `~/.cache/playwright-shared-storage-state.json` |
-| dev-box `playwright-mcp.service` | each dev box | always-on | `@playwright/mcp --isolated --storage-state=…` per-MCP-connection contexts |
+| dev-box refresh timer | each dev box, per OS user | hourly (`*:28`) | `playwright-snapshot-refresh@<user>.timer` curls `chrome.viktorbarzin.me/api/snapshot` → `~/.cache/playwright-shared-storage-state.json` |
+| dev-box `playwright-mcp@<user>.service` | each dev box, per OS user | always-on | pinned `@playwright/mcp@<ver> --isolated --storage-state=…` on the user's `PLAYWRIGHT_PORT`; per-MCP-connection (per-session) contexts |
+
+## Provisioning (reproducible from git)
+
+The dev-box side is **per-OS-user** and fully reproducible — no hand-setup.
+Each user gets their own isolated `@playwright/mcp` server (multiple concurrent
+Claude sessions per user, isolated by `--isolated`), wired into their Claude in
+**every directory** via a user-scope `~/.claude.json` entry
+(`playwright → http://localhost:<PLAYWRIGHT_PORT>/mcp`).
+
+- **System-level template units** (NOT `systemd --user`, so no linger needed):
+  `playwright-mcp@.service` + `playwright-snapshot-refresh@.{service,timer}`,
+  sourced from `infra/scripts/workstation/playwright/`, installed to
+  `/etc/systemd/system/` by `setup-devvm.sh` (§9e). `User=%i`; per-user
+  `PLAYWRIGHT_PORT` from `/etc/t3-serve/playwright-<user>.env`.
+- **Port allocation**: `roster_engine.py` (`PLAYWRIGHT_BASE_PORT=8931`, sticky)
+  — emitted in the derive JSON, written per-user by `t3-provision-users.sh` (§5c).
+- **Snapshot token**: `setup-devvm.sh` (§8c) stages Vault
+  `secret/chrome-service` `api_bearer_token` → root file
+  `/etc/t3-serve/chrome-service-token`; the provisioner copies it (if-absent,
+  0600) to each user's `~/.config/playwright/token` (the hourly root reconcile
+  has no Vault token, hence the staging — mirrors the Claude OAuth token in §8a).
+- **MCP wiring + enablement**: `t3-provision-users.sh` `install_playwright()` runs
+  `claude mcp add --scope user … playwright` AS the user (clobber-proof, if-absent)
+  and `systemctl enable --now` the system instances. Idempotent; never restarts a
+  running instance or rewrites an existing `~/.claude.json` entry.
+- **Pinned version**: bump `@playwright/mcp@<ver>` in
+  `scripts/workstation/playwright/playwright-mcp@.service` (the `@latest` →
+  silent-fleet-roll footgun is why; see the `T3_PIN` rationale in `setup-devvm.sh`).
 
 ## Day-to-day
 
@@ -43,14 +71,14 @@ Expected: `wrote snapshot (… bytes) to /profile/snapshots/storage-state.json`.
 ### Trigger dev-box refresh manually
 
 ```bash
-# On the dev box, as the user whose Claude Code sessions need the new state:
-systemctl --user start playwright-snapshot-refresh.service
+# On the dev box, refresh a specific user's snapshot (system template instance):
+sudo systemctl start playwright-snapshot-refresh@<user>.service
 
-# Or directly:
-/usr/local/bin/playwright-snapshot-refresh
+# Or run the script directly AS that user:
+sudo -u <user> /usr/local/bin/playwright-snapshot-refresh
 
 # Verify
-ls -la ~/.cache/playwright-shared-storage-state.json
+sudo ls -la /home/<user>/.cache/playwright-shared-storage-state.json
 ```
 
 ### Inspect the current snapshot
@@ -108,12 +136,14 @@ The bearer token in `~/.config/playwright/token` doesn't match the
 server's. Almost always means the Vault secret was rotated and the
 local cache is stale.
 
-**Fix**:
+**Fix** (re-stage centrally so a rebuild stays correct, then re-copy to the user):
 ```bash
 vault login -method=oidc  # if needed
-vault kv get -field=api_bearer_token secret/chrome-service > ~/.config/playwright/token
-chmod 600 ~/.config/playwright/token
-systemctl --user start playwright-snapshot-refresh.service
+sudo install -m 0600 <(vault kv get -field=api_bearer_token secret/chrome-service) \
+  /etc/t3-serve/chrome-service-token
+sudo install -o <user> -g <user> -m 0600 \
+  /etc/t3-serve/chrome-service-token /home/<user>/.config/playwright/token
+sudo systemctl start playwright-snapshot-refresh@<user>.service
 ```
 
 ### Dev-box `playwright-snapshot-refresh` returns 404 with "snapshot not yet available"
@@ -129,9 +159,9 @@ new context with it. **Existing MCP sessions don't hot-reload** — they
 keep the cookies they were seeded with at session start. New sessions
 get the fresh snapshot.
 
-**Fix**: restart the MCP server on the dev box to pick up the new file:
+**Fix**: restart the user's MCP server on the dev box to pick up the new file:
 ```bash
-systemctl --user restart playwright-mcp.service
+sudo systemctl restart playwright-mcp@<user>.service
 ```
 
 ### Snapshot file is suspiciously small or empty cookies array
@@ -158,13 +188,18 @@ vault kv put secret/chrome-service \
 
 # Reloader auto-restarts chrome-service pod (snapshot-server picks up new token).
 
-# On EVERY dev box that pulls the snapshot:
-vault kv get -field=api_bearer_token secret/chrome-service > ~/.config/playwright/token
-chmod 600 ~/.config/playwright/token
+# On EVERY dev box: re-stage the root file, then overwrite each user's copy
+# (the provisioner's per-user copy is if-absent, so a ROTATION must overwrite).
+sudo install -m 0600 <(vault kv get -field=api_bearer_token secret/chrome-service) \
+  /etc/t3-serve/chrome-service-token
+for u in $(ls /etc/t3-serve/playwright-*.env 2>/dev/null | sed 's#.*/playwright-##;s#\.env##'); do
+  sudo install -o "$u" -g "$u" -m 0600 \
+    /etc/t3-serve/chrome-service-token /home/"$u"/.config/playwright/token
+done
 
-# Verify the next refresh succeeds:
-systemctl --user start playwright-snapshot-refresh.service
-journalctl --user -u playwright-snapshot-refresh.service -n 20
+# Verify the next refresh succeeds for a user:
+sudo systemctl start playwright-snapshot-refresh@<user>.service
+sudo journalctl -u playwright-snapshot-refresh@<user>.service -n 20
 ```
 
 ## Restore from a backup tarball
diff --git a/docs/runbooks/claude-auth-renew-workstation.md b/docs/runbooks/claude-auth-renew-workstation.md
new file mode 100644
index 00000000..f5ce6625
--- /dev/null
+++ b/docs/runbooks/claude-auth-renew-workstation.md
@@ -0,0 +1,95 @@
+# Workstation Claude authentication renewal
+
+## Scope
+
+Every roster user authenticates Claude Code with their own Enterprise identity.
+Credentials are never shared between OS users. Claude refreshes its normal OAuth
+access token; `claude-auth-sync@<user>.timer` verifies that refresh using real
+inference every six hours and backs up only the `claudeAiOauth` object to:
+
+```text
+secret/workstation/claude-users/<os-user>
+```
+
+The user's unrelated `mcpOAuth` credentials never leave their home directory.
+Each renewal service has a distinct 32-day periodic Vault token, mode `0600`, at
+`~/.config/claude-auth-sync/vault-token`. Its policy can access only that user's
+path. The service renews the Vault token on every run.
+
+## Normal lifecycle
+
+1. Add the user to `scripts/workstation/roster.yaml` and apply the Vault stack.
+2. Run `scripts/workstation/setup-devvm.sh` as root with the admin Vault token.
+   Its foreground provisioner mints the isolated periodic token and enables the
+   user's timer. Routine hourly provisioning never needs an admin token.
+3. The user completes one initial Enterprise login:
+
+   ```bash
+   claude auth login --claudeai --sso --email <enterprise-email>
+   ```
+
+4. Start the first sync immediately instead of waiting for the timer:
+
+   ```bash
+   systemctl start claude-auth-sync@<os-user>.service
+   systemctl status claude-auth-sync@<os-user>.service
+   ```
+
+Success writes no secrets to the journal. The user's private log records `OK` in
+`~/.local/state/claude-auth-sync/sync.log`; journald receives the same status with
+`identifier=claude-auth-sync` for Loki alerting.
+
+## Automatic recovery
+
+`claude auth status` is not a sufficient health check: it can report logged in
+while inference returns HTTP 401. The service therefore runs a minimal Haiku
+inference with no session persistence. On failure it:
+
+1. reads the user's latest OAuth object from Vault;
+2. atomically merges it into `.credentials.json`, preserving MCP OAuth state;
+3. retries inference once;
+4. stores the newly refreshed OAuth object back in Vault on success.
+
+Vault KV version history remains available for audit, but the service deliberately
+does not cycle through old refresh tokens: providers commonly invalidate rotated
+refresh tokens, so replaying old versions can make recovery less deterministic.
+
+## Recovery requiring a person
+
+If both local state and the latest Vault copy fail, the refresh token was revoked,
+invalidated, or the Enterprise session requires reauthorization. Run the login as
+the affected OS user, then rerun the service:
+
+```bash
+claude auth login --claudeai --sso --email <enterprise-email>
+systemctl start claude-auth-sync@$(id -un).service
+```
+
+If the scoped Vault token expired or drift protection rejected it, rerun the root
+provisioner with an admin Vault token after confirming the matching policy exists:
+
+```bash
+export VAULT_ADDR=https://vault.viktorbarzin.me
+export VAULT_TOKEN="$(cat /home/wizard/.vault-token)"
+sudo --preserve-env=VAULT_ADDR,VAULT_TOKEN /usr/local/bin/t3-provision-users
+```
+
+Never copy another user's `.credentials.json` or scoped Vault token. Never restore
+the old shared `CLAUDE_CODE_OAUTH_TOKEN`; environment credentials outrank per-user
+login and would silently collapse all users onto one identity.
+
+## Verification
+
+```bash
+systemctl list-timers 'claude-auth-sync@*'
+systemctl status claude-auth-sync@<os-user>.service
+journalctl -t claude-auth-sync --since today
+```
+
+Inspect Vault metadata, not secret values:
+
+```bash
+vault kv metadata get secret/workstation/claude-users/<os-user>
+```
+
+Alert `WorkstationClaudeAuthInvalid` fires when any renewal agent logs `FAIL`.
diff --git a/docs/runbooks/fan-control.md b/docs/runbooks/fan-control.md
index 390c349a..d243b9fc 100644
--- a/docs/runbooks/fan-control.md
+++ b/docs/runbooks/fan-control.md
@@ -1,122 +1,103 @@
-# Runbook — PVE R730 fan-control daemon
+# Runbook — PVE R730 fan control
 
-Presence-aware IPMI fan controller on the PVE host (192.168.1.127). Runs the
-CPU cool when the garage is empty, quiet when someone's in the garage. Design:
-`infra/docs/plans/2026-06-04-pve-fan-control-design.md`.
+**The control logic lives in Home Assistant; the PVE host runs only a thin
+actuator.** HA computes the fan setpoint from the CPU temperature and the
+dashboard inputs and publishes ONE number, `sensor.r730_fan_command_pct`. The
+host daemon reads that number each loop and applies it over IPMI — it does **no**
+math. Design + history: `infra/docs/plans/2026-06-04-pve-fan-control-design.md`.
+
+> **History:** (1) 2026-06-04/05 presence-aware two-curve controller (COOL/QUIET
+> by garage door). (2) 2026-06-07 single linear curve, presence removed.
+> (3) 2026-06-08 **all control moved into HA**, host became a thin actuator,
+> additive **bias** replaced the ease-down hysteresis. (4) 2026-06-15 daemon
+> **anti-flap**: holds the last command through transient HA losses instead of
+> dumping to Dell auto.
 
 ## What it is
 
-- `/usr/local/bin/fan-control` — bash daemon (source: `infra/scripts/fan-control.sh`).
+- **HA (brain), on ha-sofia — NOT in this repo:** the `input_number` sliders, the
+  command template sensor, the display/equilibrium sensors, the Lock/Override
+  controls, and the dashboard cards. Auto-git-tracked on ha-sofia by the
+  version-control add-on.
+- `/usr/local/bin/fan-control` — bash **actuator** (source: `infra/scripts/fan-control.sh`).
 - `fan-control.service` — systemd unit (`Type=simple`, restarts on failure).
 - `/etc/fan-control.env` — config incl. the ha-sofia token (chmod 600, not in git).
 
-## HA control (Home Assistant)
+## HA brain — where the curve lives (dashboard-it → "Server" view → Fans)
 
-Drive the fans from **dashboard-it → "Server" view → Fans**. The view is
-deliberately minimal — it shows the current **fan speed** (% of capacity +
-absolute RPM) and two controls:
+`sensor.r730_fan_command_pct` (template) computes:
+`command% = clamp( curve(temp) + bias, 0..100 )`, where `curve(temp)` is a linear
+ramp from `(Temp min, Duty min)` to `(Temp max, Duty max)` over
+`sensor.r730_cpu_temperature`, plus an **asymmetric output deadband** (rise
+immediately; ease down only once it would drop ≥ Hysteresis). When **Lock** is
+on it outputs the Override % directly.
 
-- **Override %** (`input_number.r730_fan_manual_pct`) — the fan % to hold. While
-  **unlocked** it continuously mirrors the live commanded fan %, so it always
-  shows the actual *absolute* speed and updates as the fan moves (NOT a stale
-  value or a delta) — `automation.r730_fan_override_track_live_speed_while_unlocked`
-  syncs it to `sensor.r730_fan_control_target` (guarded to ignore
-  unavailable/unknown). While **locked** it stops tracking and becomes your
-  editable setpoint. A readout under the slider shows the live `% · rpm`.
-- **Lock — freeze speed** (`input_boolean.r730_fan_lock`) — turn the algorithm
-  off and hold a fixed speed. Toggling it **ON** snapshots the *current*
-  commanded % into Override and switches the daemon to `manual`
-  (`automation.r730_fan_lock_freeze_current_speed_resume_algo`); toggling it
-  **OFF** switches back to `auto`, resuming the presence curve. Fine-tune the
-  held % with Override while locked. A 🔒 reminder appears on the view while
-  locked.
+**Inputs** (`input_number` sliders): `r730_fan_temp_min`, `r730_fan_temp_max`,
+`r730_fan_duty_min`, `r730_fan_duty_max`, `r730_fan_bias` (flat % added on top —
+guarantees a floor), `r730_fan_hysteresis` (output deadband %).
+Slope = `(Duty max − Duty min)/(Temp max − Temp min)` — steeper/higher-bias/lower-Temp-min
+⇒ lower steady-state CPU temp (it's a P controller; the curve sets the equilibrium).
 
-Under the hood the daemon still reads `input_select.r730_fan_mode`
-(auto/cool/quiet/manual) + `input_number.r730_fan_manual_pct` each loop; the Lock
-toggle just drives `mode` between `manual` (locked) and `auto` (unlocked).
-`cool`/`quiet` remain valid modes if set directly (via the entity) but are no
-longer surfaced on the simplified dashboard. `CEILING` (83 °C) still overrides
-everything → Dell auto, **even when locked**. A stale non-`auto` mode left while
-*unlocked* still auto-reverts to `auto` after 60 min
-(`automation.r730_fan_mode_auto_revert`, now a dormant safety net). An HA change
-is applied within one daemon loop (~15 s).
+**Manual override:** `input_boolean.r730_fan_lock` (Lock — freeze) + `input_number.r730_fan_manual_pct` (Override %).
 
-Monitoring sensors on the same view: `sensor.r730_fan_speed` (redfish exporter),
-`sensor.r730_fan_control_target` + `sensor.r730_fan_control_mode` +
-`sensor.r730_fan_power_est` (Pushgateway). Fan **% and RPM are merged into one
-"Fan speed" card** (the two had identical trend shapes) — the % trend comes from
-the stable Pushgateway sensor, while RPM reads `sensor.r730_fan_speed` but **falls
-back to a calibrated estimate (shown with a `~` prefix) whenever the Redfish
-sensor is `unavailable`** (it blips out intermittently), so the readout never goes
-blank. `r730_fan_power_est` is an ESTIMATE of
-total fan power (the iDRAC reports no per-fan power) — modelled from RPM via the
-fan affinity law (∝ RPM³), calibrated to the power sweep (~2 W floor → ~99 W full).
+**Readout sensors:** `sensor.r730_fan_command_display` ("Fan set point", "X % (Y rpm)"),
+`sensor.r730_expected_equilibrium_temp` (predicted equilibrium at current load),
+`sensor.r730_cpu_load`, `sensor.r730_fan_speed_avg` (mean of 6 fans),
+`sensor.r730_fan_power_avg` (cube-law estimate). The Prometheus-backed REST
+sensors live in `rest_resources/idrac_redfish_exporter.yaml` on ha-sofia and have
+value-template fallbacks so they don't blink `unavailable` on a transient empty.
 
-The HA objects (helpers, the auto-revert automation, the REST sensors in
-`rest_resources/{idrac_redfish_exporter,fan_control}.yaml`, and the dashboard
-cards) live on **ha-sofia** and are auto-git-tracked there by the version-control
-add-on — they are NOT in this repo.
+## Actuator (host) — what the daemon does
+
+Loop every ~15 s, using only the existing IPMI + HA-REST methods:
+1. read `command%` from HA (`/api/states/$COMMAND_ENTITY`), validate (numeric + not stale > `STALE_SECS`);
+2. apply it via `ipmitool raw 0x30 0x30 0x02 0xff 0x<NN>` (writes only if the change clears `MIN_STEP`);
+3. read CPU temp + fan rpm for safety + telemetry (Pushgateway).
+
+**Anti-flap:** on a missing/stale command it **holds the last applied %** for up
+to `HA_GRACE_SECS` (300 s) instead of falling back; only sustained loss hands the
+fans to Dell auto.
+
+## Safety (on the host, independent of HA)
+`CPU ≥ CEILING (83 °C)`, repeated IPMI failures, sustained HA loss, or daemon
+stop/crash → hand the fans back to **Dell auto** (`raw 0x30 0x30 0x01 0x01`;
+EXIT trap + systemd `ExecStopPost`). The 83 °C ceiling uses the daemon's own
+IPMI temp read, so it protects even if HA is wrong/unreachable.
 
 ## Quick status
-
 ```bash
 ssh root@192.168.1.127 systemctl status fan-control
 ssh root@192.168.1.127 'journalctl -u fan-control -n 30 --no-pager'
-ssh root@192.168.1.127 'ipmitool sdr type fan | grep ^Fan1; ipmitool sdr type temperature | grep "^Temp "'
 ```
-Log lines look like `temp=60C ha_mode=auto eff=cool fan=50% (was 70%)`
-(`ha_mode` = the HA setpoint; `eff` = the effective curve applied).
-
-## Disable / roll back to stock firmware control
-
-```bash
-ssh root@192.168.1.127 'systemctl disable --now fan-control && ipmitool raw 0x30 0x30 0x01 0x01'
-```
-The unit's `ExecStopPost` already restores Dell auto on stop, so the explicit
-`raw ... 0x01` is belt-and-suspenders. The box is back to its stock curve.
+Log line: `temp=64C cmd=49% rpm=9380 (was -1%)` (`cmd` = the % read from HA and
+applied). `HA command miss — holding 49%` = a transient HA blip being ridden out;
+`HA command lost (...) — Dell auto` = sustained loss.
 
 ## Tune
+The whole curve (anchors + bias + hysteresis) is tuned **live from the HA
+dashboard** — no host access needed. `/etc/fan-control.env` only holds the
+actuator plumbing + safety knobs (`COMMAND_ENTITY`, `STALE_SECS`, `HA_GRACE_SECS`,
+`MIN_STEP`, `CEILING`); edit it then `systemctl restart fan-control`.
 
-Edit `/etc/fan-control.env` on the host, then `systemctl restart fan-control`.
-Common knobs:
-- `HOLD_SECS` — how long to stay quiet after the garage door last moved (default 900 = 15 min).
-- `CEILING` — temp at which we abandon manual control and let the firmware take over (default 83).
-- Curve shape: **linear anchors** near the top of the script — `COOL_T_LO/COOL_P_LO/COOL_T_HI/COOL_P_HI` (default 50°C/30% → 83°C/100%) and `QUIET_*` (68°C/20% → 83°C/100%); fan% interpolates linearly between them (replaced the old discrete step-bands). `MIN_STEP` (default 3%) = smallest fan-% change worth an IPMI write (anti-jitter); `DEADBAND` (3°C) = ease-down hysteresis. Lower `COOL_P_HI` or raise `COOL_T_HI` to run the top end quieter; steepen by raising `COOL_P_LO` / lowering `COOL_T_LO`.
-
-## Deploy / update
-
+## Deploy / update (daemon source)
 ```bash
-cd infra
-scp scripts/fan-control.sh     root@192.168.1.127:/usr/local/bin/fan-control
-ssh root@192.168.1.127 chmod +x /usr/local/bin/fan-control
-scp scripts/fan-control.service root@192.168.1.127:/etc/systemd/system/fan-control.service
-# first install only — create /etc/fan-control.env from fan-control.env.example with the HA token
-ssh root@192.168.1.127 'systemctl daemon-reload && systemctl restart fan-control'
+scp -i ~/.ssh/pve_root scripts/fan-control.sh root@192.168.1.127:/tmp/fan-control.new
+ssh -i ~/.ssh/pve_root root@192.168.1.127 'install -m0755 /tmp/fan-control.new /usr/local/bin/fan-control && systemctl restart fan-control'
 ```
-
-## HA token
-
-`/etc/fan-control.env` holds a long-lived ha-sofia token used to read
-`sensor.garage_door_state_bg`. Mint via Home Assistant → Profile → Security →
-Long-lived access tokens, or reuse the existing ha-sofia token. If the token is
-missing/empty, the daemon still runs but **COOL-only** (no quiet mode) and logs
-`ha_reachable=0`.
+(`fan-control.service` only on a unit change → also `systemctl daemon-reload`.)
 
 ## Symptoms & checks
-
 | Symptom | Check |
 |---------|-------|
-| Fans stuck loud | `journalctl -u fan-control` — is `mode=fallback`? (ceiling breach or IPMI fail). Check CPU temp. |
-| Never goes quiet | Token valid? `curl -H "Authorization: Bearer $TOKEN" http://192.168.1.8:8123/api/states/sensor.garage_door_state_bg`. Garage door reporting? |
-| Fans flapping | Increase `DEADBAND`. |
-| Service won't start | `systemctl status fan-control`; check `ipmitool` works: `ipmitool sdr type temperature`. |
+| Fans surge then crash to ~7100 then surge | flapping to Dell auto — `journalctl -u fan-control \| grep -E 'holding\|Dell auto'`; pre-2026-06-15 this was the stale-command bug (now fixed). |
+| Fans stuck loud | `journalctl` — `CEILING` breach or `HA command lost`? Check CPU temp + HA reachability. |
+| A readout blinks `unavailable` | the REST value-template fallback should hold it; a 1×/8h blip at ~02:00 (backup window) is a benign fetch hiccup. |
+| Slider changes ignored | does `sensor.r730_fan_command_pct` change in HA? token valid? |
 | Box left in manual after crash | `ipmitool raw 0x30 0x30 0x01 0x01` to force Dell auto. |
 
-## Verify presence wiring
-
+## Verify wiring
 ```bash
-# one iteration, real IPMI + HA, no daemon loop:
-ssh root@192.168.1.127 'set -a; . /etc/fan-control.env; set +a; RUN_ONCE=1 /usr/local/bin/fan-control'
+ssh -i ~/.ssh/pve_root root@192.168.1.127 'set -a; . /etc/fan-control.env; set +a; RUN_ONCE=1 /usr/local/bin/fan-control'
 ```
-With the garage closed for >15 min you should see `mode=cool`; within 15 min of
-the door moving, `mode=quiet`.
+The log `cmd=%` should equal `sensor.r730_fan_command_pct`. Move a slider so the
+HA sensor changes, re-run, and the applied `cmd=%` should follow.
diff --git a/docs/runbooks/forgejo-open-signups.md b/docs/runbooks/forgejo-open-signups.md
new file mode 100644
index 00000000..5a00d15a
--- /dev/null
+++ b/docs/runbooks/forgejo-open-signups.md
@@ -0,0 +1,168 @@
+# Runbook: Forgejo open self-service signups
+
+Last updated: 2026-06-19
+
+`forgejo.viktorbarzin.me` allows **open native self-registration** (anyone can
+create a local Forgejo account from the web form), gated against bots by two
+layers:
+
+1. **Cloudflare Turnstile** captcha on the registration form.
+2. **Mandatory email confirmation** — a new account stays inactive until the
+   user clicks an activation link emailed to the address they registered with.
+
+Two external login sources also work alongside local accounts: the pre-existing
+**Sign in with GitHub** OAuth2 login (the **Authentik OAuth2 source is now DISABLED** — see the GitHub section below) (see the GitHub
+section below). Opening local signups was additive — it did not touch SSO.
+
+Most of this is Terraform-managed in `stacks/forgejo/`. The one exception is the
+OAuth2 login *sources* (Authentik, GitHub), which live in Forgejo's own DB and
+are added via `forgejo admin auth` — there is no clean Terraform resource for
+them (their secrets are mirrored to Vault for recovery).
+
+## What is configured (and where)
+
+All on the `kubernetes_deployment.forgejo` container env in
+`stacks/forgejo/main.tf` (Forgejo reads `app.ini` keys from `FORGEJO__<section>__<KEY>`
+env vars):
+
+| Setting | Value | Effect |
+|---|---|---|
+| `service.DISABLE_REGISTRATION` | `false` | Registration is enabled |
+| `service.ALLOW_ONLY_EXTERNAL_REGISTRATION` | `false` | Native local sign-up allowed (was `true` = OAuth-only) |
+| `service.ENABLE_CAPTCHA` | `true` | Captcha required on the signup form |
+| `service.CAPTCHA_TYPE` | `cfturnstile` | Cloudflare Turnstile |
+| `service.CF_TURNSTILE_SITEKEY` | widget id | Public; rendered in the page |
+| `service.CF_TURNSTILE_SECRET` | from `forgejo-turnstile` Secret | Server-side verification |
+| `service.REGISTER_EMAIL_CONFIRM` | `true` | Account inactive until email is confirmed |
+| `mailer.*` | see below | Sends the activation email |
+| `oauth2_client.ENABLE_AUTO_REGISTRATION` | `true` | First GitHub (OAuth2) sign-in auto-creates the account |
+
+Captcha guards **registration only** — `REQUIRE_CAPTCHA_FOR_LOGIN` is left at the
+default `false`, so existing users are not captcha'd on every login.
+
+## Cloudflare Turnstile widget — `turnstile.tf`
+
+- The widget is a Terraform resource: `cloudflare_turnstile_widget.forgejo_signup`
+  (mode `managed`, domain `forgejo.viktorbarzin.me`), created with the CF Global
+  API Key already wired in `cloudflare_provider.tf`. The account id is resolved
+  via `data.cloudflare_accounts`.
+- `.id` is the **public sitekey** (passed as a plain env value). `.secret` is the
+  **secret key**, stored in the `forgejo-turnstile` K8s Secret and injected via
+  `secret_key_ref`. The secret also lives in TF state (Tier-1 PG, encrypted at
+  rest) — same trust level as the CF API key already in state.
+- Forgejo is **non-proxied** (direct A record to Traefik), but Turnstile is a
+  client-side JS widget served from `challenges.cloudflare.com`, so proxy status
+  is irrelevant — the widget works regardless.
+
+**Rotate the widget secret** (e.g. if it leaks):
+```
+cd stacks/forgejo && vault login -method=oidc
+../../scripts/tg apply --non-interactive -replace=cloudflare_turnstile_widget.forgejo_signup
+```
+This mints a new sitekey+secret, updates the `forgejo-turnstile` Secret, and (via
+the Reloader annotation) rolls the Forgejo pod. Verify the new sitekey appears in
+the `/user/sign_up` HTML afterwards.
+
+## Mailer — `email-secret.tf` + `[mailer]` env
+
+- Forgejo sends as **`noreply@viktorbarzin.me`** via **`mail.viktorbarzin.me:587`**
+  with `PROTOCOL=smtp+starttls`. This reuses the same mailserver SASL account
+  Authentik uses (`stacks/authentik/email-secret.tf`) — one credential, one
+  rotation point.
+- **The host MUST be `mail.viktorbarzin.me`, not `mailserver.mailserver.svc`**:
+  the mailserver serves the `*.viktorbarzin.me` wildcard cert, which does not
+  cover the `.svc` DNS name, so STARTTLS cert verification would fail.
+  `mail.viktorbarzin.me` resolves in-cluster (→ `10.0.20.1`) and matches the cert.
+- The password is synced from Vault `secret/authentik` → `smtp_password` by the
+  `forgejo-email` ExternalSecret (ESO `ClusterSecretStore vault-kv`) into the
+  `forgejo-email` K8s Secret (key `PASSWD`), referenced by `FORGEJO__mailer__PASSWD`.
+- The deployment carries `reloader.stakater.com/auto: "true"`, so a rotation of
+  either secret rolls the pod automatically.
+
+## GitHub sign-in (OAuth2 source)
+
+People can **sign up / sign in with GitHub** — the active Forgejo OAuth2 source. GitHub sign-up is **zero-click** (auto-registration creates the account on first login).
+
+> **Authentik is DISABLED on purpose** (2026-06-19). `ENABLE_AUTO_REGISTRATION` is GLOBAL across OAuth sources, and Authentik's `preferred_username` claim is the user's **email** — invalid as a Forgejo username, which 500'd auto-create. Viktor's Forgejo email (`me@viktorbarzin.me`) does not match his Authentik email (`vbarzin@gmail.com`), so account-linking can't bridge it. Per his directive GitHub was prioritised; the Authentik source was deactivated via `UPDATE login_source SET is_active=0 WHERE name='Authentik'` in the forgejo MySQL DB. **Re-enable** with `is_active=1` after fixing Authentik's username claim.
+
+- **Source** (Forgejo DB, *not* Terraform — added via CLI, same as Authentik):
+  ```
+  forgejo admin auth add-oauth --name github --provider github --key <client-id> --secret <client-secret>
+  ```
+  The source **name must stay `github`** — it is part of the callback URL
+  (`/user/oauth2/github/callback`) registered on the GitHub side, so renaming it
+  breaks the callback. `forgejo admin auth list` shows it (ID 2).
+- **GitHub OAuth App**: a classic OAuth App under the ViktorBarzin GitHub account
+  (Settings → Developer settings → OAuth Apps). Homepage
+  `https://forgejo.viktorbarzin.me`, callback
+  `https://forgejo.viktorbarzin.me/user/oauth2/github/callback`. GitHub has **no
+  API to create OAuth Apps** — creating it is a browser-only step.
+- **Credentials**: Vault `secret/viktor` → `forgejo_github_oauth_client_id` /
+  `forgejo_github_oauth_client_secret` (kept for recovery; the live values are in
+  Forgejo's DB).
+- **Auto-registration**: `FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION=true`
+  (`main.tf`) makes a first GitHub login create the account directly. The GitHub
+  identity is the trust gate for this path — the Turnstile captcha + email
+  confirmation only apply to the **native** signup form, not OAuth.
+
+**Rotate the GitHub client secret** — generate a new one in the GitHub OAuth App, then:
+```
+vault kv patch secret/viktor forgejo_github_oauth_client_secret=<new>
+POD=$(kubectl -n forgejo get pod -l app=forgejo -o jsonpath='{.items[0].metadata.name}')
+kubectl -n forgejo exec "$POD" -- su-exec git forgejo admin auth update-oauth --id 2 --secret <new>
+```
+(Source id from `forgejo admin auth list`.)
+
+**Recreate after a Forgejo DB loss**: the source is not in Terraform, so after a
+from-scratch restore, re-run the `add-oauth` command above with the Vault creds.
+
+## Re-closing / tightening signups
+
+Edit `stacks/forgejo/main.tf` and `scripts/tg apply` (or commit + push — CI
+applies):
+
+- **OAuth-only again** (revert this change): set
+  `FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION` back to `"true"`.
+- **No new accounts at all** (admins create them): set
+  `FORGEJO__service__DISABLE_REGISTRATION` to `"true"`.
+- **Require admin approval per signup** (strongest, instead of email confirm):
+  set `REGISTER_MANUAL_CONFIRM=true` **and** `REGISTER_EMAIL_CONFIRM=false`
+  (Forgejo makes the two mutually exclusive). New accounts then queue under Site
+  Administration → Identity & Access → Accounts until an admin activates them.
+
+## Handling spam / abuse accounts
+
+A signup that clears Turnstile + email confirmation is still a real, low-privilege
+Forgejo user. To deal with abuse:
+- **Ban/delete** via Site Administration → Identity & Access → Accounts, or
+  `forgejo admin user delete --username <name>` inside the pod
+  (`kubectl -n forgejo exec deploy/forgejo -- forgejo admin user ...`).
+- New users get Forgejo defaults (they can create repos/orgs). If abuse warrants,
+  tighten with `[service].DEFAULT_ALLOW_CREATE_ORGANIZATION=false` and/or
+  `[repository].MAX_CREATION_LIMIT` (add as env vars; out of scope for the initial
+  open-signups change).
+
+## Operational notes
+
+- The Forgejo deployment is **single-replica with `Recreate` strategy**, so any
+  config apply briefly restarts the pod (git remote + OCI registry unavailable for
+  a few seconds). Expected, not an incident.
+- The signup page is **not** behind Cloudflare's bot-fight (Forgejo is
+  non-proxied) — Turnstile + email confirmation are the bot gate. CrowdSec +
+  Traefik rate limiting still front the host.
+
+## Verify it's working
+
+```
+POD=$(kubectl -n forgejo get pod -l app=forgejo -o jsonpath='{.items[0].metadata.name}')
+# Env present:
+kubectl -n forgejo exec "$POD" -- env | grep -E 'ALLOW_ONLY_EXTERNAL|ENABLE_CAPTCHA|CAPTCHA_TYPE|CF_TURNSTILE_SITEKEY|REGISTER_EMAIL_CONFIRM|mailer__ENABLED'
+# Turnstile widget rendered on the form:
+kubectl -n forgejo exec "$POD" -- wget -qO- http://localhost:3000/user/sign_up | grep -oE 'cf-turnstile|data-sitekey="[^"]*"'
+# Secrets healthy:
+kubectl -n forgejo get externalsecret forgejo-email
+kubectl -n forgejo get secret forgejo-email forgejo-turnstile
+```
+A full real-world check is to register a throwaway account and confirm the
+activation email arrives. The mailer transport (server/port/cert/cred) is shared
+with Authentik, which is already in production for external user enrollment.
diff --git a/docs/runbooks/forgejo-registry-setup.md b/docs/runbooks/forgejo-registry-setup.md
index 16637c6d..aace9e76 100644
--- a/docs/runbooks/forgejo-registry-setup.md
+++ b/docs/runbooks/forgejo-registry-setup.md
@@ -119,8 +119,11 @@ cd infra/stacks/kyverno && scripts/tg apply
 cd infra/stacks/monitoring && scripts/tg apply
 cd infra/stacks/forgejo && scripts/tg apply
 
-# Containerd hosts.toml on each existing k8s node — VM cloud-init
-# only fires on first boot.
+# Resolved routing domain (+ vestigial containerd hosts.toml) on each
+# existing k8s node — VM cloud-init only fires on first boot. The routing
+# domain (~viktorbarzin.me -> Technitium) is what makes pulls hairpin-proof:
+# the hosts.toml mirror alone falls back to public DNS (Traefik 404s its
+# bare-IP requests, and the registry auth realm is an absolute public URL).
 infra/scripts/setup-forgejo-containerd-mirror.sh
 ```
 
@@ -135,7 +138,11 @@ docker pull alpine:3.20
 docker tag alpine:3.20 forgejo.viktorbarzin.me/viktor/smoketest:1
 docker push forgejo.viktorbarzin.me/viktor/smoketest:1
 
-# Pull from a k8s node.
+# Per-node pull path: routing domain active + name resolves to the live
+# Traefik LB (via Technitium split-horizon zone) + pull works.
+ssh wizard@<node> 'resolvectl status | grep -A2 "~viktorbarzin.me"; getent hosts forgejo.viktorbarzin.me'
+# Expect: DNS Domain ~viktorbarzin.me on server 10.0.20.201, and
+#         getent -> the current Traefik LB IP (10.0.20.203 today)
 ssh wizard@<node> sudo crictl pull forgejo.viktorbarzin.me/viktor/smoketest:1
 
 # Confirm the cluster-wide Secret was synced into a fresh namespace.
diff --git a/docs/runbooks/k8s-version-upgrade.md b/docs/runbooks/k8s-version-upgrade.md
index 847d2462..021c588f 100644
--- a/docs/runbooks/k8s-version-upgrade.md
+++ b/docs/runbooks/k8s-version-upgrade.md
@@ -2,21 +2,21 @@
 
 ## Overview
 
-Kubernetes component versions (`kubeadm`/`kubelet`/`kubectl`) on the 5 K8s
-VMs are upgraded automatically by a weekly detection CronJob that seeds a
-chain of small phase Jobs. Each Job is **pinned to a node that is NOT its
+Kubernetes component versions (`kubeadm`/`kubelet`/`kubectl`) on the 7 K8s
+nodes (k8s-master + k8s-node1..6) are upgraded automatically by a nightly
+detection CronJob that seeds a chain of small phase Jobs. Each Job is **pinned to a node that is NOT its
 drain target** — so no pod in the chain can preempt itself.
 
-The chain (Sun 12:00 UTC weekly):
+The chain (23:00 UTC nightly):
 
 ```
-detection CronJob → preflight Job → master Job → worker × 4 Jobs → postflight Job
+detection CronJob → preflight Job → master Job → one worker Job per worker (enumerated live) → postflight Job
 ```
 
 This is **independent** of the OS-side `unattended-upgrades + kured`
 pipeline (see `k8s-node-auto-upgrades.md`). They do not share rollouts.
 Schedules can overlap (kured runs daily 02:00-06:00 London; detection
-here runs Sun 12:00 UTC) — when a kured reboot lands within 24h of the
+here runs 23:00 UTC nightly) — when a kured reboot lands within 24h of the
 Sunday detection, the `RecentNodeReboot` alert in the Upgrade Gates
 group blocks the version-upgrade preflight, so the chain self-defers
 to the next Sunday rather than rolling on top of a half-fresh node.
@@ -24,7 +24,7 @@ to the next Sunday rather than rolling on top of a half-fresh node.
 ## Architecture
 
 ```
-k8s-version-check CronJob   (Sun 12:00 UTC, k8s-upgrade ns, SA: k8s-upgrade-job)
+k8s-version-check CronJob   (23:00 UTC nightly, k8s-upgrade ns, SA: k8s-upgrade-job)
   │ kubectl get nodes  → running version
   │ ssh master 'apt-cache madison kubeadm'  → latest patch (within current minor)
   │ HEAD pkgs.k8s.io/.../v<NEXT_MINOR>/deb/Release  → next minor available?
@@ -36,14 +36,17 @@ envsubst on /template/job-template.yaml  | kubectl apply -f -
   ▼
 
 Job 0 — preflight       (pinned: k8s-node1)
+  ├── compat-gate: addon/API/containerd support for target (else BLOCK+alert)
   ├── All nodes Ready + no Mem/Disk pressure
   ├── halt-on-alert (kured-style ignore-list)
   ├── 24h-quiet baseline (no Ready transitions <24h ago)
-  ├── kubeadm upgrade plan matches target
+  ├── kubeadm upgrade plan matches target (skipped when master already at target — partial-resume)
+  ├── apiserver-OIDC drift check: kubeadm upgrade diff drops --authentication-config? → Slack WARN (recoverable; not a block)
+  ├── reclaim kubeadm scratch: prune /etc/kubernetes/tmp/kubeadm-backup-* >3d on master (kubeadm leaks ~400MB etcd-db backups)
   ├── Push k8s_upgrade_in_flight=1, k8s_upgrade_started_timestamp=$(date +%s)
   ├── Trigger backup-etcd Job, wait, verify snapshot byte count
   ├── SSH master: containerd skew fix (if master < workers)
-  ├── SSH all 5 nodes: apt repo URL rewrite (only kind=minor)
+  ├── SSH all 7 nodes: apt repo URL rewrite (only kind=minor)
   └── spawn_next → k8s-upgrade-master-<target_version>
   ▼
 
@@ -76,14 +79,69 @@ Job 6 — postflight       (no pinning)
   └── Slack: ✅ K8s upgrade complete
 ```
 
-**Pin choices summarised:**
-- k8s-node1 hosts every Job that drains master or another worker. k8s-node1
-  itself is upgraded **last**.
-- k8s-master hosts Job 5 (which drains k8s-node1). Job 5's spec includes a
-  toleration for `node-role.kubernetes.io/control-plane:NoSchedule`.
-- If anyone reorders the worker sequence, the pin for Job 5 needs to track
-  whatever worker is upgraded last. The mapping is in `scripts/upgrade-step.sh`
-  → the `case "${PHASE}:${TARGET_NODE:-}"` block.
+**Pin choices summarised** (dynamic since 2026-06-17 — no hardcoded node list):
+- The **master-drain Job** runs on the first worker (the "runner"); since it
+  drains the control-plane node, it must not run there.
+- **Every worker-drain Job** runs on **k8s-master** (already upgraded by then),
+  with a `node-role.kubernetes.io/control-plane:NoSchedule` toleration — so a
+  Job never runs on the node it drains (self-preemption invariant).
+- The worker set + order come from `kubectl get nodes` at runtime
+  (`worker_nodes` / `next_pending_worker` in `scripts/upgrade-step.sh`), so
+  **adding a node needs no change** — the chain upgrades every worker still
+  off-target, then runs postflight. SSH uses node InternalIPs (no DNS needed).
+
+### Auto-upgrade compat gate
+
+The chain now attempts **patch AND minor** upgrades autonomously — but before any
+mutation, `phase_preflight` runs `compat-gate.py` **FIRST** and **REFUSES (blocks)
+the upgrade** if any of these hold for the detected target:
+
+- a **critical addon's running version doesn't support the target k8s minor**
+  (running version > the addon's highest-supported minor in the compat matrix),
+- an **in-use deprecated API is removed at/before the target** — measured live
+  from `apiserver_requested_deprecated_apis` (something is still calling a
+  group/version that the target k8s drops), or
+- a **node's containerd is below the target's floor** (the minimum containerd the
+  target k8s requires).
+
+The addon check is **scoped to minor jumps**: a target **at or below the running
+k8s minor** (a patch) crosses into no new minor, so the running cluster is itself
+proof the installed addons work there — `compat-gate.py` skips the addon ceilings
+when `target_minor <= running_minor`. (Without this a conservative ceiling such as
+ESO 0.12 → 1.31 would false-block a 1.34.x **patch** on a cluster already running
+1.34 — fixed 2026-06-20.) The deprecated-API and containerd checks are naturally
+inert for a patch (no API removal or containerd floor occurs inside a minor).
+
+This is the **"auto-upgrade when we can, halt + alert when we can't"** contract.
+
+**On a block**, the gate:
+- pushes `k8s_upgrade_blocked=1` to Pushgateway (→ the `K8sUpgradeBlocked`
+  Prometheus alert),
+- Slacks the **specific reasons** (which addon/API/node, current vs required), and
+- **halts the chain** — it exits **non-fatal** (the upgrade simply isn't safe yet,
+  this is not a failure). Because the block happens **before any mutation, no
+  rollback is involved**; nothing was changed.
+
+**To clear a block**: upgrade the named addon (or migrate the API caller off the
+deprecated group/version, or bump containerd on the named node) so the offending
+condition no longer holds. The **next nightly run then proceeds automatically** —
+no manual chain restart needed.
+
+The **compat matrix** lives in
+`stacks/k8s-version-upgrade/scripts/addon-compat.json` — a map of `addon → highest
+supported k8s minor`, populated from each addon's own compatibility docs. **Keep
+it current**; the gate reads it on every run. Gate logic:
+`stacks/k8s-version-upgrade/scripts/compat-gate.py`.
+
+> **Both** detector probes against `pkgs.k8s.io` follow the 302 redirect via `-L`:
+> the next-minor *availability* probe (`HEAD .../v<NEXT_MINOR>/deb/Release`) **and**
+> the next-minor *patch* probe (`GET .../v<NEXT_MINOR>/deb/Packages`, which resolves
+> the exact `X.Y.Z`). The Packages probe lacked `-L` until 2026-06-20 — `pkgs.k8s.io`
+> 302-redirects every request, so without it curl returned an empty body,
+> `NEXT_MINOR_PATCH` came back empty, and the detector silently fell through to
+> "No upgrade needed". That is why the **2026-06-19 nightly run no-op'd** instead of
+> resolving the 1.35 target. With both probes on `-L`, **minor versions are detected**
+> and gated behind the compat check above before the chain acts on them.
 
 ## Components
 
@@ -95,7 +153,7 @@ Job 6 — postflight       (no pinning)
 | **ConfigMap `k8s-upgrade-job-template`** | Mounts `/template/job-template.yaml` — universal Job manifest with envsubst placeholders. Rendered by upgrade-step.sh and the detection CronJob via `envsubst | kubectl apply`. |
 | **ServiceAccount `k8s-upgrade-job`** | Used by both the detection CronJob and every chain Job. ClusterRole binding grants: nodes get/list/patch, pods/eviction create, pods delete, batch/jobs CRUD, PDB list (for predrain_unstick), CronJob get (snapshot trigger), namespaces patch on `k8s-upgrade` only. Namespace-scoped Role binding grants secrets:get on `k8s-upgrade-creds`. |
 | **ExternalSecret `k8s-upgrade-creds`** | Syncs `secret/k8s-upgrade/{ssh_key, slack_webhook}` from Vault. Mounted into every Job at `/secrets/k8s-upgrade`. |
-| **CronJob `k8s-version-check`** | Sun 12:00 UTC. Probes apt + pkgs.k8s.io for target. If found, renders Job 0 from `job-template.yaml` and applies it. |
+| **CronJob `k8s-version-check`** | 23:00 UTC nightly. Probes apt + pkgs.k8s.io for target. If found, renders Job 0 from `job-template.yaml` and applies it. |
 
 ### Pushgateway metrics
 
@@ -115,7 +173,46 @@ Pushed by upgrade-step.sh during phase execution; observed by the
 - **`K8sVersionSkew`** — distinct kubelet/apiserver `gitVersion` count > 1 for 30m. Catches a half-done rollout.
 - **`EtcdPreUpgradeSnapshotMissing`** — `k8s_upgrade_in_flight==1 && k8s_upgrade_snapshot_taken==0` for 10m. Catches preflight Stage 2 failing silently.
 - **`K8sUpgradeStalled`** — `k8s_upgrade_in_flight==1 && time()-k8s_upgrade_started_timestamp > 5400` for 5m. Catches a Job in the chain dying without spawning its successor.
-- All three alerts ALSO block kured (same `--prometheus-url` halt-on-alert mechanism) so the OS-reboot pipeline can't run on top of a half-done version upgrade.
+- **`K8sUpgradeChainJobFailed`** — `(kube_job_status_failed{namespace="k8s-upgrade",job_name=~"k8s-upgrade-(preflight|master|worker|postflight)-.*",reason=~"BackoffLimitExceeded|DeadlineExceeded"} > 0) unless on() (k8s_upgrade_blocked == 1)` for 15m (warning). Catches a phase Job that **terminally failed before `k8s_upgrade_in_flight` was set** — the preflight gates exit pre-metric, so the two `in_flight`-based alerts above are blind to a failed preflight (this is what hid the 5-day 1.34.9 wedge on 2026-06-12). Reason-scoped to terminal job conditions so a retry-success doesn't false-positive (a bare failed-pod-count would otherwise also block kured for the Job's 7d TTL). The `unless k8s_upgrade_blocked == 1` clause (added 2026-06-21) excludes a preflight that failed because the **compat gate deliberately refused** the target — that's owned by `K8sUpgradeBlocked` and was double-firing here; a genuine wedge exits without setting the blocked gauge, so it still fires.
+- **`K8sUpgradeBlocked`** — `k8s_upgrade_blocked == 1` (warning). A k8s **auto-upgrade was refused** by the compat gate because a critical addon, an in-use deprecated API, or a node's containerd is too old for the detected target. The **specific reasons are in Slack**; clear it by upgrading the named addon / migrating the API caller / bumping containerd, after which the next nightly run proceeds (see "Auto-upgrade compat gate"). No upgrade was attempted, so this is not a half-done-rollout alert.
+- The first four alerts ALSO block kured (same `--prometheus-url` halt-on-alert mechanism) so the OS-reboot pipeline can't run on top of a half-done version upgrade.
+
+### Nightly upgrade report (Slack)
+
+CronJob `k8s-upgrade-nightly-report` (k8s-upgrade ns, `var.report_schedule`,
+default `7 6 * * *` = 06:07 UTC — after the 23:00 chain, before the 08:00 London
+alert-digest) posts ONE Slack summary each morning of the previous night's run:
+running version, detector freshness, detected target + kind, the outcome
+(⚪ no upgrade needed / 🔴 blocked + live blocker reasons / 🟢 upgraded /
+🟡 in progress / ⚠️ detector stale), and recent chain jobs. Read-only — it reads
+the Pushgateway gauges + live nodes/jobs and re-runs `compat-gate.py` for fresh
+blocker reasons; reuses the chain's SA + `slack_webhook` + scripts ConfigMap.
+Logic + unit tests: `scripts/nightly-report.py`, `scripts/test_nightly_report.py`.
+This is the day-to-day visibility layer (it does NOT replace the alerts above —
+those fire on problems; this reports the outcome every night). Manual run:
+`kubectl -n k8s-upgrade create job --from=cronjob/k8s-upgrade-nightly-report nightly-report-test`
+(name it WITHOUT a `k8s-upgrade-{phase}-` prefix so a failure can't trip
+`K8sUpgradeChainJobFailed`).
+
+### CoreDNS is NOT upgraded by kubeadm here
+
+CoreDNS runs a **custom split-horizon Corefile** (owned by the technitium stack)
+and its image is tracked separately — it must NOT be touched by kubeadm. The
+master `kubeadm upgrade apply` therefore runs with
+`--ignore-preflight-errors=CoreDNSMigration,CoreDNSUnsupportedPlugins
+--skip-phases=addon/coredns` (in `scripts/update_k8s.sh`), so kubeadm upgrades
+the control plane but leaves CoreDNS 100% untouched (image + Corefile). Without
+the `--skip-phases`, forcing past the preflight makes kubeadm overwrite the
+Corefile with its default and downgrade the image (verified via
+`kubeadm upgrade apply --dry-run`).
+
+**Keep CoreDNS off Keel.** On 2026-06-12 Keel had auto-bumped CoreDNS
+v1.12.1 → v1.12.4 (kube-system out-of-band annotation from the 2026-05-26 Keel
+cascade), and 1.12.4 is ahead of kubeadm 1.34.9's corefile-migration table —
+which is what blocked the 1.34.9 upgrade. CoreDNS is now `keel.sh/policy=never`
+(`kubectl -n kube-system annotate deploy/coredns keel.sh/policy=never`). If a
+future kubeadm minor ships a CoreDNS that DOES know the running version, drop the
+`--skip-phases` for that run to let kubeadm re-take ownership.
 
 ### Vault secrets
 
@@ -127,27 +224,54 @@ Exposed in K8s via ExternalSecret `k8s-upgrade-creds` in the `k8s-upgrade` names
 
 ## Common Operations
 
-### Post-upgrade: restore apiserver OIDC (REQUIRED after any control-plane bump)
+### apiserver OIDC + kubeadm upgrades (kubeadm-config reconciliation since 2026-06-24)
 
 `kubeadm upgrade apply` **regenerates `/etc/kubernetes/manifests/kube-apiserver.yaml`
-and drops the `--authentication-config` flag**, silently disabling apiserver
-OIDC (kubectl/kubelogin CLI **and** the web dashboard SSO break — tokens get
-401). This is not auto-detected (the `rbac` stack's `null_resource` trigger is a
-content hash that doesn't change). After any control-plane upgrade, re-apply:
+from kubeadm-config**. apiserver auth uses a structured multi-issuer
+`--authentication-config` (kubectl + dashboard SSO), but kubeadm-config used to
+still carry the legacy single-issuer `--oidc-*` extraArgs — so every upgrade
+reverted the flag, **silently breaking SSO after the upgrade** (the apiserver does
+NOT crash on this — verified by isolated repro; it's recoverable via the restore
+script below). NB: the **1.34→1.35 stall on 2026-06-24 was a *separate* issue —
+etcd IO starvation**, not this drift; post-mortem:
+`docs/post-mortems/2026-06-24-kubeadm-oidc-drift-apiserver-upgrade-stall.md`.
+
+**Primary fix (2026-06-24):** `stacks/rbac/modules/rbac/apiserver-oidc.tf` now
+**reconciles kubeadm-config** (`kubeadm init phase upload-config kubeadm`, rewriting
+`apiServer.extraArgs`: drop `--oidc-*`, add `--authentication-config`) as part of
+its remote script. So kubeadm regenerates a **correct** manifest and the apiserver
+upgrades with a pure image bump — `kubeadm upgrade diff <target>` shows only the
+image change. Zero live impact (the CM is read only during an upgrade).
+
+**Backstops:**
+- **Preflight check 4b** runs `kubeadm upgrade diff` and **alerts** (Slack WARN, does
+  NOT block — the drift only breaks SSO, which is recoverable) if
+  `--authentication-config` would still be dropped.
+- The `rbac` stack still publishes its restore script to the
+  `kube-system/apiserver-oidc-restore` ConfigMap, and `phase_master` re-runs it on
+  master right after `kubeadm upgrade apply` (idempotent, `/livez`-gated with
+  auto-rollback, non-fatal) — now redundant belt-and-suspenders that *also*
+  re-reconciles kubeadm-config. Self-skips when master is already at target.
+
+**Manual fallback** — only for an out-of-band/manual `kubeadm` upgrade, or if the
+chain logged `WARN: --authentication-config absent after re-apply`:
 
 ```bash
 cd stacks/rbac
 TF_VAR_ssh_private_key="$(cat ~/.ssh/id_ed25519)" \
   VAULT_ADDR=https://vault.viktorbarzin.me ../../scripts/tg apply \
-  --non-interactive -target=module.rbac.null_resource.apiserver_oidc_config
+  --non-interactive -target=module.rbac.null_resource.apiserver_oidc_config \
+  -replace=module.rbac.null_resource.apiserver_oidc_config
 ```
 
-(`ssh_private_key` must be a key authorized for `wizard@<master>`; it is not yet
-wired from Vault.) The provisioner re-writes `/etc/kubernetes/pki/auth-config.yaml`
-(both `kubernetes` + `k8s-dashboard` issuers), re-adds the flag, and
-health-gates `/livez` with auto-rollback. Verify: `curl -sk
-https://localhost:6443/livez` on the master = `ok`, and the apiserver manifest
-contains `--authentication-config`. See `docs/plans/2026-06-04-k8s-dashboard-sso-design.md`.
+(`-replace` is **required** — the `null_resource` trigger is a content hash that
+doesn't change, so a plain `-target` apply is a no-op. `ssh_private_key` must be a
+key authorized for `wizard@<master>`.) The provisioner re-writes
+`/etc/kubernetes/pki/auth-config.yaml` (both `kubernetes` + `k8s-dashboard`
+issuers), re-adds the flag, and health-gates `/livez` with auto-rollback. Verify:
+`curl -sk https://localhost:6443/livez` on the master = `ok`, and the apiserver
+manifest contains `--authentication-config`. See
+`docs/plans/2026-06-04-k8s-dashboard-sso-design.md`.
 
 ### Verify the pipeline is healthy
 ```bash
@@ -202,8 +326,18 @@ EOF
 ```
 
 ### Kill a stuck Job (chain halted mid-flight)
-The chain stalls if any Job dies without spawning its successor. `K8sUpgradeStalled`
-fires after 90 min. Recovery:
+A phase Job that dies without spawning its successor halts the chain. Two alerts
+surface it: `K8sUpgradeStalled` (a mid-chain Job that died with `in_flight=1`,
+after 90 min) and `K8sUpgradeChainJobFailed` (any phase that terminally failed,
+after 15 min — including a **preflight** that aborted before `in_flight` was set,
+which `K8sUpgradeStalled` cannot see).
+
+**Preflight failures now self-heal** (since 2026-06-17): the detection CronJob and
+`spawn_next` delete + re-spawn a terminally-Failed Job instead of skipping it on
+name-existence (retry-on-failure), so a transient preflight gate — e.g. a spurious
+critical alert like the ttyd web-terminal probe that wedged 1.34.9 for 5 days —
+clears on the next daily cycle. A mid-chain phase that keeps failing still needs
+manual recovery: fix the root cause, then:
 
 ```bash
 # 1. Identify the failed Job
@@ -323,6 +457,13 @@ kill %1
 
 ## Past Incidents
 
+### 2026-06-18 — Preflight gate-4 wedged a partial (master-ahead) chain
+- A prior 1.34.9 run upgraded k8s-master + k8s-node1, then stopped; node2-6 stayed on 1.34.8.
+- Every nightly preflight then aborted at the **kubeadm-plan-target gate**: `kubeadm upgrade plan` runs on k8s-master, already on 1.34.9, so it emitted no `kubeadm upgrade apply vX.Y.Z` line → empty `plan_target` → `'' != '1.34.9'` → `exit 1`. Deterministic, not transient (gates 1-3 all green; no critical alert was firing). The failed preflight self-cleaned each night (2026-06-17 retry-on-failure) but re-failed identically.
+- The two `in_flight`-based alerts stayed blind (preflight aborts pre-metric); `K8sUpgradeChainJobFailed` (warning) surfaced it.
+- **Collateral**: the earlier master bump had also dropped apiserver `--authentication-config` (SSO broke); restored separately via the `rbac` stack's `apiserver_oidc_config`.
+- **Mitigation**: `phase_preflight` now **skips the kubeadm-plan-target gate when k8s-master is already on TARGET_VERSION** (mirrors the at-target self-skip already in `phase_master`/`phase_worker`). Remaining workers are validated by their own phases; the detector's apt-cache probe already confirmed the target is installable.
+
 ### 2026-05-11 — Self-preemption (agent → Job-chain rewrite)
 - The v1 agent ran inside the `claude-agent-service` Deployment (replicas=1, no nodeSelector) and was scheduled to k8s-node4.
 - During Stage 6 (first worker drain) the agent ran `kubectl drain k8s-node4` — evicting itself.
@@ -336,6 +477,8 @@ kill %1
 |------|-------|
 | Stack (CronJob + ConfigMaps + SA/RBAC + ExternalSecret) | `infra/stacks/k8s-version-upgrade/main.tf` |
 | Universal phase body | `infra/stacks/k8s-version-upgrade/scripts/upgrade-step.sh` |
+| Compat gate (addon/API/containerd block logic) | `infra/stacks/k8s-version-upgrade/scripts/compat-gate.py` |
+| Compat matrix (addon → highest supported k8s minor) | `infra/stacks/k8s-version-upgrade/scripts/addon-compat.json` |
 | Job template | `infra/stacks/k8s-version-upgrade/job-template.yaml` |
 | Per-node upgrade script | `infra/scripts/update_k8s.sh` |
 | Upgrade Gates alerts | `infra/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl` (group "Upgrade Gates") |
diff --git a/docs/runbooks/mailserver-pfsense-haproxy.md b/docs/runbooks/mailserver-pfsense-haproxy.md
index 329be214..f0780caf 100644
--- a/docs/runbooks/mailserver-pfsense-haproxy.md
+++ b/docs/runbooks/mailserver-pfsense-haproxy.md
@@ -55,7 +55,7 @@ External mail (WAN) path — PROXY v2
 │  pfSense WAN:{25,465,587,993}                                       │
 │      │  NAT rdr → 10.0.20.1:{same}                                  │
 │      ▼                                                              │
-│  pfSense HAProxy  (mode tcp, 4 frontends, 4 backend pools)          │
+│  pfSense HAProxy  (mode tcp, 5 frontends, 6 backend pools)          │
 │      │  data: send-proxy-v2 → :{30125..30128}  (PROXY-aware pod)   │
 │      │  health: TCP-check    → :{30145..30147}  (no-PROXY pod)     │
 │      │  inter 5000                                                  │
@@ -113,6 +113,28 @@ kubectl logs -c docker-mailserver deployment/mailserver -n mailserver \
 # Expect external source IPs (e.g., Brevo 77.32.148.x), NOT 10.0.20.x
 ```
 
+## SNI-routed internal :443 frontend (2026-06-10)
+
+`internal_https_443` binds `10.0.20.1:443` + `10.0.10.1:443` and completes
+the internal port table of the mail front door so `mail.viktorbarzin.me`
+(internal A record → 10.0.20.1) serves webmail too. Routing (Viktor's
+design — route by what the client asked for):
+
+| Client connects with | Routed to |
+|---|---|
+| SNI = `pfsense.viktorbarzin.{lan,me}` | webgui backend `127.0.0.1:8443` |
+| any other SNI (hostnames, e.g. `mail.…`) | Traefik `10.0.20.203:443`, send-proxy-v2 |
+| no SNI (bare IP — `https://10.0.20.1`) | webgui backend `127.0.0.1:8443` |
+
+The **pfSense webGUI was moved to `:8443`** (config.xml
+`system.webgui.port`, 2026-06-10) to free the 443 socket; admin access by
+IP keeps working through the no-SNI route, and `:8443` remains a direct
+fallback if HAProxy is down. The `pfsense.viktorbarzin.me` Traefik ingress
+(stacks/reverse-proxy) targets `:8443` directly. Traefik leg mirrors the
+IPv6 bridge: send-proxy-v2 (Traefik trusts 10.0.20.1), **no health check**
+(PROXY-expecting receivers reject bare probes — gotcha above). All of this
+is declared in `pfsense-haproxy-bootstrap.php` — re-run to reset.
+
 ## Bootstrap / restore from scratch
 
 pfSense HAProxy config lives in `/cf/conf/config.xml` under
diff --git a/docs/runbooks/offboard-user.md b/docs/runbooks/offboard-user.md
index 104f4fcd..05c0c5a8 100644
--- a/docs/runbooks/offboard-user.md
+++ b/docs/runbooks/offboard-user.md
@@ -29,7 +29,26 @@ gated `userdel_archive`, which is **never** auto-applied).
    sudo systemctl disable --now t3-serve@<os_user>.service
    sudo passwd -l <os_user>
    ```
-4. **Verify:** they can no longer reach `t3.viktorbarzin.me` (302 → Authentik, then
+4. **Revoke git + group access** *(manual)*:
+   ```bash
+   # legacy secret-bearing group, if they were ever in it
+   sudo gpasswd -d <os_user> code-shared
+   # drop write access to the infra repo
+   curl -X DELETE -H "Authorization: token <admin_pat>" \
+     https://forgejo.viktorbarzin.me/api/v1/repos/viktor/infra/collaborators/<forgejo_login>
+   # if they were whitelisted for direct master push, remove them from the
+   # branch-protection whitelists (PATCH with the remaining usernames)
+   curl -X PATCH -H "Authorization: token <admin_pat>" -H 'Content-Type: application/json' \
+     https://forgejo.viktorbarzin.me/api/v1/repos/viktor/infra/branch_protections/master \
+     -d '{"push_whitelist_usernames":["viktor"],"merge_whitelist_usernames":["viktor"]}'
+   # revoke their devvm git PAT (token name: devvm-infra-git; admin PAT may
+   # manage other users' tokens — verified 2026-06-10; the CLI has no delete)
+   curl -X DELETE -H "Authorization: token <admin_pat>" \
+     https://forgejo.viktorbarzin.me/api/v1/users/<forgejo_login>/tokens/devvm-infra-git
+   ```
+   Note: their already-running sessions keep dropped groups until cycled — restart
+   `t3-serve@<os_user>` to enforce immediately.
+5. **Verify:** they can no longer reach `t3.viktorbarzin.me` (302 → Authentik, then
    denied once removed from the `T3 Users` group — Part C) and cannot log in. Nothing
    is deleted; re-adding the roster entry + reconcile fully restores them.
 
diff --git a/docs/runbooks/pfsense-unbound.md b/docs/runbooks/pfsense-unbound.md
index 19e0e5dc..bfa2a19e 100644
--- a/docs/runbooks/pfsense-unbound.md
+++ b/docs/runbooks/pfsense-unbound.md
@@ -93,6 +93,55 @@ Verify via the Technitium API:
 curl -sk "http://127.0.0.1:5380/api/zones/options/get?token=$TOK&zone=viktorbarzin.lan" | jq .response.zoneTransfer
 ```
 
+## Domain Override: viktorbarzin.me → Technitium (2026-06-10)
+
+`$config['unbound']['domainoverrides']` carries one entry forwarding the
+whole `viktorbarzin.me` zone to Technitium `10.0.20.201` (forward-zone, not
+AXFR). Every Unbound client — all VLANs + 192.168.1.x via the WAN listener —
+gets Technitium's internal split-horizon answers: ingress hosts CNAME to the
+zone apex whose A record auto-tracks the live Traefik LB IP
+(`technitium-ingress-dns-sync` + `viktorbarzin-apex-probe` canary). This is
+what keeps kubelet forgejo image pulls (and everything else on 10.0.x) off
+the broken public NAT-hairpin with zero per-host DNS config — see
+`docs/post-mortems/2026-06-10-tuya-bridge-forgejo-pull-hairpin.md`.
+
+Notes:
+
+- The domain is NOT DNSSEC-signed (no DS records), so no `domain-insecure`
+  needed; private-IP answers pass without `private-domain` custom options
+  (verified empirically — pfSense handles domain overrides correctly).
+- **Cluster-outage behavior**: the zone SERVFAILs while Technitium is down
+  (forward-zone, no local copy). Deliberate — the services are down anyway.
+  Contrast with `viktorbarzin.lan`, which is AXFR-slaved to survive outages.
+- **In-cluster pods must NOT see these answers** (Traefik LB is ETP=Local,
+  unreachable from pods). CoreDNS has a dedicated `viktorbarzin.me:53`
+  carve-out (stacks/technitium) — do not remove it while this override exists.
+- Added with the standard SSH + PHP pattern (see "host override" memories /
+  this file's style):
+
+```php
+require_once("config.inc"); require_once("unbound.inc");
+global $config;
+$config["unbound"]["domainoverrides"][] = [
+  "domain" => "viktorbarzin.me", "ip" => "10.0.20.201",
+  "descr" => "...", "tls_hostname" => "",
+];
+write_config("add viktorbarzin.me domain override -> Technitium");
+services_unbound_configure();
+```
+
+Rollback: remove the entry from the array (match on `domain`), then
+`write_config()` + `services_unbound_configure()`. Pre-change backup:
+`/cf/conf/config.xml.bak-2026-06-10-pre-me-forward` (on-box).
+
+Verify:
+
+```
+dig +short @10.0.20.1 forgejo.viktorbarzin.me   # apex CNAME + live Traefik IP
+dig +short @10.0.20.1 mail.viktorbarzin.me      # 10.0.20.1 (non-Traefik record)
+dig +short @10.0.20.1 google.com                # public, unaffected
+```
+
 ## Operational Checks
 
 ```bash
diff --git a/docs/runbooks/t3-drop-attribution.md b/docs/runbooks/t3-drop-attribution.md
new file mode 100644
index 00000000..df4cef09
--- /dev/null
+++ b/docs/runbooks/t3-drop-attribution.md
@@ -0,0 +1,126 @@
+# t3 drop attribution — "is it infra or my network?"
+
+When a t3 user reports "disconnects, then self-recovers after a few seconds",
+that is the t3 **client watchdog**: the browser heartbeats every 10s and force-
+reconnects after >20s without a response. Any stall or break anywhere on
+browser → Cloudflare → tunnel → Traefik → t3-dispatch → `t3 serve` produces
+the identical symptom. This runbook attributes a drop to a segment in minutes.
+
+## 1. Check the probe (first stop)
+
+The in-cluster `t3-probe` (stacks/t3code, scrape job `t3-probe`) holds three
+permanent legs that differ only in path segment:
+
+| leg | path under test | drop means |
+|---|---|---|
+| `cloudflare` | WAN → CF edge → tunnel → cloudflared → Traefik → dispatch | Cloudflare/WAN segment |
+| `internal` | Traefik LB (10.0.20.203) → dispatch (no Cloudflare) | Traefik / dispatch / devvm network |
+| `t3serve` | HTTP straight to devvm:3773 (`t3 serve` process) | the serve process itself (event-loop stall) |
+
+Prometheus queries:
+
+```promql
+increase(t3probe_disconnects_total[1h])          # drops per leg+reason
+t3probe_connected                                # current state per leg
+histogram_quantile(0.99, rate(t3probe_rtt_seconds_bucket{leg="t3serve"}[15m]))
+```
+
+Attribution table:
+
+- `cloudflare` drops, `internal` clean → Cloudflare edge / QUIC tunnel / WAN.
+- both WS legs drop together → Traefik, dispatch, or devvm reachability.
+- `t3serve` RTT spikes / timeouts → the user's `t3 serve` stalled (see §3).
+- **all legs clean while the user dropped → their last mile / device. Infra
+  is exonerated, with data.**
+
+Alerts `T3ProbeLegDown` / `T3ProbeDropBurst` fire on sustained breakage.
+
+## 1b. Connection logs in Loki (passive, always-on — catch a real drop)
+
+Three layers of the real path log every t3 `/ws` connection to Loki, so a drop
+the user actually experienced is attributable after the fact without a repro. A
+drop is **a short-lived `/ws` connection** (a healthy session holds one socket
+for hours); the client's 20s heartbeat watchdog reconnects on any break.
+
+| Layer | Loki stream | What it tells you |
+|---|---|---|
+| Traefik | `{job="traefik"}` ⟶ filter `t3code-t3` + `GET /ws` | per-connection **duration** (trailing `…ms`) + edge (cloudflared pod) IP |
+| cloudflared | `{job="cloudflared"}` ⟶ filter `t3.viktorbarzin.me/ws` | CF-tunnel-side close (`ended abruptly: context canceled` = browser/CF side hung up) |
+| t3-dispatch | `{job="devvm-journal",unit="t3-dispatch.service"} \|= "ws close"` | **`dur_ms` + `cause`** — the discriminator below |
+
+`cause` on the dispatch `ws close` line:
+- **`downstream_closed`** — client / Cloudflare / Traefik tore the socket down
+  (`context canceled`). Short `dur_ms` = client watchdog firing → a **last-mile /
+  network-quality** drop (or CF/tunnel blip); t3-serve was fine.
+- **`upstream_closed`** — the user's `t3 serve` closed/reset (reset by peer / EOF
+  / refused) → t3-serve stall/restart/OOM.
+- **`graceful`** — clean close from either side (e.g. the client watchdog's
+  `disconnect()` after a >20s heartbeat gap). Cross-check `dur_ms`: a ~20s+
+  graceful close with no devvm pressure spike (§3) is a heartbeat-timeout whose
+  stall was NOT on devvm → last-mile.
+
+Triage query (Grafana Explore → Loki) — every short t3 socket in a window:
+
+```logql
+{job="devvm-journal", unit="t3-dispatch.service"} |= "ws close"
+  | regexp `dur_ms=(?P<dur>[0-9]+) cause=(?P<cause>\S+)` | dur < 120000
+```
+
+Line the timestamp up against `{job="traefik"}` (duration + edge IP) and
+`{job="cloudflared"}` (CF-side close) for the same second to localise the layer.
+devvm journald (incl. `t3-serve@<user>`) ships via `scripts/devvm-promtail.*`.
+
+## 2. Server-side log recipe (per-event forensics)
+
+On devvm (timestamps in UTC):
+
+```bash
+# dispatch view — error class identifies which side died:
+#   "context canceled"                      = front/client side tore down
+#   "connection reset by peer 127.0.0.1:PORT" = that user's serve closed
+#   "connection refused"                    = that user's serve was down
+journalctl -u t3-dispatch --since "1 hour ago" | grep "proxy error"
+
+# mass-cancel bursts (many same-second cancels = shared-segment break):
+journalctl -u t3-dispatch --since "6 hours ago" \
+  | grep -oE '^.* [0-9:]+ http: proxy error: context canceled' \
+  | awk '{print $6}' | sort | uniq -c | awk '$1>=5'
+
+# serve-side starvation markers (git taking >5s = devvm frozen):
+journalctl -u t3-serve@<user> --since "6 hours ago" | grep "timed out"
+
+# tunnel-side: cloudflared pod restarts + per-connection events
+kubectl -n cloudflared get pods
+kubectl -n cloudflared logs <pod> --since=6h | grep -E "ERR|reconnect"
+```
+
+## 3. devvm pressure correlation
+
+devvm node_exporter is scraped as job `devvm` (since 2026-06-10). The known
+high-frequency drop mechanism is **memory+IO pressure on devvm**: agent
+processes live inside `t3-serve@<user>`'s cgroup; a runaway agent swap-thrashes
+the spinning root disk and freezes the box in multi-10s windows — every
+connected client's watchdog fires at once (2026-06-10: a 10.8G agent → global
+OOM → 8.5min hard outage).
+
+```promql
+rate(node_pressure_io_stalled_seconds_total{instance="devvm"}[5m])
+rate(node_pressure_memory_stalled_seconds_total{instance="devvm"}[5m])
+node_memory_SwapFree_bytes{instance="devvm"}
+```
+
+Guardrails in place (2026-06-10, `scripts/t3-serve@.service`): per-unit
+`MemoryHigh=12G`, `MemoryMax=16G`, `MemorySwapMax=0`, `OOMPolicy=continue` —
+a runaway agent now OOMs alone inside the cgroup instead of taking the box
+(and the WS server) with it.
+
+## 4. Known root causes (2026-06-10 investigation)
+
+1. **devvm memory/IO storms** (high-frequency mechanism) — §3.
+2. **cloudflared in-place autoupdate** — fixed: `--no-autoupdate`
+   (stacks/cloudflared). Before the fix every CF release exited all 3 pods
+   (code 11), severing all tunnel WebSockets.
+3. **QUIC tunnel churn** (~1–2/day, "no recent network activity") — inherent;
+   visible as `cloudflare`-leg-only blips.
+4. **t3 nightly autoupdate** — pinned after the 2026-06-09 outage, see
+   `docs/post-mortems/2026-06-09-t3-nightly-autoupdate-auth-outage.md`.
diff --git a/docs/runbooks/t3-version-bump.md b/docs/runbooks/t3-version-bump.md
new file mode 100644
index 00000000..cf8359e5
--- /dev/null
+++ b/docs/runbooks/t3-version-bump.md
@@ -0,0 +1,117 @@
+# Runbook: t3 version — gated nightly tracker (freeze / revert / roll back)
+
+t3 on the devvm **auto-tracks the `nightly` npm dist-tag** (Viktor, 2026-06-16,
+risk explicitly accepted), via the daily `t3-autoupdate` timer. Every bump is
+GATED so a bad nightly self-heals instead of repeating 2026-06-09. This reverses
+the post-incident pin decision — read `2026-06-09-t3-nightly-autoupdate-auth-outage.md`
+for why every guard below exists. t3 is still pre-1.0 and ships breaking changes
+between builds; the gate is what makes auto-tracking safe.
+
+## How the tracker gates each bump  (`scripts/t3-autoupdate.sh`)
+
+1. **Freeze gate** — `/etc/t3-autoupdate.freeze` present (or `T3_PIN=<ver>` set) →
+   hold at current, do nothing.
+2. **Resolve + downgrade-guard** — `npm view t3@nightly version`; proceed only if
+   the target is strictly newer than installed AND a `-nightly.` build (the tag is
+   mutable and can point backward).
+3. **Pre-bump backup** — online `VACUUM INTO` of every user's `state.sqlite` to
+   `/var/backups/t3-state/<u>/state-prebump-<ver>-<ts>.sqlite` (runs AS the owner;
+   never stops a serve). Rollback is then a RESTORE, not sqlite surgery.
+4. **Install + health-check** — `npm i -g t3@<ver>`, then start a throwaway serve
+   SEEDED WITH A COPY of wizard's real populated `state.sqlite` (scratch on
+   `/var/tmp`, not the 2 GB tmpfs `/tmp`) so it exercises the forward MIGRATION
+   (the 2026-06-09 failure class) + the real mint→exchange→`t3_session` pairing
+   handshake. Fail → roll back binary to last-good, exit (no serve migrated yet →
+   clean).
+5. **Canary rollout** — restart IDLE instances one at a time, verifying pairing
+   through the real dispatch after each. First failure → roll back binary +
+   restore that user's DB from the pre-bump backup + **self-freeze** (touch the
+   freeze file) so it cannot re-flap onto bad builds. Active-agent instances are
+   DEFERRED (never killed) and migrate on their next idle restart.
+6. **Last-good** — advanced to the new version only on full success
+   (`/var/lib/t3-autoupdate/last-good`); it is the rollback target.
+
+Detection backstop (real-user pairing failures / endpoint fallback): the dispatch
+logs every outcome (`paired user=.. endpoint=.. fallback=..`, plus `mint/pairing
+... failed`) → Loki alerts `T3PairingBroken` / `T3PairFallbackHigh` /
+`T3AutoUpdateRolledBack` / `T3AutoUpdateRollbackFailed` / `T3AutoUpdateFrozen` →
+Alertmanager → Slack.
+
+## Idle migrator — draining deferrals  (`scripts/t3-migrate-idle.sh`)
+
+Step 5 DEFERS any instance with an active agent, recording `/var/lib/t3-autoupdate/deferred/<user>` (= the target version). Without a drainer, a user busy at every 04:00 window never migrates and their client shows *"Client and server versions differ"* for days. `t3-migrate-idle.timer` (overnight, every 20 min 01:00–05:40) drains those markers:
+
+- Per marker: skip + clear if the unit is gone or was already restarted *after* the deferral; otherwise restart the still-stale `t3-serve@<u>` onto the current binary **only when that user is idle** — `state.sqlite` shows zero `active_turn_id` (no in-flight turn) AND ≥ `T3_MIGRATE_QUIET_SECONDS` (default 900 = 15 min) since the last thread activity — then verify pairing and clear the marker. **Fail-closed:** any query/parse doubt → skip, retry next tick.
+- It restarts via the SAME `safe_restart_unit` the daily canary uses (sourced `t3-safe-restart.sh`: backup → restart → verify → recover). The shared `/etc/t3-autoupdate.freeze` halts it too.
+- **Force / preview:**
+  ```bash
+  sudo systemctl start t3-migrate-idle.service           # run a drain pass now (still idle-gated)
+  sudo env T3_DRY_RUN=1 /usr/local/bin/t3-migrate-idle   # log decisions, act on nothing
+  ```
+- **Rare-tail failure:** if a deferred user's forward migration fails at idle restart (already gated against a copy of their real DB at install), `safe_restart_unit` restores their DB + freezes + alerts. The binary rollback is a no-op (the build was already accepted, so other users are unaffected), but that user's serve may crashloop on the restored DB until the freeze is cleared and the build investigated (manual rollback below).
+
+## Operations
+
+**Freeze / revert (stop tracking right now — the fast "make it stop"):**
+```bash
+sudo touch /etc/t3-autoupdate.freeze     # holds at the current build; next run is a no-op + fires T3AutoUpdateFrozen
+sudo rm -f /etc/t3-autoupdate.freeze     # resume tracking
+```
+
+**Pin to an exact version (instead of tracking nightly):** set `T3_PIN=<ver>` in
+the unit environment (or the `scripts/t3-autoupdate.sh` default) — the tracker
+enforces it and stops following nightly. Keep in sync with `setup-devvm.sh`.
+
+**Preview the current nightly without touching anything (no global change, no restarts):**
+```bash
+sudo T3_DRY_RUN=1 /usr/local/bin/t3-autoupdate   # installs candidate to a temp prefix, runs the full gate, reports PASS/FAIL
+```
+
+**Force a run now (instead of waiting for 04:00):**
+```bash
+sudo systemctl start t3-autoupdate.service   # runs in its own cgroup, isolated from the t3-serve@ instances it manages
+```
+
+## What a bump touches (still true)
+
+1. **Pairing API** — t3 renamed `POST /api/auth/bootstrap` → `/api/auth/browser-session`
+   in 0.0.25. `t3-dispatch` is version-agnostic (`pairEndpoints` in
+   `scripts/t3-dispatch/main.go` tries browser-session, falls back to bootstrap).
+   If a future build renames it AGAIN, the health-check + canary fail the bump and
+   self-freeze — then add the new path to `pairEndpoints`, rebuild + redeploy the
+   dispatch, and clear the freeze.
+2. **Schema** — 0.0.25+ migrate every `~/.t3/userdata/state.sqlite` FORWARD — a
+   **one-way door**. A binary downgrade alone does NOT roll it back; you must
+   restore the DB. The tracker does this automatically on a canary failure; do it
+   by hand (below) if a problem surfaces *after* a successful bump.
+
+## Manual rollback (problem surfaces after a bump the gate let through)
+
+```bash
+GOOD=$(cat /var/lib/t3-autoupdate/last-good)   # or the known-good version you want
+sudo touch /etc/t3-autoupdate.freeze           # stop the tracker FIRST
+sudo npm i -g "t3@$GOOD"
+# Restore + restart each user's serve. The wizard/admin instance: run this from
+# OUTSIDE its own t3 session (stopping the serve you're running inside kills you);
+# or just let it pick up $GOOD on its next natural restart.
+for u in $(awk -F= '!/^[[:space:]]*#/&&NF==2{gsub(/ /,"",$2);print $2}' /etc/ttyd-user-map | sort -u); do
+  bak=$(sudo ls -1t /var/backups/t3-state/$u/state-prebump-* 2>/dev/null | head -1)
+  [ -n "$bak" ] || continue
+  sudo systemctl stop t3-serve@$u
+  sudo install -o "$u" -g "$u" -m600 "$bak" /home/$u/.t3/userdata/state.sqlite
+  sudo rm -f /home/$u/.t3/userdata/state.sqlite-wal /home/$u/.t3/userdata/state.sqlite-shm
+  sudo systemctl start t3-serve@$u
+done
+```
+
+## Verify (any user pairs cleanly through the dispatch)
+
+```bash
+for u in vbarzin emil.barzin ancaelena98; do
+  curl -sI -H "X-authentik-username: $u" http://10.0.10.10:3780/ | grep -iE 'HTTP/|set-cookie: t3_session'
+done   # each must be 302 + t3_session
+t3 --version
+```
+
+(The 2026-06-09 incident had no pre-bump backup, so rollback meant per-user sqlite
+surgery. The tracker now takes a guaranteed pre-bump snapshot — rollback is a restore.)
diff --git a/modules/create-template-vm/cloud_init.yaml b/modules/create-template-vm/cloud_init.yaml
index fcd634e3..11a86b6e 100644
--- a/modules/create-template-vm/cloud_init.yaml
+++ b/modules/create-template-vm/cloud_init.yaml
@@ -8,6 +8,13 @@ users:
     sudo: ALL=(ALL) NOPASSWD:ALL
     ssh_authorized_keys:
       - ${authorized_ssh_key}
+      # k8s-upgrade pipeline key (matches Vault secret/k8s-upgrade/ssh_key_pub).
+      # The automated k8s-version-upgrade chain SSHes in as `wizard` to drain +
+      # upgrade each node; WITHOUT this a freshly-provisioned node is invisible
+      # to the upgrade pipeline (node4/5/6 hit exactly this — Permission denied —
+      # 2026-06-17). Hardcoded: it's a public key and the keypair is stable; if
+      # it's ever rotated, update this line and Vault together.
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElH9x76UNA8UNxrxTjREYz4hz1fbCdRwAXbOkJ5FnSM k8s-upgrade-pipeline
     passwd: ${passwd}
     lock_passwd: false # enable passwd login
     shell: /bin/bash
@@ -90,20 +97,24 @@ runcmd:
   - sed -i 's/#Compress=yes/Compress=yes/' /etc/systemd/journald.conf
   - systemctl restart systemd-journald
   %{if is_k8s_template}
-  # systemd-resolved global DNS fallback. Without this, only the
-  # link-level DNS from Proxmox's `qm set --nameserver` (Technitium,
-  # 10.0.20.201) is consulted — and Technitium returns NXDOMAIN for
-  # forgejo.viktorbarzin.me, so kubelet image pulls from the Forgejo
-  # registry break. Public DNS upstream + Technitium fallback matches
-  # the pre-existing manual setup on k8s-node1..4.
-  - mkdir -p /etc/systemd/resolved.conf.d
-  - |
-    cat > /etc/systemd/resolved.conf.d/global-dns.conf <<'EOF'
-    [Resolve]
-    DNS=8.8.8.8 1.1.1.1
-    FallbackDNS=10.0.20.201
-    EOF
-  - systemctl restart systemd-resolved
+  # Node DNS is intentionally STOCK — no resolved drop-ins, no /etc/hosts
+  # pins. Link nameservers come from Proxmox `qm set --nameserver
+  # "10.0.20.1 94.140.14.14"` (pfSense + public secondary; set this when
+  # cloning a new node VM). Internal split-horizon for *.viktorbarzin.me
+  # happens at pfSense Unbound: a domain override forwards the zone to
+  # Technitium (10.0.20.201), whose split-horizon zone CNAMEs every ingress
+  # host to the apex A record that auto-tracks the live Traefik LB IP — so
+  # every VLAN client, nodes included, gets internal answers with zero
+  # per-host config (2026-06-10; runbook: docs/runbooks/pfsense-unbound.md).
+  # Pods get the SAME internal answers via CoreDNS's `viktorbarzin.me:53`
+  # block forwarding to the Technitium ClusterIP (+ forgejo pinned to
+  # Traefik's ClusterIP for Technitium-outage resilience; stacks/technitium.
+  # Pods reach the ETP=Local LB IP fine on k8s 1.34 — verified 2026-06-10).
+  # History: a global-dns.conf drop-in (public DNS primary) lived here until
+  # 2026-06-10. Its rationale ("Technitium NXDOMAINs forgejo.viktorbarzin.me")
+  # had long been obsolete, and it steered fresh forgejo pulls onto the broken
+  # public NAT-hairpin (7.5h tuya-bridge outage — see
+  # docs/post-mortems/2026-06-10-tuya-bridge-forgejo-pull-hairpin.md).
   # Re-enabled 2026-05-10: unattended-upgrades is back on, but with a tight
   # Allowed-Origins list, a Package-Blacklist for k8s/containerd/runc/calico,
   # and Automatic-Reboot disabled (kured + sentinel-gate handles reboots in a
diff --git a/modules/create-template-vm/k8s-node-containerd-setup.sh b/modules/create-template-vm/k8s-node-containerd-setup.sh
index 20054876..98a71739 100755
--- a/modules/create-template-vm/k8s-node-containerd-setup.sh
+++ b/modules/create-template-vm/k8s-node-containerd-setup.sh
@@ -49,10 +49,16 @@ server = "https://ghcr.io"
   capabilities = ["pull", "resolve"]
 GHCR
 
-# Forgejo OCI registry: prefer in-cluster Traefik LB (10.0.20.200) to
-# avoid hairpin NAT. Traefik serves the *.viktorbarzin.me wildcard so
-# SNI verification succeeds. If the mirror is unreachable, fall back to
-# public DNS resolution (needs the global DNS fallback set up below).
+# Forgejo OCI registry. NOTE: this hosts.toml mirror is VESTIGIAL — it
+# cannot keep pulls off the public hairpin on its own (Traefik routes by
+# Host/SNI and 404s the mirror's bare-IP requests, and the registry's
+# Bearer auth realm is the absolute https://forgejo.viktorbarzin.me/v2/token
+# URL fetched outside the mirror). What actually keeps forgejo pulls
+# internal is the pfSense Unbound domain override forwarding
+# viktorbarzin.me -> Technitium, whose split-horizon zone serves the live
+# Traefik LB IP (no node-side DNS config at all).
+# Kept for config uniformity; harmless. See
+# docs/post-mortems/2026-06-10-tuya-bridge-forgejo-pull-hairpin.md.
 mkdir -p /etc/containerd/certs.d/forgejo.viktorbarzin.me
 cat > /etc/containerd/certs.d/forgejo.viktorbarzin.me/hosts.toml <<'FORGEJO'
 server = "https://forgejo.viktorbarzin.me"
diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
index 0f239fb4..fc9bc9f5 100644
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@@ -107,10 +107,6 @@ variable "custom_content_security_policy" {
   type    = string
   default = null
 }
-variable "exclude_crowdsec" {
-  type    = bool
-  default = false
-}
 variable "full_host" {
   type    = string
   default = null
@@ -310,7 +306,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
         "traefik-error-pages@kubernetescrd",
         var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
         var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
-        var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
         local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
         local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
         local.auth_middleware,
diff --git a/scripts/apply-mbps-caps.sh b/scripts/apply-mbps-caps.sh
index 39bfb36b..5358f7db 100755
--- a/scripts/apply-mbps-caps.sh
+++ b/scripts/apply-mbps-caps.sh
@@ -27,6 +27,12 @@ TARGETS=(
   "220:scsi0:40:40"      # docker-registry
 )
 
+# Sort a disk spec's comma-separated options so two specs with the same
+# option set but different key order compare equal.
+normalized() {
+  tr ',' '\n' <<<"$1" | LC_ALL=C sort | paste -sd, -
+}
+
 apply_one() {
   local spec="$1"
   local vmid slot rd wr
@@ -49,8 +55,13 @@ apply_one() {
   newvalue="${cleaned},mbps_rd=${rd},mbps_wr=${wr}"
 
   # Skip the qm-set call entirely when state already matches — keeps
-  # journal noise low under the hourly timer.
-  if [[ "$current" == "$newvalue" ]]; then
+  # journal noise low under the hourly timer. Compare option SETS, not raw
+  # strings: `qm config` prints keys in its own canonical order, so a raw
+  # compare never matched and every hourly run re-issued `qm set`, which
+  # live-rewrites the running VM's QEMU throttle state via QMP (implicated
+  # in the 2026-06-11 devvm I/O stall — see
+  # docs/post-mortems/2026-06-11-devvm-qemu-io-stall.md).
+  if [[ "$(normalized "$current")" == "$(normalized "$newvalue")" ]]; then
     echo "vmid $vmid: $slot already at mbps_rd=${rd},mbps_wr=${wr} — no-op"
     return 0
   fi
diff --git a/scripts/breakglass-firewall.sh b/scripts/breakglass-firewall.sh
new file mode 100644
index 00000000..51260cb9
--- /dev/null
+++ b/scripts/breakglass-firewall.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Break-glass base firewall (redesigned 2026-06-11; replaced the port-knock gate).
+#
+# Source of truth. Deploy to the PVE host with:
+#   scp scripts/breakglass-firewall.sh root@192.168.1.127:/usr/local/sbin/breakglass-firewall.sh
+#   ssh root@192.168.1.127 'chmod 0755 /usr/local/sbin/breakglass-firewall.sh && systemctl restart breakglass-firewall.service'
+# The breakglass-firewall.service oneshot runs this at boot (RemainAfterExit).
+#
+# Model: key-only SSH break-glass on :52222, openly reachable from the WAN, NO
+# port-knock. The SSH key is the gate (brute-force-proof); the rate-limit below
+# only trims scanner noise / slows a hypothetical sshd 0-day.
+#   :22    -> LAN admin (all of root's keys), always allowed.
+#   :52222 -> WAN break-glass. LAN/VLAN sources bypass the limit; external NEW
+#             connections are rate-limited per source IP, then accepted.
+iptables -N BREAKGLASS 2>/dev/null || iptables -F BREAKGLASS
+iptables -C INPUT -j BREAKGLASS 2>/dev/null || iptables -I INPUT 1 -j BREAKGLASS
+
+iptables -A BREAKGLASS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A BREAKGLASS -p tcp --dport 22 -j ACCEPT
+iptables -A BREAKGLASS -p tcp --dport 52222 -s 192.168.1.0/24 -j ACCEPT
+iptables -A BREAKGLASS -p tcp --dport 52222 -s 10.0.0.0/8 -j ACCEPT
+iptables -A BREAKGLASS -p tcp --dport 52222 -m conntrack --ctstate NEW \
+  -m hashlimit --hashlimit-name bg_ssh --hashlimit-mode srcip \
+  --hashlimit-above 6/min --hashlimit-burst 3 -j DROP
+iptables -A BREAKGLASS -p tcp --dport 52222 -j ACCEPT
diff --git a/scripts/claude-auth-sync@.service b/scripts/claude-auth-sync@.service
new file mode 100644
index 00000000..3750f295
--- /dev/null
+++ b/scripts/claude-auth-sync@.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Validate and back up Claude OAuth credentials for %i
+Documentation=https://github.com/ViktorBarzin/infra/blob/master/docs/runbooks/claude-auth-renew-workstation.md
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+User=%i
+Group=%i
+Environment=HOME=/home/%i
+Environment=PATH=/usr/local/bin:/usr/bin:/bin:/home/%i/.local/bin
+ExecStart=/usr/local/bin/claude-auth-sync
+
+# Credential and Vault access are required; keep the remaining host surface narrow.
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=-/home/%i/.claude -/home/%i/.claude.json -/home/%i/.config/claude-auth-sync -/home/%i/.local/state/claude-auth-sync
diff --git a/scripts/claude-auth-sync@.timer b/scripts/claude-auth-sync@.timer
new file mode 100644
index 00000000..b25f2ecd
--- /dev/null
+++ b/scripts/claude-auth-sync@.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Keep Claude OAuth credentials valid and recoverable for %i
+
+[Timer]
+OnBootSec=10m
+OnUnitActiveSec=6h
+Persistent=true
+RandomizedDelaySec=10m
+Unit=claude-auth-sync@%i.service
+
+[Install]
+WantedBy=timers.target
diff --git a/scripts/cluster_healthcheck.sh b/scripts/cluster_healthcheck.sh
index 49fbc61f..51a13b5d 100755
--- a/scripts/cluster_healthcheck.sh
+++ b/scripts/cluster_healthcheck.sh
@@ -1093,7 +1093,7 @@ check_helm_releases() {
     section 18 "Helm Release Health"
     local releases detail="" had_issue=false status="PASS"
 
-    releases=$(helm list -A --kubeconfig "$KUBECONFIG_PATH" -o json 2>/dev/null) || {
+    releases=$(helm list -A -a --kubeconfig "$KUBECONFIG_PATH" -o json 2>/dev/null) || {
         [[ "$QUIET" == true ]] && section_always 18 "Helm Release Health"
         warn "Cannot list Helm releases"
         json_add "helm_releases" "WARN" "Cannot list"
@@ -1108,9 +1108,14 @@ for r in data:
     name = r.get("name", "?")
     ns = r.get("namespace", "?")
     st = r.get("status", "unknown")
-    if st != "deployed":
-        level = "FAIL" if st.startswith("pending") else "WARN"
-        print(f"{level}:{ns}/{name}:{st}")
+    # helm list -a (above) surfaces pending-*/failed releases that plain
+    # `helm list` HIDES; a stuck pending-upgrade silently blocks every
+    # terragrunt apply of the stack (2026-06-16 prometheus incident, ~4 days
+    # of frozen monitoring config). Ignore deployed/uninstalled/superseded.
+    if st.startswith("pending"):
+        print(f"FAIL:{ns}/{name}:{st}")
+    elif st == "failed":
+        print(f"WARN:{ns}/{name}:{st}")
 ' 2>/dev/null) || true
 
     if [[ -z "$bad_releases" ]]; then
@@ -2026,11 +2031,16 @@ check_hardware_exporters() {
         fi
     done
 
-    # Check Prometheus scrape targets for hardware exporters
+    # Check Prometheus scrape targets for hardware exporters.
+    # last_over_time(up[15m]) instead of instant `up`: the redfish-idrac
+    # remnant scrapes every 10m (> the 5m staleness window), so an instant
+    # query returns it EMPTY ~half the time -> intermittent false "missing"
+    # (observed 2026-06-10). 15m covers the slowest job; identical answers
+    # for the 1-2m jobs.
     local prom_jobs=("snmp-idrac" "snmp-ups" "redfish-idrac" "proxmox-host")
     local up_result
     up_result=$($KUBECTL exec -n monitoring deploy/prometheus-server -- \
-        wget -q -O- 'http://localhost:9090/api/v1/query?query=up' 2>/dev/null || true)
+        wget -q -O- 'http://localhost:9090/api/v1/query?query=last_over_time(up%5B15m%5D)' 2>/dev/null || true)
 
     if [[ -n "$up_result" ]]; then
         for job in "${prom_jobs[@]}"; do
diff --git a/scripts/devvm-promtail.service b/scripts/devvm-promtail.service
new file mode 100644
index 00000000..c3bc5c79
--- /dev/null
+++ b/scripts/devvm-promtail.service
@@ -0,0 +1,17 @@
+# systemd unit for promtail on the devvm (10.0.10.10). Install to
+# /etc/systemd/system/promtail.service. See scripts/devvm-promtail.yaml for the full deploy.
+[Unit]
+Description=Promtail (ships devvm journal -> cluster Loki)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/promtail -config.file=/etc/promtail/config.yml
+Restart=on-failure
+RestartSec=5
+User=root
+Group=root
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/devvm-promtail.yaml b/scripts/devvm-promtail.yaml
new file mode 100644
index 00000000..fac66fad
--- /dev/null
+++ b/scripts/devvm-promtail.yaml
@@ -0,0 +1,59 @@
+# Promtail config for the devvm (10.0.10.10) — ships the systemd journal to cluster Loki.
+#
+# devvm is a standalone VM (NOT a k8s node), so its journal — including the t3
+# stack (t3-dispatch, t3-serve@<user>) — was never in Loki. Added 2026-06-11 for
+# t3 drop forensics: t3-dispatch now logs each /ws connection's open/close with
+# duration + which side hung up (downstream_closed = client/CF/Traefik went away;
+# upstream_closed = t3-serve closed/stalled; graceful = clean close). Joined with
+# Traefik's per-/ws duration (already in Loki) this attributes every drop to a layer.
+#
+# NOT Terraform-managed (devvm is outside k8s) — same hand-deployed pattern as
+# scripts/pve-promtail.* and the rpi-sofia promtail. This file is source-of-truth.
+#
+# Deploy (on devvm, as root via sudo):
+#   sudo install -d -m 0755 /etc/promtail /var/lib/promtail
+#   sudo install -m 0644 scripts/devvm-promtail.yaml    /etc/promtail/config.yml
+#   sudo install -m 0644 scripts/devvm-promtail.service /etc/systemd/system/promtail.service
+#   # Binary: grafana/loki v3.5.1 promtail-linux-amd64 -> /usr/local/bin/promtail (chmod 0755).
+#   sudo systemctl daemon-reload && sudo systemctl enable --now promtail
+#   # Loki reach: loki.viktorbarzin.lan (Technitium CNAME -> live Traefik LB; insecure cert).
+#
+# Streams produced:
+#   {job="devvm-journal"}                     — full devvm journal
+#   {job="devvm-journal", unit="t3-dispatch.service"}        — dispatch (ws open/close lines)
+#   {job="devvm-journal", unit="t3-serve@wizard.service"}    — per-user t3 serve
+#   {job="sshd-devvm"}                        — sshd auth lines (parity with sshd-pve)
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+  log_level: warn
+
+positions:
+  filename: /var/lib/promtail/positions.yaml
+
+clients:
+  - url: https://loki.viktorbarzin.lan/loki/api/v1/push
+    tls_config:
+      insecure_skip_verify: true
+
+scrape_configs:
+  - job_name: journal
+    journal:
+      max_age: 12h
+      json: false
+      path: /var/log/journal
+      labels:
+        host: devvm
+        job: devvm-journal
+    relabel_configs:
+      - source_labels: ['__journal__systemd_unit']
+        target_label: unit
+      - source_labels: ['__journal_priority_keyword']
+        target_label: level
+      - source_labels: ['__journal_syslog_identifier']
+        target_label: identifier
+      # sshd auth lines -> job=sshd-devvm (parity with the pve shipper's sshd-pve).
+      - source_labels: ['__journal_syslog_identifier']
+        regex: 'sshd.*'
+        target_label: job
+        replacement: 'sshd-devvm'
diff --git a/scripts/fail2ban-breakglass-sshd.local b/scripts/fail2ban-breakglass-sshd.local
new file mode 100644
index 00000000..19066295
--- /dev/null
+++ b/scripts/fail2ban-breakglass-sshd.local
@@ -0,0 +1,18 @@
+# Break-glass SSH fail2ban jail (redesigned 2026-06-11). Source of truth.
+# Deploy to the PVE host with:
+#   scp scripts/fail2ban-breakglass-sshd.local root@192.168.1.127:/etc/fail2ban/jail.d/breakglass-sshd.local
+#   ssh root@192.168.1.127 'systemctl restart fail2ban'
+#
+# GOTCHA (Debian 13 / OpenSSH 9.x): auth lines are logged under
+# _COMM=sshd-session, NOT _COMM=sshd. The stock Debian jail keys journalmatch on
+# `_SYSTEMD_UNIT=ssh.service + _COMM=sshd` and therefore silently NEVER bans.
+# Match by unit only so both sshd and sshd-session lines are seen. Ban on both
+# SSH ports (the WAN break-glass listener is :52222).
+[sshd]
+enabled = true
+backend = systemd
+journalmatch = _SYSTEMD_UNIT=ssh.service
+port = ssh,52222
+maxretry = 4
+findtime = 10m
+bantime = 1h
diff --git a/scripts/fan-control.env.example b/scripts/fan-control.env.example
index 3c2565c2..24394aec 100644
--- a/scripts/fan-control.env.example
+++ b/scripts/fan-control.env.example
@@ -1,21 +1,27 @@
-# /etc/fan-control.env  —  config for the fan-control daemon (chmod 600).
+# /etc/fan-control.env  —  config for the fan-control ACTUATOR (chmod 600).
 # Deployed manually to the PVE host; the real file holds a secret token and is
 # NOT committed. Copy this template, fill HA_TOKEN, scp to /etc/fan-control.env.
+#
+# The control logic lives in Home Assistant (curve + bias + hysteresis +
+# setpoint). This daemon only reads the HA-computed % and applies it over IPMI.
 
 # Long-lived ha-sofia access token (Home Assistant -> Profile -> Security ->
-# Long-lived access tokens). Empty => presence disabled, daemon runs COOL-only.
+# Long-lived access tokens). Used to read COMMAND_ENTITY. Empty/unreachable =>
+# the actuator hands the fans to Dell auto (it cannot compute a setpoint itself).
 HA_TOKEN=
 
 # --- optional overrides (defaults shown) ---
 # HA_URL=http://192.168.1.8:8123
-# GARAGE_ENTITY=sensor.garage_door_state_bg
-# GARAGE_OPEN_STATE=Отворена
-# HOLD_SECS=900            # quiet-mode hold after last garage activity (15 min)
+# COMMAND_ENTITY=sensor.r730_fan_command_pct  # HA-computed fan %; we only apply it
+# STALE_SECS=1800          # command older than this => stale. Loose on purpose:
+#                          # staleness only happens when CPU temp is flat (so the
+#                          # held value is still valid); a rising temp re-renders it.
+# HA_GRACE_SECS=300        # on a transient HA miss, HOLD the last applied % this
+#                          # long before handing the fans to Dell auto (anti-flap)
 # LOOP_INTERVAL=15
-# PRESENCE_INTERVAL=30
-# DEADBAND=3
-# CEILING=83               # degC: hand back to Dell auto at/above this
+# CEILING=83               # degC: hand back to Dell auto at/above this (hardware safety)
 # RESUME_BELOW=75
 # RESUME_STABLE=120
 # MAX_IPMI_FAILS=3
+# MIN_STEP=3               # smallest fan-% change worth an IPMI write (anti-jitter)
 PUSHGATEWAY_URL=http://10.0.20.100:30091
diff --git a/scripts/fan-control.service b/scripts/fan-control.service
index f337ff4d..3b649751 100644
--- a/scripts/fan-control.service
+++ b/scripts/fan-control.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Presence-aware IPMI fan controller (Dell R730, garage)
+Description=IPMI fan actuator (Dell R730) — applies the HA-computed setpoint
 Documentation=https://github.com/ViktorBarzin/infra/blob/master/scripts/fan-control.sh
 After=network-online.target
 Wants=network-online.target
diff --git a/scripts/fan-control.sh b/scripts/fan-control.sh
index 07d16fa5..6c5593f7 100644
--- a/scripts/fan-control.sh
+++ b/scripts/fan-control.sh
@@ -1,20 +1,23 @@
 #!/usr/bin/env bash
-# Presence-aware IPMI fan controller for the Dell R730 PVE host (192.168.1.127).
+# IPMI fan ACTUATOR for the Dell R730 PVE host (192.168.1.127).
 #
-# The server lives in the GARAGE (memory id=1723). Two curves, picked by
-# whether someone is physically in the garage:
-#   - COOL  : garage empty -> minimise CPU temp, noise is free.
-#   - QUIET : someone in the garage -> minimise noise, accept a warmer CPU.
-# Presence comes from the ha-sofia garage-door sensor: door open now, OR it
-# last changed within HOLD_SECS, => QUIET. Otherwise COOL.
+# THIN ACTUATOR — the control logic lives entirely in Home Assistant. HA owns
+# the curve thresholds, the duty %, the bias, and the final setpoint: it
+# publishes ONE number, `sensor.r730_fan_command_pct` (= computed fan % incl.
+# bias and any manual/lock override). This daemon does NOT compute anything — it
+# just reads that command each loop and applies it over IPMI, and reads the raw
+# sensors (temp/rpm) that feed HA/Prometheus.
+#   (Until 2026-06-07 the curve+hysteresis were computed HERE; moved to HA so
+#    all tuning + the setpoint determination happen on the dashboard.)
 #
-# Safety (manual fan mode bypasses the iDRAC's own curve, so we backstop it):
+# Safety (manual fan mode bypasses the iDRAC's own curve, so we backstop it).
+# These are INDEPENDENT of HA — the actuator protects the hardware on its own:
 #   - On ANY exit (crash/stop/TERM) the EXIT trap hands fans back to Dell
-#     automatic control (raw 0x30 0x30 0x01 0x01). systemd ExecStopPost
-#     repeats this belt-and-suspenders.
+#     automatic control (raw 0x30 0x30 0x01 0x01). systemd ExecStopPost repeats.
 #   - CPU >= CEILING -> hand back to Dell auto until it recovers (RESUME_BELOW
 #     held for RESUME_STABLE s). The firmware's own emergency cooling takes over.
 #   - IPMI read failures (>= MAX_IPMI_FAILS) -> hand back to Dell auto.
+#   - HA unreachable / command missing / STALE -> hand back to Dell auto.
 #
 # Deploy: scp to /usr/local/bin/fan-control (strip .sh) + install
 # fan-control.service + /etc/fan-control.env. Same pattern as apply-mbps-caps.
@@ -26,71 +29,38 @@ set -uo pipefail
 
 # ---- configuration (override via /etc/fan-control.env) ----
 : "${IPMITOOL:=ipmitool}"
-: "${LOOP_INTERVAL:=15}"             # seconds between temperature decisions
-: "${PRESENCE_INTERVAL:=30}"         # seconds between ha-sofia garage-door polls
-: "${DEADBAND:=3}"                   # degC hysteresis applied to downward fan steps
+: "${LOOP_INTERVAL:=15}"             # seconds between apply cycles
 : "${CEILING:=83}"                   # degC: hand back to Dell auto at/above this
 : "${RESUME_BELOW:=75}"              # degC: eligible to resume manual below this...
 : "${RESUME_STABLE:=120}"            # ...once held that long
-: "${HOLD_SECS:=900}"                # quiet-mode hold after last garage activity (15 min)
 : "${HA_URL:=http://192.168.1.8:8123}"
-: "${HA_TOKEN:=}"                    # long-lived ha-sofia token; empty => presence disabled (COOL only)
-: "${GARAGE_ENTITY:=sensor.garage_door_state_bg}"
-: "${GARAGE_OPEN_STATE:=Отворена}"   # ha state string meaning "open"
-# HA control: a mode select + manual % the user drives from Home Assistant.
-# auto => garage-presence curve (default); cool/quiet => force that curve;
-# manual => hold MANUAL_ENTITY %. Empty HA_TOKEN or unreachable HA => auto.
-: "${MODE_ENTITY:=input_select.r730_fan_mode}"
-: "${MANUAL_ENTITY:=input_number.r730_fan_manual_pct}"
+: "${HA_TOKEN:=}"                    # long-lived ha-sofia token; empty => Dell auto (no control)
+: "${COMMAND_ENTITY:=sensor.r730_fan_command_pct}"  # HA-computed fan %; we only apply it
+: "${STALE_SECS:=1800}"              # command older than this => stale. Loose on purpose:
+                                     # staleness only happens when CPU temp is flat (so the
+                                     # held value is still valid); a rising temp re-renders it.
+: "${HA_GRACE_SECS:=300}"            # on a transient HA miss, HOLD the last applied % for this
+                                     # long before handing the fans to Dell auto (anti-flap)
 : "${PUSHGATEWAY_URL:=}"             # optional Prometheus Pushgateway base URL
 : "${MAX_IPMI_FAILS:=3}"
+: "${MIN_STEP:=3}"                   # min fan-% change worth an IPMI write (anti-jitter)
 : "${DRY_RUN:=0}"                    # 1 => log IPMI actions instead of executing
 : "${RUN_ONCE:=0}"                   # 1 => one iteration then exit (testing)
 
-# Continuous LINEAR fan curve (2026-06-05): fan% ramps proportionally with CPU
-# temp between (T_LO,P_LO) and (T_HI,P_HI), clamped flat outside. Replaces the old
-# discrete step-bands (which flapped at band edges — e.g. 45<->65%). Both modes
-# reach 100% right at the 83°C ceiling. Anchors are env-tunable.
-#   COOL  (garage empty):  30% @50°C .. 100% @83°C  (~2.1%/°C; equilibrium ~60°C/~51%)
-#   QUIET (someone there): 20% @68°C .. 100% @83°C  (near-silent until ~70°C)
-# Web-researched: a linear curve + 2-3°C hysteresis is the homelab standard; PID is
-# overkill for this slow thermal loop. See docs/plans/2026-06-04-pve-fan-control-design.md.
-: "${COOL_T_LO:=50}"; : "${COOL_P_LO:=30}"; : "${COOL_T_HI:=83}"; : "${COOL_P_HI:=100}"
-: "${QUIET_T_LO:=68}"; : "${QUIET_P_LO:=20}"; : "${QUIET_T_HI:=83}"; : "${QUIET_P_HI:=100}"
-: "${MIN_STEP:=3}"   # min fan-% change worth an IPMI write (anti-jitter on the smooth curve)
-
 log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*"; }
 
 # ---- pure functions (no side effects; unit-tested) ----
 
-# fc_curve <mode> <temp> -> fan percent (continuous linear interpolation between
-# the per-mode (T_LO,P_LO)..(T_HI,P_HI) anchors; clamped flat outside the range).
-fc_curve() {
-  local mode="$1" temp="$2" tlo plo thi phi
-  if [[ "$mode" == "quiet" ]]; then tlo=$QUIET_T_LO; plo=$QUIET_P_LO; thi=$QUIET_T_HI; phi=$QUIET_P_HI
-  else tlo=$COOL_T_LO; plo=$COOL_P_LO; thi=$COOL_T_HI; phi=$COOL_P_HI; fi
-  if (( temp <= tlo )); then echo "$plo"; return 0; fi
-  if (( temp >= thi )); then echo "$phi"; return 0; fi
-  echo $(( plo + ( (temp - tlo) * (phi - plo) + (thi - tlo) / 2 ) / (thi - tlo) ))  # rounded
+# fc_num <value> <fallback> <min> <max> -> validated integer (floats truncated;
+# non-numeric => fallback; out-of-range clamped). Sanitises the HA command read.
+fc_num() {
+  local v="${1%%.*}" fb="$2" lo="$3" hi="$4"
+  [[ "$v" =~ ^-?[0-9]+$ ]] || { echo "$fb"; return 0; }
+  (( v < lo )) && v="$lo"; (( v > hi )) && v="$hi"; echo "$v"
 }
 
-# fc_decide <mode> <temp> <current_pct> <deadband> -> fan percent
-# Ramps up immediately; only steps down once the curve still wants a lower
-# percent even DEADBAND degrees hotter (prevents flapping at band edges).
-fc_decide() {
-  local mode="$1" temp="$2" current="$3" deadband="$4" target
-  target="$(fc_curve "$mode" "$temp")"
-  if (( current < 0 || target >= current )); then echo "$target"; return 0; fi
-  if (( $(fc_curve "$mode" "$((temp + deadband))") < current )); then echo "$target"; else echo "$current"; fi
-}
-
-# fc_presence_mode <state> <last_changed_epoch> <now_epoch> <hold_secs> <open_state> -> quiet|cool
-fc_presence_mode() {
-  local state="$1" lc="$2" now="$3" hold="$4" open="$5"
-  if [[ "$state" == "$open" ]]; then echo "quiet"; return 0; fi
-  if (( now - lc < hold )); then echo "quiet"; return 0; fi
-  echo "cool"
-}
+# fc_fresh <age_secs> <max_secs> -> exit 0 if fresh (age <= max), else 1.
+fc_fresh() { (( $1 <= $2 )); }
 
 # fc_parse_temp <ipmitool 'Temp' line> -> integer degC
 fc_parse_temp() {
@@ -115,18 +85,6 @@ fc_clamp() { local p="$1"; (( p < 0 )) && p=0; (( p > 100 )) && p=100; echo "$p"
 # (~2W @4800rpm · ~17W @9360 · ~42W @12720 · ~99W @16920). Integer: 0.0205·(rpm/1e3)³.
 fc_fan_watts() { echo $(( $1 * $1 * $1 * 205 / 10000000000000 )); }
 
-# fc_resolve <ha_mode> <temp> <manual_pct> <presence> <current> <deadband> -> pct
-# HA mode resolution (the hard ceiling is handled by the caller):
-#   manual      -> clamp(manual_pct), no hysteresis
-#   cool|quiet  -> that curve (with hysteresis)
-#   auto (else) -> presence-driven curve (garage door)
-fc_resolve() {
-  local ha_mode="$1" temp="$2" manual_pct="$3" presence="$4" current="$5" deadband="$6"
-  if [[ "$ha_mode" == "manual" ]]; then fc_clamp "$manual_pct"; return 0; fi
-  local eff; [[ "$ha_mode" == "auto" ]] && eff="$presence" || eff="$ha_mode"
-  fc_decide "$eff" "$temp" "$current" "$deadband"
-}
-
 # ---- side-effecting wrappers ----
 
 ipmi_manual_on=0
@@ -151,39 +109,34 @@ read_cpu_temp() {
   fc_parse_temp "$("$IPMITOOL" sdr type temperature 2>/dev/null | grep -E '^Temp ' | head -1)"
 }
 
-read_fan_rpm() {  # Fan1 RPM — representative (all 6 fans are set together)
-  "$IPMITOOL" sdr type fan 2>/dev/null | awk -F'|' '/^Fan1/{gsub(/[^0-9]/,"",$5); print $5+0; exit}'
+read_fan_rpm() {  # mean RPM across all 6 chassis fans (Fan1..Fan6). All fans run
+                  # one global duty, so the mean is representative AND a single
+                  # stalled fan won't skew it. Telemetry only — not a control input.
+  "$IPMITOOL" sdr type fan 2>/dev/null | awk -F'|' '
+    /^Fan[0-9]/ { gsub(/[^0-9]/, "", $5); if ($5 != "") { sum += $5; n++ } }
+    END { if (n > 0) printf "%d\n", (sum / n) + 0.5 }'
 }
 
-presence_cache="cool"; presence_ts=0
-get_presence() {
-  local now; now="$(date +%s)"
-  if (( now - presence_ts < PRESENCE_INTERVAL )); then echo "$presence_cache"; return 0; fi
-  presence_ts="$now"
-  [[ -z "$HA_TOKEN" ]] && { echo "$presence_cache"; return 0; }
-  local resp state lc_iso lc_epoch
-  resp="$(curl -fsS --max-time 5 -H "Authorization: Bearer $HA_TOKEN" \
-            "$HA_URL/api/states/$GARAGE_ENTITY" 2>/dev/null)" || { echo "$presence_cache"; return 0; }
-  state="$(fc_json_str_field "$resp" state)"
-  [[ -z "$state" ]] && { echo "$presence_cache"; return 0; }
-  lc_iso="$(fc_json_str_field "$resp" last_changed)"
-  lc_epoch="$(date -d "$lc_iso" +%s 2>/dev/null || echo "$now")"
-  presence_cache="$(fc_presence_mode "$state" "$lc_epoch" "$now" "$HOLD_SECS" "$GARAGE_OPEN_STATE")"
-  echo "$presence_cache"
-}
-
-# ha_entity_state <entity> -> state string (empty if HA disabled/unreachable)
-ha_entity_state() {
+# ha_command_pct -> the HA-computed fan % (0..100 int), or EMPTY when HA is
+# disabled/unreachable, the value is non-numeric, or the command is STALE
+# (last_updated older than STALE_SECS). Empty => caller hands fans to Dell auto.
+ha_command_pct() {
   [[ -z "$HA_TOKEN" ]] && return 0
-  local resp
+  local resp state lu lu_epoch now
   resp="$(curl -fsS --max-time 5 -H "Authorization: Bearer $HA_TOKEN" \
-            "$HA_URL/api/states/$1" 2>/dev/null)" || return 0
-  fc_json_str_field "$resp" state
+            "$HA_URL/api/states/$COMMAND_ENTITY" 2>/dev/null)" || return 0
+  state="$(fc_json_str_field "$resp" state)"
+  [[ "$state" =~ ^[0-9]+(\.[0-9]+)?$ ]] || return 0
+  lu="$(fc_json_str_field "$resp" last_updated)"
+  lu_epoch="$(date -d "$lu" +%s 2>/dev/null || echo 0)"; now="$(date +%s)"
+  (( lu_epoch == 0 )) && return 0
+  fc_fresh "$((now - lu_epoch))" "$STALE_SECS" || return 0
+  fc_num "$state" 0 0 100
 }
 
 push_metrics() {  # <temp> <pct> <mode> <ha_ok> <fallback> [fan_rpm] [fan_watts_est]
   [[ -z "$PUSHGATEWAY_URL" ]] && return 0
-  local mode_num; case "$3" in quiet) mode_num=1;; cool) mode_num=2;; manual) mode_num=3;; *) mode_num=0;; esac
+  local mode_num; case "$3" in applied) mode_num=2;; *) mode_num=0;; esac
   curl -fsS --max-time 5 --data-binary @- \
     "$PUSHGATEWAY_URL/metrics/job/fan_control/instance/pve-r730" >/dev/null 2>&1 <<EOF || true
 # TYPE pve_fan_control_cpu_temp_celsius gauge
@@ -204,10 +157,12 @@ EOF
 }
 
 main() {
-  log "fan-control start (loop=${LOOP_INTERVAL}s presence=${PRESENCE_INTERVAL}s hold=${HOLD_SECS}s ceiling=${CEILING}C dry_run=${DRY_RUN})"
+  log "fan-control start (actuator; loop=${LOOP_INTERVAL}s ceiling=${CEILING}C cmd=${COMMAND_ENTITY} stale=${STALE_SECS}s dry_run=${DRY_RUN})"
   trap 'log "exit — restoring Dell auto fan control"; restore_auto' EXIT
-  local current=-1 fails=0 in_fallback=0 cool_since=0
+  local current=-1 fails=0 in_fallback=0 cool_since=0 ha_down=0 ha_misses=0
   while true; do
+    local rpm fan_w; rpm="$(read_fan_rpm)"; rpm="${rpm:-0}"; fan_w="$(fc_fan_watts "$rpm")"
+
     local temp; temp="$(read_cpu_temp)"
     if [[ -z "$temp" ]]; then
       fails=$((fails + 1)); log "WARN cannot read CPU temp ($fails/$MAX_IPMI_FAILS)"
@@ -216,45 +171,53 @@ main() {
     fi
     fails=0
 
+    # Hardware ceiling — independent of HA; firmware emergency cooling takes over.
     if (( temp >= CEILING )); then
       (( in_fallback == 0 )) && { log "CEILING temp=${temp}≥${CEILING} — Dell auto"; restore_auto; current=-1; in_fallback=1; }
-      push_metrics "$temp" 0 fallback 1 1
+      push_metrics "$temp" 0 fallback 1 1 "$rpm" "$fan_w"
       (( RUN_ONCE == 1 )) && break || { sleep "$LOOP_INTERVAL"; continue; }
     fi
     if (( in_fallback == 1 )); then
       if (( temp < RESUME_BELOW )); then
         (( cool_since == 0 )) && cool_since="$(date +%s)"
         if (( $(date +%s) - cool_since >= RESUME_STABLE )); then
-          log "recovered (temp<${RESUME_BELOW}C ${RESUME_STABLE}s) — resuming manual"; in_fallback=0; cool_since=0
+          log "recovered (temp<${RESUME_BELOW}C ${RESUME_STABLE}s) — resuming HA control"; in_fallback=0; cool_since=0
         else
-          push_metrics "$temp" 0 fallback 1 1; (( RUN_ONCE == 1 )) && break || { sleep "$LOOP_INTERVAL"; continue; }
+          push_metrics "$temp" 0 fallback 1 1 "$rpm" "$fan_w"; (( RUN_ONCE == 1 )) && break || { sleep "$LOOP_INTERVAL"; continue; }
         fi
       else
-        cool_since=0; push_metrics "$temp" 0 fallback 1 1
+        cool_since=0; push_metrics "$temp" 0 fallback 1 1 "$rpm" "$fan_w"
         (( RUN_ONCE == 1 )) && break || { sleep "$LOOP_INTERVAL"; continue; }
       fi
     fi
 
-    # HA-desired mode (auto/cool/quiet/manual); unreachable/unset => auto.
-    local ha_mode ha_ok=1; ha_mode="$(ha_entity_state "$MODE_ENTITY")"; [[ -z "$HA_TOKEN" ]] && ha_ok=0
-    [[ -z "$ha_mode" ]] && ha_mode="auto"
-    case "$ha_mode" in auto|cool|quiet|manual) ;; *) ha_mode="auto" ;; esac
-    local manual_pct=0
-    if [[ "$ha_mode" == "manual" ]]; then
-      manual_pct="$(ha_entity_state "$MANUAL_ENTITY")"; manual_pct="${manual_pct%%.*}"
-      [[ "$manual_pct" =~ ^[0-9]+$ ]] || manual_pct=0
+    # The setpoint is whatever HA computed. No local math — just apply it.
+    local cmd; cmd="$(ha_command_pct)"
+    if [[ -z "$cmd" ]]; then
+      ha_misses=$((ha_misses + 1))
+      if (( current >= 0 && ha_misses * LOOP_INTERVAL < HA_GRACE_SECS )); then
+        # Transient HA loss — HOLD the last applied %; do NOT touch the fans. A brief
+        # command blip (sensor unavailable / stale / fetch hiccup) must not dump the
+        # fans to Dell auto. The 83C CEILING above (our own IPMI read) is the real
+        # overheat safety, so holding the last good % is safe.
+        (( ha_misses == 1 )) && log "HA command miss — holding ${current}% (grace ${HA_GRACE_SECS}s)"
+        push_metrics "$temp" "$current" applied 0 0 "$rpm" "$fan_w"
+      else
+        # Sustained loss (or nothing applied yet) — hand the fans to Dell auto.
+        (( ha_down == 0 )) && { log "HA command lost (${ha_misses} misses) — Dell auto"; restore_auto; current=-1; ha_down=1; }
+        push_metrics "$temp" 0 fallback 0 1 "$rpm" "$fan_w"
+      fi
+      (( RUN_ONCE == 1 )) && break || { sleep "$LOOP_INTERVAL"; continue; }
     fi
-    local presence="cool"; [[ "$ha_mode" == "auto" ]] && presence="$(get_presence)"
-    local eff; if [[ "$ha_mode" == "manual" ]]; then eff="manual"; elif [[ "$ha_mode" == "auto" ]]; then eff="$presence"; else eff="$ha_mode"; fi
-    local pct; pct="$(fc_resolve "$ha_mode" "$temp" "$manual_pct" "$presence" "$current" "$DEADBAND")"
-    # Only write when first-run or the change clears MIN_STEP (kills 1-2% jitter
-    # on the continuous curve; fc_decide already gives asymmetric hysteresis).
-    if (( current < 0 || pct - current >= MIN_STEP || current - pct >= MIN_STEP )); then
-      if set_manual "$pct"; then log "temp=${temp}C ha_mode=${ha_mode} eff=${eff} fan=${pct}% (was ${current}%)"; current="$pct"
-      else log "WARN set_manual ${pct}% failed"; fi
+    ha_misses=0
+    (( ha_down == 1 )) && { log "HA command back (${cmd}%) — resuming"; ha_down=0; }
+
+    # Only write when first-run or the change clears MIN_STEP (kills 1-2% jitter).
+    if (( current < 0 || cmd - current >= MIN_STEP || current - cmd >= MIN_STEP )); then
+      if set_manual "$cmd"; then log "temp=${temp}C cmd=${cmd}% rpm=${rpm} (was ${current}%)"; current="$cmd"
+      else log "WARN set_manual ${cmd}% failed"; fi
     fi
-    local rpm fan_w; rpm="$(read_fan_rpm)"; rpm="${rpm:-0}"; fan_w="$(fc_fan_watts "$rpm")"
-    push_metrics "$temp" "$current" "$eff" "$ha_ok" 0 "$rpm" "$fan_w"
+    push_metrics "$temp" "$current" applied 1 0 "$rpm" "$fan_w"
     (( RUN_ONCE == 1 )) && break || sleep "$LOOP_INTERVAL"
   done
 }
diff --git a/scripts/nfs-mirror.sh b/scripts/nfs-mirror.sh
index 2e322ede..3e293c03 100644
--- a/scripts/nfs-mirror.sh
+++ b/scripts/nfs-mirror.sh
@@ -54,11 +54,14 @@ PUSHGATEWAY="${NFS_MIRROR_PUSHGATEWAY:-http://10.0.20.100:30091}"
 PUSHGATEWAY_JOB=nfs-mirror
 
 EXCLUDES=(
-    # ---- /mnt/backup subtrees owned by daily-backup — leave alone ----
+    # ---- /mnt/backup subtrees owned by OTHER backup jobs — leave alone ----
+    # Without these, the top-level `rsync --delete /srv/nfs/ → /mnt/backup/` below
+    # reaps any /mnt/backup dir that has no /srv/nfs counterpart.
     --exclude='/pvc-data/'
     --exclude='/sqlite-backup/'
     --exclude='/pfsense/'
     --exclude='/pve-config/'
+    --exclude='/vzdump/'       # VM images from vzdump-vms — NOT a /srv/nfs svc (else --delete reaps them nightly)
     --exclude='/lost+found/'
 
     # ---- state files used by other backup jobs ----
@@ -90,6 +93,16 @@ EXCLUDES=(
     --exclude='*@synoeastream'
     --exclude='/.DS_Store'
     --exclude='/Thumbs.db'
+
+    # ---- transient SQLite sidecars (WAL mode) ----
+    # Created/checkpointed/deleted constantly, so they vanish mid-rsync and trip
+    # exit code 24 (root cause of NfsMirrorFailing on calibre-web-automated's
+    # queue.db, 2026-05/06). They must NEVER be in a raw mirror anyway: a -wal/-shm
+    # without an atomic .db snapshot is useless to restore from. Consistent SQLite
+    # copies are made separately by daily-backup (SQLite backup API).
+    --exclude='*-wal'
+    --exclude='*-shm'
+    --exclude='*-journal'
 )
 
 log()  { echo "[$(date -u '+%Y-%m-%dT%H:%M:%SZ')] $*" | tee -a "$LOG"; }
@@ -152,7 +165,12 @@ rsync \
 
 DST_BYTES=$(df -B1 --output=used /mnt/backup | tail -1)
 
-if [ "$RSYNC_RC" -eq 0 ]; then
+# rsync exit 24 = "some source files vanished before transfer" — benign for a
+# backup mirror: everything else copied; the vanished files are transient (e.g.
+# SQLite WAL/SHM, now mostly caught by the excludes above). Treat as success so
+# the offsite manifest still updates and NfsMirrorFailing doesn't false-fire.
+if [ "$RSYNC_RC" -eq 0 ] || [ "$RSYNC_RC" -eq 24 ]; then
+    [ "$RSYNC_RC" -eq 24 ] && warn "rsync exited 24 (source files vanished mid-transfer) — treating as success"
     # Capture files that rsync created/modified and feed them to the offsite-sync
     # manifest so daily Step 1 incremental picks them up tomorrow morning.
     # Use -cnewer (ctime), not -newer (mtime): rsync -t preserves SOURCE mtime
diff --git a/scripts/offinfra-onboard b/scripts/offinfra-onboard
new file mode 100755
index 00000000..ae811685
--- /dev/null
+++ b/scripts/offinfra-onboard
@@ -0,0 +1,255 @@
+#!/usr/bin/env bash
+# offinfra-onboard — migrate a Canonical (Forgejo) repo's image build to
+# GitHub Actions → ghcr.io (ADR-0002, PRD infra#10). Idempotent: re-running
+# skips every already-done step.
+#
+# What it does:
+#   1. Ensures the GitHub mirror repo exists (right visibility; unarchives).
+#   2. Sets GHA secrets (WOODPECKER_TOKEN, FORGEJO_GIT_TOKEN, SLACK_WEBHOOK).
+#   3. Ensures the Forgejo push-mirror (sync_on_commit) + fires an initial sync.
+#   4. Registers the mirror in Woodpecker (github forge) → deploy repo id.
+#   5. Renders .github/workflows/build.yml + .woodpecker/deploy.yml into the
+#      clone, removes the old in-cluster build pipeline.
+#   6. Commits on the FORGEJO side and pushes master (this fires the chain).
+#   7. Flips the GitHub default branch to master once the mirror has synced.
+#
+# Usage:
+#   offinfra-onboard <name> --clone <path> --visibility private|public \
+#     --namespace <ns> --deploy "<deployment>=<container>[,<container>...]" \
+#     [--image <ghcr-image-name>] [--context <docker-context>] [--dockerfile <path>] \
+#     [--test-steps <yaml-file>] [--dry-run]
+#
+#   --deploy is repeatable. --test-steps points at a YAML fragment of extra
+#   steps for the lint-and-test job (indented for a `steps:` list); omitted =
+#   a no-op test job.
+set -euo pipefail
+
+SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
+TEMPLATES="$SCRIPT_DIR/offinfra-templates"
+GH_OWNER="ViktorBarzin"
+FORGEJO_HOST="forgejo.viktorbarzin.me"
+FORGEJO_LB="10.0.20.203"
+WP_API="https://ci.viktorbarzin.me/api"
+
+NAME=${1:?usage: offinfra-onboard <name> [flags]}; shift
+CLONE="" VISIBILITY="" NAMESPACE="" IMAGE="" CONTEXT="." DOCKERFILE="Dockerfile" TEST_STEPS_FILE="" DRY_RUN=0 NO_DEPLOY=0
+DEPLOYS=()
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --clone) CLONE=$2; shift 2;;
+    --visibility) VISIBILITY=$2; shift 2;;
+    --namespace) NAMESPACE=$2; shift 2;;
+    --image) IMAGE=$2; shift 2;;
+    --context) CONTEXT=$2; shift 2;;
+    --dockerfile) DOCKERFILE=$2; shift 2;;
+    --deploy) DEPLOYS+=("$2"); shift 2;;
+    --test-steps) TEST_STEPS_FILE=$2; shift 2;;
+    --no-deploy) NO_DEPLOY=1; shift;;
+    --dry-run) DRY_RUN=1; shift;;
+    *) echo "unknown flag: $1" >&2; exit 1;;
+  esac
+done
+IMAGE=${IMAGE:-$NAME}
+[ -n "$CLONE" ] && [ -d "$CLONE/.git" ] || { echo "--clone must point at a git clone" >&2; exit 1; }
+[ "$VISIBILITY" = "private" ] || [ "$VISIBILITY" = "public" ] || { echo "--visibility private|public" >&2; exit 1; }
+[ -n "$NAMESPACE" ] || { echo "--namespace required" >&2; exit 1; }
+[ ${#DEPLOYS[@]} -gt 0 ] || [ "$NO_DEPLOY" = 1 ] || { echo "at least one --deploy required (or --no-deploy for CronJob-only repos)" >&2; exit 1; }
+
+log() { printf '\033[1m[%s]\033[0m %s\n' "$NAME" "$*"; }
+run() { if [ "$DRY_RUN" = 1 ]; then echo "DRY: $*"; else "$@"; fi; }
+
+# --- credentials ---
+export VAULT_ADDR=${VAULT_ADDR:-https://vault.viktorbarzin.me}
+WP_TOKEN=$(vault kv get -field=woodpecker_api_token secret/ci/global)
+SLACK_WEBHOOK=$(vault kv get -field=slack_webhook secret/ci/global)
+GH_PAT=$(vault kv get -field=github_pat secret/viktor)
+# Forgejo token: from the clone's forgejo remote URL (the documented contract)
+FORGEJO_REMOTE=$(git -C "$CLONE" remote -v | awk -v h="$FORGEJO_HOST" '$2 ~ h && $3 == "(push)" {print $1; exit}')
+[ -n "$FORGEJO_REMOTE" ] || { echo "no forgejo remote in $CLONE" >&2; exit 1; }
+FORGEJO_TOKEN=$(git -C "$CLONE" remote get-url "$FORGEJO_REMOTE" | sed -n 's#https://[^:]*:\([^@]*\)@.*#\1#p')
+# Fallback: clones using the credential-store helper carry no token in the URL
+[ -n "$FORGEJO_TOKEN" ] || FORGEJO_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@$FORGEJO_HOST.*#\1#p" ~/.git-credentials 2>/dev/null | head -1)
+[ -n "$FORGEJO_TOKEN" ] || { echo "could not extract forgejo token (remote URL or ~/.git-credentials)" >&2; exit 1; }
+
+FJ() { curl -sf --resolve "$FORGEJO_HOST:443:$FORGEJO_LB" -H "Authorization: token $FORGEJO_TOKEN" -H 'Content-Type: application/json' "$@"; }
+
+# Clone must be clean and CURRENT — the final push goes straight to master
+# (hit live on job-hunter: stale clone -> rejected push + rebase conflict).
+[ -z "$(git -C "$CLONE" status --porcelain)" ] || { echo "clone $CLONE is dirty — commit/stash first" >&2; exit 1; }
+git -C "$CLONE" fetch "$FORGEJO_REMOTE" >/dev/null 2>&1
+git -C "$CLONE" merge --ff-only "$FORGEJO_REMOTE/master" >/dev/null 2>&1 || { echo "clone $CLONE could not fast-forward to $FORGEJO_REMOTE/master" >&2; exit 1; }
+WP() { curl -sf -H "Authorization: Bearer $WP_TOKEN" -H 'Content-Type: application/json' "$@"; }
+
+# --- 1) GitHub mirror repo ---
+if state=$(gh api "repos/$GH_OWNER/$NAME" --jq '{archived,private}' 2>/dev/null); then
+  archived=$(jq -r .archived <<<"$state"); private=$(jq -r .private <<<"$state")
+  if [ "$archived" = "true" ]; then
+    log "GitHub repo exists but is ARCHIVED — unarchiving"
+    run gh api -X PATCH "repos/$GH_OWNER/$NAME" -F archived=false >/dev/null
+  fi
+  want_private=$([ "$VISIBILITY" = private ] && echo true || echo false)
+  if [ "$private" != "$want_private" ]; then
+    log "setting visibility -> $VISIBILITY"
+    run gh api -X PATCH "repos/$GH_OWNER/$NAME" -F private="$want_private" >/dev/null
+  else
+    log "GitHub repo visibility already $VISIBILITY — SKIP"
+  fi
+else
+  log "creating GitHub mirror repo ($VISIBILITY)"
+  run gh repo create "$GH_OWNER/$NAME" "--$VISIBILITY" \
+    --description "One-way mirror of forgejo viktor/$NAME — do NOT commit here (ADR-0002)" >/dev/null
+fi
+
+# --- 2) GHA secrets ---
+log "setting GHA secrets (WOODPECKER_TOKEN, FORGEJO_GIT_TOKEN, SLACK_WEBHOOK)"
+if [ "$DRY_RUN" = 0 ]; then
+  gh secret set WOODPECKER_TOKEN  -R "$GH_OWNER/$NAME" --body "$WP_TOKEN"
+  gh secret set FORGEJO_GIT_TOKEN -R "$GH_OWNER/$NAME" --body "$FORGEJO_TOKEN"
+  gh secret set SLACK_WEBHOOK     -R "$GH_OWNER/$NAME" --body "$SLACK_WEBHOOK"
+fi
+
+# --- 3) Forgejo push-mirror ---
+mirrors=$(FJ "https://$FORGEJO_HOST/api/v1/repos/viktor/$NAME/push_mirrors" || echo '[]')
+if printf '%s' "$mirrors" | jq -e --arg a "github.com/$GH_OWNER/$NAME" '.[] | select(.remote_address | contains($a))' >/dev/null 2>&1; then
+  log "push-mirror already configured — SKIP"
+else
+  log "creating push-mirror -> github.com/$GH_OWNER/$NAME (sync_on_commit)"
+  run FJ -X POST "https://$FORGEJO_HOST/api/v1/repos/viktor/$NAME/push_mirrors" \
+    -d "{\"remote_address\":\"https://github.com/$GH_OWNER/$NAME.git\",\"remote_username\":\"$GH_OWNER\",\"remote_password\":$(jq -Rn --arg p "$GH_PAT" '$p'),\"interval\":\"8h0m0s\",\"sync_on_commit\":true}" >/dev/null
+fi
+log "firing initial mirror sync"
+run FJ -X POST "https://$FORGEJO_HOST/api/v1/repos/viktor/$NAME/push_mirrors-sync" >/dev/null || true
+
+# --- 4) Woodpecker registration (github forge) ---
+if [ "$NO_DEPLOY" = 1 ]; then
+  log "--no-deploy: skipping Woodpecker registration (CronJob-only; :latest+Always picks up builds)"
+  WP_REPO_ID="0"
+else
+WP_ROW=$(WP "$WP_API/repos?perPage=100" | jq -c --arg n "$GH_OWNER/$NAME" '[.[] | select(.full_name == $n)] | first // empty')
+WP_REPO_ID=$(jq -r '.id // empty' <<<"$WP_ROW")
+if [ -n "$WP_REPO_ID" ] && [ "$(jq -r .active <<<"$WP_ROW")" = "true" ]; then
+  log "Woodpecker repo already registered + active (id=$WP_REPO_ID) — SKIP"
+elif [ -n "$WP_REPO_ID" ]; then
+  # Registered but INACTIVE (e.g. the old GHA-era registration was
+  # deactivated — hit live on f1-stream, repo 10): re-activate in place.
+  GH_REPO_ID=$(gh api "repos/$GH_OWNER/$NAME" --jq .id)
+  log "Woodpecker repo $WP_REPO_ID exists but is INACTIVE — re-activating"
+  run WP -X POST "$WP_API/repos?forge_remote_id=$GH_REPO_ID" >/dev/null
+else
+  GH_REPO_ID=$(gh api "repos/$GH_OWNER/$NAME" --jq .id)
+  log "registering mirror in Woodpecker (forge_remote_id=$GH_REPO_ID)"
+  if [ "$DRY_RUN" = 0 ]; then
+    WP_REPO_ID=$(WP -X POST "$WP_API/repos?forge_remote_id=$GH_REPO_ID" | jq -r .id)
+  else
+    WP_REPO_ID="DRY"
+  fi
+  log "Woodpecker repo id = $WP_REPO_ID"
+fi
+
+# Normalize repo settings: TRUSTED repos get netrc injected into EVERY step
+# container; bitnami/kubectl (non-root, HOME=/) then dies with
+# "//.netrc: Permission denied" (hit live on f1-stream repo 10, an old-era
+# registration that carried trusted=true; tripit 167 is untrusted and works).
+if [ "$DRY_RUN" = 0 ]; then
+  run WP -X PATCH "$WP_API/repos/$WP_REPO_ID" \
+    -d '{"trusted":{"network":false,"volumes":false,"security":false}}' >/dev/null \
+    && log "Woodpecker repo settings normalized (untrusted)"
+fi
+fi
+
+# --- 5) Render workflow + deploy files into the clone ---
+DEPLOY_CMDS=""
+for d in "${DEPLOYS[@]}"; do
+  dep=${d%%=*}; containers=${d#*=}
+  setargs=""
+  IFS=',' read -ra cs <<<"$containers"
+  for c in "${cs[@]}"; do setargs="$setargs $c=\${IMAGE_NAME}:\${IMAGE_TAG}"; done
+  DEPLOY_CMDS="$DEPLOY_CMDS      - \"kubectl -n $NAMESPACE set image deployment/$dep$setargs\"\n"
+  DEPLOY_CMDS="$DEPLOY_CMDS      - \"kubectl -n $NAMESPACE rollout status deployment/$dep --timeout=300s\"\n"
+done
+if [ -n "$TEST_STEPS_FILE" ]; then
+  TEST_STEPS=$(cat "$TEST_STEPS_FILE")
+else
+  TEST_STEPS='      - run: echo "no test steps configured"'
+fi
+
+export T_NAME=$NAME T_IMAGE=$IMAGE T_CONTEXT=$CONTEXT T_DOCKERFILE=$DOCKERFILE T_WPID=$WP_REPO_ID T_TEST="$TEST_STEPS" T_DEPLOY="$DEPLOY_CMDS"
+render() { # $1=template $2=dest
+  python3 - "$1" "$2" <<'PYEOF'
+import os, sys
+src, dst = sys.argv[1], sys.argv[2]
+s = open(src).read()
+s = s.replace('{{NAME}}', os.environ['T_NAME'])
+s = s.replace('{{IMAGE}}', os.environ['T_IMAGE'])
+s = s.replace('{{CONTEXT}}', os.environ['T_CONTEXT'])
+s = s.replace('{{DOCKERFILE}}', os.environ['T_DOCKERFILE'])
+s = s.replace('{{WP_REPO_ID}}', os.environ['T_WPID'])
+s = s.replace('{{TEST_STEPS}}', os.environ['T_TEST'])
+s = s.replace('{{DEPLOY_CMDS}}', os.environ['T_DEPLOY'].replace('\\n', '\n').rstrip('\n'))
+os.makedirs(os.path.dirname(dst), exist_ok=True)
+open(dst, 'w').write(s)
+PYEOF
+}
+log "rendering build.yml$([ "$NO_DEPLOY" = 1 ] && echo ' (no deploy job)' || echo ' + deploy.yml')"
+if [ "$DRY_RUN" = 0 ]; then
+  render "$TEMPLATES/build.yml.tmpl"  "$CLONE/.github/workflows/build.yml"
+  if [ "$NO_DEPLOY" = 1 ]; then
+    # CronJob-only: drop the deploy job (everything from "  deploy:" to the
+    # notify job) — :latest+Always CronJobs pick up new builds on next run.
+    python3 - "$CLONE/.github/workflows/build.yml" <<'PYDEL'
+import sys
+p=sys.argv[1]; lines=open(p).read().split("\n")
+out=[]; skip=False
+for l in lines:
+    if l.rstrip() == "  deploy:": skip=True
+    if l.rstrip() == "  notify-failure:": skip=False
+    if not skip: out.append(l)
+open(p,"w").write("\n".join(out).replace("needs: [lint-and-test, build, deploy]","needs: [lint-and-test, build]"))
+PYDEL
+    rm -f "$CLONE/.woodpecker/deploy.yml"
+  else
+    render "$TEMPLATES/deploy.yml.tmpl" "$CLONE/.woodpecker/deploy.yml"
+  fi
+fi
+
+# --- 6) Remove old in-cluster build pipeline + commit on Forgejo side ---
+cd "$CLONE"
+OLD_REMOVED=""
+for f in .woodpecker.yml .woodpecker/build.yml .woodpecker/build-fallback.yml; do
+  [ -f "$f" ] && { run git rm -q "$f"; OLD_REMOVED="$OLD_REMOVED $f"; }
+done
+run git add .github/workflows/build.yml
+[ -f .woodpecker/deploy.yml ] && run git add .woodpecker/deploy.yml
+if git diff --cached --quiet 2>/dev/null; then
+  log "no changes to commit — SKIP (already migrated)"
+else
+  log "committing + pushing to forgejo master (this fires the chain)"
+  run git commit -q -m "ci: move image build off-infra to GHA -> ghcr (ADR-0002)
+
+Generated by infra/scripts/offinfra-onboard: GHA builds+tests on the
+GitHub mirror, pushes ghcr.io/viktorbarzin/$IMAGE, then triggers the
+Woodpecker deploy (repo $WP_REPO_ID). Old in-cluster build pipeline
+removed:$OLD_REMOVED
+
+Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>"
+  run git push "$FORGEJO_REMOTE" master
+fi
+
+# --- 7) GitHub default branch -> master (after mirror sync) ---
+if [ "$DRY_RUN" = 0 ]; then
+  for i in $(seq 1 24); do
+    if gh api "repos/$GH_OWNER/$NAME/branches/master" >/dev/null 2>&1; then
+      cur=$(gh api "repos/$GH_OWNER/$NAME" --jq .default_branch)
+      [ "$cur" != "master" ] && gh api -X PATCH "repos/$GH_OWNER/$NAME" -F default_branch=master >/dev/null && log "default branch -> master"
+      break
+    fi
+    sleep 5
+  done
+fi
+
+log "DONE. Verify the chain:"
+echo "  - GHA run:    gh run list -R $GH_OWNER/$NAME --limit 3"
+echo "  - ghcr tags:  (token exchange) https://ghcr.io/v2/viktorbarzin/$IMAGE/tags/list"
+echo "  - WP deploy:  $WP_API/repos/$WP_REPO_ID/pipelines"
+echo "  - rollout:    kubectl -n $NAMESPACE get deploy"
+echo "  - pull secret: ensure the Deployment carries ghcr-credentials (Kyverno allowlist + stack imagePullSecrets)"
diff --git a/scripts/offinfra-templates/build.yml.tmpl b/scripts/offinfra-templates/build.yml.tmpl
new file mode 100644
index 00000000..ff6712e7
--- /dev/null
+++ b/scripts/offinfra-templates/build.yml.tmpl
@@ -0,0 +1,116 @@
+name: Build and Push
+
+# Off-infra build (ADR-0002). Canonical repo is Forgejo viktor/{{NAME}}, which
+# push-mirrors here; this workflow builds on GitHub-hosted runners, pushes the
+# image to GHCR, then signals the Woodpecker deploy pipeline (repo {{WP_REPO_ID}})
+# to roll the cluster — the homelab never sees build IO or registry pushes.
+#
+# Committed on the FORGEJO side (the mirror is one-way; commits made on GitHub
+# are overwritten by the next sync). Generated by infra/scripts/offinfra-onboard.
+on:
+  push:
+    branches: [master]
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+{{TEST_STEPS}}
+
+  build:
+    needs: lint-and-test
+    runs-on: ubuntu-latest
+    outputs:
+      image_tag: ${{ steps.meta.outputs.sha }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0      # full history + tags so svu sees the last vX.Y.Z
+          fetch-tags: true
+      # Auto-semver (svu): tag-only, pushed to CANONICAL Forgejo (GitHub tags
+      # would be wiped by the next mirror sync). Best-effort: never blocks the build.
+      - name: Compute + tag semver (svu)
+        env:
+          FORGEJO_GIT_TOKEN: ${{ secrets.FORGEJO_GIT_TOKEN }}
+        run: |
+          set +e
+          git config user.email "ci@viktorbarzin.me"
+          git config user.name "{{NAME}}-ci"
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          curl -sSL https://github.com/caarlos0/svu/releases/download/v3.4.1/svu_3.4.1_linux_amd64.tar.gz | tar -xz svu
+          CUR=$(./svu current 2>/dev/null)
+          NEXT=$(./svu next 2>/dev/null)
+          echo "svu current=[$CUR] next=[$NEXT]"
+          if [ -n "$NEXT" ] && [ "$NEXT" != "$CUR" ]; then
+            git tag "$NEXT" 2>/dev/null
+            git push "https://viktor:${FORGEJO_GIT_TOKEN}@forgejo.viktorbarzin.me/viktor/{{NAME}}.git" "$NEXT" && echo "pushed tag $NEXT to forgejo" || echo "tag push failed (non-blocking)"
+          fi
+          exit 0
+      - uses: docker/setup-buildx-action@v4
+      - uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - id: meta
+        run: echo "sha=$(echo ${{ github.sha }} | cut -c1-8)" >> "$GITHUB_OUTPUT"
+      - uses: docker/build-push-action@v7
+        with:
+          context: {{CONTEXT}}
+          file: {{DOCKERFILE}}
+          push: true
+          platforms: linux/amd64
+          # Single-manifest images (no provenance/SBOM attestation children) so
+          # registry retention can never orphan index children (ADR-0002).
+          provenance: false
+          tags: |
+            ghcr.io/viktorbarzin/{{IMAGE}}:${{ steps.meta.outputs.sha }}
+            ghcr.io/viktorbarzin/{{IMAGE}}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      # Keep the newest ~10 versions on ghcr (latest rides the newest one).
+      - name: ghcr retention (keep 10)
+        uses: actions/delete-package-versions@v5
+        continue-on-error: true
+        with:
+          package-name: {{IMAGE}}
+          package-type: container
+          min-versions-to-keep: 10
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      # Signal Woodpecker (repo {{WP_REPO_ID}} = ViktorBarzin/{{NAME}} mirror) to run
+      # .woodpecker/deploy.yml — kubectl set image in-cluster (agent SA is cluster-admin).
+      - name: Trigger Woodpecker deploy
+        run: |
+          for attempt in 1 2 3; do
+            STATUS=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
+              "https://ci.viktorbarzin.me/api/repos/{{WP_REPO_ID}}/pipelines" \
+              -H "Authorization: Bearer ${{ secrets.WOODPECKER_TOKEN }}" \
+              -H "Content-Type: application/json" \
+              -d "{\"branch\":\"master\",\"variables\":{\"IMAGE_TAG\":\"${{ needs.build.outputs.image_tag }}\",\"IMAGE_NAME\":\"ghcr.io/viktorbarzin/{{IMAGE}}\"}}")
+            if [ "$STATUS" -ge 200 ] && [ "$STATUS" -lt 300 ]; then
+              echo "Woodpecker deploy triggered (HTTP $STATUS)"; exit 0
+            fi
+            echo "Attempt $attempt failed (HTTP $STATUS), retrying in 30s..."; sleep 30
+          done
+          echo "Failed to trigger Woodpecker deploy after 3 attempts"; exit 1
+
+  notify-failure:
+    needs: [lint-and-test, build, deploy]
+    if: failure()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Slack notify
+        run: |
+          curl -sf -X POST -H 'Content-Type: application/json' \
+            -d "{\"text\":\":rotating_light: {{NAME}} off-infra build FAILED: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\"}" \
+            "${{ secrets.SLACK_WEBHOOK }}" || true
diff --git a/scripts/offinfra-templates/deploy.yml.tmpl b/scripts/offinfra-templates/deploy.yml.tmpl
new file mode 100644
index 00000000..15d5146e
--- /dev/null
+++ b/scripts/offinfra-templates/deploy.yml.tmpl
@@ -0,0 +1,19 @@
+# Auto-deploy, triggered ONLY by the GitHub Actions build POSTing to the
+# Woodpecker API (manual event, with IMAGE_TAG + IMAGE_NAME) after a successful
+# off-infra build+push to GHCR (ADR-0002). event:[manual] (NOT push) so the
+# Forgejo->GitHub mirror's raw pushes don't fire a spurious deploy.
+# The woodpecker-agent SA is cluster-admin — no kubeconfig needed.
+# Generated by infra/scripts/offinfra-onboard.
+when:
+  - event: manual
+
+steps:
+  - name: check-vars
+    image: alpine
+    commands:
+      - "[ -n \"$IMAGE_TAG\" ] || (echo 'IMAGE_TAG not set — refusing to deploy'; exit 1)"
+
+  - name: deploy
+    image: bitnami/kubectl:latest
+    commands:
+{{DEPLOY_CMDS}}
diff --git a/scripts/pfsense-haproxy-bootstrap.php b/scripts/pfsense-haproxy-bootstrap.php
index 5452b198..5b9119b2 100644
--- a/scripts/pfsense-haproxy-bootstrap.php
+++ b/scripts/pfsense-haproxy-bootstrap.php
@@ -45,6 +45,8 @@ $h['maxconn'] = '1000';
 
 // Our declared object names (anything starting with mailserver_ is ours)
 $POOL_NAMES = [
+    'webgui_traefik_443',        // SNI-routed 443: hostname traffic -> Traefik
+    'pfsense_webgui_8443',       // SNI-routed 443: no-SNI / pfsense.* -> webgui
     'mailserver_nodes',          // legacy (Phase 2/3 test)
     'mailserver_nodes_smtp',
     'mailserver_nodes_smtps',
@@ -52,6 +54,7 @@ $POOL_NAMES = [
     'mailserver_nodes_imaps',
 ];
 $FRONTEND_NAMES = [
+    'internal_https_443',        // SNI-routed internal 443 (2026-06-10)
     'mailserver_proxy_test',     // legacy (Phase 2/3 test, :2525)
     'mailserver_proxy_25',
     'mailserver_proxy_465',
@@ -185,6 +188,58 @@ $h['ha_pools']['item'][] = build_pool('mailserver_nodes_smtps', '30126', $NODES,
 $h['ha_pools']['item'][] = build_pool('mailserver_nodes_sub',   '30127', $NODES, 'TCP', '30147');
 $h['ha_pools']['item'][] = build_pool('mailserver_nodes_imaps', '30128', $NODES);
 
+// ── SNI-routed internal :443 pools (2026-06-10) ─────────────────────────
+// Completes the internal port table of 10.0.20.1 so mail.viktorbarzin.me
+// (internal A record -> 10.0.20.1) serves webmail too. Routing rule
+// (Viktor's design): TLS with a hostname (SNI present) -> Traefik; bare-IP
+// /no-SNI (admin hitting https://10.0.20.1) -> pfSense webgui, which moved
+// to :8443 to free the socket. pfsense.viktorbarzin.{lan,me} SNI is
+// excepted back to the webgui. Traefik leg mirrors the IPv6 bridge:
+// send-proxy-v2 (Traefik trusts 10.0.20.1), NO health check (PROXY-
+// expecting receivers reject bare probes — see runbook gotcha).
+$h['ha_pools']['item'][] = [
+    'name'                   => 'webgui_traefik_443',
+    'balance'                => '',
+    'check_type'             => 'none',
+    'monitor_domain'         => '',
+    'checkinter'             => '',
+    'retries'                => '',
+    'ha_servers'             => ['item' => [[
+        'name'     => 'traefik',
+        'address'  => '10.0.20.203',
+        'port'     => '443',
+        'weight'   => '10',
+        'ssl'      => '',
+        'advanced' => 'send-proxy-v2',
+        'status'   => 'active',
+    ]]],
+    'advanced_bind'          => '',
+    'persist_cookie_enabled' => '',
+    'transparent_clientip'   => '',
+    'advanced'               => '',
+];
+$h['ha_pools']['item'][] = [
+    'name'                   => 'pfsense_webgui_8443',
+    'balance'                => '',
+    'check_type'             => 'none',
+    'monitor_domain'         => '',
+    'checkinter'             => '',
+    'retries'                => '',
+    'ha_servers'             => ['item' => [[
+        'name'     => 'webgui',
+        'address'  => '127.0.0.1',
+        'port'     => '8443',
+        'weight'   => '10',
+        'ssl'      => '',
+        'advanced' => '',
+        'status'   => 'active',
+    ]]],
+    'advanced_bind'          => '',
+    'persist_cookie_enabled' => '',
+    'transparent_clientip'   => '',
+    'advanced'               => '',
+];
+
 // ── Frontends ───────────────────────────────────────────────────────────
 if (!is_array($h['ha_backends']))         $h['ha_backends']         = ['item' => []];
 if (!is_array($h['ha_backends']['item'])) $h['ha_backends']['item'] = [];
@@ -228,7 +283,36 @@ $h['ha_backends']['item'][] = build_frontend(
     'mailserver_nodes_imaps'
 );
 
-write_config('code-yiu: mailserver HAProxy — 4 production frontends + legacy :2525 test');
+// ── SNI-routed internal :443 frontend (2026-06-10) ──────────────────────
+// Binds both internal interface IPs so IP-based GUI access works from
+// either VLAN. mode tcp + SNI inspection; TLS passthrough on both legs
+// (Traefik serves the real certs; the webgui keeps its self-signed one).
+$h['ha_backends']['item'][] = [
+    'name'      => 'internal_https_443',
+    'descr'     => 'SNI-routed internal 443: hostname->Traefik (proxy-v2), no-SNI/pfsense.*->webgui:8443',
+    'status'    => 'active',
+    'secondary' => '',
+    'type'      => 'tcp',
+    'a_extaddr' => ['item' => [
+        ['extaddr' => 'custom', 'extaddr_custom' => '10.0.20.1', 'extaddr_port' => '443', 'extaddr_ssl' => '', 'extaddr_advanced' => ''],
+        ['extaddr' => 'custom', 'extaddr_custom' => '10.0.10.1', 'extaddr_port' => '443', 'extaddr_ssl' => '', 'extaddr_advanced' => ''],
+    ]],
+    'backend_serverpool' => 'pfsense_webgui_8443',
+    'ha_acls'   => ['item' => [
+        ['name' => 'sni_pfsense', 'expression' => 'custom', 'value' => 'req.ssl_sni -i -m str pfsense.viktorbarzin.lan pfsense.viktorbarzin.me', 'casesensitive' => '', 'not' => ''],
+        ['name' => 'sni_any',     'expression' => 'custom', 'value' => 'req.ssl_sni -m found', 'casesensitive' => '', 'not' => ''],
+    ]],
+    'a_actionitems' => ['item' => [
+        ['action' => 'use_backend', 'use_backendbackend' => 'pfsense_webgui_8443', 'acl' => 'sni_pfsense'],
+        ['action' => 'use_backend', 'use_backendbackend' => 'webgui_traefik_443',  'acl' => 'sni_any'],
+    ]],
+    'dontlognull'=> '',
+    'httpclose'  => '',
+    'forwardfor' => '',
+    'advanced'   => base64_encode("tcp-request inspect-delay 5s\n\ttcp-request content accept if { req.ssl_hello_type 1 } || !{ req.ssl_hello_type 1 }"),
+];
+
+write_config('mailserver HAProxy + SNI-routed internal 443 (hostname->Traefik, no-SNI->webgui:8443)');
 
 $messages = '';
 $rc = haproxy_check_and_run($messages, true);
diff --git a/scripts/publish-gate b/scripts/publish-gate
new file mode 100755
index 00000000..0bbb6fb5
--- /dev/null
+++ b/scripts/publish-gate
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+# publish-gate — gate a Canonical repo's PUBLIC flip (ADR-0002).
+# A repo may go public ONLY on a CLEAN verdict; a DIRTY verdict means it stays
+# private — canonical history is never rewritten for publication.
+#
+# Checks (full git history, not just the worktree):
+#   1. gitleaks  — secret patterns across all commits
+#   2. trufflehog (docker) — verified-credential detection across all commits
+#   3. PII heuristics — emails/phones/keys in tracked files + fixture inventory
+#
+# Usage: publish-gate <clone-path>
+# Exit: 0 = CLEAN, 1 = DIRTY, 2 = scanner error. Report: /tmp/publish-gate-<name>.txt
+set -uo pipefail
+CLONE=${1:?usage: publish-gate <clone-path>}
+CLONE=$(cd "$CLONE" && pwd)
+NAME=$(basename "$CLONE")
+REPORT="/tmp/publish-gate-$NAME.txt"
+DIRTY=0; ERR=0
+
+say() { echo "$@" | tee -a "$REPORT"; }
+: > "$REPORT"
+say "== publish-gate: $NAME @ $(git -C "$CLONE" rev-parse --short HEAD) ($(date -u +%FT%TZ)) =="
+
+# --- 1. gitleaks (full history) ---
+say ""; say "-- gitleaks (full history) --"
+if gitleaks git "$CLONE" --no-banner --redact --report-path /tmp/publish-gate-$NAME-gitleaks.json >>"$REPORT" 2>&1; then
+  say "gitleaks: CLEAN"
+else
+  rc=$?
+  if [ "$rc" = 1 ]; then say "gitleaks: LEAKS FOUND (see $REPORT + json)"; DIRTY=1
+  else say "gitleaks: scanner error rc=$rc"; ERR=1; fi
+fi
+
+# --- 2. trufflehog (verified credentials, full history) ---
+say ""; say "-- trufflehog (verified only, full history) --"
+if docker run --rm -v "$CLONE":/repo:ro trufflesecurity/trufflehog:latest \
+     git file:///repo --only-verified --fail --no-update >>"$REPORT" 2>&1; then
+  say "trufflehog: CLEAN (no verified credentials)"
+else
+  rc=$?
+  if [ "$rc" = 183 ]; then say "trufflehog: VERIFIED CREDENTIALS FOUND"; DIRTY=1
+  else say "trufflehog: scanner error rc=$rc"; ERR=1; fi
+fi
+
+# --- 3. PII heuristics on tracked files ---
+say ""; say "-- PII heuristics (tracked files) --"
+cd "$CLONE"
+EMAILS=$(git grep -hoiE '[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}' -- ':!*.lock' ':!package-lock.json' ':!pnpm-lock.yaml' ':!.beads' 2>/dev/null \
+  | grep -viE '@(viktorbarzin\.me|meta\.com|example\.(com|org|test)|test\.(com|local)|localhost|users\.noreply\.github\.com|googlegroups\.com)' \
+  | grep -viE '^(noreply|no-reply|ci|admin|info|support|hello|user|foo|bar|test.*|licensing|legal|security|sales)@' \
+  | sort -u | head -20)
+if [ -n "$EMAILS" ]; then say "real-looking emails found:"; say "$EMAILS"; say "(review: PII?)"; DIRTY=1; else say "emails: none beyond allowlist"; fi
+KEYS=$(git grep -l 'BEGIN.*PRIVATE KEY' 2>/dev/null | head -5)
+[ -n "$KEYS" ] && { say "PRIVATE KEY blocks in: $KEYS"; DIRTY=1; } || say "private keys: none"
+ENVF=$(git ls-files | grep -E '(^|/)\.env($|\.)' | head -5)
+[ -n "$ENVF" ] && { say "committed .env files: $ENVF (review)"; DIRTY=1; } || say ".env files: none"
+FIXTURES=$(git ls-files | grep -iE '(fixtures?|testdata|tests?/data|^\.beads)/' | head -10)
+if [ -n "$FIXTURES" ]; then say "fixture files present (eyeball for PII):"; say "$FIXTURES"; else say "fixtures: none"; fi
+
+say ""
+if [ "$ERR" = 1 ]; then say "VERDICT: ERROR (scanner failed — fix and re-run)"; exit 2; fi
+if [ "$DIRTY" = 1 ]; then say "VERDICT: DIRTY — repo stays PRIVATE (do not rewrite history)"; exit 1; fi
+say "VERDICT: CLEAN — public flip approved"
+exit 0
diff --git a/scripts/pve-promtail.service b/scripts/pve-promtail.service
new file mode 100644
index 00000000..0b288bfc
--- /dev/null
+++ b/scripts/pve-promtail.service
@@ -0,0 +1,17 @@
+# systemd unit for promtail on the PVE host (192.168.1.127). Install to
+# /etc/systemd/system/promtail.service. See scripts/pve-promtail.yaml for the full deploy.
+[Unit]
+Description=Promtail (ships PVE host journal -> cluster Loki)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/promtail -config.file=/etc/promtail/config.yml
+Restart=on-failure
+RestartSec=5
+User=root
+Group=root
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/pve-promtail.yaml b/scripts/pve-promtail.yaml
new file mode 100644
index 00000000..b923e98c
--- /dev/null
+++ b/scripts/pve-promtail.yaml
@@ -0,0 +1,53 @@
+# Promtail config for the PVE host (192.168.1.127) — ships the systemd journal to cluster Loki.
+#
+# NOT Terraform-managed (the PVE host is the hypervisor, outside k8s). Deployed by hand,
+# same pattern as scripts/fan-control.* and the rpi-sofia promtail. This file is source-of-truth.
+#
+# Deploy:
+#   scp scripts/pve-promtail.yaml    root@192.168.1.127:/etc/promtail/config.yml
+#   scp scripts/pve-promtail.service root@192.168.1.127:/etc/systemd/system/promtail.service
+#   ssh root@192.168.1.127 'mkdir -p /var/lib/promtail && systemctl daemon-reload && systemctl enable --now promtail'
+#   # Binary: grafana/loki v3.5.1 promtail-linux-amd64 -> /usr/local/bin/promtail (chmod 0755).
+#   # Loki reach: loki.viktorbarzin.lan resolves via a Technitium CNAME -> ingress.viktorbarzin.lan
+#   #   (registered 2026-06-10 via the Technitium API; auto-tracks the live Traefik LB IP, AXFR'd to all
+#   #   3 instances). NO /etc/hosts pin. insecure_skip_verify stays — the internal .lan cert isn't trusted.
+#
+# Streams produced:
+#   {job="pve-journal"}                    — full host journal (filter identifier="snoopy" for the command audit)
+#   {job="sshd-pve"}                       — sshd auth lines; feeds the Loki S1 security rule (docs/architecture/security.md)
+#   {job="pve-journal", identifier="snoopy"} — snoopy command audit (every execve on the host; see scripts/pve-snoopy.ini)
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+  log_level: warn
+
+positions:
+  filename: /var/lib/promtail/positions.yaml
+
+clients:
+  - url: https://loki.viktorbarzin.lan/loki/api/v1/push
+    tls_config:
+      insecure_skip_verify: true
+
+scrape_configs:
+  - job_name: journal
+    journal:
+      max_age: 12h
+      json: false
+      path: /var/log/journal
+      labels:
+        host: pve
+        job: pve-journal
+    relabel_configs:
+      - source_labels: ['__journal__systemd_unit']
+        target_label: unit
+      - source_labels: ['__journal_priority_keyword']
+        target_label: level
+      - source_labels: ['__journal_syslog_identifier']
+        target_label: identifier
+      # sshd auth lines (identifier sshd / sshd-session) -> job=sshd-pve so the Loki S1
+      # security rule ({job="sshd-pve"}) matches. snoopy command lines stay job=pve-journal.
+      - source_labels: ['__journal_syslog_identifier']
+        regex: 'sshd.*'
+        target_label: job
+        replacement: 'sshd-pve'
diff --git a/scripts/pve-snoopy.ini b/scripts/pve-snoopy.ini
new file mode 100644
index 00000000..931bc29d
--- /dev/null
+++ b/scripts/pve-snoopy.ini
@@ -0,0 +1,21 @@
+; snoopy config for the PVE host (192.168.1.127) — logs every execve() to journald.
+;
+; Install to /etc/snoopy.ini. Enable globally by adding the lib to /etc/ld.so.preload:
+;   apt-get install -y snoopy
+;   echo /usr/lib/x86_64-linux-gnu/libsnoopy.so > /etc/ld.so.preload   # enable (no snoopy-enable in the Debian pkg)
+;   # disable/rollback: truncate -s 0 /etc/ld.so.preload   (or remove the line)
+;
+; output=devlog writes directly to /dev/log -> journald (identifier "snoopy").
+; DO NOT use output=syslog on a systemd host — snoopy's own docs warn it can hang the system on boot.
+;
+; Shipped to Loki by promtail as {job="pve-journal", identifier="snoopy"} (scripts/pve-promtail.yaml).
+; Attribution note: all sessions run as root (shared root key), so uid/login are always root;
+; correlate a command's sid/time with the matching {job="sshd-pve"} "Accepted publickey ... SHA256:<fp>"
+; line to attribute it to a person (e.g. emo's agent key fp SHA256:Wd+m0EABlm4RDDykDh85PIYSqe0Al8Hr9AZ+7Ksy4HQ).
+[snoopy]
+output = devlog
+message_format = "snoopy uid=%{uid} login=%{login} tty=%{tty} sid=%{sid} cwd=%{cwd} : %{cmdline}"
+syslog_ident = snoopy
+syslog_facility = LOG_AUTHPRIV
+syslog_level = LOG_INFO
+filter_chain = ""
diff --git a/scripts/setup-forgejo-containerd-mirror.sh b/scripts/setup-forgejo-containerd-mirror.sh
index 975c2aa2..4c543d15 100755
--- a/scripts/setup-forgejo-containerd-mirror.sh
+++ b/scripts/setup-forgejo-containerd-mirror.sh
@@ -1,11 +1,24 @@
 #!/usr/bin/env bash
-# One-shot deployment of the forgejo.viktorbarzin.me containerd hosts.toml
-# entry across every k8s node. Cloud-init only fires on VM provision, so
-# existing nodes need this manual rollout.
+# One-shot deployment of the (vestigial) forgejo containerd hosts.toml entry
+# across every k8s node, plus cleanup of legacy node-side DNS customization.
+# Cloud-init only fires on VM provision, so existing nodes need this manual
+# rollout.
+#
+# Node DNS is intentionally STOCK: internal split-horizon for
+# *.viktorbarzin.me happens at pfSense Unbound (domain override ->
+# Technitium), whose split-horizon zone serves the live Traefik LB IP for
+# every ingress host — nodes need no resolved drop-ins or /etc/hosts pins.
+# The hosts.toml mirror alone CANNOT keep pulls internal: Traefik 404s its
+# bare-IP requests (no Host/SNI match) and the registry Bearer auth realm is
+# the absolute public URL fetched outside the mirror (2026-06-10 tuya-bridge
+# outage; see docs/post-mortems/2026-06-10-tuya-bridge-forgejo-pull-hairpin.md).
 #
 # What it does, per node:
 #   1. drain (ignore-daemonsets, delete-emptydir-data)
-#   2. ssh in: mkdir + write /etc/containerd/certs.d/forgejo.viktorbarzin.me/hosts.toml
+#   2. ssh in: remove legacy DNS customization (forgejo-internal-pin
+#      /etc/hosts lines, viktorbarzin.conf / global-dns.conf resolved
+#      drop-ins), restart systemd-resolved,
+#      write /etc/containerd/certs.d/forgejo.viktorbarzin.me/hosts.toml
 #   3. systemctl restart containerd
 #   4. uncordon
 #
@@ -38,6 +51,10 @@ for n in $NODES; do
 
   ssh -o StrictHostKeyChecking=accept-new "wizard@$n" sudo bash <<EOF
 set -euo pipefail
+sed -i '/forgejo-internal-pin/d' /etc/hosts
+rm -f /etc/systemd/resolved.conf.d/viktorbarzin.conf \
+      /etc/systemd/resolved.conf.d/global-dns.conf
+systemctl restart systemd-resolved
 mkdir -p "$CERTS_DIR"
 cat > "$CERTS_DIR/hosts.toml" <<'TOML'
 $HOSTS_TOML
diff --git a/scripts/sshd-10-breakglass.conf b/scripts/sshd-10-breakglass.conf
new file mode 100644
index 00000000..96663d2b
--- /dev/null
+++ b/scripts/sshd-10-breakglass.conf
@@ -0,0 +1,31 @@
+# Break-glass SSH drop-in (redesigned 2026-06-11). Source of truth.
+# Deploy to the PVE host with:
+#   scp scripts/sshd-10-breakglass.conf root@192.168.1.127:/etc/ssh/sshd_config.d/10-breakglass.conf
+#   ssh root@192.168.1.127 'sshd -t && systemctl reload ssh'
+#
+#   :22    = LAN admin, all of root's keys (default AuthorizedKeysFile).
+#   :52222 = WAN-exposed break-glass. The edge router forwards WAN tcp/52222 ->
+#            192.168.1.127:52222 (external port MUST equal internal port on the
+#            TP-Link AX6000 — it rejects remaps; port 22 itself is reserved).
+#            The Match LocalPort block trusts ONLY the dedicated break-glass key
+#            (authorized_keys.breakglass), so a leak of any other root key does
+#            NOT grant internet access. Rate-limited by the BREAKGLASS iptables
+#            chain + fail2ban. No port-knock.
+#
+# NOTE: the trailing `Match all` is REQUIRED. /etc/ssh/sshd_config has
+# `Include sshd_config.d/*.conf` near the top but a global `PermitRootLogin`
+# further down; without `Match all` resetting context, that later global
+# directive would be swallowed into the `Match LocalPort 52222` condition.
+Port 22
+Port 52222
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+PubkeyAuthentication yes
+PermitRootLogin prohibit-password
+MaxAuthTries 3
+LoginGraceTime 20
+
+Match LocalPort 52222
+    AuthorizedKeysFile /root/.ssh/authorized_keys.breakglass
+    PermitRootLogin prohibit-password
+Match all
diff --git a/scripts/t3-autoupdate.service b/scripts/t3-autoupdate.service
index d3306da7..7b043f13 100644
--- a/scripts/t3-autoupdate.service
+++ b/scripts/t3-autoupdate.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Track latest t3 nightly (health-checked, idle-only restart)
+Description=Enforce pinned t3 version (health-checked, idle-only restart)
 After=network-online.target
 Wants=network-online.target
 
diff --git a/scripts/t3-autoupdate.sh b/scripts/t3-autoupdate.sh
index 962f3fc4..a3928211 100644
--- a/scripts/t3-autoupdate.sh
+++ b/scripts/t3-autoupdate.sh
@@ -1,49 +1,185 @@
 #!/usr/bin/env bash
-# Track the latest t3 nightly — with a health-check + auto-rollback (lesson from
-# the Keel auto-update incidents: never blindly trust a new build) and idle-only
-# restarts (never kill an in-flight coding session). Runs as root via the unit.
+# t3 GATED NIGHTLY TRACKER (daily, via t3-autoupdate.timer).
+#
+# t3 is pre-1.0 and ships breaking schema-migration + pairing-API changes between
+# builds. On 2026-06-09 a blind `npm i -g t3@nightly` migrated every ~/.t3
+# state.sqlite FORWARD and moved the bootstrap API, breaking pairing for ALL users
+# with no alert (post-mortem 2026-06-09-t3-nightly-autoupdate-auth-outage.md). We
+# pinned in response.
+#
+# 2026-06-16 (Viktor's call, risk explicitly accepted): re-enable nightly tracking,
+# but GATED so a bad nightly self-heals instead of breaking everyone. This script
+# now follows the `nightly` npm dist-tag (T3_TRACK) under these guards:
+#   - freeze switch (/etc/t3-autoupdate.freeze) + optional hard pin (T3_PIN) for
+#     instant manual revert; a canary failure also self-freezes;
+#   - downgrade-guard (the nightly tag is mutable — never move backward);
+#   - pre-bump per-user state.sqlite backup BEFORE install (rollback => restore,
+#     not sqlite surgery), via the same online VACUUM INTO as t3-backup-state;
+#   - a health-check that seeds a throwaway instance with a COPY of a real
+#     POPULATED state.sqlite, so it exercises the forward MIGRATION (the actual
+#     2026-06-09 failure class) + the real pairing handshake before trusting a build;
+#   - canary rollout: restart idle instances ONE AT A TIME, verifying pairing
+#     through the real dispatch after each, and roll back (binary + that user's DB)
+#     + self-freeze on the first failure — active-agent instances are deferred,
+#     never killed (deferred instances are recorded for t3-migrate-idle to drain);
+#   - rollback target is the recorded LAST-GOOD build, not "whatever was installed".
+# Detection backstop (real-user pairing failure/fallback) lives in the dispatch
+# logs + Loki alerts (T3PairingBroken / T3PairFallbackHigh / T3AutoUpdate*).
+# To stop tracking: `sudo touch /etc/t3-autoupdate.freeze` (or set T3_PIN=<ver>).
+# Full procedure + manual rollback: docs/runbooks/t3-version-bump.md.
 set -uo pipefail
-LOG() { logger -t t3-autoupdate "$*"; echo "t3-autoupdate: $*"; }
 
-ver() { t3 --version 2>/dev/null | awk '{print $NF}' | sed 's/^v//'; }
+# ---- autoupdate-specific config (shared config + helpers come from the lib) -----
+T3_TRACK="${T3_TRACK:-nightly}"            # npm dist-tag to follow (nightly | latest)
+T3_PIN="${T3_PIN:-}"                        # optional HARD pin to an exact version (disables tracking)
+SMOKE_PORT="${T3_SMOKE_PORT:-3799}"
+DRY_RUN="${T3_DRY_RUN:-0}"
+TMPROOT="${T3_TMPDIR:-/var/tmp}"           # health-check scratch on DISK — /tmp is a 2G tmpfs and a populated state.sqlite (~hundreds of MB) overflows it
 
-before=$(ver); LOG "current: ${before:-unknown}"
-npm i -g t3@nightly >/dev/null 2>&1 || { LOG "npm install failed; staying on ${before:-current}"; exit 0; }
-after=$(ver)
+LOG_TAG=t3-autoupdate
+# shellcheck source=scripts/t3-safe-restart.sh
+. "${T3_SAFE_RESTART_LIB:-/usr/local/lib/t3-safe-restart.sh}"
 
-if [[ -z "$after" || "$after" == "$before" ]]; then
-  LOG "already latest (${before:-?}); nothing to do"; exit 0
+# is $1 a strictly-newer version than $2 (version-sort)?
+newer() { [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -1)" = "$1" ]; }
+
+mkdir -p "$STATE_DIR" 2>/dev/null || true
+
+# ---- 0. freeze gate -------------------------------------------------------------
+if [ -e "$FREEZE_FILE" ]; then
+  LOG "FROZEN: $FREEZE_FILE present — holding at $(ver), not tracking $T3_TRACK"; exit 0
 fi
-LOG "installed $after (was $before); health-checking…"
 
-# Health-check the NEW binary on a throwaway port/base-dir before trusting it.
-SMOKE_PORT=3799; SMOKE_DIR=$(mktemp -d)
-t3 serve --host 127.0.0.1 --port "$SMOKE_PORT" --base-dir "$SMOKE_DIR" >/dev/null 2>&1 &
-smoke=$!; ok=0
-for _ in $(seq 1 15); do
-  [[ "$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "http://127.0.0.1:$SMOKE_PORT/" 2>/dev/null)" == "200" ]] && { ok=1; break; }
-  sleep 2
-done
-kill "$smoke" 2>/dev/null; wait "$smoke" 2>/dev/null; rm -rf "$SMOKE_DIR"
+current="$(ver)"
+[ -n "$current" ] || { LOG "cannot read current t3 version — aborting (is t3 installed?)"; exit 0; }
+[ -s "$LAST_GOOD_FILE" ] || echo "$current" >"$LAST_GOOD_FILE"   # seed last-good on first run
+last_good="$(tr -d '[:space:]' <"$LAST_GOOD_FILE" 2>/dev/null)"
+[ -n "$last_good" ] || last_good="$current"
 
-if [[ "$ok" != "1" ]]; then
-  LOG "HEALTH-CHECK FAILED for $after — rolling back to $before"
-  if [[ -n "$before" ]] && npm i -g "t3@$before" >/dev/null 2>&1; then
-    LOG "rolled back to $before"
-  else
-    LOG "ROLLBACK FAILED — manual fix needed (t3 may be broken)"
+# ---- 1. resolve target ----------------------------------------------------------
+if [ -n "$T3_PIN" ]; then
+  target="$T3_PIN"
+  LOG "T3_PIN=$T3_PIN set — enforcing pin (tracking disabled)"
+else
+  target="$(npm view "t3@$T3_TRACK" version 2>/dev/null | tail -1 | tr -d '[:space:]')"
+  [ -n "$target" ] || { LOG "could not resolve t3@$T3_TRACK from npm — staying on $current"; exit 0; }
+fi
+
+[ "$target" = "$current" ] && { LOG "already on $T3_TRACK=$current; nothing to do"; exit 0; }
+
+# ---- 2. downgrade + channel guard (mutable nightly tag can point backward) ------
+if [ -z "$T3_PIN" ]; then
+  newer "$target" "$current" || { LOG "resolved $T3_TRACK=$target is NOT newer than installed $current — refusing downgrade"; exit 0; }
+  if [ "$T3_TRACK" = "nightly" ]; then
+    case "$target" in *-nightly.*) : ;; *) LOG "resolved nightly target '$target' is not a nightly build — refusing"; exit 0;; esac
   fi
-  exit 1
 fi
-LOG "health OK; restarting idle instances"
+LOG "candidate: $current -> $target (track=$T3_TRACK, last_good=$last_good, dry_run=$DRY_RUN)"
 
-# Restart only IDLE per-user instances; defer any with an active agent child.
-for unit in $(systemctl list-units --type=service --state=running --no-legend 't3-serve@*' | awk '{print $1}'); do
-  pid=$(systemctl show -p MainPID --value "$unit")
-  if [[ -n "$pid" && "$pid" != 0 ]] && pgrep -aP "$pid" 2>/dev/null | grep -qiE 'claude|codex|opencode'; then
-    LOG "deferring $unit (active agent) — updates next cycle when idle"
+# ---- helpers: backup, health-check, rollback, restart-verify --------------------
+# Online consistent per-user snapshot (run AS the owner so WAL stays owned; never
+# stops the serve). Sets $ADMIN_SEED to wizard's backup for the migration health
+# check. Mirrors t3-backup-state.sh. (backup_user lives in the shared lib.)
+ADMIN_SEED=""
+backup_all() {
+  local u dst
+  for u in $(osusers); do
+    if dst="$(backup_user "$u")"; then
+      LOG "pre-bump backup: $u -> $dst ($(stat -c%s "$dst" 2>/dev/null) bytes)"
+      [ "$u" = "wizard" ] && ADMIN_SEED="$dst"
+    else
+      LOG "WARN: pre-bump backup FAILED for $u (/home/$u/.t3/userdata/state.sqlite)"
+    fi
+  done
+  [ -n "$ADMIN_SEED" ] || ADMIN_SEED="$(ls -1t "$BACKUP_DIR"/*/"state-prebump-$target-"*.sqlite 2>/dev/null | head -1)"
+}
+
+# health_check <t3bin> [seed_db]: start a throwaway serve (seeded with a copy of a
+# real populated DB if given, so the forward migration runs on real data), then do
+# the real mint -> credential-exchange -> t3_session pairing handshake with the
+# dispatch's endpoint fallback, and sniff the serve log for a migration failure.
+health_check() {
+  local t3bin="$1" seed="${2:-}" dir logf pid live=0 pair=0 migerr=0 cred ep hdr code seeded=fresh
+  dir="$(mktemp -d -p "$TMPROOT")"; mkdir -p "$dir/userdata"; logf="$dir/serve.log"
+  if [ -n "$seed" ] && [ -f "$seed" ]; then cp "$seed" "$dir/userdata/state.sqlite"; seeded=populated; fi
+  "$t3bin" serve --host 127.0.0.1 --port "$SMOKE_PORT" --base-dir "$dir" >"$logf" 2>&1 &
+  pid=$!
+  for _ in $(seq 1 15); do
+    [ "$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "http://127.0.0.1:$SMOKE_PORT/" 2>/dev/null)" = "200" ] && { live=1; break; }
+    sleep 2
+  done
+  if [ "$live" = "1" ]; then
+    cred="$("$t3bin" auth pairing create --base-dir "$dir" --ttl 5m --json 2>/dev/null | tr -d '\n ' | sed -n 's/.*"credential":"\([^"]*\)".*/\1/p')"
+    if [ -n "$cred" ]; then
+      for ep in /api/auth/browser-session /api/auth/bootstrap; do
+        hdr="$(curl -s -i --max-time 5 -X POST -H 'Content-Type: application/json' -d "{\"credential\":\"$cred\"}" "http://127.0.0.1:$SMOKE_PORT$ep" 2>/dev/null)"
+        code="$(printf '%s' "$hdr" | sed -n '1s#.* \([0-9][0-9][0-9]\).*#\1#p')"
+        [ "$code" = "404" ] && continue
+        printf '%s' "$hdr" | grep -qi '^set-cookie:[[:space:]]*t3_session=' && pair=1
+        break
+      done
+    fi
+  fi
+  grep -qiE 'migration failed|failed to migrate|no column named|NOT NULL constraint failed|PersistenceSqlError' "$logf" 2>/dev/null && migerr=1
+  kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
+  if [ "$live" = "1" ] && [ "$pair" = "1" ] && [ "$migerr" = "0" ]; then
+    LOG "health OK ($seeded: live + pairing handshake + clean migration)"
+    rm -rf "$dir"; return 0
+  fi
+  LOG "HEALTH-CHECK FAILED ($seeded: live=$live pair=$pair migerr=$migerr); serve log: $(tail -3 "$logf" 2>/dev/null | tr '\n' '|')"
+  rm -rf "$dir"; return 1
+}
+
+# is this t3-serve@<unit> running an active agent (claude/codex/opencode)? never restart those.
+unit_busy() {
+  local unit="$1" pid; pid="$(systemctl show -p MainPID --value "$unit" 2>/dev/null)"
+  [ -n "$pid" ] && [ "$pid" != "0" ] && pgrep -aP "$pid" 2>/dev/null | grep -qiE 'claude|codex|opencode'
+}
+
+# ---- 3. DRY RUN: preview only (install candidate to temp prefix, gate it) -------
+if [ "$DRY_RUN" = "1" ]; then
+  LOG "DRY_RUN: would back up [$(osusers | tr '\n' ' ')]; testing candidate $target in a temp prefix (no global change, no restarts)"
+  tmp="$(mktemp -d -p "$TMPROOT")"
+  if npm i --prefix "$tmp" "t3@$target" >/dev/null 2>&1; then
+    seed="$(ls -1t "$BACKUP_DIR/wizard/state-"*.sqlite 2>/dev/null | head -1)"   # reuse any existing backup as seed
+    if health_check "$tmp/node_modules/.bin/t3" "$seed"; then LOG "DRY_RUN: candidate $target PASSED the gate"; else LOG "DRY_RUN: candidate $target FAILED the gate"; fi
   else
-    systemctl restart "$unit" && LOG "restarted $unit -> $after"
+    LOG "DRY_RUN: npm could not fetch t3@$target"
+  fi
+  rm -rf "$tmp"; exit 0
+fi
+
+# ---- 4. pre-bump backup, then install -------------------------------------------
+backup_all
+if ! npm i -g "t3@$target" >/dev/null 2>&1; then
+  LOG "npm install of t3@$target FAILED — staying on $current"; exit 0
+fi
+installed="$(ver)"
+[ "$installed" = "$target" ] || { LOG "post-install version is $installed, expected $target — rolling back"; rollback_binary; exit 1; }
+
+# ---- 5. gate the new binary on a POPULATED-DB migration + pairing ---------------
+if ! health_check "$(command -v t3)" "$ADMIN_SEED"; then
+  rollback_binary; exit 1   # nothing restarted yet -> binary rollback is clean
+fi
+LOG "health gate passed for $target; canary-restarting idle instances one at a time"
+
+# ---- 6. canary rollout: idle instances one-by-one, verify pairing after each ----
+restarted=0; deferred=0
+for unit in $(systemctl list-units --type=service --state=running --no-legend 't3-serve@*' 2>/dev/null | awk '{print $1}'); do
+  u="$(printf '%s' "$unit" | sed -n 's/^t3-serve@\(.*\)\.service$/\1/p')"; [ -n "$u" ] || continue
+  if unit_busy "$unit"; then
+    LOG "deferring $unit (active agent) — migrates on its next idle restart"
+    mkdir -p "$DEFER_DIR" 2>/dev/null && printf '%s\n' "$target" >"$DEFER_DIR/$u"   # record for t3-migrate-idle
+    deferred=$((deferred+1)); continue
+  fi
+  if safe_restart_unit "$unit" "$u"; then
+    restarted=$((restarted+1))
+    rm -f "$DEFER_DIR/$u" 2>/dev/null            # now current — clear any stale marker
+  else
+    exit 1                                        # frozen by safe_restart_unit — preserve today's behavior
   fi
 done
-LOG "update complete: $after"
+
+# ---- 7. success: advance last-good ----------------------------------------------
+echo "$target" >"$LAST_GOOD_FILE"
+LOG "update complete: $target (restarted=$restarted deferred=$deferred); last_good now $target"
diff --git a/scripts/t3-autoupdate.timer b/scripts/t3-autoupdate.timer
index a59135f7..65f1635a 100644
--- a/scripts/t3-autoupdate.timer
+++ b/scripts/t3-autoupdate.timer
@@ -1,10 +1,13 @@
 [Unit]
-Description=Daily t3 nightly auto-update
+Description=Daily gated t3 nightly tracker (health-checked + canary + auto-rollback)
 
 [Timer]
 OnCalendar=*-*-* 04:00:00
 RandomizedDelaySec=1h
-Persistent=true
+# Persistent deliberately OMITTED: this now installs a NEW build + migrates DBs +
+# restarts serves, so a missed 04:00 run must NOT fire on boot mid-day with users
+# active (a 2026-06-09 contributing factor). Skipping a day is fine — the next
+# 04:00 picks up the latest nightly.
 
 [Install]
 WantedBy=timers.target
diff --git a/scripts/t3-backup-state.service b/scripts/t3-backup-state.service
new file mode 100644
index 00000000..5f590942
--- /dev/null
+++ b/scripts/t3-backup-state.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Consistent backup of per-user t3 ~/.t3 state.sqlite (history + auth)
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/t3-backup-state
diff --git a/scripts/t3-backup-state.sh b/scripts/t3-backup-state.sh
new file mode 100644
index 00000000..7d9f4cd1
--- /dev/null
+++ b/scripts/t3-backup-state.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+# Consistent online backup of each t3 user's ~/.t3 state.sqlite (chat/session
+# history AND auth tables). ~/.t3 lives on the devvm local disk — NOT a K8s PVC and
+# NOT in the 3-2-1 pipeline — so without this it is the only copy and a rebuild
+# loses it. It also makes a t3 version bump REVERSIBLE: 0.0.25+ migrate the schema
+# FORWARD (a one-way door), so a clean pre-bump backup turns rollback into a restore
+# instead of per-user sqlite surgery (see runbooks/t3-version-bump.md). Runs as root
+# via t3-backup-state.timer; the per-user .backup runs AS the owning user so the live
+# WAL/-shm files keep their owner and the running t3-serve is never perturbed.
+set -uo pipefail
+DEST="${T3_BACKUP_DEST:-/var/backups/t3-state}"
+# 6 (was 14): wizard's state.sqlite grew to ~1.1GB, and the gated nightly tracker
+# adds a pre-bump snapshot per bump on top of this daily one — 14 x ~1.1GB would
+# fill the devvm root fs. 6 is ample (rollback only ever needs the most recent
+# pre-bump backup). Bump per user via T3_BACKUP_KEEP if a DB is small.
+KEEP="${T3_BACKUP_KEEP:-6}"
+MAP=/etc/ttyd-user-map
+LOG() { logger -t t3-backup-state "$*"; echo "t3-backup-state: $*"; }
+
+ts=$(date +%Y%m%d-%H%M%S)
+# RHS of each non-comment "authentik=os_user" line = an OS user owning a ~/.t3.
+mapfile -t users < <(awk -F= '!/^[[:space:]]*#/ && NF==2 { gsub(/[[:space:]]/,"",$2); print $2 }' "$MAP" 2>/dev/null | sort -u)
+[[ ${#users[@]} -gt 0 ]] || { LOG "no users in $MAP; nothing to back up"; exit 0; }
+
+rc=0
+for u in "${users[@]}"; do
+  src="/home/$u/.t3/userdata/state.sqlite"
+  if [[ ! -f "$src" ]]; then LOG "skip $u (no state.sqlite)"; continue; fi
+  out="$DEST/$u"; dst="$out/state-$ts.sqlite"
+  install -d -o "$u" -g "$u" -m 0700 "$out"
+  # VACUUM INTO takes a consistent read-snapshot copy — unlike .backup it does NOT
+  # restart when the source is written mid-copy, so it finishes in a single pass even
+  # for the actively-used instance (the admin's own live session, which .backup would
+  # loop on forever). Run as the owning user so WAL access keeps the live serve happy.
+  # timeout caps a pathologically-slow copy (huge DB + concurrent writes on a contended
+  # disk) so the daily run can never wedge — it just logs + retries next cycle. The
+  # daily 03:30 slot normally finds instances idle, where even a large DB copies fast.
+  if runuser -u "$u" -- timeout "${T3_BACKUP_TIMEOUT:-900}" sqlite3 "$src" "VACUUM INTO '$dst'" 2>/dev/null && [[ -s "$dst" ]]; then
+    LOG "backed up $u -> $dst ($(stat -c%s "$dst" 2>/dev/null) bytes)"
+  else
+    LOG "WARN: backup FAILED for $u ($src)"; rc=1; rm -f "$dst"
+  fi
+  # retention: keep newest $KEEP per user
+  ls -1t "$out"/state-*.sqlite 2>/dev/null | tail -n +$((KEEP+1)) | xargs -r rm -f
+done
+LOG "done (rc=$rc)"
+exit $rc
diff --git a/scripts/t3-backup-state.timer b/scripts/t3-backup-state.timer
new file mode 100644
index 00000000..72ac48e5
--- /dev/null
+++ b/scripts/t3-backup-state.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Daily t3 state.sqlite backup (the only copy of ~/.t3; enables version-bump rollback)
+
+[Timer]
+OnCalendar=*-*-* 03:30:00
+RandomizedDelaySec=20m
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/scripts/t3-dispatch/go.mod b/scripts/t3-dispatch/go.mod
index 26e9388b..3a0fef0f 100644
--- a/scripts/t3-dispatch/go.mod
+++ b/scripts/t3-dispatch/go.mod
@@ -1,3 +1,5 @@
 module t3-dispatch
 
 go 1.22
+
+require github.com/gorilla/websocket v1.5.3
diff --git a/scripts/t3-dispatch/go.sum b/scripts/t3-dispatch/go.sum
new file mode 100644
index 00000000..25a9fc4b
--- /dev/null
+++ b/scripts/t3-dispatch/go.sum
@@ -0,0 +1,2 @@
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
diff --git a/scripts/t3-dispatch/main.go b/scripts/t3-dispatch/main.go
index cebcc119..05e59304 100644
--- a/scripts/t3-dispatch/main.go
+++ b/scripts/t3-dispatch/main.go
@@ -59,14 +59,103 @@ func lookup(ak string) (entry, bool) {
 	return e, ok
 }
 
+// mintToken mints a one-time pairing token for osUser via the scoped sudoers
+// entry (the dispatch service can invoke nothing else). Indirected through a var
+// so tests can stub the privileged exec.
+var mintToken = func(osUser string) ([]byte, error) {
+	return exec.Command("sudo", "-n", "/usr/local/bin/t3-mint", osUser).Output()
+}
+
+var sessionClient = &http.Client{Timeout: 5 * time.Second}
+
+// sessionValid asks the user's instance whether the presented t3_session cookie
+// is still valid. Server-side sessions can be wiped/expired independently of the
+// 30-day cookie (e.g. an auth-schema rollback drops every session row), leaving
+// the browser with a live-looking but dead cookie. Fails OPEN: any error/non-200/
+// parse failure returns true so the request still proxies — a re-pair is forced
+// only on a definitive authenticated:false.
+func sessionValid(e entry, c *http.Cookie) bool {
+	req, err := http.NewRequest(http.MethodGet,
+		fmt.Sprintf("http://127.0.0.1:%d/api/auth/session", e.Port), nil)
+	if err != nil {
+		return true
+	}
+	req.AddCookie(c)
+	resp, err := sessionClient.Do(req)
+	if err != nil {
+		return true
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return true
+	}
+	var s struct {
+		Authenticated bool `json:"authenticated"`
+	}
+	if json.NewDecoder(resp.Body).Decode(&s) != nil {
+		return true
+	}
+	return s.Authenticated
+}
+
+// isDocumentNav reports whether r is a top-level browser document navigation, as
+// opposed to an XHR/fetch/asset/WebSocket sub-request. Only such requests are
+// safe to answer with a re-pair 302 — redirecting a sub-resource would corrupt
+// the SPA's fetch/WebSocket contract. Trust Sec-Fetch-Dest when present (all
+// modern browsers send it); fall back to the Accept header otherwise.
+func isDocumentNav(r *http.Request) bool {
+	if r.Method != http.MethodGet {
+		return false
+	}
+	if dest := r.Header.Get("Sec-Fetch-Dest"); dest != "" {
+		return dest == "document"
+	}
+	return strings.Contains(r.Header.Get("Accept"), "text/html")
+}
+
+// pairEndpoints are the instance's session-bootstrap paths in preference order.
+// t3 renamed /api/auth/bootstrap -> /api/auth/browser-session in 0.0.25; trying the
+// new name first and falling back to the old lets ONE dispatch binary pair against
+// either version — so the t3 pin can move forward (and survive a rolling-restart
+// skew where some instances are already on the new version) without a 502 storm.
+var pairEndpoints = []string{"/api/auth/browser-session", "/api/auth/bootstrap"}
+
+// exchangeCredential POSTs the pairing credential to the user's instance, trying
+// each pairEndpoint in turn. A 404 means "absent in this t3 version" -> try the
+// next; any other status is that endpoint's verdict, returned as-is. It also
+// returns WHICH endpoint answered, so the caller can log the browser-session ->
+// bootstrap fallback rate (a non-zero rate flags that the running t3 build moved
+// the pairing API — the 2026-06-09 contract-drift class). Caller owns resp.Body.
+func exchangeCredential(port int, credential string) (*http.Response, string, error) {
+	body, _ := json.Marshal(map[string]string{"credential": credential})
+	var lastErr error
+	for _, ep := range pairEndpoints {
+		resp, err := http.Post(fmt.Sprintf("http://127.0.0.1:%d%s", port, ep),
+			"application/json", bytes.NewReader(body))
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		if resp.StatusCode == http.StatusNotFound {
+			resp.Body.Close() // endpoint absent in this t3 version — try the next
+			continue
+		}
+		return resp, ep, nil
+	}
+	if lastErr != nil {
+		return nil, "", lastErr
+	}
+	return nil, "", fmt.Errorf("no pairing endpoint accepted the request (all returned 404)")
+}
+
 // autoPair mints a one-time pairing token for the user's instance (as that OS
-// user, via the scoped sudoers entry) and exchanges it at the instance's
-// /api/auth/bootstrap, relaying the returned t3_session Set-Cookie to the browser.
+// user, via the scoped sudoers entry) and exchanges it at the instance's pairing
+// endpoint, relaying the returned t3_session Set-Cookie to the browser.
 func autoPair(e entry, w http.ResponseWriter, r *http.Request) {
 	// t3-mint (root, via scoped sudoers) validates the OS user is in
 	// /etc/ttyd-user-map, then mints as that user. The dispatch service itself
 	// runs unprivileged and can invoke nothing else.
-	out, err := exec.Command("sudo", "-n", "/usr/local/bin/t3-mint", e.OsUser).Output()
+	out, err := mintToken(e.OsUser)
 	if err != nil {
 		log.Printf("mint for %s failed: %v", e.OsUser, err)
 		http.Error(w, "pairing mint failed", http.StatusInternalServerError)
@@ -79,22 +168,25 @@ func autoPair(e entry, w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "unparseable pairing output", http.StatusInternalServerError)
 		return
 	}
-	body, _ := json.Marshal(map[string]string{"credential": pc.Credential})
-	resp, err := http.Post(fmt.Sprintf("http://127.0.0.1:%d/api/auth/bootstrap", e.Port),
-		"application/json", bytes.NewReader(body))
+	resp, ep, err := exchangeCredential(e.Port, pc.Credential)
 	if err != nil {
+		log.Printf("pairing exchange for %s failed: %v", e.OsUser, err)
 		http.Error(w, "bootstrap request failed", http.StatusBadGateway)
 		return
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
-		log.Printf("bootstrap for %s returned %d", e.OsUser, resp.StatusCode)
+		log.Printf("pairing for %s returned %d (endpoint=%s)", e.OsUser, resp.StatusCode, ep)
 		http.Error(w, "bootstrap rejected", http.StatusBadGateway)
 		return
 	}
 	for _, c := range resp.Cookies() {
 		http.SetCookie(w, c) // relays t3_session (HttpOnly; Path=/; SameSite=Lax)
 	}
+	// Success line is the steady-state signal: endpoint= which pairing path won,
+	// fallback=true iff we fell back off the first-preference endpoint (running
+	// t3 build moved the pairing API). t3-probe / Loki alert on the fallback rate.
+	log.Printf("paired user=%s endpoint=%s fallback=%t", e.OsUser, ep, ep != pairEndpoints[0])
 	http.Redirect(w, r, "/", http.StatusFound)
 }
 
@@ -111,13 +203,79 @@ func handler(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "no t3 instance provisioned for this user", http.StatusForbidden)
 		return
 	}
-	if _, err := r.Cookie(cookieName); err != nil {
+	c, err := r.Cookie(cookieName)
+	if err != nil {
+		autoPair(e, w, r)
+		return
+	}
+	// A present cookie can still be server-side-invalid (sessions wiped/expired
+	// while the 30-day cookie lingers). On a top-level navigation, verify it and
+	// re-pair if dead — otherwise the instance just renders its pair page. Gated
+	// to document navs so we never 302 an XHR/asset/WebSocket sub-request.
+	if isDocumentNav(r) && !sessionValid(e, c) {
 		autoPair(e, w, r)
 		return
 	}
 	// Steady state: reverse-proxy (incl. WebSocket upgrade) to the user's instance.
 	target, _ := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", e.Port))
-	httputil.NewSingleHostReverseProxy(target).ServeHTTP(w, r)
+	proxy := httputil.NewSingleHostReverseProxy(target)
+
+	// WebSocket connection logging: t3 drops manifest as the client's 20s
+	// heartbeat watchdog reconnecting, so a flood of short-lived /ws connections
+	// IS the symptom. Log each WS open + close (duration + which side hung up) so
+	// a drop is attributable from logs alone — graceful closes otherwise leave no
+	// trace (the default ReverseProxy only logs on error). cause stays "graceful"
+	// unless ErrorHandler fires; ErrorHandler runs within ServeHTTP, so reading
+	// cause after ServeHTTP returns needs no synchronisation.
+	if isWebSocket(r) {
+		start := time.Now()
+		ip := clientIP(r)
+		cause := "graceful"
+		proxy.ErrorHandler = func(rw http.ResponseWriter, _ *http.Request, err error) {
+			cause = classifyClose(err)
+		}
+		log.Printf("ws open user=%s ip=%s", e.OsUser, ip)
+		proxy.ServeHTTP(w, r)
+		log.Printf("ws close user=%s ip=%s dur_ms=%d cause=%s",
+			e.OsUser, ip, time.Since(start).Milliseconds(), cause)
+		return
+	}
+	proxy.ServeHTTP(w, r)
+}
+
+// isWebSocket reports whether r is a WebSocket upgrade request.
+func isWebSocket(r *http.Request) bool {
+	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
+		strings.Contains(strings.ToLower(r.Header.Get("Connection")), "upgrade")
+}
+
+// clientIP returns the forwarded client chain (X-Forwarded-For, set by
+// Traefik/CF) when present, else the immediate peer — for correlating a drop
+// to a specific client/edge.
+func clientIP(r *http.Request) string {
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+		return xff
+	}
+	return r.RemoteAddr
+}
+
+// classifyClose maps a reverse-proxy copy error to which side ended the socket:
+// downstream (client/CF/Traefik went away) vs upstream (the user's t3 serve
+// closed/reset). Distinguishes a last-mile/client drop from a t3-serve stall.
+func classifyClose(err error) string {
+	if err == nil {
+		return "graceful"
+	}
+	s := err.Error()
+	switch {
+	case strings.Contains(s, "context canceled"):
+		return "downstream_closed" // client / CF / Traefik tore down
+	case strings.Contains(s, "reset by peer"), strings.Contains(s, "broken pipe"),
+		strings.Contains(s, "EOF"), strings.Contains(s, "connection refused"):
+		return "upstream_closed" // t3 serve closed / unreachable
+	default:
+		return s
+	}
 }
 
 func main() {
@@ -133,6 +291,7 @@ func main() {
 	}()
 	mux := http.NewServeMux()
 	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) { _, _ = w.Write([]byte("ok\n")) })
+	registerProbe(mux)
 	mux.HandleFunc("/", handler)
 	log.Printf("t3-dispatch listening on %s", listenAddr)
 	log.Fatal(http.ListenAndServe(listenAddr, mux))
diff --git a/scripts/t3-dispatch/main_test.go b/scripts/t3-dispatch/main_test.go
new file mode 100644
index 00000000..8d021a24
--- /dev/null
+++ b/scripts/t3-dispatch/main_test.go
@@ -0,0 +1,399 @@
+package main
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"strings"
+	"testing"
+
+	"github.com/gorilla/websocket"
+)
+
+func portOf(t *testing.T, ts *httptest.Server) int {
+	t.Helper()
+	u, err := url.Parse(ts.URL)
+	if err != nil {
+		t.Fatalf("parse %s: %v", ts.URL, err)
+	}
+	p, err := strconv.Atoi(u.Port())
+	if err != nil {
+		t.Fatalf("port %s: %v", u.Port(), err)
+	}
+	return p
+}
+
+func TestIsDocumentNav(t *testing.T) {
+	cases := []struct {
+		name    string
+		method  string
+		headers map[string]string
+		want    bool
+	}{
+		{"GET sec-fetch-dest document", "GET", map[string]string{"Sec-Fetch-Dest": "document"}, true},
+		{"GET accept html (no sec-fetch)", "GET", map[string]string{"Accept": "text/html,application/xhtml+xml"}, true},
+		{"GET xhr empty dest beats accept", "GET", map[string]string{"Sec-Fetch-Dest": "empty", "Accept": "text/html"}, false},
+		{"GET json", "GET", map[string]string{"Accept": "application/json"}, false},
+		{"POST html", "POST", map[string]string{"Accept": "text/html"}, false},
+		{"GET no headers", "GET", map[string]string{}, false},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			r, _ := http.NewRequest(c.method, "/", nil)
+			for k, v := range c.headers {
+				r.Header.Set(k, v)
+			}
+			if got := isDocumentNav(r); got != c.want {
+				t.Errorf("isDocumentNav = %v, want %v", got, c.want)
+			}
+		})
+	}
+}
+
+func sessionServer(status int, body string) *httptest.Server {
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/api/auth/session" {
+			http.NotFound(w, r)
+			return
+		}
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(body))
+	}))
+}
+
+func TestSessionValid(t *testing.T) {
+	ck := &http.Cookie{Name: cookieName, Value: "x"}
+
+	t.Run("authenticated true -> valid", func(t *testing.T) {
+		ts := sessionServer(200, `{"authenticated":true}`)
+		defer ts.Close()
+		if !sessionValid(entry{Port: portOf(t, ts)}, ck) {
+			t.Fatal("want valid (true) for authenticated:true")
+		}
+	})
+	t.Run("authenticated false -> invalid", func(t *testing.T) {
+		ts := sessionServer(200, `{"authenticated":false}`)
+		defer ts.Close()
+		if sessionValid(entry{Port: portOf(t, ts)}, ck) {
+			t.Fatal("want invalid (false) for authenticated:false")
+		}
+	})
+	t.Run("500 -> fail-open valid", func(t *testing.T) {
+		ts := sessionServer(500, `boom`)
+		defer ts.Close()
+		if !sessionValid(entry{Port: portOf(t, ts)}, ck) {
+			t.Fatal("want fail-open true on 500")
+		}
+	})
+	t.Run("malformed json -> fail-open valid", func(t *testing.T) {
+		ts := sessionServer(200, `not json`)
+		defer ts.Close()
+		if !sessionValid(entry{Port: portOf(t, ts)}, ck) {
+			t.Fatal("want fail-open true on unparseable body")
+		}
+	})
+	t.Run("unreachable -> fail-open valid", func(t *testing.T) {
+		ts := sessionServer(200, `{"authenticated":false}`)
+		p := portOf(t, ts)
+		ts.Close() // nothing listening now
+		if !sessionValid(entry{Port: p}, ck) {
+			t.Fatal("want fail-open true on connection refused")
+		}
+	})
+}
+
+// fakeInstance serves the three endpoints the dispatcher touches: the session
+// check, the bootstrap exchange, and a catch-all standing in for the proxied app.
+func fakeInstance(authenticated bool, bootstrapCalled *bool) *httptest.Server {
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/api/auth/session":
+			if authenticated {
+				_, _ = w.Write([]byte(`{"authenticated":true}`))
+			} else {
+				_, _ = w.Write([]byte(`{"authenticated":false}`))
+			}
+		case "/api/auth/bootstrap":
+			if bootstrapCalled != nil {
+				*bootstrapCalled = true
+			}
+			http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "fresh", Path: "/"})
+			_, _ = w.Write([]byte(`{"authenticated":true}`))
+		case "/api/auth/browser-session":
+			http.NotFound(w, r) // models a 0.0.24 instance: the 0.0.25 endpoint is absent
+		default:
+			_, _ = w.Write([]byte("APP"))
+		}
+	}))
+}
+
+func setTable(port int) {
+	mu.Lock()
+	table = map[string]entry{"vbarzin": {OsUser: "wizard", Port: port}}
+	mu.Unlock()
+}
+
+func TestHandlerRepairsOnInvalidCookieDocNav(t *testing.T) {
+	called := false
+	ts := fakeInstance(false, &called)
+	defer ts.Close()
+	setTable(portOf(t, ts))
+
+	orig := mintToken
+	mintToken = func(string) ([]byte, error) { return []byte(`{"credential":"tok"}`), nil }
+	defer func() { mintToken = orig }()
+
+	r := httptest.NewRequest("GET", "/", nil)
+	r.Header.Set("X-authentik-username", "vbarzin@gmail.com")
+	r.Header.Set("Sec-Fetch-Dest", "document")
+	r.AddCookie(&http.Cookie{Name: cookieName, Value: "stale"})
+	w := httptest.NewRecorder()
+
+	handler(w, r)
+
+	if w.Code != http.StatusFound {
+		t.Fatalf("stale cookie on doc-nav should re-pair (302), got %d body=%q", w.Code, w.Body.String())
+	}
+	if !called {
+		t.Fatal("expected bootstrap to be called during re-pair")
+	}
+	cookies := w.Result().Cookies()
+	if len(cookies) == 0 || cookies[0].Value != "fresh" {
+		t.Fatalf("expected fresh t3_session relayed, got %+v", cookies)
+	}
+}
+
+func TestHandlerProxiesOnValidCookie(t *testing.T) {
+	ts := fakeInstance(true, nil)
+	defer ts.Close()
+	setTable(portOf(t, ts))
+
+	r := httptest.NewRequest("GET", "/", nil)
+	r.Header.Set("X-authentik-username", "vbarzin@gmail.com")
+	r.Header.Set("Sec-Fetch-Dest", "document")
+	r.AddCookie(&http.Cookie{Name: cookieName, Value: "good"})
+	w := httptest.NewRecorder()
+
+	handler(w, r)
+
+	if w.Code != http.StatusOK || w.Body.String() != "APP" {
+		t.Fatalf("valid cookie should proxy (200 APP), got %d %q", w.Code, w.Body.String())
+	}
+}
+
+func TestHandlerProxiesXHREvenIfCookieInvalid(t *testing.T) {
+	called := false
+	ts := fakeInstance(false, &called) // session would say invalid, but XHR must NOT be re-paired
+	defer ts.Close()
+	setTable(portOf(t, ts))
+
+	r := httptest.NewRequest("GET", "/api/threads", nil)
+	r.Header.Set("X-authentik-username", "vbarzin@gmail.com")
+	r.Header.Set("Sec-Fetch-Dest", "empty") // XHR/fetch, not a document nav
+	r.AddCookie(&http.Cookie{Name: cookieName, Value: "stale"})
+	w := httptest.NewRecorder()
+
+	handler(w, r)
+
+	if called {
+		t.Fatal("must NOT re-pair (302) a non-document sub-request — would corrupt the SPA fetch contract")
+	}
+	if w.Code != http.StatusOK || w.Body.String() != "APP" {
+		t.Fatalf("XHR should proxy through, got %d %q", w.Code, w.Body.String())
+	}
+}
+
+// pairInstance simulates a t3 instance that exposes pairing at exactly one path
+// (200 + t3_session) and 404s the other known path — modeling the 0.0.25 rename of
+// /api/auth/bootstrap -> /api/auth/browser-session. records which path was hit.
+func pairInstance(pairPath string, hit *string) *httptest.Server {
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/api/auth/browser-session", "/api/auth/bootstrap":
+			if r.URL.Path != pairPath {
+				http.NotFound(w, r) // endpoint absent in this t3 version
+				return
+			}
+			if hit != nil {
+				*hit = r.URL.Path
+			}
+			http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "fresh", Path: "/"})
+			_, _ = w.Write([]byte(`{"authenticated":true}`))
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+}
+
+// TestAutoPairAcrossVersions: one dispatch binary must pair against BOTH the
+// 0.0.24 endpoint (/api/auth/bootstrap) and the 0.0.25 one (/api/auth/browser-session),
+// so the pin can move forward (and survive rolling-restart skew) without a 502 storm.
+func TestAutoPairAcrossVersions(t *testing.T) {
+	orig := mintToken
+	mintToken = func(string) ([]byte, error) { return []byte(`{"credential":"tok"}`), nil }
+	defer func() { mintToken = orig }()
+
+	for _, tc := range []struct{ name, pairPath string }{
+		{"0.0.25 browser-session", "/api/auth/browser-session"},
+		{"0.0.24 bootstrap", "/api/auth/bootstrap"},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			var hit string
+			ts := pairInstance(tc.pairPath, &hit)
+			defer ts.Close()
+			setTable(portOf(t, ts))
+
+			r := httptest.NewRequest("GET", "/", nil)
+			r.Header.Set("X-authentik-username", "vbarzin@gmail.com") // no cookie -> autoPair
+			w := httptest.NewRecorder()
+			handler(w, r)
+
+			if w.Code != http.StatusFound {
+				t.Fatalf("want 302 re-pair, got %d body=%q", w.Code, w.Body.String())
+			}
+			if hit != tc.pairPath {
+				t.Fatalf("want pairing via %s, hit=%q", tc.pairPath, hit)
+			}
+			if cs := w.Result().Cookies(); len(cs) == 0 || cs[0].Value != "fresh" {
+				t.Fatalf("want fresh t3_session relayed, got %+v", cs)
+			}
+		})
+	}
+}
+
+// TestExchangeCredentialReportsEndpoint: exchangeCredential must report WHICH
+// pairing endpoint accepted the credential, so the dispatch can log it and we
+// can alert on the browser-session -> bootstrap fallback rate (a non-zero rate
+// means the running t3 build moved/renamed the pairing API — contract drift, the
+// 2026-06-09 failure class). fallback = endpoint is not the first-preference one.
+func TestExchangeCredentialReportsEndpoint(t *testing.T) {
+	for _, tc := range []struct {
+		name, pairPath, wantEP string
+		wantFallback           bool
+	}{
+		{"0.0.25 browser-session (primary)", "/api/auth/browser-session", "/api/auth/browser-session", false},
+		{"0.0.24 bootstrap (fallback)", "/api/auth/bootstrap", "/api/auth/bootstrap", true},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			var hit string
+			ts := pairInstance(tc.pairPath, &hit)
+			defer ts.Close()
+
+			resp, ep, err := exchangeCredential(portOf(t, ts), "tok")
+			if err != nil {
+				t.Fatalf("exchangeCredential: %v", err)
+			}
+			defer resp.Body.Close()
+			if resp.StatusCode != http.StatusOK {
+				t.Fatalf("status = %d, want 200", resp.StatusCode)
+			}
+			if ep != tc.wantEP {
+				t.Fatalf("endpoint = %q, want %q", ep, tc.wantEP)
+			}
+			if gotFallback := ep != pairEndpoints[0]; gotFallback != tc.wantFallback {
+				t.Fatalf("fallback = %v, want %v", gotFallback, tc.wantFallback)
+			}
+		})
+	}
+}
+
+func TestProbeHealthz(t *testing.T) {
+	mux := http.NewServeMux()
+	registerProbe(mux)
+	ts := httptest.NewServer(mux)
+	defer ts.Close()
+	resp, err := http.Get(ts.URL + "/probe/healthz")
+	if err != nil {
+		t.Fatalf("GET /probe/healthz: %v", err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("status = %d, want 200", resp.StatusCode)
+	}
+}
+
+func TestProbeWSEcho(t *testing.T) {
+	mux := http.NewServeMux()
+	registerProbe(mux)
+	ts := httptest.NewServer(mux)
+	defer ts.Close()
+	wsURL := "ws" + strings.TrimPrefix(ts.URL, "http") + "/probe/ws"
+	c, _, err := websocket.DefaultDialer.Dial(wsURL, nil)
+	if err != nil {
+		t.Fatalf("dial %s: %v", wsURL, err)
+	}
+	defer c.Close()
+	for _, msg := range []string{"ping 1718000000", "ping 1718000010"} {
+		if err := c.WriteMessage(websocket.TextMessage, []byte(msg)); err != nil {
+			t.Fatalf("write: %v", err)
+		}
+		_, got, err := c.ReadMessage()
+		if err != nil {
+			t.Fatalf("read: %v", err)
+		}
+		if string(got) != msg {
+			t.Errorf("echo = %q, want %q", got, msg)
+		}
+	}
+}
+
+func TestIsWebSocket(t *testing.T) {
+	cases := []struct {
+		up, conn string
+		want     bool
+	}{
+		{"websocket", "Upgrade", true},
+		{"websocket", "keep-alive, Upgrade", true},
+		{"WebSocket", "upgrade", true},
+		{"", "keep-alive", false},
+		{"h2c", "Upgrade", false},
+		{"websocket", "keep-alive", false},
+	}
+	for _, c := range cases {
+		r, _ := http.NewRequest("GET", "/ws", nil)
+		if c.up != "" {
+			r.Header.Set("Upgrade", c.up)
+		}
+		r.Header.Set("Connection", c.conn)
+		if got := isWebSocket(r); got != c.want {
+			t.Errorf("isWebSocket(up=%q conn=%q)=%v want %v", c.up, c.conn, got, c.want)
+		}
+	}
+}
+
+func TestClassifyClose(t *testing.T) {
+	cases := []struct {
+		in   error
+		want string
+	}{
+		{nil, "graceful"},
+		{errTest("context canceled"), "downstream_closed"},
+		{errTest("read tcp 127.0.0.1:60664->127.0.0.1:3773: read: connection reset by peer"), "upstream_closed"},
+		{errTest("write: broken pipe"), "upstream_closed"},
+		{errTest("unexpected EOF"), "upstream_closed"},
+		{errTest("dial tcp 127.0.0.1:3773: connect: connection refused"), "upstream_closed"},
+		{errTest("some novel error"), "some novel error"},
+	}
+	for _, c := range cases {
+		if got := classifyClose(c.in); got != c.want {
+			t.Errorf("classifyClose(%v)=%q want %q", c.in, got, c.want)
+		}
+	}
+}
+
+type errTest string
+
+func (e errTest) Error() string { return string(e) }
+
+func TestClientIP(t *testing.T) {
+	r, _ := http.NewRequest("GET", "/ws", nil)
+	r.RemoteAddr = "10.0.0.5:1234"
+	if got := clientIP(r); got != "10.0.0.5:1234" {
+		t.Errorf("clientIP no-xff = %q", got)
+	}
+	r.Header.Set("X-Forwarded-For", "1.2.3.4, 10.10.1.1")
+	if got := clientIP(r); got != "1.2.3.4, 10.10.1.1" {
+		t.Errorf("clientIP xff = %q", got)
+	}
+}
diff --git a/scripts/t3-dispatch/probe.go b/scripts/t3-dispatch/probe.go
new file mode 100644
index 00000000..df689bce
--- /dev/null
+++ b/scripts/t3-dispatch/probe.go
@@ -0,0 +1,49 @@
+// probe.go: unauthenticated path-health surface for the in-cluster t3-probe.
+// /probe/* is carved out of Authentik (stacks/t3code `module "ingress_probe"`)
+// so a synthetic client can hold a long-lived WebSocket here via two routes
+// (Cloudflare edge vs internal Traefik) and attribute connection drops to a
+// path segment. It echoes tiny frames and reaches no t3 instance — nothing
+// user-grade is exposed.
+package main
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gorilla/websocket"
+)
+
+// Reap connections whose client went silent; the probe pings every 10s, so 90s
+// of silence means the peer is gone even if TCP never noticed.
+const probeIdleLimit = 90 * time.Second
+
+var probeUpgrader = websocket.Upgrader{
+	// No cookies or credentials are at stake on an echo endpoint, and the
+	// probe connects without a browser Origin — checking it would only break it.
+	CheckOrigin: func(*http.Request) bool { return true },
+}
+
+func registerProbe(mux *http.ServeMux) {
+	mux.HandleFunc("/probe/healthz", func(w http.ResponseWriter, _ *http.Request) {
+		_, _ = w.Write([]byte("ok\n"))
+	})
+	mux.HandleFunc("/probe/ws", func(w http.ResponseWriter, r *http.Request) {
+		c, err := probeUpgrader.Upgrade(w, r, nil)
+		if err != nil {
+			return // Upgrade has already written the HTTP error
+		}
+		defer c.Close()
+		for {
+			if err := c.SetReadDeadline(time.Now().Add(probeIdleLimit)); err != nil {
+				return
+			}
+			mt, msg, err := c.ReadMessage()
+			if err != nil {
+				return
+			}
+			if err := c.WriteMessage(mt, msg); err != nil {
+				return
+			}
+		}
+	})
+}
diff --git a/scripts/t3-migrate-idle.service b/scripts/t3-migrate-idle.service
new file mode 100644
index 00000000..97c28faa
--- /dev/null
+++ b/scripts/t3-migrate-idle.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=t3 idle migrator — restart deferred t3-serve instances onto the current binary when idle
+Documentation=https://forgejo.viktorbarzin.me/viktor/infra/src/branch/master/docs/plans/2026-06-21-t3-idle-migrate-design.md
+After=network.target t3-dispatch.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/t3-migrate-idle
diff --git a/scripts/t3-migrate-idle.sh b/scripts/t3-migrate-idle.sh
new file mode 100644
index 00000000..85835374
--- /dev/null
+++ b/scripts/t3-migrate-idle.sh
@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+# t3-migrate-idle.sh — drains t3-autoupdate's deferral markers (via the overnight
+# t3-migrate-idle.timer). For each deferred t3-serve@<user>, if nothing is actively
+# working in that instance (no in-flight turn + a quiet buffer), restart it onto the
+# current binary using the shared safe_restart_unit, then clear the marker.
+# Why this exists: t3-autoupdate defers a user with an active agent at its single
+# daily window; a user busy every night never migrates and their client shows
+# "Client and server versions differ". See docs/plans/2026-06-21-t3-idle-migrate-*.
+set -uo pipefail
+
+LOG_TAG=t3-migrate-idle
+# shellcheck source=scripts/t3-safe-restart.sh
+. "${T3_SAFE_RESTART_LIB:-/usr/local/lib/t3-safe-restart.sh}"
+
+QUIET_SECONDS="${T3_MIGRATE_QUIET_SECONDS:-900}"   # required idle before a restart (15 min)
+DRY_RUN="${T3_DRY_RUN:-0}"
+
+# pure logic: is it safe given <active_turns> and <idle_seconds>? fail closed.
+gate_is_safe() {
+  local active="$1" idle="$2"
+  case "$active" in ''|*[!0-9]*) return 1;; esac     # unparseable/empty active -> unsafe
+  [ "$active" -eq 0 ] || return 1                     # a turn is running -> unsafe
+  [ -z "$idle" ] && return 0                          # no threads at all -> safe
+  case "$idle" in ''|*[!0-9-]*) return 1;; esac       # non-numeric -> unsafe
+  [ "$idle" -ge "$QUIET_SECONDS" ]                    # negative or < quiet -> unsafe
+}
+
+# query a state.sqlite (path or file: URI). Echoes "<active_turns>|<idle_seconds>".
+# idle_seconds is empty when there are no rows. Normalizes ISO 'T'/'Z' for julianday.
+gate_query() {
+  local db="$1"
+  sqlite3 -batch -noheader -separator '|' "$db" \
+    "SELECT
+       (SELECT count(*) FROM projection_thread_sessions WHERE active_turn_id IS NOT NULL),
+       CAST((julianday('now') - julianday(replace(replace(max(updated_at),'T',' '),'Z',''))) * 86400 AS INT)
+     FROM projection_thread_sessions;"
+}
+
+# safe_to_restart <user>: wire runuser + the user's DB into gate_query/gate_is_safe.
+safe_to_restart() {
+  local u="$1" db row
+  db="/home/$u/.t3/userdata/state.sqlite"; [ -f "$db" ] || return 1
+  row="$(runuser -u "$u" -- sqlite3 -batch -noheader -separator '|' "file:$db?mode=ro" \
+    "SELECT
+       (SELECT count(*) FROM projection_thread_sessions WHERE active_turn_id IS NOT NULL),
+       CAST((julianday('now') - julianday(replace(replace(max(updated_at),'T',' '),'Z',''))) * 86400 AS INT)
+     FROM projection_thread_sessions;" 2>/dev/null)" || return 1
+  gate_is_safe "${row%%|*}" "${row##*|}"
+}
+
+main() {
+  # a frozen build must not be auto-migrated (shared switch with t3-autoupdate)
+  if [ -e "$FREEZE_FILE" ]; then LOG "FROZEN: $FREEZE_FILE present — not draining deferrals"; exit 0; fi
+  [ -d "$DEFER_DIR" ] || exit 0                       # nothing deferred
+  last_good="$(tr -d '[:space:]' <"$LAST_GOOD_FILE" 2>/dev/null)"   # rollback target for the helper
+
+  local marker u unit started mwritten migrated=0 skipped=0
+  for marker in "$DEFER_DIR"/*; do
+    [ -e "$marker" ] || continue                      # empty-dir glob
+    u="$(basename "$marker")"; unit="t3-serve@$u.service"
+    if ! systemctl is-active --quiet "$unit"; then
+      LOG "clearing marker for $u: $unit not active"; rm -f "$marker"; continue
+    fi
+    started="$(date -d "$(systemctl show -p ActiveEnterTimestamp --value "$unit" 2>/dev/null)" +%s 2>/dev/null || echo 0)"
+    mwritten="$(stat -c %Y "$marker" 2>/dev/null || echo 0)"
+    if [ "$started" -gt "$mwritten" ]; then
+      LOG "clearing marker for $u: $unit already restarted $((started-mwritten))s after the deferral"; rm -f "$marker"; continue
+    fi
+    if ! safe_to_restart "$u"; then skipped=$((skipped+1)); continue; fi
+
+    target="$(tr -d '[:space:]' <"$marker" 2>/dev/null)"; [ -n "$target" ] || target="$(ver)"
+    if [ "$DRY_RUN" = "1" ]; then LOG "DRY_RUN: would migrate $unit -> $target (idle gate satisfied)"; continue; fi
+    if ! backup_user "$u" >/dev/null; then
+      LOG "WARN: pre-restart backup failed for $u — skipping (fail closed)"; skipped=$((skipped+1)); continue
+    fi
+    if safe_restart_unit "$unit" "$u"; then
+      LOG "migrated $unit -> $target (idle restart)"; rm -f "$marker"; migrated=$((migrated+1))
+    else
+      LOG "migrate FAILED for $unit — recovery+freeze handled by safe_restart_unit; stopping drain"; exit 1
+    fi
+  done
+  LOG "idle-migrate pass complete (migrated=$migrated skipped=$skipped)"
+}
+
+# main-guard: run only when executed, not when sourced (tests source this file).
+if [ "${BASH_SOURCE[0]}" = "${0}" ]; then main "$@"; fi
diff --git a/scripts/t3-migrate-idle.timer b/scripts/t3-migrate-idle.timer
new file mode 100644
index 00000000..0c847fa6
--- /dev/null
+++ b/scripts/t3-migrate-idle.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Overnight drain of t3-autoupdate deferrals (idle-gated t3-serve migration)
+
+[Timer]
+OnCalendar=*-*-* 01..05:00/20
+RandomizedDelaySec=120
+Persistent=false
+
+[Install]
+WantedBy=timers.target
diff --git a/scripts/t3-provision-users.sh b/scripts/t3-provision-users.sh
index 33edf3fd..9cbc6c1e 100644
--- a/scripts/t3-provision-users.sh
+++ b/scripts/t3-provision-users.sh
@@ -20,29 +20,174 @@ MAP=/etc/ttyd-user-map
 DRY_RUN="${DRY_RUN:-0}"
 # Public infra repo for the locked clone (no auth; the monorepo has no remote).
 INFRA_REMOTE="${INFRA_REMOTE:-https://github.com/ViktorBarzin/infra.git}"
+# Canonical push target for non-admin infra clones (AGENTS.md "Non-admin
+# workstation users"), and the base URL for workspace-layout `repos` entries —
+# those clone AS the user so their ~/.git-credentials PAT authenticates
+# against private Forgejo repos.
+FORGEJO_INFRA_REMOTE="${FORGEJO_INFRA_REMOTE:-https://forgejo.viktorbarzin.me/viktor/infra.git}"
+REPO_REMOTE_BASE="${REPO_REMOTE_BASE:-https://forgejo.viktorbarzin.me/viktor}"
 # Per-user OIDC kubeconfig (kubelogin/PKCE; cluster server+CA copied from the admin kubeconfig).
 OIDC_ISSUER="${OIDC_ISSUER:-https://authentik.viktorbarzin.me/application/o/kubernetes/}"
 ADMIN_KUBECONFIG="${ADMIN_KUBECONFIG:-/home/wizard/.kube/config}"
+# OS users (space-separated) that receive the vendored agent skills (scripts/workstation/claude-skills).
+# Allowlist: install_skills no-ops for anyone not listed. Extend here to roll out to more users.
+SKILL_USERS="${SKILL_USERS:-emo}"
 
 log() { echo "[t3-provision] $*"; }
 run() { if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] $*"; else "$@"; fi; }
 
-# Per-non-admin writable, git-crypt-LOCKED infra clone at ~/code. Keyless +
+# Per-non-admin writable, git-crypt-LOCKED infra clone at ~/<subpath>. Keyless +
 # filter=cat ⇒ code/docs are plaintext, git-crypt'd secret files stay ciphertext.
 # Writable + ungated (push != apply; applies are admin-only). NEVER touches an
-# existing ~/code (so emo's symlink survives until the gated cutover).
+# existing target (so emo's symlink survives until the gated cutover). subpath
+# is "code" (single layout) or "code/infra" (workspace layout).
 install_locked_clone() {
-  local user="$1" home
+  local user="$1" sub="$2" home dst
   home="$(getent passwd "$user" | cut -d: -f6)"
   [[ -z "$home" ]] && return 0
-  [[ -e "$home/code" || -L "$home/code" ]] && return 0
-  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] locked infra clone -> $user:$home/code"; return 0; fi
-  log "clone locked infra -> $user:~/code"
-  runuser -u "$user" -- git clone --quiet --no-checkout "$INFRA_REMOTE" "$home/code"
-  runuser -u "$user" -- git -C "$home/code" config filter.git-crypt.smudge cat
-  runuser -u "$user" -- git -C "$home/code" config filter.git-crypt.clean cat
-  runuser -u "$user" -- git -C "$home/code" config filter.git-crypt.required false
-  runuser -u "$user" -- git -C "$home/code" checkout --quiet master
+  dst="$home/$sub"
+  [[ -e "$dst" || -L "$dst" ]] && return 0
+  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] locked infra clone -> $user:$dst"; return 0; fi
+  log "clone locked infra -> $user:~/$sub"
+  runuser -u "$user" -- git clone --quiet --no-checkout "$INFRA_REMOTE" "$dst"
+  runuser -u "$user" -- git -C "$dst" config filter.git-crypt.smudge cat
+  runuser -u "$user" -- git -C "$dst" config filter.git-crypt.clean cat
+  runuser -u "$user" -- git -C "$dst" config filter.git-crypt.required false
+  runuser -u "$user" -- git -C "$dst" checkout --quiet master
+}
+
+# Keep an EXISTING non-admin clone fresh (the admin's tree is never touched): fetch
+# all remotes, then fast-forward master only when that is provably safe — on master,
+# clean tree, upstream configured. Never rebases/merges; a non-ff master (local
+# commits) is the user's to reconcile and is only WARNed about. Fetch failures
+# (offline, missing credentials) are non-fatal: freshness is best-effort.
+refresh_user_clone() {
+  local user="$1" sub="$2" home dir
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  dir="$home/$sub"
+  [[ -n "$home" && -d "$dir/.git" ]] || return 0
+  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] refresh clone -> $user:$dir"; return 0; fi
+  runuser -u "$user" -- env GIT_TERMINAL_PROMPT=0 git -C "$dir" fetch --all --prune --quiet 2>/dev/null \
+    || { log "WARN: fetch failed for $user:$sub (offline/credentials?) — skipped"; return 0; }
+  [[ "$(runuser -u "$user" -- git -C "$dir" symbolic-ref --short -q HEAD)" == master ]] || return 0
+  [[ -z "$(runuser -u "$user" -- git -C "$dir" status --porcelain)" ]] || return 0
+  runuser -u "$user" -- git -C "$dir" rev-parse --verify -q 'master@{upstream}' >/dev/null || return 0
+  runuser -u "$user" -- git -C "$dir" merge --ff-only 'master@{upstream}' >/dev/null 2>&1 \
+    || log "WARN: $user:$sub master not fast-forwardable (local commits?) — left as-is"
+}
+
+# Non-admin infra clones are documented to carry a `forgejo` remote (the
+# canonical push target) with master tracking forgejo/master — see AGENTS.md
+# "Non-admin workstation users". Clones made before that contract only have
+# the GitHub origin; wire the remote + upstream idempotently. Best-effort: an
+# offline fetch leaves the upstream as-is.
+wire_forgejo_remote() {
+  local user="$1" sub="$2" home dir
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  dir="$home/$sub"
+  [[ -n "$home" && -d "$dir/.git" ]] || return 0
+  if ! runuser -u "$user" -- git -C "$dir" remote get-url forgejo >/dev/null 2>&1; then
+    if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] add forgejo remote -> $user:$sub"; return 0; fi
+    log "add forgejo remote -> $user:~/$sub"
+    runuser -u "$user" -- git -C "$dir" remote add forgejo "$FORGEJO_INFRA_REMOTE"
+  fi
+  [[ "$DRY_RUN" == 1 ]] && return 0
+  [[ "$(runuser -u "$user" -- git -C "$dir" rev-parse --abbrev-ref -q 'master@{upstream}' 2>/dev/null)" == forgejo/master ]] && return 0
+  runuser -u "$user" -- env GIT_TERMINAL_PROMPT=0 git -C "$dir" fetch --quiet forgejo 2>/dev/null \
+    || { log "WARN: forgejo fetch failed for $user — upstream left as-is"; return 0; }
+  runuser -u "$user" -- git -C "$dir" branch --set-upstream-to=forgejo/master master >/dev/null 2>&1 \
+    && log "set $user:~/$sub master upstream -> forgejo/master" \
+    || log "WARN: could not set $user:~/$sub master upstream to forgejo/master"
+}
+
+# Workspace layout: ~/code is a plain directory of per-project clones. A user
+# still on the single layout (~/code IS the infra clone) is migrated by moving
+# the whole clone — local branches, dirty files, untracked state all survive —
+# to ~/code/infra. Running processes follow the moved inode, so live sessions
+# keep working (their cwd lands inside ~/code/infra).
+ensure_workspace_layout() {
+  local user="$1" home tmp
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  [[ -z "$home" ]] && return 0
+  if [[ -d "$home/code/.git" ]]; then
+    if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] migrate $user:~/code (single clone) -> ~/code/infra"; return 0; fi
+    log "migrate $user: ~/code (single infra clone) -> ~/code/infra"
+    tmp="$home/.code-workspace-migrate.$$"
+    mv "$home/code" "$tmp"
+    install -d -o "$user" -g "$user" -m 0755 "$home/code"
+    mv "$tmp" "$home/code/infra"
+  elif [[ ! -e "$home/code" ]]; then
+    if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] create workspace dir $user:~/code"; return 0; fi
+    install -d -o "$user" -g "$user" -m 0755 "$home/code"
+  fi
+}
+
+# Single-layout clones often accumulated nested project clones (the old layout
+# gave users nowhere else to put them — e.g. ancamilea's tripit inside ~/code).
+# After migration such a clone would sit buried at ~/code/infra/<repo>; hoist a
+# roster repo to its workspace home instead of stranding it + cloning fresh.
+# Only untracked git dirs move — content the infra repo tracks is never touched.
+hoist_nested_repo() {
+  local user="$1" repo="$2" home src dst
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  [[ -z "$home" ]] && return 0
+  src="$home/code/infra/$repo"; dst="$home/code/$repo"
+  [[ -d "$src/.git" && ! -e "$dst" ]] || return 0
+  runuser -u "$user" -- git -C "$home/code/infra" ls-files --error-unmatch "$repo" >/dev/null 2>&1 && return 0
+  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] hoist nested $repo -> $user:$dst"; return 0; fi
+  log "hoist nested $repo clone -> $user:~/code/$repo"
+  mv "$src" "$dst"
+}
+
+# Extra per-project repos for workspace-layout users, cloned from Forgejo AS
+# the user (their ~/.git-credentials PAT authenticates against private repos).
+# A failed clone (no access yet, offline) is a WARN — the reconcile must never
+# abort over a single repo; the next hourly run retries.
+install_user_repo() {
+  local user="$1" repo="$2" home dst
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  [[ -z "$home" ]] && return 0
+  dst="$home/code/$repo"
+  [[ -e "$dst" || -L "$dst" ]] && return 0
+  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] clone $REPO_REMOTE_BASE/$repo.git -> $user:$dst"; return 0; fi
+  log "clone $repo -> $user:~/code/$repo"
+  runuser -u "$user" -- env GIT_TERMINAL_PROMPT=0 git clone --quiet "$REPO_REMOTE_BASE/$repo.git" "$dst" 2>/dev/null \
+    || log "WARN: clone of $repo failed for $user (access/offline?) — skipped"
+}
+
+# Machine-wide Claude managed config: the repo file (in the admin tree, like the
+# roster) is the authoring surface; deploying it here means a plain infra commit
+# propagates claudeMd/model edits to /etc — and thus every user's NEXT session —
+# within one reconcile cycle. No manual install step.
+sync_managed_config() {
+  local src="$WORKSTATION_DIR/managed-settings.json" dst=/etc/claude-code/managed-settings.json
+  [[ -r "$src" ]] || return 0
+  python3 -c "import json,sys; json.load(open(sys.argv[1]))" "$src" 2>/dev/null \
+    || { log "WARN: $src is invalid JSON — managed-config sync skipped"; return 0; }
+  cmp -s "$src" "$dst" 2>/dev/null && return 0
+  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] managed-settings.json -> $dst"; return 0; fi
+  install -D -m 0644 "$src" "$dst"
+  log "deployed managed-settings.json -> /etc/claude-code (repo copy changed)"
+}
+
+# ~/.codex/AGENTS.md is a STATIC mirror of the managed claudeMd (codex has no
+# machine-wide managed layer). Regenerate stale mirrors so codex sessions inherit
+# claudeMd edits the same way Claude sessions do. Never clobbers a user-customized
+# file: only touches files carrying the mirror header (or creates absent ones).
+refresh_codex_mirror() {
+  local user="$1" home dst tmp
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  dst="$home/.codex/AGENTS.md"
+  [[ -n "$home" && -d "$home/.codex" ]] || return 0
+  if [[ -f "$dst" ]] && ! head -1 "$dst" | grep -q '^# Codex global instructions (devvm)'; then return 0; fi
+  tmp="$(mktemp)"
+  { printf '# Codex global instructions (devvm)\n\n_Mirrors the machine-wide Claude managed policy._\n\n---\n\n'
+    python3 -c 'import json; print(json.load(open("/etc/claude-code/managed-settings.json"))["claudeMd"])'
+  } > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 0; }
+  if cmp -s "$tmp" "$dst" 2>/dev/null; then rm -f "$tmp"; return 0; fi
+  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] codex AGENTS.md mirror -> $user"; rm -f "$tmp"; return 0; fi
+  install -o "$user" -g "$user" -m 0644 "$tmp" "$dst"; rm -f "$tmp"
+  log "refreshed codex AGENTS.md mirror -> $user"
 }
 
 # Per-user OIDC kubeconfig (kubelogin/PKCE — the `kubernetes` Authentik client is
@@ -95,18 +240,297 @@ EOF
   log "wrote OIDC kubeconfig -> $user:~/.kube/config"
 }
 
+# Idempotently set KEY=VALUE in a t3-serve env file, PRESERVING other lines — so writing
+# T3_PORT never clobbers an injected CLAUDE_CODE_OAUTH_TOKEN, and vice-versa. Mode 0600.
+env_set() {
+  local file="$1" key="$2" val="$3"
+  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] set $key -> $file"; return 0; fi
+  install -d -m 0755 "$(dirname "$file")"
+  if [[ -f "$file" ]] && grep -q "^${key}=" "$file"; then
+    grep -qx "${key}=${val}" "$file" || sed -i "s|^${key}=.*|${key}=${val}|" "$file"
+  else
+    printf '%s=%s\n' "$key" "$val" >> "$file"
+  fi
+  chmod 600 "$file"
+}
+
+env_unset() {
+  local file="$1" key="$2"
+  [[ -f "$file" ]] || return 0
+  grep -q "^${key}=" "$file" || return 0
+  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] unset $key -> $file"; return 0; fi
+  sed -i "/^${key}=.*/d" "$file"
+  chmod 600 "$file"
+  log "removed legacy shared $key -> $(basename "$file")"
+}
+
+# Install one user's isolated Claude credential renewal flow. The scoped periodic
+# Vault token is minted only when this reconcile has admin Vault access (normal
+# onboarding/deployment); routine token renewal is performed by the user service.
+install_claude_auth_sync() {
+  local user="$1" home cfg token_file token policy
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  [[ -z "$home" ]] && return 0
+  cfg="$home/.config/claude-auth-sync"
+  token_file="$cfg/vault-token"
+  policy="workstation-claude-$user"
+
+  # The service sandbox makes the rest of $HOME read-only. Pre-create every
+  # writable path before systemd enters that sandbox; ReadWritePaths cannot
+  # create a missing child beneath a read-only parent.
+  if [[ "$DRY_RUN" == 1 ]]; then
+    echo "[dry-run] ensure Claude-auth state dirs -> $user"
+  else
+    install -d -o "$user" -g "$user" -m 0700 "$cfg" "$home/.local/state/claude-auth-sync"
+  fi
+
+  if [[ ! -s "$token_file" ]]; then
+    if [[ "$DRY_RUN" == 1 ]]; then
+      echo "[dry-run] mint scoped Claude-auth Vault token -> $user"
+    elif vault token lookup >/dev/null 2>&1 && \
+      token="$(vault token create -orphan -period=768h -policy="$policy" \
+        -display-name="devvm-claude-auth-$user" -field=token 2>/dev/null)"; then
+      install -d -o "$user" -g "$user" -m 0700 "$cfg"
+      install -o "$user" -g "$user" -m 0600 /dev/stdin "$token_file" <<<"$token"
+      log "minted isolated Claude-auth Vault token -> $user"
+    else
+      log "WARN: scoped Claude-auth Vault token missing for $user (run provisioner with admin VAULT_TOKEN after vault stack apply)"
+    fi
+  fi
+  run systemctl enable --now "claude-auth-sync@$user.timer" >/dev/null 2>&1 || true
+}
+
+# Re-deploy the managed per-user Claude launcher to ~/start-claude.sh. /etc/skel only
+# seeds it at account creation (setup-devvm.sh), so without this a launcher edit never
+# reaches EXISTING users — they keep running a stale copy. Copy-if-changed from the repo's
+# skel/, owned by the user, 0755. (We deliberately do NOT re-copy .tmux.conf: terminal-lobby
+# appends a managed persistence section to each user's ~/.tmux.conf that a re-copy would clobber.)
+deploy_user_launcher() {
+  local user="$1" home src dst
+  src="$WORKSTATION_DIR/skel/start-claude.sh"
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  [[ -n "$home" && -d "$home" && -f "$src" ]] || return 0
+  dst="$home/start-claude.sh"
+  cmp -s "$src" "$dst" 2>/dev/null && return 0          # already current -> no churn
+  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] deploy launcher -> $dst"; return 0; fi
+  install -m 0755 "$src" "$dst"
+  chown "$user:$user" "$dst"
+  log "deployed start-claude.sh -> $user"
+}
+
+# Ensure the per-user NATIVE claude install (the recommended runtime: ~user/.local/bin/claude,
+# self-updating) — used by BOTH the terminal launcher AND the user's t3-serve instance. We do
+# NOT npm-install claude system-wide (npm/npx isn't the recommended runtime); each user gets
+# their own native install. Idempotent: skip if already present. Runs the official native
+# installer AS the user (into their ~/.local). Best-effort: a failure WARNs and retries next
+# reconcile (start-claude.sh also self-bootstraps the terminal path).
+install_user_claude_native() {
+  local user="$1" home
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  [[ -n "$home" && -d "$home" ]] || return 0
+  [[ -x "$home/.local/bin/claude" ]] && return 0          # already native -> done
+  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] native claude install -> $user"; return 0; fi
+  if runuser -u "$user" -- bash -lc 'curl -fsSL https://claude.ai/install.sh | bash' >/dev/null 2>&1; then
+    log "installed native claude -> $user"
+  else
+    log "WARN: native claude install failed for $user (retries next reconcile)"
+  fi
+}
+
+# Per-user playwright-mcp browser MCP — ALL tiers incl. admin (every user's Claude
+# sessions connect to their OWN isolated server; a user's concurrent sessions are
+# kept apart by the unit's --isolated). Idempotent + if-absent, so a routine
+# reconcile never disturbs a live user: (1) seed the chrome-service snapshot token
+# if the user has none; (2) wire the user-scope `playwright` MCP entry by running
+# `claude mcp add` AS the user (writes THEIR ~/.claude.json, never reads another's;
+# the CLI merges one key and REFUSES to clobber an existing one, so it's safe on a
+# populated config), guarded by `claude mcp get`; (3) `enable --now` the system
+# template instances (idempotent — does NOT restart an already-running server).
+# Needs PLAYWRIGHT_PORT already in the per-user playwright env (written by the
+# section-5c loop) + the token staged by setup-devvm.sh (section 8c).
+install_playwright() {
+  local user="$1" home port token_staged=/etc/t3-serve/chrome-service-token
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  [[ -n "$home" && -d "$home" ]] || return 0
+  port="$(grep -oE 'PLAYWRIGHT_PORT=[0-9]+' "$ENVDIR/playwright-$user.env" 2>/dev/null | cut -d= -f2 || true)"
+  [[ -n "$port" ]] || { log "WARN: no PLAYWRIGHT_PORT for $user -> skip playwright"; return 0; }
+
+  # (1) chrome-service snapshot token, if-absent (0600, owned by the user)
+  if [[ ! -f "$home/.config/playwright/token" && -r "$token_staged" ]]; then
+    if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] seed playwright token -> $user"; else
+      install -d -o "$user" -g "$user" -m 0700 "$home/.config/playwright"
+      install -o "$user" -g "$user" -m 0600 "$token_staged" "$home/.config/playwright/token"
+      log "seeded playwright snapshot token -> $user"
+    fi
+  fi
+
+  # (2) wire user-scope ~/.claude.json (AS the user, login shell so the native
+  #     ~/.local/bin/claude is on PATH; clobber-proof + if-absent via `mcp get`)
+  if [[ "$DRY_RUN" == 1 ]]; then
+    echo "[dry-run] wire playwright MCP (:$port) if-absent -> $user"
+  elif runuser -u "$user" -- bash -lc 'command -v claude >/dev/null 2>&1'; then
+    if ! runuser -u "$user" -- bash -lc 'claude mcp get playwright >/dev/null 2>&1'; then
+      runuser -u "$user" -- bash -lc "claude mcp add --scope user --transport http playwright 'http://localhost:$port/mcp' >/dev/null 2>&1" \
+        && log "wired playwright MCP (user scope, :$port) -> $user" \
+        || log "WARN: claude mcp add playwright failed for $user (retries next run)"
+    fi
+  else
+    log "WARN: claude not found for $user -> playwright MCP not wired (retries next run)"
+  fi
+
+  # (3) enable the system template instances. `enable --now` is idempotent and
+  #     does NOT restart a running unit, so a live user is undisturbed.
+  run systemctl enable --now "playwright-mcp@$user.service" >/dev/null 2>&1 || true
+  run systemctl enable --now "playwright-snapshot-refresh@$user.timer" >/dev/null 2>&1 || true
+}
+
+# Per-user homelab-memory setup — migrate off the claude-memory MCP/plugin to the
+# homelab CLI hooks (auto-recall + auto-learn + compaction backup/recovery).
+# Idempotent, if-absent, ADDITIVE: never clobbers `env` (the per-user
+# MEMORY_API_KEY) or other MCP servers; removes ONLY the `claude_memory` MCP.
+# Reuses the user's existing key — does NOT mint one (per-user isolation stays
+# deferred, design 2026-06-08). The homelab CLI (/usr/local/bin/homelab) hits the
+# same remote HTTP API the MCP used. Hook scripts: $WORKSTATION_DIR/claude-hooks.
+install_memory() {
+  local user="$1" home
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  [[ -n "$home" && -d "$home" ]] || return 0
+  local src="$WORKSTATION_DIR/claude-hooks" hooks_dst="$home/.claude/hooks" settings="$home/.claude/settings.json"
+  [[ -d "$src" ]] || { log "WARN: $src missing -> skip memory setup for $user"; return 0; }
+
+  if [[ "$DRY_RUN" == 1 ]]; then echo "[dry-run] memory: hooks + settings wire + claude_memory MCP removal -> $user"; return 0; fi
+
+  # (1) (re)install the 4 hook scripts, owned by the user (refreshed each reconcile so fixes land)
+  install -d -o "$user" -g "$user" -m 0755 "$hooks_dst"
+  local h
+  for h in homelab-memory-recall.py auto-learn.py pre-compact-backup.sh post-compact-recovery.sh; do
+    install -o "$user" -g "$user" -m 0755 "$src/$h" "$hooks_dst/$h"
+  done
+
+  # (2) wire the hooks in settings.json, if-absent + additive. Run the helper as ROOT:
+  #     it must read $src under the admin's hardened home (mode 700), which a
+  #     runuser-as-$user CANNOT traverse — so chown the result back to the user and
+  #     enforce 0600 (it holds the per-user MEMORY_API_KEY).
+  if python3 "$src/wire-memory-hooks.py" "$home" >/dev/null 2>&1; then
+    [[ -f "$settings" ]] && chown "$user:$user" "$settings" 2>/dev/null || true
+    log "memory hooks wired -> $user"
+  else
+    log "WARN: memory hook wiring failed for $user (retries next reconcile)"
+  fi
+  [[ -f "$settings" ]] && chmod 600 "$settings" || true
+
+  # (2b) reuse the user's existing key; warn (do NOT mint — needs an admin vault write) if absent.
+  if [[ -f "$settings" ]] && ! grep -q 'MEMORY_API_KEY' "$settings"; then
+    log "WARN: $user has no MEMORY_API_KEY in settings.json — homelab memory no-ops until an admin mints one"
+  fi
+
+  # (3) remove the now-superseded claude_memory MCP (AS the user, if-present) + the plugin dir.
+  if runuser -u "$user" -- bash -lc 'command -v claude >/dev/null 2>&1 && claude mcp get claude_memory >/dev/null 2>&1'; then
+    runuser -u "$user" -- bash -lc 'claude mcp remove claude_memory >/dev/null 2>&1' && log "removed claude_memory MCP -> $user" || true
+  fi
+  if [[ -d "$home/.claude/plugins/claude-memory" ]]; then
+    rm -rf "$home/.claude/plugins/claude-memory" && log "removed claude-memory plugin dir -> $user"
+  fi
+  return 0  # best-effort tail must never return non-zero, else set -euo pipefail aborts the whole reconcile
+}
+
+# Per-user agent skills, vendored from the in-repo snapshot ($WORKSTATION_DIR/claude-skills) — the
+# `npx skills` upstream drifted off this exact set, so we reproduce it offline + deterministically.
+# if-absent + ADDITIVE: copies a skill dir into ~/.agents/skills/<name> (owned by the user) and
+# symlinks ~/.claude/skills/<name> -> ../../.agents/skills/<name> (the layout `skills add -g`
+# produces; Claude Code reads ~/.claude/skills/). Scoped to SKILL_USERS. if-absent keys on the
+# user's OWN copy, so it heals a stale/cross-user ~/.claude/skills symlink but never clobbers a real
+# skill dir. Best-effort tail: must return 0 or set -euo pipefail aborts the whole reconcile.
+install_skills() {
+  local user="$1" home
+  home="$(getent passwd "$user" | cut -d: -f6)"
+  [[ -n "$home" && -d "$home" ]] || return 0
+  case " $SKILL_USERS " in *" $user "*) ;; *) return 0 ;; esac
+  local src_root="$WORKSTATION_DIR/claude-skills"
+  [[ -d "$src_root" ]] || { log "WARN: $src_root missing -> skip skills for $user"; return 0; }
+
+  if [[ "$DRY_RUN" == 1 ]]; then
+    local d names=""
+    for d in "$src_root"/*/; do [[ -d "$d" ]] && names+="$(basename "$d") "; done
+    echo "[dry-run] vendor skills if-absent -> $user: ${names}"
+    return 0
+  fi
+
+  local agents_dir="$home/.agents/skills" claude_dir="$home/.claude/skills"
+  # own the parent ~/.agents too (install -d leaves created intermediates root-owned)
+  install -d -o "$user" -g "$user" -m 0755 "$home/.agents" "$agents_dir" "$claude_dir"
+  chown "$user:$user" "$home/.agents" || true
+
+  local skill name dst link n=0
+  for skill in "$src_root"/*/; do
+    [[ -d "$skill" ]] || continue
+    name="$(basename "$skill")"
+    dst="$agents_dir/$name"
+    link="$claude_dir/$name"
+    # if-absent keys on the user's OWN copy (a real dir under ~/.agents/skills), NOT on any
+    # pre-existing ~/.claude/skills entry — so a stale or cross-user symlink gets healed.
+    if [[ ! -d "$dst" ]]; then
+      cp -a "$src_root/$name" "$dst" || { log "WARN: copy skill $name -> $user failed"; continue; }
+      chown -R "$user:$user" "$dst" || true
+      n=$((n+1))
+    fi
+    # point ~/.claude/skills/<name> at the user's own copy (replacing a stale/cross-user symlink);
+    # never clobber a real dir/file squatting that name.
+    if [[ -d "$link" && ! -L "$link" ]]; then
+      log "WARN: $claude_dir/$name is a real dir (left as-is) for $user"
+    elif [[ "$(readlink "$link" 2>/dev/null)" != "../../.agents/skills/$name" ]]; then
+      ln -sfn "../../.agents/skills/$name" "$link" && chown -h "$user:$user" "$link" || log "WARN: link skill $name -> $user failed"
+    fi
+  done
+  if [[ "$n" -gt 0 ]]; then log "vendored/healed $n skill(s) -> $user"; fi
+  return 0  # best-effort tail must never return non-zero, else set -euo pipefail aborts the reconcile
+}
+
 [[ $EUID -eq 0 ]] || { echo "t3-provision-users: must run as root" >&2; exit 1; }
 for bin in python3 jq; do command -v "$bin" >/dev/null || { echo "missing $bin" >&2; exit 1; }; done
 [[ -f "$ROSTER" && -f "$ENGINE" ]] || { echo "roster/engine not under $WORKSTATION_DIR" >&2; exit 1; }
+
+# 0) self-deploy: the repo is the authoring surface (like sync_managed_config /
+#    deploy_user_launcher below). Nothing else redeploys /usr/local/bin (only the
+#    manual setup-devvm.sh did) — so a committed edit silently never reached the
+#    hourly run until now (the homelab-memory rollout sat undeployed for a day).
+#    If the repo copy differs, install it and re-exec the fresh binary. Guarded:
+#    re-exec flag (no loop), bash -n (never deploy a broken script), DRY_RUN (no
+#    mutation), cmp (no churn when unchanged).
+SELF_SRC="$WORKSTATION_DIR/../t3-provision-users.sh"
+SELF_DST=/usr/local/bin/t3-provision-users
+if [[ -z "${T3_PROVISION_SELF_DEPLOYED:-}" && -r "$SELF_SRC" ]] && ! cmp -s "$SELF_SRC" "$SELF_DST"; then
+  if [[ "$DRY_RUN" == 1 ]]; then
+    echo "[dry-run] self-deploy $SELF_DST from repo (changed)"
+  elif bash -n "$SELF_SRC" 2>/dev/null; then
+    install -m 0755 "$SELF_SRC" "$SELF_DST"
+    log "self-deployed $SELF_DST from repo (changed) — re-exec"
+    exec env T3_PROVISION_SELF_DEPLOYED=1 "$SELF_DST" "$@"
+  else
+    log "WARN: repo t3-provision-users.sh fails 'bash -n' — keeping deployed copy"
+  fi
+fi
+
 install -d -m 0755 "$ENVDIR"
 
 # 1) current sticky ports from existing .env files -> {os_user: port}
-ports_file="$(mktemp)"; trap 'rm -f "$ports_file" "${desired_file:-}"' EXIT
+ports_file="$(mktemp)"; pw_ports_file="$(mktemp)"
+trap 'rm -f "$ports_file" "$pw_ports_file" "${desired_file:-}"' EXIT
 { echo "{}"; for f in "$ENVDIR"/*.env; do
     [[ -e "$f" ]] || continue
-    u="$(basename "$f" .env)"; p="$(grep -oE 'T3_PORT=[0-9]+' "$f" | cut -d= -f2)"
+    case "$(basename "$f")" in playwright-*) continue;; esac   # not a t3-serve env (handled below)
+    # `|| true`: grep returns non-zero on no-match, which would abort under `set -e -o pipefail`.
+    u="$(basename "$f" .env)"; p="$(grep -oE 'T3_PORT=[0-9]+' "$f" | cut -d= -f2 || true)"
     [[ -n "$p" ]] && jq -n --arg u "$u" --argjson p "$p" '{($u): $p}'
   done; } | jq -s 'add' > "$ports_file"
+# sticky PLAYWRIGHT ports from playwright-<os_user>.env (skipped by the loop above).
+# Seeds roster_engine so the live per-user assignments stick across reconciles.
+{ echo "{}"; for f in "$ENVDIR"/playwright-*.env; do
+    [[ -e "$f" ]] || continue
+    u="$(basename "$f" .env)"; u="${u#playwright-}"
+    p="$(grep -oE 'PLAYWRIGHT_PORT=[0-9]+' "$f" | cut -d= -f2 || true)"
+    [[ -n "$p" ]] && jq -n --arg u "$u" --argjson p "$p" '{($u): $p}'
+  done; } | jq -s 'add' > "$pw_ports_file"
 
 # 2) tier validation vs live k8s_users (best-effort; aborts only on a real conflict)
 if command -v vault >/dev/null; then
@@ -124,11 +548,18 @@ fi
 
 # 3) derive desired state
 desired_file="$(mktemp)"
-python3 "$ENGINE" derive --roster "$ROSTER" --ports-json "$ports_file" > "$desired_file"
+python3 "$ENGINE" derive --roster "$ROSTER" --ports-json "$ports_file" --playwright-ports-json "$pw_ports_file" > "$desired_file"
 jq -e . "$desired_file" >/dev/null || { echo "[t3-provision] derive produced invalid JSON" >&2; exit 1; }
 
+# 3b) machine-wide Claude managed config (repo -> /etc; per-user codex mirrors in the loop below)
+sync_managed_config
+
 # 4) per-account: create-if-absent + ADDITIVE tier groups (never strip) + locked clone
-while IFS=$'\t' read -r os_user tier shell groups_csv; do
+# NB: empty @tsv fields collapse under tab-IFS read (tab is IFS whitespace), so
+# the jq below emits "-" for empty groups/repos and we map it back here.
+while IFS=$'\t' read -r os_user tier shell groups_csv code_layout repos_csv; do
+  [[ "$groups_csv" == "-" ]] && groups_csv=""
+  [[ "$repos_csv" == "-" ]] && repos_csv=""
   if ! id "$os_user" >/dev/null 2>&1; then
     log "create account: $os_user (shell $shell)"
     run useradd -m -s "$shell" "$os_user"
@@ -144,21 +575,80 @@ while IFS=$'\t' read -r os_user tier shell groups_csv; do
       log "add $os_user -> group $g"; run gpasswd -a "$os_user" "$g" >/dev/null
     done
   fi
-  if [[ "$tier" != admin ]]; then            # non-admins: locked ~/code clone + OIDC kubeconfig
-    install_locked_clone "$os_user"
+  if [[ "$tier" != admin ]]; then            # non-admins: locked clone(s) (kept fresh) + kubeconfig
+    if [[ "$code_layout" == workspace ]]; then
+      ensure_workspace_layout "$os_user"
+      install_locked_clone "$os_user" code/infra
+      wire_forgejo_remote  "$os_user" code/infra   # before refresh: ff targets the canonical upstream same-pass
+      refresh_user_clone   "$os_user" code/infra
+      IFS=',' read -ra extra_repos <<< "$repos_csv"
+      for repo in "${extra_repos[@]}"; do
+        [[ -n "$repo" ]] || continue
+        hoist_nested_repo  "$os_user" "$repo"
+        install_user_repo  "$os_user" "$repo"
+        refresh_user_clone "$os_user" "code/$repo"
+      done
+    else
+      install_locked_clone "$os_user" code
+      wire_forgejo_remote  "$os_user" code         # before refresh: ff targets the canonical upstream same-pass
+      refresh_user_clone   "$os_user" code
+    fi
     install_user_kubeconfig "$os_user"
+    deploy_user_launcher "$os_user"          # keep ~/start-claude.sh current (skel only seeds new accounts)
   fi
-done < <(jq -r '.accounts[] | [.os_user, .tier, .shell, (.groups|join(","))] | @tsv' "$desired_file")
+  refresh_codex_mirror "$os_user"            # all tiers — mirror of the managed claudeMd
+  install_user_claude_native "$os_user"      # all tiers — per-user native claude (terminal + t3); no npm/npx
+  install_claude_auth_sync "$os_user"        # all tiers — own Claude identity + isolated Vault recovery
+done < <(jq -r '.accounts[] | [.os_user, .tier, .shell, (if (.groups|length)==0 then "-" else (.groups|join(",")) end), .code_layout, (if (.repos|length)==0 then "-" else (.repos|join(",")) end)] | @tsv' "$desired_file")
 
 # 5) per-user .env (sticky port) + enable t3-serve@
 while IFS=$'\t' read -r os_user port; do
   envf="$ENVDIR/$os_user.env"
-  if [[ ! -f "$envf" ]] || ! grep -qx "T3_PORT=$port" "$envf"; then
-    run bash -c "printf 'T3_PORT=%s\n' '$port' > '$envf'"
-  fi
+  env_set "$envf" T3_PORT "$port"
+  # Per-user Enterprise login is authoritative. A legacy shared setup-token has
+  # higher credential precedence and would silently defeat user isolation.
+  env_unset "$envf" CLAUDE_CODE_OAUTH_TOKEN
   id "$os_user" >/dev/null 2>&1 && run systemctl enable --now "t3-serve@$os_user.service" >/dev/null 2>&1 || true
 done < <(jq -r '.ports | to_entries[] | [.key, .value] | @tsv' "$desired_file")
 
+# 5c) per-user playwright-mcp (ALL tiers incl. admin): write the sticky
+#     PLAYWRIGHT_PORT to the per-user playwright env, then seed token + wire
+#     ~/.claude.json + enable the system template instances. if-absent /
+#     idempotent — never disturbs a live user's running server or existing config.
+while IFS=$'\t' read -r os_user pw_port; do
+  id "$os_user" >/dev/null 2>&1 || continue
+  env_set "$ENVDIR/playwright-$os_user.env" PLAYWRIGHT_PORT "$pw_port"
+  install_playwright "$os_user"
+done < <(jq -r '.playwright_ports | to_entries[] | [.key, .value] | @tsv' "$desired_file")
+
+# 5d) per-user homelab-memory (ALL users): replace the claude-memory MCP/plugin with the
+#     homelab CLI memory hooks. Idempotent + additive + if-absent; never touches the
+#     per-user MEMORY_API_KEY or other MCP servers (removes ONLY claude_memory).
+while IFS=$'\t' read -r os_user; do
+  id "$os_user" >/dev/null 2>&1 || continue
+  install_memory "$os_user"
+done < <(jq -r '.accounts[].os_user' "$desired_file")
+
+# 5e) per-user agent skills (SKILL_USERS allowlist only): vendored snapshot -> ~/.agents/skills
+#     + ~/.claude/skills symlinks. if-absent + additive; best-effort (never aborts the reconcile).
+while IFS=$'\t' read -r os_user; do
+  id "$os_user" >/dev/null 2>&1 || continue
+  install_skills "$os_user"
+done < <(jq -r '.accounts[].os_user' "$desired_file")
+
+# 5b) machine-wide (once, not per-user): keep the t3 gated nightly TRACKER timer enabled (it
+#     follows t3@nightly daily, gated; see t3-autoupdate.sh / docs/runbooks/t3-version-bump.md).
+#     NEVER --now: the tracker installs a NEW build + migrates DBs + restarts serves, so firing
+#     a missed run mid-day with users active is exactly the 2026-06-09 shape. `enable` (no --now)
+#     just arms the 04:00 schedule (the timer also dropped Persistent=true so a boot can't fire a
+#     missed bump). Fresh boxes get t3 from setup-devvm.sh's nightly install, not here.
+run systemctl enable t3-autoupdate.timer >/dev/null 2>&1 || true
+#     tmux session persistence: periodic snapshot + boot-time restore (reboot
+#     survival for users' named claude sessions). Safe to --now: save is a
+#     read-only snapshot; restore is per-session idempotent.
+run systemctl enable --now tmux-persist-save.timer >/dev/null 2>&1 || true
+run systemctl enable tmux-persist-restore.service >/dev/null 2>&1 || true
+
 # 6) regenerate /etc/ttyd-user-map + dispatch.json from the desired state (SSoT:
 #    a roster entry removed here DISAPPEARS, which is what the offboarding cut relies on)
 if [[ "$DRY_RUN" == 1 ]]; then
diff --git a/scripts/t3-safe-restart.sh b/scripts/t3-safe-restart.sh
new file mode 100644
index 00000000..63a6c455
--- /dev/null
+++ b/scripts/t3-safe-restart.sh
@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+# t3-safe-restart.sh — SOURCED library (not executed). Shared by t3-autoupdate.sh
+# (daily gated tracker) and t3-migrate-idle.sh (overnight deferral drainer).
+#
+# Holds the per-unit "dangerous" routine — backup -> restart -> verify pairing ->
+# recover (restore DB + roll global binary back to last-good + freeze) — extracted
+# verbatim from t3-autoupdate.sh step 6, plus the small helpers it depends on.
+# The only change from the inline original: safe_restart_unit RETURNS non-zero on
+# failure (after performing recovery+freeze) instead of `exit 1`, so the CALLER
+# decides what to do (the daily job exits; the idle job stops draining).
+#
+# Callers must set, before calling safe_restart_unit: $target (version being moved
+# TO, for log lines + the prebump filename) and $last_good (rollback target).
+# Set $LOG_TAG before sourcing to tag syslog ("t3-autoupdate" / "t3-migrate-idle").
+
+# ---- shared config defaults (honour the original T3_* override names) -----------
+: "${LOG_TAG:=t3-safe-restart}"
+: "${FREEZE_FILE:=${T3_FREEZE_FILE:-/etc/t3-autoupdate.freeze}}"
+: "${STATE_DIR:=${T3_STATE_DIR:-/var/lib/t3-autoupdate}}"
+: "${LAST_GOOD_FILE:=$STATE_DIR/last-good}"
+: "${DEFER_DIR:=$STATE_DIR/deferred}"
+: "${BACKUP_DIR:=${T3_BACKUP_DEST:-/var/backups/t3-state}}"
+: "${DISPATCH:=${T3_DISPATCH:-127.0.0.1:3780}}"
+: "${USER_MAP:=${T3_USER_MAP:-/etc/ttyd-user-map}}"
+: "${T3_BACKUP_TIMEOUT:=900}"
+
+LOG() { logger -t "$LOG_TAG" "$*"; echo "$LOG_TAG: $*"; }
+ver() { t3 --version 2>/dev/null | awk '{print $NF}' | sed 's/^v//'; }
+# OS users owning a ~/.t3 (RHS of each non-comment "authentik=os_user" map line).
+osusers() { awk -F= '!/^[[:space:]]*#/&&NF==2{gsub(/[[:space:]]/,"",$2);print $2}' "$USER_MAP" 2>/dev/null | sort -u; }
+# authentik username for an OS user (reverse map; first match) — for dispatch verify.
+ak_for() { awk -F= -v u="$1" '!/^[[:space:]]*#/&&NF==2{gsub(/[[:space:]]/,"",$1);gsub(/[[:space:]]/,"",$2);if($2==u){print $1;exit}}' "$USER_MAP" 2>/dev/null; }
+
+# Online consistent snapshot of ONE user's state.sqlite (run AS the owner so the
+# WAL stays owned; never stops the serve). Uses global $target for the filename.
+# Echoes the backup path on success; non-zero on failure.
+backup_user() {
+  local u="$1" src out dst ts
+  src="/home/$u/.t3/userdata/state.sqlite"; [ -f "$src" ] || return 1
+  ts="$(date +%Y%m%d-%H%M%S)"
+  out="$BACKUP_DIR/$u"; dst="$out/state-prebump-$target-$ts.sqlite"
+  install -d -o "$u" -g "$u" -m700 "$out" 2>/dev/null || mkdir -p "$out"
+  if runuser -u "$u" -- timeout "$T3_BACKUP_TIMEOUT" sqlite3 "$src" "VACUUM INTO '$dst'" 2>/dev/null && [ -s "$dst" ]; then
+    printf '%s\n' "$dst"; return 0
+  fi
+  rm -f "$dst"; return 1
+}
+
+# newest pre-bump backup for a user taken for the current $target (restore source).
+prebump_of() { ls -1t "$BACKUP_DIR/$1/state-prebump-$target-"*.sqlite 2>/dev/null | head -1; }
+
+# roll the GLOBAL binary back to last-good. In the idle path last_good==installed,
+# so this is a harmless no-op reinstall (does NOT downgrade other users).
+rollback_binary() {
+  LOG "rolling back binary $target -> $last_good"
+  if npm i -g "t3@$last_good" >/dev/null 2>&1; then LOG "rolled back to $last_good"; return 0; fi
+  LOG "ROLLBACK FAILED — could not reinstall t3@$last_good (t3 may be broken; manual fix per runbook)"; return 1
+}
+
+# verify a user's pairing through the REAL dispatch (mint -> exchange -> cookie).
+verify_pairing() {
+  local u="$1" ak out; ak="$(ak_for "$u")"; [ -n "$ak" ] || { LOG "no authentik mapping for $u — skipping dispatch verify"; return 0; }
+  out="$(curl -s -i --max-time 10 -H "X-authentik-username: $ak" -H 'Sec-Fetch-Dest: document' "http://$DISPATCH/" 2>/dev/null)"
+  printf '%s' "$out" | grep -qi '^set-cookie:[[:space:]]*t3_session='
+}
+
+# safe_restart_unit <unit> <user>: restart the unit, verify pairing; on failure
+# restore the user's DB from its pre-restart backup, roll the binary back, freeze.
+# Assumes a pre-restart backup already exists for <user> at the current $target
+# (the daily job's backup_all, or the idle job's backup_user, takes it first).
+# Returns 0 on verified success, non-zero after recovery+freeze on failure.
+safe_restart_unit() {
+  local unit="$1" u="$2" ok=0 _ bak
+  systemctl restart "$unit" || LOG "WARN: systemctl restart $unit returned non-zero"
+  for _ in $(seq 1 15); do
+    if verify_pairing "$u"; then ok=1; break; fi
+    sleep 2
+  done
+  if [ "$ok" = "1" ]; then
+    LOG "restarted $unit -> $target (pairing verified via dispatch)"; return 0
+  fi
+  LOG "HEALTH-CHECK FAILED: $u pairing broken AFTER restart onto $target — rolling back + restoring its DB"
+  rollback_binary
+  bak="$(prebump_of "$u")"
+  if [ -n "$bak" ]; then
+    systemctl stop "$unit" 2>/dev/null
+    if install -o "$u" -g "$u" -m600 "$bak" "/home/$u/.t3/userdata/state.sqlite" 2>/dev/null; then
+      rm -f "/home/$u/.t3/userdata/state.sqlite-wal" "/home/$u/.t3/userdata/state.sqlite-shm"
+      LOG "restored $u state.sqlite from $bak"
+    fi
+    systemctl start "$unit" 2>/dev/null
+  fi
+  touch "$FREEZE_FILE" 2>/dev/null
+  LOG "FROZEN ($FREEZE_FILE) after $u failed on $target; last_good stays $last_good — investigate, then remove the freeze file to resume"
+  return 1
+}
diff --git a/scripts/t3-serve@.service b/scripts/t3-serve@.service
index 9cdb4ad9..4109b36b 100644
--- a/scripts/t3-serve@.service
+++ b/scripts/t3-serve@.service
@@ -15,6 +15,17 @@ WorkingDirectory=/home/%i
 ExecStart=/usr/bin/t3 serve --host 0.0.0.0 --port ${T3_PORT} --base-dir /home/%i/.t3
 Restart=on-failure
 RestartSec=5
+# Memory containment (2026-06-10): agent children live in this cgroup; a
+# runaway agent (10.8G anon on a 23G host) swap-thrashed the whole devvm —
+# every >20s stall fires the t3 client watchdog (visible "disconnects") —
+# then global-OOMed. Cap the cgroup so a runaway OOMs early and locally,
+# and forbid swap so stalls can't smear into minutes-long freezes.
+MemoryHigh=12G
+MemoryMax=16G
+MemorySwapMax=0
+# Default OOMPolicy=stop kills the WHOLE unit (8.5min outage 2026-06-10
+# 19:56) when ANY child is OOM-killed; continue = runaway dies, server stays.
+OOMPolicy=continue
 
 [Install]
 WantedBy=multi-user.target
diff --git a/scripts/test-claude-auth-sync.sh b/scripts/test-claude-auth-sync.sh
new file mode 100755
index 00000000..10f07746
--- /dev/null
+++ b/scripts/test-claude-auth-sync.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -uo pipefail
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=workstation/claude-auth-sync.sh
+source "$DIR/workstation/claude-auth-sync.sh"
+
+pass=0 fail=0
+ok() { if "${@:2}"; then pass=$((pass+1)); else fail=$((fail+1)); echo "FAIL: $1"; fi; }
+no() { if "${@:2}"; then fail=$((fail+1)); echo "FAIL: $1"; else pass=$((pass+1)); fi; }
+eq() { if [[ "$2" == "$3" ]]; then pass=$((pass+1)); else fail=$((fail+1)); echo "FAIL: $1"; fi; }
+
+tmp="$(mktemp -d)"; trap 'rm -rf "$tmp"' EXIT
+valid='{"mcpOAuth":{"server":{"accessToken":"mcp-secret"}},"claudeAiOauth":{"accessToken":"access","refreshToken":"refresh","expiresAt":123,"scopes":["user:inference"]}}'
+printf '%s\n' "$valid" > "$tmp/credentials.json"
+
+oauth="$(cas_oauth_from_credentials "$tmp/credentials.json")"
+eq "extract OAuth object" 'access' "$(jq -r .accessToken <<<"$oauth")"
+printf '{"claudeAiOauth":{"accessToken":"access","expiresAt":123}}\n' > "$tmp/bad.json"
+no "reject missing refresh token" cas_oauth_from_credentials "$tmp/bad.json"
+
+replacement='{"accessToken":"new-access","refreshToken":"new-refresh","expiresAt":456}'
+merged="$(cas_merge_oauth "$tmp/credentials.json" "$replacement")"
+eq "replace Claude access token" new-access "$(jq -r .claudeAiOauth.accessToken <<<"$merged")"
+eq "preserve MCP OAuth" mcp-secret "$(jq -r '.mcpOAuth.server.accessToken' <<<"$merged")"
+
+export CAS_USER=emo
+ok "accept own scoped Vault token" cas_vault_identity_ok token-devvm-claude-auth-emo default,workstation-claude-emo
+no "reject another user's token" cas_vault_identity_ok token-devvm-claude-auth-anca default,workstation-claude-anca
+no "reject wrong policy" cas_vault_identity_ok token-devvm-claude-auth-emo default,workstation-claude-anca
+
+printf '\n%d passed, %d failed\n' "$pass" "$fail"
+(( fail == 0 ))
diff --git a/scripts/test-fan-control.sh b/scripts/test-fan-control.sh
index a42e24a9..65fae7c6 100644
--- a/scripts/test-fan-control.sh
+++ b/scripts/test-fan-control.sh
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
-# Unit tests for the pure functions in fan-control.sh.
-# Sources the script (main is guarded), exercises curve/decide/resolve/presence/parse.
+# Unit tests for the pure functions in fan-control.sh (the thin actuator).
+# The control math lives in Home Assistant now; the daemon only validates and
+# applies the HA-computed command, so these cover the I/O-adjacent pure helpers.
 # Run: bash infra/scripts/test-fan-control.sh
 
 set -uo pipefail
@@ -14,43 +15,31 @@ eq() {  # <description> <expected> <actual>
     fail=$((fail + 1)); printf 'FAIL: %s — expected [%s] got [%s]\n' "$1" "$2" "$3"
   fi
 }
+ok() {  # <description> <cmd...>  (passes if cmd exits 0)
+  if "${@:2}"; then pass=$((pass + 1)); else fail=$((fail + 1)); printf 'FAIL: %s — expected exit 0\n' "$1"; fi
+}
+no() {  # <description> <cmd...>  (passes if cmd exits non-zero)
+  if "${@:2}"; then fail=$((fail + 1)); printf 'FAIL: %s — expected non-zero exit\n' "$1"; else pass=$((pass + 1)); fi
+}
 
-# --- COOL curve (continuous linear: 30% @50C .. 100% @83C) ---
-eq "cool <=T_LO clamps" 30  "$(fc_curve cool 40)"
-eq "cool 50 -> 30"      30  "$(fc_curve cool 50)"
-eq "cool 55 -> 41"      41  "$(fc_curve cool 55)"
-eq "cool 60 -> 51"      51  "$(fc_curve cool 60)"
-eq "cool 64 -> 60"      60  "$(fc_curve cool 64)"
-eq "cool 70 -> 72"      72  "$(fc_curve cool 70)"
-eq "cool 75 -> 83"      83  "$(fc_curve cool 75)"
-eq "cool 83 -> 100"     100 "$(fc_curve cool 83)"
-eq "cool >=T_HI clamps" 100 "$(fc_curve cool 90)"
+# --- fc_num: sanitise the HA command read (truncate floats, fallback, clamp) ---
+eq "num valid"        55 "$(fc_num 55 0 0 100)"
+eq "num float trunc"  55 "$(fc_num 55.7 0 0 100)"
+eq "num empty->fb"     0 "$(fc_num '' 0 0 100)"
+eq "num garbage->fb"   0 "$(fc_num abc 0 0 100)"
+eq "num clamp low"     0 "$(fc_num -5 0 0 100)"
+eq "num clamp high"  100 "$(fc_num 150 0 0 100)"
 
-# --- QUIET curve (continuous linear: 20% @68C .. 100% @83C) ---
-eq "quiet <=T_LO clamps" 20  "$(fc_curve quiet 60)"
-eq "quiet 68 -> 20"      20  "$(fc_curve quiet 68)"
-eq "quiet 70 -> 31"      31  "$(fc_curve quiet 70)"
-eq "quiet 75 -> 57"      57  "$(fc_curve quiet 75)"
-eq "quiet 80 -> 84"      84  "$(fc_curve quiet 80)"
-eq "quiet 83 -> 100"     100 "$(fc_curve quiet 83)"
+# --- fc_fresh: staleness gate on the command's last_updated age ---
+ok "fresh well within"   fc_fresh 30 120
+ok "fresh at boundary"   fc_fresh 120 120
+no "stale just past"     fc_fresh 121 120
+no "stale way past"      fc_fresh 600 120
 
-# --- decide: asymmetric hysteresis (ramp up now, ease down only past the deadband) ---
-eq "decide uninit -> target" 68 "$(fc_decide cool 68 -1 3)"
-eq "decide ramp up now"      68 "$(fc_decide cool 68 25 3)"
-eq "decide equal holds"      62 "$(fc_decide cool 65 62 3)"
-eq "decide down held"        72 "$(fc_decide cool 68 72 3)"   # curve(68)=68<72 but curve(71)=75 !<72 -> hold
-eq "decide down past"        60 "$(fc_decide cool 64 72 3)"   # curve(64)=60, curve(67)=66<72 -> drop
-
-# --- fc_clamp / fc_resolve: HA mode resolution ---
+# --- fc_clamp ---
 eq "clamp over 100"   100 "$(fc_clamp 150)"
 eq "clamp under 0"      0 "$(fc_clamp -5)"
 eq "clamp passthrough" 45 "$(fc_clamp 45)"
-eq "resolve manual=slider"      42 "$(fc_resolve manual 64 42 cool -1 3)"
-eq "resolve manual clamped"    100 "$(fc_resolve manual 64 150 cool -1 3)"
-eq "resolve cool=cool curve"    51 "$(fc_resolve cool 60 0 cool -1 3)"
-eq "resolve quiet=quiet curve"  73 "$(fc_resolve quiet 78 0 cool -1 3)"
-eq "resolve auto+empty=cool"    51 "$(fc_resolve auto 60 0 cool -1 3)"
-eq "resolve auto+present=quiet" 31 "$(fc_resolve auto 70 0 quiet -1 3)"
 
 # --- fc_fan_watts: estimated fan power from RPM (cube-law, calibrated to the sweep) ---
 eq "fan_watts 0"     0  "$(fc_fan_watts 0)"
@@ -59,21 +48,14 @@ eq "fan_watts 9360"  16 "$(fc_fan_watts 9360)"
 eq "fan_watts 12720" 42 "$(fc_fan_watts 12720)"
 eq "fan_watts 16920" 99 "$(fc_fan_watts 16920)"
 
-# --- presence ---
-now=1000000
-eq "presence open -> quiet"          quiet "$(fc_presence_mode Отворена 0 $now 900 Отворена)"
-eq "presence closed recent -> quiet" quiet "$(fc_presence_mode Затворена $((now - 100)) $now 900 Отворена)"
-eq "presence closed stale -> cool"   cool  "$(fc_presence_mode Затворена $((now - 1000)) $now 900 Отворена)"
-eq "presence closed edge -> cool"    cool  "$(fc_presence_mode Затворена $((now - 900)) $now 900 Отворена)"
-
 # --- temp parsing ---
 eq "parse temp line" 74 "$(fc_parse_temp 'Temp             | 0Eh | ok  |  3.1 | 74 degrees C')"
 eq "parse temp 7C"   72 "$(fc_parse_temp 'Temp             | 0Eh | ok  |  3.1 | 72 degrees C')"
 
-# --- json field (jq-free) ---
-J='{"entity_id":"sensor.garage_door_state_bg","state":"Отворена","attributes":{"friendly_name":"Garage Door State BG"},"last_changed":"2026-06-04T16:55:20.517745+00:00","last_updated":"2026-06-04T16:55:20.517745+00:00"}'
-eq "json state"        "Отворена"                          "$(fc_json_str_field "$J" state)"
-eq "json last_changed" "2026-06-04T16:55:20.517745+00:00"  "$(fc_json_str_field "$J" last_changed)"
+# --- json field (jq-free): state + last_updated parsing for the command read ---
+J='{"entity_id":"sensor.r730_fan_command_pct","state":"57","attributes":{"unit_of_measurement":"%"},"last_changed":"2026-06-08T16:55:20.517745+00:00","last_updated":"2026-06-08T16:55:25.000000+00:00"}'
+eq "json state"        "57"                                "$(fc_json_str_field "$J" state)"
+eq "json last_updated" "2026-06-08T16:55:25.000000+00:00"  "$(fc_json_str_field "$J" last_updated)"
 
 # --- hex conversion ---
 eq "hex 20"  0x14 "$(fc_pct_to_hex 20)"
diff --git a/scripts/test_tg_lock_timeout.py b/scripts/test_tg_lock_timeout.py
new file mode 100644
index 00000000..263e5a74
--- /dev/null
+++ b/scripts/test_tg_lock_timeout.py
@@ -0,0 +1,102 @@
+#!/usr/bin/env python3
+"""Tests for scripts/tg lock-timeout injection.
+
+scripts/tg wraps terragrunt. Tier-1 stacks rely on terraform's pg-backend
+state lock; without -lock-timeout an apply fails instantly ("Error acquiring
+the state lock") whenever anything else holds the lock — a Woodpecker-killed
+run whose PG advisory lock has not been reaped yet, a concurrent local apply,
+or the daily drift `plan`. This was the single largest cause of infra CI
+failures. These tests pin that tg injects -lock-timeout for state-locking
+verbs (and still preserves -auto-approve for non-interactive applies), so a
+contended lock waits rather than fails.
+
+Hermetic: a stub `terragrunt` on PATH records the args tg forwards; PG_CONN_STR
+is pre-set so the Tier-1 Vault credential fetch is skipped (no network/Vault).
+"""
+import os
+import shutil
+import subprocess
+from pathlib import Path
+
+import pytest
+
+SCRIPTS_DIR = Path(__file__).resolve().parent
+TG = SCRIPTS_DIR / "tg"
+AUTH_CHECK = SCRIPTS_DIR / "check-ingress-auth-comments.py"
+
+
+def _run(tmp_path, *tg_args, env_extra=None):
+    """Run a copy of scripts/tg in an isolated fake repo; return forwarded args."""
+    repo = tmp_path / "repo"
+    (repo / "scripts").mkdir(parents=True)
+    shutil.copy(TG, repo / "scripts" / "tg")
+    shutil.copy(AUTH_CHECK, repo / "scripts" / "check-ingress-auth-comments.py")
+    os.chmod(repo / "scripts" / "tg", 0o755)
+    os.chmod(repo / "scripts" / "check-ingress-auth-comments.py", 0o755)
+
+    # Fake Tier-1 stack ("faketest" is NOT in TIER0_STACKS), no ingress auth lines.
+    stack = repo / "stacks" / "faketest"
+    stack.mkdir(parents=True)
+    (stack / "terragrunt.hcl").write_text("# fake\n")
+    (stack / "main.tf").write_text("# no ingress_factory auth lines here\n")
+
+    # Stub terragrunt: append every forwarded arg (one per line) to a capture file.
+    bindir = tmp_path / "bin"
+    bindir.mkdir()
+    capture = tmp_path / "tg_args.txt"
+    stub = bindir / "terragrunt"
+    stub.write_text(
+        "#!/usr/bin/env bash\n"
+        f'for a in "$@"; do echo "$a" >> "{capture}"; done\n'
+        "exit 0\n"
+    )
+    os.chmod(stub, 0o755)
+
+    env = dict(os.environ)
+    env["PATH"] = f"{bindir}:{env['PATH']}"
+    env["PG_CONN_STR"] = "postgres://stub"  # skip the Tier-1 Vault cred fetch
+    env["TF_PLUGIN_CACHE_DIR"] = str(tmp_path / "plugin-cache")
+    if env_extra:
+        env.update(env_extra)
+
+    proc = subprocess.run(
+        ["bash", str(repo / "scripts" / "tg"), *tg_args],
+        cwd=str(stack),
+        env=env,
+        capture_output=True,
+        text=True,
+    )
+    assert proc.returncode == 0, f"tg exited {proc.returncode}\nSTDERR:\n{proc.stderr}\nSTDOUT:\n{proc.stdout}"
+    return capture.read_text().splitlines() if capture.exists() else []
+
+
+def test_apply_non_interactive_has_lock_timeout_and_auto_approve(tmp_path):
+    args = _run(tmp_path, "apply", "--non-interactive")
+    assert "apply" in args
+    assert "-auto-approve" in args, "non-interactive apply must keep -auto-approve"
+    assert "-lock-timeout=5m" in args, "apply must wait for a contended state lock"
+
+
+def test_plan_has_lock_timeout_but_not_auto_approve(tmp_path):
+    args = _run(tmp_path, "plan")
+    assert "plan" in args
+    assert "-lock-timeout=5m" in args
+    assert "-auto-approve" not in args, "plan must never get -auto-approve"
+
+
+@pytest.mark.parametrize("verb", ["destroy", "refresh"])
+def test_locking_verb_gets_lock_timeout(tmp_path, verb):
+    args = _run(tmp_path, verb)
+    assert "-lock-timeout=5m" in args, f"{verb} should carry -lock-timeout"
+
+
+def test_non_locking_verb_has_no_lock_timeout(tmp_path):
+    # validate does not take a state lock — must not carry -lock-timeout.
+    args = _run(tmp_path, "validate")
+    assert "validate" in args
+    assert not any(a.startswith("-lock-timeout") for a in args)
+
+
+def test_lock_timeout_is_env_overridable(tmp_path):
+    args = _run(tmp_path, "plan", env_extra={"TG_LOCK_TIMEOUT": "2m"})
+    assert "-lock-timeout=2m" in args
diff --git a/scripts/tg b/scripts/tg
index b9e9f0da..b0574f89 100755
--- a/scripts/tg
+++ b/scripts/tg
@@ -13,6 +13,15 @@ export TF_PLUGIN_CACHE_DIR="${TF_PLUGIN_CACHE_DIR:-$HOME/.terraform.d/plugin-cac
 export TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE=1
 mkdir -p "$TF_PLUGIN_CACHE_DIR"
 
+# State-lock wait window. Tier-1 stacks lock their state via terraform's pg
+# backend (pg_advisory_lock); with no timeout an apply fails instantly
+# ("Error acquiring the state lock") the moment anything else holds the lock —
+# a Woodpecker-killed run whose lock PG hasn't reaped yet, a concurrent local
+# apply, or the daily drift `plan`. Waiting a few minutes absorbs all of those
+# (the holder finishes, or PG reaps the dead backend). This was the #1 cause of
+# infra CI failures. Override with TG_LOCK_TIMEOUT (e.g. 0 to fail fast).
+LOCK_TIMEOUT="${TG_LOCK_TIMEOUT:-5m}"
+
 # Determine stack name from cwd (relative to stacks/)
 STACK_NAME=""
 cwd="$(pwd)"
@@ -134,29 +143,30 @@ if $is_mutating && [ -n "$STACK_NAME" ] && is_tier0 "$STACK_NAME"; then
   fi
 fi
 
-# If running apply with --non-interactive, add -auto-approve for Terraform
+# Build the terragrunt invocation:
+#  - add -auto-approve right after `apply` for --non-interactive runs (CI)
+#  - add -lock-timeout for state-locking verbs (plan/apply/destroy/refresh) so
+#    a contended state lock WAITS instead of failing instantly (see
+#    LOCK_TIMEOUT above). Non-locking verbs (init/validate/output/fmt) skip it.
 args=("$@")
-has_apply=false
 has_non_interactive=false
 for arg in "${args[@]}"; do
   case "$arg" in
-    apply) has_apply=true ;;
     --non-interactive) has_non_interactive=true ;;
   esac
 done
 
-if $has_apply && $has_non_interactive; then
-  new_args=()
-  for arg in "${args[@]}"; do
-    new_args+=("$arg")
-    if [ "$arg" = "apply" ]; then
-      new_args+=("-auto-approve")
-    fi
-  done
-  terragrunt "${new_args[@]}"
-else
-  terragrunt "$@"
+tg_args=()
+for arg in "${args[@]}"; do
+  tg_args+=("$arg")
+  if [ "$arg" = "apply" ] && $has_non_interactive; then
+    tg_args+=("-auto-approve")
+  fi
+done
+if $is_tf_op; then
+  tg_args+=("-lock-timeout=$LOCK_TIMEOUT")
 fi
+terragrunt "${tg_args[@]}"
 
 # After mutating operations: encrypt+commit (Tier 0) or no-op (Tier 1 — PG is authoritative)
 if $is_mutating && [ -n "$STACK_NAME" ] && is_tier0 "$STACK_NAME"; then
diff --git a/scripts/tmux-persist-restore.service b/scripts/tmux-persist-restore.service
new file mode 100644
index 00000000..62c61d20
--- /dev/null
+++ b/scripts/tmux-persist-restore.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Restore workstation tmux sessions (resume saved claude conversations) after boot
+After=network.target local-fs.target
+# Before the save timer's first run (OnBootSec=10min) so an empty post-boot
+# state can never be snapshotted over the manifest being restored from.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/tmux-persist restore
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/tmux-persist-save.service b/scripts/tmux-persist-save.service
new file mode 100644
index 00000000..deecf541
--- /dev/null
+++ b/scripts/tmux-persist-save.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Snapshot workstation tmux sessions (name -> claude conversation) for reboot survival
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/tmux-persist save
diff --git a/scripts/tmux-persist-save.timer b/scripts/tmux-persist-save.timer
new file mode 100644
index 00000000..b230aee2
--- /dev/null
+++ b/scripts/tmux-persist-save.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Periodic workstation tmux session snapshot
+
+[Timer]
+OnBootSec=10min
+OnCalendar=*:0/5
+Persistent=false
+
+[Install]
+WantedBy=timers.target
diff --git a/scripts/tmux-persist.sh b/scripts/tmux-persist.sh
new file mode 100644
index 00000000..5afac3a4
--- /dev/null
+++ b/scripts/tmux-persist.sh
@@ -0,0 +1,135 @@
+#!/usr/bin/env bash
+# Persist WEB-TERMINAL (ttyd/tmux) sessions across devvm reboots.
+#
+# Scope: the tmux-based web terminal only. The t3 chat surface persists its
+# own threads (~/.t3 state.sqlite, backed up daily by t3-backup-state) — this
+# script is about the tmux sessions, which are otherwise memory-only. Users
+# come from /etc/ttyd-user-map (the terminal surface's roster-derived map).
+#
+#   save    — snapshot every roster user's live tmux sessions to
+#             /var/lib/tmux-persist/<user>.tsv (name, cwd, claude session
+#             uuid). The uuid is sniffed from the claude process's OPEN
+#             transcript fd (~/.claude/projects/<slug>/<uuid>.jsonl), so it is
+#             correct regardless of how the session was launched (fresh via
+#             start-claude.sh or an explicit --resume). Runs every 5 min via
+#             tmux-persist-save.timer. A snapshot that captures no live sessions
+#             (no server, OR a stale socket left behind by an OOM-killed server)
+#             keeps the user's last manifest, so it can't be wiped before restore.
+#   restore — recreate manifest sessions that don't currently exist, resuming
+#             each saved conversation (claude --resume <uuid>). Per-session
+#             idempotent: existing names are left alone, so it is safe both at
+#             boot (tmux-persist-restore.service) and after a partial loss.
+#
+# v1 limitation: one window/pane per session is captured (the workstation
+# usage pattern — one named claude conversation per tmux session).
+set -euo pipefail
+
+STATE_DIR=/var/lib/tmux-persist
+MAP=/etc/ttyd-user-map
+MODE="${1:-}"
+
+log() { echo "[tmux-persist] $*"; }
+
+users() { [[ -r "$MAP" ]] && cut -d= -f2 "$MAP" | sort -u; }
+
+tmux_as() { local u="$1"; shift; runuser -u "$u" -- tmux "$@"; }
+
+# First descendant of $1 whose comm is `claude` (BFS, bounded by process tree).
+claude_pid_under() {
+  local q=("$1") pid kids
+  while ((${#q[@]})); do
+    pid="${q[0]}"; q=("${q[@]:1}")
+    [[ "$(ps -o comm= -p "$pid" 2>/dev/null)" == claude ]] && { echo "$pid"; return 0; }
+    read -ra kids <<<"$(pgrep -P "$pid" 2>/dev/null | tr '\n' ' ')" || true
+    ((${#kids[@]})) && q+=("${kids[@]}")
+  done
+  return 1
+}
+
+# Conversation uuid of a claude process ($1 pid, $2 user, $3 cwd). Two sources
+# (claude does NOT hold its transcript fd open, so fd-sniffing doesn't work):
+#  1. argv `--resume <uuid>` — covers every session this script's restore (or a
+#     manual recovery) created, making the save/restore loop self-sustaining;
+#  2. newest <uuid>.jsonl in the user's cwd-slug project dir created at/after
+#     the process start — covers fresh launcher-started sessions.
+# Always returns 0; empty output means "no conversation" (restored as a shell).
+uuid_of_claude() {
+  local uuid slug dir start f
+  uuid="$(tr '\0' '\n' < "/proc/$1/cmdline" 2>/dev/null \
+          | grep -A1 -x -- '--resume' | tail -1 \
+          | grep -oE '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' || true)"
+  [[ -n "$uuid" ]] && { echo "$uuid"; return 0; }
+  slug="${3//\//-}"; slug="${slug//./-}"
+  dir="$(getent passwd "$2" | cut -d: -f6)/.claude/projects/$slug"
+  [[ -d "$dir" ]] || return 0
+  start=$(( $(date +%s) - $(ps -o etimes= -p "$1" 2>/dev/null | tr -d ' ' || echo 0) - 5 ))
+  f="$(find "$dir" -maxdepth 1 -name '*.jsonl' -newermt "@$start" -printf '%T@ %f\n' 2>/dev/null \
+       | sort -rn | head -1 | awk '{print $2}' || true)"
+  [[ -n "$f" ]] && echo "${f%.jsonl}"
+  return 0
+}
+
+save() {
+  install -d -m 0755 "$STATE_DIR"
+  local u uid sess pane_pid pane_cwd cpid uuid tmp n
+  for u in $(users); do
+    uid="$(id -u "$u" 2>/dev/null)" || continue
+    [[ -S "/tmp/tmux-$uid/default" ]] || continue   # no socket at all -> keep last manifest
+    tmp="$(mktemp)"
+    while IFS=$'\t' read -r sess pane_pid pane_cwd; do
+      [[ -n "$sess" ]] || continue
+      uuid=""
+      if cpid="$(claude_pid_under "$pane_pid")"; then uuid="$(uuid_of_claude "$cpid" "$u" "$pane_cwd")"; fi
+      printf '%s\t%s\t%s\n' "$sess" "$pane_cwd" "$uuid" >> "$tmp"
+    done < <(tmux_as "$u" list-panes -a -F $'#{session_name}\t#{pane_pid}\t#{pane_current_path}' 2>/dev/null \
+             | sort -u -t$'\t' -k1,1)
+    # Only overwrite the manifest when we captured >=1 live session. A socket
+    # file can outlive its server (an OOM-killed tmux server leaves
+    # /tmp/tmux-<uid>/default behind); list-panes then yields nothing, and
+    # installing that empty result would clobber a good manifest right before
+    # restore needs it. Empty capture -> keep the last good manifest.
+    n=$(wc -l < "$tmp")
+    if (( n > 0 )); then
+      install -m 0600 "$tmp" "$STATE_DIR/$u.tsv"
+      log "saved $n session(s) for $u"
+    else
+      log "no live sessions for $u (stale socket or dead server) — keeping last manifest"
+    fi
+    rm -f "$tmp"
+  done
+}
+
+restore() {
+  local only="${1:-}" u f sess cwd uuid cmd
+  # Optional single-user restore: `tmux-persist restore <user>` limits the
+  # action to one terminal user (the web-UI restore button calls this via the
+  # tmux-restore-user wrapper). No arg => restore every user (the boot service).
+  if [[ -n "$only" ]] && ! users | grep -qxF "$only"; then
+    echo "[tmux-persist] restore: '$only' is not a known terminal user" >&2
+    return 2
+  fi
+  for u in $(users); do
+    [[ -z "$only" || "$u" == "$only" ]] || continue
+    f="$STATE_DIR/$u.tsv"
+    [[ -s "$f" ]] || continue
+    while IFS=$'\t' read -r sess cwd uuid; do
+      [[ -n "$sess" ]] || continue
+      tmux_as "$u" has-session -t "=$sess" 2>/dev/null && continue   # already live
+      [[ -d "$cwd" ]] || cwd="$(getent passwd "$u" | cut -d: -f6)"
+      if [[ -n "$uuid" ]]; then
+        cmd="claude --dangerously-skip-permissions --resume $uuid --name \"$sess\"; echo; echo '  claude exited — shell preserved'; exec bash -l"
+      else
+        cmd="exec bash -l"
+      fi
+      tmux_as "$u" new-session -d -s "$sess" -c "$cwd" "$cmd" \
+        && log "restored $u:$sess${uuid:+ (resume ${uuid:0:8})}" \
+        || log "WARN: failed to restore $u:$sess"
+    done < "$f"
+  done
+}
+
+case "$MODE" in
+  save) save ;;
+  restore) restore "${2:-}" ;;
+  *) echo "usage: tmux-persist save | restore [user]" >&2; exit 1 ;;
+esac
diff --git a/scripts/update_k8s.sh b/scripts/update_k8s.sh
index 6e01d654..19abe7ef 100755
--- a/scripts/update_k8s.sh
+++ b/scripts/update_k8s.sh
@@ -82,7 +82,10 @@ sudo apt-get install -y "kubeadm=$RELEASE-*"
 
 if [[ "$ROLE" == "master" ]]; then
     echo "==> Master path: kubeadm upgrade plan + apply"
-    sudo kubeadm upgrade plan
+    # `plan` runs the same CoreDNS preflight as `apply`, so once master's kubeadm
+    # is on the new version it fails here too (under set -e) — ignore the same
+    # two CoreDNS checks. See the apply block below for the full rationale.
+    sudo kubeadm upgrade plan --ignore-preflight-errors=CoreDNSMigration,CoreDNSUnsupportedPlugins
     # The first apply may fail with "static Pod hash for component <X> did
     # not change after 5m0s" — kubeadm's 5min wait for the kubelet to reload
     # a static pod is too tight on our cluster (apiserver-to-kubelet status
@@ -98,7 +101,20 @@ if [[ "$ROLE" == "master" ]]; then
     # right version (which is the only case where this timeout fires).
     attempt=1
     extra_flags=""
-    while ! sudo kubeadm upgrade apply "v$RELEASE" -y $extra_flags; do
+    # CoreDNS is managed OUTSIDE kubeadm on this cluster: the Corefile is a
+    # custom split-horizon config owned by the technitium stack, and the image
+    # is intentionally tracked separately. kubeadm's bundled corefile-migration
+    # library rejects CoreDNS versions it doesn't know (e.g. 1.12.4 -> "start
+    # version not supported"), which HARD-FAILS `upgrade apply` at preflight.
+    # Forcing past preflight with --ignore alone is NOT enough — kubeadm would
+    # then overwrite our custom Corefile with its default AND downgrade the
+    # image (verified via `kubeadm upgrade apply --dry-run`, 2026-06-17). So we
+    # also skip the coredns addon phase entirely: kubeadm leaves CoreDNS 100%
+    # untouched and only upgrades the control-plane components. (Root fix: keep
+    # CoreDNS off Keel — keel.sh/policy=never — so it stops drifting ahead of
+    # kubeadm's migration table.)
+    coredns_flags="--ignore-preflight-errors=CoreDNSMigration,CoreDNSUnsupportedPlugins --skip-phases=addon/coredns"
+    while ! sudo kubeadm upgrade apply "v$RELEASE" -y $coredns_flags $extra_flags; do
         if (( attempt >= 3 )); then
             echo "ERROR: kubeadm upgrade apply failed after 3 attempts" >&2
             exit 1
diff --git a/scripts/upgrade_state.sh b/scripts/upgrade_state.sh
index 2e6e7faa..e5722f8b 100755
--- a/scripts/upgrade_state.sh
+++ b/scripts/upgrade_state.sh
@@ -10,7 +10,7 @@
 #              keel.sh/policy. Metrics on container :9300/metrics.
 #   2. OS    — unattended-upgrades patches in-release per node; kured
 #              reboots within a daily 02:00-06:00 London window.
-#   3. K8s   — k8s-version-check CronJob (Sun 12:00 UTC) detects new
+#   3. K8s   — k8s-version-check CronJob (23:00 UTC nightly) detects new
 #              kubeadm patch/minor releases; Job-chain drains+upgrades
 #              node-by-node. Pushgateway holds k8s_upgrade_* gauges.
 #
@@ -443,7 +443,18 @@ collect_k8s() {
         fi
     fi
 
-    K8S_NEXT="$(next_daily_noon_utc)"
+    K8S_NEXT="$(next_scheduled_run_utc)"
+
+    # Failed chain-Job detection. A preflight/phase Job can abort BEFORE pushing
+    # k8s_upgrade_in_flight=1 (the preflight gates exit pre-metric), so in-flight
+    # / stalled stay clean while the pipeline is actually wedged: the
+    # deterministic-name + 7d-TTL Job blocks re-spawn. Surface it directly.
+    # (2026-06-17: a transient critical alert wedged the 1.34.9 preflight for 5
+    # days, invisible to every metric-based check.)
+    local failed_jobs
+    failed_jobs=$($KUBECTL -n k8s-upgrade get jobs \
+        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.conditions[?(@.type=="Failed")].status}{"\n"}{end}' 2>/dev/null \
+        | awk -F'\t' '$2=="True" && $1 ~ /^k8s-upgrade-/{print $1}' | paste -sd' ' - || true)
 
     # Status logic.
     local stalled=0
@@ -463,6 +474,10 @@ collect_k8s() {
         K8S_STATUS_ICON="✗"; K8S_STATUS_TEXT="detection stale"
         K8S_NOTES="last detection >9d ago"
         raise_exit 2
+    elif [[ -n "$failed_jobs" ]]; then
+        K8S_STATUS_ICON="✗"; K8S_STATUS_TEXT="chain failed"
+        K8S_NOTES="failed upgrade Job(s): $failed_jobs — pipeline wedged. Inspect: kubectl -n k8s-upgrade describe job <name> (the retry-on-failure guard re-spawns on the next detection cycle)"
+        raise_exit 2
     elif [[ "${in_flight:-0}" == "1" ]]; then
         K8S_STATUS_ICON="…"; K8S_STATUS_TEXT="in-flight"
         K8S_NOTES="upgrade chain running"
@@ -481,15 +496,15 @@ collect_k8s() {
     fi
 }
 
-# Next daily 12:00 UTC — pure bash date math, no croniter. Schedule was
-# weekly Sunday until 2026-05-18; now `0 12 * * *` in the
-# k8s-version-upgrade stack. If we're still before today's 12:00 UTC,
-# the next run is today; otherwise it's tomorrow.
-next_daily_noon_utc() {
+# Next daily 23:00 UTC — pure bash date math, no croniter. Schedule is
+# `0 23 * * *` in the k8s-version-upgrade stack (overnight; moved from 12:00 UTC
+# on 2026-06-17). If we're still before today's 23:00 UTC the next run is today;
+# otherwise tomorrow.
+next_scheduled_run_utc() {
     local hr days_ahead
     hr=$(date -u +%H)
-    if [[ "$hr" -lt 12 ]]; then days_ahead=0; else days_ahead=1; fi
-    date -u -d "+$days_ahead days" +"%a %Y-%m-%d 12:00 UTC"
+    if [[ "$hr" -lt 23 ]]; then days_ahead=0; else days_ahead=1; fi
+    date -u -d "+$days_ahead days" +"%a %Y-%m-%d 23:00 UTC"
 }
 
 # --- Renderers ---
diff --git a/scripts/vzdump-vms.service b/scripts/vzdump-vms.service
new file mode 100644
index 00000000..32ac8f96
--- /dev/null
+++ b/scripts/vzdump-vms.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=vzdump image backup of hand-managed VMs (devvm, …) to /mnt/backup
+Documentation=https://forgejo.viktorbarzin.me/viktor/infra/src/branch/main/docs/architecture/backup-dr.md
+After=network-online.target
+Wants=network-online.target
+RequiresMountsFor=/mnt/backup
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/vzdump-vms
+# Be gentle on the contended PVE IO domain (sdc) — backup must never starve etcd.
+Nice=10
+IOSchedulingClass=idle
+# Reading a ~77 GB disk + zstd can run long under IO contention; well above
+# normal (~15-30 min) but bounded so a hung run can't wedge the timer forever.
+TimeoutStartSec=4h
diff --git a/scripts/vzdump-vms.sh b/scripts/vzdump-vms.sh
new file mode 100644
index 00000000..8954d0e5
--- /dev/null
+++ b/scripts/vzdump-vms.sh
@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+# vzdump-vms — image-level backup of hand-managed Proxmox VMs (NOT in Terraform).
+# Deploy to PVE host at /usr/local/bin/vzdump-vms (strip the .sh).
+# Schedule: Daily 01:00 via systemd timer.
+#
+# WHY: the hand-managed Linux VMs (devvm, …) have NO image backup. nfs-mirror /
+# daily-backup / offsite-sync cover cluster PVCs, NFS, pfSense and PVE config —
+# but never the VM disks themselves. A lost devvm disk = unrecoverable home dirs
+# + local-only git repos (the monorepo root has no remote). This takes a live
+# `vzdump --mode snapshot` of each configured VMID to /mnt/backup/vzdump (sda =
+# Copy 2). The monthly offsite-sync full pass (days 1-7) mirrors /mnt/backup —
+# including this dir — to Synology with --delete (Copy 3), bounded to local
+# retention. We deliberately do NOT append to the incremental manifest: it never
+# deletes, so daily multi-GB images would accumulate unbounded on Synology.
+#
+# RESTORE: pick a dump under /mnt/backup/vzdump, then on the PVE host:
+#   qmrestore /mnt/backup/vzdump/vzdump-qemu-<vmid>-<ts>.vma.zst <new-or-same-vmid>
+# (restore to a fresh VMID first if the original still exists, then swap), or use
+# the PVE UI (Datacenter → Storage → upload dir → Restore). See backup-dr.md.
+set -euo pipefail
+
+# systemd oneshot units get a minimal PATH (/usr/bin:/bin) — qm and vzdump live
+# in /usr/sbin, so set an explicit PATH or the script silently can't find them.
+export PATH="/usr/sbin:/usr/bin:/sbin:/bin:${PATH:-}"
+
+# --- Configuration ---
+VMIDS="${VZDUMP_VMIDS:-102}"                       # space-separated. 102 = devvm. Add VMIDs here.
+DUMPDIR="${VZDUMP_DUMPDIR:-/mnt/backup/vzdump}"
+KEEP="${VZDUMP_KEEP:-3}"                           # retain N newest dumps per VMID on sda
+COMPRESS="${VZDUMP_COMPRESS:-zstd}"
+BACKUP_ROOT="/mnt/backup"
+PUSHGATEWAY="${VZDUMP_PUSHGATEWAY:-http://10.0.20.100:30091}"
+PUSHGATEWAY_JOB="vzdump-backup"
+LOCKFILE="/run/vzdump-vms.lock"
+
+# --- Logging ---
+log()  { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*"; }
+warn() { log "WARN: $*" >&2; }
+
+# --- Metrics (always returns 0 so it never trips set -e) ---
+push_metrics() {
+    local status="${1:-0}" bytes="${2:-0}" now
+    now=$(date +%s)
+    {
+        echo "vzdump_last_run_timestamp ${now}"
+        echo "vzdump_last_status ${status}"
+        echo "vzdump_last_bytes ${bytes}"
+        [ "${status}" -eq 0 ] && echo "vzdump_last_success_timestamp ${now}"
+    } | curl -s --connect-timeout 5 --max-time 10 --data-binary @- \
+        "${PUSHGATEWAY}/metrics/job/${PUSHGATEWAY_JOB}" 2>/dev/null || true
+    return 0
+}
+
+# --- Locking (push a non-success metric if systemd kills us mid-run) ---
+KILLED=""
+cleanup() {
+    rm -f "${LOCKFILE}"
+    # NB: must be `if…fi`, NOT `[ … ] && …` — a bash EXIT trap whose LAST command
+    # returns non-zero overrides the script's `exit 0`, so the `&&` short-circuit
+    # (when KILLED is empty) would falsely mark a successful backup as failed.
+    if [ -n "${KILLED}" ]; then push_metrics 2 0; fi
+}
+trap cleanup EXIT
+trap 'KILLED=1; exit 143' TERM INT
+
+if ! ( set -o noclobber; echo $$ > "${LOCKFILE}" ) 2>/dev/null; then
+    warn "Another instance running (PID $(cat "${LOCKFILE}" 2>/dev/null || echo unknown)) — exiting"
+    exit 0
+fi
+
+# --- Preconditions ---
+if ! mountpoint -q "${BACKUP_ROOT}"; then
+    warn "${BACKUP_ROOT} not mounted — aborting"; push_metrics 1 0; exit 1
+fi
+mkdir -p "${DUMPDIR}"
+
+# --- Main ---
+log "=== vzdump-vms starting (VMIDs: ${VMIDS}, keep ${KEEP}) ==="
+STATUS=0
+TOTAL_BYTES=0
+
+for vmid in ${VMIDS}; do
+    if ! qm status "${vmid}" >/dev/null 2>&1; then
+        warn "VMID ${vmid} not found on this node — skipping"
+        STATUS=1
+        continue
+    fi
+
+    log "--- vzdump ${vmid} ($(qm config "${vmid}" 2>/dev/null | sed -n 's/^name: //p')) ---"
+    if vzdump "${vmid}" \
+        --dumpdir "${DUMPDIR}" \
+        --mode snapshot \
+        --compress "${COMPRESS}" \
+        --ionice 7 \
+        --quiet 1; then
+        newest=$(ls -t "${DUMPDIR}"/vzdump-qemu-"${vmid}"-*.vma.* 2>/dev/null | grep -v '\.notes$' | head -1 || true)
+        if [ -n "${newest}" ]; then
+            sz=$(stat -c%s "${newest}" 2>/dev/null || echo 0)
+            TOTAL_BYTES=$((TOTAL_BYTES + sz))
+            log "  OK: $(basename "${newest}") ($(numfmt --to=iec "${sz}" 2>/dev/null || echo "${sz}B"))"
+        fi
+    else
+        warn "vzdump ${vmid} failed (rc=$?)"
+        STATUS=1
+    fi
+
+    # Retention: keep newest ${KEEP} per VMID (archive + its .log + .notes siblings).
+    mapfile -t archives < <(ls -t "${DUMPDIR}"/vzdump-qemu-"${vmid}"-*.vma.* 2>/dev/null | grep -v '\.notes$' || true)
+    if [ "${#archives[@]}" -gt "${KEEP}" ]; then
+        for old in "${archives[@]:${KEEP}}"; do
+            prefix="${old%.vma.*}"   # …/vzdump-qemu-<vmid>-<YYYY_MM_DD>-<HH_MM_SS>
+            log "  prune: $(basename "${prefix}")"
+            rm -f "${prefix}".vma.* "${prefix}".log 2>/dev/null || true
+        done
+    fi
+done
+
+log "=== vzdump-vms complete (status=${STATUS}, $(numfmt --to=iec "${TOTAL_BYTES}" 2>/dev/null || echo "${TOTAL_BYTES}B")) ==="
+push_metrics "${STATUS}" "${TOTAL_BYTES}"
+exit "${STATUS}"
diff --git a/scripts/vzdump-vms.timer b/scripts/vzdump-vms.timer
new file mode 100644
index 00000000..5cfefd92
--- /dev/null
+++ b/scripts/vzdump-vms.timer
@@ -0,0 +1,14 @@
+[Unit]
+Description=Daily vzdump image backup of hand-managed VMs (devvm, …)
+Documentation=https://forgejo.viktorbarzin.me/viktor/infra/src/branch/main/docs/architecture/backup-dr.md
+
+[Timer]
+# 01:00 — ahead of nfs-mirror (02:00), lvm-pvc-snapshot (03:00), daily-backup
+# (05:00) and offsite-sync (06:00), so the fresh image is on sda before the
+# monthly full offsite pass mirrors /mnt/backup to Synology.
+OnCalendar=*-*-* 01:00:00
+RandomizedDelaySec=10min
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/scripts/workstation/claude-auth-sync.sh b/scripts/workstation/claude-auth-sync.sh
new file mode 100755
index 00000000..dc3d780d
--- /dev/null
+++ b/scripts/workstation/claude-auth-sync.sh
@@ -0,0 +1,153 @@
+#!/usr/bin/env bash
+# Keep one Workstation user's Claude subscription OAuth credentials recoverable.
+# Claude owns access/refresh-token rotation in ~/.claude/.credentials.json. This
+# helper validates auth with real inference, stores only the claudeAiOauth object
+# in the user's isolated Vault path, and attempts one restore on failure.
+set -euo pipefail
+
+CAS_USER="${CLAUDE_AUTH_USER:-$(id -un)}"
+CAS_HOME="${HOME:?HOME must be set}"
+CAS_CREDENTIALS="${CLAUDE_CREDENTIALS_FILE:-$CAS_HOME/.claude/.credentials.json}"
+CAS_CONFIG_DIR="${CLAUDE_AUTH_CONFIG_DIR:-$CAS_HOME/.config/claude-auth-sync}"
+CAS_VAULT_TOKEN_FILE="${CLAUDE_AUTH_VAULT_TOKEN_FILE:-$CAS_CONFIG_DIR/vault-token}"
+CAS_VAULT_PATH="${CLAUDE_AUTH_VAULT_PATH:-secret/workstation/claude-users/$CAS_USER}"
+CAS_STATE_DIR="${CLAUDE_AUTH_STATE_DIR:-$CAS_HOME/.local/state/claude-auth-sync}"
+CAS_LOG="$CAS_STATE_DIR/sync.log"
+
+cas_log() {
+  mkdir -p "$CAS_STATE_DIR"
+  printf '%s %s\n' "$(date -Is)" "$*" >> "$CAS_LOG"
+  logger -t claude-auth-sync -- "user=$CAS_USER $*" 2>/dev/null || true
+}
+
+# Print the Claude OAuth object, or fail without exposing any token material.
+cas_oauth_from_credentials() {
+  jq -ce '.claudeAiOauth
+    | select((.accessToken | type) == "string" and (.accessToken | length) > 0)
+    | select((.refreshToken | type) == "string" and (.refreshToken | length) > 0)
+    | select((.expiresAt | type) == "number")' "$1"
+}
+
+# Merge a recovered OAuth object while preserving unrelated credentials (MCP OAuth).
+cas_merge_oauth() {
+  local credentials="$1" oauth="$2"
+  jq -ce --argjson oauth "$oauth" '.claudeAiOauth = $oauth' "$credentials"
+}
+
+cas_vault_identity_ok() {
+  local display_name="$1" policies_csv="$2"
+  [[ "$display_name" == "token-devvm-claude-auth-$CAS_USER" ]] || return 1
+  printf ',%s,' "$policies_csv" | grep -q ",workstation-claude-$CAS_USER,"
+}
+
+cas_prepare_vault() {
+  [[ -s "$CAS_VAULT_TOKEN_FILE" ]] || {
+    cas_log "FAIL missing scoped Vault token; admin must run workstation provisioning"
+    return 1
+  }
+  export VAULT_ADDR="${VAULT_ADDR:-https://vault.viktorbarzin.me}"
+  VAULT_TOKEN="$(<"$CAS_VAULT_TOKEN_FILE")"; export VAULT_TOKEN
+
+  local info display_name policies
+  info="$(vault token lookup -format=json 2>/dev/null)" || {
+    cas_log "FAIL scoped Vault token lookup failed"
+    return 1
+  }
+  display_name="$(jq -r '.data.display_name // ""' <<<"$info")"
+  policies="$(jq -r '((.data.policies // []) + (.data.identity_policies // [])) | join(",")' <<<"$info")"
+  cas_vault_identity_ok "$display_name" "$policies" || {
+    cas_log "FAIL scoped Vault token drift detected; refusing foreign token"
+    return 1
+  }
+  vault token renew -format=json >/dev/null 2>&1 || {
+    cas_log "FAIL scoped Vault token renewal failed"
+    return 1
+  }
+}
+
+# auth status is not authoritative: it reported loggedIn=true during a real 401
+# on 2026-06-20. A tiny, non-persistent inference is the feedback loop.
+cas_live_auth_ok() {
+  local out
+  out="$(timeout 60 claude -p 'Reply with exactly AUTH_OK and nothing else.' \
+    --model haiku --max-turns 1 --no-session-persistence --tools "" \
+    --disable-slash-commands --setting-sources "" 2>/dev/null)" || return 1
+  [[ "$out" == "AUTH_OK" ]]
+}
+
+cas_backup() {
+  local oauth expires
+  oauth="$(cas_oauth_from_credentials "$CAS_CREDENTIALS")" || {
+    cas_log "FAIL local Claude OAuth credential is absent or malformed"
+    return 1
+  }
+  expires="$(jq -r '.expiresAt' <<<"$oauth")"
+  vault kv put "$CAS_VAULT_PATH" \
+    claude_ai_oauth_json="$oauth" \
+    credential_expires_at_ms="$expires" \
+    backed_up_at="$(date -Is)" >/dev/null || {
+      cas_log "FAIL Vault credential backup failed"
+      return 1
+    }
+  cas_log "OK Claude auth valid; refreshed OAuth state backed up to Vault"
+}
+
+cas_restore() {
+  local oauth base tmp
+  oauth="$(vault kv get -field=claude_ai_oauth_json "$CAS_VAULT_PATH" 2>/dev/null)" || {
+    cas_log "FAIL no recoverable Claude OAuth credential in Vault"
+    return 1
+  }
+  jq -e 'select((.accessToken | type) == "string" and (.accessToken | length) > 0)
+    | select((.refreshToken | type) == "string" and (.refreshToken | length) > 0)
+    | select((.expiresAt | type) == "number")' <<<"$oauth" >/dev/null || {
+      cas_log "FAIL Vault Claude OAuth credential is malformed"
+      return 1
+    }
+
+  mkdir -p "$(dirname "$CAS_CREDENTIALS")"
+  if jq -e 'type == "object"' "$CAS_CREDENTIALS" >/dev/null 2>&1; then
+    base="$CAS_CREDENTIALS"
+  else
+    base="$(mktemp)"; printf '{}\n' > "$base"
+  fi
+  tmp="$(mktemp "${CAS_CREDENTIALS}.XXXXXX")"
+  if ! cas_merge_oauth "$base" "$oauth" > "$tmp"; then
+    rm -f "$tmp"; [[ "$base" == "$CAS_CREDENTIALS" ]] || rm -f "$base"
+    cas_log "FAIL could not merge Vault Claude OAuth credential"
+    return 1
+  fi
+  chmod 0600 "$tmp"
+  mv "$tmp" "$CAS_CREDENTIALS"
+  [[ "$base" == "$CAS_CREDENTIALS" ]] || rm -f "$base"
+  cas_log "RECOVERED restored Claude OAuth state from Vault"
+}
+
+cas_main() {
+  umask 077
+  for bin in jq vault claude timeout flock; do
+    command -v "$bin" >/dev/null || { cas_log "FAIL missing dependency: $bin"; return 1; }
+  done
+  mkdir -p "$CAS_STATE_DIR"
+  exec 9>"$CAS_STATE_DIR/lock"
+  flock -n 9 || { cas_log "SKIP another sync is already running"; return 0; }
+
+  cas_prepare_vault || return 1
+  if cas_live_auth_ok; then
+    cas_backup
+    return
+  fi
+
+  cas_log "WARN live Claude auth failed; attempting one Vault restore"
+  cas_restore || return 1
+  if cas_live_auth_ok; then
+    cas_backup
+    return
+  fi
+  cas_log "FAIL Claude auth still invalid after Vault restore; interactive SSO login required"
+  return 1
+}
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+  cas_main "$@"
+fi
diff --git a/scripts/workstation/claude-hooks/auto-learn.py b/scripts/workstation/claude-hooks/auto-learn.py
new file mode 100755
index 00000000..174431f9
--- /dev/null
+++ b/scripts/workstation/claude-hooks/auto-learn.py
@@ -0,0 +1,184 @@
+#!/usr/bin/env python3
+"""
+Stop hook (async): automatic learning extraction via haiku-as-judge.
+
+After each Claude response, sends the user message + assistant response to
+haiku to detect corrections, preferences, decisions, or facts worth storing.
+If learning events are detected, stores them via the `homelab memory` CLI — the
+only sanctioned memory path on the devvm (no direct HTTP, no local SQLite).
+
+Runs with async: true — does NOT block the user.
+"""
+
+import io
+import json
+import logging
+import os
+import shutil
+import subprocess
+import sys
+
+logger = logging.getLogger(__name__)
+
+JUDGE_PROMPT = """You are a memory extraction judge. Analyze this exchange between a user and an AI assistant.
+
+USER MESSAGE:
+{user_message}
+
+ASSISTANT RESPONSE:
+{assistant_response}
+
+Your job: determine if any of these learning events occurred:
+1. USER CORRECTION — user corrected the assistant's mistake or misunderstanding
+2. PREFERENCE — user stated a preference, habit, or "I like/prefer/want" statement
+3. DECISION — a decision was reached about how to do something
+4. FACT — user shared a durable fact about themselves, their team, tools, or environment
+
+If ANY learning event occurred, return JSON:
+{{"events": [{{"type": "correction|preference|decision|fact", "content": "concise fact to remember (one sentence)", "importance": 0.7, "expanded_keywords": "space-separated semantically related search terms for recall (minimum 5 words)", "supersedes": null}}]}}
+
+If NO learning event occurred, return:
+{{"events": []}}
+
+Rules:
+- Only extract DURABLE facts, not transient task details
+- Corrections are highest value (0.8-0.9)
+- Be conservative — false negatives are better than false positives
+- "expanded_keywords" should include synonyms, related concepts, and adjacent topics that would help find this memory later
+- "supersedes" should be a search query to find the old outdated memory, or null
+- Return ONLY valid JSON, no other text"""
+
+
+def _store_via_homelab_cli(content, category, tags, importance, expanded_keywords):
+    """Store one memory via the homelab CLI — the only sanctioned memory path on
+    the devvm (no direct HTTP, no local SQLite). The CLI defaults the API URL and
+    reads CLAUDE_MEMORY_API_KEY / MEMORY_API_KEY from the environment; if neither
+    is set (e.g. a user without a minted key) it no-ops silently."""
+    homelab = shutil.which("homelab") or "/usr/local/bin/homelab"
+    if not os.path.exists(homelab):
+        return
+    if not (os.environ.get("CLAUDE_MEMORY_API_KEY") or os.environ.get("MEMORY_API_KEY")):
+        return
+    cmd = [
+        homelab, "memory", "store", content,
+        "--category", category,
+        "--tags", tags,
+        "--importance", str(importance),
+    ]
+    if expanded_keywords:
+        # CLI wants comma-separated keywords; the judge emits space-separated terms.
+        keywords = ",".join(expanded_keywords.replace(",", " ").split())
+        if keywords:
+            cmd += ["--keywords", keywords]
+    subprocess.run(cmd, capture_output=True, text=True, timeout=15, env=os.environ)
+
+
+def main() -> None:
+    # Graceful exit if claude CLI is not available
+    if not shutil.which("claude"):
+        return
+
+    try:
+        hook_input = json.load(sys.stdin)
+    except (json.JSONDecodeError, EOFError):
+        return
+
+    if isinstance(hook_input, dict) and hook_input.get("stop_hook_active", False):
+        return
+
+    transcript_path = ""
+    if isinstance(hook_input, dict):
+        transcript_path = hook_input.get("transcript_path", "")
+
+    if not transcript_path or not os.path.exists(transcript_path):
+        return
+
+    user_message = ""
+    assistant_response = ""
+    try:
+        MAX_TAIL_BYTES = 50_000
+        with open(transcript_path, "rb") as f:
+            f.seek(0, io.SEEK_END)
+            size = f.tell()
+            f.seek(max(0, size - MAX_TAIL_BYTES))
+            tail = f.read().decode("utf-8", errors="replace")
+        lines = tail.split("\n")
+
+        for line in reversed(lines):
+            line = line.strip()
+            if not line:
+                continue
+            try:
+                entry = json.loads(line)
+            except json.JSONDecodeError:
+                continue
+            role = entry.get("role", "")
+            content = entry.get("content", "")
+            if isinstance(content, list):
+                content = " ".join(
+                    b.get("text", "") for b in content
+                    if isinstance(b, dict) and b.get("type") == "text"
+                )
+            content = str(content)[:2000]
+            if role == "assistant" and not assistant_response:
+                assistant_response = content
+            elif role == "user" and not user_message:
+                user_message = content
+            if user_message and assistant_response:
+                break
+    except Exception:
+        return
+
+    if not user_message or len(user_message.strip()) < 10:
+        return
+
+    prompt = JUDGE_PROMPT.format(
+        user_message=user_message,
+        assistant_response=assistant_response[:1000],
+    )
+
+    try:
+        result = subprocess.run(
+            ["claude", "-p", prompt, "--model", "haiku"],
+            capture_output=True, text=True, timeout=30,
+            env={**os.environ, "CLAUDECODE": ""},
+        )
+        if result.returncode != 0:
+            return
+        response_text = result.stdout.strip()
+        if response_text.startswith("```"):
+            lines = response_text.split("\n")
+            lines = [l for l in lines if not l.strip().startswith("```")]
+            response_text = "\n".join(lines).strip()
+        judge_result = json.loads(response_text)
+        events = judge_result.get("events", [])
+        if not events:
+            return
+    except (subprocess.TimeoutExpired, json.JSONDecodeError, OSError):
+        return
+
+    category_map = {
+        "correction": "preferences",
+        "preference": "preferences",
+        "decision": "decisions",
+        "fact": "facts",
+    }
+
+    for event in events:
+        content = event.get("content", "")
+        if not content:
+            continue
+        event_type = event.get("type", "fact")
+        importance = max(0.0, min(1.0, float(event.get("importance", 0.7))))
+        category = category_map.get(event_type, "facts")
+        tags = f"auto-learned,{event_type}"
+        expanded_keywords = event.get("expanded_keywords", "")
+
+        try:
+            _store_via_homelab_cli(content, category, tags, importance, expanded_keywords)
+        except Exception:
+            pass  # Never crash the async hook
+
+
+if __name__ == "__main__":
+    main()
diff --git a/scripts/workstation/claude-hooks/homelab-memory-recall.py b/scripts/workstation/claude-hooks/homelab-memory-recall.py
new file mode 100755
index 00000000..7315f116
--- /dev/null
+++ b/scripts/workstation/claude-hooks/homelab-memory-recall.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+"""UserPromptSubmit hook: inject relevant memories via `homelab memory recall`.
+
+Replaces the claude-memory MCP recall path. Instead of instructing the model to
+call the memory_recall MCP tool, this hook runs the homelab CLI (a direct client
+to the same claude-memory HTTP API) and injects the ACTUAL results as context —
+so recall is automatic, needs no model tool-call, and works with the MCP
+uninstalled. Best-effort: any failure exits 0 silently (recall just doesn't
+happen that turn, exactly like the MCP being unavailable).
+
+Wizard-only trial of the MCP deprecation (2026-06-20). Reversible: restore the
+plugin command in ~/.claude/settings.json (backup: settings.json.bak-pre-homelab-memory).
+"""
+
+import json
+import os
+import shutil
+import subprocess
+import sys
+
+
+def main() -> None:
+    try:
+        hook_input = json.load(sys.stdin)
+    except (json.JSONDecodeError, EOFError):
+        return
+
+    prompt = ""
+    if isinstance(hook_input, dict):
+        prompt = hook_input.get("prompt") or hook_input.get("user_prompt") or ""
+        if not prompt and isinstance(hook_input.get("content"), str):
+            prompt = hook_input["content"]
+    prompt = (prompt or "").strip()
+
+    # Same gates as the original recall hook: skip short prompts, code/JSON/XML blobs.
+    if len(prompt) < 10 or prompt[0] in "`{<":
+        return
+
+    homelab = shutil.which("homelab") or "/usr/local/bin/homelab"
+    if not os.path.exists(homelab):
+        return
+    if not (os.environ.get("CLAUDE_MEMORY_API_KEY") or os.environ.get("MEMORY_API_KEY")):
+        return
+
+    try:
+        res = subprocess.run(
+            [homelab, "memory", "recall", prompt, "--limit", "5"],
+            capture_output=True, text=True, timeout=4, env=os.environ,
+        )
+    except (subprocess.TimeoutExpired, OSError):
+        return
+
+    out = (res.stdout or "").strip()
+    if res.returncode != 0 or not out:
+        return
+
+    context = (
+        "Relevant stored memories (via `homelab memory recall`) — incorporate "
+        "naturally if useful; do NOT mention this lookup to the user:\n\n" + out
+    )
+    print(json.dumps({
+        "hookSpecificOutput": {
+            "hookEventName": "UserPromptSubmit",
+            "additionalContext": context,
+        }
+    }))
+
+
+if __name__ == "__main__":
+    main()
diff --git a/scripts/workstation/claude-hooks/post-compact-recovery.sh b/scripts/workstation/claude-hooks/post-compact-recovery.sh
new file mode 100755
index 00000000..4687d951
--- /dev/null
+++ b/scripts/workstation/claude-hooks/post-compact-recovery.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+# UserPromptSubmit hook: Inject recovery context after compaction
+# This hook runs on each user prompt, but only injects context once after compaction.
+
+# Read hook input from stdin
+INPUT=$(cat)
+
+# Extract session ID
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // .sessionId // "unknown"')
+
+# Define marker path
+MEMORY_HOME="${MEMORY_HOME:-$HOME/.claude/claude-memory}"
+MARKER_DIR="${MEMORY_HOME}/state/compaction-markers"
+MARKER_FILE="${MARKER_DIR}/${SESSION_ID}.json"
+
+# Fast path: no marker means no recent compaction, exit immediately
+if [ ! -f "$MARKER_FILE" ]; then
+    exit 0
+fi
+
+# Read marker contents
+MARKER=$(cat "$MARKER_FILE")
+
+# Validate JSON before processing
+if ! echo "$MARKER" | jq -e . >/dev/null 2>&1; then
+    rm -f "$MARKER_FILE"
+    exit 0
+fi
+
+# Extract data from marker
+COMPACTED_AT=$(echo "$MARKER" | jq -r '.compactedAt // "unknown"')
+PERSONALITY=$(echo "$MARKER" | jq -r '.personalityReminder // ""')
+
+# Build remembered facts summary (limit to ~500 chars)
+FACTS_SUMMARY=$(echo "$MARKER" | jq -r '
+    .rememberedFacts[:10] |
+    map("- [\(.category // "fact")] \(.content)") |
+    join("\n")
+' 2>/dev/null || echo "")
+
+# Build recovery context (kept under 1000 tokens)
+RECOVERY_CONTEXT="[Claude Memory Recovery - Context compacted at ${COMPACTED_AT}]
+
+${PERSONALITY}
+
+Key memories from before compaction:
+${FACTS_SUMMARY}
+
+Use the memory_recall MCP tool if you need more context about past conversations."
+
+# Output JSON with additional context for injection
+cat << EOF
+{
+  "hookSpecificOutput": {
+    "hookEventName": "UserPromptSubmit",
+    "additionalContext": $(echo "$RECOVERY_CONTEXT" | jq -Rs .)
+  }
+}
+EOF
+
+# Delete marker file (one-time injection)
+rm -f "$MARKER_FILE"
+
+exit 0
diff --git a/scripts/workstation/claude-hooks/pre-compact-backup.sh b/scripts/workstation/claude-hooks/pre-compact-backup.sh
new file mode 100755
index 00000000..1194b12d
--- /dev/null
+++ b/scripts/workstation/claude-hooks/pre-compact-backup.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+# PreCompact hook: Save key memories before compaction
+set -e
+
+INPUT=$(cat)
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // .sessionId // "unknown"')
+
+MEMORY_HOME="${MEMORY_HOME:-$HOME/.claude/claude-memory}"
+MARKER_DIR="${MEMORY_HOME}/state/compaction-markers"
+MEMORY_DB="${MEMORY_HOME}/memory/memory.db"
+MARKER_FILE="${MARKER_DIR}/${SESSION_ID}.json"
+
+mkdir -p "$MARKER_DIR"
+
+TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+# Try API first, fall back to SQLite
+REMEMBERED_FACTS="[]"
+if [ -n "${MEMORY_API_KEY:-${CLAUDE_MEMORY_API_KEY:-}}" ]; then
+    API_KEY="${MEMORY_API_KEY:-${CLAUDE_MEMORY_API_KEY:-}}"
+    API_URL="${MEMORY_API_URL:-${CLAUDE_MEMORY_API_URL:-}}"
+    if [ -n "$API_URL" ]; then
+        REMEMBERED_FACTS=$(curl -sf -H "Authorization: Bearer ${API_KEY}" \
+            "${API_URL}/api/memories?limit=20" 2>/dev/null | \
+            jq '[.memories[] | {content, category, importance}]' 2>/dev/null || echo "[]")
+    fi
+elif [ -f "$MEMORY_DB" ]; then
+    REMEMBERED_FACTS=$(sqlite3 -json "$MEMORY_DB" \
+        "SELECT content, category, importance FROM memories ORDER BY importance DESC, created_at DESC LIMIT 20" 2>/dev/null || echo "[]")
+fi
+
+if ! echo "$REMEMBERED_FACTS" | jq empty 2>/dev/null; then
+    REMEMBERED_FACTS="[]"
+fi
+
+jq -n \
+  --arg sid "$SESSION_ID" \
+  --arg ts "$TIMESTAMP" \
+  --argjson facts "$REMEMBERED_FACTS" \
+  '{sessionId: $sid, compactedAt: $ts, rememberedFacts: $facts}' \
+  > "$MARKER_FILE"
+
+exit 0
diff --git a/scripts/workstation/claude-hooks/wire-memory-hooks.py b/scripts/workstation/claude-hooks/wire-memory-hooks.py
new file mode 100644
index 00000000..c33b504c
--- /dev/null
+++ b/scripts/workstation/claude-hooks/wire-memory-hooks.py
@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+"""Wire the homelab-memory hooks into a user's ~/.claude/settings.json.
+
+Part of the claude-memory MCP -> homelab CLI migration (all-users rollout).
+Two passes, idempotent, never touching `env` (the per-user MEMORY_API_KEY) or any
+other setting:
+  (0) PRUNE any hook command still pointing at the retired claude-memory plugin
+      (`plugins/claude-memory/hooks/`). install_memory() rm -rf's that dir, so
+      those entries are dangling — and a missing UserPromptSubmit hook exits 2,
+      a BLOCKING error that erases the prompt and freezes the session (devvm emo
+      incident 2026-06-22). Must run BEFORE the additive pass: the plugin shares
+      basenames with the homelab hooks, so without pruning, the "already present"
+      check below matches the dead plugin path and skips the real install.
+  (1) ADD each homelab hook group when no existing command references its script.
+
+Usage: wire-memory-hooks.py <home_dir>
+Exit 0 on success (changed or already-present); 1 only on an unreadable settings file.
+"""
+import json
+import os
+import sys
+
+home = sys.argv[1]
+settings = os.path.join(home, ".claude", "settings.json")
+hooks_dir = os.path.join(home, ".claude", "hooks")
+
+# (event, script-basename used for the if-absent check, full command, extra fields)
+WANT = [
+    ("PreCompact", "pre-compact-backup.sh", f"{hooks_dir}/pre-compact-backup.sh", {"timeout": 30}),
+    ("UserPromptSubmit", "post-compact-recovery.sh", f"{hooks_dir}/post-compact-recovery.sh", {"timeout": 10}),
+    ("UserPromptSubmit", "homelab-memory-recall.py", f"python3 {hooks_dir}/homelab-memory-recall.py", {"timeout": 8}),
+    ("Stop", "auto-learn.py", f"python3 {hooks_dir}/auto-learn.py", {"async": True}),
+]
+
+try:
+    if os.path.exists(settings) and os.path.getsize(settings) > 0:
+        with open(settings) as fh:
+            data = json.load(fh)
+    else:
+        data = {}
+except (json.JSONDecodeError, OSError) as e:
+    print(f"ERROR: cannot read {settings}: {e}", file=sys.stderr)
+    sys.exit(1)
+
+hooks = data.setdefault("hooks", {})
+changed = False
+
+# (0) Prune dead claude-memory plugin hooks (see module docstring). Must precede
+# the additive pass so shared basenames don't mask a needed install.
+DEAD_REF = "plugins/claude-memory/hooks/"
+for event in list(hooks.keys()):
+    new_groups = []
+    removed_any = False
+    for g in (hooks.get(event) or []):
+        original = g.get("hooks") or []
+        kept = [h for h in original if DEAD_REF not in (h.get("command", "") or "")]
+        if len(kept) != len(original):
+            removed_any = True
+        if kept:
+            new_groups.append({**g, "hooks": kept})
+    if removed_any:
+        changed = True
+        if new_groups:
+            hooks[event] = new_groups
+        else:
+            del hooks[event]
+
+# (1) Additively wire each homelab hook, if no command already references it.
+for event, basename, command, extra in WANT:
+    groups = hooks.setdefault(event, [])
+    already = any(
+        basename in (h.get("command", "") or "")
+        for g in groups
+        for h in (g.get("hooks", []) or [])
+    )
+    if already:
+        continue
+    entry = {"type": "command", "command": command}
+    entry.update(extra)
+    groups.append({"hooks": [entry]})
+    changed = True
+
+if changed:
+    tmp = settings + ".tmp"
+    with open(tmp, "w") as fh:
+        json.dump(data, fh, indent=2)
+    os.replace(tmp, settings)
+    print(f"wired memory hooks -> {settings}")
+else:
+    print(f"memory hooks already present -> {settings} (no change)")
diff --git a/scripts/workstation/claude-skills/README.md b/scripts/workstation/claude-skills/README.md
new file mode 100644
index 00000000..816cbcb7
--- /dev/null
+++ b/scripts/workstation/claude-skills/README.md
@@ -0,0 +1,31 @@
+# claude-skills — vendored agent-skill snapshot
+
+Point-in-time snapshot of the admin's (`wizard`) Claude Code agent skills, deployed
+per-user by `install_skills()` in `../../t3-provision-users.sh` (scoped to the
+`SKILL_USERS` allowlist). Each subdirectory is one skill (`SKILL.md` + any bundled
+references). The provisioner copies a skill into `~/.agents/skills/<name>/` (owned by
+the user) and symlinks `~/.claude/skills/<name> -> ../../.agents/skills/<name>` — the
+layout the `skills` CLI's `-g` install produces; Claude Code reads `~/.claude/skills/`.
+
+## Why vendored (not `npx skills add` at provision time)
+
+Upstream drifted from this set: on `mattpocock/skills` master, `diagnose` →
+`diagnosing-bugs` and `write-a-skill` → `writing-great-skills` were renamed, and
+`caveman` + `zoom-out` are no longer published — so `npx skills` cannot reproduce this
+exact set. Vendoring is also offline/deterministic and keeps GitHub-clone +
+unpinned-CLI dependencies out of the hourly **root** reconcile.
+
+## Sources
+
+- `mattpocock/skills` (https://github.com/mattpocock/skills) — all except `find-skills`
+- `vercel-labs/skills` (https://github.com/vercel-labs/skills) — `find-skills`
+
+## Refreshing
+
+Re-snapshot from a current install and commit the diff:
+
+```sh
+cp -a ~/.agents/skills/. scripts/workstation/claude-skills/
+```
+
+Snapshot taken 2026-06-23.
diff --git a/scripts/workstation/claude-skills/caveman/SKILL.md b/scripts/workstation/claude-skills/caveman/SKILL.md
new file mode 100644
index 00000000..85770a38
--- /dev/null
+++ b/scripts/workstation/claude-skills/caveman/SKILL.md
@@ -0,0 +1,49 @@
+---
+name: caveman
+description: >
+  Ultra-compressed communication mode. Cuts token usage ~75% by dropping
+  filler, articles, and pleasantries while keeping full technical accuracy.
+  Use when user says "caveman mode", "talk like caveman", "use caveman",
+  "less tokens", "be brief", or invokes /caveman.
+---
+
+Respond terse like smart caveman. All technical substance stay. Only fluff die.
+
+## Persistence
+
+ACTIVE EVERY RESPONSE once triggered. No revert after many turns. No filler drift. Still active if unsure. Off only when user says "stop caveman" or "normal mode".
+
+## Rules
+
+Drop: articles (a/an/the), filler (just/really/basically/actually/simply), pleasantries (sure/certainly/of course/happy to), hedging. Fragments OK. Short synonyms (big not extensive, fix not "implement a solution for"). Abbreviate common terms (DB/auth/config/req/res/fn/impl). Strip conjunctions. Use arrows for causality (X -> Y). One word when one word enough.
+
+Technical terms stay exact. Code blocks unchanged. Errors quoted exact.
+
+Pattern: `[thing] [action] [reason]. [next step].`
+
+Not: "Sure! I'd be happy to help you with that. The issue you're experiencing is likely caused by..."
+Yes: "Bug in auth middleware. Token expiry check use `<` not `<=`. Fix:"
+
+### Examples
+
+**"Why React component re-render?"**
+
+> Inline obj prop -> new ref -> re-render. `useMemo`.
+
+**"Explain database connection pooling."**
+
+> Pool = reuse DB conn. Skip handshake -> fast under load.
+
+## Auto-Clarity Exception
+
+Drop caveman temporarily for: security warnings, irreversible action confirmations, multi-step sequences where fragment order risks misread, user asks to clarify or repeats question. Resume caveman after clear part done.
+
+Example -- destructive op:
+
+> **Warning:** This will permanently delete all rows in the `users` table and cannot be undone.
+>
+> ```sql
+> DROP TABLE users;
+> ```
+>
+> Caveman resume. Verify backup exist first.
diff --git a/scripts/workstation/claude-skills/diagnose/SKILL.md b/scripts/workstation/claude-skills/diagnose/SKILL.md
new file mode 100644
index 00000000..ed55bda2
--- /dev/null
+++ b/scripts/workstation/claude-skills/diagnose/SKILL.md
@@ -0,0 +1,117 @@
+---
+name: diagnose
+description: Disciplined diagnosis loop for hard bugs and performance regressions. Reproduce → minimise → hypothesise → instrument → fix → regression-test. Use when user says "diagnose this" / "debug this", reports a bug, says something is broken/throwing/failing, or describes a performance regression.
+---
+
+# Diagnose
+
+A discipline for hard bugs. Skip phases only when explicitly justified.
+
+When exploring the codebase, use the project's domain glossary to get a clear mental model of the relevant modules, and check ADRs in the area you're touching.
+
+## Phase 1 — Build a feedback loop
+
+**This is the skill.** Everything else is mechanical. If you have a fast, deterministic, agent-runnable pass/fail signal for the bug, you will find the cause — bisection, hypothesis-testing, and instrumentation all just consume that signal. If you don't have one, no amount of staring at code will save you.
+
+Spend disproportionate effort here. **Be aggressive. Be creative. Refuse to give up.**
+
+### Ways to construct one — try them in roughly this order
+
+1. **Failing test** at whatever seam reaches the bug — unit, integration, e2e.
+2. **Curl / HTTP script** against a running dev server.
+3. **CLI invocation** with a fixture input, diffing stdout against a known-good snapshot.
+4. **Headless browser script** (Playwright / Puppeteer) — drives the UI, asserts on DOM/console/network.
+5. **Replay a captured trace.** Save a real network request / payload / event log to disk; replay it through the code path in isolation.
+6. **Throwaway harness.** Spin up a minimal subset of the system (one service, mocked deps) that exercises the bug code path with a single function call.
+7. **Property / fuzz loop.** If the bug is "sometimes wrong output", run 1000 random inputs and look for the failure mode.
+8. **Bisection harness.** If the bug appeared between two known states (commit, dataset, version), automate "boot at state X, check, repeat" so you can `git bisect run` it.
+9. **Differential loop.** Run the same input through old-version vs new-version (or two configs) and diff outputs.
+10. **HITL bash script.** Last resort. If a human must click, drive _them_ with `scripts/hitl-loop.template.sh` so the loop is still structured. Captured output feeds back to you.
+
+Build the right feedback loop, and the bug is 90% fixed.
+
+### Iterate on the loop itself
+
+Treat the loop as a product. Once you have _a_ loop, ask:
+
+- Can I make it faster? (Cache setup, skip unrelated init, narrow the test scope.)
+- Can I make the signal sharper? (Assert on the specific symptom, not "didn't crash".)
+- Can I make it more deterministic? (Pin time, seed RNG, isolate filesystem, freeze network.)
+
+A 30-second flaky loop is barely better than no loop. A 2-second deterministic loop is a debugging superpower.
+
+### Non-deterministic bugs
+
+The goal is not a clean repro but a **higher reproduction rate**. Loop the trigger 100×, parallelise, add stress, narrow timing windows, inject sleeps. A 50%-flake bug is debuggable; 1% is not — keep raising the rate until it's debuggable.
+
+### When you genuinely cannot build a loop
+
+Stop and say so explicitly. List what you tried. Ask the user for: (a) access to whatever environment reproduces it, (b) a captured artifact (HAR file, log dump, core dump, screen recording with timestamps), or (c) permission to add temporary production instrumentation. Do **not** proceed to hypothesise without a loop.
+
+Do not proceed to Phase 2 until you have a loop you believe in.
+
+## Phase 2 — Reproduce
+
+Run the loop. Watch the bug appear.
+
+Confirm:
+
+- [ ] The loop produces the failure mode the **user** described — not a different failure that happens to be nearby. Wrong bug = wrong fix.
+- [ ] The failure is reproducible across multiple runs (or, for non-deterministic bugs, reproducible at a high enough rate to debug against).
+- [ ] You have captured the exact symptom (error message, wrong output, slow timing) so later phases can verify the fix actually addresses it.
+
+Do not proceed until you reproduce the bug.
+
+## Phase 3 — Hypothesise
+
+Generate **3–5 ranked hypotheses** before testing any of them. Single-hypothesis generation anchors on the first plausible idea.
+
+Each hypothesis must be **falsifiable**: state the prediction it makes.
+
+> Format: "If <X> is the cause, then <changing Y> will make the bug disappear / <changing Z> will make it worse."
+
+If you cannot state the prediction, the hypothesis is a vibe — discard or sharpen it.
+
+**Show the ranked list to the user before testing.** They often have domain knowledge that re-ranks instantly ("we just deployed a change to #3"), or know hypotheses they've already ruled out. Cheap checkpoint, big time saver. Don't block on it — proceed with your ranking if the user is AFK.
+
+## Phase 4 — Instrument
+
+Each probe must map to a specific prediction from Phase 3. **Change one variable at a time.**
+
+Tool preference:
+
+1. **Debugger / REPL inspection** if the env supports it. One breakpoint beats ten logs.
+2. **Targeted logs** at the boundaries that distinguish hypotheses.
+3. Never "log everything and grep".
+
+**Tag every debug log** with a unique prefix, e.g. `[DEBUG-a4f2]`. Cleanup at the end becomes a single grep. Untagged logs survive; tagged logs die.
+
+**Perf branch.** For performance regressions, logs are usually wrong. Instead: establish a baseline measurement (timing harness, `performance.now()`, profiler, query plan), then bisect. Measure first, fix second.
+
+## Phase 5 — Fix + regression test
+
+Write the regression test **before the fix** — but only if there is a **correct seam** for it.
+
+A correct seam is one where the test exercises the **real bug pattern** as it occurs at the call site. If the only available seam is too shallow (single-caller test when the bug needs multiple callers, unit test that can't replicate the chain that triggered the bug), a regression test there gives false confidence.
+
+**If no correct seam exists, that itself is the finding.** Note it. The codebase architecture is preventing the bug from being locked down. Flag this for the next phase.
+
+If a correct seam exists:
+
+1. Turn the minimised repro into a failing test at that seam.
+2. Watch it fail.
+3. Apply the fix.
+4. Watch it pass.
+5. Re-run the Phase 1 feedback loop against the original (un-minimised) scenario.
+
+## Phase 6 — Cleanup + post-mortem
+
+Required before declaring done:
+
+- [ ] Original repro no longer reproduces (re-run the Phase 1 loop)
+- [ ] Regression test passes (or absence of seam is documented)
+- [ ] All `[DEBUG-...]` instrumentation removed (`grep` the prefix)
+- [ ] Throwaway prototypes deleted (or moved to a clearly-marked debug location)
+- [ ] The hypothesis that turned out correct is stated in the commit / PR message — so the next debugger learns
+
+**Then ask: what would have prevented this bug?** If the answer involves architectural change (no good test seam, tangled callers, hidden coupling) hand off to the `/improve-codebase-architecture` skill with the specifics. Make the recommendation **after** the fix is in, not before — you have more information now than when you started.
diff --git a/scripts/workstation/claude-skills/diagnose/scripts/hitl-loop.template.sh b/scripts/workstation/claude-skills/diagnose/scripts/hitl-loop.template.sh
new file mode 100644
index 00000000..40afc465
--- /dev/null
+++ b/scripts/workstation/claude-skills/diagnose/scripts/hitl-loop.template.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# Human-in-the-loop reproduction loop.
+# Copy this file, edit the steps below, and run it.
+# The agent runs the script; the user follows prompts in their terminal.
+#
+# Usage:
+#   bash hitl-loop.template.sh
+#
+# Two helpers:
+#   step "<instruction>"          → show instruction, wait for Enter
+#   capture VAR "<question>"      → show question, read response into VAR
+#
+# At the end, captured values are printed as KEY=VALUE for the agent to parse.
+
+set -euo pipefail
+
+step() {
+  printf '\n>>> %s\n' "$1"
+  read -r -p "    [Enter when done] " _
+}
+
+capture() {
+  local var="$1" question="$2" answer
+  printf '\n>>> %s\n' "$question"
+  read -r -p "    > " answer
+  printf -v "$var" '%s' "$answer"
+}
+
+# --- edit below ---------------------------------------------------------
+
+step "Open the app at http://localhost:3000 and sign in."
+
+capture ERRORED "Click the 'Export' button. Did it throw an error? (y/n)"
+
+capture ERROR_MSG "Paste the error message (or 'none'):"
+
+# --- edit above ---------------------------------------------------------
+
+printf '\n--- Captured ---\n'
+printf 'ERRORED=%s\n' "$ERRORED"
+printf 'ERROR_MSG=%s\n' "$ERROR_MSG"
diff --git a/scripts/workstation/claude-skills/find-skills/SKILL.md b/scripts/workstation/claude-skills/find-skills/SKILL.md
new file mode 100644
index 00000000..114c6637
--- /dev/null
+++ b/scripts/workstation/claude-skills/find-skills/SKILL.md
@@ -0,0 +1,142 @@
+---
+name: find-skills
+description: Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express interest in extending capabilities. This skill should be used when the user is looking for functionality that might exist as an installable skill.
+---
+
+# Find Skills
+
+This skill helps you discover and install skills from the open agent skills ecosystem.
+
+## When to Use This Skill
+
+Use this skill when the user:
+
+- Asks "how do I do X" where X might be a common task with an existing skill
+- Says "find a skill for X" or "is there a skill for X"
+- Asks "can you do X" where X is a specialized capability
+- Expresses interest in extending agent capabilities
+- Wants to search for tools, templates, or workflows
+- Mentions they wish they had help with a specific domain (design, testing, deployment, etc.)
+
+## What is the Skills CLI?
+
+The Skills CLI (`npx skills`) is the package manager for the open agent skills ecosystem. Skills are modular packages that extend agent capabilities with specialized knowledge, workflows, and tools.
+
+**Key commands:**
+
+- `npx skills find [query]` - Search for skills interactively or by keyword
+- `npx skills add <package>` - Install a skill from GitHub or other sources
+- `npx skills check` - Check for skill updates
+- `npx skills update` - Update all installed skills
+
+**Browse skills at:** https://skills.sh/
+
+## How to Help Users Find Skills
+
+### Step 1: Understand What They Need
+
+When a user asks for help with something, identify:
+
+1. The domain (e.g., React, testing, design, deployment)
+2. The specific task (e.g., writing tests, creating animations, reviewing PRs)
+3. Whether this is a common enough task that a skill likely exists
+
+### Step 2: Check the Leaderboard First
+
+Before running a CLI search, check the [skills.sh leaderboard](https://skills.sh/) to see if a well-known skill already exists for the domain. The leaderboard ranks skills by total installs, surfacing the most popular and battle-tested options.
+
+For example, top skills for web development include:
+- `vercel-labs/agent-skills` — React, Next.js, web design (100K+ installs each)
+- `anthropics/skills` — Frontend design, document processing (100K+ installs)
+
+### Step 3: Search for Skills
+
+If the leaderboard doesn't cover the user's need, run the find command:
+
+```bash
+npx skills find [query]
+```
+
+For example:
+
+- User asks "how do I make my React app faster?" → `npx skills find react performance`
+- User asks "can you help me with PR reviews?" → `npx skills find pr review`
+- User asks "I need to create a changelog" → `npx skills find changelog`
+
+### Step 4: Verify Quality Before Recommending
+
+**Do not recommend a skill based solely on search results.** Always verify:
+
+1. **Install count** — Prefer skills with 1K+ installs. Be cautious with anything under 100.
+2. **Source reputation** — Official sources (`vercel-labs`, `anthropics`, `microsoft`) are more trustworthy than unknown authors.
+3. **GitHub stars** — Check the source repository. A skill from a repo with <100 stars should be treated with skepticism.
+
+### Step 5: Present Options to the User
+
+When you find relevant skills, present them to the user with:
+
+1. The skill name and what it does
+2. The install count and source
+3. The install command they can run
+4. A link to learn more at skills.sh
+
+Example response:
+
+```
+I found a skill that might help! The "react-best-practices" skill provides
+React and Next.js performance optimization guidelines from Vercel Engineering.
+(185K installs)
+
+To install it:
+npx skills add vercel-labs/agent-skills@react-best-practices
+
+Learn more: https://skills.sh/vercel-labs/agent-skills/react-best-practices
+```
+
+### Step 6: Offer to Install
+
+If the user wants to proceed, you can install the skill for them:
+
+```bash
+npx skills add <owner/repo@skill> -g -y
+```
+
+The `-g` flag installs globally (user-level) and `-y` skips confirmation prompts.
+
+## Common Skill Categories
+
+When searching, consider these common categories:
+
+| Category        | Example Queries                          |
+| --------------- | ---------------------------------------- |
+| Web Development | react, nextjs, typescript, css, tailwind |
+| Testing         | testing, jest, playwright, e2e           |
+| DevOps          | deploy, docker, kubernetes, ci-cd        |
+| Documentation   | docs, readme, changelog, api-docs        |
+| Code Quality    | review, lint, refactor, best-practices   |
+| Design          | ui, ux, design-system, accessibility     |
+| Productivity    | workflow, automation, git                |
+
+## Tips for Effective Searches
+
+1. **Use specific keywords**: "react testing" is better than just "testing"
+2. **Try alternative terms**: If "deploy" doesn't work, try "deployment" or "ci-cd"
+3. **Check popular sources**: Many skills come from `vercel-labs/agent-skills` or `ComposioHQ/awesome-claude-skills`
+
+## When No Skills Are Found
+
+If no relevant skills exist:
+
+1. Acknowledge that no existing skill was found
+2. Offer to help with the task directly using your general capabilities
+3. Suggest the user could create their own skill with `npx skills init`
+
+Example:
+
+```
+I searched for skills related to "xyz" but didn't find any matches.
+I can still help you with this task directly! Would you like me to proceed?
+
+If this is something you do often, you could create your own skill:
+npx skills init my-xyz-skill
+```
diff --git a/scripts/workstation/claude-skills/grill-me/SKILL.md b/scripts/workstation/claude-skills/grill-me/SKILL.md
new file mode 100644
index 00000000..bd04394c
--- /dev/null
+++ b/scripts/workstation/claude-skills/grill-me/SKILL.md
@@ -0,0 +1,10 @@
+---
+name: grill-me
+description: Interview the user relentlessly about a plan or design until reaching shared understanding, resolving each branch of the decision tree. Use when user wants to stress-test a plan, get grilled on their design, or mentions "grill me".
+---
+
+Interview me relentlessly about every aspect of this plan until we reach a shared understanding. Walk down each branch of the design tree, resolving dependencies between decisions one-by-one. For each question, provide your recommended answer.
+
+Ask the questions one at a time.
+
+If a question can be answered by exploring the codebase, explore the codebase instead.
diff --git a/scripts/workstation/claude-skills/grill-with-docs/ADR-FORMAT.md b/scripts/workstation/claude-skills/grill-with-docs/ADR-FORMAT.md
new file mode 100644
index 00000000..da7e78ec
--- /dev/null
+++ b/scripts/workstation/claude-skills/grill-with-docs/ADR-FORMAT.md
@@ -0,0 +1,47 @@
+# ADR Format
+
+ADRs live in `docs/adr/` and use sequential numbering: `0001-slug.md`, `0002-slug.md`, etc.
+
+Create the `docs/adr/` directory lazily — only when the first ADR is needed.
+
+## Template
+
+```md
+# {Short title of the decision}
+
+{1-3 sentences: what's the context, what did we decide, and why.}
+```
+
+That's it. An ADR can be a single paragraph. The value is in recording *that* a decision was made and *why* — not in filling out sections.
+
+## Optional sections
+
+Only include these when they add genuine value. Most ADRs won't need them.
+
+- **Status** frontmatter (`proposed | accepted | deprecated | superseded by ADR-NNNN`) — useful when decisions are revisited
+- **Considered Options** — only when the rejected alternatives are worth remembering
+- **Consequences** — only when non-obvious downstream effects need to be called out
+
+## Numbering
+
+Scan `docs/adr/` for the highest existing number and increment by one.
+
+## When to offer an ADR
+
+All three of these must be true:
+
+1. **Hard to reverse** — the cost of changing your mind later is meaningful
+2. **Surprising without context** — a future reader will look at the code and wonder "why on earth did they do it this way?"
+3. **The result of a real trade-off** — there were genuine alternatives and you picked one for specific reasons
+
+If a decision is easy to reverse, skip it — you'll just reverse it. If it's not surprising, nobody will wonder why. If there was no real alternative, there's nothing to record beyond "we did the obvious thing."
+
+### What qualifies
+
+- **Architectural shape.** "We're using a monorepo." "The write model is event-sourced, the read model is projected into Postgres."
+- **Integration patterns between contexts.** "Ordering and Billing communicate via domain events, not synchronous HTTP."
+- **Technology choices that carry lock-in.** Database, message bus, auth provider, deployment target. Not every library — just the ones that would take a quarter to swap out.
+- **Boundary and scope decisions.** "Customer data is owned by the Customer context; other contexts reference it by ID only." The explicit no-s are as valuable as the yes-s.
+- **Deliberate deviations from the obvious path.** "We're using manual SQL instead of an ORM because X." Anything where a reasonable reader would assume the opposite. These stop the next engineer from "fixing" something that was deliberate.
+- **Constraints not visible in the code.** "We can't use AWS because of compliance requirements." "Response times must be under 200ms because of the partner API contract."
+- **Rejected alternatives when the rejection is non-obvious.** If you considered GraphQL and picked REST for subtle reasons, record it — otherwise someone will suggest GraphQL again in six months.
diff --git a/scripts/workstation/claude-skills/grill-with-docs/CONTEXT-FORMAT.md b/scripts/workstation/claude-skills/grill-with-docs/CONTEXT-FORMAT.md
new file mode 100644
index 00000000..eaf2a185
--- /dev/null
+++ b/scripts/workstation/claude-skills/grill-with-docs/CONTEXT-FORMAT.md
@@ -0,0 +1,60 @@
+# CONTEXT.md Format
+
+## Structure
+
+```md
+# {Context Name}
+
+{One or two sentence description of what this context is and why it exists.}
+
+## Language
+
+**Order**:
+{A one or two sentence description of the term}
+_Avoid_: Purchase, transaction
+
+**Invoice**:
+A request for payment sent to a customer after delivery.
+_Avoid_: Bill, payment request
+
+**Customer**:
+A person or organization that places orders.
+_Avoid_: Client, buyer, account
+```
+
+## Rules
+
+- **Be opinionated.** When multiple words exist for the same concept, pick the best one and list the others under `_Avoid_`.
+- **Keep definitions tight.** One or two sentences max. Define what it IS, not what it does.
+- **Only include terms specific to this project's context.** General programming concepts (timeouts, error types, utility patterns) don't belong even if the project uses them extensively. Before adding a term, ask: is this a concept unique to this context, or a general programming concept? Only the former belongs.
+- **Group terms under subheadings** when natural clusters emerge. If all terms belong to a single cohesive area, a flat list is fine.
+
+## Single vs multi-context repos
+
+**Single context (most repos):** One `CONTEXT.md` at the repo root.
+
+**Multiple contexts:** A `CONTEXT-MAP.md` at the repo root lists the contexts, where they live, and how they relate to each other:
+
+```md
+# Context Map
+
+## Contexts
+
+- [Ordering](./src/ordering/CONTEXT.md) — receives and tracks customer orders
+- [Billing](./src/billing/CONTEXT.md) — generates invoices and processes payments
+- [Fulfillment](./src/fulfillment/CONTEXT.md) — manages warehouse picking and shipping
+
+## Relationships
+
+- **Ordering → Fulfillment**: Ordering emits `OrderPlaced` events; Fulfillment consumes them to start picking
+- **Fulfillment → Billing**: Fulfillment emits `ShipmentDispatched` events; Billing consumes them to generate invoices
+- **Ordering ↔ Billing**: Shared types for `CustomerId` and `Money`
+```
+
+The skill infers which structure applies:
+
+- If `CONTEXT-MAP.md` exists, read it to find contexts
+- If only a root `CONTEXT.md` exists, single context
+- If neither exists, create a root `CONTEXT.md` lazily when the first term is resolved
+
+When multiple contexts exist, infer which one the current topic relates to. If unclear, ask.
diff --git a/scripts/workstation/claude-skills/grill-with-docs/SKILL.md b/scripts/workstation/claude-skills/grill-with-docs/SKILL.md
new file mode 100644
index 00000000..5ea0aa91
--- /dev/null
+++ b/scripts/workstation/claude-skills/grill-with-docs/SKILL.md
@@ -0,0 +1,88 @@
+---
+name: grill-with-docs
+description: Grilling session that challenges your plan against the existing domain model, sharpens terminology, and updates documentation (CONTEXT.md, ADRs) inline as decisions crystallise. Use when user wants to stress-test a plan against their project's language and documented decisions.
+---
+
+<what-to-do>
+
+Interview me relentlessly about every aspect of this plan until we reach a shared understanding. Walk down each branch of the design tree, resolving dependencies between decisions one-by-one. For each question, provide your recommended answer.
+
+Ask the questions one at a time, waiting for feedback on each question before continuing.
+
+If a question can be answered by exploring the codebase, explore the codebase instead.
+
+</what-to-do>
+
+<supporting-info>
+
+## Domain awareness
+
+During codebase exploration, also look for existing documentation:
+
+### File structure
+
+Most repos have a single context:
+
+```
+/
+├── CONTEXT.md
+├── docs/
+│   └── adr/
+│       ├── 0001-event-sourced-orders.md
+│       └── 0002-postgres-for-write-model.md
+└── src/
+```
+
+If a `CONTEXT-MAP.md` exists at the root, the repo has multiple contexts. The map points to where each one lives:
+
+```
+/
+├── CONTEXT-MAP.md
+├── docs/
+│   └── adr/                          ← system-wide decisions
+├── src/
+│   ├── ordering/
+│   │   ├── CONTEXT.md
+│   │   └── docs/adr/                 ← context-specific decisions
+│   └── billing/
+│       ├── CONTEXT.md
+│       └── docs/adr/
+```
+
+Create files lazily — only when you have something to write. If no `CONTEXT.md` exists, create one when the first term is resolved. If no `docs/adr/` exists, create it when the first ADR is needed.
+
+## During the session
+
+### Challenge against the glossary
+
+When the user uses a term that conflicts with the existing language in `CONTEXT.md`, call it out immediately. "Your glossary defines 'cancellation' as X, but you seem to mean Y — which is it?"
+
+### Sharpen fuzzy language
+
+When the user uses vague or overloaded terms, propose a precise canonical term. "You're saying 'account' — do you mean the Customer or the User? Those are different things."
+
+### Discuss concrete scenarios
+
+When domain relationships are being discussed, stress-test them with specific scenarios. Invent scenarios that probe edge cases and force the user to be precise about the boundaries between concepts.
+
+### Cross-reference with code
+
+When the user states how something works, check whether the code agrees. If you find a contradiction, surface it: "Your code cancels entire Orders, but you just said partial cancellation is possible — which is right?"
+
+### Update CONTEXT.md inline
+
+When a term is resolved, update `CONTEXT.md` right there. Don't batch these up — capture them as they happen. Use the format in [CONTEXT-FORMAT.md](./CONTEXT-FORMAT.md).
+
+`CONTEXT.md` should be totally devoid of implementation details. Do not treat `CONTEXT.md` as a spec, a scratch pad, or a repository for implementation decisions. It is a glossary and nothing else.
+
+### Offer ADRs sparingly
+
+Only offer to create an ADR when all three are true:
+
+1. **Hard to reverse** — the cost of changing your mind later is meaningful
+2. **Surprising without context** — a future reader will wonder "why did they do it this way?"
+3. **The result of a real trade-off** — there were genuine alternatives and you picked one for specific reasons
+
+If any of the three is missing, skip the ADR. Use the format in [ADR-FORMAT.md](./ADR-FORMAT.md).
+
+</supporting-info>
diff --git a/scripts/workstation/claude-skills/handoff/SKILL.md b/scripts/workstation/claude-skills/handoff/SKILL.md
new file mode 100644
index 00000000..28bfb3ab
--- /dev/null
+++ b/scripts/workstation/claude-skills/handoff/SKILL.md
@@ -0,0 +1,13 @@
+---
+name: handoff
+description: Compact the current conversation into a handoff document for another agent to pick up.
+argument-hint: "What will the next session be used for?"
+---
+
+Write a handoff document summarising the current conversation so a fresh agent can continue the work. Save it to a path produced by `mktemp -t handoff-XXXXXX.md` (read the file before you write to it).
+
+Suggest the skills to be used, if any, by the next session.
+
+Do not duplicate content already captured in other artifacts (PRDs, plans, ADRs, issues, commits, diffs). Reference them by path or URL instead.
+
+If the user passed arguments, treat them as a description of what the next session will focus on and tailor the doc accordingly.
diff --git a/scripts/workstation/claude-skills/improve-codebase-architecture/DEEPENING.md b/scripts/workstation/claude-skills/improve-codebase-architecture/DEEPENING.md
new file mode 100644
index 00000000..ecaf5d7d
--- /dev/null
+++ b/scripts/workstation/claude-skills/improve-codebase-architecture/DEEPENING.md
@@ -0,0 +1,37 @@
+# Deepening
+
+How to deepen a cluster of shallow modules safely, given its dependencies. Assumes the vocabulary in [LANGUAGE.md](LANGUAGE.md) — **module**, **interface**, **seam**, **adapter**.
+
+## Dependency categories
+
+When assessing a candidate for deepening, classify its dependencies. The category determines how the deepened module is tested across its seam.
+
+### 1. In-process
+
+Pure computation, in-memory state, no I/O. Always deepenable — merge the modules and test through the new interface directly. No adapter needed.
+
+### 2. Local-substitutable
+
+Dependencies that have local test stand-ins (PGLite for Postgres, in-memory filesystem). Deepenable if the stand-in exists. The deepened module is tested with the stand-in running in the test suite. The seam is internal; no port at the module's external interface.
+
+### 3. Remote but owned (Ports & Adapters)
+
+Your own services across a network boundary (microservices, internal APIs). Define a **port** (interface) at the seam. The deep module owns the logic; the transport is injected as an **adapter**. Tests use an in-memory adapter. Production uses an HTTP/gRPC/queue adapter.
+
+Recommendation shape: *"Define a port at the seam, implement an HTTP adapter for production and an in-memory adapter for testing, so the logic sits in one deep module even though it's deployed across a network."*
+
+### 4. True external (Mock)
+
+Third-party services (Stripe, Twilio, etc.) you don't control. The deepened module takes the external dependency as an injected port; tests provide a mock adapter.
+
+## Seam discipline
+
+- **One adapter means a hypothetical seam. Two adapters means a real one.** Don't introduce a port unless at least two adapters are justified (typically production + test). A single-adapter seam is just indirection.
+- **Internal seams vs external seams.** A deep module can have internal seams (private to its implementation, used by its own tests) as well as the external seam at its interface. Don't expose internal seams through the interface just because tests use them.
+
+## Testing strategy: replace, don't layer
+
+- Old unit tests on shallow modules become waste once tests at the deepened module's interface exist — delete them.
+- Write new tests at the deepened module's interface. The **interface is the test surface**.
+- Tests assert on observable outcomes through the interface, not internal state.
+- Tests should survive internal refactors — they describe behaviour, not implementation. If a test has to change when the implementation changes, it's testing past the interface.
diff --git a/scripts/workstation/claude-skills/improve-codebase-architecture/HTML-REPORT.md b/scripts/workstation/claude-skills/improve-codebase-architecture/HTML-REPORT.md
new file mode 100644
index 00000000..8adc368f
--- /dev/null
+++ b/scripts/workstation/claude-skills/improve-codebase-architecture/HTML-REPORT.md
@@ -0,0 +1,123 @@
+# HTML Report Format
+
+The architectural review is rendered as a single self-contained HTML file in the OS temp directory. Tailwind and Mermaid both come from CDNs. Mermaid handles graph-shaped diagrams reliably; hand-built divs and inline SVG handle the more editorial visuals (mass diagrams, cross-sections). Mix the two — don't lean on Mermaid for everything, it'll start to look generic.
+
+## Scaffold
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <title>Architecture review — {{repo name}}</title>
+    <script src="https://cdn.tailwindcss.com"></script>
+    <script type="module">
+      import mermaid from "https://cdn.jsdelivr.net/npm/mermaid@11/dist/mermaid.esm.min.mjs";
+      mermaid.initialize({ startOnLoad: true, theme: "neutral", securityLevel: "loose" });
+    </script>
+    <style>
+      /* small custom layer for things Tailwind doesn't cover cleanly:
+         dashed seam lines, hand-drawn-feeling arrow heads, etc. */
+      .seam { stroke-dasharray: 4 4; }
+      .leak { stroke: #dc2626; }
+      .deep { background: linear-gradient(135deg, #0f172a, #1e293b); }
+    </style>
+  </head>
+  <body class="bg-stone-50 text-slate-900 font-sans">
+    <main class="max-w-5xl mx-auto px-6 py-12 space-y-12">
+      <header>...</header>
+      <section id="candidates" class="space-y-10">...</section>
+      <section id="top-recommendation">...</section>
+    </main>
+  </body>
+</html>
+```
+
+## Header
+
+Repo name, date, and a compact legend: solid box = module, dashed line = seam, red arrow = leakage, thick dark box = deep module. No introduction paragraph — straight into the candidates.
+
+## Candidate card
+
+The diagrams carry the weight. Prose is sparse, plain, and uses the glossary terms ([LANGUAGE.md](LANGUAGE.md)) without ceremony.
+
+Each candidate is one `<article>`:
+
+- **Title** — short, names the deepening (e.g. "Collapse the Order intake pipeline").
+- **Badge row** — recommendation strength (`Strong` = emerald, `Worth exploring` = amber, `Speculative` = slate), plus a tag for the dependency category (`in-process`, `local-substitutable`, `ports & adapters`, `mock`).
+- **Files** — monospaced list, `font-mono text-sm`.
+- **Before / After diagram** — the centrepiece. Two columns, side by side. See patterns below.
+- **Problem** — one sentence. What hurts.
+- **Solution** — one sentence. What changes.
+- **Wins** — bullets, ≤6 words each. e.g. "Tests hit one interface", "Pricing logic stops leaking", "Delete 4 shallow wrappers".
+- **ADR callout** (if applicable) — one line in an amber-tinted box.
+
+No paragraphs of explanation. If the diagram needs a paragraph to be understood, redraw the diagram.
+
+## Diagram patterns
+
+Pick the pattern that fits the candidate. Mix them. Don't make every diagram look the same — variety is part of the point.
+
+### Mermaid graph (the workhorse for dependencies / call flow)
+
+Use a Mermaid `flowchart` or `graph` when the point is "X calls Y calls Z, and look at the mess." Wrap it in a Tailwind-styled card so it doesn't feel parachuted in. Style with classDef to colour leakage edges red and the deep module dark. Sequence diagrams work well for "before: 6 round-trips; after: 1."
+
+```html
+<div class="rounded-lg border border-slate-200 bg-white p-4">
+  <pre class="mermaid">
+    flowchart LR
+      A[OrderHandler] --> B[OrderValidator]
+      B --> C[OrderRepo]
+      C -.leak.-> D[PricingClient]
+      classDef leak stroke:#dc2626,stroke-width:2px;
+      class C,D leak
+  </pre>
+</div>
+```
+
+### Hand-built boxes-and-arrows (when Mermaid's layout fights you)
+
+Modules as `<div>`s with borders and labels. Arrows as inline SVG `<line>` or `<path>` elements positioned absolutely over a relative container. Reach for this when you want the "after" diagram to feel like one thick-bordered deep module with greyed-out internals — Mermaid won't render that with the right weight.
+
+### Cross-section (good for layered shallowness)
+
+Stack horizontal bands (`h-12 border-l-4`) to show layers a call passes through. Before: 6 thin layers each doing nothing. After: 1 thick band labelled with the consolidated responsibility.
+
+### Mass diagram (good for "interface as wide as implementation")
+
+Two rectangles per module — one for interface surface area, one for implementation. Before: interface rectangle is nearly as tall as the implementation rectangle (shallow). After: interface rectangle is short, implementation rectangle is tall (deep).
+
+### Call-graph collapse
+
+Before: a tree of function calls rendered as nested boxes. After: the same tree collapsed into one box, with the now-internal calls shown faded inside it.
+
+## Style guidance
+
+- Lean editorial, not corporate-dashboard. Generous whitespace. Serif optional for headings (`font-serif` works well with stone/slate).
+- Colour sparingly: one accent (emerald or indigo) plus red for leakage and amber for warnings.
+- Keep diagrams ~320px tall so before/after sits comfortably side by side without scrolling.
+- Use `text-xs uppercase tracking-wider` for module labels inside diagrams — they should read as schematic, not as UI.
+- The only scripts are the Tailwind CDN and the Mermaid ESM import. The report is otherwise static — no app code, no interactivity beyond Mermaid's own rendering.
+
+## Top recommendation section
+
+One larger card. Candidate name, one sentence on why, anchor link to its card. That's it.
+
+## Tone
+
+Plain English, concise — but the architectural nouns and verbs come straight from [LANGUAGE.md](LANGUAGE.md). Concision is not an excuse to drift.
+
+**Use exactly:** module, interface, implementation, depth, deep, shallow, seam, adapter, leverage, locality.
+
+**Never substitute:** component, service, unit (for module) · API, signature (for interface) · boundary (for seam) · layer, wrapper (for module, when you mean module).
+
+**Phrasings that fit the style:**
+
+- "Order intake module is shallow — interface nearly matches the implementation."
+- "Pricing leaks across the seam."
+- "Deepen: one interface, one place to test."
+- "Two adapters justify the seam: HTTP in prod, in-memory in tests."
+
+**Wins bullets** name the gain in glossary terms: *"locality: bugs concentrate in one module"*, *"leverage: one interface, N call sites"*, *"interface shrinks; implementation absorbs the wrappers"*. Don't write *"easier to maintain"* or *"cleaner code"* — those terms aren't in the glossary and don't earn their place.
+
+No hedging, no throat-clearing, no "it's worth noting that…". If a sentence could be a bullet, make it a bullet. If a bullet could be cut, cut it. If a term isn't in [LANGUAGE.md](LANGUAGE.md), reach for one that is before inventing a new one.
diff --git a/scripts/workstation/claude-skills/improve-codebase-architecture/INTERFACE-DESIGN.md b/scripts/workstation/claude-skills/improve-codebase-architecture/INTERFACE-DESIGN.md
new file mode 100644
index 00000000..3197723a
--- /dev/null
+++ b/scripts/workstation/claude-skills/improve-codebase-architecture/INTERFACE-DESIGN.md
@@ -0,0 +1,44 @@
+# Interface Design
+
+When the user wants to explore alternative interfaces for a chosen deepening candidate, use this parallel sub-agent pattern. Based on "Design It Twice" (Ousterhout) — your first idea is unlikely to be the best.
+
+Uses the vocabulary in [LANGUAGE.md](LANGUAGE.md) — **module**, **interface**, **seam**, **adapter**, **leverage**.
+
+## Process
+
+### 1. Frame the problem space
+
+Before spawning sub-agents, write a user-facing explanation of the problem space for the chosen candidate:
+
+- The constraints any new interface would need to satisfy
+- The dependencies it would rely on, and which category they fall into (see [DEEPENING.md](DEEPENING.md))
+- A rough illustrative code sketch to ground the constraints — not a proposal, just a way to make the constraints concrete
+
+Show this to the user, then immediately proceed to Step 2. The user reads and thinks while the sub-agents work in parallel.
+
+### 2. Spawn sub-agents
+
+Spawn 3+ sub-agents in parallel using the Agent tool. Each must produce a **radically different** interface for the deepened module.
+
+Prompt each sub-agent with a separate technical brief (file paths, coupling details, dependency category from [DEEPENING.md](DEEPENING.md), what sits behind the seam). The brief is independent of the user-facing problem-space explanation in Step 1. Give each agent a different design constraint:
+
+- Agent 1: "Minimize the interface — aim for 1–3 entry points max. Maximise leverage per entry point."
+- Agent 2: "Maximise flexibility — support many use cases and extension."
+- Agent 3: "Optimise for the most common caller — make the default case trivial."
+- Agent 4 (if applicable): "Design around ports & adapters for cross-seam dependencies."
+
+Include both [LANGUAGE.md](LANGUAGE.md) vocabulary and CONTEXT.md vocabulary in the brief so each sub-agent names things consistently with the architecture language and the project's domain language.
+
+Each sub-agent outputs:
+
+1. Interface (types, methods, params — plus invariants, ordering, error modes)
+2. Usage example showing how callers use it
+3. What the implementation hides behind the seam
+4. Dependency strategy and adapters (see [DEEPENING.md](DEEPENING.md))
+5. Trade-offs — where leverage is high, where it's thin
+
+### 3. Present and compare
+
+Present designs sequentially so the user can absorb each one, then compare them in prose. Contrast by **depth** (leverage at the interface), **locality** (where change concentrates), and **seam placement**.
+
+After comparing, give your own recommendation: which design you think is strongest and why. If elements from different designs would combine well, propose a hybrid. Be opinionated — the user wants a strong read, not a menu.
diff --git a/scripts/workstation/claude-skills/improve-codebase-architecture/LANGUAGE.md b/scripts/workstation/claude-skills/improve-codebase-architecture/LANGUAGE.md
new file mode 100644
index 00000000..530c2763
--- /dev/null
+++ b/scripts/workstation/claude-skills/improve-codebase-architecture/LANGUAGE.md
@@ -0,0 +1,53 @@
+# Language
+
+Shared vocabulary for every suggestion this skill makes. Use these terms exactly — don't substitute "component," "service," "API," or "boundary." Consistent language is the whole point.
+
+## Terms
+
+**Module**
+Anything with an interface and an implementation. Deliberately scale-agnostic — applies equally to a function, class, package, or tier-spanning slice.
+_Avoid_: unit, component, service.
+
+**Interface**
+Everything a caller must know to use the module correctly. Includes the type signature, but also invariants, ordering constraints, error modes, required configuration, and performance characteristics.
+_Avoid_: API, signature (too narrow — those refer only to the type-level surface).
+
+**Implementation**
+What's inside a module — its body of code. Distinct from **Adapter**: a thing can be a small adapter with a large implementation (a Postgres repo) or a large adapter with a small implementation (an in-memory fake). Reach for "adapter" when the seam is the topic; "implementation" otherwise.
+
+**Depth**
+Leverage at the interface — the amount of behaviour a caller (or test) can exercise per unit of interface they have to learn. A module is **deep** when a large amount of behaviour sits behind a small interface. A module is **shallow** when the interface is nearly as complex as the implementation.
+
+**Seam** _(from Michael Feathers)_
+A place where you can alter behaviour without editing in that place. The *location* at which a module's interface lives. Choosing where to put the seam is its own design decision, distinct from what goes behind it.
+_Avoid_: boundary (overloaded with DDD's bounded context).
+
+**Adapter**
+A concrete thing that satisfies an interface at a seam. Describes *role* (what slot it fills), not substance (what's inside).
+
+**Leverage**
+What callers get from depth. More capability per unit of interface they have to learn. One implementation pays back across N call sites and M tests.
+
+**Locality**
+What maintainers get from depth. Change, bugs, knowledge, and verification concentrate at one place rather than spreading across callers. Fix once, fixed everywhere.
+
+## Principles
+
+- **Depth is a property of the interface, not the implementation.** A deep module can be internally composed of small, mockable, swappable parts — they just aren't part of the interface. A module can have **internal seams** (private to its implementation, used by its own tests) as well as the **external seam** at its interface.
+- **The deletion test.** Imagine deleting the module. If complexity vanishes, the module wasn't hiding anything (it was a pass-through). If complexity reappears across N callers, the module was earning its keep.
+- **The interface is the test surface.** Callers and tests cross the same seam. If you want to test *past* the interface, the module is probably the wrong shape.
+- **One adapter means a hypothetical seam. Two adapters means a real one.** Don't introduce a seam unless something actually varies across it.
+
+## Relationships
+
+- A **Module** has exactly one **Interface** (the surface it presents to callers and tests).
+- **Depth** is a property of a **Module**, measured against its **Interface**.
+- A **Seam** is where a **Module**'s **Interface** lives.
+- An **Adapter** sits at a **Seam** and satisfies the **Interface**.
+- **Depth** produces **Leverage** for callers and **Locality** for maintainers.
+
+## Rejected framings
+
+- **Depth as ratio of implementation-lines to interface-lines** (Ousterhout): rewards padding the implementation. We use depth-as-leverage instead.
+- **"Interface" as the TypeScript `interface` keyword or a class's public methods**: too narrow — interface here includes every fact a caller must know.
+- **"Boundary"**: overloaded with DDD's bounded context. Say **seam** or **interface**.
diff --git a/scripts/workstation/claude-skills/improve-codebase-architecture/SKILL.md b/scripts/workstation/claude-skills/improve-codebase-architecture/SKILL.md
new file mode 100644
index 00000000..c12b263b
--- /dev/null
+++ b/scripts/workstation/claude-skills/improve-codebase-architecture/SKILL.md
@@ -0,0 +1,81 @@
+---
+name: improve-codebase-architecture
+description: Find deepening opportunities in a codebase, informed by the domain language in CONTEXT.md and the decisions in docs/adr/. Use when the user wants to improve architecture, find refactoring opportunities, consolidate tightly-coupled modules, or make a codebase more testable and AI-navigable.
+---
+
+# Improve Codebase Architecture
+
+Surface architectural friction and propose **deepening opportunities** — refactors that turn shallow modules into deep ones. The aim is testability and AI-navigability.
+
+## Glossary
+
+Use these terms exactly in every suggestion. Consistent language is the point — don't drift into "component," "service," "API," or "boundary." Full definitions in [LANGUAGE.md](LANGUAGE.md).
+
+- **Module** — anything with an interface and an implementation (function, class, package, slice).
+- **Interface** — everything a caller must know to use the module: types, invariants, error modes, ordering, config. Not just the type signature.
+- **Implementation** — the code inside.
+- **Depth** — leverage at the interface: a lot of behaviour behind a small interface. **Deep** = high leverage. **Shallow** = interface nearly as complex as the implementation.
+- **Seam** — where an interface lives; a place behaviour can be altered without editing in place. (Use this, not "boundary.")
+- **Adapter** — a concrete thing satisfying an interface at a seam.
+- **Leverage** — what callers get from depth.
+- **Locality** — what maintainers get from depth: change, bugs, knowledge concentrated in one place.
+
+Key principles (see [LANGUAGE.md](LANGUAGE.md) for the full list):
+
+- **Deletion test**: imagine deleting the module. If complexity vanishes, it was a pass-through. If complexity reappears across N callers, it was earning its keep.
+- **The interface is the test surface.**
+- **One adapter = hypothetical seam. Two adapters = real seam.**
+
+This skill is _informed_ by the project's domain model. The domain language gives names to good seams; ADRs record decisions the skill should not re-litigate.
+
+## Process
+
+### 1. Explore
+
+Read the project's domain glossary and any ADRs in the area you're touching first.
+
+Then use the Agent tool with `subagent_type=Explore` to walk the codebase. Don't follow rigid heuristics — explore organically and note where you experience friction:
+
+- Where does understanding one concept require bouncing between many small modules?
+- Where are modules **shallow** — interface nearly as complex as the implementation?
+- Where have pure functions been extracted just for testability, but the real bugs hide in how they're called (no **locality**)?
+- Where do tightly-coupled modules leak across their seams?
+- Which parts of the codebase are untested, or hard to test through their current interface?
+
+Apply the **deletion test** to anything you suspect is shallow: would deleting it concentrate complexity, or just move it? A "yes, concentrates" is the signal you want.
+
+### 2. Present candidates as an HTML report
+
+Write a self-contained HTML file to the OS temp directory so nothing lands in the repo. Resolve the temp dir from `$TMPDIR`, falling back to `/tmp` (or `%TEMP%` on Windows), and write to `<tmpdir>/architecture-review-<timestamp>.html` so each run gets a fresh file. Open it for the user — `xdg-open <path>` on Linux, `open <path>` on macOS, `start <path>` on Windows — and tell them the absolute path.
+
+The report uses **Tailwind via CDN** for layout and styling, and **Mermaid via CDN** for diagrams where a graph/flow/sequence reliably communicates the structure. Mix Mermaid with hand-crafted CSS/SVG visuals — use Mermaid when relationships are graph-shaped (call graphs, dependencies, sequences), and hand-built divs/SVG when you want something more editorial (mass diagrams, cross-sections, collapse animations). Each candidate gets a **before/after visualisation**. Be visual.
+
+For each candidate, the same template as before, but rendered as a card:
+
+- **Files** — which files/modules are involved
+- **Problem** — why the current architecture is causing friction
+- **Solution** — plain English description of what would change
+- **Benefits** — explained in terms of locality and leverage, and how tests would improve
+- **Before / After diagram** — side-by-side, custom-drawn, illustrating the shallowness and the deepening
+- **Recommendation strength** — one of `Strong`, `Worth exploring`, `Speculative`, rendered as a badge
+
+End the report with a **Top recommendation** section: which candidate you'd tackle first and why.
+
+**Use CONTEXT.md vocabulary for the domain, and [LANGUAGE.md](LANGUAGE.md) vocabulary for the architecture.** If `CONTEXT.md` defines "Order," talk about "the Order intake module" — not "the FooBarHandler," and not "the Order service."
+
+**ADR conflicts**: if a candidate contradicts an existing ADR, only surface it when the friction is real enough to warrant revisiting the ADR. Mark it clearly in the card (e.g. a warning callout: _"contradicts ADR-0007 — but worth reopening because…"_). Don't list every theoretical refactor an ADR forbids.
+
+See [HTML-REPORT.md](HTML-REPORT.md) for the full HTML scaffold, diagram patterns, and styling guidance.
+
+Do NOT propose interfaces yet. After the file is written, ask the user: "Which of these would you like to explore?"
+
+### 3. Grilling loop
+
+Once the user picks a candidate, drop into a grilling conversation. Walk the design tree with them — constraints, dependencies, the shape of the deepened module, what sits behind the seam, what tests survive.
+
+Side effects happen inline as decisions crystallize:
+
+- **Naming a deepened module after a concept not in `CONTEXT.md`?** Add the term to `CONTEXT.md` — same discipline as `/grill-with-docs` (see [CONTEXT-FORMAT.md](../grill-with-docs/CONTEXT-FORMAT.md)). Create the file lazily if it doesn't exist.
+- **Sharpening a fuzzy term during the conversation?** Update `CONTEXT.md` right there.
+- **User rejects the candidate with a load-bearing reason?** Offer an ADR, framed as: _"Want me to record this as an ADR so future architecture reviews don't re-suggest it?"_ Only offer when the reason would actually be needed by a future explorer to avoid re-suggesting the same thing — skip ephemeral reasons ("not worth it right now") and self-evident ones. See [ADR-FORMAT.md](../grill-with-docs/ADR-FORMAT.md).
+- **Want to explore alternative interfaces for the deepened module?** See [INTERFACE-DESIGN.md](INTERFACE-DESIGN.md).
diff --git a/scripts/workstation/claude-skills/prototype/LOGIC.md b/scripts/workstation/claude-skills/prototype/LOGIC.md
new file mode 100644
index 00000000..526ecb18
--- /dev/null
+++ b/scripts/workstation/claude-skills/prototype/LOGIC.md
@@ -0,0 +1,79 @@
+# Logic Prototype
+
+A tiny interactive terminal app that lets the user drive a state model by hand. Use this when the question is about **business logic, state transitions, or data shape** — the kind of thing that looks reasonable on paper but only feels wrong once you push it through real cases.
+
+## When this is the right shape
+
+- "I'm not sure if this state machine handles the edge case where X then Y."
+- "Does this data model actually let me represent the case where..."
+- "I want to feel out what the API should look like before writing it."
+- Anything where the user wants to **press buttons and watch state change**.
+
+If the question is "what should this look like" — wrong branch. Use [UI.md](UI.md).
+
+## Process
+
+### 1. State the question
+
+Before writing code, write down what state model and what question you're prototyping. One paragraph, in the prototype's README or a comment at the top of the file. A logic prototype that answers the wrong question is pure waste — make the question explicit so it can be checked later, whether the user is watching now or returning to it AFK.
+
+### 2. Pick the language
+
+Use whatever the host project uses. If the project has no obvious runtime (e.g. a docs repo), ask.
+
+Match the project's existing conventions for tooling — don't add a new package manager or runtime just for the prototype.
+
+### 3. Isolate the logic in a portable module
+
+Put the actual logic — the bit that's answering the question — behind a small, pure interface that could be lifted out and dropped into the real codebase later. The TUI around it is throwaway; the logic module shouldn't be.
+
+The right shape depends on the question:
+
+- **A pure reducer** — `(state, action) => state`. Good when actions are discrete events and state is a single value.
+- **A state machine** — explicit states and transitions. Good when "which actions are even legal right now" is part of the question.
+- **A small set of pure functions** over a plain data type. Good when there's no implicit current state — just transformations.
+- **A class or module with a clear method surface** when the logic genuinely owns ongoing internal state.
+
+Pick whichever shape best fits the question being asked, *not* whichever is easiest to wire to a TUI. Keep it pure: no I/O, no terminal code, no `console.log` for control flow. The TUI imports it and calls into it; nothing flows the other direction.
+
+This is what makes the prototype useful past its own lifetime. When the question's been answered, the validated reducer / machine / function set can be lifted into the real module — the TUI shell gets deleted.
+
+### 4. Build the smallest TUI that exposes the state
+
+Build it as a **lightweight TUI** — on every tick, clear the screen (`console.clear()` / `print("\033[2J\033[H")` / equivalent) and re-render the whole frame. The user should always see one stable view, not an ever-growing scrollback.
+
+Each frame has two parts, in this order:
+
+1. **Current state**, pretty-printed and diff-friendly (one field per line, or formatted JSON). Use **bold** for field names or section headers and **dim** for less important context (timestamps, IDs, derived values). Native ANSI escape codes are fine — `\x1b[1m` bold, `\x1b[2m` dim, `\x1b[0m` reset. No need to pull in a styling library unless one is already in the project.
+2. **Keyboard shortcuts**, listed at the bottom: `[a] add user  [d] delete user  [t] tick clock  [q] quit`. Bold the key, dim the description, or vice-versa — whatever reads cleanly.
+
+Behaviour:
+
+1. **Initialise state** — a single in-memory object/struct. Render the first frame on start.
+2. **Read one keystroke (or one line)** at a time, dispatch to a handler that mutates state.
+3. **Re-render** the full frame after every action — don't append, replace.
+4. **Loop until quit.**
+
+The whole frame should fit on one screen.
+
+### 5. Make it runnable in one command
+
+Add a script to the project's existing task runner (`package.json` scripts, `Makefile`, `justfile`, `pyproject.toml`). The user should run `pnpm run <prototype-name>` or equivalent — never need to remember a path.
+
+If the host project has no task runner, just put the command at the top of the prototype's README.
+
+### 6. Hand it over
+
+Give the user the run command. They'll drive it themselves; the interesting moments are when they say "wait, that shouldn't be possible" or "huh, I assumed X would be different" — those are the bugs in the _idea_, which is the whole point. If they want new actions added, add them. Prototypes evolve.
+
+### 7. Capture the answer
+
+When the prototype has done its job, the answer to the question is the only thing worth keeping. If the user is around, ask what it taught them. If not, leave a `NOTES.md` next to the prototype so the answer can be filled in (or filled in by you, if you've watched the session) before the prototype gets deleted.
+
+## Anti-patterns
+
+- **Don't add tests.** A prototype that needs tests is no longer a prototype.
+- **Don't wire it to the real database.** Use an in-memory store unless the question is specifically about persistence.
+- **Don't generalise.** No "what if we wanted to support X later." The prototype answers one question.
+- **Don't blur the logic and the TUI together.** If the reducer / state machine references `console.log`, prompts, or terminal escape codes, it's no longer portable. Keep the TUI as a thin shell over a pure module.
+- **Don't ship the TUI shell into production.** The shell is optimised for being driven by hand from a terminal. The logic module behind it is the bit worth keeping.
diff --git a/scripts/workstation/claude-skills/prototype/SKILL.md b/scripts/workstation/claude-skills/prototype/SKILL.md
new file mode 100644
index 00000000..64f3e611
--- /dev/null
+++ b/scripts/workstation/claude-skills/prototype/SKILL.md
@@ -0,0 +1,30 @@
+---
+name: prototype
+description: Build a throwaway prototype to flesh out a design before committing to it. Routes between two branches — a runnable terminal app for state/business-logic questions, or several radically different UI variations toggleable from one route. Use when the user wants to prototype, sanity-check a data model or state machine, mock up a UI, explore design options, or says "prototype this", "let me play with it", "try a few designs".
+---
+
+# Prototype
+
+A prototype is **throwaway code that answers a question**. The question decides the shape.
+
+## Pick a branch
+
+Identify which question is being answered — from the user's prompt, the surrounding code, or by asking if the user is around:
+
+- **"Does this logic / state model feel right?"** → [LOGIC.md](LOGIC.md). Build a tiny interactive terminal app that pushes the state machine through cases that are hard to reason about on paper.
+- **"What should this look like?"** → [UI.md](UI.md). Generate several radically different UI variations on a single route, switchable via a URL search param and a floating bottom bar.
+
+The two branches produce very different artifacts — getting this wrong wastes the whole prototype. If the question is genuinely ambiguous and the user isn't reachable, default to whichever branch better matches the surrounding code (a backend module → logic; a page or component → UI) and state the assumption at the top of the prototype.
+
+## Rules that apply to both
+
+1. **Throwaway from day one, and clearly marked as such.** Locate the prototype code close to where it will actually be used (next to the module or page it's prototyping for) so context is obvious — but name it so a casual reader can see it's a prototype, not production. For throwaway UI routes, obey whatever routing convention the project already uses; don't invent a new top-level structure.
+2. **One command to run.** Whatever the project's existing task runner supports — `pnpm <name>`, `python <path>`, `bun <path>`, etc. The user must be able to start it without thinking.
+3. **No persistence by default.** State lives in memory. Persistence is the thing the prototype is _checking_, not something it should depend on. If the question explicitly involves a database, hit a scratch DB or a local file with a clear "PROTOTYPE — wipe me" name.
+4. **Skip the polish.** No tests, no error handling beyond what makes the prototype _runnable_, no abstractions. The point is to learn something fast and then delete it.
+5. **Surface the state.** After every action (logic) or on every variant switch (UI), print or render the full relevant state so the user can see what changed.
+6. **Delete or absorb when done.** When the prototype has answered its question, either delete it or fold the validated decision into the real code — don't leave it rotting in the repo.
+
+## When done
+
+The _answer_ is the only thing worth keeping from a prototype. Capture it somewhere durable (commit message, ADR, issue, or a `NOTES.md` next to the prototype) along with the question it was answering. If the user is around, that capture is a quick conversation; if not, leave the placeholder so they (or you, on the next pass) can fill in the verdict before deleting the prototype.
diff --git a/scripts/workstation/claude-skills/prototype/UI.md b/scripts/workstation/claude-skills/prototype/UI.md
new file mode 100644
index 00000000..f3b6e640
--- /dev/null
+++ b/scripts/workstation/claude-skills/prototype/UI.md
@@ -0,0 +1,112 @@
+# UI Prototype
+
+Generate **several radically different UI variations** on a single route, switchable from a floating bottom bar. The user flips between variants in the browser, picks one (or steals bits from each), then throws the rest away.
+
+If the question is about logic/state rather than what something looks like — wrong branch. Use [LOGIC.md](LOGIC.md).
+
+## When this is the right shape
+
+- "What should this page look like?"
+- "I want to see a few options for this dashboard before committing."
+- "Try a different layout for the settings screen."
+- Any time the user would otherwise spend a day picking between three vague mockups in their head.
+
+## Two sub-shapes — strongly prefer sub-shape A
+
+A UI prototype is much easier to judge when it's **butting up against the rest of the app** — real header, real sidebar, real data, real density. A throwaway route on its own is a vacuum: every variant looks fine in isolation. Default to sub-shape A whenever there's a plausible existing page to host the variants. Only reach for sub-shape B if the prototype genuinely has no nearby home.
+
+### Sub-shape A — adjustment to an existing page (preferred)
+
+The route already exists. Variants are rendered **on the same route**, gated by a `?variant=` URL search param. The existing data fetching, params, and auth all stay — only the rendering swaps. This is the default; pick it unless there's a specific reason not to.
+
+If the prototype is for something that doesn't yet have a page but *would naturally live inside one* (a new section of the dashboard, a new card on the settings screen, a new step in an existing flow) — that's still sub-shape A. Mount the variants inside the host page.
+
+### Sub-shape B — a new page (last resort)
+
+Only use this when the thing being prototyped genuinely has no existing page to live inside — e.g. an entirely new top-level surface, or a flow that can't be embedded anywhere sensible.
+
+Create a **throwaway route** following whatever routing convention the project already uses — don't invent a new top-level structure. Name it so it's obviously a prototype (e.g. include the word `prototype` in the path or filename). Same `?variant=` pattern.
+
+Before committing to sub-shape B, sanity-check: is there really no existing page this could be embedded in? An empty route hides design problems that a populated one would expose.
+
+In both sub-shapes the floating bottom bar is identical.
+
+## Process
+
+### 1. State the question and pick N
+
+Default to **3 variants**. More than 5 stops being radically different and starts being noise — cap there.
+
+Write down the plan in one line, in the prototype's location or a top-of-file comment:
+
+> "Three variants of the settings page, switchable via `?variant=`, on the existing `/settings` route."
+
+This works whether the user is here to push back or not.
+
+### 2. Generate radically different variants
+
+Draft each variant. Hold each one to:
+
+- The page's purpose and the data it has access to.
+- The project's component library / styling system (TailwindCSS, shadcn, MUI, plain CSS, whatever).
+- A clear exported component name, e.g. `VariantA`, `VariantB`, `VariantC`.
+
+Variants must be **structurally different** — different layout, different information hierarchy, different primary affordance, not just different colours. Three slightly-tweaked card grids isn't a UI prototype, it's wallpaper. If two drafts come out too similar, redo one with explicit "do not use a card grid" guidance.
+
+### 3. Wire them together
+
+Create a single switcher component on the route:
+
+```tsx
+// pseudo-code — adapt to the project's framework
+const variant = searchParams.get('variant') ?? 'A';
+return (
+  <>
+    {variant === 'A' && <VariantA {...data} />}
+    {variant === 'B' && <VariantB {...data} />}
+    {variant === 'C' && <VariantC {...data} />}
+    <PrototypeSwitcher variants={['A','B','C']} current={variant} />
+  </>
+);
+```
+
+For sub-shape A (existing page): keep all the existing data fetching above the switcher; only the rendered subtree changes per variant.
+
+For sub-shape B (new page): the throwaway route under `/prototype/<name>` mounts the same switcher.
+
+### 4. Build the floating switcher
+
+A small fixed-position bar at the bottom-centre of the screen with three pieces:
+
+- **Left arrow** — cycles to the previous variant (wraps around).
+- **Variant label** — shows the current variant key and, if the variant exports a name, that name too. e.g. `B — Sidebar layout`.
+- **Right arrow** — cycles forward (wraps around).
+
+Behaviour:
+
+- Clicking an arrow updates the URL search param (use the framework's router — `router.replace` on Next, `navigate` on React Router, etc) so the variant is shareable and reload-stable.
+- Keyboard: `←` and `→` arrow keys also cycle. Don't intercept arrow keys when an `<input>`, `<textarea>`, or `[contenteditable]` is focused.
+- Visually distinct from the page (e.g. high-contrast pill, subtle shadow) so it's obviously not part of the design being evaluated.
+- Hidden in production builds — gate on `process.env.NODE_ENV !== 'production'` or an equivalent check, so a stray prototype merge can't ship the bar to users.
+
+Put the switcher in a single shared component so both sub-shapes can reuse it. Locate it wherever shared UI lives in the project.
+
+### 5. Hand it over
+
+Surface the URL (and the `?variant=` keys). The user will flip through whenever they get to it. The interesting feedback is usually **"I want the header from B with the sidebar from C"** — that's the actual design they want.
+
+### 6. Capture the answer and clean up
+
+Once a variant has won, write down which one and why (commit message, ADR, issue, or a `NOTES.md` next to the prototype if running AFK and the user hasn't responded yet). Then:
+
+- **Sub-shape A** — delete the losing variants and the switcher; fold the winner into the existing page.
+- **Sub-shape B** — promote the winning variant to a real route, delete the throwaway route and the switcher.
+
+Don't leave variant components or the switcher lying around. They rot fast and confuse the next reader.
+
+## Anti-patterns
+
+- **Variants that differ only in colour or copy.** That's a tweak, not a prototype. Real variants disagree about structure.
+- **Sharing too much code between variants.** A shared `<Header>` is fine; a shared `<Layout>` defeats the point. Each variant should be free to throw out the layout.
+- **Wiring variants to real mutations.** Read-only prototypes are fine. If a variant needs to mutate, point it at a stub — the question is "what should this look like", not "does the backend work".
+- **Promoting the prototype directly to production.** The variant code was written under prototype constraints (no tests, minimal error handling). Rewrite it properly when you fold it in.
diff --git a/scripts/workstation/claude-skills/setup-matt-pocock-skills/SKILL.md b/scripts/workstation/claude-skills/setup-matt-pocock-skills/SKILL.md
new file mode 100644
index 00000000..1ebc6e14
--- /dev/null
+++ b/scripts/workstation/claude-skills/setup-matt-pocock-skills/SKILL.md
@@ -0,0 +1,121 @@
+---
+name: setup-matt-pocock-skills
+description: Sets up an `## Agent skills` block in AGENTS.md/CLAUDE.md and `docs/agents/` so the engineering skills know this repo's issue tracker (GitHub or local markdown), triage label vocabulary, and domain doc layout. Run before first use of `to-issues`, `to-prd`, `triage`, `diagnose`, `tdd`, `improve-codebase-architecture`, or `zoom-out` — or if those skills appear to be missing context about the issue tracker, triage labels, or domain docs.
+disable-model-invocation: true
+---
+
+# Setup Matt Pocock's Skills
+
+Scaffold the per-repo configuration that the engineering skills assume:
+
+- **Issue tracker** — where issues live (GitHub by default; local markdown is also supported out of the box)
+- **Triage labels** — the strings used for the five canonical triage roles
+- **Domain docs** — where `CONTEXT.md` and ADRs live, and the consumer rules for reading them
+
+This is a prompt-driven skill, not a deterministic script. Explore, present what you found, confirm with the user, then write.
+
+## Process
+
+### 1. Explore
+
+Look at the current repo to understand its starting state. Read whatever exists; don't assume:
+
+- `git remote -v` and `.git/config` — is this a GitHub repo? Which one?
+- `AGENTS.md` and `CLAUDE.md` at the repo root — does either exist? Is there already an `## Agent skills` section in either?
+- `CONTEXT.md` and `CONTEXT-MAP.md` at the repo root
+- `docs/adr/` and any `src/*/docs/adr/` directories
+- `docs/agents/` — does this skill's prior output already exist?
+- `.scratch/` — sign that a local-markdown issue tracker convention is already in use
+
+### 2. Present findings and ask
+
+Summarise what's present and what's missing. Then walk the user through the three decisions **one at a time** — present a section, get the user's answer, then move to the next. Don't dump all three at once.
+
+Assume the user does not know what these terms mean. Each section starts with a short explainer (what it is, why these skills need it, what changes if they pick differently). Then show the choices and the default.
+
+**Section A — Issue tracker.**
+
+> Explainer: The "issue tracker" is where issues live for this repo. Skills like `to-issues`, `triage`, `to-prd`, and `qa` read from and write to it — they need to know whether to call `gh issue create`, write a markdown file under `.scratch/`, or follow some other workflow you describe. Pick the place you actually track work for this repo.
+
+Default posture: these skills were designed for GitHub. If a `git remote` points at GitHub, propose that. If a `git remote` points at GitLab (`gitlab.com` or a self-hosted host), propose GitLab. Otherwise (or if the user prefers), offer:
+
+- **GitHub** — issues live in the repo's GitHub Issues (uses the `gh` CLI)
+- **GitLab** — issues live in the repo's GitLab Issues (uses the [`glab`](https://gitlab.com/gitlab-org/cli) CLI)
+- **Local markdown** — issues live as files under `.scratch/<feature>/` in this repo (good for solo projects or repos without a remote)
+- **Other** (Jira, Linear, etc.) — ask the user to describe the workflow in one paragraph; the skill will record it as freeform prose
+
+**Section B — Triage label vocabulary.**
+
+> Explainer: When the `triage` skill processes an incoming issue, it moves it through a state machine — needs evaluation, waiting on reporter, ready for an AFK agent to pick up, ready for a human, or won't fix. To do that, it needs to apply labels (or the equivalent in your issue tracker) that match strings *you've actually configured*. If your repo already uses different label names (e.g. `bug:triage` instead of `needs-triage`), map them here so the skill applies the right ones instead of creating duplicates.
+
+The five canonical roles:
+
+- `needs-triage` — maintainer needs to evaluate
+- `needs-info` — waiting on reporter
+- `ready-for-agent` — fully specified, AFK-ready (an agent can pick it up with no human context)
+- `ready-for-human` — needs human implementation
+- `wontfix` — will not be actioned
+
+Default: each role's string equals its name. Ask the user if they want to override any. If their issue tracker has no existing labels, the defaults are fine.
+
+**Section C — Domain docs.**
+
+> Explainer: Some skills (`improve-codebase-architecture`, `diagnose`, `tdd`) read a `CONTEXT.md` file to learn the project's domain language, and `docs/adr/` for past architectural decisions. They need to know whether the repo has one global context or multiple (e.g. a monorepo with separate frontend/backend contexts) so they look in the right place.
+
+Confirm the layout:
+
+- **Single-context** — one `CONTEXT.md` + `docs/adr/` at the repo root. Most repos are this.
+- **Multi-context** — `CONTEXT-MAP.md` at the root pointing to per-context `CONTEXT.md` files (typically a monorepo).
+
+### 3. Confirm and edit
+
+Show the user a draft of:
+
+- The `## Agent skills` block to add to whichever of `CLAUDE.md` / `AGENTS.md` is being edited (see step 4 for selection rules)
+- The contents of `docs/agents/issue-tracker.md`, `docs/agents/triage-labels.md`, `docs/agents/domain.md`
+
+Let them edit before writing.
+
+### 4. Write
+
+**Pick the file to edit:**
+
+- If `CLAUDE.md` exists, edit it.
+- Else if `AGENTS.md` exists, edit it.
+- If neither exists, ask the user which one to create — don't pick for them.
+
+Never create `AGENTS.md` when `CLAUDE.md` already exists (or vice versa) — always edit the one that's already there.
+
+If an `## Agent skills` block already exists in the chosen file, update its contents in-place rather than appending a duplicate. Don't overwrite user edits to the surrounding sections.
+
+The block:
+
+```markdown
+## Agent skills
+
+### Issue tracker
+
+[one-line summary of where issues are tracked]. See `docs/agents/issue-tracker.md`.
+
+### Triage labels
+
+[one-line summary of the label vocabulary]. See `docs/agents/triage-labels.md`.
+
+### Domain docs
+
+[one-line summary of layout — "single-context" or "multi-context"]. See `docs/agents/domain.md`.
+```
+
+Then write the three docs files using the seed templates in this skill folder as a starting point:
+
+- [issue-tracker-github.md](./issue-tracker-github.md) — GitHub issue tracker
+- [issue-tracker-gitlab.md](./issue-tracker-gitlab.md) — GitLab issue tracker
+- [issue-tracker-local.md](./issue-tracker-local.md) — local-markdown issue tracker
+- [triage-labels.md](./triage-labels.md) — label mapping
+- [domain.md](./domain.md) — domain doc consumer rules + layout
+
+For "other" issue trackers, write `docs/agents/issue-tracker.md` from scratch using the user's description.
+
+### 5. Done
+
+Tell the user the setup is complete and which engineering skills will now read from these files. Mention they can edit `docs/agents/*.md` directly later — re-running this skill is only necessary if they want to switch issue trackers or restart from scratch.
diff --git a/scripts/workstation/claude-skills/setup-matt-pocock-skills/domain.md b/scripts/workstation/claude-skills/setup-matt-pocock-skills/domain.md
new file mode 100644
index 00000000..c97d6a6d
--- /dev/null
+++ b/scripts/workstation/claude-skills/setup-matt-pocock-skills/domain.md
@@ -0,0 +1,51 @@
+# Domain Docs
+
+How the engineering skills should consume this repo's domain documentation when exploring the codebase.
+
+## Before exploring, read these
+
+- **`CONTEXT.md`** at the repo root, or
+- **`CONTEXT-MAP.md`** at the repo root if it exists — it points at one `CONTEXT.md` per context. Read each one relevant to the topic.
+- **`docs/adr/`** — read ADRs that touch the area you're about to work in. In multi-context repos, also check `src/<context>/docs/adr/` for context-scoped decisions.
+
+If any of these files don't exist, **proceed silently**. Don't flag their absence; don't suggest creating them upfront. The producer skill (`/grill-with-docs`) creates them lazily when terms or decisions actually get resolved.
+
+## File structure
+
+Single-context repo (most repos):
+
+```
+/
+├── CONTEXT.md
+├── docs/adr/
+│   ├── 0001-event-sourced-orders.md
+│   └── 0002-postgres-for-write-model.md
+└── src/
+```
+
+Multi-context repo (presence of `CONTEXT-MAP.md` at the root):
+
+```
+/
+├── CONTEXT-MAP.md
+├── docs/adr/                          ← system-wide decisions
+└── src/
+    ├── ordering/
+    │   ├── CONTEXT.md
+    │   └── docs/adr/                  ← context-specific decisions
+    └── billing/
+        ├── CONTEXT.md
+        └── docs/adr/
+```
+
+## Use the glossary's vocabulary
+
+When your output names a domain concept (in an issue title, a refactor proposal, a hypothesis, a test name), use the term as defined in `CONTEXT.md`. Don't drift to synonyms the glossary explicitly avoids.
+
+If the concept you need isn't in the glossary yet, that's a signal — either you're inventing language the project doesn't use (reconsider) or there's a real gap (note it for `/grill-with-docs`).
+
+## Flag ADR conflicts
+
+If your output contradicts an existing ADR, surface it explicitly rather than silently overriding:
+
+> _Contradicts ADR-0007 (event-sourced orders) — but worth reopening because…_
diff --git a/scripts/workstation/claude-skills/setup-matt-pocock-skills/issue-tracker-github.md b/scripts/workstation/claude-skills/setup-matt-pocock-skills/issue-tracker-github.md
new file mode 100644
index 00000000..cce77ecb
--- /dev/null
+++ b/scripts/workstation/claude-skills/setup-matt-pocock-skills/issue-tracker-github.md
@@ -0,0 +1,22 @@
+# Issue tracker: GitHub
+
+Issues and PRDs for this repo live as GitHub issues. Use the `gh` CLI for all operations.
+
+## Conventions
+
+- **Create an issue**: `gh issue create --title "..." --body "..."`. Use a heredoc for multi-line bodies.
+- **Read an issue**: `gh issue view <number> --comments`, filtering comments by `jq` and also fetching labels.
+- **List issues**: `gh issue list --state open --json number,title,body,labels,comments --jq '[.[] | {number, title, body, labels: [.labels[].name], comments: [.comments[].body]}]'` with appropriate `--label` and `--state` filters.
+- **Comment on an issue**: `gh issue comment <number> --body "..."`
+- **Apply / remove labels**: `gh issue edit <number> --add-label "..."` / `--remove-label "..."`
+- **Close**: `gh issue close <number> --comment "..."`
+
+Infer the repo from `git remote -v` — `gh` does this automatically when run inside a clone.
+
+## When a skill says "publish to the issue tracker"
+
+Create a GitHub issue.
+
+## When a skill says "fetch the relevant ticket"
+
+Run `gh issue view <number> --comments`.
diff --git a/scripts/workstation/claude-skills/setup-matt-pocock-skills/issue-tracker-gitlab.md b/scripts/workstation/claude-skills/setup-matt-pocock-skills/issue-tracker-gitlab.md
new file mode 100644
index 00000000..f54da955
--- /dev/null
+++ b/scripts/workstation/claude-skills/setup-matt-pocock-skills/issue-tracker-gitlab.md
@@ -0,0 +1,23 @@
+# Issue tracker: GitLab
+
+Issues and PRDs for this repo live as GitLab issues. Use the [`glab`](https://gitlab.com/gitlab-org/cli) CLI for all operations.
+
+## Conventions
+
+- **Create an issue**: `glab issue create --title "..." --description "..."`. Use a heredoc for multi-line descriptions. Pass `--description -` to open an editor.
+- **Read an issue**: `glab issue view <number> --comments`. Use `-F json` for machine-readable output.
+- **List issues**: `glab issue list -F json` with appropriate `--label` filters.
+- **Comment on an issue**: `glab issue note <number> --message "..."`. GitLab calls comments "notes".
+- **Apply / remove labels**: `glab issue update <number> --label "..."` / `--unlabel "..."`. Multiple labels can be comma-separated or by repeating the flag.
+- **Close**: `glab issue close <number>`. `glab issue close` does not accept a closing comment, so post the explanation first with `glab issue note <number> --message "..."`, then close.
+- **Merge requests**: GitLab calls PRs "merge requests". Use `glab mr create`, `glab mr view`, `glab mr note`, etc. — the same shape as `gh pr ...` with `mr` in place of `pr` and `note`/`--message` in place of `comment`/`--body`.
+
+Infer the repo from `git remote -v` — `glab` does this automatically when run inside a clone.
+
+## When a skill says "publish to the issue tracker"
+
+Create a GitLab issue.
+
+## When a skill says "fetch the relevant ticket"
+
+Run `glab issue view <number> --comments`.
diff --git a/scripts/workstation/claude-skills/setup-matt-pocock-skills/issue-tracker-local.md b/scripts/workstation/claude-skills/setup-matt-pocock-skills/issue-tracker-local.md
new file mode 100644
index 00000000..a2f08fb0
--- /dev/null
+++ b/scripts/workstation/claude-skills/setup-matt-pocock-skills/issue-tracker-local.md
@@ -0,0 +1,19 @@
+# Issue tracker: Local Markdown
+
+Issues and PRDs for this repo live as markdown files in `.scratch/`.
+
+## Conventions
+
+- One feature per directory: `.scratch/<feature-slug>/`
+- The PRD is `.scratch/<feature-slug>/PRD.md`
+- Implementation issues are `.scratch/<feature-slug>/issues/<NN>-<slug>.md`, numbered from `01`
+- Triage state is recorded as a `Status:` line near the top of each issue file (see `triage-labels.md` for the role strings)
+- Comments and conversation history append to the bottom of the file under a `## Comments` heading
+
+## When a skill says "publish to the issue tracker"
+
+Create a new file under `.scratch/<feature-slug>/` (creating the directory if needed).
+
+## When a skill says "fetch the relevant ticket"
+
+Read the file at the referenced path. The user will normally pass the path or the issue number directly.
diff --git a/scripts/workstation/claude-skills/setup-matt-pocock-skills/triage-labels.md b/scripts/workstation/claude-skills/setup-matt-pocock-skills/triage-labels.md
new file mode 100644
index 00000000..b716855d
--- /dev/null
+++ b/scripts/workstation/claude-skills/setup-matt-pocock-skills/triage-labels.md
@@ -0,0 +1,15 @@
+# Triage Labels
+
+The skills speak in terms of five canonical triage roles. This file maps those roles to the actual label strings used in this repo's issue tracker.
+
+| Label in mattpocock/skills | Label in our tracker | Meaning                                  |
+| -------------------------- | -------------------- | ---------------------------------------- |
+| `needs-triage`             | `needs-triage`       | Maintainer needs to evaluate this issue  |
+| `needs-info`               | `needs-info`         | Waiting on reporter for more information |
+| `ready-for-agent`          | `ready-for-agent`    | Fully specified, ready for an AFK agent  |
+| `ready-for-human`          | `ready-for-human`    | Requires human implementation            |
+| `wontfix`                  | `wontfix`            | Will not be actioned                     |
+
+When a skill mentions a role (e.g. "apply the AFK-ready triage label"), use the corresponding label string from this table.
+
+Edit the right-hand column to match whatever vocabulary you actually use.
diff --git a/scripts/workstation/claude-skills/tdd/SKILL.md b/scripts/workstation/claude-skills/tdd/SKILL.md
new file mode 100644
index 00000000..7a989411
--- /dev/null
+++ b/scripts/workstation/claude-skills/tdd/SKILL.md
@@ -0,0 +1,109 @@
+---
+name: tdd
+description: Test-driven development with red-green-refactor loop. Use when user wants to build features or fix bugs using TDD, mentions "red-green-refactor", wants integration tests, or asks for test-first development.
+---
+
+# Test-Driven Development
+
+## Philosophy
+
+**Core principle**: Tests should verify behavior through public interfaces, not implementation details. Code can change entirely; tests shouldn't.
+
+**Good tests** are integration-style: they exercise real code paths through public APIs. They describe _what_ the system does, not _how_ it does it. A good test reads like a specification - "user can checkout with valid cart" tells you exactly what capability exists. These tests survive refactors because they don't care about internal structure.
+
+**Bad tests** are coupled to implementation. They mock internal collaborators, test private methods, or verify through external means (like querying a database directly instead of using the interface). The warning sign: your test breaks when you refactor, but behavior hasn't changed. If you rename an internal function and tests fail, those tests were testing implementation, not behavior.
+
+See [tests.md](tests.md) for examples and [mocking.md](mocking.md) for mocking guidelines.
+
+## Anti-Pattern: Horizontal Slices
+
+**DO NOT write all tests first, then all implementation.** This is "horizontal slicing" - treating RED as "write all tests" and GREEN as "write all code."
+
+This produces **crap tests**:
+
+- Tests written in bulk test _imagined_ behavior, not _actual_ behavior
+- You end up testing the _shape_ of things (data structures, function signatures) rather than user-facing behavior
+- Tests become insensitive to real changes - they pass when behavior breaks, fail when behavior is fine
+- You outrun your headlights, committing to test structure before understanding the implementation
+
+**Correct approach**: Vertical slices via tracer bullets. One test → one implementation → repeat. Each test responds to what you learned from the previous cycle. Because you just wrote the code, you know exactly what behavior matters and how to verify it.
+
+```
+WRONG (horizontal):
+  RED:   test1, test2, test3, test4, test5
+  GREEN: impl1, impl2, impl3, impl4, impl5
+
+RIGHT (vertical):
+  RED→GREEN: test1→impl1
+  RED→GREEN: test2→impl2
+  RED→GREEN: test3→impl3
+  ...
+```
+
+## Workflow
+
+### 1. Planning
+
+When exploring the codebase, use the project's domain glossary so that test names and interface vocabulary match the project's language, and respect ADRs in the area you're touching.
+
+Before writing any code:
+
+- [ ] Confirm with user what interface changes are needed
+- [ ] Confirm with user which behaviors to test (prioritize)
+- [ ] Identify opportunities for [deep modules](deep-modules.md) (small interface, deep implementation)
+- [ ] Design interfaces for [testability](interface-design.md)
+- [ ] List the behaviors to test (not implementation steps)
+- [ ] Get user approval on the plan
+
+Ask: "What should the public interface look like? Which behaviors are most important to test?"
+
+**You can't test everything.** Confirm with the user exactly which behaviors matter most. Focus testing effort on critical paths and complex logic, not every possible edge case.
+
+### 2. Tracer Bullet
+
+Write ONE test that confirms ONE thing about the system:
+
+```
+RED:   Write test for first behavior → test fails
+GREEN: Write minimal code to pass → test passes
+```
+
+This is your tracer bullet - proves the path works end-to-end.
+
+### 3. Incremental Loop
+
+For each remaining behavior:
+
+```
+RED:   Write next test → fails
+GREEN: Minimal code to pass → passes
+```
+
+Rules:
+
+- One test at a time
+- Only enough code to pass current test
+- Don't anticipate future tests
+- Keep tests focused on observable behavior
+
+### 4. Refactor
+
+After all tests pass, look for [refactor candidates](refactoring.md):
+
+- [ ] Extract duplication
+- [ ] Deepen modules (move complexity behind simple interfaces)
+- [ ] Apply SOLID principles where natural
+- [ ] Consider what new code reveals about existing code
+- [ ] Run tests after each refactor step
+
+**Never refactor while RED.** Get to GREEN first.
+
+## Checklist Per Cycle
+
+```
+[ ] Test describes behavior, not implementation
+[ ] Test uses public interface only
+[ ] Test would survive internal refactor
+[ ] Code is minimal for this test
+[ ] No speculative features added
+```
diff --git a/scripts/workstation/claude-skills/tdd/deep-modules.md b/scripts/workstation/claude-skills/tdd/deep-modules.md
new file mode 100644
index 00000000..0d9720cf
--- /dev/null
+++ b/scripts/workstation/claude-skills/tdd/deep-modules.md
@@ -0,0 +1,33 @@
+# Deep Modules
+
+From "A Philosophy of Software Design":
+
+**Deep module** = small interface + lots of implementation
+
+```
+┌─────────────────────┐
+│   Small Interface   │  ← Few methods, simple params
+├─────────────────────┤
+│                     │
+│                     │
+│  Deep Implementation│  ← Complex logic hidden
+│                     │
+│                     │
+└─────────────────────┘
+```
+
+**Shallow module** = large interface + little implementation (avoid)
+
+```
+┌─────────────────────────────────┐
+│       Large Interface           │  ← Many methods, complex params
+├─────────────────────────────────┤
+│  Thin Implementation            │  ← Just passes through
+└─────────────────────────────────┘
+```
+
+When designing interfaces, ask:
+
+- Can I reduce the number of methods?
+- Can I simplify the parameters?
+- Can I hide more complexity inside?
diff --git a/scripts/workstation/claude-skills/tdd/interface-design.md b/scripts/workstation/claude-skills/tdd/interface-design.md
new file mode 100644
index 00000000..a0a20ca4
--- /dev/null
+++ b/scripts/workstation/claude-skills/tdd/interface-design.md
@@ -0,0 +1,31 @@
+# Interface Design for Testability
+
+Good interfaces make testing natural:
+
+1. **Accept dependencies, don't create them**
+
+   ```typescript
+   // Testable
+   function processOrder(order, paymentGateway) {}
+
+   // Hard to test
+   function processOrder(order) {
+     const gateway = new StripeGateway();
+   }
+   ```
+
+2. **Return results, don't produce side effects**
+
+   ```typescript
+   // Testable
+   function calculateDiscount(cart): Discount {}
+
+   // Hard to test
+   function applyDiscount(cart): void {
+     cart.total -= discount;
+   }
+   ```
+
+3. **Small surface area**
+   - Fewer methods = fewer tests needed
+   - Fewer params = simpler test setup
diff --git a/scripts/workstation/claude-skills/tdd/mocking.md b/scripts/workstation/claude-skills/tdd/mocking.md
new file mode 100644
index 00000000..71cbfee6
--- /dev/null
+++ b/scripts/workstation/claude-skills/tdd/mocking.md
@@ -0,0 +1,59 @@
+# When to Mock
+
+Mock at **system boundaries** only:
+
+- External APIs (payment, email, etc.)
+- Databases (sometimes - prefer test DB)
+- Time/randomness
+- File system (sometimes)
+
+Don't mock:
+
+- Your own classes/modules
+- Internal collaborators
+- Anything you control
+
+## Designing for Mockability
+
+At system boundaries, design interfaces that are easy to mock:
+
+**1. Use dependency injection**
+
+Pass external dependencies in rather than creating them internally:
+
+```typescript
+// Easy to mock
+function processPayment(order, paymentClient) {
+  return paymentClient.charge(order.total);
+}
+
+// Hard to mock
+function processPayment(order) {
+  const client = new StripeClient(process.env.STRIPE_KEY);
+  return client.charge(order.total);
+}
+```
+
+**2. Prefer SDK-style interfaces over generic fetchers**
+
+Create specific functions for each external operation instead of one generic function with conditional logic:
+
+```typescript
+// GOOD: Each function is independently mockable
+const api = {
+  getUser: (id) => fetch(`/users/${id}`),
+  getOrders: (userId) => fetch(`/users/${userId}/orders`),
+  createOrder: (data) => fetch('/orders', { method: 'POST', body: data }),
+};
+
+// BAD: Mocking requires conditional logic inside the mock
+const api = {
+  fetch: (endpoint, options) => fetch(endpoint, options),
+};
+```
+
+The SDK approach means:
+- Each mock returns one specific shape
+- No conditional logic in test setup
+- Easier to see which endpoints a test exercises
+- Type safety per endpoint
diff --git a/scripts/workstation/claude-skills/tdd/refactoring.md b/scripts/workstation/claude-skills/tdd/refactoring.md
new file mode 100644
index 00000000..8a444392
--- /dev/null
+++ b/scripts/workstation/claude-skills/tdd/refactoring.md
@@ -0,0 +1,10 @@
+# Refactor Candidates
+
+After TDD cycle, look for:
+
+- **Duplication** → Extract function/class
+- **Long methods** → Break into private helpers (keep tests on public interface)
+- **Shallow modules** → Combine or deepen
+- **Feature envy** → Move logic to where data lives
+- **Primitive obsession** → Introduce value objects
+- **Existing code** the new code reveals as problematic
diff --git a/scripts/workstation/claude-skills/tdd/tests.md b/scripts/workstation/claude-skills/tdd/tests.md
new file mode 100644
index 00000000..ff22f809
--- /dev/null
+++ b/scripts/workstation/claude-skills/tdd/tests.md
@@ -0,0 +1,61 @@
+# Good and Bad Tests
+
+## Good Tests
+
+**Integration-style**: Test through real interfaces, not mocks of internal parts.
+
+```typescript
+// GOOD: Tests observable behavior
+test("user can checkout with valid cart", async () => {
+  const cart = createCart();
+  cart.add(product);
+  const result = await checkout(cart, paymentMethod);
+  expect(result.status).toBe("confirmed");
+});
+```
+
+Characteristics:
+
+- Tests behavior users/callers care about
+- Uses public API only
+- Survives internal refactors
+- Describes WHAT, not HOW
+- One logical assertion per test
+
+## Bad Tests
+
+**Implementation-detail tests**: Coupled to internal structure.
+
+```typescript
+// BAD: Tests implementation details
+test("checkout calls paymentService.process", async () => {
+  const mockPayment = jest.mock(paymentService);
+  await checkout(cart, payment);
+  expect(mockPayment.process).toHaveBeenCalledWith(cart.total);
+});
+```
+
+Red flags:
+
+- Mocking internal collaborators
+- Testing private methods
+- Asserting on call counts/order
+- Test breaks when refactoring without behavior change
+- Test name describes HOW not WHAT
+- Verifying through external means instead of interface
+
+```typescript
+// BAD: Bypasses interface to verify
+test("createUser saves to database", async () => {
+  await createUser({ name: "Alice" });
+  const row = await db.query("SELECT * FROM users WHERE name = ?", ["Alice"]);
+  expect(row).toBeDefined();
+});
+
+// GOOD: Verifies through interface
+test("createUser makes user retrievable", async () => {
+  const user = await createUser({ name: "Alice" });
+  const retrieved = await getUser(user.id);
+  expect(retrieved.name).toBe("Alice");
+});
+```
diff --git a/scripts/workstation/claude-skills/teach/GLOSSARY-FORMAT.md b/scripts/workstation/claude-skills/teach/GLOSSARY-FORMAT.md
new file mode 100644
index 00000000..9cae84c4
--- /dev/null
+++ b/scripts/workstation/claude-skills/teach/GLOSSARY-FORMAT.md
@@ -0,0 +1,35 @@
+# GLOSSARY.md Format
+
+`GLOSSARY.md` is the canonical language for this teaching workspace. All explainers, exercises, and learning records should adhere to its terminology. Building it is itself part of learning: compressing a concept into a tight definition is evidence the user understands it.
+
+## Structure
+
+```md
+# {Topic} Glossary
+
+{One or two sentence description of the topic this glossary covers.}
+
+## Terms
+
+**Hypertrophy**:
+Muscle growth driven by mechanical tension and metabolic stress over repeated training sessions.
+_Avoid_: Bulking, getting big
+
+**Progressive overload**:
+Systematically increasing the demand on a muscle over time — via load, volume, or intensity.
+_Avoid_: Pushing harder, levelling up
+
+**RPE (Rate of Perceived Exertion)**:
+A 1–10 self-rating of how hard a set felt, where 10 is failure and 8 means two reps left in the tank.
+_Avoid_: Effort score, intensity rating
+```
+
+## Rules
+
+- **Add a term only when the user understands it.** The glossary is a record of compressed knowledge, not a dictionary the user reads to learn. If the user has just been introduced to a concept, wait until they can use it correctly before promoting it here.
+- **Be opinionated.** When several words exist for the same concept, pick the best one and list the rest as aliases to avoid. This is how language compresses.
+- **Keep definitions tight.** One or two sentences. Define what the term IS, not what it does or how to do it.
+- **Use the glossary's own terms inside definitions.** Once a term is in the glossary, prefer it everywhere — including inside other definitions. This is what makes complex terms easier to grasp later.
+- **Group under subheadings** when natural clusters emerge (e.g. `## Anatomy`, `## Programming`). A flat list is fine when terms cohere.
+- **Flag ambiguities explicitly.** If a term is used loosely in the wider field, note the resolution: "In this workspace, 'set' always means a working set — warm-ups are tracked separately."
+- **Revise as understanding deepens.** A definition the user wrote in week one may be wrong by week six. Update in place; do not leave stale entries.
diff --git a/scripts/workstation/claude-skills/teach/LEARNING-RECORD-FORMAT.md b/scripts/workstation/claude-skills/teach/LEARNING-RECORD-FORMAT.md
new file mode 100644
index 00000000..2faa7c98
--- /dev/null
+++ b/scripts/workstation/claude-skills/teach/LEARNING-RECORD-FORMAT.md
@@ -0,0 +1,46 @@
+# Learning Record Format
+
+Learning records live in `./learning-records/` and use sequential numbering: `0001-slug.md`, `0002-slug.md`, etc. Create the directory lazily — only when the first record is written.
+
+They are the teaching equivalent of ADRs: they capture non-obvious lessons, key insights, and stated prior knowledge that will steer future sessions. They are used to calculate the zone of proximal development.
+
+## Template
+
+```md
+# {Short title of what was learned or established}
+
+{1-3 sentences: what was learned (or what prior knowledge was established), and why it matters for future sessions.}
+```
+
+That is the whole format. A learning record can be a single paragraph. The value is recording _that_ this is now known and _why_ it changes what to teach next — not in filling out sections.
+
+## Optional sections
+
+Only include these when they add genuine value. Most records won't need them.
+
+- **Status** frontmatter (`active | superseded by LR-NNNN`) — useful when an earlier understanding turns out to be wrong and is replaced.
+- **Evidence** — how the user demonstrated the understanding (a question answered, an exercise completed, prior experience cited). Useful when the claim might be revisited.
+- **Implications** — what this unlocks or rules out for future sessions. Worth recording when non-obvious.
+
+## Numbering
+
+Scan `./learning-records/` for the highest existing number and increment by one.
+
+## When to write a learning record
+
+Write one when any of these is true:
+
+1. **The user demonstrated genuine understanding of something non-trivial** — not just exposure, but evidence they can use the concept correctly. This sets a new floor for what to teach next.
+2. **The user disclosed prior knowledge** — "I already know X." Record it so future sessions don't re-teach it. Also record the _depth_ claimed.
+3. **A misconception was corrected** — the user previously believed something wrong and now sees why. These are high-value: they predict future stumbling blocks for related topics.
+4. **The mission shifted in response to learning** — the user discovered they cared about something different than they thought. Cross-link to [[MISSION.md]] and update it.
+
+### What does _not_ qualify
+
+- Material that was merely covered. Coverage is not learning. Wait for evidence.
+- Anything already captured tersely in [[GLOSSARY.md]] as a term definition. Don't duplicate.
+- Session-by-session activity logs. Learning records are not a journal — they are decision-grade insights.
+
+## Supersession
+
+When a later record contradicts an earlier one (the user's understanding deepened or corrected), mark the old record `Status: superseded by LR-NNNN` rather than deleting it. The history of how understanding evolved is itself useful signal.
diff --git a/scripts/workstation/claude-skills/teach/MISSION-FORMAT.md b/scripts/workstation/claude-skills/teach/MISSION-FORMAT.md
new file mode 100644
index 00000000..5dac184a
--- /dev/null
+++ b/scripts/workstation/claude-skills/teach/MISSION-FORMAT.md
@@ -0,0 +1,31 @@
+# MISSION.md Format
+
+`MISSION.md` lives at the workspace root. It captures the _reason_ the user is learning this topic. Every teaching decision — what to teach next, which resources to surface, which exercises to design — should trace back to this document.
+
+## Template
+
+```md
+# Mission: {Topic}
+
+## Why
+{1-3 sentences. The concrete real-world goal the user is chasing. What changes in their life or work when they have this skill? Avoid abstract framings like "to understand X" — push for the underlying outcome.}
+
+## Success looks like
+- {A specific, observable thing the user will be able to do}
+- {Another specific thing}
+- {…}
+
+## Constraints
+- {Time, budget, prior commitments, learning preferences, anything that bounds the approach}
+
+## Out of scope
+- {Adjacent topics the user explicitly does not want to chase right now — protects the zone of proximal development}
+```
+
+## Rules
+
+- **One mission per workspace.** If the user wants to learn two unrelated things, that is two workspaces.
+- **Concrete over abstract.** "Run a half marathon by October" beats "get fitter." "Ship a Rust CLI to my team" beats "learn Rust."
+- **Push back on vagueness.** If the user cannot articulate why, interview them before writing anything. A bad mission is worse than no mission.
+- **Revise when reality shifts.** Missions change. When the user's goal moves, update this file — don't leave a stale mission steering future sessions.
+- **Keep it short.** If `MISSION.md` runs past a screen, it has stopped being a compass and started being a plan.
diff --git a/scripts/workstation/claude-skills/teach/RESOURCES-FORMAT.md b/scripts/workstation/claude-skills/teach/RESOURCES-FORMAT.md
new file mode 100644
index 00000000..c94aac6a
--- /dev/null
+++ b/scripts/workstation/claude-skills/teach/RESOURCES-FORMAT.md
@@ -0,0 +1,32 @@
+# RESOURCES.md Format
+
+`RESOURCES.md` is the curated set of trusted sources for this topic. Knowledge for explainers should be drawn from here, not from parametric guesses. Wisdom comes from the communities listed here.
+
+## Structure
+
+```md
+# {Topic} Resources
+
+## Knowledge
+
+- [Book: _The Science and Practice of Strength Training_ — Zatsiorsky & Kraemer](https://example.com)
+  Foundational text on programming and adaptation. Use for: anything to do with periodisation, recovery, intensity zones.
+- [Article: "How Much Should I Train?" — Greg Nuckols (Stronger By Science)](https://example.com)
+  Evidence-based review of volume landmarks. Use for: weekly set targets per muscle group.
+
+## Wisdom (Communities)
+
+- [r/weightroom](https://reddit.com/r/weightroom)
+  High-signal subreddit, moderated against bro-science. Use for: programme critique, plateau troubleshooting.
+- Local: Tuesday strength class at {gym name}
+  Use for: real-time coaching feedback on lifts.
+```
+
+## Rules
+
+- **High-trust only.** Prefer primary sources, recognised experts, peer-reviewed work, and communities with strong moderation. If a resource is marketing dressed as education, leave it out.
+- **Annotate every entry.** A bare link is useless in three months. Add one line: what it covers and when to reach for it.
+- **Group by Knowledge / Wisdom.** Mirrors the philosophy in [SKILL.md](./SKILL.md). It is fine for a resource to appear in only one group.
+- **Surface gaps explicitly.** If no good resource exists for an area the mission needs, write a `## Gaps` section listing what is missing. This drives future search.
+- **Prune ruthlessly.** A resource that turned out to be wrong, shallow, or off-mission should be removed, not buried. Better five sharp sources than thirty mediocre ones.
+- **Record community preferences.** If the user has opted out of joining communities, note it here so future sessions don't keep proposing them.
diff --git a/scripts/workstation/claude-skills/teach/SKILL.md b/scripts/workstation/claude-skills/teach/SKILL.md
new file mode 100644
index 00000000..2fad9a36
--- /dev/null
+++ b/scripts/workstation/claude-skills/teach/SKILL.md
@@ -0,0 +1,131 @@
+---
+name: teach
+description: Teach the user a new skill or concept, within this workspace.
+disable-model-invocation: true
+argument-hint: "What would you like to learn about?"
+---
+
+The user has asked you to teach them something. This is a stateful request - they intend to learn the topic over multiple sessions.
+
+## Teaching Workspace
+
+Treat the current directory as a teaching workspace. The state of their learning is captured in this directory in several files:
+
+- `MISSION.md`: A document capturing the _reason_ the user is interested in the topic. This should be used to ground all teaching. Use the format in [MISSION-FORMAT.md](./MISSION-FORMAT.md).
+- `./reference/*.html`: A directory of reference materials. These are the compressed learnings from the lessons - cheat sheets, reference algorithms, syntax, yoga poses, glossaries. They are the raw units of learning. They should be beautiful documents which print out well, and are designed for quick reference.
+- `RESOURCES.md`: A list of resources which can be explored to ground your teaching in contextual knowledge, or to acquire knowledge and wisdom. Use the format in [RESOURCES-FORMAT.md](./RESOURCES-FORMAT.md).
+- `./learning-records/*.md`: A directory of learning records, which capture what the user has learned. These are loosely equivalent to architectural decision records in software development - they capture non-obvious lessons and key insights that may need to be revised later, or drive future sessions. These should be used to calculate the zone of proximal development. They are titled `0001-<dash-case-name>.md`, where the number increments each time. Use the format in [LEARNING-RECORD-FORMAT.md](./LEARNING-RECORD-FORMAT.md).
+- `./lessons/*.html`: A directory of lessons. A **lesson** is a single, self-contained HTML output that teaches one tightly-scoped thing tied to the mission. This is the primary unit of teaching in this workspace.
+- `NOTES.md`: A scratchpad for you to jot down user preferences, or working notes.
+
+## Philosophy
+
+To learn at a deep level, the user needs three things:
+
+- **Knowledge**, captured from high-quality, high-trust resources
+- **Skills**, acquired through highly-relevant interactive lessons devised by you, based on the knowledge
+- **Wisdom**, which comes from interacting with other learners and practitioners
+
+Before the `RESOURCES.md` is well-populated, your focus should be to find high-quality resources which will help the user acquire knowledge. Never trust your parametric knowledge.
+
+Some topics may require more skills than knowledge. Learning more about theoretical physics might be more knowledge-based. For yoga, more skills-based.
+
+### Fluency vs Storage Strength
+
+You should be careful to split between two types of learning:
+
+- **Fluency strength**: in-the-moment retrieval of knowledge
+- **Storage strength**: long-term retention of knowledge
+
+Fluency can give the user an illusory sense of mastery, but storage strength is the real goal. Try to design lessons which build long-term retention by desirable difficulty:
+
+- Using retrieval practice (recall from memory)
+- Spacing (distributing practice over time)
+- Interleaving (mixing up different but related topics in practice - for skills practice only)
+
+## Lessons
+
+A lesson is the main thing you produce — the unit in which knowledge and skills reach the user. Each lesson is one self-contained HTML file, saved to `./lessons/` and titled `0001-<dash-case-name>.html` where the number increments each time.
+
+A lesson should be **beautiful** — clean, readable typography and layout — since the user will return to these later to review. Think Tufte.
+
+The lesson should be short, and completable very quickly. Learners' working memory is very small, and we need to stay within it. But each lesson should give the user a single tangible win that they can build on. It should be directly tied to the mission, and should be in the user's zone of proximal development.
+
+If possible, open the lesson file for the user by running a CLI command.
+
+Each lesson should link via HTML anchors to other lessons and reference documents.
+
+Each lesson should recommend a primary source for the user to read or watch. This should be the most high-quality, high-trust resource you found on the topic.
+
+Each lesson should contain a reminder to ask followup questions to the agent. The agent is their teacher, and can assist with anything that's unclear.
+
+## The Mission
+
+Every lesson should be tied into the mission - the reason that the user is interested in learning about the topic.
+
+If the user is unclear about the mission, or the `MISSION.md` is not populated, your first job should be to question the user on why they want to learn this.
+
+Failing to understand the mission will mean knowledge acquisition is not grounded in real-world goals. Lessons will feel too abstract. You will have no way of judging what the user should do next.
+
+Missions may change as the user develops more skills and knowledge. This is normal - make sure to update the `MISSION.md` and add a learning record to capture the change. Confirm with the user before changing the mission.
+
+## Zone Of Proximal Development
+
+Each lesson, the user should always feel as if they are being challenged 'just enough'.
+
+The user may specify an exact thing they want to learn. If they don't, figure out their zone of proximal development by:
+
+- Reading their `learning-records`
+- Figuring out the right thing to teach them based on their mission
+- Teach the most relevant thing that fits in their zone of proximal development
+
+## Knowledge
+
+Lessons should be designed around a skill the user is going to learn. The knowledge in the lesson should be only what's required to acquire that skill. You teach the knowledge first, then get the user to practice the skills via an interactive feedback loop.
+
+Knowledge should first be gathered from trusted resources. Use `RESOURCES.md` to keep track of them. Lessons should be littered with citations - links to external resources to back up any claim made. This increases the trustworthiness of the lesson.
+
+For acquiring knowledge, difficulty is the enemy. It eats working memory you need for understanding.
+
+## Skills
+
+If knowledge is all about acquisition, skills are about durability and flexibility. Make the knowledge stick.
+
+For skill acquisition, difficulty is the tool. Effortful retrieval is what builds storage strength. Skills should be taught through interactive lessons. There are several tools at your disposal:
+
+- Interactive lessons, using quizzes and light in-browser tasks
+- Lessons which guide the user through a list of real-world steps to take (for instance, yoga poses)
+
+Each of these should be based on a **feedback loop**, where the user receives feedback on their performance. This feedback loop should be as tight as possible, giving feedback immediately - and ideally automatically.
+
+For quizzes, each answer should be exactly the same number of words (and characters, if possible). Don't give the user any clues about the answer through formatting.
+
+## Acquiring Wisdom
+
+Wisdom comes from true real-world interaction - testing your skills outside the learning environment.
+
+When the user asks a question that appears to require wisdom, your default posture should be to attempt to answer - but to ultimately delegate to a **community**.
+
+A community is a place (online or offline) where the user can test their skills in the real world. This might be a forum, a subreddit, a real-world class (budget permitting) or a local interest group.
+
+You should attempt to find high-reputation communities the user can join. If the user expresses a preference that they don't want to join a community, respect it.
+
+## Reference Documents
+
+While creating lessons, you should also create reference documents. Lessons can reference these documents - they are useful for tracking raw units of knowledge useful across lessons.
+
+Lessons will rarely be revisited later - reference documents will be. They should be the compressed essence of the lesson, in a format designed for quick reference.
+
+Some learning topics lend themselves to reference:
+
+- Syntax and code snippets for programming
+- Algorithms and flowcharts for processes
+- Yoga poses and sequences for yoga
+- Exercises and routines for fitness
+- Glossaries for any topic with its own nomenclature
+
+Glossaries, in particular, are an essential reference. Once one is created, it should be adhered to in every lesson.
+
+## `NOTES.md`
+
+The user will sometimes express preferences of how they want to be taught, or things you should keep in mind. This is the place to record those preferences, so you can refer back to them when designing lessons or working with the user.
diff --git a/scripts/workstation/claude-skills/to-issues/SKILL.md b/scripts/workstation/claude-skills/to-issues/SKILL.md
new file mode 100644
index 00000000..9f6efbfe
--- /dev/null
+++ b/scripts/workstation/claude-skills/to-issues/SKILL.md
@@ -0,0 +1,83 @@
+---
+name: to-issues
+description: Break a plan, spec, or PRD into independently-grabbable issues on the project issue tracker using tracer-bullet vertical slices. Use when user wants to convert a plan into issues, create implementation tickets, or break down work into issues.
+---
+
+# To Issues
+
+Break a plan into independently-grabbable issues using vertical slices (tracer bullets).
+
+The issue tracker and triage label vocabulary should have been provided to you — run `/setup-matt-pocock-skills` if not.
+
+## Process
+
+### 1. Gather context
+
+Work from whatever is already in the conversation context. If the user passes an issue reference (issue number, URL, or path) as an argument, fetch it from the issue tracker and read its full body and comments.
+
+### 2. Explore the codebase (optional)
+
+If you have not already explored the codebase, do so to understand the current state of the code. Issue titles and descriptions should use the project's domain glossary vocabulary, and respect ADRs in the area you're touching.
+
+### 3. Draft vertical slices
+
+Break the plan into **tracer bullet** issues. Each issue is a thin vertical slice that cuts through ALL integration layers end-to-end, NOT a horizontal slice of one layer.
+
+Slices may be 'HITL' or 'AFK'. HITL slices require human interaction, such as an architectural decision or a design review. AFK slices can be implemented and merged without human interaction. Prefer AFK over HITL where possible.
+
+<vertical-slice-rules>
+- Each slice delivers a narrow but COMPLETE path through every layer (schema, API, UI, tests)
+- A completed slice is demoable or verifiable on its own
+- Prefer many thin slices over few thick ones
+</vertical-slice-rules>
+
+### 4. Quiz the user
+
+Present the proposed breakdown as a numbered list. For each slice, show:
+
+- **Title**: short descriptive name
+- **Type**: HITL / AFK
+- **Blocked by**: which other slices (if any) must complete first
+- **User stories covered**: which user stories this addresses (if the source material has them)
+
+Ask the user:
+
+- Does the granularity feel right? (too coarse / too fine)
+- Are the dependency relationships correct?
+- Should any slices be merged or split further?
+- Are the correct slices marked as HITL and AFK?
+
+Iterate until the user approves the breakdown.
+
+### 5. Publish the issues to the issue tracker
+
+For each approved slice, publish a new issue to the issue tracker. Use the issue body template below. These issues are considered ready for AFK agents, so publish them with the correct triage label unless instructed otherwise.
+
+Publish issues in dependency order (blockers first) so you can reference real issue identifiers in the "Blocked by" field.
+
+<issue-template>
+## Parent
+
+A reference to the parent issue on the issue tracker (if the source was an existing issue, otherwise omit this section).
+
+## What to build
+
+A concise description of this vertical slice. Describe the end-to-end behavior, not layer-by-layer implementation.
+
+Avoid specific file paths or code snippets — they go stale fast. Exception: if a prototype produced a snippet that encodes a decision more precisely than prose can (state machine, reducer, schema, type shape), inline it here and note briefly that it came from a prototype. Trim to the decision-rich parts — not a working demo, just the important bits.
+
+## Acceptance criteria
+
+- [ ] Criterion 1
+- [ ] Criterion 2
+- [ ] Criterion 3
+
+## Blocked by
+
+- A reference to the blocking ticket (if any)
+
+Or "None - can start immediately" if no blockers.
+
+</issue-template>
+
+Do NOT close or modify any parent issue.
diff --git a/scripts/workstation/claude-skills/to-prd/SKILL.md b/scripts/workstation/claude-skills/to-prd/SKILL.md
new file mode 100644
index 00000000..ee758fdc
--- /dev/null
+++ b/scripts/workstation/claude-skills/to-prd/SKILL.md
@@ -0,0 +1,74 @@
+---
+name: to-prd
+description: Turn the current conversation context into a PRD and publish it to the project issue tracker. Use when user wants to create a PRD from the current context.
+---
+
+This skill takes the current conversation context and codebase understanding and produces a PRD. Do NOT interview the user — just synthesize what you already know.
+
+The issue tracker and triage label vocabulary should have been provided to you — run `/setup-matt-pocock-skills` if not.
+
+## Process
+
+1. Explore the repo to understand the current state of the codebase, if you haven't already. Use the project's domain glossary vocabulary throughout the PRD, and respect any ADRs in the area you're touching.
+
+2. Sketch out the seams at which you're going to test the feature. Existing seams should be preferred to new ones. Use the highest seam possible. If new seams are needed, propose them at the highest point you can.
+
+Check with the user that these seams match their expectations.
+
+3. Write the PRD using the template below, then publish it to the project issue tracker. Apply the `ready-for-agent` triage label - no need for additional triage.
+
+<prd-template>
+
+## Problem Statement
+
+The problem that the user is facing, from the user's perspective.
+
+## Solution
+
+The solution to the problem, from the user's perspective.
+
+## User Stories
+
+A LONG, numbered list of user stories. Each user story should be in the format of:
+
+1. As an <actor>, I want a <feature>, so that <benefit>
+
+<user-story-example>
+1. As a mobile bank customer, I want to see balance on my accounts, so that I can make better informed decisions about my spending
+</user-story-example>
+
+This list of user stories should be extremely extensive and cover all aspects of the feature.
+
+## Implementation Decisions
+
+A list of implementation decisions that were made. This can include:
+
+- The modules that will be built/modified
+- The interfaces of those modules that will be modified
+- Technical clarifications from the developer
+- Architectural decisions
+- Schema changes
+- API contracts
+- Specific interactions
+
+Do NOT include specific file paths or code snippets. They may end up being outdated very quickly.
+
+Exception: if a prototype produced a snippet that encodes a decision more precisely than prose can (state machine, reducer, schema, type shape), inline it within the relevant decision and note briefly that it came from a prototype. Trim to the decision-rich parts — not a working demo, just the important bits.
+
+## Testing Decisions
+
+A list of testing decisions that were made. Include:
+
+- A description of what makes a good test (only test external behavior, not implementation details)
+- Which modules will be tested
+- Prior art for the tests (i.e. similar types of tests in the codebase)
+
+## Out of Scope
+
+A description of the things that are out of scope for this PRD.
+
+## Further Notes
+
+Any further notes about the feature.
+
+</prd-template>
diff --git a/scripts/workstation/claude-skills/triage/AGENT-BRIEF.md b/scripts/workstation/claude-skills/triage/AGENT-BRIEF.md
new file mode 100644
index 00000000..2efecdfe
--- /dev/null
+++ b/scripts/workstation/claude-skills/triage/AGENT-BRIEF.md
@@ -0,0 +1,168 @@
+# Writing Agent Briefs
+
+An agent brief is a structured comment posted on a GitHub issue when it moves to `ready-for-agent`. It is the authoritative specification that an AFK agent will work from. The original issue body and discussion are context — the agent brief is the contract.
+
+## Principles
+
+### Durability over precision
+
+The issue may sit in `ready-for-agent` for days or weeks. The codebase will change in the meantime. Write the brief so it stays useful even as files are renamed, moved, or refactored.
+
+- **Do** describe interfaces, types, and behavioral contracts
+- **Do** name specific types, function signatures, or config shapes that the agent should look for or modify
+- **Don't** reference file paths — they go stale
+- **Don't** reference line numbers
+- **Don't** assume the current implementation structure will remain the same
+
+### Behavioral, not procedural
+
+Describe **what** the system should do, not **how** to implement it. The agent will explore the codebase fresh and make its own implementation decisions.
+
+- **Good:** "The `SkillConfig` type should accept an optional `schedule` field of type `CronExpression`"
+- **Bad:** "Open src/types/skill.ts and add a schedule field on line 42"
+- **Good:** "When a user runs `/triage` with no arguments, they should see a summary of issues needing attention"
+- **Bad:** "Add a switch statement in the main handler function"
+
+### Complete acceptance criteria
+
+The agent needs to know when it's done. Every agent brief must have concrete, testable acceptance criteria. Each criterion should be independently verifiable.
+
+- **Good:** "Running `gh issue list --label needs-triage` returns issues that have been through initial classification"
+- **Bad:** "Triage should work correctly"
+
+### Explicit scope boundaries
+
+State what is out of scope. This prevents the agent from gold-plating or making assumptions about adjacent features.
+
+## Template
+
+```markdown
+## Agent Brief
+
+**Category:** bug / enhancement
+**Summary:** one-line description of what needs to happen
+
+**Current behavior:**
+Describe what happens now. For bugs, this is the broken behavior.
+For enhancements, this is the status quo the feature builds on.
+
+**Desired behavior:**
+Describe what should happen after the agent's work is complete.
+Be specific about edge cases and error conditions.
+
+**Key interfaces:**
+- `TypeName` — what needs to change and why
+- `functionName()` return type — what it currently returns vs what it should return
+- Config shape — any new configuration options needed
+
+**Acceptance criteria:**
+- [ ] Specific, testable criterion 1
+- [ ] Specific, testable criterion 2
+- [ ] Specific, testable criterion 3
+
+**Out of scope:**
+- Thing that should NOT be changed or addressed in this issue
+- Adjacent feature that might seem related but is separate
+```
+
+## Examples
+
+### Good agent brief (bug)
+
+```markdown
+## Agent Brief
+
+**Category:** bug
+**Summary:** Skill description truncation drops mid-word, producing broken output
+
+**Current behavior:**
+When a skill description exceeds 1024 characters, it is truncated at exactly
+1024 characters regardless of word boundaries. This produces descriptions
+that end mid-word (e.g. "Use when the user wants to confi").
+
+**Desired behavior:**
+Truncation should break at the last word boundary before 1024 characters
+and append "..." to indicate truncation.
+
+**Key interfaces:**
+- The `SkillMetadata` type's `description` field — no type change needed,
+  but the validation/processing logic that populates it needs to respect
+  word boundaries
+- Any function that reads SKILL.md frontmatter and extracts the description
+
+**Acceptance criteria:**
+- [ ] Descriptions under 1024 chars are unchanged
+- [ ] Descriptions over 1024 chars are truncated at the last word boundary
+      before 1024 chars
+- [ ] Truncated descriptions end with "..."
+- [ ] The total length including "..." does not exceed 1024 chars
+
+**Out of scope:**
+- Changing the 1024 char limit itself
+- Multi-line description support
+```
+
+### Good agent brief (enhancement)
+
+```markdown
+## Agent Brief
+
+**Category:** enhancement
+**Summary:** Add `.out-of-scope/` directory support for tracking rejected feature requests
+
+**Current behavior:**
+When a feature request is rejected, the issue is closed with a `wontfix` label
+and a comment. There is no persistent record of the decision or reasoning.
+Future similar requests require the maintainer to recall or search for the
+prior discussion.
+
+**Desired behavior:**
+Rejected feature requests should be documented in `.out-of-scope/<concept>.md`
+files that capture the decision, reasoning, and links to all issues that
+requested the feature. When triaging new issues, these files should be
+checked for matches.
+
+**Key interfaces:**
+- Markdown file format in `.out-of-scope/` — each file should have a
+  `# Concept Name` heading, a `**Decision:**` line, a `**Reason:**` line,
+  and a `**Prior requests:**` list with issue links
+- The triage workflow should read all `.out-of-scope/*.md` files early
+  and match incoming issues against them by concept similarity
+
+**Acceptance criteria:**
+- [ ] Closing a feature as wontfix creates/updates a file in `.out-of-scope/`
+- [ ] The file includes the decision, reasoning, and link to the closed issue
+- [ ] If a matching `.out-of-scope/` file already exists, the new issue is
+      appended to its "Prior requests" list rather than creating a duplicate
+- [ ] During triage, existing `.out-of-scope/` files are checked and surfaced
+      when a new issue matches a prior rejection
+
+**Out of scope:**
+- Automated matching (human confirms the match)
+- Reopening previously rejected features
+- Bug reports (only enhancement rejections go to `.out-of-scope/`)
+```
+
+### Bad agent brief
+
+```markdown
+## Agent Brief
+
+**Summary:** Fix the triage bug
+
+**What to do:**
+The triage thing is broken. Look at the main file and fix it.
+The function around line 150 has the issue.
+
+**Files to change:**
+- src/triage/handler.ts (line 150)
+- src/types.ts (line 42)
+```
+
+This is bad because:
+- No category
+- Vague description ("the triage thing is broken")
+- References file paths and line numbers that will go stale
+- No acceptance criteria
+- No scope boundaries
+- No description of current vs desired behavior
diff --git a/scripts/workstation/claude-skills/triage/OUT-OF-SCOPE.md b/scripts/workstation/claude-skills/triage/OUT-OF-SCOPE.md
new file mode 100644
index 00000000..cc8ea257
--- /dev/null
+++ b/scripts/workstation/claude-skills/triage/OUT-OF-SCOPE.md
@@ -0,0 +1,101 @@
+# Out-of-Scope Knowledge Base
+
+The `.out-of-scope/` directory in a repo stores persistent records of rejected feature requests. It serves two purposes:
+
+1. **Institutional memory** — why a feature was rejected, so the reasoning isn't lost when the issue is closed
+2. **Deduplication** — when a new issue comes in that matches a prior rejection, the skill can surface the previous decision instead of re-litigating it
+
+## Directory structure
+
+```
+.out-of-scope/
+├── dark-mode.md
+├── plugin-system.md
+└── graphql-api.md
+```
+
+One file per **concept**, not per issue. Multiple issues requesting the same thing are grouped under one file.
+
+## File format
+
+The file should be written in a relaxed, readable style — more like a short design document than a database entry. Use paragraphs, code samples, and examples to make the reasoning clear and useful to someone encountering it for the first time.
+
+```markdown
+# Dark Mode
+
+This project does not support dark mode or user-facing theming.
+
+## Why this is out of scope
+
+The rendering pipeline assumes a single color palette defined in
+`ThemeConfig`. Supporting multiple themes would require:
+
+- A theme context provider wrapping the entire component tree
+- Per-component theme-aware style resolution
+- A persistence layer for user theme preferences
+
+This is a significant architectural change that doesn't align with the
+project's focus on content authoring. Theming is a concern for downstream
+consumers who embed or redistribute the output.
+
+```ts
+// The current ThemeConfig interface is not designed for runtime switching:
+interface ThemeConfig {
+  colors: ColorPalette; // single palette, resolved at build time
+  fonts: FontStack;
+}
+```
+
+## Prior requests
+
+- #42 — "Add dark mode support"
+- #87 — "Night theme for accessibility"
+- #134 — "Dark theme option"
+```
+
+### Naming the file
+
+Use a short, descriptive kebab-case name for the concept: `dark-mode.md`, `plugin-system.md`, `graphql-api.md`. The name should be recognizable enough that someone browsing the directory understands what was rejected without opening the file.
+
+### Writing the reason
+
+The reason should be substantive — not "we don't want this" but why. Good reasons reference:
+
+- Project scope or philosophy ("This project focuses on X; theming is a downstream concern")
+- Technical constraints ("Supporting this would require Y, which conflicts with our Z architecture")
+- Strategic decisions ("We chose to use A instead of B because...")
+
+The reason should be durable. Avoid referencing temporary circumstances ("we're too busy right now") — those aren't real rejections, they're deferrals.
+
+## When to check `.out-of-scope/`
+
+During triage (Step 1: Gather context), read all files in `.out-of-scope/`. When evaluating a new issue:
+
+- Check if the request matches an existing out-of-scope concept
+- Matching is by concept similarity, not keyword — "night theme" matches `dark-mode.md`
+- If there's a match, surface it to the maintainer: "This is similar to `.out-of-scope/dark-mode.md` — we rejected this before because [reason]. Do you still feel the same way?"
+
+The maintainer may:
+
+- **Confirm** — the new issue gets added to the existing file's "Prior requests" list, then closed
+- **Reconsider** — the out-of-scope file gets deleted or updated, and the issue proceeds through normal triage
+- **Disagree** — the issues are related but distinct, proceed with normal triage
+
+## When to write to `.out-of-scope/`
+
+Only when an **enhancement** (not a bug) is rejected as `wontfix`. The flow:
+
+1. Maintainer decides a feature request is out of scope
+2. Check if a matching `.out-of-scope/` file already exists
+3. If yes: append the new issue to the "Prior requests" list
+4. If no: create a new file with the concept name, decision, reason, and first prior request
+5. Post a comment on the issue explaining the decision and mentioning the `.out-of-scope/` file
+6. Close the issue with the `wontfix` label
+
+## Updating or removing out-of-scope files
+
+If the maintainer changes their mind about a previously rejected concept:
+
+- Delete the `.out-of-scope/` file
+- The skill does not need to reopen old issues — they're historical records
+- The new issue that triggered the reconsideration proceeds through normal triage
diff --git a/scripts/workstation/claude-skills/triage/SKILL.md b/scripts/workstation/claude-skills/triage/SKILL.md
new file mode 100644
index 00000000..3dee68f9
--- /dev/null
+++ b/scripts/workstation/claude-skills/triage/SKILL.md
@@ -0,0 +1,103 @@
+---
+name: triage
+description: Triage issues through a state machine driven by triage roles. Use when user wants to create an issue, triage issues, review incoming bugs or feature requests, prepare issues for an AFK agent, or manage issue workflow.
+---
+
+# Triage
+
+Move issues on the project issue tracker through a small state machine of triage roles.
+
+Every comment or issue posted to the issue tracker during triage **must** start with this disclaimer:
+
+```
+> *This was generated by AI during triage.*
+```
+
+## Reference docs
+
+- [AGENT-BRIEF.md](AGENT-BRIEF.md) — how to write durable agent briefs
+- [OUT-OF-SCOPE.md](OUT-OF-SCOPE.md) — how the `.out-of-scope/` knowledge base works
+
+## Roles
+
+Two **category** roles:
+
+- `bug` — something is broken
+- `enhancement` — new feature or improvement
+
+Five **state** roles:
+
+- `needs-triage` — maintainer needs to evaluate
+- `needs-info` — waiting on reporter for more information
+- `ready-for-agent` — fully specified, ready for an AFK agent
+- `ready-for-human` — needs human implementation
+- `wontfix` — will not be actioned
+
+Every triaged issue should carry exactly one category role and one state role. If state roles conflict, flag it and ask the maintainer before doing anything else.
+
+These are canonical role names — the actual label strings used in the issue tracker may differ. The mapping should have been provided to you - run `/setup-matt-pocock-skills` if not.
+
+State transitions: an unlabeled issue normally goes to `needs-triage` first; from there it moves to `needs-info`, `ready-for-agent`, `ready-for-human`, or `wontfix`. `needs-info` returns to `needs-triage` once the reporter replies. The maintainer can override at any time — flag transitions that look unusual and ask before proceeding.
+
+## Invocation
+
+The maintainer invokes `/triage` and describes what they want in natural language. Interpret the request and act. Examples:
+
+- "Show me anything that needs my attention"
+- "Let's look at #42"
+- "Move #42 to ready-for-agent"
+- "What's ready for agents to pick up?"
+
+## Show what needs attention
+
+Query the issue tracker and present three buckets, oldest first:
+
+1. **Unlabeled** — never triaged.
+2. **`needs-triage`** — evaluation in progress.
+3. **`needs-info` with reporter activity since the last triage notes** — needs re-evaluation.
+
+Show counts and a one-line summary per issue. Let the maintainer pick.
+
+## Triage a specific issue
+
+1. **Gather context.** Read the full issue (body, comments, labels, reporter, dates). Parse any prior triage notes so you don't re-ask resolved questions. Explore the codebase using the project's domain glossary, respecting ADRs in the area. Read `.out-of-scope/*.md` and surface any prior rejection that resembles this issue.
+
+2. **Recommend.** Tell the maintainer your category and state recommendation with reasoning, plus a brief codebase summary relevant to the issue. Wait for direction.
+
+3. **Reproduce (bugs only).** Before any grilling, attempt reproduction: read the reporter's steps, trace the relevant code, run tests or commands. Report what happened — successful repro with code path, failed repro, or insufficient detail (a strong `needs-info` signal). A confirmed repro makes a much stronger agent brief.
+
+4. **Grill (if needed).** If the issue needs fleshing out, run a `/grill-with-docs` session.
+
+5. **Apply the outcome:**
+   - `ready-for-agent` — post an agent brief comment ([AGENT-BRIEF.md](AGENT-BRIEF.md)).
+   - `ready-for-human` — same structure as an agent brief, but note why it can't be delegated (judgment calls, external access, design decisions, manual testing).
+   - `needs-info` — post triage notes (template below).
+   - `wontfix` (bug) — polite explanation, then close.
+   - `wontfix` (enhancement) — write to `.out-of-scope/`, link to it from a comment, then close ([OUT-OF-SCOPE.md](OUT-OF-SCOPE.md)).
+   - `needs-triage` — apply the role. Optional comment if there's partial progress.
+
+## Quick state override
+
+If the maintainer says "move #42 to ready-for-agent", trust them and apply the role directly. Confirm what you're about to do (role changes, comment, close), then act. Skip grilling. If moving to `ready-for-agent` without a grilling session, ask whether they want to write an agent brief.
+
+## Needs-info template
+
+```markdown
+## Triage Notes
+
+**What we've established so far:**
+
+- point 1
+- point 2
+
+**What we still need from you (@reporter):**
+
+- question 1
+- question 2
+```
+
+Capture everything resolved during grilling under "established so far" so the work isn't lost. Questions must be specific and actionable, not "please provide more info".
+
+## Resuming a previous session
+
+If prior triage notes exist on the issue, read them, check whether the reporter has answered any outstanding questions, and present an updated picture before continuing. Don't re-ask resolved questions.
diff --git a/scripts/workstation/claude-skills/write-a-skill/SKILL.md b/scripts/workstation/claude-skills/write-a-skill/SKILL.md
new file mode 100644
index 00000000..7339c8a3
--- /dev/null
+++ b/scripts/workstation/claude-skills/write-a-skill/SKILL.md
@@ -0,0 +1,117 @@
+---
+name: write-a-skill
+description: Create new agent skills with proper structure, progressive disclosure, and bundled resources. Use when user wants to create, write, or build a new skill.
+---
+
+# Writing Skills
+
+## Process
+
+1. **Gather requirements** - ask user about:
+   - What task/domain does the skill cover?
+   - What specific use cases should it handle?
+   - Does it need executable scripts or just instructions?
+   - Any reference materials to include?
+
+2. **Draft the skill** - create:
+   - SKILL.md with concise instructions
+   - Additional reference files if content exceeds 500 lines
+   - Utility scripts if deterministic operations needed
+
+3. **Review with user** - present draft and ask:
+   - Does this cover your use cases?
+   - Anything missing or unclear?
+   - Should any section be more/less detailed?
+
+## Skill Structure
+
+```
+skill-name/
+├── SKILL.md           # Main instructions (required)
+├── REFERENCE.md       # Detailed docs (if needed)
+├── EXAMPLES.md        # Usage examples (if needed)
+└── scripts/           # Utility scripts (if needed)
+    └── helper.js
+```
+
+## SKILL.md Template
+
+```md
+---
+name: skill-name
+description: Brief description of capability. Use when [specific triggers].
+---
+
+# Skill Name
+
+## Quick start
+
+[Minimal working example]
+
+## Workflows
+
+[Step-by-step processes with checklists for complex tasks]
+
+## Advanced features
+
+[Link to separate files: See [REFERENCE.md](REFERENCE.md)]
+```
+
+## Description Requirements
+
+The description is **the only thing your agent sees** when deciding which skill to load. It's surfaced in the system prompt alongside all other installed skills. Your agent reads these descriptions and picks the relevant skill based on the user's request.
+
+**Goal**: Give your agent just enough info to know:
+
+1. What capability this skill provides
+2. When/why to trigger it (specific keywords, contexts, file types)
+
+**Format**:
+
+- Max 1024 chars
+- Write in third person
+- First sentence: what it does
+- Second sentence: "Use when [specific triggers]"
+
+**Good example**:
+
+```
+Extract text and tables from PDF files, fill forms, merge documents. Use when working with PDF files or when user mentions PDFs, forms, or document extraction.
+```
+
+**Bad example**:
+
+```
+Helps with documents.
+```
+
+The bad example gives your agent no way to distinguish this from other document skills.
+
+## When to Add Scripts
+
+Add utility scripts when:
+
+- Operation is deterministic (validation, formatting)
+- Same code would be generated repeatedly
+- Errors need explicit handling
+
+Scripts save tokens and improve reliability vs generated code.
+
+## When to Split Files
+
+Split into separate files when:
+
+- SKILL.md exceeds 100 lines
+- Content has distinct domains (finance vs sales schemas)
+- Advanced features are rarely needed
+
+## Review Checklist
+
+After drafting, verify:
+
+- [ ] Description includes triggers ("Use when...")
+- [ ] SKILL.md under 100 lines
+- [ ] No time-sensitive info
+- [ ] Consistent terminology
+- [ ] Concrete examples included
+- [ ] References one level deep
diff --git a/scripts/workstation/claude-skills/zoom-out/SKILL.md b/scripts/workstation/claude-skills/zoom-out/SKILL.md
new file mode 100644
index 00000000..1e7a5dc7
--- /dev/null
+++ b/scripts/workstation/claude-skills/zoom-out/SKILL.md
@@ -0,0 +1,7 @@
+---
+name: zoom-out
+description: Tell the agent to zoom out and give broader context or a higher-level perspective. Use when you're unfamiliar with a section of code or need to understand how it fits into the bigger picture.
+disable-model-invocation: true
+---
+
+I don't know this area of code well. Go up a layer of abstraction. Give me a map of all the relevant modules and callers, using the project's domain glossary vocabulary.
diff --git a/scripts/workstation/managed-settings.json b/scripts/workstation/managed-settings.json
index aa259ff7..de214a1b 100644
--- a/scripts/workstation/managed-settings.json
+++ b/scripts/workstation/managed-settings.json
@@ -1,3 +1,4 @@
 {
-  "claudeMd": "# Viktor Barzin homelab — shared multi-user Claude Code Workstation (devvm)\n\nYou are running as a specific OS user on a SHARED devvm Workstation, not as the admin. These org-wide rules apply to EVERY user and sit at the top of settings precedence (they cannot be overridden by a user's own config):\n\n- Respect your permission tier. Your kubectl, Vault, and infra access are scoped to your RBAC tier (admin / power-user / namespace-owner). Do not attempt to escalate privileges or reach another user's resources.\n- Secrets are per-user. Never read another user's home directory, credentials, tokens, or ~/.claude secrets. Your own secrets live in your home at mode 600.\n- Infrastructure changes go through Terraform/Terragrunt (scripts/tg apply) — never direct kubectl apply/edit/patch. Pushing to git does NOT deploy; applies are manual and admin-gated, so your edits cannot take effect without an admin apply.\n- Follow the engineering rules in ~/.claude/rules/ (execution, planning, quality) and every CLAUDE.md in the repo tree.\n- The monorepo is at ~/code. Non-admins get a git-crypt-LOCKED clone: secret files read as ciphertext — that is expected, not an error."
+  "claudeMd": "# Viktor Barzin homelab — shared multi-user Claude Code Workstation (devvm)\n\nYou are running as a specific OS user on a SHARED devvm Workstation, not as the admin. These org-wide rules apply to EVERY user and sit at the top of settings precedence (they cannot be overridden by a user's own config):\n\n- Respect your permission tier. kubectl, Vault, and infra access are scoped to your RBAC tier (admin / power-user / namespace-owner). Do not attempt to escalate privileges or reach another user's resources.\n- Secrets are per-user. Never read another user's home directory, credentials, tokens, or ~/.claude secrets. Your own secrets live in your home at mode 600.\n- Infrastructure changes go through Terraform/Terragrunt — never direct kubectl apply/edit/patch. Committed stack changes are auto-applied by CI on push to master; verify the live result with your read-only kubectl.\n- The AGENT does ALL git mechanics silently — the user may not know git, so never ask them to commit, push, pull, or open anything, and never surface git jargon. Lifecycle (worktrees, landing, cleanup): ~/.claude/rules/execution.md. Org red-lines on top:\n  - THE COMMIT MESSAGE IS THE AUDIT TRAIL — subject says WHAT changed; body says WHY in plain words (paraphrase the user's actual request).\n  - Never use [ci skip] as a non-admin (it hides the change from the audit feed).\n  - Push rejected by branch protection (user not whitelisted) → fall back to a <os-user>/<topic> branch + PR via the Forgejo API (token = password field in ~/.git-credentials).\n  - Keep every clone on a clean master when done; tell the user in plain words what happened.\n  - Full recipe: AGENTS.md → \"Non-admin workstation users\" in your infra clone.\n- Follow the engineering rules in ~/.claude/rules/ (execution, planning) and every CLAUDE.md in the repo tree.\n- Code lives under ~/code in one of two per-user layouts: either ~/code IS the git-crypt-LOCKED infra clone (single layout), or ~/code is a workspace directory of per-project clones — the locked infra clone at ~/code/infra plus other project repos alongside it. [ -d ~/code/.git ] means single. In locked infra clones secret files read as ciphertext — that is expected, not an error.\n",
+  "model": "claude-opus-4-8"
 }
diff --git a/scripts/workstation/packages.txt b/scripts/workstation/packages.txt
index 6b7c3451..f578ee90 100644
--- a/scripts/workstation/packages.txt
+++ b/scripts/workstation/packages.txt
@@ -15,12 +15,32 @@ python3
 python3-yaml
 python3-pip
 podman
+# build/runtime deps of setup-devvm.sh itself (added 2026-06-10 reproducibility audit):
+golang-go        # builds the t3-dispatch binary (setup-devvm.sh section 9)
+unzip            # extracts the kubelogin release zip (section 3; python3 zipfile is the fallback)
+build-essential  # cgo + npm native-module builds
+# core workstation tools (were manually-installed, not captured in the manifest):
+rsync
+wget
+tree
+shellcheck
+# resource containment — earlyoom backstop (setup-devvm.sh §10, 2026-06-22): a
+# free-RAM-threshold OOM killer used INSTEAD of systemd-oomd, which is inert with
+# swap=0 (its pressure-kill needs reclaim/pgscan that no-swap anon workloads never
+# produce; verified live — 99% mem.pressure, pgscan=0, no kill). earlyoom watches
+# MemAvailable% and is swap-independent.
+earlyoom
 
 # --- installed by setup-devvm.sh via NON-apt paths (not apt-installable) ---
 # nodejs + npm                -> NodeSource repo (claude-code needs node >= 18; distro nodejs is too old)
+# gh (GitHub CLI)             -> GitHub's own apt repo (cli.github.com), NOT in the default Ubuntu repos
 # @anthropic-ai/claude-code   -> npm install -g
 # kubectl                     -> k8s apt repo OR pinned binary (already present on devvm)
 # vault                       -> HashiCorp apt repo OR pinned binary (already present on devvm)
 # kubelogin (kubectl oidc-login) -> `kubectl krew install oidc-login` or int128/kubelogin release.
 #                                NOTE: the apt package literally named "kubelogin" is the AZURE
 #                                tool, NOT the OIDC one we need -- do not apt-install it.
+
+# Scraped by Prometheus job `devvm` (stacks/monitoring) — pressure/swap/load
+# history for t3 drop attribution (docs/runbooks/t3-drop-attribution.md).
+prometheus-node-exporter
diff --git a/scripts/workstation/playwright/playwright-mcp@.service b/scripts/workstation/playwright/playwright-mcp@.service
new file mode 100644
index 00000000..8bc4dd7f
--- /dev/null
+++ b/scripts/workstation/playwright/playwright-mcp@.service
@@ -0,0 +1,35 @@
+[Unit]
+# Per-user isolated playwright-mcp HTTP server — the browser MCP each user's
+# Claude Code sessions connect to (user-scope `.claude.json` entry "playwright"
+# -> http://localhost:<PLAYWRIGHT_PORT>/mcp). System-level TEMPLATE unit (one
+# committed file, one instance per OS user: playwright-mcp@<user>.service), so
+# it is reproducible from git and root-manageable WITHOUT systemd --user / linger.
+# Installed to /etc/systemd/system by setup-devvm.sh; enabled per-user by
+# t3-provision-users.sh. Supersedes the hand-made ~/.config/systemd/user units.
+Description=Per-user isolated playwright-mcp HTTP server (%i)
+After=network-online.target playwright-snapshot-refresh@%i.service
+Wants=network-online.target playwright-snapshot-refresh@%i.service
+
+[Service]
+Type=simple
+User=%i
+# PLAYWRIGHT_PORT is written per-user by t3-provision-users.sh from roster_engine
+# (PLAYWRIGHT_BASE_PORT, sticky allocation). Required (no `-`): a missing port
+# file should fail loudly rather than start npx with an empty --port.
+EnvironmentFile=/etc/t3-serve/playwright-%i.env
+Restart=on-failure
+RestartSec=5
+# --isolated: each MCP HTTP connection (= each Claude Code session) gets a fresh
+#   ephemeral BrowserContext, so a single user's concurrent sessions never share
+#   tabs. --storage-state seeds each context from the hourly cookie snapshot
+#   harvested from in-cluster chrome-service (warm logged-in state).
+# Version PINNED (see the T3_PIN rationale in setup-devvm.sh): @latest re-resolves
+#   on every restart, so an upstream breaking release would silently roll the
+#   whole fleet. Bump deliberately in git. %h is NOT used (it resolves to /root
+#   in a system unit even with User=); the home path is spelled out as /home/%i.
+ExecStart=/usr/bin/npx -y @playwright/mcp@0.0.76 --port ${PLAYWRIGHT_PORT} --host localhost --headless --browser chrome --isolated --storage-state /home/%i/.cache/playwright-shared-storage-state.json
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/workstation/playwright/playwright-snapshot-refresh b/scripts/workstation/playwright/playwright-snapshot-refresh
new file mode 100755
index 00000000..5a816a0d
--- /dev/null
+++ b/scripts/workstation/playwright/playwright-snapshot-refresh
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# Refresh the local cookie+localStorage snapshot served by chrome-service.
+#
+# Run per-user by the hourly playwright-snapshot-refresh@<user>.timer systemd
+# unit (as that user, so $HOME resolves to the user's home). Per-session Claude
+# Code MCP contexts (`@playwright/mcp --isolated --storage-state=…`) read this
+# file on each connection — fresh state is visible to NEW sessions, existing
+# ones keep what they were seeded with.
+#
+# Token: cached at ~/.config/playwright/token. Seeded per-user (if-absent) by
+#   t3-provision-users.sh from the root-staged /etc/t3-serve/chrome-service-token
+#   (which setup-devvm.sh writes from Vault `secret/chrome-service`
+#   api_bearer_token). Rotate by re-staging + re-copying; the snapshot endpoint
+#   reloads the token via Reloader, local caches must be refreshed.
+set -euo pipefail
+
+URL="${PLAYWRIGHT_SNAPSHOT_URL:-https://chrome.viktorbarzin.me/api/snapshot}"
+TOKEN_FILE="${PLAYWRIGHT_SNAPSHOT_TOKEN:-$HOME/.config/playwright/token}"
+DEST="${PLAYWRIGHT_SNAPSHOT_PATH:-$HOME/.cache/playwright-shared-storage-state.json}"
+
+if [ ! -r "$TOKEN_FILE" ]; then
+  echo "ERROR: token file $TOKEN_FILE missing or unreadable" >&2
+  exit 1
+fi
+
+mkdir -p "$(dirname "$DEST")"
+TMP="$DEST.new.$$"
+trap 'rm -f "$TMP"' EXIT
+
+TOKEN="$(cat "$TOKEN_FILE")"
+
+HTTP_CODE=$(curl -sS \
+  -H "Authorization: Bearer $TOKEN" \
+  -o "$TMP" \
+  -w '%{http_code}' \
+  --max-time 30 \
+  "$URL")
+
+if [ "$HTTP_CODE" != "200" ]; then
+  echo "ERROR: HTTP $HTTP_CODE from $URL" >&2
+  cat "$TMP" >&2
+  exit 1
+fi
+
+# Sanity: response must be valid JSON with at least the cookies/origins keys.
+python3 - "$TMP" <<'PY' || { echo "ERROR: response is not a valid storageState JSON" >&2; exit 1; }
+import json, sys
+with open(sys.argv[1]) as f:
+    data = json.load(f)
+if "cookies" not in data or "origins" not in data:
+    raise SystemExit("missing required keys")
+PY
+
+mv -f "$TMP" "$DEST"
+trap - EXIT
+chmod 600 "$DEST"
+echo "snapshot refreshed: $DEST ($(stat -c %s "$DEST") bytes)"
diff --git a/scripts/workstation/playwright/playwright-snapshot-refresh@.service b/scripts/workstation/playwright/playwright-snapshot-refresh@.service
new file mode 100644
index 00000000..2b8d425b
--- /dev/null
+++ b/scripts/workstation/playwright/playwright-snapshot-refresh@.service
@@ -0,0 +1,22 @@
+[Unit]
+# Per-user oneshot that pulls the warm cookie+localStorage snapshot from
+# in-cluster chrome-service into ~/.cache/playwright-shared-storage-state.json,
+# which playwright-mcp@%i seeds every new session from. System-level TEMPLATE
+# (one instance per user); runs the shared /usr/local/bin script as the user.
+Description=Refresh %i's playwright storage-state snapshot from chrome-service
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+User=%i
+# Runs as %i, so the script's $HOME-relative paths (token, cache dest) resolve to
+# the user's home. $HOME/$USER are set by systemd because User= is set.
+ExecStart=/usr/local/bin/playwright-snapshot-refresh
+StandardOutput=journal
+StandardError=journal
+# Don't hang if chrome-service is unreachable — the timer retries next hour.
+TimeoutStartSec=60
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/workstation/playwright/playwright-snapshot-refresh@.timer b/scripts/workstation/playwright/playwright-snapshot-refresh@.timer
new file mode 100644
index 00000000..24b82e85
--- /dev/null
+++ b/scripts/workstation/playwright/playwright-snapshot-refresh@.timer
@@ -0,0 +1,16 @@
+[Unit]
+Description=Hourly refresh of %i's playwright storage-state snapshot from chrome-service
+After=network-online.target
+
+[Timer]
+# 5 minutes after the in-cluster snapshot-harvester CronJob (runs at :23 every
+# hour) so the file we pull is the freshest one. Also once shortly after boot so
+# a freshly-booted box doesn't wait until the next :28 to populate the cache.
+OnCalendar=*-*-* *:28:00
+OnBootSec=2min
+Persistent=true
+RandomizedDelaySec=30
+Unit=playwright-snapshot-refresh@%i.service
+
+[Install]
+WantedBy=timers.target
diff --git a/scripts/workstation/roster.yaml b/scripts/workstation/roster.yaml
index 0319c824..b9059760 100644
--- a/scripts/workstation/roster.yaml
+++ b/scripts/workstation/roster.yaml
@@ -10,6 +10,14 @@
 #   power-user      - cluster-wide READ (no Secrets) via oidc-power-user-readonly; locked clone
 #   namespace-owner - admin in their own namespace(s) only; locked clone
 #
+# Optional per-user code layout (non-admins):
+#   code_layout: single (default) - ~/code IS the locked infra clone
+#   code_layout: workspace        - ~/code is a directory of per-project clones:
+#                                   the locked infra clone at ~/code/infra, plus
+#                                   each `repos` entry cloned from Forgejo
+#                                   viktor/<name> with the user's own PAT.
+#                                   A single-layout ~/code is auto-migrated.
+#
 # wizard IS listed (as admin): the reconcile REGENERATES /etc/ttyd-user-map +
 # dispatch.json from this file, so omitting him would drop his t3 instance. The
 # provisioner skips account/group/clone mutations for already-existing users, so
@@ -17,5 +25,5 @@
 users:
   wizard:    {authentik_user: vbarzin,     k8s_user: wizard, tier: admin}                                          # base config author + cluster-admin
   emo:       {authentik_user: emil.barzin, k8s_user: emo,    tier: power-user}                                     # NET-NEW k8s_users entry (add as power-user before provisioning)
-  ancamilea: {authentik_user: ancaelena98, k8s_user: anca,   tier: namespace-owner, namespaces: [plotting-book]}   # ALREADY provisioned in-cluster -- assert, don't re-create
+  ancamilea: {authentik_user: ancaelena98, k8s_user: anca,   tier: namespace-owner, namespaces: [plotting-book], code_layout: workspace, repos: [tripit]}   # ALREADY provisioned in-cluster -- assert, don't re-create
 # gheorghe:  {authentik_user: vabbit81,    k8s_user: vabbit81, tier: namespace-owner, namespaces: [vabbit81]}      # already a cluster ns-owner; uncomment to give him a devvm workstation
diff --git a/scripts/workstation/roster_engine.py b/scripts/workstation/roster_engine.py
index d9e7dd71..2c984556 100644
--- a/scripts/workstation/roster_engine.py
+++ b/scripts/workstation/roster_engine.py
@@ -13,6 +13,7 @@ per person and are recorded explicitly (no email->username derivation).
 from __future__ import annotations
 
 import json
+import re
 import sys
 from dataclasses import dataclass, field
 from typing import Iterable
@@ -20,7 +21,20 @@ from typing import Iterable
 import yaml
 
 BASE_PORT = 3773
+# Per-user playwright-mcp HTTP port (the browser MCP each user's Claude sessions
+# connect to). Distinct range from T3_PORT, allocated for EVERY roster user incl.
+# the admin (wizard is listed). Sticky from existing, so the live in-session
+# assignments (wizard 8931, emo 8932, ancamilea 8933) are preserved across
+# reconciles once seeded; a fresh box allocates from 8931 in sorted order.
+PLAYWRIGHT_BASE_PORT = 8931
 VALID_TIERS = ("admin", "power-user", "namespace-owner")
+# single    - ~/code IS the locked infra clone (the original non-admin layout)
+# workspace - ~/code is a plain directory of per-project clones; the locked
+#             infra clone lives at ~/code/infra and `repos` clone alongside it
+VALID_CODE_LAYOUTS = ("single", "workspace")
+# Repo names become root-executed clone/mv paths under ~/code — plain
+# leading-alphanumeric names only (no separators, dotfiles, or option-like names).
+_REPO_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
 # Tier -> supplementary groups the reconcile ENSURES (additive-only; never stripped).
 TIER_GROUPS: dict[str, tuple[str, ...]] = {
     "admin": ("code-shared", "docker", "sudo"),
@@ -48,6 +62,8 @@ class User:
     k8s_user: str
     tier: str
     namespaces: tuple[str, ...] = ()
+    code_layout: str = "single"
+    repos: tuple[str, ...] = ()
 
 
 @dataclass(frozen=True)
@@ -62,6 +78,8 @@ class Account:
     shell: str
     login_locked: bool
     groups: tuple[str, ...]
+    code_layout: str = "single"
+    repos: tuple[str, ...] = ()
 
 
 @dataclass(frozen=True)
@@ -70,6 +88,7 @@ class DesiredState:
     ttyd_user_map: str
     dispatch: dict[str, dict]
     ports: dict[str, int]
+    playwright_ports: dict[str, int] = field(default_factory=dict)
 
 
 @dataclass(frozen=True)
@@ -98,7 +117,31 @@ def _parse_user(os_user: str, spec: dict) -> User:
         raise RosterError(f"user {os_user!r}: namespace-owner requires namespaces")
     if tier != "namespace-owner" and namespaces:
         raise RosterError(f"user {os_user!r}: only namespace-owner may set namespaces")
-    return User(os_user, spec["authentik_user"], spec["k8s_user"], tier, namespaces)
+    code_layout = spec.get("code_layout", "single")
+    if code_layout not in VALID_CODE_LAYOUTS:
+        raise RosterError(
+            f"user {os_user!r}: unknown code_layout {code_layout!r} "
+            f"(valid: {list(VALID_CODE_LAYOUTS)})"
+        )
+    repos = tuple(spec.get("repos") or ())
+    if repos and code_layout != "workspace":
+        raise RosterError(f"user {os_user!r}: repos require code_layout: workspace")
+    for repo in repos:
+        if not _REPO_NAME_RE.match(repo):
+            raise RosterError(f"user {os_user!r}: unsafe repo name {repo!r}")
+    if "infra" in repos:
+        raise RosterError(
+            f"user {os_user!r}: infra is implicit at ~/code/infra — drop it from repos"
+        )
+    return User(
+        os_user,
+        spec["authentik_user"],
+        spec["k8s_user"],
+        tier,
+        namespaces,
+        code_layout,
+        repos,
+    )
 
 
 def load_roster(text: str) -> Roster:
@@ -167,13 +210,18 @@ def has_blocking_errors(issues: list[ValidationIssue]) -> bool:
 # --------------------------------------------------------------------------
 
 
-def _allocate_ports(roster: Roster, existing_ports: dict[str, int]) -> dict[str, int]:
+def _allocate_ports(
+    roster: Roster, existing_ports: dict[str, int], base: int = BASE_PORT
+) -> dict[str, int]:
+    """Sticky port allocation: keep every roster user's existing port, then assign
+    each new user the next free port from `base`. Used for both T3_PORT (base 3773)
+    and the per-user playwright-mcp port (base 8932)."""
     ports = {u: existing_ports[u] for u in roster.users if u in existing_ports}
     used = set(ports.values())
     for os_user in sorted(roster.users):
         if os_user in ports:
             continue
-        candidate = BASE_PORT
+        candidate = base
         while candidate in used:
             candidate += 1
         ports[os_user] = candidate
@@ -188,9 +236,14 @@ _TTYD_MAP_HEADER = (
 
 
 def derive_desired_state(
-    roster: Roster, existing_ports: dict[str, int]
+    roster: Roster,
+    existing_ports: dict[str, int],
+    existing_playwright_ports: dict[str, int] | None = None,
 ) -> DesiredState:
     ports = _allocate_ports(roster, existing_ports)
+    playwright_ports = _allocate_ports(
+        roster, existing_playwright_ports or {}, base=PLAYWRIGHT_BASE_PORT
+    )
     ordered = sorted(roster.users.values(), key=lambda u: ports[u.os_user])
     ttyd_lines = [f"{u.authentik_user}={u.os_user}" for u in ordered]
     ttyd_user_map = _TTYD_MAP_HEADER + "\n".join(ttyd_lines) + "\n"
@@ -205,10 +258,12 @@ def derive_desired_state(
             shell=DEFAULT_SHELL,
             login_locked=True,
             groups=TIER_GROUPS[u.tier],
+            code_layout=u.code_layout,
+            repos=u.repos,
         )
         for u in roster.users.values()
     }
-    return DesiredState(accounts, ttyd_user_map, dispatch, ports)
+    return DesiredState(accounts, ttyd_user_map, dispatch, ports, playwright_ports)
 
 
 def groups_to_add(desired: Iterable[str], current: Iterable[str]) -> list[str]:
@@ -257,12 +312,15 @@ def _desired_state_to_dict(ds: DesiredState) -> dict:
                 "shell": a.shell,
                 "login_locked": a.login_locked,
                 "groups": list(a.groups),
+                "code_layout": a.code_layout,
+                "repos": list(a.repos),
             }
             for name, a in ds.accounts.items()
         },
         "ttyd_user_map": ds.ttyd_user_map,
         "dispatch": ds.dispatch,
         "ports": ds.ports,
+        "playwright_ports": ds.playwright_ports,
     }
 
 
@@ -278,7 +336,11 @@ def _main(argv: list[str]) -> int:
     pv.add_argument("--k8s-users-json", required=True, help="JSON map {k8s_user: tier}")
     pd = sub.add_parser("derive", help="emit desired state as JSON")
     pd.add_argument("--roster", required=True)
-    pd.add_argument("--ports-json", required=True, help="JSON map {os_user: port}")
+    pd.add_argument("--ports-json", required=True, help="JSON map {os_user: T3_PORT}")
+    pd.add_argument(
+        "--playwright-ports-json",
+        help="JSON map {os_user: PLAYWRIGHT_PORT} (optional; sticky allocation)",
+    )
     args = parser.parse_args(argv)
 
     roster = load_roster_file(args.roster)
@@ -289,7 +351,12 @@ def _main(argv: list[str]) -> int:
             print(f"{issue.severity.upper()}: {issue.message}", file=sys.stderr)
         return 1 if has_blocking_errors(issues) else 0
     with open(args.ports_json, encoding="utf-8") as fh:
-        desired = derive_desired_state(roster, json.load(fh))
+        existing_ports = json.load(fh)
+    existing_playwright_ports = {}
+    if args.playwright_ports_json:
+        with open(args.playwright_ports_json, encoding="utf-8") as fh:
+            existing_playwright_ports = json.load(fh)
+    desired = derive_desired_state(roster, existing_ports, existing_playwright_ports)
     json.dump(_desired_state_to_dict(desired), sys.stdout, indent=2, sort_keys=True)
     sys.stdout.write("\n")
     return 0
diff --git a/scripts/workstation/setup-devvm.sh b/scripts/workstation/setup-devvm.sh
index 9e0284b6..2969b803 100755
--- a/scripts/workstation/setup-devvm.sh
+++ b/scripts/workstation/setup-devvm.sh
@@ -14,14 +14,22 @@ CONFIG_BASE="${WORKSTATION_CONFIG_BASE:-/home/wizard/.claude}"
 [[ $EUID -eq 0 ]] || { echo "setup-devvm.sh: must run as root" >&2; exit 1; }
 log() { echo "[setup-devvm] $*"; }
 
-# 1) apt toolset (declarative manifest; comments/blank lines stripped)
-mapfile -t PKGS < <(grep -vE '^[[:space:]]*(#|$)' "$HERE/packages.txt")
+# 1) apt toolset (declarative manifest; full-line AND inline comments stripped).
+# Passing an inline comment through makes apt treat the whole remainder as part
+# of the package name (e.g. "golang-go # builds ..."), breaking every rebuild.
+mapfile -t PKGS < <(sed -E 's/[[:space:]]+#.*$//' "$HERE/packages.txt" | grep -vE '^[[:space:]]*(#|$)')
 log "apt: ensuring ${#PKGS[@]} packages present"
 export DEBIAN_FRONTEND=noninteractive
 apt-get update -qq
 apt-get install -y "${PKGS[@]}" >/dev/null
 
-# 2) node >= 18 + claude-code (claude-code requires node >= 18)
+# 2) node >= 18 — needed for the t3 CLI (npm-global, below). NOT for claude-code:
+#    claude-code is the per-user NATIVE install (the recommended, self-updating
+#    ~/.local/bin/claude), provisioned per user by t3-provision-users
+#    (install_user_claude_native) and self-bootstrapped by start-claude.sh on first launch.
+#    We deliberately do NOT `npm install -g @anthropic-ai/claude-code` — npm/npx is not the
+#    recommended runtime, and a system-wide npm copy just shadows/duplicates the per-user
+#    native installs everyone auto-migrates to anyway.
 need_node=1
 if command -v node >/dev/null; then
   [[ "$(node -v | sed 's/^v\([0-9]*\).*/\1/')" -ge 18 ]] && need_node=0
@@ -31,13 +39,53 @@ if [[ $need_node -eq 1 ]]; then
   curl -fsSL https://deb.nodesource.com/setup_22.x | bash - >/dev/null
   apt-get install -y nodejs >/dev/null
 fi
-command -v claude >/dev/null || { log "npm: installing @anthropic-ai/claude-code"; npm install -g @anthropic-ai/claude-code >/dev/null; }
 
-# 3) kubelogin (kubectl oidc-login) system-wide — NOT the apt 'kubelogin' (= Azure tool)
+# 2a) ~/.local/bin on PATH for all LOGIN shells (machine-wide). The native claude install
+#     lives at ~/.local/bin; this guarantees login shells (SSH, etc.) find it regardless of
+#     whether the per-user native-installer rc edit ran. (The terminal launcher sets PATH
+#     itself, and t3-serve@.service hard-sets PATH in the unit.)
+install -d -m 0755 /etc/profile.d
+cat > /etc/profile.d/10-local-bin.sh <<'PROFILE_EOF'
+# Native per-user installs (e.g. claude-code) live in ~/.local/bin — put it on PATH.
+# Guarded so it never duplicates. Sourced by login shells (bash via /etc/profile; zsh
+# login via /etc/zsh/zprofile -> /etc/profile).
+case ":$PATH:" in
+  *":$HOME/.local/bin:"*) ;;
+  *) export PATH="$HOME/.local/bin:$PATH" ;;
+esac
+PROFILE_EOF
+chmod 0644 /etc/profile.d/10-local-bin.sh
+log "/etc/profile.d/10-local-bin.sh (~/.local/bin on PATH for login shells)"
+
+# 2b) t3 (the per-user coding surface) — GATED NIGHTLY TRACKER (2026-06-16; was pinned).
+#     t3 is pre-1.0 and ships breaking auth-schema + bootstrap-API changes (2026-06-09
+#     outage: a blind nightly auto-update broke pairing for ALL users). The daily
+#     t3-autoupdate now FOLLOWS t3@nightly but GATES each bump (populated-DB health-check
+#     + canary + auto-rollback + self-freeze) so a bad nightly self-heals. A fresh box has
+#     no user state to migrate or sessions to break, so install the current nightly
+#     directly; the gated tracker owns it thereafter. Keep T3_TRACK in sync with
+#     t3-autoupdate.sh. To freeze/revert: `touch /etc/t3-autoupdate.freeze`.
+T3_TRACK="${T3_TRACK:-nightly}"
+want_t3="$(npm view "t3@$T3_TRACK" version 2>/dev/null | tail -1)"
+if [[ -n "$want_t3" && "$(t3 --version 2>/dev/null | awk '{print $NF}' | sed 's/^v//')" != "$want_t3" ]]; then
+  log "npm: installing t3@$T3_TRACK ($want_t3)"; npm install -g "t3@$want_t3" >/dev/null
+fi
+
+# 2c) Bitwarden CLI — backs `homelab vault` (per-user no-HITL Vaultwarden access).
+#     npm-global so every user's PATH resolves it. Pinned major; best-effort (a
+#     failure only disables `homelab vault`, nothing else on the box).
+if ! command -v bw >/dev/null; then
+  log "npm: installing @bitwarden/cli (homelab vault backend)"
+  npm install -g "@bitwarden/cli@^2024" >/dev/null 2>&1 || log "WARN: @bitwarden/cli install failed; homelab vault unavailable"
+fi
+
+# 3) kubelogin (kubectl oidc-login) system-wide — NOT the apt 'kubelogin' (= Azure tool).
+#    PINNED (not 'latest/download') so two fresh boxes built weeks apart are byte-identical.
+KUBELOGIN_VER="${KUBELOGIN_VER:-v1.36.2}"
 if [[ ! -x /usr/local/bin/kubelogin ]]; then
-  log "kubelogin: installing int128/kubelogin"
+  log "kubelogin: installing int128/kubelogin $KUBELOGIN_VER"
   tmp="$(mktemp -d)"
-  curl -fsSL -o "$tmp/kl.zip" https://github.com/int128/kubelogin/releases/latest/download/kubelogin_linux_amd64.zip
+  curl -fsSL -o "$tmp/kl.zip" "https://github.com/int128/kubelogin/releases/download/${KUBELOGIN_VER}/kubelogin_linux_amd64.zip"
   ( cd "$tmp" && { unzip -o kl.zip kubelogin >/dev/null 2>&1 || python3 -m zipfile -e kl.zip .; } )
   install -m 0755 "$tmp/kubelogin" /usr/local/bin/kubelogin
   ln -sf /usr/local/bin/kubelogin /usr/local/bin/kubectl-oidc_login
@@ -63,8 +111,11 @@ for d in skills rules agents commands; do
 done
 log "skel: launcher + tmux + inheritance symlinks (base=$CONFIG_BASE)"
 
-# 6) deploy the roster-driven provisioner to /usr/local/bin (run hourly by
-#    t3-provision-users.timer). Re-deployed here so its logic is reproducible.
+# 6) BOOTSTRAP-deploy the roster-driven provisioner to /usr/local/bin (run hourly
+#    by t3-provision-users.timer). This seeds the binary on a fresh box; ongoing
+#    edits self-deploy from the repo on the next reconcile (the script's step 0),
+#    so a committed change no longer needs a manual setup-devvm.sh re-run to land
+#    (the gap that left the homelab-memory rollout undeployed for a day).
 install -m 0755 "$HERE/../t3-provision-users.sh" /usr/local/bin/t3-provision-users
 log "t3-provision-users -> /usr/local/bin/ (roster-driven)"
 
@@ -77,4 +128,245 @@ if [[ -d "$ADMIN_CODE" ]]; then
   log "hardened $ADMIN_CODE (o-rx — not world-readable)"
 fi
 
+# 8) /etc/t3-serve (per-user .env + dispatch config dir; also holds the staged tokens
+#    below) + shared service auth pulled from Vault. install -m alone does NOT create the
+#    parent dir, so a fresh box needs this mkdir before the token writes below.
+install -d -m 0755 /etc/t3-serve
+if command -v vault >/dev/null; then
+  export VAULT_ADDR="${VAULT_ADDR:-https://vault.viktorbarzin.me}"
+  # setup-devvm runs as root (no ~/.vault-token); borrow the admin's token to read Vault.
+  if [[ -z "${VAULT_TOKEN:-}" && -r /home/wizard/.vault-token ]]; then
+    VAULT_TOKEN="$(cat /home/wizard/.vault-token)"; export VAULT_TOKEN
+  fi
+  # 8a) Claude auth is deliberately NOT shared. Each roster user signs in with their own
+  #     Enterprise identity; claude-auth-sync backs up only their OAuth object to an
+  #     isolated Vault path. The provisioner mints its scoped Vault token when this admin
+  #     VAULT_TOKEN is present.
+  # 8b) Shared Codex auth -> /opt/codex-shared/auth.json (the codex wrapper symlinks each
+  #     user's ~/.codex/auth.json here). Previously a manual host change that did NOT survive
+  #     a rebuild even though the Vault key existed — now reproducible from Vault.
+  if codex_auth="$(vault kv get -field=codex_shared_auth_json secret/workstation 2>/dev/null)"; then
+    getent group codex-shared >/dev/null || groupadd codex-shared
+    install -d -m 2770 -g codex-shared /opt/codex-shared
+    install -m 0660 -g codex-shared /dev/stdin /opt/codex-shared/auth.json <<<"$codex_auth"
+    log "staged /opt/codex-shared/auth.json (shared Codex auth)"
+  else
+    log "WARN: secret/workstation codex_shared_auth_json absent -> shared Codex auth not staged"
+  fi
+  # 8c) chrome-service snapshot bearer token -> root file the provisioner copies
+  #     per-user (if-absent) to ~/.config/playwright/token, which the per-user
+  #     playwright-snapshot-refresh reads. One token for all users (single shared
+  #     warm profile, by design). 0600: the snapshot it fetches holds cookies.
+  if cs_tok="$(vault kv get -field=api_bearer_token secret/chrome-service 2>/dev/null)"; then
+    install -m 0600 /dev/stdin /etc/t3-serve/chrome-service-token <<<"$cs_tok"
+    log "staged /etc/t3-serve/chrome-service-token (playwright snapshot auth)"
+  else
+    log "WARN: secret/chrome-service api_bearer_token absent -> playwright snapshot refresh will 401"
+  fi
+fi
+
+# 9) service layer: install + enable the machine-wide systemd units (sources in
+#    infra/scripts/) so a rebuild reproduces them — previously hand-scp'd, they would
+#    NOT survive a fresh box. Per-user t3-serve@ INSTANCES are enabled by the
+#    provisioner; the ttyd terminal-lobby chain ships from its own repo
+#    (forgejo viktor/terminal-lobby, scripts/deploy.sh) — not duplicated here.
+SCRIPTS="$HERE/.."
+# 9a) scripts the units exec (t3-provision-users already deployed in section 6)
+install -m 0755 "$SCRIPTS/t3-autoupdate.sh"   /usr/local/bin/t3-autoupdate
+install -m 0644 "$SCRIPTS/t3-safe-restart.sh" /usr/local/lib/t3-safe-restart.sh   # sourced lib (t3-autoupdate + t3-migrate-idle)
+install -m 0755 "$SCRIPTS/t3-migrate-idle.sh" /usr/local/bin/t3-migrate-idle
+install -m 0755 "$SCRIPTS/t3-backup-state.sh" /usr/local/bin/t3-backup-state
+install -m 0755 "$SCRIPTS/t3-mint"            /usr/local/bin/t3-mint
+install -m 0755 "$HERE/claude-auth-sync.sh"   /usr/local/bin/claude-auth-sync
+# 9b) t3-dispatch: unprivileged system account + compiled Go binary (build-if-absent)
+id -u t3-dispatch >/dev/null 2>&1 || useradd --system --no-create-home --shell /usr/sbin/nologin t3-dispatch
+if [[ ! -x /usr/local/bin/t3-dispatch ]]; then
+  if command -v go >/dev/null; then
+    log "building t3-dispatch (Go)"; ( cd "$SCRIPTS/t3-dispatch" && go build -o /usr/local/bin/t3-dispatch . )
+  else
+    log "WARN: go absent -> cannot build t3-dispatch; install golang-go or deploy the binary"
+  fi
+fi
+# 9b2) homelab: unified infra-ops CLI (agent-facing verbs + the in-cluster
+#      infra-cli webhook image). Rebuilt from cli/ each run so it tracks the
+#      repo; version stamped from cli/VERSION. See cli/README.md + docs/adr/0004-0006.
+if command -v go >/dev/null; then
+  _hl_src="$SCRIPTS/../cli"
+  _hl_ver="$(cat "$_hl_src/VERSION" 2>/dev/null || echo dev)"
+  log "building homelab CLI ($_hl_ver)"
+  ( cd "$_hl_src" && go build -ldflags "-X main.version=$_hl_ver" -o /usr/local/bin/homelab . ) \
+    || log "WARN: homelab CLI build failed"
+else
+  log "WARN: go absent -> cannot build homelab CLI"
+fi
+# 9c) sudoers: t3-dispatch may run ONLY t3-mint as root. A malformed file in
+#     /etc/sudoers.d breaks ALL sudo, so validate with visudo when available.
+if ! command -v visudo >/dev/null || visudo -cf "$SCRIPTS/sudoers-t3-autopair" >/dev/null; then
+  install -m 0440 "$SCRIPTS/sudoers-t3-autopair" /etc/sudoers.d/t3-autopair
+else
+  log "WARN: sudoers-t3-autopair failed visudo validation -> NOT installed"
+fi
+# 9d) unit files + enablement. Timers self-heal; t3-dispatch is long-running.
+#     t3-serve@ is a TEMPLATE (enabled per-user by the provisioner, not here).
+for u in t3-serve@.service \
+         claude-auth-sync@.service claude-auth-sync@.timer \
+         t3-autoupdate.service t3-autoupdate.timer \
+         t3-migrate-idle.service t3-migrate-idle.timer \
+         t3-backup-state.service t3-backup-state.timer \
+         t3-provision-users.service t3-provision-users.timer \
+         t3-dispatch.service; do
+  install -m 0644 "$SCRIPTS/$u" "/etc/systemd/system/$u"
+done
+log "claude auth: per-user sync script + template units installed"
+# 9e) per-user playwright-mcp browser MCP: system-level TEMPLATE units (one
+#     instance per OS user) + the snapshot-refresh script. Reproducible-from-git
+#     replacement for the hand-made ~/.config/systemd/user/playwright-* units
+#     (no systemd --user / linger needed). Enabled per-user by the provisioner;
+#     PLAYWRIGHT_PORT (roster_engine) + the chrome-service token (8c) feed them.
+install -m 0755 "$HERE/playwright/playwright-snapshot-refresh" /usr/local/bin/playwright-snapshot-refresh
+for u in playwright-mcp@.service playwright-snapshot-refresh@.service playwright-snapshot-refresh@.timer; do
+  install -m 0644 "$HERE/playwright/$u" "/etc/systemd/system/$u"
+done
+log "playwright: template units + snapshot-refresh script installed (per-user enable in provisioner)"
+systemctl daemon-reload
+systemctl enable --now t3-dispatch.service \
+  t3-autoupdate.timer t3-backup-state.timer t3-provision-users.timer t3-migrate-idle.timer >/dev/null 2>&1 || \
+  log "WARN: some units failed to enable (check: systemctl status t3-dispatch t3-*.timer)"
+log "service units installed + enabled (t3-dispatch + 3 timers; t3-serve@ per-user)"
+
+# 10) RESOURCE CONTAINMENT (2026-06-22): bound per-user memory + an OOM backstop so
+#     ONE user's runaway can never IO/memory-overload the shared box. History: the
+#     2026-06-10 "swap-only, ssh/tmux memory-uncontained" decision let a single
+#     user's runaway (a 10G `ugrep`; agent storms) swap-thrash the 60/60-throttled
+#     virtual disk into an IO storm + multi-minute freeze (hard-killed 2026-06-22).
+#     t3-serve@ was already capped (its [Service] block); the HOLE was the uncapped
+#     user-<uid>.slice (all ssh/tmux work). Design — per user, on BOTH trees:
+#     MemoryHigh=12G soft (throttles a runaway to a crawl), MemoryMax=16G hard,
+#     MemorySwapMax=0 (work never touches disk swap → no thrash; it OOMs locally at
+#     the ceiling instead), plus fair-share CPU/IO weights.
+#     BACKSTOP = earlyoom, NOT systemd-oomd. We first shipped systemd-oomd but it is
+#     INERT with swap=0: its pressure-kill only acts on cgroups doing active reclaim
+#     (pgscan rising), and a no-swap anon workload never reclaims — verified live, a
+#     cgroup at 99% memory.pressure / pgscan=0 was never killed. earlyoom instead
+#     watches FREE RAM (MemAvailable%) and SIGTERMs the biggest process at 5% / -k 3%,
+#     swap-independent and reliable. It --avoids sshd/systemd/dockerd (your way in
+#     stays alive) and --prefers the agent/browser hogs. earlyoom pkg = packages.txt
+#     (§1). Per-cgroup MemoryMax is the PRIMARY guard; earlyoom is the aggregate net.
+#     Post-mortem: docs/post-mortems/2026-06-22-devvm-mem-io-overload-containment.md
+
+# 10a) per-user caps + fair-share weights on EVERY user-<uid>.slice (ssh/tmux)
+install -d -m 0755 /etc/systemd/system/user-.slice.d
+cat > /etc/systemd/system/user-.slice.d/50-devvm-resource.conf <<'SLICE_EOF'
+# Per-user containment for the shared devvm (setup-devvm.sh §10, 2026-06-22).
+# Applies to EACH user-<uid>.slice = all of one user's ssh/tmux work. Mirrors the
+# t3-serve@.service caps so a user is bounded in whichever surface they work in.
+[Slice]
+MemoryAccounting=yes
+MemoryHigh=12G
+MemoryMax=16G
+MemorySwapMax=0
+CPUAccounting=yes
+CPUWeight=100
+IOAccounting=yes
+IOWeight=100
+SLICE_EOF
+
+# 10b) earlyoom backstop config — RAM-threshold, swap-INDEPENDENT (see header note
+#      on why systemd-oomd is inert with swap=0). The Debian unit reads /etc/default.
+cat > /etc/default/earlyoom <<'EARLYOOM_EOF'
+# devvm aggregate OOM backstop (setup-devvm.sh §10, 2026-06-22). Watches FREE RAM
+# (MemAvailable%) and kills the biggest task before the box exhausts. Unlike
+# systemd-oomd it needs NO swap/reclaim, so it works with our swap=0 work cgroups.
+#   -m 5,3     SIGTERM the victim at MemAvailable<5%, SIGKILL at <3%
+#   -s 100,100 ignore swap in the decision (RAM-only; work cgroups are swap=0)
+#   --avoid    never the box's nervous system / your way back in
+#   --prefer   target the agent/browser/build hogs that actually exhaust RAM
+#   -r 3600    hourly memory report (the 60s default is log spam)
+EARLYOOM_ARGS="-m 5,3 -s 100,100 -r 3600 --avoid ^(systemd|systemd-.*|sshd|dockerd|containerd|init|t3-dispatch|tmux.*)$ --prefer ^(python3|node|chrome|chromium|ugrep|rg|go|claude)$"
+EARLYOOM_EOF
+
+# 10c) capped docker.slice (top-level sibling of system/user slices); daemon.json
+#      cgroup-parent (10d) makes EVERY container land here under one bounded budget.
+cat > /etc/systemd/system/docker.slice <<'DOCKER_SLICE_EOF'
+# All docker containers live here (cgroup-parent in /etc/docker/daemon.json) so
+# they share one bounded budget and a runaway container is capped at MemoryMax
+# (cgroup-OOM'd locally) instead of escaping into the uncapped system.slice.
+# setup-devvm.sh §10, 2026-06-22.
+[Unit]
+Description=Docker containers slice (capped)
+[Slice]
+MemoryAccounting=yes
+MemoryHigh=6G
+MemoryMax=8G
+MemorySwapMax=0
+CPUAccounting=yes
+CPUWeight=100
+IOAccounting=yes
+IOWeight=100
+DOCKER_SLICE_EOF
+
+# 10d) point dockerd at docker.slice (idempotent JSON merge; flag a needed restart).
+#      python preserves the rest of daemon.json (buildkit, nvidia runtime, etc.).
+docker_restart=0
+# if-condition form so the deliberate non-zero exit (10=changed) does NOT trip the
+# script's `set -e`; $? in the else branch is the python exit code.
+if python3 - <<'PY'
+import json, os, sys
+p = "/etc/docker/daemon.json"
+try:
+    d = json.load(open(p)) if os.path.exists(p) else {}
+except Exception:
+    sys.exit(2)                       # malformed -> don't touch
+if d.get("cgroup-parent") == "docker.slice":
+    sys.exit(0)                       # already correct -> no restart
+d["cgroup-parent"] = "docker.slice"
+json.dump(d, open(p, "w"), indent=4)
+sys.exit(10)                          # changed -> restart needed
+PY
+then rc=0; else rc=$?; fi
+case $rc in
+  0) : ;;
+  10) docker_restart=1 ;;
+  *) log "WARN: could not patch /etc/docker/daemon.json — docker.slice NOT wired" ;;
+esac
+
+# 10e) t3-serve@ instances need no extra drop-in: their per-instance MemoryMax /
+#      MemorySwapMax caps live in t3-serve@.service [Service]; earlyoom (10b) is the
+#      box-wide net. (The earlier oomd slice-policing drop-in was removed — inert.)
+
+# 10f) give system.slice a priority edge so sshd/services stay snappy under
+#      contention (weights are work-conserving — users still get idle CPU/IO).
+install -d -m 0755 /etc/systemd/system/system.slice.d
+cat > /etc/systemd/system/system.slice.d/50-devvm-priority.conf <<'SYS_EOF'
+# Keep the box's nervous system responsive under contention (setup-devvm.sh §10).
+[Slice]
+CPUAccounting=yes
+CPUWeight=200
+IOAccounting=yes
+IOWeight=200
+SYS_EOF
+
+# 10g) activate: reload, arm earlyoom, restart dockerd ONLY if daemon.json changed.
+systemctl daemon-reload
+# earlyoom reads /etc/default/earlyoom (10b); enable + restart so new args take effect
+# even on a re-run where it was already running.
+systemctl enable --now earlyoom.service >/dev/null 2>&1 \
+  || log "WARN: earlyoom failed to enable — is the package installed? (packages.txt §1)"
+systemctl restart earlyoom.service 2>/dev/null || true
+# systemd-oomd is inert with swap=0 (see header) — ensure it isn't also running from
+# an earlier iteration of this section. No-op if the package was never installed.
+systemctl disable --now systemd-oomd.service >/dev/null 2>&1 || true
+if [[ $docker_restart -eq 1 ]] && systemctl is-active --quiet docker; then
+  log "restarting dockerd to apply cgroup-parent=docker.slice (running containers bounce briefly)"
+  systemctl restart docker || log "WARN: docker restart failed"
+fi
+log "§10 resource containment: per-user 12G/16G swap=0, earlyoom RAM backstop, docker.slice"
+
+# Run one foreground reconcile while the admin Vault token borrowed in section 8
+# is still available. This is what mints new roster users' isolated periodic
+# Vault tokens; the hourly no-admin-token reconcile only maintains existing ones.
+if [[ -n "${VAULT_TOKEN:-}" ]]; then
+  /usr/local/bin/t3-provision-users || log "WARN: foreground provisioner failed; scoped Claude-auth tokens may need a retry"
+fi
+
 log "OK (idempotent)"
diff --git a/scripts/workstation/skel/start-claude.sh b/scripts/workstation/skel/start-claude.sh
index 7c86cc58..b3e25744 100755
--- a/scripts/workstation/skel/start-claude.sh
+++ b/scripts/workstation/skel/start-claude.sh
@@ -11,6 +11,14 @@ echo "  Starting Claude Code in $HOME/code ..."
 echo "  (Right-click for tmux menu, or Ctrl+B then | or - to split)"
 echo ""
 
+# The native claude install lives in ~/.local/bin. This launcher runs in tmux's non-login
+# env, which does NOT source the user's shell rc (where the native installer added it to
+# PATH) — so `claude` would appear missing here. Put it on PATH ourselves; guarded/idempotent.
+case ":$PATH:" in
+  *":$HOME/.local/bin:"*) ;;
+  *) export PATH="$HOME/.local/bin:$PATH" ;;
+esac
+
 name_args=()
 if [ -n "${TMUX:-}" ]; then
   sess="$(tmux display-message -p '#{session_name}' 2>/dev/null)"
@@ -19,19 +27,78 @@ fi
 
 cd "$HOME/code" 2>/dev/null || cd "$HOME"
 
-# Prefer the system-wide `claude` (installed by setup-devvm.sh); fall back to npx.
-launch() {
-  if command -v claude >/dev/null 2>&1; then
-    claude "$@"
-  else
-    npx @anthropic-ai/claude-code "$@"
+# Freshen the user's clone(s) at session start so they begin on current upstream
+# state (the hourly t3-provision-users reconcile does the same in the background).
+# Single layout freshens ~/code itself; workspace layout freshens each repo under
+# ~/code. Fast-forward only, and only when safe (on master + clean tree); hard
+# 10s fetch cap per repo so an offline remote never stalls the launch.
+freshen_repo() {
+  GIT_TERMINAL_PROMPT=0 timeout 10 git -C "$1" fetch --all --prune --quiet 2>/dev/null || true
+  # ff whatever branch is checked out (master, main, ...) when that is provably
+  # safe: on a branch, clean tree, upstream configured. Never rebases/merges.
+  if [ -n "$(git -C "$1" symbolic-ref --short -q HEAD)" ] \
+     && [ -z "$(git -C "$1" status --porcelain 2>/dev/null)" ] \
+     && git -C "$1" rev-parse --verify -q '@{upstream}' >/dev/null 2>&1; then
+    git -C "$1" merge --ff-only '@{upstream}' >/dev/null 2>&1 || true
   fi
 }
+if [ -d "$HOME/code/.git" ]; then
+  freshen_repo "$HOME/code"
+else
+  for repo_git in "$HOME"/code/*/.git; do
+    [ -d "$repo_git" ] && freshen_repo "${repo_git%/.git}"
+  done
+fi
+
+# Run the NATIVE `claude` (the recommended install: ~/.local/bin/claude, self-updating).
+# No npm/npx. If the native binary is missing (a fresh account before the hourly reconcile
+# has provisioned it), bootstrap it with the official native installer, then run it.
+launch() {
+  if ! command -v claude >/dev/null 2>&1; then
+    echo "  Installing Claude Code (native) for $(id -un) …"
+    curl -fsSL https://claude.ai/install.sh | bash || return 127
+    export PATH="$HOME/.local/bin:$PATH"
+  fi
+  claude "$@"
+}
+
+# Re-assert Claude Code's first-run onboarding flag before launch. ~/.claude.json is a
+# SINGLE file that ALL of a user's concurrent claude processes (this terminal, their
+# t3-serve instance, agent/SDK sessions) read-modify-write; a stale writer periodically
+# drops top-level keys — including hasCompletedOnboarding — which throws the next
+# interactive session back to the "Choose the text style" wizard even though the user is
+# fully logged in (credentials live in the SEPARATE ~/.claude/.credentials.json, which is
+# never affected). Idempotent, runs as the user right before launch, never clobbers other
+# keys. Best-effort: no-op if jq is missing or the file is empty/corrupt (claude self-heals).
+ensure_onboarding() {
+  command -v jq >/dev/null 2>&1 || return 0
+  local cfg="$HOME/.claude.json" ver tmp
+  ver="$(claude --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
+  if [ -s "$cfg" ]; then
+    jq -e . "$cfg" >/dev/null 2>&1 || return 0                                     # corrupt -> leave for claude
+    [ "$(jq -r '.hasCompletedOnboarding // false' "$cfg")" = "true" ] && return 0  # already set -> no write
+  elif [ -e "$cfg" ]; then
+    return 0                                                                       # empty (mid-write?) -> leave it
+  fi
+  tmp="$(mktemp "${cfg}.XXXXXX")" || return 0
+  if [ -f "$cfg" ]; then
+    jq --arg v "$ver" '.hasCompletedOnboarding = true
+      | (if $v != "" then .lastOnboardingVersion = $v else . end)' "$cfg" > "$tmp" 2>/dev/null \
+      && chmod 600 "$tmp" && mv "$tmp" "$cfg" || rm -f "$tmp"
+  else
+    jq -n --arg v "$ver" '{hasCompletedOnboarding: true}
+      + (if $v != "" then {lastOnboardingVersion: $v} else {} end)' > "$tmp" 2>/dev/null \
+      && chmod 600 "$tmp" && mv "$tmp" "$cfg" || rm -f "$tmp"
+  fi
+}
+ensure_onboarding
 
 # Deliberately not `exec` so we can branch on the exit code: clean quit ends the
 # pane (ttyd closes the terminal); a crash drops to a shell so the tmux session
 # isn't destroyed-and-recreated in a ttyd auto-reconnect loop.
-launch --dangerously-skip-permissions --model claude-opus-4-8 "${name_args[@]}"
+# No --model flag: inherit the org-wide default from /etc/claude-code/managed-settings.json
+# (an explicit --model would override that managed default for every launched session).
+launch --dangerously-skip-permissions "${name_args[@]}"
 code=$?
 [ "$code" -eq 0 ] && exit 0
 
diff --git a/scripts/workstation/test_roster_engine.py b/scripts/workstation/test_roster_engine.py
index fe19c90e..183096da 100644
--- a/scripts/workstation/test_roster_engine.py
+++ b/scripts/workstation/test_roster_engine.py
@@ -86,6 +86,97 @@ def test_missing_users_key_is_valid_empty():
     assert _roster("{}").users == {}
 
 
+# --------------------------------------------------------------------------
+# code_layout + repos: per-user workspace layout (~/code/<repo> clones)
+# --------------------------------------------------------------------------
+
+
+def test_code_layout_defaults_to_single_with_no_repos():
+    r = _roster("users: {emo: {authentik_user: e, k8s_user: emo, tier: power-user}}")
+    assert r.users["emo"].code_layout == "single"
+    assert r.users["emo"].repos == ()
+
+
+def test_workspace_layout_carries_repos():
+    r = _roster(
+        """
+        users:
+          ancamilea: {authentik_user: ancaelena98, k8s_user: anca,
+                      tier: namespace-owner, namespaces: [plotting-book],
+                      code_layout: workspace, repos: [tripit]}
+        """
+    )
+    u = r.users["ancamilea"]
+    assert u.code_layout == "workspace"
+    assert u.repos == ("tripit",)
+
+
+def test_rejects_unknown_code_layout():
+    with pytest.raises(eng.RosterError, match="code_layout"):
+        _roster(
+            "users: {bob: {authentik_user: b, k8s_user: b, tier: power-user, "
+            "code_layout: flat}}"
+        )
+
+
+def test_repos_require_workspace_layout():
+    # repos clone to ~/code/<name>, which only exists under the workspace layout.
+    with pytest.raises(eng.RosterError, match="workspace"):
+        _roster(
+            "users: {bob: {authentik_user: b, k8s_user: b, tier: power-user, "
+            "repos: [tripit]}}"
+        )
+
+
+@pytest.mark.parametrize("bad", ["../evil", "a/b", "", ".hidden", "-flag"])
+def test_rejects_path_unsafe_repo_name(bad):
+    # Repo names become root-executed clone/mv paths — reject anything that
+    # isn't a plain leading-alphanumeric name.
+    with pytest.raises(eng.RosterError, match="repo"):
+        _roster(
+            "users: {bob: {authentik_user: b, k8s_user: b, tier: power-user, "
+            f"code_layout: workspace, repos: ['{bad}']" "}}"
+        )
+
+
+def test_rejects_infra_in_repos():
+    # The infra clone is implicit at ~/code/infra for workspace users.
+    with pytest.raises(eng.RosterError, match="implicit"):
+        _roster(
+            "users: {bob: {authentik_user: b, k8s_user: b, tier: power-user, "
+            "code_layout: workspace, repos: [infra]}}"
+        )
+
+
+def test_derive_accounts_carry_code_layout_and_repos():
+    r = _roster(
+        """
+        users:
+          emo:       {authentik_user: e, k8s_user: emo, tier: power-user}
+          ancamilea: {authentik_user: a, k8s_user: anca, tier: namespace-owner,
+                      namespaces: [plotting-book], code_layout: workspace,
+                      repos: [tripit]}
+        """
+    )
+    ds = eng.derive_desired_state(r, {})
+    assert ds.accounts["emo"].code_layout == "single"
+    assert ds.accounts["emo"].repos == ()
+    assert ds.accounts["ancamilea"].code_layout == "workspace"
+    assert ds.accounts["ancamilea"].repos == ("tripit",)
+
+
+def test_desired_state_dict_includes_code_layout_and_repos():
+    # The JSON adapter is the contract the bash provisioner consumes via jq.
+    r = _roster(
+        "users: {ancamilea: {authentik_user: a, k8s_user: anca, "
+        "tier: namespace-owner, namespaces: [plotting-book], "
+        "code_layout: workspace, repos: [tripit]}}"
+    )
+    d = eng._desired_state_to_dict(eng.derive_desired_state(r, {}))
+    assert d["accounts"]["ancamilea"]["code_layout"] == "workspace"
+    assert d["accounts"]["ancamilea"]["repos"] == ["tripit"]
+
+
 # --------------------------------------------------------------------------
 # validate_tiers: roster tier vs live k8s_users (fail-loud, module #1)
 # --------------------------------------------------------------------------
@@ -205,6 +296,53 @@ def test_derive_is_deterministic():
     )
 
 
+# --------------------------------------------------------------------------
+# derive_desired_state: per-user playwright-mcp ports (reproducible browser MCP)
+# --------------------------------------------------------------------------
+
+# wizard (admin) IS a roster user, so playwright ports are allocated for every
+# user incl. the admin, from PLAYWRIGHT_BASE_PORT=8931. The live in-session
+# assignment is wizard 8931, emo 8932, ancamilea 8933.
+LIVE_PLAYWRIGHT_PORTS = {"wizard": 8931, "emo": 8932, "ancamilea": 8933}
+
+
+def test_derive_allocates_playwright_ports_for_all_users_incl_admin():
+    ds = eng.derive_desired_state(_roster(THREE), {})
+    # fresh box: sorted os_user order (ancamilea, emo, wizard) from 8931
+    assert ds.playwright_ports == {"ancamilea": 8931, "emo": 8932, "wizard": 8933}
+
+
+def test_derive_preserves_existing_sticky_playwright_ports():
+    # Seeded with the live assignment -> preserved exactly (nobody's port moves).
+    ds = eng.derive_desired_state(
+        _roster(THREE), {}, existing_playwright_ports=LIVE_PLAYWRIGHT_PORTS
+    )
+    assert ds.playwright_ports == LIVE_PLAYWRIGHT_PORTS
+
+
+def test_derive_allocates_next_free_playwright_port_for_new_user():
+    # Existing users sticky; a brand-new user gets the next free port from 8931.
+    ds = eng.derive_desired_state(
+        _roster(THREE), {}, existing_playwright_ports={"wizard": 8931, "emo": 8932}
+    )
+    assert ds.playwright_ports["wizard"] == 8931
+    assert ds.playwright_ports["emo"] == 8932
+    assert ds.playwright_ports["ancamilea"] == 8933  # next free, skipping 8931/8932
+
+
+def test_playwright_ports_are_disjoint_from_t3_ports():
+    ds = eng.derive_desired_state(_roster(THREE), LIVE_PORTS, LIVE_PLAYWRIGHT_PORTS)
+    assert set(ds.ports.values()).isdisjoint(ds.playwright_ports.values())
+
+
+def test_desired_state_dict_includes_playwright_ports():
+    # The JSON adapter is the contract the bash provisioner consumes via jq.
+    d = eng._desired_state_to_dict(
+        eng.derive_desired_state(_roster(THREE), {}, LIVE_PLAYWRIGHT_PORTS)
+    )
+    assert d["playwright_ports"] == LIVE_PLAYWRIGHT_PORTS
+
+
 # --------------------------------------------------------------------------
 # groups_to_add: the additive-only invariant (module #1)
 # --------------------------------------------------------------------------
diff --git a/stacks/actualbudget/.terraform.lock.hcl b/stacks/actualbudget/.terraform.lock.hcl
index 0fa50ca1..a19b4cd4 100644
--- a/stacks/actualbudget/.terraform.lock.hcl
+++ b/stacks/actualbudget/.terraform.lock.hcl
@@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
+  hashes = [
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
 provider "registry.terraform.io/goauthentik/authentik" {
   version     = "2024.12.1"
   constraints = "~> 2024.10"
@@ -47,61 +55,36 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version = "3.8.1"
+  version = "3.9.0"
   hashes = [
-    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
-    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
-    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
-    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
-    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
-    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
-    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
-    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
+    "h1:UlBuNVuCGJ39tTv2c5gz2NRZnQbXfbIWbTzWcth5o74=",
+    "zh:161ad0bd9a75768c82f53fb6e7172a9d8be2d4889b012645a34795031aaf1bf1",
+    "zh:19dc9a5b17729725ccfc4f45b0500af0ee5bc6b6b160c7adb8f2bf617d2c80ea",
+    "zh:269eda8fe42daa7974d5a34d166c3ba9defe80cde86c01e4dadcfdf2e1f05e5f",
+    "zh:373f7c65566f8f2cc7f45d698654feb9d988996957e1266a69ca00c52d6d16d0",
+    "zh:5599d16804c41c83009ec621b6d6b6f74e102f5827678a4750f8809055546b61",
+    "zh:583be0440469a22bff70dcfa56593b01566860b29607437264adb51060cf46fc",
+    "zh:5f211d8ec3f2e1f414870d9584bfe26e6995560ef81c748f8447a48164767398",
     "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
-    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
-    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
-    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
-    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+    "zh:7b547fd16216761ef86efc3ed516ac5ac0c5c42b7c7eb24a08cef2d93f69ed5e",
+    "zh:7e7c0679daf2a382151d05068c8c3f0dae6b7b7dccf818827b73dd08638df2ef",
+    "zh:8089dec888a8038b9b4fb23b3df7e1057293dbc5b60b42cc47ff690d69d4b61b",
+    "zh:c51f15a031edfd6f23ce8ced3446ca7f8d8d647e2499890d7d5d10d5016d7257",
+    "zh:c94784f005708890dc6895afd53636ec00ec1e430b15d41e5aebfb1d4b39bd04",
   ]
 }
 
@@ -125,3 +108,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/actualbudget/factory/main.tf b/stacks/actualbudget/factory/main.tf
index d458857d..3a7df141 100644
--- a/stacks/actualbudget/factory/main.tf
+++ b/stacks/actualbudget/factory/main.tf
@@ -183,6 +183,11 @@ module "ingress" {
   tls_secret_name   = var.tls_secret_name
   dns_type          = "proxied"
   extra_annotations = var.homepage_annotations
+  # Actual's app boot fires ~70 parallel asset/migration revalidations
+  # (max-age=0); the default 10/50 limiter 429s the tail and stalls every
+  # load. Dedicated higher-burst limiter, same pattern as Immich.
+  skip_default_rate_limit = true
+  extra_middlewares       = ["traefik-actualbudget-rate-limit@kubernetescrd"]
 }
 
 
diff --git a/stacks/actualbudget/main.tf b/stacks/actualbudget/main.tf
index 7e93ef3a..33012033 100644
--- a/stacks/actualbudget/main.tf
+++ b/stacks/actualbudget/main.tf
@@ -6,7 +6,7 @@ variable "nfs_server" { type = string }
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "actualbudget-secrets"
diff --git a/stacks/affine/.terraform.lock.hcl b/stacks/affine/.terraform.lock.hcl
index fabbc047..b22b977e 100644
--- a/stacks/affine/.terraform.lock.hcl
+++ b/stacks/affine/.terraform.lock.hcl
@@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
+  hashes = [
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
 provider "registry.terraform.io/goauthentik/authentik" {
   version     = "2024.12.1"
   constraints = "~> 2024.10"
@@ -33,29 +41,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -79,3 +74,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/affine/main.tf b/stacks/affine/main.tf
index c7144f28..bc63381c 100644
--- a/stacks/affine/main.tf
+++ b/stacks/affine/main.tf
@@ -6,7 +6,7 @@ variable "nfs_server" { type = string }
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "affine-secrets"
@@ -43,7 +43,7 @@ data "kubernetes_secret" "eso_secrets" {
 # Provides DATABASE_URL that auto-updates when password rotates
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "affine-db-creds"
diff --git a/stacks/android-emulator/README.md b/stacks/android-emulator/README.md
new file mode 100644
index 00000000..ebc42144
--- /dev/null
+++ b/stacks/android-emulator/README.md
@@ -0,0 +1,103 @@
+# android-emulator — shared in-cluster Android testing instance
+
+Android 16 (API 36, `google_apis/x86_64`) emulator running under KVM in the
+cluster, so agents can natively test app/PWA changes before shipping (first
+tenant: tripit). Decision record: `docs/adr/0001-android-emulator-in-cluster.md`.
+
+## On-demand lifecycle (since 2026-06-12)
+
+The emulator **scales to zero when idle** (no user interaction for 6h —
+taps/keys/app-launches/noVNC clicks, read from `dumpsys power` by the
+`android-emulator-idle-sleeper` CronJob) and **wakes on visit**: the wake
+gate owns `/` on both hostnames. Warm boot is ~90s. Idle is measured from
+real interaction, not connection count, so a forgotten `adb connect` (left
+ESTABLISHED) no longer keeps it awake — but `adb disconnect` anyway.
+
+- Humans: open https://android-emulator.viktorbarzin.me — it wakes the
+  emulator if needed, shows a self-refreshing boot page, then hands over to
+  the noVNC screen.
+- Agents (before adb): wake + poll, then connect:
+
+      curl -ks --resolve android-emulator.viktorbarzin.lan:443:10.0.20.203 https://android-emulator.viktorbarzin.lan/wake
+      until curl -ks --resolve android-emulator.viktorbarzin.lan:443:10.0.20.203 https://android-emulator.viktorbarzin.lan/status | grep -q '"ready": 1'; do sleep 5; done
+      adb connect 10.0.20.200:5555
+
+## Endpoints
+
+| What | Where |
+|---|---|
+| adb | `adb connect 10.0.20.200:5555` (LAN only; adb is unauthenticated — never expose publicly) |
+| Screen (noVNC) | <https://android-emulator.viktorbarzin.lan/vnc.html> (LAN only) |
+
+## Agent quickstart (from a devvm)
+
+```bash
+# one-time: user-local platform-tools
+wget -qO /tmp/pt.zip https://dl.google.com/android/repository/platform-tools-latest-linux.zip
+unzip -q /tmp/pt.zip -d ~/android-sdk   # → ~/android-sdk/platform-tools/adb
+
+adb="$HOME/android-sdk/platform-tools/adb"
+$adb connect 10.0.20.200:5555
+$adb -s 10.0.20.200:5555 install app-debug.apk          # install an APK
+$adb -s 10.0.20.200:5555 shell am start -a android.intent.action.VIEW -d https://tripit.viktorbarzin.me   # open a URL
+$adb -s 10.0.20.200:5555 shell input tap 540 1200        # drive the UI
+$adb -s 10.0.20.200:5555 exec-out screencap -p > /tmp/screen.png   # screenshot
+```
+
+The emulator is a single shared instance — `adb shell pm list packages`,
+uninstall your test app when done, and presence-claim
+(`presence claim service:android-emulator`) for long destructive sessions
+(wipes, system-image changes).
+
+## How it works
+
+- The container image (built from `docker/`) holds only JDK 17, cmdline-tools,
+  emulator native libs, Xvfb/x11vnc/noVNC and socat — ~1GB.
+- The SDK proper (platform-tools, emulator, system image, AVD, snapshots)
+  lives on the `android-emulator-sdk` PVC (`proxmox-lvm`); the entrypoint
+  installs it idempotently. **First boot downloads ~2.5GB (≈9GB unpacked on the PVC) and takes ~15 min**
+  (startup probe allows 30); subsequent restarts boot in ~1–2 min.
+- The emulator runs on the GPU node (k8s-node1) with a T4 time-slice
+  (qemu holds ~100 MiB VRAM while awake; scale-to-zero keeps it transient).
+  Guest GL is deliberately SOFTWARE (llvmpipe): rendering into Xvfb pins GL
+  to the X stack, and true NVIDIA headless GL would need -no-window plus the
+  emulator's own streaming instead of x11vnc — not worth it at the measured
+  CPU numbers below.
+
+## Rebuilding the image (rare — tool/library bumps only)
+
+```bash
+cd stacks/android-emulator/docker
+docker build -t forgejo.viktorbarzin.me/viktor/android-emulator:<new-tag> .
+docker push forgejo.viktorbarzin.me/viktor/android-emulator:<new-tag>
+# then bump var.image_tag default in variables.tf and land via CI
+```
+
+Built manually from a devvm on purpose: it changes rarely, and a one-off push
+doesn't warrant CI plumbing (the off-infra-CI rule targets *repeated* build IO).
+
+## Troubleshooting
+
+- Pod CrashLoops with `FATAL: /dev/kvm not present` → node lost the device or
+  the privileged/Kyverno exclude regressed (`android-emulator` must be in
+  `security_policy_exclude_namespaces`, stacks/kyverno).
+- Wedged Android (won't boot, storage full) → delete the PVC + pod: next boot
+  re-downloads cleanly. Snapshots/AVD state are disposable by design.
+- Different API level: set `API_LEVEL` env on the deployment (entrypoint
+  installs that system image on the same PVC) or recreate the AVD.
+
+## Resource profile (measured 2026-06-12, v6 on node1)
+
+- **Asleep (scaled to zero)**: nothing — the gate (~10m CPU/13Mi) is the only
+  standing cost.
+- **Awake**: settles to **~0.5–1.3 cores** with a static screen (on or off),
+  ~4.8–5.2 Gi memory (limit 8 Gi, requests 3 Gi), ~100 MiB T4 VRAM. Boot
+  bursts 5–9 cores for the first few minutes (dex2oat etc.).
+- **Disk**: ~7 G of the 30 Gi PVC.
+- Etiquette still applies for long sessions with animated content:
+  `adb -s 10.0.20.200:5555 shell input keyevent KEYCODE_SLEEP` when done.
+
+## Remote access
+
+https://android-emulator.viktorbarzin.me (Cloudflare-proxied, Authentik-gated)
+serves the same noVNC screen for off-LAN use. adb stays LAN-only by design.
diff --git a/stacks/android-emulator/docker/Dockerfile b/stacks/android-emulator/docker/Dockerfile
new file mode 100644
index 00000000..e4879329
--- /dev/null
+++ b/stacks/android-emulator/docker/Dockerfile
@@ -0,0 +1,44 @@
+# Android emulator runner — slim on purpose: the SDK proper (platform-tools,
+# emulator, system image, AVD) lives on the stack's PVC and is installed by
+# entrypoint.sh on first boot, so this image carries only the JDK,
+# cmdline-tools and the native libraries the emulator needs at runtime.
+#
+# Rebuild + push (rare — only when tool/library versions bump):
+#   docker build -t forgejo.viktorbarzin.me/viktor/android-emulator:api36-v8 .
+#   docker push forgejo.viktorbarzin.me/viktor/android-emulator:api36-v8
+FROM eclipse-temurin:17-jdk-jammy
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    # emulator runtime deps (Qt window into Xvfb)
+    libpulse0 libgl1 libglu1-mesa libnss3 libasound2 libfontconfig1 \
+    libx11-6 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 \
+    libxfixes3 libxi6 libxrandr2 libxrender1 libxtst6 libxkbcommon0 \
+    libegl1 libgles2 \
+    libxkbfile1 libsm6 libice6 libdbus-1-3 \
+    # virtual display + browser viewing
+    xvfb x11vnc novnc websockify openbox wmctrl xdotool \
+    # adb TCP forwarding + fetch tooling
+    socat wget unzip ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# Android cmdline-tools (sdkmanager/avdmanager). Pinned; SDK packages they
+# install land on the PVC at /sdk, not in this image.
+ARG CMDLINE_TOOLS_VERSION=13114758
+RUN mkdir -p /opt/android/cmdline-tools && \
+    wget -q "https://dl.google.com/android/repository/commandlinetools-linux-${CMDLINE_TOOLS_VERSION}_latest.zip" -O /tmp/clt.zip && \
+    unzip -q /tmp/clt.zip -d /opt/android/cmdline-tools && \
+    mv /opt/android/cmdline-tools/cmdline-tools /opt/android/cmdline-tools/latest && \
+    rm /tmp/clt.zip
+
+ENV ANDROID_SDK_ROOT=/sdk \
+    ANDROID_USER_HOME=/sdk/.android \
+    ANDROID_AVD_HOME=/sdk/.android/avd \
+    PATH="/opt/android/cmdline-tools/latest/bin:/sdk/platform-tools:/sdk/emulator:${PATH}"
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+# 5555 adb (socat → emulator adbd), 6080 noVNC web UI
+EXPOSE 5555 6080
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/stacks/android-emulator/docker/entrypoint.sh b/stacks/android-emulator/docker/entrypoint.sh
new file mode 100644
index 00000000..0c59e17a
--- /dev/null
+++ b/stacks/android-emulator/docker/entrypoint.sh
@@ -0,0 +1,174 @@
+#!/usr/bin/env bash
+# Boot sequence: ensure SDK + AVD on the PVC (/sdk), bring up a virtual
+# display with browser viewing (Xvfb → x11vnc → noVNC :6080), start the
+# emulator windowed into it, and expose its adbd on :5555 for the LAN.
+set -euo pipefail
+
+# Containerd grants an effectively unbounded RLIMIT_NOFILE (2^31); x11vnc's
+# connection handling sweeps the whole fd table with fcntl per fd, so every
+# VNC connect hung for ages. Cap it for everything we launch.
+ulimit -n 65536
+
+API_LEVEL="${API_LEVEL:-36}"
+SYSTEM_IMAGE="system-images;android-${API_LEVEL};google_apis;x86_64"
+# Pinned emulator build (36.1.9). The sdkmanager-latest emulator (36.6.11)
+# hangs before executing a single guest instruction in this pod (KVM and TCG
+# alike, all gpu modes) — debugged 2026-06-11; 36.1.9 boots fine. Bump only
+# after verifying a newer build actually boots here.
+EMULATOR_BUILD="${EMULATOR_BUILD:-13823996}"
+AVD_NAME="${AVD_NAME:-lab}"
+EMULATOR_RAM_MB="${EMULATOR_RAM_MB:-4096}"
+SCREEN_GEOMETRY="${SCREEN_GEOMETRY:-1080x2280x24}"
+
+[ -e /dev/kvm ] || { echo "FATAL: /dev/kvm not present — pod needs the kvm hostPath + privileged"; exit 1; }
+
+mkdir -p "$ANDROID_USER_HOME"
+
+# --- SDK packages on the PVC (idempotent; first boot downloads ~2.5GB) ------
+# A directory existing is NOT proof of a complete install (an interrupted
+# sdkmanager leaves partial trees that avdmanager rejects with "Valid system
+# image paths are: null") — so completion is tracked with a marker file
+# written only after sdkmanager succeeds.
+MARKER="/sdk/.sdk-install-complete-android-${API_LEVEL}"
+if [ ! -f "$MARKER" ]; then
+  echo "Installing SDK packages into /sdk (first boot or prior partial install)..."
+  rm -rf "/sdk/system-images/android-${API_LEVEL}"
+  # (yes || true): yes dies of SIGPIPE (141) when sdkmanager stops reading,
+  # which set -o pipefail would otherwise turn into a fatal error.
+  (yes || true) | sdkmanager --sdk_root=/sdk --licenses >/dev/null
+  for attempt in 1 2 3; do
+    if sdkmanager --sdk_root=/sdk "platform-tools" "emulator" "$SYSTEM_IMAGE"; then
+      break
+    fi
+    echo "sdkmanager attempt $attempt failed; retrying in 10s..." >&2
+    [ "$attempt" = 3 ] && exit 1
+    sleep 10
+  done
+  # the package manifest is what avdmanager actually validates against
+  test -f "/sdk/system-images/android-${API_LEVEL}/google_apis/x86_64/package.xml"
+  touch "$MARKER"
+fi
+
+# --- pin the emulator build (replaces whatever sdkmanager installed) ---------
+if [ ! -f "/sdk/.emulator-pinned-${EMULATOR_BUILD}" ]; then
+  echo "Pinning emulator build ${EMULATOR_BUILD}..."
+  wget -q "https://dl.google.com/android/repository/emulator-linux_x64-${EMULATOR_BUILD}.zip" -O /sdk/emu.zip
+  rm -rf /sdk/emulator
+  unzip -qo /sdk/emu.zip -d /sdk && rm -f /sdk/emu.zip
+  rm -f /sdk/.emulator-pinned-*
+  touch "/sdk/.emulator-pinned-${EMULATOR_BUILD}"
+fi
+
+# --- AVD (idempotent) --------------------------------------------------------
+# avdmanager IGNORES ANDROID_SDK_ROOT (and has no --sdk_root): it derives the
+# SDK root from its own toolsdir. Run it from a copy of cmdline-tools seeded
+# INSIDE /sdk so it resolves the PVC as the root — otherwise it looks under
+# /opt/android and reports "Valid system image paths are: null".
+if [ ! -x /sdk/cmdline-tools/latest/bin/avdmanager ]; then
+  mkdir -p /sdk/cmdline-tools
+  cp -a /opt/android/cmdline-tools/latest /sdk/cmdline-tools/latest
+fi
+AVDMANAGER=/sdk/cmdline-tools/latest/bin/avdmanager
+if ! "$AVDMANAGER" list avd -c | grep -qx "$AVD_NAME"; then
+  echo "Creating AVD '$AVD_NAME' (${SYSTEM_IMAGE}, pixel_7)..."
+  (echo no || true) | "$AVDMANAGER" create avd -n "$AVD_NAME" -k "$SYSTEM_IMAGE" --device pixel_7
+  cat >> "${ANDROID_AVD_HOME}/${AVD_NAME}.avd/config.ini" <<EOF
+hw.ramSize=${EMULATOR_RAM_MB}
+disk.dataPartition.size=8192M
+hw.keyboard=yes
+EOF
+fi
+
+# --- noVNC defaults: scaled view, autoconnect, self-reconnect ----------------
+cat > /usr/share/novnc/defaults.json <<'JSON'
+{
+  "autoconnect": true,
+  "reconnect": true,
+  "reconnect_delay": 2000,
+  "resize": "scale",
+  "shared": true
+}
+JSON
+
+# --- virtual display + browser viewing ---------------------------------------
+export DISPLAY=:0
+Xvfb :0 -screen 0 "$SCREEN_GEOMETRY" -nolisten tcp &
+sleep 1
+openbox &
+x11vnc -display :0 -nopw -forever -shared -quiet -nolookup -bg
+websockify --web /usr/share/novnc 6080 localhost:5900 &
+
+# --- emulator -----------------------------------------------------------------
+# Use the host GPU when the NVIDIA runtime injected one (driver libs +
+# /dev/nvidia* appear when the pod requests nvidia.com/gpu), otherwise
+# swiftshader (CPU rendering). If the GPU launch dies early, fall back to
+# swiftshader automatically so the worst case equals CPU rendering.
+GPU_FLAG="swiftshader_indirect"
+[ -e /dev/nvidiactl ] && GPU_FLAG="host"
+echo "Emulator GPU mode: $GPU_FLAG"
+
+launch_emulator() {
+  emulator -avd "$AVD_NAME" \
+    -gpu "$1" -accel on \
+    -memory "$EMULATOR_RAM_MB" \
+    -no-audio -no-boot-anim \
+    &
+  EMU_PID=$!
+}
+
+launch_emulator "$GPU_FLAG"
+if [ "$GPU_FLAG" = "host" ]; then
+  sleep 25
+  if ! kill -0 "$EMU_PID" 2>/dev/null; then
+    echo "GPU launch (-gpu host) died early — falling back to swiftshader." >&2
+    rm -f "${ANDROID_AVD_HOME}/${AVD_NAME}.avd"/*.lock
+    launch_emulator swiftshader_indirect
+  fi
+fi
+
+adb wait-for-device
+echo "Emulator up; waiting for boot completion..."
+until [ "$(adb shell getprop sys.boot_completed 2>/dev/null | tr -d '\r')" = "1" ]; do
+  sleep 3
+done
+echo "Boot completed."
+
+# --- fit the emulator window to the whole virtual display ---------------------
+# The emulator's Qt window opens small (it picks a conservative scale for a
+# headless display) and floats inside the 1080x2280 Xvfb, so noVNC's
+# resize=scale was scaling mostly black space. Background fitter: dismiss the
+# one-shot "nested virtualization" warning dialog, undecorate + fill the phone
+# window, and park the control strip off the right edge. Re-runs for a while to
+# catch the window/dialog appearing, then periodically in case they recreate.
+( export DISPLAY=:0
+  fit_once() {
+    # auto-OK the nested-virt warning if it is up
+    for w in $(xdotool search --name "Nested Virtualization" 2>/dev/null); do
+      xdotool windowactivate --sync "$w" key --clearmodifiers Return 2>/dev/null || true
+    done
+    emu=$(wmctrl -l 2>/dev/null | awk "/Android Emulator - /{print \$1; exit}")
+    [ -z "$emu" ] && return 1
+    # fill the display minus a sliver for the control strip
+    xdotool windowmove "$emu" 0 0 2>/dev/null
+    xdotool windowsize "$emu" 1010 2280 2>/dev/null
+    for t in $(wmctrl -l 2>/dev/null | awk "{ if (\$4 == \"Emulator\") print \$1 }"); do
+      xdotool windowmove "$t" 1015 0 2>/dev/null || true
+    done
+    return 0
+  }
+  # aggressive for the first ~2 min (window + dialog timing), then keep tidy
+  for _ in $(seq 1 60); do fit_once && break; sleep 2; done
+  while true; do fit_once; sleep 30; done
+) &
+
+# Expose the emulator's adbd (localhost:5555) to the pod network. Plain TCP,
+# no auth — reachable only inside the LAN via the MetalLB IP. Bind to the pod
+# IP only: the emulator itself already listens on 127.0.0.1:5555, so a
+# wildcard bind fails with EADDRINUSE.
+POD_IP=$(hostname -i | awk '{print $1}')
+socat "TCP-LISTEN:5555,bind=${POD_IP},fork,reuseaddr" TCP:127.0.0.1:5555 &
+
+# Supervise: if any background process dies, exit so the pod restarts.
+wait -n
+echo "A supervised process exited; restarting pod." >&2
+exit 1
diff --git a/stacks/android-emulator/gate.py b/stacks/android-emulator/gate.py
new file mode 100644
index 00000000..6057aaf8
--- /dev/null
+++ b/stacks/android-emulator/gate.py
@@ -0,0 +1,117 @@
+"""Wake gate for the android-emulator deployment.
+
+Owns `/` on the emulator hostnames: if the emulator is up, redirect to the
+noVNC screen; if it is scaled to zero, scale it to 1 and show a self-refreshing
+"waking up" page. Agents use GET /status (JSON) + GET /wake. Pure stdlib —
+runs on a stock python image with no installs.
+"""
+import json
+import os
+import ssl
+import urllib.error
+import urllib.request
+from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+
+NS = os.environ.get("NAMESPACE", "android-emulator")
+DEPLOY = os.environ.get("DEPLOYMENT", "android-emulator")
+# Use the injected env vars, not DNS: kubernetes.default.svc failed to
+# resolve from this alpine/musl pod (ndots + injected dns_config quirk).
+API = "https://%s:%s" % (
+    os.environ.get("KUBERNETES_SERVICE_HOST", "kubernetes.default.svc"),
+    os.environ.get("KUBERNETES_SERVICE_PORT", "443"),
+)
+TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+CA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+VNC_PATH = "/vnc.html?autoconnect=1&resize=scale"
+
+WAKING_PAGE = """<!doctype html><html><head><title>Android emulator</title>
+<meta http-equiv="refresh" content="10">
+<style>body{font-family:sans-serif;display:flex;align-items:center;justify-content:center;
+height:100vh;background:#111;color:#eee}div{text-align:center}</style></head>
+<body><div><h1>&#128241; Waking the emulator&hellip;</h1>
+<p>Boot takes about 90 seconds from a warm disk.</p>
+<p>This page refreshes automatically and will hand over to the screen when ready.</p>
+<p style="color:#888">state: {state}</p></div></body></html>"""
+
+
+def kube(method: str, path: str, body=None):
+    with open(TOKEN_PATH) as f:
+        token = f.read()
+    req = urllib.request.Request(API + path, method=method)
+    req.add_header("Authorization", "Bearer " + token)
+    data = None
+    if body is not None:
+        data = json.dumps(body).encode()
+        req.add_header("Content-Type", "application/strategic-merge-patch+json")
+    ctx = ssl.create_default_context(cafile=CA_PATH)
+    with urllib.request.urlopen(req, data=data, context=ctx, timeout=10) as r:
+        return json.load(r)
+
+
+def deployment_state():
+    d = kube("GET", f"/apis/apps/v1/namespaces/{NS}/deployments/{DEPLOY}")
+    spec = d["spec"].get("replicas") or 0
+    ready = d["status"].get("readyReplicas") or 0
+    return spec, ready
+
+
+def wake():
+    # Direct replicas patch on the named deployment — same path the idle
+    # sleeper uses to scale DOWN; needs only `deployments` patch, not
+    # `deployments/scale`. Idle is now measured from dumpsys power, so there
+    # is no idle-counter annotation to reset here.
+    kube(
+        "PATCH",
+        f"/apis/apps/v1/namespaces/{NS}/deployments/{DEPLOY}",
+        {"spec": {"replicas": 1}},
+    )
+
+
+class Handler(BaseHTTPRequestHandler):
+    def _respond(self, code: int, body: bytes, ctype: str, extra=None):
+        self.send_response(code)
+        self.send_header("Content-Type", ctype)
+        self.send_header("Cache-Control", "no-store")
+        for k, v in (extra or {}).items():
+            self.send_header(k, v)
+        self.end_headers()
+        self.wfile.write(body)
+
+    def do_GET(self):  # noqa: N802 (stdlib naming)
+        if self.path == "/healthz":
+            return self._respond(200, b"ok", "text/plain")
+        try:
+            spec, ready = deployment_state()
+            if self.path.startswith("/status"):
+                return self._respond(
+                    200,
+                    json.dumps({"replicas": spec, "ready": ready}).encode(),
+                    "application/json",
+                )
+            woke = False
+            if spec == 0:
+                wake()
+                woke = True
+            if self.path.startswith("/wake"):
+                return self._respond(
+                    200,
+                    json.dumps({"replicas": 1, "ready": ready, "woke": woke}).encode(),
+                    "application/json",
+                )
+            # default: human path
+            if ready >= 1:
+                return self._respond(302, b"", "text/plain", {"Location": VNC_PATH})
+            state = "starting" if not woke else "scaled up just now"
+            page = WAKING_PAGE.replace("{state}", state)
+            return self._respond(200, page.encode(), "text/html")
+        except urllib.error.HTTPError as e:
+            return self._respond(502, f"kube api error: {e.code}".encode(), "text/plain")
+        except Exception as e:  # surface anything else readably
+            return self._respond(500, f"gate error: {e}".encode(), "text/plain")
+
+    def log_message(self, fmt, *args):
+        print("%s - %s" % (self.address_string(), fmt % args), flush=True)
+
+
+if __name__ == "__main__":
+    ThreadingHTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
diff --git a/stacks/android-emulator/gate.tf b/stacks/android-emulator/gate.tf
new file mode 100644
index 00000000..2300888c
--- /dev/null
+++ b/stacks/android-emulator/gate.tf
@@ -0,0 +1,244 @@
+# On-demand lifecycle: the emulator scales to ZERO when idle and wakes on
+# visit. The gate (tiny stdlib-python HTTP server) owns `/` on both emulator
+# hostnames — it scales the deployment up and hands the browser to noVNC once
+# ready; agents use GET /wake + /status. The idle CronJob scales back to zero
+# after ~1h with no adb/VNC connections. Decision: Viktor 2026-06-12 —
+# dev-only usage, and an always-on GPU emulator would permanently hold T4
+# VRAM that the LLM jobs need.
+
+resource "kubernetes_service_account" "gate" {
+  metadata {
+    name      = "android-emulator-gate"
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+  }
+}
+
+resource "kubernetes_role" "gate" {
+  metadata {
+    name      = "android-emulator-gate"
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+  }
+  rule {
+    api_groups     = ["apps"]
+    resources      = ["deployments"]
+    resource_names = ["android-emulator"]
+    verbs          = ["get", "patch"]
+  }
+  rule {
+    api_groups = [""]
+    resources  = ["pods"]
+    verbs      = ["get", "list"]
+  }
+  rule {
+    api_groups = [""]
+    resources  = ["pods/exec"]
+    verbs      = ["create"]
+  }
+}
+
+resource "kubernetes_role_binding" "gate" {
+  metadata {
+    name      = "android-emulator-gate"
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Role"
+    name      = kubernetes_role.gate.metadata[0].name
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.gate.metadata[0].name
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+  }
+}
+
+resource "kubernetes_config_map" "gate" {
+  metadata {
+    name      = "android-emulator-gate"
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+  }
+  data = {
+    "gate.py" = file("${path.module}/gate.py")
+  }
+}
+
+resource "kubernetes_deployment" "gate" {
+  metadata {
+    name      = "android-emulator-gate"
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+    labels = {
+      app = "android-emulator-gate"
+    }
+  }
+  spec {
+    replicas = 1
+    selector {
+      match_labels = { app = "android-emulator-gate" }
+    }
+    template {
+      metadata {
+        labels = { app = "android-emulator-gate" }
+        annotations = {
+          "checksum/gate" = sha1(file("${path.module}/gate.py"))
+        }
+      }
+      spec {
+        service_account_name = kubernetes_service_account.gate.metadata[0].name
+        container {
+          name    = "gate"
+          image   = "python:3.12-alpine"
+          command = ["python", "/app/gate.py"]
+          env {
+            name  = "NAMESPACE"
+            value = kubernetes_namespace.android-emulator.metadata[0].name
+          }
+          env {
+            name  = "DEPLOYMENT"
+            value = "android-emulator"
+          }
+          port {
+            container_port = 8080
+          }
+          volume_mount {
+            name       = "app"
+            mount_path = "/app"
+          }
+          resources {
+            requests = {
+              cpu    = "10m"
+              memory = "64Mi"
+            }
+            limits = {
+              memory = "64Mi"
+            }
+          }
+          readiness_probe {
+            http_get {
+              path = "/healthz"
+              port = 8080
+            }
+            period_seconds = 10
+          }
+        }
+        volume {
+          name = "app"
+          config_map {
+            name = kubernetes_config_map.gate.metadata[0].name
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+  }
+}
+
+resource "kubernetes_service" "gate" {
+  metadata {
+    name      = "android-emulator-gate"
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+  }
+  spec {
+    selector = {
+      app = "android-emulator-gate"
+    }
+    port {
+      name        = "http"
+      port        = 80
+      target_port = 8080
+    }
+  }
+}
+
+# Sleep side: every 15 min, ask the emulator how long since it was actually
+# USED — dumpsys power's last user-activity time (taps/keys/app-launches,
+# including noVNC clicks) vs guest uptime. No activity for 6h → scale the
+# deployment to zero. This deliberately IGNORES open adb/noVNC connections:
+# a forgotten adb transport (connect with no disconnect) stays ESTABLISHED
+# forever, so the old connection-count check kept resetting and the emulator
+# never slept (up 6+ days while idle ~5). Reads activity via `kubectl exec`
+# (the SA has pods/exec) and scales down with a direct replicas patch on the
+# named deployment — the SAME path the wake gate scales UP — so it needs only
+# the existing `deployments` patch grant, NOT `deployments/scale` (which the
+# SA lacks; the old `kubectl scale` here failed Forbidden). Stateless: no
+# idle-counter annotation. Fail-safe: any read error → do NOT sleep.
+resource "kubernetes_cron_job_v1" "idle_sleeper" {
+  metadata {
+    name      = "android-emulator-idle-sleeper"
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+  }
+  spec {
+    schedule                      = "*/15 * * * *"
+    concurrency_policy            = "Forbid"
+    successful_jobs_history_limit = 1
+    failed_jobs_history_limit     = 2
+    job_template {
+      metadata {}
+      spec {
+        backoff_limit              = 0
+        ttl_seconds_after_finished = 3600
+        template {
+          metadata {}
+          spec {
+            service_account_name = kubernetes_service_account.gate.metadata[0].name
+            restart_policy       = "Never"
+            container {
+              name    = "sleeper"
+              image   = "bitnami/kubectl:latest"
+              command = ["/bin/bash", "-c"]
+              args = [<<-EOT
+                set -eu
+                NS=android-emulator
+                DEPLOY=android-emulator
+                IDLE_LIMIT_SECONDS=21600   # 6h with no user activity -> sleep
+                spec=$(kubectl -n $NS get deploy $DEPLOY -o jsonpath='{.spec.replicas}')
+                [ "$spec" = "0" ] && { echo "already asleep"; exit 0; }
+                pod=$(kubectl -n $NS get pods -l app=$DEPLOY --field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}')
+                [ -z "$pod" ] && { echo "no running pod (booting?) — not sleeping"; exit 0; }
+                # How long since the emulator was actually used? Compare the last
+                # user-activity time from dumpsys power (taps/keys/app-launches,
+                # incl. noVNC clicks) with current guest uptime, both in ms on
+                # the guest uptime clock. Capture first, then parse: NO pipefail
+                # and no early `exit` in awk, so a streaming `dumpsys` can't
+                # SIGPIPE the exec and trip set -e (that bug made every run die
+                # 141 with no output). Fail-safe: a still-booting emulator (adb
+                # not ready) yields empty values -> do NOT sleep.
+                uptime_raw=$(kubectl -n $NS exec $pod -- adb shell cat /proc/uptime 2>/dev/null || true)
+                dump=$(kubectl -n $NS exec $pod -- adb shell dumpsys power 2>/dev/null || true)
+                uptime_ms=$(printf '%s' "$uptime_raw" | awk '{printf "%d", $1*1000}')
+                last_ms=$(printf '%s' "$dump" | awk -F= '/mLastUserActivityTime\(excludingAttention\)/{v=$2} END{gsub(/[^0-9]/,"",v); print v}')
+                if [ -z "$uptime_ms" ] || [ -z "$last_ms" ]; then
+                  echo "could not read activity (emulator booting / adb not ready) — not sleeping"
+                  exit 0
+                fi
+                idle_s=$(( (uptime_ms - last_ms) / 1000 ))
+                echo "idle for $idle_s s (limit $IDLE_LIMIT_SECONDS s / 6h)"
+                if [ "$idle_s" -ge "$IDLE_LIMIT_SECONDS" ]; then
+                  echo "idle >= 6h with no user activity — scaling to zero"
+                  kubectl -n $NS patch deploy $DEPLOY --type=merge -p '{"spec":{"replicas":0}}'
+                else
+                  echo "used within 6h — staying up"
+                fi
+              EOT
+              ]
+              resources {
+                requests = {
+                  cpu    = "10m"
+                  memory = "64Mi"
+                }
+                limits = {
+                  memory = "128Mi"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+  }
+}
diff --git a/stacks/android-emulator/main.tf b/stacks/android-emulator/main.tf
new file mode 100644
index 00000000..8ca67428
--- /dev/null
+++ b/stacks/android-emulator/main.tf
@@ -0,0 +1,327 @@
+# Android emulator — shared in-cluster Android 16 (API 36) testing instance.
+# Agents drive it over adb (10.0.20.200:5555); humans watch the screen at
+# https://android-emulator.viktorbarzin.lan (noVNC). The SDK + system image +
+# AVD live on the PVC; the container image is just JDK + cmdline-tools + libs
+# (built manually from docker/, see README.md).
+#
+# Decision record: docs/adr/0001-android-emulator-in-cluster.md
+# - privileged + /dev/kvm hostPath (namespace is on the Kyverno exclude list)
+# - swiftshader rendering — deliberately NOT on the contended T4 GPU node
+
+resource "kubernetes_namespace" "android-emulator" {
+  metadata {
+    name = "android-emulator"
+    labels = {
+      "istio-injection" : "disabled"
+      tier = local.tiers.cluster
+    }
+  }
+  lifecycle {
+    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
+  }
+}
+
+module "tls_secret" {
+  source          = "../../modules/kubernetes/setup_tls_secret"
+  namespace       = kubernetes_namespace.android-emulator.metadata[0].name
+  tls_secret_name = var.tls_secret_name
+}
+
+# SDK + system image + AVD + snapshots. First boot downloads ~2.5GB (≈9GB
+# unpacked) into here;
+# subsequent pod restarts reuse it (boot in ~1 min instead of ~15).
+# DELIBERATE deviation from the proxmox-lvm backup convention: no backup
+# CronJob — everything on this PVC is a regenerable download/cache (wipe the
+# PVC and the next boot rebuilds it; that's also the documented recovery path).
+resource "kubernetes_persistent_volume_claim" "sdk" {
+  wait_until_bound = false
+  metadata {
+    name      = "android-emulator-sdk"
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+    annotations = {
+      "resize.topolvm.io/threshold"     = "10%"
+      "resize.topolvm.io/increase"      = "50%"
+      "resize.topolvm.io/storage_limit" = "60Gi"
+    }
+  }
+  spec {
+    access_modes       = ["ReadWriteOnce"]
+    storage_class_name = "proxmox-lvm"
+    resources {
+      requests = {
+        storage = "30Gi"
+      }
+    }
+  }
+  lifecycle {
+    # Autoresizer grows requests.storage up to storage_limit; PVCs can't shrink.
+    ignore_changes = [spec[0].resources[0].requests]
+  }
+}
+
+resource "kubernetes_deployment" "android-emulator" {
+  metadata {
+    name      = "android-emulator"
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+    labels = {
+      app = "android-emulator"
+    }
+  }
+  spec {
+    # Scaled to 0 (2026-06-12): the emulator's ~4.7-core swiftshader CPU burn
+    # on node3 saturated the single PVE host and starved etcd on the k8s-master
+    # VM → control-plane (scheduler/controller-manager/kyverno) leader-election
+    # crashloop. It is a shared TEST instance, not a 24/7 service: spin up
+    # on-demand (replicas = 1) for a testing session, return to 0 when done.
+    # Durable relief pending the structural etcd-protection fix (PVE CPU weight
+    # / etcd WAL on SSD).
+    replicas = 0
+    strategy {
+      type = "Recreate" # RWO PVC — old pod must release it first
+    }
+    selector {
+      match_labels = { app = "android-emulator" }
+    }
+    template {
+      metadata {
+        labels = { app = "android-emulator" }
+      }
+      spec {
+        node_selector = {
+          "nvidia.com/gpu.present" : "true"
+        }
+        toleration {
+          key      = "nvidia.com/gpu"
+          operator = "Equal"
+          value    = "true"
+          effect   = "NoSchedule"
+        }
+        image_pull_secrets {
+          name = "registry-credentials"
+        }
+        container {
+          name  = "emulator"
+          image = "ghcr.io/viktorbarzin/android-emulator:${var.image_tag}"
+
+          security_context {
+            privileged = true # /dev/kvm access
+          }
+
+          env {
+            # The GPU operator injects only compute,utility by default — the
+            # NVIDIA EGL/GL libraries need the graphics capability, otherwise
+            # the emulator's -gpu host silently falls back to Mesa llvmpipe
+            # (software GL) inside the container.
+            name  = "NVIDIA_DRIVER_CAPABILITIES"
+            value = "all"
+          }
+
+          port {
+            name           = "adb"
+            container_port = 5555
+          }
+          port {
+            name           = "novnc"
+            container_port = 6080
+          }
+
+          volume_mount {
+            name       = "sdk"
+            mount_path = "/sdk"
+          }
+          volume_mount {
+            name       = "kvm"
+            mount_path = "/dev/kvm"
+          }
+
+          resources {
+            # No CPU limit (cluster-wide rule — CFS throttling). Burstable on
+            # memory: the tier-1 quota caps requests.memory at 4Gi per
+            # namespace, so requests stay under it while the limit gives the
+            # emulator (qemu -memory 4096 + guest overhead + Xvfb/VNC + JVM
+            # sdkmanager on first boot) room to peak — same Burstable pattern
+            # tiers 3/4 use deliberately.
+            requests = {
+              cpu    = "2"
+              memory = "3Gi"
+            }
+            limits = {
+              memory           = "8Gi"
+              "nvidia.com/gpu" = "1" # T4 time-slice; ~0.5-1GiB VRAM while awake
+            }
+          }
+
+          # First boot downloads the system image + cold-boots Android: allow
+          # up to ~30 min before the pod is declared failed.
+          startup_probe {
+            exec {
+              command = ["/bin/bash", "-c", "/sdk/platform-tools/adb shell getprop sys.boot_completed | grep -q 1"]
+            }
+            period_seconds    = 20
+            failure_threshold = 90
+          }
+          readiness_probe {
+            exec {
+              command = ["/bin/bash", "-c", "/sdk/platform-tools/adb shell getprop sys.boot_completed | grep -q 1"]
+            }
+            period_seconds    = 30
+            failure_threshold = 3
+          }
+          liveness_probe {
+            exec {
+              command = ["/bin/bash", "-c", "/sdk/platform-tools/adb shell getprop sys.boot_completed | grep -q 1"]
+            }
+            period_seconds    = 60
+            failure_threshold = 10 # generous — don't reboot mid-test on a hiccup
+          }
+        }
+
+        volume {
+          name = "sdk"
+          persistent_volume_claim {
+            claim_name = kubernetes_persistent_volume_claim.sdk.metadata[0].name
+          }
+        }
+        volume {
+          name = "kvm"
+          host_path {
+            path = "/dev/kvm"
+            type = "CharDevice"
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      # the wake gate + idle sleeper own replicas (scale-to-zero on demand);
+      # an apply must not resurrect or kill the emulator.
+      spec[0].replicas,
+    ]
+  }
+}
+
+# adb endpoint for agents/devvms: `adb connect 10.0.20.200:5555`.
+# Unauthenticated by nature — LAN-only via MetalLB, never exposed publicly.
+resource "kubernetes_service" "adb" {
+  metadata {
+    name      = "android-emulator-adb"
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+    annotations = {
+      "metallb.universe.tf/loadBalancerIPs" = "10.0.20.200"
+      "metallb.io/allow-shared-ip"          = "shared"
+    }
+  }
+  spec {
+    type = "LoadBalancer"
+    selector = {
+      app = "android-emulator"
+    }
+    port {
+      name        = "adb"
+      port        = 5555
+      target_port = 5555
+    }
+  }
+}
+
+resource "kubernetes_service" "novnc" {
+  metadata {
+    name      = "android-emulator"
+    namespace = kubernetes_namespace.android-emulator.metadata[0].name
+    labels = {
+      app = "android-emulator"
+    }
+  }
+  spec {
+    selector = {
+      app = "android-emulator"
+    }
+    port {
+      name        = "http"
+      port        = 80
+      target_port = 6080
+    }
+  }
+}
+
+# Ingress layout, same on both hostnames: the wake gate owns `/` (visiting
+# wakes a sleeping emulator), while the noVNC asset/socket paths go straight
+# to the emulator service. LAN (.lan) is unauthenticated local-only for
+# agents; public (.me) is Authentik-gated for humans.
+locals {
+  novnc_paths = [
+    "/vnc.html", "/app", "/core", "/vendor",
+    "/websockify", "/package.json", "/defaults.json", "/mandatory.json",
+  ]
+}
+
+module "ingress-internal-gate" {
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": LAN-only (allow_local_access_only) wake gate + screen for
+  # the shared test emulator — no user data behind it; agents need cookie-free
+  # curl access and Authentik would break the noVNC websocket flow.
+  auth                    = "none"
+  namespace               = kubernetes_namespace.android-emulator.metadata[0].name
+  name                    = "android-emulator"
+  root_domain             = "viktorbarzin.lan"
+  service_name            = kubernetes_service.gate.metadata[0].name
+  tls_secret_name         = var.tls_secret_name
+  allow_local_access_only = true
+  ssl_redirect            = false
+  extra_annotations = {
+    "gethomepage.dev/enabled" = "false"
+  }
+}
+
+module "ingress-internal-novnc" {
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": LAN-only noVNC paths (see ingress-internal-gate above).
+  auth                    = "none"
+  namespace               = kubernetes_namespace.android-emulator.metadata[0].name
+  name                    = "android-emulator-novnc"
+  host                    = "android-emulator"
+  root_domain             = "viktorbarzin.lan"
+  service_name            = kubernetes_service.novnc.metadata[0].name
+  ingress_path            = local.novnc_paths
+  tls_secret_name         = var.tls_secret_name
+  allow_local_access_only = true
+  ssl_redirect            = false
+  # noVNC loads ~60 unbundled ES modules in parallel; the default 10/50
+  # limiter 429s the tail and the loader hangs forever.
+  skip_default_rate_limit = true
+  extra_middlewares       = ["traefik-android-emulator-rate-limit@kubernetescrd"]
+  extra_annotations = {
+    "gethomepage.dev/enabled" = "false"
+  }
+}
+
+# Remote (off-LAN) access — Authentik-gated at the edge; WebSockets work
+# through forward-auth same-origin (proven by stacks/terminal's ttyd).
+# adb (5555) deliberately stays LAN-only: it is unauthenticated.
+module "ingress-public-gate" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  auth            = "required"
+  dns_type        = "proxied"
+  namespace       = kubernetes_namespace.android-emulator.metadata[0].name
+  name            = "android-emulator-public"
+  host            = "android-emulator"
+  service_name    = kubernetes_service.gate.metadata[0].name
+  tls_secret_name = var.tls_secret_name
+}
+
+module "ingress-public-novnc" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  auth            = "required"
+  namespace       = kubernetes_namespace.android-emulator.metadata[0].name
+  name            = "android-emulator-public-novnc"
+  host            = "android-emulator"
+  service_name    = kubernetes_service.novnc.metadata[0].name
+  ingress_path    = local.novnc_paths
+  tls_secret_name = var.tls_secret_name
+  # see ingress-internal-novnc — noVNC's parallel module storm needs the
+  # dedicated limiter.
+  skip_default_rate_limit = true
+  extra_middlewares       = ["traefik-android-emulator-rate-limit@kubernetescrd"]
+}
diff --git a/stacks/travel_blog/secrets b/stacks/android-emulator/secrets
similarity index 100%
rename from stacks/travel_blog/secrets
rename to stacks/android-emulator/secrets
diff --git a/stacks/android-emulator/terragrunt.hcl b/stacks/android-emulator/terragrunt.hcl
new file mode 100644
index 00000000..6b17754a
--- /dev/null
+++ b/stacks/android-emulator/terragrunt.hcl
@@ -0,0 +1,10 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+# apply-trigger: non-merge commit so the stack detector sees this stack
+# (merge-commit diffs hide stacks from it — same issue as the tts 798b0255 fix)
+
+# apply-trigger 2026-06-12: non-merge commit so the detector sees this stack
+
+# apply-trigger 2026-06-12b: non-merge commit for the GPU+gate rollout
diff --git a/stacks/android-emulator/variables.tf b/stacks/android-emulator/variables.tf
new file mode 100644
index 00000000..822b7527
--- /dev/null
+++ b/stacks/android-emulator/variables.tf
@@ -0,0 +1,10 @@
+variable "tls_secret_name" {
+  type      = string
+  sensitive = true
+}
+
+variable "image_tag" {
+  type        = string
+  default     = "latest"
+  description = "android-emulator image tag at ghcr.io/viktorbarzin/android-emulator. Built by GHA (.github/workflows/build-android-emulator.yml) on changes to stacks/android-emulator/docker/ (ADR-0002). :latest tracks the newest build."
+}
diff --git a/stacks/anisette/main.tf b/stacks/anisette/main.tf
new file mode 100644
index 00000000..c7dad0ba
--- /dev/null
+++ b/stacks/anisette/main.tf
@@ -0,0 +1,189 @@
+# anisette — self-hosted Apple anisette-data server for SideStore/AltStore.
+#
+# Purpose (infra issue #40): the TripIt iOS Shell is sideloaded with SideStore
+# using a free Apple ID. SideStore needs an "anisette" server to broker the
+# Apple-ID auth dance; the public community anisette servers see every login,
+# so we run our own. Stateless HTTP service on a stable INTERNAL endpoint
+# (anisette.viktorbarzin.lan) that SideStore points at.
+#
+# Image: Dadoum/anisette-v3-server — the de-facto standard anisette-v3 server
+# for SideStore/AltStore (the same project SideStore's own docs point at).
+# Upstream publishes ONLY a mutable :latest tag (no GitHub releases, no semver,
+# no date/sha tags — verified 2026-06-14), so we pin by MANIFEST DIGEST instead
+# (immutable, honours the "never :latest" rule). DockerHub is pulled
+# transparently via the registry-VM pull-through cache, same as echo/cyberchef.
+# To bump: `docker buildx imagetools inspect dadoum/anisette-v3-server:latest`,
+# then replace the digest below.
+#
+# Stateless: the container caches Apple provisioning libraries under
+# /home/Alcoholic/.config/anisette-v3/lib (a regenerable download — re-fetched
+# if absent — and per upstream issue #23 it does NOT preserve client auth across
+# restarts anyway). So an emptyDir is the honest fit: keeps that path writable
+# without taking on a backup-pipeline obligation. No PVC, no Vault secret.
+
+variable "tls_secret_name" {
+  type      = string
+  sensitive = true
+}
+
+resource "kubernetes_namespace" "anisette" {
+  metadata {
+    name = "anisette"
+    labels = {
+      "istio-injection" : "disabled"
+      tier = local.tiers.aux
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
+    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
+  }
+}
+
+module "tls_secret" {
+  source          = "../../modules/kubernetes/setup_tls_secret"
+  namespace       = kubernetes_namespace.anisette.metadata[0].name
+  tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_deployment" "anisette" {
+  metadata {
+    name      = "anisette"
+    namespace = kubernetes_namespace.anisette.metadata[0].name
+    labels = {
+      app  = "anisette"
+      tier = local.tiers.aux
+    }
+  }
+  # anisette downloads + initializes Apple's CoreADI provisioning library on
+  # first start (slow, memory-spiky). wait_for_rollout=false so the apply never
+  # blocks on — and never strands out of terraform state — a pod that is still
+  # warming up (mirrors tts/llama-cpp). Pod health is still gated by the
+  # readiness probe below, so the Service only routes once it's actually up.
+  wait_for_rollout = false
+  spec {
+    replicas = 1
+    selector {
+      match_labels = {
+        app = "anisette"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "anisette"
+        }
+        annotations = {
+          # Diun notify-only watch. Upstream tags only :latest, so watch the
+          # digest of :latest rather than a semver pattern.
+          "diun.enable"       = "true"
+          "diun.watch_repo"   = "false"
+          "diun.include_tags" = "^latest$"
+        }
+      }
+      spec {
+        container {
+          # Pinned by digest — upstream ships only a mutable :latest (no tags).
+          # The `docker.io/` prefix is REQUIRED, not cosmetic: the Kyverno
+          # require-trusted-registries policy allowlists `docker.io/*` but NOT a
+          # bare `dadoum/*` prefix (only enumerated DockerHub user repos like
+          # mendhak/*, mpepping/* are listed in
+          # stacks/kyverno/modules/kyverno/security-policies.tf). A bare
+          # `dadoum/anisette-v3-server@...` is denied at admission; the explicit
+          # docker.io/ registry matches the allowlist and still pulls via the
+          # 10.0.20.10 pull-through cache.
+          image = "docker.io/dadoum/anisette-v3-server@sha256:1e20384985d3c49965f444bef39d627768dacc39ea0dca91f2a535edb7591ba3"
+          name  = "anisette"
+          port {
+            name           = "http"
+            container_port = 6969
+          }
+          # The image runs as the non-root user "Alcoholic" and writes its
+          # provisioning-library cache here; back it with an emptyDir so the
+          # path is writable (stateless — wiped on restart, re-downloaded).
+          volume_mount {
+            name       = "provisioning-cache"
+            mount_path = "/home/Alcoholic/.config/anisette-v3/lib"
+          }
+          resources {
+            requests = {
+              cpu    = "10m"
+              memory = "256Mi"
+            }
+            limits = {
+              # anisette downloads + initializes Apple's CoreADI provisioning
+              # library at startup, which spikes past 128Mi → OOMKilled (exit
+              # 137) before it can bind :6969. 512Mi gives headroom; steady
+              # state is much lower.
+              memory = "512Mi"
+            }
+          }
+          readiness_probe {
+            http_get {
+              path = "/"
+              port = 6969
+            }
+            period_seconds        = 15
+            initial_delay_seconds = 5
+          }
+          liveness_probe {
+            http_get {
+              path = "/"
+              port = 6969
+            }
+            period_seconds    = 30
+            failure_threshold = 6
+          }
+        }
+        volume {
+          name = "provisioning-cache"
+          empty_dir {}
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+    ]
+  }
+}
+
+resource "kubernetes_service" "anisette" {
+  metadata {
+    name      = "anisette"
+    namespace = kubernetes_namespace.anisette.metadata[0].name
+    labels = {
+      "app" = "anisette"
+    }
+  }
+  spec {
+    selector = {
+      app = "anisette"
+    }
+    port {
+      name        = "http"
+      port        = "80"
+      target_port = "6969"
+    }
+  }
+}
+
+module "ingress" {
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": SideStore is a native iOS client — it can't replay the
+  # Authentik forward-auth cookie dance, so Authentik would break it (same
+  # reasoning as android-emulator's adb). Internal-only: anisette.viktorbarzin.lan,
+  # allow_local_access_only locks it to the LAN, and it brokers no user data of
+  # ours (it just relays Apple-ID anisette data). Never publicly exposed.
+  auth                    = "none"
+  namespace               = kubernetes_namespace.anisette.metadata[0].name
+  name                    = "anisette"
+  root_domain             = "viktorbarzin.lan"
+  tls_secret_name         = var.tls_secret_name
+  allow_local_access_only = true
+  ssl_redirect            = false
+  extra_annotations = {
+    "gethomepage.dev/enabled" = "false"
+  }
+}
diff --git a/stacks/anisette/secrets b/stacks/anisette/secrets
new file mode 120000
index 00000000..ca54a7cf
--- /dev/null
+++ b/stacks/anisette/secrets
@@ -0,0 +1 @@
+../../secrets
\ No newline at end of file
diff --git a/stacks/travel_blog/terragrunt.hcl b/stacks/anisette/terragrunt.hcl
similarity index 100%
rename from stacks/travel_blog/terragrunt.hcl
rename to stacks/anisette/terragrunt.hcl
diff --git a/stacks/authentik/admin-services-restriction.tf b/stacks/authentik/admin-services-restriction.tf
index 2dcc1ca2..806dd417 100644
--- a/stacks/authentik/admin-services-restriction.tf
+++ b/stacks/authentik/admin-services-restriction.tf
@@ -49,6 +49,17 @@ resource "authentik_policy_expression" "admin_services_restriction" {
 
     host = request.context.get("host", "")
 
+    # chrome-service noVNC (chrome.viktorbarzin.me) exposes Viktor's LIVE
+    # logged-in browser sessions, so lock it to Viktor's own accounts ONLY.
+    # "Home Server Admins" is NOT sufficient — emo (emil.barzin@gmail.com) is a
+    # member. akadmin kept as break-glass. The homelab-browser CDP path is
+    # already RBAC-gated (emo = oidc-power-user-readonly, no pods/portforward),
+    # so this closes the only remaining, human, noVNC path. Match username OR
+    # email so neither attribute alone can lock Viktor out.
+    CHROME_ALLOWED = {"akadmin", "akadmin@viktorbarzin.me", "vbarzin@gmail.com"}
+    if host == "chrome.viktorbarzin.me":
+        return request.user.username in CHROME_ALLOWED or request.user.email in CHROME_ALLOWED
+
     # t3 Workstation edge gate: only members of "T3 Users" may reach t3.
     # Placed BEFORE the ADMIN_ONLY_HOSTS early-return (t3 is intentionally not in
     # that set — it must not require Home-Server-Admins, just T3 Users membership).
diff --git a/stacks/authentik/authentik_provider.tf b/stacks/authentik/authentik_provider.tf
index 9a20a4ee..12b934a8 100644
--- a/stacks/authentik/authentik_provider.tf
+++ b/stacks/authentik/authentik_provider.tf
@@ -91,14 +91,21 @@ resource "authentik_outpost" "embedded" {
   protocol_providers = [authentik_provider_proxy.catchall.id]
   service_connection = "99e227a7-4562-4888-9660-4c27da678c50"
   config = jsonencode({
-    log_level                        = "trace"
-    docker_labels                    = null
-    authentik_host                   = "https://authentik.viktorbarzin.me/"
-    docker_network                   = null
-    container_image                  = null
-    docker_map_ports                 = true
-    refresh_interval                 = "minutes=5"
-    kubernetes_replicas              = 1
+    # info, not trace: the outpost sits on the hot path of every request to
+    # every auth="required" ingress — trace logging is per-request overhead
+    # with no operational value (request access lines are emitted at info).
+    log_level        = "info"
+    docker_labels    = null
+    authentik_host   = "https://authentik.viktorbarzin.me/"
+    docker_network   = null
+    container_image  = null
+    docker_map_ports = true
+    refresh_interval = "minutes=5"
+    # 2 replicas: removes the single-pod hot path for all forward-auth
+    # subrequests. Safe since sessions moved to the shared Postgres backend
+    # (authentik_providers_proxy_proxysession, 2026-05-10) — no pod-local
+    # session state anymore.
+    kubernetes_replicas              = 2
     kubernetes_namespace             = "authentik"
     authentik_host_browser           = ""
     object_naming_template           = "ak-outpost-%(name)s"
@@ -198,3 +205,76 @@ resource "authentik_stage_user_login" "default_login" {
     ]
   }
 }
+
+# -----------------------------------------------------------------------------
+# Source (social-login) User Login stage — bound to default-source-authentication-flow.
+# Adopted into Terraform 2026-06-20: its session_duration was the provider default
+# "seconds=0", which falls back to AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE (hours=2).
+# So Google/GitHub/Facebook logins expired every 2h while password and passkey
+# logins (default-authentication-login) lasted weeks=4. After the 2026-06-18 passkey
+# wipe forced fallback to Google login, this 2h cap became the "re-login multiple
+# times daily" symptom. Pinning weeks=4 makes every login path consistent.
+# See docs/architecture/authentication.md.
+# -----------------------------------------------------------------------------
+import {
+  to = authentik_stage_user_login.default_source_login
+  id = "4c6977d2-eaae-4033-b1db-21b48c6b47f0"
+}
+
+resource "authentik_stage_user_login" "default_source_login" {
+  name             = "default-source-authentication-login"
+  session_duration = "weeks=4"
+  lifecycle {
+    # Pin only session_duration; everything else stays UI-managed (same pattern
+    # as authentik_stage_user_login.default_login above).
+    ignore_changes = [
+      remember_me_offset,
+      terminate_other_sessions,
+      geoip_binding,
+      network_binding,
+    ]
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Default Identification stage — adopted 2026-06-10 to embed the password
+# field on the identification screen (single-screen login: one round trip and
+# one screen instead of two). Per authentik docs, when an Identification stage
+# carries a password stage the Password stage must NOT be bound separately —
+# the redundant order-20 binding on default-authentication-flow (pk
+# 0fc677db-a23f-4ee7-8648-da342e14573b) was deleted via the API in the same
+# change. Social-login users are unaffected: source buttons stay on the same
+# screen and bypass the password field.
+# -----------------------------------------------------------------------------
+
+data "authentik_stage" "default_authentication_password" {
+  name = "default-authentication-password"
+}
+
+resource "authentik_stage_identification" "default_identification" {
+  name           = "default-authentication-identification"
+  password_stage = data.authentik_stage.default_authentication_password.id
+  lifecycle {
+    # Pin only password_stage; everything else stays UI-managed (same pattern
+    # as authentik_stage_user_login.default_login above).
+    # NOTE: do NOT add webauthn_stage / enable_remember_me here — the pinned
+    # authentik TF provider's authentik_stage_identification resource exposes no
+    # such attributes (verified 2026-06-20: `tg plan` => "Unsupported attribute").
+    # They exist on Authentik's IdentificationStage *model* but not in the
+    # provider schema, so Terraform never manages or nulls them; they are purely
+    # UI/app-managed and need no ignore_changes entry. Commit 4e882989 removed
+    # them for exactly this reason — re-adding them breaks every apply.
+    ignore_changes = [
+      user_fields,
+      case_insensitive_matching,
+      show_matched_user,
+      show_source_labels,
+      sources,
+      enrollment_flow,
+      recovery_flow,
+      passwordless_flow,
+      pretend_user_exists,
+      captcha_stage,
+    ]
+  }
+}
diff --git a/stacks/authentik/email-secret.tf b/stacks/authentik/email-secret.tf
new file mode 100644
index 00000000..b3a7f201
--- /dev/null
+++ b/stacks/authentik/email-secret.tf
@@ -0,0 +1,40 @@
+# SMTP password for Authentik's signup-verification + recovery email (tripit
+# ADR-0020). Synced from Vault secret/authentik.smtp_password into the authentik
+# namespace as the `authentik-email` Secret, referenced by
+# AUTHENTIK_EMAIL__PASSWORD in values.yaml (server.env + worker.env). The sender
+# account is noreply@viktorbarzin.me (a mailserver SASL account); host/port/from
+# are non-secret and live in values.yaml. The reloader annotation rolls the
+# authentik pods if the password ever changes.
+resource "kubernetes_manifest" "authentik_email_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "authentik-email"
+      namespace = "authentik"
+    }
+    spec = {
+      refreshInterval = "1h"
+      secretStoreRef = {
+        name = "vault-kv"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "authentik-email"
+        template = {
+          metadata = {
+            annotations = {
+              "reloader.stakater.com/match" = "true"
+            }
+          }
+        }
+      }
+      data = [
+        {
+          secretKey = "AUTHENTIK_EMAIL__PASSWORD"
+          remoteRef = { key = "authentik", property = "smtp_password" }
+        },
+      ]
+    }
+  }
+}
diff --git a/stacks/authentik/guest.tf b/stacks/authentik/guest.tf
index 63724ab4..66fb406c 100644
--- a/stacks/authentik/guest.tf
+++ b/stacks/authentik/guest.tf
@@ -211,7 +211,6 @@ module "ingress_public_outpost" {
   tls_secret_name  = var.tls_secret_name
   dns_type         = "proxied"
   anti_ai_scraping = false
-  exclude_crowdsec = true
   homepage_enabled = false
   depends_on       = [authentik_outpost.public]
 }
diff --git a/stacks/authentik/modules/authentik/main.tf b/stacks/authentik/modules/authentik/main.tf
index 92b1f132..3ae6d7c6 100644
--- a/stacks/authentik/modules/authentik/main.tf
+++ b/stacks/authentik/modules/authentik/main.tf
@@ -29,7 +29,7 @@ resource "kubernetes_namespace" "authentik" {
     labels = {
       tier                               = var.tier
       "resource-governance/custom-quota" = "true"
-      "keel.sh/enrolled" = "true"
+      "keel.sh/enrolled"                 = "true"
     }
   }
   lifecycle {
@@ -109,5 +109,45 @@ module "ingress-outpost" {
   ingress_path     = ["/outpost.goauthentik.io"]
   tls_secret_name  = var.tls_secret_name
   anti_ai_scraping = false
-  exclude_crowdsec = true
+}
+
+# Immutable caching for the flow-executor static assets. Authentik serves
+# /static/dist/* with version-fingerprinted filenames (e.g. poly-2026.2.4.js)
+# but no max-age, so browsers re-validate the login JS bundle on every signin
+# — and split-horizon internal users (direct to Traefik, no Cloudflare) get no
+# edge cache at all. Long-lived immutable caching is safe: every authentik
+# upgrade changes the asset URLs.
+resource "kubernetes_manifest" "static_cache_headers" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "static-cache-headers"
+      namespace = kubernetes_namespace.authentik.metadata[0].name
+    }
+    spec = {
+      headers = {
+        customResponseHeaders = {
+          "Cache-Control" = "public, max-age=31536000, immutable"
+        }
+      }
+    }
+  }
+}
+
+module "ingress-static" {
+  source = "../../../../modules/kubernetes/ingress_factory"
+  # Same-host path carve-out of the public authentik UI ingress above, only
+  # adding the cache-headers middleware for the static asset prefix.
+  # auth = "none": versioned static assets of the (already public) Authentik login UI.
+  auth              = "none"
+  namespace         = kubernetes_namespace.authentik.metadata[0].name
+  name              = "authentik-static"
+  host              = "authentik"
+  service_name      = "goauthentik-server"
+  ingress_path      = ["/static"]
+  tls_secret_name   = var.tls_secret_name
+  anti_ai_scraping  = false
+  homepage_enabled  = false
+  extra_middlewares = ["authentik-static-cache-headers@kubernetescrd"]
 }
diff --git a/stacks/authentik/modules/authentik/pgbouncer.ini b/stacks/authentik/modules/authentik/pgbouncer.ini
index 8148ab53..74fbbf10 100644
--- a/stacks/authentik/modules/authentik/pgbouncer.ini
+++ b/stacks/authentik/modules/authentik/pgbouncer.ini
@@ -12,3 +12,7 @@ default_pool_size = 20
 reserve_pool_size = 5
 reserve_pool_timeout = 5
 ignore_startup_parameters = extra_float_digits
+; Reap server connections stuck "idle in transaction" (e.g. an authentik pod
+; killed mid-migration leaves a ghost transaction holding the migration
+; advisory lock, serializing every subsequent pod boot — 2026-06-10 incident).
+idle_transaction_timeout = 300
diff --git a/stacks/authentik/modules/authentik/pgbouncer.tf b/stacks/authentik/modules/authentik/pgbouncer.tf
index 3029852f..ca018335 100644
--- a/stacks/authentik/modules/authentik/pgbouncer.tf
+++ b/stacks/authentik/modules/authentik/pgbouncer.tf
@@ -48,6 +48,11 @@ resource "kubernetes_deployment" "pgbouncer" {
         labels = {
           app = "pgbouncer"
         }
+        annotations = {
+          # pgbouncer reads its ini only at startup (subPath mount never
+          # propagates updates anyway) — roll the pods on config change.
+          "checksum/pgbouncer-config" = sha1(kubernetes_config_map.pgbouncer_config.data["pgbouncer.ini"])
+        }
       }
 
       spec {
@@ -157,7 +162,8 @@ resource "kubernetes_deployment" "pgbouncer" {
       metadata[0].annotations["keel.sh/trigger"],
       metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
       metadata[0].annotations["keel.sh/match-tag"],
-      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates
+      spec[0].template[0].spec[0].container[0].image,             # KEEL_IGNORE_IMAGE — Keel manages tag updates
+      spec[0].template[0].spec[0].container[0].image_pull_policy, # Keel flip-flops this between Always/IfNotPresent
       metadata[0].annotations["kubernetes.io/change-cause"],
       metadata[0].annotations["deployment.kubernetes.io/revision"],
       spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
diff --git a/stacks/authentik/modules/authentik/values.yaml b/stacks/authentik/modules/authentik/values.yaml
index e621d76e..bfe755cd 100644
--- a/stacks/authentik/modules/authentik/values.yaml
+++ b/stacks/authentik/modules/authentik/values.yaml
@@ -1,4 +1,10 @@
 authentik:
+  # NOTE: because we set existingSecret below, the chart does NOT render the
+  # authentik.* values into an AUTHENTIK_* env Secret — the live env comes
+  # from the orphaned, helm-keep-policy `goauthentik` Secret created by chart
+  # 2025.10.3. Anything under authentik.* here is effectively INERT. All new
+  # or tuned config MUST go through server.env / worker.env instead (see
+  # .claude/reference/authentik-state.md).
   log_level: warning
   # log_level: trace
   secret_key: ""
@@ -14,38 +20,73 @@ authentik:
     port: 6432
     user: authentik
     password: ""
-    # Persistent client-side connections (safe with PgBouncer session mode;
-    # must be < pgbouncer server_idle_timeout=600s). Cuts Django connection
-    # setup overhead off the ~70 sequential ORM ops per flow stage.
-    conn_max_age: 60
-    conn_health_checks: true
-  cache:
-    # Cache flow plans for 30m and policy evaluations for 15m. Authentik 2026.2
-    # moved cache storage from Redis to Postgres, so a TTL hit is still a
-    # SELECT — but a single indexed lookup beats re-evaluating PolicyBindings.
-    timeout_flows: 1800
-    timeout_policies: 900
-  web:
-    # Gunicorn: 3 workers × 4 threads per server pod (default 2×4).
-    # Pairs with the server memory bump to 2Gi (each worker preloads Django ~500Mi).
-    workers: 3
-    threads: 4
-  worker:
-    # Celery-equivalent worker threads per pod (default 2, renamed from
-    # AUTHENTIK_WORKER__CONCURRENCY in 2025.8).
-    threads: 4
 
 server:
   replicas: 3
-  # Anonymous Django sessions (no completed login: bots, healthcheckers,
-  # partial flows) expire in 2h. Default is days=1. Once login completes,
-  # UserLoginStage.session_duration takes over via request.session.set_expiry.
-  # Injected via server.env (not authentik.sessions.*) because we use
-  # authentik.existingSecret.secretName, which makes the chart skip
-  # rendering the AUTHENTIK_* secret — so the values block doesn't reach env.
   env:
+    # Anonymous Django sessions (no completed login: bots, healthcheckers,
+    # partial flows) expire in 2h. Default is days=1. Once login completes,
+    # UserLoginStage.session_duration takes over via request.session.set_expiry.
+    # Injected via server.env (not authentik.sessions.*) because we use
+    # authentik.existingSecret.secretName, which makes the chart skip
+    # rendering the AUTHENTIK_* secret — so the values block doesn't reach env.
     - name: AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE
       value: "hours=2"
+    # Gunicorn: 3 workers × 4 threads per server pod (defaults 2×4).
+    # Pairs with the server memory limit of 2Gi (each worker preloads
+    # Django ~500Mi).
+    - name: AUTHENTIK_WEB__WORKERS
+      value: "3"
+    - name: AUTHENTIK_WEB__THREADS
+      value: "4"
+    # Cache flow plans for 30m and policy evaluations for 15m (defaults 300s).
+    # Authentik 2026.2 stores cache in Postgres, so a TTL hit is still a
+    # SELECT — but a single indexed lookup beats re-planning the flow
+    # (~70 sequential ORM ops per flow stage POST).
+    - name: AUTHENTIK_CACHE__TIMEOUT_FLOWS
+      value: "1800"
+    - name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
+      value: "900"
+    # SMTP for signup verification + recovery email (tripit ADR-0020): send as
+    # noreply@viktorbarzin.me (SASL, 587/STARTTLS); password from the
+    # authentik-email ExternalSecret (Vault secret/authentik.smtp_password). Set
+    # on server AND worker — the worker runs the email tasks, the server
+    # validates the Email stage config.
+    # HOST is the PUBLIC name mail.viktorbarzin.me, NOT the in-cluster svc
+    # (mailserver.mailserver.svc): the mailserver serves the *.viktorbarzin.me
+    # wildcard cert, which does not cover the svc DNS name, and Authentik
+    # verifies the STARTTLS hostname strictly (unlike most of our apps' SMTP
+    # clients) — the svc name fails CERTIFICATE_VERIFY_FAILED. mail.viktorbarzin.me
+    # resolves in-cluster (10.0.20.1) and matches the cert.
+    - name: AUTHENTIK_EMAIL__HOST
+      value: "mail.viktorbarzin.me"
+    - name: AUTHENTIK_EMAIL__PORT
+      value: "587"
+    - name: AUTHENTIK_EMAIL__USE_TLS
+      value: "true"
+    - name: AUTHENTIK_EMAIL__USERNAME
+      value: "noreply@viktorbarzin.me"
+    - name: AUTHENTIK_EMAIL__FROM
+      value: "TripIt <noreply@viktorbarzin.me>"
+    - name: AUTHENTIK_EMAIL__PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: authentik-email
+          key: AUTHENTIK_EMAIL__PASSWORD
+    # Do NOT set AUTHENTIK_POSTGRESQL__CONN_MAX_AGE here. With PgBouncer in
+    # session mode every persistent Django connection pins a server connection
+    # 1:1, so the 3x(20+5) pool saturated during the 2026-06-10 rolling
+    # restart (58s pool waits, readiness flapping, and the shared CNPG primary
+    # failed over mid-storm). The ~1-2ms/request connection-setup saving is
+    # not worth that risk on the shared PG substrate.
+  # Liveness budget sized for slow boots (2026-06-10 incident): during a
+  # rolling restart pods queue on authentik's DB migration lock; the go layer
+  # answers /-/health/live before the core is up, so with the default 3x10s
+  # budget kubelet kill-looped every booting pod and amplified the contention.
+  # Startup probe still bounds total boot time (60x10s).
+  livenessProbe:
+    failureThreshold: 6
+    timeoutSeconds: 5
   strategy:
     type: RollingUpdate
     rollingUpdate:
@@ -76,17 +117,55 @@ server:
     minAvailable: 2
 global:
   addPrometheusAnnotations: true
+  image:
+    # Pin to the Keel-managed live tag. Keel (diun-annotated, keel.sh/enrolled
+    # namespace) bumps the IMAGE between chart releases, while helm defaults
+    # the tag to the chart appVersion — so any helm upgrade silently
+    # DOWNGRADES the running pods to the chart pin (2026-06-10: a values-only
+    # apply rolled live 2026.2.4 back to 2026.2.2 against a 2026.2.4-migrated
+    # DB → boot storm, see docs/post-mortems/2026-06-10-authentik-downgrade-
+    # boot-storm.md). Keep this tag in sync with what Keel has deployed when
+    # touching this chart; clear it only when bumping the chart version itself.
+    tag: "2026.2.4"
 
 worker:
   # 2 replicas: workers handle background tasks (LDAP sync, email,
   # certificate renewal) — no user-facing traffic, so 2-of-3 isn't
   # needed for availability. Drop saves ~100m sustained CPU.
   replicas: 2
-  # Same unauthenticated_age cap as server — both the server (Django session
-  # middleware) and worker (cleanup tasks) need to see the value.
   env:
+    # Same unauthenticated_age cap as server — both the server (Django session
+    # middleware) and worker (cleanup tasks) need to see the value.
     - name: AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE
       value: "hours=2"
+    # Dramatiq worker threads per pod (default 2).
+    - name: AUTHENTIK_WORKER__THREADS
+      value: "4"
+    # Keep cache settings in lockstep with server.env. (No CONN_MAX_AGE —
+    # see the server.env note: session-mode PgBouncer pins persistent conns.)
+    - name: AUTHENTIK_CACHE__TIMEOUT_FLOWS
+      value: "1800"
+    - name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
+      value: "900"
+    # SMTP (same as server.env, incl. the mail.viktorbarzin.me-not-svc-name cert
+    # reason) — the worker runs Authentik's email tasks, so it needs the
+    # transport too (tripit ADR-0020). noreply@viktorbarzin.me; password from the
+    # authentik-email ExternalSecret.
+    - name: AUTHENTIK_EMAIL__HOST
+      value: "mail.viktorbarzin.me"
+    - name: AUTHENTIK_EMAIL__PORT
+      value: "587"
+    - name: AUTHENTIK_EMAIL__USE_TLS
+      value: "true"
+    - name: AUTHENTIK_EMAIL__USERNAME
+      value: "noreply@viktorbarzin.me"
+    - name: AUTHENTIK_EMAIL__FROM
+      value: "TripIt <noreply@viktorbarzin.me>"
+    - name: AUTHENTIK_EMAIL__PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: authentik-email
+          key: AUTHENTIK_EMAIL__PASSWORD
   strategy:
     type: RollingUpdate
     rollingUpdate:
diff --git a/stacks/authentik/vault-authz-binding.tf b/stacks/authentik/vault-authz-binding.tf
new file mode 100644
index 00000000..619eba2c
--- /dev/null
+++ b/stacks/authentik/vault-authz-binding.tf
@@ -0,0 +1,27 @@
+# Vault OIDC authorization fence (ADR-0020). The "Vault" Authentik application had
+# NO authorization binding (audit 2026-06-15: any authenticated identity could
+# complete Vault OIDC login and receive Vault's built-in `default`-policy token —
+# token self-management/cubbyhole, no secret access, but still more than an
+# outside user should hold). Bind it to "Allow Login Users" so only established
+# homelab users can log in: they inherit that base group via its children
+# (Home Server Admins / Headscale Users / Wrongmove Users — verified live that
+# `User.all_groups()` includes the parent), while publicly self-enrolled
+# "TripIt External" users (deliberately PARENTLESS, so NOT in Allow Login Users)
+# are denied at the Vault consent step. Closes the one OIDC app the forward-auth
+# fence cannot reach; the other sensitive OIDC apps already bind a trusted group.
+#
+# The Vault application itself stays UI-managed (like the other OIDC apps); this
+# adds ONLY the authorization binding. policy_engine_mode on the app is "any", so
+# one group binding == membership in that group is required to authorize.
+#
+# UUIDs are PINNED as literals: this provider version has NO
+# `data "authentik_application"` data source (CI pipeline 198 failed on it), and
+# both objects are UI-managed and stable. To re-fetch if either is recreated, run
+# `ak shell` in the goauthentik-server pod and read
+# `Application.objects.get(name="Vault").pbm_uuid` and
+# `Group.objects.get(name="Allow Login Users").group_uuid`.
+resource "authentik_policy_binding" "vault_allow_login_users" {
+  target = "fe5698e3-b6b1-4475-98fa-ce2bae22f4dd" # Authentik application "Vault" (pbm_uuid)
+  group  = "b4823cd7-8ed8-4d2f-8f94-bc285138f853" # group "Allow Login Users" (group_uuid)
+  order  = 0
+}
diff --git a/stacks/beads-server/main.tf b/stacks/beads-server/main.tf
index 0a24b058..5b71373e 100644
--- a/stacks/beads-server/main.tf
+++ b/stacks/beads-server/main.tf
@@ -8,13 +8,14 @@ variable "beadboard_image_tag" {
   default = "17a38e43"
 }
 
-# Mirrors `local.image_tag` in stacks/claude-agent-service/main.tf — keep in
-# sync when the claude-agent-service image is rebuilt. Reused here because the
-# dispatcher + reaper CronJobs only need bd, curl, and jq, which that image
-# already ships.
+# Tracks claude-agent-service `:latest` (stacks/claude-agent-service/main.tf uses
+# image_tag "latest" + KEEL_IGNORE_IMAGE). Reused here because the dispatcher +
+# reaper CronJobs only need bd, curl, and jq, which that image already ships.
+# Was pinned to SHA "2fd7670d", which Forgejo retention pruned → ImagePullBackOff
+# (fixed 2026-06-12); ":latest" stays in sync automatically and can't go stale.
 variable "claude_agent_service_image_tag" {
   type    = string
-  default = "2fd7670d"
+  default = "latest"
 }
 
 # Kill switch for auto-dispatch. When false, both CronJobs are suspended. The
@@ -28,7 +29,7 @@ resource "kubernetes_namespace" "beads" {
   metadata {
     name = "beads-server"
     labels = {
-      tier = local.tiers.aux
+      tier               = local.tiers.aux
       "keel.sh/enrolled" = "true"
     }
   }
@@ -71,7 +72,7 @@ resource "kubernetes_config_map" "dolt_init" {
     namespace = kubernetes_namespace.beads.metadata[0].name
   }
   data = {
-    "01-create-beads-user.sql" = <<-EOT
+    "01-create-beads-user.sql"     = <<-EOT
       CREATE USER IF NOT EXISTS 'beads'@'%' IDENTIFIED BY '';
       GRANT ALL PRIVILEGES ON *.* TO 'beads'@'%' WITH GRANT OPTION;
     EOT
@@ -132,7 +133,7 @@ resource "kubernetes_deployment" "dolt" {
       }
       spec {
         container {
-          name  = "dolt"
+          name = "dolt"
           # Pinned to 2.0.3 — :latest currently resolves to 0.50.10 on dolthub
           # (different versioning stream) whose docker-entrypoint.sh references
           # an undefined docker_process_sql function and crash-loops on every
@@ -210,7 +211,7 @@ resource "kubernetes_deployment" "dolt" {
   }
   lifecycle {
     ignore_changes = [
-      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      spec[0].template[0].spec[0].dns_config,         # KYVERNO_LIFECYCLE_V1
       spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
       # Keel annotations are codified in metadata.annotations above (policy=never
       # opts this deployment out of auto-updates — see the comment there).
@@ -335,7 +336,7 @@ resource "kubernetes_deployment" "workbench" {
       }
       spec {
         init_container {
-          name  = "seed-config"
+          name = "seed-config"
           # Pinned 2026-05-26: Keel rolled :latest → :0.1.0 on 2026-05-17,
           # which speaks an old GraphQL schema (missing `type` arg on
           # addDatabaseConnection) → seed-config fails, UI can't add the
@@ -368,7 +369,7 @@ resource "kubernetes_deployment" "workbench" {
         }
 
         container {
-          name  = "workbench"
+          name = "workbench"
           # Pinned 2026-05-26: Keel rolled :latest → :0.1.0 on 2026-05-17,
           # which speaks an old GraphQL schema (missing `type` arg on
           # addDatabaseConnection) → seed-config fails, UI can't add the
@@ -483,7 +484,7 @@ resource "kubernetes_deployment" "workbench" {
       metadata[0].annotations["kubernetes.io/change-cause"],
       metadata[0].annotations["deployment.kubernetes.io/revision"],
       spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
-      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
+      spec[0].template[0].spec[0].container[0].image,                     # KEEL_IGNORE_IMAGE
     ]
   }
 }
@@ -520,14 +521,13 @@ module "tls_secret" {
 }
 
 module "ingress" {
-  source           = "../../modules/kubernetes/ingress_factory"
-  dns_type         = "proxied"
-  namespace        = kubernetes_namespace.beads.metadata[0].name
-  name             = "dolt-workbench"
-  tls_secret_name  = var.tls_secret_name
+  source          = "../../modules/kubernetes/ingress_factory"
+  dns_type        = "proxied"
+  namespace       = kubernetes_namespace.beads.metadata[0].name
+  name            = "dolt-workbench"
+  tls_secret_name = var.tls_secret_name
   # auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
-  auth             = "none"
-  exclude_crowdsec = true
+  auth = "none"
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "Dolt Workbench"
@@ -602,7 +602,7 @@ resource "kubernetes_config_map" "beadboard_config" {
 # dispatch agent jobs via the in-cluster HTTP API.
 resource "kubernetes_manifest" "beadboard_agent_service_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "beadboard-agent-service"
@@ -678,7 +678,7 @@ resource "kubernetes_deployment" "beadboard" {
         container {
           name = "beadboard"
           # Phase 3 cutover 2026-05-07 — Forgejo registry consolidation.
-          image = "forgejo.viktorbarzin.me/viktor/beadboard:${var.beadboard_image_tag}"
+          image = "ghcr.io/viktorbarzin/beadboard:${var.beadboard_image_tag}"
 
           port {
             name           = "http"
@@ -765,7 +765,7 @@ resource "kubernetes_deployment" "beadboard" {
       metadata[0].annotations["kubernetes.io/change-cause"],
       metadata[0].annotations["deployment.kubernetes.io/revision"],
       spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
-      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
+      spec[0].template[0].spec[0].container[0].image,                     # KEEL_IGNORE_IMAGE
     ]
   }
 }
@@ -791,13 +791,12 @@ resource "kubernetes_service" "beadboard" {
 }
 
 module "beadboard_ingress" {
-  source           = "../../modules/kubernetes/ingress_factory"
-  dns_type         = "proxied"
-  namespace        = kubernetes_namespace.beads.metadata[0].name
-  name             = "beadboard"
-  tls_secret_name  = var.tls_secret_name
-  auth             = "required"
-  exclude_crowdsec = true
+  source          = "../../modules/kubernetes/ingress_factory"
+  dns_type        = "proxied"
+  namespace       = kubernetes_namespace.beads.metadata[0].name
+  name            = "beadboard"
+  tls_secret_name = var.tls_secret_name
+  auth            = "required"
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "BeadBoard"
@@ -846,7 +845,7 @@ resource "kubernetes_config_map" "beads_metadata" {
 
 locals {
   # Phase 3 cutover 2026-05-07 — Forgejo registry consolidation.
-  claude_agent_service_image = "forgejo.viktorbarzin.me/viktor/claude-agent-service:${var.claude_agent_service_image_tag}"
+  claude_agent_service_image = "ghcr.io/viktorbarzin/claude-agent-service:${var.claude_agent_service_image_tag}"
   beadboard_internal_url     = "http://${kubernetes_service.beadboard.metadata[0].name}.${kubernetes_namespace.beads.metadata[0].name}.svc.cluster.local"
 
   beads_script_prelude = <<-EOT
diff --git a/stacks/broker-sync/main.tf b/stacks/broker-sync/main.tf
index 5b04a1cc..2de168a1 100644
--- a/stacks/broker-sync/main.tf
+++ b/stacks/broker-sync/main.tf
@@ -29,7 +29,7 @@ resource "kubernetes_namespace" "broker_sync" {
 #   imap_host, imap_user, imap_password, imap_directory — for InvestEngine + Schwab email ingest
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "broker-sync-secrets"
diff --git a/stacks/calico/main.tf b/stacks/calico/main.tf
index 19484b08..39550024 100644
--- a/stacks/calico/main.tf
+++ b/stacks/calico/main.tf
@@ -131,3 +131,84 @@ resource "kubectl_manifest" "wave1_egress_observe_tier34" {
 # CI retrigger v5 2026-05-16T23:10:38Z
 
 # CI retrigger v6 2026-05-16T23:18:58Z
+
+# ---------------------------------------------------------------------------
+# tigera-operator under Terraform via the official Helm chart (chart vX.Y.Z ==
+# Calico vX.Y.Z). Manages ONLY the operator: installation.enabled=false keeps
+# the live Installation CR operator-managed, so Helm NEVER touches the data
+# plane (calico-node). Adopted in place at the running 3.26.1 (existing operator
+# Deployment/SA/ClusterRole/ClusterRoleBinding pre-stamped with Helm ownership
+# metadata 2026-06-19 — a transient migration step), then upgraded by bumping
+# `version` one step at a time: 3.26 -> 3.28 -> 3.30 (restores a SUPPORTED k8s
+# 1.34 pairing) -> 3.32 (supports k8s 1.36). The ~22 Calico CRDs live in the
+# chart's crds/ dir, which `helm upgrade` never modifies (pre-3.32). resources
+# preserves the operator's existing 256Mi limit. Apply MANUALLY + supervised
+# (watch calico-node roll, maxUnavailable:1); gate each hop on tigerastatus +
+# calico-node 7/7 + cross-pod connectivity. See docs/runbooks/k8s-version-upgrade.md.
+resource "helm_release" "tigera_operator" {
+  name             = "calico"
+  namespace        = kubernetes_namespace.tigera_operator.metadata[0].name
+  create_namespace = false
+  repository       = "https://docs.tigera.io/calico/charts"
+  chart            = "tigera-operator"
+  version          = "v3.30.7"
+
+  values = [yamlencode({
+    installation = { enabled = false }
+    apiServer    = { enabled = false }
+    # Goldmane (flow aggregator) + Whisker (observability UI), new in Calico
+    # 3.30, are kept disabled IN HELM on purpose: on a helm UPGRADE their CRs
+    # render before their crds/ (which helm skips on upgrade) -> "ensure CRDs
+    # are installed first". We instead enable them via the operator CRs applied
+    # directly below (kubectl_manifest) now that the CRDs exist — see ADR-0014.
+    goldmane  = { enabled = false }
+    whisker   = { enabled = false }
+    # 512Mi (was 256Mi): the operator idles at ~38Mi but its STARTUP spike
+    # (re-listing resources to build informer caches) exceeded 256Mi and
+    # OOM-crashlooped on 2026-06-23 the first time the pod restarted (a latent
+    # landmine — any restart would have triggered it). 512Mi covers the spike;
+    # data plane (calico-node) is unaffected by an operator restart.
+    resources = { limits = { memory = "512Mi" } }
+  })]
+}
+
+# ---------------------------------------------------------------------------
+# Goldmane + Whisker (Calico 3.30 OSS flow observability) — ADR-0014.
+#
+# Enabled via the operator CRs directly (NOT the Helm goldmane/whisker flags,
+# which stay false above): the goldmanes/whiskers.operator.tigera.io CRDs are
+# already installed (operator adopted them 2026-06-19), so we sidestep the
+# helm-upgrade "CRs render before crds/" ordering issue by applying the CRs
+# ourselves — the running operator reconciles them. Same kubectl_manifest
+# pattern as the wave1 GNP above (no plan-time CRD requirement).
+#
+# Creating the Goldmane CR makes the operator re-render calico-node with the
+# FELIX_FLOWLOGSGOLDMANESERVER env (operator auto-wires Felix — do NOT patch
+# FelixConfiguration) => a supervised calico-node DaemonSet roll. Goldmane:
+# Deployment + Service goldmane:7443 (gRPC/mTLS) in calico-system. Whisker:
+# Deployment + Service whisker:8081 in calico-system; its backend dials
+# goldmane, so Goldmane must exist first (depends_on). notifications=Disabled
+# so the UI does not call the external Tigera notifications endpoint.
+#
+# NOTE: durable Loki persistence is NOT these CRs. The Goldmane emitter is
+# Calico Cloud/Enterprise-gated (no OSS knob to aim it at Loki), so the trail
+# is a separate consumer of goldmane's gRPC Flows API (ADR-0014 / issue #58).
+# Whisker alone is a ~60-min in-memory live view. Reversible: delete to disable.
+resource "kubectl_manifest" "goldmane" {
+  depends_on = [helm_release.tigera_operator]
+  yaml_body = yamlencode({
+    apiVersion = "operator.tigera.io/v1"
+    kind       = "Goldmane"
+    metadata   = { name = "default" }
+  })
+}
+
+resource "kubectl_manifest" "whisker" {
+  depends_on = [kubectl_manifest.goldmane]
+  yaml_body = yamlencode({
+    apiVersion = "operator.tigera.io/v1"
+    kind       = "Whisker"
+    metadata   = { name = "default" }
+    spec       = { notifications = "Disabled" }
+  })
+}
diff --git a/stacks/changedetection/.terraform.lock.hcl b/stacks/changedetection/.terraform.lock.hcl
index 05f8a359..5982c332 100644
--- a/stacks/changedetection/.terraform.lock.hcl
+++ b/stacks/changedetection/.terraform.lock.hcl
@@ -70,41 +70,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/changedetection/main.tf b/stacks/changedetection/main.tf
index 7974e884..ee203e7b 100644
--- a/stacks/changedetection/main.tf
+++ b/stacks/changedetection/main.tf
@@ -20,7 +20,7 @@ resource "kubernetes_namespace" "changedetection" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "changedetection-secrets"
diff --git a/stacks/chrome-service/files/chrome/Dockerfile b/stacks/chrome-service/files/chrome/Dockerfile
new file mode 100644
index 00000000..383912fd
--- /dev/null
+++ b/stacks/chrome-service/files/chrome/Dockerfile
@@ -0,0 +1,27 @@
+# chrome-service browser image (ADR-0002, infra-owned, built off-infra on GHA).
+#
+# The Playwright base provides Xvfb + every browser runtime dep + fonts. On top
+# we install REAL Google Chrome for its licensed proprietary codecs (H.264/AAC):
+# the bundled open-source Chromium ships with those codecs COMPILED OUT, so
+# H.264/AAC video (Instagram Reels, X, most .mp4) fails in the noVNC view with
+# MEDIA_ERR_SRC_NOT_SUPPORTED. Swapping libffmpeg.so does NOT help (Playwright's
+# Chromium has the codecs compiled out, not just the lib stripped), and Chrome
+# for Testing is also codec-less — only google-chrome-stable carries them.
+#
+# main.tf launches /opt/google/chrome/chrome instead of the bundled
+# /ms-playwright/chromium-*/chrome. connect_over_cdp callers (tripit fare scrape,
+# homelab browser, snapshot-harvester) attach to whatever Chrome runs here.
+FROM mcr.microsoft.com/playwright:v1.48.0-noble
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends wget gnupg ca-certificates \
+ && wget -qO- https://dl.google.com/linux/linux_signing_key.pub \
+      | gpg --dearmor -o /usr/share/keyrings/google-chrome.gpg \
+ && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main" \
+      > /etc/apt/sources.list.d/google-chrome.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends google-chrome-stable \
+ && rm -rf /var/lib/apt/lists/*
+
+# Fail the build if Chrome isn't runnable / the path moved.
+RUN /opt/google/chrome/chrome --version
diff --git a/stacks/chrome-service/files/novnc/entrypoint.sh b/stacks/chrome-service/files/novnc/entrypoint.sh
index 1ec6657f..fae5c641 100644
--- a/stacks/chrome-service/files/novnc/entrypoint.sh
+++ b/stacks/chrome-service/files/novnc/entrypoint.sh
@@ -3,6 +3,13 @@
 # and serve the noVNC HTML5 client + websockify bridge on :6080.
 set -e
 
+# Containerd grants pods an effectively unbounded RLIMIT_NOFILE (2^31). x11vnc
+# sweeps the WHOLE fd table with fcntl on every client connection, so each VNC
+# connect hangs for ~forever and the noVNC client sits on "Connecting" until it
+# times out. Cap it before launching x11vnc. (Same fix as the android-emulator
+# stack; see docs/architecture/chrome-service.md "noVNC fd-sweep".)
+ulimit -n 65536
+
 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
   if echo > /dev/tcp/127.0.0.1/6099 2>/dev/null; then
     echo "Xvfb TCP up after attempt $i"
diff --git a/stacks/chrome-service/main.tf b/stacks/chrome-service/main.tf
index 7a063bb6..2f679c00 100644
--- a/stacks/chrome-service/main.tf
+++ b/stacks/chrome-service/main.tf
@@ -42,7 +42,7 @@ resource "kubernetes_namespace" "chrome_service" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "chrome-service-secrets"
@@ -178,8 +178,12 @@ resource "kubernetes_deployment" "chrome_service" {
         }
 
         container {
-          name              = "chrome-service"
-          image             = local.image
+          name = "chrome-service"
+          # Real Google Chrome (Playwright base + google-chrome-stable) for
+          # proprietary H.264/AAC codecs — see files/chrome/Dockerfile. The
+          # snapshot sidecars still use local.python_image (playwright minor
+          # pin) and connect_over_cdp; verified compatible with this Chrome.
+          image             = "ghcr.io/viktorbarzin/chrome-service-browser:latest"
           image_pull_policy = "IfNotPresent"
 
           # Direct chromium launch (NOT `playwright launch-server`). Reason:
@@ -203,16 +207,16 @@ resource "kubernetes_deployment" "chrome_service" {
           args = [
             <<-EOT
             set -e
-            # Locate chromium in the Microsoft image. The path is
-            # /ms-playwright/chromium-XXXX/chrome-linux/chrome where XXXX
-            # is the playwright-pinned build; resolve at runtime so a minor
-            # bump of the image doesn't break the launch line.
-            CHROMIUM=$(find /ms-playwright -maxdepth 4 -name 'chrome' -type f -executable -path '*/chrome-linux/*' 2>/dev/null | head -1)
-            if [ -z "$CHROMIUM" ]; then
-              echo "ERROR: chromium binary not found under /ms-playwright" >&2
+            # Real Google Chrome (proprietary H.264/AAC codecs) baked into the
+            # chrome-service-browser image at a fixed path — so H.264 video
+            # (Reels) plays in the noVNC view. The bundled Chromium under
+            # /ms-playwright lacks those codecs (MEDIA_ERR_SRC_NOT_SUPPORTED).
+            CHROMIUM=/opt/google/chrome/chrome
+            if [ ! -x "$CHROMIUM" ]; then
+              echo "ERROR: google-chrome not found at $CHROMIUM (wrong image?)" >&2
               exit 1
             fi
-            echo "[chrome-service] using chromium: $CHROMIUM"
+            echo "[chrome-service] using browser: $($CHROMIUM --version 2>/dev/null || echo "$CHROMIUM")"
 
             # -listen tcp enables localhost:6099 so the noVNC sidecar can
             # attach over the pod's shared network ns (Ubuntu 24.04
@@ -252,6 +256,8 @@ resource "kubernetes_deployment" "chrome_service" {
               --disable-dev-shm-usage \
               --password-store=basic \
               --use-mock-keychain \
+              --window-position=0,0 \
+              --window-size=1280,720 \
               about:blank
             EOT
           ]
@@ -324,8 +330,16 @@ resource "kubernetes_deployment" "chrome_service" {
         container {
           name = "novnc"
           # Phase 3 cutover 2026-05-07 — Forgejo registry consolidation.
-          image             = "forgejo.viktorbarzin.me/viktor/chrome-service-novnc:v4"
+          image             = "ghcr.io/viktorbarzin/chrome-service-novnc:latest"
           image_pull_policy = "IfNotPresent"
+          # Cap RLIMIT_NOFILE before the entrypoint runs. Containerd grants pods
+          # nofile=2^31; x11vnc sweeps the whole fd table on each client connect,
+          # so every VNC connection hangs on "Connecting" until it times out
+          # (fd-sweep bug, same as android-emulator). entrypoint.sh now also sets
+          # this, but the image is :latest/IfNotPresent so a rebuilt entrypoint
+          # isn't guaranteed to be pulled — this wrapper applies the cap
+          # deterministically on every rollout off the cached image.
+          command = ["bash", "-c", "ulimit -n 65536; exec /entrypoint.sh"]
           port {
             name           = "http"
             container_port = 6080
@@ -439,8 +453,16 @@ resource "kubernetes_deployment" "chrome_service" {
       metadata[0].annotations["keel.sh/trigger"],
       metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
       metadata[0].annotations["keel.sh/match-tag"],
-      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates
-      spec[0].template[0].spec[0].container[1].image,
+      # container[0]=chrome-service (MS Playwright, pinned via local.image) and
+      # container[1]=novnc (ghcr:latest, ADR-0002 #29) are BOTH TF-managed now.
+      # container[0].image was previously KEEL_IGNORE'd here; that let a stray
+      # clobber to the novnc image stick (chromium-not-found crashloop 2026-06-16)
+      # because TF could not revert the ignored field. Removed so TF re-asserts the
+      # pinned image. Keel is inert (keel.sh/policy=never) and no deploy step touches these.
+      # NOTE: the LIVE pod's container order had drifted to [novnc, chrome-service,
+      # snapshot] vs this file's [chrome-service, novnc, snapshot]; a TF apply reorders
+      # them to match here (harmless), so `containers[0]` differs between live and TF
+      # until the next apply lands — don't be alarmed reading it back mid-reconcile.
       spec[0].template[0].spec[0].init_container[0].image,
       metadata[0].annotations["kubernetes.io/change-cause"],
       metadata[0].annotations["deployment.kubernetes.io/revision"],
diff --git a/stacks/ci-pipeline-health/files/sweep.sh b/stacks/ci-pipeline-health/files/sweep.sh
new file mode 100644
index 00000000..beba2315
--- /dev/null
+++ b/stacks/ci-pipeline-health/files/sweep.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+# ci-pipeline-health — daily sweep of the off-infra CI chain (ADR-0002, PRD infra#10).
+# Deterministic (no LLM): GitHub Actions runs + Woodpecker pipelines + GHA minutes.
+# Healthy => one quiet Slack line. Issues => Slack alert + comment on infra#10.
+# POSIX sh + curl + jq only (runs on the Alpine claude-agent-service image).
+# Exit 0 = sweep ran (even with findings); exit 2 = the sweep itself errored,
+# which surfaces through the existing CronJob-failure alerting.
+
+GH_API="https://api.github.com"
+WP_API="https://ci.viktorbarzin.me/api"
+WP_UI="https://ci.viktorbarzin.me"
+
+NOW_EPOCH=$(date -u +%s)
+SINCE_EPOCH=$((NOW_EPOCH - 86400))
+SINCE_ISO=$(date -u -d "@${SINCE_EPOCH}" +%Y-%m-%dT%H:%M:%SZ)
+PUSH_CUTOFF=$(date -u -d "@$((NOW_EPOCH - 259200))" +%Y-%m-%dT%H:%M:%SZ)
+
+ISSUES=$(mktemp)
+NOTES=$(mktemp)
+trap 'rm -f "$ISSUES" "$NOTES"' EXIT
+gha_checked=0
+wp_checked=0
+sweep_errors=0
+
+gh_get() { curl -sf --max-time 30 -H "Authorization: Bearer ${GITHUB_PAT}" -H "Accept: application/vnd.github+json" "$1"; }
+wp_get() { curl -sf --max-time 30 -H "Authorization: Bearer ${WOODPECKER_API_TOKEN}" "$1"; }
+
+# --- 1) GitHub Actions runs across owned repos with a recent push ---
+repos=$(gh_get "${GH_API}/user/repos?affiliation=owner&sort=pushed&per_page=60" \
+  | jq -r --arg cutoff "$PUSH_CUTOFF" '.[] | select(.pushed_at >= $cutoff) | .full_name')
+if [ $? -ne 0 ]; then
+  echo "sweep: failed to list GitHub repos" >>"$ISSUES"; sweep_errors=1; repos=""
+fi
+for repo in $repos; do
+  runs=$(gh_get "${GH_API}/repos/${repo}/actions/runs?created=%3E%3D${SINCE_ISO}&per_page=50")
+  if [ $? -ne 0 ]; then echo "sweep: failed to list runs for ${repo}" >>"$ISSUES"; sweep_errors=1; continue; fi
+  n=$(printf '%s' "$runs" | jq '.workflow_runs | length')
+  gha_checked=$((gha_checked + n))
+  printf '%s' "$runs" | jq -r '.workflow_runs[]
+      | select(.conclusion == "failure" or .conclusion == "timed_out" or .conclusion == "cancelled" or .conclusion == "action_required")
+      | "GHA: \(.repository.full_name) #\(.run_number) [\(.name)] \(.conclusion) \(.html_url)"' >>"$ISSUES"
+  printf '%s' "$runs" | jq -r --argjson now "$NOW_EPOCH" '.workflow_runs[]
+      | select(.status == "in_progress" or .status == "queued")
+      | select(($now - ((.run_started_at // .created_at) | fromdateiso8601)) > 7200)
+      | "GHA stuck >2h: \(.repository.full_name) #\(.run_number) [\(.name)] \(.status) \(.html_url)"' >>"$ISSUES"
+done
+
+# --- 2) Woodpecker pipelines (deploy chain) ---
+wrepos=$(wp_get "${WP_API}/repos?perPage=100" | jq -r '.[] | select(.active == true) | "\(.id) \(.full_name)"')
+if [ $? -ne 0 ]; then
+  echo "sweep: failed to list Woodpecker repos" >>"$ISSUES"; sweep_errors=1; wrepos=""
+fi
+printf '%s\n' "$wrepos" | while IFS=' ' read -r id name; do
+  [ -z "$id" ] && continue
+  pls=$(wp_get "${WP_API}/repos/${id}/pipelines?perPage=10")
+  if [ $? -ne 0 ]; then echo "sweep: failed pipelines for ${name}" >>"$ISSUES"; continue; fi
+  printf '%s' "$pls" | jq -r --argjson since "$SINCE_EPOCH" --arg name "$name" --arg ui "$WP_UI" --arg id "$id" '
+      [.[] | select(.created >= $since)][]
+      | select(.status == "failure" or .status == "error" or .status == "killed")
+      | "Woodpecker: \($name) #\(.number) \(.status) (\(.event)) \($ui)/repos/\($id)/pipeline/\(.number)"' >>"$ISSUES"
+  printf '%s' "$pls" | jq --argjson since "$SINCE_EPOCH" '[.[] | select(.created >= $since)] | length' >>"$NOTES.wpcount" 2>/dev/null || true
+done
+wp_checked=$(awk '{s+=$1} END {print s+0}' "$NOTES.wpcount" 2>/dev/null || echo 0)
+rm -f "$NOTES.wpcount"
+
+# --- 3) GHA minutes vs free tier (enhanced billing API; old endpoint is 410-gone) ---
+YM_Y=$(date -u +%Y); YM_M=$(date -u +%-m)
+billing=$(gh_get "${GH_API}/users/ViktorBarzin/settings/billing/usage?year=${YM_Y}&month=${YM_M}")
+if [ $? -eq 0 ]; then
+  used=$(printf '%s' "$billing" | jq '[.usageItems[] | select(.product=="actions" and .unitType=="Minutes") | .quantity] | add // 0 | floor')
+  included=2000
+  pct=$((used * 100 / included))
+  echo "GHA minutes (month): ${used}/${included} (${pct}%)" >>"$NOTES"
+  [ "$pct" -ge 75 ] && echo "GHA minutes at ${pct}% of the free tier (${used}/${included}) — check for runaway workflows or consider Pro" >>"$ISSUES"
+else
+  echo "minutes check unavailable" >>"$NOTES"
+fi
+
+# v1 scope (deliberate, not silent): Forgejo→GitHub mirror-gap detection (a
+# Forgejo push that produced no GHA run) is NOT implemented yet — it needs the
+# per-repo mirror inventory that lands with the offinfra-onboard rollout (#13+).
+
+# --- Report ---
+issue_count=$(grep -c . "$ISSUES" || true)
+summary="ci-pipeline-health: checked ${gha_checked} GHA runs + ${wp_checked} Woodpecker pipelines (24h). $(tr '\n' '; ' <"$NOTES")"
+
+if [ "$issue_count" -eq 0 ]; then
+  text=":white_check_mark: ${summary}"
+else
+  text=":rotating_light: ci-pipeline-health: ${issue_count} issue(s)
+$(sed 's/^/• /' "$ISSUES")
+${summary}"
+  body="Daily CI sweep found ${issue_count} issue(s):
+
+$(sed 's/^/- /' "$ISSUES")
+
+_${summary}_"
+  printf '%s' "$body" | jq -Rs '{body: .}' \
+    | curl -sf --max-time 30 -X POST -H "Authorization: Bearer ${GITHUB_PAT}" \
+        -H "Accept: application/vnd.github+json" \
+        -d @- "${GH_API}/repos/ViktorBarzin/infra/issues/10/comments" >/dev/null \
+    || { echo "sweep: failed to comment on infra#10"; sweep_errors=1; }
+fi
+
+printf '%s' "$text" | jq -Rs '{text: .}' \
+  | curl -sf --max-time 30 -X POST -H 'Content-Type: application/json' -d @- "$SLACK_WEBHOOK" >/dev/null \
+  || { echo "sweep: failed to post to Slack"; sweep_errors=1; }
+
+echo "$text"
+[ "$sweep_errors" -ne 0 ] && exit 2
+exit 0
diff --git a/stacks/ci-pipeline-health/main.tf b/stacks/ci-pipeline-health/main.tf
new file mode 100644
index 00000000..17378f84
--- /dev/null
+++ b/stacks/ci-pipeline-health/main.tf
@@ -0,0 +1,165 @@
+# ci-pipeline-health — daily sweep of the off-infra CI chain (ADR-0002).
+#
+# Viktor's standing instruction (2026-06-12): monitor the pipelines closely
+# during/after the off-infra builds migration (PRD infra#10). Deterministic
+# shell sweep (files/sweep.sh) on the claude-agent-service image: GitHub
+# Actions failures/stuck runs across owned repos, Woodpecker pipeline
+# failures, GHA free-tier minutes burn. Healthy => one quiet Slack line;
+# issues => Slack alert + a comment on infra#10.
+#
+# Runs IN-CLUSTER (not a claude.ai cloud routine) because Vault and the
+# Woodpecker token are LAN-only — cloud agents can't reach them.
+#
+# First apply rode the DIFF_BASE fix (pipeline-128 merge-commit detection bug).
+
+variable "schedule" {
+  type = string
+  # 07:30 UTC = 08:30 London in summer (07:30 in winter — acceptable drift,
+  # CronJob schedules are UTC-only).
+  default = "30 7 * * *"
+}
+
+# :latest + Always per the owned-app CronJob convention. NOTE: the registry
+# no longer holds the sha tag the other claude-agent-service CronJobs pin
+# (2fd7670d) — they survive on node image caches only. When issue infra#19
+# migrates claude-agent-service to ghcr, repoint this image too.
+variable "image_tag" {
+  type    = string
+  default = "latest"
+}
+
+locals {
+  namespace = "ci-pipeline-health"
+  image     = "ghcr.io/viktorbarzin/claude-agent-service:${var.image_tag}"
+  labels = {
+    app = "ci-pipeline-health"
+  }
+}
+
+resource "kubernetes_namespace" "ci_pipeline_health" {
+  metadata {
+    name = local.namespace
+    labels = {
+      tier = local.tiers.aux
+    }
+  }
+}
+
+# github_pat (NOT the ghcr_pull_token alias): the sweep reads Actions runs +
+# billing on PRIVATE mirrors, which a future scoped read:packages rotation of
+# the alias could not do. Blast radius = this single-CronJob namespace.
+resource "kubernetes_manifest" "external_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "ci-pipeline-health-creds"
+      namespace = kubernetes_namespace.ci_pipeline_health.metadata[0].name
+    }
+    spec = {
+      refreshInterval = "15m"
+      secretStoreRef = {
+        name = "vault-kv"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "ci-pipeline-health-creds"
+      }
+      data = [
+        {
+          secretKey = "GITHUB_PAT"
+          remoteRef = { key = "viktor", property = "github_pat" }
+        },
+        {
+          secretKey = "WOODPECKER_API_TOKEN"
+          remoteRef = { key = "ci/global", property = "woodpecker_api_token" }
+        },
+        {
+          secretKey = "SLACK_WEBHOOK"
+          remoteRef = { key = "ci/global", property = "slack_webhook" }
+        },
+      ]
+    }
+  }
+}
+
+resource "kubernetes_config_map" "sweep_script" {
+  metadata {
+    name      = "ci-pipeline-health-sweep"
+    namespace = kubernetes_namespace.ci_pipeline_health.metadata[0].name
+  }
+  data = {
+    "sweep.sh" = file("${path.module}/files/sweep.sh")
+  }
+}
+
+resource "kubernetes_cron_job_v1" "sweep" {
+  metadata {
+    name      = "ci-pipeline-health"
+    namespace = kubernetes_namespace.ci_pipeline_health.metadata[0].name
+    labels    = local.labels
+  }
+  spec {
+    schedule                      = var.schedule
+    concurrency_policy            = "Forbid"
+    successful_jobs_history_limit = 3
+    failed_jobs_history_limit     = 3
+    job_template {
+      metadata {
+        labels = local.labels
+      }
+      spec {
+        backoff_limit              = 1
+        active_deadline_seconds    = 600
+        ttl_seconds_after_finished = 86400
+        template {
+          metadata {
+            labels = local.labels
+          }
+          spec {
+            restart_policy = "Never"
+            image_pull_secrets {
+              name = "registry-credentials"
+            }
+            container {
+              name              = "sweep"
+              image             = local.image
+              image_pull_policy = "Always"
+              command           = ["/bin/sh", "/scripts/sweep.sh"]
+              env_from {
+                secret_ref {
+                  name = "ci-pipeline-health-creds"
+                }
+              }
+              volume_mount {
+                name       = "sweep-script"
+                mount_path = "/scripts"
+                read_only  = true
+              }
+              resources {
+                requests = {
+                  cpu    = "50m"
+                  memory = "64Mi"
+                }
+                limits = {
+                  memory = "128Mi"
+                }
+              }
+            }
+            volume {
+              name = "sweep-script"
+              config_map {
+                name = kubernetes_config_map.sweep_script.metadata[0].name
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config]
+  }
+  depends_on = [kubernetes_manifest.external_secret]
+}
diff --git a/stacks/ci-pipeline-health/terragrunt.hcl b/stacks/ci-pipeline-health/terragrunt.hcl
new file mode 100644
index 00000000..0510b748
--- /dev/null
+++ b/stacks/ci-pipeline-health/terragrunt.hcl
@@ -0,0 +1,9 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+# ExternalSecret hits ESO which needs to be alive when the manifest applies.
+dependency "external_secrets" {
+  config_path  = "../external-secrets"
+  skip_outputs = true
+}
diff --git a/stacks/claude-agent-service/main.tf b/stacks/claude-agent-service/main.tf
index 5b840346..9f8b6478 100644
--- a/stacks/claude-agent-service/main.tf
+++ b/stacks/claude-agent-service/main.tf
@@ -11,7 +11,7 @@ data "vault_kv_secret_v2" "viktor_secrets" {
 locals {
   namespace = "claude-agent"
   # Phase 3 cutover 2026-05-07 — see infra/docs/plans/2026-05-07-forgejo-registry-consolidation-plan.md.
-  image     = "forgejo.viktorbarzin.me/viktor/claude-agent-service"
+  image     = "ghcr.io/viktorbarzin/claude-agent-service"
   image_tag = "latest"
   labels = {
     app = "claude-agent-service"
@@ -39,7 +39,7 @@ resource "kubernetes_namespace" "claude_agent" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "claude-agent-secrets"
diff --git a/stacks/claude-breakglass/files/breakglass-pve b/stacks/claude-breakglass/files/breakglass-pve
new file mode 100644
index 00000000..8629a856
--- /dev/null
+++ b/stacks/claude-breakglass/files/breakglass-pve
@@ -0,0 +1,115 @@
+#!/bin/bash
+# breakglass-pve — forced-command wrapper for the in-cluster claude-breakglass
+# service. Installed in the Proxmox host's /root/.ssh/authorized_keys behind a
+#   command="/usr/local/bin/breakglass-pve",restrict,from="<cluster CIDRs>"
+# entry, so the breakglass SSH key can ONLY run the verbs below against VM 102
+# (the devvm) — never a free shell on the hypervisor.
+#
+# The requested verb arrives in $SSH_ORIGINAL_COMMAND. Anything that is not a
+# single bare verb from the allowlist is rejected and logged. Every MUTATING
+# verb captures forensics first, unconditionally, so an erroneous reset never
+# destroys the evidence of why the devvm was wedged.
+#
+# Deployed via scp (see docs/runbooks/breakglass-ui.md); not Terraform-managed
+# (PVE host config is out-of-band, like fan-control / pve-nfs-exports).
+set -euo pipefail
+
+VMID=102
+LOG=/var/log/breakglass-pve.log
+
+ts()  { date -u +%Y-%m-%dT%H:%M:%SZ; }
+log() { echo "$(ts) [breakglass-pve] $*" >>"$LOG" 2>/dev/null || true; }
+
+verb="${SSH_ORIGINAL_COMMAND:-}"
+src="${SSH_CLIENT%% *}"
+
+# Only a single bare verb is accepted — no arguments, no shell metacharacters,
+# no second VMID. This is the whole security boundary of the forced command.
+case "$verb" in
+  status|forensics|reset|stop|start|cycle) : ;;
+  *)
+    log "REJECTED verb='$verb' from=$src"
+    echo "breakglass-pve: rejected '$verb'. allowed: status|forensics|reset|stop|start|cycle (VM $VMID only)" >&2
+    exit 2
+    ;;
+esac
+
+forensics() {
+  echo "=== breakglass forensics $(ts) — VM $VMID on $(hostname) ==="
+  echo "--- qm status ---";            qm status "$VMID" 2>&1 || true
+  echo "--- qm config ---";            qm config "$VMID" 2>&1 || true
+  echo "--- qm pending (staged) ---";  qm pending "$VMID" 2>&1 || true
+  echo "--- guest agent ping ---";     timeout 5 qm agent "$VMID" ping 2>&1 || echo "(no guest-agent response)"
+  echo "--- qmp query-status ---";     echo "info status" | timeout 5 qm monitor "$VMID" 2>&1 || true
+  echo "--- qmp block jobs ---";       echo "info block-jobs" | timeout 5 qm monitor "$VMID" 2>&1 || true
+  echo "--- host uptime/load ---";     uptime 2>&1 || true
+  echo "--- host memory ---";          free -h 2>&1 || true
+  echo "--- host io (1s) ---";         ( command -v iostat >/dev/null && iostat -dx 1 2 2>/dev/null | tail -n +4 ) || echo "(iostat unavailable)"
+  echo "=== end forensics ==="
+}
+
+# Wait until VM reaches 'stopped', up to ~timeout seconds. Returns 0 if stopped.
+wait_stopped() {
+  local timeout="$1" i
+  for ((i=0; i<timeout; i+=2)); do
+    qm status "$VMID" 2>/dev/null | grep -q 'status: stopped' && return 0
+    sleep 2
+  done
+  return 1
+}
+
+log "verb=$verb from=$src"
+
+case "$verb" in
+  status)
+    qm status "$VMID"
+    ;;
+
+  forensics)
+    forensics
+    ;;
+
+  stop|reset|start|cycle)
+    # Forensics-first: emit to the caller AND persist on the host.
+    F="$(forensics)"
+    printf '%s\n' "$F"
+    printf '%s\n' "$F" | sed "s/^/$(ts) [forensics] /" >>"$LOG" 2>/dev/null || true
+
+    case "$verb" in
+      start)
+        qm start "$VMID"
+        ;;
+      reset)
+        # Warm reset — reuses the QEMU process. Does NOT apply staged config.
+        qm reset "$VMID"
+        ;;
+      stop)
+        qm stop "$VMID"
+        ;;
+      cycle)
+        # Cold stop->start: spawns a FRESH QEMU process, so staged config
+        # (qm pending) is applied — the fix class for the 2026-06-11 I/O stall.
+        # If a wedged QEMU ignores a clean stop, escalate to killing the
+        # process (matches the 2026-06-11 manual recovery), then start.
+        echo "$(ts) cycle: requesting clean stop of VM $VMID"
+        qm stop "$VMID" >/dev/null 2>&1 || true
+        if wait_stopped 40; then
+          echo "$(ts) cycle: clean stop OK"
+        else
+          log "cycle: clean stop FAILED — killing wedged QEMU for $VMID"
+          echo "$(ts) cycle: clean stop failed, killing wedged QEMU"
+          pid="$(cat "/var/run/qemu-server/$VMID.pid" 2>/dev/null || true)"
+          if [[ -n "$pid" ]]; then
+            kill -9 "$pid" 2>/dev/null || true
+          else
+            pkill -9 -f -- "-id $VMID" 2>/dev/null || true
+          fi
+          sleep 3
+          qm unlock "$VMID" 2>/dev/null || true
+        fi
+        qm start "$VMID"
+        ;;
+    esac
+    log "verb=$verb COMPLETE"
+    ;;
+esac
diff --git a/stacks/claude-breakglass/main.tf b/stacks/claude-breakglass/main.tf
new file mode 100644
index 00000000..6b996b9e
--- /dev/null
+++ b/stacks/claude-breakglass/main.tf
@@ -0,0 +1,361 @@
+# claude-breakglass — in-cluster emergency-recovery UI for the devvm.
+#
+# A SEPARATE deployment from claude-agent-service (own namespace, own
+# ServiceAccount, NO Vault K8s-auth role) that runs ONLY the breakglass agent.
+# It shares the claude-agent-service image but overrides the command with the
+# breakglass entrypoint. The untrusted-input agents (recruiter-triage,
+# nextcloud-todos) never share this process or these credentials.
+# See claude-agent-service/docs/adr/0001-breakglass-security-architecture.md.
+#
+# Scope is the WARM case: devvm wedged while the cluster is healthy. The cold,
+# cluster-down path is the break-glass SSH on PVE :52222 (docs/runbooks/breakglass-ssh.md)
+# + the server-lifecycle iDRAC CLI — out of scope here.
+
+variable "tls_secret_name" {
+  type      = string
+  sensitive = true
+}
+
+locals {
+  namespace = "claude-breakglass"
+  # Same image as claude-agent-service — the breakglass code lives in that repo
+  # under app/breakglass/, and the deployment below overrides the command.
+  image     = "ghcr.io/viktorbarzin/claude-agent-service"
+  image_tag = "latest"
+  labels = {
+    app = "claude-breakglass"
+  }
+}
+
+# --- Namespace ---
+
+resource "kubernetes_namespace" "breakglass" {
+  metadata {
+    name = local.namespace
+    labels = {
+      tier = local.tiers.aux
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: goldilocks/vpa-mode label stamping (harmless if absent)
+    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
+  }
+}
+
+resource "kubernetes_service_account" "breakglass" {
+  metadata {
+    name      = "claude-breakglass"
+    namespace = kubernetes_namespace.breakglass.metadata[0].name
+  }
+}
+
+# --- Secrets (synced by ESO; the pod itself has NO Vault access) ---
+
+# SSH private key (devvm sudo + PVE forced-command). Mounted as a file the
+# entrypoint loads into ssh-agent. Dedicated path secret/claude-breakglass/* —
+# the claude-agent namespace's terraform-state Vault policy is explicitly
+# DENIED this path (see stacks/vault/main.tf) so the shared, prompt-injectable
+# pod can never read it.
+resource "kubernetes_manifest" "external_secret_ssh" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "breakglass-ssh"
+      namespace = local.namespace
+    }
+    spec = {
+      refreshInterval = "1h"
+      secretStoreRef  = { name = "vault-kv", kind = "ClusterSecretStore" }
+      target          = { name = "breakglass-ssh" }
+      data = [
+        {
+          secretKey = "private_key"
+          remoteRef = { key = "claude-breakglass/ssh_key", property = "private_key" }
+        },
+      ]
+    }
+  }
+  depends_on = [kubernetes_namespace.breakglass]
+}
+
+# Env secrets: the Anthropic OAuth token (shared with claude-agent-service —
+# same account) and the app bearer token (in-cluster/CLI fallback caller auth).
+resource "kubernetes_manifest" "external_secret_env" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "breakglass-env"
+      namespace = local.namespace
+    }
+    spec = {
+      refreshInterval = "1h"
+      secretStoreRef  = { name = "vault-kv", kind = "ClusterSecretStore" }
+      target          = { name = "breakglass-env" }
+      data = [
+        {
+          secretKey = "CLAUDE_CODE_OAUTH_TOKEN"
+          remoteRef = { key = "claude-agent-service", property = "claude_oauth_token" }
+        },
+        {
+          secretKey = "API_BEARER_TOKEN"
+          remoteRef = { key = "claude-breakglass", property = "api_bearer_token" }
+        },
+      ]
+    }
+  }
+  depends_on = [kubernetes_namespace.breakglass]
+}
+
+# --- Deployment ---
+
+resource "kubernetes_deployment" "breakglass" {
+  metadata {
+    name      = "claude-breakglass"
+    namespace = kubernetes_namespace.breakglass.metadata[0].name
+    labels    = local.labels
+  }
+
+  spec {
+    replicas = 1
+    strategy { type = "Recreate" }
+    selector { match_labels = local.labels }
+
+    template {
+      metadata { labels = local.labels }
+
+      spec {
+        service_account_name = kubernetes_service_account.breakglass.metadata[0].name
+
+        image_pull_secrets {
+          name = "registry-credentials"
+        }
+
+        # Survive the very pressure event the breakglass exists to fix: high
+        # priority (resist eviction), tolerate node pressure, and prefer NOT to
+        # land on the contended GPU node1. Pull policy is Always: nodes already
+        # cache the OLD claude-agent-service:latest (no breakglass entrypoint),
+        # so IfNotPresent would run stale code. A registry-down-on-restart is
+        # the cluster-down (cold) case, which this UI doesn't cover anyway.
+        priority_class_name = "tier-0-core"
+
+        toleration {
+          key      = "node.kubernetes.io/memory-pressure"
+          operator = "Exists"
+          effect   = "NoSchedule"
+        }
+        toleration {
+          key      = "node.kubernetes.io/disk-pressure"
+          operator = "Exists"
+          effect   = "NoSchedule"
+        }
+        toleration {
+          key                = "node.kubernetes.io/not-ready"
+          operator           = "Exists"
+          effect             = "NoExecute"
+          toleration_seconds = 300
+        }
+        toleration {
+          key                = "node.kubernetes.io/unreachable"
+          operator           = "Exists"
+          effect             = "NoExecute"
+          toleration_seconds = 300
+        }
+
+        affinity {
+          node_affinity {
+            preferred_during_scheduling_ignored_during_execution {
+              weight = 100
+              preference {
+                match_expressions {
+                  key      = "kubernetes.io/hostname"
+                  operator = "NotIn"
+                  values   = ["k8s-node1"]
+                }
+              }
+            }
+          }
+        }
+
+        security_context {
+          run_as_user  = 1000
+          run_as_group = 1000
+          fs_group     = 1000
+        }
+
+        # Seed the breakglass agent into the fresh ~/.claude emptyDir and make
+        # the session dir writable by uid 1000.
+        init_container {
+          name  = "seed-agent"
+          image = "${local.image}:${local.image_tag}"
+          command = ["sh", "-c", <<-EOT
+            set -e
+            mkdir -p /home/agent/.claude/agents /workspace/sessions
+            cp /usr/share/agent-seed/breakglass.md /home/agent/.claude/agents/breakglass.md
+            chown -R 1000:1000 /home/agent/.claude /workspace
+          EOT
+          ]
+          image_pull_policy = "Always"
+          security_context {
+            run_as_user = 0
+          }
+          volume_mount {
+            name       = "claude-home"
+            mount_path = "/home/agent/.claude"
+          }
+          volume_mount {
+            name       = "sessions"
+            mount_path = "/workspace"
+          }
+          resources {
+            requests = { memory = "32Mi" }
+            limits   = { memory = "64Mi" }
+          }
+        }
+
+        container {
+          name              = "claude-breakglass"
+          image             = "${local.image}:${local.image_tag}"
+          image_pull_policy = "Always"
+
+          # Override the image's default CMD (the claude-agent-service uvicorn)
+          # with the breakglass entrypoint: ssh-agent bootstrap + ssh aliases,
+          # then uvicorn app.breakglass.server:app.
+          command = ["/srv/docker-entrypoint-breakglass.sh"]
+
+          port { container_port = 8080 }
+
+          # OAuth token (claude -p) + app bearer token.
+          env_from {
+            secret_ref { name = "breakglass-env" }
+          }
+
+          env {
+            name  = "BREAKGLASS_KEY_PATH"
+            value = "/secrets/breakglass/private_key"
+          }
+          env {
+            name  = "BREAKGLASS_SESSIONS_DIR"
+            value = "/workspace/sessions"
+          }
+          env {
+            name  = "HOME"
+            value = "/home/agent"
+          }
+
+          liveness_probe {
+            http_get {
+              path = "/health"
+              port = 8080
+            }
+            initial_delay_seconds = 10
+            period_seconds        = 30
+          }
+          readiness_probe {
+            http_get {
+              path = "/health"
+              port = 8080
+            }
+            initial_delay_seconds = 5
+            period_seconds        = 10
+          }
+
+          volume_mount {
+            name       = "claude-home"
+            mount_path = "/home/agent/.claude"
+          }
+          volume_mount {
+            name       = "sessions"
+            mount_path = "/workspace"
+          }
+          volume_mount {
+            name       = "breakglass-ssh"
+            mount_path = "/secrets/breakglass"
+            read_only  = true
+          }
+
+          resources {
+            requests = {
+              cpu    = "200m"
+              memory = "512Mi"
+            }
+            limits = {
+              memory = "4Gi"
+            }
+          }
+        }
+
+        volume {
+          name = "claude-home"
+          empty_dir {}
+        }
+        volume {
+          name = "sessions"
+          empty_dir {}
+        }
+        volume {
+          name = "breakglass-ssh"
+          secret {
+            secret_name = "breakglass-ssh"
+            # 0440 + fsGroup 1000 ⇒ readable by uid 1000; the entrypoint copies
+            # to a 0600 tmpfs file before ssh-add (which rejects group-readable).
+            default_mode = "0440"
+          }
+        }
+      }
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+  }
+
+  depends_on = [
+    kubernetes_manifest.external_secret_ssh,
+    kubernetes_manifest.external_secret_env,
+  ]
+}
+
+# --- Service ---
+
+resource "kubernetes_service" "breakglass" {
+  metadata {
+    name      = "claude-breakglass"
+    namespace = kubernetes_namespace.breakglass.metadata[0].name
+    labels    = local.labels
+  }
+  spec {
+    selector = local.labels
+    port {
+      port        = 8080
+      target_port = 8080
+    }
+    type = "ClusterIP"
+  }
+}
+
+# --- Ingress: breakglass.viktorbarzin.me ---
+# auth = "required": Authentik forward-auth via the resilience proxy, which
+# FALLS BACK to HTTP basic-auth when Authentik is down — the whole point, so the
+# breakglass is reachable during an auth-stack outage. CrowdSec + rate-limit are
+# attached by default (not excluded). The app additionally accepts the injected
+# X-authentik-username header (or a bearer) as its own gate.
+module "ingress" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  name            = "breakglass"
+  service_name    = kubernetes_service.breakglass.metadata[0].name
+  port            = 8080
+  namespace       = kubernetes_namespace.breakglass.metadata[0].name
+  tls_secret_name = var.tls_secret_name
+  auth            = "required"
+  dns_type        = "proxied"
+
+  extra_annotations = {
+    "gethomepage.dev/enabled"     = "true"
+    "gethomepage.dev/name"        = "devvm breakglass"
+    "gethomepage.dev/description" = "Emergency recovery UI for the devvm"
+    "gethomepage.dev/icon"        = "proxmox.png"
+    "gethomepage.dev/group"       = "Infrastructure"
+  }
+}
diff --git a/stacks/claude-breakglass/terragrunt.hcl b/stacks/claude-breakglass/terragrunt.hcl
new file mode 100644
index 00000000..d877449c
--- /dev/null
+++ b/stacks/claude-breakglass/terragrunt.hcl
@@ -0,0 +1,20 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+# Platform (Traefik/ingress middlewares), Vault (ESO reads secrets), and
+# external-secrets (the ClusterSecretStore) must exist first.
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
+
+dependency "vault" {
+  config_path  = "../vault"
+  skip_outputs = true
+}
+
+dependency "external-secrets" {
+  config_path  = "../external-secrets"
+  skip_outputs = true
+}
diff --git a/stacks/claude-memory/main.tf b/stacks/claude-memory/main.tf
index c7506150..18c21fe5 100644
--- a/stacks/claude-memory/main.tf
+++ b/stacks/claude-memory/main.tf
@@ -18,7 +18,7 @@ resource "kubernetes_namespace" "claude-memory" {
   metadata {
     name = "claude-memory"
     labels = {
-      tier = local.tiers.aux
+      tier               = local.tiers.aux
       "keel.sh/enrolled" = "true"
     }
   }
@@ -30,7 +30,7 @@ resource "kubernetes_namespace" "claude-memory" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "claude-memory-secrets"
@@ -58,7 +58,7 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (rotated every 24h)
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "claude-memory-db-creds"
@@ -150,7 +150,11 @@ resource "kubernetes_deployment" "claude-memory" {
     }
   }
   spec {
-    replicas = 1
+    # 2 replicas (stateless FastAPI over shared CNPG PG) so node drains, Keel
+    # bumps, Reloader restarts (7d DB rotation), CI deploys, and descheduler
+    # evictions become zero-downtime rolling events instead of hard outages —
+    # the latter were surfacing as recurring memory-MCP "disconnects".
+    replicas = 2
     selector {
       match_labels = {
         app = "claude-memory"
@@ -163,6 +167,10 @@ resource "kubernetes_deployment" "claude-memory" {
         }
         annotations = {
           "dependency.kyverno.io/wait-for" = "postgresql.dbaas:5432"
+          # Skip descheduler eviction — it bounced this pod every ~5min
+          # (LowNodeUtilization). The PDB below keeps drains/Keel/CI safe at
+          # 2 replicas; this just stops the needless churn of the MCP backend.
+          "descheduler.alpha.kubernetes.io/evict" = "false"
         }
       }
       spec {
@@ -182,7 +190,7 @@ resource "kubernetes_deployment" "claude-memory" {
           name = "claude-memory"
           # Phase 3 cutover 2026-05-07 — moved off DockerHub to Forgejo as
           # part of the registry consolidation. Old: viktorbarzin/claude-memory-mcp:17
-          image = "forgejo.viktorbarzin.me/viktor/claude-memory-mcp:17"
+          image = "ghcr.io/viktorbarzin/claude-memory-mcp:latest"
 
           port {
             container_port = 8000
@@ -261,8 +269,24 @@ resource "kubernetes_deployment" "claude-memory" {
   }
 }
 
-# PDB removed — single replica with minAvailable=1 blocks all node drains.
-# claude-memory is non-critical and recovers quickly after rescheduling.
+# PDB restored alongside replicas=2 (2026-06-18). The old reason for removing it
+# — a 1-replica minAvailable=1 PDB deadlocks node drains — no longer applies at
+# 2 replicas: minAvailable=1 lets one pod be drained/evicted while the other
+# serves, so voluntary disruptions never take the MCP backend to zero.
+resource "kubernetes_pod_disruption_budget_v1" "claude-memory" {
+  metadata {
+    name      = "claude-memory"
+    namespace = kubernetes_namespace.claude-memory.metadata[0].name
+  }
+  spec {
+    min_available = "1"
+    selector {
+      match_labels = {
+        app = "claude-memory"
+      }
+    }
+  }
+}
 
 resource "kubernetes_service" "claude-memory" {
   metadata {
diff --git a/stacks/cloudflared/modules/cloudflared/main.tf b/stacks/cloudflared/modules/cloudflared/main.tf
index a913c683..8501e278 100644
--- a/stacks/cloudflared/modules/cloudflared/main.tf
+++ b/stacks/cloudflared/modules/cloudflared/main.tf
@@ -64,9 +64,13 @@ resource "kubernetes_deployment" "cloudflared" {
         }
         container {
           # image = "wisdomsky/cloudflared-web:latest"
-          image   = "cloudflare/cloudflared"
-          name    = "cloudflared"
-          command = ["cloudflared", "tunnel", "run"]
+          image = "cloudflare/cloudflared"
+          name  = "cloudflared"
+          # --no-autoupdate: without it cloudflared self-updates in place and
+          # exits (code 11) when CF ships a release, severing every WebSocket
+          # riding the tunnel (observed as t3/terminal drops, 2026-06-09/10).
+          # Image updates are handled by pod rollouts, not in-place binaries.
+          command = ["cloudflared", "tunnel", "--no-autoupdate", "run"]
           env {
             name  = "TUNNEL_TOKEN"
             value = var.cloudflare_tunnel_token
diff --git a/stacks/coturn/.terraform.lock.hcl b/stacks/coturn/.terraform.lock.hcl
index 5b74a7af..b22b977e 100644
--- a/stacks/coturn/.terraform.lock.hcl
+++ b/stacks/coturn/.terraform.lock.hcl
@@ -24,43 +24,33 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.2.0"
+  hashes = [
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.0.1"
+  version = "3.2.0"
   hashes = [
-    "h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=",
-    "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=",
-    "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281",
-    "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba",
-    "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7",
-    "zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6",
-    "zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4",
-    "zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249",
-    "zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090",
-    "zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97",
-    "zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8",
-    "zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119",
-    "zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -84,3 +74,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/coturn/main.tf b/stacks/coturn/main.tf
index c323ff56..caeb9a66 100644
--- a/stacks/coturn/main.tf
+++ b/stacks/coturn/main.tf
@@ -6,7 +6,7 @@ variable "public_ip" { type = string }
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "coturn-secrets"
diff --git a/stacks/crowdsec/main.tf b/stacks/crowdsec/main.tf
index 70f01eea..ca768356 100644
--- a/stacks/crowdsec/main.tf
+++ b/stacks/crowdsec/main.tf
@@ -29,4 +29,11 @@ module "crowdsec" {
   crowdsec_dash_machine_id       = data.vault_kv_secret_v2.secrets.data["crowdsec_dash_machine_id"]
   crowdsec_dash_machine_password = data.vault_kv_secret_v2.secrets.data["crowdsec_dash_machine_password"]
   slack_webhook_url              = data.vault_kv_secret_v2.secrets.data["alertmanager_slack_api_url"]
+  # Same key the traefik-stack bouncer middleware uses — seeded into LAPI so the
+  # bouncer authenticates and pulls decisions (was unregistered → 403 → fail-open).
+  ingress_bouncer_key = data.vault_kv_secret_v2.secrets.data["ingress_crowdsec_api_key"]
+  # Real enforcement replacing the dead Traefik plugin: kvsync feeds the proxied
+  # edge Worker via Cloudflare KV; firewall is the direct-host nftables bouncer.
+  kvsync_bouncer_key   = data.vault_kv_secret_v2.secrets.data["kvsync_bouncer_key"]
+  firewall_bouncer_key = data.vault_kv_secret_v2.secrets.data["firewall_bouncer_key"]
 }
diff --git a/stacks/crowdsec/modules/crowdsec/crowdsec-ingress-bouncer.yaml b/stacks/crowdsec/modules/crowdsec/crowdsec-ingress-bouncer.yaml
deleted file mode 100644
index fe8ba008..00000000
--- a/stacks/crowdsec/modules/crowdsec/crowdsec-ingress-bouncer.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-controller:
-  extraVolumes:
-    - name: crowdsec-bouncer-plugin
-      emptyDir: {}
-  extraInitContainers:
-    - name: init-clone-crowdsec-bouncer
-      image: crowdsecurity/lua-bouncer-plugin
-      imagePullPolicy: IfNotPresent
-      env:
-        - name: API_URL
-          value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" # crowdsec lapi service-name
-        - name: API_KEY
-          value: "<API KEY>" # generated with `cscli bouncers add -n <bouncer_name>
-        - name: BOUNCER_CONFIG
-          value: "/crowdsec/crowdsec-bouncer.conf"
-        - name: CAPTCHA_PROVIDER
-          value: "recaptcha" # valid providers are recaptcha, hcaptcha, turnstile
-        - name: SECRET_KEY
-          value: "<your-captcha-secret-key>" # If you want captcha support otherwise remove this ENV VAR
-        - name: SITE_KEY
-          value: "<your-captcha-site-key>" # If you want captcha support otherwise remove this ENV VAR
-        - name: BAN_TEMPLATE_PATH
-          value: /etc/nginx/lua/plugins/crowdsec/templates/ban.html
-        - name: CAPTCHA_TEMPLATE_PATH
-          value: /etc/nginx/lua/plugins/crowdsec/templates/captcha.html
-      command:
-        [
-          "sh",
-          "-c",
-          "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/",
-        ]
-      volumeMounts:
-        - name: crowdsec-bouncer-plugin
-          mountPath: /lua_plugins
-  extraVolumeMounts:
-    - name: crowdsec-bouncer-plugin
-      mountPath: /etc/nginx/lua/plugins/crowdsec
-      subPath: crowdsec
-  config:
-    plugins: "crowdsec"
-    lua-shared-dicts: "crowdsec_cache: 50m"
-    server-snippet: |
-      lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"; # If you want captcha support otherwise remove this line
-      resolver local=on ipv6=off;
diff --git a/stacks/crowdsec/modules/crowdsec/firewall_bouncer.tf b/stacks/crowdsec/modules/crowdsec/firewall_bouncer.tf
new file mode 100644
index 00000000..a64200e9
--- /dev/null
+++ b/stacks/crowdsec/modules/crowdsec/firewall_bouncer.tf
@@ -0,0 +1,253 @@
+# =============================================================================
+# cs-firewall-bouncer — in-kernel (nftables) enforcement DaemonSet
+# =============================================================================
+# CrowdSec currently enforces NOTHING at the network layer: the Traefik Yaegi
+# (lua) bouncer plugin is dead, so banned IPs still reach Traefik. For DIRECT
+# (non-Cloudflare-proxied) hosts we drop banned source IPs IN-KERNEL via
+# cs-firewall-bouncer's nftables backend — the packet is dropped before it ever
+# reaches Traefik, costing zero per-request hops.
+#
+# Topology this respects (do NOT change without re-reading docs/architecture/networking.md):
+#   - Calico CNI + kube-proxy in IPTABLES mode (NOT eBPF).
+#   - Traefik is a LoadBalancer Service at 10.0.20.203, externalTrafficPolicy=Local
+#     (real client IP preserved — that's the whole point of the dedicated .203 IP).
+#   - LB traffic is DNAT'd to the Traefik POD, so the original source IP survives
+#     into the `forward` netfilter hook. The drop rule MUST therefore cover the
+#     `forward` hook, not only `input` (a pod-destined packet traverses forward,
+#     not input, on the node). Hence nftables_hooks: [input, forward] below.
+#
+# Packaging: cs-firewall-bouncer publishes NO container image. We pin the
+# official release binary (v0.0.34, 2025-08-04 — latest stable) and fetch it at
+# runtime: an initContainer (curlimages/curl — has curl + tar, alpine) downloads
+# + extracts the static binary into an emptyDir; the main container
+# (debian:bookworm-slim) runs it. The nftables backend talks netlink DIRECTLY
+# via github.com/google/nftables (go.mod + pkg/nftables/nftables.go: no os/exec)
+# and the docs confirm "mode nftables relies on github.com/google/nftables to
+# create table, chain and set" — so NO `nft` userspace CLI is needed and a plain
+# slim base image suffices. The binary is built CGO_ENABLED=0 / -extldflags
+# -static (Makefile), so it runs on glibc (debian) or musl (alpine) alike.
+#
+# Source: https://github.com/crowdsecurity/cs-firewall-bouncer
+#         https://docs.crowdsec.net/u/bouncers/firewall/
+#
+# Runs cluster-wide (no nodeSelector): the DaemonSet schedules on every untainted
+# node, covering all MetalLB-VIP-eligible workers so direct-host enforcement
+# survives a Traefik VIP failover to any node. One-node validation on k8s-node2
+# is complete (see the note in the pod spec below).
+
+locals {
+  # Pin a specific stable release. Bump deliberately (re-validate on one node first).
+  firewall_bouncer_version  = "v0.0.34"
+  firewall_bouncer_tgz_url  = "https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/${local.firewall_bouncer_version}/crowdsec-firewall-bouncer-linux-amd64.tgz"
+  firewall_bouncer_bin_path = "/opt/firewall-bouncer/crowdsec-firewall-bouncer"
+  firewall_bouncer_cfg_path = "/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml"
+
+  # Rendered firewall-bouncer config. Lives in a Secret (NOT a ConfigMap) because
+  # it embeds api_key. Key names/structure verified against the reference config
+  # (config/crowdsec-firewall-bouncer.yaml @ v0.0.34):
+  #   - `set-only` uses a HYPHEN (not set_only).
+  #   - `nftables_hooks` is a TOP-LEVEL list (sibling of `nftables:`, underscore).
+  #   - `deny_action` values are uppercase DROP / REJECT.
+  #   - `log_mode: stdout` sends logs to the container's stdout (default is `file`).
+  #   - api_url carries a trailing slash (matches the reference default).
+  firewall_bouncer_yaml = <<-YAML
+    mode: nftables
+    update_frequency: 10s
+    log_mode: stdout
+    log_level: info
+    api_url: http://crowdsec-service.crowdsec.svc.cluster.local:8080/
+    api_key: ${var.firewall_bouncer_key}
+    insecure_skip_verify: false
+    disable_ipv6: false
+    deny_action: DROP
+    deny_log: true
+    nftables:
+      ipv4:
+        enabled: true
+        set-only: false
+        table: crowdsec
+        chain: crowdsec-chain
+        priority: -10
+      ipv6:
+        enabled: true
+        set-only: false
+        table: crowdsec6
+        chain: crowdsec6-chain
+        priority: -10
+    nftables_hooks:
+      - input
+      - forward
+  YAML
+}
+
+resource "kubernetes_secret" "firewall_bouncer_config" {
+  metadata {
+    name      = "crowdsec-firewall-bouncer-config"
+    namespace = kubernetes_namespace.crowdsec.metadata[0].name
+    labels = {
+      "app.kubernetes.io/name" = "crowdsec-firewall-bouncer"
+      tier                     = var.tier
+    }
+    annotations = {
+      # Rotate the pods if the API key / config ever changes (the binary reads
+      # the config only at startup).
+      "reloader.stakater.com/match" = "true"
+    }
+  }
+  data = {
+    "crowdsec-firewall-bouncer.yaml" = local.firewall_bouncer_yaml
+  }
+  type = "Opaque"
+}
+
+resource "kubernetes_daemon_set_v1" "firewall_bouncer" {
+  metadata {
+    name      = "crowdsec-firewall-bouncer"
+    namespace = kubernetes_namespace.crowdsec.metadata[0].name
+    labels = {
+      "app.kubernetes.io/name" = "crowdsec-firewall-bouncer"
+      tier                     = var.tier
+    }
+  }
+  spec {
+    selector {
+      match_labels = {
+        "app.kubernetes.io/name" = "crowdsec-firewall-bouncer"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          "app.kubernetes.io/name" = "crowdsec-firewall-bouncer"
+          tier                     = var.tier
+        }
+        annotations = {
+          # Bounce pods when the config Secret changes (api_key rotation etc.).
+          "secret.reloader.stakater.com/reload" = kubernetes_secret.firewall_bouncer_config.metadata[0].name
+        }
+      }
+      spec {
+        priority_class_name = "tier-1-cluster"
+
+        # Program the HOST's nftables ruleset (not the pod netns) — the bouncer's
+        # drop rules must live in the host network namespace where DNAT'd LB
+        # traffic transits the forward hook.
+        host_network = true
+        dns_policy   = "ClusterFirstWithHostNet"
+
+        # ---- CLUSTER-WIDE (validation passed) ----------------------------------
+        # One-node validation on k8s-node2 passed: kernel nftables sets were
+        # created in BOTH the input and forward chains (policy accept), ~31k
+        # decisions loaded, a known banned scanner confirmed in the drop set, and
+        # the pod stayed stable 4h+ with no collateral. The nodeSelector is now
+        # removed so the DaemonSet runs on every (untainted) node — covering all
+        # MetalLB-VIP-eligible workers, so direct-host enforcement survives a
+        # Traefik VIP failover to any node.
+        # ------------------------------------------------------------------------
+
+        # initContainer fetches + extracts the pinned release binary into the
+        # shared emptyDir. curlimages/curl is alpine and ships curl + tar.
+        init_container {
+          name  = "fetch-bouncer"
+          image = "curlimages/curl:8.10.1"
+          command = [
+            "sh", "-c",
+            <<-EOT
+              set -eu
+              echo "Downloading cs-firewall-bouncer ${local.firewall_bouncer_version}..."
+              curl -fsSL "${local.firewall_bouncer_tgz_url}" -o /tmp/fb.tgz
+              # Archive layout (verified @ v0.0.34): a single versioned top dir
+              # `crowdsec-firewall-bouncer-vX.Y.Z/` containing the binary plus
+              # config/, scripts/, install.sh. The curl image is BusyBox, whose
+              # tar lacks GNU --wildcards/--strip-components selection — so extract
+              # everything to a scratch dir, then cp ONLY the binary out via a
+              # shell glob (`*/` matches the single versioned top dir).
+              mkdir -p /tmp/fb-extract
+              tar -xzf /tmp/fb.tgz -C /tmp/fb-extract
+              cp /tmp/fb-extract/*/crowdsec-firewall-bouncer ${local.firewall_bouncer_bin_path}
+              chmod +x ${local.firewall_bouncer_bin_path}
+              echo "Fetched: $(ls -l ${local.firewall_bouncer_bin_path})"
+            EOT
+          ]
+          volume_mount {
+            name       = "binary"
+            mount_path = "/opt/firewall-bouncer"
+          }
+          resources {
+            requests = {
+              cpu    = "10m"
+              memory = "32Mi"
+            }
+            limits = {
+              memory = "64Mi"
+            }
+          }
+        }
+
+        container {
+          name  = "firewall-bouncer"
+          image = "debian:bookworm-slim"
+          command = [
+            local.firewall_bouncer_bin_path,
+            "-c", local.firewall_bouncer_cfg_path,
+          ]
+
+          # nftables backend needs NET_ADMIN to program the host ruleset. NET_RAW
+          # is the proven-safe companion the reference container images add. We
+          # deliberately AVOID full `privileged: true` — these two caps are
+          # sufficient for the netlink nftables path (no iptables/ipset shell-out
+          # here). If validation shows rules are NOT being installed, the next
+          # thing to try is privileged:true (see checklist) — but start minimal.
+          security_context {
+            capabilities {
+              add = ["NET_ADMIN", "NET_RAW"]
+            }
+          }
+
+          volume_mount {
+            name       = "binary"
+            mount_path = "/opt/firewall-bouncer"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "config"
+            mount_path = local.firewall_bouncer_cfg_path
+            sub_path   = "crowdsec-firewall-bouncer.yaml"
+            read_only  = true
+          }
+
+          # No liveness probe: the bouncer runs as PID 1, so a crash — or a bad
+          # config that makes it exit non-zero at startup — surfaces on its own as
+          # a pod restart / CrashLoopBackOff. This avoids coupling pod liveness to
+          # a periodic LAPI round-trip (a brief LAPI blip must NOT bounce the pod).
+
+          resources {
+            requests = {
+              cpu    = "10m"
+              memory = "64Mi"
+            }
+            # crowdsec-quota enforces limits.memory on every pod in the ns.
+            limits = {
+              memory = "128Mi"
+            }
+          }
+        }
+
+        volume {
+          name = "binary"
+          empty_dir {}
+        }
+        volume {
+          name = "config"
+          secret {
+            secret_name = kubernetes_secret.firewall_bouncer_config.metadata[0].name
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
+    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+  }
+}
diff --git a/stacks/crowdsec/modules/crowdsec/main.tf b/stacks/crowdsec/modules/crowdsec/main.tf
index 3022e518..b126805e 100644
--- a/stacks/crowdsec/modules/crowdsec/main.tf
+++ b/stacks/crowdsec/modules/crowdsec/main.tf
@@ -16,6 +16,21 @@ variable "tier" { type = string }
 variable "slack_webhook_url" { type = string }
 variable "mysql_host" { type = string }
 variable "postgresql_host" { type = string }
+variable "ingress_bouncer_key" {
+  type        = string
+  sensitive   = true
+  description = "API key for the Traefik CrowdSec bouncer plugin. Seeded into LAPI via BOUNCER_KEY_traefik so the bouncer authenticates and pulls decisions — the same key the traefik-stack middleware presents."
+}
+variable "kvsync_bouncer_key" {
+  type        = string
+  sensitive   = true
+  description = "API key for the LAPI->Cloudflare-KV sync job (proxied-edge control plane). Seeded into LAPI via BOUNCER_KEY_kvsync; the rybbit-stack CronJob presents the same key to pull decisions."
+}
+variable "firewall_bouncer_key" {
+  type        = string
+  sensitive   = true
+  description = "API key for the cs-firewall-bouncer DaemonSet (direct-host in-kernel enforcement). Seeded into LAPI via BOUNCER_KEY_firewall; the DaemonSet presents the same key to stream decisions."
+}
 
 module "tls_secret" {
   source          = "../../../../modules/kubernetes/setup_tls_secret"
@@ -97,6 +112,15 @@ resource "kubernetes_config_map" "crowdsec_whitelist" {
         reason: "Trusted IP - never block"
         ip:
           - "176.12.22.76"
+        cidr:
+          # Never ban internal/cluster/LAN/tailnet sources. Enforcement (edge
+          # Worker + firewall-bouncer) drops on real source IP, so an internal
+          # range slipping into a decision could blackhole legit traffic — this
+          # makes that structurally impossible at the decision layer.
+          - "10.0.0.0/8"        # k8s nodes/pods/services + VLAN 10/20
+          - "172.16.0.0/12"     # RFC1918
+          - "192.168.0.0/16"    # LAN (192.168.1.0/24) + Sofia
+          - "100.64.0.0/10"     # Headscale tailnet (CGNAT)
       ---
       name: viktor/immich-asset-paths-whitelist
       description: "Don't penalise legit Immich timeline bursts (mobile scrub, web grid)"
@@ -148,7 +172,7 @@ resource "helm_release" "crowdsec" {
   repository = "https://crowdsecurity.github.io/helm-charts"
   chart      = "crowdsec"
 
-  values        = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url, mysql_host = var.mysql_host, postgresql_host = var.postgresql_host })]
+  values        = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url, mysql_host = var.mysql_host, postgresql_host = var.postgresql_host, INGRESS_CROWDSEC_API_KEY = var.ingress_bouncer_key, KVSYNC_CROWDSEC_API_KEY = var.kvsync_bouncer_key, FIREWALL_CROWDSEC_API_KEY = var.firewall_bouncer_key })]
   timeout       = 1200
   wait          = true
   wait_for_jobs = true
@@ -279,13 +303,12 @@ resource "kubernetes_service" "crowdsec-web" {
   }
 }
 module "ingress" {
-  source           = "../../../../modules/kubernetes/ingress_factory"
-  dns_type         = "proxied"
-  namespace        = kubernetes_namespace.crowdsec.metadata[0].name
-  name             = "crowdsec-web"
-  auth             = "required"
-  tls_secret_name  = var.tls_secret_name
-  exclude_crowdsec = true
+  source          = "../../../../modules/kubernetes/ingress_factory"
+  dns_type        = "proxied"
+  namespace       = kubernetes_namespace.crowdsec.metadata[0].name
+  name            = "crowdsec-web"
+  auth            = "required"
+  tls_secret_name = var.tls_secret_name
 }
 
 # CronJob to import public blocklists into CrowdSec
diff --git a/stacks/crowdsec/modules/crowdsec/values.yaml b/stacks/crowdsec/modules/crowdsec/values.yaml
index 8407ac37..f03dfb22 100644
--- a/stacks/crowdsec/modules/crowdsec/values.yaml
+++ b/stacks/crowdsec/modules/crowdsec/values.yaml
@@ -126,6 +126,23 @@ lapi:
         secretKeyRef:
           name: crowdsec-lapi-secrets
           key: dbPassword
+    # Register the Traefik bouncer at LAPI startup with the SAME API key the
+    # traefik-stack middleware uses (Vault `ingress_crowdsec_api_key`). Before
+    # this the bouncer was never registered → LAPI returned 403 → the plugin
+    # failed open (updateMaxFailure=-1) and enforced NOTHING (no bans, no
+    # captcha). Idempotent across the 3 LAPI replicas / restarts, and
+    # re-registers automatically if the LAPI DB is ever wiped (the root cause:
+    # the prior manual registration was lost in the MySQL→PostgreSQL migration).
+    - name: BOUNCER_KEY_traefik
+      value: "${INGRESS_CROWDSEC_API_KEY}"
+    # Real enforcement path that replaces the dead Traefik Yaegi plugin:
+    #   kvsync   -> LAPI->Cloudflare-KV sync CronJob (proxied hosts, edge Worker)
+    #   firewall -> cs-firewall-bouncer DaemonSet (direct hosts, in-kernel nftables drop)
+    # Registered at LAPI startup (idempotent across the 3 replicas / restarts).
+    - name: BOUNCER_KEY_kvsync
+      value: "${KVSYNC_CROWDSEC_API_KEY}"
+    - name: BOUNCER_KEY_firewall
+      value: "${FIREWALL_CROWDSEC_API_KEY}"
   dashboard:
     enabled: true
     env:
diff --git a/stacks/dawarich/.terraform.lock.hcl b/stacks/dawarich/.terraform.lock.hcl
index fabbc047..b22b977e 100644
--- a/stacks/dawarich/.terraform.lock.hcl
+++ b/stacks/dawarich/.terraform.lock.hcl
@@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
+  hashes = [
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
 provider "registry.terraform.io/goauthentik/authentik" {
   version     = "2024.12.1"
   constraints = "~> 2024.10"
@@ -33,29 +41,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -79,3 +74,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/dawarich/main.tf b/stacks/dawarich/main.tf
index 92fef613..2432e9c3 100644
--- a/stacks/dawarich/main.tf
+++ b/stacks/dawarich/main.tf
@@ -24,7 +24,7 @@ resource "kubernetes_namespace" "dawarich" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "dawarich-secrets"
diff --git a/stacks/dbaas/modules/dbaas/main.tf b/stacks/dbaas/modules/dbaas/main.tf
index 3fc44f94..479263ed 100644
--- a/stacks/dbaas/modules/dbaas/main.tf
+++ b/stacks/dbaas/modules/dbaas/main.tf
@@ -427,7 +427,7 @@ resource "kubernetes_cron_job_v1" "mysql-backup" {
     failed_jobs_history_limit = 5
     schedule                  = "30 0 * * *"
     # schedule                      = "* * * * *"
-    starting_deadline_seconds     = 10
+    starting_deadline_seconds     = 600
     successful_jobs_history_limit = 10
     job_template {
       metadata {}
@@ -519,7 +519,7 @@ resource "kubernetes_cron_job_v1" "mysql-backup-per-db" {
     concurrency_policy            = "Replace"
     failed_jobs_history_limit     = 3
     schedule                      = "45 0 * * *"
-    starting_deadline_seconds     = 10
+    starting_deadline_seconds     = 600
     successful_jobs_history_limit = 3
     job_template {
       metadata {}
@@ -1607,7 +1607,12 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" {
     failed_jobs_history_limit = 5
     schedule                  = "0 0 * * *"
     # schedule                      = "* * * * *"
-    starting_deadline_seconds     = 10
+    # 600s (was 10s): a 10s deadline silently DROPPED the 2026-06-13 00:00 run
+    # when the CronJob controller was late at the midnight backup/IO-storm tick,
+    # leaving the last full dump 37h old (fired PostgreSQLBackupStale). 600s lets
+    # a brief controller lag still launch the job. Same fix on the other three
+    # dbaas backup crons (they share the midnight window).
+    starting_deadline_seconds     = 600
     successful_jobs_history_limit = 10
     job_template {
       metadata {}
@@ -1695,7 +1700,7 @@ resource "kubernetes_cron_job_v1" "postgresql-backup-per-db" {
     concurrency_policy            = "Replace"
     failed_jobs_history_limit     = 3
     schedule                      = "15 0 * * *"
-    starting_deadline_seconds     = 10
+    starting_deadline_seconds     = 600
     successful_jobs_history_limit = 3
     job_template {
       metadata {}
diff --git a/stacks/descheduler/values.yaml b/stacks/descheduler/values.yaml
index dca0d0fc..fe0578f3 100644
--- a/stacks/descheduler/values.yaml
+++ b/stacks/descheduler/values.yaml
@@ -52,7 +52,7 @@ namespaceOverride: ""
 commonLabels: {}
 
 cronJobApiVersion: "batch/v1"
-schedule: "*/5 * * * *"
+schedule: "0 * * * *"  # hourly (was */5; 2026-06-12 etcd-load-reduction — fewer list/evict cycles, rebalancing isn't time-critical)
 suspend: false
 # startingDeadlineSeconds: 200
 successfulJobsHistoryLimit: 10
diff --git a/stacks/diun/.terraform.lock.hcl b/stacks/diun/.terraform.lock.hcl
index 5b74a7af..b22b977e 100644
--- a/stacks/diun/.terraform.lock.hcl
+++ b/stacks/diun/.terraform.lock.hcl
@@ -24,43 +24,33 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.2.0"
+  hashes = [
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.0.1"
+  version = "3.2.0"
   hashes = [
-    "h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=",
-    "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=",
-    "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281",
-    "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba",
-    "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7",
-    "zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6",
-    "zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4",
-    "zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249",
-    "zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090",
-    "zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97",
-    "zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8",
-    "zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119",
-    "zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -84,3 +74,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/diun/main.tf b/stacks/diun/main.tf
index 083a8125..9933f064 100644
--- a/stacks/diun/main.tf
+++ b/stacks/diun/main.tf
@@ -21,7 +21,7 @@ resource "kubernetes_namespace" "diun" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "diun-secrets"
diff --git a/stacks/ebooks/main.tf b/stacks/ebooks/main.tf
index 0e0474fc..a5754590 100644
--- a/stacks/ebooks/main.tf
+++ b/stacks/ebooks/main.tf
@@ -21,7 +21,7 @@ resource "kubernetes_namespace" "ebooks" {
 # ExternalSecrets for all three sources
 resource "kubernetes_manifest" "calibre_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "calibre-secrets"
@@ -48,7 +48,7 @@ resource "kubernetes_manifest" "calibre_external_secret" {
 
 resource "kubernetes_manifest" "audiobookshelf_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "audiobookshelf-secrets"
@@ -75,7 +75,7 @@ resource "kubernetes_manifest" "audiobookshelf_external_secret" {
 
 resource "kubernetes_manifest" "servarr_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "servarr-secrets"
diff --git a/stacks/external-secrets/main.tf b/stacks/external-secrets/main.tf
index 291c67b9..5356a437 100644
--- a/stacks/external-secrets/main.tf
+++ b/stacks/external-secrets/main.tf
@@ -17,7 +17,14 @@ resource "helm_release" "external_secrets" {
   namespace  = kubernetes_namespace.external_secrets.metadata[0].name
   repository = "https://charts.external-secrets.io"
   chart      = "external-secrets"
-  version    = "0.12.1"
+  # ESO 0.12->2.6 migration (2026-06-21, docs/plans/2026-06-21-eso-0.12-to-2.x-migration-design.md).
+  # Stepped one minor at a time on k8s 1.34; rewrite all 104 CRs v1beta1->v1 at 0.16.2 before 0.17.
+  version = "2.6.0"
+
+  # Added for the migration: auto-rollback a failed hop's helm upgrade (ESO had no
+  # rollback safety net) and wait for the controller Deployment to be Ready first.
+  atomic  = true
+  timeout = 600
 
   values = [yamlencode({
     installCRDs = true
@@ -28,7 +35,7 @@ resource "helm_release" "external_secrets" {
 
 resource "kubernetes_manifest" "css_vault_kv" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ClusterSecretStore"
     metadata   = { name = "vault-kv" }
     spec = {
@@ -58,7 +65,7 @@ resource "kubernetes_manifest" "css_vault_kv" {
 
 resource "kubernetes_manifest" "css_vault_db" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ClusterSecretStore"
     metadata   = { name = "vault-database" }
     spec = {
diff --git a/stacks/f1-stream/.terraform.lock.hcl b/stacks/f1-stream/.terraform.lock.hcl
index 05f8a359..5982c332 100644
--- a/stacks/f1-stream/.terraform.lock.hcl
+++ b/stacks/f1-stream/.terraform.lock.hcl
@@ -70,41 +70,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf
index 5365b363..a62ad01a 100644
--- a/stacks/f1-stream/main.tf
+++ b/stacks/f1-stream/main.tf
@@ -34,7 +34,7 @@ resource "kubernetes_namespace" "f1-stream" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "f1-stream-secrets"
@@ -63,7 +63,7 @@ resource "kubernetes_manifest" "external_secret" {
 # Secret so the verifier can reach the in-cluster Playwright pool.
 resource "kubernetes_manifest" "chrome_service_client_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "chrome-service-client-secrets"
@@ -128,7 +128,7 @@ resource "kubernetes_deployment" "f1-stream" {
       }
       spec {
         container {
-          image             = "forgejo.viktorbarzin.me/viktor/f1-stream:${var.image_tag}"
+          image             = "ghcr.io/viktorbarzin/f1-stream:${var.image_tag}"
           image_pull_policy = "Always"
           name              = "f1-stream"
           # Right-sized 2026-06-05: was 1Gi (bundled-Chromium era). The image is
@@ -195,6 +195,11 @@ resource "kubernetes_deployment" "f1-stream" {
         image_pull_secrets {
           name = "registry-credentials"
         }
+        # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+        # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
       }
     }
   }
@@ -296,7 +301,6 @@ module "ingress" {
   service_name      = module.anubis.service_name
   port              = module.anubis.service_port
   tls_secret_name   = var.tls_secret_name
-  exclude_crowdsec  = true
   anti_ai_scraping  = false
   extra_middlewares = ["traefik-x402@kubernetescrd"]
   extra_annotations = {
diff --git a/stacks/fire-planner/main.tf b/stacks/fire-planner/main.tf
index 6af26754..21503a37 100644
--- a/stacks/fire-planner/main.tf
+++ b/stacks/fire-planner/main.tf
@@ -13,11 +13,16 @@ variable "tls_secret_name" {
 
 locals {
   namespace = "fire-planner"
-  # Phase 3 cutover 2026-05-07. NOTE: the registry-private repo for
-  # fire-planner has 0 tags — first build via Woodpecker on the new Forgejo
-  # repo (viktor/fire-planner, Dockerfile + .woodpecker.yml added 2026-05-07)
-  # must succeed BEFORE the next pod restart, otherwise pulls will 404.
-  image = "forgejo.viktorbarzin.me/viktor/fire-planner:${var.image_tag}"
+  # ADR-0002 off-infra builds (2026-06-13, issue infra#26): GHA on the GitHub
+  # mirror builds + pushes ghcr.io/viktorbarzin/fire-planner (:sha8 + :latest);
+  # Woodpecker is deploy-only. PRIVATE ghcr package — every pod spec pulls via
+  # the ghcr-credentials Secret (kyverno sync-ghcr-credentials allowlist).
+  # registry-credentials stays alongside so the currently-running sha-pinned
+  # forgejo image remains pullable until the first ghcr deploy lands.
+  # (Applied via the 2026-06-13 re-trigger commit: the original pipeline 150
+  # was auto-killed by a concurrent nextcloud-todos master push before its
+  # apply step ran, and the successor's diff base excluded this stack.)
+  image = "ghcr.io/viktorbarzin/fire-planner:${var.image_tag}"
   labels = {
     app = "fire-planner"
   }
@@ -49,7 +54,7 @@ resource "kubernetes_namespace" "fire_planner" {
 #   secret/fire-planner -> property `recompute_bearer_token`
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "fire-planner-secrets"
@@ -111,7 +116,7 @@ resource "kubernetes_manifest" "external_secret" {
 # as DB_CONNECTION_STRING.
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "fire-planner-db-creds"
@@ -155,7 +160,7 @@ resource "kubernetes_manifest" "db_external_secret" {
 # fire-planner ingest reads those tables via this role.
 resource "kubernetes_manifest" "wealthfolio_sync_db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "wealthfolio-sync-db-creds"
@@ -230,6 +235,9 @@ resource "kubernetes_deployment" "fire_planner" {
         image_pull_secrets {
           name = "registry-credentials"
         }
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
 
         init_container {
           name              = "alembic-migrate"
@@ -390,6 +398,9 @@ resource "kubernetes_cron_job_v1" "fire_planner_recompute" {
             image_pull_secrets {
               name = "registry-credentials"
             }
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
             container {
               name    = "recompute"
               image   = local.image
@@ -473,6 +484,9 @@ resource "kubernetes_cron_job_v1" "fire_planner_col_refresh" {
             image_pull_secrets {
               name = "registry-credentials"
             }
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
             container {
               name    = "col-refresh"
               image   = local.image
@@ -648,7 +662,7 @@ variable "run_examples_bulk_ingest" {
 # Reddit OAuth creds pulled from Vault secret/viktor.
 resource "kubernetes_manifest" "external_secret_examples_reddit" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "fire-planner-examples-reddit"
@@ -688,7 +702,7 @@ resource "kubernetes_manifest" "external_secret_examples_reddit" {
 # is decoupled from the Reddit creds.
 resource "kubernetes_manifest" "external_secret_examples_claude" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "fire-planner-examples-claude"
@@ -738,6 +752,9 @@ resource "kubernetes_job_v1" "examples_bulk_ingest" {
         image_pull_secrets {
           name = "registry-credentials"
         }
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
         container {
           name              = "ingest"
           image             = local.image
@@ -859,6 +876,9 @@ resource "kubernetes_cron_job_v1" "examples_weekly_delta" {
             image_pull_secrets {
               name = "registry-credentials"
             }
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
             container {
               name              = "ingest"
               image             = local.image
diff --git a/stacks/forgejo/.terraform.lock.hcl b/stacks/forgejo/.terraform.lock.hcl
index d5c3672c..1558f94e 100644
--- a/stacks/forgejo/.terraform.lock.hcl
+++ b/stacks/forgejo/.terraform.lock.hcl
@@ -70,41 +70,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -128,3 +103,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/forgejo/cleanup.tf b/stacks/forgejo/cleanup.tf
index add332d3..ba528b5a 100644
--- a/stacks/forgejo/cleanup.tf
+++ b/stacks/forgejo/cleanup.tf
@@ -4,9 +4,17 @@
 # it's per-user runtime state inside the Forgejo DB. Driving retention from
 # a CronJob hitting the public API keeps the policy versioned in this repo.
 #
-# Auth: a write:package PAT belonging to ci-pusher (same user that pushes
-# from CI). DELETE on packages requires write:package scope. PAT lives in
-# Vault at secret/viktor/forgejo_cleanup_token.
+# Auth: a write:package PAT belonging to VIKTOR (the package OWNER). PAT
+# lives in Vault at secret/viktor/forgejo_cleanup_token.
+#
+# CORRECTION 2026-06-09: this previously said the PAT belonged to ci-pusher.
+# That was wrong and silently broke retention — Forgejo container packages
+# are scoped per-user, so ci-pusher gets HTTP 403 on DELETE of viktor/*
+# (the dry-run only does GETs, which DO work, so the 403 stayed hidden until
+# the first live run). DELETE requires a write:package PAT owned by viktor.
+# forgejo_cleanup_token is therefore set to viktor's write:package PAT (today
+# the same value as secret/ci/global/forgejo_push_token). IF that push token
+# is ever regenerated, re-mirror it here or retention silently 403s again.
 
 data "vault_kv_secret_v2" "forgejo_viktor" {
   mount = "secret"
@@ -14,7 +22,21 @@ data "vault_kv_secret_v2" "forgejo_viktor" {
 }
 
 locals {
-  # Flip to false after first 7 days of dry-run logs look correct.
+  # REVERTED TO DRY-RUN 2026-06-10: the first live runs ORPHANED OCI indexes.
+  # The keep-set is computed over package VERSIONS (newest 10 + tag "latest"
+  # + *cache* tags), but multi-arch/attestation index CHILDREN are separate
+  # UNTAGGED sha256 versions — for images not rebuilt recently they fall
+  # outside the newest-10 window and get deleted while their parent index is
+  # kept. Result: index children 404 (viktor/kms-website :latest + :dfc83fb,
+  # caught by forgejo-integrity-probe / RegistryManifestIntegrityFailure,
+  # 2026-06-10). Do NOT re-enable until the script either (a) resolves each
+  # kept index's child digests via the registry API and adds them to the
+  # keep set, or (b) skips untagged sha256 versions entirely, or (c) is
+  # replaced by Forgejo's native per-owner package cleanup rules (container-
+  # aware). The 2026-06-09 "0 running images on the delete set" verification
+  # checked running PODS, not index child references — insufficient.
+  # History: activated 2026-06-09 (would prune 317 stale versions); registry
+  # PVC pressure concern remains (HDD, no SSD move — see beads code-oflt).
   forgejo_cleanup_dry_run = true
 }
 
diff --git a/stacks/forgejo/email-secret.tf b/stacks/forgejo/email-secret.tf
new file mode 100644
index 00000000..034d45f2
--- /dev/null
+++ b/stacks/forgejo/email-secret.tf
@@ -0,0 +1,40 @@
+# SMTP password for Forgejo's open-signup email-confirmation + notification
+# mail (main.tf: FORGEJO__service__REGISTER_EMAIL_CONFIRM + [mailer]). Synced
+# from Vault secret/authentik -> smtp_password into the forgejo namespace as the
+# `forgejo-email` Secret (key PASSWD), referenced by FORGEJO__mailer__PASSWD.
+# Reuses the same noreply@viktorbarzin.me mailserver SASL account Authentik uses
+# (stacks/authentik/email-secret.tf) — one credential, one rotation point. The
+# reloader annotation rolls the Forgejo pod if the password is ever rotated.
+resource "kubernetes_manifest" "forgejo_email_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "forgejo-email"
+      namespace = "forgejo"
+    }
+    spec = {
+      refreshInterval = "1h"
+      secretStoreRef = {
+        name = "vault-kv"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "forgejo-email"
+        template = {
+          metadata = {
+            annotations = {
+              "reloader.stakater.com/match" = "true"
+            }
+          }
+        }
+      }
+      data = [
+        {
+          secretKey = "PASSWD"
+          remoteRef = { key = "authentik", property = "smtp_password" }
+        },
+      ]
+    }
+  }
+}
diff --git a/stacks/forgejo/files/cleanup.sh b/stacks/forgejo/files/cleanup.sh
index 61bb7a96..5efc6cce 100644
--- a/stacks/forgejo/files/cleanup.sh
+++ b/stacks/forgejo/files/cleanup.sh
@@ -2,8 +2,13 @@
 # Forgejo container-package retention.
 #
 # For each container package owned by ${FORGEJO_OWNER}, keep newest
-# ${KEEP_LAST_N} versions + always keep tag "latest". Deletes the rest via
+# ${KEEP_LAST_N} versions + always keep tag "latest" + always keep any
+# buildkit cache tag (matches "cache", e.g. tripit:cache — these back
+# --cache-from/--cache-to and must survive retention or every build is a
+# cold rebuild). Deletes the rest via
 # DELETE /api/v1/packages/{owner}/container/{name}/{version}.
+# (Note: an 8-char SHA tag is pure hex and cannot contain "cache" — 'h' is
+#  not a hex digit — so the cache match never catches a real image tag.)
 #
 # DRY_RUN=true logs what would be deleted but issues no DELETE calls.
 #
@@ -72,9 +77,11 @@ for NAME in $NAMES; do
   N_VERSIONS=$(jq 'length' "$TMPDIR/$NAME.json")
   echo "[$NAME] $N_VERSIONS version(s)"
 
-  # Build the keep set: top $KEEP + anything tagged 'latest'.
+  # Build the keep set: top $KEEP + always 'latest' + any buildkit cache tag.
   jq -r --argjson keep "$KEEP" '
-    [.[0:$keep][].version] + [.[] | select(.version == "latest") | .version]
+    [.[0:$keep][].version]
+    + [.[] | select(.version == "latest") | .version]
+    + [.[] | select(.version | test("cache"; "i")) | .version]
     | unique
     | .[]
   ' "$TMPDIR/$NAME.json" > "$TMPDIR/$NAME.keep"
diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf
index 2778f555..c43a3af1 100644
--- a/stacks/forgejo/main.tf
+++ b/stacks/forgejo/main.tf
@@ -9,8 +9,14 @@ resource "kubernetes_namespace" "forgejo" {
     name = "forgejo"
     labels = {
       "istio-injection" : "disabled"
-      tier = local.tiers.edge
+      tier               = local.tiers.edge
       "keel.sh/enrolled" = "true"
+      # Opt out of the auto-generated tier-3-edge ResourceQuota (caps
+      # requests.memory at 4Gi). Forgejo's own pod requests 4Gi (the
+      # git + OCI-registry backbone, Guaranteed QoS), which pegged that
+      # tier quota at 100% and fired KubeQuotaAlmostFull. The
+      # forgejo-specific quota below gives headroom. Same pattern as dbaas.
+      "resource-governance/custom-quota" = "true"
     }
   }
   lifecycle {
@@ -19,6 +25,26 @@ resource "kubernetes_namespace" "forgejo" {
   }
 }
 
+# Custom ResourceQuota — replaces the tier-3-edge auto quota (opted out via the
+# resource-governance/custom-quota label above). requests.memory is 8Gi so the
+# 4Gi Forgejo pod sits at ~50% (clears KubeQuotaAlmostFull + the healthcheck
+# resourcequota check) with room for a transient migration/sidecar pod. To
+# raise Forgejo's memory limit past 4Gi later, bump requests.memory here too.
+resource "kubernetes_resource_quota" "forgejo" {
+  metadata {
+    name      = "forgejo-quota"
+    namespace = kubernetes_namespace.forgejo.metadata[0].name
+  }
+  spec {
+    hard = {
+      "requests.cpu"    = "4"
+      "requests.memory" = "8Gi"
+      "limits.memory"   = "32Gi"
+      pods              = "30"
+    }
+  }
+}
+
 module "tls_secret" {
   source          = "../../modules/kubernetes/setup_tls_secret"
   namespace       = kubernetes_namespace.forgejo.metadata[0].name
@@ -66,8 +92,16 @@ resource "kubernetes_deployment" "forgejo" {
       # from 11.0.14 → 1.18 on 2026-05-24 (same bug as memory id=1933).
       # TF owns the tag now; bump it manually here when upgrading.
       "keel.sh/policy" = "never"
+      # Roll the pod when the signup secrets (forgejo-email password from Vault,
+      # forgejo-turnstile secret) change — env vars are read at boot, not
+      # hot-reloaded. Stakater Reloader watches all referenced secrets/CMs.
+      "reloader.stakater.com/auto" = "true"
     }
   }
+  # The forgejo-email Secret is materialised by the External Secrets operator
+  # from the forgejo-email ExternalSecret (email-secret.tf); ensure the CR
+  # exists before this deployment references it on a from-scratch apply.
+  depends_on = [kubernetes_manifest.forgejo_email_secret]
   spec {
     replicas = 1
     strategy {
@@ -94,7 +128,7 @@ resource "kubernetes_deployment" "forgejo" {
           fs_group = 1000
         }
         container {
-          name  = "forgejo"
+          name = "forgejo"
           # Pinned to 11.0.14 (latest 11.x as of 2026-05-12) — was on
           # floating `:11`. On 2026-05-24T15:35:37Z Keel force-policy
           # rewrote the tag from `11.0.14 → 1.18` (Gitea-era Forgejo
@@ -116,14 +150,21 @@ resource "kubernetes_deployment" "forgejo" {
             name  = "FORGEJO__server__ROOT_URL"
             value = "https://forgejo.viktorbarzin.me"
           }
-          # Disable local registration — only allow OAuth2 (Authentik)
+          # Open self-service registration. Native local sign-up is allowed
+          # (ALLOW_ONLY_EXTERNAL_REGISTRATION=false) alongside the existing
+          # Authentik OAuth2 login. Bot abuse is gated by Cloudflare Turnstile
+          # (ENABLE_CAPTCHA below) + mandatory email confirmation
+          # (REGISTER_EMAIL_CONFIRM below). To re-close signups: set
+          # DISABLE_REGISTRATION=true, or flip ALLOW_ONLY_EXTERNAL_REGISTRATION
+          # back to "true" for OAuth-only. Runbook:
+          # docs/runbooks/forgejo-open-signups.md
           env {
             name  = "FORGEJO__service__DISABLE_REGISTRATION"
             value = "false"
           }
           env {
             name  = "FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION"
-            value = "true"
+            value = "false"
           }
           env {
             name  = "FORGEJO__openid__ENABLE_OPENID_SIGNIN"
@@ -164,17 +205,149 @@ resource "kubernetes_deployment" "forgejo" {
             name  = "FORGEJO__repository__DISABLE_DOWNLOAD_SOURCE_ARCHIVES"
             value = "true"
           }
+          # --- Mirror / git-op resilience (2026-06-19 incident). The tripit
+          # push-mirror to GitHub silently stopped: `git cat-file --batch-all-objects`
+          # over the NFS-backed repo blew the default git-op deadline (~360s) once
+          # loose objects piled up (~4500). Forgejo's git_gc_repos cron only runs
+          # `gc --auto`, whose 6700-loose threshold hadn't fired, so the repo stayed
+          # unpacked and enumeration kept slowing until the mirror aborted with
+          # "context deadline exceeded". Two-part durable fix:
+          #   1) raise git-op timeouts so a slow enumeration never aborts a
+          #      mirror/gc ([git.timeout], seconds);
+          #   2) lower gc.auto so post-push autogc + the cron keep repos PACKED —
+          #      the real fix ([git.config] gc.auto).
+          # Dotted section/key names use the _0X2E_ env-to-ini escape.
+          # (Re-applied 2026-06-19: the original commit's CI apply skipped this
+          # stack via the changed-stack-diff race, so this touch re-triggers it.)
+          env {
+            name  = "FORGEJO__git_0X2E_timeout__DEFAULT"
+            value = "3600"
+          }
+          env {
+            name  = "FORGEJO__git_0X2E_timeout__MIRROR"
+            value = "3600"
+          }
+          env {
+            name  = "FORGEJO__git_0X2E_timeout__GC"
+            value = "1800"
+          }
+          env {
+            name  = "FORGEJO__git_0X2E_config__gc_0X2E_auto"
+            value = "1000"
+          }
+          # --- Open-signup bot prevention + mailer (appended so the diff vs the
+          # pre-signup deployment stays purely additive). ---
+          # Cloudflare Turnstile captcha on the registration form (widget
+          # managed in turnstile.tf). Sitekey is public (rendered in the page);
+          # the secret is injected from the forgejo-turnstile Secret. Guards
+          # registration only — not every login (REQUIRE_CAPTCHA_FOR_LOGIN left
+          # at the default false).
+          env {
+            name  = "FORGEJO__service__ENABLE_CAPTCHA"
+            value = "true"
+          }
+          env {
+            name  = "FORGEJO__service__CAPTCHA_TYPE"
+            value = "cfturnstile"
+          }
+          env {
+            name  = "FORGEJO__service__CF_TURNSTILE_SITEKEY"
+            value = cloudflare_turnstile_widget.forgejo_signup.id
+          }
+          env {
+            name = "FORGEJO__service__CF_TURNSTILE_SECRET"
+            value_from {
+              secret_key_ref {
+                name = kubernetes_secret.forgejo_turnstile.metadata[0].name
+                key  = "cf-turnstile-secret"
+              }
+            }
+          }
+          # Mandatory email confirmation: new accounts stay inactive until the
+          # user clicks an emailed activation link (kills throwaway-email bots).
+          env {
+            name  = "FORGEJO__service__REGISTER_EMAIL_CONFIRM"
+            value = "true"
+          }
+          # Mailer: reuse the noreply@viktorbarzin.me mailserver SASL account
+          # (same as Authentik). MUST use the public host mail.viktorbarzin.me,
+          # NOT mailserver.mailserver.svc — the mailserver serves the
+          # *.viktorbarzin.me wildcard cert which does not cover the svc DNS
+          # name, so STARTTLS verification would fail. mail.viktorbarzin.me
+          # resolves in-cluster (10.0.20.1) and matches the cert. Password from
+          # the forgejo-email ESO Secret (Vault secret/authentik ->
+          # smtp_password; see email-secret.tf).
+          env {
+            name  = "FORGEJO__mailer__ENABLED"
+            value = "true"
+          }
+          env {
+            name  = "FORGEJO__mailer__PROTOCOL"
+            value = "smtp+starttls"
+          }
+          env {
+            name  = "FORGEJO__mailer__SMTP_ADDR"
+            value = "mail.viktorbarzin.me"
+          }
+          env {
+            name  = "FORGEJO__mailer__SMTP_PORT"
+            value = "587"
+          }
+          env {
+            name  = "FORGEJO__mailer__FROM"
+            value = "Forgejo <noreply@viktorbarzin.me>"
+          }
+          env {
+            name  = "FORGEJO__mailer__USER"
+            value = "noreply@viktorbarzin.me"
+          }
+          env {
+            name = "FORGEJO__mailer__PASSWD"
+            value_from {
+              secret_key_ref {
+                name = "forgejo-email"
+                key  = "PASSWD"
+              }
+            }
+          }
+          # Zero-click sign-up for GitHub (OAuth2): auto-create the local
+          # account on first login (GitHub's username claim is valid). This is a
+          # GLOBAL [oauth2_client] setting, so the Authentik OAuth2 source is kept
+          # DISABLED (login_source.is_active=0, set out-of-band — sources are
+          # DB-managed, not TF): Authentik's preferred_username is the user's email,
+          # an invalid Forgejo username that 500'd auto-create. Re-enable Authentik
+          # only after fixing its username claim. docs/runbooks/forgejo-open-signups.md
+          env {
+            name  = "FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION"
+            value = "true"
+          }
           volume_mount {
             name       = "data"
             mount_path = "/data"
           }
+          # Bumped 1Gi -> 3Gi 2026-06-09, then 3Gi -> 4Gi 2026-06-13.
+          # OOMKilled again (exit 137) at the 3Gi cap on 2026-06-13 (2
+          # restarts; briefly took the git remote + OCI registry down and
+          # spiked ingress TTFB/4xx). Steady-state ~2.2Gi but it spiked past
+          # the 3Gi cap. 4Gi is the CEILING here: the forgejo namespace
+          # tier-quota caps requests.memory at 4Gi and Guaranteed QoS means
+          # request == limit, so a pod can request at most 4Gi. A first
+          # attempt at 6Gi was REJECTED (FailedCreate: exceeded quota) and
+          # left forgejo with 0 pods until reverted -- do NOT raise memory
+          # past 4Gi without ALSO raising the tier-quota. The 6/9 OOM driver
+          # (tripit buildkit registry pushes) is gone now that the Forgejo
+          # registry was frozen + emptied 2026-06-13 (ADR-0002, ghcr), so the
+          # remaining spike is git ops / integrity-probe catalog walk / a
+          # possible leak; 4Gi should suffice. If it still OOMs, raise the
+          # tier-quota and this limit together.
+          # requests=limits (Guaranteed QoS) per the repo memory convention.
           resources {
             requests = {
               cpu    = "15m"
-              memory = "1Gi"
+              memory = "4Gi"
             }
             limits = {
-              memory = "1Gi"
+              memory = "4Gi"
             }
           }
           port {
@@ -202,7 +375,7 @@ resource "kubernetes_deployment" "forgejo" {
       metadata[0].annotations["keel.sh/match-tag"],
       metadata[0].annotations["keel.sh/trigger"],
       metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
-      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates
+      spec[0].template[0].spec[0].container[0].image,  # KEEL_IGNORE_IMAGE — Keel manages tag updates
       metadata[0].annotations["kubernetes.io/change-cause"],
       metadata[0].annotations["deployment.kubernetes.io/revision"],
       spec[0].template[0].metadata[0].annotations["keel.sh/update-time"],
diff --git a/stacks/forgejo/turnstile.tf b/stacks/forgejo/turnstile.tf
new file mode 100644
index 00000000..de98833f
--- /dev/null
+++ b/stacks/forgejo/turnstile.tf
@@ -0,0 +1,31 @@
+# Cloudflare Turnstile widget guarding the open Forgejo signup form
+# (main.tf: FORGEJO__service__ENABLE_CAPTCHA + CAPTCHA_TYPE=cfturnstile).
+# Managed here so the sitekey/secret are IaC rather than a dashboard artifact.
+# The CF Global API Key (cloudflare_provider.tf) has account-wide access, so it
+# can manage Turnstile. The widget secret is sensitive and lands in TF state
+# (Tier-1 PG, encrypted at rest) — same trust level as the API key already in
+# state. Forgejo is non-proxied, but Turnstile is a client-side JS widget served
+# from challenges.cloudflare.com, so proxy status is irrelevant.
+data "cloudflare_accounts" "main" {}
+
+resource "cloudflare_turnstile_widget" "forgejo_signup" {
+  account_id = data.cloudflare_accounts.main.accounts[0].id
+  name       = "forgejo-signup"
+  domains    = ["forgejo.viktorbarzin.me"]
+  # "managed" = Cloudflare adaptively decides whether to show an interactive
+  # challenge; lowest friction for real users, strong against bots.
+  mode = "managed"
+}
+
+# Turnstile secret -> K8s Secret consumed by the Forgejo deployment via
+# secret_key_ref (FORGEJO__service__CF_TURNSTILE_SECRET). The sitekey is public
+# and passed as a plain env value in main.tf.
+resource "kubernetes_secret" "forgejo_turnstile" {
+  metadata {
+    name      = "forgejo-turnstile"
+    namespace = kubernetes_namespace.forgejo.metadata[0].name
+  }
+  data = {
+    "cf-turnstile-secret" = cloudflare_turnstile_widget.forgejo_signup.secret
+  }
+}
diff --git a/stacks/freedify/.terraform.lock.hcl b/stacks/freedify/.terraform.lock.hcl
index 1445955c..b22b977e 100644
--- a/stacks/freedify/.terraform.lock.hcl
+++ b/stacks/freedify/.terraform.lock.hcl
@@ -41,29 +41,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/freedify/factory/main.tf b/stacks/freedify/factory/main.tf
index 172dfb1f..96b56b5f 100755
--- a/stacks/freedify/factory/main.tf
+++ b/stacks/freedify/factory/main.tf
@@ -105,8 +105,12 @@ resource "kubernetes_deployment" "freedify" {
           name = "registry-credentials"
         }
         container {
-          # Phase 3 cutover 2026-05-07 — Forgejo registry consolidation.
-          image = "forgejo.viktorbarzin.me/viktor/freedify:${var.tag}"
+          # ADR-0002 off-infra builds (2026-06-12, infra#22): GHA on the GitHub
+          # mirror pushes ghcr.io/viktorbarzin/freedify; the Woodpecker deploy
+          # pipeline rolls :sha8 via kubectl set image. Public package — no
+          # pull secret needed. The image is ignore_changes'd below so applies
+          # don't revert the deployed :sha8; this literal only seeds creates.
+          image = "ghcr.io/viktorbarzin/freedify:${var.tag}"
           name  = "freedify"
 
           port {
@@ -194,7 +198,10 @@ resource "kubernetes_deployment" "freedify" {
     }
   }
   lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config,         # KYVERNO_LIFECYCLE_V1
+      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — CI deploy pipeline sets :sha8 (ADR-0002)
+    ]
   }
 }
 
diff --git a/stacks/freedify/main.tf b/stacks/freedify/main.tf
index 4113948e..3e2cf8b4 100644
--- a/stacks/freedify/main.tf
+++ b/stacks/freedify/main.tf
@@ -4,7 +4,7 @@ variable "tls_secret_name" {
 }
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "freedify-secrets"
diff --git a/stacks/freshrss/.terraform.lock.hcl b/stacks/freshrss/.terraform.lock.hcl
index 05f8a359..5982c332 100644
--- a/stacks/freshrss/.terraform.lock.hcl
+++ b/stacks/freshrss/.terraform.lock.hcl
@@ -70,41 +70,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/freshrss/main.tf b/stacks/freshrss/main.tf
index 37393b77..31c5d20e 100644
--- a/stacks/freshrss/main.tf
+++ b/stacks/freshrss/main.tf
@@ -19,7 +19,7 @@ resource "kubernetes_namespace" "immich" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "freshrss-secrets"
diff --git a/stacks/goldmane-edge-aggregator/main.tf b/stacks/goldmane-edge-aggregator/main.tf
new file mode 100644
index 00000000..2e71885e
--- /dev/null
+++ b/stacks/goldmane-edge-aggregator/main.tf
@@ -0,0 +1,488 @@
+# =============================================================================
+# goldmane-edge-aggregator — durable who-talks-to-whom audit trail (ADR-0014 / #58)
+# =============================================================================
+# A small Go service that streams Calico Goldmane's gRPC Flows API (mTLS) and
+# upserts the unique service-to-service edge set into Postgres, plus a daily
+# Slack digest CronJob of first-seen edges. Code lives in the standalone
+# `goldmane-edge-aggregator` repo; the authoritative deploy spec is its
+# DEPLOY.md. This stack is the infra side of that spec.
+#
+# Goldmane runs as `Service goldmane:7443` (gRPC/mTLS) in calico-system, enabled
+# via the operator CR in stacks/calico/main.tf. The durable Loki path is NOT
+# the operator CRs — this service IS the durable trail.
+#
+# Structure mirrors stacks/claude-memory (the canonical Tier-1 pattern): a
+# per-service namespace, a CNPG Postgres DB + role + Vault 7-day rotation +
+# ExternalSecret -> DATABASE_URL, the Reloader annotation, and the
+# Terragrunt-generated backend.tf/providers.tf/tiers.tf layout. The novel bit is
+# minting an mTLS client cert from the Tigera CA (hashicorp/tls; see versions.tf).
+#
+# IMAGE: ghcr.io/viktorbarzin/goldmane-edge-aggregator is PRIVATE. Onboarding
+# MUST add the "goldmane-edge-aggregator" namespace to the ghcr-credentials
+# Kyverno allowlist (stacks/kyverno/modules/kyverno/ghcr-credentials.tf,
+# local.ghcr_private_namespaces) so the Kyverno-synced `ghcr-credentials` secret
+# is cloned into this namespace — otherwise the pulls 401. The imagePullSecrets
+# reference below assumes that entry exists.
+# =============================================================================
+
+variable "postgresql_host" { type = string }
+
+# Plan-time root creds for the idempotent DB-init Job (mirrors claude-memory).
+data "vault_kv_secret_v2" "secrets" {
+  mount = "secret"
+  name  = "goldmane-edge-aggregator"
+}
+
+# -----------------------------------------------------------------------------
+# 1. Namespace
+# -----------------------------------------------------------------------------
+resource "kubernetes_namespace" "goldmane_edge_aggregator" {
+  metadata {
+    name = "goldmane-edge-aggregator"
+    labels = {
+      name = "goldmane-edge-aggregator"
+      # Tier 4-aux: a small off-path consumer service, like claude-memory.
+      tier               = local.tiers.aux
+      "keel.sh/enrolled" = "true"
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
+    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
+  }
+}
+
+# -----------------------------------------------------------------------------
+# 2. Goldmane mTLS client certificate (minted from the Tigera CA)
+# -----------------------------------------------------------------------------
+# The aggregator dials goldmane:7443 over mutual TLS. We mint a client cert
+# signed by the Tigera CA (the same CA that issues Goldmane's serving cert), so
+# Goldmane requires mutual TLS on :7443 and verifies the client cert chains to
+# the Tigera CA — it does NOT authorize by client identity, so ANY Tigera-CA-
+# signed cert is accepted. Rather than copy the Tigera CA PRIVATE KEY into TF
+# state to mint our own (a needless CA-key exposure; the hashicorp/tls provider
+# is also incompatible with this repo's global generate-providers/lockfile
+# pattern), we REUSE the operator-minted, Tigera-CA-signed client cert
+# `whisker-backend-key-pair` (calico-system). We never touch the CA key.
+# Trade-off: if the operator rotates that cert, re-apply to re-sync (hardening
+# follow-up: mint an own-identity cert in-namespace if Whisker is ever removed).
+data "kubernetes_secret" "whisker_backend" {
+  metadata {
+    name      = "whisker-backend-key-pair"
+    namespace = "calico-system"
+  }
+}
+
+# The CA bundle that verifies Goldmane's serving cert. It lives ONLY in
+# calico-system (verified: ConfigMap `tigera-ca-bundle`, 2 keys present —
+# `ca-bundle.crt` AND `tigera-ca-bundle.crt`, both the trusted bundle). We read
+# it and recreate it as a ConfigMap in this namespace so the pod can mount it
+# (a ConfigMap cannot be cross-namespace-mounted).
+data "kubernetes_config_map" "tigera_ca_bundle" {
+  metadata {
+    name      = "tigera-ca-bundle"
+    namespace = "calico-system"
+  }
+}
+
+resource "kubernetes_config_map" "tigera_ca_bundle" {
+  metadata {
+    name      = "tigera-ca-bundle"
+    namespace = kubernetes_namespace.goldmane_edge_aggregator.metadata[0].name
+  }
+  # Copy the upstream bundle verbatim. We mount the `tigera-ca-bundle.crt` key
+  # at /etc/tigera-ca/tigera-ca-bundle.crt so the service's default
+  # CA_CERT_PATH (/etc/tigera-ca/tigera-ca-bundle.crt) resolves with no override.
+  data = data.kubernetes_config_map.tigera_ca_bundle.data
+}
+
+# Client cert + key for mTLS to goldmane:7443, mounted at TLS_CERT_PATH /
+# TLS_KEY_PATH defaults (/etc/goldmane-client-tls/tls.crt and .../tls.key).
+# Sourced verbatim from the operator's whisker-backend client key-pair (read
+# above) — already Tigera-CA-signed, which is all Goldmane verifies. No CA key
+# is touched and no cross-namespace CA RBAC is needed.
+resource "kubernetes_secret" "goldmane_client_tls" {
+  metadata {
+    name      = "goldmane-client-tls"
+    namespace = kubernetes_namespace.goldmane_edge_aggregator.metadata[0].name
+  }
+  type = "Opaque"
+  data = {
+    "tls.crt" = data.kubernetes_secret.whisker_backend.data["tls.crt"]
+    "tls.key" = data.kubernetes_secret.whisker_backend.data["tls.key"]
+  }
+}
+
+# -----------------------------------------------------------------------------
+# 3. Postgres: DB + role `goldmane_edges`, Vault 7-day rotation, DATABASE_URL
+# -----------------------------------------------------------------------------
+# Idempotent create of the role + DB using the CNPG root creds from Vault
+# (dbaas_root_password), exactly mirroring claude-memory's db_init Job. The
+# service creates the `edge` table itself at startup (migrations/0001_edge.sql),
+# so no migration Job is needed.
+resource "kubernetes_job" "db_init" {
+  metadata {
+    name      = "goldmane-edges-db-init"
+    namespace = kubernetes_namespace.goldmane_edge_aggregator.metadata[0].name
+  }
+  spec {
+    template {
+      metadata {}
+      spec {
+        container {
+          name  = "db-init"
+          image = "postgres:16-alpine"
+          command = [
+            "sh", "-c",
+            <<-EOT
+              set -e
+              # -d postgres: psql defaults the database name to the username;
+              # the root user has no root-named database, so be explicit.
+              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -d postgres -tc "SELECT 1 FROM pg_roles WHERE rolname='goldmane_edges'" | grep -q 1 || \
+                PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -d postgres -c "CREATE ROLE goldmane_edges WITH LOGIN PASSWORD '${data.vault_kv_secret_v2.secrets.data["db_password"]}'"
+              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -d postgres -tc "SELECT 1 FROM pg_database WHERE datname='goldmane_edges'" | grep -q 1 || \
+                PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -d postgres -c "CREATE DATABASE goldmane_edges OWNER goldmane_edges"
+              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -d postgres -c "GRANT ALL PRIVILEGES ON DATABASE goldmane_edges TO goldmane_edges"
+              echo "Database init complete"
+            EOT
+          ]
+        }
+        restart_policy = "Never"
+      }
+    }
+    backoff_limit = 3
+  }
+  wait_for_completion = true
+  timeouts {
+    create = "2m"
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: Kyverno injects dns_config (ndots=2); ignore it so
+    # this idempotent Job isn't replaced (Jobs are immutable) on every apply.
+    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+  }
+}
+
+# ExternalSecret projecting the Vault-rotated (7-day) credential into a K8s
+# Secret as DATABASE_URL. The Vault DB static role `pg-goldmane-edges` and its
+# place in the CNPG connection allowlist are added in stacks/vault/main.tf
+# (see this stack's terragrunt.hcl note). remoteRef key: static-creds/pg-goldmane-edges.
+resource "kubernetes_manifest" "db_external_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "goldmane-edges-db-creds"
+      namespace = kubernetes_namespace.goldmane_edge_aggregator.metadata[0].name
+    }
+    spec = {
+      refreshInterval = "15m"
+      secretStoreRef = {
+        name = "vault-database"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "goldmane-edges-db-creds"
+        template = {
+          data = {
+            DATABASE_URL = "postgresql://goldmane_edges:{{ .password }}@${var.postgresql_host}:5432/goldmane_edges"
+          }
+        }
+      }
+      data = [{
+        secretKey = "password"
+        remoteRef = {
+          key      = "static-creds/pg-goldmane-edges"
+          property = "password"
+        }
+      }]
+    }
+  }
+  depends_on = [kubernetes_namespace.goldmane_edge_aggregator]
+}
+
+# -----------------------------------------------------------------------------
+# 4. Slack webhook (reuse the alert-digest incoming webhook)
+# -----------------------------------------------------------------------------
+# The monitoring alert-digest CronJob posts with the Slack incoming webhook at
+# Vault secret/monitoring -> key `alertmanager_slack_api_url`
+# (stacks/monitoring/modules/monitoring/alert_digest.tf). Project that same URL
+# into this namespace as SLACK_WEBHOOK_URL via an ExternalSecret (no new
+# webhook). The digest CronJob defaults to #security.
+resource "kubernetes_manifest" "slack_external_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "goldmane-edges-slack"
+      namespace = kubernetes_namespace.goldmane_edge_aggregator.metadata[0].name
+    }
+    spec = {
+      refreshInterval = "1h"
+      secretStoreRef = {
+        name = "vault-kv"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "goldmane-edges-slack"
+      }
+      data = [{
+        secretKey = "SLACK_WEBHOOK_URL"
+        remoteRef = {
+          key      = "viktor"
+          property = "alertmanager_slack_api_url"
+        }
+      }]
+    }
+  }
+  depends_on = [kubernetes_namespace.goldmane_edge_aggregator]
+}
+
+# -----------------------------------------------------------------------------
+# 5. aggregate — Deployment (long-running gRPC stream -> Postgres upserts)
+# -----------------------------------------------------------------------------
+resource "kubernetes_deployment" "aggregate" {
+  depends_on = [
+    kubernetes_job.db_init,
+    kubernetes_manifest.db_external_secret,
+  ]
+  metadata {
+    name      = "goldmane-edge-aggregator"
+    namespace = kubernetes_namespace.goldmane_edge_aggregator.metadata[0].name
+    labels = {
+      app  = "goldmane-edge-aggregator"
+      tier = local.tiers.aux
+    }
+    annotations = {
+      # Credential is env-injected and read only at startup; the 7-day rotation
+      # must bounce the pod or it keeps the stale password and silently fails
+      # DB auth (infra CLAUDE.md Reloader rule).
+      "secret.reloader.stakater.com/reload" = "goldmane-edges-db-creds"
+    }
+  }
+  spec {
+    # 1 replica: the edge set is a global upsert keyed on (src_ns, dst_ns,
+    # action); a second replica only doubles writes for no benefit (Goldmane
+    # streams per-flow). Stateless (no PVC) so RollingUpdate is fine.
+    replicas = 1
+    selector {
+      match_labels = {
+        app = "goldmane-edge-aggregator"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "goldmane-edge-aggregator"
+        }
+      }
+      spec {
+        # PRIVATE ghcr image — cloned into this namespace by the Kyverno
+        # sync-ghcr-credentials allowlist policy (add this ns to that list).
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
+        container {
+          name = "aggregate"
+          # CI (GHA -> ghcr) overwrites this to :<sha8> via `kubectl set image`;
+          # the image tag is in ignore_changes below so the SHA sticks across
+          # `terragrunt apply` (fleet image-pin convention). Placeholder :latest
+          # until the deploy pipeline runs.
+          image = "ghcr.io/viktorbarzin/goldmane-edge-aggregator:latest"
+          args  = ["aggregate"]
+
+          # Goldmane mTLS. GOLDMANE_HOST default host sans port =>
+          # ServerName "goldmane.calico-system.svc.cluster.local", which is a SAN
+          # on the live Goldmane serving cert (verified 2026-06-24:
+          # DNS:goldmane{,.calico-system{,.svc{,.cluster.local}}}). So no
+          # GOLDMANE_SERVER_NAME override and no GOLDMANE_TLS_INSECURE needed.
+          env {
+            name  = "GOLDMANE_HOST"
+            value = "goldmane.calico-system.svc.cluster.local:7443"
+          }
+          # TLS_CERT_PATH / TLS_KEY_PATH / CA_CERT_PATH are left at their image
+          # defaults (/etc/goldmane-client-tls/tls.{crt,key} and
+          # /etc/tigera-ca/tigera-ca-bundle.crt) — the mounts below match them.
+
+          env {
+            name = "DATABASE_URL"
+            value_from {
+              secret_key_ref {
+                name = "goldmane-edges-db-creds"
+                key  = "DATABASE_URL"
+              }
+            }
+          }
+
+          volume_mount {
+            name       = "goldmane-client-tls"
+            mount_path = "/etc/goldmane-client-tls"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "tigera-ca"
+            mount_path = "/etc/tigera-ca"
+            read_only  = true
+          }
+
+          resources {
+            # Idles low: a single gRPC stream + periodic upserts. requests=limits
+            # per the repo memory rule; no CPU limit (CFS throttling). Right-size
+            # later with krr.
+            requests = {
+              cpu    = "10m"
+              memory = "64Mi"
+            }
+            limits = {
+              memory = "64Mi"
+            }
+          }
+        }
+
+        volume {
+          name = "goldmane-client-tls"
+          secret {
+            secret_name = kubernetes_secret.goldmane_client_tls.metadata[0].name
+          }
+        }
+        volume {
+          name = "tigera-ca"
+          config_map {
+            name = kubernetes_config_map.tigera_ca_bundle.metadata[0].name
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [
+      # CI pipeline owns the image tag (kubectl set image from GHA/Woodpecker).
+      spec[0].template[0].spec[0].container[0].image,
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      metadata[0].annotations["keel.sh/match-tag"],
+      metadata[0].annotations["kubernetes.io/change-cause"],
+      metadata[0].annotations["deployment.kubernetes.io/revision"],
+      spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
+    ]
+  }
+}
+
+# -----------------------------------------------------------------------------
+# 6. digest — daily CronJob (first-seen edges -> Slack)
+# -----------------------------------------------------------------------------
+resource "kubernetes_cron_job_v1" "digest" {
+  depends_on = [
+    kubernetes_job.db_init,
+    kubernetes_manifest.db_external_secret,
+    kubernetes_manifest.slack_external_secret,
+  ]
+  metadata {
+    name      = "goldmane-edges-digest"
+    namespace = kubernetes_namespace.goldmane_edge_aggregator.metadata[0].name
+    labels = {
+      app  = "goldmane-edge-aggregator"
+      tier = local.tiers.aux
+    }
+  }
+  spec {
+    # Daily 08:00 Europe/London — aligns with the alert-digest cadence.
+    schedule                      = "0 8 * * *"
+    timezone                      = "Europe/London"
+    concurrency_policy            = "Forbid"
+    successful_jobs_history_limit = 3
+    failed_jobs_history_limit     = 3
+    starting_deadline_seconds     = 600
+
+    job_template {
+      metadata {
+        labels = {
+          app = "goldmane-edge-aggregator"
+        }
+        annotations = {
+          # 7-day DB rotation: bounce the Job pod's stale env (Reloader rule).
+          "secret.reloader.stakater.com/reload" = "goldmane-edges-db-creds"
+        }
+      }
+      spec {
+        backoff_limit              = 2
+        active_deadline_seconds    = 300
+        ttl_seconds_after_finished = 86400
+
+        template {
+          metadata {
+            labels = {
+              app = "goldmane-edge-aggregator"
+            }
+          }
+          spec {
+            restart_policy = "OnFailure"
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
+            container {
+              name = "digest"
+              # CronJobs track :latest + imagePullPolicy: Always (fleet
+              # convention) so the daily run picks up the current image.
+              image             = "ghcr.io/viktorbarzin/goldmane-edge-aggregator:latest"
+              image_pull_policy = "Always"
+              args              = ["digest"]
+
+              env {
+                name = "DATABASE_URL"
+                value_from {
+                  secret_key_ref {
+                    name = "goldmane-edges-db-creds"
+                    key  = "DATABASE_URL"
+                  }
+                }
+              }
+              env {
+                name = "SLACK_WEBHOOK_URL"
+                value_from {
+                  secret_key_ref {
+                    name = "goldmane-edges-slack"
+                    key  = "SLACK_WEBHOOK_URL"
+                  }
+                }
+              }
+              env {
+                name  = "SLACK_CHANNEL"
+                value = "#security"
+              }
+
+              resources {
+                requests = {
+                  cpu    = "10m"
+                  memory = "64Mi"
+                }
+                limits = {
+                  memory = "64Mi"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1 (CronJob path): Kyverno mutates dns_config with ndots=2.
+    ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config]
+  }
+}
+
+# -----------------------------------------------------------------------------
+# 7. Egress (default-deny consideration)
+# -----------------------------------------------------------------------------
+# Goldmane's own NetworkPolicy already allows INGRESS on 7443 from anywhere, so
+# nothing is needed on the Goldmane side. No egress policy is declared here:
+# this namespace is default-allow egress today. IF/WHEN it is brought under the
+# wave-1 default-deny egress enforcement (per-namespace allowlists), add
+# (Global)NetworkPolicy egress rules permitting:
+#   - goldmane.calico-system.svc.cluster.local:7443 (the flow stream)
+#   - pg-cluster-rw.dbaas.svc.cluster.local:5432    (Postgres)
+#   - hooks.slack.com:443                            (digest -> Slack, internet)
+#   - kube-dns / CoreDNS :53                         (DNS, every namespace)
diff --git a/stacks/goldmane-edge-aggregator/terragrunt.hcl b/stacks/goldmane-edge-aggregator/terragrunt.hcl
new file mode 100644
index 00000000..a1889d9e
--- /dev/null
+++ b/stacks/goldmane-edge-aggregator/terragrunt.hcl
@@ -0,0 +1,24 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+# Tier-1 stack (PG state backend). The root terragrunt.hcl generates backend.tf
+# (pg backend, schema_name = "goldmane-edge-aggregator"), providers.tf,
+# cloudflare_provider.tf and tiers.tf automatically — do NOT hand-write those.
+# This stack adds the hashicorp/tls provider via a local versions.tf (merged
+# into the generated required_providers).
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
+
+dependency "vault" {
+  config_path  = "../vault"
+  skip_outputs = true
+}
+
+# The Vault DB static role pg-goldmane-edges (7-day rotation) and the CNPG
+# connection allowlist entry live in the vault stack (stacks/vault/main.tf).
+# The vault dependency above orders this stack after it so the ExternalSecret
+# can materialize the rotated credential on first apply.
diff --git a/stacks/grampsweb/.terraform.lock.hcl b/stacks/grampsweb/.terraform.lock.hcl
index 7959dc66..16af0cd7 100644
--- a/stacks/grampsweb/.terraform.lock.hcl
+++ b/stacks/grampsweb/.terraform.lock.hcl
@@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
+  hashes = [
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
 provider "registry.terraform.io/goauthentik/authentik" {
   version     = "2024.12.1"
   constraints = "~> 2024.10"
@@ -33,49 +41,23 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version = "3.8.1"
+  version = "3.9.0"
   hashes = [
-    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
-    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
-    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
-    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
-    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
-    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
-    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
-    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
-    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
-    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
-    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
-    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+    "h1:UlBuNVuCGJ39tTv2c5gz2NRZnQbXfbIWbTzWcth5o74=",
   ]
 }
 
@@ -99,3 +81,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/grampsweb/main.tf b/stacks/grampsweb/main.tf
index 8d8a059d..2d434ec7 100644
--- a/stacks/grampsweb/main.tf
+++ b/stacks/grampsweb/main.tf
@@ -6,7 +6,7 @@ variable "nfs_server" { type = string }
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "grampsweb-secrets"
diff --git a/stacks/hackmd/.terraform.lock.hcl b/stacks/hackmd/.terraform.lock.hcl
index a1ca7484..b22b977e 100644
--- a/stacks/hackmd/.terraform.lock.hcl
+++ b/stacks/hackmd/.terraform.lock.hcl
@@ -24,30 +24,33 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.2.0"
+  hashes = [
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -71,3 +74,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/hackmd/main.tf b/stacks/hackmd/main.tf
index 3dd913b7..bbe6db40 100644
--- a/stacks/hackmd/main.tf
+++ b/stacks/hackmd/main.tf
@@ -209,7 +209,7 @@ module "ingress" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "hackmd-secrets"
diff --git a/stacks/health/.terraform.lock.hcl b/stacks/health/.terraform.lock.hcl
index a1ca7484..b22b977e 100644
--- a/stacks/health/.terraform.lock.hcl
+++ b/stacks/health/.terraform.lock.hcl
@@ -24,30 +24,33 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.2.0"
+  hashes = [
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -71,3 +74,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/health/main.tf b/stacks/health/main.tf
index 979b2dd0..36fd17d6 100644
--- a/stacks/health/main.tf
+++ b/stacks/health/main.tf
@@ -9,7 +9,7 @@ resource "kubernetes_namespace" "health" {
   metadata {
     name = "health"
     labels = {
-      tier = local.tiers.aux
+      tier               = local.tiers.aux
       "keel.sh/enrolled" = "true"
     }
   }
@@ -128,6 +128,15 @@ resource "kubernetes_deployment" "health" {
             name  = "COOKIE_SECURE"
             value = "true"
           }
+          env {
+            # ADR-0008 (health repo): identity for the internal LAN test host.
+            # Only reached when no X-authentik-email header is present — i.e. via
+            # the auth="none" test ingress below. The public host's forward-auth
+            # fails closed, so requests arriving there always carry the real
+            # header and never fall back to this value.
+            name  = "DEV_AUTH_EMAIL"
+            value = "vbarzin@gmail.com"
+          }
 
           volume_mount {
             name       = "uploads"
@@ -197,6 +206,15 @@ module "ingress" {
   name            = "health"
   tls_secret_name = var.tls_secret_name
   max_body_size   = "100m"
+  # The redesigned SPA bursts well past the default 10/50 limiter on each page
+  # load (shell + fonts + a 5-8 call API burst). Swap the shared limiter for a
+  # health-specific one (100/1000), mirroring tripit/immich/actualbudget.
+  # The ref MUST carry the middleware's namespace prefix: the CRD lives in the
+  # `traefik` ns, so it's `traefik-health-rate-limit@kubernetescrd` (same form as
+  # traefik-tripit-rate-limit). Without the prefix Traefik can't resolve it and
+  # 404s the whole router.
+  skip_default_rate_limit = true
+  extra_middlewares       = ["traefik-health-rate-limit@kubernetescrd"]
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "Health"
@@ -207,9 +225,33 @@ module "ingress" {
   }
 }
 
+# https://health-test.viktorbarzin.lan — internal LAN-only test host for
+# automated/E2E testing + manual screenshots without the Authentik SSO dance
+# (ADR-0008). Same `health` deployment; acts as DEV_AUTH_EMAIL=vbarzin@gmail.com.
+module "ingress_test" {
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": LAN-only (allow_local_access_only) test host — no public
+  # exposure; the public health.viktorbarzin.me ingress above stays
+  # auth="required". No user data gate here by design — it serves the real app
+  # as DEV_AUTH_EMAIL since no X-authentik-email is injected (ADR-0008).
+  auth                    = "none"
+  namespace               = kubernetes_namespace.health.metadata[0].name
+  name                    = "health-test"
+  root_domain             = "viktorbarzin.lan"
+  service_name            = kubernetes_service.health.metadata[0].name
+  tls_secret_name         = var.tls_secret_name
+  allow_local_access_only = true
+  ssl_redirect            = false
+  max_body_size           = "100m"
+  anti_ai_scraping        = false
+  extra_annotations = {
+    "gethomepage.dev/enabled" = "false"
+  }
+}
+
 resource "kubernetes_manifest" "external_secret_db" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "health-db-secrets"
@@ -243,7 +285,7 @@ resource "kubernetes_manifest" "external_secret_db" {
 
 resource "kubernetes_manifest" "external_secret_kv" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "health-kv-secrets"
diff --git a/stacks/hermes-agent/main.tf b/stacks/hermes-agent/main.tf
index dced38c4..1293d7a5 100644
--- a/stacks/hermes-agent/main.tf
+++ b/stacks/hermes-agent/main.tf
@@ -38,7 +38,7 @@ module "tls_secret" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "hermes-agent-secrets"
diff --git a/stacks/immich/.terraform.lock.hcl b/stacks/immich/.terraform.lock.hcl
index 60a2173c..7acb241a 100644
--- a/stacks/immich/.terraform.lock.hcl
+++ b/stacks/immich/.terraform.lock.hcl
@@ -70,40 +70,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.2"
+  version = "3.2.0"
   hashes = [
-    "h1:lIuknMfM7+QTzPWs8VBocstZF0B3TpEMIj/bw+dLAOs=",
-    "zh:1086b24b20d94afc331eb38c52b70848899fd0efaed46d9f4646180b96e9dffd",
-    "zh:28bebd04f8d0c44291dc961597c89de5be1e62153191b8b466dbbfb254c696aa",
-    "zh:49a7dd287c2c80621ba0c25834b1afac88c45d47ad3a24cd0aed634d78b1bbd4",
-    "zh:574e146b128be51cd4d9ee66cb8352eac82c7e3be2dbf53a51516ca701bb8b7c",
-    "zh:68285c8987affaa635c9590a0cefe238ba277e12532b64cb2d7ffec570ade064",
-    "zh:6ce12b5eb8f1d9aa61c4d336905e0186f9ea82c8767169533be5b206e4bd33f4",
-    "zh:83b7743951c989732f191cb429549296bca6faecffed492094bef92bec5c9dcb",
-    "zh:84fe2d11907b4e9d0c536d8b50bb63ad4056f60a73c4b734d5de7435784e53a7",
-    "zh:c8a25498bfbde4916f178d6880d9ee56ed9ceb88bef4842cd47360faadbb3dfb",
-    "zh:dfad553c09b36a7df68c3622c78b835669e69aaf954735802e85375a8df01dff",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:fd6f36da732f442e421d2b90ed3925a1c9ad0992c380a61fe7681d90b34aa5f3",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/immich/frame.tf b/stacks/immich/frame.tf
index ab375aa4..c86a47eb 100644
--- a/stacks/immich/frame.tf
+++ b/stacks/immich/frame.tf
@@ -17,15 +17,20 @@ resource "kubernetes_config_map" "mailserver_config" {
     "Settings.yml" = <<-EOF
     General:
         Layout: single
-        Interval: 10
-        ImageZoom: false
+        Interval: 30
+        ImageZoom: true
         ShowAlbumName: false
         ShowProgressBar: false
+        ClockFormat: "HH:mm"
+        PhotoDateFormat: "dd/MM/yyyy"
+        WeatherApiKey: ${data.vault_kv_secret_v2.secrets.data["frame_weather_api_key"]}
+        UnitSystem: metric
+        WeatherLatLong: "51.5074,-0.1278"
+        Language: en
     Accounts:
         - ImmichServerUrl: http://immich.viktorbarzin.me
           ApiKey: ${data.vault_kv_secret_v2.secrets.data["frame_api_key"]}
-          Albums: 
-            - 1aa98849-bbd5-452b-aac0-310b210a8597 # china
+          ImagesFromDays: 730
     EOF
   }
 }
diff --git a/stacks/immich/main.tf b/stacks/immich/main.tf
index 8ee67b11..3009be5e 100644
--- a/stacks/immich/main.tf
+++ b/stacks/immich/main.tf
@@ -124,19 +124,6 @@ module "nfs_ml_cache_host" {
   nfs_path   = "/srv/nfs-ssd/immich/machine-learning"
 }
 
-# Read-only source for one-shot bulk imports into individual users' accounts
-# (currently: Anca's WD Elements dump, mirrored to /srv/nfs/anca-elements from
-# her Synology). Consumed only by the import Job below — NOT mounted into the
-# immich-server Deployment. PVC stays after the Job is removed so videos can
-# follow in batch 2.
-module "nfs_anca_elements_host" {
-  source     = "../../modules/kubernetes/nfs_volume"
-  name       = "immich-anca-elements-host"
-  namespace  = kubernetes_namespace.immich.metadata[0].name
-  nfs_server = var.proxmox_host
-  nfs_path   = "/srv/nfs/anca-elements"
-}
-
 resource "kubernetes_namespace" "immich" {
   metadata {
     name = "immich"
@@ -176,7 +163,7 @@ resource "kubernetes_resource_quota" "immich" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "immich-secrets"
@@ -1178,123 +1165,6 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" {
   }
 }
 
-# One-shot bulk import of Anca's Synology Elements photo archive into her
-# Immich account. Reads /srv/nfs/anca-elements via the RO PVC above and posts
-# assets to immich-server in-cluster (bypasses ingress + CrowdSec entirely).
-#
-# Auth: Anca's personal Immich API key. Add to Vault `secret/immich` under key
-# `anca_api_key`, then force-refresh the existing `immich-secrets` ExternalSecret:
-#   kubectl annotate externalsecret immich-secrets -n immich \
-#     force-sync=$(date +%s) --overwrite
-#
-# After successful completion: REMOVE this resource block + apply again. The
-# PVC stays for a videos batch later. Filters target a photo-only subset of
-# the dump (videos / installers / docs / courses banned); EXIF is preserved
-# end-to-end since immich-go uploads originals byte-for-byte.
-resource "kubernetes_job_v1" "anca_elements_import" {
-  metadata {
-    name      = "anca-elements-import"
-    namespace = kubernetes_namespace.immich.metadata[0].name
-    labels = {
-      app  = "anca-elements-import"
-      tier = local.tiers.gpu
-    }
-  }
-
-  # Don't block `terragrunt apply` on the multi-hour upload — TF returns once
-  # the Job is created; monitor via `kubectl logs -n immich -f job/...`.
-  wait_for_completion = false
-
-  spec {
-    backoff_limit              = 20
-    ttl_seconds_after_finished = 604800
-    template {
-      metadata {
-        labels = {
-          app = "anca-elements-import"
-        }
-      }
-      spec {
-        restart_policy = "OnFailure"
-        container {
-          name  = "immich-go"
-          image = "alpine:3.20"
-          command = [
-            "/bin/sh",
-            "-c",
-            <<-EOT
-              set -eu
-              apk add --no-cache curl tar ca-certificates >/dev/null
-
-              IMMICH_GO_VERSION="v0.31.0"
-              cd /tmp
-              echo "Downloading immich-go $${IMMICH_GO_VERSION}…"
-              curl -sL "https://github.com/simulot/immich-go/releases/download/$${IMMICH_GO_VERSION}/immich-go_Linux_x86_64.tar.gz" \
-                | tar -xz
-              chmod +x ./immich-go
-
-              echo "Starting upload from /data → http://immich-server.immich.svc.cluster.local:2283 …"
-              exec ./immich-go upload from-folder /data \
-                --server http://immich-server.immich.svc.cluster.local:2283 \
-                --api-key "$${IMMICH_API_KEY}" \
-                --include-extensions .jpg,.jpeg,.png,.heic,.heif,.gif,.tif,.tiff,.webp,.nef,.cr2,.dng,.raw \
-                --into-album "Poze (Elements)" \
-                --ban-file "filme/" --ban-file "Music/" --ban-file "carti/" \
-                --ban-file "cursuri/" --ban-file "Adobe.*/" \
-                --ban-file "Fullstack Web Development*/" \
-                --ban-file "Contracte and CV/" --ban-file "Cv/" \
-                --ban-file "docum/" --ban-file "finance/" \
-                --ban-file "download/" --ban-file "kit/" \
-                --ban-file "csp/" --ban-file "KOREAN/" \
-                --ban-file "System Volume Information/" \
-                --pause-immich-jobs=false \
-                --concurrent-tasks 20 \
-                --client-timeout 1h \
-                --no-ui \
-                --on-errors continue
-            EOT
-          ]
-          env {
-            name = "IMMICH_API_KEY"
-            value_from {
-              secret_key_ref {
-                name = "immich-secrets"
-                key  = "anca_api_key"
-              }
-            }
-          }
-          volume_mount {
-            name       = "anca-elements"
-            mount_path = "/data"
-            read_only  = true
-          }
-          resources {
-            requests = {
-              cpu    = "500m"
-              memory = "1Gi"
-            }
-            limits = {
-              memory = "1Gi"
-            }
-          }
-        }
-        volume {
-          name = "anca-elements"
-          persistent_volume_claim {
-            claim_name = module.nfs_anca_elements_host.claim_name
-            read_only  = true
-          }
-        }
-      }
-    }
-  }
-  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
-  }
-  depends_on = [kubernetes_manifest.external_secret]
-}
-
 # POWER TOOLS
 
 # resource "kubernetes_deployment" "powertools" {
diff --git a/stacks/insta2spotify/main.tf b/stacks/insta2spotify/main.tf
index 39edac87..9770afd3 100644
--- a/stacks/insta2spotify/main.tf
+++ b/stacks/insta2spotify/main.tf
@@ -21,7 +21,7 @@ resource "kubernetes_namespace" "insta2spotify" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "insta2spotify-secrets"
diff --git a/stacks/instagram-poster/modules/instagram-poster/main.tf b/stacks/instagram-poster/modules/instagram-poster/main.tf
index 343bbfba..7dc3f846 100644
--- a/stacks/instagram-poster/modules/instagram-poster/main.tf
+++ b/stacks/instagram-poster/modules/instagram-poster/main.tf
@@ -1,9 +1,12 @@
 locals {
   namespace = "instagram-poster"
-  # Forgejo registry consolidation (2026-05-07): all custom service images
-  # live under forgejo.viktorbarzin.me/viktor/<name>. The old 10.0.20.10
-  # private registry was decommissioned the same day.
-  image = "forgejo.viktorbarzin.me/viktor/instagram-poster:${var.image_tag}"
+  # Off-infra CI (ADR-0002, issue #23): GHA builds on the GitHub mirror and
+  # pushes ghcr.io/viktorbarzin/instagram-poster (private — pulls need the
+  # ghcr-credentials Secret cloned in by the kyverno sync-ghcr-credentials
+  # ClusterPolicy). Replaces the forgejo.viktorbarzin.me/viktor base.
+  # (Applied via the 2026-06-13 re-trigger commit: the original pipeline 146
+  # was auto-killed by a concurrent master push before its apply step ran.)
+  image = "ghcr.io/viktorbarzin/instagram-poster:${var.image_tag}"
   labels = {
     app = "instagram-poster"
   }
@@ -32,8 +35,16 @@ resource "kubernetes_namespace" "instagram_poster" {
 #     - immich_tag_instagram      (optional — auto-resolved if missing)
 #     - immich_tag_posted         (optional — auto-resolved if missing)
 resource "kubernetes_manifest" "external_secret" {
+  # The external-secrets controller takes server-side-apply ownership of
+  # .spec.refreshInterval, so a plain TF apply conflicts. force_conflicts lets
+  # TF win (values match, so it's stable) — same pattern as grafana/woodpecker/
+  # traefik/k8s-version-upgrade. Surfaced 2026-06-24 by the first IG apply since
+  # the ESO v1 migration (the scale-to-0 push).
+  field_manager {
+    force_conflicts = true
+  }
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "instagram-poster-secrets"
@@ -136,8 +147,13 @@ resource "kubernetes_manifest" "external_secret" {
 # ESO refreshes the K8s Secret every 15m. `reloader.stakater.com/match`
 # bounces the pod when the password changes.
 resource "kubernetes_manifest" "benchmark_db_external_secret" {
+  # See external_secret above — ESO owns .spec.refreshInterval; force_conflicts
+  # lets the TF apply win instead of erroring on the field-manager conflict.
+  field_manager {
+    force_conflicts = true
+  }
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "instagram-poster-benchmark-db"
@@ -224,7 +240,11 @@ resource "kubernetes_deployment" "instagram_poster" {
   }
 
   spec {
-    replicas = 1
+    # Scaled to 0 (2026-06-24): Instagram Graph integration is unused and its
+    # ExternalSecret is dead (missing ig_graph_long_lived_token /
+    # ig_business_account_id in Vault secret/instagram-poster). Set back to 1
+    # after minting a Meta long-lived token and populating those keys.
+    replicas = 0
     # RWO PVC — cannot rolling-update.
     strategy {
       type = "Recreate"
@@ -244,9 +264,18 @@ resource "kubernetes_deployment" "instagram_poster" {
       }
 
       spec {
+        # registry-credentials (forgejo) kept for the transition — the live
+        # pod runs the last forgejo-built image until the first GHA→ghcr
+        # deploy lands. ghcr-credentials is cloned into this namespace by the
+        # kyverno stack's sync-ghcr-credentials ClusterPolicy (allowlisted
+        # private-ghcr namespaces only — ADR-0002). Source of truth:
+        # stacks/kyverno/modules/kyverno/ghcr-credentials.tf.
         image_pull_secrets {
           name = "registry-credentials"
         }
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
 
         # PVC mounts as root by default; pod runs as uid/gid 10001 (poster).
         # fs_group makes kubelet chown the volume to gid 10001 on mount.
diff --git a/stacks/job-hunter/cronjob.tf b/stacks/job-hunter/cronjob.tf
index 968266b5..aa7009d0 100644
--- a/stacks/job-hunter/cronjob.tf
+++ b/stacks/job-hunter/cronjob.tf
@@ -40,6 +40,11 @@ resource "kubernetes_cron_job_v1" "job_hunter_refresh" {
             image_pull_secrets {
               name = "registry-credentials"
             }
+            # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+            # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
 
             init_container {
               name              = "alembic-migrate"
@@ -147,6 +152,11 @@ resource "kubernetes_cron_job_v1" "job_hunter_alert" {
             image_pull_secrets {
               name = "registry-credentials"
             }
+            # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+            # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
             container {
               name              = "alert"
               image             = local.image
diff --git a/stacks/job-hunter/main.tf b/stacks/job-hunter/main.tf
index 8b84dfe5..a008e83c 100644
--- a/stacks/job-hunter/main.tf
+++ b/stacks/job-hunter/main.tf
@@ -9,7 +9,7 @@ variable "postgresql_host" { type = string }
 locals {
   namespace = "job-hunter"
   # Phase 3 cutover 2026-05-07 — see infra/docs/plans/2026-05-07-forgejo-registry-consolidation-plan.md.
-  image = "forgejo.viktorbarzin.me/viktor/job-hunter:${var.image_tag}"
+  image = "ghcr.io/viktorbarzin/job-hunter:${var.image_tag}"
   labels = {
     app = "job-hunter"
   }
@@ -42,7 +42,7 @@ resource "kubernetes_namespace" "job_hunter" {
 #     digest_from_address   — From: header for the digest
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "job-hunter-secrets"
@@ -106,7 +106,7 @@ resource "kubernetes_manifest" "external_secret" {
 # Template builds the asyncpg DSN consumed by the FastAPI app as DB_CONNECTION_STRING.
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "job-hunter-db-creds"
@@ -175,6 +175,11 @@ resource "kubernetes_deployment" "job_hunter" {
         image_pull_secrets {
           name = "registry-credentials"
         }
+        # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+        # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
 
         init_container {
           name    = "alembic-migrate"
@@ -321,7 +326,7 @@ resource "kubernetes_service" "job_hunter" {
 # Grafana whenever ESO updates this secret (every 7d on rotation).
 resource "kubernetes_manifest" "grafana_job_hunter_db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "grafana-job-hunter-pg-creds"
diff --git a/stacks/k8s-dashboard/.terraform.lock.hcl b/stacks/k8s-dashboard/.terraform.lock.hcl
index 6c9afb10..31e1c607 100644
--- a/stacks/k8s-dashboard/.terraform.lock.hcl
+++ b/stacks/k8s-dashboard/.terraform.lock.hcl
@@ -70,61 +70,23 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version = "3.8.1"
+  version = "3.9.0"
   hashes = [
-    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
-    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
-    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
-    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
-    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
-    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
-    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
-    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
-    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
-    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
-    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
-    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+    "h1:UlBuNVuCGJ39tTv2c5gz2NRZnQbXfbIWbTzWcth5o74=",
   ]
 }
 
diff --git a/stacks/k8s-dashboard/oauth2_proxy.tf b/stacks/k8s-dashboard/oauth2_proxy.tf
index 31e07bed..5ed73793 100644
--- a/stacks/k8s-dashboard/oauth2_proxy.tf
+++ b/stacks/k8s-dashboard/oauth2_proxy.tf
@@ -6,7 +6,7 @@
 
 resource "kubernetes_manifest" "oauth2_proxy_externalsecret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "oauth2-proxy"
diff --git a/stacks/k8s-portal/modules/k8s-portal/files/Dockerfile b/stacks/k8s-portal/modules/k8s-portal/files/Dockerfile
index aa694722..9ef4ba0c 100644
--- a/stacks/k8s-portal/modules/k8s-portal/files/Dockerfile
+++ b/stacks/k8s-portal/modules/k8s-portal/files/Dockerfile
@@ -1,7 +1,7 @@
 FROM node:22-alpine AS build
 WORKDIR /app
 COPY package*.json ./
-RUN npm ci
+RUN npm install --no-audit --no-fund
 COPY . .
 RUN npm run build
 
diff --git a/stacks/k8s-portal/modules/k8s-portal/files/package-lock.json b/stacks/k8s-portal/modules/k8s-portal/files/package-lock.json
new file mode 100644
index 00000000..474c5a3b
--- /dev/null
+++ b/stacks/k8s-portal/modules/k8s-portal/files/package-lock.json
@@ -0,0 +1,1068 @@
+{
+	"name": "files",
+	"version": "0.0.1",
+	"lockfileVersion": 3,
+	"requires": true,
+	"packages": {
+		"node_modules/@esbuild/linux-x64": {
+			"version": "0.27.3",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz",
+			"integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@jridgewell/gen-mapping": {
+			"version": "0.3.13",
+			"resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz",
+			"integrity": "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/sourcemap-codec": "^1.5.0",
+				"@jridgewell/trace-mapping": "^0.3.24"
+			}
+		},
+		"node_modules/@jridgewell/remapping": {
+			"version": "2.3.5",
+			"resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
+			"integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/gen-mapping": "^0.3.5",
+				"@jridgewell/trace-mapping": "^0.3.24"
+			}
+		},
+		"node_modules/@jridgewell/resolve-uri": {
+			"version": "3.1.2",
+			"resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
+			"integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=6.0.0"
+			}
+		},
+		"node_modules/@jridgewell/sourcemap-codec": {
+			"version": "1.5.5",
+			"resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
+			"integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/@jridgewell/trace-mapping": {
+			"version": "0.3.31",
+			"resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.31.tgz",
+			"integrity": "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/resolve-uri": "^3.1.0",
+				"@jridgewell/sourcemap-codec": "^1.4.14"
+			}
+		},
+		"node_modules/@polka/url": {
+			"version": "1.0.0-next.29",
+			"resolved": "https://registry.npmjs.org/@polka/url/-/url-1.0.0-next.29.tgz",
+			"integrity": "sha512-wwQAWhWSuHaag8c4q/KN/vCoeOJYshAIvMQwD4GpSb3OiZklFfvAgmj0VCBBImRpuF/aFgIRzllXlVX93Jevww==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/@rollup/plugin-commonjs": {
+			"version": "29.0.0",
+			"resolved": "https://registry.npmjs.org/@rollup/plugin-commonjs/-/plugin-commonjs-29.0.0.tgz",
+			"integrity": "sha512-U2YHaxR2cU/yAiwKJtJRhnyLk7cifnQw0zUpISsocBDoHDJn+HTV74ABqnwr5bEgWUwFZC9oFL6wLe21lHu5eQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@rollup/pluginutils": "^5.0.1",
+				"commondir": "^1.0.1",
+				"estree-walker": "^2.0.2",
+				"fdir": "^6.2.0",
+				"is-reference": "1.2.1",
+				"magic-string": "^0.30.3",
+				"picomatch": "^4.0.2"
+			},
+			"engines": {
+				"node": ">=16.0.0 || 14 >= 14.17"
+			},
+			"peerDependencies": {
+				"rollup": "^2.68.0||^3.0.0||^4.0.0"
+			},
+			"peerDependenciesMeta": {
+				"rollup": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/@rollup/plugin-commonjs/node_modules/is-reference": {
+			"version": "1.2.1",
+			"resolved": "https://registry.npmjs.org/is-reference/-/is-reference-1.2.1.tgz",
+			"integrity": "sha512-U82MsXXiFIrjCK4otLT+o2NA2Cd2g5MLoOVXUZjIOhLurrRxpEXzI8O0KZHr3IjLvlAH1kTPYSuqer5T9ZVBKQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@types/estree": "*"
+			}
+		},
+		"node_modules/@rollup/plugin-json": {
+			"version": "6.1.0",
+			"resolved": "https://registry.npmjs.org/@rollup/plugin-json/-/plugin-json-6.1.0.tgz",
+			"integrity": "sha512-EGI2te5ENk1coGeADSIwZ7G2Q8CJS2sF120T7jLw4xFw9n7wIOXHo+kIYRAoVpJAN+kmqZSoO3Fp4JtoNF4ReA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@rollup/pluginutils": "^5.1.0"
+			},
+			"engines": {
+				"node": ">=14.0.0"
+			},
+			"peerDependencies": {
+				"rollup": "^1.20.0||^2.0.0||^3.0.0||^4.0.0"
+			},
+			"peerDependenciesMeta": {
+				"rollup": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/@rollup/plugin-node-resolve": {
+			"version": "16.0.3",
+			"resolved": "https://registry.npmjs.org/@rollup/plugin-node-resolve/-/plugin-node-resolve-16.0.3.tgz",
+			"integrity": "sha512-lUYM3UBGuM93CnMPG1YocWu7X802BrNF3jW2zny5gQyLQgRFJhV1Sq0Zi74+dh/6NBx1DxFC4b4GXg9wUCG5Qg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@rollup/pluginutils": "^5.0.1",
+				"@types/resolve": "1.20.2",
+				"deepmerge": "^4.2.2",
+				"is-module": "^1.0.0",
+				"resolve": "^1.22.1"
+			},
+			"engines": {
+				"node": ">=14.0.0"
+			},
+			"peerDependencies": {
+				"rollup": "^2.78.0||^3.0.0||^4.0.0"
+			},
+			"peerDependenciesMeta": {
+				"rollup": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/@rollup/pluginutils": {
+			"version": "5.3.0",
+			"resolved": "https://registry.npmjs.org/@rollup/pluginutils/-/pluginutils-5.3.0.tgz",
+			"integrity": "sha512-5EdhGZtnu3V88ces7s53hhfK5KSASnJZv8Lulpc04cWO3REESroJXg73DFsOmgbU2BhwV0E20bu2IDZb3VKW4Q==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@types/estree": "^1.0.0",
+				"estree-walker": "^2.0.2",
+				"picomatch": "^4.0.2"
+			},
+			"engines": {
+				"node": ">=14.0.0"
+			},
+			"peerDependencies": {
+				"rollup": "^1.20.0||^2.0.0||^3.0.0||^4.0.0"
+			},
+			"peerDependenciesMeta": {
+				"rollup": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/@rollup/rollup-linux-x64-gnu": {
+			"version": "4.57.1",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.57.1.tgz",
+			"integrity": "sha512-ABca4ceT4N+Tv/GtotnWAeXZUZuM/9AQyCyKYyKnpk4yoA7QIAuBt6Hkgpw8kActYlew2mvckXkvx0FfoInnLg==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-x64-musl": {
+			"version": "4.57.1",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.57.1.tgz",
+			"integrity": "sha512-HFps0JeGtuOR2convgRRkHCekD7j+gdAuXM+/i6kGzQtFhlCtQkpwtNzkNj6QhCDp7DRJ7+qC/1Vg2jt5iSOFw==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@standard-schema/spec": {
+			"version": "1.1.0",
+			"resolved": "https://registry.npmjs.org/@standard-schema/spec/-/spec-1.1.0.tgz",
+			"integrity": "sha512-l2aFy5jALhniG5HgqrD6jXLi/rUWrKvqN/qJx6yoJsgKhblVd+iqqU4RCXavm/jPityDo5TCvKMnpjKnOriy0w==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/@sveltejs/acorn-typescript": {
+			"version": "1.0.9",
+			"resolved": "https://registry.npmjs.org/@sveltejs/acorn-typescript/-/acorn-typescript-1.0.9.tgz",
+			"integrity": "sha512-lVJX6qEgs/4DOcRTpo56tmKzVPtoWAaVbL4hfO7t7NVwl9AAXzQR6cihesW1BmNMPl+bK6dreu2sOKBP2Q9CIA==",
+			"dev": true,
+			"license": "MIT",
+			"peerDependencies": {
+				"acorn": "^8.9.0"
+			}
+		},
+		"node_modules/@sveltejs/adapter-auto": {
+			"version": "7.0.1",
+			"resolved": "https://registry.npmjs.org/@sveltejs/adapter-auto/-/adapter-auto-7.0.1.tgz",
+			"integrity": "sha512-dvuPm1E7M9NI/+canIQ6KKQDU2AkEefEZ2Dp7cY6uKoPq9Z/PhOXABe526UdW2mN986gjVkuSLkOYIBnS/M2LQ==",
+			"dev": true,
+			"license": "MIT",
+			"peerDependencies": {
+				"@sveltejs/kit": "^2.0.0"
+			}
+		},
+		"node_modules/@sveltejs/adapter-node": {
+			"version": "5.5.3",
+			"resolved": "https://registry.npmjs.org/@sveltejs/adapter-node/-/adapter-node-5.5.3.tgz",
+			"integrity": "sha512-yeWbKXBL9vqDb/7R8ebvRHeuBHN4cRYYBSquNJSMQtS6rIYkXxsVSveaMTUaLvHYQsb1zNa+nH2iLTOMawBohA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@rollup/plugin-commonjs": "^29.0.0",
+				"@rollup/plugin-json": "^6.1.0",
+				"@rollup/plugin-node-resolve": "^16.0.0",
+				"rollup": "^4.9.5"
+			},
+			"peerDependencies": {
+				"@sveltejs/kit": "^2.4.0"
+			}
+		},
+		"node_modules/@sveltejs/kit": {
+			"version": "2.52.0",
+			"resolved": "https://registry.npmjs.org/@sveltejs/kit/-/kit-2.52.0.tgz",
+			"integrity": "sha512-zG+HmJuSF7eC0e7xt2htlOcEMAdEtlVdb7+gAr+ef08EhtwUsjLxcAwBgUCJY3/5p08OVOxVZti91WfXeuLvsg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@standard-schema/spec": "^1.0.0",
+				"@sveltejs/acorn-typescript": "^1.0.5",
+				"@types/cookie": "^0.6.0",
+				"acorn": "^8.14.1",
+				"cookie": "^0.6.0",
+				"devalue": "^5.6.2",
+				"esm-env": "^1.2.2",
+				"kleur": "^4.1.5",
+				"magic-string": "^0.30.5",
+				"mrmime": "^2.0.0",
+				"sade": "^1.8.1",
+				"set-cookie-parser": "^3.0.0",
+				"sirv": "^3.0.0"
+			},
+			"bin": {
+				"svelte-kit": "svelte-kit.js"
+			},
+			"engines": {
+				"node": ">=18.13"
+			},
+			"peerDependencies": {
+				"@opentelemetry/api": "^1.0.0",
+				"@sveltejs/vite-plugin-svelte": "^3.0.0 || ^4.0.0-next.1 || ^5.0.0 || ^6.0.0-next.0",
+				"svelte": "^4.0.0 || ^5.0.0-next.0",
+				"typescript": "^5.3.3",
+				"vite": "^5.0.3 || ^6.0.0 || ^7.0.0-beta.0"
+			},
+			"peerDependenciesMeta": {
+				"@opentelemetry/api": {
+					"optional": true
+				},
+				"typescript": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/@sveltejs/vite-plugin-svelte": {
+			"version": "6.2.4",
+			"resolved": "https://registry.npmjs.org/@sveltejs/vite-plugin-svelte/-/vite-plugin-svelte-6.2.4.tgz",
+			"integrity": "sha512-ou/d51QSdTyN26D7h6dSpusAKaZkAiGM55/AKYi+9AGZw7q85hElbjK3kEyzXHhLSnRISHOYzVge6x0jRZ7DXA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@sveltejs/vite-plugin-svelte-inspector": "^5.0.0",
+				"deepmerge": "^4.3.1",
+				"magic-string": "^0.30.21",
+				"obug": "^2.1.0",
+				"vitefu": "^1.1.1"
+			},
+			"engines": {
+				"node": "^20.19 || ^22.12 || >=24"
+			},
+			"peerDependencies": {
+				"svelte": "^5.0.0",
+				"vite": "^6.3.0 || ^7.0.0"
+			}
+		},
+		"node_modules/@sveltejs/vite-plugin-svelte-inspector": {
+			"version": "5.0.2",
+			"resolved": "https://registry.npmjs.org/@sveltejs/vite-plugin-svelte-inspector/-/vite-plugin-svelte-inspector-5.0.2.tgz",
+			"integrity": "sha512-TZzRTcEtZffICSAoZGkPSl6Etsj2torOVrx6Uw0KpXxrec9Gg6jFWQ60Q3+LmNGfZSxHRCZL7vXVZIWmuV50Ig==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"obug": "^2.1.0"
+			},
+			"engines": {
+				"node": "^20.19 || ^22.12 || >=24"
+			},
+			"peerDependencies": {
+				"@sveltejs/vite-plugin-svelte": "^6.0.0-next.0",
+				"svelte": "^5.0.0",
+				"vite": "^6.3.0 || ^7.0.0"
+			}
+		},
+		"node_modules/@types/cookie": {
+			"version": "0.6.0",
+			"resolved": "https://registry.npmjs.org/@types/cookie/-/cookie-0.6.0.tgz",
+			"integrity": "sha512-4Kh9a6B2bQciAhf7FSuMRRkUWecJgJu9nPnx3yzpsfXX/c50REIqpHY4C82bXP90qrLtXtkDxTZosYO3UpOwlA==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/@types/estree": {
+			"version": "1.0.8",
+			"resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
+			"integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/@types/resolve": {
+			"version": "1.20.2",
+			"resolved": "https://registry.npmjs.org/@types/resolve/-/resolve-1.20.2.tgz",
+			"integrity": "sha512-60BCwRFOZCQhDncwQdxxeOEEkbc5dIMccYLwbxsS4TUNeVECQ/pBJ0j09mrHOl/JJvpRPGwO9SvE4nR2Nb/a4Q==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/@types/trusted-types": {
+			"version": "2.0.7",
+			"resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
+			"integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/acorn": {
+			"version": "8.15.0",
+			"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
+			"integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
+			"dev": true,
+			"license": "MIT",
+			"bin": {
+				"acorn": "bin/acorn"
+			},
+			"engines": {
+				"node": ">=0.4.0"
+			}
+		},
+		"node_modules/aria-query": {
+			"version": "5.3.2",
+			"resolved": "https://registry.npmjs.org/aria-query/-/aria-query-5.3.2.tgz",
+			"integrity": "sha512-COROpnaoap1E2F000S62r6A60uHZnmlvomhfyT2DlTcrY1OrBKn2UhH7qn5wTC9zMvD0AY7csdPSNwKP+7WiQw==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">= 0.4"
+			}
+		},
+		"node_modules/axobject-query": {
+			"version": "4.1.0",
+			"resolved": "https://registry.npmjs.org/axobject-query/-/axobject-query-4.1.0.tgz",
+			"integrity": "sha512-qIj0G9wZbMGNLjLmg1PT6v2mE9AH2zlnADJD/2tC6E00hgmhUOfEB6greHPAfLRSufHqROIUTkw6E+M3lH0PTQ==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">= 0.4"
+			}
+		},
+		"node_modules/chokidar": {
+			"version": "4.0.3",
+			"resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.3.tgz",
+			"integrity": "sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"readdirp": "^4.0.1"
+			},
+			"engines": {
+				"node": ">= 14.16.0"
+			},
+			"funding": {
+				"url": "https://paulmillr.com/funding/"
+			}
+		},
+		"node_modules/clsx": {
+			"version": "2.1.1",
+			"resolved": "https://registry.npmjs.org/clsx/-/clsx-2.1.1.tgz",
+			"integrity": "sha512-eYm0QWBtUrBWZWG0d386OGAw16Z995PiOVo2B7bjWSbHedGl5e0ZWaq65kOGgUSNesEIDkB9ISbTg/JK9dhCZA==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/commondir": {
+			"version": "1.0.1",
+			"resolved": "https://registry.npmjs.org/commondir/-/commondir-1.0.1.tgz",
+			"integrity": "sha512-W9pAhw0ja1Edb5GVdIF1mjZw/ASI0AlShXM83UUGe2DVr5TdAPEA1OA8m/g8zWp9x6On7gqufY+FatDbC3MDQg==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/cookie": {
+			"version": "0.6.0",
+			"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
+			"integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">= 0.6"
+			}
+		},
+		"node_modules/deepmerge": {
+			"version": "4.3.1",
+			"resolved": "https://registry.npmjs.org/deepmerge/-/deepmerge-4.3.1.tgz",
+			"integrity": "sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=0.10.0"
+			}
+		},
+		"node_modules/devalue": {
+			"version": "5.6.2",
+			"resolved": "https://registry.npmjs.org/devalue/-/devalue-5.6.2.tgz",
+			"integrity": "sha512-nPRkjWzzDQlsejL1WVifk5rvcFi/y1onBRxjaFMjZeR9mFpqu2gmAZ9xUB9/IEanEP/vBtGeGganC/GO1fmufg==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/esbuild": {
+			"version": "0.27.3",
+			"resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz",
+			"integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==",
+			"dev": true,
+			"hasInstallScript": true,
+			"license": "MIT",
+			"bin": {
+				"esbuild": "bin/esbuild"
+			},
+			"engines": {
+				"node": ">=18"
+			},
+			"optionalDependencies": {
+				"@esbuild/aix-ppc64": "0.27.3",
+				"@esbuild/android-arm": "0.27.3",
+				"@esbuild/android-arm64": "0.27.3",
+				"@esbuild/android-x64": "0.27.3",
+				"@esbuild/darwin-arm64": "0.27.3",
+				"@esbuild/darwin-x64": "0.27.3",
+				"@esbuild/freebsd-arm64": "0.27.3",
+				"@esbuild/freebsd-x64": "0.27.3",
+				"@esbuild/linux-arm": "0.27.3",
+				"@esbuild/linux-arm64": "0.27.3",
+				"@esbuild/linux-ia32": "0.27.3",
+				"@esbuild/linux-loong64": "0.27.3",
+				"@esbuild/linux-mips64el": "0.27.3",
+				"@esbuild/linux-ppc64": "0.27.3",
+				"@esbuild/linux-riscv64": "0.27.3",
+				"@esbuild/linux-s390x": "0.27.3",
+				"@esbuild/linux-x64": "0.27.3",
+				"@esbuild/netbsd-arm64": "0.27.3",
+				"@esbuild/netbsd-x64": "0.27.3",
+				"@esbuild/openbsd-arm64": "0.27.3",
+				"@esbuild/openbsd-x64": "0.27.3",
+				"@esbuild/openharmony-arm64": "0.27.3",
+				"@esbuild/sunos-x64": "0.27.3",
+				"@esbuild/win32-arm64": "0.27.3",
+				"@esbuild/win32-ia32": "0.27.3",
+				"@esbuild/win32-x64": "0.27.3"
+			}
+		},
+		"node_modules/esm-env": {
+			"version": "1.2.2",
+			"resolved": "https://registry.npmjs.org/esm-env/-/esm-env-1.2.2.tgz",
+			"integrity": "sha512-Epxrv+Nr/CaL4ZcFGPJIYLWFom+YeV1DqMLHJoEd9SYRxNbaFruBwfEX/kkHUJf55j2+TUbmDcmuilbP1TmXHA==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/esrap": {
+			"version": "2.2.3",
+			"resolved": "https://registry.npmjs.org/esrap/-/esrap-2.2.3.tgz",
+			"integrity": "sha512-8fOS+GIGCQZl/ZIlhl59htOlms6U8NvX6ZYgYHpRU/b6tVSh3uHkOHZikl3D4cMbYM0JlpBe+p/BkZEi8J9XIQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/sourcemap-codec": "^1.4.15"
+			}
+		},
+		"node_modules/estree-walker": {
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-2.0.2.tgz",
+			"integrity": "sha512-Rfkk/Mp/DL7JVje3u18FxFujQlTNR2q6QfMSMB7AvCBx91NGj/ba3kCfza0f6dVDbw7YlRf/nDrn7pQrCCyQ/w==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/fdir": {
+			"version": "6.5.0",
+			"resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
+			"integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=12.0.0"
+			},
+			"peerDependencies": {
+				"picomatch": "^3 || ^4"
+			},
+			"peerDependenciesMeta": {
+				"picomatch": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/function-bind": {
+			"version": "1.1.2",
+			"resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+			"integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+			"dev": true,
+			"license": "MIT",
+			"funding": {
+				"url": "https://github.com/sponsors/ljharb"
+			}
+		},
+		"node_modules/hasown": {
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
+			"integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"function-bind": "^1.1.2"
+			},
+			"engines": {
+				"node": ">= 0.4"
+			}
+		},
+		"node_modules/is-core-module": {
+			"version": "2.16.1",
+			"resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz",
+			"integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"hasown": "^2.0.2"
+			},
+			"engines": {
+				"node": ">= 0.4"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/ljharb"
+			}
+		},
+		"node_modules/is-module": {
+			"version": "1.0.0",
+			"resolved": "https://registry.npmjs.org/is-module/-/is-module-1.0.0.tgz",
+			"integrity": "sha512-51ypPSPCoTEIN9dy5Oy+h4pShgJmPCygKfyRCISBI+JoWT/2oJvK8QPxmwv7b/p239jXrm9M1mlQbyKJ5A152g==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/is-reference": {
+			"version": "3.0.3",
+			"resolved": "https://registry.npmjs.org/is-reference/-/is-reference-3.0.3.tgz",
+			"integrity": "sha512-ixkJoqQvAP88E6wLydLGGqCJsrFUnqoH6HnaczB8XmDH1oaWU+xxdptvikTgaEhtZ53Ky6YXiBuUI2WXLMCwjw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@types/estree": "^1.0.6"
+			}
+		},
+		"node_modules/kleur": {
+			"version": "4.1.5",
+			"resolved": "https://registry.npmjs.org/kleur/-/kleur-4.1.5.tgz",
+			"integrity": "sha512-o+NO+8WrRiQEE4/7nwRJhN1HWpVmJm511pBHUxPLtp0BUISzlBplORYSmTclCnJvQq2tKu/sgl3xVpkc7ZWuQQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/locate-character": {
+			"version": "3.0.0",
+			"resolved": "https://registry.npmjs.org/locate-character/-/locate-character-3.0.0.tgz",
+			"integrity": "sha512-SW13ws7BjaeJ6p7Q6CO2nchbYEc3X3J6WrmTTDto7yMPqVSZTUyY5Tjbid+Ab8gLnATtygYtiDIJGQRRn2ZOiA==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/magic-string": {
+			"version": "0.30.21",
+			"resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.21.tgz",
+			"integrity": "sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/sourcemap-codec": "^1.5.5"
+			}
+		},
+		"node_modules/mri": {
+			"version": "1.2.0",
+			"resolved": "https://registry.npmjs.org/mri/-/mri-1.2.0.tgz",
+			"integrity": "sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=4"
+			}
+		},
+		"node_modules/mrmime": {
+			"version": "2.0.1",
+			"resolved": "https://registry.npmjs.org/mrmime/-/mrmime-2.0.1.tgz",
+			"integrity": "sha512-Y3wQdFg2Va6etvQ5I82yUhGdsKrcYox6p7FfL1LbK2J4V01F9TGlepTIhnK24t7koZibmg82KGglhA1XK5IsLQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=10"
+			}
+		},
+		"node_modules/nanoid": {
+			"version": "3.3.11",
+			"resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz",
+			"integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/ai"
+				}
+			],
+			"license": "MIT",
+			"bin": {
+				"nanoid": "bin/nanoid.cjs"
+			},
+			"engines": {
+				"node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1"
+			}
+		},
+		"node_modules/obug": {
+			"version": "2.1.1",
+			"resolved": "https://registry.npmjs.org/obug/-/obug-2.1.1.tgz",
+			"integrity": "sha512-uTqF9MuPraAQ+IsnPf366RG4cP9RtUi7MLO1N3KEc+wb0a6yKpeL0lmk2IB1jY5KHPAlTc6T/JRdC/YqxHNwkQ==",
+			"dev": true,
+			"funding": [
+				"https://github.com/sponsors/sxzz",
+				"https://opencollective.com/debug"
+			],
+			"license": "MIT"
+		},
+		"node_modules/path-parse": {
+			"version": "1.0.7",
+			"resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz",
+			"integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/picocolors": {
+			"version": "1.1.1",
+			"resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
+			"integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
+			"dev": true,
+			"license": "ISC"
+		},
+		"node_modules/picomatch": {
+			"version": "4.0.3",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+			"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=12"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/jonschlinkert"
+			}
+		},
+		"node_modules/postcss": {
+			"version": "8.5.6",
+			"resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
+			"integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "opencollective",
+					"url": "https://opencollective.com/postcss/"
+				},
+				{
+					"type": "tidelift",
+					"url": "https://tidelift.com/funding/github/npm/postcss"
+				},
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/ai"
+				}
+			],
+			"license": "MIT",
+			"dependencies": {
+				"nanoid": "^3.3.11",
+				"picocolors": "^1.1.1",
+				"source-map-js": "^1.2.1"
+			},
+			"engines": {
+				"node": "^10 || ^12 || >=14"
+			}
+		},
+		"node_modules/readdirp": {
+			"version": "4.1.2",
+			"resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.1.2.tgz",
+			"integrity": "sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">= 14.18.0"
+			},
+			"funding": {
+				"type": "individual",
+				"url": "https://paulmillr.com/funding/"
+			}
+		},
+		"node_modules/resolve": {
+			"version": "1.22.11",
+			"resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.11.tgz",
+			"integrity": "sha512-RfqAvLnMl313r7c9oclB1HhUEAezcpLjz95wFH4LVuhk9JF/r22qmVP9AMmOU4vMX7Q8pN8jwNg/CSpdFnMjTQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"is-core-module": "^2.16.1",
+				"path-parse": "^1.0.7",
+				"supports-preserve-symlinks-flag": "^1.0.0"
+			},
+			"bin": {
+				"resolve": "bin/resolve"
+			},
+			"engines": {
+				"node": ">= 0.4"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/ljharb"
+			}
+		},
+		"node_modules/rollup": {
+			"version": "4.57.1",
+			"resolved": "https://registry.npmjs.org/rollup/-/rollup-4.57.1.tgz",
+			"integrity": "sha512-oQL6lgK3e2QZeQ7gcgIkS2YZPg5slw37hYufJ3edKlfQSGGm8ICoxswK15ntSzF/a8+h7ekRy7k7oWc3BQ7y8A==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@types/estree": "1.0.8"
+			},
+			"bin": {
+				"rollup": "dist/bin/rollup"
+			},
+			"engines": {
+				"node": ">=18.0.0",
+				"npm": ">=8.0.0"
+			},
+			"optionalDependencies": {
+				"@rollup/rollup-android-arm-eabi": "4.57.1",
+				"@rollup/rollup-android-arm64": "4.57.1",
+				"@rollup/rollup-darwin-arm64": "4.57.1",
+				"@rollup/rollup-darwin-x64": "4.57.1",
+				"@rollup/rollup-freebsd-arm64": "4.57.1",
+				"@rollup/rollup-freebsd-x64": "4.57.1",
+				"@rollup/rollup-linux-arm-gnueabihf": "4.57.1",
+				"@rollup/rollup-linux-arm-musleabihf": "4.57.1",
+				"@rollup/rollup-linux-arm64-gnu": "4.57.1",
+				"@rollup/rollup-linux-arm64-musl": "4.57.1",
+				"@rollup/rollup-linux-loong64-gnu": "4.57.1",
+				"@rollup/rollup-linux-loong64-musl": "4.57.1",
+				"@rollup/rollup-linux-ppc64-gnu": "4.57.1",
+				"@rollup/rollup-linux-ppc64-musl": "4.57.1",
+				"@rollup/rollup-linux-riscv64-gnu": "4.57.1",
+				"@rollup/rollup-linux-riscv64-musl": "4.57.1",
+				"@rollup/rollup-linux-s390x-gnu": "4.57.1",
+				"@rollup/rollup-linux-x64-gnu": "4.57.1",
+				"@rollup/rollup-linux-x64-musl": "4.57.1",
+				"@rollup/rollup-openbsd-x64": "4.57.1",
+				"@rollup/rollup-openharmony-arm64": "4.57.1",
+				"@rollup/rollup-win32-arm64-msvc": "4.57.1",
+				"@rollup/rollup-win32-ia32-msvc": "4.57.1",
+				"@rollup/rollup-win32-x64-gnu": "4.57.1",
+				"@rollup/rollup-win32-x64-msvc": "4.57.1",
+				"fsevents": "~2.3.2"
+			}
+		},
+		"node_modules/sade": {
+			"version": "1.8.1",
+			"resolved": "https://registry.npmjs.org/sade/-/sade-1.8.1.tgz",
+			"integrity": "sha512-xal3CZX1Xlo/k4ApwCFrHVACi9fBqJ7V+mwhBsuf/1IOKbBy098Fex+Wa/5QMubw09pSZ/u8EY8PWgevJsXp1A==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"mri": "^1.1.0"
+			},
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/set-cookie-parser": {
+			"version": "3.0.1",
+			"resolved": "https://registry.npmjs.org/set-cookie-parser/-/set-cookie-parser-3.0.1.tgz",
+			"integrity": "sha512-n7Z7dXZhJbwuAHhNzkTti6Aw9QDDjZtm3JTpTGATIdNzdQz5GuFs22w90BcvF4INfnrL5xrX3oGsuqO5Dx3A1Q==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/sirv": {
+			"version": "3.0.2",
+			"resolved": "https://registry.npmjs.org/sirv/-/sirv-3.0.2.tgz",
+			"integrity": "sha512-2wcC/oGxHis/BoHkkPwldgiPSYcpZK3JU28WoMVv55yHJgcZ8rlXvuG9iZggz+sU1d4bRgIGASwyWqjxu3FM0g==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@polka/url": "^1.0.0-next.24",
+				"mrmime": "^2.0.0",
+				"totalist": "^3.0.0"
+			},
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/source-map-js": {
+			"version": "1.2.1",
+			"resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
+			"integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
+			"dev": true,
+			"license": "BSD-3-Clause",
+			"engines": {
+				"node": ">=0.10.0"
+			}
+		},
+		"node_modules/supports-preserve-symlinks-flag": {
+			"version": "1.0.0",
+			"resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz",
+			"integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">= 0.4"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/ljharb"
+			}
+		},
+		"node_modules/svelte": {
+			"version": "5.51.3",
+			"resolved": "https://registry.npmjs.org/svelte/-/svelte-5.51.3.tgz",
+			"integrity": "sha512-3+ni7BMjiEQeMCa1fDQzHy2ESAebgQDVOTuE4jlj2/QOAB2grRta8ew80p95miWE+ZmimpL7B3t9SSO4rv0aqQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/remapping": "^2.3.4",
+				"@jridgewell/sourcemap-codec": "^1.5.0",
+				"@sveltejs/acorn-typescript": "^1.0.5",
+				"@types/estree": "^1.0.5",
+				"@types/trusted-types": "^2.0.7",
+				"acorn": "^8.12.1",
+				"aria-query": "^5.3.1",
+				"axobject-query": "^4.1.0",
+				"clsx": "^2.1.1",
+				"devalue": "^5.6.2",
+				"esm-env": "^1.2.1",
+				"esrap": "^2.2.2",
+				"is-reference": "^3.0.3",
+				"locate-character": "^3.0.0",
+				"magic-string": "^0.30.11",
+				"zimmerframe": "^1.1.2"
+			},
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/svelte-check": {
+			"version": "4.4.0",
+			"resolved": "https://registry.npmjs.org/svelte-check/-/svelte-check-4.4.0.tgz",
+			"integrity": "sha512-gB3FdEPb8tPO3Y7Dzc6d/Pm/KrXAhK+0Fk+LkcysVtupvAh6Y/IrBCEZNupq57oh0hcwlxCUamu/rq7GtvfSEg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/trace-mapping": "^0.3.25",
+				"chokidar": "^4.0.1",
+				"fdir": "^6.2.0",
+				"picocolors": "^1.0.0",
+				"sade": "^1.7.4"
+			},
+			"bin": {
+				"svelte-check": "bin/svelte-check"
+			},
+			"engines": {
+				"node": ">= 18.0.0"
+			},
+			"peerDependencies": {
+				"svelte": "^4.0.0 || ^5.0.0-next.0",
+				"typescript": ">=5.0.0"
+			}
+		},
+		"node_modules/tinyglobby": {
+			"version": "0.2.15",
+			"resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
+			"integrity": "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"fdir": "^6.5.0",
+				"picomatch": "^4.0.3"
+			},
+			"engines": {
+				"node": ">=12.0.0"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/SuperchupuDev"
+			}
+		},
+		"node_modules/totalist": {
+			"version": "3.0.1",
+			"resolved": "https://registry.npmjs.org/totalist/-/totalist-3.0.1.tgz",
+			"integrity": "sha512-sf4i37nQ2LBx4m3wB74y+ubopq6W/dIzXg0FDGjsYnZHVa1Da8FH853wlL2gtUhg+xJXjfk3kUZS3BRoQeoQBQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/typescript": {
+			"version": "5.9.3",
+			"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
+			"integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"bin": {
+				"tsc": "bin/tsc",
+				"tsserver": "bin/tsserver"
+			},
+			"engines": {
+				"node": ">=14.17"
+			}
+		},
+		"node_modules/vite": {
+			"version": "7.3.1",
+			"resolved": "https://registry.npmjs.org/vite/-/vite-7.3.1.tgz",
+			"integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"esbuild": "^0.27.0",
+				"fdir": "^6.5.0",
+				"picomatch": "^4.0.3",
+				"postcss": "^8.5.6",
+				"rollup": "^4.43.0",
+				"tinyglobby": "^0.2.15"
+			},
+			"bin": {
+				"vite": "bin/vite.js"
+			},
+			"engines": {
+				"node": "^20.19.0 || >=22.12.0"
+			},
+			"funding": {
+				"url": "https://github.com/vitejs/vite?sponsor=1"
+			},
+			"optionalDependencies": {
+				"fsevents": "~2.3.3"
+			},
+			"peerDependencies": {
+				"@types/node": "^20.19.0 || >=22.12.0",
+				"jiti": ">=1.21.0",
+				"less": "^4.0.0",
+				"lightningcss": "^1.21.0",
+				"sass": "^1.70.0",
+				"sass-embedded": "^1.70.0",
+				"stylus": ">=0.54.8",
+				"sugarss": "^5.0.0",
+				"terser": "^5.16.0",
+				"tsx": "^4.8.1",
+				"yaml": "^2.4.2"
+			},
+			"peerDependenciesMeta": {
+				"@types/node": {
+					"optional": true
+				},
+				"jiti": {
+					"optional": true
+				},
+				"less": {
+					"optional": true
+				},
+				"lightningcss": {
+					"optional": true
+				},
+				"sass": {
+					"optional": true
+				},
+				"sass-embedded": {
+					"optional": true
+				},
+				"stylus": {
+					"optional": true
+				},
+				"sugarss": {
+					"optional": true
+				},
+				"terser": {
+					"optional": true
+				},
+				"tsx": {
+					"optional": true
+				},
+				"yaml": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/vitefu": {
+			"version": "1.1.1",
+			"resolved": "https://registry.npmjs.org/vitefu/-/vitefu-1.1.1.tgz",
+			"integrity": "sha512-B/Fegf3i8zh0yFbpzZ21amWzHmuNlLlmJT6n7bu5e+pCHUKQIfXSYokrqOBGEMMe9UG2sostKQF9mml/vYaWJQ==",
+			"dev": true,
+			"license": "MIT",
+			"workspaces": [
+				"tests/deps/*",
+				"tests/projects/*",
+				"tests/projects/workspace/packages/*"
+			],
+			"peerDependencies": {
+				"vite": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0-beta.0"
+			},
+			"peerDependenciesMeta": {
+				"vite": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/zimmerframe": {
+			"version": "1.1.4",
+			"resolved": "https://registry.npmjs.org/zimmerframe/-/zimmerframe-1.1.4.tgz",
+			"integrity": "sha512-B58NGBEoc8Y9MWWCQGl/gq9xBCe4IiKM0a2x7GZdQKOW5Exr8S1W24J6OgM1njK8xCRGvAJIL/MxXHf6SkmQKQ==",
+			"dev": true,
+			"license": "MIT"
+		}
+	}
+}
diff --git a/stacks/k8s-portal/modules/k8s-portal/files/package.json b/stacks/k8s-portal/modules/k8s-portal/files/package.json
new file mode 100644
index 00000000..6018d9b1
--- /dev/null
+++ b/stacks/k8s-portal/modules/k8s-portal/files/package.json
@@ -0,0 +1,24 @@
+{
+	"name": "k8s-portal",
+	"private": true,
+	"version": "0.0.1",
+	"type": "module",
+	"scripts": {
+		"dev": "vite dev",
+		"build": "vite build",
+		"preview": "vite preview",
+		"prepare": "svelte-kit sync || echo ''",
+		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
+		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch"
+	},
+	"devDependencies": {
+		"@sveltejs/adapter-auto": "^7.0.0",
+		"@sveltejs/adapter-node": "^5.5.3",
+		"@sveltejs/kit": "^2.50.2",
+		"@sveltejs/vite-plugin-svelte": "^6.2.4",
+		"svelte": "^5.49.2",
+		"svelte-check": "^4.3.6",
+		"typescript": "^5.9.3",
+		"vite": "^7.3.1"
+	}
+}
diff --git a/stacks/k8s-portal/modules/k8s-portal/main.tf b/stacks/k8s-portal/modules/k8s-portal/main.tf
index 60057635..e32fd519 100644
--- a/stacks/k8s-portal/modules/k8s-portal/main.tf
+++ b/stacks/k8s-portal/modules/k8s-portal/main.tf
@@ -9,7 +9,7 @@ resource "kubernetes_namespace" "k8s_portal" {
   metadata {
     name = "k8s-portal"
     labels = {
-      tier = var.tier
+      tier               = var.tier
       "keel.sh/enrolled" = "true"
     }
   }
@@ -40,6 +40,15 @@ resource "kubernetes_deployment" "k8s_portal" {
   metadata {
     name      = "k8s-portal"
     namespace = kubernetes_namespace.k8s_portal.metadata[0].name
+    # ADR-0002 / no-local-builds: image now GHA-built -> ghcr:latest
+    # (.github/workflows/build-k8s-portal.yml). Keel polls ghcr:latest and rolls
+    # this deployment (replaces the removed Woodpecker in-cluster build+deploy).
+    annotations = {
+      "keel.sh/policy"       = "force"
+      "keel.sh/trigger"      = "poll"
+      "keel.sh/pollSchedule" = "@every 5m"
+      "keel.sh/match-tag"    = "true"
+    }
     labels = {
       app  = "k8s-portal"
       tier = var.tier
@@ -66,9 +75,16 @@ resource "kubernetes_deployment" "k8s_portal" {
       }
 
       spec {
+        # GHCR pull secret: the ghcr-credentials Secret in this namespace is
+        # cloned in by the kyverno stack's sync-ghcr-credentials ClusterPolicy
+        # (allowlisted private-ghcr namespaces only — ADR-0002). Source of
+        # truth: stacks/kyverno/modules/kyverno/ghcr-credentials.tf.
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
         container {
           name  = "portal"
-          image = "viktorbarzin/k8s-portal:latest"
+          image = "ghcr.io/viktorbarzin/k8s-portal:latest"
           port {
             container_port = 3000
           }
@@ -121,7 +137,8 @@ resource "kubernetes_deployment" "k8s_portal" {
     # DRIFT_WORKAROUND: CI pipeline owns image tag (kubectl set image from Woodpecker/GHA); Kyverno mutates dns_config for ndots. Reviewed 2026-04-18.
     ignore_changes = [
       spec[0].template[0].spec[0].dns_config,         # KYVERNO_LIFECYCLE_V1
-      spec[0].template[0].spec[0].container[0].image, # CI updates image tag
+      spec[0].template[0].spec[0].container[0].image, # Keel manages ghcr:latest digest
+      metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1 (Keel stamps on roll)
     ]
   }
 }
@@ -172,5 +189,5 @@ module "ingress_setup_script" {
   ingress_path    = ["/setup/script", "/agent"]
   tls_secret_name = var.tls_secret_name
   # auth = "none": Setup script + agent endpoint must be curl-able without auth (no cookies preserved in automation).
-  auth            = "none"
+  auth = "none"
 }
diff --git a/stacks/k8s-version-upgrade/main.tf b/stacks/k8s-version-upgrade/main.tf
index e91592aa..857d08e2 100644
--- a/stacks/k8s-version-upgrade/main.tf
+++ b/stacks/k8s-version-upgrade/main.tf
@@ -4,11 +4,12 @@
 # Job's pod runs on a node that is NOT its drain target — eliminates the
 # self-preemption bug that killed the agent-based v1 (2026-05-11 incident).
 #
-# Chain (Job 0 → Job 6):
-#   preflight  (pinned: k8s-node1)
-#   master     (pinned: k8s-node1; drains k8s-master)
-#   worker     (pinned: k8s-node1; drains k8s-node4 → 3 → 2)
-#   worker     (pinned: k8s-master + control-plane toleration; drains k8s-node1 last)
+# Chain (dynamic length — one worker Job per worker node, enumerated live):
+#   preflight  (pinned: first worker)
+#   master     (pinned: first worker; drains k8s-master)
+#   worker     (pinned: k8s-master + control-plane toleration; drains each worker)
+#              ↳ repeats for EVERY worker still off-target (kubectl-derived, so
+#                new nodes like node5/node6 are included automatically)
 #   postflight (no pinning)
 #
 # Each phase Job's container runs scripts/upgrade-step.sh which:
@@ -25,13 +26,14 @@
 #   - infra/scripts/update_k8s.sh (per-node upgrade body)
 
 variable "schedule" {
-  type    = string
-  # Daily 12:00 UTC — outside kured window (kured runs 02:00-06:00
-  # London). Was weekly Sunday until 2026-05-18; daily picks up upstream
-  # patch releases the same day they land. Concurrency is bounded by the
-  # CronJob's Forbid policy + Job-name idempotency (the detection job
-  # skips spawning a preflight Job if one already exists).
-  default = "0 12 * * *"
+  type = string
+  # Nightly 23:00 UTC (00:00 London) — overnight / low cluster usage, and clear
+  # of the kured OS-reboot window (01:00-05:00 UTC = 02:00-06:00 London) so the
+  # two drain-pipelines never overlap. Moved from 12:00 UTC noon on 2026-06-17
+  # (Viktor: disruptive node drains should run overnight). Was weekly Sunday
+  # until 2026-05-18. Concurrency bounded by the CronJob's Forbid policy +
+  # retry-on-failure Job-name idempotency.
+  default = "0 23 * * *"
 }
 
 variable "enabled" {
@@ -39,12 +41,21 @@ variable "enabled" {
   default = true
 }
 
+# Nightly upgrade-report CronJob schedule. 06:07 UTC (07:07 London) — safely
+# after the 23:00 chain has finished (worst case ~02:00) and before the 08:00
+# London alert-digest, so the morning Slack skim shows last night's upgrade
+# outcome + any live blocker. Posts once/day; read-only.
+variable "report_schedule" {
+  type    = string
+  default = "7 6 * * *"
+}
+
 # Mirrors `local.image_tag` in stacks/claude-agent-service/main.tf — bump
 # in lockstep with claude-agent-service rebuilds. The image ships kubectl,
 # ssh-client, curl, jq, envsubst — everything the upgrade Jobs need.
 variable "image_tag" {
   type    = string
-  default = "2fd7670d"
+  default = "latest"
 }
 
 # When true, detection runs but does NOT spawn the preflight Job.
@@ -55,7 +66,7 @@ variable "detection_dry_run" {
 
 locals {
   namespace = "k8s-upgrade"
-  image     = "forgejo.viktorbarzin.me/viktor/claude-agent-service:${var.image_tag}"
+  image     = "ghcr.io/viktorbarzin/claude-agent-service:${var.image_tag}"
   labels = {
     app = "k8s-version-upgrade"
   }
@@ -67,7 +78,7 @@ resource "kubernetes_namespace" "k8s_upgrade" {
   metadata {
     name = local.namespace
     labels = {
-      tier = local.tiers.cluster
+      tier               = local.tiers.cluster
       "keel.sh/enrolled" = "true"
     }
   }
@@ -87,7 +98,7 @@ resource "kubernetes_namespace" "k8s_upgrade" {
 # No claude-agent bearer needed — the chain no longer POSTs to that service.
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "k8s-upgrade-creds"
@@ -120,6 +131,15 @@ resource "kubernetes_manifest" "external_secret" {
       ]
     }
   }
+
+  # ESO 2.x took SSA ownership of .spec.refreshInterval (it normalizes the value),
+  # which conflicts with terraform's apply of this ExternalSecret. force_conflicts
+  # lets terraform reassert its spec — the interval is semantically identical, so
+  # this is benign. Surfaced after the ESO 0.12->2.6 migration (2026-06-24); the
+  # same pattern affects all migrated ExternalSecrets fleet-wide.
+  field_manager {
+    force_conflicts = true
+  }
 }
 
 # --- Unified ServiceAccount + RBAC ---
@@ -162,6 +182,17 @@ resource "kubernetes_cluster_role" "k8s_upgrade_job" {
     resources  = ["pods"]
     verbs      = ["get", "list", "delete"]
   }
+  # Read the etcd-snapshot Job's pod logs — preflight verifies the snapshot
+  # size by parsing the backup Job's log (`kubectl logs job/...`). `pods/log`
+  # is a SEPARATE subresource not covered by the `pods` rule above. Missing
+  # this grant aborts preflight step 6 with a Forbidden on pods/log in the
+  # `default` ns (2026-06-17 — surfaced after a stale out-of-band grant was
+  # reconciled away by `terragrunt apply`).
+  rule {
+    api_groups = [""]
+    resources  = ["pods/log"]
+    verbs      = ["get"]
+  }
   # Read PDBs to find drain-blocking pods
   rule {
     api_groups = ["policy"]
@@ -208,6 +239,15 @@ resource "kubernetes_cluster_role" "k8s_upgrade_job" {
     resource_names = [local.namespace]
     verbs          = ["get", "patch", "update"]
   }
+  # Read the apiserver-OIDC restore script (published by the rbac stack to
+  # kube-system) so phase_master can re-apply --authentication-config after a
+  # kubeadm control-plane upgrade drops it. Name-scoped get only.
+  rule {
+    api_groups     = [""]
+    resources      = ["configmaps"]
+    resource_names = ["apiserver-oidc-restore"]
+    verbs          = ["get"]
+  }
 }
 
 resource "kubernetes_cluster_role_binding" "k8s_upgrade_job" {
@@ -275,8 +315,11 @@ resource "kubernetes_config_map" "k8s_upgrade_scripts" {
     labels    = local.labels
   }
   data = {
-    "upgrade-step.sh" = file("${path.module}/scripts/upgrade-step.sh")
-    "update_k8s.sh"   = file("${path.module}/../../scripts/update_k8s.sh")
+    "upgrade-step.sh"   = file("${path.module}/scripts/upgrade-step.sh")
+    "update_k8s.sh"     = file("${path.module}/../../scripts/update_k8s.sh")
+    "compat-gate.py"    = file("${path.module}/scripts/compat-gate.py")
+    "addon-compat.json" = file("${path.module}/scripts/addon-compat.json")
+    "nightly-report.py" = file("${path.module}/scripts/nightly-report.py")
   }
 }
 
@@ -396,7 +439,7 @@ resource "kubernetes_cron_job_v1" "k8s_version_check" {
                 NEXT_MINOR_NUM=$(( $(echo "$RUNNING_MINOR" | cut -d. -f2) + 1 ))
                 NEXT_MINOR="1.$NEXT_MINOR_NUM"
                 NEXT_MINOR_AVAILABLE="no"
-                if curl -sIo /dev/null -w '%%{http_code}' \
+                if curl -sILo /dev/null -w '%%{http_code}' \
                     "https://pkgs.k8s.io/core:/stable:/v$NEXT_MINOR/deb/Release" \
                     | grep -q '^200$'; then
                   NEXT_MINOR_AVAILABLE="yes"
@@ -411,7 +454,7 @@ resource "kubernetes_cron_job_v1" "k8s_version_check" {
                   KIND="patch"
                 elif [ "$NEXT_MINOR_AVAILABLE" = "yes" ]; then
                   NEXT_MINOR_PATCH=$($SSH wizard@k8s-master.viktorbarzin.lan \
-                    "curl -sf 'https://pkgs.k8s.io/core:/stable:/v$NEXT_MINOR/deb/Packages' \
+                    "curl -sfL 'https://pkgs.k8s.io/core:/stable:/v$NEXT_MINOR/deb/Packages' \
                       | grep -oE 'Version: [0-9.-]+' \
                       | awk '{print \$2}' | sed 's/-.*//' \
                       | sort -V | tail -1" || echo "")
@@ -451,9 +494,22 @@ resource "kubernetes_cron_job_v1" "k8s_version_check" {
                 #    Idempotency: deterministic name reconciles via `apply`.
                 JOB_NAME="k8s-upgrade-preflight-$${TARGET//./-}"
 
+                # Retry-on-failure idempotency: skip only if an existing preflight
+                # Job is Active/Complete. A *Failed* preflight (aborted on a
+                # transient gate, e.g. a spurious critical alert) is deleted and
+                # re-spawned — otherwise its deterministic name + 7d TTL wedges
+                # the entire pipeline until it ages out. (Stuck-pipeline fix
+                # 2026-06-17: a transient critical alert wedged 1.34.9 for 5 days.)
                 if /usr/local/bin/kubectl -n k8s-upgrade get job "$JOB_NAME" >/dev/null 2>&1; then
-                  slack "Preflight Job $JOB_NAME already exists (rerunning detection mid-flight?)"
-                  exit 0
+                  JOB_FAILED=$(/usr/local/bin/kubectl -n k8s-upgrade get job "$JOB_NAME" \
+                    -o jsonpath='{.status.conditions[?(@.type=="Failed")].status}' 2>/dev/null || true)
+                  if [ "$JOB_FAILED" = "True" ]; then
+                    slack "Preflight Job $JOB_NAME exists but FAILED — deleting and re-spawning"
+                    /usr/local/bin/kubectl -n k8s-upgrade delete job "$JOB_NAME" --wait=true >/dev/null 2>&1 || true
+                  else
+                    slack "Preflight Job $JOB_NAME already exists (active/complete) — skipping"
+                    exit 0
+                  fi
                 fi
 
                 export JOB_NAME PHASE_NEXT=preflight TARGET_NODE_NEXT="" \
@@ -511,6 +567,98 @@ resource "kubernetes_cron_job_v1" "k8s_version_check" {
   }
 }
 
+# --- Nightly upgrade report ---
+#
+# Each morning, after the 23:00 chain has finished, posts ONE concise Slack
+# report of last night's upgrade outcome (no-op / blocked+reasons / upgraded /
+# in-progress) so the autonomous upgrader's nightly result — and any live
+# blocker — is visible at a glance. Read-only: reads the chain's Pushgateway
+# gauges + live nodes/jobs and re-runs compat-gate.py for fresh blocker reasons.
+# Reuses the same SA, creds secret (slack_webhook), and scripts ConfigMap as the
+# chain. Logic + unit tests: scripts/nightly-report.py, scripts/test_nightly_report.py.
+resource "kubernetes_cron_job_v1" "k8s_upgrade_nightly_report" {
+  metadata {
+    name      = "k8s-upgrade-nightly-report"
+    namespace = kubernetes_namespace.k8s_upgrade.metadata[0].name
+    labels    = local.labels
+  }
+  spec {
+    schedule                      = var.report_schedule
+    concurrency_policy            = "Forbid"
+    successful_jobs_history_limit = 3
+    failed_jobs_history_limit     = 3
+    starting_deadline_seconds     = 600
+    suspend                       = !var.enabled
+    job_template {
+      metadata {
+        labels = local.labels
+      }
+      spec {
+        backoff_limit              = 1
+        ttl_seconds_after_finished = 86400
+        template {
+          metadata {
+            labels = local.labels
+          }
+          spec {
+            service_account_name = kubernetes_service_account.k8s_upgrade_job.metadata[0].name
+            restart_policy       = "Never"
+            image_pull_secrets {
+              name = "registry-credentials"
+            }
+            volume {
+              name = "creds"
+              secret {
+                secret_name  = "k8s-upgrade-creds"
+                default_mode = "0444"
+              }
+            }
+            volume {
+              name = "scripts"
+              config_map {
+                name         = kubernetes_config_map.k8s_upgrade_scripts.metadata[0].name
+                default_mode = "0755"
+              }
+            }
+            container {
+              name    = "report"
+              image   = local.image
+              command = ["python3", "/scripts/nightly-report.py"]
+              env {
+                name  = "HOME"
+                value = "/tmp"
+              }
+              volume_mount {
+                name       = "creds"
+                mount_path = "/secrets/k8s-upgrade"
+                read_only  = true
+              }
+              volume_mount {
+                name       = "scripts"
+                mount_path = "/scripts"
+                read_only  = true
+              }
+              resources {
+                requests = {
+                  cpu    = "50m"
+                  memory = "128Mi"
+                }
+                limits = {
+                  memory = "256Mi"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
+    ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config]
+  }
+}
+
 # CI retrigger 2026-05-16T13:42:57+00:00 — bulk enrollment apply (pipeline #689 killed)
 # CI retrigger v2 2026-05-16T13:46:35+00:00
 
@@ -521,3 +669,8 @@ resource "kubernetes_cron_job_v1" "k8s_version_check" {
 # CI retrigger v5 2026-05-16T23:10:38Z
 
 # CI retrigger v6 2026-05-16T23:18:58Z
+
+# CI retrigger 2026-06-17 — apply D1 retry-on-failure. The two-commit landing
+# of fb638cd8 left the changed-stack detection diffing against HEAD~1 (commit 2,
+# monitoring-only), so this stack's changes (commit 1) were never applied; a
+# fresh single commit guarantees the diff includes stacks/k8s-version-upgrade.
diff --git a/stacks/k8s-version-upgrade/scripts/addon-compat.json b/stacks/k8s-version-upgrade/scripts/addon-compat.json
new file mode 100644
index 00000000..5e1afdd8
--- /dev/null
+++ b/stacks/k8s-version-upgrade/scripts/addon-compat.json
@@ -0,0 +1,57 @@
+{
+  "_comment": "Addon -> highest k8s minor each addon version supports. The preflight compat-gate (compat-gate.py) reads the RUNNING version of each addon and blocks a k8s upgrade whose target minor exceeds what that running version supports — so the chain auto-halts + alerts instead of breaking on an unsupported addon. Keep current; sources are the addons' own k8s compat matrices (last refreshed 2026-06-19 for the 1.34->1.36 catch-up). max_k8s keys are addon-version floors (major.minor); value is the highest k8s minor that floor supports.",
+  "addons": [
+    {
+      "name": "calico",
+      "namespace": "calico-system",
+      "kind": "daemonset",
+      "resource": "calico-node",
+      "image_re": "node:v?([0-9]+\\.[0-9]+)",
+      "max_k8s": {
+        "3.26": "1.28",
+        "3.27": "1.29",
+        "3.28": "1.30",
+        "3.29": "1.32",
+        "3.30": "1.35",
+        "3.31": "1.35",
+        "3.32": "1.36"
+      }
+    },
+    {
+      "name": "external-secrets",
+      "namespace": "external-secrets",
+      "kind": "deployment",
+      "resource": "external-secrets",
+      "image_re": "external-secrets:v?([0-9]+\\.[0-9]+)",
+      "max_k8s": {
+        "0.12": "1.31",
+        "2.0": "1.35"
+      }
+    },
+    {
+      "name": "kyverno",
+      "namespace": "kyverno",
+      "kind": "deployment",
+      "resource": "kyverno-admission-controller",
+      "image_re": "kyverno:v?([0-9]+\\.[0-9]+)",
+      "max_k8s": {
+        "1.16": "1.34",
+        "1.18": "1.35"
+      }
+    },
+    {
+      "name": "gpu-operator",
+      "namespace": "nvidia",
+      "kind": "deployment",
+      "resource": "gpu-operator",
+      "image_re": "gpu-operator:v?([0-9]+\\.[0-9]+)",
+      "max_k8s": {
+        "25.10": "1.35",
+        "26.3": "1.36"
+      }
+    }
+  ],
+  "containerd_min": {
+    "1.37": "2.0"
+  }
+}
diff --git a/stacks/k8s-version-upgrade/scripts/compat-gate.py b/stacks/k8s-version-upgrade/scripts/compat-gate.py
new file mode 100644
index 00000000..22c95ac2
--- /dev/null
+++ b/stacks/k8s-version-upgrade/scripts/compat-gate.py
@@ -0,0 +1,167 @@
+#!/usr/bin/env python3
+"""
+Preflight compatibility gate for the k8s version-upgrade chain.
+
+Decides whether it is SAFE to auto-upgrade Kubernetes to a target version, so the
+chain can "upgrade whenever it can, and halt + alert when it can't" without a
+human in the loop. Reads the addon-compat matrix (JSON on stdin) and checks three
+classes of blocker:
+
+  1. addon compat  — every critical addon's RUNNING version must support the
+                     target k8s minor (Calico is the usual blocker)
+  2. removed APIs  — no in-use API (Prometheus apiserver_requested_deprecated_apis)
+                     is removed at/before the target minor
+  3. containerd    — every node's containerd >= the target's floor, if the matrix
+                     declares one (e.g. the 1.7.x -> k8s 1.37 cliff)
+
+Exit 0  = safe, proceed.
+Exit 2  = BLOCKED — prints one human reason per line (caller pushes
+          k8s_upgrade_blocked=1, Slacks the reasons, and halts the chain).
+Exit 3  = the gate itself errored — caller treats as a block (fail safe).
+
+Read-only: kubectl get + one Prometheus query. No mutations. PROM is overridable
+via $PROM for local testing (cluster DNS isn't resolvable off-cluster).
+"""
+import json
+import os
+import re
+import subprocess
+import sys
+import urllib.request
+
+PROM = os.environ.get("PROM", "http://prometheus-server.monitoring.svc.cluster.local:80")
+
+
+def minor(v):
+    """'v1.35.6' | '1.35.6' | '1.35' -> (1, 35); None if unparseable."""
+    m = re.search(r"(\d+)\.(\d+)", v or "")
+    return (int(m.group(1)), int(m.group(2))) if m else None
+
+
+def kget(args):
+    try:
+        r = subprocess.run(["kubectl", *args], capture_output=True, text=True, timeout=30)
+        return r.stdout.strip()
+    except Exception:
+        return ""
+
+
+def running_minor():
+    """Oldest kubelet minor across all nodes, as a (major, minor) tuple.
+
+    Mirrors the detector's "oldest kubelet" choice so a partially-upgraded
+    cluster is judged by its lowest node, not its newest. RUNNING_K8S overrides
+    for local testing. None if undeterminable (treated as a minor jump → the
+    addon checks run in full, fail-safe)."""
+    env = os.environ.get("RUNNING_K8S")
+    if env:
+        return minor(env)
+    out = kget(["get", "nodes", "-o",
+                "jsonpath={range .items[*]}{.status.nodeInfo.kubeletVersion}{\"\\n\"}{end}"])
+    minors = [minor(line) for line in out.splitlines() if minor(line)]
+    return min(minors) if minors else None
+
+
+def check_addons(matrix, tgt, running):
+    # A target at or below the RUNNING minor (a patch, or a same/lower minor)
+    # crosses into no new k8s minor, so every installed addon is already
+    # empirically proven on it — addon ceilings only constrain a true minor jump.
+    # Without this guard an addon whose matrix ceiling sits below the running
+    # minor (e.g. ESO 0.12 → 1.31 on a cluster already running 1.34) would
+    # false-block legitimate patch upgrades, defeating autonomous patching.
+    if running and tgt <= running:
+        return []
+    reasons = []
+    for a in matrix.get("addons", []):
+        img = kget(["-n", a["namespace"], "get", a["kind"], a["resource"],
+                    "-o", "jsonpath={.spec.template.spec.containers[*].image}"])
+        m = re.search(a["image_re"], img or "")
+        if not m:
+            # Fail safe: if we can't read the running version, don't upgrade blind.
+            reasons.append(f"addon {a['name']}: could not read running version "
+                           f"(img='{img or 'not found'}') — refusing to upgrade blind")
+            continue
+        running = m.group(1)  # e.g. "3.26"
+        # max_k8s maps an addon-version floor -> highest supported k8s minor.
+        # Pick the highest floor that is <= the running version.
+        max_k8s = None
+        for floor, mk in sorted(a["max_k8s"].items(), key=lambda kv: minor(kv[0]), reverse=True):
+            if minor(running) >= minor(floor):
+                max_k8s = mk
+                break
+        if max_k8s is None:
+            reasons.append(f"addon {a['name']} v{running}: below the lowest version "
+                           f"in the compat matrix — unknown k8s support")
+            continue
+        if tgt > minor(max_k8s):
+            reasons.append(f"addon {a['name']} v{running} supports k8s <= {max_k8s}; "
+                           f"target {tgt[0]}.{tgt[1]} exceeds it — upgrade {a['name']} first")
+    return reasons
+
+
+def check_removed_apis(tgt):
+    reasons = []
+    try:
+        url = PROM + "/api/v1/query?query=apiserver_requested_deprecated_apis"
+        data = json.load(urllib.request.urlopen(url, timeout=20))
+        for s in data.get("data", {}).get("result", []):
+            lbl = s["metric"]
+            rr = lbl.get("removed_release", "")
+            if rr and minor(rr) and tgt >= minor(rr):
+                g = lbl.get("group") or "core"
+                reasons.append(f"deprecated API {g}/{lbl.get('version')} "
+                               f"{lbl.get('resource')} is in use and is removed in "
+                               f"k8s {rr} (target {tgt[0]}.{tgt[1]}) — migrate callers first")
+    except Exception as e:
+        reasons.append(f"removed-API check could not query Prometheus ({e}) — "
+                       f"refusing to upgrade blind")
+    return reasons
+
+
+def check_containerd(matrix, tgt):
+    reasons = []
+    floor = matrix.get("containerd_min", {}).get(f"{tgt[0]}.{tgt[1]}")
+    if not floor:
+        return reasons
+    out = kget(["get", "nodes", "-o",
+                "jsonpath={range .items[*]}{.metadata.name}{\" \"}"
+                "{.status.nodeInfo.containerRuntimeVersion}{\"\\n\"}{end}"])
+    for line in out.splitlines():
+        if not line.strip():
+            continue
+        name, _, ver = line.partition(" ")
+        cv = ver.replace("containerd://", "")
+        if minor(cv) and minor(cv) < minor(floor):
+            reasons.append(f"node {name} containerd {cv} < required {floor} "
+                           f"for k8s {tgt[0]}.{tgt[1]} — bump containerd first")
+    return reasons
+
+
+def main():
+    if len(sys.argv) < 2:
+        print("usage: compat-gate.py <target-k8s-version>  (matrix JSON on stdin)")
+        sys.exit(3)
+    tgt = minor(sys.argv[1])
+    if not tgt:
+        print(f"bad target version '{sys.argv[1]}'")
+        sys.exit(3)
+    try:
+        matrix = json.load(sys.stdin)
+    except Exception as e:
+        print(f"could not parse compat matrix JSON: {e}")
+        sys.exit(3)
+
+    running = running_minor()
+    reasons = (check_addons(matrix, tgt, running)
+               + check_removed_apis(tgt)
+               + check_containerd(matrix, tgt))
+    if reasons:
+        for r in reasons:
+            print(r)
+        sys.exit(2)
+    print(f"compat-gate OK: cluster is safe to upgrade to {sys.argv[1]}")
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/stacks/k8s-version-upgrade/scripts/nightly-report.py b/stacks/k8s-version-upgrade/scripts/nightly-report.py
new file mode 100644
index 00000000..63b862ea
--- /dev/null
+++ b/stacks/k8s-version-upgrade/scripts/nightly-report.py
@@ -0,0 +1,224 @@
+#!/usr/bin/env python3
+"""Nightly k8s-upgrade report -> Slack.
+
+Runs each morning (CronJob k8s-upgrade-nightly-report) after the 23:00 UTC
+version-check chain has finished. Reads the chain's Pushgateway gauges + live
+cluster state and posts ONE concise, actionable report to Slack so the
+autonomous upgrader's nightly outcome — and any blocker holding it back — is
+visible at a glance during the upgrade-cleanup window.
+
+Outcomes it distinguishes:
+  ⚪ no upgrade needed     — cluster already at the latest supported patch
+  🔴 BLOCKED              — compat gate refused the target; lists live reasons
+  🟢 UPGRADED             — all nodes now on the detected target
+  🟡 in progress / passed — gate passed, chain mid-flight (or partial)
+  ⚠️  detector STALE       — the 23:00 detector did not run last night
+
+Read-only. The pure helpers (parse_metrics / select / fmt_age / compose_report)
+are unit-tested in test_nightly_report.py; all I/O (kubectl, Pushgateway, the
+compat-gate subprocess, Slack) lives in thin wrappers below them.
+"""
+import json
+import os
+import re
+import subprocess
+import sys
+import urllib.request
+
+PUSHGW = os.environ.get("PUSHGW", "http://prometheus-prometheus-pushgateway.monitoring:9091/metrics")
+SLACK_FILE = os.environ.get("SLACK_FILE", "/secrets/k8s-upgrade/slack_webhook")
+SCRIPTS_DIR = os.environ.get("SCRIPTS_DIR", "/scripts")
+STALE_SECONDS = 90000  # ~25h: a nightly detector older than this didn't run last night
+
+_METRIC_RE = re.compile(r"^(?P<name>\w+)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>[-+0-9.eE]+)\s*$")
+_LABEL_RE = re.compile(r'(\w+)="([^"]*)"')
+
+
+# ---------------------------------------------------------------- pure helpers
+def parse_metrics(text):
+    """Prometheus text exposition -> list of (name, {labels}, float value)."""
+    out = []
+    for line in (text or "").splitlines():
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+        m = _METRIC_RE.match(line)
+        if not m:
+            continue
+        labels = dict(_LABEL_RE.findall(m.group("labels") or ""))
+        try:
+            val = float(m.group("value"))
+        except ValueError:
+            continue
+        out.append((m.group("name"), labels, val))
+    return out
+
+
+def select(metrics, name):
+    """All (labels, value) tuples for a given metric name."""
+    return [(lbl, val) for (n, lbl, val) in metrics if n == name]
+
+
+def fmt_age(seconds):
+    if seconds < 0:
+        return "in the future?!"
+    if seconds < 3600:
+        return f"{int(seconds // 60)}m ago"
+    if seconds < 86400:
+        return f"{seconds / 3600:.1f}h ago"
+    return f"{seconds / 86400:.1f}d ago"
+
+
+def compose_report(now_ts, nodes, metrics, blocker_reasons, jobs):
+    """Build the Slack message text from gathered facts. PURE.
+
+    nodes: list of (name, kubeletVersion). metrics: parse_metrics() output.
+    blocker_reasons: multi-line str (compat-gate output) or None.
+    jobs: list of {name, status, age_s}.
+    """
+    # kubelet reports "v1.35.6" but the gauges carry "1.35.6" — normalise so the
+    # UPGRADED comparison against the target actually matches.
+    versions = sorted({v.lstrip("v") for _, v in nodes})
+    if len(versions) == 1:
+        node_line = f"Running: *{versions[0]}* (all {len(nodes)} nodes uniform)"
+    elif versions:
+        node_line = f"Running: *MIXED* {', '.join(versions)} across {len(nodes)} nodes"
+    else:
+        node_line = "Running: *unknown* (could not read nodes)"
+
+    lr = select(metrics, "k8s_version_check_last_run_timestamp")
+    stale = False
+    if lr:
+        age = now_ts - lr[0][1]
+        stale = age > STALE_SECONDS
+        run_line = f"Last detector run: {fmt_age(age)} ({'STALE ⚠️' if stale else 'fresh ✓'})"
+    else:
+        run_line = "Last detector run: *unknown* (no metric)"
+        stale = True
+
+    avail = [(lbl, val) for lbl, val in select(metrics, "k8s_upgrade_available") if val == 1]
+    blocked = any(val == 1 for _, val in select(metrics, "k8s_upgrade_blocked"))
+
+    if avail:
+        lbl = avail[0][0]
+        target = lbl.get("target", "?")
+        kind = lbl.get("kind", "?")
+        tgt_line = f"Detected target: *{target}* ({kind})"
+        if blocked:
+            headline = f"🔴 BLOCKED — compat gate refused {target}"
+        elif len(versions) == 1 and target == versions[0]:
+            headline = f"🟢 UPGRADED — all nodes now on {target}"
+        else:
+            headline = f"🟡 IN PROGRESS / gate passed for {target}"
+    else:
+        target = None
+        tgt_line = "Detected target: none"
+        headline = "⚪ No upgrade needed (cluster at latest supported patch)"
+
+    if stale:
+        headline = "⚠️ Detector did not run last night — " + headline
+
+    msg = [f"*[k8s-upgrade nightly]* {headline}", node_line, run_line, tgt_line]
+
+    if blocked and blocker_reasons:
+        msg.append("Blockers (live):")
+        for r in blocker_reasons.splitlines():
+            r = r.strip()
+            if r:
+                msg.append(f"  • {r}")
+
+    if jobs:
+        msg.append("Chain jobs (recent):")
+        for j in jobs:
+            msg.append(f"  • {j['name']}: {j['status']} ({fmt_age(j['age_s'])})")
+
+    return "\n".join(msg)
+
+
+# ----------------------------------------------------------------------- I/O
+def _kubectl_json(args):
+    try:
+        r = subprocess.run(["kubectl", *args], capture_output=True, text=True, timeout=30)
+        return json.loads(r.stdout) if r.stdout.strip() else {}
+    except Exception:
+        return {}
+
+
+def get_nodes():
+    d = _kubectl_json(["get", "nodes", "-o", "json"])
+    return [(it["metadata"]["name"],
+             it.get("status", {}).get("nodeInfo", {}).get("kubeletVersion", "?"))
+            for it in d.get("items", [])]
+
+
+def _job_status(it):
+    st = it.get("status", {})
+    for c in st.get("conditions", []):
+        if c.get("type") == "Failed" and c.get("status") == "True":
+            return "Failed"
+        if c.get("type") == "Complete" and c.get("status") == "True":
+            return "Complete"
+    if st.get("active"):
+        return "Active"
+    return "Pending"
+
+
+def get_jobs(now_ts):
+    import datetime
+    d = _kubectl_json(["-n", "k8s-upgrade", "get", "jobs", "-o", "json"])
+    out = []
+    for it in d.get("items", []):
+        ct = it["metadata"].get("creationTimestamp")
+        try:
+            age = now_ts - datetime.datetime.strptime(
+                ct, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=datetime.timezone.utc).timestamp()
+        except Exception:
+            age = 0
+        if age <= 93600:  # last 26h only
+            out.append({"name": it["metadata"]["name"], "status": _job_status(it), "age_s": age})
+    return sorted(out, key=lambda j: j["age_s"])
+
+
+def get_blocker_reasons(target):
+    try:
+        with open(f"{SCRIPTS_DIR}/addon-compat.json") as f:
+            matrix = f.read()
+        r = subprocess.run(["python3", f"{SCRIPTS_DIR}/compat-gate.py", target],
+                           input=matrix, capture_output=True, text=True, timeout=60)
+        return r.stdout.strip()
+    except Exception as e:
+        return f"(could not run compat-gate: {e})"
+
+
+def post_slack(text):
+    if os.environ.get("DRY_RUN"):
+        return  # main() always prints the message; DRY_RUN just skips the POST
+    with open(SLACK_FILE) as f:
+        url = f.read().strip()
+    data = json.dumps({"text": text}).encode()
+    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
+    urllib.request.urlopen(req, timeout=20)
+
+
+def main():
+    import time
+    now_ts = float(os.environ.get("NOW_TS", "")) if os.environ.get("NOW_TS") else time.time()
+    try:
+        metrics_txt = urllib.request.urlopen(PUSHGW, timeout=20).read().decode()
+    except Exception:
+        metrics_txt = ""
+    metrics = parse_metrics(metrics_txt)
+    nodes = get_nodes()
+    jobs = get_jobs(now_ts)
+
+    avail = [(lbl, val) for lbl, val in select(metrics, "k8s_upgrade_available") if val == 1]
+    blocked = any(val == 1 for _, val in select(metrics, "k8s_upgrade_blocked"))
+    reasons = get_blocker_reasons(avail[0][0].get("target", "")) if (avail and blocked) else None
+
+    msg = compose_report(now_ts, nodes, metrics, reasons, jobs)
+    post_slack(msg)
+    print(msg)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/stacks/k8s-version-upgrade/scripts/test_compat_gate.py b/stacks/k8s-version-upgrade/scripts/test_compat_gate.py
new file mode 100644
index 00000000..3b688f6e
--- /dev/null
+++ b/stacks/k8s-version-upgrade/scripts/test_compat_gate.py
@@ -0,0 +1,97 @@
+"""Unit tests for the k8s-upgrade compat gate (compat-gate.py).
+
+Run: pytest stacks/k8s-version-upgrade/scripts/test_compat_gate.py
+
+The module filename has a hyphen so it is loaded via importlib rather than a
+plain import. kget() (kubectl) is monkeypatched so the addon checks read a
+controlled "running" image without a live cluster.
+"""
+import importlib.util
+import pathlib
+
+HERE = pathlib.Path(__file__).parent
+_spec = importlib.util.spec_from_file_location("compat_gate", HERE / "compat-gate.py")
+cg = importlib.util.module_from_spec(_spec)
+_spec.loader.exec_module(cg)
+
+# Single-addon matrices keep each test's intent obvious.
+ESO_MATRIX = {
+    "addons": [{
+        "name": "external-secrets",
+        "namespace": "external-secrets",
+        "kind": "deployment",
+        "resource": "external-secrets",
+        "image_re": r"external-secrets:v(\d+\.\d+)",
+        "max_k8s": {"0.12": "1.31", "2.0": "1.35"},
+    }]
+}
+CALICO_MATRIX = {
+    "addons": [{
+        "name": "calico",
+        "namespace": "calico-system",
+        "kind": "daemonset",
+        "resource": "calico-node",
+        "image_re": r"node:v(\d+\.\d+)",
+        "max_k8s": {"3.26": "1.28", "3.30": "1.35", "3.32": "1.36"},
+    }]
+}
+
+
+def _img(monkeypatch, image):
+    monkeypatch.setattr(cg, "kget", lambda args: image)
+
+
+def test_minor_jump_blocks_when_addon_ceiling_below_target(monkeypatch):
+    # running 1.34, target 1.35: ESO 0.12 ceiling 1.31 < 1.35 -> block.
+    _img(monkeypatch, "external-secrets/external-secrets:v0.12.1")
+    reasons = cg.check_addons(ESO_MATRIX, (1, 35), (1, 34))
+    assert any("external-secrets" in r for r in reasons), reasons
+
+
+def test_patch_within_running_minor_not_blocked(monkeypatch):
+    # running 1.34, target 1.34.x patch: ceiling 1.31 < 1.34, BUT the cluster
+    # already runs ESO 0.12 on 1.34, so a patch is empirically safe -> no block.
+    _img(monkeypatch, "external-secrets/external-secrets:v0.12.1")
+    reasons = cg.check_addons(ESO_MATRIX, (1, 34), (1, 34))
+    assert reasons == [], reasons
+
+
+def test_target_below_running_not_blocked(monkeypatch):
+    # defensive: a target minor below running is never addon-blocked.
+    _img(monkeypatch, "external-secrets/external-secrets:v0.12.1")
+    reasons = cg.check_addons(ESO_MATRIX, (1, 33), (1, 34))
+    assert reasons == [], reasons
+
+
+def test_same_minor_addon_supports_target(monkeypatch):
+    # running 1.34, target 1.35, calico 3.30 supports 1.35 -> no block.
+    _img(monkeypatch, "quay.io/calico/node:v3.30.7")
+    reasons = cg.check_addons(CALICO_MATRIX, (1, 35), (1, 34))
+    assert reasons == [], reasons
+
+
+def test_unreadable_addon_failsafe_on_minor_jump(monkeypatch):
+    # can't read running version on a real minor jump -> fail safe (block).
+    _img(monkeypatch, "")
+    reasons = cg.check_addons(ESO_MATRIX, (1, 35), (1, 34))
+    assert any("upgrade blind" in r or "could not read" in r for r in reasons), reasons
+
+
+def test_unreadable_addon_ignored_on_patch(monkeypatch):
+    # patch within running minor: addon checks are skipped entirely, so an
+    # unreadable image must NOT fail-safe-block a legitimate patch.
+    _img(monkeypatch, "")
+    reasons = cg.check_addons(ESO_MATRIX, (1, 34), (1, 34))
+    assert reasons == [], reasons
+
+
+def test_running_minor_env_override(monkeypatch):
+    monkeypatch.setenv("RUNNING_K8S", "1.34.9")
+    assert cg.running_minor() == (1, 34)
+
+
+def test_running_minor_from_kubectl(monkeypatch):
+    monkeypatch.delenv("RUNNING_K8S", raising=False)
+    # oldest kubelet wins (mirrors the detector): node2 on 1.33 is the floor.
+    monkeypatch.setattr(cg, "kget", lambda args: "v1.34.9\nv1.33.5\nv1.34.9")
+    assert cg.running_minor() == (1, 33)
diff --git a/stacks/k8s-version-upgrade/scripts/test_nightly_report.py b/stacks/k8s-version-upgrade/scripts/test_nightly_report.py
new file mode 100644
index 00000000..11c7e4d1
--- /dev/null
+++ b/stacks/k8s-version-upgrade/scripts/test_nightly_report.py
@@ -0,0 +1,81 @@
+"""Unit tests for nightly-report.py (pure helpers only).
+
+Run: pytest stacks/k8s-version-upgrade/scripts/test_nightly_report.py
+Loaded via importlib because the filename has a hyphen.
+"""
+import importlib.util
+import pathlib
+
+HERE = pathlib.Path(__file__).parent
+_spec = importlib.util.spec_from_file_location("nightly_report", HERE / "nightly-report.py")
+nr = importlib.util.module_from_spec(_spec)
+_spec.loader.exec_module(nr)
+
+LAST_RUN = 1781996424.0  # 2026-06-20T23:00:24Z — matches last night's gauge
+METRICS_BLOCKED = f"""# TYPE k8s_upgrade_available gauge
+k8s_upgrade_available{{instance="",job="k8s-version-check",kind="minor",running="1.34.9",target="1.35.6"}} 1
+k8s_upgrade_blocked{{instance="",job="k8s-version-upgrade"}} 1
+k8s_version_check_last_run_timestamp{{instance="",job="k8s-version-check"}} {LAST_RUN}
+"""
+NODES_UNIFORM = [(f"k8s-node{i}", "v1.34.9") for i in range(7)]
+
+
+def test_parse_metrics_basic():
+    m = nr.parse_metrics(METRICS_BLOCKED)
+    names = {n for n, _, _ in m}
+    assert names == {"k8s_upgrade_available", "k8s_upgrade_blocked", "k8s_version_check_last_run_timestamp"}
+    avail = nr.select(m, "k8s_upgrade_available")
+    assert avail[0][0]["target"] == "1.35.6"
+    assert avail[0][0]["kind"] == "minor"
+    assert avail[0][1] == 1.0
+
+
+def test_parse_metrics_ignores_comments_and_junk():
+    assert nr.parse_metrics("# HELP foo\n\ngarbage line\n") == []
+
+
+def test_fmt_age():
+    assert nr.fmt_age(120) == "2m ago"
+    assert nr.fmt_age(7200) == "2.0h ago"
+    assert nr.fmt_age(172800) == "2.0d ago"
+
+
+def test_compose_blocked_lists_reasons():
+    m = nr.parse_metrics(METRICS_BLOCKED)
+    reasons = ("addon external-secrets v0.12 supports k8s <= 1.31; target 1.35 exceeds it\n"
+               "addon kyverno v1.16 supports k8s <= 1.34; target 1.35 exceeds it")
+    out = nr.compose_report(LAST_RUN + 30000, NODES_UNIFORM, m, reasons, [])
+    assert "🔴 BLOCKED" in out and "1.35.6" in out
+    assert "external-secrets" in out and "kyverno" in out
+    assert "all 7 nodes uniform" in out
+    assert "fresh ✓" in out
+
+
+def test_compose_noop_when_no_target():
+    m = nr.parse_metrics(f'k8s_version_check_last_run_timestamp{{}} {LAST_RUN}\n')
+    out = nr.compose_report(LAST_RUN + 30000, NODES_UNIFORM, m, None, [])
+    assert "⚪ No upgrade needed" in out
+
+
+def test_compose_upgraded_when_nodes_match_target():
+    m = nr.parse_metrics(f"""k8s_upgrade_available{{kind="minor",target="1.35.6"}} 1
+k8s_upgrade_blocked{{}} 0
+k8s_version_check_last_run_timestamp{{}} {LAST_RUN}
+""")
+    nodes = [(f"k8s-node{i}", "v1.35.6") for i in range(7)]
+    out = nr.compose_report(LAST_RUN + 30000, nodes, m, None, [])
+    assert "🟢 UPGRADED" in out and "1.35.6" in out
+
+
+def test_compose_stale_detector_flagged():
+    m = nr.parse_metrics(METRICS_BLOCKED)
+    out = nr.compose_report(LAST_RUN + 200000, NODES_UNIFORM, m, "x", [])  # ~55h later
+    assert "Detector did not run last night" in out
+    assert "STALE" in out
+
+
+def test_compose_includes_recent_jobs():
+    m = nr.parse_metrics(METRICS_BLOCKED)
+    jobs = [{"name": "k8s-upgrade-preflight-1-35-6", "status": "Failed", "age_s": 3600}]
+    out = nr.compose_report(LAST_RUN + 30000, NODES_UNIFORM, m, "x", jobs)
+    assert "k8s-upgrade-preflight-1-35-6: Failed" in out
diff --git a/stacks/k8s-version-upgrade/scripts/upgrade-step.sh b/stacks/k8s-version-upgrade/scripts/upgrade-step.sh
index b10b395d..d393862c 100644
--- a/stacks/k8s-version-upgrade/scripts/upgrade-step.sh
+++ b/stacks/k8s-version-upgrade/scripts/upgrade-step.sh
@@ -1,25 +1,23 @@
 #!/usr/bin/env bash
 #
 # Universal upgrade-step body. Each Job in the k8s-version-upgrade chain runs
-# this once, dispatching on $PHASE. On success it computes the next phase and
-# spawns the next Job. The chain is:
+# this once, dispatching on $PHASE. On success it computes the next phase from
+# LIVE cluster state and spawns the next Job. The chain is:
 #
-#   preflight  (run on k8s-node1)
+#   preflight  (run on the first worker)
 #     ↓
-#   master     (drains k8s-master; run on k8s-node1)
-#     ↓
-#   worker k8s-node4   (run on k8s-node1)
-#     ↓
-#   worker k8s-node3   (run on k8s-node1)
-#     ↓
-#   worker k8s-node2   (run on k8s-node1)
-#     ↓
-#   worker k8s-node1   (drains k8s-node1; run on k8s-master with control-plane toleration)
+#   master     (drains k8s-master; run on the first worker = the "runner")
 #     ↓
+#   worker <W> (drains <W>; run on k8s-master w/ control-plane toleration)   ── repeats
+#     ↓         for EVERY worker still off-target, enumerated from kubectl
 #   postflight (no node pinning)
 #
-# k8s-node1 hosts every Job except the one that drains k8s-node1 itself.
-# k8s-node1 is therefore upgraded LAST.
+# The worker list is derived dynamically (worker_nodes / next_pending_worker),
+# so newly-added nodes are upgraded with no script change — the old hardcoded
+# master→node4→3→2→1 chain silently skipped node5/node6 (added 2026-05-26).
+# Self-preemption invariant: a Job never runs on the node it drains — the
+# master-drain Job runs on a worker; each worker-drain Job runs on the
+# already-upgraded master. SSH targets are node InternalIPs (no DNS dependency).
 #
 # Required env vars (set on the Job pod by job-template.yaml):
 #   PHASE              preflight | master | worker | postflight
@@ -39,13 +37,11 @@ KUBECTL=kubectl
 JOB_TEMPLATE=/template/job-template.yaml
 UPDATE_K8S_SH=/scripts/update_k8s.sh
 
-# Pod-side DNS: the cluster's CoreDNS has search domains
-# `<ns>.svc.cluster.local svc.cluster.local cluster.local` (plus ndots=2 via
-# Kyverno mutation). Unqualified `k8s-master` falls through all of these and
-# then queries the upstream DNS (Technitium) for bare `k8s-master`, which
-# returns NXDOMAIN. The FQDN `k8s-master.viktorbarzin.lan` is what Technitium
-# actually serves. Suffix every node SSH target with this domain.
-NODE_DOMAIN=".viktorbarzin.lan"
+# SSH targets are node InternalIPs, resolved live from `kubectl get nodes` (see
+# ssh_target() below) — the pipeline has NO dependency on node DNS records
+# (`k8s-node<N>.viktorbarzin.lan`). This is what lets a freshly-joined node be
+# upgraded with zero DNS/Kea provisioning. (Was FQDN-based until 2026-06-17:
+# node5/node6 had no .viktorbarzin.lan records, which blocked the 1.34.9 chain.)
 
 # SSH key must be 0400 — refresh from secret mount (defaultMode does this but
 # bind-mount semantics can preserve loose perms; chmod is idempotent).
@@ -92,6 +88,19 @@ push() {
     | curl -sS --data-binary @- "$PG" || echo "warn: pushgateway push failed"
 }
 
+# Auto-upgrade safety: a preflight compat-gate refusal is a BLOCK, not a crash —
+# the cluster simply isn't ready for this target yet (an addon / in-use API /
+# containerd is too old). Record it (k8s_upgrade_blocked=1 -> K8sUpgradeBlocked
+# alert), Slack the reasons, and halt so a human clears the blocker (or a later
+# run proceeds once it's cleared). This is the "upgrade when we can, alert when
+# we can't" contract.
+block() {
+  push k8s_upgrade_blocked 1
+  slack "BLOCKED preflight (target v$TARGET_VERSION) — auto-upgrade halted, needs attention:\n$1"
+  echo "BLOCKED: $1" >&2
+  exit 1
+}
+
 halt_on_alert_query() {
   local extra_ignore="${1:-}"
   # ALLOWLIST design (refactored 2026-05-23 from a denylist): halt only on
@@ -183,36 +192,66 @@ drain_node() {
 }
 
 # ---------------------------------------------------------------------------
-# Chain definition — what comes after the current phase
+# Cluster topology — derived live so new nodes are covered automatically
+# ---------------------------------------------------------------------------
+# The old chain hardcoded master→node4→3→2→1 and silently skipped node5/node6
+# (added 2026-05-26). Everything below enumerates nodes from `kubectl get nodes`
+# instead, and SSHes by InternalIP (no .viktorbarzin.lan DNS record needed), so
+# a freshly-joined worker is upgraded with ZERO pipeline changes.
+#
+# Self-preemption invariant preserved: a phase Job never runs on the node it
+# drains. The master-drain Job runs on a worker (the "runner"); every
+# worker-drain Job runs on the (already-upgraded) master.
+worker_nodes() { $KUBECTL get nodes -l '!node-role.kubernetes.io/control-plane' \
+  -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' | sort; }
+all_nodes() { { echo k8s-master; worker_nodes; } | sed '/^$/d'; }
+# SSH target = the node's InternalIP (avoids any DNS dependency).
+ssh_target() { echo "wizard@$($KUBECTL get node "$1" \
+  -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')"; }
+# First worker not yet on $TARGET_VERSION, excluding $1 (the node the current
+# phase is upgrading — still pending when this runs). Empty → all workers done.
+next_pending_worker() {
+  local n v exclude="${1:-}"
+  while read -r n; do
+    [ -z "$n" ] && continue
+    [ "$n" = "$exclude" ] && continue
+    v=$($KUBECTL get node "$n" -o jsonpath='{.status.nodeInfo.kubeletVersion}' 2>/dev/null | tr -d v)
+    [ "$v" != "$TARGET_VERSION" ] && { echo "$n"; return 0; }
+  done < <(worker_nodes)
+  # No worker left off-target. Explicit success — the loop's final `read` exits
+  # 1 at EOF, and `next_w="$(next_pending_worker …)"` under `set -e` would abort
+  # the chain BEFORE the postflight branch (cluster upgraded but no cleanup /
+  # in_flight reset / success). Verified blocker — keep this return 0.
+  return 0
+}
+
+# ---------------------------------------------------------------------------
+# Chain definition — what comes after the current phase (dynamic)
 # ---------------------------------------------------------------------------
 
 NEXT_PHASE=""
 NEXT_TARGET_NODE=""
 NEXT_RUN_ON=""
 
-case "${PHASE}:${TARGET_NODE:-}" in
-  preflight:)
+case "$PHASE" in
+  preflight)
+    # master upgrade drains the control-plane node → its Job runs on a worker.
     NEXT_PHASE=master
-    NEXT_RUN_ON=k8s-node1 ;;
-  master:)
-    NEXT_PHASE=worker; NEXT_TARGET_NODE=k8s-node4
-    NEXT_RUN_ON=k8s-node1 ;;
-  worker:k8s-node4)
-    NEXT_PHASE=worker; NEXT_TARGET_NODE=k8s-node3
-    NEXT_RUN_ON=k8s-node1 ;;
-  worker:k8s-node3)
-    NEXT_PHASE=worker; NEXT_TARGET_NODE=k8s-node2
-    NEXT_RUN_ON=k8s-node1 ;;
-  worker:k8s-node2)
-    NEXT_PHASE=worker; NEXT_TARGET_NODE=k8s-node1
-    NEXT_RUN_ON=k8s-master ;;  # control-plane toleration required
-  worker:k8s-node1)
-    NEXT_PHASE=postflight
-    NEXT_RUN_ON="" ;;          # no node pinning for postflight
-  postflight:)
-    NEXT_PHASE="" ;;           # end of chain
+    NEXT_RUN_ON="$(worker_nodes | head -1)" ;;
+  master | worker)
+    # Next worker still off-target (excluding the one this phase handled). Its
+    # Job runs on the already-upgraded master (k8s-master, control-plane
+    # toleration). Dynamic → every worker incl. node5/6 + any future node.
+    next_w="$(next_pending_worker "${TARGET_NODE:-}")"
+    if [ -n "$next_w" ]; then
+      NEXT_PHASE=worker; NEXT_TARGET_NODE="$next_w"; NEXT_RUN_ON=k8s-master
+    else
+      NEXT_PHASE=postflight; NEXT_RUN_ON=""   # all workers on target
+    fi ;;
+  postflight)
+    NEXT_PHASE="" ;;                          # end of chain
   *)
-    echo "ERROR: unknown phase/target combo: ${PHASE}/${TARGET_NODE:-}" >&2
+    echo "ERROR: unknown phase: $PHASE" >&2
     exit 2 ;;
 esac
 
@@ -222,9 +261,23 @@ spawn_next() {
   local job_name="k8s-upgrade-${NEXT_PHASE}-${TARGET_VERSION//./-}"
   [ -n "${NEXT_TARGET_NODE:-}" ] && job_name="${job_name}-${NEXT_TARGET_NODE}"
 
+  # Retry-on-failure idempotency: skip an existing next-Job ONLY if it is
+  # Active or Complete. A *Failed* Job (a phase that aborted on a transient
+  # gate) is deleted and re-created — otherwise its deterministic name plus
+  # ttlSecondsAfterFinished (7d) would block the whole chain from re-running
+  # that phase until the dead Job aged out. (Stuck-pipeline fix 2026-06-17:
+  # a transient critical alert wedged the 1.34.9 preflight for 5 days.)
   if $KUBECTL -n "$NS" get job "$job_name" >/dev/null 2>&1; then
-    echo "Next Job $job_name already exists; idempotent skip."
-    return 0
+    local job_failed
+    job_failed=$($KUBECTL -n "$NS" get job "$job_name" \
+      -o jsonpath='{.status.conditions[?(@.type=="Failed")].status}' 2>/dev/null || true)
+    if [ "$job_failed" = "True" ]; then
+      echo "Next Job $job_name exists but FAILED — deleting and re-spawning."
+      $KUBECTL -n "$NS" delete job "$job_name" --wait=true >/dev/null 2>&1 || true
+    else
+      echo "Next Job $job_name already exists (active/complete); idempotent skip."
+      return 0
+    fi
   fi
 
   local scheduling_block=""
@@ -259,6 +312,19 @@ spawn_next() {
 phase_preflight() {
   slack "Starting preflight (target v$TARGET_VERSION, kind=$KIND)"
 
+  # 0. Auto-upgrade compat gate (compat-gate.py): refuse the upgrade if a critical
+  #    addon, an in-use deprecated API, or a node's containerd is too old for the
+  #    target. Runs FIRST — before any mutation (etcd snapshot, drains) — so a
+  #    block is cheap. Reset the blocked gauge for this run; block() sets it to 1
+  #    only on a refusal. This is what makes unattended minor upgrades safe: the
+  #    chain proceeds when the cluster supports the target and halts+alerts when
+  #    it doesn't (e.g. Calico/ESO/kyverno behind, or a removed API still in use).
+  push k8s_upgrade_blocked 0
+  local gate_out gate_rc=0
+  gate_out=$(python3 /scripts/compat-gate.py "$TARGET_VERSION" < /scripts/addon-compat.json 2>&1) || gate_rc=$?
+  if [ "$gate_rc" -ne 0 ]; then block "$gate_out"; fi
+  echo "compat-gate passed for v$TARGET_VERSION"
+
   # 1. All nodes Ready + no pressure
   local bad_nodes
   bad_nodes=$($KUBECTL get nodes -o json | jq -r '
@@ -292,25 +358,95 @@ phase_preflight() {
   # reboot for an hour. 10min is sufficient for kubelet/control-plane to
   # stabilise; the kured-sentinel-gate DaemonSet enforces the broader
   # 24h-between-cluster-reboots invariant.
-  local recent=0
+  local recent=0 now_ep ts_ep
+  now_ep=$(date -u +%s)
   while IFS= read -r ts; do
     [ -z "$ts" ] && continue
-    local diff=$(( $(date +%s) - $(date -d "$ts" +%s) ))
-    if [ "$diff" -lt 600 ]; then recent=1; break; fi
+    # Portable ISO8601(UTC) -> epoch. GNU `date -d` parses ISO8601 directly;
+    # busybox `date` (the ghcr claude-agent-service base) does NOT and needs an
+    # explicit -D format. Before 2026-06-17 the bare `date -d "$ts"` silently
+    # failed on busybox, making this whole settle-window check a no-op. On
+    # parse failure, warn + skip the node (never silently treat it as quiet).
+    ts_ep=$(date -u -d "$ts" +%s 2>/dev/null || true)
+    if [ -z "$ts_ep" ]; then ts_ep=$(date -u -D '%Y-%m-%dT%H:%M:%SZ' -d "$ts" +%s 2>/dev/null || true); fi
+    if [ -z "$ts_ep" ]; then echo "WARN quiet-baseline: cannot parse Ready ts '$ts' (date impl?); skipping"; continue; fi
+    if [ "$(( now_ep - ts_ep ))" -lt 600 ]; then recent=1; break; fi
   done < <($KUBECTL get nodes -o jsonpath='{range .items[*]}{range .status.conditions[?(@.type=="Ready")]}{.lastTransitionTime}{"\n"}{end}{end}')
   if [ "$recent" -eq 1 ]; then
     slack "ABORT preflight — node transitioned Ready <10min ago (settle window)"
     exit 1
   fi
 
-  # 4. kubeadm upgrade plan matches target
-  local plan_target
-  plan_target=$(ssh "${SSH_OPTS[@]}" "wizard@k8s-master$NODE_DOMAIN" 'sudo kubeadm upgrade plan' \
-    | grep -oE 'kubeadm upgrade apply v[0-9]+\.[0-9]+\.[0-9]+' \
-    | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1 | tr -d v)
-  if [ "$plan_target" != "$TARGET_VERSION" ]; then
-    slack "ABORT preflight — kubeadm plan target $plan_target ≠ requested $TARGET_VERSION"
-    exit 1
+  # 4. kubeadm upgrade plan matches target. `plan` runs the same CoreDNS
+  # preflight as `apply`; once master's kubeadm is on the new version it errors
+  # on a Keel-drifted CoreDNS (start version unsupported) and, under pipefail,
+  # aborts this whole check. Ignore the two CoreDNS checks here too so plan
+  # still emits its "kubeadm upgrade apply vX.Y.Z" line. (See update_k8s.sh.)
+  #
+  # SKIP this gate when k8s-master is ALREADY on TARGET_VERSION — a partial-chain
+  # resume (master + earlier workers done, later workers still pending). `kubeadm
+  # upgrade plan` run on an at-target master prints NO "kubeadm upgrade apply
+  # vX.Y.Z" line, so the parse below yields an EMPTY plan_target and the `!=`
+  # check aborts every run — even though the chain just needs to finish the
+  # remaining workers (phase_master self-skips an at-target master the same way,
+  # below). Confirmed root cause of the 1.34.9 preflight aborts (2026-06-18):
+  # master was already on 1.34.9 while node2-6 lagged on 1.34.8, so every nightly
+  # preflight died here with an empty `plan target  ≠ requested 1.34.9`.
+  local master_kubelet_v
+  master_kubelet_v=$($KUBECTL get node k8s-master -o jsonpath='{.status.nodeInfo.kubeletVersion}' 2>/dev/null | tr -d v)
+  if [ "$master_kubelet_v" = "$TARGET_VERSION" ]; then
+    slack "preflight — k8s-master already on v$TARGET_VERSION; skipping kubeadm-plan-target gate (workers still pending)"
+    echo "k8s-master already on v$TARGET_VERSION — skipping kubeadm-plan-target gate"
+  else
+    # Pass the EXPLICIT target version. Without it, `kubeadm upgrade plan` (run by
+    # the OLD kubeadm still on master) auto-proposes only the current minor's
+    # latest patch — fine for a patch upgrade, but for a MINOR upgrade it never
+    # proposes the next minor, so plan_target came back as 1.34.x (or empty,
+    # "falling back to stable-1.34") and this gate ABORTED every 1.35 attempt
+    # (blocked last night's 1.34.9->1.35.6 run even though the compat gate passed,
+    # 2026-06-24). `kubeadm upgrade plan v1.35.6` correctly emits the
+    # "kubeadm upgrade apply v1.35.6" line (verified on master). Works for patches too.
+    local plan_target
+    plan_target=$(ssh "${SSH_OPTS[@]}" "$(ssh_target k8s-master)" "sudo kubeadm upgrade plan v$TARGET_VERSION --ignore-preflight-errors=CoreDNSMigration,CoreDNSUnsupportedPlugins" \
+      | grep -oE 'kubeadm upgrade apply v[0-9]+\.[0-9]+\.[0-9]+' \
+      | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1 | tr -d v)
+    if [ "$plan_target" != "$TARGET_VERSION" ]; then
+      slack "ABORT preflight — kubeadm plan target $plan_target ≠ requested $TARGET_VERSION"
+      exit 1
+    fi
+  fi
+
+  # 4b. apiserver-OIDC drift check (backstop for the rbac stack's kubeadm-config
+  # reconciliation). A `kubeadm upgrade` REGENERATES the apiserver manifest from
+  # kubeadm-config; if kubeadm-config still carries the legacy single-issuer
+  # --oidc-* args instead of --authentication-config, the regenerated apiserver
+  # loses structured multi-issuer auth → kubectl + dashboard SSO break AFTER the
+  # upgrade. This is RECOVERABLE (the apiserver does NOT crash — verified by an
+  # isolated repro 2026-06-24; the chain's post-master restore.sh re-adds the flag,
+  # and the rbac stack reconciles kubeadm-config so it won't recur) — so this is an
+  # ALERT, not a block. (NB the 2026-06-24 stall was NOT this — it was etcd IO
+  # starvation; see docs/post-mortems/2026-06-24-kubeadm-oidc-drift-apiserver-upgrade-stall.md.)
+  # Skip on an at-target master (resume — no apiserver regen).
+  if [ "$master_kubelet_v" != "$TARGET_VERSION" ]; then
+    local apiserver_diff
+    apiserver_diff=$(ssh "${SSH_OPTS[@]}" "$(ssh_target k8s-master)" "sudo kubeadm upgrade diff v$TARGET_VERSION 2>/dev/null" || true)
+    if echo "$apiserver_diff" | grep -qE '^-[[:space:]].*--authentication-config'; then
+      slack "WARN preflight — kubeadm upgrade will DROP --authentication-config (kubeadm-config OIDC drift). SSO breaks post-upgrade until restore.sh re-adds it; re-apply the rbac stack to reconcile kubeadm-config. Proceeding (recoverable, not a crash)."
+    fi
+  fi
+
+  # 4c. Reclaim kubeadm scratch on master. `kubeadm upgrade apply` dumps a full
+  # ~400MB etcd DB backup into /etc/kubernetes/tmp/kubeadm-backup-etcd-<ts>/ before
+  # every etcd upgrade and NEVER cleans it up — 145 dirs / 28GB had accumulated by
+  # 2026-06-24, pushing master root fs to 73% (image-GC churn + extra write IO on
+  # the shared HDD where etcd lives — a contributor to the etcd IO starvation that
+  # stalled that run, see post-mortem). Real etcd backups go to NFS, so these are
+  # throwaway. Prune ones >3 days old (keeps a short rollback window). Best-effort;
+  # never aborts the chain.
+  if [ "$master_kubelet_v" != "$TARGET_VERSION" ]; then
+    ssh "${SSH_OPTS[@]}" "$(ssh_target k8s-master)" \
+      "sudo find /etc/kubernetes/tmp -maxdepth 1 -type d \( -name 'kubeadm-backup-*' -o -name 'kubeadm-upgraded-manifests*' \) -mtime +3 -exec rm -rf {} + 2>/dev/null; echo -n 'master root after prune: '; df -h / | awk 'NR==2{print \$5\" used, \"\$4\" free\"}'" \
+      || echo "kubeadm-scratch prune skipped (ssh/df failed) — non-fatal"
   fi
 
   # 5. Push in-flight + started_timestamp metrics + ns annotations
@@ -346,16 +482,18 @@ phase_preflight() {
 
   # 7. Containerd skew fix on master (if master < workers)
   local master_ctr worker_max=0.0.0
-  master_ctr=$(ssh "${SSH_OPTS[@]}" "wizard@k8s-master$NODE_DOMAIN" "containerd --version | awk '{print \$3}' | tr -d v")
-  for n in k8s-node1 k8s-node2 k8s-node3 k8s-node4; do
+  master_ctr=$(ssh "${SSH_OPTS[@]}" "$(ssh_target k8s-master)" "containerd --version | awk '{print \$3}' | tr -d v")
+  local n
+  while read -r n; do
+    [ -z "$n" ] && continue
     local v
-    v=$(ssh "${SSH_OPTS[@]}" "wizard@$n$NODE_DOMAIN" "containerd --version | awk '{print \$3}' | tr -d v")
+    v=$(ssh "${SSH_OPTS[@]}" "$(ssh_target "$n")" "containerd --version | awk '{print \$3}' | tr -d v")
     [ "$(printf '%s\n%s' "$v" "$worker_max" | sort -V | tail -1)" = "$v" ] && worker_max="$v"
-  done
+  done < <(worker_nodes)
   if [ "$(printf '%s\n%s' "$master_ctr" "$worker_max" | sort -V | head -1)" = "$master_ctr" ] \
      && [ "$master_ctr" != "$worker_max" ]; then
     slack "Master containerd $master_ctr < workers $worker_max — bumping"
-    ssh "${SSH_OPTS[@]}" "wizard@k8s-master$NODE_DOMAIN" \
+    ssh "${SSH_OPTS[@]}" "$(ssh_target k8s-master)" \
       "sudo apt-mark unhold containerd.io && sudo apt-get install -y containerd.io='$worker_max-1' \
        && sudo apt-mark hold containerd.io && sudo systemctl restart containerd"
     wait_for_node_ready k8s-master "$($KUBECTL get node k8s-master -o jsonpath='{.status.nodeInfo.kubeletVersion}' | tr -d v)" \
@@ -366,14 +504,15 @@ phase_preflight() {
   # 8. Apt repo URL rewrite (minor only)
   if [ "$KIND" = "minor" ]; then
     local target_minor="${TARGET_VERSION%.*}"
-    for n in k8s-master k8s-node1 k8s-node2 k8s-node3 k8s-node4; do
-      ssh "${SSH_OPTS[@]}" "wizard@$n$NODE_DOMAIN" \
+    while read -r n; do
+      [ -z "$n" ] && continue
+      ssh "${SSH_OPTS[@]}" "$(ssh_target "$n")" \
         "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v$target_minor/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list \
          && curl -fsSL 'https://pkgs.k8s.io/core:/stable:/v$target_minor/deb/Release.key' \
               | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg --batch --yes \
          && sudo apt-get update"
-    done
-    slack "Apt repo rewritten to v$target_minor/deb on all 5 nodes"
+    done < <(all_nodes)
+    slack "Apt repo rewritten to v$target_minor/deb on all nodes"
   fi
 
   slack "Preflight clean. Snapshot at nfs://...$snap_file ($size bytes). Dispatching master Job."
@@ -411,19 +550,24 @@ phase_master() {
   # keeps running unchanged — only the OPERATOR (a config reconciler) goes away
   # briefly. Restored at the end of the phase below.
   #
-  # If the chain dies between quiesce and restore (e.g. kubeadm fails),
-  # manually restore with:
-  #   kubectl -n tigera-operator scale deploy tigera-operator --replicas=1
-  #
   # Long-term fix: HA control plane (3 masters) so apiserver never goes down
   # — see docs/plans/2026-05-21-ha-control-plane-{design,plan}.md (beads code-n0ow).
-  echo "Quiescing tigera-operator before master upgrade (it crashes on apiserver outage)"
-  $KUBECTL -n tigera-operator scale deploy tigera-operator --replicas=0 2>&1 || true
-
   drain_node k8s-master
 
+  # Quiesce tigera-operator ONLY for the kubeadm window. Drain happens FIRST (it
+  # doesn't blip the apiserver — only the static-pod swaps in `kubeadm upgrade
+  # apply` do), then quiesce right before that. The EXIT trap GUARANTEES the
+  # operator is restored even if any step below aborts: on 2026-06-17 the master
+  # run aborted on a post-upgrade gate AFTER quiescing, the idempotent retry then
+  # skipped the (now already-on-target) master phase, and the operator sat at 0
+  # for ~1.5h. The trap is set AFTER drain_node so drain_node's own EXIT trap
+  # (background predrain-watcher cleanup) can't clobber it.
+  echo "Quiescing tigera-operator for the kubeadm window (it crashes on apiserver outage)"
+  $KUBECTL -n tigera-operator scale deploy tigera-operator --replicas=0 2>&1 || true
+  trap '$KUBECTL -n tigera-operator scale deploy tigera-operator --replicas=1 >/dev/null 2>&1 || true' EXIT
+
   slack "Running update_k8s.sh on k8s-master (--role master --release $TARGET_VERSION)"
-  ssh "${SSH_OPTS[@]}" "wizard@k8s-master$NODE_DOMAIN" 'bash -s' \
+  ssh "${SSH_OPTS[@]}" "$(ssh_target k8s-master)" 'bash -s' \
     < "$UPDATE_K8S_SH" -- --role master --release "$TARGET_VERSION"
 
   $KUBECTL uncordon k8s-master
@@ -444,9 +588,37 @@ phase_master() {
   alerts=$(halt_on_alert_query "RecentNodeReboot|IngressTTFBCritical")
   [ -n "$alerts" ] && { slack "ABORT master — alerts firing post-upgrade: $alerts"; exit 1; }
 
-  # Restore tigera-operator (quiesced before drain). It reconciles in seconds.
+  # Re-apply apiserver OIDC. `kubeadm upgrade apply` regenerates the apiserver
+  # static-pod manifest and DROPS --authentication-config, silently breaking SSO
+  # (kubectl/kubelogin + the dashboard) until re-applied — historically a manual
+  # `tg apply` of the rbac stack after every control-plane bump. Automate it here
+  # while tigera-operator is STILL quiesced, so the flag-add apiserver restart
+  # cannot crashloop the operator. Single source of truth: the rbac stack
+  # publishes the exact script its own null_resource runs to a kube-system
+  # ConfigMap; it is idempotent and health-gates /livez with auto-rollback, and a
+  # failure here is NON-FATAL (the version upgrade already succeeded — only SSO
+  # would lag until the next rbac apply).
+  local oidc_restore
+  oidc_restore=$($KUBECTL -n kube-system get configmap apiserver-oidc-restore \
+    -o jsonpath='{.data.restore\.sh}' 2>/dev/null || true)
+  if [ -n "$oidc_restore" ]; then
+    slack "Re-applying apiserver OIDC after master upgrade"
+    printf '%s' "$oidc_restore" | ssh "${SSH_OPTS[@]}" "$(ssh_target k8s-master)" 'bash -s' \
+      || slack "WARN: apiserver OIDC re-apply exited non-zero — verify SSO"
+    if ssh "${SSH_OPTS[@]}" "$(ssh_target k8s-master)" \
+         'sudo grep -q -- "--authentication-config=" /etc/kubernetes/manifests/kube-apiserver.yaml'; then
+      slack "apiserver OIDC restored (--authentication-config present)"
+    else
+      slack "WARN: --authentication-config absent after re-apply — SSO down; run the rbac apiserver_oidc_config apply"
+    fi
+  else
+    slack "WARN: apiserver-oidc-restore ConfigMap missing — skipping OIDC re-apply (apply the rbac stack)"
+  fi
+
+  # Restore tigera-operator (happy path) + clear the safety-net EXIT trap.
   echo "Restoring tigera-operator"
   $KUBECTL -n tigera-operator scale deploy tigera-operator --replicas=1 2>&1 || true
+  trap - EXIT
 
   slack "Master on v$TARGET_VERSION, control-plane Running. Dispatching worker chain."
 }
@@ -481,7 +653,7 @@ phase_worker() {
   drain_node "$TARGET_NODE"
 
   slack "Running update_k8s.sh on $TARGET_NODE (--role worker --release $TARGET_VERSION)"
-  ssh "${SSH_OPTS[@]}" "wizard@$TARGET_NODE$NODE_DOMAIN" 'bash -s' \
+  ssh "${SSH_OPTS[@]}" "$(ssh_target "$TARGET_NODE")" 'bash -s' \
     < "$UPDATE_K8S_SH" -- --role worker --release "$TARGET_VERSION"
 
   $KUBECTL uncordon "$TARGET_NODE"
@@ -513,7 +685,13 @@ phase_worker() {
 phase_postflight() {
   slack "Running postflight"
 
-  # All 5 nodes at target
+  # Belt-and-suspenders: ensure tigera-operator is back to 1 at chain end. The
+  # master phase's EXIT trap already restores it, but a master phase that was
+  # skipped-on-retry (master already on target) never quiesces OR restores, so
+  # if an earlier aborted attempt left it down this is the final guarantee.
+  $KUBECTL -n tigera-operator scale deploy tigera-operator --replicas=1 >/dev/null 2>&1 || true
+
+  # All nodes at target
   local versions wrong
   versions=$($KUBECTL get nodes -o jsonpath='{range .items[*]}{.metadata.name}:{.status.nodeInfo.kubeletVersion}{"\n"}{end}')
   # `grep -v` returns 1 when all nodes are on target (the happy path —
@@ -537,6 +715,60 @@ phase_postflight() {
             --data-urlencode 'query=sum(kube_pod_status_ready{condition="true"}) / sum(kube_pod_status_phase{phase="Running"})' \
           | jq -r '.data.result[0].value[1] // "0"')
 
+  # ---------------------------------------------------------------------------
+  # Deeper smoke tests — catch a cluster that's "all pods Running" but actually
+  # broken after the upgrade (dead apiserver health endpoints, broken
+  # CoreDNS/in-cluster DNS, or a control-plane component that's only superficially
+  # up). Uses ONLY the chain's existing permissions: read-only kubectl raw API
+  # reads + this pod's own resolver. No new pods/exec/images/RBAC. We do NOT
+  # rollback — kubeadm can't downgrade — we halt loudly for a human.
+  local smoke_failed=0
+
+  # 1. apiserver health endpoints. `kubectl get --raw` exits non-zero on a
+  #    non-200, which under `set -e` would abort — capture rc explicitly.
+  local readyz_out readyz_rc=0 livez_out livez_rc=0
+  readyz_out=$($KUBECTL get --raw='/readyz' 2>&1) || readyz_rc=$?
+  if [ "$readyz_rc" -ne 0 ] || [ "$readyz_out" != "ok" ]; then
+    smoke_failed=1
+    slack "postflight smoke FAIL — apiserver /readyz not ok (rc=$readyz_rc, body='${readyz_out:0:200}')"
+  fi
+  livez_out=$($KUBECTL get --raw='/livez' 2>&1) || livez_rc=$?
+  if [ "$livez_rc" -ne 0 ] || [ "$livez_out" != "ok" ]; then
+    smoke_failed=1
+    slack "postflight smoke FAIL — apiserver /livez not ok (rc=$livez_rc, body='${livez_out:0:200}')"
+  fi
+
+  # 2. In-cluster DNS resolution from THIS pod's resolver. If CoreDNS / kube-dns
+  #    is broken after the upgrade, resolving the apiserver's cluster service
+  #    name fails here even though pods may still look Running.
+  local dns_rc=0
+  python3 -c 'import socket; socket.gethostbyname("kubernetes.default.svc.cluster.local")' >/dev/null 2>&1 || dns_rc=$?
+  if [ "$dns_rc" -ne 0 ]; then
+    smoke_failed=1
+    slack "postflight smoke FAIL — in-cluster DNS broken (could not resolve kubernetes.default.svc.cluster.local; CoreDNS down?)"
+  fi
+
+  # 3. Core kube-system pods Running: control-plane statics (apiserver,
+  #    controller-manager, scheduler, etcd) AND CoreDNS. `grep -v Running`
+  #    returns 1 when everything is Running (the happy path) → wrap in `|| true`
+  #    so pipefail doesn't abort us at the moment of success.
+  local comp not_running
+  for comp in kube-apiserver kube-controller-manager kube-scheduler etcd coredns; do
+    not_running=$($KUBECTL -n kube-system get pods --no-headers 2>/dev/null \
+      | { grep -E "(^|[[:space:]])${comp}-" || true; } \
+      | { grep -v Running || true; } | wc -l)
+    if [ "$not_running" -gt 0 ]; then
+      smoke_failed=1
+      slack "postflight smoke FAIL — $not_running kube-system '$comp' pod(s) not Running after upgrade"
+    fi
+  done
+
+  if [ "$smoke_failed" -ne 0 ]; then
+    slack "postflight smoke tests FAILED — upgrade left the cluster unhealthy, halting for a human (no rollback; kubeadm can't downgrade)"
+    exit 1
+  fi
+  echo "postflight smoke tests passed (apiserver health + DNS + core kube-system pods)"
+
   # Clear annotations + gauges
   $KUBECTL annotate ns "$NS" \
     'viktorbarzin.me/k8s-upgrade-in-flight-' \
diff --git a/stacks/kms/.terraform.lock.hcl b/stacks/kms/.terraform.lock.hcl
index 05f8a359..5982c332 100644
--- a/stacks/kms/.terraform.lock.hcl
+++ b/stacks/kms/.terraform.lock.hcl
@@ -70,41 +70,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf
index fd2db35f..59b691d6 100644
--- a/stacks/kms/main.tf
+++ b/stacks/kms/main.tf
@@ -54,7 +54,7 @@ resource "kubernetes_deployment" "kms-web-page" {
           name = "registry-credentials"
         }
         container {
-          image             = "forgejo.viktorbarzin.me/viktor/kms-website:${var.image_tag}"
+          image             = "ghcr.io/viktorbarzin/kms-website:${var.image_tag}"
           name              = "kms-web-page"
           image_pull_policy = "IfNotPresent"
           resources {
@@ -305,7 +305,7 @@ resource "kubernetes_config_map" "kms_slack_notifier" {
 
 resource "kubernetes_manifest" "kms_slack_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "kms-slack-webhook"
diff --git a/stacks/kms/variables.tf b/stacks/kms/variables.tf
index d36ff6c7..c71d4e4b 100644
--- a/stacks/kms/variables.tf
+++ b/stacks/kms/variables.tf
@@ -1,5 +1,5 @@
 variable "image_tag" {
   type        = string
   default     = "latest"
-  description = "kms-website image tag pushed to forgejo.viktorbarzin.me/viktor/kms-website. Use 8-char git SHA in CI."
+  description = "kms-website image tag pushed to ghcr.io/viktorbarzin/kms-website (ADR-0002 off-infra builds). Use 8-char git SHA in CI."
 }
diff --git a/stacks/kyverno/modules/kyverno/ghcr-credentials.tf b/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
new file mode 100644
index 00000000..781f9d62
--- /dev/null
+++ b/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
@@ -0,0 +1,108 @@
+# =============================================================================
+# ghcr.io pull credentials — synced ONLY to namespaces running PRIVATE ghcr
+# images (ADR-0002 off-infra builds)
+# =============================================================================
+# The credential is Viktor's admin PAT (Vault secret/viktor/ghcr_pull_token —
+# an alias of github_pat: GitHub has no API to mint tokens, so a UI-minted
+# read:packages token can replace the alias value later with no TF change).
+# Because the PAT is broad, this is a positive allowlist, NOT cluster-wide
+# like registry-credentials: any workload in a listed namespace can read the
+# secret, so every entry widens the blast radius. Public-image namespaces
+# need no credentials — keep this list to private-image consumers only.
+
+locals {
+  ghcr_private_namespaces = [
+    "tripit",
+    # tuya-bridge runs a PUBLIC-decision image, but new ghcr packages default
+    # PRIVATE until their visibility is flipped (UI) — safety net so pulls
+    # work from the first deploy; prune once the package is public.
+    "tuya-bridge",
+    "f1-stream",
+    "job-hunter",
+    "instagram-poster",
+    "payslip-ingest",
+    "wealthfolio",
+    "fire-planner",
+    "recruiter-responder",
+    # openclaw's install-recruiter-plugin init container pulls the PRIVATE
+    # ghcr.io/viktorbarzin/recruiter-responder:latest image (infra#27).
+    "openclaw",
+    # k8s-portal: last in-cluster image build, migrated to GHA→ghcr (ADR-0002,
+    # "no local builds"). ghcr.io/viktorbarzin/k8s-portal:latest is PRIVATE
+    # (infra repo default); the deployment references the cloned secret.
+    "k8s-portal",
+    # goldmane-edge-aggregator: PRIVATE ghcr image pulled by the aggregate
+    # Deployment + digest CronJob (ADR-0014, infra#58).
+    "goldmane-edge-aggregator",
+  ]
+}
+
+resource "kubernetes_secret" "ghcr_credentials" {
+  metadata {
+    name      = "ghcr-credentials"
+    namespace = kubernetes_namespace.kyverno.metadata[0].name
+  }
+  type = "kubernetes.io/dockerconfigjson"
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "ghcr.io" = {
+          username = "ViktorBarzin"
+          password = try(data.vault_kv_secret_v2.viktor.data["ghcr_pull_token"], "")
+          auth     = base64encode("ViktorBarzin:${try(data.vault_kv_secret_v2.viktor.data["ghcr_pull_token"], "")}")
+        }
+      }
+    })
+  }
+}
+
+resource "kubectl_manifest" "sync_ghcr_credentials" {
+  # Kyverno's validate-policy webhook DENIES in-place changes to a generate
+  # rule's spec ("changes of immutable fields ... is disallowed"), so any
+  # allowlist edit must delete+recreate the policy. Generated secrets survive
+  # policy deletion; generateExisting re-adopts them on recreate.
+  force_new = true
+  yaml_body = yamlencode({
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "sync-ghcr-credentials"
+    }
+    spec = {
+      rules = [
+        {
+          name = "sync-ghcr-secret"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                  names = local.ghcr_private_namespaces
+                }
+              }
+            ]
+          }
+          generate = {
+            generateExisting = true
+            apiVersion       = "v1"
+            kind             = "Secret"
+            name             = "ghcr-credentials"
+            namespace        = "{{request.object.metadata.name}}"
+            synchronize      = true
+            clone = {
+              namespace = "kyverno"
+              name      = "ghcr-credentials"
+            }
+          }
+        }
+      ]
+    }
+  })
+
+  depends_on = [
+    helm_release.kyverno,
+    kubernetes_secret.ghcr_credentials,
+    kubernetes_cluster_role_binding.kyverno_admission_secret_manager,
+    kubernetes_cluster_role_binding.kyverno_background_secret_manager,
+  ]
+}
diff --git a/stacks/kyverno/modules/kyverno/main.tf b/stacks/kyverno/modules/kyverno/main.tf
index 84ea7d63..e199b296 100644
--- a/stacks/kyverno/modules/kyverno/main.tf
+++ b/stacks/kyverno/modules/kyverno/main.tf
@@ -21,7 +21,13 @@ resource "helm_release" "kyverno" {
 
   repository = "https://kyverno.github.io/kyverno/"
   chart      = "kyverno"
-  version    = "3.6.1"
+  # Stepped upgrade to clear the k8s-1.35 compat-gate block (kyverno <=1.34 -> 1.35).
+  # 3.6.1 (app 1.16) -> 3.7.2 (1.17) -> 3.8.1 (1.18, supports k8s 1.35), one minor at
+  # a time per the kyverno upgrade guide (per-minor CRD notes). atomic=true rolls back
+  # a failed rollout; forceFailurePolicyIgnore keeps admissions open if the webhook is
+  # mid-roll. Each hop verified: 17 ClusterPolicies stay Ready + webhook responds.
+  # 3.6.1->3.7.2 done 2026-06-21 (clean). Now 3.7.2 (1.17.2) -> 3.8.1 (1.18.1).
+  version = "3.8.1"
 
   values = [yamlencode({
     # When Kyverno is unavailable, allow pod creation to proceed without
@@ -30,9 +36,24 @@ resource "helm_release" "kyverno" {
       forceFailurePolicyIgnore = {
         enabled = true
       }
+      # Reporting fully disabled (2026-06-12, etcd-load-reduction). policyReports
+      # were already off, so admission/aggregate/background reporting generated
+      # ephemeralreports + an hourly all-resource etcd re-scan for NO user-facing
+      # output. Admission enforcement (deny-* policies) and Keel mutation are
+      # independent of reporting; policy violations surface via Loki->Slack. This
+      # removes a steady-state etcd write/scan load (control-plane flap mitigation).
       policyReports = {
         enabled = false
       }
+      admissionReports = {
+        enabled = false
+      }
+      aggregateReports = {
+        enabled = false
+      }
+      backgroundScan = {
+        enabled = false
+      }
     }
 
     reportsController = {
diff --git a/stacks/kyverno/modules/kyverno/resource-governance.tf b/stacks/kyverno/modules/kyverno/resource-governance.tf
index 855128f1..eaa5891c 100644
--- a/stacks/kyverno/modules/kyverno/resource-governance.tf
+++ b/stacks/kyverno/modules/kyverno/resource-governance.tf
@@ -15,6 +15,15 @@
 locals {
   governance_tiers    = ["0-core", "1-cluster", "2-gpu", "3-edge", "4-aux"]
   excluded_namespaces = ["kube-system", "metallb-system", "kyverno", "calico-system", "calico-apiserver"]
+
+  # GPU-priority injection exclude list. Adds `tts` to the base set so the
+  # `inject-gpu-workload-priority` policy does NOT stamp the immich-equal
+  # gpu-workload (1,200,000) priority on Chatterbox-TTS pods. Chatterbox is a
+  # best-effort off-peak batch tenant on the shared T4: it must keep its
+  # tier-2-gpu (600,000) priority so it is ALWAYS the pod evicted under GPU-node
+  # pressure, never immich-ml/frigate/llama-swap. See the tts stack
+  # (stacks/tts/) + docs/plans/2026-06-08-chatterbox-tts-infra.md §3.
+  gpu_priority_excluded_namespaces = concat(local.excluded_namespaces, ["tts"])
 }
 
 # -----------------------------------------------------------------------------
@@ -905,7 +914,10 @@ resource "kubectl_manifest" "mutate_gpu_priority" {
             any = [
               {
                 resources = {
-                  namespaces = local.excluded_namespaces
+                  # tts added so Chatterbox-TTS keeps tier-2-gpu priority (it's a
+                  # best-effort off-peak batch tenant — must be evicted first,
+                  # not promoted to immich-equal gpu-workload). See locals above.
+                  namespaces = local.gpu_priority_excluded_namespaces
                 }
               }
             ]
@@ -1158,3 +1170,9 @@ resource "kubectl_manifest" "mutate_strip_cpu_limits" {
     }
   })
 }
+
+# Apply re-trigger 2026-06-11: 87702bdc landed with [ci skip], so this stack was
+# never CI-applied; tripit#26 (tour-guide redo) needs the tts GPU-priority
+# exclusion live before the tts stack applies. No functional change in this commit.
+
+# (See stacks/tts/main.tf — same apply-trigger note, tripit#26.)
diff --git a/stacks/kyverno/modules/kyverno/security-policies.tf b/stacks/kyverno/modules/kyverno/security-policies.tf
index 2bee1757..446b4745 100644
--- a/stacks/kyverno/modules/kyverno/security-policies.tf
+++ b/stacks/kyverno/modules/kyverno/security-policies.tf
@@ -23,10 +23,11 @@ locals {
     "xray", "infra-maintenance", "metrics-server", "tigera-operator", "frigate",
     # Additions discovered during wave 1 enforce flip — these contain workloads
     # that legitimately need privileged / hostNetwork / SYS_ADMIN:
-    "kured",           # kured DaemonSet is privileged (manages node reboots)
-    "default",         # etcd backup + defrag CronJobs use hostNetwork
-    "changedetection", # uses SYS_ADMIN for chromium sandbox
-    "woodpecker",      # CI pipeline pods (wp-*) run privileged docker builds
+    "kured",            # kured DaemonSet is privileged (manages node reboots)
+    "default",          # etcd backup + defrag CronJobs use hostNetwork
+    "changedetection",  # uses SYS_ADMIN for chromium sandbox
+    "woodpecker",       # CI pipeline pods (wp-*) run privileged docker builds
+    "android-emulator", # emulator pod is privileged for /dev/kvm (ADR-0001)
   ]
 }
 
@@ -329,8 +330,9 @@ resource "kubectl_manifest" "policy_require_trusted_registries" {
                   "docker.n8n.io/*", "registry.gitlab.com/*",
                   # Private
                   "forgejo.viktorbarzin.me/*", "10.0.20.10*",
-                  # Legacy private registry (decommissioned 2026-05-07 per CLAUDE.md
-                  # but council-complaints still references — migrate to Forgejo).
+                  # Legacy private registry (decommissioned 2026-05-07 per CLAUDE.md).
+                  # No live workload pulls from it; only stale completed Job records
+                  # (e.g. old wealthfolio-sync jobs) still carry the image ref.
                   "registry.viktorbarzin.me/*",
                   # DockerHub library (bare image names without slash)
                   "alpine*", "busybox*", "kong*", "mysql*", "nginx*", "postgres*", "python*",
diff --git a/stacks/linkwarden/.terraform.lock.hcl b/stacks/linkwarden/.terraform.lock.hcl
index 7959dc66..16af0cd7 100644
--- a/stacks/linkwarden/.terraform.lock.hcl
+++ b/stacks/linkwarden/.terraform.lock.hcl
@@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
+  hashes = [
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
 provider "registry.terraform.io/goauthentik/authentik" {
   version     = "2024.12.1"
   constraints = "~> 2024.10"
@@ -33,49 +41,23 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version = "3.8.1"
+  version = "3.9.0"
   hashes = [
-    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
-    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
-    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
-    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
-    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
-    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
-    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
-    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
-    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
-    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
-    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
-    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+    "h1:UlBuNVuCGJ39tTv2c5gz2NRZnQbXfbIWbTzWcth5o74=",
   ]
 }
 
@@ -99,3 +81,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/linkwarden/main.tf b/stacks/linkwarden/main.tf
index 23c8fd16..efae9c1f 100644
--- a/stacks/linkwarden/main.tf
+++ b/stacks/linkwarden/main.tf
@@ -30,7 +30,7 @@ resource "kubernetes_namespace" "linkwarden" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "linkwarden-secrets"
@@ -58,7 +58,7 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (rotated every 24h)
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "linkwarden-db-creds"
diff --git a/stacks/mailserver/modules/mailserver/extra/aliases.txt b/stacks/mailserver/modules/mailserver/extra/aliases.txt
index 61df501c..284c7061 100644
--- a/stacks/mailserver/modules/mailserver/extra/aliases.txt
+++ b/stacks/mailserver/modules/mailserver/extra/aliases.txt
@@ -10,3 +10,12 @@ vaultwarden@viktorbarzin.me me@viktorbarzin.me
 # catch-all does NOT, so an explicit entry is required). Also keeps inbound
 # plans@ routing to spam@ for the tripit mail-ingest poller.
 plans@viktorbarzin.me spam@viktorbarzin.me
+
+# trips@ -> spam@: same send-as grant for tripit's NATIVE auth email (ADR-0028 —
+# signup-verification + account-recovery mail). tripit authenticates SMTP as
+# spam@ and sends From: trips@viktorbarzin.me; SPOOF_PROTECTION's
+# smtpd_sender_login_maps union exact-matches this alias to spam@ (the @domain
+# catch-all does NOT). MUST be applied + verified BEFORE tripit flips SMTP_FROM
+# to trips@, or every verification/recovery send is rejected (550 sender). Also
+# routes any inbound trips@ to spam@.
+trips@viktorbarzin.me spam@viktorbarzin.me
diff --git a/stacks/mailserver/modules/mailserver/main.tf b/stacks/mailserver/modules/mailserver/main.tf
index b76de3f2..7f134144 100644
--- a/stacks/mailserver/modules/mailserver/main.tf
+++ b/stacks/mailserver/modules/mailserver/main.tf
@@ -801,7 +801,7 @@ resource "kubernetes_service" "mailserver_proxy" {
 # `env_from { secret_ref {} }` block.
 resource "kubernetes_manifest" "email_roundtrip_monitor_secrets" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "mailserver-probe-secrets"
diff --git a/stacks/matrix/.terraform.lock.hcl b/stacks/matrix/.terraform.lock.hcl
index 05f8a359..5982c332 100644
--- a/stacks/matrix/.terraform.lock.hcl
+++ b/stacks/matrix/.terraform.lock.hcl
@@ -70,41 +70,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/matrix/main.tf b/stacks/matrix/main.tf
index 97b04057..38604917 100644
--- a/stacks/matrix/main.tf
+++ b/stacks/matrix/main.tf
@@ -26,7 +26,7 @@ resource "kubernetes_namespace" "matrix" {
 # later (e.g. to add family) without regenerating it.
 resource "kubernetes_manifest" "secrets_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "matrix-secrets"
diff --git a/stacks/monitoring/imports.tf b/stacks/monitoring/imports.tf
new file mode 100644
index 00000000..0e565da5
--- /dev/null
+++ b/stacks/monitoring/imports.tf
@@ -0,0 +1,16 @@
+# One-shot adoption of two alert-digest resources that exist in-cluster but fell
+# out of Terraform state — the monitoring apply was create-failing on every push
+# with `configmaps "alert-digest-script" already exists` and `secrets
+# "alert-digest" already exists` (pre-existing: pipelines 203 AND 204). Importing
+# reconciles them into state so `terraform apply` UPDATES instead of failing to
+# create. These blocks are idempotent (a no-op once the resources are in state)
+# and may be removed after the next green apply. Defs: modules/monitoring/alert_digest.tf.
+import {
+  to = module.monitoring.kubernetes_config_map.alert_digest_script
+  id = "monitoring/alert-digest-script"
+}
+
+import {
+  to = module.monitoring.kubernetes_secret.alert_digest
+  id = "monitoring/alert-digest"
+}
diff --git a/stacks/monitoring/modules/monitoring/alert_digest.py b/stacks/monitoring/modules/monitoring/alert_digest.py
new file mode 100644
index 00000000..cc7fdb09
--- /dev/null
+++ b/stacks/monitoring/modules/monitoring/alert_digest.py
@@ -0,0 +1,230 @@
+#!/usr/bin/env python3
+"""Daily alert digest -> Slack.
+
+Posts a once-a-day "state of the lab" summary to the #alerts Slack channel:
+the full current board of firing alerts grouped by severity, plus a one-line
+list of what fired-and-cleared in the last 24h.
+
+This is the safety net for the "alert on change" routing model (warnings/info
+no longer re-notify while firing; criticals re-ping slowly). The digest is the
+recurring reminder of everything still firing, reviewed once each morning.
+
+Pure stdlib (urllib + json) on purpose: the CronJob runs stock python:alpine
+with NO pip/apk install at runtime, so it has none of the per-run disk-write
+footprint that got status-page-pusher disabled (infra memory id=559).
+
+Sources:
+  * Current board  -> Alertmanager v2 (/api/v2/alerts): active, not silenced,
+    not inhibited == exactly what a human would otherwise be paged about, with
+    the human-readable `summary` annotation. Falls back to Prometheus ALERTS
+    if Alertmanager is unreachable.
+  * Resolved-in-24h -> Prometheus (alertnames seen firing in the last 24h that
+    are not firing now). Best-effort; skipped silently if Prometheus errors.
+
+Env (all have in-cluster defaults):
+  ALERTMANAGER_URL   default http://prometheus-alertmanager.monitoring.svc.cluster.local:9093
+  PROMETHEUS_URL     default http://prometheus-server.monitoring.svc.cluster.local:80
+  SLACK_WEBHOOK_URL  Slack incoming-webhook URL. If empty (or DRY_RUN set),
+                     the payload is printed to stdout instead of posted.
+  SLACK_CHANNEL      default "#alerts"
+  DRY_RUN            if set (any value), print instead of posting.
+"""
+import datetime
+import json
+import os
+import sys
+import urllib.parse
+import urllib.request
+
+ALERTMANAGER_URL = os.environ.get(
+    "ALERTMANAGER_URL",
+    "http://prometheus-alertmanager.monitoring.svc.cluster.local:9093",
+).rstrip("/")
+PROMETHEUS_URL = os.environ.get(
+    "PROMETHEUS_URL",
+    "http://prometheus-server.monitoring.svc.cluster.local:80",
+).rstrip("/")
+SLACK_WEBHOOK_URL = os.environ.get("SLACK_WEBHOOK_URL", "").strip()
+SLACK_CHANNEL = os.environ.get("SLACK_CHANNEL", "#alerts")
+DRY_RUN = bool(os.environ.get("DRY_RUN", "")) or not SLACK_WEBHOOK_URL
+
+SEV_ORDER = ["critical", "warning", "info"]
+SEV_EMOJI = {"critical": ":red_circle:", "warning": ":large_yellow_circle:", "info": ":large_blue_circle:"}
+
+
+def _get_json(url, timeout=30):
+    req = urllib.request.Request(url, headers={"Accept": "application/json"})
+    with urllib.request.urlopen(req, timeout=timeout) as resp:
+        return json.load(resp)
+
+
+def _humanize(seconds):
+    seconds = int(max(seconds, 0))
+    d, rem = divmod(seconds, 86400)
+    h, rem = divmod(rem, 3600)
+    m, _ = divmod(rem, 60)
+    if d:
+        return "%dd%dh" % (d, h)
+    if h:
+        return "%dh%dm" % (h, m)
+    if m:
+        return "%dm" % m
+    return "<1m"
+
+
+def _now_utc():
+    return datetime.datetime.now(datetime.timezone.utc)
+
+
+def _age(starts_at):
+    if not starts_at:
+        return ""
+    try:
+        ts = starts_at.replace("Z", "+00:00")
+        # Trim sub-second precision beyond microseconds if present.
+        started = datetime.datetime.fromisoformat(ts)
+        return _humanize((_now_utc() - started).total_seconds())
+    except ValueError:
+        return ""
+
+
+def fetch_current_from_alertmanager():
+    """Active, non-silenced, non-inhibited alerts with their summaries."""
+    q = urllib.parse.urlencode(
+        {"active": "true", "silenced": "false", "inhibited": "false", "unprocessed": "false"}
+    )
+    data = _get_json("%s/api/v2/alerts?%s" % (ALERTMANAGER_URL, q))
+    alerts = []
+    for a in data:
+        if a.get("status", {}).get("state") != "active":
+            continue
+        labels = a.get("labels", {})
+        ann = a.get("annotations", {})
+        alerts.append(
+            {
+                "alertname": labels.get("alertname", "?"),
+                "severity": (labels.get("severity") or "info").lower(),
+                "lane": labels.get("lane", ""),
+                "summary": ann.get("summary", ""),
+                "age": _age(a.get("startsAt", "")),
+            }
+        )
+    return alerts
+
+
+def fetch_current_from_prometheus():
+    """Fallback: firing alerts from Prometheus (no summaries, includes inhibited)."""
+    url = "%s/api/v1/query?%s" % (
+        PROMETHEUS_URL,
+        urllib.parse.urlencode({"query": 'ALERTS{alertstate="firing"}'}),
+    )
+    data = _get_json(url)
+    alerts = []
+    for s in data.get("data", {}).get("result", []):
+        m = s.get("metric", {})
+        alerts.append(
+            {
+                "alertname": m.get("alertname", "?"),
+                "severity": (m.get("severity") or "info").lower(),
+                "lane": m.get("lane", ""),
+                "summary": "",
+                "age": "",
+            }
+        )
+    return alerts
+
+
+def fetch_resolved_last_24h(active_names):
+    """Alertnames that fired in the last 24h but are not firing now."""
+    try:
+        url = "%s/api/v1/query?%s" % (
+            PROMETHEUS_URL,
+            urllib.parse.urlencode(
+                {"query": 'count by (alertname) (max_over_time(ALERTS{alertstate="firing"}[24h]))'}
+            ),
+        )
+        data = _get_json(url)
+        seen = {s["metric"].get("alertname", "?") for s in data.get("data", {}).get("result", [])}
+        return sorted(seen - active_names)
+    except Exception:
+        return []
+
+
+def build_message(alerts, resolved):
+    today = _now_utc().strftime("%a %d %b %Y")
+    by_sev = {s: [] for s in SEV_ORDER}
+    for a in alerts:
+        by_sev.setdefault(a["severity"], []).append(a)
+
+    n = len(alerts)
+    counts = " ".join("%s %d" % (s, len(by_sev.get(s, []))) for s in SEV_ORDER if by_sev.get(s))
+
+    if n == 0:
+        header = ":white_check_mark: *Daily alert digest* — %s\nAll clear: nothing firing." % today
+    else:
+        header = ":bar_chart: *Daily alert digest* — %s\nFiring now: *%d*%s" % (
+            today,
+            n,
+            (" (" + counts + ")") if counts else "",
+        )
+
+    lines = [header]
+    for sev in SEV_ORDER:
+        items = sorted(by_sev.get(sev, []), key=lambda a: a["alertname"])
+        if not items:
+            continue
+        lines.append("")
+        lines.append("%s *%s (%d)*" % (SEV_EMOJI.get(sev, ""), sev.capitalize(), len(items)))
+        for a in items:
+            lock = ":lock: " if a["lane"] == "security" else ""
+            age = (" _(%s)_" % a["age"]) if a["age"] else ""
+            summary = (" — %s" % a["summary"]) if a["summary"] else ""
+            lines.append("• %s*%s*%s%s" % (lock, a["alertname"], summary, age))
+
+    # Any non-standard severities (defensive — shouldn't happen).
+    extra = [s for s in by_sev if s not in SEV_ORDER and by_sev[s]]
+    for sev in sorted(extra):
+        lines.append("")
+        lines.append("*%s (%d)*" % (sev, len(by_sev[sev])))
+        for a in sorted(by_sev[sev], key=lambda a: a["alertname"]):
+            lines.append("• *%s* — %s" % (a["alertname"], a["summary"]))
+
+    if resolved:
+        lines.append("")
+        lines.append(":white_check_mark: Resolved in last 24h (%d): %s" % (len(resolved), ", ".join(resolved)))
+
+    return "\n".join(lines)
+
+
+def post_to_slack(text):
+    payload = {"channel": SLACK_CHANNEL, "text": text}
+    if DRY_RUN:
+        print("[DRY_RUN] would POST to Slack channel %s:\n%s" % (SLACK_CHANNEL, text))
+        return
+    body = json.dumps(payload).encode("utf-8")
+    req = urllib.request.Request(
+        SLACK_WEBHOOK_URL, data=body, headers={"Content-Type": "application/json"}
+    )
+    with urllib.request.urlopen(req, timeout=30) as resp:
+        if resp.status >= 300:
+            raise RuntimeError("Slack POST failed: HTTP %d" % resp.status)
+
+
+def main():
+    try:
+        alerts = fetch_current_from_alertmanager()
+        source = "alertmanager"
+    except Exception as e:
+        sys.stderr.write("alertmanager fetch failed (%s); falling back to prometheus\n" % e)
+        alerts = fetch_current_from_prometheus()
+        source = "prometheus-fallback"
+
+    active_names = {a["alertname"] for a in alerts}
+    resolved = fetch_resolved_last_24h(active_names)
+    text = build_message(alerts, resolved)
+    sys.stderr.write("digest: %d firing (source=%s), %d resolved-24h\n" % (len(alerts), source, len(resolved)))
+    post_to_slack(text)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/stacks/monitoring/modules/monitoring/alert_digest.tf b/stacks/monitoring/modules/monitoring/alert_digest.tf
new file mode 100644
index 00000000..ef82f713
--- /dev/null
+++ b/stacks/monitoring/modules/monitoring/alert_digest.tf
@@ -0,0 +1,127 @@
+# =============================================================================
+# Daily alert digest -> #alerts Slack
+# =============================================================================
+# Companion to the "alert on change" routing model (alert-noise-reduction
+# 2026-06-12). Warning/info alerts no longer re-notify while they stay firing
+# (repeat_interval is effectively off) and criticals only re-ping every 6h, so
+# Slack reflects *changes*, not steady state. This CronJob is the safety net:
+# once a day it posts the full current board of firing alerts grouped by
+# severity (+ what cleared in the last 24h) so the standing state is reviewed
+# on a schedule, the way the #security lane is skimmed daily.
+#
+# Implementation: stock python:3.12-alpine running a pure-stdlib script
+# (alert_digest.py, mounted from a ConfigMap). NO pip/apk at runtime — once a
+# day, zero per-run package-install disk writes (the footprint that got
+# status-page-pusher disabled, memory id=559). Queries the in-cluster
+# Alertmanager v2 API for the current board (respects silences + inhibitions)
+# and Prometheus for the resolved-in-24h line.
+# =============================================================================
+
+resource "kubernetes_config_map" "alert_digest_script" {
+  metadata {
+    name      = "alert-digest-script"
+    namespace = kubernetes_namespace.monitoring.metadata[0].name
+  }
+  data = {
+    "alert_digest.py" = file("${path.module}/alert_digest.py")
+  }
+}
+
+# Reuses the same Slack incoming-webhook the Alertmanager receivers post with
+# (var.alertmanager_slack_api_url) — no new webhook, just a namespaced Secret so
+# the URL isn't a literal in the pod spec.
+resource "kubernetes_secret" "alert_digest" {
+  metadata {
+    name      = "alert-digest"
+    namespace = kubernetes_namespace.monitoring.metadata[0].name
+  }
+  type = "Opaque"
+  data = {
+    SLACK_WEBHOOK_URL = var.alertmanager_slack_api_url
+  }
+}
+
+resource "kubernetes_cron_job_v1" "alert_digest" {
+  metadata {
+    name      = "alert-digest"
+    namespace = kubernetes_namespace.monitoring.metadata[0].name
+    labels = {
+      app  = "alert-digest"
+      tier = var.tier
+    }
+  }
+  spec {
+    concurrency_policy            = "Forbid"
+    failed_jobs_history_limit     = 3
+    successful_jobs_history_limit = 3
+    schedule                      = "0 8 * * *"
+    timezone                      = "Europe/London"
+    starting_deadline_seconds     = 600
+    job_template {
+      metadata {}
+      spec {
+        backoff_limit              = 2
+        ttl_seconds_after_finished = 86400
+        template {
+          metadata {
+            labels = {
+              app = "alert-digest"
+            }
+          }
+          spec {
+            restart_policy = "OnFailure"
+            container {
+              name              = "alert-digest"
+              image             = "docker.io/library/python:3.12-alpine"
+              image_pull_policy = "IfNotPresent"
+              command           = ["python3", "/scripts/alert_digest.py"]
+              env {
+                name = "SLACK_WEBHOOK_URL"
+                value_from {
+                  secret_key_ref {
+                    name = kubernetes_secret.alert_digest.metadata[0].name
+                    key  = "SLACK_WEBHOOK_URL"
+                  }
+                }
+              }
+              env {
+                name  = "SLACK_CHANNEL"
+                value = "#alerts"
+              }
+              volume_mount {
+                name       = "script"
+                mount_path = "/scripts"
+                read_only  = true
+              }
+              resources {
+                requests = {
+                  cpu    = "10m"
+                  memory = "48Mi"
+                }
+                limits = {
+                  memory = "96Mi"
+                }
+              }
+            }
+            volume {
+              name = "script"
+              config_map {
+                name = kubernetes_config_map.alert_digest_script.metadata[0].name
+              }
+            }
+            dns_config {
+              option {
+                name  = "ndots"
+                value = "2"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
+    ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config]
+  }
+}
diff --git a/stacks/monitoring/modules/monitoring/authentik_walloff_probe.tf b/stacks/monitoring/modules/monitoring/authentik_walloff_probe.tf
index 583900fe..5244db0e 100644
--- a/stacks/monitoring/modules/monitoring/authentik_walloff_probe.tf
+++ b/stacks/monitoring/modules/monitoring/authentik_walloff_probe.tf
@@ -57,6 +57,9 @@ locals {
     "instagram-poster-image" = "https://instagram-poster.viktorbarzin.me/image"
     # trading-bot app root (auth="app"): WebAuthn/JWT in-app; was walled, now 200.
     "trading-bot-app" = "https://trading.viktorbarzin.me/"
+    # t3 dispatch probe surface (auth="none" path carve-out on /probe): WS echo
+    # + healthz for the t3-probe drop-attribution client (stacks/t3code).
+    "t3-probe-ws" = "https://t3.viktorbarzin.me/probe/healthz"
     # NOTE: openclaw task-webhook (auth="none") is intentionally NOT probed — it
     # has no public DNS record (NXDOMAIN, external_monitor=false), so there is no
     # externally GET-able URL to probe. Its carve-out is internal-only.
diff --git a/stacks/monitoring/modules/monitoring/dashboards/wealth.json b/stacks/monitoring/modules/monitoring/dashboards/wealth.json
index 55ef9637..183d478b 100644
--- a/stacks/monitoring/modules/monitoring/dashboards/wealth.json
+++ b/stacks/monitoring/modules/monitoring/dashboards/wealth.json
@@ -305,7 +305,7 @@
       },
       "gridPos": {
         "h": 4,
-        "w": 5,
+        "w": 4,
         "x": 0,
         "y": 5
       },
@@ -398,8 +398,8 @@
       },
       "gridPos": {
         "h": 4,
-        "w": 5,
-        "x": 5,
+        "w": 4,
+        "x": 4,
         "y": 5
       },
       "fieldConfig": {
@@ -491,8 +491,8 @@
       },
       "gridPos": {
         "h": 4,
-        "w": 5,
-        "x": 10,
+        "w": 4,
+        "x": 8,
         "y": 5
       },
       "fieldConfig": {
@@ -584,8 +584,8 @@
       },
       "gridPos": {
         "h": 4,
-        "w": 5,
-        "x": 15,
+        "w": 4,
+        "x": 12,
         "y": 5
       },
       "fieldConfig": {
@@ -678,7 +678,7 @@
       "gridPos": {
         "h": 4,
         "w": 4,
-        "x": 20,
+        "x": 16,
         "y": 5
       },
       "fieldConfig": {
@@ -759,1429 +759,1562 @@
         }
       ]
     },
+    {
+      "id": 9216,
+      "title": "Price freshness",
+      "description": "Quote freshness for each held position (one value per holding, worst first): days since quote_latest.day (the last quote we mirrored from Wealthfolio's SQLite). Green <=4d tolerates weekend/bank-holiday gaps; amber 5-9d = the price feed may be lagging; red >=10d = the feed has stopped updating that symbol and its valuation is frozen. A held position with no quote at all sorts as max-stale. Values are humanised (e.g. '2 months').",
+      "type": "stat",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 4,
+        "x": 20,
+        "y": 5
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "dtdurations",
+          "decimals": 0,
+          "color": {
+            "mode": "thresholds"
+          },
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "yellow",
+                "value": 432000
+              },
+              {
+                "color": "red",
+                "value": 864000
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "center",
+        "orientation": "horizontal",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "value_and_name"
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "grafana-postgresql-datasource",
+            "uid": "wealth-pg"
+          },
+          "rawQuery": true,
+          "editorMode": "code",
+          "format": "time_series",
+          "rawSql": "SELECT now() AS \"time\", a.symbol AS metric, COALESCE(CURRENT_DATE - q.day, 9999) * 86400 AS value FROM positions_latest p JOIN assets a ON a.id = p.asset_id LEFT JOIN quote_latest q ON q.asset_id = p.asset_id ORDER BY value DESC"
+        }
+      ]
+    },
     {
       "type": "row",
       "title": "Net worth over time",
-      "collapsed": true,
+      "collapsed": false,
       "id": 9301,
       "gridPos": {
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 9
+        "y": 14
       },
-      "panels": [
+      "panels": []
+    },
+    {
+      "id": 9202,
+      "title": "Net worth: contribution vs market value (+ growth)",
+      "description": "Merged: net contribution + market value (net worth) lines; Growth = the gap between them.",
+      "type": "timeseries",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 24,
+        "x": 0,
+        "y": 15
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "currencyGBP",
+          "decimals": 0,
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 2,
+            "fillOpacity": 0,
+            "showPoints": "never"
+          }
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Growth"
+            },
+            "properties": [
+              {
+                "id": "custom.fillOpacity",
+                "value": 15
+              },
+              {
+                "id": "custom.lineWidth",
+                "value": 1
+              }
+            ]
+          }
+        ]
+      },
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom",
+          "calcs": [
+            "last"
+          ]
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "targets": [
         {
-          "id": 9202,
-          "title": "Net worth: contribution vs market value (+ growth)",
-          "description": "Merged: net contribution + market value (net worth) lines; Growth = the gap between them.",
-          "type": "timeseries",
+          "refId": "A",
           "datasource": {
             "type": "grafana-postgresql-datasource",
             "uid": "wealth-pg"
           },
-          "gridPos": {
-            "h": 9,
-            "w": 24,
-            "x": 0,
-            "y": 10
+          "format": "time_series",
+          "editorMode": "code",
+          "rawQuery": true,
+          "rawSql": "WITH active_count AS (SELECT COUNT(*) AS n FROM accounts), max_complete AS (SELECT MAX(valuation_date) AS d FROM (SELECT d.valuation_date, COUNT(*) AS c FROM dav_corrected d JOIN accounts a ON a.id = d.account_id GROUP BY d.valuation_date) x WHERE c >= (SELECT n FROM active_count)) SELECT valuation_date::timestamp AS \"time\", SUM(net_contribution) AS \"Net contribution\", SUM(total_value) AS \"Market value (net worth)\", (SUM(total_value)-SUM(net_contribution)) AS \"Growth\" FROM dav_corrected WHERE $__timeFilter(valuation_date) AND valuation_date <= (SELECT d FROM max_complete) GROUP BY valuation_date ORDER BY valuation_date"
+        }
+      ]
+    },
+    {
+      "id": 8,
+      "title": "Per-account stacked \u2014 total value",
+      "description": "Stacked area showing each account's contribution to total net worth over time. Useful for spotting which account drives the trajectory.",
+      "type": "timeseries",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 0,
+        "y": 24
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
           },
-          "fieldConfig": {
-            "defaults": {
-              "unit": "currencyGBP",
-              "decimals": 0,
-              "custom": {
-                "drawStyle": "line",
-                "lineWidth": 2,
-                "fillOpacity": 0,
-                "showPoints": "never"
-              }
+          "unit": "currencyGBP",
+          "decimals": 2,
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 1,
+            "fillOpacity": 70,
+            "pointSize": 3,
+            "showPoints": "never",
+            "spanNulls": true,
+            "axisPlacement": "auto",
+            "stacking": {
+              "group": "A",
+              "mode": "normal"
+            }
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "legend": {
+          "calcs": [
+            "last"
+          ],
+          "displayMode": "table",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "grafana-postgresql-datasource",
+            "uid": "wealth-pg"
+          },
+          "rawQuery": true,
+          "editorMode": "code",
+          "format": "time_series",
+          "rawSql": "WITH active_count AS (SELECT COUNT(*) AS n FROM accounts), max_complete AS (SELECT MAX(valuation_date) AS d FROM (SELECT d.valuation_date, COUNT(*) AS c FROM daily_account_valuation d JOIN accounts a ON a.id = d.account_id GROUP BY d.valuation_date) x WHERE c >= (SELECT n FROM active_count)) SELECT d.valuation_date::timestamp AS \"time\", a.name AS metric, d.total_value AS value FROM daily_account_valuation d JOIN accounts a ON a.id = d.account_id WHERE $__timeFilter(d.valuation_date) AND d.valuation_date <= (SELECT d FROM max_complete) ORDER BY d.valuation_date, a.name"
+        }
+      ]
+    },
+    {
+      "id": 9,
+      "title": "Cash vs invested (stacked)",
+      "description": "Daily breakdown of uninvested broker cash vs market value of investments. WORKPLACE_PENSION accounts (Fidelity) are reclassified entirely as invested \u2014 Wealthfolio dumps pension wrappers into cash_balance because it doesn't track the underlying fund holdings, but they are not actually cash.",
+      "type": "timeseries",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 12,
+        "y": 24
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "unit": "currencyGBP",
+          "decimals": 2,
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 1,
+            "fillOpacity": 70,
+            "pointSize": 3,
+            "showPoints": "never",
+            "spanNulls": true,
+            "axisPlacement": "auto",
+            "stacking": {
+              "group": "A",
+              "mode": "normal"
+            }
+          }
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "cash"
             },
-            "overrides": [
+            "properties": [
               {
-                "matcher": {
-                  "id": "byName",
-                  "options": "Growth"
-                },
-                "properties": [
-                  {
-                    "id": "custom.fillOpacity",
-                    "value": 15
-                  },
-                  {
-                    "id": "custom.lineWidth",
-                    "value": 1
-                  }
-                ]
+                "id": "color",
+                "value": {
+                  "mode": "fixed",
+                  "fixedColor": "#FADE2A"
+                }
+              },
+              {
+                "id": "displayName",
+                "value": "Cash"
               }
             ]
           },
-          "options": {
-            "legend": {
-              "displayMode": "list",
-              "placement": "bottom",
-              "calcs": [
-                "last"
-              ]
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "invested"
             },
-            "tooltip": {
-              "mode": "multi",
-              "sort": "desc"
-            }
-          },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
-              },
-              "format": "time_series",
-              "editorMode": "code",
-              "rawQuery": true,
-              "rawSql": "WITH active_count AS (SELECT COUNT(*) AS n FROM accounts), max_complete AS (SELECT MAX(valuation_date) AS d FROM (SELECT d.valuation_date, COUNT(*) AS c FROM dav_corrected d JOIN accounts a ON a.id = d.account_id GROUP BY d.valuation_date) x WHERE c >= (SELECT n FROM active_count)) SELECT valuation_date::timestamp AS \"time\", SUM(net_contribution) AS \"Net contribution\", SUM(total_value) AS \"Market value (net worth)\", (SUM(total_value)-SUM(net_contribution)) AS \"Growth\" FROM dav_corrected WHERE $__timeFilter(valuation_date) AND valuation_date <= (SELECT d FROM max_complete) GROUP BY valuation_date ORDER BY valuation_date"
-            }
-          ]
-        },
-        {
-          "id": 8,
-          "title": "Per-account stacked \u2014 total value",
-          "description": "Stacked area showing each account's contribution to total net worth over time. Useful for spotting which account drives the trajectory.",
-          "type": "timeseries",
-          "datasource": {
-            "type": "grafana-postgresql-datasource",
-            "uid": "wealth-pg"
-          },
-          "gridPos": {
-            "h": 9,
-            "w": 12,
-            "x": 0,
-            "y": 19
-          },
-          "fieldConfig": {
-            "defaults": {
-              "color": {
-                "mode": "palette-classic"
-              },
-              "unit": "currencyGBP",
-              "decimals": 2,
-              "custom": {
-                "drawStyle": "line",
-                "lineWidth": 1,
-                "fillOpacity": 70,
-                "pointSize": 3,
-                "showPoints": "never",
-                "spanNulls": true,
-                "axisPlacement": "auto",
-                "stacking": {
-                  "group": "A",
-                  "mode": "normal"
-                }
-              }
-            },
-            "overrides": []
-          },
-          "options": {
-            "legend": {
-              "calcs": [
-                "last"
-              ],
-              "displayMode": "table",
-              "placement": "bottom"
-            },
-            "tooltip": {
-              "mode": "multi",
-              "sort": "desc"
-            }
-          },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
-              },
-              "rawQuery": true,
-              "editorMode": "code",
-              "format": "time_series",
-              "rawSql": "WITH active_count AS (SELECT COUNT(*) AS n FROM accounts), max_complete AS (SELECT MAX(valuation_date) AS d FROM (SELECT d.valuation_date, COUNT(*) AS c FROM daily_account_valuation d JOIN accounts a ON a.id = d.account_id GROUP BY d.valuation_date) x WHERE c >= (SELECT n FROM active_count)) SELECT d.valuation_date::timestamp AS \"time\", a.name AS metric, d.total_value AS value FROM daily_account_valuation d JOIN accounts a ON a.id = d.account_id WHERE $__timeFilter(d.valuation_date) AND d.valuation_date <= (SELECT d FROM max_complete) ORDER BY d.valuation_date, a.name"
-            }
-          ]
-        },
-        {
-          "id": 9,
-          "title": "Cash vs invested (stacked)",
-          "description": "Daily breakdown of uninvested broker cash vs market value of investments. WORKPLACE_PENSION accounts (Fidelity) are reclassified entirely as invested \u2014 Wealthfolio dumps pension wrappers into cash_balance because it doesn't track the underlying fund holdings, but they are not actually cash.",
-          "type": "timeseries",
-          "datasource": {
-            "type": "grafana-postgresql-datasource",
-            "uid": "wealth-pg"
-          },
-          "gridPos": {
-            "h": 9,
-            "w": 12,
-            "x": 12,
-            "y": 19
-          },
-          "fieldConfig": {
-            "defaults": {
-              "color": {
-                "mode": "palette-classic"
-              },
-              "unit": "currencyGBP",
-              "decimals": 2,
-              "custom": {
-                "drawStyle": "line",
-                "lineWidth": 1,
-                "fillOpacity": 70,
-                "pointSize": 3,
-                "showPoints": "never",
-                "spanNulls": true,
-                "axisPlacement": "auto",
-                "stacking": {
-                  "group": "A",
-                  "mode": "normal"
-                }
-              }
-            },
-            "overrides": [
+            "properties": [
               {
-                "matcher": {
-                  "id": "byName",
-                  "options": "cash"
-                },
-                "properties": [
-                  {
-                    "id": "color",
-                    "value": {
-                      "mode": "fixed",
-                      "fixedColor": "#FADE2A"
-                    }
-                  },
-                  {
-                    "id": "displayName",
-                    "value": "Cash"
-                  }
-                ]
+                "id": "color",
+                "value": {
+                  "mode": "fixed",
+                  "fixedColor": "#56A64B"
+                }
               },
               {
-                "matcher": {
-                  "id": "byName",
-                  "options": "invested"
-                },
-                "properties": [
-                  {
-                    "id": "color",
-                    "value": {
-                      "mode": "fixed",
-                      "fixedColor": "#56A64B"
-                    }
-                  },
-                  {
-                    "id": "displayName",
-                    "value": "Invested"
-                  }
-                ]
+                "id": "displayName",
+                "value": "Invested"
               }
             ]
+          }
+        ]
+      },
+      "options": {
+        "legend": {
+          "calcs": [
+            "last"
+          ],
+          "displayMode": "table",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "grafana-postgresql-datasource",
+            "uid": "wealth-pg"
           },
-          "options": {
-            "legend": {
-              "calcs": [
-                "last"
-              ],
-              "displayMode": "table",
-              "placement": "bottom"
-            },
-            "tooltip": {
-              "mode": "multi",
-              "sort": "desc"
-            }
-          },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
-              },
-              "rawQuery": true,
-              "editorMode": "code",
-              "format": "time_series",
-              "rawSql": "WITH active_count AS (SELECT COUNT(*) AS n FROM accounts), max_complete AS (SELECT MAX(valuation_date) AS d FROM (SELECT d.valuation_date, COUNT(*) AS c FROM daily_account_valuation d JOIN accounts a ON a.id = d.account_id GROUP BY d.valuation_date) x WHERE c >= (SELECT n FROM active_count)) SELECT d.valuation_date::timestamp AS \"time\", SUM(CASE WHEN a.account_type = 'WORKPLACE_PENSION' THEN 0 ELSE d.cash_balance END) AS cash, SUM(CASE WHEN a.account_type = 'WORKPLACE_PENSION' THEN d.cash_balance + d.investment_market_value ELSE d.investment_market_value END) AS invested FROM daily_account_valuation d JOIN accounts a ON a.id = d.account_id WHERE $__timeFilter(d.valuation_date) AND d.valuation_date <= (SELECT d FROM max_complete) GROUP BY d.valuation_date ORDER BY d.valuation_date"
-            }
-          ]
+          "rawQuery": true,
+          "editorMode": "code",
+          "format": "time_series",
+          "rawSql": "WITH active_count AS (SELECT COUNT(*) AS n FROM accounts), max_complete AS (SELECT MAX(valuation_date) AS d FROM (SELECT d.valuation_date, COUNT(*) AS c FROM daily_account_valuation d JOIN accounts a ON a.id = d.account_id GROUP BY d.valuation_date) x WHERE c >= (SELECT n FROM active_count)) SELECT d.valuation_date::timestamp AS \"time\", SUM(CASE WHEN a.account_type = 'WORKPLACE_PENSION' THEN 0 ELSE d.cash_balance END) AS cash, SUM(CASE WHEN a.account_type = 'WORKPLACE_PENSION' THEN d.cash_balance + d.investment_market_value ELSE d.investment_market_value END) AS invested FROM daily_account_valuation d JOIN accounts a ON a.id = d.account_id WHERE $__timeFilter(d.valuation_date) AND d.valuation_date <= (SELECT d FROM max_complete) GROUP BY d.valuation_date ORDER BY d.valuation_date"
         }
       ]
     },
     {
       "type": "row",
       "title": "Returns & contributions",
-      "collapsed": true,
+      "collapsed": false,
       "id": 9302,
       "gridPos": {
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 29
+        "y": 34
       },
-      "panels": [
-        {
-          "id": 9203,
-          "title": "Yearly: contributions / market gain / return %",
-          "description": "Merged yearly view. Contributions + market gain as bars (left \u00a3 axis); return % as a line (right % axis). timeFrom=10y so it always shows full history.",
-          "type": "timeseries",
-          "datasource": {
-            "type": "grafana-postgresql-datasource",
-            "uid": "wealth-pg"
-          },
-          "gridPos": {
-            "h": 10,
-            "w": 24,
-            "x": 0,
-            "y": 30
-          },
-          "fieldConfig": {
-            "defaults": {
-              "unit": "currencyGBP",
-              "decimals": 0,
-              "custom": {
-                "drawStyle": "bars",
-                "fillOpacity": 80,
-                "lineWidth": 1
-              }
-            },
-            "overrides": [
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "Return %"
-                },
-                "properties": [
-                  {
-                    "id": "custom.drawStyle",
-                    "value": "line"
-                  },
-                  {
-                    "id": "custom.lineWidth",
-                    "value": 2
-                  },
-                  {
-                    "id": "custom.fillOpacity",
-                    "value": 0
-                  },
-                  {
-                    "id": "unit",
-                    "value": "percent"
-                  },
-                  {
-                    "id": "custom.axisPlacement",
-                    "value": "right"
-                  },
-                  {
-                    "id": "custom.axisLabel",
-                    "value": "Return %"
-                  },
-                  {
-                    "id": "color",
-                    "value": {
-                      "mode": "fixed",
-                      "fixedColor": "yellow"
-                    }
-                  }
-                ]
-              }
-            ]
-          },
-          "options": {
-            "legend": {
-              "displayMode": "list",
-              "placement": "bottom",
-              "calcs": [
-                "last"
-              ]
-            },
-            "tooltip": {
-              "mode": "multi",
-              "sort": "desc"
-            }
-          },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
-              },
-              "format": "time_series",
-              "editorMode": "code",
-              "rawQuery": true,
-              "rawSql": "WITH active_count AS (SELECT COUNT(*) n FROM accounts), mc AS (SELECT MAX(valuation_date) d FROM (SELECT valuation_date, COUNT(*) c FROM dav_corrected GROUP BY valuation_date) x WHERE c>=(SELECT n FROM active_count)), daily AS (SELECT valuation_date, SUM(total_value) nw, SUM(net_contribution) contrib FROM dav_corrected WHERE valuation_date<=(SELECT d FROM mc) GROUP BY valuation_date), ye AS (SELECT DISTINCT ON (date_trunc('year',valuation_date)) date_trunc('year',valuation_date)::date yr, nw, contrib FROM daily ORDER BY date_trunc('year',valuation_date), valuation_date DESC), dd AS (SELECT yr, nw, contrib, lag(nw) OVER (ORDER BY yr) pnw, lag(contrib) OVER (ORDER BY yr) pc FROM ye) SELECT yr::timestamp AS \"time\", round((contrib-pc)::numeric,0) AS \"Contributions\", round(((nw-pnw)-(contrib-pc))::numeric,0) AS \"Market gain\", round((((nw-pnw)-(contrib-pc))/NULLIF(pnw+0.5*(contrib-pc),0)*100)::numeric,2) AS \"Return %\" FROM dd WHERE pnw IS NOT NULL ORDER BY yr"
-            }
-          ],
-          "timeFrom": "10y"
+      "panels": []
+    },
+    {
+      "id": 9203,
+      "title": "Yearly: contributions / market gain / return %",
+      "description": "Merged yearly view. Contributions + market gain as bars (left \u00a3 axis); return % as a line (right % axis). timeFrom=10y so it always shows full history.",
+      "type": "timeseries",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 24,
+        "x": 0,
+        "y": 35
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "currencyGBP",
+          "decimals": 0,
+          "custom": {
+            "drawStyle": "bars",
+            "fillOpacity": 80,
+            "lineWidth": 1
+          }
         },
-        {
-          "id": 25,
-          "title": "Monthly contributions vs market gain",
-          "description": "Each month's net contributions vs market gain as two lines. Where the green (market) line crosses above the blue (contributions) line is when investments out-earn savings for that month. Months below zero on the green line = market drawdowns.",
-          "type": "timeseries",
-          "datasource": {
-            "type": "grafana-postgresql-datasource",
-            "uid": "wealth-pg"
-          },
-          "gridPos": {
-            "h": 10,
-            "w": 24,
-            "x": 0,
-            "y": 40
-          },
-          "fieldConfig": {
-            "defaults": {
-              "color": {
-                "mode": "palette-classic"
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Return %"
+            },
+            "properties": [
+              {
+                "id": "custom.drawStyle",
+                "value": "line"
               },
-              "unit": "currencyGBP",
-              "decimals": 0,
-              "custom": {
-                "drawStyle": "line",
-                "lineWidth": 2,
-                "fillOpacity": 0,
-                "pointSize": 5,
-                "showPoints": "auto",
-                "spanNulls": true,
-                "axisPlacement": "auto",
-                "stacking": {
-                  "group": "A",
-                  "mode": "none"
+              {
+                "id": "custom.lineWidth",
+                "value": 2
+              },
+              {
+                "id": "custom.fillOpacity",
+                "value": 0
+              },
+              {
+                "id": "unit",
+                "value": "percent"
+              },
+              {
+                "id": "custom.axisPlacement",
+                "value": "right"
+              },
+              {
+                "id": "custom.axisLabel",
+                "value": "Return %"
+              },
+              {
+                "id": "color",
+                "value": {
+                  "mode": "fixed",
+                  "fixedColor": "yellow"
                 }
               }
-            },
-            "overrides": [
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "contributions"
-                },
-                "properties": [
-                  {
-                    "id": "color",
-                    "value": {
-                      "mode": "fixed",
-                      "fixedColor": "blue"
-                    }
-                  },
-                  {
-                    "id": "displayName",
-                    "value": "Net contributions"
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "market_gain"
-                },
-                "properties": [
-                  {
-                    "id": "color",
-                    "value": {
-                      "mode": "fixed",
-                      "fixedColor": "#56A64B"
-                    }
-                  },
-                  {
-                    "id": "displayName",
-                    "value": "Market gain"
-                  }
-                ]
-              }
             ]
-          },
-          "options": {
-            "legend": {
-              "calcs": [
-                "last",
-                "sum"
-              ],
-              "displayMode": "table",
-              "placement": "bottom"
-            },
-            "tooltip": {
-              "mode": "multi",
-              "sort": "desc"
-            }
-          },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
-              },
-              "rawQuery": true,
-              "editorMode": "code",
-              "format": "time_series",
-              "rawSql": "WITH active_count AS (SELECT COUNT(*) AS n FROM accounts), max_complete AS (SELECT MAX(valuation_date) AS d FROM (SELECT d.valuation_date, COUNT(*) AS c FROM dav_corrected d JOIN accounts a ON a.id = d.account_id GROUP BY d.valuation_date) x WHERE c >= (SELECT n FROM active_count)), daily AS (SELECT valuation_date, SUM(total_value) AS nw, SUM(net_contribution) AS contrib FROM dav_corrected WHERE valuation_date <= (SELECT d FROM max_complete) GROUP BY valuation_date), month_end AS (SELECT DISTINCT ON (date_trunc('month', valuation_date)) date_trunc('month', valuation_date)::date AS month, nw, contrib FROM daily ORDER BY date_trunc('month', valuation_date), valuation_date DESC), deltas AS (SELECT month, nw, contrib, lag(nw) OVER (ORDER BY month) AS prev_nw, lag(contrib) OVER (ORDER BY month) AS prev_contrib FROM month_end) SELECT month::timestamp AS time, ROUND((contrib - prev_contrib)::numeric, 0) AS contributions, ROUND(((nw - prev_nw) - (contrib - prev_contrib))::numeric, 0) AS market_gain FROM deltas WHERE prev_nw IS NOT NULL ORDER BY month"
-            }
+          }
+        ]
+      },
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom",
+          "calcs": [
+            "last"
           ]
         },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "targets": [
         {
-          "id": 14,
-          "title": "Per-account ROI %",
-          "description": "(market value \u2212 net contribution) / net contribution \u00d7 100, latest snapshot. Excludes accounts with zero/negative net contribution (Schwab \u2014 RSU vests sold = negative contribution distorts the ratio). Pension shows 0% because Wealthfolio doesn't track underlying fund holdings, so cost_basis = 0 and 'growth' is just the cash balance reported.",
-          "type": "barchart",
+          "refId": "A",
           "datasource": {
             "type": "grafana-postgresql-datasource",
             "uid": "wealth-pg"
           },
-          "gridPos": {
-            "h": 10,
-            "w": 24,
-            "x": 0,
-            "y": 50
+          "format": "time_series",
+          "editorMode": "code",
+          "rawQuery": true,
+          "rawSql": "WITH active_count AS (SELECT COUNT(*) n FROM accounts), mc AS (SELECT MAX(valuation_date) d FROM (SELECT valuation_date, COUNT(*) c FROM dav_corrected GROUP BY valuation_date) x WHERE c>=(SELECT n FROM active_count)), daily AS (SELECT valuation_date, SUM(total_value) nw, SUM(net_contribution) contrib FROM dav_corrected WHERE valuation_date<=(SELECT d FROM mc) GROUP BY valuation_date), ye AS (SELECT DISTINCT ON (date_trunc('year',valuation_date)) date_trunc('year',valuation_date)::date yr, nw, contrib FROM daily ORDER BY date_trunc('year',valuation_date), valuation_date DESC), dd AS (SELECT yr, nw, contrib, lag(nw) OVER (ORDER BY yr) pnw, lag(contrib) OVER (ORDER BY yr) pc FROM ye) SELECT yr::timestamp AS \"time\", round((contrib-pc)::numeric,0) AS \"Contributions\", round(((nw-pnw)-(contrib-pc))::numeric,0) AS \"Market gain\", round((((nw-pnw)-(contrib-pc))/NULLIF(pnw+0.5*(contrib-pc),0)*100)::numeric,2) AS \"Return %\" FROM dd WHERE pnw IS NOT NULL ORDER BY yr"
+        }
+      ],
+      "timeFrom": "10y"
+    },
+    {
+      "id": 25,
+      "title": "Monthly contributions vs market gain",
+      "description": "Each month's net contributions vs market gain as two lines. Where the green (market) line crosses above the blue (contributions) line is when investments out-earn savings for that month. Months below zero on the green line = market drawdowns.",
+      "type": "timeseries",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 24,
+        "x": 0,
+        "y": 45
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
           },
-          "fieldConfig": {
-            "defaults": {
-              "color": {
-                "mode": "thresholds"
+          "unit": "currencyGBP",
+          "decimals": 0,
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 2,
+            "fillOpacity": 0,
+            "pointSize": 5,
+            "showPoints": "auto",
+            "spanNulls": true,
+            "axisPlacement": "auto",
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            }
+          }
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "contributions"
+            },
+            "properties": [
+              {
+                "id": "color",
+                "value": {
+                  "mode": "fixed",
+                  "fixedColor": "blue"
+                }
               },
-              "unit": "percent",
-              "decimals": 2,
-              "thresholds": {
-                "mode": "absolute",
-                "steps": [
-                  {
-                    "color": "red",
-                    "value": null
-                  },
-                  {
-                    "color": "yellow",
-                    "value": 0
-                  },
-                  {
-                    "color": "green",
-                    "value": 10
-                  }
-                ]
-              },
-              "custom": {
-                "axisPlacement": "auto",
-                "axisLabel": "",
-                "fillOpacity": 80,
-                "gradientMode": "none",
-                "lineWidth": 1
+              {
+                "id": "displayName",
+                "value": "Net contributions"
               }
-            },
-            "overrides": []
+            ]
           },
-          "options": {
-            "barRadius": 0,
-            "barWidth": 0.6,
-            "groupWidth": 0.7,
-            "orientation": "horizontal",
-            "showValue": "always",
-            "stacking": "none",
-            "xField": "account",
-            "legend": {
-              "displayMode": "list",
-              "placement": "bottom"
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "market_gain"
             },
-            "tooltip": {
-              "mode": "single",
-              "sort": "none"
-            }
-          },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
+            "properties": [
+              {
+                "id": "color",
+                "value": {
+                  "mode": "fixed",
+                  "fixedColor": "#56A64B"
+                }
               },
-              "rawQuery": true,
-              "editorMode": "code",
-              "format": "table",
-              "rawSql": "WITH latest AS (SELECT DISTINCT ON (d.account_id) a.name, d.total_value, d.net_contribution FROM dav_corrected d JOIN accounts a ON a.id = d.account_id ORDER BY d.account_id, d.valuation_date DESC) SELECT name AS account, ROUND(((total_value - net_contribution) / NULLIF(net_contribution, 0) * 100)::numeric, 2) AS roi_pct FROM latest WHERE net_contribution > 0 ORDER BY roi_pct DESC"
-            }
-          ]
+              {
+                "id": "displayName",
+                "value": "Market gain"
+              }
+            ]
+          }
+        ]
+      },
+      "options": {
+        "legend": {
+          "calcs": [
+            "last",
+            "sum"
+          ],
+          "displayMode": "table",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "grafana-postgresql-datasource",
+            "uid": "wealth-pg"
+          },
+          "rawQuery": true,
+          "editorMode": "code",
+          "format": "time_series",
+          "rawSql": "WITH active_count AS (SELECT COUNT(*) AS n FROM accounts), max_complete AS (SELECT MAX(valuation_date) AS d FROM (SELECT d.valuation_date, COUNT(*) AS c FROM dav_corrected d JOIN accounts a ON a.id = d.account_id GROUP BY d.valuation_date) x WHERE c >= (SELECT n FROM active_count)), daily AS (SELECT valuation_date, SUM(total_value) AS nw, SUM(net_contribution) AS contrib FROM dav_corrected WHERE valuation_date <= (SELECT d FROM max_complete) GROUP BY valuation_date), month_end AS (SELECT DISTINCT ON (date_trunc('month', valuation_date)) date_trunc('month', valuation_date)::date AS month, nw, contrib FROM daily ORDER BY date_trunc('month', valuation_date), valuation_date DESC), deltas AS (SELECT month, nw, contrib, lag(nw) OVER (ORDER BY month) AS prev_nw, lag(contrib) OVER (ORDER BY month) AS prev_contrib FROM month_end) SELECT month::timestamp AS time, ROUND((contrib - prev_contrib)::numeric, 0) AS contributions, ROUND(((nw - prev_nw) - (contrib - prev_contrib))::numeric, 0) AS market_gain FROM deltas WHERE prev_nw IS NOT NULL ORDER BY month"
+        }
+      ]
+    },
+    {
+      "id": 14,
+      "title": "Per-account ROI %",
+      "description": "(market value \u2212 net contribution) / net contribution \u00d7 100, latest snapshot. Excludes accounts with zero/negative net contribution (Schwab \u2014 RSU vests sold = negative contribution distorts the ratio). Pension shows 0% because Wealthfolio doesn't track underlying fund holdings, so cost_basis = 0 and 'growth' is just the cash balance reported.",
+      "type": "barchart",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 24,
+        "x": 0,
+        "y": 55
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "unit": "percent",
+          "decimals": 2,
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "red",
+                "value": null
+              },
+              {
+                "color": "yellow",
+                "value": 0
+              },
+              {
+                "color": "green",
+                "value": 10
+              }
+            ]
+          },
+          "custom": {
+            "axisPlacement": "auto",
+            "axisLabel": "",
+            "fillOpacity": 80,
+            "gradientMode": "none",
+            "lineWidth": 1
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "barRadius": 0,
+        "barWidth": 0.6,
+        "groupWidth": 0.7,
+        "orientation": "horizontal",
+        "showValue": "always",
+        "stacking": "none",
+        "xField": "account",
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "grafana-postgresql-datasource",
+            "uid": "wealth-pg"
+          },
+          "rawQuery": true,
+          "editorMode": "code",
+          "format": "table",
+          "rawSql": "WITH latest AS (SELECT DISTINCT ON (d.account_id) a.name, d.total_value, d.net_contribution FROM dav_corrected d JOIN accounts a ON a.id = d.account_id ORDER BY d.account_id, d.valuation_date DESC) SELECT name AS account, ROUND(((total_value - net_contribution) / NULLIF(net_contribution, 0) * 100)::numeric, 2) AS roi_pct FROM latest WHERE net_contribution > 0 ORDER BY roi_pct DESC"
         }
       ]
     },
     {
       "type": "row",
       "title": "Income vs market",
-      "collapsed": true,
+      "collapsed": false,
       "id": 9303,
       "gridPos": {
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 61
+        "y": 66
       },
-      "panels": [
-        {
-          "id": 32,
-          "title": "Net pay vs market gain (${grain})",
-          "description": "Active vs passive income. Net pay (payslips) vs market gain (portfolio). $grain = cumulative / yearly / monthly.",
-          "type": "timeseries",
-          "datasource": {
-            "type": "datasource",
-            "uid": "-- Mixed --"
+      "panels": []
+    },
+    {
+      "id": 32,
+      "title": "Net pay vs market gain (${grain})",
+      "description": "Active vs passive income. Net pay (payslips) vs market gain (portfolio). $grain = cumulative / yearly / monthly.",
+      "type": "timeseries",
+      "datasource": {
+        "type": "datasource",
+        "uid": "-- Mixed --"
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 24,
+        "x": 0,
+        "y": 67
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
           },
-          "gridPos": {
-            "h": 10,
-            "w": 24,
-            "x": 0,
-            "y": 62
-          },
-          "fieldConfig": {
-            "defaults": {
-              "color": {
-                "mode": "palette-classic"
-              },
-              "unit": "currencyGBP",
-              "decimals": 0,
-              "custom": {
-                "drawStyle": "line",
-                "lineWidth": 2,
-                "fillOpacity": 10,
-                "gradientMode": "opacity",
-                "pointSize": 5,
-                "showPoints": "never",
-                "spanNulls": true,
-                "axisPlacement": "auto",
-                "stacking": {
-                  "group": "A",
-                  "mode": "none"
-                }
-              }
+          "unit": "currencyGBP",
+          "decimals": 0,
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 2,
+            "fillOpacity": 10,
+            "gradientMode": "opacity",
+            "pointSize": 5,
+            "showPoints": "never",
+            "spanNulls": true,
+            "axisPlacement": "auto",
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            }
+          }
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "net_pay_cum"
             },
-            "overrides": [
+            "properties": [
               {
-                "matcher": {
-                  "id": "byName",
-                  "options": "net_pay_cum"
-                },
-                "properties": [
-                  {
-                    "id": "displayName",
-                    "value": "Net pay earned (cumulative)"
-                  },
-                  {
-                    "id": "color",
-                    "value": {
-                      "mode": "fixed",
-                      "fixedColor": "blue"
-                    }
-                  }
-                ]
+                "id": "displayName",
+                "value": "Net pay earned (cumulative)"
               },
               {
-                "matcher": {
-                  "id": "byName",
-                  "options": "market_gain_cum"
-                },
-                "properties": [
-                  {
-                    "id": "displayName",
-                    "value": "Market gains (cumulative)"
-                  },
-                  {
-                    "id": "color",
-                    "value": {
-                      "mode": "fixed",
-                      "fixedColor": "#56A64B"
-                    }
-                  }
-                ]
+                "id": "color",
+                "value": {
+                  "mode": "fixed",
+                  "fixedColor": "blue"
+                }
               }
             ]
           },
-          "options": {
-            "legend": {
-              "calcs": [
-                "last",
-                "max"
-              ],
-              "displayMode": "table",
-              "placement": "bottom"
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "market_gain_cum"
             },
-            "tooltip": {
-              "mode": "multi",
-              "sort": "desc"
-            }
+            "properties": [
+              {
+                "id": "displayName",
+                "value": "Market gains (cumulative)"
+              },
+              {
+                "id": "color",
+                "value": {
+                  "mode": "fixed",
+                  "fixedColor": "#56A64B"
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "options": {
+        "legend": {
+          "calcs": [
+            "last",
+            "max"
+          ],
+          "displayMode": "table",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "grafana-postgresql-datasource",
+            "uid": "payslips-pg"
           },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "payslips-pg"
-              },
-              "format": "time_series",
-              "editorMode": "code",
-              "rawQuery": true,
-              "rawSql": "WITH p AS (SELECT date_trunc(CASE '$grain' WHEN 'yearly' THEN 'year' ELSE 'month' END, pay_date) bucket, SUM(net_pay) np FROM payslip_ingest.payslip GROUP BY 1) SELECT bucket::timestamp AS \"time\", CASE WHEN '$grain'='cumulative' THEN SUM(np) OVER (ORDER BY bucket) ELSE np END AS \"Net pay\" FROM p ORDER BY bucket"
-            },
-            {
-              "refId": "B",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
-              },
-              "format": "time_series",
-              "editorMode": "code",
-              "rawQuery": true,
-              "rawSql": "WITH active_count AS (SELECT COUNT(*) n FROM accounts), mc AS (SELECT MAX(valuation_date) d FROM (SELECT valuation_date, COUNT(*) c FROM dav_corrected GROUP BY valuation_date) x WHERE c>=(SELECT n FROM active_count)), daily AS (SELECT valuation_date, SUM(total_value) nw, SUM(net_contribution) contrib FROM dav_corrected WHERE valuation_date<=(SELECT d FROM mc) GROUP BY valuation_date), pe AS (SELECT DISTINCT ON (date_trunc(CASE '$grain' WHEN 'yearly' THEN 'year' ELSE 'month' END, valuation_date)) date_trunc(CASE '$grain' WHEN 'yearly' THEN 'year' ELSE 'month' END, valuation_date)::date bucket, nw, contrib FROM daily ORDER BY date_trunc(CASE '$grain' WHEN 'yearly' THEN 'year' ELSE 'month' END, valuation_date), valuation_date DESC), dd AS (SELECT bucket, (nw-lag(nw) OVER (ORDER BY bucket))-(contrib-lag(contrib) OVER (ORDER BY bucket)) mg FROM pe) SELECT bucket::timestamp AS \"time\", CASE WHEN '$grain'='cumulative' THEN SUM(mg) OVER (ORDER BY bucket) ELSE mg END AS \"Market gain\" FROM dd WHERE mg IS NOT NULL ORDER BY bucket"
-            }
-          ]
+          "format": "time_series",
+          "editorMode": "code",
+          "rawQuery": true,
+          "rawSql": "WITH p AS (SELECT date_trunc(CASE '$grain' WHEN 'yearly' THEN 'year' ELSE 'month' END, pay_date) bucket, SUM(net_pay) np FROM payslip_ingest.payslip GROUP BY 1) SELECT bucket::timestamp AS \"time\", CASE WHEN '$grain'='cumulative' THEN SUM(np) OVER (ORDER BY bucket) ELSE np END AS \"Net pay\" FROM p ORDER BY bucket"
+        },
+        {
+          "refId": "B",
+          "datasource": {
+            "type": "grafana-postgresql-datasource",
+            "uid": "wealth-pg"
+          },
+          "format": "time_series",
+          "editorMode": "code",
+          "rawQuery": true,
+          "rawSql": "WITH active_count AS (SELECT COUNT(*) n FROM accounts), mc AS (SELECT MAX(valuation_date) d FROM (SELECT valuation_date, COUNT(*) c FROM dav_corrected GROUP BY valuation_date) x WHERE c>=(SELECT n FROM active_count)), daily AS (SELECT valuation_date, SUM(total_value) nw, SUM(net_contribution) contrib FROM dav_corrected WHERE valuation_date<=(SELECT d FROM mc) GROUP BY valuation_date), pe AS (SELECT DISTINCT ON (date_trunc(CASE '$grain' WHEN 'yearly' THEN 'year' ELSE 'month' END, valuation_date)) date_trunc(CASE '$grain' WHEN 'yearly' THEN 'year' ELSE 'month' END, valuation_date)::date bucket, nw, contrib FROM daily ORDER BY date_trunc(CASE '$grain' WHEN 'yearly' THEN 'year' ELSE 'month' END, valuation_date), valuation_date DESC), dd AS (SELECT bucket, (nw-lag(nw) OVER (ORDER BY bucket))-(contrib-lag(contrib) OVER (ORDER BY bucket)) mg FROM pe) SELECT bucket::timestamp AS \"time\", CASE WHEN '$grain'='cumulative' THEN SUM(mg) OVER (ORDER BY bucket) ELSE mg END AS \"Market gain\" FROM dd WHERE mg IS NOT NULL ORDER BY bucket"
         }
       ]
     },
     {
       "type": "row",
       "title": "Holdings",
-      "collapsed": true,
+      "collapsed": false,
       "id": 9304,
       "gridPos": {
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 73
+        "y": 78
       },
-      "panels": [
-        {
-          "id": 26,
-          "title": "Positions",
-          "description": "Currently-held positions: shares, cost basis, latest market price, and unrealised return. Latest holdings_snapshots TOTAL aggregate + latest quote per asset.",
-          "type": "table",
-          "datasource": {
-            "type": "grafana-postgresql-datasource",
-            "uid": "wealth-pg"
-          },
-          "gridPos": {
-            "h": 10,
-            "w": 12,
-            "x": 0,
-            "y": 74
-          },
-          "fieldConfig": {
-            "defaults": {
-              "custom": {
-                "align": "auto",
-                "displayMode": "auto"
-              }
-            },
-            "overrides": [
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "shares"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "avg cost"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  },
-                  {
-                    "id": "unit",
-                    "value": "currencyGBP"
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "last"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  },
-                  {
-                    "id": "unit",
-                    "value": "currencyGBP"
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "market value"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  },
-                  {
-                    "id": "unit",
-                    "value": "currencyGBP"
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "cost"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  },
-                  {
-                    "id": "unit",
-                    "value": "currencyGBP"
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "gain"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  },
-                  {
-                    "id": "unit",
-                    "value": "currencyGBP"
-                  },
-                  {
-                    "id": "custom.cellOptions",
-                    "value": {
-                      "type": "color-text"
-                    }
-                  },
-                  {
-                    "id": "thresholds",
-                    "value": {
-                      "mode": "absolute",
-                      "steps": [
-                        {
-                          "color": "red",
-                          "value": null
-                        },
-                        {
-                          "color": "green",
-                          "value": 0
-                        }
-                      ]
-                    }
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "return %"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  },
-                  {
-                    "id": "unit",
-                    "value": "percent"
-                  },
-                  {
-                    "id": "custom.cellOptions",
-                    "value": {
-                      "type": "color-text"
-                    }
-                  },
-                  {
-                    "id": "thresholds",
-                    "value": {
-                      "mode": "absolute",
-                      "steps": [
-                        {
-                          "color": "red",
-                          "value": null
-                        },
-                        {
-                          "color": "green",
-                          "value": 0
-                        }
-                      ]
-                    }
-                  }
-                ]
-              }
-            ]
-          },
-          "options": {
-            "cellHeight": "sm",
-            "footer": {
-              "show": false
-            }
-          },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
-              },
-              "rawQuery": true,
-              "editorMode": "code",
-              "format": "table",
-              "rawSql": "SELECT a.symbol, a.name, p.quantity AS shares, p.average_cost AS \"avg cost\", q.close AS \"last\", (p.quantity * q.close) AS \"market value\", p.total_cost_basis AS cost, ((p.quantity * q.close) - p.total_cost_basis) AS gain, CASE WHEN p.total_cost_basis > 0 THEN ((p.quantity * q.close) / p.total_cost_basis - 1) * 100 END AS \"return %\", p.currency, q.day AS \"as of\" FROM positions_latest p LEFT JOIN assets a ON a.id = p.asset_id LEFT JOIN quote_latest q ON q.asset_id = p.asset_id ORDER BY (p.quantity * q.close) DESC NULLS LAST"
-            }
-          ]
+      "panels": []
+    },
+    {
+      "id": 26,
+      "title": "Positions",
+      "description": "Currently-held positions: shares, cost basis, latest market price, and unrealised return. Latest holdings_snapshots TOTAL aggregate + latest quote per asset.",
+      "type": "table",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 79
+      },
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "align": "auto",
+            "displayMode": "auto"
+          }
         },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "shares"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "avg cost"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              },
+              {
+                "id": "unit",
+                "value": "currencyGBP"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "last"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              },
+              {
+                "id": "unit",
+                "value": "currencyGBP"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "market value"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              },
+              {
+                "id": "unit",
+                "value": "currencyGBP"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "cost"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              },
+              {
+                "id": "unit",
+                "value": "currencyGBP"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "gain"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              },
+              {
+                "id": "unit",
+                "value": "currencyGBP"
+              },
+              {
+                "id": "custom.cellOptions",
+                "value": {
+                  "type": "color-text"
+                }
+              },
+              {
+                "id": "thresholds",
+                "value": {
+                  "mode": "absolute",
+                  "steps": [
+                    {
+                      "color": "red",
+                      "value": null
+                    },
+                    {
+                      "color": "green",
+                      "value": 0
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "return %"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              },
+              {
+                "id": "unit",
+                "value": "percent"
+              },
+              {
+                "id": "custom.cellOptions",
+                "value": {
+                  "type": "color-text"
+                }
+              },
+              {
+                "id": "thresholds",
+                "value": {
+                  "mode": "absolute",
+                  "steps": [
+                    {
+                      "color": "red",
+                      "value": null
+                    },
+                    {
+                      "color": "green",
+                      "value": 0
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "options": {
+        "cellHeight": "sm",
+        "footer": {
+          "show": false
+        }
+      },
+      "targets": [
         {
-          "id": 10,
-          "title": "Activity log",
-          "description": "Recent activities (BUY / SELL / DEPOSIT / WITHDRAWAL / DIVIDEND / etc.) across all accounts. Limited to 100 most recent.",
-          "type": "table",
+          "refId": "A",
           "datasource": {
             "type": "grafana-postgresql-datasource",
             "uid": "wealth-pg"
           },
-          "gridPos": {
-            "h": 10,
-            "w": 12,
-            "x": 12,
-            "y": 74
-          },
-          "fieldConfig": {
-            "defaults": {
-              "custom": {
-                "align": "auto",
-                "displayMode": "auto"
-              }
+          "rawQuery": true,
+          "editorMode": "code",
+          "format": "table",
+          "rawSql": "SELECT a.symbol, a.name, p.quantity AS shares, p.average_cost AS \"avg cost\", q.close AS \"last\", (p.quantity * q.close) AS \"market value\", p.total_cost_basis AS cost, ((p.quantity * q.close) - p.total_cost_basis) AS gain, CASE WHEN p.total_cost_basis > 0 THEN ((p.quantity * q.close) / p.total_cost_basis - 1) * 100 END AS \"return %\", p.currency, q.day AS \"as of\" FROM positions_latest p LEFT JOIN assets a ON a.id = p.asset_id LEFT JOIN quote_latest q ON q.asset_id = p.asset_id ORDER BY (p.quantity * q.close) DESC NULLS LAST"
+        }
+      ]
+    },
+    {
+      "id": 10,
+      "title": "Activity log",
+      "description": "Recent activities (BUY / SELL / DEPOSIT / WITHDRAWAL / DIVIDEND / etc.) across all accounts. Limited to 100 most recent.",
+      "type": "table",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 79
+      },
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "align": "auto",
+            "displayMode": "auto"
+          }
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "amount"
             },
-            "overrides": [
+            "properties": [
               {
-                "matcher": {
-                  "id": "byName",
-                  "options": "amount"
-                },
-                "properties": [
-                  {
-                    "id": "unit",
-                    "value": "currencyGBP"
-                  }
-                ]
+                "id": "unit",
+                "value": "currencyGBP"
               }
             ]
+          }
+        ]
+      },
+      "options": {
+        "cellHeight": "sm",
+        "footer": {
+          "show": false
+        }
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "grafana-postgresql-datasource",
+            "uid": "wealth-pg"
           },
-          "options": {
-            "cellHeight": "sm",
-            "footer": {
-              "show": false
-            }
-          },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
-              },
-              "rawQuery": true,
-              "editorMode": "code",
-              "format": "table",
-              "rawSql": "SELECT a.activity_date AS \"date\", acc.name AS \"account\", a.activity_type AS \"type\", a.asset_id AS \"asset\", a.quantity AS \"qty\", a.unit_price AS \"unit_price\", a.amount AS \"amount\", a.currency AS \"ccy\", a.notes AS \"notes\" FROM activities a LEFT JOIN accounts acc ON acc.id = a.account_id WHERE $__timeFilter(a.activity_date) ORDER BY a.activity_date DESC LIMIT 100"
-            }
-          ]
+          "rawQuery": true,
+          "editorMode": "code",
+          "format": "table",
+          "rawSql": "SELECT a.activity_date AS \"date\", acc.name AS \"account\", a.activity_type AS \"type\", a.asset_id AS \"asset\", a.quantity AS \"qty\", a.unit_price AS \"unit_price\", a.amount AS \"amount\", a.currency AS \"ccy\", a.notes AS \"notes\" FROM activities a LEFT JOIN accounts acc ON acc.id = a.account_id WHERE $__timeFilter(a.activity_date) ORDER BY a.activity_date DESC LIMIT 100"
         }
       ]
     },
     {
       "type": "row",
       "title": "RSUs (META)",
-      "collapsed": true,
+      "collapsed": false,
       "id": 9305,
       "gridPos": {
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 85
+        "y": 90
       },
-      "panels": [
+      "panels": []
+    },
+    {
+      "id": 30,
+      "title": "META vest cadence \u2014 value vs share count (per vest event)",
+      "description": "Per-vest event timeline. Left axis (USD): vest value = shares \u00d7 vest-day META price. Right axis: number of shares vested. Each point is one vest date (sometimes a single date has multiple BUY rows \u2014 aggregated here).",
+      "type": "timeseries",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 0,
+        "y": 91
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "decimals": 0,
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 2,
+            "lineInterpolation": "linear",
+            "fillOpacity": 10,
+            "pointSize": 7,
+            "showPoints": "always",
+            "spanNulls": true,
+            "axisPlacement": "auto",
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            }
+          }
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "vest value"
+            },
+            "properties": [
+              {
+                "id": "unit",
+                "value": "currencyUSD"
+              },
+              {
+                "id": "color",
+                "value": {
+                  "mode": "fixed",
+                  "fixedColor": "blue"
+                }
+              },
+              {
+                "id": "custom.axisLabel",
+                "value": "Vest value (USD)"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "shares"
+            },
+            "properties": [
+              {
+                "id": "unit",
+                "value": "short"
+              },
+              {
+                "id": "color",
+                "value": {
+                  "mode": "fixed",
+                  "fixedColor": "orange"
+                }
+              },
+              {
+                "id": "custom.axisPlacement",
+                "value": "right"
+              },
+              {
+                "id": "custom.axisLabel",
+                "value": "Shares vested"
+              }
+            ]
+          }
+        ]
+      },
+      "options": {
+        "legend": {
+          "calcs": [
+            "sum",
+            "max"
+          ],
+          "displayMode": "table",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "none"
+        }
+      },
+      "targets": [
         {
-          "id": 30,
-          "title": "META vest cadence \u2014 value vs share count (per vest event)",
-          "description": "Per-vest event timeline. Left axis (USD): vest value = shares \u00d7 vest-day META price. Right axis: number of shares vested. Each point is one vest date (sometimes a single date has multiple BUY rows \u2014 aggregated here).",
-          "type": "timeseries",
+          "refId": "A",
           "datasource": {
             "type": "grafana-postgresql-datasource",
             "uid": "wealth-pg"
           },
-          "gridPos": {
-            "h": 9,
-            "w": 12,
-            "x": 0,
-            "y": 86
+          "rawQuery": true,
+          "editorMode": "code",
+          "format": "time_series",
+          "rawSql": "SELECT activity_date::date::timestamp AS \"time\", SUM(quantity*unit_price) AS \"vest value\", SUM(quantity) AS \"shares\" FROM activities WHERE asset_id='4f60833d-0bfb-484f-8ee6-f129af72e137' AND activity_type='BUY' GROUP BY activity_date::date ORDER BY activity_date::date"
+        }
+      ]
+    },
+    {
+      "id": 31,
+      "title": "META vests \u2014 realized PNL (FIFO-matched against sells)",
+      "description": "One row per vest with realized P&L computed by FIFO-matching that vest's shares against subsequent sells. Each vest's shares may be spread across multiple sells; the matched sell-price column is the weighted average. 'Avg days held' is the average gap between this vest's date and the sell dates that consumed its shares. Compare against panel 28 to see realized vs hypo-if-held.",
+      "type": "table",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 12,
+        "w": 12,
+        "x": 12,
+        "y": 91
+      },
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "align": "auto",
+            "displayMode": "auto"
           },
-          "fieldConfig": {
-            "defaults": {
-              "color": {
-                "mode": "palette-classic"
+          "decimals": 2
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "shares sold"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "vest price"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
               },
-              "decimals": 0,
-              "custom": {
-                "drawStyle": "line",
-                "lineWidth": 2,
-                "lineInterpolation": "linear",
-                "fillOpacity": 10,
-                "pointSize": 7,
-                "showPoints": "always",
-                "spanNulls": true,
-                "axisPlacement": "auto",
-                "stacking": {
-                  "group": "A",
-                  "mode": "none"
+              {
+                "id": "unit",
+                "value": "currencyUSD"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "vest value"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              },
+              {
+                "id": "unit",
+                "value": "currencyUSD"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "avg sell price"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              },
+              {
+                "id": "unit",
+                "value": "currencyUSD"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "sell value"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              },
+              {
+                "id": "unit",
+                "value": "currencyUSD"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "realized PNL"
+            },
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 2
+              },
+              {
+                "id": "unit",
+                "value": "currencyUSD"
+              },
+              {
+                "id": "custom.cellOptions",
+                "value": {
+                  "type": "color-text"
+                }
+              },
+              {
+                "id": "thresholds",
+                "value": {
+                  "mode": "absolute",
+                  "steps": [
+                    {
+                      "color": "red",
+                      "value": null
+                    },
+                    {
+                      "color": "green",
+                      "value": 0
+                    }
+                  ]
                 }
               }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "PNL %"
             },
-            "overrides": [
+            "properties": [
               {
-                "matcher": {
-                  "id": "byName",
-                  "options": "vest value"
-                },
-                "properties": [
-                  {
-                    "id": "unit",
-                    "value": "currencyUSD"
-                  },
-                  {
-                    "id": "color",
-                    "value": {
-                      "mode": "fixed",
-                      "fixedColor": "blue"
-                    }
-                  },
-                  {
-                    "id": "custom.axisLabel",
-                    "value": "Vest value (USD)"
-                  }
-                ]
+                "id": "decimals",
+                "value": 1
               },
               {
-                "matcher": {
-                  "id": "byName",
-                  "options": "shares"
-                },
-                "properties": [
-                  {
-                    "id": "unit",
-                    "value": "short"
-                  },
-                  {
-                    "id": "color",
-                    "value": {
-                      "mode": "fixed",
-                      "fixedColor": "orange"
+                "id": "unit",
+                "value": "percent"
+              },
+              {
+                "id": "custom.cellOptions",
+                "value": {
+                  "type": "color-text"
+                }
+              },
+              {
+                "id": "thresholds",
+                "value": {
+                  "mode": "absolute",
+                  "steps": [
+                    {
+                      "color": "red",
+                      "value": null
+                    },
+                    {
+                      "color": "green",
+                      "value": 0
                     }
-                  },
-                  {
-                    "id": "custom.axisPlacement",
-                    "value": "right"
-                  },
-                  {
-                    "id": "custom.axisLabel",
-                    "value": "Shares vested"
-                  }
-                ]
+                  ]
+                }
               }
             ]
           },
-          "options": {
-            "legend": {
-              "calcs": [
-                "sum",
-                "max"
-              ],
-              "displayMode": "table",
-              "placement": "bottom"
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "days held (avg)"
             },
-            "tooltip": {
-              "mode": "multi",
-              "sort": "none"
-            }
-          },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
+            "properties": [
+              {
+                "id": "decimals",
+                "value": 0
               },
-              "rawQuery": true,
-              "editorMode": "code",
-              "format": "time_series",
-              "rawSql": "SELECT activity_date::date::timestamp AS \"time\", SUM(quantity*unit_price) AS \"vest value\", SUM(quantity) AS \"shares\" FROM activities WHERE asset_id='4f60833d-0bfb-484f-8ee6-f129af72e137' AND activity_type='BUY' GROUP BY activity_date::date ORDER BY activity_date::date"
-            }
+              {
+                "id": "unit",
+                "value": "d"
+              }
+            ]
+          }
+        ]
+      },
+      "options": {
+        "cellHeight": "sm",
+        "footer": {
+          "show": true,
+          "reducer": [
+            "sum"
+          ],
+          "fields": [
+            "shares sold",
+            "vest value",
+            "sell value",
+            "realized PNL"
           ]
-        },
+        }
+      },
+      "targets": [
         {
-          "id": 31,
-          "title": "META vests \u2014 realized PNL (FIFO-matched against sells)",
-          "description": "One row per vest with realized P&L computed by FIFO-matching that vest's shares against subsequent sells. Each vest's shares may be spread across multiple sells; the matched sell-price column is the weighted average. 'Avg days held' is the average gap between this vest's date and the sell dates that consumed its shares. Compare against panel 28 to see realized vs hypo-if-held.",
-          "type": "table",
+          "refId": "A",
           "datasource": {
             "type": "grafana-postgresql-datasource",
             "uid": "wealth-pg"
           },
-          "gridPos": {
-            "h": 12,
-            "w": 12,
-            "x": 12,
-            "y": 86
-          },
-          "fieldConfig": {
-            "defaults": {
-              "custom": {
-                "align": "auto",
-                "displayMode": "auto"
-              },
-              "decimals": 2
-            },
-            "overrides": [
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "shares sold"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "vest price"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  },
-                  {
-                    "id": "unit",
-                    "value": "currencyUSD"
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "vest value"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  },
-                  {
-                    "id": "unit",
-                    "value": "currencyUSD"
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "avg sell price"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  },
-                  {
-                    "id": "unit",
-                    "value": "currencyUSD"
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "sell value"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  },
-                  {
-                    "id": "unit",
-                    "value": "currencyUSD"
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "realized PNL"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 2
-                  },
-                  {
-                    "id": "unit",
-                    "value": "currencyUSD"
-                  },
-                  {
-                    "id": "custom.cellOptions",
-                    "value": {
-                      "type": "color-text"
-                    }
-                  },
-                  {
-                    "id": "thresholds",
-                    "value": {
-                      "mode": "absolute",
-                      "steps": [
-                        {
-                          "color": "red",
-                          "value": null
-                        },
-                        {
-                          "color": "green",
-                          "value": 0
-                        }
-                      ]
-                    }
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "PNL %"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 1
-                  },
-                  {
-                    "id": "unit",
-                    "value": "percent"
-                  },
-                  {
-                    "id": "custom.cellOptions",
-                    "value": {
-                      "type": "color-text"
-                    }
-                  },
-                  {
-                    "id": "thresholds",
-                    "value": {
-                      "mode": "absolute",
-                      "steps": [
-                        {
-                          "color": "red",
-                          "value": null
-                        },
-                        {
-                          "color": "green",
-                          "value": 0
-                        }
-                      ]
-                    }
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "days held (avg)"
-                },
-                "properties": [
-                  {
-                    "id": "decimals",
-                    "value": 0
-                  },
-                  {
-                    "id": "unit",
-                    "value": "d"
-                  }
-                ]
-              }
-            ]
-          },
-          "options": {
-            "cellHeight": "sm",
-            "footer": {
-              "show": true,
-              "reducer": [
-                "sum"
-              ],
-              "fields": [
-                "shares sold",
-                "vest value",
-                "sell value",
-                "realized PNL"
-              ]
-            }
-          },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
-              },
-              "rawQuery": true,
-              "editorMode": "code",
-              "format": "table",
-              "rawSql": "WITH lots AS (SELECT id, activity_date::date AS vest_date, quantity, unit_price AS vest_price, SUM(quantity) OVER (ORDER BY activity_date, id) AS lot_end, SUM(quantity) OVER (ORDER BY activity_date, id) - quantity AS lot_start FROM activities WHERE asset_id='4f60833d-0bfb-484f-8ee6-f129af72e137' AND activity_type='BUY'), sells AS (SELECT activity_date::date AS sell_date, quantity AS sell_qty, unit_price AS sell_price, SUM(quantity) OVER (ORDER BY activity_date, id) AS sell_end, SUM(quantity) OVER (ORDER BY activity_date, id) - quantity AS sell_start FROM activities WHERE asset_id='4f60833d-0bfb-484f-8ee6-f129af72e137' AND activity_type='SELL'), matched AS (SELECT l.vest_date, l.vest_price, s.sell_date, s.sell_price, GREATEST(LEAST(l.lot_end, s.sell_end) - GREATEST(l.lot_start, s.sell_start), 0::numeric) AS qty FROM lots l CROSS JOIN sells s WHERE LEAST(l.lot_end, s.sell_end) > GREATEST(l.lot_start, s.sell_start)) SELECT vest_date, SUM(qty) AS \"shares sold\", (SUM(qty*vest_price)/NULLIF(SUM(qty),0)) AS \"vest price\", SUM(qty*vest_price) AS \"vest value\", (SUM(qty*sell_price)/NULLIF(SUM(qty),0)) AS \"avg sell price\", SUM(qty*sell_price) AS \"sell value\", SUM(qty*(sell_price-vest_price)) AS \"realized PNL\", (SUM(qty*(sell_price-vest_price))/NULLIF(SUM(qty*vest_price),0)*100) AS \"PNL %\", AVG((sell_date-vest_date)) AS \"days held (avg)\" FROM matched GROUP BY vest_date ORDER BY vest_date"
-            }
-          ]
+          "rawQuery": true,
+          "editorMode": "code",
+          "format": "table",
+          "rawSql": "WITH lots AS (SELECT id, activity_date::date AS vest_date, quantity, unit_price AS vest_price, SUM(quantity) OVER (ORDER BY activity_date, id) AS lot_end, SUM(quantity) OVER (ORDER BY activity_date, id) - quantity AS lot_start FROM activities WHERE asset_id='4f60833d-0bfb-484f-8ee6-f129af72e137' AND activity_type='BUY'), sells AS (SELECT activity_date::date AS sell_date, quantity AS sell_qty, unit_price AS sell_price, SUM(quantity) OVER (ORDER BY activity_date, id) AS sell_end, SUM(quantity) OVER (ORDER BY activity_date, id) - quantity AS sell_start FROM activities WHERE asset_id='4f60833d-0bfb-484f-8ee6-f129af72e137' AND activity_type='SELL'), matched AS (SELECT l.vest_date, l.vest_price, s.sell_date, s.sell_price, GREATEST(LEAST(l.lot_end, s.sell_end) - GREATEST(l.lot_start, s.sell_start), 0::numeric) AS qty FROM lots l CROSS JOIN sells s WHERE LEAST(l.lot_end, s.sell_end) > GREATEST(l.lot_start, s.sell_start)) SELECT vest_date, SUM(qty) AS \"shares sold\", (SUM(qty*vest_price)/NULLIF(SUM(qty),0)) AS \"vest price\", SUM(qty*vest_price) AS \"vest value\", (SUM(qty*sell_price)/NULLIF(SUM(qty),0)) AS \"avg sell price\", SUM(qty*sell_price) AS \"sell value\", SUM(qty*(sell_price-vest_price)) AS \"realized PNL\", (SUM(qty*(sell_price-vest_price))/NULLIF(SUM(qty*vest_price),0)*100) AS \"PNL %\", AVG((sell_date-vest_date)) AS \"days held (avg)\" FROM matched GROUP BY vest_date ORDER BY vest_date"
         }
       ]
     },
     {
       "type": "row",
       "title": "Projections",
-      "collapsed": true,
+      "collapsed": false,
       "id": 9306,
       "gridPos": {
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 99
+        "y": 104
       },
-      "panels": [
+      "panels": []
+    },
+    {
+      "id": 9103,
+      "title": "Net worth \u2014 ${horizon_years}-year projection",
+      "description": "Projected net worth at Low/Base/High fixed rates plus your trailing-3y historical return, all compounding from today with your auto monthly contribution (set $monthly_contribution=0 for pure compounding; 'Base, no new contributions' shows the same base rate with zero contributions). NOTE: set the time range to include the future (use the links above) to see the projection.",
+      "type": "trend",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 12,
+        "w": 24,
+        "x": 0,
+        "y": 105
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "currencyGBP",
+          "decimals": 0,
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 2,
+            "fillOpacity": 0,
+            "showPoints": "never",
+            "lineInterpolation": "smooth"
+          }
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byRegexp",
+              "options": "^(Low|Base \\(|High|Historical)"
+            },
+            "properties": [
+              {
+                "id": "custom.lineStyle",
+                "value": {
+                  "fill": "dash",
+                  "dash": [
+                    10,
+                    10
+                  ]
+                }
+              },
+              {
+                "id": "custom.lineWidth",
+                "value": 1
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Base, no new contributions"
+            },
+            "properties": [
+              {
+                "id": "custom.lineStyle",
+                "value": {
+                  "fill": "dot",
+                  "dash": [
+                    2,
+                    6
+                  ]
+                }
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Years from today"
+            },
+            "properties": [
+              {
+                "id": "unit",
+                "value": "none"
+              },
+              {
+                "id": "custom.axisLabel",
+                "value": "Years from today"
+              }
+            ]
+          }
+        ]
+      },
+      "options": {
+        "xField": "Years from today",
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
         {
-          "id": 9103,
-          "title": "Net worth \u2014 ${horizon_years}-year projection",
-          "description": "Projected net worth at Low/Base/High fixed rates plus your trailing-3y historical return, all compounding from today with your auto monthly contribution (set $monthly_contribution=0 for pure compounding; 'Base, no new contributions' shows the same base rate with zero contributions). NOTE: set the time range to include the future (use the links above) to see the projection.",
-          "type": "trend",
+          "refId": "A",
           "datasource": {
             "type": "grafana-postgresql-datasource",
             "uid": "wealth-pg"
           },
-          "gridPos": {
-            "h": 12,
-            "w": 24,
-            "x": 0,
-            "y": 100
-          },
-          "fieldConfig": {
-            "defaults": {
-              "unit": "currencyGBP",
-              "decimals": 0,
-              "custom": {
-                "drawStyle": "line",
-                "lineWidth": 2,
-                "fillOpacity": 0,
-                "showPoints": "never",
-                "lineInterpolation": "smooth"
-              }
+          "format": "table",
+          "editorMode": "code",
+          "rawQuery": true,
+          "rawSql": "WITH active_count AS (SELECT COUNT(*) n FROM accounts), mc AS (SELECT MAX(valuation_date) d FROM (SELECT valuation_date, COUNT(*) c FROM dav_corrected GROUP BY valuation_date) x WHERE c >= (SELECT n FROM active_count)), latest AS (SELECT DISTINCT ON (account_id) account_id, total_value, net_contribution FROM dav_corrected WHERE valuation_date <= (SELECT d FROM mc) ORDER BY account_id, valuation_date DESC), agg AS (SELECT SUM(total_value) nw0, SUM(net_contribution) c_now FROM latest), ago AS (SELECT SUM(x.nc) c_ago FROM latest l LEFT JOIN LATERAL (SELECT net_contribution nc FROM dav_corrected dd WHERE dd.account_id=l.account_id AND dd.valuation_date <= (SELECT d FROM mc) - INTERVAL '12 months' ORDER BY dd.valuation_date DESC LIMIT 1) x ON true), yearly AS (SELECT EXTRACT(YEAR FROM valuation_date)::int yr, valuation_date, SUM(total_value) nw, SUM(net_contribution) contrib FROM dav_corrected WHERE valuation_date <= (SELECT d FROM mc) GROUP BY valuation_date), ep AS (SELECT yr, (array_agg(nw ORDER BY valuation_date))[1] nw_s, (array_agg(nw ORDER BY valuation_date DESC))[1] nw_e, (array_agg(contrib ORDER BY valuation_date))[1] c_s, (array_agg(contrib ORDER BY valuation_date DESC))[1] c_e, COUNT(*) days FROM yearly GROUP BY yr), r3 AS (SELECT (nw_e-nw_s-(c_e-c_s))/NULLIF(nw_s+0.5*(c_e-c_s),0) ret FROM ep WHERE (nw_s+0.5*(c_e-c_s))>0 AND days>=300 ORDER BY yr DESC LIMIT 3), params AS (SELECT (SELECT nw0 FROM agg) nw0, COALESCE(NULLIF('$monthly_contribution','auto')::numeric, ((SELECT c_now FROM agg)-(SELECT c_ago FROM ago))/12.0) cm, ($rate_low::float)/100 rl, ($rate_base::float)/100 rb, ($rate_high::float)/100 rh, (SELECT exp(avg(ln(1+ret)))-1 FROM r3) rhist), m AS (SELECT generate_series(0, ${horizon_years}*12) n) SELECT round((m.n/12.0)::numeric,2) AS \"Years from today\", round((nw0*power(1+(power(1+rl,1/12.0)-1),m.n) + cm*((power(1+(power(1+rl,1/12.0)-1),m.n)-1)/NULLIF((power(1+rl,1/12.0)-1),0)))::numeric,0) AS \"Low ($rate_low%)\", round((nw0*power(1+(power(1+rb,1/12.0)-1),m.n) + cm*((power(1+(power(1+rb,1/12.0)-1),m.n)-1)/NULLIF((power(1+rb,1/12.0)-1),0)))::numeric,0) AS \"Base ($rate_base%)\", round((nw0*power(1+(power(1+rb,1/12.0)-1),m.n))::numeric,0) AS \"Base, no new contributions\", round((nw0*power(1+(power(1+rh,1/12.0)-1),m.n) + cm*((power(1+(power(1+rh,1/12.0)-1),m.n)-1)/NULLIF((power(1+rh,1/12.0)-1),0)))::numeric,0) AS \"High ($rate_high%)\", round((nw0*power(1+(power(1+rhist,1/12.0)-1),m.n) + cm*((power(1+(power(1+rhist,1/12.0)-1),m.n)-1)/NULLIF((power(1+rhist,1/12.0)-1),0)))::numeric,0) AS \"Historical (trailing 3y)\" FROM m, params"
+        }
+      ]
+    },
+    {
+      "id": 9220,
+      "title": "Spend-down to \u00a30 at age 100 (today's \u00a3)",
+      "description": "How much you can spend in TODAY'S MONEY (constant purchasing power, inflation-adjusted) to drain your net worth (pension included) to \u00a30 by your 100th birthday (2098-10-04). Each row holds your spending power flat for life \u2014 the actual pounds withdrawn rise with inflation (assumed 3%/yr). Rows differ by how the pot grows in NOMINAL terms: No growth (0%), Inflation (3%), Market (7%). Die-with-zero annuity at the real rate (1+g)/1.03\u22121; a no-growth pot has a negative real return (loses to inflation) so it's lowest. Rates hardcoded (one-line SQL edit). Computed live.",
+      "type": "table",
+      "datasource": {
+        "type": "grafana-postgresql-datasource",
+        "uid": "wealth-pg"
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 9,
+        "x": 0,
+        "y": 9
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "currencyGBP",
+          "decimals": 0,
+          "custom": {
+            "align": "auto",
+            "displayMode": "auto"
+          }
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Scenario"
             },
-            "overrides": [
+            "properties": [
               {
-                "matcher": {
-                  "id": "byRegexp",
-                  "options": "^(Low|Base \\(|High|Historical)"
-                },
-                "properties": [
-                  {
-                    "id": "custom.lineStyle",
-                    "value": {
-                      "fill": "dash",
-                      "dash": [
-                        10,
-                        10
-                      ]
-                    }
-                  },
-                  {
-                    "id": "custom.lineWidth",
-                    "value": 1
-                  }
-                ]
+                "id": "unit",
+                "value": "string"
               },
               {
-                "matcher": {
-                  "id": "byName",
-                  "options": "Base, no new contributions"
-                },
-                "properties": [
-                  {
-                    "id": "custom.lineStyle",
-                    "value": {
-                      "fill": "dot",
-                      "dash": [
-                        2,
-                        6
-                      ]
-                    }
-                  }
-                ]
-              },
-              {
-                "matcher": {
-                  "id": "byName",
-                  "options": "Years from today"
-                },
-                "properties": [
-                  {
-                    "id": "unit",
-                    "value": "none"
-                  },
-                  {
-                    "id": "custom.axisLabel",
-                    "value": "Years from today"
-                  }
-                ]
+                "id": "custom.align",
+                "value": "left"
               }
             ]
+          }
+        ]
+      },
+      "options": {
+        "showHeader": true,
+        "cellHeight": "sm",
+        "footer": {
+          "show": false,
+          "reducer": [
+            "sum"
+          ],
+          "countRows": false,
+          "fields": ""
+        }
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "grafana-postgresql-datasource",
+            "uid": "wealth-pg"
           },
-          "options": {
-            "xField": "Years from today",
-            "legend": {
-              "displayMode": "list",
-              "placement": "bottom"
-            },
-            "tooltip": {
-              "mode": "multi"
-            }
-          },
-          "targets": [
-            {
-              "refId": "A",
-              "datasource": {
-                "type": "grafana-postgresql-datasource",
-                "uid": "wealth-pg"
-              },
-              "format": "table",
-              "editorMode": "code",
-              "rawQuery": true,
-              "rawSql": "WITH active_count AS (SELECT COUNT(*) n FROM accounts), mc AS (SELECT MAX(valuation_date) d FROM (SELECT valuation_date, COUNT(*) c FROM dav_corrected GROUP BY valuation_date) x WHERE c >= (SELECT n FROM active_count)), latest AS (SELECT DISTINCT ON (account_id) account_id, total_value, net_contribution FROM dav_corrected WHERE valuation_date <= (SELECT d FROM mc) ORDER BY account_id, valuation_date DESC), agg AS (SELECT SUM(total_value) nw0, SUM(net_contribution) c_now FROM latest), ago AS (SELECT SUM(x.nc) c_ago FROM latest l LEFT JOIN LATERAL (SELECT net_contribution nc FROM dav_corrected dd WHERE dd.account_id=l.account_id AND dd.valuation_date <= (SELECT d FROM mc) - INTERVAL '12 months' ORDER BY dd.valuation_date DESC LIMIT 1) x ON true), yearly AS (SELECT EXTRACT(YEAR FROM valuation_date)::int yr, valuation_date, SUM(total_value) nw, SUM(net_contribution) contrib FROM dav_corrected WHERE valuation_date <= (SELECT d FROM mc) GROUP BY valuation_date), ep AS (SELECT yr, (array_agg(nw ORDER BY valuation_date))[1] nw_s, (array_agg(nw ORDER BY valuation_date DESC))[1] nw_e, (array_agg(contrib ORDER BY valuation_date))[1] c_s, (array_agg(contrib ORDER BY valuation_date DESC))[1] c_e, COUNT(*) days FROM yearly GROUP BY yr), r3 AS (SELECT (nw_e-nw_s-(c_e-c_s))/NULLIF(nw_s+0.5*(c_e-c_s),0) ret FROM ep WHERE (nw_s+0.5*(c_e-c_s))>0 AND days>=300 ORDER BY yr DESC LIMIT 3), params AS (SELECT (SELECT nw0 FROM agg) nw0, COALESCE(NULLIF('$monthly_contribution','auto')::numeric, ((SELECT c_now FROM agg)-(SELECT c_ago FROM ago))/12.0) cm, ($rate_low::float)/100 rl, ($rate_base::float)/100 rb, ($rate_high::float)/100 rh, (SELECT exp(avg(ln(1+ret)))-1 FROM r3) rhist), m AS (SELECT generate_series(0, ${horizon_years}*12) n) SELECT round((m.n/12.0)::numeric,2) AS \"Years from today\", round((nw0*power(1+(power(1+rl,1/12.0)-1),m.n) + cm*((power(1+(power(1+rl,1/12.0)-1),m.n)-1)/NULLIF((power(1+rl,1/12.0)-1),0)))::numeric,0) AS \"Low ($rate_low%)\", round((nw0*power(1+(power(1+rb,1/12.0)-1),m.n) + cm*((power(1+(power(1+rb,1/12.0)-1),m.n)-1)/NULLIF((power(1+rb,1/12.0)-1),0)))::numeric,0) AS \"Base ($rate_base%)\", round((nw0*power(1+(power(1+rb,1/12.0)-1),m.n))::numeric,0) AS \"Base, no new contributions\", round((nw0*power(1+(power(1+rh,1/12.0)-1),m.n) + cm*((power(1+(power(1+rh,1/12.0)-1),m.n)-1)/NULLIF((power(1+rh,1/12.0)-1),0)))::numeric,0) AS \"High ($rate_high%)\", round((nw0*power(1+(power(1+rhist,1/12.0)-1),m.n) + cm*((power(1+(power(1+rhist,1/12.0)-1),m.n)-1)/NULLIF((power(1+rhist,1/12.0)-1),0)))::numeric,0) AS \"Historical (trailing 3y)\" FROM m, params"
-            }
-          ]
+          "rawQuery": true,
+          "editorMode": "code",
+          "format": "table",
+          "rawSql": "WITH latest AS (SELECT DISTINCT ON (d.account_id) d.account_id, d.total_value FROM dav_corrected d JOIN accounts a ON a.id=d.account_id ORDER BY d.account_id, d.valuation_date DESC), nw AS (SELECT SUM(total_value) AS pv FROM latest), hz AS (SELECT pv, (DATE '2098-10-04' - CURRENT_DATE)::float8/365.25 AS years FROM nw), r AS (SELECT ord,label,(1+g)/1.03-1 AS rr FROM (VALUES (1,'No growth',0.0::float8),(2,'Inflation (3%)',0.03::float8),(3,'Market (7%)',0.07::float8)) AS s(ord,label,g)), calc AS (SELECT ord,label, CASE WHEN abs(rr)<1e-9 THEN pv/years ELSE pv*rr/(1-power(1+rr,-years)) END AS annual FROM r, hz) SELECT label AS \"Scenario\", round((annual/365.25)::numeric,0) AS \"Per day\", round((annual/12)::numeric,0) AS \"Per month\", round(annual::numeric,0) AS \"Per year\" FROM calc ORDER BY ord"
         }
       ]
     }
@@ -2336,4 +2469,4 @@
   "title": "Wealth",
   "uid": "wealth",
   "version": 1
-}
\ No newline at end of file
+}
diff --git a/stacks/monitoring/modules/monitoring/grafana.tf b/stacks/monitoring/modules/monitoring/grafana.tf
index 7ce6bb8c..d7af906f 100644
--- a/stacks/monitoring/modules/monitoring/grafana.tf
+++ b/stacks/monitoring/modules/monitoring/grafana.tf
@@ -71,8 +71,17 @@ resource "kubernetes_persistent_volume" "alertmanager_pv" {
 # DB credentials from Vault database engine (rotated automatically)
 # Provides GF_DATABASE_PASSWORD that auto-updates when password rotates
 resource "kubernetes_manifest" "grafana_db_creds" {
+  # The external-secrets controller takes server-side-apply ownership of
+  # .spec.refreshInterval, so a plain TF apply conflicts ("conflict with
+  # external-secrets ... .spec.refreshInterval"). force_conflicts lets TF win
+  # (values match, so it's stable) — same pattern as the woodpecker/traefik/
+  # k8s-version-upgrade stacks. Surfaced 2026-06-24: the first monitoring apply
+  # in a while exposed this latent conflict (prior pushes were docs-only).
+  field_manager {
+    force_conflicts = true
+  }
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "grafana-db-creds"
diff --git a/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml b/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
index 2bcd474e..50ae668b 100644
--- a/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
+++ b/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
@@ -32,7 +32,7 @@ ingress:
   enabled: "true"
   ingressClassName: "traefik"
   annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+    traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
     traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
     gethomepage.dev/enabled: "true"
     gethomepage.dev/name: "Grafana"
diff --git a/stacks/monitoring/modules/monitoring/loki.tf b/stacks/monitoring/modules/monitoring/loki.tf
index bf333463..6c6b67ea 100644
--- a/stacks/monitoring/modules/monitoring/loki.tf
+++ b/stacks/monitoring/modules/monitoring/loki.tf
@@ -194,6 +194,102 @@ resource "kubernetes_config_map" "loki_alert_rules" {
             },
           ]
         },
+        {
+          # t3 session-auth + auto-upgrade health (devvm host scripts → journald →
+          # Loki). Backstops the gated-nightly t3 tracker: the dispatch logs every
+          # real-user pairing outcome (success endpoint + fallback) and the enforcer
+          # logs every rollback/freeze. These catch a bad nightly that broke pairing
+          # for real users between the tracker's own bump-time gate runs — the
+          # 2026-06-09 failure class (mint/bootstrap broke, all users on the pair
+          # prompt). Route: Loki ruler → Alertmanager → default #alerts Slack.
+          # Runbook: docs/runbooks/t3-version-bump.md.
+          name = "t3 Auth & Upgrades"
+          rules = [
+            {
+              # Real users failing to pair: mint error, exchange transport error, or
+              # a non-2xx from the instance pairing API. Threshold >3/10m rides out a
+              # benign single-instance restart race; sustained = pairing is broken.
+              alert  = "T3PairingBroken"
+              expr   = "sum(count_over_time({job=\"devvm-journal\", unit=\"t3-dispatch.service\"} |~ \"mint for .* failed|pairing exchange for .* failed|pairing for .* returned [0-9]\" [10m])) > 3"
+              for    = "5m"
+              labels = { severity = "critical" }
+              annotations = {
+                summary     = "t3 dispatch pairing is failing for real users (>3/10m)"
+                description = "t3-dispatch is failing to mint/exchange session cookies — users land on the t3 pair prompt instead of their workspace. Likely a bad t3 build broke the pairing API/schema (2026-06-09 class). Freeze the tracker (touch /etc/t3-autoupdate.freeze) and roll back per the runbook."
+                runbook     = "docs/runbooks/t3-version-bump.md"
+              }
+            },
+            {
+              # The dispatch fell back off its first-preference pairing endpoint
+              # (browser-session) to the legacy one — the running build moved/renamed
+              # the pairing API. Pin-compatible today (the fallback works), but it
+              # signals contract drift that a future build could break entirely.
+              alert  = "T3PairFallbackHigh"
+              expr   = "sum(count_over_time({job=\"devvm-journal\", unit=\"t3-dispatch.service\"} |~ \"paired .* fallback=true\" [30m])) > 0"
+              for    = "0m"
+              labels = { severity = "warning" }
+              annotations = {
+                summary     = "t3 dispatch is using the FALLBACK pairing endpoint — t3 moved the pairing API"
+                description = "A t3 build is pairing via the legacy /api/auth/bootstrap because the preferred /api/auth/browser-session 404s. Still works via fallback, but add the new endpoint to pairEndpoints in scripts/t3-dispatch/main.go before a future build drops the legacy one."
+                runbook     = "docs/runbooks/t3-version-bump.md"
+              }
+            },
+            {
+              # The enforcer's health-check failed a build and auto-rolled-back the
+              # binary. The gate worked — but a bad nightly shipped, so you should know.
+              alert  = "T3AutoUpdateRolledBack"
+              expr   = "sum(count_over_time({job=\"devvm-journal\", identifier=\"t3-autoupdate\"} |~ \"rolling back|rolled back\" [15m])) > 0"
+              for    = "0m"
+              labels = { severity = "warning" }
+              annotations = {
+                summary     = "t3 auto-update rolled back a bad build (gate worked)"
+                description = "The t3 enforcer installed a new build, its pairing health-check failed, and it auto-rolled-back. Investigate the bad build before the next cycle retries it; pin T3_PIN to a known-good if it recurs."
+                runbook     = "docs/runbooks/t3-version-bump.md"
+              }
+            },
+            {
+              # Rollback itself failed (npm couldn't reinstall the previous build):
+              # the box may be left on a broken t3. Manual fix needed.
+              alert  = "T3AutoUpdateRollbackFailed"
+              expr   = "sum(count_over_time({job=\"devvm-journal\", identifier=\"t3-autoupdate\"} |~ \"ROLLBACK FAILED\" [15m])) > 0"
+              for    = "0m"
+              labels = { severity = "critical" }
+              annotations = {
+                summary     = "t3 auto-update rollback FAILED — t3 may be broken on the devvm"
+                description = "The enforcer detected a bad build but could not reinstall the previous version. t3 may be broken for all users. Fix manually per the runbook (set T3_PIN to last-good, npm i -g, restore state if migrated)."
+                runbook     = "docs/runbooks/t3-version-bump.md"
+              }
+            },
+            {
+              # The tracker refused to advance (pre-run auth gate tripped, or the
+              # /etc/t3-autoupdate.freeze switch is set). Surfaces a stuck-on-purpose
+              # tracker so it isn't silently frozen forever.
+              alert  = "T3AutoUpdateFrozen"
+              expr   = "sum(count_over_time({job=\"devvm-journal\", identifier=\"t3-autoupdate\"} |~ \"FROZEN\" [25h])) > 0"
+              for    = "0m"
+              labels = { severity = "warning" }
+              annotations = {
+                summary     = "t3 auto-update is FROZEN (not tracking nightly)"
+                description = "The t3 tracker froze — either the pre-run pairing gate tripped or /etc/t3-autoupdate.freeze is set. t3 is held at the last-good pin and is NOT picking up new builds until cleared. Confirm pairing is healthy, then remove the freeze."
+                runbook     = "docs/runbooks/t3-version-bump.md"
+              }
+            },
+            {
+              # Per-user Claude refresh/backup/restore exhausted its automatic
+              # recovery path. This is actionable: that user needs interactive SSO,
+              # or the scoped Vault token/bootstrap needs repair.
+              alert  = "WorkstationClaudeAuthInvalid"
+              expr   = "sum by (unit) (count_over_time({job=\"devvm-journal\", identifier=\"claude-auth-sync\"} |~ \"FAIL\" [15m])) > 0"
+              for    = "0m"
+              labels = { severity = "warning" }
+              annotations = {
+                summary     = "Per-user Claude authentication recovery failed on {{ $labels.unit }}"
+                description = "The Workstation renewal agent could not validate Claude auth, renew its scoped Vault token, or recover from the Vault backup. Follow the per-user SSO recovery runbook."
+                runbook     = "docs/runbooks/claude-auth-renew-workstation.md"
+              }
+            },
+          ]
+        },
         {
           # Wave 1 security alerts (beads code-8ywc). Routed via Loki ruler →
           # prometheus-alertmanager → #security Slack receiver. Allowlist CIDRs:
@@ -405,6 +501,39 @@ resource "kubernetes_config_map" "loki_alert_rules" {
               }
             },
           ]
+        },
+        {
+          # Vaultwarden vault CLI (`homelab vault`) traceability. The audit SPINE
+          # is the Vault audit device (reads of secret/data/workstation/claude-users/*
+          # are already captured in the vault-tail stream above). These add
+          # visibility/anomaly alerts off the per-user CLI op-log
+          # (`logger -t homelab-vault[-totp]` → devvm-journal). A true "Vault
+          # creds-read with NO matching CLI op-log = direct bypass" alert needs
+          # cross-stream correlation the Loki ruler can't express — tracked as a
+          # follow-up (small correlation CronJob). lane=security → #security.
+          name = "Vaultwarden vault CLI"
+          rules = [
+            {
+              alert  = "VaultwardenTOTPFetched"
+              expr   = "sum by (user) (count_over_time({job=\"devvm-journal\", identifier=\"homelab-vault-totp\"} | logfmt [5m])) > 0"
+              for    = "0m"
+              labels = { severity = "info", lane = "security" }
+              annotations = {
+                summary     = "Vaultwarden TOTP (2nd factor) fetched via homelab vault by {{ $labels.user }}"
+                description = "A TOTP code was retrieved with `homelab vault code`. A stored TOTP co-located with its password collapses that downstream account's 2FA to 1FA under a same-UID compromise — confirm this fetch was expected."
+              }
+            },
+            {
+              alert  = "VaultwardenFetchVolumeHigh"
+              expr   = "sum by (user) (count_over_time({job=\"devvm-journal\", identifier=\"homelab-vault\"} | logfmt | verb=~\"get|code\" [10m])) > 100"
+              for    = "0m"
+              labels = { severity = "warning", lane = "security" }
+              annotations = {
+                summary     = "Unusually high homelab vault fetch volume (>100/10m) for {{ $labels.user }}"
+                description = "A burst of credential fetches for one user — possible runaway loop or exfiltration. Cross-check the op-log parent process and the Vault audit stream (namespace=vault,container=audit-tail) for reads of secret/data/workstation/claude-users/{{ $labels.user }}."
+              }
+            },
+          ]
         }
       ]
     })
diff --git a/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl b/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
index b3c53062..a504cedc 100755
--- a/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
+++ b/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
@@ -15,7 +15,7 @@ alertmanager:
     enabled: true
     ingressClassName: "traefik"
     annotations:
-      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
       traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
       gethomepage.dev/enabled: "true"
       gethomepage.dev/name: "Alertmanager"
@@ -51,7 +51,12 @@ alertmanager:
       group_by: ["alertname"]
       group_wait: 30s
       group_interval: 5m
-      repeat_interval: 4h
+      # alert-on-change (2026-06-12): warning/info no longer re-notify while they
+      # stay firing — a 1y repeat is effectively "notify once, then only on a
+      # membership change or resolve". The daily alert-digest CronJob
+      # (alert_digest.tf) carries standing state. Criticals keep a slow re-ping
+      # (see the severity=critical child route).
+      repeat_interval: 8760h
       receiver: slack-warning
       routes:
         # Wave 1 security lane — matches alerts that set `lane = "security"`
@@ -68,14 +73,19 @@ alertmanager:
         - receiver: slack-critical
           group_wait: 10s
           group_interval: 1m
-          repeat_interval: 1h
+          # alert-on-change tier (2026-06-12): criticals still re-ping, but every
+          # 6h not 1h — a slow nag so a real prod-down issue isn't forgotten,
+          # minus the hourly drip. Warnings/info don't re-ping at all.
+          repeat_interval: 6h
           matchers:
             - severity = critical
           continue: false
         - receiver: slack-info
           group_wait: 5m
           group_interval: 30m
-          repeat_interval: 12h
+          # alert-on-change (2026-06-12): info never re-pings while firing; the
+          # daily digest carries standing state.
+          repeat_interval: 8760h
           matchers:
             - severity = info
           continue: false
@@ -175,6 +185,28 @@ alertmanager:
           - alertname = KubeletImagePullErrors
         target_matchers:
           - alertname =~ "PodsStuckContainerCreating|DeploymentReplicasMismatch|StatefulSetReplicasMismatch|DaemonSetMissingPods"
+      # A node under DiskPressure/MemoryPressure/PIDPressure evicts pods and
+      # stalls image GC + pulls — the resulting pod-churn alerts are downstream
+      # symptoms. The 2026-06-12 midday cascade fired 25 PodCrashLooping + 14
+      # PodImagePullBackOff uninhibited because only NodeDown (not node pressure)
+      # was a source. NodeConditionBad already matches all three pressures; keep
+      # NodeDiskPressure too for redundancy. No `equal` (matches the NodeDown
+      # rule above): the pod-churn alertnames carry no `node` label, and a
+      # multi-node pressure event is exactly when cluster-wide suppression helps.
+      - source_matchers:
+          - alertname =~ "NodeConditionBad|NodeDiskPressure"
+        target_matchers:
+          - alertname =~ "PodCrashLooping|ContainerOOMKilled|PodImagePullBackOff|PodsStuckContainerCreating|ScrapeTargetDown|DeploymentReplicasMismatch|StatefulSetReplicasMismatch|DaemonSetMissingPods"
+      # Two t3 path-probe alerts describe one leg-down condition: T3ProbeLegDown
+      # (connected==0, root) and T3ProbeDropBurst (>6 disconnects/15m, symptom).
+      # A down leg both reads disconnected AND disconnects repeatedly — suppress
+      # the burst for that same leg so one alert fires, not two. ~3,400 alert-min
+      # of overlap in the 24h before this (the #1 noise source).
+      - source_matchers:
+          - alertname = T3ProbeLegDown
+        target_matchers:
+          - alertname = T3ProbeDropBurst
+        equal: [leg]
     receivers:
       - name: slack-critical
         slack_configs:
@@ -367,7 +399,7 @@ server:
     enabled: true
     ingressClassName: "traefik"
     annotations:
-      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
       traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
 
       gethomepage.dev/enabled: "true"
@@ -501,6 +533,16 @@ serverFiles:
             regex: true
             source_labels:
               - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow
+          # Only scrape Ready endpoints. Completed CronJob pods linger in the
+          # service's EndpointSlice as NotReady addresses (their labels still
+          # match the Service selector) and were scraped as down targets,
+          # firing ScrapeTargetDown false positives (tts/tripit/beads, memory
+          # id=4895). Dropping NotReady here kills that whole class; a Ready pod
+          # whose metrics endpoint is genuinely broken still fires.
+          - action: keep
+            regex: true
+            source_labels:
+              - __meta_kubernetes_endpoint_ready
           - action: replace
             regex: (https?)
             source_labels:
@@ -554,6 +596,12 @@ serverFiles:
             regex: true
             source_labels:
               - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow
+          # Only scrape Ready endpoints — see kubernetes-service-endpoints above
+          # (drops lingering completed-CronJob NotReady pods → no ScrapeTargetDown FP).
+          - action: keep
+            regex: true
+            source_labels:
+              - __meta_kubernetes_endpoint_ready
           - action: replace
             regex: (https?)
             source_labels:
@@ -831,12 +879,17 @@ serverFiles:
             annotations:
               summary: "rpi-sofia rootfs is READ-ONLY — failing SD card (the silent-journal failure mode from this incident). Reflash/replace the card."
           - alert: RpiSofiaUndervoltage
-            expr: rpi_under_voltage_occurred{instance="rpi-sofia"} == 1
+            # Edge-trigger on the sticky firmware bit (rpi_under_voltage_now is too
+            # transient to catch at 1-min sampling — 0 hits in 14d). Fires on a NEW latch
+            # and auto-resolves ~1h later instead of latching until reboot; counter-reset
+            # handling makes a clean reboot a no-op. Since-boot state + history: Grafana "RPi Sofia".
+            expr: increase(rpi_under_voltage_occurred{instance="rpi-sofia"}[1h]) > 0
             for: 5m
             labels:
               severity: warning
             annotations:
-              summary: "rpi-sofia under-voltage detected since last boot — check PSU/USB power cable"
+              summary: "rpi-sofia under-voltage event in the last hour — check PSU/USB power cable + SD card"
+              description: "A new under-voltage brown-out latched on rpi-sofia within the last 1h (repeat/sustained events risk SD-card corruption). Sticky since-boot flag + history on Grafana 'RPi Sofia' (Hardware)."
           - alert: RpiSofiaHighTemp
             expr: rpi_soc_temp_celsius{instance="rpi-sofia"} > 75
             for: 10m
@@ -1634,7 +1687,9 @@ serverFiles:
               summary: "LVM PVC snapshot job has never reported metrics to Pushgateway"
           - alert: LVMSnapshotFailing
             expr: lvm_snapshot_last_status{job="lvm-pvc-snapshot"} != 0
-            for: 0m
+            # for: 5m (was 0m) — ride out a single Pushgateway status flip; a real
+            # failure persists until the next run overwrites it (alert-noise 2026-06-12)
+            for: 5m
             labels:
               severity: critical
             annotations:
@@ -1656,7 +1711,7 @@ serverFiles:
               summary: "Daily backup is {{ $value | humanizeDuration }} old (threshold: 9d)"
           - alert: WeeklyBackupFailing
             expr: daily_backup_last_status{job="daily-backup"} != 0
-            for: 0m
+            for: 5m
             labels:
               severity: warning
             annotations:
@@ -1677,7 +1732,7 @@ serverFiles:
               summary: "Offsite backup sync is {{ $value | humanizeDuration }} old (threshold: 9d)"
           - alert: OffsiteBackupSyncFailing
             expr: offsite_sync_last_status{job="offsite-backup-sync"} != 0
-            for: 0m
+            for: 5m
             labels:
               severity: warning
             annotations:
@@ -1691,11 +1746,33 @@ serverFiles:
               summary: "NFS local mirror to sda is {{ $value | humanizeDuration }} old (threshold: 16d / 2 weekly cycles)"
           - alert: NfsMirrorFailing
             expr: nfs_mirror_last_status{job="nfs-mirror"} != 0
-            for: 0m
+            for: 5m
             labels:
               severity: warning
             annotations:
               summary: "NFS local mirror last run failed (status={{ $value }})"
+          - alert: VzdumpBackupStale
+            expr: (time() - vzdump_last_success_timestamp{job="vzdump-backup"}) > 180000
+            for: 30m
+            labels:
+              severity: warning
+            annotations:
+              summary: "vzdump VM image backup is {{ $value | humanizeDuration }} old (threshold: ~50h / 2 daily cycles)"
+              description: "vzdump-vms.timer on 192.168.1.127 hasn't produced a fresh devvm image. Check: ssh root@192.168.1.127 systemctl status vzdump-vms. Runbook: docs/architecture/backup-dr.md (VM Image Backups)."
+          - alert: VzdumpBackupNeverRun
+            expr: absent(vzdump_last_run_timestamp{job="vzdump-backup"})
+            for: 48h
+            labels:
+              severity: warning
+            annotations:
+              summary: "vzdump VM image backup job has never reported metrics to Pushgateway"
+          - alert: VzdumpBackupFailing
+            expr: vzdump_last_status{job="vzdump-backup"} != 0
+            for: 5m
+            labels:
+              severity: warning
+            annotations:
+              summary: "vzdump VM image backup last run failed (status={{ $value }})"
           - alert: BackupDiskFull
             expr: (1 - node_filesystem_avail_bytes{job="proxmox-host", mountpoint="/mnt/backup"} / node_filesystem_size_bytes{job="proxmox-host", mountpoint="/mnt/backup"}) > 0.85
             for: 15m
@@ -2152,6 +2229,63 @@ serverFiles:
               severity: critical
             annotations:
               summary: "K8s upgrade has been in flight for >90 min — chain is stuck. Check: kubectl -n k8s-upgrade get jobs"
+          # K8sUpgradeChainJobFailed: catches a TERMINALLY-failed phase Job even
+          # when it aborts BEFORE pushing k8s_upgrade_in_flight=1 (the preflight
+          # gates — nodes-ready, halt-on-alert, settle-window, kubeadm-plan — all
+          # exit pre-metric). K8sUpgradeStalled and EtcdPreUpgradeSnapshotMissing
+          # both need in_flight=1, and upgrade_state.sh was metric-blind too, so a
+          # failed preflight was invisible: exactly how a transient critical alert
+          # wedged 1.34.9 for 5 days (2026-06-12). Scoped to the terminal
+          # job-condition reasons (BackoffLimitExceeded/DeadlineExceeded), NOT a
+          # bare failed-pod count, so a phase whose 1st pod failed but whose retry
+          # SUCCEEDED does not fire — important because every firing alert also
+          # halts kured (OS-reboot pipeline), and a bare-count false-positive would
+          # block all node reboots for the Job's 7d TTL. With the retry-on-failure
+          # idempotency guard the next detection cycle deletes + re-spawns the
+          # Failed Job (clearing this within ~24h); a sustained firing means it
+          # re-failed — investigate the root cause.
+          # Scoped to the four chain PHASE jobs (preflight|master|worker|
+          # postflight) — NOT a bare `k8s-upgrade-.*`, which would also match
+          # helper jobs in the namespace like k8s-upgrade-nightly-report-* and
+          # false-fire if one of those failed.
+          # `unless on() k8s_upgrade_blocked == 1` excludes the case where the
+          # preflight terminally failed because the compat gate deliberately
+          # REFUSED the target: block() exits 1 (so the Failed Job re-spawns
+          # nightly) but a refusal is not a wedge — that case is owned by
+          # K8sUpgradeBlocked below, and firing here too is a duplicate false
+          # alarm (observed 2026-06-21: a 1.35.6 block tripped BOTH). A genuine
+          # wedge / crash / halt-on-alert exits 1 WITHOUT pushing
+          # k8s_upgrade_blocked=1, so it still fires. The gauge stays 1 from the
+          # block until the next run's preflight resets it to 0, so the exclusion
+          # holds for the whole blocked period.
+          - alert: K8sUpgradeChainJobFailed
+            expr: (kube_job_status_failed{namespace="k8s-upgrade", job_name=~"k8s-upgrade-(preflight|master|worker|postflight)-.*", reason=~"BackoffLimitExceeded|DeadlineExceeded"} > 0) unless on() (k8s_upgrade_blocked == 1)
+            for: 15m
+            labels:
+              severity: warning
+              subsystem: k8s-upgrade
+            annotations:
+              summary: "K8s upgrade chain Job {{ $labels.job_name }} terminally failed ({{ $labels.reason }}) — pipeline wedged. kubectl -n k8s-upgrade get jobs ; kubectl -n k8s-upgrade describe job {{ $labels.job_name }}"
+          # K8sUpgradeBlocked: the k8s-version-upgrade chain pushes
+          # `k8s_upgrade_blocked=1` when the preflight compat gate REFUSES the
+          # target version — the cluster isn't ready (a critical addon lags the
+          # target's support window, an in-use API is deprecated/removed at the
+          # target, or a node's containerd predates the target's minimum). This
+          # is the designed "halt + alert" outcome, NOT a crash: the chain stops
+          # cleanly and the specific blocking reasons are posted to Slack by the
+          # upgrade chain. Same bare-metric pushgateway selector as
+          # K8sUpgradeStalled (job label "k8s-version-upgrade"). To clear: bump
+          # the named addon / migrate the deprecated API usage / upgrade the
+          # node's containerd, then the next nightly run proceeds automatically.
+          - alert: K8sUpgradeBlocked
+            expr: k8s_upgrade_blocked == 1
+            for: 10m
+            labels:
+              severity: warning
+              subsystem: k8s-upgrade
+            annotations:
+              summary: "K8s auto-upgrade refused by the preflight compat gate — cluster not ready for the target version. Blocking reasons were posted to Slack by the upgrade chain."
+              description: "An automated Kubernetes upgrade was REFUSED (not crashed) by the preflight compatibility gate because the cluster isn't ready for the target version — a critical addon lags the target's support window, an in-use deprecated API would be removed at the target, or a node's containerd is too old. The specific reasons were posted to Slack by the k8s-version-upgrade chain. This is the intended halt-and-alert. To clear it: bump the named addon / migrate the deprecated API usage / upgrade the node's containerd, then the next nightly run proceeds automatically."
       - name: "Traefik Ingress"
         rules:
           - alert: TraefikDown
@@ -2519,6 +2653,22 @@ serverFiles:
               severity: warning
             annotations:
               summary: "Email round-trip monitor never reported - check CronJob in mailserver namespace"
+          - alert: T3ProbeLegDown
+            expr: t3probe_connected{job="t3-probe"} == 0
+            for: 5m
+            labels:
+              severity: warning
+            annotations:
+              summary: "A t3 path-probe leg has been down >5m (leg label says which)"
+              description: "cloudflare-only = Cloudflare/WAN segment; cloudflare+internal = Traefik/dispatch/devvm; t3serve = the serve process. See docs/runbooks/t3-drop-attribution.md."
+          - alert: T3ProbeDropBurst
+            expr: increase(t3probe_disconnects_total{job="t3-probe"}[15m]) > 6
+            for: 1m
+            labels:
+              severity: warning
+            annotations:
+              summary: "A t3 path-probe leg is dropping repeatedly (>6 in 15m; see leg/reason labels)"
+              description: "Users on the same segment are seeing 'disconnected, reconnecting' at this rate. Compare legs to attribute; correlate with devvm node_pressure_* metrics."
           - alert: ViktorBarzinApexDrift
             expr: viktorbarzin_apex_correct{job="viktorbarzin-apex-probe"} == 0
             for: 10m
@@ -2686,7 +2836,9 @@ serverFiles:
           # current value (fresh /tmp each run), so the alert could never fire.
           - alert: DNSQuerySpike
             expr: dns_anomaly_total_queries > 2 * avg_over_time(dns_anomaly_total_queries[1h] offset 15m) and dns_anomaly_total_queries > 1000
-            for: 0m
+            # for: 5m (was 0m) — a single 15-min scrape spike self-clears; a real
+            # spike persists across scrapes (alert-noise 2026-06-12)
+            for: 5m
             labels:
               severity: warning
             annotations:
@@ -2700,7 +2852,7 @@ serverFiles:
               summary: "DNS query volume dropped: {{ $value | printf \"%.0f\" }} queries (<50% of 1h avg) — upstream clients may be failing to reach Technitium"
           - alert: DNSHighErrorRate
             expr: dns_anomaly_server_failure > 100
-            for: 0m
+            for: 5m
             labels:
               severity: warning
             annotations:
@@ -2750,15 +2902,23 @@ serverFiles:
             annotations:
               summary: "MAM ratio is {{ $value | printf \"%.2f\" }} for 24h (target: >= 1.0)"
           - alert: MAMFarmingStuck
+            # Metric source: stacks/servarr/mam-farming/files/freeleech-grabber.py
+            # Heartbeat-based: fires only when the grabber CronJob has not COMPLETED
+            # a run in >4h (the original failure mode: Forbid-blocked / wedged in
+            # ContainerCreating). The grabber heartbeats mam_grabber_last_run_timestamp
+            # on every completed run — including legit dry runs that grab 0 (its random
+            # search offset lands on an empty/over-filtered page, which is normal). The
+            # old increase(mam_farming_grabbed[4h])==0 could not tell "didn't run" from
+            # "ran, nothing to grab" (Pushgateway serves the last value forever), so a
+            # dry freeleech period false-fired. Cookie-expiry and qBittorrent-down have
+            # their own alerts (MAM session cookie / QBittorrentDisconnected).
             expr: |
-              increase(mam_farming_grabbed[4h]) == 0
-              and mam_farming_total_seeding < 150
-              and mam_ratio >= 1.2
-            for: 4h
+              time() - mam_grabber_last_run_timestamp > 4 * 3600
+            for: 15m
             labels:
               severity: warning
             annotations:
-              summary: "Grabber has added 0 torrents in 4h despite healthy ratio ({{ $value | printf \"%.2f\" }})"
+              summary: "MAM freeleech grabber has not completed a run in {{ $value | humanizeDuration }} — CronJob stuck/blocked"
           - alert: MAMJanitorStuckBacklog
             expr: mam_janitor_skipped_active > 400
             for: 6h
@@ -2978,10 +3138,15 @@ serverFiles:
           - alert: WebterminalTtydUnreachable
             # In-cluster probe to ttyd Service. Bypasses Cloudflare/Traefik/
             # Authentik, so non-200 means ttyd itself is down on the DevVM.
+            # severity=warning (was critical until 2026-06-17): ttyd is a DevVM
+            # developer-convenience web terminal, not cluster infrastructure.
+            # As `critical` it tripped the k8s-upgrade preflight's halt-on-alert
+            # gate and — with the old no-retry idempotency — wedged the 1.34.9
+            # upgrade for 5 days. It is not upgrade-blocking; warning is correct.
             expr: webterminal_probe_ttyd_status{job="webterminal-probe"} != 200 and on() (time() - process_start_time_seconds{job="prometheus"}) > 900
             for: 10m
             labels:
-              severity: critical
+              severity: warning
               subsystem: webterminal
             annotations:
               summary: "ttyd in-cluster probe got HTTP {{ $value }} (expected 200) — ttyd on the DevVM (10.0.10.10:7681) is down. `systemctl status ttyd` on devvm."
@@ -3047,6 +3212,16 @@ serverFiles:
               description: "The must-stay-public URL {{ $labels.instance }} (carve-out `{{ $labels.service }}`) is failing its blackbox probe — most likely it now 302-redirects to Authentik SSO. A path-scoped `auth = \"none\"` carve-out probably regressed (TF revert / deploy / ingress_factory auth default flipping back to \"required\"). Native-client / public / webhook / WebSocket / SPA-XHR traffic to this endpoint is broken for strangers and machines. Check the owning stack's ingress_factory `auth` + `ingress_path`, and curl the URL: `curl -sI '{{ $labels.instance }}'` — a Location to authentik.viktorbarzin.me confirms the regression. Probe config + target list: stacks/monitoring/modules/monitoring/authentik_walloff_probe.tf."
 
 extraScrapeConfigs: |
+  # Alertmanager self-metrics. The bundled Alertmanager Service carries no
+  # prometheus.io/scrape annotation, so kubernetes-service-endpoints never
+  # discovered it — there was NO alertmanager_notifications_total / _alerts /
+  # _notifications_failed_total series until this job (alert-noise-reduction
+  # 2026-06-12), i.e. notification volume was unmeasurable. Static target = the
+  # in-cluster Alertmanager service.
+  - job_name: 'alertmanager'
+    static_configs:
+      - targets:
+        - 'prometheus-alertmanager.monitoring.svc.cluster.local:9093'
   # Authentik walling-off guard. Probes each must-stay-public carve-out URL via
   # blackbox-exporter's `http_no_authentik_redirect` module (no_follow_redirects +
   # fail_if_header_matches on a Location -> Authentik). probe_success == 0 for a
@@ -3088,6 +3263,30 @@ extraScrapeConfigs: |
       - source_labels: [__address__]
         target_label: instance
         replacement: 'pve-node-r730' # Giving it a friendly name
+  # devvm: the shared workstation VM hosting per-user t3-serve + Claude agents.
+  # Its node_exporter ran unscraped until 2026-06-10 — the t3 disconnect
+  # root-cause work had NO memory/IO-pressure history for the very box whose
+  # stalls fire every t3 client's watchdog. Pressure/swap/load here is the
+  # primary correlate for t3probe drop events.
+  - job_name: 'devvm'
+    static_configs:
+      - targets:
+        - "10.0.10.10:9100"
+        labels:
+          node: 'devvm'
+    metrics_path: '/metrics'
+    relabel_configs:
+      - source_labels: [__address__]
+        target_label: instance
+        replacement: 'devvm' # Giving it a friendly name
+  # t3-probe: differential t3 path-health prober (stacks/t3code). Legs:
+  # cloudflare (full public path), internal (Traefik only), t3serve (the
+  # serve process). See docs/runbooks/t3-drop-attribution.md.
+  - job_name: 't3-probe'
+    static_configs:
+      - targets:
+        - "t3-probe.t3code.svc.cluster.local:9108"
+    metrics_path: '/metrics'
   # rpi-sofia: external Raspberry Pi 3 at the Sofia home site (Frigate camera
   # DNAT passthrough + solar inverter path + HA MQTT sensors). node_exporter
   # installed via apt; the rpi_* metrics come from a vcgencmd textfile collector
diff --git a/stacks/n8n/.terraform.lock.hcl b/stacks/n8n/.terraform.lock.hcl
index e9db626a..5f64801b 100644
--- a/stacks/n8n/.terraform.lock.hcl
+++ b/stacks/n8n/.terraform.lock.hcl
@@ -55,40 +55,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/n8n/main.tf b/stacks/n8n/main.tf
index 272ec646..4f9b0921 100644
--- a/stacks/n8n/main.tf
+++ b/stacks/n8n/main.tf
@@ -27,7 +27,7 @@ resource "kubernetes_namespace" "n8n" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "n8n-secrets"
@@ -54,7 +54,7 @@ resource "kubernetes_manifest" "external_secret" {
 
 resource "kubernetes_manifest" "external_secret_claude_agent" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "claude-agent-token"
@@ -85,7 +85,7 @@ resource "kubernetes_manifest" "external_secret_claude_agent" {
 # Workflows in stacks/n8n/workflows/instagram-*.json reference these env vars.
 resource "kubernetes_manifest" "external_secret_instagram_pipeline" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "instagram-pipeline-secrets"
diff --git a/stacks/navidrome/.terraform.lock.hcl b/stacks/navidrome/.terraform.lock.hcl
index 6f436f69..515a317b 100644
--- a/stacks/navidrome/.terraform.lock.hcl
+++ b/stacks/navidrome/.terraform.lock.hcl
@@ -24,29 +24,33 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
   hashes = [
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.2.0"
+  hashes = [
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -69,3 +73,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/navidrome/main.tf b/stacks/navidrome/main.tf
index c02a1428..5826b417 100644
--- a/stacks/navidrome/main.tf
+++ b/stacks/navidrome/main.tf
@@ -20,7 +20,7 @@ resource "kubernetes_namespace" "navidrome" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "navidrome-secrets"
diff --git a/stacks/netbox/.terraform.lock.hcl b/stacks/netbox/.terraform.lock.hcl
index e8910be1..16af0cd7 100644
--- a/stacks/netbox/.terraform.lock.hcl
+++ b/stacks/netbox/.terraform.lock.hcl
@@ -24,50 +24,40 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.2.0"
+  hashes = [
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version = "3.8.1"
+  version = "3.9.0"
   hashes = [
-    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
-    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
-    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
-    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
-    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
-    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
-    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
-    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
-    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
-    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
-    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
-    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+    "h1:UlBuNVuCGJ39tTv2c5gz2NRZnQbXfbIWbTzWcth5o74=",
   ]
 }
 
@@ -91,3 +81,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/netbox/main.tf b/stacks/netbox/main.tf
index 2e621476..7dbbe6cf 100644
--- a/stacks/netbox/main.tf
+++ b/stacks/netbox/main.tf
@@ -22,7 +22,7 @@ resource "kubernetes_namespace" "netbox" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "netbox-secrets"
diff --git a/stacks/nextcloud-todos/main.tf b/stacks/nextcloud-todos/main.tf
index 1ecc8538..a299f29f 100644
--- a/stacks/nextcloud-todos/main.tf
+++ b/stacks/nextcloud-todos/main.tf
@@ -13,7 +13,11 @@ variable "tls_secret_name" {
 
 locals {
   namespace = "nextcloud-todos"
-  image     = "forgejo.viktorbarzin.me/viktor/nextcloud-todos:${var.image_tag}"
+  # ADR-0002 (infra#18): built on GHA from the public GitHub mirror, pushed to
+  # ghcr (public package — anonymous pulls). Running tag is managed by the
+  # Woodpecker deploy (kubectl set image); both image refs below are
+  # ignore_changes'd, so this base only matters on (re)create.
+  image     = "ghcr.io/viktorbarzin/nextcloud-todos:${var.image_tag}"
   labels = {
     app = "nextcloud-todos"
   }
@@ -55,7 +59,7 @@ resource "kubernetes_namespace" "nextcloud_todos" {
 # managed via the Vault database engine — see static-creds/pg-nextcloud-todos.
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "nextcloud-todos-secrets"
@@ -94,7 +98,7 @@ resource "kubernetes_manifest" "external_secret" {
 # `nextcloud_todos`, and Vault role `static-creds/pg-nextcloud-todos`.
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "nextcloud-todos-db-creds"
diff --git a/stacks/nextcloud/.terraform.lock.hcl b/stacks/nextcloud/.terraform.lock.hcl
index 05f8a359..5982c332 100644
--- a/stacks/nextcloud/.terraform.lock.hcl
+++ b/stacks/nextcloud/.terraform.lock.hcl
@@ -70,41 +70,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/nextcloud/main.tf b/stacks/nextcloud/main.tf
index 066058a8..40c4b7fa 100644
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@@ -126,7 +126,7 @@ resource "kubernetes_namespace" "nextcloud" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "nextcloud-secrets"
@@ -155,7 +155,7 @@ resource "kubernetes_manifest" "external_secret" {
 # Nextcloud Helm chart reads password at runtime via existingSecret reference
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "nextcloud-db-creds"
diff --git a/stacks/novelapp/main.tf b/stacks/novelapp/main.tf
index 71aaf119..454cedef 100644
--- a/stacks/novelapp/main.tf
+++ b/stacks/novelapp/main.tf
@@ -5,7 +5,7 @@ variable "tls_secret_name" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "novelapp-secrets"
diff --git a/stacks/onlyoffice/.terraform.lock.hcl b/stacks/onlyoffice/.terraform.lock.hcl
index 16ae99b6..b22b977e 100644
--- a/stacks/onlyoffice/.terraform.lock.hcl
+++ b/stacks/onlyoffice/.terraform.lock.hcl
@@ -41,16 +41,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.2"
+  version = "3.2.0"
   hashes = [
-    "h1:lIuknMfM7+QTzPWs8VBocstZF0B3TpEMIj/bw+dLAOs=",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/onlyoffice/main.tf b/stacks/onlyoffice/main.tf
index 1a9d14f2..7cacf149 100644
--- a/stacks/onlyoffice/main.tf
+++ b/stacks/onlyoffice/main.tf
@@ -25,7 +25,7 @@ resource "kubernetes_namespace" "onlyoffice" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "onlyoffice-secrets"
diff --git a/stacks/openclaw/.terraform.lock.hcl b/stacks/openclaw/.terraform.lock.hcl
index d13a6188..609a3be7 100644
--- a/stacks/openclaw/.terraform.lock.hcl
+++ b/stacks/openclaw/.terraform.lock.hcl
@@ -70,41 +70,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/openclaw/ha_tokens.tf b/stacks/openclaw/ha_tokens.tf
new file mode 100644
index 00000000..6f81ee9b
--- /dev/null
+++ b/stacks/openclaw/ha_tokens.tf
@@ -0,0 +1,52 @@
+# Dedicated secret holding ONLY the Home Assistant API tokens, split out of
+# openclaw-secrets so the `homelab ha token` CLI verb can serve non-admin
+# operators (emo = emil.barzin@gmail.com, group "Home Server Admins") WITHOUT
+# granting them read on the full skill_secrets blob (which also carries
+# slack_webhook + uptime_kuma_password). openclaw's own deployment keeps reading
+# openclaw-secrets — this is purely an additive, least-privilege carve-out for
+# the CLI. See infra/cli/cmd_ha.go + docs/adr/0012.
+resource "kubernetes_secret" "ha_tokens" {
+  metadata {
+    name      = "ha-tokens"
+    namespace = kubernetes_namespace.openclaw.metadata[0].name
+  }
+  data = {
+    # keys match the homelab `ha token --instance <sofia|london>` mapping
+    sofia  = local.skill_secrets["home_assistant_sofia_token"]
+    london = local.skill_secrets["home_assistant_token"]
+  }
+  type = "Opaque"
+}
+
+# get on JUST the ha-tokens secret (resource_names pins it to this one object),
+# bound to the "Home Server Admins" OIDC group — the group emo authenticates
+# into. Scope deliberately excludes openclaw-secrets and every other secret.
+resource "kubernetes_role" "ha_tokens_reader" {
+  metadata {
+    name      = "ha-tokens-reader"
+    namespace = kubernetes_namespace.openclaw.metadata[0].name
+  }
+  rule {
+    api_groups     = [""]
+    resources      = ["secrets"]
+    resource_names = [kubernetes_secret.ha_tokens.metadata[0].name]
+    verbs          = ["get"]
+  }
+}
+
+resource "kubernetes_role_binding" "ha_tokens_reader" {
+  metadata {
+    name      = "ha-tokens-reader"
+    namespace = kubernetes_namespace.openclaw.metadata[0].name
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Role"
+    name      = kubernetes_role.ha_tokens_reader.metadata[0].name
+  }
+  subject {
+    kind      = "Group"
+    name      = "Home Server Admins"
+    api_group = "rbac.authorization.k8s.io"
+  }
+}
diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf
index 7d5be480..6947f89e 100644
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@@ -38,7 +38,7 @@ module "tls_secret" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "openclaw-secrets"
@@ -429,6 +429,15 @@ resource "kubernetes_deployment" "openclaw" {
       spec {
         service_account_name = kubernetes_service_account.openclaw.metadata[0].name
 
+        # GHCR pull secret for the install-recruiter-plugin init container —
+        # ghcr.io/viktorbarzin/recruiter-responder is a PRIVATE package
+        # (ADR-0002, infra#27). Cloned into this namespace by the kyverno
+        # stack's sync-ghcr-credentials ClusterPolicy (openclaw allowlisted).
+        # Forgejo-registry images in this pod keep pulling anonymously.
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
+
         # Init 0: fix /workspace ownership so node user can write
         init_container {
           name    = "fix-workspace-perms"
@@ -502,9 +511,12 @@ resource "kubernetes_deployment" "openclaw" {
         # recruiter-responder image into NFS extensions/. Plugin lifecycle
         # is coupled to the recruiter-responder image tag — bumping that
         # tag re-installs the plugin on next openclaw pod restart.
+        # Image moved forgejo -> ghcr (PRIVATE, ADR-0002 infra#27): the
+        # forgejo-side build is gone, so its :latest is frozen — ghcr is
+        # where new builds land. Pull auth via the pod-level ghcr-credentials.
         init_container {
           name  = "install-recruiter-plugin"
-          image = "forgejo.viktorbarzin.me/viktor/recruiter-responder:latest"
+          image = "ghcr.io/viktorbarzin/recruiter-responder:latest"
           command = ["sh", "-c", <<-EOT
             set -eu
             mkdir -p /home/node/.openclaw/extensions/recruiter-api
@@ -541,7 +553,7 @@ resource "kubernetes_deployment" "openclaw" {
           # IfNotPresent: a cached stale :latest meant the plugin manifest
           # (configSchema fix) never got pulled. An uncached SHA forces the
           # pull. Bump this when the openclaw plugin in nextcloud-todos changes.
-          image           = "forgejo.viktorbarzin.me/viktor/nextcloud-todos:f85c6de1"
+          image             = "ghcr.io/viktorbarzin/nextcloud-todos:latest"
           image_pull_policy = "Always"
           command = ["sh", "-c", <<-EOT
             set -eu
@@ -1151,7 +1163,7 @@ resource "kubernetes_deployment" "openclaw" {
 
         # Main container: OpenClaw
         container {
-          name  = "openclaw"
+          name = "openclaw"
           # Pinned back to 2026.2.26 (2026-06-04): 2026.5.4's gateway writes a
           # model `agentRuntime` key for the openai-codex provider that it then
           # rejects on startup ("Invalid config ... Unrecognized key:
diff --git a/stacks/owntracks/.terraform.lock.hcl b/stacks/owntracks/.terraform.lock.hcl
index 9fbd2e13..f7844694 100644
--- a/stacks/owntracks/.terraform.lock.hcl
+++ b/stacks/owntracks/.terraform.lock.hcl
@@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
+  hashes = [
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
 provider "registry.terraform.io/goauthentik/authentik" {
   version     = "2024.12.1"
   constraints = "~> 2024.10"
@@ -47,41 +55,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -105,3 +88,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf
index b5c20645..976b8714 100644
--- a/stacks/owntracks/main.tf
+++ b/stacks/owntracks/main.tf
@@ -6,7 +6,7 @@ variable "nfs_server" { type = string }
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "owntracks-secrets"
@@ -49,7 +49,7 @@ resource "kubernetes_namespace" "owntracks" {
     name = "owntracks"
     labels = {
       "istio-injection" : "disabled"
-      tier = local.tiers.aux
+      tier               = local.tiers.aux
       "keel.sh/enrolled" = "true"
     }
   }
@@ -249,7 +249,7 @@ module "ingress" {
   tls_secret_name = var.tls_secret_name
   port            = 80
   extra_annotations = {
-    "traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
+    "traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd"
     "gethomepage.dev/enabled"                          = "true"
     "gethomepage.dev/name"                             = "OwnTracks"
     "gethomepage.dev/description"                      = "Location tracking"
diff --git a/stacks/paperless-ai/main.tf b/stacks/paperless-ai/main.tf
new file mode 100644
index 00000000..3c9f8a75
--- /dev/null
+++ b/stacks/paperless-ai/main.tf
@@ -0,0 +1,322 @@
+variable "tls_secret_name" {
+  type      = string
+  sensitive = true
+}
+
+locals {
+  namespace = "paperless-ai"
+}
+
+resource "kubernetes_namespace" "paperless_ai" {
+  metadata {
+    name = local.namespace
+    labels = {
+      tier = local.tiers.aux
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
+    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
+  }
+}
+
+# paperless-ai secrets pulled from Vault (secret/paperless-ai) by ESO:
+#   paperless_api_token — token for the dedicated `paperless-ai` Paperless
+#                         superuser (reads + tags ALL documents).
+#   api_key             — M2M key between the Node UI and the Python RAG service.
+#   custom_api_key      — placeholder bearer for llama-swap (no auth, field required).
+resource "kubernetes_manifest" "external_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "paperless-ai-secrets"
+      namespace = local.namespace
+    }
+    spec = {
+      refreshInterval = "15m"
+      secretStoreRef = {
+        name = "vault-kv"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "paperless-ai-secrets"
+      }
+      dataFrom = [{
+        extract = {
+          key = "paperless-ai"
+        }
+      }]
+    }
+  }
+  depends_on = [kubernetes_namespace.paperless_ai]
+}
+
+module "tls_secret" {
+  source          = "../../modules/kubernetes/setup_tls_secret"
+  namespace       = kubernetes_namespace.paperless_ai.metadata[0].name
+  tls_secret_name = var.tls_secret_name
+}
+
+# /app/data holds the SQLite DB, the embedded ChromaDB vector store
+# (rag_data/), the cached local embedding model, thumbnails and the
+# persisted .env. Sensitive (document-derived vectors + the Paperless
+# token) -> encrypted block storage. Autoresizes 2Gi -> 10Gi.
+resource "kubernetes_persistent_volume_claim" "data_encrypted" {
+  wait_until_bound = false
+  metadata {
+    name      = "paperless-ai-data-encrypted"
+    namespace = local.namespace
+    annotations = {
+      "resize.topolvm.io/threshold"     = "10%"
+      "resize.topolvm.io/increase"      = "100%"
+      "resize.topolvm.io/storage_limit" = "10Gi"
+    }
+  }
+  spec {
+    access_modes       = ["ReadWriteOnce"]
+    storage_class_name = "proxmox-lvm-encrypted"
+    resources {
+      requests = {
+        storage = "2Gi"
+      }
+    }
+  }
+  lifecycle {
+    # pvc-autoresizer grows requests.storage up to storage_limit; PVCs
+    # cannot shrink, so ignore drift to keep applies idempotent.
+    ignore_changes = [spec[0].resources[0].requests]
+  }
+}
+
+resource "kubernetes_deployment" "paperless_ai" {
+  metadata {
+    name      = "paperless-ai"
+    namespace = local.namespace
+    labels = {
+      app  = "paperless-ai"
+      tier = local.tiers.aux
+    }
+    annotations = {
+      "reloader.stakater.com/auto" = "true"
+    }
+  }
+  # The image bundles PyTorch + Surya OCR (multi-GB); the first pull can
+  # exceed the provider's rollout-wait. Don't block apply on readiness —
+  # rollout is verified out-of-band with kubectl.
+  wait_for_rollout = false
+  spec {
+    replicas = 1
+    # RWO encrypted PVC -> never run two pods against it at once.
+    strategy {
+      type = "Recreate"
+    }
+    selector {
+      match_labels = {
+        app = "paperless-ai"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "paperless-ai"
+        }
+      }
+      spec {
+        # The image runs as PUID/PGID 1000; fsGroup makes the encrypted
+        # PVC group-writable so the app can persist to /app/data.
+        security_context {
+          fs_group = 1000
+        }
+        container {
+          name  = "paperless-ai"
+          image = "docker.io/clusterzx/paperless-ai:3.0.9"
+
+          # Node UI (proxied by the Service) + Python RAG service (in-pod only).
+          port {
+            container_port = 3000
+            name           = "http"
+          }
+          port {
+            container_port = 8000
+            name           = "rag"
+          }
+
+          # Configuration model: paperless-ai persists ALL behavioural config
+          # (Paperless URL, AI provider, scan interval, tagging flags) + the
+          # app-admin account to /app/data/.env + SQLite on the PVC, written
+          # once via its setup flow. The PVC .env is the SINGLE source of truth
+          # for behaviour — we deliberately do NOT set those as container env,
+          # because the image's dotenv loader does NOT override process.env, so
+          # a container env silently shadows the .env (PROCESS_PREDEFINED_DOCUMENTS
+          # set here once forced the scan to no-op). Only infrastructural env +
+          # the Vault-sourced secrets (which mirror the .env copies) are set.
+          # App-admin creds + Paperless token live in Vault secret/paperless-ai.
+          env {
+            name  = "PUID"
+            value = "1000"
+          }
+          env {
+            name  = "PGID"
+            value = "1000"
+          }
+          env {
+            name  = "PAPERLESS_AI_PORT"
+            value = "3000"
+          }
+          env {
+            name  = "RAG_SERVICE_URL"
+            value = "http://localhost:8000"
+          }
+          env {
+            name  = "RAG_SERVICE_ENABLED"
+            value = "true"
+          }
+
+          # Persist the HuggingFace / sentence-transformers embedding model
+          # (paraphrase-multilingual-MiniLM-L12-v2) onto the PVC so it is
+          # not re-downloaded on every pod restart.
+          env {
+            name  = "HF_HOME"
+            value = "/app/data/hf-cache"
+          }
+          env {
+            name  = "SENTENCE_TRANSFORMERS_HOME"
+            value = "/app/data/st-cache"
+          }
+
+          # Vault-sourced secrets (mirror the .env copies the setup flow wrote).
+          env {
+            name = "PAPERLESS_API_TOKEN"
+            value_from {
+              secret_key_ref {
+                name = "paperless-ai-secrets"
+                key  = "paperless_api_token"
+              }
+            }
+          }
+
+          env {
+            name = "CUSTOM_API_KEY"
+            value_from {
+              secret_key_ref {
+                name = "paperless-ai-secrets"
+                key  = "custom_api_key"
+              }
+            }
+          }
+
+          # M2M key between the Node UI and the Python RAG service.
+          env {
+            name = "API_KEY"
+            value_from {
+              secret_key_ref {
+                name = "paperless-ai-secrets"
+                key  = "api_key"
+              }
+            }
+          }
+
+          volume_mount {
+            name       = "data"
+            mount_path = "/app/data"
+          }
+
+          resources {
+            requests = {
+              cpu    = "200m"
+              memory = "2Gi"
+            }
+            limits = {
+              # torch + the sentence-transformers model load in-process for
+              # the RAG service; 4Gi covers Node + Python + ChromaDB.
+              memory = "4Gi"
+            }
+          }
+
+          # The image presents a setup wizard / login that 30x-redirects on
+          # `/`, so an HTTP probe is brittle pre-setup. A TCP probe on the
+          # Node port is the robust readiness signal (same approach as the
+          # paperless-mcp stack).
+          startup_probe {
+            tcp_socket {
+              port = 3000
+            }
+            failure_threshold = 60
+            period_seconds    = 5
+          }
+          readiness_probe {
+            tcp_socket {
+              port = 3000
+            }
+            initial_delay_seconds = 10
+            period_seconds        = 15
+          }
+          liveness_probe {
+            tcp_socket {
+              port = 3000
+            }
+            initial_delay_seconds = 60
+            period_seconds        = 30
+          }
+        }
+        volume {
+          name = "data"
+          persistent_volume_claim {
+            claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+    ]
+  }
+}
+
+resource "kubernetes_service" "paperless_ai" {
+  metadata {
+    name      = "paperless-ai"
+    namespace = local.namespace
+    labels = {
+      app = "paperless-ai"
+    }
+  }
+  spec {
+    selector = {
+      app = "paperless-ai"
+    }
+    port {
+      name        = "http"
+      port        = 80
+      target_port = 3000
+      protocol    = "TCP"
+    }
+  }
+}
+
+module "ingress" {
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "required": private admin UI. paperless-ai has its own login but
+  # Authentik forward-auth is the primary gate (defence in depth). It only
+  # polls Paperless outbound (no inbound API consumers), so the Authentik
+  # 302 dance does not break it.
+  auth            = "required"
+  namespace       = kubernetes_namespace.paperless_ai.metadata[0].name
+  name            = "paperless-ai"
+  service_name    = "paperless-ai"
+  host            = "paperless-ai"
+  dns_type        = "proxied"
+  tls_secret_name = var.tls_secret_name
+  port            = 80
+  extra_annotations = {
+    "gethomepage.dev/enabled"     = "true"
+    "gethomepage.dev/description" = "AI document search & tagging"
+    "gethomepage.dev/group"       = "Productivity"
+    "gethomepage.dev/icon"        = "paperless-ngx.png"
+    "gethomepage.dev/name"        = "Paperless-AI"
+    "gethomepage.dev/pod-selector" = ""
+  }
+}
diff --git a/stacks/paperless-ai/secrets b/stacks/paperless-ai/secrets
new file mode 120000
index 00000000..ca54a7cf
--- /dev/null
+++ b/stacks/paperless-ai/secrets
@@ -0,0 +1 @@
+../../secrets
\ No newline at end of file
diff --git a/stacks/paperless-ai/terragrunt.hcl b/stacks/paperless-ai/terragrunt.hcl
new file mode 100644
index 00000000..f9a36787
--- /dev/null
+++ b/stacks/paperless-ai/terragrunt.hcl
@@ -0,0 +1,26 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
+
+dependency "vault" {
+  config_path  = "../vault"
+  skip_outputs = true
+}
+
+# Reads the Paperless API over the in-cluster service.
+dependency "paperless-ngx" {
+  config_path  = "../paperless-ngx"
+  skip_outputs = true
+}
+
+# LLM (chat/answer generation + auto-tagging) is served by llama-swap's
+# OpenAI-compatible endpoint; embeddings/semantic search are local in-pod.
+dependency "llama-cpp" {
+  config_path  = "../llama-cpp"
+  skip_outputs = true
+}
diff --git a/stacks/paperless-mcp/main.tf b/stacks/paperless-mcp/main.tf
index f3f2f7fc..851659fb 100644
--- a/stacks/paperless-mcp/main.tf
+++ b/stacks/paperless-mcp/main.tf
@@ -29,7 +29,7 @@ resource "kubernetes_namespace" "paperless-mcp" {
 # by ESO; the pod reads it via secret_key_ref.
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "paperless-mcp-secrets"
diff --git a/stacks/paperless-ngx/.terraform.lock.hcl b/stacks/paperless-ngx/.terraform.lock.hcl
index 9fbd2e13..f7844694 100644
--- a/stacks/paperless-ngx/.terraform.lock.hcl
+++ b/stacks/paperless-ngx/.terraform.lock.hcl
@@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
+  hashes = [
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
 provider "registry.terraform.io/goauthentik/authentik" {
   version     = "2024.12.1"
   constraints = "~> 2024.10"
@@ -47,41 +55,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -105,3 +88,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/paperless-ngx/main.tf b/stacks/paperless-ngx/main.tf
index 2e6f48a8..46d7b9cb 100644
--- a/stacks/paperless-ngx/main.tf
+++ b/stacks/paperless-ngx/main.tf
@@ -35,7 +35,7 @@ resource "kubernetes_namespace" "paperless-ngx" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "paperless-ngx-secrets"
diff --git a/stacks/payslip-ingest/main.tf b/stacks/payslip-ingest/main.tf
index 652bf16b..ed911b53 100644
--- a/stacks/payslip-ingest/main.tf
+++ b/stacks/payslip-ingest/main.tf
@@ -8,10 +8,16 @@ variable "postgresql_host" { type = string }
 
 locals {
   namespace = "payslip-ingest"
-  # Phase 3 of forgejo-registry-consolidation — image= flipped to Forgejo
-  # 2026-05-07. registry-private kept image at the same path, so the new
-  # Forgejo URL is `viktor/<name>` under forgejo.viktorbarzin.me.
-  image = "forgejo.viktorbarzin.me/viktor/payslip-ingest:${var.image_tag}"
+  # Image built OFF-INFRA by GitHub Actions, pushed to GHCR (private) — ADR-0002,
+  # 2026-06-13 (issue #24): Forgejo viktor/payslip-ingest push-mirrors -> private
+  # ViktorBarzin/payslip-ingest GitHub repo -> GHA builds + pushes
+  # ghcr.io/viktorbarzin/payslip-ingest. The running Deployment tag is set via
+  # `kubectl set image` by the Woodpecker deploy pipeline (image is
+  # KEEL_IGNORE_IMAGE below); the CronJob tracks :latest with pull policy Always.
+  # (Re-applied 2026-06-13: infra pipeline 148 — a restart of the auto-killed
+  # 146 — diffed in reverse and re-applied this stack from a pre-migration
+  # tree, stripping the ghcr config above. This touch re-asserts it.)
+  image = "ghcr.io/viktorbarzin/payslip-ingest:${var.image_tag}"
   labels = {
     app = "payslip-ingest"
   }
@@ -53,7 +59,7 @@ resource "kubernetes_namespace" "payslip_ingest" {
 #                                       (same as Viktor's sync_id)
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "payslip-ingest-secrets"
@@ -128,7 +134,7 @@ resource "kubernetes_manifest" "external_secret" {
 # Template builds the asyncpg DSN consumed by the FastAPI app as DB_CONNECTION_STRING.
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "payslip-ingest-db-creds"
@@ -200,6 +206,11 @@ resource "kubernetes_deployment" "payslip_ingest" {
         image_pull_secrets {
           name = "registry-credentials"
         }
+        # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+        # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
 
         init_container {
           name    = "alembic-migrate"
@@ -376,10 +387,19 @@ resource "kubernetes_cron_job_v1" "actualbudget_payroll_sync" {
             image_pull_secrets {
               name = "registry-credentials"
             }
+            # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+            # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
             container {
-              name    = "sync"
-              image   = local.image
-              command = ["python", "-m", "payslip_ingest", "sync-meta-deposits"]
+              name  = "sync"
+              image = local.image
+              # Fleet convention for owned-app CronJobs (ADR-0002): track
+              # :latest and re-pull on every run. Replaces the dead SHA pin
+              # (:4f70681d) on the decommissioned Forgejo image path.
+              image_pull_policy = "Always"
+              command           = ["python", "-m", "payslip_ingest", "sync-meta-deposits"]
 
               env_from {
                 secret_ref {
@@ -431,7 +451,7 @@ resource "kubernetes_cron_job_v1" "actualbudget_payroll_sync" {
 # Grafana whenever ESO updates this secret (every 7d on rotation).
 resource "kubernetes_manifest" "grafana_payslips_db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "grafana-payslips-pg-creds"
diff --git a/stacks/payslip-ingest/terragrunt.hcl b/stacks/payslip-ingest/terragrunt.hcl
index 030b05f8..528c68b3 100644
--- a/stacks/payslip-ingest/terragrunt.hcl
+++ b/stacks/payslip-ingest/terragrunt.hcl
@@ -18,7 +18,11 @@ dependency "external-secrets" {
 }
 
 inputs = {
-  # payslip-ingest repo HEAD — includes migrations 0004 + 0005, bonus-dedup,
-  # and the Woodpecker path-filter fix. Bump on every deploy.
-  image_tag = "4f70681d"
+  # :latest — CI drives the rollout (ADR-0002, issue #24): every master push
+  # builds :<sha8> + :latest on ghcr, then the Woodpecker deploy pipeline sets
+  # the Deployment to the concrete SHA (image is KEEL_IGNORE_IMAGE'd in the
+  # stack). The actualbudget-payroll-sync CronJob tracks :latest with
+  # imagePullPolicy Always — the old SHA pin (4f70681d, a Forgejo-only tag)
+  # is retired so the cron can never reference the dead registry path.
+  image_tag = "latest"
 }
diff --git a/stacks/phpipam/main.tf b/stacks/phpipam/main.tf
index ce74ae1d..9a4622f2 100644
--- a/stacks/phpipam/main.tf
+++ b/stacks/phpipam/main.tf
@@ -29,7 +29,7 @@ resource "kubernetes_namespace" "phpipam" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "phpipam-secrets"
@@ -58,7 +58,7 @@ resource "kubernetes_manifest" "external_secret" {
 
 resource "kubernetes_manifest" "external_secret_pfsense_ssh" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "phpipam-pfsense-ssh"
@@ -87,7 +87,7 @@ resource "kubernetes_manifest" "external_secret_pfsense_ssh" {
 
 resource "kubernetes_manifest" "external_secret_admin" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "phpipam-admin-password"
diff --git a/stacks/plotting-book/.terraform.lock.hcl b/stacks/plotting-book/.terraform.lock.hcl
index fabbc047..b22b977e 100644
--- a/stacks/plotting-book/.terraform.lock.hcl
+++ b/stacks/plotting-book/.terraform.lock.hcl
@@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
+  hashes = [
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
 provider "registry.terraform.io/goauthentik/authentik" {
   version     = "2024.12.1"
   constraints = "~> 2024.10"
@@ -33,29 +41,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -79,3 +74,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/plotting-book/main.tf b/stacks/plotting-book/main.tf
index a0e8f3d9..3b810ad5 100644
--- a/stacks/plotting-book/main.tf
+++ b/stacks/plotting-book/main.tf
@@ -8,7 +8,7 @@ resource "kubernetes_namespace" "plotting-book" {
     name = "plotting-book"
     labels = {
       "istio-injection" : "disabled"
-      tier = local.tiers.aux
+      tier               = local.tiers.aux
       "keel.sh/enrolled" = "true"
     }
   }
@@ -20,7 +20,7 @@ resource "kubernetes_namespace" "plotting-book" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "plotting-book-secrets"
@@ -122,8 +122,10 @@ resource "kubernetes_deployment" "plotting-book" {
           }
         }
         container {
-          image = "ancamilea/book-plotter:latest"
-          # image = "viktorbarzin/book-plotter:7"
+          # Baseline only — CI owns the live tag (GHA builds viktorbarzin/book-plotter:<sha8>,
+          # Woodpecker repo 43 set-images it; see ignore_changes above). :latest is pushed by
+          # the same GHA build, so a from-scratch apply starts on current code.
+          image             = "viktorbarzin/book-plotter:latest"
           name              = "plotting-book"
           image_pull_policy = "Always"
           env {
diff --git a/stacks/poison-fountain/main.tf b/stacks/poison-fountain/main.tf
index 16fd20c9..6872a5c0 100644
--- a/stacks/poison-fountain/main.tf
+++ b/stacks/poison-fountain/main.tf
@@ -9,8 +9,8 @@ resource "kubernetes_namespace" "poison_fountain" {
   metadata {
     name = "poison-fountain"
     labels = {
-      "istio-injection" = "disabled"
-      tier              = local.tiers.cluster
+      "istio-injection"  = "disabled"
+      tier               = local.tiers.cluster
       "keel.sh/enrolled" = "true"
     }
   }
@@ -228,7 +228,6 @@ module "ingress" {
   port                    = 8080
   tls_secret_name         = var.tls_secret_name
   skip_default_rate_limit = true
-  exclude_crowdsec        = true
   anti_ai_scraping        = false
   # Deployment is scaled to 0 (see replicas above). Opt the ingress out of
   # Uptime Kuma external monitoring so the sync CronJob deletes the orphaned
diff --git a/stacks/portal-assistant/main.tf b/stacks/portal-assistant/main.tf
new file mode 100644
index 00000000..10020d47
--- /dev/null
+++ b/stacks/portal-assistant/main.tf
@@ -0,0 +1,230 @@
+# =============================================================================
+# portal-assistant gateway — voice orchestrator (STT -> Brain -> TTS)
+# =============================================================================
+# The single service the Client app talks to: POST /v1/talk takes a WAV + a
+# client id, runs Speaches STT -> the claude-agent-service conversational Brain
+# -> Piper TTS, and returns the spoken reply. v1: ClusterIP only (E2E tested
+# in-cluster). In-memory sessions (no SESSION_DB_DSN). See portal-assistant
+# ADR-0001/0002/0003. Public Cloudflare ingress + device-token edge is the next
+# increment.
+# =============================================================================
+
+data "vault_kv_secret_v2" "viktor" {
+  mount = "secret"
+  name  = "viktor"
+}
+
+data "vault_kv_secret_v2" "cas" {
+  mount = "secret"
+  name  = "claude-agent-service"
+}
+
+data "vault_kv_secret_v2" "pa" {
+  mount = "secret"
+  name  = "portal-assistant"
+}
+
+locals {
+  namespace = "portal-assistant"
+  labels    = { app = "portal-assistant-gateway" }
+  image     = "ghcr.io/viktorbarzin/portal-assistant-gateway:latest"
+}
+
+resource "kubernetes_namespace" "portal_assistant" {
+  metadata {
+    name = local.namespace
+    labels = {
+      tier               = local.tiers.edge
+      "istio-injection"  = "disabled"
+      "keel.sh/enrolled" = "true"
+    }
+  }
+  lifecycle {
+    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
+  }
+}
+
+# Pull secret — the gateway image is a PRIVATE ghcr package. Uses the read-only
+# ghcr_pull_token (secret/viktor), the same cred the cluster-wide allowlist uses.
+resource "kubernetes_secret" "ghcr" {
+  metadata {
+    name      = "ghcr-pull"
+    namespace = kubernetes_namespace.portal_assistant.metadata[0].name
+  }
+  type = "kubernetes.io/dockerconfigjson"
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "ghcr.io" = {
+          username = "viktorbarzin"
+          password = data.vault_kv_secret_v2.viktor.data["ghcr_pull_token"]
+          auth     = base64encode("viktorbarzin:${data.vault_kv_secret_v2.viktor.data["ghcr_pull_token"]}")
+        }
+      }
+    })
+  }
+}
+
+# Tokens the gateway needs: BRAIN_TOKEN = claude-agent-service's bearer (to call
+# the conversational endpoint); DEVICE_TOKEN = the per-Client secret the Portal
+# app carries to authenticate to /v1/talk.
+resource "kubernetes_secret" "gateway" {
+  metadata {
+    name      = "portal-assistant-gateway-secrets"
+    namespace = kubernetes_namespace.portal_assistant.metadata[0].name
+  }
+  data = {
+    BRAIN_TOKEN  = data.vault_kv_secret_v2.cas.data["api_bearer_token"]
+    DEVICE_TOKEN = data.vault_kv_secret_v2.pa.data["device_token"]
+  }
+}
+
+resource "kubernetes_deployment" "gateway" {
+  metadata {
+    name      = "portal-assistant-gateway"
+    namespace = kubernetes_namespace.portal_assistant.metadata[0].name
+    labels    = merge(local.labels, { tier = local.tiers.edge })
+  }
+  spec {
+    replicas = 1
+    selector {
+      match_labels = { app = "portal-assistant-gateway" }
+    }
+    template {
+      metadata {
+        labels = { app = "portal-assistant-gateway" }
+      }
+      spec {
+        image_pull_secrets {
+          name = kubernetes_secret.ghcr.metadata[0].name
+        }
+        container {
+          name              = "gateway"
+          image             = local.image
+          image_pull_policy = "Always"
+          port {
+            container_port = 8000
+            name           = "http"
+          }
+          # STT -> Speaches; TTS -> Piper; Brain -> claude-agent-service.
+          env {
+            name  = "STT_URL"
+            value = "http://portal-stt.portal-stt.svc.cluster.local:8000"
+          }
+          env {
+            name  = "STT_MODEL"
+            value = "deepdml/faster-whisper-large-v3-turbo-ct2"
+          }
+          env {
+            name  = "TTS_URL"
+            value = "http://portal-tts.portal-tts.svc.cluster.local:8000"
+          }
+          # portal-tts now serves Microsoft edge-tts neural voices (Piper's
+          # Bulgarian was garbled; 2026-06-17). The gateway maps detected lang
+          # bg/en -> these edge voice names, which openai-edge-tts accepts directly.
+          env {
+            name  = "TTS_VOICE_BG"
+            value = "bg-BG-KalinaNeural"
+          }
+          env {
+            name  = "TTS_VOICE_EN"
+            value = "en-US-AvaNeural"
+          }
+          env {
+            name  = "BRAIN_URL"
+            value = "http://claude-agent-service.claude-agent.svc.cluster.local:8080"
+          }
+          env {
+            name = "BRAIN_TOKEN"
+            value_from {
+              secret_key_ref {
+                name = kubernetes_secret.gateway.metadata[0].name
+                key  = "BRAIN_TOKEN"
+              }
+            }
+          }
+          env {
+            name = "DEVICE_TOKEN"
+            value_from {
+              secret_key_ref {
+                name = kubernetes_secret.gateway.metadata[0].name
+                key  = "DEVICE_TOKEN"
+              }
+            }
+          }
+          readiness_probe {
+            http_get {
+              path = "/health"
+              port = 8000
+            }
+            period_seconds = 10
+          }
+          liveness_probe {
+            http_get {
+              path = "/health"
+              port = 8000
+            }
+            initial_delay_seconds = 15
+            period_seconds        = 30
+          }
+          resources {
+            requests = {
+              cpu    = "50m"
+              memory = "256Mi"
+            }
+            limits = {
+              memory = "512Mi"
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+    ]
+  }
+}
+
+# ClusterIP — the only externally-exposed component (ADR-0001) gets its public
+# Cloudflare ingress in the next increment; here it's reachable in-cluster for
+# the E2E smoke. /metrics scraped by Prometheus.
+resource "kubernetes_service" "gateway" {
+  metadata {
+    name      = "portal-assistant-gateway"
+    namespace = kubernetes_namespace.portal_assistant.metadata[0].name
+    labels    = local.labels
+    annotations = {
+      "prometheus.io/scrape" = "true"
+      "prometheus.io/path"   = "/metrics"
+      "prometheus.io/port"   = "8000"
+    }
+  }
+  spec {
+    type     = "ClusterIP"
+    selector = { app = "portal-assistant-gateway" }
+    port {
+      name        = "http"
+      port        = 8000
+      target_port = 8000
+    }
+  }
+}
+
+# Public Cloudflare ingress — the Portal app reaches the gateway at
+# https://portal-assistant.viktorbarzin.me/v1/talk. tls-secret is Kyverno-synced
+# into the namespace. The gateway holds its own edge auth (the DEVICE_TOKEN
+# bearer), so no Authentik in front.
+module "ingress" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  name            = "portal-assistant"
+  namespace       = kubernetes_namespace.portal_assistant.metadata[0].name
+  service_name    = kubernetes_service.gateway.metadata[0].name
+  port            = 8000
+  tls_secret_name = "tls-secret"
+  # auth = "app": the gateway enforces its own DEVICE_TOKEN bearer on /v1/talk; Authentik would break the native Portal client (it has no browser login).
+  auth          = "app"
+  dns_type      = "proxied"
+  max_body_size = "25m" # audio (WAV) uploads
+}
diff --git a/stacks/portal-assistant/terragrunt.hcl b/stacks/portal-assistant/terragrunt.hcl
new file mode 100644
index 00000000..222cd339
--- /dev/null
+++ b/stacks/portal-assistant/terragrunt.hcl
@@ -0,0 +1,13 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
+
+# portal-assistant gateway — the voice-assistant orchestrator (STT -> Brain ->
+# TTS). v1 is ClusterIP-only (E2E proven in-cluster); the public Cloudflare
+# ingress for the Portal app is added next. In-memory sessions for now (no
+# SESSION_DB_DSN); CNPG Postgres is a later add. portal-assistant issue #10.
diff --git a/stacks/portal-realtime/main.tf b/stacks/portal-realtime/main.tf
new file mode 100644
index 00000000..53ba1a3a
--- /dev/null
+++ b/stacks/portal-realtime/main.tf
@@ -0,0 +1,253 @@
+# =============================================================================
+# portal-realtime — full-duplex voice agent (Pipecat) over a WebSocket
+# =============================================================================
+# v2 of the portal-assistant brain path. Instead of the v1 tap-to-talk
+# request/response gateway, this is a persistent conversation: the Portal opens
+# ONE WebSocket (/ws) and streams raw PCM16 mic audio continuously; the Pipecat
+# pipeline does Silero VAD turn-taking -> Whisper STT (portal-stt) -> streaming
+# Claude brain (claude-agent-service /v1/chat/completions) -> edge-tts
+# (portal-tts) -> audio out, with barge-in. All three upstreams are REUSED
+# cluster services (nothing new spun up); the brain streams token-by-token over
+# the free CLI/subscription (no API key). Bilingual bg/en: the TTS voice follows
+# the reply's script.
+#
+# EXPOSURE: a single public Cloudflare ingress (proxied, WebSocket) at
+# wss://portal-realtime.viktorbarzin.me/ws. The agent enforces its own edge auth
+# (the DEVICE_TOKEN the Portal carries as ?token=), so auth="app" — Authentik
+# would break the native Portal client (no browser login). NO buffering
+# middleware (max_body_size unset): Traefik's Buffering middleware would break
+# the streaming WebSocket.
+#
+# IMAGE: ghcr.io/viktorbarzin/portal-assistant-realtime (PRIVATE ghcr package,
+# pulled with the read-only ghcr_pull_token). Built from the portal-assistant
+# repo's realtime/ dir. :latest + Keel auto-roll (namespace is keel-enrolled).
+# =============================================================================
+
+data "vault_kv_secret_v2" "viktor" {
+  mount = "secret"
+  name  = "viktor"
+}
+
+data "vault_kv_secret_v2" "cas" {
+  mount = "secret"
+  name  = "claude-agent-service"
+}
+
+# Reuse the portal-assistant device token — same physical Portal device, same
+# edge secret; no need for a separate credential.
+data "vault_kv_secret_v2" "pa" {
+  mount = "secret"
+  name  = "portal-assistant"
+}
+
+locals {
+  namespace = "portal-realtime"
+  labels    = { app = "portal-realtime" }
+  image     = "ghcr.io/viktorbarzin/portal-assistant-realtime:latest"
+}
+
+resource "kubernetes_namespace" "portal_realtime" {
+  metadata {
+    name = local.namespace
+    labels = {
+      tier               = local.tiers.edge
+      "istio-injection"  = "disabled"
+      "keel.sh/enrolled" = "true"
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label.
+    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
+  }
+}
+
+# Pull secret — the realtime image is a PRIVATE ghcr package. Uses the read-only
+# ghcr_pull_token (secret/viktor), same cred the cluster-wide allowlist uses.
+resource "kubernetes_secret" "ghcr" {
+  metadata {
+    name      = "ghcr-pull"
+    namespace = kubernetes_namespace.portal_realtime.metadata[0].name
+  }
+  type = "kubernetes.io/dockerconfigjson"
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "ghcr.io" = {
+          username = "viktorbarzin"
+          password = data.vault_kv_secret_v2.viktor.data["ghcr_pull_token"]
+          auth     = base64encode("viktorbarzin:${data.vault_kv_secret_v2.viktor.data["ghcr_pull_token"]}")
+        }
+      }
+    })
+  }
+}
+
+# Tokens: BRAIN_TOKEN = claude-agent-service's bearer (to call the streaming
+# conversational endpoint); DEVICE_TOKEN = the per-Portal secret the app carries
+# as ?token= on the WebSocket, which the agent verifies before accepting.
+resource "kubernetes_secret" "realtime" {
+  metadata {
+    name      = "portal-realtime-secrets"
+    namespace = kubernetes_namespace.portal_realtime.metadata[0].name
+  }
+  data = {
+    BRAIN_TOKEN  = data.vault_kv_secret_v2.cas.data["api_bearer_token"]
+    DEVICE_TOKEN = data.vault_kv_secret_v2.pa.data["device_token"]
+  }
+}
+
+resource "kubernetes_deployment" "realtime" {
+  metadata {
+    name      = "portal-realtime"
+    namespace = kubernetes_namespace.portal_realtime.metadata[0].name
+    labels    = merge(local.labels, { tier = local.tiers.edge })
+  }
+  spec {
+    replicas = 1
+    selector {
+      match_labels = { app = "portal-realtime" }
+    }
+    template {
+      metadata {
+        labels = { app = "portal-realtime" }
+      }
+      spec {
+        image_pull_secrets {
+          name = kubernetes_secret.ghcr.metadata[0].name
+        }
+        container {
+          name              = "realtime"
+          image             = local.image
+          image_pull_policy = "Always"
+          port {
+            container_port = 8000
+            name           = "http"
+          }
+
+          # STT/Brain/TTS base URLs carry the /v1 suffix: the agent's OpenAI-SDK
+          # clients append /audio/transcriptions, /chat/completions, /audio/speech.
+          env {
+            name  = "STT_URL"
+            value = "http://portal-stt.portal-stt.svc.cluster.local:8000/v1"
+          }
+          env {
+            name  = "STT_MODEL"
+            value = "deepdml/faster-whisper-large-v3-turbo-ct2"
+          }
+          env {
+            name  = "BRAIN_URL"
+            value = "http://claude-agent-service.claude-agent.svc.cluster.local:8080/v1"
+          }
+          env {
+            name  = "BRAIN_MODEL"
+            value = "sonnet" # latency over smartness for live conversation
+          }
+          env {
+            name  = "TTS_URL"
+            value = "http://portal-tts.portal-tts.svc.cluster.local:8000/v1"
+          }
+          # edge-tts neural voices; the agent switches per reply script (bg/en).
+          env {
+            name  = "TTS_VOICE_BG"
+            value = "bg-BG-KalinaNeural"
+          }
+          env {
+            name  = "TTS_VOICE_EN"
+            value = "en-US-AvaNeural"
+          }
+          env {
+            name = "BRAIN_TOKEN"
+            value_from {
+              secret_key_ref {
+                name = kubernetes_secret.realtime.metadata[0].name
+                key  = "BRAIN_TOKEN"
+              }
+            }
+          }
+          env {
+            name = "DEVICE_TOKEN"
+            value_from {
+              secret_key_ref {
+                name = kubernetes_secret.realtime.metadata[0].name
+                key  = "DEVICE_TOKEN"
+              }
+            }
+          }
+
+          readiness_probe {
+            http_get {
+              path = "/health"
+              port = 8000
+            }
+            initial_delay_seconds = 10
+            period_seconds        = 10
+          }
+          liveness_probe {
+            http_get {
+              path = "/health"
+              port = 8000
+            }
+            initial_delay_seconds = 20
+            period_seconds        = 30
+          }
+
+          resources {
+            # Pipecat + onnxruntime (Silero VAD) per live connection. No CPU
+            # limit (cluster CFS-throttling policy) — request only. Burstable
+            # memory (tier-edge). VERIFY with krr after real traffic.
+            requests = {
+              cpu    = "200m"
+              memory = "512Mi"
+            }
+            limits = {
+              memory = "1Gi"
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config,         # KYVERNO_LIFECYCLE_V1
+      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel rolls :latest; don't let TF revert the digest
+    ]
+  }
+}
+
+# ClusterIP — fronted by the ingress below. No /metrics endpoint on the agent;
+# kept out of the annotation scrape set (Pipecat metrics are internal only).
+resource "kubernetes_service" "realtime" {
+  metadata {
+    name      = "portal-realtime"
+    namespace = kubernetes_namespace.portal_realtime.metadata[0].name
+    labels    = local.labels
+  }
+  spec {
+    type     = "ClusterIP"
+    selector = { app = "portal-realtime" }
+    port {
+      name        = "http"
+      port        = 8000
+      target_port = 8000
+    }
+  }
+}
+
+# Public Cloudflare ingress — wss://portal-realtime.viktorbarzin.me/ws. Traefik
+# upgrades WebSocket on the standard HTTP router (no special annotation needed);
+# the entrypoint writeTimeout=0 keeps long-lived streams open. tls-secret is
+# Kyverno-synced into the namespace. NO max_body_size: a Buffering middleware
+# would break the streaming WebSocket.
+module "ingress" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  name            = "portal-realtime"
+  namespace       = kubernetes_namespace.portal_realtime.metadata[0].name
+  service_name    = kubernetes_service.realtime.metadata[0].name
+  port            = 8000
+  tls_secret_name = "tls-secret"
+  # auth = "app": the agent enforces its own DEVICE_TOKEN edge gate on /ws;
+  # Authentik would break the native Portal client (it has no browser login).
+  auth     = "app"
+  dns_type = "proxied"
+}
diff --git a/stacks/portal-realtime/terragrunt.hcl b/stacks/portal-realtime/terragrunt.hcl
new file mode 100644
index 00000000..da842ec8
--- /dev/null
+++ b/stacks/portal-realtime/terragrunt.hcl
@@ -0,0 +1,17 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
+
+# portal-realtime — the v2 full-duplex voice agent (Pipecat). One persistent
+# WebSocket per conversation: continuous mic audio -> Silero VAD turn-taking ->
+# Whisper STT (portal-stt) -> streaming Claude brain (claude-agent-service) ->
+# edge-tts (portal-tts) -> audio out, with barge-in. Reuses all three upstream
+# cluster services; nothing new is spun up. Public Cloudflare ingress (proxied,
+# WebSocket) with the app's own DEVICE_TOKEN as the edge gate. Sibling to
+# portal-assistant (the v1 tap-to-talk gateway, still live). portal-assistant
+# realtime Phase 3.
diff --git a/stacks/portal-stt/main.tf b/stacks/portal-stt/main.tf
new file mode 100644
index 00000000..9d6ea38e
--- /dev/null
+++ b/stacks/portal-stt/main.tf
@@ -0,0 +1,354 @@
+# =============================================================================
+# portal-stt — Speaches STT (Whisper large-v3-turbo int8) for portal-assistant
+# =============================================================================
+#
+# DRAFT for operator review (portal-assistant issue #2). HITL apply: an agent
+# drafts; the operator applies via GitOps (presence-claimed) and verifies the
+# rollout. Do NOT `terragrunt apply` this from a worktree.
+#
+# WHAT: a single WARM-RESIDENT Speaches deployment (OpenAI-compatible
+# faster-whisper server) serving `large-v3-turbo` int8, multilingual (Bulgarian
+# + English), on the shared Tesla T4 (one time-slice). ClusterIP only — audio
+# never leaves the LAN; the portal-assistant Gateway is the only externally
+# exposed component (ADR-0001), so no ingress/auth here.
+#
+# WHY WARM-RESIDENT, NOT THE CHATTERBOX DEMAND-GATE:
+#   The TTS (chatterbox) stack scales 0<->1 behind a free-VRAM CronJob gate
+#   because it is a best-effort BATCH tenant (tripit narration) that can wait.
+#   STT here is INTERACTIVE voice — every Turn would pay a multi-second cold
+#   model load (download/mmap + CUDA init) if we scaled to zero. So this stack
+#   keeps the model permanently loaded: replicas=1 + Speaches STT_MODEL_TTL=-1
+#   (never unload) + PRELOAD_MODELS (load at startup). See portal-assistant
+#   CONTEXT.md "Warm window" + ADR-0003.
+#
+# OOM HISTORY / VRAM MATH — the binding constraint is the shared T4 (16 GiB,
+# time-sliced across immich-ml / frigate / llama-swap / android-emulator with
+# NO per-tenant VRAM isolation). See
+# docs/post-mortems/2026-06-02-immich-ml-ttl-gpu-oom-recruiter.md (immich-ml's
+# unbounded onnxruntime arena starved llama-swap's qwen3-8b -> recruiter down).
+#
+#   Live residents measured 2026-06-17 (gpu_pod_memory_used_bytes):
+#     immich-ml        ~2.1 GiB  (capped: MACHINE_LEARNING_MODEL_TTL=600)
+#     frigate (8 proc) ~1.9 GiB  (detector + ffmpeg decode)
+#     android-emulator ~0.15 GiB
+#     llama-swap        0 idle, but loads qwen3-8b on demand = ~4.35 GiB peak
+#                       (cudaMalloc 4455 MiB, per the post-mortem)
+#   Worst-case concurrent baseline (everything hot): 2.1 + 1.9 + 0.15 + 4.35
+#                                                   = ~8.5 GiB.
+#   Speaches large-v3-turbo int8 weights ~= 0.8 GiB on disk; resident CTranslate2
+#   int8 + CUDA context + decode buffers budget conservatively to ~1.5 GiB
+#   (VERIFY at apply against gpu_pod_memory_used_bytes{namespace="portal-stt"}).
+#
+#   8.5 (residents) + 1.5 (this) = ~10.0 GiB used  =>  ~6 GiB T4 headroom.
+#   That headroom is the safety margin against onnxruntime arena drift (the
+#   exact failure mode from 2026-06-02). If a future resident grows, this is the
+#   FIRST place to re-measure. The conservative int8 (not fp16) choice halves
+#   our weight footprint precisely to protect this margin.
+#
+# GPU PRIORITY: this pod requests nvidia.com/gpu, so the Kyverno
+# `inject-gpu-workload-priority` ClusterPolicy auto-stamps the immich-equal
+# `gpu-workload` (1,200,000) priority — portal-stt is NOT in that policy's
+# exclude list (only `tts` is, to keep chatterbox demotable). That is CORRECT
+# here: warm interactive STT is a first-class GPU resident, never the first
+# evicted. We also set priority_class_name explicitly so intent is legible at
+# the call site and survives a policy fail-open. (Contrast tts/main.tf, which
+# pins tier-2-gpu precisely so chatterbox IS evicted first.)
+# =============================================================================
+
+variable "nfs_server" {
+  type        = string
+  description = "NFS server (Proxmox host). From config.tfvars (192.168.1.127)."
+}
+
+variable "speaches_image" {
+  type = string
+  # ghcr.io/speaches-ai/speaches CUDA build. The live registry currently
+  # publishes 0.9.0-rc.3-cuda (+ sha-/cuda-12.x variants) and a moving
+  # :latest-cuda; there is no published :0.8.3-cuda for the last stable. Pinned
+  # to the rc.3 CUDA tag (immutable-ish, beats :latest for the OOM/Keel-churn
+  # history). CUDA 12.4/12.6 image runtime is fine under our 570.195.03 driver
+  # (CUDA 12.8, backward-compatible). OPEN ITEM for operator: confirm this tag
+  # still resolves at apply, or bump to the newest -cuda tag.
+  default     = "ghcr.io/speaches-ai/speaches:0.9.0-rc.3-cuda"
+  description = "Speaches CUDA image. Pin a -cuda tag, not :latest-cuda."
+}
+
+variable "stt_model_id" {
+  type = string
+  # HF repo id of the CTranslate2 large-v3-turbo conversion. deepdml's is the
+  # canonical community ct2 build of openai large-v3-turbo (multilingual,
+  # incl. Bulgarian) and is what ADR-0003's FLEURS-bg bake-off measured at
+  # 8.3% WER. Speaches resolves whisper models by HF repo id.
+  default     = "deepdml/faster-whisper-large-v3-turbo-ct2"
+  description = "HuggingFace repo id of the warm-resident whisper model."
+}
+
+locals {
+  namespace = "portal-stt"
+  labels    = { app = "portal-stt" }
+
+  # Speaches is configured via env vars (pydantic-settings): scalars map from
+  # UPPER_SNAKE, nested whisper.* settings from WHISPER__FIELD. The three knobs
+  # that make this WARM-RESIDENT and int8:
+  #   PRELOAD_MODELS          — JSON list, loaded sequentially at startup so the
+  #                             first Turn is never cold (pod won't go Ready until
+  #                             the model is in VRAM).
+  #   STT_MODEL_TTL=-1        — never unload an idle STT model (0=immediate,
+  #                             default 300s). This is the warm-resident lever.
+  #   WHISPER__COMPUTE_TYPE   — int8 (conservative VRAM; default "default"=fp16).
+  #   WHISPER__INFERENCE_DEVICE — cuda (default "auto").
+  # HF cache is redirected onto the NFS-SSD PVC so weights download once and
+  # persist across pod restarts (image default cache is /home/ubuntu/.cache/
+  # huggingface/hub — ephemeral). Speaches runs as uid 1000 (ubuntu).
+}
+
+resource "kubernetes_namespace" "portal_stt" {
+  metadata {
+    name = local.namespace
+    labels = {
+      tier               = local.tiers.gpu
+      "istio-injection"  = "disabled"
+      "keel.sh/enrolled" = "true"
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
+    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
+  }
+}
+
+# portal-stt is ClusterIP-only (no ingress) — the Gateway is the sole
+# externally-exposed component (ADR-0001), so there is NO TLS secret / no
+# setup_tls_secret module here (it would demand secrets/fullchain.pem that this
+# stack does not ship).
+
+# Model + HF cache on NFS-SSD (fast first-load, persists across restarts). Path
+# /srv/nfs-ssd/portal-stt on the Proxmox host (192.168.1.127). Mirrors the
+# chatterbox nfs_models pattern. RWX so a future seed/inspect pod can touch it.
+module "nfs_models" {
+  source     = "../../modules/kubernetes/nfs_volume"
+  name       = "portal-stt-models"
+  namespace  = kubernetes_namespace.portal_stt.metadata[0].name
+  nfs_server = var.nfs_server
+  nfs_path   = "/srv/nfs-ssd/portal-stt"
+  storage    = "10Gi" # large-v3-turbo ct2 (~0.8Gi) + HF cache headroom
+}
+
+# One-shot bootstrap: /srv/nfs-ssd is exported whole-tree but the portal-stt
+# SUBDIR must exist before kubelet can bind-mount it (chatterbox hit exit 32 on
+# a missing subdir the first window — see stacks/tts/main.tf). Mount the export
+# ROOT (which exists) and mkdir the subtree; kubelet's mount retry then heals
+# the main pod. Idempotent; immutable-once-created.
+resource "kubernetes_job" "models_dir_init" {
+  metadata {
+    name      = "portal-stt-models-dir-init"
+    namespace = kubernetes_namespace.portal_stt.metadata[0].name
+    labels    = local.labels
+  }
+  spec {
+    backoff_limit              = 3
+    ttl_seconds_after_finished = 86400
+    template {
+      metadata { labels = local.labels }
+      spec {
+        restart_policy = "Never"
+        container {
+          name    = "mkdir"
+          image   = "busybox:1.37"
+          command = ["sh", "-c", "mkdir -p /mnt/portal-stt/hub && ls -la /mnt/portal-stt"]
+          volume_mount {
+            name       = "nfs-ssd-root"
+            mount_path = "/mnt"
+          }
+        }
+        volume {
+          name = "nfs-ssd-root"
+          nfs {
+            server = var.nfs_server
+            path   = "/srv/nfs-ssd"
+          }
+        }
+      }
+    }
+  }
+  wait_for_completion = true
+  timeouts { create = "3m" }
+}
+
+# Warm-resident Speaches. replicas=1, NEVER scaled to zero (no off-peak gate,
+# unlike tts) — the model stays in VRAM so interactive Turns never pay a cold
+# load. wait_for_rollout left default (true): a plain apply SHOULD block until
+# the model is loaded and the pod is Ready, surfacing a bad image/model early.
+resource "kubernetes_deployment" "portal_stt" {
+  metadata {
+    name      = "portal-stt"
+    namespace = kubernetes_namespace.portal_stt.metadata[0].name
+    labels    = merge(local.labels, { tier = local.tiers.gpu })
+  }
+  spec {
+    replicas = 1
+    # RWO is not in play (model PVC is RWX NFS), but Recreate avoids two pods
+    # briefly double-loading the model into the shared T4 during a rollout.
+    strategy { type = "Recreate" }
+    selector {
+      match_labels = { app = "portal-stt" }
+    }
+    template {
+      metadata {
+        labels = { app = "portal-stt" }
+      }
+      spec {
+        node_selector = { "nvidia.com/gpu.present" = "true" }
+        toleration {
+          key      = "nvidia.com/gpu"
+          operator = "Equal"
+          value    = "true"
+          effect   = "NoSchedule"
+        }
+        # First-class GPU resident (warm interactive STT) — same priority as
+        # immich-ml. Kyverno would stamp this anyway (portal-stt is not in the
+        # gpu-priority exclude list); set explicitly for legibility + fail-open
+        # safety. NOT tier-2-gpu (that is chatterbox's evict-first demotion).
+        priority_class_name = "gpu-workload"
+
+        container {
+          name  = "portal-stt"
+          image = var.speaches_image
+
+          # --- warm-resident + int8 + cuda config (see locals) ---
+          env {
+            name  = "PRELOAD_MODELS"
+            value = jsonencode([var.stt_model_id])
+          }
+          env {
+            name  = "STT_MODEL_TTL"
+            value = "-1" # never unload — the warm-resident lever
+          }
+          env {
+            name  = "WHISPER__INFERENCE_DEVICE"
+            value = "cuda"
+          }
+          env {
+            name  = "WHISPER__COMPUTE_TYPE"
+            value = "int8" # conservative VRAM (vs fp16 default)
+          }
+          env {
+            name  = "LOG_LEVEL"
+            value = "info" # image default is debug
+          }
+          # Persist the HF model cache on the NFS-SSD PVC (image default cache
+          # dir is ephemeral). Speaches/HF honour HF_HUB_CACHE + HF_HOME.
+          env {
+            name  = "HF_HUB_CACHE"
+            value = "/data/hub"
+          }
+          env {
+            name  = "HF_HOME"
+            value = "/data"
+          }
+
+          port {
+            container_port = 8000
+            name           = "http"
+          }
+
+          volume_mount {
+            name       = "models"
+            mount_path = "/data"
+          }
+
+          # /health is Speaches' liveness/readiness path. Generous startup
+          # allowance: the first boot downloads large-v3-turbo to the PVC before
+          # the server reports healthy (PRELOAD blocks startup). After the model
+          # is cached on NFS-SSD, subsequent boots load in seconds.
+          startup_probe {
+            http_get {
+              path = "/health"
+              port = 8000
+            }
+            period_seconds    = 10
+            failure_threshold = 60 # up to ~10 min for the first model download
+          }
+          readiness_probe {
+            http_get {
+              path = "/health"
+              port = 8000
+            }
+            period_seconds    = 15
+            failure_threshold = 4
+          }
+          liveness_probe {
+            http_get {
+              path = "/health"
+              port = 8000
+            }
+            initial_delay_seconds = 30
+            period_seconds        = 30
+            failure_threshold     = 5
+          }
+
+          resources {
+            requests = {
+              cpu    = "200m"
+              memory = "2Gi"
+            }
+            limits = {
+              memory           = "4Gi"
+              "nvidia.com/gpu" = "1" # ONE time-slice (operator advertises 100), NOT the whole card
+            }
+          }
+        }
+
+        volume {
+          name = "models"
+          persistent_volume_claim {
+            claim_name = module.nfs_models.claim_name
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      # image is TF-OWNED (pinned -cuda tag) — Keel can manage the digest on
+      # this tag if desired, so ignore keel's annotation churn but NOT the image
+      # itself (we want tag pins to apply). Mirrors tts: keel annotations only.
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      metadata[0].annotations["keel.sh/match-tag"],
+      metadata[0].annotations["kubernetes.io/change-cause"],
+      metadata[0].annotations["deployment.kubernetes.io/revision"],
+      spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
+    ]
+  }
+}
+
+# ClusterIP — in-cluster only (the Gateway calls this; audio stays on the LAN).
+# No ingress, no Authentik: the Gateway is the only externally exposed component
+# (ADR-0001) and holds the edge auth. OpenAI transcription path is
+# http://portal-stt.portal-stt.svc.cluster.local:8000/v1/audio/transcriptions
+resource "kubernetes_service" "portal_stt" {
+  metadata {
+    name      = "portal-stt"
+    namespace = kubernetes_namespace.portal_stt.metadata[0].name
+    labels    = local.labels
+    annotations = {
+      # Speaches exposes Prometheus metrics at /metrics — wire annotation-based
+      # scrape (Ready-endpoint relabeling already filters non-Ready pods).
+      "prometheus.io/scrape" = "true"
+      "prometheus.io/path"   = "/metrics"
+      "prometheus.io/port"   = "8000"
+    }
+  }
+  spec {
+    type     = "ClusterIP"
+    selector = { app = "portal-stt" }
+    port {
+      name        = "http"
+      port        = 8000
+      target_port = 8000
+    }
+  }
+}
diff --git a/stacks/portal-stt/terragrunt.hcl b/stacks/portal-stt/terragrunt.hcl
new file mode 100644
index 00000000..b35880be
--- /dev/null
+++ b/stacks/portal-stt/terragrunt.hcl
@@ -0,0 +1,33 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
+
+# portal-stt: in-cluster speech-to-text for the portal-assistant Gateway
+# (portal-assistant issue #2, ADR-0003). One Deployment of Speaches
+# (ghcr.io/speaches-ai/speaches, OpenAI-compatible faster-whisper) serving
+# `large-v3-turbo` int8, multilingual (Bulgarian + English), behind a single
+# ClusterIP Service `portal-stt.portal-stt.svc:8000`. Transcription path:
+# /v1/audio/transcriptions. Requests ONE time-slice of the shared T4
+# (nvidia.com/gpu=1) — a slice, not the card.
+#
+# WARM-RESIDENT (NOT the tts/chatterbox demand-gate): replicas=1, never scaled
+# to zero. The model is preloaded at startup (PRELOAD_MODELS) and never unloaded
+# (STT_MODEL_TTL=-1) so interactive voice Turns never pay a cold model load.
+# Chatterbox can scale 0<->1 because it is best-effort batch narration; STT is
+# latency-critical and must stay warm. See portal-assistant CONTEXT.md
+# "Warm window".
+#
+# VRAM safety on the shared T4 (16 GiB, no per-tenant isolation): int8 weights
+# budget ~1.5 GiB; worst-case alongside immich-ml (~2.1) + frigate (~1.9) +
+# llama-swap qwen3-8b (~4.35) leaves ~6 GiB headroom. This pod is NOT excluded
+# from the kyverno gpu-priority policy, so it correctly gets the immich-equal
+# `gpu-workload` priority (first-class resident, never evicted first) — the
+# inverse of tts. Full VRAM math + the OOM post-mortem reference are in main.tf.
+#
+# HITL: agent drafts; operator presence-claims the T4 and applies via GitOps,
+# then verifies the rollout + a bg/en transcription smoke test.
diff --git a/stacks/portal-tts/main.tf b/stacks/portal-tts/main.tf
new file mode 100644
index 00000000..39bfbcbd
--- /dev/null
+++ b/stacks/portal-tts/main.tf
@@ -0,0 +1,205 @@
+# =============================================================================
+# portal-tts — edge-tts (CPU, always-on) for the portal-assistant Gateway
+# =============================================================================
+#
+# WHAT: a single ALWAYS-ON openai-edge-tts deployment (travisvn/openai-edge-tts),
+# an OpenAI-compatible /v1/audio/speech proxy over Microsoft edge-tts neural
+# voices, serving Bulgarian (bg-BG-KalinaNeural) AND English (en-US-AvaNeural),
+# the voice chosen PER REQUEST by the Gateway, behind a ClusterIP Service
+# `portal-tts.portal-tts.svc:8000`. CPU-only — no GPU, no NFS model store.
+#
+# WHY edge-tts (REPLACED Piper / openedai-speech on 2026-06-17): the local Piper
+# Bulgarian voice (bg_BG-dimitar-medium, espeak-ng phonemes) was garbled and
+# unintelligible — espeak mangles Bulgarian consonants (a synth->Whisper
+# round-trip turned "Добър ден" into "Обърден"; a user heard pure gibberish).
+# ADR-0003 always named Microsoft edge-tts as the online Bulgarian-quality
+# fallback; the operator chose it for BOTH languages (validated 2026-06-17: edge
+# bg round-trips through Whisper verbatim — "Добър ден! Как сте днес? ..."). The
+# assistant already depends on the internet for the Claude brain, so an online
+# TTS adds no new failure mode. English moved to edge too (one engine, higher
+# quality) — the previous local Piper English worked but is no longer needed.
+#
+# NO GPU, NO NFS, NO SECRETS: edge-tts fetches voices from Microsoft on demand
+# (nothing to persist), so the NFS model PVC + download init-container + voice
+# ConfigMap of the old Piper design are all gone. The container needs EGRESS to
+# speech.platform.bing.com (verified reachable from this namespace). The Service
+# is ClusterIP-only and the Gateway is the sole externally-exposed component
+# (ADR-0001) holding the edge auth, so REQUIRE_API_KEY=False here (the Gateway's
+# TTSClient sends no Authorization to TTS).
+#
+# API SHAPE (unchanged Gateway contract): OpenAI /v1/audio/speech
+#   POST /v1/audio/speech
+#   { "model":"tts-1", "input":"<text>", "voice":"<edge voice name>",
+#     "response_format":"wav" }  -> 200, body = raw PCM16 wav bytes
+# The Gateway maps detected lang bg/en -> TTS_VOICE_BG / TTS_VOICE_EN (the edge
+# voice names, set on the gateway Deployment), and openai-edge-tts accepts edge
+# voice names directly. The `-ffmpeg` image variant is REQUIRED for wav output
+# (the base image only emits mp3; ffmpeg transcodes to PCM16 wav).
+# =============================================================================
+
+variable "edge_tts_image" {
+  type = string
+  # openai-edge-tts, the OpenAI-compatible edge-tts proxy. The `-ffmpeg` variant
+  # bundles ffmpeg so response_format=wav (PCM16) works. Floating tag (no semver
+  # discipline upstream) — the namespace is Keel-enrolled so digest bumps roll in
+  # automatically; TF owns only the tag string.
+  # docker.io/ prefix is REQUIRED: Kyverno require-trusted-registries blanket-
+  # trusts docker.io/* but a bare `travisvn/...` is unenumerated → blocked.
+  default     = "docker.io/travisvn/openai-edge-tts:latest-ffmpeg"
+  description = "openai-edge-tts image (ffmpeg variant — needed for wav output)."
+}
+
+variable "bg_voice" {
+  type        = string
+  default     = "bg-BG-KalinaNeural"
+  description = "Microsoft edge-tts neural Bulgarian voice (the Gateway's TTS_VOICE_BG must match)."
+}
+
+variable "en_voice" {
+  type        = string
+  default     = "en-US-AvaNeural"
+  description = "Microsoft edge-tts neural English voice (the Gateway's TTS_VOICE_EN must match)."
+}
+
+locals {
+  namespace = "portal-tts"
+  labels    = { app = "portal-tts" }
+}
+
+resource "kubernetes_namespace" "portal_tts" {
+  metadata {
+    name = local.namespace
+    labels = {
+      tier               = local.tiers.aux # CPU-only best-effort helper, not a GPU tenant
+      "istio-injection"  = "disabled"
+      "keel.sh/enrolled" = "true"
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
+    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
+  }
+}
+
+# Always-on openai-edge-tts. replicas=1, never scaled to zero (no GPU to free,
+# negligible idle cost — it's a thin proxy to Microsoft edge-tts). CPU-only: NO
+# node_selector / toleration / nvidia.com/gpu. No init container and no volumes:
+# voices are fetched from Microsoft per request, so the pod is stateless.
+resource "kubernetes_deployment" "portal_tts" {
+  metadata {
+    name      = "portal-tts"
+    namespace = kubernetes_namespace.portal_tts.metadata[0].name
+    labels    = merge(local.labels, { tier = local.tiers.aux })
+  }
+  spec {
+    replicas = 1
+    strategy { type = "Recreate" }
+    selector {
+      match_labels = { app = "portal-tts" }
+    }
+    template {
+      metadata {
+        labels = { app = "portal-tts" }
+      }
+      spec {
+        container {
+          name  = "portal-tts"
+          image = var.edge_tts_image
+
+          # openai-edge-tts listens on :5050 by default; the Service maps 8000 ->
+          # 5050 so the Gateway's TTS_URL (:8000) is unchanged.
+          port {
+            container_port = 5050
+            name           = "http"
+          }
+          # No API key: ClusterIP-only, the Gateway holds edge auth and sends no
+          # Authorization header to TTS. DEFAULT_VOICE is a fallback only — every
+          # request carries an explicit voice + response_format.
+          env {
+            name  = "REQUIRE_API_KEY"
+            value = "False"
+          }
+          env {
+            name  = "DEFAULT_VOICE"
+            value = var.en_voice
+          }
+
+          # TCP probes — uvicorn binds :5050 only once the app is ready. No model
+          # download, so startup is fast; egress to Microsoft happens per request.
+          startup_probe {
+            tcp_socket { port = 5050 }
+            period_seconds    = 5
+            failure_threshold = 24 # ~2 min
+          }
+          readiness_probe {
+            tcp_socket { port = 5050 }
+            period_seconds    = 15
+            failure_threshold = 4
+          }
+          liveness_probe {
+            tcp_socket { port = 5050 }
+            initial_delay_seconds = 20
+            period_seconds        = 30
+            failure_threshold     = 5
+          }
+
+          resources {
+            # Thin HTTP proxy to Microsoft edge-tts + ffmpeg transcode. Light on
+            # CPU (no CPU limit — cluster CFS-throttling policy). VERIFY with krr
+            # after real traffic and tighten.
+            requests = {
+              cpu    = "50m"
+              memory = "256Mi"
+            }
+            limits = {
+              memory = "512Mi"
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      # Keel is enrolled (floating tag) — ignore its annotation churn but let the
+      # tag string keep applying from TF.
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      metadata[0].annotations["keel.sh/match-tag"],
+      metadata[0].annotations["kubernetes.io/change-cause"],
+      metadata[0].annotations["deployment.kubernetes.io/revision"],
+      spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
+    ]
+  }
+}
+
+# ClusterIP — in-cluster only (the Gateway calls this; audio stays on the LAN
+# until the Gateway speaks it to the Portal). No ingress, no Authentik: the
+# Gateway is the only externally exposed component (ADR-0001). OpenAI speech path:
+# http://portal-tts.portal-tts.svc.cluster.local:8000/v1/audio/speech
+resource "kubernetes_service" "portal_tts" {
+  metadata {
+    name      = "portal-tts"
+    namespace = kubernetes_namespace.portal_tts.metadata[0].name
+    labels    = local.labels
+    annotations = {
+      # openai-edge-tts has no /metrics; annotation-based scrape kept on a live
+      # path so the Service stays in the scrape set (Ready-endpoint relabeling
+      # filters non-Ready pods). /v1/models is the OpenAI model list.
+      "prometheus.io/scrape" = "true"
+      "prometheus.io/path"   = "/v1/models"
+      "prometheus.io/port"   = "8000"
+    }
+  }
+  spec {
+    type     = "ClusterIP"
+    selector = { app = "portal-tts" }
+    port {
+      name        = "http"
+      port        = 8000
+      target_port = 5050
+    }
+  }
+}
diff --git a/stacks/portal-tts/terragrunt.hcl b/stacks/portal-tts/terragrunt.hcl
new file mode 100644
index 00000000..8e25ac63
--- /dev/null
+++ b/stacks/portal-tts/terragrunt.hcl
@@ -0,0 +1,33 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
+
+# portal-tts: in-cluster text-to-speech for the portal-assistant Gateway
+# (portal-assistant issue #3, ADR-0003). One ALWAYS-ON Deployment of Piper
+# (ghcr.io/matatonic/openedai-speech-min, OpenAI-compatible /v1/audio/speech)
+# serving Bulgarian `bg_BG-dimitar-medium` + English `en_US-lessac-medium`, voice
+# chosen PER REQUEST, behind a single ClusterIP Service
+# `portal-tts.portal-tts.svc:8000`. Speech path: /v1/audio/speech.
+#
+# CPU-ONLY: Piper is a fast CPU neural TTS — NO GPU node selector / toleration /
+# nvidia.com/gpu request. This deliberately keeps TTS off the OOM-prone shared
+# T4 (the two GPU siblings tts/chatterbox + portal-stt already contend for it);
+# Bulgarian isn't available on chatterbox anyway (ADR-0003). replicas=1, never
+# scaled to zero — no off-peak gate needed when there's no GPU to free.
+#
+# Voices live on an NFS-SSD PVC, downloaded from rhasspy/piper-voices by an init
+# container on first boot (both .onnx + .onnx.json), then persist. A ConfigMap
+# supplies voice_to_speaker.yaml mapping request voice "bg"/"en" -> .onnx model.
+#
+# PLUGGABLE: ADR-0003 keeps TTS a swappable backend with edge-tts as an online
+# Bulgarian fallback — that switch is Gateway-side; nothing here changes for it.
+#
+# nfs_server comes from config.tfvars (192.168.1.127) via the root inputs.
+#
+# HITL: agent drafts; operator applies via GitOps, then verifies the rollout +
+# a bg/en /v1/audio/speech smoke test (curl returns audio bytes).
diff --git a/stacks/postiz/modules/postiz/main.tf b/stacks/postiz/modules/postiz/main.tf
index 9e6684b6..91a55649 100644
--- a/stacks/postiz/modules/postiz/main.tf
+++ b/stacks/postiz/modules/postiz/main.tf
@@ -73,7 +73,7 @@ resource "kubernetes_persistent_volume_claim" "uploads" {
 # this Secret in via `envFrom: secretRef: postiz-secrets`.
 resource "kubernetes_manifest" "external_secret_jwt" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "postiz-jwt-secret"
diff --git a/stacks/proxmox-csi/modules/proxmox-csi/main.tf b/stacks/proxmox-csi/modules/proxmox-csi/main.tf
index ec6b03f2..8ca6216f 100644
--- a/stacks/proxmox-csi/modules/proxmox-csi/main.tf
+++ b/stacks/proxmox-csi/modules/proxmox-csi/main.tf
@@ -208,7 +208,7 @@ resource "kubernetes_cluster_role_binding" "pve_snapshot_admin" {
 # Referenced by the proxmox-lvm-encrypted StorageClass for node-stage and node-expand.
 resource "kubernetes_manifest" "external_secret_encryption" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "proxmox-csi-encryption"
diff --git a/stacks/rbac/modules/rbac/apiserver-oidc.tf b/stacks/rbac/modules/rbac/apiserver-oidc.tf
index f88bf924..f2d9b4be 100644
--- a/stacks/rbac/modules/rbac/apiserver-oidc.tf
+++ b/stacks/rbac/modules/rbac/apiserver-oidc.tf
@@ -10,16 +10,29 @@
 # match the existing RBAC subjects (kind: User, name: <raw email>; group names
 # verbatim). Do NOT add a prefix or existing bindings break.
 #
-# DRIFT WARNING: this edits the kube-apiserver static-pod manifest on the single
-# master. A `kubeadm upgrade` regenerates that manifest and DROPS this flag (this
-# is exactly how OIDC silently broke before — the flag was wiped and the
-# content-hash trigger never re-fired). After any k8s control-plane upgrade,
-# re-apply the rbac stack to restore apiserver OIDC. See
-# docs/plans/2026-06-04-k8s-dashboard-sso-design.md.
+# DRIFT WARNING (and how it's now handled): apiserver auth lives in THREE places
+# that must stay in sync, because a `kubeadm upgrade` REGENERATES the static-pod
+# manifest from kubeadm-config:
+#   1. /etc/kubernetes/pki/auth-config.yaml         — the structured authn file
+#   2. the live kube-apiserver static-pod manifest  — references it via the flag
+#   3. the kubeadm-config ClusterConfiguration CM   — what kubeadm regenerates from
+# Originally only (1)+(2) were managed, so every kubeadm upgrade rewrote the
+# manifest from the STALE CM, reverting --authentication-config to single-issuer
+# --oidc-* flags. The consequence is SSO breakage AFTER the upgrade: kubectl +
+# dashboard lose multi-issuer auth (the apiserver does NOT crash on this — verified
+# by an isolated repro 2026-06-24; the 2026-06-24 v1.35 upgrade *stall* was a
+# separate etcd IO-starvation issue, see
+# docs/post-mortems/2026-06-24-kubeadm-oidc-drift-apiserver-upgrade-stall.md). The
+# remote script below now ALSO reconciles (3) via `kubeadm init phase
+# upload-config`, so a future kubeadm upgrade regenerates a CORRECT manifest. The
+# k8s-version-upgrade chain additionally ALERTS (does not block — SSO drift is
+# recoverable) via `kubeadm upgrade diff` in preflight if --authentication-config
+# would still be dropped.
 #
 # SAFETY: the remote script health-gates on /livez and AUTO-ROLLS-BACK the
 # manifest from a timestamped backup if the apiserver does not recover, so a
-# malformed config cannot leave the single master down.
+# malformed config cannot leave the single master down. Reconciling kubeadm-config
+# is zero-impact on the running cluster (the CM is only read during an upgrade).
 
 variable "k8s_master_host" {
   type    = string
@@ -97,6 +110,40 @@ locals {
     print('flag-inserted' if done else 'ANCHOR-NOT-FOUND')
   PY
 
+  # Reconciles the kubeadm-config ClusterConfiguration's apiServer.extraArgs:
+  # drops the stale single-issuer --oidc-* args and ensures --authentication-config
+  # is present (anchored after --authorization-mode). Stdlib-only (the master is
+  # only guaranteed python3, not pyyaml/yq). Idempotent; preserves all other
+  # fields (etcd args, audit args, extraVolumes) verbatim. Exits 3 if the
+  # authorization-mode anchor is missing (fail loud, leave the CM untouched).
+  kubeadm_oidc_reconcile_py = <<-PY
+    import sys
+    lines = sys.stdin.read().split('\n')
+    out, i, n = [], 0, len(lines)
+    have_authn = any('name: authentication-config' in l for l in lines)
+    inserted = have_authn
+    while i < n:
+        ln = lines[i]; s = ln.strip()
+        if s.startswith('- name: oidc-'):
+            i += 2 if (i + 1 < n and lines[i + 1].strip().startswith('value:')) else 1
+            continue
+        out.append(ln)
+        if (not inserted) and s == '- name: authorization-mode':
+            indent = ln[:len(ln) - len(ln.lstrip())]
+            if i + 1 < n and lines[i + 1].strip().startswith('value:'):
+                out.append(lines[i + 1]); i += 2
+            else:
+                i += 1
+            out.append(indent + '- name: authentication-config')
+            out.append(indent + '  value: /etc/kubernetes/pki/auth-config.yaml')
+            inserted = True
+            continue
+        i += 1
+    if not inserted:
+        sys.stderr.write('ANCHOR-NOT-FOUND: authorization-mode\n'); sys.exit(3)
+    sys.stdout.write('\n'.join(out))
+  PY
+
   # Whole remote operation, base64-embedded for byte-exact transfer (no
   # heredoc/escaping hazards across SSH).
   apiserver_auth_remote_script = <<-SH
@@ -137,6 +184,30 @@ locals {
       echo "rolled back to previous manifest"; exit 1
     fi
     echo "kube-apiserver healthy with multi-issuer --authentication-config"
+
+    # 5. Reconcile kubeadm-config so a FUTURE `kubeadm upgrade` regenerates the
+    #    apiserver manifest WITH --authentication-config instead of reverting to
+    #    the stale single-issuer --oidc-* flags. Without this, kubeadm rewrote the
+    #    manifest from kubeadm-config on every control-plane upgrade and the
+    #    regenerated apiserver crash-looped (the 2026-06-24 v1.35 upgrade stall).
+    #    Zero live impact (the CM is only read at upgrade time); idempotent;
+    #    best-effort (the chain's `kubeadm upgrade diff` preflight gate is the
+    #    backstop if this cannot run).
+    KC="sudo kubectl --kubeconfig /etc/kubernetes/admin.conf"
+    CC=$($KC -n kube-system get cm kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' 2>/dev/null || true)
+    if [ -n "$CC" ] && { echo "$CC" | grep -q 'oidc-issuer-url' || ! echo "$CC" | grep -q 'authentication-config'; }; then
+      echo "Reconciling kubeadm-config (oidc-* -> authentication-config) so kubeadm upgrade keeps structured auth"
+      echo '${base64encode(local.kubeadm_oidc_reconcile_py)}' | base64 -d > /tmp/reconcile_kubeadm_oidc.py
+      if printf '%s' "$CC" | python3 /tmp/reconcile_kubeadm_oidc.py > /tmp/kubeadm-cc-new.yaml \
+         && sudo kubeadm init phase upload-config kubeadm --config /tmp/kubeadm-cc-new.yaml; then
+        echo "kubeadm-config reconciled: future control-plane upgrades keep --authentication-config"
+      else
+        echo "WARN: kubeadm-config reconcile failed; the upgrade-chain preflight gate will block the next upgrade"
+      fi
+      rm -f /tmp/reconcile_kubeadm_oidc.py /tmp/kubeadm-cc-new.yaml
+    else
+      echo "kubeadm-config already uses --authentication-config (no oidc drift)"
+    fi
   SH
 }
 
@@ -155,6 +226,33 @@ resource "null_resource" "apiserver_oidc_config" {
   }
 
   triggers = {
+    # Intentionally hash ONLY the issuer config, NOT the remote script. CI applies
+    # the rbac stack with no ssh_private_key (var defaults to ""), so a re-run of
+    # this SSH provisioner in CI would fail — hence the null_resource must stay a
+    # no-op on a plain CI apply. Script changes (e.g. the 2026-06-24 kubeadm-config
+    # reconciliation) reach the cluster via the apiserver-oidc-restore ConfigMap
+    # below (a plain k8s resource, no ssh) which the upgrade chain re-runs. To force
+    # this provisioner to re-run after a script change, apply locally with
+    # `-replace` + TF_VAR_ssh_private_key (see docs/runbooks/k8s-version-upgrade.md).
     auth_config = sha256(local.apiserver_auth_config_yaml)
   }
 }
+
+# Publish the restore script to a ConfigMap so the k8s-version-upgrade chain can
+# re-apply apiserver OIDC on master immediately after a `kubeadm upgrade` (which
+# regenerates the apiserver manifest and drops --authentication-config → breaks
+# SSO). This is the SAME script the null_resource above runs over SSH, so the
+# rbac stack stays the single source of truth — the chain just re-runs it
+# post-upgrade (phase_master in
+# stacks/k8s-version-upgrade/scripts/upgrade-step.sh) instead of waiting for a
+# manual `tg apply`. Content is config (issuer URLs + claim mappings), not
+# secrets, so a ConfigMap is appropriate.
+resource "kubernetes_config_map_v1" "apiserver_oidc_restore" {
+  metadata {
+    name      = "apiserver-oidc-restore"
+    namespace = "kube-system"
+  }
+  data = {
+    "restore.sh" = local.apiserver_auth_remote_script
+  }
+}
diff --git a/stacks/real-estate-crawler/.terraform.lock.hcl b/stacks/real-estate-crawler/.terraform.lock.hcl
index 1445955c..b22b977e 100644
--- a/stacks/real-estate-crawler/.terraform.lock.hcl
+++ b/stacks/real-estate-crawler/.terraform.lock.hcl
@@ -41,29 +41,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/real-estate-crawler/main.tf b/stacks/real-estate-crawler/main.tf
index bb2a41d0..2b8d7cf5 100644
--- a/stacks/real-estate-crawler/main.tf
+++ b/stacks/real-estate-crawler/main.tf
@@ -8,7 +8,7 @@ variable "mysql_host" { type = string }
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "real-estate-crawler-secrets"
@@ -37,7 +37,7 @@ resource "kubernetes_manifest" "external_secret" {
 # Provides DB_CONNECTION_STRING that auto-updates when password rotates
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "realestate-crawler-db-creds"
@@ -86,7 +86,7 @@ data "kubernetes_secret" "eso_secrets" {
 # (Sprig `b64enc`) so the PAT never sits in K8s in cleartext.
 resource "kubernetes_manifest" "dockerhub_pull_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "dockerhub-pull-secret"
diff --git a/stacks/recruiter-responder/main.tf b/stacks/recruiter-responder/main.tf
index 6f6c8c01..e552ea46 100644
--- a/stacks/recruiter-responder/main.tf
+++ b/stacks/recruiter-responder/main.tf
@@ -13,7 +13,10 @@ variable "tls_secret_name" {
 
 locals {
   namespace = "recruiter-responder"
-  image     = "forgejo.viktorbarzin.me/viktor/recruiter-responder:${var.image_tag}"
+  # GHA builds + pushes ghcr.io/viktorbarzin/recruiter-responder (PRIVATE,
+  # ADR-0002 off-infra builds, infra#27). Canonical repo stays on Forgejo;
+  # the GitHub mirror runs the build and the Woodpecker deploy moves the tag.
+  image = "ghcr.io/viktorbarzin/recruiter-responder:${var.image_tag}"
   labels = {
     app = "recruiter-responder"
   }
@@ -53,7 +56,7 @@ resource "kubernetes_namespace" "recruiter_responder" {
 # DB user: created via Vault database engine — see static-creds/pg-recruiter-responder.
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "recruiter-responder-secrets"
@@ -105,7 +108,7 @@ resource "kubernetes_manifest" "external_secret" {
 # `recruiter_responder`, and Vault role `static-creds/pg-recruiter-responder`.
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "recruiter-responder-db-creds"
@@ -175,6 +178,12 @@ resource "kubernetes_deployment" "recruiter_responder" {
         image_pull_secrets {
           name = "registry-credentials"
         }
+        # GHCR pull secret: the ghcr-credentials Secret in this namespace is
+        # cloned in by the kyverno stack's sync-ghcr-credentials ClusterPolicy
+        # (allowlisted namespace) — the ghcr package is PRIVATE (ADR-0002).
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
 
         init_container {
           name    = "alembic-migrate"
diff --git a/stacks/resume/.terraform.lock.hcl b/stacks/resume/.terraform.lock.hcl
index 522ec0cc..b22b977e 100644
--- a/stacks/resume/.terraform.lock.hcl
+++ b/stacks/resume/.terraform.lock.hcl
@@ -41,29 +41,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -87,3 +74,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/resume/main.tf b/stacks/resume/main.tf
index 25bde022..7b482655 100644
--- a/stacks/resume/main.tf
+++ b/stacks/resume/main.tf
@@ -42,7 +42,7 @@ module "tls_secret" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "resume-secrets"
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
index 850675d5..3ee18e8e 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
@@ -211,7 +211,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
         "traefik-retry@kubernetescrd",
         var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
         var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
-        "traefik-crowdsec@kubernetescrd",
         var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
         var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
         var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
index ebb145e9..b891139f 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@@ -31,12 +31,15 @@ module "tls_secret" {
 
 # https://pfsense.viktorbarzin.me/
 module "pfsense" {
-  source           = "./factory"
-  dns_type         = "proxied"
-  name             = "pfsense"
-  external_name    = "pfsense.viktorbarzin.lan"
-  tls_secret_name  = var.tls_secret_name
-  port             = 443
+  source          = "./factory"
+  dns_type        = "proxied"
+  name            = "pfsense"
+  external_name   = "pfsense.viktorbarzin.lan"
+  tls_secret_name = var.tls_secret_name
+  # webGUI moved to :8443 on 2026-06-10 — :443 on pfSense is now the
+  # SNI-routed HAProxy frontend (hostname->Traefik, no-SNI->GUI). Direct
+  # backend port avoids a Traefik->HAProxy->GUI double hop.
+  port             = 8443
   backend_protocol = "HTTPS"
 
   extra_annotations = {
@@ -160,7 +163,7 @@ module "docker-registry-ui" {
   depends_on      = [kubernetes_namespace.reverse-proxy]
   extra_annotations = {
     # Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags
-    "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+    "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
     "gethomepage.dev/enabled"                          = "true"
     "gethomepage.dev/name"                             = "Docker Registry"
     "gethomepage.dev/description"                      = "Container registry"
@@ -235,8 +238,10 @@ resource "kubernetes_manifest" "ha_sofia_rate_limit" {
     }
     spec = {
       rateLimit = {
-        average = 100
-        burst   = 200
+        # Bumped 100/200 -> 200/500 (2026-06-17): a cold HA-frontend load from a
+        # new, empty-cache client bursts dozens of JS/icon chunks and 429'd.
+        average = 200
+        burst   = 500
       }
     }
   }
@@ -339,6 +344,27 @@ module "music-assistant" {
   }
 }
 
+# Rate limit for ha-london — cold HA-frontend loads from a new, empty-cache
+# client (e.g. the repurposed Portal) burst dozens of JS/icon chunks at once;
+# the global 10/50 default 429'd them, blanking the dashboards. Generous own
+# limit, mirroring ha-sofia. (2026-06-17)
+resource "kubernetes_manifest" "ha_london_rate_limit" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "ha-london-rate-limit"
+      namespace = "reverse-proxy"
+    }
+    spec = {
+      rateLimit = {
+        average = 200
+        burst   = 500
+      }
+    }
+  }
+}
+
 # https://ha-london.viktorbarzin.me/
 module "ha-london" {
   source          = "./factory"
@@ -347,8 +373,17 @@ module "ha-london" {
   external_name   = "ha-london.viktorbarzin.lan"
   port            = 8123
   tls_secret_name = var.tls_secret_name
-  depends_on      = [kubernetes_namespace.reverse-proxy]
-  protected       = false
+  # depends_on on the rate-limit manifest avoids a dangling-reference window
+  # that would 404 ha-london traffic (see ha-sofia / memory 768).
+  depends_on = [
+    kubernetes_namespace.reverse-proxy,
+    kubernetes_manifest.ha_london_rate_limit,
+  ]
+  protected              = false
+  skip_global_rate_limit = true
+  extra_middlewares = [
+    "reverse-proxy-ha-london-rate-limit@kubernetescrd",
+  ]
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "Home Assistant London"
diff --git a/stacks/rybbit/.terraform.lock.hcl b/stacks/rybbit/.terraform.lock.hcl
index 6c9afb10..31e1c607 100644
--- a/stacks/rybbit/.terraform.lock.hcl
+++ b/stacks/rybbit/.terraform.lock.hcl
@@ -70,61 +70,23 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version = "3.8.1"
+  version = "3.9.0"
   hashes = [
-    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
-    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
-    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
-    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
-    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
-    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
-    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
-    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
-    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
-    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
-    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
-    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+    "h1:UlBuNVuCGJ39tTv2c5gz2NRZnQbXfbIWbTzWcth5o74=",
   ]
 }
 
diff --git a/stacks/rybbit/crowdsec_edge.tf b/stacks/rybbit/crowdsec_edge.tf
new file mode 100644
index 00000000..692c3711
--- /dev/null
+++ b/stacks/rybbit/crowdsec_edge.tf
@@ -0,0 +1,318 @@
+# =============================================================================
+# CrowdSec edge enforcement for Cloudflare-PROXIED hosts — control plane
+# =============================================================================
+# Proxied hosts terminate at the Cloudflare edge, so the in-cluster CrowdSec
+# bouncer (which keys on the real client IP seen by Traefik) never gets to
+# decide on them. To enforce CrowdSec bans/captchas on proxied traffic we push
+# the decision INTO the Cloudflare edge as a SINGLE account-level IP List + one
+# zone-scoped WAF custom rule:
+#
+#   * ONE account IP List — `crowdsec_ban` — holds BOTH the banned AND captcha'd
+#     source IPs (empty in TF; populated at runtime). The CF account hard-limits
+#     to ONE Rules List, so captcha decisions are downgraded to block at the
+#     edge and folded into this same list (block-only enforcement).
+#   * A zone-scoped WAF ruleset in the http_request_firewall_custom phase
+#     blocks `(ip.src in $crowdsec_ban)`. Because it's a ZONE rule it enforces
+#     across ALL proxied hosts in the zone (~135), not just the handful a
+#     Worker would route. (The previous Worker+KV design only covered the ~27
+#     hosts the rybbit Worker routed; the analytics Worker in worker/ is
+#     unrelated and stays.)
+#
+# This file is the CONTROL PLANE that keeps that list in sync with LAPI:
+#   1. the single empty IP List (list ITEMS are owned by the CronJob at runtime,
+#      NOT by Terraform — see the lifecycle ignore_changes on `item`),
+#   2. a LEAST-PRIVILEGE Cloudflare API token (account Filter-Lists edit only,
+#      scoped to this account) the sync job authenticates with,
+#   3. a CronJob running lapi_kv_sync.py every 2 min to full-reconcile LAPI
+#      decisions (ban + captcha) into the one list (mirrors
+#      monitoring/alert_digest.tf: stock python:3.12-alpine + pure-stdlib script
+#      from a ConfigMap, no pip/apk at runtime).
+#
+# Cloudflare provider is pinned v4.52.7 (~> 4) — v4 schema is used throughout
+# (v5 differs greatly: policy is a block here not a `policies = [...]` list;
+# resources is a map not a jsonencode'd string; ruleset `rules` is a repeatable
+# block; list items use `item { value { ip = ... } }`; permission groups are
+# looked up via data.cloudflare_api_token_permission_groups, not a v5 *_list
+# data source). context7 only indexes v5, so the v4 arguments below were
+# verified against the v4.52.7 provider docs (github tag v4.52.7) — items
+# FLAGGED ### VERIFY for tg-plan are noted inline.
+# =============================================================================
+
+data "cloudflare_accounts" "main" {}
+
+locals {
+  cf_account_id = data.cloudflare_accounts.main.accounts[0].id
+}
+
+# -----------------------------------------------------------------------------
+# IP List — empty shell. The CronJob owns the items at runtime via the CF
+# Rules-Lists API; TF must NOT manage items or every 2-min sync would fight the
+# next `terragrunt apply` (apply would try to delete the runtime items).
+#
+# ### VERIFY (v4.52.7): cloudflare_list args account_id/name/kind/description;
+#     kind="ip" is one of {ip, redirect, hostname, asn}. The optional items
+#     block is named `item` (singular, Block Set) with `item { value { ip=... }
+#     comment=... }`. We declare NO `item` blocks (empty list) and
+#     ignore_changes=[item] so runtime items don't show as drift.
+#     NOTE: list `name` must match /^[a-zA-Z0-9_]+$/ (underscores ok, no dashes)
+#     — hence crowdsec_ban (underscore, not dash).
+# -----------------------------------------------------------------------------
+resource "cloudflare_list" "crowdsec_ban" {
+  account_id  = local.cf_account_id
+  name        = "crowdsec_ban"
+  kind        = "ip"
+  description = "CrowdSec ban decisions (synced from LAPI)"
+
+  lifecycle {
+    # The crowdsec-cf-sync CronJob adds/removes items at runtime; TF owns only
+    # the empty list shell. Without this, every apply would delete live bans.
+    ignore_changes = [item]
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Zone-scoped WAF custom ruleset — the actual enforcement. One ruleset, one
+# block rule, applied to EVERY proxied host in the zone.
+#
+# ### VERIFY (v4.52.7): cloudflare_ruleset with zone_id + kind="zone" +
+#     phase="http_request_firewall_custom"; `rules` is a repeatable block with
+#     action/expression/description/enabled. action "block" is valid. List
+#     references in WAF expressions use the list NAME with a `$` prefix (NOT the
+#     list id): ($crowdsec_ban). Both ban and captcha decisions land in this one
+#     list (the CF account allows only one Rules List), so a single block rule
+#     covers everything — captcha is enforced as block at the edge.
+#
+# zone_id is the viktorbarzin.me zone — the single zone id used repo-wide
+# (default of var.cloudflare_zone_id in modules/kubernetes/ingress_factory and
+# hardcoded the same in stacks/kms/main.tf; source of truth is the git-crypt'd
+# config.tfvars). Hardcoded here (with the conventional marker comment) because
+# the rybbit stack does not import the ingress_factory module.
+# -----------------------------------------------------------------------------
+# Cloudflare allows only ONE entrypoint ruleset per zone+phase, and the zone
+# already has the stock `default` http_request_firewall_custom ruleset (created
+# out-of-band, id 106a1342bc88454ea59c47ad3431fe0e). Creating a second one fails
+# the singleton constraint, so we IMPORT the existing ruleset and manage all of
+# its rules here: our CrowdSec ban/captcha rules FIRST, and the pre-existing
+# (currently disabled) skip rule preserved verbatim below it.
+import {
+  to = cloudflare_ruleset.crowdsec
+  id = "zone/fd2c5dd4efe8fe38958944e74d0ced6d/106a1342bc88454ea59c47ad3431fe0e"
+}
+
+resource "cloudflare_ruleset" "crowdsec" {
+  zone_id = "fd2c5dd4efe8fe38958944e74d0ced6d" # cloudflare_zone_id (viktorbarzin.me)
+  name    = "default"
+  kind    = "zone"
+  phase   = "http_request_firewall_custom"
+
+  # The WAF rule references the IP list by name ($crowdsec_ban), so the list
+  # must exist before this ruleset is created/updated.
+  depends_on = [cloudflare_list.crowdsec_ban]
+
+  # CrowdSec ban — block every IP in the single edge list, EXCEPT on the
+  # Authentik auth hosts. The sync (lapi_kv_sync.py) now writes ONLY "ban"
+  # decisions into crowdsec_ban — captcha is no longer downgraded to a hard
+  # block. The auth-host carve-out guarantees a CrowdSec hit can never wall a
+  # user out of the login / WebAuthn flow they authenticate through: without it,
+  # a false-positive ban would 403 the passkey ceremony + session-refresh XHRs
+  # on every proxied host, auth included. 2026-06-20.
+  rules {
+    action      = "block"
+    expression  = "(ip.src in $crowdsec_ban) and not (http.host in {\"authentik.viktorbarzin.me\" \"public-auth.viktorbarzin.me\"})"
+    description = "CrowdSec: block banned IPs (auth hosts carved out)"
+    enabled     = true
+  }
+  # Pre-existing rule, imported and preserved verbatim (currently disabled).
+  # NOTE: Cloudflare auto-attaches logging{enabled=true} to skip rules. It must
+  # be declared here to match live, otherwise editing the OTHER rule re-sends
+  # this one too and the v4 provider errors "Provider produced inconsistent
+  # result after apply: .rules[1].logging block count changed from 0 to 1"
+  # (hit 2026-06-20 when adding the auth-host carve-out above).
+  rules {
+    action      = "skip"
+    expression  = "(http.host contains \"viktorbarzin.me\")"
+    description = "skip"
+    enabled     = false
+    action_parameters {
+      phases   = ["http_ratelimit", "http_request_firewall_managed", "http_request_sbfm"]
+      products = ["uaBlock", "bic", "hot", "securityLevel", "rateLimit", "waf", "zoneLockdown"]
+      ruleset  = "current"
+    }
+    logging {
+      enabled = true
+    }
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Least-privilege API token for the sync job: account-level Filter-Lists edit
+# ONLY, scoped to this single account (no zone/DNS/Workers access). The token
+# value is sensitive and lands in TF state (Tier-1 PG, encrypted at rest) and
+# in the rybbit Secret below — same trust level as the CF Global API Key
+# already in state.
+#
+# ### VERIFY (v4.52.7): cloudflare_api_token with a repeatable `policy` block
+#     (effect / permission_groups = Set of String / resources = Map of String);
+#     token secret is exposed as `.value` (sensitive).
+#
+# ### VERIFY — PERMISSION GROUP NAME (highest-risk item). v4.52.7 deprecates
+#     the flat `.permissions[...]` map ("some permissions overlap resource
+#     scope"); the non-deprecated lookup is the scoped `.account[...]` map.
+#     Cloudflare's current permissions reference calls the account list-edit
+#     group "Account Filter Lists Edit" (and read "Account Filter Lists Read").
+#     An OLDER community gist instead shows "Account Rule Lists Read/Write" —
+#     Cloudflare has renamed this group over time. If `tg plan` errors with a
+#     missing key, try (in order): .account["Account Filter Lists Edit"] ->
+#     .account["Account Rule Lists Write"], or enumerate the live names with:
+#       terraform console
+#       > data.cloudflare_api_token_permission_groups.all.account
+#     Read is not strictly required for edit (Edit = full CRUDL) but the sync
+#     job GETs items, so we include Read too to be safe.
+# -----------------------------------------------------------------------------
+data "cloudflare_api_token_permission_groups" "all" {}
+
+resource "cloudflare_api_token" "list_sync" {
+  name = "rybbit-crowdsec-list-sync"
+
+  policy {
+    effect = "allow"
+    permission_groups = [
+      data.cloudflare_api_token_permission_groups.all.account["Account Rule Lists Write"],
+      data.cloudflare_api_token_permission_groups.all.account["Account Rule Lists Read"],
+    ]
+    resources = {
+      "com.cloudflare.api.account.${local.cf_account_id}" = "*"
+    }
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Pure-stdlib sync script, mounted into the CronJob from a ConfigMap (the
+# alert_digest pattern — no per-run package installs).
+# -----------------------------------------------------------------------------
+resource "kubernetes_config_map" "crowdsec_cf_sync_script" {
+  metadata {
+    name      = "crowdsec-cf-sync-script"
+    namespace = "rybbit"
+  }
+  data = {
+    "lapi_kv_sync.py" = file("${path.module}/lapi_kv_sync.py")
+  }
+}
+
+# Secrets consumed by the sync job: the LAPI bouncer key (registered in LAPI,
+# stored in Vault secret/platform -> kvsync_bouncer_key) and the minted CF
+# token value. Account id and list ids are NOT secret and are passed as plain
+# env values on the CronJob.
+resource "kubernetes_secret" "crowdsec_cf_sync" {
+  metadata {
+    name      = "crowdsec-cf-sync"
+    namespace = "rybbit"
+  }
+  type = "Opaque"
+  data = {
+    LAPI_KEY     = data.vault_kv_secret_v2.cf_platform.data["kvsync_bouncer_key"]
+    CF_API_TOKEN = cloudflare_api_token.list_sync.value
+  }
+}
+
+resource "kubernetes_cron_job_v1" "crowdsec_cf_sync" {
+  metadata {
+    name      = "crowdsec-cf-sync"
+    namespace = "rybbit"
+    labels = {
+      app  = "crowdsec-cf-sync"
+      tier = local.tiers.aux
+    }
+  }
+  spec {
+    concurrency_policy            = "Forbid"
+    failed_jobs_history_limit     = 3
+    successful_jobs_history_limit = 3
+    schedule                      = "*/2 * * * *"
+    starting_deadline_seconds     = 110
+    job_template {
+      metadata {}
+      spec {
+        backoff_limit              = 2
+        ttl_seconds_after_finished = 3600
+        template {
+          metadata {
+            labels = {
+              app = "crowdsec-cf-sync"
+            }
+          }
+          spec {
+            restart_policy = "OnFailure"
+            container {
+              name              = "crowdsec-cf-sync"
+              image             = "docker.io/library/python:3.12-alpine"
+              image_pull_policy = "IfNotPresent"
+              command           = ["python3", "/scripts/lapi_kv_sync.py"]
+              env {
+                name = "LAPI_KEY"
+                value_from {
+                  secret_key_ref {
+                    name = kubernetes_secret.crowdsec_cf_sync.metadata[0].name
+                    key  = "LAPI_KEY"
+                  }
+                }
+              }
+              env {
+                name = "CF_API_TOKEN"
+                value_from {
+                  secret_key_ref {
+                    name = kubernetes_secret.crowdsec_cf_sync.metadata[0].name
+                    key  = "CF_API_TOKEN"
+                  }
+                }
+              }
+              env {
+                name  = "CF_ACCOUNT_ID"
+                value = local.cf_account_id
+              }
+              env {
+                name  = "CF_BAN_LIST_ID"
+                value = cloudflare_list.crowdsec_ban.id
+              }
+              env {
+                name  = "PUSHGATEWAY_URL"
+                value = "http://prometheus-prometheus-pushgateway.monitoring:9091"
+              }
+              volume_mount {
+                name       = "script"
+                mount_path = "/scripts"
+                read_only  = true
+              }
+              resources {
+                requests = {
+                  cpu    = "10m"
+                  memory = "48Mi"
+                }
+                limits = {
+                  memory = "96Mi"
+                }
+              }
+            }
+            volume {
+              name = "script"
+              config_map {
+                name = kubernetes_config_map.crowdsec_cf_sync_script.metadata[0].name
+              }
+            }
+            dns_config {
+              option {
+                name  = "ndots"
+                value = "2"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
+    ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config]
+  }
+}
diff --git a/stacks/rybbit/lapi_kv_sync.py b/stacks/rybbit/lapi_kv_sync.py
new file mode 100644
index 00000000..01eb1c89
--- /dev/null
+++ b/stacks/rybbit/lapi_kv_sync.py
@@ -0,0 +1,346 @@
+#!/usr/bin/env python3
+"""Sync CrowdSec LAPI decisions -> ONE Cloudflare account IP List (block-only).
+
+Cloudflare-PROXIED hosts terminate at the CF edge, so the in-cluster CrowdSec
+bouncer (which keys on the client IP Traefik sees) never decides on them. We
+push the decisions into the edge instead: a zone-scoped WAF custom rule blocks
+`(ip.src in $crowdsec_ban)` across EVERY proxied host in the zone (the Authentik
+auth hosts are carved out in crowdsec_edge.tf so a ban can't break login). This
+job is the control plane that keeps that one IP List in sync with LAPI.
+
+Enforcement is BAN-ONLY: only scope=="ip" decisions of type "ban" are synced.
+"captcha" decisions are deliberately NOT pushed — the CF account allows only ONE
+Rules List with a single block action, so folding captcha in would hard-block a
+soft challenge across every proxied host. Captcha remediation stays at the
+in-cluster Traefik bouncer (Turnstile) for non-proxied apps. (Changed 2026-06-20
+from the prior ban+captcha fold that downgraded captcha to a hard edge block.)
+
+(Filename kept as lapi_kv_sync.py for path/ConfigMap continuity with the prior
+Workers-KV design; it no longer touches KV — it reconciles a CF Rules List.)
+
+Design notes:
+  * Pure Python stdlib (no pip/apk at runtime) — runs on stock python:3.12-alpine
+    mounted from a ConfigMap, the alert_digest pattern.
+  * FULL RECONCILE each run: read the complete decision set from LAPI, take the
+    UNION of ban + captcha (scope=="ip") as the single desired set, then compute
+    add (desired - existing) and remove (existing - desired) against the one
+    crowdsec_ban list and apply both. A `cscli decisions delete` therefore
+    clears from the edge within one interval (<=2 min).
+  * FAIL-SAFE on LAPI: if LAPI can't be read we SKIP the run (list untouched,
+    exit 0). A LAPI outage thus freezes the edge state rather than wiping the
+    block list — degrade toward the last-known-good block set, never toward
+    all-block or a thundering un-ban. (Decisions linger only until the next
+    successful sync, not their TTL — we reconcile to LAPI truth, we don't
+    expire entries.)
+  * FAIL-LOUD on Cloudflare: any CF API error is logged and the job exits
+    non-zero so the failure is visible (CronJob backoff + missing success
+    metric + the next run retries).
+
+Cloudflare Rules-Lists API (account-level IP list items), verified against the
+official API reference (developers.cloudflare.com, 2026):
+  * GET    /accounts/{acct}/rules/lists/{list}/items   -> paginated; next page
+           cursor at result_info.cursors.after, passed back as ?cursor=. Each
+           item = {"id","ip","created_on",...}.
+  * POST   /accounts/{acct}/rules/lists/{list}/items   -> body JSON ARRAY
+           [{"ip":"1.2.3.4"},...]. APPENDS/upserts (does NOT replace the list).
+           ASYNCHRONOUS: returns {"result":{"operation_id":...}}.
+  * DELETE /accounts/{acct}/rules/lists/{list}/items   -> body {"items":[{"id":
+           "<item_id>"},...]} (delete by item id, not ip). ASYNCHRONOUS.
+  * GET    /accounts/{acct}/rules/lists/bulk_operations/{op_id} -> status in
+           {pending,running,completed,failed} (failed carries `error`).
+  ASYNC HANDLING: Cloudflare allows only ONE pending bulk operation per ACCOUNT.
+  So we must NOT fire add+delete concurrently — we serialize and poll each
+  operation_id to a terminal state (short bounded timeout) before the next
+  mutation. If a poll times out we stop mutating for this run and report
+  partial success (the next 2-min run reconciles the rest); we never abandon an
+  in-flight op and immediately issue another (that would 409/reject).
+"""
+import json
+import os
+import sys
+import time
+import urllib.error
+import urllib.parse
+import urllib.request
+
+LAPI_URL = os.environ.get(
+    "LAPI_URL", "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
+).rstrip("/")
+LAPI_KEY = os.environ["LAPI_KEY"]  # kvsync bouncer key, registered in LAPI
+CF_ACCOUNT_ID = os.environ["CF_ACCOUNT_ID"]
+CF_API_TOKEN = os.environ["CF_API_TOKEN"]  # scoped: Account Filter Lists Edit
+CF_BAN_LIST_ID = os.environ["CF_BAN_LIST_ID"]
+PUSHGATEWAY = os.environ.get("PUSHGATEWAY_URL", "").rstrip("/")  # optional
+
+CF_API = "https://api.cloudflare.com/client/v4"
+# Cloudflare item objects expose the ip differently between list and create
+# responses; for an IP-kind list each GET item carries a top-level "ip".
+# Batch sizes: no official per-request cap is documented, so keep batches
+# generous but bounded (well under the global 1200 req / 5 min limit).
+BATCH = 1000
+# Async op polling: 1 pending bulk op per account, so poll to terminal state.
+POLL_TIMEOUT = 25  # seconds to wait for one bulk op (the run has ~110s budget)
+POLL_INTERVAL = 1.0
+
+
+class CFError(Exception):
+    """Cloudflare API failure -> job should exit non-zero (fail loud)."""
+
+
+def _req(url, *, method="GET", headers=None, data=None, timeout=20):
+    req = urllib.request.Request(url, method=method, headers=headers or {}, data=data)
+    with urllib.request.urlopen(req, timeout=timeout) as resp:
+        body = resp.read()
+    return json.loads(body) if body else None
+
+
+def _cf(url, *, method="GET", payload=None, timeout=20):
+    """Call the CF API with the bearer token; raise CFError on any failure."""
+    headers = {"Authorization": f"Bearer {CF_API_TOKEN}"}
+    data = None
+    if payload is not None:
+        headers["Content-Type"] = "application/json"
+        data = json.dumps(payload).encode()
+    try:
+        res = _req(url, method=method, headers=headers, data=data, timeout=timeout)
+    except urllib.error.HTTPError as e:
+        detail = ""
+        try:
+            detail = e.read().decode(errors="replace")[:500]
+        except Exception:
+            pass
+        raise CFError(f"{method} {url} -> HTTP {e.code} {detail}") from e
+    except urllib.error.URLError as e:
+        raise CFError(f"{method} {url} -> {e}") from e
+    if res is not None and not res.get("success", True):
+        raise CFError(f"{method} {url} -> not success: {res.get('errors')}")
+    return res
+
+
+# --------------------------------------------------------------------------- #
+# LAPI
+# --------------------------------------------------------------------------- #
+def fetch_decisions():
+    """Return the desired set of IPs to BLOCK at the edge.
+
+    Only scope=="ip" decisions of type "ban" are projected (the WAF rule keys on
+    ip.src). "captcha" decisions are deliberately NOT pushed to the edge: the CF
+    account allows only ONE Rules List with a single block action, so folding
+    captcha in would HARD-BLOCK a soft challenge across every proxied host (and,
+    before the auth-host carve-out in crowdsec_edge.tf, could lock a user out of
+    Authentik itself). Edge enforcement is therefore ban-only; captcha
+    remediation stays at the in-cluster Traefik bouncer (Turnstile) for
+    non-proxied apps. Raises on transport/HTTP error so the caller can SKIP the
+    run (fail-safe). 2026-06-20.
+    """
+    data = _req(
+        f"{LAPI_URL}/v1/decisions",
+        headers={"X-Api-Key": LAPI_KEY, "Accept": "application/json"},
+    )
+    block = set()
+    skipped_capi = 0
+    for d in data or []:
+        if (d.get("scope") or "").lower() != "ip":
+            continue
+        # EXCLUDE the CAPI community blocklist: ~31k IPs, far over a CF IP
+        # List's capacity, and ALREADY enforced in-kernel for direct hosts by
+        # the cs-firewall-bouncer DaemonSet. The edge list carries only our
+        # HIGH-SIGNAL local + curated decisions (own scenarios, cscli-import,
+        # subscribed lists).
+        if (d.get("origin") or "").upper() == "CAPI":
+            skipped_capi += 1
+            continue
+        ip = d.get("value")
+        if not ip:
+            continue
+        dtype = (d.get("type") or "").lower()
+        if dtype == "ban":
+            block.add(ip)
+        # captcha / throttle / other remediation types are ignored at the edge
+        # (ban-only enforcement — see the docstring above)
+    if skipped_capi:
+        print(f"[info] excluded {skipped_capi} CAPI decisions (enforced at L3 by "
+              f"the firewall-bouncer; too many for a CF list)")
+    # Safety cap: a CF IP List can't hold unbounded entries. Never push more
+    # than this — keep a bounded, deterministic subset and warn.
+    MAX_ITEMS = 9000
+    if len(block) > MAX_ITEMS:
+        print(f"[warn] desired {len(block)} exceeds {MAX_ITEMS} cap; truncating "
+              f"(consider a CF plan with a higher list limit)", file=sys.stderr)
+        block = set(sorted(block)[:MAX_ITEMS])
+    return block
+
+
+# --------------------------------------------------------------------------- #
+# Cloudflare list items
+# --------------------------------------------------------------------------- #
+def cf_list_items(list_id):
+    """Return {ip: item_id} for every item currently in the list (paginated)."""
+    out = {}
+    cursor = ""
+    while True:
+        # per_page max for the list-items endpoint is 500; 1000 returns a
+        # misleading HTTP 400 "invalid or expired cursor" (CF error 10027).
+        url = f"{CF_API}/accounts/{CF_ACCOUNT_ID}/rules/lists/{list_id}/items?per_page=500"
+        if cursor:
+            url += f"&cursor={urllib.parse.quote(cursor)}"
+        res = _cf(url)
+        for it in (res.get("result") or []):
+            ip = it.get("ip")
+            if ip:
+                out[ip] = it.get("id")
+        cursor = (((res.get("result_info") or {}).get("cursors") or {}).get("after")) or ""
+        if not cursor:
+            return out
+
+
+def _wait_for_op(op_id):
+    """Poll a bulk operation to a terminal state. Returns True if completed,
+    False if it timed out (still pending/running). Raises CFError if it failed.
+
+    We must reach a terminal state before issuing the next mutation: CF allows
+    only one pending bulk op per account, so firing another while this is
+    in-flight would be rejected.
+    """
+    if not op_id:
+        return True
+    deadline = time.time() + POLL_TIMEOUT
+    url = f"{CF_API}/accounts/{CF_ACCOUNT_ID}/rules/lists/bulk_operations/{op_id}"
+    while time.time() < deadline:
+        res = _cf(url)
+        status = ((res.get("result") or {}).get("status") or "").lower()
+        if status == "completed":
+            return True
+        if status == "failed":
+            raise CFError(f"bulk op {op_id} failed: {(res.get('result') or {}).get('error')}")
+        time.sleep(POLL_INTERVAL)
+    print(f"[warn] bulk op {op_id} still {status or 'pending'} after {POLL_TIMEOUT}s; "
+          f"stopping further mutations this run (next run reconciles)", file=sys.stderr)
+    return False
+
+
+def _op_id(res):
+    return ((res or {}).get("result") or {}).get("operation_id")
+
+
+def cf_add_items(list_id, ips):
+    """POST new IPs to the list (append). Returns the operation_id (async)."""
+    # If callers ever exceed one batch, each POST is a separate bulk op and the
+    # single-pending-op rule forces us to wait between them.
+    last_op = None
+    for i in range(0, len(ips), BATCH):
+        chunk = [{"ip": ip} for ip in ips[i : i + BATCH]]
+        res = _cf(
+            f"{CF_API}/accounts/{CF_ACCOUNT_ID}/rules/lists/{list_id}/items",
+            method="POST",
+            payload=chunk,
+        )
+        last_op = _op_id(res)
+        if i + BATCH < len(ips):  # more chunks coming -> serialize
+            if not _wait_for_op(last_op):
+                return last_op  # timed out; bail (partial), next run continues
+    return last_op
+
+
+def cf_delete_items(list_id, item_ids):
+    """DELETE items by id. Returns the operation_id (async)."""
+    last_op = None
+    for i in range(0, len(item_ids), BATCH):
+        chunk = {"items": [{"id": iid} for iid in item_ids[i : i + BATCH]]}
+        res = _cf(
+            f"{CF_API}/accounts/{CF_ACCOUNT_ID}/rules/lists/{list_id}/items",
+            method="DELETE",
+            payload=chunk,
+        )
+        last_op = _op_id(res)
+        if i + BATCH < len(item_ids):
+            if not _wait_for_op(last_op):
+                return last_op
+    return last_op
+
+
+def reconcile(label, list_id, desired):
+    """Reconcile one list to `desired` (a set of IPs).
+
+    Returns (added, removed). Serializes add->wait->delete so we respect the
+    one-pending-bulk-op-per-account limit. Raises CFError on hard failure.
+    """
+    existing = cf_list_items(list_id)  # {ip: item_id}
+    existing_ips = set(existing)
+    to_add = sorted(desired - existing_ips)
+    to_remove_ids = [existing[ip] for ip in (existing_ips - desired)]
+
+    added = removed = 0
+    if to_add:
+        op = cf_add_items(list_id, to_add)
+        if _wait_for_op(op):
+            added = len(to_add)
+        else:
+            # add op didn't finish; skip the delete this run to avoid stacking a
+            # second pending op, and report what we attempted.
+            print(f"[warn] {label}: add op not confirmed; deferring deletes", file=sys.stderr)
+            return added, removed
+    if to_remove_ids:
+        op = cf_delete_items(list_id, to_remove_ids)
+        if _wait_for_op(op):
+            removed = len(to_remove_ids)
+    print(f"[ok] {label}: +{added} / -{removed} (desired={len(desired)}, was={len(existing_ips)})")
+    return added, removed
+
+
+# --------------------------------------------------------------------------- #
+# Metrics (best-effort)
+# --------------------------------------------------------------------------- #
+def push_metrics(block_n, ok):
+    if not PUSHGATEWAY:
+        return
+    payload = (
+        "# TYPE crowdsec_cf_list_ban_count gauge\n"
+        f"crowdsec_cf_list_ban_count {block_n}\n"
+        "# TYPE crowdsec_cf_list_sync_success gauge\n"
+        f"crowdsec_cf_list_sync_success {1 if ok else 0}\n"
+        "# TYPE crowdsec_cf_list_sync_last_run_seconds gauge\n"
+        f"crowdsec_cf_list_sync_last_run_seconds {int(time.time())}\n"
+    )
+    try:
+        _req(
+            f"{PUSHGATEWAY}/metrics/job/crowdsec-cf-list-sync",
+            method="PUT",
+            headers={"Content-Type": "text/plain"},
+            data=payload.encode(),
+            timeout=10,
+        )
+    except Exception as e:  # metrics are best-effort, never fail the job
+        print(f"[warn] pushgateway: {e}", file=sys.stderr)
+
+
+# --------------------------------------------------------------------------- #
+def main():
+    # 1. Desired state from LAPI. Any failure here = SKIP (fail-safe).
+    try:
+        block = fetch_decisions()
+    except Exception as e:
+        print(
+            f"[skip] LAPI unreadable ({e}); leaving the CF list untouched "
+            f"(fail-safe: freeze last-known edge state).",
+            file=sys.stderr,
+        )
+        push_metrics(0, ok=False)
+        return 0
+
+    print(f"[info] LAPI desired: {len(block)} block (ban-only, ip-scope)")
+
+    # 2. Reconcile the single block list. CF errors fail loud (non-zero exit).
+    try:
+        reconcile("block", CF_BAN_LIST_ID, block)
+    except CFError as e:
+        print(f"[error] Cloudflare API failure: {e}", file=sys.stderr)
+        push_metrics(len(block), ok=False)
+        return 1
+
+    push_metrics(len(block), ok=True)
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/stacks/rybbit/main.tf b/stacks/rybbit/main.tf
index 812a0883..f1053bc4 100644
--- a/stacks/rybbit/main.tf
+++ b/stacks/rybbit/main.tf
@@ -26,7 +26,7 @@ resource "kubernetes_namespace" "rybbit" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "rybbit-secrets"
diff --git a/stacks/servarr/.terraform.lock.hcl b/stacks/servarr/.terraform.lock.hcl
index 43293c06..642296bf 100644
--- a/stacks/servarr/.terraform.lock.hcl
+++ b/stacks/servarr/.terraform.lock.hcl
@@ -55,59 +55,23 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version = "3.8.1"
+  version = "3.9.0"
   hashes = [
-    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
-    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
-    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
-    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
-    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
-    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
-    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
-    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
-    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
-    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
-    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+    "h1:UlBuNVuCGJ39tTv2c5gz2NRZnQbXfbIWbTzWcth5o74=",
   ]
 }
 
diff --git a/stacks/servarr/aiostreams/main.tf b/stacks/servarr/aiostreams/main.tf
index 7bb03b2e..05b60741 100644
--- a/stacks/servarr/aiostreams/main.tf
+++ b/stacks/servarr/aiostreams/main.tf
@@ -186,7 +186,7 @@ resource "kubernetes_service" "aiostreams" {
 
 resource "kubernetes_manifest" "probe_secrets" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "aiostreams-probe-secrets"
diff --git a/stacks/servarr/main.tf b/stacks/servarr/main.tf
index 90123848..6165afbf 100644
--- a/stacks/servarr/main.tf
+++ b/stacks/servarr/main.tf
@@ -6,7 +6,7 @@ variable "nfs_server" { type = string }
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "servarr-secrets"
diff --git a/stacks/servarr/mam-farming/files/freeleech-grabber.py b/stacks/servarr/mam-farming/files/freeleech-grabber.py
index 3c7064c7..160a160e 100644
--- a/stacks/servarr/mam-farming/files/freeleech-grabber.py
+++ b/stacks/servarr/mam-farming/files/freeleech-grabber.py
@@ -134,6 +134,7 @@ def main():
             profile_metrics
             + f'mam_grabber_skipped_reason{{reason="{reason}"}} 1\n'
             + f"mam_farming_grabbed 0\n"
+            + f"mam_grabber_last_run_timestamp {int(time.time())}\n"
         )
         return
 
@@ -153,7 +154,11 @@ def main():
         ).json()
     except Exception as e:
         print(f"qBittorrent unreachable: {e}", file=sys.stderr)
-        push(profile_metrics + "mam_farming_grabbed 0\n")
+        push(
+            profile_metrics
+            + "mam_farming_grabbed 0\n"
+            + f"mam_grabber_last_run_timestamp {int(time.time())}\n"
+        )
         sys.exit(1)
 
     farming = [t for t in all_torrents if t.get("category") == "mam-farming"]
@@ -264,6 +269,7 @@ def main():
         + f"mam_farming_grabbed {grabbed}\n"
         + f"mam_farming_total_seeding {len(farming) + grabbed}\n"
         + f"mam_farming_size_bytes {total_size}\n"
+        + f"mam_grabber_last_run_timestamp {int(time.time())}\n"
     )
     push(metrics)
     print(f"Done: grabbed={grabbed}")
diff --git a/stacks/shadowsocks/.terraform.lock.hcl b/stacks/shadowsocks/.terraform.lock.hcl
index 5b74a7af..b22b977e 100644
--- a/stacks/shadowsocks/.terraform.lock.hcl
+++ b/stacks/shadowsocks/.terraform.lock.hcl
@@ -24,43 +24,33 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.2.0"
+  hashes = [
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.0.1"
+  version = "3.2.0"
   hashes = [
-    "h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=",
-    "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=",
-    "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281",
-    "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba",
-    "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7",
-    "zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6",
-    "zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4",
-    "zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249",
-    "zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090",
-    "zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97",
-    "zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8",
-    "zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119",
-    "zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -84,3 +74,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/shadowsocks/main.tf b/stacks/shadowsocks/main.tf
index 65dd776b..9e1ca8eb 100644
--- a/stacks/shadowsocks/main.tf
+++ b/stacks/shadowsocks/main.tf
@@ -22,7 +22,7 @@ resource "kubernetes_namespace" "shadowsocks" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "shadowsocks-secrets"
diff --git a/stacks/speedtest/.terraform.lock.hcl b/stacks/speedtest/.terraform.lock.hcl
index e8910be1..16af0cd7 100644
--- a/stacks/speedtest/.terraform.lock.hcl
+++ b/stacks/speedtest/.terraform.lock.hcl
@@ -24,50 +24,40 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.2.0"
+  hashes = [
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version = "3.8.1"
+  version = "3.9.0"
   hashes = [
-    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
-    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
-    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
-    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
-    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
-    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
-    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
-    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
-    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
-    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
-    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
-    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+    "h1:UlBuNVuCGJ39tTv2c5gz2NRZnQbXfbIWbTzWcth5o74=",
   ]
 }
 
@@ -91,3 +81,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/speedtest/main.tf b/stacks/speedtest/main.tf
index 002ede72..167312b5 100644
--- a/stacks/speedtest/main.tf
+++ b/stacks/speedtest/main.tf
@@ -21,7 +21,7 @@ resource "kubernetes_namespace" "speedtest" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "speedtest-secrets"
diff --git a/stacks/stem95su/gdrive-sync.tf b/stacks/stem95su/gdrive-sync.tf
new file mode 100644
index 00000000..a10bcf84
--- /dev/null
+++ b/stacks/stem95su/gdrive-sync.tf
@@ -0,0 +1,119 @@
+# Automatic Google Drive -> site sync (added 2026-06-09; supersedes the
+# earlier on-demand-only model now that content is actively maintained).
+#
+# A CronJob mirrors the READ-ONLY Drive folder "claude" (servable content in
+# subfolder "stem claude/files/") onto the NFS content volume every 10 min via
+# rclone. rclone is delta-aware: an unchanged run lists ~33 files' metadata and
+# transfers nothing, so the schedule is cheap (not a 24MB re-download). nginx
+# keeps serving the same volume read-only; updates appear within ~5s (actimeo).
+#
+# Drive is treated strictly READ-ONLY: scope=drive.readonly and rclone only ever
+# reads the remote (sync gdrive: -> /data), never writes back.
+#
+# TOKEN LONGEVITY: the GCP OAuth app (project home-lab-1700868541205) MUST be
+# published to "Production" or its refresh token expires ~weekly and this job
+# fails. After publishing, re-mint the token and refresh
+# `secret/stem95su.rclone_conf`. A failed run surfaces as a failed Job.
+
+resource "kubernetes_manifest" "rclone_external_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "stem95su-rclone"
+      namespace = kubernetes_namespace.stem95su.metadata[0].name
+    }
+    spec = {
+      refreshInterval = "1h"
+      secretStoreRef = {
+        name = "vault-kv"
+        kind = "ClusterSecretStore"
+      }
+      target = { name = "stem95su-rclone" }
+      data = [{
+        secretKey = "rclone.conf"
+        remoteRef = {
+          key      = "stem95su"
+          property = "rclone_conf"
+        }
+      }]
+    }
+  }
+  depends_on = [kubernetes_namespace.stem95su]
+}
+
+resource "kubernetes_cron_job_v1" "gdrive_sync" {
+  metadata {
+    name      = "stem95su-gdrive-sync"
+    namespace = kubernetes_namespace.stem95su.metadata[0].name
+    labels    = { run = "stem95su", component = "gdrive-sync" }
+  }
+  spec {
+    schedule                      = "*/10 * * * *"
+    concurrency_policy            = "Forbid"
+    successful_jobs_history_limit = 2
+    failed_jobs_history_limit     = 3
+    job_template {
+      metadata {}
+      spec {
+        backoff_limit              = 1
+        ttl_seconds_after_finished = 86400
+        template {
+          metadata { labels = { run = "stem95su", component = "gdrive-sync" } }
+          spec {
+            restart_policy = "OnFailure"
+            container {
+              name  = "rclone"
+              image = "docker.io/rclone/rclone:1.74.3"
+              # Mirror Drive folder -> /data. Guard: hard-fail on auth/list error
+              # (so an expired token is visible); skip quietly if the source is
+              # empty / missing the dashboard (never wipe the live site);
+              # --max-delete caps catastrophic deletes from a partial listing.
+              command = ["/bin/sh", "-c", <<-EOT
+                set -eu
+                cp /config/rclone.conf /tmp/rc.conf
+                SRC="gdrive:stem claude/files"
+                LIST=$(rclone --config /tmp/rc.conf lsf "$SRC" --files-only) || { echo "FATAL: Drive list failed (auth/network)"; exit 1; }
+                N=$(printf '%s\n' "$LIST" | grep -c . || true)
+                if [ "$N" -lt 1 ] || ! printf '%s\n' "$LIST" | grep -qx "stem_board.html"; then
+                  echo "GUARD: source N=$N / stem_board.html missing -- skipping, site untouched"; exit 0
+                fi
+                echo "source OK ($N files) -- mirroring to /data"
+                rclone --config /tmp/rc.conf sync "$SRC" /data --exclude ".DS_Store" --fast-list --transfers 4 --max-delete 25 -v
+              EOT
+              ]
+              resources {
+                requests = { cpu = "10m", memory = "64Mi" }
+                limits   = { memory = "192Mi" }
+              }
+              volume_mount {
+                name       = "rclone-config"
+                mount_path = "/config"
+                read_only  = true
+              }
+              volume_mount {
+                name       = "content"
+                mount_path = "/data"
+              }
+            }
+            volume {
+              name = "rclone-config"
+              secret { secret_name = "stem95su-rclone" }
+            }
+            volume {
+              name = "content"
+              persistent_volume_claim {
+                claim_name = module.nfs_content.claim_name
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
+    ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config]
+  }
+  depends_on = [kubernetes_manifest.rclone_external_secret]
+}
diff --git a/stacks/t3-afk/files/dispatcher.js b/stacks/t3-afk/files/dispatcher.js
new file mode 100644
index 00000000..6cc9a800
--- /dev/null
+++ b/stacks/t3-afk/files/dispatcher.js
@@ -0,0 +1,136 @@
+// t3-afk auto-pair dispatcher
+// ----------------------------------------------------------------------------
+// Replicates the devvm t3-dispatch experience for the single in-cluster T3
+// instance. The ingress is Authentik-gated (auth=required), so every request
+// that reaches here is already authenticated. On a cookieless *document*
+// navigation we mint a one-time pairing credential (`t3 auth pairing create`)
+// and exchange it at the t3 server's /api/auth/browser-session endpoint for the
+// `t3_session` cookie, then 302 back — so the user never sees the manual
+// /pair#token screen. Everything else (incl. WebSocket upgrades for the cockpit
+// live stream + terminals) is reverse-proxied straight through to t3 serve.
+//
+// Single upstream, same pod (localhost) — kept dependency-free (Node stdlib).
+'use strict';
+const http = require('http');
+const net = require('net');
+const { execFile } = require('child_process');
+
+const UPSTREAM_HOST = '127.0.0.1';
+const UPSTREAM_PORT = Number(process.env.T3_UPSTREAM_PORT || 3773);
+const LISTEN_PORT = Number(process.env.DISPATCHER_PORT || 8080);
+const T3_BIN = process.env.T3_BIN || '/data/npm-global/bin/t3';
+const BASE_DIR = process.env.T3CODE_HOME || '/data/t3';
+const COOKIE = 't3_session';
+const childEnv = { ...process.env, PATH: '/data/npm-global/bin:' + (process.env.PATH || ''), HOME: '/home/node' };
+
+const hasSession = (req) =>
+  (req.headers.cookie || '').split(/;\s*/).some((c) => c.startsWith(COOKIE + '='));
+
+const isDocNav = (req) => {
+  if (req.method !== 'GET') return false;
+  const dest = req.headers['sec-fetch-dest'];
+  if (dest) return dest === 'document';
+  return (req.headers['accept'] || '').includes('text/html');
+};
+
+const mintCredential = () =>
+  new Promise((resolve, reject) => {
+    execFile(
+      T3_BIN,
+      ['auth', 'pairing', 'create', '--base-dir', BASE_DIR, '--ttl', '5m', '--json'],
+      { env: childEnv, timeout: 15000 },
+      (err, stdout) => {
+        if (err) return reject(err);
+        try {
+          const cred = JSON.parse(stdout).credential;
+          cred ? resolve(cred) : reject(new Error('no credential in pairing output'));
+        } catch (e) {
+          reject(e);
+        }
+      },
+    );
+  });
+
+const exchange = (credential) =>
+  new Promise((resolve, reject) => {
+    const body = JSON.stringify({ credential });
+    const r = http.request(
+      {
+        host: UPSTREAM_HOST,
+        port: UPSTREAM_PORT,
+        path: '/api/auth/browser-session',
+        method: 'POST',
+        headers: { 'content-type': 'application/json', 'content-length': Buffer.byteLength(body) },
+      },
+      (resp) => {
+        const setCookie = resp.headers['set-cookie'] || [];
+        resp.resume();
+        resp.on('end', () =>
+          resp.statusCode === 200 && setCookie.length
+            ? resolve(setCookie)
+            : reject(new Error('browser-session exchange returned ' + resp.statusCode)),
+        );
+      },
+    );
+    r.on('error', reject);
+    r.write(body);
+    r.end();
+  });
+
+const proxyHttp = (req, res) => {
+  const up = http.request(
+    { host: UPSTREAM_HOST, port: UPSTREAM_PORT, path: req.url, method: req.method, headers: req.headers },
+    (r) => {
+      res.writeHead(r.statusCode, r.headers);
+      r.pipe(res);
+    },
+  );
+  up.on('error', () => {
+    if (!res.headersSent) res.writeHead(502);
+    res.end('bad gateway');
+  });
+  req.pipe(up);
+};
+
+const server = http.createServer(async (req, res) => {
+  if (req.url === '/healthz') {
+    res.writeHead(200);
+    return res.end('ok');
+  }
+  if (!hasSession(req) && isDocNav(req)) {
+    try {
+      const cred = await mintCredential();
+      const setCookie = await exchange(cred);
+      res.writeHead(302, { location: req.url || '/', 'set-cookie': setCookie, 'cache-control': 'no-store' });
+      return res.end();
+    } catch (err) {
+      // Fall through to a plain proxy; the cockpit's own /pair screen is the
+      // fallback if auto-pair ever fails, so we never hard-fail the request.
+      console.error('auto-pair failed, proxying through:', err.message);
+    }
+  }
+  proxyHttp(req, res);
+});
+
+// WebSocket / Upgrade passthrough — the cockpit's live orchestration stream and
+// terminals need this. Reconstruct the upgrade request and splice the sockets.
+server.on('upgrade', (req, socket, head) => {
+  const up = net.connect(UPSTREAM_PORT, UPSTREAM_HOST, () => {
+    up.write(
+      `${req.method} ${req.url} HTTP/1.1\r\n` +
+        Object.entries(req.headers)
+          .map(([k, v]) => `${k}: ${v}`)
+          .join('\r\n') +
+        '\r\n\r\n',
+    );
+    if (head && head.length) up.write(head);
+    socket.pipe(up);
+    up.pipe(socket);
+  });
+  up.on('error', () => socket.destroy());
+  socket.on('error', () => up.destroy());
+});
+
+server.listen(LISTEN_PORT, '0.0.0.0', () =>
+  console.log(`t3-afk dispatcher listening on :${LISTEN_PORT} -> ${UPSTREAM_HOST}:${UPSTREAM_PORT}`),
+);
diff --git a/stacks/t3-afk/files/issue-implementer-CLAUDE.md b/stacks/t3-afk/files/issue-implementer-CLAUDE.md
new file mode 100644
index 00000000..995c701f
--- /dev/null
+++ b/stacks/t3-afk/files/issue-implementer-CLAUDE.md
@@ -0,0 +1,59 @@
+# issue-implementer — autonomous AFK coding agent
+
+You are **issue-implementer**, an autonomous agent that implements ONE GitHub
+issue end-to-end and lands it, with no human at the keyboard. This file is your
+standing behaviour; the specific task arrives as your prompt. You run inside a
+T3 Code thread in `full-access` mode (skip-permissions) — there is no one to
+answer questions mid-run.
+
+## Autonomy — non-negotiable (you will hang otherwise)
+
+- **Never enter plan mode and never call `ExitPlanMode`.** It is intercepted and
+  will stall this thread forever.
+- **Never ask clarifying questions / never call `AskUserQuestion`.** No human is
+  watching. Make the most reasonable assumption, state it in a commit/your final
+  message, and proceed.
+- If you hit something you genuinely cannot resolve safely, **stop and write a
+  precise blocker report as your final message** (what you tried, what's
+  unresolved, what you'd need). Do not thrash. The orchestrator escalates it to a
+  human — that is the only "ask for help" channel you have.
+
+## What to do
+
+1. **Understand the task.** Your prompt contains the issue (number, what to
+   build, acceptance criteria). Read the issue's AGENT-BRIEF if present.
+2. **Work in the prepared worktree.** You are already in a git worktree on a
+   branch off `master`. Read the repo's own `CLAUDE.md`, `CONTEXT.md`, and any
+   `docs/adr/` in the area you touch — use its domain vocabulary and respect its
+   decisions.
+3. **Test-first (TDD).** Write a failing test that captures the desired
+   behaviour, make it pass, then refactor. Prefer property/parameterized tests.
+   Run the repo's actual test suite and get it green before you commit. Do not
+   test implementation details — test external behaviour.
+4. **Commit.** Subject = what changed; body = why, paraphrasing the issue in
+   plain words. Include `Closes #<issue-number>` and the trailer
+   `Implemented-by: issue-implementer (AFK)`. Stage files by name — never
+   `git add -A`/`.`. Never skip hooks.
+5. **Land it.** Push your branch to `master` (`git push origin HEAD:master`). If
+   the push is rejected non-fast-forward, fetch, merge `origin/master`, re-run
+   the tests, and push again. Pushing to `master` is the intended behaviour —
+   CI builds and deploys from there.
+6. **Report.** Your final message is a concise summary: what you built, the
+   commit, and anything a reviewer should know. (CI/deploy watching and any
+   fix-forward/freeze handling are done by the control plane, not by you — once
+   you've pushed green code, your job is done.)
+
+## Guardrails (hard limits)
+
+- **Never force-push** to `master`.
+- **Never delete PVCs/PVs**, drop database tables, or run destructive data ops.
+- **Never edit Vault directly**, and never commit secrets.
+- **Infrastructure changes go through Terraform/Terragrunt only** — never
+  `kubectl apply/edit/patch` as the final state.
+- **Never use `[ci skip]`** — it hides the change from the audit feed.
+- Stay within the issue's scope. Don't refactor adjacent code beyond what the
+  task needs.
+
+## Done means
+
+Tests green **and** pushed to `master`. Not "code written" — landed.
diff --git a/stacks/t3-afk/main.tf b/stacks/t3-afk/main.tf
new file mode 100644
index 00000000..a2f73a67
--- /dev/null
+++ b/stacks/t3-afk/main.tf
@@ -0,0 +1,412 @@
+# =============================================================================
+# t3-afk — dedicated, in-cluster T3 Code instance: the EXECUTOR + COCKPIT for the
+# AFK implementation pipeline (slice #2 of claude-agent-service PRD #1).
+#
+# claude-agent-service (control plane) dispatches issues INTO this T3 instance
+# over its orchestration HTTP API; T3 runs the issue-implementer agent in a git
+# worktree and shows every worker in its cockpit. See:
+#   claude-agent-service/docs/2026-06-14-afk-implementation-pipeline-design.md
+#   claude-agent-service/docs/adr/0003-t3-thin-executor-and-cockpit.md
+#
+# PILOT SHORTCUT (chosen 2026-06-14): no custom-built image. We run stock
+# `node:24` (the full image ships git + python3/make/g++ for node-pty) and an
+# init container installs PINNED npm packages (t3@0.0.27 + the Claude CLI) onto
+# the SSD PVC, cached across restarts. Formalize a digest-pinned built image
+# post-GO. T3 is version-pinned (npm) and NOT Keel-enrolled.
+# =============================================================================
+
+# No plan-time Vault reads — every secret flows through the ExternalSecret below
+# (CLAUDE_CODE_OAUTH_TOKEN / GITHUB_TOKEN / FORGEJO_TOKEN), injected as env at
+# runtime. Nothing here needs a secret value at plan time.
+
+# Wildcard TLS secret name — value comes from config.tfvars; consumed by the
+# ingress factory (every stack that uses the factory declares this).
+variable "tls_secret_name" {}
+
+locals {
+  namespace = "t3-afk"
+  # Stock node base — the FULL node:24 (not -slim) is buildpack-deps-based, so it
+  # ships git + build-essential (python3/make/g++) that node-pty + the agent need.
+  # Fully-qualified (docker.io/library/...) to satisfy the Kyverno
+  # require-trusted-registries allowlist via `docker.io/*` — bare `node*` is NOT
+  # on the bare-DockerHub-library list (alpine*/busybox*/python* are).
+  image = "docker.io/library/node:24"
+  # Pinned npm versions installed at startup (the reproducibility anchor for the
+  # pilot until a digest-pinned image exists).
+  t3_version         = "0.0.27"
+  claude_cli_version = "latest" # @anthropic-ai/claude-code
+  labels = {
+    app = "t3-afk"
+  }
+}
+
+# --- Namespace ---
+
+resource "kubernetes_namespace" "t3_afk" {
+  metadata {
+    name = local.namespace
+    labels = {
+      tier = local.tiers.aux
+    }
+  }
+}
+
+# --- Secrets ---
+# The Claude provider authenticates with CLAUDE_CODE_OAUTH_TOKEN (T3 passes the
+# environment straight through to the embedded claude-agent-sdk + claude CLI).
+# GITHUB_TOKEN / FORGEJO_TOKEN authenticate the agent's `git push` from worktrees
+# (wired into ~/.gitconfig insteadOf rewrites in the container command).
+
+resource "kubernetes_manifest" "external_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "t3-afk-secrets"
+      namespace = local.namespace
+    }
+    spec = {
+      refreshInterval = "15m"
+      secretStoreRef = {
+        name = "vault-kv"
+        kind = "ClusterSecretStore"
+      }
+      target = { name = "t3-afk-secrets" }
+      data = [
+        {
+          secretKey = "CLAUDE_CODE_OAUTH_TOKEN"
+          remoteRef = { key = "claude-agent-service", property = "claude_oauth_token" }
+        },
+        {
+          secretKey = "GITHUB_TOKEN"
+          remoteRef = { key = "viktor", property = "github_pat" }
+        },
+        {
+          # Shared viktor-scoped admin PAT (also used by Woodpecker + the
+          # claude-agent pod). Lets the agent git push / open PRs on Forgejo.
+          secretKey = "FORGEJO_TOKEN"
+          remoteRef = { key = "ci/global", property = "forgejo_push_token" }
+        },
+      ]
+    }
+  }
+  depends_on = [kubernetes_namespace.t3_afk]
+}
+
+# issue-implementer behaviour is intentionally NOT mounted as ~/.claude/CLAUDE.md:
+# T3's SDK invocation doesn't honor it, and mounting a subPath into ~/.claude
+# makes that dir root-owned and breaks the agent's Bash session-env. The control
+# plane injects the behaviour as a dispatch message preamble instead;
+# files/issue-implementer-CLAUDE.md is kept as the canonical source for that text.
+
+# Auto-pair dispatcher script (run by the sidecar container below). Mirrors the
+# devvm t3-dispatch: on a cookieless, Authentik-gated page load it mints a
+# pairing credential and exchanges it for the t3_session cookie, so the user
+# never sees the manual /pair screen. Reverse-proxies everything else (incl.
+# WebSockets) to t3 serve.
+resource "kubernetes_config_map" "dispatcher" {
+  metadata {
+    name      = "t3-afk-dispatcher"
+    namespace = kubernetes_namespace.t3_afk.metadata[0].name
+  }
+  data = {
+    "dispatcher.js" = file("${path.module}/files/dispatcher.js")
+  }
+}
+
+# --- Storage ---
+# SSD-NFS (small-file friendly) for the T3 base dir: state.sqlite + the
+# server-signing-key (losing it invalidates every issued bearer), per-thread git
+# worktrees, the npm global install, and caches. ADR 0004.
+module "data" {
+  source     = "../../modules/kubernetes/nfs_volume"
+  name       = "t3-afk-data"
+  namespace  = kubernetes_namespace.t3_afk.metadata[0].name
+  nfs_server = "192.168.1.127"
+  nfs_path   = "/srv/nfs-ssd/t3-afk-data"
+  storage    = "30Gi"
+}
+
+# --- Deployment ---
+
+resource "kubernetes_deployment" "t3_afk" {
+  # Slow first start (image pull + npm install init + ESO secret sync) can
+  # exceed the default rollout-wait timeout; verify pod readiness out-of-band.
+  wait_for_rollout = false
+
+  metadata {
+    name      = "t3-afk"
+    namespace = kubernetes_namespace.t3_afk.metadata[0].name
+    labels    = local.labels
+    # keel.sh/policy=never must be a DEPLOYMENT-level annotation — that's where
+    # Keel reads it. (A pod-template label is ignored by Keel, which is why the
+    # earlier attempt failed.) The cluster's Kyverno inject-keel-annotations
+    # policy is opt-OUT: it stamps policy=patch on any workload that doesn't
+    # carry its own keel.sh/policy — and Keel then "patch"-downgraded
+    # node:24 -> node:24.0.2 (below t3@0.0.27's required node >=24.10), which
+    # crash-looped `t3 serve`. ADR 0003 (Keel-excluded).
+    annotations = {
+      "keel.sh/policy" = "never"
+    }
+  }
+
+  spec {
+    # PARKED 2026-06-15: scaled to 0 — no current plans to run the AFK executor.
+    # Everything else is preserved (the SSD PVC with state.sqlite + repo
+    # checkouts, the Service, Ingress, and ExternalSecret), so reviving the
+    # in-cluster T3 cockpit is just flipping this back to 1 and applying.
+    replicas = 0
+    # Single-writer state.sqlite — never run two pods against the same base dir.
+    strategy {
+      type = "Recreate"
+    }
+
+    selector {
+      match_labels = local.labels
+    }
+
+    template {
+      metadata {
+        labels = local.labels
+      }
+
+      spec {
+        security_context {
+          run_as_user  = 1000 # node
+          run_as_group = 1000
+          fs_group     = 1000
+        }
+
+        # NFS mounts land root-owned; make /data writable by uid 1000.
+        init_container {
+          name    = "fix-perms"
+          image   = "busybox:1.37"
+          command = ["sh", "-c", "mkdir -p /data && chown -R 1000:1000 /data && chmod 0775 /data"]
+          security_context {
+            run_as_user = 0
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/data"
+          }
+          resources {
+            requests = { memory = "32Mi" }
+            limits   = { memory = "64Mi" }
+          }
+        }
+
+        # Install pinned t3 + Claude CLI onto the PVC (cached; skipped if already
+        # present). Runs as uid 1000 so the install is owned by the runtime user.
+        init_container {
+          name  = "install-t3"
+          image = local.image
+          command = ["bash", "-c", <<-EOF
+            set -e
+            export npm_config_cache=/data/npm-cache
+            export npm_config_prefix=/data/npm-global
+            mkdir -p /data/npm-global /data/npm-cache
+            if [ ! -x /data/npm-global/bin/t3 ]; then
+              echo "installing t3@${local.t3_version} + claude CLI ..."
+              npm install -g "t3@${local.t3_version}" "@anthropic-ai/claude-code@${local.claude_cli_version}"
+            else
+              echo "t3 already installed: $(/data/npm-global/bin/t3 --version 2>/dev/null || echo unknown)"
+            fi
+          EOF
+          ]
+          volume_mount {
+            name       = "data"
+            mount_path = "/data"
+          }
+          resources {
+            requests = { cpu = "200m", memory = "512Mi" }
+            limits   = { memory = "1Gi" }
+          }
+        }
+
+        container {
+          name  = "t3"
+          image = local.image
+
+          # Configure git auth for the agent's pushes, then run T3 headless.
+          # $$ escapes Terraform interpolation so the shell expands the env vars.
+          command = ["bash", "-c", <<-EOF
+            set -e
+            export PATH=/data/npm-global/bin:$$PATH
+            export npm_config_cache=/data/npm-cache
+
+            # git identity + token rewrites so the agent can push from worktrees.
+            git config --global user.name "issue-implementer (AFK)"
+            git config --global user.email "afk-agent@viktorbarzin.me"
+            git config --global url."https://$${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
+            git config --global url."https://$${GITHUB_TOKEN}@github.com/".insteadOf "git@github.com:"
+            if [ -n "$${FORGEJO_TOKEN}" ]; then
+              git config --global url."https://$${FORGEJO_TOKEN}@forgejo.viktorbarzin.me/".insteadOf "https://forgejo.viktorbarzin.me/"
+            fi
+
+            exec t3 serve --mode web --host 0.0.0.0 --port 3773 --base-dir /data/t3
+          EOF
+          ]
+
+          port {
+            container_port = 3773
+          }
+
+          env_from {
+            secret_ref {
+              name = "t3-afk-secrets"
+            }
+          }
+
+          env {
+            name  = "HOME"
+            value = "/home/node"
+          }
+          env {
+            name  = "T3CODE_HOME"
+            value = "/data/t3"
+          }
+
+          # T3's API needs auth even for liveness; use a TCP probe on the port.
+          liveness_probe {
+            tcp_socket {
+              port = 3773
+            }
+            initial_delay_seconds = 30
+            period_seconds        = 30
+          }
+          readiness_probe {
+            tcp_socket {
+              port = 3773
+            }
+            initial_delay_seconds = 15
+            period_seconds        = 10
+          }
+
+          volume_mount {
+            name       = "data"
+            mount_path = "/data"
+          }
+          # NOTE: do NOT mount anything into /home/node/.claude — a subPath
+          # mount makes that dir root-owned, which blocks the agent (uid 1000)
+          # from creating its Bash session-env there and breaks ALL Bash/git for
+          # the agent (root cause of the 2026-06-15 "agent never commits"). T3's
+          # SDK invocation doesn't honor ~/.claude/CLAUDE.md anyway, so the
+          # issue-implementer behaviour is injected via the dispatch message
+          # preamble by the control plane instead.
+
+          # Burstable (tier-aux). A live agent thread (node + claude) is memory
+          # heavy; size for a small number of concurrent threads on this pilot
+          # instance. No CPU limit per cluster policy.
+          resources {
+            requests = {
+              cpu    = "1"
+              memory = "2Gi"
+            }
+            # Capped at the tier-aux LimitRange max (4Gi/container). If real
+            # workloads OOM, opt the namespace out via the
+            # resource-governance/custom-limitrange label (as claude-agent-service
+            # does) and raise this.
+            limits = {
+              memory = "4Gi"
+            }
+          }
+        }
+
+        # Auto-pair dispatcher (sidecar). The Service points at this (:8080); it
+        # reverse-proxies to t3 serve (:3773) and injects the session cookie so
+        # the browser experience matches t3.viktorbarzin.me. Shares /data so it
+        # can exec the t3 CLI to mint pairing credentials.
+        container {
+          name    = "dispatcher"
+          image   = local.image
+          command = ["node", "/scripts/dispatcher.js"]
+          port {
+            container_port = 8080
+          }
+          env {
+            name  = "HOME"
+            value = "/home/node"
+          }
+          readiness_probe {
+            http_get {
+              path = "/healthz"
+              port = 8080
+            }
+            initial_delay_seconds = 10
+            period_seconds        = 10
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/data"
+          }
+          volume_mount {
+            name       = "dispatcher"
+            mount_path = "/scripts"
+          }
+          resources {
+            requests = { cpu = "50m", memory = "64Mi" }
+            limits   = { memory = "256Mi" }
+          }
+        }
+
+        volume {
+          name = "data"
+          persistent_volume_claim {
+            claim_name = module.data.claim_name
+          }
+        }
+
+        volume {
+          name = "dispatcher"
+          config_map {
+            name = kubernetes_config_map.dispatcher.metadata[0].name
+          }
+        }
+      }
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      # Kyverno's inject-keel-annotations stamps pollSchedule/trigger alongside
+      # the policy; we own keel.sh/policy=never above, but ignore these two so
+      # they don't perpetually drift the plan.
+      metadata[0].annotations["keel.sh/pollSchedule"],
+      metadata[0].annotations["keel.sh/trigger"],
+    ]
+  }
+}
+
+# --- Service ---
+
+resource "kubernetes_service" "t3_afk" {
+  metadata {
+    name      = "t3-afk"
+    namespace = kubernetes_namespace.t3_afk.metadata[0].name
+    labels    = local.labels
+  }
+  spec {
+    selector = local.labels
+    # Route to the auto-pair dispatcher sidecar (:8080), which reverse-proxies
+    # to t3 serve (:3773) after injecting the t3_session cookie.
+    port {
+      port        = 3773
+      target_port = 8080
+    }
+    type = "ClusterIP"
+  }
+}
+
+# --- Ingress ---
+# The cockpit has no built-in user auth, so Authentik forward-auth is the gate.
+module "ingress" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  auth            = "required"
+  dns_type        = "proxied"
+  namespace       = kubernetes_namespace.t3_afk.metadata[0].name
+  name            = "t3-afk"
+  service_name    = kubernetes_service.t3_afk.metadata[0].name
+  port            = 3773
+  tls_secret_name = var.tls_secret_name
+}
diff --git a/stacks/t3-afk/terragrunt.hcl b/stacks/t3-afk/terragrunt.hcl
new file mode 100644
index 00000000..6b746c65
--- /dev/null
+++ b/stacks/t3-afk/terragrunt.hcl
@@ -0,0 +1,18 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
+
+dependency "vault" {
+  config_path  = "../vault"
+  skip_outputs = true
+}
+
+dependency "external-secrets" {
+  config_path  = "../external-secrets"
+  skip_outputs = true
+}
diff --git a/stacks/t3code/main.tf b/stacks/t3code/main.tf
index 9e23ff1f..75a8e542 100644
--- a/stacks/t3code/main.tf
+++ b/stacks/t3code/main.tf
@@ -94,3 +94,118 @@ module "ingress" {
     "gethomepage.dev/pod-selector" = ""
   }
 }
+
+# === Drop-attribution probe surface ==========================================
+# /probe/* on the t3 host is dispatch's unauthenticated echo surface (see
+# scripts/t3-dispatch/probe.go) for the t3-probe below. Guarded against
+# Authentik re-walling by `authentik_walloff_targets` in stacks/monitoring.
+module "ingress_probe" {
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": WS echo + healthz for the in-cluster path-health probe; no
+  # user data, no t3 instance reachable — auth would break the synthetic client.
+  auth             = "none"
+  anti_ai_scraping = false  # the probe IS a bot; PoW/UA filtering would block it
+  dns_type         = "none" # main `module.ingress` owns the DNS record for this host
+  namespace        = kubernetes_namespace.t3code.metadata[0].name
+  name             = "t3-probe"
+  service_name     = kubernetes_service.t3code.metadata[0].name
+  full_host        = "t3.viktorbarzin.me"
+  ingress_path     = ["/probe"]
+  tls_secret_name  = var.tls_secret_name
+}
+
+# t3-probe: differential WS/HTTP prober (see probe.py docstring for the
+# attribution model). Runs in-cluster so it measures the shared path WITHOUT
+# any user's last mile; Prometheus scrapes it via the static `t3-probe` job
+# in stacks/monitoring.
+resource "kubernetes_config_map_v1" "t3_probe" {
+  metadata {
+    name      = "t3-probe"
+    namespace = kubernetes_namespace.t3code.metadata[0].name
+  }
+  data = {
+    "probe.py" = file("${path.module}/probe.py")
+  }
+}
+
+resource "kubernetes_deployment_v1" "t3_probe" {
+  metadata {
+    name      = "t3-probe"
+    namespace = kubernetes_namespace.t3code.metadata[0].name
+    labels    = { app = "t3-probe" }
+  }
+  spec {
+    replicas = 1
+    selector {
+      match_labels = { app = "t3-probe" }
+    }
+    template {
+      metadata {
+        labels = { app = "t3-probe" }
+        annotations = {
+          "checksum/probe" = sha256(file("${path.module}/probe.py"))
+        }
+      }
+      spec {
+        container {
+          name  = "probe"
+          image = "python:3.12-alpine"
+          # Long-running pod, not a high-cadence CronJob: a one-time pinned
+          # pip install at start (with retries against transient DNS) is the
+          # lightweight alternative to owning a registry image for ~200 lines.
+          command = ["sh", "-c", <<-EOT
+            for i in 1 2 3 4 5; do
+              pip install --no-cache-dir --quiet aiohttp==3.9.5 prometheus-client==0.20.0 && break
+              echo "pip attempt $i failed; retrying" >&2; sleep 10
+            done
+            exec python /app/probe.py
+          EOT
+          ]
+          port {
+            container_port = 9108
+            name           = "metrics"
+          }
+          volume_mount {
+            name       = "app"
+            mount_path = "/app"
+            read_only  = true
+          }
+          resources {
+            requests = {
+              cpu    = "10m"
+              memory = "64Mi"
+            }
+            limits = {
+              memory = "192Mi"
+            }
+          }
+        }
+        volume {
+          name = "app"
+          config_map {
+            name = kubernetes_config_map_v1.t3_probe.metadata[0].name
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+  }
+}
+
+resource "kubernetes_service" "t3_probe" {
+  metadata {
+    name      = "t3-probe"
+    namespace = kubernetes_namespace.t3code.metadata[0].name
+    labels    = { app = "t3-probe" }
+  }
+  spec {
+    selector = { app = "t3-probe" }
+    port {
+      name        = "metrics"
+      port        = 9108
+      target_port = 9108
+    }
+  }
+}
diff --git a/stacks/t3code/probe.py b/stacks/t3code/probe.py
new file mode 100644
index 00000000..120daf35
--- /dev/null
+++ b/stacks/t3code/probe.py
@@ -0,0 +1,204 @@
+"""t3-probe: differential path-health probe behind the t3 drop attribution.
+
+Holds long-lived WebSockets to t3-dispatch's /probe/ws echo endpoint via two
+routes that differ ONLY in the Cloudflare segment, plus an HTTP heartbeat
+against the t3-serve process itself:
+
+  leg=cloudflare  wss://T3_HOST/probe/ws connected to the address PUBLIC DNS
+                  returns (DoH @1.1.1.1) -> WAN -> CF edge -> tunnel ->
+                  cloudflared -> Traefik -> t3-dispatch
+  leg=internal    same URL pinned to the internal Traefik LB -> Traefik ->
+                  t3-dispatch (no Cloudflare)
+  leg=t3serve     GET http://DEVVM:3773/api/auth/session every 10s; an
+                  event-loop stall in the user's `t3 serve` delays/times-out
+                  this regardless of auth
+
+Attribution: cloudflare drops alone -> Cloudflare/WAN segment; cloudflare +
+internal together -> Traefik/dispatch/devvm network; t3serve latency spikes ->
+the serve process (memory/IO stalls); all legs clean while a human drops ->
+their last mile, infra exonerated. Mirrors the real t3 client's resilience
+protocol (10s heartbeat, ~20s watchdog) so probe drops mean a real client
+would have dropped too.
+"""
+
+import asyncio
+import json
+import logging
+import time
+
+import aiohttp
+from aiohttp.abc import AbstractResolver
+from prometheus_client import Counter, Gauge, Histogram, start_http_server
+
+T3_HOST = "t3.viktorbarzin.me"
+TRAEFIK_LB = "10.0.20.203"
+DEVVM = "10.0.10.10"
+T3_SERVE_PORT = 3773
+DOH_URL = "https://1.1.1.1/dns-query"
+HEARTBEAT_SECONDS = 10
+RTT_TIMEOUT_SECONDS = 20  # mirror the t3 client watchdog
+METRICS_PORT = 9108
+
+log = logging.getLogger("t3probe")
+
+CONNECTED = Gauge("t3probe_connected", "1 while the leg's connection is up", ["leg"])
+DISCONNECTS = Counter(
+    "t3probe_disconnects_total", "Connection deaths by leg and reason", ["leg", "reason"]
+)
+RTT = Histogram(
+    "t3probe_rtt_seconds",
+    "Heartbeat round-trip (WS echo / HTTP GET) per leg",
+    ["leg"],
+    buckets=[0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 20],
+)
+CONNECTION_AGE = Histogram(
+    "t3probe_connection_age_seconds",
+    "Age of a WS connection when it died",
+    ["leg"],
+    buckets=[10, 30, 60, 300, 900, 3600, 14400, 86400],
+)
+LAST_DISCONNECT = Gauge(
+    "t3probe_last_disconnect_timestamp", "Unix time of the leg's last death", ["leg"]
+)
+
+
+class PinnedResolver(AbstractResolver):
+    """Resolve T3_HOST to one fixed address; Host/SNI/cert stay hostname-true."""
+
+    def __init__(self, address):
+        self.address = address
+
+    async def resolve(self, host, port=0, family=0):
+        return [
+            {
+                "hostname": host,
+                "host": self.address,
+                "port": port,
+                "family": 2,  # AF_INET
+                "proto": 0,
+                "flags": 0,
+            }
+        ]
+
+    async def close(self):
+        pass
+
+
+class DoHResolver(AbstractResolver):
+    """Resolve via Cloudflare DoH so the answer is the PUBLIC (proxied) one.
+
+    The cluster's own DNS is split-horizon since 2026-06-10 (pods get internal
+    answers for *.viktorbarzin.me), which would silently collapse this leg
+    onto the internal route — public resolution must bypass it.
+    """
+
+    async def resolve(self, host, port=0, family=0):
+        async with aiohttp.ClientSession() as s:
+            async with s.get(
+                DOH_URL,
+                params={"name": host, "type": "A"},
+                headers={"accept": "application/dns-json"},
+                timeout=aiohttp.ClientTimeout(total=10),
+            ) as resp:
+                answers = (await resp.json(content_type=None)).get("Answer", [])
+        addrs = [a["data"] for a in answers if a.get("type") == 1]
+        if not addrs:
+            raise OSError(f"DoH returned no A records for {host}")
+        return [
+            {
+                "hostname": host,
+                "host": addrs[0],
+                "port": port,
+                "family": 2,
+                "proto": 0,
+                "flags": 0,
+            }
+        ]
+
+    async def close(self):
+        pass
+
+
+async def ws_leg(leg, resolver):
+    url = f"wss://{T3_HOST}/probe/ws"
+    attempts = 0
+    while True:
+        CONNECTED.labels(leg).set(0)
+        established = None
+        reason = "connect_failed"
+        try:
+            connector = aiohttp.TCPConnector(resolver=resolver, force_close=True)
+            # total=None: a session-level total timeout would kill the
+            # long-lived WS; only connection establishment is bounded.
+            async with aiohttp.ClientSession(
+                connector=connector,
+                timeout=aiohttp.ClientTimeout(total=None, connect=15, sock_connect=15),
+            ) as session:
+                async with session.ws_connect(url, heartbeat=None) as ws:
+                    established = time.monotonic()
+                    attempts = 0
+                    CONNECTED.labels(leg).set(1)
+                    log.info("%s: connected", leg)
+                    while True:
+                        sent = time.monotonic()
+                        await ws.send_str(f"ping {time.time_ns()}")
+                        msg = await ws.receive(timeout=RTT_TIMEOUT_SECONDS)
+                        if msg.type != aiohttp.WSMsgType.TEXT:
+                            reason = f"closed_{msg.type.name.lower()}"
+                            break
+                        RTT.labels(leg).observe(time.monotonic() - sent)
+                        await asyncio.sleep(HEARTBEAT_SECONDS)
+        except asyncio.TimeoutError:
+            reason = "rtt_timeout" if established else "connect_timeout"
+        except (aiohttp.ClientError, OSError) as e:
+            reason = "connect_failed" if not established else "io_error"
+            log.warning("%s: %s: %s", leg, reason, e)
+        CONNECTED.labels(leg).set(0)
+        DISCONNECTS.labels(leg, reason).inc()
+        LAST_DISCONNECT.labels(leg).set(time.time())
+        if established is not None:
+            CONNECTION_AGE.labels(leg).observe(time.monotonic() - established)
+            log.info("%s: died after %.0fs (%s)", leg, time.monotonic() - established, reason)
+        attempts += 1
+        await asyncio.sleep(min(3 * attempts, 30))
+
+
+async def t3serve_leg():
+    leg = "t3serve"
+    url = f"http://{DEVVM}:{T3_SERVE_PORT}/api/auth/session"
+    timeout = aiohttp.ClientTimeout(total=RTT_TIMEOUT_SECONDS)
+    async with aiohttp.ClientSession(timeout=timeout) as session:
+        while True:
+            sent = time.monotonic()
+            try:
+                async with session.get(url) as resp:
+                    await resp.read()
+                    RTT.labels(leg).observe(time.monotonic() - sent)
+                    CONNECTED.labels(leg).set(1 if resp.status == 200 else 0)
+                    if resp.status != 200:
+                        DISCONNECTS.labels(leg, f"http_{resp.status}").inc()
+                        LAST_DISCONNECT.labels(leg).set(time.time())
+            except asyncio.TimeoutError:
+                CONNECTED.labels(leg).set(0)
+                DISCONNECTS.labels(leg, "rtt_timeout").inc()
+                LAST_DISCONNECT.labels(leg).set(time.time())
+            except (aiohttp.ClientError, OSError) as e:
+                CONNECTED.labels(leg).set(0)
+                DISCONNECTS.labels(leg, "connect_failed").inc()
+                LAST_DISCONNECT.labels(leg).set(time.time())
+                log.warning("%s: %s", leg, e)
+            await asyncio.sleep(HEARTBEAT_SECONDS)
+
+
+async def main():
+    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
+    start_http_server(METRICS_PORT)
+    await asyncio.gather(
+        ws_leg("cloudflare", DoHResolver()),
+        ws_leg("internal", PinnedResolver(TRAEFIK_LB)),
+        t3serve_leg(),
+    )
+
+
+if __name__ == "__main__":
+    asyncio.run(main())
diff --git a/stacks/tandoor/.terraform.lock.hcl b/stacks/tandoor/.terraform.lock.hcl
index 6c9afb10..31e1c607 100644
--- a/stacks/tandoor/.terraform.lock.hcl
+++ b/stacks/tandoor/.terraform.lock.hcl
@@ -70,61 +70,23 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version = "3.8.1"
+  version = "3.9.0"
   hashes = [
-    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
-    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
-    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
-    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
-    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
-    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
-    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
-    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
-    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
-    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
-    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
-    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+    "h1:UlBuNVuCGJ39tTv2c5gz2NRZnQbXfbIWbTzWcth5o74=",
   ]
 }
 
diff --git a/stacks/tandoor/main.tf b/stacks/tandoor/main.tf
index 822576ab..5c08d440 100644
--- a/stacks/tandoor/main.tf
+++ b/stacks/tandoor/main.tf
@@ -23,7 +23,7 @@ resource "kubernetes_namespace" "tandoor" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "tandoor-secrets"
diff --git a/stacks/technitium/modules/technitium/main.tf b/stacks/technitium/modules/technitium/main.tf
index 087cef3b..ef00506e 100644
--- a/stacks/technitium/modules/technitium/main.tf
+++ b/stacks/technitium/modules/technitium/main.tf
@@ -33,6 +33,18 @@ module "tls_secret" {
   tls_secret_name = var.tls_secret_name
 }
 
+# Traefik Service ClusterIP for the CoreDNS viktorbarzin.me block below.
+# Pods cannot use the Traefik LB IP (.203, externalTrafficPolicy=Local — only
+# nodes with a local Traefik endpoint answer), so in-cluster answers must
+# target the ClusterIP. Read from the live Service so a recreate can never
+# leave a stale literal (same pattern as the woodpecker-server hostAlias fix).
+data "kubernetes_service" "traefik" {
+  metadata {
+    name      = "traefik"
+    namespace = "traefik"
+  }
+}
+
 # CoreDNS Corefile - manages cluster DNS resolution
 # The viktorbarzin.lan block forwards to Technitium via ClusterIP (stable, LB-independent).
 # A template regex in the viktorbarzin.lan block short-circuits junk queries
@@ -60,15 +72,6 @@ resource "kubernetes_config_map" "coredns" {
               fallthrough in-addr.arpa ip6.arpa
               ttl 30
           }
-          # Pin forgejo.viktorbarzin.me to the in-cluster Traefik Service so pod
-          # builds/pulls/pushes resolve to its ClusterIP, not the public IP that
-          # hairpins through the WAN gateway and intermittently times out buildkit
-          # pushes (woodpecker build pods don't use the node containerd mirror that
-          # fixes kubelet pulls). Service-name target auto-tracks the ClusterIP (no
-          # rot); Traefik's *.viktorbarzin.me wildcard keeps SNI/TLS valid. The
-          # woodpecker-server hostAlias (main.tf) becomes belt-and-suspenders.
-          # (beads code-yh33 — in-cluster *.viktorbarzin.me hairpin)
-          rewrite name exact forgejo.viktorbarzin.me traefik.traefik.svc.cluster.local
           prometheus :9153
           forward . 10.0.20.1 8.8.8.8 1.1.1.1 {
               policy sequential
@@ -84,6 +87,40 @@ resource "kubernetes_config_map" "coredns" {
           reload
           loadbalance
       }
+      # Dedicated zone for *.viktorbarzin.me as seen by PODS. Pods are
+      # ordinary internal clients: same split-horizon answers as every
+      # node/VM/laptop (ingress hosts CNAME -> apex -> live Traefik LB;
+      # mail -> 10.0.20.1; vlmcs -> 10.0.20.202). Forwards to the SAME
+      # Technitium ClusterIP the viktorbarzin.lan block below uses.
+      # Verified 2026-06-10 on k8s 1.34: pods DO reach the ETP=Local LB IP
+      # (kube-proxy short-circuits in-cluster traffic to LB IPs via the
+      # cluster path) — re-verify after major k8s upgrades; the canary is
+      # the uptime-kuma [External] monitor fleet going red.
+      # forgejo stays pinned to Traefik's ClusterIP (hosts plugin) so CI
+      # pushes survive a Technitium outage; the kubernetes plugin isn't in
+      # this block so a Service-name rewrite cannot resolve here.
+      # History: until 2026-06-10 (evening) this block forwarded to public
+      # 8.8.8.8/1.1.1.1, which sent pods to the WAN IP and the broken
+      # TP-Link NAT loopback — 27 non-proxied [External] monitors dark
+      # (beads code-yh33 — in-cluster *.viktorbarzin.me hairpin).
+      viktorbarzin.me:53 {
+        errors
+        hosts {
+          ${data.kubernetes_service.traefik.spec.0.cluster_ip} forgejo.viktorbarzin.me
+          fallthrough
+        }
+        forward . 10.96.0.53 {
+            policy sequential
+            health_check 5s
+            max_fails 2
+        }
+        cache {
+          success 10000 300 6
+          denial 10000 300 60
+          serve_stale 86400s
+        }
+        reload
+      }
       viktorbarzin.lan:53 {
         #log
         errors
@@ -383,7 +420,7 @@ module "ingress" {
 # ExternalSecret for Technitium MySQL password (Vault auto-rotation)
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "technitium-db-creds"
@@ -920,6 +957,48 @@ resource "kubernetes_cron_job_v1" "technitium_ingress_dns_sync" {
                 done
                 echo "Sync complete. Created $$CREATED new records."
 
+                # Static mail-auth records (SPF / brevo verification / MX /
+                # DMARC / DKIM) mirrored from the PUBLIC Cloudflare zone.
+                # The internal zone is authoritative for viktorbarzin.me, and
+                # since 2026-06-10 the MAILSERVER pods resolve the domain
+                # through it (CoreDNS viktorbarzin.me:53 -> Technitium).
+                # Without these, rspamd's SPF/DKIM/DMARC checks on inbound
+                # @viktorbarzin.me mail (e.g. the Brevo email-roundtrip probe)
+                # see SPF=none/DKIM=fail and quarantine it (EmailRoundtrip*
+                # alerts, 2026-06-10). Internal zone must be a SUPERSET of the
+                # public one for every record type clients consume. Idempotent:
+                # checked against the zone dump before adding. If these change
+                # in Cloudflare, update here too (slow-moving).
+                ZONE_DUMP=$$(curl -sf "$$TECH_API/api/zones/records/get?token=$$TOKEN&zone=$$ZONE&domain=$$ZONE&listZone=true")
+                add_txt() {
+                  NAME="$$1"; MARK="$$2"; VALUE="$$3"
+                  if echo "$$ZONE_DUMP" | grep -q "$$MARK"; then echo "mail-auth: $$NAME ($$MARK) present"; return; fi
+                  R=$$(curl -sf -G "$$TECH_API/api/zones/records/add" --data-urlencode "token=$$TOKEN" --data-urlencode "zone=$$ZONE" --data-urlencode "domain=$$NAME" --data-urlencode "type=TXT" --data-urlencode "text=$$VALUE" --data-urlencode "ttl=3600") || true
+                  echo "$$R" | grep -q '"status":"ok"' && echo "mail-auth: added TXT $$NAME ($$MARK)" || echo "mail-auth: FAILED TXT $$NAME -- $$R"
+                }
+                add_txt "$$ZONE" "v=spf1" "v=spf1 include:spf.brevo.com ~all"
+                add_txt "$$ZONE" "brevo-code" "brevo-code:a6ef1dd91b248559900246eb4e7ceebd"
+                add_txt "_dmarc.$$ZONE" "v=DMARC1" "v=DMARC1; p=quarantine; pct=100; fo=1; ri=3600; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@viktorbarzin.me,mailto:adb84997@inbox.ondmarc.com; ruf=mailto:dmarc@viktorbarzin.me,mailto:adb84997@inbox.ondmarc.com,mailto:postmaster@viktorbarzin.me;"
+                add_txt "mail._domainkey.$$ZONE" "v=DKIM1" "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs9XHeFBKhUAEJSikXx+P49Q3nEBbnaSpn6h/9TqIhKaZWSVa2uGUGYQieNdon7DEJZ0VFo0Tvm3/UFsy2qF7ZmF+E/+N8EmkcPrMlxgJT281dpk5DxrZ+kbzw/DosfHH71K6vCLB4rSexzxJHaAx0AUddI3bFUJGjMgCXXCMZF+p8YCx+DDGPIXz2FOTtlJlR7aeZ2xXavwE/lBfI3MLnsq7X+GhPjQEax070nndOdZI0S8HpZkVxdGWl1N2Ec6LukYm2RiUkEMMQHSYX7WF3JBc+CGqUyd706Iy/5oeC3UGwZSM2uLkrp8YBjmw/h1rAeyv/ITt6ZXraP/cIMRiVQIDAQAB"
+                # Brevo DKIM selectors are CNAMEs to Brevo-hosted keys; rspamd
+                # resolves them when verifying inbound Brevo-signed mail
+                # (R_DKIM_PERMFAIL +4.5 without them — the actual junk-score
+                # driver in the 2026-06-10 roundtrip breakage).
+                add_cname() {
+                  NAME="$$1"; TARGET="$$2"
+                  if echo "$$ZONE_DUMP" | grep -q "$$TARGET"; then echo "mail-auth: $$NAME present"; return; fi
+                  R=$$(curl -sf -G "$$TECH_API/api/zones/records/add" --data-urlencode "token=$$TOKEN" --data-urlencode "zone=$$ZONE" --data-urlencode "domain=$$NAME" --data-urlencode "type=CNAME" --data-urlencode "cname=$$TARGET" --data-urlencode "ttl=3600") || true
+                  echo "$$R" | grep -q '"status":"ok"' && echo "mail-auth: added CNAME $$NAME -> $$TARGET" || echo "mail-auth: FAILED CNAME $$NAME -- $$R"
+                }
+                add_cname "brevo1._domainkey.$$ZONE" "b1.viktorbarzin-me.dkim.brevo.com"
+                add_cname "brevo2._domainkey.$$ZONE" "b2.viktorbarzin-me.dkim.brevo.com"
+                if ! echo "$$ZONE_DUMP" | grep -q '"type":"MX"'; then
+                  R=$$(curl -sf -G "$$TECH_API/api/zones/records/add" --data-urlencode "token=$$TOKEN" --data-urlencode "zone=$$ZONE" --data-urlencode "domain=$$ZONE" --data-urlencode "type=MX" --data-urlencode "exchange=mail.viktorbarzin.me" --data-urlencode "preference=1" --data-urlencode "ttl=3600") || true
+                  echo "$$R" | grep -q '"status":"ok"' && echo "mail-auth: added MX" || echo "mail-auth: FAILED MX -- $$R"
+                else
+                  echo "mail-auth: MX present"
+                fi
+
                 # Pin the .lan ingress anchor A record to the LIVE Traefik LB IP.
                 # *.viktorbarzin.lan ingress hosts CNAME to ingress.viktorbarzin.lan,
                 # so a Traefik LB IP move that misses the .lan zone silently breaks
diff --git a/stacks/terminal/main.tf b/stacks/terminal/main.tf
index c2f3f50b..3737817d 100644
--- a/stacks/terminal/main.tf
+++ b/stacks/terminal/main.tf
@@ -225,8 +225,11 @@ module "ingress_ro" {
 #   https://forgejo.viktorbarzin.me/viktor/terminal-lobby
 #
 # That repo's ./scripts/deploy.sh ships everything to wizard@10.0.10.10
-# and restarts ttyd / ttyd-ro / tmux-api / clipboard-upload. This stack
-# only owns the Kubernetes side: Services, Endpoints pointing at
+# and restarts ttyd / ttyd-ro / tmux-api / clipboard-upload. Deploy is
+# MANUAL via that script — there is no CI pipeline (the lobby's
+# .woodpecker.yml was removed under ADR-0002, issue #31; it builds no
+# image, so it is not part of the GHA->ghcr fleet). This stack only owns
+# the Kubernetes side: Services, Endpoints pointing at
 # 10.0.10.10:{7681,7682,7683,7684}, the IngressRoutes, and the Traefik
 # middlewares that gate everything behind Authentik forward-auth.
 #
diff --git a/stacks/trading-bot/main.tf b/stacks/trading-bot/main.tf
index e26e728a..871269e0 100644
--- a/stacks/trading-bot/main.tf
+++ b/stacks/trading-bot/main.tf
@@ -50,7 +50,7 @@ module "tls_secret" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "trading-bot-secrets"
@@ -104,7 +104,7 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (rotated every 24h)
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "trading-bot-db-creds"
diff --git a/stacks/traefik/main.tf b/stacks/traefik/main.tf
index 7bb68f97..0210b030 100644
--- a/stacks/traefik/main.tf
+++ b/stacks/traefik/main.tf
@@ -16,7 +16,6 @@ data "vault_kv_secret_v2" "viktor" {
 module "traefik" {
   source                 = "./modules/traefik"
   tier                   = local.tiers.core
-  crowdsec_api_key       = data.vault_kv_secret_v2.secrets.data["ingress_crowdsec_api_key"]
   redis_host             = var.redis_host
   tls_secret_name        = var.tls_secret_name
   auth_fallback_htpasswd = data.vault_kv_secret_v2.secrets.data["auth_fallback_htpasswd"]
diff --git a/stacks/traefik/modules/traefik/error-pages.tf b/stacks/traefik/modules/traefik/error-pages.tf
index 54346a07..7f2e614c 100644
--- a/stacks/traefik/modules/traefik/error-pages.tf
+++ b/stacks/traefik/modules/traefik/error-pages.tf
@@ -57,6 +57,19 @@ resource "kubernetes_deployment" "error_pages" {
             value = "shuffle"
           }
 
+          env {
+            # fasthttp's per-connection read buffer ALSO caps total request
+            # header size (default 5120 bytes). Authentik forward-auth sets
+            # one authentik_proxy_* cookie per protected service, all scoped
+            # to .viktorbarzin.me — 30+ services puts the aggregate Cookie
+            # header way past 5KB, so every error-middleware dispatch here
+            # answered 431 "Too big request header" instead of the styled
+            # error page (same cookie-bloat class as the 2026-06-01 openresty
+            # buffer fixes on bot-block-proxy/auth-proxy).
+            name  = "READ_BUFFER_SIZE"
+            value = "131072"
+          }
+
           liveness_probe {
             http_get {
               path = "/healthz"
@@ -89,7 +102,18 @@ resource "kubernetes_deployment" "error_pages" {
   }
 
   lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      # KEEL_LIFECYCLE_V1: keel.sh annotations + tier label are stamped on the
+      # live object (keel enrollment / resource-governance) — don't strip them.
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"],
+      metadata[0].annotations["keel.sh/match-tag"],
+      metadata[0].labels["tier"],
+      spec[0].template[0].metadata[0].annotations["keel.sh/update-time"],
+      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates
+    ]
   }
 }
 
@@ -177,7 +201,6 @@ resource "kubernetes_manifest" "ingressroute_catchall" {
         priority = 1
         middlewares = [
           { name = "rate-limit", namespace = kubernetes_namespace.traefik.metadata[0].name },
-          { name = "crowdsec", namespace = kubernetes_namespace.traefik.metadata[0].name },
         ]
         services = [{
           name      = "error-pages"
diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf
index 8cfbacd2..1d72be22 100644
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@@ -1,8 +1,4 @@
 variable "tier" { type = string }
-variable "crowdsec_api_key" {
-  type      = string
-  sensitive = true
-}
 variable "redis_host" { type = string }
 variable "tls_secret_name" {}
 variable "auth_fallback_htpasswd" {
@@ -44,8 +40,14 @@ resource "helm_release" "traefik" {
   name             = "traefik"
   repository       = "https://traefik.github.io/charts"
   chart            = "traefik"
-  atomic           = true
-  timeout          = 600
+  # Pin to the deployed chart version. Was unpinned, so a refreshed helm repo
+  # index silently tries to upgrade to the latest chart on the next apply —
+  # chart 41.0.0 rejects this values block's `logs` key ("Additional property
+  # logs is not allowed"). Bump deliberately (with values migration), never
+  # implicitly. Deployed since 2026-05-30 (release rev 57).
+  version = "40.2.0"
+  atomic  = true
+  timeout = 600
 
   values = [yamlencode({
     deployment = {
@@ -68,13 +70,10 @@ resource "helm_release" "traefik" {
         command = ["sh", "-c", join("", [
           "set -e; ",
           "STORAGE=/plugins-storage; ",
-          "mkdir -p \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\"; ",
-          "wget -q -T 30 -O \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/v1.4.2.zip\" ",
-          "\"https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/archive/refs/tags/v1.4.2.zip\"; ",
           "mkdir -p \"$STORAGE/archives/github.com/Aetherinox/traefik-api-token-middleware\"; ",
           "wget -q -T 30 -O \"$STORAGE/archives/github.com/Aetherinox/traefik-api-token-middleware/v0.1.4.zip\" ",
           "\"https://github.com/Aetherinox/traefik-api-token-middleware/archive/refs/tags/v0.1.4.zip\"; ",
-          "printf '{\"github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\":\"v1.4.2\",\"github.com/Aetherinox/traefik-api-token-middleware\":\"v0.1.4\"}' ",
+          "printf '{\"github.com/Aetherinox/traefik-api-token-middleware\":\"v0.1.4\"}' ",
           "> \"$STORAGE/archives/state.json\"; ",
           "echo \"Plugins pre-downloaded successfully\"",
         ])]
@@ -189,10 +188,6 @@ resource "helm_release" "traefik" {
     # Plugins
     experimental = {
       plugins = {
-        crowdsec-bouncer = {
-          moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-          version    = "v1.4.2"
-        }
         # Static-token bearer/header auth middleware. Used by services that
         # need gateway-level API-key/bearer enforcement without app-layer auth
         # (e.g. paperless-mcp, which has no native auth). Plugin key
@@ -494,7 +489,16 @@ resource "kubernetes_deployment" "bot_block_proxy" {
   }
   lifecycle {
     # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config,
+      # KEEL_LIFECYCLE_V1: keel.sh annotations + tier label are stamped on the
+      # live object (keel enrollment / resource-governance) — don't strip them.
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"],
+      metadata[0].annotations["keel.sh/match-tag"],
+      metadata[0].labels["tier"],
+    ]
   }
 }
 
@@ -563,7 +567,7 @@ resource "kubernetes_deployment" "x402_gateway" {
         }
         container {
           name  = "x402-gateway"
-          image = "forgejo.viktorbarzin.me/viktor/x402-gateway:d9b83125"
+          image = "ghcr.io/viktorbarzin/x402-gateway:latest"
           port {
             name           = "http"
             container_port = 8923
@@ -653,7 +657,19 @@ resource "kubernetes_deployment" "x402_gateway" {
 
   lifecycle {
     # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config,
+      # KEEL_IGNORE_IMAGE: the GHA->ghcr build (ADR-0002 infra#28) set-images
+      # the running :sha8 tag; don't let terragrunt revert it to :latest.
+      spec[0].template[0].spec[0].container[0].image,
+      # KEEL_LIFECYCLE_V1: keel.sh annotations + tier label are stamped on the
+      # live object (keel enrollment / resource-governance) — don't strip them.
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"],
+      metadata[0].annotations["keel.sh/match-tag"],
+      metadata[0].labels["tier"],
+    ]
   }
 }
 
@@ -720,6 +736,11 @@ resource "kubernetes_config_map" "auth_proxy_config" {
     "default.conf" = <<-EOT
       upstream authentik {
           server ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000;
+          # Reuse connections to the outpost. Without this every forward-auth
+          # subrequest (= every request to every auth="required" ingress) opens
+          # a fresh TCP connection. Requires HTTP/1.1 + cleared Connection
+          # header on the proxy_pass locations below.
+          keepalive 32;
       }
       server {
           listen 9000;
@@ -734,6 +755,8 @@ resource "kubernetes_config_map" "auth_proxy_config" {
 
           location /outpost.goauthentik.io/auth/traefik {
               proxy_pass http://authentik;
+              proxy_http_version 1.1;
+              proxy_set_header Connection "";
               proxy_connect_timeout 3s;
               proxy_read_timeout 5s;
               proxy_send_timeout 5s;
@@ -764,6 +787,8 @@ resource "kubernetes_config_map" "auth_proxy_config" {
 
           location /outpost.goauthentik.io/ {
               proxy_pass http://authentik;
+              proxy_http_version 1.1;
+              proxy_set_header Connection "";
               proxy_connect_timeout 3s;
               proxy_read_timeout 10s;
               proxy_set_header Host $host;
@@ -820,6 +845,15 @@ resource "kubernetes_deployment" "auth_proxy" {
         labels = {
           app = "auth-proxy"
         }
+        annotations = {
+          # nginx only reads its config at startup — roll the pods whenever
+          # the ConfigMap content changes.
+          "checksum/auth-proxy-config" = sha1(kubernetes_config_map.auth_proxy_config.data["default.conf"])
+          # The emergency-fallback htpasswd is a subPath secret mount, which
+          # does NOT auto-update on change — roll the pods when it rotates so a
+          # regenerated emergency password actually takes effect.
+          "checksum/auth-proxy-htpasswd" = sha1(var.auth_fallback_htpasswd)
+        }
       }
       spec {
         topology_spread_constraint {
@@ -908,7 +942,16 @@ resource "kubernetes_deployment" "auth_proxy" {
   }
   lifecycle {
     # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config,
+      # KEEL_LIFECYCLE_V1: keel.sh annotations + tier label are stamped on the
+      # live object (keel enrollment / resource-governance) — don't strip them.
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"],
+      metadata[0].annotations["keel.sh/match-tag"],
+      metadata[0].labels["tier"],
+    ]
   }
 }
 
diff --git a/stacks/traefik/modules/traefik/middleware.tf b/stacks/traefik/modules/traefik/middleware.tf
index bd09b67e..befeb6bf 100644
--- a/stacks/traefik/modules/traefik/middleware.tf
+++ b/stacks/traefik/modules/traefik/middleware.tf
@@ -183,34 +183,6 @@ resource "kubernetes_manifest" "middleware_security_headers" {
   depends_on = [helm_release.traefik]
 }
 
-# CrowdSec bouncer plugin middleware
-resource "kubernetes_manifest" "middleware_crowdsec" {
-  manifest = {
-    apiVersion = "traefik.io/v1alpha1"
-    kind       = "Middleware"
-    metadata = {
-      name      = "crowdsec"
-      namespace = kubernetes_namespace.traefik.metadata[0].name
-    }
-    spec = {
-      plugin = {
-        crowdsec-bouncer = {
-          crowdsecLapiKey            = var.crowdsec_api_key
-          crowdsecLapiHost           = "crowdsec-service.crowdsec.svc.cluster.local:8080"
-          crowdsecMode               = "stream"
-          updateMaxFailure           = -1 # fail-open: serve from cache when LAPI is unreachable
-          redisCacheEnabled          = true
-          redisCacheHost             = var.redis_host
-          redisCacheUnreachableBlock = false                            # don't block traffic if Redis is also unreachable
-          clientTrustedIPs           = ["10.0.20.0/24", "10.10.0.0/16"] # node + pod CIDRs bypass CrowdSec
-        }
-      }
-    }
-  }
-
-  depends_on = [helm_release.traefik]
-}
-
 # TLS option for mTLS (client certificate auth)
 resource "kubernetes_manifest" "tls_option_mtls" {
   manifest = {
@@ -294,6 +266,81 @@ resource "kubernetes_manifest" "middleware_immich_rate_limit" {
   depends_on = [helm_release.traefik]
 }
 
+# ActualBudget-specific rate limit. The Actual web app boots with ~70
+# near-parallel requests (55 /data/migrations/*.sql + statics, all served
+# max-age=0 so every load re-validates them); the default 10/50 limiter
+# 429s the tail and stalls every page load with retry backoff (the
+# "Server returned an error while checking its status" screen). Burst must
+# absorb a few simultaneous device boots from one client IP.
+resource "kubernetes_manifest" "middleware_actualbudget_rate_limit" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "actualbudget-rate-limit"
+      namespace = kubernetes_namespace.traefik.metadata[0].name
+    }
+    spec = {
+      rateLimit = {
+        average = 50
+        burst   = 300
+      }
+    }
+  }
+
+  depends_on = [helm_release.traefik]
+}
+
+# TripIt-specific rate limit. The trip Photos tab proxies every Immich
+# thumbnail through tripit's own /api — scrolling a few-hundred-photo trip
+# fires that many parallel image GETs from one client IP, and the default
+# 10/50 limiter 429s the tail (fourth instance of the parallel-asset
+# pattern, after ha-sofia, ActualBudget, and noVNC). Burst must absorb a
+# full trip-gallery scroll plus lightbox prefetches.
+resource "kubernetes_manifest" "middleware_tripit_rate_limit" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "tripit-rate-limit"
+      namespace = kubernetes_namespace.traefik.metadata[0].name
+    }
+    spec = {
+      rateLimit = {
+        average = 100
+        burst   = 1000
+      }
+    }
+  }
+
+  depends_on = [helm_release.traefik]
+}
+
+# Health-specific rate limit. The redesigned, data-dense SPA loads the shell
+# (JS chunks + two self-hosted Geist woff2) plus a 5-8 call API burst per page,
+# and fast tab-to-tab navigation from one client IP blows past the default
+# 10/50 limiter — 429ing the tail so cards/pages render empty (fifth instance
+# of the burst pattern, after ha-sofia, ActualBudget, noVNC and tripit). Burst
+# absorbs a couple of full page loads back-to-back.
+resource "kubernetes_manifest" "middleware_health_rate_limit" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "health-rate-limit"
+      namespace = kubernetes_namespace.traefik.metadata[0].name
+    }
+    spec = {
+      rateLimit = {
+        average = 100
+        burst   = 1000
+      }
+    }
+  }
+
+  depends_on = [helm_release.traefik]
+}
+
 # Compress responses to clients at the entrypoint level (outermost).
 # Applied at websecure entrypoint so all responses get compressed.
 # Uses includedContentTypes (whitelist) instead of excludedContentTypes:
@@ -428,3 +475,27 @@ resource "kubernetes_manifest" "middleware_retry" {
 
   depends_on = [helm_release.traefik]
 }
+
+# android-emulator noVNC rate limit. noVNC 1.3 ships unbundled: vnc.html
+# pulls ~60 ES modules in parallel on every page open, and the default
+# 10/50 limiter 429s the tail — the loader then waits forever on the
+# missing modules ("stuck on loading", verified 38x429 at a 90-request
+# burst on 2026-06-12). Same remedy as actualbudget/immich.
+resource "kubernetes_manifest" "middleware_android_emulator_rate_limit" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "android-emulator-rate-limit"
+      namespace = kubernetes_namespace.traefik.metadata[0].name
+    }
+    spec = {
+      rateLimit = {
+        average = 50
+        burst   = 300
+      }
+    }
+  }
+
+  depends_on = [helm_release.traefik]
+}
diff --git a/stacks/traefik/terragrunt.hcl b/stacks/traefik/terragrunt.hcl
index 4f16dddf..728c4d47 100644
--- a/stacks/traefik/terragrunt.hcl
+++ b/stacks/traefik/terragrunt.hcl
@@ -6,3 +6,8 @@ dependency "infra" {
   config_path  = "../infra"
   skip_outputs = true
 }
+
+# apply-trigger 2026-06-12 (android-emulator-rate-limit middleware): non-merge
+# commit so the changed-stack detector sees this stack (merge-diff blindness).
+
+# apply-trigger 2026-06-12: error-pages READ_BUFFER_SIZE rollout (merge-blind detector)
diff --git a/stacks/travel_blog/.terraform.lock.hcl b/stacks/travel_blog/.terraform.lock.hcl
deleted file mode 100644
index 7b0b0924..00000000
--- a/stacks/travel_blog/.terraform.lock.hcl
+++ /dev/null
@@ -1,94 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/cloudflare/cloudflare" {
-  version     = "4.52.7"
-  constraints = "~> 4.0"
-  hashes = [
-    "h1:pPItIWii5oymR+geZB219ROSPuSODPLTlM4S/u8xLvM=",
-    "zh:0c904ce31a4c6c4a5b3bf7ff1560e77c0cc7e2450c8553ded8e8c90398e1418b",
-    "zh:36183d310c36373fe4cb936b83c595c6fd3b0a94bc7827f28e5789ccbf59752e",
-    "zh:556a568a6f0235e8f41647de9e4d3a1e7b1d6502df8b19b54ec441f1c653ea10",
-    "zh:633ebbd5b0245e75e500ef9be4d9e62288f97e8da3baaa51323892a786d90285",
-    "zh:6acfe60cf52a65ba8f044f748548d2119e7f4fd7f8ebcb14698960d87c68f529",
-    "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
-    "zh:904acc31ebb9d6ef68c792074b30532ee61bf515f19e0a3c75b46f126cca1f13",
-    "zh:a1d0a81246afc8750286d3f6fe7a8fbe6460dd2662407b28dbfbabb612e5fa9d",
-    "zh:a41a36fe253fc365fe2b7ffc749624688b2693b4634862fda161179ab100029f",
-    "zh:a7ef269e77ffa8715c8945a2c14322c7ff159ea44c15f62505f3cbb2cae3b32d",
-    "zh:b01aa3bed30610633b762df64332b26f8844a68c3960cebcb30f04918efc67fe",
-    "zh:b069cc2cd18cae10757df3ae030508eac8d55de7e49eda7a5e3e11f2f7fe6455",
-    "zh:b2d2c6313729ebb7465dceece374049e2d08bda34473901be9ff46a8836d42b2",
-    "zh:db0e114edaf4bc2f3d4769958807c83022bfbc619a00bdf4c4bd17faa4ab2d8b",
-    "zh:ecc0aa8b9044f664fd2aaf8fa992d976578f78478980555b4b8f6148e8d1a5fe",
-  ]
-}
-
-provider "registry.terraform.io/goauthentik/authentik" {
-  version     = "2024.12.1"
-  constraints = "~> 2024.10"
-  hashes = [
-    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
-  hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.0.1"
-  hashes = [
-    "h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=",
-    "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=",
-    "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281",
-    "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba",
-    "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7",
-    "zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6",
-    "zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4",
-    "zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249",
-    "zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090",
-    "zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97",
-    "zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8",
-    "zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119",
-    "zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/vault" {
-  version     = "4.8.0"
-  constraints = "~> 4.0"
-  hashes = [
-    "h1:GPfhH6dr1LY0foPBDYv9bEGifx7eSwYqFcEAOWOUxLk=",
-    "h1:aHqgWQhDBMeZO9iUKwJYMlh4q+xNMUlMIcjRbF4d02Y=",
-    "zh:269ab13433f67684012ae7e15876532b0312f5d0d2002a9cf9febb1279ce5ea6",
-    "zh:4babc95bf0c40eb85005db1dc2ca403c46be4a71dd3e409db3711a56f7a5ca0e",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:86e27c1c625ecc24446a11eeffc3ac319b36c2b4e51251db8579256a0dbcf136",
-    "zh:a32f31da94824009e26b077374440b52098aecb93c92ff55dc3d31dd37c4ea25",
-    "zh:be0a18c6c0425518bab4fbffd82078b82036a88503b5d76064de551c9f646cbf",
-    "zh:be5a77fdfd36863ebeec79cd12b1d13322ffad6821d157a0b279789fa06b5937",
-    "zh:be8317d142a3caad74c7d936039ae27076a1b2b8312ef5208e2871a5f525977c",
-    "zh:c94a84895a3d9954b80e983eed4603330a5cdbbd8eef5b3c99278c2d1402ef3c",
-    "zh:de1fb712784dd8415f011ca5346a34f87fab6046c730557615247e511dbc7d98",
-    "zh:e3eafae7da550f86cae395d6660b2a0e93ec8d2b0e0e5ef982ec762e961fc952",
-    "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
-  ]
-}
diff --git a/stacks/travel_blog/main.tf b/stacks/travel_blog/main.tf
deleted file mode 100644
index 1bc274d6..00000000
--- a/stacks/travel_blog/main.tf
+++ /dev/null
@@ -1,152 +0,0 @@
-variable "tls_secret_name" {
-  type      = string
-  sensitive = true
-}
-
-
-resource "kubernetes_namespace" "travel-blog" {
-  metadata {
-    name = "travel-blog"
-    labels = {
-      "istio-injection" : "disabled"
-      tier = local.tiers.aux
-      "keel.sh/enrolled" = "true"
-    }
-  }
-  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
-    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
-  }
-}
-
-module "tls_secret" {
-  source          = "../../modules/kubernetes/setup_tls_secret"
-  namespace       = kubernetes_namespace.travel-blog.metadata[0].name
-  tls_secret_name = var.tls_secret_name
-}
-
-resource "kubernetes_deployment" "blog" {
-  metadata {
-    name      = "travel-blog"
-    namespace = kubernetes_namespace.travel-blog.metadata[0].name
-    labels = {
-      app  = "travel-blog"
-      tier = local.tiers.aux
-    }
-  }
-  spec {
-    replicas = 0 # Scaled down — clears ExternalAccessDivergence alert
-    selector {
-      match_labels = {
-        app = "travel-blog"
-      }
-    }
-    template {
-      metadata {
-        labels = {
-          app = "travel-blog"
-        }
-      }
-      spec {
-        container {
-          image = "viktorbarzin/travel_blog:latest"
-          name  = "travel-blog"
-          resources {
-            limits = {
-              memory = "64Mi"
-            }
-            requests = {
-              cpu    = "10m"
-              memory = "64Mi"
-            }
-          }
-          port {
-            container_port = 80
-          }
-        }
-
-        # container {
-        #   image = "nginx/nginx-prometheus-exporter"
-        #   name  = "nginx-exporter"
-        #   args  = ["-nginx.scrape-uri", "http://127.0.0.1:8080/nginx_status"]
-        #   port {
-        #     container_port = 9113
-        #   }
-        # }
-      }
-    }
-  }
-  lifecycle {
-    ignore_changes = [
-      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
-      metadata[0].annotations["keel.sh/policy"],
-      metadata[0].annotations["keel.sh/trigger"],
-      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
-      metadata[0].annotations["keel.sh/match-tag"],
-      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates
-      metadata[0].annotations["kubernetes.io/change-cause"],
-      metadata[0].annotations["deployment.kubernetes.io/revision"],
-      spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
-    ]
-  }
-}
-
-resource "kubernetes_service" "travel-blog" {
-  metadata {
-    name      = "travel-blog"
-    namespace = kubernetes_namespace.travel-blog.metadata[0].name
-    labels = {
-      app = "travel-blog"
-    }
-  }
-
-  spec {
-    selector = {
-      app = "travel-blog"
-    }
-    port {
-      name        = "http"
-      port        = "80"
-      target_port = "80"
-    }
-  }
-}
-
-module "anubis" {
-  source           = "../../modules/kubernetes/anubis_instance"
-  name             = "travel"
-  namespace        = kubernetes_namespace.travel-blog.metadata[0].name
-  target_url       = "http://${kubernetes_service.travel-blog.metadata[0].name}.${kubernetes_namespace.travel-blog.metadata[0].name}.svc.cluster.local"
-  shared_store_url = "redis://redis-master.redis.svc.cluster.local:6379/11"
-}
-
-module "ingress" {
-  source            = "../../modules/kubernetes/ingress_factory"
-  auth              = "none" # Anubis-fronted; PoW challenge gates bots, no Authentik
-  namespace         = kubernetes_namespace.travel-blog.metadata[0].name
-  name              = "travel"
-  tls_secret_name   = var.tls_secret_name
-  service_name      = module.anubis.service_name
-  port              = module.anubis.service_port
-  extra_middlewares = ["traefik-x402@kubernetescrd"]
-  anti_ai_scraping  = false
-  extra_annotations = {
-    "gethomepage.dev/enabled"      = "true"
-    "gethomepage.dev/name"         = "Travel Blog"
-    "gethomepage.dev/description"  = "Travel stories"
-    "gethomepage.dev/icon"         = "ghost.png"
-    "gethomepage.dev/group"        = "Other"
-    "gethomepage.dev/pod-selector" = ""
-  }
-}
-
-# CI retrigger 2026-05-16T13:42:57+00:00 — bulk enrollment apply (pipeline #689 killed)
-# CI retrigger v2 2026-05-16T13:46:35+00:00
-
-# CI retrigger v3 2026-05-16T14:06:39Z
-
-# CI retrigger v4 2026-05-16T14:13:59Z
-
-# CI retrigger v5 2026-05-16T23:10:38Z
-
-# CI retrigger v6 2026-05-16T23:18:58Z
diff --git a/stacks/travel_blog/providers.tf b/stacks/travel_blog/providers.tf
deleted file mode 100644
index 012af700..00000000
--- a/stacks/travel_blog/providers.tf
+++ /dev/null
@@ -1,37 +0,0 @@
-# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
-terraform {
-  required_providers {
-    vault = {
-      source  = "hashicorp/vault"
-      version = "~> 4.0"
-    }
-    cloudflare = {
-      source  = "cloudflare/cloudflare"
-      version = "~> 4"
-    }
-    authentik = {
-      source  = "goauthentik/authentik"
-      version = "~> 2024.10"
-    }
-  }
-}
-
-variable "kube_config_path" {
-  type    = string
-  default = "~/.kube/config"
-}
-
-provider "kubernetes" {
-  config_path = var.kube_config_path
-}
-
-provider "helm" {
-  kubernetes = {
-    config_path = var.kube_config_path
-  }
-}
-
-provider "vault" {
-  address          = "https://vault.viktorbarzin.me"
-  skip_child_token = true
-}
diff --git a/stacks/tripit/authentik.tf b/stacks/tripit/authentik.tf
new file mode 100644
index 00000000..34e4ca91
--- /dev/null
+++ b/stacks/tripit/authentik.tf
@@ -0,0 +1,99 @@
+# Authentik OAuth2 provider for the TripIt App (the native Android Shell) —
+# tripit ADR-0017, viktor/tripit#49. The Shell does an Authorization Code +
+# PKCE login in the system browser and lands back in the app via the
+# custom-scheme redirect; the backend validates the issued RS256 JWTs itself
+# (AUTH_MODE=hybrid, tripit slice 2). client_type "public": an APK cannot keep
+# a client secret, PKCE is the binding. The bearer-only ingress host this
+# pairs with is module.ingress_api in main.tf.
+
+data "vault_kv_secret_v2" "authentik_tf" {
+  mount = "secret"
+  name  = "authentik"
+}
+
+provider "authentik" {
+  url   = "https://authentik.viktorbarzin.me"
+  token = data.vault_kv_secret_v2.authentik_tf.data["tf_api_token"]
+}
+
+data "authentik_flow" "default_authorization_implicit_consent" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+# NOTE: invalidation_flow is pinned to the literal UUID on tripit_app below,
+# not read via this data source — under the goauthentik 2024.x provider vs
+# 2026.2 server skew the flow data source intermittently resolves null in CI
+# (pipeline 244: "invalidation_flow is required, but no definition was found"),
+# which silently blocked every tripit-stack apply. The pinned UUID is exactly
+# what this slug ("default-provider-invalidation-flow") resolves to.
+
+data "authentik_certificate_key_pair" "signing" {
+  name = "authentik Self-signed Certificate"
+}
+
+data "authentik_property_mapping_provider_scope" "openid" {
+  managed = "goauthentik.io/providers/oauth2/scope-openid"
+}
+
+data "authentik_property_mapping_provider_scope" "profile" {
+  managed = "goauthentik.io/providers/oauth2/scope-profile"
+}
+
+data "authentik_property_mapping_provider_scope" "email" {
+  managed = "goauthentik.io/providers/oauth2/scope-email"
+}
+
+# offline_access is what makes Authentik issue a refresh token — the Shell
+# stores only that and re-derives short-lived access tokens. Looked up by
+# scope_name (the managed identifier is version-dependent).
+data "authentik_property_mapping_provider_scope" "offline_access" {
+  scope_name = "offline_access"
+}
+
+resource "authentik_provider_oauth2" "tripit_app" {
+  name        = "tripit-app"
+  client_id   = "tripit-app"
+  client_type = "public"
+  # sub = the user's EMAIL, not the default hashed_user_id: tripit prod users
+  # are email-keyed (forwardauth provisioned id == email), and the backend's
+  # hybrid bearer arm must resolve the SAME user row, not mint a hash-keyed
+  # twin (review finding, tripit #50).
+  sub_mode = "user_email"
+
+  authorization_flow = data.authentik_flow.default_authorization_implicit_consent.id
+  invalidation_flow  = "b0a43377-0fa6-45d1-89fc-ed298bb1bb53" # default-provider-invalidation-flow (pinned; see note above)
+
+  allowed_redirect_uris = [
+    {
+      matching_mode = "strict"
+      url           = "me.viktorbarzin.tripit://callback"
+    },
+    {
+      # "Log in with Authentik" on the website: TripIt is the OIDC client and
+      # mints its own session on callback (tripit ADR-0028, #90). Same public
+      # tripit-app provider as the Shell — just the web redirect URI added.
+      matching_mode = "strict"
+      url           = "https://tripit.viktorbarzin.me/api/auth/callback/authentik"
+    },
+  ]
+
+  access_token_validity      = "hours=1"
+  refresh_token_validity     = "days=90"
+  include_claims_in_id_token = true
+  signing_key                = data.authentik_certificate_key_pair.signing.id
+
+  property_mappings = [
+    data.authentik_property_mapping_provider_scope.openid.id,
+    data.authentik_property_mapping_provider_scope.profile.id,
+    data.authentik_property_mapping_provider_scope.email.id,
+    data.authentik_property_mapping_provider_scope.offline_access.id,
+  ]
+}
+
+resource "authentik_application" "tripit_app" {
+  name               = "TripIt App"
+  slug               = "tripit-app"
+  protocol_provider  = authentik_provider_oauth2.tripit_app.id
+  meta_launch_url    = "https://tripit.viktorbarzin.me"
+  policy_engine_mode = "any"
+}
diff --git a/stacks/tripit/main.tf b/stacks/tripit/main.tf
index 197a80d0..1c8de495 100644
--- a/stacks/tripit/main.tf
+++ b/stacks/tripit/main.tf
@@ -15,7 +15,12 @@ variable "tls_secret_name" {
 
 locals {
   namespace = "tripit"
-  image     = "forgejo.viktorbarzin.me/viktor/tripit:${var.image_tag}"
+  # Image now built OFF-INFRA by GitHub Actions, pushed to GHCR (private), 2026-06-09:
+  # Forgejo viktor/tripit push-mirrors -> private ViktorBarzin/tripit GitHub repo ->
+  # GHA builds + pushes ghcr.io/viktorbarzin/tripit. Removes both the build IO and the
+  # Forgejo/sdc registry push from the homelab. Running tag is set via `kubectl set
+  # image` (image is KEEL_IGNORE_IMAGE below); CronJobs track :latest.
+  image = "ghcr.io/viktorbarzin/tripit:${var.image_tag}"
   labels = {
     app = "tripit"
   }
@@ -23,14 +28,32 @@ locals {
   # Env shared by the Deployment app container and the worker CronJobs.
   # Real integrations: FLIGHT_PROVIDER=aerodatabox + RAIL_PROVIDER=realtimetrains
   # (keys via the tripit-secrets ExternalSecret), WEATHER_PROVIDER=openmeteo,
-  # GEOCODER_PROVIDER=openmeteo, PUSH_PROVIDER=webpush. LLM_MODE=fake and
-  # MAIL_INGEST_ENABLED=false here (the ingest-plans CronJob overrides both).
-  # AUTH_MODE=forwardauth: the backend trusts the Authentik-injected
-  # X-authentik-email header (forward-auth at the ingress). STORAGE_DIR points
-  # at the RWX NFS PVC — the app's default ./var is not writable by the
-  # non-root user.
+  # GEOCODER_PROVIDER=openmeteo, PUSH_PROVIDER=webpush. LLM_MODE=llamacpp
+  # (qwen3vl-8b + the ADR-0033 claude-agent fallback) so the Deployment can run
+  # real extraction for in-app reel-URL paste (#120) and booking share; the reel
+  # route uses REEL_GEOCODER_PROVIDER=nominatim. MAIL_INGEST_ENABLED=false here
+  # (the ingest-plans CronJob overrides it to true).
+  # AUTH_MODE=normal (tripit ADR-0028, #96): the backend authenticates ONLY its
+  # own TripIt session (cookie or Bearer JWT) — the legacy Authentik OIDC-bearer
+  # and forward-auth arms were removed once the Shell moved onto TripIt sessions
+  # (#94) and the cutover stopped injecting X-authentik-*. OIDC_* below stays: the
+  # "Log in with Authentik" web login and the Shell's /api/auth/exchange validate
+  # Authentik tokens against the same JWKS only to MINT a TripIt session.
+  # STORAGE_DIR points at the RWX NFS PVC — the app's default ./var is not
+  # writable by the non-root user.
   app_env = {
-    AUTH_MODE            = "forwardauth"
+    AUTH_MODE     = "normal"
+    # Open-signup abuse controls sit behind Traefik (tripit ADR-0028, #95): trust
+    # the proxy's X-Forwarded-For so the per-IP rate-limit keys on the real client,
+    # not the shared ingress pod IP. (The PoW captcha is the primary control.)
+    TRUST_FORWARDED_FOR = "true"
+    OIDC_ISSUER   = "https://authentik.viktorbarzin.me/application/o/tripit-app/"
+    OIDC_JWKS_URL = "https://authentik.viktorbarzin.me/application/o/tripit-app/jwks/"
+    OIDC_AUDIENCE = "tripit-app"
+    # OTA Web bundles (ADR-0014): the signed zip URL must point at the
+    # bearer-only host — the in-app request-derived base would be wrong
+    # behind the proxy (uvicorn doesn't trust forwarded headers).
+    BUNDLE_PUBLIC_BASE   = "https://tripit-api.viktorbarzin.me"
     SERVE_FRONTEND_DIR   = "/app/frontend_build"
     STORAGE_DIR          = "/data/documents"
     PERSONAL_STORAGE_DIR = "/data/personal-documents"
@@ -49,22 +72,109 @@ locals {
     # (Open-Meteo keyless geocoding API; results cached in the geocode_cache table).
     GEOCODER_PROVIDER   = "openmeteo"
     PUSH_PROVIDER       = "webpush"
-    LLM_MODE            = "fake"
+    # Real LLM on the Deployment too (was fake): in-app reel-URL paste (#120) and
+    # booking share run ingest in the web pod. llama-cpp primary + claude-agent
+    # fallback (ADR-0033). qwen3-8b segfaults on the current llama-swap image, so
+    # use qwen3vl-8b (matches the ingest-plans CronJob).
+    LLM_MODE            = "llamacpp"
+    LLM_MODEL           = "qwen3vl-8b"
+    LLM_ENDPOINT        = "http://llama-swap.llama-cpp.svc.cluster.local:8080"
+    # Reel-route POI geocoding (ADR-0031/0033) for the in-app paste path too.
+    REEL_GEOCODER_PROVIDER = "nominatim"
+    # The REEL FETCHER (ADR-0031): anonymous IG/TikTok read via yt-dlp (the IG
+    # internal-API path is an optional optimisation gated on IG_GRAPHQL_DOC_ID;
+    # unset = yt-dlp only, which works). Was UNSET -> FakeReelExtractor returned a
+    # CANNED caption, so every pasted/forwarded reel produced a DUMMY place.
+    # Verified: yt-dlp reads a real IG /p/ caption from the cluster, no doc_id.
+    REEL_PROVIDER = "anonymous"
     MAIL_INGEST_ENABLED = "false"
-    # Outbound mail (linked-email verification + trip-share invites) — submitted
-    # via the cluster mailserver authenticated as spam@ (SMTP_USER), but sent
-    # From: plans@viktorbarzin.me (SMTP_FROM). docker-mailserver SPOOF_PROTECTION
-    # requires the login to "own" the From; an explicit plans@ -> spam@ virtual
-    # alias grants that (see mailserver extra/aliases.txt) and keeps inbound
-    # plans@ routing to spam@. Relays out via Brevo. SMTP_PASSWORD comes from
-    # tripit-secrets (the existing PLANS_IMAP_PASSWORD = spam@'s password).
+    # Outbound mail (native-auth signup-verification + account recovery, linked-
+    # email verification, trip-share invites) — submitted via the cluster
+    # mailserver authenticated as spam@ (SMTP_USER), but sent From:
+    # trips@viktorbarzin.me (SMTP_FROM; tripit ADR-0028). docker-mailserver
+    # SPOOF_PROTECTION requires the login to "own" the From; an explicit
+    # trips@ -> spam@ virtual alias grants that (see mailserver extra/aliases.txt)
+    # and routes inbound trips@ to spam@. Relays out via Brevo. SMTP_PASSWORD comes
+    # from tripit-secrets (the existing PLANS_IMAP_PASSWORD = spam@'s password).
     # PUBLIC_BASE_URL builds the links mailed to recipients.
     EMAIL_PROVIDER  = "smtp"
     SMTP_HOST       = "mailserver.mailserver.svc"
     SMTP_PORT       = "587"
     SMTP_USER       = "spam@viktorbarzin.me"
-    SMTP_FROM       = "plans@viktorbarzin.me"
+    SMTP_FROM       = "trips@viktorbarzin.me"
     PUBLIC_BASE_URL = "https://tripit.viktorbarzin.me"
+    # Narrator audio (ADR-0004): Chatterbox via the in-cluster `tts` stack.
+    # OpenAI-compatible /v1/audio/speech; the bake POSTs best-effort synth
+    # requests, so a down/Pending Chatterbox is a clean skip (browser-TTS
+    # fallback), never a bake error. ClusterIP-only → no token. Note: the mode
+    # is `openai_compatible` (tripit renamed it from `chatterbox`); TTS_MODEL is
+    # still the `chatterbox` family string tripit sends as the OpenAI `model`.
+    TTS_MODE     = "openai_compatible"
+    TTS_BASE_URL = "http://chatterbox-tts.tts.svc.cluster.local:8000"
+    TTS_MODEL    = "chatterbox"
+    # Live flight-fare scrape (tripit ADR-0007, issue #18): Playwright driving
+    # the SHARED chrome-service browser over CDP (no per-pod browser). The
+    # provider rate-limits (30s min interval), caches 6h, backs off 300s on
+    # failure, and degrades to manual entry — never blocks the grid. NOTE:
+    # FareMode `playwright` only exists in images >= the #18 slice; setting
+    # this against an older image crash-loops on the unknown enum (old pods
+    # keep serving), so the env landed AFTER that image rolled out.
+    FARE_PROVIDER = "playwright"
+    FARE_CDP_URL  = "http://chrome-service.chrome-service.svc.cluster.local:9222"
+    # Live lodging-price scrape (tripit ADR-0025, issue #78): the lodging twin of
+    # FARE_PROVIDER — Playwright driving the SHARED chrome-service browser over CDP
+    # to read Booking.com + Airbnb nightly rates. Same rate-limit/cache/back-off +
+    # degrade-to-manual contract; reuses the chrome-service NetworkPolicy admission
+    # on the namespace below (no per-pod browser). LodgingMode `playwright` only
+    # exists in images >= the #78 slice (live in 03973b5), so this env lands after
+    # that rollout — same image-first hold-order as FARE/CALENDAR/RESEARCH above.
+    LODGING_PROVIDER = "playwright"
+    LODGING_CDP_URL  = "http://chrome-service.chrome-service.svc.cluster.local:9222"
+    # Calendar-conflict column (tripit issue #19): read the owner's Nextcloud
+    # calendar over CalDAV to flag date clashes on a planning Option. Base +
+    # user are non-secret; the app-password arrives via tripit-secrets. Same
+    # image-first hold-order as FARE_PROVIDER — `nextcloud` mode only exists in
+    # images >= the #19 slice (older images crash-loop on the unknown enum).
+    CALENDAR_CONFLICT_PROVIDER = "nextcloud"
+    NEXTCLOUD_CALDAV_BASE      = "https://nextcloud.viktorbarzin.me/remote.php/dav"
+    NEXTCLOUD_CALDAV_USER      = "admin"
+    # Live "Research this" agent (tripit issue #23, ADR-0008): opt-in per-Decision
+    # research via the in-cluster claude-agent-service (the `trip-planner` agent),
+    # budget-capped ~$2/run, bounded to a wall-clock deadline so a slow agent
+    # degrades to "found nothing" rather than a 504. Reuses CLAUDE_AGENT_TOKEN
+    # (already in tripit-secrets, shared with the tour ScriptWriter + planner bot)
+    # — shares the Anthropic OAuth quota, hence opt-in not always-on. Flipped live
+    # 2026-06-11 after a prod-pod behaviour review (country_when proposed
+    # not-yet-visited countries + real UK bank-holiday leave windows + fares).
+    # `claude_agent` mode requires images >= the #23 slice (already deployed).
+    RESEARCH_PROVIDER = "claude_agent"
+    # Stay cover photos (tripit issue #47, ADR-0017): auto-fetch each picked
+    # city's Wikipedia lead image (keyless REST summary API, "City, Country"
+    # first), downloaded into the app's STORAGE_DIR (never hotlinked) and
+    # served by the backend; editable per Stay (URL/upload). Fetches run
+    # post-commit under an 8s budget and degrade to a placeholder — never
+    # block trip creation. `wikipedia` mode requires images >= the #47 slice
+    # (older images crash-loop on the unknown enum) — landed after that
+    # image rolled out, same hold-order as FARE/CALENDAR/RESEARCH above.
+    CITY_IMAGE_PROVIDER = "wikipedia"
+    # Re-applied 2026-06-14: a69847a0 (the commit that added this) was never
+    # terraform-applied — its CI run skipped the tripit stack (changed-stack
+    # diff race), so the env never landed in-cluster and the provider fell back
+    # to the fake 1x1-PNG, leaving every trip/stay cover blank. This touch forces
+    # the tripit stack to re-apply and reconcile the drift.
+    # Tour-guide content pipeline (tripit#24/#25): these three default to `fake`
+    # in tripit's config, which is what shipped dark on 2026-06-08 — prod only
+    # ever showed the placeholder "Sight 1". Real providers: Wikipedia GeoSearch
+    # discovery, the five web story sources, and the claude-agent-service script
+    # writer (CLAUDE_AGENT_TOKEN already in tripit-secrets).
+    # wikipedia+llm = GeoSearch merged with claude-agent-service "what's worth
+    # seeing here" proposals (tripit#29); the place resolver backs manual sight
+    # search AND LLM-proposal resolution — its fake default is the same class of
+    # gap that shipped the feature dark, so set it explicitly.
+    SIGHT_DISCOVERY_PROVIDER = "wikipedia+llm"
+    STORY_SOURCE_MODE        = "web"
+    SCRIPT_WRITER_MODE       = "chat"
+    PLACE_RESOLVER_MODE      = "wikipedia"
   }
 }
 
@@ -76,6 +186,10 @@ resource "kubernetes_namespace" "tripit" {
       "istio-injection" = "disabled"
       # Opt into Keel auto-update (inject-keel-annotations ClusterPolicy).
       "keel.sh/enrolled" = "true"
+      # Admit this namespace through chrome-service's CDP NetworkPolicy
+      # (chrome-service-ws-ingress) — the fare scrape (#18) drives the
+      # shared browser on :9222.
+      "chrome-service.viktorbarzin.me/client" = "true"
     }
   }
   lifecycle {
@@ -84,6 +198,11 @@ resource "kubernetes_namespace" "tripit" {
   }
 }
 
+# GHCR pull secret: the ghcr-credentials Secret in this namespace is cloned in
+# by the kyverno stack's sync-ghcr-credentials ClusterPolicy (allowlisted
+# private-ghcr namespaces only — ADR-0002). Source of truth:
+# stacks/kyverno/modules/kyverno/ghcr-credentials.tf.
+
 # App secrets — seed these in Vault before applying:
 #   secret/tripit
 #     VAPID_PUBLIC_KEY      — Web Push (VAPID) public key for push subscriptions
@@ -97,7 +216,7 @@ resource "kubernetes_namespace" "tripit" {
 # DB user: created via Vault database engine — see static-creds/pg-tripit.
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "tripit-secrets"
@@ -120,10 +239,17 @@ resource "kubernetes_manifest" "external_secret" {
         }
       }
       data = [
+        # HS256 key signing TripIt's OWN session JWTs (tripit ADR-0028, #90).
+        # Delivered via env_from -> SESSION_SIGNING_KEY env; the app fails closed
+        # (TripIt sessions disabled) until this real key replaces the dev default.
+        { secretKey = "SESSION_SIGNING_KEY", remoteRef = { key = "tripit", property = "SESSION_SIGNING_KEY" } },
         { secretKey = "VAPID_PUBLIC_KEY", remoteRef = { key = "tripit", property = "VAPID_PUBLIC_KEY" } },
         { secretKey = "VAPID_PRIVATE_KEY", remoteRef = { key = "tripit", property = "VAPID_PRIVATE_KEY" } },
         { secretKey = "VAPID_SUBJECT", remoteRef = { key = "tripit", property = "VAPID_SUBJECT" } },
         { secretKey = "CALENDAR_TOKEN_SECRET", remoteRef = { key = "tripit", property = "CALENDAR_TOKEN_SECRET" } },
+        # HMAC secret signing the short-lived OTA Web-bundle zip URLs (ADR-0014
+        # addendum; the Shell's native downloader can't send auth headers).
+        { secretKey = "BUNDLE_TOKEN_SECRET", remoteRef = { key = "tripit", property = "BUNDLE_TOKEN_SECRET" } },
         { secretKey = "DOCUMENT_ENCRYPTION_KEY", remoteRef = { key = "tripit", property = "DOCUMENT_ENCRYPTION_KEY" } },
         { secretKey = "IMAP_PASSWORD", remoteRef = { key = "tripit", property = "IMAP_PASSWORD" } },
         # spam@viktorbarzin.me password — used only by the ingest-plans CronJob
@@ -149,6 +275,11 @@ resource "kubernetes_manifest" "external_secret" {
         { secretKey = "TREK_USER", remoteRef = { key = "tripit", property = "TREK_USER" } },
         { secretKey = "TREK_PASSWORD", remoteRef = { key = "tripit", property = "TREK_PASSWORD" } },
         { secretKey = "CLAUDE_AGENT_TOKEN", remoteRef = { key = "tripit", property = "CLAUDE_AGENT_TOKEN" } },
+        # Read-only Nextcloud app-password for the calendar-conflict column
+        # (tripit issue #19) — CalDAV PROPFIND/REPORT only. Single-account: this
+        # is the owner's (admin's) calendar, so every tripit user's conflict
+        # check reflects viktor's availability (v1 caveat, documented in-app).
+        { secretKey = "NEXTCLOUD_CALDAV_APP_PASSWORD", remoteRef = { key = "tripit", property = "NEXTCLOUD_CALDAV_APP_PASSWORD" } },
       ]
     }
   }
@@ -161,7 +292,7 @@ resource "kubernetes_manifest" "external_secret" {
 # role `static-creds/pg-tripit`.
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "tripit-db-creds"
@@ -277,6 +408,9 @@ resource "kubernetes_deployment" "tripit" {
         image_pull_secrets {
           name = "registry-credentials"
         }
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
 
         init_container {
           name    = "alembic-migrate"
@@ -452,10 +586,24 @@ locals {
       suspend            = false
       imap_pw_secret_key = "PLANS_IMAP_PASSWORD"
       extra_env = {
-        LLM_MODE            = "llamacpp"
-        LLM_ENDPOINT        = "http://llama-swap.llama-cpp.svc.cluster.local:8080"
-        LLM_MODEL           = "qwen3vl-4b"
+        LLM_MODE     = "llamacpp"
+        LLM_ENDPOINT = "http://llama-swap.llama-cpp.svc.cluster.local:8080"
+        # Text body extraction uses an 8B model (reliably emits flight_number);
+        # boarding-pass image attachments use the 4B vision model. llama-swap loads
+        # each on demand. Was qwen3vl-4b for both, which dropped flight numbers and
+        # duplicated schedule-change emails (2026-06-16). Switched qwen3-8b ->
+        # qwen3vl-8b (2026-06-22): the qwen3-8b GGUF SEGFAULTS on the current
+        # llama-swap :cuda image ("failed to create context"), which broke ALL mail
+        # ingest; qwen3vl-8b loads and extracts flight numbers + places reliably.
+        # (ADR-0033 adds a claude-agent-service fallback for the next llama outage.)
+        LLM_MODEL           = "qwen3vl-8b"
+        LLM_VISION_MODEL    = "qwen3vl-4b"
         MAIL_INGEST_ENABLED = "true"
+        # Reel→Wishlist ingest (tripit ADR-0031): geocode forwarded-reel venues at
+        # POI level via Nominatim (venue -> lat/lon + city + country), isolated from
+        # the global GEOCODER_PROVIDER=openmeteo which stays city-level for
+        # weather/tours. Only this CronJob runs the reel route (ingest-mail).
+        REEL_GEOCODER_PROVIDER = "nominatim"
         IMAP_HOST           = "mailserver.mailserver.svc.cluster.local"
         IMAP_PORT           = "993"
         IMAP_USER           = "spam@viktorbarzin.me"
@@ -497,6 +645,27 @@ locals {
         DAWARICH_BASE_URL = "https://dawarich.viktorbarzin.me"
       }
     }
+    # Tour-guide overnight audio fill (tripit#30, ADR-0011): synthesizes the
+    # narration audio queue against Chatterbox, which the tts stack scales up
+    # 02:00–06:00 Europe/London behind a free-VRAM preflight. 02:20 gives the
+    # scale-up + first model load headroom; the 04:30 pass re-runs the same
+    # idempotent worker as insurance (skipped window / mid-window guard yield /
+    # slow FP16 synthesis). Outside the window the worker records a
+    # `tts_unreachable` run and exits quietly — that is the normal daytime state.
+    fill-tour-audio = {
+      schedule  = "20 2 * * *"
+      timezone  = "Europe/London"
+      command   = ["python", "-m", "tripit_api", "fill-tour-audio"]
+      suspend   = false
+      extra_env = {}
+    }
+    fill-tour-audio-retry = {
+      schedule  = "30 4 * * *"
+      timezone  = "Europe/London"
+      command   = ["python", "-m", "tripit_api", "fill-tour-audio"]
+      suspend   = false
+      extra_env = {}
+    }
   }
 }
 
@@ -533,6 +702,9 @@ resource "kubernetes_cron_job_v1" "tripit_worker" {
             image_pull_secrets {
               name = "registry-credentials"
             }
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
             container {
               name    = "worker"
               image   = local.image
@@ -630,15 +802,82 @@ resource "kubernetes_service" "tripit" {
 # Kyverno ClusterPolicy `sync-tls-secret` auto-clones the wildcard TLS
 # secret into every namespace, so we don't need a setup_tls_secret module.
 
-# Main host — Authentik forward-auth gates every request. The backend reads
-# the injected X-authentik-email header (AUTH_MODE=forwardauth) for multi-user
-# SSO; it ships no own login, so Authentik is the gate.
+# Main host — the SPA shell is served PUBLICLY so an unauthenticated visitor
+# gets the app's own landing page (Log in / Sign up) instead of a forced
+# Authentik 302 (tripit ADR-0020). The app gates itself (it probes /api/me); all
+# data + the authenticated surface live under /api, which module.ingress_app_api
+# below keeps behind forward-auth. The static SPA assets carry no secrets and no
+# auth-trusting code, and strip-auth-headers ensures a spoofed X-authentik-* can
+# never reach the backend through this public path.
 module "ingress" {
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": serves the public SPA shell + landing page; the app gates
+  # itself and every data route lives behind /api (kept under forward-auth by
+  # module.ingress_app_api). Static assets are non-sensitive.
+  auth             = "none"
+  anti_ai_scraping = false # installable PWA, not scrapable content — Anubis PoW would break it
+  dns_type         = "proxied"
+  namespace        = kubernetes_namespace.tripit.metadata[0].name
+  name             = "tripit"
+  port             = 8080
+  tls_secret_name  = var.tls_secret_name
+  # Photos tab bursts hundreds of thumbnail GETs (now via the gated /api host);
+  # keep the dedicated 100/1000 limiter here too for the SPA's own asset bursts.
+  skip_default_rate_limit = true
+  extra_middlewares = [
+    "traefik-strip-auth-headers@kubernetescrd",
+    "traefik-tripit-rate-limit@kubernetescrd",
+  ]
+}
+
+# /api is served by TripIt's OWN authentication now (ADR-0028 #96 cutover):
+# Authentik forward-auth is REMOVED so the website can carry a TripIt session
+# cookie (the outpost would 302 a cookie-only request away). The app
+# self-authenticates — get_current_user accepts a TripIt session FIRST; a request
+# with no session 401s and the SPA shows the landing page. strip-auth-headers is
+# REQUIRED here: with forward-auth gone, AUTH_MODE=hybrid's forward-auth arm would
+# otherwise trust a client-injected X-authentik-email — stripping inbound
+# X-authentik-* closes that header-injection bypass. (The Shell keeps using
+# Authentik bearers on the separate tripit-api.* host until #94; the full
+# AUTH_MODE collapse to TripIt-session-only follows then.) anti_ai_scraping=false
+# so Anubis PoW doesn't break programmatic API calls. The auth=none carve-outs
+# below (calendar, emails/confirm, planner/slack) are longer prefixes and keep
+# winning for their own sub-paths.
+module "ingress_app_api" {
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": /api self-authenticates via TripIt's own session (ADR-0028 #96);
+  # strip-auth-headers (below) blocks any client-injected X-authentik-* so the
+  # hybrid forward-auth arm cannot be tricked. No session => 401 => SPA landing.
+  auth             = "none"
+  anti_ai_scraping = false
+  dns_type         = "none" # main module.ingress owns the DNS record for this host
+  namespace        = kubernetes_namespace.tripit.metadata[0].name
+  name             = "tripit-app-api"
+  service_name     = "tripit"
+  full_host        = "tripit.viktorbarzin.me"
+  ingress_path     = ["/api"]
+  port             = 8080
+  tls_secret_name  = var.tls_secret_name
+  # Same photo-thumbnail burst profile as before — keep the dedicated limiter.
+  skip_default_rate_limit = true
+  extra_middlewares = [
+    "traefik-strip-auth-headers@kubernetescrd",
+    "traefik-tripit-rate-limit@kubernetescrd",
+  ]
+}
+
+# /metrics stays gated behind forward-auth (it is scraped in-cluster via the
+# Service and never needs to be public); split out of the /api ingress by the
+# #96 cutover, which made /api self-authenticated.
+module "ingress_metrics" {
   source          = "../../modules/kubernetes/ingress_factory"
   auth            = "required"
-  dns_type        = "proxied"
+  dns_type        = "none"
   namespace       = kubernetes_namespace.tripit.metadata[0].name
-  name            = "tripit"
+  name            = "tripit-metrics"
+  service_name    = "tripit"
+  full_host       = "tripit.viktorbarzin.me"
+  ingress_path    = ["/metrics"]
   port            = 8080
   tls_secret_name = var.tls_secret_name
 }
@@ -701,3 +940,32 @@ module "ingress_planner_slack" {
   port             = 8080
   tls_secret_name  = var.tls_secret_name
 }
+
+# Bearer-only API host for the native Shell (tripit ADR-0017, viktor/tripit#49):
+# the Shell's WebView can't do the forward-auth cookie dance, and CORS
+# preflights would die at the outpost, so this host carries no Authentik
+# middleware at all.
+module "ingress_api" {
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": requests are gated by the backend itself — it validates
+  # OIDC bearer JWTs from the tripit-app Authentik provider (AUTH_MODE=hybrid,
+  # tripit slice 2; 401 for everything else). strip-auth-headers deletes
+  # inbound X-authentik-* so the hybrid fallback header can never be spoofed
+  # through this host.
+  auth             = "none"
+  anti_ai_scraping = false
+  dns_type         = "proxied"
+  namespace        = kubernetes_namespace.tripit.metadata[0].name
+  name             = "tripit-api"
+  service_name     = "tripit"
+  port             = 8080
+  tls_secret_name  = var.tls_secret_name
+  # Same photo-grid burst profile as the main tripit host (the Android Shell's
+  # gallery fetches thumbnails through this host) — share the dedicated
+  # 100/1000 tripit-rate-limit instead of the default 10/50.
+  skip_default_rate_limit = true
+  extra_middlewares = [
+    "traefik-strip-auth-headers@kubernetescrd",
+    "traefik-tripit-rate-limit@kubernetescrd",
+  ]
+}
diff --git a/stacks/tts/README.md b/stacks/tts/README.md
new file mode 100644
index 00000000..f5a972dd
--- /dev/null
+++ b/stacks/tts/README.md
@@ -0,0 +1,149 @@
+# tts — Chatterbox TTS (tripit narration)
+
+In-cluster text-to-speech for tripit's "Tour guide". Runs the
+[devnen/Chatterbox-TTS-Server](https://github.com/devnen/Chatterbox-TTS-Server)
+(Resemble AI Chatterbox under an OpenAI-compatible HTTP server) as a single
+Deployment + ClusterIP Service `chatterbox-tts.tts.svc.cluster.local:8000`,
+requesting **one time-slice** of the shared Tesla T4 (`nvidia.com/gpu: 1`).
+
+Full design + rationale (Option-A off-peak control, OOM analysis, ADR links):
+`docs/plans/2026-06-08-chatterbox-tts-infra.md` (in the tripit-tour-guide repo)
+and `infra/docs/post-mortems/2026-06-02-immich-ml-ttl-gpu-oom-recruiter.md`.
+
+> This stack mirrors `infra/stacks/llama-cpp/`. The scaffolding files
+> (`backend.tf`, `providers.tf`, `cloudflare_provider.tf`, `tiers.tf`,
+> `.terraform.lock.hcl`) are **generated by Terragrunt** on `init` and are
+> git-ignored — only `main.tf`, `terragrunt.hcl` and this README are tracked.
+
+---
+
+## What this stack creates
+
+- `kubernetes_namespace.tts` — tier `2-gpu`, keel-enrolled, istio off.
+- `module.nfs_models` — RWX NFS-SSD PVC at `/srv/nfs-ssd/chatterbox`, mounted at
+  `/data` (predefined voices, narrator reference WAVs, **and** the HuggingFace
+  model cache via `HF_HOME=/data/hf_cache`, so weights download once and persist
+  across the per-window pod recreation).
+- `kubernetes_config_map.chatterbox_config` — `config.yaml`: `server.port=8004`,
+  `model.repo_id=chatterbox-multilingual`, `tts_engine.device=cuda`, voices /
+  reference paths under `/data`.
+- `kubernetes_deployment.chatterbox` — **starts at `replicas=0`**; the off-peak
+  CronJobs own the replica count at runtime. `TTS_BF16=off` (T4 = Turing, no
+  bf16). `priority_class_name=tier-2-gpu` (the polite-tenant demotion).
+- `kubernetes_service.chatterbox` — ClusterIP, **`port 8000 → targetPort 8004`**
+  so tripit's default `TTS_BASE_URL` works unchanged. Prometheus scrape
+  annotations.
+- **Off-peak control** (SA + Role + RoleBinding + 3 CronJobs): see below.
+
+## Off-peak control (Option A — window + free-VRAM gate)
+
+The T4 is time-sliced with **zero VRAM isolation** (post-mortem 2026-06-02), so
+`nvidia.com/gpu: 1` buys a scheduling turn, NOT memory. Chatterbox must only
+allocate VRAM when the card is actually free. Implemented as three CronJobs
+(all `Europe/London`), each a `bitnami/kubectl` pod using the namespace SA:
+
+| CronJob | Schedule (default) | Action |
+|---|---|---|
+| `chatterbox-window-up`   | `0 2 * * *`     | **Preflight**: scrape `gpu_pod_memory_used_bytes` from `gpu-pod-exporter.nvidia.svc:80/metrics`, compute `free = 16 GiB − Σused`; scale to **1 only if** `free ≥ vram_free_floor_bytes`. |
+| `chatterbox-vram-guard`  | `*/5 2-5 * * *` | **Guard**: every 5 min in-window, scale to **0** if `free < floor` (a resident woke; yield the card mid-bake). |
+| `chatterbox-window-down` | `0 6 * * *`     | **Window end**: scale to **0** unconditionally. |
+
+`tripit`'s bake is best-effort + cached-forever (ADR-0002/0004) — a skipped or
+aborted window simply backfills on the next one. No latency SLA.
+
+### The free-VRAM floor — YOU MUST MEASURE THIS
+
+`var.vram_free_floor_bytes` defaults to **6 GiB** (a conservative guess:
+~4 GiB assumed multilingual FP16 peak + ~2 GiB headroom for the
+read→`cudaMalloc` race). **The real T4 peak of `chatterbox-multilingual` is not
+published upstream.** Capture it during the first bake:
+
+```bash
+# while a real synth is running on the freed T4:
+kubectl -n monitoring exec deploy/prometheus -- \
+  promtool query instant http://localhost:9090 \
+  'sum(gpu_pod_memory_used_bytes{namespace="tts"})'
+# or read the gauge straight from the exporter:
+kubectl -n nvidia exec ds/gpu-pod-exporter -- \
+  sh -c 'curl -s localhost:9401/metrics | grep "namespace=\"tts\""'
+```
+
+Then set the floor to `measured_peak + ~2 GiB` (pass `-var` or add to the stack
+tfvars). If the peak is too high to coexist even off-peak, switch
+`model.repo_id` in `main.tf` to `chatterbox` (English, lighter) or
+`chatterbox-turbo`, or escalate to Option B (scale `immich-machine-learning` to
+0 for the window).
+
+---
+
+## Build + push the image (do this BEFORE the first apply)
+
+`devnen/Chatterbox-TTS-Server` ships **no published image** — build from the
+repo's **cu128** target (matches the cluster's pinned 570.195.03 / CUDA 12.8
+driver) and push to the private Forgejo registry. The devvm docker is pre-authed
+to `forgejo.viktorbarzin.me`. Run on the devvm (large CUDA image — needs disk +
+bandwidth):
+
+```bash
+# 1. Clone the upstream server repo (outside the monorepo).
+git clone https://github.com/devnen/Chatterbox-TTS-Server /tmp/chatterbox-tts-server
+cd /tmp/chatterbox-tts-server
+
+# 2. Build the cu128 variant (Dockerfile.cu128 — PyTorch 2.9.0+cu128, the target
+#    the repo's docker-compose-cu128.yml uses) for linux/amd64.
+SHA="$(git rev-parse --short=8 HEAD)"
+docker build \
+  --platform linux/amd64 \
+  --build-arg RUNTIME=nvidia \
+  -f Dockerfile.cu128 \
+  -t forgejo.viktorbarzin.me/viktor/chatterbox-tts:latest \
+  -t "forgejo.viktorbarzin.me/viktor/chatterbox-tts:${SHA}" \
+  .
+
+# 3. Push both tags. (If docker isn't authed: log in with the viktor push PAT
+#    from Vault — `vault kv get -field=forgejo_push_token secret/ci/global` —
+#    `docker login forgejo.viktorbarzin.me -u viktor`.)
+docker push forgejo.viktorbarzin.me/viktor/chatterbox-tts:latest
+docker push "forgejo.viktorbarzin.me/viktor/chatterbox-tts:${SHA}"
+```
+
+> If `Dockerfile.cu128` is not a clean `docker build` target (e.g. it relies on
+> build args defined only in `docker-compose-cu128.yml`), lift those args onto
+> the `docker build` line or `docker compose -f docker-compose-cu128.yml build`
+> then `docker tag` the resulting `chatterbox-tts-server:cu128` image to the
+> Forgejo ref above before pushing.
+
+---
+
+## Apply (admin-gated — run in order)
+
+```bash
+vault login -method=oidc
+~/code/scripts/presence claim node:k8s-node1 --purpose "chatterbox-tts first apply (GPU)"
+~/code/scripts/presence claim stack:tts      --purpose "chatterbox-tts stack apply"
+
+# 1. The polite-tenant hardening (exclude tts from gpu-workload priority).
+~/code/scripts/tg plan  --stack kyverno
+~/code/scripts/tg apply --stack kyverno
+
+# 2. This stack.
+~/code/scripts/tg plan  --stack tts
+~/code/scripts/tg apply --stack tts        # apply does NOT wake the GPU (replicas=0)
+
+# 3. Flip tripit narration on.
+~/code/scripts/tg plan  --stack tripit
+~/code/scripts/tg apply --stack tripit
+```
+
+See `docs/plans/2026-06-08-chatterbox-tts-infra.md` §5 for the full go-live
+checklist (seed voices on NFS-SSD, smoke-test a synth, watch the neighbours).
+
+## Rollback (instant, no data loss)
+
+- **Narration off:** set `TTS_MODE=none` (or drop the three `TTS_*` lines) in
+  `stacks/tripit/main.tf` → `tg apply --stack tripit`. The bake makes no audio;
+  playback falls back to browser TTS. Cached `story_audio` rows are harmless.
+- **Chatterbox off the GPU:** `kubectl -n tts scale deploy/chatterbox-tts
+  --replicas=0` (transient) and/or `tg destroy --stack tts`. Best-effort synth
+  means tripit bakes keep running audio-less — no error.
+- Neither touches the resident GPU tenants (Option A never modifies them).
diff --git a/stacks/tts/main.tf b/stacks/tts/main.tf
new file mode 100644
index 00000000..e8c4d76e
--- /dev/null
+++ b/stacks/tts/main.tf
@@ -0,0 +1,647 @@
+variable "image_tag" {
+  type = string
+  # Pinned to the devnen upstream sha the GHA build was dispatched against
+  # (tripit .github/workflows/build-chatterbox.yml). NOT :cu128/:latest — the
+  # original Forgejo-registry push is unpullable (corrupt layer blob, 500 on
+  # HEAD), which is also why the image moved to GHCR.
+  default     = "915ae289"
+  description = "chatterbox-tts GHCR image tag (devnen upstream short sha)."
+}
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Option-A off-peak control (see docs/plans/2026-06-08-chatterbox-tts-infra.md §3).
+# The Deployment sits at replicas=0; a CronJob scales it to 1 at the window start
+# ONLY IF a free-VRAM preflight passes, and another scales it back to 0 at window
+# end. A guard CronJob yields the card mid-window if free VRAM drops below the
+# floor (a resident woke up). tripit's bake is best-effort + idempotent, so a
+# skipped/aborted window simply backfills on the next one (ADR-0002/0004).
+# ─────────────────────────────────────────────────────────────────────────────
+
+variable "vram_free_floor_bytes" {
+  type = number
+  # OPEN ITEM — must be measured (§5 smoke test / §3.X). This is the minimum free
+  # VRAM the preflight requires before it will scale Chatterbox up, and the floor
+  # the guard yields below. Default = 6 GiB ≈ (a conservative guess for
+  # chatterbox-multilingual FP16 peak ~4 GiB + ~2 GiB headroom for the
+  # read→cudaMalloc race). RAISE/LOWER once the real T4 peak is captured from
+  # gpu_pod_memory_used_bytes{namespace="tts"} during a real synth.
+  default     = 6442450944
+  description = "Minimum free GPU VRAM (bytes) required before scaling Chatterbox up; guard yields below it."
+}
+
+variable "gpu_total_bytes" {
+  type        = number
+  default     = 17179869184 # Tesla T4 = 16 GiB
+  description = "Total VRAM on the shared GPU. Free = this minus sum(gpu_pod_memory_used_bytes)."
+}
+
+variable "offpeak_window_up_schedule" {
+  type        = string
+  default     = "0 2 * * *" # 02:00 Europe/London (see timezone on the CronJob)
+  description = "Cron schedule that fires the free-VRAM preflight + scale-up at window start."
+}
+
+variable "offpeak_window_down_schedule" {
+  type        = string
+  default     = "0 6 * * *" # 06:00 Europe/London
+  description = "Cron schedule that scales Chatterbox back to 0 at window end."
+}
+
+variable "offpeak_guard_schedule" {
+  type = string
+  # ALL-DAY since the demand gate (2026-06-12): live synthesis can hold the
+  # card at any hour, so the yield-on-VRAM-pressure guard must watch at any
+  # hour too. A guard tick while replicas=0 is a no-op.
+  default     = "*/5 * * * *"
+  description = "Cron schedule for the guard that yields the card if free VRAM drops below the floor."
+}
+
+locals {
+  namespace = "tts"
+  labels    = { app = "chatterbox-tts" }
+  image     = "ghcr.io/viktorbarzin/chatterbox-tts:${var.image_tag}"
+
+  # config.yaml rendered into a ConfigMap, mounted at /app/config.yaml (the
+  # server's WORKDIR is /app). Voices, reference audio and the HF model cache
+  # all live on the NFS-SSD PVC (mounted at /data) so weights persist across
+  # restarts and load fast. server.port stays at the devnen default 8004; the
+  # Service remaps 8000->8004 so tripit's default TTS_BASE_URL works unchanged.
+  #
+  # model.repo_id = chatterbox-multilingual (ADR-0004; 23 languages for
+  # worldwide place-names). If the measured T4 VRAM peak is too high to coexist
+  # even off-peak, fall back to "chatterbox" (English, lighter) — a one-line
+  # change here (§3.X / §6 decision 3).
+  chatterbox_config = yamlencode({
+    server = {
+      host = "0.0.0.0"
+      port = 8004
+    }
+    model = {
+      repo_id = "chatterbox-multilingual"
+    }
+    tts_engine = {
+      device = "cuda"
+      # Predefined voices come from the IMAGE's bundled set (28 reference WAVs
+      # under the devnen server's /app/voices) rather than the NFS PVC: nobody
+      # can seed /data/voices without NFS-host shell access, and an empty
+      # predefined dir means /v1/audio/voices serves nothing (it gates the
+      # readiness probe). tripit's Voice catalog (tripit#30) names a subset of
+      # these stems. /data keeps reference_audio (future cloning) + HF cache.
+      predefined_voices_path = "/app/voices"
+      reference_audio_path   = "/data/reference_audio"
+    }
+  })
+
+  # Shared script for the off-peak CronJobs. Reads the in-cluster
+  # gpu_pod_memory_used_bytes gauge (the per-namespace gauge the 2026-06-02
+  # post-mortem built — host-PID attribution, no new exporter needed), sums it,
+  # and computes free = GPU_TOTAL - used. Pure POSIX + awk; curl is baked into
+  # the curl image. ACTION is "up" | "down" | "guard".
+  #   up    — scale to 1 ONLY IF free >= FLOOR (positive admission).
+  #   guard — scale to 0 IF free < FLOOR (a resident woke mid-window; yield).
+  #   down  — scale to 0 unconditionally (window end).
+  # Heredoc escaping: only `$${...}` (literal `${...}`) is escaped — Terraform
+  # would otherwise try to interpolate it. Bare `$(...)`, `$((...))` and awk's
+  # `$NF` are literal `$` and pass through unescaped.
+  vram_gate_script = <<-EOT
+    set -eu
+    : "$${ACTION:?}" "$${FLOOR:?}" "$${GPU_TOTAL:?}"
+    METRICS_URL="http://gpu-pod-exporter.nvidia.svc.cluster.local:80/metrics"
+
+    # Sum gpu_pod_memory_used_bytes across all pods. Missing metric / empty
+    # scrape => used=0 (card idle). -f so a non-200 scrape is a hard error we
+    # treat conservatively (skip scale-up).
+    if ! BODY="$(curl -sf -m 10 "$${METRICS_URL}")"; then
+      echo "WARN: could not scrape $${METRICS_URL}"
+      if [ "$${ACTION}" = "up" ] || [ "$${ACTION}" = "demand" ]; then
+        echo "$${ACTION}: scrape failed -> NOT scaling up (fail-safe)"; exit 0
+      fi
+      # For down/guard a failed scrape must NOT block yielding the card.
+      BODY=""
+    fi
+    USED="$(printf '%s\n' "$${BODY}" \
+      | awk '/^gpu_pod_memory_used_bytes\{/ { s += $NF } END { printf "%d", s }')"
+    USED="$${USED:-0}"
+    FREE="$(( GPU_TOTAL - USED ))"
+    echo "GPU VRAM: used=$${USED} free=$${FREE} floor=$${FLOOR} (total=$${GPU_TOTAL})"
+
+    case "$${ACTION}" in
+      up)
+        if [ "$${FREE}" -ge "$${FLOOR}" ]; then
+          echo "preflight PASS: free >= floor -> scaling chatterbox-tts to 1"
+          kubectl -n tts scale deploy/chatterbox-tts --replicas=1
+        else
+          echo "preflight SKIP: free < floor -> leaving chatterbox-tts at 0 (retry next window)"
+        fi
+        ;;
+      guard)
+        if [ "$${FREE}" -lt "$${FLOOR}" ]; then
+          echo "guard TRIP: free < floor -> yielding the card, scaling chatterbox-tts to 0"
+          kubectl -n tts scale deploy/chatterbox-tts --replicas=0
+        else
+          echo "guard OK: free >= floor -> chatterbox-tts may keep running"
+        fi
+        ;;
+      down)
+        echo "window end -> scaling chatterbox-tts to 0"
+        kubectl -n tts scale deploy/chatterbox-tts --replicas=0
+        ;;
+      demand)
+        # GPU-gated LIVE narration (tripit#24 amendment, 2026-06-12): scale up
+        # whenever tripit has audio waiting AND the card has room; idle back
+        # down when the queue empties (even inside the nightly window — done is
+        # done, free the card early). The 02:00 window-up stays the guaranteed
+        # nightly catch-up for days the daytime card never had room.
+        # A FAILED probe must not read as "queue empty": defaulting to 0 idled
+        # the deployment the very minute it first went Ready (2026-06-12 20:30
+        # UTC — one transient curl failure, 27 items still queued). Fail-safe
+        # is NO ACTION; worst case a stale-up deployment idles until the 06:00
+        # window-down. (This also covers a 404 from an older tripit image.)
+        if ! QBODY="$(curl -sf -m 10 "$${QUEUE_URL}")"; then
+          echo "demand: queue probe failed -> no action (fail-safe)"; exit 0
+        fi
+        QUEUED="$(printf '%s\n' "$${QBODY}" \
+          | sed -n 's/.*"queued"[^0-9]*\([0-9][0-9]*\).*/\1/p')"
+        if [ -z "$${QUEUED}" ]; then
+          echo "demand: unparseable queue response -> no action (fail-safe)"; exit 0
+        fi
+        REPLICAS="$(kubectl -n tts get deploy/chatterbox-tts -o jsonpath='{.spec.replicas}')"
+        echo "demand: queued=$${QUEUED} replicas=$${REPLICAS}"
+        if [ "$${QUEUED}" -gt 0 ] && [ "$${REPLICAS}" = "0" ]; then
+          if [ "$${FREE}" -ge "$${FLOOR}" ]; then
+            echo "demand: audio waiting + room on the card -> scaling chatterbox-tts to 1"
+            kubectl -n tts scale deploy/chatterbox-tts --replicas=1
+          else
+            echo "demand: audio waiting but free < floor -> staying down (nightly window catches up)"
+          fi
+        elif [ "$${QUEUED}" -eq 0 ] && [ "$${REPLICAS}" != "0" ]; then
+          echo "demand: queue empty -> idling chatterbox-tts back to 0"
+          kubectl -n tts scale deploy/chatterbox-tts --replicas=0
+        fi
+        ;;
+    esac
+  EOT
+
+  # Common spec for the three off-peak CronJobs. Each runs one bitnami/kubectl
+  # pod (in-cluster SA, no kubeconfig) executing the shared gate script with a
+  # different ACTION. timezone pins the window to Europe/London regardless of
+  # node TZ.
+  offpeak_cronjobs = {
+    chatterbox-window-up = {
+      schedule = var.offpeak_window_up_schedule
+      action   = "up"
+    }
+    chatterbox-window-down = {
+      schedule = var.offpeak_window_down_schedule
+      action   = "down"
+    }
+    chatterbox-vram-guard = {
+      schedule = var.offpeak_guard_schedule
+      action   = "guard"
+    }
+    # GPU-gated live narration: every 3 min, scale up when tripit's audio queue
+    # is non-empty and the VRAM preflight passes; idle down when it empties.
+    chatterbox-demand-gate = {
+      schedule = "*/3 * * * *"
+      action   = "demand"
+    }
+  }
+
+  # tripit's unauthenticated in-cluster queue probe (count only, non-sensitive).
+  # Probe failures (incl. a 404 from an older tripit image) make the demand
+  # gate take NO action — only an explicit parsed count scales anything.
+  tripit_queue_url = "http://tripit.tripit.svc.cluster.local:8080/api/tour/tts-queue"
+}
+
+resource "kubernetes_namespace" "tts" {
+  metadata {
+    name = local.namespace
+    labels = {
+      tier               = local.tiers.gpu
+      "istio-injection"  = "disabled"
+      "keel.sh/enrolled" = "true"
+    }
+  }
+  lifecycle {
+    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
+  }
+}
+
+# Model weights + voices on NFS-SSD (fast load), RWX so a seed Job / kubectl cp
+# can write the predefined voices + narrator reference WAV while the Deployment
+# mounts it. Path /srv/nfs-ssd/chatterbox on the Proxmox host. Mirrors
+# llama-cpp's nfs_models. First start downloads the model into /data/hf_cache
+# (HF_HOME below), so weights persist across pod restarts.
+module "nfs_models" {
+  source     = "../../modules/kubernetes/nfs_volume"
+  name       = "chatterbox-models"
+  namespace  = kubernetes_namespace.tts.metadata[0].name
+  nfs_server = "192.168.1.127"
+  nfs_path   = "/srv/nfs-ssd/chatterbox"
+  storage    = "20Gi" # multilingual weights + HF cache + voices headroom
+}
+
+# One-shot bootstrap: /srv/nfs-ssd is exported whole-tree, but the chatterbox
+# SUBDIR never existed on the host (a manual go-live step nobody with NFS-host
+# shell access ran), so kubelet's subdir mount failed with exit 32 forever
+# (observed first window, 2026-06-12). Mount the export ROOT — which exists —
+# and mkdir the subtree; kubelet's periodic mount retry then self-heals the
+# chatterbox pod. mkdir -p is idempotent; the Job is immutable-once-created.
+resource "kubernetes_job" "models_dir_init" {
+  metadata {
+    name      = "chatterbox-models-dir-init"
+    namespace = kubernetes_namespace.tts.metadata[0].name
+    labels    = local.labels
+  }
+  spec {
+    backoff_limit              = 3
+    ttl_seconds_after_finished = 86400
+    template {
+      metadata { labels = local.labels }
+      spec {
+        restart_policy = "Never"
+        container {
+          name    = "mkdir"
+          image   = "busybox:1.37"
+          command = ["sh", "-c", "mkdir -p /mnt/chatterbox/hf_cache /mnt/chatterbox/reference_audio && ls -la /mnt/chatterbox"]
+          volume_mount {
+            name       = "nfs-ssd-root"
+            mount_path = "/mnt"
+          }
+        }
+        volume {
+          name = "nfs-ssd-root"
+          nfs {
+            server = "192.168.1.127"
+            path   = "/srv/nfs-ssd"
+          }
+        }
+      }
+    }
+  }
+  wait_for_completion = true
+  timeouts { create = "3m" }
+}
+
+# Pull secret for the PRIVATE ghcr.io/viktorbarzin/chatterbox-tts image (built
+# off-infra by tripit's build-chatterbox.yml GHA workflow — the Forgejo registry
+# copy is unpullable, corrupt layer blob). Mirrors stacks/tripit's ghcr secret.
+data "vault_kv_secret_v2" "viktor" {
+  mount = "secret"
+  name  = "viktor"
+}
+
+resource "kubernetes_secret" "ghcr_credentials" {
+  metadata {
+    name      = "ghcr-credentials"
+    namespace = kubernetes_namespace.tts.metadata[0].name
+  }
+  type = "kubernetes.io/dockerconfigjson"
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "ghcr.io" = {
+          username = "ViktorBarzin"
+          password = data.vault_kv_secret_v2.viktor.data["github_pat"]
+          auth     = base64encode("ViktorBarzin:${data.vault_kv_secret_v2.viktor.data["github_pat"]}")
+        }
+      }
+    })
+  }
+}
+
+resource "kubernetes_config_map" "chatterbox_config" {
+  metadata {
+    name      = "chatterbox-config"
+    namespace = kubernetes_namespace.tts.metadata[0].name
+    labels    = local.labels
+  }
+  data = {
+    "config.yaml" = local.chatterbox_config
+  }
+}
+
+# Single Deployment running the devnen Chatterbox-TTS-Server (OpenAI-compatible
+# /v1/audio/speech). Sits at replicas=0 — the off-peak CronJobs below scale it
+# to 1 only when the free-VRAM preflight passes (Option A), and back to 0 at
+# window end. wait_for_rollout=false so apply never blocks on a pod that is
+# intentionally scaled to 0.
+resource "kubernetes_deployment" "chatterbox" {
+  metadata {
+    name      = "chatterbox-tts"
+    namespace = kubernetes_namespace.tts.metadata[0].name
+    labels    = merge(local.labels, { tier = local.tiers.gpu })
+  }
+  wait_for_rollout = false
+  spec {
+    # Off-peak control owns the replica count at runtime (CronJobs scale 0<->1).
+    # Declare 0 here so a plain `tg apply` outside the window doesn't wake the
+    # card. ignore_changes on replicas (below) stops apply from fighting the
+    # CronJob's scale.
+    replicas = 0
+    strategy { type = "Recreate" }
+    selector {
+      match_labels = { app = "chatterbox-tts" }
+    }
+    template {
+      metadata {
+        labels = { app = "chatterbox-tts" }
+        annotations = {
+          "checksum/config" = sha256(local.chatterbox_config)
+        }
+      }
+      spec {
+        node_selector = { "nvidia.com/gpu.present" = "true" }
+        toleration {
+          key      = "nvidia.com/gpu"
+          operator = "Equal"
+          value    = "true"
+          effect   = "NoSchedule"
+        }
+        # C-hardening (§3.RECOMMENDATION.3): Chatterbox is a polite, best-effort
+        # batch tenant — give it the regular tier-2-gpu priority (600000) so it
+        # is ALWAYS the pod evicted under GPU-node pressure, never immich-ml /
+        # frigate / llama-swap. This relies on the `tts` namespace being EXCLUDED
+        # from the Kyverno `inject-gpu-workload-priority` policy (which would
+        # otherwise stamp the immich-equal gpu-workload=1,200,000 priority on any
+        # nvidia.com/gpu pod). That exclusion is the two-line edit to the kyverno
+        # stack flagged in the PR. Without it, this priority_class_name is
+        # overwritten on pod CREATE and Chatterbox would compete as an equal.
+        priority_class_name = "tier-2-gpu"
+
+        image_pull_secrets { name = "registry-credentials" }
+        image_pull_secrets {
+          name = kubernetes_secret.ghcr_credentials.metadata[0].name
+        }
+
+        # tripit's voice catalog sends bare stems ("Emily"); the server resolves
+        # the voice as a LITERAL filename in predefined_voices_path THEN in
+        # reference_audio (404 otherwise, observed 2026-06-12: all 27 queued
+        # narrations failed with "Voice file 'Emily' not found"). Upstream HEAD
+        # (= our pinned sha) has no stem fallback, and symlinks can't bridge it
+        # because safe_resolve_within() .resolve()s them out of the containment
+        # check. So seed REAL extension-less copies of the bundled voices into
+        # reference_audio on the PVC (the second lookup path). Same image as the
+        # main container = no extra pull; idempotent; ~15 MB once. The engine
+        # sniffs audio content, not extensions.
+        init_container {
+          name  = "seed-stem-voices"
+          image = local.image
+          command = ["sh", "-c", <<-EOC
+            set -eu
+            mkdir -p /data/reference_audio
+            for f in /app/voices/*.wav /app/voices/*.mp3; do
+              [ -e "$f" ] || continue
+              stem="$(basename "$f")"; stem="$${stem%.*}"
+              [ -e "/data/reference_audio/$stem" ] || cp "$f" "/data/reference_audio/$stem"
+            done
+            echo "reference_audio seeded:"; ls /data/reference_audio
+          EOC
+          ]
+          volume_mount {
+            name       = "models"
+            mount_path = "/data"
+          }
+        }
+
+        container {
+          name  = "chatterbox-tts"
+          image = local.image
+          port {
+            container_port = 8004
+            name           = "http"
+          }
+
+          # T4 is Turing — NO bf16 (ADR-0004). Pin off; run FP16/FP32.
+          env {
+            name  = "TTS_BF16"
+            value = "off"
+          }
+          # Park the HuggingFace cache on the NFS-SSD PVC so model weights
+          # download once and persist across pod restarts (the pod is recreated
+          # every window). The devnen compose mounts HF cache at /app/hf_cache;
+          # point HF_HOME at the PVC instead.
+          env {
+            name  = "HF_HOME"
+            value = "/data/hf_cache"
+          }
+          env {
+            name  = "HF_HUB_CACHE"
+            value = "/data/hf_cache"
+          }
+
+          volume_mount {
+            name       = "config"
+            mount_path = "/app/config.yaml"
+            sub_path   = "config.yaml"
+          }
+          volume_mount {
+            name       = "models"
+            mount_path = "/data"
+          }
+
+          # TCP probes, deliberately NOT http: the server synthesizes chunks
+          # as a BLOCKING call inside its async handler, so the event loop —
+          # and any HTTP probe — hangs for the whole multi-minute story. The
+          # http liveness probe killed the container mid-synthesis (exit 137,
+          # observed 2026-06-12 20:48–20:53: every drain pass then faced a
+          # cold engine and timed out forever). TCP keeps the original
+          # semantics where it matters: uvicorn only binds 8004 AFTER the
+          # lifespan hook finishes loading the model ("Application startup
+          # complete" precedes "Uvicorn running"), so a TCP readiness pass
+          # still means "model loaded", while a GPU-busy server stays alive.
+          readiness_probe {
+            tcp_socket {
+              port = 8004
+            }
+            initial_delay_seconds = 20
+            period_seconds        = 15
+            failure_threshold     = 12
+          }
+          liveness_probe {
+            tcp_socket {
+              port = 8004
+            }
+            initial_delay_seconds = 120
+            period_seconds        = 30
+            failure_threshold     = 5
+          }
+          resources {
+            requests = {
+              cpu    = "200m"
+              memory = "2Gi"
+            }
+            limits = {
+              memory           = "8Gi"
+              "nvidia.com/gpu" = "1" # ONE time-slice (operator advertises 100), NOT the whole card
+            }
+          }
+        }
+
+        volume {
+          name = "config"
+          config_map {
+            name = kubernetes_config_map.chatterbox_config.metadata[0].name
+          }
+        }
+        volume {
+          name = "models"
+          persistent_volume_claim {
+            claim_name = module.nfs_models.claim_name
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [
+      # Off-peak CronJobs own the replica count — don't let apply reset it.
+      spec[0].replicas,
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      # image is TF-OWNED (pinned GHCR sha tag) — NOT keel-managed: keel can't
+      # poll the private GHCR repo, and the 2026-06-12 registry switch must apply.
+      metadata[0].annotations["keel.sh/match-tag"],
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      metadata[0].annotations["kubernetes.io/change-cause"],
+      metadata[0].annotations["deployment.kubernetes.io/revision"],
+      spec[0].template[0].metadata[0].annotations["keel.sh/update-time"],
+    ]
+  }
+}
+
+resource "kubernetes_service" "chatterbox" {
+  metadata {
+    name      = "chatterbox-tts"
+    namespace = kubernetes_namespace.tts.metadata[0].name
+    labels    = local.labels
+    annotations = {
+      # Prometheus annotation-based scrape (mirrors tripit). The devnen server
+      # has no /metrics; this monitors liveness via the blackbox path and keeps
+      # the Service in the scrape set if a /metrics endpoint is added later.
+      "prometheus.io/scrape" = "true"
+      "prometheus.io/path"   = "/v1/audio/voices"
+      "prometheus.io/port"   = "8000"
+    }
+  }
+  spec {
+    type     = "ClusterIP" # in-cluster only — never ingressed (no token needed)
+    selector = { app = "chatterbox-tts" }
+    port {
+      name        = "http"
+      port        = 8000 # tripit's default TTS_BASE_URL port
+      target_port = 8004 # the devnen server's actual listen port
+    }
+  }
+}
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Option-A off-peak control: SA + Role (scale the Deployment) + RoleBinding +
+# three CronJobs (window-up preflight, mid-window guard, window-down). Mirrors
+# the nextcloud-watchdog in-cluster-kubectl pattern (SA → Role → bitnami/kubectl
+# CronJob, no kubeconfig).
+# ─────────────────────────────────────────────────────────────────────────────
+
+resource "kubernetes_service_account" "offpeak" {
+  metadata {
+    name      = "chatterbox-offpeak"
+    namespace = kubernetes_namespace.tts.metadata[0].name
+  }
+}
+
+resource "kubernetes_role" "offpeak" {
+  metadata {
+    name      = "chatterbox-offpeak"
+    namespace = kubernetes_namespace.tts.metadata[0].name
+  }
+  # get + patch on the deployment scale subresource is all the gate needs.
+  rule {
+    api_groups = ["apps"]
+    resources  = ["deployments", "deployments/scale"]
+    verbs      = ["get", "patch"]
+  }
+}
+
+resource "kubernetes_role_binding" "offpeak" {
+  metadata {
+    name      = "chatterbox-offpeak"
+    namespace = kubernetes_namespace.tts.metadata[0].name
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Role"
+    name      = kubernetes_role.offpeak.metadata[0].name
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.offpeak.metadata[0].name
+    namespace = kubernetes_namespace.tts.metadata[0].name
+  }
+}
+
+resource "kubernetes_cron_job_v1" "offpeak" {
+  for_each = local.offpeak_cronjobs
+
+  metadata {
+    name      = each.key
+    namespace = kubernetes_namespace.tts.metadata[0].name
+    labels    = local.labels
+  }
+  spec {
+    schedule                      = each.value.schedule
+    timezone                      = "Europe/London"
+    concurrency_policy            = "Forbid"
+    starting_deadline_seconds     = 120
+    successful_jobs_history_limit = 1
+    failed_jobs_history_limit     = 3
+    job_template {
+      metadata { labels = local.labels }
+      spec {
+        backoff_limit              = 1
+        active_deadline_seconds    = 120
+        ttl_seconds_after_finished = 300
+        template {
+          metadata { labels = local.labels }
+          spec {
+            service_account_name = kubernetes_service_account.offpeak.metadata[0].name
+            restart_policy       = "Never"
+            container {
+              name    = "vram-gate"
+              image   = "bitnami/kubectl:latest"
+              command = ["/bin/bash", "-c", local.vram_gate_script]
+              env {
+                name  = "ACTION"
+                value = each.value.action
+              }
+              env {
+                name  = "FLOOR"
+                value = tostring(var.vram_free_floor_bytes)
+              }
+              env {
+                name  = "GPU_TOTAL"
+                value = tostring(var.gpu_total_bytes)
+              }
+              env {
+                name  = "QUEUE_URL"
+                value = local.tripit_queue_url
+              }
+              resources {
+                requests = { cpu = "20m", memory = "64Mi" }
+                limits   = { memory = "128Mi" }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    # KYVERNO_LIFECYCLE_V1: Kyverno mutates dns_config with ndots=2 on CronJobs.
+    ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config]
+  }
+}
+
+# Apply trigger 2026-06-11 (tripit#26): the previous push was a merge commit, so
+# the changed-stack detector (git diff HEAD~1 HEAD = first-parent diff) missed
+# stacks/tts entirely. Non-merge commit so the diff names this stack.
diff --git a/stacks/tts/terragrunt.hcl b/stacks/tts/terragrunt.hcl
new file mode 100644
index 00000000..6bc02966
--- /dev/null
+++ b/stacks/tts/terragrunt.hcl
@@ -0,0 +1,36 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
+
+dependency "vault" {
+  config_path  = "../vault"
+  skip_outputs = true
+}
+
+# tts: in-cluster text-to-speech for tripit's "Tour guide" narration.
+# One Deployment of `forgejo.viktorbarzin.me/viktor/chatterbox-tts` (devnen
+# Chatterbox-TTS-Server, OpenAI-compatible /v1/audio/speech) at a single
+# ClusterIP Service `chatterbox-tts.tts.svc:8000` (server listens on 8004;
+# the Service remaps). Requests ONE time-slice of the shared T4
+# (nvidia.com/gpu=1) — a slice, not the card.
+#
+# OOM-avoidance (Option A, docs/plans/2026-06-08-chatterbox-tts-infra.md §3):
+# the Deployment sits at replicas=0; an off-peak CronJob scales it to 1 at the
+# 02:00–06:00 Europe/London window ONLY IF a free-VRAM preflight passes
+# (gpu_pod_memory_used_bytes from gpu-pod-exporter), a guard CronJob yields the
+# card mid-window if a resident wakes, and a window-down CronJob scales back to
+# 0. tripit's bake is best-effort + cached-forever (ADR-0002/0004), so a
+# skipped/aborted window simply backfills next time — no latency SLA.
+#
+# Polite-tenant hardening: the `tts` namespace must be EXCLUDED from the kyverno
+# `inject-gpu-workload-priority` policy (a separate two-line edit to the kyverno
+# stack) so Chatterbox keeps tier-2-gpu priority (600000) and is always the pod
+# evicted under pressure — never immich-ml/frigate/llama-swap.
+#
+# Image is built from the devnen repo + pushed to Forgejo — see this stack's
+# README.md for the exact docker build + push commands.
diff --git a/stacks/tuya-bridge/.terraform.lock.hcl b/stacks/tuya-bridge/.terraform.lock.hcl
index 05f8a359..5982c332 100644
--- a/stacks/tuya-bridge/.terraform.lock.hcl
+++ b/stacks/tuya-bridge/.terraform.lock.hcl
@@ -70,41 +70,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/tuya-bridge/main.tf b/stacks/tuya-bridge/main.tf
index 85b1a0b5..f81d9f4a 100644
--- a/stacks/tuya-bridge/main.tf
+++ b/stacks/tuya-bridge/main.tf
@@ -3,7 +3,7 @@ resource "kubernetes_namespace" "tuya-bridge" {
     name = "tuya-bridge"
     labels = {
       "istio-injection" : "disabled"
-      tier = local.tiers.cluster
+      tier               = local.tiers.cluster
       "keel.sh/enrolled" = "true"
     }
   }
@@ -15,7 +15,7 @@ resource "kubernetes_namespace" "tuya-bridge" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "tuya-bridge-secrets"
@@ -75,8 +75,13 @@ resource "kubernetes_deployment" "tuya-bridge" {
         image_pull_secrets {
           name = "registry-credentials"
         }
+        # ghcr image (ADR-0002 off-infra builds); secret cloned by the kyverno
+        # sync-ghcr-credentials policy (safety net while the package is private).
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
         container {
-          image             = "forgejo.viktorbarzin.me/viktor/tuya_bridge:${var.image_tag}"
+          image             = "ghcr.io/viktorbarzin/tuya_bridge:${var.image_tag}"
           image_pull_policy = "IfNotPresent"
           name              = "tuya-bridge"
           port {
diff --git a/stacks/tuya-bridge/variables.tf b/stacks/tuya-bridge/variables.tf
index 5c2be4d3..58e0a005 100644
--- a/stacks/tuya-bridge/variables.tf
+++ b/stacks/tuya-bridge/variables.tf
@@ -6,5 +6,5 @@ variable "tls_secret_name" {
 variable "image_tag" {
   type        = string
   default     = "latest"
-  description = "tuya_bridge image tag pushed to forgejo.viktorbarzin.me/viktor/tuya_bridge. Each Woodpecker run does `kubectl set image` to the 8-char git SHA; this variable is only used on initial create / TF recreate (image is in lifecycle.ignore_changes)."
+  description = "tuya_bridge image tag at ghcr.io/viktorbarzin/tuya_bridge (built by GHA, ADR-0002). The GHA deploy job drives a Woodpecker `kubectl set image` to the 8-char git SHA; this variable is only used on initial create / TF recreate (image is in lifecycle.ignore_changes)."
 }
diff --git a/stacks/uptime-kuma/CONTEXT.md b/stacks/uptime-kuma/CONTEXT.md
new file mode 100644
index 00000000..e8d2c981
--- /dev/null
+++ b/stacks/uptime-kuma/CONTEXT.md
@@ -0,0 +1,29 @@
+# Uptime Kuma — Context
+
+Glossary for the uptime-kuma monitoring context. Terms only — no implementation
+detail. Decisions live in `docs/adr/`.
+
+## Glossary
+
+**Active check (poll)** — Uptime Kuma actively probes a target on an interval
+(HTTP / TCP / ping / DB). This is *polling*, not "scraping." Prometheus *scrapes*
+exporters; Kuma *polls* targets. (Note: Prometheus does **not** scrape Kuma — a
+separate monitoring lane.)
+
+**Monitor** — one configured target plus its check definition.
+
+**Internal monitor** — probes a service on its in-cluster address
+(`*.svc.cluster.local`). Answers "is the service itself healthy?"
+
+**`[External]` monitor** — probes a service via its full public path
+(DNS → Cloudflare → cloudflared tunnel → Traefik). Answers "is the service
+reachable the way users reach it?" Maintained one-per-externally-reachable-service
+by deliberate choice (see ADR-0001).
+
+**Heartbeat** — one recorded check result (up/down + latency), persisted to the
+datastore.
+
+**External-access divergence** — the condition where a service is healthy
+*internally* but its `[External]` path is down — i.e. the shared
+Cloudflare/tunnel/Traefik path is broken while the service itself is fine.
+Surfaced by the `ExternalAccessDivergence` alert.
diff --git a/stacks/uptime-kuma/docs/adr/0001-uptime-kuma-sizing-and-placement.md b/stacks/uptime-kuma/docs/adr/0001-uptime-kuma-sizing-and-placement.md
new file mode 100644
index 00000000..80db84ac
--- /dev/null
+++ b/stacks/uptime-kuma/docs/adr/0001-uptime-kuma-sizing-and-placement.md
@@ -0,0 +1,45 @@
+# ADR-0001: Uptime Kuma is intentionally lean — sizing & placement
+
+## Status
+Accepted (2026-06-13)
+
+## Context
+A review was prompted by a suspicion that Kuma was "scraping too much / causing
+unnecessary traffic," itself triggered by a socket.io login-timeout incident on
+the monitor-sync CronJobs. Measured state at review time:
+
+- **227 active monitors**; 209 of them at 300s intervals; **~1 check/sec** aggregate.
+- Datastore: the **shared `mysql.dbaas`** (MariaDB), **~77 MB**, ~1 heartbeat
+  write/sec, 30-day retention.
+- **122 `[External]` monitors** (full public path) + ~105 internal.
+
+The data did **not** support a load problem — Kuma is already lean. The
+login-timeout incident was a Kuma 2.x socket.io quirk (kuma's single Node event
+loop briefly stalling), fixed separately by wrapping login in a retry — not a
+load issue.
+
+## Decisions
+1. **Keep Kuma as-is; do not reflexively cut monitors or intervals.** Poll rate
+   (~1/s) and DB footprint (77 MB) are modest.
+2. **`[External]` monitors stay per-service** (one per externally-reachable
+   service), **not** a small canary set. Rejected cutting to ~6-10 canaries:
+   although the Cloudflare → tunnel → Traefik path is shared infra that fails as a
+   unit, per-service external probes also catch *single-service* external
+   misconfig (one service's DNS / auth carve-out / route), which canaries miss.
+   The ~35k Cloudflare requests/day this generates is accepted for that coverage.
+3. **Datastore stays on the shared `mysql.dbaas`.** Rejected moving to
+   self-contained SQLite or a dedicated DB. The coupling — Kuma depends on the
+   single-instance MySQL it also helps monitor, including during that MySQL's
+   8.4.9 wipe-maintenance (bead code-963q) — is acknowledged but accepted as
+   low-impact for now.
+
+## Consequences
+- All three decisions are **cheap to reverse**; revisit if measured load on
+  `mysql.dbaas` or Cloudflare ever becomes a real (not gut-feel) problem. This
+  ADR exists mainly so that review isn't re-run from scratch.
+- **Known gap:** the *internal* monitor-sync creates/updates monitors but does
+  **not** prune orphans (the external sync does). Internal monitors for deleted
+  services linger and need periodic manual cleanup — e.g. the stale
+  "Goldilocks (VPA)" monitor (target removed with VPA on 2026-06-12) was deleted
+  by hand on 2026-06-13. A *scoped* internal-prune (only deleting monitors the
+  sync owns, never hand-made ones) is a possible future improvement.
diff --git a/stacks/uptime-kuma/modules/uptime-kuma/main.tf b/stacks/uptime-kuma/modules/uptime-kuma/main.tf
index faa7d2d3..0921bc24 100644
--- a/stacks/uptime-kuma/modules/uptime-kuma/main.tf
+++ b/stacks/uptime-kuma/modules/uptime-kuma/main.tf
@@ -503,8 +503,27 @@ except (urllib.error.URLError, OSError, KeyError, ValueError) as e:
 
 print(f"Loaded {len(targets)} external monitor targets (source={source})")
 
-api = UptimeKumaApi(UPTIME_KUMA_URL, timeout=120, wait_events=0.2)
-api.login("admin", UPTIME_KUMA_PASS)
+api = None
+for _login_try in range(1, 6):
+    try:
+        api = UptimeKumaApi(UPTIME_KUMA_URL, timeout=120, wait_events=0.2)
+        api.login("admin", UPTIME_KUMA_PASS)
+        break
+    except Exception as _login_err:
+        # kuma 2.x's single Node event loop intermittently stalls under its
+        # ~300 monitors, so the socket.io login handshake times out. Retry a
+        # few times across a ~60s window to ride out the stall instead of
+        # failing the whole sync job (which fired JobFailed -> Slack noise).
+        print(f"WARN: Kuma login attempt {_login_try}/5 failed: {_login_err!r}")
+        if api is not None:
+            try:
+                api.disconnect()
+            except Exception:
+                pass
+            api = None
+        if _login_try == 5:
+            raise
+        time.sleep(15)
 
 monitors = api.get_monitors()
 existing_external = {}
@@ -818,8 +837,27 @@ UPTIME_KUMA_PASS = os.environ["UPTIME_KUMA_PASSWORD"]
 with open("/config/targets.json") as f:
     targets = json.load(f)
 
-api = UptimeKumaApi(UPTIME_KUMA_URL, timeout=120, wait_events=0.2)
-api.login("admin", UPTIME_KUMA_PASS)
+api = None
+for _login_try in range(1, 6):
+    try:
+        api = UptimeKumaApi(UPTIME_KUMA_URL, timeout=120, wait_events=0.2)
+        api.login("admin", UPTIME_KUMA_PASS)
+        break
+    except Exception as _login_err:
+        # kuma 2.x's single Node event loop intermittently stalls under its
+        # ~300 monitors, so the socket.io login handshake times out. Retry a
+        # few times across a ~60s window to ride out the stall instead of
+        # failing the whole sync job (which fired JobFailed -> Slack noise).
+        print(f"WARN: Kuma login attempt {_login_try}/5 failed: {_login_err!r}")
+        if api is not None:
+            try:
+                api.disconnect()
+            except Exception:
+                pass
+            api = None
+        if _login_try == 5:
+            raise
+        time.sleep(15)
 
 existing = {m["name"]: m for m in api.get_monitors()}
 
diff --git a/stacks/url/.terraform.lock.hcl b/stacks/url/.terraform.lock.hcl
index 05f8a359..5982c332 100644
--- a/stacks/url/.terraform.lock.hcl
+++ b/stacks/url/.terraform.lock.hcl
@@ -70,41 +70,16 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
diff --git a/stacks/url/main.tf b/stacks/url/main.tf
index 4544a0a1..d3c7a8f8 100644
--- a/stacks/url/main.tf
+++ b/stacks/url/main.tf
@@ -36,7 +36,7 @@ resource "kubernetes_namespace" "shlink" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "url-secrets"
@@ -68,7 +68,7 @@ resource "kubernetes_manifest" "external_secret" {
 # kubernetes_secret can be removed.
 resource "kubernetes_manifest" "db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "url-db-creds"
diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf
index 394a6577..99c45aff 100644
--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@@ -598,6 +598,19 @@ resource "vault_policy" "terraform_state" {
     path "secret/metadata/vault" {
       capabilities = ["deny"]
     }
+    # Explicit deny on the breakglass SSH key (added with the claude-breakglass
+    # stack, 2026-06-12). That key grants root-on-devvm + PVE VM-102 power
+    # verbs; it must NOT be readable by the shared claude-agent pod, whose
+    # agents (recruiter-triage, nextcloud-todos-exec) ingest untrusted input
+    # with Bash. The breakglass pod runs in its own namespace with NO Vault
+    # role and gets the key via ESO only. See
+    # claude-agent-service/docs/adr/0001-breakglass-security-architecture.md.
+    path "secret/data/claude-breakglass/*" {
+      capabilities = ["deny"]
+    }
+    path "secret/metadata/claude-breakglass/*" {
+      capabilities = ["deny"]
+    }
   EOT
 }
 
@@ -661,6 +674,7 @@ resource "vault_database_secret_backend_connection" "postgresql" {
     "pg-recruiter-responder", "pg-tripit",
     "pg-nextcloud-todos",
     "pg-technitium",
+    "pg-goldmane-edges",
   ]
 
   postgresql {
@@ -878,6 +892,17 @@ resource "vault_database_secret_backend_static_role" "pg_technitium" {
   rotation_period = 604800
 }
 
+# goldmane-edge-aggregator (ADR-0014 / infra #58) — 7-day rotation for the
+# goldmane_edges CNPG role. Consumed by stacks/goldmane-edge-aggregator via a
+# vault-database ExternalSecret -> DATABASE_URL (remoteRef static-creds/pg-goldmane-edges).
+resource "vault_database_secret_backend_static_role" "pg_goldmane_edges" {
+  backend         = vault_mount.database.path
+  db_name         = vault_database_secret_backend_connection.postgresql.name
+  name            = "pg-goldmane-edges"
+  username        = "goldmane_edges"
+  rotation_period = 604800
+}
+
 # =============================================================================
 # Kubernetes Secrets Engine — Dynamic K8s Credentials
 # =============================================================================
@@ -1003,6 +1028,11 @@ data "vault_kv_secret_v2" "platform" {
 locals {
   k8s_users = jsondecode(data.vault_kv_secret_v2.platform.data["k8s_users"])
 
+  # Workstation roster is the source of truth for Claude credential isolation.
+  # Each user's renewal agent receives a periodic Vault token carrying exactly
+  # one of these policies; no user can read another user's OAuth state.
+  workstation_users = yamldecode(file("${path.module}/../../scripts/workstation/roster.yaml")).users
+
   # Flatten user -> namespace pairs for namespace-owners
   namespace_owner_namespaces = flatten([
     for name, user in local.k8s_users : [
@@ -1021,6 +1051,26 @@ locals {
   ]))
 }
 
+resource "vault_policy" "workstation_claude" {
+  for_each = local.workstation_users
+
+  name   = "workstation-claude-${each.key}"
+  policy = <<-EOT
+    path "secret/data/workstation/claude-users/${each.key}" {
+      capabilities = ["create", "read", "update"]
+    }
+    path "secret/metadata/workstation/claude-users/${each.key}" {
+      capabilities = ["read"]
+    }
+    path "auth/token/lookup-self" {
+      capabilities = ["read"]
+    }
+    path "auth/token/renew-self" {
+      capabilities = ["update"]
+    }
+  EOT
+}
+
 resource "kubernetes_namespace" "user_namespace" {
   for_each = nonsensitive(local.user_namespaces)
 
diff --git a/stacks/vpa/main.tf b/stacks/vpa/main.tf
index b4abe0a5..d51e2f67 100644
--- a/stacks/vpa/main.tf
+++ b/stacks/vpa/main.tf
@@ -1,7 +1,15 @@
 variable "tls_secret_name" { type = string }
 
-module "vpa" {
-  source          = "./modules/vpa"
-  tls_secret_name = var.tls_secret_name
-  tier            = local.tiers.cluster
-}
+# VPA / Goldilocks REMOVED 2026-06-12 (etcd-load-reduction; reverses the re-add
+# after memory 2431, ties to code-oflt). All 349 VPAs ran updateMode=Off (no
+# auto-right-sizing) yet cost ~800 etcd objects, continuous recommender writes,
+# and a pod-creation admission webhook — pure etcd overhead feeding only the
+# dashboard. Right-size on demand with krr (Dockerized, no cluster footprint).
+#
+# The `module "vpa"` block was removed so `scripts/tg apply` DESTROYS the helm
+# releases (vpa, goldilocks), the goldilocks-vpa-auto-mode ClusterPolicy, the
+# dashboard ingress, and the vpa namespace. The chart-installed VPA CRDs (Helm
+# keeps CRDs on uninstall) and any leftover VPA/checkpoint CRs are removed
+# post-apply (cascade) via:
+#   kubectl delete crd verticalpodautoscalers.autoscaling.k8s.io \
+#                      verticalpodautoscalercheckpoints.autoscaling.k8s.io
diff --git a/stacks/vpa/modules/vpa/main.tf b/stacks/vpa/modules/vpa/main.tf
deleted file mode 100644
index dd73540a..00000000
--- a/stacks/vpa/modules/vpa/main.tf
+++ /dev/null
@@ -1,175 +0,0 @@
-variable "tls_secret_name" {
-  type      = string
-  sensitive = true
-}
-variable "tier" { type = string }
-
-resource "kubernetes_namespace" "vpa" {
-  metadata {
-    name = "vpa"
-    labels = {
-      tier = var.tier
-      "keel.sh/enrolled" = "true"
-    }
-  }
-}
-
-module "tls_secret" {
-  source          = "../../../../modules/kubernetes/setup_tls_secret"
-  namespace       = kubernetes_namespace.vpa.metadata[0].name
-  tls_secret_name = var.tls_secret_name
-}
-
-# -----------------------------------------------------------------------------
-# VPA — Vertical Pod Autoscaler (Fairwinds Helm chart)
-# -----------------------------------------------------------------------------
-resource "helm_release" "vpa" {
-  namespace        = kubernetes_namespace.vpa.metadata[0].name
-  create_namespace = false
-  name             = "vpa"
-  atomic           = true
-
-  repository = "https://charts.fairwinds.com/stable"
-  chart      = "vpa"
-
-  values = [yamlencode({
-    recommender = {
-      enabled = true
-      resources = {
-        requests = {
-          cpu    = "50m"
-          memory = "200Mi"
-        }
-        limits = {
-          memory = "200Mi"
-        }
-      }
-    }
-    updater = {
-      enabled = true
-      resources = {
-        requests = {
-          cpu    = "50m"
-          memory = "200Mi"
-        }
-        limits = {
-          memory = "200Mi"
-        }
-      }
-    }
-    admissionController = {
-      enabled = true
-      resources = {
-        requests = {
-          cpu    = "50m"
-          memory = "200Mi"
-        }
-        limits = {
-          memory = "200Mi"
-        }
-      }
-    }
-  })]
-}
-
-# -----------------------------------------------------------------------------
-# Goldilocks — VPA dashboard (Fairwinds Helm chart)
-# -----------------------------------------------------------------------------
-resource "helm_release" "goldilocks" {
-  namespace        = kubernetes_namespace.vpa.metadata[0].name
-  create_namespace = false
-  name             = "goldilocks"
-  atomic           = true
-
-  repository = "https://charts.fairwinds.com/stable"
-  chart      = "goldilocks"
-
-  values = [yamlencode({
-    controller = {
-      flags = {
-        on-by-default = "true"
-      }
-    }
-    dashboard = {
-      replicaCount = 1
-      flags = {
-        on-by-default = "true"
-      }
-    }
-  })]
-
-  depends_on = [helm_release.vpa]
-}
-
-# -----------------------------------------------------------------------------
-# Ingress — Goldilocks dashboard at goldilocks.viktorbarzin.me
-# -----------------------------------------------------------------------------
-module "ingress" {
-  source          = "../../../../modules/kubernetes/ingress_factory"
-  dns_type        = "proxied"
-  namespace       = kubernetes_namespace.vpa.metadata[0].name
-  name            = "goldilocks"
-  service_name    = "goldilocks-dashboard"
-  port            = 80
-  tls_secret_name = var.tls_secret_name
-  auth            = "required"
-  extra_annotations = {
-    "gethomepage.dev/enabled"      = "true"
-    "gethomepage.dev/name"         = "Goldilocks"
-    "gethomepage.dev/description"  = "Resource recommendations"
-    "gethomepage.dev/icon"         = "mdi-scale-balance"
-    "gethomepage.dev/group"        = "Core Platform"
-    "gethomepage.dev/pod-selector" = ""
-  }
-
-  depends_on = [helm_release.goldilocks]
-}
-
-# -----------------------------------------------------------------------------
-# Kyverno policy — label namespaces for VPA observe-only mode
-# -----------------------------------------------------------------------------
-# Goldilocks reads the goldilocks.fairwinds.com/vpa-update-mode label on
-# namespaces to decide the updateMode for VPA objects it creates.
-# All namespaces get "off" — Terraform is the authoritative source of truth
-# for container resources. Goldilocks provides recommendations only.
-
-resource "kubernetes_manifest" "vpa_auto_mode_label" {
-  manifest = {
-    apiVersion = "kyverno.io/v1"
-    kind       = "ClusterPolicy"
-    metadata = {
-      name = "goldilocks-vpa-auto-mode"
-      annotations = {
-        "policies.kyverno.io/title"       = "Goldilocks VPA Observe-Only Mode"
-        "policies.kyverno.io/description" = "Sets VPA update mode to off for all namespaces. Terraform owns container resources; Goldilocks provides recommendations only."
-      }
-    }
-    spec = {
-      rules = [
-        {
-          name = "label-vpa-off-all"
-          match = {
-            any = [
-              {
-                resources = {
-                  kinds = ["Namespace"]
-                }
-              }
-            ]
-          }
-          mutate = {
-            patchStrategicMerge = {
-              metadata = {
-                labels = {
-                  "goldilocks.fairwinds.com/vpa-update-mode" = "off"
-                }
-              }
-            }
-          }
-        },
-      ]
-    }
-  }
-
-  depends_on = [helm_release.goldilocks]
-}
diff --git a/stacks/wealthfolio/.terraform.lock.hcl b/stacks/wealthfolio/.terraform.lock.hcl
index 6c9afb10..31e1c607 100644
--- a/stacks/wealthfolio/.terraform.lock.hcl
+++ b/stacks/wealthfolio/.terraform.lock.hcl
@@ -70,61 +70,23 @@ provider "registry.terraform.io/goauthentik/authentik" {
 }
 
 provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+  version = "3.2.0"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version = "3.8.1"
+  version = "3.9.0"
   hashes = [
-    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
-    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
-    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
-    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
-    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
-    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
-    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
-    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
-    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
-    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
-    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
-    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+    "h1:UlBuNVuCGJ39tTv2c5gz2NRZnQbXfbIWbTzWcth5o74=",
   ]
 }
 
diff --git a/stacks/wealthfolio/main.tf b/stacks/wealthfolio/main.tf
index fd8e2e98..a291778e 100644
--- a/stacks/wealthfolio/main.tf
+++ b/stacks/wealthfolio/main.tf
@@ -22,7 +22,7 @@ resource "kubernetes_namespace" "wealthfolio" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "wealthfolio-secrets"
@@ -52,7 +52,7 @@ resource "kubernetes_manifest" "external_secret" {
 # the K8s Secret every 15m so the sidecar always has a valid password.
 resource "kubernetes_manifest" "wealthfolio_sync_db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "wealthfolio-sync-db-creds"
@@ -679,6 +679,10 @@ resource "kubernetes_cron_job_v1" "wealthfolio_sync" {
             image_pull_secrets {
               name = "registry-credentials"
             }
+            # Private ghcr image (ADR-0002) — cloned by sync-ghcr-credentials.
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
             container {
               name = "sync"
               # Phase 4 of forgejo-registry-consolidation 2026-05-07 +
@@ -686,7 +690,7 @@ resource "kubernetes_cron_job_v1" "wealthfolio_sync" {
               # produced by /home/wizard/code/broker-sync (Forgejo
               # viktor/broker-sync, DockerHub viktorbarzin/broker-sync,
               # Forgejo viktor/wealthfolio-sync as the cluster pull path).
-              image = "forgejo.viktorbarzin.me/viktor/wealthfolio-sync:latest"
+              image = "ghcr.io/viktorbarzin/wealthfolio-sync:latest"
               env {
                 name = "IMAP_HOST"
                 value_from {
@@ -774,7 +778,7 @@ resource "kubernetes_cron_job_v1" "wealthfolio_sync" {
 # Grafana whenever ESO updates this secret (every 7d on rotation).
 resource "kubernetes_manifest" "grafana_wealth_db_external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "grafana-wealth-pg-creds"
diff --git a/stacks/webhook_handler/.terraform.lock.hcl b/stacks/webhook_handler/.terraform.lock.hcl
index a1ca7484..b22b977e 100644
--- a/stacks/webhook_handler/.terraform.lock.hcl
+++ b/stacks/webhook_handler/.terraform.lock.hcl
@@ -24,30 +24,33 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
   hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.2.0"
+  hashes = [
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -71,3 +74,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/webhook_handler/main.tf b/stacks/webhook_handler/main.tf
index 3e71c84f..8e5a22ab 100644
--- a/stacks/webhook_handler/main.tf
+++ b/stacks/webhook_handler/main.tf
@@ -292,7 +292,7 @@ module "ingress" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "webhook-handler-secrets"
diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf
index afe7d009..ba84f9e4 100644
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@@ -64,7 +64,7 @@ module "tls_secret" {
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "woodpecker-secrets"
@@ -103,7 +103,7 @@ resource "kubernetes_manifest" "db_external_secret" {
     force_conflicts = true
   }
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "woodpecker-db-creds"
diff --git a/stacks/ytdlp/.terraform.lock.hcl b/stacks/ytdlp/.terraform.lock.hcl
index 6f436f69..515a317b 100644
--- a/stacks/ytdlp/.terraform.lock.hcl
+++ b/stacks/ytdlp/.terraform.lock.hcl
@@ -24,29 +24,33 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
   hashes = [
-    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.2.0"
+  hashes = [
+    "h1:CTWVDQxyq1cQJR/9RJSkXii/gz5zMjxszSw9LmptDh4=",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.1.0"
+  version = "3.2.0"
   hashes = [
-    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "h1:OjMar8kVp0LcDtwgRs877g/K/KPAEDVhFewpE3Tp7l8=",
   ]
 }
 
@@ -69,3 +73,11 @@ provider "registry.terraform.io/hashicorp/vault" {
     "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+  ]
+}
diff --git a/stacks/ytdlp/main.tf b/stacks/ytdlp/main.tf
index 361fd53b..bf19ce2a 100644
--- a/stacks/ytdlp/main.tf
+++ b/stacks/ytdlp/main.tf
@@ -7,7 +7,7 @@ variable "nfs_server" { type = string }
 
 resource "kubernetes_manifest" "external_secret" {
   manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
     kind       = "ExternalSecret"
     metadata = {
       name      = "ytdlp-secrets"
diff --git a/state/stacks/external-secrets/terraform.tfstate.enc b/state/stacks/external-secrets/terraform.tfstate.enc
index 8493a789..8bd95b97 100644
--- a/state/stacks/external-secrets/terraform.tfstate.enc
+++ b/state/stacks/external-secrets/terraform.tfstate.enc
@@ -1,169 +1,272 @@
 {
-	"version": "ENC[AES256_GCM,data:Gg==,iv:gVeyGdd55pCtvdx3tqsMSkiZr+j28SDsWYJkpm3eGdk=,tag:6g9KYycKOAlfO+NTFscRug==,type:float]",
-	"terraform_version": "ENC[AES256_GCM,data:O9tqGhc=,iv:QMk6CjkgYGA1NZjovtzjWUr3oP10KltoBlR2tf9oe7w=,tag:r/qzmoBKcZ7EDY31PWRkdA==,type:str]",
-	"serial": "ENC[AES256_GCM,data:MQ==,iv:+XZ4RMFGZwka/g3x0Ypqo/wlrMBiO9I8zdwzeZrSWIU=,tag:B2oYSg7vkkyWnvIVA8IA4A==,type:float]",
-	"lineage": "ENC[AES256_GCM,data:Xt257+PU9Pd4DjgYhATwHdGlq6Y+K/ofskTfy0PUR9Xqlo7s,iv:BiJo4b5z5ewBDPcqz8IB3Zy+LqxcroYZf3Vq7ifPutM=,tag:o157GwtGcvG//h7zwrS0Lg==,type:str]",
+	"version": "ENC[AES256_GCM,data:Ew==,iv:i7oT2kd/43TCS58qPoG6TAsj3w+SdJ8v1mRUxC8uU3o=,tag:ofb1xBfrAnnCFL1oyNarzg==,type:float]",
+	"terraform_version": "ENC[AES256_GCM,data:ulkS6AbD,iv:XlQ31adgNqLEfozPuN1WnlYL1iJiaso73ovT8ngKSrQ=,tag:JoIFriVzay4fDo/tEksgJQ==,type:str]",
+	"serial": "ENC[AES256_GCM,data:0AY=,iv:uWfH/pF7GyKUXUgJMm3WGYq+peRIgiT0KcT1FhxJK8M=,tag:FsmR65LbyecF2DnQcL0EKw==,type:float]",
+	"lineage": "ENC[AES256_GCM,data:DcPxrNQyXV2UW1izHMEdt/ItJOC5cUftsPnZzw/FktSWhILQ,iv:CsPZB4BeuU7g7bMDqaSCNZeM0JLl5q0b+cM/5rANvLM=,tag:89l0aRYo2e9zH7olM9H3eg==,type:str]",
 	"outputs": {},
 	"resources": [
 		{
-			"mode": "ENC[AES256_GCM,data:8EmnmbR+Qw==,iv:5EWXGThm2QiXfFsRXUNGwghWCtfVe1tLoezBR8UDqCc=,tag:EcM2hHvRKubZ7SOHoBu+zQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:Q86kkJVg/UaJR0Sy,iv:BRSVhuPg0X5SeNpZ82VzHj3kMLIomrmz+nE/FklDmfg=,tag:vBCBTkxk/lVlgWdVmhariQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:2jL5DOlR1YwbJiTKcA97mQ==,iv:qJr4JwxsYThNdMVuu3fYOqrWZj40yBYE6tHFzQdlrfI=,tag:Bq8p0OiYd0YzRzQx95cyYA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:Pctf7yjkqBzdFUc6AXWdxLLOnG3lVw7vgYkPNVk+PDfDYZ85cc6dM8tRH7fDK1+9,iv:8AN+4b+lX6cQXC8yg6n9KTAhe8OL4CnhgejYzJgmETk=,tag:/Rjy2x7lNWOr+S6ZXDiXBQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:pRmbQQ==,iv:rpzjfutN2GWADu2WAAfyP3xYqEdPKvb5inlC1ggOK4M=,tag:ZoUyyHL7E9IHzQrs8O4zQg==,type:str]",
+			"type": "ENC[AES256_GCM,data:+zfM+2jffNtSI86LgU8Ml+Mo,iv:3rh2nIKdZo6QLc71oxoM8ViV1PJsHGIwZyBhu7JtUNI=,tag:PQMtjEAQ6cDhdyfVVcY8RQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:RXhVtGYPpu1E8do=,iv:eYNdBg5RAfi2Csw3oFt8Adsc8mYO8w0SvWY7CWNNHCs=,tag:JAecHR6Ombk+VWAH07TaQQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:d9Wgn09LiJ6iamLBBZvQ7ZFN553TrWwLqDGqtzZ9iudGNrXocFWHHGdxgNf3fPbBqQ==,iv:X7Gx09lKGF1HRJTWYii6o0JpYk6olaFa49kFL26lWa4=,tag:SJVpwrcu/ve2ExiCQVETtw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:ZA==,iv:fFkBWP85VgKD+oLcOA77sMIaZhhYnaE/ARo1J2KuezQ=,tag:xUsquecTr3rxHk+z/U6I7w==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Sw==,iv:687ZE2EzFCXbn8fGkP5DN/1Co1K++Rf5Os1C4kW5E20=,tag:ZMMzVKafji5vebloU4r3nA==,type:float]",
 					"attributes": {
-						"atomic": "ENC[AES256_GCM,data:J9RglnY=,iv:CiO2XYn+fFPaBJAGJZzY/BUfZo6lh0CwjL8dx+09eEg=,tag:s1enVM11xD1eTg2a0Jx2XQ==,type:bool]",
-						"chart": "ENC[AES256_GCM,data:rrHceGl0wY8EovpBACyS1g==,iv:/oduYEFkoiqDPXC1vavWRrbk8iVRF3XFK1dMXHJz8Hg=,tag:awiCj6d/NG1tsI77SGx75A==,type:str]",
-						"cleanup_on_fail": "ENC[AES256_GCM,data:qCK576Y=,iv:4sLSRAh4HW/6oiBY20H15iXHLcmv3DPPn2Dj0scU/EE=,tag:J067KkkHHH8dwSpm9+NpMw==,type:bool]",
-						"create_namespace": "ENC[AES256_GCM,data:07LEudE=,iv:1DQqIH6TvGmc18DFV62K/fYx6WfMidIJQ4W6zUx4gYg=,tag:zwBNnFqZfsK6FexiOyUzVg==,type:bool]",
-						"dependency_update": "ENC[AES256_GCM,data:lGMMD8w=,iv:qgyj7dojHezoGL8l4dSBatyif2VSODZdCghicmm6Ez8=,tag:INP3jahMaRoTrWnt2VwrbA==,type:bool]",
+						"created_time": "ENC[AES256_GCM,data:J3RYt1jYUr7jl7REmbmyFq6QdbE1VVIFoOMRzEeQ,iv:r5jPEMIAFTSkxPNY0RyCVYKatiHD5/TKGCIDPmIwVXo=,tag:S/xcB86r/KRVD7k1J+w07g==,type:str]",
+						"custom_metadata": null,
+						"data": {
+							"alertmanager_account_password": "ENC[AES256_GCM,data:BC3fjXc2Ro1/NxKNnO5laJ0lktk=,iv:yxVrSSMxMZM8J3ZJ0Xb42hKZi84B4AOinNJEII708qw=,tag:qOR6LfVegpmPsjRTv+r/tQ==,type:str]",
+							"alertmanager_slack_api_url": "ENC[AES256_GCM,data:y1HhU15WfyNd2FkS2oaunTNXZHnhTHCLyAwepmcs5B7s+FO1yG8v+JZI9JcjqM4BPj8Co6DuMZUJ8JNnAlFVG0L1xJpfUal5sJlqtkI4MYgr,iv:twDLuJQoXOUnD4Q+PUvhbx0ad4Yqewsy96A1+RWy9Ck=,tag:f+0cjt0VU+ppJmbu2+Ne9Q==,type:str]",
+							"auth_fallback_htpasswd": "ENC[AES256_GCM,data:SHJyGlkQfIEay4mSOqAqOQPqMzxd7LpINX9SnL1ImCS5pOFPW1oPx01Fzhr6ecfy3c7z/yzRzHvVRFhDE5o4Ogho,iv:6ngBtNVtqSPFiMRFfvq46qKlbBagkKU/4cG/3XB/Z1A=,tag:Fw7hIri4IeFXu1zhKBsoHw==,type:str]",
+							"authentik_postgres_password": "ENC[AES256_GCM,data:DPnSJkBMWeN4r+61cDRMIg==,iv:vaEcfWp7ALntdYwn4hzOdzV5SVx2NwZSiUTlI4fNlNQ=,tag:XOIfacjx1UdOZcHTLzPGcg==,type:str]",
+							"authentik_secret_key": "ENC[AES256_GCM,data:jx5K/J3nWvVxEUgRwps767ovS8/h3aDv5+zCo+rZ+Q9Gvw+p45LDSgCim1ktT0+IGStr,iv:B1mUnB7swTfcJt1DZ2uqycQeYR1Et9WCrLHwxmbMO0c=,tag:j+MAZd0wiSX6PN7Q0UNVjw==,type:str]",
+							"cloudflare_api_key": "ENC[AES256_GCM,data:9z7QqGcurotkQe1UsopUfnOHDxC3g8+nRBZZrG/uastgWTvfJQ==,iv:BLzPFbvtNW4Y735rx7aHCGSvx2r9l4OIazgVqwvQgdE=,tag:f10itWlh/NDj0p4rV/K1gA==,type:str]",
+							"cloudflare_tunnel_token": "ENC[AES256_GCM,data:8E1rvv/qgiu/lG/CNV6wJrWqXvcgtRLIVeL1oN2sMN+uyzgBI9fXFxyL54ZfxfQNLS2u2bnx4Lw3cyahkP6NTH+fh97wZTxHf+YjcH8q1ZNeYwBIZv/pUzxlomYr2mx3PfS5pfMCCxcAjy8i6x4pOOB0ZLxIeVpKVudg2BhbT5inr3o9Ur79+5D6UYL1PFCr7B/Xbxa7wiIU2gcR7LBE49u+ppYP01v66BGIuwQHCBB0s3ML/1Xi5g==,iv:XznPKSsDsQLCaMd+SDhEuUqGmrNFXhSp6t+iYCyrYcw=,tag:2o8GYb8DfyJ7RM25OTUjWQ==,type:str]",
+							"crowdsec_dash_api_key": "ENC[AES256_GCM,data:nRZrCc0XUPPa9PMo26NeCboZCDPy0g2VxjqewOc/MpeNOKnuA87GbUMCGQ==,iv:x06rC0UdORR/AFhfWTf8I+5YyD6jqa+0F1ZfdwaqUqs=,tag:Zsn47/rp6Dqq/BZkA8xkaA==,type:str]",
+							"crowdsec_dash_machine_id": "ENC[AES256_GCM,data:5jgMO6iM98CzWV9GJ/LPJ+UZ46+N/PzESn1Wtj0=,iv:CCDUyVd8GS6Bje6qPKU+k+YVIbjo2H8vSe0ruBGLmmo=,tag:GVAnh3/sw9hMeaPZuq2WnQ==,type:str]",
+							"crowdsec_dash_machine_password": "ENC[AES256_GCM,data:tjS4bJPvnufybb0yHE9ntfQxfR/BI9Sf58pGebzcpMGLYjie+8U+yMMDmm9x4mrdPjaUDbYIBwgOWp2s5M588g==,iv:NdUxLhIb9FAj/yTB20od/SAZQDfD6pDAw5opDZU8qwE=,tag:xY74udx5HoxtxcQGTS6VhQ==,type:str]",
+							"crowdsec_db_password": "ENC[AES256_GCM,data:nUTRX27qHEfj9k90VU0=,iv:O9qHuXcdZXCpd+JRyzTeCqUBRY1cufDBcOdfInkBpsc=,tag:ymOnVzkCSY8mNrIPtmDhzw==,type:str]",
+							"crowdsec_enroll_key": "ENC[AES256_GCM,data:sqVURMAdgYsuR3MD0jiDbnng3HZgcNFHyA==,iv:QRAtuyavGTRlloToJR5fCH9vzYECwtrkuvDIKuX7XYg=,tag:9HTic1Q9iVVUiY0IhUtWmA==,type:str]",
+							"dbaas_pgadmin_password": "ENC[AES256_GCM,data:x+nbJJSJBw04nJz1mFsdzxiwl9KkHnSGEblvaVGha80=,iv:KmsYnc+Hu4uj6kMwgy0Qot/Y62gI1e6mywHPIUKuiWs=,tag:RhBiKUmUFPEVawHzZcQjvw==,type:str]",
+							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:liDV7tLObEiG8N9bqFW8roA32Q0L1DRPS5g=,iv:5WoLVLB4Y0EXipwazW8XjCPNvPqkSLo6/HRizBIpfmI=,tag:VU+4N2pTytbxlll/Xp073Q==,type:str]",
+							"dbaas_root_password": "ENC[AES256_GCM,data:XtQe93+gs/donWykmQYNhJnGig4jKMaSIxlEGg==,iv:lw92oU7TaP9wR1Lvy8liEdfVO28hlSjKJvSR6eHjnx0=,tag:ei04tyOxeXEnis5GSslDUg==,type:str]",
+							"firewall_bouncer_key": "ENC[AES256_GCM,data:qZZuQCRg4vi0jFN610BMPPhnQqsFI/KSQKZl0Wdzm8qlBTKeHz9XanoH9Rn/5QSk5p8Nq1caqGVZNrt2WFaMhg==,iv:cclc3E9cLboS4X95ltMzHo40pdd0gdJ8KDjT70C4+lg=,tag:w7QIsoqVXFu8BMSjaX0ggQ==,type:str]",
+							"grafana_admin_password": "ENC[AES256_GCM,data:pthLEfjM3voFyLQqjsh2waDwstw=,iv:7dFeJ+dTvUonmR7KJTgjRePn4HzXLJMmAFwGS8JR4vk=,tag:Lbjc7Jtazm9YaRGvcOQ7IA==,type:str]",
+							"grafana_db_password": "ENC[AES256_GCM,data:zOWEU2zpvsKwbtv9ze87C1m6972S,iv:BboqAI/d7ZS285ssgV3Or6YICbt1sNXfAzwFGefw5W0=,tag:o73Vq98cnRQR0Z6QBCBppA==,type:str]",
+							"haos_api_token": "ENC[AES256_GCM,data:2yH5JprYr+UEsrIWCSp4MqP9kavuwvRpxnYNtVCpYAmZ4HwRGK7lTou42/GKX477tzbUxCZtJNaXM6h7cBD9rAKaiEOQYkApekYTPKWyzeiwAFS/0zskSU6gyjMEBqlKYc/7Nc5ikpTPaJcXkeaEgI3tgWslG/P/wq329PeXqQFfZ30dgqr2q2a5BTzeKsa+FNv2asBTH/jeSOjMB9eBz4s//IRNp4aEwCeaxMJrWsY7J75qaSW2,iv:t4o8B0FKUGrpZxOb3QASi38cwSveDFXugPcfFAGtquE=,tag:pt/PrfMs0OXiPwWQnfiS6A==,type:str]",
+							"headscale_acl": "ENC[AES256_GCM,data:rtIOU37ee4LE3eff5dJSB2L6NAbSi/UAJfXimN3dpRcySKiqz40fBS8nFWI7wHHKRrXcqegft3sNhStk8gm6BOgdCapez7lNBOgbjUZ5k3exDKnGC4nSy3VSwxMOBMwtSe2redBz+w6gS6Cu5uC3LkyrtH1dF33YowO7euthtxb8Ru5r7uPb5DTn5rA938t9fgknb46lfAKZpeLjzOcSODmK8UuJ2JmzO9Lc8Xe+ZoQftJR7juZMg+PzeCsRzVxAWOxlpdeUuyGgDLqmRp7BvTQx+G6XOPIPBB+LxRE4mOJhlEEdi3Tr1G9gk84M4/f9azLlr17xHlk2UI0aINx5C8WSZajdud4jEjoxg5YCPv1ZePUVDbwdueYR/17VGN/rzwIKSmH8fHuSybvwttyIa7B6Hs9Gm3o8kZcFcJtiV8gj8/PG9C5xfMQ1q+nsOnTDD1x4wR3nBTRRhbK4hWu2KQQZGkg61Oc6EXjEIRfK1OnYFfuz44KnG6RXrOdmNn608a8sqcfk7At3mTzJGZw17BViJycJ9f1dFgSZstpLKLTIsalVGZA85+ZVze0JHVNWc35cv+HqCPeULzImTqsFTipHdVdrZvjPAifzxUS21oc6l/k6cMuKg5ku3RQhsV108Ob6TH1XcVTj7593idQJeRKO2W4s2s4GyYfTHZOmLzSIcrZL4QB4WW+r06A1LhFlRwSAgPYTzByeK87DVSE0TGQ8SqdZBB+/S4pr2cUl8WVmREhaTH5/mkzqMtVk2y4TofP3IOQiwulcNF4mDaPMXt+F0i7cWM16mrlqBpfscXaMinIZpr/YUGc9WL+SuNyccy9a6TIIc627zprCNrGHt+LXAvwrhxlx5R1V7ALK+KSWzq95e6MG2TkrxMiIR4ZHjLIbrdqusC+SX0Ej3+vPGDrt22o4Pro1U/QkAsQlvy2dBWRDLBoNSN/VARGK+Z+GV4u4lERk7xG5Sd9K/lJ+jNroWBiS+216cGtRvV5NLjgRwbDq5sYPg4ckg9uVIdTJ0pRhLGBCUQKbEfj3wJX3pQv8yvlWjTBKKq3R8AtWnMRkGp+r4kQ0H0JRniN+gmhD1T/FTCExvqUqDRyLiXtQb1Qg8K7fev3OI4WMWPOPvCHfN202I8I6StYo5NCZmi2UY87r0/6jftTLh5IaGPwc5fpmQlupNuM9W9agzsiRDlXLEXHJ7ZvmT/IZxlJZGBdv8pbpge/HKg/s2IKsmWEUJI68pgpsow7Zn7m9jl9GjpQ9ZyU5pS3x1eers78H7fqXS7vLc1Dytfj2kkx+MGwu1354v8nLhy2Ms6vPO45ztWnaKnSUzFZJAilrBLEphD/Fixxk9UXy6t/aJ6ocd5y1vyybszaLLIUagPUn9gO5kICcmTeQ8JSTKFoJTWSFiC2shReNfx0P+/VonKHsr8YqoQVuwRL0aehOK3lO0QGWd902aCu38lRgEzfAqpDGvzSQ9+L6pGiJfbLhto0gnz3Nsoc8NHkfU29EUCqpUn3rTVHcG9skoPCgD4SPXS/xlhfbkXfW/y9CmK8ubxBG0wWdnLY9q2D/AoN7osfzYdD2RKV2jddHl+5w5Td4DmkkQll7V/YzwRTPIzmBN27uAQpXsn8gxPLyCP96LRZmEuv9PnIngaCAaOkdYGOoQ973BhfdpPc46LJZq6a6LKh+gXbpsieHstEh+gJvg5exwrahiZxQ8sMt/JVgj8PqOMFZbouhwBL3RQdC0zGr7+tWghcJZYc3RorVIQpsdYiZsOCbCC718rhTal0nGPbSHe+EfLOl0phDZIuoQB2jbx/8J4CEIUecMyc/uJC0MYGC7bhyjghP+kJjP2Twfo78CMFSDAVAudbKVSmbczk08HUcWPh7kkXerPgUT9GIzbkD1RBZRZWQnV5oj7cqg+RC58LSUoOKQXAGnDJPTaiPiIU5x76WAfGHGu8398n/gUerPuxeJ+9NfOo6kjmll47gHL2ZJJQ1jyxYo4M9sE4Ch/pSw503XFTLH8nHKLsu3uJzsBvIwitaHkLqOpch+lkCsyqh6SqsYKr3aA5i/1oxI/z11Oxk/RMwcyUo+2R+OgtR6yXeOW4XJPrhI674cDsJzk+R08y+qXA6foxcUio/fxxqaKqlY7xAjny9xFPSiY9RNUJ7G3HVmXaDDvCKiGX47zOnMbKyf4zk9WRhfgKICsYHXthS6f2DsfAM9F5W7oH0IJS4Ntf4k3wAcOcXPdmYnc8Ux+9R2FsgzO+6kNaRC4ir4CwWI3FDLNymZEz0pnIMLy0WVpr87rSIn87h9JJ288GrcKhqiYE7yPlD2jLNJqS41ROI9dZBfd6RFeJGugZmuzVuEu7tu94RkcBCLsrjUzEM98WvwISHvXAKM33RDLeMhOUOec9nCzQ676wqYYHRj905g0log/stpuJga68nuYZnlsmZAhxFyMYyTp/b36Tml1P/Ee/NxFPDz6EIRA9DOux81xh0XC9iVnFwNKVpEME09AVMRA9IEoXKA6BuhzRqkjfpZWLmyVQq6TD1W/WeTIHqAhbglAmb+2coSuyG/10mr/pCGmXywxerckXLOGstVdjbK+8nI6zKagLw+KwxMwE60ZlP3BLmzu2JSQvfozRdDfHeNjPrbUuWnevUk5+kTCNadHykqejp85OFLa6MCE2AZSTY3svtZnfgWQdh5K2mvDPctIRn1l0NwGaY3jBuZz1I9nw9Fw07VMq+7Pp61NIKrIiMbxc1q0uTnpRt0Mnw9iAsiCN+mo5Tj4YuG++SA5NmPCu88aYGyrktq16jf+eoVXYGxQlMWQMPEqH+y/kP+wiQr6IAiku/RVSY4omgoTeVPcnyruecuSWbO+l6sOxOdjMs8+HcLRwvpxu32+lyHn9Tt+dVFZTPKlpqHFfTWjW7GUKHwnaYfXH1HbrzGiQz9KEkpmVQ501/8SsLIgUj8vDXzGvNpqyQM2AdHGSBOGcjxg7KtxkP46EZYaEM5n+2zEQuHh+JKkoP/EgjlEJ6swZBNekj5Ka1c06uQ5hDeJqSvx8JYUpwFdTaYyQHTAyAz6sqS3scBFKyRX8XVpWzVmSm1FX6ADmYmzqRAhuYbAAMqzef5AEoXOLxCB+zENTQhxBRRSuMJdVXJpMqCUgipnPAyJhq5uSQWQg5xVElLtzx7/oRt5t7Q+2OeH6HsAdFl1Kb9IHJZvV+1bl79PPd/5XmnNChoT3uCdM2mc1GrABvigTLEuwvZPHfPnSjDxcJMaj5tPMdBlvRhLw0LsHF2/GdgydJkEFxgod4/j09bZU47orseX+UX7yc0y8WpECuwvIPLKzD5lWYcvwVBtbd5chbRcm/aA0WmX0BG0uN563tojmbJSAG/9gW+opxnDOO1rarXbzntE73smvSfRy7IFRuNFWmRm01Qv9NZ7ogO6ylOhOY5a3Beb1xeE6Q2R6G4bNF5uhlPFN8OFkfgQPKWj6LnaynxiIYbPiIyP/qRkuHEZzrTyAdX6ir+mB3HNOhfSrQggTgxr0D6seeH0lm9OL1JwHrW9L+UFvk8EA2C2rfHWCeHOCREOqEq3xIJC9YxsmXFL3H+wv2aeCSzZjcCJUvLT5yn4/hWDyIiTT/PgB8Ccu3DYswwyUZpF1QnNI9SYr7UDsHU/wZYw0nm3yjd1ANUGymPvlTMszv6YpI6WJC+nI44TA9UWgxflQK3HCPwjT6Hm2GOCvcUmXy92h4N4VjuoG9tKx2P2KbsdLqW9pUbFs8hyPRXDOGlx/QsGhPI01SUJ4CpnsLTuzquL6GBzZSgmIPoSQQF2JGnPvMCxUq6LTgvJ85/hMCyFG0qlxnxoK6M5082ZiDMOL8erBJC1hxUG9TfYDaRFqHrxYc5cQZWKSfWARLsjmxPzug26GnuDEfFbVLQL69YfuLhaGoXf95WjnZXGWCsyDD791VSxPJpUFAuToP3NESO263s2zoHUFiDLoxiEkXCA9ZH6Nmp1kjKZrefLOCY1b1UB2ZF+aoE1kESEuAzVjNW9SO1uomRZDqBorHgMd2k3BpJvb2dSpiCd5Bjgv8qU2eq2HnGhu/ux3NZg5uyVruLoRm2l2gHGwUZN62IpWo1nQR24nttrVulAkVmY+WBIMSE5TJz7h0CzTEuCqVtGlUL7iuk4LRmabSVgOUhRqUyWmaqTvZjA57MsuJBU6dOAd4aYSXPUQ1sI2fqDbtXiRohMiGhnl38LdYAF4Wb6U4OGx35iD5O1fRvwwDcApsHqgFLekEA0yJhxmjdQNN5f1NvR+HqmZJrfYXXxdN/xoa93qrxfUXmNJhlN8tQJcuWwEXscIzh1dJhJTC9OE8fh50yYwDCITQmiG7A5m6abOLLEqUMtHuA7GH+52B6uq+n5eiHP6ecMZS3514RaKFyzL9oQCNOSP4LiXnOoiC0MtrdZS4l6vExBWGzwdSxV338Gl/yiduKYPBqoMPDs41WTpyWBvzpoACepbDbiYso6jOYtZhzD5eLdPXauJmLOthw7p0BHftV84pqTXYpgBj6wUuH2n7jKmDxdM1d8BQ2kWUlSm7YGbs1hzb5axjBtjpu/zwLxCzU8m6EDkexX6R40kQ0PZZCnXuRl7G/d7jC6zLf/2dRwP14thudDznWX+qYoX5jtav92fqWVJWc2WI0hZ4pmr4Zivqi8favYMWPfVCFqrNVx2AxEhGmo/968OzrPdbzKU2RqJ+Nyau68qgRXn4XtZ0hv0RMeMJZokxUq+1BbmMk74b8ZWXLQKVOiAfgOZ/gA1wXLS2RYPVks1ic70efYQkDfBqgOvBarkZSZ3JBb7p5pVDKugQZV62k91RR1XW1v7zJbPzRmxzxq136jeaa9iCVobxXZ7H+ZuIQp/hi/W4Yq5j+hV2Dc3WSj81SGt1S1swXUZe,iv:wD6DK04GsJm1rO44/VEqVvhZjeMyNnZ4i3mKIC2jxRA=,tag:n8LZiHi1meSWHJf0u4HWQw==,type:str]",
+							"headscale_config": "ENC[AES256_GCM,data:iHmlHRfClHHHwqE0AKtCs4HyB7rMfwhCABeUiH2EeAgzbzPu6Jx8XjT6zZfRAukUOmWYRnuWc7ifFPI6KDMYTL+G7vAaim5OE5n+Veiq+PTDfdGB1nIMrotV0OdWba2LKVl2sq0fOZLcqPNFxoGhZF0zWtIj6jwORNv4t551PxwJc0sh8uXaWhtRpktSh33RdbBCVTTikizeEtbtUBQkW+g3SsEiRw1tbzk3F7LPIOr7MF6HMqSLvTDuMkjlGLOOy53tk0tzSX0HNQVNe4sMab89r9oLdoEmlH0h7RwtOwNJQhiirrfiLcK+UfI78Ac8x5NuEQ2PGPjNxupob7toMlHQQNWsVsEcR0ICdTTN09JANVnGHqowfkUaKlAf7f2kE9tHxkI7Xi/za1nisJOB5HYIMtIkPqZ1NnNAJyOXoTKvvOpgum6kPGLYs2ue8ZiPCD7d6L8pFLBTw7OoTLW8kCWU2T9dXV0f2CGDX9+MqHG3WZW8BB1qNbOEzLd3i2Uv6gCKAQglVru3ozjXAgAYUcYTlRKiBkNC2yNvuag9tMxpaVP2q4lA3mH5hKpUXh15VydQ7VkZBl/+lgmasI1Ao+hjjNTxSa/ZVGM/KI6PPl+n43SYz3Cof/Y4eOc9x9j1RPL57ka08oCI9y/tSV6Gx7CcQp8YH6boQFxm9CPmIfWJRIziYZ23r2J4uBgu4vAJQB+aWVWa/vTQoUBQ5Xlc/oBJ4M8vL4W32l30fdqqGNOQcJIIpu5GuG71GM5DUXwpafJE13t+QoBiACxSJtyQn4Se+Y3stXY3x9+mV+gvvcwt7uTIC5wHFiRXO2r7LWjHuq7V1A1BO8nxyS5DyaryK9KvJZuuQRDsuZG7iYDL9x7wU8HR4ZdNuvI0R3ADc4dPYVMk0A2A0q6kSbJ5R5khzsqd66WLhmsH9tDqNOJdNSJJ0u6In8KF8QVV4ySasPB63sKP80IloNoe+ZRSA/NxPIIkifmjGsjmkzCzi1TxZkP9IxZRC3RGFQuUlsm6npTR+5opUxtANtYFVjIk2qA172HuVqxWzvwO+NTpcoEY2FFc/zmw2PgKWpb4OliCnXyOZYDcWFy0LqcEgozqiKlPypYS17oZ91K1mn73HsGWpFfhXwROsyiIVjlRmY+EK9Ja3V3Lay6jtn4/9t94rLb7Pzge4ClLU8e7Hx1l2wqD3kCyf4mV4XcdutP25KDbzW1gxRD819vbu0W7nDeZgcejDx5e9YVMP9sYWO/diVBO2ymjDZ1x0Q4VnRvtgd0Z8Nd/qGDtCfvYGXk4ndnQj7R/3vSBjf7tKwUyz8luy9vnPBXcyX9eUWNNFHXr9YIzemSOiS16mEEf8snL9EnYJtsRKvVgHjqnBHigtEkXhVvVIcu4D5C9aw67PEHJ6tMLJ0xw/V+3NIZrmJpUOAf6zKIVVBWLCHdNp82VgiGp62Jh2tRJA1W1rzObzrckdq2ja2mfx0rsU7asu3kkI9mRRXYNi/T9psPg8qABIILkxvY/jkg0U15yMKc9tp9gunI90yvtdxnKJe5SAfSeQmcSxFnMmj0acbAp0pxDpG8rc4OuPeWpeWlnBarZ0SnPAf98k6jcQ3SQNxsVf/6kQm//oc+MMa6cv94xcJelp/ZplWnGC7tjx8a562ONfY15DrjSL+Br69uN4CrzgD6ZNCa/On03iI//UJWBeFOwcobdXQiNiyLnXskF8xh2+lF/GtojwCJiA3dTG1AycSDPrEHaYazlMDQh2tKnjfrE2o+SYPSpA1mupYLJboosnvB09nyEljb9cOHtqGMthfoH8qe8h5oju1qjrTGjj8KLzWtwFXWqL///942rvSJc8LwgZiPoMUHaCQifg0jccazyFPMZ30Avqj0BXShTpbYJ2dnBcvZfY1rynK2PGQvo/3GBLzPnX6LHbJGrYaInLpPDsubGc29vKyCLt06gmZREhWAN5/u3XgTJ9UwNbt/+Q6qFjcv5wd9G4zWATtJvFNpZcTEcXDS848XvSfB/mkhsfhRktdneNREX2DQmCFkArxFd/kJr5rzYlUpQhBxxkZHnumzrGyi8HFDH16i8oQ1aQNJvjT6tM1Ut7zpg+MpPyNwjhDq+QFQcoCuQ+7A/kUfozy8rIqIsljILxVPP5ljQDQGoeQ3G7WpdSZ+f8Xrc2z5axYnd5/87DrX/T5J42qgP149hycEVrHR4sZ9cJ6EVEVssrnddhZALd6AXk6TuCu4vUraqkQ80jFqBnYBemSduiQUl71sectmksF1VSHDxQW3Y6xr1rUtxbFmuovfC9miup3YfYQ+GOA2sQCYSaO6SZfU/+hgMR7zmqNUH5xjmgDelmWauIhLo9hJqN+AwER499R68gNxz+Pg8g+hRpKtAyM5IQyq98/Sou0X3STp2PDBVBhzLvME+vwixTEFQb6LXlq2vdCCddIV8+W9rcg7PocP/MpI7uwK6ZkCMvsX9UKmieGgST+JADMevCduBelkU2/oSvnEV0AvcRA9BesWM0BGnmhCgpEl6SXLC/zNUrO6AbrR4mgnxgFWNqtcNb5X/eGfeJt+JxkonDMcnGCVwbp6EdybgEX8aEBpflc/3770CDdCaRFTsGHHTMDcpkFvWsR4mdFd/xnZ0qw+8i5gPb9p7PZEegsH72Hm2a7V0spArzEdryplhEqmyK8lxD1EM9uRfPRMFOXBgRRIPHpq1xjYcrdOiD5zfETJr/jxCskOAOrYUv7EXsUc8RuVqVKQ6/HTQx+PVO+JsWDsKgUhwCy+llGPA/ICrMjQTEbPpzpCJJ7puuBV3EnsTR16aWHMWutyYNsKNQbE15UW7/rAffjwNqgT+RMqYAx4wMMFjMZUSgUgsHhuAlAHklaeirQrO5RPLJwhXx4lKF7cNsyY9uWFuA9tkkCPBaqltZCTg35MyFdJdmi6dpiniN4F+ccNXA9qpmoCaegrl1WM0R0+8dpcl99uGMGdRX9oJ4NWa0LmpEwgV7W17XeSBUf4NBUx14eD49SmtqPk7ZjXneVrtbQHl1IHJipb8w+iiLx/2VXlrrVaGjVwEFgRL2RfVXJMw9JSvgjMfkp9yQxIv3loo8RIkwqjK9IjZIOG6Xyr7/BoZhobPaW3Ud0LH1PTOSsio91PDzzem1KxPIOg2+7R3c/cFhLF8LlVnkhCSIYfr6XXn0AYPnO2u2hNh0C18gqKkHveEqwgJ1gjDr0SjcNPAeUIroADzPU7SdV2QwlG5AZi8NwtY1BMwykV5X+ZW3kzFWGKuBH55soH69UFw5/HRqIwKFzIFF/5NHij4j5+Hk4KN/8lEXCqf3B2Wk+H0/1RXuj28IsSLscpuDBK+kIzOvWtg9/wqtOgYZL+luzbiYCb3Kh5KmUsr8+Ua7zruC6Urdol/kT4DEhk15OJCoHjLRwQB25gIt57J7b8vltlnVK5wTEHWHuYDocl3dJ+4yX0cKTqYYN+FREAyAgJZLirpIBnVZ/FKWM6paOo537YW15otSV8nNeaUc/zxctonr8nzL93wnbhMSAYdYxjejWxRXgAl2GUbHqBKv5TZ6IcjYKP2akunRampqEUDmLZG4MInIQTIZutyW3VSBb2QPWiC+P1FdZOYkPb9juJ+mqZGkY0NjvBCksivaHAlbmg3wSHqH8KwedDVJQlJhw61zu9Jt94EiB1csu3C9mI78s1WIoCSa6WXxjpVFO4nIXa+QBwO5zMm5wzdt+0Du51cnFuKdGUH705gtJTRiWETrBah/WUqTSZ6Xc1ZMySQcDAHOhrkh90M8INsQEskm/VMmLigv8mKcNS5S+T5GQQH5UMJdGLG5r+ybPAZoWtPeo8fHQEnfE+qtDwN8A7zwWgu9ehdubMWxQAeqZ1Px38ScUA49ALEZprg9V0poY/Nb/iqNSBqk5oiUj03nQgleqZ43qJmrwbQHrmWgbC8KTRCafZ3bCLhV5JasUf9rNf6c+SI5TPlYiWMGMXbDavPxZPPjpJQGDhHZmPcvUd+Y8EObWZnM1g4UBaB2X/7CXOGCtIjI3AAULsilhiFfrAeD4uYhTuxHqb4LMdNYtQ21aI4J+lWm2Ia7OXpEn0OfYHN9oOLwrd3I4Uik5UlDoH4xcfRZEUnKp6n9oLjNLGMRQlK+NPeWYreGUaodz4NVCLgDB0F46ekZhb9uT6T1PmcoJb48eGW2tEJsQzqRA/ijTcD09+ezpHRncQHWAWO9DjjsIqSzQBpH7PpTErJCubpgVCUxUxDTl3LN93PrfM+h3xqYZdOdNrMbz8HTDzYGWKOmfdDy86US5JlpIScNJH93CpU0NSddgi5dd3fgyARIq9fBXe9zAjp1SUCty7wj90MyrLFvz94HtIxkUVvTtboJMLzTEpFo1I+niWsGAUckbW6HDCv28eb7PTQYYZJaTmEL5L0x7JldQErrHQcPWmT76YOY6e0+NL8xdx5veuIQcpOgkmzBR+rtBeAcP3eVZcCRPo5P11G6D6F9uqTf43J5Q9f07nzHmpbxpWhsHJmOFRzWPKW2OJt7gzD1hZ7Xop3unkqD5aqBcT1b4gwwMliy1h732Ew6zi7To8SK8DWD5e46KBxg+gg6OlY4tbKHog9UgUepAsfa6HD+TRh2DysQfWE1wjIoQxdlalARq43aeLM4ejbF18/PEdCYrWWO9cfLw/zDhZFb2dKQwjAKICyUKqbPajQvQQb4ipIcWzaApRy3oT7oaOOJ/fVV58PEHV7SKD4bx3HGMUQ5Bx8PrXKAGyEtN/RFlaVA/9u3+1grBYlmrOUx2Xqy9S0ESYON5NsnK1G7sEuJeFb4JmZKbr//6CVhuRw2Uifj7g3h2Lz2W9H6AN7ttwneBqYzTkuB6lKo455QovEeAlRe385yRXh7+6G07pbalpSwXpk3H6ysH2xfkJiJuTdsZSyJX/p22o36xZbIIQ1QwIZ5tYJqN3JUW+4Mxx7j/gyCsMp8wf58bhhR/Fud5kcXYJvWwlPQ8PbPlMeLfJX+GOYZpGrPbuEV0rC0RW41joaDiDhLELlFlgHSZTPG7/Y64ydAqO8+XHDNAslWUSLmE/6lWfscPe2xl9p7nMdnxgVN/oqHrXV3A5cdjzu41DvjC/g5YVzSFe7by8p2PR+dzBdqmhC0LwS9K5HrUHjw1hy9F450IoCOLT/3SqKBPfAd7446JaCCV9yOHQiGXjaanQ3G2bxU0MYm6qbgoUqF8TyCb1AgfEaBuoLB0ZVawCvZkNBdiOGGDSp9NXUU9FgrL6I9xCAQSjvyFDtqjNj14xcKlcs0WiiMyyAdN/GRrZO4ounY3jGVTH7a+viwIWmZsJyJULQpxOrG0qht2tB6nLKIm/0bFfJzO0sss/8NWDGQlPjUo1gMsjQusVZCoKMnZ2PmfvZYrbX/rmlnZd8AH6eiP/PrV5xkWijuszn/d+lEJQd6MScXeRIq+aN+uUVyldeZJoyFHgw60jlCV2x19qpidPoUQWxQfKqXz0YRCL19eFjypVQfsSi7XwL9VUJdW4ysiV3V+WSQ4PxuLSJ94uEdFKyYle1wrUbi0KOjuHnhm04PT7MBt8VtPMfxBi+blpDDCmpYHG4PqKe/Yya5TNbRuH5vuTnwQg/+UyRAbbdjfNQKhklel3ncvhRQqktu+23M6nY9pETakPpJvKcghmoDxpltzSlZTkboHIHhZh+dLl6NdDA/a1kR7poFgBMo3RnLwuKpXjZ86bxjQHSft+w+KptDEKdAC4pogkBygMPvzXFruItUnls8KBZzdUnrdpm8EnP6PV6FKnHltlyW4s4JYbPm0S3+OhTlXLlAdogt3ZTmsHS0qRhfkOz9EIlJg7m3DuV76w8lCRR0t5lf/KC1qR7IhMAyC8aUyk7RofBhEsOvlqkpDFbPt8UfGzAOudpnjiozOmLEQ6/8iuO0El13LrzerFA+hs6Tmwpe3EnRRSYQXFoKybilG5Us/SHjTcSQGDq1ZtvnBT158AstD5s9+qgLddw0ycSx4CQgTQOxgehjOHMhcY7bdw3NPlCZmsRaHLtKceuQEy0Vbw9XnWBX4G46GYG81QiLlzdxjFfC2cZHvQB4JJzVTUWwcZACMvqrqcz5G4iFZeiI8pbBTyq2eTNsfbjO+a3JjMJ2wZ6i9TNhqe5qqpEE4kYWBviZzfr81mXDuFkaguu2OEl8Cj7/HM4hDPmKp8krKyf3+Xc1TipM+bKEkqRSr6T9pdTwxHSP4KuLyNJQzHtz6kIQy2mXLHRgy9zu1jYG+E63WMGqxI4q26zCAVfLxmQXoNFaj9c3n78KFAUlo9dZlh3O8BcuxgxOV6+YYfRYpW5C65rpdKdmy1YPg/cgBgfTA2CjSFaHzuC4cmPngALpWThwJG5rcSu5PuTdhks00KsbcKrHbYWVkH5e22j8pGtdU4wAwgrTIpDpg+pujmgtYXQoh4cRQE9p8iZgcxYD5GScskBHn2MyUuVi02gPWDv81adJJWAB66CHg+jpdZa4DtfSgIorVm6wMkrQyRbe5XoKbIjie2pKhdaP8gnMH1wxQKu0I7NrH7Ww5Gy18WnB5A38Ei3ewK3di8eNf7+nHoSHSqiW1aFhvpR8QdWYTup2YBOQ/EQmGnerq8N75Et0Lf8arFSHqdLyux/vJhhLXQjj+K+7Ljqgk9AMWcCzETteuhvFaJhEeuU0e4xyW+RPPYuAY2vgmsh2J7SomtTwaGbm9fqUMB+z/sZJwGgtKJ4vWQdtvIkV7jSkX6qmhKFqO3HismLQdXBfdxqxgNhtoF9af/3zmtv5KluQhmICagCqExYSNxmC9m7SasTByc9TKy1AA+sZj+o6vIiYQwqr63yYzN3qZakJlqgoIafXDnyzX2Z/WMH3I3tltRFxMvEe00xI5DFYjiRmVzcloqtfNIJGKKp9G+tzVKcRHcrojL0sQrnNPdeEKSAqmt0jacLNDrDjp+NcKpwOKbSpftRrligK5z0Jbbet+pnkXCDr20qsx/Ju/G+odtuG35ytqFZ34/OPmmi9aRt86SgEVEQjAD3bhqRjQUtOYdU3IU+wPPO7n9EbqDv8jSUkyKpItxLCzjyOEV9C/A0RXa0Cg5qZ3Emtd94SXMjZQOV2Akp36ipfdBrVa29/7s2IOK+Dt9P+YTTEKGIAYPwYQWD5/b0wroM7gjdZnTN4JHnqxX8NowcQ9E1AuwnPn3znFuo4J0wbK/rHW1AVftkCLdAm8+LmcU5Ab6pkTb3gMezfiA5vJVMBOSAWB3md70ci15AOrFyqiwkBGmGsjw6ZVsCCBDYfSh2mRmI5wKpJ4oKvQm4U5GD/UJdpPQp52eRSt+xdOkV1acdtx9zTrVNYZ8yXzpFtx7S//4U7yf5lws1c4Reux8U+vf8yhazC9mIfkukolWH1l6lZhFLF4WyY31bfTln/nbc0sfElNGEjburlPeGZpb7N/iwHOHbWCMy2wI9LtHSbSvHBXhx2f2xdrzOLWDdOQMPthie5NqmtBr7wTiIMv/jkFseyRegtXPSACBVOQ9niRuufCPAD2TnP4vmF+mkOqzkA714UA3hTsyPjjbRB0LaDm99llF25FiTbPqT1rK5Ql4TlYAR7viAp10tqBoHFwzKRS4qgLYDnMWw4ef156dVG+G5TvCaWNvxupUiogr4JHwOENZASfDcSneICZBL4PiFxd1HYsxwDNQL82EQi1XGfRGGTdLaRmzBiqV8+WYmlkwzgs6DO1d+3w/kd36O0KnwtOqfxzfNZY8saOoiPPw/xCY+R1k0qtldQ4KQOYj0UYmOldbt6uh463PUMy9h/mopkrRw/MICjCRYSt+d9uN94hn/cn0UWYZyawDaco0aVW3Nr3sgwQ/8zdGs4tbvNNTS4ljBhM5CdQTVrNjoVcTKfMoxRhCBSUr1NpvPr8iWyyp2RXG6TGyg5cb5nZMggSbWzZNRY64aLNdpXxV+xZXFkeJNffCCXu40xjxf5r0CCZiawqq8CBuFUg0lEUkzGSz5G3ko/qaTQE+cvx9V+R8uv5QXKoZHq0J1w9GuVjesLc/3ADQJiKF7xzi+n7ZY3ofsmPGj6pYPeQpLUdS7CH4WgtDP9F5bNj3006XjH+rD19DJ2RuHilaszqN0aAZuxx9yiTrPyh6GaSYkybUlwQvyiTtzHMDXTIQgZhvFT101LMtdlB3CUAmentuSc7/y+cnF6FsnZ9mKmJxmYckNZH+9omWyON7gXaTevTSjfJAFBlQcWuQ0nW/eMYaz+XxwosW3zsCacHlrovSrzRR43HNHfngUzFEnDbRuRsBvPMk9cdwVWtBaa5bFN7gPVVCo9D+SKUrCozhYKEgi3nsX/Pgn8bZdVst1vbEGsBPdRIBul4RQzvA8xappYKsamwLDpFh4bB457A5Wqh7SOfstc/tCkxEhwIItGuWSozRZeIs2YZTGzozTGNTUzgxXWPsU+pkv+8pv+rOcQtv07nFR4EvnPujkhFpN3WmLu+UKj+7Sks+wMOUQuder1+nwFd9RzhazhpdSrrhMfTf1mVle24/9avt4QTo9OUQSX3YoHv1Z+9Zm9AmJqGZpFTuKIHleqqZdimoxVyenPFPX2bsjFQdkcB5rJYi+fNppL5wDfyb6jxxWrx1dlVm6ygwRuYHG7t7fQyq3WMoaV9NXCr68AbBkSnkvwOPaVljYN3h4Cas4a5DEU63ZpeI5vNvTUx+1UtC2O8V98vNTtUMDoW41kKUMNvIC3p7Nh/rlQP+lauJzqBbBczXt85L26QU0W0GnDJErryomnTdqNR6i2LXv4zf/ABAlwVjImzBSCTSfvZ5932f1Qk+T9mnaCKpbnZd/cGQg9bhNb6SUMM8+i8xZfrNYWhjIExDiqw48S4ZYzBaP6WPX2SPdBwG8gMHU128r15upRQJHaOHRqkMVsRNeoKpN+W5RLlHk9wPsNxn28yIcX4uxT2bFw2PHch8GDXwVPoLgoHTHVDMVNUTOWDGYtxsUQlkBJaIQj67cAIVgU+dVyh0XxmOWCmU/w6EdRxLswkaIb981KAQfMZflK+ATpcpcBaz4iAcoAuDuvCOmsLZdunemU8RchFuyzN/L/wr/whR6ySk5kB8tx7Lipgq476uW8mk7bOVRn5BaANSiuhp8wdMA4dC+PpqAlYmpppCZLpaYhb06dRIZYXlXGgghnTV9lGM8AaWaVqZr1qGT7EtV+HavBkRbUjcZdiqwMDt+S35WCC2FPgCGeP5AnU/oGsVlYxpvLQiqADXQZfQfIRtIZrJ6Vl3Q3KB5a9qVXmyLezyrvSLfoEhgKjuOGJPBC7iCr6B+JX5wwVPEPsXnscKuSd2olcJrpzxC0p4BQ4q+tcLpC9Nqd/GPaO7vrjAy0vOHuzakaJTKbrsjjvsZGy6YMHlRV7d2WmExqPpE9tz22BtNebv9Fj/pWHVQFPnyWpoG8s5LlnYa35vVdR3i0G9EA1t7HDAzmd6IYATnhHieyuZr8+xJfGigC2RgXtEJhfH/BL9BBp6NgLruBArC0ztpZ7UvVFGRD+JQvLimM5c6KsLd5Sz+PvxUzpUS8MrcJQYYRzx6LEBeLbRyEHXuyuqitCHXYqmS8jJZqduE8ZJbWCyQDFseSzPRiyEMBJLYjrfVpKucrqbzxtzefjbgKTkJOeNfNb0W277ZDuCJtWreAnkjkn1N60C3H9lVoKpDM8+9m7zjfuyFpgwXhPJ0JgARcTr+pz6vq3srVGZhAc9+DlEZpLBm6eCx1jKOi2qn4l4Bwv5DNMMDHbdDdlWKmhKnGKot+xNxUC2K0wivvAPlMhuI4HmVMnRSTfwuJJfNpghfFPXEnP7nvtJJQCCS01doxZabqY5cbZ/UH+Vycgcez57A6+XcIqgZZY/dvc0DN8/BeSOX/AIVMbR6qWGk2Uzvhc4WMs0gLr6lbK0rd9LRTFmOmJ60+EeCJhNm+XM8a4I0Tsc+y3ugXNYcuB5yLSRXaNF4u+ABevio6aG8N5MLiaBPjG3Y3vmmXC2wyGsrXGCiF/hgh/gKmmFnADOs9GXHAc8rxFr5rA/uZ3nqsvjNywWdJRlIvAXu0No5guBMSQCC7qJvVpp0b/bT3Bju9kFEara7nLjmRXUrYOJjgKGh/qVGAsbBvYnuCEikEowHnoyiJVYCZH8cHfM9lNhjJmSSWk9HRGr6+RV10i59+DQeldt4cdK5G7J/C7jXwz/3DbBG8HoX5Ddt3+QJpltNT/myh7ILcg6ckcjU8/shx44Q/B9C3Jppz3H58ILdM9nhEl7EAPHLpGDDCP5GHt/tRJWj+RdS6EhS56K8A+djpDMdt7iz8fsbT9TCnQrS7TfWpuXkcUjcaASBn7cRDj79lL9uF1+FA9iLYquvF72ex5JC7P3q0/FJhHqUD6s3jgIbWtHA7WIB+lVnn05775VsNpYQEOIYfBWCYH0uAlr9vGEhlLj8NL1UxUgIzqVRSfh77/B4TaLTQXFPGYcQ94J1Iq9og/6ST8DzujELtFRVYMw/15qlTLPFgsJBwYWQTDw0fP9kw+oi2R/f19n06wNYTGP4ly7pZecrI7WdV0urCzRlKDETKreLHByzkCkOze/u08z/1grdgcGI69zH8gRFZlnHbpXlV9m4r1iwJCLeNTd5tLc1yLAnJf28vbA6C29WzqWAhwMZrMdvZIFA/IwuaxxmABGjRZQ/35VOPzHJ+Tw1rbRHLr9a+OI9KJ/NSCzc//nMDCr2CYfBabmb2iTxAEAe81MMSxeLifADlDlJRzFhoA/FaaCThpOTPtsKLablrFfM0NwuJ30HPIjPU8NrBHEivWH8nRCb54VNykfFsooRtZDcfHB7KRRICen7q4cZyY/6wNcJa2w0LbMOCsBqBQJTiIx/T7Ftp+TEn2tYNDzR+Y2KIwbD14THobZX1ZB5S977DCunM8N4bDyjBxs4fOQR1MctTJl1xP/V3YJniQbQk+KykrglsWw6enlJOqXZoCeW399jEGgSpBWiDlFYNbmqa15VrxXkLRzPzz+5ToRZFfHqY4fVNHcDX9fCxMrtHFd81QSMxRqEJZslJ6UPlyqv09A8rINUB1wUsnx9aLVN7djLvrZKyW3NVXa2UOuiM6g0HLJ4FaiZZ589q9/RD2qge9GnT6/p6m7rV0oJsoW5kiJ1xCUgo0pCZwDFuvUjnZqOA5BeUEp4ob5CkydAS6onAnPXbYTbaMusHHzNIVMnaFi85J0YQG3uYextivI+ng/qRVBltjkmLPbMlNWwKEE5xf5wZhkrEMJjaWXZmD5QJtpdzNa8BQoFTolPcBWKu3cFtEXsJIa0i8I3grnFWKaH4oIHpIz3UihQmvSs889xJrtB5jJc2CQL3z9ky3c95UEA8mJR8jMRET0sB/i6yFvl4EtWJ6+/rQjgBDKsXmlLZ7ArDNyXSnXy3mP7exf8xok5LVWHAfzCVs+PXlWo6cd9dHjXlV9ELlHbmi1Tt/5ui59ip3v0F6k5Ftcbm2w24bHduR7QOyN9hlQW9fdBKqFFXl+cF9FyxVlnypq1HaJ4a+LcXSsDHw3y98kr1wFecRngCabDuQKH5mpF6D5TFSnk5BCIizAHKyP0jl2E3JB9gkhifWG1cji36qcNDdoGIv51m6yv8gr2mf8PQHrUTgaB1FaMNUxEWBEu8/OjEoym3lUxNdGH8lZnDB7Z+w9o1zmPu5XsNKAN40zlWCsq+q9yHQGtfjwEaaMOl0l8pQ+FJuYQgy64Oa5pWhMw67AQhc8nWlCWxOGGeM45mFKb0KX0Jjsz6EgBefxt2MyEYhplrm7qbF3ZRgvJfALApCcUQ8k1x3DF2eWfVeO7ybxesD8ijZxGVYUTf366VC28niGz0+16eMq2RnFhKyjM5gWC8In5Nvx+Dqn22nZucicF7JL4KggvY9XDMRnDS+6i7KsA451T8PQA/3FzeifL+nyvrp2YYlNPVL//9JIxDFVeL56pgBZbAlC7LBszUrTnOafGqal0KjnRrc1pozlKhfp5hNT5WdYsXuRtlsSBiEkwopbylR+wuW//CmmyJ59mPTT+am4DvoBr4hXnRHqk/4wusl77nO1NiDkhlBwWOGUVBmtvqT/fLTCyxp9U3piWnN7tgUC9OkOGv3aXfbWacuslZBw6R9fK4L7NRGS4reDAAr6lKLxeqrsKUGhYZ7Fkjf46QpPRqzQc0bMAaA2FqjfiFGi9ZFRJB/fQt+kBKTjW0gkrXWXOSakc/WuRNKuBvgKMZqQvlPsUzj8JE3sw45MR4ZduyX/0BKSpRBUOB0nRzassjdFolqoM7Y5WGOow4iNRUvC07G7IyqlQ29+eXIPKplr/+HeJ7SSROjuAwoVBV61rIIS0ETGbKG8eTqLLfKTZ9YDTdmSkp7VXjj2lEG9EcFXG/jl28Bf/AeobUeSGblQxpKsPsTNqfrv4G9Ts5EoP5pcOYRJlvjcSCRntqTJJNfDqNuHA9Z+sv16bA94eG2t6ox4xn3lDzVlCJnMwo2iCxzfX9q0hXCP5FQtDnKEZLj/rh87BqbMQYjo2GYue76h0qw2bIaEeYgBr4lh55nmFbLmjxGuJd2lfFymA+K3AW+VqGPaWeQ4ABmGXLSO5RdKYa5gMDnbgxOVEWqXRyK6QMPC0jYfN2ILHCzQKSbhAMOc2x7fGUtn+3SI+PdbLxiwP4VsqC83N8jewIbNCzKRvkFXrMXmlEVsdjxOInOLzvQboV0BzfAV0BiDSqCJpQClgnrAOfKM/MCmsguXa2Nc9usj+wBQ4xk2vZXlS30ZWg7rtfM17nT65OWF6bHZNlwxJTwJJ9nSYqy2pNExj75jI/SNQP6RDqphLGMwC0eTdvZgjNyQ48Wt3+F36to1wNS1mJt981uJ5OAF0XqQH+wnS4bmqgEM+5yWWWV9YuffneAaI+YMBTwB4xPJHgENtlhtiSL3GW01iXCnE0pKuaxuL+CnndspKAHeCXYYx0Z9pnxre67Bl98qUGRm7CAkEdcA26QfRtTuwbnF5KZ9xXf/8fLsCVG6ENMT+Y2Y6DUXI+OehPcHkqRgnZZuf0WaUf6mPK25bZtT6WtqdowPt5FogD0ZTnjnDe8teu4P0KdWmZlzqbR/I3gaxWMWR9tQco/9RML7anC2Xrqhk2CUZMkMK0tajtfKwIejZjBA6AQF+umGhs83A8UHx3X6NGOfvMaxbKiBe2kjnGpvJnTteBKiC0ozKXLHtdzF0Pfnlegc84fJcq243hxxH4NgzJcE0SJcAez9eBpckzLev9Q+E87A7R3SujBGJsYGIgXd0MMxGmwIEHZBi5+LceXbl+1Dyj3WunQk5J9W0/U3hAPQFWPD3IsYwVh6aNYjXWapNo4fwND1vfePScqjPTIxqMTy7BU+42TIubfzVEMfLma1ZNaWKWb+G7OU/tZEr02oguY/NiF/MuRCww3cmFKqvV6H5SnnJGqiMiavZPemIlJZY/nm0TKfqQf+TAucFSZQXqp7rTUOzJJjW0UQTa4Smi4KBrTbHY8cGFkeAEuPByqRvNaHj/0bEW3oQdUn2nDtNYcHRo0cBhXYXrX9tWIW4QZjxfhJ15TiOMo7753qFofxXy70Yc/m40mB8VYxbqnmJDs+qVKQylA781fTQCyij6G00qY6Mp/2IjKyxAjDU2DLLPNgvx+c9EyQBpUMOiOokBCqNOlecPqzoZFtJfc8rBWJCXicMTa+r0OgYJA+N/mW9lzb11toWV72pKMfcuZQb/BivfjfEvNAg6teTVtnJjcezy0LztKplJCB5U/wCbYs/gDmEsMQN2k+NVNV1u3wgq4LFlUsLoQBA2VFs1RWTxLlyo3qm0o+MKIrtBpnlLCDWbw94zJ2XPzw0PeLsZkiKE9Qdt7xvuB7tDlmnQW0ez+mXMaPsVpLai9QFhFtcwvzv800WtNizh0dqnvlv3sUAImkY17KHyVe4xh7TLrM3qOs4c8Z6bbKDemZymjsQWpyWcvuuLgdMb981NCOQZbjhJvt8ILYCQ6A1CGRrqv4oCHjZqCt9tt1N8FbJX7dXcCbhiv3kGQtpZI++V3BvPezKgGEMYPTnQQjr9yfG1HLVeiE+iPKMOh5ds5HD3HlhhJhmlrCFP1cF0K9AvZWEvTBBs3BAKwDy087qlcivYXBmPiVaU5IZDdwURetPaIq8W8I42jvqQceVpfjaW/qBJDisZqpcYQhLwazXuSr57behSj3zxTGuM6hIHBbaKpiU1naXKu/Dczq2BoGdTyQcqvLwfIxC6z3uE5EeckY37Kx5lA9zpAouCMh7Xcw8p53NG3RcEOnJfznoy4ZjpFuZrgp1Iuxe/wT0VLWnH4Lg18lwsb1o/2il9d8982zXDKBZEElU0aifOLVtIWtDYBM6nglHfMYtQV9MDUipnT/kMhEeqsXxda4IlflWHvXBr0ir91ICKsOY1R/WTOO651KHmwxixKr03PHlW8JNbspK5dRKr4zD7OCvBsM1ANx+HyyXhn6lEZ4OO5PleoGFa0ZEqTDuNf0O2dEYzZEwbO37q5032KpIIHQegha4r+T0/agqC9g3gHRtJ4/bajfEiElr4i7F2NuDjWM6NWL7e5YQf/Z4xgfr0zoziwl/HYhYoPU81M4BBa0t/Xaco1uTLTFyXMi0/Qz9YvxNSv1AcpIdoageWn0hOqczjOYbF/wadC99aB/EJatct44Et3ff0gaBh35mZyogsEsjUabQjHb8sepQV9JBYhzi5uPvw9Qmkz0HouHJIaxuPLyartZd0Hgz6UIvHBtlLLwy9ZIxPishFSl8GaBCVtQ97reWZ2L0SnEj8h/0a4ywoPDUBgwoN9jPrFQPj/GwnTC25UiYkh7Uu3abcYrg0roOdi2eguniwmubsmzN3U+tekDdjnKU0Koh0adnNaHxlFGgJ71+fsOpXy9i6AbV0tN41kHJApF23CN+4UfiRq8ThgJ/VO4+q5sYIg4VK+wwD3WBZ5WBU1b0JK7eJkhBEvQQY40eZGLaPXRd2kz1/PC+lTkZEzlhe3IrBvwXnJwW/WMHxDZS5V6vrYsJxSdDwbTTjxhFcY6HAsqj/8DhkC2JWxmA9/alVtIHyV8etwz9I8lTcHLL1VrDvdJVtxk4pFZKziJCODAQ8jvBz/jg2wZyu7Ur0CAWjLB3X0yxJJ1nvFk+yn9gMZAARhnBPkOIsJbUFPOn7uj0arIMi4BnnwS+IOtfuSdok+/dwKhtB2tel0L3YidUyIUd0k+mxdXeJRQNh7b8+D44xkOnu5IwZ4gwYEtNIYIClhiMvwUZu5+AXUqBuP7QvzSSWMqqHfqHcCbSiFfyCIVEORrhjv5CSaxgMw/7gQrAMoDUbCBawcj/cNnWdg948/I9GZdZVzy1AAyiVADH6vaYsjZ2kvW5BOF0tPy8CZrHkmXXUtPlsAXmH7JU0jOeuNRyDN6j7HNZ3/NIZD0LztSmpDo56/kWl72jMtvssTTcoqoBJAawZdAI8TRnLb3XDb/QBu7zRGjzku0PrVkTcg+WQLmkvPLzgBNtLfmriJkibF7G1Pvuxhg66qoBXqKIf93PSeSSN5pEYy5L921pNwIbzKGHZxs1Nv5gowU9p98VBpe586qN1wF9uHqbXCFbG4RfVRCwew+BtZzZqCJ1sMmJTQxfDSkhk/KpKbMOahYD+4ge+wto6iNI4TJhb1n9ZKi2JQFdYdp1PXFwdwy27QTduuNOdLJa2JzNSJb5ln/GM7a3KIwJiLxRRr8rgmL+KHiuiFgexe4N9yXECxRPh+E/j+VcRdUvQy5N2aKUuhP6t+CSQ2VWZEUU6cLU6/yvnswhqfEYnEUVNHH2ifSSCqAkqcnz6QIurN7I1lrzWvdz3QHV/2nq+ZrnzI5qZjbmihduG//GNjuvcR/9QbOZiAiQMwiNxpPSJoCUhnZQ3mo+Wh9JYvzmAWpYE+pD6HNhcXBrewa5jK/kMIekfKM8I0goqkB5nkVS8XqatR9qbNSXi1qm+9srbm8+HE52lR5YzN1lQ50w+FSMRi1GVZKGN9N2Qofc0ffLw2HWX9KAwT0EVgrs4arCKs/CZsKyhSaxRfoCskEmMeNlUEvAoq5qMpUNjSQz1IrmlTeNPIvJj1WpnhlP4NTlZb3qrfsZy+XmkjN/A21ZFMJR3ULJnnxMcJeM57J1DZNPjOP5T32JB+ApE/IrR6h8L9nXxDsEpCwG517QOOc3waiBHcz7byfpoMbUEi5QfydHUaGEZVzGRk1LHD0O+y6hOS/wLOZah3YDE8zuWjDrhdHOxejCAYs20uy3hIhHwoqn6Fb4PGY2WLVFx9P+5CB7CH72vsQycmezT8HE5PPYSksj9SO3JtEpNr07H7AvP2fHx8ZzYHo7xuKRn1RYr0hx7l/TcwNo6QO8NUrTrTQsQTjvDyxckKLukYwWy26Q2gPrFzJu+soNpouruynkG9FFMxL4T8vu/kVBkFgNB9q3gYXDD6qbA3SdXniuGIqmUQ171T/nC8o+K5FROU0hkISjRRt+g8QJhpsvEF25rlA+OwduLAUdsVoDJAIskXgiShJbvL7nq3uA1bE2xRIiJPZoNewbJ1Giczlhyv4drFlicTKmx0vn7DGe+2JK/IJL5b/nY1iKXKxfnqDw+cvkOKixugnfIEni1hQnF3zoDHCszTCnVemxJp52uLJ29Fz3oxdsv2uz4fmZHl5BUAo6LAKmZ5mMTucN0js6NveCr2s9LpfJAioJeHcYf60i5yBGyiHqVcl62e7OxtpiA3P9ll2+swrlGYqW7XjOkkUXfqXwGHjHHnJHO4sqxKbHzjZsO1FcPqTyxlMsdsQUoERQMA+1uVoXW75GuNB2+B7YUgtbY7+RU8tj8TnoIK+OSciSEc7bipFkRAH1gHHc9hY5+IIMGzN4Go4JbW2styFWi3VvMGcVeYQsDjlo5FjLvkUx2Z2XPXecZS7bQi9xhbTFsiAinpiFNlyldbIpO89Pkeh/Rj/egbB9jNcb7rSWkGgQDl1x+o6vzVqsWZjC22jcDKpPEl5vxiKA/bVUSxpQvWydCl74y8r24fVRVSquBCzsOV/17SSXn2FP3OOKJMNR1/IfPslL+Jn+vgXaglpk+1GSNmx+++VbIpM/0gT7mpDhSXLDplUsXBgFf4+Vte9dvHIgGxQEx9JILZrGuisZ+nsI8KQFzg2f3fYSAT8slDGBUC0IBswl69/mvBRBK/cUEGh/2lKWlsMRb9BaCz3hzDbarZ5Rc+ifhi84KNE7MrJnWChEky/NiYXRJOvKAKw0ZRjbzbyzXruYYkZtTjotDlsLBGx5/QTOCdz5nLZQP0XQvkQinE8BBLS9FNkH7Jdh+lmMxHleKq2hbsIR+x/EPpgCE/Lk5OxVXkKF47SQvvY4m/zrcavYKn0tKRH+HbjRgxiiu8y9XH9e1FmCY0KnAJBTcx//Ahh3sWqhu+1iBhYgQcRjbmku4oIu00WrF6tpxdwXew3JHfezHQMth2vBUg==,iv:J2LHdTKA/vavQyET25fX3KCVtRLY5nak75e8p2Ipwyw=,tag:qsDQMIKjamQKrzc/O8nIQg==,type:str]",
+							"headscale_derp_map": "ENC[AES256_GCM,data:VoVMgtEfxqY2lqd78mp4gWvQ+C5jY9pQp4EMOL2eJhb70v6CmGPLrY8zWh6Gd3V8gPbcVxnYbwDummXItgIn/+QUYp2pj7SqRWd0GvCK8UGQ7PqZrIxLGp+R7PtmGNYrZMtYpjJjsW3ZZ5yzdLRYN/2YWQKY2saEl2EfxJJbxYTZaPBXnuLrXB9WiljHQd+ItgTpVdK8DKCaV4Mwpu9QFSusaT9sngqYcFSl3BWCOKgizgh3cdveZ3zSHwEOIgR9XbOlPCRICAxEyvGRbsQGgkIFk3Q03tuUfbea3aukBjSini/0kRQ6/3o76SjhMyeI7MhJKpDFTTHIKCjW5FLUa8v8ic3qjsaaFRWXCFcVP9W/4iVRppAmwIqA6CpQCOXgqa7TndkG5xyGz2tpGM5i8kgV0nF55A5AqOcoFr00lODP2p2gtsdnUu/u2chHBx/FrsDWEq6/g75JdS2fz6oJPcSO4uZgMCYXXxsLd4StuHjranA6qi0ePelOlZtclKLZNsgEuimYGzBGsSaX3ug6jSlN0rCvyKDS4fgsr6Os9tYWZls+zfItF8wZYHI9sBG8K2tSUa6k/AqoG3KCC5C/+gCfDyoTbgkVCXvPfi/lu4vtlN5ieOIf3fgPmUNZHMdqOAe1Vvng6hHtqFnP8PVVNBUU7vwTZQJH48EgiqEh4G731aAIsm7Kxyw6z+W0+dbk1Ab5gU/K9RPuLfKjVmEt5lMlCx3gG+VG3TqT9YYRuyZIA+nBKFg+PGjY9nRpdVZvHQoopeZU/I/EUvZJP7fFNtfwOQ+lvUq1VA6v6U2IB95Es3wPkaVWa7oTnjj3m0N1/uBydFHmqiJznTs1W5k16kiYzfGZpVRhdyJ21FB4exo674XumRir7EfO39KPoz6gnNQJ0X7+cy40YASJJxKSSnZcvhlbequsRufTAIidzvKhh+ixPz8JaNclAA7MGXkqVikAu2gExTyGj5eejmCfVLddPhvbzCXKhG85+0bkfLG0LyT4zhf5uWvR2urUa5e1zu/cHZ31kp1aWYvahXnqgKCdKInxL2P0uDxOesi1lvdSmOo/8NCa9v3dbNf6tkCUMCErdNBXjeTylzMqXb1nrzwd//sWYKbpKjkyhJv27dBXxJKcY9o/Rqj71iopHRxg95Lx0G/9kkWcdUBQ+zO9WpfvA8AZQjrVKJs7AvpoxVk052iOl1YBiM3y1a2zPrHgTjs6KHlfnaImXtxXOUCQcGkKq/SHhM21778IWRyecngzefMpvsxgulH8zzN7hwaDbXWJK213UNUzHjo+3q/UFViCHmldnCCwuozSHzMcupTehTxD6UKxz4h2E2Utf95mkYuSCpo6yuqEHX1RynXruKEVzdSfnCbUVe7TX4t2tn67fDjHg/Nd3vSsruIKA+N1ooa8gh+xFe8Qucg4E58U7vMqPrXrWuwAPfVFZM3XDytP89+ioPPEqtm66MmuvE2Ky+3ZJ0k2Vhrqfluew5Wcone1AHDLM33mX3HMDVkAxrTxgtRh9SnUS3JqxGxOVxbYJlaakbNAafSsUr94zmYT5sQavsfr+xgZ3vREuArAyu8FDSsd6sUG1jsaMi226aE/7mGqYvzF7OyeGRWtW/nN/xwKTRnTjx+t7BiCG+8NNvGrAwZKrT3hkRF7fQH8sW1Of0t3ewYp1iQjIgtwtJFzpH+oGy91A0Ae28Kk/WbHLN/zGDysZi5xd7ttg1G/A3/286IEt1Lp3+j21hwsu2zIWHW1tD+T8UmPqAcAC/YnLQvFp1K0uxWGQbrt1P67zprDhcM+bhyHA89y3or1UeU51J0Vag+uZYOfGXcW8rp3We/IRUErip85hWvciQ+HcocM8XrWo2eeqHns0nRTW8RdwNvBG23RHPLrXabqtQEf0UcM1y/Jy7VZkrqVJVsNOHty3hl/UX0FWHSvodTGGggOi7/HYNRKyRHXFGrOleQc4ScxhfbiIwstzHA++i5avT0o9sZHVg4JuqQvPwKs65TfxoTfiVarDoKtZaH7dL4S32DiLYyTPIX7ubBHEb/C5eqISqOpyi7moZS+wb0LAogb230VS9GjT77Fyb5ZvmpCWdSk2AWaTk9UWcMF/Nbdn2rfL/LRRNjRKCLc6dsKCdUaIqy5sFBfZR3dlYM1r0L86bsK5RQtBVcEskqZwUq/p1XzG3llBclh6/y/WJnKcPcKTOmWRS7KQ26rvBdmtGu3WtZ1ZnmLOZcL/VQAVBI+ZeGDX9GfSHRNGRgd4DwIs0mdsKtRxFyHWCIofTXIxHV0fH3gw1fZCM8U+xSRq/1fqzeBzb++g8ChF+w0bV1QaFv+2RmRdeJlWINqbIo4bYUlie4XakL1Q8YyLPHY37bJFIebRDOu+B22tv7ZtmmBoHAnQzL9BrhiXE1q1+KNzYdkGrK/vQmGZ20348ez7HPZdPwaQZFVzCShEcwfumpZJfXylNl2+rCIYgUAwArJKlv8fBvRtBVPo8UMW1SZ12SYe2bpZFTtK47YjmdQsAD3MCy0JfoR0bS4vLeWaklHysk7T8sHsJlHMgNGZVW0QhH7jJx7+oauGulmizu/bgaGEyzr/CHJ8OSJDfIlpZZMhV9IHriDjZARQGtulrE9e+1WSS7dkL3RlwrTqewWSPePWIUu4AAloeIJ1xTzEfhm5kLBJjViqMDUubZzRPqG67r61YJnfLWhqM+NsIJ6Ymx1CUVQf0G+S51Adp1aBvNS5YI1fLaojyOULiIONfWsJ9FmRZ312+75c/ARgK8W1OeI+6BVIsNXX+iPIJwWrSd9UXuT9mbDj9oM+8wsUg5dknkIaVEikxf56IaFMn+Rx/jv2rurk8exICsEKpS/qL2TtQytvQ9IQfJMA68ieGpWQ8Idb14uPNCaXY6lALZ6WxnV8ae7l8G6SYGdGZI4WjL6e+XvbbA0CSJpSwfvx14GRnDgcWbimaDHYLaqTCWnaXVpBFkcVt0WlI5eDaeRUar90NqhQeCVeqT52qGNxFtgP9veopusbKiP2YHEbfOqWN1jDBPF1oJ1xOvwUilpPqrvt39B8YfRIc1EOrq/v0UkwIh+2+unE1CUJ4hywkNf0dJOLChQci0k+P08pSQxJ7ioylgyhpstyUk6lOukA0A8xXEEI8Ao+vqlELaVu5tJFaDxcW7r1DykBAD0mMgTUFXBymjIchBQBmxtN2dgNyLpfBjvsGDqQMz+OcgtovqmZJohTrGdFghdHPIyM2I/iBYt05v0X2kr5oGJWktXDeRqWwBlL0efvWewdKK8NN/dCW4V3VAEEqJd6bMLJ2xx8oi3o92KATHriNvJsQRQsFMTxw2UYddS1oK8v/XBx0D62orGPk3SgFOTZ7Pq380peQxvoPw9i7d52+POZBIjr2qF8NTOK55kR9vGHV4WtYjSObJTyixOH02ACJB1rlT7FeyEj5xY72o7z21QvEQ6C4sUYEvTLkhjb2eXhyLQh/KWOghQcLQrPAO//MhCuE4SyAajfyW7O8o8aK8WE2k2ICJ//gte0jrwaSJITXZf/7Oweh5Nr8NQ24CSQRkwZNa0VxxUf+RTTEF1zashEEg2Zqu9UZa8xyqEvgi8jkLIYQzp7Vk6BAK9s9KNfSrmh+PcfcRnXbw9ozJ9zA+GLeTp2Mmnl621/nSHsg/flLjRDfr48S32snOBU+6K+doMOFuZICHAlMzHHVwo3rrB1clFyvHoQWIEJD4GNAwv5fub+I5cL2wzF3BKaLNhk/3IouBGYp6HENh0FXe+wsXFOcpVv32zsZeAzOc4/IABrR72Zdt3P25QMLcKOc7oxWczba8bElms/5WP6LMe7jcxLiwBJf5tX4ruTe4ur7mUhumsuNT2vU9v4CuQ9zKdz7l3rdnXtysv2lYoaVaZ24mFoeLgy3k5465aWD33GCG7XzTRqb4cT7Jzplx9h37wMyovOT5Mju5UNSstvWUEoOjnNEx92RCcvV7KHcSG0hUI1p41ZaoWZ3X+vdq5oOw3mndwtzIdVg2db+JDkr2oLjnGLh3WbKxYU3Sk1+IU7G9CGDO1GsGPCHx5eI441t+1BAKv/QffJ/QT9cpIl2xoiSgdHYjimjAKEXX6Ee5UXwIluh/svYBORvJPTTRNwzhxKdS8ncez35wd/A4JRLPdAqSCOUAkwcBN1LogJyNtfdYPtss4DQXI6hdd6yPfouHwBA/r5h4NQHn0lqj2W5kHlIMQLha5HlivHkztRZKeMoclNlDR7eX5OdUzkVKXGAvd8oTNWMMpAW0Xbo9S0tscltO3LH3aRtexqURhI9b5efAYmE2lY+8dYh0IRk8kN+txMmn7Ybygo8lVw3KMIti5IvVLUI9BpXl4muv0hNlfBawxl6oulQvbjodNpgAEq42o11KxEGNWsonFQkYd1op8VuOLZFE1vzTUzr8GLh4Tr0fSoL2AtMgfB5GPLTUfsUKgHW7D7lJnYX9uQNDUWdPmXa7sVdxc3OMitwa9oBtzjLCJhXnpHwZsJTPP3ukyfoQqA2D67l7oCHAvgFdyq4y2Upipa8MYgPhOmwyvf6hvEbgLgwyEczHmdn34WJTkoJxenIDgwXl6BLFla8t/lspb8btbRZHNzc8raA22Fc1XByRFnlVU7H6Wi4nEyg1WwRrYiYayDJlSlMPhKHY3l5t350umqvXayTuR3y4htyYR+OOenar74fwrea28qIss2Uquy+cx/InB9Ks1PQjk6+Ufx1PZTIsu8jURmdUOcwClZ7MTzFDg2uklEqpyZix+x50PHELq5ZsdpeKT+6fZO3ykzJgB/DZfUgN1SLoKlPgJaGtaHyhU4MKEsxzNIe5zKRrgeRlVe7/bwq8Dw5DUMYg39X0Nt2G3R2ebMaUDccpjmGJLZmkYFvyfa0VBSkoBTiiGMOmJIt8if5uK1vLWohDVYnz3+VcoubHKPpxOBsPc3DaP0P6zmKc/a0lRPlPgvLWdohq8XcyGMgruslU/JdM26g5rafleyhXd7a6ltz3hJPVWrH8Y/ahHIEFOufiRMtGh3ZZ/jAKIArYKh6erVh4IEprMhuQ/g9DL/Qnj9+v5TvuCJX5DnNYmIGj262GBZ+GclbHhGjYjVYG3qw+//PHUj8ehe61wSg5qsiApkZBE3bCnC6MgUTJ4pbPo14vfIcUr5eGAgh9Li/Hu2sZKfi0maxRqLBcYmZ+BsDsybUINkzdS0R5lRLIHWe2XkbvODI++Hw9SNNEi8StfrM4RiYjRwWat5jLQjg6f4Lnq85xq6UBJWzPYTaYMZBMutZ2K2qjtpMAojAzoNq0LEAEDxpkwKLoVkq4hU4/aG0+MEPxYyLPbwEd9mvk7LE66wIVuMzQJQfYn402gHa3MRdvLeyEQLZWo41ibbElpglqBZJ7IZ1wIMlpT1+kLMcvWTRibg7bPJ4aeOcIv79cWwvd4SNI0yDmb/LAY7CZzAldiaHc/bj9yXu5cBDXCIyClQO6diDe6P2e4pV4c5AG57Md4RJrvLoCDULY7KvMGkJWOPPgtVQ4gAi6kit1xw51fZN0WnJ0TR+5oSJ0y8dNQqbtHaVr5Q2BUaUkKgUUfXrEuX2IjtpGVC6npDe0BTuv6oIjpHtv0fUYqp7P9qqf51PTdsXEqwwtyyM3AxaUS9moFpiMf/YxE9LixNgLVKLAl6oJON4CGH0uVnrwDueRjmr7PUZ29TKMq9fboHci3DpVGrBn1LHCp+/Sa+M8qNgntNUAFykBJpmCQBhaqTMBsQoNBZpbFyMW7+81BIc325vCY0Kygr632JRnTFxsZIGHW2ABQT76N0BJh2IHk/APJ0yFvrl4f1kCO32LWjtCr+TEJRP0dV+cbqsmW9ccisDjPmNcAgLVnPkKM5bh1yOVBiN6X8tXBCM/qwR0Ec0cepc2mL3xoXFv3I6Q3oW1tifsoeriA2W/g92J7L0gTXA+yvA8DN75ncIgG8+GOoe0e58OYVmYoJqH7BicW6INw7L+gW8Dv7DnlQL3p+YytqIR6EI09xx2ggZRyLWVyIx7x+vK2N6WpglSg+EktDja8tG70ajrdLMAlZY65v95NycND3EsGqz2DotOMDyFIjGUOiohlWb/Dp5cbVNk9F9mfFixKNFxqDXR+4NuNso1U+OtLfVav5GSq8aa3/nx5kRcOTziwHrYz0IRRjXPyJedugMa0O9jlaG/oX9WpVFsMmTlST2IyBDmT2ceNVuxewR+/QGXZLa7wKbk0m8Xi63QK2YOgZZw2JVJBj8QXBNKwkRjbjSTpJTQNpXYSWc+bBLD7/+AOyxcFjkXT1e5PYi9FVnYCQEzYajRNx5AwA5ju0IOT9nN41WnzZJ1n2J1zPZb3lo/6dMHc1ngT9QTI9rFksnFRp916EV+Ch36Bl0N2D6SEmBvKO6hjBBwSWBncKBujMDExKEOPQCtddvwwfa9OJPt/1IzBPW3iJsKLrI+LSUSI1tmqgccx2VSTareC356fJhhDUYcy2zRNTDiz5MArXnezpVNv9aBOjt4i4Xv+ZkGB2f8tOOKLYA0kqDhZK8OfoZxpe43hTLqdsgnYNa31dqCjpFrj2ey47sNyFbd442S2JUZSaSnk/f1TuUJJeM/Ts2+zPnxJu8U6cBAiM041yXrfn4f92fYbKhuaWPHzTjh9GUYPKSWfJbdsYuBcOabQ/OSL3xOzx17qlcjXzXwTFfB7EzxCoLGIxePqUvLH6YrxCIOEj9kgufde02/+w/CJPL8mleUYdY4+HtKmu664byoLhROvRlOMFnWZBYfu1mGo8Wf73zQVrJP1fEVhrNmFKXXg7inD749gYGgQqW2k1oLsUtK1GRwqODonn/k9iVaUwoIzavSc+A7sgoFNr26m9w8bPlojbHc4QKX/RQhqCioT8YTRuw8g9N8x3xu9bf7FX/UG9CwPmpmsOkOnXttcrvyJ51lAs4gq8LQ/UVe82y5kl1c86tDbvvFJDWRycbK19oC6ZXxLPfryyi3WKs5iuj14YH6NNaI8nYhDZpVM5DdyzhI6ak79PYbu5xhbRVuMCmDJnSUb8uOGY0tOKTl8/jRXsActwna+c7YEGfoLAryCHSv5xOaZMXzm0ZMuJee0zhHmVJmV6GrU0rSlRIr/M9Ojy4RLnZ1qoSoO2JvZeh+KZH9y/OvgJzNJtSb7SfsSQGplcW2yPc0iPPjC5VC1AAph07rmUQdmnTOeIu3G8ZmYxtXeG1BhrWRfJdIk5JP5luOJKTKy1DUlhVpp8eeidDHQo5KaB3Qx7cN6gorwmZXRN0/1+YjrMkEw06pACreucD80RYNpUObBxLQaGMWRDQ4KCYqdNOSQlggxflDN59A5DO+OSiv6DO3MpS+Mq8t7uSXBiXIpxn5Ls+ElmW0TmIhpGswy1niczT/Be4WGSLO8BLpWz2j2xfNFb8+QW5RNXaSep8tI+VoWX8byFy1Qq8+GS/ksjeYxt6IYfRN7Hf3kN9pu4Z+bU707Zl+yf/AUG4xDagA8f5+OEWaA20yrWMQLKQCUs36LNJKZdfkeTgzrsfeB0Lgnnsk3POBAX7T4UtOJeI2RtmW8pSQjfc1nXRmMlQlUI4DtBHWsi71yu7vwWBTcbCafs0s5QoCHEUDkUX39d1Uju/TDy3D7rrXpTYjjH6QBgcUi6Fy0qp5pg3ofmS34VVJmP26gVHANfReEdBJz1HaPXvYB/hL2AVpVmfg7/e/WYRmdRyZ/Dcy6VvctwleuQOHmhlV12SD4jcrljAD+Mm0yiZcJeeHoz2Y+NraWu+McthBbHG4pOno4DMDl2ahCGnbTQInj9kQ6mQSKOMAyi0Hri5WBTDdi0TRv0bM/3GQt2eP8EkX+qnvpKjI4W9U4WLcSZjBhuWsoRXmLjCSwsWiGETVB4U9JQMlBDWzOdze/oPbLQViXgKrU//lRl+YhodgF7syQY+cLJUiQ8ELZlTwX5k5lQ3mnWXetGMjGaZ2iEfwDHCJZxgrR8RfVrK1ntFqnX74DTyAwtUBy6BciKtjQu46DL9CY54Sf480uT+ZRQ1uhsleWmBxlWg/xRBb49Pa8QPONKYlL4Xup3Luvaz9Q+bS/1lWwwi2TnBkTZ6AnC3ya8g9H6Qjfq0cyyzRXHBg4NoEyLWnX6KijwKgPa92esMcz5clK6+9CmGDfEShG/kwnnQI8449Zp/4+lxwG2KhDr4DreBwHDqJkZ7sf0NKH5Wy48o8IE8lyb+uUy87VV/0d1ZLEHP8n0WJu/6DSy5QbWl+usb6gwlAlPmuCE11KZH6rkshfBQe2S6j2n2gpLw6t3HVLOUUn8PoaX37w5ry5/VqIzFdZvWOEKE7SQHsTM9nKdHwyjgYyTk37kBP6PaBamiCMmly0DIunuROnuPYVfTLjnhdY78p+flAupSH+oWyna45cHuoPddDqyKSuZvUgOai5Y9ToN8TSC6ixgR/hb+QQB+5jwPgwjkOALdtk2WoSMT+l5wOzcrfRpnPRBQDV+yP9svNv3BMyYKoX0Xd4LUjmRTXj3QKCr82YUDgTMxuzoEE9nZqGgjXaAKny16pS5Zbb/eNdlaeJUC1PKNUSZfRhLEA4tQmDpNYkF2k0Uv7MSQMeJVTRcI+hNkcijXuWAN66sXOrlvF7QW7qx4sdnTpkDx36h7maO/J3xYcGTX41NngphzCBt1jSiPNMdY+GZzcicYca/rtgEk2b1XGrKCEZolcZBrFUge4CKlZBrfw62OaJFYnBS7+qNLjDeOpY2HcMNSYL+GHJwvTMG2ZBeHOFADOtSdpm0vNXUcnyQqVubm7LGRLbmHUwafNOVTYQ+Sf+05jtD9ezNpeiEwrr+y0EHqc14/XDwQyOnSNgwMULoUvvv4DRhGFCmrlOZQMXijWSCLBkWicFXq6taKIlxrvNl8ZRGZVj18dL5oiHvYrxdBGWswlSN/xjgA9KY/NozzZCSAvp4VZqpN2CNyJr0K85O5631ymAE2gLOPx3lrV3bTQ9bDhqxCocS9Rf+t1z1dnqydqoejUkKLkkaGZTJXmf6gM7gOZ2XWPglfsC41VY3/vhdIRUhutV609Lreqt3gloKI6qawdFtiJ46yMmtk+bleqOY4iC18yT0oEqLlCcYSBRfru3qCGUhsWQFD28+2CCH7zs6y6f2oAUnZlvVCDIajDMexcvhEu0KzbZ9h1E8BpT9ADztEiyA3jyjLRwz3AsLXi3ppH/iOW0eW3ED3sBoGxAMd73QbB0xaUeAWsWxQYArRsgKfTcxySfziIqclT7lRcMf4mYxUeQzU63OAHLJvZrlaDglL7iQ/c+A7t6GYgeaGb/TW6itkOeQeW8+XooKg/LZNp91OHuxfXTR7uLIS0NDhpPFGUjFAm9xNSqWi8/4PdFLKT4EpXwSiEIWxv5qysB9Rp+4bRK9OUZrpHutbIPIi9YlbeypSJEy4wszNN8OaKDOeuyQJ7q9xqq8gkKsyp4fu3ftb9G4L/O13aU7gr5jyHZ2wq0/G9XewOSVXeEPZpFR4i2A7wu9ddk5EcczP+ttHGlUb4PSp4XxKOLGdelBXq89Ffi9U5FHHJ0PZ7p/cJAS+6H39SDJZD2EM+QT/k415MUKNZ2YrpV9q3NrLyTOeHVO8YutEHRMXwDFAI5TAnPCKDOkc+5CsO2RXLyEpbqR+sQBnjeQBnGdYo/Wu+1m4SIZH8EISAaOV84S4GVudbYD5Cy5b2coFXZ88jLSzKdOxYiew6JJlUIS9DbrQVNJ/GYus0VB4otbqcPiiGoEiCdQK4UjXO2P2CZ0EzMFSQmRcaR4H71SNKIOsTTD19f6Lx/dSHcuArGGZWBp2fN3284IdjTmDbtwYiUCYJAm2a69TzHAurBwuWrFvZi7ZbkO7vou5sPwk/7fYGC6hlpB6Mgp+bVjW5M23hDwCoThOp0MmHhJZ8J8dbJUki8VeYgda+nSK8BkV0xZs560cK71t8=,iv:IQmdLj/mTli+estpVZRtKVE6CiubcOrMSHklfliaOpA=,tag:LTH6wBKOwOd8Xs/GLjgNGg==,type:str]",
+							"headscale_ui_api_key": "ENC[AES256_GCM,data:lJox7xrWxvMi0v/zgknOS5xgmR20hbPDvTxJ1U80qJgrnCaC+RJsfqtP5jdrvWod28ARQWdpEE9GWIQcX0snfQ==,iv:Fx5O3PqYncDJSt9k5coj6/opAHUI9313fWl+Tp6CLlY=,tag:e54eZBvpReOdyLJcyxKbxQ==,type:str]",
+							"headscale_ui_cookie_secret": "ENC[AES256_GCM,data:G+EL6Y1M8wCllfxTyOtJFaStNP0xIoVcSkPyUOwhKAFqR1oefmHY8EcxAbjeNKloP62qPzsvt3dZDYEDgEjV4Q==,iv:z7vzJTXzZ+rlP+Vg/Jc096bCq5p2Huwp2nRgMghhOhA=,tag:v1KXMAJ0q7LGFx84/fqKJA==,type:str]",
+							"homepage_credentials": "ENC[AES256_GCM,data:zxmvz+adk3eFQ2vwS3LhmX+aLK53B5Un/IxGqGAcGtx6mWUfarhl/JwcxvmAzrUN7V9Cq20cxdM8AO45S5YptqP26sWY0sLRrGTSDhLfxOa4RrFrUCABfzM77XAhbUb6jBldgWkk+RU8bRWeja/DOJV7F8vCaGOEofdIs0cIJRN57Tc9Yczk7MTlcv6wwJSinPllqvg2apbjk2VHA/DRysnXqP9fKpdaCMw0gU7QAYfxlk4osREIX/AJKUxFTaQKpM5HFJ/eK3otPXPYT3o6m+aViZKyoV6P3fGjzh+NCI/5ed6M7BMIv5DnE3L1apjLwjaUxj/d7rjT1obcDLvUj3NXK5Rw2xEUt0bBKQ94FG/F1kI2YAmB1mC6NWkY00g1T6htb63zNJN0g2IkD+S3CE63yaSBGdIPLBy4vD+NOCbBhwxkY+xZmudpVT/IHZjhkOyDO8K6m07aDGNDteSArUd4nezVxRCFqDuoF+A9c3U69cmXasJfD8WLZWzuD9ffohRIoSRDziCjPJ63aT5C9yVkrEJAvk9Bfit+eat5jZaQIRFf0602GG6bsl3qBlvbjiWDlKDVIwAPhG/mLF9g+w7c3saTC760OfYzQ9OARKhwldVo0p9vJ29X2q5GxakZVNhfknW0TltTl0poxZPytyqi6xlK5HZ+q7LB549DbNRuFMAPAV70UjccJ77xsFKsISWBGZhTIXq1ff6fSMsr0BgAASnwqWqWvnEyHayTVnUfGFxZ+tc70ZvRNK1cqt6GPajr5H3p8hYoF10lfBlvHXxs0ML+rQceMxvYbGCnvIWUULlITia2iahaEXntie9j4quZlbtOw1C23gSDhdGLB0/Xwehf7O9LZZ6ZAtcot0fmAKALHvWEPFB7adC/q7mIJCGyz1knzsPMAgLY9044DmghxEml5jl2FCcSJ6u3rLaE5Ns8kwBc2w4BxcAZ4achkk0HGyh7S2VclhOdyh8BIf2kInn0avy2ko/5wFbqKEigyb1pI5XJzFqCJmADddoIDX2XoQKNviIGqjrKa2rss5rTlgQj/F7wA4nWh0hnWQcJQYqaMViOJsx3h9lGhZHJEZgIXXjO+5EvDBITFRrhS6tt8L1r7E1IoVdEm/qWIptuova0Xx5wlbSFbXOa54yVjCE0wzxBUfMAWhqLikyHEmfA8Tysf+seWOKcgl4c/L3HCcGcaUkQjpS2N+cXrEVfhgzqZ00818n7rG9d/2D+RIQdPE9eLn7wantHoY+GtJlr7Mnyhk/qeExtptXw/MQpLo7DYw0MGhgsLN9zGcul5r6K18CgoeVXzG5gGGHYGzkYkzmfzE/qQcdFaC278xbMGbJaaSWYYO+DgFzxbxtCi8MhSGBiZMVLYeIdCfI1/y5mJt5AFUGkbhyEIBE5y+Lkgb+QlyVtfziODwyvkxCIkG03Gni2zpMuE+mzpy8+HGAlZrNck6Lge9acLXCNbhR/UPDGvne8iOaBcy+Owj9tTKrnT+E37MzSbUT0+hnOTceNStkFzoPc+SkxMIYnt+4oX1Kkbv5QrOB+MhlUTByf9SRX83G2Q+STT3cK0b+gcM6vueSRngnfNSewedQJjyft8zCOkC1jhQol6f7aBL/rVNRuTZIHnJvcyWTPyOe/9lhormOEDPLnihDHv6lMwTY5ihGbZ5BJgECdbECL0D++HkxugzYDYOA62zA9viqjM/toZCPITDsS27jG62P+DREb6pXD5TkJTCPwbc6jQkmSsGfcLK/w+7IdRPCnGRnIFN/GwQucpwF6gEofB39JExg7NQACW3uF4fKZp6kF+lisBQh5rZLXT1ksBhdBRRtGhWt50hWDj6o0JwKz51THuM84lqkZUY/1gNVLRq8c6fwFi/WTkhwTj+x+bbRwJ8qFEsb7dvIQ9+LMi/JhD0oUTgbk3bIfbo7+YBrqDahX2RUjnguO87xvRBKiETaysuNt/d6K1cBYba+BY8yL1imKHXt8i4ft2Hc5EKvUGLWG3lbIfHC14pTd9r1yqhK9fR7hb43GLY7Ulfdc8FwUIceSGqqA0CBnp2k5NAIpND/+4wFIn+w5XqbHcx2P4THC1rRtc/0kCyNDt3hfi8vVAdhv2tGu2F++C3aPiE7xToqBIK5t7OZNk8K/TvMWfkksLsmWvO3jekWNAankRhKe1cPyQRGsupfF+RksRUSIz5LK8oh3BA7lVu6/eQjrID52jVjxsvwcHW4v7EZ4yjAmEGJOpfE+r2HQH0zt3cyBuJ+DneJPYQDMhTiu8eutSG1Obm+f9Xl5p2W53Q4KeDNISqsAcKT6BKFdKf64kKKG9ab8ZanBzphDNPPQmtRTMoyp29sT8UMG6wPW/ci7bb32qp/Q27gvgXc2lOShRq5KqLvkn0u+DZedLu0vcQ9Elp5qhztPMEP8A5gNQm0vqnD3FWbUpyrI3L2dN8X2jYp4nrV3aiO+SsgpHU+eWKLGmm+dpSeqG5ftCwvshYd1ybYu2Do1S0Rgjnq5b66hUuLSqBPIjw36tYJXp31xm3vvC3T2E3r6muaX1OHc/bBk0cLwtB3ox3TXO2pEr6pSLdtK1dJ3sYmFqZhVESB2DZeXOh9G9DX8zHTcVK/ZBKjOAZkC8pERnyS6wYUb0l+3ic70OcrGr6evLNq1GkL5UWxPIDTYqG/nGtyNIjOhGloE95Uce7JY1vTCAxpemWfOdaMoTRgozV/FiPN9ZYh/2VwRcR9qkWPF2YPZjtkXVepb4W8DgDy/Chz4Y/g=,iv:LNaxrFPhRXXd4xGfsRAgmz5BYqpySTSOL9twu74PF8E=,tag:xnbgOigEa+BkaC4J8WImFA==,type:str]",
+							"ingress_crowdsec_api_key": "ENC[AES256_GCM,data:O8FfWzwaEOSYw+iou2o7m1JMQ0mlxMQkDchJhhxl/oUgfXYN8hoP9GVyng==,iv:td0B2xl5QE0NpzPUwCdET1/GXpsmnvbzh3WLAEYka/Q=,tag:E2IKiMr4rwCpj0FfEt5rFg==,type:str]",
+							"k8s_users": "ENC[AES256_GCM,data:KyKUZ3rx7xjHDwt4/zOUYuVxSslbyj4kltxjt1P+LEiqPvjsQVqUQ9s9aqp2M+RqWxDIS3GxCDnpr9GcXQCEOJUWrRQ/+WuM4r8DKvl0SqWotmEbUUozr6IXyGVqEurr165iUGLtdZ/mTuybgJeWR05eRJK19foejYiui7RgaNS32gwCzRovn/CWFS9mywW34a1Sw/ti5pdMpG0PT5KtClFLJELCN+4kMzloXCiYAZecU4WZgePLQQb55Jeb66w/n0cKDRsP/mxa3wfvpWshm0yGfWCO5Q10+bJT8xPBUmUoThMMVosDXszJXr9mbmxp/yaWBkILwXr50ptO7rr75qHaHXymmjLxg3QqVCb5HMtFhrVvS9vjUcMTFEBhLnBd6j/1v1TwLdVvFbfFUIHYRfAc7u3GMxAP8ryboyCYPL5LOmwdLvogxOHAwy4wsLAOKjzLqth+FlhR/n/o4TswLWP/286e5VVyIKRl9IYSK3NpuHxQqi8FfiOyhqHTLBEL7W3ka0YsxY7WTUCYrBuP8dkMN9doqDokTk9PKxPZETvjKAr1PyN+gX/G,iv:PmHM6PGPYTqYUHCSHajfqYhf26uUAwVVeTuv/JQBzNo=,tag:AulfDb+8X7aTuPzuwh2VpA==,type:str]",
+							"kvsync_bouncer_key": "ENC[AES256_GCM,data:W9zy8cBzADhAdVYbLwEtXpHrwzyfg/Ug7gjSc27iVU9Mcyq3fYr8EOg2Hd+SggsxuBBALyfLq127akI6OFWzrg==,iv:lRdwU9HjvFUGO52jznsbKGe/tZpfl/u5a5VfTRvBDBs=,tag:MBPiiWaMLA6bLyqUbunNUA==,type:str]",
+							"mailserver_accounts": "ENC[AES256_GCM,data:bNIEY+swlMHoDC72lpVPv2L+KWm8PpkwOXYa+W2Ysrd09u/3gf0Ec/jpgZxYffaUefJ9SjyuW49sEmBQOik2OdvIEhSbHxavFCbeD84OZAEYlyI0KMTVGlIBCZFgwpZcT4ZweYIsanYXkWnekr2qOvJcxjZRzssTFn5C7To7Jf1Ny2HvaczLCCI3G3+DDpLYtu61cv7sqGCFDdKjWZ/A0KIWQhfcTgPIWGIq9PwmWbzxnDpJgMMZY4RGrva/juJlS4LC+oJnvUcpdSCiU3sKBj85hMqkquRgCQDY6PPGvM1dJiyo2e83xJVu48ydurhO0zzsrepCpo/lziQCDl7H8UQzgmIMSmlCFTKPLSJAp92DxOMPHS74L9gojPLO1WD12tHlMwaHyg8nttJPRoJJKyEzaYzfKmrGYuC+IydtDrWiU5Ivx7tsaVnWeF/LZaCATrfnstoRRa3/QceC4PMrZOpA4waNco0gNDovmz4tHF9YsXzPOxD0jX3J6v1wkKtgcSZ8zWd6U/1/Tabff381X3CKSqKpJp1zg3NX8FoxWr8Xu03va6ZdhjqVC6L86D9hPbGGNR30qN1Se58ktn+cdnZBUNtRw2jaJAunI+LI1mM04RfDAEXCTleaWYieDmfmbsfpI5MtQI0GhoTIzLgcDUWk9me49dyNOW/g2N0x/I/B2QV8bhqi6Y9xODHCQi5xGCX5GwVuxSYKzqBTFZFy3cobG6L+F7aPIDdiILvfeA2wJL/Vlix7+DMBK6yDE/pZlfX9J7jFoxmN1ZwruJ+j3pjzLdBjXyGHi7R9aGqdnNXn2rLOktii7uVMRHpPGTdeAstOTq/wBUSb6oqFJYlhOqfMhSMbpKF9LOX4P6/BVcGf3vqdN1KbLVSr6B4+8Hnqh6rK7+6sSjb2XSkbngFl4fBzRumFps6hDsVsx1fh3AFN4qhgWNwUef7C5rp6pz41410NRWyIq8iXB+lzegA8MCFwL08+Z8sA+RuNDoUgrx0KrV+bMVgd94vn1XhwM61+25+z,iv:0Y0mk9BUxFaRyzHR7IYzKPLUvNFMsn53CVyhjpfY1Xk=,tag:kTN9bRg+Lg+567DJgFQdtw==,type:str]",
+							"mailserver_aliases": "ENC[AES256_GCM,data:qFVAgd+MjexYKVjErdFEW9ooMu2C4fIhVetqc0q0d5SjNgTicQrc/ITmFyhTv6F9y43FSgZCnz+Chweeiq15FQp+Qlih114c935OYVGLa8M5IoxDjJGA2nn2uEH9Zvuy3HaWWqURgfiFOwVDIlKwsfqcXyJtPKtU8Tweu2OHwM74dH1epDd5HeQ9xK8KjH159m0/FvryZ1LCiEAK4mnd7ASE7BXGfRr10YaBbW33NfIJZASztzk9MtkrE+rBhvv10Tp757MucEJ8UCXco/pKHGUjXRK8CCXT2DghVlgzpEI5BjnsaWGXG0S8wIQ13COxjhg+IHZj384ZMwEPrMSf5scrfXUZxxvA8Gp01kavf5OtTJxOJi81SKxvRp8daxFWsJX9ffvnKE5YcUiFRwmYJbyfDUYG6atzWf0tXpBnZ8slObcGUyzzALb7YXNSTynTSmT/0XVooRkvOUXAXMVdFk1ek1Bs/2/YAfBdAaC8VnX1e2YV/a3y4U5GLcuxAOl6gt85zDxZHAGJXzb9vY7G3b7GcradxdOKwHJZA9iyj4pR1JOYtna8BkSVKGqFruqMbUfolo0qU445JZhaCD6u/7c2qEMs,iv:TWIhJoMdyTkz8X2+nbGF4KusUaRiPxfxVLn3/t3sjlw=,tag:yPwF0fwj1uDMs5lcz8U19w==,type:str]",
+							"mailserver_opendkim_key": "ENC[AES256_GCM,data:j5TDgDUdjHpAHqMxB2RDB/unEZid+zFMmi5oxE2bsBJb5wcNqcXx/ITFbpNjxqC0VUMuivqQyZ2mMiD1WIN4rcP0b/okZzMJtd2aUHv43iSu8QfQ07M46bvqDZOXjK33bVGq+ba5IFlehihBYfzE5pN18dfkZO5LS9MUJuyJ/TZ/woXlVI6WlM8ODCNonWu/zRmMIhUG5eDozg1VLlVxF7evk9c8IY8Sdo0VcV3KAUQ8wtvflS/WQmX6xQtzfuB8O4ELwMdyHLgi+C6ArsAJEpume0vGvg/3V/dt2+mHGXvLF1fopEoFa9gxGVlFZEfbSM2sBUswn02mjPDKwX+4mswjp/1DZLaVQubkhbv3MJiPoA5k1NStoG2CDtaYTmA2woL+831mjh2yTf/buWrpxsHOEDtrd7HT0dj7VSUy8DdXCVnNzjKQHzMv/KHF+d+22Gv1lWVVgAXWM90xhRvzTOQJKnhI5gf3o2U/dzyJGjg0Eb0NXflpYNxJLRpASfNtphlMaWzwedvMAU0eNgsLQ5V64RsB//+G+0ucqF7dFh8gDA1ArZQkGOMdeDvqgaH389g35KjJE9dBsn0Aw9GzfX4XRYitA54Zfcefi8vKEutKtNbk4ySbB6k9dWSrMilxyWIPPLPLiEixs80PHo3GQ6wCnkAq6tylqUplbxaUpqMMYKimMUfjK8D3b1wQ3XWqQU9ORLlDNfb+GrZBmvQSdHqn5gnuVHkVsHdjqB1NoC24CgI0omEJV9M83evhwMjeFluFKjmk+optYWk4iNKHzJ+kJ8klKiCdFrNV2v49lP55wusSeenoKJ+gCNmf/5DVaYcWK04KEmw9tyEpZ/l0UWYZ8+XN1Vvf0FH5D1wHv3b7yRoRpFa/dr+Tjdo3qXbSxXOeTlPuhMxmhewhOV9xKf2TtNq21fjc1WnDkNiObAUSnozNlaB5RL1nF8E8R09NNh7+5Rty99zjF2vDQ43NXqqt59dbaRJIYEfRsxiIKRvoLcsYWGQru+H669SjJ6DpGHZYB0AXh8BsLsyk7/uj4pLPUFwhAQ57XWZpDnr9+Q8evVT44+Ec0nyKfbSjFCACRgwML+7aRtjJVGv5EWJlhU0C9bVgfII7EJwzKxvWgl9BJ+hur78MXfVJT4g06XQ5DB+yFqdxHT+tKgIeLXE1uBOfAbl5DBl83fB0agPV8zwzHn2We2nsynYFMoIL0q+s9GwYDNK+lWgSJsuVipTj0s5pT7YwCy/UEXyu10dfv4Ki56INKYaAQF2nXmtLifgpIN9dOseytLky1xSVw/X6+Vb2UCqSGck0tnsQTPaF8V4GASDOcHEp2y2/b55OhkzolxS93ntIdGhxj9lcM+mIoUaY2rvO8wfR4dumK0CKa6hDGYbRFQQ7kCQRULvJ1vSrz4Z4pR7bIrMmDp8aOAHl+5tG9EhR2jCxFyuBqrE1AVwc9ImFllz523winWu0X15h7nW/91LCzb4UUIKtjkv82NL2YKpuq32URG7LOvXZONMOTvttJke0LoY8x3oMVdwRjdqoD/5SXGoy62cS7YIS7+C3Yau6gRezhOZG0CxCpgUwB6YRl0d7y0a07t6jS2ztt7spSKTOqI/lOCWVVonHfpqDK+Pl6yaDvuy7VuIi1sOr9vJfm6nCnsC/DOAyOsdFw25cA534OOWaFRH3odshWNm/sLfatb4GIjwjLAN2+pJd2BZiH3AzT0tHHu8Zec/mHZrFXY4vhbHh4De1O48w0jbtvg2Y9ovL+jVs7azjU5B4c90MYLx/B81Luli9TymKTZlHntLMDzC2PMd8wKw+fZ/lSVmRjYeCjHiRNWTyM7S932K1GkF4zk71wpTSQ90vSIh8n2AcWb37I2eNDjRm51yegvrdIgEuiZgy4XgExb9/Ocl51nlwHLLSzvmPVGyDPDAFh81XGokmi3NrE0wlVhUgxlTq6E+yZDzBBTOyopMOgDp2CV2eDXNq9TFoLXBD5BDlsgnGreECNU6vd+9vp2TeIwmPW+WS7JIRPuJ51AfNwPv+hNcW/OUbhhO5olN+1XLfg0Z95xgNg0geX0b4vrriAUjjZ74SA/FYD+BkZabRuWHWwGpZu6gMcELSg5B8LKJmEhl5wZ+7rHr2nkMRC8GyLufgbpHviUap8iiZ9YPfp1Ky0DSaxiVvEl0TUiNgWQKn2bWv97bENCd06WYsGMyaHwoGiyovaKXhqbQhSD9uc15RHlkLwYTeLgxEfmem2qWI2pTR7cjaj9LEEJQuo++3VCSNjUvw2m0GLg==,iv:dkM124LJD46/NnxDPLMWdigHwL4fzSAmLVi3v6/rW8M=,tag:7zeGicCRZjBifTynO9KwJw==,type:str]",
+							"mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:dHkwP66VD167+rlY3ZM=,iv:RPUBQnYZH/oMBPUFhCGABWKsbL/HyEZBuWhQjBzfZZM=,tag:EbJoLk6DMuJmy5oXE/ReIg==,type:str]",
+							"mailserver_sasl_passwd": "ENC[AES256_GCM,data:4LzOVr4w5J3uPCC1BiJlaNBRx5ee8mwSmZTy9vDo5zuOsfY/7T322ix9fIZsuTRehsGYy8i7jdxdHbERqU43UCqOS25xXhmL8FXf64itgLx17dnQQOGL9ojRIDfuSVNGP9j97FL0PEiADK6uzEvChzHPiOnproz4OlOFLBUIUbzN1k4yGag5sNlvmT06UczZPJw=,iv:n1GZM8wNlBgEQa5uQgD/+Nw2JUuaRuz/zSuO44WWo84=,tag:eCtrzQBezQMXLW2PLFUQWw==,type:str]",
+							"monitoring_idrac_password": "ENC[AES256_GCM,data:6HUenXG6,iv:hXaojBpYLkl+JhxXXoSiyHgnnQxLWOOz18ZHUyObpPQ=,tag:iXoCf+ohI6pr6SY/KcJC8A==,type:str]",
+							"pve_password": "ENC[AES256_GCM,data:BKOcEt7o9XcO5csM9RxVClVArYfyurF6SNw3nw==,iv:K9AD4yAfucMKktIuu8mQKdY3YsgvMNY9kd25TS+ONwc=,tag:obPAsItwnguiF5ehJf1SBQ==,type:str]",
+							"technitium_db_password": "ENC[AES256_GCM,data:bJjw2MVwCsxZm3+zBg0=,iv:rLSwr8JA83xLIOtsuZw0zn9564snlnVIMgZee2MV5N8=,tag:GBcxKsyh/SJte+OyVubBMw==,type:str]",
+							"technitium_password": "ENC[AES256_GCM,data:qz8ffrZER77SVB+CahKHJprD9D3f7Bc=,iv:pClOwOcqICUsdWpp7BIiATyNkQw07AHX+tus5z4+zhM=,tag:m7FSmAR/Rj9KbgFOojOGpQ==,type:str]",
+							"technitium_username": "ENC[AES256_GCM,data:MSgO2oo=,iv:Ufg9zFncKI5uzV5ZLmzLQ85jZjPY3PDn/oVS8xRCfis=,tag:fyx6wNyCrswu4W/yV+aCOA==,type:str]",
+							"tiny_tuya_service_secret": "ENC[AES256_GCM,data:LposGhn+5KSygkrydCxDtL7tKKFDVA==,iv:pyTpv8UT+D1y5e6jdxLLX+F9QmqEGsD7J/eUYCpNHFU=,tag:SsGKDpN76pH9/Iod9h1MQQ==,type:str]",
+							"truenas_api_key": "ENC[AES256_GCM,data:iQ+spUP7OTOO78eKnHDAF8+82oPUmWOGfvwXecRimlwEsTH0TWunP7Q7sLmrQCgjsSUlb84phSztAr7au9crROBK,iv:pUDHE9wfopNTFGXUCACUuxMlu69ZpOpGkaAZu3Yw5jw=,tag:wP/EUKfXi1/UFPtruywPGg==,type:str]",
+							"truenas_ssh_private_key": "ENC[AES256_GCM,data:+4R5xmVYohiDqgRqedSKZXJzYiDn41Toh9dbmee/dIoUlb462zBfeiJvizi9P1B59+SjMMK2a8iBsSA1B6341/Zb28pYM5J7i+7V5CDzkAAeCkUbtkbQDiEQmYzzeY7c4GRxvKwKjyicgom6kwT9g9842lXbVK5cTPYL3qWirjc7kuCDiG1oFGRDicYVVN2Z09SYt8zLrGin9bUki591z6F8c0BGC7bhysrxZKRJOP82YsOPE9NvcsKXMbzGaxDZHh/bNezyxINqPTXu5REFjva8/CgO+lKiEuME6lzAg7AYeUkJlwVDTALv9/SSOSymVrnLjHhShL4yUIeNYnTlGWlEict2O1HFOB2OTUSPq+KXw3FnF9IffIDlnoGEpOYOcbbUgRFIHQuiKnRY6LhkLiiht5NE5x7NQPEFqbCxc1HgHk01UGibi9W9NXZAh+5h92/Xz79uUE8zEW0366K999AO+v2iGwxkTj+Wh5Mre9usInRzldxoR9Wb2HfDP5acktGjna7VyeBekV0772Dk8pKx2Jw/AGKt+7qB,iv:Db7fVrHc1WGUiVfapucH44eFfQwLAO/NLs25krwMecM=,tag:YGUifmwRY2jptuPsT/uW3w==,type:str]",
+							"vaultwarden_smtp_password": "ENC[AES256_GCM,data:bJrWwMl7dLVeVwFd2JCcMLjFYpg=,iv:BIutuTIjaS3QSg+mzmnybAyEujAvGlL7ync9cPrdGCo=,tag:pthKndr6fs9LURi8cSDpzA==,type:str]",
+							"webhook_handler_git_token": "ENC[AES256_GCM,data:7dL/TF2ue9hqUFmgaVl9W7UQ+QpNBV0FcaRgQA764MzlI4l0PVeN2Q==,iv:RS24z2G6XIUriSs5E7SEKf5M1kRXtUBtUfN3t81QUKA=,tag:cs5NiMntlS8VL+2VffH6oQ==,type:str]",
+							"webhook_handler_git_user": "ENC[AES256_GCM,data:F43GgNpQ2lBcG8f9,iv:/NpqOQ9tIZN1oUCDHycGB5fDAWlM3Y3Z8QZMttg2GJw=,tag:SK9RZ3Ww3HveGO4m2TFDjg==,type:str]",
+							"wireguard_firewall_sh": "ENC[AES256_GCM,data:fgfHVZ9k6A2G8rMmeIh2goS6N/1l/p4xJedJFBMT4TZ0Lno0Z7Nya6zFxbyIc9DXIygwGmPHXJqfKufhwZRsrjvjtMe1NMTU20xfZjkYHmDB4Vx5w9v2mu4KKaaQ1Pf5EQBRad605scEJVXp71SZE4/cCcZq1DYY3M5h71hpJC6pmL0o5AdqK8L48eJy8sud3YzzbJjYMG8PU7mEu6f81EtaENm0i/zPKpmFPmTsuuYldLr2I4EmHQrcDhn5ZwYUh0Hlefm9Gf+2jgl7ijA/h6MmUMLfM6RUv8v+Vk+2LxhPrmNrrz4bhSIKdKfZzdHRJUd4HtqPV0olLgTMV25eUxmNY5ISAcAC9IMwN5hcxOQZxjrjEKTfSNJuDa4tvjA+lUskc4N35VtuVCrXiGLmYgxpXTPX+hL3Wnjh0wXqxbDxBwFsW63j2Ztp51gT5/PAzb0Y3N+AL+PVdqOjYk2ceTjROOBP+In1B69EN2vCnpCqzsRf/K+OsMrAE+ltN8D/zAECv182IPL71d1769RAO33bmRhm8dAc8UKAPg==,iv:rjbZ/0zOuV3bYWPeV5/bKVNx+m+0R0NHrtpiXA1CG/8=,tag:ZibwXTE9SZULbleHZXxPVg==,type:str]",
+							"wireguard_wg_0_conf": "ENC[AES256_GCM,data:v3gP+Ryws+NYAXjg0i6to6n3s+DCp79xy39qxQA3u3rHoKnGlCAExiRiTo6uwQaZvKf4w9YiIrEXLPh9QMYgB1IMK0wJ98+V3kmEJyAbIRbJclNSod1gfuo8ocScCdZUkG6QpfqUimDOhi+dOug5tiF+gztHdO7sqfxuh0iBSBjE9Ww5kTl90PUu6RSYwHpsLMDwL6z0gYpTGptr8X7mv6/gl9q3sG/RQOPY5nviBqjSeVFas9iaRl0exCtL5NXeccBHCCT7r+qironGe9wCAm9xMu81yrd3zB8vz3fdPRYMAfLvNzsfGE9obpVSp0KW/HRBUEvDAPTTxD4k6GFbQFU1RdFq0dkBxmi/+roRG6Ri2XI7oMu9NpcKex2NS4t89LIuxab9ZTZudjgbFgHxZbhIuOfEIYhGHfNZXWfgxQxxvSgXM/+3ay5OWGs0RKiLXmWw1Xx3vouhKrPAWdFdPJue+RUEPJ71Ia91rffXiSq4zFRH851kfr+aIowAifbcR4XxTNr8MD4iY6cEzyZA3Jgp5hWFj69KqCseSBzOdRAvgW6p3ZVkx55K4EbPkCpfOUAczkOuO1R1ddAe+dD5VD3vRjn+iNVisMyTa2hcnhvzom2cD+s9XrhdsBse6wounPqJZkzQ4JTDuZxvCAWhDmPxWMAzcppJwezvh4V+m79Uw3EDTFeKVwEFduMvIOBL6iTG1AxTjPJyCf+cDoYAskHsA95nu7OYVDtIKp9+2Dr4zsOV8Bv1F5Dvr6My5shwAhyxt/IO2R1SamtiadnbKH/dUQckXfhsdQJLbKMuN8wWvJlb/35/GmUSiYwNhF1O8H0C7SUzNJIV4Hf169l1HB4yXPZtW8pIlM/3Zy8aseFeoPtc0FjZmQPB0xerY1Ow9hRs/PsW7XaeoBtyoUnDpCBuGeyn+8tJ35xPI2oZr2Fomf5wayU2fob0TQvTBX++G8xp4lD6CP+yWjly5Exj/7ARt0NdPbhWEm6EL015XoPas8A3mOux3/znYvo0BdS6XhrCE0o3ksBM/HPT9By1uQ1bSWC1Fc8dWhuLeLXwM0swvfMCnfiOcCXNhbBf6ZTtblFBlrOqgx9Bz/yiP5cPKBqPbOu/cFFXroz29bXRI7bC0sIuMHvZMvtSCEFrApnHawLAze3gHNXit9utWTJEzLpS+dINZ5WR/qkE6hbXOxFWYoSj49F6t0yXtpSil7nneSH2co5nQVuKUxAIcEy3ii4QieoAUKb1S+n1cc5Cl1PIgLC5zkDJc48bYix5R530LWbfOnK4z1rrokd6ypXSL13uExnzBmoUTZVLYUNcRoS9xXObneb+pnW5mpBVjWO+wuNWhEvVmf53w3W04xnlgPPqzEPcBiov4ZgKVrXmuEeFh0W6kpfgssCufUAlt3R+yIVWRgsL1WW4qwoH0mwqy1Zqqee4Cqj597HqsGy/6BsO016V2qMDISQ+dJA5ipdWq/fDOZYrYRXFX6vjZCoOHHsRIJWaNpPMbwOPxdYmGYSsIgS6lj11C8uqNnnKexoMpu5hRaaHJ/ncfGwvDkVdWU2wI6wJlhJ0pNkqTSzFbOEZ2wxr+TJFPWpo5DyiJk2D5dXaFGG+pgLf7RXfAM11URniZpDWRCKpIt0i6cbyN7NvxsM4Eur486v4MTWDKMDpj5gtR4PcZe4aXonYidjItJOYtjk7mIVb8U9DkEGcHZjXbV+pRzSr7mJAtgyIRbBt7iDI/BqkVVMIurZ/gOaCfTQERCBXjN+4sbQFN+nktWbhftiX4bUSRQtr5tQgITYIg5Jmve+xaEUzE/rgLydZq27h0av7HHVCqeJeKrWLOQzL6fPO/s2M/SP/Y6+TKoP2E6f832U/n2E66IVvLsXNlN6kKfrYWG8Jd0cVshh6KsSeGZ29/LkjckBGr/YZgj+SR7J5xHLQZlaZMPV33Wn9snD0KoH2rJU3QigFNbElsSV8ZjTSx3chsST6AREBIAV4AqnOQF3RjXPELXM5brwmxJ1YZCzZE2ucipptsxMyGtXxBc0v4sXNi7oEnKvQCrluOGDaw4yaGxmUddzrLmBiDtx5W9YT4lq4m9lXrFuc0lFcHo2OaKbxNgi7Z2WotKi3aBG0KTwN4+xxw2hE7UMcZU81U0G79mKVTW17SmXJH29eK0a1vX9XlRE5XxXCXahgbKpoA0aNMuT+MtXJtj12paeV7+w1WdD+6gjkXmSbde98Wjt6BDhUYLCIt4zM4JJOlG1N3JjirbQGfVFsGU2SqTfSzM+ORbrs30MsAORM20vvleY6s8L1duvvuzAPpZylyWgK5GRqp63x0xAhiZTqArxZdRmFFl2gH10F/Arkf1Co0gGUiYF+5Q6YW4TeflqI9Bn3LA1P+XAsp3TNvzyFnJWf7WK2rZbPQqOcMI7cc1oCJnzIcBmTYjSJ6su9gifwbU1dbllojgTkcn3RtY14IsQA9oGRCsjaS1Fn95GouEBWIfK9fQMgkC9vDyh6vRo0hXK9dc14C243ce5oESDpZsY7VvceHjQ3BVexyi4PiHtZUeZbQ8HWTLysJ2oNO2ZDfmFC3yZSQdWVUFUBlYf2gBxowN0l20bbJXgHE76CCy2UO5elyYv4P25VW7DtYpEGok84SOGPTcOaz86rN9kamSy/90AtwXBj0IEOErhnwiR0RnWDEulRLirVW/uQo/mvxcvPXY+VvKgb+mLirz8gXLNznlL4+47btKP4qIBn2LxG8KSBPlXsRYP9GBsWaVqm2edXiiw4mk6Za4JkTz2gKLg5S1OgAK4hvTJkMSvlObkxr6oVe3i9jCdwW9pDyV7/T0fKg7T69nLfnwKniy8jc/Moc7P8/hb5qgo5JM/A600NLJYNItrwaX61tfP/v2uumFIkus1UYWNfCENH6efEOBVYCrAuAtcAL6rTJ4RFO0qACLFXebSACS4g3oZR3Kn7TpA8OlzBSgVmDWjdUdc1NFBOlz4X55GfJ308+Rpb9E5m9zNsXSCu6joHDaiITmt15kCJDfJT7Wkb4et6nvYm3VXjuQu9DNQIvSHFqSSAFbWI0hQvlGRjIGA5oifXZ+wdEsaGYz1EKxFW62aWLWlTLjkRsYnoZFNRBwl5qduBwNSo/2ljPDhyLFN/0XuzxD80aOhwHSBCYZgNIqLnk9IWCIl47qxGBSeEffxLBnybC4LgzMUcnDZys1/gr3vgDOxwD6OqXZJe2LSWKpMcKR1tOluyzu9Kbh3kE2xIr4IxKTZx3Sl/fW7Rx1V6k/6CL5cIMTxmI7gXVp9jJ4mmPoS3/fvSwj664z90SiHMRwwcUxD7gRfN7Q/JfLWGeX/VDJ5X3pCw8kfPgXpcB0bkyM3Do/NLTUiMMEk5sXFVVJ0vf9jpgEgs05gX1AM2IrPep6u8J9fH4DT9cDTdwmdj9+VDY0O4K8taE6AbPeuBb5FH2N8uPItp/Bua299Q6v1a4Qxbdle6n/tjOCYkfA==,iv:oOXCxv7MTtCzMWmkGXaVUnuIshSfSs+iVhinK+eS0Nk=,tag:ijXNw/DraGly2eM89ndZMw==,type:str]",
+							"wireguard_wg_0_key": "ENC[AES256_GCM,data:JP97n8XH55hExSkGC8dV9KNxB148FuKO3JoFCFHnNh5usGOkQyokUyBtcug=,iv:Nxec/H9Nj6cfZPBPNNVkhMRtlpPZrTG+1mCAPX7mdHk=,tag:w+hFm3+LtFIjWRDjWr2cvg==,type:str]",
+							"xray_reality_clients": "ENC[AES256_GCM,data:Dj/XxPHnngdgv37R1ol4kzqxM0K3oLYO+URD2jGhOJDI3YTWJ10ATFkLfn/YKNU=,iv:IAn9YjyrhXy5N+Nf3DSaln3EZKR7pY0QtChs3i+bYHA=,tag:QKieUohE7HGoaUAyFUUZBA==,type:str]",
+							"xray_reality_private_key": "ENC[AES256_GCM,data:oCLPmRkXpBWOHhEimyjKJI2CH2mikoPPAJuqU1rfn2C40XBmnI2mFQLYcQ==,iv:NwMlduYQje96rDnPoH2BSAuiQHcbchUTk2kmDjOq0HQ=,tag:/0ZWmchWabMMbcq5Kzh6Gg==,type:str]",
+							"xray_reality_short_ids": "ENC[AES256_GCM,data:RCGXQ/dfSBn4JWeyHCQgXMUPHvcIFOyqc2Aw+RD8hJx7t9ULv1pfczdA2r6UfgARqozhIHPR+UuSksrUt+TDC5g=,iv:rfX3h9Nu444/mGwO2OEVvCtGTsnFUCbVw1I3gY1q/z4=,tag:nY3R3XVNL/bXst7H+J2HJA==,type:str]"
+						},
+						"data_json": "ENC[AES256_GCM,data:FdonAl61H0UccVit74+e/nKnDPgBiIveGkz4O6vXurkGJC6Pe6+x+i8VDKx+D8WIlDgJ4Pw6slTDzITC2fo3LMR6JhFmCCQcPZwx4/vZ4yHJhfOZTnZSN/bWklKy7U8H98tjhJxTzQ8Axz/I8iLeNHk3sWLbJYLFC9fW13PNUlBBAWNl9T9XIQ74QgwjG1nXiBI6ysAt6h9+JpZ8pZJJ19J0WgJM2ZPjXB2ug8IpaKCgAY4rekcebQam4XmOOTzGCjmV5QGQQRyT5wflz7p0mK0ABzRww6oWuMMHhPG6QkllYyhpNv+o+nNDIGOKbW68HV3fLBx3bMsIFel4ur4el2Wd5I2f/9OPRFPfqt427sGhw8C6BuycWFIB7E1Zf8Ps7rc6H6PXkKxPLIJpPwn/eQDipF87x8xOdSYVvHLNKaRt+8nS9EXcmv3B/jdchNl/Bv/nKHRjm0BK3mXKuB9+pQ8NOTT5OSXUmwH7G/sZxnmyHI7DJoOas8nZ6OSy34/SUw411w22+/ismIOgIoWclqCToPpJuSoiQx6jIGYBrevqv101TIIwBUEZqDFnMVLuGkDCurCwxxrBTPMahOl5lQ4iA6YRT+Zv7S98fmg9HgRwTtyYLzaKPWDRUo/yHBvreuhu1eFqoPZwsn7nTKX/je3g+sX984CVqnw3bNF8OxEIIFvvDvJxr/GRkTs4q+ZzRWYQWccuCeHBolnv3QZwAOzaeIxS7vFwYGKxqYHiPKyJsF8SN51UDtvpoINB0hUKc/ublLd2TjBpeF1HWOntNk5vr+IY8ucl5iWOq6bKj3+uxe0g5fqzENBVWpEIEh3CJLwyv/+58CjsbTWEi+HziLAjNwM7fgFzmYmLsN5QWU7bvm1OrNLMDCJBPhHkOyV+CE4Yxc7H3AXEEKJ6E9RQttpwKbzXr3X6tKVtCrwyHWiO8CRirJJuBJF52hbjypLvhYMO4JN/V+cLcvQ1BYhuWfVARa6MBBz/ck/Imgei6zQfmHdG6VHBGJIDuisNYLbr9EaeAzeTTF4wfTtRAcwzevINVnY6wHjakKpeElzbU4WGXGA4pDsXbLAEAoBFGIOhxZZE/I37NhZYjKtq0F5pAWT6Y16nCdImvHm3fd+x11OvzvgTIX2JV51THsSUgqaHv6Le7L97hyKhyASkz2h8GFbfImLZA6bVWJA0fi8rBKFg+QJjCv9GJ2kp1p9W2P18DiCa4p8zREEVfhCV3OK5tvswLi1EwHPeI6LmsfDckdeCCp/LX1QKnglPqMxJRO8mb2hQ+hr3ETNSTppeTSr1v6TxZ6blIk0iybWHpjhdS5FDUU9DKgwQZUOE8RO9dPqyPqmBN4La2+Zs8SX+jOg1i5En5R2dQW3M7ZpYSnIVAGW3l0JGAhVcZgTSNJYperAYgoC+GJLjNuhN6VGlfbx4CdCGE9g6xdf5kPwPCP7IY7MGdPnt98l3IwCbo/LMvBxnwNP3ue98yFhEM9A5NyLS6beCATDtoHMqsng9XqJWg5BajLqAIK4aws2Qsm7X29Z4n2yFNBoNe2is5ulX1ke/F8b0Qb7gCLvfU1VMT13rBsIbKVtxxHcCsTeeP2TWE5ATpdsNLZ5qv8Bvw/ZETk4Jf0VIUU/ZQRYNLDm/Ug5J2IJm+04AZmlgQ3YkAjInOt4Fk83F8uUYb7KHEvlVZL+oX+vpPGkZ5QLzR43TmODanf1Sq4Z2H/OnCceSnFxF+ogJ6bCLPepBTmyjLN35NeUWWqUo5oSVkaz5+fwzjws4mgzwDKB0dPaoAQCeiZUomTnakWtwjvbp6H6s+nKi7SE9DNhx9txEIrooPrVmrtvNOO0Bg57+yVrh3IpJv8UviGLMd7NesKWxlLwtnb4FvkTV+t5xB4m4mO7II4hV2qeS8MHDspa+XQ+0JHHlXLaeZuYhS4LHDivdECUJ/8pg8S4FdI5PWbRlzvK7IdC8d7BhcAu0RvgqSE0d1q8/K7+klenfsR6inRwAubTK3qIeA3q1mSmxjaQ4ieP5MA1kYDpTVK7uuXoTpA86eJoLnhqJDGa0oOJbqYnonSwLWdMYNUpyWKIRKYs/25A3lxKuDMC9WRoDTqKYp5PDMxmvj+4yJ9EBvQ3Nre465amgAz2FrI/osXzTB3B8UJ9nnqChamdF/+G9vn+Yl4hhDVilh0N45gE5qlYx0zWVBHolDM11PZdpqIaIKO9YKc/K+E/gE8vH93/rcSZvtFlcUbZaWpcszMrCwBUAhHjsiVdAHMsdwQttgJ0TbL+NgXZ5DlUaP1GbU0hmhrkz0TsK6mgejst83QkjdK+VnSWsTJ9to7eDofvZ79IAzfzuVELo4Zzz1iOepZOlrRSgjsazU4lzpnr++F2zrAmz4HIGZV6DaBZbB3+vyX/jxJ0InUWGrM6fSi6Hg7si/35QffwQlBmuJ1OUCgWzB6gkhhDWbEqaJRaSKWhELBA9pCiZds7RfLZzgHVWGtqNNgjtdjshoPvK5Ljz/jO/eqB8F8MUOOe+AxICuGKe5FNCHRbbqMW1vcX3DI6ZxQS5f6LUv/8ofecbhQHlB6psGiRVzLb9p17KVkvdn2uGz8kpV3pMP9XF3XsDnPDip3vs18iVKCVks7zoH8OeEgY7tnDhf6UHslWd5Y4Xdti70pxTSjoZ+gTAxk3H5V0wS+BvHoFaqc0YeJaWVUwrKdI/95ArEDJKnPhjiXeF7d9WLpc0+Ot4lCFRaMTPX+uRt4Npwnqh3jwoFDquTP4rX+e4p3RiH3V0M+NR9jiOVF4e1VRzdOKEbWC/5OnWjHKwP43pn04gE3y0xf+xVjtgtZhmR9CaHiC7OkyVF3mzFtVqNClih0gIx30oMIoV7wDEg2B3grMBMrJ3dNBIpsqqzwuCDbTqCg+L27CFt3Gqvesbk2m/lx3GWlkcmIQUPpjoepjz//5vdOLfszvHWPb9wr5e/4TImM5az+5ZuJfePjgLbRyAepgc5uHDe0RgKKHRAnwStASSbS9vpV7bbml6pwwlpfzAyA34tjgQmTaoVOZLJ2xZ+8Fb8mafFcXQFoTUiVPmaeofvaRP6oV71NqNMq3xfWcVL+4tj+57CV+rxdrXddS9021r1vO2hiW12pbsac9SQsTttIffEO8ywVPXthCRwWRfAUxpFDncSe+GBlvB+Iw5uKSZuxd3CsPhBl/VCYGUGOmItzXOJjUNeuWubv+uUjmsT1PZUTONx51IQr7A86IVIY/JlvzW89YavoIETZ46feSUxdQh1A4onMTHk/1gu3nViEUR5lO7FiCQLTGNEMuteGPyGrGwbj2d9tgtge66cmFzFzbWXe8sxH332kft70qAONckLrroRV6NXX0FXHy6s6Y9AMWDjAgCrmz+awpMcmoohbxiRQl05sKhQOvpOv8cjDZPMYNW1TnzMEjVtcY34M39EhC/iLcnSx1wdWIAQ8hbIk6jB6sIVBm8ozcSKvCqNjmoDK7JKcNcygJxeNSF4hA4cp/9XMLO7un5zrU91kSjmTA1iuG8iH5J4x6TT3b5brjFQ4EiHRogsEtL4ioeFfb53nsnresaPeehxtuWVvDhaDs2Q/C4VGHx+qq0GUdPX4hFsUqpDTtf6h3pxv8sAZZY9pot7b3U3nwwHx3inpis+CDfEBK9R3Gn8ahGYaTqyqEGUJRhu22XQHiqd3Q98dvwdhQeH/K+YqUtqyJk/8ReO2gyzO92+RMl4k0zErC+4yq26ECOUpzmTSlbM08fYPIRupRJxL5XDbI78Smevh12gJohTnOb2v8+oKTe+uzS6McMZZaxjPzfM59vfm6zR7DdrQc0J1VzyVgQ2ybFm1GnM5GEpekqv6/x0+3SPD2ud1OGehZoxcI2t+IdQP3JBz2pU4JQpW74BacGoBVoJ8DLRklCYaw/a3kH5orXvGRTq/kRKUrmFGYxWY5wzdsXVjJnNp+DU13VRdvMGip2POS2DX+h9pU/x5552+H6r4Px5EwTW72nT9JRP97bHOk8FemLV8E2uLyAe96aF0z9BZkvfBEeIWjv2x2p7N/i19PrU+EzX4E1QunmMzkEYlfAWBhpuf4GyzEHVSYYojkBnCBAJmHZAA7Du9hGSYp0mI5KHrS9d1cZlPnvKTRTBbCk+nnXFvyG1xbwSCUYlB+I3qyZIc8YEfnf6E5XqV06uMLWR4uvkP1GZSh+eyryBSObsrOEyzO1g3404mHPyz2gV3CoHtdQ9HnWngvb9sKKIZSe2yxudYc0uIpbnWFcgDNiA0lRkIRKETfMqapAI7ERwuTIW+8zmz4qa7ugAyDNIOgwVSPXnUF/vo/+bPOyz3M/4KLYkoDnPnqCEGGJs4Q3K0DEEhIO0gtXL6+XGEjffRHE4fMAi/1yMY4ikSn1a1toGJwObF6Y6DrmoYhAiHHXLvlxJfBPv7LK1mWqjPDijn+aJ2SUtu2SZ1hUbsHBq4ow8eHSot47yY9sCXfnR7fcLHhxcUtjpzTL/6NR+VUjtzrxatDsZvZBhGmyTJaV9t9EK1lZt11oBa6ZgYGj68vibsUKoZELQnoxcKFVnOk2mXjQcgNGCxh/o4QmuQImmOauAuJaKWhm9Pu6fZF/6Xu/sfrioUPMBtV2n220paT+x2Xvb66bbRMepTuwdxMZHK7fVkqgpE6Jr2K1AQrZkJiEfhuXPTPGho0uBH2vbJBicnD8Xf2hxxYz77mLAiy8RWgZvPlJGgATTnrrbLjPSAvKjt1yxDXA9nUwjYthaUYQYoWMA9jmOV4Pqte5L1luZxIPySGBv2aqf742mr3fL9UDjMWWyAnVt3SdNAgvDR+ITneWrrbBO58XQFQVCmgCW1E/lqVoGIA9cF9V9Agy2JHSm0aQVtAfdmhYyZIM797JpwfsqKtfV5WMLyjoMPp+O2vOM60Us9KVS2Sbr5f56OLERfTrBgURGncJO5uLARhdYqOFtjyW9JxtzCS6JIZOKKcg++nCls5qvZ2zCHt7b+1vPPGPOV59GLLDAH27Zwi1yqJdUzpWMPQb9Yk9JtWKpaesSxwmfcAxMonaY1ChMrkW8BfFpK026sxt0bMQZAh3HDq/Mqa+e5BEm5YD0rYzHGIEnRjgN1PVMBIsvPhcJ9PhR3JZKByiHlNZ3WZadLRgvM4LNdAUG1wV6g3Mc+VrEv6wHe18kw5wgfLUbVGgenRUC0cUOvc7Pw4Il+GME8JrBit17juGBfkGkCKr6+DZ7EyIJx6SGU9NVn2eaW8iW5U1eAzPOl3meC2JAhQOYGPfc0Mya+jl+UzrwtvUsDZLxFBmaZeeSKFd4Mc5ndwHensYaoMZhnSvSMo0niLev8EkgTx5bD/HVF7Q5GjgiRpVUxtS94edm1XHRZmftIXKMSIY1iRkXvKPUm3uMu4llqYk9dkr3O9x9ky5quis4fAl5RG0Y7PYaReZ/RpdqmgPkM59U7YgZayDtdZ22Wx5zt2ffnvalncpQhm0KumlMWGCZng56+g98Rxbd5o41UecRSxc1C8bA59CS5gTnN4EFOdWQayzoRs4lzZWNzE5AGsMUF1j5S6TBB0/jTPozF4jyKQFpPD6lHEAJCCna6hlNTWGv/REbm1D/fsHiyrPwItgL2K2vQOieSW4ERsn0p/l6VdCDj1GFcg72a7jUhOe0JHnibHbS/G4WO4nNOJziPCcB3MUZZPVTu/Pt+3eH0u0oMzBoDeIxNdcHMEkx1a3jNOQ5TpsXnOwvaMj4a0raRUAZmjG44aLd89VCnBIAYTWzWv7qAtypAVvVmUTlCnLMDVIYEisKlhfZK9C4fexiC1jyfLjljooR88jtN8JlScUG1M8Sp1CARHaZiENDOwkNjkutx3cmF/pPpPUp9Dc5MW9kR/tZBeRDQb2BCY71GngWZ6KxodhW42hdtXPz5AvIXRoPO/midUkdvHb0A/4PVfKJiasB6MK4yNFRcDtwPUeo56F+Nftqk15Zef84eKRBNB/JAPqEW4ch0sV2oMQawZ47lmBn3Q6MYcE6Yr0v6wDfpz8PrDejFcPpnsyJuNdWzs0gbwVFpF79y/WapCUH8bTPkTUjrvxnOxoGKvQcXYvvf2hOa3TOJClX1ULPKs8yaClGSSytKQNtNt6KiCL7hBVXPHReKIMrriWpWp3MIiNU51iFWxo/ZoqwXe3cFuiwCIvw7Bvj4aWJ+1wXlmcSmTwaMu04X4QUJUDKCslB9EfGU/ikohZD0E81m+f7colu5JSt2p/Ek1RxPjsgMvWLEF4J/uTTBhY7gek2kS3xIaaGr8AL0WApQ5oRiKdWsjb0XwzQOv+d+e55pTT7QrjrDR/CKDp+DLOp0Ufod85vxlF9x4B7jVy9hHbG+Ceoq6jhxU55dkn9Pc/yjm+aZvC60wZD3fiurrTfCdsZ8FVUNGT0gA6VqwL2xEaRdeXmZ+E2ddOZNW1ye7bNy6UTaDgv6JB8jRGj5qX1Y4iUMSXv7WLohUAnXwUefIGtPha82178Z27laoHaT4mFBmS0fhg7OAAWks5bM4fLXCsQiiMRtPUCexQ0YAKhTiv1JFWfh0XZxod/fGWUcUpSFqbUNC97v7c3iOSW21q/zpqpfog2FFDz1AQogc2AnW+xN0xu5x5mnHiFJHR3vfsYF8VGzcKSKLovL8/CsXOaOSO7Vhq3GRxmqIdRbdCx43GBBGAZRynhlJSo3OGvSzSeuXv4nmpYQG7GbtTFmSqWkflYauS2iYwDWyE26WGV2Fx6C6fGjN3szbuf5AM7fqeRmy4KKuqbd45Yvx92ny5o7Wzd+dwNFDFwv3/scpD5eTrQRIAYmntOvpXENcdShF0o9kNmOivPszM0BXdY6JSP7gV5kPRFuasH7MruezPAWAdxY9bzxLciZSTOCuQ8Bp75KYaSQLtjhQHhOo8c/hEvoEE3tU23jbZDJaYbcSipe1RwofhNdy+2C/VZlZPfkWjZCp+ZfAjSy+KSVSUnKoeMhWpX+ce5WzkS+8VE9Pk7SmwyGzD12EPXxD5183cnFntCxsQsWmejtKxNdYDDEMpARrujRA13rRvbJ+oWUPsxT+fCOoJ33PbKOxIFpXFhXSiZuWur90mDk3nckPJW0FoJWaptrbFo0TjQTPZknWFMhR9Ud8oWUJpGklme/0LHInn/qH0RgiuLxKvc62nTYkvkuGMWRnRRUrC8B7pciqukqKbP3Lw/+hIkbGw0rwbuolMLQo5+1JIqurepzrQf5D7m6IiRVHcGj8hu6xhsJMF6D7idXefQV2fOHmOEpPOKRYpYVftXa4mmhYsS+0HUpwd4yalrpXGnYrZOzQ+L9ZPFeSuDteuk/QPnDwmnQeGq0Ff/UpVRa9CM8idEhh2Ao4zuiwExmnT7ZaAdjgvhdMI0mT7pTZnQa4Y8jUDx0lnWXDcmyuxWv3X3O5LD7dh/JoFI0bfI/f4F+euiHK5F9RVFsCT6oNomP8MW3elzkA3FTJmbKbDhhRPOG4wQK4FiMaWHcdu32nJNKf4KZJfl4Cao0oXnhJZvAfsFUM33mxOOKrNHXrLxpNv3TX5rAgi0oMeCfywAUCrSw29OSVK5UWeV2BMMN9MGK3MTPWfSlICWeYVVpGt3yK0qybWh6dU1XwMe6/9s5yZz2kn67gl2jcSjIr73ncsMosrltEHBXq8jvNjmwwEZO/EJg/SncQOrlhSTIg+W5vi2yQhkt6gwNv9FVCqqEIMT9bbu377IzB/yfshFzuK36xSzHIyDeEumOe6zeNlVcAEQSHmPH7QlLU+LZyDfYDKclV8Bs4QEuVfoyYVe9wK8tBKQfjGCurHkG+db0zW/vGSUs+JYGdmNRrtR1uVmUKkuhTHsF9W1OAFaPnUYzjsYimR9OXrR1DgI4i8vSE6zVpb+wPAAIJunWd5mIcSGPQ5IhHD6Lc/ugf7jeGCK32w0BQIsgGOIHHxjBfHZSwpf+pnZBsHIzFSfqNojLEZqYNzxCvh46ILGoYpfDy34HmUUS04dzs/sl8WBjRPZcaWAKikcnnHVPTTZPjkgJcGQ1hGW2XQ/U++7A9snoRfaX/I+av8VvjSwX4ZqADV0U5/wFxY0D4os3BDkURrUOfciqqWe9dOSSZ3s1ESNxcOkgaqRrXc2XMe6zIIh6y82WbVYX8A3AHkTn4kdajNizGVzb/2AqVh1os2kAk0EU92EKanyx1E91HABpFl7h92BsT1fUU4HM0YpR7Y2QsEM048fS7Jf2fkUQo/P072tO7HOjJ/u4QgHro+eJuGqDlro0Iy4LCXpgqMBKs8Cd4AUcrEoNo0a0YpdH9nnWoEPrPgMPQ8UJ75z2p7ZUEsr8jhKMLjWBM4UlqBztyjKVXhsPOgMP0M6Sy9mgv9Xo+hrlf/hGi7Jstz+0LzQyTpoMrje3BlpeH4omJj54Qh5gUy+MSPldp6/Mp8eFR4eR8AROtSsngGTkeDdZc6OWyNGjV1r2BN4k+D7SOYLyag05GdRSvxMO37xOtijA2iUkWBuIXVZBlU6VjuwQ62W+8rkjwa4CPGVPqNRjmEaFrC7RSSLplWSKfuvVq6UX4o3xc9Yc5wSkXoSZA10ohxNzKMx1eh/OgGJDktqWnpJvBdcMJdWkk34ofAAsjpseJvXLJC1L8aOhxd+4g8gTJLSshzSkSEEOs9qs0CgRU4Jz/kj2jRdIkuDg9V4ZyAsi8zkjDFLJmnBiFcdCZBrdmc3wCatWo9b5YTDiXRsjvbaZXcc7hjQX5pm0dexWoQP5nX6cgBdICPprk7TafsxhwOru7WzuGyPDsOF7w2JcPiOCLaac3f7d4zyIWk/ZIU2uS3vSDNnpKearT+4rRB+8ND4cSQNURo3Moe+PNcEski7DkunccSceVz+SdaRRnCyTY2N/LcTZDXYppek8xQMR+SXOpVjtETxw2zPeUnqhsxcdS/X8n0uD2mR+RrE2DpRxZHY4gZLt9bIxndtthATi8ZHa0W9mC/BHz1flfV/VrfkPqPmuJ16RzDt1QG/y3BBmwaYeROJVgnEeVQbSeHtqAv2I0oOCE1YyrE2P6L0vvMAgT1Uyrm5/nfwRtOAirC6o4Jt+NJQV2Wt7ORh/8eHiWapaAAFgQMRvbQZYskg60OAGTrf3V1aEtHY3TD0xj2SWI9FDTur9ZQqktns/k6DKQlSEZX1mPOOpz/EMa5wKZN5VbTXBkOZVSMG66bXEqpEnl4grDDojO/C4tyFP2TrwRx/umahdxGsagRYuUttAog3kGo+E2RB+Yak85Ht7vs+zul3M6ycTK6XD0djgZyicGKVB6ExXMCoXpalgUnM7klMr17/C1nOOM2jVncHBqcEwwoqKZj3RwS1SYp5mF5uIOuOkPoE5HuyOQVcTPuqowtvUWftgk9lThjuzWX3LPiAxq94MowVqXVfhp/Rcvln/2+bgJJwpQA2AUTjqiBrJZ9yw/nWOAoZaINkowV//sEYWaD3JrDq2CoVN4vVeiYgXvCyrbNOuVgtls080AGrB3lr55IwHkoUwBrVC5XP2rz7UwwYgeTeN0tLl6snOBNYEVS+0DH53VmHjE2n9JBzeNcffpacQkZqvM1B5xKsmFl+k8Pjf5i27hrWAe68gaz60iDhLPWnhimF4FJ6y7Cp+CAV9R+vCQU+xREjFAsqECdE35tX0+FKfkFlxZoeUGveNKS9zQGzHXvOu3A5IYCZTaoo/+1MKUnF7nyAf47NOAbak0ZNNJa1rJLc24vS64Q4+1Zn56Og95Hyh7bUtpZGBjfGAxLR47t5gOQ6HHKQSftsjwBeu2NckJ8c2OrTmgueWNZ+y+v0CYxL6DU13KpcPVPj7e2jIyWPbHKZVXIOiQ9+d2yH554XaojFZHnPJF3A6PgWYdEQitXWvXXh5w5dLa8k4iopb0PBBiZ3+I/DvCXTJ9YxUF8Gs6+vI2dRqmSaTK51lthF5rc36SLeZCkMXL02DGCL35s+goewA2jvX05IZonS5i3BNsI2XDA4q4g3MrlNQSudvx32iuSLCYL7v3eyCO/xOo1SKKGjTp5sODXNP1Nb3iME14DtAM4ukCS4EF4TWOPEsBQbn64hQ5XtgSS+KH7p6COzV6tDI87Spo9Xi4EPVjERf1Om9TSJ3YadeMgT47hET9hiKbubJYnLIMrcr2DmOVK1LF1T4et66q79ZF91uW3DRWgUnqgKUB6LUrmyEUbtubWMyE23IoajJR0n4Gcfdc3XeMtk3XM7gbc5T3AFG/abh724lm2xWrkj0C4K34I2MLl3qJPZcB++xsaAQcwz8YT3U/882EfjBNA33dnzgu7fbjChu7IxwZkvz+ptCK/h/XGRMuGM6qB0jf382zDKEqR9S6mAyg+GmYEQNFCdDG1gNhse+/zvcoFAq7Teor68hd++SRJiP16IG0MLM3s4OvF4/LpisSFUJGWDnk4MYiZgaNAm4RQiM7AJMZQ7c59Bm6FSLR2BdXiWyihBWbJ5PpeyvC1U8CXPcPSEnWTTWpq8/nrJ+DUGAkSjii6Wfggq+VMMIUfEwDpCtyI6pHduLn1LddqmC/hISpOavvV3X2GjEJEH2NZAsEZeZxgIwEJD1lcEWTn6KOI/r4zNmQcoRJSkVLHFqYeLCc8qp3Ih9kHeFQhCDcP91f81/F+Qxc+KXIAJ2dhsv9H1fXwWk5w7RQoFbshvxNfKBfdSh1Z+Xz7p62uhURBMWAni4y/UqyvLKEa8BW6Wqf1LplM0ofYQjsjY456B/O7WXF4UqG4raukpfZUHAcnQJEqwvZqZtUS3RMovAmu/yCNPH9K5ElS5J/Rj5YocY/mpEWPFMlCViHbuwGTBj98wIDOqSDRTS7PHTDEcLtOrDcLWBDpa83qp8vHAmK/U7vURtli39STVuITvdL2bPndfKEvoAkMrrN2kmweCojE9zXi6lKV+CcQ07PQKH4OL+qP+BCX6C0PFpgsXHs12psjqVfpvM+9nlbS1rucbTNYwjqtVfQnS/diQpp3rxwzch8h8lnStxxAC7pCBxVvulcVB+laCjoK5RY0H0IrsgpGyJfIICkCIiMflO9/ICLtrocB42vXdfFc95LZtjWXfHVVb40FeU/RwVzfPeocL6XUBQgrofmLpp+P+WdKzWedtwE1Re14YfFU7iIsi5kgI6B8SGlRp3MVNUbNiJWyZ0QrnE05Ip+lQ4K54ifqaEYvO8hAJnGtk3ygf8W+dtG9ORSxvG8fPjBF6dxZF6YUi/9HQNR5wfygdC/DzVKT1gexrHCyNYK4LO8wRfWMBXZK+j8bUOtd2awidGG7qgP4vQW9gVrYg2TlWH8hH8Vo2Ti9Zn1EsDthzlrzbtKar9lBqej+4Avzpx9YaYZYdfan13MqjVjWba0Jm2dNx+DwzvYejWNU+wpoQMM1llSUjczrmhdouWbASYNV+ludAqa3JjfToOI/U8rojTBa8EfqZo/IuPh3mIAES22tq4zCOLW+CRFARA/b1EVqiF4zqs4W5yIZ4vnWF/pPgehw4fZ4yHAS/1Iok3RTdRopZiiEk0wMYqmhAR+gjaV7GfiMtnOk0QB+IyUAQTfaFCxHGjIrqFEJ1sN+4fkChnMo7DR8felg2E7zv8VIHAAWhk06M5wZHhlD7lB2vhMY3TfqSToEkwFA9+Ecsi4oan04oc+M9Vt9fg1TLBauNV6r2eAi/9LZhKGGrLerm6ogYMf+cSvk1887Go+Odp9n5dKeeXJEcBZWUaKPotw7O/IlHF6RymOmPebIcoySl0tXhb+7ZLGnCLrr1InkkMbRiDOeaz1Uc0LrCTnLwiQsfIChSTlCr5kGQIZcxBozzbsZETJzhcqUzmte+rgnNw0vKMCXeRbcnCWKYKOBdxZkT0DN58j3qSxGMLH2gSBA2us3b8/xjt+HuUB78hg6yJpzc0JYOkhW0XrYy2hfmeWxSrr/HKBuLJLZxTyQ5CzFT94Fj4PlhRxKHe3VKtp15XipwaLnjFFxJLkQMcp0wJ7Sq+4jaXzfFSwgKtZ8lsJ3As3yuQZZ170/dixMaVBJx62ePTKlRXN1oj5l5LHzwrsDa8n9cvEZ0mSDnPh37cSTEppeierLNqt05jIiWlM+dzKw7ipsFEbkdqFLLVo4FsQAyfbwFuulbgriTSXT2UF8cBY5xl5WM2KcQoFHEOVJ7mvtB+Omxu0+VkQkmb6cnm3xpV0m2DNfwUAx2F7UiNO/uftEc6yTyxh01irc9IhI3yppM+QTFr8TZeayXqE1hiYAbCCGeqWwQ9i3iSlkSLsl1xe4vRpLZBAtiesEqtI+DExo1xh88L4Qvmw0DDdLq5z25su3C7/Ikh6QIUJ+QHjxfkIlRqMHtOcKxiwRMD36TD7n2IPK63iRXQgUpg6sZJIHPgohAh5mAevBac1u906wsDeg5vuhC9ig0txpWp2LPS6Gs8NPXKTTwxwBVEKgtWv8O+c5WM5rVGHiwn2+Jq3xkHcTkT3RCaY3R70NWWvf5LFA0/yr1tU0+h+kwWBTNHnST5sY927eMdQ9c2NdTnc5qE8Pl3KPV1S+8V6JNremjo2gas9+s9JEAmCxtuQvGupWsULp89w1VFPCFDXLnVy82Pjfc3Si5aml/Y1k7NPYoedZEPEHCJkZxTKwMWNn/UxeENe94iNTFDQfEqLoNhONRBBSV4WwGl6UcOBuTZ40ToBfLNr7paYHkmZpzSEiSSs2lPokiru8DBP6kTjDlN751sglHB789gCQpzft906E3S39l0vHU+wMn1lDzFeo75W23AXEDSkXvblX8cwtel/nwC4k7U9abTeP7hZisLTucb8aDJo+B699NR2mC33AtAhL0MlYpCCG4rrKAHv8jK56AJXNoLR3I2/+kwZwmNKKbeIWF5PMCn0pi3YZqMrVKq9CUoK/Uzws+/hCX/adm9IL5dUvlWNuzmEt70JadOG7rYtaFGJTMT3PNX1f6i2zE/bkheZcRytEcjeFkSxhwxJZmXmIFr3O1Z/I+tN+hINwZLWpdG9BDI5DxF7pf79TRBZFxt8/w4V4zG8uOqtxEEMJOk8+N5SxY9GT0Bp4VO7cZ6izOXKBHG+EUJHVyp5e+/vLbcKUzFXouGVnxjRJGnz8IUC0Sm7V7CSXrSi0Ng3IUB9M6ErppR7Hf9Xq118afSII4oOktQEQlyXE4S4l5IebWedRRL2N7lNrPz3e7TXMs+LxRwmbRX6ffEZ/zzMj+zNLHvkJ8F04dhKlzlPSNsKN5oW+x+Owi3MuKbmW++czMYvrM0ytxOJ1NMWBz1w4Sub8Metl4lDs9P167AbboJX8HUTArs1KUstao7x8OURpHd4Ik8fYra8OCz/R0D+V558HO9/4N8bztZ8LZ95DsThftct/hv7b286LlCp3RfpT61FMd7SddhGPtpXqkwDWp6VZ+1Ovz333QuSk+KrZ/rryXmbKLbI1GzdqcfPAUBeEr6sqIAeZ6UClTipsaFXVuAFd8R3plXr0YsS1uKrkudk6y2LchbIS5QETYDPg/9vfcle7hGNh5SHIDNGo0gK0vv7npmZvJ1IlSpCQ3ZYcpZYxlv+qjG7qvxDigwVqrLdAiER1kuwjXJ99dfdqheKZVqBs0cx/QY7TI0TbQusjQh17ZfAerB5Hc9B+vsGQhFAURHePcGMDeaFZvoxRET0K9oJagRAnCPDiKZ9l1qKeMasE1+DvzQJbbD4RSdYD22MSoedhOYIv4LXXeuT+tF04K6kuBBFg71iPJaxJ7jJMTFoAQoRBpNEoBXfXYMX0e7bEoF3eN1lR1XRprdjIAm9++OlOMZVRGRVmWE2swTPY6YdbyrY64V19cxTSGar7c3NB2WVhfW8TZcHiIktGwbQWiOaIWXEKbAHFjdyE1sWhHJNh8ZL+D1xer1lePBI3uA65fTO9xepwYEXrb0DysUZyegjjiIGwuHkzU4O6iiGm2hd4GOJXiR223NuwcI0EWdQuYw4nVhUa1Dv4n9aoJrTtZ7Nd1j6YBEUJVnRhRsNOm1X1KXtqGbjVgMmylK4YiiF2HcCVrYjn8d20eV3h0rsuKfWy/bXbM3BWu3m9X8S4NeU9WPTSB+ljdWeYHO7rjXIiOO59VC4c2KTFvNBYiuJqwQUvrlt9ZAKp+QyUokSnxW/xixugYIBhoqCsF73CvTlX1KDLz4+eyjWH3DS0Pcg7ndAzCzp+4uYK0EWsZgjY4yvHFIt+QZJIYNPwsb13uvzZm42NGkdTBSxG9lshfVRWwVVrM63ov/TTeNUXmNAWAuJrrecagX0WRucEs2v1HupeqiYNMxRs4QzSodZUdY1ZtPz759QG2B7ybb03ZwosOGWBWeA1fd3poXcV6T0mKfMxJ3MDaoIo71o/PKbrUksTUJeypO3sW6DYm8UFEamLolnMv+8+RxaPmKxU18CnhoUoV6grL8koFNGNra4Ig9ne7jGRv+bxU2qHXoXnm+tXnr55IqvHJlKkAbdErT5wSA0nhv6CvQc8bo8Qc1H0vKCkBuUrb2E0+LA3RgrMOLkM32Ijomb25nOEALagdszB8rEK2GHSJhX0VIqTqOR76nFpu85V5rDK2eryIJdNGagAF67iCXIjd2RracmqXZ/jVmrFrueIIMeV28q3sNe0dVlA5c3tYoivN7ihHTjbPvQQPa5+jlO/qwnVuMpxLzL3Ek1pbfQfCh7U04QvuaB8TOuvc2KkBMPuRZrfg7nl6kILwr2rvrdGUErGA3YGOGc18Peb0olaWd8o0O038PEORerxDBO6HpQ8Zr0Exh5slTBxU5eTLsA0xR2T1D6mw8CCTOBmgV+awQkuqAtIN1AcCPzkqmyNXg60jikIVAhCNHFXR8hz3g9v9NiJxw4f1oOOZyIYnff6w5SyLprjh3QbLC2KpVHj2zBcx2ugFWs9mIoMGCfFgkrgpQ5wJPwqDdO03bGrq4ZHpSsU+PkdnOdBUtiVQ/DmdTkhI1XRmQisI6wFINMTkVkjWju9gu0I+OsUB7PV2KLQZp9xNx6twyDSoQAgWd1ueYPZRF9Mpkb0nCSG406fByGbfAn3kcR5iF/UMTFTCNUvLms+iy9xCQ/iCoeNbKvd3wLkxO/8W9BSg+Q4lS9/IUpETwREQDpEgbEQRdkrtntk050Fd3K4U+fIra764MJnreLf+sAiadqLlDdTMvFkPqfxvKnJvb+3OcWU2ykkBwNyHvkufZCfdY5l+vOmZlw3fedT3g/qJV2srpBicmL63fBjZIkAJaWXqqfDzrhY5ETKISndUDRvC/yZAs5RpuHd7BRgj9XXuMwCBVTLEd9Ff/rc91RIfq8O2BV1EaoPDs/WwARyYORPlII4i3rwl7C/3AWCpdBncYFQCJTot8AITEcuQIJWtP/2Hv2bBow7lJXFQ8vV7DoJxe/JDeTEPTeSHX8Ng7bWHRIRsJpr9klQfbxL/vWdMy4SfXF+5vB23C+B/olIDRfNACGUW2/RDH7fnsFTlqO8NMmU+vzfqV+xCP1fUi5h2nTzhUMOIGsjO4ZlxPOVDGj5H03guzfBbUg9uqbQw4N2qVxRqxQk/r+uYC9OtgwwAKrokT8OoSCLH2m4eTVQpVrrwrDC0X3dSiXXLYghH6oK6FXSYsSUf0Gp6iqCnlbf9PN76R8aX8XlIiWzw3k/OFb4zh0CoBTaJkNo3vCcLrPWqvx2VtUFYwxZTL+Q8M6U5s07DaXJIlNvwWO7nsaopscJtkgxoDPQ8eQnshaUA8PsugGZP5I2dg4/z67Tc0NrlwQ3U/BECPw3v3czuCiINjVfnQstXwSYFblEq1rxqMmwY4d5Z4yliZ0DGD/BvGgxXyxlmYrmBdWP7lQLYX9VtTPPqLe7f9WLzKOXEcnegqHD0HB/hhfSPLsedVEAodndatCLMTuQKDPJSDRgH3cpx85lAen/w18WBVGhc0u0+tqby0Vm/4UFSItX/tRMXO2RWVtzTzrdSuVV2/2qGnXels3YVgANCoSAWTODBlWNbH8jNaseW0UKoY6GQuwli7QMpz+EIctrbiSOdjYKoexcZ1r6vjgzWcHDdoTPVwf1tIUUY4aekXldzbSg7g6PO9wDWvQQNM4FtjvagB8K20Jlk4bqxzLsTKQEl1th7sBiJWcYxVaWkBwr7yU84SMiiTfCbnLLnVuxbZHXpDDIc/i/5KVMgtEC1hdgXE1bBSCsf714oPXHqPUVv+adNYcUyDEzvVdi1piyv7Xge7bGukOdB20ld04tsVbkKQIaG8JHswlhtVplxija55R0yGonBzQAmlw0PRaWbHYWD4cIHVYu4RLJpY2/Lz/OBJGsS21cAFlQ/7qb3dhBN7TJRXiJVINUQV00V4Kwl1UcVpgEMis025srsSg55oqdKDKQu4q4G5Zg47ouuzqlmz9yROpvRi+xbmkDwvzUGNSthNp/vAYETDTFed/OVqG/YqWJ6gYcQFv4G/nOpXGHVgl20iKwBMT2rdg+Ktve+XUHqaOHZQIcxeaBylwwwAIRf057ObT6i7KFPFcCircSad8LRlz1NGXtFSmLbvnC2HxUdB7bSEb+pXBg26hu2L+f0U53AxEjRdsNqXu+fLBQojfH21eN87cMZUUlGumT4SjjTPXWWPO74dAB+3sYXmFm+fqFXfgsD21BoJz7kDZApMxzhC77TSYa53s81PtUxGguYeQ3qt7tVKzPj/csDELwBqRAqyf/Wjsz8vrJWlkoEELJ+MAbFLdKB8HUAqKbq/F3322mHr+wSp2oFXFFf5VbcD7sG0TDd8dQrKyONrA243M6Zyj84goy76szv5wGJuJou9TmpKL+tpTT4HquLxTQ/GOWRQPRFTfr8NbbGNwHrVXaa3vj8yhopJnsKeEgiQwzvF9JW1h6oXa3V2OFZZO71L2N1HLQdQAH40vETGN+LFi6YPJ5OhjMOT/ltPZDH22p17BjOu4kiwbHTaDaPdjMpCN+lMknySGOjWEhFV+7Vne/EB6gc/FZf8vrft+bcKYgktgCZl3615XpvM1mQw/zgeHV/hG3YKS5fTjBMn2mfgtEsJlYGDl3ksG7clYNXiCTs9dPN2N5Jsxbh6DHh5J1YyNK0VeTvgCWCv7KY6EZH7lvbT/e2FYxSYAEvkssUl9sti9HvTt4J0txAdqDYrOmv1/uwgd3sN/64Gy95eNuThuqqn9QjUo9GWbB859RM2W93c7mOw+eaCdxpLFmAHop9Us3GecOL8B1lEay1BTF/4XSWGNxPY/Re4uUGSBUV/kBT3mkPrNSPpRIiurFzaTN0W17lgZFkSCxEEGdVi4y+vVPWni18/Ik8yCFtb+vkdq1/WlG9mqYqRBdw4JxyzD8HUo/0lFWLy6XqSoPRWM6n76FTXKzlC0OmcMchzgTliLj+mWp9dUpdNQwoFE/TyLAqHAn2vZssNC0pCnxvS9mjtojNani7gan9/JMCtZC3tjZBDGVpFpsrAEsN/WnebwYf1ugm2J6yzm3JafdsSAAVkjEZDw644qHTtxJWnMI+bP46+U2w7bYlvqwNElNax+ItTLlsvnPadC1UxKxJ6ZQ/qVE/m411YuKsF2pNUVuJYI9/U02OG23zWgnw1GE4pXJfzTOMAkMYmu/p/+Ylb9LGAdDqeDO/+Jfy3J6bNijTuJzGGj2ufNi7lG6WUbJxibSOSPRk+bfzXC+jeJR25t8C2FVXVNSKQqJeYY14tCct4MfT1E6bgjR8X1gzK21tmLNxqqJjzl+xNnTqgBWwkDzbbaliVYkoyLW6jpxhjVp1tJIAOv3EjbKml2iK3g2zJzScKV9YqXz+sTcZxBQ/2pJvLElV4jx7r9B4u+HAIepKg4+YSdi15PeLSFd30tPnlTUgg6Z7Bhxhgb+wQqJK50lDLlBFSBlX0JvKugnP4dS2YoQUvLGkH6XZVQevhr3U1W9mLA4yj201nb7f/O8ebiStndcT28mOPfrVt0Mtqg9ag3daoEfP+m54BzpNGnk7uzBvF2VmFE/CtNKjt/S3UszMLbt+xDSZT7oHWF6HIiuO0oKSDwvwSYx7Ahxnt2f70wC0KlFZVEaSmHkhyEHXNfwiuOM28gCY5Xfplzxp+/lGqMatz6d4xeGR19cxBdkdktD+sUIi8LxnZ8t5hTyjF0xoZvzEkELebMTn6k4TmOnPmFYYp1tmkxHb/zdxHy1Dd0UvvYry/aqkW2v0+DxMR4pnyBQkIObF4+6MnWCTGu/5L6We3SIQDgZApAAv00UL1RVjq+aoV0ekJyWFlIYWVix0l1cNIT99P3leJWJTJiK/fOyrVr3/uCCrzpJF9ovuPyoBaLmbFotAbqtavdA9BVcYd64GBaZ2vJXERSbk4XK8vJuriKuJJmPyz7uIhc2lvqiNu5QGyc8g5thG8OJLXtI3n0uOJVWhrapNI8+49hLk9fjFE4FlPOxC3FUSeoAsJln1NFp0iY3IZBwG/oFMFDL13YAql3qVcfkV1tgqwYGeQzVvRfEfaOuOr86btnw13vnMwh8TEw2RuWGwZUuzhMdLDiWaE172sv1SDSikFhSDiBR/erTmRJTHYlJZb0moL5GogVT7/JbNNOpFbT7uMHlfeVRU+tz4aeU+mVpkuFSVFnc5x6q9yhrT7xIsUzsOYgrayYaWbC/RTS7TyCrm4O5TX4eGy6ZvW4h5ArOcdrj1D8to9okCvq7bpqLAl4j2pG+VdqQMYW4qMt8yqMT0iMiFiIGAqPZ3dU7ZAwavGddbRm7ddWfC+43KEE9batRBoI89P9W8lpgdlIVJHuo/KFVAoYZONLna8jj5r4iIss6H6UfH3afpPwWs1qVxFHcapT07iFNgwsy7zhanRskDKV8fmRtKsTO9mFAGVYlzlY8tNYKUxUJ8sSiSQvcSCsAMsF2yAuKiYOfFyST9ec2Nq82cN2QSkrc4atyAeX8N0yodKpSXMlU7nrEqKbO+NaDCDDf7L9jt/W4cUoZBbtDp7BHaVY68hkYRAv6cVaAH0cJwnpxFsiRJ3V11qdswdzD13/9u99MBluSaBSWLYSLmR17sU1LykFa25UDTSHtdCpb3a7DVf+VIp7/Oo1dDS6DU7ruLVfeJrYAxU5whfrCQIEeCQIpx2QLQojXRuyz1bqDmj9w9Wb3NCtu4VIvJpZPCzRwE08LndpVmCFg5a13SQ7CCZe0uoDZP3CMOU8nEg3At7VvpDJfcBe1T7lkOerBTdWrVu8KHZvywoaq29q9j7xxWvqR0dkKZFYaAzWJs4R9P+SHPhzUb8FbfnTaGPPgaGYmExrTct3Q3hgs7igrEFDz8lFVgq5bCPSUwpv1fcL0njHXT7IbOIx/NdLyQb9UOzwFMtkd72GbqrHgE8+Ld/uMQRF4mGH7XqFFTpQowgKDeNQkL7D7WHjiLAorUSuQqKn2iKpJucXrPOoS+0czai1plFcKj5aR0cTga0P5Dd+AV6ylJ+GMQsxAOdzgQR5rMKCJ/1mDzt5Hz6Q2mbGddD0eliD8iwMY6YzV2ItNVRt6sTal/D4pvs1xSgyvmWrOGAryCYpqiAZrAslBqiVuaj1YjQ8fRk7XrTi/Y+bBqt2Io5O3DBRkovrO1vmt9gPChRsdUOKEHA54gP+zfY5TUGPCkNONFqB5Ca6zPP8MpyVpUJ3uUFXBNgQeixTUwhK9+QUwq84J6zlIQc0H1+IYEAyhuW1ycOlMGi1aJ7OQzhxPyt88ae5zje2ExJpMe1HSDyx9bJYik0tyPSUo/wGLCugyG5/OoE9/F/NZMP44Oz+zhCHdJ20gBCnPEydUSxpprCMcP87IA66JPBRFN08KYJHWZcT3Bj6JniGii26KKMcTtlzpkH8hprObMv04smkSwG9oUXAPhkGs3N7iSk3c2I43P9doqImmR6VnJGh23VQu5I1pJEFhH9OVbEXilVAPW7DTL5EISj9VVGzuv7Q2240EHLDPcCrpthDxtlo7ilLPqN8dpXLCValBegyjI1JioX5hooyA+6ge2Mzz5gMmcBQejCGK8Rr/M969UiXILdIPZqCy7qUn10ymAS8b0lG9Q4ePNH4MtprwoaGg7BEFBDWspMgSGZg8HM/tiKuoBUUxFZVBp5iygQdxWG80CFf4WRD84mtwz2tUoj/dsBQoxkgb1+aCA6fcpbUllG/9JaLYbq1ve500VeUy3vubLXUmmsl4n3dD4iUy0VRXMgftC1+pNUo5D941bMR00YrdNrTCqpk0sXMTj0w/OoYbfrBstLSHveEt/4fTVWFPlXiPZyZWMG4GFbryan8Rmkvi017fxArNZTqooazQ+Ift4CIfDpvDv7UiZMRR4I8bMcenI6VQty56GM/L5wu6pvXhwYL0CiwLKa/QGRC+Ngcz5H+smVs81Yn4TAqZqklbb+mdmMXBlMkl53ywcZiJ7/tlVNBw1SuvnHbyIpNlgWqyD0mRONZl+cdq85TJddsifeF5tEF5gUI9EHcwPGrTwHMid//6qCVYHsVEmfhHt8bgblFmS7bnp4yXN72Zq758wbKIXuHDSPRdoYUX/UqYJkWM/ptsOtisccSPlSmY/Vtv32fEA5I4OupBekH/gNfCDJnSND77AIPtrdZrVBVhaHyI3FgIPi+z7GlspZXcUo0+Ypru+mHUguutCtfDTxjmbc5IVsVXjGDSojeXLJYefSSGNiWNJontcxwrfTDdpes+a/FpjJOW3KRgVEYMWxYrgccMYCGwfwsfLvtEUL4qu3R1LtLS+JtU5439354LLedxg2Qb5kTt0Qo3tQhsTOOlAU4AxQbRdabJZt3qzxS6V1CY7KzVWjm615XsFIA25qWJzS9+lv7mp+W90TOm8xM3ycmVIgvWN6o0ozAcC88TQ6Kj7ib8oTPbE077qfaIUv1Eo2Mo6YVn5JbiItiWrXsYP0fHhmcNuCwb/zzWnHfD+J63RBL5fni4eQ4DqDBdR9tDdQaIZ8HpbzRkWnmfRO/Eix6jxvePjG3F/qWNn/iJ/FhVnQJOqQjsc0lG4itvzU1tsQqR28em/p1F215E2AxZXNFf7SOtIt5XSf4RGhSfG8SaZyd2V9kYsA0asvfUkb7/cna4tiCHojDnOIoNcqW7wc/CmXcYM5iZbtirgDoXlHRcZagBMNTMFbFizCsbwgYz+VuFn7sSNjdPgCEIKhcAltMjGcwwR3c0qj5Ndwl4aYCsQ85t2KDBVuTPADm8Q/2F1CBiDep+f70eee6Y190e2Qj5k3X6SSWoYaPQ1u2+4MiXBqv9cajfJU7e2tA3IYcEuiVmPsmTDqOvrHVh9iQKfu4j1HxdhQ6v2A0UqFViT+4cyvaFhPNZxt9SkABXJrfYeeu2OY+/0tLjZyo4U3z3Pj2+W87P1ANSjsRvQhcs+2cWSNr1i8YMcVPQe4xYJ4uwmRaey3YeEuJW5gYa7dJxCkuAQCcVqaYe4OR/11imRbytpTGjZxliv+1hKAJf3eF7ayg2e/piTDDkxLO9PoRG+sqpfouTijTue51i9PfDX1jVpARyNLgfPzWJGsYWiJWV5A2Xb0U09elGxXDEkwQDM5+y0qKipGhBT/NvqfAbh94xkZ0VUs0wAolPOWL/voyAT3OcJ+2hLQJv+MQCERHFxM7znZgDq78g+vlpuqQ4+0iezAzYhgQaVV/zMI5c8dFPMJEwU3ejj02u6wREmHHVZT1Wj2LF5Lnb1yxLcMV9jZLSWkyg0eAKOmtbq9YjTnD+VUwEVf51gH9CoWh5sN4O12wb9TdwueaLaYvcuqNcAJ/YINz0cltItAZ8sQI6J9bEhQ8UPFye9HVklUrSsOmqOKjezODN49yJ4/uMPAbrRgNCkg4XufFa65kDspIwks9U+xo1QBmKz/PVCH+Nw655qYzlqNIn5dydHdfC5bK5YdMjqQEVSlF704+fTZDS+8nqeD9+Gll719ZjuTobUePSongHdDz8e3atCoRSy4ecGkFYMMk4M4tZPVKLRgZHfqGpG/r+ZqnkGSCYmvBvZZDTiB8D6BMBKVKDujtB15RKCVQC9zAysaVzrN8OigMxTvTyf0ZOKl1XIBNtKQqYAhOfNrNfwpNkysE4pBrJ40AgQZDV8zBt012WdbKq6pR4ECscsy0p4Hk2Nv7rGyG3vyVcAVoFrdMEEq3KmrvfcBswfCLQDz1K9GJdl7z+0DF8ZltL86rrYiYQpXuyErSb0lr52AtfoZOmJjIwpUoquM6yHJix9EL0xuPU5VopACNsIHFIN/JbdwB0lb0Rk3l+j3HZl/fwEeCujLSL3Cc3AcVKpnocacZQqEsFW7M+fVHduANSg2sDCjG04UV1vcQjosfK1GOsDowsRKxjQRb9XKe4xEwikl81nIry1Yd9t/jZhQcLPQxG+PC8SVshZrJQZPiTMFTbvskbEYsjliN/UaEoXzVGivCDHs6pNBYnZ4DXM3R2xh63nwLgs6J6J8DQFD4DZr0r/G0PbeZk1SCHWVLq3qbu/jN7qH92J0fGzbzDZf8ZxVtFpYYQvzVJ8acpldETBlZfMQMCo4+7VnQyoyYtzzKQn6xCHO+9TAo62oiShR+MamXYYDgSDpKCiA8C4qhSyJS1rdv7LJqXE9MX8oxamUCjeShYFNrf417MFxF59GT6St3pRj1Y7nsDnHiq5ENn7YIxX9CNuQ9QO6jOq+CpvWOrBM3CgJZN/UJsSLkJ1HhGLvN5LKopjw5LC4fNdHzeWn/z5nPbppFc1lpSvvIR0mkgP9LHt101vv14+Gd+Rn0jvN/mx0wqh/DCqKyNR3CrRE9/ztYXy3VfWDyHwmc0K0iD56o+AvdNJEGPquXGYHNEWQcGHSemN++oRjmpym8WVvBUUMxV18QQjznebNSuu6Ap66ni+I1OA5KWsPI2iJLvLdQg+UrVsTaZFZOm7fL3wFtTgIKpNERp37b8ITIZN6WZuqzRGz8XlVsBd41u9zWvDYYtYbxhswAgrs4eOMk9LRRfBvg/2fRJZAgA7wghDTCpchRSLOn1I6bFOc/wy067UcysU/WBUjALXClUuLrakA1ImzwzlC3ALln5vkT8fEnp0xTfewHkjnHAIwemgxk5e6JaqmmMPmkMgYJA/OqvKqMnkP1D7oiObQ+CI4ETA6yN0zyFlMrL1gTQfU7V3RtF54NIKB4LOX2t16jnloAWwiHZYdeNaduaaL7ZYmBDIkMhlnSsdBANwX53FfgpFdQANGj4FQ4hFiIFajcRZ3+BFckcWcxDwgqCre5XNvocNHT0OwBtuVY9ma599imzr9ycDeik7p5zB6DlhQ2a1NFYFLxRuWCB5hC9rilCVRN6o3yXrEXLpLMNpT3T22GUlwd/+NX+xZYvhoaXcgAv7edY5exkEJA8cKPQiJf9KtUccQNhgdzDPiJJm6uTSxWeZwLUbBQk/ShtyLG7klwaQAV1bd1QODWEzmCivgE4r2c3civVh7wNixo7mbTCOyyDdz0mXfjpYZsGKDZg6FtEs5Ipq58JqWhkLmuv4FJDfVyIC8lLKDzl4fI4X8G1liebSYbkDII5h1BeJ+kUtoFZg0rYdA0qscJBF+ElEl7mWOdu06GIdyx6yaI+rD5W0Iq1O8Ct/tX7KciFGy4tE0TcNPhRyouXw3GkuEkLFfG9e7N6k4NHWkKLIOKx54vX3wL2q1QCz2yiIxveoFrKig7jJAlhKjQ6gpV2HxhubEgPocR4/iPFDYvlQODiWtilgQKpFtVmXPnFcqwGmtAjHA7hglGMUli+AWEbHuZ1ozHjIPPwYURkgtEaq0Cf9jHeeNvHQVjlOn2jj9JtKeozbOiwMEDli1TqEoxZRpklu/pltty2T4amPisAx66ZqzoD0gT8BU0Xv8WhldNfyQTlbE7+kww5WYiL+nZHzUgJWJ55WAnIwxd9IYWc5XD3H+29pqXnopY9xfJHfDxPQ/LF+dtp3waiKjNX5/+D66RZWESIeS13l5KPFsZdOE8nrRaDic6sgzzzOC6d9JDzsV9QQFtH+TepmSgg7UTDj6CTa/dYAf1iSvk+v/OsiW57tIIScnbqYlaAqHjOzBXogx+Ic1JN/QGPGd9VcIde0OwDUcAki8hy4xOzHYca34CnYg9rt3nuENAs7NO3V02NSJ2o/cYvSjS+Qpn4aPEtIR2hgvXXm7pOtRxRibRwj4pB35c49j/vWFN4S/uF5B93ApsDxfd8REl4I73alD52O7RPzwfS39jUKuI9s1hGxMB0W+VEcotC9uW3dLL15Hkp36xDrOMiGQpEiQANRUcK91vDUCiLXT+6Fn/kYmqyjBazY8SNEIEfazlx+FcpFfL7xbBSr7VhKmruPQdebtmxwco9Jq3iKRKSzfE9vn6Hd1X1lxZ/FJWtwK+UR50+DIqiiDwMshivyjwXUnhhATtelu7KZnK43QJWx52xOIY5viv4hCRGDus8DTH0FTmPANNpfTIY2Y0AdRqe+zTNzyb8/R18oFDYgAhTPj1DyOOVs9RiFwn16sQI8hdWzS5mnXZs1M7Mor8xqrZebXeLKXxm4u6Vfo8KmtGXiXtVycy6TM5bFLg5Y+h3XJz0owawdvICgOC/FPEO5zyrCDCTKQYRrA2DFC0zqfJwTayBunQ+kxGA0J3ALbXYxeBc/3Ux8bRiVffroEDAAj5oeHhjYq/V9MoRBU/9MRhQCUwj4b0V3dkaCKDtDgF8AQEOs1Ng/2El+B1pwxtXj5odO+qqYUpe55uvmLNmVX3+fRwgPNoHgeRWtLpV9eq3jaRYlbCNuw6xoVrEEo2ZW3a1lNBRaWjuSTUMF+Tk/aW6uOBeGNhDRcIgCp985FJUmBc4O/UJLMSiv2V+9Bss9VL10iGJcxxLA8uA/Y837xUOZkNIjo6X/2U7jN+tqB/AacNrpeFZ1Ccms6x69DTgep2Aht6JmuNB26FQusPtGD1izLdH9BaNSxT5brAIDtXVFkR6UGnNE7LY6bAYpIWDPFFYP21np5L2HGtAcYpIQOOAEug8zJWFwU1bwO1B1m3YZFvemNf2+YpbtQnhyurP77aY/EL23cvhTOl/YD9B6NboBWkOlR6Awy6p/jzUgYU4UFyN/CIh8m+DlHdQWv2k63UDLYi5zZ7VC/zeyBY3ZC8gkGLkaE3/kxtaSlcyJVeVZbQoN8u/l267RQQw+/Pm8T+P39OCiwRMeSMa3H70ymZXtdUL/QgN45FPQ1ry6q3P+ZCAWjA47OtvJ3xp2Js9T5M2jTEVXo8QVywiQvmVSWLQ2FWWyCKX1yP/9wqawUDYHZByIkwnNzOkEuIX8bDbsZMwN/NRH6hrvMLMeAsX5lxZ4/Uvr9wM+L90ktisvUGzgUWw8wg1v7ZRQHYysvcpi/tjJ/rvA8g2j2rBTj274nNSjAp9dx/1L6Xs3pZibL9RWnkNM125zCrnvCntrNDcecwL0WmTj9u5PBEErtfxOb9sNq6y8tRwu87gQQzxsAnePp5lEUZf7/886ofV0XjOXF89uEjyLbnf7wzUTFHYhLVSGFMPRbZ7nK6cvBei15YzwrCY5QM9b2MtGYf96DJK9RZVOuKu3ZOVN0J57JRjUfP2vjdO5fzYsiznpL1BBuFCN6V99D3q+a81Tmw4WPzSUhk3xr+NWjMgfFb2jIxdYwquhBQnUPa2oTWrBrhlFk2ilsL8msNMUGVabkRlXHIttxXrKWixPNWInHD+5k+Z3yuj96mTBich7OR4haZs4v+xOddYuHxg5B8tcZ0UjXgBuMgJPmDsr7jEE7pvrBaUIvUKjs2JrOUy3Kf3NnoICvMLmkGASPiVKYiMXb2MhLSkfvQL8+jBTp8+abSpVuDP2VWUNL7yyXaQQ47i3JABkvP+8B1AMmMjm0jiZ/53EPQuoDuHSpGmanC/9SgLDTuz7QSu9fUPI4CW/stlYMzB1cNMFNdbYLzpEiZwfE1rmJy4XvoAe31pICCwjhFEpk6tkXIOfz8A36rI9pfgrMLvFNVThCZv+q0HIfZBrgL7Qi7U88YtjWhNQugc/scpop/Y1rr2mkE2Ci4tFXuU64wSlesZgqruZZ8ZMy5U3eOHeK2Vgkh7Uq/iMcOmTFjSL4T49f9GuA3jYwVB6hTJaWYHksf5Jg5sj/ueizK0fJeM3WFEH9Prc3vtpzLTcREwSMIcesOttd/Mz4AYjYlvOU857WHy2pSy1X1TjceBLjCRZcY6cA1yWWWhk3y2eXfUaylLBbLfCEQHVO9SV/Fb+i1A57p9PkfIzxCm+yhoUv+1JZxdOGRhhwQjXD2VukH2Gk1GuGpEAZH8l/bLsEC+zaJ4tLP/Clp6KvddOopUHmRiRfii1QIZLaAj2AXxivKFeCQvZFa/PfW3eoYbREVtNgdQ8HL091w8lGHunHnRT6wbgnGU+DFlHMxnGoon5Gw8iYCxLlg3NLS6ibiSje4gO2qda55ryWjmXDf6V3rGh4F++meAdwz1EeEdACAO2lWYTyzKvU94LeVkvBDndQOSX7P+pHBvvMcxI9jhbZvQQDFvstQxkBrIE2yCVvym9LLgmSM/KSKk+ymwGuImsMpGKPgi7fhOUDBt869N+mezrVHukgTE/BJUR8GQmCE0yYvBXuhOZHejzxGW5/anJaf6rc4/N/rOBlm+e3yz810fhAqcEVgP25scw4pkF68RURDMswFJ7TgZAuNRCHrjoMdY/9AC/wolrzxJFRZQTV+2MX+S/YdMx/QRK09iVb/1Ttff1+y87zOy9N/KSET/x9mtBMyUAUq4yjPSKmGf+W3eBgsxKd0b6LI1mZ00xuB2nITpbKa3oX9ewpitZ9fQHhtrSJ6JLt3Zyqtx/HhVzs6qvCb5jJ0taIyyVsz5rwikHv3dCcDI9YAUGiPFmN3F9bg+rRKzHAaFu0xbW2r/5HKmZ0c1bHWt2UexVtUpj2v08WxsFKjjwBjByehq1oJ4wzgSerVNiMYzlSZw4HvNvDq60gT0z+CRhW8MFXMQxvRDdgGh6pODUgOiPkKUa1h0Y2w/1CZf2JqQWAm5ImpqVZxHhISOY39Hv6YEKasFk+2kZo2IHDBsf1uKtuAg1EgeCVw/lnSpDf01087wZexjYwi78JIiF/BkwjNtqt3632+PqPXPPRaDZQATj3QELMuulnO4I2dLSWnithUmafeILh91F9kCztekKpUkXH+3sUCKrRPtiCxZ6hXQuxWa4GqHZ9dac196j9noB8hlvU6iUp/7B3r0cKW9SocupYT/MGmFTOwAZ/KAhsqDP5mJQO183+maEfhicAy7mBRF3gJu2HvHNs8Yt2uQSoL4gi1bDgiaKaNUZS+Inxz+rlfItqmHpbwDFrLsLBNRu8K6B41S/3po4Vaygv8xZ/oY+fLFpUgFtQvVn3FuyS1FqN2MfCuAUwxL1mzUetsylow4GxV/ErRVrlyFRV57qnJlji5bP6rXvE9CD5WM3+V2Du5Cln1zLAIoWpa9ivr0HCC93Dxuf5l90BuWditClR0WVF4ckGHNEaIcQjs5r0ElaspMkk2iPsll/XaqUsV+VB8XmeGlqCrekFfrBrN8HEW9/+1CJxTtgeqgy5u61O5IfYW9dFo9vHqeLxvrv4e+EbpQtyIaIQ48koQ/+IcRLxzIi5LG5NUjcvXcc3sx0yE4V2Eu2U18br43Jxmo/naf/lvyvyCD0U20ANSCHyMyJub9pYz0fISM1t+Wt19uiHT/SCIWdThKFK8TjoYn4BIHoSWhDOjLcR8lE8VArOIN6MuEEnNXoCRw9O07e0JoVrGtXcLveDZmCmLS5ylLdY06enN0BHfxyO1iwRofi92ugz7si+BG5K3f5/gquLoM+oJuv3qkkb5w21Qxzyk1uEZvWv5OaWIooDnvSq+dlUF0o1atbwAYV0e3lz4y0qpw3MwKcq2G0+p9N2E6ZGn7oQrmQhjJwW1NMYcLoYiBD7V3eFxvWbRy9QtiCvfiENrVe7acmMQRtovNZNSXd4qTyGf3k2K4dn+AlekJ2hxEIT/nxqqB1cSXCyHjg/9qfx5LlVqj3FgXcGO4K4brA1ilLazOZyQKwkMSkTauWWkxYkDXA2hk+Sgh9dZWwqkdjQOdR7TO6Fz49Oux5oJNfNLTCO97BmYXv6nRdvLzRX46/m6ldTaCZzGqL44lgu7heQgBje8GW9J93rt0LcltR97tzLRlEp2sfy7vJNBRNCXhSsVR6OvlBJQv8CYnhaACqY4QaYkwjPjFM/8VWdukVt9iYjVfrJI+al0iy1zE94Mfz+xuqrkX1UKsgIHhyMke7JgEuEhejooxZuMPjfKe5VDgsGnPkf5jI4FV2gZETG4f+/4iRY/Lpw5RVdTpST6UMlFG+QeP8vPuxuemswbOO9jsarloc51rfLA5AibqFrVxhxkX8uBqtPXhd/G/YlKN/gVlB3wsz45E5qBSOuuOjoZZJuMUZ2F1WQ2mmGUGy5//fOsF6i+61QMvMJmT4hEJaQ7gWkWVSJTixVCEvc4jhT30evgA21YDY7Jv769CwXyyzCxDSBYB5PXHkX299GM2cqmwQDzPGvrNlM5b2oqIw8pGpOsboZxzKKRN4vKS8wTreg6vGC0O8Alg0X2Ivw2Vawn8Z51BY2X89zD/zWcyIJ1yR60AJZewUYbmeBw4BXZCZMLialOXAp/4IjtLp+ksC79hH6UzT70r5L1YW4wV153TtPy2r39qPAyBl7wYslq7KT8cJ8Nd8+T9awkIjYmP3ZFQDD3IRMZMA1ZQLGcgg6B28mZ1zVm/K+UNzVTD86KWaLb4eSScx9mMmCAVu29RjHXYuLemHHSdDLYKoaeb1ZCuc/ErskmGAlP4IvaHNsuT0PzTmq/v5qmpVXrsxFO3Zvp0HXDQOpo6GyHx6IADMpqPDqm5LL+mTCeWP7bBWykWDN52iqskgHhkIn0C5GsZo4mRqLJEa25Ef6ugKXTTLdnXuDMnvxokvH+KaO4MsBS1HMikL1owyJhUn7CU4likZyXxm3nBA9zZmqazytocv/FYwgfTAvNMPd4SOcKFIL8RlT90FJr8jGSwlNoi4gyOd4j59gG2ujH8tI5NDlBBQKYkbTF1S1q5gmNov5Tw48GxLhOsrT0JGidrfzud98KJCEk0WVYbfkhmnSBYpiwsBciZOx5UpQdwHViORtfqRAUMGHIzSC2RiJxS6l6QNn4AyGmjrkUpNYSXQdeEt4E7NDdoXhHkSwg7wwEnFzDipI6ZRpXsDI1ZGF2HtwZzf+j5ZHD+iPfjrsHZ6V52c8O8RXA8Ii9U0DWhRNJigMJjogHcEnxu0RUt2cMyowAd78avBfxB+i8xwXt94JC0boHteduZLfuM6rwd3FWhxDA2l4sRE5W5s2UHs+SmJiSoHibLd9IsVKP/cpcc2AnlFhgQtTgjm8+9wHh89G2UptZJfplR1RjZl+sB9M6/CgY7dzTrmOgA6xuVbFyDmDMsvHhsYHD38ymJ36JYhZRxYzvTOqjaksJH1toq8qoETUb3g9noJ4hVD1Jggk64Wk+yjcZe7CMbmRHZuJm1VsyGgm3mcR4pJkunQadU4Shi0boLGqaUlTSPjh5UKA+8VQ5qJbbKVy5yJuZ396hEawj76IoODJWpkuAobXz4bYfJKC1iIwffAG1uuJTfdF7g0I0jSyTl7gXpP7CzOSobfFRUZ77dAzVmmobdwdMWG4/ixTt61GHBjVz/U+rQacQH6cn/AwwkRauo3sj9askNV6Hu9DkdciNyxvQx3/ZQ0BSoRJFQ1bAuLQK1QOkbfIDyG77xOgrrDRceH9dIsjdDywANticZIaE8X5xDmRrDwHC1a8NKlvlYfu7RnSIgTgAsRl8dGm0uUyZh9j+m++NjV5m1jj/aU01D5Iui829IccZFvpuxDo4EGL/2ejvAtVbQHWAxzUiMkIgVUxc/4aNEKllHFjZQHRhtMi1nKrHGz0XopaXDnYM6OWcveYXundP36uPVZJ0X9aM6xluifnr9ux8YPLLsQtQYStUgp4mAuLdyOAymIEXABgkhjGVNvpPoBu69OmSjLFsnz/GJnZiJ7Bl0oUzBKB/mFxEwckjvzfXew3anP6JGhdmxI4NZA9F+KbsgJdZCu1ESEMGDrWUnkmkeO44Pracc0UKCOdoXTTvQ+AfSlqiexCU7mRwQF/2ciOPdTC0SRT+6eBgqPZ9kRIuRCUNItBdt1zv1gDKh3k1Gf7OCl8+vEKFG83G5j2E6T68EeLfmbXUHFUV1iRnsn28SDbBYCea8LR/PDYVQ9VhYPb/R4y3+0YUEW1aYU1dNp3YHN4oSZ0qVLYXFt/dWIqr4T5s2OsHlpxXPvq8WxSLZFpvjgGDQ61w++RzvgSNMfxkQy3hUNJhmKd9y2PacvNZ6QCrPRpT7r/qp9TLCZg8ZWspUTHMkIC0k5szWIQV4E+h382OONnyn346wWONQ/J1RpMBqtwrU3JjdNBuI+GZ8qkTS3d7+gkYBIkBY2FZAxfl+DZp6maLx+538xlfYi1oD5c0tzFOdJTB/Cki321X+oKLyoYXXvkedPqIm25nfhdUDOl6WP5TDNAMJ6slaqP1gD3zXFQl2ub7rNWErK5hYZEHYDUPFwy/gsAyCcwWSIbdf8R+gZbTZE+2ApIaTCjo73MRJOwmnsTI3EgMbJrD3kxy0Upd6Hp+/Q5vgEcTF/4m7trRU2PX/QhC97mCVVAUS1Pw6R2RhGuv1WPe/PlX0NeoyhcFmzz5Ch+up220BZgvGKwkVTu6LZ7YNjZoZKlqzDHc49M6RK0phM6EIOu0Df99wOZR3lAMJf9iUOsGTyMx0UC3W0w6XBV9B1KjLJTukt6DtHsjRL6BVinR07Ejk8ktjfK97Iyt0wpo+75HG6mppgvf8rXdEH83cyAQFDw9yGi/Kg3MtKcimJeuLJjKZxn0WX1SkTWAfd/vxar5FFsABgUNe+JEmkkDNDPVTotv5seX3T9o8lQcXL7fdnF54dQcYnsjD8SKaps95XICkkxpdjlADBGFuI9lK9cAiFsiyK7KYC5Qw15ZfEFmQtiOQoMqgn+q19VJGcaQmwfwP38CEshoSMKJwzndhKjQew8QKzTkT7BY51ujCqqpovs5jb5rKhgRR+VkObOeSNrP2/X/tdlGfOcLOAz8qHSyeJY1e8yQjlNNjoPmvABtTY3LL8tGRqPpNCmkUftrQzoAOmBP4sP8bDn1i8NkTA3DbARFYTscVkQmS6xqkhAgaDdcL+vOw2YCdSgou2hQZAUvvoECDNPYWnosT+ZU5jWJ6fBiND/+TiZ0mIbKgcXtGQzAPm5d1grGjqvH0Hkvw1zvV4UZ+f9Wm+ccsnLJCPGvwNUSzPrtp7Ii2Q1DzRXyi5xw9gqLHefbW2+V01bCUri9YfLXH0inWQXHU1BHn7fNVcO0RXxXxzIbCEORsPxSYny+4XLBUzBhhjXpkMtqLM4bd0dpsh7xekHaoTq06HN94cUjkXovmb6HGQUIVdCnCzif1blETFk/BPJvOOuEtgCiF26TO9g0ayH3toQ42mdgjPKqQ6VSpkYpCCDk7nxytczLIZWQzMQhzEv+GHKUeUls6ABjhJKGsXPLJoR1MlkzRvtjz/aQv5dsRX0jWrQbia8dM4INDuG41GtApdvBLIFY2qNIztmfYamiiJI51l8uWFeInt77bnhNWNsv3Wvyflk2yXrjwt5q/IWyY+UOJN3khKy519VN3JVgjz0VvBhaVAQdg+f1HKqfBnOdrLRewsx5kcofeHk3NoN6JQIJBgv1cdKm24YfVTZaVphU4qsJmoHh2c5yOLwmQcPAYK/IY7soPICR/X2z8jUisHQ+y3aABOfC/PyYD7MkX22kPfRlm83GG8oeRKsCRfA5/hSV1J+mKaAaaukJpnWPGl240o9ETl25STD9GTWuaSigIFYnck8Ju0k3WJoe3gjCFIDBsETBm4bax8xdn1n//zXp4dPwC6NMlNHSz891IslGfR+Ud6R5yqVrw0zmdDNpbYYAWkMj32Nd/IQcKAztui1kjZnlZQ9zAl0yBErmrmw3gGxIIcmd1lbBEyG2N4C1a7WKu+6QVpsNJ5yCXf4Z/MYzlDtmspIyOZL6mYpCxViGLYRv7yYVS/9vge6UnJlVDxeyxF9BdbaNH5Ovji+F6GNbyC8ZkpOjahR/+euwJouPXBJbYaL/9UunZB4YWBJeElqrmRPPFx6r5tL8hUKHj7KXB1l2KMOwZIZJ5GWX/uAnWhzi9nHSIKoDAu/S/LS1pRphW9Z0N0U9ch343+FiyDG55R+AHDJzEkvPXLWQzNd9blEPI6ptZNV8ckzvlb7CF5Iwp0IumVcR6+xrq+Vw5eXmllYstMM4PlkWsZGo+uOO07thLZCP9ODvjhAETGuC10iBVmvZR/iY5NkflEpmZRgvoj8oqqiKKtem7buu316DHLYGqNVbpL4Gk3mjKaIrUuqPoaeIBiDCAnCDaI0YTyrk50WbO59KhCHpPihS7mvS57jtjM/F56tUoKfjCBG91VRSFrFhd74XOwIvbtUJUOoVCKxUc/N6Wv4RBtC2EBlPo/f9fCiWHYAOMYcUzwctERbWC2ohBk3ae2lY/XYrRx7gOYalRUTIyiJpgSWa/fEAbStfHalb5JnMvFwjKPeQYp3nE/gYviUcxzIYjja2i8fusYLrbOgiL4XuKjfU2kmh8+Cm2USJrKQM3mDbcMu8r6SPEghw8Alf/Ba6NmU0fsu9P4bPN7F66fKl7MxOG1CmcnnX7SIV+6p9reTZQnOwHDAqwAq1PM4RCtEsl8gTEeVb0Nybk/crkDKGRZZnsd85lsP0JF397smKybmIWGRiUYu+HJu0BkeNKRRhC494AJFb4EqatbcmphotKepsadNijj3BiETsW61+Zy0pxwmVNjhm+1qmZr1bXBSUynndtBljcTM5qu20CgnOCkJE+O3635+wI1AYpNjbQk68N1coUTBK5VNp/p1IzQD6NHqJFcePmbZY8k7W6GgGzXeNlwUp3E/pgzS7bIoWdpzsU/3oe+lXPEcVNYlGVDyrq+Ogc8sjQy8QXAolZriJu6AAx8lBF2qWYjHwkI7Ck8kESKKjaqHaeejp6VXEGoUrPLbydDsykhbLbFhW8wU2Oi/6IpBIjGotv2arzipq86mlWMMkqrDZvlbHJXs8bG4/2/9tjJEByYZ407frHRUHO8f5cObBzatnLkJUfHPrYetkL1ptpoLLLr1totzphSd+WGEBA6qPxFR1L5MMgz5qjOLf6zhoGvOdQQbXnj4WaDIiPv4iHeYu6EJAp1nqFaFt2jhnZJgWiYiOCJNb83IZe7isnfROzmOIZMvQ5xhDSzQ7gYsRX4XBuqE7qrGHtFNk2qC1a5VQOqnaKMwty7x5VjP8yJzopjottP5dD9nAcYSVg5bVJ5f47FbQPyUkMB7YV5UUit/3NfnCibR+yXfdF5n36xN+jVk9mjG6eVxXiu1JYVsyyTWw9uoSIKCEcsvBvUE3shpockKwbXZecb2+uGRmnLzF2QNVYnqlRcV1FrKkh+AQC3MacNlqthEyrQT0XzSr9ywiucdSwX57jtCoZ3ZfoJHTZd3rMpQGMoNN0nSaQJ323E4KICFqJOdaj7Ob4/AXySgzOuHtt+QFtl4dS+xmzoD5WCVeE48oP2Ewj4Vpr54Yr9DVReqle2K4zEfrMNk9RhT3LzT7LooT0HIYSxH/tXgBxrEA3/bJ9k13dsIsagiynYWgxK1E6/CYyv4uv3Gz+ZxDbKKAFlq5wfsEXEXjkUNIdJG83bKwPbZxx7Z/nbTWsOSrHWrc9lgKbXkyjGcReb/j7Y/KVfJ7BiFWRfPJSVj+1Oj31n2n40abGtIp/fROkwWP1AzMS+iRWvhyPgjZEr4Q2njB11Gf4bcJ/P7+zHifC60hfzhJtrOm3m10X5bKPd7rDqqVK1aKQNDx03HqnrSxE44ZeKWtNYc4JPVogXwP9K2F9ru7d79SrrltsydYPwXPTuOblxe0EOEoydQT1pfpyemExCjx41RvM2eeb4FYEYf0evHfxWWxj2uWhYjktj9ht5xP++lg5HJr9I31JRP8RUV8EZfyfP/tdg/FJ/BHceJYF3MUx8uI/4TDtbQk6AU++5B7Zyn5jkdOs1bVk8+C8rzupc+O2nHsThrcIzWw/1fgiYxFnlb/N3uJqdxTWfrzgsER4rS4V0VRw+VM3lY8s2Np88Nk1Mqiggwmm+rGspVbrOG+Puhk1ln6SORM2C4+DBeZ/xehmXgJ0gVG3CbKIkMM4Jd8HvRucxoN/rPPWMKSZnDHE20Io6EaPdtXKTRsI7k0tvj9iWyNRrYBcrSAYzdywiYd6+kpYo95Jg6jxuDg7tK7Jfs3Gh8FjzAOkDmjlGVr5dTVy/co5k2zSKsbPXSNSld2ddUrlErA3dPZKTu6w6M7tDgHbGMEE7dlf7z7L/76EGzHfiFhMcYB5vuOp1vUEAnUZQRuvChk4KK0DF0Ywjr4RQygL4nHv+DuW/az69kFrhuBRaqG7rxTC/NPnoFERWCPe+eCDQPUVJX8EETp2/GUst0OiuWWysSpmytfMQlEin4I0eDjf7zDr+aW5a5xjKNAyB55BGUfX1fhJHGAx0Hii5U5DbkawWjC3sisr1aSunLsGzn45SdZs2NW9YjHjvYhIyCKET1qmEqhUsJngYx971GjmieHZtrLdtdxeVBuaeoph3SuWhxuyLmFC6ki6kG1qD2ZlgDkvgYHHyGBCDfzRxU0VjHPCgHX6TQZEjC3LRwTbhTi5ecawJ/msDRlfcE4Q//05jVo5G8bZ/k3m/sYc+I47rJrX91/R0joUDpEDZ6fiUzPVIQakMK1cD6tAD1FsysFo/DOm0FChptzf8D40c53Ky19w+n4JZiQIr2ehWGlKpzQG6sTEfMC41Tz+JGt0dIxwP9fMb6U0nuB2fiJ6H0qDPYi1g7HirXW9xzHHvHyKsrqDWVgufm7I8ibpMSz/DmPXpsvFQOG/gSpTdQPDSSZgiRuwKRQMyf/tKuFiebC/e/oXiYc3x458fNDGknStkip1RimrJzZOuoDObB5K7OsbvjX4xs003/mkFUiU0mlYWDWagzZLaI6GY+lAwmXA6fSTva2K7qOICXIFNLvYdzofTZ4jqCMj4cCAY7aBS9ZbIz6QFQMy39UrU4PAbWaoW0tyU5esuUIC5TikmBv6gF2fq2fw+e9tG5FXl5hkzcnqGixFI0xiAwkf/zqRb9XZJiekyts7R+LG+eaDw7ZQwfptJzUxicKLFSYf0s2k1udpBgiU55N47ZgVwvvRhys8vLVpqutnRcyHe7FPPoAbs21SLSvofxGhgzdNYvmwN1opeQPTgQ06JyPZ1xD89Lr2UMgONLZrOaLF0d816vYj5EppG+DByzCvL0RLEzcfE3BqS+wvQJxYQDGihbPeYF0qzgP9WIi5zFzA3YATchMRQvzheX2EvQDA4kCIQGqHK+Po2Tbk+1bLhA+/JADV9NOffxcRnpeGs3mWLcrZvev/4+KO2qmdRYQ6SND6WCZPEARzbSAjA4Vjs4ZRMU41+vUodCyVBxpvzMOyLQzhvCYSefHrwaHa09a9kTq8kzdesc/5SwSubkZOiDyGwS+atqj97HTGXV4YP2U7HxifnaDfRILEWKNk1YlBukhfX/hNtpOLPdoKHhwy1KVVpfj8bT0PIrcEaLo+wghZLgSvI5tFy6yOEl5xzhOnyFIAmDreqsp9akBcJfxBJMAMmu3Ao7qoAv82fVNs0rcKZxqTr1V5T8iRtoWJHy8pPAXReI7zJElXdNOROaJLEI79XuJSywy1Ie/aDHZy1SKs9IZNnTRBqoUI8UfrY2nbFKKM7vzgm2tI8N5gH5N8Km8hc5k0df9sIBzichGOhHRszGXDs3aLqlVGaQyClxNI0nYSlEDVkzYCV+jMhfqHJ7jWKkCk5W1dWHQy4w4REoGOgXfdSinYV4GA85SA/0BHL8QfGl11OLpAe26lQpRljnrW4tarjcouK3oVSSrhr8z/ag06HNcZocPPCWVid1XscF8tSPPa/ES/KI+U2hUK8Ur/Toy21fZExJk14f6rjrVMWpAE+lh5jkt9rYH3+ScHQ/A7vzIqXwKLbi1WRlbGUXbc3DSyrhtF7+Ge75fgmsYN6rFSjCTTLm8aKB2Awx8Fp6CLK4xF1BZwBWdCVl23ALGS+uruoSF2cshw5S5Iss75DS4BCS783Rt91u5VwLlSSoMcprfCkV+Za8dD/fjlUEczx9Ncj/KMvGdCYooPZOA0C95p/dPFvbG50S8yjvHuvjwOJDgI83Ffb5FGgnktpIiovmowQ2sQ5WbWPjYkss3auwTYGpqyTEcx8SZV12dq7mnoIwT4kojtMQF8OAvvFDzdTqs5E7MXQ3RiKVFnUiPOhey0dt7ouk28VsIUihNW0p/oFxwI8HKyFyjwrH3Jg2swQuloc6TtmncWOvJGW39BgHpyTMTMcxOshaXknHciPvZf/Suz5yZjNcUPgIDfrK6QIs/v39Dv11j1jrqecRrA33oFU8UoycRS1nCOiiU2Qk/tNX9EVuNgdpoi1K1wAhaxTn8z0gpHBA2rZJXtsugl1V7bq/9PLT9SEs0we1SsOpWAbtREVqJC4N0Uck6/cBXvIUJu2Zd998GlRiRjah2gFrZGuaXRx2uY5/ukDTmFBGvgDKgkfcsdNw7fPb0xWL6FwFoIN/ztH+/oqQwMCPYFbxANF83EcI+kGe/Lj6OoG7OeZfJT7zl7H+c9GAKC8asln2YqDEz8Q6+yPtHOs4sw5XUvOSmjk+5X1fVtfwF2H4vI7lHrw1MBnJQDG+v0c9nb+Cj7bLk6nzpke0qzBf+6kk8qvvuBVVWP9rBh/EeLUail9Upb28cq4YtyNa4SoPVklGCNrkvbHXQF3OHMaq0NCtzAri4/zAF95+bQRgOc9k1cv0Siq0pNXhzAVWjRLtUrEm/Ea5vMbCFWrzTtMG3L91Jy4BQ2Nm8fy82BH42PXRc0IZlnRhzPBD3owOSUpz+hLkPJSRUVJh/7HNDSjAWeBfqavnlhBzPO9xHVkMoodicpZUJp33agGVp2h+tWF695P8pPtbX2ETz/KipRsNZCXU/LuQdbE4ceJz5TYlJMdiWX/ZuWo9JV03E6ZQejur4Qg/XPWvKQBABsGbXGr/CbWfvx+ScNfJntet9JXH7E57F5xwAf9czQiRWSv/YulGcYx2ueCtQzifHKqlqfwA5ZR+Z0GsIfrQXSMrFreFuobBeduB6qaPQfC5iH4nAYBApdvzNenqX99YB3NryWyRibvUyZpqvuMcuAOitt0pYvsV4Q/YvbmD8VQNVDOMcbd4x/pC9jv3sTaPvODuUO00JPtRU6/7kauajbOFDsqG6cI+9jbrZ4x/FXfyf13yz2sc+tn09izZwMjDwmAh6t3MDPMk2Dbk2+wBQiAQJB9LGesw5di90AHqJslIeKGeovsQTEJXBp9tmUlMjZfohC3AeI+wg7qBKgzDXKmU2Js2sbb7gw0leFpSteoUXOUBBonUu0MZ2tScBTKEg2EDMIH/bdijwvczwctdM/YXw2/lQ3MrG8QYQ3L2AelmL0Wr8ScXZxW1z8o+J2tngNh/0nm3ivodzEoLpzLJI+N17jDQmnIEQRb15otKbMmHMzUyme/26RXApdUzhoaHvr41VU6wOE9gZXccbPt4iXT5nDQFF5hTlX5QuvtDbV1tE/FX7uIR1zma7yujQbczEgepEN20O+YQNf0pAZfHRopoU7L/hwARznCg6Sv9j1N9WeUS/+fqHaufBgpPlmARJJLn/1mJNUoERGAaq5SQ5B/RqVtmyU9xUM8oXIYmIhjO4M6J1htFRW0IT85R6ms11/WCGnQ+o9lxHKz8EVWhdbyYIc3MokzkEByeOu5Rg8fPM11rKWVK8PyyOQ4JPEM2A2xbT6KPqaX1bPhsgGD4nrCNMPwseWLp14M41RfOjtElaAdem7TtNo1Z6D1wvEgWhkX6pfTU+5qS0Gs7EA0VWjUd3tE5WHu+4Au/5ncJbC7wdz/+AHlBoqp+bMnd6oSh1EsmIBj5/ZiS4QpEO7Od+nGEzIueZVjt9JfMQ3giXWU+9c3AC/WgQyVTCbMi5speZUnO5AgU1gWz5y4TOxkMtf07tf3sm5MBn/9xyyF0uG1bOpVFpAyfk934XzTP/ebSaYIDGNjXYpGDgnD1uH6gt7vOgyhOQ6SKo0lxeqDqzq5MOExC4HXn0lXP/AXUapRyauu26aJAp7yrFqblVlxtJ7gcEfISmi8yE1fXoMMFbnIRqZLaN7Q8c9rFq9HbYKsCmbB4yFUGHMMriosIS33dv58SiLZiGmvzOs3XeBJ5gO3kQ+eid+kzhc+QETvWBD8+7KFi0odIqC4B6Yt8f8SJ3BcVoh/QOsJPJnXzkVmaivWXgiB10g0PtElT4dVMLgDypESB6OYgSFn5DAhSyPCPDo9+HJUI2uZA8B01MxqB9algxqHTHuJqAWp4/oyMvj8zLzevTPSKuMQdnjx6uB0hbpiZveXDRi4n1tPnl11IP3GEVpNshtH3wC3j6fLkImEwvr6O/sDMapKditYS/nxr0zc9dsnitrzTtrRetCwhqy/TPACOV2xj8WSdh1s44/MSS9QSoUTWjzoC77bsSnBbmhzGPHy8bXFX+UyJefJqhOnZpRfp352yuQuiDzV5sv794/zliKqzu3Vc/cHBD4rzEu5RUkEedS4VLfONueINpmz1kxSFpjwKi/YhyQ6fYerrzLS3gsUVlE6xnEy11SBCFcnJdlQWPABgxy7Uw/RcJJKVOwsjIZa3JjYCUrf8vSTdAFxB62oHHyNek1IG8t9Ele7x+HLmRAEREo5fmN3fGvjaLLb997jXCYrqCRNV+ZMsi2+jvR8NYGcdd9x/5GlJOvZy8xEPcEc1V+HrrUBRGX6ngjUX/q1wS5uTHdoMIGys5ZdRggdBf5rnnOKjsSpp/k+nTZnKGEaUkCw25h4CTkTCrddHZlNzW2SEkaeZEgcR+GGaos5TNiNX6fhaKFA7QAJqfs7m+vkVo7W3ZjyIFD7GDLJQDWKeXK13LnpyxjBs1Jvb6PGDuuw0phjAJ6I1BL/c+UiaYyHXpKCYyXR2iH8arMSQmkhfz6DVaWCc6Yta6VVPY1sCwHOJX8JyM5hDCE0JHOJqRbpuE83uKd9r6eitfDBuQ4qm+/FMeJ/dp+rKM6B29oLZIIoJ35ILxAAQpeFnxXjHSHgDeUC1plLx34uHjDcENwTfG1TYdiYKAgnTm1dclWglfFmIAYj1PZDWOqJPQi7ns3sZbjOWSyF23ZoUCU4+WYIRiFDm5Srqi7rYhAwr6BrA8PPVeKoq3d9BNt0PiNLYhvtHZn3XpOBiJsfE14cApqNKoPy5vuYEZDDDhCDPLsmZo7GrO5mdfoh+NgVl3MfuIyp4W37y+Kc55asvKiPZHqg9Fu04Ckl7hzVOMzW82Mvjo3NRYZ1vr6ZQljDzfjd7MJzmZBZ8HOW5aX7qsNoc5B0+q9YwzR8EbTzqrwmZqqUD0HDn4QxOPWpGTEOdJ+NEGw22DkkzVJE/hlbYGl328NzpCvk/D8Dg4jcJ5r27bDnjh6JQWvIFxkJ+jCone/eY+irCL04+Qf3M5FO88V8IbBNyRIG8f11iRCpCXmedBAukohaLJbxLLnaQ75cim5gT3IVtsSt31LW2rlv30TeI8K++XNzYoXyZotcQ7S7CF98FmqkDO6mKuYe3tuQ91T1HfDE29XwxT2UG4TnrScHVJKPkin36YQTiY0XdzKNOEGNwi2LwsWzrhkH6lEpYhwrOQUPiZ2OqCxjgnX7xPmwTdXXau3+RduWOG3C7eNzWHz5KV00ymSRwPNaytxxfsef/4YIV5Vx7c1VsRqL8wN4OfFeavvbqGboINgXG5G3Y9i7PPIM0+PEWyhFQnB3AMJ+W6jQSilf39nkVHCnchnBPDKgkLTsdXQ8OAzPfz9v0iLHcfvJCywf4gbwLfKGOC86rpN0XKTP5Xr59CgfAgTsLwKTfV6qrJO+pAMCvdEee7YNPwFoRiDN8wv6EMC7ciAkOBstK75wEgR/Gsygny/2eJpWhc6htAH2kvXuVMo4NwH3rqK6Rox2ZBSU91tlKJI26X1TRzuDZpxnNM/FXw2Z8M9f2aPgZ8em8l9bqkgJ19VxYyMFBFGOnOelBuKOJg8yEVf9a2sAvBZ7xUObuP/i21+nD9G2z8sKo/BtmacVbntcnYVdGPugIYWWrjbCQ4pOq4bexH6myxaJkxYIErpR/+afLADwzKrZHZGumKkJNA7ClCrgg69N8BndOz26rEcZaDWj1RstYWA+73Z4geQp03xAY5Vi7m/Ed+aqkV6CJNIYirCsPEzgBGcZhV5KSq6L5j+KY/Y3IfAGR04E+8p9R5U+yFjM8Y0ubfrTZxaCt/8Sd1ggBR/7pyhVDpXDMFI/slsfE90CHI2ExQj1mQweumCnjYtLijx9x2c9kCNSv2Q52KuQcRa19H2b4NZx7OD/u4A4uB99NjINSesVvrA/EsmZDZ33kwUT/bxRwy1BuV30cQRJRTBfsbFmfF2K0suJVoeuAO06Qeg0wrIL+ROLPh6ZJAcw/kIEKpyN3txQX5NtbfVmLXD7zHz0m+Ln2nwCDVram6CzeKoUL8QiAFV8MIlrZ+bpHpffCh8w6hVZTKRmtwd2wS1NMRBuiuTKtlBNqplG/ud/8dPIPmPvbM0Ars1mlpsp5pWZB+j5tV7ZIuulIGUfXxUEIzRRSYwENnpyUmgbmIdTNk8ELTDS2CqPXPNlYZxZGwuFo5wzDyOnsLEp7smAy7ZDEomjjhkkfWUc7tE2E9ZsiGoQktD06PUPjafZOMfj0fNSY1djdnZOuhdjROT4gffAO0uxsTO8CxCZ8YZQOwqu5ug8nafUEkhA2H4qM/jAfpoeBfTWBSuRn6mzT5mUgWb/z+kaXsRxw1eP9cCK8t0hRg6yfcpUyvW20Mlfh9UOEWg0lCx/lQ8HfLKgY+zYO7UySesipizLnHtKYJBK8dEZ4IYgM2bhZRjFEtbHTfHhV2qUkzEKJ/TnKiXnmvOPQcqNjA1Po6sWy4+bUwFvVhXiqPY7nn83DbN7bhwpMp3OpdKdqSBXXv/3dZ4VziqOzM6nFbQO+Jh2NRMwZYk7/zURGxUBO28u8N7eOt94jsyqHNuAsEYu6YE9+SFpa2t3W5sgUITC8Mbw4ElyzmhWKvWOETwj9AM9Czm2QjBaxW7ioVYQcpOQp7OxyFGfhdSYwBNYBMgyFF/KzxOWd2LHNjdms8bGjhcTnX4mc0jBX3kDC/oVKVj1IQUTNzLMsJIywezjSZr3eMYZY9nJFO6AjEKHlNHr1sZdSgjjZVMo9JSf+muQka20/bgmaowLBXjhNHzPE5IRkG1YYwR/Hbie/XHtV/YPMAz6lQNfhIvYUCT/qFTN6Rx1d8LpE7n/1glXkbQqInABxzl8VVb0yl5axopt26X8nckbXFyeiHV8IZEkq/FSr7IkjDxkDa1Oov89gh576qMgq88gcoKsqYTP49hLE+QjeqyozZKhCj+6OmtVEHsQm5kYJOiPi184zOJLV1d/SQoR0yEgRIECfHRuw33SHVsZcsS8eKdq6txufCEzT3qPHmpTls1GUa5ZdLS2/tBu8nkkLrlAasCE8TAmIyxTZM0VXJzH6/ATxxxGULw72ldJwrtyipPqY2WgfTq8gKTxlYwtQUxVkYMxJxoFhqgGaRDQlQ5D3XV7dNG7PU+KIyAft4UyVC2TN/xPxismGnWKgpsohDx7aaQYYkM/VrgdXCSKL6wSIdIx10uvPFQ4kp0Zgveh3EC8CsvzpZcbOb4S29GiH/rPGydoL2PZCR/cSQxWSTPtQ8fJWdnazqRD2sec/ZViCNMXl1ETPK2Jq6EwEqtrtEErJ9Q6PQ2/lBioxjAncyVoz1yUkuGlYQdz5CyuzjhOMvJZMwAULqrVABIhsDhDiMrL1LUeoP5PkAZjMBH9xH5XxYcfxLv06q+8Um+jRsXhbYkSykTRjGkTHvnO0zNFsfAENlKDyHMJnENoFpjrSHBn05nhH5l3nfbGPnmSpNoHBtyawBnXfssHvYMH/546GCYDihLUe+gywxT5z/79BSZpVXnCfPCaC85IXFA4WwIjgFAgVcC5SDeREvBO7YvN8bPnoU3wtfQxckK3BWH157PRYg7i4yyoDDEaRR/I49Ag9tOyXzoba5Pj+zSABCoaxpBgkBZP8VQXMbSUBmtGV2FazUM+CFfAm/Uq9YrPAVksSdR6sJ6NRT7FwM6hZwXqj3y55b6gRn6QfMjIDzZVaSUzSBiuzMVZcChWbzYU9eDjYZhCmBjMCeJNkeD/c1+kVkyj9vLB6WYBEu99sO3G0xrrg6SJzngLMdH2y3m2ZLW5FA/pHbaL7o+iK4lY2gJscC+6YRtwE9vhJ+f41/ldYtH2yG9N8kpE8+0MZiQKUMWnTBL435PkSO4scOywuRpOAQwhuALMb4/aoPwlQ+OBNXVWk4A1iJoMaCtSU7INB2UiJZB/eND5pf8riMuBsDGgobHfnL4PwGG7EXCUKi+a1gMhMIZ3T80pV4xAWAHMUf0lxVl9VT+eCMZQkUnArJTWXlZRoOAICOn7gziYWlpPfELU630y92QEN7fonffIk+bxnAJJcThX6FuVoVixO6VPRWfwoVhJaPY5ZlFzmAoQYU54SbdGeHXvyrX51L4drMEyTPRAl2HDgjO+D+uWUobR8YtU3AXwyp9EkYUWSCgzB7ipU987SqeNVgMDoYEgwTS2xqGUi+mIYTSI4zDbG9Qsw3dGKqsAx8i0Q546oZrCI6hBxxBvKXSkUkTIVomxs5u0eetICSw5Nv+KFJ2gAZS20yKtp5a6opezQCagcUeEj3TDia6M/sJmIrqtwukg18PnscRFONIaBqf0A5JVU6rdruQRmAGVkOcwb1Py+GhMhQtaaAnws0UMGcvobh75CybBuHB35s2LZoUm8Aa09AOyhsVD8OdMek8TUHhuwrDfAkOYOEk/wPAARylrprLpjQuuANX1By+Qu8Zj4pnbfUjILzi0EeG6NDWnqAeEStKLTvBMuJP/U6c4WlB59PyFDp1br8BaWNK9EptlsqM+synX76Kc8a0fYEmzamag4yJvIlZTFM5ou4fekTRH/LuzfYd20v02CIsqQgpWgCvJDlhrSOgPZSq/AuDQ1P+AI+3boMuGWphJWpiuL6c19cpbv6fEh38bVte7j8jUEhzg9B+60jV1Mef05VorQ9a5FGyKIsZs7RGZjxyK0tg1XXOyrGhzH/NO8wAqNwXzoNuLptNzz9x6hNwJuHim4zWISxVn05G9+aIqmn1IQf+OmJ7DGsYHGJ8Wse5WHDBmK6dv3pHHFdVWoyIcr2N+7IY5Hz78Z8FBDon2tTrYVodr5D7MMwkRYJeR7lF11H67PYoVJbYGXzv7cjFjWBnkAiIaJlZhB4V0Tb8/upC5qE4a9t3dMyoBHzIpUSNiLWw+AVcWywiUj1FYSwnxrJINluLS1PplUHgYUL8BoNHprtqHx2XkCm3NiD1TL/IYF7hkkFDFVIFs2vgeFBvqeXo0T0dB9iYoMpzCvCjwxsR3AhpvQkCLRVw58ZtejPEabfhy2g9KGdLDZBvxLenVjr/6Tt/Z4f19rK0hvi3Nd6i7XIoTqgNakmf+ice/VyyUL2VHATu7R5X6hqQ6QT5VKuwfQWPZYsXGoLOFPzA7wXZFVJXAunra4XzeZmU6YNWVkRSCKUovxPUxaZlfajf/8rxrDdkmZeXzqflfSwSDA/lOld9ll621cKRrHKnqn18/RaP5yE3dFFKMiMH+ZSmibkidvgGpWUzr57aqMgWP/sTU96v84mpzBSUVpKchYUwEKiFARWl+qN8bJ4FESpnNJ1ipbPIVxYFbN2qqw2nX73Hxw4qT0xAAPY2DJaxEfmZcsOa1Jm5HBPaqFRyHwWLO20pjW7TPaTBFtNdUvixUcAbjMh+y7U3gFnzARtj+yHCrwrsf09/XyC8VocFUivTvi3xRJZVeMVOQiwc8IwuZ1bot9wrRYnujXr1MzyysPcouzNHUFlvp+e9k/9H4oI5fj7UyZV6CIrV1xLz/vFVPTDgMTJUXx3WUQONVjSUwv8JzeEYT+QlpYzXPgakT2mHBNhtJjz8TdA2X27igjpB14rV6gczE3hLX84bTX0O+wTh+XzHZuDtLlaUKMBCtZSBt3vMVE20BgVAbEaKfcieQSJjSMWhkQgGeGc4oJ2zOjPDa1tBfJVWEm6MZkcczPiaUFQz0C3OAXu208x7b8h0h7ALURU9BdJ95tdpRxhO4xMDldvn8+KF2g3L4tcVCn1Lc0HhlznqzxxfTgGif8GsqE2pfQfgviiDGsZdKNU2wi75a3t8dbcaENpYQ+ua3eEFY/G5/J4C4vNtUPXGXHl9WIWUG/X8VFoGrok/zYdwDuUQCaQlTIOKMsn06vkNT1rLjiGrFBKICnv6ccF0G3jdf4StfsSUjV88EmKgiSU47uqn5oGsW9mW4qaLYAa57SqYDJFzGEVN1PlXOBDyobSxt56e3wPGLxuaFHxyN3GpbcG+CEKFUyQxvysuRbYIWCaZuqYKHQYxPIDFUiA8vzcKAqWJC2iWJKt3vb6ekUPpBZ3K7F2JyNH1IWyFFe4S1eq6E57iwN8NegVaT0dos7VqvCdSONZ5hw59wgT/fDMMGXC89mLMNSwcJCkThaMyPz5YfJD7CsLExhu152qxv5Zkl8f3JCnwDTRtcdkdf481EQnrQz3wK1ewxugJKTiJmhwm8nU4HBhPVJKapnAWYpYe0AFwikcg8KlJLikNl4P0Zoh2hLwiXM6O6AEEuTdujcA381olL6g2DB4vLCiDwM7hvCMgHdV45pr8lcRnZXY9go6HULDzxPA7NHDcwThsQYDJQlOXsjlE9hgFmnYNsDDSotCVNwnEpQFwgC7XLe4J4ird75PDVmOSxLduyw48q+mPfR8u59OHzwV/KPUG9pMThGwyxGNn8RZcmwqncrxI4qMNe219udFjBhYVRyZmiGDipdI6ddUbQX/hZTrX38r92dGZqsr6EQ6E0Cin9V0cJBpBWEWPuZp5sYHJlzEwlgf1iogyQQ59wByWtQE6VUqo4OPau9plu0du4porUkgSSiH0sJMDw7E5AvaEFk2eon9rnnHWh/+F+XN5HB7WTYCvpHCU01LdujZjaBBsmEHQP8JSUzo3+eNA++DGqRguPXV3kgcvJOUHbxiXEyxLkxXtOx6kBCzlzmegrOVRf2ymTy2xTeQ1j9wSu5Ca6fIkyA6dhGmqfEcL51sQR6XIRWw3frif+l1Wo/xrXB32M1+LQANekZ4b0hGu0VxQmpVFZuUSXKKq+Yy+2pF9SR5rvx36YEjC+MfnkEtSFqgv9A0sy7TP81REfZ6Bnwmq/tY3FuxqVeL9MMJsU3gEzARxP+EvKM8wBmb+hrj39DyQCPlN+9nTIM2WTkvnGAqWoUMJ1WxikCqlwzKdk/ks6FSO++vU7jjHRqmO5C1ufU7F2CMEIxSBxPKNaZovH7z8TRYV952kx43Wi4uu8HGUeXWes2NQYbBqupmQQM75WY4iG5+b1uDDf4j6TAx3cBV5TK4tPXp7NmRoidvfy2E1Fqh4lF9E6mFmtTXjeJzKS5YWlibHcHHhnGKpgJzEh0LbdicU7+7V2Gzn9eDuVXxd0WLbsUOKHglxZ9iPU+aGU9xn5Dt8GvMuWbjNwJazi2Yu9nQ7KgAIah7b3qfxLtGviDD0xjVTP3y/86g6maEGYUhnQnR5vm77Y0E3XCC24UQ2L9cViXzunTIe3ApVFYFzNZkgvyvHYLrWgrd6xewEBf4zDFTC/xMYCqAPSHhwvaQUncmwn52ozKyHe4nT8An+pNa7RaiufG9sQvIdIyuPHvq1pyVlTmGHmwTmI8Z9tVoD3Gt4cOpKAMkS5T0J0B23STQnoXH2CcMWY5saZThn1JGHVRUr5XI9ZFeGU0wl+gQZTHT6TzQlI7QS+VoTHXG6XftIfs83mmR4SjVHs+LbRQ+MrE97a+GcKH8dg2EuNxasWRoihhLZUKC/FCu/gQ5OwYt2IovH/skd9adMkMme3ntKixu1qK14lwDG45ZrIbxSJNI2UOcn3+APwgs3kx2BMf2uNLalOa6JChbVKTLYfP2eDNMT1SArcStsVwfx1ppypBTzv+T6NTpmihA1QI0ukcj0KBHTMozjamP4+1qcQGRmKpCESkrHC+rm3+51kNfdHY4jItycJDONukQeTxMxHQa92/rQwOKybIb1Cxda7xjg5iLBDTes1hzlFxynkYCZCmzlg0D4K3awW1PPxDaG3WA/sTTHsAkdz8CQG1xJnIJlrC5BSBRdb/4DlQ6SaozzPGppxDaAEzNZBX2XIXZH7SUcyOyBQ+aVlLlkUwOYUS26fJ2CGB+e3faqbxbLhcn8aDDDiM6kDDxakNhszanr0A1HQklyjT0XyJ/lE94wEOtkVew3UcWhPaGqZWSRiGiu+tRnurKFz1+IrS8JpIH1WsBR7WaayhBDa4PbNXKwWj0ZkOnUIlxkNvU5kuQnbf1aV7X3TC5b4pQAZijivRZQ6/KhiFYm30XKSPXI+2xc8+50xQ/DMkUJpwT7nFwUqIc6vCWv9kboe8VdqRp2+NUoZu87xOOseBvMPqZA9Umg1YPzXR7xzDMATTTCofqYYnfhb9lfP2/2Tp4GW/UkVBk1TcDkGkq5Yh0WJgiHLnsHuJq8xfCYVqao20x0g1wkWE7u+g0T2j7HYrEPS2nV17pY5mUBJ4pEqCCBQQb7eS07kwOFVyE6FmHY0mfcH2JA0AhVbtjQ665aP35dtogy1LTpfcSDQJmjHodWfPSF62yUzG1k6YWKz4AKlzrNaIUnqubEyEk+jkDH2oFX9vcIzy+P9x68ldzS5wYUklMp1QjRM0G8y1ju+QjiV6luALPSkLOGzuWlp+M+pvDuNySGiWz5Mx9uw8+Vdq3rmP2ikTfoA6QSwd/jdrAfkAXX2Bs7IVnFSzGbXKNaIYPdG0oKJbVW/y22UqAIZh2xW3k3LzmMzsd7IlLtEYm25T0Rd616JdexOuo7wK3HXSzVTzFabmnQ38hZpd2fJu1PVIdjns44aQIZxWcExA7XPlZ549YKnoNt9vWRVUXP0qq3KKhEX538HnyI+Ow0JDPbaFVPjdWr4YJuQ/vzevpYOrO5EvslI+8gclgK9crcdcnCvWIFh32v/12p7XTLeHb5WEk9/jftkTqFdpwXkpgngE89hgNDKKI2oRvc5/YXydYlx2R5vB5tSrsxVuA9Y6k/F/4yXgvDxedWZkU2xHO8Gl2xw5nZanbb+3vHSilhP/B8bQxFk+uvTgbqUkdBSCZWPmxw7cegUwGqBS/RNiTp1TgV600dAxTHiG4OziprVfv+5xmOTyt4b7KFXcfT6I+6aaAsB8213mEg6UJTM/kMhVMHDL3ddw3QfdUvEBgvOGxO8lwuQ2X49ppA6DLuLjbt9gJHDDTYrLUOFv5z9bxTfg6D0lECpLVQxmsxxiEDppIouvCyGQn75T6CWwJFS4H/r6Vkz10uuQgg1I3cmr3QzUiPBWPsp3QT3CoMQKE/UsehWEtLF2qg0W4RUblx+rvpka38D2BnDyTjB3ANsF3t1b+TBtfNumu3NF7X9fq2Hj2Tk056W9VtnEvI3lSqdP0zggy27x7CzXa9OpQe/GOSOTOmxFmPO83/8D+4vfBhMI461uozD1MZ6KUnQEs8QtHbiS9IbJmviU0hpRD5gRVr2nUz+uFtvZs9O92PmxF2YmusBj6Ewg7T+tQHc9KFlBK+mgvYep9mGNefrdBahzwF1nPhKQIom21zXGzTmTNq4EjqYBwbT769hYvcfacDNbLqlQTP5X4OkC2/bd1sGeNWKs89y6yMt9LEIOsEJXYOXwKkr0WauvNOVz+WtCc53aZDeurnlX/50D8nChzj9WPeEUBgd7zylhmPp1YuNuEqNzLrONv4qVL2vUPH0kVeFsxOS2ImdBN8IriwX2mgS4uQAbGhh26kfuBmeBgtIpyJaqRL5zalZo4u0vYJQopGiYzmihaHHQld8LJBLsqykCDFPEi9WUJP7uuQVWHBNvuMKnnaKmhHz4dJx4PZU+S8ZtGuQRnNfxssy6A/e1/dTk8QK5qaEJ6ldr3XsmdXjCtk3YivtfmLgddNfdA/9Kj2yu++B/XnRBMmr6O5ay3z+8d3hO5xsCdK1/lTEpxAQs01GId5jx86lY7Pk+hBMyJez+Cl8540mOM8BbVCzEOvjqCW/saVTM/SMuluYcE5fDtAUcu990sydO52M142ooJPrYrIrgKdEXAU85H0/py/fx5eWpl6+4Gb0BZztRCar4vfG/RBc2IDMBhNWmbjUvAI/IwXrQiCFp+j2nBGWJ5NoSUiMsCkZWjNX+tIEp1+kjRQyRfavMRKljxiOgN+Ou/R8+6dDSXYTQGWVDUYQrFolaOZ4cR0pf9ppsIVgW9gyo2YmzVu6g3eVaYPrH31U+fkAf4qREwQdsQDoVJCgEw9QP9l70tdYjXHNAEqKEOKYMYPM7O3/HxNVFWcwGH0z+2Idyj694INtv0WpKQ2RSFK1UixR2UUHXKmZimw4YD+C1A7t9M0Ttypu+i80l6N3sHClR3PatkYIcmF7BB38wzrlZvAYAf7TSKO8j0loM8dty+KbV4y726s6n9YGQLKTgk1wZ46w1ykUmsKDt8B1KGN8KWU5yFJz3FQrt30hzHQMEKDq2+EbiDzGqi9uIxTAegVAkSkMnzW7U14rjizD/a4mgWfroNWZmTvw2MktT+3ZrxHTlFRmCXJqLKPMumyS1pDHWDyJmuhOBDrnKkF3EvM0Omq1udMnKDDqz9ntUhozXQpcTJxzPmy3kOXQfGdaEcx4mzZoVRTaFEbA3H/KpPZhbhrtaG14aQCMFDHLqW58lomP7gUw8x8DeZLvdooxqa0pjkqJN57c6RD+yHdDSRh5I1MGHObD3MNaizvsBeVzpFr5baBPj/Tw6VQ3xgmbrlS4mpWuLdTPnqxeyEHal6+aHreh9tgfjOqLnMqJm4xtxZSxYiMEQqBgi7xIqlcHD4MSY8s3S924ztBM4dvr0RHw8gGVs9grRdpf+c7V5+IL5XdjXLRPE1jvXnLfLgHIZxwCvQnOxT3lyS8Uj0tHTnw9w1hMxCuRiRrW/PeCHLsIkVdPlTkTIL38Mab+dzaKuLr28eprfjZpCBs+y7Gx4o8tybjUCs7rivfIQAuFRTIobxtAzYnBmjvREMy1EL+jgX6jcP8iTaC7l7fJ8GemRbrYHmWVM9MBYa+pI+gCOoscb3woyRuwwwMrrUSpZ34Jte1e57e1UEuL8v3ycdsbhgyrSFJWJMlaIKhkBjKCPnIs/EKZ1taJYFHYMy1Vs9u/Xl6vOyMZEnQW3IqUnoLA0k81GeH0Y4CPetKiQb/eWCjhfYNm1O1diJxitOXY1yIMoLrV7/rKcgWDzRoseOHxJ8Q/PwLSOwTw/Fq0d01NKmruzzK5LiDqKxjtarPie2fkwyg4RJHm8D8TdkjtbKIR4WY6xTJB7sbsNYGnwL/ANb1b+L0cAbYheM9VPxyNIuYXyESw4RmjsC6hcbJRady2OYAbPTlPGWEl1GFcRBCYNX/ujwiGyOHDKs4BxmO11V/7jEn4ThCpXKPYPmUyM9muUJrTJMo0kaap4zzafFueifbsL3QsMZXZVaBWcwoiKKEKG6slJipAKGWVL02S+HZMFBchKaEmJvD61S6t7/RSVCBeaHEkbm+RqpUa83KVXFZVDlsPb/OFjCl5P4yXrHwsunqZP8SUb7xr9TbEJVy0Mec0HzsfxSOeP62n660H/DhBWS53hfvyN9nRI1z6fcf/jPiK6o5ME5fa2hYjkgGumQFEFUqfhZox8UFfxYApzVMfib8/KQTyfR24kzTTJtxrLBz7h8BP4xjpq8P+bkdVpp5ydyWY7DvIpDm9CgebegJ2W16BTGJSLefeHbf6gAon9uHO/Sy0p/bMoPz49jS9xZP2gOpH4c48yfuOEVPRCNlJvE6/qEnCdzscVIxPfggdGNFnNeCEp3kgDlyCbgAi9khZGEh3y/Ndpx4IdBpORTJX86xYs46jcN9kjVke1qpNAgHhm1Aycfh7N0iP2Z77kMU0PazvD6io4ChmFaJBdagBgemXN6dKP40+Z1xrpe0N+mJwDsxeVeQKc5oJrpWRwmy/LhDBSQW66ZuVdCELxS2/wuQueaq8I5T/DByP2RTrsEtR1M1N2KoqCgf6YS+VHXOcvGg72tKQzMDgNtutkEbS07f6A8PdT4dq6+eXZDbZElom1Q//cJE6vmGLXv3popa74ag0Oy2Z7ih4rPus/we2XykbsqM/XPjy76RRr7ig5VDxcMVn5jPQq5IabfFzJCZbFtX5+dF/HWvTZzZaX6qanMVCvGoiIH7UGjcO3wzbPMmkYF1Vsw+fthgbLL6FtcyO7NXY40iA4dMr84/7Gfw662278YUbrGvaiSgKLniVDV/vMZPNHvjs/jQQI4hHET6B0XRb0jqyUm8S8j3MbgKAqSfhN2h9Oo+APuxuaINb0GBatqLFZRQh5czZnGb4rO7rgkb9CYvTLhhaohTqZSVYO8dv8nWKwrlghCCKs4ISeFX3RnJqNNKgfv/3cjW2rTOtoPiJ1IifdY1W7ZCBO8X4cL3c4x3Vu8IWLr+3ZTFEi7VcUrOE91fBhmVKg723WoZ7piqTZJlWYZcMnuXJQNt5i+3y8Kp53Fz6+UpXOYYPpMqXJUPjCGD8dMapb9g3g5a1K1FtwWqVRndGY8x63pFw/C6KkIAk5N2ordqOSRCfVFAeRLMDrmDRtThVsJwNGFDJWnNV9SE94hFyIffHxevOZb+ctdjva7Ub923h8N5zuRz3mxLsBj5/SXka0Pl0dTAxW09jJN801ew/IjW4Ao3j8Oas4rOaxz6KASEXFXLlqFE6yBOXV6ehfwbwVACKQV/E0mgrgBTAz3KkVb09Wy9zQr4wjRluN7Qe3PZsAMCaSqo1fLfxqfVkjClcwBG+CXrj1t4TRMluF1rcBtgKpEdDpX6MzeTIPvxxpLEbAuDI9b7jOzvZsIvGNiANYHnmTCr8bRveOD9jXuXLjVsrS+E/jsOWcdyoeQeuAFuG6dIevbMjUgb2FRQ+ApHZoD3+0A445BZ52wSQsriaORZmjg0HvinuOufzkozWN6q09KL6sYP4i5aFUPAPJXeR9nW59QXyhP9Zgj4JENHdyCpmGfHFzTXhQhoVj9Ekptn/i25culoKJS2uE3dK/ZuCC4VoA86eFT3uqzsId+1QhHICJFXqeW4VBbLiUqFN0x/Hui/EJ6YfYyU3uB79DfNooGsll0MzgFfNSEfbgXZ/nFLGuAt+rkr5V7XEU4XK7oABtRTMko1sXhbI/I4UvnqeqWU6YyhaBs/xNPRVP/6kvfbkNFulUYc4olAXYcb41g0jRFh2NuV8JKkmlq7rcSPVPgMtTdtBq9kZvyOZqhui9REPSQVPS0qjHY46qEhT1auUMy/J35GbqgY0lK9TclLGTUpRSeRe9EJwDoa9GmMTPFlehIGG5eun2FdPYduHpd3dt0f69VU9ESZVgnJBwPFjLEpvyItmZMFj814MBxhl9PHEFlcA5WlodDyyVzaBgZ+Wh7macOCpxDusJgPYKyspYIsPHC3LgMeFeAkq7I2ojIHMFYoeqmTmeTUIxQGEEnvwTlqa4owDkw9a9mU1rVdRvzcoqmt3wc7LGxtzNbnXvEV3iCIPKZB3dgblds4kXk6ecosbg3oa4hzQkqr/GUzw1771TQ9Zdry94Fh5BTgaVntTQ8Bqq/c2fcN5/DV295cNouJRSOrZEUhCte0VSS7NxwTsfpraRN5u03RyxCWQlYlywiszC+BVrKqRu2d1k7PbN1LKYVxbcXHnpXZcFyVtqS2Yz6FOxLADwIITikm0DdKAjBp0WbmzzofGZvJH8p7lgChWYCdeTD4OYyb60deSuwj6/RRcHVSnudGYI1nt4mFtxlEcm+nUpDd9DxG7utLPnOb96o0chhB/kHZM+k=,iv:0prgLyIPSKVoviyh0e6//9CBc+Isfx49gCbtsymfEzM=,tag:0rqTV+3O3fzr+8wr6WD1fg==,type:str]",
+						"deletion_time": "",
+						"destroyed": "ENC[AES256_GCM,data:U1UxK3s=,iv:sWb0MO5GUTuoPF+mkSiKBW8EHTnW9ZFheRI7fD36zKY=,tag:bA62PRaD2SlkmSTI7OrDrQ==,type:bool]",
+						"id": "ENC[AES256_GCM,data:kswQhttYXUA8t1dZ/+vCbqYMKgE=,iv:2LYsSkysLvT+rKAi/zQ96x76G5jnAr4BcjdPrEJ2dEg=,tag:wrn7GiGdyCH8gduFfoYUkQ==,type:str]",
+						"mount": "ENC[AES256_GCM,data:KMrWokFm,iv:vALr/HMzrheyXdfOT4pJX/znwJt31gTP5S/FOU3Rfy0=,tag:9+ITbPnGZ0K8J5cVQfg8hw==,type:str]",
+						"name": "ENC[AES256_GCM,data:+aae/ljmKxs=,iv:LojgpavHn6N2b5jsozQXKZ6u5lgtRVQfl4YmUlSS2vY=,tag:tTnpVn/uiOWwYwA/Im678w==,type:str]",
+						"namespace": null,
+						"path": "ENC[AES256_GCM,data:Oq9+tt+MyHYCNWD5igwoXbzX/qI=,iv:rAY8TEMVZ9XoN6IjEYdXAzuuBeJ+FF/X1c5OEugFZsw=,tag:AcbsJDEK1XBOLC7kaQhjXA==,type:str]",
+						"version": "ENC[AES256_GCM,data:wF0=,iv:al0ekFv0CuxQT+q0/vSdvb5IFFO1IOUzPR6SvaRoqDM=,tag:J36XhWAsVl5tcMsBf7Q/oA==,type:float]"
+					},
+					"sensitive_attributes": [
+						[
+							{
+								"type": "ENC[AES256_GCM,data:nKDzbejibH4=,iv:glnWaKPULMBprNZuCLZBFJHNLBAIylFDaeo5yjUsVSA=,tag:OwWY42koeEdVvrih6Thn8Q==,type:str]",
+								"value": "ENC[AES256_GCM,data:KT/HbQ==,iv:k4pYznDQTZtyCJvFGfnf3oY7jTXgzpn+k1Z+PE2jeDI=,tag:oZTzohamlLEIZZzn2kz6lw==,type:str]"
+							}
+						],
+						[
+							{
+								"type": "ENC[AES256_GCM,data:VwBLtP+jmtI=,iv:RhjhiDX/hFpas56fKuwtD4RZ5RpwUWHpf6ruxnFT9qc=,tag:TD0RhXJwfeWQ8vbIUNHHIA==,type:str]",
+								"value": "ENC[AES256_GCM,data:JrSJZlT5CeHQ,iv:oR4WUZZIZIhanxCTR9iVUXuXwUMXrUI7zSxeBlEPKdU=,tag:d6KDCJlz3e7RfuzjOQXgtg==,type:str]"
+							}
+						]
+					],
+					"identity_schema_version": "ENC[AES256_GCM,data:eQ==,iv:z4CQXF3UF8MvC8J5hfpFsGB5+7eqk4Hg5WJ9Y2MqGng=,tag:ozuA/qomv9yujcNMbCIMag==,type:float]"
+				}
+			]
+		},
+		{
+			"mode": "ENC[AES256_GCM,data:JMRd23eRUg==,iv:Hkcz0ERtmeFllI1LtoRBNOQbPPfYHJ6LNVDdPJAsgu8=,tag:1dn5N2iZGok3vzcI4uMY6A==,type:str]",
+			"type": "ENC[AES256_GCM,data:oO0k1LDJSH26ooTX,iv:VdVYc/YrCBTWXt94MNo+xlyO4YTw+hXias8JpBAZ5aE=,tag:sRtAnclaZ/7E7DAvTNq4kA==,type:str]",
+			"name": "ENC[AES256_GCM,data:53YfDQOhWLElzpS5imfEfA==,iv:FRhdEmET72SyebK7myYrvtyBzmBIw9JvFYM32uC/Xb4=,tag:dLx4e8QnafPEJCw0qxQAKw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:us1uLvv0JPbCtwGLuDh4aORkEvL4Ds3tfELZOQ0Rf5U2N2+WO/36Z6Td9VqAR49h,iv:Svp+HFKxTynrBqRgwh90t0LOYsuTTqRmvSLnpZwh6K4=,tag:uhTD73TfM8Ba1eUhtHOxuA==,type:str]",
+			"instances": [
+				{
+					"schema_version": "ENC[AES256_GCM,data:pQ==,iv:IXe+ib7hZSp05izwAd9ZaWGdajG0qRMESmA5zXgaLpE=,tag:71AZJfFmLmVOiGyDCiWVkA==,type:float]",
+					"attributes": {
+						"atomic": "ENC[AES256_GCM,data:Uxpc1Q==,iv:WimiJh3LKRrgSCoHoHM5u2XgarMGHVfLQncQzCzrteE=,tag:mDNGpW4cDsv0JY7W4pwpYw==,type:bool]",
+						"chart": "ENC[AES256_GCM,data:sdWx4RspAR3QJwtxTliQ6Q==,iv:xTgshN1n4vsnWozkwCq+9Jh5JqDF1dT5d27eEK7QL74=,tag:pYi4vE9xOSC3PjkVdlHhxQ==,type:str]",
+						"cleanup_on_fail": "ENC[AES256_GCM,data:DHVQTjo=,iv:aHlsj2IF+e1U71z/7mZS+jlaHAL3vfiUt2ac1QORj9Y=,tag:iJLDwNsAqlBaUEGQDS7ETg==,type:bool]",
+						"create_namespace": "ENC[AES256_GCM,data:aQkY850=,iv:yPbKxbk6DU+LC8g3GZUkI8wcpM89UBK5V9tcsdH/W/8=,tag:t6G85Bs+LuYucBrvciHpLg==,type:bool]",
+						"dependency_update": "ENC[AES256_GCM,data:PSsseUY=,iv:nNbiPvNy/i3t6CbwN7PELimf+E3Q2E0oRFMGkDWqijU=,tag:XjvwSwBwB6pCqCkntORpZg==,type:bool]",
 						"description": null,
 						"devel": null,
-						"disable_crd_hooks": "ENC[AES256_GCM,data:zv6ck3Y=,iv:RyCG0aYXUUOQEUG2VoCaZlUrcV4RlNh6yWwwjt222qU=,tag:O4n1mTLWXiCGtgpZO7bx1w==,type:bool]",
-						"disable_openapi_validation": "ENC[AES256_GCM,data:R1sv08Q=,iv:vXyA9FDkviOlx9BahCT+saZrFuIVbyDskhTNxGklAzo=,tag:5UDiJgW6AlOFO8v960cc+Q==,type:bool]",
-						"disable_webhooks": "ENC[AES256_GCM,data:oQ4ytk4=,iv:ugpzYgx6jrN2AdmbH+KIS5fBC7F6Y0jdqCqpkAHVxeg=,tag:X91vQzUJuTZ+pfs2nAHr8g==,type:bool]",
-						"force_update": "ENC[AES256_GCM,data:8SAP+0k=,iv:fMsBlKrn4Oij9vT4mKalMNyvqNPhxN+TOBHiZXUA1ms=,tag:FOgd7Hap7fULzGqjH6qCtA==,type:bool]",
-						"id": "ENC[AES256_GCM,data:zSf3Q+p18zavAmJ+W7guMA==,iv:wlmIVVmDvxje9MpDuIIGnIZrI8uuXaPhpl4mPTSGTpA=,tag:vgsLh1fiNXONBWz81FyZ7g==,type:str]",
+						"disable_crd_hooks": "ENC[AES256_GCM,data:hQb3028=,iv:NOklygBCfmCbLb1Q9vzWMNl5YMF6pSo+1v7lBQtX/pk=,tag:zDab/pJ/jDJacnXCfJETWw==,type:bool]",
+						"disable_openapi_validation": "ENC[AES256_GCM,data:74ynCmU=,iv:4D6MBLBjMYlXzKf1OrskCyR33BflvRU4xp+cmXvNwHQ=,tag:7Et6g5Lu3XYUu/gzEAk1Xw==,type:bool]",
+						"disable_webhooks": "ENC[AES256_GCM,data:O0p5en0=,iv:Vxvw2FrB4l/yKoXR6IMFRX1KbhF63ZKdD8WngDx2r78=,tag:c2sd/pxDp6K9hlh+hyXAXg==,type:bool]",
+						"force_update": "ENC[AES256_GCM,data:eZmzKY0=,iv:h8DtTcQy+ulPNq4jifOJVs+N1YPh03GJev7ZEwTJw+I=,tag:ZwZycn9Q2HauagKtx4tKcw==,type:bool]",
+						"id": "ENC[AES256_GCM,data:PnvPWiADm/npFZm2FniMYA==,iv:7GzHMNDZTP0yURF11CTVzPOwVWlgDJ+4v+VHDlrgY10=,tag:bO1iHwqemHW9Hi+eGfyHjQ==,type:str]",
 						"keyring": null,
-						"lint": "ENC[AES256_GCM,data:x3GuyO8=,iv:MVLG1M4hRyK6x5yk3gdiJ8bgl5fif4dfSnNGEQ1t3nY=,tag:ECpFunclFWqPM0V0Y+ddVA==,type:bool]",
+						"lint": "ENC[AES256_GCM,data:sNm+Xk4=,iv:PRE4skv+7XH1tjAVBPD4mD4uBiuE+c2bGHWI5Zuu20A=,tag:K0dQOuECGSJCSPWDyH27yw==,type:bool]",
 						"manifest": null,
-						"max_history": "ENC[AES256_GCM,data:Gw==,iv:qW9FX4eWrFXGVi2i0Y4DDD7KyoE8fz+S3cLgV/LQ19k=,tag:WhaEv24DWW74eJAHWxeLsA==,type:float]",
+						"max_history": "ENC[AES256_GCM,data:Kg==,iv:JfPJGKsRSzwXJDtrXbGhtGjUIkN/7TewLsoJoihhgXM=,tag:pyzscf7A9rz0oZfG5RHr/Q==,type:float]",
 						"metadata": {
-							"app_version": "ENC[AES256_GCM,data:T/8I0laBIg==,iv:9hhlWoJpZopCAorKQ4Ma4m9BkskmPIyAN0jZZ96F7mY=,tag:P0J7NtaMDRDRp5pCs5zlbw==,type:str]",
-							"chart": "ENC[AES256_GCM,data:j8Yd1GLX1z+Vh8qonFVU0w==,iv:si85/nQa8c8Tw1/7CGRv5bAwdkH0Q4gtAMWi4b7h5Hs=,tag:IJewJ6UMtl2cZEksMH2Xzg==,type:str]",
-							"first_deployed": "ENC[AES256_GCM,data:+fzBS8GKrCRk6A==,iv:LsyVSlzZSWvOARsL1pgx3+sq1boSj86uLWRD3MAvgF4=,tag:1TLqTEqzDHa0HH5Hrdq6Ww==,type:float]",
-							"last_deployed": "ENC[AES256_GCM,data:gG+CLEckl+Ab7Q==,iv:KzyuT9CliriHjdaleBp/Vee4BUCWJbgXYJ7LxAuSiXY=,tag:gagUWBz1QclyPjvRt50iXA==,type:float]",
-							"name": "ENC[AES256_GCM,data:TseIykoHx4EfRCEcjE8Btw==,iv:S+WOaOWEBLZoWURpmrNTCRXRcmlnlihnTLmxO5zyjz4=,tag:sMAXnDKATPM89ShCAUHoAQ==,type:str]",
-							"namespace": "ENC[AES256_GCM,data:2dm353/1PnxX1RieMqT9QA==,iv:hgA+R2oI01IXiJMxhuWx/vIpQpVVUk4BQURCSLypHYs=,tag:OPI6z7CeBL85p2bcfUR2uQ==,type:str]",
-							"notes": "ENC[AES256_GCM,data:1hs79E8PR/2Tf2IaT9RT4HTvyRQ7VVeXUMRgapo27tXoGKfkYD7wmbU0k9MNIWJ0rVTBkbPzWtuRQMDBHwaHDlzSI8bZvUAGqIaFJIfdPLF4+yIbQ951vwNoLfPtn7oBEQJogDBwe0Ox7Mb3d1UyqQqyxsBxnO+yaVsy6SUYgr35wJUQ66HbRJHPQpPcgdiBl4j/Lrk691nX8WdszLJ7qsPUu+62cExSD1j/9HTA9/A0hiOA14hldUVmvp0h/3g7bD6kJ/mVtqPHTnj1RmgM3FutpDU8CCjoMdWXcIfOhPdXZo2U05WefAioCGXNLpDc4aNkpfF75x+ihGKCB6Bw2oOo7MyK4dmCBYt8IoI3I4PJhpfibKPuZNvBhtIizhgB2M62gNM6wsiW3FWBGeg9cseN6lmWwC1V4eOBdtB2TNOUS467H8BXfxJfbuphDbJKb4CzcSeXsoE3gBe1pA58/IQ3CUOvYZNxmC7Xzum+f2v4ec36w0Hf421++j9C51Lq0JKNPrI6F/J/qNoIAJbgtEb3BWk=,iv:chABbDo5Gh1QhzZAFhGwGLeMBk/Jkmk9CJMrc0xY7GY=,tag:OoD7wrJTy0CZBOVFUuYpJg==,type:str]",
-							"revision": "ENC[AES256_GCM,data:Tw==,iv:7neoxWJrAygIad/0Yu2jVqmoBTIDCUxviJf+N1pDDlU=,tag:6OoN32xLA8rpzOPJf2zekQ==,type:float]",
-							"values": "ENC[AES256_GCM,data:NFAZNDr1eptktp/nBIbQ9nAf9iw=,iv:yFFT+JazhB/IpuvrKiT1MZ4yNllVp6vd/713aYayrNQ=,tag:mh2SOKhUKdDBXHn3Ms5bbg==,type:str]",
-							"version": "ENC[AES256_GCM,data:bfmVJ5Ky,iv:Af8+jGtb5ok3ftazk49Sfph6w2TTtFq0RoV2emq+cPs=,tag:71mIUwuMqFXNFyRMsrNZsQ==,type:str]"
+							"app_version": "ENC[AES256_GCM,data:IqpVhbWo,iv:zScAvLbLTUJTpf1jceT2goOfFiztj0kk6PMlhuVsrFs=,tag:ZbgYZ8MjICYuNQ/MoexD4A==,type:str]",
+							"chart": "ENC[AES256_GCM,data:74Gtte4DVTffcsVCIBiRyQ==,iv:Fra2XqXf62rvHIqTDxY/4fLzbbwBAP6gMKUDk9/9bLE=,tag:fmyEwl74b9QlVYOHKQr7cQ==,type:str]",
+							"first_deployed": "ENC[AES256_GCM,data:afC+P656QBq1KA==,iv:WAj0JGekpeXVJL3UgfVgHH7pSiNAcjOwqhhI4mHigLY=,tag:YSxUpRtj239Bi1KV2duGFQ==,type:float]",
+							"last_deployed": "ENC[AES256_GCM,data:d9hT3yM0WPn/Yw==,iv:rj7znwu7hRrZw61KL7MHvJOSDdqeZLYrHAfAf5zLwRY=,tag:RRmdLxpa1qwUCEweVEGkvQ==,type:float]",
+							"name": "ENC[AES256_GCM,data:pNnpIYI+zXddhgy0SX5bJg==,iv:P5CZeYf785aCLj5gG1/CIgVH8c6gWuNz5+tsX1o4gYE=,tag:SJPgyV+EUNeV4zxqIGIIOw==,type:str]",
+							"namespace": "ENC[AES256_GCM,data:tgw0KFh+2JLTlE8P+OJ+Fw==,iv:rDwxOEKrH8vzwL/orKucb6Cr4nb2jghO7Yt3212Rxgk=,tag:KQCmOh/yzcbXJWpwu/IwOg==,type:str]",
+							"notes": "ENC[AES256_GCM,data:jXbyfcht7tOPRL42RWMM3mLf1m/LqYYuJcG/c4pEZlyn5DvoUJrugHxdZjIUQKxkqLAndWyNq1LP161GwBKXxTTNBSikzNxlzwV+0sEdq2Sq2IeBUB8DJpA4wqBSLbOB46HtzIYzCHWsRFyaMbEI5vpeWz0NlR5poBDFGrg2xVC0IFV1A0nmlB/bFCqBcHUZS7GYLwlwPEyJR0KDjs8AZhGmBaf+OnjK/fuA4wa3VmALieBS8yt23zrHar0h+2goxSjnDPopKTHM2bpf6cI+D4zoFL3PKSxYLfP9zGD+r67BV0LsxiN9mieUHWY38OVykY1JSmEhyr52Num7gUYjcNQ9+YuLYP1sYbvXrYYiz49QkLYEtHwGexqB5hbVYkjvZ+E4YA7YYzmJqxDplMpoKdf5x6Y/i1ugBxySrhVu8bCiMLUzIlVhBkX6QsXByXNyNgBrJ0VEgnX/6SWfoHxy/+66CXQB4LrsqkUiFkp4bDNXz3BYOyT66Go8qYvQtLToy05f6F1J+XxoLKaV7s7YhRsi+IQ=,iv:ZbWjv3XDa0vkXFvmNEtZK1JprjQqfep7Gu7PWezXEjE=,tag:UK+5v8yz7Kbq1zG0x+gfzQ==,type:str]",
+							"revision": "ENC[AES256_GCM,data:6q0=,iv:XCUxjuAjuQtG99KhgkJG6ncLu8xVIR918uAMOBysOkY=,tag:LDDIu+84x93KCwQQBlfh0g==,type:float]",
+							"values": "ENC[AES256_GCM,data:qpK9ONbfCV+E6QbUYhEkVwu26IE=,iv:TKI+RbV1LC6TRUSlgc8X+pVMmCiUHCpHIpHh/8qQqgc=,tag:Tw1aFJAEHJ5cJ9IL33yofA==,type:str]",
+							"version": "ENC[AES256_GCM,data:xDMHir8=,iv:rDhqZ9Vfm4+1r9/0EVKRPx5cfihQiZs1fwLFUYundOA=,tag:X5EztOQn/QVSBAjkAKpOxw==,type:str]"
 						},
-						"name": "ENC[AES256_GCM,data:EwXjBodQ9KHqD5JpEFeECA==,iv:dWcDwwoEkWgdvpIJYVg7IG3S5boa2XjTX7Uw+Ekpu3s=,tag:OCAOhjxpmXQpm77PDVl5KQ==,type:str]",
-						"namespace": "ENC[AES256_GCM,data:SNB1t3gEQi61+EDxlfEg0A==,iv:hQT8IfWAmgs8Dz81WQpmxjfsbfWJMzWDIVa0gMqD/4o=,tag:gOzOl8qj024/km0BYneWDw==,type:str]",
-						"pass_credentials": "ENC[AES256_GCM,data:VzK7dtA=,iv:dbBNWl3wpWR7Qod5gGVqWELLZZCxWxuM77nDZh+3l9I=,tag:7Of60+XBiHKeQ6YUjvl8MQ==,type:bool]",
+						"name": "ENC[AES256_GCM,data:sd91/9WrusiouVn5Kcnffg==,iv:4i5FkVs5AvxM8ZC5QB6m2n1wuW+58sinSRRTGRiRDG0=,tag:o+ErflVIvMm8QP9eXH7PMw==,type:str]",
+						"namespace": "ENC[AES256_GCM,data:0SLUnRKxjm+D1B9BszqpLQ==,iv:bMJeZ4MJ+n9G5qmz8RgHBhudUAS+CKsDkyZYdRfbYig=,tag:KmxS17n1Rxuep+4xpWsK3A==,type:str]",
+						"pass_credentials": "ENC[AES256_GCM,data:sLGzTaQ=,iv:g+n/fBU2AhqXUtrEIghix1StxWPom64SQvujyAjtefE=,tag:jLjwupjkSVTcL5M+/AlbNA==,type:bool]",
 						"postrender": null,
-						"recreate_pods": "ENC[AES256_GCM,data:3qjwwN8=,iv:mnyQCWzR4KQi26jQiNZnEy8PXzAoxxxABHK3P4qAqsE=,tag:3j1Zuzp0us9NoLvnrL2O3Q==,type:bool]",
-						"render_subchart_notes": "ENC[AES256_GCM,data:gn+p8g==,iv:4JIeoetEO2CV3zYewlvi1R/bKJXpBgIjNJ69yRBqucc=,tag:rYhb9QC6GIt7qpp7KelLDg==,type:bool]",
-						"replace": "ENC[AES256_GCM,data:6O12bzk=,iv:erkGoBGvEs5x9tI9bYbs6jUU9w3Cy3uXV1KhSo7GGqA=,tag:MSL6usB8t+ztRabfLpjAFg==,type:bool]",
-						"repository": "ENC[AES256_GCM,data:nAp4SsXg00gff+n/K0fNjrPZhknRGm8dzry6jijtUJbKNg==,iv:4XCxHMcg+t/uLtQHMPY4URqnUtX0czJmcSLgcGs9zqo=,tag:9epdmlz+149Ig+jOVVLu1g==,type:str]",
+						"recreate_pods": "ENC[AES256_GCM,data:819XN+U=,iv:bFG9GDGM0eL+V2VFI1p2czktEO94HQjnYsPDmbHvQCg=,tag:jvry5R+AMyQyK1ngvE/FWQ==,type:bool]",
+						"render_subchart_notes": "ENC[AES256_GCM,data:IyULbg==,iv:h6v/Fd6sRvxmGBFf/yrReKHsrZaiawn7chFAhPNh5aI=,tag:3qnzO00h7BzOklJ6QqNoPg==,type:bool]",
+						"replace": "ENC[AES256_GCM,data:kgBWxTg=,iv:DOoAAfXihUL9gzFYygDvbL0hR7HJH4YSpCatwCdTFxo=,tag:cGtTl3Wwrz37eFBxtvyCLw==,type:bool]",
+						"repository": "ENC[AES256_GCM,data:L6qDttTbhkCxcqGplM304W3KAmTSaH4cgtUJrR/jGuYjjw==,iv:2MwxjoZjK/wPhxxLwi+VtCVbtJUeeOevwKqy1cLPNt4=,tag:vN0suSkCqnZNt6zLc/FD0A==,type:str]",
 						"repository_ca_file": null,
 						"repository_cert_file": null,
 						"repository_key_file": null,
 						"repository_password": null,
 						"repository_username": null,
-						"reset_values": "ENC[AES256_GCM,data:ga0bFUk=,iv:uQXNy1Ro3gKRvb3cm5D3UJ9RWdRpfCBZb9ZrXJPD5zo=,tag:1FtEMdfqYhHoCJ/7hInOzg==,type:bool]",
+						"reset_values": "ENC[AES256_GCM,data:vxqCxSI=,iv:NgSE8qQzSK9+AEkfcj3Y9u7f5tHqKY8TloEYSSj+kdE=,tag:QRKv0f9pW/NiffqZCAF0Gw==,type:bool]",
 						"resources": null,
-						"reuse_values": "ENC[AES256_GCM,data:5shaXUE=,iv:2IZHCIWY3HVeCs+NU83caD9gDPyvNmTPqFId4ek/uA0=,tag:JL7jxoGytEzsnVo/YDKwIg==,type:bool]",
+						"reuse_values": "ENC[AES256_GCM,data:PCZN0ms=,iv:y0dB2RZvUeBLe4rR1GHgHnHHm4E28wLUXGdm4dhiOuw=,tag:ZCemxiKLTljCWvvQGCx+PQ==,type:bool]",
 						"set": null,
 						"set_list": null,
 						"set_sensitive": null,
 						"set_wo": null,
 						"set_wo_revision": null,
-						"skip_crds": "ENC[AES256_GCM,data:WyJH91s=,iv:nI0Sj4kEvpid1T09XiSGy5GpbOhSA3BklRU7j0V/Z9U=,tag:Pj/fFw2uOIzqWRHH8rehEQ==,type:bool]",
-						"status": "ENC[AES256_GCM,data:u7+uhadO+sE=,iv:t7Fk28zxdqbABZLVDiS5VY+mPFUTDWCrr6RQ6xrjE7I=,tag:DSW6oQbh4ESDmQIa2iVWbQ==,type:str]",
-						"take_ownership": "ENC[AES256_GCM,data:nV/Mo8E=,iv:JIouKc6ZaKUigMozdM5378P+NfDwMl22s+jV9soylm8=,tag:9vhjqtflw2P6EzmTvQEVJQ==,type:bool]",
-						"timeout": "ENC[AES256_GCM,data:rdcG,iv:bTQYGuvlPuNVAWLVOalLXAfBYImvGS0jcCG0FpSjNEM=,tag:uNfiRR9r5kjWFP5ninYTig==,type:float]",
+						"skip_crds": "ENC[AES256_GCM,data:nA2qTkw=,iv:V9+AX/pb5oFQXRTiv+ksXz/ugOJ1aUUz4KB3tE/SkAo=,tag:up5OBNpyVgHXAc5i11d7xg==,type:bool]",
+						"status": "ENC[AES256_GCM,data:XStGsviHojY=,iv:oQjdLNxqH+7MXKvGmhc/Ij55I+FhwnOESBaF1z5h3ho=,tag:QFgY3hfzHim7QNcOfzKegQ==,type:str]",
+						"take_ownership": "ENC[AES256_GCM,data:69yYrRY=,iv:ZuBnT6m2jU2Q9QBUgl8AKMAZRk0v0I9V5QQ1rfryI+Y=,tag:HUjPXRUDEeNvu//Eyw5jbg==,type:bool]",
+						"timeout": "ENC[AES256_GCM,data:A9Xj,iv:Ql4tYmVV7XUhmMr5WhdZ86akcGqTQqMnQZe5rDh/D2Q=,tag:zsQicm1FrAPIGtvj0Q4QiQ==,type:float]",
 						"timeouts": null,
-						"upgrade_install": "ENC[AES256_GCM,data:UBdu7iY=,iv:n1nntA7X6gYEmPrCX01xzV/DCtOVKa+bFNKyfUeYLYg=,tag:zo879c8QLetJn6yt146L6A==,type:bool]",
+						"upgrade_install": "ENC[AES256_GCM,data:XPHpHuQ=,iv:z7qG5RinG6s1gab5xO3zUXlIGDfM0wkLYhBSCF4MScc=,tag:NvmEM1n5mHbzD3ex0rB0dQ==,type:bool]",
 						"values": [
-							"ENC[AES256_GCM,data:Tolr4jxdpxSyrykBTpjLbUILVKc=,iv:oFvAqjm/W/gL/WLXs4gZgJXUa1u6VON6Imb7qIIJmVs=,tag:nQVWKYXbQjcksSP+oHrmAQ==,type:str]"
+							"ENC[AES256_GCM,data:t9W6jM6uwXB8TgNGCcBAL59pMY0=,iv:7imWRw+LYRzUqQpn+lW+ebq1fEhH132nPG6Cc5TIQKY=,tag:Po0a9oTWlir7aHctW5yJbA==,type:str]"
 						],
-						"verify": "ENC[AES256_GCM,data:vLFxKp0=,iv:ehBAPzszEQdTpGqSFEd7ydZnzGoL6UrxaR4tk378XXE=,tag:+ypKinUz7CzItA9eOyR8mQ==,type:bool]",
-						"version": "ENC[AES256_GCM,data:uJJmsUCs,iv:fqpgEEaS3cUFN6J6v09c+7P4M9/8PSguCS9qZh4dkS4=,tag:N1+NesF2AkdDFMMMznaXqg==,type:str]",
-						"wait": "ENC[AES256_GCM,data:ZIEtBA==,iv:A1oA6IERmvsccHRdU4tmAQc24vdyOjR4pKlO8o7jHdo=,tag:E3RtzuynagSXub3LU3GrCg==,type:bool]",
-						"wait_for_jobs": "ENC[AES256_GCM,data:Q09ku/I=,iv:KTf5r4KRyEKkx/lxnT06qLYlIJCvsHkxIACW9sjWakI=,tag:ZGa8ceaxLTiwkwUQAarCRw==,type:bool]"
+						"verify": "ENC[AES256_GCM,data:Iwr8EIo=,iv:ZesyS+vpMMN0VKqbB/fd5AdbV8VhDOphHjXU1BNqk3Y=,tag:LAzyo4bMBzErdpbYBEoWGw==,type:bool]",
+						"version": "ENC[AES256_GCM,data:7aoDb+8=,iv:ER0Btj1FtehZ665Wl7CivZdKYe0msjuu1y44+vexXfU=,tag:jq1xCYwTlj4dRh6qzNEorA==,type:str]",
+						"wait": "ENC[AES256_GCM,data:jt8EHg==,iv:xbj/BTlkzYgn+wvASjl3UUH/k+zhBWddk/hx9X7LUyw=,tag:e7JwA5vPWKuJrsz4hsYK5A==,type:bool]",
+						"wait_for_jobs": "ENC[AES256_GCM,data:ilNPqjM=,iv:au8pZvINB+TSWZyXkaSnSYgAhJBUznzyDtKEAV0P1Kw=,tag:qEotD5gvjqQeHXv3zjA3EQ==,type:bool]"
+					},
+					"sensitive_attributes": [
+						[
+							{
+								"type": "ENC[AES256_GCM,data:RAiX1XBzGqQ=,iv:yjLzUPIxKHFCyYVBGfJcMB9IDJ8e7xe1CypqiXWo3W0=,tag:0jXLhlG6+D79c8tMnViNCg==,type:str]",
+								"value": "ENC[AES256_GCM,data:nKkc0SW9V8jAhTabOLI34CllLA==,iv:4rdIrMGYQf8cEhSKNQKDGWSSC3HT3tijKiDcGfvrWRI=,tag:SIzHPMHuLGz/Y2XWuOGw7Q==,type:str]"
+							}
+						]
+					],
+					"identity_schema_version": "ENC[AES256_GCM,data:HQ==,iv:wNBOFR+AC4Gxz3joiwsmwhqfEKR0yWmld9F62XaSYbM=,tag:fJvAg+nTawgLtY73llZHAg==,type:float]",
+					"identity": {
+						"namespace": "ENC[AES256_GCM,data:61/lYRBpPeRJ0w1UzLirRg==,iv:XrcolEB3pehVxLYQ0mz8Jujjsb9y8wpw72hPyQ2eu/I=,tag:shwPx03B7+s3pdqWrMm/5A==,type:str]",
+						"release_name": "ENC[AES256_GCM,data:f8FAKVWfLwC/GThR2yDZwg==,iv:TpEd05Q6RWz+I33q5bW6x1/mej8UHb3ZZxIL6VgkyYA=,tag:5ebHXU5/W+CLhe02QAQh5A==,type:str]"
 					},
-					"sensitive_attributes": [],
 					"dependencies": [
-						"ENC[AES256_GCM,data:mH+MU/pJHF5Xvkkm+g1zvva7Na22JZot3yBTVLT1y9td+/qOAQ==,iv:zJzqJvE+usIkLaIEfydh1t5ohcP7uOXWuPBCfBWEVFI=,tag:uB9Ap54kRoEVOPHA1rDmkg==,type:str]"
+						"ENC[AES256_GCM,data:ZCcYXx0zTAZQBIjNP4WCJ+qhB102h43Wis+SjsnKCbZs8OYy9w==,iv:2YNeczbcKVcIdburFVPwaVRn8qZhIrWfDib/DUNAXnc=,tag:CjfEpBujkNP2BaVfvIpxlg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:/1y2J+vYZA==,iv:iN0IjDlpLKfZcbwvU/8RAdyei+Hz7ENBbmOAXvuZza8=,tag:TwUpURi6jUVTTRx1OgKU1w==,type:str]",
-			"type": "ENC[AES256_GCM,data:NU5yIOxpHVbDxDpKIwsAWFxt1Q==,iv:4UuOBt3CpEDx9n2iVXR0D/dKsIYJ82CloArNPf26V/g=,tag:n9sbx7Z3repXxtnzMt/guQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:38MFAafpkrxKqtH0,iv:i8XVYtzm9DkfwQO2mXKy04RwFWKk7cSepEd4iW/GDww=,tag:rkGsrxfAbRku1oOqRPJihA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:+NRPeuvVJm4EAzaLVIbbxUtcLxo6B2y/9+6eKxRAtgAvibz+MjrV0iLV3Y89gOu6WSXEpDWU,iv:gPE8v5CxCMTmWf9DVqbCbujEKPP3pY+22tGdEA9lVLU=,tag:+q7ZBdPABdmN53DVJen5Uw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:P0IdijBRHA==,iv:VjErxmzon/Rg19PdI9tB7Y35EGCJELs2lHvbecwiuyM=,tag:uNNX+RKi0JlRT8oclH3XRQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:jZL4GifKxV1E3kV1wqCgFxewPQ==,iv:7wyeKaQJLxQbd4C3qgYtv1uQgfn/hHtzxFrFQbsKzS0=,tag:L/6IkO4FcEaNhbrqeaQr8A==,type:str]",
+			"name": "ENC[AES256_GCM,data:mybJyzZFq4thUp9Y,iv:ux8zEi8xQNK93Uqyi0nPGW3qsZt/ScQFW1VSIpQPsns=,tag:i5BJPciXjBevh/sq63rp2Q==,type:str]",
+			"provider": "ENC[AES256_GCM,data:E50TReIIZuqV67v5Y/hrLXs0nyOPy62/WufARguPF9Wz7DEjThIJYZziU15W1O9AtRhkdcJ3,iv:+nFpbMU9S2MjOPZenvpPIwxeLTQjGAMmaaN7cuL4IcU=,tag:/eTp14kCuaqGaievctp6fw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:tQ==,iv:gw++pIOj9+madwO4F6yyIxcpx/nMqfCng/jSERtr6CU=,tag:k1mLgBy8QHLaYJWJIa0QSQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:7A==,iv:3KbrrjT/G/CEC30mdxoehTGpw3vGtJx11C7fxU7Xwi4=,tag:Q6wk8Sn77Oz3ZaolyntO2w==,type:float]",
 					"attributes": {
 						"computed_fields": null,
 						"field_manager": [],
 						"manifest": {
 							"value": {
-								"apiVersion": "ENC[AES256_GCM,data:DszEBvS4JYm1FJJ9wOvWBhJbQQlYVd8WUwA0,iv:/CobiiGj5C5TLYk/GkrS+hu7BoZcagCrCGPhDPbjBT0=,tag:F4sIvHZQ7GKn6+A9wVp/cQ==,type:str]",
-								"kind": "ENC[AES256_GCM,data:SYqDZkv7726oi6gHjXReRZIk,iv:2cCHS0ZusvxOmlh5Uh7IUYn8dw/ELNy8A2DTEG/Z56k=,tag:Fz296/tp0D4X5waSq3yLKw==,type:str]",
+								"apiVersion": "ENC[AES256_GCM,data:fFl6JVN5hhPfB4wK0NgRutt3Lq5i/A==,iv:IAagldtB9gOtKGag68qTz45ol21+/EAbj7ylBEQUwtI=,tag:zBivgClfh0RKj6ECmVZ0yw==,type:str]",
+								"kind": "ENC[AES256_GCM,data:60YTi416eiOXPZAjEwBdmEG6,iv:2ilWHrtz4VwBFK3QlF2c5nBoRT9+Wkc0Y42FuVsIvaE=,tag:GyhPj6Kgg0ko2UIO/i2wCQ==,type:str]",
 								"metadata": {
-									"name": "ENC[AES256_GCM,data:X8rYPKu/GfHOzDKQ6Q4=,iv:HaM0KdRAb5JSl1X6q1os/ET3NVoPpNoxrnwFYZ2G9vM=,tag:Uq4gCprWiYlEB4qJMgF5jQ==,type:str]"
+									"name": "ENC[AES256_GCM,data:vC+ns9hSWdcOk+FI50A=,iv:l/ne8twJnczeKUaIbSuALLcKvURl5P9Z9x7egztPt+A=,tag:WYCPDJ032qpj68EwNJskcw==,type:str]"
 								},
 								"spec": {
 									"provider": {
 										"vault": {
 											"auth": {
 												"kubernetes": {
-													"mountPath": "ENC[AES256_GCM,data:kF2E/IaY8dZxfA==,iv:26v+CJ6IncGtCQieUiLj5hY+m5c3CgPQMSEH0xN42VE=,tag:zREvYR6JbC1avrd+y55mGQ==,type:str]",
-													"role": "ENC[AES256_GCM,data:OW5D,iv:ntZSyp2Tlfbx8XlKxug5VXbfP+/5dqSHVVI+WystQHY=,tag:BJGMjAb7Lht2q+oS5PMr6w==,type:str]",
+													"mountPath": "ENC[AES256_GCM,data:OUJaAGrWB1lVTg==,iv:zf7W51fbC08hw1jxNkuyOHrCs6T0kNHrVAAqKjUaRpY=,tag:qLa/aqycG0kVbVZGBzw8Mg==,type:str]",
+													"role": "ENC[AES256_GCM,data:8D/J,iv:yJ3j9a09zVphrt3e6Rn/Vgk2k5jvN+CSn8Vged6zetA=,tag:39aYUM5q60nTY3B/0vA84A==,type:str]",
 													"serviceAccountRef": {
-														"name": "ENC[AES256_GCM,data:5NvuSOPYXUl7uq8VEC7R5A==,iv:arf9Obg/4FZ5OrbSMuHuBZrLcXAYGftv4a3pVTvvPWM=,tag:Ycb7vPS8LLq7qKvEaGxKFg==,type:str]",
-														"namespace": "ENC[AES256_GCM,data:inTE+OID7tV75qYjdvKBHA==,iv:0e4p8xOYLGKdACOObiqwaPe/gelULyojFJYB3+JEs/M=,tag:MmI/oJ4dkXd7y5zCrx+lvg==,type:str]"
+														"name": "ENC[AES256_GCM,data:uRcOHDqMPXBuvIbA5TUk3w==,iv:PZ+8KjH7c/viIweGOhZThOocSVr5PKAAQl/IGR4tQMQ=,tag:GLnb4ZsIumdAyCl/ZYB6Sg==,type:str]",
+														"namespace": "ENC[AES256_GCM,data:Egmn6Cu3GNFyU4YYOjNGlA==,iv:RgOywDW7UpIMKInjPyqiPsep0qSfdQH4s5aQsBu1oOI=,tag:RoXboL/NMF4b0fGRNNQY8g==,type:str]"
 													}
 												}
 											},
-											"path": "ENC[AES256_GCM,data:Mz6ggGT22rM=,iv:sdA/wDhI8I/QKwmzwEbHqj+v5bASlP66a0w1A7EC7Nw=,tag:TRekcoDbhLSvltLmpHq4Cg==,type:str]",
-											"server": "ENC[AES256_GCM,data:62OUZ3zAfn/ylyNdMCIVr5ecq2ZR5ZPN3Pg0BWs5qB3XSXT8zFcrYLy4x1csyXW5,iv:vEqK/SZvGhMbdG16FnEoiWCRDkuqUcCCDnN1rZ865SQ=,tag:ltVXmcIvUZps393RQDN6IA==,type:str]",
-											"version": "ENC[AES256_GCM,data:RoM=,iv:OCmSe1jpbQioxud5r6WFHePqIzrmhw6h412kfvyUIhw=,tag:hDoejLyYMncBkbzpBb+PXw==,type:str]"
+											"path": "ENC[AES256_GCM,data:0zH1v9ssb50=,iv:K8hPoOPTVzaFNYb8JGOJOtBVE9CUXaXkrDWFmJfJeI8=,tag:NyYmcBDYyojfQmZBCsj9fA==,type:str]",
+											"server": "ENC[AES256_GCM,data:Vvt6O0ZmbqQgcB1YgR2LFoLE5tdtjOmXr3u+m6Nc1RCcQbAW6fj9z75J+hPJ7PTQ,iv:YmSWFvLqcUV9aQF/zCzJOKtTHo1bsP8uqYbyHC7uEg4=,tag:XilAtZ4a1AmKArPLMb9Fkw==,type:str]",
+											"version": "ENC[AES256_GCM,data:ktE=,iv:QQzPX3VfnVOCp2BKq+RvILZXfX33VSQk3psqMdWFjy8=,tag:k/q9NGLzPZnP1a4pL8nO6A==,type:str]"
 										}
 									}
 								}
 							},
 							"type": [
-								"ENC[AES256_GCM,data:2wWn88DJ,iv:aT+4BsBL1y70Hy+DgX8E479rvhOjwHOzsH6VGt9Xxec=,tag:hXxsMQboV9JZZcDkg/JDgw==,type:str]",
+								"ENC[AES256_GCM,data:XiTUDj9c,iv:evD7A/Ii6fPCjcgPe2JWb9swXFwgRA4ZZFqzo0Tceeo=,tag:p4uxyIaqgekZIqszGIn5Gg==,type:str]",
 								{
-									"apiVersion": "ENC[AES256_GCM,data:a55/qVGp,iv:NfYiVizjvLH3jNrvZfneodEVyVlq1LgSUFTMTj6A8II=,tag:RHunfbzIPEJvWSh9UoMvWw==,type:str]",
-									"kind": "ENC[AES256_GCM,data:3K9OucoL,iv:AEER5ARMhIZScGNVIjxJ1RHM5UeepYTyyLpxvrEnYRE=,tag:TlH7030jiwQ9qwICQVKi9w==,type:str]",
+									"apiVersion": "ENC[AES256_GCM,data:aEU/UGoj,iv:4WWnvTfcz909B8prNSDQyXLYwZIijLZyn5YLtOixFKs=,tag:Fph/+xaRKtFLsHDHvE4DJA==,type:str]",
+									"kind": "ENC[AES256_GCM,data:HY6h2HVp,iv:b39N+0j4pIhebUa0A+lQMa+69yehTgBVByj3MJ2NJuU=,tag:U8JVl5XxjPfrt70Lieay9g==,type:str]",
 									"metadata": [
-										"ENC[AES256_GCM,data:/y96H9TF,iv:xliZVmgZiDwsjnk/u0C1zQEBzgwx5f7xHh+3cQanKCg=,tag:J6xqGNoB935Ozf7cnKi7/A==,type:str]",
+										"ENC[AES256_GCM,data:Y2+1tplM,iv:Ht+eI2SgeMlfAeckxyIuqBrXed7s6NMREjCLExeBLdE=,tag:TH3iFQSO/cqAwR1EIedHhA==,type:str]",
 										{
-											"name": "ENC[AES256_GCM,data:4ZNtI+P+,iv:G+jPecS2XPS7BMccGF65P67g52PfapaaZRcgJswRlas=,tag:5nTXW+pwo1LRtYdL8kYUXA==,type:str]"
+											"name": "ENC[AES256_GCM,data:yYv0IInX,iv:sEceRwu+ercXkC1XJ1Bd7QqOj4JNeFSpBOh0zpUPEyE=,tag:p9H9DK31P3EtNepuQD2XKg==,type:str]"
 										}
 									],
 									"spec": [
-										"ENC[AES256_GCM,data:r/St9koV,iv:6/x66PgV1atl7fQOpoROauPmsuNl/Bhp/t6IYPCW/Fg=,tag:/RmiqNrKHRI67NnarU1+rw==,type:str]",
+										"ENC[AES256_GCM,data:cwmrs5Wl,iv:8QL9n1xZt8iH6okF1Y5v8Xtm5ZV46YFNgxoGWhFfHZI=,tag:k38fk33Rsp+mWys91EHBow==,type:str]",
 										{
 											"provider": [
-												"ENC[AES256_GCM,data:Vf5eubTT,iv:Mjm6uM3Aoi0aALttfZnR9otcjuSRXzEHDw1JFUzveEY=,tag:K1twGnTKmZ17/VocZBDWWQ==,type:str]",
+												"ENC[AES256_GCM,data:RLiybHeT,iv:0n/eBprt0TdA/Q8+1S2netmeaRJ31ihWo4TXP4Ei8D4=,tag:ztB8JrcE917TJE/ItjeJ+A==,type:str]",
 												{
 													"vault": [
-														"ENC[AES256_GCM,data:4i8BAaJ6,iv:jx6NSU/RfeKM0Yl1DfxvJ0xebVSYto6uDUf8vr8E8rU=,tag:OtmbtTdkM+rcyhOtFdzlzg==,type:str]",
+														"ENC[AES256_GCM,data:sogZq54a,iv:ZLQupCVrEmZym59k+F8ucSWcq+KWVfKurOrswJFHVug=,tag:GeSjCj03k5S2fuEs4XNVrA==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:CpZD41dF,iv:FkiHLOlmOQXVsZmHMHK34h4dbzKJAX5NG2/kOpoyAUw=,tag:CiQX6AVWfVC62KZbYLv0LQ==,type:str]",
+																"ENC[AES256_GCM,data:6JZCHSX6,iv:jI7IkSxBpI/me5LU8Wh6ybmoHYulYuRTaUkvYxF0qbk=,tag:7Clv3hUVonpjILCAbf79gg==,type:str]",
 																{
 																	"kubernetes": [
-																		"ENC[AES256_GCM,data:/l6Gcm5M,iv:X+ytpPoWU2RSe367zBDGd5704C1PvzAA+E4IWWurRmw=,tag:2L+aMw2nlKFe9+6w1uLooQ==,type:str]",
+																		"ENC[AES256_GCM,data:N52zPdsd,iv:YYh3HrIadbokB/DNRoq93X+9wHF2156QWMWcRdXQ2rI=,tag:8NW/o0lKklKCZi+Et2BZmw==,type:str]",
 																		{
-																			"mountPath": "ENC[AES256_GCM,data:qMYQK4qs,iv:B1ILB1WuQSXCaM0tqCvaAIPBWLDYZSFWmmbORa0yGz4=,tag:epQclU7yGNmT61olBKlC6w==,type:str]",
-																			"role": "ENC[AES256_GCM,data:m49xEkR3,iv:AbU7/d4GQ1F7Yrey7QcA4oVPAmxs2RngPm+7cQ1HqfA=,tag:BEwI6bm/6zDVHWPQwLVCeQ==,type:str]",
+																			"mountPath": "ENC[AES256_GCM,data:cDeDl/oy,iv:eDK7EkmWs8oPEFJqu64hB1rjZw9ufgncUTF2oXfjUd8=,tag:kRtWw/bi3VCOYOePDAb0pw==,type:str]",
+																			"role": "ENC[AES256_GCM,data:7IEhPMoN,iv:n5XiT7Hl08e7jYsYFUkimNee/V23xbl5GlepdWkbwJA=,tag:XGniGoAi6C1GCX+OuX26bQ==,type:str]",
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:Q+dFgupC,iv:f6VyrDzbRztS+JBJGZQXTGR9ndpfQ0QrV5BCtZcsuNw=,tag:v3GQUSlXjvC8mHSrECfZug==,type:str]",
+																				"ENC[AES256_GCM,data:Q1O9kuQ2,iv:j8zRor7oypHUjzk2Y8LAbEb0/+KVXETgolUiARIDqKY=,tag:WyYdUUpDudBnxSjy3da+IA==,type:str]",
 																				{
-																					"name": "ENC[AES256_GCM,data:bvoOLtBB,iv:O3Cxg5MCuQpIxzZ1y+AlyueVZVl7EggqVcz1H2aBRVc=,tag:LGJjyZLrpaa3Brvogt+GmA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:QbIX7RQf,iv:u+9bJfOH8Y0alorifxUbee42+VuT5bdSrSwvXzXB+Ik=,tag:VRt7oRubrYCdZMx069BDKw==,type:str]"
+																					"name": "ENC[AES256_GCM,data:vHgy3/pR,iv:AWYM/EeWZ4XdvXDIOZuX35jnHDbf4ZIPvWXZzNuCet0=,tag:MDhrn3BOsCjdktyVXvGwjQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:540EE1D3,iv:GxoekwRJgeGgwSDbKrpTTQOZsKZSvGU29yBEypakaRc=,tag:s0qS2vUOQywwfNnoNvI0Pw==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"path": "ENC[AES256_GCM,data:kKXmc3BP,iv:FSqomTasnsFRUpGwRznAK0OOkS/dGOlajfts21I1zkc=,tag:gZRgV9cX6uRZzrlmB8jZDQ==,type:str]",
-															"server": "ENC[AES256_GCM,data:QU1N2i/h,iv:ocf/0NxVjdxyzttK7NAHtCCBSjHPMslaX2emBunEUpQ=,tag:rGJPXPlMH3W5mp72Gdd/sg==,type:str]",
-															"version": "ENC[AES256_GCM,data:yvCoN1SN,iv:EDZHETraHeCwNPzCYo3rq2IVDUTV9o3wEXsnLGoClVM=,tag:UI0ZBRbCXB90PllMPj1T1Q==,type:str]"
+															"path": "ENC[AES256_GCM,data:uTwlgeO1,iv:ezMLvNnhRan4oPepAW9hajOjZnpUXZBaemsyLJpbaUU=,tag:6q0vUvMbPg6TkMuhWVfCDQ==,type:str]",
+															"server": "ENC[AES256_GCM,data:MAAEnbV9,iv:NqkhyBWwKPuoOQ6tzcQU4i5FeUXFTTdAD6Ie/uvfKiI=,tag:A7pKS8ipK5xFpCNDlDmfYw==,type:str]",
+															"version": "ENC[AES256_GCM,data:nii0ZxPQ,iv:IAfi+BpT0c9OyN08srnhIG/wo0suSOrAPCTI/wCD5hM=,tag:HnGpV+bPpiRczMBEqu++UQ==,type:str]"
 														}
 													]
 												}
@@ -175,8 +278,8 @@
 						},
 						"object": {
 							"value": {
-								"apiVersion": "ENC[AES256_GCM,data:YrJ5qQcBDJYUIDwn1oE7yhILDq5lT2u78IaY,iv:8KJZ+liXPQAQ2tcl1d5JurdarZPN8Q3IJS2UnyxWum0=,tag:xrz1FrvpsfQ58DXphHbxCQ==,type:str]",
-								"kind": "ENC[AES256_GCM,data:5oK8qRxwUmQZEoF69o0FyzM0,iv:4cFMHr/La7UuehEmYE8O98eDnDwxd3AQG1ElvBGyVWQ=,tag:/DWhAPFac3MA4dk7hGBD0Q==,type:str]",
+								"apiVersion": "ENC[AES256_GCM,data:HLvr8VJggIhIpNXgKpgme3mIw8TgPg==,iv:3fvoqAQaWkfnoY5/kOLRgeQpYhf0tPH9Gg9Tse3dGvc=,tag:CRh9Z+Un/TgHOr6JdHSdlQ==,type:str]",
+								"kind": "ENC[AES256_GCM,data:vDgK5VChARMaqcFC9MV3j9LW,iv:qUI3+Sf7sahd/Z+9a7IArpStcrLx4aOt5ihiB1Ej12Y=,tag:cQD6xRztMHb25EYP2y/oKg==,type:str]",
 								"metadata": {
 									"annotations": null,
 									"creationTimestamp": null,
@@ -187,7 +290,7 @@
 									"generation": null,
 									"labels": null,
 									"managedFields": null,
-									"name": "ENC[AES256_GCM,data:onIWCdZQQTlCOCcHIZg=,iv:6FPZS6oWgGbJvh6Zkg5m6U6L9QuTq8FQS0bdmjCOrrk=,tag:5+nNqA1iZiphjquO5NaIlA==,type:str]",
+									"name": "ENC[AES256_GCM,data:aljwlCr8lDDzWQCG88M=,iv:jaAbDlKsE5fo1rmbhs1TWCqGFjfxcNvhGZpVymBOYWM=,tag:7u14cW5YiSysTJ0J4daxQA==,type:str]",
 									"namespace": null,
 									"ownerReferences": null,
 									"resourceVersion": null,
@@ -241,29 +344,6 @@
 												"type": null
 											}
 										},
-										"alibaba": {
-											"auth": {
-												"rrsa": {
-													"oidcProviderArn": null,
-													"oidcTokenFilePath": null,
-													"roleArn": null,
-													"sessionName": null
-												},
-												"secretRef": {
-													"accessKeyIDSecretRef": {
-														"key": null,
-														"name": null,
-														"namespace": null
-													},
-													"accessKeySecretSecretRef": {
-														"key": null,
-														"name": null,
-														"namespace": null
-													}
-												}
-											},
-											"regionID": null
-										},
 										"aws": {
 											"additionalRoles": null,
 											"auth": {
@@ -292,6 +372,7 @@
 													}
 												}
 											},
+											"customSessionTags": null,
 											"externalID": null,
 											"prefix": null,
 											"region": null,
@@ -302,6 +383,7 @@
 											},
 											"service": null,
 											"sessionTags": null,
+											"sessionTagsPolicy": null,
 											"transitiveTagKeys": null
 										},
 										"azurekv": {
@@ -328,6 +410,12 @@
 												}
 											},
 											"authType": null,
+											"customCloudConfig": {
+												"activeDirectoryEndpoint": null,
+												"keyVaultDNSSuffix": null,
+												"keyVaultEndpoint": null,
+												"resourceManagerEndpoint": null
+											},
 											"environmentType": null,
 											"identityId": null,
 											"serviceAccountRef": {
@@ -336,8 +424,32 @@
 												"namespace": null
 											},
 											"tenantId": null,
+											"useAzureSDK": null,
 											"vaultUrl": null
 										},
+										"barbican": {
+											"auth": {
+												"password": {
+													"secretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"username": {
+													"secretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"value": null
+												}
+											},
+											"authURL": null,
+											"domainName": null,
+											"region": null,
+											"tenantName": null
+										},
 										"beyondtrust": {
 											"auth": {
 												"apiKey": {
@@ -383,7 +495,9 @@
 											},
 											"server": {
 												"apiUrl": null,
+												"apiVersion": null,
 												"clientTimeOutSeconds": null,
+												"decrypt": null,
 												"retrievalType": null,
 												"separator": null,
 												"verifyCA": null
@@ -425,6 +539,23 @@
 											"serverUrl": null,
 											"username": null
 										},
+										"cloudrusm": {
+											"auth": {
+												"secretRef": {
+													"accessKeyIDSecretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"accessKeySecretSecretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
+											"projectID": null
+										},
 										"conjur": {
 											"auth": {
 												"apikey": {
@@ -486,20 +617,17 @@
 											"tld": null,
 											"urlTemplate": null
 										},
-										"device42": {
+										"doppler": {
 											"auth": {
-												"secretRef": {
-													"credentials": {
-														"key": null,
+												"oidcConfig": {
+													"expirationSeconds": null,
+													"identity": null,
+													"serviceAccountRef": {
+														"audiences": null,
 														"name": null,
 														"namespace": null
 													}
-												}
-											},
-											"host": null
-										},
-										"doppler": {
-											"auth": {
+												},
 												"secretRef": {
 													"dopplerToken": {
 														"key": null,
@@ -513,8 +641,28 @@
 											"nameTransformer": null,
 											"project": null
 										},
+										"dvls": {
+											"auth": {
+												"secretRef": {
+													"appId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"appSecret": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
+											"insecure": null,
+											"serverUrl": null,
+											"vault": null
+										},
 										"fake": {
-											"data": null
+											"data": null,
+											"validationResult": null
 										},
 										"fortanix": {
 											"apiKey": {
@@ -544,10 +692,50 @@
 														"name": null,
 														"namespace": null
 													}
+												},
+												"workloadIdentityFederation": {
+													"audience": null,
+													"awsSecurityCredentials": {
+														"awsCredentialsSecretRef": {
+															"name": null,
+															"namespace": null
+														},
+														"region": null
+													},
+													"credConfig": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"externalTokenEndpoint": null,
+													"gcpServiceAccountEmail": null,
+													"serviceAccountRef": {
+														"audiences": null,
+														"name": null,
+														"namespace": null
+													}
 												}
 											},
 											"location": null,
-											"projectID": null
+											"projectID": null,
+											"secretVersionSelectionPolicy": null
+										},
+										"github": {
+											"appID": null,
+											"auth": {
+												"privateKey": {
+													"key": null,
+													"name": null,
+													"namespace": null
+												}
+											},
+											"environment": null,
+											"installationID": null,
+											"orgSecretVisibility": null,
+											"organization": null,
+											"repository": null,
+											"uploadURL": null,
+											"url": null
 										},
 										"gitlab": {
 											"auth": {
@@ -559,6 +747,13 @@
 													}
 												}
 											},
+											"caBundle": null,
+											"caProvider": {
+												"key": null,
+												"name": null,
+												"namespace": null,
+												"type": null
+											},
 											"environment": null,
 											"groupIDs": null,
 											"inheritFromGroups": null,
@@ -573,6 +768,7 @@
 													"tokenLocation": null
 												},
 												"secretRef": {
+													"iamEndpoint": null,
 													"secretApiKeySecretRef": {
 														"key": null,
 														"name": null,
@@ -584,6 +780,129 @@
 										},
 										"infisical": {
 											"auth": {
+												"awsAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"azureAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"resource": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"gcpIamAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"serviceAccountKeyFilePath": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"gcpIdTokenAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"jwtAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"jwt": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"kubernetesAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"serviceAccountTokenPath": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"ldapAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"ldapPassword": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"ldapUsername": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"ociAuthCredentials": {
+													"fingerprint": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"privateKey": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"privateKeyPassphrase": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"region": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"tenancyId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"userId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"tokenAuthCredentials": {
+													"accessToken": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
 												"universalAuthCredentials": {
 													"clientId": {
 														"key": null,
@@ -597,9 +916,17 @@
 													}
 												}
 											},
+											"caBundle": null,
+											"caProvider": {
+												"key": null,
+												"name": null,
+												"namespace": null,
+												"type": null
+											},
 											"hostAPI": null,
 											"secretsScope": {
 												"environmentSlug": null,
+												"expandSecretReferences": null,
 												"projectSlug": null,
 												"recursive": null,
 												"secretsPath": null
@@ -611,7 +938,8 @@
 												"name": null,
 												"namespace": null
 											},
-											"folderID": null
+											"folderID": null,
+											"getByTitleFallback": null
 										},
 										"kubernetes": {
 											"auth": {
@@ -657,6 +985,43 @@
 												"url": null
 											}
 										},
+										"nebiusmysterybox": {
+											"apiDomain": null,
+											"auth": {
+												"serviceAccountCredsSecretRef": {
+													"key": null,
+													"name": null,
+													"namespace": null
+												},
+												"tokenSecretRef": {
+													"key": null,
+													"name": null,
+													"namespace": null
+												}
+											},
+											"caProvider": {
+												"certSecretRef": {
+													"key": null,
+													"name": null,
+													"namespace": null
+												}
+											}
+										},
+										"ngrok": {
+											"apiUrl": null,
+											"auth": {
+												"apiKey": {
+													"secretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
+											"vault": {
+												"name": null
+											}
+										},
 										"onboardbase": {
 											"apiHost": null,
 											"auth": {
@@ -687,6 +1052,24 @@
 											"connectHost": null,
 											"vaults": null
 										},
+										"onepasswordSDK": {
+											"auth": {
+												"serviceAccountSecretRef": {
+													"key": null,
+													"name": null,
+													"namespace": null
+												}
+											},
+											"cache": {
+												"maxSize": null,
+												"ttl": null
+											},
+											"integrationInfo": {
+												"name": null,
+												"version": null
+											},
+											"vault": null
+										},
 										"oracle": {
 											"auth": {
 												"secretRef": {
@@ -715,6 +1098,40 @@
 											},
 											"vault": null
 										},
+										"ovh": {
+											"auth": {
+												"mtls": {
+													"caBundle": null,
+													"caProvider": {
+														"key": null,
+														"name": null,
+														"namespace": null,
+														"type": null
+													},
+													"certSecretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"keySecretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"token": {
+													"tokenSecretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
+											"casRequired": null,
+											"okmsTimeout": null,
+											"okmsid": null,
+											"server": null
+										},
 										"passbolt": {
 											"auth": {
 												"passwordSecretRef": {
@@ -728,6 +1145,13 @@
 													"namespace": null
 												}
 											},
+											"caBundle": null,
+											"caProvider": {
+												"key": null,
+												"name": null,
+												"namespace": null,
+												"type": null
+											},
 											"host": null
 										},
 										"passworddepot": {
@@ -764,6 +1188,24 @@
 												}
 											},
 											"apiUrl": null,
+											"auth": {
+												"accessToken": {
+													"secretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"oidcConfig": {
+													"expirationSeconds": null,
+													"organization": null,
+													"serviceAccountRef": {
+														"audiences": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
 											"environment": null,
 											"organization": null,
 											"project": null
@@ -790,6 +1232,14 @@
 											}
 										},
 										"secretserver": {
+											"caBundle": null,
+											"caProvider": {
+												"key": null,
+												"name": null,
+												"namespace": null,
+												"type": null
+											},
+											"domain": null,
 											"password": {
 												"secretRef": {
 													"key": null,
@@ -843,10 +1293,40 @@
 														"name": null,
 														"namespace": null
 													},
+													"path": null,
 													"secretRef": {
 														"key": null,
 														"name": null,
 														"namespace": null
+													},
+													"vaultRole": null
+												},
+												"gcp": {
+													"location": null,
+													"path": null,
+													"projectID": null,
+													"role": null,
+													"secretRef": {
+														"secretAccessKeySecretRef": {
+															"key": null,
+															"name": null,
+															"namespace": null
+														}
+													},
+													"serviceAccountRef": {
+														"audiences": null,
+														"name": null,
+														"namespace": null
+													},
+													"workloadIdentity": {
+														"clusterLocation": null,
+														"clusterName": null,
+														"clusterProjectID": null,
+														"serviceAccountRef": {
+															"audiences": null,
+															"name": null,
+															"namespace": null
+														}
 													}
 												},
 												"iam": {
@@ -900,8 +1380,8 @@
 													}
 												},
 												"kubernetes": {
-													"mountPath": "ENC[AES256_GCM,data:A5/SV/PCqo2tHQ==,iv:FZZaD+nC7Wqrkx4Z+mgWcnqU+OPNm2W26TMTlmzMHwk=,tag:Wf50JLU5iinXxAN0muxLrg==,type:str]",
-													"role": "ENC[AES256_GCM,data:KIZj,iv:OFpWKFYM8GxOI2qMB7Vf4pJ7hRrmWHiSjXlDuRJLfzg=,tag:n+S89ojKEGFB+oKgpZuXLA==,type:str]",
+													"mountPath": "ENC[AES256_GCM,data:bbrfeLaFLrIh1Q==,iv:itmYIVo9P94r2IcZwcI+hYI526GWOGFphLF9qDlQ8I4=,tag:gt1JVtT5s3T7kHYDcWlJKw==,type:str]",
+													"role": "ENC[AES256_GCM,data:OD3Y,iv:IR1VX16Aab9XL4HRnwr0AmWSwkq2+NOi+CpHSp7yan4=,tag:zQFkiYt8aUCqZ0/1brGnmg==,type:str]",
 													"secretRef": {
 														"key": null,
 														"name": null,
@@ -909,8 +1389,8 @@
 													},
 													"serviceAccountRef": {
 														"audiences": null,
-														"name": "ENC[AES256_GCM,data:7pK7dADjvDlsUaFzRi+bqA==,iv:/JAOt+7gLK/KkWMANxwWtGsunB+cJHf4SU7CxO3mjzM=,tag:nGqDkWP8RKw81TCd0FAf0Q==,type:str]",
-														"namespace": "ENC[AES256_GCM,data:TGYjYdWVn6relX7JbejqwQ==,iv:kXO+w16F0pAla7xuO5zeH9n50uMm2wdJMDUOOwveIH0=,tag:JKTi4dBN0/Sp0vljK2cXAQ==,type:str]"
+														"name": "ENC[AES256_GCM,data:bbX/HDajeviMsYhz4TZ1dQ==,iv:d8LmtU42sQwmQP/vRoBzWVoTTj/XZS5JbpYV64KOW+E=,tag:CRSn8ZSluBeDu/SfV5k+UA==,type:str]",
+														"namespace": "ENC[AES256_GCM,data:/4FGP89fdm5qMwrsHeU90w==,iv:F8voKPHzo0qOrJahGi3V3f3VRvbDsMbzas9W1rM6bRc=,tag:xoansEvuJ7GeCQQ9Sg1b+w==,type:str]"
 													}
 												},
 												"ldap": {
@@ -945,12 +1425,15 @@
 												"namespace": null,
 												"type": null
 											},
+											"checkAndSet": {
+												"required": null
+											},
 											"forwardInconsistent": null,
 											"headers": null,
 											"namespace": null,
-											"path": "ENC[AES256_GCM,data:AeozXaYmaLk=,iv:KhbU9qZI9VTw1eNfwrb/g0udeRSL8ZrLuR+8lOtMw4o=,tag:gPx1Z4UJinFxyy3ELU8R0w==,type:str]",
+											"path": "ENC[AES256_GCM,data:V6i2UZ0m6p0=,iv:GaEI7NWPs0cnuyhGePAUnP/d0r/m1rNfA581E4mI1Y0=,tag:54ayXhE4c3c2Q0pbUJiXaw==,type:str]",
 											"readYourWrites": null,
-											"server": "ENC[AES256_GCM,data:hmjuUTpFYJkwBXqdD7mzH+0s685WKD4lax/P7hrIV+XdVs/e+2RUkp5Vbbulv1QZ,iv:sgYXEVD0KEgFp4K5AML7SSYrd0z2xnWzJXPk8iZ/8/E=,tag:seYFDFeNVNQBMGcw5cDuXw==,type:str]",
+											"server": "ENC[AES256_GCM,data:/VKoI/aKEPbzkEwrAG30PZHMgP0TcBE2AHSYYo66S5+sg1RDU3yESZrHuFPK048d,iv:w7cjpg/TLB2QGwo5hHfss4eMWBTNh4/HDZ6TBN3ugXs=,tag:YsBQsvGG9Yj4q90/TdpLKA==,type:str]",
 											"tls": {
 												"certSecretRef": {
 													"key": null,
@@ -963,9 +1446,45 @@
 													"namespace": null
 												}
 											},
-											"version": "ENC[AES256_GCM,data:pWc=,iv:GCV9fjNM8XZ0I4dDtPNgmlWcenYmGRLn/RiSsMgIHYQ=,tag:P5EPOKVX9jXhFBatUsmSfw==,type:str]"
+											"version": "ENC[AES256_GCM,data:WnY=,iv:J5JcLqE4yVmcr4caKQeFqI/LSGvk0Pfo8m5BsUZWHa8=,tag:YDc2/8azZCZYJLhzQPr5Pw==,type:str]"
+										},
+										"volcengine": {
+											"auth": {
+												"secretRef": {
+													"accessKeyID": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"secretAccessKey": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"token": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
+											"region": null
 										},
 										"webhook": {
+											"auth": {
+												"ntlm": {
+													"passwordSecret": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"usernameSecret": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
 											"body": null,
 											"caBundle": null,
 											"caProvider": {
@@ -998,6 +1517,12 @@
 													"name": null,
 													"namespace": null
 												}
+											},
+											"fetching": {
+												"byID": null,
+												"byName": {
+													"folderID": null
+												}
 											}
 										},
 										"yandexlockbox": {
@@ -1015,6 +1540,12 @@
 													"name": null,
 													"namespace": null
 												}
+											},
+											"fetching": {
+												"byID": null,
+												"byName": {
+													"folderID": null
+												}
 											}
 										}
 									},
@@ -1026,932 +1557,1309 @@
 								}
 							},
 							"type": [
-								"ENC[AES256_GCM,data:n74fGL0s,iv:5qeOjSO4qVDDxpscDb5DhC6d5cWkxPz+XkVMzMDF7sg=,tag:CxpifW0GnkIyO5dSzZqdlA==,type:str]",
+								"ENC[AES256_GCM,data:dmOOQ263,iv:rCxon5PigIZf7YNbtkGD2ZcJtBthRSUL/dwRqozim1w=,tag:6uebhTQg573oGkQz2JUopw==,type:str]",
 								{
-									"apiVersion": "ENC[AES256_GCM,data:FIAds+03,iv:vnZPzYWXWyh0+vDeGGQj+qToAd982hwQXU9e6uSHgxE=,tag:1Tushg1ug/NmpLfcGR/2MQ==,type:str]",
-									"kind": "ENC[AES256_GCM,data:8UCETy2/,iv:8Ji38X2j+Yq5XTeffssDsxqpXaHhX4tCijEER7z31ho=,tag:9+qN9dRgZuAwOeOuFF6g0g==,type:str]",
+									"apiVersion": "ENC[AES256_GCM,data:Bfz2vmVB,iv:k6Zr/5QYpJLoAXKxYxp1YWj9fCsmj/w8qI5es1TnNIk=,tag:KKxL/a1AmCRKH+pIYh8E+A==,type:str]",
+									"kind": "ENC[AES256_GCM,data:ihl9Hn3Z,iv:sLQx3OVSqD18S86NFSvVqykLkxQhABRvpS4EgpA2R88=,tag:8OEab87LuKnaTs++/oKd5Q==,type:str]",
 									"metadata": [
-										"ENC[AES256_GCM,data:bA3/aaxT,iv:5Cz9FwXiB+KrzJY7pyoVa3RGTziG2gHr/XoLPmdjEV0=,tag:9rN9TXOWMLHHYWSk7QGbyQ==,type:str]",
+										"ENC[AES256_GCM,data:8ggbt/zR,iv:QTwLZlnPIIAU+Ef8MXF/FMl7AQRek5h6Js2n5Wjq9go=,tag:L0/Vqm8LFv5tRr3rFQfyCw==,type:str]",
 										{
 											"annotations": [
-												"ENC[AES256_GCM,data:ReLo,iv:3wG47Oq0Iw1TW+T7kML5FeELn1wJ0Ts7q3ypb457w7Q=,tag:1LyW/zgk9dXGcaN7AINAgQ==,type:str]",
-												"ENC[AES256_GCM,data:1sISaxUp,iv:9AF/eyYK0s2UK0+yxkHrniFpJho8e3uNPNNLScKmll4=,tag:c8Agk7IX3gHGEBmi/6Dbng==,type:str]"
+												"ENC[AES256_GCM,data:QjXl,iv:Pwiz0G3hHmSqvFTBG7CtMqgnsL+lXsQcowmgVP8+CiY=,tag:x2IwnCxbf988ZtrnGXUE8A==,type:str]",
+												"ENC[AES256_GCM,data:Mq6I1lhT,iv:YbBUhLjLFRwTyT4JwDfBm49UQX9qaWIWHOAF/0mDlaA=,tag:f3Q1Z/yu9OyFjSjj+sD7Uw==,type:str]"
 											],
-											"creationTimestamp": "ENC[AES256_GCM,data:MdUA0QIx,iv:j1IObp2lAabx0RR3G67AaGtfCOI73uRKOGEwRTysPIs=,tag:DOL3sPdEWlLH+TvcD8C/hA==,type:str]",
-											"deletionGracePeriodSeconds": "ENC[AES256_GCM,data:zadD3Bgk,iv:mXVhuad0t9qC+dRUjnbOjO03b9qkQE0+7DPvFtAyBe0=,tag:9UzLOvml9owIB6rPw8LqZw==,type:str]",
-											"deletionTimestamp": "ENC[AES256_GCM,data:XbFOaniS,iv:pwcsludu/tylEC9LAFzQqmNpp1+ooiTlsU6WvH50XBE=,tag:Umbp6s10yOcPAS5H0AAPfQ==,type:str]",
+											"creationTimestamp": "ENC[AES256_GCM,data:qO+RAlKt,iv:Y9/3n2WKx4HM70KrwTGFFsUZUrpihLiWDrm4WWWeScM=,tag:8F+tlNVXYI5CLl9bS0Atuw==,type:str]",
+											"deletionGracePeriodSeconds": "ENC[AES256_GCM,data:vkkhVwjs,iv:rit/XJkn7HTPCPsNWVESMo/Zg9oSuMYRxsd63sT95Fc=,tag:BnwnW3sPGoPU8N/wXtZsyQ==,type:str]",
+											"deletionTimestamp": "ENC[AES256_GCM,data:cLaQa3+5,iv:DJDnrUszGRAyqExnmh09kCSl1/gsldD9ezF5KnC8QgQ=,tag:nxuIkjLAxZw6M8BGCZdOGA==,type:str]",
 											"finalizers": [
-												"ENC[AES256_GCM,data:skV03Q==,iv:KFW7/CqxxZCy6SD6mg0gb/KaZ+cAMjCr6KcNXWLWi7M=,tag:dpo7D2TGDrnoM7hqrpBWTw==,type:str]",
-												"ENC[AES256_GCM,data:mfFWNfXj,iv:apbkloDSQF/yjyRx/dc+oR5odN4s9INlrACUgEnd82M=,tag:lOZ1iozG+pN3z9qRG8aRsw==,type:str]"
+												"ENC[AES256_GCM,data:4mYakA==,iv:9/jY68UWGB3mVVMhbNaBeVZR+B+nQL892kelUhJMWas=,tag:1LlOCBjLWGUyKOEEbT4CjQ==,type:str]",
+												"ENC[AES256_GCM,data:tE5YmL7J,iv:RtnttEmHaLwrj4KsR4MIt31Z70PpcVxmMp3hv8o+Lgc=,tag:9BRbieAlwsGahwvNE/TmeA==,type:str]"
 											],
-											"generateName": "ENC[AES256_GCM,data:YtqYlnZ0,iv:N0rApmwpjbGpM902hyiANjteQtfvkuO4IXFhZkvN24o=,tag:8HPCYICh5VAH4k6kcUabMw==,type:str]",
-											"generation": "ENC[AES256_GCM,data:/yDqkrFL,iv:ob0XbnS3qb4PJly5waprmduKwRCVPPBaLKqBbvbKwrs=,tag:TR4R1RzLl+vO91xPTdoLew==,type:str]",
+											"generateName": "ENC[AES256_GCM,data:k8ij8qQ7,iv:fCD5I0tIRVR7zHdf+Yb5UvzZuPMEx/C3e1yXFj/NPdQ=,tag:AseDjsaaKVG+zWMQsruYVw==,type:str]",
+											"generation": "ENC[AES256_GCM,data:csX7WFjX,iv:WaNRYt3/E4PqLSYkvNyIF29QrlVaTziQc+udvKFmLXc=,tag:bvwhAA+3xYmPU0Mqyrg04A==,type:str]",
 											"labels": [
-												"ENC[AES256_GCM,data:8fUr,iv:lvx354BocEkWHVuGKiAuhJgW58r9ihXhy2US/pCEgm0=,tag:fYXmNb3a3uY8uMx10V6raQ==,type:str]",
-												"ENC[AES256_GCM,data:vG3Smzbw,iv:856vqshu8MIX+zjtoEg6vdA1HsX8Gq4Br83MWolj2ZU=,tag:1vOl1wnHjJSiXTPTwFcPcg==,type:str]"
+												"ENC[AES256_GCM,data:jRHr,iv:vNMj37UNGmLN4Z8NF/BH9atJJoyFSIODbyqu+phxrOA=,tag:nyk0I9qe9DWP67/hEWPi+Q==,type:str]",
+												"ENC[AES256_GCM,data:oawBxLSp,iv:2z58NhYXZrbvFQQoNnAXtUZJzrNQ18JwRRB5kmcnXKA=,tag:IrrQM2iUv1tAjEvn9OHleA==,type:str]"
 											],
 											"managedFields": [
-												"ENC[AES256_GCM,data:4GxJHjg=,iv:ZuEPm8A5yE3JzL63r4oOugZAFp68XnhvHccAJltZohA=,tag:Ehsxet6RTCvKhBu90Ghgbw==,type:str]",
+												"ENC[AES256_GCM,data:A26TSsQ=,iv:f2oisfoh8e9p2/m66qhiP/DE44ub9u70n97Axxg0t94=,tag:6y0i3KrdR6vlJOjvNSFrgA==,type:str]",
 												[
 													[
-														"ENC[AES256_GCM,data:nZ5hP/b5,iv:NgDqFWKARJCTsUqxprLtQ9tjBdPUVasYclwmsNat4Os=,tag:YwhI89aurm8B3v90y6owZw==,type:str]",
+														"ENC[AES256_GCM,data:TCwPCbuM,iv:TPw+dq9QE75wvW2eYsXBUIBkL1MjR81/WIITBuhLfRg=,tag:oQRF8CI2OsyOrFliY1JyoQ==,type:str]",
 														{
-															"apiVersion": "ENC[AES256_GCM,data:/HvlFfiW,iv:5W4NgbsggJK3Qx9zJtiLJ9QAUfTXnoOnvWPaVDw64Xs=,tag:wxXfiDMANCOvNPYkEFwKjA==,type:str]",
-															"fieldsType": "ENC[AES256_GCM,data:xaLyoaLW,iv:4CWOuwQoUVc8kVPjFTTx/cT9obOpYYgZIIXnFmdox4Y=,tag:k5EEVYLthNNvW4PSNB7N9A==,type:str]",
-															"fieldsV1": "ENC[AES256_GCM,data:0Y8D4MF/uw==,iv:0VxHXX+s60RHH8hB/KQNi57lFdEHICHLnKAsa4ACIOs=,tag:MDlv8j5w9A3VnnE4r/df4g==,type:str]",
-															"manager": "ENC[AES256_GCM,data:zsFS84D1,iv:ITZgtiWPLiu8mZyrsSCTbJ2AUChdk8DgogGPfaQXDwY=,tag:0N0MmMf0S+wMBLkK21yrzA==,type:str]",
-															"operation": "ENC[AES256_GCM,data:kl7/ytRZ,iv:clP3m/dsBg9WLbpWr2/VlGhVu60pee7unm2qbnzvgBk=,tag:+XalPYPdcMVALAzP3Cdh8g==,type:str]",
-															"subresource": "ENC[AES256_GCM,data:GpXaqobb,iv:2zvwkcMd7Wp1shIZW/xjfsUFZHR7VNTty+FHIwLP/pc=,tag:vp4JiIa2y9O/UZVrfksK2A==,type:str]",
-															"time": "ENC[AES256_GCM,data:dC56wcVg,iv:EAH8mKgoOnpj5vHn5Axvzuwr0msr5Ek9FJ03Yk9kGew=,tag:ThAeRHNOe2f/nIrXVYncOA==,type:str]"
+															"apiVersion": "ENC[AES256_GCM,data:hDVqqxZb,iv:6QwGkw8CwPTU/Qe4xAuvgHw11d/3mipgnVjr7GG4jJ4=,tag:/02wEBFP9NVnmoX/ugQD0g==,type:str]",
+															"fieldsType": "ENC[AES256_GCM,data:yFaHVBoq,iv:X+bBFMFhhncHiAcps/160/cGzNqLEipmO4qI0xGPG8g=,tag:INbuZaVNLYLaVR7yeE190Q==,type:str]",
+															"fieldsV1": "ENC[AES256_GCM,data:883u7F2nrg==,iv:UoaKfSqOVSRaOsT8TmrY5vvQmtaxdcq5EkHUN/xHKVQ=,tag:zEnCIWM+SI8dxo2I2zlW+Q==,type:str]",
+															"manager": "ENC[AES256_GCM,data:REgaGBE7,iv:NfblU+IektMaXuSB0iEM5kUPMis1q/AREpL5p37Kdhg=,tag:4duu6T4NZeLptlcxx7I3yA==,type:str]",
+															"operation": "ENC[AES256_GCM,data:hUqieZ7r,iv:zhsOK9IrD7sOGc+1t1NhlXaNx275yzjetQ/RZVDhfv8=,tag:ey1A9VY2iFGgf/Yv1xWN4w==,type:str]",
+															"subresource": "ENC[AES256_GCM,data:SmmAe9re,iv:e81nho/HctPDafDODIc9m3/E2kdBy5s2QpQOe0rEpP4=,tag:1+dqjagi26+rRbY7QbS/Kg==,type:str]",
+															"time": "ENC[AES256_GCM,data:/TTEW9Yv,iv:TZaF5j8eJorqpFDHetXjzBbv63DU4mOxjSbYMXw9rps=,tag:6NBsaFKe4J1x3nrVzs2wOg==,type:str]"
 														}
 													]
 												]
 											],
-											"name": "ENC[AES256_GCM,data:iohuHeyJ,iv:da8szpZXNVpWrADHrH/k1ZBVaJ0ll26FHI5cfmlui8I=,tag:dXbUlUjB3bAdVHYQUjjEoA==,type:str]",
-											"namespace": "ENC[AES256_GCM,data:pAuwDRhf,iv:pcc8kskQ7fIzOSqavCG0fBIa2G0qBCWWV5fQ4kvPNRM=,tag:KQmA1jMaWg7voNHN66G5jA==,type:str]",
+											"name": "ENC[AES256_GCM,data:/CHK/Dk9,iv:fi3g4tNCH+RVv5BuUWYl16VtetfRJs/wKIQ/M/AT0Cc=,tag:4xodlcdlcR0cxk4W795YqA==,type:str]",
+											"namespace": "ENC[AES256_GCM,data:7t8PsVnp,iv:ovT1T4hJCHJLdm+J0wXXyaGtj4Cq/XSxzJOAlpqWJTM=,tag:0D7I1/hWK10Q18WxRfw7Bg==,type:str]",
 											"ownerReferences": [
-												"ENC[AES256_GCM,data:YjJ23A==,iv:kgo0Zj/ytPZTtdiLwjJdPg1GhvmlBegwO28mifgPEmI=,tag:NguknRiac2eLB8lafmYt5g==,type:str]",
+												"ENC[AES256_GCM,data:8olJdQ==,iv:8v0BdJ6GIK9nX9llQGqMkVHaCS+Cna1iadiJVuj1yxI=,tag:o0F8Im0/Y4kSlmsXi7JIJA==,type:str]",
 												[
-													"ENC[AES256_GCM,data:+4wQKSn7,iv:8BCxp9Uky5dDskTG8fphsZe4Wkeub6l+Es34ZtjPOLA=,tag:zaPrn+OEoKA0g2ZSddrmCg==,type:str]",
+													"ENC[AES256_GCM,data:cbJgnVC7,iv:roHLml1kkHyNbl/kpdGPrbFYNQcm/s4xQVyWXOYuW00=,tag:nCulN+iiFmIjfDUOpV8RmQ==,type:str]",
 													{
-														"apiVersion": "ENC[AES256_GCM,data:dySTmv5i,iv:6DYDL6Rh9RxJxnG6JMJqT+D2XqTnWjrX+KL9ZB48lBg=,tag:L6RCDq5Yob4f10BjaiUz5A==,type:str]",
-														"blockOwnerDeletion": "ENC[AES256_GCM,data:dwbFDA==,iv:pfev783aIbI5gM4tC3IvIwJEIpoHYYI4wm0UsZYRJjk=,tag:RQZFVAqOeREat2Vx+Amo8w==,type:str]",
-														"controller": "ENC[AES256_GCM,data:qn2lOQ==,iv:SSbzrtGbXfA8W9eOhwjU1TncBzdivBst+wqmzv1GAcg=,tag:L/ewKJN0FUNDjBKkAgLoug==,type:str]",
-														"kind": "ENC[AES256_GCM,data:pzasbZbI,iv:b6vIbutHhxKQRlg9EMfNK3628UNZnLOfnkAWon8WpbE=,tag:rVlRER/C5F9qSYjq6b+Etw==,type:str]",
-														"name": "ENC[AES256_GCM,data:Rdo05qMy,iv:ItE/zzOKv7jPWwbI73pTObwfQcRj36FzRVQOIgNq35E=,tag:cFSw83A3kClzTp25PL/qYg==,type:str]",
-														"uid": "ENC[AES256_GCM,data:mtgK2I+M,iv:AIpdyeGFy2c1Jwu5fhDXCAUkGzf8dY9cL7pfrb2/pbs=,tag:E9Xic/Z3U0f0ie7zx7OQKQ==,type:str]"
+														"apiVersion": "ENC[AES256_GCM,data:twtXpb8B,iv:YVocRbpSf0enY+HcikibqOZ4T5V32vzpkLgORvbyC4c=,tag:gDbqGARTKN9z8l0OrNEBLw==,type:str]",
+														"blockOwnerDeletion": "ENC[AES256_GCM,data:0oQVMg==,iv:wcgq4UI/WTuoh5QKJjM0Ro/jjYsaLq03itA553i/2lk=,tag:dPGBqXehVvei1xUYa+NEfA==,type:str]",
+														"controller": "ENC[AES256_GCM,data:3UqhZQ==,iv:q+Okx7SPzpj9Ae4Hlsv4OGwKtxHXnxPReh6GqKrDfBE=,tag:XjLYAB2qW5EHkOqGUf4qOw==,type:str]",
+														"kind": "ENC[AES256_GCM,data:lT8JfFxm,iv:U8Q1EiU7o9QpONYGZrci5ax4BVz16zt12gDVGk1EZCs=,tag:wpibHetJGIkfT3oT8fxZLw==,type:str]",
+														"name": "ENC[AES256_GCM,data:Q+Jq59S+,iv:tAd5stqEw36ghIsqJg6japM0nYSBrUmUtPOPtZFmM9U=,tag:jYxkhrPnT0oWNKWmUvDdmA==,type:str]",
+														"uid": "ENC[AES256_GCM,data:LjX3ojJx,iv:Pn8XWv1/eOtWzlK4JLq6yzeoj2XcXNRYOcamd+XtheA=,tag:gZgDRxkzmpPAoThYdz9k5w==,type:str]"
 													}
 												]
 											],
-											"resourceVersion": "ENC[AES256_GCM,data:y8ykxi7C,iv:qDzZa5gHplQs2YvW11Zhnl4Occmgq97L0m3ks8ASBs8=,tag:HmY2dPaUVJhicJImWq8egw==,type:str]",
-											"selfLink": "ENC[AES256_GCM,data:nszvMzgL,iv:OdYX+nnTuuPBjpLvosMUm5BVI6gQeMl41YttbL0kxbo=,tag:LB4eIypSiqh0oJI8pXSu6w==,type:str]",
-											"uid": "ENC[AES256_GCM,data:SBJfyka2,iv:/gRmGurWx7ILypdk1nPt3TAEXX6BsbQhRps+wMpbMWc=,tag:+MVip8yKn07NiZlpkwCkrA==,type:str]"
+											"resourceVersion": "ENC[AES256_GCM,data:QYdBxRWT,iv:ZGck8xPDvmChDGR3utHJ38bDmU3/rE5QQrbFrx1QJyQ=,tag:NjHI2FF4tNrJejuP+eoEgg==,type:str]",
+											"selfLink": "ENC[AES256_GCM,data:nwGGeV3h,iv:KLRtzYPqghq9rRNXh/fblmB+s6eYQuq5BfuTz4BKWds=,tag:9yj2cPCp9Q2zUlecS+HahA==,type:str]",
+											"uid": "ENC[AES256_GCM,data:lymff6kO,iv:h6cRds8hxhkCzFJTAoHEfUvz8qhrRCqIAKkJwjPCgkw=,tag:Yy+XsxVOl9WbB3Rz9v4syg==,type:str]"
 										}
 									],
 									"spec": [
-										"ENC[AES256_GCM,data:V+DqFNiH,iv:W4rqVHx4fPDhTan3Igxa2HPpNOchQcq+Sg8KsGWaXa0=,tag:OQm957j96adx3aviEVpnyA==,type:str]",
+										"ENC[AES256_GCM,data:f5kfppPB,iv:3cGSKTKF/i2GpiEAdwYL4qvXSR+ogXH/Yxpv3HWPDwc=,tag:kEYSTWUwv54xIAVPVZMZ/g==,type:str]",
 										{
 											"conditions": [
-												"ENC[AES256_GCM,data:uIHGHA==,iv:/fPcE9WQ0vKte44vxr+bvky3/YfFH0xDR2q0hGgvvhc=,tag:M9Ul6azVAgUdhuTC3oJw6w==,type:str]",
+												"ENC[AES256_GCM,data:SH4nAA==,iv:Cfa4DPBcKIGydQ8PW5SAJWzNy1T5limxSqJAmuj9a1E=,tag:SWtJKXoMRXMxYQNduczCww==,type:str]",
 												[
-													"ENC[AES256_GCM,data:g07kIDRw,iv:xzHGzrMv8TtGLQ+mkaR8yp5zRF3zA7YpBJ6HIEwjcDY=,tag:EW0KnUubXy1ltxhw+8vbkg==,type:str]",
+													"ENC[AES256_GCM,data:WIS94XtX,iv:39DYDZMlZrvOtCzxqu+daLCe8WRidUUUYs8RaYAkd0w=,tag:PDAgSeOlAuSb12fhDg6rfg==,type:str]",
 													{
 														"namespaceRegexes": [
-															"ENC[AES256_GCM,data:8gv5xw==,iv:sxWpOfCPdk65auzAYGinFTp+7Ge/jsXLQV9a6jYxcvA=,tag:vL2WDsdW5qrqM3s+iJfbng==,type:str]",
-															"ENC[AES256_GCM,data:knLZt5nF,iv:gHni1B5V9NfxwnTTzlPej4lh1Xjhan3eyXii52yVaUQ=,tag:RAg6yFDHaUuQfg8iGgbc6g==,type:str]"
+															"ENC[AES256_GCM,data:3ckQ9A==,iv:Oi4YPIqH4PVAdRoQYOXpyJiW4OWIlt9j5czoOTW5kRc=,tag:GgSLBlsVQDfyIbMrgijbag==,type:str]",
+															"ENC[AES256_GCM,data:H7SqOTUj,iv:tWV2Unolv7Xghg+A5Bm4s9fDiaIO8LxOOpbfzqKUg80=,tag:VUxwbReNW06vifSzWSFElA==,type:str]"
 														],
 														"namespaceSelector": [
-															"ENC[AES256_GCM,data:g0gaO4Wp,iv:T8thYKcEqLsJKgS15oBmD+PmTiVpt3cRBd5Jxzk7TG0=,tag:TKxdayucW66S9g44mNlsUQ==,type:str]",
+															"ENC[AES256_GCM,data:GgnX+2gM,iv:aTvs0k+KjtENqOahdTQ9FUXW3JLFQd1t4eposTcrpOo=,tag:oknqJGL48gcecPFjNYP4dg==,type:str]",
 															{
 																"matchExpressions": [
-																	"ENC[AES256_GCM,data:3Q2njA==,iv:ZDZs6Q/aBlwF6vroWdKjikNfyJZA0eaPORAtMOMqplQ=,tag:3NYF6fwiOoof7/xyVVY3rA==,type:str]",
+																	"ENC[AES256_GCM,data:O0X4kQ==,iv:LeJ9zgv72SRS4+0Oa/fW/aYcb27JpkspqP9pfS9t3O0=,tag:F/2RbttkUzugNOttTRraXg==,type:str]",
 																	[
-																		"ENC[AES256_GCM,data:DdaHxU06,iv:CYdqy4Nm2MAhS9MXCoYOagD03sFib58EMQ6WP8Q+ni8=,tag:r5nbfktLO0rznCwwe/snyQ==,type:str]",
+																		"ENC[AES256_GCM,data:PqQWW2yc,iv:GWHDv44y6nAqBCovNQ3oHj9MocPK3Imuq0zTt6wH1Kg=,tag:rIuB5VwIeZT8UBwDhlLjFQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:V+os7XlE,iv:2HvzLI3R1FEdPD+DNGDGV/cM+RuCIx783CVSyb6YCLs=,tag:QUDFOboBkkKodwY6wtEAKg==,type:str]",
-																			"operator": "ENC[AES256_GCM,data:P2oVeMBm,iv:lF1tGAIxnx7hJGfo65mbJAxaLU2N5o9P0ffvGHuFmFA=,tag:Gfvi1AqDT1IplzoDs+9reA==,type:str]",
+																			"key": "ENC[AES256_GCM,data:O412SNp/,iv:g87OwWysT6buiFEnveIgIfLULuswC4FPtqedN1uEK9M=,tag:kpWipGjGpXW7jVGDMZHpvw==,type:str]",
+																			"operator": "ENC[AES256_GCM,data:C9Qj9zpv,iv:jmGxUpF72xc1W48igjrcppgJBBj5BnhQt7ftr7L35cY=,tag:OXw3WPZarBsvNebRx8XAAw==,type:str]",
 																			"values": [
-																				"ENC[AES256_GCM,data:Lk1NzA==,iv:OFo2y8pMLL9GZ6f1B+Y6XTmbA7bz38qL/B/guB4V1n0=,tag:msHlD9VBP5MUzH7w4un5nw==,type:str]",
-																				"ENC[AES256_GCM,data:5ySBhfwM,iv:MnvsWSw1jlca5ukSNMCsan2QDSCIIbHTORcgM0n7Els=,tag:Mn7/5lxaPhvcrLW4Fd5Z4g==,type:str]"
+																				"ENC[AES256_GCM,data:/S1EGg==,iv:VtHoi3Os2DLqZeIClLB4w0IvSbcmpsombHMS7J9V+14=,tag:YQzuayP7ZKeBgXngAMYxWw==,type:str]",
+																				"ENC[AES256_GCM,data:UsKmb9Ez,iv:YDwHRnisj84DzigK1l9dZNtFILafFKWedENjHZpENsI=,tag:0VTDH+3NtS49UItC4TZPMg==,type:str]"
 																			]
 																		}
 																	]
 																],
 																"matchLabels": [
-																	"ENC[AES256_GCM,data:TEEV,iv:hMTjOTPiFjYwzM0i3vrVTjAsoPq3BqxpdHOzi1UfcbY=,tag:bKFZie5H66gtzVOO70ju4Q==,type:str]",
-																	"ENC[AES256_GCM,data:qQm/jJGz,iv:3edNvalNDqd6aLVONwZoXmaDgBvjVjX2lw6cCrvgouI=,tag:lZ4fvntTI4mM/JBlm/F1dg==,type:str]"
+																	"ENC[AES256_GCM,data:uZcH,iv:n1snKlhAn2tdjsJiTKxEy2uoM+kfYaZw9oBlUz/2164=,tag:NXOXicFfwEO0fji5GmevsQ==,type:str]",
+																	"ENC[AES256_GCM,data:Z55NeZKw,iv:9hT5YqpMqwEKEVunD8gPrFisHxIHc1mgP0oJTnIZwks=,tag:8JE7lrNcP/ThKFLlzFQCqA==,type:str]"
 																]
 															}
 														],
 														"namespaces": [
-															"ENC[AES256_GCM,data:gz3/7A==,iv:CW5uePH3o80b9gq3hOPOXywwgpaesHdhrykym725fuk=,tag:XJO8mp6WNfp42JRDV0ShiQ==,type:str]",
-															"ENC[AES256_GCM,data:K+ONLHUT,iv:1LMiqiR4q5yNp+Ls5SYH4aZr4SurxqK8Ljm131VeNeE=,tag:mBM0Rf/o+EWQpsvmMjTUlA==,type:str]"
+															"ENC[AES256_GCM,data:4TBSjA==,iv:6WsGY+QVbsfhdqkLHk35MFLDnk+zcLVP/yn8/Bh/m84=,tag:Orm2Ev6aFqMCzLH0fM94Vg==,type:str]",
+															"ENC[AES256_GCM,data:6Cjkm3sn,iv:pgRcddDVqlHEvs7v0x15HXBTHN1U7yqnWgc1VMGfmHA=,tag:0o1cFNx+BN6X0pejHDL8Hw==,type:str]"
 														]
 													}
 												]
 											],
-											"controller": "ENC[AES256_GCM,data:MCuFKR+Q,iv:7ApNnc/f021V96rJzyAXNj57uRZUOqVsIGbNqzv6QTY=,tag:QTa/5vUSdo3gWPG4Sltc4Q==,type:str]",
+											"controller": "ENC[AES256_GCM,data:N0h4iPPF,iv:Uf6KuReCJxtsXmzJ8ZbhVT8otvg0AIadbb9MpMpMam8=,tag:b6NnKwRqQHJe8mTIln44NQ==,type:str]",
 											"provider": [
-												"ENC[AES256_GCM,data:QZe9t3+k,iv:deIGltVGKNVGF0NY++mW/OgoWEAgL64kSSAj2rwCb6M=,tag:xImNOkLtPH2TufnZj6Bgvg==,type:str]",
+												"ENC[AES256_GCM,data:xl08yCeF,iv:yxw/KEUVc08dfi4KiYk4y8PvQ5J0Q5RtS9yq0c8rJ1c=,tag:vSUilS5/wt43AsomcyeYdA==,type:str]",
 												{
 													"akeyless": [
-														"ENC[AES256_GCM,data:eb3uQA9C,iv:orNYD2VTPWo1b42U14BIvNrZ0FXDnVEzCl0ke38EZ+E=,tag:QNtI5SuuNiWXrQ/7OZbP9Q==,type:str]",
+														"ENC[AES256_GCM,data:IO88gx4R,iv:z7dLPyEA5bRuQS9CSk3tlMK56f7YPbSG9vChDns2GKU=,tag:tsk3fAYW22qra7ZBIXeFPA==,type:str]",
 														{
-															"akeylessGWApiURL": "ENC[AES256_GCM,data:G/Tv/3Tn,iv:kJT0ffZYE3pEKasXbJVWE6ZK5zL1FAm6lZgYf5AhAOE=,tag:XBmU8wF4G6KpVN4ImMlEtg==,type:str]",
+															"akeylessGWApiURL": "ENC[AES256_GCM,data:VJkdcjdq,iv:kqEY+2nUtFLSHrvnVuDDzy89BD6BT51ygvCT3nbC+WY=,tag:vb3Z9xWGzW2NbUE6QODYsg==,type:str]",
 															"authSecretRef": [
-																"ENC[AES256_GCM,data:yjKsm092,iv:arM5nWJlWfUpe0APKA3d3TSmujiQgNVH6foJFzROMU0=,tag:ZGGNFC+zr6hnbqs00lN6TA==,type:str]",
+																"ENC[AES256_GCM,data:q3ZdO7ns,iv:PhK05mp7Xy+EPL9OMc4YGYSrz4J3Qfu0FeGDnVw3jWY=,tag:DfsVvxSGUYxXv4SuK7dqhw==,type:str]",
 																{
 																	"kubernetesAuth": [
-																		"ENC[AES256_GCM,data:DfBdKnV8,iv:DoFljC2CnRiEJfPhd0wMWAkTlMVYoj0ymnrWkg69N3w=,tag:12IqsDTjmkVgvuSgEnzlHg==,type:str]",
+																		"ENC[AES256_GCM,data:HFP8yYhy,iv:41GzPaaqAb1W85jFK9HSI39PjGX5G1irKbgVd5KtcUk=,tag:jf9EXy/6x/EN4Kj7PM7mQw==,type:str]",
 																		{
-																			"accessID": "ENC[AES256_GCM,data:+TOH31I9,iv:7WeBHYCU71ODu1mwlsaL0WU2X51tUHeWFfzZHItjgkU=,tag:+YqkgbTjBXzrrKUetTXDbA==,type:str]",
-																			"k8sConfName": "ENC[AES256_GCM,data:o6tw7fUM,iv:yB29pDW+WEf4Tcaw+rWKAamtuIjaMbWVDOXTax2UR+4=,tag:kHry3IMX17cm2PLerVFUQA==,type:str]",
+																			"accessID": "ENC[AES256_GCM,data:HGgvbm1V,iv:j8QOoVvOwXPjdczq8wiQA2UWwmXna3Hk3APV1EgBbRk=,tag:aIVlhh+MpiLTSFPYhdAvSQ==,type:str]",
+																			"k8sConfName": "ENC[AES256_GCM,data:UJbJXHpu,iv:IOO6RyrBdYRuqaN0HU0bep6yf0KXZHFIxM7cOA3xltg=,tag:4kZQOj8A+4C8WdGMPGdeWg==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:q594UGS6,iv:jcEfp7YF7z5pA9jhiXgY3Y6Pa8fiPrvilp8XssFBjFA=,tag:0BM5eYvIThf7G+b2o0inJQ==,type:str]",
+																				"ENC[AES256_GCM,data:wht/VYkh,iv:gc/bF7yYKhSgjnN0gFWZuB+gPrOQO5FHxFr7vR5a+dc=,tag:HN5lZaFOop1Ht2CJpsFK7Q==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:Ysg5RQie,iv:E44lCRo3vVuItjeZa0u5FASQNqfFjHUtt3c2lfPQDnU=,tag:T95EwhLA4AFm8ZGuKedRdA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:ym38uG8G,iv:aG4m6mNefJSsXxSGwzfbt6EfB+QXnRT31w02JJWdy+k=,tag:/9wC1+v3fi0Zrp02iodzAQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:NzF5XgBx,iv:CD8HHB336vKOZUVL9vIjmwxZ3nwjosuBsyc7ONLW3Ho=,tag:2NFXw9dMwZnKXzWvcSFG1w==,type:str]"
+																					"key": "ENC[AES256_GCM,data:2kn6y45K,iv:Emo8aFzWxpUKA+Op6F4UVcTKdz6yHQq/eIFGem9Q2ik=,tag:mwLCAKB4VuNILbstpY0DWA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:lAoDMqXT,iv:x3naWLJ8muVTmBBxCwUt/yEvKsIAuPVO/zao8kK2P4w=,tag:sp5I0gUXHTsRkK8uukF4yQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:q8Y/n0l2,iv:EzO5tky/cJTkOvw2orc1Tz6FTOo8OlRJO1DMdUoJacA=,tag:MFEgVUkrxj1v4h4EVVJevA==,type:str]"
 																				}
 																			],
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:Wvhtse2Q,iv:I/SVEgVKpeBJiyyrn8aHDxdOtN6XFdkbRKykQZrZiAo=,tag:YGlsBJeMKV8DI+801I2QRg==,type:str]",
+																				"ENC[AES256_GCM,data:9l7Fz5GH,iv:roWTM+RoY6mr3j4opB5MX/fVjQZVCD/n/mSmFJJvyCU=,tag:VVe1MSAbIPNz8SMt5znOwQ==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:LhwtVQ==,iv:DtXxAJTRvGwBe886aADcpJ0pYHqacNhKDTShBTakNL4=,tag:6JwlzSEioqSjcxrQgeifKw==,type:str]",
-																						"ENC[AES256_GCM,data:cZsZkjUV,iv:qzm+QIZpo9HqfPVApMnesnk1ODtY0mw6lbdBZ7iOKCo=,tag:BPsp4VEP5qfFRLix0cSBiw==,type:str]"
+																						"ENC[AES256_GCM,data:XmFSQg==,iv:XSi5t3fiw8DoOTiI7Dwav0YGXBNUpFzu9/B7HpBV68E=,tag:TmD+GMcSylhDRGMMyjmeTw==,type:str]",
+																						"ENC[AES256_GCM,data:TrZvOGR1,iv:5ew5I2tOzNXU6ncJEvp4btJIlsksfuZUgeukwCX5wQg=,tag:IjScqH4X5dDexDcSPGAYiw==,type:str]"
 																					],
-																					"name": "ENC[AES256_GCM,data:efhWiVNi,iv:qxZOexFVs7MvtgQ072VvB0ckKZhXzi+mUzJhotdoMgs=,tag:vq3w2UzLPck6Q7UtBRMnIg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:S6kNo4Ny,iv:jByoIc+KKHOZ5SERWn9CzF9OEQdGF7I+WXNJ1RfbqUs=,tag:86CX4b0a0+VtZDX6AKzhvg==,type:str]"
+																					"name": "ENC[AES256_GCM,data:Xcp8Jdyd,iv:KZyb8dEphbX4Yfg3BQNRBVQUiM9IazJlZcUKI5mkqQQ=,tag:Gttie5n/euQ4tkn3tT7GMA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:orPjsN+w,iv:I/urSQSH4iCZGE8O7g7IgS2jjT6Yo8pAAT91+38Yp9Q=,tag:sF94VhIfJDl6B5V/9/5fag==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:NLDFy5Eq,iv:+z8XDdlGDBQGOBjXm9BKxsN6/geZsJ7gUQaWGLahjc8=,tag:ycQWy9QhDPTdc7BOme0UFA==,type:str]",
+																		"ENC[AES256_GCM,data:XPQOuk3B,iv:GtBPCN1qMQR2/yD17iNL7zu4Np4vECpokjdUpjYwZXY=,tag:KTFrQ3XPV66rL+GlAVl66w==,type:str]",
 																		{
 																			"accessID": [
-																				"ENC[AES256_GCM,data:hC3n4OVg,iv:8GFet/96bRPXn2sV/wU94AM8zFWMgZZ1FBIv4VtTgXE=,tag:Ixiw/jLkmQOh3wmLTPjw+g==,type:str]",
+																				"ENC[AES256_GCM,data:dJFPE4/Z,iv:6hj1BdclZPaeg9QUQdvzyVBvKnZcic1r0474kkbVSi0=,tag:VJ7dJSDUjCOMBrYM5N0S5A==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:XuJreaPF,iv:KUyIaTLNEp7BBM0Lwb5vSoQxuhaJlDbq/HP45qegLKM=,tag:YnoQnLzEmLdvAYQcpT7pAA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:ih7LTT1k,iv:zBRLHfkrJ3YqaG9sE3WUciwbu3ss1YjpZYB9fiFFOb4=,tag:F/7h/zNAZD/3CwZt2OEbSg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:PaP44S0E,iv:Aij3eXGrT8f2HjpJbEo3UwrZ34QIR4bTa44k3X1p3zQ=,tag:dlLiEkB97G6qmYSp/9Kzbg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:urpYkZyF,iv:NNYI4eJhaXA89Gr2TYqZKcsewBYHXxZR6oN3NcHGFvw=,tag:oDI9JnQfW0MK+n43hjLLzg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:LVV1/S4N,iv:NNWs7Tj5nXKNmEjePM0Bi+/xd7QcW5jMPtuygZCppSk=,tag:39siiT4MhwfA5ZRKAy4RKw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:HgCTdUh/,iv:YwG0WhOcNi06TQmchdpU/TFas6eionjcnLix+ruXT30=,tag:A3a9N/VgKCHaJMALBM0LZg==,type:str]"
 																				}
 																			],
 																			"accessType": [
-																				"ENC[AES256_GCM,data:1OQ5n1XM,iv:tiP1ajAcXJuB36DsB0f3w8aG/sYoOKE9QKUZ2UdkqlM=,tag:vmnwNcjXNkb0wqeE8xVXGg==,type:str]",
+																				"ENC[AES256_GCM,data:g+ST62t/,iv:FcZ+MEZrnZCiTNokPescbDaXnnYYjykqZI7x1RnccA0=,tag:zKs+id5DzteUZPE18nlqAQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:oaXP2c7W,iv:/muXcjWXd3kPUl32O2yWBCFEA5YyJJY4/gLkQDtnyAo=,tag:3l1qe97ntehjNPHJgJRKxA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:HA7z1FNv,iv:+EiIfdXf8YCqxL1jq28Kva4S2donFDPPUFyPMqnE/CY=,tag:zYQuCImvb151rTRQNc2ZMQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:5a739m65,iv:yiN5wq1wlssE9LXwYE6PWBJVNQOKPUHMLRfDbvwEaS8=,tag:1lCXyFy59VR/vNwpcPILCQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:szUbBPTa,iv:Nmwf1PBGC85ZHMijfh8b5/SJA75lKV7SsZKnyr8YVoI=,tag:p7UFVIFnnhTsWIJXb9pgOg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:7kiPPzD5,iv:4APfgvOvDOHfz8Ogs7rEAnCquomsHgs9csqhCTOc+5Q=,tag:+39ePFZasGZUiMvwhd1nZg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:Wee36OSl,iv:9dEr8yD0wtbgMqPETwAX60Mh4mPtarVT0j6oNuvapOo=,tag:YgFbMMenbvka354lKrBGlQ==,type:str]"
 																				}
 																			],
 																			"accessTypeParam": [
-																				"ENC[AES256_GCM,data:tet28tqo,iv:iekK3R2dY5P9HDGa+7Fig4F63dx0obRAJSt8UAYs8a4=,tag:QBOlRn/kBs+ycyahX+7+EQ==,type:str]",
+																				"ENC[AES256_GCM,data:EI8RER1v,iv:ddlJEe9Ii/A4QZEj//ugWUOdt9Hal8dy6VD1KbKaE+k=,tag:5D/f3M9LVnY8dcG1T83YIQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:r4P1ofPJ,iv:jlpm+XBaa9XLtpeL6hSvuoD/H2ULi94XuF8VHVyHEAA=,tag:/rpqEShA5Qtqpdb2pr7tKA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:2yG+vP5i,iv:Bv/0uZocaD5j/OVfzt3BhUzyJw36sOuXGrOUqJNHtF0=,tag:IDlSZL3Wh8ThoExQKoQwIg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:obaYSCY7,iv:/t37hJr48O/DxzJ2GoIVObBi+SU0NgbMk3omr5Lptrg=,tag:XFHJKVbPXl/QddBTaVj14w==,type:str]"
+																					"key": "ENC[AES256_GCM,data:IGGgh63D,iv:UGWc3qkPSQ6ts9PwnYQu16ODw6QOzlUe6oP3kUT3J/s=,tag:MFgfN1iEIN5DiR05jGkKjQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:dWHf1W1e,iv:eKY9dMlIF6gBEZMQhOgaU/poDok/C3racu+d66GCdwc=,tag:FS3GoNkEjCvFwJAB9J2EqQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:+QVoHo6H,iv:JwO92UTByAT0WASY6Gm7k2emI4s6G4JD6uJ1Jl5BlFg=,tag:2GzQubbEyiEsDDZbrYy5ow==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"caBundle": "ENC[AES256_GCM,data:mccR3Qgu,iv:8UIIM5qCPBwrd3OVLbaeDfPUTIpXduEw1pUrJX0+KfM=,tag:veYmzQl2ndoSQCwl5PXZCQ==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:n/6DqpG9,iv:u/UUY5kmXzEKhe5BJaLMWbNBbVIdRBAOB7Qmk+s23Js=,tag:QPcxKwO7DZ7x4sW9Oy63VA==,type:str]",
 															"caProvider": [
-																"ENC[AES256_GCM,data:f2l7BfCF,iv:FrK11p3s8Q9K0o5Y9fOrwTyzgSZB0y+I6l86ZFM+ARI=,tag:LrrEpzQfnJHaOIgaguwt1Q==,type:str]",
+																"ENC[AES256_GCM,data:RvxQNmPE,iv:BdpFIWLWBlflQnivh1OKbTy2rWLVpxxodpD+lBuM06s=,tag:JgOVx2yo6Iq1O2vfJu1z/g==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:XRIM72t9,iv:eQYuD7fNlq/X4JtfbqE5bhKRzcC8HIeMqpBd+jezAeU=,tag:GvP+s10uEWPUL2MWwCTbDw==,type:str]",
-																	"name": "ENC[AES256_GCM,data:l7JzNmkV,iv:qyIZOJnUpu+LlT6AEoyOiFvHwEvexIfRr0alq6T6w3k=,tag:a+H5tYsMzJeTJ8C6642fiA==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:KDOt8sEv,iv:ZF9QSVJfnQ8aH4TWcJX09r4UofriiY2f2GXgemlNX1Q=,tag:Gg8o4R91HBLoCS9jJKtveA==,type:str]",
-																	"type": "ENC[AES256_GCM,data:teLmyP3J,iv:m90pxQLY4X7d6NFSNv2bGr0LKEI/YtcbgwBjRoIQYx8=,tag:fLWnIIgh3lbN0jrDsfBNQg==,type:str]"
+																	"key": "ENC[AES256_GCM,data:hoCqeVeX,iv:fyV9SQJ15xWUCn1CuqhsDKdYN5Zy9Mv8gCCA+iA3YnI=,tag:+rj2uBJabjwyClAZJes80Q==,type:str]",
+																	"name": "ENC[AES256_GCM,data:XsEu+AuQ,iv:04m6JamhTjlhxUFv/x1k84o7xG01ovY+ET8IVOiQVTo=,tag:adCDGOB8DofI18avjn9Z2w==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:UQOSg7OG,iv:47mIVro2RpHFbOYtAQU56YJ4krV+Q+rBKnDkHPUtn7M=,tag:QxPjhkfO5kwA4ckF/CBhsQ==,type:str]",
+																	"type": "ENC[AES256_GCM,data:4d5tv3w7,iv:1npCf29UcCmnJ8vA+xYv/D29KPb9qhTN2l6jEs2bbIU=,tag:k6a0JYWJU4wm7przYOEfWQ==,type:str]"
 																}
 															]
 														}
 													],
-													"alibaba": [
-														"ENC[AES256_GCM,data:V4sX7Roh,iv:0Kua+TMpNOAQtduscl1RaCZ8UPYTUVgtva+G1GIy67k=,tag:HDj4Fsv8ShwckT5WALqcZQ==,type:str]",
-														{
-															"auth": [
-																"ENC[AES256_GCM,data:Nnhi6CSm,iv:gdEG/AXWlJvoWnunEz0WJt5hp7QrQ1ZG4kwQN3ofY3o=,tag:hvSWVs1WTrQHe5dAfF/+Xw==,type:str]",
-																{
-																	"rrsa": [
-																		"ENC[AES256_GCM,data:CrIgoVU1,iv:8Q6Ie+q3VxkzBzewYPzmiGSLb9g5/p/3QZzkeSMSI+4=,tag:T06glojXEzJEMeVpqsIfjQ==,type:str]",
-																		{
-																			"oidcProviderArn": "ENC[AES256_GCM,data:9o4I2iVb,iv:wcSD1kryEOw3IosAOjOJrsfip6Uuh0X8l5+g1iycAZM=,tag:A4KhLF0DQdZelHuPGoJJCg==,type:str]",
-																			"oidcTokenFilePath": "ENC[AES256_GCM,data:1lO05H9F,iv:XIasSZTbF2FuP3Jmy62QFPZX5myLrql9hnPZ+2OmCjo=,tag:Vv0K94cgUi9oqYMF4X8aIg==,type:str]",
-																			"roleArn": "ENC[AES256_GCM,data:sPx4O172,iv:VG0zPu/T+rce1dC7MLSXS53B/JWQpmc8dqJb6ZBjVLM=,tag:LZcF21wnEslSV24V8Y9fWw==,type:str]",
-																			"sessionName": "ENC[AES256_GCM,data:cqUYlM5q,iv:tMfOrvUrGXpjw5zTSg1HlV20pdb+dkd00XAW5P6SuPI=,tag:x3fymD5xQgxcvi1yPCKlSg==,type:str]"
-																		}
-																	],
-																	"secretRef": [
-																		"ENC[AES256_GCM,data:moQIcQAI,iv:nrh6XApTLol5qIPzqKT90m1KNAYQw5HVGptSvex2Ga8=,tag:DsEuvR+f9npPhA8iJSS3/Q==,type:str]",
-																		{
-																			"accessKeyIDSecretRef": [
-																				"ENC[AES256_GCM,data:ZJI1Kc3G,iv:9blrdLh3l0cGW6Hi/WMUAj0Z5NxQBm7d49hiaPjGul4=,tag:/q0+tI1W2eQ3LvBFtQ8zBA==,type:str]",
-																				{
-																					"key": "ENC[AES256_GCM,data:EH5T7Vfl,iv:8XrJIvjyvLL2IEPRZ6RsV1mx8XWzTq7khl0qJ6InW1s=,tag:+iDvbE0R3hX9Lgyz/ncZ+g==,type:str]",
-																					"name": "ENC[AES256_GCM,data:IiwbYXR1,iv:8EINYaMtiE6x+2rAtgbINRYxdZknYSHEbhZR4CjYWBM=,tag:5n+trHFOa4VcJGvLaHft+Q==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:gNC1Fmqt,iv:FL6A1MLpT/XO3cKc2HmcyXHpr6i3cza0UrXDGCwIG2E=,tag:3zl4eaX/fd31e3emFby8rQ==,type:str]"
-																				}
-																			],
-																			"accessKeySecretSecretRef": [
-																				"ENC[AES256_GCM,data:LTJ5wFMc,iv:q9x1upXE/jbqg8FC247u9O6Fhss2sr1If0NpZfR5gZ8=,tag:Lf/+JU0hmlrhTgIQxefhZA==,type:str]",
-																				{
-																					"key": "ENC[AES256_GCM,data:O3fQP7qt,iv:XYUaKruyEfli3f/aThZ/OK67Z9InKrSP7XHqPwAqzL0=,tag:R9kxmjFk2jX7pAmc28+oUQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:+sOjioZR,iv:D0NwGsqcPEJOLtUZTdrCgPIaM9ladqyA/jbbcT7eUKg=,tag:TAGXzdkUqCehqOuJMbzQyg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:P5EkSmoF,iv:mqnTjvMM/dfDp0v9OC1pOUrjhn2OwM7SHUaqnw+cy0E=,tag:l5gseiyQay3PdRigHVg6tQ==,type:str]"
-																				}
-																			]
-																		}
-																	]
-																}
-															],
-															"regionID": "ENC[AES256_GCM,data:hW/kKvvk,iv:0chg1dlMwucxbCY38k3WN5SkI70LGR3gWy45JUqb13M=,tag:2PRTVImNtRaxUSzj39+O3g==,type:str]"
-														}
-													],
 													"aws": [
-														"ENC[AES256_GCM,data:rJfC3lDt,iv:NjKxJ4r7QFnFsjbj9CxZwjGrBejc4OTb2VZb0n2c5S8=,tag:peZFHOxD8JNMeB8D2MXOqg==,type:str]",
+														"ENC[AES256_GCM,data:Wiax90do,iv:V1lf5Gz6Wrj4aAARNW/IyIG3b0KsltRf4qFvQrEfseE=,tag:DzRvf7hGNekBk38lGm1gjg==,type:str]",
 														{
 															"additionalRoles": [
-																"ENC[AES256_GCM,data:UUL8gw==,iv:OR7/A+T/2oI70tZchrwFupStYtPuuFQKAsSZxP1GT+I=,tag:+tfigCzqI3Unqc9zZW6XVg==,type:str]",
-																"ENC[AES256_GCM,data:TgFY86K1,iv:gND++iwUXxyht1MR7WgjpXYfj0H/SKxmvrgeX2T9u+A=,tag:AOLYvE4wtMaalRWmDE60tQ==,type:str]"
+																"ENC[AES256_GCM,data:w4wv2Q==,iv:msFbySC1nTP/egoABIPiJw0hb40S94Zq/PDyNCX1XqQ=,tag:W6gQIitSfRLjHRUTMCmcmw==,type:str]",
+																"ENC[AES256_GCM,data:AmZClnZs,iv:M/Q3/g/RT675ydCnF8jn9Z1k9I46ipOPi43X0Ec2J80=,tag:1UkhX0qAWD2VcsHR6UJfDA==,type:str]"
 															],
 															"auth": [
-																"ENC[AES256_GCM,data:dyBV1mBu,iv:RNo05W1i4l5/FaOpk1/T34bqgfecrZfaKCf/CJnos1Q=,tag:LqVLAELQ+SxRT8NyHAYj3w==,type:str]",
+																"ENC[AES256_GCM,data:caBmy7PG,iv:ZhuC0T1ZVMrTp7gS5INYxIWZm+0XHGie63emTAxUl8w=,tag:uCAVc+OwwtH+skWpeKm+xQ==,type:str]",
 																{
 																	"jwt": [
-																		"ENC[AES256_GCM,data:/j98fjTZ,iv:194kcAcFywB/SPX0HKkWWBNXhYlll2PT9+D8l0g0s3E=,tag:oeOe8Ul7pWJx/LgKho4UiQ==,type:str]",
+																		"ENC[AES256_GCM,data:E6SRb968,iv:4kpJ2oVyz2kwwIClcUv75xVF64rGlTb0dkfPGFwd6O0=,tag:soQLwb5bPuRd3LRynzVIrA==,type:str]",
 																		{
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:pXuEmrUC,iv:LzLmpfoDMt6oJfDJD/xrxUjrWXVKj7G0afoZidDEkDk=,tag:xKQHfOoGJthxomrV4E1a7Q==,type:str]",
+																				"ENC[AES256_GCM,data:ry66+xjJ,iv:5ZEis6vyS7BUzbzMOlN3GkN+Tw6Umez0Mv9G6zE/ArU=,tag:lV0pYKgKaO8eC1fWAlkq5Q==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:uEJTLQ==,iv:3y6JoJu7Yohqnsx+eiqmT5hmRO8hY+At6gPHBfnrozs=,tag:1jTzRUaIZu2gZsm3AZhebw==,type:str]",
-																						"ENC[AES256_GCM,data:qrIvAFFg,iv:o7uKTfuYPAr4i/bhVdT8SN/xvQNeaH1/p4jRx/KKwTM=,tag:/YyYyjmYX0moOZmNpHX+Ag==,type:str]"
+																						"ENC[AES256_GCM,data:myegXg==,iv:jJVCGi+1ZJq2i/dERPHqABkxmLYIZDY14I+v9y4IKU0=,tag:0YI1Kx/43L+ABkS6E9AeVA==,type:str]",
+																						"ENC[AES256_GCM,data:8toXJa5H,iv:U4DS9PCie7x4uvBdggM7SpeV2nUNLyLNbfb5FoBBK8A=,tag:cAyJ7MlpuaHFQjK/CU0w6w==,type:str]"
 																					],
-																					"name": "ENC[AES256_GCM,data:xMsU8Jv9,iv:Ihj7PTR8NzeI8N7P8rcTIYcxlNbxq3cT1JVPk6gUFEo=,tag:NheDCvsLVK2LM9qwk4uyzg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:Tt8Q1idh,iv:JxgDwDNF7/Sz+ZyJjdmDw0kuLTINdSib+MzCX4ZWANA=,tag:THNmjnT9InInM8zyQKJO3A==,type:str]"
+																					"name": "ENC[AES256_GCM,data:Vla1Ddg1,iv:pGoDBOhUZFeC/gJuFw7OwNJpdBgsrGnCCPTrhir8tEE=,tag:fuowScqtkvCC1azgrbaMAA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:/Ac5xJCY,iv:ec0iw4VFesXYnOhR9t/cV3g67SBHsLOy7UxRFmKjmNk=,tag:4HWFmJeuhdf3ZVDEk2bR+g==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:go2cBXl4,iv:Id3Y2opdyxiIAKzx7iPi5O5CGQYkUumlQesvjUUtE/o=,tag:s+BGNdOg5QC3YCHomqpDdg==,type:str]",
+																		"ENC[AES256_GCM,data:FhdEGM1f,iv:hruH++Vn5BUGmZr+oDvOxoFu63yGIF/GavkT7Y1lguE=,tag:THRhN6/4S37IJrKGAOdxNQ==,type:str]",
 																		{
 																			"accessKeyIDSecretRef": [
-																				"ENC[AES256_GCM,data:UeySO084,iv:nKeKZTLc8bSYhkxHjn7ovAq8CBgxb8brNCu/pEMbkAI=,tag:0QSZ0vo6u3b4kKdMPh0F+A==,type:str]",
+																				"ENC[AES256_GCM,data:g7k7ysl6,iv:8RXxudy+QSRc1hTJOJSozbzXM7QZiN4k/Ypp5i9JtUs=,tag:r8mtBYvCuA2rOf9vZBb79A==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:eCza7YdT,iv:MEMy3AvEr8BbL8uIB2Mf3mfkHoBniFeuWkJ9UiCjZyg=,tag:eoIF3mg9ptZ46InoAc6BLA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:IHfhLk9n,iv:aq48c1CsLvhvifHJx/lOwYe8ULIj8pfGaolQdc82vDI=,tag:Z2ZbXNb5UhG1D8NjkkgJbw==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:QYPdKWOy,iv:zTOkLI0MjdWsKob1hT6Bx7idumjTpPNDjglatymlOSY=,tag:YsDJbKPS0OrfiX5M8jl8EA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:bfXd9wpz,iv:CePThBmFJuQbrp4hN8CHU+t5g8SYvsmZm1cmrUDXoZ4=,tag:W4jkZVJ1DrfIXHApwHlYHQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:d2wTKkXW,iv:5pHX9IaSR0RsPctCOL9GASjPaSKh3OkrAd97eBmO5nQ=,tag:NJkOL50UQFdFkr1UNwm9fA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:yvcl7tBp,iv:aZP+qCg6bMGneBXNvUdM3+i9olYA6S8q71HG4dplyT8=,tag:3rSD8ofl6UfRIN+K123ngQ==,type:str]"
 																				}
 																			],
 																			"secretAccessKeySecretRef": [
-																				"ENC[AES256_GCM,data:iYPk58Co,iv:gOc3eq6SqEPq9WpU0rvTGW4qiypKmgX8ltk5Fg1zllY=,tag:ScrNCj6SUbMfE9qo1Rcz5w==,type:str]",
+																				"ENC[AES256_GCM,data:g9LjkKyW,iv:zRYlLksR0MPF/yzON2YjSAfeCn976R87yDKJpHfQr+E=,tag:SHHusE4985pNnwVneNGw0g==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:0GqJJzjw,iv:8NvmemZ14IVYgSbyeBqTLRNS8rrpbel3uGrGlixiNnU=,tag:b9N6VS3HeNldWGftuykROA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:icVLCqo1,iv:x/lpX/JvJNzv+dtbC+GWOanbAG0scuFaRH9wxM1bNKw=,tag:WXInsBVAno7VCOAb2uI1xw==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:W+tFyDvI,iv:9FG9oUVfyE0eJldRIVtE2OPk3tILYl0abBT8J1U9Zkc=,tag:Z2jq5eQSZqGanCfmMIMhmA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:XQM/TdaR,iv:k2CIIEd+M05tAKodkOBcUKh5A9JFuJKcxA3y3iAWsYQ=,tag:HFRnfR8IfNmgGyXpRLJ9rQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:6gEVQwFQ,iv:XaM9sFOuiZ/eOOXGQDRSMT7yXBk51A3KAr7jyh+4b+Y=,tag:Ip7xRseEGz3Dkpb58n+94A==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:uJfs1CV7,iv:riMftczq+4kAk/uW2NP73B+5/q1Ji6B4ryfOnnMOaBs=,tag:vZ4UXYlvC+Bg1ifddOHbdA==,type:str]"
 																				}
 																			],
 																			"sessionTokenSecretRef": [
-																				"ENC[AES256_GCM,data:uwRZ4730,iv:otkMSURNi6HIiH/w/ViQs3lyt+sTBBwxgtN2GoMD72I=,tag:+hPso6LSnc+7E95FJ+CLHQ==,type:str]",
+																				"ENC[AES256_GCM,data:xByv0OzW,iv:WDEvJb2YhAilSNMbb51XjNL3Iwni0/A4AWBanqdT6DY=,tag:QPOfe24kRtquyI1YOEtPUQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:nWMIom4y,iv:H/WsfEoxNlieKm158gQHjNX5ujqgvPsBgLByadqIUek=,tag:HS4OYZhoIu9cDzAUJLp44w==,type:str]",
-																					"name": "ENC[AES256_GCM,data:74VGfLzb,iv:M3Hx9jGyR5hwzgH0gNKT4FhHwduI0CDByOZxmj9bjFc=,tag:zJw237+spspgQOV5YfWZgA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:EzMSJlG0,iv:1jxIhYzEAQmSlvG4V/zAvcWZbCOKVMv6JzGSst2RR9M=,tag:VVdNLcZFYQwr/1woX/d/Aw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:29WHXyXZ,iv:36bCll4jTrVq8mWUdrjcVt3nSpq8WK/Wt+NUH7RXyqE=,tag:4CMN+yaiu+WfAhcx4wcGEA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:HVEvWWit,iv:HkVnfjri/1ubgODE9l28isWGQVapRbKFAHyH5UWMteg=,tag:RjM9rrvp+OLHRUC5C+p3ew==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:ID+Z7clt,iv:vibKaQffiXLyseqeoU5hOtVrdsYxdpvjb+dfB35xckc=,tag:2hZwfPtdoh6Znj0eR2xDeQ==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"externalID": "ENC[AES256_GCM,data:qK1os0Oo,iv:GSYIrGoZxCY8Sic+skO9lO3juNN0a1VBJBjk2R9efjU=,tag:b1FT6jifFLozRBYKAQDdng==,type:str]",
-															"prefix": "ENC[AES256_GCM,data:xMMd6xfp,iv:ys1R7fz0Bqq0Zfl4zdpO1Ogf4YTEpU6LIGHoPFsqLok=,tag:qV3lL4eIg8wpMht4vp/a2g==,type:str]",
-															"region": "ENC[AES256_GCM,data:YC7vAARo,iv:fqcQeWifZOvR4OAUPoebNUfobG7G0sF5DYBw5qQnytA=,tag:d5K43S0TcA/jTx52zdrANQ==,type:str]",
-															"role": "ENC[AES256_GCM,data:O3dY7jvd,iv:EsfvZpCOlUC7yVyPu2wGQotzBIoIi8/WKoJdEhbxjPA=,tag:yS30a+dSxPlOs+UVTUtOFw==,type:str]",
+															"customSessionTags": [
+																"ENC[AES256_GCM,data:LOZG,iv:GRQtKgMsKKgucC9Q6c0Ik1czcan2nZz0vwiAInQchwo=,tag:3PRtVDwA4CRrvVG4XNXqFg==,type:str]",
+																"ENC[AES256_GCM,data:xZ1OGErM,iv:xQ3+jyek76zVLvteM3V0X4NLhX92ND6lTVobijBBkHQ=,tag:2A3nbquMdLPogij89MSfvA==,type:str]"
+															],
+															"externalID": "ENC[AES256_GCM,data:/I+GBZNw,iv:eHXzlgIc9fioj5/1IcgDwwwWu78nDvP5cLal7vTP8Y4=,tag:VrlcZUSQ+Heeyc9Nt2X56g==,type:str]",
+															"prefix": "ENC[AES256_GCM,data:pMsa46tN,iv:o9gn6MsMXoN/aA/5xbVjvbZqLt5xk3a82pYckLVxaS8=,tag:xknafJ0Qr/vIYEpZAAlgZQ==,type:str]",
+															"region": "ENC[AES256_GCM,data:bx6Ti9jT,iv:vGg5WqE5fYgeKdt1x35uoctg4dHaFgDTPDLCV/xsSgY=,tag:vs5TdWkHwqfskiR69Wac1A==,type:str]",
+															"role": "ENC[AES256_GCM,data:PcqUe6Jn,iv:+FtmqWWnYseWqGOaW2MCuL0oAdM93SBb3iSjFNSwyec=,tag:zZQfbDDAstWAOEXBCA4XxQ==,type:str]",
 															"secretsManager": [
-																"ENC[AES256_GCM,data:fes3BitX,iv:JnwUBJjezJY5RenIsYyUsObTWeF323tck43PPPabSoo=,tag:+pvZOybfrqOVIjhzY9+SKA==,type:str]",
+																"ENC[AES256_GCM,data:ljtpcicx,iv:0emP5Wf6w2/qWTeMzLSYpyZEFiCc5AKFwmh9hThxD1I=,tag:IIewHQMaR30SgTVACR9ZgA==,type:str]",
 																{
-																	"forceDeleteWithoutRecovery": "ENC[AES256_GCM,data:aZ88XA==,iv:twp/wRyThrJLt4fEuji1dLZdff1LDThmoE9J5ng5/6U=,tag:9qXhQbSeO2i0oVwJUPpIbA==,type:str]",
-																	"recoveryWindowInDays": "ENC[AES256_GCM,data:AP7awuqX,iv:/7WI7LE1cTXMO7yt/JDOz6veRToQ3IM/2iPYVGYgynw=,tag:QrfKaTifvsWJaT0tYsUEVg==,type:str]"
+																	"forceDeleteWithoutRecovery": "ENC[AES256_GCM,data:hpJwbA==,iv:soUJm6WtBmoXgOXfsZk9WJt8LFc/Mohhg423pufjBUk=,tag:Mz9AvgywmrCXQJBFV8ntrg==,type:str]",
+																	"recoveryWindowInDays": "ENC[AES256_GCM,data:jGlK9MXr,iv:d7Fltnp0epAGiw0cnhu3vrYZTTAY5+KnZAfTCyBq7yA=,tag:5SoMM+AdVFkAY3XVF1f29Q==,type:str]"
 																}
 															],
-															"service": "ENC[AES256_GCM,data:Xh5CZsYX,iv:6UhLeywlUMf1H4AwSJeRaxma/7iDlCf63FOmQ6LpNr0=,tag:U0YtXvauRJYM3uRIgb2wig==,type:str]",
+															"service": "ENC[AES256_GCM,data:AJhlfoVl,iv:FxOLP+47gcWXmdxOYu7odWTXakQOK8VskZWl0POOL1g=,tag:v7IdB9Cgc5KX4mgLtDMqKQ==,type:str]",
 															"sessionTags": [
-																"ENC[AES256_GCM,data:jikNJQ==,iv:3pxWRIDN1KIgg+Xr0J91dbLx79UchJkGDpS65yLntG0=,tag:902fsyyj0pktgInm9X5amg==,type:str]",
+																"ENC[AES256_GCM,data:7MVwvA==,iv:n6zVyhtcieMGGW1P5NquOSEanAgg4SRoYgkNwP+HdB4=,tag:Z/BWKCZAB0rBD1bfrd5V7w==,type:str]",
 																[
-																	"ENC[AES256_GCM,data:aoNUmPc+,iv:ck3gqQq0UFNwXPz+ejud8+7JxajuNFLLl54ecLTPVSA=,tag:MayvzR67Z/JzH4Z6Cj5ABA==,type:str]",
+																	"ENC[AES256_GCM,data:EDfoQRzl,iv:E7SiVOhLGCQ8UQklRnhtXvdfLEifMGQBsKb3CxrujVM=,tag:aWc8TWq2M039xB0G5XriEw==,type:str]",
 																	{
-																		"key": "ENC[AES256_GCM,data:UJJ3Cssw,iv:GgA+UmLEoBQm6wYF/U3QO/fz9tjCpeCPf0sbnUF6GbI=,tag:i6GHzj7gviVKS1FbRKWiMg==,type:str]",
-																		"value": "ENC[AES256_GCM,data:lAcjmy6u,iv:+ylMfpbPAb0yqUKKAn5piDFBNL7Z1YfB5j2bQz+TjuI=,tag:Wz5K5QqOzNb/wPNAQj0REA==,type:str]"
+																		"key": "ENC[AES256_GCM,data:e4xkunA0,iv:HlBeCzB+SFfrfCdnlbAiksc2UNBjH7+cT6hUc2fScrA=,tag:wPILobx3CJB2X69sC3RJFA==,type:str]",
+																		"value": "ENC[AES256_GCM,data:6+R6pp15,iv:xenNjm8AwnsTmkbGE/Opmy56AgHTP8V6a5f/5PLfGbc=,tag:Sw5E1/z9owlYZgWYewNh5Q==,type:str]"
 																	}
 																]
 															],
+															"sessionTagsPolicy": "ENC[AES256_GCM,data:Q/OxIFRX,iv:Re+8StJYZvrT7GVQvXxPKar9PVm59hmXk5mMlruORJE=,tag:9rpZxSMSZw4rVEkwc22edg==,type:str]",
 															"transitiveTagKeys": [
-																"ENC[AES256_GCM,data:Utrxug==,iv:coZElVTb3ydoqyJCwLes0lNIxK2hs0DyAXfnLIwHQ2o=,tag:Mrp9xf/OahN3/nbnmrD+6A==,type:str]",
-																"ENC[AES256_GCM,data:MYJb/I78,iv:SontTHfJEMXstG0mt9yILyCo8/923/dRy4bxZCOiwV8=,tag:jUJFxLu2w0QZsefPp8uVxA==,type:str]"
+																"ENC[AES256_GCM,data:85DJ0A==,iv:lV3uBOiCymKWe3K/xpfS/EiPAWTuNzZhJKtPtGbeqJs=,tag:WigaZyxGTLbk4wMJz51jzg==,type:str]",
+																"ENC[AES256_GCM,data:2Lm70Ul+,iv:Hh0NQ1/ZqW4s5qyDOhoLN70M3Ug+AVvJxWVmRXDxtkQ=,tag:aPKhknkAKwN6ScVUCI07KQ==,type:str]"
 															]
 														}
 													],
 													"azurekv": [
-														"ENC[AES256_GCM,data:YNQVXsEo,iv:Oon6gJEXVlWsZ1b7+H/hcPZt+7qXvbjuJJw/xDcdDuc=,tag:FvuHrcQ+9RuM7JctkBS9Nw==,type:str]",
+														"ENC[AES256_GCM,data:E1+2OOr2,iv:j0COT3LQzxepcAfKmW7n2Nx4Mbm4wDXgn7972Xv5Djk=,tag:MFiBwa5I4Sf7mV8zEVXqJw==,type:str]",
 														{
 															"authSecretRef": [
-																"ENC[AES256_GCM,data:cVc5Fh3w,iv:R1ffYP9Dkg7rk7rNOeMW0hRG3NPSQA7zl5QeArRKu0s=,tag:ip7DGz/7JiFbrHuW2EZG9g==,type:str]",
+																"ENC[AES256_GCM,data:Pxo9am/B,iv:dYvOXf6xf+aBDryDnba+J0vhyeITr6d1RFcDEy/osG0=,tag:uYDF5dmFobSa+0yrc700bQ==,type:str]",
 																{
 																	"clientCertificate": [
-																		"ENC[AES256_GCM,data:dLRBDK5g,iv:vqV7mH6u2ml1MZ35//Vx/8RnA4fwzo9R19DNynZnwTE=,tag:YCYRXROX3uvUrh91cslYKg==,type:str]",
+																		"ENC[AES256_GCM,data:TSml3k5b,iv:Pkc9xnUM4yqX1iVAjH5mr9Cd+ypwrpBA4rikaAjQ+UA=,tag:o0TOtLwfyS+EIgE5576LEQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:0P6LDlPW,iv:iOr6QlGvEe5OCq7Y7NrRm0K3ZCAgVdJBpM+Ig914ZF0=,tag:hpiujrmla39325kfKoqZOg==,type:str]",
-																			"name": "ENC[AES256_GCM,data:owgpd74v,iv:G2mRGRBz1TMoiRvC1RHAhmUrlPwtu2o3v3pcmW0E2wc=,tag:ABMOiqsqhY1BPaKFLWcsVw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:uLGZOQj2,iv:4JHvDAO4FO+IryCnYQX8Sdqden3fsbjnB8eKZuKc5d4=,tag:BlbQSHtKPDm7iqUvIHDqFg==,type:str]"
+																			"key": "ENC[AES256_GCM,data:oeXli1+y,iv:dIpYrHZH8B2/Ag+VGBQOT50lBmB5652GUH60pKIazBI=,tag:szb9XP9QU80swR5Y8iYDNw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:B1KVf66/,iv:qjvODc+cKpVkcCIyLsJqK1Jb8QFxUj7AYUPOQkhvZNc=,tag:u2zV1gkon+CuygLg5i5Ryw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:sMSToumi,iv:l1UqpnRflvM6gRNgnWpyU11vn6+t/v1igYmgF5/CHVM=,tag:ED1qDzHHyaRhVwksxG7n5w==,type:str]"
 																		}
 																	],
 																	"clientId": [
-																		"ENC[AES256_GCM,data:/Xeyop1g,iv:Ez8YOKitRM4E82DQXMeKB5Ze2hd3ZOSVjHacrlDwdC8=,tag:BAVLid08a6Lq5gchIk5sVQ==,type:str]",
+																		"ENC[AES256_GCM,data:vC15w/1r,iv:CsB20QOKcac/O6lQR5Tcd5KXaHTjzjWV7NAiOBGwITg=,tag:VQ10nmwXcME+BNMnRB3lNQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:A3xH290t,iv:kE69+gz41xq9IC0n2Z19WWMI/dkF2NSGN6ui7XDe+xk=,tag:2WTxB/5Cj3fIph2tmYC/CQ==,type:str]",
-																			"name": "ENC[AES256_GCM,data:Sqj1SoDk,iv:wz8ZKKFsJuxJcvEWsQBLgjmwQKXoDzZ8zvyk4ARlMtM=,tag:IR+VE+fgK2T3TAE2k4RqpQ==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:2Hn2DQUD,iv:jypFwvvRiBmJIoRprSYqpeINRdLXfkbknBkzB8ghv68=,tag:htOjeaMCnmSh48sspKQVbA==,type:str]"
+																			"key": "ENC[AES256_GCM,data:Zr8Xvg/F,iv:Uh9YBQ2MpxPk4SAlrmEIVsXyElayCVN3WPM/rKqYFFY=,tag:kTv5fbFxYIrOH6ms4zoUKg==,type:str]",
+																			"name": "ENC[AES256_GCM,data:shk8gdky,iv:YwlmbN8b7xCKYimU4OmT1yiO/cNKD5WckWGwWHQA2eY=,tag:oSpe86JcKdZ9EkrQ7Q5K2Q==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:1ZuuOpsE,iv:VTpOddaZ+m4ONAIGdNUgopHRA8MfkI5cbw3xsNemyQc=,tag:dUf7gSBXkaN3pwva3QO+Ow==,type:str]"
 																		}
 																	],
 																	"clientSecret": [
-																		"ENC[AES256_GCM,data:njEN99Bu,iv:lUQ5r3OofTCd8No9Xx4EzzimIgH4o9Ox3YXuz8RWi/M=,tag:j/QMVa4PrFADT0AskfoTFA==,type:str]",
+																		"ENC[AES256_GCM,data:l16nO7kS,iv:QXhIMxm/8fI97gpAhQtxaxQcmuiS74EZzw3wu2GaJlw=,tag:YOBK7ATFIl8Ku5NVIdnRwg==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:nMWY0qnX,iv:7hFIUtHWvDDku7d5k+BuWnDad6slVtefXP3f6dMwSX0=,tag:MFocqp4OevG8BT+NEm/yQQ==,type:str]",
-																			"name": "ENC[AES256_GCM,data:AaECWIDT,iv:4iYswDbVkiBL6wC9dYQwWzhyll6qkLdLzxa/tGXEmb0=,tag:HR7rQSV174ur1uGgK38i3A==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:LCE95XQh,iv:lHxPoyJkjVJdhfC6DtE5V5VkjrfSM/aRW7Xw3L9FsFg=,tag:0j2KsOz6WLEWrcih2NlsLw==,type:str]"
+																			"key": "ENC[AES256_GCM,data:sjUET+cu,iv:mSUz7wVunMkjEgSVfyMnfKXUUHoxqDTa9aCTsAqEhMw=,tag:OXP/XMewWeTcldGu3jkPDw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:Iw8ThUBQ,iv:gQQzPafX7R4d4KOSxBfHgtbkNtufao2knBmJ7/Ogz5k=,tag:ARcNo5mtjaFECUKXgXEhtg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:VfreSYXr,iv:AnNFN4UxSYQ1YJbx/S3qyAX2r5c5kX8Z4++6GFeNXNM=,tag:LD531Yz5o1hTk24MvUFvmQ==,type:str]"
 																		}
 																	],
 																	"tenantId": [
-																		"ENC[AES256_GCM,data:BGmFyyCk,iv:u/18Lp6gmH81e0o93lq31UqPSlmT10KzHyeB+El+6lg=,tag:SJ2iC+Y6mOMz1UEK7sDbXg==,type:str]",
+																		"ENC[AES256_GCM,data:WnYGQ86e,iv:2yRgueFNqVfyGKjd6e3bJtIayMZyEA2xwGpccXdeYpE=,tag:Ig+yMyck9j89Ue8bgr6ldQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:cFXeqdAQ,iv:P9Fbtrb+QueDLZlfTomRPFO/hZFVMJclPNh9xtmyCoE=,tag:9+iOHi1kgi/yULe5bXcerg==,type:str]",
-																			"name": "ENC[AES256_GCM,data:0zOlAXyK,iv:dcEaJfT8eS6E5z2rSVgA1vhLB9zzDiK7Rq6jKpRoCYk=,tag:UXJxHar8M04ESkqeATPpGA==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:XLaENOmy,iv:oKYda01iWNOp+9tIGKaLMKwmF/ZGgBiw3R3HBpxe/NE=,tag:W7wRRpn8bCw0xSGVD1je0Q==,type:str]"
+																			"key": "ENC[AES256_GCM,data:SStBsjHe,iv:hPlFNRwVvKc3iZ3j8SAxJ3wQhpZPEUfMi7tWztQYRYA=,tag:aO9rSrJ7dv8Be/Ejk5WErg==,type:str]",
+																			"name": "ENC[AES256_GCM,data:5dFdWEl8,iv:AI9h6cJuUCSeYEcb34LeoFunTNFe00G00GEgyVT+FU4=,tag:vUsGYJ7iWSu0Q3i/2QzU8Q==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:4KcHWiu0,iv:Ti2H3vKLfnVWzGmpfuclBlVZetKtKcRtAEYyuFvsy0A=,tag:rgvL+wZuWiqYwO6s68IqOw==,type:str]"
 																		}
 																	]
 																}
 															],
-															"authType": "ENC[AES256_GCM,data:nLfltAgu,iv:l9Ev5NalNIE+51VoUPdcIW1tEvKUwVqLdDQsHM+DpAk=,tag:rOtumYNgE9L5i7SyreJkMA==,type:str]",
-															"environmentType": "ENC[AES256_GCM,data:JmjlbJFl,iv:EhSFGxbtpRpH0h+bz0BcjN4QStJZ+SQUx92yW7yl40A=,tag:Iu1XZBaTj9d5kokF2hMY7A==,type:str]",
-															"identityId": "ENC[AES256_GCM,data:hTxOpALZ,iv:CpB8amjC3LymZfmFuZGBMCMXYEK+prCoE5GKURH4XNA=,tag:qc8SGMCAgXgFzOC1Q62jxw==,type:str]",
-															"serviceAccountRef": [
-																"ENC[AES256_GCM,data:9EFJau0c,iv:qVL9+UWXostLMTkRTNae67ljtKHb3DmLF6+1YoDcHpc=,tag:Dtssj/FLJhx7CjQa1wjpWw==,type:str]",
+															"authType": "ENC[AES256_GCM,data:oUy/UzrZ,iv:GjjTiwmPLbGMLwVHx6u4Jbu88fpqEA+e6tGLvgnu7Js=,tag:ghB8h7sGctzcK7jucZFBrA==,type:str]",
+															"customCloudConfig": [
+																"ENC[AES256_GCM,data:0gABljgZ,iv:SFqmoBUCJE89m9CBob0tKJzuDgUS0mfC0AtcMtzI9tM=,tag:oxBH+UqO2G7pRwNshmmS7w==,type:str]",
 																{
-																	"audiences": [
-																		"ENC[AES256_GCM,data:D1HE2Q==,iv:TnHAVdKU31+lHRq4AL5xkAsIBHx7+j+h9dq9l73qGqo=,tag:mppGINLL8dCj+P4cyOErYQ==,type:str]",
-																		"ENC[AES256_GCM,data:cn3Qfp8d,iv:yGYuqSpVp6NpLIZkgDjN/K9MAsp11qRqIeA70VpxRV0=,tag:KSow6urlkZagbHsweWfgtw==,type:str]"
-																	],
-																	"name": "ENC[AES256_GCM,data:fSL4ymEK,iv:ajtHoVMpcwPB1weTKx3tuVp3Mj6FPGpUsnfwgSbmRtU=,tag:b7ASN7+Naa7l12e3qQQevw==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:AYlToHRu,iv:PW03tyOO93P+5i8sZ79qaqx2scPiEUa2i06rljiQ4wM=,tag:7lpeVwvm8w5ITYd/v/fEKQ==,type:str]"
+																	"activeDirectoryEndpoint": "ENC[AES256_GCM,data:Cks6uzVp,iv:TVner6CzmoIr2fvEJTgD46tqfmDAppDSHkEW2OfLEto=,tag:5Zjf404QoKSAD/l29ImR8A==,type:str]",
+																	"keyVaultDNSSuffix": "ENC[AES256_GCM,data:FUf6Xx+S,iv:Ov1Dnp1FdhGaaqvoJtqttQURiTHhJOd6z+ZGWPJeXOY=,tag:UonZZdwc83+71n6ioqHTxA==,type:str]",
+																	"keyVaultEndpoint": "ENC[AES256_GCM,data:8R70nJeR,iv:RNNcwS8tcR9KjXMO0yigehhtZzJaYSxPjMdcZp4HWXU=,tag:5MpYQbSutBFM23x1dhZylg==,type:str]",
+																	"resourceManagerEndpoint": "ENC[AES256_GCM,data:+xb8GYbv,iv:iEUPz63YGAqppHlF3zWgGP1ucNwDjgedLgtRFtlukR4=,tag:x2pA+2eHYQCFvScH8GVSYA==,type:str]"
 																}
 															],
-															"tenantId": "ENC[AES256_GCM,data:nZZOkywR,iv:rnRvFJNXc4ODLgK7kZ9Ty9WTVUGRc/06WOLDAl9Q4wY=,tag:0NTSBiEfhlonfQnrEnFh2g==,type:str]",
-															"vaultUrl": "ENC[AES256_GCM,data:s3Ldn1zq,iv:7mvMAEwzaNWUVSmka2OJjylPNU3CAkMdBKDP9pVd+BE=,tag:UZdsgSoq+zsz+AoJCmguHQ==,type:str]"
+															"environmentType": "ENC[AES256_GCM,data:u0gbJzT9,iv:lXu6Eo0BjejxDAp5Pglz59Am79Uv3O2d3lVRpgwDCZ4=,tag:eQENwwgMwbH/Mv1d0etJWg==,type:str]",
+															"identityId": "ENC[AES256_GCM,data:oRw+GCDZ,iv:SVxbd34J5v6NURl8ChBoOvNdURM+7G43j1fDBjx0sxg=,tag:40/yB0gh05d/U1WLtmyaJw==,type:str]",
+															"serviceAccountRef": [
+																"ENC[AES256_GCM,data:7z7jx2Bu,iv:NecLQ/RehyM9I+YmuFICIVDsTCKxy/QtU+7Ey/xmk+E=,tag:4lIQn9nyg/nUUh284T90ig==,type:str]",
+																{
+																	"audiences": [
+																		"ENC[AES256_GCM,data:tCXzwQ==,iv:cEu17QD/lJA50feMQV1VpirMumNtFvyKPOhGIN8VCQk=,tag:mTpMUbfkHCVLMulxNa5pTA==,type:str]",
+																		"ENC[AES256_GCM,data:1TP4mbzy,iv:uxx5coOvlvX5Vz7M50u5rJt4qhySnhiDQ5AKtR1GD+I=,tag:q6JVUCgtn1pER7XPXRN3HA==,type:str]"
+																	],
+																	"name": "ENC[AES256_GCM,data:3RnPzJzW,iv:i95GQdlryJXyDhJKGM6IUG5WEXg9JCKOOEC2YEPHRGM=,tag:XQpGowuX5UzvG7VhFbN1Vg==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:cjI3Awv/,iv:b4EtwYrU3cBNdr8jPi/sOaZyGkuhgzaSPhCndJy/vLA=,tag:oNRfFn0fIyhdcgnjpZy3QQ==,type:str]"
+																}
+															],
+															"tenantId": "ENC[AES256_GCM,data:f5fFh/Ch,iv:H11sMMXTgN+CatQ7CU3sVwa/E+hTRFL8NOR5Ew8Z/wY=,tag:dG7tV6LESYN+uzZlvhc4LQ==,type:str]",
+															"useAzureSDK": "ENC[AES256_GCM,data:glFnPQ==,iv:a0EQ7GUcaBA/+D2BGVo7Ht6m3mGvpL8jEhPS6bIgdpY=,tag:7EhvDfaLshe9dtaXT32M/w==,type:str]",
+															"vaultUrl": "ENC[AES256_GCM,data:naoj39iQ,iv:rir+WWDMJo2qZCGtf9/tnNmWOTa5BUWDHHggLLKP690=,tag:tNnTBPhRVkK4yux0N7ztqQ==,type:str]"
+														}
+													],
+													"barbican": [
+														"ENC[AES256_GCM,data:EviOJmVa,iv:YEwpNOMvMywyhg81elklx5QqunBXkGCsiOr05pugc00=,tag:FvTPzdK4PMa0g6IqgzUDgw==,type:str]",
+														{
+															"auth": [
+																"ENC[AES256_GCM,data:1jQ2SXpD,iv:nuqA9ycJd9aoei0alkyWu4PzKjFZ/dssl2X1+XvDQQA=,tag:FzXQx1ty5UEPiZw6PijTXA==,type:str]",
+																{
+																	"password": [
+																		"ENC[AES256_GCM,data:oJSs2Oa0,iv:99TI3my5T2sRz/MMQW3x9I8xUPQQOnA1LkK11QGDjqM=,tag:O3gbELQUPMHBJz6gYTxqAQ==,type:str]",
+																		{
+																			"secretRef": [
+																				"ENC[AES256_GCM,data:WsisBIfv,iv:glrDhGvIyEzPZ55a5cjtsON5jI4QtDFokGwD51s/ALc=,tag:9tZK1gTAnGikBvxpAye/4g==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:XmKkTHUI,iv:og8pL6seqwIR3zSkQjpVk3PKeoOTk88NN/O1Cc/YeuA=,tag:TmzwPmJNpPEOJPmdhk1Vzg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:PGO+1U0B,iv:+oN+at2icZbCkEuL4U4S7Br5vqEuKbksVQcgm+f9wy8=,tag:eoDqrUYzVkZ2jKa51iNQfQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:2UogxbvS,iv:jv3dMe8SQuURhc2/0hu8hAcDOYGHGfMzCZiOrC9/Syc=,tag:+MJaWBC1IHhmrqOghR1SjA==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"username": [
+																		"ENC[AES256_GCM,data:TuspvhyW,iv:uOnqAm/G+IXs4TdhV/WqfZF1sx2XC7rxb+1rAUk8EqE=,tag:m5+TOgbN6SkAGMCedTVSdg==,type:str]",
+																		{
+																			"secretRef": [
+																				"ENC[AES256_GCM,data:zO2bqncN,iv:j4n+COJ6lXMn9ZPcLsKtaylBfc/aDG/f7TjaRfRvqqc=,tag:LTsxWIyn+ofvzDiHsxEiag==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:2CcVNUsq,iv:D6cQ3IGM29Ru2nTfDnrNssSb7VpSyjqNWJje9zXtOIY=,tag:qr4076kJLl3il6U9hRi9lQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:vqHGiy6a,iv:ux7SFv3z+1NSUPY7p+WEivXka+Jl83A4wq/ebWaNrcQ=,tag:G8akyvgIAHSWo6/FagUh6A==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:H+Z9WL9M,iv:a+xnfHD2DlYu9YmRnvXhPU44JborwYyZ9lo4yU6zfOA=,tag:460u9w1b3B6aNEO/Wj+IiA==,type:str]"
+																				}
+																			],
+																			"value": "ENC[AES256_GCM,data:QiZGQA7j,iv:Gb6kUFEifCGiSSzDKWWekUbjQMcR2vgdpSjMKeeqzhw=,tag:sla7nfCzVxLsrQePNEUseg==,type:str]"
+																		}
+																	]
+																}
+															],
+															"authURL": "ENC[AES256_GCM,data:AQdBz5CE,iv:bhiXe8Cr0HZHbVS+3c0OTFTZ+6BVQDvmG05eNvnw8iw=,tag:yJEE0R+c33WvrKVlK4h/Nw==,type:str]",
+															"domainName": "ENC[AES256_GCM,data:QV5FH6Qh,iv:Iw19YyzyKjX+0FNmxolu4zSWVPshGDrB/ugucFvzgSw=,tag:sF4L/jLtxMzpXoBXF0acXg==,type:str]",
+															"region": "ENC[AES256_GCM,data:WeRsoQGa,iv:iNKns7MJKnWu+tpfa31zfn6e20XzfMB1T9bx53ZaOmw=,tag:GUzN13qAKp630B0qEx+mYA==,type:str]",
+															"tenantName": "ENC[AES256_GCM,data:DpTX9UgY,iv:sm+sFMUNuW/oRM56iw5qcshW9AFrLk/oinx6cPOZRQ0=,tag:6s0iET4VFOpJzUkcW94XpA==,type:str]"
 														}
 													],
 													"beyondtrust": [
-														"ENC[AES256_GCM,data:Q7y+eI2G,iv:cdQEAvXkJpxU2ayNdPJOASGOzKBMeqre/KWxgdZtzuc=,tag:tzGmB1zz5aYDRsA08NvlyQ==,type:str]",
+														"ENC[AES256_GCM,data:bY1ZXsFL,iv:1Pb30Z6TnTKycLczsqYQ/Ccp3zcwMyhAk5ak/VWv8wY=,tag:rS8XX3ED+fKmnOZdkGZvFA==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:CfWX85Ei,iv:1mhFzdQwR6TRzVY2z9R7C65gvNTE6I0A7rnI7/XmDoo=,tag:IKrnAvYKlVEhy+bQTP6q+w==,type:str]",
+																"ENC[AES256_GCM,data:ie82Pusn,iv:ltdltRuBADBDdGl9/+OtnOtTO83gNJgkXspLcNwwEkU=,tag:qhpmFN+KtUJJ10AIySkgTw==,type:str]",
 																{
 																	"apiKey": [
-																		"ENC[AES256_GCM,data:/pk7YWnV,iv:licEXWEi+yNGJwYu0+xhep7hsemNkk1MexudjgGLL4s=,tag:9PBjtYRL7h8to0d6G044zg==,type:str]",
+																		"ENC[AES256_GCM,data:7GOGQDxM,iv:e4tuUgS4LzGKfkldI07Yzb5S7XMPy3Tc0izN7xkqt1w=,tag:tSPWpFD7A0T5//2GIlJLIQ==,type:str]",
 																		{
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:vzAE9yPI,iv:StZjCJCwwVE9fEd1OtgfSKLWF+1IpHRl/woJbtzYQvs=,tag:2Dd+QrSwseCjMuhJ6WUDPA==,type:str]",
+																				"ENC[AES256_GCM,data:J29bcjNt,iv:+bug+ol8G7Ai8iVCFt1OdX8bpeFxYWYWz80Q/lgBcq0=,tag:akaH4tjjYm9Vq+Lw1Us+/A==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:CWApl0V/,iv:JHO7mACjdEW9XyEXphIyGuzcrzwWm17uVjQWk6S3wE8=,tag:xTzg03tL739Sw4G12hwuDA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:mcJSka9j,iv:TKzmtyKfzK7Wsr1N9Y+pV5S9Alj38GehnvoExqA0Cqc=,tag:4ONWfGn09yIPMwOHcJiZ2A==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:asZ9h83d,iv:5Tg/PizJo0nv3y14VxmqOn/OXFFQNCyu28GQb0/jsUc=,tag:3OEXYSWrceCdGW2rDyo5lA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:qI1yR+Pm,iv:iyU9BzZXc7I7Lp1QgCiuvAtnbA+ilzcGXSe/+Onp3eQ=,tag:2pRcj4aAK0Es0bsIUG1YSg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:yeNNC6Ju,iv:rtM11QLRWhUqamN2KUsrapkq9LovTa5xMBDZfzz4h4Q=,tag:lG2p3oGuTcn84zLRr9pqrw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:ujtcza9X,iv:DbmUS234fEoXf9L13NA+mNZ6tSSMLIKZTFDxIoVHO4M=,tag:HJYybTA9vo9w6DmeaE+Z1Q==,type:str]"
 																				}
 																			],
-																			"value": "ENC[AES256_GCM,data:UA5PMslL,iv:VKgZfTqpV85HpQXxmB9ffbJ4AQGv2aUc0bHdZMcysjM=,tag:BE0CIdMuWDx5BwHFgpsPSA==,type:str]"
+																			"value": "ENC[AES256_GCM,data:SuZytbNv,iv:zR9vweXH6WsrHfc1BJyTZ/EPtjT4zgTOJPCnr3Hn2+c=,tag:pgWZvHc5igcNWC324UbhwQ==,type:str]"
 																		}
 																	],
 																	"certificate": [
-																		"ENC[AES256_GCM,data:/QisI0xg,iv:RrGok0PhZYlO20Vr8vW3R+1VMOsL9KwhhLYO4XBuOXw=,tag:4B2r3kvst+99vP1ulvP7Qw==,type:str]",
+																		"ENC[AES256_GCM,data:F6ymad4V,iv:ozmvIrnEdRiZwC6HAIRNwNcvQkgl9QUOzonlCddI3UY=,tag:zXRTMl36YCkzQvN6grLJqg==,type:str]",
 																		{
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:YF6OfMfG,iv:EGC7hsrsf+XNTvanTnjtKgS2T4fIeyeatZrGlMzivXQ=,tag:QREnWfjBSY0kgnWWziisFw==,type:str]",
+																				"ENC[AES256_GCM,data:ShlCRtjs,iv:nWyMgfzB2JUYYrt90KcCYRM/pPbxbxhpT9EbFpgP0Io=,tag:FS0/poeo/WoJjlOSBU+Jnw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:iTbRJwo4,iv:CEfPkdbu9vEV8nCIC8/jBAWgBzIVaNEchCH4NRVsUSM=,tag:4/0oPqD7hvEN25HaQxTubw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:DPi7YCjw,iv:hM6ZLlYm7MZXLK48JShLasCoHPiMrZFcYzBfSbVtEMU=,tag:xbIJK0mUfEL+aSQGD3wqDQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:8VaE6LXo,iv:cUYtwyb9XlwyXj2QFEV/R4M1/sMGQdm21vrB+HNFBqg=,tag:E/duQZSorv9R8yisreUgLw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:g3NyMBmG,iv:B0Gqyb9oWybyDuF9bI7wLlUrao7HBMa3cpRptCA+NiY=,tag:uetyl1KjutpI3gfWHEWkLg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:/6vRR837,iv:nJAD7vgz1wrB0J79DYK7j76Xk15BaLXrrC4EUJgvb3c=,tag:uFxXFJq4V/WTU6mNgrBMHg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:5VnVrWOJ,iv:60acf/hPfPL9a/OgXSpAQzBtkNwhsRM/yAQ5OJi3JSQ=,tag:GhBBlEb8+Cx3QRZvCWoJ6A==,type:str]"
 																				}
 																			],
-																			"value": "ENC[AES256_GCM,data:ElMFkA+i,iv:4iUPMxdcS8tqE7SMrJUnW0UXhMCqCV2V2TkLcEEjhhM=,tag:pUWwdGV0srVmh2e6cil2mQ==,type:str]"
+																			"value": "ENC[AES256_GCM,data:ulGDU6PK,iv:gTcc+zw408P8BE8w4Vttk6fhA+twyFid8zc2ae3Py4w=,tag:D3pSH8JWq1vA1CsYLczBbQ==,type:str]"
 																		}
 																	],
 																	"certificateKey": [
-																		"ENC[AES256_GCM,data:2BhDNCrO,iv:0b6uw+QWJl/rO0oOBme+AAL/HnaxFmyOqHchk4AKNy4=,tag:FtJB8cTHe8rkTNO5qtfFOg==,type:str]",
+																		"ENC[AES256_GCM,data:tLUcNIkI,iv:vDEuAx2iFIHpWX6pFa3znStKA3kUE1PBIMXScOoeWHk=,tag:5NGPnDWFMOFDIetR+/oNrw==,type:str]",
 																		{
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:+QiZokgX,iv:KQ4rFezNxgIyoNDt4iLJaMyq71QVUVmWShfYSv2ZfOE=,tag:XRSdRy9useO78QbP8QP3sQ==,type:str]",
+																				"ENC[AES256_GCM,data:ZPfZvVEC,iv:9pP5CXKanRax+RoUAM+xqkTbFmJJBvP6FaDN0J4SSy4=,tag:VhWd9d26a+ENNjyda1sGFA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:6YqNRC0n,iv:EYt/MKILv8omPVsILzucoJ0ZQZ8er5ACkDmHWm37VEI=,tag:hkWrd75VgNmwBRctAbFZlQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:a4iahW/d,iv:N4vtLzTxnrUM/KwQ3uwyTnOuk0V0tL/42yuwtPlWgNY=,tag:QmJ31iLoIHLRzeRcKOJrZg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:ddYkt0Is,iv:YCfF8EPSMcgFYp90a60R31DvTrdXEEeqmVH91hBY00I=,tag:uNvK26yVlfdPNFzEwwaAaA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:2WDLNox7,iv:PRvZgSbognmtP3VS6RMqTPZZ40EvT287IPJjFC405Ko=,tag:F+iL94RfxriCxf4Zu8FRhA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:gt8h+mzL,iv:Hrh2YQUZFZQskKVPOvIlFuZrf3nWEqQV7Fd/bgNEanY=,tag:seZyxzCOMOeaMriYYpN9Fw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:zR6Y5OU7,iv:3MYqjOeoq4gUxb6VsOgXK9N7gO/fH1hyP1DXeflc3Tk=,tag:w4eROsx1swhBNOp8r1RZdw==,type:str]"
 																				}
 																			],
-																			"value": "ENC[AES256_GCM,data:O3KXktyG,iv:jF2jl5gmra0W61KuDvR3MeDiDH4NP9NidBXNW6yAwT0=,tag:z5ZpAlxMW1QC+oegswX3LA==,type:str]"
+																			"value": "ENC[AES256_GCM,data:Q9sGp+mr,iv:kUjHPiBEYEwR/NOB4DfUamhlc3FSfskGK8/zZILI+8E=,tag:VI2lWbAThWFUxpCopZprtg==,type:str]"
 																		}
 																	],
 																	"clientId": [
-																		"ENC[AES256_GCM,data:c0U8obnz,iv:XVBW6pmYNR44Mzr7BGe1qdAHifHkikQ0lV2kuP4J6x0=,tag:um+7hHxQpSaByvaqP5V2vw==,type:str]",
+																		"ENC[AES256_GCM,data:G5v8PWb9,iv:G/9blw+xnSR3P+X8sY19t4+G1HxgZ2Vw35hW2AKtTN8=,tag:U/WtMDK0ImHSJ/WlzGdk2g==,type:str]",
 																		{
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:7fUYp/E4,iv:O0ILOprqE/p6ZZvs+ORDu0BdEqUTKQajfFl8b81EaCU=,tag:FXCDI0O3L2W+CtG4/s08Kg==,type:str]",
+																				"ENC[AES256_GCM,data:h5h2AvOG,iv:i1kt3j93S3DWR8CTJqk6bc0CBP4Cp0JkbqkN9raG1/g=,tag:MP8qyBEZPabIaJwG6iclxg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:jMZ6RjOE,iv:IA5joKhLnh+iwg0P8Fm+CqYyQSOzec93j2eDt2RXKJE=,tag:wEkPrjAIn5qxqVqOZjNoWQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:dr73T6Dh,iv:Fl2dCTpEiXLbN9osX5kpiOKuC49giLlDowt515/f1Ak=,tag:e7HXztV/GQETaLxJYiFIcQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:76ns/zzz,iv:p/YNgp5pF1aFWfn35GUoa1yWN5XwUxPk7bRYpilxiOQ=,tag:3QUmSnkHFJStKhUn/wS2PQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:irj1aHAR,iv:Q/JwmdOMSfEk69nOuYmHNJGv51YqJlT0EykC7+Zg2+k=,tag:gKAPfw7e90zkRTmYBEltkw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Ce7i5EmY,iv:+fCE6D8Cv2tK/Mf0v6YOZcuKTPV/weVLiLHzYyLCErI=,tag:E8hJYTrAVRt5DErl+S0evw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:6XUftl/9,iv:06CXJa9alaY8qXqxFkdUgrtBsORhLzxWAjVUC/zHiM0=,tag:QMESJezCY/KAtBpF1DHSqQ==,type:str]"
 																				}
 																			],
-																			"value": "ENC[AES256_GCM,data:Omy6Z9/f,iv:/gRvTb8PvyS1t6lnu6G5qK28dgeBWYhNJmmfK6BXxRU=,tag:RJBi1UFLn2SI7aZczMrHCA==,type:str]"
+																			"value": "ENC[AES256_GCM,data:DBF34uzI,iv:Dx2JcJs3Ft2Waqycm91OYHnYNUqJsxW/VIFM2/hrF+k=,tag:+/HyAWsEfxseSqQXUt7uaQ==,type:str]"
 																		}
 																	],
 																	"clientSecret": [
-																		"ENC[AES256_GCM,data:4ceLcQ8/,iv:OW+Uax+ScL+BnMIbhgHAWITbtpSkwAH3ZT+9fTr/6RI=,tag:TQpf4kCh2qkN4c/mjz0quQ==,type:str]",
+																		"ENC[AES256_GCM,data:N9R9hleN,iv:zMUhSrjyHOf97dsdtJPxW6UsKQfsLpkDYNRtnYsab4U=,tag:WhWxFV8/WNRUE2SiVFUy2w==,type:str]",
 																		{
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:ytYr8bW9,iv:smu4OZFcVkPoZ427mj/7Js+p1fAYDWFEr7kMd1Zktmk=,tag:aD2QD8Me9pO64w6LoMw1UQ==,type:str]",
+																				"ENC[AES256_GCM,data:VTj20wlZ,iv:UOa5qu6kkrIcGAhIw5MdKslma1lEmI/w10PDRqF7pNQ=,tag:KSS0mf/BBJNznravA6+38Q==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:7dkY6iGS,iv:4aAJu3mv01aJb9ccThgROgGQZuPq9RErQ2aJ7C4EqMM=,tag:feTzpIeoQQ3sjPQtzWWHYA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:krGVa9QF,iv:HIrrpuNVCV6f8SNuWPNnCvwCi+xaj+11Yuaz11MB4vI=,tag:oI6BB7Qjb2e89V+1mfGApA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:juo/9Azf,iv:1uAKkrDWlHWn4G0MSGxr1CRsB7qg4unz0Jxe241UF1s=,tag:z7sVvPhgANYNvaL20NjJ0A==,type:str]"
+																					"key": "ENC[AES256_GCM,data:wLsusazP,iv:wL6+8uDWgzD1+4FAaxcS+H9KI80jnBbZq0QX+llcGdY=,tag:RrChnJyeVFSxrSXAMa7Kkw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:1OcBQv5d,iv:r92ZW9xmMKX23rUSkwtpmGNwjMZ2adRAvOdPMKnNVDQ=,tag:O8X1247OolCIhtZ/WtJr6g==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:O+MkRG7j,iv:dLIcmEpOLFMNZs4oDfs7xGydcEAvfEbIv3GBSrBSH6o=,tag:0Cg4t6aHp8AfImnqQ3sJ7w==,type:str]"
 																				}
 																			],
-																			"value": "ENC[AES256_GCM,data:qjpHjxOi,iv:COOr4maHlEoA9JDylVzjE269sH+o14dx/eHgelAh6P4=,tag:MMlaTHZKWgxajkMNhbrlNA==,type:str]"
+																			"value": "ENC[AES256_GCM,data:bixYsiMn,iv:gWx9OjJUOlr3oHLe1NqObGMHaTa0/KT/34X3saIRB68=,tag:49KwULNEkV9camo5bbS8TQ==,type:str]"
 																		}
 																	]
 																}
 															],
 															"server": [
-																"ENC[AES256_GCM,data:eB8X2+V+,iv:IP2ng2/YHnlHtVqxhvyJV//CkKjVvmspyaWbOUzIGJ4=,tag:FunT+cDJdqIP67lwvfa34g==,type:str]",
+																"ENC[AES256_GCM,data:D03dlOQG,iv:eQZ4yiHScB59DXFe+ARiZ5YhjHNeWVt2FcVzZ51zsac=,tag:CFut+iEjyUrazZgHP1HyrA==,type:str]",
 																{
-																	"apiUrl": "ENC[AES256_GCM,data:EWej1y/s,iv:JqtyqXM2r6sxBAqTzwK6e70qEHFYUAKlSRn7wJcRRRY=,tag:mrQb3URkNV3P3bO3sUYZ0g==,type:str]",
-																	"clientTimeOutSeconds": "ENC[AES256_GCM,data:JX1eDR6t,iv:C/SEB1jxSYNBudqm4eloltXbqaxOE/Q4iKsfFgfJyn0=,tag:jQzd49wR5We+HkKz4ICdZg==,type:str]",
-																	"retrievalType": "ENC[AES256_GCM,data:PvAyNgyc,iv:yaiDDgWNQkNiXAr1kOx7NfX3ezntyyY4woBU8HYw94c=,tag:RXqbKtPwItdfi1+sUnA/+g==,type:str]",
-																	"separator": "ENC[AES256_GCM,data:wOZGK6L7,iv:TjH/1zgvq7+xbNRxeOVleCukK7hCSh4L/DVL77+UKc8=,tag:vV1fcLUqWAK7krRf/VRhSQ==,type:str]",
-																	"verifyCA": "ENC[AES256_GCM,data:mjXvEg==,iv:PvrAncGhASlOXu01BJT29/y5JYC2za+M7awb0pPhI/0=,tag:xVTIIH52yzV7RBmzm7lFIQ==,type:str]"
+																	"apiUrl": "ENC[AES256_GCM,data:HV/AUfN+,iv:38zytr4LEdzuA6Rt8Vrh5elVj6dJm3g0+dMOMnA/k9I=,tag:F3XO3mw+PKAXJfYFA7CgzA==,type:str]",
+																	"apiVersion": "ENC[AES256_GCM,data:K3nh7P2p,iv:LxgiwGiye9weBPPGHXNmYaTNLEjKMw+YbTiNm8szNdo=,tag:LF0KETenlIcdzUJoSju2Og==,type:str]",
+																	"clientTimeOutSeconds": "ENC[AES256_GCM,data:ZeezDsqe,iv:dSIPPbsrwEDYAPxCbA51GKcz9ee7rpljtUZC7/VoJhQ=,tag:J6ADBbmGhjBOJYydsEo8QQ==,type:str]",
+																	"decrypt": "ENC[AES256_GCM,data:80/lQA==,iv:n5jz24iMpA7qrjneoLgBJIZ8izmXAsdlnfz938YKJEo=,tag:nUTg/FaJMRveDuB91xE66g==,type:str]",
+																	"retrievalType": "ENC[AES256_GCM,data:I3SalPCe,iv:Cssjyr/lfErMl5d48akuruYwo/WSopRkFZjLZ/TsGh0=,tag:C5MvZhRx23J+1KarL2Z6rw==,type:str]",
+																	"separator": "ENC[AES256_GCM,data:b5vTvld6,iv:It+w3zEKcZF4tfaFGJQMcZE0UAhllPXYgcMoyNbid6U=,tag:VLB3e++FiqLb1KOTd1XN3Q==,type:str]",
+																	"verifyCA": "ENC[AES256_GCM,data:YmnFzQ==,iv:WnGhFAjBh0QN9uBFoHYp9o1OBqUdsf0vyZVgYgDniV4=,tag:UqxflZkvjNECEwJWE2vp9w==,type:str]"
 																}
 															]
 														}
 													],
 													"bitwardensecretsmanager": [
-														"ENC[AES256_GCM,data:dd40eCzy,iv:U6sDVIqW+xSVOhEcK7XPZgyRYMcO9aA4CyHTVZCVpPo=,tag:bAHHpQn5I0dz0dVZyrAfsA==,type:str]",
+														"ENC[AES256_GCM,data:lNtWJWH2,iv:Smd+DPC4JGhIsLofBTVd9YjzDfmaqJlB1sEbq4e/ukY=,tag:8172V4sQuglz2xfR8omhqA==,type:str]",
 														{
-															"apiURL": "ENC[AES256_GCM,data:hGCuE5Ek,iv:djqLZwDPlwqC2C++4eaqR+aDZaCTX3tr75LosyJj1eU=,tag:NhY0+mj3aaYKFW91jFrWnA==,type:str]",
+															"apiURL": "ENC[AES256_GCM,data:4EvKDhiT,iv:SIWENya1pe6shK5knNPUWv3yCMKqZH60vbqjgsE2tnY=,tag:kWQa19Mb5JncRGSqZilLuw==,type:str]",
 															"auth": [
-																"ENC[AES256_GCM,data:gCdbK6od,iv:COdCWOvsB7ycO8DIL0brzwvIlsYKSgeEox3Jbbc4WA4=,tag:HD/w3YJZWh0NdrL63gl4LA==,type:str]",
+																"ENC[AES256_GCM,data:K+FxOJVg,iv:5+4YySGg4fI1V8DuLWG8hEcIgXxhOojEzaz5A6wlaWY=,tag:h/TJCTe3DVch+09OhoicKA==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:zQJEJVGm,iv:4p9ekgutLIa9PSkjDtmxEY1DtAvx0cbQImlmnTe8s5E=,tag:zwH9KE67vFuntLARHDuWxQ==,type:str]",
+																		"ENC[AES256_GCM,data:jiAv8kqO,iv:ga2xmsSYU4XtYdN+AKG6CAbci4bYqfq092yhshn0IfQ=,tag:wa2JwFWgB1D+GtA5DcoGbw==,type:str]",
 																		{
 																			"credentials": [
-																				"ENC[AES256_GCM,data:3mGkQLes,iv:YhSNte/AxhkVc3JgnFzGX5DhDCzW+Myum1XnTKGqLak=,tag:uR9JU+YFvX39/L2gR9Iydg==,type:str]",
+																				"ENC[AES256_GCM,data:tPUdg4Jj,iv:tFwtWdTqukCvKuUiYGxotR260U8KITfYJblynqQlJTg=,tag:2K0QsyMKl3zA5voCqkgYXA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:qwgvIEFg,iv:sZTSiITayxEEgovDFSoxkyrMeNC4AlwuAz+fBlNcQ+w=,tag:1PJE38eAZnjS3+HtI1zITw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:xKokjetw,iv:IlVMqQmEKFDQn7FMZqiX7Smyd7+6/x4SXspolmRZ/eA=,tag:FXJBmS6CIVKkENx4ItPL9A==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:fc3rFdCj,iv:qnrdoKrc1bNKimGV1K/fIMfi8sfzj8LzUSvkbHqjnaI=,tag:iFRSnG5TbNdgHgbsmgGnyQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:o6XCQEMt,iv:dePgi3XUMydVh4dF56nugReXIcxu5lmJ6ti4aeoGZ7w=,tag:A8uH0vbdytmPdCMmElQKxQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:mlKyhhrE,iv:638d3b7MTBzOmS2KPAAPaTxv2WghsGNyNxlo4WG+UVs=,tag:j4h/f2IYz/InW83OtYBOsg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:4A9V0s0e,iv:RuzH0OY5gIkolEwHf/uiG5gvi4ooOEREKr7M6ufe8vM=,tag:IWc+mR5EdtnZJZtgUO0nXw==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"bitwardenServerSDKURL": "ENC[AES256_GCM,data:dmLJA7pv,iv:nKy1v2RPYdTkXeR+ytl/P1Ddq90d9LnYAmbRNDNp1TY=,tag:znNi+IpT/rT6vDqPKgmAlQ==,type:str]",
-															"caBundle": "ENC[AES256_GCM,data:LuGzgQJM,iv:71OeB77/ht2JLNzHPVu+GG7gkrf+mO4MYkHKMeJ+im0=,tag:/alfrIf1Edi7dJF+ZvvNJA==,type:str]",
+															"bitwardenServerSDKURL": "ENC[AES256_GCM,data:O6D8bOp1,iv:p6g7D48sXFOI/Kn3zRq5SP0H+k6eCHFMTt3kxfKsUgg=,tag:EIBYnYUDKqnITJsr+BJeCQ==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:4Bz/jQMo,iv:VzxQ9pac4kMkg68bws2D/cduIGRMVHV84ry5IpjWEEI=,tag:rH/QIE8UR8dAql3WI8Ig4w==,type:str]",
 															"caProvider": [
-																"ENC[AES256_GCM,data:cLXqV5gc,iv:GjYcLP5Neeb2cwtamY6NtAfFhdoxzv3yPbfxji5dkrU=,tag:9fqMP7dokwZKkJ8xm49wag==,type:str]",
+																"ENC[AES256_GCM,data:HO1sQQXu,iv:504LmlSrLrNFi0+pZxrfmQlqXMqCzqCSsq9eHvwxf+Y=,tag:/5Qzv9oS74g71YKuWh/gMA==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:UimYAs/s,iv:l4D0fFcnEGVgo36GuNCmszPNSKPgoOUXi2k5rYDDB8s=,tag:8fWYN19nzAOtr24ceAgUOw==,type:str]",
-																	"name": "ENC[AES256_GCM,data:EZVkXmaz,iv:RWH9+F4xPPtLvqI1eZ6kZLqBLbWNYXwhcsKbje/KvT4=,tag:7mZ1b+IK21FxbDMJITgSuQ==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:tj2muXZU,iv:KbDVMFC4kHtnqZDMUVlAwygXr4+rC6mXYNWxY2dP9Zo=,tag:0geMRMHm3f/UttqLzQpyVw==,type:str]",
-																	"type": "ENC[AES256_GCM,data:VYq4NawG,iv:sSfBuuUhcx/+87PnvVbwVDXSdyXwr/+/WNIPf3/EJ+k=,tag:6ppK8SzwO5OLOC727yRiKA==,type:str]"
+																	"key": "ENC[AES256_GCM,data:34xuYidy,iv:kxIMZvV16BIwVgOk2gdeEA9ZHZipywTwtbbOTc3aYr8=,tag:XlMZXs8e1cLDUr5yTqI0wg==,type:str]",
+																	"name": "ENC[AES256_GCM,data:msfj+Gtm,iv:q8C7ZGiZatkCm8Owbc21qnci5ZgaeGYfGY60cK18U+o=,tag:imkyZyMvZiRMLjnFbTI2bQ==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:B/HLTRc0,iv:NqfERXq9Jstpzd0b3lJKCIokJlN6KitVSdzWPhdz0mU=,tag:Qr6vqTseXKIjlbvnLgKagQ==,type:str]",
+																	"type": "ENC[AES256_GCM,data:Yx/vkgTj,iv:Iz3uv61WMOngMh0XI4H97Vg4mpTPHsDHj0Dc+UyLlNg=,tag:5rpgjm8o9hrdTHZy5Z2URg==,type:str]"
 																}
 															],
-															"identityURL": "ENC[AES256_GCM,data:PIxU9JN/,iv:nuqq900tbwk/AeAyU7tuLHLcKYOwOMHDGDkRMsHmvwo=,tag:ayuexUkvU0CbJo8uHGxMtw==,type:str]",
-															"organizationID": "ENC[AES256_GCM,data:onvxaA2V,iv:RG+VlTz/gMeOxlPo+/CMoejkP7rC8YKMIF82TYfq0G0=,tag:4RpY+LE2plofhaNVqOFFjg==,type:str]",
-															"projectID": "ENC[AES256_GCM,data:iTNNiCiX,iv:Z0rhcRYLoHGHkd/+emo1/wjS+EdhAuqLQ7MV6K8VcUc=,tag:475JDTvKijT0kbERbtX+2Q==,type:str]"
+															"identityURL": "ENC[AES256_GCM,data:0u5xgj4M,iv:hRqZzJh0AmBc02ednKiTlIuDDoB1hifiKbHcFW5xEEc=,tag:M7dWZn2av8od7fAq+SOkyw==,type:str]",
+															"organizationID": "ENC[AES256_GCM,data:3eXD4r0j,iv:YY+5Y4d9uPveLeyYAXkKLS7YVC98/6vKzQ/deOdN+pw=,tag:m0Y+/lHF/5oc738qTEIszA==,type:str]",
+															"projectID": "ENC[AES256_GCM,data:5Lq8uheB,iv:YXGTKG7TouvS9mXR5MME1ixG+pAr/66ZD2PaBqucL0g=,tag:9EdERZZgv75vhI9duHwP6w==,type:str]"
 														}
 													],
 													"chef": [
-														"ENC[AES256_GCM,data:p2ugLcO/,iv:/TZHhOmB9S4KvN4oDULzqXGVIPjudFHl+NBxMe5teUI=,tag:r3h/MBrS3kSFCVAjKUVQ8w==,type:str]",
+														"ENC[AES256_GCM,data:aOfX54Jq,iv:Ycih8BrJpMnkPsKNjC7ZHUWLaWl3Zb0c5R9TcmorxKo=,tag:ARb8wxPXAMvdsLuTglE8Tg==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:IA0Ie6Yg,iv:Vl1e5cjhnkd4tObjb/BLMBnfF2QP7GTDBS+FRABOY9c=,tag:rXZIuJXxLjk2tItmJ9L7lA==,type:str]",
+																"ENC[AES256_GCM,data:aiNorpG6,iv:ZO6f9F8uV/n3OR1c1UUrsOfqDBCzOinjlnWP5FvEhL0=,tag:YsCuYKNZMLtuG2y9/J5KPA==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:05IVCdLJ,iv:5QUEtjLcjb/MVxMTLmJhJIUJ60QGu++A21iD5y0OvFo=,tag:+VjlQAAi98ZORSI0Tub4Kw==,type:str]",
+																		"ENC[AES256_GCM,data:6kuQ+gNQ,iv:Ftwcsk+Frg5xcm/YlumuF7KruKKDMDTgr2AuORKhrho=,tag:YN1ISuqS6gdJSMAAbxNbOA==,type:str]",
 																		{
 																			"privateKeySecretRef": [
-																				"ENC[AES256_GCM,data:jnRwXcyB,iv:Bt6VfDQQ5aqWQhTWEIcVmqvvVYFCTAG7n8t2eIOt/Wk=,tag:3zT2f/QV9kGlzwYs9Z/v/g==,type:str]",
+																				"ENC[AES256_GCM,data:2C66DFhe,iv:mmh+Rhxt3j2quZzS2m0p/sVxIon2J/zCf8yEbYPaudE=,tag:PvWtfoPUowlKULC7pvx6CA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:tg1vN8we,iv:EwdxhLTm2WsSFUl9N/rc2rI8W8J9Tw5I9v2R6nZoOOU=,tag:HWlUjKJgnD4LfrJ5yMflsg==,type:str]",
-																					"name": "ENC[AES256_GCM,data:H2EVbv5g,iv:RySsuLy28N0H+WABapDBoM4fh628J0WUhvLUctTSq3Y=,tag:aynVVaBc62bwDkrazVOFDg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:cpXtjroC,iv:qwjs7vg9OthsFR8igN343/+RinEiLAkOW9pLnW/IWgA=,tag:TflP/OMGrOxw68EHJ7hikA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:KioxcDzJ,iv:C4DvtLt/UVY3HggywcdIyOmM/wf7KSg/deYWV5QCVrI=,tag:Q7fsM7L45qxGimVcckAp/A==,type:str]",
+																					"name": "ENC[AES256_GCM,data:dbWLb1Nx,iv:+0FU9ERHlcSR+aqKANKpxwtAvqyqquRrq9GiYZCZg6E=,tag:1xO/ossIxRHtq5fvo6I/cw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:qu0MlknT,iv:mIcNLh3rZFMVTkSIqaPqxtwBuRc4YoksXRkGFbgeHf4=,tag:4+tm//i4Rouhz7LzkTh+8Q==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"serverUrl": "ENC[AES256_GCM,data:N+sC8+wB,iv:iIAet0eWMzD5vcjIedW5kYLDYq+/s5UROJN9hxZXwko=,tag:X2Sj/nkki+urwYjFFtNMSQ==,type:str]",
-															"username": "ENC[AES256_GCM,data:1mL+Cvc1,iv:tcEW0+1HnPhFAO0W0wcvc8gjp5pUu8MJVq2Wtwzo5TU=,tag:3ugKJxZ8+u1JcqO5x5VjHg==,type:str]"
+															"serverUrl": "ENC[AES256_GCM,data:C6nEl1y7,iv:7YWLVi2k1yRndvWjO4sXzxVVG1lSlyu7HhNA8UC8m0E=,tag:iQhf1JhgxKoCp//zM4XgRg==,type:str]",
+															"username": "ENC[AES256_GCM,data:Loo5BbgU,iv:vRdpzJn99Gwlklt2j4VYwL5K9ZEvAslNzxeNN3Iq5Lo=,tag:NZVeblLYUefMUsDQc12K6A==,type:str]"
+														}
+													],
+													"cloudrusm": [
+														"ENC[AES256_GCM,data:QsR8/fDO,iv:vz+D0+um3mYCBFjkX0OWYslVKJ8+uY7FONami1KGeag=,tag:3rXH6K+oIvsI9jI79H3XGg==,type:str]",
+														{
+															"auth": [
+																"ENC[AES256_GCM,data:D09iKX57,iv:v1Swr8GUlq0ftXGWMs4q4ZhyhguXJjiLaY7w/ffCspw=,tag:ye51RW/c/PW2j2GrIkLaeg==,type:str]",
+																{
+																	"secretRef": [
+																		"ENC[AES256_GCM,data:T4u6A/dU,iv:o2Sw71IyGm5enoD0Xf65uKrM2ecMl7D5zrZZD7Js1BQ=,tag:JICQ/ySlLWn4/Pw6GrPflQ==,type:str]",
+																		{
+																			"accessKeyIDSecretRef": [
+																				"ENC[AES256_GCM,data:96SjC2Lz,iv:eVRRTtfoTZ6lcP0DgK4LhYwkvXPZzle0K3CxQdstA6c=,tag:kTfN0OmHr8DcYJykigvmMw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:azQlQhQe,iv:vs+GFv1u8T9fOjIRlSWA9RRYZwmbUhYGe2g16unT9D4=,tag:PjxFpAhQF0EWnTXi9BO6Hg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:n30pDT3j,iv:S5ZvCrVXHdS1sOh5s8M+ACnsL4DFjG6DXZsyWDSREoA=,tag:McZ/VoJzdfN2Ht2CIJtaLQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:HDDo/FZx,iv:CnZgRavhmUYR5IK/X/AKyYjSTI3/k0X8M3DlXA6RTv0=,tag:WLL7bg6XzjR5zfVDo7DGOw==,type:str]"
+																				}
+																			],
+																			"accessKeySecretSecretRef": [
+																				"ENC[AES256_GCM,data:h60+aX9u,iv:zdbx8ZQnovsfIk0vN56/RKh5RXIRgkJj5SFPZ/1RD4I=,tag:BaKvt6M/1aHAvKldxADaKw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:vd1ERzQe,iv:PY0LJ+Mq3DGBuQVlorVOuHm6JkFyHgClKSA7pqyMVdo=,tag:ppFVFxjkC+Gu5oYt201EIA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:JxFJjIA/,iv:29rZrLv8/opk3+lVbllutGH5S0qBl4jYXh835V1nU+I=,tag:N7JmygiUJL1Ol+FBoPqD7A==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:CmA77L6E,iv:oN02pfxyvRnAeSTZbjV+6RdfCzmeLC0j/Nb49jKIHF8=,tag:ulQK1C7h9A2tiWgvg2rvVA==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"projectID": "ENC[AES256_GCM,data:oUSBX/Fn,iv:ybjMFo1Gg5/XkmtkkMwO16iv2yRc88cI2QllE1vHCuM=,tag:s+CnA2XOYQr7X9P3fvdq5A==,type:str]"
 														}
 													],
 													"conjur": [
-														"ENC[AES256_GCM,data:Mzpu/BkP,iv:6h4BBH/ic3tc9mUqEAG6pE/PU6lzOVX2rJ2eTYu9LOg=,tag:1qDSpVSeeMAWMvwhMm/Wvg==,type:str]",
+														"ENC[AES256_GCM,data:dlxHJXbT,iv:cF+AzXvaBq1v8TkKMX6LkVU3fZMEp1oGB0jZ59ZomAQ=,tag:KXGFHf1xkEJj4vGHZaT1Og==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:lYaGYM3e,iv:6u3ihd1gGZIRw9Po7QlQyFy8OuY1RjdjenQf0+Atp1A=,tag:6y0qkMdrD7xIcygiJDi2MQ==,type:str]",
+																"ENC[AES256_GCM,data:8FK18LFx,iv:Pqk2ytnFtHjKywpD2aN80F6LHNzgfEoB8Q3yiLtdHCk=,tag:qKGGALSFt8LLxTETbvCuSA==,type:str]",
 																{
 																	"apikey": [
-																		"ENC[AES256_GCM,data:k9wG5IFl,iv:+cnVtHOQbJuhyOIH/dtF/qL6lCNRQ3yS4tIdJqyd2KM=,tag:1B66crvxaXWO8xqalM4AVQ==,type:str]",
+																		"ENC[AES256_GCM,data:uUJA4tKI,iv:EygMeznFM+uK8t+cfsk7wdAW3QrhXHzmwrFWHwAGpH4=,tag:DMNCKE5fbSGI+dVfKFpVIA==,type:str]",
 																		{
-																			"account": "ENC[AES256_GCM,data:2o3JaPhb,iv:vP4PnHBEnFUVUSLRYF9+CJNXFHp2KMUcp/jUxgBiw/g=,tag:h53yL8dMJUvDXJGPoEtRng==,type:str]",
+																			"account": "ENC[AES256_GCM,data:CtgT516O,iv:Yi3EVWwuct74T13v5fC+hkmq4coCxVO/GEWmmmI4oR4=,tag:88F1FH2/L4niv+CmGlVIuw==,type:str]",
 																			"apiKeyRef": [
-																				"ENC[AES256_GCM,data:AdOmBHpI,iv:pTtU8vhWb3yMhdIFxPr2C9tnuPBVLrek1Y4AxUZLE9I=,tag:RmQdA5FXudJXa0X46x3L8w==,type:str]",
+																				"ENC[AES256_GCM,data:yhnS5a6m,iv:cYc+kTKBa+xrIR+3YQy6hlZ2dhY6Mex0lHweR9AU7/A=,tag:L9PEWVkIxHHDSTzd+zCHuw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:WjbdwA1E,iv:MkhzTfmnP/WXHyqfQs7ylZEC89L2c5oM3qMWvr8tqXw=,tag:v055fhOyP6zBZ7+oePjKag==,type:str]",
-																					"name": "ENC[AES256_GCM,data:q926w+SH,iv:/SBqxqQVPn4nQo3hNItZ/Sg5BLIv4ykzFobHpCcWm0w=,tag:CLLeblvONdTymvVgT3/g9g==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:6Z+pj4Me,iv:mx0Q3I4iFC85EUTaLrRGjtSgvCd8BuJ2+FI5zHpvRt4=,tag:OZEY2dTpe5LlFmZabgLS2Q==,type:str]"
+																					"key": "ENC[AES256_GCM,data:dFw4MaHp,iv:16B0TYwNMXbtJMCpZN5RfINi0ZXnp5eDEnQTVv3ulF0=,tag:5pkXkX6qcXe40ty21tpRWA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:8YCTkJ9v,iv:Jmhe9JDoHvb281gRNqNzGlATwOMNoCZoWJlNJ4SXflc=,tag:PivQSNuP8CtsjvkwMce56g==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:s4+oTwxk,iv:GqyUUX5SBu4dOigk93moHzKdE+cuB5VCGeA7bE7VPSA=,tag:fKDsulTaidb4BMTlYyWB5g==,type:str]"
 																				}
 																			],
 																			"userRef": [
-																				"ENC[AES256_GCM,data:o6JIPp1g,iv:VgmGp8YbNamUD+Mh7Q2rp7iQQDP7r7XZYJ5gmAuvBnM=,tag:t6CiBAbX1YBsKeTyoRx1XQ==,type:str]",
+																				"ENC[AES256_GCM,data:cT9HWgxz,iv:o3aWtVMgPEnBx6WTozff+49zA1SZexx7Nh8odQd6hog=,tag:PLarlJ11/bWfzMkuaaNe+w==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:jcbZdnWf,iv:n7GmPeLv6g2+NG7ChjSTDKnbwDR8My75fPpXn0S+ugw=,tag:j7W3IXkgW3X1BLWpqimbqg==,type:str]",
-																					"name": "ENC[AES256_GCM,data:FjoEKq5T,iv:FDm7mjB85fOqubfXxn3b5FnRp7fJTZKlvq7Kfj57rJs=,tag:PJa9dOLYkOYXBQ1pOPrr4Q==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:MIBXIudU,iv:3GJXLBqZsbaDKabb3RsH/+imyMfzlrw6pepNtwHXUQs=,tag:G9aH2crTBOnqoe7ao8hvdA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:lmsLUR1k,iv:d1kZqxtij3+q+6tGmAJYV69nfTy1g9g83MN73Zc05bo=,tag:Z6wBy7pZTzeZ3cLF6NKxig==,type:str]",
+																					"name": "ENC[AES256_GCM,data:S89JzWaE,iv:NouOIyj1487dJ7B7SaLLyXug4H0TNxd8HdKO1bEEdOk=,tag:ysMDlcTy33suyTho0RqcDA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:olWIu7vh,iv:UISVRHXQtxTwrvrA4GOJftJo9zB1vFwe93gAUYkPWc4=,tag:KmH8UkOebU7ZeTfPe4Osvg==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"jwt": [
-																		"ENC[AES256_GCM,data:65p3CqVx,iv:PXzATijMR0mp2dB2OHnslLAmySDo+uyrpkFTx8iTpCw=,tag:SJTygpgS2SLNXszC/zK2TA==,type:str]",
+																		"ENC[AES256_GCM,data:EKDBYKvK,iv:le+6NBE/fRIAprDnIW7hP8HhJwxIrZl00yPjVilar2U=,tag:ghMZ++isj7zM34LVioCbGA==,type:str]",
 																		{
-																			"account": "ENC[AES256_GCM,data:8982ECO4,iv:jNFhgyFfclIqZIiZwf7VmYwx8kbzLBTQy95l2WtiY6Q=,tag:A2XLtpQ4QcToigDTtO9ARA==,type:str]",
-																			"hostId": "ENC[AES256_GCM,data:Z7FU9F5K,iv:YjBV/4tjjc9WBdVx04NcHiUA/JmCBylnsmugPlkgOzM=,tag:TtmFYZ58K7rsItSwmyDkYQ==,type:str]",
+																			"account": "ENC[AES256_GCM,data:yfSa7M9J,iv:B6y4jT5CBqr/bgrpB/oZ+woZcSohwxB9a8ivXwjXWjc=,tag:anSYKfdMrY+su+GZnbgojg==,type:str]",
+																			"hostId": "ENC[AES256_GCM,data:fKbe7WUe,iv:XzDyf0E0/eA5Fia6v5PR/cU2vhbe8ja7pUpW9YEcaLY=,tag:cfAvLpKC/6WuOUdQNGo5UA==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:S0qQeOtU,iv:1E6KRwPT09jqruiHWt60+QsIo3BA0lF7+uYzTLGIvfU=,tag:j+f4eT5Ml2XK8GHidPPWEw==,type:str]",
+																				"ENC[AES256_GCM,data:IsSFXA7L,iv:XWNuz/ikmk9S4t+p9As3oL84msFqTBF3b5oTY9Bj5sk=,tag:58J5eAOMEp7HDN82WLep4g==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:DYHxxmKP,iv:19OdoWcfygql/CilDYMe9uFq/lbPt41N0Q4H5J7H9hM=,tag:METJ5n6ewDoCUyZbD1kw6g==,type:str]",
-																					"name": "ENC[AES256_GCM,data:HS39iztO,iv:vX1YSHCJPhTXuORylP525Z0b5xV3FvU1St5jTwSqgmM=,tag:2ZIGsT7e/w0LtrLWcLle2w==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:APbcc2Ds,iv:Pi5Psqp9xi+iT5nVc83H0kXDuPxLz5gT7Kt5GqIq6QU=,tag:RoMBBHrx9IrTdWXmoeHf5w==,type:str]"
+																					"key": "ENC[AES256_GCM,data:Lx9/oGkR,iv:za7r/yLg1hPfc6aePqk3phXZysnYS/c4V5uDK8aCm+I=,tag:5QLdNzmLCao80hJQQD1OlA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:eoQDQ+Rg,iv:izvmcriIiHIWNKSh0w0D9Et9Be+uDW47cnUfWVC09v4=,tag:sSC7Sz/W/cTuSMYbSRJgXQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:3QnT0XbT,iv:tvaZbBKJ7QnXDTU9Zboh5jYegShhjogxxn/Me5Ts/Vw=,tag:5KSIlSq4IIx/4C026rrpsg==,type:str]"
 																				}
 																			],
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:+TiN0S2r,iv:1d+TZZXG/HrObDjOQtGIFngxN5lV74VX6yc+cTOcyGw=,tag:ZjVG9dhUI7xyAInSIMb9KA==,type:str]",
+																				"ENC[AES256_GCM,data:iWWFj/fw,iv:q6YcQABHDZtNlDm/WazdMKADFBzCAClDuyxTaNXKz/8=,tag:yiMCwjuXXZ2J7VpUu8Y+og==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:It3xJw==,iv:ZVEKDELjv0675MPNtcVrz6hEyW70WEyXpU2wLw4RQMY=,tag:3/rMBcEDErGXsRUsRzTHAA==,type:str]",
-																						"ENC[AES256_GCM,data:E3YY8QFd,iv:OByI8dzHotze+GdEPXS1ZOMP7sdt499UfE9cVqEwmXM=,tag:XpFv2VVluDJPuls957OMgw==,type:str]"
+																						"ENC[AES256_GCM,data:ZFDW5Q==,iv:55NY6WFX7oFzRs+WHoEoh3zZXQcqLbSp2fzfufXadtc=,tag:HQHyu9misvzWnpaAvNTMSQ==,type:str]",
+																						"ENC[AES256_GCM,data:s6LGs84K,iv:bxDowXoqN9nrTrJ4dtFZU3tKVN2zemuDR0P+xCLt2lA=,tag:24BQAnm74pUKI6Xrt3fCJA==,type:str]"
 																					],
-																					"name": "ENC[AES256_GCM,data:pxIRUARb,iv:l+mDFyuhtJpak2wJWfppkkL8R9QVTkjfeFBjEcy2+vc=,tag:wOPyt01fcV1cLB4U/AFvsA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:u1APa9N+,iv:+pSeNpshKp2zxyAxyH/sF0mxNXVwL+jP5EfUB3+KIxA=,tag:8kYZb0G9FKZaEdfA1QwvGQ==,type:str]"
+																					"name": "ENC[AES256_GCM,data:yIlf5hmP,iv:Kbas9mnefq6ienh+Saakq2o2S9b29o+42sqZ+rImruU=,tag:uRlQTy4R2RlEJ0zrWA6DqA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:bLkOGUno,iv:zj2sqyO1kufACjt0PrZ4musievJiX5+AHATckBu5ge4=,tag:Zz+t0ESwe33qH4v2+3MJkg==,type:str]"
 																				}
 																			],
-																			"serviceID": "ENC[AES256_GCM,data:PmF/qp6i,iv:gHH6HayKQ7J6MTXuJbdZX5ad0QYQ0fmirIpz8tfi8HQ=,tag:ugTuCRily9gRPr1bZGdAug==,type:str]"
+																			"serviceID": "ENC[AES256_GCM,data:NEL49XSx,iv:6apkyHnoZBCFiLKh8e4SXq3QjOzOMyrMoUxm1dP+AkY=,tag:5kY/chEgcfuyg+l3uH/pOw==,type:str]"
 																		}
 																	]
 																}
 															],
-															"caBundle": "ENC[AES256_GCM,data:oUlE2DpD,iv:yWjc16sO9T6lLwfoK9WNh8QlNjuk8I6yhhCNBpCZOj4=,tag:iFkxdDoAQSQScYiJ7rkBhg==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:23oDx6yF,iv:LkZn1+EOMAmYNlrNrS7k8R1eJuZ+cJ0iJCzfYK2frjI=,tag:OkdIM8yGdymBEVEn4TVMBg==,type:str]",
 															"caProvider": [
-																"ENC[AES256_GCM,data:QLUwCfbt,iv:p4+U7tiT8MRLyaw19GRW/CHLL4ualo/C3TwcgL7wEQ4=,tag:cQyENZDiOTeRI90gHU1KZA==,type:str]",
+																"ENC[AES256_GCM,data:BABIQY9n,iv:A4Fl/f96gk+tSAL6FAj0SJDYcMhQ5Mfztg979fYenb0=,tag:V/CUH2gpu8BoultgXER3nA==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:YtDOJtrX,iv:+iiUM244M7vj8kfiS+TGss0hRIrL7B+RDjvNrov+eT4=,tag:vEOQ65Liz4ILF+MRJqpgrw==,type:str]",
-																	"name": "ENC[AES256_GCM,data:IVQA+wGj,iv:qCIJJ5Zu7nFcQ5AaiA1cHnYpz1uN3U6qkXY8Y/6PXXI=,tag:6B7KnFei+U+ralYrOT5ryQ==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:oX010F0O,iv:6saZScgO9qoA5GpAjoR04wo1Wapkwy7g8Ia3f8GGj2s=,tag:DpcfNCSXhr8RbHCr9B/tLw==,type:str]",
-																	"type": "ENC[AES256_GCM,data:XEFfvwN8,iv:zEAKlofOcj7cDzhn1Qr75Ab7nLwldrUT6BDAVZ6nGLs=,tag:DCDdXgoEhuI70tbukLEz3w==,type:str]"
+																	"key": "ENC[AES256_GCM,data:yXrHK1Vr,iv:c6WYwJP9jFQAIiNJgEbH1vW8OMvLWSjOgFrNDMMALrU=,tag:YbIX8cUnhtagp5oIzV47Sg==,type:str]",
+																	"name": "ENC[AES256_GCM,data:a6OSb2vC,iv:nczPc6LxaUhsuVwzP3cHMqiDZHUdzIRsTiOGJOxW8OA=,tag:EjGSl4W5FDvcV4amWe+cAg==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:eCCZ662r,iv:ywsCusD8Yl/Eqxx0lz14znaaRCt8KSpOjJJokCPE0PU=,tag:Z586FHavuStBg5VYlcbL7w==,type:str]",
+																	"type": "ENC[AES256_GCM,data:azuP6Evk,iv:BggMLmlcH3Rf8yUlxRxlB6/zWqeFOVU0JNvjG2uLQ7Y=,tag:WGU1y8gxVE9ZEr9FngDEhw==,type:str]"
 																}
 															],
-															"url": "ENC[AES256_GCM,data:T29BuUW9,iv:JKx9zIqKwY593ORDP5B1sTmDQWAH7YxOvoGYzpyXQuk=,tag:pGXM0in5f/L5rIxqVmgoBg==,type:str]"
+															"url": "ENC[AES256_GCM,data:8AefE8ca,iv:sgy7Eyez5t8rklIphTwyw/CnJ0RBLiMfGIiSmfoPBpY=,tag:vAF+dFTquYFE6CO9LY47gw==,type:str]"
 														}
 													],
 													"delinea": [
-														"ENC[AES256_GCM,data:O7zWrCkb,iv:3sTEAh80/Hsh5hL4w3vL59prH8pV/ZC/8xo6JO1hz/U=,tag:pK4IXMdw6/n9sJPl+mH3yQ==,type:str]",
+														"ENC[AES256_GCM,data:1yr02k9g,iv:8bk7HUn+HOb1GyvprTb/o0mYUlG4mrGPlYXdV9Qs9Yg=,tag:v4Jm8zcTkRF2xuvAi6bGnw==,type:str]",
 														{
 															"clientId": [
-																"ENC[AES256_GCM,data:3/qvqyXi,iv:1H6H3IPLXKyFayrGYBqwDOi/LNTUYRwk9JNd7CDwIdg=,tag:q0Y6Fz5TXYuo0qjhcBHi4A==,type:str]",
+																"ENC[AES256_GCM,data:BzLKbRCB,iv:kSlGzFHom8KFdTxfkDrveff6+B1FtKDE0OLderUA3H4=,tag:BDgBs1Q7yNgi7ocHIdUrsw==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:tC8O+yjc,iv:G/QT32x2LW2kU9jEcE2EhfN9SdlBiOu5emeyjdrLamE=,tag:6dAaALqkdSFTjTLolzV/HA==,type:str]",
+																		"ENC[AES256_GCM,data:Abee+Y51,iv:Djt9R60mDhMswuNrR/XvBwiBR4SyoNtsBO0U0WK8Alk=,tag:k1HIE8NOqieV5hP0OoE9RQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:cwG6vnKG,iv:SQWJkiGt1s1i1OjOQ/c9FK7kh9BepNUZV36s8Yt3J1U=,tag:Gi2f03ZkJGsjP2GEwcTA+g==,type:str]",
-																			"name": "ENC[AES256_GCM,data:ED2wgLwe,iv:WqrJq8f07r86yw3mV2eNZWh0lHctzOygbTz6tUzDpog=,tag:B62qyq36vJQIqART2r4K4w==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:kvyOCBS/,iv:LP+6h2ZnqrESQ40HLBx03uuQrTCblw8Jsyn1MWiTNxg=,tag:wrHuIUjmcn0Ax52d0hopyQ==,type:str]"
+																			"key": "ENC[AES256_GCM,data:As+B2eSm,iv:+GUOWhftvz12e16gf2OpPylqD56sJ8qrBCvEE3ntlgU=,tag:QGF6wAEw3ikdplusfDA+Uw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:sWAsmbWw,iv:EAswALaT/PbWySlIU/gpm2uG6pXseDdd/PpwgH1daU0=,tag:G7drs9K+tV/oqUhHxMsM7A==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:0YqBAa6w,iv:RMXiCQtZ4/2h+MIrrvUoTAE6ryLHLtcZAdlDtIa/eg8=,tag:gq0Ls2m9gsGHjV0AtJeMWg==,type:str]"
 																		}
 																	],
-																	"value": "ENC[AES256_GCM,data:RXrFLFmo,iv:h4UBs+O0UZOP8cMHMc1DeWldgt3Eq7TgUjtvToYPPPU=,tag:WwZm+ZUHdGD6TSAmCRLHhA==,type:str]"
+																	"value": "ENC[AES256_GCM,data:Crn4Gc7E,iv:Y05Ke50XyCrcMj7xpk5b6b9DV6ObQGSKXIN+SSGLLjs=,tag:KwV0nw2HpMjqipTldTADHQ==,type:str]"
 																}
 															],
 															"clientSecret": [
-																"ENC[AES256_GCM,data:nMTjvbPV,iv:UGQdqTtvs6qXg2vlmwNNPP3yMJr/5z7DExtLD5ZZ86U=,tag:EKeBi8YGHBRuGJXd6vspUA==,type:str]",
+																"ENC[AES256_GCM,data:3iPBmy5B,iv:jCpZXq+0IYhr0iskjCzd3T/Wi4te2TxKNLcFoc8hRYc=,tag:bdHNXpmqHPk5yeW2t3nbDA==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:8rVSJKor,iv:RJqdyUQD9emk3fqm+RSPF5bBJbopGdnC3vxJ5JM0yKY=,tag:RS9sG1agiMVFL8aAm72HyQ==,type:str]",
+																		"ENC[AES256_GCM,data:JL9N67Wn,iv:E62BTsIZLqcB5hL2XwCkikbWRdpxzHz0Hzhpek4MlwM=,tag:vdwZC+waHXxyPX3DY9zL8Q==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:X1Xj58cP,iv:Huwln4bhvnnT5CQsdCTI3imCTOuM0C24zwNNA96ii0s=,tag:jz/5vXjIb4zYobz3nXbZPg==,type:str]",
-																			"name": "ENC[AES256_GCM,data:BaFPb2X7,iv:jpquWDYlbnhBR3cxME7xzyO6yWzXSWq0eeSw4vBcvpc=,tag:Pr3ND38HY44b3VuEvogh+A==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:c+jf1JF5,iv:6FtpcPfa6GF5HerUEwbGQt5jKVfvg6XbZZZEyV85KyA=,tag:+3yF2f49vGVMFjUKuA1heA==,type:str]"
+																			"key": "ENC[AES256_GCM,data:FbSIeI9a,iv:b+DwaEw/DlLIMu0ZBFG8LZ6UYcCzSljqmr3ujZCaptg=,tag:r2isBeo2kMowN8wF9nhn9Q==,type:str]",
+																			"name": "ENC[AES256_GCM,data:6sYQwckI,iv:20Ad2LDi6HHOqJt/fe1O5DX3vFnvXBQpJbeX191WZz0=,tag:G7YtBpZLyqZe2vQWmMLoUA==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:8ovVNRX5,iv:rwW1N3cditcVRinUXhq8Zct/4JjqEkHdWT2Y4GKGUwA=,tag:dswXnyDDbhbkXQyPTARsvg==,type:str]"
 																		}
 																	],
-																	"value": "ENC[AES256_GCM,data:bdujOhm+,iv:4aceqEogNnKSjmLY9KBOco89D4ddNfV+CyAxwVddmlk=,tag:XtnFnr3LTWKySMGdPkmX8g==,type:str]"
+																	"value": "ENC[AES256_GCM,data:BtHbXcT8,iv:1FMEyDolv9asw6cIkkdGXuIw6b0UTuGtDcgQ1nbmlxE=,tag:PBkBRaBcBG3vbEAzWMZ8wQ==,type:str]"
 																}
 															],
-															"tenant": "ENC[AES256_GCM,data:UvTtJQM6,iv:lxPQuMDNNMWMLUXwUcGko8nX3J/5P8SX6xFFnSrSq/8=,tag:MWjDc1zIjFiSNTv5ZhBE0Q==,type:str]",
-															"tld": "ENC[AES256_GCM,data:YhEjNmcb,iv:qomeBeY23buOuREhPtbK0g77r+F6vL8KXNdbtoPI+vs=,tag:8F4RmDz4ryiw2Jh4ecF0Tg==,type:str]",
-															"urlTemplate": "ENC[AES256_GCM,data:/DTjzwPP,iv:MCGpSvAx0Mn5qoEkKkF8jAz6o+fyc3KDzPzW6g2vlLg=,tag:P0E1E3obN9dxSdpdbRa8WA==,type:str]"
-														}
-													],
-													"device42": [
-														"ENC[AES256_GCM,data:JNVXg0si,iv:834ZAaae260XoBQ9ro3Jbc1oG80WoqowIMl1yVe6KyY=,tag:HyxFpjf7rWUc7EAsONQ13g==,type:str]",
-														{
-															"auth": [
-																"ENC[AES256_GCM,data:bNLQXG48,iv:ITw5kkaLbodd/08HSjZWIPXHoX2SABOEpWaNELm+Ycw=,tag:XlTsYe92Rd+eAbGSt3XfMA==,type:str]",
-																{
-																	"secretRef": [
-																		"ENC[AES256_GCM,data:QTvp0RNH,iv:vB/oS5rZCgDOSGgaceoYytvtCxq+HLYVHNkXKRgPRqQ=,tag:JQ7pd0R8xQd2wJ5+LjB0mw==,type:str]",
-																		{
-																			"credentials": [
-																				"ENC[AES256_GCM,data:xEIdR9rK,iv:dGQtlSpmimglxne0TwY6sw4C7bE/B7BP4cZw+9MwvZE=,tag:641PW+B/6gLM2iObdylpcw==,type:str]",
-																				{
-																					"key": "ENC[AES256_GCM,data:yOHK1ri7,iv:RX8s5mCnbOWSLfts69LWtvbd+ibc4XbAiSxahhn8VCc=,tag:EMhM/0FoihO+GZ+7RdBLvQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:VCETNRBu,iv:7DDcrwVJKaL2jb2T2hsIZagCaa3sZf1sxbCKO14ed+4=,tag:mENj5mpSH64Z3nbbF5JTsg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:O3nNcdqB,iv:l21rR9uKjT0Xv1ZI6ZVpJtZ8OuT2ZUtLKJLt4D8inOU=,tag:3vD95eB+pY/QRoTDATgqnA==,type:str]"
-																				}
-																			]
-																		}
-																	]
-																}
-															],
-															"host": "ENC[AES256_GCM,data:niztEj8y,iv:/bsewZ/hZHPmKTyY3HyQfhqi3w06xK5ScLcjd3wKC84=,tag:KxYyF1ZVuGl/Y2Z6KYkr2w==,type:str]"
+															"tenant": "ENC[AES256_GCM,data:/g7RVJVx,iv:hhejOOR5Bx+yADNZGBJB/5P9tlwKLeSjAdI4Rsgd3ps=,tag:LwGxJ+OB95Q+5H25x8mlmw==,type:str]",
+															"tld": "ENC[AES256_GCM,data:ssE2q//S,iv:NOVZGQJFY1RyIZ2tXspD5b1LzS2j0u+s3dvau4ZB5rk=,tag:eNa1LFNWcVqZrUnrKk8wvg==,type:str]",
+															"urlTemplate": "ENC[AES256_GCM,data:UR/CYqFW,iv:m7fl4Fxb68OxWypRV9EKXHOR2ffM1lDkws261wqbwV0=,tag:85NamPUq3Zr7t+CoDbmTKw==,type:str]"
 														}
 													],
 													"doppler": [
-														"ENC[AES256_GCM,data:jSgTMbzx,iv:vpF/EAds3ybgCEM7kZQ1H1jUnVB/40x9hvAXnMsd40c=,tag:fkaGWVJhGN8RNeyIUK33Ag==,type:str]",
+														"ENC[AES256_GCM,data:ykD1qMYA,iv:yVQgmReqjKynZiBg2TxiTagqBxR9k/ZRMC//50pteic=,tag:FXQJy4+aluJUA+LVsh8P/Q==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:SWwhFKzr,iv:S9LxYdjhgPFtpCSpMO2uIFklg20cSSYli0wqf2bjntI=,tag:PanL18kIKub0kRURrp4t7A==,type:str]",
+																"ENC[AES256_GCM,data:CXh+hypr,iv:Pij8lf6Orps+uAWlUecgHsO2qyvQbyERWF4ixXqF8ds=,tag:UxKkkZPvrwHMlIalxwb9gw==,type:str]",
 																{
+																	"oidcConfig": [
+																		"ENC[AES256_GCM,data:vAlrOU1v,iv:/Jrxeyy38+EK2A38q9Hw/zZOV9N2Y12ZmW56dHRWY/o=,tag:kYXg8ybqmOYw2ifh8uU2KQ==,type:str]",
+																		{
+																			"expirationSeconds": "ENC[AES256_GCM,data:l/asOVah,iv:QGLpUZpu64AGH4NU9THZPCfFt27UlTZr0IXWyQD/85c=,tag:Va0anUILDk3jQ2w27Rd/Gw==,type:str]",
+																			"identity": "ENC[AES256_GCM,data:zpKwKFrG,iv:jUC/dabf75HchxRWRf4kKRGr+ce7KUjCCIONjnS+U24=,tag:B/yM/kkqU8tKWwWiyVp/LQ==,type:str]",
+																			"serviceAccountRef": [
+																				"ENC[AES256_GCM,data:8SjkaCzW,iv:tDVhvij8C/6JvGZ4lukZa3gmcphzWIvQRiRGREJva6o=,tag:SkmscEWJh+pWXLMrfWcMZg==,type:str]",
+																				{
+																					"audiences": [
+																						"ENC[AES256_GCM,data:oRHCnQ==,iv:11dVPzTVLwFirCd7vF1KwMoIrLjJyHiAqWJDhpP0yxY=,tag:UvTR5YEr3JdnN4T339xjNw==,type:str]",
+																						"ENC[AES256_GCM,data:xmEXXe9X,iv:BaXXw/tN2O8UxvkVEA/z5k94YkV16vBWyU4v+VVAmvA=,tag:olXvY05T9dBs2EqLu8cGHg==,type:str]"
+																					],
+																					"name": "ENC[AES256_GCM,data:YJxUkQOb,iv:ilMXq8W/ZXHa9qvRuvOs2NSK9y64WOQBjhTj6yBY4/8=,tag:uakHZIl1Qy4xLpTYlixCAg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:BNpLWUUn,iv:Yv4fVUsBv1XUZfzi4+tJx/CDvksEiqcFR3Z1mUijkLQ=,tag:j1UWERs9qtnF8XtQCY02ag==,type:str]"
+																				}
+																			]
+																		}
+																	],
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:THCUG/xa,iv:Nj6blihn2DeV97YWiwvdNNICmHY7AmCL1ptLhvXfOW0=,tag:Odk6v85EGzTmAgie7wtX3w==,type:str]",
+																		"ENC[AES256_GCM,data:WqGNo61p,iv:Ei0s4JybUiasXU5qj3wRbJVAWbZkDVmNIyHJwVyjyLc=,tag:wzJRyKablYrwuRd9EB55JA==,type:str]",
 																		{
 																			"dopplerToken": [
-																				"ENC[AES256_GCM,data:r5ixFj/X,iv:sOlhTHAkfaHK8I6CoNDum2vlogxGejp9+ZAeIMngHZM=,tag:13Ndun6QJx+AGo4SaOlrnw==,type:str]",
+																				"ENC[AES256_GCM,data:8J3oAxIv,iv:LE0q3zUg5tTb7FJHhWXtt+R1tghWXT4Zstm6KvcpW0k=,tag:LLH+wy57duymbaxJmyqr9Q==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:QU4GViKd,iv:64NuucCHPrlZJlSdCgZ4AGqcQVv5dy3yfjkplokVS9w=,tag:4kpyLiL3OYQzp3LsaHAokQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:7vf0oa/H,iv:9Myfyr8UfRYYBCs5QFjOyObixHEohVAQ7VHZ9wvzlJM=,tag:8Iyk6AR8sFP9S13VueCeaQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:RihP4jHI,iv:/cTifwd7tGmGJOOFstaTNlj7nil2SbuCpfMNMyvd9LI=,tag:GG/RIlBqft/JMNAGwt2+HQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:vLA+gJru,iv:PmNI6G7HmWMfWNWC/+M0J9db26CtkUovqRe6ZP4MHVs=,tag:FekAGlCf1+kI0WtO05twYw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:cI7PiPar,iv:foNFJF4WcfggU/oDiS4q+cKTM+UKpYgMfzIg1mvQN7w=,tag:bp5ZBbHIMv6gWhchseMW3w==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:MAdjD8XZ,iv:/t7lQ5P2lHY7U1ynSmhifFnn1amuigQnIMGvi27wOpU=,tag:wuMO03n44pg+XmbLqPhSwA==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"config": "ENC[AES256_GCM,data:yjGmokFK,iv:RjM5v0//2xlqn8a06Wx34mAZWwlGE+JZlxd3y5CrNOM=,tag:ShBR24Sdsur9Aamaxn9y9A==,type:str]",
-															"format": "ENC[AES256_GCM,data:GSp8HQCr,iv:GJYdLyKmBLtrHMQILw1DKgHAX65smK8bB0jXXNxD35M=,tag:9RPU3MAHBEXGXFhklRQc3w==,type:str]",
-															"nameTransformer": "ENC[AES256_GCM,data:ErgwbzDD,iv:senGxujtSJeWVw9wqUNJvAWnxcKxtfYdyuUQs/mzuFE=,tag:z26OLqYcjdWviD3OmYSQqA==,type:str]",
-															"project": "ENC[AES256_GCM,data:BxeKqDhw,iv:IufTPO2G6TXLVxt0d9J6cefl9nv4AB970ZycC+k9Stk=,tag:ZzUy9f1hrEiR8aZ1+k0lhA==,type:str]"
+															"config": "ENC[AES256_GCM,data:XW8B3n+w,iv:lFkJhT5CwfEtZv2lgSe93dlLTunPl6k8jjj4HMXMzPo=,tag:VUQHgn0aITJIOIGGQsNWXQ==,type:str]",
+															"format": "ENC[AES256_GCM,data:yG2NUmb7,iv:5/cHdJCT/kE+qNbJQutBijvsxOQBMakdKpevxVeMxUk=,tag:w/xE8mo5xw7kHCi2Cthvng==,type:str]",
+															"nameTransformer": "ENC[AES256_GCM,data:W96PXwLU,iv:0MGzdZwxKjDalUf/3HBHkwWZB6/SP1ZuTvhLZh1akTw=,tag:QWCYMyqergI0F/35DoS+LA==,type:str]",
+															"project": "ENC[AES256_GCM,data:h6+RomlK,iv:fhiOy/4h/Enc5JsNCO1WqOsYC1lfSThQcEgYoik2X3U=,tag:P1KwWXEv2fFoNNjpPCusfA==,type:str]"
 														}
 													],
-													"fake": [
-														"ENC[AES256_GCM,data:oPDxBuWd,iv:FDbuhNXQMjGMk5F/qKyfvIe2VUnH8RnkfqNwxMx37N0=,tag:qPf+ShyRC21rrYr0AMu9Ig==,type:str]",
+													"dvls": [
+														"ENC[AES256_GCM,data:M7Zs0ntD,iv:NieT5uOyDfsqbw4zZI77GkDtDFKZPy3tNIOgLmfU5ik=,tag:4YynNxlHTAAJZ9ZQkzFnSw==,type:str]",
 														{
-															"data": [
-																"ENC[AES256_GCM,data:ijJXwA==,iv:lNTmj09JuoUJTEm3xDbMdapp/FCQzrMOdUVajdYFDmg=,tag:MgYSdH2fuDrHKE5Jst7gaw==,type:str]",
-																[
-																	"ENC[AES256_GCM,data:9UaKRC/R,iv:pMfBROCJLoB0X7qd2Wx4uLwduZugZqzCnrBSh1RCKkQ=,tag:SrG4DAKwiE4v6DL0N819bw==,type:str]",
-																	{
-																		"key": "ENC[AES256_GCM,data:yKvJIt+p,iv:MXYM0a/SExyBVgGfpCY+S0+CNdUFZtugiiqaoel9ttM=,tag:q0MP83cNwYBZ37yc39xRSg==,type:str]",
-																		"value": "ENC[AES256_GCM,data:zTJQbQV3,iv:67/JsNr+dmAWDn3iW+sQO4N2IgtVWErxoleW888H4S0=,tag:47U2LmVHcJ/t9KyNYto4ew==,type:str]",
-																		"valueMap": [
-																			"ENC[AES256_GCM,data:/cdg,iv:8ZKYjLl1oLZp6mbkYdOt0KmVUPSG1wYdhYScfcH2fZo=,tag:FoiyWxAT4RdI8joWhysQ1A==,type:str]",
-																			"ENC[AES256_GCM,data:zJ+HaKwZ,iv:fogZo3VHjdSVL9Y+Y/1K6ZgOGKEyaR4WKLG6kAQya5c=,tag:e/E0+fQPPoVqniZ38K9w4A==,type:str]"
-																		],
-																		"version": "ENC[AES256_GCM,data:Dym8MDgd,iv:Arg/K3c0Dix6CiAx6ydkiV65j4PbvkObNeaRkPIm0eg=,tag:ivJuCNESNBGiyBtbfE0iBA==,type:str]"
-																	}
-																]
-															]
-														}
-													],
-													"fortanix": [
-														"ENC[AES256_GCM,data:f8KmfItj,iv:m0htlADMeokjEUk30CZ/9tbPsaRtQN/JqJWZ13RQXc8=,tag:FqdNiTIjWjV0zpJrSRFsCA==,type:str]",
-														{
-															"apiKey": [
-																"ENC[AES256_GCM,data:sMy+ZK3N,iv:AufuNDvhqtDYzp2UKdMEto+N96s49cGco5wLh9lcnu8=,tag:6jCj4N1sPy6ljMP50Y8ONQ==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:xZz46hiZ,iv:2w9oxy3ZxkCvIspEaSE8C4XAebsxoEICZLucyQhr3fU=,tag:l1AtKhCOewEfyuDV07ieCw==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:eQKqOYGJ,iv:i2ba2576yV79ffD9hEUhR/awpvRvijpnN10GscwnGdY=,tag:jdiSQ/92h/uRyBQLp2ANpA==,type:str]",
+																		"ENC[AES256_GCM,data:OuEJlHIT,iv:93WgxR1fSI3idK69+hXkgsIH7s4kZgOAhYw7w3IFcI0=,tag:mj+eafBhyHYm4dtKLfcylw==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:z6gtaqll,iv:4r8BSZpE+P/elNNOQ4p1BUMLtiEOo7fRQ2aS2IqVuAI=,tag:y6Bvq4bSrPnoUKlzEDcsiA==,type:str]",
-																			"name": "ENC[AES256_GCM,data:X79xJyLP,iv:H8wGSdcjK3zVzwwyaIub58sZtYsg6o5JlhcyHjZd2Es=,tag:2+Egc1IqRCUQr280ncje6g==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:TT9JsNFk,iv:JtpCwqkv8/ttGDd658ar+KCHuSET6HXZzT7i2eLpLD0=,tag:ewRHewYaev89Xh9FPR+XaQ==,type:str]"
+																			"appId": [
+																				"ENC[AES256_GCM,data:InY27f/E,iv:/iKNRWV9ZCwmmJTY2B50IxuS/GRnx9b2H2CWKKpItbU=,tag:DLxCDK3tutEqMS7Chjw7rg==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:tJVAtVMC,iv:JSMYsNIVXcnp0oSygy2mzAWjuSERJ4pwyVgLFXYXOkI=,tag:D9hZG8NYVlCpXc7FljYHmA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:F2yp7odI,iv:fN10CiZQdWIDin9CkQPvDdmSJ3CrGNHiOHA4hVXD0ag=,tag:TeAL0XfKr8L7y9aoTElWfQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:kVppy8Z5,iv:TD8qcuarZX7QOU/may0/UtEPCWht1/LgCHvPR6nZ0ZQ=,tag:vrkvWe8zsi49srlYo/1WBg==,type:str]"
+																				}
+																			],
+																			"appSecret": [
+																				"ENC[AES256_GCM,data:fmTZUCN7,iv:r9Pka/aDzNhkQ/ihPzXKd070SBzA8pyWcdzZroorofc=,tag:1MgOQJmVfOpf3+L4wSNdMg==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:0Hyd1Yo6,iv:99tLZatrMoyE4Hw2MSrQ3ZVt6SMbflJH+Qu1guYt14g=,tag:sqY3of8yR0yS6r0z3q31mQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Q5MBj81a,iv:8dNghqeyl2gOGStNovanuSm8GibfEHHV2BBMumnbSIw=,tag:RUmN+d09s6Q9CUl4ohcSlw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:2ZqO/RNC,iv:56wNYNNBHRecq/OJaZBsVZmUGovmfm/ytzLj0ldh2AE=,tag:ToZ/UgciXVo3noqk4Oq5DQ==,type:str]"
+																				}
+																			]
 																		}
 																	]
 																}
 															],
-															"apiUrl": "ENC[AES256_GCM,data:+vwSm78K,iv:zfCY6zVR0jnp02bloMM6oN9+DPzFxFy4ZT2wSoqIwrU=,tag:KiJ1lzhqrjFcMeBssiyf0w==,type:str]"
+															"insecure": "ENC[AES256_GCM,data:FWaUGQ==,iv:asUQt1zdMCsUUndRydQucRwjrVV4ywo2IAgWT2559Lc=,tag:ZQeJ2Njdqe3XDCfeCiBhGA==,type:str]",
+															"serverUrl": "ENC[AES256_GCM,data:35fr0fW3,iv:a/dlNIaz0eryF+PZQkQShhLll7udVCSvjGQCwihIKs0=,tag:/emi6tIpH4cfA1zGduexxQ==,type:str]",
+															"vault": "ENC[AES256_GCM,data:eX3D+E61,iv:5YQe4/lThYlGV0pU+iwK4xU0nYycezITMdoW1N7zhQM=,tag:UtVrckUXT3ZmcvmMzE30mw==,type:str]"
+														}
+													],
+													"fake": [
+														"ENC[AES256_GCM,data:6JLGeiL6,iv:1rKWgwUJmnYNZ3aplt3VqILqGdpvz+cfC9izmDBZ4Lc=,tag:y+j16k4MqMTwsndyaxuv+w==,type:str]",
+														{
+															"data": [
+																"ENC[AES256_GCM,data:4SUF/w==,iv:rNYLdsskGqnto0Ys4VQ9IN23maBawO3D1quua8wCkAc=,tag:3FYaU8RJa9vE7EDCX7uU1g==,type:str]",
+																[
+																	"ENC[AES256_GCM,data:6fYIA82A,iv:dPzFuUUUqJSm358CAXD6T2bKT+EmUjHWsjWFG5PNqwE=,tag:7CbvcorEOVBIfUmtZjeVUA==,type:str]",
+																	{
+																		"key": "ENC[AES256_GCM,data:H+JqFZzp,iv:gnlh/Xb4uMB8tPTT7BNVukH5eghL0oq7Y/xSgJNBGMY=,tag:tWGBX3AwUhtilU86+aa8hQ==,type:str]",
+																		"value": "ENC[AES256_GCM,data:h5acxeID,iv:yNo3nVqZNprt1MUIGRiaR5SBUhv40CJifq7wdYLbwE4=,tag:4Fvntwq5pe6jAdC2ZnFKhw==,type:str]",
+																		"version": "ENC[AES256_GCM,data:z6kCwPq4,iv:tWyefKoFPODwc1VgSf6268SdwjbzF0jaiB6846WtQZM=,tag:aB2LQQ9nWya8sH1tk6kHRw==,type:str]"
+																	}
+																]
+															],
+															"validationResult": "ENC[AES256_GCM,data:u3PCeL0/,iv:PYTQvC42yUIo1vzsZ/uCctzpIj2v5xk5/Jaz+dqcdPI=,tag:th+bIBkEfUvBUm9MoJA94A==,type:str]"
+														}
+													],
+													"fortanix": [
+														"ENC[AES256_GCM,data:Y1X5Ib8u,iv:1Wi2eCbdtYbbgQsx59dFHfg0W1BTJ/jdCBdjvwinCUw=,tag:6wIKKCH4zcqWAe5ezYnXnQ==,type:str]",
+														{
+															"apiKey": [
+																"ENC[AES256_GCM,data:7K9yJf0h,iv:ZV18j5PzpsNfbAuO5f37KpGjTHS/skvdpwoCge42RyM=,tag:JT6Hyp7DD8qXJzNtTrIt5w==,type:str]",
+																{
+																	"secretRef": [
+																		"ENC[AES256_GCM,data:qUk7BFJV,iv:YtdQQu8ebyd3N4rP78FgBl9mKRiYuX6vrwC2lxiH7bw=,tag:Q5KegyT70JSNwWAuZ34WxA==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:pJuNfNNq,iv:9urnWfNGTdq2QMyXtcw2VE74jlNtIQLhgMM3Gx9jlQQ=,tag:V+t7dOkfTQT7Pc/lo6Uokw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:Uis5GjsS,iv:OwR8a11XCGIjhNe0+gCAA6hYaURenmWOPfk56uFZznM=,tag:Swf9WPV2+h8Z+/oV6E1Cew==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:yMhBdqCW,iv:UqMuNvGtK6V23WL9DnVM3WPL3qiUAc4DS9nly7Jikcc=,tag:7+nKvH2b7eKLhohlBJtOdQ==,type:str]"
+																		}
+																	]
+																}
+															],
+															"apiUrl": "ENC[AES256_GCM,data:Dh63jg9/,iv:RbnoxZso7e8lNkoqI9ckriVyj6zCnyHNS8rfLvfwbRU=,tag:zXMeByv8loii5o79JJmeDA==,type:str]"
 														}
 													],
 													"gcpsm": [
-														"ENC[AES256_GCM,data:zPloqmUt,iv:bk8QIK5QIUUJAjhCO3SS65PxTGAgmZXIIRdxrCyPoUg=,tag:qnQIqlW4vZXjvPEosZ1YNQ==,type:str]",
+														"ENC[AES256_GCM,data:2kH4aZ0W,iv:6/PxpGZdGgRUJkzblW5woM2NZLy8w9mGKyiEtSfAY54=,tag:sh7Yb9Vms2ngPkOp1Ri7Ow==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:yk0q6Yj5,iv:LCD0KU+79QK/Tl9B+JP0T8ATQ8zKzrifjIAq9LDlXIk=,tag:FjDi9HSwL6nMjQ26mmQ2Dw==,type:str]",
+																"ENC[AES256_GCM,data:KBahmDMh,iv:8TDWvGo48HYtBaXWFgA5luJ/fwEwWHhBpX8Pj68DM6A=,tag:tWz3ekBPQ/2PqvKMk0HJCg==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:GWykx+6I,iv:QYXGMARc6rKdPbtm7BLZwKJ2fyPJb/gzVbtELPNng4Y=,tag:cdP7xHWTPUHzfolUlCyBXQ==,type:str]",
+																		"ENC[AES256_GCM,data:FgYQzfxi,iv:Tky0bYqX5dJwfo4lW991KwkK9XUCgcVbUzQtPgUTC0w=,tag:+jl86VVcYBYqQmSM6eoM6A==,type:str]",
 																		{
 																			"secretAccessKeySecretRef": [
-																				"ENC[AES256_GCM,data:fApRHzoP,iv:BDfhAnLwTixbvJq0Q4OKD6ZisuVzz3OZfeRzCwTIles=,tag:kFMQ2EICP0zkmCNL/AFJgw==,type:str]",
+																				"ENC[AES256_GCM,data:jU3ka+IJ,iv:xhq3fSAN0uGRk/K1RzfPShO00WW7HnYHFiWMsPvFdhg=,tag:ggL9evwPYSJrelB/eT2BLA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:ZKH64tIj,iv:6wESXtSV6eHithWvZIu7iEgYp6Cm6TPdnszuhR/UH8E=,tag:w2ku92DSXG1alKtzaizn0w==,type:str]",
-																					"name": "ENC[AES256_GCM,data:MFDuQAI9,iv:7hOrxHcgOR/0U3jKkgyllKOxudiPJTLRTYixFJxExxc=,tag:15OCO1d/IQPgtZ9HM4oNWg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:b2JPn6t+,iv:u5Mp6fUD2/t2GA8mE5HdHW4forABIqM4OhYoSCyzTGQ=,tag:6L25NG8atAiJoWWvtiMlQA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:Oue4H1rL,iv:wjm2BFJrqIoROeTPV/7mncy2osSkX8mbC5j5nquTec8=,tag:nTEx1K5ri1jIGN7E6hxfIA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:u7d/4zap,iv:IuZYJXq91VptH4sU8UaYnjZQHzh30QDCF6cEZKQzIUM=,tag:6Pb3+M9OCF9cJZXNrnpN8g==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:u5CaHBZX,iv:ny9XJEqOfm9wEo7rmnjKxjQj8tvFQp7YboaOKFpV2ck=,tag:p6e+8ues6t4NuVfSJ92uqA==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"workloadIdentity": [
-																		"ENC[AES256_GCM,data:kvZA9az0,iv:Z4yMig0qt/Oz3V8IIo0CurQgKdN7LT+/Abnj5C35QAQ=,tag:TqyVct6MGoX8NYFQDjDC8g==,type:str]",
+																		"ENC[AES256_GCM,data:4KWDBPJD,iv:QelFY5Lc9LI1+mjVDvgv+qfb1gAbKdWpdmnJqxGei1o=,tag:uSK2XLRNP0vXJxeVVUhQHw==,type:str]",
 																		{
-																			"clusterLocation": "ENC[AES256_GCM,data:jFcQXHhw,iv:mJyCtloQ5/K1urR4mifVDte/dcqfyxAP1LYW6sUy2eI=,tag:c5Wdsab69rZUmBlUV332Lg==,type:str]",
-																			"clusterName": "ENC[AES256_GCM,data:OcT8SXjZ,iv:4J0avLTC7I94nPqECO0pIhtjc8Qt3Pw0vb6iNgTlY/o=,tag:xMt1nEWl+9fbeRamOWihHQ==,type:str]",
-																			"clusterProjectID": "ENC[AES256_GCM,data:P+e8cEaF,iv:VKGCx+F3PX7ob5Ab7UEY75zeI4fPmB/QEnSn0NKuWmU=,tag:KY/+ZfMe8wElEkOrNl5yxg==,type:str]",
+																			"clusterLocation": "ENC[AES256_GCM,data:rCDcFBhY,iv:L2EEEIZja+xUD5DR5BUrKqf1ldHdkVVij7CRAuwMM9U=,tag:r1N4mZcT7qS+11gi8I05Fw==,type:str]",
+																			"clusterName": "ENC[AES256_GCM,data:jMcVA7Rd,iv:UJcBGd/C4Cyns+bgM09LBojWaIyN82deDhaUv+b2DSE=,tag:IoxMEC4GkcBiSExY9eQAQw==,type:str]",
+																			"clusterProjectID": "ENC[AES256_GCM,data:pydadwVE,iv:bss4kF0TDrxT+q6p25rxjxjs96qqz5vxRLL7n/4vhAk=,tag:t78U6kxa4wy0pvFkWthPdA==,type:str]",
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:e9dqZlHv,iv:LQelfdfTJnJdufeH/kFEHC9PFDUBZmuz86yDvczZpR0=,tag:7BllDw0QPyK7eS7FrB4ogw==,type:str]",
+																				"ENC[AES256_GCM,data:HORthDkv,iv:c5ANEW4VLazV9xMnYumDKjrWdIFsMF11AbqIjc0XnyQ=,tag:n8htTIsArQ4xBzkU23T+Mg==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:iEuj7A==,iv:SVLMRImHuO+aZkfxe5tdZ9lNN8Gu/fSh38snPFYA/DY=,tag:KXqP1/MZ0eFTos2OSBXuTw==,type:str]",
-																						"ENC[AES256_GCM,data:mEhr9Agj,iv:nldc1WfZ97wyVwBUHKXhNuWI0dGFmyv7uf9vzr0ShoQ=,tag:HhuQK4qfiXFp0CrQYw7dGg==,type:str]"
+																						"ENC[AES256_GCM,data:J0IBoA==,iv:XdDu0URh0kqFP2H8Uf3is/DVJca8TBRB0FXudlPS/wk=,tag:ydq9kXrYBBMnXyph0PgRTQ==,type:str]",
+																						"ENC[AES256_GCM,data:i8s5LZv/,iv:UwPXe5wVJYcYwZuewKz8byzk7ZcPt80KReLeNhoRLOM=,tag:ChozD5vMvEwPmJPYc0ac2w==,type:str]"
 																					],
-																					"name": "ENC[AES256_GCM,data:TMXc0Ygy,iv:DkSAejmVjGvmLQhRD4uF37LjHpROERX4wHo35xBmbMQ=,tag:/PDkWq/Grrlxgxyb16vB+Q==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:cmTn82Hg,iv:oHUwAjrX1U17Zpx2MGaVa7c9HZa2MVSrQ+hvop/LESQ=,tag:xywkuRmZJFQQQK4GmN9jVg==,type:str]"
+																					"name": "ENC[AES256_GCM,data:ln74/LCz,iv:xNDgA23XIjrUKGBOEMli0OoK2+Un23DPQSeYrWaub7w=,tag:1s3AqD0DSadwKCJFAXs3xQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:vhSSfGbA,iv:H/bgiGwdYz5iBWJu2bmF1uoMMwXRMRpya+itAGBp8YU=,tag:pkBsI0pec43fiKvpwWkY/A==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"workloadIdentityFederation": [
+																		"ENC[AES256_GCM,data:V5NUS62T,iv:103/ZRSMkUoR6xOL8Fcf5kF1L6GE5CZnOm/ZtalzaeE=,tag:9ll0pZFh+fRVDDHGFULhsw==,type:str]",
+																		{
+																			"audience": "ENC[AES256_GCM,data:oKlTBBvl,iv:JrdrDtLY8si1+WK+ZgVvBNR9xHVEG+MGNT0bKe/Qazw=,tag:Nc/Y9nkIPljeLAbtL9NDiw==,type:str]",
+																			"awsSecurityCredentials": [
+																				"ENC[AES256_GCM,data:RJiEe/Sm,iv:Ul35ERP2Fvz/NuLpgsM/LccOosQgA4lnbkhXvzKxi+M=,tag:CXt4XE8wcpKyrrOBv9S3rA==,type:str]",
+																				{
+																					"awsCredentialsSecretRef": [
+																						"ENC[AES256_GCM,data:cwxjCSis,iv:PH5RPNI6jue5kXbpHdWlUv0SADBCHYHwxweDASl07YQ=,tag:+ure94/fcwBF/lEoWUa7CQ==,type:str]",
+																						{
+																							"name": "ENC[AES256_GCM,data:bQ2puCy0,iv:H2kyvPwiQ/G89Gf06b/7u8wNCuG8+v56fez7powsEkU=,tag:xILhKd3hgnzxgZeshkgs5A==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:oSPlDM9h,iv:NyhGhX73LFGRPaE318KMfFawn0y6TUw18Wnvkn3G9qM=,tag:ar9NdP+CmjqihNRSTzm0Mg==,type:str]"
+																						}
+																					],
+																					"region": "ENC[AES256_GCM,data:6w4suxbR,iv:VV5KeWOO7JsZ7x6+fETbcFlAhyEscqikesgFRSqWB04=,tag:OOQrK4FGxGRKJsslwLy4kQ==,type:str]"
+																				}
+																			],
+																			"credConfig": [
+																				"ENC[AES256_GCM,data:duCwecSc,iv:qqpe+ILfyHClZbLW8mFBjM1e5zS9bQjodIBxptjF5kk=,tag:NmH2D4zd4kWJh2//RRPcTw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:u4j82d3R,iv:qejXwApOFHFj9zQ/PwARVHeXFAOxDzVSRpI/m6Qmflc=,tag:nSDcQfwfsViaaJlKHfQcLA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:sCpUEZgS,iv:AMLKJt8BzoY1XOt423OsD6/snCdGaIKCrxbzynW5JOo=,tag:jIaYZjKLiCxvjTWtL+bMyA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:NWQ+D0s/,iv:HHL49oEmDQVVfpfkjmHfEGJWbrmQNhqDCGuxQ2MWyI4=,tag:6ai8l0ZxsxixH8GV3zClsg==,type:str]"
+																				}
+																			],
+																			"externalTokenEndpoint": "ENC[AES256_GCM,data:Tw3C7dsu,iv:0s6uuXaVhqBpiJO1eQRxBBCyvkBHpGbSE+okhmDK6j0=,tag:V5Y5WsLB4TtzXtpG3hHqCw==,type:str]",
+																			"gcpServiceAccountEmail": "ENC[AES256_GCM,data:78ZQD0aJ,iv:duKYYDUiXrLQkdr6gE9pEqRrVyqVPwIPPKQej5cU968=,tag:hlKuPY990ZSW6BxNepC27w==,type:str]",
+																			"serviceAccountRef": [
+																				"ENC[AES256_GCM,data:H1UJPgWV,iv:9ql0Au5qPgRYlC1X/9gjxciyUxBU1WhpdK9iO3pTp/g=,tag:oBVOYkoIvkNfwtmLwcSRRA==,type:str]",
+																				{
+																					"audiences": [
+																						"ENC[AES256_GCM,data:FsfV2g==,iv:I8/aqBXTP2pYPbkbVpa/JsB5PX49MRyYs498lxo24UA=,tag:rt3FmlYi6vMBQAKpBRPoVg==,type:str]",
+																						"ENC[AES256_GCM,data:dyRFNYfd,iv:ldvHPEVhodQ+kPjed6yeaK6PESKDq+oueWYzndtlRo4=,tag:XQwFw7mKzAxyqx57ibiZVQ==,type:str]"
+																					],
+																					"name": "ENC[AES256_GCM,data:dQu/h3JS,iv:s4vL9GENacMxO3xQInfwZlv2rOb657wjuedgvWC/VyA=,tag:/CPmuylrmUMCAB2vuDClKw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:Vm7at53C,iv:nO+nPmrxu55UMXzEeLQhRU2TNmlltGvUfsa8hqoGTGM=,tag:z0V9U8tzmkPXfnMSveAW5Q==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"location": "ENC[AES256_GCM,data:w/tnr4lc,iv:Cf/r6hyvN/zwEFfkQjVOJPLHUKMAutKqmglxIYwMHMo=,tag:sUaKsK8z+Uc32RfYteqoyQ==,type:str]",
-															"projectID": "ENC[AES256_GCM,data:9eej6DCf,iv:Trs9Zn3oysUZjI9dXdwfKyj0rLbyZwNqvbSIJIf7+aI=,tag:+XXA9PG/EkkGc9xI451UzA==,type:str]"
+															"location": "ENC[AES256_GCM,data:5d+4jIGn,iv:tZZYAPvCzaUvFn7MQpCj4jv9O/OxfiMM5yKsO4+JPcg=,tag:spoqx2suuWeT7M1A+HSX4g==,type:str]",
+															"projectID": "ENC[AES256_GCM,data:DJuUeCA9,iv:JKHKh96axcEEZlj1r6oF7ka7fge/Q5kncGwns2rDtJw=,tag:BqohsrTi6c88GYEMuZO/yg==,type:str]",
+															"secretVersionSelectionPolicy": "ENC[AES256_GCM,data:5Qpypfoq,iv:aVl0HLuoi8y/1FKkP28d+1O4zCziZeb0a8FTJpuL6eg=,tag:IhIFll6rVy6FYE9jgHStkw==,type:str]"
+														}
+													],
+													"github": [
+														"ENC[AES256_GCM,data:KetvnVsF,iv:fJGkXSWCJEPQ4fyd1lgaBnnbmr00QUet8PTVmj4rehk=,tag:lTZBfubIzQYgRfiZQMD/aw==,type:str]",
+														{
+															"appID": "ENC[AES256_GCM,data:03dN1Q0C,iv:MzQtc3BvRAy4n4UK1AzgbrdMBSFXSpEa1I/ocs89H6E=,tag:c5AM7r7xTJig88QNw/S6CQ==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:qVDSIQv3,iv:qkELWKiSLQR3RNsmEy4by8HGmQcd3I1ZGxuS9GU+n2o=,tag:JZ/mGXISdVbwWxNeftCoZg==,type:str]",
+																{
+																	"privateKey": [
+																		"ENC[AES256_GCM,data:r4ANiX6K,iv:sNjpv2RGN8dwSum1cvmO1Jg30ImCKmxJ6xJ9udh9LY0=,tag:aoeKxmAO0ImgrynglECZpQ==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:Qgh6OfFi,iv:Lpa6d3QLaKARPG5yv1AUiWMe+oJpnQPRXdxWALaGwyM=,tag:cCl3hlu7bhtxj3pUwrxwKw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:R44c86So,iv:J1AKWnEg901WzNgScYKqa0Ytft4nF/kJlpMu01kLpvE=,tag:DZaHGJfXZcZ97QaaDIgDdQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:JyyWOchr,iv:3nOmpFpjyZn2aOjQIUwuICCDcByD98SF/5xrVeGijJ8=,tag:ux+ajsx1x/YbzhxlGt9w0g==,type:str]"
+																		}
+																	]
+																}
+															],
+															"environment": "ENC[AES256_GCM,data:dvzMpeiV,iv:V00hZ5BYGhuTYteyw9JuOHx0kgrkHIYNC4hT4KmMnks=,tag:hsepEIeU1pccAiOof+cJBQ==,type:str]",
+															"installationID": "ENC[AES256_GCM,data:lq6lJJda,iv:4zosk6k6Z3kXFg8zGDlumMpPCWorpVPywYWBMaVD6+4=,tag:AZR9H18GdV17zimUUbpXOQ==,type:str]",
+															"orgSecretVisibility": "ENC[AES256_GCM,data:rD7om1KN,iv:DLRDl7GX6Or6oXgXQ+AVXM92brHPAN/SiC5CIhPwsqo=,tag:lMhUno5d5iv8KZY4OzrPXw==,type:str]",
+															"organization": "ENC[AES256_GCM,data:GX7a3raz,iv:91ui7trReFOh4+6Kkpb+gXwn0zGhLq3/0xl/ld20BTE=,tag:qkVSyOjUk/62AqtLk/f5cA==,type:str]",
+															"repository": "ENC[AES256_GCM,data:/hcBJ1ZD,iv:5aDGnsWBSYCP95RJ5a19ud3/weHhT8fPdRYyf9K9e+c=,tag:QO3LxiPjaYSlixslNG/dJg==,type:str]",
+															"uploadURL": "ENC[AES256_GCM,data:OqlzEupY,iv:K8GnRYz1AHmfN5H+QSNrXa+tD1AuziB+AO7qfL4Tkeg=,tag:OrXMROSdu+RXu92pTnsEYA==,type:str]",
+															"url": "ENC[AES256_GCM,data:yOUX/GGm,iv:iPLLWIjkMDwgdll0ik4t0EHuwxk7vMJh+wFBPwW2voQ=,tag:2vXObn99DE59i8S7Xmnf2Q==,type:str]"
 														}
 													],
 													"gitlab": [
-														"ENC[AES256_GCM,data:xHfahWxJ,iv:roc4XzfSBa9hvpEcPTn1qejvcitwkjlo28p9XdeYxH8=,tag:Mp0PYHH6mh1s+BMV5yAy2A==,type:str]",
+														"ENC[AES256_GCM,data:t24EkBJJ,iv:id/tuYXjPfwvyoWRNQ/B29OZ5o+jV6MGswH42pmO3Ns=,tag:h0e8sP3ZYWIYbLWV9HTMhQ==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:fMlobwBU,iv:o61Ju+C42sQeaNG8+X1B1mvRESNY5nOvXF2smPEWrqM=,tag:dmnFvUGVQwLEcpNWVEfG6A==,type:str]",
+																"ENC[AES256_GCM,data:SAbBlP6x,iv:BjIs2Xj6Iw9LiNbsGmWBVQdMwilmUF+WYgPv5GcL+Tw=,tag:/uFfiJnaDgzRxUJ9yBx4TQ==,type:str]",
 																{
 																	"SecretRef": [
-																		"ENC[AES256_GCM,data:V222NT4D,iv:jxTR1umctinxQpYxpJzVbjQL/Wmp9877rPbUFdhC1aM=,tag:sYA8nMUxyKFKuZSHA7f9Eg==,type:str]",
+																		"ENC[AES256_GCM,data:wwOLyvXx,iv:XxlVPyctKw7+2euhaPm8lmsyRsDHTzM7SSE4mDMrFO0=,tag:hR2QZ3F67sFE8yVAyabfMw==,type:str]",
 																		{
 																			"accessToken": [
-																				"ENC[AES256_GCM,data:DvWAN0qL,iv:vEd0zS/bhF8bKLVCZhYYkCYYjYRvFWPRKBp1GkGP0xg=,tag:aYzcZP4L3Zxs40RbQdtFLA==,type:str]",
+																				"ENC[AES256_GCM,data:ppRvuMEr,iv:qOk89cGxnpb4ZHTXlWLLFZLKKssNGSDZRrLEzGAnLeM=,tag:IcIUBb3Bxc6iUDFHUYPGlw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:ChQTvcWC,iv:i0+ZMQcDSU4GLnWOIvSci1BiUCzCCTzq8ZFl90I0gFI=,tag:JBT0p+SAB3w2DXlVZW4pmQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:q2QfE167,iv:2AqAvI+3oRD9l2doXFi974GzDjXqVu6Kqpi6TzhM960=,tag:m/occHoHspyWuG9CMSghBA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:DJipbgY0,iv:Wv2dnw0VDDzKqX3VzKEDy+DYUkByS7Ner7yyD8D6VmA=,tag:GfGKG+huHx7QJpkrtccogg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:W6HbC1KO,iv:H8UfPe4ISE/3o8tfZsZfm2XWUVVARYu8DTq80IXPaNk=,tag:JwBLX/ulN48lAyV1s43A8w==,type:str]",
+																					"name": "ENC[AES256_GCM,data:zuH5TjmV,iv:4JczlCl5dAZVdlhwwvDbEaCc7ei2nqXVXdwDT5RgJ3M=,tag:aI+QBI/Sjl/PWGzKIT+KXw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:j8/h0Hps,iv:u0OzhHPQkGrjm2XIe7faA9jakIoYOsqUgV5K2oIYOI0=,tag:ZinBn9Jk9BpCFIvbM7biIQ==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"environment": "ENC[AES256_GCM,data:Cy8egOtY,iv:UhVpib/CpVC6H8KGQs6J7qMM9HnGxiDzbTc7IQlv7Rc=,tag:igCK7nozzGC23xMZUOwGBw==,type:str]",
-															"groupIDs": [
-																"ENC[AES256_GCM,data:XDOiLw==,iv:4Z/TNp6bghDfvq1KHNMcXiwAruAJ9N0xwVFHD5vijsA=,tag:uP25QSlWnrTejS/GX+BOzg==,type:str]",
-																"ENC[AES256_GCM,data:QTfShRnW,iv:vLVNzJMvqD3JExGOH9uCEbyATeWnxwKytko33nMyQQg=,tag:YgL5xYEMgFQC1TdQ5LC+1g==,type:str]"
+															"caBundle": "ENC[AES256_GCM,data:08lPm0Dx,iv:VcNYhfrNkI0i0fP0D06t3XTV1mD7LM9Ln433Nfo0SKk=,tag:SWeXWf7+eBswTlw2ImzT9Q==,type:str]",
+															"caProvider": [
+																"ENC[AES256_GCM,data:wqs+gbGy,iv:C7x6oWPvBismHUEi87/IVfpfHbMvaZ8LzgUDnjwSDX4=,tag:j9OtJ+8V7ij5yZD+03goPA==,type:str]",
+																{
+																	"key": "ENC[AES256_GCM,data:MFQTiNyy,iv:95MFlG8H5jdtuGJ9N6D+gicmwEMG/OIAAIrxnBxImh4=,tag:blqVYCSifbkKm3w24xJCYw==,type:str]",
+																	"name": "ENC[AES256_GCM,data:jMAmh/m4,iv:JPS1HUxl7AkMNKeXG/On1b9f8z4Rv3H1KXcWRuzckUk=,tag:Pr98PVV5EDZjHG5/w/ebkg==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:IYgre/RN,iv:6CTk7pV/F7WkIZsZkzCsr5AwS5ej5f9X9T6R+LfA0Z4=,tag:tHNGtf5cOa9WIvMWiysfIg==,type:str]",
+																	"type": "ENC[AES256_GCM,data:KFCHzMJL,iv:gDWfigDc/CI1yXnTTrG0Cy0i7x5sJLdD8mK7eQ4OVqQ=,tag:IGA67WW81cXdFZJC36KhZw==,type:str]"
+																}
 															],
-															"inheritFromGroups": "ENC[AES256_GCM,data:RkBpBw==,iv:zTve8IQlFHKZo88433YlFVTVgykW6SXKYVEilM5fyRU=,tag:s/Wdog8e7HM0vd/ghitXng==,type:str]",
-															"projectID": "ENC[AES256_GCM,data:j9FDelIM,iv:ZMWXjnbDhvS/G6Xnu0yiGx3FDEN6ZQD/Cjp/O5Vz1VE=,tag:oSpQ5D5rtZo03DahTsANmg==,type:str]",
-															"url": "ENC[AES256_GCM,data:DjKV9QP/,iv:znXOQb22VTtNqQwf4X/Y8Kp+CWo5paBtUf5Zv35vHgk=,tag:JK1EvJeueKwAs7zy1dc2YQ==,type:str]"
+															"environment": "ENC[AES256_GCM,data:1fBvIS6C,iv:oelvfZXfrSvRe1m9h2BU7Jo1iI/suqYgN+MIxy8OaSw=,tag:kiqILzxP5Z5+tv8iHc9QXA==,type:str]",
+															"groupIDs": [
+																"ENC[AES256_GCM,data:+7v4EQ==,iv:0ld7urzfwjV+XBJ2j2+KpsewqwPmbIep3PkwxEG/hyA=,tag:y3SsNJwutOnitFbLlKp6FA==,type:str]",
+																"ENC[AES256_GCM,data:NL2dVCmo,iv:qEOjxyf1YVR4G1xoSY2DLXLY2poP+ntMa5zNUsIl37U=,tag:+3LgSvAllTMq3O4aYsfKfw==,type:str]"
+															],
+															"inheritFromGroups": "ENC[AES256_GCM,data:ApkWOw==,iv:Rq/1TrXYSQ0emkb+gVwJCc6YJmYmzfcauL/Vy6mafb8=,tag:CUVeymNcWD1VVMUKOu7wow==,type:str]",
+															"projectID": "ENC[AES256_GCM,data:FPfbvLNC,iv:0Cp2q0HCcOSVdgORxcTyp2GMs3hp/uLwvTbiaQ+5h3g=,tag:1in3Ztx04lQeoAU0ev3w5g==,type:str]",
+															"url": "ENC[AES256_GCM,data:oQGeO5jS,iv:FmhuYJVlcLhjtpb89DCg/NkYd++r9R488AOveTrUmeE=,tag:5HD7vPhvOvizoh8XPuyPBA==,type:str]"
 														}
 													],
 													"ibm": [
-														"ENC[AES256_GCM,data:WovVBGUP,iv:jIXoJTN8HdVhDclNPeXZ2xPf+6UPM2qW0TDERu+ch8g=,tag:kGUAOrF51Iw36Y2+LWeQ4w==,type:str]",
+														"ENC[AES256_GCM,data:6jQ1to4x,iv:kuFtlojbnHBAhFTWDHmNN1jlaIFHq+oChfnWCJhmgw4=,tag:ov2fZWnpYEPI+yfFO25jIw==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:l7dsB5IO,iv:I8UgwZDxHG6nzeJq9Yyxe7GdISzSX61nzNag6v24wxk=,tag:j0JaJad5c8P/lg+uck8t0A==,type:str]",
+																"ENC[AES256_GCM,data:9ZlYr3Zd,iv:8H6YVR5bn7ZLksL3MewjCqOHXE5P2WWkt2dbNZ2jFGg=,tag:HRhGc8YmtMocsRFzbaJiVQ==,type:str]",
 																{
 																	"containerAuth": [
-																		"ENC[AES256_GCM,data:AxYPLzZL,iv:g61b16aPu/TubcMvFKOBGtrXwTI2alPBr8OCEJnXm+0=,tag:80Y69hxpf/XuDZY5W8iLGA==,type:str]",
+																		"ENC[AES256_GCM,data:UiEeFv/K,iv:oWhVXWiOggv+8y5EVt70TL0/SzU7Cu49OOcJB1SoRNE=,tag:DvZZy2uaXiOVSyNSaNrjdQ==,type:str]",
 																		{
-																			"iamEndpoint": "ENC[AES256_GCM,data:9ZBJFYzX,iv:EEfNPDLpQ0OYKy+vqCRXi0dQ4nyXP/G6V2JGFKJ14dQ=,tag:P+LGXrqjb8mHxUp+NkTQfQ==,type:str]",
-																			"profile": "ENC[AES256_GCM,data:RdMRA1Aa,iv:Xi0TopjIDqG24l/UAXvj60n+/j9jS15qRxStbh1JCOE=,tag:0LSLVE+xZgqOBGDvdARC+g==,type:str]",
-																			"tokenLocation": "ENC[AES256_GCM,data:Rn6zRj/G,iv:YOMJ+Rcu9ctOblvW9ZPUGjfbIF2I4AoThavncsSbGFc=,tag:3FUZmia9TfpkN11MhB7LkA==,type:str]"
+																			"iamEndpoint": "ENC[AES256_GCM,data:AQXSF97B,iv:KV0kh7ats4ETZZdtuvstniPfqk/3Tqep11HZDcLyzPs=,tag:f8ggk9VygoLNnOkL4tQmfQ==,type:str]",
+																			"profile": "ENC[AES256_GCM,data:UmsOWHHI,iv:jVHPUyIsUInPeRcdItygreM9i/TZ9zqHxKFVMLpvfc8=,tag:sf6S7IGD/XE1NIWUHvFFhg==,type:str]",
+																			"tokenLocation": "ENC[AES256_GCM,data:vYMr6tVZ,iv:vvFYKsHr2dVc16XDLpOVXsbjN2W795wpepOzxCBbcjQ=,tag:EBpJDvdCj1aarEQsSRM9zA==,type:str]"
 																		}
 																	],
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:XBc1k5J4,iv:e+kPZ2TjytqzNOii7Ohq9BtzYorez1LG3QZgx0SZWgc=,tag:qhXKcpzN97zeyUXYiipRpA==,type:str]",
+																		"ENC[AES256_GCM,data:aCnF4PuH,iv:ydTyW1idOjq+gVQ4llXICGnnh16XuG42eIi0Fh/s6/M=,tag:QbNMBy+HeBkMgeSeYYzajQ==,type:str]",
 																		{
+																			"iamEndpoint": "ENC[AES256_GCM,data:JQjpFd3z,iv:POP414/YngUGE9QwJ4NcOJMOj09LA/Qs2Z5x/pptuqw=,tag:gHFGmEoueDK9YAcdYK1C2A==,type:str]",
 																			"secretApiKeySecretRef": [
-																				"ENC[AES256_GCM,data:REE6qsGX,iv:aY7zwDXq1J6fYpuAgQxbzugCCT2LBJVotHefM3NdWE0=,tag:fCNRJRh5CfAs4bvWDeJKTg==,type:str]",
+																				"ENC[AES256_GCM,data:VXtxFx0/,iv:cMLvz1lXkSPOI+lFrl/qAB72xu21470gQSGHx5P+qdY=,tag:tfg1ECn4/zQLJFb5Z9bKeA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:Xv/bvC6D,iv:4Y9F+MWbeD1Ca7YBSLXnM+DmCsLDZfSW4s4vn1MB7L4=,tag:0J3Bb4czFmdW/5rLN5gWBA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:kAjJ9Ato,iv:o7e87FWvJHwqhBkOzz7Rtpyx3tXrAlh5vbXMOcZesJM=,tag:PQR+6B5hgHaZJNWZH0OotQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:716Kx3KY,iv:LO9ye4vtujgTV/YnUiqJVFcaKa5UlAg5GuJrTnIK4Vc=,tag:7Z9f/7siy1O7ODSCZuzLGg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:/j4U2ITI,iv:oWwNVvowOQ5KpFxqcK2aFqlBHD9QS+jjjYtXFpATv/M=,tag:KCWjZ3quRjCf/JSKIQ0GKw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:EkITAR3J,iv:v/F0RTQCXCWMEcTtUYEdj+frCB3WppNJKKmTsrudlnQ=,tag:MTI+FP12Eh1rfjYWrLhByQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:xSeJ+TOB,iv:1v+ICV/EJeX6SY3C9FLzSriKJxvo+rGRYBM8ySN0qfo=,tag:drEEyJ7kbvA3WjpI7PUMXg==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"serviceUrl": "ENC[AES256_GCM,data:uLpbJD3G,iv:DVvuz9kP3XQZuL09p2HIo/wdPbdIQg/wkLKBUgAaZVE=,tag:Los/Mc4RHa6fA2ozqJV2sQ==,type:str]"
+															"serviceUrl": "ENC[AES256_GCM,data:tiQhv1h6,iv:Afj5L9bPsmO/sBuVZ8DtMlPQ71wwXaD2ZhHZKkuxGpY=,tag:NP/aJ5TcdYeUbJ/tQhWxTQ==,type:str]"
 														}
 													],
 													"infisical": [
-														"ENC[AES256_GCM,data:1jyaU3si,iv:Gpx+KoOP4fXgN+n7T/2Kh65x6wWc2FQQdnzepjY3fIA=,tag:T2akTRiE3to4wj+8bovkjA==,type:str]",
+														"ENC[AES256_GCM,data:j57KZpCE,iv:9H0TWZ7CvOhPp96xJt1jjX8oknVNFY/DcTA77dVEu5s=,tag:0z7YQJksyztvWprjfu5WLQ==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:WfX2VbF7,iv:T3LvzOwKuYIgemIjNxor5jLME0xLtTR5eHoTbmd2/QM=,tag:9sKnsdd5Fz1FqMWANAzhLw==,type:str]",
+																"ENC[AES256_GCM,data:lcbp1jvE,iv:7oNt51EmrmO0lm8iVNEYic7TKbLeI6u6Vo3V9apTFpM=,tag:35uGa+jsVQ1Y/v/HzxdMMA==,type:str]",
 																{
+																	"awsAuthCredentials": [
+																		"ENC[AES256_GCM,data:Fvl5MIIF,iv:4w7OCuI4eHOTrQ/GDhsyZXSOb/zoDfp49sDlZgzfgt0=,tag:pkZHCuMn8Xva56NVhSNEsQ==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:l2OML2VE,iv:5JkbB9sFiSqr+yDnV8M+jPQx9Zr/pir7qry2b5ruiQE=,tag:SOlcKSuWjyoAaqmGfr25OQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:kkXPF9W7,iv:VVFxtx0wOe5xVAMguVyqc6xcmTTCT6K27k2XQoGxK48=,tag:XLCuXjVxsT+0iO4c50VuyQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:k9SNrWyZ,iv:RUX8dCAejR0KnO6WyuDVNTYuUyoAdLUcLwbrRY5S9oY=,tag:v3OfT0m2xKb1y2C3EwKdlQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:vEPHdqbd,iv:fm6gPAQbycEfxLRZPc+awK2mU3ZaIXBj+FrDB7fgTmw=,tag:rNdIaDyIcplqCUXzaN2wVg==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"azureAuthCredentials": [
+																		"ENC[AES256_GCM,data:PvDqKjsp,iv:9rfuB2uCeYfm4tku8uqeK2BDsTAc/5fQ9u5pzZYlMjM=,tag:s6QBxAHGx8iWj0A4buEJBA==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:+8pTJxEj,iv:k1QgNfaCBXqlxRLEXN1oBQJuozaegqE9n26dxE4ufRU=,tag:CODw8oTweAHxFGBOtP7LGQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:mFx1g0Mi,iv:E3ZauoixNJt2CElDywhkJvav0jvVZf5uo08LmszmWOU=,tag:sMxMFFYEFXQC1XV9BC0qgw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:kERDfh0p,iv:Ao70D4xmPQWVseyuHzpUezFL/zLcIItzmhoztXAPkBM=,tag:S+ZwCwxhsWAHaVceGpwBKw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:3YdWpH7m,iv:J4M/igU2ivf4u8G8hRA9s44wBt+nTw4wWiKjvC1XbUE=,tag:nrTvx9ty8IoXk1By6DTd7w==,type:str]"
+																				}
+																			],
+																			"resource": [
+																				"ENC[AES256_GCM,data:yMY8NrT9,iv:XxBPnH0b1F+fVC9ufUgJVkoMRMaVU2uXhDPQcTemznI=,tag:EHIBSnmZUjhLC40x0rbo+A==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:PTX2uf4O,iv:pEmEfTVyBreUf82VL9EqaxOKvLlrPU2+PNJxa/IKsNA=,tag:ORllsZRYJ+ZlYokhMCIMvA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:SG/0cVkc,iv:i6Vq93lffxLuAI6UfdJtLJ+RGBoaYpR7MrZO43cgbNU=,tag:NdgwBIXnyV/jcVHcY9MTOA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:WS8Q/KDl,iv:YYcA+9Xb/VVO09T07WzNkPv+UkXVwCjXWG+O+vs4USA=,tag:TYDYZdRlOiaVEh0ky+yoZw==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"gcpIamAuthCredentials": [
+																		"ENC[AES256_GCM,data:CEH4+PTJ,iv:ttNXjHOc1AGhpalKX5mHElZtkuSYiCrbaNsRUn+Dvj4=,tag:oBxSRiMMbvk7wmci1/YrIQ==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:59CELONo,iv:8RgRmwDQgwQrwfTSkE0W6O7HHp8DqtCOgyogKMH9xWM=,tag:bZ80k5FHWAEbwOVtSP42kw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:zP5Fagaq,iv:mTM4ixfajUQ0ZWHB5B4YlZJpQZc99TE4zOuW+w6d/nI=,tag:+z7NNgLpQAFpSwNY/1ahFg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:k5HgyVZn,iv:Ix4p6PhTKNe8ZBh+o8NZeOglM5TOrsV4EzP4UKOUsRM=,tag:Gq8DK9af/jIYAYhFoJryCw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:oKT5XQre,iv:qnC2Q448DOcxnX8zoAhmnI9Ch1FOJk7g8y6J0PKQxoI=,tag:N53ad6aXyxoTXo5rxDVp5A==,type:str]"
+																				}
+																			],
+																			"serviceAccountKeyFilePath": [
+																				"ENC[AES256_GCM,data:482FmeMg,iv:G+KbOnoFF1HVKMU2ulsw3eO6xxWGiRRb2sJqh6ZzBXA=,tag:RPJXQwQ4H0tB27Y4ilXLYQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:9Ibc2F0o,iv:cRbNtzGy8CQjXJaJDJFztoupi8ZSATFp7LbJu4/gii8=,tag:jt+ystLkSXyKDatAwgBRzw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:bL9+D8XQ,iv:IjPmvXzbZQbWF1AR/I5z2fXN74txTpWcFCiyvs6jUUU=,tag:/4lFwPodzNa7QOv+bdND1A==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:cv4oRZ3f,iv:baORoQ8llffOl3w20APzqnl9nA3pgLBxraffT/F3sWM=,tag:80ax2qZ4t5/4REBpEiT6lQ==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"gcpIdTokenAuthCredentials": [
+																		"ENC[AES256_GCM,data:UAtdRo8j,iv:V6eKijpnyd4CDLTP88r/RaZcyVKu4WyvIW9uUH6h2zI=,tag:Uoz6W23nfjRq+YbczJHZOg==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:2qLdJxGq,iv:vx4WD2WqyH40qOpd+oKjSPPJIOimS5aAUS4VMSlGubs=,tag:gIwdANc84xe6hxhfRNOHVw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:BEbC0xXi,iv:0VRyMkr+7f+sK5kwxtSoB16Snxs9FDitL3tB4lmLFws=,tag:RIXba4M4EUsCu/KzddFO4Q==,type:str]",
+																					"name": "ENC[AES256_GCM,data:KRwjo+0M,iv:HnISVmk8B104Vu9q0uUOOKRGBHQpFX0OVPZzulcxPSQ=,tag:MfGnnaV9ZZhxPH3UcGUrkQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:8Ff7svA6,iv:WEp+l5QTSKDgd3sV/UKX7PtK36M3PQ9r3iyiIlq5/n0=,tag:hp+db0o7JNsdpPRGWQ/jhQ==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"jwtAuthCredentials": [
+																		"ENC[AES256_GCM,data:7xGxFCwo,iv:EHonPuBD4nBALWo8uEDGGsT4pBsNpCD0pWGzyu4jvdk=,tag:i00E8Vf5zDZ+oS7LbV+4gQ==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:0hJeh3YR,iv:3SXJZjriuyulrbEr72UhNtjGRtEWgX5dgODvol/TTo0=,tag:ZiYgDDRat9vgDOON1OMRZQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:Os7zFIQ+,iv:b8M8bWcugts1Xbd3w2VNG7xKFAJYwiFdfPy++Zix+nA=,tag:RYPFiWvWkOjWPlIRwshNrw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Q/HiqsbM,iv:T4NSNuboVMIIngQO9B2oE+sKraVq1w+NFhr94wXf6ek=,tag:F2NiPn4FZ70SHAbYMqXeDA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:1YrFMbe9,iv:KlQutoTBNMALyiGDSnKurYx0GlnG2eYEkhTqVKlyR9o=,tag:wahh9NKIrzx6MRr269/CLA==,type:str]"
+																				}
+																			],
+																			"jwt": [
+																				"ENC[AES256_GCM,data:YaD5iia1,iv:aNfVmnkXbMCg99h92l4DRxzSMLhfdLBaC7KtV+0dkSo=,tag:qQg1gOHRmfSmXFEaTBAGxA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:uPkYtiZy,iv:HE+niSKd6q9ez8amKHeIUfP3D64X7/RqcClLstFPPsM=,tag:zgWE/cmb7R2LJXX/Oe60yQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:eJpZysmz,iv:pXt4/RbZ4fTxoJIoFcmw/AMbB6h5TH4sAkOobZIEOy8=,tag:8g9c5xKbn3gp74jIGaBrxw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:jyGm4Cu1,iv:/s/HMBr70469H+StDgG+/53bLQgNgH2/1Smo4Qdoj+k=,tag:JpGW4fmPl6KKOqHklBIPtg==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"kubernetesAuthCredentials": [
+																		"ENC[AES256_GCM,data:YOsO7gC4,iv:fPj2qBwUkuMIibfBdDEWgWB4BftXOZ8yrlhEeKgwc2o=,tag:l0xbfy7hqYKFU717PKm+rg==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:/A12jrHS,iv:7SwLPmCTPmAd1w/rwttximWYTN07wThJwgCc+nouvuc=,tag:jWE0Dtur0k1/8mVOVS6B0g==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:eVj8QrG9,iv:8b65Vhh3PeBCPjMEUm051nSGSZeg/qzL/5fRtzIKw3c=,tag:25nibEax5/DGXnLaycwmEA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:ghEspTfH,iv:9uUiFRdW/VpXPX3elHEC46QbYiu/r6iLepi31lmAXXU=,tag:0UVg1HzM4LVay7puBh/Xng==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:y3H/Pg/g,iv:6YYLxi7WM3pThkGuC1skPC8sCOykVz92egh1IR/evg8=,tag:sYjnmyKpL8eTWunLXxxGLw==,type:str]"
+																				}
+																			],
+																			"serviceAccountTokenPath": [
+																				"ENC[AES256_GCM,data:uI69cuXd,iv:3Ckp2PX8nwyHffIm+d4pIUlHKVv0YMI6VGVjEejHFD8=,tag:7TBnAd4Ri5tlWl+W04pziw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:Ad0jKPR9,iv:92Rq9F2PvZXr0Qgc3WzxccGhbE9HBZ1MkeE11jHihqY=,tag:lAY/Co+gWXWUbObVfUY3+Q==,type:str]",
+																					"name": "ENC[AES256_GCM,data:UmpCXPLJ,iv:+ZdbrpfG3xxmQjgg3bkZCN2vZkWY7ZjC01v9LU+zygE=,tag:Hwyic/CxbORPwkCxqdAk0A==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:SMGfF7go,iv:CFpS5JJRE78dyPllHYP4No/DbWYI+GWdxY6yybp7IrA=,tag:EFgaMP/ub1WoRhqhU/7aSw==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"ldapAuthCredentials": [
+																		"ENC[AES256_GCM,data:5YZm2WcS,iv:qNfUlrTWxZKWOYiWLPKeX5kuGKB75nMmvoum8jmS2kc=,tag:LLZTGRQrV84lvVMVndNHww==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:19BB67YX,iv:1GagUi6tOLy5tF5hk74Uyr/GffU3CJH0CJLTtMc5zjM=,tag:sk4NvPWZRLzxjdozpQcBHg==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:XRwaKCjE,iv:v+IQDKzzB7NoxoVLWyTCPyvKw7Z+mBiRegyfjbuvlyQ=,tag:81URd6Xzw+KS/dpt3cDyXg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:mAhAIzYG,iv:c/RMepaQs7RbQJ0ZRDO8vuk8fqEV01hSpHfjG6p+OrU=,tag:frHYJGnce64gurrVJ5fTyA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:kzVMbQvr,iv:W4wr63u5Kc514imcLnzXh6gZ0DO2IRvVoS7y6eDd7lc=,tag:eXZFMAVmgj4hmIjV/Y3ZrQ==,type:str]"
+																				}
+																			],
+																			"ldapPassword": [
+																				"ENC[AES256_GCM,data:l5cmxMZu,iv:1G4IfdxLtP6TGCrtPgZyFzAtY0qWmzQgKu3Fmu8KzGk=,tag:6PIKVC3u19SV1REx+ifqXw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:HzBSVG0l,iv:FpYnrlr3TrotXdx0RGS9qaJj1UGh1mQkXwj6FHPzxU4=,tag:ApFRbNwgZwnGsgKtau1dwQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:NlMgugfW,iv:FyeqS26lZBP62/xqWBFPFsn2YUmJamZAQxRghwlnGMM=,tag:xsjHzl59//usBdtmUisjjQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:dcni6j8a,iv:aZzkijzBvfCC/kUlgLbM7MbAdZGTZZaJOnjpehougmU=,tag:BLXU4FVKfp6bMaV+/OIC8w==,type:str]"
+																				}
+																			],
+																			"ldapUsername": [
+																				"ENC[AES256_GCM,data:sY4ZCbt8,iv:OwicSp1yrJyfbSkXTzWekFKcHRSy9Y2ZFKD+dEplup4=,tag:JGcgDUBUwc0wR6G144Y6Ug==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:xUfHwxu4,iv:TFLxGeib3j412HKp/6wSXcDzfq9sso8fNDymaCz1q+Q=,tag:HoELHQNcTCW86301SiKvWA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:niEsqaiQ,iv:J8h8Y/c8iq5Cnz4SSR4Gk7VF8OE5m3kPeLOqxxcbfJo=,tag:6fKssYzflCtfUN/8hJRDbw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:RoEhJBlo,iv:lXW5kPUsuuzl/BGbem1fCPI+rfIXdIAMWjmt/yt5NZE=,tag:bnfsWhqSXK6urDPwIuULgw==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"ociAuthCredentials": [
+																		"ENC[AES256_GCM,data:HqiaOErN,iv:4pv98fdM7H+J9Ly5DMH9cz8Yp0qhq0i8F4NAnZFDNeM=,tag:C1bJOsp0LSrbxMWKPE8Yzw==,type:str]",
+																		{
+																			"fingerprint": [
+																				"ENC[AES256_GCM,data:gD3SYJpa,iv:vshPoX4zjaFUTYQkNJqsaNSs9AM2RsYWJmLNtE7q/9w=,tag:OWmsuZvnIVsL0f+cqCXrow==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:otD+7b9Q,iv:etRcjtY7tTK0yyhQ9cNngH+5CSNZPn0HTnNkkZR9epY=,tag:u/CEl8vXnwLi6ROyiboTGg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:cOP1VXiL,iv:jtLu6LGrkS3hInYSyt9Xm9+XCFlBSNbV8tY7kUmdTek=,tag:/2uUijLIhIWSmvLrOos/1w==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:IZ38RzWj,iv:zq0mqiuxIx5Pmn2ByARnMrVfxOuCZzMJzrZ8Bl8XGLQ=,tag:aWHQgZiGFvsc3TSlcHysvA==,type:str]"
+																				}
+																			],
+																			"identityId": [
+																				"ENC[AES256_GCM,data:+ufaS5UK,iv:XfMHE33yhKhZ05g8rC1HRMg89ZSR+PeP/eMhcS8aBjU=,tag:1cgCzWMT/8xfyaPwNCQb+g==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:rhCBGoM2,iv:rAgjmRLGekesFV3NiQ3oEZ20rvlabwv8KRmKWJ6aqhE=,tag:dS2Rv7XPetfxNBGOxJgGYg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:fJIEtOBb,iv:+vowF68y5AZaTD9/FyIn9zBr0eiXEHM2rW9rAXNOpvM=,tag:6bNx9kdBaj4TgSU99u+67Q==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:8TSMtXWC,iv:flHpKoDGsCkjczrtw3/hqco4cZ18MuuIcgjophpBNWI=,tag:uQ8h4EMSqYRSHjU7eIuuww==,type:str]"
+																				}
+																			],
+																			"privateKey": [
+																				"ENC[AES256_GCM,data:kcydaRgS,iv:+u+zAf+8xZ8Use0Lz0WRZD4zx6btp9fIr8ZbNO62T8E=,tag:xMu/V54ER8qD6fZlDzYTxw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:UXpm/1im,iv:p8gyTJVApUOdCCOxkklgvsXkRgTOWWkIAFwNVN5C8u4=,tag:v+JzagHgyebSRvpV1F5OTg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Cr0HmEV3,iv:hukfPoTOHcgY6LVo8EEootKJYN8m/lqL4Bd6M1tqAAQ=,tag:qhA593dpXc5eZ0z9Fmw/fA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:PbCa1VBL,iv:JVFQG283dZfB59DF0ms+0HaJOQw/XTt3XflBfV0tcaY=,tag:ZDGRN/M1lKBFBcZg6tDuHw==,type:str]"
+																				}
+																			],
+																			"privateKeyPassphrase": [
+																				"ENC[AES256_GCM,data:NrH3VYje,iv:P39UqOnXy04eECpMLep4L6g6N2kqSNkL1Cv9CPxzC0I=,tag:gyifr9XWjwQ/y2hzbHewHw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:k24yL+pV,iv:gVx/AfSHzz8PtJ6CexpoHhWTxEaQKgEiFQBhWbPb1PA=,tag:RTwwYkuvatk8eJLcRy3jpw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:98wFtIB/,iv:qoHrYvksuuXr11uA4+Rc8m6R/QFdp09bWzIfjevQk3I=,tag:Ou/0tW6yZSc8zeikBcpTuA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:a7inogAP,iv:CC0cpH0A7e9a3y6OkRuaIj8OSva7UElVHGbLz/D3yro=,tag:4vZTWFCbi72zIRBr5AH9ow==,type:str]"
+																				}
+																			],
+																			"region": [
+																				"ENC[AES256_GCM,data:nuCWz7yU,iv:wlCEsUUnXtgDSGbbeCMG+B+8M6mYZjscqCAIfRx4rxQ=,tag:dHTg3UmyeeKB0Zwv8Hoh4A==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:u1j64ir4,iv:eHJhg9CBTTsG8p81y2vv5Htk4jLpNuVz5pfX+l7a454=,tag:rw4QyyGhWlsEvo80AOZoOw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:ACejxD4n,iv:YRlApE91Y+xjbOBGpQoybhR8cvxZGP4694LAiLCvQKw=,tag:BQELQxh/RAG9y+cz2hmXaA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:3Yy49Jgp,iv:l/Ieo1HVGMolRjlavGerrPB/UMJluGeM52+7Jj+gwvM=,tag:LGggC7BXWf1ineR9Q1F7kw==,type:str]"
+																				}
+																			],
+																			"tenancyId": [
+																				"ENC[AES256_GCM,data:dB73GWM8,iv:JhNTTktYCh+mEzGhs93818DwNUyJbJIGvVkINCh6sNo=,tag:oz+vZ3O8pXY5vpQxkmTq+w==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:x09uvlxg,iv:PJQGCkl1aM2lofLQ7b5E7lAvAX9HJ5aaAYRh6F6MOgU=,tag:RwSwcKKSBJrtcyZH9xInSg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:WK9sHGJk,iv:3aTFKAoFM/CisbAfQ19iZks7KTg20/XBMu1XU6aZ1oE=,tag:CRriecvzybCI+yWmwu7G0A==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:Dcv5SBIY,iv:ddsPbTM5TkWM+h2g5PiAJE02adLD1oFKBVkJAwXpnVs=,tag:dH9XCdq821szbUq0P5LZpg==,type:str]"
+																				}
+																			],
+																			"userId": [
+																				"ENC[AES256_GCM,data:HpCAfFmU,iv:buNnvKcFAMEeAwz/s75tfF4KlMtELe3gMCyGROM1VDY=,tag:VW0+dKvoqDxyMnPV5YOnMA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:YCqlZHeC,iv:A8X6JDo/RoLqGUFXbfIhn9m0c0aW4Rer8cxRUh6TNyo=,tag:CVn6FI5bPAjJRiVMkOI4Nw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:7Ziw5QPQ,iv:Fj5uG+vvFz+M6j3DQLNnPOQ+NdU7J8fHrKmUsSotEc4=,tag:aVXnHMx9wbs9LdaUANAQbg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:wi8L/RCP,iv:hmW3V8p+axf54lwKrz4aoI80D7eCs7R1NJAy0GJCXaA=,tag:J8JGi/+oeC+GcVUeRCkyJg==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"tokenAuthCredentials": [
+																		"ENC[AES256_GCM,data:+N7/r2P2,iv:xY4KeAn1+jcvgAxuKLHOkguXogWGSDeu7fgvJkjvQyQ=,tag:61S61JMJjySbX0Vx/a/uRw==,type:str]",
+																		{
+																			"accessToken": [
+																				"ENC[AES256_GCM,data:3XqYsC8w,iv:ox8+MP4WH6TMm45U58DyTsRFW88ZIw1dt8DiEgRwj0E=,tag:PRS9RlrzOyjL3Ivt9nd6wA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:BeaAhbL/,iv:odA3vEEXp+XJrd+TjBlvxKP1978+xLeZQMiQQctKS7U=,tag:r+PEM+2UAHDqLbYdFTVglA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:lLVcQL/b,iv:FZhkzGLR1UHn/0dfwuIdbPBPG7fgVFYw6j/sY/syy3g=,tag:5o/K9iAk63Mm85k8L1i4dw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:DG6kaTr2,iv:JdIdGo0heb3vsKLS7z6JUWUKE3/GAKaKuHniAcFbsCY=,tag:4+usDlNodh9sQfM38NAQRQ==,type:str]"
+																				}
+																			]
+																		}
+																	],
 																	"universalAuthCredentials": [
-																		"ENC[AES256_GCM,data:neLNqMwH,iv:wdPFuGtcIypgPenfbnSQHr2ccKrV2jrZRRyKaxjjNOc=,tag:Be/bka8hZdq/kZlI7Tn5SQ==,type:str]",
+																		"ENC[AES256_GCM,data:akipf2eO,iv:lE+Zh0XOReimB2r+RjJH/c+d9BB/tqPmqoyE/jbB/Dc=,tag:AVsdThSqa/KhC3+y3bsEGw==,type:str]",
 																		{
 																			"clientId": [
-																				"ENC[AES256_GCM,data:6fUX/n87,iv:RzdIgEenn3SCXYmK4s3KoEy6ObGikVMp8VZzp/etfdM=,tag:NBKh3LENAIwqNtQe5qmHOg==,type:str]",
+																				"ENC[AES256_GCM,data:+nuWdnSB,iv:KvTOcnrfONirIgkbNqFLJtzpgIYLdZ/HaBu9QSyeMpM=,tag:qNjAqiPECAwjQwDHHXTbyA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:M613RWhm,iv:wtSmNdJ4KgV/vpDU8e1GduTxkeQ3oC1ZEyTlkrjlraI=,tag:65eGrbZVpxqJq7pbH6fa8g==,type:str]",
-																					"name": "ENC[AES256_GCM,data:KAI+qdj6,iv:318tLFuMYxmKKJCavXVLuy/BathjhjyjZ7oZjxIog/o=,tag:GOvhWNu4aIqg9AJJOr2wbg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:r+v8Y3b1,iv:nY/lTXp+tlKbbBAy6DqlDMxIAc9hYsVyF7WjasbPNgs=,tag:ez4K+HqGTTSKTQ52nlrtcQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:S72d71pS,iv:6Brczuru/kEPElH0vZPWkae7ID5HY4oCrtEbI16wxes=,tag:doe88YCEtlQqXXQPDVk3zg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:oTz56Ma1,iv:/9aHV1V3n8G+4TdmuwqJsUnLETTIWfzGocXMQ95BQzY=,tag:QLCccz+cBc7otFRw0lYumg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:n6qn8Vkq,iv:JGdCQJNxcLG/YUjRpyToYmsrrCavQv3cdzX6ut9wuFo=,tag:zd5B53QxQGLSE4k+cM3diw==,type:str]"
 																				}
 																			],
 																			"clientSecret": [
-																				"ENC[AES256_GCM,data:uyzFjGTz,iv:E4g6OU6McEvZ9erlIYHMmGtdEH/PJ9KOCK7wGoouO+c=,tag:QOlKWWs9uUVboyJM/fgQVw==,type:str]",
+																				"ENC[AES256_GCM,data:KNifo7yb,iv:5+eAw4E51fHFrCRYPDTmaIdMSwGMa+CzTsicj7j1zoQ=,tag:IAw5shjD6VX1thKa3HW61Q==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:BY/bohpL,iv:tPtEmrxmnBtbCjlXgj1wt27uLNY33ob5pHklvEItaI4=,tag:CS2dvKqmRYlxvqz8cg0SGg==,type:str]",
-																					"name": "ENC[AES256_GCM,data:+BX/e+lN,iv:sImt5JBLg+hAwRkz2ULhn8tHedFinK96s9bRNVTn+es=,tag:QiC2WPi7Yd/KwU3N1wAieg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:k9J/9o4p,iv:Ts345ekFA8V9H6j4w3v6XZTo/EPCx9WVXfo1fu4gg6E=,tag:r+0Pd55JiDwxRfCtVnQKXA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:shsQtgzx,iv:EEX09TFxn20PXIhijgW9fUhjtq33Qu0QpboaVDgEos0=,tag:1J/tTu8byqrWkMuy6D5fCQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:EUEoqeIM,iv:vVomzdkoW4ICh/Vfu5YXp3UlkLAK0u4iCKdhtCzovh4=,tag:KH7ZgZ8xbj9S2L7U19amfQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:QZHdw1TG,iv:bwE+TdGuqErPzLCRqyUnHDKahpdkcBeTSo8vhj3ncG8=,tag:z42uVy0BX0D3W56QNsnQXw==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"hostAPI": "ENC[AES256_GCM,data:ILBcxW01,iv:y2JQZV5OrSPm/11KdOuLsjI5vyfR1XLj9EptIDvhhHk=,tag:86VTXUPb/rYvOdcY9P/lzA==,type:str]",
-															"secretsScope": [
-																"ENC[AES256_GCM,data:Vjy95QeJ,iv:FEyMxCjdZBtEY8XMihQiMuVH6tZZvPlZZRyZkTRQGWw=,tag:ouRx1h5Y3wMuTgbEZS702Q==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:FwNWfZGJ,iv:WKydcJ2NYhp6xjxwFzjX64ObCBxOaMIKnartg3w7QSo=,tag:j5GZCn4j2z7bP6cUZK6eXw==,type:str]",
+															"caProvider": [
+																"ENC[AES256_GCM,data:WzTm2YXu,iv:f6yKF/e3ntbVz6zOosbSpROLcL+A6PMHM+DMBOE6Rig=,tag:/2WxRHQWD5w3pjw5sVgPJw==,type:str]",
 																{
-																	"environmentSlug": "ENC[AES256_GCM,data:O9lKN30g,iv:vUbaddoMyCy+c3OKIsrP4pwZ3Ck40k81OcIFVn579dw=,tag:QxaLQhTyNxBstm2B9/ia9w==,type:str]",
-																	"projectSlug": "ENC[AES256_GCM,data:kzGbcDdp,iv:YzXbi7wqjYvVihNFb3nIVu2Log0BOUwIVvCPlDfxXk0=,tag:b+EwkJgO9gu238+svMZt2Q==,type:str]",
-																	"recursive": "ENC[AES256_GCM,data:/vcxXQ==,iv:t0b7/8kY9wbrL3lz90C/m93QR5IPSG43T7iFNkFbvCk=,tag:mef2zs/6HX9z1EqaKeD7aw==,type:str]",
-																	"secretsPath": "ENC[AES256_GCM,data:JHJLodYK,iv:KV65dPcXIa6PKVMCMVSmQ4LPs6Pp0NwGzq9BxN1jXRE=,tag:E0aYCu+MrChMy0FWIFQKGA==,type:str]"
+																	"key": "ENC[AES256_GCM,data:P43LDSYW,iv:hY6BVVI4nL0iCQmgNl1it0uDrSxDcNtm9QQkxQz/MhI=,tag:FbZO0Vt6oSeZey5tzsWDqg==,type:str]",
+																	"name": "ENC[AES256_GCM,data:ojo1Ybfo,iv:tRk3qi6i+xrGN+w74rQiwozo+f7fg3HreTJpsbMtI8k=,tag:SB5LwVKnB/PzBw/IvvQK2w==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:025C53QS,iv:35057RjwaDfbL2AsojEBFj/0mDLQZN0upvxQ+F4bbp8=,tag:BHi9eElNVqSFmifYG5dWhw==,type:str]",
+																	"type": "ENC[AES256_GCM,data:PuDmPQwn,iv:Z/cgvHRkY4GlSz05gxgiMf/G7ThlxqogMU4lrblJA9c=,tag:00cffNskO5/yobHkDQnaYA==,type:str]"
+																}
+															],
+															"hostAPI": "ENC[AES256_GCM,data:Hkx/b29G,iv:SPxWaCDSMg50P2KxSGa2wI7x1Ms4zEaIzgsZhDWaf+w=,tag:dtuvDozM4kYTVERJ275UFQ==,type:str]",
+															"secretsScope": [
+																"ENC[AES256_GCM,data:WDscdXqk,iv:8Q8RxFv6xddgkxm1VfgvHIW+zByvXl2yYEBwUx1Dcw0=,tag:ryYv7kyuSPydoLySE4zbOA==,type:str]",
+																{
+																	"environmentSlug": "ENC[AES256_GCM,data:QL9aue4c,iv:JVUXVOznei5FiWPm5ULnszQFvaOSeMI2b6CSnfvoThM=,tag:Ei2kPPVaf/wjJKilCSp4DA==,type:str]",
+																	"expandSecretReferences": "ENC[AES256_GCM,data:88rMqg==,iv:/EaKFINudRaOWD1eYE0wb30Wppzpd8a+wOFsj3rX99g=,tag:MAU1kzs2Bg8tyTAjBYg6/Q==,type:str]",
+																	"projectSlug": "ENC[AES256_GCM,data:beSh2sKb,iv:5iDhQMRC/6CtfnyirTr6lHl3PcipBKEuZp5i7gajDXs=,tag:Baa7KAyBwyYlVIAKUCJ8Xg==,type:str]",
+																	"recursive": "ENC[AES256_GCM,data:mD5HLQ==,iv:jS0JglEYS90l0pL38a4G7PdzuebGm6vr232oCzZD8tc=,tag:XthlZbWwZqTnZMj1Gda19Q==,type:str]",
+																	"secretsPath": "ENC[AES256_GCM,data:IeiOopaK,iv:nZYI16XooiQunyk5ybJdeY8P/9CAzgpzdjlhO3d1RAg=,tag:lMNGjOP1wj/vN08jTRFQAA==,type:str]"
 																}
 															]
 														}
 													],
 													"keepersecurity": [
-														"ENC[AES256_GCM,data:Ty/RKdkk,iv:ZcrqaxYmmC9SisW/37nSO4zZaH3wWgNOJM73pwOqDNg=,tag:DtddPpO1HlUhCdH9yq7Afw==,type:str]",
+														"ENC[AES256_GCM,data:0VnMUoiZ,iv:PizSVAgk7/1r7atBdCYseoV3ivCr1Zyg8I5QzGy0z60=,tag:YH8z/H4+2Mp6Z+PWOj8gMg==,type:str]",
 														{
 															"authRef": [
-																"ENC[AES256_GCM,data:L2Q456Dy,iv:RVK/EO1Gv1VapzXOqr1Yv6CXEZcj3bDP1Y2LeCpbLxs=,tag:0otRNgXvjE1O1jUQEfzUUg==,type:str]",
+																"ENC[AES256_GCM,data:W8zGFddS,iv:RePwLA9OTLBNkYpOtaNZ+n1n6dOW7NcfSe6LI2sFE8c=,tag:JSqf+t17SIzkZPxQ13jrSQ==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:i7FSqA1d,iv:E6x4imSSbQklzL3mPl14TUqHG8lx/Dfw/AjtslZfGAU=,tag:SCEzjddTlMFvXxi003lHzA==,type:str]",
-																	"name": "ENC[AES256_GCM,data:G5iUTfEO,iv:8JLLEM7doKCh2VpqM45xWjhVhZmjbWrCTAZj1Uihuts=,tag:y/XhhY+kILTYAF2+Yxo04w==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:coGXSEPu,iv:m8wdh2UyprEv4eEITH1usxfMt8sxRUX5x+iJYKKkw+I=,tag:jpiVP4/leMY6UtteF5mZ1g==,type:str]"
+																	"key": "ENC[AES256_GCM,data:3fj2VUE7,iv:49lIWsxtJbrqsjZCBi1OzaB7HLUZQQEllWXa6bNc3gM=,tag:2zUkr0jCe/yKl+MhpvKXKA==,type:str]",
+																	"name": "ENC[AES256_GCM,data:10beM2iU,iv:vSaZwgTBRaI15du0AUHR0LYdu8RsB3UrW5zI5rergRE=,tag:c+r2Y1xk7o+83XDReJ7HFg==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:ytKU32mk,iv:+AZqBRbES9H7JlpvMggugJ0imvc8OrLCEyyOftTvQAI=,tag:35Iy7YTQyCdjoknzEhyPkQ==,type:str]"
 																}
 															],
-															"folderID": "ENC[AES256_GCM,data:ExtPfka7,iv:M6FzEADbg9/N6jCTFkZZCUEww2czLjnPwX3q5GRwq24=,tag:UZ2IyznnZBcCZCHq6+p6Fg==,type:str]"
+															"folderID": "ENC[AES256_GCM,data:mGQ4pz5c,iv:FJXunEaF2Lbpi4zQ2EHVP6/XCazHkLg5YBYIGADBJ1A=,tag:eKBDJ4YAe3oKGjPIhr8JFA==,type:str]",
+															"getByTitleFallback": "ENC[AES256_GCM,data:fAOiog==,iv:BILd6TxscPQvxZ/E+P3aZrNK0fosx07Mi9ud0IGz6w4=,tag:/24XpFgbeQi5Vf0TdWekJw==,type:str]"
 														}
 													],
 													"kubernetes": [
-														"ENC[AES256_GCM,data:9zgqOwRk,iv:OD5graWaCp80iKmqXvkB9uHhwnORcFVLBJNqygoe+DY=,tag:xc8wVSpvPlGk+VZDj5QZZA==,type:str]",
+														"ENC[AES256_GCM,data:GUVlcMc1,iv:auoA/gs/szP3h/9GU7Y2AThEXjLb+Cd4JHNyv2VRITo=,tag:3GixhjcIeUeG2jqw3GpDlw==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:zt5uz+cQ,iv:VvKZ0am32SD1zumzpl9lrPNcPDNVc8eZpbRwyrfNgP0=,tag:dRNMlXo/dsg+6SSGj9O8Sg==,type:str]",
+																"ENC[AES256_GCM,data:Rssth31h,iv:UhycHGtUmS1gmXc1FkxmNm8Y/qrkpeUXqpWjk6Qd0bk=,tag:nR7QHTQEni2NrHccILppug==,type:str]",
 																{
 																	"cert": [
-																		"ENC[AES256_GCM,data:8NC+IG27,iv:ZGkZWUPcka/S8Lch3t3i66Fhosc9JrwDkvT9RXLXpuQ=,tag:adhc7Owq/VQMccnfcWuKYQ==,type:str]",
+																		"ENC[AES256_GCM,data:q1PsK9QQ,iv:zj3JT76l6jFFgoR44ptJ1H7M1ag42NAqTkAou5m70IM=,tag:37Yf5+wvo6vm9+IS6/MgXw==,type:str]",
 																		{
 																			"clientCert": [
-																				"ENC[AES256_GCM,data:Zx2UprX1,iv:9TNdYznYzX3PVPJWeGjtPyKzVxDVjolGrQE8RyqWCDc=,tag:JGptap8cq+9EwgI6kNIq/Q==,type:str]",
+																				"ENC[AES256_GCM,data:FwjhWU4S,iv:bD9zlBvbBrC8XVChCOgFW04Nh4G5zW1T5AB2YHsyqe0=,tag:Oy11sUlNCZCbBc0GojTwIQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:9qd5auSC,iv:ZufuP9+BiJmghSwjAFMpsI20uf4eE/ZQXiyPPkvJqVg=,tag:NmgPK1CdDZPk84EtpAwpBw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:RS8vjPsg,iv:QqHfIRzSnCpxxXG2JoD/8BDNVXqKJuWlcUx+KEyMHU4=,tag:x5BpxsrGyQIOqfjcB4123A==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:VkqbSHz6,iv:Yky5qrPcp4x1ZZWQXYQ75N9J8CH/DcQoMcZROV/qxDQ=,tag:cSdHbYbqa5Kjzx3VjczUeQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:7DtiE3h6,iv:KZ25ESlM2SyN9ZTuxH4cfQm+CHtyPeSDW0vLDvBtF1U=,tag:y6ZjyXcvlEB7t+0X32DyTw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:2NJMmPrX,iv:2gaBVGiRib4xPCr1D5bX/D30RDhBsq97QFgedIzDO2I=,tag:7j1yznHqVW+BkuZ+l581ew==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:WDC3V8ed,iv:cZJd7TBOT/unGwWZ0sG4YeSacZ9DyG5ngORrsRWquE0=,tag:lRXjtDKhm4pg9KLt9zl0uA==,type:str]"
 																				}
 																			],
 																			"clientKey": [
-																				"ENC[AES256_GCM,data:0b9vfIXS,iv:eI5fa+uwdCW6T8ITSS0UvEm4kEvaBbg2xCufV9XdurU=,tag:2V+ip+XdTfCZ2sIos4ddeA==,type:str]",
+																				"ENC[AES256_GCM,data:FGrpaNMm,iv:YOIFHZVvHBjBPnopWEdcOVomlnJOppDXV55N9Aw7IXc=,tag:S3Dbb6qbZovTkBq8dc++HQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:Eq4oQefW,iv:QmNoFz/KBNANxXXS02LsB8zOiZnV44zBUFbuKt3rHto=,tag:jSAwLEKXVrkBXwjULoLRVQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:OVtqIF79,iv:gYkQTPwnQF/u1qYiDQJxLtEn9QSlLx6bVMHn4DUFCkw=,tag:C7f5BYM6gBnBMbJnQNVGxQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:zpG3LY+K,iv:zC0qJxLIojozCANQp/2tYNkqdA4pFLhbJFHzuIDx41Q=,tag:DehMsYJDt9lh+0YDrS/SSw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:2oO41BGB,iv:zap9otzVMXZFd2IkScF79PYlYDbPkmZxP3V4r/7GRks=,tag:P8AhIQQY0qBTL4Pykmv0NQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:I5TjMis+,iv:3YAsO6cgOsU7zdcfNgSXkTrCxV3dNmksmkcwDCMEzl4=,tag:4PzESnhAR1cUOknsKFdXBg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:+4TH+ANO,iv:IFHiSZwFms6M3r2TtzgTI0W3lLgWzsbWAWY78MCrf3s=,tag:R6XSINX9wmEJ9Mx08/7qDg==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"serviceAccount": [
-																		"ENC[AES256_GCM,data:3wCT+eF/,iv:pLzGWbKhsedM/7RMSue5Vvie1Lmwv1X/F4GFQf2sR6U=,tag:iiNC0rq9oIqlnJtIplwkgA==,type:str]",
+																		"ENC[AES256_GCM,data:Y8MTQ/DV,iv:f2sJh9AwzpReJKbA3fTJTz27equnjKCrdBI8DinQbXg=,tag:ZLH7rG9ANEY1JncWmiIEfQ==,type:str]",
 																		{
 																			"audiences": [
-																				"ENC[AES256_GCM,data:844Zdg==,iv:yt7+/Yz0G+Dw4myJi7arYCSrJmqmzuQQOIrFzlBsrNs=,tag:IOG2e5qY0PgkCAuW078J1w==,type:str]",
-																				"ENC[AES256_GCM,data:KtQb+JyC,iv:kwUmegihracVPzkvK7kAqYGAiwiCXUztOWwkAOodmBs=,tag:pMQvQzV1i7LKWT2X1x6Gbg==,type:str]"
+																				"ENC[AES256_GCM,data:+/w9rw==,iv:3hAY1vpCQleOQh24noIl/liIVHRtEp8JjQxmi02x7TI=,tag:cXU4eQpTavc969LDM0dEuQ==,type:str]",
+																				"ENC[AES256_GCM,data:7nyltRL4,iv:iJyujK2/bZmSKbcNxa6pqIDj86PpqofUy5LG33VRv9c=,tag:7n+XhscZusyhWCoqA9NM4w==,type:str]"
 																			],
-																			"name": "ENC[AES256_GCM,data:50X+sN70,iv:gaOyFnhlFIvnlvfqnRgST93svlfrSIgmHH8+XCQOkkU=,tag:JGaCtx9rIT055rJ4190VbA==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:PLY6wPxh,iv:E5woG6BRQNqjN4hYBuB57ELActwpl2DbR6qB5yhGY4M=,tag:0kfgcIyo7qHd5IpK4M2SBQ==,type:str]"
+																			"name": "ENC[AES256_GCM,data:8rPNL2Qg,iv:WbKkCKB9yAMtBk0G8DGqm4runKrqLhgN1bWBXWer5Hs=,tag:Y0Z2qi7AfPeYXp5PkMFXvg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:pzG3wOwp,iv:jhKiOde7RwXxlVtl9+LvmlpF/ujtOO7lF886+Z7C6ok=,tag:77GlZ92TqDTff+sfsG2OUg==,type:str]"
 																		}
 																	],
 																	"token": [
-																		"ENC[AES256_GCM,data:XKtp+rlf,iv:ypL0rn048aNG6AkCWrCLwnEDNNRv66BTi6mOtsSGG28=,tag:g5eIyPqbjJOs+9xDOrn5RA==,type:str]",
+																		"ENC[AES256_GCM,data:xr+1LusR,iv:ACZQICOd21MSTen8ZBt+zByEPYqngnMxezf/K1bZ7cI=,tag:lZbNe+hiy03ktBK+162UNQ==,type:str]",
 																		{
 																			"bearerToken": [
-																				"ENC[AES256_GCM,data:046HPWGu,iv:JBGaXhNXnOVbEiBdTrxFGoRbjqWzNBqclKsLzlnrSQ4=,tag:O3vbE+12N6z3IbxbmW1q3A==,type:str]",
+																				"ENC[AES256_GCM,data:eHQITzAW,iv:vwpvUEz26wCXEHZSpL8ustw6cH9apd4+Gh7jY/A1Hh4=,tag:fVb/jknzgcmhAEbKa8KROg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:LnyZPXEO,iv:DLHaA0mo/qJNDYVLCzIL/ufuKE9ZEUsqV5Xya3MO/Kk=,tag:84q2PSBFAsD+h1JkUg5E3A==,type:str]",
-																					"name": "ENC[AES256_GCM,data:ccNJNnHc,iv:HCgY5mmoRXBtbQD3pFHdF19o3oHb81gvvTwTQ5teYRQ=,tag:2O9p2m7m/Fg2wVgHNYHF9g==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:DxgFpCCJ,iv:waj6feHnv+ufJX2uIBv1Reb2axWmrteja6bec/Ga7nI=,tag:pWLK3WRLMIrS8Yo8/0QOeg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:MI1dy/EX,iv:EJXIowBev9G+DgjTpfFSPz3g2ThcQhAQu9wbUMTG4xQ=,tag:nkL5L8cBteeK4Fvru6X1JQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:p1ZYTKRC,iv:ut+mXELnFgNI8BhIqk7ZkGsrpZEWOsh463kjtyeUcok=,tag:RwPadqWOYryg3n1jGYXYNg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:AbNVYSbw,iv:k/p6TDhubdjIzWXxDvEr7fyWA8XzUzJ6QUMh64fKk7s=,tag:kYvBjmtwchZR8c2PRraAmA==,type:str]"
 																				}
 																			]
 																		}
@@ -1959,652 +2867,1008 @@
 																}
 															],
 															"authRef": [
-																"ENC[AES256_GCM,data:V29CvviD,iv:3UVTezE5erBKEUhDMnFnKtmhRiENj3s8dElUW+bpZ94=,tag:/d7jtYnUEeg7csjkwJL1WA==,type:str]",
+																"ENC[AES256_GCM,data:j29VvBhe,iv:9n4HmWUkpCmoY11U2Iq3mmrbNTVTKmOsXmcZNhaA+GM=,tag:kCpBhoCBwsx5GTH2UAuTLA==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:cMsje6i6,iv:EMaGgoH9RJ3NnZ4O0Dk1llQgl2Nxf2bCymcSGd+zUaE=,tag:D7RgSxe3cRrwn7J4Ncfm9w==,type:str]",
-																	"name": "ENC[AES256_GCM,data:IIE/ip8l,iv:7pVinl5WzbfX/QCPNe4o2YIYDZZBQtjFMJxXilx5IgA=,tag:HFmogCJvREqpxJOiJ5Q2OQ==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:7hArWgJy,iv:2jMMVxHm+jeYzRgC0uvHPWg/eRtdiyCqMVGcWJv6ITA=,tag:AmSRTJx19jYk2qIoRuUx6Q==,type:str]"
+																	"key": "ENC[AES256_GCM,data:ZFwUYYov,iv:gF/RXCNYBTxSlTPtrgrj8S7eFokwSmFJHr9BwpHxRnU=,tag:WHT4dr5edKzhWNr6rvne9g==,type:str]",
+																	"name": "ENC[AES256_GCM,data:Etqk+mPv,iv:ik0xGXyc+BAdmKBvcTS5B5Mu5vF80v326G+NP+dUWO4=,tag:NgmTTm9teN/53muY6S7UPA==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:bgj69gEc,iv:S19IcIy0jyZza3C7jt6xgM3M5tr02L0jzkv31uhv5BE=,tag:cdrTXstUmSFCa6ToKCnW0Q==,type:str]"
 																}
 															],
-															"remoteNamespace": "ENC[AES256_GCM,data:wA8SgKQu,iv:ikDjHiwd09Gnc/kESqDV8siKrApY9NJs6SmukCOXX6U=,tag:rFvfTAJJa5D559zHPpWzag==,type:str]",
+															"remoteNamespace": "ENC[AES256_GCM,data:2p9V8YdX,iv:KzoKZWOqDCLFsGbIhjRvXeVfi9FWilEEcC7l3+21UxU=,tag:aRgbiitA5ypocw6fr7j1fw==,type:str]",
 															"server": [
-																"ENC[AES256_GCM,data:EQi64zaM,iv:axTwmJbSp3HXD90NjbWF5UTVpK+4OqHNfuHQWGOQHX0=,tag:14t3LOjv4KtnrnsqEfqC0A==,type:str]",
+																"ENC[AES256_GCM,data:rwpekLYL,iv:KHPTtU26CGqpvimJlSex/OpHdcEyHuXA97op1dVrOKQ=,tag:9e6/W5MhVz/JV+98RTYTwA==,type:str]",
 																{
-																	"caBundle": "ENC[AES256_GCM,data:3AZx1q+0,iv:skk+bghuhd8rIh57aqSM5jpp4jW5LSQPWGCn/BnL3YU=,tag:0SSQ8WYDlYtykuvrpz7piA==,type:str]",
+																	"caBundle": "ENC[AES256_GCM,data:8bkOOdzD,iv:91/rB+/W6+sxUxy0oYodV8VcH4HifwNGSYnRjSkz8DU=,tag:A1PLJEVGR5wHDbTUt5I2yg==,type:str]",
 																	"caProvider": [
-																		"ENC[AES256_GCM,data:aIIjHpCw,iv:KUzxFErVL4qNoNA5xJ34nxoLbROyqPCcMt/PPwt8uvI=,tag:NB6bXk7ooOgvaTbTP00rXg==,type:str]",
+																		"ENC[AES256_GCM,data:ZOh23VOt,iv:NIyEfLrkOhKaER/IypboRrM99EB8S18nZUK5x98u1rw=,tag:naOQS+xB7R2/dw1dcDD4TQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:sJTXw+n7,iv:7mvy1yzP7LxPgmKfoSZJ+s8T9nLZf7JypOtuM42XV9E=,tag:3k/ATjYU5JDglg8Zc1GrhQ==,type:str]",
-																			"name": "ENC[AES256_GCM,data:YPgnTame,iv:GuoeA4fC79uloFZpuZNei9NTWJkz8R3o4kDL9yhJ+yQ=,tag:VJW43+rCEddcrFUnPtU2uw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:dlvDjDGj,iv:Aq49uuLYM3HnaYuqQnF3WDVttXK63igyasYjwJ2LzC4=,tag:bEZ6TB4WK5c7IuyFD5mtag==,type:str]",
-																			"type": "ENC[AES256_GCM,data:a2kZ2v7r,iv:DYMVdP9XyDbXiFJnZl2dBOIWIcNfNeH8mVNzvBTv6VM=,tag:EbgWLkvnm/XqAEJGCS4e5A==,type:str]"
+																			"key": "ENC[AES256_GCM,data:hZgn4YpY,iv:BoYekK2uTx7/ZRGsptRj44K4WV1mO/9GA760+gZpEf8=,tag:0Yq38rQY6uWKtChEKvptLQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:c7HYcjLm,iv:axoiFPsDxlEVZG/9pvAg/avDYG4sEWzcNQEV9I3bNCI=,tag:S5HUC6F3SM51srTMcPV3cQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:C+H+3+Op,iv:rWTjYX4HCCI84YXqS5Fjc8D+OY1sW6EIgITmxQww68g=,tag:yCyHsHwadQNaeFRx7SGYpA==,type:str]",
+																			"type": "ENC[AES256_GCM,data:kfgnJ4Ve,iv:UC8YBYpHONgaAeRAuOEGmZC3jxJ+spGhCjtzwKRfre8=,tag:piiHlXM/EMUXp9zmaue1bQ==,type:str]"
 																		}
 																	],
-																	"url": "ENC[AES256_GCM,data:ZO0v/keF,iv:1/xBNurcJj8CJnYibLJyYhBKQNs2miQjQjGQrGGLL0w=,tag:bIbG+1o2p2fUAaZl928sLA==,type:str]"
+																	"url": "ENC[AES256_GCM,data:eYJdKFLK,iv:dgijdFaNIKsTgzGJV0cWjGGiAjmP+rlCydWIIbnGmBI=,tag:uQ/2b7ltnUVy7h4+3LmWpA==,type:str]"
+																}
+															]
+														}
+													],
+													"nebiusmysterybox": [
+														"ENC[AES256_GCM,data:Jb+8GkNb,iv:p7IOI8WnvGBduetK02+bQdVHKShiPn8z4xen1Kt9uWM=,tag:Tl8OppwDzDnz2I3ZChYH6A==,type:str]",
+														{
+															"apiDomain": "ENC[AES256_GCM,data:k1Db7nYD,iv:s0ewwnXY1ssk3mnx0TBpfj8iDlHQWYDNM35BHgYg/pU=,tag:O5f+AiRpHZ6y1cjLK8hD3A==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:aa1suab6,iv:rozhVieSqgP4SosLZhIphy+KERTCD6AIeqGxZJI7dhs=,tag:LkCUEt4e7uHoualtdRVDCw==,type:str]",
+																{
+																	"serviceAccountCredsSecretRef": [
+																		"ENC[AES256_GCM,data:ZlA0/I1A,iv:jKseGmULu+xYoTH+6eU5QR51+Yl5ea7pu/3n1EFOCns=,tag:2gdclslwCS5dXEypxmpU2w==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:C31RQ/+t,iv:BbB/NnUitSmLWkXDDdIiCrrcGNl2cAHNSsoVddnf030=,tag:MJC8VJtC2ucOhyk7po5Zbg==,type:str]",
+																			"name": "ENC[AES256_GCM,data:NxJk65+Q,iv:xV3V68cT95UhN3TsvtjiOXy5W0D39quDmC81dU4Voas=,tag:apqSuU3NvacFKwXbM6oNkw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:RQ3EIX9m,iv:Az1HW6HxjyTMICZuhQLCfGkzyJXj1LtAVyruHbA4Q5o=,tag:vD0J+J5OCCk9Zf4CRtYIWA==,type:str]"
+																		}
+																	],
+																	"tokenSecretRef": [
+																		"ENC[AES256_GCM,data:ks7BdDxO,iv:gQqJrAhBUQsWTIGthrp4vdegqC7d7Zhr/N6wS8IqjQE=,tag:hBIIG7IPO40+v7grQ6p8YA==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:GnGOOa9G,iv:zuQ5SOprpUBB2k+WgkvC0DytO6MbASVms9fZfehowOU=,tag:IVw7ngALwiOIR7kdwVTxqg==,type:str]",
+																			"name": "ENC[AES256_GCM,data:WmZ0ejXO,iv:4G1K4bKgP83V77RbkFwaBOIxPsXPpAxAtl5V68bPG5I=,tag:juoYiR+MFncLSR58/pjOSw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:B8vwypGo,iv:yfT9/FDp36omlivlM0frekXMSc17F4qBk7G/OkxIvLs=,tag:xDx8LoboacFhh2vmHJqYIg==,type:str]"
+																		}
+																	]
+																}
+															],
+															"caProvider": [
+																"ENC[AES256_GCM,data:mw/5mTz5,iv:yPpaxauyB5X4sqN+z21hqpgVLFjBXTXzUmhFKX8Vi94=,tag:Q9ob7o0hw8s/XIBDvXM7ig==,type:str]",
+																{
+																	"certSecretRef": [
+																		"ENC[AES256_GCM,data:57DnelfO,iv:4Fz+MyTa24a9ty65j873BvRWQqH3nSXzXFLJAPqoqf0=,tag:W4cLlLnVzAldiUKa3n4Vwg==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:j2UC0wA3,iv:6abOme3Wv4xuxQC4VOK0yr1f9jqacWmvbgxXPj3zfxs=,tag:XQ8UXzdX1l3urxFd+5IW4A==,type:str]",
+																			"name": "ENC[AES256_GCM,data:PS0V1EIJ,iv:NdV+swn4IvjQU7ydJnKKdckxfgghcQTjCiRZdUqjJZ0=,tag:kpb2uvw+yGvcLpvJK5AitA==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:pNTxJesM,iv:Nu9Vkptf+QV+oQ4EiHhADmuEO0nJjZexWIdUmr9AbTY=,tag:C45OlM1qcTK5AXOCZFJoBw==,type:str]"
+																		}
+																	]
+																}
+															]
+														}
+													],
+													"ngrok": [
+														"ENC[AES256_GCM,data:y17ox9nT,iv:Ja7IJ5YVpIbBlVlzFIyeksKY8h1cj5cP6dJxZQr/spw=,tag:+djPvrh6RQiupE/5dttuMQ==,type:str]",
+														{
+															"apiUrl": "ENC[AES256_GCM,data:UMMC5q09,iv:dcUkiGltLXIl2x6q74jVTm6nazecB+F8PFbfv/SGwj4=,tag:9pT9I36mkDhW9TQNogpSpg==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:2hMANXWJ,iv:chKSYw40xcW3K66BL3JnG80IC/KgBz+QhM2HLUT+myM=,tag:eHuds0MpXcej0AahLP7AYw==,type:str]",
+																{
+																	"apiKey": [
+																		"ENC[AES256_GCM,data:TMzp2Lbz,iv:JlF8llJnXUrsqHsF7iAYrL34bB2nz8Iun4UQY9eLnHI=,tag:PFp6f4V3Hts7W6OS8Gmp5A==,type:str]",
+																		{
+																			"secretRef": [
+																				"ENC[AES256_GCM,data:SkH8xVtx,iv:AwfugHlifHW7NCdxS1GuHxWGvZnOnqDlzYKCRKobaX4=,tag:ffXfyKzXy03Fb6fC66YQZQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:P79Twc3n,iv:tkIubKWOGPmntR0lQAaewEH68N5fQ2gptAaaYnla8u8=,tag:VXvqV2SJ37YyFQcLT8n5cw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:bp18LmZR,iv:0N1ugWm4vh2c3bTn5+KsS+0w0g46QqmTpuWAtXYKrI0=,tag:m3/2bSCF+AmhVvXhbRuz9A==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:5kYDbXjN,iv:gRpO8d/pZH4LF4ul/BlZpuY885ep0AQUXpCAaJy7Fvo=,tag:09Cwk0xw7eIzq5834GkQoA==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"vault": [
+																"ENC[AES256_GCM,data:ST2BXEzW,iv:+kfXdIgYfZlfhWxRTjMT4XXA7MY9Xlzsgem2XP09AYA=,tag:GFDZeOzawD+iuskVeqq6Ug==,type:str]",
+																{
+																	"name": "ENC[AES256_GCM,data:2TLt4XDO,iv:i1Ocpp6NNv1X7D1G8DuVbRjas1HdFjs3zzezfNovO6Q=,tag:0aWdFYUHL10hiT0BNWY6nA==,type:str]"
 																}
 															]
 														}
 													],
 													"onboardbase": [
-														"ENC[AES256_GCM,data:QZfoiwgp,iv:DDHkmQCRjPn1l0E6r/gmWiOpEIZ3CRvap5oFR51AA0A=,tag:UTclzE9QRuCBKwITMvhMtg==,type:str]",
+														"ENC[AES256_GCM,data:cg9f6PPK,iv:4N2p3+q63TO9y72yoHMH77fG7dpkpeoXEhUPpd3b+K4=,tag:AFUbGhk6pbN8XuJSBlSK2w==,type:str]",
 														{
-															"apiHost": "ENC[AES256_GCM,data:9tG9gBe9,iv:Wu1pfcFI5d4NrXXXmZV572xCFRwXYJ7g8y3lWbkKT3E=,tag:wyn64CDPFPY/lFZxLj1fFQ==,type:str]",
+															"apiHost": "ENC[AES256_GCM,data:OFrBEeeE,iv:Jebx8wi6kJR4SuEIMxy9Am55Yew9U8aBrlBqQY/nJpM=,tag:ETba1xnW7dago8ixAjZYSw==,type:str]",
 															"auth": [
-																"ENC[AES256_GCM,data:PEgRx+O7,iv:mOG3g3lZAzduYZ01iVxl2UE42FPfQCfHCIUqcKK41E8=,tag:8hi02Rmqm9dNW9CAff6mDg==,type:str]",
+																"ENC[AES256_GCM,data:zSJgAVKW,iv:gEATELzsdtFOWUBtWNHTbnaXQyEmx35jVMZAlqmAP04=,tag:n/y6wsmK3Cwlx9R9zqcmTw==,type:str]",
 																{
 																	"apiKeyRef": [
-																		"ENC[AES256_GCM,data:hmSUF9qL,iv:m5MANMFv90KqTjq1w2xYlwpkM2q19xifsnY0inhWFrY=,tag:ROvJ/hIA4BGaQbbD0cTnsQ==,type:str]",
+																		"ENC[AES256_GCM,data:nt0CLMKp,iv:Plxr03nhgRipiMGywuVw0gws/Ic71buCUH0TrMQ5IKM=,tag:dRv9DzYPsuEW8lNkvsOFag==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:9m2iMaXy,iv:qnkQ6VKs9F8+lMyCCG4hErs8+JfH3hpSgADWfdV0oLE=,tag:Ij2HRy925yPDGerumDqZFg==,type:str]",
-																			"name": "ENC[AES256_GCM,data:VfQ5y6Lb,iv:Vzihi3LpPTALUbe5F40I2MiLb4XmzmzgCMBlboxcYXo=,tag:etjvLWSpGo4P5fX39pPfgw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:8swXztxi,iv:A4eSO13Ve8NEChxrUMkh2pqJAFkiUfop7zyntn/3V5Y=,tag:Y4vr+y5yxjtktAw540Ndyg==,type:str]"
+																			"key": "ENC[AES256_GCM,data:RFAaj8Fq,iv:YfRt1gDVcOk1bI+ke4LMQaONCw7Db84Kn0LOkD9xOhA=,tag:oVViF/29Vm3CBkvO1JdT1w==,type:str]",
+																			"name": "ENC[AES256_GCM,data:Y8CEOwu4,iv:zkNY6XzEx5HLjypLq1Zf5/sPpCLXA65xOjA3upE1aHc=,tag:MOPcT4/jRCguE/nB7Pwbbw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:vrW1Hhr+,iv:Wy8v//NWdnAVQiESnZEjh6Wxcgq7YgARYgMKbJEn840=,tag:8B+b8KgpGpr3KRh7k/d4gg==,type:str]"
 																		}
 																	],
 																	"passcodeRef": [
-																		"ENC[AES256_GCM,data:Z8jOUhli,iv:AAvMHKoBK4eLJsVj6z1s8yY1pl4CCm4etHFxuYxR7Cw=,tag:zCzjHUDNWs1PwPvS8ORXFg==,type:str]",
+																		"ENC[AES256_GCM,data:AaRyRjdo,iv:utKEVZ3EyQajBGdSfaRyvFllIFlTkAYq1k96E9/bCe4=,tag:pZ2wqg71UySwrsKgZrbfMQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:wUgLgK7Z,iv:R+YJIx3g3yvXLuYnxyJLJCLIjaKvvOPc4kxRwh7pksA=,tag:LvJJwIaQ+OAKZiOKGyNFTA==,type:str]",
-																			"name": "ENC[AES256_GCM,data:vsozU9GI,iv:NnuYW4pwK8ZTydmDuTl5cGXqbxdvrGRlj22NSzniH6Y=,tag:1Tr9jONYV/w7eE3dJzkeJw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:qjr/EnYo,iv:mSbQ284L1qWeymmz+aWvNQ6faDFX9CgJTEp3935hqfQ=,tag:TtIBId+7YXwyjoICGAB9WA==,type:str]"
+																			"key": "ENC[AES256_GCM,data:9dzFEbEO,iv:WWoKsVStL6T3EIe8Zgti/lj8w9WGlYLrYJMxJ/Q9m6I=,tag:Aky+UNdMlTQbcTDs1cJvYw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:BEsSGUHP,iv:nbpCSaA/qy7knmy6Kp+bD0JsGxyQDiwTXdjRSMCh+Xo=,tag:hcUoFzlLKyLbDtSrp+aeQw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:r9eQuyw/,iv:nR8jss0ZvfmNoksgx1MH+730dnDJ95lMheUoR/kC8o8=,tag:xaFbLXTg8Jy3NDsJjMofKA==,type:str]"
 																		}
 																	]
 																}
 															],
-															"environment": "ENC[AES256_GCM,data:R8wn745/,iv:7WwlBEN0mTrauH5WScQtfeJ+Oq4SJXLfV7YidUbYkIk=,tag:Yz7TeNT7/C+M3lfaGYbE1g==,type:str]",
-															"project": "ENC[AES256_GCM,data:itfsVVrj,iv:S6PGkeYyE0MWr0h/Wxyuv4SvR7BGN65KqbRkPjgYglA=,tag:XBtpPAdrKzZqBiR8eD0uIw==,type:str]"
+															"environment": "ENC[AES256_GCM,data:LfD6imwd,iv:23GE0BXnOj9mtwzypm8meVA0KmFvQAT1w1I0fEpWDyg=,tag:eAQRvObaHnPOdzzYDxeBQQ==,type:str]",
+															"project": "ENC[AES256_GCM,data:T2wx75Si,iv:ERcChK1gHBOKRw0zd0cjR7ZlMj2Gyc+XmlcDS0dETKc=,tag:qiEj/Ps/TMtfvwWZOltSHw==,type:str]"
 														}
 													],
 													"onepassword": [
-														"ENC[AES256_GCM,data:A0/rroY3,iv:5T3cJPbsNrS3s91gEjB5J1EMiWFwHMl1KHEzSH4C48Q=,tag:iM14z7Ivr0890P7nv7W6Iw==,type:str]",
+														"ENC[AES256_GCM,data:DfXgDCNs,iv:E0VwweXME4cvim3veHRUECl/rSLYCA/YApE4NKF7OQI=,tag:p/PXZETqNlkOlWNE5A7CHw==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:eALcum8Y,iv:8NB3cKlLkIiG2bYVvXD6VVZZhI028WrAygpAvhyoRhc=,tag:WAMy3/kiINxuVO/1BqCpFA==,type:str]",
+																"ENC[AES256_GCM,data:O1FUakKu,iv:ODvh9U8lPicAmoCY8AxDMJYZ9BfvSYsDYZTrlRgjtb0=,tag:B2768iiT3V1Wy31dsEHwiw==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:MrXMO9xJ,iv:DbjJXWlY0uUYrHdPAhQmBDuxHSzkmOeO8RI/YZGxYY4=,tag:Ual8uhlKqVwkPmF7E/e4sQ==,type:str]",
+																		"ENC[AES256_GCM,data:+5QVyguU,iv:VunCyYofvP8j/txXULijmSSmfDaA2r2l7D2lqOAS6aA=,tag:rqCGomTC5/uCeFcN8V9M0g==,type:str]",
 																		{
 																			"connectTokenSecretRef": [
-																				"ENC[AES256_GCM,data:xqp9exgq,iv:UEd2QsQq60YaLsWzz0j21sOCE0oqFqcB9wxOQS3qwJ8=,tag:pt/onn83KSU3Uv0cbpHRdw==,type:str]",
+																				"ENC[AES256_GCM,data:Y+ZU1Y2x,iv:b9bY/9MyHeowN9Lb9MSBqMp32rR2wj+xsl66ptqr9vE=,tag:S9x9r7ti5ii6Y31D/wo/7w==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:mHnmg77p,iv:dP+/Hclng9KFiX41x2iN7xqJ+jZLPySNhaotg2sagf4=,tag:NB/saGU4sZokv7F+bRv92A==,type:str]",
-																					"name": "ENC[AES256_GCM,data:k5O4mJtV,iv:lnee+NsQZ+XwhsxY7q4V9RUoWXGjINRriYW+VEKfFVE=,tag:7yXD/h7IAMGIZE+pGQ1lmA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:1YBJKCdu,iv:6YUOaoHtpnqMg+mgHNcLufhzAGHqp0czR5Om3DLI2yI=,tag:PMbxsnoq1FNHfbFCkpCtcg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:o9E2OCTZ,iv:SeXiERup7wVsBUL1xwcjBxu9xWHyaIUrx/rHpmBWslA=,tag:seiws0IzGlhRD2dFpXNESw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Zi3sxu8Z,iv:GGpMqyIAZDRqeO3/xo0YUbF89Zk/4iNGJH7qBBKVqEQ=,tag:CS2GKH/irFmZus7H5pxDXA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:S0htSAV7,iv:ICPZdH2Uv+PgLkUXYWO/iAlPcKwKm/9TbrA6CCGwGUE=,tag:R6zJOfF+KlXVDMuHhptHEg==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"connectHost": "ENC[AES256_GCM,data:87nTY+f4,iv:lsi7tHVVoosP+iyYQbxYDPCG5Vu/gYVqeNUb41I1fG8=,tag:LajnolQhTqGYBi5cPawf1w==,type:str]",
+															"connectHost": "ENC[AES256_GCM,data:6fcoEd7+,iv:qv3H7Ls3JgR2IL2nddzqh5ryYLfXEzbx4Q3hAW2U5Dg=,tag:+t31NyoywclBl9fe7/6uxg==,type:str]",
 															"vaults": [
-																"ENC[AES256_GCM,data:kjcZ,iv:YF0eptA28ablJoxQzMG43vUc0bnqgnY5SxwNi/IowoY=,tag:EB3/jLLNFBZjT9+W5L7GCw==,type:str]",
-																"ENC[AES256_GCM,data:UJAvt4fq,iv:se0PEA2UnLMKeeSakcrBS07cDlyqBtc53mYJp6kK5hU=,tag:WH2PZrFMq+fhtZ8kMJztaA==,type:str]"
+																"ENC[AES256_GCM,data:Z5Yj,iv:KKZiHAR+uHF1tSUxM2bJurf5JqSDtU1twUQ83o0WrgI=,tag:/OUi1FwqvHAXgDgbsxyrmg==,type:str]",
+																"ENC[AES256_GCM,data:lFQfJHzM,iv:nJBuWzgo4n1XZPnUOZs0JiSfM8ts1qFS2pjud65WpvI=,tag:5Bd0+OAeqB46clpKsx8tTg==,type:str]"
 															]
 														}
 													],
-													"oracle": [
-														"ENC[AES256_GCM,data:NnOLn9bL,iv:w905w9KVcm5gL80surZ6SmwS090X9artmxEpo0BdQsk=,tag:8nys17mk4Lqnh5xcg7m/OQ==,type:str]",
+													"onepasswordSDK": [
+														"ENC[AES256_GCM,data:rD829nRO,iv:OK25IFjx3CqQR5Y9NDmPw9Z9U0aoW090K6dsURaq6ag=,tag:6fpJiAtDgXdGsIDeMLrqbQ==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:ONjQ9SvM,iv:Bqg2Yn0Ubh5rfaHVmwtPG28BI9m0/aiW5WijUjBhwFY=,tag:/t4PJPG3mJP9kWdUi48+5w==,type:str]",
+																"ENC[AES256_GCM,data:WrTpSM7x,iv:MXecn7TPpkr6A/l5D3qrGfO4i/3rzgCVsnKpdF7Ub+U=,tag:FvJ2X8x+CD5Po3Tjdhe7Qg==,type:str]",
+																{
+																	"serviceAccountSecretRef": [
+																		"ENC[AES256_GCM,data:niQlKv+c,iv:U6u7/Ei4/BpkxZrXdDPc/17qLeUyfZqj/nkFxaOYrX4=,tag:bcAE7hEWKXICMAdxDDiAAw==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:HPSWJt2s,iv:PHzaichIIkDTZU87c+YcUPZZeAG0KhQv2sxVmK6sDnU=,tag:Lk31EEAGohwIPfaKXBAV9A==,type:str]",
+																			"name": "ENC[AES256_GCM,data:xx002gZW,iv:pO9FeiLwOzkyERdOKEwkxE9WogQoffrl9YVPmSmqMIg=,tag:JNfHE9Aed3t13mtQdoR8Hg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:ideM4gLM,iv:rDl5iYfzTapnrMAgJMSGNKyCdhZQZJkqJZwIWe6+BXk=,tag:eyIzWEqDV0dqAkloFM69VQ==,type:str]"
+																		}
+																	]
+																}
+															],
+															"cache": [
+																"ENC[AES256_GCM,data:Hx/tWBMG,iv:tnb7VR5gTvp9Yl//unja9Y/Pynttbf0AieZepGlgG+4=,tag:5zLfDds7t3BrchgBZWtQzg==,type:str]",
+																{
+																	"maxSize": "ENC[AES256_GCM,data:wXqaNQLf,iv:xvWYBIvg0b0tAqScsylaHjwjONlNQKtHQpwY1pGvkfU=,tag:mrzRYGhaf7zv+swsJh9d+A==,type:str]",
+																	"ttl": "ENC[AES256_GCM,data:+mdXii/u,iv:es0M7bih+ZB78iWKhcnOj97q2RBTe2lbsAfZ9uXpOEA=,tag:v1QT2N77+1IspxtNy06AkQ==,type:str]"
+																}
+															],
+															"integrationInfo": [
+																"ENC[AES256_GCM,data:jFL0aVkp,iv:n33wyUlBKkUeLPBMnb6ZwjP1seq23Xy4cOK7cagklpE=,tag:FoMJ7FVSIM1FLrSgbaKjBA==,type:str]",
+																{
+																	"name": "ENC[AES256_GCM,data:cv15zxrV,iv:SIiZvL+73tu34/uMJONkqr1EgehqV+28zcSEwmthq/s=,tag:t+RxhK4qgOXIZzSth7CWIA==,type:str]",
+																	"version": "ENC[AES256_GCM,data:J7/+ABc5,iv:FvVaePXez/3YYtqKxNnakdvtkXygga7KaeP9zW4N22g=,tag:O5IaW8TjVRuv9GkFYuTx/w==,type:str]"
+																}
+															],
+															"vault": "ENC[AES256_GCM,data:Jdnso/+l,iv:VmUlclguA/pQTo9ezEk21mBD1HMmv2KovELPdtAD1Nw=,tag:pUmFXncRYt0Xao++XowOFw==,type:str]"
+														}
+													],
+													"oracle": [
+														"ENC[AES256_GCM,data:wsLvY5y3,iv:V+aN3fv/Piz1r5+5AYSpFjIWolxZHOYm1oTe/kuyw/I=,tag:qgGTFABQMUPdYb3WD0iQeQ==,type:str]",
+														{
+															"auth": [
+																"ENC[AES256_GCM,data:h0rYaEIW,iv:jk8qYqlvEszQjOBoat20Amjj40pSF3SZR8ptj6qeiGQ=,tag:9KdFWs0KoAqqOpHmDfJRDg==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:XzuNp0/n,iv:k5iBqusIqvZx+mGZo63v3zw9lOgsbJlNWej7TMSnq90=,tag:gqVpDNnNODOqRTN6jzLDzg==,type:str]",
+																		"ENC[AES256_GCM,data:GeJ2LIcD,iv:sQHRmQ8VVlkaTZBqMLij66F6wWiNVh/UtvQ6+b9rBtQ=,tag:B5xFuuib85CY0dFSHd0M/w==,type:str]",
 																		{
 																			"fingerprint": [
-																				"ENC[AES256_GCM,data:ZeNOAI+S,iv:QmtW+/GwZ0fQHzlRvUDGJ4RJq8WddWlUSGPntt3sjMY=,tag:E+Lf1Gruo6n6OsaLe635Fg==,type:str]",
+																				"ENC[AES256_GCM,data:2xWLgPxl,iv:yAPbVx4grGUBOp0fTauCsT/qGjIVTUGexYwS9sGBCY8=,tag:swiXfGsY93BlnFE9jQd4Yw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:an5DFV6R,iv:Vm1J1ZNuLJKMS55/jvB1m66e1bv6knqGbblm8HfMT70=,tag:lg2J+2cc28a0fKgGNuNxBw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:4JEbyt+z,iv:Kcl7phNLr5NCmGC9w28JXsCxaFb1GM6fpj3MdBEN0yY=,tag:+BLH2I0moA3eKGYgpA2VeQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:gU5N1Jbu,iv:dAm2aHobJMMF07+LBkWRne5zTSLx+VVPV6R5LxMY36g=,tag:Umt61ksmgqCB5e/VOLNoDA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:6S0Pb6kQ,iv:NoaviyE/HVyGPsXqnIxgz75Z5L5EKtg+RNs9FmNq1+w=,tag:bwsZub+UjJY35ra1acscpQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:QBy5bZkA,iv:ByxEbg19KIqNHcM3fcspCpmvIq6wRt7LGCpJwSvBk0o=,tag:3XMZS7lZMATqesd+r8B3Lg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:Xze8/tWB,iv:sGX/bPRH+Y4cc9PXitLQo7xpX4FSYRIckqyMHzJphXw=,tag:o3h8Q7xHIVpyXrTog3XU7w==,type:str]"
 																				}
 																			],
 																			"privatekey": [
-																				"ENC[AES256_GCM,data:J5WsFAbJ,iv:/7pibb2QNI07ZG7Ok5zb/ieNhvkhqhsWjGggsIsJqO8=,tag:4ji+Ny2RSgnFCI2iDMI5Qw==,type:str]",
+																				"ENC[AES256_GCM,data:IgyGEmFH,iv:vZVJigOufplmtNtKDBO7VR9X8xaFJ1WemE1gh9nrqsY=,tag:xljF36M2rr3Kv3FqmPNadQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:ZYLEpR6X,iv:ElL3wRH4V1uMG1pCfoWdeyOkudjLtjQTErZcgW4Q/Nk=,tag:M5v4rmTMapoQgYvBQpj64Q==,type:str]",
-																					"name": "ENC[AES256_GCM,data:RKQRzhob,iv:+poofVnH6UPQkNVDXKfNBYCealC+r861wGPN30fKRKs=,tag:qxjcj3Ch3buA/qDaFWbAZQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:069Cwj3w,iv:GVEEdF+vm4kCghCc0KSlije2sg6HiGXiJiB0PEnx3Tk=,tag:RHMxOHe95C/V9ytQgPGeog==,type:str]"
+																					"key": "ENC[AES256_GCM,data:r1a/eGSj,iv:FhgVOyr0QfECl+kudnKr95ydjIn/et8avBbiXwde9cE=,tag:yVYMRpd1AFznULA8H4bw+w==,type:str]",
+																					"name": "ENC[AES256_GCM,data:ExiI4lPH,iv:weeCpH26l4gvG0rPmtNQB73cKVWzRoz5c5YB7PKw5dQ=,tag:6J2pFjnUtLkpVZP0GAm8Sw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:KfuaDMEF,iv:YLqGEnla/0nsLAZYUKUM8HjfhBDiTKvTcTwmyDhCzE4=,tag:Hjkp2K8GruNYCTPAwie2dA==,type:str]"
 																				}
 																			]
 																		}
 																	],
-																	"tenancy": "ENC[AES256_GCM,data:fZq/m6c6,iv:B9XINxkMwlmi3k/4f62JCXtHNWUJKvQbk3SBQ40BThI=,tag:VrEguLDv2AymKFBuTdPxFA==,type:str]",
-																	"user": "ENC[AES256_GCM,data:0pROClxp,iv:99GIcaWL7IyOVkR+QGV7ssSlUdS+jwamBXZfOI/CVz4=,tag:H6c7RmiVd74b9QLdcwDYpA==,type:str]"
+																	"tenancy": "ENC[AES256_GCM,data:aIZZNT4C,iv:6zfNWilCe9vZTLGrOw0QCGOICZqP4Nf1NtuMPLrCTFI=,tag:3BU8Ex7k1ptsIlHjyCyIzQ==,type:str]",
+																	"user": "ENC[AES256_GCM,data:EZ+iHeG1,iv:88XdWvIzwxfenAdiQAzuhpc0dfPkIuQ9VI/cqdu6K10=,tag:hwnc3ym6WIBU/ym4rx1/mA==,type:str]"
 																}
 															],
-															"compartment": "ENC[AES256_GCM,data:85ZmlaCH,iv:A5/AZPAxBHIGKK9pHhStuWyfYrKf9y+03zoOYwOGvjc=,tag:LpZZPpCYJC9iMD5BToFonA==,type:str]",
-															"encryptionKey": "ENC[AES256_GCM,data:qoe44cud,iv:MNVVIQcnWTAlT3axJ8uMC/wxK3whC18DvZgL+YPcZag=,tag:T83OlmgjHRj+A9vwKR2HNQ==,type:str]",
-															"principalType": "ENC[AES256_GCM,data:0PTF7S9G,iv:RmzwqANcmMKJl3gPl2+CZN8ARiDNRQsTzGB+4xplMAE=,tag:neeMLcBnjm+ZYphOx80ECg==,type:str]",
-															"region": "ENC[AES256_GCM,data:yoFeqAxu,iv:+3LoU2r0jE2WXCfCW6gU4Z43x5lcgeziWAYywpuCAjw=,tag:qJTCPIbu33A64WnHqI8Jug==,type:str]",
+															"compartment": "ENC[AES256_GCM,data:NUdfuwLw,iv:izAVTy/kVc7e/dTqd8dnBqxlzvrcWO+pMDoteK+meLk=,tag:OFygospVxyGmShvEOfYNYA==,type:str]",
+															"encryptionKey": "ENC[AES256_GCM,data:ea0cgXZV,iv:qZYR+MQkzF3IFRsT+GuiD6e85imBAF/8kb0nUM2TI3g=,tag:WBOtRRR9Qo9p/4ooFtZurg==,type:str]",
+															"principalType": "ENC[AES256_GCM,data:HQqWkLzB,iv:ML+7XDS9Zh+5l/s6uF7kezErBRM1KoljRMQUj7K2+C0=,tag:S9/rrrw2s/0OcI3M016+3w==,type:str]",
+															"region": "ENC[AES256_GCM,data:5tkmxk67,iv:IwNyZQ6J/KdDSvSi0ZeZ6IZMUMSbmhzGCd33RdpYnpg=,tag:2lu/vewgqlwop5Qj7+Fpvg==,type:str]",
 															"serviceAccountRef": [
-																"ENC[AES256_GCM,data:dVxQXSPM,iv:KoilDxQjMH7D1KiQl06+jsDuZccmGCB/81vdD43395w=,tag:0LGz/9WQPIeS9am0p3koaQ==,type:str]",
+																"ENC[AES256_GCM,data:9vZNOl6I,iv:Am2OTLWmIUejq6/RbDv/xb5TdV1rrXkYxlbUR4z0bNw=,tag:qs93nQ9w4cnbudEJ8ahHwQ==,type:str]",
 																{
 																	"audiences": [
-																		"ENC[AES256_GCM,data:G1JAEA==,iv:IXrz2Fh+C6yaUPJc52RreKq4IlPeR29nSFN7JgvRVZw=,tag:iYzR6mpcsodoFq1+LzfrKw==,type:str]",
-																		"ENC[AES256_GCM,data:/rNfBaON,iv:tcVPvUsEGtYHbjKthTrnQ2WGKTlWPiPC94V8WmY+yVw=,tag:9Zs9+iRFfum3mpo6nQebyw==,type:str]"
+																		"ENC[AES256_GCM,data:12G63w==,iv:gpNxQBD3EQJpOvsnRPxctfx0oo/Qc1QKKRbjHGbmkNA=,tag:4kkfYCiu1ycBA3RYpgoBWA==,type:str]",
+																		"ENC[AES256_GCM,data:fKutkJ6m,iv:Kvbob5MSuzshBvxoUSK00E7haAPuhHmkFsDtu1LsS7U=,tag:GHhlKQm4IkHlTEwlknq8+g==,type:str]"
 																	],
-																	"name": "ENC[AES256_GCM,data:pb36MhHw,iv:IOQh2rBm4oyunfNljDdVldcldELayLVRpjkrf/mLbYw=,tag:z1J0H1qmDNoMCCh3ZCNLAQ==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:huhdxMl6,iv:g4xOe/J6CE+Hy88tGte22OAhQG8aIuYzsK22307KXpY=,tag:KYUFjlUxYn81ZniVNOyC6w==,type:str]"
+																	"name": "ENC[AES256_GCM,data:rU242YhA,iv:CawSg77cQAK2cwNTjmhHRBBWCAzq4HPOof1y/qnZQ/w=,tag:v9pxvZneUuZDZ4xZc56xWw==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:/bM+iHxG,iv:yoIz+MUvCQEL2lWVg/bJ0neh/IV6cEAe30IX4fFyVJs=,tag:89/DIzykADMZvGds2An3/w==,type:str]"
 																}
 															],
-															"vault": "ENC[AES256_GCM,data:eQIAgcY+,iv:K+2rEsU/r3GqdeNlWnc3U1R/JSp4P3aw7B2EFmtvYcM=,tag:WLZqTes2rC7lABo6Q1EUXg==,type:str]"
+															"vault": "ENC[AES256_GCM,data:e3Lf5sjx,iv:pObgxxb3MiSWz0U8AaPDEhk1KTxWl90FsVEMnu4AAWM=,tag:kRJs3gSO3p3u/pSeeDTRjg==,type:str]"
+														}
+													],
+													"ovh": [
+														"ENC[AES256_GCM,data:Xk4+8Lbd,iv:x0gWwS0mje3edmQk+HkTQqNVV0QSw9AteBdoTT9VbZU=,tag:zv62fPwqn65zpvFTgMXoPw==,type:str]",
+														{
+															"auth": [
+																"ENC[AES256_GCM,data:d2EJm6aL,iv:dNpdvqKRcYZepCpDN4UubXsNb8/We1Ywgk7FY3F+x14=,tag:gfA4uAQKkicuRzC/Flp+Sw==,type:str]",
+																{
+																	"mtls": [
+																		"ENC[AES256_GCM,data:Gl+qbgO4,iv:+kqdEgkuUGcGhlLvk21ApXMWjFaJ65nPGlsx6T/Lpbs=,tag:+K4Jko/p2ornAIm8IGjRsQ==,type:str]",
+																		{
+																			"caBundle": "ENC[AES256_GCM,data:0G1HqMcK,iv:kc/NpnRTsSFa0aQ+5T+nnaC0Q5LEriSIgil9cXD83xY=,tag:ta9JfkACRtb3BsgmjwyGLQ==,type:str]",
+																			"caProvider": [
+																				"ENC[AES256_GCM,data:qS3Y+37W,iv:k5eEi+SgF1+hYqwxwZoUZak0hgAqRcNG7f+W88/TG3g=,tag:qSTUpb/OFfS50T+EUj0sKA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:GY0MDCwI,iv:KZ4BrYM/q9ALQRRAGAZKXfpMcwy01xvy4vNVgMkClX4=,tag:8PjfdNiXPjLqJDkdGETpsg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:f9VKfSJO,iv:2LutuoVPuKxHLFS6tP7SJxy10J2rRxkcMhK5ohzrGyE=,tag:aPl6mX9q+r9zQ/fZuNoEdA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:sF6MX6SB,iv:XbKVyGCq8HUz32NgPcoFHgQ26DXTgGL2JnVhVG65+Xo=,tag:tp1nwC5OA9RK7EEca8TK2A==,type:str]",
+																					"type": "ENC[AES256_GCM,data:0LWNMp+t,iv:Qfv8pOwgdAlkuRV9to2IurPxwY/yYtXhbCgH4voM2FA=,tag:qESvvCM97ZalFe3fjuE5zg==,type:str]"
+																				}
+																			],
+																			"certSecretRef": [
+																				"ENC[AES256_GCM,data:5CHtHiyx,iv:c95m0ja3oyyPpBCLCXJuWj8/fNt3j1WJHFpKKd5K0wU=,tag:1CxD6WjRjBHyYPInGuhGhg==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:IUBFCYwQ,iv:mH2BRH4U0JMnmN0aRk7RbbYNPCuTgXW+RihKzRRYwG4=,tag:RY4CZ1PLlhY/LcZ6jJ2aYA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:LopzqY8J,iv:Sz+G1KogMwbMKn12ii37mwa9L0JIR5iL8QHrhSoVA+s=,tag:otMSsUmHVkq4lIIPRmJOkw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:reR/ADLH,iv:LkCpBUE1cnB2xxSmjKLFdRLn7UcoLfCOeXAkd73FpY4=,tag:ssaclZnVnHKNKzm/gvan+g==,type:str]"
+																				}
+																			],
+																			"keySecretRef": [
+																				"ENC[AES256_GCM,data:DV9sldwM,iv:OEJM/a7e7IiuNobGaeJ8jZvyGsep8AxvnRMffWegUzw=,tag:vrGDmowzjjDd7lrpkAVLUw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:WxB0Tq2S,iv:qRHT0oTcFgJ9BbvlaIYIp/1+yB3Y0Iu80TX+BO05KaU=,tag:pWhUGWUAnIyKjSm/VTXAfg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:sV8Q1tHP,iv:vVk2dGSOYlJo1SPSQKpbMEnJB6iJtLnUM7eIXrSoJ8U=,tag:YLFqR53j5mskQsZjHUqGpQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:VSn3UCEa,iv:jQW/JMonofnE00Gz/PpGhy2RLNhyMYmcInQpugQKDhw=,tag:jzjend7SHN3g/4xc/O3kTg==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"token": [
+																		"ENC[AES256_GCM,data:EoDnyCNI,iv:JyGjJyt3YGiV873AapzQ5LbheT7XRBee5AH632P1Q2Q=,tag:2YsPo3oXW9aAKVUcGaJH+w==,type:str]",
+																		{
+																			"tokenSecretRef": [
+																				"ENC[AES256_GCM,data:gd56PpUn,iv:gQRYRCJuPaI7IC1kdPnC47cJWDu8VkSed8beeBOXUnk=,tag:J93jUj2zwrIJbuSGJS1ZsQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:sWxTpAOO,iv:82o6f85kk3IPgHh8V1B5D+q5Egh4DziyOv8Uy5J9P8k=,tag:g7Tp09B8LIobG9EaUD0aAw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:QVowtvjv,iv:Ix7sXoPMRUPSxDaYn14WYooZghiA3zE+xqCBPsZ1Il4=,tag:QrnbvvkweFWWoDVmqZF2LA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:WYtMwtdU,iv:XSmJ9GW6z0rHSWMi4nHv8WYdEyJYCB2RXxPZgjr6y/8=,tag:eym72Tt1FG315CsPLs4oZw==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"casRequired": "ENC[AES256_GCM,data:20dxdg==,iv:3Jcu7LtQxmVOYX16NGb5Nj+gS0Q8Lp4aon65LcSEDuA=,tag:KxmUuGUgE8q0nxl1cV+nUA==,type:str]",
+															"okmsTimeout": "ENC[AES256_GCM,data:EeNml7kX,iv:WLo8R02D/0EQQlBGGGFYvXl6bzHRV4w1EJgbGpZRVeM=,tag:XUlDj33tXONm2gWDSxPL9Q==,type:str]",
+															"okmsid": "ENC[AES256_GCM,data:Uu19olYH,iv:UhB+N9KVeeKgTnIr+nW+dBjy4SN5oX0Zw8U8JD5tmKw=,tag:cyrRhaYYOO3VKHnS6PzhaQ==,type:str]",
+															"server": "ENC[AES256_GCM,data:7LBwweQo,iv:rsQJ4S5HY8f6At3whdDGycL+lHOyTTNOja4Ny4RgBRo=,tag:+eoJ7SRFnCYXn4dQprpeiQ==,type:str]"
 														}
 													],
 													"passbolt": [
-														"ENC[AES256_GCM,data:fxjgG+Mz,iv:b2gVvEtxumSrEZCHu26CS+g7JWwGX1NmaYyqQ4IuzEw=,tag:mKj83EkXQY/ktT0EeoE+VQ==,type:str]",
+														"ENC[AES256_GCM,data:T8tp0aZd,iv:nFuWAAaz3GDkbHGNQzlN1lATmlw6Is4Tx8qHuG3V9Hg=,tag:ZVszZoaPvZmylwMV6jNxig==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:fNLBXTnk,iv:iMk9oOmPoaLug7O0R39Mmnmc6dtjgwlGaS3hNLP2Reg=,tag:zVQ0jmJ79wqDUZXegVwJhw==,type:str]",
+																"ENC[AES256_GCM,data:2BB67KBX,iv:fdr1lOgQdEQI/ImfqAEFg30Z69h9E0ZLYWGZbteLR0M=,tag:WLZx18dORfudyG7m1bKxNQ==,type:str]",
 																{
 																	"passwordSecretRef": [
-																		"ENC[AES256_GCM,data:GVRt/95f,iv:435J+6ccz1Wkg0zHbFBuRS7jtwiYPthT854YBCdZDw4=,tag:ckqIwJb/lrsrOs3wEct1qQ==,type:str]",
+																		"ENC[AES256_GCM,data:S2RbpJbY,iv:J+jVA+4CrC8IRYRcQarETDf+URkCouwm+4Jvvar7yEE=,tag:vZLiGVE+jZNpNmuWNWZRTg==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:BES67M0N,iv:+5aequ+ZK7q1oFTENpBBRWPs20R/3KvsXGbh0N41MTk=,tag:EDduv/e849G3Y+rqSuAkIg==,type:str]",
-																			"name": "ENC[AES256_GCM,data:/Bb9Rpfq,iv:SJA7h3trv5R2PW1gl3WVRYwKys00YSWK2afN0uugas4=,tag:y2WSOlLf3idjBQHbinp0Gg==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:pFPh7FUq,iv:GyShsVjncHuNH8R6wm0zIIVr5BTqxTKu13tqFfavYE8=,tag:V+q+6F9B+0nq/C2dbmdPVg==,type:str]"
+																			"key": "ENC[AES256_GCM,data:cEI8S1U4,iv:BvrUuSG0L4D1qi2ErXPabX2FsHyp4pyKBeXI4u9efCQ=,tag:Ii+JYi+7cre3Bhe/CWKSxw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:MOgyi9pG,iv:UzPOaX+183qLot7KrXXM/ArTBACkRqPTA73JdhiAufw=,tag:xSJzwjcgCKNTkLRJqc76hA==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:tKdHBDt7,iv:939jeA4jdwaeh+xy1g52XPvQWcQ0XSkU/q/UQAun+xY=,tag:Ny1ymf/6HOGk6GxdaUU3qg==,type:str]"
 																		}
 																	],
 																	"privateKeySecretRef": [
-																		"ENC[AES256_GCM,data:+CmJUDfX,iv:WRxpL8nzjYUHmDuP+FRnwS/N12Dd3hiQdlaoIisN9cE=,tag:aXbRFNyxwcqvVNZvnLM2Ew==,type:str]",
+																		"ENC[AES256_GCM,data:3yYfow9K,iv:0VcQX5yplmfkd3D/k+lG071283QiJUrsSxMPR6w6GPU=,tag:5uOo76oMl3qS6SMB8tqxvQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:WtMv1OEg,iv:VXUEdYI1NcTwOAJZrK/hZZw3q5+7L8wPKjUrpXJQDU8=,tag:qo1V1GRur/C8YIuK6MShqA==,type:str]",
-																			"name": "ENC[AES256_GCM,data:g3VkdKUh,iv:wtmCwNS7POu+1M5vjZeRHH5qFCX9bxkF8IdH2URsLNw=,tag:gCGK/Fp1NkEqNHJhz2x3gQ==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:homODH5p,iv:FkjDQ8CFiRFh901hs9LspV005MKn1vAXlurqm2FInIA=,tag:upiNGd/j+I2j5oV4OHFEOQ==,type:str]"
+																			"key": "ENC[AES256_GCM,data:JQZluc/R,iv:+gJq0U3gPH97HXFJXiryr70hr5x9lMkxB71gdY5GdLw=,tag:nhXpP797FKpcuf0s2nbE1g==,type:str]",
+																			"name": "ENC[AES256_GCM,data:dti9gneE,iv:eX5btYsTcjGRn1iZqm1T6nzKf9RTJzO2GiYZ7CsusLQ=,tag:0kc0L6uyQwrrn+4FjmPB+w==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:cBY9A8yf,iv:jDTiCyr6su9OvY5xmB+KHt9nG6ojk2OQdoAZLOLhICI=,tag:+qVCxEAcqFilR8UmtZYkyg==,type:str]"
 																		}
 																	]
 																}
 															],
-															"host": "ENC[AES256_GCM,data:0CQx0GLr,iv:frDr5A29GT5uhWJn58UhMbbKnCR9SqrCjhZPJ1327Vc=,tag:eQq84akNypyfcJ/5MpCYwA==,type:str]"
+															"caBundle": "ENC[AES256_GCM,data:1PGlZ1A6,iv:Sp7oqsGPC3X3tAdFObSMRt7Op4W1gdkhqXlP3elsa0U=,tag:AmWAI5gqXX772+7H6/fM9w==,type:str]",
+															"caProvider": [
+																"ENC[AES256_GCM,data:0zZQ1Ky/,iv:QXXJpRozYzgAt9+R5kSug0jzRk2GcSYWFNc+JOwj5dM=,tag:XKyOifNDRB4LjUhTW9ug9g==,type:str]",
+																{
+																	"key": "ENC[AES256_GCM,data:0d0mPSqw,iv:hdzi3TppEpSf6bLxtlpnbtq4DF7SaB3Zn5qF5vN2dJc=,tag:b1lFYfpK5qV0K3HjNk/ZQw==,type:str]",
+																	"name": "ENC[AES256_GCM,data:gx08uWQi,iv:M4rPlFcZ4kPcWi1W462rmuFr2rvs6dXWEaJNktlnq/E=,tag:nMf5fUphHKXq15kiRMZwzA==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:Ic6ybbFu,iv:3p4iz0HK0LZVz+Dg3QMxG0aTurt8iAabhiiPTDipDm0=,tag:YCte1C7pHbIpiWdypaH5RA==,type:str]",
+																	"type": "ENC[AES256_GCM,data:bM0z4qLP,iv:MyNfN0uwA1MMzhveYsdrEM19NmUtK7Mmh4rmkJ3yzeM=,tag:CURxcaodQQ+AELDK6FfC0w==,type:str]"
+																}
+															],
+															"host": "ENC[AES256_GCM,data:ZjEeyisq,iv:5foOgnBbBb1gdqH8UlcmwSlZrcyLMyB/5yebgRlbuaU=,tag:OUkClnvmEbdxOHvF5XYxbQ==,type:str]"
 														}
 													],
 													"passworddepot": [
-														"ENC[AES256_GCM,data:O3cG7QnS,iv:3bqmwdyaRtiE+IVeS27qWAiCLKSOV4x50p64iZNSjU4=,tag:8dhTO7NHAy0ZQVqat92F5g==,type:str]",
+														"ENC[AES256_GCM,data:hludv5cj,iv:/IkdzCBHB3x4zJf/vxVhY7HqGdlnXYg18jjXXpScMz8=,tag:UNfHd7IHqMEXh53d3+tmHA==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:gDylFS34,iv:zGEpTdw5OXq3SsVs8cO0I7z7X661PIPHSJrLfBY2IXs=,tag:5xSEFvUGds6jZmpv8i5E7g==,type:str]",
+																"ENC[AES256_GCM,data:Aoz9JYky,iv:Dm3Di3uR/TE6KRsn0kfcHon6avKVjI72r1xv2TCClSg=,tag:lWOSqghBPa5gt0q9P3/Hdg==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:XEYVysmL,iv:GgtyB1zaDFa5INGHx56/kDm6hbAMXqmt5FUyTahKHFY=,tag:3+yIV1M4yCs4wR9BEZD1/A==,type:str]",
+																		"ENC[AES256_GCM,data:1tv/zo0a,iv:IspbLot7X13BXWBeAWVQoW8KrQTPcyG+lSMao4TSJ2o=,tag:9W1rNfUzc0rpVItdNyEQsA==,type:str]",
 																		{
 																			"credentials": [
-																				"ENC[AES256_GCM,data:cs47vEAh,iv:UbKovZsH+XM3m7VcuSIeo64djUBg5Bu0SRiEyR04BBM=,tag:2/hPA8PGuJ5ElUSLBlzepA==,type:str]",
+																				"ENC[AES256_GCM,data:k7vUg+Km,iv:UoAcSi2tdHc+NdOIRWg5vn1iG7VakXo9gEvw+6+hQLg=,tag:/is3cOAm59UxFYFuXgp0DA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:yplwtwTK,iv:PxWKQJdG6FB978Y9vCYsXFSA5mbH9mlXVR68ct4rBxo=,tag:cXLTB0kwjb44PwN+FE/i4Q==,type:str]",
-																					"name": "ENC[AES256_GCM,data:jKN0bwlc,iv:5wN07Fxz49VE3iTRh7Z0N8m/qy9FkgKjn0LrW51WPNM=,tag:RYPp1tO+a8eKyUgzS3He6g==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:ntlWK3TJ,iv:Yk9jJY519Sa0NVHX8LEmh8R3AVOKQZsQVKgmFzqqksY=,tag:UuT/XPRtMBXlUb+KGmh+lA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:gN1ONTz1,iv:vPBuns60ATCCuF6rWcKxnMg0u0n52odCeD3BXSVcFVw=,tag:w1dT5lUSoOJs41iiBYCyfg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:qaH24oDa,iv:YBmDR79/eLaJ4uD85hH5BENpJ9KagDyOtxXxNMs1IOo=,tag:ekcN7izJXkCKAH2dyd0wfg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:sM19qjkd,iv:bDWlsRLbFk8iODZo3VO72puKNcI862nvqddECQd37Zw=,tag:JIbYvZBw1YntQiOw/LZJmw==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"database": "ENC[AES256_GCM,data:upObF5Cb,iv:CcDnuP/2UkgPChX99C//GwY5FCqmuVCUZvtEUVT9ZPo=,tag:35NUd2Zr/y7HCZ2/Mi3WiA==,type:str]",
-															"host": "ENC[AES256_GCM,data:1BCCMhcB,iv:RXbbfD+Pi3Pnjys+IP8nWXJfwqtcDPYAu6ogxbMj0uY=,tag:Lv2epXjc5M/Fkqt+V/nRfw==,type:str]"
+															"database": "ENC[AES256_GCM,data:9h9LYbjY,iv:pxCIc8Io87OLBeEFFZNWAbk+9mDlLCKxY+6QnPgPOno=,tag:NpGiKXK9b+/McA2HSP5qGA==,type:str]",
+															"host": "ENC[AES256_GCM,data:nDYVmfWF,iv:sGaUTc9C2K3nmLf2KOQhSVhEDFfA3Z6NMplq9WyEIRE=,tag:+xlugb4GSe6T9uKBigYipg==,type:str]"
 														}
 													],
 													"previder": [
-														"ENC[AES256_GCM,data:r45Nfkzk,iv:c1r8VWIMv+qEyA1q4oLf9C2OZcGejJQRDgISvj54GP4=,tag:O5vfyVehSTcBAloZhg9Dgw==,type:str]",
+														"ENC[AES256_GCM,data:P/P2HJ+o,iv:f+SJex6UsQAgK/NBsdSul9Vpe3M8o8FQL9BWk3V3FmU=,tag:I6G15Jflb4X4WL2RNJxqTA==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:uiu935XH,iv:D22Lr7bSmk/w93jZNNaU6KDls6nj2QaC+nZwCHNYdT4=,tag:+KRMUdzv/j4w4mgy+GPmxQ==,type:str]",
+																"ENC[AES256_GCM,data:Nx9mskbU,iv:RhxqpM1lE0tG8B/xWf44gBy73FTlC295bhMTDzJPOnI=,tag:9wL2bdYNA+j67s3arFGedQ==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:wwhLL2Qh,iv:sOXXf1CcT2/ao/lVvwIhugIJFyHM86yj2VSMd7fDX6U=,tag:nS4uAUenMoLmsq/BqZ/PwQ==,type:str]",
+																		"ENC[AES256_GCM,data:QU2lHKy9,iv:leEivohhEJeETA1yoVEQueTrJLB4HOf2wJG0ypixi20=,tag:qNwTH1RaiDHsNk5/hnwXDw==,type:str]",
 																		{
 																			"accessToken": [
-																				"ENC[AES256_GCM,data:PoXKrrEP,iv:B+3vl0zs4L4xDPjZ5x2MrUAK21Ga/hdY4N/c2yKtosY=,tag:3olQY4mxensn09MZfC8SVQ==,type:str]",
+																				"ENC[AES256_GCM,data:LBTa74DT,iv:OHFYCjMUSPs+FiPVErHzCKqOe1YK1jSe9oBqAv2Zei0=,tag:ldXYvli5F09sI/e+z9kyvg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:JDp5DQu4,iv:9M5fSCwbCIVzhpBdTocyaGT//9qGIsaMQ1svZ3m2+Ig=,tag:WZEKwy65NydqY9Bc9Qi24A==,type:str]",
-																					"name": "ENC[AES256_GCM,data:MCblTo6m,iv:BJR2fKHZv+lyF1E9BWDg2qU7LWlSqDtTndhSW0TBjRg=,tag:3X3uslDgzaDP7vYtxPgJ6A==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:M2u32jO9,iv:Ad2LK3F7tmZv4M8zCJyJNYfU4n4DczLMUD98K/WpHkA=,tag:3wF9YvK+vBJwtyoE2zdSNw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:E4xpriwO,iv:bg2rTsj5DTiPU5yBCho8iVAFb0gr+diyOjfJatkqrqs=,tag:VmQFwfVwKftRVwa6qN3BhQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:nGts2IK1,iv:3t66yZs9ZKGBk4oj9OQL6Vr2EbMu0MjoR8LfI3q0JhU=,tag:0dgNBoT/Xjie2v4JlQljwQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:/i21trLS,iv:2JVzBGoDJMXmmbZS1KGkmbj0AbCpZmHJd6qMz25Feug=,tag:YCnzXBJN+m8/VLj2mfC7SQ==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"baseUri": "ENC[AES256_GCM,data:MgwdbtS4,iv:Iu5BDftz2X5pB9dnJPl+7iO2LbBBCBtmRvrjjHg7o6g=,tag:Vvd+rUW0ZBEBNiTk22bEZQ==,type:str]"
+															"baseUri": "ENC[AES256_GCM,data:0Z51zRa9,iv:atS4x/NBwyzQaqq3UTaM54s1+izNhsHSV5fWbyNlrLs=,tag:+Y0ksv1qr+3v59zpsM1Mnw==,type:str]"
 														}
 													],
 													"pulumi": [
-														"ENC[AES256_GCM,data:5n73kVdW,iv:9WbizghZyKvfgiL/NhnVlyqpV6Yc1Q5JKpWwek2CHAA=,tag:NuBikGZu8P4eGcHUgR1BiQ==,type:str]",
+														"ENC[AES256_GCM,data:px8z88K4,iv:Y/AomrMGotmAjYfAxZPb1yHm7mAanYCR24His7CY6uo=,tag:FPb9780HrCQz6860tO9Lxg==,type:str]",
 														{
 															"accessToken": [
-																"ENC[AES256_GCM,data:j/rAyvoH,iv:XKsovbTuO+3jNEP8U0rBrnFt3T1EgQf6WzV33L/vToc=,tag:QJHMwkTomaS2yixXzwG2Xw==,type:str]",
+																"ENC[AES256_GCM,data:aqm652ib,iv:cOrcR3qF7PDozEhEfwD2FJX6XylKZn9Id/lDq52Kluc=,tag:C0xFQBNjkbzadf6LbiXaqA==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:gjZNxIsu,iv:pdJAVlS8jO+WFHi7rePpRnVKzI/GSwaec6eyBAC76Q4=,tag:ibA3AIpU7LucNzHzq56arw==,type:str]",
+																		"ENC[AES256_GCM,data:RYhnwNrW,iv:g/at49mLSBXy7X0nTPfXacGLnpfITFebLOkQBA20T7A=,tag:xeeETWeO7XHnEXZ7vWUSQg==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:aps6t74V,iv:Mo9tpCNgymlgpo5irENbyE2f+mh98NCgCPwRgibVA5A=,tag:FkzJ1Ufy1Q3YU4oeJWAGOg==,type:str]",
-																			"name": "ENC[AES256_GCM,data:mxci1TYv,iv:123/j8i7rlibczpMmLb5klon9wewLoWE6q1suLKzNck=,tag:hCX/CAdgZoBjNspmb+1KqQ==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:fiWNIrKc,iv:6XV8UQJMAzzXm1upGI3OmW6f1gSbJgq3uT993wsWyXs=,tag:G2XN/wW91IsXEokssEfUbg==,type:str]"
+																			"key": "ENC[AES256_GCM,data:I6ye7G/6,iv:nUm94vbRoT3Uc4X65xtBvjLff+3xv6ItmEZey5b1f3w=,tag:xOAZhUEISPqBABmD/fq2GQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:gJkPhjCH,iv:Lsz5Bxykpv7A3hbGhWRodKO7oh2siqb/VNROVsDD5Ng=,tag:yWyJROp9LoFGzCTVtW22rQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:x7qV5swx,iv:V2A33HIyYOVel2pXsMajtnW8RC0Wn7Zjn8gMtvKovZQ=,tag:r8xUWrXsysV0y3gaDdOCzg==,type:str]"
 																		}
 																	]
 																}
 															],
-															"apiUrl": "ENC[AES256_GCM,data:IduOue+w,iv:+Ok83fnDs5HTAJqJXCMjSXKUoa+AcMvgg3o5rO95wMw=,tag:ejrvrP9nCM+yWOrXVbzYIw==,type:str]",
-															"environment": "ENC[AES256_GCM,data:1o+lVXqM,iv:pyVz0Q5GGK1BiegRsccNsKLpKaCoJidgEH0gA5IREXw=,tag:+wmuGMUfUOvscNXJCc+Haw==,type:str]",
-															"organization": "ENC[AES256_GCM,data:3vkhUJc6,iv:jnHP4dYuuXpGs+pmjRkzmuvzVw1cIbSPJBi+mJM7PE4=,tag:Q9ZgtyigkvADmcr6bslJNg==,type:str]",
-															"project": "ENC[AES256_GCM,data:hcbKBsxJ,iv:QY0wmWhmDXqCLqiWczxXYe+YUqUPi7X+Ig6YGKQRCBw=,tag:QFxG3WKM8tXKKHlAJXf3AQ==,type:str]"
+															"apiUrl": "ENC[AES256_GCM,data:4IHG9EUV,iv:f5B/fDj1IVOYc3LGc9MDfdpkUFYRG91WgWL6PuxSjwc=,tag:xgeE5Q9yVQ9RquKGeuh/dg==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:jpxEsNmu,iv:6QzBoVkf4qSniT6uADaYiY1IP3bYmnu9Sm2/XVCxzeY=,tag:ZkINISpwt68i6cMmwhCbTg==,type:str]",
+																{
+																	"accessToken": [
+																		"ENC[AES256_GCM,data:dj/USRHm,iv:Wq4Qvm5VK/ftW0I83Ctfc1PxmPMN4OrQ/zWlImMlPow=,tag:Rj62xQBpDMYFa2LEciFxiw==,type:str]",
+																		{
+																			"secretRef": [
+																				"ENC[AES256_GCM,data:QzMrJ+TH,iv:A0zr7nzrdzBXmX+Wmd642BVbgO2HLR3ao4DSMfjY5dY=,tag:BxgSvAwv/WOGVF67ecf+ew==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:MFEVCq5Z,iv:61lyk9gm6Ch/uWmKpiyFcTL8ztTnnesap9o2mgzIfq8=,tag:vS8Keskvw6HEpmZ6n4U6xA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:T4Qrda1+,iv:k4ZGielAqAU+FP0p1ETUXcRpz5c/91w/s1FEAxW11QU=,tag:musxc3p9I94g1HOiU54Yfg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:knbECSIe,iv:EevBcC6Ctv3lSUcMCZ5lC4JHTywbLUxhZZjwz5Xbrgo=,tag:ldTA3Kb4i5fqjz/XV94wRg==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"oidcConfig": [
+																		"ENC[AES256_GCM,data:QMfYHo6+,iv:0LOoClLsQSzG9qOl2l72ksy2e9WsVfNxoTlfMvXsGHU=,tag:9q67cCop9JlTynH+taf2yg==,type:str]",
+																		{
+																			"expirationSeconds": "ENC[AES256_GCM,data:GMrvz9q6,iv:W/BGwajNZaZO4wFx9ZC/4yJQOhtcsaEcRSuaWlrrYUo=,tag:GkdyeT4/VFoSfwPmAj/ZCQ==,type:str]",
+																			"organization": "ENC[AES256_GCM,data:AklulE9I,iv:y7VDWxQ+RJB9teZq4Xwn2Cx7nR+VQXQ4Qjiwxp0yNwI=,tag:7eTRl2kRW22jutxvlMPbHw==,type:str]",
+																			"serviceAccountRef": [
+																				"ENC[AES256_GCM,data:semaUcKQ,iv:UXexycmjtmuCDOY/e0M8Hp2fgZQvrquerLAW8EOkHNM=,tag:V0+6YRdMoNSMO9XLA6awjg==,type:str]",
+																				{
+																					"audiences": [
+																						"ENC[AES256_GCM,data:H5jVTQ==,iv:IZ3cHjyFRASDEz6iAPYSJyaa3wSepQ93PMNtxFEW8cg=,tag:Ouu2G/SNFAam5WATFRBvNg==,type:str]",
+																						"ENC[AES256_GCM,data:UUK+ryPm,iv:qJz6y4jK61PHCQpEKeZbR85b1fcqRblsBkC8R5Nr4QQ=,tag:2u98r6d4EqwoH4g0SxUcyQ==,type:str]"
+																					],
+																					"name": "ENC[AES256_GCM,data:sXepO+EP,iv:tuYT8rbogL9GLq24seRUsqtePxkYhVoi++A2as6fNMc=,tag:pIFmWlQKNVDRUPP1+Cgf+g==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:po65/L1t,iv:nQTVeUlTULg5NpvWHIS2VIpsuTEQyHMgLDI4x4awtLg=,tag:YmROnvcpgY+pzCrPBK3NNg==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"environment": "ENC[AES256_GCM,data:iNLozJcI,iv:Gp/IaFR0pyyOUygkwh6+nYxnxH5xXH0DwjDhL1N23w0=,tag:QlbWEGQaHorMGy+JpWU+wA==,type:str]",
+															"organization": "ENC[AES256_GCM,data:MMd2nGsc,iv:TgPt6dB/rUmqyADn4Bzf9aI2yL4xRN4nCCjySJJIar0=,tag:PVaOFT9r4htAN/C0BjRxCA==,type:str]",
+															"project": "ENC[AES256_GCM,data:A5tkWlSA,iv:4xSvhZA4g7RQjCRYlqU5yrK2RX7V1dJD6VVALTkUiY0=,tag:VYL8PtHA820it0QikMhVmA==,type:str]"
 														}
 													],
 													"scaleway": [
-														"ENC[AES256_GCM,data:kIgyBB0d,iv:PLJkyrR7Ls9ijegXGTx6x8mgn5rh7iPkq+Z8eP8XZ4k=,tag:EXDfPUIrHxrkCGYmxAMX5Q==,type:str]",
+														"ENC[AES256_GCM,data:TXtxOnSs,iv:e8TpfG5du2Bm5YmCTTQx3A/D/WdqWmS07pHAKLAb4gA=,tag:qxIznnPWY/RdzOB8Fp2Axg==,type:str]",
 														{
 															"accessKey": [
-																"ENC[AES256_GCM,data:rc8r6iEC,iv:/1VKw4v9pLQFZH7XZmZM8xAmPJAqyci8DeOSmTv1D5A=,tag:hKGS8aGbbgEDbbwldyyg/A==,type:str]",
+																"ENC[AES256_GCM,data:x6tRYuAX,iv:9ZFN6aIzogl530lQRabbPh0msF9Wqw+4oe3CJRyG9z4=,tag:kXFQf8qudUb56gYrgfYTbQ==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:cRv++bRL,iv:uc2s3DKyupkMKGvsiCaaQxTV+swjXQ4pAeqLzUqbYUg=,tag:gxJLUDQ0F/FADNYHkyjRiA==,type:str]",
+																		"ENC[AES256_GCM,data:UHJVS2B2,iv:rxT6IUVfIrMziALVGo47BvQmB38tOBG//KjG5b7fm2k=,tag:371DFIxpsUW2vTM25rejsQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:gBS74tQ5,iv:uHRgK+UJMyOXCJM9jYlES950pusBnwp1TDDxkwtSNKU=,tag:KtceOKIzlrzHyt1chsX+JA==,type:str]",
-																			"name": "ENC[AES256_GCM,data:uGcd9p5l,iv:XN6DxxvhrGLgsRvtz750I5vxikoyH7FhJm8LHA+JdeM=,tag:hYGKv5e/RHydz92JQBJKIg==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:1v3KvnFQ,iv:Xk09MCUBbz4BoRDcQuwVPM8KX7/qpR64TfvGm+EzfY4=,tag:JWa/qVAmGvGv/KoobjlOVQ==,type:str]"
+																			"key": "ENC[AES256_GCM,data:d2sB0jXb,iv:FkPNmNgOXVRiV//tbwhMkNCKWd2sTSBfM76DfSfFq9A=,tag:xlNsO+zG7oyT6hRpwRSd3Q==,type:str]",
+																			"name": "ENC[AES256_GCM,data:YhfK2zk/,iv:yLSEioOPvkStYZ9gVSf4OX6SJXm+yEYvhh1Zlodejyk=,tag:iW10FOvHL2yvN6jeKH6yLA==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:sV9yWxe5,iv:RLM9aSmabrOnyWgihBhYTuqmi1RqS6+Mcwro9VZLf/g=,tag:nL0XFXdATao+207BINMrtA==,type:str]"
 																		}
 																	],
-																	"value": "ENC[AES256_GCM,data:seObWMYo,iv:w3EUfpk0YJ2PvntpYgEKgup/56a3kphtGtyzAseKs3A=,tag:3gCZOZTc+eKI1pEesZJVEg==,type:str]"
+																	"value": "ENC[AES256_GCM,data:g8itTx9G,iv:OzDq4sQE/n4+lzZ0S+m+SD0uuTx/g63JRREdnCPL+7M=,tag:aDRyY4FofQhxKhIQ6EWzKg==,type:str]"
 																}
 															],
-															"apiUrl": "ENC[AES256_GCM,data:YzspcjTD,iv:SaNOlvme3pRsgYgERFSUrs9GnWhaczUEen2LSJtg73Q=,tag:eXS89yYrCKeeSzOt+OMrfg==,type:str]",
-															"projectId": "ENC[AES256_GCM,data:b19py64d,iv:wBJtH53e5p8IUweX47Rb98nwFdwmq+UBkByTizrL1YY=,tag:BusQKdYzIXVQ/4wvf+FjTQ==,type:str]",
-															"region": "ENC[AES256_GCM,data:YgKt0+Wh,iv:Abj8/t1b2ga4iJpEvx9RVm1VMpwQI5HZqXkk26IxVw8=,tag:PMlwQJ/zGv2ZK9i5U2Edow==,type:str]",
+															"apiUrl": "ENC[AES256_GCM,data:EznQvwdM,iv:BYWM90GOLYxA0cHfEOM0kiJxQTXk2RvJzIb62qR77GI=,tag:2re2l1eqIKyXynAZvDV02A==,type:str]",
+															"projectId": "ENC[AES256_GCM,data:8DbZzdbY,iv:KsTOwQGGZhzIV9NwXMUyW6m8kqRbqxv5+IcRIIu5ymA=,tag:/79pV5isNE4Nr+XCkBTaUg==,type:str]",
+															"region": "ENC[AES256_GCM,data:UmgbEELr,iv:CDR1G3MhWkhXZXgFsa/ccj3VwgMxUyr83oE5IZ2OwLA=,tag:v6LmYd/JFIZHbtDO4SNjvQ==,type:str]",
 															"secretKey": [
-																"ENC[AES256_GCM,data:3UX88gHO,iv:LejzXfqLjLA0GUd5FTKhyCnlCAXU/3+QYifntYvHhpI=,tag:xr2g/T+AfcL/R5/etcI21g==,type:str]",
+																"ENC[AES256_GCM,data:XJh6ua+/,iv:TXz7NOuCBIAbmpeyf7T8H6kOLm8v0eLQbK7PknGh8Y8=,tag:iSnKOYeZ3K/2Xk6ofcN8Zw==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:ld106/X1,iv:zJyfBreMrVbxBK1mv8F/7PgVT4aU1RsF34YQV0ylH3E=,tag:mm25Z4PPxKnxlMiwwH9Pfw==,type:str]",
+																		"ENC[AES256_GCM,data:5KwDSHU+,iv:THfnU723jXZQXzn/FOSwjXIySL0T5t5iMtyfb3jdjy4=,tag:gtSQjInCCx0pFfKJmDhQBA==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:47NzNsk2,iv:Hxmk9xv3O/7x5G8AALzKsGrO0W8FpIEmFcINEI3DRpQ=,tag:8/sidLxcyGrcBtChXdLQkA==,type:str]",
-																			"name": "ENC[AES256_GCM,data:qgfapkZa,iv:lb5lJDjN9nNkgRoaig2e7wqsAjTDOZ4b2ZBrvqPDJ5k=,tag:2rp/ilkncjf81oMCNRLw/A==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:NPXkFLHN,iv:9lRUhXd6zipKC2ITb64j/NYYwRQhfs4ISPhTkXHTFZs=,tag:9PkyBK7GBSMjbdukVim3OQ==,type:str]"
+																			"key": "ENC[AES256_GCM,data:NLDxoKF1,iv:wOlBcmQtXGkaTz1kSe8Yy78yvOJCMaiUl6wj9nJp2gI=,tag:YxKSWnsFnlc1iHzxxHPFYw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:BWTQmByk,iv:26k2kzeL4cBBEygWvrom3J842JbzdS1RJ2RkgIUOcFg=,tag:31URNw+llILvb+pWriT89A==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:IMyKsMep,iv:4lBKQhk4Y1SapvxT8WlPViiL7dg+j2A2zcqRpIpKjSo=,tag:h/1NK5J79QpV1Ydr5jM5AQ==,type:str]"
 																		}
 																	],
-																	"value": "ENC[AES256_GCM,data:42PR2EY/,iv:CR1TnauAz6eEVhnpHlzAclHlj76+f1yrjoGDUyepzRU=,tag:b/6HhvUpvJESTT5RKxludQ==,type:str]"
+																	"value": "ENC[AES256_GCM,data:pL47wcHJ,iv:LlTV3ta0uxvsiqti7SdqaoXUXXQaUjS17s0a/iFDBWE=,tag:yRUMOjPux2v7QxXewi//Rw==,type:str]"
 																}
 															]
 														}
 													],
 													"secretserver": [
-														"ENC[AES256_GCM,data:mLxNrOuS,iv:cQVxzvbq2ah4Z9yxXk6wz5y+g9+YjqnMsWCWvB7FKqU=,tag:eHoFNghksQuwROUw6+1dOg==,type:str]",
+														"ENC[AES256_GCM,data:hCoikLOu,iv:9qpuLltGPElY8DzgOe4+MTv+cy/vfWauqibyHISsQEs=,tag:HuERTr5Z8VFooYfXmgmp4Q==,type:str]",
 														{
-															"password": [
-																"ENC[AES256_GCM,data:WFXbRhlG,iv:fFFhCDzNRVTH68bsIaSk1H3CssREVIxpa17G3xUQUk4=,tag:J1nftEbmhK0OEYFL5dzRaQ==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:LgDWmraP,iv:/IKXjOs8BeC+EDf2ykbcg9mCCtyUJLIkYhvlV320Y7w=,tag:KWMq7NYsm1nK20FQL7K+6w==,type:str]",
+															"caProvider": [
+																"ENC[AES256_GCM,data:PtF1DIkb,iv:nS8wboyL8qoXI/x3mMtTA3P6Lw+8ow8U4wEP4ZgCI2c=,tag:ReoaX9bf96ucdTRgzjuQVA==,type:str]",
 																{
-																	"secretRef": [
-																		"ENC[AES256_GCM,data:4s/POA6U,iv:fi8j4SDE6R22iI4se7YFBp0K7giMHwWPSqy0jtXlrxI=,tag:NTaSz1lWNBFp58a+aRhZtQ==,type:str]",
-																		{
-																			"key": "ENC[AES256_GCM,data:i6VzyhDX,iv:eszgjVQIrgkpMmn5NOHctSldaKXE+KzU9qaU1eutZ0I=,tag:WR+029RdO5rUApmW4AhmZg==,type:str]",
-																			"name": "ENC[AES256_GCM,data:IM84pep2,iv:3jZrsTtFDU01dXMsM9Ldru4aMT8cxwAtxp02IhSF/Oo=,tag:8Fy2cLh3o5R7kqXzLyNLxw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:/tqXQBeU,iv:ZYJR6onMog9DQx1uso5tvFwVTDfBjL9viC2808hVBvU=,tag:lLzfAPlcyLGmQNdkrhuzkw==,type:str]"
-																		}
-																	],
-																	"value": "ENC[AES256_GCM,data:7tFgJp+b,iv:3yrLQUNiNNbfKwlbrzyDAC6CsjKIsXZQ1iR4U/IxRfk=,tag:4+Mzd2hmNdC603CCc+brWw==,type:str]"
+																	"key": "ENC[AES256_GCM,data:e2UNYeGa,iv:G51veOgjt06hRrqmIhtoiN4bxobH0SA7MCubvEmn0SE=,tag:LUarXmEf3b09tD+bQDIBrg==,type:str]",
+																	"name": "ENC[AES256_GCM,data:VgxY9esN,iv:d+IPx4wKKmcG2048KIZ6VP+J9i9NMBaBkkXET883Lic=,tag:GFZlTgKQoTSBcpQJuKQA6A==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:Qq/3CWAe,iv:/ZjJ55SH8fwOz6DVV8TNgE+Jf9qyPtUyyVubvZIxOwg=,tag:drmYLvfSrGYHCiN53+PGIA==,type:str]",
+																	"type": "ENC[AES256_GCM,data:7vqR2652,iv:dCWcnCIyOpYbyVbizt9nYmNzGhODkTNPYCL8qo7yOKA=,tag:mPHV1fg1dIohI/oqoOgnuA==,type:str]"
 																}
 															],
-															"serverURL": "ENC[AES256_GCM,data:umC9ey3a,iv:nw60P7psveELp0/75hy8HQdzaIMbm4y7aAdwxnl2SOA=,tag:gIa0utaF2B1R+LweNTigxA==,type:str]",
-															"username": [
-																"ENC[AES256_GCM,data:+LOVS827,iv:IhQTzwKA4Du9gmLIm3KsHXkaJwBgfplP+T1LM8w9p4E=,tag:u3pOW3C8VAr6EiiqCnF5Uw==,type:str]",
+															"domain": "ENC[AES256_GCM,data:hgZ69oL/,iv:nuTofZmgBMZWBZfCKT5VBc7xdTV6TLtSQjgRbrTzFUU=,tag:yQ6g/+RJWk8M2lH5MEKIvA==,type:str]",
+															"password": [
+																"ENC[AES256_GCM,data:DtXFy2Zd,iv:te+t6xwE/P3HuHK8fxUwr8A0UbAX7H2xkpVm4UvRHI8=,tag:XLeroYXDuD/oS3wHkJq9fQ==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:4B2ly6+P,iv:OCDpIvUei2UvApLiw4JIWBzeZ8mgNM8qKdCjGSeOq0A=,tag:VJ8DtKyvhgFeE6oP8oHfEA==,type:str]",
+																		"ENC[AES256_GCM,data:1OnCnunZ,iv:mxxvhICWvpf1+7l0bQXLurMqQvN/FanSdBTSJTlPWKY=,tag:f4M55IYg9GKM2vpwqWdkLQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:VhCIcYIk,iv:opbUIYfa5KGIpJDmT2U5Dcmd+jle+7C6bj1sKJUKBw4=,tag:ykQJvD5MQ4e9pnTf6xZiDw==,type:str]",
-																			"name": "ENC[AES256_GCM,data:O2N8GSl4,iv:R8w3VYJabdovm8jLCRFid5ouKDDpDPKw2TcBrxDeGBc=,tag:JOFvnZ06hREqrNfZ4zvOOQ==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:qlKjZnVN,iv:qa6m0GnIvshAIUkyFgH5batcJ2ofmHWsuP0I9fBjOqk=,tag:fS0hI0++vOyEtmv5McJn7g==,type:str]"
+																			"key": "ENC[AES256_GCM,data:BsVeP6Hn,iv:aMxbGPwp2CgIOjXWd9wuO/J05mi0c6u0kfZm6iC/JyY=,tag:Jcv5UAHlLetaTzkPdUEDSw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:ON/Rx1RZ,iv:yGdNXOE/oBexp1IVofnSOjELFBbOb0iOGqJ5skiB19Y=,tag:IToQ5OqndzJIlDBwp7UqIg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:Nm274qxf,iv:7XmdKxzs9pbDC2ahDgKr8/FsOVVNaLogc9amOM+56Gg=,tag:izm4kuB8JDPnAk6lQO8AAQ==,type:str]"
 																		}
 																	],
-																	"value": "ENC[AES256_GCM,data:z4yYjoOW,iv:FxRhNQceGEgzhFZPSWThU2IBTZ6K/reJkL2nPqTzwFo=,tag:Ag75ySX/3NZdoOa61Acscw==,type:str]"
+																	"value": "ENC[AES256_GCM,data:qXnJmV2y,iv:q2tDLyMCGF1qpeRsnpmVKNOxxN+sZ+3Ed+dFa9XYSSc=,tag:MjvwmIpdcALm1kf00t54wg==,type:str]"
+																}
+															],
+															"serverURL": "ENC[AES256_GCM,data:ReQAG+uB,iv:MeMFUmVhgvZ0vzcWKRFchz9Mkdh/xhlSGtG3JN9tO84=,tag:QSan8ZAjNuBhN+fFbai3oA==,type:str]",
+															"username": [
+																"ENC[AES256_GCM,data:hoU9E7dh,iv:eE6BanbUry4h9jdl5T7MnNIQuOre57DRD022EzBlsbg=,tag:6qzNZGPlJQMOeav1f1Bjag==,type:str]",
+																{
+																	"secretRef": [
+																		"ENC[AES256_GCM,data:c4F1pnmC,iv:V384c83f9vE/L4vCf6byHqt01tXZABMFAVuh5icy+JY=,tag:sxq+Vhhgxns0IwlK9z+TuQ==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:/hVtjiTx,iv:CYu8MCBhHqXPtbTQugV8kTxApkKSLH4LvoDAG6/jh5M=,tag:yqlFBcVHqlTXOVcsrffFvQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:BQMPkRoD,iv:b5Q5r06yCP6W/bBa4vyRLtpRyD6Lx7bSx+dx4cuSxX4=,tag:NcQ8Hx+YiiI54pgjOMBEPw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:UGk6Sr5C,iv:NYGcPBSZ88yvUQtNuuM6YLFBA0Q2i4yYZfCWIdh5eps=,tag:S3tKYDckJr0QUB3CcigMWw==,type:str]"
+																		}
+																	],
+																	"value": "ENC[AES256_GCM,data:3P+3UpXB,iv:Ugk15SaXkZInavfeHiOUdfJEBUp5bYBGhr0lV6gRUu4=,tag:dR/xoM2Z45TACgwlkg21BQ==,type:str]"
 																}
 															]
 														}
 													],
 													"senhasegura": [
-														"ENC[AES256_GCM,data:SDtRcVF0,iv:EWUyt9KhMHiB1d/eWYUtp4rjkT9MpyX6eBDD1HyeIrM=,tag:lLbSaP6E/bNYP47DRwyxmg==,type:str]",
+														"ENC[AES256_GCM,data:7QbdoQ5B,iv:o+0gbCr8aj3gAcQTLqnSO6raGMF1XLEYiuTNQmqze8k=,tag:NW2ewxNOHvOnMLWWs8SYYQ==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:T3xAbvq1,iv:cX7JezyeMJzidTpkbVeueWvmXZT06Vt3NF/eknenQ5s=,tag:3jTSF12Z7lJkEm+oFkD3SA==,type:str]",
+																"ENC[AES256_GCM,data:EvXwPIxo,iv:ioJBwoejeH2NeSvxmlCW7bRB/UBKsukHc7TqNJfDZTE=,tag:bxXgumpLUNs0iIi7Usjm7w==,type:str]",
 																{
-																	"clientId": "ENC[AES256_GCM,data:SyaYqn5d,iv:NPdNmvKuahmiBSIdxzmDWfxxXmxbgV2e54is7lBFV6I=,tag:jwzOAQ5YwXT7MFdc2Inz2A==,type:str]",
+																	"clientId": "ENC[AES256_GCM,data:+Xunp3Qg,iv:NX5xInpGaF8eeIjOvcSnggayJZweDK9ntYI5ZybfK/s=,tag:6p9LzjNukTcdEZQ917gzWg==,type:str]",
 																	"clientSecretSecretRef": [
-																		"ENC[AES256_GCM,data:k+8PbJeP,iv:Bk6uNI4U4No6XJx11fVVlDlnFyeHsWvpseEzq61HZHQ=,tag:Go0VKgyIDNTs7HIXkNp8bg==,type:str]",
+																		"ENC[AES256_GCM,data:Zlj3QSHi,iv:o7t8QSfirjnTSkvQ/A7Gzy/AQN6/HSQturSzxCmFqUE=,tag:/Bd/N6x3boNFvIHIq3MK7Q==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:zxjBBc4M,iv:h6DI5K4/7mw0to3moBK+SLcwek213c4NX0SaUyzh8uY=,tag:YkDOrfoTK7iWnZJ7ia0Prw==,type:str]",
-																			"name": "ENC[AES256_GCM,data:2eAAxjE1,iv:ZE8qKXyBCm8VIVy/jHHw//a/hXryBSVotqL5i9V6Ic4=,tag:duJilzKoaRQl3I31ejaqAg==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:pUlaDB4r,iv:ySN8SxKfa12wmbkFUDcFO8aMC71GfLxbI4UGgOjtzw0=,tag:SUpPkd8GZ81m4GaBRqw1OQ==,type:str]"
+																			"key": "ENC[AES256_GCM,data:E7AE1ksO,iv:aqi6zvLwRGl2gS7cx522ohLonU8ZtC3IvA65mSgYV2k=,tag:1oUWGnJW3ACQ26U6X8vXYQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:pDd7I+Y0,iv:jo0AZbYiCW2spMzbyESOlg18ilGV4jz07SVTkpNZMvk=,tag:TGMxH63t1SQrDpOhx22QFQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:lSsde2kJ,iv:XTeDVu2byhEovwKT3/ejRTE3lylX+boraSkOdoS4tfE=,tag:7qa60/A4ZbfH5z5QxEjnFQ==,type:str]"
 																		}
 																	]
 																}
 															],
-															"ignoreSslCertificate": "ENC[AES256_GCM,data:lgm7fA==,iv:Z9AIamvfzs0LFd3d8eCDW4j43ETCsuYOV1LVUew/Zro=,tag:j59Lc2QlWUiynYFzng2Dwg==,type:str]",
-															"module": "ENC[AES256_GCM,data:763QhD8k,iv:8TFJIy3waJDyVLY7g0HyedD5Mzt9Bk8CqIpyW5uREY0=,tag:IUwd3pNwIFTNE3xJkT5VBQ==,type:str]",
-															"url": "ENC[AES256_GCM,data:oQejUNSW,iv:zXcuAedd+hvfPEF0yHXbAI/VIYtZFugSoEMrl10NJ0c=,tag:iBictjZHlQhqr4JYyppVxg==,type:str]"
+															"ignoreSslCertificate": "ENC[AES256_GCM,data:PbGBtg==,iv:2wm2663Yarx4Au7suSQiKgWWiIL7Btlt7SFCcMASKts=,tag:Mu3RQgaVxy1PND9xgd1L4A==,type:str]",
+															"module": "ENC[AES256_GCM,data:7oA+rwQU,iv:dWvUEgAd/mZc58IuMWj5dhS/06QUuzVkQu0PNk0Ym5w=,tag:pNjH+C0QGS+e6eGZstZDSg==,type:str]",
+															"url": "ENC[AES256_GCM,data:cuW0wxzn,iv:pm/Pv2rizdbLhAhtQ+Qg9OdT0e0ZbQroPTW3IwJA648=,tag:x0FHiJJ0vrg+rCsNd9XC3Q==,type:str]"
 														}
 													],
 													"vault": [
-														"ENC[AES256_GCM,data:T9uJZibt,iv:ddRBvQrWudVLLOHyzdliPkRf79AWtPzdhLlry87vWzs=,tag:2eokcr9CukkzV28G7lnZhg==,type:str]",
+														"ENC[AES256_GCM,data:FV1KsiyA,iv:atcYk03gRoz84ihKYlbPPsEwjqpRfFun70rsL9QOHic=,tag:RpzVPP0/5TGgkN9lsU8BKA==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:ejdxsoi2,iv:WA2P5MIiWTEnK09RQ1dC0oY3w1dE+IgwvKju5fXlZ2M=,tag:XSt7mer80EB4lsC2B3T3UQ==,type:str]",
+																"ENC[AES256_GCM,data:mEF4Hi2J,iv:rQyf02AXjqEMaMeEBiyaY8y44St7iacew5u3+dmEz7w=,tag:PTjXNHd+a8S8X7Z0YU7Feg==,type:str]",
 																{
 																	"appRole": [
-																		"ENC[AES256_GCM,data:QEBNPzBF,iv:i1hoou5WmGmLC1p2GqKd+pMPLSfXHiiiCAdnKsrN/sk=,tag:vF8hYBFBITabg91M5aOfGw==,type:str]",
+																		"ENC[AES256_GCM,data:AFVvUH0l,iv:9y/c6jydQuFTng3kP47tQ8YoRMCj21SAvKqNhheBfeQ=,tag:3CAkcMY/lwRO1PZ6qzMchg==,type:str]",
 																		{
-																			"path": "ENC[AES256_GCM,data:wpFHpdJz,iv:irXuH7QcnhbDK+bNWKA8PtNjEppkVjB4pXHnD7ezjjw=,tag:R9v0n7+mH7onIV5xih9vWw==,type:str]",
-																			"roleId": "ENC[AES256_GCM,data:6+LTSDOg,iv:esoRYZ9PkWWHaKp+h/uLBkwuqOQoqqw+UisUWBOOD5A=,tag:aBHmcjoCVfPNoSmtEtDTag==,type:str]",
+																			"path": "ENC[AES256_GCM,data:H5hMEU+Q,iv:F+cmvK2mQdv0i/9o3aPDPHbfndKH7QQiTAVRFHOHPEE=,tag:3RN46nzV+VALk8S1ha9Fxw==,type:str]",
+																			"roleId": "ENC[AES256_GCM,data:lLYYekHG,iv:aWSx5tXf4+5mcVvUyaknikQc7zKosvNbV1lyycZmRt8=,tag:07QPfkuXrUC91rF7yVUOmw==,type:str]",
 																			"roleRef": [
-																				"ENC[AES256_GCM,data:2qxUsSO5,iv:33nsNBLQL5GjUIwjKvwAUWvDu+xJkFHB/F9Rn2FjgiA=,tag:FJqeY/v+edKIXJJCft20Ow==,type:str]",
+																				"ENC[AES256_GCM,data:hUeWHjkh,iv:AkdrUxBatBlcwAmdBBGsgkbzcMcOHEEADQS1BbDsjQQ=,tag:y2sEqmH6qHXm+1waaFS/og==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:vvmwPpa5,iv:bpINuV+u1Av4ZWwfpP2P+Gvz6vaYM28+k9/II4bM2PA=,tag:UQAwA68gS4A3gYS8Vt53uw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:dpThekMl,iv:0y/FFm8wAoGv/vaBm1PfyrPC3UG/M+yv7ZvdLUS7TdQ=,tag:gFenEV/GfbE7ju96kquEVQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:mUOxHOCV,iv:xPPdnolmlCesIQhJuKgwOwFCDo4SuBIMjallBvmLx5o=,tag:UGnQoJVNqxKnQ4iDK/Qbfw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:XxnY7pHj,iv:shsEhYYws/qk4kpBW6CbdkNIQXnS61sS5SxEXuS8QpM=,tag:8gzBuUW5ILK2ag8fMpmO0w==,type:str]",
+																					"name": "ENC[AES256_GCM,data:5D/eVm2X,iv:eSNACXHKPMHO/NdSJqEvHB4P/NK1fHL3zEajU/RNKj0=,tag:DeqJ1Gv1Jpl9F4l0xPexvA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:BAjaEbqj,iv:FOgZQETzQ8VrQAdVbxYwIyyg0UFtsdTBUu7E32u2ZcI=,tag:+KObHhDL1v+2HtDsyoV34Q==,type:str]"
 																				}
 																			],
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:GpcreXEn,iv:nAcTi/Ya1d0D4LYqkdLgjsNcXiPaXDN0piWCTQuJhhU=,tag:uCj7g1OUmbfOyr+3R9AGKw==,type:str]",
+																				"ENC[AES256_GCM,data:VmIPvseO,iv:e5cdkyI+jS30kjPAPLRbqRG+3xFY+RIo3sOCX5e8NPA=,tag:sME7xAUqAL9/XWc+5KkT/Q==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:465tBRUz,iv:FdrLPHy0bgcoLoCX3sqR8jdabZ2wQ00vrhwXT/wS/SQ=,tag:NmtSHFbuvhZ3jU0lNrxtbQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:nTSEbWzw,iv:OpXu+z8jyaLA8TZBl53xr4IbQQPTynZk+t8ifSnn79I=,tag:fDmuBpQZzKQz69n+DZ4log==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:9f+GNAxb,iv:e3i4Hp/KE/DSUXY+SU+W/VBbchxUOeEzjca9KmSLhDw=,tag:sQkJfZPxAtItYkeT3qArrw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:qnQOAIYW,iv:Tze0h7VfQKnSqYLgiPwgvQsxf4MqVyglVPC7PokXAvY=,tag:wH5OCRfIKV7z9gdOs0NC3g==,type:str]",
+																					"name": "ENC[AES256_GCM,data:WrMtvbVe,iv:Pup/n/8Qlnp4fhf2h0/Q/2+izAn8Co6BVfHXrTto4Rw=,tag:nkW0GDpGAz8P7nnl+ZbDcA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:CeU0y7n/,iv:1QpZ9tokxd+1H8PXBHc8LBKuBqqUflaBcSthA1kXEUQ=,tag:TXmYTfa14hMu1EZynaSbDQ==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"cert": [
-																		"ENC[AES256_GCM,data:faR1yLMm,iv:Gi1M+mXWZ6uenz7DYUzCGCmwzRx8FhIBhoXr/QBcN14=,tag:fUz/AHlrWxaJSTtcpXEWjQ==,type:str]",
+																		"ENC[AES256_GCM,data:YEegR2x+,iv:2yvdZD3O/Owzj2O7ZYZmhcr+CgK6hHkD1OXwzdU21w8=,tag:Yqm5tT/TuCtKzgn6M7vRPA==,type:str]",
 																		{
 																			"clientCert": [
-																				"ENC[AES256_GCM,data:sas0gv7k,iv:xaCPioNUd9Ud59WQ1zEMsOnGQACwWujyczH3Vh9yqOs=,tag:NRK+N7PP6Yi+d0yAGwvT4g==,type:str]",
+																				"ENC[AES256_GCM,data:HSx3g6Z+,iv:1JfXSrcUpR/t0dFdw5khwHQZCIeQQrr9Bmdet4rLXvM=,tag:CHU/ApYWJmGrWA0+BwRu9g==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:2Ox/F+oY,iv:yIAt8msvQ2kMGVPwZuACCa8vzqlpJDaCX7RptymDBxE=,tag:/Ab4SPd/miibOJ4d8ccPmw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:vD7GPTHW,iv:I2OOkwbRLAjcwKtrFziwbNGI7rXA10iPruM2+pyoALo=,tag:Vwxwg6bY3drEidZyN9zrsA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:qirHmHhS,iv:065t3WMEhDYk48VnPhjTUo7/TQ/9LWfqt0Sx5x1EH8A=,tag:F/J7/o1TSGYiqkOkfDaFSg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:/MSXp3CG,iv:l3BVgVJa/LjkEJ6GWSY0ygKYGKykbu4vLe7Efnzv7Ko=,tag:EPUnZhu/TmTR6e7/dFoSuw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:t6tMvVPI,iv:YKOo6ERs9gnu2YDyFGtTUsjGjatb2ha4CrDvd9Fy4kU=,tag:jnBbrxrF0SuAbjCzwdYSJA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:yKolqI5a,iv:T5z5QYGiqqlvl4bTSnAsbn8CZU9RwpJ7/zFgd7NtM3g=,tag:F4qRt7jwe0oVG9wOmA0Xog==,type:str]"
 																				}
 																			],
+																			"path": "ENC[AES256_GCM,data:PLqbVHkT,iv:CLCSolWt0UiyOqWWSYiGIziQJZh+wAq6ZQSIKiNiXQU=,tag:L+JOcl9nwTO427XQc6HqNg==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:dh6vh/XM,iv:aGgpW92MPBKJbD8w0XayPK6CxqC+/vExwJWd1PLoKFo=,tag:qvYiuGMoGih/T227Dxbkmw==,type:str]",
+																				"ENC[AES256_GCM,data:s7aYWjzP,iv:YAJnSMB3UUHnM/lhb7A6RexTH8EH8RDXg79TBvma/js=,tag:34ij6UZ74sH6aY4NcopMow==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:HSLu3Kot,iv:ZvNnlJ2o77yywPv1nxEArnnb0LRZmYqFNnHf2klrtB4=,tag:djaD/qyDtjcaLMZ4qufb3w==,type:str]",
-																					"name": "ENC[AES256_GCM,data:sWodtcmO,iv:AxQoqZijr9Hi2VvVmzWMiXTuhOqKJnu8uQm16nqbk+E=,tag:LEimqrxn3kn9+XDf2qRTKA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:vxfh2uV5,iv:ZMj5O5LJpbl01rdOZXiAlUTUikJlAfvJPTbbFRFw5l0=,tag:Zk7utMPjDo8e67s2qjSXvQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:QAGEXBih,iv:4N5RjJI6UrM3TH44MF2uApoeHAacYeX2NUXvvWjl6ms=,tag:qt3GbTMYweFYLoR53n/J4Q==,type:str]",
+																					"name": "ENC[AES256_GCM,data:IQiMtZuk,iv:HQBqKkxNs6/KlTp6Dv24XOo+NnE5IIwrSLggThD2gHg=,tag:9SRy/oqncxuepL/viTfi4Q==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:jAOvfBER,iv:hwT9B1z6TSw5DGVCy9mSboYDVvPnvdWgWWDu72pJFw8=,tag:iq3Gw4Gb8efDpu9HFTqBKA==,type:str]"
+																				}
+																			],
+																			"vaultRole": "ENC[AES256_GCM,data:cOghD3RS,iv:h/XU3fYy7v/9Ne8TBA3c7/O2hy5J5UqWt/y3+7K5H1A=,tag:DzDEeu6WgkCkCyJeWGKrYA==,type:str]"
+																		}
+																	],
+																	"gcp": [
+																		"ENC[AES256_GCM,data:7XanxQ9A,iv:QDPFAeztjYWcLS1nkB1pKUJP0bl0mQ/a/rOyp07ua3k=,tag:xED6m3lNu1d2EKvQ+zPo9g==,type:str]",
+																		{
+																			"location": "ENC[AES256_GCM,data:dKbttcBg,iv:CqFcMKLPWz+6GGRxN9XNVbTsf3EPB+NuStbWw5mmCEA=,tag:kHJvTD6317qhKYpvRau8/w==,type:str]",
+																			"path": "ENC[AES256_GCM,data:LX9t8fEz,iv:ypQCYq/Kw7gr1EDDEoqU3pXK7glIhIPmFuaVovxT1WY=,tag:ZrQy6z6M32RpPggYB+aWIw==,type:str]",
+																			"projectID": "ENC[AES256_GCM,data:75tabVLP,iv:k4e0UFxFQzfO2OGrx5hxoe6MuYPcGH5BJfiiQYwhA6Q=,tag:7g+qjpI22VJWSuu+r+62Dg==,type:str]",
+																			"role": "ENC[AES256_GCM,data:6XotE1L6,iv:yo6XgUTMbKFxtemLaD4RfMNrspdirzKL/R64yVQUXzE=,tag:0c3LgC66O/tDz/WjNU4HEA==,type:str]",
+																			"secretRef": [
+																				"ENC[AES256_GCM,data:pnUFcORQ,iv:8FWIE4QVM0tLqNyCSOlVLwGKIK24J8GfEBRhdA+3nes=,tag:U4oxmETUL4OL9yVTfi2KmA==,type:str]",
+																				{
+																					"secretAccessKeySecretRef": [
+																						"ENC[AES256_GCM,data:AwtcZ5Gx,iv:JWawgHHxfrCwc1Wahp5tj4TDCJSYNZfavZ4ci+NXZ58=,tag:69YYt5CCQe7ZY98/sEwDJw==,type:str]",
+																						{
+																							"key": "ENC[AES256_GCM,data:RURThvEJ,iv:R0iThI9kgDEWHLbEZYrVv1OYekVrutMvA3FwzIb3+QY=,tag:cCfmKMXHwpToxz/HOa50Bw==,type:str]",
+																							"name": "ENC[AES256_GCM,data:C0GAyvxM,iv:zqyf/wGT+O5weSheFa7rhgxzJU2HFzYBsAZqz8bXymQ=,tag:QOx7JvqVaCs+tvkNb66YPw==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:SMwHcKlU,iv:L/6Qg+8p6vTf1g6L6puoCB0iJK7AS9Dw8X2aOwWCL1A=,tag:fChRjH865R8DoEvZW+tbUQ==,type:str]"
+																						}
+																					]
+																				}
+																			],
+																			"serviceAccountRef": [
+																				"ENC[AES256_GCM,data:pym21nUq,iv:TRbdJw2OPxZVU6xYa1yup9yi9NiVu7JER6/7dREuVnw=,tag:zjB7dP+6Y/eJqO5WQAfquA==,type:str]",
+																				{
+																					"audiences": [
+																						"ENC[AES256_GCM,data:mqsR9A==,iv:4Y5UE4QWVLhSigAVirXP+cvfe03a5Fkgyf5KRv940OU=,tag:W8npj6w6mEQHGrjuP+YblQ==,type:str]",
+																						"ENC[AES256_GCM,data:WJzVpasL,iv:NpoI9fecxHEfWKPGjZ76IQTFgd2jVvDv65rOJvzM4V4=,tag:KYShKzHrsInk8jKccSntlA==,type:str]"
+																					],
+																					"name": "ENC[AES256_GCM,data:BA3jYjUl,iv:uRycAx11e5ZEm5T7rXVCctyNsEWxidanP74tebn0ke4=,tag:K1pMNZ0KLs0sOo+k6E3ilQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:QPqqTmWO,iv:2QIFWZxk9znt/uduZrBIfynWAqS8P2FTHwmx5/q8uvQ=,tag:I4w+0Le+IB+jG5OqE9LheQ==,type:str]"
+																				}
+																			],
+																			"workloadIdentity": [
+																				"ENC[AES256_GCM,data:wZDVRtMz,iv:v+uaAYZLTdIPyr/Epnl0D2jTKYv8ujGCOED2ydHXnDc=,tag:VQAZac8KuYOAHXHpNpABUA==,type:str]",
+																				{
+																					"clusterLocation": "ENC[AES256_GCM,data:7eoD4SbP,iv:XjEWchYICG+7irWCEgZY0G6XCy5K7DVVTVQqWA+KBVc=,tag:Mb4/bVmxmgveCb09fp6C2Q==,type:str]",
+																					"clusterName": "ENC[AES256_GCM,data:1neswDbl,iv:ftJ/GrrH+imUv6fduZCM7Vxl7MPYAO/6vYT3QTvZktc=,tag:T/l2jDzwOiceSIFuqieASA==,type:str]",
+																					"clusterProjectID": "ENC[AES256_GCM,data:CHM2k5sN,iv:HywT01jS39Fz4oc4/6mDfHpVMDxCeWVGnPrTBnMKYwU=,tag:X2JTi+oKljfLf0QHrTwBIA==,type:str]",
+																					"serviceAccountRef": [
+																						"ENC[AES256_GCM,data:YUZMKFhY,iv:8ehp2AwHyJKBpdXQjnUNb6GHhrT+j1Mzxb7AFFP11pY=,tag:TZLpsI9PyDy49I+t5AZObA==,type:str]",
+																						{
+																							"audiences": [
+																								"ENC[AES256_GCM,data:T7LCGg==,iv:7+0sdsne/VH3Fr6gLjr3OYJ8Iw/Ahjw92cMaQ5Ypb/Y=,tag:NrioxF7AHEYSmX58iveMBA==,type:str]",
+																								"ENC[AES256_GCM,data:pWijo6Wb,iv:CWmkqDFO1JkxM1UUdSVpaBBLB+ari+tGIHAsaKK08Go=,tag:EVruY1DF5GtiGXClQ609rQ==,type:str]"
+																							],
+																							"name": "ENC[AES256_GCM,data:GTzerZQD,iv:GbPHPQ+ZSMizriZUKXeYKBwjC98RK+qNkMguG4rye0U=,tag:Pf2no55C+gWD2G2tr6eDLQ==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:ayrEy50M,iv:Vg2KJFEHLEyIo5OarM/CrDymWRCBUrsxGUpGrZe3RjE=,tag:vY6KWXl7g3KpEXThpGSM3g==,type:str]"
+																						}
+																					]
 																				}
 																			]
 																		}
 																	],
 																	"iam": [
-																		"ENC[AES256_GCM,data:hdF8khIn,iv:lJie9SZCD2F/EYQ/738k8ERs02mDElTR2UdGf6wY7oo=,tag:0Rt3RVm5HrMkah/p5J/PcQ==,type:str]",
+																		"ENC[AES256_GCM,data:nscRL/0t,iv:PADf/o1KHE5TH7/sWo+hvrzZx1kpxSdC1P86Kqbj7mI=,tag:0Y8vqZHgrDH0/xafpjXcsw==,type:str]",
 																		{
-																			"externalID": "ENC[AES256_GCM,data:KRXXb0MS,iv:/HYEKv4GyALjq3V+nCmQ5WZBVStbLhGJjHDzbdIgyNk=,tag:uhCssIk4elO/plDwhu16Ow==,type:str]",
+																			"externalID": "ENC[AES256_GCM,data:hEFXcdX/,iv:nUFmZBl0M7KvH8Hsd/2hMUe2TjH05F8Gv3kM6kvw18k=,tag:13W6s7VjSeCsSiUjpZGsxA==,type:str]",
 																			"jwt": [
-																				"ENC[AES256_GCM,data:Zdm86tWJ,iv:oUYWTrualfpcBAe8f2/rOT/FUCaxrKbV8rL4HxyOu+0=,tag:1BiJtYpbvuj9RppENDrs9Q==,type:str]",
+																				"ENC[AES256_GCM,data:soB9q+GX,iv:oXecVsg1oZMLVY46nV7btaVGjS0xITumIB9Yy2XDOpE=,tag:b4LZBHqPge5Ev3vIO4kR2Q==,type:str]",
 																				{
 																					"serviceAccountRef": [
-																						"ENC[AES256_GCM,data:apoQufNS,iv:Ag5LI0VVfTffNJBNL/i8T37kAqXuwTvPEQZdeKTQiBo=,tag:ReHlriBPskXWRKnq7wFXbg==,type:str]",
+																						"ENC[AES256_GCM,data:8ijekoYG,iv:ijyrL4nGNAav8YwIwb+blwWPb41abJrUrE67uBIBrtg=,tag:UaX3wtG2WHkPENp6INst8g==,type:str]",
 																						{
 																							"audiences": [
-																								"ENC[AES256_GCM,data:6NvDeg==,iv:Ukzaq4FJCO6mjnbbhjuIht11ivksPhEQdM0ENt1ACQ4=,tag:2PciH/BAsLzJc5ViXX0+Yw==,type:str]",
-																								"ENC[AES256_GCM,data:q9OVhPLo,iv:0HkcpRCWcp7OfT1fYLar8A8/al7Sy0rHmk1U55NTr1s=,tag:seimsBNvEjMsFkruraoO1w==,type:str]"
+																								"ENC[AES256_GCM,data:ALiH/A==,iv:004ywoa8E7SKKFcHAo+dhs922+vo29R0Vi9yZ+GBNJM=,tag:U7Ykvehyc/IFDrPpt3Oo5A==,type:str]",
+																								"ENC[AES256_GCM,data:7pUxp/34,iv:cdEcADVIiN5N+QT1++tPa+FFb9iyMbe4pDwjzpGQEkI=,tag:64nJ5yraIBliZAjV/eTT4g==,type:str]"
 																							],
-																							"name": "ENC[AES256_GCM,data:IS08QiGd,iv:Wz2PQ3BYrqYXkXka8IyZEptXml3bASbCnEYu8on9Cgo=,tag:86rmikwnMd9eOdMRkLMn4A==,type:str]",
-																							"namespace": "ENC[AES256_GCM,data:84Yj7nhU,iv:ojKPSSxAypI6WkbOU1EfrrB7F9+FoKykGyjLZgBUvj8=,tag:3s6KJWdr0CrFHDgnrBpkng==,type:str]"
+																							"name": "ENC[AES256_GCM,data:WYgcmdFm,iv:DuWOqPJpkYJvjzL2/gtXS/3oWqcf1EK7HkhVKzPnn18=,tag:t9OUi4utobTr7wLVB8aeEg==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:33ASayCU,iv:SNJYcvE6A+P12j0iOQ0xQxnqFw3+xS8IuA/fTsXHepE=,tag:KJ+7XHxjN1Vgr3gnaFDqKA==,type:str]"
 																						}
 																					]
 																				}
 																			],
-																			"path": "ENC[AES256_GCM,data:TU2ZTHgZ,iv:z/eLvryx3ggph3ngjgMOtQDv1hK/6tGP+Qhdn+kBmtA=,tag:h1yhsCg6NbahpeR/8SLm6A==,type:str]",
-																			"region": "ENC[AES256_GCM,data:PSVV9Gw7,iv:6y9B0lmWk8+lEquJBhTxOtmPXyoX5NmWtyfHqzT2QyA=,tag:xRxNrIBDs6aBJlfK9buxXg==,type:str]",
-																			"role": "ENC[AES256_GCM,data:uZqHqHWK,iv:hQ66RWb5nifn5IcXlCJ7Si17aHOxWF+KgJgqjufeuRY=,tag:G3b6eP9af0k3Ha82LQz9gw==,type:str]",
+																			"path": "ENC[AES256_GCM,data:9tIB8tnm,iv:Lagp7j6XYD9Xgi6zE3i6yNykFIOkMoE/i+vwemCNyDs=,tag:Zk8f9y1RRzuNg9PFOvwU4g==,type:str]",
+																			"region": "ENC[AES256_GCM,data:VUjNa3MF,iv:Q5tVZck09t00PG34MIPV33/6HHt65vu/7lGJOdtIhlQ=,tag:1628ZNOTFxKQeGSWhW6LWA==,type:str]",
+																			"role": "ENC[AES256_GCM,data:bBVR9qrE,iv:jtaErTtpW6H7ESuw4BSm3DWga2WLvkBb6LOk54sJSRQ=,tag:pq7hmEBWIAugpvww+sbG9g==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:Cuuzhr0n,iv:DlPpN8GpIUISFG6XID/cWwPFTE54MRJZLBolv7+vOFo=,tag:n9nqUbjGa/2N0HSUW7c9xw==,type:str]",
+																				"ENC[AES256_GCM,data:Orr7Pycz,iv:73qLf27tTbDkY4tjaB9EAwXD3qseVNrZwXxo6nR1Occ=,tag:cgz7vU2rRvK5dRLUZF84sg==,type:str]",
 																				{
 																					"accessKeyIDSecretRef": [
-																						"ENC[AES256_GCM,data:oVrWa1VE,iv:H1LI1XkXcGfhXuEOif5p44OCRxPNsIHsGB3nil41GYs=,tag:Azxm88GwmvsymhdfQKSDXQ==,type:str]",
+																						"ENC[AES256_GCM,data:NYdhOCXf,iv:tb/pE9VJzAcPSpemXAvdcGVWaBtr4iVcXarXSWOwSSI=,tag:svZdbeia/qV+NvA5GDXvKA==,type:str]",
 																						{
-																							"key": "ENC[AES256_GCM,data:Ai20710w,iv:GN+bhA/px81hjOlO7A4k1CtCHuYk84PTyol8EPkvGu8=,tag:cRBs83erXALbe1yNyKUokA==,type:str]",
-																							"name": "ENC[AES256_GCM,data:XOIwbDU3,iv:mG1et9udDDhtBoxUFVDktHL+SsUbJWRLFhaHr/3Wk68=,tag:PSiVZIHrX1e26Yh6rLOBXw==,type:str]",
-																							"namespace": "ENC[AES256_GCM,data:dJ3wSam0,iv:1CG9qq23gNg4oZSh4eRKf8fSFPiUQu42ZCVstLhP6L8=,tag:5bNmAo+2BPLavyT8ql+Ymg==,type:str]"
+																							"key": "ENC[AES256_GCM,data:mRd9KZ2q,iv:bPkYZHFdiw1+Zml2UBGTaxXdG5LCRHzqMOdDFsuvCbU=,tag:JcWHdNCOzu9Rq03Vjoj1UQ==,type:str]",
+																							"name": "ENC[AES256_GCM,data:k1+QwDWB,iv:v5RfPKmMTZzRCAJ9HLJzRQAY8qdr44G6Lo2isyPSCL0=,tag:WSstePo/xeOCcscx5dlyfw==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:5bCzpofR,iv:BUKRSHBTWLOiWn2/KhvXiNDq2vEgxVS+jQwXQlI9ws0=,tag:jxPmzY92pwsWch5EvkK06A==,type:str]"
 																						}
 																					],
 																					"secretAccessKeySecretRef": [
-																						"ENC[AES256_GCM,data:v5eOJs91,iv:GZYqBgXfpGgwEETK0aMOQroZaVzX8LyKI2zq61arcLE=,tag:NStbeslH3NEGQ7a4qFCToA==,type:str]",
+																						"ENC[AES256_GCM,data:JHyKdXCh,iv:SGMl3FFMUw80bVyEO36aOVNz6P0WvPVeO0v3bHk5ZJk=,tag:iJjtLI9d1bLwcWNur/Febg==,type:str]",
 																						{
-																							"key": "ENC[AES256_GCM,data:mr/JIq+q,iv:DnAs8Re6zZ/GuFsq+1a2bk/mW+DFJHy8JKkCLcADdcI=,tag:ERP18CJsjS2vsFWXYX9Gsg==,type:str]",
-																							"name": "ENC[AES256_GCM,data:pcLTWj2C,iv:KiKj+B5wy3eUN2AKXxh1qEuXFqo9BRajiVjJh30krrw=,tag:T8bz4XAIlhj8bvVZDD0MjQ==,type:str]",
-																							"namespace": "ENC[AES256_GCM,data:iagv01VA,iv:fEVtdT7p4YtdxWzIemeBDX8as9PqjFsiJZppWM4Uu0s=,tag:kXJ34DYYmzQHziXJpsnQVw==,type:str]"
+																							"key": "ENC[AES256_GCM,data:fvG1HfqZ,iv:AFNhTSg/sItxom3xIeCykZZz7tI3ORw3rulH2mrqJXw=,tag:GAhoiPo7R9BJ9tPvfZyZNg==,type:str]",
+																							"name": "ENC[AES256_GCM,data:tmDTBfdn,iv:BfAR76Dz2r5QPKZYukrOa0psRJMf6BAtKwAXexL93K4=,tag:NhVOcmPqPpWAzzH7ejS9Jg==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:DGxIKC1F,iv:RYUE+Eeil2Mi+IinzMp4K9E/sTT6KO+b9Qo9n5ylEQ4=,tag:8Gm01HTW1U4xaWxO1bm6dw==,type:str]"
 																						}
 																					],
 																					"sessionTokenSecretRef": [
-																						"ENC[AES256_GCM,data:BTlaMUh0,iv:fUGauoJzv9+Ke22jkBwoQSLL76C6PxX8/R+0wLvw8A0=,tag:5RivZKhCV/HQIdF2hd/HxA==,type:str]",
+																						"ENC[AES256_GCM,data:cZP3LN3e,iv:pJv9uf/oNx5dlXqv92ukH3D0+wbGvziDHRssMPPew1o=,tag:uwn4FTStUKOyo3tnpYsRhA==,type:str]",
 																						{
-																							"key": "ENC[AES256_GCM,data:Plx8i7S1,iv:U9/3D9VpmPjH1IT28ka6y4hTVFVUFfky3bUXmGkWjbc=,tag:MFLL793gX6gn4lovZlEwfQ==,type:str]",
-																							"name": "ENC[AES256_GCM,data:cwP9g7sz,iv:03Wqsm6tt/+0h8sZTkks9yE9tbL2GvJOCXw/A7H+cJQ=,tag:Od4gpuctL/2o8m7SEJYLaQ==,type:str]",
-																							"namespace": "ENC[AES256_GCM,data:rufl9XDm,iv:mFwR2LGo9zNTani1MCUf0bR/y+v9nBOGtAvDgBGDckU=,tag:OyQgwvYGCGYOJhFfvmfrjw==,type:str]"
+																							"key": "ENC[AES256_GCM,data:zjDxcwyH,iv:afQw7F1upca7zj92HnWzhFCUeH0ZwAaecf9Y2p0SQhI=,tag:fiabi7f4zX43Wl24/NOP+A==,type:str]",
+																							"name": "ENC[AES256_GCM,data:Lud2uEMA,iv:/q+/HnGjnPZwald9L8tE0rjfhPtxf2a9r7wgiQh4xFQ=,tag:vMXbame70kn4LNUwb7NrYw==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:7HyJ2b7H,iv:u01tckGVlBVKcAEsOY4wTxIF05Weeuwoz6dSjYFmzsc=,tag:eKNkjUuE7AR8rP6zeSxlKg==,type:str]"
 																						}
 																					]
 																				}
 																			],
-																			"vaultAwsIamServerID": "ENC[AES256_GCM,data:QiyUN6LF,iv:OEhTLgJJZ44+3Qln1ueFpyUSVItYe7uxvFFNGSGo74Q=,tag:3tmfZT07oH7KODrlLPuqvw==,type:str]",
-																			"vaultRole": "ENC[AES256_GCM,data:43LZQq6U,iv:cYMfTEMlmYKiMS+R5ZGE1k8wCaqM091guvwyAA4blyM=,tag:roItKjQ6vXiWo/nETfvj8g==,type:str]"
+																			"vaultAwsIamServerID": "ENC[AES256_GCM,data:Q4CKWZwm,iv:2eB5Wz8IUR1QTlfvP+Sams/zftG+K9vk2bEU8nUasGo=,tag:5zZc5HAbJ2b0+hSurY6Wqw==,type:str]",
+																			"vaultRole": "ENC[AES256_GCM,data:FM1oGdNe,iv:/Ayp2CpBeztx5un5Hx8V94SK2YjkoDqnDyXWtBgHpFw=,tag:BldTMctcJZjBc2WrcyHmhQ==,type:str]"
 																		}
 																	],
 																	"jwt": [
-																		"ENC[AES256_GCM,data:f6k7wDkw,iv:2GVJOBWDI5LpAilTW+c6nwg8JLjcwignd5c6JAGQobA=,tag:J0LVefC2sitIibPh8b0LVw==,type:str]",
+																		"ENC[AES256_GCM,data:wdY/Rj/A,iv:8oQiOUvUiuF+Z6XOMmoqZel7kEVvUoU1pp0Tjyj8MXU=,tag:EIsnhTyJ7T9j3atG7zoTng==,type:str]",
 																		{
 																			"kubernetesServiceAccountToken": [
-																				"ENC[AES256_GCM,data:mc+C1Gvm,iv:IGK+heDPcEPAgBNY5F7i80JurZdldCnY5cI+lPUN07g=,tag:AepOIzV31Lr49tStY0Tk/w==,type:str]",
+																				"ENC[AES256_GCM,data:9aJetLxM,iv:BEbytcn7Hj20htgPg1J1jtiJPOsuy5N1sF8rWB/yW2k=,tag:+4qsHHowsd9iRdwVx64c2w==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:bOvvZw==,iv:u+NfJBaz3uhtzvJfxLEcjG4if4R6qnqHIxxWHQkNCcQ=,tag:xUZzFj5yh99bCYn8rGp42A==,type:str]",
-																						"ENC[AES256_GCM,data:jKvvRyAm,iv:a6zJHanlJO5/yCg0YBikpfPRnPQK4TwGf8vAQ5FOalw=,tag:WSeZ6Lq1VlpfJX+F5X6+Aw==,type:str]"
+																						"ENC[AES256_GCM,data:ZAWekQ==,iv:wOB42yP3xEDfHDyCHJHTlV8Frnbgf9OcOqBePCM4hzw=,tag:Y2gevUAUDI0nP0bNSuipdQ==,type:str]",
+																						"ENC[AES256_GCM,data:yTPn6U2O,iv:6P95uekvI0qzlTbfVDxQG6phqiAATNAHiLISliENY5w=,tag:EO9O1f7e/g32kMeok9gSHw==,type:str]"
 																					],
-																					"expirationSeconds": "ENC[AES256_GCM,data:UPswiKRo,iv:HEWNh+LkW+76zna7LUaPgnthde69xSHBplTYfZoljr8=,tag:ouj9rwbYZcg9hKYipTCfYA==,type:str]",
+																					"expirationSeconds": "ENC[AES256_GCM,data:8TA+gLU6,iv:y7CZTkcR09aWA//uvI/kdoL13Yd2rJ5e4QgFIOuR0Y8=,tag:CoxLfg2WwekvKqcPi0ewBA==,type:str]",
 																					"serviceAccountRef": [
-																						"ENC[AES256_GCM,data:7AmBEzP6,iv:fao21EaXilQ/xBp/LhJyCBOye/KuFJDXCltKDPd1Syk=,tag:i1csQ9mFaZavDc1NmSuTvA==,type:str]",
+																						"ENC[AES256_GCM,data:Tczc97nG,iv:l1haxb1ZaIDjbZqE1uiMy2eOzKHLif9jbcWG8z5TmHI=,tag:QQQVbRdK5RcEOJTY/ZxAiw==,type:str]",
 																						{
 																							"audiences": [
-																								"ENC[AES256_GCM,data:gxL4LA==,iv:pSgFJ0ZejGElcGBfZBe8FUDGTGzJjSjoNDasqpBQvUU=,tag:4GoQ9/THTlhv4XGobYdroA==,type:str]",
-																								"ENC[AES256_GCM,data:pFv/e0Ig,iv:UMsq1rR35vvfcZva8HXwvHycdLCHaz+huLQ86fBdv6w=,tag:CHT+uBafUlKQMm+/iNt3Ew==,type:str]"
+																								"ENC[AES256_GCM,data:46FJ4A==,iv:xJNrV5sIawr/64yNKfswjJQs3+WiHkX4ixQ6AV5kF94=,tag:2O2vGFF7in344bxe+QUi7w==,type:str]",
+																								"ENC[AES256_GCM,data:B1B1zLp/,iv:xOojoygqkJPMchehTq+qpIJ7VdrAsx/RjPhZOayQP38=,tag:1UvanV/Bq5M628OewbIdbA==,type:str]"
 																							],
-																							"name": "ENC[AES256_GCM,data:HP5oDty4,iv:IoH4u9p1Y3ySlKA6KrSyh7dcv4UO/a+iQmtkJOA4T4I=,tag:7cwgGbFOjV5K9Uqjoc5qaw==,type:str]",
-																							"namespace": "ENC[AES256_GCM,data:XEweymoS,iv:1gQztRr2ABkAoW83V2s+d/TnnTBwYiUuahDUJQ6jF0M=,tag:wGqh/yXc3gBijR4S+DJlrg==,type:str]"
+																							"name": "ENC[AES256_GCM,data:/K9aTb83,iv:oZE6/E83ykuzNsF/DHRza64LIS3A1xjsRU55IG6ErVM=,tag:Cei6medMU06Hfxnni/+wIQ==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:N7Plv0Eg,iv:tOd3LyoostuQV6cp5km8D6e7TKsAiSSbyXw6qDXjzzw=,tag:jKAMiQmIeyKWotSpSveOSQ==,type:str]"
 																						}
 																					]
 																				}
 																			],
-																			"path": "ENC[AES256_GCM,data:j6MogQxA,iv:Zz7ZHPKxZoyC9YXvdnEz00sSZ9tOKbYowhYfENFQ3Oo=,tag:Bv+2u/FjeK3Jb8c9F15o6A==,type:str]",
-																			"role": "ENC[AES256_GCM,data:VPJ4uWTX,iv:/z8SpFTkcnqmz8w/kXV4P+tPYdYibxx4CPpfSrPGM0k=,tag:zcEh/QVr5bEicZ1cHbHjhw==,type:str]",
+																			"path": "ENC[AES256_GCM,data:54s7Yvel,iv:NybufzEgamDqPWLFOrZIWp+DDra84nL3HTRWzCEvBgg=,tag:H5r8XUoYyGHp2enP9xxCcA==,type:str]",
+																			"role": "ENC[AES256_GCM,data:qMZDkgOB,iv:D2b7uGN/Q6j9gupkJkWUkLUaVL2H55Z9+zZ7H4X+a+o=,tag:moBuOIm9wvp2Y8BKyul/Og==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:0nhBKGxq,iv:Qv18pKx/SIYv+rspWAfHN6WT4S293aGcO1FZ23LfVd4=,tag:i3aJNORm/zKKHMoEWx9BWQ==,type:str]",
+																				"ENC[AES256_GCM,data:zA2qjHMj,iv:cd05KiblI98sV+wCtzJIE1AUCVc2cNyQLVdPsc2EKxc=,tag:nXBG7QVnBib+S1u2jAxmLg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:DIR10qlu,iv:GVmPQ1ghirGH7NJCVrmF2zHQlyuXGwSZrxt5vVnKeDw=,tag:aPYaKIjhha98Vyz3wc11nA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:citXTXqx,iv:LIXQKFtaJNWKIqoJiqf0baGvrsd2Uymo7TgM24M9EWk=,tag:KMklEjF17MSe74xbBbXPRg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:tqziHSV+,iv:uMnREUNMIaPzGt7axA4bZM/s2ICEVKcI/SR4lrdxxD0=,tag:+Rqw07mpppSd6xPdezRUiw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:K/hTcR2s,iv:xksAC/LEjd4J0E5vN1evl4k2Q/HKzKVP3CsXjKsbV7k=,tag:Lz5AdQkbEdsxwu7D7W5I0A==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Ws7hMJQi,iv:maq5ee6btxzS1xOfCUaHQP83tnXf4tSnBek7i1jRGBw=,tag:7MwQdmDItBtPXLogl1+H2w==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:PmVuPW4L,iv:v2elQrZ1fR+bBcvu+MkVOvSXe+36t3Ya4Zq2GQWr2Hg=,tag:tT5mZI9Bh1GTrdlX7dEe2A==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"kubernetes": [
-																		"ENC[AES256_GCM,data:Ue7jdCD+,iv:RiJ6+o4rZUelAWS/pfkTntpxnGTwg8ni+V7SZNy8mEM=,tag:0PZw4mJWdk0+hWYp13R5HQ==,type:str]",
+																		"ENC[AES256_GCM,data:/2boggMm,iv:/wwSjg+LSGf5iv2B4FyI139ncIssdEC/u92X1sfUbZQ=,tag:k+YsUwvikWK80k0tR8349Q==,type:str]",
 																		{
-																			"mountPath": "ENC[AES256_GCM,data:g097e5tr,iv:0BpMKQYD1Xq1dk7zaJGw7fU/xq1hXEF2oaYPyp6ZIDI=,tag:ISSFwZj+8ZRDUnXX8ZD+aQ==,type:str]",
-																			"role": "ENC[AES256_GCM,data:5+tYS5xp,iv:mf5+4f5wayiNhHAh8NvmdTcL9/ZHXloDGKs+6IsCiOU=,tag:o/Wg7OnmWZtu0P8wmsUabw==,type:str]",
+																			"mountPath": "ENC[AES256_GCM,data:Mv+JVwNz,iv:SaFNQtCDSSLvIyRMuFpOnxrijJFgxLO2hQbPg2QSAn8=,tag:z07kMYUeESRuVvJY1Si4Hg==,type:str]",
+																			"role": "ENC[AES256_GCM,data:3heLWD/B,iv:iOuEfwGG6wKo7GGYLNtXx1jsaIxbsoQwJ9pMHQHybh8=,tag:FPwcGSdPgwkc+bPPSjJlaQ==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:iUkmLB0S,iv:ph8VskIouG151Yz2CkZRG9gqOwMxvoTvWw2A/Vpoo6A=,tag:1R29jyRG4QGU7Mh76aeLwA==,type:str]",
+																				"ENC[AES256_GCM,data:e8oIdd7N,iv:+Z1ovp0LQCFt/iB4v54Wts5dKcP03LmL6bAoH67LQYo=,tag:HdjYy+7j3UVHT4O2U1vfqA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:l/V7gxt5,iv:u9w3CPlMIsM6zmaOK29d3bA7ESWVCCJedm/VArxBzDE=,tag:7H1Z4bEB3URgwBanTokDGQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:XEedDpEd,iv:DgMBBSSbDhZ6qXGBNqMRaLfoXJ96VEKRePMXOqButak=,tag:PkmeYvmZjjlcujxwj65TiQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:uVEPhwlu,iv:HlAysIIHTZJ/e0V9AFd4gHifVim5lwNUEp+hqrdBZwM=,tag:t27Wr8In8ubCuqyNgVPnJA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:BAww3FJN,iv:+x6XXXc9teD+BrN6hHKmOl8grkDoihnHldUyYtX7Hv8=,tag:Ye4NZz995fzeawd1wiZ0LQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:FUgZjRrf,iv:89G9j/prp6UsaYnWdArKg6B/qPylWFmvol0pGfNcuRw=,tag:biAY+px9u0lqclQc2hdU6Q==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:dFqLN/K9,iv:EzCjmoaYfIE8lhMatq07JpsSadcCEoqXVagdkfiuW2E=,tag:US08oST/ENIQthh5k2RM0Q==,type:str]"
 																				}
 																			],
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:Zi5s8YVf,iv:xJWGKEkgiGLNdAbEGA/XnFCef+d4E6egxc3Uc6yFSpE=,tag:yo1cdqyGhmArz0d4r2HhbQ==,type:str]",
+																				"ENC[AES256_GCM,data:44uR02II,iv:Zy5lQOt89Ho0urqrModkvDne821ANP/EkrycnRZuzBI=,tag:6A9tmj2ITLGqsOrTTwzc7w==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:M7u2Iw==,iv:l5yyEcIHuA1FtyBQ0pwYz/X6A9tIHG4RxLtfeVa/5Vc=,tag:2xJXFPW46vrqhKSJKcE38g==,type:str]",
-																						"ENC[AES256_GCM,data:Pz0TGyol,iv:XTmn/MEzaLSBQEyeL6yOGtdnzs8jw9bl4v60xWGhzgs=,tag:+ac0fd/ua6ClClM0UorhJg==,type:str]"
+																						"ENC[AES256_GCM,data:gBE6og==,iv:Xap7vcK8McOLzMnrKoWtrd1OSj19Q+3sMxXKfJwh9eQ=,tag:i06Kjog/+MOqdy6Q41QmWw==,type:str]",
+																						"ENC[AES256_GCM,data:h8txE7Z7,iv:WGOQ3D5onrZV97cgr+u4/KSMP2rnEL9lO9RulRmeOq4=,tag:+bFaywpmWbzi0suw+3ff9Q==,type:str]"
 																					],
-																					"name": "ENC[AES256_GCM,data:IPtCLUiD,iv:x72NLIaT5MBfaXJ8lEBueECXmN0rZcVH0R6idW6km9o=,tag:Jb9yn7zGi6pUH7xzTWn9Wg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:IKBoN/85,iv:gcj9/GmRa/1ddR3NV0QZduXzb+6Wb/cKNRYJ0QdGCl8=,tag:GMYdQXx7Ow/BMELzym3tQg==,type:str]"
+																					"name": "ENC[AES256_GCM,data:j+SHll0f,iv:Fm79oYwhnHqa/W14G+nLfw/Frm2XVFzwboMAUv9Q/2g=,tag:X2xwo0TUpV5aB1uHmRoxAg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:0IKopz5U,iv:WOiOpCw7EHkgs8VMz9xZMOBxmWCbDpG2tmcL1q+0kHA=,tag:r1FGwWLE0vM5u42B2xOtIA==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"ldap": [
-																		"ENC[AES256_GCM,data:wjxTI78a,iv:4rPsGJ0kyLOXgPTHjOWHhXsw4hIi+jUriJ04W6sylZ0=,tag:Pop1ifQlDez3Ifm4iG2bOg==,type:str]",
+																		"ENC[AES256_GCM,data:NxnmN7WK,iv:VUl8SGMU6DdMfXuqGFhoEBXV9dDSbuHaTBjFjMAp0A8=,tag:lDrD9saCnJ15IB/eGnqdLg==,type:str]",
 																		{
-																			"path": "ENC[AES256_GCM,data:78Px5EC2,iv:aYV23j8AW3oFl7QvzREvZWtfG63lQoBRiL8ho35V9YA=,tag:SW4KUW/iuJ29dgnbiT7Skg==,type:str]",
+																			"path": "ENC[AES256_GCM,data:8xmxsXMr,iv:HH9YHLY8BHMGyTv2AlWynCUxmrE+5fNrlfmx073VVqU=,tag:o9ndiwtFZi65+duVCmUQsw==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:gQNYRCAL,iv:ki3dCIzXqDHsQFBibeKHUOMnpTVaIKWVE4kYK6sKXU8=,tag:8+QDM+OlWTxaPhPbpldZQQ==,type:str]",
+																				"ENC[AES256_GCM,data:hYblG3xr,iv:CF5KEqd3qsBfK7R3Z+W56XIQf0nMorwlqPZDWZoavvA=,tag:0+liHv7Acjkm8Fsr6ATQWg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:QIpXM1Sr,iv:nWTYmxxr+YaQ/tfoFZMCbdhgYBNUoMHs0CodUehBnxE=,tag:Ebb1X+DcZULeLuLa8RESmQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:hK9NfxQv,iv:mLusSamEnedR1ubjB+1K2cy3eDXNoK9NMKuw1a0EsI8=,tag:8TBRbwufbXmbypV1qh1rtg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:XRGUNEqc,iv:eADzrNkbjjpqbsnNsxwkT6UcV3fF+R6z6GYyYcWmRrQ=,tag:YZ/b4o34dB7tmceT+HLcRw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:qXr1OFpv,iv:fHWSwsvq2/eazaTyh7ETXwWMd9DzDRhCwuBIqgpsISg=,tag:Cjbr7XnmV3mfCrKNOqtyBw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:eVDFA3X1,iv:IcAzuXJeUsG1Dp3I8y/WFzpgweKVjLs4ERQ3vNX7f9w=,tag:MfNmCjrssRORDHfoT51uHg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:arlUrC5C,iv:HByKYKFF4vUmCGpUX5sCTrviGNlOwV1gwcAff/bNB6c=,tag:0/J3IXPFCTDoNHAWrHPj4A==,type:str]"
 																				}
 																			],
-																			"username": "ENC[AES256_GCM,data:D/OAmC4v,iv:7T9f+S7/+eyMe8s57JIud/IeDkJ03KnVDWGR5Nxosbs=,tag:CQhLvtlHzRiU+WzZ9goG6w==,type:str]"
+																			"username": "ENC[AES256_GCM,data:mrrpyVIV,iv:zWE5Cyspb8gEw3HdZy8mRXGF6FSFBy9P5ccdJzi4l1k=,tag:G0+ZiOS6nbPTfMfrlcrH6A==,type:str]"
 																		}
 																	],
-																	"namespace": "ENC[AES256_GCM,data:DkeAr8R1,iv:MSsGPUmwdWh0xPwNxjzXv+Lc8f+oDJZCihtvdWwdRPU=,tag:vejbMVEePb3n1/fKbx5Mig==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:voJ/z5bF,iv:1UC5/0eeq2lkSEPfZ8ymuSqI1ln6lhKIWtO/HBj+suA=,tag:DkvKsB1PuoeRUFHfpE6LcA==,type:str]",
 																	"tokenSecretRef": [
-																		"ENC[AES256_GCM,data:E84FNZYS,iv:oVRh7pQY44yx+8WDNtlSwgAAslfDX7n/bTcfx0z2ydQ=,tag:4T8OmTuHmW42Vbe97XyjUA==,type:str]",
+																		"ENC[AES256_GCM,data:rvlcMbMe,iv:8HvqyEOYyup6BWyjvp/lULERLMFKY+PSLRinalJefPI=,tag:jMas6rQIS2zk8cLeaSNu/Q==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:kZ6SCp9X,iv:8BhrjiIQbG/28yZCePV6DDgo8tg3gxNAX9GIdE14EcI=,tag:zRGX79AcYzOUEYk33uiiIQ==,type:str]",
-																			"name": "ENC[AES256_GCM,data:W54qY02A,iv:CJhgeoMAaQXPXVTG4meJR7LB5mXVsjj/6tY13W8RVV8=,tag:bcQU2S8W92uqIKk0jCg/1Q==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:xb6gHZ/C,iv:KqraSR3QfNhEHyJ6UYpHU7YsynO0W4zOQ6aFaTmc3Bw=,tag:59/o/t1pTs8h+MAcODXHeA==,type:str]"
+																			"key": "ENC[AES256_GCM,data:1TkuFq8t,iv:BZm45pzLOazrjZaz1Lb/STF3YuTec6gv+833+JlLzcI=,tag:hso3KO816m13FnIoOaBJuA==,type:str]",
+																			"name": "ENC[AES256_GCM,data:yeuHRuMv,iv:t2opGJFVeud0M+isKLYM4642Wl/oboDnD6QJ7gSRM1w=,tag:2ODS6A1iTJ3osfkF5mmSqQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:ToRCoQ9q,iv:9GdaXaUHCa2NcfHPIHVtKso9P9L+O1mqUhzm23+SSTE=,tag:ozglLilQ/VJ6mv9KZ8QVVA==,type:str]"
 																		}
 																	],
 																	"userPass": [
-																		"ENC[AES256_GCM,data:nfAzLpfq,iv:1qRG2jYk3MHKK7r8GBz0YM2TEHi78czhBpnqinA181M=,tag:rXJj4Ux0yqTrzuEAO+XBRQ==,type:str]",
+																		"ENC[AES256_GCM,data:RQD5rgz9,iv:vHOmFOyXAvq/d88LyQlQMaQS4nVb98ZjmSPMiRIqGaA=,tag:R/qEVpawaMcNLP7m7FyTGQ==,type:str]",
 																		{
-																			"path": "ENC[AES256_GCM,data:m9wofGBN,iv:aIV9rzRf7p9lGei5FY7qlu5C2MGIh5HIFW7hr3vlmuE=,tag:NjL2uT5javBrE7ajiojyFw==,type:str]",
+																			"path": "ENC[AES256_GCM,data:1pibv1B+,iv:9/LTDD9RKu+HSFPCSi7BOD6UFIj1KenlfbnYFMvUNGc=,tag:zjXFuRcAN8pAECYNmogUYA==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:NN+hR9n/,iv:ZQe1o4T24ZakmXqfdX9HuGJPLFzU1A2oTWSBtaScKX4=,tag:0xUWWnYRk0iCR2ylNCGvyQ==,type:str]",
+																				"ENC[AES256_GCM,data:t+2lquMx,iv:9lLfP75sUrhlVwgaNPUoSf8rg4D3ZSN1mviP4REta7s=,tag:tLfyVrWPEJGXhfZ5NCu1/A==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:osHYQw6l,iv:rFGUaqJoYq+e+qquILf4JkKQm7QEsZZLACKjNHDQOAc=,tag:GGi2+9B7U2LqlsMItzD6lQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:8VlyvaRp,iv:ahdXMpWjUHgTIYsPf0mPd80TH+Ev/jeIluOTB0Ww1AQ=,tag:QUsMk3F35X3WhaCyRhCs4A==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:tOSDX5Nb,iv:2MffHL5a4sulu8YzswT40FJt6Bf5qx2NGRF5MQamu+w=,tag:fkoxL7kcsT3SYlNU/e0/CA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:XUW7RanR,iv:bw/+SxiDKElze72BD0v6sMD2vY5DIh9eLXbjcltRimw=,tag:+p4soCfw+N7J1dQVIUKWAQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:G4D2Q1iV,iv:JOfqW+GBTu+KzKk4iqV7JW33pwkvkA4n+RrWwXsXAZI=,tag:2aguaiIuDLt0MHhyhB4Spw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:OhVRnn8W,iv:2CFYqABAgUwYRa1NBwbL06Nu9D5cL2CIQAtWZDFBZj0=,tag:41YhL8+4qxn396Hp8L1XiA==,type:str]"
 																				}
 																			],
-																			"username": "ENC[AES256_GCM,data:vUzx38En,iv:Jpjq2FLbtGs61fKkref9+zsbf14JfnfNmbYlUOHB+AU=,tag:LGgZrt8f6hsXUE2y8f7tEw==,type:str]"
+																			"username": "ENC[AES256_GCM,data:AfD30aFL,iv:fFlACvGtWQkxZaHbP1jt+6SqsohiOkFBHqKT8NuJVcM=,tag:S9AcJziUp1bDuB6XlfCFow==,type:str]"
 																		}
 																	]
 																}
 															],
-															"caBundle": "ENC[AES256_GCM,data:zxAI0+9g,iv:1Ih8yNPXqENPUvbbxVJRLh/QGy05Ne3MVoHJDdCdjPk=,tag:JQ/OCFg3LrZW5yhmaAFblw==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:aVtGvniK,iv:iVQdj7C/9lIwrS3vcRdaW2Ic4GZ77+bPd/A3ym/EKOk=,tag:gyzGEqyTzMHPQoZH5opzvw==,type:str]",
 															"caProvider": [
-																"ENC[AES256_GCM,data:pHDvtGAm,iv:ijGcX23OEPCpeprNwd8p+qozlvJCUyGFbTocv8TG9Wc=,tag:MBQzF/fq7V7Cu4NA/SJInA==,type:str]",
+																"ENC[AES256_GCM,data:r24WBA7K,iv:TdQ0FgHNeXoeJ7V7K4YUFOcD7abYOBe0OsvTpAq+p40=,tag:GmuW63Bsp7OEoOQxGj1QQg==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:v8k1/KRZ,iv:Gi49iwXk+0DXlc2Fn8t9U4uAvTR7/WnhQ+PlRFIedlw=,tag:5q2foLR4PybIJfzUhI32hQ==,type:str]",
-																	"name": "ENC[AES256_GCM,data:SPNGw8U6,iv:UQVZYgm2hW6f9AE4MZSx7+PxhZn7gQsaUQENqtTBwgg=,tag:JwF0z0JD/BVdxCTa/UiAdw==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:+kVVbln8,iv:3NSdrM3+ZjYWj8+mSWgwathhgqsNPVBwvcxOg4PVYAY=,tag:bC5Z7r1jObQIzMRgOcC2Uw==,type:str]",
-																	"type": "ENC[AES256_GCM,data:kWygLvbP,iv:agMJHs0U6gdqwibEKTJ+e92vrH/ipPBdylbbbr/Kajk=,tag:0ivvZ0FthKJS1wk/5FWSrA==,type:str]"
+																	"key": "ENC[AES256_GCM,data:AqcZJAkz,iv:YpHWbggv2kq8/Rk5XooQKV6z9fv0XkLsoAkv2IWreyQ=,tag:ac4xaKXmz3UzFGSzJ2BYkw==,type:str]",
+																	"name": "ENC[AES256_GCM,data:VPdCeiXr,iv:esGFQ77I9uQc//2cURluYeNdWLowdm+6Y38kPsCUp88=,tag:xrSl4T1CsemK/65Pem6MvA==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:B3ECpASF,iv:jyoNiGvTuL7jgZKRERNsubEb0R0VTdNs/UxBzuBancA=,tag:tg27iZaljGuTV4Nr/6V62w==,type:str]",
+																	"type": "ENC[AES256_GCM,data:S/upQqP0,iv:/p8iAxMYMIwTETna/unTrziYGkzAnHMHMaahQWIUyWY=,tag:lr9yz9+61Wm9snssTEpRWQ==,type:str]"
 																}
 															],
-															"forwardInconsistent": "ENC[AES256_GCM,data:Hd3fFA==,iv:DqQ3ePNUd5iQ4FctRajBocvgIJSRwPfgBlAlCISS94I=,tag:MXN4RZH3FgKpRgn1mgwCJg==,type:str]",
-															"headers": [
-																"ENC[AES256_GCM,data:y4d0,iv:PAZBw7AfE4Tt/FWlRvk/2NIjjQeiTEv2jZ+Fe9v5BxA=,tag:zC8wLyiqFCplXEOLK44AAg==,type:str]",
-																"ENC[AES256_GCM,data:xfLQpZez,iv:ksuxkZKYSwJ4p62upRUHj2n4Y/SEMVF6SGrB+wU+phE=,tag:Ny9T0M05OZLRyYzh7Su87w==,type:str]"
+															"checkAndSet": [
+																"ENC[AES256_GCM,data:Z8BdAiK6,iv:+bY52D4KvK412dQEg2ZjKF+X0nPw3g5eB+Zb62+Pafc=,tag:Hidv6iO4ygjqou1P4lpNuQ==,type:str]",
+																{
+																	"required": "ENC[AES256_GCM,data:HKq8fA==,iv:tgLTo7COmlAmi1dAwISYjJEJS75uJ7PZ8Bo4Uy4CoXU=,tag:57sSDb//3BXw70MbwJ+3LA==,type:str]"
+																}
 															],
-															"namespace": "ENC[AES256_GCM,data:c36jvuSj,iv:UUOgo13QhGZEiwRyj+x7sO3LiG9p3QI9/Wy9+cUVv9Y=,tag:kUdurng/JLPIMYK/juD8Og==,type:str]",
-															"path": "ENC[AES256_GCM,data:d2VGP1CX,iv:OiMyR5M0rK9PdpNc7n8uzeIItWy7dJ4JmRUdg14CheU=,tag:mFyaQ+fcL8cvnHLvUYTTbA==,type:str]",
-															"readYourWrites": "ENC[AES256_GCM,data:z3Ym/w==,iv:SiruHNiwbqirziWkQMf34moTWn7Durs5rgMhIb/TBQY=,tag:ZKo9mMKRezzjMttO8fnSXg==,type:str]",
-															"server": "ENC[AES256_GCM,data:MqGQijIP,iv:uoJvew6bSCIsli0nWRFlKSyIkIwkPA0QIbdTuUOxbZo=,tag:cJpvr5BrU6ZYIB+T4OKTaA==,type:str]",
+															"forwardInconsistent": "ENC[AES256_GCM,data:9lrY/g==,iv:qfeYYhGyHRQD9iGr7/pPalRPq/fwYJhf8v/GjCGTeoI=,tag:efidgyUSMmSZ91vdgrPmYg==,type:str]",
+															"headers": [
+																"ENC[AES256_GCM,data:Oc63,iv:CB5t7/NVEdYpZhbPF0u0cDM+Q0B3hnlFLmn3d5QfwW8=,tag:5ZUURPSKhfC6tMc6rwAR9A==,type:str]",
+																"ENC[AES256_GCM,data:CtgmsS79,iv:bayYgxucmF3JPwmjTGsrfWgwsPtpvHjf47jT3MgfF+8=,tag:J7OMV09+G9S6BKtaLP39AQ==,type:str]"
+															],
+															"namespace": "ENC[AES256_GCM,data:gjSRlZ8l,iv:Om/fuiAyRdr9KGRWap/q1/p3ZwHMWe3RvWmLznrN/EQ=,tag:asMnjZsLkXlS6bBiPU7nKg==,type:str]",
+															"path": "ENC[AES256_GCM,data:+UzanIIn,iv:sxOq9KqkZivg8i8eUct1psg+Iic+/hre4Og8zugrO2A=,tag:QjyUfCJ+YjhqBO08WV1VWQ==,type:str]",
+															"readYourWrites": "ENC[AES256_GCM,data:WYue3Q==,iv:fgdlaB3YIjeGJK3sJgf9imLvUOGbIhWlAYS14DxofyM=,tag:gaBCqP0Y8t5aacTLtFxOJw==,type:str]",
+															"server": "ENC[AES256_GCM,data:Avf+N0UX,iv:k1W70pu3tbqcAtGpmSRRjjl1DK1qxU3y3iACuRqpNU4=,tag:ClpMaWVQCOCeMSmE+ZZoBQ==,type:str]",
 															"tls": [
-																"ENC[AES256_GCM,data:01l9wX58,iv:96HcD9uXGXbGYmTr2RKbEO0T0NzTWhBSB5DJRMe712A=,tag:5KtO8DH7stYFkrjtkNovXw==,type:str]",
+																"ENC[AES256_GCM,data:Im1hA69N,iv:tkjV/07SKGkfuiLdtzD4P/QM9Y0fJ2SgdgdseN3DWC4=,tag:S1uHDtpK3leJHDR5Iw483g==,type:str]",
 																{
 																	"certSecretRef": [
-																		"ENC[AES256_GCM,data:I+Wg4Cga,iv:4C4/uvPtqVROG7IQ8gsl8N57HC9OT6z7l0rXF9ElNuQ=,tag:5DAWjWDuGkCjXTjaPGnemA==,type:str]",
+																		"ENC[AES256_GCM,data:ksjcl1d+,iv:545seHZde6s6fHC/batzZcP6KnCil0dmEUMClfVecH8=,tag:qhwQ2oqcNtvVOzRmq5BB7w==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:LrnqeC0T,iv:O8dVFtBuRQn26JiNZ04QuThPbDogs4ePW6bmgdAqj+A=,tag:o5agIZDBD9rfwLlMT1NU2A==,type:str]",
-																			"name": "ENC[AES256_GCM,data:r4ZqiiW4,iv:q7U7mYZGydxQvjIvtAIQQtn6+QybnHKNZWA8QoNvWIc=,tag:cPwD0Cjp7CQ/QFtW0mG1/A==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:MvEQdIew,iv:f5b7Vmqk2j8RwSMgk3kqC490VIQMg9rxX4Z1qXPCj24=,tag:Nh6sbvzLGZBZx1pjoEySoQ==,type:str]"
+																			"key": "ENC[AES256_GCM,data:74Fm0t7D,iv:KZsvFpNTmCxm1o4YEQsIMAiN6sjoEKQxV/uNoXY/Jnw=,tag:bzd+3+CkGj0Tq9RHVnSiYw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:83dLa/zp,iv:dT0j+GrrKfQ21Z+ieB82rL9KTV6SV5L38as55D8Uqm8=,tag:9r6wibblC/7tQMJHx8KybA==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:jNLw0MPy,iv:P6flwWnGhl4zripiRN0mjKfc7spaBG8MhiRH2N7hgyE=,tag:UoKKL0wj/qUiUbsniXRiAg==,type:str]"
 																		}
 																	],
 																	"keySecretRef": [
-																		"ENC[AES256_GCM,data:1XrEDOCO,iv:cQfDiRHhzfOlQ+QuucyTqmVPjA7VRha3RnGDhaHqSN8=,tag:3LcZxeKFhM4Zr4MpM4Smow==,type:str]",
+																		"ENC[AES256_GCM,data:fwNUNkcW,iv:W3D9Pi+OGpgVEgIPNeUUUf2pR6TzolJIH/SXDEMLJbo=,tag:wdxBejtU0SgAWyjpQhdBPw==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:fjUwiF8G,iv:nIxovRtGsNU8Rr5phqUuO5J4kKkWAJhClPPSd7jPd2A=,tag:1M7tm1/9WNjpYXxxWNQflw==,type:str]",
-																			"name": "ENC[AES256_GCM,data:vV9wuup0,iv:R8qTMURnMca2CCh5e7BORbA0SkpWNf1jDBevM0QqiQ4=,tag:w7qfYDoRaYCJdyWlowcElA==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:3cWJQG5a,iv:bEwRt+ILeVfwm8Kh0/WC2GCrXHQFU7w7h+sfesVhqu8=,tag:aYjS5u7zspR+9cp5MUAv5w==,type:str]"
+																			"key": "ENC[AES256_GCM,data:sPLtbx0o,iv:JM2WW/pwj85z9/vo/1HQ6M0eIZeXS2TsLiFIcRZDLTM=,tag:s/wiuOLfxkYh4TecyGQ6QQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:t6Gnxw2d,iv:qUv2izU/wWewml9SOD8juDNIo70xZO0kmRu5KFdPUT8=,tag:OrWYbxUEmCBvsbnDbHHcbQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:gcPwsM7J,iv:WDAiX2k4Vo6LljMC+P6RV1h/2L84cRk1GNQgl1caUVM=,tag:Gr6h4eZtWARS023nvJ5SZA==,type:str]"
 																		}
 																	]
 																}
 															],
-															"version": "ENC[AES256_GCM,data:IvO+Qfi/,iv:ZBQ/WrnmmrEyt9bTB9KI7CGF38jOD6cF8QqooAR+XZY=,tag:3aK6tFXK31OHkfMmEqnEaA==,type:str]"
+															"version": "ENC[AES256_GCM,data:nDcJBvQX,iv:If3S8Q/M8O8EHmuI/6eeZh4eU7UL3Er9wZ+nu/KA3Gc=,tag:+01YmHBH19T8qhvipT3kIg==,type:str]"
+														}
+													],
+													"volcengine": [
+														"ENC[AES256_GCM,data:X60x/95n,iv:e/u1j79u1JNfj+ZkrBCNSwbZtXZUnPN/0s6uUTEOCLw=,tag:Qp0vjpHAL/SJUOtbnsWf3Q==,type:str]",
+														{
+															"auth": [
+																"ENC[AES256_GCM,data:dySszy0O,iv:hN9JmyCI9Ar0iqEO+EgNC2jaGjOFWx3RGpp4J/QoMbE=,tag:kZb/EV2PXdpQOrZy2QVqyg==,type:str]",
+																{
+																	"secretRef": [
+																		"ENC[AES256_GCM,data:BrbtO6yL,iv:rHjh3IJIBJVdkMqNZfLb4QGM84xTORgG7L/HJpAKNTA=,tag:ef4cwqCL7NmAv9Y5kezoSw==,type:str]",
+																		{
+																			"accessKeyID": [
+																				"ENC[AES256_GCM,data:gxCpZNm+,iv:3n/u/eCqEAn4uS7cJwz3g7Y+ra9QxxJJljUEOsFAoIc=,tag:k0HBH9MHfJObftdBWIPEQA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:V8i7Arom,iv:P0TVIcHVrfT3QiGNbVi9kTT1BN0DhRAQrixWThpsIRc=,tag:JHuSe1lvRbQbbBs0zwkBDg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:gdATTYel,iv:oRIEA3N/b8AAzR0rremXGCk7aWxIes9bxXzhFpSYxYc=,tag:QT6HyDoVD95m1PPHMuSqTQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:6RQVKaGR,iv:3v7WFEQrZZbbsXv8eQrxabJu5uhHQiFvGuEr9qyqLbQ=,tag:ZJ+MpgypBPKKtlJJqBYwnQ==,type:str]"
+																				}
+																			],
+																			"secretAccessKey": [
+																				"ENC[AES256_GCM,data:MMNMJNBR,iv:Wg5KIwqjrxqQYk0U17WiYAuvNG4ex/H/sa98Q8kO15Q=,tag:y6s4PIyEAce8+/C6B6dLrw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:Wbwtpb5F,iv:Z+GdyMNcj2dC4/efjgzjRczJf46vx1vXyeV1Y/IJtlU=,tag:YKXyW4cCfQntKpf2PG19kQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:tBjN9H4c,iv:d5RFqM97SnWWFLy5XEBzsAcj7Zh3SzPyfM4y4W8687E=,tag:iQ1/haiTNteGj0DGs+naOQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:eNUo0N7v,iv:T7r1JNPPZ7P13GRaXnzbYTlM1MXLsfM10eXYcEhMS8M=,tag:Nb2XXe3DXLxp7r1QVOc/CA==,type:str]"
+																				}
+																			],
+																			"token": [
+																				"ENC[AES256_GCM,data:lUEtx0cY,iv:jt3vBPKCvPuk1fdjfblOxFuwjZxYZ7dqyLTuj252v2E=,tag:fJcdcXCGpA9BOHSVf77yUQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:R5kL52Fa,iv:Ht2mro2d8X/CaJnRoGalufNNX3CWeS7giwT/ma1/rX0=,tag:q4r7hnHa4TuAYiTPJjyfyw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:ia6iCBcn,iv:lbsSNJe7znZ+jj1NEYu3CFkjS5wGmgEASNwfedXe6d8=,tag:Ky7aLwcPKFHuKE0Fts168Q==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:8xaYT4X0,iv:LjCy5RoOjWryQ6mr2fU4CuQU2mnuqZVrByZHnXs5QDY=,tag:Au8ezkgQ73TPcwK0KAjDrQ==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"region": "ENC[AES256_GCM,data:onEtJT9x,iv:xmDyaOsolhlf5lXs8Z5w9xUaKyo765GI+KW/t78vYgU=,tag:q4IIGqFQPmo+Li4a7TEgVA==,type:str]"
 														}
 													],
 													"webhook": [
-														"ENC[AES256_GCM,data:V5VClH3L,iv:OHax1NXOVYsWmFYkhkMWOe8Spalwo+SBm5CLwlu/JYs=,tag:cfL4wO6LBoRXZ3y2R2+iFw==,type:str]",
+														"ENC[AES256_GCM,data:TghBGI9v,iv:yEQ2S1yrOOTz5e2b583o5n9r+BkMkERv5dntuIoykF8=,tag:zklRK7SjIaPbdL5GJfoSjA==,type:str]",
 														{
-															"body": "ENC[AES256_GCM,data:cA6MxpHM,iv:7VwfoSjixnyfDGzL9nJkx1vpYxTk0ZNUVrcVxkDz83o=,tag:ElrWSOWFQ3BNXrD2mUlKfw==,type:str]",
-															"caBundle": "ENC[AES256_GCM,data:KE0Hs2b7,iv:9qZyrTygKKfdNJwYdpQokd1LTv+vGw6iP0GV6LH+SJM=,tag:ObtlGCVCUMBuja4EwhOdaA==,type:str]",
-															"caProvider": [
-																"ENC[AES256_GCM,data:Du/ytmBF,iv:Tw24LjIYahassn+78Cl7x1DExNvqvwf96HtqcCxPePs=,tag:wY/VtlfsNp2vF3G8U3zUIA==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:0yR+sYIv,iv:yyQUd5BEnu/IheRcBp6ZTyABZBE3ncjzhvk/s6RcCdA=,tag:hiBAiIeLOcZl4/NtzzpyNg==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:fLQ5DBnL,iv:4XldzhERI/k6VEYOikBa30udxDa2LYCZyvqeA+8zDKw=,tag:cBf5IV6pjvjcMTHJWlAo+Q==,type:str]",
-																	"name": "ENC[AES256_GCM,data:JfXa7DOX,iv:GFGMMx5NuMuO81ak4ihHRDm3URBYLzi8yBy/RstZEEc=,tag:Fj+Skdbit0+B6yY/X/eBfw==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:oHZjQ4Xq,iv:H9952964pZXfavnCagXoROdWk3Jt/DxbOHfnQKPHJRI=,tag:WAIb13SF1lug861a7pX/7w==,type:str]",
-																	"type": "ENC[AES256_GCM,data:MB9P3F0Z,iv:O95lAlHu3B8WaSL3RuQsAncyD9tKrAagWl3l8gStk+w=,tag:f/1nz6yS3xxYZ/CzaEUVwA==,type:str]"
+																	"ntlm": [
+																		"ENC[AES256_GCM,data:YBn1InHT,iv:iAlzgP9VPhKXAUtOnYzuxbX5fMtlMm1LTpaWJeJtFYo=,tag:4jg0WBcUTk0Pptt3/ASZBg==,type:str]",
+																		{
+																			"passwordSecret": [
+																				"ENC[AES256_GCM,data:bqNFR7aq,iv:t0HRfFMjcqf3lMxax78RhRrzqdpD50HAJ5rkbrhyjfk=,tag:p/ng7P/gPGp/8k1+09j03Q==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:ZbXogLim,iv:r1wtt+avbd+NlePD2LyJJkXeDu7I8hVhlwyP5GqxVyY=,tag:pbNf1eB/KDefHIsrrqAKZQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Kh6e+cim,iv:2XJOstEgh0nDb7r9eqPi5QbSA4Jqv6sCWug14PQxDBI=,tag:1k6UiHFnW4jAktYRvoTc/g==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:b6Ho3glk,iv:Ltm0uT9IrjJrYLY+o2LioVixqdwu3wWfzyNupUOLot4=,tag:3AxXwr5Bfv86RiUc60J8ag==,type:str]"
+																				}
+																			],
+																			"usernameSecret": [
+																				"ENC[AES256_GCM,data:7Ka2zixv,iv:x9teyKs/Z3Wp5R5ZHZTaDNzxyXvJhrfEf54DkvEC+iI=,tag:p8SQrO/i0XNnwjwy9S2wRg==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:HBASYYu3,iv:qoUPIyrQXcL+9GX+TP7ZMvXBkSXSfbVl+6o/Odh/WEY=,tag:mfttd0pg8gue/UcLKHFuwA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:9aXIP5uk,iv:gUMRZiUKQa5HBDVK9dScTM8jE/H95UbX828RhImTTnc=,tag:8ajbmlALZ5EooQwxbxUIGw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:mqwZU5nP,iv:61bR6CVlIpSb58qlRi5niPttulbyEt2C9rlzjOhXVqA=,tag:i56N5lJ0wempVHMl7tQKUA==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"body": "ENC[AES256_GCM,data:TMZMgKAw,iv:j6Ws9olOxWCV9U1vyAC2s2QeLggL97ME6bEBkKauq0I=,tag:eMDgDjsXNEp7gXDVyko5wA==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:wuirwpvl,iv:pI/d6Afk1awNS0FuJ7JrxBU1V3ilQYl865vIAGmMH8E=,tag:v8b6YXNbjY78huXWMVqs7w==,type:str]",
+															"caProvider": [
+																"ENC[AES256_GCM,data:CSP66qDZ,iv:ExZDn7/KFI/dtfulB9+cTrjga66b2PKV5r+U8th9fKk=,tag:4U9pjJ2bwRoY8U1Jw7tfow==,type:str]",
+																{
+																	"key": "ENC[AES256_GCM,data:lLl2I/MG,iv:WWDGG3cRKDIKTb6jYcmAc2fMyZ+UL7ciDYNLIfqEUuE=,tag:3EIWeHLPqRGN/LX+hJmksg==,type:str]",
+																	"name": "ENC[AES256_GCM,data:bhoxWQFF,iv:hUA0HaAaoSs0GOGT9+23NtV5GgWA09zZPaZpPBdPr7k=,tag:t9IXuwXvQ958ZunCBGUJYQ==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:2RjbKadn,iv:p+I4HLKrbJ07HNUKRuX7yDxY0rnDyfwKMRcHuOsxc3o=,tag:Yl2JIM+KhuFO748GB5nkRA==,type:str]",
+																	"type": "ENC[AES256_GCM,data:z9SFdXfd,iv:+cylkIwxjAyB2101w+iJXOVSLlcHmHa+kXyDblyMAhI=,tag:EsB0sdlJXVwClbaL/LeaAQ==,type:str]"
 																}
 															],
 															"headers": [
-																"ENC[AES256_GCM,data:f+Du,iv:QqhcT97jG5xxTcEriV+kvvgY6MbQsrogQnQUdHJJF+U=,tag:XFh4tgI1U9aTV/ZVWDeJ4Q==,type:str]",
-																"ENC[AES256_GCM,data:qAtzCvOv,iv:JusV0IzYobhAX9XRbfP+jrEqFxK320PYS4Y/dJuxL3k=,tag:A7ZTfzEjLcKmfsZI7Wq5CA==,type:str]"
+																"ENC[AES256_GCM,data:6/aU,iv:DYbnn+myWkCYd2MG6nQj6xlAL0Jx+3wU3Kx3WfgiAp0=,tag:TnxuZs3B8+BfQ6Ldy7NZQA==,type:str]",
+																"ENC[AES256_GCM,data:mALbyrC+,iv:pgo30hRqHNqKX7gUNntl9epsZ0S5KB3Wz/UxTj7ERH4=,tag:kCams//lhTawIrmu3gsmiA==,type:str]"
 															],
-															"method": "ENC[AES256_GCM,data:e7rOAeE3,iv:6+mA1QJv+tNLPEYG1AG3n24K/zqhe9OSiDb+LikClYc=,tag:BMEjaMe4FUwcg3NW+2W89A==,type:str]",
+															"method": "ENC[AES256_GCM,data:Uuh7kO1R,iv:wGVvl+WImAx4owR+FkiZvMxBZ/6uki0F3lfx3Xv8bRk=,tag:Npwqd2y63H5MGJZEtlYyww==,type:str]",
 															"result": [
-																"ENC[AES256_GCM,data:Siv6RlM2,iv:eRWEVLFY4Dlm28AJdspDUjcZmFTioiiG/T1ficOOtT0=,tag:k4eMcmjtHQ7Wjy7o4TbLlQ==,type:str]",
+																"ENC[AES256_GCM,data:8q3EMunt,iv:SxLBkPAP3BAc+NlK/zj2nUnPfarfdrkCIGSYIQA9uNw=,tag:4ncPyT/EZBghBii2M5jjjw==,type:str]",
 																{
-																	"jsonPath": "ENC[AES256_GCM,data:U8yzNi54,iv:cBX7PbOwVnwxtq/srKENew/0lJdAZF/TDX1sM1HG6h4=,tag:zq2zZTYd40zIxJCSmXLGwA==,type:str]"
+																	"jsonPath": "ENC[AES256_GCM,data:ghR1RB1E,iv:LoHm9eoM2DZmpDXMBhIgRprpZitEN/MA0ZrssxooWmk=,tag:2t8dOHDyf1oODYSiCUzlfA==,type:str]"
 																}
 															],
 															"secrets": [
-																"ENC[AES256_GCM,data:7hudlQ==,iv:KRkNmYzEb/OTz7IOLmZ3wVompBmQKUWsdJoVL/NYIAg=,tag:83AjlXGpDmYfaHh50oSbPg==,type:str]",
+																"ENC[AES256_GCM,data:bxHh0g==,iv:wbSbVUU27XezDsnuZ6LiCqNqLRN94VN0S4mFNriA8X0=,tag:8yf7Tq0gUPI/ynJ338fEcQ==,type:str]",
 																[
-																	"ENC[AES256_GCM,data:geDXO8xA,iv:AsVhSosPV83hWNgO5F/joMAyl99UDMolcX4C3HETLDA=,tag:9lDrv2OrOPHGMr93/a/Cdw==,type:str]",
+																	"ENC[AES256_GCM,data:ShtNm/Qt,iv:wu0mdJKiUNRpXh9xGBNCRJwpB3R9tI2p/XJjDbL/8wE=,tag:SCU4PbWK1kJBP5ddkxstCw==,type:str]",
 																	{
-																		"name": "ENC[AES256_GCM,data:5xJJSDc/,iv:xWgWNwCvHlEchO3NwYXgS66EroNHWmVrKR3z2z9gEjk=,tag:byokuTLeRYSIngINtR7JAQ==,type:str]",
+																		"name": "ENC[AES256_GCM,data:sXIsQsvw,iv:6Ee3vziNboj3L8lKXBHDIxmU2Jq9s80E5lUW6CzewhI=,tag:gx9Px3Q91aUOovqULlBQOA==,type:str]",
 																		"secretRef": [
-																			"ENC[AES256_GCM,data:N6MovR2N,iv:NQaVQG5x72nlsY+8fTnKh+TM2M1vntWnz0DP0UjzT3w=,tag:YrRlHqqFfW+c8/ztWNwX4w==,type:str]",
+																			"ENC[AES256_GCM,data:oVOLshle,iv:1PMIrX+5LtdCZbramNGaL7NR6uaD/f6jk03MNQUEsac=,tag:pAmnr+2UJFSjxzRtM2tSdw==,type:str]",
 																			{
-																				"key": "ENC[AES256_GCM,data:ZloHbpU8,iv:qVixncKRndCKnxbSuXRO94WpLVMuJFs6+UXKB40IGwU=,tag:JzlpeqpqMEikM9Q0TdVeVQ==,type:str]",
-																				"name": "ENC[AES256_GCM,data:AVCrbDXG,iv:iZeVhvfSKj0LcUmNvvgb7DsL4F7TkwVqlSAA0F0DwXA=,tag:xiv9Njrvy3ZzNpccE8m7fw==,type:str]",
-																				"namespace": "ENC[AES256_GCM,data:cdpjdOXg,iv:Xh1Md2JxGt31CA6C77tFwFaqJezeju6BM4I7U4iGC8E=,tag:OTzV1tD6bwpid3g5iWZAeQ==,type:str]"
+																				"key": "ENC[AES256_GCM,data:jZk1nned,iv:1aZNy0sF98nmhvnXqDjYMV5AMJhdlBt1WcIFIhrPTd4=,tag:j86RDaSLnj6OW8vOO/LQlA==,type:str]",
+																				"name": "ENC[AES256_GCM,data:fJsiA/pY,iv:es2+wNkM72KjCAOwaA94/8h/JAXiKdK38njqPcrc95E=,tag:yY5YxVPxgb6ZuLcTBWdZrA==,type:str]",
+																				"namespace": "ENC[AES256_GCM,data:AQ9u9tU/,iv:qNW3CEkbnR2q0nq9RkZC1bP0oxh8MpxswupPpFz/WYc=,tag:tipaZdOg9SQEyRVr6JO4mg==,type:str]"
 																			}
 																		]
 																	}
 																]
 															],
-															"timeout": "ENC[AES256_GCM,data:x+XkdktA,iv:ZHDIVeF8xKdRqkyFsCNbU66tCTqNZqUshntQGDh3Zz8=,tag:G7KQwYJio/zXYXuRwhfb1Q==,type:str]",
-															"url": "ENC[AES256_GCM,data:JfQVoOsw,iv:HDb/tdPReW8bVCOUF+UQLVHBayoJJOIsNTtHyWGBsyM=,tag:yV36r2llPT+Y3G7UcPduTQ==,type:str]"
+															"timeout": "ENC[AES256_GCM,data:32NoaSsc,iv:NnlNOxSw8d1ILuv3kYEZ27UFPcfm56vhGjcAQQRGZjk=,tag:GUp8hmBXC949/mc42V7HSQ==,type:str]",
+															"url": "ENC[AES256_GCM,data:YH5yjyje,iv:SgRFHvihEpVzWWxGHZPI2VhKYHfs7AcRogRqXn3aHcQ=,tag:pIlQVQQ7Efr4UeClTcLb8Q==,type:str]"
 														}
 													],
 													"yandexcertificatemanager": [
-														"ENC[AES256_GCM,data:+zHnXb6l,iv:XJkrOkFYRdd7Ky3tftEnTu9D41yC055YSbVLUJQmTpI=,tag:TF8UQ7xBcM1/2FAcYd6pMQ==,type:str]",
+														"ENC[AES256_GCM,data:9YpzbanY,iv:+FdgO2xu5FnIoFYPSrLWp6t//NfPU2dNNCVs/ppwXA4=,tag:pBSqIejD1ZbQke00KVg7ZQ==,type:str]",
 														{
-															"apiEndpoint": "ENC[AES256_GCM,data:neyWYIvj,iv:Lu4ZVxRWKLRAX5vDWUbh+loJA3ngw9wGdcLaRxg0IPc=,tag:VD0kavUrhch3vqLu5BYD/g==,type:str]",
+															"apiEndpoint": "ENC[AES256_GCM,data:sMDBzx53,iv:4CEY5ytXG4Noc+f2FOF0xguuw+kMeKXEBAvCPj0uF58=,tag:DsJKepcA4s1zhnh9qh0yLw==,type:str]",
 															"auth": [
-																"ENC[AES256_GCM,data:ihOp858/,iv:7B5Ojzk7K+NUAVJdUaPOvwCtGEQbi4Am/+aHJm8X2gc=,tag:x7O5G1mJE2CUwMznDJWPpw==,type:str]",
+																"ENC[AES256_GCM,data:shhDQl4h,iv:yC5BHhU7jUebaFNTQ13e+YDI2VUxgObZJcI0gXALr6M=,tag:Q8IEyRVnknRU9jMVIuCkHw==,type:str]",
 																{
 																	"authorizedKeySecretRef": [
-																		"ENC[AES256_GCM,data:arRUJd0k,iv:Qlpt8eE8GiY7eYW2oLgeS1KAmeoq4+Dr7ZqL9OhWilA=,tag:hPZteTLV7EAhgs6s6T0cdA==,type:str]",
+																		"ENC[AES256_GCM,data:iak9Og+S,iv:RLHi5K9512Ce1mH+J/oSQcmWK4mgT2FP9IZ/cFLI3t4=,tag:LAXpJLqQf6FYA1RQuKfw7g==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:5SfssZsQ,iv:r8X4ZX5UnVLQm4n3fqf/ezyJBWQR5Kfbk2BlN06ce5w=,tag:98DWysFF3C+DV7m/Yq+Gsw==,type:str]",
-																			"name": "ENC[AES256_GCM,data:cqe5H727,iv:NxBbvvBBr8Kop3emjfUUmzfIYsMqjz+NfdAmjsrQu+E=,tag:ew75VgR+ZUDMXoDwP5BQuw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:m5uhUn2P,iv:gk7ObGQn2GndX2Y/SQL/vrMNbmCW+dYLJj/itBhV1o8=,tag:43QYLRf11DxTsoTSYAb7hw==,type:str]"
+																			"key": "ENC[AES256_GCM,data:G6LGBhw+,iv:bUPWQxA9Z+xag4OXowaL6eMByNPU8rOlneaP6tw0c+M=,tag:7qb3EJUhouaGwE1LbTxs6w==,type:str]",
+																			"name": "ENC[AES256_GCM,data:jGG3OPT2,iv:ejjqZ8zNd8ExBqTwW+MZjJhjDmzNUC/HNfWQZV8xENc=,tag:pa44XFZJmGSstwATYaYjjw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:1pXgPEJm,iv:+n6JP+iIK13umj7cul+69K+PrlzJitNrcCWfRs3wT/o=,tag:NyTrvjv5w7Dq5rf2C87J7Q==,type:str]"
 																		}
 																	]
 																}
 															],
 															"caProvider": [
-																"ENC[AES256_GCM,data:BUEZsDTO,iv:p/q70jE19cx3+eRnirWeHV3Y+W0JSsSGWaPPCUnQVis=,tag:oM0G65470+i7Ig0wpyqsvA==,type:str]",
+																"ENC[AES256_GCM,data:zW63ZtDm,iv:d0/m4x8BBey7MUQ/U1XdslH2cMxZlmlIZkIOG/qGb/4=,tag:NmawPW8DwurxEKqdbUQy5w==,type:str]",
 																{
 																	"certSecretRef": [
-																		"ENC[AES256_GCM,data:4ptMyVoW,iv:UUeyn//BFg11SRByfWeoo4JKuALwvokbUSvcwbggwOE=,tag:b5P+kjf0JxVWXDDwWW8Gug==,type:str]",
+																		"ENC[AES256_GCM,data:ijMNte5e,iv:6VsDDjgaOiAxvlGI8TPsKXzFcciJu8fGAPbWf8a8WtE=,tag:6QOQPXEajQeGKcgQegCwPw==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:jW4z3XEi,iv:jMDTzDh+MWJNBvt0vYxrgsR1WT+LWKz90JA1RvxmSg4=,tag:7XTrs2FgkTgX/H8Bwc5v7g==,type:str]",
-																			"name": "ENC[AES256_GCM,data:pQWSdacJ,iv:lGVyNWquFmDmoEFF5OyIhzQvy1pAaJEeDQStdtG1soY=,tag:eTzY57pKopu67llVR+Vxaw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:JFpUQIaV,iv:ZdaillnlJM375A5HE1ilO3sQ19PD+S5ny8dQ9KT5EOE=,tag:sPc+sdo+bXr4FJe9Xz7rIQ==,type:str]"
+																			"key": "ENC[AES256_GCM,data:CMk/7JyN,iv:UwxnWktqRsukqj5PKKwW0RpzoGQdmuXC96/sCndSaOA=,tag:pYgYWGVdAfQXNxULRPA4Kw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:Ql18nBEx,iv:GGRWLgAnkOw6gJ1PBJGVZvwruBmblHWBNNGYWU95Gmg=,tag:sSYGbs9zjVHYt4FqWUi9kQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:6r05V+6b,iv:U4YTnrS3DKCOjNV5ikaHYM8uXYSe3dmg8ngNwJ8Twlw=,tag:XwEn3x/9uVY0/cErqRzscA==,type:str]"
+																		}
+																	]
+																}
+															],
+															"fetching": [
+																"ENC[AES256_GCM,data:8UZWBcAj,iv:wqI2LlTk21l9SF0QyedQhn3NDI8HneVXEuBjguYTLqE=,tag:UhDf5RiOPh74aHxiFFd2vg==,type:str]",
+																{
+																	"byID": "ENC[AES256_GCM,data:SY0b+Ox5Pg==,iv:0FbDKR6D43+VhF5s36TnJEIRSm1B2Gn13JRd895LswA=,tag:IZQ9/wI8820hTr2fD/zdYw==,type:str]",
+																	"byName": [
+																		"ENC[AES256_GCM,data:WaRicAHQ,iv:W5w3RtHcNcZrgQNDB7L2xbCVXT9g6b/YkZ+F0TitYew=,tag:xYlTBiwvLzZYCHxTWcfCAA==,type:str]",
+																		{
+																			"folderID": "ENC[AES256_GCM,data:i04D7DgD,iv:+W6VmoEUpKY4TafJmf6teO6LS4ejwOJS65y1ksQBOPk=,tag:wiaNZphx/YGDT+Kcuyi6ag==,type:str]"
 																		}
 																	]
 																}
@@ -2612,31 +3876,43 @@
 														}
 													],
 													"yandexlockbox": [
-														"ENC[AES256_GCM,data:iz876bxv,iv:+McbDodtSp83NMvg06RiugW76ePZzWsXtXxqrmV/imA=,tag:FrDyvkz76oJa0TcuHzH3LQ==,type:str]",
+														"ENC[AES256_GCM,data:sVoEooVt,iv:8yYMyTDwIUzYxizV9Pfbp3v00v5nxDLWXzyXq3TclIo=,tag:iTRyd2aMiv43oF7NcIYFGQ==,type:str]",
 														{
-															"apiEndpoint": "ENC[AES256_GCM,data:GWDALFSa,iv:hXSDFAqBtcge+a12GNSUZrmYCdESZqknqn1SdaV9t2Y=,tag:ClE3M8NCnfYfanM6xP2y3Q==,type:str]",
+															"apiEndpoint": "ENC[AES256_GCM,data:/+D6JC9T,iv:EGI8FVunOXbMcos3taG/ora21s57J09QXyFGMA/rUYE=,tag:uaM4o/yn8MsIl5IKd6oGpQ==,type:str]",
 															"auth": [
-																"ENC[AES256_GCM,data:2QALzIzu,iv:7cl5Wy1XGfX0PPQAigqbWrzU0oGEX4g+73KvMVkpw+M=,tag:rC1Bi5Sqd7JLx5og9WMadg==,type:str]",
+																"ENC[AES256_GCM,data:9Oall/Fv,iv:WC52fvMSlql2W/gYzDza+oweQgeBKfym6DVq3Gjuqgo=,tag:wYT0hBmgY2Kvp7dkEqhfAg==,type:str]",
 																{
 																	"authorizedKeySecretRef": [
-																		"ENC[AES256_GCM,data:E/PgiT+5,iv:1uwHzem+ymqTBBCy4wN+jMEqJSyJin6pUs0ivSB15y4=,tag:DQkLYZlELRUcJ0j+sYUP0Q==,type:str]",
+																		"ENC[AES256_GCM,data:1trp4/ln,iv:xIiZ34uCNpvNw1OCyfe/bHv5aY3cVmYLp/pUSIFh6SE=,tag:eHpYWMKY2Lv11oZtQsyXcA==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:UrEtG9pV,iv:i3mbatX8Qs1G9u3CHw1HU2moXLWm1e7Nbl0tSWqn0M8=,tag:DpBkVn1RXgI3BtoGRUq7MA==,type:str]",
-																			"name": "ENC[AES256_GCM,data:vFR+2ahb,iv:QGxo5V+7LK8Wis0epdsEuBtIdF1UL8xcfdw11DtwsQY=,tag:wamzVrGAKtemLZSKPJyFRA==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:K5abXooj,iv:GILCbUih9JVpI+a4UEKcHHC4kSgJvnwmRb6ScT7pI30=,tag:7811pJEl1jL+LOq4JpMy3Q==,type:str]"
+																			"key": "ENC[AES256_GCM,data:EcMN8+oN,iv:S95ZaQcVSmmriPohdGLvzbB9+hOB11Ada7mbyJyFUX8=,tag:wGMILnlK9K+JQm3hqgZIpA==,type:str]",
+																			"name": "ENC[AES256_GCM,data:K8Wyr1y6,iv:p7MWdEKpduB3AM0WEV6Pcw4bho9UqOJl3+VguMF0u90=,tag:tIXqlNf1IIugFFJYKMQ1Lw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:xMMN1I8a,iv:sm/2Bqv/ozI0xMx+8AuyOQqOULvE8crZpcj9rlzLFBI=,tag:1tr21++ccqqYD7W2QMpLdQ==,type:str]"
 																		}
 																	]
 																}
 															],
 															"caProvider": [
-																"ENC[AES256_GCM,data:KV4l9h50,iv:ioWjbD4dbu9ZsBNU8MM5U4p4jVwNygm1S+orL1FrqRo=,tag:9Kw4R0NZt9mx/cIA+6Ptpw==,type:str]",
+																"ENC[AES256_GCM,data:wiFDSCcq,iv:tyX8oIshYWQOkucJIy3iXjHQyimtzPlDUYq4z3PgAqw=,tag:GMUdzNSGF2xVOPVJkdXrIg==,type:str]",
 																{
 																	"certSecretRef": [
-																		"ENC[AES256_GCM,data:u7rXmC2/,iv:IEsq/79PIyrUrpOdiefymWrLb9CbgEUoAnDNnPdrwK4=,tag:xVcVcgW8NNmJqYrVsl+ojw==,type:str]",
+																		"ENC[AES256_GCM,data:kL9y0JeC,iv:7ETYaa9qeolbeW6dwG3nktLurwsyfdo/FV0MYo/D+q0=,tag:74VOIyxzV3MLy/cLmmp1Cw==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:kLmh2y22,iv:f1dUB9q1ij1PL0ahOAG9celKgtuXS74lfzlpUsdj01Y=,tag:RrxWqYjKe6NfXEFM0cieoQ==,type:str]",
-																			"name": "ENC[AES256_GCM,data:SBou+8E2,iv:BZ7zewpUYUvgNEURi3fuGGZgmjrYk/azbVuQLVyjqiw=,tag:pQBkCrH2oGvijcUIf+AkVw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:Gxu14Bxe,iv:/mq8h1VR/0d34G6fiFD+icQ5y8FJrFIaw56bOcpak2c=,tag:2jAmtlsVsXjol0/K0MXUGQ==,type:str]"
+																			"key": "ENC[AES256_GCM,data:qk5bNatT,iv:FePlKgXs+t+OGlCtf8tZ+ZqLp2GGP8ZQEdgt0A9/MV8=,tag:kb8ZYKn7f1XVJWWNjbji0A==,type:str]",
+																			"name": "ENC[AES256_GCM,data:GqrxxUmY,iv:j/l1YLxXwgdF9LoiF+D4pZPoBOkzCfUXvGCWlr6DFBI=,tag:orZtiKARv8o8I9eRHZnXKw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:D8EHK6ZT,iv:iDNubSg2gpmccHICYCAytAxJP/MZ3Vw/Mof9wTEWoeM=,tag:SVAKCF+5WUh7A+zJ7fQbkQ==,type:str]"
+																		}
+																	]
+																}
+															],
+															"fetching": [
+																"ENC[AES256_GCM,data:m+IlYewb,iv:M0kuiFxa3FG0is4LTcACBjMW0VwyfoZuJJfGsgJrs6Q=,tag:h8tqJoHr4+RYQv01d8rZ7A==,type:str]",
+																{
+																	"byID": "ENC[AES256_GCM,data:4oYyD5yQOw==,iv:udurQDaEpyTABPHqQOaXpD/wd7bBdCOeVpd+/SykNZE=,tag:73fGApgASDHmMtf8R6od7Q==,type:str]",
+																	"byName": [
+																		"ENC[AES256_GCM,data:Hk+QgIfp,iv:xHHjQHfyOp6t9YZaWpP1VZON/FIAatJHLz4F1a0PbPk=,tag:3v+9DOusHWp91eQs782g/g==,type:str]",
+																		{
+																			"folderID": "ENC[AES256_GCM,data:Mu3f4L48,iv:Rszjlew/lqCF9/gItaA3c4BC4XbZJ0j9d1tN70jss+4=,tag:b211BFNQRdAKnSixY2sO9w==,type:str]"
 																		}
 																	]
 																}
@@ -2645,12 +3921,12 @@
 													]
 												}
 											],
-											"refreshInterval": "ENC[AES256_GCM,data:6yFvodx8,iv:lc1XlrFFKYeSztMcmpD5ZBKr67+FlqenCNLu03PREyQ=,tag:ppUHkzsCzxyPW5KnkILE7Q==,type:str]",
+											"refreshInterval": "ENC[AES256_GCM,data:iz9Kujog,iv:1a4fNHtdeSHH4Xtk16LcSIB17LpcteBKScYtXYXm4/w=,tag:kiRQBU6AM2m175rkzSTHyQ==,type:str]",
 											"retrySettings": [
-												"ENC[AES256_GCM,data:fGUSDV6c,iv:M+i+Ib1nwXknJsiSWVuVPxdxt7ChVl7W9o0K3WNn/oY=,tag:CEMhr7tPkBj7EtXwuXH2Jg==,type:str]",
+												"ENC[AES256_GCM,data:lylbd7GF,iv:+nd0oBm3dp6aenCPhNFON9VPjgSdV/nqI0A8xwjKeg0=,tag:KU3W8yPnw+g0efbycMBoLQ==,type:str]",
 												{
-													"maxRetries": "ENC[AES256_GCM,data:WrEro0za,iv:BjpaADBpREKpxlXQ1QUdzsbw49iW8ZYxmJuvtzwovCc=,tag:heNJ5Tyz0fA/tXoTdUknhg==,type:str]",
-													"retryInterval": "ENC[AES256_GCM,data:SfKJnf+K,iv:0wfxWH5H0TLrzBg6ESvTJJ1Ovb20xUsJQ+Z5YVXP8DM=,tag:0UglU4vGM+hJTiU5QI+fsA==,type:str]"
+													"maxRetries": "ENC[AES256_GCM,data:fiqkpVii,iv:cabArzB/cBHydOe45RyuRJBTygBi1ayA3FBeJmAGtFk=,tag:rnIg2pWlgyszAwE83gRGiA==,type:str]",
+													"retryInterval": "ENC[AES256_GCM,data:x98fTXHt,iv:l3xIjZKShugw9yfoG0Ln9q8JhcFrUzps2dqIPgcis08=,tag:HWbp5aHsKWYrJtOuJQ6+nQ==,type:str]"
 												}
 											]
 										}
@@ -2663,93 +3939,100 @@
 						"wait_for": null
 					},
 					"sensitive_attributes": [],
+					"identity_schema_version": "ENC[AES256_GCM,data:lA==,iv:lm1Vp0rT/EGDxg0wwWfwRqFGm52OsCipgHcKYvvUSgI=,tag:RBdv9MUxCuFq0K5SWf04qA==,type:float]",
+					"identity": {
+						"api_version": "ENC[AES256_GCM,data:sOZ+82m8S6GSz1eYo4ICkDHzmqOM8w==,iv:yzkziLUKQalHdGAc/0UpBxB3QMrj27bnSfG/8IBLXFQ=,tag:jd42kgRRiMNsAZpFOVyEDA==,type:str]",
+						"kind": "ENC[AES256_GCM,data:LTc8fbWOQsIRrg/1cR7sVCqq,iv:I8XefKwrGHoDxnvVyTjg+Z9XCZK21us2goqPeYsgWWY=,tag:lChsPSq5GC1P3brMJxNokg==,type:str]",
+						"name": "ENC[AES256_GCM,data:c9hncHOsJUybBIMqCZc=,iv:JXX0If2h3ov3rz6Mu9H6pVVRaQOG9U7MwUw3gFA4gUM=,tag:PUQl2kSkzvSblGhVcj7GpQ==,type:str]",
+						"namespace": ""
+					},
 					"dependencies": [
-						"ENC[AES256_GCM,data:BvvK27OBirlaTaHTQ+upnSuILsYS9FL1pQvL3eQ=,iv:M1iIeNg9vmtpRIltiIXid8EANp5cgXNr1wYoOQ7wjSo=,tag:TM8AEcXW2ekoDbQYYlQKYw==,type:str]",
-						"ENC[AES256_GCM,data:XBiyWAhRYhS0pbjIwm8fIwe74ty3VUUSRL22lgMXtu8Q/+Udpw==,iv:CigUbucuOSANmEokgq7ARVoLWUDN+zDjmQEplzrtEzk=,tag:fLZJeQAei/Q2ZO8f7/Spfw==,type:str]"
+						"ENC[AES256_GCM,data:hDehJXMwhfkhumjWdy5yF3rVdkv7DetCfG5joYY=,iv:LNE6W0FHA0yDCbpb4LW4u3/H3Kc6FzupxxyDZ8xJWg4=,tag:RKo3MSEQDcxuVByYyBujVQ==,type:str]",
+						"ENC[AES256_GCM,data:JfU5+oTVPlW++zyEk5XhCMw0qO503mv0YpG2cdW1O+BbN5ur9Q==,iv:cTeIWkDO/lz9CvN+TDAxg6Zv7cM29vRDdxv7XHbLqU0=,tag:ErF0HSHFWiiLqCKLkHCG3A==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:6gPDOH5WoQ==,iv:iCEelkeqwKGlrjTOXJwymSwbcRxSbWRh8W0xUKZIhDw=,tag:knFeNHhHT5EljOaNvSZUXw==,type:str]",
-			"type": "ENC[AES256_GCM,data:diejkez5RE72kcHElO1xnelSYg==,iv:Np0kwvfGyuYA3DyOrP/QeE//0/+nVHASsFyCLtLho2k=,tag:BGIxGMj+Y5dQByVUtaT09g==,type:str]",
-			"name": "ENC[AES256_GCM,data:NXiWYxvnwJDScuAH,iv:xnpundy7DSMeOdTw12vYNIOjT6CueeLSGptNCykWE6U=,tag:SLC1bdLScfbvCS2ZNMbiwQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:LCEdy5OWmLqiglnfMOaB+3g9ubHF7WVrOMaYAKIvdBXxh6KV8OY+/3h3ICfV/6Lnehwas+1P,iv:aw+U8SGMwrc6xa5QPWW1QCP0BdM1h5kecPGdV1UEMYs=,tag:rPF1CFfrVlBWKNdoeB7n6A==,type:str]",
+			"mode": "ENC[AES256_GCM,data:ZHKMFUts1A==,iv:kCzEvc6/Y4zOZlfSNfX+xYxY1TWYDzJadG9ripwR+uo=,tag:CAfP4BNdnkI6ha6Wymi8nw==,type:str]",
+			"type": "ENC[AES256_GCM,data:iUm8Mk5DXPzTTsi0rJToWg/Fvw==,iv:VV621BZC1O0I1n4iBRYLvLal9O39he+qJ9j822Imnmc=,tag:+4oQkdbBvsaYrRjiEy/6vg==,type:str]",
+			"name": "ENC[AES256_GCM,data:mWPEkNGIr/8MFtbN,iv:bDYZJtQvr/Mvq0iBdFDI0YnuWmJ2cqN+J1Ayuq6rr34=,tag:pSTESdI6s35zVd8pb58KbQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:6EfB9/8D4Wr+ibj63ilvQBGwT1BJqPTvnXP3+/cJz3Ktyu0goPgKMqWv8dXYINwZ2Zv+IIOs,iv:M2P8GRgn4tTGtmlql0DkBctVWktvZU1yrmIuO+8q8x8=,tag:HmbrQhZPi7/aGQrUTxu2RA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Mw==,iv:E+p0APyJaEiGZbLrxJUmPd0E3mJ6tN5S/69PYz9u+7k=,tag:9QCsU5HOhiYlnbDzj/D02g==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:GA==,iv:2HKnq3awv/1UlIPo+Muzw+iA2m+T4qflcqTjL+Bc3Qo=,tag:DMUv1RSU4FQBZR4qkwnQaw==,type:float]",
 					"attributes": {
 						"computed_fields": null,
 						"field_manager": [],
 						"manifest": {
 							"value": {
-								"apiVersion": "ENC[AES256_GCM,data:BjNeecLXYGnZ1GDOBXzq4F/1azny4H/t1Ba3,iv:2ST4xOto/woJ1gOSQs9ZJ85oGb09J6dasTDBlF4/WaA=,tag:ckxIWzajInfdW8Fbf6t99Q==,type:str]",
-								"kind": "ENC[AES256_GCM,data:k8e+jujtEbtZvhkpNvAUTJpQ,iv:AM0ZMijx+7vamTCEAYdGs4LEuLGBam6qIoXJYrxZ2sU=,tag:KuCf+Vi8NzQHdfRV7tS2qQ==,type:str]",
+								"apiVersion": "ENC[AES256_GCM,data:DZMOJAyuvPK4tWf3Fh5iYOqtBh/Nsg==,iv:rhwdkRCvPsyw/f16ulXJwu3zsJH1HRP02pT1sH6rGtk=,tag:csX7dDJVVQbqGYLkthZTiA==,type:str]",
+								"kind": "ENC[AES256_GCM,data:vTk268W4JuVtUp4p5FYyBo4B,iv:+9KauleQWAR+xWaFh55coNvByNLfj+wKyjj65AoqWGM=,tag:wT7u9xdW18RKaPl6hoVOyA==,type:str]",
 								"metadata": {
-									"name": "ENC[AES256_GCM,data:CripAv+Ig+8=,iv:IQvf0AF+v4/fc9LhDwSTnRybrdV/+UZot1L/AxwD+Eg=,tag:xdcYcUzzTJedhqhdVmqLdQ==,type:str]"
+									"name": "ENC[AES256_GCM,data:sgFDaBk59o8=,iv:eP35Q5XadM/R+a5kUeFeIvHddhbK6UBf823imCTP2AA=,tag:C+POIR1JNlxUUdTMLFzyNQ==,type:str]"
 								},
 								"spec": {
 									"provider": {
 										"vault": {
 											"auth": {
 												"kubernetes": {
-													"mountPath": "ENC[AES256_GCM,data:yT9bVwjM976Uwg==,iv:kKGXDX+/yY8XUqBZssOu0CmmPGBndLt/rJH7VppUENY=,tag:qlvhxQ+YOswmV5GytC3EsQ==,type:str]",
-													"role": "ENC[AES256_GCM,data:xe/O,iv:9ufqVDzj1ZW7HajN3rbCfBH8b6ADLSgcLbJSCeTRfgg=,tag:0TPvtJXWyX/5BUd7UYAW9g==,type:str]",
+													"mountPath": "ENC[AES256_GCM,data:CLEEGHgXEGPkeA==,iv:/I/QSWTom8ZB26RAj+fl2+WoRBSDmUk4KTkcjRebZqQ=,tag:Y7Yy8/553RB2HbPjKvJe9w==,type:str]",
+													"role": "ENC[AES256_GCM,data:Ltk1,iv:XovllIZjzBpvKSj0TNduPXVnQxvcZT1HhTkyPLPenTQ=,tag:ls5BOtMtoxGzbIQngdpp3A==,type:str]",
 													"serviceAccountRef": {
-														"name": "ENC[AES256_GCM,data:O6RUeLpFdfle1xtamcxFvw==,iv:LbSgDjlhk8gcTzMkwg69NhPHBYptuKbkIERz08MLPqo=,tag:ANbf1YMUcJ4Ye6hYR5Oa4Q==,type:str]",
-														"namespace": "ENC[AES256_GCM,data:uaRgVEj8gZCtHkii3QBuig==,iv:ggmBexeYUjTONRxgf7h2l0cSVFaQwDhweqT/bSN87B8=,tag:dvBq8JxSH8/rQMfPWJfFCA==,type:str]"
+														"name": "ENC[AES256_GCM,data:Xpn4DMfxmxPE314wteXCaw==,iv:ZeMxyQefFrCrlxNuJqvO40r4hYpgxyxsGYz4CZJR0fk=,tag:Y8idf0jnkbFf0IfuUR0BTQ==,type:str]",
+														"namespace": "ENC[AES256_GCM,data:X6BuveW5Yyp6YtJFHXRiuA==,iv:ZppeQw9GLpvzCwaUF+66elXBpeX0HKg+tAlHQjHGtfk=,tag:ra9n5rG6Xgbgj1gXmDTzoA==,type:str]"
 													}
 												}
 											},
-											"path": "ENC[AES256_GCM,data:X0Ia8Ln4,iv:SFpexDER/xAvkMuKzg5KFjtd0nVPFNXEvSKzyqSm5OE=,tag:2LOC4zRcC+w1v2eui6uSnQ==,type:str]",
-											"server": "ENC[AES256_GCM,data:nAegQKFOz1bRInj5x+7qXmtJTQSEoNILk62Slr876abgSGZfjXmvg9w7lm/A2olz,iv:+aGvi+jT3NPuwVNuOpminLX7LddHjpa136f1F9u9WkQ=,tag:mtikRQaRUYoP01Uo7ReEoA==,type:str]",
-											"version": "ENC[AES256_GCM,data:BZU=,iv:Y+RdtZACnWqm9fHQmB3K+dcUFg0G/jqEHY2RaRYHbIg=,tag:7RZTwnDN5KO+LZlcasMv9g==,type:str]"
+											"path": "ENC[AES256_GCM,data:Pz3GJ0mY,iv:UqXlx1gJ/JoAAOo6m/5nag3/Kb5F3Br6Lai+GDlV54Y=,tag:UeG92SkZ3aNUg1s1qL/0+w==,type:str]",
+											"server": "ENC[AES256_GCM,data:dJiqqZUzivxXxfrZQXlytdZI3cE6vUeZhJNGMhut1KnYV1ZKoJM2+Sw8ZDxg0Dhm,iv:NnykJliGtZOX/pTASV0SyUmKCl8giuveO1paKYM7UmQ=,tag:VIE1RBIHz8mPNz3iW3C47g==,type:str]",
+											"version": "ENC[AES256_GCM,data:cK0=,iv:hAD2P6OippWCUMRovu+55x2Int1ufsj6BdC10QQHbSI=,tag:RX9n1P61pjCqwrRiXGuT2g==,type:str]"
 										}
 									}
 								}
 							},
 							"type": [
-								"ENC[AES256_GCM,data:moq6F1Qy,iv:/9pPjCX4mTB0nvwHuYTwqYDSaT5c5n0I13ZyHbGoS3o=,tag:T5OG4ySrjx/+OOVGM3LHhQ==,type:str]",
+								"ENC[AES256_GCM,data:emFiMVxJ,iv:CJWMUtn+hb3QuYEePy9HAGkt+pN/+xKdtKcD5ufHAxs=,tag:HVvmC3H8WTbtB0DylJ7yCw==,type:str]",
 								{
-									"apiVersion": "ENC[AES256_GCM,data:YqJSRNe5,iv:vcTafMjjT5Cle6IbF7A/iw9n5Ulj415OzdW+uRXfnbA=,tag:ZxEcbxDGzWm2F6YY7QAD1Q==,type:str]",
-									"kind": "ENC[AES256_GCM,data:F6PzapcR,iv:GmXXZjynKZJ+AfF75yLcNXp6BoweGyFgFEqYyUNXhzw=,tag:UbCouzG2gLQQd/EhhU7LFw==,type:str]",
+									"apiVersion": "ENC[AES256_GCM,data:ADGsh2yy,iv:NIo2MVN1TaASfIPIhbi2s5+5OihPwOoCaUdo1q5bvSg=,tag:1dtrBJRF63+EDVnab4c9Hg==,type:str]",
+									"kind": "ENC[AES256_GCM,data:27zlWPsq,iv:WUxONat71ZEJ87FJYxoSjGabeGabGGS/RVRDzoJffhg=,tag:+f9Hxk793vJ+IZplTIYULw==,type:str]",
 									"metadata": [
-										"ENC[AES256_GCM,data:BVdeZ/1t,iv:E0DympMazhVkpJu1KPmfcJXUO4R7En8sc6li2FJhksY=,tag:sbrW1IKoJLaNGqX+GiANeA==,type:str]",
+										"ENC[AES256_GCM,data:qvbB+0g6,iv:RfvmZ5IHyGL4MYqggdtYhXU+XttBv0UOh6n1GnAXUaY=,tag:9sgh2mAN/jTVrZiq6lGF6w==,type:str]",
 										{
-											"name": "ENC[AES256_GCM,data:RRhje5Ls,iv:BcDVAupELB8Ua2eDmnNyEzd9UEEWUAW4Ypoac6wJRZM=,tag:gwm9/HM9+CEBrTTbBPBn4w==,type:str]"
+											"name": "ENC[AES256_GCM,data:KSbzDDwV,iv:4H+x1322mDNtYssOxBuK076ScSNw9e/XP/UQ69Zhp2Y=,tag:b+vUikI6tRXJtGsMk3H7mA==,type:str]"
 										}
 									],
 									"spec": [
-										"ENC[AES256_GCM,data:rbloYumf,iv:+29krUdN/SMX8WF4RZq9EhZGQ27bm0/HTKhbRqgdRlI=,tag:GPbLW6gh/xJhc9Yn7/Derg==,type:str]",
+										"ENC[AES256_GCM,data:k+epNvkW,iv:NsYhskM5i+eP0j4T8g4K3SIg3xWNSKOnzFwnH4uaf24=,tag:e5Y0LcyPcl/jYUVvRW/3Nw==,type:str]",
 										{
 											"provider": [
-												"ENC[AES256_GCM,data:9yQJpt4s,iv:MuDs9wM4u2Ma5Sz/j2hD2E60loFGVHaG4G/cCmUxvkY=,tag:tU0WB02EivoDxQWYkZz23g==,type:str]",
+												"ENC[AES256_GCM,data:+ugDP/fR,iv:Wb+GXgEe7+pvc8QKob81PRruLgozX3sLaCUoqSYXr1Q=,tag:iW9RrRGvZnYToT+QyKZp/w==,type:str]",
 												{
 													"vault": [
-														"ENC[AES256_GCM,data:ODlB4ett,iv:hR8BlXsoBikp6WTowrOjJgOMWb6Wg8Z2peAYB+NAcRI=,tag:CgpSW2aRO6+320EFMkKWQQ==,type:str]",
+														"ENC[AES256_GCM,data:vSGudsEs,iv:2LzNtFH2bDQ4PdSNzScR/i4oIDlyZwXputoIsPmQ0/s=,tag:0tCi+SXsAk6pHCMcVrj7vQ==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:4OtXZyyQ,iv:n81fTU6MydrPe/wl3CCm4liq+ygR4j6tSK3vT+pbxzg=,tag:pxRtlYBBqC+N5rMPylSpVg==,type:str]",
+																"ENC[AES256_GCM,data:VfehCZVq,iv:jGvNUIAXBTVXmEI6m5JhNvNt+GhC+rneIJWvaXrptts=,tag:cSRpmYCXssy+Jma6Ca9pkg==,type:str]",
 																{
 																	"kubernetes": [
-																		"ENC[AES256_GCM,data:86H++Xgj,iv:EJhBar6J0VxBQ6mPMeVRfYI+IzzgPpAV1mEQvaaKYoo=,tag:n2mokFI/m+QfXNbaLdB6Cw==,type:str]",
+																		"ENC[AES256_GCM,data:9aw01wu4,iv:69D3c2LjjRYU9djsG0e2KjQye1l4mWrfddajEfsGFwc=,tag:nTPbih5zf/htIwe+aMLMwg==,type:str]",
 																		{
-																			"mountPath": "ENC[AES256_GCM,data:ncFpTBxU,iv:Rx305GGAFNWOx7EoX4/RkPHHFI0IwAxrUvGVnIGELJo=,tag:bRKI0pWbXbTtDiqZL0G4XA==,type:str]",
-																			"role": "ENC[AES256_GCM,data:35rWFrA2,iv:JpqSs+dwFSQXKerPNehMhFEfIPCRCZiCcQReMerkr8E=,tag:oPs5ccZihVR+6z5RbLJBPw==,type:str]",
+																			"mountPath": "ENC[AES256_GCM,data:5tm/Pl94,iv:dXTTh19zCVfPLwTNvQKeOvyI8LP2mD62Ywo+Q/EEGdA=,tag:sNMI47xBjxuxf3zr2HqU1g==,type:str]",
+																			"role": "ENC[AES256_GCM,data:+yxCjS25,iv:iNj1BIb1A+edW46Q+vDLryPZWSGgsoRwadr9eEjY0cM=,tag:uIbv7VYZO0JnRdCO9fpydQ==,type:str]",
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:ubZM9AV9,iv:roRpPBdjYXXeiCZw/P3D0Lu3axjVsyL/7uKvGUtNwJo=,tag:SAhbWsV9Kd72sBnpJ1fE4w==,type:str]",
+																				"ENC[AES256_GCM,data:jridJLCu,iv:LkLxKsc7/YuV807ii2MCXBoIsZF8FHcNwZLVV0w+5vw=,tag:NJSU4jk5r+CrxjnkDcc13A==,type:str]",
 																				{
-																					"name": "ENC[AES256_GCM,data:2BfKcJVH,iv:eNYR8hGgqmqdetomA8GlytN0IRg2tN4QtH7iGG2gdPA=,tag:uX9iJqSPeOgdZ1rxhNsgYA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:O3hu4W5w,iv:1BHD1bopdglW7gnL5yseXDja2KZOD+DmvdVJca1/Exg=,tag:j25bijMD2YVnyWIcRt7RNw==,type:str]"
+																					"name": "ENC[AES256_GCM,data:ePaIf5Di,iv:VPNsu9Y1WLxFI+qP3hhs0fK/Y8aYpkVJSaFeqSYK9zs=,tag:aZeieqD9letY5BXA8rqeeg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:ubkWs9zY,iv:y6htTXXZkV8u5D/TC7qCkeZUGmvgqL6KffPQ/oOmm/g=,tag:c29506X1EHDyzV3bG2ZDWg==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"path": "ENC[AES256_GCM,data:VPjjRbin,iv:to51VpJqDlLtElQ6ZfcXCdabmpm5B9J1EAS0B0dfk9g=,tag:hzCcDJWrTi/+JmVjOlyFqA==,type:str]",
-															"server": "ENC[AES256_GCM,data:EcfOZ/pV,iv:nyJeJmvcX0BSZf1wZaq0Bch01dz7GLdCIA7k41pM2LY=,tag:rionYMMFGkpq8SUD/XcaVg==,type:str]",
-															"version": "ENC[AES256_GCM,data:c20d5uKs,iv:gHB4N3uRG51C4m1bPvDahLi/0GaulpxwzmcmSeu71Dg=,tag:kqIV1r7vxZCJDqe4JDG34g==,type:str]"
+															"path": "ENC[AES256_GCM,data:+oI05vKv,iv:uE85EvLjsDaoaCdacGjAfBSt+BaoeUq+60RXsGk3IBI=,tag:kqZimMcdRFeTkv1QNN82CA==,type:str]",
+															"server": "ENC[AES256_GCM,data:BwJtKb4C,iv:eUCrLscskVG1DVI8VaqmcD3efpx2opa5Aqfvmzl0kZg=,tag:wVIp9MRiQqGwA+ad08kDug==,type:str]",
+															"version": "ENC[AES256_GCM,data:xoaFKOgN,iv:ReDEqZgdtMkvyf5wC+YtJyp5r63GXsYTdWZIJCaWkJM=,tag:eirYrMxFHsViXDIIsNfHrg==,type:str]"
 														}
 													]
 												}
@@ -2761,8 +4044,8 @@
 						},
 						"object": {
 							"value": {
-								"apiVersion": "ENC[AES256_GCM,data:k3uVLRlFo4Ubekd//F7aG+8Xgjwl2LQ7CoSg,iv:Gk1G8NXKii7h1oN07aHhOf0IlZh62dIATLdAl7SWGl4=,tag:els80FLC3Fkt6Gc/87KgGA==,type:str]",
-								"kind": "ENC[AES256_GCM,data:fv59xBM7w1s2o5MrEv2JgF3Z,iv:ojuEUcX76LPWl5RSNBUn/NnZYu+V9l7EgQ3KblY47OA=,tag:zgAzrtfGLa2zUqIToRUx6A==,type:str]",
+								"apiVersion": "ENC[AES256_GCM,data:6Cn8P/WBD/zKUOyFpVvmhhhGgeaqnw==,iv:ZQOnzt8H9nPWGlATJITCubTRDIKE+UPwapjTyEYskIY=,tag:1PL5zOwX+nvUUlGLVYYuuQ==,type:str]",
+								"kind": "ENC[AES256_GCM,data:qtdhr5V9ShNTvQVuFTmPOiow,iv:B1wRIgaYB1153c0Sx+I6zD3bcAXGbVC9l3tNuMhrkx0=,tag:ffBfAN5D90Z7nf/+IC01Bg==,type:str]",
 								"metadata": {
 									"annotations": null,
 									"creationTimestamp": null,
@@ -2773,7 +4056,7 @@
 									"generation": null,
 									"labels": null,
 									"managedFields": null,
-									"name": "ENC[AES256_GCM,data:U2/cSjtRT8c=,iv:iLnntYQHvoGjZrSwhSLfXZuWgTMIAVUKW/Xw3IPYsao=,tag:FIlOzMpAxzpPgzHSuqBYyQ==,type:str]",
+									"name": "ENC[AES256_GCM,data:a55RbRi34UA=,iv:deuS6o/n8LBZ9JpDjC14lx6BtwyPGJxjJneqV/V2hhU=,tag:RxyPHP548iPPLg3f1sv2mw==,type:str]",
 									"namespace": null,
 									"ownerReferences": null,
 									"resourceVersion": null,
@@ -2827,29 +4110,6 @@
 												"type": null
 											}
 										},
-										"alibaba": {
-											"auth": {
-												"rrsa": {
-													"oidcProviderArn": null,
-													"oidcTokenFilePath": null,
-													"roleArn": null,
-													"sessionName": null
-												},
-												"secretRef": {
-													"accessKeyIDSecretRef": {
-														"key": null,
-														"name": null,
-														"namespace": null
-													},
-													"accessKeySecretSecretRef": {
-														"key": null,
-														"name": null,
-														"namespace": null
-													}
-												}
-											},
-											"regionID": null
-										},
 										"aws": {
 											"additionalRoles": null,
 											"auth": {
@@ -2878,6 +4138,7 @@
 													}
 												}
 											},
+											"customSessionTags": null,
 											"externalID": null,
 											"prefix": null,
 											"region": null,
@@ -2888,6 +4149,7 @@
 											},
 											"service": null,
 											"sessionTags": null,
+											"sessionTagsPolicy": null,
 											"transitiveTagKeys": null
 										},
 										"azurekv": {
@@ -2914,6 +4176,12 @@
 												}
 											},
 											"authType": null,
+											"customCloudConfig": {
+												"activeDirectoryEndpoint": null,
+												"keyVaultDNSSuffix": null,
+												"keyVaultEndpoint": null,
+												"resourceManagerEndpoint": null
+											},
 											"environmentType": null,
 											"identityId": null,
 											"serviceAccountRef": {
@@ -2922,8 +4190,32 @@
 												"namespace": null
 											},
 											"tenantId": null,
+											"useAzureSDK": null,
 											"vaultUrl": null
 										},
+										"barbican": {
+											"auth": {
+												"password": {
+													"secretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"username": {
+													"secretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"value": null
+												}
+											},
+											"authURL": null,
+											"domainName": null,
+											"region": null,
+											"tenantName": null
+										},
 										"beyondtrust": {
 											"auth": {
 												"apiKey": {
@@ -2969,7 +4261,9 @@
 											},
 											"server": {
 												"apiUrl": null,
+												"apiVersion": null,
 												"clientTimeOutSeconds": null,
+												"decrypt": null,
 												"retrievalType": null,
 												"separator": null,
 												"verifyCA": null
@@ -3011,6 +4305,23 @@
 											"serverUrl": null,
 											"username": null
 										},
+										"cloudrusm": {
+											"auth": {
+												"secretRef": {
+													"accessKeyIDSecretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"accessKeySecretSecretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
+											"projectID": null
+										},
 										"conjur": {
 											"auth": {
 												"apikey": {
@@ -3072,20 +4383,17 @@
 											"tld": null,
 											"urlTemplate": null
 										},
-										"device42": {
+										"doppler": {
 											"auth": {
-												"secretRef": {
-													"credentials": {
-														"key": null,
+												"oidcConfig": {
+													"expirationSeconds": null,
+													"identity": null,
+													"serviceAccountRef": {
+														"audiences": null,
 														"name": null,
 														"namespace": null
 													}
-												}
-											},
-											"host": null
-										},
-										"doppler": {
-											"auth": {
+												},
 												"secretRef": {
 													"dopplerToken": {
 														"key": null,
@@ -3099,8 +4407,28 @@
 											"nameTransformer": null,
 											"project": null
 										},
+										"dvls": {
+											"auth": {
+												"secretRef": {
+													"appId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"appSecret": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
+											"insecure": null,
+											"serverUrl": null,
+											"vault": null
+										},
 										"fake": {
-											"data": null
+											"data": null,
+											"validationResult": null
 										},
 										"fortanix": {
 											"apiKey": {
@@ -3130,10 +4458,50 @@
 														"name": null,
 														"namespace": null
 													}
+												},
+												"workloadIdentityFederation": {
+													"audience": null,
+													"awsSecurityCredentials": {
+														"awsCredentialsSecretRef": {
+															"name": null,
+															"namespace": null
+														},
+														"region": null
+													},
+													"credConfig": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"externalTokenEndpoint": null,
+													"gcpServiceAccountEmail": null,
+													"serviceAccountRef": {
+														"audiences": null,
+														"name": null,
+														"namespace": null
+													}
 												}
 											},
 											"location": null,
-											"projectID": null
+											"projectID": null,
+											"secretVersionSelectionPolicy": null
+										},
+										"github": {
+											"appID": null,
+											"auth": {
+												"privateKey": {
+													"key": null,
+													"name": null,
+													"namespace": null
+												}
+											},
+											"environment": null,
+											"installationID": null,
+											"orgSecretVisibility": null,
+											"organization": null,
+											"repository": null,
+											"uploadURL": null,
+											"url": null
 										},
 										"gitlab": {
 											"auth": {
@@ -3145,6 +4513,13 @@
 													}
 												}
 											},
+											"caBundle": null,
+											"caProvider": {
+												"key": null,
+												"name": null,
+												"namespace": null,
+												"type": null
+											},
 											"environment": null,
 											"groupIDs": null,
 											"inheritFromGroups": null,
@@ -3159,6 +4534,7 @@
 													"tokenLocation": null
 												},
 												"secretRef": {
+													"iamEndpoint": null,
 													"secretApiKeySecretRef": {
 														"key": null,
 														"name": null,
@@ -3170,6 +4546,129 @@
 										},
 										"infisical": {
 											"auth": {
+												"awsAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"azureAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"resource": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"gcpIamAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"serviceAccountKeyFilePath": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"gcpIdTokenAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"jwtAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"jwt": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"kubernetesAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"serviceAccountTokenPath": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"ldapAuthCredentials": {
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"ldapPassword": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"ldapUsername": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"ociAuthCredentials": {
+													"fingerprint": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"identityId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"privateKey": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"privateKeyPassphrase": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"region": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"tenancyId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"userId": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"tokenAuthCredentials": {
+													"accessToken": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
 												"universalAuthCredentials": {
 													"clientId": {
 														"key": null,
@@ -3183,9 +4682,17 @@
 													}
 												}
 											},
+											"caBundle": null,
+											"caProvider": {
+												"key": null,
+												"name": null,
+												"namespace": null,
+												"type": null
+											},
 											"hostAPI": null,
 											"secretsScope": {
 												"environmentSlug": null,
+												"expandSecretReferences": null,
 												"projectSlug": null,
 												"recursive": null,
 												"secretsPath": null
@@ -3197,7 +4704,8 @@
 												"name": null,
 												"namespace": null
 											},
-											"folderID": null
+											"folderID": null,
+											"getByTitleFallback": null
 										},
 										"kubernetes": {
 											"auth": {
@@ -3243,6 +4751,43 @@
 												"url": null
 											}
 										},
+										"nebiusmysterybox": {
+											"apiDomain": null,
+											"auth": {
+												"serviceAccountCredsSecretRef": {
+													"key": null,
+													"name": null,
+													"namespace": null
+												},
+												"tokenSecretRef": {
+													"key": null,
+													"name": null,
+													"namespace": null
+												}
+											},
+											"caProvider": {
+												"certSecretRef": {
+													"key": null,
+													"name": null,
+													"namespace": null
+												}
+											}
+										},
+										"ngrok": {
+											"apiUrl": null,
+											"auth": {
+												"apiKey": {
+													"secretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
+											"vault": {
+												"name": null
+											}
+										},
 										"onboardbase": {
 											"apiHost": null,
 											"auth": {
@@ -3273,6 +4818,24 @@
 											"connectHost": null,
 											"vaults": null
 										},
+										"onepasswordSDK": {
+											"auth": {
+												"serviceAccountSecretRef": {
+													"key": null,
+													"name": null,
+													"namespace": null
+												}
+											},
+											"cache": {
+												"maxSize": null,
+												"ttl": null
+											},
+											"integrationInfo": {
+												"name": null,
+												"version": null
+											},
+											"vault": null
+										},
 										"oracle": {
 											"auth": {
 												"secretRef": {
@@ -3301,6 +4864,40 @@
 											},
 											"vault": null
 										},
+										"ovh": {
+											"auth": {
+												"mtls": {
+													"caBundle": null,
+													"caProvider": {
+														"key": null,
+														"name": null,
+														"namespace": null,
+														"type": null
+													},
+													"certSecretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"keySecretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"token": {
+													"tokenSecretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
+											"casRequired": null,
+											"okmsTimeout": null,
+											"okmsid": null,
+											"server": null
+										},
 										"passbolt": {
 											"auth": {
 												"passwordSecretRef": {
@@ -3314,6 +4911,13 @@
 													"namespace": null
 												}
 											},
+											"caBundle": null,
+											"caProvider": {
+												"key": null,
+												"name": null,
+												"namespace": null,
+												"type": null
+											},
 											"host": null
 										},
 										"passworddepot": {
@@ -3350,6 +4954,24 @@
 												}
 											},
 											"apiUrl": null,
+											"auth": {
+												"accessToken": {
+													"secretRef": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												},
+												"oidcConfig": {
+													"expirationSeconds": null,
+													"organization": null,
+													"serviceAccountRef": {
+														"audiences": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
 											"environment": null,
 											"organization": null,
 											"project": null
@@ -3376,6 +4998,14 @@
 											}
 										},
 										"secretserver": {
+											"caBundle": null,
+											"caProvider": {
+												"key": null,
+												"name": null,
+												"namespace": null,
+												"type": null
+											},
+											"domain": null,
 											"password": {
 												"secretRef": {
 													"key": null,
@@ -3429,10 +5059,40 @@
 														"name": null,
 														"namespace": null
 													},
+													"path": null,
 													"secretRef": {
 														"key": null,
 														"name": null,
 														"namespace": null
+													},
+													"vaultRole": null
+												},
+												"gcp": {
+													"location": null,
+													"path": null,
+													"projectID": null,
+													"role": null,
+													"secretRef": {
+														"secretAccessKeySecretRef": {
+															"key": null,
+															"name": null,
+															"namespace": null
+														}
+													},
+													"serviceAccountRef": {
+														"audiences": null,
+														"name": null,
+														"namespace": null
+													},
+													"workloadIdentity": {
+														"clusterLocation": null,
+														"clusterName": null,
+														"clusterProjectID": null,
+														"serviceAccountRef": {
+															"audiences": null,
+															"name": null,
+															"namespace": null
+														}
 													}
 												},
 												"iam": {
@@ -3486,8 +5146,8 @@
 													}
 												},
 												"kubernetes": {
-													"mountPath": "ENC[AES256_GCM,data:NzKweOMFnPWDVw==,iv:nVNs3IzDSlbqtu3QG1LiV86ZA2dAHAt84SHEBlv0zo8=,tag:qu0HYPJMfzogRbCdf9O8HA==,type:str]",
-													"role": "ENC[AES256_GCM,data:jKEr,iv:HHNkzo/qawIyc+TQAOkYDTZJd9T5astpfbL07BUGNl4=,tag:HwefJ6DlKV8PSqoUJiVZow==,type:str]",
+													"mountPath": "ENC[AES256_GCM,data:3XvJbJNGoD7oVQ==,iv:AZJvGtaIDpZMEzjrgmiGE68sCFWvfmvasYK2mCNyXbw=,tag:mdjhvtwoV1TmtiNT23GBHA==,type:str]",
+													"role": "ENC[AES256_GCM,data:yHiu,iv:EbG4Unw39MKouuKeMMjkGys1IbvHkBRxicq5dCsqdvM=,tag:j62geIIPMwJFeiklJ3L44Q==,type:str]",
 													"secretRef": {
 														"key": null,
 														"name": null,
@@ -3495,8 +5155,8 @@
 													},
 													"serviceAccountRef": {
 														"audiences": null,
-														"name": "ENC[AES256_GCM,data:mOVgJ13I0lisaK9ERMSwJg==,iv:oDqe0I0rfnDw19VfTj6Xb3yd/mpzeM7AelDNLmnbvr0=,tag:3BEhZaNQ3hwp7Idj5xaktQ==,type:str]",
-														"namespace": "ENC[AES256_GCM,data:/AV2uIOzNpWhW7039/GrbQ==,iv:8BbBkY42BTa/IqGoJXGgW+NajgXqczAveWGfVfTWagM=,tag:IZ0ywoPcqQri54Bck1xjqQ==,type:str]"
+														"name": "ENC[AES256_GCM,data:DEbKULEgOit/nErKyHfPVg==,iv:Atf60VT7AfwOAUAr0OPM/V3fan/gtKv/2kmwLI5qEIU=,tag:KOvk3dckLwvOCZQf8JG6Cg==,type:str]",
+														"namespace": "ENC[AES256_GCM,data:KiCr2RN5XtU1mwMh9LN2Tg==,iv:sb9YLg0/la9ADJF2zwDktd3LPXpXrO4Fqa3Nygq2i1M=,tag:iG73mFmk8lzyD2yQEx/vFA==,type:str]"
 													}
 												},
 												"ldap": {
@@ -3531,12 +5191,15 @@
 												"namespace": null,
 												"type": null
 											},
+											"checkAndSet": {
+												"required": null
+											},
 											"forwardInconsistent": null,
 											"headers": null,
 											"namespace": null,
-											"path": "ENC[AES256_GCM,data:qfkb2T64,iv:6H4MXs8S/f6u3Ui0YW9i+vGrES9CGPQETwDX9wIrRIQ=,tag:DBhuvEbyWVf0C61Gf8mV+g==,type:str]",
+											"path": "ENC[AES256_GCM,data:2gfz67L/,iv:+VBdJLyUmHOvz6+m9DQdKIOIoOGGIA3zSGu3h+CCe6E=,tag:2Aah5W4RUhi3R0oB07TpyA==,type:str]",
 											"readYourWrites": null,
-											"server": "ENC[AES256_GCM,data:bu0SPA7MazA1SjLoWkGDImo3utFPifMnAC0Jm21T7DXM14M+gFomom2eopTSk1B3,iv:y5WG3fiFzYATKFxRDeNcmg8LmV4/WBTBoO5FwV6bgJI=,tag:Rb0EYfUmNgHH1/et9qvrMw==,type:str]",
+											"server": "ENC[AES256_GCM,data:Pf8ab0UMD+XxgUpPK4iJPnkv4zJKZ2W2PGGWgL/ECNCffCPNV+AzdTfZUpPpplrf,iv:PI1aNxPoPdffUQx7hdg5Nw8/40Pf0BzQULmXbLRn7Gc=,tag:I9ccXeUI94FOUhdrTHGXwg==,type:str]",
 											"tls": {
 												"certSecretRef": {
 													"key": null,
@@ -3549,9 +5212,45 @@
 													"namespace": null
 												}
 											},
-											"version": "ENC[AES256_GCM,data:sEs=,iv:vu6n53i35EO8kPxa3uu3EoZj8oXIsraYY4rVtQJLcUs=,tag:SiiEwF+Qf6/CSSr/fOY0mw==,type:str]"
+											"version": "ENC[AES256_GCM,data:ksU=,iv:k3Nc0RBUyvamd940J1q5dSlqfYLKqLTcy/0qzv4BJaU=,tag:TZRFZwibtnU/wzDPoe9yKQ==,type:str]"
+										},
+										"volcengine": {
+											"auth": {
+												"secretRef": {
+													"accessKeyID": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"secretAccessKey": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"token": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
+											"region": null
 										},
 										"webhook": {
+											"auth": {
+												"ntlm": {
+													"passwordSecret": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													},
+													"usernameSecret": {
+														"key": null,
+														"name": null,
+														"namespace": null
+													}
+												}
+											},
 											"body": null,
 											"caBundle": null,
 											"caProvider": {
@@ -3584,6 +5283,12 @@
 													"name": null,
 													"namespace": null
 												}
+											},
+											"fetching": {
+												"byID": null,
+												"byName": {
+													"folderID": null
+												}
 											}
 										},
 										"yandexlockbox": {
@@ -3601,6 +5306,12 @@
 													"name": null,
 													"namespace": null
 												}
+											},
+											"fetching": {
+												"byID": null,
+												"byName": {
+													"folderID": null
+												}
 											}
 										}
 									},
@@ -3612,932 +5323,1309 @@
 								}
 							},
 							"type": [
-								"ENC[AES256_GCM,data:J1O74HR8,iv:RKaXI9uf6YPJq7MFiL9enEpvoZg78VsDxaRGhnNbr50=,tag:rb8Nae/mZw6gYdnOivRvuA==,type:str]",
+								"ENC[AES256_GCM,data:Z2JDjAfv,iv:FKuCGQacggDELZqGWBdC40/NvssHwKc7AUrJVlHaN9A=,tag:hc2wEtWlge34IwY51sLF6Q==,type:str]",
 								{
-									"apiVersion": "ENC[AES256_GCM,data:wZNGoHcY,iv:ZxjQVLMvoGKirNaQY0lPamlo1uVIJtKLCIJszQ49HiY=,tag:calQ/EFfy9EN5rkV8rgtqA==,type:str]",
-									"kind": "ENC[AES256_GCM,data:2WllzEYa,iv:ZfwbvQJqVgHVyuC7yiuPaRzYKLqC/JW8/QGdZgy1b7U=,tag:mFegI447Mmawk4C//86DJw==,type:str]",
+									"apiVersion": "ENC[AES256_GCM,data:LVkIcBHf,iv:vXv6CMynvjmAX+WuWKTtMl0Tprek/j8j0A5Zrat7WE0=,tag:owytV7rVyfpdJG+5v4XXbw==,type:str]",
+									"kind": "ENC[AES256_GCM,data:sBazBg90,iv:KNt4t0sTe6kxMKyECiytO1ASro52RW7d4r+t79u0x3A=,tag:MYr/jWI14EkQoF4BmQuMhg==,type:str]",
 									"metadata": [
-										"ENC[AES256_GCM,data:MdaDEpmd,iv:p4aSfSnwstMmC/jKRzwoYitGwvYqsl9fThU+QpCAycA=,tag:LwUqwNNdPp1I3AQIdUJnyQ==,type:str]",
+										"ENC[AES256_GCM,data:XvLyOUHC,iv:T1+YAclbgIPnVha6fU/jE7E8uJ+o7xuDxFlVLGHP4JE=,tag:5V6kRJek0DTbfseOaOG/Hg==,type:str]",
 										{
 											"annotations": [
-												"ENC[AES256_GCM,data:mFDW,iv:pnkKkcuRBe1PKqhM84xFgYMY501d2bKCXEWL+OTMEGk=,tag:31bapTMRb2oePVev8OhnmQ==,type:str]",
-												"ENC[AES256_GCM,data:3i7bDQ21,iv:c7v/ZZ30NB+zVssjH7znTpfvnmmjH1aOmvdzYX3++co=,tag:jd1V6tXq58eiotl0hGirAw==,type:str]"
+												"ENC[AES256_GCM,data:qvhV,iv:NNKV5WdKT55wpZK8DwK8mYjXnG1l6CJWa5qr7ggHdLA=,tag:2PGtBV9lYTx7qr5dnu9oTQ==,type:str]",
+												"ENC[AES256_GCM,data:VdViAsz1,iv:09IQd7eHkOf4CzATxI7COxBzsoFUGxaovglZrBM5Vts=,tag:Nac5sX8qPSO94zF5TfgGhw==,type:str]"
 											],
-											"creationTimestamp": "ENC[AES256_GCM,data:nrTDYikZ,iv:gmDCL0MxzMRfiYs6EdPFIl5wvI29VKN0X1pVT1XUqNc=,tag:M8C5Kyajtnp1YX20yd8uCA==,type:str]",
-											"deletionGracePeriodSeconds": "ENC[AES256_GCM,data:dpdyTsf4,iv:7PWoyam9yPY4X3j3sG2PkohFenA6XD/dXi0xop9fGGo=,tag:eb1aTt0A9NnYrfL7OF91qQ==,type:str]",
-											"deletionTimestamp": "ENC[AES256_GCM,data:DIqa9R4C,iv:X8XPhYnIgXviYJ/+P7cVtuHv0UO8Qh9PiabTH4yxrIc=,tag:yhmFBRs0ylOlWSWLH098GQ==,type:str]",
+											"creationTimestamp": "ENC[AES256_GCM,data:sJDE5DCR,iv:xuBDEwYgumlbMlIiVjx9THQMk7JCxftU9Lii8PNgnKw=,tag:oLuouhp3AQf4toQ93FmsjA==,type:str]",
+											"deletionGracePeriodSeconds": "ENC[AES256_GCM,data:uCNy/HZy,iv:37HwrGI+MOcWb9lkkXZ43qOfKISt+nBefg1b4EiXKG0=,tag:IkLG26z7jljSaA12x7oM/Q==,type:str]",
+											"deletionTimestamp": "ENC[AES256_GCM,data:FlHyV8AH,iv:yuqzIbSTBaHWyGsRVl7DPt3So38B9REtR4WWVKgBCWk=,tag:E6AJusBQRz5eF77RzSrSnQ==,type:str]",
 											"finalizers": [
-												"ENC[AES256_GCM,data:W15Qag==,iv:wdDUy3FtrAriaeO53AxQUxsngNt3dmnHnEZOqGBDVUA=,tag:YidPjEpzgVJ761GoKZbN8w==,type:str]",
-												"ENC[AES256_GCM,data:1kvri6PX,iv:rYuXAbPVqmsgEC4OqCFN0ni5A3aaGY7seRXl1cFQftA=,tag:GbbndnH5bIscJYK77BpNIA==,type:str]"
+												"ENC[AES256_GCM,data:4UkdUw==,iv:dXLyAk5MHwIz3BPDkpgPG3fWxmo6+TXQnGGdfgMSGqI=,tag:puiIuW/OcDmuoZbkBlkfaw==,type:str]",
+												"ENC[AES256_GCM,data:4Y02puSw,iv:SgvS2hTL0K+8eqysdmS/7wT0MgKI4IL0biVq3g1+A/I=,tag:irwZMXRP6u7iJRv/F1WqGA==,type:str]"
 											],
-											"generateName": "ENC[AES256_GCM,data:jwSrwWqk,iv:Ub4TBafUX5xNZ1fib2erRwfzEXJQ/5YOacu9ijkUZ9E=,tag:OFn83tszAznsPnhLTyoF0A==,type:str]",
-											"generation": "ENC[AES256_GCM,data:d9bnObKp,iv:Qa4vWja5xTFZsEMCEM8ZPHX1HAY1cPYdQu6BFr9QqBA=,tag:OrmffN30KZ/Ex9YkxsuDKw==,type:str]",
+											"generateName": "ENC[AES256_GCM,data:3qj7uNdd,iv:ZlSq+A+Dt0+W7+mwmIppqGNFvt4JZYmDOFts7mONl6w=,tag:Z0b/4XHYP5z9xQqI+lqOcA==,type:str]",
+											"generation": "ENC[AES256_GCM,data:PB4GHcWN,iv:nDDHQDvdP7OEQRgwMAZtq2q6pRS7CIBZsFSMoHOGLYo=,tag:If5gEv+HZYqDZ1S/FxAbCQ==,type:str]",
 											"labels": [
-												"ENC[AES256_GCM,data:KHNt,iv:/Jb+fktCXyWaz7xizdkq49+01lEgarYxU7IcC3PJkKU=,tag:D3ZEnZ8HA9n4/JcPScy7JA==,type:str]",
-												"ENC[AES256_GCM,data:21ni00+n,iv:/ueltjSExJpG+JceQS6UFxhv7evE68l492PkajzLo9U=,tag:6Sh+nK5VY2WJrkY0ndpG2w==,type:str]"
+												"ENC[AES256_GCM,data:oX+w,iv:yrJ0YUIanMpADYKXvBW6EyyHRd5qK1JXluGlbY150bQ=,tag:c7PMAGxxx06htnLy1l0v2g==,type:str]",
+												"ENC[AES256_GCM,data:Yf8EYIOv,iv:QRTp201oXKe2LOVfbbLXCGjwUiKLxO1FnIo4nB2tbK8=,tag:xLgHHUWxnKFQ711TqgTPZg==,type:str]"
 											],
 											"managedFields": [
-												"ENC[AES256_GCM,data:JTttJCE=,iv:fKbKERgBUYdLmA7KU9+bqp33g5zck6vepnu9y3on7cY=,tag:JeOvOiA6uvOfgpUPuvuRPg==,type:str]",
+												"ENC[AES256_GCM,data:VDUOo4c=,iv:yIV/jtvVmMUyQH19eCkPU/GimtsU30AquiRS4fLFThQ=,tag:u0kVAoINEILX+rhEvFA4Ng==,type:str]",
 												[
 													[
-														"ENC[AES256_GCM,data:LDQu7J5s,iv:z8AFVysgyHIIKvmEzJXZtf5tARW6vDoUJN+zesL05i8=,tag:ehgNAS0EeLqFDMoYC9vG0g==,type:str]",
+														"ENC[AES256_GCM,data:Na9R3MND,iv:nUPQMma7df/r4/HbdMcOQkoNfdzVYQPr1NgTaF3bK0E=,tag:5Wt1zrh+5OqpD1FeAi+JyA==,type:str]",
 														{
-															"apiVersion": "ENC[AES256_GCM,data:7PyeZ9ol,iv:n41dSOlsIFFCMBCQOdt6qDs9lBhTcKMuHNErM0z7EAw=,tag:whV5lu1G9qAalVKg07Aukg==,type:str]",
-															"fieldsType": "ENC[AES256_GCM,data:7abWP/c5,iv:Swox301B5pakdeddp1Cxto70Dv+rszYfhST8y+8dwjA=,tag:HCkXZZ5lEKKDDGCvaf5R1A==,type:str]",
-															"fieldsV1": "ENC[AES256_GCM,data:L1Ll0cKOvQ==,iv:naMgEDrLXmeQFtPz62byYwrv6k/he0GNHSJB8B9QEG0=,tag:rlo/mTNY6gFZmTc9Mf8Y0A==,type:str]",
-															"manager": "ENC[AES256_GCM,data:RQAzWeF7,iv:c0QzsSsi8aGa+tmrYleJwjWM4N1bWCAVJLVqzFVLRIo=,tag:5fg47HvAQDkij+sJ+Mx5bg==,type:str]",
-															"operation": "ENC[AES256_GCM,data:SZ5E0bQR,iv:SNXNctCOCa3I+AkGk037r+9mkwJuGJCYt5hKJkz7XrQ=,tag:sg2GUGYf8Zj2ZckEb6yxsA==,type:str]",
-															"subresource": "ENC[AES256_GCM,data:EymOVDM3,iv:wVJ1Z0jVEP5Mvy6x5yqGgOHx/Ky/nf90t52yT3sCsJw=,tag:rN5l83KY9jMfxKorJb8jxg==,type:str]",
-															"time": "ENC[AES256_GCM,data:IsBIIUKQ,iv:4rke6pXNxkfhWlBFXY7B9BHwl/KfPPMEFmL2JgoPofk=,tag:89scmrhPTQop2zzw6Wog6w==,type:str]"
+															"apiVersion": "ENC[AES256_GCM,data:Q0gQAioq,iv:MMNWyKnCiNz2IP9i2iS4ZBxNjkjCDiIPuWT0uHxKqYk=,tag:qMfW3JZMMaR/91XjDm4xIQ==,type:str]",
+															"fieldsType": "ENC[AES256_GCM,data:nDVeMB6S,iv:ogWQUF8+lE2U1HkkIq8NuQ32Yn+VICtvEIWM7LxqTHw=,tag:DOFMa25k5FMS1Mr7SZ5WVA==,type:str]",
+															"fieldsV1": "ENC[AES256_GCM,data:lJoJXV+vzg==,iv:Lw23DCMh7yyB90O1TCaHzcRBcEBGeZ6JiMh4PY6HQHU=,tag:D3VXQg2o8yvvcJBuKT8fhQ==,type:str]",
+															"manager": "ENC[AES256_GCM,data:xpnJ2VKW,iv:ih6Ze2qC8nAAdGcy3ZvdS2ep4OW7ETMe3yrKHm6dS5M=,tag:I0Wkcwvg/+LD7wlBP9QsBw==,type:str]",
+															"operation": "ENC[AES256_GCM,data:PGF5op6k,iv:Uh49n4V8zf2ijZ7fOU6ZkGNGtK2Fba9Scfm4EM2tyts=,tag:aXczOESNLoAkLn9WH1Hn6g==,type:str]",
+															"subresource": "ENC[AES256_GCM,data:sqDnd0uk,iv:XlCPDVoiobpKhApUr9bgcOclELCkiphJ/4sNes6pAdM=,tag:Sup5IVpfSJAlbbnZhkmgMg==,type:str]",
+															"time": "ENC[AES256_GCM,data:RwhMV9I4,iv:edIa2CdCFol8Deh0NX+piJqTTmI4UobVyNgcxHtCXNo=,tag:3EKpK5rfa6Ny9KWv4mUUgw==,type:str]"
 														}
 													]
 												]
 											],
-											"name": "ENC[AES256_GCM,data:Oct+ERHS,iv:aoJd+exBGbtsQ9MS130jgqsVapd4pZbTqY6cyuonQzM=,tag:lbp+aEkA8pe2m5ZPDXKISg==,type:str]",
-											"namespace": "ENC[AES256_GCM,data:DJpH3nvV,iv:y292olrbBPm/SYrWe/xjdD1hCLGd7gPbZXvEfe+TmRQ=,tag:lmkV/KOL3cjR1BlmLKuj3w==,type:str]",
+											"name": "ENC[AES256_GCM,data:FL2e8IYT,iv:DNesCI8p2o5T2aol6jRr818sMykRj3nLD/wK+SzHf2M=,tag:PcWqFhWgxb3S7pPdE3MtnQ==,type:str]",
+											"namespace": "ENC[AES256_GCM,data:M9n9MFzB,iv:zGikBL0/TYtWEiakbtzsgSzcsi0VLQE5Vuag7eP10Jg=,tag:qNmBMiN8PAR3P1rFpEizgQ==,type:str]",
 											"ownerReferences": [
-												"ENC[AES256_GCM,data:r3Br3g==,iv:iYE6RD0cLyOlfnRYt23hP96Xe22tgNX0MSc9HqumWxM=,tag:Xc7K9/iuN8/2730Z27ZS3A==,type:str]",
+												"ENC[AES256_GCM,data:bNOAoQ==,iv:BsWsqxjQFJvd6F9uU9XsTnaviTrvAY3qoUAVUvKptOE=,tag:eeoc8g+60EvVgV06jdI/2A==,type:str]",
 												[
-													"ENC[AES256_GCM,data:udI1J5Hb,iv:EBwxKKM6xp7A/yt/oFOVsPrb5mC2dPSIxwmPKqYaJu0=,tag:0DOIQ4Cw67upe7nojnTKwQ==,type:str]",
+													"ENC[AES256_GCM,data:FRWkxW2/,iv:KWbBO/s7ZCU55tZvI2Qe1Ydgn2zyldUnCqCQRixE7lE=,tag:kRrnfzN8o/zSWyVbAL6iLw==,type:str]",
 													{
-														"apiVersion": "ENC[AES256_GCM,data:GDCsWPlR,iv:dt4hvUhSqRvL7kmm/SA3gHMmsvGJeojdIpQ8sBAPJM8=,tag:6XLSotktZaycspqUmiMFxg==,type:str]",
-														"blockOwnerDeletion": "ENC[AES256_GCM,data:cUPdww==,iv:X/mNL9mmlok+72WEjmGMBhgZ0a30Cc9UdbcCfnX7hNk=,tag:nbJVKMfnOH0EDIYKb4WNkg==,type:str]",
-														"controller": "ENC[AES256_GCM,data:r+tJ9A==,iv:JANL6Vhb8KORIql0vw6orIYZe0odynHcSVU20bRiNhg=,tag:KGIdHgUzH6J6MgXzNLgXtA==,type:str]",
-														"kind": "ENC[AES256_GCM,data:jl1zZjPv,iv:4d5rnj6MFarbAgMBe1kjzxRn3lvg5N0JHw70Ld6j/q8=,tag:ovDTMcPDrRGIC1tUGBly+g==,type:str]",
-														"name": "ENC[AES256_GCM,data:cC1EJdWw,iv:KJKKTmZDaZ5cL8U5Xaj+IMmaTQWjfCNeIkqSSfw5a3w=,tag:1UDu2FVPe3yn0X9mxoFxbw==,type:str]",
-														"uid": "ENC[AES256_GCM,data:3kdF24Aa,iv:ectgOzT3on/SmUmBw70okiHk6c7omdnB+FZCU2cUC0s=,tag:mAozY1ufCYueFSJ/KebTjw==,type:str]"
+														"apiVersion": "ENC[AES256_GCM,data:0Vxr5Gsx,iv:6dXuimidx/OMfEUN4xEyWDL24KvotARmIxe2I2CO/NI=,tag:bXGcua0t4Azb+Se7Woz5ww==,type:str]",
+														"blockOwnerDeletion": "ENC[AES256_GCM,data:6vg91A==,iv:y8KiXJlzTdcKMOOdNcBQ4ikeFoxWOu1Wx2MZ1P1tl1g=,tag:DjPUJ/pky1f4tKxbliccFQ==,type:str]",
+														"controller": "ENC[AES256_GCM,data:Km1Vlg==,iv:iYSCu9JXNqmZPYJU92cEZCCsuyFlrDvMd4BnHQFTcLM=,tag:v+mojXCW299isWQINkbuew==,type:str]",
+														"kind": "ENC[AES256_GCM,data:G2WVqC72,iv:/8zGKBmwvCtSU3HGMmvYkLCG0InOPzdVVzjq3q0eDjo=,tag:JCZSbi5AGkX2G8GJdT2Ycw==,type:str]",
+														"name": "ENC[AES256_GCM,data:KYYfHSyi,iv:JD94V92wrHl5+eEhkFHOAzY4b8bJuafbIQHoNoyr5T4=,tag:+LdRXgH4nOeGJroOdECJ6Q==,type:str]",
+														"uid": "ENC[AES256_GCM,data:NKGadTZ7,iv:G3XNG/3tw9wIah9ZrCmi24nyRAqJoE2K5XdWGNw/b6g=,tag:PFbi1aldJ2z1X20bIX1vWg==,type:str]"
 													}
 												]
 											],
-											"resourceVersion": "ENC[AES256_GCM,data:j64TNh/q,iv:1NhUrk/aGScxH1p01yuUM7IVeux3Nn9aH0+tk8JgyfM=,tag:dUrwjbZEiQFouAFynMzDRQ==,type:str]",
-											"selfLink": "ENC[AES256_GCM,data:RpISVgni,iv:RzwfcaMADBDB2BhnIb+bJkZSeyZ5pBPMsCwVQUjcug0=,tag:oRv1IuiaxIbJtM3HR+ZRwA==,type:str]",
-											"uid": "ENC[AES256_GCM,data:5bCiQVzv,iv:E19xPionKySorxYCDkmKGDHIqV/203v51V4vonIXGPU=,tag:UNm6538BXTq9cLsBCSEUOw==,type:str]"
+											"resourceVersion": "ENC[AES256_GCM,data:q3QbiO5l,iv:72Luq8h/TLzMuyHzIduVNSiDS5aZeCSAKo1nyzNye2U=,tag:D14hRK0phHKt3iIfQ3i4tg==,type:str]",
+											"selfLink": "ENC[AES256_GCM,data:+rOZG68p,iv:yGVrmJka0suA/F0RC5JnMnydvAF+KVn5JemLZTAiqTw=,tag:iiOMo2D2/RbREq12JCL7gQ==,type:str]",
+											"uid": "ENC[AES256_GCM,data:e8hnDH6d,iv:YHJrsw5fJNnJZtUsl3uxdjC3UCesYiSU5uHsSk6bMtg=,tag:aeFMIU0+OTs2LBxJZnCURQ==,type:str]"
 										}
 									],
 									"spec": [
-										"ENC[AES256_GCM,data:4WHJwZVw,iv:gWe/LB3iN2ziF6afpHBQ58N3k5XKudUjVU1o7Uh5nWM=,tag:h+LezuT2/l7b2ssAlmNPTA==,type:str]",
+										"ENC[AES256_GCM,data:gq7UwHIM,iv:g1SeWXX6RopfeYq5t6rf+Dld+uOEoY3wqQcf+/mPK1E=,tag:zQEBJ1MDpDRPb9f7Zwvh8A==,type:str]",
 										{
 											"conditions": [
-												"ENC[AES256_GCM,data:oC5aLg==,iv:sRswu2wy++WNlEViFPL1B7+Tp8BiOpB69G4PdGEfQbE=,tag:a08WRWm6ucb1i+eN9qfWZQ==,type:str]",
+												"ENC[AES256_GCM,data:gyXHVQ==,iv:Ls3Gio37SLb7mMVcVifDdUhcNe5eLeNtWMa2MxY1Q0c=,tag:LO1PTbxhgUHM0qt5fedQjg==,type:str]",
 												[
-													"ENC[AES256_GCM,data:bGMjmrY7,iv:BrM9BxltVWAB3ll+lAXpid1QcLFnUX45XNvDXxrePKs=,tag:Ef6I8XbYqE8dOJLSPUBr9g==,type:str]",
+													"ENC[AES256_GCM,data:VHJXsyKY,iv:rzwwxPjNmMHJYbniCyCUG8mT1P9AyDJssqLjEHKffhM=,tag:dyDyLI2+M0EvjxTU72y/IA==,type:str]",
 													{
 														"namespaceRegexes": [
-															"ENC[AES256_GCM,data:uT+cmg==,iv:iH/xRge5x5KTyyEEAR4MeUqOMCxNXfYkD3SrlhOnXus=,tag:FHn+5A2Z4//z5Bq351adHA==,type:str]",
-															"ENC[AES256_GCM,data:t92MWJLo,iv:2qBHNOd07yU0nk1rL6q8Uz5JTEafTyonPiTs67FCabo=,tag:wNaR4zsXjVz/13QoAZyMlA==,type:str]"
+															"ENC[AES256_GCM,data:wz8TwQ==,iv:Y0/eCM7srzsRUgf86Mkd1gLqSb9pKMlBb0l2RjQyYco=,tag:HQfqRY/rcTxjfYbEFTLazw==,type:str]",
+															"ENC[AES256_GCM,data:pUryi2D1,iv:RpdX6DTW/s0OM8BuIqMgTP6Ot0fjE59eHHe0LH8/dMQ=,tag:Kt3BBwekh6PVddwPPYD+Fg==,type:str]"
 														],
 														"namespaceSelector": [
-															"ENC[AES256_GCM,data:0EQKANmh,iv:FnRjj0dgG4YxSKM14N7GXePtHG5StmyafdXitPZqV5k=,tag:lR4rcS+uJsJgqsqSYzC35Q==,type:str]",
+															"ENC[AES256_GCM,data:bV7wtYaw,iv:lAHkRyGy8QZAyyxPvppuC9gQ4WnOQsGNSkcZ0E2es6c=,tag:/1Ja34TCnV6DbL0I/kU2sA==,type:str]",
 															{
 																"matchExpressions": [
-																	"ENC[AES256_GCM,data:UVOo7w==,iv:gl1pe5MfXiA/m/3UWhfmNPFvowyDBKWf8z1UfqTLstY=,tag:8/RVaXuqmvhvLANmZZYFDg==,type:str]",
+																	"ENC[AES256_GCM,data:hXJkSg==,iv:wU3oSt8YJxQmHva2m1qb9kHGIfQG+Gus9q+BfZHGlDo=,tag:5E9XlH/US+wUgWKpAwfRNw==,type:str]",
 																	[
-																		"ENC[AES256_GCM,data:0T7I0442,iv:GG4Yvu6VQuOjOwbbt9GvCGY0ncfXGro5V8j1DcKIcXM=,tag:cu7u5oriTcaAxskiMygcqQ==,type:str]",
+																		"ENC[AES256_GCM,data:q6ff4WdS,iv:yR8r1gfMkGpQvV5EdO3epkiOfuUE8r1y3uC1TLifZ7c=,tag:8Q/iDnYBlfwBER4ip232+A==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:z0yGIhn9,iv:czyfmxowofJvI4M4FOIuf2ZFPyldOMxdxlVCoVCm1zk=,tag:CqNqHS3AyvphromLVDgpYQ==,type:str]",
-																			"operator": "ENC[AES256_GCM,data:tOHfXSC9,iv:nZPoOswZsaZoypaX/pW7LVoiNIXA8/tYx6HXu6ZWIlA=,tag:6AY0QZRyNW3NU55gD58Gfg==,type:str]",
+																			"key": "ENC[AES256_GCM,data:4X8Xyk5v,iv:YvY/cjZ0PuYXp21zY9zyDN39MDwy7fN74VBj8NicnPg=,tag:GGnRe6BXapu7o8QfWLLeFA==,type:str]",
+																			"operator": "ENC[AES256_GCM,data:j3pE4coN,iv:3iUHBIXXqDXPyBlEbEqFOH5st9uqd0bVn84ujo7uazc=,tag:ySX1gu+RkYAbyvOiCnLLFg==,type:str]",
 																			"values": [
-																				"ENC[AES256_GCM,data:NgjT3g==,iv:QXFyhZt1wVKQxQJsbPBRDLdJKXjZUc01mEGdVQBT4eI=,tag:avs42dtmhCWCAq6iLrlNZw==,type:str]",
-																				"ENC[AES256_GCM,data:+OeE/Zd/,iv:GfwUK58YKYA5jIuTVvn1O9CPbkDWO7xee/JxkHvunx8=,tag:BHlhvrw2nKrmm9X3d3+z9A==,type:str]"
+																				"ENC[AES256_GCM,data:RFlSOw==,iv:yW3Dbg55XAOMOB1x1hYumT78BqbnDQvMyG8hviaCfBU=,tag:uLset3BfwUuFDvlsiOJ96w==,type:str]",
+																				"ENC[AES256_GCM,data:LtNEPOtR,iv:Yet+AKjPNy9LmK5VPtd7TlpzVVkZ8WZNNm5Sec3XgcM=,tag:SpMfI1D+D1F70hRktcPoVA==,type:str]"
 																			]
 																		}
 																	]
 																],
 																"matchLabels": [
-																	"ENC[AES256_GCM,data:8v+d,iv:OqP7rQBcWd70VcCxOeJM5m77aBCRtuV/htjDFP9r/Vw=,tag:co44em3DHl9UQ/0gwKfOVA==,type:str]",
-																	"ENC[AES256_GCM,data:gtM1CHPx,iv:KVisMpSz4rQZm7/E4YCxzGeXNhskPyN8utbqD/EPKOc=,tag:QRXO8gKBMCsVtS0mcUWmdg==,type:str]"
+																	"ENC[AES256_GCM,data:5NDK,iv:hl8aMsnwrXSy+OPR3BuuyfboWQ/y2gqcug8r7NVmD2c=,tag:3m5l6y6hYIVdimeQIerIfA==,type:str]",
+																	"ENC[AES256_GCM,data:Ywj+uOEu,iv:CcWuDBCD0gXgDXoykLub9XR6RXmBOZV/3qb3MJMt8Xg=,tag:aJyqiUiGblGTW0J/xNUIWw==,type:str]"
 																]
 															}
 														],
 														"namespaces": [
-															"ENC[AES256_GCM,data:uKhB/w==,iv:4c767c8WtWcaC27iX8Yms16AxLLXyo7cRBZE3n/M9k4=,tag:sTnoC25WCExf5O/NWh0+dg==,type:str]",
-															"ENC[AES256_GCM,data:z8Fjfrs7,iv:9yNA1bQsSQeB32JANA7j9R7uZFm513YBDUcIwjDgFm8=,tag:IbEa4F9Lpgo4eHJtEv0ePA==,type:str]"
+															"ENC[AES256_GCM,data:USd3Zw==,iv:p8iZBBbw9AfXqfgbs4EUaK4Qn4XzDxZq9/i7Y3sYzv8=,tag:dzT9Y5vZRSnR1nF8vHl/ag==,type:str]",
+															"ENC[AES256_GCM,data:JoW02ndx,iv:H7Y0DybBnoCcChiASvQiKhPXUms3bCbhss+rX509reo=,tag:lYOwLJVgh5X7UAy4jRcRuA==,type:str]"
 														]
 													}
 												]
 											],
-											"controller": "ENC[AES256_GCM,data:hOf2gE5T,iv:WKZb6Cy+9rehOgXs4Z0qCEyAzWwDmZey5aeCG1SE/nQ=,tag:E9d+kSW+7MlGPwd65eG8tQ==,type:str]",
+											"controller": "ENC[AES256_GCM,data:FlPHGx6+,iv:uUMVbtbmdlcRp89JCZ35+ltd+C+tX2IY+sWHPflVOn4=,tag:Y9kHv8ooLNvNDHWiB8SXDA==,type:str]",
 											"provider": [
-												"ENC[AES256_GCM,data:oGUgxByy,iv:msNAI3EyhTMBiCf3qUnu/ItXwjMp6ZtFWbsP5bPRkSs=,tag:+tnOxFyXiUK+2YJtMQ+ssg==,type:str]",
+												"ENC[AES256_GCM,data:K6NNL2q4,iv:1pb1tzItYK5gM/87dtbpORBCQpdJJc58IbCh6qYO6rY=,tag:A2V0yOl6iiqAckS9ADHZ+A==,type:str]",
 												{
 													"akeyless": [
-														"ENC[AES256_GCM,data:wFwaOwH0,iv:Dz+EDFrX9svtg18h8eRRJYQDcRj1DL3tnfHYMK+xBRc=,tag:mMgghxV4wLmlE5nQPyn6FA==,type:str]",
+														"ENC[AES256_GCM,data:mgLwu4yu,iv:xsLwlw0Ft6djxJr/cOV6JNRVSiaM8+HgNL10IAxK9wE=,tag:tp7uOYQtkR+uUcvjKAONfg==,type:str]",
 														{
-															"akeylessGWApiURL": "ENC[AES256_GCM,data:PDdrK+pk,iv:2PKSamiZQuobH5LJUSK7cRGvtQpArMJitQQkhwxK308=,tag:xLzgThJTysBR4X+9a24fIQ==,type:str]",
+															"akeylessGWApiURL": "ENC[AES256_GCM,data:6g0fNPm6,iv:aItEFd0iDQm4Lgt3++ceUG9qcqZoqhcOMiRL+i9kq90=,tag:neizz/X7xQhQQAIuj94g+w==,type:str]",
 															"authSecretRef": [
-																"ENC[AES256_GCM,data:IwIeAkTL,iv:Fa8KamrfebPKMkvPORHnqK6RozACnS4IA1tEN542Wiw=,tag:AHomn70vGMvsZpVrxkCM0Q==,type:str]",
+																"ENC[AES256_GCM,data:633zaTiC,iv:UquiddKRliSZtCHaM/NpIzj1rXV5kObLAf+TQMeeZM4=,tag:RplC2vfK/QWtCbt0klucaw==,type:str]",
 																{
 																	"kubernetesAuth": [
-																		"ENC[AES256_GCM,data:XV2EvY1F,iv:6seNf8E9xwvXR/MXwDkB5jSNuBuBnLJtNEWktX8nWbo=,tag:arpDwJFTUPr8KpVnpo/9yw==,type:str]",
+																		"ENC[AES256_GCM,data:m5voGm2I,iv:K+hsFP1k31PrpqbSL1daabzoRrG9J23OdKxoR3PF7Fc=,tag:juQvDBiWRIsvh5i7k2Rqvg==,type:str]",
 																		{
-																			"accessID": "ENC[AES256_GCM,data:jFY5MLzw,iv:Hj0xoOZZJ0hOYwaMd1SNpOBcnwlqyGsPizNXsfFkFzc=,tag:tFO5I+aw6GAXmulOHcsmjw==,type:str]",
-																			"k8sConfName": "ENC[AES256_GCM,data:pc8D6oSV,iv:2GmjFddEXytOWZwdu5D2yDVA0IeOCA9i4HJDQS5cpv4=,tag:Jl6q7LNwxjAmiEcXO5X1hQ==,type:str]",
+																			"accessID": "ENC[AES256_GCM,data:8Ap+6ow4,iv:5bbkMJdt9P7WhQsGE8Iz64fLx45YYFTsPchYd/obKWk=,tag:ZHGmtTHGLUSW7S9UEl41DA==,type:str]",
+																			"k8sConfName": "ENC[AES256_GCM,data:M4Y4zBaq,iv:StfKsEO/+vd673F+T/6hItOXevw2FrBw3uPIoBU700A=,tag:lmZNgd67IyXeVooiMqKlSQ==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:oJy8cK/d,iv:GEZTZsyXShkSMMtUjA2E3CLy/PewVm1Q4oe5nsLaYPE=,tag:AJQ3ewVaNhzDHTjsYaGqpQ==,type:str]",
+																				"ENC[AES256_GCM,data:uuVtwTq8,iv:rCV0GOPuUwaDZsUJU5WMAcE0kT9kina8r1TW6rou2Uc=,tag:KmfKg13/5fhK8diXNHl1Vg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:89UVNPZU,iv:LcPEa5xoykJTfpRocQQcp00La6r9Pocbq6rDNfHrtbQ=,tag:4QS8F88kz/qZ1XKQmM0Mbw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:V/Fw1NnE,iv:UUwwr0LtRkpc8fhMJUQ7YDHjcqKd0XX2EKcnpsYaUoI=,tag:lNkgQ9KqKD7dqezJe/h7+w==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:x4dqXcYp,iv:zruI9izpCctn1kETrFOoEa30yaI5CsnvCXItCZqAq80=,tag:YCJYPiucazQXlVi/mYKaEQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:H/i5Q1Lz,iv:UB1fETNWDw4HSONI94Wqjimt17j7GTMWnlLzOzSD/dc=,tag:UvjoT4klPX9I3lJOa9COEA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:FyKpSHzH,iv:Zr5Tgul6EoVfXI0xydsTfTSupI1lZ/Za7cqzxQoM2oQ=,tag:S4mbJre3CfswlJnbKx6xPw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:ZTRdPCfK,iv:K5xFe5uR0tIaIHUPk+ntmIo33w7i2vX6fvc3WzM5KpU=,tag:aUwSKjt72bj1FWoPDLkwNw==,type:str]"
 																				}
 																			],
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:GIAuczkR,iv:qsMxFIN+oIraofotQltLrY0R7rMaDLyOmfQgTf0ZhSU=,tag:XDiKjdwRpdt07rWuuAPHgQ==,type:str]",
+																				"ENC[AES256_GCM,data:uVfN3h6l,iv:y2mqd6fnShBy36RpGZJaC0ZfG0TJiicLF40izM0o4rU=,tag:l9805fddo20xFzCstPfNLw==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:nMhQHQ==,iv:hlD9jMOc8mnKqWnyf3lCgyjZ2tSaMpMNkWCvJLZoG5I=,tag:vFieMdaoCfLLgIQ37/TXHA==,type:str]",
-																						"ENC[AES256_GCM,data:+YydgR1L,iv:i4LStgGChjQVhBtTIKjTFR5IyIV7w9POaIGXsi2CfsU=,tag:6eN/7doCf7gjabpIk5KCSg==,type:str]"
+																						"ENC[AES256_GCM,data:03UwLA==,iv:9gHpfffloMguZsoz7qKLtNIjlgeg85uG7einydpUrZ8=,tag:miKswfgAiJ08KIuPCsVvuQ==,type:str]",
+																						"ENC[AES256_GCM,data:gXoQX9pU,iv:5yEotkcPxij9l21BIsJGzmuCVZpCPRFSh97FT/klN8g=,tag:ZW3KRhZl7gXyHdM8DlCNjg==,type:str]"
 																					],
-																					"name": "ENC[AES256_GCM,data:0gIFres/,iv:9sVDffVA4/lVrFmmrdTCOnUorlfAGHo/eVJsO6e9gKg=,tag:UYDZoDFgm4XbHM+q6eLQ5Q==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:MYVNtJ24,iv:WcdUospB9Eg09+MFf0E72X3PQGXoZoypFAHmHRmnTj4=,tag:Tj7eIcgeoXMp1VsitzlQIw==,type:str]"
+																					"name": "ENC[AES256_GCM,data:9yzEnaKu,iv:0sQ5og2mNVGRIA0SL7/PEKHKhC4vFNrzVhVc+ULmKXI=,tag:CjzIu+JzjsbeslsxHoRtfA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:AJCdSLul,iv:M7pU1F2l4oWLgg4iKlkvReEl5CsESuKxmTzqL6CkH4k=,tag:Gm+8CgXK7XDtyeO7uJr+QA==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:E97NpWm7,iv:aCNEPw1TZLRqvpbWX4/Fg/YOoA6REzTY67C6BZu5wdc=,tag:Y8L8//WW6/3uxBzKzWzlKA==,type:str]",
+																		"ENC[AES256_GCM,data:oiRlNFcJ,iv:+2o7Uv0eOHubAUgqoWwIn3baxmILRzkxmRFDBLAkjJ8=,tag:MhL8GJZc3hfgTfkCUmiJ7w==,type:str]",
 																		{
 																			"accessID": [
-																				"ENC[AES256_GCM,data:x8LnRaDw,iv:A6zvw3vOZ57SQoxVYp9V78/XkiwT2KKf+d6vjvcny8I=,tag:icyhxLm/zRP3WcGeD1Iz0A==,type:str]",
+																				"ENC[AES256_GCM,data:LfU2tyct,iv:++c5HtYq6SIq76/iTKGVXI89+t1JvbKOfaHfCk/6S4g=,tag:6OTAcnnSaAIsJKxBox4nlA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:5hvIAkeG,iv:zYAhZEkcsj2PdWvzi+aErwDJq/zYfVjai42ZyHnKlyI=,tag:7iHeHRS0lad2Wfn8OQxhLQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:aiPau69H,iv:syl1YikZEJDjq/O1hbU9dkT+NeJsnDOXacNEGiDxuhs=,tag:IrgluNTKoLsQpHxWRDmlJw==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:UEQ4/7vI,iv:hku3+9/ubsD/Tf/hO78SSFdNwyETEdlMlU8H62s6R+U=,tag:ovYFK3L/iRNDuM1QEodrPw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:BwP0xVhm,iv:o+fHPWHQGgSzQ2+OIWd9DyBQVvHfPjsXJxgXPNSBJQU=,tag:2bY/HhgzVFr7crr2olVhUA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:otbp43s+,iv:agrvJWPGjj6rZ/Z8ZqdC4uVCRX7P3Fsba2TnUrapnsc=,tag:8mL7T17ItIpiWk71jgo1VA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:7vlPleSH,iv:N+rjBxlKl8FXJCXoQXEduOIPh6wTQkzSDHyPs/41z7s=,tag:JcpuIzzT0WHs+8FOifjXBQ==,type:str]"
 																				}
 																			],
 																			"accessType": [
-																				"ENC[AES256_GCM,data:vW59KakZ,iv:jdZcyAurOF1jD7AfhQc8i6X3rjTPUkasLXDHhECdrnc=,tag:dUtUuivEwtqitnHEW7fMKg==,type:str]",
+																				"ENC[AES256_GCM,data:iPcXJ+Ai,iv:NYFgfCkopMP/yF98T+ZwqTdrzTjpKffS1YISY2+nww4=,tag:TnfZHR/6uvT8afeh5bl+cw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:cEYjQlma,iv:8kSA98iedHyeu79XZAFpScyMTDVlkQ83NWLGutDQ/H8=,tag:Y3ZlM6rxpHg7vNaSmZqh7Q==,type:str]",
-																					"name": "ENC[AES256_GCM,data:FF3UPmy8,iv:rhdPLTg7p3KU6z0Ln3pKfgwNDZwODHs7HTah5eiSchA=,tag:t0v2R1nxPNa1dgquAvPHnA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:GcVgnXEy,iv:SIkm+qXyvsR1BHUNz2lnoM8saDuOLmXc/lZOaVWWwb0=,tag:Uofr+ZB44mgJXmCbd3AKUQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:QduoUcOX,iv:XGWkd7rec196P0dIrzvHwqqiwFLri7biwd8nT+1l0Yw=,tag:fEIB7V3awrH32gYZ5+76Mg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:0QkPeZFH,iv:nHrR5JHVX1Mph0y8QTO6oV8ZEUpoDIEBTfnW7340ne8=,tag:ame4fjh83S9DUuNHTFDzSQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:Zy7clC1e,iv:nVI0+P2g4A6pLg2QbAe182Y5kI+T5r2pChC8iH9uII0=,tag:j3pSRTECr7592dKXHU1V4Q==,type:str]"
 																				}
 																			],
 																			"accessTypeParam": [
-																				"ENC[AES256_GCM,data:sdsrTx5k,iv:Dki3halr8wM5PpH33s54wapOaMkhUptXjpW1aB/0tQ4=,tag:yhXgyqKMsMsh3qnl+wfMmA==,type:str]",
+																				"ENC[AES256_GCM,data:MkO3wAQ4,iv:OpQlqFlyaqdoVfK1v9g8xL8CzSmU7IFoZiiJGJdtgx0=,tag:Ck1a9rQN3jFVZk6d04bcuw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:dRPZY96j,iv:0iBSOVq6WS86ISOugkYiiQdEn20H2Vpcest4FLMFESE=,tag:806HroxSY5t759dPgEYf6Q==,type:str]",
-																					"name": "ENC[AES256_GCM,data:vJ3M6AfF,iv:yRHFzU6wz6Oc/Xl/4AvvsH02FjmiaSzUeBPZtcA1Sj0=,tag:haLFUOT90/LHgLC94GANqQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:Pahq6U+r,iv:C7Gp+yD8kAPrOlfjUnU/N/zIpfDwTG3Kqw5zOh6hsH4=,tag:wCG5ILXMHTK8xEjb0qw6nQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:VE/kiUFO,iv:GbyElezAQuXqEsSGtranUgKvMZD6V8wjOHLI02XUskM=,tag:JH5vRsQup5sMgSBA4o3kOQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Fhp3017y,iv:8/7eSbYQ0HTTIWDNmQF0qIjVS8mV9vBEbjrVRRgTlYE=,tag:fJPSL4myrKHAubleWZpfYA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:7x4yVa3j,iv:bs6yrtrzGQWQljo8hXTGKF4dT2m7BqcmVjkQTNpn82U=,tag:YYr7k49mOQhWe/PX4RhmhA==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"caBundle": "ENC[AES256_GCM,data:paDoyjZR,iv:wZxvm8f1GHD3ftHpYZwg4R5wBqTDwNWbBi675N4K3jo=,tag:K+kAQbqJpihV6sW7RAM57A==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:zFSjFuCR,iv:zPNh4wqxJwtS2iOT1TEa7zGbs1uD3prSD8vIgyyO6JU=,tag:Y6zzTBnIjzjNFxvm742Mvw==,type:str]",
 															"caProvider": [
-																"ENC[AES256_GCM,data:DRf84OPm,iv:iM+BPNYiDitLcJq6gyQMxTsMXh+CAMUOk8j6+4mqjCk=,tag:QUHbfiQn0WKT9OMTf68W6w==,type:str]",
+																"ENC[AES256_GCM,data:Z01sd/hh,iv:CbdAfG0iX9C2j66d18vf0P5uaQDmzKtzq1VGCIUYyRI=,tag:G79b/bCP/JoV9AVIvQ1LWw==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:P73D+MOo,iv:s+jtH9CDVOIMRy47eVr5JqIfFxxsBUl1mPWac+6Gv/8=,tag:zWIPv5vjyGxV7aca4ZQmYA==,type:str]",
-																	"name": "ENC[AES256_GCM,data:mAkkpeph,iv:eiGkyKbr836uKkCQbSrOPFFLKpFALEsh8YnwO79XnxY=,tag:/njxdKPd4D3NMv9WWM6zgA==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:6hm0yXwZ,iv:Dcbg6zwoIbxa0XLDJMJCOyh6X79gtbZszJUqUkwJ/SU=,tag:+Wd3M0RCUX5Zq1GI/juuUA==,type:str]",
-																	"type": "ENC[AES256_GCM,data:5cfgyjqQ,iv:TEFcotxywNpBQ7GCdC7suVrN3XIvHSog+mecQ/xnL2g=,tag:h7aDgre0WTL+g5JbzQY0eg==,type:str]"
+																	"key": "ENC[AES256_GCM,data:1ZAPeGq5,iv:yzRYuNKdqBLGTDJ5Khkm/H9Om6Z8CeMjz/yTe9zgmJM=,tag:aVuoqsdbVbFGzZhrml83Cg==,type:str]",
+																	"name": "ENC[AES256_GCM,data:UvPdrjNE,iv:nnNSxBJggsVek5MGuoG9jZCSoMTS+1u8u4hSHmojczU=,tag:paZxAH1y5GZIj0/aahy0lg==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:45LheOSf,iv:thMn38FymVL3j1M5D/7bpKu2VUmvQxXhyQW+LAQ9U+w=,tag:kowCUL9WFBWZN6sK7P6+CA==,type:str]",
+																	"type": "ENC[AES256_GCM,data:jb5JEH0m,iv:PpHiSt94N5NOkzwS1UXcGpadCMVkIo0j4ZyuCdc8KGI=,tag:vXljq9QvGQbJNWRSjqzs+g==,type:str]"
 																}
 															]
 														}
 													],
-													"alibaba": [
-														"ENC[AES256_GCM,data:NW5g7QNr,iv:rXorlHlce/sFUOrKPz/5D96o/XMYkmfSPRwbSALlokU=,tag:PGwkAypRQmouRkWkIeZDrA==,type:str]",
-														{
-															"auth": [
-																"ENC[AES256_GCM,data:Fsm+GVo2,iv:BdJNVEtN41Ci/FevpJrAJScDVl2JREETr4/PZfJtRjQ=,tag:+gGyNvG/YUVFySFD4gtZoA==,type:str]",
-																{
-																	"rrsa": [
-																		"ENC[AES256_GCM,data:v3ZQ/3CC,iv:I2Gf5XyPqGl1CdCFP9CGxAgEqHeZzaGrQQfPR3Zflmo=,tag:XdaGXlhacJaJWGVCH/tAIw==,type:str]",
-																		{
-																			"oidcProviderArn": "ENC[AES256_GCM,data:QHxfS8cc,iv:4bo7BnjFhuxBjkY6Ho0vFzUzHTEaYIjQDe44VHT0948=,tag:V/DvoLQWNdhEO+W1877Hvg==,type:str]",
-																			"oidcTokenFilePath": "ENC[AES256_GCM,data:Cg8vJf0M,iv:pxtYsZ5gpjbWDAcw4VNAjDRvK5X8vDJIYNe+bAqUO4s=,tag:yh69U9GxvTC+nOwGiy9CkA==,type:str]",
-																			"roleArn": "ENC[AES256_GCM,data:inIP2s/0,iv:00YQCqYdK+rz2J48croBrVtEvvLzSFf1yIe2MaMqstY=,tag:ooDRN9stNw4S4PhJGlQXng==,type:str]",
-																			"sessionName": "ENC[AES256_GCM,data:4+7Y/Gcz,iv:pYRHeEP8dWBq4zFzQ4lXwvpnx3tBoQxSFEmviPnJCtE=,tag:5PQtdWpPWQNjV0IKyZ3OBQ==,type:str]"
-																		}
-																	],
-																	"secretRef": [
-																		"ENC[AES256_GCM,data:uQbC0FuP,iv:DnUQHhh3NbG2pbjlonXeC2Zu85ge8J01R0FOqeaBZ4o=,tag:IyDKR5AuG/FtkQvb2wJUKQ==,type:str]",
-																		{
-																			"accessKeyIDSecretRef": [
-																				"ENC[AES256_GCM,data:wn4XZfFE,iv:xWmxDeOyeMB1B0fQUhU6x3SeSddmi11kZp9d9CDJQgM=,tag:6X5k2WOdjeH/IzWhpsemog==,type:str]",
-																				{
-																					"key": "ENC[AES256_GCM,data:+vtfJZKG,iv:Yq9QNw5MXEH7ly6BDfNgzinWxTU96Io8N9VpqPiqMMs=,tag:vs8eCq0azKiVWmjYJYYqgA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:QsaQwvPT,iv:eF8cb3GkDlamWGJQgex1qBszEKQZeGpeqE6BB3dqe14=,tag:N7e7b7t2Z+ZCMOA4zcY1/A==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:SsH1vC2c,iv:Af0wgjXrpee6wLpSDaj/vTghEXCE/1NB5s81LcMuxOc=,tag:KhCnlDi6UFL/CWejUxe0uw==,type:str]"
-																				}
-																			],
-																			"accessKeySecretSecretRef": [
-																				"ENC[AES256_GCM,data:1Raw2w29,iv:8NCdyoZojhXoBsWQ0idR4tkvH0CaylB+X4LpljcsI2Y=,tag:WQu0vghjohQ8J2cvvcFPqQ==,type:str]",
-																				{
-																					"key": "ENC[AES256_GCM,data:DEAEY0iG,iv:sXAOlF9QW3Lnu94uLVUdjdrnj7iF84Cf/IdlTw82Wbo=,tag:ws9/KEx0FawMlHAds5hP/g==,type:str]",
-																					"name": "ENC[AES256_GCM,data:WPp8F+jP,iv:EP7Ti1M225+tULaluPxKLXdk4jxqRmJGDEAgDbyx0ss=,tag:4YOqN5AJXIHp+BGZTvLp9w==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:lMpNIe76,iv:hIIXNqjyUUUlgyUJLyDiU6bolR+z4wpsPZ5H8VCBImg=,tag:87mkr4XWcfhsEN6nGLzBqQ==,type:str]"
-																				}
-																			]
-																		}
-																	]
-																}
-															],
-															"regionID": "ENC[AES256_GCM,data:8F3TQ7s4,iv:OOyMgPCdXWV47nZIZo72doP/gAv54fgNAy+TZrdjd2M=,tag:f9ikdOsuX2NOi/cT4GBiRA==,type:str]"
-														}
-													],
 													"aws": [
-														"ENC[AES256_GCM,data:fY3cPxYW,iv:Ixz6gAqobe5YugQ7NXQwcg/cGYfWVfVtJU51A8zHGKQ=,tag:xKlj17rZouErBDW9Kcza+w==,type:str]",
+														"ENC[AES256_GCM,data:cUL7JK3B,iv:ARlfdJJMFlCMcHFh/pO+E1gavp+qXfvjbIC5K+v0AkI=,tag:goYudRtBWKwM2d0ITZZkHQ==,type:str]",
 														{
 															"additionalRoles": [
-																"ENC[AES256_GCM,data:PywAyg==,iv:bDc5ot6V/X3kU3jkR0zsQiBZrApoqL90F2xvIswTqYo=,tag:10zQv0yppka69JXvsSCFxQ==,type:str]",
-																"ENC[AES256_GCM,data:TcBxvQDJ,iv:f+FwCbUPrVB2yFW8dDWcENlDh7quthy8dQkQRMZF4oE=,tag:ypsmwPPxjSD1MI2+yTDhRQ==,type:str]"
+																"ENC[AES256_GCM,data:POQpXQ==,iv:m0/EZzDKh1XXZN4zgMc6MwUq2WNa0kmAXsF8Bw0N1p4=,tag:wmnWx+itWmK94YpmibrhIg==,type:str]",
+																"ENC[AES256_GCM,data:5oun6ois,iv:NB4IWhtqK3YTgBemoxK05z1M1MGn4ACRwERFjLAwGvA=,tag:K8A1eEA7OnLSeGnWbY0r1w==,type:str]"
 															],
 															"auth": [
-																"ENC[AES256_GCM,data:nlmnN+X1,iv:2FVr4g1D4DWSNYoy+QMYI6ozyJ5NESQEVmRtrzbe9pY=,tag:DkywMvu75OvHI24fTEZ9fg==,type:str]",
+																"ENC[AES256_GCM,data:ehRoGWOs,iv:bUlCjiMORTGsyF5V0o1wju93kvBGmF+NJPMRPVQie7s=,tag:nbW58QBegV0PfkNr2WoMMg==,type:str]",
 																{
 																	"jwt": [
-																		"ENC[AES256_GCM,data:ghnsy5gM,iv:tlPLC/Q9CNRChumH/3PlS9pPRHFwJdyWj7FtuF8RHbQ=,tag:+egRo8bCg+lFkwD6/3t8qA==,type:str]",
+																		"ENC[AES256_GCM,data:tH96aDGh,iv:TCyh8VsHe9jwogpd2ILAcICHVKH16QxomnES6+thIoI=,tag:UJ4aLMr3UWRyQ5KNobenvw==,type:str]",
 																		{
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:hkvAoubK,iv:DDmQi3jpIM0gu77GqoJUYInfq0R4254tk6XBl9BsPkY=,tag:ySEpqIv3LlsRXkOFwthoMA==,type:str]",
+																				"ENC[AES256_GCM,data:aT9GyFxc,iv:3nDjU8eChb9FLGkINpxLSIRPoE1m2Yo8/DRrh+QOQ0c=,tag:XV8iu9gRJqx18dgDx7XK5Q==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:BRCq5g==,iv:oa6ZjlM+iV14No83HweyQXIbPl1UU/oCjJIBIgPlIwY=,tag:N49RuxFwp4v1bFVo4cGrtQ==,type:str]",
-																						"ENC[AES256_GCM,data:CivUZksc,iv:eWCTQoNx0ig06Mlt6+M+FHUAF7olcJId8j607hd3aPM=,tag:vqLp2ADEITodpWd7KngcLg==,type:str]"
+																						"ENC[AES256_GCM,data:+NtOXg==,iv:HyE1evRV/bmxrHfsySdD4aoQmAue6FgHhijdrBEHJjI=,tag:ir24e5qW97kru003K5hG8A==,type:str]",
+																						"ENC[AES256_GCM,data:rlOr4IiB,iv:J/29mEPiMXRhsBa/fWGAveyfpRYabUC8T/RiAkl7xck=,tag:FJrwS/WHlEF4es8cKlPzkg==,type:str]"
 																					],
-																					"name": "ENC[AES256_GCM,data:FxMWhZ8h,iv:rrukI+aifWMb4Jr5GFudYlkkvidEidXxU3zbCfCt1yY=,tag:Qm9GWIuMmqdO6J81rQQIGw==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:hXBAlcfH,iv:HkXp3yZ349Ii9tdstBMgGkmwkCQ9Np3MJB9/uGyrq1U=,tag:cgloXEuit9RYthASEUynMg==,type:str]"
+																					"name": "ENC[AES256_GCM,data:vFBZWUqN,iv:I9ZbxbITmuo72vsVIXiKt/18ReUj+L0H7I/KJw7Vp8M=,tag:szopBQjHtUMxScSJpTus3A==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:gZo6ybn0,iv:QhEeVHjF7QbJ0BhmdlQK02NgZ/nDHvUBFUIDaZ1Q2/Y=,tag:Zh6InCxqyx5FhKQyTue3Hg==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:0Ep0hTlK,iv:F/tKVDRE5BeabuC0ZRKudkkFhMTD81vi9njJkAxTtjk=,tag:pdF5kUNChvTV7EUq/5EfLQ==,type:str]",
+																		"ENC[AES256_GCM,data:koDfJIca,iv:BtMmkqfQk3NIUS6o92rckUvsqNKneQBdZKiK3/Cs4z4=,tag:ZEHqAsmC6VZt4mMltmhn7w==,type:str]",
 																		{
 																			"accessKeyIDSecretRef": [
-																				"ENC[AES256_GCM,data:Q5zLRPYu,iv:oSOsD85Ej33m+U0y+JL9FJ8wo3NoCQLkrMPB8fP0yiM=,tag:T3nZK31s8f2/rVj9sm/5Aw==,type:str]",
+																				"ENC[AES256_GCM,data:+G/JTN7m,iv:alGCSELqotMUsbgPVXNw5ku9PxNG99G3jvE/M8eiZuU=,tag:4t0aCGer5KdGwDhlly4TBA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:yfeMQ8h1,iv:nCftqsLCXNHyIugneIRr8MYGgc5EouJwTy73/D7onz4=,tag:5vYvygNJFvoMQhOD4IgBUw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:bKIbTM/S,iv:0N8y/oy8PmjrJ2rO/SE1lS/iiWVWSAFj3S0yvh37v5I=,tag:iVwbPgfGx7D6VDk8c0W3dg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:rPsBtUJC,iv:UM9U05v+QnCh+kS410gX77t2eoD9IKxq7wvxadn4Mjw=,tag:ls4xmdUX0uZMhycT848r7w==,type:str]"
+																					"key": "ENC[AES256_GCM,data:8BoSMyj1,iv:cv/2anU+0vmXMwTpW+NcTm9cKqcuow+vbbbDkj5/lbU=,tag:0664jpoJKl3abIcLOZ4iaw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:MRGhopz7,iv:cTKLIhhkAjbmWqlFA4gYoN8Jx2C4IL0f6Syl+6eHKB4=,tag:IFzWYDcz6Y8vnh3VZGM3HA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:6IPwsfd7,iv:Lv6jQhueNShNpSrvabDbxxQf39MoHZu/Djs0I6VwJxk=,tag:/E1KRxhnc3XfrJV93rT/dg==,type:str]"
 																				}
 																			],
 																			"secretAccessKeySecretRef": [
-																				"ENC[AES256_GCM,data:mTATnnH6,iv:mki8PIyy+kvgCxrWUeAHK+HH4QRylsaBTyozA7RYSis=,tag:sfll5EfFKXw/LUyqoF+8GQ==,type:str]",
+																				"ENC[AES256_GCM,data:1IdbTdsM,iv:ow/hbsD+PxlgW0oFg9b7FU9ay96lZplH1fqd3NTRBVY=,tag:AAOfTllutDRE6PSW1xStNQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:mOsNGBWG,iv:R0liaK6QPvPqHFOftWnk9MOfLNfjU3UuVFZ919xaPoE=,tag:dn56OZCLlRkesbCJqgK1+A==,type:str]",
-																					"name": "ENC[AES256_GCM,data:5Qri6vs3,iv:ICXVSclTOGCvqBBuMHCvx41CjsUCRnTk6gOmB9jsjmY=,tag:qQrW7sXbUACGYH+Ct4Uxkg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:2jW+ko5I,iv:/cFubIo3QNrXfC/Z1xXTQfOZos4Y3SMzZ5iIecaxMuA=,tag:Ri+DIY0SRKIZs6PgaEP6Pg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:xDrN531w,iv:w755ShSeI/cDk/nCOCp7mCaP7MvPaivmhjNhji413jg=,tag:pnUVGm42EYzBhos/WrnKrQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Eu58WqAI,iv:uSN6wmC3Zc9ITLfzZ1jhgTFaGb4/Gf3ziczNr0SbMiE=,tag:lfLPxfFOmAeSIwOmxJQ0FA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:/JL+SYtF,iv:n71YtZrD4mzcEcjJPdqDpi4c3oB6iDuVjaKlPPonWXo=,tag:wESgYqAS7f04gvlxYpT7wg==,type:str]"
 																				}
 																			],
 																			"sessionTokenSecretRef": [
-																				"ENC[AES256_GCM,data:LW3VQM4p,iv:4eAnsvBZ7oVt+594gnakbzeU2z8Gk9OuRyHHXuMq1lg=,tag:DUHJCzKCKTDrlpOTHPgFyQ==,type:str]",
+																				"ENC[AES256_GCM,data:7wois4f5,iv:yOd6x4t2AIGbm/YuT7la9l58YpwpN5mGWG45/o8XA1E=,tag:lP34aRh7eVur7gBW2Vwq0Q==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:tikI/Ppe,iv:BMjgwxHngMxH8YBsLxjDuiWBifT8vWbdRTVPsjlu01M=,tag:X3y2BOniAPgmgnONhsoWNg==,type:str]",
-																					"name": "ENC[AES256_GCM,data:zJbrIdU9,iv:qO7fXE/hHn91Ql1yNRp1MuZ9GLkqj8MuuDGDBfsomNQ=,tag:JfqBi40w6HQiwaHlsipF/A==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:JY4AfIEg,iv:0DX2DBFBmg6tlT0603HKnQLmL4xoqNr6mbae0tJCMKo=,tag:leQ83KuO6ciEb5gbPN+dng==,type:str]"
+																					"key": "ENC[AES256_GCM,data:QVaTu2Wk,iv:C0KUqlkLu+NTe2In0Ai1jn/7Ir3cioRbOLnpx+gokb8=,tag:6vrJs4MFoqyEwLcEFgewdg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:EwciGtWh,iv:BOJTKRzeD2pjBe1GA1rMgZiTgpPuyOD+SQjvw/p1s28=,tag:TKPkHgA/bodZ2s3de4c2wQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:CWQITJfs,iv:KQShstTaohcf2aHOfa5rQaRV46D011HVKE9ahbfo8kk=,tag:pImFECXguLW6+QMrneydVA==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"externalID": "ENC[AES256_GCM,data:8suxHXNY,iv:g7Zq5Ptl4xOUpe7uvWf5CsPa8Gr2hUhvi3unfcQOGJc=,tag:XjfPUjd6zJuOZmrn5pI/+Q==,type:str]",
-															"prefix": "ENC[AES256_GCM,data:hryqdTOU,iv:MWvANdRwkpD+or4L7QjNc5WLVBmRDVfJCFhKW2VAhQk=,tag:CTA5bd1L+9vb0oE5UyThNg==,type:str]",
-															"region": "ENC[AES256_GCM,data:NPL/A0xX,iv:IcVqLpmfet6TDUqnST1sPBPK/zJAYGsNzFcrOoiIe+s=,tag:mFBtfoc295qCLTqQ5SQFwA==,type:str]",
-															"role": "ENC[AES256_GCM,data:RIMLLNOb,iv:0bTm6qvYOY5AiKpIgO2aoo9TYolPrxVr4wvuDAcv/ZA=,tag:hiFSeoKdsFFauSiyEqD+aw==,type:str]",
+															"customSessionTags": [
+																"ENC[AES256_GCM,data:mL2u,iv:+Vb9aUed4ngPQul73duzso7aAi2IP9ENhQuFOvt3mH4=,tag:558o30ZcMhM9nJfPhyWMjQ==,type:str]",
+																"ENC[AES256_GCM,data:C3oaYgdY,iv:TqYkC5MhhgWcZpCmkxbManTr4BsWwItBmAVCA7yaWZA=,tag:GOoGbxuAGgu0ehAQowY2zg==,type:str]"
+															],
+															"externalID": "ENC[AES256_GCM,data:1uhPcgvQ,iv:dlvThc5wSTiUTjrCaew+HPJvP1nsZWZLOoTfG0t2Opc=,tag:Zti+GtY/jIJJx+0ZC8Oi4A==,type:str]",
+															"prefix": "ENC[AES256_GCM,data:xTZrVGY8,iv:ADidVZKWx68aUrftWJNSFWORpcU2E1BDqOk2SuIBEho=,tag:zBRyBt+Cx7eRuFrGjHidLw==,type:str]",
+															"region": "ENC[AES256_GCM,data:Rv8VZAmD,iv:LEV/IfEUDkUT06mFrEY7nPl5Gxg/xBo1FaIDxurohwg=,tag:Z1+HLbobUTGy+dMQJeXeEg==,type:str]",
+															"role": "ENC[AES256_GCM,data:uvM5ExA6,iv:fNfNBcxX8L5i8bTgW9mWHibuiGlJ22/m6Odm0o8YUmw=,tag:3SPeaBB3XLAU9uMhPDlmHQ==,type:str]",
 															"secretsManager": [
-																"ENC[AES256_GCM,data:47sI1GqN,iv:Sr3z8uW94oLBjrTtpaSumkOEvGVrZEn5YorVou+ozSM=,tag:6SlBaohTaEkC0COZ6uJNgA==,type:str]",
+																"ENC[AES256_GCM,data:cdpBcPqY,iv:M6kSyGk5ynWOF4kuYNbU8PPVQMBFfx8+i9/Ar1+5ERY=,tag:wA1Ez2U4l3Jarojjb8tswA==,type:str]",
 																{
-																	"forceDeleteWithoutRecovery": "ENC[AES256_GCM,data:RqVmXA==,iv:AsTQ6f7JMACCgcBskIXwiGWO1AbuxsMROiT+vIYbAuA=,tag:fqsXT1xAYMLaoPzTnI6nQQ==,type:str]",
-																	"recoveryWindowInDays": "ENC[AES256_GCM,data:rWuiQA+z,iv:MCPX4fODXa3W4SIel71Q1v6Hj3AySpAJdUj3Csb/eVI=,tag:h2wZGYfi/cfp8N4NVG/j6A==,type:str]"
+																	"forceDeleteWithoutRecovery": "ENC[AES256_GCM,data:I389rw==,iv:iZfR0PS8v6ZZSozJ/CB4n1K8cegDA3U1uFkFRkAZGro=,tag:ED0Ar8jEeEk7guTGyaL2aw==,type:str]",
+																	"recoveryWindowInDays": "ENC[AES256_GCM,data:q+T9BFqN,iv:eiDpuqfc9rfvvShik8ph4z5AUniGVnLrVZey62rGQIM=,tag:AgANlfTzL1BBK0BOTBjthw==,type:str]"
 																}
 															],
-															"service": "ENC[AES256_GCM,data:uppaVqLb,iv:VH7mTkRo9HdwGvozO0Dw4CEnLClTC6HlH+w0pdxC71I=,tag:XJqKlKBqkzDhtHB6MGKKBw==,type:str]",
+															"service": "ENC[AES256_GCM,data:aSyvfZ2P,iv:FtgKJDorsA7b+WoJtMnMFgVyGsDUkS1+YdPNT14RPFw=,tag:+UHvWbWoUTJVV7ZdEmg3cA==,type:str]",
 															"sessionTags": [
-																"ENC[AES256_GCM,data:hXK1jA==,iv:eKnJ2bxdBEgvLOzINNjGuAPnp+fJOHAtRv3iG0cqyN8=,tag:Mrdfrfys97LKAjxhFqzmew==,type:str]",
+																"ENC[AES256_GCM,data:G1RGeg==,iv:TgiZMe88zss+kce7ygwhnkQq4NGY5rykSv+YPMafFkg=,tag:nPjCX5JiqAQ50HR35s5ivA==,type:str]",
 																[
-																	"ENC[AES256_GCM,data:9x62Gq1Z,iv:ZGiW10lYxR+slFadtCZBq6hbxAitNUypWlZppmhzP9E=,tag:NhLziYgb68Nlu1C8VkWQzQ==,type:str]",
+																	"ENC[AES256_GCM,data:M+nBpWMQ,iv:LQlhn52/kUmqwHypUUdxFwPSfEI46N85I16r8nV73kY=,tag:UD5nNRrv3vbqp3YpbAQfdw==,type:str]",
 																	{
-																		"key": "ENC[AES256_GCM,data:L4sousOM,iv:yCrB9ON5EvMTsUFiUwzxHCjs2ODmHK5LcE9o9BKhrck=,tag:udI0Su7Mfnaiw8IYsSpDEQ==,type:str]",
-																		"value": "ENC[AES256_GCM,data:Av18OCGr,iv:StjCmACRjlj1ONQEPvOnaMYkmXwEI4T8KgU9CgY4Q08=,tag:+uFTTirL7GD/f4pRlKCxbw==,type:str]"
+																		"key": "ENC[AES256_GCM,data:IUlZ1xcw,iv:h6SVv3mI+F5idRxZblASAPVQvcuy8oVrgv2xByqgDmQ=,tag:smWg/yGygtZPdmA7G8iaSQ==,type:str]",
+																		"value": "ENC[AES256_GCM,data:9wz9Kw13,iv:hiSvHrR1ZuOHuWn2X70wzVMcyeNvuhK1KEY3EAb6u8E=,tag:Gex122unyKaO3PLMIUZL7g==,type:str]"
 																	}
 																]
 															],
+															"sessionTagsPolicy": "ENC[AES256_GCM,data:xmamUClD,iv:LkY5uxallQ0P+l374G/NSYnOzs51Nf7gBRb3bo9bcxY=,tag:X0GuiWZV4Lt3KtmKJYNv7g==,type:str]",
 															"transitiveTagKeys": [
-																"ENC[AES256_GCM,data:GWqYIA==,iv:WMq3AvgUg6YmaBb9/7YtkbqwYdKGrJZA3NXVD32JxY4=,tag:/zcNzVoRSuXcP5bDnN1PDA==,type:str]",
-																"ENC[AES256_GCM,data:xaYp5pgw,iv:lXTjWBvkGtZB+V+P24QGTxpMwLu5ICTVyTQVq6zw4DM=,tag:2fPr/7Ulznj8r9+TtuufMA==,type:str]"
+																"ENC[AES256_GCM,data:LLx7zA==,iv:bC7Ppq6iIfYzDXBxFAkL/YlDJLZRgx/Ec6F0hGjZzak=,tag:YXPM7Zy/lifXxw7Esg93Lw==,type:str]",
+																"ENC[AES256_GCM,data:kzaSyrav,iv:YPjudhXFrdybA4nQqeMkXhCefm0PWEZlt3plABi2K6U=,tag:uFn7MvjHEOid59mwYXjGaQ==,type:str]"
 															]
 														}
 													],
 													"azurekv": [
-														"ENC[AES256_GCM,data:m62Xe7Dl,iv:38aI0MwXvIN68bEQp2mIwTbpVLed3eIGuiGrdIsXX80=,tag:UU5qBAU6qSmsXh82esRIyw==,type:str]",
+														"ENC[AES256_GCM,data:3eOZuc/v,iv:NKPLhlcHdlC1uimWJ4ILdWlPe67u35mxi8T6Fy5pmSg=,tag:aPrp4MPIGUZny+f86sfnqg==,type:str]",
 														{
 															"authSecretRef": [
-																"ENC[AES256_GCM,data:ERs+SmtJ,iv:Cx3iuILu2sJ09fsh8AqWKWYAmbx2KFkmUT6hCCGjpkM=,tag:ywiIf4tvAjmz3G9aVsI6Xw==,type:str]",
+																"ENC[AES256_GCM,data:FdCXPxrC,iv:kqejGIzP/jchv02iRUTNES0ES8Joqa+2PWMPUkejRqU=,tag:mLQUB+/2CPHAC1idOEZo+Q==,type:str]",
 																{
 																	"clientCertificate": [
-																		"ENC[AES256_GCM,data:dPEd39Al,iv:F6tOyxvtfJjZ62jpMnZvakkNgiFfvl7JSDfcHFe2MdQ=,tag:GUkmO1hH4QdaXaE1u6MHsg==,type:str]",
+																		"ENC[AES256_GCM,data:znMr2QZP,iv:59dJ0GfYwfT1xIkvC8i+D9Z/ujxIgjcTgrW+sup+iPI=,tag:L67L4gjZSc3To1qFuX20MA==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:Nv5+jxZh,iv:rP6TZn5fB3cPw9MTe0N/b/x/dnISCBEzv70Qg/tE3PQ=,tag:JikNio+8LYQRyKkn5QCnFw==,type:str]",
-																			"name": "ENC[AES256_GCM,data:Hx4uoVBx,iv:SmqzPxloq3BTTNEwTUNyvdU2GROqklP5ep6vbvK4HaQ=,tag:wXW6osHCzFY0eBCvqiSYxA==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:HO/9FhvU,iv:B6jl/SC0d7RTRgYTHUaj4C4x9EQzMrWXbYAktLxjjF4=,tag:No6YeLg3lYfkst80fm8s6w==,type:str]"
+																			"key": "ENC[AES256_GCM,data:KIF4cD55,iv:aAH/otIJ8qHseHoOtvjaxLv+8PqIi6mitZ2mBREouFc=,tag:CYEt+qERowDJ8OgFbg4B2w==,type:str]",
+																			"name": "ENC[AES256_GCM,data:xEEKBxKv,iv:bUa7u+EBoTjLC8Om6r7QtAxbKsWRBidjsNa2uj13BRo=,tag:5BFwq1YlwzUjmV7vrlBZjg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:D+93tTiJ,iv:cDQ5VuHypPo3J0xGp9+fbAR7J06qgVt7JLKx0MqRLy8=,tag:6dE54OZ/fC+lMLdJyVInsA==,type:str]"
 																		}
 																	],
 																	"clientId": [
-																		"ENC[AES256_GCM,data:ztDBZ5n9,iv:RIXzLDrr3JcBUbI6tOnHWadtn9HWK2r7+zRmlFeW4dU=,tag:VIsQtCqoHxpVRA/S3zetNw==,type:str]",
+																		"ENC[AES256_GCM,data:VavAfgdk,iv:dexTLhIW3TmZQv6Zd5lYDHXBVBZfJBJ7il7aedfGwBk=,tag:NjNodWFLUVco9S06TWqWjg==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:FwhfHPE8,iv:/wxRqKDD73cK4ISJJhCX6D1O1jog4n0h6GlYNJZqriM=,tag:T1jlaK3ui8HLQwsOuMqQCw==,type:str]",
-																			"name": "ENC[AES256_GCM,data:rSKMBqp1,iv:ZumTD0pK0B4itSqiXx3DBkUJo/y/tXmqEvKd4sPOGfg=,tag:A/KGPJxw4n01Ld8qn0jSbw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:HNHSbtWZ,iv:TNLOYt2Diyzf15iHkO7yxz3m5P81yZKnKAQjb9fVSMU=,tag:Eg5dCtKcHh13thqPD47Gqw==,type:str]"
+																			"key": "ENC[AES256_GCM,data:/83rVONt,iv:nnA1FDMTBxV5GHPdWAMlcvFE4LMZp4K+baOcsSm2Kks=,tag:dTp9y/WcQKXcP71Z49QyZw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:ur5CaMVO,iv:1f8LQkjsJcTsbDAjt5sDK3w2qL5A4uWoNoCG0yPzIbg=,tag:9ZKQ5ztIb9FCKPd/n6pKpw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:CwvMvzS5,iv:UKc/iYC0gYoNQgJOFOrFPII9ZjtPowyb82A8S82+Bdw=,tag:TicVOlU+qmyxCWHgEpyNkQ==,type:str]"
 																		}
 																	],
 																	"clientSecret": [
-																		"ENC[AES256_GCM,data:/eXvWXry,iv:LaJQu/7fKIln7Re5OOMQlyU05Do3a/RxQYfVEOyOynY=,tag:JEq4s/f6IKJAKC1z9Dm+fA==,type:str]",
+																		"ENC[AES256_GCM,data:XQRxwkag,iv:YEi7G6zvDM1Fyb5OOk+/eO0BGi4qU3Iu4D66/0ZVsmU=,tag:yZd360I8hwlNlvmjpC64Aw==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:HJRVxKEg,iv:xokEX9wtxyeXbsSYKPhd4jxZelKAS3yEcqqE6SS3uDU=,tag:Vq0ZGo+CK1MmKbpp3oEf2g==,type:str]",
-																			"name": "ENC[AES256_GCM,data:doMH28vK,iv:BU2yqzXQKN0jipq0zFYMMFxFGUOzwiGWQhVgL5MYdG4=,tag:PxP1dwPBJAfv6pgz2VU3Pg==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:GdNp+zJg,iv:w/W6XZ/J/TGmY61Y4qQ0+TMRj8+MMQU+w/q3qBewUiU=,tag:wOgPaRwS4OWeyCWpsPCD7A==,type:str]"
+																			"key": "ENC[AES256_GCM,data:3+lh2RJ7,iv:2WUJ8tUgJJNFmzbKx8sSKQFJzRhW+pAaDjl8z1nhHTU=,tag:v9XH8viS/Hdy7HVq0MsohQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:9pTlz72I,iv:25GzwnQGrHJ9bmVzjJgIX0Lz0mdswl6QLwPQf1Y8XzU=,tag:VWKMIjKPlqXC8FcJT7X+KQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:mu6dbu5f,iv:T24YFwJr2IHmZr/fSOZcQBPpH83CK/meX2FRiBDxQNQ=,tag:GwBKg+g/kVPSY6XhXrMOMA==,type:str]"
 																		}
 																	],
 																	"tenantId": [
-																		"ENC[AES256_GCM,data:xzWgPmnF,iv:JzTheUDmnaquA9A0+0UJ47InNBAPnwdN+bsv9FK3x+I=,tag:NO7/krTmSuLfY50KF53VLA==,type:str]",
+																		"ENC[AES256_GCM,data:yITVazx2,iv:dEn1AVkW7y2KWM2gmcWQFZg6mNZN0spQ6pFC7/5Oze8=,tag:F8jk7hWlHwd03HwnWuWF1w==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:hxbnSaDG,iv:cskiX4PX8OVylRht4H9frSHErz4qUvAT4B0CKAKwAG0=,tag:/+wfpdlRv9b5Ya2yBAQpVA==,type:str]",
-																			"name": "ENC[AES256_GCM,data:jaefbtpd,iv:a7/EiNx4NEpsOWRjY9ji2g5i4HxVJkxw4axMS5USwhk=,tag:ptgdTjmeAvEwp3V2SJ/xeQ==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:U9jX1q3p,iv:4BrrhJqyzoAEunjLLbrGkngC58PaKIB+RRGs9oiQkEM=,tag:UZdIwGYuDjAjvKjiHtmJHA==,type:str]"
+																			"key": "ENC[AES256_GCM,data:aQbT2CR6,iv:wZFAwl0LFULWn5ClRVZRdcQnUHXJwtAT6WoPTAyI/i4=,tag:KpO/GYN8NAmNSAFE/inx4Q==,type:str]",
+																			"name": "ENC[AES256_GCM,data:6CBw9nWV,iv:/GrIfI2fAOdVj87dmP37aHwIbYmtMrS/6Shfb/6gIiw=,tag:5QPOjs97a+2VuOm07nVRUg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:vJQmI6QS,iv:Gf4+8CngPmilGMJjJXEfNoiuseYg3Zx+BotlEuqaQSM=,tag:MToadZIQ0MsfTuEo6Lkq5g==,type:str]"
 																		}
 																	]
 																}
 															],
-															"authType": "ENC[AES256_GCM,data:k1/dB0BY,iv:fRvofNlEvRJNtSiFc+vGJjszF5Lf88xt6LcDTUqwqNE=,tag:6xYJmKTKpTo4zn4D2qO1ng==,type:str]",
-															"environmentType": "ENC[AES256_GCM,data:td7UyY+f,iv:HbeUVUg1iyU+OnjTpHpzqUV3OKr8c96BeldyVd6IjBY=,tag:XSrK3fop+MjCZVoL9VEnMw==,type:str]",
-															"identityId": "ENC[AES256_GCM,data:c/URIbvO,iv:v2sXco6HxPCyQohHE0DOUu5SokMfkZnRfbPl9SLd8vo=,tag:YV/e86+rsm3KRfEdm2Ahvg==,type:str]",
-															"serviceAccountRef": [
-																"ENC[AES256_GCM,data:T7r6Ox8s,iv:qx+zMFWV7YxXbaDCd1ucE1GDw47IMKw56zYeOmqDvqs=,tag:hqzFrYJsPPEwqn3zdA9Dsg==,type:str]",
+															"authType": "ENC[AES256_GCM,data:s3a3U6Nc,iv:QWrhZo0UG/Vq8bzGdFKYgFECKVrVO3Q1wbl2EmdHE/0=,tag:P9/A7KFScXNvgyB5JDcP1A==,type:str]",
+															"customCloudConfig": [
+																"ENC[AES256_GCM,data:ecxCXVfB,iv:WgdzNbIjiuVzN8S6afKt+4HjruM3ouzDV8NG1OV8LY0=,tag:T1voL0rrQ0pvdEZKm4EemQ==,type:str]",
 																{
-																	"audiences": [
-																		"ENC[AES256_GCM,data:mhMlSA==,iv:1XcuSwQp1C8REM4qjHCPTsJoY6Yl9MEkevZ9VwxYEIQ=,tag:4AJXn26wnJj9AHysLDIkog==,type:str]",
-																		"ENC[AES256_GCM,data:qtfzQrYD,iv:bcZ1kItvo5mYsrf5PGJtyi9ZRNlQJLPPrZEm1tGpAtw=,tag:JTip+rtWbjpzud2DqWEquQ==,type:str]"
-																	],
-																	"name": "ENC[AES256_GCM,data:iuHJYOeT,iv:K0P2vqhQXtfUyrYOUY/Ct5e07tkqzEjRikWsUvhiD34=,tag:QWhVoDY/eEH+owL9xuPH4A==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:vfM/rBkU,iv:s/W6FZfsV5elUMh8KGsqK96YAezWpVl5qmIazyS6z7U=,tag:1UbQETvo6uqhkxfz6DKqKw==,type:str]"
+																	"activeDirectoryEndpoint": "ENC[AES256_GCM,data:P4Jet7Ch,iv:8mozq2Gg74U0//JcyHxxUPnTjtTnqWw5zn/9KSeVpks=,tag:SdzwiDXmDx+JO0ePB7yimw==,type:str]",
+																	"keyVaultDNSSuffix": "ENC[AES256_GCM,data:7/AfrjwV,iv:jA0NSmiS4yAP12bsHt36UUuChbXLQktA+nsAyCPh4uY=,tag:Mut/j5Txrqf/AcQ+IiSJIA==,type:str]",
+																	"keyVaultEndpoint": "ENC[AES256_GCM,data:u0o8G+in,iv:r/4nRNRtwrPzdvY2Pf7ZYQPTp2gYdwoT/JB0xyDflJY=,tag:6xmopQrQJMkIbzcyTKEgRQ==,type:str]",
+																	"resourceManagerEndpoint": "ENC[AES256_GCM,data:QQ41yJh6,iv:0cC9olHCBdfD0Avy7r5CZLSOu8VT2i86BP1oTMi/H28=,tag:u79O/NrfRk/8bdG1bSbNMw==,type:str]"
 																}
 															],
-															"tenantId": "ENC[AES256_GCM,data:N2iGXyS0,iv:/w7tFgX5Q2Q6omc1w/uAgSH/YvxK6JBMz3bEq4preyc=,tag:AA/bC78AcCyaQH8+m+/jCA==,type:str]",
-															"vaultUrl": "ENC[AES256_GCM,data:nC3OusbM,iv:+P//oRAUmJWI+90TYJaXNwb/va0HVjMQJl3bjEwSs84=,tag:WAyshSLdw44Wl040sYCh2Q==,type:str]"
+															"environmentType": "ENC[AES256_GCM,data:ySM3V6Rm,iv:3lx6P+CHkJfWTGjGl9jMhKw6PLuvbmJHO8OEXkhKHAc=,tag:E8ha0edUIbPB+sGI9egMbg==,type:str]",
+															"identityId": "ENC[AES256_GCM,data:bYEH2ybG,iv:MIVkej9xPILQJEBNYZXoOnGrzXogD/DtJnCWhIHa3Nc=,tag:8ZpT0NXMKzoBgOgIaxEUzQ==,type:str]",
+															"serviceAccountRef": [
+																"ENC[AES256_GCM,data:+bjIIRtx,iv:ej3vP4s5Dg2R0C1+LgsQY9wD1f1J3uYc09p0DIqpJMM=,tag:aW1HFVJhUwylW9SZqE83bQ==,type:str]",
+																{
+																	"audiences": [
+																		"ENC[AES256_GCM,data:d2Phig==,iv:9o75DAJ3/W9uS5DdrMIqhMio7MQFEQ0vRHJWIGh+gtw=,tag:2v64SnSoHu5p42ucj73OMA==,type:str]",
+																		"ENC[AES256_GCM,data:lC9BrX4Q,iv:OL1tJzaZsA/FySkALcICLGYiBYGxfv5RwofhsGFlJvM=,tag:LJC/socJLvISLgkfNYIH1A==,type:str]"
+																	],
+																	"name": "ENC[AES256_GCM,data:5pV4ucjs,iv:ubsNgtOViaPj7Hh22JGkSUHfENwx7B0a0q2G8JpUAIY=,tag:dVnWJ9GXBoXZZLnWcjRyZw==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:HNq2GV4V,iv:duLQ/JFm0HLbwWyuWSnu8QW8zR5y2SeJ/38B4VNGciw=,tag:e3wGbzEZAEp9y/uj7EY9Ig==,type:str]"
+																}
+															],
+															"tenantId": "ENC[AES256_GCM,data:qGSDA9Ue,iv:hsGYuDaezK9qt2K472oo4nhmPeZk+hJx4U3wtsK0yz0=,tag:HJE79iRtH17z79QXYmxiaA==,type:str]",
+															"useAzureSDK": "ENC[AES256_GCM,data:7riO3A==,iv:S2V3D5J9sXhSpHJihUAPsKt+Y+eObe7BlnTukGz2vjY=,tag:71N/IQg4K3GG7Mn2i11hIQ==,type:str]",
+															"vaultUrl": "ENC[AES256_GCM,data:TFnEM8Tj,iv:9b0rLyL/5/Ag6eN49AwQhCuVLa2TGil7AtGDSOlsHDo=,tag:Sh3DeK7c93HbwhGZ2g1g7g==,type:str]"
+														}
+													],
+													"barbican": [
+														"ENC[AES256_GCM,data:T1VMurvg,iv:ndfC4Ssz4Wt1Ic/Fbyp3p0ADZBIh0EIU2iQZrfO3r6o=,tag:AF9v1hhZLCHQFvGIdk8zAg==,type:str]",
+														{
+															"auth": [
+																"ENC[AES256_GCM,data:Ikp+9eSk,iv:OTrrrJ8aZZdSy88sCAO8LUaRx+Cc254bLzGMMoO/Pxs=,tag:4E+PQ/JsvmRfbtQ2DG8OpQ==,type:str]",
+																{
+																	"password": [
+																		"ENC[AES256_GCM,data:KAVU6sec,iv:e5oB0eNkwXwqR3KNKHvg7ZnrY1M5WJz+C65Alkgj1OM=,tag:OMeIFx3uf7V6WFkJyTcLAg==,type:str]",
+																		{
+																			"secretRef": [
+																				"ENC[AES256_GCM,data:v4oNfMyx,iv:KhCYyvWINibbcDQwBU2bfSCKnefyvjGFVAk2kFaBJPM=,tag:yw7CLBVJzCYIvOwkLGgKag==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:QRE1z8pc,iv:Ilxn5JfL0bG3VwRHW2amB55PHejk4MDOEwuxxzqEtxY=,tag:pKP1XwIBb+1qUIJA7Fq9sQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:24PVdunR,iv:caDlwsM9HARGq2gduv59ZRK/6cvF42X4E9q9Qqscbio=,tag:ZQ7Nnjve8YXqAoEgdsO3Mg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:rilO18jC,iv:WT7fHm8d86Z044bf/0DcpA9AJijTQggSpzDkBMG3fHc=,tag:w5e1gdIaf7n9ePptEsDeCQ==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"username": [
+																		"ENC[AES256_GCM,data:i9UU/2fi,iv:mW8D/D7no8f0/EDamO1xjePM/T/k5rUM9vd1SzXfq7g=,tag:3ooT8X7EIVWjPOHceIsn8w==,type:str]",
+																		{
+																			"secretRef": [
+																				"ENC[AES256_GCM,data:r8ys1Tbd,iv:+EAEe9WTKMUjHo5GiCU2KxBYwOMPUSQHmilgMSgYwu0=,tag:APY8j0ovvr48e2SX4L2VUA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:+V4o9Km6,iv:sZSijk7uyRgkCV8ZGyXBRlllnKjX9Itn68sASvKcpYs=,tag:7fvzuigvUrvVGgNp11T0HA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:xNZ/PRy3,iv:mNEozs9n2L4oJ1E6XUCZhRJ5sNKDYoUzlOnYT7dKLR8=,tag:Trd25S3ngDGaMdfeGx2lXQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:6UNMZjiM,iv:FwEGpzaOx/qt/YZbe7SeswDi/KpNbxxkqzx3NfOcnIU=,tag:sEfHavB1fds5izRSJg3k7A==,type:str]"
+																				}
+																			],
+																			"value": "ENC[AES256_GCM,data:w6EQYhIl,iv:YkHsDUWWK9roVL3RjkkWa/mQ6ISoystvVwVVVrRfRFU=,tag:O4Dc+itbHO32CHKH/VzxsQ==,type:str]"
+																		}
+																	]
+																}
+															],
+															"authURL": "ENC[AES256_GCM,data:zcPVAhbQ,iv:arvj3TLbk8K8nyFQpnh2M3z25Htbp0ixKiqtLAIwN+A=,tag:uNdPEk2AkUBB4MuWbABz7A==,type:str]",
+															"domainName": "ENC[AES256_GCM,data:o9ZvzRXf,iv:KRj0q6nxugpov6bfcMa0CsjTLDnma/4xHJw9msBuL2I=,tag:vDUaznaFw+ydCHz5mouH3A==,type:str]",
+															"region": "ENC[AES256_GCM,data:4Uh0Ryrc,iv:3nj4FTupcVy90fK9sM3QIV3zNmQUDsBwwSrkc5u6Ax0=,tag:+HXBDcyBsA4J6V2OxdG3nQ==,type:str]",
+															"tenantName": "ENC[AES256_GCM,data:WZj5mTln,iv:Hd4PB7x2rWakmWfFP7gsK0Kgvn1a8+6RcYnYknAjH8M=,tag:1pjeXqmO7ABwjpBkBqPu9w==,type:str]"
 														}
 													],
 													"beyondtrust": [
-														"ENC[AES256_GCM,data:e/PFS9Dk,iv:Jw2f8r5r+7hhy5iKpbMjVvdw91wYcfClQa2+wvZW120=,tag:8AUL1J2W7t/FbP56pveOcw==,type:str]",
+														"ENC[AES256_GCM,data:FGlcjdKd,iv:jatf0S0/abNu5loGIpmuwlhYvAnJIaKZoyPPXOV59KI=,tag:/YQ9AdgkiKYW6E1phrV0KA==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:sH1BgBxv,iv:lpL1VWvAf5Bc0pWgIHiullTKmzDfc8u1rr1mgn208JE=,tag:7GBnlPmxn7tguKKY2F8SFA==,type:str]",
+																"ENC[AES256_GCM,data:/wjRUhP/,iv:/b7oGPR+ih+ZKHez6K+BYJdp0wUp+YBwPDXYvhghwZo=,tag:0XE57Kb01ZWF67FFGU4zjg==,type:str]",
 																{
 																	"apiKey": [
-																		"ENC[AES256_GCM,data:tStkUOX+,iv:8J+wMYX1HH/GeiFacjWyrW9iMAdvBkSYJTuQNylpLps=,tag:/p3aM6a8tAHChv4PGNUYuA==,type:str]",
+																		"ENC[AES256_GCM,data:7K8cgWeA,iv:gzMT81fLuMPFHRfL+E73HQJyMwtpdLj58obmLxz8RsE=,tag:vTvgQ0emvMYo0Ih1kxvqUQ==,type:str]",
 																		{
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:2WxEdouZ,iv:Bnjx11ztCuRup60gSIAIZdbbId4RT26ngUnZZx/Y2W8=,tag:dVNjfnc2Lf7ophx0lt9EYg==,type:str]",
+																				"ENC[AES256_GCM,data:JO8v9LHJ,iv:mLJdmJWyE+2SCGcOMBXe0YO4apeqfwe50ur8WSQO8sE=,tag:EnXxVa8+0BM2KpDgX/0vlg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:syZY77nt,iv:wne3UAQ/lIPwZCsbmJLlBxSdsN22HVOxhSBFXLKcbPM=,tag:P7VS7zkNZ6GhzkqF8u9X3w==,type:str]",
-																					"name": "ENC[AES256_GCM,data:M3uXjNTI,iv:77J1x22s/9aSRPNcjwIslBA9h2HVBgspJYaip9+mChw=,tag:T6ZZJ+Y93QQfLrp9HLtaQw==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:GhpehfPb,iv:fYQVlzArqeGtWwqGYxn9cUZYsUQPxMy2idndQ1ZxYkQ=,tag:pMnEvdGy6IJs5fp/cS4MCQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:SsOtfjdp,iv:+QKD8jghY4vQPKX8viliLkEkKh680v8iJfVInrTWRvE=,tag:DVDHJOpfP/pamz/q6hhLfw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:cIFDeVZx,iv:eHNtfRHJd4UjMSnDAdCbuv2CJromy9ES8GyZ9JCtq3A=,tag:mFn3Jrjuq7pVBG+2I9z9mg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:apvAcHJk,iv:oGlw5l4tBdiBMDDNbTybgivATNuK7tey22K6V0evPA8=,tag:FGcw4sUf+00JEf9RL+Q1lQ==,type:str]"
 																				}
 																			],
-																			"value": "ENC[AES256_GCM,data:1Qqs2oa6,iv:h0RgpGSM9kAtWqdhFjBnz/d/TCrctXrW0wa7LvKA99I=,tag:0nHFA6Xc0u8fKQGAQUxs7Q==,type:str]"
+																			"value": "ENC[AES256_GCM,data:3Xz10tvP,iv:uVV9k/nso7YW6+gnjHKIkDG2fByrL/scWx8uZvAtcKw=,tag:gu2fZhqwS7aHNe4xeVZwmA==,type:str]"
 																		}
 																	],
 																	"certificate": [
-																		"ENC[AES256_GCM,data:7C4qfKfp,iv:NdmfglbV1A8qEy4f9BppBKEhYrIXq7t4Z+kscKKyrDA=,tag:/jTVUMWq9zCRzFw2Bov2DQ==,type:str]",
+																		"ENC[AES256_GCM,data:gofrGwkm,iv:Et/+E+alhomKIdrQO1oo1zUno6nJWNemEaZMDMGqld0=,tag:byu+0s40RMCK6gzecjSg7g==,type:str]",
 																		{
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:Dx9fJomq,iv:4SeFKOwUVNG005lUY3rLHti2EX7cLzx0cyr9EBYI368=,tag:Sb8JBtj+RuqCC1ZT/8V3fw==,type:str]",
+																				"ENC[AES256_GCM,data:6CTHN6S+,iv:FfP/jAwPRw7SwnbGnl5UjFN+nVGk3BZJ1KvI8UjYg6s=,tag:WHvLwCZJSBUXwIOBQ7iZkQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:YPUkNtk3,iv:2Pj421WMRqwtp0uHx4LOMwtxrRYUJ191ePXKqFGv86Q=,tag:mb6KKoxJay5ExNZssfuDrA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:nVb7hs5C,iv:NjcOPNWD00MJd306+F7ZOxzdzpMBHeElzxU7/PQjZbw=,tag:DZzd9n1pLMnXPhRaDy9HlA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:RUuzhcdY,iv:lqz30Tf3pWsVplQCkIvGq3bDMd9P+lkVR4IS1mOsZW0=,tag:iT/Ck6bnSjdR4vp25X/2MA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:Ozde2Oky,iv:IVCE1F4M5VbTGMKL+FuTQjWtdG+r3KoAJaKiXGbKyAU=,tag:HRUOM0qJ+CT6scsCGAcAbg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:OWMVgu4d,iv:B5ZVoxfQFk8BI8Gz7JBI22nEuEKMi+gTAMZjoiEjeAU=,tag:St6xIsrcoChqW+UYkMziKQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:8JdOD2Yd,iv:r4JOqHEc+GrXX/pElfrQtZwUGhbPxipnPn53hYxgXNA=,tag:m97B5/r4mNKcoWH0nBCFMg==,type:str]"
 																				}
 																			],
-																			"value": "ENC[AES256_GCM,data:Y7XqKni5,iv:yHaxoCWF6rNmqDbzCmHIdFjv4jLiLTC+9dL6FuioRcw=,tag:xbZldgO1R1VPfrl1zl1YBw==,type:str]"
+																			"value": "ENC[AES256_GCM,data:2iVjBqMT,iv:lHAMBHIcBmjKcmiSbqt0rBDFbRw4A0umQixMOwgwXew=,tag:BUIfasPjiL+Docrmgr/iPw==,type:str]"
 																		}
 																	],
 																	"certificateKey": [
-																		"ENC[AES256_GCM,data:Kj3mHXeS,iv:ynnlGXNBkKe/CZ+dLBqmW8kFmhCoonP0BRTUGKMvuhg=,tag:/f93m2/lCNzpNOskCaskBw==,type:str]",
+																		"ENC[AES256_GCM,data:7Q0LJnqG,iv:oZGDXWW3iB4rQ8wfpjqXCSKtJWaTLJmf3QkVtomAccA=,tag:K5ST8dOrk2F1Y0Ub7tg3Jw==,type:str]",
 																		{
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:WGVhH84h,iv:jP3UGblH6wVtb+/3DSDW+KsIcEbj1KnRxyy0XLE1aC0=,tag:IrMY5SC84C5iU4h3t4NxsQ==,type:str]",
+																				"ENC[AES256_GCM,data:aeG02M+k,iv:iKrTx9g+0s/Qpc4hjExysRrEjTsTsVy0y00+JcZTs9U=,tag:Ut3E5BDubxZeTQ/pyi1wnQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:hDe+B2AW,iv:uEQBAZb36ZdE0gdzj6Nmj3kNQzY4hGc024osn7sTJtA=,tag:WBgqQkjRJeKteC3qIT73tw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:bYRrR/VH,iv:hS7dGHtIkdGr3lXI/kQEWoSYqRHk/rBG+Gqu+Gu21Pw=,tag:UvHMDAD1xfuKSEqGtnAnSw==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:Vf4AxawY,iv:YsAvWScCi2HkVQLWimOxZVK3B8ho7ig57PDIO1BO+NE=,tag:7qIFpn0CLei5dFntNfudOw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:bsFiPNE1,iv:XUpPm25DNWjBoqdvPOwJhgRJ0YwIXlBoWS87QpRpfmE=,tag:Sb+/5e67P00cCA279PHbfA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:igFZVehQ,iv:LxaKcTbILgVJA/qqTQVBz9cb3EtqltFtjFABxvl6/9U=,tag:TYE2ynt/uLTj3m6zv2egQw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:tyrTDXv4,iv:JO3QmMBZ/8cgUU5HI3u/t7iQ7M1UJ2UBGLdyaUl+U08=,tag:sQcpn+lw/2oC7dm/m7BwMw==,type:str]"
 																				}
 																			],
-																			"value": "ENC[AES256_GCM,data:6Z46tLbL,iv:BraMmbidUFdyputfvUA9LWZnxjCYgYXRazq9sKQ/JBQ=,tag:viRa6TbSynTyIlil8t8bQQ==,type:str]"
+																			"value": "ENC[AES256_GCM,data:wpCUoi7b,iv:xm4NiwLtkngS9Px6L8ZiRVDMwdgHlET4pdESe6Icuk4=,tag:qiNqwMm/nfqYwrI0LrKtIg==,type:str]"
 																		}
 																	],
 																	"clientId": [
-																		"ENC[AES256_GCM,data:X3FjlgMz,iv:szTMXMrOT/noqDULLTFvfWbfofeVpf1u8KHwnformgI=,tag:BRf6v8JGmSrUHNPDBDRz4A==,type:str]",
+																		"ENC[AES256_GCM,data:duYrngDA,iv:RRCTsYHiRW4I86nqtsbW5ejVv40YUf2opFotE6FMuJ4=,tag:9wi07fhGsWovctIJfAYKAQ==,type:str]",
 																		{
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:2jroKHHN,iv:/Qw6a5U/suiV9tpJDn9PTbfmfyaZLtF8pfUWxs03ihE=,tag:Dfbrg1/tXnZUWW3yWvbx6w==,type:str]",
+																				"ENC[AES256_GCM,data:TIT0Q4o3,iv:t4jl1wblUXoy2rwMJ/qjYqMnyr/XtPrHoMbP0aD5LQw=,tag:apGuJcUcDfPmkv/S/zASZg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:pMTpqBiy,iv:9Nm58IxDSir7l0WyX2+uvNsXqOFl6ktQuBJywxrNXRk=,tag:KnHGx7xaMPQr3eIe49pxmA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:qGrPiwP9,iv:ey8lTaAsugS4OlsULw+OQUxbckZFZd+FI2Ag0Epy4cU=,tag:V/Q8/jfUp9Ny0Riq5PaffQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:Els4N5uv,iv:/jFsUNs9orHp6FKqelkQoTV8OdgO9Q7RD76RGLk0Dsk=,tag:zN7kgDp2BRuMm9Lo+FDc4g==,type:str]"
+																					"key": "ENC[AES256_GCM,data:fcMY6/JM,iv:tk7eWJIfq//nOwacDvWTArW0k1d9Ocp6f2iGJMmeK74=,tag:mbp2P2eWZIevBw3cLVINMQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:w14c/DFp,iv:vlWMtDtMuu2NlEJUbP6m3EmCjZb0jZ5tiICOLPIDqXc=,tag:6ZfGrH4JYYIXqOYH/EoP4w==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:deXvszeN,iv:KEhp4W63/ZQES7rb0O4DhrjXXLEBmTSciSS3iBc8lLc=,tag:2KbH2Vb5BHgCFZsfvaNRQA==,type:str]"
 																				}
 																			],
-																			"value": "ENC[AES256_GCM,data:Z6BhdlJs,iv:I32oLObM0zLs64YXFA5MiprJfI0f7UuqMOUVvJpI59w=,tag:Q0DOrbtlKyISky0bgNnSmg==,type:str]"
+																			"value": "ENC[AES256_GCM,data:8NQofD+l,iv:Y+F9p2xEOw9BUuOURW9Q6iNuo0QOqZA65j3q99DGTDQ=,tag:m4nkU3M6rxtUXpIuxuwRDA==,type:str]"
 																		}
 																	],
 																	"clientSecret": [
-																		"ENC[AES256_GCM,data:7ckMw18k,iv:4gBwEWsfuhVAJrkwD/4Jgm67DfwsGLjDGi6mvfICkes=,tag:3jL2pGKS7fDEIIFILQthmw==,type:str]",
+																		"ENC[AES256_GCM,data:dUVDrou0,iv:cWblZhHMZcK5FKaff93wUdmtuMqUu2g3fC6Ba8g+hO8=,tag:yPcoT/OsTi/ejZGUHvuNCg==,type:str]",
 																		{
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:tydcU29T,iv:YJtYZkDp38MywF08AJ2pq+5HGmDkZgWTo4Sts0gcaN4=,tag:6yh0+qWHRxf6ii/HmRxihw==,type:str]",
+																				"ENC[AES256_GCM,data:9JZb/T58,iv:eyC8A271qBVXUyDyq1ESBna4itHIbbm+G3GPO3tAL64=,tag:mVjIpANycQa56oQPgUY/6Q==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:O5QmsBCT,iv:wFCQyicA/4/XcEO38gWejCnbwx8i+C+54vDB2fSpQ9Q=,tag:8SpYKx+QrQNLZXNgRuW26w==,type:str]",
-																					"name": "ENC[AES256_GCM,data:B3A725N4,iv:3g3Y2sfg0LZffg5+068Fggq4N/FN2nUjJSO8tXp7iaw=,tag:+eeCyD8erb+cRBDK5fvYiA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:cJWDNhCw,iv:FXsCFK5R8DtWra+2WNPwCbh4KljmRJsL5x2QQ5IuYDI=,tag:+ZVqM2tHgBJJgiQ5Ky8TMA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:9luxmiuq,iv:FhOQuyDI0ZzkUjUGCv2r5qZGKp5uTY939KeDI6oC+bI=,tag:4Cd7LQp6qO3X3GVK4ds6qg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:iE6QR1GD,iv:jOhAJv07zb8noeYO5qdsrs0NuS8+pTJSAzqRCbgZI9o=,tag:xxSOHBRGbc2oQvCz1CAPWQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:FqY+kh2K,iv:Bsso0oXadcX1fZI1NmPerKSFYqdC7bkm4ewfm8SnKCQ=,tag:eCHvAY06WNPt5dlInL/+rw==,type:str]"
 																				}
 																			],
-																			"value": "ENC[AES256_GCM,data:Our2DGXd,iv:Q/FT9A3Sh6OLn6F8yN4L+aWmwRqISb84dSBSptHpUpg=,tag:ZOgCgqq+tuTY+4c+w9mc3g==,type:str]"
+																			"value": "ENC[AES256_GCM,data:QGq5xdLn,iv:bj3U7xUlLktHgU0M2EMhrBsYMwx5yA3L7p8cKkQW7Qg=,tag:cYieDugsidTywDZoc/rcMw==,type:str]"
 																		}
 																	]
 																}
 															],
 															"server": [
-																"ENC[AES256_GCM,data:QO6iokwn,iv:SiNKRGkscC5YMGOL4iajlwdC1uzOa2l+a2lm3NI0/P8=,tag:VUWrWFtUGR6aJDjUwkV9ZQ==,type:str]",
+																"ENC[AES256_GCM,data:+HpZB3oP,iv:6I/98Qej1nw97rqYummGcTg8Nwjb0a12AcVrcAvRZsk=,tag:09YgSl97e6Ce7TFJh5ouxQ==,type:str]",
 																{
-																	"apiUrl": "ENC[AES256_GCM,data:K0CqXRgv,iv:WVsdEa4nQ+aDSgB2KKHHVP7bNf4wVAWyk3eKvNyicVg=,tag:yPJ/GSjlZHSuBtHvwjbSjw==,type:str]",
-																	"clientTimeOutSeconds": "ENC[AES256_GCM,data:0QEVoaZ4,iv:bM/UeepNpCkVO/LMbO89oajJdIS5rxqqcOFvkRX1Ll0=,tag:C0NU0+9VaikQMFoTlAnmAQ==,type:str]",
-																	"retrievalType": "ENC[AES256_GCM,data:C4k32atW,iv:7mBKF9Civ1RNZvLK69QC0ixagN810c5TNNxx/KDwKRo=,tag:CUNf77JTF9V/ojFqHVb1xg==,type:str]",
-																	"separator": "ENC[AES256_GCM,data:58hh62I8,iv:porWCLMhMSZmG4qsS3CWMXmfQKVStxb5Z7Ks6XDP/ak=,tag:SVjgxfL2ZWJ9Sa6+KIusvQ==,type:str]",
-																	"verifyCA": "ENC[AES256_GCM,data:rW7nfQ==,iv:Yht9hnAtbeF0XjSWB1FsEoGrlOZWgzbDB4UKLFdPnK8=,tag:2wKEUMC86PvreMbGGPbN8A==,type:str]"
+																	"apiUrl": "ENC[AES256_GCM,data:Uof8LlcW,iv:iwoUO95vP+57t4WNT+1H2b8VY/VCcLdrpwQDk6jXW5c=,tag:Egh0hA5fBs80ceDSXzB3lg==,type:str]",
+																	"apiVersion": "ENC[AES256_GCM,data:sI/Gxrry,iv:oB/MImiW+sa9maes+gMlCpJpz1oQqmEbXHpajtEECfM=,tag:rmeHp5a7Xi9hebjLUMmB6Q==,type:str]",
+																	"clientTimeOutSeconds": "ENC[AES256_GCM,data:Hvr5hWiu,iv:VcFC/QEncGvg8uFvPN3H2RGEBEYDMPVR5BYzcpo3LlE=,tag:HqmcfJdxJbsg7P4u9sR8hA==,type:str]",
+																	"decrypt": "ENC[AES256_GCM,data:BFE6HA==,iv:Hu3oc+HcfXQdAbhEga4oPPFcRi7+6vCLMYvNoDA9PNw=,tag:GLM9smE8v2VILY0n6/ct6g==,type:str]",
+																	"retrievalType": "ENC[AES256_GCM,data:iiYGwByI,iv:QcwFrJEVtpKDhOZsmxKW1jpJ/Qu+Bq1Br/xA2Ft4wy8=,tag:aFt/TnEcTP3Uf9KxnehPww==,type:str]",
+																	"separator": "ENC[AES256_GCM,data:U7QCuR11,iv:8vrud2YSfRsT3voqmDLEJ47RPHT6T4PVroYj6gWAg/c=,tag:zA+eUwM1fnAp+hyIm8mGLg==,type:str]",
+																	"verifyCA": "ENC[AES256_GCM,data:6Wh19g==,iv:l+5/rMRA7oMMIsj/4+qKY0DiHpoMTLQBuyRL+rkSFuI=,tag:sMShdhMuNdCNBPiYIkNpoA==,type:str]"
 																}
 															]
 														}
 													],
 													"bitwardensecretsmanager": [
-														"ENC[AES256_GCM,data:ZLl3f9fB,iv:XRT68gyzPSr9rHDjIaGvPl3QWbumkJNSaVtYvZYgwM4=,tag:n6ZDaWKtcwN+2UCoaMZzGQ==,type:str]",
+														"ENC[AES256_GCM,data:7ypb7gay,iv:7apZgWHIRxu74YiOYkSzgLfgKVgUTzQemKjhLT6J0HI=,tag:cGeX0y+tIXtfj+j7jSvJKA==,type:str]",
 														{
-															"apiURL": "ENC[AES256_GCM,data:Dpx/L2Gz,iv:rJJsVFCv17chNmbbhvdTeVOxZlDcoYjhMsNzf+Dsi3s=,tag:eZIR4eT53GdjCtUYTN9HoQ==,type:str]",
+															"apiURL": "ENC[AES256_GCM,data:yCgT0h1P,iv:TKDhKNnOSenimKvDB4nq/ZIa1Mugcp361PY/GEmDlHs=,tag:H0sGBlR0mlvJTJi9bO+FwQ==,type:str]",
 															"auth": [
-																"ENC[AES256_GCM,data:Ig6C2eVI,iv:FbV/Dd8vx4AZbQpp8GJlPGd1PXrjDYcMNbk3/g2A8j8=,tag:QhyRNqEBQz3xJEyXQ48cHQ==,type:str]",
+																"ENC[AES256_GCM,data:uTmzOV0o,iv:UQH4W9NcjUBpv0KUQ5Vi24jIxMNglCBX/LgBYmnVz60=,tag:XmK4X1QQG7EGJiyZJex2Yw==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:e4wr5C4I,iv:EhLxrbB7f1A1NAtIO81Xh96FpRpG2sAdhY6GmRw622s=,tag:6yVzxRThfEh8SOjMlDOdIQ==,type:str]",
+																		"ENC[AES256_GCM,data:RINFRCmI,iv:Tr/OghjZxArOkYAm4tPwa37yYPrJvQkcRV4rXaTvHt8=,tag:2FLA3P+4/32YEOGFyCR8fw==,type:str]",
 																		{
 																			"credentials": [
-																				"ENC[AES256_GCM,data:WgbM+SPQ,iv:2ZpYU3FB9K9X8sb6WfSLPgZEXoyW4i9pcIUqD1lQzhQ=,tag:csAJa7QD33N3ajLPn0MGdg==,type:str]",
+																				"ENC[AES256_GCM,data:Pp+M/MT9,iv:10SzPaYt60+HnTdqLIrxsP+fBfARJ/hw0QmwVxZqgrU=,tag:NLUibwYQdgSurrT73dhI0A==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:cuL0RFxv,iv:WN7jrCP6aDRmaNwhqnin4dSO06RK2s290rNgY3lEPuA=,tag:/nRnhWVrAoLrFWOFXCyFMQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:uQ54Y06U,iv:JlroGCNX/DK/4pn9MZWemtB+Mdji1hFoxdLeg3BnJqs=,tag:tkWG2cOAkr2WCuAxI/CoGw==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:QwufNGrp,iv:i9dp150vjhqN6UwWnMyVZDPOuY2Yklu6VZ4Xgz6tyPk=,tag:pQWNypnV/RR+xu1+lQftBA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:lujujxnm,iv:cPKWGA41DyusLtdYYPCA5CgB78BKMrxbWRBynnsf/4A=,tag:6o/hn6Ty7pMXa//a/Ltf8Q==,type:str]",
+																					"name": "ENC[AES256_GCM,data:kjJKtOGx,iv:3sYIGwuWVK4ra1LQeyd4rX7X//UlS+9wkPrz5u1N42E=,tag:wTHVAejTmJS0NdxYf1hAQw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:JoZxWXv+,iv:/RJEgU5Sf/39EatWJFg57/x32VYFOwzoklU670KsMn8=,tag:ijAGDLT7XupeLXh2m5adWA==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"bitwardenServerSDKURL": "ENC[AES256_GCM,data:xO1YtdX0,iv:CAVOR41bOGo5SSwoTIDyuXJsQD1OlkChor3z5AZ4g+A=,tag:Pva8leuLHVpv4mUlh6R/Gw==,type:str]",
-															"caBundle": "ENC[AES256_GCM,data:rccScMiz,iv:3gCse9+JXuHL9doJAJ5DYipLu1RvEg5MqFHxiQctzUg=,tag:gEE53tib2QBwhmtNjrM44Q==,type:str]",
+															"bitwardenServerSDKURL": "ENC[AES256_GCM,data:wVbQEbfG,iv:/UCcZg/ArTaY9llsx4s0eCLw9g86bjzu0avfUdRb0Hs=,tag:2xh9Vu3xF8R4mC2xLX6lfw==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:IYVg+nAl,iv:YHkin+AOHFitdqg2cVInEGAW2UJHTBh6Q2XwI5kpEcw=,tag:4rJhWiuGmFKu83hEmk+28Q==,type:str]",
 															"caProvider": [
-																"ENC[AES256_GCM,data:KPTi78a8,iv:oCsJN5xiZEKJ03oBnERAV4iZZPBCKIKUk2xlB4gs7iw=,tag:bXyEHRSDPOw2VKch5fKc8w==,type:str]",
+																"ENC[AES256_GCM,data:/KHkf0SB,iv:KMnyYKZX6wGkFxpN2JOqEiF7Y6cBT3qViNgfTcStoas=,tag:YTrxd707pMqPZyqyni1NZQ==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:Z22Ji2u8,iv:ZwB4+ysdedFPWxp31EDFInFvpZb7se6p6w/VnLViOQ8=,tag:slKJhDyXnuGzasniPHW57w==,type:str]",
-																	"name": "ENC[AES256_GCM,data:kuHl/cyX,iv:ww4Np+Ll+HQv3i4vvDImgHIsZMxyg4Jj4n3RHMlmOXg=,tag:K794xGII6XCSjqKok8n7Ag==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:Zs3LjwaK,iv:2JT/6vYCUb6mlFN0iF9UWLSxWIhuRfzJlBGFZ+r6nZ4=,tag:1bNEjVdpZyXg0NlLkyi8eA==,type:str]",
-																	"type": "ENC[AES256_GCM,data:NqP2Srhd,iv:m+eSA+udt7P8RIfxV9v1T4YRQaPMfqEc8Iijluwg22M=,tag:gzQtEMNqFN5+hckluVwKew==,type:str]"
+																	"key": "ENC[AES256_GCM,data:xR7TVfQ/,iv:HqnscwWb8LiXi+JiyY7LCxOEp5HrdegNuAGOWozDUps=,tag:YRBrJIIUiSVp6MpUVOoUkA==,type:str]",
+																	"name": "ENC[AES256_GCM,data:f7u4L8dz,iv:CuTUGBRpi+BO2L4zC01WUwuuhSjadTNajq81yVbYbN0=,tag:vAwX9VjCiuxQGiQQL/qLqA==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:YRVmOM3S,iv:lw7v1c2888dgijqXIXrgVGymWx2FimFlbH+7ad5KbYA=,tag:sOg08e7JhMg+XrCGFY3wyQ==,type:str]",
+																	"type": "ENC[AES256_GCM,data:8KYLZtLb,iv:3dU/YItDTX9IuuXDLz57+cgWtVOru0fY7yfeM0hxNXQ=,tag:V23T/GC48dX5tWmZdM05XA==,type:str]"
 																}
 															],
-															"identityURL": "ENC[AES256_GCM,data:P4vFtvB/,iv:U9dIEULVxl4gEwFsuF/G0dMs0c8RxNf6qosUgRE1+AI=,tag:5uGoRhw9CQVEYvOAw5BU6g==,type:str]",
-															"organizationID": "ENC[AES256_GCM,data:4IhP64nA,iv:5cMtrI7RrVMKx6DRMmYhOKcL6ZbPzR7m0B0r28CMsBE=,tag:0EjnXlNWIiCFRo49HBarTQ==,type:str]",
-															"projectID": "ENC[AES256_GCM,data:tkfsR64C,iv:IyD3ffIfjwBh2Ke2wbM0000LU8HPQC1UDazXI5dmVHk=,tag:QjZ+qB7nofmfNplKhxDLAw==,type:str]"
+															"identityURL": "ENC[AES256_GCM,data:zl2NpFB5,iv:a9zy0wbRBk1I1Lq22MgSAgHXJ3EE0lJwNvxwTECUywI=,tag:zvtnxS93ViLcIVirVwU6gg==,type:str]",
+															"organizationID": "ENC[AES256_GCM,data:rp1Se5ql,iv:vHRgfJuepC2ddpRiYMvpDu3manvjO4iD3MwLOfd/Ejw=,tag:rmrwK8lzjm4FuCr46m7J/Q==,type:str]",
+															"projectID": "ENC[AES256_GCM,data:HeSQMDg2,iv:Uh4s5b71MBr/6NtHTL15EtDOOXAFtIBAxsVz7WRPBOg=,tag:HLk5fC98no1uu6clisSULw==,type:str]"
 														}
 													],
 													"chef": [
-														"ENC[AES256_GCM,data:PA/SEyGg,iv:C0oBV+8m9wjRNPZs0lliJTK0nEhmGz8cyUE9kmWGyq8=,tag:1lZbjVt0gP9y8dl2O/wuOg==,type:str]",
+														"ENC[AES256_GCM,data:8x10hoWe,iv:uyvhOy/4YsX1BljH5xGeUKc7ceUwcBqijinkJBxYBsQ=,tag:KC/JIe/CYFiVFXN9qj9H7g==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:dERnySLf,iv:8em02SpNPBfNt4cAHXDGy0aEZow85bD9K6BDAbsfA0k=,tag:6Sp+RbGRJDh0Tg4CcCfPHA==,type:str]",
+																"ENC[AES256_GCM,data:4QUvlqgr,iv:a2Lj3jTvLhkRREEylUPyIiiH5MBYBpCOzmqxlki9HF4=,tag:CYzCqEZEr4OdCI7RoGDBeg==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:kXOomqrM,iv:oYcmIHxFJHOrGBlKgH55wHuDxzWLHXIWqxH04R7N9tI=,tag:SbCu/Ns+pAmS4e1Oggna2Q==,type:str]",
+																		"ENC[AES256_GCM,data:pt+iGmx2,iv:jUVTYI+X3iLw7HtnwVUwX4bZdkLsfHx8B3B/WcYlqu0=,tag:5+jdNpqU2DBSyK76RhkwRQ==,type:str]",
 																		{
 																			"privateKeySecretRef": [
-																				"ENC[AES256_GCM,data:ZvkA4pVv,iv:xKQn+PrRQ9RrX+YyRnZfFHEoEZ9DUEO7/iHKQtEBKcc=,tag:NKZVIW7Cwny66O4DC42BWQ==,type:str]",
+																				"ENC[AES256_GCM,data:XAxI5CeF,iv:Ij5VWFZ78ky80mMHWnboUz6mRvTYx/vild5bgjgGTcc=,tag:gXa2Wd40+X940Rd3F8YFbw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:s2onda2+,iv:Tqpu071BYaGFWBeNDJYlwSxqheW26YpsOUaLHvmlVyE=,tag:ETvKI/ilIGTEAEW/w8Ze5g==,type:str]",
-																					"name": "ENC[AES256_GCM,data:JKB04lfD,iv:Szj+tOYs0azB+YxCSgIezkBFN/5NtW4OHk+mzHrjVwQ=,tag:EC18PkJTyyfxj/7H5VgxSw==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:txoHuaIx,iv:BQaKWU4+IGpnB6syJuZZTRlgMSFbGDki92oeeXL8kaQ=,tag:6yOCBt5bzFSi5IulDNRqkw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:BENukEDp,iv:1r+GCBu4T2xM4EEoB925VE9Pz+/cqGbbvKmpgzJTW9g=,tag:uzfEbw9sCg4sYEcr/aScYg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:uSvnLQwl,iv:XRTTspms1dB2sKTIv0TCiRSMZQWqIDnad2U3zU1QFX4=,tag:A6F+MnL7KBl4alm7T+HijQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:dQw7ATcu,iv:7q0TRJuaP79b4OLfPoeUTrkk2EdwYWDaH1zBHj7QmxA=,tag:5ISEKmdRVMJKcN+xouT8UQ==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"serverUrl": "ENC[AES256_GCM,data:bYT5P6lp,iv:NQGl5W3Hp/klUp6DFwd4ASqEvF+OrZaNj4dZArNtE8c=,tag:5qYB1F5bR5KyL5GuVBWeBw==,type:str]",
-															"username": "ENC[AES256_GCM,data:+1omC2pm,iv:1MT8/1a+JAH48bdQS/nFELFVOxWy11gcWT41USSM2Dk=,tag:6+2BzhgktjhOBUiMzJgHXw==,type:str]"
+															"serverUrl": "ENC[AES256_GCM,data:dHBYHtcD,iv:U6Lke5QAaOt+vIWnW8rFUKCvKTOPNK2tS/124Q4hUcI=,tag:NlkubvcLfZ1Lr7mL7m+Ypg==,type:str]",
+															"username": "ENC[AES256_GCM,data:/kU8bP2q,iv:Mj/156z1FkETgLqsljtXIaUnav71PV0VwwwS7bYu6tA=,tag:HnVdEJiMhCqF7F1Uy+44gA==,type:str]"
+														}
+													],
+													"cloudrusm": [
+														"ENC[AES256_GCM,data:VtKPHHT5,iv:CLWUuwaTaQCjPg8JOj/XJaoPIM6AtewwUl2zK27d0Fk=,tag:rYccDkExVQ8WpLAb8LuJaw==,type:str]",
+														{
+															"auth": [
+																"ENC[AES256_GCM,data:Px8hWlof,iv:l/JU5k5MXGjZvOZc4muPa9JuklHUG23zqpBsWYfzXyc=,tag:lZVaOqp2M9SbcRC36tnIYA==,type:str]",
+																{
+																	"secretRef": [
+																		"ENC[AES256_GCM,data:r3pHS66N,iv:QUJsJadZQO+249SzfBIGDK0bHxbJ0RESx6tRXzjJ8jI=,tag:3IA5YhAkrIXw7F/i3EagQQ==,type:str]",
+																		{
+																			"accessKeyIDSecretRef": [
+																				"ENC[AES256_GCM,data:zPJE/Gbe,iv:OD51wEkonUpqiCKmKpfmvCALbfblHRfuhJEX1ffPvZo=,tag:4pgEAYYM0wYSJmi9PJxyAQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:Q4QoDqPz,iv:6UVk6VyV7nSWSAQYTzMbiICy48HIKiWLFGPMvg29wbg=,tag:MH9qphhjOY1EDtKkHA8xPg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:eRltxkge,iv:xOMcxKyQ+Gf73YEzIxz6+XOpxsbCgkIScTLCyhkfstk=,tag:WsnGKE42JnHuvdjWxl76zA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:WXh0xxkH,iv:BpiJ4GML+gAb/VyE1CjZ7uJjENzf89JkxdT0qAn1F2g=,tag:jLDtkkevNPQtRse4TpVRlg==,type:str]"
+																				}
+																			],
+																			"accessKeySecretSecretRef": [
+																				"ENC[AES256_GCM,data:0U1k1WMr,iv:fGRmgsgRvsi93I10kzeEXucMcvYI3ihJnrSZmQg7zWk=,tag:efODw8tD33MauzjAYBK/mQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:/G7QiPpV,iv:PQSidaf2QU46l99TfLoUncchBnMAtPNPkolDdDIxF8c=,tag:X3stbj0rNvXSTWapHp5IQA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:hkbFnlCQ,iv:Q3hly7oyBqPV5PxNS1R1J81CQRdQK4OcNODMGgGLZkc=,tag:bqJAqfYjrME7NG+ZTjdHDQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:Ecvvm91G,iv:x1qRuunuRV4i7+JwYt0zSPvqCDbnPG0pfDob7ICZWi0=,tag:HEcSnG8QOQn2APiUWIhm1A==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"projectID": "ENC[AES256_GCM,data:w9LJDlo+,iv:EhaEaq2nHFLL2SL42P7qVQt3jIzVieQP/jiMWVSvGCA=,tag:QJeF7OHz5huqCWzUNMIUMA==,type:str]"
 														}
 													],
 													"conjur": [
-														"ENC[AES256_GCM,data:jwxiY85e,iv:hbkcoa8HLYiQM95yUOxkS2BL+cSFFot3gG5e/2i/vwk=,tag:z3ty2gkEnQDcecj7jrRUGQ==,type:str]",
+														"ENC[AES256_GCM,data:YftlskMu,iv:YeA2x+EqUhqCjK+U+axaNT5c2PonE2WA+zdPAp2VHTE=,tag:bfhwaeB1tP32WY9q2jTfgg==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:v0CQYtR2,iv:cmc+eiNM8gBYfCsGT6tVoNsjoy0rVt0Cr+XrJEXZi38=,tag:MBBQ7C9AWIDX+u7ALcqPCg==,type:str]",
+																"ENC[AES256_GCM,data:MV7GID85,iv:t+VqWSgKSl3lALPl1s/9rwCd64piJpg4r96J/mkH/ZI=,tag:YjrAtv+b2R7K6Od4mugj3Q==,type:str]",
 																{
 																	"apikey": [
-																		"ENC[AES256_GCM,data:o4A0FLMH,iv:cpaoDaCeO2wmjgDVxWYoLkd5nJJ8KTSV+Zx3Tu2F6vM=,tag:e0VKZLDi1xzDF2zbj/ijuQ==,type:str]",
+																		"ENC[AES256_GCM,data:ANoXHmPQ,iv:tEvWcRMmk8yGvm2QfRElSenJTBpDOG86i2eDtlI3fdM=,tag:hkyzOysli8XQGzILYgXYHg==,type:str]",
 																		{
-																			"account": "ENC[AES256_GCM,data:QUrwv2/+,iv:eeKWWPc9xdrz8J10nMLiyOUIhvvUxE4PCN0NdBiIvjE=,tag:TAChwptyS/zJzb9WRZgrIw==,type:str]",
+																			"account": "ENC[AES256_GCM,data:jjpRinZq,iv:Of2Svx6ihUtO696hlWqgmFKBbGfdze8wnBlFxCcw0eA=,tag:vAAw3+GITmrXpVWfIvvayw==,type:str]",
 																			"apiKeyRef": [
-																				"ENC[AES256_GCM,data:nq7zgKe1,iv:H5Pg4k+K8iLQwEzAZRCyU6O2QwbSaJbVOOELYONOHEU=,tag:xR7lPpbAWZ8JbChFy/OS9Q==,type:str]",
+																				"ENC[AES256_GCM,data:0rhWkagc,iv:o7CFBl49lzBEMrHxBEI14pKZvcfuKX/aALG4nwiYIs4=,tag:B6Fo1CGsXzpMe1RLF861WA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:DTUnS5vD,iv:FP3YMAvI3rxk7yIunyrEWokIg/8Zz8DikYkyRCJeK04=,tag:5in55n1F4UrPefk/dEgNKQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:NoDvMrjJ,iv:FI4RdvvA7RNhKVwRzr1OxBtj18GbiRrIwYyt4jQUkn8=,tag:qHqa6SSlchGJgZgJ1v2YKQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:rxcy8DV8,iv:bsVgpIHv/IJPrVFDkdThRVQbvV+n6M1KsHVhDBJ2kps=,tag:odfHmCBZ5oCKFCdPVQXvTg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:8HR0fEGs,iv:Y77FPzv8nz2xeQFcFOKEzgdWdhAs4SFH9qUQ2H4hw2Y=,tag:8kfPJieE5g3bQYJUh37zrQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:kKQWYIiF,iv:viyT5y4vIhKYB96C40w5XXQw1WK63dFbiofYbKIwKzw=,tag:uu7oHYwzzSdP4wp9arA3LA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:HHffiaPk,iv:RWVvQtm7OlpMRNoRd35BIAfhQhQ9YQKkyf1P+TQ5r/k=,tag:VRoCChzON0tmjpSXVzDStQ==,type:str]"
 																				}
 																			],
 																			"userRef": [
-																				"ENC[AES256_GCM,data:QrPZPmAW,iv:o59uUTfyh+26DfWhUhZiB2I1w50Z/JW26NT3EnUWfxg=,tag:yB5B4FWbHctocJ196hSTxw==,type:str]",
+																				"ENC[AES256_GCM,data:2ODjYzSG,iv:DuQKobP45EAxTjK61mSHIgm125hW7E8m+8nxoph/2Ew=,tag:4OKgXB/Yszk4TYUX7m/tmA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:03gzJu52,iv:TTOmcM0isq44nIgEtG8qUQaecHrSMtF0x50p3KyTVdI=,tag:j8T69KAcKPs/MWXgkehW/A==,type:str]",
-																					"name": "ENC[AES256_GCM,data:q81bHULd,iv:SaY4Zk19cz5KLI9SfqSx49QAoObKOXH7at55K97Grbc=,tag:V0fYh3PzBHMce5nagp3h7A==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:8ecpmATO,iv:gKyWujqb87VmBfkPGscS36nee4Ou7JOfdbBORQe89tk=,tag:qLEuqlfzgoW5HDc4/qXgyg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:iQuDRfnN,iv:QPjGu7keap5XfNjUnkdaROytaX4Ho9JTWzHzizeXYKI=,tag:DyEONZhYFkIRRz50fqSlDA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:p5uYLGjw,iv:9UPUYq8lGKje2qh4KCh/a6zUmywym02M2exsR2w7ft4=,tag:dT/AEIMkTCmBecv3pOmSDQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:pTI+AW0M,iv:vnUU7a/kAPC3c9xEB5de2g6xT1ndYtAj4nqPcVgJjLs=,tag:YD5R/NN3uXLWk2suzTqudA==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"jwt": [
-																		"ENC[AES256_GCM,data:d7uVyMuu,iv:nH8mgHmJ6SHXyVuVhSo3pmZS9+VItzlyUUuc20ce5gA=,tag:xyNP7/EJ1J8GAAqWCiR+6Q==,type:str]",
+																		"ENC[AES256_GCM,data:p3TcT2Dv,iv:CdhwtgxZbyQpyIXPac7sO/0KM1kkbXYsRfZEgxySFFI=,tag:LtIHK52EqBVriN77EZsR8w==,type:str]",
 																		{
-																			"account": "ENC[AES256_GCM,data:se7d9sfO,iv:5NO3CVRc49md04HGWmCwjUNqswxwcOzMubYCtQhlfwU=,tag:LHZG33wi2jSJOuCbHC9ozA==,type:str]",
-																			"hostId": "ENC[AES256_GCM,data:sbNs9k27,iv:SoUsm+pqGmMNTKHh8uevz69ZCFRA5QmnKtDspYgVgNU=,tag:1g/DQGU8GTMBoz9Yiu2FUw==,type:str]",
+																			"account": "ENC[AES256_GCM,data:sgqH06Dn,iv:ip6RVEvso96ebX8MnJmCq6wADONst35tL/rggK8axz4=,tag:adNYxsSa5C6glooCBJi+lQ==,type:str]",
+																			"hostId": "ENC[AES256_GCM,data:Hwj8zK/b,iv:zuhMQ+63sZATHYXeO22LR/T6bewIks7Yu/EYLg9zBGw=,tag:+MTRhBtglVI/3X7mCnS2GA==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:IfmdZiAH,iv:95LKHPATwLGUYSfuYjl8lcKBfeGhKJyg1yLQr5/HMKI=,tag:BjxLUOsdFpSA4sqiHfgNdQ==,type:str]",
+																				"ENC[AES256_GCM,data:cMLPXDF0,iv:1SnfrhtG56VPqlINTaNtE77Xux4jX7aw3U4+G1P7hPk=,tag:cX0Y46cFvK/sQTOK/66Y5g==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:isf0VrPN,iv:F9DcnXLySedz185NoW1iucb0lw1NMax/ScO7tLW4Guo=,tag:cV2cFEd2M8ycfi3/5e1gkQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:TzN2igAO,iv:aFHKm9Psjo9oRnxoGrpqbAiyS0GvkTS4EWzODMmvl8w=,tag:2n0kqcJ7JY7EUeJAOOqaig==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:rnKaeq/j,iv:LYErsKFMUMKpYdinjKQX71ylnuUqx6dZYMvd8cu3ZjM=,tag:1qregscZ6cIeXBzcm3bVUw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:oROCSzFW,iv:d2jlN0FZP7C6PkdrRzz0q8XIJalcMX5WiBxRQA1JFI0=,tag:+ni1IH1f5P7gY0VMA0vMUw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:B512Rm13,iv:JNu8TT0LL7sLdcOuaeo7odhzvgapg0WR9CyP7LIPbNQ=,tag:jLNOKmUVk/G9ePssVwcPag==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:qUUxXXdg,iv:A0Qr350w9FIUrDCzRxlZu2BF0v/4gf25BSx5318X1Jg=,tag:PeQTnQJsCq4k1pY1MsHgvg==,type:str]"
 																				}
 																			],
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:IGhhqOu3,iv:nKDhkk0Z10tiq1FIm9v6QuqYo43AJbOmFyZhKVY7pAU=,tag:0sOC0Aja1UzMKARRiMY3Lg==,type:str]",
+																				"ENC[AES256_GCM,data:M/ASD6kg,iv:FxFGD/+6cKDKik5RHjAlgpv6dgiPkecjy2RzBNXb4P4=,tag:xvGoRQbq02nL2xD80zMJ0w==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:HA5ITQ==,iv:vKVrapPjCXrf7YptRHRBqxsgZf6cyZUpif261MejJf4=,tag:FKol/7ZCQRyII5fyXW5p+w==,type:str]",
-																						"ENC[AES256_GCM,data:bCiKS3Mg,iv:VnYfD/27+bRJfXZHjskuWM6YGDZH5LbPMC2rszx3UTM=,tag:ZLssGnY1eGaIqOlqqZgs2Q==,type:str]"
+																						"ENC[AES256_GCM,data:g6E10g==,iv:IwxmWHBfMS4wKAEYnEQJM4zFgJl9VUXz4F2HAUl3iSw=,tag:GCHd64kUlJyfc8QoJ6w+GQ==,type:str]",
+																						"ENC[AES256_GCM,data:LZOU1zGf,iv:oRzpnBvze6CR2JnPeHRTECqhR+0FQCEoT8DOZvnvW48=,tag:96TpyWA8WaUG2OFk5W/MHA==,type:str]"
 																					],
-																					"name": "ENC[AES256_GCM,data:BuA+MrgX,iv:WHooC8cVNhg5Mwd6OyO45tCpr14a5QUeYVZbEveVLbY=,tag:WpeWNhhb4weAON49kQLHkQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:mtzYXQqV,iv:lmTQ0ZzC1/xOMC8XFQxc98IPy/B3OIDHApRMjd9QyKU=,tag:Q1PN0/x6LXSNeKKRYCUMcw==,type:str]"
+																					"name": "ENC[AES256_GCM,data:Q+KWFAuZ,iv:92bbTBTxbQTnHu05tHhsbIHTKKswjGwiEqEtbbydOZo=,tag:pXSxhShW9PuWb05fx9U8/g==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:erlEMqiB,iv:4rlAleyNxO/kZW/DG8XaSwgfgg5VrKeE0JXte1EOjs4=,tag:MFMBk8OybFidaOsnqaME4w==,type:str]"
 																				}
 																			],
-																			"serviceID": "ENC[AES256_GCM,data:EF7OVWEr,iv:qRJ7JrL7Txj3ZGGXIp1sYEWbwI9lv/pvTZq+Fucmzaw=,tag:TRwrl4CE2ef1H0VYupIsWQ==,type:str]"
+																			"serviceID": "ENC[AES256_GCM,data:xNEMlDcm,iv:0FXlSS/WeZopnH2ppfy/x7H4ikyEpnlR5x4tlLoCl/g=,tag:VcnsFcw3LxMFNuqNDO1IBg==,type:str]"
 																		}
 																	]
 																}
 															],
-															"caBundle": "ENC[AES256_GCM,data:DaxGE2Lu,iv:klJt6Q5jMImFlw548O/soee68HGgDEiKTnVRdYzvV+8=,tag:cR+ZKbRfd4zKuJFb9Zl7dg==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:F06yPwUn,iv:35LfY6Ws2IN4rGITad67eudHkEYFmeS4FzW7tPMMAeI=,tag:mrH28qar+WEb2v2gg+7xTA==,type:str]",
 															"caProvider": [
-																"ENC[AES256_GCM,data:o166Ob1H,iv:KyFjOOr4rRfgTVjMtWSSU1tfTBi0qPs6L3ZWrdBUtAs=,tag:cGge4DjAUNnrUXy4R/lzCA==,type:str]",
+																"ENC[AES256_GCM,data:nnJKt4AX,iv:kdqpBsa7HzMTuHK8ur2Zih1As+lq+qQBSDjYFIW81qA=,tag:hGwFigyGOx5jT0bz52c74Q==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:H61zZlfA,iv:kNqhglBb7TaAN8SywsFdaZxGLSMdsSAaxxkGlWbkFYA=,tag:wK/hYhRUDXjJC1ymSYFFFw==,type:str]",
-																	"name": "ENC[AES256_GCM,data:GFQVJDXt,iv:kw86SxeVkoAppwuREIiTagPQqnUK2N6f50s+JkXLwK4=,tag:NqO2YBfQrkqtvDfIc0BpUw==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:w7YZh7QL,iv:wmJmb0HRfY3rwJjniQHdNbngFcM/SIng+AVUpMHOGX0=,tag:siamL5+FpIu9xuyseVrrzQ==,type:str]",
-																	"type": "ENC[AES256_GCM,data:kTftNf3P,iv:zBXaSUrq65FxnwOxZ3wU08f0kDiMEmuFXDHZbJ80LNM=,tag:VX1YUzyia+2FLcfAqBwaSA==,type:str]"
+																	"key": "ENC[AES256_GCM,data:y1v+4+/y,iv:z7lbMCYSvMX1Qn+3g3SHjhCGxzkP4WFB5ZlRChNgk3I=,tag:dLiyZRsqxxWe6/nsEa12dQ==,type:str]",
+																	"name": "ENC[AES256_GCM,data:RchYlh50,iv:xNoqTUsGIC8H9PE2PwulyeDg7uH5Py3WFSHSdhs67Is=,tag:OPjs3TbpFHAbITNvkXSzVA==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:3l3tA8Z/,iv:6mQuRX8UKGhC8fkI83ecIAkYiBjRHgA7SyVG9sCAL7Y=,tag:DBLB+34j5o5P0KIbAwIHyw==,type:str]",
+																	"type": "ENC[AES256_GCM,data:6emxiDMp,iv:D3H86K8Sk/c3zP0ouxFpPuviGvBZxtlRTTaww5D0Yqo=,tag:0bfyi27LxeffL8AKvqYXig==,type:str]"
 																}
 															],
-															"url": "ENC[AES256_GCM,data:HgYiadhz,iv:exLAt0Uxk41E9s9KuJgQzPouAXDDURSUf9PBOPSUULw=,tag:kO0gusZ6J+USmYUU65eJpA==,type:str]"
+															"url": "ENC[AES256_GCM,data:/DFhrYEm,iv:3LPYlXMHij4g9h0xReMnK/uTnXWU1b2/U1KLHCxIt7g=,tag:eaxc/ckA5F0he3hqYmZ48g==,type:str]"
 														}
 													],
 													"delinea": [
-														"ENC[AES256_GCM,data:Crvcr0zA,iv:BhdmFiYXnOvAw4G0S78wGBAKd2t2yvJ9Xe45ArRCKf8=,tag:A2T3wWvLjelHasuRG8ivIw==,type:str]",
+														"ENC[AES256_GCM,data:MhYiWxGI,iv:rtK0Q+kaot2wETX5liFDlXLlai81wDdeOQCts3CuEj8=,tag:+WU7BXFF9wZRWeDD08ALUA==,type:str]",
 														{
 															"clientId": [
-																"ENC[AES256_GCM,data:JcNHfTuU,iv:VhQhec+u/LzS5xzcgCy3unxRTa/v/zOIvgTKdcGu4rs=,tag:TEM6GmETEhmRP1ygR+q1zw==,type:str]",
+																"ENC[AES256_GCM,data:y4IEtG0p,iv:nYHSeFpbT9xATzmqJoDG/kznOLf48rEvdUjsKkG5OFY=,tag:WseJ75r26hLV/ah8f8oPyQ==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:gezk9P9R,iv:NWyR6MK8H0L0s1DOFnM32bXsxa76nbHkfiGGMtYStVA=,tag:XNANfAzzn1P64yfGgoaa5Q==,type:str]",
+																		"ENC[AES256_GCM,data:KtXdBSKR,iv:IZgnLkETfORmTpQnxpgNn/osjxzm5TV3gq9dOLopaCE=,tag:1/M1bDe7UjdrZUsTdpOMWA==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:h+saPesC,iv:fUnVo/V0wUl+5f33eoYJB1bb8cvToQi4RS1edSXq9iQ=,tag:O9n3q5nqEjFx30gdVxZevQ==,type:str]",
-																			"name": "ENC[AES256_GCM,data:a9jreyur,iv:ImWuTMwzXJIMxeqrVlOyy8bV0M+tslAJIZ6uuURdYT0=,tag:xez0AtmwQpcVdTE9SSIjWw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:qE4qWBe4,iv:pKPJwkZddJnVPpvspGBb9BdQxJTjzStakIjmdUBiQQ8=,tag:uYyeeW623qBg68hV0Gloew==,type:str]"
+																			"key": "ENC[AES256_GCM,data:7UhVoPit,iv:F3jw2YmZLFWhFYurGhk6hT9FnFt+PGHeWAnmAD6dJFU=,tag:HO1oYlK8Te5Sw/KO5MOzFg==,type:str]",
+																			"name": "ENC[AES256_GCM,data:Eu9bqekJ,iv:s8DXloTqXflHO2uc1wGG6aY8OoZ8H1xbq8P0WVc0B7k=,tag:zxSyldFCHb2N4ZU2UweGpw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:DgUG2vWX,iv:hbjkJkh5KI2TefX5lj1sKLnASVZ3x18YU3NkSaBp0Ws=,tag:Fitx9S7eau5rEa4kxQEOwg==,type:str]"
 																		}
 																	],
-																	"value": "ENC[AES256_GCM,data:FiJCB2Cj,iv:TqT83eDzLtzxI2PCRjtyjhxnBpoPBTLIUhBfeEd2hgk=,tag:npiqnJOFuR+Nxlp3NLESHA==,type:str]"
+																	"value": "ENC[AES256_GCM,data:NRECdF8b,iv:refyL65/JTmmA9rC8bb2zfKGfrUI8ZfWzc3RYhHJNcc=,tag:RXGBxQhf0nwU6fdE2IilKw==,type:str]"
 																}
 															],
 															"clientSecret": [
-																"ENC[AES256_GCM,data:5qYRI7n8,iv:S4OiOnBgvo3Zy7UP6BC1pC9B4oNyPQWYjZhojVKoQlk=,tag:v2AHlXWEe/IPSkcaPs/A9w==,type:str]",
+																"ENC[AES256_GCM,data:mT1kQG9Y,iv:zBlrnIXUKgbnxuHwGI3rkYhAhcmuCDS+fBWuaeG5WKQ=,tag:J7XLNfb4bQzz46Q++EJkOw==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:pV56kpN5,iv:5VDv7raoY+9bl/X+2g9sD2Z38nxvwUK3L3JvyjWlToY=,tag:i2/BZbwtts3/0xcoYs5BtQ==,type:str]",
+																		"ENC[AES256_GCM,data:Q3thpAYB,iv:VTHRgGqv8dsva1ceaqsPQTEAdmiw3g044HH/v10I4T0=,tag:0YsK6Xirs3+gWwynI3WEYQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:bTKbHAUy,iv:XGDbXM0uMYxcGDrcxMyGJSdTkRV0tDk3gYdaVwWC6SE=,tag:pDugmr6P7psL0H0q0l+nyg==,type:str]",
-																			"name": "ENC[AES256_GCM,data:t7fCNRzS,iv:A6iSkpuQJ7DhOggcr0XnlSrl7xcecUI3k+KBLUrWZ8w=,tag:odjhINWceUrH+eWsZbKUMw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:I4Zhwli8,iv:y9F6WZJF7kGgs7K6XjUfzErm2MSgWdbrxGcnCWr7sRQ=,tag:OPYVDK34X+X1X8nH1Bz6Sg==,type:str]"
+																			"key": "ENC[AES256_GCM,data:S1lu/NJD,iv:DXOhgogVEidG6ppC1H5Vf1PdWdbmlbQtvpcdQmR8I0c=,tag:njQt2fSKhOPMnB1wTWYcqQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:OcYxMMl7,iv:BETbtxn58e1i8uc7fm8akBbPeE1wKQ0YpBp4NI0gM3U=,tag:lrkiI1HwxISxeFWptDp85w==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:yISz6Lkc,iv:vQl6FEHGZ95wbwUuTV3KUbUttOurRIoYTjy1zrsCmYE=,tag:dXa2T2K8e1ty97NTaqIHEQ==,type:str]"
 																		}
 																	],
-																	"value": "ENC[AES256_GCM,data:n6yJwLFj,iv:IS5e7iJb13Y305pNaTvJQyAFvHnjBmHgBRJ0QLp8WEM=,tag:5sD0hwfbispz+S0spr/yHA==,type:str]"
+																	"value": "ENC[AES256_GCM,data:Y4HuR4Yz,iv:X0I9nQqU/AxNpugL/j/b1vobTubGz60LoiRzl1OXfpo=,tag:w7l7+ZmHJPUBw9ABrIJogg==,type:str]"
 																}
 															],
-															"tenant": "ENC[AES256_GCM,data:HTojYFAB,iv:/BWzL0RnMv/+zjz15HI22snaeJ/aUf+e4Oiul0fKJyc=,tag:JMDV+B5/RlZOtoucXxFIgw==,type:str]",
-															"tld": "ENC[AES256_GCM,data:a9DztI62,iv:5G1t13dRvLkn+h6DYV8ESgM1hqbRGBK/Q/nFUVtvG+w=,tag:em7d26qOq8HVsN+Hb8+ung==,type:str]",
-															"urlTemplate": "ENC[AES256_GCM,data:9zJk2yBD,iv:6ca8/H0XShDdlyfQMypSycWKmTyq57DTsRYJp5v9EIs=,tag:91gcV/ntbLLkdOhPYJeBcQ==,type:str]"
-														}
-													],
-													"device42": [
-														"ENC[AES256_GCM,data:RZeUd34M,iv:YbxV11wFXTo/HR7wJF10qudofl4r4pKBsOQL+yKpe+Q=,tag:Cr3xaGHkDWdgdQiWmgfelA==,type:str]",
-														{
-															"auth": [
-																"ENC[AES256_GCM,data:wWmPn8PL,iv:mRe0fZpJhjTzKCteYgv/hxD8UqfqO+jg13wWkvIFSsE=,tag:c84v2j1FYsh2sUhIMNCDvg==,type:str]",
-																{
-																	"secretRef": [
-																		"ENC[AES256_GCM,data:K6ThwZWr,iv:QdHfQZHdue2TNFcqUnmXidI4eePxkeDHZzFrA9dWlU4=,tag:raZEpWk2xEGlPfbTPj3dHg==,type:str]",
-																		{
-																			"credentials": [
-																				"ENC[AES256_GCM,data:vbvft4zV,iv:4vYxYSpNvsyDRyPB942g64P1DS2P2Z0yn0iNAFcwRA0=,tag:HRfvhvxgDpZpuofoShPeww==,type:str]",
-																				{
-																					"key": "ENC[AES256_GCM,data:omo6duKF,iv:PHkAfufULa2EEh8qx2n6Aj/hbkWl8WGGzcCButL6M24=,tag:AQm4LfCamQSSppW096iC0Q==,type:str]",
-																					"name": "ENC[AES256_GCM,data:9PXVWSs0,iv:6jmbmCf8ELGcHDnFRvXGK68P2tlI8U6DvvPy2LrDSyo=,tag:E6BosgdjdfGaKBV5fic8uA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:BzSKA9iu,iv:2ZDE06SN/5RXlfihtkN4jAL4fTe9r2/jR/HRD1CGqAk=,tag:g8WEtf5AgMpXkxUivz0xfw==,type:str]"
-																				}
-																			]
-																		}
-																	]
-																}
-															],
-															"host": "ENC[AES256_GCM,data:QXkPPXBi,iv:6WzSAZyVh1NsaXsWEguwPRNm5/I6k1ACkGTm+E1qwp4=,tag:iSKpaA5RGxi2dgSae2+AKg==,type:str]"
+															"tenant": "ENC[AES256_GCM,data:Egj5YzO3,iv:GZTWi0MD97HwOUNoVNv0CcE3fgn7O6WQHK+EbcQmnj4=,tag:6CarC46YlhBZoPFqclXqcg==,type:str]",
+															"tld": "ENC[AES256_GCM,data:UPVsZtxB,iv:q8KQB0Jj2olCkCr70+Os8QZvQBpHQFQ+zZE0FED/zkE=,tag:MBrxl1uLm4Qcju9fjVnGHg==,type:str]",
+															"urlTemplate": "ENC[AES256_GCM,data:m4kMC+d8,iv:uQWXqmOZl6QFdnQkpzt6dDlKGm+6cPdwaoC1l3apRfw=,tag:tHM5EMPYh87tGXzGXL8MRg==,type:str]"
 														}
 													],
 													"doppler": [
-														"ENC[AES256_GCM,data:7OfkHrm9,iv:TkRFvtUv3zqY3/BNSjzqXC79NDPqZkWylQbbc6mykzg=,tag:ChwyBDn5TUlZDtAV9t60ig==,type:str]",
+														"ENC[AES256_GCM,data:FhTlR0e5,iv:nr92Qrd4OoAeQppggJ/dLbAS296qO65TwXyGvt2n2i0=,tag:MkhpuzocOI9AkMQ5JAMWNA==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:qaSzz2vV,iv:z12406FmadWo7RkUKDQYXqn4JsfxH3dz50OG5hx8DAs=,tag:SGMqprXViUd6PSK880ZBoQ==,type:str]",
+																"ENC[AES256_GCM,data:p6ixWKE9,iv:Q/n6r2IIxs4E11fAt6KdAgiJDe6BrVInhlrY/OFwui0=,tag:GAUiin1bBqM+BgSDuTnvbA==,type:str]",
 																{
+																	"oidcConfig": [
+																		"ENC[AES256_GCM,data:1p9cmTgD,iv:ZnJmlnKwUjt/gg8hdWgUGIr00as08i6+20XqJxsSWuQ=,tag:EZ5Hxw4iG7oRHIBdryz51A==,type:str]",
+																		{
+																			"expirationSeconds": "ENC[AES256_GCM,data:Ph6l+fQV,iv:ZDSduvQMlks2cPXSbtWRt5UYMUxpHZcmziHGzLxwKZg=,tag:x49SF/oeb3bF62d2eAhzUQ==,type:str]",
+																			"identity": "ENC[AES256_GCM,data:l4YLZ1dC,iv:PEOjSGtMvWoFEQuNhstNqCDGn/zoNSYEK5GwW1Gknho=,tag:m9sukUSs4QKZswttQsCvsw==,type:str]",
+																			"serviceAccountRef": [
+																				"ENC[AES256_GCM,data:bac4/9ld,iv:XaIWyaE+XBy5PfJC7ccb0jr2LQY31drqKhDyF6hm2u8=,tag:cn/7RpqaVoCELBwp6Lu3MA==,type:str]",
+																				{
+																					"audiences": [
+																						"ENC[AES256_GCM,data:2W/Agw==,iv:KCM96fjW5TuDeKFIomIgWoNP+pymPEfha4gC6mD8w3Y=,tag:D162iO5QYs97uSf/CaZcbw==,type:str]",
+																						"ENC[AES256_GCM,data:LDrV2t5K,iv:BHtLX+9DuH4ln6Wl9Pu1S4e8O/6Fo7AX1Si4Aqt8E6k=,tag:oGw+eYKuhTeOglhp3V9p6g==,type:str]"
+																					],
+																					"name": "ENC[AES256_GCM,data:joJZjlJ3,iv:vq6S2T97uSxs/olRShvmwrkNwUqetGV9b1VZ0B45XYI=,tag:+O/c0/UpVcu7DemBuczZRA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:DcorCPF7,iv:27KNEhFMbY1AzhVLvZOXuBidn/SRIuLI+hXpF89PoUI=,tag:IyLNX9SyObK4WGFIbhnvmg==,type:str]"
+																				}
+																			]
+																		}
+																	],
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:WfPQ2Iny,iv:0u4+zvOWAOYlVsIEaDHY3ssdn/7d1QnYqzllZhAzDl4=,tag:Gw0SueDdpoM4/GV1LiOJmA==,type:str]",
+																		"ENC[AES256_GCM,data:rY+2nQTn,iv:fKne0Qgu9dV4fXvvfy6QZ2RCl1tt4SwD6Q3DJgvHxB0=,tag:sBwLDg8N24M6KNqo5csSUQ==,type:str]",
 																		{
 																			"dopplerToken": [
-																				"ENC[AES256_GCM,data:7Upc3GMj,iv:kUK/jTkVnR9iKlVBaPhAAdfyHk+wSTtsT4m75+5HRWM=,tag:lhQq5bHcXqhAnbzRB1Gq8g==,type:str]",
+																				"ENC[AES256_GCM,data:eSH16vJ9,iv:uNUfs4tZL33+Ks+KIY/I8s+eNY6KWsLF3dTn/uetsqM=,tag:kj1PdJf7XP32AYITbLMbeg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:78+F92Fd,iv:si+fEAPUhQVbXtwopprXrwFunNvR/2x6Oa022ZluyEE=,tag:hAg+QgIIt/c6CIrV+RfvmQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:dw1D4vwi,iv:NebkL3dP5NzjfQ+zWtH+e31IA4gq5NetF8GgcBOMfi8=,tag:EUlHEKDRyhLxavqXxYyCvA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:oGLx6Mya,iv:gfnRLcuXI0zGgJxn8lYL9k1w/yxRlIG4CNmal+wp9C8=,tag:NnMB3Tozmol9/2lzEWPpyQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:1KT6IH1m,iv:JbBItI4rYvKHTdVjJQ6DQBa0vCOT/1KUh9ibBNFAgiE=,tag:QRtQh53UWZEoXBgRx2Y1GA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:ceHNJN+K,iv:nncHyNqje2pL+50ozL/cAvMD9RJj1lCAK72+bXi/e6U=,tag:lJTJ7cyqTR6qSJcdWvTOGw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:Y5apCggk,iv:VTJtIw5k6Z1T/KnTuXsiCCmR2V+nzYrCZYOqBBWgi48=,tag:f0D7iCx65UCuVj0YaA+pBQ==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"config": "ENC[AES256_GCM,data:JvmiUQdu,iv:M7H1dR6V+0qmBjOxVAQpZY6haxH35mfs0dqCa1/RSEU=,tag:xzxgUQvTFW08/+q0k0hT2Q==,type:str]",
-															"format": "ENC[AES256_GCM,data:02P7Io/g,iv:X2267lBFCAWw4UEQCPFCWwmqyTUQst0BzuxQachlyuk=,tag:YX8thEOEKghL5vx7pADurQ==,type:str]",
-															"nameTransformer": "ENC[AES256_GCM,data:wfmJSN+K,iv:kdqwj/TDWSDsfQ542lcRcdW2Lp8HdQ71EVgpNgWxUlk=,tag:5/0TaXSXscnqv1pJQ2M9LA==,type:str]",
-															"project": "ENC[AES256_GCM,data:rcv2yJ52,iv:gSQrWjQxIuPI5Wj3xkk45yult/VpB0i4JwfCFysFqWc=,tag:7MHfKyDh9zknH4xIzynl2g==,type:str]"
+															"config": "ENC[AES256_GCM,data:jB6k6E1s,iv:5wd5u1FsRFXfaltBJ6hljwIir0YeeqrYUcTyEuisD+8=,tag:exDrMP5e2MVlCNug/5UwBw==,type:str]",
+															"format": "ENC[AES256_GCM,data:ERoY/CV6,iv:g+7duA5u1tqGxN8VDKZ3bYP9kSUailEdIQU7eGO8Rmw=,tag:bD8n8zLVV3JhteN/ifYc2Q==,type:str]",
+															"nameTransformer": "ENC[AES256_GCM,data:MZYJQtzi,iv:DHzRAe1obSs3qGida5SjHpc5CLRyxqFF9YvUefTeZOg=,tag:LWiAmC8+HLLbNggelBqmwQ==,type:str]",
+															"project": "ENC[AES256_GCM,data:NfxEAlVp,iv:H1J1fvQuQmVdhaAtrHLouDnIr5bX1BE0Psmv9+H6k8o=,tag:lBQJCgL0yUUzPkABQYq/jw==,type:str]"
 														}
 													],
-													"fake": [
-														"ENC[AES256_GCM,data:4fIfG9SA,iv:vQmC8f8njVn6w1ysOuoH5RchSFtGDyO+colAa6wR1OQ=,tag:cthveaUda6dn9NLhbhTMKA==,type:str]",
+													"dvls": [
+														"ENC[AES256_GCM,data:dxdXMd0v,iv:gFkDuQiE9LZzy296iGtge2cRk2RjiAvFlM5pAiDsq3k=,tag:OnLqK0yviSDNCOcpJyZRug==,type:str]",
 														{
-															"data": [
-																"ENC[AES256_GCM,data:ieg11w==,iv:yNUWQBh1vXLYdv4kuLUzZO9LB5AdIwp4wN8XoKoi+PI=,tag:6FOr0gMGuMrDw7FoL+c90A==,type:str]",
-																[
-																	"ENC[AES256_GCM,data:lQZUi2D9,iv:9ZfVIekRYix9AErp8TGIME5+16Zmfq0wQ/4uS/5wJVA=,tag:Z7/ssdxrtczR+G/wuqVNgA==,type:str]",
-																	{
-																		"key": "ENC[AES256_GCM,data:sIiBqjds,iv:AZwV13b6eR2E+e2MqV5iR4M6C+lOZu47tDGIz7vk+k0=,tag:WOooL1h1TEghHFlGNt8p2Q==,type:str]",
-																		"value": "ENC[AES256_GCM,data:3Wmtb1sy,iv:25tqVYLQgybwxB4qgmexEK3EnOgbnW7aYYkzUrg92+0=,tag:vqcoVw+XdDDTAd9zfTzWGQ==,type:str]",
-																		"valueMap": [
-																			"ENC[AES256_GCM,data:hCF+,iv:pWfAaDb+NGdOWOeXKhth1dEAm6oUNWuyFC2C5fJG55A=,tag:VLyp4oOdWVMN1UODK3f5Ig==,type:str]",
-																			"ENC[AES256_GCM,data:OoJl/0W6,iv:rM0R9m/33r95PMRGd4vCMhNoOogn4aop0RtofVoABzk=,tag:m1W8np2PSDiZvjN6fVNX+Q==,type:str]"
-																		],
-																		"version": "ENC[AES256_GCM,data:xtwycetd,iv:WcstYr6Eb8wWYyaBK8c1MutjGb87sLwWRJRKZfxsfh4=,tag:vQbjpCuSJqjXfWK1TV5f8w==,type:str]"
-																	}
-																]
-															]
-														}
-													],
-													"fortanix": [
-														"ENC[AES256_GCM,data:po/mxl8V,iv:vkOf62NwuVSRI4E6RaLh230NJsS/Dn2l2GHPyDWxGws=,tag:HFn9ReVFxZzccu+0+QwJqg==,type:str]",
-														{
-															"apiKey": [
-																"ENC[AES256_GCM,data:OooM7XgY,iv:VATaOI33Sed8TPYpMC2ttR1ok0qF5p8JVyTFnUGOnpE=,tag:bgk4qK266l3r1t3DiXHbZA==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:bl/1Fm4K,iv:3nzJ7ftovCO3t4ilEiS005qxftL8MRqwTN8u+ruQetk=,tag:nHLO49Lmvu/hRNODy8lT5g==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:8dTPLvha,iv:fAJN0/d6j+v70sjjfBKabnVRk9syzHgQcAgRIGwZVhg=,tag:wrLjPXPgLnHHw/0JClAmKw==,type:str]",
+																		"ENC[AES256_GCM,data:yyvJlV9c,iv:DgElZeodszmwtDvTXfmxK0pOnHumqbmkDdI0jDH8ezc=,tag:7T9lEdrEqY3D2N7If8IsTw==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:cx0CpmF9,iv:x/bEwjCjVK2vnOvx9PuQcV+cUBP+qSAkjevPcgSSY2w=,tag:9RsGczx568+FAqc/Fm7SGQ==,type:str]",
-																			"name": "ENC[AES256_GCM,data:HpNNAFc0,iv:9Ypv7gft387E2bPKoPahEXEFfEP2lrGUsc1qaLx3Ftc=,tag:Lh5/7ga7bQgIC5ZEJUVgFw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:TkQSYGQf,iv:0PhsnCAQHglA+6kQUr3Zw4HPAzXBle0D9KJDmJln4mo=,tag:mBPoXRnmk8rMvHu5QDWWNg==,type:str]"
+																			"appId": [
+																				"ENC[AES256_GCM,data:YLBdCPvO,iv:JGJdhVDnt+8kYE+8Ecg5D7BnSX0dZCLalpkHV7L6YQE=,tag:LxhMAzOL/hkMj8FJsiOxlw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:hfQBQb00,iv:T/NyuSCIyZGmMDX9FMT3MKfODCCoFtrDqFKV3VFfTtI=,tag:ohf0oDnKx2PoOPDwWRA+PA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:hIwGrLfI,iv:EV3nZxnvTCzPMGTT05n9iEQAuMUnsLeYOrNoJ3+cQxs=,tag:AaROWYdRXmFZ9svOd5XgHg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:CrX92pvA,iv:gxQ+E2Ir15aVDaZ3H7aJoTRuKmuPlK2j1/ifoQNg4CA=,tag:/Spqw5gEqoZwnGELic6DHQ==,type:str]"
+																				}
+																			],
+																			"appSecret": [
+																				"ENC[AES256_GCM,data:e8mpdcRw,iv:5ETzitLDLJ2FE8S2EgfbzKt6gDs55jgbOzVxkeemyiE=,tag:sk0DapI14tnGUIBXgFFzeQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:5Tlg9R1Q,iv:MZXLj7BXyE2MNN7t4LhUSyF0o5wuURohrOO6JF2dU3k=,tag:np83blawScyJU3mttD6opQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:ryo0A0nL,iv:TvdplLGGUwvGMhRMhn4FWNMqzZwP+aJNRqP2LWrMppI=,tag:Sf+Wm1SCaL4yMcQA5XZMvg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:/ns4ZUCw,iv:ALuU/t+kfxck8TuHd0WRay3qlDXJQeAYtoDNr8ExQbg=,tag:ZSGpJx0JvI2WPA3DRnMpHw==,type:str]"
+																				}
+																			]
 																		}
 																	]
 																}
 															],
-															"apiUrl": "ENC[AES256_GCM,data:ZCuItKuk,iv:1lGwoZeapg5C/ENGWpd54PPMLC8OezzMDzx+ev4ewl8=,tag:bQRIM6+YVyszPScUtb6mnQ==,type:str]"
+															"insecure": "ENC[AES256_GCM,data:gowxzA==,iv:Mah5DoqLYZdbrmk9ni0r9j3QCQw26XxEk5wEawVKIlQ=,tag:BjJeUFOKWICZycyb9vWKNA==,type:str]",
+															"serverUrl": "ENC[AES256_GCM,data:uAZJQ9vm,iv:65ApWccdswR+V34IV5iqZy9tCSp/+n8rZ39kRTPfDFU=,tag:dNJyyoYIPwndXyOJc6u1Rg==,type:str]",
+															"vault": "ENC[AES256_GCM,data:f5xBDQoN,iv:8Tucbgkta5MmNw25lp3SJPzYJEonx6UWFDTR5VfatoE=,tag:umkJqWauyCO+NZeLDnny/g==,type:str]"
+														}
+													],
+													"fake": [
+														"ENC[AES256_GCM,data:miPyFXsI,iv:WqlL3pmfH/3KRaqMlPM+V0/uHLBzXwkWybE/2uZQPI0=,tag:hRLHqWh32CjKZlw6SUotGw==,type:str]",
+														{
+															"data": [
+																"ENC[AES256_GCM,data:/S9Ntg==,iv:rIJNz5rxwvi/2EHfvU8YkT3qmnu6iP6WoStWYmyEQ6s=,tag:tfYY+nGxz/5uemRUkg0vyw==,type:str]",
+																[
+																	"ENC[AES256_GCM,data:WI9iINsf,iv:xSE4YWPkrj+anL29LaGEGhGJp9B7YW2NJAlYz+0m1D0=,tag:gczFv9ZLN3dGJxsmlMg8CA==,type:str]",
+																	{
+																		"key": "ENC[AES256_GCM,data:zdrEmG86,iv:gsLI/7IsMnWumwvMbgluUbt8j2EzRFmSb8F0KCJTzWY=,tag:4e9NPei1WUbRf+OpdU1Thg==,type:str]",
+																		"value": "ENC[AES256_GCM,data:WVamYnP8,iv:vgqnxIsxT6q3URtO9fqDC/dcxo8OyVXCsUgRlFAf454=,tag:j2FZr05rMkK6D2hnFbcX3g==,type:str]",
+																		"version": "ENC[AES256_GCM,data:jgYAWA/V,iv:4eP9clSzYIjoF6UiPE+oIO9C7RlwZO8b5xInpn2gz3M=,tag:uEaNGtIBBmkaXxpyPHJqbQ==,type:str]"
+																	}
+																]
+															],
+															"validationResult": "ENC[AES256_GCM,data:xDcVt/EY,iv:lcftS1vKPAZOwEuz86Ok1kmr0g/2iaahmRv/BJbryn0=,tag:MF7ecQz4nSxMQKX0xTbhKw==,type:str]"
+														}
+													],
+													"fortanix": [
+														"ENC[AES256_GCM,data:acFAdpw5,iv:Pm3goO/8A7j7HkX05bIX+5ik5sr4AuVM8Qj2NwNhMgw=,tag:5/n3VKCkdvBxJtmLYxDYJw==,type:str]",
+														{
+															"apiKey": [
+																"ENC[AES256_GCM,data:yF6Y5jcM,iv:ThMEVyOnfnEKBhGI8c7Nr4Hbg6F/Uwk8JvdGcv/GNmk=,tag:hmgHV3LWAHrUJ1p34oCRuQ==,type:str]",
+																{
+																	"secretRef": [
+																		"ENC[AES256_GCM,data:7sdUEkdm,iv:buKQ3QiZeCJkqLvpioyIUttzHUbruMSjjz7YoYC3axA=,tag:gx5lz7YYGQ+LbZ1OcO6G0A==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:0NjOvtX8,iv:de+k9oQjYZPb5f82QU5Z38qmQ6lRnx//FyVlTZta1uo=,tag:KO2Wgy06rWu6cZ+u614l6w==,type:str]",
+																			"name": "ENC[AES256_GCM,data:SVGTtwSH,iv:iKkndhhQcW2aTEVb2R83+wzcHkibYI5iFuu2Jz0yL5E=,tag:7KH1Seh81QnRGOlXQyyPtg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:QJoThd9l,iv:KdfrKJ0oHhDd7/mvZS9KSzCYscn2P+7GE6uDepsrc0Y=,tag:mTyuuTtUM6rDh3+VVcjpcw==,type:str]"
+																		}
+																	]
+																}
+															],
+															"apiUrl": "ENC[AES256_GCM,data:54r9VIIN,iv:hCk94D8xs1JgnO6M8EunFvPb78oxgsbfwnp4aUjthEY=,tag:z1ygXy5cySm835gNw6XeSg==,type:str]"
 														}
 													],
 													"gcpsm": [
-														"ENC[AES256_GCM,data:X/ZSQZmB,iv:cSPiuEvBrIM1AmxgbX0Tf6q7/7jHs1Peb2+pA0p0qUk=,tag:djVNmTQh3Z1mbiXJP/jWjA==,type:str]",
+														"ENC[AES256_GCM,data:K76Duf5A,iv:gFaiQzKop1DM9j7nKL8zGNVpabrbadu8TWMe3fCxkk4=,tag:8jKyLd2NiIPTVveXlCXZ3g==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:XOfPnMj8,iv:p31L/jnWK6HW9hWFmVZZj5TNGdfuHuYa6gSTiuIawOo=,tag:qWYpVKyKFR6uWmiI9ebo6w==,type:str]",
+																"ENC[AES256_GCM,data:uRXNJtJb,iv:90rNCc6oPcJqTaVnALCnsFZpI5nMjAxTxwvtWmVjJvo=,tag:a5ctFQjN+ex2Vn4HhkUvow==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:aZz74/tG,iv:+LuyR7OjmDYqpMwNCaK5i6fJUvzPnPcXL5jqoLMQPe0=,tag:tKAU0Tg7Haz/SXTI9lK4SQ==,type:str]",
+																		"ENC[AES256_GCM,data:WRPDz4lL,iv:gwGmYdpm105E2Q4k4NjXTOiZTFN2KPEC5+DaYTOLdnI=,tag:WhwvWCgSLhehbjno7zzayQ==,type:str]",
 																		{
 																			"secretAccessKeySecretRef": [
-																				"ENC[AES256_GCM,data:/8U/eCxO,iv:rRjdD9IiQjb3xVzsqL3zmvugNfNto3n08glKTGf5vs8=,tag:cWAS63DQ57e7h31y/aQDxA==,type:str]",
+																				"ENC[AES256_GCM,data:J656xsNs,iv:eC5GBUUeGQzw/Ni+CEeQ2J/G1YzXdtFlZqzsLxI5Z3M=,tag:hNB/Ia/2iSGfZ4zzgwkHIg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:IToUY0up,iv:9FQjz+M/SYwnXj2aTGMKxdmuEb9dTGMXLlOJr2QiRkM=,tag:hKe828b8XhMIej6tUiqOsQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:oy/+mFGr,iv:M2O3LIaqxbRa0F+3KzH/H6HLQE13XrmBkjX4bcTj7jU=,tag:J31RES6TvIX/Q62ee1TTWg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:cel6ItL2,iv:Nb+On3hFulbiq0k6ypAh42R/0ARCoD9WrRapxKQAVSE=,tag:DbpRld87LMZhAsro+XL9Uw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:1T8BDSIj,iv:n608kAz+59mYKVIvAWN0dIAYxehbxJQbon7jvXUY7DE=,tag:Rmidoj8HCBoWQHWutZwnbw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:aeEKCnK6,iv:yXsruo/9aSX0uwDADHbsPtP+THuG6uWth9xRmgwwG6I=,tag:+JOPMuuwJX2JN+Axf5sjqg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:JYmUuRmR,iv:0yl6LHN2zJKtm1P5t4rBanyLzvJeglNEqMq7pg6F3pI=,tag:+VvLBhxLfccQ9n9lKvsfBQ==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"workloadIdentity": [
-																		"ENC[AES256_GCM,data:Z/6jpeoZ,iv:v483HyVA/f7swr/coNDSLpwYVaxwsEA2yt4Gw+0c8NY=,tag:r/bdYzCaE+uPht0CkwBK3A==,type:str]",
+																		"ENC[AES256_GCM,data:qnO65bgG,iv:GWcEjfRnP9fjlucQHRPLbE3+GQNlJL4QwwpLu9nuqcU=,tag:M9JcBFkKgIMM1oVBK4FnYw==,type:str]",
 																		{
-																			"clusterLocation": "ENC[AES256_GCM,data:/sN9/OC1,iv:ht5aSWoSTqW65YTe4gKhDGFF8h9zA0YFqyfYVwuf8IY=,tag:WYs/HWNWRGFPrmL8u3NoMg==,type:str]",
-																			"clusterName": "ENC[AES256_GCM,data:TekRGn3x,iv:fpfBTugNpnoG2afUBAPak7BK072ty1joklJ7fvuHtM0=,tag:+/hmhpNzLt/f5yWSDxxNvg==,type:str]",
-																			"clusterProjectID": "ENC[AES256_GCM,data:DC+mDznU,iv:Yx7TPMBaxHm9MSPNHGTBOsius2v66w7jcS4SM1AyZ0Q=,tag:DUfOGnO0/KM2GgWW+lhZCA==,type:str]",
+																			"clusterLocation": "ENC[AES256_GCM,data:pP02D2lU,iv:IR+Dozp72KOcIrYNCwgNg4SWiJY/HgvF3LScQ/fnl9s=,tag:Gfm8MeYP9UStsvIWbasy9Q==,type:str]",
+																			"clusterName": "ENC[AES256_GCM,data:Pfk1h1Bu,iv:IVXBScFVZlZl3SOOBIVSrGlQ3YizeLe0B60TSrJLJEI=,tag:LZ5kFeWa5JT1gB0GcYavfQ==,type:str]",
+																			"clusterProjectID": "ENC[AES256_GCM,data:LuWI4bku,iv:XF6446yYiLtoWwWoxLHfNHWIbSGtgLpC0FRMBDxpREQ=,tag:JYe8qmGHHqLp2uaFAg46xA==,type:str]",
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:UpHXNJcC,iv:pq3gRZl9ZeEz/QXlBF+axOXB27K4GuEoJqJwx9gwOms=,tag:v6GjE4e1DlQ2RbtfPigoyg==,type:str]",
+																				"ENC[AES256_GCM,data:OScT/HKW,iv:2HiODZBYbf+JprZ0Ra4ELH2ZIFfbZI/r+xUFKEXIwz0=,tag:mIoXKIOYzgKCQwNKw3q5VA==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:t7w/Xg==,iv:Skc5BHa4oCAECDTwE7YkCYZWboQv5S2cOQFW3Hk7tKo=,tag:J9rs0q8+7RHydCr38K0lng==,type:str]",
-																						"ENC[AES256_GCM,data:b+KrIigw,iv:HtMMs9qZ1pC1bF5e1R4Yz99i97EO3W8GHq7r/hkGO2E=,tag:4MTrN+s355en9gprWeHXew==,type:str]"
+																						"ENC[AES256_GCM,data:Vw1YGA==,iv:oR0ULjqZwJoMTsDz87AWjxRZ4JVi/ILC0zM2TdgnyE0=,tag:HVwIMqt+3mgztn8LNMnsuw==,type:str]",
+																						"ENC[AES256_GCM,data:sTfntkmp,iv:o2cPClombFSBl/AnNMRnq4v+poZwX0lb97aLOg7pV5s=,tag:LDzXLhCvikF/4FbMPZbmRw==,type:str]"
 																					],
-																					"name": "ENC[AES256_GCM,data:OLX0Us4l,iv:+n2t7aX+jPzECV0rS1g/rrmc7fE/RvP7eCUEqwAbUsA=,tag:6ySCGQLSXehkMu15GV2P3g==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:KQkfg6Pq,iv:NDj5SwgMntCAz1HH1HriZhEKX8KexyALD3ai1v1DQGw=,tag:4bNCNIgH2/iDTciFQjsPUA==,type:str]"
+																					"name": "ENC[AES256_GCM,data:SPMOXDki,iv:2l6Zbrp1c2ireTPhlzUMGteKb0r0LztcopBBJhgSy8c=,tag:ebXYJSXk2h9/i/POWIlgQw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:2kEfMSUz,iv:dG3deUy7rihvYzEgpYIvEqBVQwovbdU6leAKhRCnk+A=,tag:yQHqpFxcs4K3ughNXSJHhw==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"workloadIdentityFederation": [
+																		"ENC[AES256_GCM,data:bIflSD8D,iv:ijpTd18w/RUy+4MoqNqlz4NVaMP0NT6zLiUVc1q39J0=,tag:lqY5OtdkHChPmS60ajvU7w==,type:str]",
+																		{
+																			"audience": "ENC[AES256_GCM,data:0qOVOZn7,iv:FfQEtdMsBCsfRquU87ebPqhGuG9kMn1eDOOXVX1M/yY=,tag:SddlSeXC8r/yxtWHEOGREQ==,type:str]",
+																			"awsSecurityCredentials": [
+																				"ENC[AES256_GCM,data:T9QXl1MF,iv:Fn0teeE2BIBaYAw/zj9lcq0UjkD60tVFDsFeR0cZ1kE=,tag:d5TTsPvrdnbHAYu2OFV/2A==,type:str]",
+																				{
+																					"awsCredentialsSecretRef": [
+																						"ENC[AES256_GCM,data:pX82fNql,iv:Rb9LNEhpey5jeq1UmMpW3rzPPKxhxpXCfctkqx0/pkM=,tag:5rylXQY1ISrbckj5fKDjWg==,type:str]",
+																						{
+																							"name": "ENC[AES256_GCM,data:atQOXMJJ,iv:/CYaS7M3Q/j4Vk5b9GwnjXM7mGMPZlK1nYrLjWpzm2s=,tag:IuigHN73CHkjNkIa4aXFoA==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:NKrSSXpS,iv:HtHyjuVfB58cH3S68LZEVNxfn6HxzpeU7KMptEB/ptk=,tag:hSoo/GASTmkZ51J5cOE/Ag==,type:str]"
+																						}
+																					],
+																					"region": "ENC[AES256_GCM,data:JVP7C2eX,iv:MglSZ4vtw8vpjHP8LuAiJ1L8aeOS5qCCMJWJY+ZCJa0=,tag:wPKOYisHpos9Wf7iNakjxQ==,type:str]"
+																				}
+																			],
+																			"credConfig": [
+																				"ENC[AES256_GCM,data:ynv2C0Pg,iv:aS+GdINfIIVokdO7MM+Lq2jbGI1wGbSkrczXdfWrlak=,tag:QDA0bTsAv+Fe/tySelF9qQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:zQcgYNNs,iv:B/9Ix7ILizY+k5UuEwz/QhqtmZbaX0hPQH2ildv1oro=,tag:G14AdrBstgWoe8dV5EeGkQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:ny0xZQHL,iv:x7jpwc0EYUxd3glRcWCxRLgZppMJz9YYj8k6mgbDAR8=,tag:no+rOzXKDV8EOeCHWCxt/w==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:VSaJdD/L,iv:/LnsY/2xAd6VE/qsAjx7GQO8rvKrETdQRAtouJoHdeY=,tag:DnouMCYygL6lf59vFj75KQ==,type:str]"
+																				}
+																			],
+																			"externalTokenEndpoint": "ENC[AES256_GCM,data:Ts3fm906,iv:m9IHP3Dnqx4k/1sbVxL7QEw8bfTDo6It+8H7fcX7oDw=,tag:B0H5fPR9FaxZ6cKGsTxvBg==,type:str]",
+																			"gcpServiceAccountEmail": "ENC[AES256_GCM,data:NFWB3pZT,iv:HiXLoixIjy4dAmuAOaJOhOIzSosCqPEMWe1/TVF9T6Q=,tag:GAXvvW7+0LbSs74+evwVZQ==,type:str]",
+																			"serviceAccountRef": [
+																				"ENC[AES256_GCM,data:j2R50i3I,iv:IQGrAhs9clhDE5W3Hq4xNpIOzGIjxiCatrTh4QmFwdc=,tag:/y1/kpluXUI12NJ/8wQApg==,type:str]",
+																				{
+																					"audiences": [
+																						"ENC[AES256_GCM,data:TfH+Bg==,iv:cS+6mPzRE5qEp3pjSosGXIu6EdoWRBHkzFRyRaRluJg=,tag:CUh0f8vgckU2W1QGCkTk/Q==,type:str]",
+																						"ENC[AES256_GCM,data:QrnsEbYy,iv:nQHtuYtmev9u9KZcN+u6L5BLq/Me1CFmG9oSVxaYLJg=,tag:4mypoJ93NaEv4/6XzTwQ4g==,type:str]"
+																					],
+																					"name": "ENC[AES256_GCM,data:dHsuSmy9,iv:ZMy8AqpmaciDols1ToIS0bLWCuYgQeDAksXN9B/v1DU=,tag:UtiHepH6Y3zpCy2qQCffjw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:H1mzO94Q,iv:mTUZu3YxWO6hWb+1jgetmDVM7ZS5fzZCJ9pe8RxGs7U=,tag:iIa6wa/G2k2v/wAE861OzQ==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"location": "ENC[AES256_GCM,data:9ELIvi+R,iv:9wzUo9T1R3Uni4j0c3CDfTfe1+jAnZo4+ioaiWpfOXs=,tag:toEtv4YfSeSAeXLDBiWtSA==,type:str]",
-															"projectID": "ENC[AES256_GCM,data:NskE3HP7,iv:HQtmeocZy5cL1yf3zP7+zFvJuofDw4+ZfN/AkoPXjEc=,tag:zwBKQXmevvyfI16AU1A7+w==,type:str]"
+															"location": "ENC[AES256_GCM,data:cAY6urKf,iv:XAwLTvBzVlDfXQFz/IQ2JXldmYBLEEYmRidNv2NEmvw=,tag:BuY5ONqy4rRJI1fwhnhAcQ==,type:str]",
+															"projectID": "ENC[AES256_GCM,data:3FYBCKgT,iv:bcALpWyJCwzzLiKQ3tWYsCdXIqHzohPJ/32UAIrgdPU=,tag:nxguBu/KMqGm7R1eBwAf2w==,type:str]",
+															"secretVersionSelectionPolicy": "ENC[AES256_GCM,data:+6w2dCdW,iv:eKgZdyMGP0RWUCJSanirvmnKNzOw0kbOh+8Z7n8s5QI=,tag:YJc4QWOVcMC8Ic7HT4NYNg==,type:str]"
+														}
+													],
+													"github": [
+														"ENC[AES256_GCM,data:DIL3mVJ5,iv:wqoslOXGiNAyj5pdCdKJCRqLUbfnQvDgsBLOUmQaL8I=,tag:Yg5gChnmCGaU1DSBeGFq4w==,type:str]",
+														{
+															"appID": "ENC[AES256_GCM,data:TR4wblUF,iv:2LivsqfHiLsl8eiJ1JXWfBc8jLLNbXCpXzVbjyacxHE=,tag:AZbmpyAC4Bd3Awu1VAeNcQ==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:ekdznCb6,iv:xKRV1WLvUjW3+ZJfGb2UthtvPC6pfRpF7b3RRSpDPxc=,tag:DOHNLhWFeFSKDu6f5h6Q/g==,type:str]",
+																{
+																	"privateKey": [
+																		"ENC[AES256_GCM,data:8Syb56MP,iv:sTIhP35a5LkxnNSHyCl25oOwfGlZTJmht60V9G5HCeU=,tag:35ZU8nBqk+r8+igt+Dw1dw==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:qpInV08O,iv:BRCBimmNYUYL87O0mTfbN9KJsA99ErekTAiAlcQVjf0=,tag:rE9wMbnRgdmBA+IWCF9hqw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:pK+W7z1Z,iv:JbfW5re/AyekIvgA23ImFUNkL/j7rwc+EFpBG1hhceA=,tag:U99580HNxvyIfZVIl71OYQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:+zBvfWpb,iv:0CQomPCOLNTJhQ1D1FHawL1q1WQaAzj5X0z2RVQ22Ss=,tag:W6AzBuChTlAxPoN3TLyqLg==,type:str]"
+																		}
+																	]
+																}
+															],
+															"environment": "ENC[AES256_GCM,data:fQvm123q,iv:OjYRxppyqAS8S6gfgATq/NVURA+9BlWrrXbwoPtX/K4=,tag:x0vhBzWicZz5uXt9IQ6nSw==,type:str]",
+															"installationID": "ENC[AES256_GCM,data:lxAdugD8,iv:fBpQSwpbrub4awzEyeqYTtR+iikMsQASbcI5fL/+AKY=,tag:1889BDc9EVPDa5ZSofJODA==,type:str]",
+															"orgSecretVisibility": "ENC[AES256_GCM,data:bvv8In3Y,iv:Qyb9ag6FocF3GlgTpHUUi0/JXER1irhFshNRDg1J41w=,tag:U1JYE9Tjz8iKqXpY6z2kkA==,type:str]",
+															"organization": "ENC[AES256_GCM,data:ZzjTrR6V,iv:2SRN9xkVi1X9x7MDwQNUtbC/P4qyQ9h6Kww2SizxNDQ=,tag:d450l0PPcVM3NOmVGdw1Ug==,type:str]",
+															"repository": "ENC[AES256_GCM,data:lELz3rcu,iv:v0EfoYnRYQmNPvCxOAwuclnxeU/+SAWJELp7bqR8N6Y=,tag:cE5iTzN39qO0DqEsXmp/fA==,type:str]",
+															"uploadURL": "ENC[AES256_GCM,data:8obNHv3Y,iv:Czwx2GANhQ2gzVIwmo5AeN6Sb3w4Xkby04RsKVOp5/8=,tag:dL06Va2ZoMXtSvLIT2QWrg==,type:str]",
+															"url": "ENC[AES256_GCM,data:gGMwuFwA,iv:zg2uY8f48mnzfmKOkeM380LmjnNGTjWMCNJ1V0nYblc=,tag:rAHogSp8ue5nbXl5exZdvQ==,type:str]"
 														}
 													],
 													"gitlab": [
-														"ENC[AES256_GCM,data:BjXmJQ1e,iv:Ta+W64UrMGV3eLfnYvE//frm8ETjveVOqRgvC0alMMs=,tag:0veAaajCWVrikkX44FRAvQ==,type:str]",
+														"ENC[AES256_GCM,data:2Bc8nsoh,iv:5RMS9MBN0FRWhIhNV2oD0X5+G/aGr1lSbSdQ4+j5k78=,tag:LwCzFuBXwcYnKHELAGClvA==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:jbvuYrXj,iv:3Y7dHBgAerEHtkqYqCH0kOn3tA9mIhvAvNL7BDUTrMo=,tag:RVx4/2sd9TMrPIK1POtrrg==,type:str]",
+																"ENC[AES256_GCM,data:1beuGPkq,iv:QzFkpOqNuZL9fSz/8gikUN0rQNyx7lEzFlSxe1OP284=,tag:rPYAD/yFNZkppu+Lz6SILQ==,type:str]",
 																{
 																	"SecretRef": [
-																		"ENC[AES256_GCM,data:JYuV9OMo,iv:gXeVuabBSelpQFZt/dIGbk0uBD7IB6+pUdziU8iMLxA=,tag:olXM3FuZmc3zk//4En5iEg==,type:str]",
+																		"ENC[AES256_GCM,data:eXZsYNv2,iv:+3qyJJ1zyPWN24+c90lF8+tH3w2swRIgJvdQpeTSX0Y=,tag:tKIw9ZxLsP0eUL67+VdmwQ==,type:str]",
 																		{
 																			"accessToken": [
-																				"ENC[AES256_GCM,data:WtgtZrKY,iv:bb7ePxCy0FimxIaS1gPiY4wMPXOxbg7qv6vEVl2O1Jc=,tag:iPWOYPFEbwyI3GkNp6FA1w==,type:str]",
+																				"ENC[AES256_GCM,data:SGkvwA1/,iv:ZMksc7u7ZKyHRFPeKmC3Th2b9DnDkCo4W5HsKw83XSA=,tag:p0Cgk6PbQXCTHDKSlRr6Yg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:cH0Ys9rD,iv:cP6xQ7gTo+j7hQxZ8oZiAKF+7A9x6RpGFSm4cv6OAdo=,tag:3xTVd57vHVbk6qKaTInzrQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:tHPaWs/T,iv:4VP/TXbAd7h5uK5EQhu2r3yS7ISEvPQyoODxswSt0Dg=,tag:vIZyBIzZIcTFfKc3IJyUdQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:o7ILmGX1,iv:ngxdsyqoQU8H3kJ8pDkVq5CeD4hMkjF+YML2cVD4WDg=,tag:4IbSoj7oexLw/DzH3mCgXw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:FBgoMYfl,iv:dzbpDKKx2955G+5/7ZEbTKC8c+EDSChB5De20EVkfXI=,tag:Z/JM7fDOeFWk1KwPk/SJUw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:fqhRZc6P,iv:TgYx72syzlFB5xgpOhClJdkCL4ff0QsG3rX8pQbmdGc=,tag:ibrBGV0rZx/DmMMhrKUNYQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:H4Y5MTFk,iv:7gB4TweR9F022YixRpuKGWYkhZZ4yKlSUQJb/9VR5Mw=,tag:317TfD4q9u6bxvoJOP6izA==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"environment": "ENC[AES256_GCM,data:CvuwyYD0,iv:2Xur8HId8MM93wnAgrl7dcK9sXvZ3u3J1XExUnjy720=,tag:9JkLNLVcYittTwNRKb37oA==,type:str]",
-															"groupIDs": [
-																"ENC[AES256_GCM,data:E62iXQ==,iv:IuVqLfPgRZK4m2t1pyduj9ZixEWBR5dFcMJqc1z0z+0=,tag:biGaOjBZ4cwRAAq8eR5liw==,type:str]",
-																"ENC[AES256_GCM,data:cWgTWcdu,iv:KoplI/GLci7ssFwfWFhHGiGRTiRrDcSKjjzyE4sTl/w=,tag:rXwzMsrw45I8ZCYnMunq2Q==,type:str]"
+															"caBundle": "ENC[AES256_GCM,data:9GtJ0yK4,iv:FPpysU/Bh2Cp+vX0Up90F9Ybj5RQEfGwnWOnSqj0O7Y=,tag:G7VWdISVyVTswVA8Pyvgjg==,type:str]",
+															"caProvider": [
+																"ENC[AES256_GCM,data:byfZ7AUx,iv:2pBOHZV9KIdGG5KMcdbN2VMXeVis/KFZ/ReRb5i1eOQ=,tag:7y+yConp1mAeJR83bQLKow==,type:str]",
+																{
+																	"key": "ENC[AES256_GCM,data:Aqfe3GGe,iv:3xS+tqnzzGNJcgb2TI52P2GtdU3uDINlYT/1hHAaeHU=,tag:EEVeLJP4JzhXRC4ldUo01A==,type:str]",
+																	"name": "ENC[AES256_GCM,data:neIgJESo,iv:vYzYj8soLBPXfqbOQSv3K3uIGgHgtMiS0LPQNMgw8zY=,tag:IWTwT2AVWUFsKF8AB2ITXw==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:tTNQS5Cf,iv:iSkCzW7RetlFYkXuk7YmXdvBdikqF131OBbHGNJLae0=,tag:tnkag/9rmHr+wX90GxI7CQ==,type:str]",
+																	"type": "ENC[AES256_GCM,data:XJJI91/v,iv:XJ+kc0ars6jsAYWwEZGJJY66SiPjlp7ShmhRAVIFR+A=,tag:sbrU77Tx5rLDLDc+JgRniQ==,type:str]"
+																}
 															],
-															"inheritFromGroups": "ENC[AES256_GCM,data:4O8plg==,iv:29BVspt9GSQuSB11wrSXBWFAi0GBoEb6poxOxK8tHTo=,tag:7o+a0I0X+CyIRnjgi/CKUA==,type:str]",
-															"projectID": "ENC[AES256_GCM,data:tPWK/juk,iv:Jty8GjouwvJq9qEffKpETibP2PgRjXlxWW0m11BfIXQ=,tag:ZlP0XUmOaHHIsK96LAhcKA==,type:str]",
-															"url": "ENC[AES256_GCM,data:Frf+KHFr,iv:Mkl/niVlfP61/6SUoMo7EGJeDiNrdot6CyXzeJa7L8w=,tag:opqPMSUxf93mZ2Oe+dGfMg==,type:str]"
+															"environment": "ENC[AES256_GCM,data:OEmZ8wCu,iv:xW2myS5cNVL/bDYLRCDsWZ4REk4d6uk+sarvgmVcyXA=,tag:Q4kXXtRHoz5Mdz0UPSAmSg==,type:str]",
+															"groupIDs": [
+																"ENC[AES256_GCM,data:EWN4xA==,iv:yLXduWfXSG1Iwlr9e7hLYVSTZ6wlULGxETDQUONjuH0=,tag:BAhiySrjAbnLXK0a9i4D6w==,type:str]",
+																"ENC[AES256_GCM,data:rn4tjtfd,iv:12SiowJUgYrppg5/3zGDrrhnuWest/KOLbAn8wI+rYM=,tag:Fa1wU7oZZh44RfN7YKTSyg==,type:str]"
+															],
+															"inheritFromGroups": "ENC[AES256_GCM,data:JaLgHw==,iv:no3I4Y3jrnXnq0ollKu28Fqln7F7QAuPNYGFFq7lINQ=,tag:upZ1gYsOqn9U34W1KoZXnw==,type:str]",
+															"projectID": "ENC[AES256_GCM,data:W+14tvke,iv:iajldmdUr6uxUuby6f9QGIn6SGwq8YMYtI2n3qlLmFs=,tag:N44FBMO+viiBTyMao4xNwQ==,type:str]",
+															"url": "ENC[AES256_GCM,data:2vi/vFd+,iv:hDjIxV9mNdV+ruM/eviklyz+us5mRWoCmRntniQgP5M=,tag:ePVZKTgTpRr6Y2qMLEFaCA==,type:str]"
 														}
 													],
 													"ibm": [
-														"ENC[AES256_GCM,data:Mu46ILta,iv:ZW/16uJV5YeEngyksbeAnp/LO9hPszBCgaM0h3Rhg+w=,tag:6YaE/TFfEc+8+U2sk3p+Fw==,type:str]",
+														"ENC[AES256_GCM,data:7lw+tRJ3,iv:ohIjz0GNrqKoXPmcWCK7zGrwNIQCYA8NMzZnacevOgs=,tag:+eifqH5t/25+eii49p9qLQ==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:eqOALDz5,iv:QSV2sVToSBelNh4wnrka8+hhuBnyJdLW5ttUdOV8DuU=,tag:JgVBYHG8Vkt/5gh+CmovQg==,type:str]",
+																"ENC[AES256_GCM,data:6+mzQkQe,iv:VSYje6fR8aX14aK9fDamM4T4njbqrLsxBFza9QgyemE=,tag:PJc9ogifaylGb6gG72qxbQ==,type:str]",
 																{
 																	"containerAuth": [
-																		"ENC[AES256_GCM,data:AK3emaoU,iv:Afe4Blde9KdFXp/9XVAh34sXYU7tkRcVz9xmwbguyuQ=,tag:ryqzqHRSw8pEvkhLUMB+RQ==,type:str]",
+																		"ENC[AES256_GCM,data:pkVMXNtI,iv:2li8B3Q7jhY3lrQuHJvWlOgdmhxk6I1HDAsTpuiX2m0=,tag:u+TzvFd71eKvY2+q+/uhRA==,type:str]",
 																		{
-																			"iamEndpoint": "ENC[AES256_GCM,data:OXfpSXvB,iv:DCJDmVLRYakY6WV1fw4Q2xr/phMqNQe6P47LDJse6oQ=,tag:zUCdKekShtMbrWa3jSrtZw==,type:str]",
-																			"profile": "ENC[AES256_GCM,data:OIhhyjjm,iv:sFSrWHD2EFz1H8VTkHyG2cgZCtv05U34UwFbJu+7lS8=,tag:QC+xqx8BNIXJ8ti3IFp3oA==,type:str]",
-																			"tokenLocation": "ENC[AES256_GCM,data:73+QpeRv,iv:5ClpS6LUeZEeiMWUlG4btFS7aD0e+vzbDKGihFGG8fI=,tag:q+7KDNdff9iFDxnZ7Kkz0w==,type:str]"
+																			"iamEndpoint": "ENC[AES256_GCM,data:ClGxHLTp,iv:Q37tY0cnjhuUwEZC/A3ilWeLohRDHD0mWHIsYdauyF4=,tag:Z5NwTuULb8ePkemcgy13Ug==,type:str]",
+																			"profile": "ENC[AES256_GCM,data:IvfvkiKl,iv:ObFFJOazkXNke/d42idtea6xXYkYyCCD2ovDqcJ/JIw=,tag:nXEQ8EKHNpcPlYGf2vn83g==,type:str]",
+																			"tokenLocation": "ENC[AES256_GCM,data:e86euOd0,iv:N5vFRkKBGvZ5Nhpxm/LkqXiWm/oXHIhZv5mEurzPOyk=,tag:cX8H8rKXqrzvcSLZteIAEA==,type:str]"
 																		}
 																	],
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:DDgbAvdy,iv:hwjyuzqZ3+qgeEUYa2woevOH+z73w6Y/OpstrBDHSRk=,tag:+1+DS4uJa41YyOUkZTum1w==,type:str]",
+																		"ENC[AES256_GCM,data:iN4CxsaM,iv:cjzfR93bAbHebDSWYSgtMfvi480gkG2R4kgx+VDUlTI=,tag:MbvGAe+lxJWaeN9B6R/PSg==,type:str]",
 																		{
+																			"iamEndpoint": "ENC[AES256_GCM,data:+tyxgNqB,iv:0SHCGXHfOCX7/RfFoAc/fLNMxblohCaQv3Ra7u1hdjI=,tag:sOrkHL0uHIyZgt4AH+YuHQ==,type:str]",
 																			"secretApiKeySecretRef": [
-																				"ENC[AES256_GCM,data:qvM/3HHy,iv:GS7hFen3JV72w7p6P2e+IalqbEIHTwgq8SDmJ5faYWg=,tag:i+WTfx57waD3B85txb09ow==,type:str]",
+																				"ENC[AES256_GCM,data:ScD455Ro,iv:GBQMw5T4oxcvzpJAvEwdKRrXYrprF1aaOOiLHnbrNd8=,tag:XJUspfBA8CnTRxFzBgyLig==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:pA/rZd4h,iv:R4YtU1fV75U1Ve+r2EfFsGMjXlob80gFITB59WZx8CA=,tag:q0Psd5VfOxewHTfUMGZnEg==,type:str]",
-																					"name": "ENC[AES256_GCM,data:I2gZe+1N,iv:JN8dndhXsqcKmO1Wck3kwownH2f1rLv6OHgKHYnRH1k=,tag:u/cQiGoL+oxpzthy/EwnTg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:8QpLjkYU,iv:1ELVH7TODHgOKFKmf72pJN3vtXHGm4Zf2Qv1HNqevlY=,tag:Bgx/tNo9axRZA8dDRKPVXg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:2KerWYPw,iv:oS24c95s1cs5AUHoenG1wUcfZ40O/fpOJ4DKWZBaucs=,tag:9w9SzYRIOWI7IaTK8972JA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:tfGuMYpo,iv:ZrI3L6DLAMSMRdzKabzly7jSfY2rZaE6fIZGOPxf5NY=,tag:nrUN5H2REJm2cdmamP7SHQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:tOBb9HIE,iv:7Uv5cpTG3NVEWBHU9j3TkU5Jc1U2Gczg3eg77j0fa8U=,tag:3+BnH++85lk25nfhPu2FmQ==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"serviceUrl": "ENC[AES256_GCM,data:fyAhhiec,iv:U355V7mInwCwAws2YX+MMWu8p7SXzspbbEieM5hHYl0=,tag:cC7j93trZLAWdRB9FGzwGQ==,type:str]"
+															"serviceUrl": "ENC[AES256_GCM,data:OJxF+1Pn,iv:PoblWQtC2xONh9F5S2P9w2QKlA3+VECkkEXqGobTG+0=,tag:6mdbwIca8tkcFaCMozMSMA==,type:str]"
 														}
 													],
 													"infisical": [
-														"ENC[AES256_GCM,data:MEuciDnO,iv:LvWKf7x/vkH2ezjr43z4jcQevNxSB8PSMwKiGLSTfrU=,tag:iAy1W36qxw++Ryxgedm6IQ==,type:str]",
+														"ENC[AES256_GCM,data:bhchsRhM,iv:YZ4cJnbeIIwaBqrEwlWqWW1lzNvDlWVpBS9D0snVI+0=,tag:WKWDo5WNLqy0Ubri4fvEzw==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:usgsyImq,iv:g0HJFM2JMFSV3rfiCXReICcKzqM9YG9hNp/ybcLrCwk=,tag:Yc+PuLbVWLZ/Q8q0YxJwPQ==,type:str]",
+																"ENC[AES256_GCM,data:4W/9OwRQ,iv:uhFuK7Ng4Y7QamYhD6cXBkaf9ZwqzhCYfYWv7mruuV8=,tag:3UvIj8hAJby9MtSiMKSrLw==,type:str]",
 																{
+																	"awsAuthCredentials": [
+																		"ENC[AES256_GCM,data:pEDntJVG,iv:xkPXQHzT1pt1pwj4Y+dmzUAxBhrDc9zP/N+EUeEKU2E=,tag:ss9ffXuzFCNsyz0l0NUtDQ==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:xvMaG6XD,iv:ubZckHHCsKced/xaCTt5Ci06BV9Rc9vtzZMU8yDHCuQ=,tag:mnqc86uu/x1JN3kiXMw4DA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:FKfA0+E/,iv:upFXl/tmu9U6lc9zuSzZ63JeZLOBj0WSQ1LgsPvFb1k=,tag:JscWVGxUcVYm860kX2I8kg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:KiDvgmnB,iv:myAfDKJeZbwN2L6Exo1nWYQ4Og8FAsTUBVZd0GetPDE=,tag:f8XIKsrjb3IXggFLbZkcmQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:jJ67eRyq,iv:X3kMfDO04crXdDtj9b0wjoEHNHb8xl3yUTvpmDLLrPQ=,tag:UHx84PcwyM4SOkkBuRstIA==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"azureAuthCredentials": [
+																		"ENC[AES256_GCM,data:UM/tqfsi,iv:2xMrcGPr10aW8o+PMjGGonVCjyOJDGxiu8kmWSj0tIs=,tag:te6CjSJiLwA6h9j4XSG2bw==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:VEYHxXQG,iv:1Rl0niIA7MiwjiXckZd3NDvtXiwJk6xRGo5+IuYF9do=,tag:xM4IRU5728kwBXgH0O2C9A==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:WX7kKbu8,iv:xP2IhV7xN9f614RZyMWdcX+tK29JrZNecFwWSv4Ic1g=,tag:hfu37YDX/CMVdZA6s3/Mlw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:lrEA0A0p,iv:v+3swy/lLpF0iN8mKwjRCZkaHq83h2wnNBHceJFZMQk=,tag:xfNfSDrYzTxhfx9iEDuVyg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:EMUhJE3O,iv:ifrhwSlAGErrD03FI7wFlHFkwz7bUuwd5Nrn1lXEl0c=,tag:XVC1Ixbp8f7sQpZHyPHrcw==,type:str]"
+																				}
+																			],
+																			"resource": [
+																				"ENC[AES256_GCM,data:oj2BWT4Q,iv:grZvTJL71FGcYS6zjIG5HpULleOOGqjbyJeQtlHYNVY=,tag:n/oHER8dU5l4I08rkAqAjw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:jnLj9xwo,iv:3OfH15rLG4oN6bzbdFEVAD3Gl5fy9/DPYdeZXYAZpgU=,tag:tB0SwYlvCvw2h8HJ+wQPug==,type:str]",
+																					"name": "ENC[AES256_GCM,data:u1MvQ9d8,iv:qHM4AjOmQsaHCAaDvGyzAcEB3ty1TiypR920k0VR7OA=,tag:HbiXJPXROODV4ziCdptJMQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:6XOT/AMo,iv:CKpTGg4pW4XRqM0UbTc7sOq6V+pg2LoBCisudHc99Bo=,tag:5mw2ezwviPxyPLepZ2GVUg==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"gcpIamAuthCredentials": [
+																		"ENC[AES256_GCM,data:BG5el1jW,iv:+97T13n0qp6T8NcCOGlxnh4mCXZ+0Yve4S2biYqU8bQ=,tag:PopCnti/CGDh/nZ7jJohZw==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:KqXMeYW6,iv:Ykp/xPzxkDfRavdXLmg5ilgpcwOQy/Dv4qZYPLnbqqs=,tag:mOhCrQ8eJskZZHx94yF2iw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:yXMbkUyU,iv:GQW2lPCK2vDIqLBOEDQnjQKWbug8+PeZs+oZLfhIYmo=,tag:S2Cmh6zthQ/7Uiw9Z3EeWg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:yBvrYh6q,iv:a8MMbNV3EgjR2SWvckZMe9hFVbSNH3ZeA/QK/8wbS0c=,tag:TS2/51FhiziIAW9Q03NW2A==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:btoaC6BI,iv:S0PPXcbxhXIiRvj1dK3gNKq+UiJiMEtMc4X6giidXII=,tag:nP7QJj/JTNU1Oywc9h0GVA==,type:str]"
+																				}
+																			],
+																			"serviceAccountKeyFilePath": [
+																				"ENC[AES256_GCM,data:gjSgt/Mq,iv:8jujW/wA8e4w6sOEdYlR9pqCU7fo6b6kNnInngHuGkM=,tag:H/66q2ZMBUlnxA54idpi8g==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:ot8Rox2a,iv:SxlRQ/qeMuoFXEw1fF+Upxplxjbjdws0bg9nssH34gE=,tag:uIqeX0QcYXpwxsvDecd4ng==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Y0msl78X,iv:EKn/HX7PzYiAyBVJRBJXQ/4Zp8JemiOthGEjKad+GZ8=,tag:gxtCMi5ombbnq1bGB76zFQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:0orwQDZx,iv:V1/4ek4hzAfd248eNH1IILCc20fOF9WHtHDf2tzaUC0=,tag:uZTGQf5sZ83CfNugrc3EOg==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"gcpIdTokenAuthCredentials": [
+																		"ENC[AES256_GCM,data:nNNSLohX,iv:yOnZrrMgifO35yCMXTB1+2WzY9hILiqlZlMIz39D84w=,tag:cT0ziNHfaZKrZz43ZCasHg==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:Y0mFAbDC,iv:TLUprhXKgyPNwBdP7UQx9M8QguUb2zR13GovU8CDTKU=,tag:RNpzVBBgqGuL0fGcVpfv0Q==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:a1kJH+wh,iv:gSgZUDArjqaUNPF39uuKWApXTiJfkHOUViIiuq8vt7M=,tag:+yLYsyLklYmVvoeoBzcUtw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:q8Q2G6rM,iv:TW4wRKqKJguOuaOd+cgTANu9zY9mRHzbeCb4mlMrWJo=,tag:+y7jz1Ghvo8wyjkaElj0XQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:jvwlIvxt,iv:ZbW19RYjtke2vcQA+n2GaR0Vy0FEPlQyUFxUBNMgpq8=,tag:gm5KEv3yFpjJF6fctNIjug==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"jwtAuthCredentials": [
+																		"ENC[AES256_GCM,data:/kO228cG,iv:+V51TG1IPn4SLcae5euTIjJtKv+lPgoYbhZ8T5rOJD0=,tag:Mci8uYsxiR1SbsZAQ8C04Q==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:9OCA+rbS,iv:YjFuSE0FijK+wLr2DxNpS3vnDp6RKOq/B5LNVmNTBvg=,tag:oDVjBHDe6ICbXuzKodWsWg==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:XgQHn7pK,iv:/2qJqkqgd3FBs2KiWVRQjNDptCQBNLCZheWZbKTdECk=,tag:rxTNVIGRJXAvKnzCiQO2gw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:alKsUOrP,iv:Am4Ae82KyKEplDFft46i84rHAqPAMvI99YUg86C/nlQ=,tag:R9dx4D9/FOJbb/wAfqmkyg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:RoMp35ij,iv:TE4YQrlNQM9CvnnzSzOj4rtPA/Sk3LYCYixzKqOrSQM=,tag:Idj1Yqyp+P4VZ6cUFe8Fsg==,type:str]"
+																				}
+																			],
+																			"jwt": [
+																				"ENC[AES256_GCM,data:QcxSG8tD,iv:s47cPvvbXJQmjpv5y8RbrdRxfSupd6F+dNAUPrSweBo=,tag:6G2+C+3BswqJO5yPf3FCLA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:fblvrHMP,iv:Vc9J7RdOaKXyYPzmFd863ZrZHw3m7Y0C8rGG9aQHElE=,tag:FS9qJVY0jxkGIAA4+4RRYQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Z+tuVsr8,iv:l/CddVj439ac7tWkOyxbT0MUTGK3QzmNkWk963AD1u4=,tag:jQNe23O5dK/Cb0VgAjC9VQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:9/Qtixar,iv:82fZvCUSw6CB/cSMZdP4wB96Nz5WmFA4PGl6Cb6YBl0=,tag:5Vg7KYQb3TAkENeeKLwwDA==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"kubernetesAuthCredentials": [
+																		"ENC[AES256_GCM,data:w/PSLL1g,iv:TaW0hJbzD+v8jfdtqBxb/GqBSgy8lUKO2qFhGAxRn24=,tag:YmuiX0oQtSR3m2ZParpQiA==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:HTN/zt/A,iv:hINRafey1OOwGgVmcCj/gJkX7+217VF5iJ5UCPEnq/w=,tag:52uW63UXEaVFzzQ11WEJjQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:lwafSqLF,iv:LuhFCRbKtt0LnNtb2YzQvC2pzqnpsV8C7Ag0SbdCXRE=,tag:mvnBkmJm68X1bSRuvJVg/Q==,type:str]",
+																					"name": "ENC[AES256_GCM,data:t54StEhS,iv:Jd1kutc4AVqAgliiW/d70Q9g1KqyzRkaZnpWowXYU2E=,tag:NXIDfO6ky+J4Z9DdA4KOJw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:9sLQxJWw,iv:rNQWPD6OEJwM9c4BaTIkGF7c98bed+g9sCeaSzgpjq0=,tag:YJhAkzKed19j1FGC5Q0XBg==,type:str]"
+																				}
+																			],
+																			"serviceAccountTokenPath": [
+																				"ENC[AES256_GCM,data:6njJUPhw,iv:XErZWEaFy+n8KUJxksZov8qIudNXbVAfPyQZfwHCXA4=,tag:Gi4OLq8qzZokZ4lw1LHodQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:HAUA6vNk,iv:LtJM6ld8bRjFVBt8RQgFpQ+OzT/0TqjBzgGiVkXdYvQ=,tag:dkHYFJKTkxKgq1hiNDP9jw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:W4AUP7Ax,iv:9hp3NdLaA1JuVkXkv58o579Q2kB8WUgeFYTQ5xQn0jM=,tag:9Hjln/+pxKstP+UuLmHPDw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:vc+iXXOh,iv:0Abh4zLCi+RHZCLkjB8kl7JtYSiheFRnMLQkT2kSXEA=,tag:bCFT2kn+cov5KQyZxa/Q4Q==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"ldapAuthCredentials": [
+																		"ENC[AES256_GCM,data:DjSinufd,iv:UHt26UZg6DptcoFkq+kHIRxrL5YWiWoPJ3mTPN32+x8=,tag:o+qVVE2j8mkTnCAtvJ9O1g==,type:str]",
+																		{
+																			"identityId": [
+																				"ENC[AES256_GCM,data:DmkcZXk2,iv:JEp+OklPnRg4nqqc9ucDmuq7eBllqw251JRNgL8VQ84=,tag:SqhPtVxIgdF2zFeiR7aTlQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:LskxDgpF,iv:qEDLH9xfTPXh2nirGPb4Ff/+y9heG5dB2hrkvOOfH7w=,tag:F6lVgxmFcPn9Eoz/Fio3iw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Xx1h6IfL,iv:PW1+aSW04RPySy9Bx7FHRgw1JsyL6GPqhVDS8i1hXvU=,tag:9mbkvCxn3mw4UXZ9P86b4Q==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:srGyWQdy,iv:PFkTz4OeSnFhXPj73d9lcEpLB9To3fmbTuZmSZHrEKI=,tag:MeFjEcepKwHB55OIL9FiDQ==,type:str]"
+																				}
+																			],
+																			"ldapPassword": [
+																				"ENC[AES256_GCM,data:B0yTu+IW,iv:ZAghnFPYWfcfMoMBXSZqWAKU2d/SArlbMKynpvVzxWw=,tag:i7tozfYbk522Prl5FP+qfQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:B7stJ6FX,iv:vV1bj3GTvjENCJCerk/wBJ49yOf1TJhZtqEg4fiWN6Q=,tag:uGPvGqWOm+MWldQBcDus0Q==,type:str]",
+																					"name": "ENC[AES256_GCM,data:ppoaysQk,iv:8VvmZGg4vJmuoPZ96jIds4JONiIpQD4Lo8J06Sq8tno=,tag:SLUO2JQzjVSn4g+6Q1k3yA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:SIf+K5zz,iv:s+LfEi7y9/bRGyeV4cbTLOXOZNcVPxo2/e6Elba39t8=,tag:A8qQW05QxvueEmWA+iFcbQ==,type:str]"
+																				}
+																			],
+																			"ldapUsername": [
+																				"ENC[AES256_GCM,data:SaGvBYfV,iv:OqweQX2RMLJjTXzFHGpowhC4r+fX0JwBjRNj4mW72wM=,tag:1To3luRAmMbRF2/OJGabJw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:VXlbHLvi,iv:AXqF19PNL3C7nTcntijBwKqCDZRltTBgT1iSRs/Y5dk=,tag:4QtKXK8Hfq9BLKNzLCV8rQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:aXogH6FS,iv:fXw2mTDQv/SsKzyf6DKAN9fhFW9DrOLQa0YhmBf0YAU=,tag:ulLxVWD80Cz/d6tev2XRpg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:2VrDXSzx,iv:KArdwYr/+w8EpsjfOuc+5lWs7dpPU6dkshqlW68OJdg=,tag:dLrriqJkCuCwwuMkXqglew==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"ociAuthCredentials": [
+																		"ENC[AES256_GCM,data:kZwBrSFR,iv:AfA6pUGf7WaEPuwbetqFcSL2LeMIYX800xNg3p0Mibk=,tag:Yftar0v7imjp6dXCbAXX0Q==,type:str]",
+																		{
+																			"fingerprint": [
+																				"ENC[AES256_GCM,data:ZmTgK8qc,iv:q8ZmwMmViRdKjobB4FE3E94rEN32u/cxWFWoAvt2A1s=,tag:jZQcTg+th8XYJ7YjvU9tXQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:xPZ2fpgl,iv:UYJKaakv4sOpTzF09uIN1ypdyG3jIQ/kxwuaCHC8TP0=,tag:M7S0UVmctWVacDp5Vj01yQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:wgnt2GLa,iv:4x3QJltSBxXLh926/Gkb38x2Lge07Q3Jwaf1kW+TjTM=,tag:kdrElUShGWvHe1EgmdR1KA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:f6onPXRC,iv:D5+UL58I6HDFo4V2cznfNK/R8PZyY5UprxOKR6FxaeI=,tag:oRDkajoan71ZyjJAUHjpyg==,type:str]"
+																				}
+																			],
+																			"identityId": [
+																				"ENC[AES256_GCM,data:0Z9og2iL,iv:Lga7ETZjccOyIBzOCmjlAKRnU8bMMycfXKBHXCaQg6k=,tag:i5RUaQkFCwe3EZ19f4voHA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:iem048ai,iv:Y2v3fcQbjRLeReRn7BSNHgIRigHECTlC6BPAVMvo9ac=,tag:B5gwBA10yZR8HaRjWp4t0w==,type:str]",
+																					"name": "ENC[AES256_GCM,data:N9zRLIXM,iv:zd42YTDi9xp6lUhnNn2zE5fRk8PSNOq1bij2HRk9Kvo=,tag:xas5tJjiJ2ewxUfIf9ZrIw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:1ILwtaTt,iv:u3zQ3RUxxdQQDE7h1UdqLwz7zHhQ41rqmdUlEbAvUjc=,tag:GLmQ4rrn/6/na9di/j/+Jg==,type:str]"
+																				}
+																			],
+																			"privateKey": [
+																				"ENC[AES256_GCM,data:k0+n7zTi,iv:qmmKMQLhRF8wHWwEdw08BTxiyvLJe4DH5j/cLTakXi4=,tag:2lnC/JnAufhLRQCkfsgPXQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:lwQX1BFM,iv:YZw0Gu1MqmxOP+zlQpe5gHWQ8MuoWKumo5X0vXM43q0=,tag:7+zqlufhpEBq+iYIkRmVtA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:4BJ2TG6x,iv:UUh4CaHDNAUzMBu+QQR5rWqd8IuEc8FXWE7Wpdoi7So=,tag:J6fIxaYltDjDQS7n2LT2+w==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:+veavRBz,iv:g9iiW1J/mJE0nKgDk4VysTpBxmdUfmRKnDcRBxbaKDQ=,tag:vCNkXRjK9mFyT35HsHPdVA==,type:str]"
+																				}
+																			],
+																			"privateKeyPassphrase": [
+																				"ENC[AES256_GCM,data:CmzCzcT7,iv:wdmejHs+rnuNtKeOS0dvSF0eyRRl+Yfq/6Jfg1i3yv0=,tag:7BVWiikF7SDacNkdKVKycg==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:JNXzGZmp,iv:epJHFi6ir+aiGN+Kq7iKD/dJ6SGLFlUk+r4/u0pEIYU=,tag:XrPXZgnOlq45+eLEZSWc2A==,type:str]",
+																					"name": "ENC[AES256_GCM,data:9iL+pyP2,iv:+67flKcKwGEyXZH80C6g157TS+ypiO+phqs6rbywqrQ=,tag:/6HE6/hKhX0/QVFEWTExpw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:4SUowLqD,iv:YK0PZpzta7MYdCtfQvr6q5lQqpVaYoQV1KFpH2UVdbM=,tag:TVE7p+dgQbT0xLpP/8eDFA==,type:str]"
+																				}
+																			],
+																			"region": [
+																				"ENC[AES256_GCM,data:fmdR5m1B,iv:3M7b2BrYyIKpusxv5C0xu0wglgUZHexdyqdbZ/xx6RM=,tag:8wmxyBLmtbJOTSPlY7LTrw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:tr37zO85,iv:uTca2dCyEv8/R7rHc+iwFSjI3BEMq75Rx+did3MIBdk=,tag:Q9/NyzPCeVyAUD5mO/OmkQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Grx3WYTL,iv:/xElDe36SVylpy+SIgny7UAQVl94YJRwx7Wre733xCw=,tag:tknqt36xvxiC51WvOZncYA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:mcKmbPtp,iv:f/0I8VfrRFTuOYvh1feOemPKsLOKzpaXT6hOlzMQvGk=,tag:X9FAouo7Aw2UYlM03sXjIw==,type:str]"
+																				}
+																			],
+																			"tenancyId": [
+																				"ENC[AES256_GCM,data:ijwfzW3W,iv:gfaPyhoZ76zasopkv84JZUNEHQTfAtco+J2ZGLL0zxg=,tag:mIqBE9BLhrOxeJlL75E/fQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:csMbVNTx,iv:rL5jX9VZlpKf0J+BrhpVmKNf4B3C7XdRxKxiE+pheV4=,tag:AqCeIMiVERfpzSxlUgo3XQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:GucQL1sL,iv:/gsqvdO5lqJUAzGIEut731SSmiIWg54Q2cfWLF1MIqI=,tag:9nWoVMfaRgj/Vg9KVShgmg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:YSgYs0CI,iv:gyCNmVZ3IkTJQs6E2bJUTd0gnv9ioKoZQQkqkLIlSm8=,tag:hJX+FYPecZ4TyefHSEWdkg==,type:str]"
+																				}
+																			],
+																			"userId": [
+																				"ENC[AES256_GCM,data:oNXtWlFt,iv:+oFrz3XgxA5sEQLxJK2XdQSbeQNsOuQuirtwg+KIA1s=,tag:NkCqoWEnccWjlMiWfjbTZg==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:VwO/x6LW,iv:N2I/xYmekuXq/EVUdUdGhFAk65cpVhWtsI5dOI7yhMk=,tag:IMiom1lPKXKXC0i7Adlkiw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:VyW+jEv/,iv:K2yIcrPOcZx53PcI2B5VLo0ahDye/0tbDHbaFCWze5Y=,tag:DKzOEdgr8GWHG+oWhxCMXw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:k85GcPy9,iv:2lOqFkNY5GiRgsJ6zaulDAtXCOSWfVs4eh96xswYPTw=,tag:i0YV71kKOjPNxcBiMQanVQ==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"tokenAuthCredentials": [
+																		"ENC[AES256_GCM,data:v7+VVVva,iv:usghc818rPFXVhaq00h+5skeivssvkNiob0QJBl19CY=,tag:RNv/Re+cDN1Fn1j933uyvA==,type:str]",
+																		{
+																			"accessToken": [
+																				"ENC[AES256_GCM,data:aqvILHfO,iv:QqIcP94l9s3zfsd+FfDrzxO6xr00o129zbCulWmyr1g=,tag:DF9fv/t0ATuoN9fHo7Qv9w==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:9RSTJY41,iv:uex8xuT41MGycP3rd1SXjT5ft97dS/P4QhH9IIOkRDA=,tag:dL4KnfwWgffNaRdYKF2FqQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:I7TRCo83,iv:exn4r3PhCh+spoVyVEdnxZHS78nZIQh/fpSVwWERgds=,tag:IcpdnqPFkSaPhLqlklFJbw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:iTlUZPwQ,iv:aVJCYHx4H82gvzL8X9qqER2pgU/cs5v+52nxrjIg1uk=,tag:vdQZGfU0FqR4WjPjhwJdRw==,type:str]"
+																				}
+																			]
+																		}
+																	],
 																	"universalAuthCredentials": [
-																		"ENC[AES256_GCM,data:PmrPp5+Y,iv:YeiytB2yX683kcpzE1R5W5XzhoW4j8VDgb2KHeaBfwY=,tag:tr9Gt0+TueKb5uv1atS8Jg==,type:str]",
+																		"ENC[AES256_GCM,data:Y42TNTgO,iv:RwIgVMC898E2K+53NuN4NbLSl6wmecv/0qffF4aWy3s=,tag:ZFvHNXpyxK6cVAPH4KUAlw==,type:str]",
 																		{
 																			"clientId": [
-																				"ENC[AES256_GCM,data:qHipIbAG,iv:oWLZXl4vjf0NTdrnOp61rp3TRBX2QNgV7t/uPepLdM4=,tag:X5eBNd+Av9uTSlN9dTWF8A==,type:str]",
+																				"ENC[AES256_GCM,data:OoYd+uM8,iv:43rh2fEkOMxYlsiDNTtdMO2Z/JTpTKDaB5G+LQ4+j6s=,tag:wTJEBnPSQi9S0JXT7kQsRw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:g29pLVFQ,iv:ZM72NQ0UfE2O23+cnBTv3+ARwRpcTxSTPKfO+myrAgI=,tag:JRZlRpcV/XNwdtEVfku6QA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:3pOqCLQU,iv:dxZ3ZfmBedZLqgh0izUaIuskdj0hlK6Nnl608PbKmDs=,tag:WSWuM9H5YVm4xAmmi+KYng==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:or3kEIhe,iv:auLeEcBNUZOnXfPqYBa65bfoV2zxduR/DsH/SwzsGYI=,tag:v7ETOx+dzEy/dzBPj8UzjA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:wBrStjGy,iv:Tpazh8AsRbvnX5oVlrZlFPMr7Zz+Ka+6djbdxvhZohQ=,tag:PuZmXsuWhUDzhg18QdnW2Q==,type:str]",
+																					"name": "ENC[AES256_GCM,data:JlZoDQxS,iv:mB8XGSfBuHlogrfNpVPNG3luQeZK4kHMimLnPx89LgM=,tag:gQaZosCaSdEgRAOpiGSFMw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:6+3f6Z0u,iv:SuzhhxRT1av0JSLBFlDbi02jeVI+3fR1Hx4Xe23C8yE=,tag:wLLinOAEA5xgQbUjSzMd3Q==,type:str]"
 																				}
 																			],
 																			"clientSecret": [
-																				"ENC[AES256_GCM,data:46JNHc+o,iv:TeLENafGSO0ln1Z1dmfSOb68yrbu72GBbpK2N56KvSo=,tag:Kf2VKa8vOvXQCd77HBGwzQ==,type:str]",
+																				"ENC[AES256_GCM,data:hNHrk5Wi,iv:RUIfVOtLLWPs6rt0HT/+7KTsmfAwD4FuunYDi1kTneQ=,tag:8mQ+smL5rbicWzGC0muOBA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:LDvxJ4zn,iv:GVxcs2JuIzOvWC7P0lP8GdXiSbq+5b5RqrxH6fPAay8=,tag:NJ+MJoZSdWtd3hZEnVJwQw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:+dEWrQ0V,iv:bwJXPm9jVLhwiZLbsw3EobDGB0A1xz2ZV91tMAg1DNY=,tag:cmu+WHe2RvWtC9+YoptmcQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:x6MI8jlf,iv:IQNkTGSqWQutpSlLHl9vWKcmD+0aH74Qe1axg9KfN78=,tag:NXrxUFf4lSzJgVjW0o4Lig==,type:str]"
+																					"key": "ENC[AES256_GCM,data:ppzJ5IyC,iv:JF6B19vHxUbfEtrbTl57RGaAR4023ofJWyXL4tMTHlc=,tag:gSlAeyYacjhrelc4XhNuhg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:IFDsrrIY,iv:eOu0D4dJTH2j7K1G48X5wU8zsMGFuqhV6sFOOA7Ioqo=,tag:rFPjBKgZmqtpJg7FxHb74g==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:YhDCd1rv,iv:VYJie3P+2ihnl0/+3vjV+ncjpIwmX3fykgGhW47Luew=,tag:23dzKfFv58ci7T9yEM8lUg==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"hostAPI": "ENC[AES256_GCM,data:0Ln1lD4k,iv:eVF/qxri0/WNq5d5wfh7Rgr2HU1Vsqq1IJnok7YGBZg=,tag:Mc9uwegPNH2mVdF1RiGa3w==,type:str]",
-															"secretsScope": [
-																"ENC[AES256_GCM,data:wAZBvnOf,iv:77GGwauOqdEogp3dlaPsBRKLwcY2dgDnLtngU5kxsc4=,tag:fkaEirBfwW2FA7l+g0iEPQ==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:Mjps0Y5o,iv:e+25zDrxMefU8kG34scFbvE54v4uchZ0S/Hw52YeX48=,tag:C3gk33DVyEVwD1yQ/aw7tA==,type:str]",
+															"caProvider": [
+																"ENC[AES256_GCM,data:crjSIQ2J,iv:Y7aFDR/C690ZWJJd9YrJP/VwI2AFUZw1w/NoopRLd6A=,tag:ZSbbutFILbOMJ7djbZzieA==,type:str]",
 																{
-																	"environmentSlug": "ENC[AES256_GCM,data:I+4+0mOa,iv:Dx5TyvWef9pjY/Dt5DTo+unshdjpL9wZbLNdKes1Ir8=,tag:RVLDLEd4YfnFJjluQ6VpaQ==,type:str]",
-																	"projectSlug": "ENC[AES256_GCM,data:DImbukXv,iv:wVRtrqunthw+3v2cq/mmaxjO6L7AthVM4scVbHQZPfA=,tag:Vms8ncc4t/toXNfihTcBkQ==,type:str]",
-																	"recursive": "ENC[AES256_GCM,data:/ZqIeQ==,iv:xL5YmkWP7tglBgGT/EcK+9FuSyaiidCSYp2VtGY1ZVE=,tag:+CrW8/ynQ+PZjA+mk3Qf5Q==,type:str]",
-																	"secretsPath": "ENC[AES256_GCM,data:k9hlIDS2,iv:NLR8ybex/k3tXZYh/rkt994qUHTHAGHKIdkaLSUGzb8=,tag:Jt3+6uKTwb7SPT/045B1vA==,type:str]"
+																	"key": "ENC[AES256_GCM,data:OjtLNqP5,iv:hIGK3U2eB+dlc6H4FOEREFfqEoy/j4dXIZLXYQbca4U=,tag:RjZDcVwiZIPRpaC7vFrd7Q==,type:str]",
+																	"name": "ENC[AES256_GCM,data:yb4Q9VZe,iv:hqIVA9ktikNjToJoguYoMHrHdfx/4iW90w+knyk33+4=,tag:/XOKjP8VcL8n2etWHJRDDA==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:7zynFwx2,iv:osDLk1qCQmzPgcRssbvxtpWo4Tsoyv60jCNzEh28AuY=,tag:rVfqnwM2yq/9ybt9m2MJJA==,type:str]",
+																	"type": "ENC[AES256_GCM,data:OzfBwycB,iv:dUdfRhddMGcfQokGruX7sbtUgzW0j8uAsTxbhT7ntv0=,tag:+f6HgodVR43O/rtDZVXvkQ==,type:str]"
+																}
+															],
+															"hostAPI": "ENC[AES256_GCM,data:4MkO5PPV,iv:FuGJn/zbC+B7nERqJFGXcKtEbEL0JaewbBpFBd/CT9E=,tag:6i076RnXxlB8XP5TWJ+o2Q==,type:str]",
+															"secretsScope": [
+																"ENC[AES256_GCM,data:qjWimmuE,iv:ic9OvBIk9MEu4LkgzFxByjZ4CeoWmShP7XH4HZf1nh8=,tag:YUOakU2eQnpEKkPwzrNWBg==,type:str]",
+																{
+																	"environmentSlug": "ENC[AES256_GCM,data:UXxvmRdo,iv:fYgdETjNG7MmUNcikIl9IZKkv+r0WLQwrZfq8GlsmX8=,tag:GqUxLvasN7RMc18OiUXqlg==,type:str]",
+																	"expandSecretReferences": "ENC[AES256_GCM,data:IYlEKg==,iv:gy/JT/VCudcjEIjDNrnq7dzzflKh3utLm7nqL540UfQ=,tag:kejjGkgw3OXlYTiiufUm6g==,type:str]",
+																	"projectSlug": "ENC[AES256_GCM,data:+ioFJbrE,iv:GTBy6+ej+tBk23DXzeWC47BS/0H2QQRZ36Pp5xQ/4i0=,tag:JPY437wHcWYz1aRxYga0DQ==,type:str]",
+																	"recursive": "ENC[AES256_GCM,data:gXUIuw==,iv:u4yXc/8U1p/pDbbBdIpoefCI5G3dRmG66svpbGYcow8=,tag:+Y+CwJL8WtXcm0Bn4BmwLQ==,type:str]",
+																	"secretsPath": "ENC[AES256_GCM,data:o2ypUY6d,iv:/okmnW2AMMU58edZFnr/29xcYDJwuEUbc9wSI/rZQM4=,tag:vCz34bfrDldqz1+2Twjytw==,type:str]"
 																}
 															]
 														}
 													],
 													"keepersecurity": [
-														"ENC[AES256_GCM,data:d8NzZ2rN,iv:eagsGtsDGmLp62WuKZPvwSlERahDiV8lx3wHLV+CGxU=,tag:1x+54k/nzbLT3FsmV7pTAw==,type:str]",
+														"ENC[AES256_GCM,data:0S90cf5n,iv:yctPqowmZlYJL7RTOtoC53VHgUI2ONcVEjF75MoojLM=,tag:nDqUOMuS1MUCGk1+13d8+w==,type:str]",
 														{
 															"authRef": [
-																"ENC[AES256_GCM,data:b98nX+pP,iv:52/Ez44uDc+XWkI/vAcNigoGAGHsX4M2jfhJSPUm16I=,tag:qy3urSGds/jEcA4rzMXayQ==,type:str]",
+																"ENC[AES256_GCM,data:vg/iQ8oz,iv:iqBxuTb+rd/OsO4P3+d3m1jWn0TY1IoJkc9DKsntM3I=,tag:dbj3LTcbQjW6v7Inaka3mw==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:TUq5zBtx,iv:WjIEQ4s5xFkAZ0huOJQ1bSNGjwyoSk3EJZgNPc/MMD4=,tag:3SrktLYdyBTJxwZ6fZx/Zg==,type:str]",
-																	"name": "ENC[AES256_GCM,data:mvJdeSyB,iv:KTF+Ah4eMFHQm3nMQTvGTP0xuhAr+MnOLUXzniTvw7w=,tag:1G7l4LllrKYytFXheW954Q==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:ISw5mWkq,iv:iAyfxKhnu1Je+w7eYncTbBlqXw+2q2S5T7azT0Izb4g=,tag:LyCgV+FJgVTCHSXCNRdq9g==,type:str]"
+																	"key": "ENC[AES256_GCM,data:GEoj6wtv,iv:2z7Z8AXwfZ0IMOG57c2Pjq4siV8LlCphnYocPwvNTuI=,tag:fE1ipAv7GYS4nRmk1W79hw==,type:str]",
+																	"name": "ENC[AES256_GCM,data:jwUxylE3,iv:IDkRhL6CfsgoU+MDmvVMBJCKVEN6xkxZ77bJ0Pu6KWM=,tag:ZSOaGyZqJdpEWzxcFrPB3w==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:Abge3E7G,iv:dssqXEQOprc+CcZRwzX3xW4TiUwlzEKylhRQf8y2oNM=,tag:+QdfH+s62enw7AzrzgBvcw==,type:str]"
 																}
 															],
-															"folderID": "ENC[AES256_GCM,data:zqwNiJoQ,iv:3vUmzcwb3d4odarxnxXZqPB4mkmVp+J4XcqI3mUkGI0=,tag:ww3V6kht9Falp8hVaNbmlA==,type:str]"
+															"folderID": "ENC[AES256_GCM,data:teiKbdWn,iv:Ef4fxq6CE5GzJXOfVyOs+CpfDytdwQc2kIDjvfQZ244=,tag:eu+7S58JXzCS2S4vS9PYbA==,type:str]",
+															"getByTitleFallback": "ENC[AES256_GCM,data:VpPRQA==,iv:YMb4PKti2Rglz4oEK61ly+LWDhFtLvCzLWuiHpnMofQ=,tag:uDjtY4Ynk+HJ6gqyduaZ3Q==,type:str]"
 														}
 													],
 													"kubernetes": [
-														"ENC[AES256_GCM,data:pRrT6ZPJ,iv:kjvfAmEsGD2gL/syRy6IEras0d+5mzFwwha5512W6lY=,tag:iIZGYmkfp7hgIpZc7plM1Q==,type:str]",
+														"ENC[AES256_GCM,data:H3DtB4wn,iv:iOjuozU24dqk2ZR9cJl8rKJ/42lu7yEnQGngFAbRJMU=,tag:98xrgIbag9xupTcjAtkTSw==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:Sly5Pu5n,iv:GZWmXvbFo+2YeE+62NShjbq/AxkEPrKYYosSgngE+Ok=,tag:aXCor2QwTRVhtNo02h5QJQ==,type:str]",
+																"ENC[AES256_GCM,data:NG9dAWR2,iv:wOZ+b9882R6GmY5Xj7vrvhDdK8/RFqeZ8bS2gA52axA=,tag:tePmhTIvW/vFnx4RrwOgKA==,type:str]",
 																{
 																	"cert": [
-																		"ENC[AES256_GCM,data:CJDfPTGL,iv:6iEX/uiawzmg/jvKxBUumtw7CtdivNcdiCacuLNDPAQ=,tag:57Ay6DeEgeRI4y14q8fMwQ==,type:str]",
+																		"ENC[AES256_GCM,data:gpopyY+i,iv:H0+bZ9UK1dGQbNG7XQv6qYP+d2WVFsRY+u5yjEfZlh8=,tag:II2E2jrqn5bvgsF5olOgCQ==,type:str]",
 																		{
 																			"clientCert": [
-																				"ENC[AES256_GCM,data:FFch4ch2,iv:MGbGmh96q3pIZ7vrfRFYBDSW3xHDiS2zB27W9tK/lt8=,tag:qeMFr7QdFBLgFnX+mKjM/A==,type:str]",
+																				"ENC[AES256_GCM,data:gpiJw30x,iv:PhkpFDZLGs3M2QTXgW6RwKx7SOo45ieiR2cA7lrHo/Q=,tag:1vz/0VoHcI+BHRq3xs/x1Q==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:GYNZ//Nv,iv:NK2wL82cD8a8p+lNkj++gEOKrp7+924nT1ygeMIQ6Bg=,tag:BpvaFWRCeC9yfQsWAscW6g==,type:str]",
-																					"name": "ENC[AES256_GCM,data:dYrozD+2,iv:HLzsBjKc40slk53KFwFWKeIKpMuZ+8nYxPdsn+RGHC4=,tag:A/G8Wc3F6MpK44Lvmjr5BA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:Wn2eFAE9,iv:RhQhuIGyXfVhFJbW45SkDAeZOlViXP7wn5rBXWgW2tA=,tag:wpkIhxWotk69suN3lOrKmQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:h0d2lVYX,iv:uJJMypaMZX6oJDRrcuT3rj8OFvkEHMHgcLzLOXR9EY4=,tag:YzzfncnwmWO+IQmBlwpyCg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:eB4ue30z,iv:eJSSsurbNySlq1zyAlP9ItX3RigQ81GycpazRBLSvig=,tag:XcBB0ai+6av+i5HdSrL4vw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:op9epKXJ,iv:SD6WUmsa+UVMYfR3zyHE/dA76KjZgOdRPtCb1OYfA60=,tag:ab5tlIblffGXM4XpgtmH4w==,type:str]"
 																				}
 																			],
 																			"clientKey": [
-																				"ENC[AES256_GCM,data:QTP8Czx0,iv:w4Txkjd55sBc6XFsyPFAIyagNBLV3wQdZGpBbEfCRAg=,tag:BHUuqcoXLAhalKDJdJK3Zg==,type:str]",
+																				"ENC[AES256_GCM,data:fUSJcxdw,iv:s487UusHoRFaLRqrBj3KX9xHQFEyGjXuHYbZwGyZy3g=,tag:j1fAY4j9VRUPkSwcLN6ysw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:P1VL21ne,iv:xvh2UR8OO6L12D0JGSuTILHI/crCEi2eOsnM8B+vTeI=,tag:/Z06m29FORUe+qHRD3GFXw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:9Qygn249,iv:yeM2q2Y4xb6I3eXBuWNXAMegL0X48KaMlRRsaY162Q4=,tag:BllKGtbzzvbYgZu4jJXVRA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:Fklhc2iG,iv:OFgdEzjwqB1YNTlnIG/ruxMDXhmeGTPvnkCt0WKH1/I=,tag:H3xE7mL3JS6X8AZeI1vzwA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:mw4wxRfw,iv:Eq46Y1GdvQ3ySQAk8kEm4w33Xeh8eAgzdN/Et95i2hY=,tag:nO7l2yucO+hhvqeWAaa5nw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:8pvM0TpE,iv:w+/B+xCpCLEmLwjKBdYV6jHjJ//4V6tL+b9QkS7pX3k=,tag:B5uHNFhPLk+Ba56FZ6Rgqg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:DpTRGPu8,iv:aSE5p18ANShtav95HqILwBHiOZXJqOvviz+r94wx2oA=,tag:bCrkDNX7kn/sqWt2ghQ9nA==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"serviceAccount": [
-																		"ENC[AES256_GCM,data:ioLw21YO,iv:7c8q6cnH5IbauxCbelvk419yXhnsgkhxIPLGQ8uBM9k=,tag:r9YuSI24YTE+QQtPvO+5lw==,type:str]",
+																		"ENC[AES256_GCM,data:okGgXli5,iv:5NecqxVfHlOx9zo7Acb7cAvumiyos9jzyOeJCvJQK50=,tag:8qffhP3VN58rz9eu3u26NQ==,type:str]",
 																		{
 																			"audiences": [
-																				"ENC[AES256_GCM,data:kyRlVA==,iv:qPo5XAk/QPeqcy3U4pLSyFvmukEGr0URav+6DKeucnQ=,tag:dBAH9F+yzpkhWYZt6QCG9g==,type:str]",
-																				"ENC[AES256_GCM,data:fDZWpoQY,iv:WbX7G1mk67vSmNeiGPD4VwCN5bJ6SlJfRVHjxRNyiKg=,tag:b2qqy00KHDIAgE5l3vSO/A==,type:str]"
+																				"ENC[AES256_GCM,data:t6qLhQ==,iv:VMMN37dQx1h4/ccL4RzqumHaxthgLkAWuPzDTRvTyj0=,tag:e27zBoexqAo7NBH55zROZQ==,type:str]",
+																				"ENC[AES256_GCM,data:k4txx21K,iv:8C1r3UtG3a25YRZ1Vwpyu0YI/Pm38SF4+BZIGgmznHY=,tag:xzH0+4VFhOt6TH5shuEpZA==,type:str]"
 																			],
-																			"name": "ENC[AES256_GCM,data:IN6OFDen,iv:NyY0d1agLt2GCshEV3OHaHA8kMpqYqKy0jrONJ+Ve60=,tag:n0FKCbT1YnhUuJ2sgxMpHQ==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:lJU7+EAx,iv:WoPa7EHSk1jxsy1VQYh+s9UqMcTqGWbtOkzjUA3cQeI=,tag:rIz8xwBn98z3FvjAh/bhsA==,type:str]"
+																			"name": "ENC[AES256_GCM,data:czo9bkuj,iv:gSB8BVG/CB4TLdBgGebNAAlcxrO/x7k/Vkat2qC68Hw=,tag:jodE+8S5GFwPmt9krp9FYA==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:ZHJvgL8A,iv:b486+/iF6S1hnunvPnjRDBjgM/q20LkgqBCciBdLXXw=,tag:mBSVlhUpHcZA/L07/mIjzA==,type:str]"
 																		}
 																	],
 																	"token": [
-																		"ENC[AES256_GCM,data:Rr4BeiLX,iv:sgeE7V7N+Kc5762MaJSfnrIfD5ZjUAJiE6vfNw0vQyk=,tag:KGbcVdggNL2yKNw5O2fTag==,type:str]",
+																		"ENC[AES256_GCM,data:VeiKAqpz,iv:TP0O6eiaYMiVKDCIS6WLgX7UuD9ZhrF/itJXkzVcSkQ=,tag:oHrVHyY09OgZUe5NRs6g2A==,type:str]",
 																		{
 																			"bearerToken": [
-																				"ENC[AES256_GCM,data:Ct5rCrz/,iv:POXA/deXFlGDUDoSpaTU1GchadkwXnC+YPLwoViEFgo=,tag:lHCoIImNGMzV0HGE5qaklg==,type:str]",
+																				"ENC[AES256_GCM,data:6NYztCwV,iv:nJg1f4DaryU5rH9aaZiXb4Rd/bumKm/XqVOziLe6mPc=,tag:GsCCJOdyqYCUUcsaXFl0Bw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:WbJ0o8TR,iv:W+DtyHJ8HVoI13mNjupsdSUnEn+mu1GVewMmb7noAUk=,tag:s075TksH9uWbhYtAlhupDg==,type:str]",
-																					"name": "ENC[AES256_GCM,data:ke5EaPV1,iv:b3LLScgCabGzdDUAoF9eczLpMVnDb7vpL8/NHihPysA=,tag:cFA75BZ1fgu/y+gQVpFZ0Q==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:sWAUSp3R,iv:yTlAH3SPV2QJBxJ+Sc7rHOUhnlcl1xruzwgqFfyGlko=,tag:gQJkDzlxqcBzGbD+0CcWWg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:XmkpwFS7,iv:epax9R5GrJtG3yyIvcQkENDfrH+7xB/dD8uDTHflHIA=,tag:yFHtYlK52RD2GPsIE6frpg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:QWY1xcux,iv:e67lJ+wVX8DzLubUzJ2CLGaejsFLDq0QvAf701bPzWA=,tag:zB8jXwZyiW5FHimBDJEg2Q==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:COFFD9an,iv:iOS1jDCi+Zorb3IfiH6ZycHmrCfUzO6xr7o1pnmgQDQ=,tag:7lnAdBzWeddVImKNcI6YSg==,type:str]"
 																				}
 																			]
 																		}
@@ -4545,652 +6633,1008 @@
 																}
 															],
 															"authRef": [
-																"ENC[AES256_GCM,data:F/en4Wle,iv:N2m7SoB6AW9v/KWAz8TCEMINiLtXCktyTG4rb3oqcf0=,tag:HiR/O8EsKZDbRGBCNBRBMQ==,type:str]",
+																"ENC[AES256_GCM,data:8AW06Nhe,iv:cV7yjiylR9cIbt6A7OApVY3iVb8V+uJoo5xdjORaM/M=,tag:i7mi5FfGrxxcnlSS8CmuPA==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:IyMtlpAE,iv:EQMDZHS9WOAJfPMmCe9kpplmIqm15oSXwzWNI4UFMAo=,tag:zq8Y7zcsAsZ4Bfx6u25ofw==,type:str]",
-																	"name": "ENC[AES256_GCM,data:7CqaoElH,iv:5/xLQtM36AP6tI+XtCcieF4qwAWr0v0EynrIFoOv03Q=,tag:RBmhRdrFtxbVO0zSrJnvJQ==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:OsVHePiA,iv:kDSKecNqcTDBXg4FjJRvkrs01tD0WeiMHxthsrB4+d0=,tag:ATHBIC+o826BjdwRFdbpjg==,type:str]"
+																	"key": "ENC[AES256_GCM,data:3SGG/we/,iv:IU3f3MrMjkQFQGYdW39UGOAQ3xq1hfYbE0Oz6jkWZ2Q=,tag:vlxffPymWIXc2KOAdx49ew==,type:str]",
+																	"name": "ENC[AES256_GCM,data:xI/a3Fx2,iv:kMIFHhAYeNOylC9AIbHD5pdIkYl76rSbTGJh0SSIegw=,tag:UW1LXqUz7WwHxhOZ+f+BBA==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:oQO329JY,iv:B/CoZOAD/PwnUlBlK/NYF10HEdZASdKsDVgDjgsqfOA=,tag:1kJt2Vrm3XCfJ2jwo9ZBgA==,type:str]"
 																}
 															],
-															"remoteNamespace": "ENC[AES256_GCM,data:zD5r+Kun,iv:msU4JeTRM6w42+4g1BRvb1zf2M6KXYEy3qAObh5EYpI=,tag:9mEPidBmw7Yfx+yvKVi8/Q==,type:str]",
+															"remoteNamespace": "ENC[AES256_GCM,data:cUD9zD7f,iv:/qWgdk84Z1VDF//ntgYZbbsj5o7zGtxNtXFgrBat31Y=,tag:1peWwJt6sRmkS92cDNiivg==,type:str]",
 															"server": [
-																"ENC[AES256_GCM,data:6XbGDB9v,iv:bpsBK5HqIRAJuZsXxEuKbnTz1Nmb9YsCygZXbd0pAI8=,tag:1P0g8SwJhIT0HYpydQegXQ==,type:str]",
+																"ENC[AES256_GCM,data:/AJB8Te1,iv:5wH7Ut04OSBFMT9+VNzfZ7JsEWXIu2n4i/zZLDdUe0M=,tag:IFURXkL6Oo+jw++n0ivc3A==,type:str]",
 																{
-																	"caBundle": "ENC[AES256_GCM,data:kv3zhkSc,iv:8ZpwlzU/Q5kTrdCvy+r7reYqkZt8apLj/mv85edUorQ=,tag:yTMPI3/uVbgTCiD1JtrIjw==,type:str]",
+																	"caBundle": "ENC[AES256_GCM,data:hOvNQHnX,iv:Inxv9xeEMWz3v2KZ5/wZ8yrhQa2/pO7hjEAaVI2s4R8=,tag:iutNzaGcTRbmzHsSqHQucg==,type:str]",
 																	"caProvider": [
-																		"ENC[AES256_GCM,data:HxhS0w0o,iv:YxzH7YJ04P+1y0j9VsMcFHvbP3HpMa4qIFCTHZjc5mA=,tag:a5OYg2xEBiIzJ2MaPbiQHw==,type:str]",
+																		"ENC[AES256_GCM,data:SagDN59i,iv:EFpmehU/rTAisYpNUF69Ai1LTZsc5vhxP8wgXPgxnDg=,tag:hMX3U4UeBsPLWO0sGOdFyQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:t2NVG5/b,iv:LKbZyjCieOWFn4ksN3ibXaMp/xejBL8+4M44Pk+DZ4w=,tag:5PTuqrQvEmz81lCCGkdjlA==,type:str]",
-																			"name": "ENC[AES256_GCM,data:LJuDyx/2,iv:PSxjR5gFXqHXJ7l8HqjNbefQyAQZJhJfxcD0wG73Evs=,tag:sVRobzYVvwbqO4CR6ybQ1w==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:aAzShneP,iv:Tl6WzDITLkYSoVfprmR9VwJets9d7i4kS1A9cFu6Mwk=,tag:VDqdPSKPoB5DDICUFWcmtA==,type:str]",
-																			"type": "ENC[AES256_GCM,data:2/wapVq2,iv:vaqGQL0T4m1ZhRwh3uffU24RBYKP6pZc9U5AqlNvUFE=,tag:gjgBPG8Gh/sK62D/kWGUPQ==,type:str]"
+																			"key": "ENC[AES256_GCM,data:CwlHnVEI,iv:0Ee/KkD17JqOd/gRw+HvFFGJ9EK5Q8sSCz4GK6zaM9A=,tag:hvBHsavtEm9E0BwowzUndQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:xXyh2NOv,iv:dsS7ci59hryRXzayU0JkgHgRnCKt26PHcELuYtOLDmE=,tag:6Tzpp1+Pnacmef14px1kUg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:JdeB+/Br,iv:hF4Ah23XNtg6FUJEkoBMNVd7qpOi8p7tSxGB4MNvNFI=,tag:Q8bOos5P67auMZmgHBSG5g==,type:str]",
+																			"type": "ENC[AES256_GCM,data:269jl1F2,iv:NbguYSm4EtFJjsUewZsQB0/5/nhIifK1VBX5v0Ldla4=,tag:dr793ghMNzRwEjzwN/wNBw==,type:str]"
 																		}
 																	],
-																	"url": "ENC[AES256_GCM,data:X1moB9Dw,iv:UgfvpA6LumDOU7iOduokR+8QCzOmJhbjGG1ErULK3wE=,tag:eZglNvaDdEs+rwMBTNtZDw==,type:str]"
+																	"url": "ENC[AES256_GCM,data:pKjvv1cN,iv:yv9VYPoA+1r8KjaTUSh4ILtg1rkYgWpqTnvezGwwNW4=,tag:501E7T3hkeJyWh8qWWWtjw==,type:str]"
+																}
+															]
+														}
+													],
+													"nebiusmysterybox": [
+														"ENC[AES256_GCM,data:JWybGY/C,iv:CgXtgKMFyvCnxdlFQp19422WL/OdNBwUDED21l5xsnc=,tag:j8bQgueF9HASqK/Lxr+uNw==,type:str]",
+														{
+															"apiDomain": "ENC[AES256_GCM,data:9rybFjAp,iv:T/UBV8LbAf3tnKIX5CVkOp89JWlQ/zeXxJloPCy6nMM=,tag:mjLH7m/ynC8p7t+siLAXgg==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:Yl8h90Cf,iv:xtl2tdchFttLgo5MZRn6cuUHZYy8VrN2liiCWDkFHx0=,tag:Y/6wxiTYpndybURXYieNGA==,type:str]",
+																{
+																	"serviceAccountCredsSecretRef": [
+																		"ENC[AES256_GCM,data:VzzHXRZX,iv:1yBwEuUiW2/BQ2TuNaXw+HslMzPNO82Et0LmLbxlQG4=,tag:F/eFl2Q6RAoK7AOM8y8cpg==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:+qkz9wNa,iv:H155N+I3wVl3pP/OFsByUGJR6VCJGiwJAhEc5GepGQY=,tag:WB1NwXEwmllTv8IGRC+XFQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:nMLyd0jV,iv:QL1opbjraR+Nf+duGF4r/cYVjk8gsVWyMV8dRLGSOEU=,tag:aDhySInO64HRRbu4rrn32w==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:++OYw09c,iv:8swmHoXhXRIibBzjzpUeIxvGBTQvJc1dPWW043ozyc4=,tag:Iaao3MsayIlMOJU9AECL9Q==,type:str]"
+																		}
+																	],
+																	"tokenSecretRef": [
+																		"ENC[AES256_GCM,data:lHvz8CtQ,iv:ZLZIECA8VYE78TQ5HYq3UkMI3utkT8KM9BcMbyMPh5w=,tag:+Jh9UeuZ7Toryq20Zp8lDw==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:wbm4iquW,iv:DKbwELER0uDPafkdtI8E6v7Pi5ljM40HabXw/ONe8AE=,tag:RBQiTekwFrEgVP0RXquZAQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:rOZT+Cae,iv:5oKNmrYuFXmgvHw/OylvMZzqYbGYCke2C8zqqjGUq80=,tag:N0onCAgQ/iws7qardqwNZA==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:3KCL1fWM,iv:4tnMBFdo8rdjtn0Fvfhc3/PDOI2l8KJDKU8D7b/IdLY=,tag:J5JK27jITfc8Cv77ag+6Gg==,type:str]"
+																		}
+																	]
+																}
+															],
+															"caProvider": [
+																"ENC[AES256_GCM,data:dlKGCTze,iv:rU7F4nM8PI0TOYWqugB/vlojRdpnre6sxg9UPypxp6A=,tag:wPQDp/GlbzWQMgDiehDKUw==,type:str]",
+																{
+																	"certSecretRef": [
+																		"ENC[AES256_GCM,data:ul+JjqAq,iv:X6ODzLOCca4jmc3mLxW/IB4oe60PXQJkvT4OLcvLxHM=,tag:40Qy/FYiosKmrZL2yqogrg==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:16/raevZ,iv:gN+eqFFsmikT+QYoxjtYQLSvhJyKbwTAGcJE6F3RXBw=,tag:zMufIDz6QpEbr8rpj4rR7w==,type:str]",
+																			"name": "ENC[AES256_GCM,data:egG4GI5p,iv:xUEddAy32qdR/j3aamf3ertXTrwUpCF7fZMhxpBKW/U=,tag:staS6jlIvuWVPYo2s1EqMw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:qVAYRx7X,iv:plNqOE69KKJ4EEW9I4WWEsVN0alqNCccbPn8Yq7k2/E=,tag:nJr+gx2kqWKsTRcQSdcwtA==,type:str]"
+																		}
+																	]
+																}
+															]
+														}
+													],
+													"ngrok": [
+														"ENC[AES256_GCM,data:dpAm2GLF,iv:9gRtza8hcoU9i171a1zZDsgued72rUCxkC4MwHHfHrU=,tag:NcX2tKIqg/0Rfp/uhjUBVQ==,type:str]",
+														{
+															"apiUrl": "ENC[AES256_GCM,data:2tr0gG65,iv:aQs2PYssnId0gMCo3HM3QhvUMTbZVig1lB3Bzm9F47A=,tag:FIij14IuoZ7wvERG+7qlNQ==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:+KRkG4/z,iv:XkHmD/tso1pwvQ+ccRTwGIKHVysskixlX0A7Q3MOqeM=,tag:VDclAWNL+OLhAi5tANHaBw==,type:str]",
+																{
+																	"apiKey": [
+																		"ENC[AES256_GCM,data:8kv8TfMu,iv:kROWAEZ1lWH7QvfSFIomnGGng5WMktnhXcM+OIQz2Ts=,tag:LrY2DqOwqU3NtiiL76jjLQ==,type:str]",
+																		{
+																			"secretRef": [
+																				"ENC[AES256_GCM,data:T1C33qFb,iv:fhG5tPPWuUoAGwF2d986gda9jTy6ymOUNxj2AVrBpzA=,tag:inYYjbwXm0JhyQcGYKm0gA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:L+xkb+JG,iv:52L2Twd4AAg9Z/7KORroSUe5wIUdlG7LeJrnudhQuTQ=,tag:9+In3QjnNH+P1b0sItMBew==,type:str]",
+																					"name": "ENC[AES256_GCM,data:BpyIUqn3,iv:qUWV8VuqMMGUJpSlsTgrAxr0oJpK7PZFhPPAOfvJwhM=,tag:L/yYS7t+P56GW9cKtyZJIA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:Rma7hbVz,iv:YWla9s2oYfcyQ6zOT3THYfN8O4H0s94MYPhdah6ntPo=,tag:oPgFRlsG91ARoVV1NuY5Bw==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"vault": [
+																"ENC[AES256_GCM,data:bbUGqVAP,iv:uUa8rH3rAnrElWKItrgJt1u8Q6mZ0zeFwAJTaypxnWo=,tag:7QF908Le6mqo8dOmkvlfDA==,type:str]",
+																{
+																	"name": "ENC[AES256_GCM,data:S7uHCOC6,iv:bLWd6o3T9YfU/uP2Qc4/pAT9byHNTsRcWJwwu4jZXVU=,tag:A6zWjmj6tlgmHXToyn0FdQ==,type:str]"
 																}
 															]
 														}
 													],
 													"onboardbase": [
-														"ENC[AES256_GCM,data:jQZBwifC,iv:HRZGgGDoUHRF5R6sSWBGMbCoCdjeW7S1dnhIW69Ggjc=,tag:qNrmIHLeoFGILXBI/rG2Zw==,type:str]",
+														"ENC[AES256_GCM,data:v8Ve3h0r,iv:lXRYlJbnY6t/u217+m5Ha6OGChumb4FsFHaZkfEmzls=,tag:v1Dx/AsEHoTFKLSOoEQF+Q==,type:str]",
 														{
-															"apiHost": "ENC[AES256_GCM,data:haEPymSO,iv:dTJt+KkV1QYZbonPt1e7a1pxGgiBS0/JEnR1f74sZKc=,tag:JAyTowiqr/2OYLFm0pYuSA==,type:str]",
+															"apiHost": "ENC[AES256_GCM,data:rcmr2L82,iv:PCoavhPF6DRpNdyvHrklAGG7/Qp4Atp9SZWAY0LxA2U=,tag:qwCvQkyjYnr7Mpxuoz/w1w==,type:str]",
 															"auth": [
-																"ENC[AES256_GCM,data:EtGMKf9H,iv:GmGDeVBAmgZ0MXATxkBgLEZIQnFfcbeoTt5S4E90lYE=,tag:g6nlxMggU12lSxTKv5HYmw==,type:str]",
+																"ENC[AES256_GCM,data:vmpDoPaQ,iv:6hAP76jO6K1R7AACgfbqymfrMDjNOEIZ9OYws5T8DN0=,tag:t0JgNwzfJwQmp9FLA8cDMw==,type:str]",
 																{
 																	"apiKeyRef": [
-																		"ENC[AES256_GCM,data:CNJoOh0L,iv:a2ECIZBddC0OsgOKRysbMRNKDZm8NDjXDJeKFNC87xE=,tag:ny9t2T7yKc8Mb65xfOWoKQ==,type:str]",
+																		"ENC[AES256_GCM,data:18yIAMuD,iv:/D69F7zP8paE1ibRLTF8lsrLXrxeUtRzyU9MGIM9TTw=,tag:qxXu7sENbX+giKSr0aBKXA==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:rlD7tPaA,iv:o3DC5QGXdOtQN6YrGsl4POSwSEz13biReHaNO7fClSg=,tag:Jq5qTJ0ZrFScAyb9BD9ceQ==,type:str]",
-																			"name": "ENC[AES256_GCM,data:l6cssTxO,iv:gTwX92bBzsP0jYTp/BSPfWmI7MqAN0rmsGFKx7uM2WU=,tag:zRkV3FCj6BZkmeKh6E116w==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:9JS0UIEX,iv:vvX6S0q+4WcNPOw51qJMv56SrA5JnfprZn10hSVPBzo=,tag:LqEnVnjDNOEKpPWYTC4C2A==,type:str]"
+																			"key": "ENC[AES256_GCM,data:6Z/gPMuM,iv:O4MxunmfhmNb87SH1M0io3XtBP7u4cvetVkBQl5hdAk=,tag:DoMY9wRDgCpqBhd+iq1G1g==,type:str]",
+																			"name": "ENC[AES256_GCM,data:iwP+oSEb,iv:X1nYJEu81T7E4bWH1fq3GoWcFMV3rhEz11GSZ/R4+GY=,tag:FHXoh0SNrG8mP6CrCrdDAg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:uFot9Jd+,iv:/kOU+hBtYxHwkB4hzdqpdF3aqV4Gagp+3xZb+HFbzhU=,tag:dirDFYAAuUvKQNhdJFNuXg==,type:str]"
 																		}
 																	],
 																	"passcodeRef": [
-																		"ENC[AES256_GCM,data:lW0YrL7O,iv:irGuc1mIJfN0LYpQMUURUKrcrA8bF8Xhkat3ZdoM4dQ=,tag:kyfv3pQ0+pVCn60HkPJozg==,type:str]",
+																		"ENC[AES256_GCM,data:bCuq/5cW,iv:gm8wWFwA80IK/PavhhfBRcTcZqywYPd1ubJtil0IO/I=,tag:FTPbToKTpDyWr/LP9NFNMw==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:RYRbTyRB,iv:qhFXOUJ0PDiP0GHFQI3j/vE1zUrBP5TIhIeO5guUzfk=,tag:G7TVwz1chFXLLC8NQybncg==,type:str]",
-																			"name": "ENC[AES256_GCM,data:q3zWQDmP,iv:t7uRxpdJAKHvEyJw8fR3yUIiA8uYjuxvsRFKONxhzyE=,tag:H4w0EiCR5QB4KEYkAg0EGA==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:e9VQa972,iv:jOo5nPU1qp771kr3+kiRNuqrWytODUuJpqEmQJdXJhU=,tag:E2c3jahWa85QISafJtkEng==,type:str]"
+																			"key": "ENC[AES256_GCM,data:8RZ/Uoez,iv:+tdeDQWbHDWYR7dEkLiqL+9Lt429WuBYMejSJ+ZEGBQ=,tag:DfChsE5XEkx4Qyy1WcQL4A==,type:str]",
+																			"name": "ENC[AES256_GCM,data:i30diEnq,iv:SbmiQEmoqxPIUqj+p4PJ2zl4j0ZuF0tuDntZjo2moDw=,tag:N4bP139yH+c422HN0g6K5Q==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:1VUwNasv,iv:eZdGAgLLDmIMaddSmyKbH37VAmzjJoEka61caQi3bko=,tag:hTI2bxE5tYrOkiS43QFZKQ==,type:str]"
 																		}
 																	]
 																}
 															],
-															"environment": "ENC[AES256_GCM,data:lgLXb3kC,iv:cagD59DrblbEp0iWpXXLMmCgwwoYmNPpDCT4A1q7hfw=,tag:Nc/Haj9OfP8GIvA34OW1WQ==,type:str]",
-															"project": "ENC[AES256_GCM,data:yvWPbwvA,iv:mhOx8NBFuYq44EwO5HkLjsmwLBbWG5GCR6iAThEydBY=,tag:14KZ8epfojXmJsJllAL7wA==,type:str]"
+															"environment": "ENC[AES256_GCM,data:G3//keoe,iv:1ctSEBqI7kEasEX3h0w7nvL0y1ve8IWCeF/EaPFYLYw=,tag:E20PlORw/9jO3058ByNh2g==,type:str]",
+															"project": "ENC[AES256_GCM,data:Ix/iHhHA,iv:MG4GBjGUUdseSiHONVN3SFOEyCI735yi4PTWKnAo9DE=,tag:vThV9sLPSwqVIacBucXfPA==,type:str]"
 														}
 													],
 													"onepassword": [
-														"ENC[AES256_GCM,data:TLbNnhsW,iv:N/2sp4qOS0ZpEhnzx5qLj17of4fAj8wu9y5kUcu1IJ4=,tag:caJd2ZxGw5ePhIrxztdUvw==,type:str]",
+														"ENC[AES256_GCM,data:l/pv/KM1,iv:EVwE6pM4VN1uPRlSu33OKixfaOJRiJBx/oXRRVFKL20=,tag:SMGqvrCTg0Tym9kHCp7J+g==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:hkZky4CW,iv:7Uw0GLJ0ITw28Og0zvJKPmyllZdQ42vChC/332kEzn8=,tag:9MpXH7QuKSpmfbeOC55DJQ==,type:str]",
+																"ENC[AES256_GCM,data:5hUORH/4,iv:c1IAkhBEJJHE81aMr4gmpkZTEGN1WJ1VXlDRbd5ICsY=,tag:227X6fjsHd5o5zjJ8po9vQ==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:e/g618EU,iv:1XLlLeoxwXyS70SUlb17o+BZ0zqAHo5fqu8TguqdAVw=,tag:LMinFtA5shB2oMP5gDgycA==,type:str]",
+																		"ENC[AES256_GCM,data:Z5PLhekD,iv:T3pyqRpIujuNNTRrfrL+fhPl7AOq5/agIoCtc9Ac4qk=,tag:jHiVmZdniJ19HHSoMiNASg==,type:str]",
 																		{
 																			"connectTokenSecretRef": [
-																				"ENC[AES256_GCM,data:4lWiMB/m,iv:U9aT8yPl+8jCr+y4Kc+BR2laH3RitNDYz7lg9onzFhk=,tag:rOfK3DD/d7rG+9UNyCBREA==,type:str]",
+																				"ENC[AES256_GCM,data:PJici50E,iv:aKOFn1F4R4PWn/arB9k52QCGimyg11LBvZ4iVIkCebM=,tag:O0xpKnVtBo9Z7q/Qt5w3BQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:Lwj4leWq,iv:mHhzt737nNEziYucO4DcOX1ULuEJesW5VonUyV/QFPQ=,tag:RpqiWK6tCM2w2hGCTpDBtQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:/uyyYYhW,iv:8RdclE3WaIKusMkw016T9NE8NsfjNYb2VC2vfApJCes=,tag:wk/6+eT0K5rgeVYUeQSSBA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:V9sNyqeY,iv:xM4e3QNM0eD0F3ltSIHNFOhplMKuG3T33IET0cE9fD8=,tag:omQk8vzBlEMKmekIn27NSw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:nnIeGj4q,iv:ggWLi/erFf75Wwq4oBdJalK0zNCePs7RKXhOGzsN98A=,tag:fcnOLDhutcqiXR0Hwhw6nA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:b7bW4gxP,iv:dywNHP6I3K768EvyBK6XUVz1l0VwDNQojh4geZVrNM0=,tag:dxOMQpSgS9fWPnMMqfVqeA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:sdNm/Hp1,iv:5kk7YejDm3zMMOTIXMc0cZcuOSBtsPGPNon6u8blUgM=,tag:YUbqVu3c1UGeCZ8gJkAgeg==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"connectHost": "ENC[AES256_GCM,data:CGa4b8AQ,iv:XZeX08fKjmEc9qITeUIdzfsGqAYJfMMHIaWJmaSC1EA=,tag:KUQbXZWUipdrbNXO7Qq/3Q==,type:str]",
+															"connectHost": "ENC[AES256_GCM,data:/AQRLf4P,iv:K1DrWcq3lmMDgL3uLC0t4IDuqeXUQQZ/Cj/fJox+MXI=,tag:YY0sOqkpgVFwOZQ3frLzfA==,type:str]",
 															"vaults": [
-																"ENC[AES256_GCM,data:R4+i,iv:AkGEbMW+blxN9KLx3/KiOyDIQ1NAwo1+3Rd5TFdw0nk=,tag:kaUIrJF9d6Cc4EN/Icq3UQ==,type:str]",
-																"ENC[AES256_GCM,data:1RAb+nY7,iv:5fauOowqHMl//U3J9p3WazzYkxBuDCBsW8r1JspSPu8=,tag:AfbCKqFIRCH+zwXGuomLHA==,type:str]"
+																"ENC[AES256_GCM,data:840m,iv:U9MUU+PGa49CqNn6FHOQcgMLIbBAI76fVRF68UY4gR4=,tag:b3CaeaNfUL+tPVpO8EPAqg==,type:str]",
+																"ENC[AES256_GCM,data:muXz33b1,iv:ZCH/A8nIvOZMCy4tPs143Nhkq+PUepN2OuHAzAuyjmg=,tag:wuytL/Yi6adONXUmJhFTdw==,type:str]"
 															]
 														}
 													],
-													"oracle": [
-														"ENC[AES256_GCM,data:PZqCm0Xn,iv:vNZdcxQBE2vLLtZ/YlXC7fL1EtdF27ISznHlto9+1wM=,tag:gejjO8RRjlpDbZ27EPR0SA==,type:str]",
+													"onepasswordSDK": [
+														"ENC[AES256_GCM,data:TTJhGxmC,iv:yJztbnbwYnCeKFUMJNqCooTxmjwxJnkVYDU05WSeuMk=,tag:9Am44rp/fXP9T2FcZKvxqA==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:ZwhyI8Qt,iv:Dph1zWnv7nWA3jjbExfc8Uklxgljlzt+f7W3xUf+K7I=,tag:8G8npLqQ1tIlLNJzHm7daA==,type:str]",
+																"ENC[AES256_GCM,data:sn0Cwk/J,iv:yiGEfwtiz90bUUbxNGrqEWEdZMhFwJv3YWKPA5q4KJg=,tag:LUxri2PL2eS7K1qg2CMq/g==,type:str]",
+																{
+																	"serviceAccountSecretRef": [
+																		"ENC[AES256_GCM,data:WNdfiRtl,iv:92nilOCDuCHPnMNXn2d9dL/SH/cBgzUBIOQDzk+t/8g=,tag:qwvuT8ERJ1gWe0Y6SXot+A==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:nc57rxu4,iv:cBe05UT1oyW4Mg/+oukDtJ9OxlJn7o60nP0Idi85Dkg=,tag:2qQ48CKo07taAii9h3VHKg==,type:str]",
+																			"name": "ENC[AES256_GCM,data:ZrIsiVyU,iv:OwF6qP76hw0w6j+xBzXzcZxGwzwKDTfgeghNuDgdMpw=,tag:5jkXymtUD55S9WOOMYdCCg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:SSxZxXW7,iv:L29GohrxmBQ8xEyIr+HdtkKyCgvsR3lNWebkDTDDpOY=,tag:M+qG9BH5prxeHuZDx+oTEQ==,type:str]"
+																		}
+																	]
+																}
+															],
+															"cache": [
+																"ENC[AES256_GCM,data:9uzISJCj,iv:p6i7zQnF3MiKc6GeFkiT8KwQoKuqYLkMX6fZcwQV4Ns=,tag:edWl+FH/KlATLtTQerWL4A==,type:str]",
+																{
+																	"maxSize": "ENC[AES256_GCM,data:F27nhypN,iv:0qbE0wZwvdlcbvCvXZS78aafdSexr4H8rQjbHwHuC54=,tag:LuYGKJjmXIHRRp0xVzFwzw==,type:str]",
+																	"ttl": "ENC[AES256_GCM,data:VX1T3H4K,iv:+aItPrQDyV9OQhpfgHNNlCXEMwx7E5tblsMTGwspa/0=,tag:SBa/Kdr4n/HSSsS+tv4QFg==,type:str]"
+																}
+															],
+															"integrationInfo": [
+																"ENC[AES256_GCM,data:OwmDhIKU,iv:kTzAywB6B9/wtqfy/UzC8+CTAqRlDev/a5Jj42Ah2+0=,tag:bbyVg8S0RGF6qo4FR+wEmA==,type:str]",
+																{
+																	"name": "ENC[AES256_GCM,data:GyKlSHId,iv:kkvNieFfzQtrn5tv1vgcFVFmoXWCJLFvfa1U5OeEciI=,tag:5QNwNNTCl/M6kDDqCab/Ug==,type:str]",
+																	"version": "ENC[AES256_GCM,data:UnyzDj/f,iv:wCxqcsVdeFcvkZqXDkUTQQNSIaNY+gBTLT36nAbk6E4=,tag:PT67NXPnjO7FZRw75gg8zw==,type:str]"
+																}
+															],
+															"vault": "ENC[AES256_GCM,data:P1y1m9Or,iv:1XoTBWs+oQykR1t5/t/lfRfE5A32sSqTRSSaWAauHkU=,tag:vXItaoejr/kxbD9g5qVk4w==,type:str]"
+														}
+													],
+													"oracle": [
+														"ENC[AES256_GCM,data:faBCE2WK,iv:XW78z1tkKrtB1Ydxg/S78f8oNuvIWHumVoRX1u2ZwXE=,tag:M8I3+U40zFvz5iR53ej/EA==,type:str]",
+														{
+															"auth": [
+																"ENC[AES256_GCM,data:yTE0cIEn,iv:1efR3rAm+Mry+MeAX8yWO+J3rC4bdi2TtUef/Ulz2jo=,tag:ARxetBKJoCNT4NYL5l6gpg==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:KrIJXrAX,iv:+qlwEpgP4FBAgrH+K/ljuB+Vdr+1L2gXXH1NxWv5Vhk=,tag:iZsvfcE3wZdRxc1z2EUBkw==,type:str]",
+																		"ENC[AES256_GCM,data:qd/YTgay,iv:a6YD+CACwbIJDuJ8wd8scI45wVHGAZ8+W/fKeshrGts=,tag:hbrjtCD6hOfDHgQ5WJP7eA==,type:str]",
 																		{
 																			"fingerprint": [
-																				"ENC[AES256_GCM,data:hOxxMU7e,iv:iYUN+e1eSN1d0DsVEV+XsM4j/E5xiDYQiKVZh6umAuQ=,tag:sMyrL7XW/zvDHUIODCpJbg==,type:str]",
+																				"ENC[AES256_GCM,data:kAho89X9,iv:UjLK+DSJA0toSFFxW7IU8ZMPYtv/eE/zfmaJeCqD8Dk=,tag:mKHnxPATlpCe7elrwmlf2w==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:LwVce+QD,iv:0vh8DZ0tkOB+YAfS45Gk+32IQ0ALXuUl/m8MmN6cTpk=,tag:I2hbujOj7FLx6He0zdIFuQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:gByqR8Wo,iv:BrKcwckXyU4O3iO2Rnebbiw0Y/qdsPg5n6C11CcIh9E=,tag:Fu791x2lIUZu7azBF3QBmg==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:+KiBqD/A,iv:+emw3oOlkKGjEInSBRUTWr+O8J+m2tcBBe+c75RrTm8=,tag:xbrczjfqFLHctO0PbCdJ3A==,type:str]"
+																					"key": "ENC[AES256_GCM,data:cLq+vsh6,iv:rwlAb40RW0w/NX6h8dSF2razAFlviOANOLo3BeLNBOI=,tag:WyQ8MvNyv4+ncy6yKUbePA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:D5SeqKOT,iv:fFE9u3bmbl9IHdc5NEjVOdR/dac/g0L8Do68802hYbc=,tag:M0mRoyoj9sWAwg3M5J/q7Q==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:eELDKf01,iv:YUWFzg3AnyE/JiJ2YgpLZaPxd8Iu/spRDY98a6JbDiI=,tag:2230CmUI8tLsQ6JtzH9kMg==,type:str]"
 																				}
 																			],
 																			"privatekey": [
-																				"ENC[AES256_GCM,data:l1WqDTB/,iv:V3rOK6viYwW9umFdiJHv8k1EOAipmSYWAz371/0FZ6g=,tag:tkYX5MPBj02E0aR32Oa4WA==,type:str]",
+																				"ENC[AES256_GCM,data:t1s7nfLf,iv:LMSPDTg6YOlpemoMtD8buQA1NcFTGKiHWDEuiXEKTA8=,tag:1zgkEKD9t++a3XuPctdDzg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:0HheIA/o,iv:RHYUR6urxhOlz63CiTis2E60+wan/rCDLm4ukQ/b49o=,tag:a4Xg5ONBBcKKMKOAV1+aQg==,type:str]",
-																					"name": "ENC[AES256_GCM,data:ck7SNWTh,iv:Il/0MV1Nh1B1mhxBPKQT8dIhyFwhAOyChtyvm/wDX1g=,tag:6oDXi1o2w2lP1CtZ123VsA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:tfeAo+w8,iv:OH5wz6WJWaOVdEajalsdbMIZ6JiaHlYUbfaA5YAdd3g=,tag:DWlrFZbUfkutN6JgoxfpTQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:PPa1yZgW,iv:SF2lvQHm9YZgd/uuTaB9PG/FbggdIgEQ1V0d+a8ynGg=,tag:T8NBpoICx7ydRNMsy2hS/A==,type:str]",
+																					"name": "ENC[AES256_GCM,data:T8BIoPEU,iv:b2EKavHFHtQ8sUrNVHbOHNtVT6CuodHL7tF+HshiO04=,tag:IOxGLMo2gwwxki/yrkAnvg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:4gJOjHqo,iv:up/ug2ptZ+UIm93RaZlsg/2U7aZ/dzBasYdVUOfiTIQ=,tag:k2dYKhvKU8htcHMxmYvfyA==,type:str]"
 																				}
 																			]
 																		}
 																	],
-																	"tenancy": "ENC[AES256_GCM,data:wP7nTZP4,iv:M0ObYKtvvfrtrIwI6wAF4pJTixr1PVaHMOsRM6ijsk4=,tag:6RIxBfRPlSeBjxxSnlmgbw==,type:str]",
-																	"user": "ENC[AES256_GCM,data:3XeO02t1,iv:TAx55aDY3+2nTpZV4F1IQnn+K/wEplbWlA4VAWGHMUU=,tag:Iu3vkW/qZPvCwjBXBENZ7A==,type:str]"
+																	"tenancy": "ENC[AES256_GCM,data:NyGbRDvp,iv:3MQHHJLx1To3O4VWkJX1qwHKiIwylpROsaXtXmPQfVA=,tag:LLx511+mwuZG2HKA+BX/2w==,type:str]",
+																	"user": "ENC[AES256_GCM,data:/GMjx2/p,iv:9ujR0C+Ij6oXA5quY6s3TaKdO+p+uUI1OuH/eqRku0w=,tag:3dhPqwX0lseCOTk4uwEIag==,type:str]"
 																}
 															],
-															"compartment": "ENC[AES256_GCM,data:8fP8Fasx,iv:Yk1HNmR9lvyjuyCGt5sWkWyQk0r4waz2SltlELt5nN8=,tag:hs2ecPU5ioCEEX8M/MBPmg==,type:str]",
-															"encryptionKey": "ENC[AES256_GCM,data:77DIP4DL,iv:E3tLZ+tILsETRU8YdBloWtoRMWmpaJJKamaSIoV5P3k=,tag:LhUgYNfeV2vEgQ3KrVz1XA==,type:str]",
-															"principalType": "ENC[AES256_GCM,data:9DhD3mmK,iv:oH3fOK+cHgJLeIHABn4C7aPJuHdkY7GQnLWYOjFaVPk=,tag:qVuL3PnT0zeB4zM42eGp5A==,type:str]",
-															"region": "ENC[AES256_GCM,data:MObbZkBb,iv:BJaYQW+HhG7XQI0cTdDHktN/krBb9sTa8qwoDlg2qyY=,tag:UMvQ8ajF1SYhYGdZtPNxgg==,type:str]",
+															"compartment": "ENC[AES256_GCM,data:k4725/+N,iv:iWIXV/rFVLzmbY4iQsyon00nwUUcEKB2xet5vMWGTFY=,tag:b1bXxC/uwzS+/r4zAJJDtw==,type:str]",
+															"encryptionKey": "ENC[AES256_GCM,data:Z0COQH5F,iv:Zg5dFFAaaSVAZCBt6bbOqp+aR9A6YrPSjkhut7r+Kos=,tag:YFHJg9M10KPDThRmWjIQKQ==,type:str]",
+															"principalType": "ENC[AES256_GCM,data:vXcZMfqf,iv:U7en4SJVFAGSjQlgO9ZYgkpCx7gVKB6Vwavrvzg/TuE=,tag:jK+PXyaD3L3R3OCCWjIZEg==,type:str]",
+															"region": "ENC[AES256_GCM,data:a8j4fAtO,iv:h+afxWGSogLdhM8SJtdq/cIs8ErDSVlre2uPgmhpdUA=,tag:mgR6j+FMfk9mZO8yAXjY7w==,type:str]",
 															"serviceAccountRef": [
-																"ENC[AES256_GCM,data:lhDrD59d,iv:B/aLqDW8gpeQc3LsiSW3LP7qKhOY6tmVsUFmrR7XWAY=,tag:ZEqF5NUZQ19KmhhXeYsAFg==,type:str]",
+																"ENC[AES256_GCM,data:DH9NWgLO,iv:EujPB40fMAf24MY7myao4QRIFrWYIlpXWOA7hmaof0A=,tag:3RBzkN/R4MMZADbzpD59gA==,type:str]",
 																{
 																	"audiences": [
-																		"ENC[AES256_GCM,data:4zKJ+Q==,iv:oUWJWNjRLpV0DElaHN0ps5NeEtH1qdemJxDOOHe8qGY=,tag:1wRIe8pCOF++JA76HsvtEw==,type:str]",
-																		"ENC[AES256_GCM,data:/ydcsRa6,iv:hZIFqxr/X8YAQW2mt0CddzejCZUVlOXoUF0MsxC0ncw=,tag:/qSU1Nbl6b6Pkbxo6SV+0g==,type:str]"
+																		"ENC[AES256_GCM,data:GUy3iw==,iv:UVL7+xkUMHkeaIA6HMCr/dcTLRcIIpvPObytsn8kzR8=,tag:SNGrJ98ZUQ1ulskkxgjTGA==,type:str]",
+																		"ENC[AES256_GCM,data:l9nQZCXe,iv:ZzSMsIcSAWe+CH6RkF+fEqkKPcafBvffJSr1Eckf9ts=,tag:LeWXpeX5EqH2c6fOcsndSw==,type:str]"
 																	],
-																	"name": "ENC[AES256_GCM,data:adioAVlO,iv:PU2pP+tKe9/PFCvkb52xrmQGMLPxxSR/KtruX7TV5Fg=,tag:zBU9AdQcEIOv3DMALdC1hQ==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:yzcmiPsR,iv:QkLYD3poBeD1KUgCjO1VGVU/QgH/77ormPNeOAQn+pM=,tag:tryMrAyk9nS1jdIeQZrVWQ==,type:str]"
+																	"name": "ENC[AES256_GCM,data:Z+jRWIlm,iv:GYgaaP+aRQqQQaDF2Y8fsEgqQDzU3H9wZV2sf2EATMk=,tag:BWuT3Puo/m2un/Eqrp7JgA==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:RNcGmVed,iv:acu0Lulb8QPJhbPVvB162Y9rZ0FyC4Bm5thvMoa3RuY=,tag:+BtBKN+Q0Y/fi9W7hY4rfg==,type:str]"
 																}
 															],
-															"vault": "ENC[AES256_GCM,data:HIOOMCJz,iv:wziCKIVe5GNfLMdpfgCa9cnRqfwGyCA/O/zwgq8mC/A=,tag:vMVJzaddzxkJkO0nCjTiHQ==,type:str]"
+															"vault": "ENC[AES256_GCM,data:wCtOVUK9,iv:Aod+FUGiKQxpvuvXeneCqwJIIkuLJ3ECekGO+PW0opY=,tag:qLIA83V7bYxwsxjrxy4vLg==,type:str]"
+														}
+													],
+													"ovh": [
+														"ENC[AES256_GCM,data:Zj+dTMFR,iv:s4GxpuKNUhXfi7X3hfp3X/5zZqmIDK4phPHTxL10/oE=,tag:DsaVFpUdQLx/wDZlTVrEZA==,type:str]",
+														{
+															"auth": [
+																"ENC[AES256_GCM,data:YzwTUPr/,iv:w9pk6wlPnX0s7GFoeA2DB7TtHJvafFnXGW3e0NOVZDA=,tag:GR99ra0EW5HgmBmBu17BRA==,type:str]",
+																{
+																	"mtls": [
+																		"ENC[AES256_GCM,data:0Ljo/MkN,iv:e5rhHUwXFByzFJ1Cs1HIEnWe82KMlXIHX04q3kwbgWs=,tag:SxXPQe14YejKc496nesBBA==,type:str]",
+																		{
+																			"caBundle": "ENC[AES256_GCM,data:V4UZhR5B,iv:rZsA9kBOwDMNKSUEBkCx7306uk/GUDSN3qhl00w5xuU=,tag:IBGd2BUnn1bNXwEQJrr27A==,type:str]",
+																			"caProvider": [
+																				"ENC[AES256_GCM,data:tRnSi4Zy,iv:kl0JDaTk7kWUDYnog/DEzWcfx8mW9L1MtsGHGv43rLU=,tag:ZQN2HAQQYcpPHfXeqwoNgA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:aEpKf5L5,iv:oxMkZzWfKIsAeSQZ9ivQbxiuiWcozx/l+jkF5F87kL8=,tag:QkndNjRSh8Ua+9i3MxTJug==,type:str]",
+																					"name": "ENC[AES256_GCM,data:N5soJ6ci,iv:b7IigybJZcPCMg4p6fZ+ASxjV3KXUKUa88WiIyGAWHs=,tag:uikKNqBvBO96MrzemwM+nA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:qPpu46O3,iv:ddCY+l0r1FDyR0nZEEg05SksJzhBsq5qo4n5MZavtIY=,tag:6PqKH3VAYXN4VTVn2q+UBQ==,type:str]",
+																					"type": "ENC[AES256_GCM,data:xQK0hoAc,iv:j1Bh2654vJKaGZHkOD+Ig/YZOLZt98UsZQ92av4URNg=,tag:wUBMQi4oB89/WWQ21JgVfA==,type:str]"
+																				}
+																			],
+																			"certSecretRef": [
+																				"ENC[AES256_GCM,data:YC30PSKy,iv:zqPqHPfYqnCt9U+Kscprq6jdxHChWMtxUWgVSA7Jjx0=,tag:bxJLDe+qoKYfbLUfkQWNag==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:DJljeZWP,iv:CIsMg6Uh+WBVqyRBZD20sjPi3d/GUBQKESxe3t1YzSE=,tag:STcu3DG6x2uSzCA0ix33Ww==,type:str]",
+																					"name": "ENC[AES256_GCM,data:hxg8IOsQ,iv:fArJVEjVdpgLFaWHpPa577fBTdjqw33kNx/4YC8yHTY=,tag:O+hAd/01FYz1LEEAsfgSXQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:RTtQ7l/1,iv:5n1NQQWUa9sYBoJTzgxvmN3t7avU0GWnws/lbYjwcto=,tag:jfluPMVrgB6ZD2LgPewi8Q==,type:str]"
+																				}
+																			],
+																			"keySecretRef": [
+																				"ENC[AES256_GCM,data:lT5gW2tQ,iv:GPKGdR8/mWMBwaVqGfoXNE8O2TpsBkP5NFD74MFvXfg=,tag:Gj3tp5waUriA8oA3VzQGBA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:tMgZVjS6,iv:st+Vp3PqSygIsUwKmpWkdBnyBMHGS5UZJE2cBSZTZh0=,tag:bEZWz00yiqPLkdpR2r1iXg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:+w/4fOOI,iv:eBAuQ+oRaFwF02TaRkoFdV287zBBjLXhG3IsLhVTAxU=,tag:HmrHrfsbGWPaw6YcbzD+fg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:Q8bll+dP,iv:azJrux25hFwG5SgmHE9UvM/k0Uq8koNG/8JI0FkIH2k=,tag:TuSmjdpZ4nVuOzN6wmry8g==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"token": [
+																		"ENC[AES256_GCM,data:mo/mHKbF,iv:IIoa5pGORgzEBW+UroB9oNiZILCqjb5CWwCBKLfZQN4=,tag:ShtwCI0bfpes6Bf8Ap+dmA==,type:str]",
+																		{
+																			"tokenSecretRef": [
+																				"ENC[AES256_GCM,data:Nk6fsDLG,iv:qIABnEmNpTC5HMdO5biFQeNLzqlaSy3flOXWhT01fbs=,tag:AyziOMp3aaqawCCQhX+SHA==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:zWjG9L4h,iv:We4Cg7JU0Ql61qSFMS4nUbKOQxH+jE7hbImIWn9hASI=,tag:S0tmjefDZfX2xorqfpGNKA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:nGfRgALO,iv:f6bih1s6f8RUtAqAdoPzaxdnvGZG6GMxjKOWV5rRPIU=,tag:DceDnBrOu5smpOZGn0Co2g==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:guHwfhID,iv:vw/oQtBTRSev3kokf0JFbG3OMajHpgVtk2dFPqV/lWQ=,tag:3uNm8D+WxVz94W25GGTqLg==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"casRequired": "ENC[AES256_GCM,data:0vbmBg==,iv:y9Env1LXElWjyIK90j7oP/NKeoqU3PPvdasGQUGghCM=,tag:sGQNaDkKypLQjXkCwQ/E8g==,type:str]",
+															"okmsTimeout": "ENC[AES256_GCM,data:/bFQpzb+,iv:BklBVegiqam+hf7VnebnM1TVL+168/v2fXgMJMOMpbQ=,tag:JufXLYjcTlzSinGDzDx3tw==,type:str]",
+															"okmsid": "ENC[AES256_GCM,data:BsDw9pfu,iv:yfi3OVCovIIjAkpUevNkU9BARdxjTsIw6HkgLM2wf50=,tag:EuaO52pLD1SDRSvTQ/GOdg==,type:str]",
+															"server": "ENC[AES256_GCM,data:zxZnKuaP,iv:/PFPn1V/FTL3J+JQ7CXiAUWajimxU/VbT/ao7hV9W08=,tag:r6oAIKwlZsbynBy3b3uIJg==,type:str]"
 														}
 													],
 													"passbolt": [
-														"ENC[AES256_GCM,data:DvBv6ctm,iv:zfGECEVLgkFZb0vwfCLP9w/EuG+S014AaDt4bQsXIb0=,tag:CuC7ezk1kCMdKoNdod3xFQ==,type:str]",
+														"ENC[AES256_GCM,data:+KZKOLFx,iv:aSP3anoJ9UqcansTWUIiWbcmXiQSI26RjCDg+2clmCM=,tag:73grBwt9M/yl/TjF/Lwn6w==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:TGCW3qcl,iv:aeFbQDBylvM0S3f0j3bwy8SrY60/+CB2CEC7rYa+ado=,tag:UhpjyDYDhGsP+RU6Oa5tmg==,type:str]",
+																"ENC[AES256_GCM,data:nUxdrkXJ,iv:IH5IvQBf07vQFnFyGbnDeZ8on7Mg/hQ/dUTCeOQeVLo=,tag:Fo/oVdclNr5RHffNPrQ9bA==,type:str]",
 																{
 																	"passwordSecretRef": [
-																		"ENC[AES256_GCM,data:wrSaKMrv,iv:o0/Pe7QAAnMEea/9nb6DNm2xHfJxCQMHoxfgM4H2Dd8=,tag:X9MW6eGGSj9J/ydsfyoCRA==,type:str]",
+																		"ENC[AES256_GCM,data:hK3R+f9P,iv:rEXgofcc3UI5JyR7MaJ1S8oer1ssaRDJ4ZuGhGqIbsE=,tag:FijwQErTuVsXCCc6qpXB6Q==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:kjbVnldG,iv:ggSSnhc/GETqIGysKv803WgJbG7JH/1M6nfU/QGBx+A=,tag:go9oieh8WdPMaCgSPTkM1A==,type:str]",
-																			"name": "ENC[AES256_GCM,data:JIWX8FMA,iv:xereAuL6E4m7lNjzCunftYB1Y/FrkqGWz113bNjzEqM=,tag:XL0iLvRxcKZjymVsN+B1nA==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:RWPSzwgk,iv:T8LlO2jQ9dPcWFVd/HBEX93nsph9pgPld6ZoQMw8KGM=,tag:qdZo2kdsZw/WcNJHRd30vA==,type:str]"
+																			"key": "ENC[AES256_GCM,data:ly1CyfIe,iv:lLJpj/dw2Zg3sUhngfPJRF6r+1kqD9SL0b8KPx2yMeE=,tag:nqqu4h4fuH0yq2C/i059Lg==,type:str]",
+																			"name": "ENC[AES256_GCM,data:TU3kBoFy,iv:PL7qttc3GETegCG6OomQemPnGwZLKZMJuM3lOgh0Pdg=,tag:F6Pe3Gfj2A5uHApaEyr7SA==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:b6dWIsR/,iv:6zlbamS9J3BYxDk45m1TOX0brbgBRE96fa0nW2RaCKU=,tag:DiWsXkAyc3GemSvBVWuWRQ==,type:str]"
 																		}
 																	],
 																	"privateKeySecretRef": [
-																		"ENC[AES256_GCM,data:U4FwYHqA,iv:AAf2fUwevteHrXSh+j5pIxg3C4Tu9zIc2xEfgCMKKm0=,tag:taYEKIBcaS9YJNuUDZabaA==,type:str]",
+																		"ENC[AES256_GCM,data:cRICpIlt,iv:1ZI2L2/QY4N7inUD29W9Me+nQXUHz+qmaPNQyX/HKuY=,tag:A/sGYO9/0EjUHVoUk9hyow==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:yvkncs35,iv:XAS6nobhp49/skv/pU3G3WQ0BOsFJeAaCF4kvp6JNxs=,tag:BVOShgetazAdddh/4vxMCA==,type:str]",
-																			"name": "ENC[AES256_GCM,data:WUIjWVpW,iv:vsI7zzLACPGzz75l4lEOIC2au2PMKHbNBdONAZom3zE=,tag:yMwQJgmS5wPef2bnxIq8UQ==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:tYISY901,iv:ug1e52kJQbQz0ldrnaFRERM7gS1YLvw57M+2XJocrFY=,tag:JDZhbjNB23x66IW3D7pOew==,type:str]"
+																			"key": "ENC[AES256_GCM,data:uyYMPDLJ,iv:I0tS+GrxlDsTlpPphqKoV2330UhI454O0fYrOYSXmoM=,tag:3vD74Iv2cz922U9vUu7njQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:+3Nsf5si,iv:cCR2ygJIQUWHDr8sgYXUhjvK8PPmRI8DEzDc3/3sIFc=,tag:8j5OhXvr4NvZSy8kEHEfIw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:Cuh39OsI,iv:sRmw5Wj3VbhI9IiGAdOD4kFdhmS2Ku1SFQdg9owfSSE=,tag:MDUx3RQDwmjc6B/WYd9/ug==,type:str]"
 																		}
 																	]
 																}
 															],
-															"host": "ENC[AES256_GCM,data:5lUUG9Ca,iv:J6QSz9Fop29uZJw4ksg363gInBTNXM1XjTiLrLmGXOo=,tag:QsfqiUCLYsIgMnrmKO91GQ==,type:str]"
+															"caBundle": "ENC[AES256_GCM,data:0rIdeZq2,iv:R7Dy7DTvHi9hr8u5mmK75OmFI13eDBKGaqvaEQu39Fc=,tag:VSNjUku1auD1MVIyD4xZBw==,type:str]",
+															"caProvider": [
+																"ENC[AES256_GCM,data:hFkFiEeb,iv:9RXp71ikqGOgygKhhcoGcK4eVzSdKVeCriqMaIXpH7s=,tag:WyFXBqhH/iqvY0CZt29IuA==,type:str]",
+																{
+																	"key": "ENC[AES256_GCM,data:jXNFjSLh,iv:uaBObLjRIthQoZOPNDK2npheeyLOHsJkN/KVZRY/Aq8=,tag:IRhlo8won/PdsrLgqJfaHQ==,type:str]",
+																	"name": "ENC[AES256_GCM,data:UZSNIu7t,iv:d12MKmYvdnb0/lgFEpyIQnDcOVSviLuoy1tmEhE7q0g=,tag:cwElE6X3eUMYvHwuTUcmHg==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:ctRWOMsU,iv:01clDBCWZK1R2rrF3glynIY3+ubwTL3NfVaPS4+74Gw=,tag:iyyr1K5kE5lMMJpa4gewlQ==,type:str]",
+																	"type": "ENC[AES256_GCM,data:b3ly6TUX,iv:JcZ4LAjn9vTTP4qZ/4ay70PGlsgTm6PbFsgwe99lG20=,tag:8aA2peCSRxu2sdPzcq542w==,type:str]"
+																}
+															],
+															"host": "ENC[AES256_GCM,data:6DYWyjxF,iv:x2qbMyhIW+uaqi0lc/QhHTTnHykokTixnr/WnZX3eqE=,tag:HjIrCuh7LAv/XoztrXNQdg==,type:str]"
 														}
 													],
 													"passworddepot": [
-														"ENC[AES256_GCM,data:G5NrI5FL,iv:JYUcjVxuaC1gSWoOZlvHiq3Am1wvMjT/ENsXDV0G3oE=,tag:q9xaed9tZBRg8tMdrXSRHA==,type:str]",
+														"ENC[AES256_GCM,data:T5i9wXzg,iv:1Nl32sc5zbbAQoYPNNT3ZQ6YvDpH27K2itTKefmQgnI=,tag:nz5sxw50tN5r9oYlLMi92g==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:YHNLsFYD,iv:P8PDvpUb0XiH7CxDLtGOgfjtG+RdvLhKD7Q8V/oJMug=,tag:vtaYYHxBpgnH3Ektr+snhQ==,type:str]",
+																"ENC[AES256_GCM,data:/+8pIxaB,iv:9fXh5QzBZIJ1tWLObhNAdimtDsjmRtNTBO0qlDNISpA=,tag:p1VomI3xS622PxdjyWI1kg==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:L36th0av,iv:WAQ1WMumOF+4pdWq1maBz2b9uN0sBGMiK7HO3yYlxVg=,tag:V5eIF12I+mhHTpqFwAWrZA==,type:str]",
+																		"ENC[AES256_GCM,data:WGPb6r9y,iv:GkhHxK+RtdZA4G0UUkFycHQ4Piyii7prBu7Rn7J/+C0=,tag:1C6cl4WOFplZGkBSPJnsdQ==,type:str]",
 																		{
 																			"credentials": [
-																				"ENC[AES256_GCM,data:2obj1AVs,iv:9Vi4tUP/SmpmQyCv9Fl/uG14sHvMCIlubVMk1q0xpCA=,tag:INF9qrDAYQqQ66UovENjzA==,type:str]",
+																				"ENC[AES256_GCM,data:wcYwH521,iv:j8x/ROugzclD33DuukQkk4N8y18ajeCDCVEECkZkoug=,tag:rmuEQhzR2Xsbjs5X2Pdc/Q==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:P+H+WQUE,iv:2w5k52RuK+dhu2LSClauaiCrPnnitSJgyJkhOnVG8Mo=,tag:enADbfXtVPLLcDG45AM92w==,type:str]",
-																					"name": "ENC[AES256_GCM,data:6a17w75L,iv:T2CBD2ll13U9SiJXlRtPk6mlJvz2fG+9N1xv8QQpbLM=,tag:0FWZAdFLr6ccBphOQF7mmQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:c9Y2wIXV,iv:YqY7jrfMf0jzZBciaNFV5v99hix2idsvkhdapkC6P6o=,tag:gLMz+spG4hgx9xVMLUPEGw==,type:str]"
+																					"key": "ENC[AES256_GCM,data:wg5+urav,iv:r4TqpSijjx3Dxy6Y9lOhVsu6pEXlLgGQlEYahM2PG/k=,tag:Ys2U6jNvpm8iGKcUvuTx6g==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Ut2lYob8,iv:7/0EfnR6XBCop+Ou2G0ZuascuSB8k1vJp+IHzGQE/6M=,tag:dmiv+6G/NGLxwxhpPWXyow==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:FjSFzLzo,iv:RFXRIiGZIwVFO9ZLjkMAvghO6YfJgi2tfZ+HGt7EGAc=,tag:2xXMyzuhmPC2ziZcOIDcCQ==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"database": "ENC[AES256_GCM,data:xi3Rju8h,iv:eEx71OJhNHou0nprCb0vXf99br1x1Wbjswas8rXskuI=,tag:MyDPsxJwix0o3Hq8nTc6dA==,type:str]",
-															"host": "ENC[AES256_GCM,data:Cim0sTNh,iv:ctiVNodVyntOkRnqbcxitdhGUgIMfucPU5VfjbEkt4A=,tag:Vnkugmp7i8XnD78b5mjPZQ==,type:str]"
+															"database": "ENC[AES256_GCM,data:vSoFQ5Ma,iv:VrGS45vVA5NM6Lj1mvbqjKSDZXMkfSBbsq8ksT5tyMY=,tag:o/GxWfzp9uA1Hxf5Q2pBIQ==,type:str]",
+															"host": "ENC[AES256_GCM,data:n4OHoTI2,iv:PUmA7FNwrgwT2FTgT29AU9PE1zXitHHLm4laLf/aAOE=,tag:0JhFDcQ61TMm0BJ39j4Iug==,type:str]"
 														}
 													],
 													"previder": [
-														"ENC[AES256_GCM,data:bhmYYxx4,iv:48cUriCz5qqiERrUjUsXlev0uBw/sc7Ed22m5XbvqTg=,tag:Koq2uB6cBrluVIkryGX0Kg==,type:str]",
+														"ENC[AES256_GCM,data:dqn2rkVf,iv:uVraHpgJj+LS8zZwhqQzbfjkl0gucQtRqRuUFIBo28s=,tag:sf+VrHCn4jDf2/jpTlrF/w==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:P+yhBUnX,iv:1fma4B9nLOyI+slLFA1Q/Z40EzrMKHVheMdvg2Pbr+w=,tag:v2+leVX0guQrfMZAGmR9Xw==,type:str]",
+																"ENC[AES256_GCM,data:R1eBgMCp,iv:3q1/dNtDKdm2EQ1djjy3wYQoZgarQwAmMGuNzuf86G4=,tag:+1eoheUSZi59RsitVNL+Hg==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:3zJAEPus,iv:INteaI7qK/Ur8412ebLhY03Y+L6yd7gRIbpg2ztM60k=,tag:La/dec/h1N2fbs9/ANDh9g==,type:str]",
+																		"ENC[AES256_GCM,data:mTmo1Zh1,iv:R78uv4XEZNZwcMvMkAbCowegvD0wXjsTqQnlXRR+V2I=,tag:WVOT/1McObdy8eKk8OCTlQ==,type:str]",
 																		{
 																			"accessToken": [
-																				"ENC[AES256_GCM,data:2xx3fEY1,iv:xVRhsegF+ZlCgelPnCttb9aqhQa5eF++QbdIn3VFjD4=,tag:PA0qaLqH9Ek1nj2Kyq+QJg==,type:str]",
+																				"ENC[AES256_GCM,data:fyqF1VKr,iv:2DzlOrpvYLn9gzSQEn2zmOB9xRp9azYWSmHd5l2qTKw=,tag:QRuw94CX3ZMFx4dzuEUEQA==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:PHSzkG7r,iv:IbcFEwxLoEpTJJDH0Bhs3phwn6rpA8mjJd0zZFgJ7q4=,tag:qazqitzqhRVp3zUOHJJ5Qg==,type:str]",
-																					"name": "ENC[AES256_GCM,data:hYiQOeTR,iv:nBlwiERNL9LzaomterdkBVhBaD4M+vFtq8fh1nit6PQ=,tag:X3oDTHPKJerkbaIAUsxmpw==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:9XN2rX0R,iv:uIFtHSEJm3pTkMW5P72LZHCNUW0q9O+Iq6Th1GDmc7I=,tag:fiYjEjHA0qi1al1so49ECg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:1433bMs+,iv:lfbtIWiz+SEwHZKgv4Uuw4zMe+ncpjyTFP9cGzoQTbM=,tag:+4SNTH1t4y1YIEXyrtMMIQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:DFCS5M9Q,iv:wQWU88g7UxIQeDpPsXvN2NVkJ7hM3SyejsqF/Hkaaz4=,tag:vFriAW3a48GI/bY544cMcA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:02AQV1sy,iv:6P4L9k+9y1HJjKnF8L4vDaAsoOcf1tE5WjkEdb00YH4=,tag:gqp2sNjTd8VOJeD9ZrOl4w==,type:str]"
 																				}
 																			]
 																		}
 																	]
 																}
 															],
-															"baseUri": "ENC[AES256_GCM,data:2NKPGx36,iv:KxyJr4ciwHvcVIDwXl1MCacYj89nU0M8jVQSPN1upjg=,tag:4PQKkSF6Ddlgn3eDOTeqFw==,type:str]"
+															"baseUri": "ENC[AES256_GCM,data:mcZqL/nb,iv:GFoq0wpD+fs27EZgzPTb6H3qErG+iQVIxWblJbf8+eY=,tag:dpgDNW6wOMQhdeKMU4e0lQ==,type:str]"
 														}
 													],
 													"pulumi": [
-														"ENC[AES256_GCM,data:ydfX4PCf,iv:wDSR9qUsiJkkuB8JAmjldeRhjHwR2KgxjHe+UEBXaKQ=,tag:Ya/t9j65RailAsxKFOVqeA==,type:str]",
+														"ENC[AES256_GCM,data:cwtDCNCA,iv:UDnRX2vMoMsHw0c2nPTy7x/g3TOpNfOymWfggXEv6Fk=,tag:eyYU4gHUwTJB5+YS2c0qPg==,type:str]",
 														{
 															"accessToken": [
-																"ENC[AES256_GCM,data:WhtO/H3/,iv:42smG2wqSbkQjjjFpw4GeshAAmHEElxUXsnR8gwfemA=,tag:O+JeESstA0Ocp1zCCLWPcQ==,type:str]",
+																"ENC[AES256_GCM,data:7RC6aX36,iv:B24yxT5+/0/xxNkzQ3Of/DWvdMcu+TehTMYhgqDPhhA=,tag:R+yY6egwU5S0zcFfFHZntA==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:LLEQQmDy,iv:DNFGl+w80DK110ECj6QFyyvtRTU8VMejGNqKOJotGZ8=,tag:8IVyY1wsTdB50SFbH+OZDg==,type:str]",
+																		"ENC[AES256_GCM,data:WY3N77q0,iv:4E5h7EpKY2wLqh6z9cZ+8ZtYSNSeWswu88COTojQLr4=,tag:Bo/T2StrPxjrZc52sIzQJg==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:cb8vkqfV,iv:++AhJg2HNyIlFoc/MZeHGBsEdvkjGYO68LZapqGngCw=,tag:N/GzzxqU/QfS81dx9I2nNQ==,type:str]",
-																			"name": "ENC[AES256_GCM,data:HDTjfiEU,iv:pQHDy2KFKQHvFj7iFnloJvhMYc1BW7IdUN875xPRKIU=,tag:6Km42hP8cm6hqbLDZXM/hQ==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:rz1zqyp3,iv:sGNqjVbmF+iFHd0qOHVbIS6ii7kyIhvVQ3sUWc9ZFsU=,tag:P6eA5xeO8R+ApAL8HPmjDw==,type:str]"
+																			"key": "ENC[AES256_GCM,data:MrJgAjY7,iv:vZ/yHHU1UKr4Db36CFf+SYxZnb5qL8atoseQdjS1HoU=,tag:XbHjABrft8wSyF8jr1agew==,type:str]",
+																			"name": "ENC[AES256_GCM,data:jcir+MoF,iv:qOwrLofvsUOd7UniWO8SId0Ig8IC0UKbAA2Le7QPZ4c=,tag:u/jUI3eCKCyY7O0/5XLGPA==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:9pgOiG20,iv:TxXL7xu68jjA8KHZnJI579UJ635cfgsNkVrdS24Tjm4=,tag:ysW8PUyT6D+vItjxYIlglw==,type:str]"
 																		}
 																	]
 																}
 															],
-															"apiUrl": "ENC[AES256_GCM,data:AdkwmVVa,iv:gBRwzT14GEBthbBOZ2JSYSeQSPvnQoRcQpaU0sN9Q6w=,tag:JKJZEeaBITeOClJ/oxJzJA==,type:str]",
-															"environment": "ENC[AES256_GCM,data:Op9gg58O,iv:Efk1pCEIG8G1keg3aEoNyVO3oCCS31q35Gq640ws9Bs=,tag:xWD2oNztULoV/sOcTi4k8A==,type:str]",
-															"organization": "ENC[AES256_GCM,data:5At1/dhO,iv:lJGAk5qNGFlxUie/57xp6XQ1LpqgDOSRpnCbpei6BOM=,tag:CAqZsiN5Q1oY2jVcIYVI6Q==,type:str]",
-															"project": "ENC[AES256_GCM,data:GsMnxkxX,iv:c45+mkaaNdeEFx0zqWLFvGQHWPGKg7vtwT3K2v6Ohxg=,tag:Jr7Zh8fINTA6rc4gkTZ2XA==,type:str]"
+															"apiUrl": "ENC[AES256_GCM,data:kTuwvgig,iv:L+DYnibugN9Tm+9wiyY5+iFH/uGwVz1uxz1HtkYbbUw=,tag:bRxKXwS1p0elT19j7e1XDg==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:aqU8LLA8,iv:3T7XvPqK5rrOhdq4sucV21j0z3r+Liz2UyeccplBXyg=,tag:u7rLz/Soxm7UrskLbBFuDw==,type:str]",
+																{
+																	"accessToken": [
+																		"ENC[AES256_GCM,data:PpxYJsG7,iv:dl5s3FGQ0PHRBm9jUr1DgBV3mHWxE357TiXLbC94tyI=,tag:AyCktxDBM1IjesKMAiIa+g==,type:str]",
+																		{
+																			"secretRef": [
+																				"ENC[AES256_GCM,data:pu6UXQrh,iv:TuFDkWDTOh3u3095IXru7KmQGidnyn8bemIwMsMywf8=,tag:znKhrLX85xKSEWP6UstHcw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:Gxe7Zc6Z,iv:+jj8HSQL/imUycrfvxSt6r5bk16Ewx0moX5O7Qdm1Ls=,tag:V10AofqwaxGy8wisncwfkA==,type:str]",
+																					"name": "ENC[AES256_GCM,data:EgoqX8hZ,iv:+AiVyR8jHoaFCAHK3icNsL20irZDQNgPfO6in4QEVcc=,tag:rUVA9KnXnkpnnr4zNSUI9g==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:OQN4+lGT,iv:K5+8fLHV/vjQ1EKQIiHFIq1CPloZBCNWBfDsZhV0ym0=,tag:pDyVPlOZLq7jorB7K1m2Uw==,type:str]"
+																				}
+																			]
+																		}
+																	],
+																	"oidcConfig": [
+																		"ENC[AES256_GCM,data:/UBSFd64,iv:eH/MU94Y1dd7jCPgf5+PHUcp38E806F9pgCfoLUIHZo=,tag:Q8OeVDVHKVE+m5MSde+v/w==,type:str]",
+																		{
+																			"expirationSeconds": "ENC[AES256_GCM,data:qkYgakM1,iv:4cTnwPISg9YvhepAEEYXbHDSs1BONkBNzy2R9hGEZCU=,tag:JwunGnaUWL1maHrUv1cpRw==,type:str]",
+																			"organization": "ENC[AES256_GCM,data:f5A8Nu11,iv:IiEAUdtNIWEKismgkiOIUom/1qk6yZ+moMkEoCCHCMA=,tag:O0Y5J48oqSqJsZGHE5Vldg==,type:str]",
+																			"serviceAccountRef": [
+																				"ENC[AES256_GCM,data:Ec+uvGx9,iv:YW5JV7cmMJfvyLX3TrQZkrBCLsaJ8ER+QNCQkOivzWI=,tag:8Lucmy8qlTT8YhDtqKrtsQ==,type:str]",
+																				{
+																					"audiences": [
+																						"ENC[AES256_GCM,data:5UIKqA==,iv:Y/QUGRgbmVolhyop8wXT2ta0Bp3YrC+jIxz21erGDpU=,tag:zx7bFZ+K8O1k7dN6Uj6FIQ==,type:str]",
+																						"ENC[AES256_GCM,data:KoR5cxbY,iv:z1sx2mfCPbsGDUqAXKaRKfXoO5i8ZXwghSbzHrmieaM=,tag:VQC2ZxqGEXPqQbpRzmulpg==,type:str]"
+																					],
+																					"name": "ENC[AES256_GCM,data:eoCp1KoU,iv:hIIJur10l6BTNKW2I/iaYAMBbJfI9qNrGTF119vCVlk=,tag:VftOYr39EAZker3qxMbwJg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:49Ohm+0y,iv:UI3KGhGQA08fowX91nCNiLSL++5OSyGIZjuUjvFM8AE=,tag:7b1TJDgzs/RzX8p6pcj5EQ==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"environment": "ENC[AES256_GCM,data:NaniEEk9,iv:vaVbE4J/wm5ihIvuF8N9gcToKcJHqlgLp+l/5vNOmV0=,tag:Fvf+tm/y0aDzIpdiX/U1tA==,type:str]",
+															"organization": "ENC[AES256_GCM,data:YoJnqF/N,iv:XJZZwf60VayqSaRoA89fmPT3vb46II2V1QsgvszetoI=,tag:PneeHZGyO9R18CdMJu/zDQ==,type:str]",
+															"project": "ENC[AES256_GCM,data:a4zN9TvO,iv:CR98aGVFaIQphvvp5i43h0HsyR4XeQJ1Ckg2sHI2dq8=,tag:OPSCYNcjQJ2pfqoPla6Myg==,type:str]"
 														}
 													],
 													"scaleway": [
-														"ENC[AES256_GCM,data:0OOZ6p6R,iv:3KUJPCweUrVQxYL4RV6wLLzNDFbChpGt0df7tENWPwM=,tag:uUZQcKWKfcKNk2W5T2Sjzg==,type:str]",
+														"ENC[AES256_GCM,data:+pKci4dv,iv:eyOMTO0SvZZyWp38Q0cjegOHItyqpO/np+c/3OFdDng=,tag:e4C2KlqzLjozjfjic2xJEA==,type:str]",
 														{
 															"accessKey": [
-																"ENC[AES256_GCM,data:vOYnqzTe,iv:MR71b/0Zupq6bL9AZS0mTvxzD4i6RYB9dYBep4dcT4I=,tag:5reU/chT+85wV9yog4SL7Q==,type:str]",
+																"ENC[AES256_GCM,data:6bjjC9uq,iv:zNWEWCk6G3WOaZcktNItKHBSJ5TdEiH0KtI07QE9MTs=,tag:PfMA5JlEWaFq40Nt+7HvXQ==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:nsQyq8bc,iv:A8Nxm6aOAW8FQYbBJNBkd6i7itZ7pIs85nbQxIo7xZA=,tag:NlhH6O/aQ9z0mD5Q+TE9AQ==,type:str]",
+																		"ENC[AES256_GCM,data:7l8xS/8a,iv:3/FscLTRKc4wrxrxiY/cw89OcT3CdKcecWYbkfLhF9Q=,tag:u2nGiOz5D7pWAdqIZkhMhw==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:GfB6G/OS,iv:YR3g2bajXpjlASiEQzpUA/dbZxzQeMQvjauLS6D+93c=,tag:flJMchJO4GxgKJXGCEXWGA==,type:str]",
-																			"name": "ENC[AES256_GCM,data:/x+TCB9T,iv:chKbqywHOEeuQAubTbKGdKEMKG7mY0/WDvfgD+H5x/A=,tag:LwvEIf0tEXCdIu3d23VtCw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:kNurjcpH,iv:wLncbcg0Cks1J9o+ArsoJCB7Y9sE/lI4tbm6gN178OQ=,tag:a9u8a+DJ3w1lhwhvrchWxw==,type:str]"
+																			"key": "ENC[AES256_GCM,data:jsahAb9O,iv:/gbtyilJAcQahwRhLjFOilx8GfT+nerXBfFT3t5Dd04=,tag:EYWnq0GY+PZ/6UoPxvI0nQ==,type:str]",
+																			"name": "ENC[AES256_GCM,data:hWN/nQXc,iv:ze0+D0r1N1k/NUnOtLjlznhlBwGY0/ybB/HfBjOb770=,tag:fb1E4QQqAo9UjfbmIcLrlw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:WtBuYfAC,iv:6J3bAxTf7k8HUAsy9Ls8rkVl3dy9Jsx4V8ips/r15iI=,tag:Btci+l3AES/zTh2JbBOMGw==,type:str]"
 																		}
 																	],
-																	"value": "ENC[AES256_GCM,data:woEENyHa,iv:CxapoiAPAOrbfCYo+T5YelvL4NZ/7UUAUXLUg1DqW7I=,tag:t5LdWCn8Yiu17XxD0Bk9lA==,type:str]"
+																	"value": "ENC[AES256_GCM,data:/n/Q+Ec3,iv:YhYZdG0R9Z6FMIBNtovB87QykRmyYgLeRohQXvSGUpw=,tag:ulzs3OcNs4JJXJ1IAWzmew==,type:str]"
 																}
 															],
-															"apiUrl": "ENC[AES256_GCM,data:jZkbkwJd,iv:v+DJuygomLGwNxeKN4AuaD24PelW7wo3JGAQM1N3nuc=,tag:9ZuNeozk8dH6fwM7T56WpA==,type:str]",
-															"projectId": "ENC[AES256_GCM,data:4Kayz6rF,iv:Ff2AZLtS/FxdqdsGLm7bsOl9t4d6ZnSKwtuojvgU+b0=,tag:h2qaKUBlZBGdwfhi+Yk/Lg==,type:str]",
-															"region": "ENC[AES256_GCM,data:8HrePHbL,iv:kxJXRpZOAq4r4drnAMEyOZDax059n+X3HPsHmjO+X+0=,tag:ol94H6QuHp8bZm1qivygnQ==,type:str]",
+															"apiUrl": "ENC[AES256_GCM,data:0AmQ3xEu,iv:T6EoqQbBmSGbTCBbanXzbZ1yWCxWNh7U356alrkgass=,tag:Y1WM9GOnVvhGMV6wS2IuXw==,type:str]",
+															"projectId": "ENC[AES256_GCM,data:Pj7MtExh,iv:kQeub1ePR2ZBdWgcAzWaqRx02CGPs+e7re3qcQE0sWE=,tag:BXXxdyGs+AoPvmOjJjASgA==,type:str]",
+															"region": "ENC[AES256_GCM,data:2x6zP3KG,iv:hWU6oY9CnAaEJbQ8Rj2tyKbVLw1xpLH5zWp70KZ45Vo=,tag:yGA5oH/167X/MkxYy45KCg==,type:str]",
 															"secretKey": [
-																"ENC[AES256_GCM,data:jppSQr1b,iv:Ee4LNrzF5Ffth1h79b2P8BEWkEcaiUB/Dw4PC7rqdGw=,tag:mWAzlYIaupekvOEesYUMWA==,type:str]",
+																"ENC[AES256_GCM,data:+lFT3oTd,iv:+VGFrnjop1Z5r36Cmx2vWjz/xXBEhbFzjC+/BGxJLOU=,tag:vmbB8k18O8/18A6QJC2JrA==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:qTkg2pFj,iv:np5OTedc3N/whR3tNzJHRQafZoD2dvsNHy9DBWD8Zd4=,tag:EaoKRjWmfNS8nVge5OdV8Q==,type:str]",
+																		"ENC[AES256_GCM,data:8p8Wu/ib,iv:mYej59pvd2iHQWxZ6892Hk30oBcfVNE3F3kcdRX/NtI=,tag:pIX9adLzEsViSrjhSBtzhw==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:Vju+bgPX,iv:anAXZTgqjCXlwFG+7B1tYYDNwnapPg9Ez7yKDrRegZM=,tag:2JlfW6Wz2AY9PETJOU8kBw==,type:str]",
-																			"name": "ENC[AES256_GCM,data:7bC0/Ehw,iv:O6gnsyW1GY7lG1E5L7z8Y6ofOswLKbTvVwYTE4KX23w=,tag:mh7VZP2bMwjegPyJ3/KoZg==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:f45jrToZ,iv:iDw9WF7y1f9TQcEofx+rUpTE7SOgiNCFadpbD4zWrQI=,tag:fkMRXnnDsIGIPjO45AIr3w==,type:str]"
+																			"key": "ENC[AES256_GCM,data:gercZEL5,iv:dyzcZOW8pA4uUDx6jpKolBfxXLeZ0ADkejCY+OAMK9Y=,tag:nJdcwGPkHq9CFvA9nkoEVA==,type:str]",
+																			"name": "ENC[AES256_GCM,data:Ln53eUKN,iv:lyuwslphzdwauK1xYg7/ksXxr2OPSGlhUYV6kKpCEpA=,tag:+2C7ZU/f7PxBsrTGDbI0CQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:t42Il2rl,iv:WkamzFQmdeH2GZdJZ9yEpgOVCs21L5wG22avmo4LrGA=,tag:dORsvlRWvhL81NLRBAC24w==,type:str]"
 																		}
 																	],
-																	"value": "ENC[AES256_GCM,data:XQ4IxyLB,iv:hhesgyQZVeFtkl/4+4zmy6ewpLP7U2R0CNlhgLaYY60=,tag:2S1Tt50uwGmhSBlr7rc7HQ==,type:str]"
+																	"value": "ENC[AES256_GCM,data:P02Td9+Y,iv:wA8aM/UOjOu5u14QVrKWXB9B1GMSqm7ixL81W3pGtSc=,tag:wvBG859a8Mp9VQNq6sMufw==,type:str]"
 																}
 															]
 														}
 													],
 													"secretserver": [
-														"ENC[AES256_GCM,data:ZA4mdqsB,iv:eZaDZOyBtOsC4iquZZ392HsYrLa24cwyjjovZsmSVN4=,tag:8WilH47qDdbRQpuC+WPkJg==,type:str]",
+														"ENC[AES256_GCM,data:+lET2RCs,iv:xXKIzuD5bgHDrnT8KNuA+fcdsvNlK7kG8nUjcYXlU9k=,tag:MYEFJD7I5/diei3fdFqozQ==,type:str]",
 														{
-															"password": [
-																"ENC[AES256_GCM,data:ZXQQA8X6,iv:hN7RglstTZk8en3jIoz2wWlFp08qq5s9Y9r6EcoPRS8=,tag:h1lZMXu2haBZgbOXpphhhw==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:dsoIasQt,iv:eBBEKZGMddy0lt+uRdTGIXHw+NGVOuYyFzaiM4f40hs=,tag:5YhpRqkWozR048R9ul8Y6g==,type:str]",
+															"caProvider": [
+																"ENC[AES256_GCM,data:2zeGeDwG,iv:pwxnBQ+TelVJdzo93G9Nh3Eieb0FK9zOYmQiCKvfjEw=,tag:ruygKbFgBbAasCZBQP3UPQ==,type:str]",
 																{
-																	"secretRef": [
-																		"ENC[AES256_GCM,data:pFCk44LA,iv:l1Od4vtjEuL0oWPs42j/3joK+ArZvllsL3rP9buFSys=,tag:uhNp1f2lYd7KfFi2Q5BVaA==,type:str]",
-																		{
-																			"key": "ENC[AES256_GCM,data:SxD6qC6U,iv:IKuTuQVZRcEJAvOl9jooTyaKsxrQPZjZTx2BbsDGHnI=,tag:PjvzGvMLnqUEVkuqyO20pg==,type:str]",
-																			"name": "ENC[AES256_GCM,data:mV7P6zO6,iv:g6NzgnujMBHdqTIXXT+q2Kc6P0nsi6+3KVmRM73nyU8=,tag:99q343+echldszry6bNwzA==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:iEu9VZPi,iv:bMwQzqCXb54qf72i0VjLTQuiFANiaHGgSwSPaWeB89I=,tag:ePN1txEsRPEqO50JJalivg==,type:str]"
-																		}
-																	],
-																	"value": "ENC[AES256_GCM,data:YyBfjIa+,iv:MIds8wUKigg2Um8KHqw3V1uuu5pJwBA7RcQVB2lozZ4=,tag:PC6LXTZ1WRfspjUcwL4jsA==,type:str]"
+																	"key": "ENC[AES256_GCM,data:/LeKWEAk,iv:71RSLwC253Scz+NaLyCQamQSdXvhxIrSGe/Gy2X06Gk=,tag:llG9C0jDW/qpZtHXgwSQuA==,type:str]",
+																	"name": "ENC[AES256_GCM,data:4NlzE6HK,iv:3b4uI2zDc9Xn+AnJcUgTT8oAgLm1xNTHFgCzDQ/CV44=,tag:Ek/1eHnjPDUsLjH2gc5yTQ==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:JXnY+824,iv:5DrYQo7CN83k0o39tU/RtdbLbdNWwyGrLveUJ5s4BU0=,tag:R5S8oLioiPzP6r18aeHXJg==,type:str]",
+																	"type": "ENC[AES256_GCM,data:9BwN3eNK,iv:tvvycYh/JCZMeTscYbp+7Zs8/L+97bwQXZL3DZsa2kM=,tag:XKylqa3Mug1gpIkIWVXd0A==,type:str]"
 																}
 															],
-															"serverURL": "ENC[AES256_GCM,data:u4ztptYX,iv:Ara7gMNkugz2of/2P1JQhrlf0Fqmw1dMk81+5NNoZ4E=,tag:/GgDZhcbVtPsEp4cutxk0g==,type:str]",
-															"username": [
-																"ENC[AES256_GCM,data:Oj54EnG9,iv:O2h2/9MSkq0UcqXLDiIXVxm4NWGe69uDOLzszjeswKs=,tag:5n8HT25UWuxKMWzmErwK9A==,type:str]",
+															"domain": "ENC[AES256_GCM,data:C4Upfpb9,iv:kTmLGRhH/KMcJrka2ke8C4MVWuv41AFk23/7mk2xQkQ=,tag:58fuN8ERMf6on90iNICKuQ==,type:str]",
+															"password": [
+																"ENC[AES256_GCM,data:mmNclnug,iv:QCIz8XXsnfe+L+qpnD0quWCZCFeSJVQlx8JUe58gNYo=,tag:HEaucakim9mXjPKmd/ideQ==,type:str]",
 																{
 																	"secretRef": [
-																		"ENC[AES256_GCM,data:mN+ToHyE,iv:lP6HkB8W5yVC1OEF0XlsoaNlBr991zjEynsTDac71ks=,tag:PxS99RSFulKgHszkSB2AeA==,type:str]",
+																		"ENC[AES256_GCM,data:U7Qv37/U,iv:cEuU/+z0kmE1ZYMzndzRV5VVddYqbynaExWMBJnb+xA=,tag:S3sFBa3u6cYS5JKRNrTfIg==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:0eEg04df,iv:ly73YMpZc+SiE4x1UMzKQvm+I4Qnkp0/je/OkQfu64g=,tag:kjFTEbUDqcuU1J4Pjki9pw==,type:str]",
-																			"name": "ENC[AES256_GCM,data:nhp91st8,iv:ZB4U8QjTzkJx8GZV/FoO9xeNKBU6cjLJepMY3OzZVPE=,tag:W6LuKqoSCuJypphoTBPWkw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:7qWieEuL,iv:BfR6V+ObUSOkCGF99JJWOSWk66OJAU8WQDwXrSryaqo=,tag:00JvRiyTQRq0AUQAnMDvRA==,type:str]"
+																			"key": "ENC[AES256_GCM,data:Pytz0CNx,iv:FdEwkK92rgthZYF5PjVrH4pUZ1Ke0f/IDG/jyxCvOtg=,tag:DYMmzrayEkV1NmDyTZPA5A==,type:str]",
+																			"name": "ENC[AES256_GCM,data:CgsquEZC,iv:LXPhEAcDTopH+M5rIecOz6MLgc4jrZAXiJJf6l5df9c=,tag:JdrY2YuX+swqB+H5fxXkrg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:gQuVr1+N,iv:xWiqP1MEtpuGvLj3Au/IPuN2St0Xy9TtxNeAxa/Y7Is=,tag:wahhhJ6fl6QxtyBVIxZWxQ==,type:str]"
 																		}
 																	],
-																	"value": "ENC[AES256_GCM,data:WYR7+lZG,iv:DmLf4lWEQjl64MyJATEFbXrXkRb7gVoSNFQvrrcGUlo=,tag:OiDeQA7JduR2/xAt0DheZw==,type:str]"
+																	"value": "ENC[AES256_GCM,data:HAt3LLYJ,iv:4AnWzg5jlsEXPhQvJvXuzrq/VfS1btdWqoZv5Gcw3D0=,tag:LIt9H5zVRZAE1Je8Htc3gA==,type:str]"
+																}
+															],
+															"serverURL": "ENC[AES256_GCM,data:CMsFaggo,iv:K7JPocXN++ofdSW6yiZFd/uJTNiwXE9giWu4SBzHlD8=,tag:sfHTTvFpUYGXlbfc7PQjDQ==,type:str]",
+															"username": [
+																"ENC[AES256_GCM,data:iW00lccT,iv:Ig6EP6ecpMvrXciP0Dg+v/91w79bbC/bfw2kI9jO6ng=,tag:ugMnYN6ulZ+beVROhN2ahA==,type:str]",
+																{
+																	"secretRef": [
+																		"ENC[AES256_GCM,data:Q1S6KNYH,iv:vzI+AY7XvyZofv7EKw7rXjYNJgkZhKnzSYZjAmoPGZ0=,tag:0mbRDo8oBTpMWdFCNZz60Q==,type:str]",
+																		{
+																			"key": "ENC[AES256_GCM,data:k7cpJ5ax,iv:UEL887Ww/KsPhN/rIgAWkd5BWbfIJLmtAIgNvddiM2Y=,tag:ABs6fC0waEnWyPOvhQtvMg==,type:str]",
+																			"name": "ENC[AES256_GCM,data:bp4g/KrV,iv:qJdPNGOyJ24ihb//J/kpSkT90RSD6+B1G4+LEraPxtg=,tag:tJTYzr7CUfYt7JiJBObdIA==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:7JkNteKm,iv:Mb+/BI94eMSGS7nAubKgRyLpxBjqgJkR0qSeMx0SMQA=,tag:sw0gXru2So8y6RHwGFUJBQ==,type:str]"
+																		}
+																	],
+																	"value": "ENC[AES256_GCM,data:ddAFv+sT,iv:WqmHey/l5eqLzC5cBirVFb8mv/Q+XeBEfHp7mroUk5I=,tag:9QYDZQN2c4XoD/AZe9Oq0A==,type:str]"
 																}
 															]
 														}
 													],
 													"senhasegura": [
-														"ENC[AES256_GCM,data:U26x95rX,iv:9H4QYltj0DzKXjf1u+EDLnU0b0/Wdtv5vpAm4vKBJWM=,tag:FGGKw1V7KBMljjRE072Xkg==,type:str]",
+														"ENC[AES256_GCM,data:73Q60mpW,iv:KBWmQZkc4tt6qrDq7YWMyXicYH+Grp37Sd5PcJob+/w=,tag:78nIsQbJVgK+pfv6m7Z4lA==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:kEYtkUL/,iv:Nc3NjBs+tJsONVOvpkm2SifRxd7vRJgMWLnSWMAyDMk=,tag:KyN7VV4Hg3TbaOqQqUImiA==,type:str]",
+																"ENC[AES256_GCM,data:CQE2Te1x,iv:i48En1nBYdQl2ZkIU69R5juVNi0fomMfrnChXzT3sF8=,tag:bAt7VqJjPQI/NZw2RdQTug==,type:str]",
 																{
-																	"clientId": "ENC[AES256_GCM,data:qAJsFEKy,iv:4o7eg8NQhSKyqEi6OsMYQUORgNGZZAt+jaU/tHyipT4=,tag:8bKgQHvBLaNCXoDvQx68wg==,type:str]",
+																	"clientId": "ENC[AES256_GCM,data:RuPuSTM5,iv:XzTgv9EQEJ/M4jX+2YDlmzHD0pkFWu/gtUUYEbYhnPA=,tag:HHSafR7AnwXL0vMSuyjKjg==,type:str]",
 																	"clientSecretSecretRef": [
-																		"ENC[AES256_GCM,data:EsgzJ2jg,iv:OCmrp0I5IZcVE5zHTOGV5vtO/hsbaqEVe0Yt4P5Duwc=,tag:OhSLGAdtFXQt7idrmN8DBw==,type:str]",
+																		"ENC[AES256_GCM,data:5CR9TGZn,iv:uD+dKNMDE4AZoXtQ2lIWk1r7rbCYRbDVZNk/o55vZM0=,tag:QFHd4EaHPkZdfpTbQqpoyg==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:auetaKzJ,iv:8i46r34b555sueMmRhqyOtrYZajKUrl4XoIcyzo/Et0=,tag:tSzw0rh8+ojy1aPrckKBWA==,type:str]",
-																			"name": "ENC[AES256_GCM,data:riaDViEs,iv:neXlnKCL8Q3SjZN6QOjXPVO/8BTmPSJNFyLeL4TasJs=,tag:JnfahqIQk9zDTx6Hy0nY6Q==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:isWFCDx/,iv:uvDEFLkihcrV4pW4Q9AqFoBWHfkjygg4CNsUvKMLmrA=,tag:q+b2LhdhRe7Dw/C1dHWFSg==,type:str]"
+																			"key": "ENC[AES256_GCM,data:JnOW4f9F,iv:BO+SlYXUBHnXF5slj0iNb6bp5cWYGUJHgKmi68pPOfU=,tag:6HxbcR5kCDowcTbM+vNyDA==,type:str]",
+																			"name": "ENC[AES256_GCM,data:FIyO2bb0,iv:zm3wWuS/CXZSr7a/zY7xhLPd2hLOhWxwmdK664P/JOg=,tag:0yzgboLgEM056rsVGEe0iw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:LHklyJk7,iv:WG9m1g8Rs2qJKI2d1SND4ilVj/PunZnwkGu2LkFLiO0=,tag:nG6qminEV1t4tRgqZRGFGw==,type:str]"
 																		}
 																	]
 																}
 															],
-															"ignoreSslCertificate": "ENC[AES256_GCM,data:8Ogl3g==,iv:XMaCqodmvr0iDUkEvNJfq/iefZrw8O2Pwr3JxCfDCj8=,tag:kUa9F0a229J/Sia/wAFqiQ==,type:str]",
-															"module": "ENC[AES256_GCM,data:tte5IzsK,iv:VTSokTLydDadCq0k1WQQhbHheDdZO206IVNPqSl/+jg=,tag:1Ri5U9RSjeRmQAvcj/vLnw==,type:str]",
-															"url": "ENC[AES256_GCM,data:+IbStols,iv:l+bFg6DinXO6qO9h1MhWgQyYMPMace9HiDQ4nKB4RRo=,tag:k83ans70zg6GRFhbcBOJhg==,type:str]"
+															"ignoreSslCertificate": "ENC[AES256_GCM,data:JeZGRQ==,iv:cjkyMLYsgFgZs4yOZKoaQ4cHVJGo3Hbb0Nlsrlhe21M=,tag:nH9ixyIvP3Fy5PejVcLOQQ==,type:str]",
+															"module": "ENC[AES256_GCM,data:+6E5d9Vz,iv:BcVklqYguiba1/5VCYhCsgsHdVeoDb/kyiPZ1ATG7nQ=,tag:CqgDFZwhDRk8jGto97D7nQ==,type:str]",
+															"url": "ENC[AES256_GCM,data:5TrBF0Wf,iv:wIFtSpumilrCO2Cdm3LLdL0YwftKj4UVYIeOmGDYYy8=,tag:aeS1SZDkDklYgUr6krBUlQ==,type:str]"
 														}
 													],
 													"vault": [
-														"ENC[AES256_GCM,data:wZ0CMo8L,iv:TdCEYRtrJl8YVqhtA49uzuDJbS0qpeaZMIunUpUFQ58=,tag:ZRSTp6kr+0dQSgxsM4fWMQ==,type:str]",
+														"ENC[AES256_GCM,data:9UOupBkg,iv:I+t2CqatQ3nUcAQACOgaX6Nn9Qu1v0UO7sEhe8Zcmxo=,tag:3cSO0haA0O3q2GYCLIihwQ==,type:str]",
 														{
 															"auth": [
-																"ENC[AES256_GCM,data:ikx/ShJS,iv:NguWQtf0AqiSoaO5xenXX6+xKp6fnIa5PL+QdoVV4Ks=,tag:Pkm0JpoFeYd4Srj+Y4bRhw==,type:str]",
+																"ENC[AES256_GCM,data:FCPfh1JZ,iv:PwC+MAlDKBRVf/diJR37uiOaoYROLndfNjuM0MPn7nM=,tag:DXtM26bEvO5dMmR+0/0Ryg==,type:str]",
 																{
 																	"appRole": [
-																		"ENC[AES256_GCM,data:m7idYSmk,iv:Xb1e62PUvPd2rK19foQKt81aFdezB+rFCE6EsqU+wzo=,tag:TGntiGTaoAb7cAa4ax/aYg==,type:str]",
+																		"ENC[AES256_GCM,data:Pj2W3xUg,iv:rs4u3VKqTEw2Q1n2lXmY+9R4SLP0opsjf2oJd/GF1Fs=,tag:bp52LUb9bhpJb+bCdJPXIQ==,type:str]",
 																		{
-																			"path": "ENC[AES256_GCM,data:hoo9n2Th,iv:lGUY5+rLLb4UqWevXOXXC/QVJS98tX/wBskntxFQ214=,tag:8/SYNJ7ZARdr1n9iBfohfw==,type:str]",
-																			"roleId": "ENC[AES256_GCM,data:Hg890X2s,iv:HP6dorFbRbxmvNWdJEPBz5PvTOBBXnnxXv29Iw8EE5Q=,tag:dzuDgurz3uxkmTraMijSKA==,type:str]",
+																			"path": "ENC[AES256_GCM,data:MAJhzMPX,iv:UlWWoQJlqVSnHHxltTWPf+4iygYuWuMN76FA/vCpQmo=,tag:BQnMmAMEj+JrAt/nERP/3A==,type:str]",
+																			"roleId": "ENC[AES256_GCM,data:QLC/D7Q/,iv:1INJMmG5EmKuVk5Q1yecbKpF1RkVpaxi1smgPRQUUfg=,tag:YG/bXpPEudMU+RXb7CnL+A==,type:str]",
 																			"roleRef": [
-																				"ENC[AES256_GCM,data:tYpi8/NM,iv:YqgoXMEbvQCj9/4EOASRKQ56E7+l/YjXXQWsKbsq+v4=,tag:DiggS8dFTy8HgPg84rQ3VQ==,type:str]",
+																				"ENC[AES256_GCM,data:Tn6Ywka5,iv:S36/ntBRKmFIctN/UFwmSZTqT0aUEmwAQOcw/hjf238=,tag:EUe49slp9eCT0i8CUdF4Jw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:Noc1Xyvy,iv:nLU3OUsfnl442njfaQfawoLIavelGS0NhRjYsCYqmo4=,tag:vt/AGc+ldtX7aTS3P2WM8w==,type:str]",
-																					"name": "ENC[AES256_GCM,data:Ul4UJjMH,iv:LzHBdTw7tyKjiaxnbXHtetC9mtOBSuaumzDkShdT92c=,tag:4DomieGXIOZODUl31t3SJA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:zh0eTvj5,iv:ez82aD7ATj7GEDHrAnanW6IN4ZxNyavurnG9T2w2pS4=,tag:3S5hjqDRmJ9eIpoDUkEvVg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:p0+NN0gn,iv:oQz4yaU69TJrFY2DwnOOy/P8C4rDZM6l7W+loUnoQ2w=,tag:6ZYNVBpFktLm3V7QCi0Vpw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:bVW00Woi,iv:X8QQG66a/DM+KQXM8RJ1DEzlNuIlsbBTf+e2Zcpru5g=,tag:1p9ztc0hd2GrmFiQfeHm7g==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:VOCrflvi,iv:eFkoZaUXsqjNxy6Yzlo3RZHt3qai2QnexXlnVW+95Mc=,tag:foRqrwHpaMDgBWsgmJUrhg==,type:str]"
 																				}
 																			],
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:LFhYofvw,iv:Sgo6F0eu7TF1GwL1YP0pJUQG6y/JihEUriYGNdwNFCw=,tag:KljrWsQGUuEFovYDjMH0zw==,type:str]",
+																				"ENC[AES256_GCM,data:qUZlLUvp,iv:CH2R2RfhnkZ5xFiaOHpf6ktuXRiVTtMSF2yDn9SP5ho=,tag:gTvz6N6uZsAem6dTZ+O9jw==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:516+4aNg,iv:BWAXQeW6D5w89fFhFs5Y4tQqDDbvfwvutTHCYLajoKU=,tag:+7Su1v9gx19Tv+flTS0Pkw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:v6zyMzfK,iv:BThuBTvkZf9GizWCIxVD74JsZ5SI8H/DmG+qZVZH2go=,tag:o7MMDh2GHvaU8to7EUbPIQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:2qFM/hBy,iv:wl8ygwU5qpf68ZR0YP68px5/VG2x+BVzvXx8RNXmMEo=,tag:lukYLw2aO6vGMBRWBYByNQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:RdHQoQ2b,iv:z39tBWPuWcwWgxZK4uw60MKQ6fq/XQup25qY/miKm9I=,tag:rJWsL2Kf1irPMAD+fXpqNQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:bf3F4IB/,iv:kJHWGBHn0TX8JNs43L9+Zh69VwK2ipRNsnS5TdGMlaQ=,tag:sevWhfIYhqRQ1JjZQrPWWQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:lxurWD3f,iv:tJiVnqmuJW6nc/OjF1EKX1HT2++8UU7ZJeFpXpnJh+4=,tag:I62aa4Qz3hD6xHIlMz+lgQ==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"cert": [
-																		"ENC[AES256_GCM,data:8OJLs9LL,iv:1UPGhtX1D0ZAtFtjWptkbWqzRLD5Ku2f54Nt0QgmSkA=,tag:AOx1EBEz2FwAVYtuWMgJ2A==,type:str]",
+																		"ENC[AES256_GCM,data:llQkd3jF,iv:KIm1VnbDUo4TT1mTDeQaWXfyOb/GlGbFVj0HKyy7tKM=,tag:4NWCVR6ok3XZjCzw1r/8JA==,type:str]",
 																		{
 																			"clientCert": [
-																				"ENC[AES256_GCM,data:W9WNEUoJ,iv:d9jSQPMeD+OQ2s+EAA1gtW+YRU4KQeyY3BXzqkd+OSM=,tag:aqX36rkFGHMpNtWW3VRaLw==,type:str]",
+																				"ENC[AES256_GCM,data:HuAO12qa,iv:hziPsg7GkX71p8PAzRyUlGIR9oMR50bqOGyLYe4v77I=,tag:hWo8LIzH9QrIdRkTPaVc5Q==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:pxUWaKTI,iv:kJa3H/Djrqkf+lsl8O7Qnd52knNnM2UB58WCtTRLziQ=,tag:OubiKkoU/JrshOyHTnq1Pw==,type:str]",
-																					"name": "ENC[AES256_GCM,data:EdYIEAXC,iv:fMTmI5LJfne2oOGUv9qp+6uhyOIH1hzkBYWsF1xJ97A=,tag:pkjfBSNNL4RoWTvDmj+VeA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:7N7IHl16,iv:px/gLwCpRouvhjMoFb9sux5ydaFgHfMmzQ8RrwmufLE=,tag:2KctebqBqgF3ZR9pSuktJQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:PBf1tFJH,iv:wfmVbafbDFlmCjxgcHmneJhR6ZnDVdQ11D5ihIVgVGw=,tag:D1MfynAlnllo5du3yh1kHQ==,type:str]",
+																					"name": "ENC[AES256_GCM,data:5vK85qng,iv:IfKT36/QQ2wTrnDy3iIJv6OyCGOYyEhqniiU5nzl2/o=,tag:ehR09XBZkoGddDiv/z0YwQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:333XLvIK,iv:qTeSW2qaZI1rTAemLUAF3scxYw5p8A4K1Kb38odtzz0=,tag:spkoIXz8akUzgaHlSHIW6A==,type:str]"
 																				}
 																			],
+																			"path": "ENC[AES256_GCM,data:1mVAaOty,iv:8IFBCmY4PJ+0ULenIwOV+drJxib3D9zgFXoZFlOP0wE=,tag:hIyFH+3h+qlzkHqt042fsw==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:N4wF7Q+L,iv:q4zCZomZ+pmaKec46DollDh8x6U1d9sRXD1EF+rrTpM=,tag:eczfb5GjG4uQloTUvbRq/g==,type:str]",
+																				"ENC[AES256_GCM,data:VGk/bfPS,iv:Kl5ikzZGv7aJD1fIkRGEtvB4yV6cMtu6oy26yVrHvFU=,tag:b+yc2OrW5tZ4Lf75w38B1w==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:3QhrdYJH,iv:+ZvOPaUBI6b2LBT8DvvPESDCRFQ+Ap3fHMMZ2u3JtDY=,tag:0N2Gq0APsl92ys+uwu/nfg==,type:str]",
-																					"name": "ENC[AES256_GCM,data:wcUjNHAg,iv:Ticnyks06l3Ek0xcALbeLyEN9MSv4zuLaWIB35qI69w=,tag:jwJ87sgtI/rulsRcZqgiWQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:pHVpHty1,iv:pE7RtyJmnODZaEUSrWEVLSrEabNSzn9IsljDiom9t6c=,tag:ae7np8pjbbcLxJgX1Jzlhg==,type:str]"
+																					"key": "ENC[AES256_GCM,data:lb4aidZA,iv:sUnWNS0VUgPNaxBoIrzBP9NDTrC9EzvoMcpnTKC+nWg=,tag:yUT7Cy7euaLsgJE4AQLtEg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:2bRmDm9L,iv:nJ4GTZBLHsjk/PX7Gti2WIgFFToO9YYXeziXvnQTjiA=,tag:/GElyag/6bh1BjunEA9rSg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:B/wGW3tC,iv:n/q/ZwF6/BSq1GxBlBdgpEmw5/Jo0v5xKUYOyCYhO90=,tag:RMSfk43q1FO29XlLC146wQ==,type:str]"
+																				}
+																			],
+																			"vaultRole": "ENC[AES256_GCM,data:eWO/9TTK,iv:5IqZBgAxZi0SybeVMPKnLuPldhczeE+oJCeBhdxy+ms=,tag:6/GuY1ZclipJMMmcJs9uCA==,type:str]"
+																		}
+																	],
+																	"gcp": [
+																		"ENC[AES256_GCM,data:fjDeNvvY,iv:3QqcVQ275zXo4Wqk6NNzqEMJYqQFycvZxPTU+TQgwC4=,tag:SomUSyNqHNCWDtADQkWbDA==,type:str]",
+																		{
+																			"location": "ENC[AES256_GCM,data:kM8bdmyo,iv:yWdUpB+lULOW1ssOhvFzCH1M2+eWbGA19mACbjk0a9I=,tag:mTb6bqYJf1+mMQH68UTqCg==,type:str]",
+																			"path": "ENC[AES256_GCM,data:0iF+HSqr,iv:O3p2wK9GIENJgkDMdoRYf+Ox7hjjir1xnob1fmj/SeY=,tag:XoE1dYWHSLWToO4NAq6A/A==,type:str]",
+																			"projectID": "ENC[AES256_GCM,data:zqckcdRc,iv:b79zAdZB5WB+ez4Bk9CTiFsFhzd1z3YQ/2NXuQKwwKM=,tag:BAw2QCCT5CnF8MZQ7L8bvw==,type:str]",
+																			"role": "ENC[AES256_GCM,data:sYM/bFD2,iv:NApCzkzO2juvSnOFgyBqUNb9m9UmQpua7nHD29FEjYQ=,tag:K9Ac70HSCSXp+K1WmO2jVg==,type:str]",
+																			"secretRef": [
+																				"ENC[AES256_GCM,data:vJXLqkIm,iv:YGdGZL/Q5s1jzd5r4ZkZQexC5bG+OWCIf1ou8DwMnlc=,tag:SolWEXhDsbD74Ign75LzzA==,type:str]",
+																				{
+																					"secretAccessKeySecretRef": [
+																						"ENC[AES256_GCM,data:F9acTu0Q,iv:NtNfcSuUrvpC6QI0r+eOmY9Pmshj6xaYhZAEIsb3mkQ=,tag:wAkuVqidFMLw0Cuktcg4Hg==,type:str]",
+																						{
+																							"key": "ENC[AES256_GCM,data:XmOLykII,iv:dOjEi+pkBksxj5W192RivQ04N6a2DpueTsUUblSvDNk=,tag:C6bcYG2mYhLusbBETDEXqQ==,type:str]",
+																							"name": "ENC[AES256_GCM,data:K/6oCSu2,iv:YngEy7pdGgKbdgQ0kpqYg4oAWL6O16AIsOeHBaN7Brs=,tag:2mR3dpMDHqI4MtybpAwrjg==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:chbxnWz7,iv:f22AGv0Jm0KsNMZ6Ne2nBgS+QFBO+5va+o8WDNRaWLQ=,tag:zatCtp/0Ooq1OPmD85ECeg==,type:str]"
+																						}
+																					]
+																				}
+																			],
+																			"serviceAccountRef": [
+																				"ENC[AES256_GCM,data:j2tYpofc,iv:QeItP3D7pOBQYfFcLdRmFNLG7vMxCc27IDprrtghPuw=,tag:W/StXYnio8j0CK0ezeHUEQ==,type:str]",
+																				{
+																					"audiences": [
+																						"ENC[AES256_GCM,data:z5ILKw==,iv:fzq3kt4/ue/dCF/Z9EK6TYPkI3H8S56WWazscbCXs7Q=,tag:QIMiVJz/Jitfw01u0N3KHg==,type:str]",
+																						"ENC[AES256_GCM,data:VlhvUZ4l,iv:qGMK6FNwcLisj3LaOeaymH4E5j7jfODFcWQHLunxwLw=,tag:jK2fK50VT+Rl2qpdFZLG3g==,type:str]"
+																					],
+																					"name": "ENC[AES256_GCM,data:RStfcXgP,iv:Hj4idjm5PYFImbipGYjadQ99wJA8nNnOs/Tj/AYzv0Y=,tag:1ZLDvoF298bM9fIBJ2GEfw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:MU4sFIQd,iv:K4w++UiLMAliOIRVZBDHIw4F/eKQAK2TT0awaZrtzE8=,tag:0DhdsFfBTmZgfJXaaKebNg==,type:str]"
+																				}
+																			],
+																			"workloadIdentity": [
+																				"ENC[AES256_GCM,data:OKHybWEg,iv:GX2BGTNUm7Vd79txcxiszze0D5OSPdiIilzfMBiC2Ps=,tag:JcIx6dnzUHMgVAiiBhErRQ==,type:str]",
+																				{
+																					"clusterLocation": "ENC[AES256_GCM,data:60jrTeLS,iv:0eWy+EWjbPVuiWT9MP2B8FF/EVf8H1vJOFTVkRmyj84=,tag:FTjKLc1n59lM6LGmVDxPzA==,type:str]",
+																					"clusterName": "ENC[AES256_GCM,data:FarzRu1f,iv:24XUAQVxima5rEIXAfPWXu/FEnE3zDCVqVGkfXZQZ9o=,tag:PojyJejUisqhBd+XO3InFw==,type:str]",
+																					"clusterProjectID": "ENC[AES256_GCM,data:U4Jdy69Y,iv:FFKeU4PXJP0lQZCDkg5C8UwOwlQwrynWlg2buS1m0gE=,tag:JqrQhreMLYOBSSiqYj5+ig==,type:str]",
+																					"serviceAccountRef": [
+																						"ENC[AES256_GCM,data:r4JLm1Py,iv:jpTJrl99Xy/PxSbQT1cyt+/jPBheP40ksRIoNFiw9xw=,tag:BESu7/WkK9FDiIWMTtXbew==,type:str]",
+																						{
+																							"audiences": [
+																								"ENC[AES256_GCM,data:JjsRiQ==,iv:bVQu42dLmyf97HglnS6PEF1vfk01/Pnzr0XjeXrMqpY=,tag:djFSk3sZfX7ZoT8nG1jWsw==,type:str]",
+																								"ENC[AES256_GCM,data:6uBQ09wp,iv:mnt+WXbOo4CuKDDv2PQ2khLl1KMJARJx/0mSPS5IbdU=,tag:VNGQ08w3lATzCErmfT5cAA==,type:str]"
+																							],
+																							"name": "ENC[AES256_GCM,data:CWKq3gdA,iv:HEFMIOP3ocUY9nWCkt+T2x/nL6YxxFDR7l0x6l1ovho=,tag:RdQVNoYSaMTdmaFxmkNZpA==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:8KOU9UkN,iv:LGbsdw7BV2hmWoEKtlVhAtFxwdm7WTYopK6xUnz57UA=,tag:cJqEemZE/WR+lNQ5RarKFA==,type:str]"
+																						}
+																					]
 																				}
 																			]
 																		}
 																	],
 																	"iam": [
-																		"ENC[AES256_GCM,data:a56ai00R,iv:9dkrUZkccN43JUMH7xI1QGG0/h9NY7gSaxk2SMZdZio=,tag:xSL3u1QTWMhfrmGz2y15Ew==,type:str]",
+																		"ENC[AES256_GCM,data:Svp6T82W,iv:gZA4ew6LJbNSPql4vPXYgt1Hr7erjBdgTTA0AFj8mtw=,tag:ONXIvWgRILdLyItnQRa9QQ==,type:str]",
 																		{
-																			"externalID": "ENC[AES256_GCM,data:f9yrInFU,iv:Lm1HSlvnYKgtfDrib6oqlFq/gh2GwR2CpPti4gEQn/E=,tag:WDd8HywSfRRiZhU3xkuuDg==,type:str]",
+																			"externalID": "ENC[AES256_GCM,data:Ooew1SkO,iv:K+AwmSWaW767Q+AnVGshON0AHOMsjpoNzGmp4vyGE48=,tag:nZVsgIGMB8HAnH+LqIjeLQ==,type:str]",
 																			"jwt": [
-																				"ENC[AES256_GCM,data:ocT+jG3U,iv:2ABbE0OzWQVTwOgg3rgGYsZzEzBWKa5tdFs0YNz4k5s=,tag:UNXO4Gu/mIhwh0uqkzn3jQ==,type:str]",
+																				"ENC[AES256_GCM,data:O6G+DBVL,iv:++E5ZgDO7QHfKP6qaWRVAjhYlO/4DaYc7EK4wApNPQE=,tag:U+37/bsevL71ti24EEnmMQ==,type:str]",
 																				{
 																					"serviceAccountRef": [
-																						"ENC[AES256_GCM,data:b5nmHseQ,iv:e6BI2GfKLAchNBi8E66uDbyvZ31TFOJNAIfe6WmcK4A=,tag:MZAnnD0RxG/8cuWv1qqvHw==,type:str]",
+																						"ENC[AES256_GCM,data:zaj1Grj3,iv:x3LBAQJGMZmS8U5MqdS8cSmBrDTKk7zE5J75B99ynwo=,tag:+nrTYF/VRZNNGKyfYMRX4g==,type:str]",
 																						{
 																							"audiences": [
-																								"ENC[AES256_GCM,data:GBhzKA==,iv:2VmX7Ypf0Z3BvpDEbE1aDoGyyQUT5rnOWGQ6VUN0DMg=,tag:KfAlR7DU4C7eMsZNM4056w==,type:str]",
-																								"ENC[AES256_GCM,data:9uhYl/FR,iv:C98CCMVhB/BpJYakFnIb5yBO6dLLEwtTvieID/X2Y8E=,tag:N6S7ei2kP/72LTpP7DuAMQ==,type:str]"
+																								"ENC[AES256_GCM,data:87cvmg==,iv:LiypL6/pP3N6q1HBMjYZ/F/ZLiYhijzAHAqYVgYlxHo=,tag:Okw06M/DRx/2h2Mryf0dAA==,type:str]",
+																								"ENC[AES256_GCM,data:Dnw7UHzs,iv:7SMpsooQHLL3oUy14wJ4gyFSwJdPBeeQlXwzoK1ujd4=,tag:GtGFzQEhw3jL5vP1qZ5eLA==,type:str]"
 																							],
-																							"name": "ENC[AES256_GCM,data:H5ab5dED,iv:bbdJXZ/qdA8Zcemroa5BZXhOp5xKdSEHlgXptY4UI7Y=,tag:fkg35bCs4yCH/qRbm6FtvA==,type:str]",
-																							"namespace": "ENC[AES256_GCM,data:ed+mGFJh,iv:Oa+qAq2aj7VRRRwfRMP348N4XXkU66gq2LZ+/cOtKy4=,tag:OZZ0Yqm6QyXbZe9lXtGd8Q==,type:str]"
+																							"name": "ENC[AES256_GCM,data:runR/gu+,iv:dFHkY4glNd4i0pqr+oNTpxC30XwZk9MVIO8+sDYv50c=,tag:XVVdRq/yqwQTRkhMo7ZrLQ==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:6lZkVz2m,iv:f482AomQ5Kk64IKKOhaRPAhcOk9/N2QBXTDSxOUvXlU=,tag:owlpLli2C/pIzCrCDFzXlw==,type:str]"
 																						}
 																					]
 																				}
 																			],
-																			"path": "ENC[AES256_GCM,data:AtItcuDa,iv:zGFLQ30bfu3KnNcTIk5nAoEX7G8g0o8kO7WX/fN0O+w=,tag:lrxQIxB+ya1NY32dv16Qhw==,type:str]",
-																			"region": "ENC[AES256_GCM,data:j8+8GkMh,iv:Yu1RHFuY3vHbLCtYouR1GgX1RDqE17xEZPGBlkjyfVc=,tag:aXyyY6VeG4P8bmnC9Xtv2w==,type:str]",
-																			"role": "ENC[AES256_GCM,data:CF/LH+Rc,iv:c5uHxo3v11LmDhGWzh7uuIl3dvLR+2l7660n5nud3Tk=,tag:9Rr4oABrPKDX80LTD7L3YA==,type:str]",
+																			"path": "ENC[AES256_GCM,data:lgLu18bq,iv:xxfMpXVPXeuWbRUtCEpTkzHARZ2wKPZtfiN5o7uj3MY=,tag:kfCWUUqdJeeATnRmaXb6KA==,type:str]",
+																			"region": "ENC[AES256_GCM,data:4cfSK7xT,iv:+yohi08FVZ10O4B0BOB72y9MspQJqIAuU4p0ErA2vXI=,tag:BQ7neqyxfKbW3POYdOL6mA==,type:str]",
+																			"role": "ENC[AES256_GCM,data:mVEz5pld,iv:VI0SY4GjHEeFTVE4EJw1/f7jgC/nYufPgtMkd7nMrOU=,tag:RK3qlJnuRuI4L72kyYL37g==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:3mRDQzyx,iv:O1NETY8Pc8febnOoBCfZyv8TIRMlr368AJuIyHPIrQ4=,tag:Mxxo7HCnA3Vt8yzJc1Djdg==,type:str]",
+																				"ENC[AES256_GCM,data:1SulveUD,iv:NMZP69LBpF6uH2EY8OF/vl6+tBsbSJgIbU+MpLViuZU=,tag:Zys9W2Hj9KlTvOn6DCalCQ==,type:str]",
 																				{
 																					"accessKeyIDSecretRef": [
-																						"ENC[AES256_GCM,data:5rbHGwZP,iv:NmHTt5paDN2sCIXyzdAm3gmrA666nYoGRoLv5PoR8F8=,tag:+kIqudLLMGDqKUwHzuxJOw==,type:str]",
+																						"ENC[AES256_GCM,data:/+zBdeFY,iv:6htFwD5I3b6furo1kPtZ60wcPO3HlalZT4Yz+47THlw=,tag:wSDSQ/POZj6ASGeeNaI2QQ==,type:str]",
 																						{
-																							"key": "ENC[AES256_GCM,data:Y4YqLSYX,iv:CDpoGh4CLoQP5i9W2IPKOKxg/GMku4o8d1aTqg/SWLc=,tag:br2ejOzjAhm4UmIvakwJCA==,type:str]",
-																							"name": "ENC[AES256_GCM,data:qoi+uep9,iv:9Ha6MGUuXUpgMIA71lbu+BcMSNCQMBiZeD/iTWJgG9c=,tag:fGUGvSvF3z4Rg+9kjw9peg==,type:str]",
-																							"namespace": "ENC[AES256_GCM,data:qqp85O8u,iv:tyKj3CRO1O3wVg7/N6KKxGsn5c9m4bxFIFsjwnTYnrA=,tag:tEAtxZ+CYz8RVQiBVL3xvQ==,type:str]"
+																							"key": "ENC[AES256_GCM,data:LXFiaWRs,iv:tkjfAj4keCGFHeC94gsF4J/qV0+UGsUZJ+phiGDryf4=,tag:ZgD636HaM3YzCfj5tXaxJA==,type:str]",
+																							"name": "ENC[AES256_GCM,data:q1cGBX5S,iv:UzbYxibWw1Wypojfhb0vZl8FToO5OxWt2ky6TG8UY3c=,tag:dtkP9zQlFvMLQz87ZmjEkA==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:G08kKSyd,iv:7jfagfL0yoo7DCikl/V1V/F34WhtrC0+j6eJcxkufpc=,tag:3VuZcGUuw/8+EazhKGuBEw==,type:str]"
 																						}
 																					],
 																					"secretAccessKeySecretRef": [
-																						"ENC[AES256_GCM,data:Z72XEqnA,iv:spqp2Pdq/XsiW2ztUnafq8qz3Ms9CrVVR7D9SLuLTpU=,tag:OCE1Bs+gKO/Px9ebvdLEcg==,type:str]",
+																						"ENC[AES256_GCM,data:KhXqNKu/,iv:4hISd3wgoAoOi1Jny1aIf5v9gTHPq3JJiXgsYaTXpW4=,tag:90cXzY6HPrSNKTYKC83o5g==,type:str]",
 																						{
-																							"key": "ENC[AES256_GCM,data:0bKBYtwe,iv:E++yUpEaZMOFfE2QWE0ygSqTYE5SUSLy9AFmACS/T5s=,tag:qqYJfLgGpmCQo4t0ymgSlg==,type:str]",
-																							"name": "ENC[AES256_GCM,data:W3O3Pk0L,iv:cqX5tAgCsuoNWqzocpS44aZkdFGTbxZNYSGCSxWw0Iw=,tag:gcjMcmCsD8IE0dGm341yaQ==,type:str]",
-																							"namespace": "ENC[AES256_GCM,data:jR4vhk8X,iv:DMA7EtLKTCEuxWXR92OrYDey9RV0b1+XTL/O6nUokeE=,tag:fJTkG2wmVNFiuWCBQwYI2w==,type:str]"
+																							"key": "ENC[AES256_GCM,data:UJgXW8xx,iv:gYvAJAdz2fCc0VN+39/pfIZOoYc1Tx2iEI+SsonBWBA=,tag:ir7qE10TJ5KfDwKvgZJvCA==,type:str]",
+																							"name": "ENC[AES256_GCM,data:6vi/+qpk,iv:qMCOj/dmwyVuUelVzBO8ZsjAbThJa3zjljx5CgwdJ7k=,tag:aRM2QTgDAiK+7tlWoSWV3g==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:+EJhz/QJ,iv:C+96g9LTjHb2wSgTPom4g362xyjZH9R/twKFrsTzE5I=,tag:jmH9hOzDmm9XmQk/ZkK8Lw==,type:str]"
 																						}
 																					],
 																					"sessionTokenSecretRef": [
-																						"ENC[AES256_GCM,data:NfXsvcPF,iv:SxLlWTTNKagJ99q1tYnxRwbrKPHviS7dqYgK7/3Lkmc=,tag:UmuPH1vcUfUCr8O7/6xloA==,type:str]",
+																						"ENC[AES256_GCM,data:Fc4H7wj+,iv:VuzRcrKme23lA578sBw8TSUkfLbl0598ZkrX5RViagY=,tag:c1p/+jlH6ynWhh+25L7qhw==,type:str]",
 																						{
-																							"key": "ENC[AES256_GCM,data:tD9pAvas,iv:KMe6mukNBnEhTAAGxz+Kwl22PGUcOn5JdmyDyGsYsLg=,tag:09j5AR+xsulG+f3U16fqaQ==,type:str]",
-																							"name": "ENC[AES256_GCM,data:fFwVP0eD,iv:pp/7EL/kO/pzH8uCl3ehcLgt1K1UEJxwJQVl2h1Fsn4=,tag:cYXsE+y7WrtX/pMguhu06Q==,type:str]",
-																							"namespace": "ENC[AES256_GCM,data:uUQPqOMK,iv:Z0i5Lei+zr4NJQ5T/DK1ph0iYReyc071zhuThANsToQ=,tag:gMqthunz5aFuNsMR0e0sGQ==,type:str]"
+																							"key": "ENC[AES256_GCM,data:MfaVCgef,iv:9ltbW74RaxoDBm8mOK5deTMDM5piPcgxNAPvO/wye1A=,tag:OiihFyFMEmf3/c2LvbaYnQ==,type:str]",
+																							"name": "ENC[AES256_GCM,data:fpFWS/wN,iv:3+04w61jtLfKLfiQVaG/tEDUdBrIUY+i+SfpMXb1R6w=,tag:POxQkCrz4ZZT4L5uKhFjzg==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:/t/7ZquG,iv:jTXz+BijShfyKPSMCCKPRgYNmtrac+s9KaYa76HjjME=,tag:RpFU0ylEDNNRuwECcS3/jQ==,type:str]"
 																						}
 																					]
 																				}
 																			],
-																			"vaultAwsIamServerID": "ENC[AES256_GCM,data:+YYkD3WY,iv:7a0SbohpOZYp3uqLZyHIy+BUqK1hg4wNQQ6OZCtLPEI=,tag:fuKrSNCi01dXM+vWQNYOkQ==,type:str]",
-																			"vaultRole": "ENC[AES256_GCM,data:o0Lr9LXW,iv:QP0xuTcvIgm2eAuUfs47aUIvlq3a3JjKBcOh9ZC2x2Q=,tag:b3pukrMBKu6fAhfBBEVIiA==,type:str]"
+																			"vaultAwsIamServerID": "ENC[AES256_GCM,data:ThsCYUn8,iv:PLRzAU5Afh/WVi7LleHDQr22H5dRuANLlOUI++DjWao=,tag:RdF9MWaartgxrX08kRv5vQ==,type:str]",
+																			"vaultRole": "ENC[AES256_GCM,data:PDsgMINf,iv:MmpyY9uS5AV+PSp0cWcF2Ahbt0Ah8ZvXkFzVsP3Z7HI=,tag:loQI58s1BWyyeFy0mle+ew==,type:str]"
 																		}
 																	],
 																	"jwt": [
-																		"ENC[AES256_GCM,data:fIyCTX7s,iv:8RvqV9tsm74lG/VpWKe+EaUwJBzsGPzI3GmAnlqkZg4=,tag:hOPnMoz9EvvdG2I/30GULg==,type:str]",
+																		"ENC[AES256_GCM,data:ZWdyFfbA,iv:IQDVfoxNLks3WPogrhz4pZX+gTgCKYPtPbHUfcH8pBQ=,tag:K+WxjFSJjHEFDD2TvObtFQ==,type:str]",
 																		{
 																			"kubernetesServiceAccountToken": [
-																				"ENC[AES256_GCM,data:2qVWK5FP,iv:M3piXdl03XzK4sZcsYqXvln6ynTryIVDkSHjIP4U98E=,tag:WcX10Qfg/n2/IJ3yXBqO5A==,type:str]",
+																				"ENC[AES256_GCM,data:ojAhB2qn,iv:Bbv1mL6pukdNQIzXVwjtmSxz6JF/+lVe+HZvIJFQodk=,tag:YRyT4FMqwvYMjUEFXiuM4w==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:q/FrKA==,iv:krRXl2mlPOnKtXIPyJetEzkIUuoiqUBAuVfhDeE0Hm8=,tag:Gvw4uz7WQUgj16Wk5wFf8g==,type:str]",
-																						"ENC[AES256_GCM,data:tr8HAu2Q,iv:H5v6N7IuoswUj8FZmrSohs0HJlNh14YbJB5EMjDbItI=,tag:g92jLLYKq6apPzPuLaqTeg==,type:str]"
+																						"ENC[AES256_GCM,data:Ulv0Jw==,iv:KILTYeAM8vH2Ha7cQM7BVPfCkITADU25UKJZ2tRuhiE=,tag:OCYs/9BPL9nOBfCj8BKGTA==,type:str]",
+																						"ENC[AES256_GCM,data:fXD2bTYX,iv:lZB9dMzb2MRCoWEc/CHS7Y0c6U+lPBpfr+CP1QIi0Ww=,tag:nadYrO5uGKLUGFRJkSZlVQ==,type:str]"
 																					],
-																					"expirationSeconds": "ENC[AES256_GCM,data:H+c7Dgay,iv:hp+/yeZtI7lxnHXMoEN7UjkBQA5CyKTJM1wytdrrhx4=,tag:doXoA/ITacLH7/3oqGLJow==,type:str]",
+																					"expirationSeconds": "ENC[AES256_GCM,data:Q5gOzuh0,iv:QIAly9LNQSvqkkZjTB83tpKqC4mgjPNlRqzKxPbM4cs=,tag:8x1nhqSFH1ngNUW4BK9RjA==,type:str]",
 																					"serviceAccountRef": [
-																						"ENC[AES256_GCM,data:0cizoQ8e,iv:BqExrXfv5WjaSe2RGPflULaU+Oab90PPSU9461nqBZ0=,tag:/6jMx3TT9mQ5rVgX5aQ5mA==,type:str]",
+																						"ENC[AES256_GCM,data:knPfc4dV,iv:ozp2nssK6gNgFaeQX/60Mu79Lif6nBqYX4pCDBFwwVc=,tag:9tGZKdVgm0tcUL+eDFVhrA==,type:str]",
 																						{
 																							"audiences": [
-																								"ENC[AES256_GCM,data:ZkCS7g==,iv:3sX/xt5mmSR1mxjpQA6G/bTnCLRE37n5w3sqbvstvrU=,tag:kJLB1/o1QALZTmGi1C7QdQ==,type:str]",
-																								"ENC[AES256_GCM,data:EDOHEmm4,iv:xMkFqVioPuRwptUQoB1nYpKZ+7oA3y+0s8gSpYD2amE=,tag:e0AsSPNLB2GGQPMIIcfDaw==,type:str]"
+																								"ENC[AES256_GCM,data:s0twSg==,iv:Uj3wV1WTE0uJEA8SkvJEgQyVEEw8EXHbHoTJksdW8Og=,tag:ksh5gdDiP3CoqtcqRCWmJA==,type:str]",
+																								"ENC[AES256_GCM,data:ApfOO3uG,iv:1RUYIPnhIZiVowQdo2f9L0NqYdtlTU51KBmVT17PiRM=,tag:NVgZv8IOjDSpSOrDm3wnUQ==,type:str]"
 																							],
-																							"name": "ENC[AES256_GCM,data:MIPt9hQ7,iv:sCdZYAPA/fp7HDRPkLRdDZUlfgPpxHdTA7/1mYpFnKc=,tag:HuIC9yStOFNQf2om26D5CA==,type:str]",
-																							"namespace": "ENC[AES256_GCM,data:2mDpSj3q,iv:SgWoMtpAAwFaSEFZanf3t4Rh0IUgB85VXJkM//LLFkQ=,tag:odQnCygtg9je3xklEZbtSA==,type:str]"
+																							"name": "ENC[AES256_GCM,data:8C1iQ3e+,iv:WGpepRL4JmXsnwS4z9q42zfFrQqcS0HrwWf6+5WOBJE=,tag:R6oB7LW4PpMDMsDs88/Nzg==,type:str]",
+																							"namespace": "ENC[AES256_GCM,data:Na5En5hV,iv:7dpT+bphFzLtEXVQ9xVjnS3QVxWhL95k06Edj4B0p6A=,tag:61SrARz5oaj8ZN++XZLZbw==,type:str]"
 																						}
 																					]
 																				}
 																			],
-																			"path": "ENC[AES256_GCM,data:E6bvTxNE,iv:I/OxVrIoqtvUK5Izr8BgD3NMoG9PVXHc8dXLm7N9bxk=,tag:x/Xm4m3EqbTPbNvhwndRRQ==,type:str]",
-																			"role": "ENC[AES256_GCM,data:RO/EzDOj,iv:DeJZ/2s/KqvXz2lVCZ1yFtJKMmZ0dAxsVOspjdheKZU=,tag:j7lnH78YiQ0NanlAkHLeYg==,type:str]",
+																			"path": "ENC[AES256_GCM,data:y3Y1a7ll,iv:jYZDj7F3x2lwdhEpIQfSUe+E9YgYjF1VXYH94YonY/Y=,tag:0b69OrHK45wXuBY0+msp+A==,type:str]",
+																			"role": "ENC[AES256_GCM,data:QXN8mwlQ,iv:6srUhAG7tDbL43+KxRPx9KVzk+RdwsQ86+7vZ7EgSwc=,tag:3NmfOSI0qUOfi0OOmSM8cQ==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:9Vde0VTc,iv:pb6DiE4bCb1kwrDM2RNlsPEMh0AknKIsc4GjLTtVoVU=,tag:aI3MACktA+nI1olQB9v5zg==,type:str]",
+																				"ENC[AES256_GCM,data:Ai1oYnC2,iv:b+iz7azWlaQkQiuzLOkK3qt+qGsgWQhzKmr0ROlawnE=,tag:o2OVwVbIp8nLLQiTtQHTQQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:T+R1iDQc,iv:qcE5FmvZlBec2kqXaMj6dk2dKs/chIRjkMjMzLVQCmI=,tag:TYvndPam2GdS5eNDYCpkHg==,type:str]",
-																					"name": "ENC[AES256_GCM,data:5/0iTSGt,iv:PIza4LA6oDmAm8PY5g59yvD+0qZfl1YV4f7j5uDQ+9k=,tag:SP6YxxJ+MB7+ktRMmNXc3w==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:AHO7QK2t,iv:HQ/WdsIBCGh1+4/73yGv99JfUn/zg5ibti9tm9Z5duw=,tag:CSYB8glUD5Y8PBb08GeRsQ==,type:str]"
+																					"key": "ENC[AES256_GCM,data:Ycme4LCM,iv:PNW5NtblMo3hz+MARnl/8zaRhLNjQ5jrcQSwce98SWs=,tag:vox08TOzs1AGniYSMmATDw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:uHa3/re3,iv:AEOGUiFdbYMXVhebsr7XGFgnrOCY+HU+I5jWDB6WA+E=,tag:OoTqSiW7zQ+7q7FPS8DrFA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:3zsm4R6c,iv:F/PpjJ32G2A5bzJcoLx7y+iQ+8acjo+i2esWVQKfH2g=,tag:qS4REK/nLvlqCAvfooTIFg==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"kubernetes": [
-																		"ENC[AES256_GCM,data:zL2sDU0S,iv:wciGrSQ1YAt6ijOXSURTQ/5Sv8gWXtDCKiYxYtmM6fk=,tag:B9Y+te9ecSgADiS7HC7Gcg==,type:str]",
+																		"ENC[AES256_GCM,data:GwGlfagO,iv:3hVptx7dTkSh6vY8K/z9SnyD89wElFzEc7k8Uq7RsPc=,tag:clYdvJJ72cdlyS3SiF0faQ==,type:str]",
 																		{
-																			"mountPath": "ENC[AES256_GCM,data:jeD9IDkQ,iv:Bc69jqJw7R4hMSuxcKaKkkOa6pvF4Ci2zcM7LbZHfSY=,tag:nfNvozWKm90PSV1RU0w7Gg==,type:str]",
-																			"role": "ENC[AES256_GCM,data:8RSEYkL0,iv:tkOHtn0iMfBNWdPRSnu9N8vhFl7auyvUSLdJ/LP68lQ=,tag:Yz+KK1Uzsq/Lq7doZh7JXQ==,type:str]",
+																			"mountPath": "ENC[AES256_GCM,data:Am94aUg+,iv:lUQYwJksXCG8rie/Zy08WDosTO8hy7NcEIefPFqoUZs=,tag:hDtuZpoBMk5Cm6e98Ni/SQ==,type:str]",
+																			"role": "ENC[AES256_GCM,data:INavQLt9,iv:gqfapmutnuNUiFD4xBFUwKDNdd42bQ+O0HfwOjLU7Ic=,tag:D7Fq12bWnGGdkFAL15HC1g==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:mclPOe0O,iv:9wqHnpH1nMy3vY5zn1eufkQuwCYbSi1YCWo5H9QE+fo=,tag:k0qt6GPTrV9+WKYFMqTV+A==,type:str]",
+																				"ENC[AES256_GCM,data:/GPKWvzo,iv:15kdd5q0t57EroCIP3OvKuCdfzMG3Tf0HV+9Drhbkaw=,tag:GpDgPMjgDegaExM2P/r/ew==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:w8ssSO6p,iv:7afAGw96S9jh1dJXqkTSmPyeT3kMEUiGIJi3chubmH0=,tag:xuWfDcebMl6IKGLF6nhkpg==,type:str]",
-																					"name": "ENC[AES256_GCM,data:2XW7Mfbj,iv:bKJ4Bv569hdUKVIqFXkZBSLWUrk7GqRqdGlcETfG3MY=,tag:QNg6q3KSwxwTi8TL1S9n/A==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:eFV+p1ns,iv:lWTDQTQSUF5cdZ1oY+KFNGYsOdVPFkbpNTqa+jYFSyQ=,tag:3/brpGG0P28rtpL7nigB1w==,type:str]"
+																					"key": "ENC[AES256_GCM,data:kRXTSpdB,iv:WT4a9A80jOIxvIyxfbUXeGzztP7iD+vubXElvO0ZWZw=,tag:PF8vcMJwkRWLuErMmY9Q3g==,type:str]",
+																					"name": "ENC[AES256_GCM,data:zbGoWV/3,iv:5cc7Y0881XfIqy0zndt2JDCwFeiGZ5B+GLWiMgKRXLg=,tag:GvFOUDRYwIjJ8ylqxt8Osw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:E+4545fk,iv:xh3+MwBVEdmsH+Hx0rQyqfTUgobgWpD0hUMOat3Rv5g=,tag:aSdTIqSYQTiMn+T3r8l5Tw==,type:str]"
 																				}
 																			],
 																			"serviceAccountRef": [
-																				"ENC[AES256_GCM,data:qi0W/D72,iv:FPBa3Kqpnf1vz2zh3xF2MmMj/+MhfnDPRS8a84KdF/0=,tag:/pBhSkWvHiWs0eVof8eg7Q==,type:str]",
+																				"ENC[AES256_GCM,data:YpHnwo0+,iv:iuUnVPzjsqPE9GENuAIWJnmySud5c2ZhgPLAeJ03nPc=,tag:txT+91+xBQ8F9FzpLZm5Iw==,type:str]",
 																				{
 																					"audiences": [
-																						"ENC[AES256_GCM,data:BvUJdQ==,iv:koOfkMrm/xk+cfCDv0oqSRxvOH/1e1ifhujMhVxW9rk=,tag:jrpaMClJw/P9blA9G3qS/g==,type:str]",
-																						"ENC[AES256_GCM,data:dOLpBsZk,iv:ITD7KOLMlyW+jxWq62BC7x5RerkUUIB8YL4Er6GNy+E=,tag:4yCJkiUEfw4UIoWNvdLNTQ==,type:str]"
+																						"ENC[AES256_GCM,data:+eR4/Q==,iv:ZBqKgnMs166vakmyeXAHeK1BEgEgxjvpGXTHLYHDRLM=,tag:ok8UVTelt21JG8U7ztpuTw==,type:str]",
+																						"ENC[AES256_GCM,data:wI3r3Uz5,iv:AmJEoWcS2nTZJhEGBthfsCbb3JbcoKXzcyfHFo3iVqQ=,tag:6E++YU6KI0hyYGqzeJBGrw==,type:str]"
 																					],
-																					"name": "ENC[AES256_GCM,data:I/twG+Oq,iv:Ror+2hquzEj9wpDKNZD4QhiaWyZw9xtBp6VlEo2+pxY=,tag:AvEU3mu2H52/YFOpG3QVAw==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:awdGK2tV,iv:TZl2c5stcGvehBBE2Gmi5iZUpdJPhdCb7+UTRzRIc48=,tag:tcbm4eD6jdGdP+ZxAG3+2w==,type:str]"
+																					"name": "ENC[AES256_GCM,data:C3q+xIR7,iv:WftJbKp/031JVC8nuBcxyj4EOSiYsfDlxRHChfrhj6Y=,tag:K+WvgX9nPgBXENhWNblmWg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:lFWkT7q3,iv:VWsV+sag2TcYHkyn3ZtPxS2b6znprki1Yvbxc0u3WU8=,tag:s/1NrGryfd5j3p/v7Zo5TQ==,type:str]"
 																				}
 																			]
 																		}
 																	],
 																	"ldap": [
-																		"ENC[AES256_GCM,data:ngiy2k3m,iv:oi7XUAuIBR047GhPXLv9RjTxZO02+7lWbvy9U613NbM=,tag:Gya7EiLwdkVi+Z2Fp4mdAA==,type:str]",
+																		"ENC[AES256_GCM,data:0fmqjrJ6,iv:Bi/shKc7mbyqFmEFILswp0I/ZyP4v5fhM2scVvD+24g=,tag:Eh2ihaw88j+ctDdju+q8dg==,type:str]",
 																		{
-																			"path": "ENC[AES256_GCM,data:+imYoVju,iv:8f9MI40JTvHfrm6eW/DWka5l9loh8UXC4Vwg4V9km9A=,tag:IHIpAPYvZ6S1+uaFPQFOXg==,type:str]",
+																			"path": "ENC[AES256_GCM,data:Njkf8Kko,iv:f0gmtdtMPmkzrNhBogEx0/fT1Mp6IVPqh4y42aRwY78=,tag:6cvc2nQ2hBGOlBbbBRzchQ==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:AjPhK4zh,iv:F6+lZy5WDwzI1TWcIBs2rdVF2VG+PE20tgk7xIMG+ZA=,tag:3D3pA2EbsvU/txaB8TF5UQ==,type:str]",
+																				"ENC[AES256_GCM,data:PlF7zghx,iv:76QPJ5K42T+F5cZ0/S52BC8xchMma7ZDieW1dBd4Hhw=,tag:MvO5Oz1QACTviMzPYyupzg==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:51Ggf3oP,iv:DrofhqgAMr0MxgJBfDW6EPcPEWrdE+LfPMmittb8QDM=,tag:EqWfYI4mDqhMXcSLpgoejA==,type:str]",
-																					"name": "ENC[AES256_GCM,data:q0DuTqM4,iv:HvPdroCVGEya1QT1j78Yyc4av6VUgjslhTPH1DQ+4Rk=,tag:Q2hhOb1nqckg90Lopfz+BQ==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:wznAp78l,iv:vTwZ0en+4LaH7E/SouvLDlhsRQ+MCpOJGHZNySkAhEw=,tag:YI9F7O5qdaBEs7YqpLtkMA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:STzYkyGX,iv:dbzVuBiM3N9xtUfBvPeu/6++knNgRXJJPvm1XzsQeGY=,tag:hs7ue/XpTC29dcb11i+6pg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:X2/l3wKv,iv:pLDFCSaquxbF0KSUKjW0ueFoBDA6TvkM3nBFx8HAMZE=,tag:1+akuCJyvoU+bksyY7m+sQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:wC4K4yym,iv:KY4Icbhi0h+N5L3BBq9/EtnisEaH2NE9Q0W3RN+h4PQ=,tag:fECJPPR/b1vCe19Zcpq40A==,type:str]"
 																				}
 																			],
-																			"username": "ENC[AES256_GCM,data:cI6uINX2,iv:IK9f6Yz+XZsX6slNW6u0DGidCj5ScybcD5DFuDNFuQY=,tag:6LSUVI9ly9nWsE0ROUQSHg==,type:str]"
+																			"username": "ENC[AES256_GCM,data:b7qbADJs,iv:a0z59NNuz8ACkOEI3IT1aUryaU0fAjvujVvpWTRIXF8=,tag:tvT1qzI754UxiMVyZUY4cw==,type:str]"
 																		}
 																	],
-																	"namespace": "ENC[AES256_GCM,data:St33M+7M,iv:CpUOY0UTO5ZEXtlWLsPOXNFGw6SYasKH6m3jD574XU8=,tag:5yIiW2ybnepotHc+WGD7Cg==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:8NB7kyUT,iv:We0qWYI5NpCRnbhefMl35gH+BzN9M2esT+DmtBOxdOI=,tag:wJ2yxeWMj4dq/DZH6IYFYg==,type:str]",
 																	"tokenSecretRef": [
-																		"ENC[AES256_GCM,data:6C64Gj0E,iv:jS3a8+kTxY9jqrHMkunHNboR672+pWu39Ka2Ifprcok=,tag:YqzpSXDUZ6X7y6SJ7sYpLQ==,type:str]",
+																		"ENC[AES256_GCM,data:QJKoE5qg,iv:S3xRRA2b+bqbw3KMuYbXNRfefv2II3BeoDLC6s/HsPM=,tag:tcidYw/uKc5ODcH6YCTjiQ==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:UQAEwwMB,iv:SzdpPtirEtvddzA/YX+wkDxDl66d2L079wH8cE4eBCw=,tag:33y1S/wwYmOJ2AB+WGX84Q==,type:str]",
-																			"name": "ENC[AES256_GCM,data:7kqOHprJ,iv:1/WFCSSGlvwauQhgxKMjehxccZbHO8GpHJ73b72g1u8=,tag:SSie8ysr3ToydEgH+nAIeA==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:bXt10MTl,iv:Uo+dYVbCOqAKkLIPMzq6PKgy0SudSgSfAByKEt2Y1Pc=,tag:GD86oT3OvERbEwN3aWz/Ug==,type:str]"
+																			"key": "ENC[AES256_GCM,data:UN3PeVf0,iv:0FIs3S+ePjffKbNMmU/QFPe/0rqvM1snnfxokQOMjCQ=,tag:bIFGtsg28ikpatZyHxjiuw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:IeaPDC33,iv:KHHH5sLlkSh7PEaH/rPO6zTd/BSjpYdI9SxC97RvR/4=,tag:wxC9gzvd1kmfldJZx79UGw==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:6/HmNnfT,iv:WtMnO4vxtW6Whd4l1gU7BHm2pKd40B9P17aCvZYGLsw=,tag:Br7EOuFxRS8Z3apsrBC0/g==,type:str]"
 																		}
 																	],
 																	"userPass": [
-																		"ENC[AES256_GCM,data:LTzmJpq2,iv:EFW9q1CFuFyFEXAvqdpNG1edvJyjR05z/pTySwQOZcM=,tag:5zV/jTmZTSI5kRnIZDmdiA==,type:str]",
+																		"ENC[AES256_GCM,data:rxiEMeRp,iv:naDB/f4lD/WDw4pzFhCM+Zn+2jLvRAPI9nJ7igZ4VXM=,tag:X6fQFm+/IFEVBiJZ6/RgAA==,type:str]",
 																		{
-																			"path": "ENC[AES256_GCM,data:vGeVplrR,iv:WA9QLFp1q0YJEKfiE3BZ/L4eTZlwSNHe8iFNrWI2bbA=,tag:h9yocaQRNmx4LjglgRHc6g==,type:str]",
+																			"path": "ENC[AES256_GCM,data:xBlXaSu+,iv:y6y4h1dja0w8zJDyMjwyAvGuR2FLvSZGwLNtWGuiPyc=,tag:GgIGmEn17OFa+zB0a4+vfQ==,type:str]",
 																			"secretRef": [
-																				"ENC[AES256_GCM,data:chViJAYg,iv:ktFxlEJBGhLNthUMOWxVEPi/PzNVVjx8l4DTcLyvsIk=,tag:ob5v1bkh6k2cyTmusbviZA==,type:str]",
+																				"ENC[AES256_GCM,data:aQ9vFwJG,iv:RfOTLsr/Z+oI90M5k6DTFREPqD0yEr+847AZali3Eic=,tag:el3aGk2J+PRxORCmYX9bKQ==,type:str]",
 																				{
-																					"key": "ENC[AES256_GCM,data:S6/wpq/2,iv:60ONg0QhFNJWuRkgdg68qAB3vumD9dihOvwdiz4OnUQ=,tag:o62yOQqasjOfOAcdvZakfQ==,type:str]",
-																					"name": "ENC[AES256_GCM,data:+CEBEctH,iv:UTqe4n5bjtUnTQlvRM4xtIoyoxjSd5ZjLI2FIzRgig4=,tag:VmefbyCk/EoMh/Okd2JETA==,type:str]",
-																					"namespace": "ENC[AES256_GCM,data:luGI+7LH,iv:zmNGKGfGJIblyRTdvrtKXyBbNISdsv7JUdMvBCdvXFs=,tag:7EhJ8PZcKt3NPuQXrG4goA==,type:str]"
+																					"key": "ENC[AES256_GCM,data:wZbDRuLR,iv:HrclmN8l5JBpJ9efLYpDxxY3+DXwHIwTWf3/agHmihI=,tag:mSJ1T8xSBiuSRfDFY8hB4w==,type:str]",
+																					"name": "ENC[AES256_GCM,data:amlTHjH/,iv:AvXQsszDSWWQ0C0Fae8Vw++TztYxxfdmDf5AxtEGjO8=,tag:7GS5gyquFyu9CeRNIAIxWA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:3agb0aLd,iv:QQElEl+Kj9InUs6PpGJ7EGOqRxPsIDB63mfFPzMXyyU=,tag:tmocR44prPwYUMtd6I7C9g==,type:str]"
 																				}
 																			],
-																			"username": "ENC[AES256_GCM,data:KMJAMZ1V,iv:YEIeMdYF+XS/SdaNr3ixSq8XTB7YZduVL1cAy/X3qGs=,tag:nz3/qIMSixMrR8argKMhMw==,type:str]"
+																			"username": "ENC[AES256_GCM,data:Sa6Y6g1d,iv:0NDD1fMWsqj3XUFM+0Sis0GuSprVgwnm7eq/6SsOxWI=,tag:68FaJFba+rf3+WRMrkrzsA==,type:str]"
 																		}
 																	]
 																}
 															],
-															"caBundle": "ENC[AES256_GCM,data:VdnHRrxk,iv:0B/hmigvJfpKz0Ax2yin9hh404C/sKzR2zMH+LhRl7Q=,tag:It2if13tnw47eZiG1qcuRA==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:JwcPk8NX,iv:83qj4Rt1rvpbMPwfOx2tBFolxPA7jAqrVjkNGZABg70=,tag:pS/GFTFwbcOTFqOy90sI4A==,type:str]",
 															"caProvider": [
-																"ENC[AES256_GCM,data:nE02CRUd,iv:pPYps5jSvysBe43vw2V4ROWJgMLbKeDf+djs8DW42f0=,tag:KCvAv8KuFo0+nFp69REaNA==,type:str]",
+																"ENC[AES256_GCM,data:Zk3uZccQ,iv:B/0THmZwLmEdRory2MqrOCGzz20mByp2t4BAqea3sCY=,tag:yFT6gmcJTA03L11FVlN4qA==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:ZvHoO6V7,iv:jcqfM+Thm/qxR8TxDn2Zej2hvh0shqb8eFVN0+mK83k=,tag:sEr0tTVsrWT+qiY3+7+DHg==,type:str]",
-																	"name": "ENC[AES256_GCM,data:CuRyOe0J,iv:ltR++F1kwM1sUj+/PfgTVQOSYyUArwjAwBx8aEs3pYw=,tag:K+n2mztysD11PspdFPN4fg==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:M7Jk6plt,iv:kxtxUfHQYkXDZCO5+MNb3vGZ/eTAGtcm4XXpzlx2rqE=,tag:oBmGT837T/xNvGbgxUhbnw==,type:str]",
-																	"type": "ENC[AES256_GCM,data:tSrR64uY,iv:cXzAj/HZjd1UgUUMyb5KrY2rW9QWDib1oK3DccV8be0=,tag:Y4brfOY5RH5lLaF5lDYs8g==,type:str]"
+																	"key": "ENC[AES256_GCM,data:izszzNdH,iv:Q3v4HEJmHQrzcSgmkdF5eDKr/bK/34NeADLENyknJSY=,tag:y87kc1bVilUsSFWwYS3Viw==,type:str]",
+																	"name": "ENC[AES256_GCM,data:W3tcx3dm,iv:lm9e671bwmuu8aRdU/uKmF1Hn8z0ozVewDUdUbmIedc=,tag:N9IcJ12cJS/MuLgNPDdXPA==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:biyghEZG,iv:beGjU3ogkxEMQKdhDm+N3MPbudSHw67boYw0T1rAo5Y=,tag:48HDl62mbIeiDXJLsGPnyg==,type:str]",
+																	"type": "ENC[AES256_GCM,data:k6nUf5IJ,iv:GROPN3quZaUtBa/oS46yJVQUVHF9kGtyLAJ/RXV50J8=,tag:skQWJG9mrq730Xf1aX/19A==,type:str]"
 																}
 															],
-															"forwardInconsistent": "ENC[AES256_GCM,data:7LWJVg==,iv:yKVSEe8kDH8jFIuWAw+EUbuy0Ef0ObGeColZiJQJ3tA=,tag:mQ3irMKOpBHD5G+UN3jM/w==,type:str]",
-															"headers": [
-																"ENC[AES256_GCM,data:2RoR,iv:a1TMrw59lNXtBRXt2vb73DfaCnGppTfQcfbuY0nATBM=,tag:T936HTtV0U7+PWKUUe/wkg==,type:str]",
-																"ENC[AES256_GCM,data:+e9nmP7e,iv:9kdIGyQvA61uCk5WWc8LwUGl8k0zLSP3tRH6e1LkjhI=,tag:P56uZkO+YqxoXvjmynpsaQ==,type:str]"
+															"checkAndSet": [
+																"ENC[AES256_GCM,data:oI9i5vWz,iv:Z3P3fsn7Qi+aEFUxI3y889J6mHhJbs5KUDEGUMnvDZU=,tag:JJM+fcLs8H/qDywa895CLQ==,type:str]",
+																{
+																	"required": "ENC[AES256_GCM,data:EOT3VA==,iv:ZBcejeSOlAGiGAGNcAp4Cv1GGGAAI1KR7mTsyGyjKYo=,tag:+TRZ7SQvsWmvHwyn02A1hw==,type:str]"
+																}
 															],
-															"namespace": "ENC[AES256_GCM,data:CSzCrzhK,iv:JoJZ4qR4e9ZMbNMK/ArrnXewG7TvMCQQ+On2A/TFp2E=,tag:VZgyxa+jlrHKI3tOrfm0vw==,type:str]",
-															"path": "ENC[AES256_GCM,data:6VzKo/62,iv:ZTdYPUwKsFU9k5+GHgYxxiTs5JJXSP/itm2nFl9HdPQ=,tag:ECBR7xNugBSx/HrpaXUUrg==,type:str]",
-															"readYourWrites": "ENC[AES256_GCM,data:R9I95w==,iv:fomh7ZE9POXFk42Y5Dhj3Nr7uTaaMb+/Qs37dy/PiOQ=,tag:7WLGi+R9Lv8qAvEcQWg96A==,type:str]",
-															"server": "ENC[AES256_GCM,data:++B1hfhT,iv:CYGyIEIdF2t3dWQZ9UFTdgIhkhkBalpIx2lFxrIegW4=,tag:1SkxM8kF0Ee8/ZUxLYM35A==,type:str]",
+															"forwardInconsistent": "ENC[AES256_GCM,data:UVEEqA==,iv:kIxf5L5znfPSixo9kVwDx+AzaoK3eAAjiDdrW9bLKvo=,tag:RCTtATP2b2DNfF8iFDzr5w==,type:str]",
+															"headers": [
+																"ENC[AES256_GCM,data:rdvg,iv:2bngRg7ONIHNlEd1Q+31SQ4IFCuDMBUkmlEk9N0arek=,tag:8YbuExHs12Q0wvD+aAW/6Q==,type:str]",
+																"ENC[AES256_GCM,data:DAKIK3V2,iv:my1wSGiyOpXuBpvzuqarmLAMYrQuhbnFkZ2Lx6u+WYg=,tag:HmX9TCcesRc99ibi1qYH5A==,type:str]"
+															],
+															"namespace": "ENC[AES256_GCM,data:Pamia0gv,iv:cHn0DEB71sK85uP0ZIEHqOJPhr/fcw2x0E+u1XSXnF8=,tag:hqfbjbCdkF9ZMLlGcrNFRg==,type:str]",
+															"path": "ENC[AES256_GCM,data:RN16P23J,iv:Y9nvg+ksXGkM38gKjqwpot2/VfH/GxPXs2rRUoz1w9M=,tag:MJv4d0FLEIzm34eQuk9hgA==,type:str]",
+															"readYourWrites": "ENC[AES256_GCM,data:dJq6gQ==,iv:zoyYyv9jLMN7hx1E1Z1L727G3h7W8jbkmIm5IeuFrRk=,tag:Q9mkvxPW5PbKJsIzNEhsPg==,type:str]",
+															"server": "ENC[AES256_GCM,data:gQOcTbbK,iv:nAyxY38NqlMpQvQf19G22Q1udmCE5ynBntIoMu0F2XQ=,tag:jn5b1XWVFQLtDtSzdurDJg==,type:str]",
 															"tls": [
-																"ENC[AES256_GCM,data:LNlnWH06,iv:UCT938Sey7Dxt55qI17ppPuDQcbqKMteHlkuw2spvSY=,tag:ku9/dfU4/GuPZ8gE1qeQlg==,type:str]",
+																"ENC[AES256_GCM,data:kkBGSLQv,iv:/1fdIGirhoKCXC5SmlQ8duMk6TApo3Y7qhab2vT/WQI=,tag:r72ZhaJRFtZxvrDSUo9N7Q==,type:str]",
 																{
 																	"certSecretRef": [
-																		"ENC[AES256_GCM,data:WyyDUMHz,iv:uU4T7jha9B6UcXmyf1pLMyJyZagSaVhnDEH0QQ6oi0I=,tag:uHOZd2CEGccAeIsr8Sb9sg==,type:str]",
+																		"ENC[AES256_GCM,data:P+bihQBD,iv:Ta6NFwVt6H/A5e7znyiYVGNSWjSfgLezrQYkHWT40qY=,tag:xSv9Y3VNpXjPYBTyAxqqmw==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:tGQBNhV6,iv:JtSGB2lDsuNaSdgK4fjySp7bieOT8YeHwSXoYodpEVg=,tag:Q35Oal3cxLEpWCylGgJyAQ==,type:str]",
-																			"name": "ENC[AES256_GCM,data:7NvCct2s,iv:y+iSKMN48UlCOHi+q9dJX0ibmDCBMKBausMgg2Ecjfc=,tag:werCXLwxpwR8hl38yOKD1A==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:Gcy25viK,iv:FRrvLtqXsWXbQO06Qlvgo+lGEco0Ntbg3qQzAD9ESM0=,tag:t5vgBQr7UIBnZkR8TTTWZw==,type:str]"
+																			"key": "ENC[AES256_GCM,data:ZPfSw5Pk,iv:FOAP/+++rMgmmVwVxOlk4ZTelf0Vba4+Wr7ot86JN2E=,tag:7kQo/m7hsZwXktb5CZImMA==,type:str]",
+																			"name": "ENC[AES256_GCM,data:sZBC5cUd,iv:34Sswm4kEn25O1WWDAjhSC4onu/n4UKpBEIiiSpolDY=,tag:vNvDxcHZGYM9NeRu/rpmnQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:MKSH7Roj,iv:PS/ruB+pQZOS0UvuRRC8QzeaVXCcnvajz6Xw3JjAcRU=,tag:bOcX12FGZunFvkcW1nS69w==,type:str]"
 																		}
 																	],
 																	"keySecretRef": [
-																		"ENC[AES256_GCM,data:Q+lgTZKO,iv:n2//INusBLClB8qgdEcw+5KWEzk85XK0tHZ/TEdoOL4=,tag:OMhsDg7nwKEQ5wwVITlK/A==,type:str]",
+																		"ENC[AES256_GCM,data:8QwHSIRN,iv:WUe+1dLAglteGzEyj+K0rmevrZ6OI0SgNbSajhBHx0k=,tag:iW07FocQID9ee/ljHYuf6g==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:qp+4kBjh,iv:kfboJmwSlPJ3rjJXmKNmU3OQFXDfMdI/k2k49HFe5Mg=,tag:AuJNvbt2VdjVeN7ukqAFZQ==,type:str]",
-																			"name": "ENC[AES256_GCM,data:yuwweP8z,iv:S7XacrVzWN6MkRFJhll6jZMoY+TGsIKxK/YNK97/e1o=,tag:jkFGLCZrTjP9d9DUeV1FsQ==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:DkMLCcNh,iv:XCOsBkv2Ip1C6AvgtuLhJ3gvbawUCAtNgSwHNCgR/ls=,tag:1m6BFytRuFSu7YlTbEAcyw==,type:str]"
+																			"key": "ENC[AES256_GCM,data:FIJ5lB6r,iv:WOBD2UgyCqjtHdfdRGrJo/3YJDB8oEdajyAmi4EvFjo=,tag:KrqA6dtE8TcsK7YqJ/L2hw==,type:str]",
+																			"name": "ENC[AES256_GCM,data:jwzjjLhF,iv:FfWM7VIMsgiYNy1yg4GE1tQsMO37uReiMsupiq5GdGs=,tag:mIM46YItX6t/tIfwmqybwg==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:VtjD5neL,iv:7DH6/Flh5vaDO1mvJdulf87CKzN37eHDxdV0D9kuFkk=,tag:0XA6Q0knP1CJDKFyZ0VThg==,type:str]"
 																		}
 																	]
 																}
 															],
-															"version": "ENC[AES256_GCM,data:XDbVkLRc,iv:MPDjQp52rIDdygBIwZu1mbF5R3Jb43U5UEELdgu0Wx8=,tag:+XmUOsYirANVH1utaygMZg==,type:str]"
+															"version": "ENC[AES256_GCM,data:HP/54WoC,iv:y+uKDe7K4iJKhPWQfGAV/z09ZOHmHDNnPMf3fPugVfc=,tag:WCg2DKHK2rfkvOMvKEau+g==,type:str]"
+														}
+													],
+													"volcengine": [
+														"ENC[AES256_GCM,data:jUGzyzDR,iv:CzQwESrolsnWcapYobdvCVC+hwWW/2KOCVDqxtLbtEU=,tag:6cdHnvn+BToO5ShRToiOBg==,type:str]",
+														{
+															"auth": [
+																"ENC[AES256_GCM,data:1Ng1ofFI,iv:W7TapAf0XtmGx7pVvtJEybKRTWiPzke4xziQ3/U3o8M=,tag:+EwT8Q76WvksEUc5UUtAyA==,type:str]",
+																{
+																	"secretRef": [
+																		"ENC[AES256_GCM,data:mRjlgnIx,iv:nbQwVIrk8y2/tA2hL63osRPKCc8In6KC7fUPQhGDtjs=,tag:8uyw/sxLlKcIpAdKBfv3bg==,type:str]",
+																		{
+																			"accessKeyID": [
+																				"ENC[AES256_GCM,data:RpSuXSW1,iv:jqVhtwo396KdAgUDub/g1q3/qbJFJeZFxhCaCf2flZE=,tag:0qXpwSCyu06O6coLd76A/w==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:aHaN5pBg,iv:yFoq7liME6PTPu79vyYe9De5Bky1cN6tR3YY+eYjKaU=,tag:E2t+uY1d1m5JwoSUU1YkZw==,type:str]",
+																					"name": "ENC[AES256_GCM,data:Wl6stPcT,iv:0obHyDvGiVW0JmUC66GkSgOfGJCXOvDK4mfG+0wbCEM=,tag:7UqaYzkPI6Uy0IhDTj9OTQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:g835jL9v,iv:iJ2zLzcQzTu5GJ3undn8kZ7DjDjyeEKb6J0JccU2/ZA=,tag:Icu2dmCBujimM6bRruP7+Q==,type:str]"
+																				}
+																			],
+																			"secretAccessKey": [
+																				"ENC[AES256_GCM,data:1PdLlEH5,iv:APM/CSEddER9W4zEPotwklcLmhpDzAW13nVhuIaxyyI=,tag:qiw34WADRUaGaAcgYmYfRw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:2+cvwQDt,iv:tPy1yzc0pj3JW+yf5wEocoD5wrWJbGL0MkGHMxmOre0=,tag:hxuW3dEFvPn3ebqp3uvp6g==,type:str]",
+																					"name": "ENC[AES256_GCM,data:CiDuZ3m3,iv:YWIz0vAVFE3hwSNNv3r0wNgIwTsazo2ofJim5Y81pj4=,tag:ObTyaFJcneV3zU3wTzbYjA==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:hGB3We+t,iv:073Iev+bHk+WYWMt2VuLZlvr+s0oQFhyn20S/JIt6zI=,tag:P01o7s0wZWVnkx8M9kH+hA==,type:str]"
+																				}
+																			],
+																			"token": [
+																				"ENC[AES256_GCM,data:BrlZOnTm,iv:Cmd1+RjSkFfKONuVxFJtzgEpBCLwGKdbiABhb0554eY=,tag:w0MPfeIHMazxex4UdO8i8Q==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:t1rCcv2p,iv:VBSGDeqVms0mUdzQnagbcjPY3DVLWFoLK/bO/mFB8mo=,tag:1RscfbbHw/15MucR6oOJGg==,type:str]",
+																					"name": "ENC[AES256_GCM,data:ujgm+6YH,iv:sWePK5K+tnio2ZgcAUb8XBI2uRFxmoFriavcOimD44c=,tag:uziwnXBwMkIO0slRDuR6sQ==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:qiVrrnUC,iv:0TaSX06Z4V/Q7zWklLn7/VQDi2yOPOgiUxf3fWsscvg=,tag:W3AM+RtGWdYBsyeGAXnE8A==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"region": "ENC[AES256_GCM,data:AKUTwHQ1,iv:zbF6/gVOVZkxD49oQw5Id4m5LpHWwNx9Ioyp9J3LIUE=,tag:eryxmbI1JzwmWtFg4XspfQ==,type:str]"
 														}
 													],
 													"webhook": [
-														"ENC[AES256_GCM,data:COwVdlL3,iv:lSCAYarI+nwcPKrKZrZvbRx/XTlqg5K8jUixJ03u7Zg=,tag:ZmDzZUcQmroMUfXxITzBjw==,type:str]",
+														"ENC[AES256_GCM,data:0QU095P4,iv:fAcOs2OTGZ1xIjlYiovIZJj3tAmcJZUp05VzUwYvvOU=,tag:sq18roOFTmgyWvZkDTFS0Q==,type:str]",
 														{
-															"body": "ENC[AES256_GCM,data:on7HWQSz,iv:K14zwaHYUn9k4FnTY9Stb1NFGDY0g1+HEKrwQ9OV7XU=,tag:WyMaIyPT0IjAP1aANBC9Jg==,type:str]",
-															"caBundle": "ENC[AES256_GCM,data:aQp033g8,iv:qfN1f1rl9SlOdppURxd4X+9Jv50djLS11ImlnxySKPI=,tag:zXwEVR6XCav/oPYA0nlxzA==,type:str]",
-															"caProvider": [
-																"ENC[AES256_GCM,data:2bf80GGj,iv:S+cDq+NtKmSMfeC3FiVaFEBWekXcoE5wN0xH7mqhSk4=,tag:njR7jlo/SmRpsrbO6FOrQA==,type:str]",
+															"auth": [
+																"ENC[AES256_GCM,data:qzzuCWip,iv:GW6yopIcG8M9RreEPVTfgmgvpbjqwBxpchUVY6TWHGg=,tag:4sNQTH8dljGXf/zfD2UH9g==,type:str]",
 																{
-																	"key": "ENC[AES256_GCM,data:Hvsx+ulZ,iv:E26XV2sgeGssz/UK4wvPyWF4qFDMKYVO9hqPDBY9ZK0=,tag:xH1P90fcq/Q2C24XBePUPQ==,type:str]",
-																	"name": "ENC[AES256_GCM,data:oKHmAU4m,iv:ZejGroUg9bdBqwetLMV1MiQb7UswPhNAom/DNAzDiB8=,tag:IpkW6j54xFWtFE+8zFMkng==,type:str]",
-																	"namespace": "ENC[AES256_GCM,data:W/0xiU5H,iv:MWRAt2Xhy8wwMvxEo4lKZu3yxmQA11r6SgzgCPB34R0=,tag:QmYCM+Oks2u3ZLJG4iYJeA==,type:str]",
-																	"type": "ENC[AES256_GCM,data:cEuCHaeI,iv:4iwNmS40C754zm3Jta0EnHWcaBAMQ/kh6tM2+aD0ZtI=,tag:Ctw7qAUKRG11Gc66ECTCnA==,type:str]"
+																	"ntlm": [
+																		"ENC[AES256_GCM,data:2WInXtU/,iv:/WRhpfvxHIozLQJyjXX/cSUYrQ377k7Apj8HIXBuHBE=,tag:t+LWWAnZenP62QIWIMfqoQ==,type:str]",
+																		{
+																			"passwordSecret": [
+																				"ENC[AES256_GCM,data:175k5ViD,iv:MeVDpKL2mfB5BPujZIA7KTNmveoc0sO++Ib1+gHx6ys=,tag:3+4szqdWaS5L5MMLBI/4cQ==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:O9IexTJ0,iv:7loZ8PB6xxYBmHqRnCy1Hey0RBdIT8cjwO3nQe004Dw=,tag:Cnt8B0kyWPqdDGkIvF+r7A==,type:str]",
+																					"name": "ENC[AES256_GCM,data:tqz9IIjW,iv:Q+iQsvzGoczUiVfDZmCKeHu9oc0zmCwansbFVWU9OUY=,tag:twyToyJXly/RcYu5e/uqEw==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:tMR/z24b,iv:K1yY9Kea3CaHhY6HdoiQN06Ofy4vREyHe1boWausfKM=,tag:bgZvmJ5qrD/95ed8pm+MuA==,type:str]"
+																				}
+																			],
+																			"usernameSecret": [
+																				"ENC[AES256_GCM,data:l+Lvv/pk,iv:sBdcfHDCLy5P5yhyMY1pchdWZ0XZTLgCAMpjzwxAqvo=,tag:m/AGkFlQVv3GVBK9oP9dzw==,type:str]",
+																				{
+																					"key": "ENC[AES256_GCM,data:prEHfh3n,iv:kRjMhhqgkD02NNdxz4h5g4s6t7aHTZsHVnAA+gE/Ouw=,tag:vYkg3afw9fzZbZnvB/Se8A==,type:str]",
+																					"name": "ENC[AES256_GCM,data:sTNZvVo7,iv:kEmhtoMgN8ux+/+4Tlcdi9bmMULMnEbN+pJ6DKENoYI=,tag:E0h4wTwbn93F1Kkn64nzmg==,type:str]",
+																					"namespace": "ENC[AES256_GCM,data:cvZZLCsW,iv:zAwPG7665mnCD7k6sHUPeRK/IOsQX69PFwYOPedXWJ4=,tag:HBI+hdfWSTGtTIIHxZuH8w==,type:str]"
+																				}
+																			]
+																		}
+																	]
+																}
+															],
+															"body": "ENC[AES256_GCM,data:1YJjSJUj,iv:zIufLeWqyeSBpcrvr/2g12ck1nz4sMAk56NeKJJDjis=,tag:X4HXVvNt91+UBu2KErGWAA==,type:str]",
+															"caBundle": "ENC[AES256_GCM,data:e10Rk7N3,iv:DVX3OVFxYpsnI4DcXW476O4GeabllMs+tPz33YYj+WU=,tag:YnVPNDqq2bkHhlmb1JyurA==,type:str]",
+															"caProvider": [
+																"ENC[AES256_GCM,data:MVijeeKp,iv:Gr3O3SS9XcQZ9961bWquvNueDdSnqoFHXwZiM6jtREQ=,tag:wtPYYJwbWr2IQZqj5iN2YQ==,type:str]",
+																{
+																	"key": "ENC[AES256_GCM,data:YbGfbC++,iv:hdKpfm2pK5b2vV29kxW3IoF2Vd8jYVUsB90AmOooOW0=,tag:pFbyh18uXrX1JvD6yFFHFw==,type:str]",
+																	"name": "ENC[AES256_GCM,data:BT1XcNGq,iv:VfNJBblKAnsxCsQSwowvsW0uL9NICXklGP7H6LOHCeE=,tag:ZhtY58sl2WtqoKg3tCLAzA==,type:str]",
+																	"namespace": "ENC[AES256_GCM,data:qlFpuWay,iv:IFBtWnGk8j6XIFoUG493r6f5lbju3FmpnVTLu2lvzzI=,tag:5Z34fpSr4X/m4/MvJPh5CQ==,type:str]",
+																	"type": "ENC[AES256_GCM,data:67dTMNer,iv:bbE9JR8JEgbCZWOYbG7kHL175DVIC8C/xmdd1RXR8Xg=,tag:dIfvABpKNYXnSLu7TdVzZQ==,type:str]"
 																}
 															],
 															"headers": [
-																"ENC[AES256_GCM,data:xtof,iv:59Om89Dt1rMED7+N0yPq9Q7le8lv43QqjgWXDXItcfA=,tag:gcC6qvyL1EbhZ/5zL3o53A==,type:str]",
-																"ENC[AES256_GCM,data:xTt1T47s,iv:MiRDVabEsrcCAm5eyAaF74Fmxz86bqYw0NqXHa3BVwo=,tag:MF+rzHwQz433/f8lPSkaFA==,type:str]"
+																"ENC[AES256_GCM,data:pxKM,iv:6gCCB1lppo+qEE9BkaJAtLe1KQya11rm5EsBDvt1lpM=,tag:V5owoAP06QBJLtheQhNWXw==,type:str]",
+																"ENC[AES256_GCM,data:WFIACb55,iv:PPCeIjSUiKXfzw8jHn0p0zb+Ko0R9Jl/0bQGJfFtdzM=,tag:7E9yyH7JV7hSZJOl+XTkjQ==,type:str]"
 															],
-															"method": "ENC[AES256_GCM,data:KRRF3Am7,iv:8UJCpPC00Goe/1iBaeCAcpLTI0TfcgLEdoi3WhmMjKQ=,tag:XWvVtiLeJgP/RVMEUBVnOA==,type:str]",
+															"method": "ENC[AES256_GCM,data:xbMLH+T/,iv:q0AX9w2Y6ZTpdvb2m7TGtb14J7coyAK0YYBjfm7ieAE=,tag:3mFnxViASVxgGN8Or3GjsQ==,type:str]",
 															"result": [
-																"ENC[AES256_GCM,data:peHhFklH,iv:JIVuaffFM5r+CpFvlZc44UzJHkQGXP28djW09rre1yA=,tag:kh29mwZFR/u53xmoWxWDXQ==,type:str]",
+																"ENC[AES256_GCM,data:l17lYV5D,iv:bWlJUUtHyjICI1VwRFu/2e2uishSub4KYocslIZSWkY=,tag:7zKnqa1xRAXtSS0vuCOGzA==,type:str]",
 																{
-																	"jsonPath": "ENC[AES256_GCM,data:xSHZEYGW,iv:V/6Dx4gyBxfcnef9bX/NybveS25EMqlZ5of781f9kec=,tag:+sIHFL3/Hq6ChNyq/D1Whw==,type:str]"
+																	"jsonPath": "ENC[AES256_GCM,data:z/HgyFMQ,iv:tXtqGcwmFeFi40okJ0Rue2/qEDId4Zu/wp3xnOMQ4xg=,tag:ltHhdacuxaPvFnt+/s8+Bw==,type:str]"
 																}
 															],
 															"secrets": [
-																"ENC[AES256_GCM,data:CO1O7Q==,iv:xbxpVv2p3+BAgGUCGTVkdMFw7Yc3V+vk2FzXUMOK078=,tag:f3HlXFYoX29HjTLKtkNP5Q==,type:str]",
+																"ENC[AES256_GCM,data:pJ4nDw==,iv:FrDLyjHzDqRHekU9e97eyg+6dCTYJ0+2t4B/eDWmPr0=,tag:S26WBIyJZjOYJNBnyKfdgg==,type:str]",
 																[
-																	"ENC[AES256_GCM,data:I+RUsbGL,iv:ofUwifKrc7zJ7NEL6f7RmetI8psYULXKnuwEnqyjYG8=,tag:S9wcglsZdYLiB90MRVMISA==,type:str]",
+																	"ENC[AES256_GCM,data:nPpP860q,iv:ec5p7+JDAAlcHH/uPVZ1PcsjTrFbEQUMHBkuAUgx30g=,tag:iIXeCIoNemYEwDCil9YdpA==,type:str]",
 																	{
-																		"name": "ENC[AES256_GCM,data:bijEpbeF,iv:Y7C2AjLPwXI3s3dlmkBAieL+taySd6HKamj55AH51eo=,tag:rHRba2Qq2oqZqJljZ2D6xA==,type:str]",
+																		"name": "ENC[AES256_GCM,data:MQXfYdmB,iv:oszQ2iLw/Qw3Guq49gp7QSL65p7VazsjNwMJCPGCgRA=,tag:J6vWRT3m1pT4IH8V08mSfQ==,type:str]",
 																		"secretRef": [
-																			"ENC[AES256_GCM,data:YmprF7Ws,iv:A8SFxdmcryrB6liZZrMLtTg5oBMQtMBYNmVliRvsixo=,tag:92jn7p1JubD/ysUqEf7nQg==,type:str]",
+																			"ENC[AES256_GCM,data:uY29xZg8,iv:YW3qu83NVtpA8ks0IoCtZiXOG3Do7HKzoMeiRbRohLE=,tag:3oMJvcBinkXGt5yVrwI9Dw==,type:str]",
 																			{
-																				"key": "ENC[AES256_GCM,data:xo1y3ppP,iv:c+pW5k8RYenv0dZjIgMsyy28UxRprW+BkzIICKj+5gE=,tag:pDc2BDSQsbp9/5ArijGzfQ==,type:str]",
-																				"name": "ENC[AES256_GCM,data:lC7WGI8B,iv:eCNrJUvCbdZG/XMSGwVOIFLTW9TKZ4odvtoQFxxmCFg=,tag:04g+mvStu7xnN7+uzR1coA==,type:str]",
-																				"namespace": "ENC[AES256_GCM,data:GaxkLCky,iv:BuSL0Raqivtvl6WJM24BvbZDLv7UOgfpGraZzDerPYE=,tag:eoV1GCrzYuySgK6sj1f12A==,type:str]"
+																				"key": "ENC[AES256_GCM,data:5s+FOxxo,iv:lj4B1BacO5UOjg6riqkb69/UJg4irrr8QK8Xaeurke8=,tag:c1DVDgUtYrcSJo/NZD9BMw==,type:str]",
+																				"name": "ENC[AES256_GCM,data:4am6GwRV,iv:EbnjL/9vcMjV6flU8zSXQjmavmB7yOdN5+ObZE5HTu8=,tag:3mJFq9GwPKN89hZ/eKFhcQ==,type:str]",
+																				"namespace": "ENC[AES256_GCM,data:VhMAjORy,iv:W2/8s6PANZomzyNMxHUdCm7yrpsKnLyLpPrd2ZRAoao=,tag:Qr1JLHfkuBLEaiQJk1QcmQ==,type:str]"
 																			}
 																		]
 																	}
 																]
 															],
-															"timeout": "ENC[AES256_GCM,data:1qxDRoLe,iv:NARm2ePDX9VQRJQSGS+KByLrerqgK8s9bZgNcgL7V3E=,tag:099+dPUD0R85AYKvZic2FA==,type:str]",
-															"url": "ENC[AES256_GCM,data:yt3sczTh,iv:V9NzxBMU+gQ6+VgdCynUAtdd3y4EMIEY2XitiAUJUXA=,tag:G9L0vv0E/ZlczRh/KkVdmg==,type:str]"
+															"timeout": "ENC[AES256_GCM,data:Xm2VSev6,iv:1jEJBtMg749l87wFLo3nO/N97cZP8wkwrHbRnFKsArA=,tag:EoSxPj0Nwn5+eKF8kMi+ZA==,type:str]",
+															"url": "ENC[AES256_GCM,data:IYXp+7zl,iv:EGZyaNpb0tBQPUsGCmrS2Me5jpMlPrmGjRtjbsp4ATk=,tag:wstgcqgBWmsqTML7MqNT7Q==,type:str]"
 														}
 													],
 													"yandexcertificatemanager": [
-														"ENC[AES256_GCM,data:IinpnaP7,iv:h5kqtlyO4DJGP9nmz/YIrM4S1iDqHB7rX/Cr2HN8Ckc=,tag:RxeOmGeO7FWfVK2X4ZtgbQ==,type:str]",
+														"ENC[AES256_GCM,data:1PcthdtU,iv:4vGeL0Vo8aQIDMYO5noJJHI+SJLYhHgrPHRGhjkuGaQ=,tag:dRvbjNEOgINDO3t4vt8gLg==,type:str]",
 														{
-															"apiEndpoint": "ENC[AES256_GCM,data:oDIvlVMG,iv:9eWb0rjvyPbgA5LSHyEQL/ZyMOfsF2Eedqi9wVtHofY=,tag:1jvRXH4Oo6Sit4300JqrXg==,type:str]",
+															"apiEndpoint": "ENC[AES256_GCM,data:xXwtbA8b,iv:ibJJD7AIdHko7j2b5OZhAqXiBU+9S/7UzAUZCxEKYzc=,tag:arUyRzr/a+MZ5rLJL5qx6Q==,type:str]",
 															"auth": [
-																"ENC[AES256_GCM,data:6J2f6y6O,iv:G5GfWhYNf2bkyeXQmxy1d+eYFcm7ju7aQMk0y+EkZQ0=,tag:9RaEKhGTUFYRcWIpb/RY5w==,type:str]",
+																"ENC[AES256_GCM,data:IG2Bnjpy,iv:GfiSmUD6D484sR7Yyyvkv9nepR8fq312o0M34RiRSXw=,tag:zn9mYXZDS0We4fAuPWtmUQ==,type:str]",
 																{
 																	"authorizedKeySecretRef": [
-																		"ENC[AES256_GCM,data:Ce8JZZ5j,iv:g3JnaonH2mQDxhw3V2GIiG+TnbZYSy+LFyxfn+whbFU=,tag:6QD8nyUietpZak8sFvD/ug==,type:str]",
+																		"ENC[AES256_GCM,data:RkGMU7zI,iv:c0vXgDJC87zgBnTK4UeTnD4uKNpfkKfZRXgaz2aRU+0=,tag:6a5753D4VsVfkG4cZPMVDg==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:I7L/m9vD,iv:++iivv35Gk+vtMx3eH/aRgtG7MwC+vDg1jI2HLZ09+Q=,tag:oAvzygFBFql0tkqzG64I/g==,type:str]",
-																			"name": "ENC[AES256_GCM,data:tQO5ULrx,iv:mbxp71GijTXGS8SGXHADxYTMEwQY9LNtHKW9OEOnpzs=,tag:yrYF6kkB8ahOPJFotCbXqA==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:MohMMFBS,iv:E1yrp9vrf7N8ZfZE3EZB5lNWra2AwY5SPs/LcsLfBYg=,tag:vtB6LJkqgw3mj8dKpFsDaw==,type:str]"
+																			"key": "ENC[AES256_GCM,data:ya69RcHw,iv:ma86IH8hvoPWnqu5gIbFAIz1/DmSvUPeqqVBitqvUmc=,tag:PW4Pcgppli4HqgVhL3mR9Q==,type:str]",
+																			"name": "ENC[AES256_GCM,data:gu4oYEZL,iv:heM0xfAkwZkJpmv5WomZFDBdkPYbMOysWgPyEAA05lU=,tag:HUoW5uEjZFzICLrNeYbK0g==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:VA9vipxG,iv:qj4KN7eKMUqDq58dyU7NlIElpOnfl25AQr3vYXof/0s=,tag:DtFP2thy+a36dU5pXNSuVg==,type:str]"
 																		}
 																	]
 																}
 															],
 															"caProvider": [
-																"ENC[AES256_GCM,data:QxHhoyuY,iv:FtbRLJ4unw84h5TzUU4KrXASjlogZVV3dp/M7IQZYCk=,tag:S6M+nQ1LyhfTVTKuO07BCw==,type:str]",
+																"ENC[AES256_GCM,data:e3eKoF+x,iv:GZszMUp1DtNKewUXLTjAF05I9AP9HcwUQ4HzTpYP3xk=,tag:jREIYoOz0IAbkb0ojuqiAA==,type:str]",
 																{
 																	"certSecretRef": [
-																		"ENC[AES256_GCM,data:KvcDVGFx,iv:wDX+kXR4y7N2fyGaOZkiZeE53K13cubPeURutV0eTdQ=,tag:JP4Yw1Xr0eN9Z1H35oz8Nw==,type:str]",
+																		"ENC[AES256_GCM,data:q8A/UTUp,iv:D9ahU+aVNSWCYuL+BB2vU7N+b/HEVQLIqE7yId0nzA8=,tag:Mzlb6BYu+kSTBHZqZWH1jA==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:mJm/+uRf,iv:8RCYMtni1F6KN4TVjEcAAFnw8FB4mO6PwGPWf8l3kck=,tag:vWX1EhQRRnuH1bDNBT0zag==,type:str]",
-																			"name": "ENC[AES256_GCM,data:FCba91zb,iv:it5GtbaBWd8Aw8ZiRbZeqo4/T6569qwRPTCPQqhOYNs=,tag:gtLk1QE1DAij4gxqWRYNUQ==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:5hLGXl1d,iv:23JH2va0XPO+8dV80mQYaxrQIicd0lHXqabTSZJI3Hw=,tag:gIVPgng2ikX/s+G0tSF3rA==,type:str]"
+																			"key": "ENC[AES256_GCM,data:78wrdPOx,iv:q46sk+UXF1lgJplnaL8qweQHu4lNsec25AxbK6jWOWg=,tag:GPsEpmLFXPhHYWIwOPvh2Q==,type:str]",
+																			"name": "ENC[AES256_GCM,data:4IFmTv6X,iv:Jp2nG6E1B+UWZUXXVp4E1Y5p/llUKnzhf9xjeYsIx0U=,tag:BXHjOQocq0gm1VJ66LXIhQ==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:d6M1lHdA,iv:y0IsJ01FqC8gUz8Fmg8uUkctPR6SYGB2S/b2TkYp5NY=,tag:jsGl67n6gkkMBHy14ClADA==,type:str]"
+																		}
+																	]
+																}
+															],
+															"fetching": [
+																"ENC[AES256_GCM,data:hvobu0U+,iv:Dy9JDfKzvqCfxwB68kQ+MWGR96Q0DfZ71d7tjyOZVc8=,tag:cQX1D6QyMNBmwJ7Bg2d8GQ==,type:str]",
+																{
+																	"byID": "ENC[AES256_GCM,data:hlkL45Np5A==,iv:oQvk0dZ6NK2u7XWTvBco7mDh+OlZsnb2L7X8OOq9+YM=,tag:TzfWsG15K0Db83aRtOpt3A==,type:str]",
+																	"byName": [
+																		"ENC[AES256_GCM,data:roV4QCuX,iv:oo6N6SebrnmPeQMit8LNkkGmt8sYCRLYlkK8gHgS1YU=,tag:t6q5ecsztvzCdxEGkCyvgw==,type:str]",
+																		{
+																			"folderID": "ENC[AES256_GCM,data:9bFXk10T,iv:gnTvjV57Bmn3x6PagyUj1QbdQ8Df6rCnuKnJtAzmKhs=,tag:8TmOZ2q3EOyAhwONeCvoHQ==,type:str]"
 																		}
 																	]
 																}
@@ -5198,31 +7642,43 @@
 														}
 													],
 													"yandexlockbox": [
-														"ENC[AES256_GCM,data:JWmQw3xH,iv:sB0lsShLwoMJPJgtxPxrIhe3MEjc+8bP98nAAergcPM=,tag:eAWVveRGOqVA/RAaRAImXw==,type:str]",
+														"ENC[AES256_GCM,data:ElaVS20b,iv:hG4oLOwWsJUrmNkTOkoE6pybICZD+KWcrIkDKF599IA=,tag:JeL4S8kbRQlIy9o0dGQ5LA==,type:str]",
 														{
-															"apiEndpoint": "ENC[AES256_GCM,data:GWEhlejD,iv:lF25jocY93FKxo2O2XIVjoZQk0j15AJyucLY7RCxxVc=,tag:HuFOvf6latUy9OBTDoUZEg==,type:str]",
+															"apiEndpoint": "ENC[AES256_GCM,data:uYI8AU6n,iv:KA3qFxeHemK+vl/gDrVxGa6nDrb+syIs0b//ShZumC4=,tag:5uxD7kn4BpJxYA6ogZ4D9w==,type:str]",
 															"auth": [
-																"ENC[AES256_GCM,data:lvqJlhXv,iv:+YZYHVb+GsFCPxPz2WJUmCJSk7spZK/b4XR8pJ8FhD8=,tag:DNYolWakNLuwYs0jRS8teA==,type:str]",
+																"ENC[AES256_GCM,data:fScxKzUO,iv:DzhqTDev/3Ix9Gb5aYGN89ZO+70LXG8VzOksqmweUwM=,tag:9rmitBkpKHDuSnRNtcGWKw==,type:str]",
 																{
 																	"authorizedKeySecretRef": [
-																		"ENC[AES256_GCM,data:zMnQnKyo,iv:T4L8qvFVL9uIU8vQFVUn5A7dGn5V4+LL+kK4YDhbBrE=,tag:ZjM8AGwVCPl9JWyZ71O3hA==,type:str]",
+																		"ENC[AES256_GCM,data:bG+uFxQ+,iv:XF3QwNIThSPxyG9BJ+34XYiO/40RkFIc4vcmTInVS0U=,tag:vq8eSgASBNDRQsNuEJrWLA==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:c+N1DftE,iv:u0sUsIuNh0dRzrmG0JMMmDh/dmjns9TsZkQ2ReLXmnw=,tag:K+BHlOTj16nRFPajqCc9xw==,type:str]",
-																			"name": "ENC[AES256_GCM,data:jx70YqqM,iv:WhGu8Vswa++llx670LrmeORkteloAtz4OpkS+OYWZ7o=,tag:g4Zyslbtc4rNEpFWa1dv7w==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:bD9cYQmW,iv:x7qRhWpaTOvjOMh18CuXlGIc5XIbSlr36DzjO5dqqoY=,tag:DA0IJ/wRmOawYWrvZHlBTw==,type:str]"
+																			"key": "ENC[AES256_GCM,data:kh9SPOJn,iv:lsedKxLHi9313koLHlC3MuATnyUiXTDDhfXx8WGin4c=,tag:p3YTiea9qwHZ+O5hFy081g==,type:str]",
+																			"name": "ENC[AES256_GCM,data:cpzmslaO,iv:omWfPk9XR8w+tvCsodLyjdQIMQyw4uvRY/o6ScS0S28=,tag:7vpIDGlUDeW58rf9kGFb3A==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:7c4FkMpL,iv:BHUKYt8+ncsSF5zmFhI0qy76Nc40VVwzP7E4xz2KerE=,tag:GTO9r2YrLx3ySXzW7hQIbQ==,type:str]"
 																		}
 																	]
 																}
 															],
 															"caProvider": [
-																"ENC[AES256_GCM,data:+kd60sQE,iv:L10EBA6MxbRL1SHaE3clcBpsYMVV5Lmgi37nTpwrve8=,tag:e4ObNUu4B806SAwziIFEMA==,type:str]",
+																"ENC[AES256_GCM,data:dsoE9CuB,iv:7m9U7FSZPcXsifC1I+AtEV05jp9C1Xe040Upe1rqV1c=,tag:eKaXnjjBP9C8f3GtEvcvGg==,type:str]",
 																{
 																	"certSecretRef": [
-																		"ENC[AES256_GCM,data:j5QG+wFF,iv:MNwSmEN0+vWIpJI38ApuUSr53E7klo3WP+qXWod80SM=,tag:cDSsN+6ITDMQknb2hvLTcg==,type:str]",
+																		"ENC[AES256_GCM,data:FKdHqlJ3,iv:JpsokDbCyQB00jmK5wZkTXArWnLbsSVo2JUQ4C1X1ZI=,tag:EESYaoqRVdfXv0Jw3xAytg==,type:str]",
 																		{
-																			"key": "ENC[AES256_GCM,data:7k1o2bM+,iv:lM57/Bbq71g5gTlArqaPl8wigk3zJLyfhGsbQp7O210=,tag:I3PB5zW3GwzwcdwsAklTxw==,type:str]",
-																			"name": "ENC[AES256_GCM,data:losoj0eS,iv:36uNwmWaKE4DzgtcSdD7r+Nxd+qGfXUgPaCtoyPvgZE=,tag:GOQhHT6+xoiRiA3oqDRccw==,type:str]",
-																			"namespace": "ENC[AES256_GCM,data:96uDh5he,iv:wf9/nV4X10ziBYeO6I6uHIBphY5UwJB50YjxM1UJZ0I=,tag:Ssoql/b/8V2DxTkQa84yZg==,type:str]"
+																			"key": "ENC[AES256_GCM,data:kerpL1/T,iv:pOUf1FlIsRGpUX7Dr9M0ncV1HW0iBpX9YDXv/8Ca1fs=,tag:fGYEMuvMjh1LD3Tgv4yHOg==,type:str]",
+																			"name": "ENC[AES256_GCM,data:R0VD2Bmf,iv:ffhuOJeZH4Ehbb27ufysg8HX5q4gEgf8KCo6WDa6QbI=,tag:xOxIapj25WQEufV16Y42KA==,type:str]",
+																			"namespace": "ENC[AES256_GCM,data:x8owSPvl,iv:LSADfCzTLVLACZhUhYO0rKXkQ9PaSexcgbYLC4Y7Sjg=,tag:k9sHaVqOQUSnwy/XbX9nIg==,type:str]"
+																		}
+																	]
+																}
+															],
+															"fetching": [
+																"ENC[AES256_GCM,data:GoKLbnLq,iv:g3n608Wnhrim2ofJXpy6z2M/j9zJgKh18RD8tdXjdTQ=,tag:RM4SMVJfLhgzzOYQrHp5PQ==,type:str]",
+																{
+																	"byID": "ENC[AES256_GCM,data:ih/D/wjvcw==,iv:SU5me9O0FBktYbgcbnfIXM33dw9E9nSP7H9TVTHNFdE=,tag:wsPpx1X9iXDJH4kJr/O1NQ==,type:str]",
+																	"byName": [
+																		"ENC[AES256_GCM,data:+iXN7fVR,iv:IjXw1/tIMuN9kfVnWZFa8k0Vt72ZhIhQ5aGTpEK49oA=,tag:ING1TKZLg++YLOa3TrVKkA==,type:str]",
+																		{
+																			"folderID": "ENC[AES256_GCM,data:sZUpgXut,iv:Bw/X6YtYVJIXLrggPHxoK89b3Hc37Nb+Zw7zhPfzchE=,tag:Rc7LRF121KnkKJWdPvP7Qw==,type:str]"
 																		}
 																	]
 																}
@@ -5231,12 +7687,12 @@
 													]
 												}
 											],
-											"refreshInterval": "ENC[AES256_GCM,data:T9w7zDja,iv:yYUVysJDRNPZk+VfiHkrpmycbi0+qzDJN8pyPXc4Vwo=,tag:DdB0Z28bHTX6A38ZiJRaMw==,type:str]",
+											"refreshInterval": "ENC[AES256_GCM,data:iXdcMt/a,iv:nS2yNF4tBJRVJbZ4QKYS6zIrnSFC/MoGP6Qz0aGjYDc=,tag:NCQVmmqD1PuusoOcZLjfRA==,type:str]",
 											"retrySettings": [
-												"ENC[AES256_GCM,data:g8wOrLtv,iv:CZwpfQTRj1Zw8BQnCwFuKvz6XhzW4uZrIu5qcgQiyKE=,tag:4+9V1c0FPU5ZShMPVRqeRQ==,type:str]",
+												"ENC[AES256_GCM,data:dqgfxhcA,iv:ETLJddwdU7s+66iyj/095tkSmAl9xocNJIOI5GD9J1I=,tag:ZhCWPH2A9ByaAjBu+bkuDA==,type:str]",
 												{
-													"maxRetries": "ENC[AES256_GCM,data:bCOgQHat,iv:6v7Mp7cG88wzgzIQNNH9bDwjnmieqzAwv/4+yWGOVKk=,tag:3MzOydvozARsh9FeQhqlSA==,type:str]",
-													"retryInterval": "ENC[AES256_GCM,data:+YcxD8/s,iv:WYKRgiIIAz9vXy3EMLWgjdEMv39+43yBITLyxAT+Lbs=,tag:0ibwM0YFnz44Mv/LAhiZSw==,type:str]"
+													"maxRetries": "ENC[AES256_GCM,data:IWYG2sVQ,iv:LwuW2R+zZMNxtpvrbpkWAv5YfhTsuX3uQ2Ns2F00iOs=,tag:oLlRcfvOx3KqnszcTlVF7g==,type:str]",
+													"retryInterval": "ENC[AES256_GCM,data:Q/mKjaD7,iv:aOUanyDWdJp2FTLEVR9HRvWBB5jl/X+bxg2R51C+n3w=,tag:Bzx7t0iM23VwhmxmksOnjA==,type:str]"
 												}
 											]
 										}
@@ -5249,74 +7705,84 @@
 						"wait_for": null
 					},
 					"sensitive_attributes": [],
+					"identity_schema_version": "ENC[AES256_GCM,data:lQ==,iv:6xyUkLOTf/PpK6SNhBpnnV8h0sMyb9gmI/VyU8qsQrA=,tag:cL3YC+Ez1O4J8crFB1A/Sg==,type:float]",
+					"identity": {
+						"api_version": "ENC[AES256_GCM,data:szjM8EEHr34omijQsyZrTXE0z6vP2w==,iv:ohmmcHPqUjA6N9BfQM9efAWnWMhR5GuGAtQZJEhI1Hk=,tag:x9LplcGsTu5fIddNlPOKuQ==,type:str]",
+						"kind": "ENC[AES256_GCM,data:JNbss0PZ9OGnDvE4PkdD2JVV,iv:pKLmNJw9vR9YIjL9aSPhBHH8Z4idXBEtLLUs4UReRAw=,tag:IMwZEQejV4aN228j00ioNA==,type:str]",
+						"name": "ENC[AES256_GCM,data:c6JwFMe4t4s=,iv:xcygzf6V2b7EDsuiGGuGtLn04tZgiv7Ne1AT9Rhso0c=,tag:IV+RnFd+pCGK9UeaImeUuA==,type:str]",
+						"namespace": ""
+					},
 					"dependencies": [
-						"ENC[AES256_GCM,data:hsS6LaYLtUgcFqwklVg/VJcWrGBWdZ1PKVDRPcE=,iv:3GgzJCaauA1w8ZdqnjO6c1QsNLxIj7PtWcQlreGXhXI=,tag:Oz3I3ACnASialTw7NhW5/Q==,type:str]",
-						"ENC[AES256_GCM,data:dsatLQNsIx33DR7ZtK0/mm7wp3T9CGB7mjJOF0Jc6WvycA9Z4w==,iv:RoLaPWORn9Y77LfthGjyKWJJILAcnbKjRTnJ49l2egw=,tag:zDigHDwunEHr5loYzDaOfQ==,type:str]"
+						"ENC[AES256_GCM,data:ICDUlUz/9oFZBOgx6vX3KmJUOZfUM2+Y7EZdCjA=,iv:x07lG6Zfwg62XK/L8teDo9surNlli9z2VYWHRbR3lFE=,tag:caKmZhlGfzJ41Kp7iXJBYw==,type:str]",
+						"ENC[AES256_GCM,data:1Qc6EpLLRKqf+2uay9KEbXL+XdIL/MbE7VFwb7SqG10pynNYOQ==,iv:DxrN6VwMqGO3vHCD348o2u5v6qPaGdbgh3B/wLIBb2k=,tag:XJ7w8WZrCpa+Rt5s1DQpzA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:+swg82AVXg==,iv:E8+Iga+QpFlub1zjzLc9+1hzTDKS2hGwczTuylRnrxg=,tag:hgIEXfva44K7J4Xf8lpMVg==,type:str]",
-			"type": "ENC[AES256_GCM,data:PICye3pMK3zGMefICfZug3PZQJY=,iv:blVwiXRv4EG0ajGbOekWuAJdTlhwNXSfqttIJkyuxHo=,tag:CwCDFkk8OQQfMfdbfuwbJw==,type:str]",
-			"name": "ENC[AES256_GCM,data:x+Fj0w9YCjs6XlM0+TA93Q==,iv:D3IjnK6c9LXKkKlOWJbnG3jV53WHGXl+DPsYzKKVrYo=,tag:KFhv06eulPlDGxH0x4PLUQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:EnISYj82MLXTvInsDx5VhN60M7gzRqFjL2EN4t8RFAKIwihl6kX+7zsAVSgeEWqQIo777qSe,iv:9ZLXW7eA1z7kebNsf1oRB7gLo5Vvh6OSv4ix4LDVxOY=,tag:mDQcQysOPI9IxuPnOtGD0w==,type:str]",
+			"mode": "ENC[AES256_GCM,data:myTPG2JUOw==,iv:MoG/XSWJrVHD59r9SHUzmdtNmcGKpKEHkgYAD7lvrI0=,tag:pJU0KKj4x7S6UDB3RCniSw==,type:str]",
+			"type": "ENC[AES256_GCM,data:UnNwyDkG6V6P7ZL/CW3+DMqDjWs=,iv:BQEPXal2bqBCUInylpQB07z6yk4NE7MTgEQjNc0dEjM=,tag:5VK0AzyuYStMCs0NFwUw7g==,type:str]",
+			"name": "ENC[AES256_GCM,data:/X94rwg3pPh5Ktlk6LgG6Q==,iv:tsdEm2y1Pg8wdOlodaeLxPcm9NsdtJeFZw/on3HTrGE=,tag:aM9ZOaEHIDlYo/tAszDKzA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:dkQ59JuYtKVADXvesHboe/DK+cNjSYqJqoTXMp3lrxJwRrNRc16dDCvJ6/ff7PDXaz4X1l2n,iv:NRHO7JGzMXu1nqkSFq+9fTsXHYS9PLa0kbT/mO4MsrQ=,tag:mHk9jy34R5659/47v+RmCw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Rw==,iv:umvb6UmUfwsU1QMVImd6qc20VWaoI+hAsZkDskgKhLg=,tag:JIadpQ0U1vpgW/eCsqo8Jg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:DQ==,iv:FA6IKKz13FZd075coxyIcmKtXGoxP6EWLlnAq8N7l/4=,tag:VUnj2a/Kpvk2OdwVu01DcQ==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:zgqFCseGrGxaGC4+Thp2+Q==,iv:r8thBVzxVSMgZCtWGzAC+XVM2pJ7sLRWuoYdAsFaong=,tag:b29breaquuWd0t/aB2qN6Q==,type:str]",
+						"id": "ENC[AES256_GCM,data:iPlrlIX4vwp1rRVxHnmbWw==,iv:7+atOIN17H8jZN2slsgqFgwmagiZ4bwfyv+wDD2iqBo=,tag:n6NmdyoNBXCkZMkZiqJQ0A==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:8Q==,iv:tWfEI9EINEDrxPpdfMoH/MgDLP9oV5J7InIsXV5vZdA=,tag:fpq93p/5rnqez1wACKT2Vg==,type:float]",
+								"generation": "ENC[AES256_GCM,data:ow==,iv:NTGzbTjLaOaWSY2l3Ffb6MIQP52hASpUYL0ouzrliNg=,tag:QMkRrbktXZWI3mGyhBzAhw==,type:float]",
 								"labels": {
-									"goldilocks.fairwinds.com/vpa-update-mode": "ENC[AES256_GCM,data:qv3K,iv:c18JxQiq3wMpse+0tuM6jwh2W3wqf2v2TfmRIItQxIw=,tag:fIWgI5xNY/kjzVfED++oFw==,type:str]",
-									"tier": "ENC[AES256_GCM,data:/MbUQu0MHJbG,iv:4CiD2ZSa1aTiTeryemErgCzmckeQ+GLlbWBq3SpHwPI=,tag:FSI1ltgy19Z5CMAm+2FQ0Q==,type:str]"
+									"goldilocks.fairwinds.com/vpa-update-mode": "ENC[AES256_GCM,data:DjGs,iv:rlq04FeTI4ipRUAd2w1I3g0G+FiWTu8PSiRAUyVV8Ec=,tag:qmR9KBjHbdGTh8fCBx7RJA==,type:str]",
+									"keel.sh/enrolled": "ENC[AES256_GCM,data:imnBVw==,iv:cS0T+PY1aaJTdk+hPiFXQOhTyXHK7c/2ul/NBjQhRgk=,tag:4y6WnOP++wx3tCfp5kwcvQ==,type:str]",
+									"tier": "ENC[AES256_GCM,data:4On/3o/18mUe,iv:RAVP1vf6YkH8w3KVQMME5hFbUbhsExEkO33/XUNxJLg=,tag:19qxTAu4HLwEEYG0o0yJGg==,type:str]"
 								},
-								"name": "ENC[AES256_GCM,data:IJ5bNbPbBgrTutr7vBFWhQ==,iv:Mjk4VhSGgPKYmcZbIE2Re8QV46LIhI0K60r1CyuJiHs=,tag:fa02Wjm3oVJi9COsxARdeA==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:4y3+A7dEYfO+,iv:qAuXNdxoSXuSlM1oXJYZ6TukiBXQwzcyadylV0wF0BQ=,tag:YJ5Dl0xdX3kdpcV8eeQ3PQ==,type:str]",
-								"uid": "ENC[AES256_GCM,data:edhnKy0XH48DY+ZSCbhMB+Smd1yGXThkFpbeJrko+RCwKZoJ,iv:CnYvkq70PhgHS+6lf4Gqt2oU2AD1hafbGepjNGNgOA8=,tag:Kd+xqIvyTqgWP744YGLhxQ==,type:str]"
+								"name": "ENC[AES256_GCM,data:quVHrBF3N19a1nOteJ/bEw==,iv:Mlk1iEgyZ8eaVukQcF6YjbhfYPdfLYLPGHOrN5lrH1o=,tag:BDPEvx0IG7JcHO7HabevQw==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:dEfX/ubD5eQ3,iv:4EwX8PmOxGXBecAPyXh3LNRFAMH3vQ1tTQ6tZK/wcIE=,tag:SkS2+UyJ2z0R4whWg8IfgA==,type:str]",
+								"uid": "ENC[AES256_GCM,data:HbPpYxohTKwBvXT+GG7t7ac6/H+hrQ3EkY3ItK2BQ0yZwanX,iv:7IGirA0Yfthh4bEO4dYoqubkt1ONrqSj3oKlUOZUAe8=,tag:0N+qJH4EbLQXk9Xgb4QwMQ==,type:str]"
 							}
 						],
 						"timeouts": null,
-						"wait_for_default_service_account": "ENC[AES256_GCM,data:VJs0TUw=,iv:hcnJ/SAMMMoO3GndzexALZ+YEkzfkoDtuLRrZSGMbYU=,tag:Cl6HbzdqdT6Hvm/2+xiImg==,type:bool]"
+						"wait_for_default_service_account": "ENC[AES256_GCM,data:4KyKZ6o=,iv:EzddyTzO2K8b3knxLCsLzxaUS4i2p9bsniv+3QrsFAM=,tag:1nbwqiNOVg/1UsVBNg7eFA==,type:bool]"
 					},
 					"sensitive_attributes": [],
-					"private": "ENC[AES256_GCM,data:2gUh4P8tTCFE/zvnwGWjiEihfp9eYjMqi0KusZ0uO8QEg+udYUgPsmaxT+E+ULDN7yMglZLfNCdK2t0jJJuXgs6HaZ93ztvK45mVbfb1es3LGkAdAfG/sg==,iv:PezMlG8VOJV05eDmGALap0k8dMu+e7JyCpV0TQElWwY=,tag:fTbDuPPjTQ1C0Z4cjcTKMg==,type:str]"
+					"identity_schema_version": "ENC[AES256_GCM,data:Jw==,iv:c1MmDWYO0Zst8EY25N9cOGXwEH904NaLtrMWBo4E86M=,tag:z02SVgu4lCCulqamGeKXLw==,type:float]",
+					"identity": {
+						"api_version": "ENC[AES256_GCM,data:kwM=,iv:sQiGgcC04kkiDJxwHbIdB8TPn20ge/HUJl8RyELWjks=,tag:ZP2UJkTcs0e1s6ctJBZSBA==,type:str]",
+						"kind": "ENC[AES256_GCM,data:g628KUWW9HEU,iv:D+xoYH2+S4bmKSFPLvcpkvOsOa//mkHzHLjI8RdF4Zw=,tag:HHAFiADer7FG8DCmQckS+Q==,type:str]",
+						"name": "ENC[AES256_GCM,data:SBR2bVE6su0qmEEWlvuuWA==,iv:birET/RVVBbJwm0h+4NNP/PeWHszOVRlTloLqbFGTJ0=,tag:EOx7+yn0yQ7lLCBXUO8oDQ==,type:str]"
+					},
+					"private": "ENC[AES256_GCM,data:OQl6e/kaqh30NdDnERM8PLDnFr33GDUwgUyulhuPCEHghcjiYgEMb3etbuaOAoedDkVCB5I//KIQiSdwoU9Q5lsON1MXAwTjCo4oH5OWqcLAryyoOWe1WA==,iv:aBQchMToWO5PT3LsvoSG+Uv/dmoSUMB9sg0bDnR5CXo=,tag:7Wez6b7rCkwUQGuQksfdvQ==,type:str]"
 				}
 			]
 		}
 	],
 	"check_results": null,
 	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
 		"hc_vault": [
 			{
 				"vault_address": "https://vault.viktorbarzin.me",
 				"engine_path": "transit",
 				"key_name": "sops-state-external-secrets",
-				"created_at": "2026-03-21T11:23:18Z",
-				"enc": "vault:v1:klQGuG/P4c77eSIm041PimhcJbpSy6TLFVJKfxZ+KHKy0EFy7f0D6bRIEGAOqVXSQkcPxt4S2nxag7g6"
+				"created_at": "2026-06-23T09:53:36Z",
+				"enc": "vault:v1:ErF3+LzDi1PSi7jvybJdJJ5lUiBkWoJbiK2s538SPof9BpLrIJTWkrxiJhnJuO6+uwI7YrlbHMebFbav"
 			}
 		],
 		"age": [
 			{
 				"recipient": "age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmYnFQTCtnVU02eGtmVzdq\nN1BINUhWZHpGTloyUkZkbEc2SUJUbnp4eFdrCjJpdGErYWtYQ3k5WFFINitzVVFW\nN2syY0lxcFZQYVpQS1NaaHRZdkJkNmcKLS0tIHNxSCtPWndscWgwd3BBNHNvNUM3\nR1VwUlVsRzJXRTlPM3RCM2d2YkZoVUUKhALG6c/nMj4hCEitZdgyFzwdVRHdRoFc\npGcXs9EJRTQchnse2nVIbF/gHprBHTLgwvMOeFAiMBLTklGbZwdaWQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RGhGN254cXlpM3N0SVh3\nMUJjbTFraTRxbXg1YmRhWUhsOFFSamZaaW0wCjZwZFlQMlBLZFc2dEJ6TVFGRFVt\nemo4NmZxbE9wcHZQT0ZpdXhXZGZRV0EKLS0tIDZBbm5yaFI4bUxZQzBSUFhQcjZX\nUVp5dU4wNmZzdXo0Q0xzZ3QrVThmYTAKjFlQWHA9AAM9wvkGJSz3z/hEcWoNr9I9\n/1sY0Y4cPannEDb9GP+xgUPaXV3hEAXV3Mzl9uNsj1PUDKOVx3oc/A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1rekkad48r2wzhwqgfetw5yugu3ln3qlht4xg3txmx55tee8cveess60r90",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjU0dpQ1QrM296MXpRM1NQ\nUUFpajBrd1Npem1xcG1md0ZmM1VnUjhNZ1FnClpCNDlkM2xhWElvVHNhTWlaWmg5\nNUVvWkprdmhSMzNMS2pFbm55Z0x4d2MKLS0tIGdJYlMwZCtNb292YkQ1Z1I5SFVF\nUjljMjZwQ3pJdzdnYVZIcEl5bW1NbDgKlcHHnw+cweHcU4f6t3Y3s2yBAO5Y5FGn\npPyJq5kIYWxxgeHThGgDzMSEiQbyN6K+KR5B707WLSMKjUFqqD9IRw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5am54STRoaVhaQ01RRGJv\nN0hwNjBVaDN0M2tLcGJla2toVlVhb014aWtJCm84MUNDSTd0a2NBVmlrU05IckJx\nYWR4UGg2bnE2YmpPeFVUVTRpMklKVkUKLS0tIExEdGw5dUZtUEEwVEhvNFY3T0ZS\nQ1lxbUtIN1BLZ2VMOUJJQkNCU3dLM2cKzuRKEqWS6Yr1QQ7k8yMJ+omWaQtbk7jb\nOUQNQoDyZ0uIbxESq+vmFLvUGaignQYae1YIPKsFvfqa4GhUTgIhhw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2026-03-21T11:23:19Z",
-		"mac": "ENC[AES256_GCM,data:UtobIxrbP27zTRoSXQNDDZu7feJYPJn014MSg/ZathsQtTbYCf0l0gsITXsmCC6z6CYEitpvF30ngk9+B4qg+p5o9YHd1rPGfwasZKVQWJPn/4YEqPRQ78W5D5MP424d8Z781igrSXezv2PSaMkhNLZBrluYxZcd2KJDl34FzSw=,iv:3l5k8Xe25h4CFEr84b4J/OP16DVi2lQB+iu5ybzKglA=,tag:r0nlTNVOi0KBwronaFwUog==,type:str]",
-		"pgp": null,
+		"lastmodified": "2026-06-23T09:53:36Z",
+		"mac": "ENC[AES256_GCM,data:/PT+yzKIpfFrptiLoEgZ4r3Qw3pIWxUBR5ctOESboVd8RyWgMWwvVpNgt+APn1lG1gxaNMsnV0CuWwmn5EgJWDDiIzRRVwc+kxZKSL/RO2K0B3UESZaoIFhhSIAqqfOkqa3iiOauTssyD7SEqg9Wlpeo61yhS7MB7xMFygSOYzw=,iv:AoTEBMGbv8kQXeXis5uv8pFEAjLbeIrsKCe099j6YhY=,tag:GgWhXUp4fi67YiCt/j5qrg==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
+		"version": "3.12.1"
 	}
-}
\ No newline at end of file
+}
diff --git a/state/stacks/infra/terraform.tfstate.enc b/state/stacks/infra/terraform.tfstate.enc
index 09081de2..6281bed7 100644
--- a/state/stacks/infra/terraform.tfstate.enc
+++ b/state/stacks/infra/terraform.tfstate.enc
@@ -1,758 +1,780 @@
 {
-	"version": "ENC[AES256_GCM,data:Bg==,iv:5XkdoMdK/C+qIM86Nry7asZNgMdFpXFp+5uQZ5X/f2E=,tag:toVbzSMd/CGcQ/sY+oe9hg==,type:float]",
-	"terraform_version": "ENC[AES256_GCM,data:mSg2r2WA,iv:7HplMYMX61QZOPPXgWh5vuWAWg8ztDdU05SxpKMVZWA=,tag:n4y0gPn/CURp2i66FLTl5g==,type:str]",
-	"serial": "ENC[AES256_GCM,data:xZc=,iv:9naB+jj40CVJgJw46uyGJEqqAuW6lc+8QdV6nW1xHtM=,tag:8InESNRUfSLw1A0Hxhnz0A==,type:float]",
-	"lineage": "ENC[AES256_GCM,data:73hGQxw1Jlgs0cQCow1RIfCBu7aiZF7iJaTMJeIfXwcb88IM,iv:0A83+pNMynGEwV/U1HLnh8UwYWwrPHMgpQeLIUNaCPk=,tag:gwtMrXol6nY4mkfqRFSuJQ==,type:str]",
+	"version": "ENC[AES256_GCM,data:Kg==,iv:ELcor4ETpCmpO3gJok5AakSoxrawEswe5zd4kUCNqfc=,tag:ewSfqVwDJFEfXBKtxjoo/w==,type:float]",
+	"terraform_version": "ENC[AES256_GCM,data:00pG/VgH,iv:tPyaITpSsdeVZ4mWm//t4SXy83NS9BkX6ccDiC9qAfY=,tag:osuxcLXpGsH6zN2qtJ7ovg==,type:str]",
+	"serial": "ENC[AES256_GCM,data:9AU=,iv:0gSuCS1DOoZTX20LbAhdWrFeRzUXq68iGroyowpadR4=,tag:VrGbUGcFiJVxC/HaJGtdpA==,type:float]",
+	"lineage": "ENC[AES256_GCM,data:Prc4EkdAyvv8PtJlXs7lRnsmbLkBTysOSMtGyJ6Rv5CKDBlx,iv:DdnU5uD0reKmyei/jUqNkK1iFICfPzTQI/vKr513KqY=,tag:Bq7P5w+dXHGvRsQVOpZuEQ==,type:str]",
 	"outputs": {},
 	"resources": [
 		{
-			"mode": "ENC[AES256_GCM,data:ICV2eA==,iv:jwZ52nCpqLT3XXYkN5ihkN1XLF59Fp2Dx23OifZRpQQ=,tag:Tqkk5kOTncxRaDnaDYFZTA==,type:str]",
-			"type": "ENC[AES256_GCM,data:FJSQXU6BtevsUIxvvPBbZFs4,iv:RD/3M7TqQew3fLRAna60ZRYn9SCx/u5z18NXYzaqRh8=,tag:M02KIWQP5pwYq1VVdFYrOw==,type:str]",
-			"name": "ENC[AES256_GCM,data:QxrIJGgTltyPH/E=,iv:rm0XcVI6ko8V4RUrj+SWQTXPZR8wJgrXYqedTYWGT5A=,tag:RgGUtiulOPNlwIB1S9cUSw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:oCcZsIhnGEZu0cI7Dh8rXMPs77As01ky+b2l/1LB88UPOF6GFXutKd9ELirquL4X9g==,iv:XKPMKA5PYNKWG53c/FNreUzB189yWS/OzgMWAksi6ng=,tag:/SWuvXJO8YlKKhZxUsYLyw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:kRvVoQ==,iv:SKm4D0Vpq/d3nYd2eZxa+lk4g0lbs3v64SdqvMGVu08=,tag:Y6hMkTieyPRLBUf+0h357Q==,type:str]",
+			"type": "ENC[AES256_GCM,data:x4Q+Q7V97tBGGIHLOwZJ53Ve,iv:qxnPqke7u+1o65WIqDyq6XIsWHIe0wBaZCcqsvFMqSQ=,tag:eqiPHvuynf5D51RJd2OMYQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:ujZvU6k9Q1KLyX8=,iv:inz13xOCo7bWRYGU/GDuggrbTYuIeZSccBCgx87Jqdk=,tag:alv7XW5hvmVb2saD0JJyKQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:xvZsEuOd72EkDeXhhrKDriSK2DsWCXgUnFDvFHA9W5ZOVF42xNO6STQrSoV1yX3nMg==,iv:di/cfqo0HtHYGc9JdqOXTXfWnx2xb2sBj3uF43JKBKU=,tag:EfQHiZyt3xVvp177lCGDBQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Xw==,iv:toWpidERMYn/w1xOyaoLW5to3zAM54wNjFT9cyXz1qY=,tag:e4b0ACDTni/GK2PNqqwGlA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:mw==,iv:RZ5bi4nV+/CuIXH6iigctTuIFdI5MM5EHiJjkDNFr28=,tag:VfuScNL6Pv1kxQh/iCaxpg==,type:float]",
 					"attributes": {
-						"created_time": "ENC[AES256_GCM,data:t0mhyv+oXXSGW5MGvx+9uBgXi5jf0LqWI9TIZYsf,iv:buSJqP4ULkHMlOoAFmUdqH9RuguPSbgLHF6i4z7wBm4=,tag:sP9r4a8n76pkp0toyvmstA==,type:str]",
+						"created_time": "ENC[AES256_GCM,data:JsSRG2QXISZQzEggPvqXceYkAyFA4YFlKb2w89sc,iv:EjektgMj7zcCV6myESigHxSklNec+nEbSKH47wMNkBI=,tag:j5/dM+lwajhdpGuWaEneJg==,type:str]",
 						"custom_metadata": null,
 						"data": {
-							"alertmanager_account_password": "ENC[AES256_GCM,data:oW0cP2kBhL/EiSOzJs0pg2n0ExI=,iv:PW+1HhzwmdzZae+8TB2ReM6qZ+6MOiIVUUWg1sVXTBc=,tag:A8Lzi4skglkE1O5tMmMNuw==,type:str]",
-							"alertmanager_slack_api_url": "ENC[AES256_GCM,data:VHIZLDuoJZW0sRbdGG+kkfxRl77ioa+L6ulmUBmMmnTVxyx46jPrc03P7qVd5c9vM5QlYqvABOPQh8eW//2zlN2UQb4S8i6CEr6SD/KewAX1,iv:1Co1EE3daL6mThwDSOfpGtJNd0ajzQBRgaPlL8UnNPo=,tag:35mFoaKV9X2snCWPUmdEFA==,type:str]",
-							"auth_fallback_htpasswd": "ENC[AES256_GCM,data:xx70lX5hh3Zs1j+CWBx5B15GpLWe3DazoCbLbQtgEZjI2mjnerDsj+DnbCRcDMsA0KJb+fTpUSvMly66vQvPzp9U,iv:lEO4jhCT/EzeBSdMBIthnD9ozbm6+6sQrbXd1wDFVpg=,tag:O8fyXkxsnoNKmeIQwKS7qw==,type:str]",
-							"authentik_postgres_password": "ENC[AES256_GCM,data:rT0Voos5sdupKiUgQXIOsw==,iv:5T+L0962Mc5jLKOIDRDnzlttgT3pfNYyZAm0YdtLXPA=,tag:o5bJGX7IGAc3vgFtX6qlAg==,type:str]",
-							"authentik_secret_key": "ENC[AES256_GCM,data:DpgFR28PTAo4BHAH8JK7SclsVCf/azWlA58DzCRA33xY2M3cWckL8RSfS58BfAfvifEL,iv:qJbGpIdC6wCOrodKQjRo1CoDpxN2d/qnqfyzP1i5ClQ=,tag:weZziwfRbogNUqj5Ay9VjA==,type:str]",
-							"cloudflare_api_key": "ENC[AES256_GCM,data:30UQ5I9TquddYWEWQUiKhz1ZS5rH9vTrioM2KZfx1Wf4R1Tmsw==,iv:sIockG/A9q1HEGvw3RYe7omiis+CXaM9BgnCETRcfYI=,tag:eD2v4//jRlBjdYjEJCs/wQ==,type:str]",
-							"cloudflare_tunnel_token": "ENC[AES256_GCM,data:Yxrf6UOP3Q9LR+vQJvFEcaXO9k1s1JKHg2bXJRtHX8KZZ3F/5sB5wU3d0EY+MigsrG2QZhwk4J1fqUqftrNgwlCJw0C4S6JNjF9AKM976B68WNnBWMQxxLEPXPItCrbSBbAH1PxE8wlEpU5N/6mj/EBwIqMdF/0CASM/SluNVZi3eWtaz3NHLnQHBZQUm0Lp2jdMut+lkpuLCFY40twi3vajTDjVSGWadWHzi6pB4ZLk2WK0dfZANQ==,iv:QWt/+S/fJmRYnI7woq7dW7hXVByXsYpuJy0dsoxCeoA=,tag:B+40YXKcv2269hw4z8anGQ==,type:str]",
-							"crowdsec_dash_api_key": "ENC[AES256_GCM,data:TQz/ReD22r67YzOier52YiXmm5MaViHgrDEs5FdtUNrEeHD2CnafWEPMYQ==,iv:txsX+hGjFg66tbKMvk7hE21FQ41E25h5oI+QTJ2i868=,tag:9BPHiIneFxFOAasvTlxiDA==,type:str]",
-							"crowdsec_dash_machine_id": "ENC[AES256_GCM,data:sdRtSm6I5FrNOYi2T6doAKivk2+BkxNRTHbRXV0=,iv:IIx8PkmqaMUZyfYx6m+vvu9rd1CHJuUQYoDbxoWYyBk=,tag:LMSzUJOEtJ9JwoVD/oiCjA==,type:str]",
-							"crowdsec_dash_machine_password": "ENC[AES256_GCM,data:wPgyXi5ki+wKrY5jt/9dyG4LWBNM/T8cq9X6cgpQ1MOCdiIeXEq/vXeqTTS0g4CQtU+Wt3jFKmorn3dxFOHGCQ==,iv:FyPwBYNdLT/iFgCjOtTfBjZOdOsPpTYGDf0ZL4y9KhI=,tag:phfzW7o+MwiXpy7mm9W7NQ==,type:str]",
-							"crowdsec_db_password": "ENC[AES256_GCM,data:Ge9128lneTaCaKFxk3o=,iv:BIVrecoRC9knljjmxfDYttjgF6AIZUM2IG540BL8bMM=,tag:L6gefCrYF19q5ENDxKX2Zg==,type:str]",
-							"crowdsec_enroll_key": "ENC[AES256_GCM,data:BBApnK34w9HgF7PAd6y/bS7FqmWY7bFcLA==,iv:bLjXqXVELKB0qSwl8t3HahdP/FmLUtU5nrekJvXbTYk=,tag:8EOvlQN7YyBhP+Bm28bzOg==,type:str]",
-							"dbaas_pgadmin_password": "ENC[AES256_GCM,data:2cJPEeAMVuuLVHNmxCsnL4GE3ju51ojxk+Peb68ig5E=,iv:+wtXeo9L027SmJJR9FxEGzNZCwJk8+3xnT12qE2R7bY=,tag:O3430FGniu3NJFN1Z9mGuQ==,type:str]",
-							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:JavQ5n++fbRb0QSRCyy+LzuAVyxZDi0vSWo=,iv:KNet5YB7uV1gsKF9xLq8x7iiEVEqD5YySLll7I8AmUw=,tag:oQXk6U+c4KnK46YxM45+Pw==,type:str]",
-							"dbaas_root_password": "ENC[AES256_GCM,data:DFoh19HM5niOb2aOCLIn7kuXiHLRFMEwk3Agpw==,iv:EWP0umR+CQNNgN3EhokJtV9RQsEV/cEUTMGqCZ6mV/w=,tag:4+e/0tG/24x7ZvhcING8nA==,type:str]",
-							"grafana_admin_password": "ENC[AES256_GCM,data:aUsQab5S7apAiRb21rzWCqS3viM=,iv:lX93PWHGtIpWwQQJzdb0O9MI0JKdM3OkLoo2OdeFSd8=,tag:UlBpSsI4AZ+cAr0KSADMdQ==,type:str]",
-							"grafana_db_password": "ENC[AES256_GCM,data:pkOCUXYAV8jwqWSkY6VP3VlVPLd/,iv:Vs/y8IUEIZd87Z8wGZy8hBlY2MXjkFjX6IdRQQ1g6HM=,tag:i0g9nsI8OjRhPtv/YCckKg==,type:str]",
-							"haos_api_token": "ENC[AES256_GCM,data:ZuzkSXs4ha9QspT/rSY0VkkFIza6p6N0+yWautdXlN2mt0fyn6bu+daWuGU1OGg4PfEcXus0eSdU5C/UOxNX4Ryi8lHiA3/ISfhnPJZbhkRVzTGKGiMQnLU9V84Zrm/MI/vezWp46J3cpKiH7uG191mUJR0plwijg4x8o/OXlEqx1Dr+YxJ7Uj4r0SB7gTXAA8w1/1qqVFrshzX2zruzZBUTuGU2AStYGp1zcO8Qh6QBk/O3u+Ux,iv:vV9E5dVy9x528OwLEd7ItRJk0SCqAFNo69kbVKoXSRc=,tag:ZaO2stw1hFDRE39iLluzQw==,type:str]",
-							"headscale_acl": "ENC[AES256_GCM,data:yL3wiE8Faxu4fHUewuSthI1KWol0tnXeZpUtUl5RS5wpC5X5K0/BqED2wglA4DwxmX/wuYdk4c+Oi8vRI1HPnaJWD9cy+CZtV+jtJ9liCcwqA2z22Wv9xvzTqzvDtVT6QHgIKnIgfPfdQH9RYzHSSIyUZOJJJPyl2xzYYsdgoVbAM89ZAFCf8aklj4Ti0SPIdU48lsGrLAtIiaBsAMgX+eOS3o+ZLCZyr8pYzeurYDdp0OPUFZv6dQ8LWWp7tqHS0VCv1W6PCZmX4XDxPgnw3uOHXxKDBFMAviUhW4q0CIXK/DUPalpRVFex4AdcY/6y5flnLYc/6mTpu/i9h+EB6gXD6/Zp8Ek1d9tGkDJGZ4zjyCHL0u9KRwJg+bOGD9xR60xWKt6c/NOqRTDtpbYsNItDhzrxdTpwm+ZDYE65XfuOsafpNe61P/O8aVenzJ8B4g4XTIEzem16SPqV+ABxXguEsfFcNYpBfv7lW3DDqMhVzMwDfEuoeTYWNugWo2qA2UeVSNMYhazIbuIxqBpIYYyvXK2zSggZsUtP5YtwMnkgfvf7wNqsu25a4gx9u2oYaQgrRXRxrtaHJT+3TLNLrUGPLsKfVSS03JHCiHH7e42REFDEERCj6un68Fyu+6BJzZYse+Y+BqYW1ucPaRBxK0ITUYx0wVzainXykg7TaZ/PY957uztr2PHn6P4mDwBFG8PCJT6O+0mDLSaS7XMceV4HQIk+YOJTL6+HuBXt4v+iB7tqi8ttL62LaK/+TMtjfpLPBtCN0KxT9sbFXT0HEkn0W6gEIlsfvCFZfcl73huLJTMngjHOm/194d32LqOedtMEUw1y+1APcardPxRWhyQbomrK8Z4BLZDZbTvxgAUNvPHOofUopC6ixyng+p53Rf1f/C/PWPRqwLNkVHnoet+dm3Nj0//bfUbqFtQERAgOhVFTpgyhv4mn4AeAza202PFwEmCGu391mIXBUyPfBeDCnXWOHUdjTjl2898q9ZMw5aKuu+ZEF5bWKHEdEtP2+U4BIkrJ2zKNHyNpKUtRc98MspXfFzt8FPkSWfmP8hXCDr18eLt+Wk7YhXzG9hTHg8NfP3ImjGMdxOOGUGfqyW0bUffJuQo97ym+4vVsnBK4hKWVC04FVO9OV1KiIcuh52z7IPjCedeEkDiuGUVVmcIVyjIaYZ0/ueUcE1UCmwPOw9KeF/VBc8iBGpMZqjHFxbQwqm+f2+1D7O0ut/crzcurYF0GwswPbvnCFHC0dElLSo342QWKKF3hKILuzplWw7Cl8dqpeDga7nw5d/LFGfahcbhGGyYUdEf65wmAwU8HN3XTGEEhGpY6mXnOimRxzEadZPjjoDMmPF88M9OY6D6xq+bNvu9bpInKlXAJS5tL3eQgXdx8j5KW9uDS14eN9JGANgmKWKRzZzIcroGOcauO7KoFBlUT3QnIlPeDoHAnNyAt535lznBlF8jNSBQbxeSyorolrqoVxNRKviYNvW4bvMe/tWfUr2xV1bq/B9Dj1T5pVCLkbonvYs15ajSe/ekzBn4ical2KuvZL2vk3horPhYkYWph/OTxVM/6muGChkLMKrTGAufpEz+Dx7SH58n8EIOejXD0CbLK/3qJNmeSE5VwXa//yhI0x7hvR00BCFvUYk9jiMU7Rbzix65G+o3OTj+1v2+AoSHN4uKzlRCcA4r13C7xMBVr+EC2jRACwJEc74cqXDMjPeazLWBW2+hMH5H+zmTOmzQo4QA0gbS11kQ/PK85BRxqXw/n/xeElS5yEta9QqFPx5BjCwZgUrAVWT2iqrpy7HX8I2fz+AvSCEVyIDzyX+4ZY8f8lZc55jpVKDv5ca9NPTD3Hwdta3I8zkJ1d20GfSEeoZ8x765m225GC5iEYNXSBBjLeLEiHUm3swzsUFo8PdtcAx7b5AtTYCfh2DfYgeJ+sIS9tQC3wOBV+XiLf0hRsVt/d6mjedzZ7bLJcym+BaSoUPAfzdD7C9e2cBzMOCAT2QaRKrurcuTiTn2uFwvVfsGb8qDOt0LQORZIBlNN9Sxgzw4kmv9RzfaR9OoJNwzs4b2bIPUzCzOJ+HrRhNGDIQK5Qs6vjn1l2TDqtxcB2LlA7qpKAk5mhXyfrA79+aCV6lDPTh8IIAXYcCPY7cMEyP5/45eB3sYcJHKhKd7keTaEbCqGmTcSz8lWdU6qR0z2ox3DAydmKJoSh/kYKjQdpk8EZ5sot3hJwSx4CB0gzt2fmFueZb1MicfITcCdFaDsMCKW/Eh5+c+4HkLqpXMUNI8BqP/m5Z9lSjuhvGHprLO+BWa+jh+WmdpmFB61nC4KEQ6Z159Ls8QAOSL2czHRaVX/QPoMLrkVtvAA8bYTTWnML6j0r63uddjw7FrWr9Vr7Ba8PDILwC55zwaWN+dxR9aSjRS16EKTVbO70zo7EXKwBIvt65CGOjol23643pLyhI4JTtiJNyDrToN7C8vDkckPZrDMG/PrvkQSqy8GvM3K4oG57+sUxv3saPOFtyxysVVtQySZ/O7BJKHXtOmrw7gJcw26FSxZ0z/KNJA6ROaTfgIutkS1LzaWz1Q/iQJnjU912Shzc+N2/5DJPGRs/nmUitm66smnATuy+xF0ojlX+Th34Vo23Jv2nhRUGmSc0QkG0HY4NlZN8txUvjj6QUzXTwfEcIjd/ONx2tNyfRCi6YcG/zfHShDR/x3zCoR8gRkZY0frXQo1TkoQbMcsraI0DiTi2jlq65seI/ZGff3thAR7UYqffITpMgKdSO9evGID5MN5iy/I9IFhEAP7ZM5NujYhWJHhuQVax8koESU6ANhldmD4Hqu9Z0uQcG4VruBK6ktcweb8griBDtCzsRWgKFPHivlhCmRoGUeiirhm/PiZM2XmxLzTKry/Qi+SfaXwe/V9CId+WC7SF4JOF/jhaM+kp2jck9zU58mg3Npu4YTx8RBfvYuvJgMNpWhHJcFsGKKHYCkmk6ZEssWz/jKjXGE+++R+YGCL64ZfRpSe59jFyEHiDQJZOmxXZjzgWd/5CawcuZoFyZ7GwdjYDz/AVOUCK0eUTrzqU25z6f+n5MqnP4uI+9vwFcHZj1JXvjGhltPENbWWW8SQzTTZMG472IAEMWXAkLsjzzYM5bzwDmpqVAg7CnOfR+EIj7NI/yvkprnUhdtThZoCAAd05f+WiQdP25SLQxFQLqV46O0jAVaf7ANL51BQz62VDqdxM5AThCimL/FqUu/AsZdejYRCd63mlNotbN8SSO7AGmr/wd28w+bj0X/7yfxhxZ/z3qYrxHm6Zx/sHb4eeD8T/R9LoNXakxgQghKWs1gXyUzSJCjXU9uGGBmWxCaEN0tNgIJnwzK6m0o6AiM9oOM1M4xuYdCnHqIKFwa+75qyU+SioAW11UW3zJ7Wan3zsplCirG+MSW1UnIoo43q6Yel6kDY2deT6F7i9f/sp9FFk1N85qPHlB9wVB/SFkUx9Tdp1k4vQR7Urmroir7GQl/ykNKoS5RTpawcHLJi5gEsB1EAOMxUHSveBrJnOMxWm0xf0Dtsu8a04rfW7k5/jFgPBCRRvSHcsPawgGbaBWZECobkdGt3f4Y2YVhfHH2+Q0E2lVp3bUULqygek8wo1WHenHiM7Kp1JTLtmonirg+7rbSTPbDsfVZxmOQBH72COroR+5nuqAIhDSHx58NRNvOdETP9f6yCmWK7u+FwTHSohrhTCOT3Xrtms2xD+jd8yrbPqZ2YCG6dfV54axDuRxwJ9IlKfJ0fTJI3Ke04H988HYlBmVyP5RQiCCFkp5FAaBY4yvHOpNI8TAYXClvQRPxR3hsRFFTHDRxtqeqDw/ueRJHa/1kbRx8wCI4kx7A41AALrcZJiTyequy8F1XJ6U4/+KCNrpv3zQzTmzHhLK9fM5ilO2n+vePiL0Al5QDbQUfXiTcurOJjbHW7qeZkvKHnJ5i4llJ9qajSrRcreGgu5hatbjohGQre7l58XLAZ3Xo2alVgTOWpHSbH4/oqn43n7qUlVgA4acn81XykeoiKhFNMEXYvVVDo5IUhlRpQ9UvaohYI19DmXr9i7qwaBYoBJafV1jV0kCS4w3awrnF7LmUHpTke13jeMANS+HsQoGMswqR1xuxMQ8rdYUiJopfmI9NalCvLaBND68r9XfM4eY5bhpV95W9y64y0eotUFzFSJo1OPgoCOUYTkv7khCSGCOdvebc/9zbsTbvu809kvAU2WGivg3o9Tpa6NoXsXKOdS+vHaznJlQ5ba+Pr6+RIth3/2rXVetpyPNEBauAZsZ3qs9EBcdLwlMAfd7TUB/i3wAcEL4iJE1DGRxenGbb740B/BjW3PEzvqx2rA9TkGUOppRgAAFAzNR3EHvhe1j5/5SDFkkU6TeRzwmYhQ2DsqZQnuPcj5jWt4WgLz1sXPZPCs8wRROA8VAEEYd+LcPq+8qy3OpoLhEJRPTsdDUGWkpcLz8t0UxUxPr0us3uGn8W6hZhurELSFpqJkVetiaP5Frb09Tt9e1DnXfqdiBhEYSXWFI7Y9V5rKNOH60aIdS1YPoOe7TUcmwvAA7S4CAGsbrgs+CZOKpNpAJ0mHDep4EuSSVG2Zu5SJiMriBHtuHiCO6RO22VZoYnK9o9kq8e2rDtysirB7cOQuYaqfMx3VIPc+scGRE/3NUl4iDiZ19Aej6KpstuS2pRtP7ZgT9bM8JCGF2GanaKWi0oklC712WbfBAWJVQGhW7eCWBp8qtphgZuC1DdTZoP6BnTydjfvw6Us6AayaJa6V4bWC1UL9A4RDCsPLDldn3vKVLUfVdAIsPGFVMWJhuaYe82tFjvVa7PRCa7tI/3OdiTHYKE/b057Zr3cUHV4fd1ScGDcrrObbBNJYeNCyPZJV87AKn/FVOmn,iv:fnrIW0LoGP3QdcZ0ykTii1kzPecp0G2JgEtYdhWs3Gk=,tag:RY7JJXvEU/VFSRtcJcYNIA==,type:str]",
-							"headscale_config": "ENC[AES256_GCM,data:VsBJmX3ibHwKpycIgE8qdnVd6KtoGBcQTGyCdIwkT9NeXnRF+u3bgwP5H08D2TJ8ihr1BLULmgRr/HtalBy3+iCZizirC3adnf+an3iS5ibdNn2NMsYJQjWcIfa/nBlA5qmGTUwyqDziBAls+FiKdFfXyR1Rj01WByZrYJz5gn5bFmce7fUp4nNcygBczWzLlz9OjWqgukoeIvqdzOzYX6CESs+erZcYkwcYq0H1TD+8citY2D7ArmGxGuSSIzRjn99DhYz6Un3fZ0q8qeIlIkELdlbe/mKp5gJye+P2hxMds+pmEPymX3wSxzEjf9FytoLj8zRwWJhW1dwn3HBXAh7zBTMk2yQZ8UVSfL6t9uNnkh0lLz/lYeC4lIPMSx+mRQDddQmcofuSsSdMi6yov/3qo/bw3DxtW9aCLvwDc9oBUSuU2v1HKJf6XCbgBd9aczSc3zPCXY8VP+bRWxO9vpNkHBEvhU21No7oC/j2ok4/foP+fOBjI+ZPIjKLqj+TmSLz+pLQi++8hDITwcWAuunlL9b4iiw3AXvCqb+JJjn3JgVMGHUqiIC7MBtA+K8V1w5s9i7lZA5keDf7Grax/1sOMeGPhWeJgpyzD+unHDH/fawDjKSbs/aI9RMCsP/uYi3GKoSb+VYaD32CzwlNq4/Xsx32xbr3Egol0yHbYLFflHbrgQzbVCITGZr93dge0tE+tlMKOt4hBJE99Ilj4sRZ3eySbz37XG8H0GmDDdr6JZGxztokFU7/qQfTrK51AIokcsmgpMEtDrowJJ/sxv5sUoAZ92gJG5sz6Z+iwxzhPcRwsiMB6EejAKwbaxxxXOy9bnRniOD1nS00X6awDpMqL0blOJ8ZX2f1uB0HrRRxvuhTZCy4S6/+8C0WjYmjKwyyszeScEwJQ1i/6Kpi8/TS36zuPA7Pd4j24Yg78lmmB9nTIDgq8p9pL1DKyy8UykrcdtLfCnYwqLudiN1anW5TUHwVumYWjCQRvtqflGpbmlYDlEwrOrCUw8HfF4v912MMqPAeKnzPFLhtTT4kKGSAQISFHznZrqiaI6HEbq71RyxBVXjkiTSePQkUx1bgJVsvD3hWbv9ZHcG4fQkYqIQxabixNITxVF9yb73+oTwKkNLyV7+42Lal8/WitI58o5lbuJEJ0tEjuh5RumGtAYbqzdxqhvVILEZ6kYe1gjAFoc9Dklrt17GqPIgY/zKKxMncSYpc7yNia/fH9J9QeC1kh5/upjiqASIkMFrK4Jx0dGrwsR0SebfQxeL/L/wnIPKTa4eYCyc1JfeSkhWNIfmzzo+4j65ATzvdWSZvZH0UhEjGboI1E34kgcxmvSEqXnV+1mRaQWYIDB5UaKKgtBdVnXisssBi9ZlQnOOcqGhrPebQK2pLFQ2PJMjHWbTFvh7Q5nybnXtpswmiK2CYRO6mxHjPUJodkRvOzTdS+C3tTfFyX7RlHF3VxJSOhn9zLJWh2N0X7Uz6tPQuODRANmmcPz8eHW+XvseyoPJS1GOC7clByTCFVimuVmc1hqK38aVOcbbEsS+sXrrPiDrokC4sOxG45q4NGqCjS3yDIR1v+Zp8QUKXSjL6i/Q1QukUkbyx547coNjbnfm/GkWozA4gtsDS4ELM7WLOhVmX/fIOt8P4U2vM/qKB4dXT2Rp/DNdhKVBR1ffMWK1l8aZPFgtWMUEGBpPZ6hhr5tbpqCSt7szS30wOTJ/5yNvQSD6Vnjx5JvfxsKrMBGv/4qzFJls2BT84OVosiD6wov1rgdd9FQOEGtMSuP+afwy4y4C+hsk8CgFgzjvOdVQO3xrU2OgYVXUF1pxcUabmibYgeTYo4zvKSez40+N5e2wqZk/wMqBCbGtcZM1RW6o05dbsTMnSdTvXaxW3YhPzA5NZCUjoPV4xFAW4VNDujAv/J7kC4dhwgdHXqNYoLKlF2gPjxs9QlNb14JGboBuqbQTo24cMd8zClcclBLRuSnZIshNK/tPKUUEoYpmcvqMh7yS4rHphm+QZwOqK/syKHaKVHZBmhVqq9T11Yf9h6S/JbLOKvojCeC77m/Kf87tc18+bV8odKJGdqJKV8QhDvm4zzd3yCcSCl5e72Z6lBuZ43MDutnt6CmHwpjZBCbJMlwNW8AFdH9zmaCRjkA2BH1vpE+qGuV5lrjobVsLF8QMR5OYB2cO6BPhKjY7eijC+9W5WlqUQpjtjLS72dzE9U2aAdEMAba/ctTIZdx53OikuD+CX7tEfOx4WJ2nBZcKOVohwpH85EFG9NWluTcxxJGYk8e0GWiASfFlwVOBLf7XP/huOeMWwMn4UlqdN/S4j0PGRQAsUCWQDrTodTNUp9S83imuMW6DIv6JAqMtSaLTL3mAJf0B7t+DoqH36KdSobi980oiqgmbB3o1KSX37+lP5nRN4P/9paOAFArIyrt46Ssn/HapzkcaFoNlut367NebVY+ada4pV7O53Xyq/D4eGrV1f2QB+8XX15hHOk3CnjdOlwMe+fnVuQcDUYl0lyOIEMZBKvOYobnTcuXZd6d6RmeCAYhzflUhuP02pUitIYCzMgQ+4dvpQVU7ozC7IhlQnsUuIqFdOeSA9d1K2J0sNkGMfXxKMTtyUpoVE5sE1mFRJ1Y0LBcdV4UK8U/K++YA62WY1thbFoEAxXXApyEQHblZcohww0EHaqrepp5aNhSKH0p0iPobDdbV+IeQopptD+HTJegBNTmdJNZl4LUrgh3tg5w2GGmZcna0dKwXCMXNXQSEwNhEeTY75WYik3KAFJqXEl5lnvFS5PUgU2e/8ucu47NBey7v2Cjr5Vp00uB3lr5i0WgmgueeYVY4AP4oln8sLl9i/YDvkhx4kxgxivgypJlJzGxTiM+1vw6PPA9ZdS1PuM4p3PjlJA0gZOkibVd045v0U7gZW5Jswa8Mmb8CstgTNhW8eEp0CUR0yRgej2xBEKYC8cvnSVniNx/13rsPFHqYrK1x/Ty1UwmrKhEqjKCEzitXBRlRyNlOCac+q5riUP46anWDeonR4n5SnEs2tFpYyq341ghnYhNc0CF+41PR7hcTi164fgRps5LWfP42ZIb/gXPqGhYWr2Fxx0+ElxUJJyG2P0x0VCJx7gHDk/gBZJ7tlzb02jf3nRzsXb6Igf0AIJpcgbBDogqP+91aQJJW+F/I0NkN+ZF3SO3v2FZN/HJMJ2n/A9KyxZ22dkuWxrwbLb5vFrsnh2oZ4MN+DEUuTAkv7IH3l9Wb9fqHpVC6TXI5ZA1DCyj9qnWRI3pItTa7L4FMkpV7G/UONL/lUfhM/T2Tg7cY9crXK3MWUo8xvUmxUh2G7lKtWMty5k62WFU619g4Lhqzdvaf4WmhJI3qAmPzdc6SbVuK8sir/IvjMhHS20zmIc62+VHqb2/dDDmsnN78cHmep0b4Rf6a187FfXAgH/wfHx8q9NbmjDKc1Y1szv55L+VKVqZsMKL2BTuDgUuvkItj7JKqBLxTVH/U8CMddmbvwKKBKsVSKoNvQTTtlGKZw7ILfiWgW9UZl3jqltjKUrwpDU7Aa1JKg0x5JKZijx0iy58tMpe7l4CRj1zeWKy17flkbT7aXFwPr7z5i/oia+8a+wikjexkdIuv/8L483JJLtZwAPUJbVJMLx00WsJAEIG8Q8Hwv9Yqtn+ELl/VPxpXTBJBODpsdv4Sb8ZS9XfApXiUFHyyndHdHlNOVaw+9nIkN3kv5iDEBQfU8wlT7rL0xfrsM7IvcdgBTp4oplMq90ZJIci5sawot4WV56Y3IaaZYMHPzHqua9jN9aZZDoTYkPF/+o3xCJaEO37IYsMb9dH2CMY50gMia7PlsxfsONBCLJwsy0srqNW4eQePOtP4RKyu9NOZIDUbbn73mOvnx998fuRVxCcKmr+y0atiu9l0WlR/d9CoyyByrxeG3JOrkKvAJCorcyCBxZNFRX3dU1VU8Oz0IvnA4RIFMxIWrnfzrdUoCqpmBo739ziQt4AeguMrDBaJ82dQNRtS3HD46fVJ2V/HBgsdN9SgsQQ8blz+gZrn+danPcEYOG4BUYKBcFs0wdjXy8t1uHKpcivyo2kGhBrkH4QF7Tu5oAJisFxzw3VK7CEBiA7ErfdSg9r+Kl6MWnIRF4YBveZorVa+9nBdGcHXhg6sTVqwsMStDp9GgrQwirnBnL13WRSFO64OLVEFi8AU6IjRGztpKeITf93lBRMyXl5aGvROYpMo8s+y4JtpFE0Q8lRtPHUYcoDWpwATM9Ph9wzs61aHbaNTSgV99qwAYPPEpejNaiemH8Lbxzx9hziYyE/wQ4x+FgRofeihrxzoUWkEQMtXq7WJta1yMTEBcpIeIVaEmnjynAQZJGiM8id6/xOhdj2EmmTCQwTUr9H92v2h8kuJGdeQhcRbjAFLV+FB7ZBZMJ3FR3JOrDCG5/JFD1sSlvDgPNOjGzb9qpP630LXc4N0EhP7Li4blvKoMsADJpXOG/GwCBK6a96lJm/UlKosfxm4qXsvD+8CI/KRDbSNk3yl8CQA4heR3EY1uLJyvT+Uq1vZhZebzQxKUNWK53cSbuSfvNkmNY79XWIPSYozjTE4EXBe8NAmKGVhuS2QYeq/a8q5YUxRkwUMGOSxtlUKK97pTRzB1RV5ZjR3f55MEwTKUiP+21kxYWZRreo4QT0kNYkz8Zgslo2P5gdWJzbOeVb1wMWj8MzWHxG4xxpT3r49nHcihIGr44f+sTS+5U7kcMzPIn/GFrVm3BuYx8rcLCQrRMJiBiU/TkC5+bUAbNN6J7OhYHjrUs/lZkfUD8rJPpYcAmeq/ud1+6N58jePzWIaoijtIs9RyvuRX12rTPX3ralH3SzCuPcFl0VTk5yQpd94felNPiT+DidJ60rNNVuasCQTlbEnyJk12UhmHxEH8lxEVxjuWNxNOjI/J53+8kpqb5S/HbVpSy652IZcNxb9ISDxCCO8bHXQFztrNRwtgqqkVLSf7WkNYayx1DDvfblV8jaMDrPzNyCh35Y/GE2CsnC0bk0iC6aIahOHS872ekPaM+gdEclo6I3ylH4u79rRnecAy2Z5MJERFQuviy1zzlXmF0zna8hy46QfpadLJIe/WbJrmueHtqPWJN0UqCGY0cYT8nq1xub9+eW9MXdG2ovQeiFvDlbuiMQxyEtG18WW+SSMK7Ffszi6E36GjRSzmJ2QHK63VgWFGfaxWCW0hOY4RcFt/X3GD54GU7LbQ3eySC9mzpvV3dnS+jVBO8PU1Muv3Gv0LSHYtEY27qTdp3oo9g1ziY1/fJn2RbHDXT2SPP0tUGHCesRd4NS7zEZ7v3WVNjDHprzSWRvzPB+5ouzDrrTXRGxGeiFu6woB6pk1CY1RD2kbb+kKbWJh3LX4CeDMxe1dglSkAktPZCV6w2jJXWEz9/6ii6Vv8uNGj4zLraAHeFKr44a3NyJIruMDijOaN2V5UblNK0ednOXqDwAvraGL7xcLU7IAI5ZBG49E61xlOTcVDkQVa8FDlCJVbJWJVbZ+dZgYByBBR9q72WxB/Rmb+ADMLYnTE8mqa1tJWS7ePMMCErbVUq9afzI3poImdjpMb81ZIDFWA2sxfsMJ4ggqKJt2w8a/pub7MDgDNoj/zMm0W0idtBlbrCToyI/xMfyKfAPhfMrF495EapSNpG0PKBGfj/shPj40MQmvg4HbStPqxlAyaYKWUb3GxE7wv9cagh/HYTXfYfjzSDOoBzWdhIRerueADWkitpZ+peurpuH0noaUYndJbvwapzMBQNP1TpTQfS07y1xNH/OVc3QslEbxYf1hruGivGLrAtlzhbpfCQqZH+Ip+hw0/c+n2lUANwvBhSujcKbArZiV7iMkIig0cAIyE76ohQ4x02pmfvrcSf6eiikpXUgDfg/zHAwz59X63IQgtuBnyTRiHPg0IHf+ufTTEv7eNi2MqhBPBAaEMuL/RZwZmeKgetUsrBDkhcw7vzfN+njtbYACdsBjS0uolQKw1QX8iiOdmOAZCuIX5aTSNE0sWhG4JHy9OTyR+vHU5ovYgIbEH2oOMV9KRbkY4LVKNrddShCOmSuW3J5Tzu6ODCVrwo1KcZW8C8vgYTPQ6nLGenRS4bbnM6N7V8cvP9bpQQuRHrkFP0UZbvskVqEANiB5zC2KMUeBLPOfEzY9uiyFMmECDuvb/PS6tZVnbGcYVQxq3QNiFOuM6y/fE6t9nMsfM+O5lN87HzSkG/CDU4OCgNdUxFpLTKm8mwP2H6lsNCHI878uxJSaP+vYju6CFQjtcyS6z8VRlRTEk4qSYNbdTEmGZSgU+Et/dNaTtYs1uWqcMDFYSMYb66UxvFbuzMa+pc0L9WPvJt51NahXKNi8CHWPuvytZoWtFpbvfGQaNKqHZTZiNX9Vg8SR3WpoGB2TbIdlnTKrOU4UYimpKq/i1wm5IxJo9dwsGn+B+0p3ooJCIEJZF36sq/fgNYzGrBbLx/jtP7nwAnvLm1gEeVZ0amBfUp43871jUhwP0gjs+BSJPGoGIfG/FacSHIujvQl35NN2CyT6uqIRgvNlA6aZ+zSWMNLJ6xfMf6jc6EiDBoBufOGzCeAd194XFT000C3QpmxoTpMYo55f1YtQjFtsJj5HzuP/iPXHPDDCKYtTM3CBYtMYG9j9y/moYqBubvnjPUjPx22t5Kmp3RoVyvR2O1nHF/9iLcWXTVdG6Nyqc+crzqEcRdMjmzT5lB/qtpJn34wdzkg6kg05lUloFFasuBQsAbguYm99F6amY4FF5cNMkknF7IwNkmh9TEJkKogA9LvHWEoQRjbTdLwn8uIBmhvWdsVn9HvsNXn2OHYnivMqwh9zgb//f/qaGoLCz6whqNLk32w1dyRv0J5Hh5YcFbdAC8s/C566xlIGQOEIkDlikt9dGFDwiihiP0leeaePdds3zzq4582SPO2Kh7W91r7BvvOOx1wUTHSFsY/XIjWemMPSNll23YnNhwkQNp6WrqFstx2HgqyKKw3DLGpiHVdgArQYrcIj5BLmdJLxp1lFdBuku6AVrL2CvZOGnHt7vtdC3zuR5VsfOegI8ImocvUTp61qT9novtDLzfPLMrWguBPmabGE3syP7n/NOnXcoYla28ZfGTdhgMjFOHHFrw1BR3etlgfBnvYcpTW9UHF/hvvzX/ZHoBHTDH2mS2Ra5rTI3A7TkmvRCNz+VHhcyk2qjOQ1nXzxy/tgi6aIkolNmhA08Slce2GFhHW9T5BAptOUbPFX3QhYNtYfCzCp5TtjyGz72seBy9m/sv1kBodwoqoDysj3FQZhWxp6QyAX/zBjRC6ffdLdfAfIYJGiPvtcFeZh1VyCdJgVVLqsfaSl5cebPMM4I5EiYqA1DiIL7bWm7IRAgHWDu/lTub/aJb8t1z/lDjaprC0OwHVgQkvzOExUF5HRyu9up+CYCclT9pE0Ba/mHgaxw9koaUn74PpC4Xgw5IuKHNqbc+yBDS/w0VgIW8e0ir1jVrcQ7qWajvPIcvnF/2DMgQnKwcEX909DRLxU5CUCloLMih7+cP+FTTeosV+sanrSHS4NMIMIdk6rGRdXPJ/inzBRxpwdVSGmobgkwrHWCs7CkLwcF5MTDxlDQZ0oxgbWqzhLhyDl8JLNschKCp4U6aRY5YtQlPJix2Bn3DyeNpy0L3+ONHa56x44FXi+pWWmvMoobJ6ypKKNl+anouuoseXN7c2zgptyt0BJ3/Yc8S26C97Qth5rKVbq28T401qYW+GJ9ShVao4ChDb4uzkxvS9c1MkCJYeufURHlo5vJECMql3v01II5sWyTrkmT46EmM5qgzeQWgwQbuo72gdVFgs6qIyYF/WaHmwGA4kR+Hc/4OZXSOh5b7O4t1jKe9u1JEelF5vWZvDzeEq+t7vlxc9ZvJy/DAxAxXpxL8cKMQtLUBlGgMTm13xX1aukLwLPbNyxUgloLNauT1z9tvX/M8/gxH+PbCa59kHqhY1bPMKOEHbo97zALhPZaNFgN68MjLJ5jLnLgHPdDah80a0kkA2YxzVsgoFqTUifCXp2b1FddkngrZOJT+YaPIi2eBKCq2AOjQPND6L6Ndrg299WotJDyNw2pj4NtJ06TFB0otQGmAJgWghYA2E/CTLbPbpkU7uRBkFE/I35KY5dTviX3SRxOw/ReJCEOPF5EUbiY+ZWYvUE4vjZon7iPc/9F1DtV6EEBgZNI/CwBZ2iNLI0TJZdF9eL38FO/Y+G20jseJ0N/HjmZg0FaasFLLAKdD4G5lm9uKz+YSwXGS413JcYwww/Q04M306RhxTe9auWteWih6veZyJa5gdrRsaFELvmHRl8GA++2J5S7AKkIhZu+njmLDEFNo1yLXwNxnmcKNvQAHGAlGPHKGFAynOOtAlj7Sw13C235pU8Qp6Aysfya3tRz/wDHYlIj5mHirOmZYWRH262ir60iMqo2A9LsfIT3+3Qj3kxpGXeEhnlYK3TBsBQAC9ZjTMiX3oRf0Rl25Qs0836R7zzj5sA1Z1eKjT1JyTVK+IhHaeBLlA5D1QePROlvO26D5SGF/nI1SXf/XPS9e1H59MSlo2EPvzDqffUxWqBx/fAo39NbHiwV9vc959owezjsfj6oN5o1PQFQvK7PfQRjmNkjzZrgOGm5ms1ZjkXT4nhMo1MMFcfeC7CyDXE0VuSW9HfbNwEz9aSXLnwYuK9KJSmRIBJB6L6EOD5AEQIQCdVLouYSuvkzNsmmIN9R3Kc2wal1zh4FgymacK7qcb2ItXp8f1NXSQuX0xVoARmqQpnveL+WQir0MtcQiIEu25sLR8I+H76RX2xmKOjuBbIDlz7esTmzjBF+Vt5UZJjw7HK2DhkbZ5V10ptG5wZMiatPzuR2SiUVKWOPAgJCwUF+hi6Ebp6JeMMB7JqNMIQQyH7ujZeFaY0u2eNk4tPM940KUY2QSVCEG1fXdBBPi40b435Irt9ApumNl5jkitdh95LQV5v6d/VGU5jBegwsKXZUJ88IShYl1DXDLUZv3GptQ3VRurwTeX3mNeHzmUvVnh13fK44CSPYnY8DDPD7T5rVG4pDDo0aRrWsz1z7QIQvdO4x6d82qMiBMxrUsF33EZpEjq3mfixe3F79gXqdtmuT/dP+TB1XwwtUZLsa/lYhhc2FHn9ayCpo3yckopb9x+1yn6sUFkXjivr3HB0zdeOBigy4SJqwwUd18coI8wdF4P2pJRh3/byXE8hKKm2MKRcP9rThJ7ao8uQXYUrNHgCm7o5ATE9ljQ1IuswlQBnPaFmjQM2TFQPicaE+5ersVBesztP4NfcZBgMQRU06RqTQ16z7jJjcHTEvWux8125OeXVZBgz0VPSx7iqZZzGVDXlAcmlkNqoWZ2cUVzU0BqqS4FlHn9QvSA87wmyGVd3/yydrNmMSAyjeTu+yODrfeqLj4L6kmGJSC51ht5rvuM5WaMZnBB3fQ4VFOf3emd1rTZT6Usdc5sFi5hHTPovAahSof3eOCZLPDSCX4DJ5LCej8BmjIcXWnlpULMgynzlHL5twYM2JPVp/w34lfxhjbd+Jsy0rBRjwX2T0N5uqGohXkES8771xbca955gQ+sTxxmaDxH5W8FkQIsjexQt5GOwmHJ0G6ScnLUDGzjJwNRazPXXaS489jtfeYl/Xke+TGqOSOiAAUvSbxq/qHCuM77Ma+x+FaZEUH8Bu+JYnUgmvpDCAdJOmDnXpD3ordHOrTN3PdqGwPt2bKEZ4Vhy2OND2fupvZklBVFvUciAMDjOxQvEVkVeF3pi8LLZlYAgtsH3EcJwNy1dODqd5ZS0YIdmHfgDirEcaSzKnF0asJDW5VBifpTYGMI/MV5fgPfRGtbanHzm5FJmFbpjP+Wp3mA2cfbSBleQTF4O9Qm/OxkW8OVGxYQAHFhrx7gW37SDfdXsSijkPAlmZM82xn9juMuHPAHHhphreyHf0dZi1i6npmkRscgYyoemZckP7hPZW+2PxL3Hv168JjHJ3sgZP96wpvnEXLruo/11Tv0hXWsQOSY4BWfi91MFXmSpD00NJXbOwo3LpmB2dQFsaBjRGBgvedGQ4GgzYq1zUcxsuPfcLkrWGMYJz0Umh9R5J5tLQizOLqjxf2eCsBZ6TDI3nXa1E7QRkgayiPzOyhuD9OHCAheMv+KDV9lWK7wJko3JMXdn0AC4u+dAE8NdCP2bDwwKlFke9jPzAC5kYsFEV2uIi2mJaB7Ni5xUvtvjoftVjeDszNqMFx70fIQmbM5BtdkV4ccrgm/Wymr1PJHwJTM2M1Smtzg57YDcf1NLEQZvHSoOgAs6xNmuA/906imfvkiprjrIbMSPZ4dDL65uq2JeClKOMJVGA3Zdo9P+pJLdfzgMXL0pfUVQRxTunqfG0HBKf0hBoACM17wWz5JbexjezCWvPNVSQTSA3aTTLJWi+KMknO6M448A4uvPW8wP5hUzYo8OiA1Sco5a80xs08j+k1IRCJ55FcHPo9d1LYfY3dyI0Q/MakbFaNkqWE/TdyL0uMdyrwEULM3VcHE9XdfAH+AtJeBTJK8giui+GBn1ozCvQOHcJm3rk4dlOKPjDNEITX3LjkIbnKbqGIe/kiWR8PS4DQOjgRo8nluuW8wTSB8mtd2GLlQbJP58DkKO1zyLQiP1Sl2XwNdrKDxTLWVin09NU+pNRZXIVJTZCoNk9/GL3h5hLPO2+EiRFLEjdSQsZaItrjhHXDBZ6jSf/LlAw9mLj8bEMgb5X1QwNl/0mRlpN8ivId4l59I38qLTBP+iJWLkx4cx5QI4iK121COSy6MoANgzR2jMG5umlVZbyITNOJLD+pepmp0lQscRrBffcNcThcOkHpnifxFV4CudOndxweYVCrZ0I81VePW4JXVoOsG65PCL/strkkURV19G7ackUg5X+wwCfoz5AHufLf0KKIuSqv7PAfYOQhC1TDq/2b31OrQagQSOrTHktaAjYUTZctuhZtIo6K4br6IRRMSCgVDp9DJeN2TmG4+zH99WpCSXvyWhjojXfTCITXKI4hOi79NHnyhRQBsChITiEAEAVX93j4om4W1RsXHoRXBxRZ9D4M0IN0VJ1IHEvEvFZndao3hB99WqUhvA7gKX4qUTl6qAyYHbd42FJh8y7a1eFuRkTorOYh7DckteUothKXzChZtyrXc7w2T631259t/x1FeXndSN3J//GOGEC/jMUTXQxxbILxlANoX4Cta4J4fYoY7B2nTUxxl8wTDHafJ1wQGtjlunBtg2o1IniIKV2WFlM9gZXXexq3QNPq2ktndH+PvaJqfuMJEyIn1pFUmvroZ3XXsQxN+MnUAWuVHNdU06tfiVYGvPuK1lRL/HriwgFKYyYWJq515TwubrmMykiZmyPWsdXCEIYxDiU7XYDZvYIkjl0HNOU4D0FKbfPiG5FKivbVa9zPMTz2wJ9Nuk9AgOPw8yykbwzf8QR65E3rbmwBDrqj94tT02NZKS440VzNAjT5ttXMNv01Kxp5P0X/tXVpsxAjuKXgg224slBWFcxZDlZNT9V1vuhuiJB1x8/tv7o7uj8tpsSsXZdq/RcTtMvW3fi/k92+FCIUjzuXbDrxQQuIR0X+xOi8dg4fD5Io+2pRorhKsRlb4w6XmIjZcrlHjC9IWbIKQc4Db64bthFKPhEqQgseVr2/bcGfttna9ZmY9wwORayGA6qXZ7X5udBr7QAYZW8aOFUYT7c5qK6qnMiho0q92GB1dtx7u2QE0b1vJ3LyxO7e9dbmlC0nKOvuYRFZuVhQcDGXXB/XCz/ggZVnhNSMN8mug/3Pf/sk4NUlG3lkszipA1ROxko00e9NPyMi2WTA6n+UxJW/Y0I0d9QRIs0QpSFS67DP3a5JxmYr2CtfytYTbegvGXduCEE87lVVJil+ByWz9GrzOGGdId572+T2gr5NStdz0F76StMv19OTmLYPwAXJT/czUsHa+KRqo+zm1vIpF4Sob118rguGvsC9eLe1OIWhdZPq1yb2b3AdM2IGXnbuM0e5I097oJOJe9dH3cXiFRqtSFQYczBQGO1gpoTMlSCfGBg0m3kCf+JZoLXEb4zrgwSokQtqAkDLY1+27lSTKXsFuLIoKz9NvjsAQCqngooeYAqFeISKlfY/AwsnorU5H71mBwXqi5bqpYNNrtexE/gbxaoEBNdtXXIYxRnS8YJwVL7Jiu97nomOekVN/+/qklBKtwDVz2aCB/3b9LMUj60jQeBx0CI8rYQA7qAWPcx8YtivbFVeJsGrFC4eJG94hRsUILTjtw6uuInrIyJzwUfcgYEdf4PXwabiZg0TVK2QKzp5gIyJvbn/XrgxL2+ao+Y9P3B1AKNbKU1C9AntTUYk4ARw/3KKmGxM13AXDJJgL9lCephyvzLTzrXVpeo+IAktGcA1LN9ckDvBgGQQ9AP14tkM91dCVjTp4ijpLDjo4fC/KA/SQcbPihj9Xb37y4/N2Wt7axr6Q2RLo1tmCiHFiuI2Fk/Rxo9K1/6Zgoe+EBwsI+d/F7KrKxubNCOtwQfLF/vb2ehZLJQmaQWe75sNI3fgF61S0J3/qHTx8peTrEh6NcFJU2EeCjp4oXHgfRuWLd8bsupSaVJRmoMugQdW6Dclu3SBIgOx5KVQ0doPW4GEVIPWQVEd4XfbYwAq3Wdr8Xc4G2caLi+qVcYPUCNxpegP0sSPiqY44wWDUdJT6ifHJ/YpO6gyJ5CWdiUWKzcdxAzYXeTV2jXdbHeyB/NhjieyGY8uOAYUB2U3lrhlG14NYs5GFJ6VVfDMkclJyv0N5rpw5n+tDUS7c9e17iTgJtH2loB03znkhDlYjakkef9VcRuh2JpyiCYn+sl91+2lL8POE4lOg9XSd20sb1dMbYZKdTfXh2+H+UDWy5Q4ZO/b4a7y4h5gHrK8ubbQZZu4xw5sjhGTaPr2sEZKixsuTuA3bGiu23NAyyEmDIhC5ANIOb1x7LAzARZzpxESRUV6RS5+NbwXfHdyqBF5uEHHYKQ6R3LuFM1WSiQr6umEbY7V2PVIB/ScMy7MERYvKgRc3c2yj3bn59r8WgU3QylEiQrenxhYjeEI1SZ0P+FsCN+Ljsz9YZBj7bW0MlDqRg9WjVaiOgLq0n8s/cAuz4I07M4KWtvtNshEaQWdijY7ut0g3ZkQI6DhxMnFqRLUl9iNfV3qs35BDjlomgXxXbM1dCmL/t+Lh6rvMtNd+tcxw23KRlH91qWuW5Ig49jGmX0E4bAZeki1hhmeLABuEijNTWYTL1LrMIH+v7P0QAhIOQ6J12ANmi7JeKupjXe8ABWunDwpMO0lChX+BUkcjKpgJk+Wv0Y3zyJNYD8rsV9kRQ5KhjoUopSnFD6tajhzCiI2qf0S4tLumkbPJi/Ev3tgjWSglcwRaDoLyyubXUf3IZ0SvgDk8zHfLvEHwe6cWMbU67YREhz4OXiL6IoDV2my1mFMIg6IJ9f3FXe6fTg7sGs0wqZ3DjRl+slmPPCFIJF6URwci7Q38So6QjCyjVeJUNd04Vtt6NOrtOw1dIQESumbEHA36xxzRFK/ryZWDXXQNJh5QbkvwtEd9KKUZa8CdxnSD2wVkfIjuFdT8wXP/NV7yoQsjj3F64pq+ytL5GPCDfLOLTulvUVgS5VG72hQvZd2/bcl7JwNwJ1CFcjrZXGuw4yX3Lox8CNFSJpAd0zgNWiTLH7YyjH23GHPWnQpwmcDUyC3OxwKJGpepkpycOpn6cJEdSQpGwpVvN1yvcKPmiVWno51plxhUbaGvuAD4/fq5xVIf2KFBsgdZB43eAQ2SjK/TNpslqjdpKOL+ow77OFf8Y4S8MdFxnYhvV7SkkzTpAeBndE3awB18IMbeIUM4p7mT11NGdwek7mbbO1ur49vq7tHn7FMm+T0i6/0jWDpcW7RfF1VBZIO+/nC0Wls+6JTPYxAKXLMPMLMnyiLFx73SEMu+ru8Os5mQANGWIvk2i5pMcNPiKcAV95xaATcTYCi7aK3nVc1T69kWLf/kJshaKdDcBGXyfbK8ZhFVT0Mk3Fi1Tsp6ugNn1U6KvG/X4OZRlPvCqYbFoNoMy56ohprPxTuCqDbe9Hzo3TAesqJeXH31xyuqnXrzaJl7XvWjIejOsvoggF5J8uaIPLAE0JM8NgUXYSgDO2jIPZHPw4e/IPXJ8zvHewQIXDqszZy+yOmV3x21danW1z5hEDZs1IDJ4AbpoN925H7r8oINkRILXKt/iHJE2X4t1y3CYY3YADy2mRVPdA9kwv7GK0nJgdx4xjDXuQQmwd79bHiYJwaDKgjpmMOy0lqGuIIcFTd2MFqcTWIaZFmujASCYBE7P6B5daNk73iNf5hRTqHWYS6Kb5TyiU8+dN7Cg/4Rtv9kbFTjepz3zrMgF6BHB5kd+cA27JkEYehuECNfIjcJMTxHGQlwGKMG1av9gqrjMp6ECB7qarPL0A/rUVF6N0bY7LRS6shXE35zROVj162qvBGDGdCUyQqu/3gmf/B7DeXXqSd03y4C/lJ5s0/i6C+/TRKVwrpyBy1hTzynnDLudCSlk2CN4p7/WBN+bUJudkd6DzmAomJgjX5bw/2bVrHx9RhcTReYM16ZnbtHW5yydBhnL/PNl9paMtQ8xWVNaJ0DQVPnAt/htVsFDMLesV3XP0pgeO/dtzNW3Bj28QjdWVGLlabmvPd1vEzlwIm4KTFGAE8MDgPz7Ga3QTi0lzaaU0LkUTLZ2s4929rvnZpeW24JH7bhk5qNJ6ce5TmoYh/rIBJhb5f+IKnOMLVTsX2wslIssTglF+ktHhrO1OasmjdyYw1SQ8T0y9X02zRJDp1UFPEA84k+HfQC/bYAEd0nNQjgs8/yiSL2TZEti0ek76v9REtiknwBXD9521ZU5yspgQLQnBp6dhr6ycR6U5Vlv/wUAte1zabaM5RyTDzoor1p1qaqjqhlBNC6fv5AzcUs3Fheg2sDNpkgpOM79y2Bi/m8w37tO6kgiryehW6rFQxmlV46A222Dpf1AV9cFKVyPCOUJNzOgNJOG2XOYXtG4i4yqTL+fd6nzDWUWd6sdKsbH9SoAMPwWo/FtYuj5UJnt22ANE1CjYgmLt+/hnImXhs/gczZkL/yYEE/+sFxzM9Zo2C6KdXJXFlz0SvES/Dt9FZOOMjgWK/fmvzwPwyyVYbMMzVTRUkRLDA4tDVkK+xpF8qpIDYXB2xCW/fdwYbwWmmfSzTnop9i9C/YQgi8a4oxB6CrztqNCpas42YAsnRbZfGxUCa+NeQIYuvKCuFkrBigj3G0gpufY+Qd5hEG7guiaI+OmyRHArraqD0t3QlUBzTnRCps7/7aAHLpSyanxiy6RxC9PoZsCzYHyWv+h9ZGm61sbX9Mw/zAGk3bg3UJZre0UuC/rYDSj0qc6bO4e7Z1U5hpKdiI9jIw/6fT8T/Zr81Pf0WB5x3txDFayT1AffEoWSAILC/Jhf5t9A79XVb35DcYY9NtGcu/rRzXoOkkar6wPY0fNacverX5gC9bkPfuVPzyhAt35bEmosVe6pKqdfHC4d/rGY/ndwncPujC/7oq66lhtzSaUYmcXJgvy/3c6CWqpwlkLOx5YEjhq1M/GhLPNgQfdV7QFPVvikom2LoJEiJin0a+tnwIEU2vqk3ofM3lz3M9aDScoKPAcmprNEj8PQSHNekXa0BWvF3V+N7tSc2HxtndWvi+teeJq3wiMH7QEn+R1kxF7YGAnqDQ7RTEtA3G/cc+IpqW6/uWVCq3ywfjFF85LV7cyBBcC7enpgpGFSJji0flU4M+F2CNwCK9HMYwfaVh82gKyFuvqX/mJmrcb3DTlnYTmdVNc8G5aX8rGqzXMeBljgdeL4BJZzfSmKT1oiuGAOOtSoQoaYw8BaZzsudlejhJNE7t6nOfviUjXONrd4NbcU93mxAafgGY3G8t6PTv2GzYbY5qRnucPox8+uzQVbpA++fzG1pGPkH9N0o/BwwnkNNmjRqP2Fk5yuLEGw7LMKItXf2RX+3kKs8cFejcu1iVSaoEbyAVRvq22AWtJKWL0pEUkm7OoH2YCc7qPhakyAgZxXCbUF3zRXWwHlpmNCnAnWHpIGNQyNsF6Vh+88o5xe2s7xj8N00gYYT2gHQ/yK9qfIgs/VNV8MytB/Gyil65rkHaFTdJmD/oSmugYgCotvr6KC0YhpGZILG11C4cFxS/Z57ZGxDFE87t51ZZGw7aaCzZq2+VvIaMSXeYF1rQMmXRSq1u3Yo0nEJjpUX7aew9APFci7K2ZmBQ/0Yw6aAz3pwPeR24ivaOO+gtJQh2b16136C3FAtRkAX8CQFmF71n47OPw+vmbKV5EdTesh5es0qRZztvrNa+1yLEgvRt8wPfG7ZQ0J11Nky1O5UyjsC0Wm6hpEZgQYZoGQU9gUmuXmv5kKKzsIxFhUScfDXbItfePNSPml89T9mnm/f+sgptg+Ls6mFvdXFhcJ+Bprcw6YgWGcodja/CbURjDuaTWBBOLjxuOvpTlDTuk6LwRHlwStTkF/tmCtDLX7Ey+w/FdVsYfLrIXgpNsrbEI4gIGpF88AXZy7jN/gkMzfx+PA3Mh0D7xzuBxKu70la+lwJbVoi5DMaGVkHaQBSXwIDszpi1UrFj7Ki79+NI3IlFPyQqqrA625saDy4BbrhOUnDFIqA2+jFsmwGhrIukulTwoTGJ0kCfzPkAxIEGZ2lYyvEHEkfXtcQptotgCFkKbazTGX/LU7/ztvG6e96gOOAsHCtpvn4B8XIKUDnvZEhygZvChGk0U85AxREIz9WIAP8L6ckkfgctWMYuqBZZnmN4t0ZwnPMq7DElvyZiaUwCwcyME9qAF7hh8Q7eaqbz/yV9RxXVIzK3pOTK2ev8n9xJxAHoiEu8Px/vwgSSG6ShP2BOeCdQvgmz3Rl/peV429BeWxOTjmJJjQJ7uEXHZNbm8IL4G4M3pbd8ERQihHb6tJNUb9LDY1P2xqkdE7as8m382kZnPgFMb38VSuTTs4/o/l1aE16gBBlyBbRouT8Tvq86T3S8df3L8uF/o1vE5BOn/gdXF6BF5jGicZA4Ghc7Tdbg5HQk4gMW6MTSQAG5fJOljgFagrezqxk9yVms3FQU3ueCLpf+mQC30SWhhVF23cuNo3yha7KGRDxvVHPVSClFuiH7deFJD5DTFqVPwGHnxYdDpZ+kuCRB9PzY/XL3Il4wWTmLHtgpvxX2NDHv9EdsYULCwQ17X3XN/MV5ZFpM3RqSafEGBZ9rTfPrh6IwaSaFNOw1iXgJTLXfo7VPjjg08tgwBHNL7y1QiqRS6h2pLPcxgJDml3uvYFKRTx1/ZtNXFbdINSwY5ibi1ttiOZEpJZAo/xASjR1kEeIjTmTC5ucIZJu53h1rfiqh/dUESR4II8QVfjcCNjW65vMS4xhLo8eaK6IZ2cVnl2EPVCpCc47UVJi7s5FxnpeaY7vR1/IsMNsg==,iv:itGBloSxLfz8XvTSJxgAYlNl7eHfGlHGVXnYFreeN0o=,tag:BVKp5fYrK9jLA6RGvGtM3g==,type:str]",
-							"headscale_derp_map": "ENC[AES256_GCM,data:T06CeMTXaqIy9V+VCWIvAErAqFfUhmp+s3CBFHms6lekw/qioZ7xmugmRBkLIiwillE3vXNZYF1CkrsdQK58ssZtR7UeGv4mb7Ut4/0Ju0te0ZSwF8hl5rTtwwLKlbmpyF2vjjBBYxAjgUpbpnL0Jw3hDYvfUlUgUuFcn30rChkQJL33h7Z3PCAA7JIN4MtCzv+JMCNXHTwTQR14CSuzcBh4E0l/8dneWJi6c5t9IG9P5mv1Kd8Zf+QQJLuH6s2JcowU0QZrtqWNM+4WpbQEh3fboJvppk1e/gCKDnXxKAeWu16doCVGaA6YcuX+gYLmH3dGaXUorAP0NppvcCcFcSyfjnw1kbIBPhDiNdwBTO3xRXdZe7tIgZlEhVSHILtzEp2mUYzDFo9yrnlHRHGcqf1j4nQsSqUHb0tU2aMXHiH1Gw90LoUkB/Ou+iElx1fuQt33Vbyf2t21md1tiIqe3PtGjMiQqce4Z66GzoT2oLAywiUIu0VCSoow57YZ9BbAB7WgSc1SPj1Ppgshb0nzNIA93p1//MUzqV4of+lsYTEa8PUGRT/DJyAuj2uLW98pA+ti5iJstduaYY30B2CVBYnBvf4V6g+d9Y3QLZX4zpPUzzmKx9KiCL3nyDBNBHyD8IX7oyJ7QZ7rjEiM2UOBGtoEAmLzpOupoEW+j68abQ9aJBYw4JpLW7oKQv9vdcEzdCx4B+QItwV1tLiuCz0ouyzkLJt+Vs7ozdSCZjWmKfkrCyKBII9kYosj25OUHUVP305TEaDycnWRIuICAkr+tPgeeLrVdwdEpB9F5zkCARyK75DMeKhTS9rJJJd4RO7kScPpyJ49ee4YTHjxbfvcc3rOK9g2QmpZyDcyPs64mCvJh9Ri0PlmL/hej+FRfYo9JoG/h3dHDNN9CNNFTNHj8Skrn1LpZtO7CLUGglLjLl1n24ELD6T88abjLkAFw/N3cyZ0sqUlOVRrfB39wz6WhVIABrkunPqNC1ip4/Q1FU5woWz493N+6/oLxFi/zFAQpSlknEQQEJcITW3uha3z3iF2fXuKJ96JBQvQYhQwkSRR1cNGdebw0VbFtje289sboEZ6vGcSNpsQWa8khQ9El6s7IjtPKhyedpUVFR5zVk1pKYhqhHIlX1fycgaYnDpY2sYX2JcWXi2GSZiYUuZ36YO6r95MLPnooBwksDzB265u2c2xrLNl9GdgqsQk5W8JWYhaxpqzTg666Q7rBTXYNr0P2pimOSog+2fQ0SVTsWe2E2QYItRwpwnPlYLOZ7Lu75xrtOo1lxG2MBr/bCR+vNyb8683WynMESnJ2GVwABxrIkTMiT5PC/3jDJzlVEiZcv3ljIpZLxcfeQRR29mVU7eeGgo6IVmsRbhYXpTrR4koo3zgYS1KjI+Bq12IgdAwNYgNP2OikJncmBDHb1vVO1bX0i++E71pCc41uq3rSW76SXrXoSe+pWzH2ADniyH1LYZ/RwIKFH9blPZm6PQRiCELDLyzEt2zRE0mu/zyt3hD68ryrXVzNsiVCALDqKpd6QNGLKq7zaeN/kYw2cbayZ0BVZY780U7LcXV+zV48WoWnNa2ZNwivuQHChdn6dW2+iFuvWe6CYkZRsgYt3438kKwq/cHoULiZQL/JeO5mzEg/GkNvOPXmGYus8gXQMkCywnbTJJdau4SWM+YYAz1afn4z3X/Z5+DatVVAJV1pU90V8dCFJ3r0kwK3V89EuKr6OQEtO8r4D9pgWQfEB69uyIp7mPrD8BqXRyFV9J+QGML0M7o0q6eZfPyM0tcUJ2QseLU+vXcdyWdAle07DS3E01LG8caGnT/Am4TDfx+rdJi/dQQjiDWOOpNefYn8Ei2NKkGFis461uvjDXLgPDlQxwYSEmCnKUc9xjx5xCf7SKTLNvRXRzuhoEqI5N/BEIaP/pkR0ErM8w+IPVHxLzBvu2HLAxAU0PjwEK7EaYOlhNGbf9Cda7Zqygm68/oX7iTYX51MWCQx/DEsAJjBcei4+jxsWr5QsX9dEd6X92fgba39COC/MrzpoWRwuDHRN115e+RIm5LFqB7A6J80OUwHWd4sNZy17IVKm2qA/XdNEsQUkUWdzrw3sRzOaMSiVVNfSF8tpvtPod4h+eVh/I5dYRhpVIOL1r/RoJL97vZ1O1wjCLcLkN/sFYQWELq4oPIO8ljv9LdCHSrqWH1XGMP1V5SvltVvuodE+oqYXc6Dy4oKmvFl+UBhlMRHBlAikFPzbQGKU/JQTBk/5CMonxYONGSsiPVb6ha25sWXe8rGohw27mU/BC0xItqFDO7pQkUafS2ao2wAZSnYBr+OxeU8yReRJq1OqiotKGKv2g3cNnmoOVNS68PY4dW1Q1Cazrnx9j9GzEgy/Jkm2fGaFdK9oXVLkvbr/2zX7aryO3lBF/JXmr588Y8waeOZk2Wq9od0HHph3sQaTu+Gs71wpPFjdmVSScuMfC2nLdjK6aLzX0B6kAdBWVNSOx6RQugVgToe47KBQXZe2+hHLQktR78mnQzdOGtdu/kOeeIM1jQVaF2a84Y6LJVVLX8X5pQwWX6kMHYEyrSLcjH3ffNRxUhGN+DkD4Nphrer7y6vaJrCTcETnWsH18v5Numy29l05BVM/IBYQhhD9b3rbWP+gtUzU/QgcSeUeXqkqLuiS5JNEwXQCqM2mGnfoK9JO/cY4ibWRNPcDlMogaeYYf79cxtYeBkFxzNudafFee0N+F/eo47zBnpwGMjWKI+N0Kq8wZBBsiFz4FJ4j/z7SLv3oSlZAhqwuM9IbL2PV5lMXvQ9n6Ehd56NagyhdZLYjFY1IZd9JJOXetf+ccjg6avpqYeeWnsUG9Lta6KfO3JOyqz8LGrLVtPtiw5YNOHVrbDTutQ8z4QRq51Yr3QL9PONJ/5lXujhlKqD/0L21uSf80ohTssytPdt6sS2TLYWJNWpWDG/7Hg91CGMZTccdwlSjYik7OlNuX6n8+8ifAyUvskxyRhWGn5Zzv/bULoEZApsvf+52D72sRBX39NRtEQ1WVdQAkiMEVcc+M4QA2YJqneSRPJMB/2/5RE25LgHt/QEkDh3Szt2XTK4ytmTh8YECSnBi8if/gJj/F6bcte7P+OlHoYwQ7TWsEtBEo/ek71muN18+UB+xV3ZJEZCPKPr6pcXxyaoTO/JP5ZlpsST/AJGgqSLS/gpcEyAU79fr/Ey077QPRsM+HxacejKvq0P1MK8E9ele6pV/ivBV2rrzMyp2jCEuckRnaAcooRlSVa4ExMycNmy8LGCHGLbup6DitMB/QBsmdeg7GUTWGCcKXE6FEbl7MCmSkq5Vh524OpyYxKThzGYwaiX37YXFkFsq9ztmEZQ+45MPmMtFelNN/AFMv4/UeN1runuk8CEXG1sxP/7AyzYGsz1T8qQ+RN6Js8+9QViWg6Xh83E6aq2yLsXhu8n9oqPHm5gMYtJ2JbA/sr6pTLlzO4fMRYh9IE1Q8GfgcRA/h3HnZz2smRIAuGTOZB7agLQWjPiJUkRjngBKCnYshX+uBlu4ROD64eutZZcBpgMIaGjFYGfDyDt0deiC8zWUY6xRViLO0VnTNmi7QX0jbLl/XmYRQTs6uBBAlpPIku5yPoL/WD75tthCAINO+OJa72ew0FvNu73YsQAj9Xs+Of/7FQL20jsiCBR1CXnzZ9Bn8oDIigV2s3bfrZLapP04baNMMbrEEvHi5ivzrDsKFTE37CwEeqDMpK1MEqnZu8Pg/SNnrONM7Uox96OONRuffHFvnh/9QyS2+MTbZB3GFtiotmJOAvx/LRHgqcU4len+zgrraAg9mHhQUjma+VSj6N5qWpPwd/l3NyHp0frYQ8poTv37aRKnlfNVaKaxXiC3j4RqMcdgkF8LEX8jXnR8iJoGp8bTsqVyN6JPgD8RXAMhlNMFDjtwUXZaDbBGHmPlEMZxQxW038QbS2np/bq5NeAIMQL64A7Lwod+87EEggWu2c2+xfOfyVk5UzIKpc7C09S3CTJXITLKlBPQSPif5fgm76EjVgcxO7UjV8ObWNiuVM+MGZ8Zpw1RsmtzQQg1rDbnfEdQ2nyxOGPjE7UI8bnSmtg7FdisJyytgemw4cOAFQ/YdA5mZxZKYeiABxrdP574oLjZsZpFNrXjyxLxqYbcqsATUTRxlbIrcRURreq7Toq3IikR5esE6vz+0/1nOzDYdyEZzs1fcm0Cc5OQCAZ8GKSU8abu0JEN2brwmSY3pdoiH9aVk6/LJZnc0HPntAYhEaHJXHEmnuAir4rCuPp3tjSLdVyodZz1r8Fuju3l6NjeEhxCit1k2sl+jwFetN7LsLnjEacxCSosRs05u2IlQpZI3Gw02nZbe8/D9s6k6bswAVRULB8Aaj2tHV322H34RmbroB2k/w6bVvxaDiJoREbOy9qXxB/B9WSQ/h7kVGSCFxfUMC9zBS7BFVA7kFkI6y1dZBBCKf5T8+AZ5Sb3GpNyLzz8qvpdwSpIfUVlF5vtf7M9c8TkpHKT2Brok4a93CpeZNiMKGRaOySrnVI5d0NPLWqCtnTEAgpzcjCvkq0SLQvzmWR0Cwkho+UHVsybyRxFYWgrSk4HB8r4Lxgt7XwY6GSSymlK2iwMzkcF9uHO978N127PmCLkoTrYURp61QgDsiYamK0TcyrWOV6r74n7s/T7vBqwckA4UkNRFlCZL+Gr9zyzf2YX8yLu6w002X9oD2inWXDBiL3mE7tFBBTiw9vX1VfR7WnzPjGDDdkufA3o+iGtiYsWfn/CZuLnOZPdQyjiyw3n5ppjU3DRB2Ybq0pUmHwzw5ePXSyko69W/zzGAb4doGrLq9PdD4sqsjQYMQW//43vCa6Fxj3UyVfTreuhivhOIsr7Tkl7tz6cS9O+9f4XTkuxo1evIEVB/n0XW3uCnd3vVaOAg1QHhEZgLUshIy+/WnMU/XjxXZUYYXHuZIVhCgOeka2zyzUDhF6k14pgy3T057bo6vleXXA2h7Yjyert4ffRMvZfdxtv+lZFlZhPvECoWgaWiKzs4sp6zN2bredVBVbjVmmkPzDrEva0Co1kAx+WBlPmbMkkhxUsGf2ANy+NKnGQRtWIgSqiqeA/JCNNGqgdTNwocJU/gSEDWSgam6L5LatmlfFktLmh8Pao3T8hzMRbBN9q6YTShP8KLyY3xoFvpaJg55tyiUManf1C1FfAt5gOAqI0ApOK3jFfpg8IU4hyff8mCk7pZM06yn6HsdmmkPyd9q1UHs7DbmWT+Wpxta9ehub8vjt2GOrTUulfcEARAdnxmRQ2Wd9Z9ElC9y1XI98Qzf6ceubsjf66U7dNjn24ITNrXG2G7+3rxXQAerSmAxB2mTov/2yXke7r+J9glZTUFewZD1SiqZ//uU2x+s69LeuU4DGUi7VxCxgvZU/xZy4o494IZIJr3wAcCYDskyLZDFbDQSPlKJgz9WuKDLmZk2DqAHfw0Pe1dFp4g59cG+w9U2QlRdkN3IpcezfXyq/1KGdfHbRv/qbIfDNymrMD7oGqJ74Y3bLjwudyKm9jZkvpd+nUDlHGCDNdiqpeqsleRiw2T175P6okfZtxDA2DlzioO3gT/7tfCGO1WpKCFYwfBk4x2oX1jpeorikQ92rBCdri50dR1som55uYSTDE8fCbhhvM/pNE0fAEM35b2rADr8uWvWsZOSVoVPCHFwmpUm4qkhw6+LPW+BF2HWbsd895DXhZ6Bc0knwhJXFPFAtR2/i2IiZ3ZxcCIyLiAkF/LPhvO5v+L7kFpPOS6rygzGHStuJLgWlqB5ewjxWsBCNeWS2b7d+Jh8wCB6EGNK5GsCd9FjuwdA6CBdc6W0O6+dkA//V1BoDW4wQrAistPpMqlMKXD8NMhB6kJujJpltKcD1Ky8qiUT2N9ysH1E17yzioPw1xgFKj2g23CCvdxVqK2Ij/st4PyOf/XZPji1cZ3/lmqAm4ctw07b5p5ihY+W1u3r8cxcF6CFA58ns8o2k8XMRz15b976dZ307rJnhFTdc9sEcN44mOkMZ560H70cBLH94Oa/Iy5ht6UCQghJU+7ZTDRwVCJYZB7DaLUeChNesweX/Wxq6VU9HpIEg9qUQ9yR1bNQVwAa6gwIvYji4hehkzLnI0/3YCXFDTeXxTzUOcFwN5unxejDArx6rIRWFgzH6A2SX32jQSJwSSjXB5oNCf1DnWCV+y64ndLwG42ovpTkAfkkK51183oD1gp1skrwxc88lKnqJ+qg7+0MCgLbbzKsr2cCGt8mZNd4tu7MM71yB/Ae91NrUZYBtHgGEyoug/D14MR4DuLpgvS0ECyyuDrC15wI48GsxojeBABsvLvr8Z4lhzSTeDU46rDvyxq+Vmzy2VNUZ/Gf9pL2kOD7639er52Ts2KoRaNobCmNPr/o+FfI+5kM1kBxJ4BXl24b51kzA4WroRz1DqDMKnhk8CswY4PzV+0FBeqnaHSvqofoFj3Tk4/3VxZAiB5uD9cx41IaaH5m3PDlL+38QwwW0hZBlTByK6YsxSdpQE6BA52BiUTqvB/s/FyZAIx3vBqhDwn5p6r+IibKCfh+rnxrlxUeirFxHlwRHOftE9NYAslWhS9QDwxjXzfIYpJmiMcfOpKlxtuepQlJiBzyPxjGWs5sJ3FNnwxXBHZVqU08Lv61xdaYiYKOqIdB/1YHWPStEpsvel3wYNlQnnVU12wUku6pL3b/6ekASfag8/wmLyhcsjDoCqv3ek4ocRklvzDw2hI4qJGqtH4MU9L8MzoSft4ntfugm9GXKh0UHYo4cOFLxmtC0sUHU+JSD1M8a1dNVH6y7/jkwf+cwdEDfw89bnC6hRu2jIZ+EVDa6KGzKotY9I5tKJ0ao9GUojXRLwv27JVz8GfijxutdRpG8a31DT8oSHM6+5P3A29XECjCiwkbnon7h4yHQe5dAlVg5/m38P/RCkkOnZiKuwdZctKwSsjJNwLNCc6zDZgapeXz7b3lzgeO+XDdLJXBfsJMc4sVjuOr3lnhvG3e3rPYNNDAlUbjhNbMgU7ZhLh59LZDU5nF+z6hr0ocvrzidaZ2VSHJRR083YPUE0M+I82L6KaLnAjD3us4tghuChhTz2vxlytGn2T+7lj2jOP1n70fw6+Xq4PrplR9lvc6KFkphAZqvbYLwKWYQwo7pEQ8+E2eUPvyesDOlPHBfoM+5IGj5snO9RmoQoV8WiFr0YCOAp77JC5kacGZ2WO+TUxtzOeUZII1LqC0bEZint+1vs2d+KwiANAMgNN7Kp8ayGip30B0K8EuTh6pmpNvFK9lerFqLSlQcBcUah1oq+dAxF3M+3qfVKUo6LZWTrEcW/C/ZbAEYHlVjEf8kqRYvRKoXXwSI9K0t5vvX71TTHoUC0dXfOovHK5E3UDOVpMP+90ie3sQA2RJKB/DwTZhPhDBlOt10fiLbugTOA7etEqwKEsQSMkTUrgLtU7RA4syen/CC/pmKIdyEesQAQ2QYJAr0DQNIcMRZg6CD75ao7LVC4LuWiCsmZauI/G8WvIc0EYPIEEp2Y0MZ3Panmz/ZsvGfzbX8lwOLFtYMz69FwbFk1CzK6nXO0FSJlJGcSjKd5gWOFZBVcY9exjGZkAxn6oots1/7Nj267wMiLwOxvRIZG2i/0Yz9Vz2OyBiI89L3/bbCxqNJpZuD1n3r5x9gcx4b9seMn1mnzqiChUPNz3/ZU+txuS6htMTW8vKkJJ/VkSbX6VQfJNOFspXBBg1venBFoARVFBi4ViuGQaVnRWBOyGR/0nuBBKXQpxuzZ1185cmFD1/6IGbqRRxoKL9m+Qx8ST8+8FzJjdSfVeEuWtPZqKxnBelK4RoFwOwAKX5FieKDcNxrphcNXTYyE2Vo1UC+HpopDToUFG9OkaZb6j1nm1yzWNzFJ7ZKrKuz14ZAfIbVVpIsifAAq7rz+Pew+q5/OmOB8AkYJ+C2oasEoWo/m6CyrUr0N9BrbmQnitSqNOC6x71mWmjyXqcer8m5oSMrpRrXCrAdM1enuAM/oesuOpbKUUubMkFINUm2s4K5p6T533VoktA/0CJXHhvvvZNjIuFa4WAfRTT9HrHYaC+/ndxulgT/D9fxamRNFuWoC0xrNC8DDSFbKc3Yyo4nDK3Ocd8vD7IMO4LZywbmRs2GS+FGfYl1zPywQqE82Qr7qn5Nu1HfrdpBiTuVHJJqHXj4jksMN0vKfQTxDjlFDPiHV0+f1yWaxAx1Tnh8M3LWzb8Cu9isYaK2mV9swU6/IPgg87TZnR1in8fY0kqHdaPsh8TPd1lIjAQSqNyFW07Gnjyoo1uPp3x6dvdn927eAgtMNA2JdU4cLQgbQpvznm0MvU699Fb/YRWn/cjvz5+nFKFMXPmKb4eqsHwCv/udGf53213QwgUaxGTXOkO8oBHpamcBnKmGkOmJeIOC8Yxrux88FMqbfFG0e3nITda6PL2c2Zws3buMDNBYyNrphlkhYxp/2weIuqyLjRCfCEoBUJP8UHvSts+8WzhgaE3bB8MILkvgMBMzhMC7YdT/88in23J3OfsTdL/6+gQoyiAH+uEfCfBatOEAw+6YlEn54rKq4Fab1LM0hiiPWR/YR2Yc1ahE7GZr6l9tETKkDTTN+YPP1PJdetdGvs0tM/eAxk2QlFwIdzu7TOJE22uzq2GMcY90MALuPbcKVX9yL85zZ5ngGGdotjSIGJEHI1NaI4qWhzvH9xJ9RaPGuCcKbp74XlTFyQee22lgp4Q0SiNTvhdgeE2weU+oEEDZl5DUxw6qRwIIG+3GQgsbqyf2DiUuZcHgSGiP6lZYLD5NYBMcbuA1pW/l+361yzcUvicwizzl5oZfFh5ydAkyKhfzlQRh8KilrHowRP71zNJTtiDbAFj7+oBb//0S3yrj++LqZ4Tlj0Z+z6LsX5DOOQLZpGV0Yw0m3GHlivRbmA6RiixjcmPb1OWNeiJNl251CuOj3pUNc17qoNNPViSsAZAMr7Fz+FSGKaNciegUN2XdZj6pJ1Y6pPBanx0+dhIxBNB8xH7AHCvsOtwznE+rj6YyX6dzD9jJG9pWiNXac0fkd00wjxJXtX9h+WUVmyn/mfYMpq8HQ+2/ei9zrQb4oWQaviaWuTGyhTsDaPnBUf8YD/KEZOR6rkLjo2++9/al/qU+F/aOYSH7DukVjKuP8FwDNn9k42IBHA8NuTUpVcQA420+MnwQ6kqOQ4ZM79no6w11xWC6iF1XSzU/JGu3X80tCEfbWU+cGHt0KII1XT7DfUU6NtzDTQwH80zksGC8ZMVSxnCyOv5d10suFm4hy7nwnNx41Z1vqiwBKPXmlXNrBzyB9KOiiYVK+JQlSxM+Ih+nf6/OeixFTyc85WX2O8LcpnZVhdT0+WuuDgc2tChsi6TgHgodWrwGK+kSOYzXUDSUrcaUECAFMCxnNsmMSV7CW3nSNYCEptFrrmn0EuLyAq1CI/xm/OerVupICCwbCq6FT7NmQErHx4MWWJlAa1Rbu6KBj8LO67mjCKoqQc+V9Jw+j4SM9kpE5k9O14KvgTMHcOJrIapWjypofLcvdAGAPfUwdM/TMdXLJ/CdXjGcDqN6gBzC3jzch3ty+gDhe6g1Ireh+x89Mgo/NokF0vIe/J1HHv3eyJExdhHoKJMujdHI9mKfzCEdd3mlT94mHSfqVvV3QFmzYKOXnGJVURpDeR7S8u00rHOTR6AiUVPEJ8mCKCdIAvoDe5WFN5tsvKrC4NN3XAGb/9yFTh65wC6sVaK8AE2rprjPTQ16+xpNKKGOr08skltjlOlWgNlx5A8hh1Qe8PJzXuCjBJm98dHAISYWANtPklMtxXDSGrPD9PPVpZz2qlURwOpm6IbCwG3i0VDKSXcb2A3ICLArNcNUmP4LlnM0ocA88xRMCgibeqXTKCBKj0jfVczQ+l9b76BAcYFj/cyQv8=,iv:FXeR52WEHfSOX4MPPWHRp26hQ4QQIIRUawU8UDIX5rs=,tag:Gnt3fOvPpB9rGtRPDCLVhQ==,type:str]",
-							"headscale_ui_api_key": "ENC[AES256_GCM,data:9i+DItZ61CghVpj6HID3B7gz6s6zRSIjibhdzoul78iOQxQth//29/RHRfehDsxLM2KK04eWQUUCK3euBsZXFg==,iv:EAKDYKQDsa6To+hOBYRjGrJUFAzw2v1bU8OidJpleIY=,tag:3K2+DC5uBNiGoYBWEa/4Hg==,type:str]",
-							"headscale_ui_cookie_secret": "ENC[AES256_GCM,data:sk8D3WHSosKz3K/aA3oGPQArQDHh5jX7rzn++fO9InwStissgIQOlylE4w0OjjgTvlWn7ScTVAG7MwUpMBj2YQ==,iv:jcFvTt5EZUAgJIW4YfoXyeEDekr3O/iTP7/yQDVQJLs=,tag:lDO0G2Fj6A1z9/JSBVhsGA==,type:str]",
-							"homepage_credentials": "ENC[AES256_GCM,data:6oujNGxRKTcPrY5LMN1GBVnhYRFbxU/UacuDECxPv6m9eDihMHdw2rq1sJCBVXaCQy/Q+Gdt3ZBCeftarvWsW3ol5bY8hXl2lpd9Shj7WvvoHFnhDAWN0NIvckDfnNUot3/2elviM6QwXO+BA/2QuenBdfv1oHPeNc0lG9CY/OQQBC3YPRsOa+cJjh2HPLn6xtQgnIypYbDIX/clUG9PqOmR3l/r4KeDsjhsSLqSeGMoPNvhZyGweiLT1FBKvVY6c3d1sKnvsZ3ujSzIyEzcUwk5T/Kzdq11b+9XXTmEW0h6/dwMWJgVo/LBYYpY1sXm4gAbbKkT3jM/ZPtUXoUt/EaJ5RvUHKYY0JJo07IVGz1+FTlGzMV1TJ/MxL1YdjqZ+8R5d6phectoSXT7CyrWrw784ZhNp5amCUDpbaj61u93HHloINLCeDZeuaMtcv/rYly9ffPchOFPh5tlA3Ef8CBfy6115UUmBWXbfw8y3pb7JT82thST9Xsy+WaHf508FJSbeL9zLPc8gHutnGmKepRs2zsZq9dj6ZkPncJ3l/gdpIwSrllMxe679K2hQklDm88J6V6DQxCH5NkCSOWP/m5IyTdTw9VIZWmWmU/8U5jEr8hFy4M38dg52VMuX8reJlYG0hO6ZoNh5tlnWaBsc2F39cyKhbVxgUsswtQrPKurLYokwKQCdRzts7VGf6/EpyYhU+8hN5iNI4tV/Es4z5XVy0M1FrUCBUZT+xH8kPE0OW3sczmNv1KmHGIcHF3GfZyrzqGJjG2oQbmYpEy/RZ9RPlUAJHnJdVE1J9bMrVEf2XijMUBS79m5Q4MtCBYSyniyHAYuLVDoVT+vChDs5cFPryWU4rX3Vf8Fjea5PuoGE8Z1AHrIUmk7yF8j+l6V8Eo04varBokZqkiZHCSnOMB1ISlh4UhJl1h/Qi7DRAV9KfYJ/KpfvLYIJvn4fAXJgR4onjVPRtDzwe0EV2/bJLaTh7Eeq+AbikiwnE/yHpOyi95njHcHrTHFgdWo+LmEIN5HGGR8dX7syO4spiHGDPdneY+xBdhu+CWjIQ0OW/MMVqXWYDc8NNnt/wJXTpvFTcQrlF6cTvI8q/SvoAU1hkd+DRzP4Pn7h8pYUn79OtHe1lZYXnyXsX5mRaskVbiD72SYKlYtaYqzv1HZ+oWhK+9S7Wwx7lecUd+giQT77NQ/f5uwa93kGOvW+wmIYTU8BhXmvN+fDA0RU8CTdNDipXtOblRCW/e4bqKWqIheT9xKFpl82MaOrHj99IJO/Lfs0TXM3b+0dHe7xYFbTUe6z/OkVrzn84f1VjhIhlWlo9ong8uwT7mJUIZZ6i8frc5DYCWL+YWIXwx/Ec8zwlWcnky58trH5hn7SHi86hQUFdl7dK4XgT0OKzw1sClQdakB/6Ii+IthkPMw6OtQn3p108vfS5IcffrF8va340abc13svY4jtG7Hm7sNHpZeF4SZdjgf3zGKQANVfqTXc632FQlI80v3Az0X5L0Lr2YFKvjckfkC3yUM50fHtYXNYm4lRVytRNu5pnTbTjRfcj9eqMqpYVZW+F66Q88iAggFVQNckAw2P7zSKLv2gnjmzeU1oO7hmmabFixdSciZXQ1Uc8CMQ6k0uJlhp24URxcGNsDaNpOWrb+XnWIneQemD+tBcE0rbJc3rbdghd0em3qHIAGFJsk3V6n/g2PUGsmU01n3yLtkrZ7QDoRIURU3b7ZsfvMp/g1I0h73bDc1G40ojvSFpEXE9sid4ofkTXrNIapvJjTpOGUpCokAkR1viSrobUGIXY/DaxBKPqATLOxD0tcyVQ3TjFOFWoxSYAxexbh8v6iVir/zhPtTUki6bWMUvb44S0sxMT/AMNTddQRdNzek0m2YfAFgJzchIjSVXX7+ATU5Plb72extBlwEY4IsPlzZO55oC/wgg/Dvcj7YrFNg6QPKmxm5b2wXXy37GCQWrM9Up5q2afpW+cvlqUADVN9Cj7MYBQGBvA8kcsuRK8dQzWfVhbJkGUNJwSR9YbFavFbS/VWvOLD6fppdkUT7cuXQ6QHfXGtUP9VW76uXEQYIbXu3J2FiXrxJ4TMJZnEie/h0lqOAkxABnhcCQWEmboWmmnsxNmO4Ap+GiMZgwToh8iq65HKrHjPTl6eAs2D4J5Qg7T+DM0p2qJqpOBnNoptP5OkohODnI1IdP8HsNZ9qt5qgnBRRKAQxvvUWwwem3roQaI8adNjtdZrrFKdLSMyukFPz3WRRLIOqwV8/SnVz0TCVVDDgZFr+On/MiEpQSQBdPJxJV7OVupvC0Ohdo2JFM3IyViBtTE6ht8UH4d4vm+uCnl5EogPnUyaYcwtfGb9mHnV6X/SIJ9r7+3X2dd5Tm3N6cEzIb9uiqj/kIeAyTpkYcqlY5IzCHWdIp+GtFNLxXmBDIWqcg2em20JS1N927rjdBj29kRiiNhAfA1x2rRLLKXJwMITvUmDsVuu9bDHoreQUOTdudIdVWRM6nPVPtoryCHB26fhi7/YeT6EOJ6Ssx1TrIWriiBjNys788cgmdgo1dX6e5dZa5jS3x/4/ZS4E0jYn1VI9rdoOdJqt0EQ2pVornvp5UrLDDwmhc5VCYhsjl92maE+KfaEAqlQHZVbcnLEW85E/C0j86eNdZhaA73XUCaG7ZPWFWDdtVL/wh70PCleDIR3rAZMByY8P0lWdh7HOR9SfcrgZ95s05P4ZTXhUY8bvwCxwO/iwtT8hWpFp1/CgAM3vj0ozepQ=,iv:MunNl58rutHMBPcFP7xijCMS28m820dkvfGL8yIC+KE=,tag:LzU43ICuQyd+MmrwK3FbiQ==,type:str]",
-							"ingress_crowdsec_api_key": "ENC[AES256_GCM,data:Bp5G+9W4mOLAJNTpJafl7Sl6/FV0I2UJvwM+wtLK1VMxfGI5eKM84FJCrQ==,iv:4wyRdovTnEclDQyyv1hs1E1qU+Y5WaK5aiLPSpxWJe8=,tag:fep63we6PDBOvC4MA5hmQQ==,type:str]",
-							"k8s_users": "ENC[AES256_GCM,data:ZF7q1p+RsGHg/Aw8y7pKXElrm/ypaprNOPn5HRjEIiA/RuAImq8ss/L4tjE7Pk6rQMrZ+BSQGJsn83WEcx3pbCGNz7kdpUxpa1YFh2ytuv+lTRjzsDsnArJSP91L5XGWX+5owZ/cHg6gSBr3xBmifPGeUuznVrWJdNXJZgfGojFdssP5q7nCJDTuOXNGN+tohiKq7vhkOApkQ/iEXTxaC3LNCkpHnf4AkvY5o7GiuWYJ1igDYh9Lt3PV9J8kMi+3QCc7QB78M43kpZiS3OABL4Ivfry+QA/EAHWaNBs/Vq3s9QOghmFySapApxWuOjEbEBTRRq1LDVDyg+2AimV2duZLL/Am3cWkYUDJViK2BJqB84j9h8ofH8Pa2mjPhqL1ZARV9uoHMS7/awPe3BEtcwDgvd1pbS9vkwtk3VwuLlQxeGD/xyNeJuyWviGOmnkqDq19AMYQE0a6jtqc1T9h1vS/TmoT5tU2eoqU2DXpchx/C9rSI8fEEve5QEdlxxS5XZEEybQFAmP+XLbXUxfSGdk/3v9twnKijsT9hd1U2VcwzGK7+0SKeWDHECFPchLRDg6JZhnzT/xgNoHz86SNONaT7x5Wps4yL4CGOaB4E4xEM7yM2SZd/A7MRRZPau7lyZzeumMYKNxI2fwj/yR9D1i91QoPhPHhv38DN2ZWPEV+tEg=,iv:MYtQsLV7wG2+4f4XCf0NKyzWHv/9sxhx0PJ0LLuFvNg=,tag:X0wIuLvnRmgSsmtELPgcwQ==,type:str]",
-							"mailserver_accounts": "ENC[AES256_GCM,data:19IqTjjNCt+ZqqFScCOeHy/rYWoUwhPdgf6HexaQf3EvmzhlZzE64Q3rPg16ntXR+agzwENntNne7uLkt6fqPXxc4Q0AXurpY8K1POLMBbegg1b6hu29c80J+SYSQhzk98BH0QFbzZ+3RjBe+S5KbfoieVKFdOdrUlWGs41GzWZgsvSfd33dreR7lSvhJaPyj1NGYuYA1OMzv9eJeUo6pTWnywrgIKdO4/boiMqmyGGWsLMJbYhL/mNbzlULL7/sCIEG1z6hC6yTOCkmiq0tMOTzDRbM1giFkMdo4TEtiAgazkHqBNs6N1+uWXh4PMs4TrN8ZxaZIf8sJg5gkb+O+LY8QukKFRlMbky0fH6x1L82Q7XjABrljQip1SVnyWKvBz/bJFJZd+55lm7YuAyiuTcgG+nWPLOu4MvqkbXRfbDGcv1NTngTN5TVrMRZDmcSHMHyLbTvUjgLte3lIpJ2D6koaCv+1n4O9rQT6/uO36HRjlyoEcrpPx9bxbdqIeRIRiyBpyv4e0kld9731sFv3A8KkRd1FJdd4JFJujRsi1oJpiIE66MOZ0ZJXTiAF//tItAvRWlj0rx8D7QS1179A5/LzaCy74jfeZCSTy2QHhjA/JQaeQf1UIiEjI6C+sH3K9AUIwzG7sWgNLx5TKVWdZg/1YKREfb5Zw9mfOE3IMlu60Udvx1ZTU3WiXVruCHOhjHaZjZPrp97SU/pMt56pbyrijf/PU/48TGEJg5SpH68rUiG/IItsDN3c5uKdAvqiNLov8NtB7bA54XJnyZY543OLsHcRNiydCWMC/qSlMoFZC7lO3HuEibiVlFB4snhF6+uUttUqHtCiS42FC4BziQA7VxF71GfaO5dWQ/qo0qooiANljwPHi2NwizPVH1BIQE+zfpIkbxMs39ytXNX,iv:uyxbm0GCx8OCAw913wY4MP/kWyLWVPWgKJjplTBA7tI=,tag:dwL+94JmunDll/zp3bGu2g==,type:str]",
-							"mailserver_aliases": "ENC[AES256_GCM,data:aoEbaTdRykt6iUxF6vfnhgyk3TaYhYIhBdTg5pqN9N20SI2bBlFxddwoHjaq9fRuFcc8R3m7C/YZ8RoHG3kOJdl8bIu7eNlBUcmSEI5cJKjz7gzxI5yshg8EwMkM4nf673bbMjM9ShSS0hKCfKAXCEd/KcyIMKfPF04YJCg3EDC93W84CdQcpZAQanGBSpocc/A5czjcrTD+nderEF1d2EF2O40dUIj7dn+xoygofw2v4Aamtz3I1jtFlkBzSQv+7OI8kUuiiKtn2gSfGVM3ZEHqIAle+hn2ZevhkFgGovB8XISef6QD+6GQg2DNFFA66P+NA5TFX220ZUuFYoNvbbzMmYcyIOHM+2IAL0HJznG7G68c3G7yOAlns4WgbEo7XQNdfqNYYO4e+vJ5tmUdMEk7kq2RbJyrs6gyv7cJ3qrKPk3SOnO+M0h4g5iGJupWQDnlLHdETlKSQ155qyMk5OVTtgcG3Vyv9zOxNCujXZqBmbODcLBlxPUUl8RqpdPVwoIwcgxVhYjamDBgqsQJF/GrUN0cyk8dON1zfIWGEwY65fnrw/53cuqUFwHBWj1DIsIAVI1Wf9y/fgAX7Q4u/Pbcjvxa,iv:m8YsYOFyJ8rHLIT6jt2hfvX9s0ZGa9TmB23geyqFBP8=,tag:guehWTyl3lWYtp2bkAn98A==,type:str]",
-							"mailserver_opendkim_key": "ENC[AES256_GCM,data:wMpmaL/Hqda7T0a6RQwbNeusWCwZcfxKwyRKXb5kQcTQpz3lFiU1g9ZsplNa4rNCgnXoChQNmXto51TZfGf/BCw5b9U01MzT24K++t9Ke8KzL5La3evFJQpR+99GcSsQa/98NW1L74X/jtbJM5pf1ekyUHtDmD0Qk6Onr2qHDvBmronR6ScuWFB42b+4xY2ww1SYLEwPL+UP3JLIeIlL2r5fw1Axj07C3ZyL4ck/7BNqGOSOzskCkArK/cgfQgmQWugrfojYlvDQjXzfeZ/oYa/BrrOD9AH3czVjFUvPKVFVFp6TY2rpITQw8V+nfbqGwmiGJAO8bM79LXWXUlkf9Q/5DWgUaQuexWj1OkV3hynb523/9Bf1Y0eTeNTC9YsC3D1wLAGcukdgFf45Sc5KHE67lAPQqVKl6QoXPiJKj5mEecXSFB/sJGGNcdltBw4eFq+pXJ2z3BgnrOYZnJSVphZOWF5HVFBgb+7BFMaUeOoQUhKGdQ/8i84ztMe198NLbLJIIKquw8L9Goe80POhsqcqdXgrTWhCIbfQ3mLiYvHY67jhXyG4xFpEa5L0B3sDD8io+HgA9MWbo5mX6nN/i+GmJl7n/4T36bPy6nLfyJ/JKsZbcAVctl2dWCZjR9/yDzYG9PGPuQlF6Bkocdo/wfWS2VSi5+sVd1T5EOdnxk3mllY0qcgF4KXwLBPiVBc+rongGfjwRJn8xxT9P3uM5Khqc/TBEXs7IuKP2/1WC6A3a9zDFfKwrOMidGCwadzlch7wjX3G2uFVClHmnEsImn96JUu05XRvfEZjNnjSsQKnisHplkRnC3tSpj26jB0SN+b5VovJCP1ZMeul8dYO8/qtF58AqYSw8f2aXQtlNVRnMfVz9gPsmzNP8UfeFGKoRUwTOdG480Zm8Dh1lktigngwglFEXyz7WSpKWvvbWHKce+iytpQbQ5AdlCy5q84fqcqMsjD4EOtlh6pvDTBcVX6uf5fM6Hf9PEXJVGTpGX/5JELJ8Qj8Oh0RBE04nVmS9dpmZPSezI4AAGhNx6JsKmy89ZTQU95DyEPhkl+U4xLFG7vG7Iu0Xmdd7Y2sJMCq6oy+y20Ca9bUxXN2jHYP+sJ/85GVnG5ncmtcTi47bALWUJXHcYOX9rzdJi/Ld+CQu7Kpyr7p1bvmwjFGHEWdzC+Rf6y26kJI1iMpTj2cZKudyJB63C45xkRzJXEiSMzUJRk64ey0ukunbzZ6xeMpRRwWLn4HXlfzWz64I/MhBp/Zp4GAoEvof5k/W+ULGvGSzdz741euB8jn7FzfKPuZFdIYrqKvSq/CQwzjMWqYjw3NtVYN8CTAFAxpBXd13XGYZXK6+mj/E4AXrIJB82fEXbCrR8OdYDXpI8YPcB8F2rttJP1JVCDbqqeE+BAEQYi+y2O1GMb3HmKRNlLkC75WTrbyRlfHqG5b4NEpVLfLPykWzKInb0dwn2l9eBy7Uvznjnx1tLdr7uFjLp/Qy26O+nW6TK+Yz+vysLgbKq8cK3T6CA99Lu53luJZPDI11APlTVZN/Z9OAprNq+NFZkmYGEyifLTvhcn8jUKgpD6Kd/dRt6Kjkl1Afh1S2wJZLK5vIrpS7O8nwZRkYerxOUfVpxCCZfMkEgtqoeySYdsHxBmIQLxqKLMUWty4J0KWpljpjNlPX8/69BFyFu2IfPWXjYSPtuzU4qIC5TsKenlB7Mi1caW+Tp1k38IXWLKRC/2NEW36B8S2vrh0mGi9Wds430kDmJCR65PjXBW5H2+W/acigBtHV5NOGQXWS3G0aP7KhNj5AyTr3xLbQTON6ZYkA6OHQVpjeX6TJtNtmr0IGRWqiwPOJ6dEmcqwD+ku388xgAIV+QEMYy0aSjyjSU2YcYNM1uQkiOsO+SXbC6wE3a5y6Hlik+bIdUoej52PWgP8dvlF7sxcdLrpS2IqgfRywRD+hnfjJF41c9oIeeOEGA81A/DhukokCD8SCmTCzwKVIkwl1046PiRROK8u6tQ1tO+aqrj++35vjzc9LYu2g1HCOoeyhQi2ww1uxjThODl+lBACCJaBI8ItAIdLecZtosATRNLvTYE0DkMojhRMu3T7QQzFB3+mgSmao5+P/lX2KG/wIF573BtwjFb9VtZLhNN7eLaExqAXpCZMdDNpz5JTqlsg4tGqOccVZbptbctk0OWUkEjzLkxJnOpFGgY4H590nbMc7lZ294U2AyFONONgHCcLPfhBrq9RwuUhs1c9e/auhQqOQzYgkbfsrY2e9TCQAlMhhZCNWlWxOQ==,iv:Cq/h/eAFqGJs+80HWDT6lL8Iya/YhNDzcrVGmAo2z54=,tag:I2TmSkLunEH3n+xgXEwRCA==,type:str]",
-							"mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:Rj4N5aeVbjGZKKqWBn8=,iv:juA11Ydpnk73JWozvIhoG43PENsX8CsQL15tgS+AlB8=,tag:JRs8H2qm+bYbZ6pNioxGuA==,type:str]",
-							"mailserver_sasl_passwd": "ENC[AES256_GCM,data:sHKsnejZK8DBgvROH5keZDstVwKEiCN80hQqviu5HAzwp78YTaH03sLdC4/CGJENW9cSY5+6S1+gKYb/SL0D+tMSYSI43djSB84zEdrZhRFSj7y2goQ2AD+aRp+Tw8p6IgqPJwAv14anEVEHIVpWWccn1d2cz6C67B4YRLrJh9eEMFlh6fYNzE5t/KOv9Gn/dmw=,iv:pabjD1qKfxm2Wv+ATT/HssW8Y+6VMB324mmCs7MLxM0=,tag:0q5tTNwCE/MXIt7t6DsPCA==,type:str]",
-							"monitoring_idrac_password": "ENC[AES256_GCM,data:2DhSYElJ,iv:5XLXhHDEuAT+drq8wL8N65AyOy0UeL6u5Dpn+CPOwAk=,tag:cAP0qjA3wtOlBAs5Z0YKQA==,type:str]",
-							"pve_password": "ENC[AES256_GCM,data:XkBMlAPRgZto4P794xjmZFrUXhpbk7Jwqmb/vQ==,iv:E8Kmfa2U+a+L/0uTxcPhQjH4bag6iLShrEU+DX2oNNk=,tag:UvSNiaNN64H55dbZYr109A==,type:str]",
-							"technitium_db_password": "ENC[AES256_GCM,data:eOJNFd0Bdkc14vwtVbk=,iv:DkLPgVZVxpGXZxmSoRdX4JgdIGCjHj+WaU9gNMod50A=,tag:RFY3RXE1/Py0wf/d6Ly51g==,type:str]",
-							"technitium_password": "ENC[AES256_GCM,data:iZAn5Op+aSUzC9nJ95+P7UvLp7iNUnw=,iv:t7abNHwl2IELKs991IhlcP+K3d/AuYebg49UwgehSdE=,tag:lnfTcwKRwaQGDkDaKWvdUw==,type:str]",
-							"technitium_username": "ENC[AES256_GCM,data:6mpxMxU=,iv:Zg5NoaTTqUsWXzA+k1aAqJHmp+31UjyfZK5SOP5MQyg=,tag:SShSYThCqGmeeQaDSFQWDw==,type:str]",
-							"tiny_tuya_service_secret": "ENC[AES256_GCM,data:nesyH6dEXbJQD1oniWIRl3d27R5j0A==,iv:pzBWuLBWeaVpr8+j+Os5ETP7p3LVgLf4M/F166SU6c8=,tag:AC5Akp1n15FgG8OLoF3G0w==,type:str]",
-							"truenas_api_key": "ENC[AES256_GCM,data:pgh3NlfI9fx6GmMeIuJzqyj27IFMrscvVC4QTFDGRywoY7NimAABAuvni2HBIUA6Wjq+1FD26OOkvkePKqnBiO6U,iv:LWXxsZfdKNN0TT1YY6BJiuitut4pSxMJMsG4sEHZe30=,tag:xADcejYV/ISJXkzdm7FVoA==,type:str]",
-							"truenas_ssh_private_key": "ENC[AES256_GCM,data:5E9xWk4yq4+BMTvR78patc5H5+2mozi3v3c7ySE4HGwyrTzsnpED39szDcjc3Dvg89NwumvaLTO1MdSG6Mmr0WQaT/8LM5FTrAk2b7u/7m8euTcEKYTEH4PtvRjc5HDc4NkPWJJAUwINS/Uk/Mj1ekjiqBQukVwcQUklO1WHhdNbLT+RbXHpwSP59qOZSF7JGPcWlbhZHIdaNMNm3JnGVjRJI6+1p7siqmY8+TIZJS9omagTiA8wE8tKEImavg1VrbKE0HxkSI683SixkBlEs4xD2xZRgvWPPgKzMwjsaw0umFYuLy3x0jDuh4jGwOX1IxW5Nkqc9LuJlONzVEcnf2Ic0Ig1YxQ4WgHbYRBlopshTBo6lq3oZORkJgfBeKn6UTqaW/v4v7UjOBU8kVaEWVH57+t7fCT55D1FfzwP6lm8SxTsTXiSwHslbSdcwK1VqQsjgicPg3g03hvRbCGXihHiTGslvT0bZXcfbyu8c5Bv3gI1UvigzBytYkJURPBeoKcu89tzmrOMj6gkdbEibIm9IOBpvxcXQEbR,iv:aO4gjC1CwBjRz/SJoz18ozLr9OgP05B/le43dxdBLs8=,tag:zKNUv+adI9fJsImbMXkOow==,type:str]",
-							"vaultwarden_smtp_password": "ENC[AES256_GCM,data:N0dSd1AjRS7RAa9NBrXvIMVRcW0=,iv:TkQanfLlHjXe62VruPMNmMhms+mEViveJuM76k7Txi0=,tag:k6u7MOvYC9T8MuWTo1Kk1A==,type:str]",
-							"webhook_handler_git_token": "ENC[AES256_GCM,data:BsdkzyMa1PYP3mkjWFZvv+GFUuKui3AowUQGEdemdBlsBWLG/tRVDw==,iv:62AR41yy4wB1dx2hfimEAAUznS1V9pe7JU3feXUtpNs=,tag:d0gfpgGIuGhMyG6S16AuQg==,type:str]",
-							"webhook_handler_git_user": "ENC[AES256_GCM,data:2VT07RQe7386jbJE,iv:edlHZGNKqkcKNfOsCTS+dM/JTpGa9Wg46K8eQzInjaY=,tag:7jMTRXlnKDoOshNW6ouQUQ==,type:str]",
-							"wireguard_firewall_sh": "ENC[AES256_GCM,data:57fnv4VvUss+RhFYcRsCCRDjFpZ2QZXzagt9yMXtiL8Zz+AekFYCXm04Dz7rhLTZv99uuOInm45aStMrHrMm/EPC4bVf8qQFPDBAKEPCaGBml1tHhwOzVSQLbs7uS0DL7j9jJZGgNGQLRwa6eCOFWMeg7pzvHzb9dlhV9NEuB4E/EUSPG1gCD0imU2aNAJSMQpREs//iy9e3q839z009PI7xFnKKLI2W+DQpyVZlKXG7fPtkQ+V1yuL3GRnD0gIdPc5FFhbz7Z6t1io7ZfZ5E1zjcENjs8Go8In6IQ/BL+9bo/rGN3SWzDVdIfmFnhi4QnE8vpMoIMTduf2WdUW8YFXtpSPOPis3xE2TaybIeMz0s3ZMfiEa/bgxc1umO+SkfqiBPzQbAF9ANczhUFtES/qzdcMaS2/AffBRAjDe/vqv5uuoMAIbCDDiiwT8wDXoOn6dYg5RGmZnR5p2haLsb9pzxVTfWb7mIta3rHKZlUYY2CiIzTlGhEiLuKmiRiCYw0dmEdKEGYfVvE8JeH8OC6IK0m05UVbMPwqlUA==,iv:4hHTx+viAOkkblvqdAOQMinlCCi7RV5BrOwP0Xfx14s=,tag:eI0MwzRwj45t1mbDKTa+tg==,type:str]",
-							"wireguard_wg_0_conf": "ENC[AES256_GCM,data:gimS3q3xJLGOcI5z/Xiv2QxhuKI/wnAtnC1Y4lFzdBi3VQnZeVRfkH1R5cD3Ad2PGhdIu580hz0prx6/ECAYiIwlqretc/d8KZ/h8iKiB18sCiFXddrrWyWYNnAcNd0zW30dd4THYzpAKpF5OoJs3B+UPBC6zY+FY/zDwDUHyDT5elttEtfYY4R8ldi269Z8u1FWTW5WBFFXvyvCqzguh1TzY0IlizWQtmK8tMeYIzGO0ZcxaYspttr1xpbr4bqDzVEpoGH/KVJHEwDCc37PwbxhzOC64OBLa+un0D8DrcQ/km/gresx+Ip5V/t4gs0u5kMY+YnrfmfCSBVCVk+NT/SZHWVIX6eIFQltSEmQBsErPNzB01uLQY9kMSM+jF390XcUhlGsIVdP1X/esdGCUn5o2KGN81dDoZLr4TWcHoAIH4fGjXlWjBoUMuoJcB+c/O7+HXqzgqjUyVyKdhzAZfLW63eQdhI8E2MsWBRgq1akbeGxzdFzfch8iM253UzUAO9eU3J+eYhufbLzuIeV/baBbYQltUXRTQKh2ffMktdcJi0sDs/b5muHas71VxKfeOlrSwwEIYRBYsFy3h4W6nZly/MZEEE1nmPHOk5lUJbsHsMxTLfi+t02Pm6y1Xj/xBK81ppmTFOylD8gPFswI4TEyy5Qxp07zHL21dl/yt/E6i0Ha//loZyiN/4yD1h9D5C2gsN3xyppMhMQx7rU9Asx2SGTiq8dY7lOL3LUYYL+d8w2uqv3+HzClvXA+Igc56BuJwLv9bJnb5svQB6JHp0VE3v2l3AFswBPlkUXt462+vMcYRQf2aAUs6GSN5wJuihsbLFdn/4FWEogXsgF3DEXuVfdevriYVTuPvsjirabgcvo/Oyg1Up4aLdIAfn8iOb7cC1t+4TyR4re4KclqyZ3BHK00LtZP8eQ2pbLjYLoq/V0DtGNPure3jhzmPVfihvLa7dm0rs8Ke52xqDHwZyicdpKA2pBesbwxl5//4X9OiJcsxc9TKx/uuKrcsXK51LZj3cKv9m14Kq+PVx2/qJ6ScSpmkHcYQoPN+8HPAohPoAnzxbbUvUscW5UegCMDz9MihtMumoB80jqvszwRnoHk2kzc8LixiXDWBouxvQ+cVLuTrqISJX95EELR5h948NLgbuBJz1X5YPOvKmpQqE5JWLR2UJhvBaGG6mSrKE3II7Q6a0J5PhQ70EpiQdmwLRVRB+x1XM/hchvchpVJP2i4WiUgyuVksmOiS6LlO1gMQP8JgDKTV80IMtgQPaT+02fgAOcz+jdpQAXp+6pjh+1AdU3VO6d1J8N3CpQKQOsGjuE9m1cS2Rgd86daf9y3crRCrVQ7U/ByFdOEUzODukMNLfqUUVmgRvrAS7UBabAe58gFkcT8bg7biQ0JkVyfGa8QsqVI/1oB2StNCRRn0rhxqoFE0kv++rADb4Hb/SaYINILkj780O3oRwfOpje5YwRq6ch8LSFKGL6oyvGguN3BijWoEMYu/wMDYEdgd1XbeomBc7IV2GLIzCwlWcwa5+YluNVavF/B8usGiPJ5a7fihKrE4HhEye5uOTZ32wmZs/1I+ebmqS1cWxKDTdNMW+ck8AP+MWwOllJA/c2A+qoZhIXIQrQnhZ5uYSeQrnwDSqTfNldCvweZJWIcuO7xmMPU1tWvyBPBb5xLYPZDeT6Ea5ieZyucijbUSajtJpTqneSCygPopx6jKaNITdSMccEH9bmJrZCwHrHd3Mu7sf/3wA1OMivMa8DfsPvqTGipZeDUJ7IMTGEPFxGXC3qDxC7y4XdTtk8uhxjlV71tdLypQokF1UM3v00PW463a4LEANL/7ZHJTFavGbTwLSlxPI30SfOmolqgj6mEefwfGbcFo3hhxJdv3NXlScLICOl71CBV0O5r3R4+UgXlDcTr4I5Pthj15OGHTIKMBGRj5hJpqxbNfr36xmWWPt/LFVZw0AxruovpUVhk+JG9PvM1H+TgV1yeVyW2lkMHQdqipdEFa6tMeJp5EeWpb9MXEORg7yp5dV3BzuftZbX3SxqDv4pH0n3bgKe7ulGuwxt0YqzXukK6OP0mJw5VqjGApb3/GBIoJxXVnEB8+jiJ9Mq4JzLpZWnSnNyZ/dBbaYzH1DwMWNKuykjaZfZk24pzGrFo7qOS6J5kaZ/Y52OHjm0fcNOePEGgKmJ6PkUTB/xojmDIUERWdV1t0gP16v91jiHcOX2Sl+HTuurLYMPyBx+6oAkjkr92jFj8hCPKtOBD18t2QcMv2GQLcsVyJB+ojKbCDTFUqgn5StD/IEshN2hX2Sm0Xxor+grFbqSDUyH+wFNBDM6UlFD5ZYOsHA5aN4J/em3u3KNjdsAaRRvkJWW3hh0VJFsWmMWBZysDQR9vo3QlGE5e+B27Tptp1KrKAnpMOVXkBZz8I5d/yrrCOmQVcrnYXNsah4cgag/orWKGx8e+6VjOwD3BZONaacGKx3KcNjc/cSfzRGkYDO6LxzSUSmEbA+FZr/LXcZrWIcYs/d6OYhUEy/ImBLOm5zJ4ppKJDDq0C1B6AA/xtxrRKQafe9bJ1ORMiSY5Fio05xecBmlDIZpJkzTue9ztUYkvRZza+kPUhuA6eAKu0tZatzgslmLhEQI1vqyVrGui1PWoYa1KAJ8EUNKOMrBu/yNYb6oiorOYCQZzk0KwwJv1nAwjepRdd+mUWQ9XWgJh3N81sum5lNtwkKpMNLTWDLcYS2M3nquP3nN3sXlSdGkKCmk50g0MBEsp67DhfjhGcFGsZ6KbE3PrAXgqreDw8SHPX+kLQ+U2sfrcFh9L8MPyRqM9DHaz/RkZBO4TtZ2Dk1n+tGkl79mq3dEfn9CnpI/sI8aTRPbhjagTVa17wKN0D16T+bpC8Hw21ute16Fr+AgQra4YcHP1fsQkq3v8r9QGhKnZhYgtP1XrT+DKcR7sPfEkej6xTLQNxq5kt1TnTklLj+e6TBxgMpxXv1DQJfcwPw7qnKlyXsaGQF5R5dhwOO2yuKhEYYm9gcpTOfx9BDIw34WVSs4E3ffuJ9JKSg9O3MPUaDclSeOrbx5/JiwcT4OmVA0ezk0LpE2nQ7XsXPiyxgARDxwu3Lb01QbyhplMnpS5v1Kr5jkxSlH3hQBaL6UNlneUC26+IFGAwMf/h2UHjHIhUGHt/ctmJEkuAmgo1b/G9maaQ07LOd9svSDVOkCFQjBBh/RVn7GwNk5yRkEb3eNhtebr/mmvESZGS3mM/NlpB33/aogsmkbZExGC2sRFFP9TxChZqY6w4U48NP5Iu8YIt49/pmclV2BQ+w1zwyM4Z+s//JYMmuZAiP3LIOfeXzYi+ga5EmZZn6xACJyF3R2DojjRKA7856S4b6u7JUALpUDlXboSl0+1+HxrsKd3aCHWmuFvrnGn6niIjIvCShRwUGS0HfqSGowXC9Dnk3+N36TqIvSXzhDoFgATMsAQR409TT7SvCrLg==,iv:ew6bqJwkVYWNzPjoQo7WONw6ZwB20fNBoTApnuHiU70=,tag:PUlZ4c3ralgQXtQXiE8+eg==,type:str]",
-							"wireguard_wg_0_key": "ENC[AES256_GCM,data:SgQxGljjgBYS6Le7Q9ISOfxoinXObPYt0xC5YZJytPArlTCKeK0cqqhRVYY=,iv:8LoXqS4Y7z5lE3KzG0sHDakTvkOWD+pegSkQFEbdz5E=,tag:aOiMhs3FS4rPUS25BCl58Q==,type:str]",
-							"xray_reality_clients": "ENC[AES256_GCM,data:myiXQWbmbhCvvBft8zmn/d0G95QE3oI0Xbo+RvTEcBLtLDkmM7wscAVxcd4vq1c=,iv:isjjN/HPJ45Zy0jPufewf08psR46ewyRFdTtBVOLcvs=,tag:JD+koFUv3UbqdvBv8fV8pA==,type:str]",
-							"xray_reality_private_key": "ENC[AES256_GCM,data:+ISxK0pZ8VHJ1VILu+etttbV1RwBKzKUQEPVQyRzNKlmLoBYzaV6o8G9Pg==,iv:33ui+IGA+TqNvnJEJtM6uVJc+6ooj7MJX32h5ktUiB0=,tag:xVKDTCe31hqnnl7UXXy3jw==,type:str]",
-							"xray_reality_short_ids": "ENC[AES256_GCM,data:nw2dzu+BaIiKAC6mY7cQAhf+4zVPof01L+p4cwr/5ktXoBADZyHMP/TDRbGrcR05/jlu4QJ51DW8lPXrUUP6WIM=,iv:hqboAXprtEkhjd+vz5f15/RORjD2XUWCrNdw3PIl5Fo=,tag:UHXLc5qcs3TlzZULc+A/EQ==,type:str]"
+							"alertmanager_account_password": "ENC[AES256_GCM,data:2xlty33M0kC/rlECYjkt83iNIlI=,iv:Wq+QnraCat6GSnjQkreB48uzSwK2cyVjowb9fIrueRQ=,tag:7QgT8gQwR7KHovom3vCIMQ==,type:str]",
+							"alertmanager_slack_api_url": "ENC[AES256_GCM,data:o/crK0xgpvTv0P1nR4PwO/cnwTsJg66krfFyMCbFqlg4IxF9HsKc9zt4wtkjhSXcDlUj7gLkpw9Ne/zpma3eNOBVspVxIj9MG4YYIjgHxjje,iv:NBoemSv326v7GvSneyYZro8Pi615TY4zFcsDU6GTRA0=,tag:x2BR1tMQaKJJAw3RDRqqRw==,type:str]",
+							"auth_fallback_htpasswd": "ENC[AES256_GCM,data:JQli2TbkdERY/IIGohbePwg5PZ1imfVRun3s9Nahu0L7Zz9XHCW6U4GlrsLbvflAG4xpmDkyCiBMySjlBitqn+72,iv:B+L/FnDkVQFfQ4Uz0v2Zp8dax6+vGan0eelj0O/ntqY=,tag:Ky9LfrTzxc2AtHWrceG+hw==,type:str]",
+							"authentik_postgres_password": "ENC[AES256_GCM,data:1eQZavDfijrdLIlT5L9cWQ==,iv:y8HY9+PRplv6vO0W0qyPwRsiKQmNIhJeZW7u4dLsazQ=,tag:2Qs1HvlG3LavyfFnWoBMZg==,type:str]",
+							"authentik_secret_key": "ENC[AES256_GCM,data:tMga2wv8WhoETpde7pTrastGJnq8VZLMg7r5YX/J+tKKsc4Q7+dZhLW0CtyxaaS98JDK,iv:Pk9ZVOqXsoWUFNykrwbu4S0zdZX9FD3cwyvYRu8m4NQ=,tag:iFp8wUxmlF0SLV3KhkWTNQ==,type:str]",
+							"cloudflare_api_key": "ENC[AES256_GCM,data:Z4jMxf9hT6LErymJxJUieAvcYA3ftWyPwDtpdcPABB27YEW8dw==,iv:9HGaMD/BwwGSafUxZU4iC4ylQLV75+hMxh5sAiPSeNM=,tag:yQ5RgXCjDKXAQFUhJKbsBg==,type:str]",
+							"cloudflare_tunnel_token": "ENC[AES256_GCM,data:cHTA89Yi8Ho79310JH/1XvykuXXxAOjlVezOM1LH+XJna3SV1iYyJdVjVIFjRJwyJzFpoHmS/s7Vop/JbvJxgD6XKdWXFVKXepc5+fuP7Rxu2TAE741GXVy3K2GfFrmr3GcqBhgMvMtDHB+daTZ8Qr/b2p/AFX8UwsXgGj3ABV8LQftiM3AyCOkmTGtNley1BHgOVAHC6guAXS94pU/9yY8UA2hARQHdNPzILzqD2W3SF9PxLyNMaQ==,iv:+U+I8361WAcmJuNNn23SFfy+DsHHIR2clhUJZu352K4=,tag:yQLjkiglUDS+kTam1YR3ug==,type:str]",
+							"crowdsec_dash_api_key": "ENC[AES256_GCM,data:x4aDfoOL373UsAWSRKRnpW9HxsG9Mo5xB3KP0B+zL+U3Wp0+Mgx5guoJUA==,iv:7mrZXH3g36oysvPGEPq0AK8VIdKNDaViazDjg+MGdDU=,tag:RD2Tk6jwsasWPuTYiD97cQ==,type:str]",
+							"crowdsec_dash_machine_id": "ENC[AES256_GCM,data:0dtK8eS/rgJ1Zf/kNFEysBY/4BTTRsg3Ke2GfTo=,iv:nHAPS1BZTEQyxU80u00V1ziqdwlgo9qBpqHuFUkx1jw=,tag:NntXKuhejDybM+cS2jWOew==,type:str]",
+							"crowdsec_dash_machine_password": "ENC[AES256_GCM,data:MVKa/ucZKwc8msyHD86lg4IpfAdT60+1UPjD6BdIb5wgmo0hd+GzQ/SaHM4tJ7e2upgYM869hU69ZeKbkPp5wA==,iv:xtW9MFrZ4iFuqnvdUGjQ2kFRjwgszyq0EFNFW7QObN4=,tag:+u4cB0BI2ExNiLJy/KzNbw==,type:str]",
+							"crowdsec_db_password": "ENC[AES256_GCM,data:ZVEQMqpimnLQxvWIT84=,iv:4d/fwDSsIynZkt/3Fn4+7eJqn77OpRpcaj3vszn/JyA=,tag:wBJiYSpcVTz5o4Iaa8HcsA==,type:str]",
+							"crowdsec_enroll_key": "ENC[AES256_GCM,data:2k9M3lR9daoYvYemLopr2YmvSTcSIpT25g==,iv:r+mB3Sl8doAb7lMDvI3ozbD6Ff1e1geqyHGqMAwWTsc=,tag:n+gM9VCMwsxbQqysVkCSOg==,type:str]",
+							"dbaas_pgadmin_password": "ENC[AES256_GCM,data:h6swIzahxb70Wg/VrXv3xNOEI5oojlJE+Mu+yNQw1LE=,iv:b6biCtjo74FqffDnZ4tDED59Z10OIX7Q/9ZfFF1MNYc=,tag:OM1DbX6JpDo/mTeQwmhmLA==,type:str]",
+							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:lKM5LXDrZYDLMJ9d1u0Rb4mUNSg0MB+QdFg=,iv:15zyzkP7iZlRzSJrcYpabuLXfL6sjNjB1zZ/bvtfDQ4=,tag:DZ6yORczfnSEk4AEFJNnhQ==,type:str]",
+							"dbaas_root_password": "ENC[AES256_GCM,data:gMTjZU1ImmCi5kjB82Fcpfr4pkpueb4shJfRPg==,iv:/UgoS62QHHhpcYOoBQq9wfbtQydCj+m258fdQKB4CB0=,tag:R+uHWGV4zINTxAjOX74utg==,type:str]",
+							"grafana_admin_password": "ENC[AES256_GCM,data:wXyriKIRhAOHjCgXrJGTY4u01yM=,iv:w9ypUyJNVUE4hhOPGN0m+ygKq64dkYOy06e/NQl0PlE=,tag:4uvpycKJS+A+ifVWoUYwmA==,type:str]",
+							"grafana_db_password": "ENC[AES256_GCM,data:OFQLyvhWVVn6lcadcNORrta6uXZv,iv:VAs9ibB6exn8aGZmcVqh7leIsWCozkJeNpaS9dRS0CY=,tag:4XCYu4QPTiePZC+ZHlfNfQ==,type:str]",
+							"haos_api_token": "ENC[AES256_GCM,data:1vd997oGwYz+d9NHm9PvJSuln6hJRKYknm5guGZXdo2slD1cjsKdxN/vvYH1v8470KrKNrjYvYPVYdrzTtGoHcjKxWfQZ98Vd7d4IQC8/HKdhtRbH3S1YGUlPJS4XDW3sv/ENHxZag3MiSWKe+HMUpo/nUaP08CO1FtmaC5aUGvI5SDlsX2A4DOI1uwElQNpLHL6s2Z1FSoUL2uYpgKcO/Re6vGseDVsBZLS/YK4t2xIn1KGs9sx,iv:vFquLNldD2BvV1naEa2pY2kwcEDaRn4fQWCXDR1uhps=,tag:g/d36uvHwCIsjV9VlYDt8A==,type:str]",
+							"headscale_acl": "ENC[AES256_GCM,data:rq+kWZ6gOQBXTLpcIO2JQ55ovQ0s+G0M4FvvVL8cBWW0eHklusMihDZrpqqxcSjevqQ9obmciOyk3/9M8dm9J7NNgMUj7anPkylFf6nMju/Jgj6yrxvURNPCL25fn0OVWe9KfBQJHMe8RkDgWDIeXiE1QWGeu8t7PjW7vcsXwi/9JOmFURtrmnin2F0yNlQqaxGKVcyYu3kwsNxXPMFvL60wSsvc6R5yL2nxEfxGzwIBmO/xASBI7LNcP/QUlpL/1KYzLmuvNEnMTc6Z85WxxnF3c3evQ/KVySI4f7SL1tRevs2KKLPe4JL6Qb8l7NbPreXgd8z8v+vfQX6PDNxCuF9+9HqczEZwUbdk5CRHXNhBwE3N+XcmVFWchLqYXSRqrrp4Khg1jl99vGEvRlG0n86ARIEfskQEkV6WyY+3XjT8ocS4kVtWs8OuDDUedJQynGRx7/zYAw/Ddmq6paHaHE4mPP6eSiyiOsJZHRV5qutT7/c35il6zJDFNTFZyxoRSC7IlqrVEuJ8IfBK/i4GXNSSC7/DRroPdch3xOPth30cL9GzDnFi8PrXY7U9Jzf6Si6C8BzjhLH6Vci2s+xqBmObWmc8rStBseE7Qprj482fUfUWKRZVmQe7mvCUkfdPYtswpcDfIehpBYnZnXHK4jL1i3Xchl1A/mYrskelsi4R93BbB4Zz/hevaz2oSyTEk/b6e5cAJy5cR3xX6OrybLnjicqpTfZctYbus52KYFk5h8fyihBlmGx8xUf/niL/MbhRmyKFuXKX6+pFzFgM4VUXfDaZtN98upYVOmmOPQK8Sv+2YvdU6iLxsEyM+TBBgSV8bWHt1kVsat134QM73y9JeX8fogCrzKHk1TscKFCmeIvpHfwC914OiHzdodLjV5nD9AgyP1ZKfy3USqZen03oCIATETt/5O5omv1GppCQ15fAdgchKfxwDswzgZy+R1SqWqABvQMmMJaxnexMqLeiNfYOUNTGFddwWXtTKVfnynkfSgWvm1ELeRiddk6xF83H5gebY2Jc+xOesA4lCGhV2m3hx7fZgp41ITfWUrWgWC7/+8dP6URh8e8Fsg/YGp662RAU3JgOpCooZjYMg4jVpIIMmWJrlKdqanzqXauEFjLo7z0HvynVCNhtUraNSD3nMlbaYdF9LNJLzrX6K3d/Q0HGgW/0ylLj111m5hyQwUQlyZA7onrABpyVdhWr9N60A6cvqcxruR3xxdNSALOIA3EE78ctuWV23OGMVpuPlPqBt3/hwkPmyyOLbbcfBQtb6wTgoozbK/DiT2s39igIua6UBgyZKmoLuK1vXDjkwAd1VU3M9IdbnpJ3boPZfYiqJ3sggctrUUBRerzGgdMmsCHwcG61GdqlBLbt7/eb/41ImqodeO0JedDew74zGJg3xyYhA7MIsLkdXky7F37vuCBxWwZ0ez56sOoJopjpAcLOaULTOaw3Sl7vy2MJUbQsUaagb4thSCgJ2C+T70/yoqBrMkLnpGj2Gxs/oHWrEVowcgTt76k8eHV/ustIzfn8LlqFIc39dncFmlnc0/cZw1G1Nd7MJ+Wq/Adri+eGv9WaevEfY3+DVABdm3xMPsXvsI6ecHwWVlNcSVSJg7oJwU0zlSB5raLJlpiT0VFfAhaEDGamRDrc4FWUsJh854XAM227t87NJQ4QfY+hNMofLg7hnTfuknjXFmleu6Gu/Tm11GgtCpgrItUeZJRqeaKjRNkrYzjiNxlAxdDmywF3j3PxTdnH6DPJ9jwPqn6qt/mA8/yOpw0FZhNmBNONSz1pFEcAhmw1BrrPeYSxfpIxKGzCwbz/Qn8R0cqq3yfQwmVE9ZPIg1xplHshiCVDREmwCf8HKDaXVDA6bFh1Inf2cB3rnmtCYk9VcqGopPncOXgCrqvIFFliyPAAiPaVf5u4jPwECRTSaNMK856HCNZD2JpAohNuONfYUG/PuQYsd5XMw/uLyLkT4dhdut79AB2Tg9t3Q7HZXkoq06Pmo08jhlFRh5ESY4in1emtBm+882g6IdzH9RHOIDXeb9rgV/3QR+PZ+YuUquK5ZkOhKf5V2KprYuaz1mBVU0K+5oYaexCsXAurEa5Lg5KDh5QbxcESycUMmerz44pXmi/wMyNzKKCROUhJuwNkUq3rPQJS11RRy5Z1vY5j29Sa708VU2LWa4X+khznNDSgWEjJ5LZRLTlhyMrvVhIn0F2cFcGJ7+/BBnisCxA2wYyus8dIXskTHS0hOJ3Do38ZoPU5qRaTeenei3RWqhPK/+y7sV/Qr1lkXsUIFcOJPifpm4I99/P+ISNQI+Ss/wdguC2Hv0tDmtl6Nx/paIT9Ihzr4g/qcC6qV8+k14QUjfrn6kASiOvf4uubimQxUJibdsKKmXHcf9FdxVCT7HqsnYh3cS2B+tVGuTBIJiFvg13Z01RrLX/7wZvn0ZbTHGG/WuEnU+HgY0bnrcMlm66dKaCn+WRSH12xbS+NVb3wfPRAt3RMhgAH7hyT+CKpEgKS4XFJsV/0zEDcPp1Z1GeK00BupRyIGYCNkP+66PU8my72i+cuJsk/oVAL/gJjBrW4/AWoNVPSeZG8zto51GPorKrsLpmenzbEyFru+AP3bkqLU3NU4cK8foGgntsoBuGNdiCuCY8SZDlm5MhOX/T1bCmfvj+p5oFS8Lt1rwfWfjFby1gl8keZjw6cFnrH+GmSEomJ5N7xINjGmopWB2Z4y4IRVedNMgrQZ+MjKV4ncgJMelecIJbwYutq+09NVhxNfnlPpX5igfc0TcCOKWQIjoWrx8Bbj2LWLEiTj7enuxUMjJYYzaKvosfzPID4PEyAAcWHNmTzwiOWEfMtTcgBfbzY+RN1YCvutGfOgyta2rwSPqhBt8lweGWH6333+9ccrSToqkRSQsqpE4H6SkngJ5aayD69KcYtZW/4lzTj8DRJ7jLPoY8SOZghZBW/4NyQ59IPAVkg2sLmgzgIZHq6p9pohgcYoFh0In4s+TDMiGYsA50tpE1giIRVOwLccBMI4Jb1eob01848BYdTGIeotpiJAUdBxKDEEsNoOoPxVpuY4U48d2Wn5xj3jMm3ylaqOj1qEzip6NYTxSOlGB5htkndtdwaUtffVLA8UnSt7VlcK9DsBCwGXKyC0tC+cHbd4K5fOV66/49vTlMHnQGmlDAB9ZXKhszIpDom0LrthysYOIxHKr+36SAC9Hd7wP/TqlrsGIi8dqtHmqtl8WPPZQ4VmstBTWSNcLVf/IKG/fWEO7VDetpPYmwVxpBmnP5MvUkfXA9IAD+1jgM17nJI6eCXPm03C3vLMVhznJY6MwfOIyaBXbFHVPk6PCyW4y316gFZHIBnag6Y7klso/Ca5/7ebKPkyKDtNAo7WKrSP9U4R619Z+8CH6AcdkKJE3cl65zrq3UH8TY3BCxT9okZB5hV35PzzyYAc6nc9sv4VFVTXuIxgpnBgMsGNfc4KReN7318vXrKrQPLtYeRFzNNGuadEO94pAQPLr3nc4KgWBdoo3eGrg4C2vvnnrrbjzLH/LIA0NPi/OqeTUrSDQZpj3KmWTisCEn8HzYt1bNklwcTf8ZW2eo20wLeSGP9V1nlZVuKeTpqELD3KO+nXSEy1hySq3iUkwPpVnO/68dznIT0agy45Mjxw9G+Vo/GECO8/rEfWsG0lW7aabF7W5ZTcI8LFutiRUu3MbYkSNvBjDzGXPPJIuaXJd0t7bHMtjCUq4ZXGt1OmfQnFStx+FRFDDQ9UNh7+zEE0cOLT/jgyfGeGga2dDEh4ytTYs3imGRpx4eB1er07ompL2zGn8RbmQ2fqHrO7Md1SGmLljS09JxF28rw6TXZLSt7J8d9QG5PVF+9yVYXCe9yErGF33dGO4B42yeFifDGuDh+VsrhYh9Tgknn1/PgZ3TRNRQrU4iuaj92/m3hTtkRsYt90teaMBRNU0UpbQomBcJymbusRsybOpfifXDd/DQQFW50+jU4jC7Yd3K32qE01n9TierhwMawk+XBCHS6tpN6vL21a4Kfnv6+yX4eZ1g9qpwPwFQUiCLfPjqe8OvcSrP2v77sOqM9lVh1ygNjWKUS5A9/K2hWyrUprYP/rJqcKNpgoGpajCuT+neP6bPFH+fzzc8/U9HuDwJ5FTxqkZEgEEHDimaQDig2DpL/hHpjH52MTqwGUhpCr9GvkMtKC9l/yIb3ikHNPnYTQ+KOjQlsVXE3/5oUyx+/5ooXwu8beYDN/oaFMV6psJ03ry8Xr+K5UFDrViFL9k+zQuM3A7KhVDjHV7a7MWF62im3JY4BYgM3SQ943/VBy6N0vIy9fzCWAs43uGGXP6IiFFRVjKETYARPebfUFXQ+rQUE35LGRGLURE47Cu47qoCn2Qi5ixpJsqhM2SX74DRHRym+eWjS+XZqPn06FETMFfcMiABfsbp35+0tEM+88xdTrk9TCKEqd+I+VOEGFZvH7UXbutiD/2aFeyX3c4ggNTcL5lSSZJ3+lPM3DPURnbMfwpDHWrfYQ98BohXlkOyEGvStpXkRTtI5Gc+M+oYjyuxkjiLmOAFBEUVOwkkem1UUBqGJEy65a6tzs99mqjSsI7GYxC5BL9/+CyZ+V+i11X7XznCJVPiviZFXm8EpMc/49uSMOrUXandPAhpRu33pWV/9kSsnsZuW7zHloDDzk3bUdnbidpBSJFD0SUueYnICRnfe41hlULTYoMer4Rmi5SqK/hgHd7MmQDSCqCEeMKmPffYw2r94cU1X7sh/0307Yk8ZrL3d5e6mkL1U/i5nM45Hx/Yi18jEEMMH9EJz3xdvSuJd1991J0+/WHcT43pcUvqkawrgQPIC47KeKLx06L8piOkYvqjxAw+ZZ9UlwoVX970VhmVqAy14WHdK,iv:7vp77BOFrPv67NBWxgEgF8TceuN0QfAreegjYDlj/qg=,tag:bPJDPBf1i5sl5C2HrUqd9w==,type:str]",
+							"headscale_config": "ENC[AES256_GCM,data:qvz0a9SfVbkCqM5QgiBo2i+GdytfCyloXNgyJjsPJaTUc1p05G+x2J2JgWKkZkT0dxy6pHcZ2G9lnlzt19pOZk4+KXwheBzimA5bsb+RszBhm5Cq8kfnZOKILvnutVXWGbEKIL3RYDsPQokeSTc3tYdI//66wKX27/DOF0GT92EofLLNJhYSjTKMbVy3xdnnYvW9gQl5aCB+iW8PL7cJgAQx5iovln8B2KVHGIhDAvW537HeFz60vVvw+FepVQRv4Oni4R0kpn8m35bYKEiYCOtrxk+/Hu8tgqiup8bWLTZh/Tfzb3XQwgfChrIDp/v2ZXGyBHnFvv4bUdDuizgesj5Oz6+WNHqag0rYhTt2d2h4za4uvF7SGYYLxjRoI/0QpA/TTEIPt3KN5RKZBfhutVBFGQNHAGVCTF20l2snRid+UjQOQddtLsbbDyAmHU/v9pN0qKAy/ui533CgBWMgJvRjAvurm6jADtdaAdpwBsL0FNkUBcNpx2Y5cPDM3t51OqOTPSNuA317z6nm6IdF2uGv7cqrLGHGQfXOPjgbeqduWF31JMuVf0dNkE87/LxioowjFA+aFukunVA9bP2SZ9bf3Q6elvJPw8mNTeKSJc01Fqd5jGc5sDQw+afi8bdjsKhJUVMWZXGjwphun5vFGzvG2dYRZD2RCVldNCwnqio5mAN0WVNEK8NcZdsAOHeNtnFJwnLg8k5w9k3lnZp4U79R1dxMMznzROPjjIIlOTNcTNsVVUm29jCaby04LXM/PeXuPd6DZ+5HVO3dzLJ+W9oOauw0t+5S84HMMWbmHTvGJXA7e1dq5AMJYR6A2HDb6sVfwBbTOfUG/vXX0I/PIlPpd0CWYgXydl0VzDtyu2bxB9LCXMY+BqaQub4LYDxMJYTop2AmLMiciHcq3EE+lXUij5WuUxcXKoHdwihuyu2LbGRxv+chuCp2IuGFm7cYkab8tsNRMYdYOcnGgbqhVuGQ4u8xLB0MJKSkK9ZZw2mT5ychy3f6gEHyZ3IC4K1wwWDH9Mqfh1R9OsKq13edHrF9qcjdPqhjpTQAcACBd5Og2rJTq5yPr0oIAfGeF8n5q6UxDrHRMStH5QH/kQzgRjYimpR7L3mNKwp0TT0dwcB7rc7Vdxj54HrBrSZwD16d/BGBTkJvlx0up+0HuLSI5noMAocEQR9oFySmAGRNRbk3DPpGVdi4gno81ZnpuQLZdT7dTDZbmFKz1veHO1m/SYAX9+sww4+k+N+8pNHXAG8OGFK/cUp2xWPjY5jfV74FfQ1JFsmrgnT8HuxKvkeAZrEGT1XtP5MlZjQZP8Un6ZTs+woFhPn+sIWZagD9pe7PEHUSxPhYd+w6u7vK56scm6HCCEIJT6OYrMtKJVUqspVVLNmSVAQ/x/XM5yLsHCWnPfOxphAgp7h/QibFq2ybOXo5A+o3lLymVGVzxBlJYP5aXNFTvqdaWspKBjfCGPn45zYU5g5sIWkJYHK4oQIpz3g0MdCqL6+0cBI52k3jZk00/eXbkxdiTZR1qOH8IgtXUutc0tvU98IlXRM5+GE2SqQ/T9BhXTLT73g4MTF1T1k2lpxuLPnD8g7JPkBhNy04ZmvhtD4HCAC94w2uiYxegW2RvSB9tO7DoA6W2gw88vlyA67Gwfk+oHQxMftQ5TFthZ7hSJLSiu2lckSyiLUvTXYfMTWO2S9L+L11UfhElU0PV5uYexY1B1FBmRae/ufiGzMGZ9MfCcfTPWrIXga533OlFrk9VOxYl1ot1aUKLeJVPLqnxpE7s3dwEDQWYaNsMeWDTig5XOOerouQqAEPUuFIl5UFNM0t80JbFwlTEvjb33UKCMJ4qKNODHRUD7KDwcaj1lHPXM/YEJx2sL5DeOkfeITF9abqLZEf8E1aPV4tnMRz6NsyMsJkbwCwgYtgSuuaUoLkl+vhy1EzfJf0YRZkArh6KFEoJwT3OL0mE4LrnYTp+CFzJy6mhme0/ZeUJ9lhUDX23c2Fbnxqxrr4h1exsfS/zf1ySglNrRAt5ouqsYR3NGxEdJZXO85x1UEV/SoI7TLMEUq8bvkIRyljDIXRY5e5/5xEHxK3pg3o3CfhFbR7ZY/WWiPTTooH3wG28DKUUYrjQhXVnx++rxa2Yy/6zH9smX4Ooq+ZKFq+oIXpd1WSYO3b2fF16PCxKQ3q+Q3RAODpakVRafmv/KD1WYM14VlCLX5XjDccdHS9oL6N31axnDyv7i//F9PVks8CA93tK3+U11k1IJwagC3tJwvUaPOjdXBDIKX8m3CwR5yKy+dQm/2Lj3jPU57LO6hgIJGei/LWxN6GI1dDZFIA2iRyvTEq2Xgdrdje9UvlD9p1nazGw6q9IT+YNtMpsoBH9MWG27bRfT/1Sio3MJI+qD0pLFae4UpUsMHPWMCVLVX1k3ClUKRBgMwiqIKvZPowQC7ffmgRAbPKXiYG9wWGNQhmip7udRPLPZUpOX6+xSTZ3cF1zAh1EYBtbmFdapHPLM9Su6n2DYuhnb32o4b6IhseS0GoExw+VqqUqRrUpeLcBLXYdQJOveX+8soOS29oO/dF83gasjOF9RJ7gV3TOgjEcAHiRvSBpS7HeaGT14tGe8WH6EjWSiUNlkoeKnmLbPi56BmLyAKsVShWobYohZbq1p9ze1Z3WWX55gyX6TUdHSj/Tkk+jWVDraHvyWGZ/nrcRxgUHOYFE6AugSEVXFjMQ6Tie19cGx7kGegEp1hv53Chd2BlGjGC2V0+H1ZHmvcVQAtqN2GvN9o5NtOHwAB6ha1oCTmD6S4PXpuhl9NNoH3/ZSmG7kXZUEOPhWX2FKEq1PoUxuul01kkWlafXjWbnV59EpXcVQie2VkXkIfSabmsyfF4BGLiGuIHKgAVwVij6t5201HBTknMan4+sUWB2ssd7FEXOu5Ea9msmb0dTLdKqPUL9nhnVsSF78Tysiaz7vu7vlv7GQwfvahkQOsWjmz1CN+XzogoiboM6VyoZim5ioEh+CkywiFW5ZtiZN0fW59GLFvGJkBb+t14HEVfowz+v4huoEBC4tD8gmEAo6FjkKPCwA2Akr/OEBogufXzKHaJ1ZGjVzCzn72n2hSasnNz2Rw0nV8CQjk+I6HZiRxf41u/0Kzrr0HczsLxoNYEqdWdjw+v39SmrVBnPB5AHlSKeC4uoRSk6YqIs0fYSJODa0KfuWWi+UktQrMJZD8kLYR06gy7LQf8co3svSvTfwfoVSe7oAu+2WDEbN5dg1KB0B+ymS2BF7OtJFvyvoVzG4leio+pTeAlXQlp5cHVMusuI7OvfILxqMFBgeWCxTOAAPJmRfFZKwmcR2OSC9VlvIyQz0dQtamQ6UXkt791jGBImypUH7MebDNwxA9sdxB5uw9kvTuiKiWJ/jrwmnioQWxyFHcS7+QBRNPLSdwMxmkGkCg1viKX7itpealCfRV22p7e/3xRHHBTbX5NY9c6RujH8qPSX1sGK/DfkLlSjKlDI3t7Q78q1+8MZimenrhKO+eSAL1UnGtua5oT9Nb4+uOch/6l1vS4DMvJuqvBTX7VbfJUYbdjU7OY6A7cfZMJ4FLzqD+8zw8yAG8IEAArxsruq/TddvpBcV5N7UI0C9TlsVpv43E2ZP8tDuqJhnxo9BKLq309SczCaR63uk9HLpp1lrs9DuQlIe2pV4qfDlwfC25NUVgwBvYDzadJRTUUywKfxAkKYVqzbEmxJT5NPPbnMOq4h1kY5i4Z4MnkNn0HzT4+1qHzGWPut0J0yBx0gb5YCorNKXGjr8ixl1bfH2/vGl5q0WAHytE75LClTshLOCu8A525Uyv0XaXJm1scQWeChhhEb6sU+nf5OIS12d8egWu39oWV2dFtAcmllphcPwffxuVKy55myrXO3hQdXoVQSQdFUulb9JA551StM8hXIfRVy2EsPA2aZGYKk0TR3QzGEJWF1I17JRmzf2HU76H0TlFHzNNlCk65/5N4Kmmn57tyjI09EBy1PKudCaFLB5x/vnB3uLglk5yINC0XT1FoGa12MoKBv4uJfxzepCXLJ9ekolXyCUDjgBtzOJ1H4AvBXjR+Nk8bYbO4TRRSyZM3JtUBGWEWqJiusHN1iGyiXbill8Dd5bRoxTEI8+5o4yMcE6VPheoJTkza3VLVMVN4hbliCoDGXdOkWlNDiTcmZwIwb0eCLhiYIFj0ucCyEaRAPG3AkzJsNtuDCLgF1MZtjeCXkXpFHY+Tcr4px2zNtszOAwRZ3T9VOYkmAvDwopkeIMKTGv5GqQl4iGGzqT0Gzi43R+KiscRp95QlojnxlV/UVxPHJzbv/jGZ+r36NncE1mI/2AToTKhFFHBv8Vc9WVlcxqE15frDPXOb+PHtITIi4nfq/MjEB/Ycv09qKS7IOaE8FQdJ2GfMNvC0m8OP02bMEMIcAoeXMEVg2LLMQmmQUS2AW7MVBl7WCGrPCsa1VAo3KJOC0kZvMX9s3DASzTMlAY917Ep37jBRbYtFzH87Limh3XtV+rKN73/RIojaVA4XJHfHBMf3lMrcy23pznqm+L+qSYsoend7PBA+09WTcE8jP3q6JiYJbAnEtnZ8NUODWSD0Z8SqsWbsy+nC7hNKGoBQ5X0MR4BqqeyBPVgwiN5B2C6Uhp8T/UzvgLIC0LVYZGX9n8J7KPH8HLaEoxEgMojxJyA8CpT1xx2Lr8XLK/Kpp2jfyy5KNoEcVa9O98nzmKd3N2Wf1v5K8TbEm9u0Jr67K9gqMEE5TF86F1GEMo3QyUk1umLKbbd8KP4yK2Enm30xXwfUp5tw4876z6eVGmRNBy5j2yg8bfu5SvngsT1dhMlyx1EV09lFb/HnQLs4xZvNnbctxExBcE9gDgCFkVmQ7GaPG2Ff0wG9YWDtYz1/KLujO7BShRxz+K/qBPyjUgKiHZOIp8XwyebpOolrefM/fbnVDwQCsbtq6jL5Zu0dSERxBjXciBbEXCbXRsK49zX1Ca1y3s9mKYV2kbnR6foMOhfHSKIKzPpxKNi4gmN3vtesrB4IfLWGtD/wtg0BlP52uYniMj8BZqoFXB4iuOdYdxDkbZkuJ45ZEEIHOzwEzXdh99qgFUb0l9Iq2mIwLleTcMnYHImZwDtrp6/AXCd8abFi/6m4+lIDl1fU1YsaOEvwFlNsnoBv9IhSY1fTcusi/fP5rDYPYzaaJ4N0opu9csibKEyupyK5wvLXIkJPt6G62RPxanK2BH/aeKivrUvsLj/9YIUnEO7uKX2thQDafSU/SmAJ84PDNY8hZ5OX2+932YPM/EHkKKdaRwI9sBTY+hBGxzZ6Z0Gl2mvYgsXdnaHgpMWYriTR/g2P5hj/aO7cFdH8Ez1cXTSzVQYLMFOrP5WvMHOfed4v3Plsjaou33iMJsQtgz966gs6n0/YAG4PnYIcM3F3Px8blC/3H7FP3TMOiIRr7Icb3Abp9eKL76aEjIfSVMp9c+b7rwuVaNvWeDkYmpT2oNqa1uKxscqvVDZdz1VuuSDd9JWFEaFp5inba23FPX4FiEyPbZOeBLb8yU0GoNlLXIDRL1smyMYJWUw8jv2B2FvEqHtmLN+WPnjq5MKR7Nqy6li/9fdnw6NRNMlcWWwYIPG6d7/PSka6Wn9VdaQ8wghmfkBL25wN6rs7CoK510nUhULTHF/wXROQ0TJr8oEHUJw0E2IBAwcw9JYEralq9g6u9V/fezdMhIJ1pl4j6Dw8TaiUvqPYfg1dwneN8I3FJmXTe9kp4P2JQ2TA3HJWq2Q6eNeqY9CY1swNc2NTeYS9yTbE7z7zOEtZScFuho9Ynxi6QaDCt4qPrBhjvUwnRZc3WCRiy6BuULt7+b0ZN2/yyZ2m2s14lGT5S3Ws/q0mXM9VWaPeK/ahfDQCLgX9yT9uWDT2Nmq1L+CQxLTv+pGCWF5Xl2yq5uUBZacUrHa4l/f1qLpodd6pb+LbY2RfWWR+kNOoiqM8EoNU3gAfsnMlO08SQaMt9ow8hCKhU+HX5fFRQNI0K7O/3gNeStX7nWd5W/mBgTggbh0lK2YfyUZb87elygcr4XL0omegUn51KQt6YBvxp52w3JHPzIVSKtmMLSGkYDguMGTLm8qSHzU4L+UtKCacWfLC/FZMx3xWt9X9+XKaL+CLoENNqPpsdV51LyQ4fBHoOLqIyZL7zom5oUUyEzND3nCs/2PiN7ujeLxjbAGiGLrWy0/Rn0JmozuQnXeo8ewV1jnwLNita8wXwhRi0p0TMDMegTW/kvP0OFpY6XwVS9Ksj9hU/f5EUutmYKi0gVADpc1R7eQyIIvXW4F6nXcnYKDiM8oAwUJ0VGMwNhZXttzK41z9XrFMYxBC8JQ+tz5XEzU2CXVKTL88O1ky9eJ0UFfNzz82IaM8KcNLw3JgIvO9d5Gu1RSeWYrqPqAPOZZL2EnNEFaSslP2dMCr1Nc1Ty7RxS3xLNkDeW8/UKh0i8nEx/PAivS/sdlK8lx8721/RFmJ+WzmSO2hPgFwiYDAaMLYaQ5F0hbhLSfIPnH1h9wchQGhg1OdPCmUB0k4+PVIZ1lOzgRgj3IshKyggLIu2B5rPhw+kknsqzQIGqke31cadVaIXSIxEmfP49ZPllvUQk4kh+lVMwh9hT/1rVkQI1mAz1FrZnWiP2tnyCt9EoqbA+y5m1qQ6Yb85q1/8H4Vr5TKDxdmp2Xh1ttr6jaELdkmNqhb5ZL5FzXVl8q3+Gdjo5OpwBe6/HQcLJg2RT65r1zTHlVPZnlD09K2A3/R9Ady1VRf4i4MaravwbmIsrcnwfvYiLZTlSngfWWVN8kHi0hB5wwYjZFjLE/AW28F90dpNatK+5VkJHp/l+m5M9KW0e45QhghqhtgqkBKcJle3XWNxnEoPLhr8ZOp6L5zhE0qKqCvBLUFCn7xzaJsW5fRnjelMwcj2XofMI9lIyjGYO3IqW0VWBiKMVdVWRC7fPGnLMEOLgKwRJQGomY5kyjyjkqTBFn3EyiRwj9Ja4BAZykgVYf1iW9R10RNW+YxKexUWVGKQKqKA3SdvJusHmBWEZDV+LbxUhyGZnQRo8/yYACIho3uPWyEDXCzYY0bsOKXOuQAorvHzGG0YqAIrIZSRhyKoxNNe85YrU3VVvX0DVo81wkgXKOClQMl9xIj7Sm/TSQW691Lucn6TegwkDDk5vuaN4iyrCPpvqXnON3cXjOuCr79Rd5eV18sRqaTwH7d9z8w/SZmnD8shik8Aq4rNifkEQ8wdq4W0vBMHPmuEkfyR8vx8xYnWyHGD/RHkoDfK45RLlkT/OnHGJIi7rnYNTo07ysPVJgsqMSj9ct1AaHVk51mSBhRKKlr+Li5VwyV9w2XCsmDdMEZFq9ho7ieWTiDzkSCyo0OvSgk+Xzaj0Akyi+Nh0k10st+JiNa7bqrDoUP9LkMGPhmmOQ0bufxk0EwwbmsJoZEGfCSByNTnKviyFGjNfkbht0OeTOM9WFRFo86KLnl3SNHrDVyycas9xDo0/PFCthicM/VOmEJb0T8QdvvbhTFIN3gz7ccd1gf9C1si3jLogGUA1DNrt3nWO6TvjOoY4ZQVFGPXpMtm75G//S5jJZ4BU9Gn7tNqyCGKxqL2atyh9qcJlmVIcBxrmvQG11Wxd8GA9no4rVcw4vg0mSIdohWqadJ1akpked3Vc5YYqvU0GvNZdA0QBkndOKAtT1AHoI7+p4ayH97mJNrgvkOpoRpz5Pr4JCGpouq4lF1j+24T8lToboPlZ/W9pV05USW+85ZR0bVLrmHYzgQo6pO1mr1ZeADM+/tzpxrMRp7b4IPVOoG1NzZeiI6q2XK9fK/PSLr5olL7AXuDN3LH/mapAYKzh2XJILVjgqjK+MkdT7eKntZjgwUU1T7Ly5sNncSGgHWiWO9ovQX4gbDeE4i0mMH6WNrw0un6pi73D+W1GzJhfkQOjbynvCrIeCaljK2appAfWdDE6aPzIUcaQDZ1Q5y99Ssy1UkhWPN/IO34jxcdlkjRlODyJXQWQ3wB1jvCmrIUPaBdzhlTIQiBClVlyzuWIgv+aDBRyW4AuWlgXv9I+5B2jJOx2cC6rElPqSVZofUw2SxKqImkZ0zFJ9tf9JD6+SQbVXJNNqDl3NEeG6Q88lmEoROjHYG2JP1Ce78n+2MT/+XcTxTvbgjrOPFJSJCTO29J+R0SJ/3NMHcKzF4MGykaGlElWLFP8ayLyq9tKLyF+gCYzZAzyHaTt6dvbkuMVF2wEN4US+LloLcvsKt7XQL0rSTXdTCqRCmR5CTkpvThSYN6bvPgTjxWins9PO0a2PnjnSctK93r/q8cpZg7+agtUOy7xkxkbk/c/1Kj3tRCpEM4Dz7456czfG/4TMzaXTfN9CzajsjDa97QOYTmvb1guRqOPDrsmjBs615Vliipe9uSzHbWrjbu354gM2LUcRSyYnNmo7PUeRzuVbeuB0wIVXass0i1jjOQoCyTEwVc/hj5veTS/MFx3i2LVdpUEa8oZ4twbrwjsM0mTudVexFXsCOspSANhKuiDD1D4hsXIGu3NrOIRtskR/te/mh/70KtxFhsLL1bjWlFKWwvTBWgpeOqgyovNTnq2tZgJzLz+BIcvlt63rSSYiKHTCCxoHdDrGSoxT3TpfkNcWE8CJyZ2UT53e6Pb9ufBzcvdkB+o1BwRdUy2/mehBLbiy/QteADyOBsKYx0A42kKHUPuzs/r3tVxTHNYudtpsBlm7mIbbVnLzbMyUXa+jtxDS7qAo96pdw2oEPEQd3DlXZKXYkVdlcf6782PR1luy/rsbo2tdITSKWh2NtG4qs2HIm9NKKIGIz8o2FmfyXuPKkratfaVc/MGbYfppFvAVeEqmSPcITKwpVGym3usrZmwv8lu2lk/AJvmFjfn8XsO4msSD49wipHZS6lWxgcHm/akeFB72wGBSlhUNwpsV4jZIPcE8x8tpneFenImHI8HdVbgWuSqCT8AVRUes2YU8oN34WPzx7VeZqnKH0+dsH4rjs332eELc7m7FrhInXznET/T+p3RHZG0trRyxJGH2ypKqq9A7xQl2c3X66ynbcmzOzxQXT0G+BBN5s1M0wmX4dwe8l/BpT+QypZhaodVfPCwT9SV5fvmTVkYLoqkaDphuUelEdu5mr5m9aRQoCLX7QHeUYYHRV+tXg8fK+DJGukksaoemaNt0DXxaGxP0wqoWDPvy/OkAJxPHfM80CW4toFImj0CsgoTaLzVatVyj02XaMvunOcvQ/D+KKTi0qZQZGTvRYktwKF9JC2l1yx9w+xIxNT9vxjhVmfnGxcCTTKuUyBOB/zXl7tyN4JnBf0m9d3mYAJfBuabbt7x5oPKkOtN6dkyL+wcyWsPI77P0GlFZLdQsCSpy39R6yHGC77sesTs+ZmhdKLowV+w0yr4UuVUx0AxB9QbI83FXDtygcR6WtjHN6Lmh3fum9gcAds7opxHqpyASgjkOvchP6sFIE46JVaYN89xzhcOVgQU0SJdobZuacAZu9qrzz4+AxLLGOJDpdf7nV9asWaOU0uJ+IA7ECn3cNLe/KZxsCA7RjOwq0K8vFjOmPfO2wb5S4McTvgUT+jAmzUo6ell+9ErpzdMlh8HCGInEy6LE/TkojB2T0Wp0RkQlyOnRATdgcFlSU56w+m7RWpm25H/kWa0s+znBjArQ0/S7PNiFhkcWuucfLxGuMMZ0aaVJXEvFKwQyCloitwKm0GIBozwqirQ5zVZh9hyLc1jc3ibxxpM7kgspEofIuBRialvugY+nER3hE7v1vrEHalqT4VPKVpTfTct+q7gWPt5QcoDu8s+kconv3XnkDGdtB5/CAUmkqa0ge4uXkohPyBeDLlSro7n172nh3wn33hWvgOG/YHhZqaQkRT8VRhMf3mNt0nPkao+oG1ADSBEH71hxuDa5UPwQ3uONqPYHMfKhNyvFsL6PvvxdV4JWhfOiAqr4PvRR5eq9XjeQrfGOaiXTObs2LUiZ/jXiZRzuPy2cYZK2oRucqB4QNdCf3OPoxT1owYv55C28AqOFJyRCZkemkifCtm6A1OB+U4mUPeaaFkKN6oocQ27PeU4JMu77L6YT/Xl2ToidyklVfo+XmAckNZpU+O27KjRJCl9v9/voj776Nrejj6s1yS97WhxMMe7fCHDd3Oh5AszQpdwm5kyhpvKQmZZRGalUEoT048ykV4VAxDDepngaQg/q/w63iSkrw9QGutt4wuMZFUJ+pB7SFIEYKwuqe9bhR1BfSboTlsDlb4l/l1C8TVuqbqroiVL/zk1/be2WIi1lRZXKCqqX/jUZmkTnSLUskSVQDmCs8JEiAbVjCKTCG7HwXbsHjim4SD4D/SWMFDHLjhiQJk0JfYd6cng6gy8SLiLOf3O3aMyAZykK50bx/sWIqqyBbEwVY1poNSoHKaKczdNPB24vVhhsfWNLQW5edjE1xt/d7pQVn2erJVHkq1hr3TwcI7C+aKZ58GUflJ8Janj2aDAbIr1t0nXhURKN1h1Zm3EQdsm0Amkj4wA1p8nELJYzfJ/GUX/i/CSvMw7qLaqN4BgBpzhE2JeF6ph0NH+MjOL/X3RA7Z1zGV2Hp2JMbokHA3O17xPQ5j1IDax4pcP5XNJ3s7ivmunJ1ma4x+UNDoENHjlxcqXOLyDD7q+TNXrqvXY/siD1FgGbwG5U0O4Y18FRcjFRFky8RJ+/i1YILvrsrAITAzYg6KPGORfJK/TDp2T/s7dsxokegAhd7oY+sJLzjEImghEtpr4C9b3y+2lJ6z2KNN66teoR2ZdEjopYmx9VrITG2qfBuymMAECjJQ5HRGgXzmo7dwT+u8jU04tjlCa2ALvhynmGyYbzWOTeoIZf4YG4akJsAy0/yGXzpbIeUkEfspr7d+F6PWo6vLfMmX/4Rwy+syM8bbZM9Y2ErljIgqx8lSRwycXcPJP6w/5uwpIhY/ZbAZBi5pe+lHB5NE/u3lZ+yJMWxo1HL5jLbU1DHJQFzbaBM1SJS+7ICrCSq2H3Q8+M7DWoYS/P2exgLveiMk1HG2a33YWkRaEsLiE1ZSvY0JJ81I2vAitMa/oc3D8XJF2Ids/xMc4vPW+jxc5A6arTo68RYsk1QYrRQ7Lavu3iT88+QWm2Iq1LNLnwlnBO5PgH1USZdmJ6PNqV8nYHnOOwySUXyrDgzkbHL+6RM2z53zVLkMQ9aQLtBdtjZIgfjOJCsm6jA92trvYPSWN+qjn8Bz9fW9ozF6t8RXEsIHOHsvMQLRM7AUFPhWTiZVprC9DNm0jJppk/5a9rdqaCeDLzFFNixHcjBaaWt/436w4f8v5+MTZddNOtlMwsEe+M7QoudCS/ySI5SNXUqD2Tob86mXvzKx8cqbxZFYcoxAmW4/QT5UjMMstAGIbBXJWXYLcutoCpFPoyNR7eqFSFQ784+PTQdqorVUjtU0FsBPGZb0VrS1l44mXVmmg/PXuUwKWgal1+2yy93xjK0h+RgVhrLWcvkobXwyp/z6qjCDsT584qVuB1Any8jk5dYAp89f9sIN973pzuEZ8uRa5dpFPrk57gPo0fwtFL7NyoVUJWg4UEd4peLH8eBH+Ar4qcSKoT/0JZnjG7pc8uQQCHvMw9wZ3xVKznmqoQCUmze6d5Dqlog1enpTfP96k2zII7CrBocEFICGb0mUjAsY2zdBDQC7oz5bRPjFsEiknWoWWbFak8cmlNYTXX70wR4kzYs3+NaGg4uAfnXJy0vUubKlQdhwRjlPiEYp119AbH9mNaCN3IiGXE4lcXyAOj8AckZleGQ7DXKE+y4whABiTVQ9euDcSc7a92Ghz/ZPRI/giqhBadaede3wv96DBScxOOm0Flr2zsskQpMMISYL+1nWI92sWMnXz0Wt7NGBLtYiFZSZFpKAZpAfTTfbZjxmgBydkZ//vHRyapv4JaZ8DeNN1lxPU24rU1xby/DnQS5C5yuoh419KSppSrzjAvHQzZIGobe9cf8NKjxRvdhStdX3Uxc4zwPluHP6iqajIIRC/QsIJ4bzRWUjZbF3XMJECyVrQtoU5nxeTXKCBHpJsF7AFGyO/BMjPTgJqWXC6jOV2GLuMAUYAQvWJoD8yQLmZpIciyopb4oxdpOmLzWAPlXgtShG4DNGSCsCfn59TbX0XowjrMGQqjxIq2BbBf+7ElPmK6ZGA5JKh0mja5+22S2Mq0zBlB1jUzDfl1RCjVxydQLnqwB/WPbAC4ZW9Fg51ZR/+4oxmcpOMnDoGEw/UHE+WHFQKuHXuzjfIRjdCv1QNv+gyEzcOC9vsO6VnCdE/pYvJWCOENSjWc9yZAoTb+W4vQE54uVggpp89YHkJ5cqasww3DnIJ39NEnbxMvm7Mm/mhW7wFp4CvZsiF+oMfMjv/0Ykz7CnUDC3SNnrz2LHyuSOzWhSE+3yg5DvCqVBCIvmLvveIxLhpyNtjYfcNlAmjJcvz6lOgTi6WtLvvzUQvWz9fNM2ypWFIc8AUqBHk72rjSEznfc0+ZVXxIumPDDd0VnJPBx0C1SHG0o7mgFj9WFsM3zBmmAQIEVde0SezRJeUB8lJsFlCysCgsv040SAfk+WlTLqXSDaVMFwS6iHJHhgha483ONqlvHlGEjnpEnc7FusLQY7idiJvB6aqVNmqxu0+6syzUwrklaqHPu5iUzQxqOnC/wYu+7h88lxkD/6E+1FW4Jp84xQk+m0QozZLyznjWXcoG5LaodhO6mAzxC1eI/Azd9g6JjAf6x24wWzCMPMqtCL0NqHXG29APeR+r6qagwL4Os//mdHZuvYK/GZ8AK031J/WrwkOBFQ1BhzQSaYyQQF3He7x+A5vWPZNAvEIziEqHxdb+kosdMfzPeRO0xK5ujy3wYFdP93TA/6OxUCPsLQgbCqRhmo9qNFjqkhMSmwMHg/NBPQR71Ohwf52r6n3shKd8U+65Wrj0qUJfDiHtwXRgHwx6A5yzKVWEG12vuIX6Sbsul7aYvtB+WpoDQhs87ypx2ZyKW7EtMbEy/H+HQ7ytQ5PUlB1/zeivB9G/ZL2W8fqkAFmMNBq67xcCYERPF3lMYXSuuf0mFrjGbyD9yRE2J4yoxxaJC4DOCwfac6G2os6TsKnc4oQ8+mPnUP89WmEMZfFnztn5IG7dBBjszQJbnnEIPyjnruU2YHnEcUxypyG5tVZpwm1FzUr35UEyXbJKYg2+zIBfmkNinB54ffC8hQuWsa3Uq1PCtER2y5kTM7VH9WV6A1vSyc0eemG1CmnJrghGrtMO6dZ4ICFAF2KxTSTolOv4T1d/E9yYetgBwe/viTB3oK0mGafZb0SVlCRzTGmpxCvNxSWK4Wu/Lcthf+j+2iAJNnkjbdQZabC4YQF6kvWAvJ+DQOvrDNDamteJgudc9TBjp2lHsqO5Lu5NUFHu+7nXZo+OBj2zJLkQHny40hwUlg4lQBQl0qf/fcaNtOwrOAL4kvHy1z6X7DPVOTkF6KQ+57TQCM1XfBQq9A/IVF6sEG2ovU2JdMfm+/oxjT9gmZiQkTfN7IFSre9klTp+go8CrJBtQSnrhhNsi7owimJT1tqUuKupf38RTEIUhIehwlSYX2eMZwPMXS++xGamwVFHIHz9mxw9OWEcg2HDgHiEzXwbDFo4CmJHsWM0tVptEXgu3Rr/dXCwtGHTjIn359wpocPd8NnrqP81z1E/HGEVvFclOT8qqKvBMv2MQqU/h26L9YhIsnCqntG08KYnRAXRaX8Vay6bmZojqgB1Su6owX5Rry3ryxASx6kZ/hPIOY3jkU1+kpnzwKU/9DjfLy32LZ1hksasLtxBE5i5b0X0ZUA9hop1lgqeiCD6SU3TDrB4A62GCJuNLZrxvir1YMLcMFp1F2oUqKg/cvNr9RPj+LHvmdqKADu54EdPFCZx/5Vn4QVnhapr/BvsOa4Ah7qYbz6PfsmX7zxs7PU2GCWbSnLQ+X6IBuRXNV5wzVXF53GsUzl7+bfdEFOgNcr9YX8FwbZBX9htBy0i7Wn5XkoX9Y66KToec9wp/nhAfstB6pkO//jQaJeUIgVJbs+H7DIWTXphPXIaZmHlV9XrCn/Ds5EqbCWb0dUvyvcSI6qNtoDqrHQ9Pi8j8eEE9q8jCGKPbSHrIPyJDdhm3bPC05y2WZMhSVpTA90ewI0cXvFSy6FecDcrWebyb5A7VG+f8wyccc8aoIsnZ5V5cMoxxjc8z/clqejUH2IPK+tYvw4dTxdZeCTLiGuX7aJhNs1nz2iRgFo0RAFhJruv5X1AEPVONS8COHdUO0g4DzmsugxPt38YR+fvRsOb59O2iL5PTqBmhEIqY+Dqu8r8qaSPlBE5Ao3qozjiTevhOYY4dEUmdg3zxvqJSDZ+S7Ps5qYw4UFquTA7yzdTdHOL1hcne7j9ggESSqPFcffPin1h7BsTA1SWSlj/3+1W5AjrERIiI/Y6Ohk3bTTVc1+91wHDoCmoZqgiTvo1CMca38+YEivGQ/FZLghPwrJ48VspxEEmQFwLbZPxTsf/B44/8mrli/Nq3/lZ/YAKRjp6Kt/BtcMRE+h8zlsWrEuSg9cia0rl2pCOcJvJBV9dgEZoVLj7y5Xgg3qF0O3F5m9gplJ5jw0AQjQaIkWPWplID9qwXsh4mluY37qKe4MAxUKsZFs0/CetsJL1xsgGmq+sWJRzumO+EOQir8WPgIZYtzc7LxeS0hGwOGYDcNr7zsOTTNobtdlGnCruSKuSt2fMTRF3QscJ5cOG9+EpvkA6Umcurwl8DJmAtVAnmF5PSmZS/NBCnmG5HGjdB+L3y1jxeqRct6T/s44YXztrNqqQ2OVJDLD//yJnhN1TYmNfHqHHXyXYQIJQGkDase3VteFOnjOnt9ydUL2atmHKDSe1piSKIyPqb+YMiYY/mYUQvX6GmSUzAQwIlHF0FTsKmV4UGyroIUID4kk1LWGW2eeT4FTbJ4hGgC3nh6xGtTCCRl1wM9Qg7OyauQyTK2EWraajpkJToPb3BwQrWRPoxKO2bO9V0DM+09/8tekJKif0RxCDqeBi0ka605ru44xWsNlzvOSn8/ubW3XVYuStV5Shjp8r/qwH+fFv6PMn9KBmB/2xnn7yVPZc4sCir09M+K4mkNDnVL3VYzAMih9LeX38kPPu2FE8OLIuvT8xAHuH5KtzWr/F3LsWgGo3xJnNb8WAXcHzW036DaGp0CWksfJUEZXCwgzd8vzIW5pSytugMmyi82+Jdz5Ch2z7f37cBXOKVadyWJNbjm2uTXgUZKNASAjhQOhB5i46DL4wEzAz9gUi+U39FZSElQpIo0lt1fFiuN5u5S+sbhP5KpcJf+GpM5OU7oTzV8+y+oxWTeP9dxObhm+AxH2n4q6QtiZEN+MkMeZTF6lVWTd1eERsquuVi9WbAIbOWpzum7UOc8foD2gBC0+vQ+wpHk5CMyNCIuw53iReNwaKcCcQgFtMYASuKaotTWXyxUdeYM8o5DUrA3fVXdryLf1y7exJCD2wnsZdMVqpZdmUA3b24qjhDx6FyBtMRLMWx6l6447IYnsq+aSZXHa3N/89YeKm7jAuSD6vXRLhtVFfR5W6xBLVOdzQXWVGOzeQjZRFxtY2HUtUqrzIE5emLwUru/jUYzQjrzLmkM9URxQKNXENa0P8Fludu9Jhd4Y59em8ViyjlapqQ0G8IFNHbflm0T2LJOQjG/iDQSMs9l7c7d9hVM/aIJEXUwE6atBQnnbkH/yEu7eujpefyygKwPAV26PCXe5h6WFhP0mcfOv2FelopNHxXYWeykujyAaCzXMhUKxI73BGfDx/T7WIk0N2O6E8v9noMel2w0p1lo1iqbt4zLbwK/ZcSa5cXKnjNGRKbJAWJHDBfZvTPb9mbxXzbvBYFIqiHdBnONmJL/a9OiIcJaMQ3888hDCAEPqMsTOVO+Y0Azgr15Cl951foaAkFn8UyvA61IgG4Tndoo5LHPsidbG81hTssTlbjeUeXiwGolE1B4Ls4owFnkSUmr0ibMNOFuZC9Jgc8Fh6Xjjb9tKwJJgrxtUCZUVrCm7KsHqabSZV6JaGntkAKGVlwZm5Vm2v5vE5P+sTNMJiIcwOXtKb3JCLcuFJa6c3XWUTHv15TfNLMs/1mhodTrvLhJ6U3dD5I6brSJAJBJG0t+287I5LZfSF7gEk77mb9t8u5ov/BTulg9AS2It7XplwDKDxwwjjEfXyVLHJjyKgGhds7dVzVXZX0f13hTGUPxISn6nwMQnwfpIWYkLBPkv6gjYICfFpkUUD9MNMeC+PAdaqTBgNsKNYey+SLFS2rt4N9Mmo/c5BMEQmbIDlymuDbfRa0QZZevfZ9BpT6p8sh2O9O8LVfJQXLiifg5KA9VDE6fsVvfqxZTfhv4izNXoJ5mGwm+obixlsub7duUJjrSGiAWmGCbW5584zuzWyW/TBDRdL7rp1w+biqwLyTDwgFqDk8MiO2HrrumY19tfJUClLzm3O/O9g6tAZKQZqlWFewU1Zfn+gKrlyELaHjjiT62+0+YZJ4bczMXhvQQH9aiol7dl+9969z1o8pOQX2WOBlIDGNKXzkkT3OuzkkD8HRverxsse1tVPhcc5qwLd5CnSMPPMyEs8v35nIxMqvsMLijnj2saZzu6J6g9O3d/gZ2WBdICWqgzOzQh2lJ5gf0FEu2CcITQLPyj9CxRoF81Tmx9XheKHbkB2jglpYY1gZZT9oSxH9NZELhNRv3pSMuAeDSCsr2x/yl4LCMOJY+dfCaxLMAYBBv0T2XYjk9RBLorh3RTknUSxQRddH59qhXXPRhN69SGk1SS4ZEsv2IZ/dDtbCBH6az8wzCaqYyO+ZkdpCpuWw0Eyssgl3wD0CxDAVAgsQckn/9MXxcMyJKyp5I9De1PPdX37sSVrd7EUls2jcbLHc4PU4XcJakI0vvvPB/r7JDZi0TIeqGmoWACHSodQMvUFYW6UHGR86opZ8idWEVSA0v03QM5eJXD2Z2PVV7Yg00jmdGP+lwfiMMd+i3zl1uoyRLyS6/1bO3R2KifBj8iGAuQmsU4dBreQ2LimI2GuBqK8HtK9VX7U2SjkjJgIXXixEhc+HoDiEL3h+hHSS8U/2zAeKG3DfjmucxDFAK484KY3CzdSUelbK5dwybX+AMZ3LCtW/Qbus7Osr0w0t014LVz3jI5CrksrWo/EcZaN6Gkh6XC3SGseUTOvjWrAO5rRIouAFH3TXiiHQEbMQDEFH/im3KT6C0agJvhlxoDp6udDVTsQNEOEwIw1BgGZGWv7Bn6M/1EmIhui3Q7iZXH2CQK1bqcEjw5Y+iBn6+U1RH531DFSHsFDH/ZRFs0ofVrtka+ZcIK/URjqd5v+2pveKQwBoTI2e5XbevzgBfu1c/vomtUsFwD+aL7BPQXeDcgBI1T2C4WCIhOeaYvsy4b8Wx0H4vatq68Fwqt2JmoyGg6wYNiApGI3bvgsjmFa8tCKXfJEyvJNeGsHh3w==,iv:vwrpzayhHJo+arXQoeRCe4JvQZ6onEG+QnG5A5gNLps=,tag:A2xvZvXjpthN1U02hQesng==,type:str]",
+							"headscale_derp_map": "ENC[AES256_GCM,data:JP+zvRtPVcmUCnxR6DbPl5E0lMXDoD0OfBCrY8Ve+6cR+0vslT7qf7M15LDVyo7CscjOKMGLTzffCQz5cc7BtoU/8EPucRjLCXMjigeGkhZINbsWFbPwj3mf9/p01KE3Y1OHgtaLz/GBjggFJ/W5vhugB3YxyocNGEAkXiMGenQDa8jUY7C0bwTHL7sLFT4sOx5nijZwibhRdanVQtM9RG63NVOhNr3fr7cEWDvA/IX3sXXmsVmQln5PMd31bkS6dGkLbSGVkSW6BtjtM+2kLdFytp05bvB6qQF7Xv8wZPLSkVRVfVXeekEEJzNpIJyUImcA5EfM+0V1p7fcu1d5dxp+Sfdn8wXfMKy6YXjqqcLDsX++pgPA6mRl4v9QTspI+sRTpdPi579Fak4bltp7G04lndkdnZnC7a1athTSWO7/d7++VaoLntdAfmMhGVKTRurXLB6Yt/hvLUF/Za9hsVI7rWKnanW9b33WM6d4w5u50ORuxXYudCamcFSPAMuCx5euYFIyxmr6w8bwUGHQLq1GJtOUnCf8mC3CvvrzRqDikVjka+q707/vuzCVvmi6oUzCu0vRrpD+W87qvMJ0Rk+AL94e/rj4kUidljdGlAqnCK5ZFCiEs6y4USO4RFCpexSYehv0pBSFpuQ0F6SnR7toAi9sIAygUaJlx22yr+RxTVZFlo2G5Jg6ubiPYPeUdOyvu1SSEL9RGi0LkMCe6E02Y3RsH/yIDaGX8J8EEYvo1PjckRU0Qr7SF/rEjVj2reLFcIgW7r/7VTs/akz8CzDobszxeEnRD8FTrbnkYWRCi18c1v+cyTWa56ezbLD+ztlsdCgfLR4eltPQTr4aTNAz5CvPu8lwWIT+GTkdxAbRi+Zrzwkqyh8vooGeQTbwVfPivfVZMx5QCLw3FMY0BC7f6rX4DUf4ZE0kqNKoWL86CWkBZbJGq3CdvARSvponEbn8JXptV28RbLTD/pfzIhN/fzOGWZ/yE23fqA//GoISmGIwhQO5zO1TpEV8B3yRnVccM0bMdOxBe5ATAcJguN8xJAs178i9A/triRPxnWSkUhOoJOwLn0NWmtmwkIAu13ADwkwhQz5FQfutss5V/deM98P+WmnS0RQm7aMl7EkrJ5wZZkD0Pb+5dob1w+oFrkfC0MI1Us6rHL12H8WYSkooWqPjOX4V9y5z/CRmVBpZGFZUqlkdZnv+FviCvUfNXpO1++z/60mqtV18Yb6plDF8P6Kr12IfdegTxALKjeADYfFbgD6c1hiQSeFuCtMjbiSVdOdZBF4jqzyU0WXSZolXxWG/4I5dtzOq62UzkkchzuHjUDoPn0JDPSh0BehuQQzFfSVq80iLrTpDQKSAePvbk9Gvi0PUN0jID98EpjqkVflquf31UHqcC2lNYK57JV/r+CpIaOhXD4lEa0p/Wc0uOEH9aTDBPCAKVM1v1WdeZGWOdrAhrihzDkRhM/LLZu3HrKwqwXBuBC+hLrGjiHisnzr5nrFjEgezwoSkc/2l56nfcx+FOKIFfrKxPeMuZ+kMlAASxauTEsgJwbzN0c8Xi7uG15meORN24grCM5rxs7b5jiyBjQh2dAnjJLlRTBJ44MYqJ4xRHOCnCe5yQyCNO22GpCNmVb5LeSkEcEGLUt9TUHCeDDYeSyiV3GBFqWp2oyqaQ50DWjvbbnKdgbcuEASwWqhbwPqP+X+pzDc2aDVkRXvm2KKX4LjLGJfmYXBLFY726xKyCa1ByG+YgWo1NC6i2NgSvc4x27X/oLuG1CtXV5SCE+147X1tQ0MO7fPJ8EQSUEBxJIrWkEwYfty49ZysZ/QqjPRdcIyVZy2/PsS1lqzTTbCVukLXH+K+YcgA1GIJECEV8GKrPdmU2DSZKdRDMSXkjACm21osLrcuWupJbM2RO6/cogu0k1/m45ziRJhpAMd88spkku9nWxWocTZ/vS+Ldza9C79/8w8gCWyl/eWGJJxQ4jvKYaWf+xDfIABk35BjD/yz6+WR0ri9j8oI4OZxtFc4iHpU7vKk1aJrRmJvfPYviC5UamP+PgBFxqZTkIvc0vDUgIIO/KjdfjNqCt17wX3szfj/xnvStii4v55RCjzMlDBgvKRQz1AJVSyoX57LXU1eAuu2sHNr2S+8PmXBNSWZUiJM5845fFTxonn9dDTwfj0mffhPLET8NkkSo/BTda+wloDcnLU2Afa9f8s/1M1HHV77Y77rDbLq24f43fIQrLlHt1qajc/oMIBQNRumEdx0uoSmwm0eIOl3CrJQQUqd59OkxnPbqUxtm4yqCHZQM6NiGdX9csS6mEJv3ZLpWl4l25tU7G041J289nXztsMESG4IdDe43uQySQL2v0flGOnGgoAX8oqpxUGIe62/l9QBLPEsYUXFKA8fKin676pss8KgMYSWGPfFiopmDB5sw/fDzJnAzxubS36FOSzR+evL4i5gUcWPxj/3AZeKH7YSN4JxavP82bGsqCsIZme/rjNps+1xoI7ZrY9wadzb7JGaiqvgUfT/U3GoUAn1DMHltBYQ+m3ZsGjB6eB1ta7vfRTo2CmMtyXtTV7HDDhEv2R0yNIIFsxJuxCdc5ZmdDJhmHvA80oibNDQl0otAAtKdekZWej+DT/zTLm/Vh9KWKDvPIU4GaSfixr1gtod+vN4y07IWyxrvxAWubxvp6Tb1yXLrYv8eus0qoFOpAO/ZFSzFn1MeUd1B6gK2eAKBxjvXV2ShIdKLuORmClBuw+F90R1zLJSYtKEhNaa6lIaMWG2JsWqkTxcgEDeXIbCe2Y9e0ElSN8RI0bupzouHfEI8iiNCXSQ/S7PXOkjWxL+UOfFRy/71TMkvga6xpmcCXabqOQx1bUrGbuKcGiISrI8aKi0eMOgPdNmvnF2wAMtXhA5BGbdxBNx0C3EuF/okbP6AAOKRSKGvEW7FETBAdFoWQSW69AtPLoWHhUBz2cMyuvuR7Cg1bFBVavx0BUnTnSYcMM2eFyNlZn4WI5AdNxfIsxfE6K5TMwYtc+KlaeqfsmPF79tLO5dA4ePZvc/wsWSgCKntIG50pq1goQBN7tfFCCLeRleXs6URIzvGJH4zpHDW6gy0ShB+f6OKiFBTRYc6gKVIpXlsWS+Ly0GDpLvL/Ma9dURffqnLA0hnNG4cZhp9wOf7gyDK3PCkYGSmqwO9u7TqUPThWiBFJarjN8Ya28PtmV3NDOrSOzvdba8cTOVbQtpZ8mpaMQW0leS84GF6B69AlHzu8+72MxPXZm9PP2I95r+9BYkl2mv3KjQnw1gx7WS2cY3gOuHHfTYeaLy+elgA/31xHO0b2WOKhF6buJv5y7dQHqNgKNNSZm9JdPXZmpc0IPTezvOLt7nEZuhNx988bMbuh2LCw/60i6nS1xm4mdXvaQChEbY2iSeFOeIq323CYZ52/odCNgI1bHI93yKNSLcAHn26Ie76S4iJxRkJ3QB4BDB34hiRRd4sePZV05x0fbgGtXqjnLjjJCvGTDZ4iaeOsCQkH5MvQlfmxNao7Pfjuh4hT9yAQxG+Tp26FyB6PerNneh7kYRT8DFiPH15TMAZmlUKE7Am9UKsPiIyFvP73TT836kOz7Biw8M6E05QOA9krRUAtBV9dThKDllrHSibg1QGpLRQ7O8xPd2GVRJITc+ha6kT8RqQKD/FSTTSVapYnswtDiuOJgOkrSTubkSQTUQT1lZacCGVEOJEDrQbaGesHM+vLt9Xme+LFLJWWviycCXNGiM1Jd1opZqUuK7O3LtjmINpLZ9kcyYYcqXUbYsPdn2eWl8DTJBpKc5iw8nkpTWLvyOr5JHS9HkaWrSY8ae3Ecr0Lnmssp4ylMAw23VSl5PO9BrpFFk1TI6l2kLU1xxKO6QwDAqw2yWkhFd4L5m8ENyUicim193ijX/LVxf2PP21iA5Qyz1nlldBRMOug7sFFO5CLGulZctFXUDHpLw+bspqvfCKDW4voNxiSAVzsWHMRpnPurJssrGaC3syxuMhx/5vweYDJ+7cDli8N7asMsuZkijn9+QVjNRWbwEPGbNTh39r0e90fBMvmiUa09TlY8CZXpUIX9CDHC3QCV+4JJzksc1yx3E/6D2NsvdCB8kr7b3xWpreE3rHhy5b74aW95oCf470udFz3mwQMOYGDOcfVAunCjEbeFaxNpZqEFBcaKkJXSvn+cJUsqF6hfEvjPzxrnAmwRaa/DZgDrfXZvmncAVCqnBKey60MsO1QBHcNYfFh6gYUhfGPos99eoXfVcbqCZZsjlf9OdpeyU2DcJF29MxIACGAw3qWPOU2LtGilIKU7F2Po+1xMclxXIvPbg+IL7dXQZzu3zWXx/nVtVRyAEkBy4XwmK0lwWsBMaFF0xbKmp/dYcJmSC/xQnBXvJ4NFokbDz2RJaqWZ0XBQyx7TBuQjqbnSCnASs7PI7VYV1ZK9SSEsKu1D6rPCrNaP2GOQW5JJ3qhdFq/CHcLKkCGSK3tFJmLD0lPrXuAm7XoC6InOA6+k3q9MhArWVKwwNmTXJPhWl+auhqDkjfZQxaoL6X4md0QULniwLasBzendxZkRi/d6odoGu8YBRirjrMx50Ve3nAbgemOWxNnt3jHCXNHg2G5FAXjaDRY7xoWQwzc5i05aWME7k5RFR4UUL+9sfG5PbVtnlVGv/wZfiI5cae0+MTIQjBt7fMDwcKZ7oJ4uzI9fVFk8j2q7MK78vpStHzRHEHOk+FuQhNxoT96dKuEEP3505MdfXmQHy3nZY5kmq2Ye52MOIHIthcsIqwNjm57VChFz0uw/McAUT7tGx40v52OX/ubTvLtKqgPN2k8AmLR+QEt43DmYwqhZuaACekxO2jk7BTt5ezjoVFkfJEXv5PXQycXc78gynWk28dOtQ2XO+A7eT0PJHE0R/73HBM/TThUv+2DEKRM/glGanycZh7/qP2+huG129chdEb4mHhvZB1mlU/aEDuJP3YyjS8GI7VdVxhrKmsf6HYeM6L0czDbF8WxUzRJXDOMwARXrRWN3Y4zxhbpBBKQTxWGzRgWc7a2O49dYjHB8n91T3a7pbuczhHvOz2PHBk9ODGhelpYP9vfsXmmnwbyRZ94a7DJyk+9NbUhhgZF0NloBYMPtZVghLJ4a5vWxxzUkFnR624eo0GZ7bu6KXPkhzGMbjrgYIOaI4vTfMwWKFIWucWubEGrPiKvKMk5YVRf6OGlyZIZK7+Lwo5IoAD6fDYCbCgyWl5fWmnGqvLJz8mK96tyCiX6G8S7fomop+OYxYjihOiH7yLuoWgExgPC3E/b/Gb9z223WzZ6LQgbW+PzRsnOoZjzpwWgz4B93jTJiDpBrMK3iBilPpyox2aAFlap1wpnhK6gOvLpsxjPC/1kPH+VqtK6MSXpfC3G1EAuiP2yPW6mJ/864vaR3NL5JrsMrb9kLpBHWppSrp4ms+IK440IT7QSZQp/TjCAzuSPiB8ub7oy9W62x3NCEY1UTvvKGzLtAfpmlIsuiHpzte3NzuXdGvzBlLktdOcP0IzGxrOsa1TFvRcFBClotzdosjX0xbJPd3HcAiC4E8l3nPngQrWXq05gxxAhTsiprOTxUEpTRpud7cVB5GC4FMxyGgj0Xw1AhiwYhZ72BJDi2MgkxcK/eQwXDgw5Wkxupnclklos9RQDWGEvIXvVrurEuJPCV/9/TkBHfvcW9fvp0wcf0Jv5UjiuFyESSWHkW26hL9rkEsb+YcbQwtu+klhxclnZkZ0xkAgoUdzCsdFEq6XEfWquL36fa4yqC2UBRBNzRXztM+C14M2hHqgvqWMfrDnrAmQRcs7ZmpvYH+QB9bsjk1J3N678KX6mn5MFWwS8X3Cu4Ai+aYIfeU3fIBWfg5TSPhgpznWoNdQt4V9XxYSyWdNtwbsZT9JuoTvGYPbEu+2DppcS39xTqINkJUH0HHZmYj/Qjkjl0295TPCXMQ5Y1cyWgDUjK6R3nq9ILXT4NrJngwRHrDd2ymRwb7Q6+NO4LSF57+dDt9UqiAiA5gVLVvQRl/wmXMtcBqpjD1qlTh9ps9ojuXCF2tOxxizIww/M8EaJ0M6ua+EGD3XvFbwzG2jgikRa5OBUkc5bZWTRJotGQsvh7TSI7MoZAwAUVzPO921piOi1RCmA6LcwO7gs9wE/fy0uuNiT3saGC5RgYHSabNtGtiHeHTJcF3nqfX053sQRpTWtDZK2GDitI1lRkLxRShyIhJBvlvHqEDAoBdOCMJ2z0UrgNbUiq9ecFC4ASxBloKGbC1eod614YF/m21LUsinl3Z+2ALoPUcqS+cfGo4M1AEvJBem98Pbt+aUtad+DD+jEuQllQyjZ3wn09jwLtuR5JgSr3ie8oq13nP7GZjQZneyMU0Aw36UdaZPPr8KsCMY4OyhVCf/Q1APW5XVtIOLEuWKVU+5+Mrf9cUisXYIYaU93XGHLE1tKe+tQfdyXSoEIPB+OJRzb6mUzsWpR1lawwYEWYchHqw0WPH+vbA9RgZfU/VIFe/3uKm9yaX72r7q6XKX4hygfFNrcQKpuS0wGaFZ5Rcnl4ZpPHGKXs2gThTPX1t1eMrxMgWkUsNaSfDIBOvjENBen2r5pQVr/WXn/VbtppzYr1KmcMa0kAKHMtOC6p5Y4nboL4tR/24U3dHsl5uyfzFiFff25Pg9gIlXlqJWJgISCJDOtyGZm3OqGlmAVShWQc0dapdr2SEzH/ILYVkROE3OYSpe9r4EUvs8B2+EXCC8ongNw2j+T0haL/BdSlm+hWg3IRNnotPKLwp3E9eurF5fvEPL682of9SpyJCKH2Jcw7kiLfJPrwFvsrRLFodWtDbUpoa7VtHow8Vd92GQPp9wEPb9XzXQwimdX67Nmvw34xs9qKNoCFLQMKpZDglxmmV0lnyVJTLnAVtwH/opA7PZHcgWh3utU4qCfNhQiPFBH/9Vpw1nmPFoYu0dxD3iiOt4hUeIrak7Kx6k38NQ1Jwz1Q/fcrTYMW5pD418nphZOvmU1XCspUOvhtK0EgJ7vKe7tG/dUdKfZ5eK7e9U3R7OJb9N8njhFJTJi46CfQDi2xQeK3I5Yi6KXeSl1lG7xP0K/rUzcf3F3yNhZkI48+rFXyE69TLOsIaV1XvUMy5a3ylZ41No/MitdTiNJkWU7vpvrSUOmBu+xG7LlGeA7BVAcWsUnqmm8yjB9b8lyAmHO2udk6/aAwvDzzLp0qUXmqLYJacIxrXZNrMbC1VXekI52WnYTJ5WQLkou9dw01t38y2wdi7mmUq1lmJyG9bjZ+c1KazapbHpKyFHYIfB1XzgI1CMnmymQtY0fxmY5cBYtJiwPo1czTSzPX0u9Y4fiEO5wm7FID+e8Tk+iE/lGhxeJer+ZmgG5skvvEZ0RJEd0ZHa7iMf02d1O4kMTiH62zXqf7g6pB1BZDPkPCZQqKubdQXkJXFqeiaj2E37TZI/Chw9WOVb77++tS/uSRBQIkK1H/KeSejqvAims2c1lBo1GADJim3s3Shdsh2LC/AjwCDRVyOckwbzvTgXyp8a+BGQdl7yUKbVOXyzjAHlxDdu2bWbcxsDpPyd3zduvXZN+s3f4nREsfhB+XrcnmvmqvE18dsNiNETcbNx+vrW7DPRZogAWVHgl3xluWubkkjKz7JmTwS8OLMNbx96tXDSXjdwmL5PYaEwWzbYsrhYbC0i56TdupqtT3f38pKHUP/9eRoD5TW06SZX/m3VjF5lfJUZ0LMe4Y3/LbxHlqi+vLDpoeiknti1RObVesJZWvBilug8z0YwmnTLSu7ed8b7hgfGl/gyo24m/9StxpMvxOhUs/D+fGIriMd0I1SikppISOIEZQuVdzOL+JMED7S0fI/RVvpC2nfUGZHAJjH+PwRQDyBomPFEa9FSo9wTUqpHqLsQGnE8pg3CNyfk0VDFsLd8KSu2afwJ49ysYlgY0m+EpuplnPBEpO1nNdb/G1ugRxvONy2wayCDDjpNXSBr7O/298dpp+nrARcxM2RND0E2N7EQL3Qgm7/cmhqIktxv/xgVr2/Npg6vbcZb7w3OnGLnY2R6Yx3oY3PyoTWVSPNiXQKoNiQqKYJ0UwV31iOHyhTP7bT6JrXSI0CmPbaWECco3MM+fT2ZCfIq4OQzKlgnTC19yttGmCt7/NwY929qAEt5Bl+VAmC7+9Gke3wvrsSqJ8ZBRu+oyEn0RmVBT9Wx4etVjEnC7Nb1FXn066LsNTrQcKIv6UtwyZi5+5VcI2N84VPV/yAujxUhdg4VZ4s7uwivXz7S1Omr6LonsBZzaavw8w8DTlmi8UY0dK+pvDSW7cHjzRxY/biXB80HWyQMwivPiJsjTnPmQnEp/+C8HZUsTFW7HrrYk4QawY/J18h/vkIhTycjklZpx7DdwwGD7E3gdy3q7psA93ess1DsUx5ROinrCmuXv5SBbs/mWnRA5RGpYP7lmGcXdGHjMt2TBdwCYZ1hoBTfhbqiIlcT5VPYWh1/cwyAX6FXAbfpzK3+Zly0YCEeXl6DrVzKljQsV7SnJSDtE5vZsUTs5Q99VwyOHXl2lAJUrZdKpVERQD4CzGapqy0AurTYLI7DCl3NnrwBFN+0ppA19u39Dlji3zlSu0Rd4uYaYqwYZ5Yif5Czr3F/zhQq5iZWuZinH93l6YJyt46aogk6S4XbswTLzKIHicgnDWyWYM4Qm4W5ekU+4LiPsmfXdpo55mew08G6a7cIZ4c+n5STcRkGFx2g6On9Ws29I98Y4g8aNHxxBItbD1Jy8h38DWFq+nb36O9xP0MFHA4XqhgknUG4NB5egqiEnET3xdnof2zVcZQgl/Mvy5GgFIHGjLdl3ITfVDEBp7o1A0EhlMfntwAaLdu7ZESXh3ncQCWbUXgQ3YWPOS2jFqC8XpXAw50CzMJxzbUBgf/8OauYF0+8wWN/nHJFDqF8wPezanIfXtKHaY312tyjxz2nI9T7o5malkZaM3khGCBgvh/drmFlTJtiKwTS1Z90CI+iOVxG1qkGVxuQCxGAYGKqwVG2/OuUePZgFOqmaQxDwjQz4S01GGfud8OjezHWe4F1MnSjZ4UXFt7JfXz4DXdsswJknrqRVvxXy3/lTq4C+nrwjR3Qfdxhf4gWD4MiEMzp9SAHkveha9HkvAnl0BPX2SA/4+AjYFY9QhB3ZT5sqpVtYXDAdVAXZYU/R+mk4IMIiar38/dorQg4n4iO0w4aaKSNE5k0P2qcRRpeYpv3ErF+8/sb/x5g6EfAAC58AwOiVNLvtQP3eUjsoqG1Fk6HZX9U58pKSbLYl46ba2n/S+dfrhDxencrHOHVZSqxVfp/9Lu853fz18zfo92OWXO6eie3RuitmuxlEuswYGOSYiQihYg70fCwwU0H6WQWS3klD8sQ8T4sWVevO3CgaJP1/qHD+m5j5Qfl5MlTCZk4mXs7Y5mJXCKUWb8LCmiosLd12ygBtDE2aEuST9D6puz5j8AoPblfg9cyHS3Q9TOhzE2tjVTsJUlheMcl0jVnO9n6MaquSCiGjizKzFl5+RQtFe1A3jgoHqY8b97ls0H2xQwsM89WHlClYDH+0XGmN42BaGfONTPH7OiTxol0vIfXxzI35ZnB/KcZZTmFVR4b5rg6twO7uAsK4zIF765DIckAp2f20fYqLE1/ZHrZBMFAWwG51MJjrhQfgCvWxdr9xOCbWOnjgjuuCGwHidJY9ILPeZJktplO9f9PrOkIOjxNln0QHsUfsZ5XA3lZQ295CVJ7LgZtVOdRrZoxiAKdUaCF0T3TdyywBDDca2rhvllfC5selbQxm39pm25T7nlaHM8NxHkmLgSr36Re7EE32iS+65fxzSW6nyET2v4MB7BXZp1rokVaVIVk7ESZ6iftpwzBcJgWJSx5umDs6t1oSIJxMmEssxa5bxUSlNFr4tOzeaSyuxTtX/AL2M4Xa74lEE=,iv:/ST/8uCl/cz0wOYqvuagWmxRg7mFqIq4NyisFgnvY34=,tag:MVnjORxhwq0ZfKlcDqqPbw==,type:str]",
+							"headscale_ui_api_key": "ENC[AES256_GCM,data:NLFiX7rILui4eiPpy53UfwtokAgg23U+E2jaxBWLMhGhbZMViVnkFNXZP6FAFviKMw4LckaL7m+51Ko3fB79Cg==,iv:hokclSWtaHYqOhhomMhfhFp6B7fztis+ECLmHwn4loY=,tag:CZTpXZT8KbSw//bhtvJ2XQ==,type:str]",
+							"headscale_ui_cookie_secret": "ENC[AES256_GCM,data:dkh1Z5e9EEVPIFu44Bp/lkxY5CRrplMr/yoKDUBDqqs+okx02hjQxd+RkBkL5KfIxAElyb79aa0pOt4Rdqt1Sw==,iv:bRWidrQNuarbdze40BSs0SOhpmzz+t+uFJQP+Vi9FUk=,tag:82yZWJVIOe75vP2pYJlmNw==,type:str]",
+							"homepage_credentials": "ENC[AES256_GCM,data:gqQw0eqlqkyV3vL92L6ZxClWiBRKYK9yzZIzZdpTBNStahhh0EzDoSY68XNO3ZNQGYxA0tmG1VHt4QqbwUXY2yol9qiqIZF8UOBye7+bsdcvpch+H79ZvF7eDDoxx6NkAB1gxdce3LjeiRZ/hdtTQyD+Ylqvi3zM1mp61mJD05iuoC34+sWrw7wuO9h0TkljaaiS6MzVsEDTT8I29VJkdLPBx8uZQI6dnPMI5bmrAm57bEdgNy3VN0uq1D7aI24TwP/wVB2rBZbAvr8IVN+FV+lWHRNYMnrXLjGnuoLWlOsQHvb6UbByFODboJSd4Vlgze8GMTT7rEmQcE8UaN0mzSmelAhCugqYEfkyK3cXy+L/2Fgnlt1sZ82JiZUmVSvqux+QQohxRX/LYwq8BR210P5FknMCYbBLAlrf0LBGzWV05hJbH8MVyKKEI/5bL9Bze0v2c5CZxzLQgPGPuhYDJmBX3PK3t7TBQf26hY28AFcHkdQpBBZeRUKX4Vkdtl/eiGkYyQD8+E0W9myQosrJE+VXQjXZZseWL6CrPVzzHvINZryP6Uzy+mAGPuLKeTenETOyYd3fbKzb++CuDjgi5A2StUgRhLA2jCl7gah6lOriNwRB1v/dpS+IIbM0vtKs8gLjK1bgWXAb6H3h8ibQ2METT/TiYNH2vqt2rA+we00LlU/0lcCQTgio7hPaA60/Ea8ftwJL5ZpLo0h3INuW+yPcHot+y+6UITrvgcZi671K/23i6Rx0Y/JdzZXXz3Fai3rT/5it49CeTJiO3N02mzzZM4nluMIek6QHS7cAgxbIuDlkZcr2udHgwt2FXqwDRQ8qxr5iyAXwJLptDYMuhcK+3bBy+NFwDLm/rl6zgfJcoa8y+JtqnONnzCtKjohN0NFH7VuyKuaebsRkor0siu18IjMFZ6wpEQ/bTyHqy2iKtoK+ZBBatoT7Uhb3lY3d7DQ+G4+BS8kCOrVT1vl5GsdLqE9KRv8iaVbURMgDguXezlvZJifFsdqGFaw1g527fZ9S59xee9EF9xXCnRI2TVUZj6oJOiZODE8T72Z7rzkHHvA9ORv9jXD333Jyp/Lo9IU4oJHsTkRqsmddpZfPodIDms1lAoYyNmHfLNzLVB3sSXd5FsSBHGuMTien9Eo9DEZot7bbq64/M8pqVpuaf4HS6eIaxfQaLjYR5dmryLmhVMjNplPxFwmilM2WmBgMg3lgJCfXDusIxOG/8l4k16/qpSDE/EHltge7pQ02an0R18xMStnLplrIUNMktDPKyhHPGWpQfdnO02dKcSq7hUF2h2qyxpbA+8F1ddpVOjwWrpAvazI9ScTd7yGpJ6sYIYocy3S9QniQe+NW7NldVqe3Rdk9uNhmlYy7qHJWPW0AR2xwbu/YbPlKqYX1dAXfmAR8fMOIQcp8aHDbGiyAKOLjRX2h4csyDAByJST8LUnnulrGOrSZFCaruqxPpF0GgYVQx6VWriJKp+AA7SgbfsqOAh9JmAulXJEye/pHzrFHgeTT97jn9RaDkRoXxWPIH4gZ6Iy6tO6S9RkebFRkcrhisVjtwPdR0uMhDqTNeGsfaGkVV57PK/T8/7JHWsxOUhSm+PmlV+H8rTQdeV4sAZI6zTMM5+cuO9T45u9ARQp70MeergfQyN0Te1tJ7BoApFJCHMr9OgeZ68k1MBRSvO/xV+w6XpKuy7Aq4inZay7UG9TV8BL6yN2L5IS1pHd1IJV4XedNR8Rv4Dfb+yjRgTz6QoLTMC0DHtAqjzAL+E1AZtmT6FNdk6Yc4zPyC4SKUxufcE4X5kfP/+DyMJ0bogT8Jhg2tigR9n9lth5/qoFotYwiQ2oUiaTZJi8Yv5VjckINhNPBiUgEXMy6rkTxrkPFeUbKFxEYWUz9CkKrNhqpdyzi4QkrtXtU5sUJS+dtLVzGBkyb1jt3iS6Petqp4NBKQjUYHbPHASzGscrKBz5nGfLL77+9OO0fEO9nNwIWYZVUT6bgInLayKMGbRONEcNddFwfqNrwU4kmnWQSPr1HmuawmVmz+gOIA3gS27G1OmAqQlEqqx7CuxAeA5Qv7hzg9R3OX/GoxT+wnw4aSj+YRv2hPp8JCg/4iCAHaNJSx3a/nhBsqEK5KzGX1UuPTlMLmPS87n0N2hg2poGdVPvxMdj8TPeaYF3COzttNv752SEo5ckLO8gGdJyYMnfxPxyFVquRXK6ddmeaXDPp8mxSB78/QZ3LCQ8ROyi0dVoiSwul3/pnuu++iO4wf3Y4l6GR4yWVHZybvpDACYF8VW3S6zEFKChFjn0mBn/b5mGgOroYr+vafzfanpm3QhtO9S3MfgN3+sHMEEaA3Zx03hKlphv5XyibTjLxu/I3Z9Nlb5NwDmBUUa6IiTyv604tVAtjO8l/wv0DAC/waHBc9Ir6SqBiixZmzIutgHx0TFE3fGUKANv2uqyoxWXpVEK7NbO4mDkEBqFtnt3Yoy8PJGLqI/B1975W/tZEW/UQfc/geF5XR6V6WcCJVLKJuPmO+6pT2JgsFWbUp5MkAx1LeNI7IQxOXFVIeeGgIlsCiTEUn72sSswUT46fBezgKMgTiy0VLV4t35XsX6ds7CMUeE5yZXPsHg9lsr9GJ497+x6L10iim4BOaxYCUvG3cCYmhsxbR9L+RZ5fRbkuLTV75+eYanwsGwWh/JucPY7HmYHTUwxDotGdesfLGB2lerVxKDknoxATK7wfpGvZGfvQHFc7TXjAfZucN9yRW0URiuHJfrg=,iv:JBwpLWcATa/rC4YZfd4SBvbE8etS43RuW44XeRKK5CA=,tag:lk4cXq5wHUqJmYuu0/udow==,type:str]",
+							"ingress_crowdsec_api_key": "ENC[AES256_GCM,data:XFMQAfw16q08EL7i2mt0qLgFENflBfDtAkeJ1xxlIgfAmBbXR47qA7htqg==,iv:UW6P7i4LQIxQzQCz/k5AtiARVl9KtphI007oGYoAh/w=,tag:BH+Azlt70cwpy+z+7eKHsA==,type:str]",
+							"k8s_users": "ENC[AES256_GCM,data:shTIwJDmbtCZ7sCabSsAv/weaeY6mQk2EFU/ra28eeL+MyxgGVpbpL+nLMkMQDStcbkUUg84UuhZgItNdYJLmO9fbci0DToNM8ZnPFL4Ac1sMMU78PSQedJ7rHHFRL5dNVmDZ41EA9UsMCpcYF3YnJnIaQc6apl3TO9vUV0N0ABoUmE04tR2W/vgE2pT8h6Jyn0ASe/QmW8hb+vtCvZKhc6g3jnAYiW4Vi73OEP4Icr+BAHo+hCZOL/fISrFn02fHPW002mjRj+SrO3ALTkdXcKH5tq19pVKWBm+UXfvquHMyrY0hFxRsqzjEXVPYRHYcrP6AL9eYlKBl5jepfolBYRAPcPj+iFN5uQXrW61+yM7IU2cR81U/TzflSzFAeHT5HNU6+n2DWb50FDbSBa6WWZR1008j3a7jFbDyElwABmQWaQHijEbsoVa/yiLl26wn/ST+P30YOLta9fmDultnS6OTMxRAMAzQEjkTE4U89YUvzU1xXydEY0Wbhs9ieQEXcYK+IEeYMfKhlr4MEaRp/HV6bcFlO4HsnHzNUy5HVY61a2K0GF4u/jb,iv:7qcZy2o5T1MS5JgrmkWnt+74Qyye3aFtFbJNdFy8yn4=,tag:2S0mySjaoutvbBmOR6F6cA==,type:str]",
+							"mailserver_accounts": "ENC[AES256_GCM,data:ib9puh9KbSF0PRAhQW/FaAtzp8Un59CremmQJCpGD6nKkZMxT7b3MAGog5KnkxB0rm8OQ0ChQt6QKSs228BrPnO8VoI3Kf3lXIs5q6xCJdKe/tJ2O/3q1c9dTA3sLipzXrlEYLrGkBoizT8CVPf+Azpxidx50QIxcSJdiPNuKz+ETFgXUHN/rRmyWA/CHbL8V2gPex/WPtEC7xdJL1CtUoYExM5BtLN2+zm4yMKq2XY4nCwS8oOZfbsJY90U/spa1feJkCUHz9HJYbgNkhsZ1bn7ZJ7Z05oK619vfgx0hMPtlWAP2mNxErwmiGmdyfhfSueBAq1BRUeEE/moh/JoJpSaf6HbLkerxl74tW1WXS7RDja/JgM0xR4YNgNbUIG9srI2s5WGLW2vla2cWF+Otc0wOgTyOgxu6n3B+dz7dqoNXvva0Xg+GfJoZ65rf+guSu2lzRKOG/1OK8Zb0pCzU9dUrm0Nb+wEDI/pJEzzbVRQDaRfEEqmT5ueNhQZu4uvMLCZK/+9aS8TRZAj9aq+yudH+8rdGcNtwK4iTrEgirPt9tLSjSMuaM6ahC3VIWS9yCDWdKam0VtsN88+NZ/MHjw+RLDkraSrRgvh2RSj1PZ3Wer5tA8XcTZ4ywUbkxWdCbXjLbc1vrLFJKLBul8RCuXS+0rK+NTUeCvcbNQjTJWHNiHUesdWqmOPKlGo0+GKgo+dRziJeHbZtNECXHGvfbZt31TkzlT9iF6jkWIKfu4rYBslxXFaAZiTYJoEwAzUv7K48PE57irhhcXseEjyjsUblUeY7tFgEhyyOXEo/MSPGrL3beyj7zPQX0zZWjarfFD5iD5S1yzQQ5KzkPTRkScBWhxoTBDYyyNiesT3CJVg2fJYh844MZa0GNV1XvPIuHX2y1LdAa1td1TdB6qTXAo/9O9lU6uHtXP6ctIMXLm43U6LuS3OFreJJJQBoTsiYg5DbtUfDKWcAnNsKOBKegwRi0quQBfZjwpWWHa6mpoeyv1fzUr1/PUfE6+pX1m9CkF+,iv:wM1ftwdGl6F+9N5PncNcIZpkro9FQMo1acKOX/Mya+8=,tag:pb7xTj5oXJxUHjjpmKdPKA==,type:str]",
+							"mailserver_aliases": "ENC[AES256_GCM,data:jUhdT4QlcKW8UkfP26/8mFXsCKlE6U6gEKUw1+4fWZRqJ4x60XcJXV1KDO+RqMN27lUR4BpuLVs9PCIn4eXKytF/qOViK1RqpLthV6QssnKhT2Wq63XyeeZqq62ob2NQ2lPe119WvIq8F5NoGRSVjeo8YX7IBcTeOp02D8TjjBjzwvg2lhGA61wyJhSEUT4rBkQFvmMCeWGH0wlzZMd+3Bh0QlCjov2xpR3muGG/o1bH4fuKcZkKJFrtliXdRU/CUVnZy0okh1DI+V2miOq+T3DEiS95Ok1f/+zDbSV0rR+P0+ByL1r49NY7TT8ptC5qOQZ0Va3OFppZ16RpX5YpWqlfXmnbDtbEr0Z05WBzzsXXr82OUlhbczTcHI1fmeyMCzOs/BQgwd/oLlZhcBaacBh6LeBwsPgWc/eqfEWrvpHcXaQPG7AZoz0Oq8Gv/wZNGnfj00xInPbdElXuSiVKnamTXEqjaDCAnXfndzm6ZvWjwi6CgliyNuws9QHaqgb7HqmdUgV4ykBuZrX/x44PspXbInqjgNQ4OyM53t8s5q7E+zvm0eKIkBcsz8QLoKBg6hvkq9GlTPx/PLs831Ee16ypWYb7,iv:4ByPWuZIWPPm4IuVl6jTz23zy7NvCBNmIcxOhW0Wy20=,tag:7J72ozf+99hnLxd02U7N0Q==,type:str]",
+							"mailserver_opendkim_key": "ENC[AES256_GCM,data:qqftlMc+9T0sa+Z6ZcE8bmssfUAr6kbDaBRQNycTey61B6orwKNPw7HSw+0pr3TjUHcaa4cp+6NowCv9VZb6m9NGJ1w+uFC/uuLHCfPYZ2flOpjs6+xCJMijmrWedz1CY6cT0Ot5zZJOjVQjlfvZMo5EGnDQJO4SyKkYX/swXjQHN++0J0yBLuSJXwG01+9VHIL7GnFrsvx7epcnmHyPATAXq1GDev9T+OeRczV8/ijy7wGavwSuarZGUV/YTpLiO200db8QHDN+GYnz3uU5Pog3MzJW3D6UFgsVBI9K3zERJwAmvmVoEZ3x3PJnUcH7XCVtuSpCbgYmUwKvhH+H4bS5zo32nBvmfvobpfS+3JycQIBP1YFlP0yFE5nkWwG4G0VmwXkjbGtcNdcqYg0UlGKZcf/NGvFzh07C/NNUuvsEDAuaECoARjk5SJiJLzb7AaWAONKniRKf+wnTkPEWRdNdHIfFTOJacbmPN5jp2hDYqYClRytVHNstobKkYxvk8n7yzv+NR3Wpu5Ebcszzk2d3y1/zUW36HFJrsEG7k7ryhbd/I+tlkKbLZB7kAjzJwkKRz3bEE6ycCXHxB47TIgED8w6INaOsWc382cWE3UhAQZizxyS1KfU9BEQ/EB7lPsR/z4EHelIYctH+8mV4Phems50EirXeipWxI/rOcjAEDuqK9G10IRyDONEZB2UG/dbd5yM0KUzmyuW0gecAy3C13LVaxsR8muK9/Mp3upfTJf3wp0IiYsIn2D3MjIrC129O8yoP/0P/Eep36UpmOsBkkFZwQ+OSS4HT8cPXXjCmULRZHMviE9Sxos3YCgc25ZdvXQsN+j3b89uENhA82P1spg090sYeJ3XuWrOcfMr/H7Yf+Xpg8/4pqNdwvW0sNSuNWluASO5LAqv68wFVUSPU7RbUG8SLgQ4C6ueprVjJNF80YehnoqkBbnPbi5pzf+Gy0vwutyBrUrqdWgTRwwlFqLf4PxSf84T/KVPtgNb08cHxNslcAd25kIw2xPj+HnzogQ687Dk8LLHRTfWOXQm92VOwY/2RsprU3TjAf/Eq5ghDR/MfuBuNBRyQ6EuqEkOKaD/jAGqRl8YorMxpc2zLeePr9wwldqwotzKSAfhlcCfySdSPr6qQHZDGr4495tcHydWWsZ4jXGJ/+69ATdrPoQEYU033CCdONMcylLQcWjCmdr8uYF/JYc74VJ9UMMoOZuFl//82xZjK5OhiCTbRzfdoDys5clty1Kf34DGJ8VGp9YNzbRdKM1iduP4AVvAPtRELwPWP2gLZfZGRsW8wy3xkjKtsG9cOP12Nx/EQSBvQk1T9USAGpRE3tZeQs3AryZKs0v7dAUEpAmfhpkqB4JlM2NKZotb9tSghc+Gt3jojf+UTzKY57Qv6FifBKynuemjIjjgj6eT4IKqnsLlgAoHKt9bQToK7HbgGY3iVLkyn6cU1MuyhOTPygK1wbkas9VLNwxaIqNCBAlhghwNZifEXnsfVqBPRMgo00PLVowEe6WyfzbfAkjxHmRqe46R6g5cxeVdQ9SZzO0KoPlwUMC0Y5IvrEAVIs48NzB9pjcchttwaZGpU5NMmS7aY+K4n0F0JxTBFHfFqRrxyrjueuDan/Rc0V8uglY3O+RF0QDFIA/4s5HpXlFLXzYkzebK5ZAEjxYMmcsoCwX7TpLbNkE1Zgpvm4IKYpcfQAX21HDle/KRZboGoS9EQhBYwZTUQbliSBGAjNgOvqygfXjYBexdhKyR4ScX58SqSLCseDseXI/OuwqQbPylIPx9VfpQNWYh+dVzqFVcxmOiXXfeDsp2WkW2/A2onZrVbDWt3guq7a5Tlcmy9A5bjJO8kjx5X5J91BEjFqs1pdgzUu2QOD3bkZ1b1w+eyj4zG6ah0TMxnk47UAorWlXpM9ctrYUWF/lGGf66Dds5NDS0LCxzIInHgVeTBqvPkIHCQIUls5GiwjBnvhBePv/GqaW5xzFw1YCQg3Z7s1sQZRof89qEBBlGPIyo789MKgPycAAWKuWCuNNl+zyn6BwDhSCA1jLPFmD65MvjemPKAjBLjjt+fDfh0JUXNNzTuZtlahfi+Zk+759LVd/5hX0fI5pJzzUv9kBMvFlbIsUq+qBA43ndhvoK8Y3aWPDjdJYmN+C6wAj4P4FZCE+mRpwSbfoT3MqL3ngYSgtxHqeEPNL8kKNj5PUdQIxG39oiAthsruVJdtxJtu1ORVMrlykQgy95E6KD34z4nAO+4phmxareXFJxXi5vzaS15MdyYBQ==,iv:Bzrfs9rp4dCWovsQ2AM1Vj84LNiFsSHpE+boMsvCvy8=,tag:/lG1o52Lu7FY5jPPEji1sw==,type:str]",
+							"mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:2Rc6eFbFfnB119doRgc=,iv:dUYtraBUPFtmyP6batIzbmarLcsIcYEEp/J062oduM8=,tag:pxu8cDus8w7lzK25DTmajA==,type:str]",
+							"mailserver_sasl_passwd": "ENC[AES256_GCM,data:QKBwZboOy0ykhjJNw0ogMGYL+loYLUWL00hqK1qai00kA3Hcqutgu+9ihj09D0tdxNF8PcrUG1uSE1y8zHNSW3B7CNFjGWItnxfQkxR/Svvgp2oIScJKuM/wX1rR+gj5T3CZc78wIcfRqHPBWBy8Cxs49oCHCCoVm7SfZszqCPA8UUvFjdh+4X6p6+p5jm5v42E=,iv:fVlU5Kk+9iL7faxTTYQhso51rChRkD/Zu7BuDXWTaJs=,tag:njlXKbLVp+cYjLFsf8BqPg==,type:str]",
+							"monitoring_idrac_password": "ENC[AES256_GCM,data:X8kZt/OY,iv:F9Jws/AH3mTrHoQcfgKFUBVhkdXMiO+KIHoXaVZbbYU=,tag:VL1N6Q+LtTxw9RPMOBi69w==,type:str]",
+							"pve_password": "ENC[AES256_GCM,data:YEvOHTOvzzMnwpu22EoNWuO4AOlaEGv5N3rBmQ==,iv:VjDIZVrlxxl0Bl6IIcRWWdcRf7yKesbkOMS3lczeGp0=,tag:91D5El/VUUdxs50M6anqrQ==,type:str]",
+							"technitium_db_password": "ENC[AES256_GCM,data:9z6UwLsGYOPa5HIC7sA=,iv:gd1mMrudCM8Yo4EH8jRd1dTB6l9BnmQolIPDlyq+bVs=,tag:Uq0ufqLvOj+ygAbdpPsVQg==,type:str]",
+							"technitium_password": "ENC[AES256_GCM,data:qSfJ8YslVaJP6KN66d/wLOwOn4pVDcc=,iv:zg10E41ZX7gtKykoWIBI7ElONfFuwx2fFIWwj0p1K5A=,tag:Slqxu8KEa0VDWef0/BkYSQ==,type:str]",
+							"technitium_username": "ENC[AES256_GCM,data:V6yhyCA=,iv:mFEQBfclbcc0ulC7p5AgOqw0NtGLq2I8JRIq86iZdVo=,tag:aPcEjp6j6ZItDZYs1x1Fyw==,type:str]",
+							"tiny_tuya_service_secret": "ENC[AES256_GCM,data:P9zePxRdcYyWx21dFppnz7StXL/FSQ==,iv:DkXJ9iGMW56d83F4fuhSm2aO9wlYCeo7UOLDQK1uXlE=,tag:pOxiD1sFyOfraqPhp5sDMA==,type:str]",
+							"truenas_api_key": "ENC[AES256_GCM,data:MgI3rVdmmmd2svepCIfDaTtLLEogVTYgsmo2Wic7L2zEoFMq0e+X8wALs2u8KmS8ZxfuUPV43i4BpliaV2w6ab43,iv:kobt+I8fFvo4Ms9noY7EVRvcfFZD7DnWE9kKWjjrQac=,tag:g8aMhGKArN/IuIhrVqoZPw==,type:str]",
+							"truenas_ssh_private_key": "ENC[AES256_GCM,data:TDNQ8gwjhfd1HA6/0qYkCXkZ5ACKjmY6jk6ulohhZRzc0FwnupYG6AQj5AOyxc2T2aR9mKzFBgaoiFtlAkCZiOGu9V+Am/I+UTa9Od/q2boPsxtzzineUMTNzYy+2JxImLy4ijXMIqVlsdy4TMbiHLm4fV18O8eHTQHOvuQDSIoLyDpgcXAMQHdQGCx4yt6p5fFzz8AZ/v143xLHMpkE+8CE1y7EuV5jY8PXGGISYTDN5NXBP1A6DdWIyqaTnfjNPt65X/Ttcl7qNlSc2uqBSlyibJgJ1PlK5y0UBE+V2pKumKIodHcouuZmIGeI5193ucGMsiWWlzPT6zgFir4/+MrZfvgFjghq3RT147LlZKa7+GH8gWxPvWD3ovA5mBZORPiTXZ/dvWdd9okEbRFlZbdKWW/6LQ5tO+hSQ/VEpz9HBKU5zebFWhwKIB5TzrxCOR5zQH94kz6TJxqO+wFIccw6Ly8g9Wjs3SnCdOtY/rai99yIlFbmsfYIOZPZKTjGi6YiBeSTFvi0x7C5e1plY5P9Gup6RxweUbol,iv:A7kY1ZZqr2Tt4VlojFlhPqaeqT4l4gIFg7SzjQte0k0=,tag:Ax/ztduvZw2QcO6bA00kfw==,type:str]",
+							"vaultwarden_smtp_password": "ENC[AES256_GCM,data:yqFYQIEYRIRZpRZvrbOYGNFkCnU=,iv:BKsGn8cNjfYsIpnidUEwa5NqJtG/Eoo0W7SHPV6jZiE=,tag:yVyuBVMBzzpngVJFFHzYmg==,type:str]",
+							"webhook_handler_git_token": "ENC[AES256_GCM,data:CJJPuUhDwLMTgSuVaEIpM/HwtHmhNGg9DxjYfc+mCEizkXVunmFKaQ==,iv:QSqBHCLFf1vK9+1kMhns5DJxDQ5DyigGB4s8Pb1HFDg=,tag:dMPb0XdfvsILsOvtR7q/Iw==,type:str]",
+							"webhook_handler_git_user": "ENC[AES256_GCM,data:A4F2fOwzr6LXw9cf,iv:0OiN4nPQe0HC3J4EJV9mLageex10pQO/H4cloyf6Hk4=,tag:ivPIghYM1i3c73qqoo/XUQ==,type:str]",
+							"wireguard_firewall_sh": "ENC[AES256_GCM,data:48/4imWkYkJGOyeTVXOsbgnEUOsRaRSG8J2D3kZxvU6klLj1qhLm7es8PGP6tQnFka9o3qJ5uuKhLWxo0uV8qms1anXefEEmbicrGCcKWysMxCs+UVfT8eR4DgVUFWXgu+g6Rutuq5NE0lZLmb2PhDUoFAZbuslDp44UDYyIcgmwpiv9CRJ8a3r5tBVj3///ES3BoSDyapA6THjj/nCX1W/AarBzZkGq94WMbyVymNL9Dvk4C0/prXyumO/SGnjjNtKrbkCcbCKL0ARKE8hyrlsZvJl+zQPEAyZBp1ahCP/Q+RN8RwvrBYK9MaoOX3ZOiitDaPclX4REIxE0Kqav235CuHVETRAB6xvOmtarTvCr256hzc0DSEFLOv5a4Y3wJNTquM1taZHCzwMtRhmwkMXHc1yTeQ5SGYUzt+upMS5zuSUQp+3Gh2LCrsAIxOGduW+MSrXcbpal4lli0ydbzpV6haqXrPBJAxw/a43S92m99jqvukEStUjosfARarWXocFWfLSO5ak0i2r1SKL/NBgRxkUy9t3Af9pRoQ==,iv:PiDjkA3SknT5TFbQxtLEflYkLHg7GJDahgwr4//W+kU=,tag:UNpfxalOZ6bCk1MKXAenbw==,type:str]",
+							"wireguard_wg_0_conf": "ENC[AES256_GCM,data:Ab6abwTLhhMmNYPTS33f0EQ9iKadoO9lY6+h9dx4WMLeKGOlQMEQsdcbJK1KzEfJICfYc8HpLxMD9LzwrezluIbb29Zuikq8jQsahYoVnoBudujFw+7AeLNEm0syIUv203dVI9Hz15lmb0xrpWYDt5HCmRWMVAidyLlu7BFLsf3CQsA2FYHtjgQrDqbTlSvhvROs0I4QFFjByycDjwfHTk4I+ZI1TpJJSFFR1YFq4CBpYsmWZjnKIms72+3haX0mpVkayXl3Oob7sZBywyRf8wUqZVYkJ2fTXJMa++yffRzRAlvKZH6QbWaxU1n6LacFPza2tkhijBlEjBeAP3AmtW1X25LYcnagNlq/aaZgIg6gT6Hs+0DTJ1WSVYA5kLiIjGQGWyheUwM0NxDbybc+aMqSLGv4nN/ojg4ND0gdPemlhSpM2MvYttjLPvAsdX7nXy1zfouOTaRB2mRpbIq+P+BxmmDu6sV0cUHPgnyRGkrDs062BRm+6036LRuEzB2OV6lHCIwNOhCRQZx+LbEBmnxotum+We/d+nniTdsuC/acco4lgP+I2DW0GbjrQ/yyMSipHL4+O34EoZ4S33PbHcarxYsdChDpKRxJJR6RTGD9GJ11mbY3FqfQAiaGdiNjkJ0xqJkJzTRzm6c0Nb0deywoRnsTE0w6dtScVZVXhdXzIsUUSV4nDjgJVFnrqLjN4aXaqi2NAFh3VF2bkNG9dPAGVFp1KhSEEgasNnUEtxpGEpoTJ0a/fOQ87VocBHQeizxfBsNZ9PvInNF+Y7znowWw6E6t2PqPvJyVC79tmjwhdXSVWx7oN9rxyhleaqYmUq4gm6zbzCOXgaYkGASwkM9NAT5xtSJcnXQgGmikXLXKihNl/m8NrLChlCSDcqdfziniEvsaLayI79lmN27EV5MVcwfd81MYMVz5C+9kKkCkoff0Fb7p2crSfjwTunadjh4YQUiGiRjl4xZW7Hll74PU5y4zNBoNNYAhUp+/F2LfM6kCY+/v5yUm5xrXepNhT5yheJdrEqM16g6VdszM28mmXaDZmQBCZ4Uzw4rRY4Sng7PLiQuFor7nAm8t14wtxQYdzocT8sj647N9HOMwW9w5SVTgpAYHdVt9nbVqVDZXGYqX9mNdxgg6ZiGesryKC3u+KKlBj4ZGOtlXNrkaU0ENZ0k4GdH0c0CKVJJjFRUGS9Ll20cLIQAR2sNFXZUn5ydhzQjB2ZKXQnixIyxYhwzLWeGsr0f5DNqY2KjQqHMvM3xF+vs2b/Up6Byrci5Nmah7K7m+87+uxFKuefoKCTYr0+7/WmX9L1dZZKuCDdxdJKfY2IVEpP2bmhn1sTelupxQfpaj8cRCWBK0Z849rY6OWsqGeugyybgTsF4dNbPXytprj+d/C5gn0noep1+5Lwx5IoVhaqCNbzOtDi+n3ReKeWGaDwiqUYHEzY3uP8TZ2gtafcNahQEBDe8tScOPFHSuih1IJANSoFV+hYInAbTUX25/NQE5ZSd/JHqTO3ex/p/qZF5LVrS8NmVUDduA+Ci7N4OJeXpvPMoFHPy6SG2i0E1iwPvr9OWcCcowixBZ5RRSbeaE4Lsf20/kotmHyav532zD3SFdIgXeBSmub04O5avF0QkaAQXj7kMNeM2JfLxnX2vIeEWXqGPcnw3tahJgxlTYM0jMwo9Bhlr3/9FYlAjeYI3kFbSSyMmWl1pJ55N9cq2tuiDkjZfZVZV1DmDro2IDKbGbl5rMk+qcRrJCYXqF2eHKBohuDLpjTcOzEA/PB5Di0aRy8+CfLpaj+6N9U1ZlmUg+5HlkWAeMz5X8RPTgHxlWT3UnsYZH1y6eslr7BqD747MxZvuj+Nm9qI/Y9++W8+HLWuA3O0sYonag/tgBlDE3Xa7bQY0naKjmfa9bVJDs1lRvOv9srYzKIx750SFrzhMjg09AQxcpxv6hVMQHM2Uy6g78ZuYu42VQPqfu0KDRHzKGciQCS6RfEA2GAjITUCOSnSmrfn5yzI+nOS3rk/AgVJqedbSzChfnj/OpmxcdCa3krOV/aOhJSdc/gxM3+sQ0SMX8t59SE7hLXOf60ZLXbJ0EqYisksuWFLAGT+oR6FFdluKhg8V7TuCc/Z4H5ULln/xu0+CPcROTHQB3PF6DhhXG6nVhgnWEPELF38fCIzgro9V3E8B1K4MOKtTWjJmhtO6R9uW0c06G0GOVsIb4voqSe11U2rs7schey9PkwgawDQVvFsDszY4egIhIL808ED5WjdPQvmyeSteYTgPDFaDeUdX7XJSzfD3oynxe9HjReEMeF8tgclfIj/o7qE6X5ax7Bk2COURnXz6qil6K7FHpPhK8tgpHMYydMgWEQia+HYn8qE25Ze4YJ4dxVkUdZ/B7/ZjGUP74xNi4Q2HfOsZvfbLz4xzsopXRYZ8PbfMvSBafnWkPTb5UL2yueFyaB+XygeVeOebSfCCsPKFkw8iDArKYAU5odnIi/RBemC7VN5GH+xQ/xdV2HFI2lmp7G2BJuBw12UIUQIolIuGvGLMU4RrGFm3LQzdaI3x4QVgJ2kp5ThtcHLmqCrQiSvLSTtaZW2cxuIJt6JuoB8T5ErKq6FjoxkqubO6gSgYiKROdwP/RI3+HQxI2xtfrSEut2eaGWIlwk/KO1nuaS0+2vcTJdWQHL1LaEFGgnZ+mcqLN/4/dNZRFJSpS0//qN8yfuwCRglMv6jWsgUeAJxd6bwMjDZu3mbacEAJ6Eddofn4ogtFq3nXkvpBT59D5QSjbj+8K5VOBgaoYUfAt7i9LhhEys4Qczy+k7YJEH9sSYR1vHKDz0vojBDuGaJvm66pFLuZ0J1NSFO7oOx/Ridxfgv1GQ0tBa8lqNlNotOGTPfhp1lLvWeHcG2dsEXkv+g9EkDArcdX+SBoX2fwmoQbfd3X2hZvvb4p/Y/vK49XSg9NIs0j8xmU/bSunPIWH0hJQX6aMmTj0sAMWvKXLLnDQYVNqyITwqLzJk4wMre0L7vV6BWAKJX9N2khD2oBgLyrGazeNhrum94yxWuadnSh+maCKDd6j/dMgYTq+kpJKGHFBx7CeOcjWnO2hxQ780GmJrIxyjSK01xWr6hOvTl6ICe9IzcmRJ7y1Fzx7swFYx63NfNX/KCemIMpTCtEJ9Jrsk/IJZrLPRTkMNFk9T/cRLi2cUiWGMXt++SmMg1y2Y1v0+Bi2k8NhuPzcldvcCYYYMHnkt3m9L8Xfm/kIT5eKKZGGOSYk298L1LxEMrQ3tgkNsqYezIpez1ih0+bKmTffe3aQmsBuuJpJboaFK07YPsHiCUduTNx6ldIKCl5HOCkNReqR2kzNJeBpG2YxEqA559VdzFE7bU4eTPmNdJsfZXjsCbIw77SyBvHeG1ZYl5dc0J7xY1pmodOCtE5ns4CmZ+Pgsr47con8lC2xh5MxJqYhsrFD0OIvKXUkdq076E1dyjlQle+mPpmnzYR0xDhHqQ==,iv:rJtfc5oqziOaCE9cEEhK3nY5XZzdklfuJWMIO2S0qRg=,tag:+wxblgB+Hrl/+h1qWvQaaQ==,type:str]",
+							"wireguard_wg_0_key": "ENC[AES256_GCM,data:gsDI+KQeQVVhQp4BBgnliLG2WE4m5mPoxu6M6w53QcyqYEZHsj3VHflae5E=,iv:au9UqQiYQpyxSoTYoNqofHvG65syh4ruIgyYaOsHuQE=,tag:q6gwIN6DX7fmxoWSJa7oSw==,type:str]",
+							"xray_reality_clients": "ENC[AES256_GCM,data:t+ySAcriUpCD3dNmKdT6ardgqltXs/YJO84Syv8LMl9dkBDUKgfFRWthzbSoIrU=,iv:SHtRYafaubJMYGQMhmh9jKS9JC5Xx9QcXPv3bTD5pno=,tag:X8joF3FNdOLLlWbC3SaurQ==,type:str]",
+							"xray_reality_private_key": "ENC[AES256_GCM,data:Y3bbIuulJT56+o9Gvj1qax0u7kR6J9ZyXZEKxI360QOnJe3aSquwbi6h+g==,iv:p0UCAJ+r4Wemd4tkZ9eb/2LN2+RAtHQnBjYb6mJyT90=,tag:MZ1G8UFccTnHJ3v8QinwsQ==,type:str]",
+							"xray_reality_short_ids": "ENC[AES256_GCM,data:M+Eh8uXqG3SwgoYTYiI1WeL73o3kOIgrJKwBDgLX+0nakdxCr6Y6mMt3StLVXwjCHBkaS3UROhemFlV0TQwL5ng=,iv:XOa+ko7GDByUjE40l8oJ2+QyPSbK3DGbwWPUm2FvH5Q=,tag:Yus9SAlukBFxvgsMbxhxZA==,type:str]"
 						},
-						"data_json": "ENC[AES256_GCM,data:wy/Wfe8i8lXsb8gm9qYuVJhcFJFqBobwj+G1kdQBcTQXuy7LVuZf7+SdISB5wtK/zc+nHJg1F8RpElK/t+pAksOmAr7uPeWGPEMU4rgoxI/HA8onRjyZVXgq354k9H6R6bgZpmkydFBiZ979aCekMXfnUm/sH9jJYW4SLyNLx0rQVE/9Td17MBuVY++UKtu1lFj6ITuf6uIJHOg8q+OxnUfsklogqqrwaoBbkDO9jOAHMOlrFvxLWg+JmvLEQ8tnOoOOv7kK/v7NsT4Rjj8fop2H6lnLIKu2AEIWHaO8YfE1SdU+5DTpmRAUXvETkYn0xEOhJbNBvwT6c85d27xCbypVt2nhmrIaxmcVnIdhMHARLCJjmsNI4snou/WpZYD/iw2hb27vOdGJVKEH27CmLPLtDyr7F2R+7y9ZYAwRkaBe3pn2aPuB1bm1IAPMjtefEaeGRNqKIBbDMrRfwbHMwwqeKN9H+kU6uv/S5N7fZKAS8mF01p/L06+K66zRARo20yz4ANbdgchN84Zh4vvhNnYBreDwkACduZ3v8E6Kx4gxHzyeqGYMeaM9FZoQLT9honx5wzmbhGHxoyJyTdDl4oyfcWeWlXjCGijZBHCHGxveTboznEbXVe/1tVoqEa+E1VUEXV6Y3H0J6++WvDUhtppoE84kTQYoI3GBj67qqabmFMh0DEjqOBIvZXNLXv3ydG0u3tQQg1C48mo71DF58NKFksEkFp91AbpmggCNRg9q7U/wlreGUiARQUATbmNC502OI8qBfXUqFfP3faWZmE3GanEeKQhs738ogewcqe2QVWqeNzvfptMhFqOliPV4mmJnmFstaqe2xMPi9unS9fb+dudbHdoFE0XtfDmLmht7CtcK41XNpYaXD/pOBj/r4X4CQCiIMBJI6rLsSLTR5x+cvtBnXGxLrb8dgXfl8bMBkgCGhHgIUbW8bhY18MCpuYDHNJYsfLW99Kuy+9VLL+SYErm1WtsJ1ew9NQPux9Sh4EyoAC7CztIRDEcIwXXuWhOmL1s1kdV+O7uel+I5sCHli6qskg9+qyvCZjrgLs08n0OpTU1Wrwo7RRCpgMZ1OiYVUfylVLE0ru44nZ/04wzsYlNING7r+7Pfe51D0wAdF8s7CqUPz+41bde1LMET+d96SdgXYMLjzFs5ctiHS68tNOFcb+B57DZ3KYwuuYOICEhN9SgrDQ3tYZe/KJUVb2soUT+LJITQBZgatUWuWkALVSJaZ/Qa6q0pD4URrgI5W83Sn+iYHLO82rkGT5G2hbVJXoqmI2AvPiUCSVhj4fQHAggWftYhZLx92H37fVQF9FlNb/tNZQ4uZXG2+lQizNdv9RIg9Dqbjr5Azx9fd5koBSSC+v60PQW7PBBOHUheC+yLywqYJJS4+EZbjIxly0rKGEYrNG5NeJC+ULCi08zLZw2tCUeqF9T1nNxl5UMVwm/eaB7qTcwatGG/k/h/khY8Tbv4/di8FdEgqukkxFvtgdLM0uIIQgf9OUsKDpvdVWUf3f9rQCnEU7V8djNw46/luLLiEqMjbN4ATavJ2AtE3NVab+grLmhvreOsIiu5dJOgfFQ7ykADgvO11rnSYzFFwQrwFS8jJ1c2I/vWaanKTux6NQOpAlQATMXfDWagIK/8K30RPQ5JPWtUFAKA/OzOHN3PGTxBHNLYrHDKmemY7rH+Mf/LV/xDHVwTqLVqFRViTL3X+syNmn5vfKj6w8F5zU52aTYBq1+mt7GB1R5Y1oR7bWLHpj53FHlkKK38LN6Qz0Al0Vw9K7p9dzTwkPbjWW8BTDmlZudFpcQ0BKEycXewTEG6gcu7Qv0tif+hW2Ixe96ipsiM7x0GyVung3mYDjDq0niEaZevgh+MDsD/qN6tW5iFGQs+KE8ubzp+508L0lQerc6lsuD1vEFw4lLkFcrViW0e8BHfe07nkytscDwBPCXIj1zKRmpgrYS8f3RpwilU7ShnNK/IpAr86KQQ4cxKcb7+t5AiHWbG2689uyvYYvnRNgbev7EN0QIL+5b5ifo1fu314ZIa/0LsmkDwdWeJJJ0Tt9dUe7o+p7cMBjLvnxPMyCV9OCVKlbUZulru28uQ3w9CcEHprKkLq2KFJw9nmWP2vmeNBjWhqBlMhx0MeR1aIUQ5OzsJ037tsGDuStZ3Ih2U+U3+HppwnXzuY+6bo4CMO+1fKoE4ffr3u3e4p+Hw/ONQzJZ3D8a+Y8cQ3apWwZEgukbpIkJsbUmifxG1YXlYyRTFxXDEYlGz7d5xSuM9WfHefSTkU/5S3kiZgcbI90vFCN2YKXyeIzsu8ti+OngRqE35ekj7iqHolrZq0xGAhTuaOjrj1GuxqTywM4v3MJvuKVZwsrSCmpU5rk+y0BHrgMQZTxqvD+SsYnnnNDujWJ5jWKAiG+J37VeyviPgClf9qLmEH9pj0N/lv3wi0lAaIO0HF/+oj/Vo/EiUrHr41/hRjD8gihYUCjYFRgQUA1kjyjaa1Z/9DiIaLHls8ZQu4SgIKPhyeAe69EJzCFVauuq4E3OnsA00dZURf7XzY1RWHOGa1uwsjCl+sdDGjbMMSyfHNtudQqbm55FeX8zBRXZmyPN2a7Ou6uf9GVoTsEHr7KRO8T3GdSkKK36TA1s6zs8uyyAJQPIp9FL7Cf2WgYtFezMGyb8+IUstcQ3it5kXM6cdEUX6/+Y0kETnvBYUiyHbXVO9h57T1WmbQByw9Lb1LdcBmCVD/j7rE9St0oIgHSfxlehRyFUmASzLK56u6fxel2vt+8cC439IhFgoC5knjharaGLNSqd0xALTggasVAegL8LtzOqe3SfUVuLe46LobLEZn5UZn7Fg7cf90JCnYrTOJQIfzJXctV4zKINdF94FUVH4PPhbhVwcQrlEjv0MoF8p/LMUEZwoaQoOFZq0/J61HH4ZSIyln62jAhTVEcftLyQmzWe62kmg6qcmXJUber7T3XBi3NOtwZGR5TdrZndtu0yH85nfTVyMvRNg8qU+wdUFNedBztO7LA6BKbLw7+J31r19yOR/h4zSPEFxeWUFOPX49edO+WOAyzjecd5cDLna+o4TXqd5cp8a/mFj+qLl6urLITosP6q+ErVIM6FGOzbiuW5a7FY+g11+iS7rM4ljUk24uLiqhHi4r7y65QiLFh6d212vu8c7y+RjO57NKxeNBZ+6ziCW/VwJFqhbP2PoTHORnokWufdaNrQqr0C1rQWJj4E3F6/skvRmhPGxblXdxC93OmQnspLsSKt8zSYofBQ7EKPmLTl3uZ5O5wZh5yRbrBorj+AHNh9iGJUGRtJ32s82js7ovJ5LPn3QLd5h9RocYv03Xzf3CRwIyqMIZ/MoNLGIoB0YkofMlW0kVMXaDcpd742Jd/XDEVgXx1qn8iOUL3ltlgDBCfzgf6znpuQHI1lMX0R63V5sTm45S5yfQRN3O9vKYBHVF6ogVrA3KnwCFNLMAXdBjXQOB1o4mxHFUD1Sxw6MiDVKGbKin1lvPTxyujwLgPZP6jZkoWO4I6yfghJ25xBu2aey6Eg5I1dRSAT41KUatt9S+C6hcVjtHOH6rmqzpK8iZnsmB8LWTUT3txo1QxVyXKFmKJeAOsC6kyaGHj3awZ17TfushHKUxcZmUyY7lqIFEPAtFDhNNz/KxmzquEt3nktdgzMllYjUOLvmii5Tc29nTbMlIb3+LWyI3gelMVOLP7ro8g7fQH4KZs3P5KFC/BriMsMZ2FlqC8keGrM0b6Fgykwc8C88dO2GNnlKkwhZUeo9hfnxDMffqGeWoQoc5Syhz+fEMWPTcMGIAdJJm9vj3mJh+M3fUeR9ovIRUAvA5FHq2Jgm5iAPAU6c2GcRXUPN0QNfomzgwTe79T87TeWL6xMIQv4Z7edURGw4Xvu1N9m5lj96WILWIL5ngrYpgo7I4C+Rou3Xm0+XSWNLmR2MQyhsXTXhdCLyrUNA8nrZFix4v/dmIWBWnAIVwiYZO0OWgfbLjUSXcJLUDR740k7YJHKJ53R8CCM3ANgSfMRcLW0Ye+E34F9jQZVZ35eUdAqwTvJYoqRepQMbLLX82hWn1+fcsrKXBTxVZOiACPIst0i6u+mqpJCIQSAoIj4hssrAXR0+meBqMoJfuFphXYU3+1WR1a+0jsBaJ/MkuU2ZxX8j4CvIeEdqWl9Lj3aO+d6f5gxkNmPxTZOKWL4C/qPRxgatdgfN7GIsuJGaNAM6YrxkCJshzP7u4AREMiCa50Jw+QPt9dmPxAR5aotgYGKXQIB7s+KG35B5mmatpnZC/dpTf2l+44NdVYwXPOUf7+cEqtJxx0dYJ3UFUtwQMoM0osj1rqxNvWZMy8KKpx5U8cqEF5XDd4kB945YZt+6dVLmwLDElyuU78a1b20323ih1hVymuNYNY9F23MTsdKYypPmunMnhYlzzoxUNEGh5GuHmksM5UDPlJ2v4WHNQy386ITKeK0JdFwO/e6yFxBKk1kiYF3bx2KMAcr1bFz3Raz7PDokyygLPoMwMsjkKL9PPI75vkbiYLQdinqdhfu4dyd5JwgAR1Oy2Eqr3py/cUs1VUtAP8l6oNP3VJhr3Oxy9/kQehTPpzdsvrlxzaJtJDKq6TVPKyPVS7h+hiBixKPTAlILNIdZzhs9DjNUCrxaTLPOlzgItBmyj082ux3MDoZcD7MLdrI4pfsJacyB+4u+JuJVwuT+M31tIVSi/OhkcSocyICk4oHKZa4Fa48KP4bRSOwA/UXy1pIi4H8EmdApLxXpU7b1ODJuwl2b1ugEjbpp0N2T2VBXJbSjEdob/LlQtm0Zc7qW7cVsAdkzTW2lqOLV518iGVcg/BSJEosrbdNAa2SMajMy/2IdDzNqWunTLoJ/jVEkZeLYXh4KrJBbN5f5scJfXZmhZsde+d7DmJd8jSnmj3Fk6CHlmPt/K8b/7VAAidPh3sPBMBHFoG7gLWGW7AupUfN/+UlEWzI9gzzcm+tsvv2ao3ShdlgV+mrKtPEQJHUpGBDRjm84NEJJGWhd2kcytFzBr0qFOgvZNKZmRDFDs96vBDLHiLF8dyt5klGtSjVoey6Zw2UkaFkCm07BJNnL8nUHH27j/e4Z16PJ6++I8ZY5H+muQoILrkCon9w6l8ZYhNXEMoZruI00mwl0xLXtCMKhO7RL0MLwpPD0tOBTOiR5icVOOPEQbtw77s+g3aUn8rjxzQ3MkNe5mBlHrrN/eK/6ArT5R8L2ZvlIHDg63Btlcd1sTMZCKMtvTcbX99K737FF0Oxx0RWqk3iTqN5ndS70cLP2tQ+u+3l2y+Itg5HMHOk0zDcX5vkltu26u+M9ac2aipD5Z2a6wRAZkOlZcF/j6LtGEEWichovi+C1kAaW7fkejxqg9eEAhjZCP7QESVZm2JColsQP0jh6lX0eAk4SiKKpalsxP4u+Pn292A6oeNv4i0Mau0iXm6sI8KsyQQdmeZBOFKArQrZvyLad7iPPWjN+ZmqJ4VPFk7A1WEVHIKxgnAufHVZ5Du3+N1vUss7BAdWh3ow/1hUEv2tG/tMlNDgkKfkrbhXshHfqe4X+1ONXo/LPh0T1g4DT6Lpp1B+QPE0Ci2HloMiRwmlQGmTBUmRbGCGjS7DuayBHxyGAjIgcIj0TQzYYEc1hx74jQFcTRtMHet3O5wMje+J57eeI8qpOrSTMDFe235G4duNruKvmsVT9DAjBB3ASTwh88IBju6uHlOgHxVQnrlZ/1cNb0IREFqMbF1qNbTMwgcTCWIZorYj6lF9D2fTjlQYDQC1F5AC4BY4bviLm/ZbdsN7XvOmRWzQivsgNhzBlSSVGiQCmepmLZKuA9UuBxa1M/Sko481LGDkfZS5UzuWFd5UTKRx+SAq7J9V7UEWELGXFTE2ZxxdBoLTBKc9XSRkFGOA+nQI8rh1PousRQzzsdJiXtppb0unm/T7KjwQSccTRue2ruJSWPeKG4hPB3GCOqJoZ9p7wiYY0hzfpOZ0WwQHTKQ44kWUXYjwSDufxyzuR5zfvP7ZYuf6XDgyhNrz8H4rA1PAx8wbJhy1NMVyDPhV78pVwLrwvumofONehFJmjn8htXj52vu4EboFVve1TBsxxDY61qJ386n6vzmksXi873R9kcManZei4UqfijKP8jOO8P9RxQ6nwey+BsXuJ3pArAHEtyic0IBa9hZIfy6zuqwuYiTDkZgUyzHWqQjZdgWZRx4Djy2w2QC2bPO88d9zgJSCopaeTzAlaqb1zZWDPlwiKFD4Vyd8tE8svIRrDuFNb6aw71DHFFfYGqt8Fo44QjJ+ZIBKGmzoFFT2QyOEfN27wTEaN6KtBy/uZrtbsZ03oYIAtbP7efB0sxQvroEDMZkvFq55t1VnTvTX0JFaP5A0yRP+0NGU1eQvNU9Pfvkq+lhDoTRC2is0bRPfpFdIdjqjLpcZ7Fn2eEfktruDAOfw2DAIYm0OzkqawDCUUbvmj25FySiEIilmJ9zTmyqebO9L1xh3nA+c9OESxJME5xGEyxl43j1D1V8wruhPXQ8TdydILJ0FgZUfLtxUGCPRuYr5Wo84CCPSBcV8YFrVnAIHtLCRT7AkCODYX1pUe4IhH8Z6nWLJT5KHccVmwu7Q1w3dEzey8N9z2yI//g6V4yslm9aosOxGvXQnp2YFh9DsQnq0OE35Cu930ChgjTZ7Qcp7xIauzSPTDnJM9ngJKLwG6DNRO6GDnsh0dJokuNKfLqehzf3XyoC0Wo0ZoCUOHTYFJN6eU5roGJaILG2KzNrJifp09AjZi0PexdPxWOsbMtiHn6w5/vYkp/i1frsjl2uonEw0nfrG1y+St1IUT0D6wmvrsmpzWOEAGPzjpWhzST4crUT/4VxXPj59ZOgWOLkpKsMHLSOfp3p04GG5vaaUJx06aM4kf6ClzjSJ3L584s+XaOU1Fk8Cbym3Xlt+R5UuHdhETOBbFKiKw9rN8JDZ83LxIHa0Dw++BCM7fINh5kgJHQ6youYvv9FcfYWpSaB3DUMbBtazu3A0NNb5/pFQ0bO7AP7s+n0ljRHVDBtlhm0H4FqFPOo+BNODkIOD76K5BQy72I5BslmZMJfFJnBZiKKpSpyjBxcVrvtcRTLAuFyNLndVNW945eD5fxnaDHljZVCNlATSN2HG5XJnMIhQVojyp7TqYXuGynHzsWkyq4whYEBclFhANM/jupiNKsKVSIiBFIYjfC4Y/hWTzTrndcnypcFCjUe0M16VWmaldbSDyaWFpzbNRpd48t39PE9q3kQsPpC4+cR652x3Aqj5ec1JBA1dNICv8vT2VTkFt350ItzovxegUigUUWkJYj8uqNHJWuMOHo9ZitsWlCjKd+0B8yzSAp2nWb3oX5hoHumZYgG9pCrvfgx44XIgWDSThadm4DthmWJdIHR1NeI/DGJm7CoFxmoV2lDE2b9Ck6Q2euUtHPcwu/sD9hTNdvv7qpFYRXOtAkq0sslokyWWUwmvmh6xnUzGEaa888CI7JvZ/M8RX8V6m3s0jc+i4U5tqDUnq+pBhcsrdohBHVBPkrJBXCggU6a+bFg5+yktyMjJ63RH7Ihd9COG7W4pAun6QCz17L4lRP7S2h0dyRygCjspS2FwCE5VhYkxndthiRhtvWMvPM3P35XQ+VY/j4C5xNK1LprHRjS/ZacjLdelDmL5xI2e8v8IJF6GCgPI7smR5kuPOwRncYNF/RnYpwVvNX8i1MJPMdsMkbpSbGxiFhuDweFjSrBxZxLK4BVMMYTRMnikmTvpfS3mVScDoZmgvoTh3m4EDIsiEO31FDq0yFNLA2Pg5Ox6qgo/lOuMRhOKXm3s85XlBByGYda4ny7E5EKJkWqwbm5mTYHsf8ZJsP9S7lBDoCpLRZOMNfHPUzZdsjbzObt4a+RANOl/muizZUEHAAdAcIc3CcFr+zS0zp7rqbgjjTCRkRun4CEa5v7+ExBfNOaKMgmthXpynAOaYFCSfglHAB9S3qOt3zjaP0HNdiiRX+4kLYvlwueRx5alMKMrsnLFgPYP+hRPm/EnXjag3VifsvBF8W6VsaxJr2y6gajkhEDiXZl3HVaW7TbZrl7T9C593uPb6QDzoPxgH2s6w4uLsBNvRVVGM/I8WYqv4gAobgNyjSDFGHU1rWXwPZBX7X6ZbAT8uMTGWWQfeDHBCWF4WYhcv7ijLCu3R5t90Yg+3VQgGenBUyufHmKPG37/hOlGCI5Dxm3a0GDVhgczz+Bav/LVxMrxWgmqwYDPbrsWPoxUTGNUPNgEz8+atwUGt0n+HJocdJ+bnSsecGzeGGcKuqEsL02+GtA7nBU4LfAi15uSRO21N8iLwl4nz5x88kTcQDXu9Q8soX6QAzyyRY2RJthxmIL8nkj/vM88ViZfOAE0MrR7TqPNGFIX8vmfPwA+T58+5WERwLW+6rE9f5VyyB3thhSJqRjhdyUCOWWE/uHwC5wkLDATkYwpMengVKyuIoXsrf9bN8r9KoWvRU6ReKoUB8R6JRQ1wAMKZdpdY8KzS8v1S+hHOGnjTS7imO97xcS8YNZbYv+EezrnqZMSufNPGWVdkQJ58mKePSudawKKCX7RdBtcngJ6u4MhCal/lkU5mrEhcdAePlerxJMOyFfD5jEKcDXTY9s+PrzFj+/GDfADVa6+B8+e45Qv3tabBtH5hrTFTWfbiHlZ3rPU9e2eulUJgYnVDhypx9B+pj6k/tbzg+XGbGrBCLuPZzUMslsgAsTxi+hPP+Oe4VMNIF/QyfYXtWRVXRbkTD4voCA3NteYqAU0z3DTrUUtYkbZJ9tZ0stk+XKiTpWbSfaCNlLrhvKYZHyYBVoLDYZNU8VeHZrFUHDdRDCp9RTgWTOg+CvttuKsn4d8hHP54UHrx1oTHgp97QtL0tYo9uO8mP9mRZO7ay/4htEwi+Nqox74wAP1E1QMNplBEKKp/uNCm+0XP5ULCJ7r8iiBeJTcZUqAGIL0mmaJJrkUNF3cIjRkqMdgfwJu66P7M5s0IXGbioWmxhaq04FfLROI0EkBrpc0zEtqQWaibAtyIiq1SS7Z16c/vQ8itXHLEg9MCo80tlabIyQB3X6X1GFgAOW5SI71LSEd8tdVrRRF5NMTMkrgc5+16qqN8g434k6cMEtifiDqFv8gcMgrC+nLM/xztgO0z4vcoDYe+SeQKHhsMt4wFq1avF1tfgWGJEMBP5EXuPWwOuMn78W0ss+GUT1W1v4N8r/EJSstCNG6FO3USfBSj0nDv5nUb3B913+FglxvAq3z1lPSTvJFh3eYiADv/jsoHxr32MvX/OPYm+vj845jG9yYDEFNlIbfv06yxkIeSQtO/fhn9ioMDbi89J9NHCMuOdM8rc6YuucpgE6BgoUa5hynPcZVHAUNhPwN89TjzWCXHlXXIZX6YNmbzzSKtcUVkdzA9ZVa61uWLqU7i6aKAgPVnxKTQYdp/X4EX/WGBQYKt2lHtgzN/SWl4fPMzgpzJc5hxcTyPJzF3cBQwxwtfvKvb8C/5G1WlySQ/iRD5kG6R0CluY4g/D2OuA9FzTni8B652JUjISX6tMM4kSsP2ArIK7L/EEhw26cjJcirBG1QcCnZucHYHyhI9vnqTKpeNl8gHlhKjdgRVlPmwU2k0MLt3Whtbz1TEeM4wrkNo7DgVqIGXLZCGCOSPcthAf31pnY1C0w8okh+MsPT4piXvw9JkgX4hmTKm0XkpseeSLuHzfIA1eAncF3KyGYB+/X1jre8rTniGQMaOEZGZcrNZyL1Q04SVw9RQMdJGgxXMVzhb0KsXTbN/32+Ebqprs2DUeOAY60SshQZU/i3QBJdj3Il+I/JaLmdUQ7typDTyWd9mzzNFJQ7oyL3g2wQ3Qv6ZHoAfQfA1KVEk0Ux5cbdII7IrNuFMUZ+Ygv5pXKF460rouLSPkexHQEWxmY2ERbEW+Yn3CLWWjan5ricxC19QL0NhR5Xh9o+o6Ypv/pZLy2GwXV9wxgLSncFQdtiUWnM6p6oo9G/1Vs4lc7YDXRBhKCFQi/GDvybpp9o7V15WM8vWvYdh3cgxhxW4Bhl/55dmdlZUTqKpTOCyl/lqQN6zlJpV/KNfd2K7u7omNpcdXQO8jDu+tMFFIrgMWOwvMMeauVe+dcph4qWHiZC2YgBfX4pIs9gMDX6N3F2fssdkTIkOqW9TvBka77LVXiaHJDH41BJeG+ZeE1LaU1D1mFHUY4Y0K72Jm0taV9mfFzDALaBc4jip5J5rGd51OZpxpSjtGJHljkbZ4I+Y3gairCS0K83jjy2eovVioyt2xNrHgvAigJzEuOR6py/0YR6vIiY7XZqQcNgWciIDhsfSIKhsHNJL1v/VnGkWl9Q2Xnm3H/dqCwkIzC1AP1P8XmZoSmAcYXqtSexP7Eq1ieWJ+4Cqc2fnn0D2Mb6yzYaJWigGcwoeqzNaDSe4mDE1Wf3GmWEXwrKZ5pfolQOiRUGsvwuobSD1RfsXPP5CTmJlmceIyuz4wbKTuuwbj1gQg3uBPVFQCUBxP+yye+wMSAwy8R3nLfQpK48y1+Bjuimku04ygz4VmSNgZnTQDSYndigzzBDqcVGxmbDgxGIftY1/MLz9j8kQbyf9M2loFiuA/gu5S3K4vLt9A4JPtzRCY0rnZ1xi04jKJcQwVKHvyhTfjzzK16v37reInIedv2TKBJiIfjIEMS1OdQRhJoCW8qKuxeunJFdC8ggMCHeOWOnNMM5ni3nGVDf/MhGNR3qeTTE0RjGYFrFDrDrSN+uVgQrwz4BlT8IOtidi+JZajZ51CEEbY967j1tsGK6B8ruSKFoz+tvSYV5fOeWkFSmLkwazDlR1QUI7+7bJn+5kmQml9lR5qB1eDdMeaREdkq4HyHSvT93+XthUY18m5PV5PW7Qi1JiXFgK1cy3JqP7/UvV8zRlK1KGTzZnc6hfXbbRp/3VOFOQWsnNHvtV6KCgaNl0bnUOnTnrQH7/+x479GuvQBcUTfyMitfnb6y04A4DdepaCoMwMV4EFb4N6cRnziwej2y7G1b2sQ+hCVj57SLNzoSi3sqWcTZQ1GlMjPun8k8+bijBSLXzR9ULfC8dzAOb7yCCq7F4MbH6mRbLLR/tPBtomh2PNCABqNTBWH1wyv2Z7Bo0BoCE9ZS9RRbBbGvmnaf2KuMUiBuK0cRUdJcq1gk9woKZWY8x04AXEEJmiKmrTnn8CxyTn+daDjUYiIuBP37UGb2qG8aAgX/ZMAvGTZCAnJz5thv4SiMqtLtG5CZWzoOSw5yaMjE0CnJslcM7zkI8t2dsmmpku7/AtpxEibB5BnOCibcj4NCFxTIQQl9V5Nyhsmb0NcfHsPD60+vXdvTivfgLerPz26aOnVtolelN2Aa/MG6KEnZfDMhO4JwycUVrYDyydwLQAbqaQqQpmNtRJrDPAVrH0J/CspsIbqMykvKBieJxzi8l0kgtImx//kjdQ+OodN22jHTGqmq8O5P4T68s6u5NpwlAumuzl49pmDRdZ79RmzDxYNEP+J30yiUq02jhih678v6Xbosf/H6wN6ZFhWu1xKLXnG+VFP5Qrb3Trr2likswfUji0CRwXF19W8pxqo+nNEr+v+zkfuIYxp8TmBuF94lNXS6hi1OIIXtbgN1zLGmNpyDmNWz8AWrrq3rCI7MqF3JqPP92b1P7Z70dWxk+w+S7LH98qBZ5YB/9CwzKxeI/v8QIQw40qgupAZ0hxuaUIplkSbvmNKGsrokUq+stVbdSo9NthcdY4RwKhiVpvuQ/07S/bG/pJSaIjRcsS0vccZQby7stN+5Cx9sQr8froX3CwRr2LRGCYFVQfGUZLj40B9c2diujUicaqQQds+Ig2qkIUBJ7Zf0voGoyX4zDvz65Lf0aSiryFH6vqtoiphxzu4BMXQIPNBsJjmRz82aipbz0YukQpfAsD3e92jTm/RII/imWmuFCmgZdgQ15mqPv6ZHF5RXSKgBbNbbXSxdG6xK5vXvtaQ1/zhOKiSf4rVwOIIeVCJ93uchinndjScHnUSFgf4MKhzFaozQbCApHuRMfwDIxfEUEUs0dtyDer9xcXXciQ5Jux3wUT6V80AhZykfl4D3TXMHtnjjQKcGuv4FqfQZeJWqsbp9eQbKlb0FjkIiprGR8R4PknXqFtPhO1ePtQE/CaQ2rDT+h84yPoxjOa1jjMDmifqlNskZuyvanhweZZA+b3gDK8O/+I7dIEUXKULU+pJzPwkPJ9DqBnU634KxEhyFAyC1I+ECpwSHvlcTxtT+Miv50S1G1kwlrHqnbSoxRMffkoAm7aRGLN4rRfPk5s/1i5BLMdgQJdhP1+43DbrHNdZm7zDtbA6CSnBcdeagAZgUVWrP7W0NWReTwZrJ6DgeD5o6bO0gGhjZMatQmOXHggEyFwW/eNmjbDCoH9DU9ID9SwmvmH1Lu+yC8VoueuqLXFBv1gdmJD/2G4xHOm7nJMnnpAYytLzd3FUPRxm3q/6WQ1M2cHybFwgpqLl8+nty9f1FKflW0Uqn57gurUoVVA5qJKQUGU6hiQD5wOrjGBbzsn9CRoyx2CZaf0sJfMxTUo9ozsYyTQ4+jdkfIUkfvCk9ZDlHLGUmkg5FHla+NE78C2ozwzCoKszhboDZ9LIaPaw58o803f/PPKcjdcaM9ntw0yIwRKIQJk2xjHcubNwQbc+hIME+jE39ky3yIfHghus5cZ1XDyIkwp+L1CzsLSaQnwuCsTViHtpqhF9vwKoJpBC3FrgfW1inkDzvKoR5iW70NuZSsACoFGx+HB4M9UeXOoo8in13ZXFLYyieNfFCBa3cKL9HPjSYMhyJbTSWHqTdz/507z1qNXf1sb1l3VS1dNPbhfDsQEhqyxKkR193mDoJTbzNf26kUaT55v+wpMb1zdWknMfelHWeUAJw/pDInUaAAL/i5k/dru3EaN8KdEuOcFwEIoNO3UgQs4vT7nMiABuDIPJWSbMIWAm3c4DR8Z9K7eIDVXKIwHlX4/J+2sr5TOhvoB0qGgSbOMRqnYP7zo9Ih1VoSCSbAJAIzVUpuk+jXE2baYdC89SuVBcSNWDmeulmcO32UtYiHN5T3OLCaaGSAkGhreXS8GnChgtj6jq17kwZ++hGNGSBeHgYcqQX/vRdbwoBWhoF3b7AA2RvStOQ0cqDun0WFYnOZxU1oQsuJvRdcQg/OuxSdJgrC77ba5XTNqM7NlhWDLPXMFcDAmc09yNO/WNnWN6bJsBdG06HQ+31LYBK+nEeMbbGyFkZVdK5XX3UuRR8NqlN4tecrlnThOuyphLyjDjSI9zWhO8irT8RG8JeU0MUhH23aDIB6FEPAsYUzP77b2oJmcdntMSPi68JAw1mm+8c4It7KY+WNagjB6+AykruRh6AJoXksopgj812whVU56BPHtUBlnWjsK2CHXWN4MZE7dxMRRVdqOytac8MCOF7YWaDy0ILBcpLnp6RERMDRxbyPSc5Ol0GMPHMEZZA88fmUn19OlZ7D1PTO58bL6DX5o6JPeKXklN1RZYZTRTOQawVGxUj+UCBEYqbT8bf5pSN4Yzqr0kyVPR3zz1R4Gc8EypPfW7BKyvGHX7RToKAmUHtl7nNKQT9rgyIVvKbXd2Q5zQmzvKoEFk0iCV90AuWZH3nbjNWVXOYA6F34D6vRU03rS3JmN48phyHYk2VWVk/Mm+42v2vPNyBj+fin7qqXsm8cFqGB92JBasQvLgnIIoxL+qZ6tSa4vL2qSmbQMBgxnJreTDZwS1EbGKw/9ByA+vq16hxzuXcUVrU8GZJOLf6O9WQXrFOB59K3F7g3yDp+YUmKFccImXuEHY7f8gCQfxVA2kqV6FoLO3wg2aTPsfoeaPmEgK50Uz/6oU6zTDURszMeM1bHcz4eXejvWSefdJ0jbZKg2WeypNgNMt1DW8RiT62Kku5dYXAiNcKzbl5YMytgfq4mXlNwgo0A1FoMfzEN3I9Nzd2RCutXzzZ0INOdX4StNrN12pjl2N5La4E3aFvSGjZVWx0tsEFOpWJDSyzRiE3ZR8llhjhWlRJCquMjO007+2lSzvlv222TLxv64jXp9r3MWp3jAcylhFFJMnuvoJqmgzJu60fyC3rR29TKI0fn6UZjAgiMdswlI4nzGu194U+AD16HkTbuzSjxZmT/jQ5OYbd2m45AlkrphVG3rDKpzj0D8A+4xVGYNwhC7Y9FFt/1RbfGY5PJafDp1uYA3HYwguxPtlT1eKAWDTbAAGEeGjAFk9cSbI95Rpgw+P7JWwquR/J0OoQjMRJsSwl39CbfobBPNnG8Nu1BVo9oq/vg6UPhjjChYpzrxo2w4NmUCgtID6Z3+GJhaXJ3LZEvqngLzNMhekRJaC3srBlkTmfctptR3EgCOfH3YwnZ0EjlX89/nvxJNTugOY98Ki4q6MJgMyUDBOy9wWYKKfIIGXWMlRHVdRiG9AjTFrDGgIZJoTMQz/T+nCS8J34Oq8M9SkhMVhC0iHIQTXDd0MpoOQAX3HkcADh4Flq1hxHR50o6Im0NClJ2ls9RIjfoXMsqZ+LlHCPa882Mbrw4zHuDXUKqXPizrpZHGtKYfOjrljHU2N6WKtMp79e+7MyZiZigIviZvYkBE1o+NdcTY478G8/NhQMSy9tdtBiDzi9hc7oMRm2WqipD8LvyIjhw4ox3KgYHK3EwT1XAtmgDiSnOmIvFQcP5TuxsXlrkGSq/XgSnDr4j8Dtl9Kdac+XDODyAd4xZ7cvhUb/eHePmFbzl/26ZyfOFk1r0BVPu1F7zkfkIB/4HtmFun4FTbzsfXuv1gc6U9dD14A9oVGbSHAj8msCT17CniIJFz2LL3KZCoFNSV5dqp/9hIvTmYhj0acA35f3ZGiOrAJP1FhhclStCyYTZ3d37/UIu0XfctRa4vg2W2CCeCobIAnRGfNzHsb7ebn+yNAlOOCaHzsaDXBpNqAsdJQUtRF0+56w+v2780DDDhYECV6U80cdx6kBpqu7Y/gAwhVxhHuFMBPGSCExyUskqCUpu4pdzncUc+Wc+Wvhrr50UWu1r49D0JP3eGMPM9HTEvElOmh6TsfB4pkLlsWTxK8FUChyZvDS87VLamCdZtXXsHLB7eqAGdsLXF4TFXxm2gwqbowG/svfV41a/V8FXZE40lyLSkqMqCcb4iR9TUC5qgH4s7p+spqHuTTaPAcUWzsn9hEfMlyAyOnn9GyPs/Q20+f7d55EaVYgs6P21zM0CLLdyb73nWFAP3KV9oOJ68ESCot+PCcmcI77ye0/adWUR8MVj88Z4q+BuzO8xwmN9DPy9xnsqDB80qVBQLB2WTA7aR6BwwKE2A4e9S6SBF8iR3zH9/8geUaA3UjXnOXFl1l/1AwIML1BBJJiJEqcn6mtnKYS7WI5YwDm1Nn+vVIu2TunilllLwislWqcUrlBfAvglZYnoqBTwr37R5MUXKql5ye0awLDdZsKri4dXJtstzPRaW092siFenl4Ftg9CPIeTLHdwPlyZgLtysPRZ/9Ds24C/GLp4570OZSUhjTE6ZJuk+qEB5HNRSHIIYykXGmvJcltCiUTnf6Phq1pph05b2X9mvyw5FhYOM/uFKK1gbzLWl8dCNAigY9ZXDNY8zupHJg+SShbhE5ndMyGYZqcRq7cTgQG2JhLH04cey3SlQGZrdJNJsSFDcKi20znKaY0bdXzMU5gJEA6c7X3Mlgomjx/Jv+Uzic8dhz6SxMF4bp/GHQ8sD/Jlfu8kj7x/04Bnnak4iB+PyiPVP8LQhORJ4NmvCbWyY55wIF56QJ2c7PTDil5p3fXqYnR7czGZGyqqgONGb3SR9tKYeNJoscOykCFfaWftAbRnrDQJgfzRmdwr5/2ddoZ5AoPsdxNO3ikfh/YuG4m9jJqz08ddfKZfs/ZuFc3k0z8wO+H1fLQrlCfjcwjmqrXU+MyL9xmzloCKRRrpb0lln2lVs1Z+hV3JW8asDMSdL7cmPYKRVEBiGBm0RrzFFCJalA+6K3eFrgZbznMlYc2kHIikUAZI5n1OjJZmCs4o5SU23gsGxOd83tPX8skDeHSk7UMqIMkFWGpmSIhcmhr3JKUx2UoJbsjRCV+nm4wRr+xn525SiFKEgBZeTp6XZX7vEiUPm1pi0P17t9UlIcYIg2yJ68qioROlhb+FmRco0rrmMJhpdbFnN4atJQrAB6odaFwLEcRcE0X2XB7idg52iRG9V5qkAUPqXhjHkR8AOVBwe3dH2bW5d9SZ9o/M3mccdXdNUCiMg4JWaqTdLzMDg6g6/0F2OlwrIqYKQp88iqBBgsZXQLdue6h0matKMRm3Xw8E48xJ7w3D5QgzL+M0KhGqFzqYIfSi04N4yh5pJf8IGlpLFthgK6cE97D0HPaWma50R6onLPfEsOW8cIODqGlBELc+nKmRwywiF0gyHH9HpBGOssn1Rho234fyM+tN803JfDyrvxJf0OnfZn7id53obHsuAQhYzsU6C+tAiu0SuamB70Di1+lCWtiu1FHnW9lSOPgCQtHg+0t6dAKikfEjckyzdGX7oZRjEmjw3rYy+63ucwdjI2/k64St6zdisBxj644AeUoxCvw5+xblLJwyNvsBqoCetiQc6TiDfG9aOi2l3TLuulXD2uVa75xW9+qZasvEem5QFYHu7jVETAr6y34av62FNp1zoWAr1Lt/qvfg19QiNxJwn1MRiZXi032N81pIuWCjw31XYWmBAIEe6PlAd8Yi12s21edgVM+TEalooEDDDHhBBYEbWkgay+MqWN0tj8IPrJ3eLzUhs50ZyJC2Jd0SxIM6f9dx8N5lYk1F+l5mC1RdefL8hO2+Svj07LVf6VvBsiD1QjJefVS+6iRvdOthStJunsM1ZIGfCn51DIVUJzJX/dMmfgRPiMwci3yerv8aY/aiIjh4TgCCj1c1lcuxKcYm3PYKHCtCqusWNK6pMD8iY7nQUgFdbgrnATy+/6jLORdlqNK2VDHYeXQYjB+YaMgnILt9OuFGau74tq0WVdJCSh3JKkPH1jc+8ZgS+FfLmWXB8tLiay55PxgAd1u1+hf1+ixS6LoelsCSMa19ZWt8Ytijg+6ka7Hu488gzHKygX878qp0dzyks5c2CF2GB4beNJ9MImhqizdgSkLDoEG+zKymODUm+OKpw0p2x4EpzQPxB4c339+c3+djKdOO8LxnSzXS5kGFCW0fU0LFZO+jBChF9ITVccOOR0k0zVcPldnOScNUZiWr02jg6102Q+LLrhxXKRwyS7XxEokJh4eVK3df4g1mnXzN9krfJjU24YbFj+Nj2LDnLG+MyPlPIOA6ikBvxkrx5134LAo0PQ+z4SaGhXmM/5U1+bipDBkdEb1Q0KfCa+wbyrTOPgCv2tv6zQka/Pb/DL7ahNgiITfSkRmLAGSv+lFl2zEntsJ+IH5ihXG4QaC9VbRAH9RNoUKVTwJ+vj9OQtzXHZds8KALLWYEQ7VG6jy5Q4IyEdJ9mJWBrKYZgPO4BWch77k8Le9WByNr5eD72b+EHATvTh2t2lmZk/xNGyjXRxfRsEelqTHSdeg0MeQ2wYYbk0IQTKtuMGZ8zuJZe0YLDqa2wBVvbUow2Ha6mXJBtsGdGeH22Lg254/x84VEWp6F/C0ttFvZ606KFHGYxW6PqmYYZTebf9xNQZUVdPyPmHG8AWQWRH/SqA8K1kb3hkBEFnATGAbSwbl9rnPfieeLpW3pmTqrN/FUiivlJ9ezWjpxpOmPOXrLKyvobUu0edmyVhH4CXKxECC9SE8tiycnOGmQfU7gWsH8XE0i9ws5nA6ik4Ujuih7eUStACI5o92x9oyl+zhrov6iRFnz6VHptsKIN3o+I+M82xD3SZRGezz7dr7bRBA6MRfecTRL92I1JatDERkYOyMHIUgMtpgWcpjO3qEEFJNr9ILPSL2HS6ZWNJHvvX5OPpvsllfCp2qRRTfqmsKMNxeDqeef/W8dJ82HlC9JhoD4EV7JZypqBspQE9m9MiXXT9lqnv8uLXdvROLpk2m5w2W6vdcu0p9iCbcFDmH1VPkLlChEGPgJmbnVrTl3IbfLWKgfdhM0ijL+ko4ncLhl9lLisbaoMSQIyqM5hV+xCNj8L7WFIYF38iBW5tdxVZLiiC+3e7Nsg4Lzk7BNrdrNAML3Ghc3idU7o5QDP/64Ff6qkivXn3JKnZ7ouUaV7cNNZDZLqCQ4DZPdXXImrwpaOogJwj2KfS4/4Xvp0ZmW6kC7MvMM/yKCW03e7h2SbPqKOGY3Pc5H9wRMvC3BMiOibcVmaKAwLO+z+Iz2DuldihHI4OXSBaDdGVJLg0GoujwLbrqChHbXvO5v0hyX0QYv5VpRv2XpsX8ziAnKgZVQ3fvh5RP01vh4xj5X5tXHNrmUupblb9tb5TgZmT9A0lGkZvpLG973BbjjqYvdaU/ImvJT8z6jymGDRsDqY6N328RMNqj2r9AXxVgT+FQ4fc3HongXhn7tAyBM85iB4WurtEHzgCD2JxRiHiZw1RjrWQwru2pINvrbNZLdzsMKjXyv73OFkx073KjhPPIKLlIymFWC8pYRIBCHLXW+YTFKi9WSdV8ypl3565D7JWsBQD2xsfc8zwv1SOuFsObiN5rGsfdr+MeecUDb1Bj4M/Kn1l60CXxWwq+h7u+wASBb6DKcEwKZXPY/ADVwn39mFqnMjYRMfxhXkeV1JbzB886hykna0if5AApsvEYI3A4g5lWAJxVSBDie3E7IOkuZMfUNtupHUzlWjvf6v9eTuG0e68qMGMS1mKim+th2iT09jW56ZSy0PD0QQXsxuk2Rg/oiX8plDy64FWKZvgEoUosjwV+AJlgT+X23Evpym2aJ/Lzy5pU03+e6GespgpBMfmVUHuaFFV1LC+DokajUfliK4fL7UdCDi0in4Cb4XxLIFIG8KE9YH4ur7PuzsCxUAYQxf2rB5gTfMN01ZxR2xxi72Y7qW80j0kyM3PJhOCv0xVSg8e18B+VsFucKcPVHe1mdHaeUJs8yMgi6TIHBkBDmpKAyfLxdU0bKShyhR9LAGNgNdAGEjvp1MbMdVvZZts/GCHdz5Ld4PEio911E3CJlIHzbOactDbWM+d4qOscUZBkJ+/tI5lDzt8TL4vBbF2f9bGW/eMmTNq1TBtkq7Q/sTjJ9E4oyoxvT4p8cubhFwLrzznU7Eg20gYhAl+czoPKRqacULHBhy8d2wy9ASEcBIJCoybhOgxlXeRL7K05f1QduvSNiFqIdpzmWPZJXpfZlKRu0tXkzzMN4U1pw+DzqgKL94TvMY2sVSBfW70r3SSz83XIemADUbEO5CWTw/7EtfY5+eOddBbiEhIoj4zR1FQw9T1qPunJO65VIJIZYJ0dkgQ3/JgLpT3RlmL320d336TlAkXlwgYOH43NAOw/BWAsrvfjxB9KZBIttwtmblHXrKBJlkBaL6Gee3CeV8C8SZIgEp2NJf6PctbpUNqg7ZDD/OcIJWZPTS4k0dEtWE6cTIO0v9f0224ADm+Y0a1swMPFsX4HacxLkGYx42IjVPVP6OiZd+18/BPozvGgpahCDBkaKa9DBFQC8TN7YRiDFFi1EqXU8fL168kcOqv5tEKXGrjoheVFePjmwXjBpRG5+wnVcnyP2SKKqHDP7sN1xpQ9CE2HsVsMh0eO0H6tNJYglQT806v7UdZxxe4065zR5UenEu9ynJpkYNoOnZ45/SgmI/WSUqF01FfKQ+QqymbCmy4pYjK6KAl05QN3U1qYSTJGVUETNHFHsXo8UzuNUjIHNKjpQIlZQDkx6ZH1AqpdHeU7FYrqWbZpGAHdMEAObMVpj9mY0iYJWonlW57ymXubBsV0Vu+pcI3miy3y2fP6P0TqhJudQYc+llJmhlSgAJk/xbgftNN3eGTagyPMGJqeHe+1+xsmkoFqZgECamAcXjZlCLsfXpAKyNM8/+Doajb+IqxwEIw7GA05bSUPuSTGuRoMyO9/jB150xX+DEiclioE+Lhxx7w4SRerGhbK/H/5wt/81ZakpHz2PG6Qu8OAI2OaJcIewHYB/9V7MBGO14EkSFquYJgawjboAXZ+aDtFyg8pCHFXHBITDDpx4OytO5zDKtMbkd+Ot1GM3u4hdRi4Y1VhLXIjSldACsmED9XriSUclG6nqH+JAJfoMPQgRhrroS2ZNKpd+InDkhJ/HPWX6KAHokkMaknlLJCNab1PfvBYteZY2DlegpbeROVFLI1/oQfrCBO1Fd2Bwze/tw9LQfce18JhR/QQ1pH0PFQNNKG6ObFYIdQej5QPmbdsWvyKOVpMaTLFoQ+rbCmmOh0WIVO2G1bog1X9ZTz+H93AfRhnldHbmtzXa9gCNHxFUwwqu5A3obpSaHBNl/ZlW5LPjd8MHfwVGJOJvFpFKMUb1t0yS0J9+VbiPvmnvx3NCnXxxR/dbcoP32RlQfkNL4LRrDSPofnRmdk1FUaKKw1SQJmPuQbTteEmeCPmWCvzNEbT0paOULdSEknIQyriwYuw0/ZWLHJMVtujq5MxqFiY86SYLdAFQO8/xaopEPO+6Ndatmsu/hbNM89G18LwBQ8GMfFGG71X6wfwbe9D5onJcEbiYlglw0zUN3+I6Xh6J6IJb9QrIp8BXVzkJIk/eWrtVrmml7hPvGOIuxlePnoEc3vvFwQyiYMkv85U8tj/CVwc76hoplo6Nw5Ve/k3d8l1iqDNha8+C2yFREgIs/8Ck8KYRwsPHZQnQ552DRYfv+oHC0/KEszjhiJOqpLgTDweME5+kyQYolNpHFqKPWTifuVlYtx5ksyaaq+rEZAp0E//ddZSQlkbntod9NhSIPGESItGpaEkH1vGeHHMWf+6GqvyQUR0yxBs2Sk80Rkhw2v39Q/5E8TduMNOkE2lZHbSBqe6qleze0yVs4eIC4IYGk426G9T1/nQAyk2sB80U7gr0Qod/2inf01ORbpOkdAox0rZEo1qhcdG9MLRbXTgoOIDcp8jPCiw6pYRr9JEO9miqgY7pfX2mdeV+OfhTOyZDCLhF8mEnOxkc8wnDwtuQoUK8gjAjdCjCUeKWpB68/kgEjpPvAykF0BiztdaHUW/BEqqOohlD3oH+/zG2uaJbjw4uYoGblUZLPTEUnygLtRH885j+vdYjC7U4qE/lKHDHJ1exWQK4ufkGXGQJnFCQrGcU9korUoQF4PdAQwazJmOy+alByN3+k8nmFPm6VyELMBiuJF/GrsU1ltQWK/oRgvRxLT97+Jsgl31uMake/LmqE+ZYtHgzbWvY/xeGlw4xb/nkzW9P2VKfb1jXVN0P6ZkJvrap4wl3dCrWs8/4X3TH+zblogomSIjYEuAboOah3hlw7WIn6/z7L7NP7QmDcxJKhAaTXdABDn6KdNYdodM8wPSenIgdxKLySIPjzMsLZ+jipICYemkSbty953kZU70kmlNyy89bQXvTzRo4tlZmwzVICTppb5aOe3KjswHJnxsPHuqr+qJwkGAwjEYJXZ+0pixvn4I2JoBQSsoZ6K9k10j+cj7qfC8i0qCJp4RRhRGoSLVaCneSUNNDF+kkZTXPE1Dd1MaQpthFwKj+gmUYgbGNgEr0T0hNpC22pOPvKaF/BKBEzA2kEPfRA4WIxrDHSI5L7DyfZgKVBu8dnJ6sd+c73hdmppNqNP5dw4sc/VufcSgeGDkGHkUlfPVFVEGTnyXC1SosZohJ1Aa8EmmZAmyyxMkGOQHt1NfW1PPfa+llbqEZgHcdC4VhBjwTMtMGu69xkYiYA3Orn+gUG7B7KyQOag/eXZian75OmJjCZfyGPUmyQeEI+r17PzLg6Hydtf9yHidkwLI+ywwad9U8z2IxSwGgQA7HLJP7FIGIHB9DtaXO5/Dk/cZa0ThILilcwKQAjWouPYlfvxKOXSDxKWnystvE8WT5SQe9z8Mpd86wVFAC2M6nHkRKbk1SlwH9OrwrkLneqysmFjTnx+XnOsEA9u5aP8aVeyT8oM2iILgCpdCRvu6FqePjya/pt04XnhUv6FLa2tbaNtOqtYv6nkmj80YZJyOvuz3f2wQZ4TphxNyb1dAkpUwctQp8uHWKZNxXm4c24UpyJKIY8JcHcByKUuXuUtLlC1/RiiUlHKV4vLZA0vmO9Vo0y255Z1idqm3uNYfsZpVv4cJVjiNQYdoNUX9Qn3Q0bVfY1JW5QZvSIa1CAOO3Igw994UBO5Edt/q4nnZG86n9nhI26juINcu90PqYurAFJ6VGkmeNA0uN4X8krEbcvfEpaJQr5J3rZHU2m6c1a5ok80yWGb9r72FUvDGxcUdBn7FjYN5tBT5AVLsimyYY1X94z8PhBgmDrseBHeTDklQEkRriMubuziFFc9CAZLkZ3QD1uiwp/LTHBi9SwvCvrE3J9E44WvDjxh65t3lzg6fE90CeWAaX8pDmBmWsT5gb2MKDlsAlZuv5Zi6HEnnTWSxOe+pH7VtA2VNoMeFyb2EKGys3/8ZX8eQVW7sJOLHBkCXIzy25+J5A+QQtQuffBgdVwSCg09fTRASlj351HSZ0eDj1RVKXCpc5wSs/Sywz2JnQBnmqImAjTzRCQVhuyprN2Sts8b7LmUItA8pjn97loPu8cThAA0SF92Kd2zeq+WtyCzD3td/fD/EJXWId88xtqRssHuIy7kVmF6ldpEbbV4VTZv3HcEK2UnlJCh7t5FH5tVMvtzO7kDRRGMf4C9iTtSqa2sT1E83lEU9gCbvK+XNdZpw9T2oT1U1u4uKy4X9ojfynaIKrmEaUpKKlGrv8Gp1BIQGJgYmoOj0j5IoaLyE03eIn3ccxttaqR451f8qZngXrJ61DDzfA4OieGM7hXEDDiL8ZZDGb7De4G6Nmjufjr0J1L2UbUawRLtDU6HHRuCJc1crGfNmhMDmE1N3+2Cmbm/GS9e58Tx5wCOOp4+WI+hXoHans1STxxe5XRLV4hiYNi24SUDzzFiBrkV6Gf+tt8E4r9YeS0nkTlGDGx+wL0uwh7eSUxhLLRWB1M78fL2DZ54y+oDQONp+kDyed5TmP4SDmLdQBfik2Ehb72ly1I/epQE5kBn5v4e+gxiPaIhq7WPyappSGl081qRs+aCRMTJwJr2frDgt5B6rVcAvmng1b4gaw3Ei9ivYpxws0I1YLBeC2fScDr7oIaAsME3SU/8m6Q3tLrOMNa3SyhaEkFvdz8HB512i5lMkbprUayzyNw5U3dDq79hhazAyP4UaFhTFQohiO6Uq41F2mXfOCEBEjSiZFaNWECcAlhtYt56G/gAtG4qDmRqrZ1ux5TsLRdQrkppjGOF+CRGSOjt98tPyXoGKlZIipJIqavjr/3OrGnmzjsKt/6ZRLlko7I7Z8wDd5q7V4MjfBRu/wp1Ic7RMWh4j5L7LCulnX53TNWmaLNvlTx2JLjgiolkVWJZEHXFmT8vB+GzHzOyHUYffEh7AbtjLOKBpCfIXLYFIGHbQ8EkOo1nezsPgXS3lkAjbAYM3tXplj3h03TxZzBD74Ig1/Cv7rapZRdViK/1auFmYcDL7M0G5pM0gd+9uG4+vOnbMfwP7uN/0HNAcKM4C6St46xpORXRFXipZeeepXEU1vAUDbBQteXZ7N4yUFMQFs1+HA3rFEamo1Vwn6NFO/PHlvW/CBBIgvqYaH4OA6VQIHfqI90sIHIS0oSy17z2AJR3ALJNxnMF4I1/lul9g9h0+ETJUDA177mFbGxGZ7jjvs+EFla35QPg6YmphHLW5eDkakvyhjTfxxr27YY5kLF58z/wwI/WrQNUBnf6Oc4JvI0OnqQBsXdizLYg31HG2dq3oxQPPhNrySmEaKjzuNK69W6BufsbuK4bf+yw6GDHQHZ5gOeeW2kuk8MoOgA/27oGZOmolDdPql6a/Nl8q/A5MFg0syrhTVJREwmX7uDA1MD6hlORNqPhVyjDa380EeSK0r4U48t7p+Z/PcUhoWNCFxeVwzLAqpOXyTfF3HoIaWdo/sMGGlR3Zf3TXluuPEQ9VDs6KTvbkWL/RV5KEjv+z4mUbWgms/o/VfA5h/3Xa7F58XJ8z7TYbupg3hc+QId5xxwOJd1lsbEO4GYANUKi9TissfucVlDUr5rsX/hKJoMJPkHtqnJMEVOifFQqu/oFo4SjfFmvEP7RGWvF0huy4iLncNJUgFp54V+gZeLjtrNL1lgRupMZhV2kDMrgJUInIzTDDRytba8fchshdg/Bn84eSGndIKPShY20s5OUwC+d0zhumXuIdTITg2k6EFOfTMBJfWabx8LbVkBhAmtWW/eyHGx8RrMPIZI9G/0qD9doh46HJoBianLMJ5w7ORMCkH0q5tS3cg5GPXdn8UxrGqUIOL35ZJxU2Fsfyaoc+9PI+FHji8KBJpxo9gEybY/ETxOQEw4BwRYc6v86SJH5DQ8IYK7SVG9hnENpOfIBDrnVS2lYizbHj//o3Meqwv/AmXzFBVXwsgtl5Rv/0THT+BA6H8peO3RXlC+nkvtKJS3p7xZqNlNxBIMcO33lJGdVFNN3FkmuWfoG9abdvzQGrCYRw4Xup6I5imtF0t9HWI8SAqM2nT2g48nLQPIRgYAw1kWGTbs8vjD8udRDwYBfiWoxdVqP/wqIgrG/gYMinNQtl5znmmvr++eCrG0jLsJjMh1Nwl67JfLgvmJPyvQ8WPKivvinHQZ4bLrY9RruIOXPOy/e7Qab7jYh8MArV0x3gBGNaAfba4a/xdH6zzY4zYX4hZv0t3bL0yIj8LKkvgv0itNiqPiEnnvIxBT+pZNEH4km0hk8IZhkIh1z2NNpbOGwb5mMTJHTYZ1dqa8AAAD5IEi4rYkun2/aJg8Eb/VDGxlgHuVhwUc1RNYrYQeP324IgK9FzyfOICb6IWFb/GUAANLWNrzceAl03x4uIROBKcvBGq+mBtHrdWs+alas9pucMuPD09DXlNuv0c0g7j5R+h9XcTnhvsJhLW2XSOy/zVKV3HVEKM+TkXhYVh9FqvKDzq09KOXPGWvc1pBDGy6AeFFMfqKWBKzPfXHbQjMGMaXph9k6L6jivu5+aSdHO8CW/GD11pVcsfk7ch3Sm5Oi4cKzCjmM3znEWj8Q1XCC9j2Pm0fKVL0qXwmICDkSkFlxBDVsuXZlU80g3RBoL+WIoDShU/LGeoNpnhITWG0ZkzFJDzlh6vfx33gCctU3Y7jf5qvAgGLLBtxeFIdyntZwLLyhh0wbNHAEKkiiuc1Lnm81NEm6qxAOR7tYxNs2q3dxDYb26uV80gIFhuuNL5cCLnfri/oM/cmUXyB1wPeRIWnKoRqLr65FpdLD6aViYkVIrpeoAGoRILPlxwSBCa2K36PVHpUntaPREeXTe5Z5o4dPQ/U4FQlCtmUzwug+0N7LlQ7iOc7C0DoQDi0aAOV2GLs/a7KszHE+JdoX2Iqxp/THEi1tjZKtypDj7GET0jrAc0ktmOdxPecIFuw3Y0vIyJSRbcFR/N9d6CHsL/79IhvgV9+J069SaT49GRL5x/OVxtLh4p95aXEnVZHirf2tk2/5k+WtwpNdaarBH2rz/VkJYiRUUex01pWmgPFoCT8C1M9tXFaeU02KLNHyr7HFijq1+5nJ7aFZv6CUNsIbKbTrxZxmFCY0klFGfNh3o8mfOPJQUEtIvlXUf+EkcNyQMZFnkeKpmC4ckAvlVnrQI0HWzRUcrV9IgevpXglZGHd1/Fio5Md2ExO/EhzsIF1sKXeQsTCnZOsGJPWDRwJBI6FQ42bAJu73hH36pfX4WRwG516YJ+8KY0I6itM+IcjSeFGQLHuNTwBp0LD3HgJtpjs5p2u3UiOLqE6vnY90rg2gMIOV+Xo1jA30/GmC6neEbGcGCRPrTVr9FwjRhTBowrN/1vsUz+L3s+zvMSMofnAe7IAjEhge3yobleFN5Rp+xGT5E/2NSPpH2lop2Nmd37bsgh/Wdg3KmbQAAVNni5CMS7gRpkAef2jL+aL/XK0ZYnjMcIyZmDHzZfmNwe4qlJy8qnrK+5C/xL4keL4dmfS0d4f4d+EaUcCRR5Oap0FUK5Rc96VJ27goJlWdJwkzZJ1nY1Zm/EcvbeiNb5miq6cF/Uq4/A5vsMOt00X1gMBWK1MlLDyfdRHGY3P1h7PHHlS0NHFVfa4oWWnfbK76w3XU7penlPvU6yjB/GdJ9FY/hTyz4VGG7ZBEgrpEOHNqpo4UXztr8Gq+rqwcKPXzJU8EC5QuxFSKgsYYOKzcTd0HlPhsM2SkDta3HkFoAt5XHbXp1B2K42R06KcsPo1ZZHeAb9lUS0ou0w56w5jqLZftgrKsqOPWw6+mp98IQoyfucF/+gOULwdb1ZS17ycKbgCKRPQsiWuWCWPyn/eJhHDZ+jQUMNo1utPgVdmxIUC03w5QdH0eoplm2DScoXchfBzMU6/Wc17FbTJjds8GQbkmLkiOB2OpVAUskqz9hHIqBhKSCuFq7KQEgZdbAhZWmEfSJBHjFvVsvhu00MiMq7aQXFJBycVtmhe9It4khN0mxoW46eyn9gJYAMJ2LW4IEDCZZnL9DmVt/W/zcfa1VgXEpiqN2DCkd0veYIkp66MiFsoOuxZwUba/rD63tGscsgOCUuuVLF/GgUs0qr36gQ5stR9AGTDVqMP/kHd1WPqr2oLWYiT5WMzWQrEnJajjJa92imCyLs+l1GGVNf8ABnF1iHcx5o9gpmlyjaCX3eCbdh1Hw2hYIG/IEdYjFkuCAEq0qcV/btW30FAYHYX8NtatRyppoSZRREZv77LC2JGtbYOqgQrnQXRVSHrqiuCm6t6kGmX/ledmvtEm/8PCKGA3pcjxpEfaYK5w0dyHWlSpiBlyO4DueBTiwafmn1v0qwperDhWomm9TgVgAzdxoFEpHENgqdgt+FcGnXxWpWiPWSF22SD5KECqwmyHp804V5mm/kL/tfRc4hRARKM3Ioa96njsRLaRRQ7rlLuO0MZ2cD/qxCCPcSCIntQdd28nuwQ3GP/aSiFTj5LgrXjocCorSOAr5tQfurHzgZaq429UVKcBoe50V1dmroY8lE8SXhYaf0fKHiPpQ3GltE5kjYe1quMNrb9fqGlFm6qa0Q4Va6R96hqk916dbSmcpFotRrP4HAA+PMOyijIZiJqylCkaZ+z7dco1rd7LZmk3zOg1C2sPndJuusFkf9GYd0sUL3xODDut/LmrVvT7M9rqn2B67mfNunHjoTInHa1uEYLXrKDtUgcH1mX6abwhVhcMyCIk89jo/UAm8+AnM33/y3JNctK/1U/Oxeg/Mw/ivzhY8Liu+fgfjSGGVXCO+SMAAfKenXFVfJhlc4uyHCu6ZeQUfCIcsaDpRC8FgkvM/q59JHDpfZpXtdOMawgQHzeHi0mxONc3vBLmGLuZjHqXNACaTbn4spZbzX1hcd1bssV9olUA44B4Sq1X8H3BHHsfwg/qQh7h5Mwz3CkFKDwf2XvNz3GsMouZ8lJpcGOhgjSAm3dddO945dMULco1ol3NOEjwyxJjOhHn/2RcqXN2RqgJTxIcMMX0abKLS/hH5Qrc/VD0NW/IQ146zB3gWUFKjsOZ6lFu2KeOqTtpYwxB9Em6L1QYM9zTpx8A/bEU0TNdhqDPsIaYVI+L6dmwwRD27WeR8YvsobDxQ5G+mXemskXpRMs99SiNM4RetDtjCMcI1tbvgeqRPQkKopFadIgddkotiJe3gGR+CcCkb7q1pyHOHN/AyoI0S3ghpShGMGstf16K/dYL1qCR7pzLCzQcw4czo+B2a1nCbpt4te73BFI0eafSF70UxX9I+WGaFzh+qE5ErL9iaeyZhxm1GhfN6k6aWS6Z4TUpEZCDWTRGBgBIInNKoPn+MfSgbzXpUvTqDOZn/T9KVDzYbrplOq9JIhEIEwEiBEu+CAF+DfOr/IyAgCFFTgHirNDJwSb34+AhNQtxGFdm3NnPZawx/J4ysnqz4cMlDTcK0C/qTPmo6LJPfuyEnuDAEH2tQfuH8LZYoGSnGvQOjNekAJqEmpY5QxrV8tRA9isYz1ETqR2o0ycBIOemUczpZ/xyC4f3ZKLPCcm7AFlElPp8kyvJOrogA9dQAAh1gRrf+Dp3zrzHmOp4cW4xQxl2CqyvPuEakZt60bIAKEcYKnnf6lC7RN1S7F0HparxrWvQG0cO8Ooxfx1gjm9p3vMCwedFevrj+4PvgqEv/74E2crtbLMCtR27cVWqdyqa0aUx6+Shhr6m8EWz+024MT/3Dc9E9jUb6jn/x3D9Ew6lXGCQJFU7tFsjTXJP19g2hAnuvt/dJIxBBK2dJVrRX82Lm4+R9m6RBiyN4X+Ylmm9v0PlzCvPbF7/U1EhYB7r348JFhfpYMY3IrpuO/VORkGd80wv5/tRidQSfxoGk1gGUcjfbLMw5LN5fKoK9P2NRLuA+/Ro/VYf2liU5/ND15Avz+YavuQ6wGBLbw2U5hW8UyC4cg4Vn66fj6WiTIfWvlwbydSbgVHVjxKtwYXk3gcKupAv7HA6Qu4tz7bGFN0gQ+Qp37+egy/xpGK1vlp2vNywu+QsZZxcSc5uWJiZjk1ETMNMhkt9lg4JjxuBTGm8pmSQyCMvk/ufPv18d1YozNY3mIBXIj9BRe3t2Ubgm6IDK4f866nW1kiFgHLheQzjmsA9qa+ZHDX6YagBU5bg3SlmcZHlUkOJRdsXoiM2ALr3NJUbIP2DWi7vbLJEjhfkfR6QnuT6wnUu+zM2k21o8h6TrA7QRn4jErtVhi0FfvPAGluFgVXguQE+QdOVZfALg8fylyoIovDhNyH0KhsCkd47sFULsD2G45jZHjGXkF76qc47whtm8ZRCwzjNXDdPrcNCJnsWOXE5TFUnBsHJ5GONCvTv2LoFHXL74IsbJAJty1uSUyI+ZMNW575A4Fq3E/ZwhW4gd3uD6oJ71Cr6L7PnbKC7dNcuZRPEQGZQhI+VZqjCg0FFQj1X1SQG2bzwy8418p3XRrj0fq0QniSjnJVDZ+pE/NCb1rEpN2B5rH5yfWxwVKuD5TCiZ5u29TAdFxJSSiKN9Mbfdkx6FuwThD+Bl2njF7AhyHj2dodff4U9pVVTtdmPU2Vi/khw46FAw7eyIZg1zVBcwRPb5GAVBjzy8y76YyBExeF+lMzA2kdKDhqMeFNx1cZJRqqyskcDEqo1BGSx9mKMJ15ckvdDqNwCDNoEErfp84WqDiiDlpaA0kpW4V/EB8W2qRIGt6PQN1qOP8cre93StPC0xuOZ7p+1QuR7y6ZtAvOkKf0c8XhA0efgJ+N8WOkvMk97KWzJSctlzAw63tICIHoeuKm0JwsOAQoAvyR/lgOdy3cAMKOtVbWigyqswvWrP/J1RZjqx0A+RHlnmlPVgEEk/+B8zT73fjqrzf4f/dKiOdSAPCpVEhxsiqKVjgLux8pVRg6hdRWIU1/8aOzOsTogLs/ne4Qu5fX0NXxmJwiA0J6cKyrr9TYFaBx486+9LKmdPMeuZI7mwn6Yt39LS/YsJMAJmqCT0MH2iY3YC8b3DT/stgml72nJOVubssWQWpu4rPJnWx5S5gqzHf4xnLvt69MBlJMA8D3Crk+C20l/DhvOHzKQ6/35ctL0eS0madJjajKF6Qdd4edONmFyo/3Xc95RFFNvG1q0+hBj4fVdzlj23Keqfc+tNhX4W0xCsn3wshGX12M83w0gcJwZarT5TvKzyGnIiRD6eRfo8mGgadnkbDc4w6i6MpRqealDS0fiSe8O6fr4O1a0ibPc1nHcR9fzqYMfFiKIvxQJrEMlMbSakEufOQL8/tzOL7exoVy803TVaqVOr2G+Ai2h20Tmx8l9s7OoAO26NPVP6lAMUJ4Q6ICvgOVDiD3xWgYJtipuIbKb+Hwt33kHfoUNfXI/zPnwShoylHhrlDHlxrSHM995AXeke3M0CTF5ke3MBU1pPP9EDUwC2dA1ZtBqGRdL45sj6eNWBG+knVdPDvXbFRKmRutZr/4yGthoJBUehZH7X80acm4WL3A6U/CfVDgmbwk59iYl3FqHiJdsmoOUqMHa9OouyMK6HqRMNNqDx5PVmbj2nwOgr+RZsm6AapHgtNPwqVN9b1XYbpUf873IMtB2XLMqFvuxorQYj4mS844qTT4DrcMZZHLA1N3DLtA8lR79ckIKr0pXtnh3D9+XfoDc8lQt1jeJktuohqf2qoW/k0Zu+2cmMZ3HglYxZFNHXinc35LSxVm0t1vVy4kCcBk+6PtDAymkr0/sPk94/0iPFonbpl6BysMuuLNl85DNUUisuB5NzD0TdVqgGyD4eMw0nDxMMcadPRb+UKjk95ELilneHcHcXrk/zzlyDhnrpzMktehTdSKyIqAALPQKh3/pSLsxkbo1JLON/CEzTD5dX6wu9NbBwB6OEgBB3P7ULi+JjMmNVO6N2KZrsw2r/EfUdTqG9QZKyOS/p4PmbyCVbtsh4KNMCycOMBkMKt++pp01+yhIO3RWHji4DSwDfmSuAu7Vw3UBYt0FFewiITtgGpPz++01m2pwiRzAPiyKk+u5P2EFBkJM628wyd3zoA4BASdK3CiO7v0lK9A7aSb9VL+CXF/OcR9Wc0XcC/Ju6Dgj0Vhqv/i/PT/CTjnSJaCS/OO4vD8iFTig5c/ijPeoGvGF6WEub5ssP6NYGLym+oWY55cUSl3CSyf/hbFOeUKc6UU+boo718NIOJl7j7gC/n3lDzmeNyGDG0iio6YF0C5LRVzo8doGem30msCN1vcW+kwHysu9XW+t8r7nTqAMNvXEwKc/92B8WOJyO7VVmxS1y6EvGbpTSf9O3Nadi3FmXxTqKMpzXpwfDpKZ3nSWFLKMuchPkOm6j0yeoU0wsSBXYUmXyPnskr3dXDQo6B5XjjOLu8wU/vSl/Ys5Wf2PC4DRIZ0sfFRPj9l1A3I5S1oYxBawNFSlYpJIuYUrbXy0YsbxtxMcwt4Yd6Anxrucz1AxBiXNq5OrPPyfR6ohispQdMe4rR5dxi1DGGOjrV5fYu9DcdusEaLyNUssVuIOIjFS75eya669mzOfUBFD57CkJOCDbWTIDfC8hIYc0cW+jXR4cUkfRW9p8atKsK4GhYqu1TZCJwqpWOlGQRsKJUek4CkwqEQ/uTrRoYkl+faSp1PlFj3b2JmwHLksTCx5/vphStiQebPmQ0Nm0AXDYs/EiFQWQF7aoXwaGTRBDClVJY88K1UwAoSr7cBoJHZpOMoF44QbxV3uUugXvtKq+SLL5Pfk2jXD2nxMDJ3Bzm5KKLzPrDRz3SMMNDWvZkg71nd0w5/3T9aGgN8dDmxkm67BKlVgnGNo0XCY2fMAms9FRqnwOXlaXw4IRxX6dC8LzPl03/euDFhU+vtV2uvsCzBwBwIjUA8kJUbGbyNhbrwJAiDjV+kLJUZDmOfvESkFzn0+ggnek2jhSN+Hxmd4W9tUAIjd/IT47m3H8ple2tknf2MAQ/3t7yRZKNKjUw9xs3d6mgQK+dr+NaDboHCAyBFEssL200rJwQUD7PiORgbPTvNm/xiJpP+C28t1ut+uvuO9ticBY+qWoUDBbv3cMxpiICQa8KU2ziaOnrDPf9r01cnyPDl09lcDlaw8W9cwtFCAxC6+igl9Cd2au3myQa9HmEC4dKOZ00fN8uTqnMIAk66x9Dra6grFNpoE35jNA+YCgcFmjOu0j1OdQzeWBlprkXI6NK4A39plVukEG1anTm0w8heiuP3y7QrW1XD2YoWjCtg8X0OeNG0Zo4xJDbkh+6ryMQYv4w73ZGV6kMwYjzmYLnlvgpP4PBE84Mooj2NtvLdNfJIBsPAWBbaV+0sVVh1jd8vPEw4F3kBc10wbeZpCWvgmAinSmOfOJApGKUQKqgGxBwkK71kWbBXUmyvqUR0qeuLbU04FA6PN+XrZLU5gAhX2DwUuMK9x0hG7HkKVB60hCXhkSQL7VMxoaE4G8oVhkb/CsGg+1TjHD1OTqA0mE1emmdfvcs+5L36dVN6Qz8cpe7g/KppeCgqnQQfxsMAInTpiUFwEc7Lsy1417bgAUPqTc9ZFrmyLX6Gp9A+HkgWDaNkOsr/C4qdpNiaNHu34keLh20lB+3c6EN8VcXXjp0Yqz1ZTE3tHHtmgaZj+gJcSK/HwefEhOBlI3iFD8Ei/abdlGpRk4QlBaPYW77QCpeZ2yJnomKSgWi2LrTIszwXBJERb0JWds7Beght1lju0C6wkgPOTMJcXa+V0K81J8jfodZrzL9tB4soSUgLj0v9x2AuNbxWy4ZjZXxIFd5Sp95vZR7T3Sury0K5DKfEq5FrSCxypIJSC7CiXkuhXBit6VORf6mfPdB7zygKT9I2+XUjFWpEIyhy3hWljeB/Zbu3crFBLt/g4z/H8UkV+2FhslxybU5gYL1kZ4Lenm1402Lf6MqXJ0HfIUzW8wgixBzIx16cG4XCcSJ6URcjjl+qK5iYwG+N0GI5zc4qCGmet3J2Ff5KaXQkJyBOPkTIZFNf5on6PaWXLRyLmgc5YizcdcBnPhfBsDiTJ3+VxiPsV8TlhXTKI4u6W8rvhGqsYKq3/EAf/DJNQJ9KrGN43Rx749Bgg6OJ4rt44SUgR7l59AewBB7RPWfyqqvlWLGqd5zWI7bIgNFG4xcTMQ610SEdLmS206Mqq7KKvO7jzlMRlvzxYmVfr2nRzcXJXekh2fpoHOZVEag8ddmJuENk055mJiBdQ/Lm6ZVEWyoEx2WfYUqJdHk/cgRXpx24ufEti+j+FrrHvWt8qIZgtImmvbIfidItFKIC72Em6kJj3ZE7fdljxjMJy1X3cvSSLLalIUSApgiR3yK2kcYyH5ZrWzmJOoKl++LASJJOiMYMDAMNLX/fHRrwJq2R1E0uiXcknbnwMfHXEiIxCM17Db5SNVyugb/4FlKYgYZT/iiJfr8S/wnayl7854LIKjCpWTitdZVFqhcCFM6nJNHhab95PiMcmajeH8xlHcdwkpOogaI9dkKFhfQRFsujgvRHt7hSCVxgoZSMEsNsIZvcNZSA1xBgm7r9TnQ5gqpKLHgpLlAfxWdSipPKinOiCqIaEzkryy5R6CofhFin9k0tOj/nX6bq3Ybrf/I/JKE15Iu/FB21hGtk0z3jlNlSj86cyb6B4CITsE1fLQvCftqDlDSSk6VgyiYOW3ooEYYZoJApPrNw275uY4HjsZVUYr4pbAhZiXxuEvVIfy2kXY44/iOB6ZtLloo93bM88tV3Xn6cw3rujF2FhRXGFZ9uHXTK8VobzvUh1KJ8Y6FbeF9Z8S2gnxX7zA9rjd8+bevqzV5SEqRapaB4LnjVN0GnAIDzv15Ytb6JkWeVb6kGF4EP2RDavh34iJpsaWR0FzPllDc4xmoIeOYj5LTK/2WZjjwZ628trRojhvK16plddETQr0FmeTk3A1YFUvLl9GcyP2KN4R85ythl8byTSLvO/HC/Xn1p5w6OKhwGcdXZrRXQTCYTwweC2mq8BLs2bSaH/e9wWOWfArECy7gx+fB2cN8ZA2owSgv32tT9MdIPcmQnYMv0qqMihGtSKnQjnusZuYIKufvDI+F2nZNmTM98XQ6eIvqPwGxGX6i9f4Yq8DGuE1HRgoG72lV9GLvpGgqykZtXs0vXmMLBijzjEXnSCSC4pTuDWyTCjUL1GSBNHAU/RTVbHmMra1X7uqNTWoCRMN0J2dhW5klAr+gv3NoV3iJryqy0wrld8H+Xi01Ak9LeahE2reaUgjgpXH1uHVCSDxFjx1tWLEM4MHobwgQKnkooByLyl+tBQroy0uFFl5P5hGYXOJSNdYyEaflizFzzNO12t0jxrkjV5aPiGmh5wJKzhThrZklUIP0HpjOw4lvKrFL4LSXQWvfLaU3NZ+04sz5wXnJM3ZYtY+hfKuwWlB3YpYI/4X4aKLbapNgowmgjl9Go8ouDzWNxle9uhvF91w+r666istIUvCUNjxyd9ErcF3Rwy8ogbbO1PrwMwUtQioDlVLXz7unoLk78IuRCZAY/1E1zR9abRBJ2DdBcGeISlXwk+VsSpvnnvE6Th1pnBYWp8QxPefmSMTzEdKbE+SV9lVap+r1phLU8BnfW3DEngSuNWIRmaPzgJRegUD+WABTbj26ZWn4KzUzsNLyasvbUa72bEgKlzQshXdmJeeroHB+UPlf8xm7oJJzDKFzeOnTaY6XMrCzF1CqiFchR1fUYjW0VZ2xJEkfHASXQELe+ro1JhN6I7Gxc5tvoHNgbNkBNHPT5o288KdNcXEUhG84TqDvCGd3rdqGxnCHvKJq5+bLp8IEd72IcOZUWHixb1YkgyTRarPUqt5YQDdrpebrThH8ExwL088KLuvjHkF0DfQ//5frPUr6lx0vfw0t0Z05dhYIkIcCl7MtJs1nHRqrdFHofzgWHxytoqTnNU3o8ZoO+KW7DgCY/AzzQJ0FHNC/p2u5RyNUze9IrzjPc5zwhh48rBB1Lg6YY2/xsOdN/leyloA6pFFbm8kfr85OKBKJr2utYNTHATwb1d7ugqu57yqFQGKV4Ig8HlqdrNwpFcPf3QCsUhKc54lfCC4Sqa01RUKtiCPjDAs4n/vVi7BGst2qZRZTWV9sHYxcrPj0+nr6gottHdgzlYdarDSzu6/U7K4Azvgqltmcfb5cvKHvmj1qGmI9Am87q8aGzn3gEuR573Um1lJNy6MnCLATFlWKL1hD4JU3vM6WCrFx1Eu9espienEAAcqJ/UyzHuUQCw4YZQ1vBQhe7B/4MkbTlbGwuyPFxkTuOJ0GIcolxassVbGbVd7OBYvuODq0rk4ZXBdJfcSXnhUERz3UEHvJ3zfxfMPqbtva4rfk6ZnQ1gHTDcpWp+BvZEVhkP3uv/wSYgObkwZCnVA5V4kS20RtJKdScVn/qyeyYTNac+TKs3YSzjtqN2zZ3YbT4W7cBcEgkwoHZYZ342LxW09Uv9/hpMUDO5z7oWVO/9E3wiuD7wzuHSarmPniWA8yU3czcRgKtwIX4kZH38ZLL2ZnQfZnNe93bK/DGHrdAzxMrEhohxASFwuUkz32ioOUSaDkGHC9RpjETbFPqlXBSgMhqLU2AMdcMiAZLPF7oKNSpV49ayLdXwvJBwbeRSYv0ov0/MHGhFZK6Z1nmb71Via9NiGqHkTOgz5eJj1EaAcz22cQidwhchndSZnUOazE27xr3NF1I6ic1nI0RXMnIQr5cqrn2SFFOBBtj+8ykEYVAfwhxuoaYWKNlF07JHy0dxDAOMDH36tp6X3MsLNhBulhnELwF0h/nw79lzAgTxZ/4gJ6W4CxvJYqtIuqN7VdOr8c0Vo3CWANov7o0fpllxZbVGUgrbGglUgBZTU9szf2NvDmYsaNvlsSkKyUXzzbGEygyDWCKIMI7BscVOOGARClsq5amAK0pT546/AlPuMCvgCNo6eN4j0AYSctau0kPIgNSB6HBlQlawXuaPTGkPSOA+pM1kCLK+6Hej+xGKy0h0wn52+WpY/4M+c64aJovrQzoytuANOTFwUSq30RMDsiGYL2HMy/zmF8G0si4VnDVnZWgY+Qg7q9/67efc5+dmg3ejbXcinAFzNnm3JhDWvhPx5zhgj9MtNt7A1Nbx42gXtp0QJherzXG3hVHi5VkrBZm2z3BJj8jaAJumnjnptQD7oEm+UJJr1eJ6ixs8Bvx9KfCBwnvlVaDwN31MuUu9td+jI/6hOXMZUkTyRgx2+S/pBvkr4QhzCnrjcUwfhsWJU3lzpvIywg8u6fQGQSPNgnpxGzSu/bKVocZ2w2NFh/zl41rZz2H27dnkxlFppRAiU/GdtGsLRJba/KN0MzzChwdDnZrb7JVxccjjiyHi9eWL4SgxvZ85rMB4dFAauVVm4iuPFfpuM/2AsiAm5uXgMm11qXEfRPR6lAA68W8SEHNbztQ2Tx/bUCqxst8GRoDvWIXkxwKl8XUP+epwmRL7/KnqSU/6K407ElccuvIBeMHK5qMCB+lE5d/Fp52vesMgGe9J2DyBq6lf2rsRtw/hagmtfC8VOBBeEFMuQ3elozCO8oWrUS2epqw6QILdNnJsC9TyJaaElNf6wa1dB2UOZscDtVM789w536qhx4jiIzOQRlJ93HTTnvarjA1sDd2LGRg53R2TKaMD3fPoHfAzBE/3mKgRngzz0Qm7ARHmcoXZQAMkUD+WgoYPq7Zd7vrWsNgI53dYewc9dHdfqG4JnlVExauOTxsuYaHI6fIs1wY8hYPuqKtA6sJl2eikFgjlbTzL4hP2aK+79FWv+QDYwNcEmFzQ7765EI37LomhqcR6HfcedzGOwnDNRXhbPf4d9vmaw4baO+joC8wFsM2efyAMYIhgG6rv+Es+kMZ8AaSjdDOGuSREwQld6wMkfePeFQnxaWg3AZh47F9QKmqJpb8zQDXbj056QMulAy+AuxkqoFzZwMgWhqBrjIFa4yQ2UI+t8vbuscslVc7elvXkO/4OsDV2XyXIZM6RB6rC6k1W/QK5hGiB3sh1VotLEHZ1WgClVXGxeq+iCAvft7JthFSLjObi7tbe/fFYAMg+zIn47fzwUP2eYIe/w4B01Yr0K7zYj4CTzU1nFzTM1HmAuBFbhAO/Ay1tCgz3QEcyN4K7tF043X5vEFF3DTMuo5jnFsbEhSVZSpAsBxirv1HK/LneoeBlH62s52SG/BqdHrtlcphoWNZU+WOEYwPFKMsbcC77e0G4xtR1bS7eIC2XiJM8aZL/637UOEOHcTcwN7WXNaYFDvUggeyjY+uUpmEOrQNlbCao57/DlVw/pH01hByemaEKztJscisKkCLDyP/TN8z0mzlQTiiLyeZGpKp3+w/GOTQQBfaxWqHODxstlWhpTOgacvM0enkDX+N1UOC82JLE4hWo1rkX5EMIlBPC6sJHX3byJ7cH9q9WhKRF1Pigdly52OeuWpOQww/UyApb3EqbV0lv1IcwK78Kf01Pp0WVVLM/JS9NXAXrK5r7djpAUzEfXA/aihmlugPRHl+K1sHUkITpw/qJC58kCUpWRaFdyxDAJedIRqd3L6BqbOdCZ+lYJXsFUAhvZr52J9Q2Mew7foYkBftzQVJqBF0CA0RJe0fd6A+wqyiwt6yj+l6e15PtLVXz3cjV/36sSQ45k5jG9O0oAVXtWUztqq820xXG7WG/XYFYQovs3Z1RwJ7eXb2lVGbLuU0L1TxE+qwXKgbxREZaXQhVw98bKf70CPoZlzO4Xan3qfh3UxvMgp9ANIP9DEIPxhEQPuutjMf13kI+N1Mt3BhvuOpgPT+58PfWRSS0x/xQGtIiP3b65FEBdTV2/pNJ7saEMhin0pXaec1bHz+saRDTi+UdRZ5MF26QaQq6QivsqkPZcofC9SK2gChb9bKHN/Lsf92xoT+dVHob9bD1I29j9beuVJcCLHQO5NQKVqsRkaYKvQlLpFMiJD7vA1M4aRTxDaAubToWXrgn/7LEf+owzOebNKVgPkkwWSiUzIo/+ke5o8x3DkVAn6yZr62Q3b9+PIEewtRQcitkl5rAWm+gy/KWp4QZnlyNh6DxEmq/6YkQNfU7enLQNAe/fPXhIrqzqT3WW7RYm6wSHupa49+wYCosp0ciQCv3JgZGrqwXyCE/gQvF/eKwni1DWkXaznJR51AqA4/ODf0xxuTXDJ7ov9zIK12PSV6gZmw7cQR46s91mGkveACIf0lbpJIfYVgtFE48lWzV8ZiTLIWb+cG1LUygf5hGm7OEKHoMhH1GiKULAxzJAJL8aDYVlRmO2G4qfZfEgtzjknLKjJ7GX0SChi4LAclWPAD4CUdsr/0m/x64VD2JK6K0CzSttiIqeIV/W8+cpvlB4RfqGqZTGYKOHXBD28n1Kb5P7lfW+I4Q9L+vW2ujAjV1T5n28n5b55rAop2wLLjmErYhxKjG3wBTyMPKurcMXvVxCfHNwJWtj4r7c+sWw+7+UjGGIynUxsBbx4yxCATJ2wF2rtnNkYHmgsvdTb9ErAfx9WhzlxdBZs8VfvqJP82Q4lLW+XuR70x6Jh55SMh5G6eOcxUfbjOqpH+be090hffxH8vVqv6wObaSux+nKPf0yJirlyIzoFIVw/DCMfEM4NAXt9tzxDF2fHnkWfUXaL9/nWW27NL+mcE2wpQBO7DSS1boMUjkMSy+mFeCWEIbasz6tjRMy7pEolnkefYX11boIieKe8hWIKgXw+MLuUNWVmZd82fHFEA4BNIIWd1lKqhcQ7fv7qKqxNGVAZ/6sja6d5Th33mLEEmbhIxuUO+lzakXdY/vjtBCnaA0E3cAV99Pt3eWSwHStvO88NB7CNgcLUB2kM5KgMohQ5zaxXjVvJUQhsYQUXbBPNwuDp+kj+xjLFrtZwbW1BVL7BemyDDTijJB/gk4Du7EA/e7U1xUtrGOIbAGOmoKimXmLMX/o99BhhPJRKMq/4zuqasYlaADQ8r2Hu+0gqvjieHRlCEspzkBr8OPWbgKyQWkjPyasU4XidCB+2kcg4as2x4f7IDsxu7KjSYr1JNdFkC1BqnlC9NM9Jxzsvq6uy3OUz1PW3mooY1wrjKcp6pZ/FUVeaBVAKmzvZs4gvJfV5S9Z29GJ04ombQi1lBEdTgSxPYfRZwLNTRYKfcIDyTEP5MZDTZgopwCvnDaYXFZmCy3EUa9fI9R3zpb9Grkrtw/B/apJdnVH3Q1rPOX9sRITqhUROzEk14+ob4Cb0F2NU0nzZg5rPb8d1Ro6FGDslWgM3EuCgifF85rMxAHrgTGLV6Oa/taQ6af4AVDFBLyO2iMac1YONMd5+CQoUmXZ/noz+/sYmkEOFrjI/7CiX+/dRo48tS7wyOoi6HBZC6UFGucXJyzk7y/nyIgX2YMMLGhpmbgpv2/vJawt3EJinjZS+SHwSmvFrLezrzHal8OonU2PBpoa2XLT+fZUQoDad4YH0r3M7O/8IOusHBTlqKTkcUHDawovpBvDG8C1vPZ44PO8Xgq2r7FOYSJHbdTXeSZSoAZEmOWS9HyvtoiJ92xK4QCYGeq5RSWWYNPR9vuOcITRobSFyp7oCr0OLUWnSvIaa0yqeXzq0DdzWxWyo20y9c7e4C6h/ubgK4CCk4/Cjq5AMrG+swQdJe9p6X1wdy9T7Bcm6KZdT+flSC8qGoWm+mtk0aekGy+Pa3ea6yPhx2kbnPpfCEGpqAlNDUOyMKqcTpjN2A7IoMGDl3GR6eo/K9rbBw0uFd4iqEiH1749n1Bv2nBDQM8XEN2dQlW0qtL6gJatG+LERBj6V05DRd9PzWj5E6iAfeSDlaBIcKKW1QpXr78yCFvJyvpwOUtMNIbGz4twxB045tX1KCFo35o+G14/AE8QSNnwrSa+i/Odr0OaMwl2iAexVd3N+U1OdVtTB5VPkgHYQYA5DpRhlJOLHdTPZ+vmgcGmQBNsFW+sYORQ8ce9aEtGxGDlgEcjc99MLiWQ4DEObP1aFfCyzX3sEmhKYpROCdpR1htp/jPkO4obFsuR10pwUfKRZhqNnI7INvfJlamD/j45C6NV75yO+7aPkgWJhr5J6S4iJJB080j6trOE9SVKdXVrgGXmYZ7q7YCif97bLqw5PiCL9G+KZj6e0VVU6FtcvC64QzL0rEjDlE0uLPlonLIZ0V7O1b5Fr1sk2hMpIOW47iWh12X4qe9j8vonFjQ+1BHU7IlMrjKstrrShL/aOTij68Dxv7GGqeU6TrVq6nrNX+tu0ily42vvYmSuwLBCLPFPo5nWVSPlls+pw9hKlW+ZYCDlhmqp/5avxp/wlpIdwiRPJbb2+LpTZKTzMTRiGpVAxrEoJsPz4hF3nRY7sUgHu/gfjQZR1YxCnQZ9qHDuSaLnJa1FwWuYsR1tOU2GS+gEajdyNpdyInovjDevoo6ydSfWJMPTNlBM3NXVfh/sn2iPuUOSbOfqWeTnfjCgKKCQ0Gl5NER+eJC1D2zKmwHDAHb9+xLttlXcS7Nw5embhR0jnKS8ppVQZjQp4HciTsacFYqmcDC1KewajYg/z91P1fVKngpm2SxI0ts5UxDF+kTdFprMSNfHnJAJYURpZPo+Z7t9FaaUjJhXx8IQXxDeu3vrJ6tXaLNeuWfnKJVUdD02C1U3Ns4us6dHKMU1pOITqQS+qJsYI7+uCz5rtx/MqoXq/UHahuiQQl6GAV2iXVrQL/H1D9uyWGKeSGPktHkCuIdFhhe9cv0IXAMGFD6xBE9bL5P7VteForJ3xEIqMw6ALUquEwVwzU5ALtHEYWk7skZTi+sQMB11HNiXV5kTnZeRWBv985OlLJyOWBrNvL51UR9o/UeVSn8/PYgZzWyuoea4RVZWKBUNApJQpT+ipknxTgIpoQ/lR/ggXwJBWI2lMzZUR51X1UdLYJdexrXCsopJGOIiJh7nZhGbp+jVhoF54Nb6NsPw8czz3bnBeUOroIzri+Ai2KukMRa6+Ni4DR3dyatMAZ7BzjCIBsuaxOEp9m3IvxRxv9XWKLA6VLlVbL07kVSRZEitzERZalXu8SEtDE0l77AvIIzdrd3mWRrVacT3GkKekUENs71G6dkBKd1b2ma86EIy+dm8FGs2jf6IOkzTCOBm3A7pfPw0EblknAvWZTRbluacY5D521PvlgauIV3D5zSNhvyL3ICmjzcZ1RjutnpfSYw6Zztq3G71YzOF5NEMTZ8SmV5UpZ79PJazIak9tn/gjKroqpC46lQriWD7BGKg3HBepWqyesZsLiwHLszuDxYw2K5zpRYEK2L65nsBoFb0uexeMXeZprBGc94FApnQxCcg8bxoWBkJ832RN/prXFE04/jUx5Jm11XU2Tno5zK3K1MAzJTLF2uQ7fUtHIk3Mcg0lVV7p04pgH9MtmP4CpoiVxon3vuURN78msSt3VdrlUpL2E7qcbl6UoJwpcsQgkyUe3Xf11qYRaGCsInTCZUoddBVN2o5W0G8Gj5zOKgEhUmrVrtyZSdPC7FPyfaqsxbFCaQ+jMQSLozHcUFDC/QSDhQDzWSsfFnG1SNi0d6NqzNhm5+dina6KedJcy9/gKqBcColYjwJlX4mw3onDTXeZkpJylzyQ/n4LhBEchqBfglLdR6ojjarJ1he9xdyL4zQbrDbpyYfNVWhjcTsJ16DMcx5E8cML81rnBk3SZx9zLAdgg+EUCjQnK7yNVTgQAr8aoPtkZHG3Tf3otsae5B9+5Vjvv/gCUKwHKKifpU98FJA1zUBrA0SjeXEnbtVc8SZD/P/WisjrAFKvaFHnDBOHWUFhXmhdYNdJ3a45ISx/Qne0WC+IJpy8ypxABlaQAOJvOOhMJw6rvxRd/J+CgOljz/YfnSYHVXNaJDqQu+8lcsbxeK3UfwvmkyV5FIsot/KppdckL+XrbFpq/40zY2k4DM0U1vnbtB/xZCp5nrctLe+MGE/IWLPf9qfApRH7VzJtRPju+n/TrI/OjP4w1TDUmFWQ73iNIfmSi8i9YRmM01eo4RVljXpW/B09uZEqjl9d+D6Skjf/EDzHcqYTCNuLCqtywwqF1JJDoXXRssMhW14MtT2Qa0T7N4OtgGiaQcwztrwnHNMKMj0hInXCLdGI5MZSedqRiHpU4tcs68hexMcrRNj4qkLin63XzHMF93ew6nfWqku6+xOKkdYMUpTUknVqLMt4CjXWlSyrWpazza5zqm5QQR0QPtPaoXl0D5c7qekTbWZnHOZlS6hl1035BogmSBRigZkZyLWdoJ7V082HRg2lfsuzLBdIXGkYbVrZDR5MW+s6VkgebC5PZ0xMyY5HBjvb0yUrMYaN0tCLBGu61mcxTzZMh9GWCEacB+7lBSbgsfhpsXgOpSfrEnHdolwg7WGLeFNpM2TKqG+DPYExwtkBr1vkeHXTi1Y4EwnYxrJeA+t4zaLhxqSY6+57xqeJiQ+Myd8EafIIP86ewEcblNaOcpCKUtL9i9r/jLKW+NhV9fQuKBLdm9AF3bszTiAeBSr4X6X3o2E41sCtyf9egMokFtO59wkamb3u4xEWamKNxByq6Pma6iUfujeXouU1dm4H8C1Hj1VtOai8G/N3n2rkTAcm16TraDIhZUvoWrpskswyWXk6SJoXvDfDjW8bWLzMA4PkF73uutQldGtEKvrlGVsOI1AucgNUlobA4j0rM7hXBiNLS6ZT5u9np3bE3hIcpmUg5HkZ1710sMPLaKge6FbnSiPEefb5SArDHzkqCKniXQKAURlS0TvvNB82UtN+ChtsJgStiQeBcgK29L2OYbuEB80JEhhYAc0YdeyThgWR009RGpmwT04TLyK++ML/BNlFb2m89OeBNSz0Gogef2caYohXPVslUyP/AVh+UKVRKjPtCR0XvdqcDqrdcVuKQWyUylyUJxu00LI5/No8rZF+n9BbIJihjuZ+j+o0fvsq8xth2voWGCzwU+Q+x2LubsKsfyr8rKCb2QH04cIs27aKsYUG2FlXm+InFgm5vRRZpRGGYYVLsBv4FP1wrOWtooP38FksBmmhqiYugWfSWGZxaxYEGeihuTB25Ojj9cflaZVEiEaJltx025Dse4XiSWjF3KL4DYE101kMfwumdaPeP5jQwSuG79p7kEBgmISNF2r3M/76C0w7iCYAcD9I7+J4372Jbi7OEH+aQPZn0IrEIyMq4aSrNLMEexPAA6jmWQXoi8GzV0fMezut50bC8JszuTjyYOQUSAHBHToGOylmQqgtXfTZOJfStBmuvUTXy09MAXHta9faQz2k5yQks5nAqDErNryN1WroCI+5GauR8LighI1CqbwnvFu1g+Vz0ko6H5p24/4J5lZ6XKDDwO6B1YMdR1NyRjhjBFXj46uOKFBzsdyunF2JOpv4PTdkkj1CruzaH29xt2z+T1fqi365kX8RkN4aEzRgO9nipQ6AW5F+/ZKpeVk1nURNY6PGRwNW3rmXl4VxCUnAp4iSa3gPto3NAX70K63kI/DomY2EJDwZzK8Di0AzO3DVgR59UElW2ZKuTZmlmQU8HtclkknodG8bYx62sCT047QbwnpzoZv87Z+9a/de2jLuyK6iJe2bMpRSEA5PVxuc4I7hNdY19zWR4cmLmejAzBLtG5XZMs+L9ylloVSKhXsJYZEFk6lwblfutY9Y7ZWhHyFuCSEnAk13Tp3y/6nDQhOgNTktaBE9tIHu7JFP8vfhm8pFyQu8GW23zOA27ryNNXvPXxml/zewLqEWvLdyvnsfpJSxPmUQhM7yMiGfIlqtCQhvNeWgh+8WwrJG8jBAgXzE0TZeZ0aK4XcHgpba7EqPLKJwgXJWHqDcT/rM0j0aFbPQiNw2vYazgp3IkA/jUpaVZY6w5BbbO53vfPR+xongkB842eZAVTddalvuiHO623dHHWeFNo4a1d/6XYizszVx3W2in2SNPjqjzLsE39lTTr8+JUigqPH6aOpxAtCkYDdZKB92VNBnAZijbC0eyn9hI6ycAZ8H3P6tSJmvp7mGQWg22zPB2XbGfRJZ3cGHjhxlA/lycytf1JSL9Ch7qEmrl/N3FLQJiXClSNMOS3GkEzIHiyMHexe+GC/5tlpTFTht1hMo1giNcGlK/ektjLmvt0M0YEYqe47cAG8Pu5UcOSyOpByc1pSFhWMD4pzJty5zaphivaD1fYZiUzojit3RDe86qh18QP6SvYu4xr64SY2AOKvFPaBuLJIb9KGR8uNP4z8VJsBj7VJLhFV1xSb05l/MJzHx0d/91OKuWINmeG9mDMHzBA7rwv684zonvHqxBHX9pWjOcc9J+1S9bjEpVU0E7DNT2uouqLzLNzcztzRBcRnbpImjkwR3jbnr+5yhP0dZQcPONH6G+KqFWQdxcWol3/i2xNSGgcmyKqpqPxC8iJqHEraKPy41GFvxZiNVZF0QhgPGmteZTajmuuoVEkDAwZjWBIrKkF1ip2LSbMHSLxc1gtqJGWBlBWpCIu1u2kziHz/Nh+T/owLE2xYvOY9nW2JbC5QhaE+zmDTWRyrtQdv/Wp10skuOy9R5CLf5r4H+dHv/CAYGFyrLdX6AxXnxsvXypsWHiLJ1lr6LwE7/2xoZi7nNcdGYJIRM3F+nSJxUH0Q0uanNNy9I/pnA8NqPs+/bPrqlRy7Fi/S8T43q51LYwhiPH3i/S2BFBMgO44ZTowZTsx3xwzOObrcLPVVyhLT+JDJXN6N7ROCOQ03NYek0OmEojTpy0feH3yEyRkuMwPl9D1RUvG4FErrD/WkrfCTSimg8ENIS+uu3lNpeJFeRZ4Xnjo2d9gV91nJFI7DLHzE0GzKKGJCgaMe7EoJ8OVrDGHPlCWFqCjjcC/GX4NVBOqWBAwR9wcu+Nz2nCjy94QPB0lDGNuRmuQ7iniiVO02L2x9NH4oua19Hz2d/HV65d8vbKYKUzCUug308hCbSGYJaRMvON33vvkwvadJHTUzO/Fujl3ZJY6KPMTtORfF/Zi/iOT2Bhug2xPsL1MCD6/R/xETKIlsyDiMB+/wRtQC6LVujjqD1WB8+zwBeXrNhIA/SP88OCFtTe4OzKhBJx0cKimQ9+o3WH7EscExnjamsbkaeQ2qtD1SxrqyjyIhHFDcFsTB7VBeEKSTQ+i4x4jc5m2w6tB/qqgOIwmBuMPB+NF9RqBvnJEL5FrW6/Jcwx0+faGq7uLCbGWSFEjL5dWpeiSK0D4xWZPsSj1tJjfNuWUbsfpA6ZajAQxEgTePcerRPhoH60JokXyZOVB1hRavVZjB8+GP69ps9M9GBXGOFHIMKrwdY4BFLSalKMra7OMwBxf84c0WY6cd5AZchz+KPTsZObwLia5K4z6MH4ngnw9240OSWYPyvhp8Zbyd/WbMmxIwe/d2iZDycQ6cK7YSe9Z2Bu0NYiRsR7qAA+gxWI2/JIQhsqBcJgl82MTkWi9/NA5606/9JWx+W9PNrxEbWkuqTudYk6KIDmmJW2nj/BnZfgXnTI+8OQmetgMcXnv6jFy5u6XuUaApGRlmQ1UNA4Q5AVmCB+53Q1HhVjuUMQRuhamLzsM04wXTe7uZ9DRY/xIX73sn/zfTxorXv5iBGdXjzguYBicbs0i2us4p2IwF5LAVJZB+fdHtlVsHz1gMfRsE6TU1u2F7pWMm19PrjybZa4qqrTEMq7RSV5Ib1eSwziKzFdQ4ubw50rCc7TnQ49IW4H+KCXSE3D/Oz6kn+eEINccUabpi6TwAiVNdDatgFvZcb4qmktHuFkqT6RqZIXDF37YUHAwiLN3AQFi8ftUMAp+SKuOlExWhBxUQpMfDEMcF1ateKE0aXjl+xVGp41agGonO/M9ByptD4ECtcSzylXBf2YWSfTIicrc3SV0e9asbYaeUkZqkh98dyDHE3KOe1XnTLlS4St8jYaI1iJTN/86V3zdYe4l/Cv2air55SiaHLGAf93MTLcX/oW/Lcuv23zGMFv2Yhix9ok+QDbPzJEsFauQ+9fgVcBfadlSfmQDf2bs9vxDAifYmFShjO1hfozke7vcas9ZyoI0HnVLTqA6O2fNX7Pgqje1WC8jLhHE99KevRCMhoWm6HKEHC4R05SfJZyEMZEy5RwWrsP0MXICYUi3WYFp6YLGP5ELC7IQRf5VmnjX6UIicTILOkGE9zjNnd/bc+P42OtQ93zBX8C+QzlGkjzR3+SBoYe1T0BDfzElAyS7uxQjSbdRRI+qS9uueK7xXBgwMxEShBEasGGaIQy9l9gSFbkhyS+krhDDUaVPB1k6D5G/DIksrfQDPHdMr9L3pS+J4OOA+FHlCqH61dtIyvh799KPjX1BClSdAy2/zO2LwApDYzjF0Ob3Nc+T0DruFwP9zuge+tnK87K145ANJH1gfRhrE2KjkIQ1SyXZIi457PduX0iKNmugY9ywHYAnRmEiOXxNXsG3el1s9PzPJ0Cgx2NCzJEg+j8nhflV61fXR2ydudzBAebH3K0e/FgYi7JniEuSSLCoFY1BVDInW9dNIisOfK8nDNnJ16DJ49JFoPssuHxbtKr59idzD955OAVOjA6eChHHm1hrj8vTntNQOMxXHh4knF18mXElyBKqcMfiD3ZERnn4XGwgIH5Vnj06wAiJGNTgN7U481JZfR23cbuPg6nTtQoUl5YFI9vFLFvWjXmtstaO+TnYyyA3NWwY2hqcEvV+jYM0vhAR7bumpt+Q4mYEUPxZw80YBK6e2/ZmEv8Mnk3ApF06p06kuMpYL9BoSflzJQg24e8EjXETbOqlu0qE1eIGnnENRgcOyYtCO4pjDtIMZ3Bh0VSBmfXh3IpFUeOok50Wio8obfbVC1dBzUKwhLaIH2TrCM5qtViuaNK9wQ0FBSEVnrKFKejsmi4pKD5hiBpEIElp4MIAtHM2TggIxikrwET/eQzS0LK4g77H9Sv5+Dpjx+JsZOLADkF3D1SuaPiDmLKjx2vtus2Uk0+Wv9l+Kc/fmclpYiHtTo5SdQ5cWOOVS7BialMNyt1wmOsgTPT8FJgzbFm81jAugxVswGiUd8sIy+qVM1fAHt0PnbMhZ1SqvGKyZdu9ZOPoDo+pIGUE1ZvsWDe6xyyWEbuozCQ+bds2Wcyp23Q6FH7zaO0lpimJQQt594vnp4lgvvUrwpOZS9+rZqyrVutUBs5ff8AMqyh8GWyatfQxjCVSDxs2A8+v2XGOxO2j/ywf5AEObHH3b5xwXRrr++P5ZL74cTsmpLCoi5TRQubyi5u7Ot1ydZyH6WDZ0cb/+WyAo8cZ+Z97fwfrWLRUAUByYWwU1kZuwyWHrqnwtyCZxT6o8TJ/OC8TdBgkQdTNhoGuIvoJQ+/NQT+fQuNdEUrX5APibXswRIkbBmvYpEm6s7t05BSn8m+FvKaCs2gwgbMvzLn9/9yo5dyS7MloIVtg63atqO4JH4PLXw1Bnp2hb19r3QKjnZK68BdiZiQUoXMX4FqGggyQwds8rpomKkUwjXLAKrDJPE4/Ml7gOtjYP2H/ReZzQLODIzFiYsoKuUY3g1oMOUbO2UaflhuIVb/t2C9K/n7zA2FuQh1otIokiMP/uW5Ad4yhOkNfQwztskzuBwk5oOcBbYwtdqbs6LEBarsPah0e6sWTli7xfhICnjpqE+wasaDYW5v3A7qqFe7ghuqDbwr5i/nMc5SRdljG7c89aLyvImVAfadMcOmTF0YhEJ5ZUlaceACDw1aqaTqrKR18FHNbxxpdrbU4p+dFyqCE81nhcfl+4yalZ7HlBmPPAj66xn657TSlZbrk9A3nzCCOXIbayoEymNQPntwmkU2C5pFCfiiQSthZw4Z41T4WhmjBEMAcebvyP+e7GeIKLN1HljxGa1ENl2QaR0/XyEPpUm27po1ACJgo47QoziVvS5/XmFVThu4d1S8Yjr8UII+Ycn4QpCiZnFuHsDcTPdrIM2IOkJQrDUzlVhmvrd/NJb6y68VzdXX0ppciITih+9xJcYNplZdtFsdCeryw3oVMurlaI7vsHqFbautmK9cWCkRgNAf/p2SqLLJoJdelzlZ/csSfO2a7cSqG4CBh1z+h2diNH/ePNd6p+v8txMqPSLtXYb3PDuObGziSQaSOS8xcI2GE2d1VfF1cV8vPNXx4hOuScbBfG4M4Brovsgkw8xNqMe0VeItE193D+Rj9CwMvnb70ywnjjSYfUJifXrnnrasmJS1bNcX0zugK0dhANP27eJQYGQFAjrqvQbe42UxHZwUjSqijpBmY6LX8MYsm042NLvgWH+YNQeOnNSZEkCJWz9j6KYYmx9nmOoln1LNswteOS3+AikhxaQNMmxZIlTKnby/GY0Fkn0XgME7fiBOCbp4Oxt2a5rU6cCY3YQ28F5MjllLNZuFSuOHseCX7N4Y83HnDlHwqhADrqDF6WUNhGSEJ9J0AEvOv8Au/9WwuJoPH+RMx4kqQQxASDvLtbmSyLTGt/+/fxGkH6B8lpToyzdd7vZ9MUa5KgPo00FsKx342Tdl18UE0qj6FSi6yU7Bi5xLnX8tmozFVqqwXJoawIcdNb7NSualEX3SahLA8sCGiKE+74ZcCb07NVfz/gP2ciocwM8IVagyTMwL7L8gHpSnfCOSuvgvgSNjAwxsfeiBT+nVY88gTqPWupc7CHxmNpNK544wt4ysJaasKr1heQNyh0qsJAgXQBMJGEi77hpLwkQ9IbK9juXRIqVFcuaw7oaT1v+IvGR29aQ7xWZr94cnn3W55vfZbQVtLFKuZ76UirwxcaGK7w2SjqFpIaCmaN7UtWMPe83eirdqrKsKMk2nFi1BLZLuWaI2SAY54fI9+QRSI44XeoyN/x46BXWS3Gpe3hWcVsFeg7p6o6laF6xMiPvt+3DFJCLAhwTqk+iTLLE0NdM4fi5Lmu5zRNwkaK1i39/tZr3msF4jKkZl1pCvOugsYBjJKOTHGEylGWATrifJ5W1Ye2dbIBLDolB50sBnKnEMNKD6NuFWwhx8XQoo4AJT30IWghbiC7CP+sR4uDVnqODEWqLe2aFTx9VaG8Z48Eny86BJLEfNbaSVidVV0xHmAYCNEvoFW9LNTdMov+LSsU29VtMGDCATILiY/fo6aiVp6dXm7OrLlXOQH9VEPGL0gp/pexB+J84O6EOp26SZvCH3UKe0mKQxmfEV0Q1gw5H0RTWWU+oJcXMz07T9lEvygZYJpTP9b3A7OAduyhiPlseCIWv3HBja/LCy3iYZh/BPSatXHtpB/rNIo5Hwji+MaWxLhl0PCA6zHKQdiY1jWI+blcswO9N9tmnSsmunFHXrPzIRpYMj0Ol+5Ew0IZp8xNWB/asNirwPFR2B8AciTgBlclmUKlvT0iJnV2qEtWkZP13o1aMq6ym89Ql5rBOKg1i+Gr7HIN7XQ9h93J67NmLBhiuTEaB8RbmhzhtDILZxTGOUe6Br6SF6fy7YSE9VssHRWr94fWyWu2IrA0B6yYsB2MPM75QuoDjC6wNRjXNgHkiplmK3aw0X54D9DVGkIn6iQ3UdkBhWiA/CoWu9Mfv4Jjdquh6+cWvmc6J5ioSOwwJOo5r7kQxVvEWDcsauqP/48hZg96i6AlzBCfwGQZ+d3JYMomPw2VG0hgw4jAaKJVZHc5H67H+bDxkg6vvFTrYYXzTsrgCSopXPM3asSZgcrPAA7i6j35Our4goIpH6nZPIxF1o4Rkoizq8J0wxlbNJ7BSOsRYzT5am7xmfBCW+wo7NQY1jWDnA2yv9AfSbC2zdOEGQ2GUfWBh1WG5YGfr19buaT5YugZBes5/x+6tbWq39baJzUsWlP0nIPO1frMv/HVvZrmHPfhnBPJBWVY4KUYedvEKoW1KsrWWmr4uK481z7CvEccEM95Vq75jVgVuyDP/xw6+urltcAfVvmaH7c0jhLMYyNvyRXEw+NWedHNWhdsw/wgH8ZR3mc2CK+LpVpTjbJ+/3DT1sltUBGASD7YlPLA2+An8oTMzEQsYY9qOlUasUu1j4ANIyqRbCwbI3RmFtrDvNjr69K0Lk7H6woH8WgdKKktuNhEEUMVa53HsryX+IOSa3UyZMKXRtvVa+Ht67iYY7RfohvCzNasb2d9HBid6HZwTtExx/MKb1Y3eMKWQGaV/iGrvyovvKmuc2YEIQqjtckDJmbGklOkdBmhtev72cHv7Xa6hLrcxRAmEBt8EoFvhYkWbbv50ukXAoValw5DCPKVHEAG+i/Dj90LZbLj5M/sH1F1ZQ4rn3XpSHjWKmGXJKVn2YR/iar92eFHG+ckBM675z32+gJPIM1SY/jjrjE91MnG/g0BCssc9+CFqDOd4dzuDTsDkrYon54Qteg2NgE3UfMkb2qw09BLnLJKm1ua34z+OdAoHkr0JTSBM7KGR3y1etJmK+4Rmg7EbrgSA9D1yQGYk+6/9hudGcCdFgmZ+IUTOAnkBkh41tVsJRFwPeDlvOGniVy3us2eG48m6KkeKZh1p9qLOFAvPIISmS3gsmILEpiGIsUWkYct7SlFRWxf8Wk6EwvBtDywELzsMmBtpkfFtrVWSzqh0i5teuUgRtadF+oYQJW/VsPWqXGnZEcfn5118bMG+iLMU7hLQ3LNINX9xEBGoUT+WDuN3Zl4Vvg4VdzOBOnBIaRO6Pju9fOjCRvnvR0gmCweiAOFyFKzRn2uDERB6k1k3FDfJgPrHDHmzoSigjbAOhEYtyRp70qaeePywtZRaZR045+uZvQnvm5/aarymhmk/Svxh4FpPSsFaPvKofIfWu4LU1JoNAmorBhumxqNfWNqx6DBtaUBP3Gxyzql7EgDoLQcNJLytQo3rIltbw0b51qaLO6/Nhk2BtN6P3kvd+QBda+bHTqLhp4QlmPT3NHrA2B96f52AFeLooYDtN6tlxQk3gANn0n53NSWlPKUhQwL/iMajQZTHWCxIO0c1y4hQuMziymB65VYKtlcsDlZzjzQJxcJ1xFexLuOCmjiQUOnwzM3r+kBxS1K0AWkspemP2PSjEyxKJd28yHI5hbDwPl+pf9UeCYAKRtgTzGnW4w0UzRsW0E2sEpQrwa3dXpKCZR99IihjZqzPEZX8Lu+/I2BJLVqOTVbU2jn94odPSBpxF9RzoWyka0kpG0PHmes6KQ+jonbLBcxifegVC3XbizyscaOsl//osjEv/+HV96WohF1ZJFLSDZ7q8w6BsT7x58L2ZqQPdIUYD91KQJMBqARgo1nU1d+8Blgw2XND2SSNxolRcUNmeT/vL1aeEUV9dxganzttYis3nTl2rcaRyqxtsUiGuvK46idx8znJsjA70w6TDzr8Hp2dcTwmyOVxZaWv/7E1Saw+5bF6I1dLkzOwmtg0WnB6hzHlN0NkbZWpvjC+lc9go0u668HasZCBH7DrqJDEeCxo4ClPSb27cnZcntW95S3qKiyzO8VdZZ/UZGka1DiRWebvMKyb09rtwdeWNJbsIOoYomX8N6ouzs1RyYQVlq/Baed1qwl8AAoesKzcVzX+Is4eeV/Tknei1cuzL6L/rLTSA8reWX0DiCg0FR8IJf7jOy4nJEjHxDrDqteRGqge8c3n8LLSEnGksxLDDc3ZFnvxeADzwY/HQHqnGvQbPfOEY74R1018laR7G91Giu0gPynnaIJKs5RKipVDevucIEpb7Zkw6tBKuoDEOSzYvIs7/ctysEytYxCr8jnWEeryFLQyG8k1X3oRg1M0P/uGTThKDb9NNPpzW3KNa82n4gk4BMF+X0u7ER9FumlHdpy3PiacKZ4NCk0eWCj6RmhORtv7SiElu/aH+57Pzedw2p2Zq0vPb4cXo/1m+fl7Da3oQ3BOYPhX6RzMOjOG4tES4Q0gwJeoLFs7DqGaydDQXdId59GpH0PBXzkQXogH1iSoAmx/BHNGJDSD+EOnSwPql8tpIgwDRLf/AON3/dXunKyBeI+plsHYKtwKc9H5mXxq2c9y3lqZwP04HiMHbFEkDHDSFozTz2N26ZvAFJlXDZZFwiAiZ7vL0gcqk/xoj/g7bxGfs2+WMzm98VSwa8sKFfKb1zTDVQSdrVQR1VyNZ5OM+nF2vxgNNlu9uLqfRE4lQ4j7G9LTfqvcTkMqbVwI3aMJVlH1f1kXz2B/jRXLPcsWrYBPcyUm8YuuC4yPoJ66X8cf/CSDiPZcsXWQWQwsZGQ7+xiOA0ys1ST7qx2czVQ6j+vo0wm0mJr7VC15qLJZ7nrUSeucmU6Pazgad6qPhme0deZsEUfMJYrPy1GPFEhcxGIwpUb6TlbC34NYZUtHzz4PTi4rXYw5DI5Z41nbntjLTgCfGT1MgP5r39LxEpX2TDUbZTSHOmcmY3BObqlyIiR/cd0xvOqpeC6tHMSRF9B/9ygD1MsraSbLbX8GavI7JjhU3fFA1p+4E+MIDpJRMTac2d6nrWcLJkXU2g==,iv:omzaC5etculqiGPHmMyqSGeo/DxjW6sF/Byp8yzP59w=,tag:CgPcAOgKcZb9b1tbVG6BaA==,type:str]",
+						"data_json": "ENC[AES256_GCM,data:dYkfcvbEQTetTPHGnieqZujti3NRE9ID1+fK8b7gEX5amyNgADzs3pWFOug3mCm9dGCOxtVFnNxNSNyky6O52GclKnvYqUvYonmzZQ61Lm/DlhBdRt1HS3o83lwc5U+TBhTcDLd8Xcipm0SztjbpEjAi7JquJCc99XoCf++XiTEOMPSYlhC+9X1agZ36oD3hN+dt69mlCNErT9/EVUhLFwJnttUEh0thD7+DpjKF+FxZ4O+C5KN4P5EiWGGswpe9CIt7qNLTi2+Twz2unacSLJP2BKc4Esb+uq5Jc5mF1QO/n+F22dvc5C2bMQrn6zxCgRKNdhypIUrgIJ14tB8iUvpS5YtYsLhDMKV5kIk4jOwi1astnqjDoGj4nmWZBbGAngJsLxqT0/YcE5igT8UqHqIQxhUHw8ZvnP7Ipzm6lMXSfrG1VlC1XgkYnCFWrfhmf3dTe1MGyO94IMq4jGyF4rMCOlkJx7OQ1P/l2vaTA37CpOQ3bSl2AKLkiVyvlENM5Q1jA6m8lP5ZFqRHVEVi+18ilz3KVMc9g9nRFl/Pr7pyqZPHGtVIt8LjLG6qt7Moh0KmnX8OaWY8rKGHfbhyll5P6e3Dlm374YpR5Lmm4SDpdHTYGEUtUotHrKu9LLLBl3VaVBIXoIrbut8mKM4PKS0ElXXdisn94cbSakpNlG0JnqUtwEyKGT3GictTCxWEaFV+o7t8Tsncz2qdW9Vk/mHg068DVLRng4THpFTbAeKcXA06E9JwsXOUln8ARRfd5VIhl1dYzdweBU4rBndczeGeSa7M10FfBD2cy2gQ7pW5DwC7bcTI2nv7PgoLmc3+XBH/n9cbR9FZUCZu8GWxTDRKAvZvCKSGo978kgT0LYHOO2VEoFyV0A+2IIsbxglf4YojJ/WD1tXaOUqfMNlnN4iLrvVZNLj6zdk4AAegDHQ+Qs3C+YvnhIiRKrQ7ijCMGoDeUtu0RvqOZt4Yw2YMGYy5172nj1lc4ytAAcLqnmiNalskNZ+Q8KEMHsbbwGAvlgrpJ0++c1ybxn3npuQv9i4fVw6gseWvXJzM4JT5yTi/fU6SaQKKhZCv46HQkIuV7EUItAXWL6w/awc7NVbemQpv3F9bp79f8+FLTOdlsteZoV6B9htuaEtMk9e+vEDCImwHw0t0bN6zFKUZYw4l50HZd2WOTZCW8u/lPEfY8FzezKupEA/HM3VB/RjELfyMCMczDviL0WGs6/6s96S3IxSP8wKhUdOg9XPDucr8q/VNb7Ny7HZSjJAJj4+vVtSFxuPyBhQDrTiY3bU5IuKWYRqr3qEONHeSjA6h/tEWw/tXTaENBTv6XYEcqo1foAdlnA9S7U2uvsKDNDqGpv60Fj9Yh8dFzEdJZJ2GrmVmTYmtUavXzk8dUv9qGJt9TDwutwhXYFfbIZBFjBjyr/Qywm5R9yT/WU7PwMpNz0XwVbq61lkK9Yi9ulvsRV4TFrGdzKaV7TCdtBVYJuRaRXRUOwJdGql3zc4KamuBUVLJ0LTA5aN2in0iDtGzHQQ0hatUbslSiKwTp3i5miaD4XxKhPt4h5DJszc/oRkyaBMSim3cl5RdTO3xz51v4aQMzSirKRWNGO4f2qT6itmgpsCiKM6kvr1908svq75/pzZpB3vGZNkyD1knP8iWCHLVXfaSobPlo6/uubI/omCWfyfIMl2vOLUeKzCqx9SP4lB4T6LEIVvRtOyMcZC82sj2VwoHiYNaZDbz7qiPSE1omZew2GiX0SUH1FBac0A6xEvLmEOiyDIIhYOouBjq9DkV8ZFAB8ukYICHZUoHXMl+8nxwnl3NP1yKMnpEx6FcazVucvYHj7dJ8k/TXR5s9WrIWXJIKSgwwFdk9F1UkGy4eb2NoAIkOtooUUz4tx1iSrmKGoUHqYLWWL1c0tZLWzrKrAMa22QOI61Jml5vLM7nNFkQLQu/YNMEmq1Ca56PoeHRyd5iryw/PNeV8blNiiUzPiW9gMDzMwTN1Mo/IHkgB10QBJYiVGySOR+TqvktH3SqR8gugow3MNCwjivLtv/lQxwNbwM4lNaSxbyUD7oOoDJV+O5wmvwLteNlAUp5X58CkTsRD8/8WWZbS0bQEkjJYOKzjLVkoNhV/Uedq4N4NxXL7Ky7Y5kxKcD1VyLUaDBwbJsnwXR7dRSj7MrIkkSIrYs+KaVi4MdfsuEQyXLbJ3GyjDN2LmzdwNNNtLHGlwcASIsgBtamQP+FSykx6zb2wDHVHuALDTXWwEDqSOmZjIbxcvXJfTKBcjZicEtcZm6i90E98YXlqvPGbLKfphefAsIMY4lX/0ZH1QYAGye1qg9zSryueDjmCoobahnjgXVwQQsvO3HHymle+3lSbDBqMKQel24BPuze9mWVh1Ac7asGa9VnpA0ScT02oOH5duDjXwtGUOxrpX0GXfaW2A2pARZHnM8yJenhZBu89BA0+R8KyEqPT5YwMLRuiAv0U60JPC/KiYobN6BWcyZN2j0rapVRNOQrW+OKO7B4deGkWanfZ2/37zR5Wy7ifA2cYriJYh/V8ZWp4l5EngKMzcYL84YYwgKBYI0i2QS8ZePX7PLPb1nz3IiWuNsx4T/k5Ngl2OUdpbZ1WqNjh8hnBv6fZtMGeZqLsLrcaYGu3ZNy3uJRo4fTSGdj+kTDJgrlxc5vlVY8gDxlMjc3p5sgbry5VtjFXNkthPszoOMqsL7XkDgyA1v1Bb3KDkePh8khRv3USvQKcvyoBE2Z+dHfgyWisNfnhZKOCoDRp37/K6EHM9On6lcswEiGasuD2PDvheRecIWd2ADAYXFAnHPPS61ve+8QZw4M/4I8IOA0UUjyCFV1SfomNs/e/tesbIl7ZJw/Da0Qu/q333hGRVroch8ai+3eUEz91BCFcnGgsJr1RO4tAQP3ZNc1MyamLTjucWqJl1cBvDhgh8l9WFsFOC6Y4XY4cLyojNmnepBU/SwjUBBRhFNxRgcLS+T1yeIwXB/iEORrEHNTM6uq40OThkEKFqDUifuCbrVxJEje3OqzHkBNIZGt8x/TNKsR2yLNt3L75nfhDSxJcmnp6j/xghJ1k4zLPMMgkJSn/Ayvn58zgqv97beXANKbyb+8z49mkr2/xdxmKQ+to0rbN3ate4RV/O5E2JuPUaFTsG+9cbQZBRuvSqkPA1riAQ6DTwvUGw6s3xatGaKHZmfvENTlGEX+AhbvwgX1mpvh8xtuoHUgYK0IrVooM4/M55gfmEoC2HuWWxg32ppW0K4ryb9Rxvo1wGVmhTyqCCrHDPpx63e4XfGeZ5+DolE9Jn0wk0506zY1C+7ZunZCIG8mgeB+GIGuNs10nABuRpDGAtzgU4vCOSlM0iGQQdBQRfwR7psjArTeMwcANXZap1FH7vwj8+2YDWcjezDy0Xr8P5QEOhJBN2iELKtTERmUJ89qdY7CVeKUqKzxluhL4ojmkPv/24mHgQH3fq3RaMHG0Yv4elHTXDsHg5EN+01TTtDnRXnbKaVFOzkQ1IWcuzfgRvmm0uWXNdzs+p74+S+EmRIlmcmLiqnYOG9T6go5ibImkWRd5QVDy0ODqayiZs9wOpJXbsdGJoXboaHTVVCWzytZHykCTlqketKGBaBjDNb/yHrnCfsMLlA5lIDWJIMZdvz9XdNPRB5tt85/VJonV1bPInIdZRUjFXFBorPUhGM7BJ31oLR0F6mj2SGE9+0cgDMQlLcvpAJTrY/IhMKjaWOYPJwe6ZMTP8Q5x4GGKLLhDBtO5dv9MuzvGcRCG2QQhcIuMYCwSOudEMtMgoSI18UVZYlff+hjwH4yy1+h0wbiRyReR0widuaysZzLEOTad49WrcoMljqic4o8bmaGgZZkC2r/TyRn8n2kjORc+4+EoWEm9ouhI/GCUC2ssUanDeT0l1YrF0sMf1lXIV1ypGylTUjB0CKx1VkaP4Jla5EghgnGMnqN7CwfavnZorD6VzPtdu5artK0/r01/99Fb9LgHSA4Y4bREf+V5paM/BPFqpJnh3jx4eA///5E0Fqm4R4U++4Fm+NVur8hXnrlJUrfPAb/MhW9TfU5pvkFjniE+XBN36qtOI5UnYottpXALZeaEg/rI+KVjFx3J+gNS8XtgdG6JOERB/8LTwYH9+yOp/VugHz6kaRB0qFMu4afTkRbEvIvEPnhYNQowSwNmWIf4vuyl/Xhp6RVPvOsH7x2dIZHhtHLJ0MkKMHhkWay83w5REM8FJvCsEpXTIwP+V9PwKZGXroDioEujbUWYxPpPTMT7N+3b+P7+S5y4Nux3DvaZ4Al5Hs8hZyGNDbycWMkyaRLmJg4cBaxiKSACN0lb++jeO7fENRhtAtgANQz7VrqKowYoEeTtrzshQnN998kQzoeAceqt8okOBv98CSn7pi3+bkbUasYDfRhIitJtjm7MCEOoYtWL7qWH4JIYMsMgYzgC0HbZQ49RBr2PwP0e+hes2MTB+w90gT/oq88ezkO/iX5FfiqSks6GVozEBZoacbaFFYQQyXcEIdkQRPBOKlF2VS2FdkeB7C2ftW26lr8KJedkynQPICiAm0GNfiOFpDqQKIBWlsgjT1tSLH8JcsGcWDSb8jbFzcyWlQNMtr5Mt+sP2bTB0zIMb4wB2qicjplQxCNGCQb5aP0VgD73a+wPxrO7PqpYfkAXigCa+0ujfaeAcJbZx4igYS8QigFWXNPH1CU4m/HWZLKxXLedjCdQi9B3rOv6gAh6OFMPuMRPOfNZzBDXrq2rXcC8biBg4ZwcbA5D2q+pQ+kBETzfIsTsC1T1iRy0vVlFIoIOaYCK8xL/brsazEStBTUGL/P+Qa2xDFMnu8QuDKvWaCkIT9EcmBypZ40fJns0Q7DCrfV7HOkTbpc5XddviHjf48D19X5ZebVM+UjGYyz9UKoZHoXghDvDZ9m8yf8o2lLXSIxGCRajMsC550fZHJz+w54mzy8MG45Hl3YgvwUfTWgrm3iqdwtXUIBO4jm2ezOADxTse78dxeMEjxTgIIzCdEDRoWzLVTtWt1WUmqoRQEcNWagjiL2aHtXBhQ6Jc6j/G49NdRoADfeHUI3BL9IJeXOkco2j2FMik3uLznALq36drlYoArpniDlLv2/JsHhAno6XsMROaBjRMYirngDoSUF99TOzYxWjnvpvbKRPlBDwe0woYDjhPAH7obWeCHYfmvXjkmv2/aQJyNTLqOWPh69Gq0qV2TH6CCGZcMCtuuGymAt5dLQ0pQbJAp3S/b2kNqhKrRTTHauLdSxsZgEIbJL7XA3V1bIdHF+H8tH11KxBZ66UvLkGRK/fYiW8ro+tC+VbySBoiMrUMaHarBSawcI3UDjxCD/mwwfwxIp61vu4c3Fys5uJd/4Hv2eISmcAkQfJasch5rNX0DOGt/upeYg/D4/XUwd+KkpvIobY8Z0Vaz0xjBwW9e2GAUy/Y+pdn5j29Ei4s6jzL0q/Uub975AdtDjqvc+9PdapvmYNGV2VImfGt/X05MDP6O630omvb/01jxkqbe8hsK9TDmQMd81nUIVX8Q6OIDPlc0HVecQO23KalwE5FHXbQNJrgGoevhhQ4HNIPr6US1CAT2/3fk7udmcAMGQeMC0LZrwtjpdAb3pQeiGyKPoTxTf+dTyQtll9DY4Kyjowcu6TtehGDwZHt4ud2+fGJdKvoa7ZeOHcwZLljIdnsL0xddHVA+u9D+3lGbdQ0IyNci/k4LcynHMFb80h7actDJGxtPBduP+m3TqXZeYLgTuRnZ92q8Q9A2kX7dkhBH6VlG9cNnQi6fIpVASjFOqSmpxW8gixWlfiCD3Ya5HQ8vYAl6beN++iTx3/XA7N0/CbrH6WlLK4xBpboKgu1NmLYIoDYCn1hcs7wYlTfQX76jWWfxnOu1ODW/zLbD2QoCQMN+INoQzEkKq2tsATBpHT0B1gl4SrYtjFGf28BKTrhfC9+yO6HKg3/xQfVH700T3U7z8ZKA2Wx0IJGqR1YW+Fm2eZqS6Tkg4749Ba0VAoGTdRrAIjx2oTxw879iMwkFrkozZnoeUhdiUiYED2n3UKE/+zKR15CBX35pDomchmEY/kP+T1CJJ/Xh0/rVphe6KgB3UuH79HYWjDwbz5G9Me2hycOGHg44Xiglg7YDOQK3oE7xv1uO1B0A92ha/fxCzcEkvSMjQD/jz422dlT2K8Dodvo7zyAfr1D5QLgCEqLhS3+OWxyCv2Vq2rmQCRDOIl6BXcVhYIdO76FcYajXu0xCsdGk4mV8jVq8DfoYTBs5RSzQEbSyrK3GfTRhHJnI8PfuN2uxdGY77jIfw8JAZoXGWjk296Ts7O7awrweKvI3pVvKQqF3YHwxHwROvr9Yzq1w+3SEp4Qdl1rdO7p3FGcH3aM7AF+/WXYikKUDtuz1Zz0nq9H+B2nGXZjLyjDIG3CLPI8Cog4PExaJdJltDun/O408rP6bkIL79s0Tyx02O85R/ybdkAEQi8m/DhjECbXyIzh0kHIxsB39VavzSgbtatLdMaqr1jeR5HZKqf2AY2U9HT7+5PvawSnhU7j8XwXLOzwihVPqsiWyo47Bd/FVUDlJUXb9P4YoI76QWo6oYX9MRDyCeZp64p6AufL3fIJAoZnBUxOwMVA7Rbs6PTgRK+F9hAxmagREJbhPzDqoJCCuPwFAFhOjNHQMuR23mvl0HQR2IKAwjfOHi5dv6DrlZlLXk5GV1luXwcWprLpdX738LYWq4o5IfODKelBFAo/6GRV2LR4/IVkG/B1YtF367+fjl66Tf6yRf/MAeJXXL7c+IzoSpJf1+YSkeWbH6rctbEIDSRG7ZBUD5HyTrokcdQ8GdxeCk3kuMDX4xUyRB98rlNxSnWD1JF+rAKSeIQiXCgYU51xp8HSuArJ1jcRhhK9M8maVmdvMehkckzgTXiMOBQp27ZNOFul7UDwZ2BER6GuYUDfC+flZURNABVgqvYdui9oLN6jsApMz3jmQipQRLG1lpC0ohpe52Hq1t9nFwRRd2Wru9VLYuPnRGQAbSHTx98OiYx2WCR/q3vQhEYVj2LqsRKLr8IdCPfGf+VX5eKVV9UgOEBWtQdJtjxkIH992K4NLXyO4n+FcbzXmb/BfEj9/Hac01KAyD6MkI6uBfEGsIvuCVD71Uqw6X8JVdF3psk1VATgt/1l4bcYSA+dh9FqLEZv1XuD9ilsC/jedpZJL8rWCmHbfwRZI9BJqlIYYvx/9ryeFWBS7EAPrAPblldPc+zpkP7ulXVKxbA6B2qC4OyhF5jTJCEFRIKTPLvc+25OyrCY9S8PTgQR4Vo636EPIzVkESSNFyYkxlVqbsLN2TFF61VJwlziPoUXHl//kzAdLTbWc7Tp1hdwkHuBYL6zUhUfNdlruhQiMAOE1DNaoZc/D3MuasKwh7Z6cTUqkugzXTBcmcP4/257jArbw7+2OqVyGGxLX5hXxjCTHxkkU3UKzDQWm5IxaBUeSv+SSL31fm3slu+RH20WELTVXX+ZSf62rvw/vU8nbKaQqKVHILjto/pPg/AhV6QVlRJuEELogWBrJYg+8J+VmcBinIEcjY+2tAR3f9biJglWUheu1GvyTsbS0EW1kBmgusr+2sc7rfEOLI5RQWr0itY7pi5XIe3BslG4pZpDXa6E9+YAtvkFN7ag4cWjku9K2aZwyxZElMokWSAixGjUvKrbX60JmLbmcKzTpKojwdFsfuFhSaAxIrEgIvBPmkcOTSj1rqkRiQNss8WmZRanLQfp6qSJaJJoqlcCBCPiNm6iUCblxgGUCdOnGc7aHa+u34TCwa549/0YohGryggg/5SGFWttBjU3n3gN1pVcNUXEY5FY4GlWEwbtQibjGUFEd3ud9v+Muz9BXj+WcfrRIrwXPok30xM/Sk1pz9ws91L2ZuCOEflgmAEURvdMlxEWMm5uZri1sJVd9G4wnVrGDu4ClR9xwB/DpJCfrv+Fy0qZelqHLeMuEAanw2XEMaj/HdmNytte6ZE/K2ndJklbx2uTHhbFHmoxOLHI+Aihc83jhwzd3Dy4rPB9gzeKpDJoqUI4bMXyDQvfNgivHgpKNUS0WAg22V3deA+QVZ5W8zPiYCIx2/S++pu3X+xJH1cI/a8t++fEv3BY8vOsBZpKAYJvM3uF2KdpF8uWok505xcgDyEtnGq5sKjp7o/axIOP2H6DWFThzpF+vwizLEQ4Mrr93QxFewk7t1yS6rlg/yAvzZdA6JJjFdP/8sERUdcw1sTVHX7DUmOE3zZHHTcU2dU/dEZGCt1Ff/2sjmvSvcP76/yApFS6RRsdb08gaASgmPMoRlYVA/P6OIB6C6SGrve9DU0EdEwUNNHb/xhhbrDmW7BVWwMbh7aPbSofQ0CVtuud+NAyAqBM+t1JQrUmazPOIIB/t+ZG9MIhE4kiV2H7SiWErgndPieAMa5Hymz4IXh9Qg+n0MlRCruGCGle7/MqFqq5sDFnMU8nzNCFfQ2nRuFOth4DQ1Sr3w+9YUgAOCilFpfKOcskYUCABiPdXzkHjQjsbtybJYwezNPs2cu/EIdnxG1i5C1sdZu3M8UZKLvPONRClBmZAU+IKXBNxJD7l6S4IOlVpcVkVeNm/IJ3h5fccmH/Qc4T/vRter4as2oGt2KxDU71BeQkXJ4oxxeujEib3+kwCt+xq+7dmZzHYT7eJpO6zykw+NWZOOU7ZfliGQDdMc3WhppC6z/bdHR1LowK9TDFaeejzDnQSfFIXjqc3E/C6fo+jdkazztjn3UIbJ4lKO2muKEMvfml27E6U4kWSUyrpBBRPQJwIqbsf3trDN29fsGRFSPTeA1BvG5ZVHEAoOSYUq+KUyVL5q9iDQA6iIlHI2yMeabz/+H0nDLJNGtcyiTXicdUYTnZ0VV4oOB5wWbmiyVoqPOEciS7G+/rIzn3S0TtXqxryQHAgpaMr85143mEiUI1SGcWAlTLjvkqq58sNorWj4G+0dSSLhHtVRpzbW3/Prj98tHowrrmTGNc+L0p41ifow3TYOhTHRyLPZS6HHRPDE9hRUePCufAVfn+1L8G2yQZGni/HJV3PspzBsdubXK96YiaeQ4gNndQVNQwNCSOg5GPAmk72hUsk71MIMksbEvQXuEnUTC4Mj688LVqxUyCdYxTFisckxGxxqZr6b8QRhkyhX12ZzM5tmmobMctq8fCQ+Ggulm4BgCj8TO65FN+LBWuUwIPaDN0Ib5stkt4WIa2EnEqLfPKHzdwAXKEsIeIfScXFGVTXXnKoFwE23MHr84yhtLeEpQ98B83GiLWmix1+x/GWW0A7V2R4/4u5ZmC4GMWUfYvSLqpn3yr7rJO91ul2+RH+HH17iX9sekHBgSMncRGoqhVusswUv9o4CMnKewxkE/R4W5tT6TqqNfKUKkSnqjsLSQfFkacJemD3HjNFkttqXC200HtQwji+ufcQQOeMdA00UE2lrvJ0Lu7Np6j+Hp4sHgtQLYuxeDkWjnUMokWr+DmhXgzQmG3EhboZ54pyJ77RqSvDRaD7GPjudK1hNeJSTrXTxvmSn0KZq1lztB6pAku0ge5J/1nPXF5IwOu+j6uIKWWD2HG4Kmgw8xr2q8x+swoYCi8+sLk3WBCMQtXfO+IR/8++LObSBFRgF0Vx45mxvJkKpbXNYIKaL+1eARXP5MZ93XuwVJn0HXLjZ4N2wmxKtUcStrU7GIiz9ezt/mND7QnmGszuPrkM73gBTl00s/t0+n3c/MPbm5vFwjcEp9/MzI3ThzsCAb6TiniVH1RqSGDxeBW26sBWw/iuDkDRZJTN6awYxbJzed6U5FuLZswGqhaLCnyk4sXI85meXJXmAaZVlhBqnttEFiu0mfB7kdzIJBHgyqDuyRNUF7o6klj2Ahy0wVOP/boRDFc3ZwMcGbDoILM2LDzCub0FaEZ15MAWQto9iDD5zTtTDAww4JHC3cLwDHaI/g/Ov1vgBr0WyQmj7XZJMFYhSzXlN3Srh2dkEwHx+VUg41lXj0pb3M4RXhWGTngi3M5PSR9UyAZgpiCY32ZgvBnSIs1A5YYiWcD9kNzwsYhNxbyGk63Ga+XnssQyBrBlz9DDmqFth3n405vvgErLujgIQ3wt0EN+h13dj/y4pE8O1FZHimC/5btFYUqOSmcBoTg1/RpdW+YMq4Nn3lek1xCAv3KJiToZIwzAm5F5OEca1cIPHqtwMqQ1yNAGtkXKwIjzKzL9o8r+wE/8TJOSrZdqPHZww0ZLz+Re6UaMvpdPLG0703rhEJaj9IigwE5zgnHI+SfSVxVnRMspIAcM6s4Syt4bmbZR2LGsQ4tDFXjrqBVbXghxMGlSNWGJ0b/FFx9rc4Ag8DtB1UM7Asn7XClGWtyGggL9RYJEh0NAJQhhzSgRClJCHfzf9cc9ar6tsVFCyZ+cqQcAX2F8mdq/aZpB/rvCblXnj1GpJmEzGjiLWw8saPw7gUAoxDfHLUCLRlvVkxc9hi4Nm02x+hz6gLYPYHRtM5LLl4qAg1lYI0MQs+D4kvTaIQjmh4u7AeSG3P/tMN9pqn6cZVzbur6WAd/060i0jfvVdPwfRWhb64DSRoJCl9o2/jCWZeQ9OC68fOQbQB2aKGLSh2NCcpoOrkT6ErgwMB+bThKJn9Xs4gVaNp7HfScOQqC6bUkB6ipt3P/wi7lchYYHLU7Ae0jUxhsYggAYmBANS3ZFp1+TXBzHjwqTat3zfZyEElaFdGHHY+0nS8YCUUeojg/3azK4T5ovsyYbWGeKGoaGxvjd92T1NzMLZgqCB5/3DttBDH7XL7lPz0imzUb34VBjm6Qx5E/H4TCwoIjC6zHtXqaOpTvXd/XRCOl1/1x2TVEX1EzUfXr05Or3c8nALkRBj9K3UqtohHr9aY+6gXD69qmc6re7vMpMe67y9nP3ni81YOMdRt2dnEBFywDhZQlDQT4m5qer/fkMuZ/73OLTRplHVgWrEHiQetxYDT/vVwE2fzswP3V3Bxm1SviVcBVYJV3UFoEz0JBmNQqAo+c4MhpaHhPFRo9XEj6PuHCvFfCHc1fGicVmszM13er/Uo9pvsGekY0J3I9UsRJ3FFV2R6cpxeqSbF9xOutthvvtW3nSxqkCI97gRbWBVrvfzP08jawiHap1mOfRNH4usQxYuk1gj1LTiJvmHVJGR7PMx39eEipNHo1mlDr7N9HBfjeKvob/14gVAAiP0xXpJwfCrlnP5tYmyW4V7OymwbbQPUmEUKzegLmvoKubUBZmQJ7c2dHLA+7EdY5ECcXbe4CqS9lX7i6aveS/jj/8ZA/d86UuES0D03GalMfqOh86h4u2FRZeVRhY+965vdpjwt0g5DdrWbNx+0qFDtznNV76bviiyqwgT08Rv7oRAAFltMciEtD95g8IAUMNT0FVyvzN2Gt89ZKF/kbL3UZln46JDeyV4hyrIvHUndyZRQBw/fCM4Nmtg740Kn+Pm/zuYyTptKlwyNMK5NTQiOzlnothn4izuoSP9CcJuCCv8RY/OVcVWazs4wxvr+3tIeBRjV7sNI/rKeRE6dhlTFyD2CJmrhPJo8l/ehM1O4ixO1PILmrpAhTZq+1XVT/9mlptC53ZJSu4kW5IfsodmXruJ6M87+yWrkOTWro4RyihRa915XVmJCW51CAtMzEmZyN7KSAmS7JTEL1RnDNg5E0ag5IWHWMUadmD8GsoMLFuzKfa5sRERY6ZbiJZUinxT28iZDnCjok+GUgCMZfnrzDqoX3iOhJMFR7sFy/DzH5BCP5CiOP3B0lU1/XQBWLCsfUcRxns7nCRmhrAB7r3QEm9bXn2CMpGe6Wes3Iv7nnzaajnxKJOkpvR+wT99t+XuVXk/avlKFkJNsGfXNru9Q0B/trK3Vlqzhb2ohh5/b0Wt92wNpQAMrpZZUhtzMeHU78N7vgvlH6FcRvP8H6J0x0ks1JA7Na62vMYOBbZa5ufhU7omPYYG6clFypkuKMsAH5HdXt7DcA4v/ejUGM5FyBxT5m1tMOfpM8giMRxJ93NO4YcytEyeVZUWug2VhNq0YT+IGOEAA7ypIkpfr3nrH4dgKGAzjQZMXUwLUdlxKoABnGJygmzBuVekxo8zCR6uO0aWR1mYdftEBYCci1mdUPO7AHfNVLBMmOXBOKs71dctGyWTF8xpJ0ojgyg7YX/GkW0pblr4rdVZqXEz05cMUIU9ngn6LIYrY4I7D+QNrPednYNYxmxjMk1IzHb6TmuAuOMfcb/PruLbCIFbUi+B89wJInDqbqdtrHVr+d/E59htPsFqZfngX+f/gWcSwWTMP+Pba73hQqUBiMP+9CnzjaxVm3kTc9UW1SsDw04+v6MhcSQripQipPs6xv44hDuDoBCGinSZYBFqY+RHlvI6fx37xG8dV60ktS+5E6tc4GVnFIevMkpwQAVnNAEzL2Iw6g7AQi8U+KE+AJO36JZPVAEYlsLJoOpOEGNmoRNdpvLiGzi0LLWhshNsGId2bASn1c2xyz5m+RXTmrdR6ESKDQtGBcgMVamj0VO4bRJ1DliyAPzTB3GeMZhZUwbwhz98KiVl2ort87TeJFBO7+wcd9YtFPkTZsez9QufnWQ3Hl8RVTxQHYFxpp+N+66pCCJyET54oxG8k+juZSQIA647woAtvWCNSW2kv5ugFLP0f6ZAbhZKow42YLrhRT1heRq51O2fTQjai5cAScsPXyeyV04ZrlH7Equtw52Jzxzgo/RUAaN288L48dnBBsE8DrEjbmVk1MCQY4p8hwPxfZqh/aWOhf0j+PHg3L4Ro7BSVV+5+2LzNMqv5rCaGtOcXR92OZSTvIKg/Iiyb7vA4ht/S8xD/fp3VSpcHT5dWXblK5uzEoIOKvpsvmYPgZlBB7A6g+QQqi7mdZtYpmK1tpuY/16H4Q6hHKnmlt187xrFkejMe9bvW/Fr40ELyb2GESQgUlzoR1/6MsuMXgoyWzbmxAAtAO7WFJs9lbZ3rB7T6fcS4qiZ3/Nb+p/T10wNtD80WLYbe4G+RyFNAWoYxXMcFLlnTKcClrQzW9XfT/V92sYzs5VP/RZn3PWgOCMBQa1c6LuuTbilCoKhcK8EUoQDcBexWrD2lRis48sFFxBkaxDJXgPrLHtMB9P/VhyUaODpSJzDx2AT2F3M0nZlxht8JaSAjtCkzEMhxDJVypwyMlVWdxS9qO3u81IHo+JHSYcXdZGLsthQgYV9ZCieRmtKgKzgyFJZOr1bIvHp4KtyCuEeuuDzsmoNKlxu2TYDsavsCrUqIV9r20ETE82gnmkqpqhMAITUCibPb8uckjjBvc/MKOeNYdI6/rXSSAr/SwnlBtfShE/KLIc2+/l0J5UvEz7tUrKS/BOqGlD2i4XhLf8ekEDbgO6a750GMvM/KXzxqYpBASrofN5uJZ9/s1NfT2pvSO+/fGZMVgWzqMkuuAt3ZIBz2vI+olsAPnYMOs21bhV43B8vYVJl//n1P42Z6ZlORoYiOKxPPw0dyRnQiPBZICdl3hCnYiU5I4gdoCzWPtG35zQ2fF/qYs2qEzaYGWbCWmTbgQ2q77qYL+rMWx0iM8qgzoreKie3tPxKD63PJcZ7VcL6koMM0F0vQ2hEvR97+xoqjcI6Nyej5ED2NEmpbeOrjJPmoz6XCu/D3V165z+DMwmS/oywgV7pk2idyeGieOR5qxdhX0rg2Py+HHKDASQ2nwZfZEpKGLn2XUwTgPQcV4jFqEq5vZ2QPq6H1f5JSdtvaH0ece4XwX2RxSwNg54KICVCIWpyjKfmuLhI+l5p7PNTaYWMFLJZvpZd3A2AW2+zTxMMEoSWo+dEli+Wo4cFEjFAmA57nyj+LlRWfQHZhvzIfgHLFmTzuVaUWhDff7jXr77+D62tDDxBnPIl8C3OG9t1jckFxWIWiBpx4ahHUcr3KGgttOILoXwwCszdP+ioUE2cRrpYdqjAQfg5QMdy1CSvAG9YenKtf7FRn+JLTxFer8x9inf0BP1T4OQJYUJ0o7I5SqhiE+XR4CzUjKYyizcCLnnM+Ja0a09x1emtFBBLJDB/BoJVOBADtgPO8FJ3I1NfQu29djuljfVm5DBB+v0TxSpt4G7URp5O9vFdWOw4jrJfbjYNxgM5h6i4i8Z4WGtpfgyCpokuqooGN36IpcoGT+D16aL22t2YST327mKuoaQozLKAJ+pS4rRvs9/wEleKFkTS4npEsUzVZ3MBRnSIH1aWBJBniX/qsop7JpBLlApDEuxO+gILoLAMa+wCGubslZ2aO0BP+vnAayKs5xrkOQ8YzRi+irJnSMiXRBrta1uLnkeXf+Zbd8WCKyhFPoJLCxI3ye9pMN1smvg9kFASN1HtCRCI2eKCWl0/1g6snZpbGvqFeFkKuEQq97rvw7+KX9H6QdJUc1ZaODbuAPs/QrFPrsUqbx0M3glflWa6ysqbnVHPh9LPvUFDI7a8Vw834hRR4PHSxh9v8gqIOsSbwEnJLRdcVUxp+kxgr/1tyA8LEyl7C58QCnL+d3zHzYyn8KWKIvIEpevjCmMhcQ/NAivFqs72wONRQJuArqge/gCHUSKe9WaQ1C/4KFCPnxPqRBdda/g/rV4n2kSTd0Wvo2sq+cdgW3vTov4WKoYYFNlS0XP+WSnhLO1NJSgQi82zLA/Iqw4dHmKCKkPbV7553PkH8/cDvVpPQPOoBKAcf/ZS0QVxEYZXHzDsmEFewwPS8EfzV0cgYA0eYtx0WcfbWPasB2XMxfYHKJHpjARKyxzb9LBci7um0aA5Ag/3sdXtYSHktzE9WBvkdphRxT+tMONKW2iCjO93FkxCjmS5J6oAybOYT4NX8mIoXqiOBmDn3EB1W5GgkcER//2OszL3XD9p8YNXEPdJUK8YZ+NOdYffiJ+46JhcG+958Kd0wWoMQ4ZTJR/adL9CV84/juGlUpGsegrQMrfOzMuKxa4AX1R9Oa8j/7z+NnvkV00MraBUmEbmscSCOmPq9YRphRyOi5kHrKowzTngzMR7HVzwDI/bklaeNqASwmJ8x7ROK19SUBW13d+AWT6C7DUIrZyWz5g4STF0oCrjFLfx1ZodDyyfVSvo+aUQW3PU0ihMRtx+WxlFbT6uoCDdFuYVhdVTXMrrYS7C0edwwVJaQM1pqUw89U1Y0P5b4EhzOQGoISEXVmICtdvHk/GifHT4xRXkY5udEzv3FCJ26jfMLgp5nyLo6JZb49YxfeBvklE1f7UKWqJL/NWkhMr81EfDJadyvXqBYIlTtd2WEyP/JQi6waZgi3efvxQdym4uVmBleZpZZLjCr/1zhChLLt76iDndzX7DFXREAyVd3N72nK8s1tCSPSy1+v8eZkwlv4TzZhIulAUVfdVa85co2FLQ4Ehp8BBG2S+HchHfBE7S9ICDGqFWWVu/ZFNtEDXHqJ+VXCQ4WvZeffmpXhh97YpAs0VMwTyRHrwcCperOuarRIqJqhYjEmkRrlfs6sfmgPONxai0dZNC0iHlNfyYEuDrMXtoQSda+AZOd1tbC0oX/7bR9K9ID+zMQF9jS8GgRe21MFH428Sc4FBwTqp5eoGvEOtMjsc0OIC7J7nxD56rKf2EPX+9/kc4Ddih7YGjNKZ9SKCZ5XIxQYLoZWNfwt6Vs6TZCejKa5rB6mqc21b8ilTz2g1DQgwUVRfTONGi8gzq+PnZkh1Muosc3Mg4jWGr8H2QrR9RwfcTZjBrYi2A5bm+vqK8ltJUBliQIXGPialGmEKzaMljygH909eYq8YwF6o/5irkHdBqq9jCRCNPLUPRYEB3G80vgxKJhyTctqGncuU+WAJ/IOym6qsqp0nnW2PdvKp/NLNn/UiTXtraAjVZLeejS4wr5fVLNoCNGX9Uy3dlkc17iFOwxZHMQFMWI9uXNxQrXUISnVDrFcH5bukJ/53sAWyEreh+CR6MgvpzcISLJpHK55aUaYAJ3QLgS8bm6XOK4iD8F9IOUCyiu3yjPHVLq9cBgvipO3+APRJ7hNXOCRyw3SHRrJ5qcfNVMwD1Wjiwnv4dgU6a0I8XYwZS1V9r/8n2NwX5lxbxqq5U5JdX7C0JrNtFgFvE6aeTNO/dOq46dwKaRMxmVdLR9wsgGgeGSBHUqRTNTivjWP+Jmqyy25UXC96Ct20bxZF7U+a+ll+T4szPIXt/xh2x5KwQEhNpIk99J8WTAjUqPCUNVHUClS+A7/WYa1hBkMOC56qik//9t/PLAJ0Dywu1SHNfmYWFb3/YrBVqyJOOQ6B2PWSLD17fuMa6Jjqq7p2cohSgo36aDluOWWkUaqnn90S7RfZcUYAeK514KbUPKAbbG1xfdtozNgLze3QTYiqcW8XREynn6KxOxL2g9LdybGo3rx+lodCM4MSsIPuk3p33mQHaCXqgcmUQFTDTplI2/bXFNpwoTzm5E5DNHkza4Bdbkr13VuGRxMThqxjqFajwsJ7xEmBg0+xC9rIQ5w+yJF8MbJaq49jx1KVjsLtbfHvJ0jf+Tc1Aeje17pLnYk7Ly1kVI84l/sIHd2Av5d9/qw1/lD9Boocz0hxqFRJHM/jbnui4L0FPPyCqsSLYx10pvu9qSziPAkZjnr8i8x1D/4lgiUTGXdpKIs/sLskaTWrQ3POuBi4dtCWXvA/iZsinMc7uwMsNmc1zQKqblwlw1QLgHVe9KXnTHcCv3X7QXU9SETyQMfq3rMDuUkX56RPxXasooFU0SZNp75Nkie6h6lMpx19M0LcHqQA7oo8KGbsctA4VpTRVBRdH7R6jBcpj3WUtmpk+sIubJQG9xS4FzaYIqqG28mAyLXk047X6uEDy0rp0X6GdZf3iBO1dx05k416ziJzbXJbE4j9Zkcoph58UaTmQ+cdCg35SvwS+xBwg6QPOagA6nWPSiQwRJg8IsHrdIKM7eVRL2I7+neL+7LkMjHwy2wg9H8R0DTTa3Ui9Qd3NKZbjVQTiBlVzckaVj0HArRwYlifMKpOqnCVtH7iX9a5CnVFA9SBh1tSoiriAFnZ4BYiFA/XA8pomyx5rPYKfQrw/rILb+WjH+RusjtjOqDg0trCTUnWPGIW7JRviZhf88gmU9XkOdb8I4QfmIeNi3YQ/4a57JDkVZ5FdKiN/Kqn81IJWXbktsD99uUJF6dO5xeE6TrzM8f0fe/JY63RHnz2PU/bxH9nppBSk7zi3ssZUsVB3RoRBjJ+79VN5CgZ5oATIuxgvCFSfOZTF5i6+X6kVkE6kK5ZWy2JRzp7HkytcgjgBUqXdpbOrpToPwbXunAx/6HVBrk1dMPWzJauJcmy5NdwclmuyqdlwfPF9fREzP3HedRstS3VCcE0utYGkvMObTWMNo8tTZZKiSHtm77UaEa9uCqwwXxp6mmPenEhIGOZ4A11WbU0IXATvQFa8H1GqVyhJYTAwDp70fDe+gMoFZ6XgX2+kgPTOTmgKD/LPXvioNfsWmPD8TqJ4VpE8zeC3/8Z2ubMng2hDVRhNuiV82C+l5uy0o2JL+QfBz5AuH0KEt/tfK97uJQjHhrf70ykpWVH75bj52XUK+XiDF7ddrXE/wfWkI+hg4qlxxqugkAuoOuUrRAk5lieZWGHKZuw2J7uEB/LFcYNaBcLdMUqIxS9WKMW+8jQRNBtNrfVzcY5o+y7BUxSyZTV9U+PptWJM0oS7zx9+0uxg9lEg1zCBbeYHarUSGZNETt8hc8uYdkD506L/MbenvQ/CcPVBZNyYGu3lX/26Q69HzVY+hGAdhqyEbgYaMvf3Kp9YAjJTmQaNKWyQICnLQq/3sj63VIkpcsJOZR8gQq0/DxWzF4keBwZJLGwQz8SuRXJeXXMAttigPdFH0/+FRXLtzdQLK+0LSNHeW5vPPR1v5UW78ZLRI8ZhJq3ZDaLG2NQPjYlQT7d1lQfIV0iVTza244tdfzaloin6Hz2c5Gn0SCnKO0fvHrOKFdjVDd5ocHPaxf14CgsaCk8INUN9DVGwQNGJttY5rI6EaDffWvYJCGVakxNJGUPP5zhza4fi0IMXiVgIuRf4s8uaHP94IY1pvzuo/TYO/ksqYOp8wrllBkR4xzs5EKkyqtz/mc5V5qmr0TWYDa0+AewWiW/mDEUnCTIzOfjYTnYwQM8QDWnyFtUMaV9kKPqoPsRUQ7rcsivWuvRzElsJcOMPbmrsCmjU0LFHEl6X4BMncXIF2u6FZ22H18h9NINd/MNY1s4D2ziUQ15czc2fPxrms0BoCPou8uJ5/1FB2pPs5jcwf6QcLLF06IA1xDfGfFmx4pVtvg0yvHsrHg5uxH9kjTPSohEzEdyBh132ZFZshkU/fKB1bsxwy7krbv7ocNHLdrT3VHQnkZDT5LZKPhvJuXl7GTZxs5JjrazGJNYo5LwfhOej9WVWfqLcJ8hsvJQ95HY91a72ZcsNv2V4WtXNJVFGOSz+25TNrqKPWrd/1t4yakQKszfJ6olcR4LeumaJKFWgJaVKeajcAvGxvAXgho3bBvAQqJw5/tM5ojvN7cYx951INPOudLoKhDpJuSwU8SwAWbhbHGJAJuKQd1MRc7sCxqnAVXbYZSy2L7QoKv3nkjRysu9XyYfyOnlSly6BOz2YXEgpl3sQQy8im7LZwmymUOIK9//OsUusq2liziI4raBiPEaGfzl9FyuMlPhd+U8YgG/6UtATnWHWlCcSLJBCBc6YiRhk6kn8D42ewtBpukXb0kSqWqFehRPhLqDkDCqyC7MsRqoXr+iJrDEyWqqeVUanqXgIYTmkEnteQEw18PRumtGQqIwPBUnRyrbZ1SoWUnBwKej/z5D2Vv4FPmroTB+OL9P+c3ZcivXdC3f14q+763CKHL2TM5ggp76EjVItbvphawbezmyOyGcUIlQTW0XCcCZ8JKIrSunr7JC0XuSqOpi+Q6rLkZdpky5RsUSv/Imyen+LaxMw8mOrQf848TXKJsFRbLu6VCe8iGe7w828NpJf/TT6n70Sh5V3PXsobS0Kx8GOaYQiuyC4MjIVxKjJgcyNjBv4ddqGpSYVYRWvV+MYwyNETkAb7YCIxcTLvIlqlUWCfnM22sR1khxzF0K+9BpHWgyKQlGfXyQRsRHQxp8EfzUshDz/7tzIzFMYlJK9yHuS00EyXoNG8EB7EpSbHHNcnq590038qedtT/N1AqOtNVqLi/2itnRAAnPv7jJoS3cyyKJ09fswvlkDnx7ZjyIUFTK1nlkjvTKX1wNS40D5hI4lIzS2aksPQqFAAW3XdxARppxXu3xL+J+QEyhI0qY+0SaBK7L/CiGc9lkdc8l/NQwLmpcVt67NDKfsJyyzvYKQ0IJ7TRivont25AN0fpEUZByffc8yE+Ym3FCkfD9mcKsrPquHVl2Mz8DNR2aINNA6vMXq5MxzriVSrclY9aaPIF5snw/n4OtZ6zDOBLYcVxqq2NSQoGOzfcmunvq63wq9zTI7bcUN8kErj4X3cZ/PodlzUHWbi1AjlFStSBLwDI8HpbUaC2Wjhzdop9AxHCEU9/PrQTo+LVhlhNDbOlipoCDGiLMxXKo92sVkohQX7Bw6Ssp5OLDos5AKrOYEjfthBbPUWwHNYuTA31gr6kqcMCSgokjwKKYrJA/M/xA5wkSjtX8yeKijnuYKTfPDe0dW5WpCfqe8u6AZWnKpKpI9Yy/VoqJWaM0C2MRFlFY3LbH/CFsT18ylWBEgzu+R3jzyASmOkMognGKxDgXGEo/FBqK7ZQa+c2uVYj0sCQm8XJWxg6zXdxEmexGq5J4yG+zExhTMkwGcl3C1tRYg7h5tDTgGe6V4wiLUmrFMqV2gTX6LmRZbk5VV1aZXKI3mbYLeNoePJgheWtHMxUsm9Z4RyuJNacZ7vGoBvXc/P/Mz2G/tLne9G+cWz8En6fMc1fX0CFgf7UyCmvymDgZtzze7BjaPyseM/itVn0hDs2cmREFas8fqz70/DPqGCBP8Lheoyo4i/8Ks2GE2KKDiccemYG9dBOqg9ltz4DVhFlQVu3Vn7w66NPRxQnRoYXqHQs9NNiIegFKR/XNdQuZrjkS/CLQSD2/lepSSfO9GjuJGcUKC7ufs4zU374ahvbpTsyp+AYL1A7SPuZg/W7ODRPh6B1GAN6k4+mfYzyD3Nna0rbLlIiiQkLUDFso1QzIRAjaX94HL3gJhUU4rNUKSCC6pmc58BeiMsoU1tW8QqKYi83Xer7Vdj1maieCgGMZ+h1uMgBbPEJYOBe9BJuOIni1H++sfaX/KSi0lVuW4rdq8fHMF3L0O2GzvyZjis8M+HfMf0puSAeyrxU+5AEC2u+NpUFwVySYpN/nNbR+lER9ke7+nVWr+TLW6+M1v09antO3ooqsbr7hP7aamfSJyCXl9ZloGIQx1Ab1JAgAcInmQSKxPOCIiP8aTTn5XzzO/+EuPPr/hh2hOuk6OYkD51Wr71/dYHkUicKk7OO7U0y5Iq1sFDzNRdTCYsSNp5xt61NYDSz3bwr/ygD3Ibd6XFLzeRcxZelR4eBc74A96TXzfAXaYD5Qy2GprDR89xxnLsETh1qRk+UrWcg+gwHbVwYlu8n1U05XS+Yp++gLQi0uq4k/ZEej+GCZF+9hJ+lbOVhv9v5LLHdyUQF8xIXYhxd4mGBP9Apfm36fHbek5IDichmbCgthPWSNqN/odZMOGzz87StbcRZtzkZFafNTPzR2iHFjFgi4peAw+bmtjs1K6CMsp4NcsAnHzkUwnvQsCUT1d/Bscthwi9IzSiuQ/CQVx+1BfIJCNtjKobQopP334zdeRu3ZYzNIwNcs/AS9xKDux/C8Aq9ngog1hwELxuBFRrARAZIuZOcCy8XoH4HAUo9mgZzA57/4XJnRLX3W15jycyVDZX2PmaXySEQItHkVs2P1DKpGmOBH06LegOR/Xqu/DDSMsv86VD/umi/nqulf1O/VueKwIMyyXSL3fS2wJO8t1CDiDlRyQS8sN7eFc/Uq+SxEVEhZBkJmG+j3VR7SUeW37Hb+20hGlTBdh4vhZAT5bUKFmkCy1aM/Fgvog/LWVjsk5lG9nw3j+P4/qVtAI2vF3FmiOLWGT2TYEv10G4KX18nkvZNLwhGo7aFas6jCtt6RuXmJ/aSKCvFbWw3BiNgZxBH/5kz3gSNGah/G36LsUOF0t9pqndS/r1HJgSYmNdi8lcPE2GFdEiMZHR2wnY7zcRaqQ/7ru94I70+3WCvJ0BxGdhTu46J/kfoQQ1sGXe4oJCfkdiUzhui+lo3KMZnOx8k3Q677IEx7844BUO0fSdmvQnlFfa9RJnc37crQMR7Ab1y2gpWeRehQvPMhIwOqaP7tuxzQWshxRS7BFQN7VFqD1YqMOCwijiqTq4MJyQTI0tCqRv6gF6Y9jj7ONd1LZyXLgBG+dy2+9H3DAd9dkYAwEFVd5Yp04Et826O2/5KqUjrmNi4LF0uQmEI4vOa6EzjWh3oOHnfBqmuDSFnabPnp/lGiUHZsu8dGzyUK/kCS4ePuRm2G2LHNNKuA4jbw9cuc6Mon5Tin2q0UnP3OzEyLqZQFWd7glKe29WrDen9TyEsK6bqRbYuszXYvbK6PLSN/W2wFP8LXaUeaYB2NNcyclAZaZYwG01uhtn2o2Km0bv3AthvzRIVKp3yxvfdUyx4XmKlyxeaYHEEWK3QAwYPsOFa8Fybk+7ZyOVienogaAJm654uiOTG6IYpiUV/aEkHRNYytBGsG9m9LSSoHEbAMcZ4chdl/GOsD3+JBXj9mozhj1TcC7tZMC/XjhA7lncSzjcYpFkCAIoHFkYjLl2mnjhrB4SxC2mi0KRrgcdLfJL2qYiuTTPUulqhF0OaZDEyMEuNW6bV8jhGvuXQWntZIuZP1Ys6SuXnPtkk1luzcQgKAT8A8d6otX9Bv/Dt+SEDgSqnrBAtkMNmhLskB5fQae7atGoDQ4nglGKOamlgskSenjaqXTRF/oYH4diUpfM+WVbKoLWS1t8DwDRdcOc7dKec1WRl9+uBaedANJvmjud/XpasPOwEVXP3SpuBhdf2eenB400ghNaCzFt8UGXWGBisOR6dpY37a7qG6NSOcHuJ/mutZEOLdJvKPSgquJTSWC9y+u13lTTXqL5JD4FV/+YjG/eOUHyllx87oc9fQ4hcGzhHzId6zpsOroob8RjGIa76lVNH2M1aNppeJQnnh/zDhpnogDmGvVbBNdtiAgWhluOh31XVh/42H4m1EhDPKR+s4nZxVBi5z5eLK8wvdHhHHj5+BGp+D29QEDJaCJTO9jbAeyPc5BBJLcCcaTfnWSuTfeDF9EuVlfXdxn+WonZhLs8gLUmyPFSP3ED9VRI5fkbG7ByQi+rE0cAUqM37JRr//pieDfoxBiXACu6y3b2Rv0FrbTAvkovJ/tRBnye+GeiUlnJWdznxXmTMc+drg7sqtzvA7sFTkfzW9FaIKyR4i49ZNgob50jsgZzSwd5eBU911R4wT647zoRd+uUlLCWTLpOou+R73e7QieJbpfa+QKveIJE7AvahysWrtGWuXc3SG8iEOlJTzJV/MHX8p3oMv0iCaUiv4enwHf5/eLqe8aoyPQq6rqBnGVMsTNvPoW71+jmf/VmAgA4Jd8yXZA1ksN1B5xzatO7M6i7JIT9gDn0IYf+bQs76tA0DxpeUj7Cak8zf3KXwWwEkG0VfpkHyZ1sJQ8b8RiCYZcSWMC7q78gwW53bJhwTiYGOJxCjiTwtmxxp9BcyBydyPgRV4wEPaxyObIj0qCT0bY/Oo0WFrhPfcyo6WhMZhaWYQPcBdydnvHrLCj7GYMZ6j1GUJm7HJhLtk2vgeP+ZMAI0Dmi/tcxXEW+9XQn1/OERxjOvEMOMc6nVpfdnyQkOXNy2c3JRGqmNN1rElwnvTbPWHefSLpubCTtfN8z9FzRYFeXgGk7qX8Sn+Nihv8Ij9jEycuM5VsqeP8RGpDRofYwe6HSmjZM7V8NzmpoNNRFu5sr5AvxxMiYwzsGgZW8oYKZiYNBTezuOmPptiH6MRBMnm3cTCCXxHw9pfk6XNwahDWvovs1p6wVBNUJNIdhXnhoWnyKHZxtTTLY0BmZvEQ+3scRseVLTfYdrIeoFEG0f4WHqNLffnvqEfKmCzFroQqZ0HagIED3WZRWpy/EdwFx/W/tnx42vDMHR7ElJ0LCoQvaJhp3Z+M9O3h3bgPlo+2TsdbFIq2ikp89jk/54Mt6XvolDoxb9pX4iXELZKqDJ2JrlNx0VBq2DUmNX7xQ+FSn94neTT3ZX9nehoS/KCRfjfItirDloiLZzNigSLu+mE26qW2OSfKMpwE1W0gPwZjHr+Xm6OMLmkPPqKzVLVVf7rvmiS1hUu9cplcNdT8WfhUqKO6jC/MhzYmOaF9m65MaLfCgj1nQJfoJHSXli0yMinaiQtzH9P38/icrE6Ed65qpj1UGaO8e97X3Yc9afzgTdFmz38Q1KdVaFGeN5s2DQmWqFzXmPrX6LeXk/i+/W70vK8PBRu2DSwFiOpTCyrXcWAokWkOyRZ5sgZPUs+qdTZxJMLAccvGL/ZCU2+zQobdVAdVLYiTW9CojsOyXTRmgb40vjKBVuIZf6Mj6coMZ/uBJyvOnNG4XMlSzqQap52/Ty98px9zNCO+qUaaWcw2DPfFFGU2GkBnzDAdWM07PHXj4ZvErlEct++ttCDjKLp5vAMUgIVirr2+kR4OTqjBEjCkaWKw2BKVv+RqtdKzud19NEgDcA7aZeo5PHqg+x5hCQJJc5LjYHmFpKisGsFNhFxj0oTl6DT/+rT5YFxWlyhaufcAVGP4K0NqU0ICSPjcFUBnvZeWrWdBpuOjwf5ockDopzc17YtxqNQ1EOMpwsW0RPAHry5eIMHB+E4lqLxMDA8ln838wtrOE3VfGu6mZ8P3nz0sGaRu5rjdb2++3j+6ERv9FRoApWbLwgOYK+HhEDT6E+WsuT+eFocTWe8DuKjj80WewsDmf/bMf3z47nW6si88vV4DmSNalulScFc+uj54CtCfdnVuMGsQ260WADTY+r5z2Tdp3iIws1Vgh2R/EzdBxcprgXSQCTwl04apLqaXoBhQYbJZ+oOQfpcPu02dkfe4MhL4aKv2BWJzlNILeImQsOGFJF8iyJxejFVlsRQGrLjw1XPQUgZs04nK5tpBzTdkFYHLcteBDs942Q109IAPUP1kcEmMRTj2pcMx5LfpoYPcGZu+7RZLmG5oMKnKlQJwkwyfNxdgBtLdPhLzOL/+7wBMkcIWZdZLdySvmmAmTy3YshMQTcu3mrnBAQ8ZoEjzm4Saldm7JWbboUTbVqjhYLX6GFv50DdGPaW2BdvnsUpK6l3YmMpQeY6l2EYX5Glai7QXYUkUI0Ddpv/vfnjLAXCoZKULBVHos17Mjc14AV8WMENgBaL7rNWhB7dSd9hHjcn/RjMPVRni7gyFZl6ihsw03uctfT1r52vuAW0WOqBzKXZLxRqN3V668z51SBaUilY6JGWtXcLJgmaT29FMhcCpEH7dE7Rwedr2xO50vfAXNsmjIEYvVcZsiBrF9bF+ZnOcgIUqsa/nxTRMzRZSsdxNUJUp5D1a71tqP+ad7lw2xW5YujUKH68O4giq67OoFUnskss3F7Ct85vKm54rb4BsqjxmMF7lvh6FuejTJSpu+ViHbEAeednmMCOBJgvGzajqHV/zvkYCQKGlMc/VMDZNaTTR2W7Vf3adJD7IXzHbQs6LUOTgV7pzlf6L/BzcMKTBAfzYp1/3quF5mbiE7gSmebUbo+POfALBn6agN5PuOlEsTKtOHYyZe7CztTEBctjXy4N+ICO+6HRF6dTz18T6TF1JkR5AVlQPabKIglbkqoE0aO3HDlpXo609EbfZBkiUS5NenpmxDg/KKxZAiRuylHP+SVB71l9/9RUUdPEn0XPVcVHMHXIV2PS0+2kokEUqSTtsz9OoEycIl441LG87ot/6kBPiquOR+i9MK/VHaF0BzYoiDLfFl7Vj8uP1bDVior9va0E17EBgpBOgyOJPnsMzRlkaz5zHFPGeqi/ElGi4mQF2PeyrcnnbHN5aWvZohGgPHMLznv/nDw1TBHTm3Rx4a/u+yj+PSI0P44dyE6puh9+InS+c8XXKNh3J+rUBB2PfroZapVW7B5DVpo5rc83t50PeyVReeabTndEioFqO4AOmZ6qa8jYZhjd9FajV6Ep1Rz/Qk0MZoZYFHNjA4LBiJ59ccZsHddIrSJd6P7Vv0iBFNRAeM9O9vIF2p+AIzPbxqzZujA9B13WYKItKkMwsWvdQ0NYDLEGxE+T0yDj0JKWFfh7G7W3622sQiaW3hkEb/izWQ5PxKXgK6OQl+ktu//QV1JMKXUuNR0JxeB6eNn/L+IErpjP9TQIdbrZNQVpySzeAtUj6hkEqsxjVcM8LgzjP0YCoZcDfsktkGNFcyCEiriKFPaiIw5lMia0Rdr11PshAs8msshqGf6SVqf2Q3CSwMWxaU6Kw233eTJ+WE3wR44KIGsodL+moCrhquv15gcrf2Y4aTdQGm3uiw2shFMpyzA4pjxIx4VRbdQ4Q1UnjIalAY4WYwAeT0GZkKlWydJ9UgHfyEl0d+ke7sOIbr6Fm2NcfP1w6QmfuNqd+U2GF/gVIvdRtBp0UwvdAA/h3d60tZ9sjZwZv2DVwPjNTPjWDxvqPqTo9zk8ghXYYjnGcH7pYnu9C/MlnqCsIub5pTCib3e9DgvOyHiV/H95eYh6NBakqo1R4Lvp7+KV7h6jcfIjLj8LmmGVyax8gyaK1x47Oqiz8ccpMmhI9NGkbfhh2LlFqd0o3IuEAQRUjT7IPKv/mdnQp2h2Qc5+zMHeaEr0J7gunVyQkaL3TWMaweKe3/Bix+MCWxYjyHRspOjm4Azbou1zOGeu3vzeZUQZOdNfj6lqDKmnS9ngJJhxT+xpecKoW9AuNdSFFH1iC4zXCOmoFRpo8CIkPMhQjIBKa+UY1yN5hTN/75KrCHA/SrhI/ztD8/hBULVidFmnmodl833BF+Y+MYh4jVb6ZaM6fhYQIKHPnjsb+qx5+0hv+iV05diGwN6kbGAnbmPPYjLMcbv1RY58FHe4NZ/Qm6XwjWRBraZ1sqe4dd86V7telOl2C0oqyoPaK9oBs5mLaR2YzlyeLMb3Brukv+KncOyNsVvVbnGKDw8QtTBvCCgbCdC51LfqylU54Q8/wXu0HtWj+RA9o/ayBZPoQP8cJUFQYnzCWMn5cnTJ6WAo1Ae1WItMVKuHG/7kYnduR2A0WXjobNkwYk59eSczwND11E4tf1SvUWDnRVuhS5iMt8404TB4ljy4+e8lyJlFg17Kep3pyZ+uQ0uk8AM5fMCj3UoBuopTm5JLhSeWotpMQLveHH8RG5Q7QCfk9zCFwsZ5G/76X5SeVTNaHzjcHG4XxakpgralPltvpKe2+k0g3IB307P1bZV1I+r6ImgMqP7NZskQiFETH2s1HT1MvXaqmEOTPRI3KPIB4ngeivZwLdEf+xK7qJxIfklk5vKo2iaAy1pomnRJ+iucmkGRvIrFDjuQN2vuFYVO6/zY4DFAmBI3pMlia+p7E557sYaakrkBOYz5+5vFq9dJ+Fnn9H2t77KosQvMbjcTNoqWOYJIgpGzaSE3gJGI/RqQACUbbj7G1+gawxv/GPLfyfMQ38heJ9QQfCPCH/aVk4jkmuQNi3nw0Vqb2l2FbzNyEQpYvk4vhM2r2butHwMRP5FpcVFyzhEGKiYzPYXJ+IaV74i4ECH/5qxi2Rc/VjOUsm4jwpSew33cQiJmdP8kN/5PL2vqkNgM7oKCVy/4uZughdYd7FLfnv10cVwHxCe74nUsslxXTG062K2jHID0DCzSVh2qc8tG6pc46nPwOO9qL9aVjMYbpLIsN/eSihj7OeE4y+RgH+2sCfwT/CUgFt2uJFuAralLEBO8Ry5vFSFYbyquVsd9halL48fqHFY9UgZgL/caiY86EqeYppLaCWPFIcqeeW3UUhOTXnbVblgV4ywtCLzCLVLg0HlirNozAxWlHZDNcjey/hIbrm+XWkxlvI1mMgBkupeemH1Rs2hDJ2YyzqQo1hvLnc+TAaCuVQ3uXyGnbQU80KFGdlVbe9Bn8emiQi4mxSURfA6AtN2FNGphbf2Wr5ztUrQXFzI1cydfheD09egpM2hVGbX7ouDATBpThYp0NcnYDSYvbyjALuL+UNPidUEsqJDOqzNjdr0/KAcblQvMQHaw3jDZ4fk33OpuesphAyl1hL1VagUJa1uPKL2JmtPCzh1YTIaIEyQA7FnfyxRbmjMQ5wpmHTYOM/i5H05SyzCWdWLuFN5he35c7TaxHvsVkBp2U9dmkGfgvrMA6ncBN1c7FvRwPS5JGLCPKkmR0mjR9/OCPa1VXfsFOUZBEihkexOBA15EdYDKSHY7v1NjutfnGKwrh4RBvZTiXVNm1ZVQFjqi92l6lFDbohPUPLrc8mNn547S2ueqhZwLKpCZpNJ5F5xnUiSwnh/Obh/i8gsQ6wSGGOqPVrULMybEbMvdc0SxjslzfHMSTgLDGjdnWwqj/XhegjsBm8rAaXvlHFlugaFYXBXEXJ95VJoQzn8ImRZ5fRnzAutm0XRFnaSNrZzkAyt0L3MLuDWr7mPFa1R/ftqzug8FHe6Jwi8MjVxkH4zroH7lvB48AmE6yh0KHdPyiS3StCPQphywSzMQ2JitS5xLT5jHcWHBcrV89TX3k/GuoIvq6mQc1wUiTyJEPlt5oaV10K8hfpf7pY1mpqMHicwA02JkLiq6SK6YMwrEZ6J0GS6UCjv1gHyR+wdSDbRU+Lc9ffxK8tENj1bJ2+8w2tAp/6BPNuHGoN1Jwy1zgKF/jSIFaJglK1AP5qAt7WFQLYcHu8QphDV0wQkFl3gccOpaU7/7SCPDkPOKmjxJ2Xv8m2hmtw0ijVVGlEv3YSUuSyczHtjTUjtXf6mh1lfJPD09qndTDWjSlgHpTEogrHDotsnsT6zNhojNPWpsl96g+pJwmnwzMzJXP9NsiXxR5tiCIGb/lX2SAqTbj95B9u/RoNXsMbvCAQTWolOQ44T25wHfCfKA45IMtXFn9/inTrl6ib0WjarEnUTKZTksSkuJ+GSPvMq4xGe7DeyDA1YyxhlYxT0dhHff+ClpTH0gcGRJEGY96nNSSCiktrwO6FHmYB1yLqJyeF4fmkq13T92kTsPtTGr/PnN7if+jdBQWMHtUR0oV/hZ9ZTLuflgF13AyQXumN4mqn2+W/ilhAIggizGUMjoJXgoov6IwVso9hs/ZfxHrJS4JocbeITjucAFYyzN/iyDBoi824NiAoXVwy1abP+T4EXBBK5AAf0W3EvjGSCtHJuwmmxBptW3HapiJWrbdiBV53O/n0csiOFeM9s4HF3poimjlBf3pHXNFwf7JslK0z2I3/g3chZkL26l3JuYvYTPkMdbFlnkZi+Rqors/AUyAxcyYllhXJAe1hmsxiChdHuoOoT3DulVy+6QO/M6h4XL5++f00p1Faju5HXf2AOfFErybPqIU9MmHPMrDXA7kHteHA8xqUcLwXax5rmi0kGRwQLPgMPiN0+LVudfF+4NWAyAdj/LTKvnBnyTA+dRcAyVfSM7jgTvbTLr9tlsQ2P1abQNuJtVarNIhUbwzGjPzWuEWrIg/hCK7Xjy+o2SsyJzTajcl0R9lgzDgG9jNlHgMSQ2XqD6KskGW8tmrk8FW3+g0W5GTtLpNsn9OUnqnYV39Hk4h+dyrG1J2kTlJsHFCXGK5hoFPMKtw2tq9Fkq4T1x8c3/jvGwamKiNEpS/zwYjESUhQpRsAKy6Qyb4HZqXvsOa8dTKbqedIpVuKcqAjyxKI+v5UjgAamuSHnfXcGhlM2r9AxqjYOxMG7Uae2tOR40hRr11NIz50Bjy/N4D1Z6cIDNuo9fzMhV7yGB6iydCmVcmsQRw/+9ekyALYk82Kv64s7YU1yKlrDyiVSwbvO0t4XmwvCc1ZLLpboTxr8lSiXJyRtB1uR8eyzB0HWE29aI2lgcQuG+pXFrYWlnw3baLuQK7THL4g4Z+xqOijOxHsoHwo2gleZStXD42jHz6jJictGqDZ9V1pAe/j928mduI4VWIla4qEImd/M6R0FvTjFnuHiUuBgkkYR+3hD8lm3HGtTRSrIXICTUBepS7tAVVvW7JExDErTNZDT92GvJQ8ZJ3h+vOdCO4sFC66b9IW9Nn7j4s0bmhxQuDnyq/fJc2Q492IbsKYlkZg2e9ojOhA2gQwi95ZG3OQMWWKcyKyxvY78x1fedGE3aquwyOLFuhLpGNZqmQuw5onEZHqBgPtTP5TUp6D22DL/r+1MQo5GIjd+XZNBB3c4HptZM6BoKcDeDccnXyoFbzLM9dV44wqiepzWiBHXI91gnwPdGupU69wC5PAkNhf7OPpNYiAjUIzmSLvatyC3P8CvdtFssUiF2A8qCmpbtir98PfzI2nVkOefoR0pYiJMYpu4734V+G2lnhv3yYWWPGKoRPwiGprDwXa6b+Uux6t3nEuB0RfXeTmtQ7NFPBw7PTNe0b7w0uez0enqa6csAkijjCaRr2VkhhDmAxBsH2IuQ7XzBFyItzLBeqRfwHs80Nhb++zBdfqr+ndM58fAZ1bSSVrcBKh70tvvcZ/v8YvynjSoDDtlHyvmgukncbuzbC9V8y70dRDEtuVVjBCqw5FYrAM7eNxOx8SAaLvu3P5VYDwK3tgR6HqP6IF/AUtkjiZ0L+pboJgtVCsdlj0DlLMw6H1kUwZF/3gdps8Cl1g3poXeyZZz/D83g+/52cTuMszPLIYDWkJW5qMYLlA45m8La563TM7YKeXhyHyHMu22SAddBalNpytTuKomA1PiCsRyKuKsyvWNNqZoEUBZvkvvfvNW3T+lEz69I6BNZXMWmHSyp3HWoAuS54bro3kQs8oPnhubesoBOKi53mGfpBnD2p0p9YswNVJ3WhWQBWUr0E98J0zv709DeKBND66RXDIDmBah3eQw6zJyO695NfClN7KWBXnXcD+y8PzYxp4o1InUq1cnOWGTdW02f4Lzk6ROuGap0958RqXiUZ9nSpKvNI+7QMERDU9R8S70v1JMT9Mtfy7azbjHfLkGprkB4XhlInA98OqBdl2hwuBcfwl2F+He7O1Xr8jBd0g9wkSMi+8zVPrZt6ruDHRdjzCxvTd/XBDBukzB2LwUHD798riTSI3drqlLoHhKQ2Ot7TKXb6XaIcQO/e+aSIldQX+hHblpeCsO3IBaeAQszWR1aE7nHgv8FDz2pJ1Anvi8lrmD66oKOY2kdStf4IsNUFZBfG6ofDqt0jTXvrWOWqh/0GozEodK72wJGI5gaZqWxFZ4cKIRnlTRIDzc3pyKYQIM6O/OsTyJrYdzuUp1XVKrj2TuMKoz2O5yugPJKbF04i7jHDH0yTag8Ovr5KoqgvFrDJCyB/pVyGuFTZUdPg2fMTc1twEYhvBrVuZlbVtRNhk5TThJEv/vcV0jWFkBp1fR0AiXq/J132b6pAsRdRVE712MtdjqbCcpX9WSHHfR8VTotfWbrfbg5KsW9qCJ+37/9O3Hrtr0861l1Jg0mrY8N/WNYF03owijh1pIwEloQuuh9s4it6sHYBfOsNgY4rWXPyT4e+iB71nl68wLjD075uXag/nFCiV+g5c5MxdhDedee8n4p0P8jaRC+prsMEraSAELcHnTGjkqdBtyhwrGH2xWBAl6wYdhoSlFGUOhnIGFk4Yvv8WeIjk3226adsWAPTWcaNy+7W9zWLFe3iQ/YSIwH1CDk4DhIyeismNE4+OQt5OPxdUGf66X1xBpUR2rtQDJlJxDgOYrdjlVTjgiv7Ukmqggf9Pl8TniKc/77/0RhfkcmrHLNnOw/jjWNkDn6lmgy8iXHThpTYxhvmdaGKD+If4upfB55O4au9DhX6S6KmcE80iTqrt0UEcePfpibOt2LDsbpErCN1HKnlI06ZsAkNdWZNZjRPQgVl0ubICXjedv6yq6jU9RdhqfdVJKqoXXLI0xaX4TMsUF/FpHKXZXkGPyhqq/0vS2ndnjjfEbNijTB0cUrFI32TOCZr9DJBXCC8569/ZHUNr2G8MS7BdhSaF3H9AxxfT8AbglkUqFQzR6j43/qasoGDzPfd2W46nnIebH9YTtzrHRaM4YGcgs+Bv+jjg3tzH21BRaPP4EvKZOV59mOJSC236uAz0EjzYYOwdyoSfjhDSCGUGrYGJRNA5iNv3zSPQyAPnfxd+SqhScFSJ2XPeuUEz5qrqpEymqs01QEivnPW/nA4U7N+ly2kNCNcPBiEm4WSznZm2wff1nvKh4UNPKHQNQmCwJInyOwHqdaMg2GsXGpNSTclMDwpuhgo6zcsjfBUhmION1LdGVP+muplzFd/Ux0cEF4Ok6Sj3288LbFruXST7qMkNCHBss9SEGzUxeCsq9blrP8+zTnWFQQrv7I+a1lPEPAOeAN2tXNebPB18nxIkgcdewqRBMwg1ZNexhTATOu8ImDvSDGgLh/8HXc4XGWlA6cTq1yStOrbFH0KCt6INrrnMxeE6X0kbJy6Q8Ysly7aZjWs51TuJPr6xMdH8ln9wVHAqnpkVmAevMLNaIS4TVaCygDFT2wi4Rntt8TWOXdYM6suZ6cs9dHpBsTcJU+2YsRwUYFqp4rztKFvvuiL4a+3iJ/83FvwVPJR2K/D4xgg0EzCnJERbCeN/gbhm0ADQPT5Ho8iDZII+Ky3E3nb8aIf186ExuW3sUSI2l+N/2fQhhCboD5j59l0+wDxAZk3zIvGEJsJMJlTUD6K/T267khnDTp9UTynAkqumormL8SRJyGLCB0V4ItmWtmfrYtfvYVQ3uQdBJq9OUy2dJ7wCWsrwg4PhFKY39Y9TxhHRGke+dPJsjvmvKXZ42N2sN4ecsMUdE9vLTjnVsxygfuIfhoDLYb+i2W1n/NWx56sb1jzWX2yb5n0DDnvhwbb0TpS9BJdPt+j8D/g4/TSarV1HUg8WL5Vyy7WhPjd/FA4q6HAR2ONjPqZZu2g/PCtTR/4oH3JX9rtGJcqsl9eUQbZs/g8xoNAtnk/AZIdUwzGNMNO6zpCnXCDvC+uDXGvZwaaJ1mkzlzO31QIXK9BmyG0IP3IfrLfYOh/Govsi2L/ZUQtLfMEuIOa9ybGrW0Mtal9syCUVIGWkYWHpN4/f3Oqtf+YC5Fmm3+c4qh6BFP/4WN+/XRPX0/hS4jZwsIK8xBPAEwtcu/hwgc0eLspBUsRm0pBDAY5tDP6z92qRgVyh3tIg8Whymwv2Ah+6OXYz7lfnFhsfA3feE3vJ6hPawSXC+pta74FkXfciQMb8aqYijwiyP+VjD+k4jiDQWRiHdlpP+7YAh7oxpyBg594sUTAHWIkRjTwyTlXaCePVSyrKAL6WghbUEiGWTxFhptXs6Mlz6F+Zafb91VsDFWHs+BlgFJLvgJztlPnmtGLiU8KGf9ZSATgPGCtC4kAWhhgobThviYeqRrdH4ecrgH0IJa2frs2Y/bp3h13isuHS3Xd3cEdabRpXtnwTneQDObibRkNh18KwaUu4Sex7FQ/3SCn0iydFqJMYZuX0W1mDjOf4cn0WeAcSwXFDjMS7AhN2k1FyATGLcbYJtkUMMIXboAT13vg1tC4ZvH8TwDOVd2DhddcPjoH7LdL7ilStYUWIAdFXUdyoC0/F9z1c40CX3VSxhEiBabdVv4aEeDkseCSvHqv1O5qDoSzDVVOpTWlIsca8CzbFZCc+pOT7R7DeMduADesJaTSH5WWS7w183kB4e4Co2mGBlCtUX00ixiCHnHvSRuNpdluG1yCtf1c4veMGcheAme2VEZdBSvrtezhvgTnJhEjtYcXWw+IDpE8BdN8SHUuuw7YLywqr9n98138y/WqYGaFkIoEfdNTMWtvkJKsjIKFywIUKNRrqhyXkdw4fxkLWkuASlcz/kFuvXCHjbb2MYJWZ9b5JE/sQAbMMn5bdLY9R1xaFMs0q7GYexj7RCunnyY/HmRPNDpXa/mLe6w9TDdHZF5uqD2IEIU8fODMSftGospvR8O/+nkWadMrCtoIOxQzytrroiAwS8WfIhYgMW9MUuKexVdT/FijteZL9Qc+X6TL/tPbv8rwccg4EVMYpeem/PJheR4XMqin/6FECQ8f9LiAKE8Zqmw15r435xQnsl6lKiUXEiRtdrwU6adqOQtO9SzQ45sWxw+KR0729ai4iiDAQDCq8mCSvFxi7Hc8ssm7sCscbd1/cIjo4ExcXo/ohuu/C4wO9ssMTmXW3Ivn5AYIeIy254O1Qo12oYaPXcW7ostm19ndbrjbrZzztO6JleU21RXfYIOOiZfpCb+itePqCwSg85PWo2sgfQ+XCvFLd9/QeocawDRDHmXmV5HMvAHBl0uuBEV5emHP0fLftNO3SQ8lVQwsxb5n9gB5Y/rc/mFPvmHXSkOreclTmHkm8RLWhWuf3exjYGTFNXApFgL+8BqDrg/KadRz8zww7zsxQppQzOAyT4eszhohyeUcczJr+dZL2qdb8SYPD4PF1D+8XhJJAAato3cEdk1ERek1Js0b2HlJJ+o+SAQzTuXV4i/mH7lXanrqxV5xJ6obQmPhaEPt33Gtuv0/e9kk8suEtZvKv7Bnh/T1yvCahUpzuXqIReDzewzfwLKWMY4qne77KxVeClr49yTCYdHxGJpPFNDEAX85r3HzW8pqlltXsrL/IwMQofJfKjxBJHDn2spnTXi0uOrzu5pUsTeB5+yBxTKJOjGegJ19pvBqJ2cFh9NeSV2KA5T+SfwurYGP2DISz5vT7+3qct+/SISX3+qtlXT/vYxklyY2Dq/tTNNd8Ik9jKMaoN6efYPTMFi6I8ryQLaLHbgjiLoi9oOHarAJHtLN4n9HzgS6efZsQeZQ3onQxAuWm8hum1CEUEOoPK4mg2p31u/5CfyOi28JmNmoxZ84dYHHiDyDlKkZkwvAEVmE5M3QTq5DBEEpqsonLrY4qz02RO9MbVD7vxojZpAwIMT0jjIK96RELabUwHg5fr93jmL6+7f8ESPyN0Fhu1vi3nxbDJYFudp7DQBeSB/mWR7YRD8xkovhRTOW3bafAW0C0bm39Q5oCpMoW5Lr9UNP8GIPDqYDZBWqUOfSFR2Asn3E1iB/zNKbdADCovuk2Wjmr4P0xeEL1OJaQQEgFv3lEDoGBQxof/PEXbYe2Av9SC9Ct4kGzB608WbabOI0VNLZy2NvMTm3EQeor45GO8efaA1BxazSW0ydA+2dFgqmF/1vaxk8WZb+P/Lf4+PMi+xSx6M9aodndpbKR01XsIQcNBNbqq43QxJjmFKuoPbj09NKTn7ZVzBJdStsQW212dCk8MAbOmy6Xdha5n44gW9dtuo96ihHekN/I6OEHPaEgEzKJAiWn5ijxqSG6zlWEcBjj/dfSZoSPS4nx6fVY2K7DJi7nLuCU3ZjqXk8I2Zjs5vlp8DyAjipzWhALQsp01hAyA72/KE8oMNV3VrCONLEUE+l/3A8vozcuvBcpkLColBEFdNH3yhDA0Udo9aK+8ZeUERKdsUCZ7QIdkN/i8TvsiZKxxaaNASjoPsiFgjG41BRr8P96RZBTgj2ubqksXqYJNVBScaE44FIvqlyqw9oZh0lnAqkU4MAGF0GwTbvJbn9Gu/84U7h4DExPXksT+mI5F34QOZq4KOVqBSaDE8WdeS2s7TMSf5ilxveFMK3gUniWMa/QwZmtCakkdkwIi8aDKMLUal2Ark0tbJeM5m371EvgsSRTjqddnPHo6PmGm7cZ+vXoJ+WK/V+o3ZpE5uGZ/O0CVC1l44qIun/wtiFlAuVe1JEsIs6YjmyaD9dabPXWu7J7a3lbRrurPI7rl7dXTMCjVnAf/3rdfJhchbv/zUI3ig+cekII0rk7zRYTULczgPCxKV3jeV+VuFw7pRlAwA8Yw66byoX0t+4jf2qiI7FOxbSxqfed0aasy5JPbGORwzcHB/k/aFoXz8aRPX7g0PDXgzIIFEp1eXAke1wHqjeReySCKr4hT92lLq6xZLN1aGoEjA5O22Kx8wWhYoR1Ijmku9DA7tijbOdCaffzYVFai3u4txl1byP+NBUvul7DcdV5OqDZxGGYmcVIXmhpJ3Qt+yCccs3o+AA66EM4H6jaCE8y2CxVx3HjsIUMLnxeNKVz6DN0sZgL+TwDRtA4i0Z+BrfzKdApONI221kEbUnL/meBUGpX2O+Yabs20JWRUWBWRPzIWUx2P5DCn4QwP0+cheRFuyrPMttnM8kHHZbCG+SpwAYsMpranNhPV6E4I8VDBhIeYzEOp66Aei5e58PaWFbq99VqQ9TWjLKxVqHkFvu7Anq4rSa1Cnw5VUZ3RcSlJ90A719x8KfLfUEZXKJmnqvI05hDrxteYUE/XYwonxXz/7KA1tl/HcYy+0l7CsMwFT+0O3+x8ZEF9c4eY/ubxRcmT+rVMebIQd2sJWr8rNNiriDJ/++fsb7tj9eq2Y3dmkEY+ybc1QsBHPDgXLN5gqtfjcBDcUSQ5Trkfl78PxCW9njFZfLGqn0w+xPH6nGdSPmw1kgGeRsXTT1p/M0lD+iwfxqXqTcoFVI/saHEWmskh+ejRTuTqEFrzQGG1xCSa0YOCWjX3DPYb/3B/MGDT39L0Ske0N0BPE6uQTI8L7ejrMP26or4IwXyuPXHl/UVIsp8w3N77RntbcWcAV9OCu2ayOXPuhnUR4Fg9mf69v+H1HM6fpbMMcIZH5DF9uoJfNJCSCVcDQo2yzVxahIyMfHOwxjOMFD0BEg7hiGl7t0EpCy1qdveY262jxaL5el3QlKxIjP+qv4nzec7gKyFWA9Nf1fuzg0wPCIurlAfSv6JASwuk6K2qrLjVquKN0tNad/PLIiHr2oyvfRCp9KX780FglymJ9wG6+q/S9FSktT7c49UK2oV3KUKJIRJtkq210u5iAQ53oYgfhKoCiXlPt5+qvu5Yv2b3OL+hNjzmmcFPns7bFCSWThUbRBMO57aFHBxSXkZIiAQh0heQlRNgdwNa/vrFK1lPW+GjHkbNjVmcohWFwOi8gKkfbwhKJJSnV6mx7CEg0qNs2LH8oHsQoBdnQG0+tcIbySeo+qt6PLLthbZV/TRRE9POqdfvI6MOiBFUBx7fHEEAAUxuC+q2eKGC1T4NvRmhE2Mg1Uiv/k1evKoY/NpngtPybq3etRXebXLKop4Q0TZyat7xNBIm0nh/Yb3h84+izjIRHeGswd6iKSU67lbcJ+Q+jB9OehU5jvHsgC+PYHtYUFQdEgOKBmvoLTX4GCoPFUr0XF3S3vIRHLjCEHW+kVgzuIi7uES4In9IiOqExdgk8dRqKawVSKX7oayfXF4mMZG4bOM6cOLGy2tMGFIkW4njhEegTyJsnHxmOGnham2H26mkYPOmy99V4ggXUyuFz0x8xPtkLG7IHq9H4cS6xJRpuS5DvySt7TPUFVS7GRzdNwfnzDkbhLCtpxgA4HRYx5WKJjVicn03WMoS9FtHwmO6s+sQ7Syaem7VcUYiV03AbPcwL5GJXJFPTgGmrKrcVQzbE/K0tdnSaWzHTzmFgJ2DhlwF1+nqu6qYTttjKvRJh4IpsvPseAj7tpNK9OZLyRec84BnhY2e646KohHhCYG91hTO2rdbuREApzg53CRiny1ANgbUO2Ci4KU1PjU/mVp+w2KvUvIy7T1wL5PsmoXiXR+/i4Uw+sg+t03F8pa8Em+V8VoSneZnSuCKsL9Niy1zoMYDIvNCIJ2fkG/Okl/Jm+hXVP9r6WNsNiiGs4NGHsjPlQYxJ1A2FfEdUYtZk59W+ASDCwI3xNKjNw1PUNqihVjkpm7BJwQJAQivx3DGXpYbpA7rnMvuH07m7/JlsWUV/M7PX5q1M3gm69IMUkqbVtFIOJoI145nDcKRB1YksxXRVVxtG8EB4FTwoF5ryXwUI3IMx0vrVHyXkc2/Rc/6zihJq0VY3Ynqy6QTCyhjiSf5gR9rrQpaD2gZFWpotsOntYwOe3LbdBzbJrLOkcmj/aBP0YBQqghSdDqcyt56SRbu9vmQ44e+xmXHbCAsxb8gFWyM1B9+MqmjrJc7sKycaL5UJxwnvMqYkIRkAx7rEp8cR6yBe0rVNBkZ2JkLSAWu1nhOVMSRcwok6yHPh80qkSQ7lnaSfIc9vl8FKe/QAz7zTHVG6pfy8kp7IlPpM1hhnnSOnpIfKkw7bkFRy0lSQjU7RtAoyP0A9H36hpxNQYi5SPSEFe7z0wa7B+Js1quPtn62DoDDPGSW2d4mitn6f0FWL0Ebg3JCwmMQ+O1P2S0Gblo+RpTiP0ZgSxdqpyvVsGq5Wrnv6nnujeMrZ/udzT8DjzLfI/NTkLahQI0/CNXpo9QLimOTc4CfbteUJQ0OEVNikcs3VMwy/dPPjy5atUf+nj9uHrur9ck1W7gXAl3bAeXETAytEY24DfZAuE9M6YU+fh6MtYqEsFfvxsRhFvbsGEvsbJ8t7U9MnI0D0E82FzNLCiqbtUNr84+ovECNQXXCiPPPg7VzjRmZDhDTZwF1wxoYEaOsfuzpiwd061NOIaJrTxMXyl8V8R0idDPGQEmx2iH/zcHHHrCe7bXPaxCNd0WeVl/EYIZ0YpI+yzEE502NP/w0FWyYfC9p8CWuVL239M/qbyP9US10/UmGKHqAUQYJAMLsXxJGF1nADBLMGRfy8kB0EJT7Uh+3OPTAOAM1mouYt0MwCJn8a5I0vqdAkEIclU+FKteVrzK+emzw0zxN+sCaK6dsLJQhCH807rEcbIRcPuSnd4iojBWmLdZrDkyu/mfYu/m8EfSWFZ9q3w65lFG2K8vDNYZwzTK8GSf6GuuxzLaOiMuJCgQ2rHbmGOQp66ndEiQRRU5yQmi2WcDgegUMicAHZ0k19xUQT39aWUHKQZKA7K22ERD6DXcjHiH8q2DfmLJ2dfwm+wp2clwvrhkHRwQNN8An0jNCCZJfWVt7cnnhNUxBGot7hyNpdhTPXZwTL7Ezj/5OdQpEMpi3znsS0c3upIdEkn9wAOVaIrIX2wttYOlqbjyP4f95Xy+n2rhKwUgMgL8wHUGH3uj6of5F3mujond1PmaTWlVlT+gT//Vzmw7xPNFa1lHddCs/XoCn+FWiMhttVYQy2n831UgyqsxuKmZN6A1Ky+WRgEfeFBE+VRkSiP0kD/AGpI0C4VgbdDQK/3D+TqDo7Tn3ddppNsVlWKXtXa+T3Efnfavxal+NF8OyYmZmJvm1uspGx9mQYGuLq35/6W4AJ6C/DFAiwHgcvDBjj2gOZKhXeOqkaRn/oiIxvzihy31GcsrAvuSMkpXfhjxF++3ihVaQua/qLXlrA3NAA5hLJkB8Fm6kvkknUS2TVmcv6gISsVxtEo1Qijuomk08Y42sH/B3xE9IvAwiJQKAvHazCPaOGgfAiRGVf0WF01MocqitwKhuidDwJ4J9e3hap3PtOXTmJMOq5G6bt10h0Pk/Q9Bi9A0+nlpGsJEt4lpEqcbA5B9ERAIpxadImocuou1UA/lFldzo4EA1DC4W7Ids2d1Pc1dSg07AGzj29QpucYsbMC3KMyrYrqvlet6n/GJeQXeOS9yLp8yCgDvmXbo9SSVVV86EZxTm7MS8od1e73RCVc0IFUrAyPpVZ8xJpDjCz7e67tCfWO04napxkOtDXSorzGoYd+ucOOjrt7l8eOr81AAwFLqriBbIDzLsFORGh7+WuuO9+v7aDlg1b8sUHJknDR3nkZkzkP5qrLyfWS+D6oko+cSrmfVtd8WTEOfiYAGupGPt45oBCtep2UJxa++P6J2ftiZpOTHg3nW60YfzWzTdbcn9hcu7KxjE6BwIUtYNNQtJM0O3dCuf7UFZ1aWeDFzm53qiehF2mi/PsEW3SfD+4kCJPIxzq81I3fOYL4R0UnzBxGgpgtaUE3XrHbX6WkJGIQjnZwfmYRBchCYYx0qpeQVnW03K3lauDJtS17l9WggC/bXQ3BnVQyQejMTKeJzy/XFBJNKpXkI7lYsd1CoYQXWFqGq7dJHF4ylducaW5V9crMy+1/hgZy2kA8ekF0jLY7XAEwripac9qs7iRcmEH1FVlfmv6ZBbDydl2N5leS/1gXGgBnQ7ltBKJyO6ocASZGzEPEk4BFRC2rmZWGDhaKznROmSJTnrWRspfRSIE2OuHqYxloTHcND+io7YGjZhqxN//lgoKCUqiAmK2keh08YDvt1zG3jcGUzAumMlWDaFkQ182CAxzUCA89k38v5CHS2UYgkHxwAq1X1osb/JAaZqKzWPDZb7qgglg+DE7MEMgEmhU/jRWbZVu2NYQ+xCwBh3+B84T0kRHJsYveMaY6JF11h2VrHzl6Ofbsrt0ZNRl4W+xErZaK7yzcgZfwvst2STb180u1y3R9zF5b0IBFp+7AM68CVWXTb+3HSrclvi4Yobds5aylveqEbjWdbpdOdNkHIaSjMbY2TBRTGHZ1jOO7e001IqJmpA4M3tZBeX6mGKoqTllbS0xuO/uLNanqIN/7K2YV90bUcwDaHf+6SIyd3pAXepIqDPCOR0ioztVAboHlJLByre0+988EuI8fRPi4ABikj9vu1BeQuz3PyFOB9U8EgU4YWJ8LBcVDWfTy2SmSxcK0Yv3s+wumeZ8mVMko637XCSlmIUeB2XHL9h/cl9ZkKjsHTt+VFogsJi0W6BOS/6SyhRXMHdNmeLWr06I01nrGipmN4Dwyz6qIPfYfpxve1uldBxoNOPOVfN+8k44Vx7oMWW+AiFmrOeF051yzerTRKsBqR/D88Rs6u35vNu8a+5BvBUh6kQIulDZomluupYcy3CQ7gIWFb2spz13Yvw9QtHu10XZRu0N2+aEmZ+bq/qrXVUqG9smhMexJZxAzTBA9RY2W3tu0ifTqZjQ4Z5JpMDRa+e//SxFFnecCq7eNSmvxUXqi+UmOw/7CEXu8xBLqIfGdCIhlOLKLuv5aLv++IrxOvZewwg+X1eoNCAfOByqvmdYMTiyc/aIooOfMXfO8GK2lI/dvrTQyXUWMSyh9IEE33O7KLvVAqWGFBVf2iG5fN/eAXrsQx8gHmRJC4XgJwEGZ5SfOqApB1Ho+6FaPz1eQYDt+n7Y24gq6+P8X+wiJKcNLLMM4Zto0TbSb1LqOpJMR/UhPrgglohYk9m1Zdz4I3ynUC+bXwX8oNVWOcfGacm5a9AHcRPZT7oEJHJ8nMEeszzwNQdZg7mmKJPeZ8C7zOSpo3i8P7ltVLNZkmBUQLJRYAwNtBCvCW4SPi8tCYLNTBFuI0f7+PI3KcwDcu4GIjDbGg0wW3w40hUXR24N2WufdqAbC4oFsRHRz44beDx5A0bMmVdtaBGqaae8DnxmQAMiYBCDFUD1crdVfQeTaZ8DKfHZlBmrErAKS7LxkWloI/MQNtiZUBSYRpVVKcc9Dv7zQwPrK2R0+WZ0IM/HpPQGIcn21togkAWPQL56ThGyofXBfZjb4OXmRyksTtHWIL5U9V8XaO/daoWGg13qCUgCnAmKvZLex/XcRaa8PbovRP+GEX/j96+IcaHLVIgIuylALo9BwDlHppK1TKXMG3+Su83nu7UFJuOU/Hv1/tVLs4MdYwxlltf6tvuLAUQtftyXHRDDI4VQ6vSSMI+6DNm98/5IgcZqyorgC2bxYUiPk6sWxFZeifDmNfockjGjSRJgsWZOMffpnGB7N+UEoG3NaC+d2HFnMOiP6dbrehe0jtTe2Gedb/ouYWQGcy/LSAa6w0+0Z+gyr1aQXc72dvbq9rk4hRjBSHoUp9Dk3gerK9MXy6+dWZt0twmM7sdTYtVFe/KTBQnoLLewIaEpOsr/J2GMc3PYUfFQKyroTdYSjFOg97Ooz+DwC3p6dtrXs7446dXzK3dLKW7S35ke6VLpdUGxY06v4+iOGJZ1Ki+uoE+FQla1YNRFs5JUuLcHewd23icoYgjmc4XkrvNKbWqyATv/KbteFOPcmo+nJ4ghSWyqWEB+U73Hk30Bh33ZAzU9uEpQdKSsQ/4nD3QXCMKBxOgIlxLJtcLuHsM5Z5942YbC2crfyYoiZjp8BT9cLr3zKACt+xdYRWV3oIeS/TGO0uuc2FGqdNJI0CGS5NBfUvtJfdH5czKHBxqjdUg3Z5HeD0CT/NRiPmbocgt2PGXkrfSntxRo3H/U79cxca5LnD1IqYs/tmJQ+heG6JG+nW5TV25oMFMdGV/w0Dm6e3Nj8wOjvsAik1C4QDbT2z1q7YvWMJmhi50brh410bjKxE8ACMHf/Ac6sWI8ecrdH0CTlh4hn9+Y3mb7OfrEEvFL4UGqDekoom40IioDWG5DOk8EU/m81SsMUem7L5dLPnCqubHQ2mH6pgO3BO41U91dkN8+GwsL8Ym3NKBtHu/tdKft6rNffzYtIuUkO28sfBLQ1y1wG7t94q+Uw9Z3PjIIqisgJ+9uGMm2wg9DEjjtwegZ9aHT98EHct1sAKDPF/KSejOrbNWaqPRtpW1JkfPE9l6wVAYfFGgYScxRKIquV5kPJ227VAPwZwBwGY6oAPG69kox5vmb5m/LIKMC6OkCHWPImwfF56MQ2opfDe2ry4OAvhpGL9dxWlsyP6pLPprZJx28gGvpHcKUzlM67insgxNazAu46hyh3frMVQe2NsA0Zq3jSnYWNAkbhrSWFBtrmjLvmBZzGYEBaHicMPfTIO6dBZv8Za4LgPN3S9Q4Q+hGmOJuvx92rIoY7X+Ao/r2xT/vh7Tl6E8oqM0uwdZAFP25jhecbzrmf20W1d2axhcrNkT+mnaXWOb5/2Tc3dCwUP4FCPkT7U7Ppvu91y7z5qmfBu5WEBNXvpLeYyuCm+2Luf+4dv0zFFRaa9Ee850NugYfMf3uGgSKf9X1sbQA0RtxOyqFmBhKuiKdTkUof6gK2T4HRFkya1fm3eaNTxALnGFKHqFFWeWpVmKT18DLttcSmQg23nIDO72cjDnSs96qE4umBCqtKkLeuzX676rIhIVsVlySi/awn9YftwV43jjzqUfibCz/Ai0M42qJM+0sWK4IgDj45gk8F3l1l97pGDuIAzNcrEFnQPA8eORabXCIFia0LXmOgU+0EZytv/ARE/uQbnbmCnmMXo1W70iJBHP6HaozhuPAlIyGsnaLCPGLf/25m8IRaaQkzWULf6vgg2Tj5kqCYbYKbXJKMY3pNoikHi+i4ac2du1glByuhtoE9VhRHe5KtCdjYh9uqHFr94mrGWjsiZht51PSoCIJ5M+Am/rOfX4ORrBXNW1xIzii+xVN6u2v3orN8rKId8hsKVpExJ7JoLupG3DAt6BeE6d5x1Tbv4qE6vbKuuGQkCaH62o4uOwB8RwEHCHXyoZgY4zSsO6y3fhpRnLEnSCfxMrdL5/qR7Q0ginMnCAKXuDRx2xiSmWiQ4Dj4CXEGH0PLYA38RGzlt7Gd1ZfUYE2vEKMQOz3WrDhwN/iTZMHrWKwrmuzk1zzXPn6DZDmbXGnU2XdWjHPOxFsqsytodkKx9+QT8trW4N3sCyom7BQF0IIV4BUTCXLBB0kGQL7NGXXA6I9eG2LMJR/K8lJJBGbR5EnJx5MpJ5c44OSjlpFUcKxCMult2s2P924GCck+QmpbpR+ZFgLZFiF7qHk47wu+uLaN+MaeRoEY9BmMoSrNgz9C7FqHpAu3AOAVpWdNMn6ryy1+n9k9D+1tZYZKfjWug+W8qSCM21xCJ65qc19qgIHTXJFSkrX6xSkUMfvhTvQtgMyeZaH/PGLoIYkmumqUBWpy+KCwSiVz63dyu2d7M/1yIsYYnr4JQGnl/gzf90IptuegB+Q1tE4WdYzw5RgUDYWw1b3ZGdl6hy7kSIpygCEpX+FZHeQCusUbNg+rjSotZb5em9ksHZCFdQqucl4X/rcpkC3U/XigVfXYKd1VyA75uPZLxqJ7HaNX7llAlaPe/5zyoY17fGeJGFiFh+YYRZc3jdv9JxU/pE+uEF6JxqGYcNJJOjNU3ZaxZ6cLpwC1CIEQL/DdHC6Y9izyFZamcil9CY/esKsmcO41nanlGmR8mP38tUSka2/JNm8mJc4/7SawUsyMKeTvvhLSesyV5sTcZq/l6Jot0ugLL0tK3zmNEdPRERIJVkIoFd1xoEQH2joELIKR5KbXHpMTehXm1SD7EdeQ3ZjM4dzkrXrQOtZeHL4EPZ7lQ7V41DLmOiNq9GGkRe9FSEYvkZKPiFCNjo44eqjMQkQd3/OlJmwVsGJ2HqRR0iZUHUdlId4gjocw4tWH1VSlMlSe6hkpr4Q8HotatX6FAZrH9+U7/LLLl/z/btNjkc5McC6owJLDBy5qm/5YkiDZIXkeOofSSADoaiaHsJLUinJF7t1B8oKf1fm0SwkUCdqEkFqg+KMXn+3lAP9YZPE8q+9ZXbMq19LR/U6F3UxtBfcqP42HtiZ+qGqPxnk0jJXY9Z1NdNj/dvMWDgjloB0cUZ5A4vGUnI255lo0jvuSqJo2PesBqkOwliM6ziG3NkWqr3LUecIOxiDzVpFgs6vz9v4cc/xcEsDVUOSUBtAhOcR2AsRlvw/bxkqw2O/PfmSP5SzjMcy0x3k8Ab3hrJiw8O7gmWkqM13B9BoWhsyViDad02gTFj+3K2GQaM2JSB1xj85FdklS3+ohPgcL1Do/gZLGGAVR+FDJb9tJx36CP5nlIHRKPphbKII815lS6s9OMqRnaX28SZCLAS4xB6CBR3aD9HGePHIYAFjcQX8vzBRQLBIQ09amcBzGyRH3hqYX1uQGvOA29AL7Z88rHSWsSEHdou8cfotwyFrl/Y28bQi34REp1MY0gR6z7KxDn2CcGlsnkRhUVRTzJnTZvUhcgtQ7D/OZETgTURsdicy42oxVNjK50BQwzUSw1TzDDOGqhP/zgrPlB7lURhank4/mtASkbPKCeuFkizJD/qfGya4fOUJg/PY0F3TFJ1HW2ECfDtYys8Kg2lh8RamjjcTMiNGYhk3Y4B5DE0C7YniX9XeskuhOECmDH8R3Wd7G+1ZOlJKygVpwEvhz2pDIKSqab1bY6+70jc7iyr5LNdH2Wy8JB/f1OgoqTiz6HW2W7x7YdnIJ6xsT9x0qMiSDQ0nlZMZvyyUi0l1mzZZth4neRtgo4Qy64fJAXqBa48O4Zby9WWc1bXovB0URqTV35IORgdp1o+IdDXWwIx7AQJGKY1Ftsy3DZtEkolEFr6J3l0NHkodJvmpOgDfBgr4rcDqgAH/kSRtdoaXJtDv/U6BA2mWxHG9UkAsr3bA3tIed9lBi8cHfSvQI/YYr9QsFlBsWjBDzq/qFFSaahU4I+lQiqG8U6LtI9Z46OpBkYPd8BhfohhQaw1yu5CUau7XJVvt+PQVuwY6PTRVXURtQy4CYBwNxWpNlJrjkfDnv8Un9KUEUjZBqzPHAw6BttCBZRDodSY8kSnmgll6yP0TsD+xGXmhVhDCrYq1Ge9flNuFPx8s7qk0URAF9SYWl65XmrM+n42kxr3HP1/e8fVCSzrr2PqNMe+XVMACsBpi9ygpJs8XbnfTZrSm6CtX5CNRPmyuIuXsF8BsllbQ+A+Hw+QD+c30ZBYaCXgQJZLYKN4xxWKkxZgpduWyWrCR48r/W/hQ7YijUXnoDhihmFrjFBOIqSdX6pKCn7UndYYJL6orc4kIoFmLW/0+Js6Lu8SPveqaasI1ceFEKshQFwHPH/QSLeJJQC/sZ9Te5ac/Z+9RZFLbRwGm4RMS9wBKxv2SryjUsG49IcjVYECeIwwsQ7tqq+mpLOIHw4luS1RNGrVZR7EiIVlNX50vkQu/v7g2nuzdobrM/UlG8kLcu0TeWVT3h1lBb9uiL6xbMjtJVEHnmtY5Gff9tEOvQ7fA3AQTNL+iSaSvWxvuZx3N3as+7+YKLEzsfU/nuoH7dE95RwxANS5IKdJeLy0W0atZElKxTAj/va/ayFkcPgYz8BLkdUUflNy3G5589pToi1DsVrY4a/HNWFLDyMuU7i9o01xoTgVH/fmLV1QvTvRAb6cMsWl2NiGPV4/8vht6eZCSvjNzTG7i3mIKfj3IiMItX0cJuCl5hUqdxvDCET3xCiiAUJcux1NrnJ1s7MAWDxaOXjULOKSLvRjRarRSD/fukEcMdosYljzedjezE5F1vWakqhS6vxw0SCmblUS96drXwQcoxF9BN9w9gKTWN7UD0YXJ1AD4/3Gk0+9ZFgh2w5hp9yR8Cs7IqM6U6b30LGKv1fGSpyJdr4Y9cyJsBdaXvJeTVSm7O0kIwNhZqIi8+q379EAyffbsIAhWKDMNBeqDCWCPC0/n6Mfhm4cHdASOmT2FdWzUGh46RggoeNku3pOpRE2NJQzSjxX57tk0bpUjSm337enkksydKmeXs0G9K2YRiW1fJ7gB0psBt784MRGQ4HJxdix5ZMYvW1jRUseOOBcEixJHAhcyTGjP7Oi22se1D6+r6RpWvokXnPpG4wRE/FWE4abghWVZeLwU9tXhkRirkXnM68pDJ7gXfAYvlXMHC+wLE3Pz7e9tx5Njp8h9WUk/m/ZwjmI8vOn1sf5emYHZAWTgEFnHUg4oIMg2Tq1g+lgE7dpk9SFK7z4imXgEHusrW+ihJsttqs274qGjQmytlJVEDBe2Sh9c8fik23pWSWusruNk9aKoQbIfkksh1PaasbhfGedhzbK4GzAV501KsxWl7b/d7jChH3DeNMMakqFLPF0D5jjpOy1jwtlDDnI9yxgqwXoJLOfE20fMBx1aq00sOqM4S3oBtAFSleKM6vbQOTbUencR/mL0N3mGS3xGJAYwr9rcPluEMMgmt9EW1SaZ/hJpQzf4Pt+uUYgaSER9YBTxmfbYNp0z5OGpZrowpH2Hz+qGWJYnf0PTQ51PCIKyszUUlsdcGsUKK6mm9G+Lp+3CAQbiufCJsCHc6MNUlupsOk8pOl5tawvEGvnkm33+SXa/SFlaklJJBKDcPtxnyqLKnnQImpuv83ttF81RfVLZRJ9+fiHA1+sI6R+dp4PqDVAg4I+FR1DeldyMf7PGMioTYB9dlf/tCHN/EwpFIiUKjUtAbpvVO/nyTcZL587gehnB2Z5uGZRcTHURKuXhj0O4Tp5dL8oIs0GsrT69Uz3MXiKN7N+mY081K8ZPPeMCbswpJ8GC2SJOTEBF5c1xI3EFvGdnrxOPgHmvkgYux0jjFhFfqLdD8IR3KTyf+lOtYNYRhkcdBE/55OJqU8/2ERrYvFR2FTMa9qB3H2uqs4wa8d4nXYl7s2ehnbSirTddxBEug9SIdfbkfLWgcbDbdvvKsK0sRfFo9cU0hn72PYPxU+2YQ/OD8Fu4BnCy7H+7A9I9DJUC4waHQTbeyvhWHIkc6oXp+aqjMGt6G3Np9dbCUYbDLNlZ2A5XkQ70LUXbsiN/dLwvK3mMXEOLfj2oHRS2XbfLWsxQQLt5IE0x39FLEt0QPUP66c9iLXXr5tjOzNFfo1wQepn8YjPGvz/ayB1EC0Q3NbAzpON5bZhwS3RlIlMVsWUn5h5UEUnEdlGkH3m9YD45EoJE9KlNebgrZdcj1OgghprdiDol04Sb+mgAIYITGZkXVeiQHKNtYz5klna/+T0Eoc4oSTDbLoKJXJD2uG5chEzgDRc574RWyS7s11LDKH/KlE7O+r0f6aefW+FLwj9rrI+DMwOqvs2XnZDM2cqOfMHmd1GQwK7pvIXP5KycBqfbZxRLEYLusZOpOAnrRLEYrIwgsU607bU+BUMxWLTAolZGrEQONvC5jnoSUqbk83uBdFfHsO/W5w8cZ88pTND7/jaCYlBQou3aM7u8clrmWDB1y7SS37hxMPlkIpYZfv9Yq+SebZUib1qMLUM1aUjFI/qzyi+M+RTpYuBAObe2r4yM60BlBFABrV3VzSU1LwwdHEm2M2vUkuFhhtvnZFVay/obPjwJX2JfcUKUM8v53rq6X7hXVnocXkeFHMwInWWcBCf+2JNY/qR0rQyBN5aGDHITLI9CDconvZ25aDCXVENrKB8fQxPa2GcEvIiw5GOp5Xa4Np5OMA2ACsd719s803/jvbIOAvtvbqrJ49dmYxVMLWDB6NizABv2mioAKJtVE4PDKA1eOFlPIWSeIs8xzk+4GMO5Nu4Y/HH9eTbyGpA3SmWgyR7c3Bt+pukp7WvY+z2SBgCUMC0yA0CLrmlX9/IISdowQGg614Sm+9MNx3DvkNzpnDx63vGVrUVSFvvmQjcX/W4B9Nfhp616kdbk1GKjuyWdICDx6+oJJ1kSO/U4Y6NGrbE3GiSMVu+VWggq0qyZtGoVFoljh22mlOV1RKi0PSqATNE6rBcX/hyfiDg0/0NPU33mmH6bI097Pf54k1XFyIPMXKGRf87qULqPRF1qyGC3cNsGdSDWuQPQlZfCkDZUsn9NlEyPu+PHAFkfHGXxzkcXyfkrXbltaZ2sAUfWBPCw8JRHSdFfgBEglsuKgJpVDmCS4xLQRbbUwGGqFyKWCVEcC8gVmmwsp1fD/FK7iz7knhLZGa+WENMvSPXI3n8fCLCiwaH80ErKvEMdWNBfHSh7TmyL0qgspo8ikkvfzIF7p3xb8LOBA8/WYc91UCE9hLHQSSs16qKkfjtc4SO6HrE/fhp6TPVdKbOHbwY3CIs5l7wZW52ZgyXZewQvIBCKmr/HS+R0/SyWKHHRKJ5FLf7xiAgSgK9PBTLx44J+0wyIJ5RiBGcHbJ8r2xByQDYSz+DiIeDOPcfLT4aVbD/1HrklPaOnj861IX+Bu90w6ZYD5Wng2u4aYw1s2gUcuJROBEF0JtZiAEZNRSN1RlUKUnWS4N2eim1jIXfCMv9UqoNYjzrdC8HszqCJy25udabmHDhnOLvvWEfdrF5WF1/CsDN6mwGn6oz3zR9vZiliZwuiId7irDVTdyAwapVoWkzpks6GsEilPtXSiKyYfCkfY9ZZhezEh1AOLNC/ep/xmf/D80gI+f0huSDdQTbID+fC/gOWKxxtnjInp5S7MZlFXEbZXg3rooeqdb2b1m3/GUQvRh0PMyEV04VhUnANhFyidt8Uge5FmAZVWs5eA/RRLB0mWOTa/UTu6GYOeCRgLC5DRaxTrc+h3lBiTw5j5f1Qi/OOhJTpCRmLldZpfkMha9pgBuSaqs4e7rzXpTy+/zRPr5cINi8bgOdVWiP3QLuPNyWmisqiBZpvMtYLGFOay/Eag6KpEPYlixZmWsRBRdmzBFlUsDBxv6islJBiNQG2io033VHkkSiSZdRPwZdpFmsrpk/YugjQpFm2tMXQWAooFBVYMI6I+C9HAVioaFo8sVUJaz9emFS5FPGkiErpMKB3jSx+cDsyrkYAgjIHNNwwQC7MzjNbDHaI8PwYaBKHh4Agxv3W+juTUNNGQ+/t/BfSZ8Q/Lbrz2/XinOosi331DQx21BabGviYFmWfdMIGCYqj1OP7UKDjmJTgRWYEcnso12grmgD1DFuZ5H1Lq9/wguOUoQCu3Wn/GGtqSMJtcV9X+6dfEPVfAjhy9tJoVYXc8/zAIbcdZDZ0eM7X3XGOuBftam0KdLN2wqBdgAXb64OQ8k5ydDvjsKgD9LyW71ilhIEeZDgHid6lIZ968prkMO2Aqj77y/9Ds51ilZFDh8QkOF7gf/8LaeY4TzVqIDOZ6Ey4yr4PKHHhBL9OO53sM25OSVQ62RsZ5rjBbmABhw8cRT41c82B6LH7uOZb179bjvcV4cvu2XiOqwJLg4l2r4U/DoQEOZnw+bGzaWJKPUgu3ZIyYpU+9p2pr1MqOj82p8GK8Dc4RAJUOQmJx8I0jiFETCkeCD2xBDVLmO2WMdDs5KxVxBKGkJuv7rYrNeJou0h/SW+E6uN7XJLzkzdxLpuiLpox6xoWBA55hURFWB1v86Y9SERzqtl7tpZeO6axEvG+iC/kP2Uc3bbD34rt+pWxjDPUiMxerf1pTXH96cYatiWImhRigxB44UImu2XvW0rgzSpdw2Mrm5ikqINvCH7E531PowMtiInSFLKnBKdKITvl+CApyYQRGQ4i78gDnMAyIn+Nmpv842LPCiOeRvhcG7SfL1fswwmqClO+VF/vvSBQ9tNHk/UYUA+bpWYHGrcl2seE2BwVe2xoIkQXrCH+w2yuFcvjKQ1OIY9tDC1bz2421Fk1trd2WBMUSq5wmet8BPzhhO33OHeCXMfKMR85CBUYVEXPUbrlzhxvpIOb15Rx3ZpTKogUrD81lnfLASMj8SItEJeFMqOe+gdaPVtjL98SN1MP2sUN/zT8oLLOUubQ/o0JicPvwmuMfzX/7RIvRGF3/QmdoKgkTT45JooAfrPUcfZmWqzXTmZmGYAvzfti5+pqPuFCqEKeMiEHwQuY/uoPZOzQpRDvu2/7fPBAmmDESo+4EKCD03UBXXOzl5SUjd7DHUOjIdIXvUVjZ5bR3g5t01UL41yWy3+iGg+Jd5qXYW7sAgWjryVT4KtVmbLSNXmZDcJyy4bZKqVxUq3t3YB59LfS0xdixMB3lZEFswiZSTunvl2M7FgSzkmn40e7+IKGXBhZMpzTSt207Ob8nlxqKUCFLFDu/7fE4fB/KrCTfz2KmAhNj+qNKT7xLmIt1kBvHteJMopxVSGyV6ptTU5DXnp41d50WXn6QVXdV2cOqZ7gMBhe4nM40TPp0bL8YfQQKfRuQ7U1eLjYrc8Bb/7Hi6pY1kbBIBKYl2XND9H1C0+xz192Rv1uJ5hJMXoFsHK5HyCqWinJZwW6IDFEdwWeL6wnXT0w6D6zpQGGJyq/Hb7wiuivfyzeRzg0D7UxrRPgc41YuDSTcSd5sNX/gmR2qwkTtcP3u7tnemcbfyZ8zjBr2FWpPB/hGm9cVITLfgxfJkEM6yk8oJybsh20h3Nmb5atHOij4jGQ5XYnXyS/5vl3TDSiwJh5BUen61sHW0kGd8XHDcGkTB4IJLrB/SxTofvwu0hKPDhjAKOorDWFao1pGppEQC+9oqI4T/H+mwWtEYmN73UtPLiH3HgIdPa9STCy3SmbzoPjm8ySFu1Qs6Ir8bJan0GsI+2nz4f9Tt8+uLtKaXdAzlfSZbviVbceoiBWG0zSA53lYq8zRsZM88cLkL/LzGaEeBWegRbnkgEy9fNpeSpggyFHap6EZht/XsokN0UKkYUs30eYJ0wOmx7Gb7F9fvd5h7Atmt0CfrZ2IYkkKFr2f+Y193BOWe6hcqPAi24mnp7soN4Syqy9Q73OYhT74qcqqOusgysTOquKUmoefuyOeO1tWbmG7Gx6/K8fjQxMLKRRThVZYQzIC+X1eW7E6fKv+G4htYsmAFQZJT8Iuu95VTXJSg9XAd+sVdadzvsZsvVucVvDlVCpyFm0ID9Y/GXuUaV4pZI7Exvk/2IijKU7tBn61IGyFhbOZBkG6Y9Z6h35M9E+DtAFzwYzsH2wjqhhsEo3nCDSDHmFfIF9MS6FQg5xVfU1wiDcSuPW9+viYlHIP5VCB7GYVJRCIsh4cNbtvR01OG7ceEl91g93aDcdmM5xVQnfJHv0AApiWsoofByq1aEvzxcrHi5TWOhY1ydcBSt4TG9r9WVHl3dmDfGSOXEPxB6/v3whv2irpdLfJe8uG0Rey+u5J6uS5DfmbWlDpnonLyF5tqhgRtoKumOXngO9tExb/lBmaMhYuDItNmMoiurr/SVj9RgmIGO7UWXGuzFV2FRKkErJEr7rGIVOoW36IHEZTKftCyxTOsTNE5zCs2Jt34uZy2ao6xKzSxs0uYK7dMGZd7vh12uRcPNKNwFawuWWmhii/DT4g4dE9p3Jett9VMoJy6dU8qsi8leGOQGgAz4D60h9clZ3Q6EVFDAhoZMV5pj6i9lRT5gzISAbuZu0VoxHB8keqbkl6qW+7ybnbf2XB/pFn/lLMZ4TV6WIpvWpWblEuvNvx6EyASqaDegIocfNidGjDpf5SSQLE8x0rpXwRdo3fft3UX7D2PYP5xaSC+OazPKDruUPLUm03VSW0u83iCtNK/ZoPZyMfJ4h8TYFwA/AOwu6wtdoDDgoNAeVGVAXNYyABGzL/W/+ikS8ena3OI3HgtoTthq3DGQTSnY+ZpecT9JgAIQPJEcNQ8/U/kGesMfFDcIRMi7dIGzeO2OrnkLq7YTH9XnCek32vxERA1eGNYLnFOk7x0QdoaX2Zx/6bB7vlxERPWWRAmQNZQqnuRxeFJVVjvihkjClxBGow3gQvFhkY/tthyLLPHgBfUYkJn+n9CPab7mQqOwDWk67+7xg995EGIfqy0wF8a0lhN7cKeZwufA1wz4O1p8xFo8WNS8n1IoqOR2N14rJH+1mKnlb84IluELkFC3fnLdWt8skYO70zHu7i68x8XMa+fOwfL8dzjK0WOqJVrcfLb3v2CeIi0wGIB4lG2q5WW6ZIX+gzuMoyC5G0ekGQp5yv7c0wRoe5wW3+OjSWxbHgF+r4oZBtFw0Xj2bITfoHXCwffzPgZkz1n+UY0SBsLZvRdE8caqgY4T6cUG+IjBnTsrz4I88xM2gFd4LZYkEllLupL7cOPJCwZjD+7IbRAGg6nbovYvpPc091QpitaeDUeBWFdAptADzPRtHRAeVP+z62osdYIfWxTgwQbwRBWsw0vED0BxfPk+4yZnRR7hMcw5IfBr2naheqgrFbBRcqUzMXJAt4OW8BUOtQbG0f8k9xNCM+9k49jBY5sDWjc+Qm6eZBNwvOD5PnSOx/b/EAKBtdaLqrv6dTxdatkgQ3WOO6wTsGQXZSUfaD2HOmzAc3wAKn5zmrOvuPMVPpozUzt40yv8yjWCEtiipWRBnHB6q3mDiPAWdL3NoRoHoqWg==,iv:Qiz6TjCl1p2o9SRtkftm6VEEK2VT8xTH5LKRalzVNSU=,tag:O1ocNXq7gPnaIWbw5R31Qg==,type:str]",
 						"deletion_time": "",
-						"destroyed": "ENC[AES256_GCM,data:dw2NDNk=,iv:D5gMDiM36Opob0MmJxMc2b3eV0suYnu5fk/lF6D+A6E=,tag:ANDUrBA3uupmH6P3lLFCpg==,type:bool]",
-						"id": "ENC[AES256_GCM,data:MgaGI/+XgBwD3iAEKfEfcmo+R+s=,iv:jNPhVSKt7NnMq+rzDbSwl8eNoNrCq1ECPzoFkc6YyyI=,tag:1hNddpLZq+esc1nGWNtKjg==,type:str]",
-						"mount": "ENC[AES256_GCM,data:mHUQn2WM,iv:ZD44lGb9HyDYuUHeQXQGiT6fKm3TT2d+Wgq/28K+JYQ=,tag:MbKoi5GMTaT6nqJ/BX+eZQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:cWUge/UR57o=,iv:Hm7LzqfY5FjzOgLggow7gJy0r95fGELLFxURFRgifyM=,tag:LTjhFFuez74MvfrGCC9PaQ==,type:str]",
+						"destroyed": "ENC[AES256_GCM,data:vT9TQHk=,iv:gdISDAmTiJUEUpbyqnaiiM8Sog9SBjP/n4GihdJEcJk=,tag:ZFu0BwN66RBEKYFIDrezuw==,type:bool]",
+						"id": "ENC[AES256_GCM,data:o/ZmOhpAg762XtuUeiusrNEX4yw=,iv:ZloGhcGdiPlH7SMr0PWPOdVthIjH8aNDF7WJfdhd+IM=,tag:o1xxdNz+vWln1/DcF+kYVg==,type:str]",
+						"mount": "ENC[AES256_GCM,data:6gz1SGaf,iv:RolZ4gdmp/rSKsFMI+CUUz+Zlmv0p1d7BRPuWH1nfwQ=,tag:Ozav6418J0Cy5PRmByPRXg==,type:str]",
+						"name": "ENC[AES256_GCM,data:zIF2eaQxlWI=,iv:tBX8mEBgqrnmxNz78xp8tAwR44Pt3aI1o0acjnJOarI=,tag:36neskhTp4mFOfhP6b17og==,type:str]",
 						"namespace": null,
-						"path": "ENC[AES256_GCM,data:AzCjYfMAOrsdkOzZEHU2jBPjBj8=,iv:tIkqAsfXeYN7GcOy17tLmlcW2XMa4WFsIKlBtVKKYYo=,tag:5/DQHYzORWBaYxPluvwPbg==,type:str]",
-						"version": "ENC[AES256_GCM,data:qzI=,iv:VahOhZ04vdVn0aloXJWO9xozY2im423/yZ/TNkFYkAE=,tag:bf8zcbKCXDNop7WuoQV03Q==,type:float]"
+						"path": "ENC[AES256_GCM,data:drwDt8VwOS1nVcMSc+0w0Qcn7Wc=,iv:JgdX0O79eNqfUgx/ZlPHJY9cPv6wLFhKkAj5Lyn6UUc=,tag:2+TGOftidlIPCSlEaYq5zA==,type:str]",
+						"version": "ENC[AES256_GCM,data:0AU=,iv:ISIGnSKWTneekcO1Vh829MLBPT41tE7Se6wgUKtvhJg=,tag:1IHWSb+1dKJgqpCBmPrZZw==,type:float]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:fWni+/W6+4s=,iv:L9oEpVdmMeU2X/IRUcIpvTWfs7mg8XPfPf/J84/RmDI=,tag:QyY7nxYq2fWuulxp0PhI6g==,type:str]",
-								"value": "ENC[AES256_GCM,data:jbS5pw==,iv:qFJA1o2hfzMZ2cLfnxnIKQvuvusrS7k+0ihV+UiHwGw=,tag:Z0cWkGQuG585hMvhzas5wg==,type:str]"
+								"type": "ENC[AES256_GCM,data:nheVDEU5Noc=,iv:umL4EVbea8Ji9HTS4h2SfvQ3D8NhYIHVcz/efbGQL1U=,tag:obcRMvBZz6lpHL+hL5HQxg==,type:str]",
+								"value": "ENC[AES256_GCM,data:S9VjKg==,iv:TCjL6CYsxO2kiECfcdeMD4jLZH2u4iIWz5gH/X3qRlI=,tag:uyQRrq0eGEdbf5+EbASA0g==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:rhFUPrbqQQc=,iv:kYZ7hmEvPli4uRIHiCQUl28IqKe58pPhHIx+8zWi0o8=,tag:OxDNLKt+3Ft0YDnDAOmoFg==,type:str]",
-								"value": "ENC[AES256_GCM,data:FEGs/wPv366V,iv:lFER+0lai8uSfKNfenI6bYzc7sOPTUDGOVpW61mGjxo=,tag:udezizxGB4a1QLakJbEMUQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:OYqip4szybI=,iv:xTXC8NuuYQFoXu3lSdVBBudT65p8FqpoDWCHDgrHYfE=,tag:Mfu5XLWmJmVUSL3kcRjFdw==,type:str]",
+								"value": "ENC[AES256_GCM,data:X9gNzU0oaYc0,iv:ZOufUsgcb4okPuAiA6a5zvh6DiMgrcLjXlEvMW3T/k4=,tag:w9XY+XWOnAO5IbenUhnMTw==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:JQ==,iv:ctgLnmF/HuYsw6qUVHYYdKqDRQmZXGgAizdJxr9iXPA=,tag:lGgKN2QlX8tzmKdZooNwZA==,type:float]"
+					"identity_schema_version": "ENC[AES256_GCM,data:5w==,iv:/6tSdR12rBkuYcrAhWOl27XTcMBhqYvHqp0PaWBKu3U=,tag:VByJso2sArAWdmGqctqvHQ==,type:float]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:1BQQyQ==,iv:TGyjNRNwFB0UzT61mRUrTq+dOUZ26Gyt3Dt0bzdRCIA=,tag:bFX7Zq3VDMhwP84VE7dmgQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:tYdd7KssJEdo3D1al59LPMib,iv:1VR/eXNnUzW0kZZR+yfooQaHjhPlzy6s02APSCAvhDc=,tag:r2wCyQy5wnAzhuFxrDm2YQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:KlPKl2JetRt5JQ==,iv:DRtkBubjszldvaakxzSlspuJlMx8H5k5tMqVho2iuuQ=,tag:PQdI1nUlZ1i/z7EXtTSIsA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:qd0XoHEfKnVMjcbI2SufydSgV2rFhJtUP0YLUM10lDEutnbLHn4k99xTogkGhjcl6g==,iv:L7uSaZfVOOO5gihhQYfwJPhTLuK7XZ6L3teg9G3Aehw=,tag:dSoUJx88HcEcFYFFJvOH/g==,type:str]",
+			"mode": "ENC[AES256_GCM,data:5yPZzg==,iv:4pshhwVMUh+iB3ZXvsxGuPCx0E/zXYrf3w1VY2Y0iYY=,tag:8EdtZGZBgaumwSUNjNvSRg==,type:str]",
+			"type": "ENC[AES256_GCM,data:+BkCkwLYgsBV+4s7C5mUCvdc,iv:S2pVmleDiXctJ6GmxfVaKpp0G0+NQVJK8Z4ws5KPXxo=,tag:9BR65HsmjJzSp3SDMDGzOA==,type:str]",
+			"name": "ENC[AES256_GCM,data:7ldfDyYGn3oLoQ==,iv:D6ZdiOHB/MNBRUKcYGSlPw1cHUqhHpSdR1VDOd6kA3E=,tag:0dYvA3pmBSeIODkl4zJy4Q==,type:str]",
+			"provider": "ENC[AES256_GCM,data:Ki78YJqRHxl8lt0ALvhchbW54yYvu2QgLFFCiwRVztuFaUPHe7D71UBcSY/0P/kAcg==,iv:QqeS0Ek+EKnI6MWE38aeYdCOvX9yodoZbNOnnEvXbro=,tag:wxbor+2zj+8+iWI5+W7RUQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:/A==,iv:LV36/IHmmgHX5qbmdkomkHUvZZl8le9WkBddK/mBgLM=,tag:vb9nwBPDeI9vioLi4OlF0w==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:7A==,iv:ROdn/eBnm+DGB1WUHRL+UpEinomkZc2m8+aTUsN7DE4=,tag:t9w4KcBatqAyum+tlPH94A==,type:float]",
 					"attributes": {
-						"created_time": "ENC[AES256_GCM,data:IB32+5gtjAdczIluhghWlkCOosZVaLZnleKy3MA2,iv:IoBZHTeM0RWWhFOtcwDzVlweMS0Zjsi7yTKyF6nvxxQ=,tag:zIJm3+DDIBN/Qvpec3WKFg==,type:str]",
+						"created_time": "ENC[AES256_GCM,data:oT2AWGBQwrL/vNUikX/BEj86RcJqR2GYK+10E9Qd,iv:kfRDu9erxT99/v2w4kDVQPqxNVcWRh6iJDlkhkEOs1A=,tag:yNNIeX36tb4h1NM7OpMi2A==,type:str]",
 						"custom_metadata": null,
 						"data": {
-							"affine_postgresql_password": "ENC[AES256_GCM,data:B7mLZ1IifnX7osK5lfBQz2AO4Vw=,iv:DlkjZm67ExAKS2UCJzcgu0AZ80pA+FHQ8AJnr4BRJUQ=,tag:+ZfHKQfZbKcU7wBJAvBMiw==,type:str]",
-							"aiostreams_database_connection_string": "ENC[AES256_GCM,data:ZRaCvJG0HQ6iuT5KwLHy6/EAobr63Hlo+uZbxzvWKwlM+YY+f2saN2t1q3OYIDBDQ9OnvG+k5DKOl8Okb4mKKlDFCgQL9INk0rhKKxRdVgBXCyldvaETrA==,iv:2tPmgoBBNyWQFmnd4oFk3nKBpI7dWrWfVwN4zkvrquU=,tag:BXH2oGgI6BOrU9gK+nYNmA==,type:str]",
-							"aiostreams_password": "ENC[AES256_GCM,data:2Zu1NCcia6+8wa6gS6f+Bk/Za5Q=,iv:vl6KYa9coiAN0aOfxRsAD4oNKTvGrZd47tacMbsUXSA=,tag:wJEP4sE5TSX63DOM3/rqjg==,type:str]",
-							"aiostreams_uuid": "ENC[AES256_GCM,data:pV7vwWyXInqbyeZ4dbLA5MnZaOl4j0K44ZSWD0asiCPzvMs1,iv:bVCXzDr2MuHJu4TuR5pQZjigb5NXh+u1b7vPM5wbDKM=,tag:sC13yth4/JMlVFZW0eLp+Q==,type:str]",
-							"alertmanager_account_password": "ENC[AES256_GCM,data:E00fT3kDcRAArKCiRXbfnWsnu8o=,iv:tP4eSqu4WYxlNOGctKakMjVeQiJLdH75mXV2hg9ZVQs=,tag:mTfc14MqyBh2RS79fCP7Pw==,type:str]",
-							"alertmanager_slack_api_url": "ENC[AES256_GCM,data:RGls1j/7xhNG+Hdc9VfCp8DD+hNf6GV6jYk7junGCMg6228zYVF1QIUBIK5LHhtEUcSVmWGlLVPHJcZuFO+ZOr9DZMQEayYAFmfUWgvxIOiR,iv:x/K4dBa4/x0QvslItTibVJjJJfrWC5yKWEWnJ3eZwJs=,tag:7yOiAKxRYSiKdoZ8cemvRg==,type:str]",
-							"anubis_ed25519_key": "ENC[AES256_GCM,data:zsBAtMxUrVnZDjYoY+BKJztaKu+VBvASRrO/TvemNTX6b1TKO7jnFtnC1ByArEb1MbMy43+PIIYhTSLK5nqPZQ==,iv:PhQAjnJei78NAu0uvvTr0y1maeBKC0d6HcYocEs0J28=,tag:xBPUjsIhghrj4MILp9AnmA==,type:str]",
-							"auth_fallback_htpasswd": "ENC[AES256_GCM,data:GJF8+lBnJNyoFA+CvLuB+HqA+4S7H6JvH+Vv2fnJHnzMqIr8ZEadLkptSdfsjEYT7p5KnL9HKqqYodCAQ5/rrGrJ,iv:a2W2jIc2II1uSJaSiKVxHFjq9RThWjCuj+k2mY9nQV4=,tag:tmfpaYlZ04XxDpp5YRQG+A==,type:str]",
-							"authentik_api_token": "ENC[AES256_GCM,data:LAPjfw3OEeLrdKcifSnnMGJetmtH/DxlGbTWNsQt/0BO9DkkLxhy7rD9+VI1t7B4G2uq0WtXeDz2v8hD,iv:8RE36/rzwFsTXVq3LRYv4rE4ib+Y9RrjfktL5tWZKVE=,tag:ExltMt1OWm0MARlGwYxcmg==,type:str]",
-							"authentik_postgres_password": "ENC[AES256_GCM,data:niu8vOo+AP0Z6zeLI2Xs0g==,iv:VO2ce96QfgWXVgqD4+BU/N8/cxQ5f/78CbwhTlInTMU=,tag:wYSiyCO/o8YT+rhxxIxgZw==,type:str]",
-							"authentik_secret_key": "ENC[AES256_GCM,data:YFbxsmOTy1vL8I0myyfWt/QsaPumYZRxwBLxXTflV1RgvL0qQvXLopardAd8K9Y66FjI,iv:2iqkClP0TmDxdWC4MZsIEgLn5oLetngJrzNA9PbPV0I=,tag:TjCSs2b5+za+dhalrmB5Zg==,type:str]",
-							"bind_db_viktorbarzin_lan": "ENC[AES256_GCM,data:qOibZ2y/w5RBu+Alb3h7sZ5Pmko/r/5FmP3yyFdjaGoCogA/qudxp/O9hI5MSompi5Nl/kCKXXiYdO1/HBxl4RQpWS5X/7DYBrP3Bd4sbWbubZlPFzuLTPwg8rY8mAG8PEhHoaB93++GKy6Jgq21mfJfUHT5p8E6gbama2bCCgpHmg0q7HQ/qB8PHyUZdHCg4s3S1mLR1cOAc1fXv1sLQkriLLek8pADLO23KfjckXcjK9gV+kgx1euaahd3Syy8SxJBHOnyL+8oSnWFqohzXK0hyFktwBZxvrSzOcFKIYtIUxy9JDMZqo8FSM5zj+LFq8yZFufpHnE7Sbt6gPBmdp3JAfp4Gzx5Ryi043ctTIoE1VMyb6zhrwQfZsoKvG1SDU1LehNUmtCwrLbWxu+/GCAm9OH6HEszNFH7ffnptlvK1FAg9C9OachnA1m3qkt9o/YDSfPUz521NBLQJJZ/sRhvzK4gepLNAMmwEgNAIkpTRR9rdAfFoVv9NApyfPg2gw7qW4Ul7yWM+CvcTpUvaJzaNF177my6uG1WLnQ6ByOSv4YYzIoihycBCuHjHPJUvuir33FekRQixchxK0QhXtPqK8CTgvfoCgc5tyxqK+phsavG663W/fj1aWninVVGtLUkdVzGoZpn6kwgJqr672VeITzmh4C+W+emzdU8Wf6wxU1w4SWbC5c1Usf9viYiQoCI7birxTkb+6Fpj3HbAWKPMyXu1k1Jrkvb9edAFsFed22FTR/GvyFCcMfErdKXDzjOVxS1nIUNzAbDyj9cOepA1mPLdH0YrigdA/kDBRvj1nl5Nl8skd9Z6A5V3KZ2RXtQ8/2dgnDOItdA0XMO76Sv9fkxLEg1ZZ+9kC0ZeF2TtCKuWC9H0UHDjvusxT8bRAQRs5ZA0P3qZ66iwg2LuKZQ0Fvr6wtF4BnjG7W+ic0526SNvNAzTIJoqCTuZwhK6xh0htIlwBH2xzJ8B+RN5PXYMyuBOF5Sx4Z7Kx7Z8+LZtJ6QKP4ZO9W8Snka9kF2GT9tng8NAmDbJU+x5dNfBACsrwp8P5l46m9pP2VsCVVw/+wkWwz9ceW7TOXxC+1ETZwsQkFr3L4rqNZ+Gkyjb0ib1RVHleBS148VivGjtCksC68SVCVt6o84HFGsk3UIsphJjeYSuJL2RO8bTzyOEWzX0bwsXTz5dQKENrCuXGKtZGWjRYqaQV7GsH3RVz77BFwfVFWEUUZ4cLICvSRbqx06uhab9w20kgRVF6K5lHIJHf6Bp0yoaYVTyZf6HodZ9SfZ,iv:/pii/lw3eWVVGAHa8a0ahvh5IRC0w/MkhvKNBG8oIwg=,tag:elFdk/hbGGqYnTWrpS8QDw==,type:str]",
-							"bind_db_viktorbarzin_me": "ENC[AES256_GCM,data:oivgS0VNScgyCuq3zpwZwlYrArvJHmpljvnjx3B0tG8hgLtEkxwBgY10r44B/X7G6I9wWmfrU4Aum+xDiY8G3s5QT5zRY++WpLW7OJYpMqbrPHQIb/D9oFWdgLE6osMhVLEduLIPAVWmzBEidfG5pdX0SjI19933QjOrNH4XX5qtlAMS9jkBRhYc1iGnjhHCW016GTEtcQRQxmz/8FB/aECf+cyt39Ui8R5yKoqJdVMBPV7N4WW6YU3TvtGLzGb9ecgMqDAMUMGM4n9Iffkt3zf0SuApweMgoCjD13eq4zW4r7LuGxC0oGtJAjvYkj3e86y5ns98fSRbGIkWq1w+cam88eXmb/mYhVgEBBVFesLsZUpg+Ofxjug8mErUOXY3e/0mzaKa+HJDCEMw46Xm5z8P6gyGb61O+HaNStNU+u0vIHU07sbMWhI0iAtXsb5ns1kyQpTtqgPZuy06GbupthKArdOE+/h/rDmeTEFvirEPU83uc3IysIKGzbh99ihJkOaAdK/T2LaWzDMvxGaBvllIB5jMcAjE5uJc4MvUzcj/uPhoGydS4j9TutMAkUQyIbIVdVuzOkK6UNu0vxT0cjzHFYG+3z0CQhfxGGhGZu+NgtiR/3eACjtAqnusC9/wwN7k2MSVDkGpKH1/gx/4TWBboeVGITySsTHmYGK+dVqP85cZ+1JBd4trD4vyZgqRoz715FWoyGfbnCg4GfPRW/EZL548k8puR0Bc9zN4t+utkjvqqh98nTFz0WsNAzdGjBbk0tMxxodDlsQWo4/wqNpmMIUL//dddcGFofy4QhM708wqbmqrNgs1/ZLojUYQQ+mXfHD0Hq5bCyCefnMlgKhUrsh42CNvxfrDkVS0ak8bTv+KOFhADoCw5JJa+8j/6KzRT1BdBmsbvE9yU5MAv9eJnzbdZKynSPJtUjC5nrZO5mpbK2kHj7tWMIp3cbmnDZuL2uz+MducsbL1KTimtH8IW+GVmD4Qpv+3l3qwxMAmbYaYV+yVF/MN3O3WyeSIl1QIQBGK0ddAE3LZOPM+ozAw0Pk1lw7XuZx+7ikyr0cvQwm0eFWXPehNN+7aNBqpVaLCVAM1uXIfVaL357YartGLR9tH1zvhk2tF+3DPCQf3D0KjLsfOnxEBESBk/EACf9ym+s2/WOQWk41yHU6IWK4otVex+vjfwTa1FBJvIFNnI2Vtyh89IVq/dIaxbTEzdnBQRhxVF9LAafCQVmZHo1u3jAKXOG3d8KiPN0FE3mNczzwDsCV9No6DM7B3OOZRBnyJHcJYIrDu/l/vHWn8fmM44lTkte0UBrCjivfKhtTzzRyAFYK1vx/csCq6321uW/bwX+8u3q56ZOYcx8nhqAZrdYKowpYIzC7TPzUKmkBD9VUHBnRgv36mpqALOFVgUY65dOwJPLmMXYxTB1x8cn49lGDrbHLTeBeaDrPEb+R5pGL8W3DccK+aauEnBwJyVdbFKvl1JHgkuchA8Eqfe4E1rSyG3+ttW/3v5zkUVGVxuJhVVBg61SokIjlCFOIfUpm5R/swV+gDOyBSg6aQwWTE+csQtC1/nMrOersniPgfjWSNxAnvQz6nlFdYV22xnzymodPdVFMA/lbkkVDDLX8xXfYkNuU4S+pGBmz6vLulu0Vrm6AWlz2/Gl30K5ZUjK2xSl7ZS7MRqKh1wMd7ONtgP4uCJE9V+UBDCIdwBP7/n0BzmPLUpClUNh+2KX4Dn1HGI88jdITS3hAKj4rMwmuwKfU4fmJLLFESJOrg1KJNESF75XFnrFut+xyHvnOiuyj6llbKLuLPiCA/Ctf3IUaAA0EmqO4wqAH4dGvsk5IwqVHXpD54ctZyNmvJJNZFaEvFwQbk+PdyXGJFaQ6Iy3F7CAqWIAsbg8nJ/Fisgzw3vCnTTorHqRvpHAu1mKmNheLF+Qvsg3o6x1quhtv+vO5z3dWYhyOArrnCRZ79loXa8xGAo2eKxOYgFXiNVt5V9Ky/EPkNUtfhZRbVvWp3VkVA84P+cPaGgOw16xki3/W+AvjF21+aFIR2et+5nQU4RzO3ATGQfQ2eUyXQEXBK8GdozJORBEbTUybxANTfeZbJ1kMUAgQiEuYrxFwWQYHQjyBYY6N70KvR7u/nX5+F2tDkveuUXW5sLEpJEVh21u3lR+BQnLFGtrBigp1mxn5c9PBDoZvlRi1tQnUAhK9EptoYYtYEesVwmF41RUdb+zEPMCeud89nGPSW5vX+D2B2InQd+gnM1T/PKbC8aBfleQSFlJws5am+Bk92d5qmNLmGj/Tc6cZwwYdwZfikR18XZQ8yuDAgn3sv8u8jkOWRkvamYx33lSpxpiSgv4OvyIk6JnIjC+ivCdCTlHGu3ZTNkOLACi5tbHChngyQg9D/0iSmlzi3bqYe46LFLPo+yOm2njugS3+YF0V+ZK7H/hqamV5pGtCA7Oiu+TfHNZTsrgZu1lH9GSSydUDXOpzq5wFvOr8Io//cfugHdresMiy3GSx6Zr1t6mjiiD7tYh0P29E+998narScqiYgfSeVyt/9HTdSYVpLCuplifs6QJ7Se/VuwFee3Hh7M7C6Q1yvbCpq+sX9X9pVd5yuRsrUb5qalUfu1ta+POvKhMjgNczbykbqxKgZIii7xP4n4qFk4ud60VPM8Wwty4cNzT2qZYh+U3YHA02md90tvzzAqNYD8cD2prX2Ym+LqjhfLwPeUaAhjO5yL8HstXPtw/OQKhgE4B1Z1FHJNHHU2JjZNGtWYQQJdJiU+HOyy6jU1C+vUU+SIwDlcPoEjr+bbu4pVjcV1exYb0T4d09/DfF1OT7dwbNBbvGTOQIUiJRC0vGhYKosYb96Fd1aGI+M8BOO0hbdZWrUUVhezjUAUB9sC+B707aj9kDeA2OhkbUP/9ZMRfbGRXlNXJn7t5WkUPouwmom/VpPtIEYVVnQ1f2b2Wff5YSDg2loYCxVD2v+z+Vak/9mR7jXLpj/K+4SNM0V+Louelyndu0Vg9sefjCcwzP4Q6wWEYfKNeHxKvBl8GLVECQxTYmDreIfKD6gBR2e9lP8rnu/fmvCl1Ot6QMxi6nlivLATmT95ahp+SM+b8cydtAxKodA40Keqr83h6BdTtz2/GhaQQ3LPY4/xDDOOT6bFFR0osGrGNS+bY2Dr7nRTJalAClCoVZEWce9+h4dyigthSqLeZUmgpOCWbLtpGYXxwyvfj/A43g8FwIB1c1BrnWI36thWsA5H+lfKS8h02FfUJbMCadxK/ddR78DlffFGmTXVIRzYqGsINHT/uIOMUczFIWJ85EFJAjVZ8jJ6LNgevbnj1UXAX5ZsBtCiUZwghutotp2DZkSUKypMLn6JqEByx0gpfc95gAwn5cPHXd9/OnqOcUBBUNeGgprdOG+Q0KpBUuK6y82GqvGClo0ieIJATJn4FG39a7QBKbTRnlEKF5kb2ms5GGJcU9MgIfQiYfjLvaAfG6D2UedgJPGSiHFjK5JxvedPvDnhVY46KVUrY4cCSLJXoRktlNkgkKFSGLCMTXemAZILuwKWXZYne0KuKR7IJh5qZqs3Vwe6V8ViNE1ZEw65cvuDzp209/LGxorFZCF4bLeoOVmOiVsQgR6+wz9aE0/uBX+/zLylVfrawxm1CUfVbidRD/v5Sjc98MvKa8hHX6Sl93uU63OUtKnbmhBiC3joMnTRrLoOA93qsmz1bbkjO1/cZc50g39EZZaPP0dSN+YVV7Ph/ll8n2k7zOw4HBjNEZcksBuac6SVT71pjGwqwR2UjE4fnDPynccwxvr9aWxDAceih+LCjRxPqlluuYa5axSOxAy9q/rUcP/9jDV/pqmk1FmhC/07bKZcQebY4Cips+TFDNPvzZRewztwHJvB0PyIZzRlPtKna3cF+C/SwNeeZZj1ahMGYCfahMxEDHA20OuD67cVS23G3uhbulBy3lrGSAb0TciXUG3fVWgHXCHWnrnLAIz3O6yNnR1amvBixeDg1W+uTM/XXi2e6lWPyEQ9ACDxijytn6bRz3m+UQe5euM7pvNhLGtPj3VjtP/4JQ/peqXKp4aLA4R8pBTFC6yqwJvuHerDaoBh7+bFcH8MiI6U3+qtBGmNvGDe+4Jjp9T8f8TEg==,iv:D6QPxZ1XSafVvGFIRLOrORnZ43b3PSaKRcgqfufj8G4=,tag:5GDyzySHdH2j6BLnKp5NFA==,type:str]",
-							"bind_named_conf_options": "ENC[AES256_GCM,data:BLeya34fJVNN++IawPvGu6DIG4719Xvn8ygYIr8dcDlPVlstK0RLUvGiRXEGrs2TCM+GySBe1gecXn1dWEnKsbx1i2Vu9PfcgzIkavVT7rfyGYU3TTOUwCZyhY6CMkQD3hT4eFMZDGOk4iknmpElCjuaLgItZsynIN1WVngL0LxN5BCbeCIsSHXu1AqhewbMQNK71BYKCCvtrRIF3krKSUv6O2VdkuFHpk2mk0Ba7fBdCMmRS/7dr1k0PSb+A+ryulsGP4ai/7RcN4gKGYS/SFUG/wPsQYuQR2mJU+7oweDocs5iw2/Tj22Z4EsH1szcKT9yTQynW3VD1PoezLJ6977mKoIQqo164/vSghQRFPvjKqRLoMU6W6/eVNL/S8zKmn17rQzaB0x5N5DxYhsoYEBlOAd9LQ0TPhmONm7izKPlk4oAdDTal7hP1OU2LYNxUxwhAswC0L/02DGI9WA9VMvGMsaNtF6CV9p9b23XlzfeGQA9L0C2TYxlIzLaBXMHm0L0NDkgNuTTsNAj1qADUmAZtE92xRWYrbOoQxThPfZ27IupSSbsLu8BmBTW9rhKn3lf2l9xCBcybM1R+cni8uERmhtxjYhmvLENJJ3vgCPFUBSQGOBR85Mv/3WirspBGqTI5CZF2LNk3x75C8JMiNuOBWoEyOj950EqeJcQpldXb8s8YUVBVSCENyF3Y953/qLkSHO0bnR4aoBJfVXUIB9h1fjPP12glsywDx42Q4UZ6xE3jurJ4RvD/VkFNSIR+o7xoJiMjigPBl4s4X33pU6sQhHLAxWnNVtFD9P+pPXTxTvkWnoKO7xo10G7SSUea8oPuCwLd+4x6DIBbKeJUWzyI/I83Mu7oT327RXSwhjpk/ep++VIFQ8osUsAnvhUfPlIayqpPtL8n8F8ILqaHubBlH/Qi8LcJcKKksJOXjFOR7yrNHoyaPwErhjndwcSq6xecoggLk1Y1pKoqnh26KRQaW5oK4V3c+92+a2lR30CHoe2O+JqWctsLq5qXEpMcb4me+wKjO3xtNjzxadKLKtB8XizLhwegNpM0M0o9JyidtJ1LpkSWjZIXDCKb5oUZcLvkRCQRwSXd1t8QfYzyXSLBlkoFdjdJ/y1QsCT8nKzQENT0HKnQh5Z0YHXeraJfa7SsRtcgOG1wEGARJi5Rj8qTKMWkWHRqmGJV/KzB35aXtEzdg4Vi2VgTR/qPO5eSbfSOTQIUMOP10zSJQFy7YWpH2h79gml7nymvIgn4U+0reSutwIIRDIACedruXwU5NkWpgWSwMavBeUf+zE6b3b9FzA6f5Znz1qC6/1saZh4VuCD8dlFPIpCSfvW4ALkKSYB+tIBaCWJt5TArw+3Ap++WEj3sP3/qCUt6xu5udtqi4SMfgnKGpjtA8rVtWbuHpaU2uzU5zTQyKz8RV20Y0Eh/s0u8458JyiWfaWCLJN74o6kKr74borgC+4RRtM2lovG93CUALzxKEswaguYx7hC6ebDoorywm0fi3QiPYiXLcNBd58zrXb2EI5f9v9gAQf3nS4TnXGhraaniKek70emgHbq,iv:pfgLSx8SIh/CCT1mQHh9Snn2lKomyeRKnadtMqDpey8=,tag:zby+tawXL5qIxEKvRdSRXA==,type:str]",
-							"brave_api_key": "ENC[AES256_GCM,data:JAjQko2oQBcsKTLg5tL/hPIIUa59ZK+bRo430RGE9A==,iv:1Z0zwVNtz+TDmDMyPNVtNwkrn40mF8iUA7NJIATiQJA=,tag:ARaIOiOnCEYN7Sg67vc3HA==,type:str]",
-							"brevo_api_key": "ENC[AES256_GCM,data:GMP4286+NncaiNVaXdSog9FqxXXOoGuqi1HB6B5yjPM+1c7pVj7lHrEvPMGHF+JZwWPIl80fd2cTwZRnJckyHOdOBK+9r662SGha5fh3kXyGFSAOj5ACrsncevDowCUmJ8YJ7nIxmLgWgEIPQvIRalOLZJpVDup/jIkMsD9TXJkOAf1NbbW654wDxlg=,iv:RKnK58JEDn7fIANfr0JPE/tvJvRnKOXhjhXOMQAJ0bk=,tag:cz6wvSVUFxYRdZ/JeBfICw==,type:str]",
-							"claude_memory_api_key": "ENC[AES256_GCM,data:aNarFrYozo8yE6GclFRVdgOczXhv+R/cgEejCjlNrhmr0riT2cG6s99Bzh0=,iv:E0sVY1PIJcw37geYYu7mToRqX5TlHBYDxmSGxA4ylK8=,tag:u6MyN5zJ5kMa7+DgVIUnmw==,type:str]",
-							"claude_memory_db_password": "ENC[AES256_GCM,data:qw4wyYUUmQmKt70tQsxf/Ps+KyLBQjHoOKscFj32bmI=,iv:33qFAcTFaE9XjgId0PswGMUkM0CevycxweGt3JOyQ0A=,tag:zmItiKexPUmM/cuZRVPy3w==,type:str]",
-							"clickhouse_password": "ENC[AES256_GCM,data:eJfP3mNfEgxy3Wm/vPk=,iv:kt2s+e1a+c20xCyPDhEL/Pni/+5/3wHNefNisV0dpUM=,tag:Y7wcvOVtva6+oKXEK6NP/Q==,type:str]",
-							"clickhouse_postgres_password": "ENC[AES256_GCM,data:aHy5FCEINvM3X0Q3kso=,iv:cYdvdqX/5hqLSctEmbgDec1sfffafbee5tbkHtMJ9Gs=,tag:SiWxra5nQUlFQ1svr3C9cQ==,type:str]",
-							"cloudflare_api_key": "ENC[AES256_GCM,data:OhwfuOW1++KmbO1xuymZ1rN0NnMCBuii7cb06+e9M57fa3v7mA==,iv:Ng1RYlrieyf6QAY6PI3Z6sn+i0HWatbnQKTtt1knGDs=,tag:Vw6eFip+Zdkxi6OCGToY8g==,type:str]",
-							"cloudflare_tunnel_token": "ENC[AES256_GCM,data:6FLhiSzLin+HyjpkFY0ZM1agyq5GAoKe39GDFKCIW06l/thFxHeSFb09R2s9s5RLFZpJdwKu0ffBOE4YNFeJoa4rQN3+P0rUretIBIoxv0eQoyzcrOqoIS6ZPEndJIKvvduGL8vVjAY9XVDj2BoX3+su9NeJn6/ge5QNRB1V+pAvC/+3Q2XQTpOaxcR/UwcVlax+6pviPsVmYMoAZU16DTJEC6OTAYBsDLIuVjPSiZPeGB/GQlZ9PA==,iv:DparvavWMTk0pXAoKmc7VvILJ2kROkzL1+u4EQ2HNME=,tag:lXLWnJ7FjyzYkJNJq+FbUA==,type:str]",
-							"coturn_turn_secret": "ENC[AES256_GCM,data:3IhY76N8EE1JPBJvTK6mgP3ZbfnqttYuzjwP7UxqqueTNQwMt8tjwjitTkRsdhIcXXwnj22kdOw4vsjVNicEmw==,iv:6DaoTAIipPaoz+tkbpMSqE1quoxLZwAOcSHH+ihYrGA=,tag:+PvgCOALdQwMWhL3C3BjxQ==,type:str]",
-							"crowdsec_dash_api_key": "ENC[AES256_GCM,data:heKgnxSVerd0px1HmjZUllHclEHlUe9rlmoLNoo8w+EC48tzA/FgCUbMnQ==,iv:9QT5H+RRdnb1PZLFTH//CqZcwridfJ8mz06gk7X9IVc=,tag:5Vz8AjTxdb3B1OTOHpx/Kw==,type:str]",
-							"crowdsec_dash_machine_id": "ENC[AES256_GCM,data:VzQl/oJj/jQaUqNjlZuPD4qxKuaoaYQQgVwjazw=,iv:ckMeyhJGTJKdTrmmbj8Q+5Sl4wsGkHoYwjNQTz3Fnfc=,tag:V8813BV5cD53gE6jsXVvEQ==,type:str]",
-							"crowdsec_dash_machine_password": "ENC[AES256_GCM,data:3d+0EPb896fSoaYSj/mJbpbK1D8/mB7VEyoE77h+LtvwF3iM+lnQxuluxMaDJlrhTBMmuBNwPAc8Qye1pyhByA==,iv:wibsUn+nsjqd1YY8duN4Y+DyflHDYZ1dWbozLjF918U=,tag:q3Le5tzfSN4gHHCENH7HEQ==,type:str]",
-							"crowdsec_db_password": "ENC[AES256_GCM,data:z6z9Z+kYFxISUk9T1f4=,iv:rrSFiLTHJB72cTkLaYJjuswVWGie7Re1MTbseCcJ9c8=,tag:A8yqMfpsv+Z2IuA7oKywYw==,type:str]",
-							"crowdsec_enroll_key": "ENC[AES256_GCM,data:7zHyvsTgbXLRRxDbWu/gHiojf5/RD6RvQA==,iv:P8zSS9VU/8TpkpnXLZu8Q+C8PVD2A4aEu2JUepg3go0=,tag:T4Eqswvx0NlXLm0KZZN0bQ==,type:str]",
-							"dawarich_database_password": "ENC[AES256_GCM,data:Df5DJ18wi0zehWls3yRLE4TM9YMqloH6Hg==,iv:uWNfchJjx0R040jM4DGuQkR3JAkyn1osqIwb74BDae8=,tag:g7Y6VP+wC2Wj0BgIbZ3svQ==,type:str]",
-							"dbaas_pgadmin_password": "ENC[AES256_GCM,data:Hj+euNt4osx8qwDcIucdsQhJsYRKjtqF7qykkt4/xTU=,iv:Uhb3HZKB/KXW0RvRYOAJ7j3p+zQ+4Tsz1Pj//FLXkmg=,tag:VnMG4RCqPeQzJoYQsJYVmw==,type:str]",
-							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:zN7n+Gzms/V/eIshPFIxFASqK+qLnAZQ2sw=,iv:7rTxtE9Xc1XCNwDHBSWARboRozVdRYMLdECSKWyB+T4=,tag:/WCFIU3QQPYOgfllXc5svA==,type:str]",
-							"dbaas_root_password": "ENC[AES256_GCM,data:y7LAYLz7YK2WJPGL4SqPMfzp+oXAi69O+kMBHw==,iv:rRINooMqu3ft+YM1g7hO03ccravaglsR+naHtzObp6c=,tag:kBXyj02dzrkps3r9VBDh9w==,type:str]",
-							"discord_user_token": "ENC[AES256_GCM,data:FZqLSXDCN15OWIczT/0WHcoTUMRn5blKOoxGX5oafyGT3SuSWrZuKrZU8hMQo036+NdjlqQbKMKVIU7IKaaqVCev/Es5XFv9,iv:ytC7MkO6UWv9/oXFcSCwQhTbjYv1sjJaQucLcxzBQl0=,tag:CEFkXi8paXCkfC/X6hr/Tg==,type:str]",
-							"diun_nfty_token": "ENC[AES256_GCM,data:hObY+JOYUv8P9SbVjJ4nNhuJncYvpgu1tKYQ62rn3S0=,iv:Qbp6/ilfYk3mfyQHyPNXADuiZKoq4+GE/FuukYTl3Rc=,tag:e/mhy4LEH88Zpru6HOz91Q==,type:str]",
-							"diun_slack_url": "ENC[AES256_GCM,data:UAfM8wgWql3iUyUWFeTGhRw8EV+5GXhktW+Iz0mnYzGbWA9Brlc0iG09G4vsaTvfoHbDYJ0/Z2uWHVWpkH2Knl7EWMYV7JAL4sSKgg2ywPES,iv:IACC8/cROEd/zFLk32eZpwrZUYgYY2GP/8JndYQsu2s=,tag:mZyCPjSrQidKmB44N5rsRg==,type:str]",
-							"dockerhub_registry_password": "ENC[AES256_GCM,data:w1KWVSC3UneHtTYfeLaSysc3/bh7JF1ZXNwAiEhIQI+6ta/q,iv:yMlKBtafJuO3mPhvh91ckxHTRNDzqC7FqN3NOzPwDAg=,tag:o3/jITfmfEsQGB76yKPjFw==,type:str]",
-							"finance_app_currency_converter_api_key": "ENC[AES256_GCM,data:cnMOIfe4EDNHs0CQa8vUUor2c9d3Mq7E,iv:USQPGnLnLx9TM8ylND/cp5oIsDuGLoG9y4BcBsdWYJM=,tag:AMWkdlbyqEa5cZoBG5GaLQ==,type:str]",
-							"finance_app_db_connection_string": "ENC[AES256_GCM,data:GTm0i7NCBkGU+gn+7my2mfyet5YU7cqbn3P5NjFq93VKubCVQuAkKKziu3hQcZUvbKUBGfhmLIXm4Hxs5z8rhVn8alHCUOa1MLqTotnZcfsR0IjCHdiTag==,iv:8huySrJxkHqjRkzYHJKnSwCwPwO7qT+P4xkFGN2lNYU=,tag:+7B+zLUWFj5/zkdGytc65Q==,type:str]",
-							"finance_app_gocardless_secret_id": "ENC[AES256_GCM,data:TG+PpKJnbrdjCJx4T8G7hrmAE0Af5hJS5ESbNw8mPld7uTT2,iv:a3TYXCcSK2z7E+dZ6+wGlxtlzit/D6GedVE9IFxMda8=,tag:duCsaEfq+AMHEOs+9fsJug==,type:str]",
-							"finance_app_gocardless_secret_key": "ENC[AES256_GCM,data:Ls0x8uJb1ZWrVXhfn2mMFKxMb+jlHestOZnpoCjcxfobatcKH2fbE0lJDgXkkKFAqVjlml8le3qhXsNuJV4ZA3ij0rGQj6iRJMTOTqi1ekmU/lT3epcO3BQflyRsl2JoBnqwMBVYXevIR/iqnA0hDQ3U9tbhB9LP3EitC40iHuo=,iv:ZShjfv43tGAu4UZHr5IqdsYANxwZz4+9FNXUjkvEKXs=,tag:+2zikmPUV6EuqIW620lu5A==,type:str]",
-							"finance_app_graphql_api_secret": "ENC[AES256_GCM,data:AmI18PzGaFDjSJt3y6IZnTfCh/4Q64b36YB9Qy2hNquA4Xl1Gus=,iv:TYLNCoGDUJeq8Z4HApwFAtuYpXDkznphZDzQjEys4NY=,tag:JVEHAWWkJahgy6wcisMf7w==,type:str]",
-							"forgejo_cleanup_token": "ENC[AES256_GCM,data:SxJezM2L4Vduz3XIRxlYb3X2huNQCBCLcTnrf4Z1B0EkWSOChvDqLQ==,iv:LgugUSYCGgrEAh0dtkWvXnL0UHY0sSdV6BAg3pO5/bY=,tag:9c/szqGT7efqGEYYCGo9mw==,type:str]",
-							"forgejo_pull_token": "ENC[AES256_GCM,data:nesNbg/pk1BTF17wIn6sFVB7RJVPr3D/s249++4OBvSkOsCSnrYY+w==,iv:y3AftvA09LCPfxO1NwLMphP72lzRSrRdiPIhEpQeJSs=,tag:EmiNBinDFNDtONJpHoDDmw==,type:str]",
-							"frigate_valchedrym_camera_credentials": "ENC[AES256_GCM,data:dr8uSbp3vta0Komt2SA/KraiJoq66Q==,iv:IoVACdykYEocTpRwkxG6BztBrMO5EtMa5v/yHkyQYWU=,tag:TNAHillYjseckC8T9CBiNA==,type:str]",
-							"gemini_api_key": "ENC[AES256_GCM,data:TseWEkJwH23ACC62HmUiec08k5Y8Z9uYI7XPwzGKzMPwst5EBGEA,iv:bgJcjfLYckrjG4ojEShW7sfC3Pn6s1thKGNmiQflA2k=,tag:rOe4oVkrwqCybyG5nCscWA==,type:str]",
-							"geoapify_api_key": "ENC[AES256_GCM,data:cTA+nbVMhgaTb5hDTM5rvY6dtizVhnyLgaW4V8m4p0g=,iv:pmmH0AAQpgk+40Cpz6bGPMNNKgRbYc80AK1LQyrJN5k=,tag:mS9OwdABwkI078vS6pPTXQ==,type:str]",
-							"github_pat": "ENC[AES256_GCM,data:fDzq1FaBGYgoCr9NFWLfpHfVNhHJLKOYKthiIhsbI8Ks1pjLIgWpeA==,iv:24kp7gloERAwMK9WravU0L2qS+mPhrJlgqVrkGF0H9M=,tag:OG35E4shvYeDir90Lh2wWw==,type:str]",
-							"grafana_admin_password": "ENC[AES256_GCM,data:PrVCDYE/jB6SkFLp5kMA9mEhMcM=,iv:g77fjcfPq/Hg15nYbUs/9eM2//xgK7zMQK8beCqn3YY=,tag:ZTVy74kLZAu1RgXwy3ROqA==,type:str]",
-							"grafana_db_password": "ENC[AES256_GCM,data:35R+awTMz4L3wf9xQQenPyXJ3NeR,iv:RyGFz4FvPWJVagcH3kd6g1t7JTGqWZA/w/xaydF1+9Y=,tag:dptVElGKTImqFiNBNODEDw==,type:str]",
-							"ha_london_ubus_password": "ENC[AES256_GCM,data:BH/Q5RRaauxuxYJwhO28s977+qpRg+KIK1obnPRj7EY=,iv:WwMhjrOsuHTxgdgpL9jbQetcmSR24b7emY1VKqPMQys=,tag:r9lf7xCa8wsm5pjnsgpmeg==,type:str]",
-							"hackmd_db_password": "ENC[AES256_GCM,data:bHdhN+vFaTklO4vYBlYI,iv:K3qQ5JVufSapQo10XBvZpIDQEkyTOjpDH+v4TVYUWmw=,tag:SjJClrRGmtnIqSqKSBUUcQ==,type:str]",
-							"haos_api_token": "ENC[AES256_GCM,data:8Tioaiv8b4omXgX1P/AuYAAxYwNcKtyQKF4rs5iS/F85+2CybSF2iJXqR6bDQuUQXd7aXsoi/C2BVWzhDzRnPE19GSpzqaaJTmFbE+Yf74MtANIAfLReBtimTqh+qBtBANehTkFXYYgUNe6r0gtQpBfj/rvyfVtNGKFQVoVEgqF3eAbpwsw7O0YCFHyCx4aZCQOe7BrelLPwjJVPfWq4ajG7YH5DZ3JQUxjs6jkjGrBGHut9HskE,iv:up68en5OMOwx+nk7LoPMbg4Fs8haHCaepd2G+/ie8jY=,tag:E/AV8DmxBSoH9+rDvHaefQ==,type:str]",
-							"headscale_acl": "ENC[AES256_GCM,data:9kPB8tHxTSGGl48yKdRTMdeqPjToIdgQU53QM+oEEEekZODGcujrHEV0x0gwTNYMC75QFcLKku6gt6I03/J3enyulm28KWwaFa4jV9xCgT/X+LqSRnY9tzLakDHblSwF/vTQH9ffbk2dRoltb+C0+UAZ4VdUYuhDF0sJXbKA2PwvzdamV889GJDRFRP2aLbSFNBSEHKpCISVKhOkSyk8Wde0pAcKHBjsXgph07+HV1njr1N+UyVmPdEUFOwoUxIDl9daQGIr4u+RS3GrJsU2WE5yTH5++9m4QsCewjoupIX9b21Pj06m41qFeMTjBSLlSU0nzSlPBET4F4bc1HAqlH6bZ4VwUzlGWl01hleEK3dbVtPBdXACgonJozSZ9p9+5tJ/G/VmEK4AW7BX17o7Muyh/LjPuFR0jTigDqFN59uyt7U9RM8whjlV+jU4k8YB49nTf0e3xcvoHbNb3NTVR+irZKH55tu0R9Rkvt3RFEDXEPoV/ve//SBaVNa0LKsiPvjiUssAmrEFGwPgW6N6rs6c7uapTsMcLIP0Ov+0axaEBtuSJLhlgvAAYJpA1BaVst83XhV+SumS0Q7ia+EdJbvAkHjmNBHorHXiOaS9uYazaXcwV+7Dskpfc2OrYx3a5jM97MKalXYKz+ewSHiWr9hHGOQGmBdls4FvExVzKJfnt1y6j2mBRxQBUyT4lucm79tNRDOz5KdVKTvKyNYxB8OFZb4bInS19cTC5yCzzmyVA1xAR16SCW6iUz7NvjtI07Vps/m7MCwy7Q3RZ/Z3h2VOMtUin46BsqW3WEhMn/oJGExxU6x5UB+XkKUcDe8txsbN/wFNEAL7z7gaxsAvcvF7XGSex2uzkOme20nawXme+wKBRb3wzK17RnAZTvgu1JfY2inMHJ7lZMdwVp9RmrioA30tIHf4sk/eOXwO0zRXrs1dqxvWhdODL1k7K9aWg9CrP5s5pUfv+RsJT9fXiKVErwj67B04azzbZFO02DjlhbzfloqoMh7gluSpJlmoOibjSzTbMqWfJ4R3x6mkjt8NB8jLikl/4/N0cEwu9wS3Yhm/bdFySDaCtyGPk8aAJ3CRol2qlrMFxBlHVVylTyjI/yN1b30+P20tYZU88lui+cf+xqu/Mbtt/uuPfLaajmPijBpiGfnpgFhqfGhs7FM4i90CN7sKKvP4SBBNVmxsYbqcD2zczg4MWVoiA7Y+f0i5KdAEQCLQnz5PIsmrPQCmyJj0Lc9L+Enh+Yf91MQUb82kfXUf2i4Q6L3aYgR4CzuzeSw/7Oa0VWH4TLIyol8vCK7xO2PedFySChBrbWAwPCpK0KXzf03IDqdLMiW0JftLTbccu/Stabkeb92P2LWvdK1h0sGSsDpNTRTaqEzmKZ6gXNCS6UC76ciUfD5tW03+bKfLts3O6FhZVp5bd+j3yKmDdcMOGvOgZYjK7Pku5zx42023JVzEcufRPp2k7ECQn3rM56SDkPhpqHb8/xywFj1HVEeS4/+wxFXzg34qK3pj2fKCvOZA2kv6/p6V0stjLl6tIMr2jucU9Kf2MWnYLfI8Nm/aXZVPcA7fwJDC/+Hy1m5ZlAyebpTiiyXpKt5V6WyapjZcUrRruFJX+Hl1ZJhUyzQuocqi2euS19rpB1Uf9IOSbG+ou49gQrQodSI9HiaHDhoXSwqzscGvweLYXlNfoo7GY8MDuzJzpwk6pvniGbl4D+kBReHp3uVR+5Hecym/DulcFtfWL3aBenI16X8SF5YVGiidaRSI0WS4gwkGfDOTDyIeQA9aIEq8KEduSltpxRMRhhyjCfhb9licCQPNLoMa8X2Mmo3yMXiacO2VGy9DgNOCtklKZNi82RBzBI7v9HRdeQv19BZ632TxysFmUj/zd2das5EaQ8qD1IRxjLNle/WcsoRQhGa6kVgtLnbBf18EryvFZBPx0Az9O2tg4W6rKAWYNZygI4ecz2fdoJgaw5vFrAN5y+POpPrDL197aSetZ4rZCD7KwzH+ZTkpSRjFWrpHb+EE1qwIwY4j5G3m/Qxra+2yJwS06FQmef1p2ArZ+U5EZROCbcR9rgwXEzOAPzde/XGioFrZkVKf1nFVor1debarMxBGcp9biNJ9mGtN/srn1svHpBxiD/Loqkk4tfBpozWWFO9zoqVw9F4priMkpzZ7ORckW+WO+SWJwncklg2kK02uCGxG6x9YeQDPplIuUYw3NyzBpPJMkYpcqpvDMF8HvQDLTPyun/wsQ5LODEeYR6etY1HMBhstRwqasYIztLDJ05Yk9rcMjsMb80rEHhsTWwc0u0NL7XimUca1bWJn9/wZqYcowMl4NfrpNHAbQ91QMd7xGL1E1A+Mr3FbKY6kRpNfEpBStbWjxvc8J0+e1xmEY2VwM4NCG70p7jDo5YxmEybmWbQ0MzpFA4SiKaALxGmz7uhDOUwdNdvhv7g0ciaaa2APX2+OnJA1JlB5zoC2vvfgchnwZ2q+F/IVHVGz5hXomkt0mv6YOtiriZmShLVmk3razi9lmu6Wbw1lGDOTB5IMRRNBFpfg4do1JqiUNHRRSSjx5kNHfJ7BNV+LpKyi+0gRsKirQgKOjjcElsPu/MAcp0WBOU64kgQ+GodSmltOkMZQeG86K+rMsdqYwGq2BIB7izzVnbbJpEHgXQAnpnNc/aaQyzQ4aT9WCW2+nIug2q7sqXKrN39WtqE3ePcJ7sh2++Y3iLwe38kSfs5qeDAeXPE3Bg7i3qFv1TKAsdjk2gktrsPLTxc2F5VdHxjk5QER4bciioauH1LVAS5Y8tg9UmG7EHQliKMy/LNyvxv0ud6NcdDzf9PgMfGbSQfirxWrXoV/X57rCqGuIimQ/EGWQAiaUdjhW9s6lySx1bj18KOuaARk0UVwfQ2S9S7L3+hKsc8kAWhSgJKc4Gho76h6YYv9smeG4QdQYzeB5O7F1sIg2GtfVqD/Uu6dTfRhbOJcN5WrGq2LV5x4SoKJQRAUYC7ML57fjouHZYTWyCY4QeT1MS5xKIuO/M/lkh4J74kzCam08Z4MSxoM8jDoEvvl50hY6swrZnCydCqWjMYAq5TuDPh2t6R4a7RUbcR7zkqKUhbWt6l3DETo1qPtiNmC9KejrFLpRmAayJ3PhpjMybQRseBzYolUpHbCbznpC7lWD8q/kRmmf1DLUXrNXJH375OE7EB1dWFTv+ZZ+IG2IUs80D0KKszScudcAx+Vt11ufq6Cw+ukfwnuNPSznS0CEi/PtlPbACJ6L1hw6ZWZXsi0Xob+lNKQ1X7o/6UrxGzCEI3b2obUVb9YegZe0j+UsK0NsdbePuqIme+txwqFWJXx9QjwIVfl05mqxWw5HxKW1+4We0it5S6xEtdf+TdwscS+40Vk6jEXusChVVD4qacdZdazxciap5SCNK8/hozH1vXjLIpJCaPWF5+NEKPdeBCZA8Hyy9Jg5K/AKOsPWi81Oz+OhBzmOFdpou4i2SB7H90VTWmjSjQ59VIvU4a/+E1ESchf4r0qVWn3Ihx2ZKMhICaoLS3vS8rn9JiK3Aj+ZUWPYBN4wVio+QUpX6MUk747Z7rok419iiqkNQOfc5jly17eA1bDBt9inB3VfD6UtlhNepYsvvWId4OmET8h/iAmEnUDwaS7H78J19mCRMDOioI8LKzxjr50lbekeaM1oRmm6y+82tPyCZ8+TXVyUXfV3p8bqwSy8isOJt+7H6Xq/MwaEyYzN1uM85nfJoWPvXdnEI6DKUbuvNmByMEEgOQsVWZPkaN/jDw1aiGLalAMG03bCbo8WELahgtzz3KizaMuGe/iH5XOAKKuXylcGfAlCUIb9NZkc3tdH6q7K7A7TQKREfLN+QXCTFGxvbhUQDHh6Nx2nz5DBA9ddu2bzy97STAyO+F9SNcF4SpCPQP9snr034OcScjMQIwWE61I9YZlLsTBNir9ZFSeUAcF0ux51bCFaQ/Ch8sLofjGRA0Xuv/Mks6ouCqpRWyLtj47D0jEg6I3SVADeab+Ny05oyBvLBfrWuojnoZDub4RimwtIV5KgZ36S08GOt6CB01YURZes7svGq66vQ69KkiuAsLzlerms43mYMxi/NPuPF5oMzyuOWd0YYSNN3uHm5vs8FGM9bReI6iOBO/pXqAe40ATxgn43bA0B1meDfwmxWv83TyMTOR5W7epaEGThX9Doaxj8Vvwr87GC27dTwjxcMhnD2sFTKCIFQavxbgImH5215OJDKl9ePGbNSoALLfYJTwvuhvCqlRNXVw6r+Gwvm9LeD7J4OfCToJfdR6VJpBsuYmKyris+iPq3e//ct02dlHC1i/4w47Xa1OszaR6zA7DcvgwwqiytxobDa9087dh6pEadq0ZS5pNM4LpNGx2xZIhzj5evk28qr9cdDEJpxF9Dw868ELM5o86sps+ZgPFfFJahfp9gZtso1bs1nRvJBpJiVpaaAPf2c46LWsNYEIum89ULOuuo1y8Fl102qfsbeTjvyoDCBW6If9UC5Nis2fzpY3CtCa02oGGjn+uEiVoWuBzJRSrsd4bYoiluSqDx7U6Gtaq10GFLe7zojjxGmQICWl5aYEQJe6JydS/LuxHrKS8VpqixVYgZzJAAQAgUisNbNBNc5dVQVVwTAdztO9UE7dyxNiNif5rXU47fKjXCAWh8FGBhjI+8JczFVajemIGB/349PUvQCRq3CHnXr/F8nkkGXE7H0fH8GHWfGAVGJEIM6nm7X7Z9oC6V9FhlKVo1I0WJ7oEzxnzt288kn8hlGxTmYB1fEbDiuwWfemp6itB7+RvYKgs1Typto/ylVbCZG6wior/lEqelp3rSsaj2ZiimtCVNhc1DSSoGBwO7X+itM2SUa9/hisz2FtkH/E+Kc/m9EM3PlzsJSGWp8cSDf5+IA7hmfI06DBNo5VWXEg=,iv:f8/dTZRrowMAK6JA0QI24Z41q3v8iiwuohMGjlNOdmQ=,tag:QKzDXXUtef38vaHp6jlLWA==,type:str]",
-							"health_postgresql_password": "ENC[AES256_GCM,data:3sFAZahbuhGBH/hQB7yDNoxagfMEgAejt50aawylQ1M=,iv:kZAOD91Pjdxw17cBZjRz/wji0FUBc0n62K8ibADeTMs=,tag:fIneuSmSokDh/huX6WbDPw==,type:str]",
-							"health_secret_key": "ENC[AES256_GCM,data:2ftpXWGxz4FPVw+QSclflre2Wf25uUkJmdipxlktajA5KCtmLpJbUfD0SisWRT8pDpLe1z5qqt0Ml18/q3AKSg==,iv:pt9lEBXlHWaQ6mIJ9p+zPr1TYvykrfP7QBo/WWgToho=,tag:I3hJy5YWQrgWeProi0+w/A==,type:str]",
-							"hmrc_mtd_sandbox_client_id": "ENC[AES256_GCM,data:jPGe/0fl0QkFbxM4jEvWJZBUYIh8lBDh+V9BUw==,iv:VpAP5ouARZ0+IHBI2ClNqXdNDNGacvVDKnpmjdMmZ7s=,tag:0klRhwD4Lw4QWgCbCATMEQ==,type:str]",
-							"hmrc_mtd_sandbox_client_secret": "ENC[AES256_GCM,data:+nu28+yNvb9rxY7OoBWErx5NIWj5i22k2aomGFC2a6A6EacA,iv:TjwRSGM9qliiYBstHbMp+yvQHcRZhVfRZ7TJYj2zmAg=,tag:w5dX8P62imhVlq0Khbn2Xg==,type:str]",
-							"hmrc_nino": "ENC[AES256_GCM,data:711+TEXDA4iz,iv:z6kEGtHRze3Im94WMJrBtasU/gJKVjzq2AzfFvJEG0I=,tag:b5yiF5f6YipJJxTBi66LZQ==,type:str]",
-							"home_assistant_configuration": "ENC[AES256_GCM,data:U6c4uqE26rD8Pj6QHEW0ysCW02mAL6B1s5Ozfabtfd4Kr33p/+wQolvjyrlHv9U8v68IIMCr5bEa10C6OWZ+Wj0b8WS5QN63u5s0/ye63R3X9uXV/qRR6hVpGkkkR/OX3POa+tcNaA7XkFWvwRGrKpiCM7cpk0VaRim7fmPREfla+L/o2/9cEKIBDuKsA/e6hKU0KzkcduP7hITyTPHY7IMeNDGOpPb96L0nh/c5THgYeNwlzemMHAo92WT9j4TQAGNiDNCBYKl/l4RuFKXOJHPupP/aVKYAxmEjB5lJ0raI+S9MmLolg3jN5f6x6u44vrhhWIprIf9udOjRqGKtrX0xcHk2EyCP6lyD490yaFTtJkUP+j4spwdwS/aqxDJHVvrJ1S2aih+OQevg/MEyMddwo0KkbbAyBmgLmw9ktDly+j6gLgHm6CChQwYx4l8zi0ji0OxndjFbffaILnNj9SFMEQ1J3NaC4ExRVfXQ0Pb6vIFbIYseIWLf89fjfFAg7ptmxOD+TpA3Iojp0RU13RBSqrxTI4gx/GhkRw==,iv:jyUj2CrsyUbcU0BGbueh0amieufewv25UHzkHgqfEJA=,tag:ZZONqFPGReGjqqIKIAjeuA==,type:str]",
-							"home_assistant_mcp_token": "ENC[AES256_GCM,data:yZbeoYur0e+wf0xZsTa/YAWrBwCed3mj/7d6wrV0vLmsawQ8pjIw3urRfg==,iv:oOY/T66SHF44bxreB17yxINC+zFmVvf5XROC335i6Qk=,tag:0Ate/YuwBbZuLq237eB3pA==,type:str]",
-							"hyperoptic_email": "ENC[AES256_GCM,data:S0kZYNxwjUQ+JgyqBdiZJXg=,iv:Vom6yHbXXsYaBOKzmNPGwWV/qEEUNnUcQoZo1iDkKyY=,tag:zr95dV2teduFzUWi2X2xSA==,type:str]",
-							"hyperoptic_password": "ENC[AES256_GCM,data:CCHEi4qu0EH8h7W5mDY=,iv:SqhjR5ovw1WrhJLA0OsYmSqPm1Avvsf8FdM9ebmJCLU=,tag:I/xIO20K9kYxU1f94/UMzg==,type:str]",
-							"immich_frame_api_key": "ENC[AES256_GCM,data:+QpM3yMG3XpS4uj8+Jb1gkfGaN64jpaxYjfBWctUlhxSUDJOUSZj,iv:GdesWkKKoh0tm/uTVAP6r+NmiwkME9WWyk5NkvUWxdo=,tag:xcZgsF6iyBrpY4eN8XDgdA==,type:str]",
-							"immich_postgresql_password": "ENC[AES256_GCM,data:Tr9u0pZF,iv:Soca4OM+IdQHxr0oPNruoRoZuUe/xSUys5E9wDa663Q=,tag:1QNd1yrQWu5VINltoqmIqg==,type:str]",
-							"ingress_crowdsec_api_key": "ENC[AES256_GCM,data:LUITrU071qLpprIJQfNv0VmrcsT/Dlblp9xBZVi8lpgacgRjqeW4tpaOJw==,iv:3RHUgSD8a9199f2jeV2B1fRQoTAWbJPI62UPnb9FuMw=,tag:9TrCM5bNlw/NSWZ8f26MOQ==,type:str]",
-							"kea_ddns_tsig_secret": "ENC[AES256_GCM,data:20Nv7GpwtXrNfgbdwXdPoSOgp71z2V5dqbK55DTBWvSHYP17DAGKiGyeawE=,iv:jMHMNCexMLkmpdyJnfC0yEuZOJFpUxUVKvbFOnNuKzw=,tag:Hs5UFBRu3G4gGwdHgGTpOg==,type:str]",
-							"kured_notify_url": "ENC[AES256_GCM,data:QA8xmGwvAoZ3fFP27XBAfcwJoJCgayYrDG/7TbbrhaAvLOGETYchOPiUSro7vZaROTOnyjcoHLFb4PpwnXBvNjipxXIrz0QD+iUkPRjKnpDC,iv:YhS1yFINcJbaIMFkl/Gr3g5EDfld9Cr2Y8TvF0ZAHhU=,tag:DYDObpcZsnQMvEcqH9ldRQ==,type:str]",
-							"linkwarden_authentik_client_id": "ENC[AES256_GCM,data:FH49jcoQPhCWEfk+nWmBCD2X95JqHrFNcmQrm5OCe6QZTsnUVDZvhw==,iv:2HVcLGKnAXL7ZMsQb5RQEodpEiWA6E9++GIuQjtZSEs=,tag:lrIdewQ/ApVZe0ndT7CbKA==,type:str]",
-							"linkwarden_authentik_client_secret": "ENC[AES256_GCM,data:gCnSzTLRqT3g35o6vpID1rww4VwX+T1/wz/+5CrW8laI0Kt36Xy58fVy5d1ubIe/J4yv0Hd1STnOlLf1J50LDGGnjazaSQzY51DCmdRTTmRFo5Q1sKObdCzL9/eM7143acUOgseLZ1bFjV1sCe/lwngrpV6QgWoGSyTiZ5B5Jh8=,iv:Ij4tgP7mWDsTSeHwEL4JFCnuUCJAHYXI7JTbEStzxx4=,tag:bHi6Waid3d0a7xXsXFJDgw==,type:str]",
-							"linkwarden_postgresql_password": "ENC[AES256_GCM,data:ceYdKcAOFDoOJAeHfHAPb3xjHVtHh8LfXHfgayZsDRsr9qwEO8TgP5yoZE65nLA5UWe/,iv:muBHXz0AyiFAmeC0raBvBjVW6LsWvKzxUtcePYk5sqY=,tag:8PpYyInrP8EOBGxSknglVg==,type:str]",
-							"llama_api_key": "ENC[AES256_GCM,data:3A4ILFpcAGMwSgB1KiyfO/D514N/CVzDTR1CF+6qR8ebdTe4XdFcqguEIvFz0j8c,iv:NqhgAjxlDho/TgWdO0reZGB4l5ysWNjLbTLIv8wgxqM=,tag:t/cXHE7xAkmzpynds+WLtQ==,type:str]",
-							"mailgun_api_key": "ENC[AES256_GCM,data:BRMqvr79ta+USW/i4wmGCUh2jzgaBIKrDfM6QVqMigC40YiGkX6wIkVvqNLDbFLxrZQ=,iv:q/UxtQNZ5EYT7Wlcc6lyT9EWVlTPv1m2cE4GgVTvofc=,tag:eG9Mut0tVnimJF9QR8gWCg==,type:str]",
-							"mailserver_aliases": "ENC[AES256_GCM,data:0NL17oTMg1hKupAKlTn72gQMd6lqQ6eiRQTksP3I8Wk1lm/cBV7TfrrEyjwdH3Hb5MGrQ5uqVOLB4I913RAPqLJKy3sYUqU2bLzIgNb0uzQzbDE30ehOivrdA4Y14s6thYww36FAaQ0wSTaZM7KtmXd6p/c5BHaEMcnis257rxkcRGuv54jAAAy7M5JwT5w3XQ/WgqZ3uvYh4j1rHmzh5RxzLyIaglfWtx2ESNTL9ufhdTxyFMsLFf1wberjYacnmPZYj0CFHAJg6MVJjOQCNCssN3O5zL/2kSK7073Ua3XjXteH7zU1TJCdWfRUDPkYmDwMalY46Bq0kemr+l2i4/F1oFEn73ypdogOmJEIfuX+wp0w5ZOEeopOAphbSXHh50osq5IhOeOicVgvlHS0ihgM5OD2MaCA3j0c8H4Yq7cAsC4BshkbyDNMaWOh8b2ytWoV7ZxBaKSJU+4vl+SehD5fCW+O7eaUV+0DHbcrVGlHz20yMMSBzyHvHfpbht01jG6oArLWNmqwMuONFSc8JXRwcqBJ6+PjMWm11foZmam+W1InRmF+RvwufXOQyXcmMjw+4R/ULSXJ,iv:BT/ZZNtlvTGRJIXflcLrdXfahojxKp07D3PsjBxoHqg=,tag:TFMWviBaNJ61KvQSo1cHRA==,type:str]",
-							"mailserver_opendkim_key": "ENC[AES256_GCM,data:tNkwHvcT806FeCzOSBTk4iifCJu6wEv0kvgxn4RgycXdLPvjS4X+S+yME4Zt2aof0/F12aXtWlojqdYJjr2Y23pC18LVXDN2z3gYZPR5MCWdEfT+VDKfIDqEDS7Hp7skh0Ojr6K26LtcPrq9qkh6VO/BHdnw3yMHETlCUCHbSEgmm9lDGKVxJKTHmuYczdAp9baAe3mpTQ5C6iSiVyRNyWqLveTQyNjlMhXvIYB4xOZhoPXCjKV8vZ4c7W5RqdUCHeQFZKX0b9t/1Oi9/0mPI7hqRCLkel7EzFCCYQQpn727JPeX3GnnbhNTJv8J7fX0TN6QTXaCx3xe5/0VOrW/QkzUJ+Zfg5cmiouhGPQOePQ8+3wGzqgcatdFX9fqGbRgr4g1m8f3hxKJFCLkMJnKwvSThQYko4bEkAQIe9OFRoH/n4RNO7IzGZOCdLmfGWXrhiDGqxSJewTnVHuNV5IasyQL0xuLgHN7yJBiYMkBlTIRkMcsSRgml3B/pPq3+723GTcxgazk/dQtHHGjzEG30Ei2c8cZuL+AOljqgcql3NRD++meeV0+9NrRwAdFd1TsLfrfim5BTy1gNfvNSgFdiQrq54N/qH2i8bbtwIZLm7zv7Ok2xGsqlCILiPLJqEaFgnwD65fDHeCDQuLK8G+TTZXLyPTJFmA9WtpKVoVa8R3D/EI5aEUbRRkn0dPSBfTHJH0bLUnr6UBQDgTRZLyI4ac4sAXHuhEXYJkuUhqoJbrQJvjjx/6y4+SrlrfDEaK+Ym8F0e/gKJstu2HOd26bqaVQ6t9V09e85O75qOopK9EK/A0E6W8c8gdT1w1JcfSGY9hbeo5Bh9d8bkmfx1OPTmVgfJ1tGWRuRwld9E7EPCp4jnEhhZ9iLtMYyyzPWnW+A93CB9XfGWYdMIHR5N0GeQhQs0oUGnGVlk/731dhDhxukhfZDur18afCi4PvBHjGgTtne/wyLIXErkch1CFx5TEQSwAw7ndDuoPpqQtJIAd2GjmvMR2BOtK3u3uFAsNyJ4aQsETOHoJoybtc+x+8Q/VeiR6HMEeOwyTgHKq2XSBnMzCx7pgu3JoeJfEnw1Ffdxd5WBWFYaA9H4FPiItczF0bRgI/1A4++5R3P4zeuu9K9VvBwdyMhxzgP73KthL7PAX/ksC4sL0NtkXgVHeHqKh0Dp54DRJSlWmGbltRi6GBvu899PiDN+v7sswcB+QOaiZi2YSG12ySt19elkCtmCB21F81UdMp+XvI9cIdzhtoU1u6gBTDKmw0v4/cWC2FfyDhZuaH73Wl/qofdmfHm3loX5HosK9qhbMdMymjURB/As2hTGOiaRU6pL+wUY7d5LKQa/qfklBDlmSOrZ6zi1nH2+KdBwQtyZ3TcJshM4ix7+xxzH+bd7CjFwrXHa86dWEURCaGxeGFMQfxEheRCxxseH22LV20EmQYC+YVCE4EB0Hpx0qo5KfeVtI/VFJjJ7u/W1lHifNx7F5IhBC2z6lZbwPmD3h2waCAOkiiCB1YVmBVTyQYJXy67dV3v0KZy82hUC3y3bMQvXtFizkfhgNbHXLFe0NrVvbFJ77jrLhqU31FBwu4ZLrtFlBm9a2l4eDvokELQTbV4vv+1S5/xLIzkqbyCl94/QumV3QweVgdXq2R9lC/UjJktZkbCipg+qNPK8u/2FPFqpd3xkIvBR6Xm1o8Rg+HxnGveES0uDi+Pd+CfJrDYMhaDlgJTD2EW04QcEie5e+wPx7NUb/9Z4jwOIYbjJ64D8+6ocrFdCHQ2ijG7P8FIQbIMz54T5/k8U0gzF0XREuY/BJPMpJ/37N2WRN5g+nPm1+Yzk8IXu8C4S8Dtuev+yiWZcWdzTSREniqLJtt8skiEBAmkML27EAYsGqquX+CFy4k9qFqaIN4Pkcizc+s2KOSssnJU+lflqN6SrHEVWDySWmXNTrj0sgsEMYWMUmDfyQ4M80HGtmOmFY9TUH4rkV0QHJmpi63NLsATgmyYs61HQeMEzLX+W0YbiH8DT1sCIj3/VTD0qZx383fx7P/220NmzuNlo8lwL1NtoWIUPpRQcvykUfYZdBfKdfeR/EnYi2h2kF5HubcOcWhqSXxyZdiZSS0RaoCW8PknMcL6LZnZN0pGfs1mGPEs0zwW+c/f+J7yvlfy0usJz0XgT968UZSrmH1vDsjNiPnn+vY+eGIktQAASDp6V37nsUs9gQRZqLqQQkWUi6PUfYT+s8jBSW1sPlvPA==,iv:mOjLwWEYJOWOVzslMzdMBxDzG7tLSUPbLXdWW/yLWks=,tag:+hmW3WkZW1o1P5dpYuiIEQ==,type:str]",
-							"mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:XZS8B5SpYGZ9rUYZDPU=,iv:hFpESuVjKeHp0Qy2XTp6i29xEy+SXUIvI+rBu5ZDYro=,tag:P7cNybI/eEOsh/Qzb5AwBg==,type:str]",
-							"mailserver_sasl_passwd": "ENC[AES256_GCM,data:JSVHZpOqRGrnwyNlZsfc+Bw48gPPUHlW3bKonsehmwguQzBU4sNhBZ8QKbbxFpH1jmtw/1dU7HIkWGMFY4o6NJAfgCfZFHNZ15FJd0niik1mzhD7rlYLE/scsiPcpqQ=,iv:WfatBhNsaFcIYTfUT6VgUFtMCz9FSYDkiCk21JNGWNQ=,tag:WQZpllMNxTSxuH53AE292g==,type:str]",
-							"mcaptcha_captcha_salt": "ENC[AES256_GCM,data:h7CQlaHj4869EUJGnqME7sXGZS90l7X2R6sAMTaQVWmkcogZ3+kF52lnpztb8V5GuTOhUlLCrKgxoOqlCeODIA==,iv:h+yXw8NiUYPKrB4edkIaXT6IoSCRVVDvzBGYCFOZF2w=,tag:gC8gJo0bAqxzoXPHPk4k+Q==,type:str]",
-							"mcaptcha_cookie_secret": "ENC[AES256_GCM,data:gzFhUwEJO5efUcKQojzPzSnQJZt3WQ4byeawzW6cS/WffJHZ/5cxMLqZ/hOzj9TCOetPJJEa5qwOcGathfykpQ==,iv:gFU4jNRV4uiZEcnTMvwSq6j9PmNtJQqJxw5cy+8mkGs=,tag:kQ5u0zHK13hz2yAalZFOnA==,type:str]",
-							"mcaptcha_postgresql_password": "ENC[AES256_GCM,data:ziNUAF2qi4d8BerUKCvdqKPjoM0=,iv:4JFbYwfc5Wr5RRhyI4Cg5VqHjNwRBL11bAA6E6cYjvc=,tag:C4LLQVcLLw2lS7+57EGarw==,type:str]",
-							"mdblist_api_key": "ENC[AES256_GCM,data:raW6fBeeI6Y0PYtP1/UGYHZ3SfL5xpYyxg==,iv:XJfpZksxdmbfzyro8K5FfYugBazz0Xk7CG5TJFSXGD0=,tag:wkbBD1j6d094+pvhgpF8ww==,type:str]",
-							"modal_api_key": "ENC[AES256_GCM,data:6x514xqUWnz8743Mw72TNO5mvxHoIB6EhNcK4yU8Mg2LV6NSsBgXVQWh+JdmAZc7rEjrx9Rb5oZH,iv:OCCE5EItae/rVe4VZT2WnEWhSqOeoJbzasA5oIRQUR8=,tag:gXoG/Jhaq6zaj5bqqWXT7Q==,type:str]",
-							"monitoring_idrac_password": "ENC[AES256_GCM,data:eMEz/Mvp,iv:5vS+3zvfOXUMdWch8+uq+lWrYiL5cMnAYYbEnjz5tHU=,tag:Iqqp/twXyFvn5sZl4xFarQ==,type:str]",
-							"mysql_forgejo_password": "ENC[AES256_GCM,data:P8AMLEXLkYCv58IlYFI=,iv:chCqe0NEKhRZtEVaBnLyDhiy0uGjkPHZmxGgJc+XKyI=,tag:Jj6hUTtiF7BXmbJ1TbKf4A==,type:str]",
-							"mysql_roundcubemail_password": "ENC[AES256_GCM,data:x9KWtM+7jmQRgXM09rs=,iv:XXIy40xniSl7sxDhhdnYbsnFOlPqmdtyY3M8D0ynGek=,tag:J24jpngeKjanBKzLt/jdAA==,type:str]",
-							"n8n_postgresql_password": "ENC[AES256_GCM,data:zGsNs8Uu3a5f1vyhdng=,iv:LI+W+lVmKxETeEpv1mwlu4AmDxiVWkoEeAZRyGlekxE=,tag:ksheqfioBEyk9tKukmIkPg==,type:str]",
-							"netbox_db_password": "ENC[AES256_GCM,data:mrDAS3KhVunoDVm39ZdtCS2QBiRZwA==,iv:cCH0z7Ds0Fiu/+UkZypByGG0F+n7M5msQFFrdhffeRQ=,tag:gAIqcqQmMf93cYm0lvHtvA==,type:str]",
-							"netbox_superuser_password": "ENC[AES256_GCM,data:YdlTOMXi0+UVIL1qlcXX/NXVqr+oTOI2hFs=,iv:SKgil1uNIqfLZxs0jTpbk52dx9KfMJlt7jaGCZiIfmM=,tag:gGiLqar4AL3FHJQU6k+LqQ==,type:str]",
-							"nextcloud_db_password": "ENC[AES256_GCM,data:VgZ6B0RjAjAPx9+3aeEkjQ==,iv:80zJr7VaI7fz1OwUMXu6ugtvMRz+j+/rbn/ZWikk1W4=,tag:uBVW2yRxuwVxheU2yYXYwQ==,type:str]",
-							"nvidia_api_key": "ENC[AES256_GCM,data:Ch2h5RtgvPnS66+T/vwpB+G+sm0Q6RfVFeFeQf5dvdi6hMXe5alnGdg5STkO9VC7UKJ5b1/8bxYTYO1Ij0FGqjUHkNR6mQ==,iv:+oDhTtNW639/lbDZvXVxqeXRuqukNiFLavAYMmHpxSA=,tag:lYhIxOJZ+iMFoF2oGczgPQ==,type:str]",
-							"oauth2_proxy_authenticated_emails": "ENC[AES256_GCM,data:bBXqv+JoJN/6YvUFePKMLWtjXAiKZSiI4dm7Wq+2bx6J6e57PDqSwXHCdq5mfROIsZqRFzEcKLjN3O65wHPsVcLL1qdsSY/6tpzFB35fSjOTuzRIIXGiA2HYyOwP2c5+QhPpGdwtQrBhjrC5nFdZFa6wvuMDwEFsEjgwl22DvxqEy/eLoSxyg/r/ha/W9+m0JmXsl50th30VRqEyzW4Ylm/QN22QR1YvxIFK1Unns6oHXElCYgaFG5HcetwmbxOTzbsl5FzImgm2hwnyLgKgGdHjE+OGCBRaWM6AJEeSD6PGSqecvkNeGm0R+vnF1jQdtT5X08NInaCBdpA6X1lpi4fJh93VTwwOTP4oJpMR9unSLxwT366jRmZhNMKOGiS0pGkuZBahErxCCHEVamzOIqnn5acO/fHvivvIDF1bVXEPUEozZC8WAYv+k2CqJ2Z1uOiroSOW+6k/yZqHm7SPaYh7RC6aQm2V+7H858ptXvBi8pv2NGsfzg845zBqxmJ3AjreFb9eF/puhDo2SLWkHXHjCTAUwLyxD9lmCQ9GPRDeUG8/anmk3vpW1s4bpA0XwVLylh1bhccSiP8f0vuACMny7K9fi6hNez9mqk4cMXTPcankYmtbjT0EuRdAolUxDd7tCvCOArarMcxk7OUP6ZLkXnCIoaOQ01VorN4526euB+UWOOJBCzPO2N109E9r0ylIF2hoisWFcHBnBh2K4YxY8KAqHDmM154Y2SaPG9AJmM544nN/r2NEtEr1l3aD/drF3RBUprTGKDMOO+kzc/5fnwID+xYnY0086ho4QWRzN7HlBIiwIYVZuemuX3yH4ZhUoRDCCTe7fY7Y1nRbL609QZ9fvL8zUAY8B6p8vogCDMDaMf+0z+PiGwArvTgCWG/EY6dC16IfJAepK5KwAOW1AlTRkYrMXAhmjUotfszHYHGBJ6JX20WjAoYx3JCb+HybWc5dzVNr9AQJgAEIFS6YeZ46CtI0dXy8NBnJzNVlLbCq6gXWJuat6a0WKSe9HSL/EORy+XuLFuIvE2WGrv95sq33E9K3ZOegGYSIKzs7tz3WmuZiGWuAafPa+oTx9+jLCwkdPhleAGWfqyIMGyiVzLEk4JFFJ63MkRyUres0zfC9I3stBV3t5bhyyiKmm2qNtx34uk2VcHrdThr+9vMC+UYLNJzeMMOEjydVqr6ahHr1dJT8eNTryRTsfhF6fjcLXwG8kBiXwHclqLawKR9/uSL1sGsdNQQqq8s22opTvV/LsBwcRNm2BTbkbTJMQPHH3qPx0X0EdUFa2YQUpwsdZTByznlgdN8sEDtev9OL0+dP7NN6Vwmi58drXoOPWaXSvlFZSFfI+jYgbsmdXwj0btVJLxIEhj9qiSn2xi7vnMAJ8a+O31KUTR7j0cn68GHTFp8AS+o6zu00mgAIPR/M+xSz9rXJhvjopsrnWATZF9TY+UcaP/MWwoTeRKCDzAJBOaNGimBNV2uiFuyrYrVxV7M0AeJDmmQTLyVJsxPTuPi3bO3NSMVTky7C3nVKCJndkus26xNbmC+2uwRqGgvIUiM/+8SWOHYU14Gu3+gpFY86z8lm/TNKYY7FLwjLrwnPlpxoEG+zNVoT5ojMdYeHR+LQQO9CJEOUQzjTcHKWiVeU1V5mn8Z6rR/k5ZvX/zP4FskGyNf3BkziEVp9pnAo7D6IRWHwBWnTxy+FI1J+daIhjozH5mCyceJEdcbtBoRDNCfrnK1gZFremHGrs5tkQ3Nd1RyZqCJ7qd72ZilVsL+P0xoynDkMXNIhj766zIwUCq29IH8gCeQnZK8thJcFn/aLSBNIZNuoKg681sEp6b90LF9huZlq31tBJv+a4vghqz7/Bozi/dr/bQqXrJltQvSU/XUizcNmPeZx8V84WdJTEohw/Clae5AX8mqSFb5u+oAV541JsUInY0n3TW8tTGLMdhVHtY4WRIC+8SfZ/Wl7bpqDvmlPnEQm8ybxWbthtEPQuLmk/5Hnkt3E3zFZqFSclJUkZ6nvOVBMwVs0Wziix3Pku4DEPzWBB9cLpMJYYXPt/K3GA3C3kNpwlFeTJkUvjVMvnGrPFQlyW1g21x7IvxIl585BkyixZh+d9WC5bDmfF/KuzDkimzK/aiOeMAS0lsSWy9CcOy/8yyIyOoOKYm7qWT6feg3M6zzCe9AiveFB5IIvkuvkAUlg+wApnIgTRWbPgYu4Ui6UleBTTRBo8GzLmugy/q66fFeNufQTV90cZsqJpbdOkN3pnhbapT4ns+qWGCDOKXQXwcjTsQhlvNaJFACS1rPu6Ls7XuCloDuMsGqmqssBqf4KOSWw+jMBp02XWnz9+dRTUh6H4G/xqoTOCfjPC4hXn9hTHPRgFVgixONp8DQXbZW3DE0fLl2t+mkGCkBwo1kc,iv:hqPUyXpQL95XV2P+PeoD93+bn9zqan936pgh3WNsqVo=,tag:hVWOQ6Ap/MSCWAhvg3T6Tw==,type:str]",
-							"oauth2_proxy_client_id": "ENC[AES256_GCM,data:fsKifpvfb33ltDQ0QtgvglG5C3yCHbn8rCNL+ajYuHMX826/bBju0emaKCaN87ZDO1dnGUYsQ/Yll8bWZhnYWnodbNw2ntLE,iv:ff+ZXPT4kH6BlE5QXKydpwFEDkk7d+F2pllgnZzRpEE=,tag:4emPnnwAVR3bTnmWBGK+dg==,type:str]",
-							"oauth2_proxy_client_secret": "ENC[AES256_GCM,data:zyDfXchyQVemez+RNMxqyzZKtgXoowdUYNEuh5t0FF1iSBM=,iv:aLIl7DSLvn8HFpF/sCndKgG0HyKQqn+vhHjUorL3PDs=,tag:Q6V0IltCGr1rmkBkWOw8nw==,type:str]",
-							"onlyoffice_db_password": "ENC[AES256_GCM,data:6QfRMs2iL3vr1llr001+d+rTasGN,iv:gY2Y5jRXXS88+IpC3IAKceyfpxX0BRGIapvX5v671X8=,tag:NwwJFAce8tSIrL+b1UcFAw==,type:str]",
-							"onlyoffice_jwt_token": "ENC[AES256_GCM,data:jmCawbDO5k8vEk0lBq1M/woQ0cMM,iv:XpcCOvGHhRasvCljnbOReQrNsgJvqIGzcvZAbj7pZzk=,tag:xZQeK01Q1D0yivmT9PKQiQ==,type:str]",
-							"openclaw_ssh_key": "ENC[AES256_GCM,data:2NhzMPPGkmjZiSvKD/6VUpZ0h/8zb6up2t1oMQafmBZxOycajHLB2v2AZDGYoCVrq3ew9d8PWPZhhudLIBCthNmyY7VF3Pf8jNLwdwZ1FkbQ64M1rH1GF0CapscMQSSzxXmHsqF8xCgZo/AP85vqUZCw4caZoCdoz8bwdScBeiy5OAKi87YGX23bS9UAJ4oyHCmPfb/qkmU8hFjO7I6irZgiTPkxqX0gW/e6lPrcIyMYV8jBKLEKgiSIOXfjk2nSCMnDeQhUyQKrR4j6nRpe9jgrrBI71BQV/r6ar7GncbmKhab9WQfrwxX4DtTtMJQWSUAVcbfolsV53Q+teDq1dPO5I2+9yFMw9Km2ZkG41LcLUBFtEMHbHSbb/fcjLZ9ttL1qQCbuecaUniFt/EnmUDA11liX1CVqbrexJ5gjiV++ahtjhm8/Wi0d7ohi7DqMuFxtYaV9EHy9PFPJ3ydQ/VwgF7a8/Ec2qdAGyIixHGdSZkJ/lUuhLn1JFeMih9ZSgmTQX4yfve2G/Uyf+NvBcjmDtrEAv3Ak9H6ux21wYPUFJg==,iv:y7fqqntifJEtImtOajwnC0x19ooN9SaS2nklTJrGN4E=,tag:84O+Du1xdthYM0hXcYyZAQ==,type:str]",
-							"openclaw_telegram_bot_token": "ENC[AES256_GCM,data:FsxNnTHxpc3Ln3UVi01kVcTBl5H6gVBs0UVZcE4uquBOT0d+jQbMA+WXJleR8w==,iv:gT7hzSFuana6mAt750lcRVnJTe8AMIcozZ8CTnXFgPA=,tag:KAIO98yx8l+VCoQKb4rFqg==,type:str]",
-							"openlobster_graphql_token": "ENC[AES256_GCM,data:FiS53yLnV8NqULJSZf2FcI5KbiVb/d9WuP3V5Lt45r8=,iv:lpLUSUBAUekOXVk++AMJJpISoJesICBMZkvYm9GUmwk=,tag:H2ssVWGbhYAsm6s0z1Jsvg==,type:str]",
-							"openrouter_api_key": "ENC[AES256_GCM,data:WAqxcsRGvaKmZEJJkk8YvCQlLQ2XJ3qhj0t4rD3WUJB3Z7J1Cytxc++OPqDD9AHz4iGAtAI/HefzfECn7EsR7k5a1JjL25yHSQ==,iv:DgKktrqa81SMkWMUTO543ccjvH/Vzkrf+MKXTOGExE0=,tag:3S9CydYmb92dtwgCzLbLtw==,type:str]",
-							"paperless_db_password": "ENC[AES256_GCM,data:Ims8oqWSWp2IWFKPCM9MgmUlfnSOsA==,iv:dXilIUWVHodCbX4Z2/ay671O3YeL6CdTKI44crKVCac=,tag:h48o5G78YojWb0Vp/u6T0w==,type:str]",
-							"phpipam_admin_password": "ENC[AES256_GCM,data:SZ0NDK3OrdPzAwKai0C4I5aUx2KuzMDB,iv:PmDeJOM01IlHOLVoxHBAiZuHyVGRI3XV4dgRWqN1CX4=,tag:HZBL1CfzZQ9mg5f148WCig==,type:str]",
-							"phpipam_api_code": "ENC[AES256_GCM,data:mQH2iuPFuUC4ugvqnmP7qUD0KC/ldQ50+caFF9H3wpc=,iv:fC3xw+4jrPffay1lR4c8AAOf1VFNYMDEIjQXR5HczSM=,tag:ggsJP/7ZhtW3I8iS7ZoPBw==,type:str]",
-							"phpipam_pfsense_ssh_key": "ENC[AES256_GCM,data:+uqd8qPCUlCKvdALuHzl3P5GVql4oZd7HF/XbjZX/e6U7O97bOWU7NLcZ+rMhYw0OgwvwlKfhpaW8wXlTPfQx6mzs1geBUQA/70UjoTdnmwDoLOJ9l/mKbTNAuv729gV+Mps5A+cqUo6Z1EHAFEXviBN8Dt9YdOOfgdm3i+QjTaOHzN8uLl0dw9RiOmOT3gBTWpj1dLE2xOdncv0SBY48hK8jHFrue1Jt1fza5o+vQENuV1ScJjPFkz9hRTKece+oghZi3a/mMmm+4V60pk36WAd01kMCnny7Gg933ItKHu3NV5EMevkMwXIBqTu6gcb6QQOiyapdABbS2kiA7IznC4b3TxvLtrKzzHsgV5q84FLJLA6zKH/R0JxD4f5EQOBw9IYJGUbUrsp37BUHRj6a3m6bQlMQgM0cI5KkYugOZwmKQcwlY4fqr/qWG8FEenbIfjYMJXBJ9q0m66IbhL00y/eZHylMvXhpAhfyFnNJVy8UyCpUCEmzbnbwJCYNVSgdoI1JyIsQWQ7t2HEu5shntQygjHQPHrhY9t7TTZ0yrfSETYfkVd+9RanOAHUMU1UlV5nqz+DupapynhqherB1nRdKG28X3Nr2G6niooXaQSsku6JGqLCW1qf2W66gFPg5HxLnuXiJGBeQZbHkgFOFGPFBPsEWSgiwEowc23uJQrpgtzd130c+u4qEJ7TcjLyniZVOjLczypucK1cw+VBjYoS45USnoo2AeZvLibiuKlwrRfeNR7HdoZ0OysAYcLckngwMwjUC+v+hkxGuuJilpXzCgXjrblngvZyAuHRwItFb67GBlQRngtEGjPUWaYwIL5JwkUFVRE5GT5nPHD+/Ysxhb+AIibSPYfxRjIv1oiHY8kvlIWnL90Jkezh/fwHlHj9Uk6Z1iRY5HOt8fMoIW2wGfKC/2OBPVibcNIYRXASKE2uKXeuivNtPVsRvwfXvsckZacJV5T5yqsBdv0PkVYdWIIRV/qTbiUl7o09Hj0G2HMf+dYsktgGjaRZpb+QcRMEoe1vHtf/B89tvHvP0SLlsY/OEFxiXAzDRs9OfDT7r9bFKZBPmrgQ4T1hhVwjuZq+11vq3oCDl4yYDNXknvVnbKF5Vys3d28KKCPG6KaAMP01IsLAj2KX4usq/dqhRCtBFKw+02iWZ8GqNbfYZClDb1F53MDaBPwIiUh5F3LWv3cpBNNz5YhziFOXBYLMCQx6+PkQ9+VwbR746UMU9S4WhV7lv1TUH++25TAgrHWdDQj4UAsr6b3ipKvYmhBzrwOMvtk34SGV3JTw8loaoIzOaG43ANO6hAo655ZClaH6kFEWDi85i3AdL9ABP7r5cQ7zcrZ6Ea4Vc6GibtprvJD8gBdzvvr+Rg5+UGocy0kMiNSQIWKeWmut2bCc/TMWlg0BxQS9czlUUXJn+7dpG3baB5qXIK8Hn5IWq+PZ7ntQQMuyVvbfoTpPpxRm5q4WgmzMz1RCtKKcWo54Zz1tdu61twSmrTdNZrWC3dSPzsuy8Gte9AWbAUzXE4wq9AxkrrpqRTuQqjs813kNW7MZ06tQYHN/B0SGyz3vs5R0FnPm06AdjfC5xmb8MdsKoguYqyQ+0ihgpE9ox+LoUYbMN9jWUXMpL2Sd7oUJJd/+9qYT+IRpM/aVKLbDYbYOdUw5XlkNIUGVho9vt7cmj0bFxoiRlH3kVPBADAw9ZgrnPJyG8NhD1LAFG7IyiUJpZniikLT3uY8rF+HTmFu0+DqhvHSWLNDYfO6Mm1EjPP06Jh0d0y7tgpCSwjlo/cW3uyjAHQ4duRtedV28+t7MJrA2/EGY/2qG2eLUMaRE6DOYe37b8/dyD6ijIrEV4diFqR5JNno6yzN5AHITWawqx3RL6LngyaQknZlhZRkQzFSJXOsSgG8++PnhLMu09WQGjjsy0zkUKVMwNbbbeIz1FKxuyVYyJepK2WZcMdj4+nL3hpMjrmAYBGudCK6qh/74/cnZgisMPrmqE6K5CEZeJdkF8gUJut5u23yQzGVd4DrLAs2N8vNL4XdfaSmKU0I2OCx+Qc50TPRkLQHj1+AGUCdCXKeB8DH5wtksgRawrWoKs1Km8pktKG/eTRKVkLChWWXl3MIc2I5lADbsxomNcI+iDwipmvfaoBMBJnRvEYdqurijySMXq82zt5VcsOdlhkXY5c75wi8bl6QF+Tw0fhYIC8rjZyYU63QipZcOqYcI+zuFev4MfLKPfkjO,iv:dzDjyzBxcFxifrJO6nDuN/HUkCbGKLXMS/PCKR8dai4=,tag:iFAYFk6fSfdC10gHge9Vjg==,type:str]",
-							"pihole_web_password": "ENC[AES256_GCM,data:swuMEDjXRZ5udgbQW6BeaaAMRrQ=,iv:CAhk2VbKGshgQ4LB9yWjA2LJSXUIskNIYYq5iTzXm9U=,tag:xJloh2DUVitVEMhsxdujnw==,type:str]",
-							"plotting_book_google_client_id": "ENC[AES256_GCM,data:nKBS4YKPOth1sNsImNcUuJ6NXK6oaxjuYC8tyr+dbgc8YQ8xU4DjR5zS2t4HNhuHFl2X2o3gVZaGNTYPiuSa817iYEJHKBa6,iv:LMbOSgkZeU8jLve/K44t2hjvfUDhAm7fzeOfQ1gh968=,tag:bmnEabpywqjFCisBx5Inag==,type:str]",
-							"plotting_book_google_client_secret": "ENC[AES256_GCM,data:EmdYli5CYE39jlOxxwl8e1mW+AIcqMabAfmTG+cgPgghdwg=,iv:Ff9jjIvXPAsrsFPf09kUjV3m5nbuTd8kEm95CpBQXow=,tag:Dz5+jxSRBtmOIuowuQMaoQ==,type:str]",
-							"plotting_book_session_secret": "ENC[AES256_GCM,data:vwxnCrdeE6vFKnOLGyaD3XpABqyw2iMhEoOrDTq2yTRSbIXnrGcG5+xbicDTBa8iCN0wK2+ZiZTdAtYguoGuEA==,iv:a+CG8dY9mGt8/Y6Y2hoiaEY9b+9YzKnDlX2uPiU9iUY=,tag:Nc/tcrCEsuJtewXB1g5KZQ==,type:str]",
-							"proxmox_csi_encryption_passphrase": "ENC[AES256_GCM,data:yUtsJkY3sqtcyaiYfnhVWCIfclI6ioTDAqzz2vlHo64+PNYUZjGMf58mqqW5+YrI/stlh0N6+492vXqurBxnEw==,iv:GDHVgxdBPwHbVCRonPrkjpSkEEfQjLX1LXateDlrBcw=,tag:u51l2Ym2MOup5Zf22FjAxQ==,type:str]",
-							"proxmox_csi_token_id": "ENC[AES256_GCM,data:zNf9m+InEiKqhJrDNF5xKGc=,iv:/nKCLBOAvZjaD1CHvNtPGj4+ZnXh4CuMSRb0HQ/haYU=,tag:dMwQx7xH+8t3Z/KA+DBqaQ==,type:str]",
-							"proxmox_csi_token_secret": "ENC[AES256_GCM,data:rkKwRZ3TMGeBdrsyNZuqxaZBDGQBq0vmgtPimmmKBj8+SSxa,iv:41CwObdBbfgrkrl6NJdhYQtnpPNETHpBwt4DGq+Z2Aw=,tag:wHOnFern9Ukyxp4icJP1vQ==,type:str]",
-							"proxmox_pm_api_token_id": "ENC[AES256_GCM,data:glmVl31voLgaiZfdHMS+fYBC8k5DXZnrNwh8WuTi5cc=,iv:bAEfkQ74u+tGmoxqPHArpCXsPZmgmAzejmwla7YEyYc=,tag:scVI2T50c4wBwQBQws3pIA==,type:str]",
-							"proxmox_pm_api_token_secret": "ENC[AES256_GCM,data:z8kN1OQkLflv+r+huJ6OCN2L+XlZkmXhWWwCPaVabVAIpQ9c,iv:P9yGEpMCSx0qgfTSlfFOfPEOgNb92pFzX6LnAhCV/hM=,tag:QwzEnpE+zT2I8uuHqDVNFg==,type:str]",
-							"pve_password": "ENC[AES256_GCM,data:sKXU79wpntoqtgdjnTUarOYqNm2WJPbytc6Cgw==,iv:Up+4HkXp8RAXpChmsSKvqH85fxdTo+DnJXKd16pNV6c=,tag:VIMqyQsygPWnZiLz+upFZw==,type:str]",
-							"realestate_crawler_db_password": "ENC[AES256_GCM,data:xgOTNatz0bA1XtL/JjF8ig5uyyuL,iv:/5r1vq3i+L3SHflXhc6XLZE8uT6wImXk7IVZRFMqcsM=,tag:6zunYcx8+HtEy7sr5uPhEA==,type:str]",
-							"registry_password": "ENC[AES256_GCM,data:X5EvUZJ/gIZv8RYQPHfNcoUWXaIfS/r8wXndxssafw==,iv:lN5RelBOoM4iRoomN0w53tmm3FHD+S6alNdm6z+CcWk=,tag:Oh85nn9gp/drqEoc1k03Ag==,type:str]",
-							"registry_user": "ENC[AES256_GCM,data:sUutOljv,iv:N3h6VbFJ1J67ZIED0xAbK2goAWrLEl7rmmPlv3oHLZA=,tag:EYSjnRO/nOj40epqZqPxqQ==,type:str]",
-							"resume_auth_secret": "ENC[AES256_GCM,data:4cXiIlcscSpW2zpOrp3TyiiuJ3UcFPfsUfN+kXuB47Rl7nPOqXSbrBcVYiM=,iv:3x53OaCDJD0CJ/c4ntRMP0ylodW1iWEbQpxv44bDGDw=,tag:vmAP+qGRelYk4mdKR5tQOw==,type:str]",
-							"resume_database_password": "ENC[AES256_GCM,data:wZcerGCUlvZr/SrMn8k=,iv:DMyeOy0ceDfCNBQJG0JBBS3p6l8m9aqJWlx8GFiODG8=,tag:bbSLaWjiy+CKjhpEkYyRYQ==,type:str]",
-							"resume_database_url": "ENC[AES256_GCM,data:CzNY9t8B4DIfqukmOCQBK538zNgrCcip178ZnnAYk3fN+Zb6Y7bRZbVaZukAJMY7sByT/W8g5AKrOaDbQ3Ff1EoPwG0UdN+au8EPuEhyZJbb,iv:T4Upu5rhDyZfvLPflboIH5hjiY6rQlCjajyiHzZ5IrI=,tag:FJ8qMCkyo5IDhWFKNnPrEA==,type:str]",
-							"shadowsocks_password": "ENC[AES256_GCM,data:4EsjvuUfVkWz8pGgsiXt6RuhLv0=,iv:3KHE7TqRn4dai+THPCD2VyALwRJSpsXpk/MudjFEy98=,tag:n6hbvYdDFjxek/SNmXjfOg==,type:str]",
-							"slack_bot_token": "ENC[AES256_GCM,data:g10K5w9fJzBxzBhOqAyxCdi0J9/pW75PeeKZxqO2cUz/fBZhK7sBswIAEikqoDz3ZFqsQSPHiempgw==,iv:cjaS/5s4TYGTe2Fq6rQznGQOpoZdVOGPlIxASLrJ+ps=,tag:ENzBcuC5WK8duZD9XoVVtA==,type:str]",
-							"sops_age_key_devvm": "ENC[AES256_GCM,data:hORO41K2affjLtVzSZkz88XVP9e71qVyTzu/scdI1AnPVTuFe8xwGKhaz+rf6KnJcleatrVcRlskHVc048p67AWvxzN8yCn3ITQ=,iv:4MF/t3xMGvDzqQvuF6H7i/CbjIQosumu7zp+JMhuVCA=,tag:ys82yu6ou/gUNRH0pptOLQ==,type:str]",
-							"sops_age_key_laptop": "ENC[AES256_GCM,data:AIA/zm40HKpShYr/v+ZUSD+fbXVg+Mxe52EfgroIG4TRMl+SKYT0nl8jwmb5As0GbaL74EN3HexPXKsv1y6IgJSVECSyLgYdFyE=,iv:EwRiCQNfzbdPgYrx9gczPWhJm9dZJP4+kEO1zoYDW+w=,tag:k7ceB81mG9XXAYJufV6LiA==,type:str]",
-							"speedtest_db_password": "ENC[AES256_GCM,data:osgRcMa/kQaluR1M2Yg=,iv:SQTqzcl52xndr8dZ21H7W+aFuvYRAoxZe9k/lrGj10Y=,tag:lFNUazLw7mGDdT3lCRO1cw==,type:str]",
-							"ssh_public_key": "ENC[AES256_GCM,data:9JYivCKv4YPo/lZH/acqqr40zYdo4j3fQzcbewNeldbA1IIYtCejBNpCsXU1YBhP4y5VLgVYWnPt/aQRcJ/CPy+g4XxF2c30ZGy/MpwHZttjob1K8W+lV7+tdRG/uxn4/3k=,iv:eOxYDiujQA7qh0er7ade6FA6UEWRLdKoHXkZB28mAWo=,tag:BPwJP8MQVDZdgMXc5aRlTg==,type:str]",
-							"stremio_email": "ENC[AES256_GCM,data:FQY2osLANSvO3oNDTPhwLKJCW3YE7x4=,iv:FjSHeINBK0PFPGGYhA44bLnvOpwz4XN26o535YaSdeg=,tag:n+DIVVV79Ok1DRADAP1TkQ==,type:str]",
-							"stremio_password": "ENC[AES256_GCM,data:YASrMH6nA7BpedbkUY+9HT5eILI5TQDu6s8=,iv:CpH8sObEkRk49UcQf0Dtbx3JtNUVxO5zeptw7HsJumo=,tag:rTwz3SRUHU2d7nfCSTQ9wQ==,type:str]",
-							"synology_admin_password": "ENC[AES256_GCM,data:jf96TTfUVgc=,iv:l+3f+DC4qzBIjsLAJVQWKVe14s2BUpY46MPuqWIRD+w=,tag:Q9l21WL1sVb5sgpKSEHqDw==,type:str]",
-							"tandoor_database_password": "ENC[AES256_GCM,data:ERYSGhwpII0ENBkeSmd15y3xqYVBQmJERg==,iv:MpaqKRutaeyjrHklUZeeGvpfKdJ8MfJEpe2/KC7Thz4=,tag:Qq7bI+xpzODSN8jWAGq6rg==,type:str]",
-							"technitium_db_password": "ENC[AES256_GCM,data:GQO9LvR6wTPpOUUfu6U=,iv:wAPkNiKXzpsHQK0n4F8gxUfyuK1v5Cx0G11IFJzFo3A=,tag:ioW981243EX4oN9PlDPy4w==,type:str]",
-							"technitium_password": "ENC[AES256_GCM,data:II4F7AEYjvWHPmeB2LfqoeCScfziTt8=,iv:HjPE2q43IDbzskDMU2RK+SoI/7Crv+xncv4pktHO8e4=,tag:5ykmSG9q5KEkC3f9x6V4Yw==,type:str]",
-							"technitium_username": "ENC[AES256_GCM,data:05SHGV0=,iv:a6tNXaNbcY7Mxjr7y5je2wTYAoaD+0iio3Zs0ZggjHs=,tag:AYkonMhoIy98Dbu2s0MpHw==,type:str]",
-							"tiny_tuya_api_key": "ENC[AES256_GCM,data:cb0lSVl1H8MiQiEtTNHI0lv++Zw=,iv:xgKnvr7N4M2fOvSiBpH9XaQlO6pgClfk5Zuo0Nh6KZA=,tag:hXoigAcxBkY/XH6HI1Q0pQ==,type:str]",
-							"tiny_tuya_api_secret": "ENC[AES256_GCM,data:PbCIVOMUsK94NUWus6G/yvbXZY2GejOMO+miUL8FKmw=,iv:Cs/JUqBj3I7tnmolHsUH5/dW+Wt8i8HajBawnqisYRY=,tag:uMNUchc/roR6SB2YjS0npg==,type:str]",
-							"tiny_tuya_service_secret": "ENC[AES256_GCM,data:Wrad8Uc4k1g5teXrT2oF9WRq2iULYw==,iv:4HIHCeO4ZELkmkqSRS3qOUjcqvnep8l3Yqw5YaEquI4=,tag:3AI7lltbLe+zr4BCv8DwCQ==,type:str]",
-							"tiny_tuya_slack_url": "ENC[AES256_GCM,data:xITSrQiiTrsZsWQ9b6J57uukR1YSQlyzJ+RkntIV3JIE2AYaSF0Q2ezaN/j6HBzaYRFCmSFqc7qRBHcWmq4VSqF9Rw+bvqTjKL1NeCdG9CrU,iv:2/OZmHHgfrzxJGtxZBEvSlgBmjb73tAoH6ApZgI5o3I=,tag:uEgop64jtqqBJwnzdG4Z5Q==,type:str]",
-							"trading_bot_alpaca_api_key": "ENC[AES256_GCM,data:yx0uUjYuV+tw8MHZb1ahOeQ0uxRAYZcOpHY=,iv:5JD9ntS2/rqfAhICcOG3BGsfsrIQoJdE7DkC3ZMHEp4=,tag:FsIIcXXbvt55ymHLdKvoXg==,type:str]",
-							"trading_bot_alpaca_secret_key": "ENC[AES256_GCM,data:/bDJ3Vbks5ug3wdMmPiJwatPATb3ZxIXYIBwkiqcC/nKxYIJxzpNOXnMWK8=,iv:i8Sor3mtgnixFW4SuT1BGP6drOptPDxV8guFzf2uu2E=,tag:hhYrL3vdMg6PF/FMUQZmLw==,type:str]",
-							"trading_bot_alpha_vantage_api_key": "ENC[AES256_GCM,data:dFXGZfFRWrdyBVLnL5KHNQ==,iv:rQheJt7wQQ4U2hRU+tmpav6r6MeHA0gJD1vDzxnMgBs=,tag:YvcDQz5E3kcqu6uC3BviPQ==,type:str]",
-							"trading_bot_db_password": "ENC[AES256_GCM,data:rCLyD/VoHpKuzlcxoByQl0nukC2qOZE3FXZB4oCqdIE=,iv:kvQiJlxNpynCg6plN3G3/WlfGC3M7rIqlmPJhTgpVNo=,tag:18cu0i8jWCY8LN6QUvZgcg==,type:str]",
-							"trading_bot_fmp_api_key": "ENC[AES256_GCM,data:dFxApTWl5R8tSfRbApHoGjztOTLqbqZStbY1RddekG8=,iv:KxV3YUd/7Q2lZ59N85zFV8eiarnfgGZE1fMktpMDvpo=,tag:lS4g03D1iWmpQkyRyg8WWg==,type:str]",
-							"trading_bot_jwt_secret": "ENC[AES256_GCM,data:6jP2qmRwxYy0mf8DaFGTsJD20xJERS/Mog76Q2ndOMuOSBmvEzzZ/SeUqnagV+gwN98fl6pfVbkwc4+rvOq/0w==,iv:QFfLZyS8b2TVpKakVvfLMh28mUBQLR0lHSDnZRafFxg=,tag:eiHbS49ekJB6DVhqagMNrw==,type:str]",
-							"trading_bot_reddit_client_id": "ENC[AES256_GCM,data:nRwAvilpnwMo,iv:XUSGBINnGXD6gUcihDgq9cPIY283r4gJJ0BRIBpyKwE=,tag:hf1NLVK1ijifhZO5/LD5Lg==,type:str]",
-							"trading_bot_reddit_client_secret": "ENC[AES256_GCM,data:BlCI+f49i06T,iv:TKFpIY3JM7dGnREHdNXZj5EkYhrBeyaF+SHhEg4lios=,tag:00dfYh3SEx78/cRJThnG5A==,type:str]",
-							"uptime_kuma_admin_password": "ENC[AES256_GCM,data:L8e3kLvGJXMoOTvfzS4QnA==,iv:7W1cvpR722vY8z1116njeA2PDsQ+pGA1XVTnbQ7vgI8=,tag:Ws0lH5zwCAczzY40iq1BzQ==,type:str]",
-							"uptimekuma_db_password": "ENC[AES256_GCM,data:neDvs4AvzymE+IXWwv73Kx8IXPFhKbzjDw==,iv:Fkv2Yan1mmiajQxVtO7sZ9fbFaZRAZ0U+xYgxt1yWxE=,tag:CiEMiRYUfvSzEmtECjRbeg==,type:str]",
-							"url_shortener_api_key": "ENC[AES256_GCM,data:HV1QmlEQP8pdMhlUIhFU3aFKLH02Lb8qvdEDqmhApBzWpDJO,iv:/rdzBls7ovz4QnvU8tp/haFHicMiT//6yucejw+4ApA=,tag:uBAHhJak2NRdJ2YWn25MBg==,type:str]",
-							"url_shortener_geolite_license_key": "ENC[AES256_GCM,data:DkweBeHSKcXKxxs1wxPK0Q==,iv:CXBjr7F2cQIHsL2wBJFiFv+Tkc83caTxt05e0lu2zbA=,tag:SRB+xK2Mc3z7tiM6RIYZaw==,type:str]",
-							"url_shortener_mysql_password": "ENC[AES256_GCM,data:yrOG659rdjsT4v55Tmt4xcu3VRU=,iv:H1A5+1yvZFcaB6c0Az8G27JWYJRMoUAV1H6PaR09NHo=,tag:PW7dWZDFzgNZ2TG6O7F6hw==,type:str]",
-							"vaultwarden_smtp_password": "ENC[AES256_GCM,data:nZ55jDZ2XuzzGO5IjqkAdr1qg3E=,iv:iZwhFp0QPhNOiMMb89lK/MGadVwgnMWlrVs0s5ZG1p0=,tag:BjDynFZ043EhrBRTRVz/AQ==,type:str]",
-							"vm_wizard_password": "ENC[AES256_GCM,data:McwSJjOcHkW7Hb5b/aTWcC5agHBG8e/r/E0lsU17S/t83/bE1FW0HBQYL9Q7UPUIeYbykAj0KibFN7FxchzH9nPvzVAaOGry2A==,iv:42jLYBPY1T8gPjoahQe4n7TmGzVGFNHUocY8KN/HEvM=,tag:4+dH+GvG6KCPwozKmwLw3w==,type:str]",
-							"wealthfolio_password_hash": "ENC[AES256_GCM,data:EgyivO2hyeUs0+e1ubD1eB8izDVN5QyBTRUO+Sfb3BaHW7zVBAf4wouVc1PhsbDAgo9VE2Px4zKUlm/DQhhZlIq+6V9u130/5q5aAU5DNWugLt6p,iv:pB4DHxLG+bQxTsn00brGho4Z7XebA3Y70pdPmwwRtiQ=,tag:797aM2d4IaIggAsQu52kNQ==,type:str]",
-							"webhook_handler_fb_app_secret": "ENC[AES256_GCM,data:z2BKwyGyhYZZO/PfAltGbcJZ95q3Sf1fh2IwY62A7qI=,iv:Ax0yBLSdQyK5D+bPmLF5IPi1MgGbRb+bQDWVLPYENsg=,tag:xxAfgrhEKCgUGTC5AmwMAQ==,type:str]",
-							"webhook_handler_fb_page_token": "ENC[AES256_GCM,data:ss+aLxBnHn6/WoPu9qms+N6eLePtF51w5dzVW7u3V8bXnLQdQXUo/9nd9Aw2jIh5lDA3Trj0QjOUSKP9PMxHY0ZuJKZLcdZee2At45SSIecYz0u456JEazGmQc25hHyOJkgnqFlwEYF4YTzPQztcAggUbXPYlpz46nhBKO8lFJk5aMevjBQPWxFtZLEE6mk1axbc02QKEFoiau/cfzNzR3GiBXWCE+3wju5hiIaRfGNbT9WOqyWzMh3FeaMXODfFnqPsJEVqCl98u5CYW45d2QRJGTdl,iv:3LYe1Ln3YQJJgYRaWAeS83anSvJuly403El6kZqG/gc=,tag:gaGm8snPkUuUtOkMGkhvGw==,type:str]",
-							"webhook_handler_fb_verify_token": "ENC[AES256_GCM,data:XA9u83q+3UWBBLinY4CvNebOaIo=,iv:/I4bFq9+pgQRvsaOyHQPfvAXVk+j4EWf2qpURKQFUpg=,tag:9ooCmJh9o51zjZfLijzocg==,type:str]",
-							"webhook_handler_git_token": "ENC[AES256_GCM,data:kWWP1i1qInQfmKpphn+zqpk4mF8tO+UgLB9CBs4H4vyvLJp6RV4YgQ==,iv:Ddb6RIKHCR7jwjwPpRknuqJg6jJTQ4cyGxbnvkxe0VA=,tag:Bhk+RzQQ1VQNMCRTGwdrYQ==,type:str]",
-							"webhook_handler_git_user": "ENC[AES256_GCM,data:kXuaWH/ONRZiU4BH,iv:Po+K73p6PEOOkqmTUlnmwjPNeaPT2tJopXpXO2Rh54c=,tag:xrlzJvaJLAoYwCibMcxe9A==,type:str]",
-							"webhook_handler_secret": "ENC[AES256_GCM,data:oAu0z17GDQVBhvey3nxE+1biBiI=,iv:/f7GbA25hIRa02A7ziIpCY7n+Flons9DjyKDRa2Agr0=,tag:L3mEBij1ixjHS+083pYWIg==,type:str]",
-							"webhook_handler_ssh_key": "ENC[AES256_GCM,data:9UwBttbXHl4HXr8qJeZiFecn6MUqDFHLpYIHzwPjoEBz2CZCBemASWbHaTlXbMrobc+S+P7aIiiDQk6o710H8qyurqP8htCfNaRfJa4+cseslLkaldbOunNoIIfNsAnjZKV0nEbCOLtdE1UcYebQkUqu9dMr1+dXZ4dAcQMJHdIo01KXVVVa9bpf5aopIQvVz2wOsoR8xO7k8idW+9PmJ653eSuBYlRx6V/PEW5eArBCElTGoSQKC+vq9j0oaHzGFKzDPmhy9mYIR8iI5F3iR2IZ9J4UyaL7tcxkfth0HdgupeRT+i0sDpB2S4fNBSY2ixhht8CjpTtJDl6N9KG6BYjtwGzbqlxWfA8c037YnYPVUQL9HPr+GjC+tyCJnORp1+DlGYQk6mvjSe9Aca/0VzS3yv0RA0He105Hu4wj+ZFcfvkXztfXXPJCOp+u/K11jTHEhrX+PEGEBFEwKReTZA5Y37GdM2+YL+ufTXBEHmdF+PJPC32Jw955Aw0VLFQw3iHSOyF/niSk9iM0+yVpehrnRxtDMEfQ0PiXW9jVEFfgOTbfsieiVevYCzd6BGQC6V616WMwd1rsd8Mqgp4Zj+c3KAXet62XfR6kwFQWYWNAwmyEs8LyhlU4oy/vvtR+D0wHV/8Q41m4iDpnqx9P8EJUPme9kO1eN4LgSNks7Q1lyhdheVSgws4LaErJUm0dJr4oQUr3S/gp/L7OT5WMCyWtPnVhRaT4afr+GO2wyWQwhSOpX7A4tFEgLG2dSajtBb5T9tEL0n4/EXjXULQLzUCdzLnalFXnw8TCI/Dktn66Koe1MbVR21hDPXP+5Wvz4aFzBe9A7c8R70S2bWmVZO4QpDH58n99a9GQq8lQaJd/6Xv6OBj3aPIYIPpI38VJ+uwAdjX/LVtpY/z+aq5dA7e+nKgZ+aaoPW0vUJQ/AcNweL41jl68aszSR6UnJ/7Z+qjnhp+LFD6pXMf8VdiBDK03lTvdbfOM6e70VPd3yhO1O/2GsqU+jGYf5hcDaHpFrFPRj9JBJauwbVXMsnahnCbhL0WpP7irM9f6KEb1XudB0EbbNLnaWo4Yq0AbShbRBEzSavNodhwBwGSoBtuGmUvJN/9nYq/6m5NWopM+XR8erpK74D3F8Hk01c+XNMfgs8/zIR41GRkB8WpvfqDGE01FukilR5khAub3KSL79f4OJYH7vCJJdfB3Z6yf1MAJd4onZ4R7wWD4nVGaXBz+yYbgqxFSnMaUHTYE6/DCyohP7OdN9ZkcKY3rYL6uGmn9nff+LDJFnom0N5faoWlJnVM/jH8zerYloxrQzIebif/rRam4o4+7QBQVA2jsQI5sWb/PLTN33a1aAqVE8ERDSpdwS+LQQ0V+4DQjPWFH9B0lPeL7a2yvut/b8yamqbSdch9vgbJ5HJIrBvBVOK4yUjmgcCZrhvnqvB0W5IJy7DkN7eWD0+9+wza6VD4tcxn3tz7yQIM4gtYH4YBAJ1jLynVHZupn3Oy10XqP1e9NheVSH9UY6ohCcU0Op58/s7SJkHi32QoOy6kzHHHIcOt0xpMWaQ+XoyxIjvApMM9dm2biaWZPMxvp799nn3pFbQ5mrKL3vPzj0ImKLHtWYDi0Dr43fTzWqdFRAgW3Pj44kgvogwrnXY8NHiqVewhPOj+V9CJtLtf0WzaaS0jb43G3BcmDb8AmPwM2u266UFyv/ZVlu5hIJG5fdKOi6Xg4+zp84Px5iHCj4aQXZlD4LJxA2hSMNqkC1LnuRvu+tMeUObw2H5OewItNOkbyO3hgz3dWj49Ecu6Agxa5TCig8dJxGO+CWp7l+H9s+BEFmWE1AreT6Ib6h7QXtIQWASzM81hX4SHNziif+hFskDbGuBjyNmsue3wsBP3AYBOsaZwETTqm6097F+Rf114X/xJev2HNCh3QzvePbstGnHQG0aRWDU3cj3gTwFeZ2KRh0Td/jRCuImfj2lTOGsDwuUEQjcC4sJwyrfRtIGDry8XD+41Y8hy+RzYALDMYn+rJk+0Z3YUgKUDZVUPU+4LRsqFCsrBAgt/8y0jC/Zf1RSXaCCEXBVi+DiXLw2VANwnvd/HMIiEcG248Yu+mHQI5X5WIYjl0VodJLUY4IvVNmjpVGP9MY/I62OY8EepyJlJVthRPSqBf3p1BE7A52TyZNR0VtYJXrkotfCY0Tg+x4FvyQi2iYZzwkJses2SrwELLwbx9i+c5xNzeGMDPZLlHorK7V8QiRLS4wn2GD5RKSAnN5ioKyhjlDabP1JfXpqhs5lHpClEaIm5GHTt8HwUewZ+jmZR7nPuo+3aA+GbvyJQGRtKcanl+zBJSpCqklOQ4JgMtYMnMMOaZXK+KSpXA1EdOmc8E4aOkLTwx8b2N+5v/EISLEU7275ImiUMP42Y1TH/UrUO9dOyGBGhv7lgnBzJ9qUcbaTS2OoOLoW0SF4yYg4ZeDLFU0v4LZ0IAVJ4JitgpxJQqhb2C7n+cI3D4FCKKOeIugWmjOSe/cHdwuOPd9TtaZlpq6bS/raufmNAcOEequciiqjWv4vPq+jCTW0uPHkS8kn7njPpZHQnSt4mjzWAjxL/RTlDMD9kicDGGyStZ6zaY4crIyd0c0jSHHDotw3dAIfy/CRm1wBOs5sm+1mzNTapOv620RFk2rL7mAGV32HXm7pTbemVfDC9e85N1bn0Tr8mjSwgSbFrPheqaK+x847ZIF84gvllN4sUcxCnl12XzbMACCS/DrzGpz9Kx1JjnjX4oV8PgCBFCW/SEQ31wCHQ8ELOJRcxFhAa2jHffZQbB0X8neH9LplQz7ywq0XtMcZHUaOdCWZznh5ggrAjNp2mjw3D7ywBTFc5xAe1YRanP4VtkyBFCQcbA/SAAoYniLHbXFtgA8zMOLSUjfD+Kixnr+/bnvGztkQvrvMe3X7+JLpasFC4dNtYKixBz2/00AwqmfiRplbzIQFndBTAPvq5uoHMS8kw5sEqhWrrPJUitfmSinwPvMK/rz7V0yohjsltmP82YmLV1bbIE17edtWxQUcwMp0uXIJtTvG0vx963XuAspkByKUQcgEToBXNtBoE2YPWGsJ208WJPCuUsAD1di5CxfxKh0kSrGRGTV68cJXmmkyBcwy5ByHY1g++1xHJ9uA/8ZJG4cdZlBl7rWij+1UCRytMtfI07Q+WZWlzI38tXxIsJcM0U8CyQWD9DGNrfxqA6AbVZ2l5Wz84P0Fc1DL0jmGlCaO6wSobyjyII9k2k8gHocxmjk6b0/Qoyv+v0P3cOvE03VcEpOVl212hBZtHsxla39LwdzUWrlo2q5Kezyi/QDlhLZLkKPa7Cdfl1TfY3fJlML13GNJ4xpL9sTM47exYLBAKWhW2H1gQpQCH5u8aRMJMD4QY73mQcduQgCvYmea6SRFX6hHRqUCI/bawv5ejyA5rrX5z2jsFSjZTMhqsnP/Ql50PfeyODDOBPc29nhICdcgRDJ/B3z0IlnegHPTbyxocZW3Y=,iv:Y8uNjg9C3z3qB8QWugi33LhPB3jcsSZaxNb0rJtipmY=,tag:PwY/anNAY9LPRY9g4yQkbw==,type:str]",
-							"wireguard_firewall_sh": "ENC[AES256_GCM,data:24p2iqH5AGb/0/Qa89F3eDuDCGrIqSoDZg56MvG5WFDQoX6qnNqJbUk6t7W5SJebqT7q+N0pnvsGdPwYo/bGCOEOQuVww6cnP8n/LlkKzhZ5cwfggffmyjvK+pvQJQxejCVNLl/ZFGLjOskEqJsGaumoCf/ZkxTj1zx1CBfVTl2y7BwwfIDx5dLpL9e044DKwCkGqXOnGSwix7+pyJB87loL5h2QqqswYCAWJak6s1rCol02+L919Mi/wb+7AF3vNcIMsm+Drsi7Y2gfVeq1FGBu32UvsVrnUxbzrrq0Dn18NCb2QG4T5PfJ4zWKmc6MWWL1zzbJl7LngP2R8UaswZj3oUvj+Fmuc7nHlJax+R2ufgZPmASdGxyOtQ9u4xaxExCMN0fhwVCHIczgamDpJdUDyMTcQho2F3EVR/UiTVX9/ddFXy+3Q4QzOwcOqmI2e0vxtWlQv18t61t/bmqDD393JrIxEYA+JI3br/ggFMmzKu+zy5W2d/jS5Je3GHXajJ+Xwe4qsEAZMS4uMxSHPsSnQNd3M2GR5m8=,iv:GQecuTGPHJZlR/EN2rO5c/MoEtQDYIN4SO5dahGeNwg=,tag:/hMTLUTxDcp4i75RdxQczA==,type:str]",
-							"wireguard_wg_0_conf": "ENC[AES256_GCM,data:xXs5bEFerJTlvNYjAb0CXy1+5P23Xi4ObTRdls/pATNVQpznkaFUC7YFgy/NhbwTxgRWyAmVCtYSkThJGhm9eymf5NbVqyticM35NXE9r9WEl9zW9fghjYhDKwgiWsl817QNAbTWSPs0mrn6PZTMIFbtsfed+g7PK/+3mF1mM+IzOttQnTCvx3sDjeJTrSEgQih+RNS7D1Je9LXTxbzV3cr4OOMfmlnUuqn9ve1A2OcuMoc6aCtlSpYrUB9bHcFnEF3SLXzM1vkCKowFxI2fvXqjEceH/LaeKINuHQSBXxnTSY59dueY2RrlFCk28qNz0Za3Wu+7jdYj9u5bHg37wsf9cr+7F4aulTdHj2zo9y7JZk/PPI/9Xf8KS+TDR8g6RRPwvzqfTNAyAq1se3wbxoXRNib5yN4Ch1VteUxhW6YQ17vV0HgyaPgS6VM9pQ1dUdjjKOFA2Mr+iY0qdnH6UAvcgSelx3c9x4Z3r/dIRucWqAL/yqcivcKB9ruL64pG53jNvTauvHGIPXSzXde6/lFuBVEiW6BjJXfn3AfpsHIJEtSk5Lm/65nfY7K5sFfPxdy4DJeOS4RGmqddvGT1I8nkEwNzf6tiHuC5zg+S9gT81wCI2kR0Sm5HJUewH0JkuODUJyYyWN3vDYjER1GMXimLW2apBpjZHHOxOapT7wTVbFL4VlKYIxrpfl+Nxe27IuqYqF1RyC/HM2b/eI2aMfrx5T4ul8cGIQP3DhFJzh1OI7yhadsEHhrwkM64gS/jZeiza0oLE0z/dGUEji5NqQizKTHIpGro3WarKY3K6z8KzQT4rA/kWbiAxowONqVykEreCifwjTKUzDlArkPCKApeHOoF0PO+hEz25F1VDoFTZ3TVt+ZWOsTOnsW0YnLkWxcb9keoG5UnX0nOdrl1djc4GGOFuwd9vObRpG/ws//ZaYn8cUFJo4Vhd9Jg90fT7S7QuOQsxWG5txTUR2ydMYhC77MeIoobrRMB2S7e4cYZJxV7ur6CyYKp9UptKvTkpeRVKDlf2aU8bv57cBLLWYCP2skzOJPEBQDMTUkXX10x6oKE1JWo7ovNHxGBusOUAwfwNtSjAHDTwVgqsS0BFdu6U0gJvhpMTHi7FVd9EBVzjCIM4F19SxaD7FiYAC67tJQUshTr/1knDQRRYncE2AbDQArlzjVgKOsFC7ugMvyZKoy/MrmzVr098mUMAYgGg/byyIdK06ejQd9aZdsTsrs6oscrffCicDyNeN1RXgug+JpytkJd9V+w2mZnZfR0VWRlsldpzamjOoS4yMBNLNY3/lsggq6VkTcQJFS1EMjKlrXX3Ln3NjyB1mZbkho9KVgW2ulyqC4RAfQaZiczmgotQ8qg83LAvS33ZjLchTiT5U0MEhITgsuTOdaWF+ARtMJDlYOIb5Zr3RjhdY1fMQ9/fEykryZBGS9EPpicfkHevt66pArEWlvm5k99yD22Z31yu+c4QMFQCI2zjpSILBEYkf4COXyb54slIcSLcPX4mdb4DgFuPpv/SpgzwcMY/tRlge1ne3woLoyYYL5+KDly0zBRvCO7tlGqVYhqMBFTmBVRX4AqOSOEn41/fNeRrhUYc4SAcj3bqKUZR72UvMMcTJqXVNGD0RVrT1pDBVlSVOO43dk59DPuQj50YSYY57McQQTcvcvKQp8WWAnR6oTWRzIkmMA5tJ/2v0WygJpNicKCKVWA/2SQwZQgkJP9azUYUtrm9BceGPXaFdu9y5sM68FTKv7AC1eSd9cljr90BVahMo3frS5SpHBp2OHDyuzMAjusRG+wsI8f2tOdvULgrECcaO57IWrmMNY1WsBLfFE1hueTrg56Gpl0wvr7jaytPbm1A/chakKPqsqu767ca3v+0Av/LkiG9m0Ewi3r3U3VTv6KPTjw27UjhIBUeR4NeduYQsW5E7elYcr0Dx68/Dk+6mfJ7llAF5NeLZoj6+XB0EErr+TPTxCJKTcZLcPzwjxUQs9rpJXGM6RBDm6sDHqOZfpqhDspj1AVCA1JmhJZejhNJjjKEyFrSlkxuEyBBjGw3Gnj2rxGUV39HdiHDbsxozB4D0/8H+BGHhiYSPv5j2ZIxFGFiC8xPckQTW/CqLd4dWooEhY0/uWyKL8W8bO06J5AyG6cfcVN/jwJSKkAJ3r/HnDC/08N1HjkmyiALiyv326ag/SltTqqqdYLcq8eGsBpIoUOSY/cjtlJ1SNQE39CsBGCkKlhecMSSQfBoGl2JcV2Az1NeK/18BgOZo6rxzNbVTinZuwJP1yieg87fh+o4tLzh0nNgwVXPEz8s2kw+Qmv047B+/Ty4yj+gPV1pgi07osX83DLK/veMUxsB704GnwhzL22l/TBRW2p6CfnpYNqCYYL8OtFzw5ZYibFZu9i1DLIMN/PBclBiGHZw6hL/cXEfp0h/Y/XN2jT0aI6ODpVef19qP47znCE7VA0bdmyB67huUPUyRT5qP1n5+RFF1ws3e+7RhkpzvEbadSTRT/zAYj4hfcoFyyG5pwq8S37P7DqLB4qKIS07G2IIOuTPwn8qWoG9FsRM0Dbi/h7gmlvH/ZOKbnR0uTApHSoN5PcJ5S+R81VkFgAnqWfcX+g8IOs7ezKAiucgaq+Dk71nmIfGdCGpsfvzUAPwNCcUW1NAGYEaeSzzTaaSvLIOrY5wW/vwTSVNO9DalvbZpBZcmSyP3nZ/BKNOoU0/subxgzPPNqKhazoq3Q+LIRXSKjlUPvt6nJMpgg8G2FkH+EkZlnJP1VgouC9bo8ijEirGqHyBxDCDfIHsAtxVX+j/bzyVDJ2L3F6JXspOK48PMw0X95kATZvZ1PSUq5BRm4R9m70SEFDJJ1tAEKGmNUcZcWl59Zj0Avl1udZSC1DC9jby80zYmwAGTXbTxM1vIYv76lrIASThd/22JQY71/NAumbmcncXucEhyThvQ82hkckfOATVwjoybpeELerbZw4bEbuJx5W6Fu1ZfmWMJxA9Fw6iC7zlUkfQdsIZFgYwhwtForPyS+0J/bJIqVlGQ1EegtVaDpanxgM6AdhU+z99c2n4ZYzibJWVSdmXYLUBBs4V64X3WQdbGs3PrPR9XS9fNR73R9HT0MEb1xrGzmjGcCpRogqRakqoPa+fd7t+Jhnuko/h6PwE92HBG6Xx+xGcDFq0F4frb+DuLQ7xxGZzjCKC2JD+UJyFyMFAMBHUGlL1Od276U7n86L0oG1imoVTOBbZE2YGEGJl6imqwjbkr6zfBLxJFJFLMWNEjjjW4DQiHuECoiTBjB8ayrF9XeLq6ZspOEfVix+/1SnSlpyHnNmexsBxeloiQyUOJ/L5jniewHn3tEm4mFZ9+pZEMGBockL9fmtVPbmABeweNS2iG7l/0QWsZFE4eUSftJDmX2c/BFB9OtLmp7ORtCsa9YHdNhUtnYyE1NQkND2XkHEB1fVoiPIY7xF0hytme52kjsjI5Wk,iv:t3VtSxClNxxZK90nZ92dknnQc/JF1EHYAOH8mIHC7ZY=,tag:SSKYCFoe1WH9TpXc1Uy+0A==,type:str]",
-							"wireguard_wg_0_key": "ENC[AES256_GCM,data:J+e+ngSbqvvtI0SxsTEFxFoMKSn3FzdFA2td0qy9/Rlc5qYfCigyXx+c07Q=,iv:UOz1G6gtOdRaXrvadUAHMxCs8NM7WYW0fjbAvHnBn+4=,tag:rU95wxz+PceZmd3KAEgNnA==,type:str]",
-							"woodpecker_agent_secret": "ENC[AES256_GCM,data:hFR4dQQuQq29tQsScnDGrnCjYhLgph3ORNCJ1CzrVqlvuFYVThtwzmVwzaNappN9T1Lzc5kSB7du9xWcG+1qCw==,iv:2YQL26PgP3odV1s4vrLprjVXdeJJE2wIY61hdd7n7No=,tag:+WOoNn25GWS3V/6yFCNFNw==,type:str]",
-							"woodpecker_db_password": "ENC[AES256_GCM,data:g0+RqXuTeqHdr7vbnmcN3AkOxPAWnntKBBqYbClcRXU=,iv:t7xYu6mbt0pIBdPwmMeQbrcIsqhWzfcfLEy/MihYRKo=,tag:MFWMYFcjJx6wKY/GJUptUg==,type:str]",
-							"woodpecker_forgejo_client_id": "ENC[AES256_GCM,data:nCjh6dzoXHPqDXnAGeobU6w7rwqqZ/6ubQWqv7Td47t1VClx,iv:UkAItZ4eFfHNDBL8NTX+8Msu9N0lVBXX2Wh0/9/jVxI=,tag:CkOf8qTnvBxz3tUoQmSa6w==,type:str]",
-							"woodpecker_forgejo_client_secret": "ENC[AES256_GCM,data:2OmtfqxlfzuGGfLDY6D6eBte6riJGtrYOHGJvSREQCC11bzQ6Wb+P9OYYjaBHfDc1C9ILflbvZk=,iv:WXj4VsLY3oUathLaL9mKzcFuS+SHeBZCLTy72tOLSBo=,tag:E5t115ZIQArtl66/RIMMZg==,type:str]",
-							"woodpecker_github_client_id": "ENC[AES256_GCM,data:P+WiTyFis9gkMT773SJFYg++cuI=,iv:snpbYSfsZrW9/IXsPqM6lPVxWsT6JTUyJqGddC45v2w=,tag:xLLqTBQwL+DmKQn2HVvUfQ==,type:str]",
-							"woodpecker_github_client_secret": "ENC[AES256_GCM,data:A6p9xNiY3uNfnii8VCXyc61KjuxIjm9ZW994ULzpHIOUESgziCvWfg==,iv:b7KJdiH+3/MOkObsCvbPRs07JvzxBPI50xkxI6QiK9k=,tag:CjCtdKuSAFCdUUvdreUGYw==,type:str]",
-							"x402_wallet_address": "ENC[AES256_GCM,data:BFI8itgoGkXl/4aGJ/7hl5LORnIIPZ+vi5YU8n8yO7zX2Ia64SWLeAx+,iv:pwH2aXx2qcr6Sob5osKQHRwEihzgclsM8LcpfS0ffsE=,tag:6reTpb5CmpMjYnQ4TqpyLA==,type:str]",
-							"xray_reality_private_key": "ENC[AES256_GCM,data:iu/5asuTRkKdhsf5e3T2ntN4qyEz7Od4ZAaE0sMSjJibmamAPDwm2Xe0Sg==,iv:izJawXSg729+UMbsA8BBxz/pZuw/YWyqC2XDezQaOic=,tag:1ubkZZ6GgEKaQGwDyDpNFg==,type:str]"
+							"affine_postgresql_password": "ENC[AES256_GCM,data:CkrR39/xwTlythf79UYIRLrxZ0E=,iv:B/b4WdYnYqJwzYPeY3gj00oOEKf6jsBxLEukoFtF42E=,tag:Z0FE4ubP2AAgQFsBSyh89A==,type:str]",
+							"aiostreams_database_connection_string": "ENC[AES256_GCM,data:m3jY3aU8+J3UzGbO0ImFX+QSmnIdKXtEdbkiEG4WQtp9Ry1WZkZ8b37o5hfz2mKMdmhhfW2wgkCJe/PDB90l5XP4xuiexgkiu3gzr5EiIdN+yE+8y9LClg==,iv:FMuouCAnBuwnZLA4jH78f7uQvuz4VMO/5DPnp2JmHhU=,tag:dTmZRX5xcpdPRcqsgrxDjg==,type:str]",
+							"aiostreams_password": "ENC[AES256_GCM,data:EoBK4cRvmf7zvxSmGGJ886NUBgs=,iv:cT2pWAnvY9kv+sU/Dl0QkdIHU0ir/WtJ8PWgWWNCjb0=,tag:75NN1bHG9HZCzQNVJhwk4Q==,type:str]",
+							"aiostreams_uuid": "ENC[AES256_GCM,data:OXYrD5Db1IInLy/765qyCuLzhPLYVebmjnhyuDZpwX61QK1b,iv:k/xlw82N7o6jdZPTbGkIiubo/iCbwFp+nGXUrCOihY4=,tag:X4aMAG0Nbpnn8LUCgPBTEw==,type:str]",
+							"alertmanager_account_password": "ENC[AES256_GCM,data:SsTC2wX6fjJ+xRQ70zuIOhYByXI=,iv:ClegE8f+nd3YP/RquUyjuZZ6LAXRWkK6vmpCIDkTZWQ=,tag:XEof7xeZPHLHr3XtxHFlvA==,type:str]",
+							"alertmanager_slack_api_url": "ENC[AES256_GCM,data:cOaqZJEoMsKvC/KptAiSdzrAU5sVsSohA3gQsROtnoX3ohpYxMxlhBT38KCjTLhczt5L1HUdYxnL+lEM7nmypXHph+B3pQC63Nqruta3gC6z,iv:T7emtMG0Qw+vfroZbcEu+2VfVTvF5+JpfCMXrITOVdo=,tag:52+VxVwJBbY6h/pC8Nkhkw==,type:str]",
+							"anubis_ed25519_key": "ENC[AES256_GCM,data:qd7GwVSyi0/9V63rX7kSzjbnNE/SdnOOhIdm+VyGxP2dA7bJUuLMMBWeJtVzgx7afCq/9cqW1nQIsNYjMOP1eg==,iv:avqXhwNOZFwFJrLHmMHTStg9u1MepaH44cVqGin8Moc=,tag:lyutemXDYMuQxD9SmnM4kQ==,type:str]",
+							"auth_fallback_htpasswd": "ENC[AES256_GCM,data:Uf5cEdwQn/wFMETb+/kEuTZk3bEFCQorQ9MhFrfoyvEPb66xD6yy+dVmeSzU59abofQr9Nic6Y+vLgcLiwIV7PQN,iv:1F6behgab+FxlpyT2fS4VkTmHi7kgVImLC+hrny/WgE=,tag:xczJNrJMWXNXY/LrZzXRMg==,type:str]",
+							"authentik_api_token": "ENC[AES256_GCM,data:HQ6rTmu2axKSG0A+Vhuz4Ys6xBMDvhe8Ua2wiSIZBbiRDN1rvlvWED+REGCN+oasv7LTrm8rZJRmdVj5,iv:k93wMFR9/CHLyA0l6zIIxbpAw2QNk82/q3JoS2Ul4QI=,tag:JjZ8XqcicDSQ7Em8MHi1xw==,type:str]",
+							"authentik_postgres_password": "ENC[AES256_GCM,data:zZSJVvq5pkPxeoA4AyjZqQ==,iv:ZJ+7iKfdNmJH4Al8cK95vfw194qdBCde1qJkEmHUa88=,tag:VeQuTJqY/vVYTM+agnB1uw==,type:str]",
+							"authentik_secret_key": "ENC[AES256_GCM,data:BQB/PIv1t3bSA4CBxV2vb8kz9QKj83RCXz8ueIaKgYwbQ4h1E6S3ZwVbVxZpuYjBAJ9P,iv:lcnAlC8hUtoh0mZKw4iR8Vso+oxvuQI5ThaUxuyWGxE=,tag:qXBKYu5RAo2V+LklNUK0Tg==,type:str]",
+							"bind_db_viktorbarzin_lan": "ENC[AES256_GCM,data:dZO0yWCyj/EHPVNmMUbhPXIgXyS4faquGtb46HpNKtvI0XYLiYTqYoz4ACmhcxvBJj2Emt2kfGJlpgq7qh3aAq/ni3u51Q1/21prstBk+CC+OilpQJHgCEv0yuzOd5h7xxR5ThnbrI33XyesAh4Hch7Zw2eHPeBUKsKRJVkvPu2AMDUhyE2QxyYI4E5NGfG9vZ3XzU5LeaVzSy9MrBib8Lv8OpsrE7YIwNNya2uiIoKKF/H6MQ500mfJqgZ6eOVBKXm8c6d8HfNOy6HXZfkE79Fl91xFdaPtzQnvsMuJR3l1awMF2oHo/blVcsTtZgDZF71oICk5N4qzPhT1o2DYKTgE6MFk1/Z6opV00+dHLoZRyRK9t1MyRPwWkE9xeZj79HNjCpJet+N6QDqwNkjdyvl8grQF8qv3TRlUbbdBI1Y65HL40fuJs9vcX39hZz5qat5bacL2buX7GIzfiN4kN06FC4TKKkSkgbzbuaWd0VSSx1CqfVoC7wI+EYMSQHpEgQx6/8xPAKJDnDBq0DXT+L8x+I8QS8hNnFW1zfLC5IPj5DWv7CYXIShJ932tsZHyxEkq4iz7rgL/pV6jLFG4R5vf8dQbguNxGCqVgxZZBYm0WWF38h+xj5caNGUhHglf+C2bTQAizFF7cxk54SJNnrq9lDQVgP1uIpJqwo+I+t/+0ORVuSU+INzxIVXrPoh7M8/fcpP3Flc1QXX0a5HM/IxiJ2yOnEGTT9tMrc8aDtyq7bcJX9tsocMErpOuKJSdF6NW3UKly7PbuYIsPqcA2UK5nhCA8n5e5wyV91g9OOveEZXsdP+OADqufQ2DXi5ns3LuBhX2ICCqvStgw98uqACKpj/8HZ/jxCp44TBXyINlzzikDZQUqz21VHOgvieAciIEBDmrpaNks09l9Z+abGG0el6OfQelcla+Y90xM57dPovM+597WeUlgVuQWeAXtYzi0IV//s3XeXXdcMQtujUfpXObJqdnbiWjLZmnFbwVypyZPUY/ru2Ye2MM5BOngXW8OjC3K0gpfsbzEfYgu7nnIdNvbojUNxmRb5cgcJKMhuFqJ5sbKVN7BNvOaJkYHPtRtG5vMoMu4XrWyn8EfRckVRIz6wVRHxyaly/Ap7WEmn7pAR0wuWQqvoA8Zp2ia4wWq+15TqsilXMYfbzl4HePJHDQTm+cX7xblK+X4x4OJJjMl3nYAo0Pha6GZp2VloR8aWWheJAo/ncmoTzbGQQRTYC6hxMJ+0z7Y7Sw0JZtO7kfgQAY9IEU5nRdSbiCKnLw,iv:lWbjNanXjbPXEIq+tY/RZyETQyaSAhjSZDEK0Br4TT0=,tag:ndVYejnLr3cUMCn1G1vQ2g==,type:str]",
+							"bind_db_viktorbarzin_me": "ENC[AES256_GCM,data:LfJunf9Mj3da6oGxjEVn7/ERKHgjLjZfZlGZkGyYqQ/0/gINLgEM0tRkUv6ETQ4YenzDDg2tI1WDA/d4bcGaDkpz35rAke9boHM4mlMU9ve95jr92nVYBNyRG5uWxmf+keC6mRdJR2kVln8/PwTBvXbxH37NWWdTr0Ps8SmQouukLiEYTNr2cs+4uHJeTvvWrABBDV8Z9c3GJ0qlf33jE2VIEUjZbJdhNn80LtJtWGFj+kPZKvQb//nMDxwRXTYtCQVBpIxmyYgQ10QJMOdh2HTtV6pwzqO69ge6YjVWR0FLX7rUokqDA0QT6bx770JpxheVbAbI1UjOMXncBJTHTjmpgWToVGFlLT3+mbMd1ICtZmppwg1Y1tzM8t9O7LqG98CK/JCqyyw58A6aVW7m2Mys7S4cxLJV1yKgCnaDjQVdQRYqi026U/J1sa4y5pm+9Z1ccFrFI0tiUWQz8rN/9DX6tg+Pyv5ufqPRsld0gD7aZjKV3uGApBaeykn0emSuikY2M+OS5+TqzhPleLvtiqG4QDW4G7mx7Py1l6jsao3hHCFElsyvRMy/uhT+QVfu2acJQi8znxU7zG3fp0KemHikWkC3XFg2U/S8POmw4iNm2XTK5rSRcoOoJLgYI3Ko3pOtbSWIOP6jabOcXKQXH3/l5HiqjPspPxSSCydnPwnreJhKRApnPbHjXdkuqpnAPyeuLn3ppDJARkJPd9Ukcx3KYBDkcSvfV2X0LyxRzeYMeWyLAJ43hMYQlbzAvCT0JJvJQ6QBe1b94QACmMuoAZm6qtt0P4DjEqBXV71KpR/xhP7FWOHpDOX1cWMZgXQ6eYuGhQ4mpaz3KIoo2aFzicY3lnMbIBGCM5n/DNt/Pwcwjf+BQjpJtoQ8NfPpWiACBhbb1ZDa8o3Ebmye0SzbzTgiG6IrSZX0d9CsFc+LP0tovraSAg1TyAGE5YB5HeAjowSoco2cNGcVk0V/dmLiPx1QcxQ3tA7y9ZtTFwEelfbvtygc0CL/GvsM2T1g7qibfT7iRH7o2VKvRnhMmJZ9ae5Bn0Yf2YH/QkP3067uLZ3IfciVITN/PxymE5kNvhaXs2HNYUYex3LPSPavLDS0XkPUnpCgWaSY0prByeydmKBIRX3tq7y6+FjboKl+VGWne359/41XnjgCwXaSLWifhkgsOgYF9zk0i90s6fTbPn04It1Q09P/Gx6Gu+cT7N2sst/h8zCvKDwOA2b/p9xdZWxe6U4eeUv5XdwUj6f4ecasCiT/S9/VIDrFKxJNkejihURcVMc3oLwTloRgouixOZmahfhF/HetGHnmIiNWxQ9izfH6XDcqUzHqQgfy6eUIQrUfmDedROTF3GiYSUdaNsbG5N/retA6SDj/g4OyrdSCcfNmsygMpeVTwQOgQWJn8M745DUZpQxxmccX07IoWTZnDViotbzNZreDwnACCEMSqGduv5CUn0InaaI1NaUizTkh2aMBr2cv4j1CPncBnjMWAclx3QjX+ktM946glKtwJKiOBg0xNJtqhaqy6vAZSj+Ue8dTyjYjZ9F3F+KYZ9gsSQxgrQNUS7tgieunEYmNsKlVEpvJIo1bUcDba+wHqstcXPt7FkXeXXyLsLMCm4EKHVibGgy3tWmd79zsZawyIrwSPxhB1AlWfKfCKZUlzc38cf27BX+WQGNLdBEOICeDl5neAbuTfUuiloiSyrz9u9DYne/YX8ye9XW9pN+7tUGGFi3SaBvuRqb/e4U63P0YQlAJTzjBJSf4AcXMd2EgCnnAYeNbOjubHIqBAuRhVABE7NkUGMwEyzMEYaotsOKBJQEqTovURP1yfwYaj4guzAc1r7Wvq3YeyTrg5MtrO7f8eahhIg1QigvTpljOCVvR1WRg7snKt6SVOIqo53AAwfEeiJZExbFHquqpt61eZW+JqVjd+gK9Jhg8nWHvdNs4Ud+Umid2EtPEVk1xZxdIAwXn1t0wmiUYKj4xp+OehGHOpY6EvjnM416IXUysOK//zLAtb5lNCep9i8eqdLQjCI48Zdm+mEa/R1122wGjIuLwepnphfDMMwgcCxe2EkmOvi0dzE3RJ1Y9rxcjUGYz9tfYpixULUy0VR5s9ayMEt0wHnPzXJKfexVFO4BNhdb6dRSJUGyCXnHNr4lra/y2bIrc/wXrQIgP/HLsQshAexGBCb6XN71jMd4C8y+Pik29vphPyOEZn/cgB7OW8IfnivRHW+b4tL91HIv6ZhYbt+dOe0rRC8xmk2xsLRmDggBHc775tq7/u+85nUPrYs1YvfXwyWnQe9GUmqJ4tPnE8I8irYVm9oT6J+Lva0sh4/alNFICMxgzoDsYsvBETADUV1j0E6P7OC/WFI7RzGTirytmTUwaxFrcOCw/n74CnTyQuGu3JTZUXCIL+KmeLI8ad2/O+/0a3xrd30xUyzac6xGHQjpAq0uwHqQipL64UCnd9wbW8M7/QBhB3PymmYetBT3EhtSSxb/ehFxLtWBTZom9uM1nSZOAEHUq+62PDEaplBVP8gVP9yRo6VzG0swLcTklGSOmBm7ZAXtUUp/wFA9IzViRlEMEE/PMaN7CihXUxBhpQtIQzC0iU7BfgO3avuGJnoBCD5PkKTxCL+sF0Lwg92/yuzZevA6yL3SfkBi2ugj5DUmQY51H9sUqkgzXUPrCNoMxIE9mVHw+GtGKlfORJWo9WjagkYTR7fxA4G+H2I0gNA0TQ3Xj3stbgJ8CEofqEKgF/PJGDX4anD25HOPGpJipQey/C8tpeoCEOAjlJulAWKuBZIpp6IeurTvrdgz9fRnVb8WgPLYKO3jC2JhFUgsDrSueq9ja7g0B36I/uQAJ4BBcJfHQ3jE7t7vF9M/XD/LJrkkBEjNiFlJrU+DUSH51+FKeFvc3Hd1A5zl72+ousx+lrQ/KcS25xXdsLNL0vLoykjkqdCxTopXhUvLS5m00URdmcfLpEcZGvqsovnXgSCdoh0yObOmZiz/qhup+BeueP4YWxfEGtzZKisW11cuQ51aipjCEQ3Fkj36RM+8izqGvpSfzIV5+zRqebbL1G+R7LPOouWQ1M0AGrLf+NHJv2VND9calRlivpuBqWcMZ/x/dImHR9X7I4wDJCRhEtHjFZGhoP9Aj4XRXxbQh4yX4YfW6ZzjNz4gPn1F+is/qrX8ctEBYp9R+cJ4ay82wwY5b/I6Hf/n7EzK1mi1AKyOueqmSEV/gLEEVC9XuAeuWrTilFA3T2ZkCqB7FJ7k+C09wMQd6Otvy+CGN/oNf+IDs4CDKISZCyq/g1uIzOe4TeyaiE+DIzeOoCNq2pGPyetnnTAa3LuyeCU+vgsjNdtiCoRNJ9WLJ1XjZoBdn8gWD+ZIY92UzHsPYMa5Ge0O+S/Av+DYb/++eBstuuGzxZNvBx5uCXRalwHuRCsHkkIhkyb+00VMdo0/EwbJNkZyDWpcDvc5+OSFJYiVjm38F5bjbtt9TMNGslElID/AqQmLZM7B+YaDnfl+ZRuRu3NQkUzQoUpKFCjmo/nuaIh4bGGnty++I6OSj7fR9g9omg/+6D8LspDIeMGWM5v3StF0nz4CH+VDGVYHuJydKwSx1eU7ZjvVGBujd0zTjpJpiTEA+4cyhgIk36UpQ1tkig2ccPxgj0c8UAicos18tzYn1sqctz490Fixh9lL5yf6dVc7eY7W3Is2fVoyuzh8ByHPKGgd6Poqzp/qbFmLKtFMRoNaOC3ax3xDBn1FX/9R2CzorB8+SXx8dYLEglLQM5ze6LnyWG2JTNHRHn0p7w3FUQA05m8KKHq1fpVq3sw1b3YI5BGDduShFXTL3TFCJSShm2kgL8eYlgjl/XkK1IXA+lkD+CdgSSmfRDuOU0aKUwqARb95kM4D/oszWVfkF4UmeAg/2vPCKIxJf/Fq2cSqUupULaN97QkM/u/k/5k4gu6IuqM9h5aS4RaqkGBMD1peJYYI5mEzniGyWaf3nUcUpquC01L8YalW7BMsvZRkvVfbQukS0TmZnNGsFQ6TyxG32RLkr9qgUSsIKTyjF4v5Krqjavx+qpsHBP0JF3Ta9yAKWqwUYRLVqQKvuVg32XWqCqXTOR5BM5iv1J9jmurMwBbFJzIpAlicBH70v6g==,iv:KV9m6Wzlk86xUm0CVjovfoSEFMDNqdB94dsJZVOB+8M=,tag:wbXOLFusH6zYA7dre1fQSw==,type:str]",
+							"bind_named_conf_options": "ENC[AES256_GCM,data:0BkQTXXWtVBBnPjkT8LYRTPbYkL6wyxNbjNn6Jtk0/T+uraqLtiWjzQjgvRZM5DaJFRA//yc6FGXe4K+cCKzOItV8X0SmvXIppnllxCkyYBi9cxJH42rRy6OeYBPqceiWzBZpTHKfabZ+oZFwylgrmE0eESKU8Li0d7bXawt/sN+NcP/V9RFA3V9pSnev8oFf23EgYc9oQZZqqOK/PznbjqFNbgbFc+0t9hjyg0WZhw4LUQYi6Wqhft8nfa+DLqm0m/XNGb3+jMdmOAuhNhVv7PCTBp6ZSNhaA+vjpP69DIkSwXkX9KvV3DrUTlr2cnIpUt9sZQJ74TLArwvUBIxVrN+zG7civOZrWrit98XaxtTPyYlgOj+wKHeaq9FNo426ltgQfQpY/iPoSEVnZGr4fvwobJBAj2PqTj4sWmcH8YW/UHSb9kcuM8tjOCLLmiacOrnvVKWPAWV/XsOdsVnwKv+d0n9gIPwG18o0XuvkC3yMrzwELFm8VSVNpHyc2+BqsqQoMBPPX9hcUiEAiBbyeO2FzTcIK28ko9WZ/6PNAObmLCV2JB5IDZs8yZ3ZBgyx5D12MdbLUIsLoMDSsVzp5mfay6K5wdtmFFtXId1WRsuBB+4qA4KdBgMGQ2harPFLrOsAkY4OWSPnS6zKJgHvEdGml0yDg8Mt7Rr5FUgcaJzl1DB4tOXJU++3qq0GBVBJd3oaCthQ9Z5xgMTs4Im7HAUclTv/wEFdIjWtvbnSqlRpWUuRXzxCkerEq0OHB+PEM3HIKxmj5AkyVGGf9bNd17K42XotEMDxUQpejyNN2ICsHiXO9azD/lXstBrfhUL7V90Bpmcm/CFqTTzCi3F3aFS7XMH6kXpKkSrG7nqiZAa2EwNf1Sun2vSXIzZK6W7Kg94PF6arqfJLtUhSg/zx6TgG1XZVwtK2CsN99ISws3/VPeL2xOCjaD7gtyhVdzQMJOCYEyKEULBzc6UM7S/4DKDM7Hox1QANr2HonF0KENsLD1mgqq3C0Ceok0vqCZDTf/liKBodOEvwiFQi+2rHjla610zd5gt9bj74myJQt3aDojcJ8tYDDmHo6dgkB5EMP4waoYl/0DlHbZ0hrF2ap9iLYKGH7uL2OLUmglfKGKenQltKuELIwF32kkHEjJxykazlRmph/2DS1lQXpuazVXT3CsP9IwgXTVhEDlYVdBq/NAso+rma/Ex6hi47+M9FugM678VYvPYetTpKuOz0I0NXnCjy6FhMueLbGNBAAlNIn7twQrwFYnBGA8Zv91qbx01CQ2xqv18tGv0nwGNRXLbK8gnTGLKhsd3ag8/9jJ98w8soUMzTkoTo+Xe6USmKWMkw0zF21NRSjTKSIEWHnU9QUAbFx2D5+aYhqoPQGxYCqIlLTsz/Y7AF1afL8aYiclYHXppi7PE7hYwVIQaRkzPzOGVR5slVXWEjJMClbHYixSp83KjLulZEEiFKs44Y+hJoWF4+g3sp7ciwKR9k4hjERfTa7eX5VWO4EVKHFayzJFn6NGW5Xh+rYozOyg62i8kul+n8mBhFnm+c+W+KFCHlz4c,iv:HQNiDL/zTMh3EyT+j2efB4gqGBpNVZ+HOGzjKSbc784=,tag:6tFmPO4efQoTQrrOlUZOjQ==,type:str]",
+							"brave_api_key": "ENC[AES256_GCM,data:WOfNyaH+NI1ZgvkuOz9a4W6Mkl4PNzqXfgSqRXt9og==,iv:+9Xa0pgSXDN4MtVKGKOi7bcZmFULjl1KOj1gm3KTCF0=,tag:FTyrj98bVHk33jt/rXWqfQ==,type:str]",
+							"breakglass_knock_sequence": "ENC[AES256_GCM,data:7GT1xRXsI3NUEYqf1YV/qyw=,iv:wjklBVwP4MhhJsYqR7hNIueUPphfizMdG7cbeuBgYOU=,tag:pXGaShzgVvJK8Lif2fGfqA==,type:str]",
+							"breakglass_ssh_privkey": "ENC[AES256_GCM,data:iXOh92PNEukSvELjUb8Ac+5pFVvUrzhlrI0naJGVuGQSE5XIus826/cR+6CANZd+FY4OsHHOJLbGUSjqhf3tUc23xNkMEoVLsbknJRhx3yR9870QyBDrRTC+5pz/NxBvp4PVnL2H0+Eck2n8Zb6/Vid3E9xuLQMcV1JmH34Mqs9b9p3tTZAE39NLuGd9HFKdQvNa4T/9cTH0SbpUXNCxnk0Oezmq0x24s82c4GXHOIGrQUaw6DFuRz8dOBOJ2/WLTaLvMYb4UDsQiqVGDb1/BeDpN3xfPWnAcmn4AOxg0hEddNalHip7KxuTREJFpnuqk7D/+rFJPe63ai0dIwInmuEpA4RXEqv8j3rvvZM2rQuG8MWbX+MYmZ4LosvhEVrvs+YWxy8KAqqTWD4kfY1J8kX2diJkvv57KdkE75AlmH1ocNubT4Aei8UqxjmZ+oreuoBl7tRJkar3wgLeppM0HDXl0EQsl1P9zCEkZdhAco7tU1E+h/Bm7Lb76fQ/04H5Ka2KdB3FTszLqnyyStf2kP7oDCNKGrCJ8THD,iv:f5q6vCtKggVULKr5gt/DnMrFBYjhddUVDq7Dl6qqjXs=,tag:jZn05an/JT8s+3PZOh7lYg==,type:str]",
+							"breakglass_ssh_pubkey": "ENC[AES256_GCM,data:zCFdpp7jDsJ+KWRLU3FdjyF9Pxf9QULzV4Tpj4Z1VBknw9ELVgT7slla0dshAFRaBfDx5glO9TCjHf4Rq5dYFX7LedhcCLPquyld1bCdyk7tZ+yb7tsZoxJquKfWRoVADeZN+w==,iv:dyumuInIpTuNyy/aMCwDbt/rEiyIR3jKPxihMRKQH+w=,tag:JcgPlMPJiJXXQISUP+P4Zg==,type:str]",
+							"brevo_api_key": "ENC[AES256_GCM,data:hGzIkcRjxQShoQJQqz6uaeh4vnX3YCyKFJCpLfstR+F6izEbWLA6OX6bVzilfOdhyR9Z7vv3adRhTQVXVSff2RuIAsZk85otLm9ka3eJe6NhjKuCT7LJTM1x8tJuxnTOq4ctbWRbEbi8V+mUGyWSv4aazpJdcHoUOrfFhUtOML4xDkaTq4mtobq/hRI=,iv:O2npjM2WKEl1y90ce7jDfauvEA2G3wVsjL/i2vYN+W0=,tag:8sWsSBDSUDhYfId0KsLT5w==,type:str]",
+							"claude_memory_api_key": "ENC[AES256_GCM,data:5g8MjN74prIGczpUNaWIgv3PEjqdGA7DaOC23NuIrxJ0J/QCGbVal7Wpy4o=,iv:U2Mut1NYy4X3AHtf6744tuSnJdR293+plMkChBzOFhA=,tag:qhdIKN3Wnb5NIyewo3mqvw==,type:str]",
+							"claude_memory_db_password": "ENC[AES256_GCM,data:0AoMT/K59GfaJmfI5NHrEjerRNxlyvyRbpoJjgQC3hQ=,iv:T0KUMgnybpm6GbtUMWqRZPDrhjhlU2gwecX+JPE+Z18=,tag:jwfi5ogS1BZbGOhuTClyKQ==,type:str]",
+							"clickhouse_password": "ENC[AES256_GCM,data:KCWSAK2r8bun/zwVAjA=,iv:43/c51Nx2aRIT4BxTQ/7N28LLzJLdYJbiDOXg6R4pik=,tag:AGtyow8H21/qrrzHr3BamQ==,type:str]",
+							"clickhouse_postgres_password": "ENC[AES256_GCM,data:JDmjiX5cfYdFxxhgZ14=,iv:DpKfsU7I0Arnhg3Juy3+cts/XHRHvdC4RkMVnGB4WXk=,tag:R3LYPrXjtpJe14G7yvWsGw==,type:str]",
+							"cloudflare_api_key": "ENC[AES256_GCM,data:2GCi/HtpAsmq5qH0ZowyY3PTX2+gsG+/uaIWabOzE2k7Aol9qw==,iv:NbVZJ96HK4GlGsHp9XeiI9kWZW5IX3MEqNancnj1lgU=,tag:hDwop6/NwwvJGD6EhIzi4w==,type:str]",
+							"cloudflare_tunnel_token": "ENC[AES256_GCM,data:yIP1eyxDR7IpKajo9cm5fK8mWPdfA4+G3IoI3wCoqgWXrH1CozAIbTnl6ATC0dORM8Q3eobOY9ST4l/aN5OPfmPho4a3p/NmDLtju3E7HVuj6AoCR5fmZbDOV2r413QMtXTkssnOggtnI+EuXA8gpaNfdJKgpoRamQ7v9sTXcZZwInJj7s0ORj5YjLWP/zyWranSnZQiaCuEErlthaaWS8XnR8hGM28n1+JfEaLD48q9rvJBy4kVNA==,iv:ngVFK17nYZUrtPfqxpcqiMQTE2tk4ap+rnHj+MrTzGw=,tag:H9e2xU3UY1ctbLMdBLzZJA==,type:str]",
+							"coturn_turn_secret": "ENC[AES256_GCM,data:lg0sZgeZuNLWJjj5FEQHdVGouqfJaI2DZWpVwOlvo1jsXnwDbvne1W2yLADrcM0zMECI3HZ2jB4PnBBXBvmdCA==,iv:xFcy5iz+Xg6McE0846J6GEG//87Sj6qSA+Ck7vW5GzQ=,tag:nO58xLotJ2Mq5Hd0+bIj+A==,type:str]",
+							"crowdsec_dash_api_key": "ENC[AES256_GCM,data:7DizoKFntqeNfUFm1XSCF2+sjL7DZfCIVQVvqYe5ZrvQ8hkyX23+BPKN4Q==,iv:LCuu96GaKiqQyibxV2nw4mmBDElk8kh0h6/BDbNX5BA=,tag:vU6t8z8bWJa2qULVcC36uQ==,type:str]",
+							"crowdsec_dash_machine_id": "ENC[AES256_GCM,data:+z+rWy/Uw6uygozz/DQOWt9GLAZIgRHVd1lGmxw=,iv:8I8qGyflPpYeSqjTdTd9fqreSzJ7WAIeFmD1X7gKrQg=,tag:p1w/DG9g0DXNmEmTwJlZPA==,type:str]",
+							"crowdsec_dash_machine_password": "ENC[AES256_GCM,data:Pr+0GScfJ8K9UvZYLEjGaQqYeKSGUp6FyhOmftAdEoNXInIQ5CkR3W4DDTMlt98ZR594JcRx2gbWeORlI2zI4w==,iv:eRXDxZ84feJG/VudKu858H6dXmVq7DKx1Ye6UwTtbgU=,tag:VUCiVUxTjcvUH6GtlOPImA==,type:str]",
+							"crowdsec_db_password": "ENC[AES256_GCM,data:8uWKNv9fRl9Fj6JWRbw=,iv:40h6qrU0jcH8mix9VFHJhaG4BV12qKA8lSGj/rw+E8A=,tag:xqwFmqXk019OgfJxblP0Yg==,type:str]",
+							"crowdsec_enroll_key": "ENC[AES256_GCM,data:TrGRm1wI8vnR8/6S/0eJ4fZtaSdVpfPvyQ==,iv:TEwUqIka50xbbdO2HP8HIf82sc/kEPM/IzoI0wz+8cU=,tag:XO4BFhq1DOe4kWI3XUBMjA==,type:str]",
+							"dawarich_database_password": "ENC[AES256_GCM,data:VISAFLNlvuIpT9dFoebMkBAK4Hzi3+LKlQ==,iv:A13YE/0N2ers0UgtOmZDKK5OdEcdmAMCecF8E4oC6mM=,tag:xB7fWkYn6ise1hRqtg9gqA==,type:str]",
+							"dbaas_pgadmin_password": "ENC[AES256_GCM,data:Ng3kGxfeR41j4//BoOwbIBXYlYmc1jNr8/r/ZwokE/M=,iv:wrCWBLFinC2/VqGu+jr2jIBk/nGzOzh4THuG4412sZU=,tag:H2QYQMonY/EHg/U/xqhq/w==,type:str]",
+							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:6SwyLih/GKMZEeYFwrsQIusPZ8aGM1yrkgQ=,iv:lYXwyiwWWBsItKN4MhoT6P3cTMrjE5orz37VfTG511w=,tag:EOjHfnbSmqF/IGtMuRx/SQ==,type:str]",
+							"dbaas_root_password": "ENC[AES256_GCM,data:YdoRTC+dY1sG6ZMvJg4QsCCBdpDLhGd4DW52mA==,iv:JUQbdnLbBHqF9xuD+J7EIeZCBOfdPvw2GxOSTMm/kUQ=,tag:38rw6Dbc55gwZMs/bG9LfQ==,type:str]",
+							"discord_user_token": "ENC[AES256_GCM,data:LP9IplCW82kaIel+nkilNRo8w6eBI4RokNzaGRVefJKmr2t0ZvZZIp9b1Md0FIoC/o4NroOVwjnCXpeYqNen4Z15fkuqeTl2,iv:v1Q2aAM58vuvBCcfbC514RfCo8LjMy7S/6tiFf0GVMQ=,tag:/jIO+3pFl6SzvrDsP96BEQ==,type:str]",
+							"diun_nfty_token": "ENC[AES256_GCM,data:CGVSuExvDT0Mn4mz3NOBy76D8Yqd6oG0LnWQREfoNFk=,iv:fXXCLaitoStTr93NYoA+wOx2rNciFVUMN1f1sVujqcM=,tag:L2140TIy+/TNwhvqO7Tu/w==,type:str]",
+							"diun_slack_url": "ENC[AES256_GCM,data:F6Rhdq1uZL5I7AwuTXNC9fMWcwRwqEdCOcYBFjbct1jF4Jp7wYU/XCJd/Hm8/JUex6IdBnT5dwac4vbFmfLqsJAY7ZrDJ/9ktsU8GDu15dEA,iv:EtW3SSdr7XHk0XHCgrWdvxs/xRgOcvYzZhzEJk/R//o=,tag:IqbtwuIZbl4h6GlCE72xIQ==,type:str]",
+							"dockerhub_registry_password": "ENC[AES256_GCM,data:GKb9xX6h2V7Ez6paufN+OEt4v11ggA8HiruAm1tgsAK4UitG,iv:VvRGnqW0rkVKlylbZRL7oOfQFTJElf78kkQURayQBss=,tag:86r/5tY0sRZTPeNMQaByZw==,type:str]",
+							"edge_router_192_168_1_1_password": "ENC[AES256_GCM,data:Uz8+vGpxAl0=,iv:NTfvQ1oeHXtM61SpczCbR4g1dCxOeoruGBkdbAWPiXw=,tag:6awSPHWu+vIouxeNrFIHhA==,type:str]",
+							"finance_app_currency_converter_api_key": "ENC[AES256_GCM,data:ucUMCgcSHOo/Y4OKltMaBtAHcclkm1ph,iv:sUQc1F7FB8OG6YuodjHP4XuZDYTXwB98UYoVWw3T4aA=,tag:ce+GNxmLBBEF5Rcm6vjISQ==,type:str]",
+							"finance_app_db_connection_string": "ENC[AES256_GCM,data:gA5DeGDQaFDz8wcBkFVPgIZ8Cvug1umr8zbK4zSRIHS6ktJXY02eQSunHCE8ilBNv9m4yD1CQA0xmYmYMrWiMKC8D5lGWY2TgHKVttMALnms3cQxxAA7+g==,iv:/w4BSD6ESgYLpcrLj8SjFNsm1Ivy5djJNW5EJojEfpE=,tag:Ktje8vJ9UePDA4mRbe3LjQ==,type:str]",
+							"finance_app_gocardless_secret_id": "ENC[AES256_GCM,data:oYziJhzfD1fRitBIx/OOKmTRqHXJreFXc97f2ifRWH9iBff2,iv:7metH8O7P+yJoWFPDBVVHewWLHHILOhzuiwq+aX3quU=,tag:pd9kRFlL8nRcU0EylCbcgA==,type:str]",
+							"finance_app_gocardless_secret_key": "ENC[AES256_GCM,data:qmTqqu52hDOUX9FBMQsYeYnqgNRskykz0Hp/Tg53ZjjI8uuvQWOKOSpn81AR8EeqBxSMnTJFrOqfrA3PpabJV9K8rriob/auQXwWgMYV4QsGOKY/kbh2CG68TqbMbl4ajfqB3lQhGoXQO6IQRF0VLmEw4nMcm63csibnGaDL7Mw=,iv:dIiWGXlSUoHtJmLRH57XDKfBmgz6cVjkmuyIdrJojZ4=,tag:fK2m1n5o46sgB8MfF5SC1g==,type:str]",
+							"finance_app_graphql_api_secret": "ENC[AES256_GCM,data:PqATDSEd4EwoIuda4J0PfsWvKIbTpdgNeZlAlLKpcYH9zXHB3o4=,iv:/7ZFpySL183uoDpk2/Ut2GY8sNe2sj1VO8nHIbciBy4=,tag:OYqWuiA/ZA+Nplsxbls8yQ==,type:str]",
+							"forgejo_cleanup_token": "ENC[AES256_GCM,data:zUP/Z7Q6wBoxGhgErwWP3mLhfx828kK4jVCUccoDS3gCg76+9fCieg==,iv:4rlY8qE6ESEunm+S+88Wd8nU9HNOiZopY5MSPcdif3A=,tag:DlLQ5yyJwK8+HOwtZyphow==,type:str]",
+							"forgejo_pull_token": "ENC[AES256_GCM,data:kyFI9G+r8Fm9YczgdfdwyLG2YY3BXQqaVdOLuMQdqeum8veiV09Vxw==,iv:bgb++DVCjpjsVAOJkAB9YGgp3G7YfJ3o9mF8G0Rhkic=,tag:6EW792KV4BJlqiYcOZSqig==,type:str]",
+							"frigate_valchedrym_camera_credentials": "ENC[AES256_GCM,data:30BR2g/8Zd+O73vy8kcHbL+Ukl+piw==,iv:t1m/4kVob0V1ey6p/8kOPpF0TVmAV/3JwNKmKOOe3vk=,tag:uKUe8bd7RqOscBUaUlxVbw==,type:str]",
+							"gemini_api_key": "ENC[AES256_GCM,data:E1tJiukeRqPvSSKfza90bADItaq99/8JIdpr4bIqJ63vGjKXfdng,iv:r5Rel4wiZ9qzVxs13sgdtvVbv8ro+gIs7QGMIjoA4Qk=,tag:EqsuyOMEQ62qOXl1F1yRCQ==,type:str]",
+							"geoapify_api_key": "ENC[AES256_GCM,data:8rgmxdSqWIm/sk2KQWmtnNaHas9pVlnmztnnSjb/zJo=,iv:/ztaHfvRSl36abBUBRZ3PURfECh4TlKXvhMOk0NNnWk=,tag:V1utBAE/SwULLt/rmqVZbg==,type:str]",
+							"ghcr_pull_token": "ENC[AES256_GCM,data:zmzLozyYAKAR5KVYrkW4/zZkd0+5piAMQE0EClTZmd88Z1IV+DXPbw==,iv:NCBOH1/G5CNskGwnFcEtSh9kWvDEMiyrU0dI6CJFgwk=,tag:HPlVtx4fjYkW7tsWQyUALg==,type:str]",
+							"github_pat": "ENC[AES256_GCM,data:cTsYA5Yf/92UeKoolf4lbp9KzpBF7Eb1+NqSqoCRHzaxZAo8fWFOvA==,iv:nYKl9JmRahVKsv1fkNuXusssOaHNPYkGADQ3ocfruDA=,tag:AkejtWCL0L1Uin9tpxMsJQ==,type:str]",
+							"google_workspace_mcp_client_secret_json": "ENC[AES256_GCM,data:E4GaIb7I5A2mvWSDyKbQDpoTbcidvpTegGlRVejGiTVIwL/iSdoMztcWPkBwmIGQpm7Pn6CgTgzynE72W9X5O+RXgKfFTKeNq5/CKMpfXr/dmKpVP1ouYHqqLtzT3/lhssPmllY0cRXhOZnRlEOOKL1Ba3GnATeAs6yHGuoG6UNOEnDyRSkviWQ8vfqgh0JC74ISJlw6oJy3OWSzmuYDS+FISfzVtopILjsfGRLd1SjlqnptHniTx3aERz3+hFCJOufVnxxjKVwNqz7/rY5VDEkSDVdZYyGB+btvAxMXNXt5XYwOmsXqWVTGG/JNqxOGifFofL0l36G9TwD4GLlT/WsHVIgfLbXJLehRWw/X4bHcblzfGRzNJM3BpV2K7Z5BJv+FnfKLJNjakuxqQng0qnHlEjV4lj0y7pPi3AmZT/BoN5v29DksEQPBdlza1v4SdNupTczPWORlfV1QnltYsMktZE1TwSvV08rWsfmctRqaLJHWSOeebpLTrb+2yt6b4j7kAdH2g5PikGkM/5XD+QG82tIHJforDSGiIQ==,iv:uRI0xphw2Cphqll7nJScG9ZCiDhVYg+len4F96Yqjig=,tag:9wyx2WQlsHmty29RhCuxEQ==,type:str]",
+							"google_workspace_mcp_token_json": "ENC[AES256_GCM,data:/EhqT/qUW98V8KKdlmKJ0wzoAZtFvqFURPcwiu3u2fmMu6+qIir1RvK+WjoVZysjqgSWQT7hjMs2gOuYujlAInTVQKSsoxw1GkQINe/pERtQ1OQ8Fhlj3gXebhceGOK7wxFSLOGMvZMt0Srkq+DjPCfN1IAs3YW1gJJEPu5AmHXDBcIMWSjuD1ihEF3gy6ZIU+Ti96u/f3ccUNZXVC7OB5MMnRW5PsBKulsFqU4yoi2h4KbI7HabImqd/ZoBWKVbYX2hzU/BnZQDv3QVd8KV8TvhHluV9mp41tXFXDZefIybM0VukmGUe/LurPNKOVHVEJICpRvuJTJjvIj9aSutn4pG80Kj6xsKfHfoIedESlNgKFKQSv80g0QkpNnFZ4zN2IEM4kxls98FPndzI4vAX8Uu+cLZq9BQ8ju6XNY0cA5vYTOK/8nOZYB5ApKGISMUU2bjjq2p2q1/3qVmabAljbx4P8+uMe3rHzSjQvtlkQ431ACZRhJt+rOd8MIenGdjRavkE4mngVvnURQuU0daAm3Z424JXmrxpDjTQ97E/13JbBtcubSZxDhYpe9++tDsjouYG0YkEg5tuJNmcyQb8Zy2771S/xCqP3slQfwbVqKf9fPMv+hk3HFDzz8h/8hMeRvoWJjMPguVbkNLtZkCnpqy/igNVxkcrXdJq0D/9LYKaMk97T2R6iwmyvSYFm0Pn5JBikjFwrPPDp5qMd4M7dm9Dv2VpaxVxnj86jaXShvfAapA0DHdFIj0L6dQ25Dl+fTgDZV0E2x6HiexM00o8Ji2bz6G2Pyn34xDyIp1XQTErzhz4FvzbOeyp1AzbMW2yG/K3BAv7UWhorfJNPOt+Lu49Aud1TSwO41BtH0B2nUDByihpDOa38BauAbJeNiUP1yy6Yld8N1Q750KuUK3NixdDNLpOfc9awI8rXIze8GnEBAN++ma2lyyR/YwGocxVsL+dEmSwXJPOtGZTuVzi63XSYKsabWC6ryLb6m7rMOBAcKZZZavdCWypqAGV8gk7GMaqucVXtWmC+vjjP1dlnSVIyifiXM/I6H100RoaIk1JoYVVwDsQJO8YUs/HmjHAqLt+pBKzHcGRi3ckgZ+qqf+Dg13mOxpDmJgsUm9Httsh/P12PO4E4/Y2ZCVjO1qhs+58Pn/t0J4m4YMzntrX8lCJtp08Weq296+cu5K3tbYb5PUpL1PgWtM6L+oyNeAHneIim2mmUZ5ZUCpmEXdE/b3oHF3KcgCXFmV4DIAeBgI+MbiIQauT69VJ4PufI6EGDioqxKf7oHDpWOn6mRkxs+31qKkNIdaxGSQ9LRK7AfQxMb4bj3YtpXcoph+K1TGNMQa0eJoixnJ5/ith9tgMhCpEcTyX46CHhoC+6lu+agHm6+SdWcQKhmfvpkfoH8okeRNa42FF5kSnBy3sFC6GWav0Q9LA5I1Ss+57ZxBwcLJ1oKub0czsOOp+RXdOnp7y7Xc/b4CWowD7kUxXeVyqssqne0axWhoz9kBnHZHmD3Jz0xQ9bF8uuqA4UeTCwA9lvYJIjLkoW9yNrwQj3uVO5hAm6b8Djt50sKUh540IrpEBfRLrlujHSzB/qAAaH4qf6SQx1XFTLy2hKeIvHF1jf8C/uW1FBm7VRIkwt0gX95PuYV222WWWid9IftGwo+IjIZ72MjC3VPvJ4UnebgpXzQDxmqNgp4yHgWPvfhzQE/GsjjvMpKSIygyrpvoJGzp79L+mbNjpcAxkWKsZGSCgJ8sJt0B4AU47UzS18YOdp+aTsEbHT+q6G7ztRYLBUA3BdBHm82Ga6MoTGy3IJPQ1g8hGoSMBZtksQlo4XqEhxRfXmgYR8asEmPLqFMubmz2dzqq7pOSXnBPqZIrFq32e5fMlQaRxNiJPqRqxXWG2oCLT5QaVp0LqAIBKYNoOUVEteeAJHHWNHWT/TtWQWFCujjtlyH4fkaetqetl0XBkGCkgEX+pUcszp3tEC8XDVeN4TQVtoenadS40WWS6gd2bZ6RVrKieF/BZWg8JH06nO/+/sngRB3emsz/QlDZLtZvQ8QjyYBgMyAQhZYzMgbBdLxL7n+FnzmAST5yH5bnpn3UWPKiaqN2K4p3jJubTWJiPazU04tZmSTDDW/kAyWdYGlocTES3+j+txhco4dVcGtvDR9I8Va1Ik9GVB5fo/ZAVTS0uu+yVH0/bvtQTcv2iJpzRsAISFFuKfgHTKqyCbuj1TShAIkH18a4nlU0tl6Qynp33zAQvyWOAY/HD3G95VeXLTXUIf+jfZXgbeHgJ7KLCKqJwAUDIwdrakgMLtpZ16edfnoprFJWFIS5whQw1xOrAD/alQSReOqy96lkZoba9LV3Hz0kYuxnkvrKpeOcQXk9ImAoHalF56m7Q3BrZw9SJGWtOqdLi3XRt4E1xTgtj9+GRz8GBB7Ey6nRbLiLbyYX9udXG12npfS/nqmpfGb+7gIyWmrQV9JT7WmqQEGH3DY4RUo8Mmk+fKLueUXo5lLRm91RaIKPntWNiu0q5u4MltnPvKKMKBzHHrPFCnNzD8zqtI+u38YJDZSVNc8zOu+ScVp7pzV8KHj32V+CYrQSOcWo7hfOs4jt69lLty8+XMkOQT3ZnE7IPWE4t5DCxJV1uepyw7cdCWbuguhkZLlWYhjRem/9TI8H4Ib81DjvNYgRSNvoOFDhyvvBuUCnBMM4DsMeRfefXvFK9I4a7/vnYpwUtDNLLKknXDDyTwP/VsGmstI/vUnbXwwq0fzo/TIsfCLQ284YxVuceEbXZC9pKq1MUFU17ga4jyMA9l5dn/YJ/pEpzZsCDwwjHErhL43BiDH6Jdq84XTVBhPsGXMMnrbxk/1QWcEJ4Z2BS1vaQEsxYOVHeiwbfcgCkiH3XNxZu8rWWMt4lsNMRwWbndC4veQg6c4jVglRbd2+oQfXc9ooA6UeqYgLm3Hd2/TBzXxnTU8dNhdFbRVtXGUFrbv9laQH3MyS4j+BqYiHooZij2u0vU7a1PaLSh+inMNpKePUhbveIOD72e0zHG3dzyl1UOF2OeVUNnrc3LBZqVGRqo07/J72F6VPu2p8tJHO0W3x/D6+zoo/qLB/CSNS5QYD6Rvixz7SE1LVYQgeIcQojAM+YdOkPg==,iv:xfYpk/WQt6kHGdGWhrysiXA8ZRpxbRHVKJaRndJdABY=,tag:rE42Q5E1CtwIcbRs9Oxe0A==,type:str]",
+							"grafana_admin_password": "ENC[AES256_GCM,data:3n7dVew0wo6vXQIUo/uF3BoPV+4=,iv:ZPLBIaqxi+9zoDM7/lz89EdWZ8X4wSsE7lWOpy4MCDY=,tag:FO9fqyOm2y20WWbVyUzPDA==,type:str]",
+							"grafana_db_password": "ENC[AES256_GCM,data:VBx0ZT6apeP6zFg/OULn0lBbb/RE,iv:oURHXvYXJeUxt1UD4D9abJCIYHKnH2Dk4PwswDbLeU0=,tag:KOUICos+OW6tRRps/0pvFA==,type:str]",
+							"ha_london_ubus_password": "ENC[AES256_GCM,data:iXtMYxKjvQ9UHNfw/2lSIt23lON3nRg0zwypE0MJrYg=,iv:Pymv+83NZKEH6ElzNJqeTJhSXaQtVDZFd1bKqEEzpzM=,tag:uo7jZzPSloALaMKk8wbHlw==,type:str]",
+							"hackmd_db_password": "ENC[AES256_GCM,data:ouEjluatbzQQUZvkXRWp,iv:I1FeZe6CxWc4tla3yaLWZ/JlSJL8uqCHeh1PKp3UvhM=,tag:oV1tEnxfPxcMWxmzeUnLlA==,type:str]",
+							"haos_api_token": "ENC[AES256_GCM,data:6PzP5xQa/qlxxCGsuStmJ8K5tP/NWiNZKWJzz1rPbUuSkkCCUexx0X21NBgZM0KcAGIRNXRmEcUib0Rx3NLOLIa8p5fHHD+njwf1/s6cyzUkKF8ux+jDIyDvSN7Q3GIUE7+w9t3dK4GZimTQXMnhRNM4eqDNRN3y+XcW80SdKRseghyKNl11y/ByF7Oi7VA1oqWW8VfVBW/nOouekE/2tWRopie4zx7KpV3oxkT0BuHJ2MJui0Ox,iv:EnZgrkGynKVcEy1l7onlZPNAkIxJUS0awJI5uNZCp/c=,tag:PsANEO6NpUIakqbyNCbGTQ==,type:str]",
+							"headscale_acl": "ENC[AES256_GCM,data:PNd7kcMAozyovouO2FFk+AklQfAThZT7Q9mlbG5yurEW8Pgy6ClGgUYGInJ8ryWa1y+FcSP/AjpKvSHjhgTcEwUWYb4+X/e83OYZ1rNwHzsRGppoYP0kUPJps78BdeULNbBJvLKKffpzDOHSdxNNbr/XSsWMWoGW9bO8kd+avamBAqld5/TlxyzTJR1M0Dw2TIsZC4p1TWs12sG9mLqa1nTV2RlxbbuIjUByCjtSFJQN0XaY7MqprLGabiM0AlncJFm5x0pzRoueRIVe7cnqfURbfyHDo9HMNaOpkSvvmiwAWIOokYDk6yY5zRpSRK5NxsBMVS/v4lHdgYx4Gl0hr4F4ux3poRiaexT7imE9wSSt3Hj+ezdW00UkucaQ5Ye3exNXnQxgHUGniW/fTkEEF2Fb/tZ+NwVrFaUBomYb0S4W0Iq62Pi8dtBM2KcyqqEet42kNYTjypt9n0nNXowrOf2NxG1v/eNuMbKutWwkn7tNRp257h+RTO58oOCFfLrrBDDf3MgyS+ZrAFiXr7f9sNrbuElEWWRSSVLdYPb0ZvcZKISpf9EEt1lP11cfbB9svEETPzFrW/d/Ygif2Yf/fHdhNO3Swx1QEsAgqwM/H/i+me2OMAplvqVAxPgJ560GGIDLVhdUxsGM6qsn0/4pfdbdGAF38LncaBQfr5KNg13btahB86tw7cW5Shr6aqgmwrKAyGqr48+M1S2mAEnlGaXc6f6avjy1EJpLzVp6T1Wbd6tzHnZWuOTFht590Tb/NqSZtBWD/he8Jq7dq/azrdBwe4LhrsXjZzW6p7qOhMvp2F3GxsxJzAPj3HMMQaWRoV37ZiFi3j8hv9zAOvVZeB9o6kNfGBRIIoVwIme24C1l2qkueXQJK9lc38Z/5ikA9AioU/lvHi2wHF+00km70Rbi9CI/MVWNkGBYIrqJu+40ZS9VNucpR9AGP9OCbgQlUAiM9PLzy9ZK5d5gvidbZLh8yJSkD3/nu6u7mL3cKeKcCK6MjU9KWKToB9XOK71hQzYoSA35w9L8/R8g1au2nEY0tTkubAi6Gr5w+9KC6zcFq58GKRXgPoGz5X5QTFUG3AAjUfFhSvZecqomLm/4T/lXdpIxBRsAcFuTMN99Ffz3Hufk34UpOJ7dQgxksE7PnQO9yX67aPgW/Z0IZ8kpxVbz37FSziFGeN3oPXAesj9ex9Aj/Au+zXTabDZqwXXCLA8L/lZt27ddFOWWNGW4ZnVT78UvSuhdNIvSnT+6auwWvG8j1Z8s5yJbeUPdGvv7pYevFNQmRieOWB4DAOSYhgT0NQQR3uRegutvLEy5ggunr2OInsS9QSXSZKW3tDJqieRCvOUyh6LTDSyERnuRXqcYWsfpqmhaya2FJgfOq4pKdu2DeQ5FjV9StDHGxO2VHC4EdNlON14yu+Z7RKVZRYro+43ZKiaG7D4SVk4nJgTXg3MIzVLOlzHDca6jyQOEHtC1ovqwTLEn6M35TggZL142OFp01qhwHLXj58GirFaUNX4R4FmwQay+LzVnOxoLQYtqhrnlQjaLSpJ4QTsU7D2x32PLaRb4xP5f4LbuTPBB/szI6tDlDVSozDEBEET/Ck//Ykgc+vpiewVaMN+Fhtgu2AByAA7OPn7c4pIDCU8ycJOY3V47DErF+0Mdcd3rD+7S+5i+pNdoBC3Wo3VQWySlRZRtSqpRjesn2sW2WV6nGWUbY9/UZa00UyIOhDqf76TWKcRNxHcHBdnTH7uN2vNnTgAm1ivUxEMIbMMJ7dg+Mei5C0ecy2vQ53hntUPRft4Z6+LPz9ZnHRYE0ykNw5uzVLVVLL+6Lii/L6GgEwmabhBSLEedHT0x1IxDvfS+jMzM9LfJRrwAPuTKwKhoCgwHA6dTp4ZKAa3h3XgmApe60NZybIA35ggZYVGPopXCud+6w9wZ4sTJ+4/YVb7Tp2VrQWpmo/uwTLjVM4+IsKETZHPtzBC4OtU/jQcK4SmcJhYikPvGa+/pp9LQshNTld+0n/JJMs2pZZhrJkOGVxvqEav0rcA7+5wJF+DgxFQyb+N1h8HLQJ92j0j/V/ApjIzCGjYxrLE2+uNmf3pnpN/UT+lFqU+dm81jLKxBIec22DJgKmCfa5XxBylK+uTuAx5Sph3ZsNAmfdqfqbUzfxRIOfve+08P3azP/0cdQtvdCMfia94N74vwOkf2KPe531Bacon8MzQtpDfO5DetixdOXUhl92s4iCLZ5LWb/JSxNx5sns+9k6DKCjZtI65WK0kwYqySQjE4F0N1ntkE4wmiY+Ce7UTqXs00DZN8F4pVzjpsc/UJGVteqnPLJOGoEqx4KIL0Fb89rprpo/a0s1oz0eR9IUDYcxjiFdK/hBWTUcGxH+dtidUgC/uH1GfsxFFRi0wmFQ5z52KLa7f2Nn6CLCO5Wr4hAkXWJtF218hWXBjmk6SHc4Yej6X7o4xkZ7eZscIJV4lLx5+3D7mOxzQ11urdBz8gFB2qxpp0MTPpBsrY51DWMRYyvnW7HPYXSgZmLliCXiXrObgNCoDbgR0lcwn5WZYcvIU8nFifRnmS8bjvPj3x3YSBE4lc/i093Em5sJKmjChWc2Ep8zUACPVsjXhH7bIR+n8A/hEjlgU8gpyz8uIzBAIoUUCKOri3H4fB9/JpMNQsx9kQVHB3kXZY5UC8yAREahxP7wzSGjjbzBCwsq6JFludidITVnlhMFn7ZJ5H04cHBj8HKXeG3f+Ot78YLfdn596ziMdsPsZKIdRCBWjeL6zR9BMPPZT7qJlXBtgwUw2abTMvsdVzRBtAERw5vG5HRCoKVS9FEFGM+SIPXAzuBqZwl2B8NSpwK7wwZd183Hzxr76821rXlitgKhWgBjZsNevBZ5uJFWuMHIvIaZzA6dZWRGUSZUvWsY1nb4r/A7lT9JKKNAvnd92p/r/srlyqiu7nA9DjQO74mXL3cpXPLKvUYlob7aqh1skhZt5WpW67VaG3fdAnMH1ZyMvPAsmuZ6V4rJlF+w2nOZJCpEs1+vJ+CFK398iGFmEn6VrUMUL5h5xn3IglI50uFu9ASobOC4/otT/frq6BQ3ucmlwz19m413JAtCcHr+nqgjFS1aLKC/tKSIq9Q+PNo/kePynZcap/BaPNHs8z8qveEt6Img7w3+gR0xOq3MH/77qPdaOL3LRZ1qr2Q2fO9DJoY5ugowXQisj3FCmJJ6D8TxVRe6q3hQy+FJdvvFKYvIBDmAS6REXs1Xi71HdGpeTaNb1Lo+Shi6BwzHlw8El7VHXwupoe/mBuPWjCpveBx2NEQoADi3mmcWpY0Ebil/drhQ3XgpurKkTFi2HYdiVTlVQYiZgquGTnV48CctodBt/JpKu/Q8Zy2lUObUX+5UBj4F992pgh32xXJwlpIqbIis3PTu4/QKBMdG0yrb3JRO/FXUqRM+BYy5r4QopsO2nqEc3iU8nW86QEnaIRXZ0ZiqSPcdHYpi+vm4jfhmM5TmQQT9YwWMsh1EJS8+CnqXXY2EHfT7Ot3eWJGUm5RruvoLkhCefbquiESZ25wTJLukIeVnadWS21jR3zuOdUHGQoNUYudwRwJJS8MVYkxQqHy86GMXbOv8xpf3ghTi0JNcsnCr5I0H1R/GSNaUCIyuSoB8JwEH7QY9htTUnTnbkfbBJdDn8TNHvPSTgJKobPeIQxagJdtHMVDo+EhenftTN623H8s6ECsDC3OquHuMisf76eQEzPTeiK8SGqDQSWgb/WYHGdIhEr/4OpQ5fNYsvSR2h2Zqag8EcXmBr994OmjsLtr5YQor7ooqtGaWFHQho/y2cdi6BGISsMaAtJvzSwv8ENTLOj+s/k0K+0yPzzrhBu+ULwkBZhMRx+TGH6Q5hkprc1i5J40mB7I1+s0PMV6mKh9UvyKw1AlQR4DNZSakwWNSEzRq6MPoAJ4tMaWaLTijjJsATevc24vrD7cqfVagAme9GsTcFSf/+GY8vqDhFOtpESAtERamwAb+mZPW9cEe7sIt2jJIE31OTcX/IpnMEuEtWfOO+j3qERc8P7P/LCrjX5PaO4rH7F3TVs2w70XsL5xAN6S3WTmE7QeMLvaySNQwqJ51ieQtUafSAiI7FpSa8rY3ZjPax282WvSaEqGbOW1jWXk3u5cXfj4XdPpJ5hRoLXlOhHd+PHR+f7wMD6MGJBtUESTAD7n76E74xk8Bqa1QO9n5s704L/JIta3xF+Z2+GRGvo1aZSm02A1MwQ2YGctTXMvHu4ZPVlBrdL2HOp7RpBu5CKnpSIjVne+g5uyqon9zf1DU0ko4LYJrqiHUpvz9Hb9+3vUDXxTclDRVIcMuueiwSK0H6G3e6Ct+uHEAlKimUXmIdNXlkIxSsZG7sql7uZtURVjbaeDp1f+GSAPcHn5OvA4KbPBlFgwov60Jhykmj4HEi1Vfak6L1i5M5QhatKeCvuf/DnENJ+ViaFa//eLYuD9IiRYTPjAdC1exCxt+kiY4L9havJthCnUgaFYXjIc4vWY0DPMAmJsAphvuHVtPPTIALvX+VysM2XIdNz7tSpNQHN8QWCBr7fMbu651wWK1FsInAsljn9SeslQqV3nBfED15v1a663QfmLVsZ8Aa4gZa6AGjbXw4cVEm50Bmq1PuWZhSu4g61/p1Tik3IWOONUQnz8C0wSXkq6ohWRGVS+ulJ8yAaHqOd/S8mG8r4H1jFYaya1VQaOSfj8J5/wQX7Y9M+6cIkq18gm5BguVQHrMPm+TcWC4i97sKjEWdty9ZI8+XH0x5mP0eWA7B5Au4nn7TQPF3xWF5OfWELEaL6M0xVCBiEO0jwezJ2sY+rMhrg5tAY5Zxs7XkoImVSVr9TOeCtTdvGEA5gCdk2KkOsvJfLa6ns7hy6GVYMq2dxffHkc8RNsmdIWJmWBiIEYzOj+/Dtp3skDk0=,iv:pJpTuFzG5UOWW1Qj2lEA/mkuVk0rLC2qgbj/gPvb9ME=,tag:5IzVeOA72EdI37xNTs2FFA==,type:str]",
+							"health_postgresql_password": "ENC[AES256_GCM,data:joy8yyNGCtGGbZFEz0DGWbwgzHoZpVfhpkhu3U/QwEU=,iv:7gycw0RAfoKSh2bchFSnasPsDCoCkKoKajaOi2+ddJU=,tag:RnXceteRELDlWoKxQYBKjA==,type:str]",
+							"health_secret_key": "ENC[AES256_GCM,data:r3fQXpgvSfBc4cswLkFjUgQwuGpj6zUOGYsseUgqHupEjq8k7oFhgavbXEfp7iSyFKU1LXavssHIpdAgMj+xZg==,iv:RJGxKUT0WB829W97inrrXsK1GWlh82G5rstKgiXTj7g=,tag:yhtRoa9puoeoaMcuOJvjjA==,type:str]",
+							"hmrc_mtd_sandbox_client_id": "ENC[AES256_GCM,data:nTf0xVL1+QpEriopS69SgPwUxSdRq8AomsJNEw==,iv:/gsiOdsRVV3HH7KEtpcPqUz3UnetpBaAzhN93tD8hWA=,tag:FTupehBhOaztYAapaILpwA==,type:str]",
+							"hmrc_mtd_sandbox_client_secret": "ENC[AES256_GCM,data:8Ww2+fdekCuVqD5ApA/wUrKssa4t2PTSytfM7PRhjhKa2Yre,iv:dsIV73W7WyTYtXr1NP59wjYn/5U6JjQ0E2XEWULek5c=,tag:wFheqysw9wAegcRoUi1DMg==,type:str]",
+							"hmrc_nino": "ENC[AES256_GCM,data:RjxL78iotAfx,iv:tfN3DosllBLpyX5k2hBr605FOFSloTdv/teC5DVMNSI=,tag:susteuae5W3xqZb0kZzaBw==,type:str]",
+							"home_assistant_configuration": "ENC[AES256_GCM,data:uDgQS6ayKm5pKEbg/Ec73NtGBkpdbHqkDBrc4IRHLJ7pO1/XtSVr972GXzb3O0Net+dg+Ahck75sX+VYUb5+HZ4RYKiGgwZ/VM3TUHigJt+6owWo34+q7lcLYpaFpvlMv0rmmmLrOnBOt2gU1kuy6o0ILsolLPLd36UABYYqz4BAPN9zyhfrgGcifBBLshNN1W/OmOxhZiUbfweEaYG5jIlm9aU0VRQWUE5GQ0Hefxx9uqcG8oiKFoe7ZKzKESfsi3mrrcv94zybPdjG53JNMHtQey+5ycfhKcxJJXia8mmkBV/ikgU8X6EzwutiMPvGXLPRei9hbi6QjVVbIB8hTJ9IcJp6l3TQ0pRekjlHkNAK4+7MpbvyBWkWr0Po2EvyXvcphvMDdhN3suDHADExhsK8J9yKBvJxI0E4VFEc5TXrbBh5GJfZ8KeGUpsaPngY/2u3TfbRgeAO1nHjNFmW5ocgXZKTmGzMXECLDsrgjY5lBNOtsR2+JUiRMowZxq766F5Zzf1w2Km8JoTY7tvaPYZu0BgSFsQYIlRYew==,iv:k1uv4OOX0cOJ3PuWvNyeqSu9kGVZczxcTxTh0dUcgFM=,tag:/0I+FumJCloUUXG3AVnZ2A==,type:str]",
+							"home_assistant_london_password": "ENC[AES256_GCM,data:0zMmCSR0XdMcniTS5bbwLeDgrw5gPH6VVi/g5qe6jw==,iv:yt1weprWQu10j0W9cEEcftqs77HUTCMfmmrmbBboFvI=,tag:POQuj8X3C34OGoveNHHLOw==,type:str]",
+							"home_assistant_london_username": "ENC[AES256_GCM,data:zawIULXIbAvlmUgA,iv:cseUb7oGh8JpJt5kmJAUSP88kHcqb4N3laG4uNHSJd8=,tag:Kgnf/m+v3v77ZKAAa9dg+g==,type:str]",
+							"home_assistant_mcp_token": "ENC[AES256_GCM,data:q/plU6PdoSBDbKCv9fWHtdiEAKerSpfxe2DSzb21YhjAMzYd02vOkS7U9g==,iv:/TFBdwqrPGLK+sN4n2fHWiTEVPPdspQGPSB2Z6DyE7s=,tag:TKhJwntgPKDK3pxp3mxBgg==,type:str]",
+							"home_assistant_sofia_password": "ENC[AES256_GCM,data:PjrSxkGlO826L3jDAYGXXv0YVmo=,iv:kcodGCgZghDAt88v0y1OOS9K4+L0m/e3Up7vdZgPnv8=,tag:e6i7hQzVl6Xvie5ihOrzkQ==,type:str]",
+							"home_assistant_sofia_username": "ENC[AES256_GCM,data:m1KiJCD4YA==,iv:dv5cffdfHM3k60OVD7HbVrQ5F/IuTDYOp7ieUpN6ubg=,tag:0lUQJgFlxqHc5v86uOQiLg==,type:str]",
+							"hyperoptic_email": "ENC[AES256_GCM,data:p+mTsAdl88wkFwTzrv9C45A=,iv:Ng80JABa+8ov6Mhe7VjfZPCk/RkMC4S4DeA/8NsfLdI=,tag:8xg07C8U9P0AlR2DdmyzRA==,type:str]",
+							"hyperoptic_password": "ENC[AES256_GCM,data:8DT8FkA29V5DCrwgG4A=,iv:99XjHX1J4m58Jw9wtF25euv4wCIBhapxjnJg2TkzWO8=,tag:NS0ryTT4biRSLvyrURdBqQ==,type:str]",
+							"immich_frame_api_key": "ENC[AES256_GCM,data:i/82ao6vBRnXgLbGJan5Ll9cvjZh4a0pL2KEWfqcU39gIKRLUplZ,iv:159js+a3llxaX1J40vdVbbR04MiQ1RgKttXz3R7jQBk=,tag:2glgLrhp/ZgZv7+gcgYkfA==,type:str]",
+							"immich_postgresql_password": "ENC[AES256_GCM,data:OxKyyFSK,iv:FVIe+aaK7hEdzBbGwwh52qqjvPfd00dJp4hQTI7FWkU=,tag:og11OPRc7sBAwUizYR6+ZQ==,type:str]",
+							"ingress_crowdsec_api_key": "ENC[AES256_GCM,data:fKum67W3P/aHFqMJ6j0j1A65+DsZtp2mHIBrBphQoaHg3rWFWUzEb865bQ==,iv:5RjESQKYQ0ZlihzczbhvDIm270hDPM6YhnHmOtn7d/M=,tag:OFj8UzwgwwDkwoxkA5hOag==,type:str]",
+							"kea_ddns_tsig_secret": "ENC[AES256_GCM,data:Tac0kviu6x7QFqePfzyUiBqRFhXeNjffjiC2w5ASqnBwIbFvUboYRpT2FTg=,iv:DFbZmdSGcRApRQkMRump7Ehfz0szBO2m5EfCqEd0FwM=,tag:GYhyiBJOzpM5YrI45gfgCg==,type:str]",
+							"kured_notify_url": "ENC[AES256_GCM,data:FpChELuSC6S8uAniGzXmrO9SE4CDiTfdz1y+NOVvVaOabWf61CB19czBtqSiYVdf3uBGxN4P8vzcfTD77PJVE7nKt3X+3VNJYs4yzStJmH/D,iv:F3PO/RsRI5hBlocczPFtB5C5XTJcgYd5+pEis9/KOOk=,tag:Gnv1pAfIIL7TJIOKSEQQlA==,type:str]",
+							"linkwarden_authentik_client_id": "ENC[AES256_GCM,data:k7tY7epujZ/xv+JMpbGndU9l92amT+t8Z6lyIlUyIxG62FHCCr6D1A==,iv:2uvlQeMusB9YD95hCk3qCrPbznVVZpZ2zJ9L9y4xu8g=,tag:PZt7qtFds/LczdIm1eKsfg==,type:str]",
+							"linkwarden_authentik_client_secret": "ENC[AES256_GCM,data:XiQfNaxaaakqG0JoHBpXz8g7Fha22GxkMA9kREETkdy+5g9QbHKcdgElWGJNRPgj5AEysJ1HlSVV++k/GeAUgkLyODq+JOhR3Y9xxBO7XJEMtNRzukP+TB3MtU/oSKbj/QmkcgL5XPv3G5qem1aARrXv0O71tS01miMw6lQRvhg=,iv:1D+nfSCkXEJkQ7uT2PGALnpTOy768vSsloKNCGmvTCw=,tag:BrKNOFYSowH4+QkxqPz30w==,type:str]",
+							"linkwarden_postgresql_password": "ENC[AES256_GCM,data:q18gmq1lTVle1ZdOK+YpXtHsM25dRAqjEjltsyZyChQI2eygNooQ1c9bonWmf+rnFanJ,iv:Q4WX5uB4g3fCj8PBvTwl6ODGivWgK4cJW+MksRRuGWo=,tag:2vSPsgzzmjdEoNHferyxyw==,type:str]",
+							"llama_api_key": "ENC[AES256_GCM,data:iElP9Qm02yp8ktecZLiTS2Z5yFDaqBCbv9ZFewvs+hPunLn3bPmO1sPyT2gogff+,iv:J2G2FzqupMgI77+SzJrEXZ1VOoi6JhIhD9h3UB6t7V8=,tag:i1+E5v9DVw+QDYjHECUPAw==,type:str]",
+							"mailgun_api_key": "ENC[AES256_GCM,data:9lbJwjYpq5p/l9KRBt50/U686b7b+mIPQPc3tBISXCzHqhekhurPhpA2SkgancS1ycE=,iv:tqg770YG9zHsdRQom1jnnodbgNOyEa/4ajS3GfnS+r4=,tag:FhYJ0bpBx/eJxSMrZ8gDzg==,type:str]",
+							"mailserver_aliases": "ENC[AES256_GCM,data:Gq1+ytxWN+J+fFOXvdiEqNb2h1fL/if9Ukgx4+j/78/qDMbtqw1f2HIeDjqut/KU42ctNPyb9MfsqMqoUkRRMgEXKeDGxHXF1DshOEAFKgbiGRKYzaw8EE+/26iX/aOiDocATkKEUsNMSF1N415mSKrB+hGf3mDtdV1uw/pQ6mtpZKb46EPG2QyFNt9IPRdJqLrsSmSpC4F8TwD3dHz2TvP4T7RbJrv2pgcksgUczWmfLiQw2N3y8k/DgIh3bjaEk/7TgOUefJsK5eksL04tiyMYmYnzXEqupgFmYLEv/UCCJAi1gJaXAKNZJvrEa0jONWYcDhIChW5Rr7woMF6sH3D/5RT0QWP9ChmwsniJkzCdXrhvU10vRXWGa9Mh83yKTD6rpPfIV054Nz6wrQZTG0YHw3MHvlS95AJS+ThDdiV946efBfEeVsqBaG2kmFTJFYl9aJ1XSt/llkpirXE+bGOoVZhDyhd3S8pR0eU990V133OoWq0VPbH2Q8e6MZgHDHSE2osZBOgrR3xM4ELpuWTK/ks12xtxscdYX/dOdAdR1U/O5/fKc3rByMHEIUn0Jm9EWp6IX6Xc,iv:rnY2j9rHrqSraKdQcdSfvsoBfamgbQQ8XFijFC/2/XA=,tag:Ly+2M0yzlRbT6/wVhntTPA==,type:str]",
+							"mailserver_opendkim_key": "ENC[AES256_GCM,data:zNw6R9GLQAIv2UhGS4DTox59vDTuRe6R7AzSBzZW4hSJZIOoquVvv3LXEEmhT6FOUQ1ASYWsnAx+ZLHETjjns5yG5B7FnVHh7GQFqPQeWiH6tKQBTJqP6BK+jarxp8OsX1ogj5KBieZssUzFjbhuVPS5FW2hs697O2qXtotdVhK0JaTRYfjUdOm/PJUUn4c9n883N0GuiR0A4gxkhyYZOx8Ct2+Vcoqk6M/k58OZADDbW4fRSJyPzNQN5jXK/24ntzG3Yk+TCmaVOQdD8MlQFdoTllHHjSWBrxpoJWu/GNUXw/G7iXpH2f+pMKha6S8yZws/NmGvw/Z4sJgYd3mGlIMwoCLgZMCM3UUQbGCHVXzuj+5nw/da3xsUiVfEVdWTchHLtjp5ZA2tcUzu2N38x356zOyI/wAIFnjcpOypq/KQKJARj1OqqRAiA2g+g/Mi0zEFvWdUBcA75kX63WbM/hIN+OP7f0EhAKHx3ptDCEFbkplpGgMVGMMDVUFrkTKdpwzLdMDbT5DyJSVdq/pt/OOdr9h4szoqkWSTTnpFf7cyxOOhYMw0bTqbvpnYO46Gi+caTnJQq5kCZu2mM7FEqE9yKxWEpt7kxMmQM+IKXWc8ET1kBbQyDK2Nvq+Hdckli82U7Lo+5qbHSBUbAy7u2jnYqjtIvar5W83MIqJO+UJBrqCIu1hNLWwMkYGNU47FXkeUTwIk8wV3Fnb4V0VpGJyout/r429v+2kMDGnzbI/1Gb07aiR0LUBMdU8w01k4TdjkAx3V7Pgnx4U3aS+6+ypxAc5cIDFAX/5XVN6x+tDVUeAXUsMd+xqSIyL1sBZggPl0iefisgOjT02m2PZRmzJjCLcv9BhsJMH4ifLyzl+0xv8UuxeLFTpONJkDAwX5EuCINgC+muGdGOXPXjLv9G9h8Cn3qpR1WlIwvm9On1ahAq0Jkck5X+QU9auuWybgSVyQhGTvi1Z5n9K+IyY/GoCNHwDsNchAFrTeaIzGGWXD2nbrzOSJfleNaN+f6kXwbKqMCiFsTfzIZ+RX5zYHkRRsTfvEvJOh7Y9IqcN5wf76wDBHXK/JY5ePeJdIWQUaUN4pESLkXBXBI1jNaIA/4qbIwvy+AdRzN8yT91C0KYOJdhq5pH747c7l+uqqYsMDdy5Hg3vB0P243ByzaxUPopvWSlpz+EwWDTVnr6ZyBiFwPC+xo1wY+Mz3sd1iBUjShi1/Cicwuw1pQQ+R58RUKW6+uiq6siI92ItkCTpDSFareEOxKOC8GNXVEiRDPEwixQ2QsX6Ll2kc8BjIwzcZbzebESocZOHRevop9V8Zf12Rlnf6sv+ZgTfX7PWNUv2bIuvCC0iiCcI4mdqELEFCH61GCYaQJF97BBViAFKVMGVraIahFZHvnsIiTMBxjvWjx6kf8LHxTphkQcAT8pFlg535khcNdRb9ao3UnRiH83hxseaM2nLTCrwDpqt65COp0apPo8hoEN0zHfEggOfUHQsZkw9jzMsRrpq9zO73Ay8uqjdboIrEo+KaW24s4ySA7foLCJ0TGwOnXO3buxT3MTak1DxyqW2b9veJFv032ggptxAge2v0A87RX3TiErpPn8SduWkPwEpUGq3EgZozRh/RbOcJGCKGJljHO0V8oj2NMK+wfiCgbWhnx+jPsTDZpDwNJbmE8i2hQhcPDhJ4xrhtKHettVQHQmoX+/e2tQFmyo1tNj4aI33t2PB6vCKjSiuwp7CU6MsoGOrpIP1KIb+1QbCX5Qy6qvB3+WidPfW84w9qRxJeyDZl6m76kfrwukcSCp9IqeG0a3aVJBjgnIP/S/CHNNb0Yn/4H6whaLOa/mnCYOiM6Q3/dXkTHt9LqNNViLWRMooN6S0QeKp/NwSVLKqYQLItRbJxmiN/ThfD2xciW72A3SBWESFIc69LECVgEYIsL7rwE8mj9n9MhgxKwa5oeD/CFVuT783pGkChPMmGLvojs0+2NP8tlJ3zjL/AOOZr0MkzVmpLpWM4HBnu9FoMIHxYJnPvByosjZTtHFmGBD7h1md0SG7NqNkVrx0Dt2XeY0zUPHOtIrn4qZxV9tkbqDqoEFeA+sLGfKsqGW1aZtvpNxGAWMivI8d5sBlPlM2wHQEXPan1/jyjFKVCZ9E6NImfjq0naJWnUksp+Qg9IsbJLV5wYVMARZdGECD9yDt59p04A0MHQTLyv6wBA0YBH+7z+EGgvQA+ubwkgGCUjNNzE6zQuL9cKQ==,iv:dFGV+OxCNMMQAG6jYesOxFEIg4ntA+2eIRftV4ZcECU=,tag:+pU8BwSYHUYbJsm/rY/Znw==,type:str]",
+							"mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:Kdx5rr2y7Sb0zo4aFlQ=,iv:E5nr2JEGKBKCTCSV7KtmbUoovoGbf3taXw6Yw8PRysc=,tag:z/HIbucUk1Reb/2nfcepaQ==,type:str]",
+							"mailserver_sasl_passwd": "ENC[AES256_GCM,data:r68uUL2xrmy1dygmkrG21AAz9Wo/XHnaIPoYRd++2+eY3V1vV5JTJRIgb4CTWSd30DQGaAcD4ME16v2rxAZjcNBpfGuol4olctukqq8mTLTwrWWnfxU0j5rCKQxIe3E=,iv:QP+p5HzYZ628WxkgMCA/6itrdHgzHh24Vb5bk9ws2Dk=,tag:J0bsIu5OED9C1BfU8oJwWg==,type:str]",
+							"mcaptcha_captcha_salt": "ENC[AES256_GCM,data:qYBXTjp4wZkpPEGI3HE+AQF7vpst/S96t3BUQ3lEEwhiTHdBfX64xZVzxrcV1HMAQt8SfWfOxqhhPB0Nw6qndA==,iv:/j8s8RTWGxhdEH+ac5uko1Bv1qXq3T5FoPNt6fQttL8=,tag:qIai6IqXmuDwnKRlLE2MSw==,type:str]",
+							"mcaptcha_cookie_secret": "ENC[AES256_GCM,data:T2sTArN1E83qImOAoDf5OVtnh2a0Jaeac1I3yvEqpq0ahPZtstukdvW2NkKMDME1lKCrw4f6vsioWwZ02iYpKg==,iv:pKK4LZ0pkQFKevL31MSeTFVC2YDNV0NFqgU4uDWvhKw=,tag:RQLeaWKACQ8cPPwf+Z1YHQ==,type:str]",
+							"mcaptcha_postgresql_password": "ENC[AES256_GCM,data:NoDCveuxw8rgZCDykBHSBTQaxDk=,iv:ZhbEW90Oj/izBKtVEJ2t/0o41lwL3ctmjD8Nm/CIMi8=,tag:C1085o3q//9P1BpiFQHyfw==,type:str]",
+							"mdblist_api_key": "ENC[AES256_GCM,data:Hty4V47iVikxhwmVTRn3+kUtbLB0ZkG7Xw==,iv:IPqNaFL7l4C8DqlEwbhJnogNuKDJyMmP36c4NidF55I=,tag:1P7jgG06U6BPFz4XZFmh4g==,type:str]",
+							"modal_api_key": "ENC[AES256_GCM,data:IBj5Y9y2UTPwETa7/pHKvGrf6CIZfSVLrST7wF1sUdpjEKbnEdDDgSNn2QMiVQDaZBvJaNrSnIom,iv:STeQpRSM1BLR+81gpI7sT231JTQUHDKBPXUF/BBBk3w=,tag:EBSu1juN8D3YCBbeCqkHuQ==,type:str]",
+							"monitoring_idrac_password": "ENC[AES256_GCM,data:8lKYbIa9,iv:Skzhhc89/PKctWZUMmFeYLhHjB8CwkHZbTdelTxnEaA=,tag:6TqhD149kxFnmVu5UKoJDA==,type:str]",
+							"mysql_forgejo_password": "ENC[AES256_GCM,data:8vtR/406kq9zxoewzQk=,iv:3udKGxm53DaDqbyQeKns49cOlCBfjcIDn7SIn8xMRhs=,tag:UaYK/wi7WR18v3LPgLjpyw==,type:str]",
+							"mysql_roundcubemail_password": "ENC[AES256_GCM,data:VLQ5DqwXg4cr/wAUYWg=,iv:hODdRdF8AU/iUzrtlKqZTz8f5CQA4EtZy+yjijFnV7Y=,tag:vzWgp4ijQ7FtpnvXoFFWHg==,type:str]",
+							"n8n_postgresql_password": "ENC[AES256_GCM,data:P9C5ii0d97iGXFZRMtU=,iv:+7QuTCNfhmktXgzUR41j6i8F/LzOy67uje+eJLbfh3c=,tag:mutn7AH2h3IaqOG9r4cshg==,type:str]",
+							"netbox_db_password": "ENC[AES256_GCM,data:1xybF4wNKA08LEI/68FmvVnVLfE1ow==,iv:9WFahjRiM+uKyGQ8nMs1aAH4SUnk45mqwDcHG436W7U=,tag:h3hoqeEDzbeAQ2qR0v8Vmg==,type:str]",
+							"netbox_superuser_password": "ENC[AES256_GCM,data:NORhl7uXhFzd6RyZQu5EDSfrY66tPRXDuuQ=,iv:asYVc/6syoVo1oUQsJ40QEw1YOj3l0EsesDCvyblVko=,tag:0iI5ZAT8t2oe3NZCaYXBLw==,type:str]",
+							"nextcloud_db_password": "ENC[AES256_GCM,data:SsYA0OfvPdi3XCbGKcMXVw==,iv:MfK2yrICZvQXy3U/4UuCvI402mEzwMGZUBbYiz7Hufw=,tag:BNN/qPnK8onksWPH3QT6eA==,type:str]",
+							"nvidia_api_key": "ENC[AES256_GCM,data:sQBg/lALo69RRS8NktqpbLw5QkLADM3z3YxW0Rg80ccQRAeZLE+oYwuayBbB1zmSQdnLwP9RikdtZDeWARsMZrKTzvP2Lw==,iv:VHJdlMzfXBFobW6I97tP3w7G75vxNCjaC0M60xkK+R8=,tag:O/QXN02qv5wOBht1wM3e/A==,type:str]",
+							"oauth2_proxy_authenticated_emails": "ENC[AES256_GCM,data:pQoUttahUwoXxsebcWcYZI/GSKJs6iynWzh3pCuEtxORsOPY83mSORuuV47cTq/NzF+/H5fqj0hvMp8G/bp5gNXXgzy8dSeWAXboQiz7RuyPYN7XZGiQ6U/1Qtq82ynsnGfmvF9/i5Dx8JMrAd98L2/y7uLcqmIDZwMd529WNiISCjphVYaNelBPMRsz4X4Saxqi+zvHcVSLItK2Pq8/O/f4M2nQ4omTDFSz57bhz44qrSAMu+3/rUWGyKnAhxCKn9wd/WvzLHqEVeMqjFZqoRfCFt0b1mRsWnY6eSomWwMZPGCIBWqCqk1iSrawF0MqWu2nFUp6wMrPFhfKtS/o6gUbARhk8NjWwb0h40Zf+9Qo+dMDdeYDbE9MHCcqkA3HAWI4oVSASHyP0gi7YOgscQXFCVifq7d+X0szjUlijiR+IGq92GXpYvYqRQNFlugMv8zZj4GTbTOiflNb+N7E+AA0ZgZfExP9M9vTymFR+YsZnOiiefWLRqXdfw+YKDZLiHERD34lFy5hOspYqK3pBMlIuY2dNwEj+iDLUv0SFUA628fkNM+xk1h4eg2Kz5R5+9+4/vma1+opqeqeA0h4XoiC0xB/Qrn7K+xg4xwKoi1Z8Hd389GsC6k94TxmHa62fR14vRv8Kw3fPp+ZOMqwn1QcNISucxbRfg1zAv7W2qbD1+mMn/BrtcGlHYYel7ooE1nRAVpS1syHmFpY/n9ksykzzPSUYVKgXUFYwZSl0FuoCORKFHnJAjtb63Y/H2pBJkVO+beKt9w7LjA2JT86285im+WgG4ReliXUOuUlwFAU10Da19S5PXdhGsr1zdwYi5vRJ3XbNemL/M5uOyTPG0T9Ihf4bQwcRXgqNHeKwRxC0XLdMl8CK7hnvppNB/Lny+ToEVE0n+vWkGr7rWFXuZZGWs8dtBnDdboqCIQPITmwTCgBeoNvmdFx1jH8uV77VuWHEiSGdlTOkV6VZ1PVlPDrEhYzSBp6Vw2I1OmH/Ya3NO8k/NAOVCjd5ompQgo4oZv1InSo+Zc1e5/OtFQ8ap6odcvmmH4FvYxJeyi+wuMeaawIAnpIwfoOHUmU0b0llgppZ6VKd3WDeyOIP+JskWdeeseRIlYKmZrhZv1UWP8ssrj8ARF3+T28w5FBawgADJxeiuVXFEvMYNSwmXu9InF2bsczM7FNdmloY7BHeK7l+uZdLsDtbACXc2iJeGTWFO0UrMYs5iaSvliY/SD3jYjukVN3V+tG79GKIxyAO0maxaHAt1aSOjrYq64lvGoV+goMa5gwPx+xTq2Kd3TIyRSQBTVvLwuNbtEmfBBoc9CJpNTJe4wrAZXVp/EHsLSbtywkVL5TSj+YC3Dc6BNunD4jYKCBaj/+DcqQEnWQTOhhpTKD/BIgDH4C7HXqfrk0gQx56SHPqeJACsfWlSLhjDLVZfE9MzjeLhtu8qYaDKPl5afRtqh1A7fgaNbTEZke7VEKiDJRtYWfHanoOCpyVdNZr3QJU5yg6sq8nbI/e0BU45Y+alR6GMiLh4fNVQGWdlOlrpW2Xmf4md196IRvX+TL/FMgOZ/5D9Fj3pWhZ/ZN6ob0Q7fxl7xFIv4OYpHMzxbiWVu7gLIblCME2V9epLNQSw9o+iVQYE83lNuvr///6ipSA79yt1Clowmrbr8e7aPqgyyXgszjI15k46jdfyh3pKlsWaCLLLkbVAGM7Va/e9POLy5+xIJoC+cePqOlGWPFr+kHtxZ6b8W2GOG1/bj2x0Cn9X0gqZJ7AbF/dFJDhJmMNL9420auq2vxPxulO2nWTOYdahunuOVgZsWdBKtmH8nry4iyJzE/DvBnKO9p9Hu3xxZYGIW8fOZn74bKHyeeWogZkOn7XpyeGqTixZCIkIwicMqWhXAkDNHgSk7Vbboec+lkRCiDT0aX0cLKSGG+Q/uzDEw1kNZ1w8gSKR/SfpdkeYS+Jf0SPH1EkuaH9Xzgx504ab8kTpMy2QdtDmKuInbO1rwJOUSrzPGssxdB1gyJT5D2ercsumTL/zGh1KsRd84M7mxaD60xvpGpkAP25IgynT9EGbw7ajFmTDJbkUR8rhCA6M1560Ey3qZJBPc52t9UWYZTAAlIsjO+kFd0wTNwi8GET5Hx0eZogJW3ndloWwFtf3Ro+O7wz/xA1hXHh021p2CeZDcHQnB2Ab+rr5jZulk02lZDhLSUU40J4VAMbimFahgxv/qhLFzyMaW6UL3TNOHhQ7MbED47/JqCNxJjz1XFx0ETexK6QYbIvrTO1hiAUHERAFLLQ2VeiahxsCXMREWRkTAGpBi/b9hZbcenRPlH+NSugOwm00SjYm2SgE2jRYxmRDimm3WFQ0xIx7qLNsDK5QEgU1P6WPs6QP0/NzAkC57y+0PWZyBeJrHpXkCoU2pJ/Uvl,iv:+q6hbQG6ZClW5T0ElOJ3K54OyLc/xFPRXu861GwZ/ZQ=,tag:JgDpDsNJWPjsrrHpWfUn0w==,type:str]",
+							"oauth2_proxy_client_id": "ENC[AES256_GCM,data:AAgndmaDnprcWJfAXkE5WciNB66vRTLu+PxiwMMLUxcY4WTdvZswwUfYa4g29OoMBDJxAjjk/Lub2S9oEim7PqIrOO5fcnAw,iv:V7PrtIJWDWUt5HKDyZaSJyTCi5wkkEBsY02NUi7SkXs=,tag:FJRI6Yc9tY21wxGTSAEFeA==,type:str]",
+							"oauth2_proxy_client_secret": "ENC[AES256_GCM,data:a+kQIYAqtQj5Fumgmxk9IfDuIpzahDXsAK4zcAtOeyYFcV4=,iv:oXRmA524fr/HZlifdICVeQ327MhIAv4is3PJURuUeDw=,tag:kyCAa1TpdCdcCYuv3Tocaw==,type:str]",
+							"onlyoffice_db_password": "ENC[AES256_GCM,data:R8d4Ro5htmwzzSggwVEwx0dVBnjn,iv:FOTZmfcPKNlffrfUEBZMjov4BQzV3k2Zh5fOFPtEL1g=,tag:18bbr+NwB2mUtOtTRTj10g==,type:str]",
+							"onlyoffice_jwt_token": "ENC[AES256_GCM,data:ir+B5M+zdXdAQ22dJR/HvUwqY15J,iv:NMz7kE2aIxMQqZZuRtGUzYn5AShL7abVWPeopyXF0p8=,tag:8c+g/DhDacA37XM6RiMXIQ==,type:str]",
+							"openclaw_ssh_key": "ENC[AES256_GCM,data:0+3K0Oo77U6ZG41foApPjrEjaH1wJcK/mLa6T91gMwNBWbIxosruhKwE8uPUjK2bbVC1XIv7AHI0FaryX7KbanQT7LHjSNpa48aNiTLAPBtqi9p60BqPenve9nplWtY6cdDvY7JeTxldtYQ1PcbwTvWNJk2AFMjHRJyrHwzspc2vAgRF5p1ewLeEfbPenBX4Rxiy61bihStvp0HFbHHwPQ3LX+qdOJ++XwoKV61kj4UoKqUy/ip7vDUKkxV8LPcK0OA0mPZpNwzzYfr2Y3HKF33LM3rNVNyOQ/utgHj3xHX6GdlOT8vG4NU89bgSsY3f8+UrMrZb2VbUtfe/a9mJdYD4undy4sbe0Wjz3RdzqtqVBErtVlFLkHejtYo+QVB7VOpgdhRBvyI0H0x0nlJ4ccUjnCKrutRvro2hGnaXvW7pdslR1aC0fJ09pm7r4uygCtdZ32oOdeUl+DjOFI/CQO5hpe7fQkGrLplMxc66cuZdLHUtWtGWLccn9g5ScTZe97eHQmvXtsW6PRnng2Bx/856GqbzNKp4472yeRXgDmQEFg==,iv:l5guNiV8xug0jzx+AyxX66LkvHJt+doO3rX8sR2+QPQ=,tag:5LwP3lRN/KB7wAgfGti8vg==,type:str]",
+							"openclaw_telegram_bot_token": "ENC[AES256_GCM,data:RlIBn+26tzfnpRcb70k39pvochFkNVX2For3W362PZAD2iTBArW5klDvICuxTw==,iv:yKVsZC4qzRJon6BUVNb3xe+1/AHO8q9/ZjfYFhBFR8U=,tag:k1etFTsDfw21iP8kDyMWbQ==,type:str]",
+							"openlobster_graphql_token": "ENC[AES256_GCM,data:4kG2OLsgW5QmNk+uwFURT+Hvr0oJCj7F9FTHcOYNBqU=,iv:NCU9FhenHNCGlfjxyhtywJxOyz5S5FMHUndcBfUyKF8=,tag:i/msOJSVCR6UtnkQYMeX6A==,type:str]",
+							"openrouter_api_key": "ENC[AES256_GCM,data:92oDFhHpnQIZzcbB7sZKYcUQbOSyoI8mJy/GGeFf/a4t83d5z5kQbxm57Bxt0Nekoce5II9WLAHUcmX6X74JThvkC7FaKss6ng==,iv:b9Lx/q/tdr9oRRDdi1h+uuB/hhaFJQWnNX9DBPHVnAg=,tag:JkSS3KoZeTddBl3Mvng3MQ==,type:str]",
+							"paperless_db_password": "ENC[AES256_GCM,data:PNW4UWZs+byBCTxxOqGQfJZw7Q7EJA==,iv:YlYJBUTLNtkvWiEE3M86GmCM/Ofi+UVr22OKV0SlcZU=,tag:/jUEYsmFysb9BNy+KKJn9g==,type:str]",
+							"phpipam_admin_password": "ENC[AES256_GCM,data:Dpx7UNiosNy6VK2YBLJmmXSOuxS9GrgM,iv:u0kRF4tGOKA4Y6mXIiSeLziTfzeSiHNdJIJ9je52RUA=,tag:P+wUHKQ7z5WppiIjvACM4g==,type:str]",
+							"phpipam_api_code": "ENC[AES256_GCM,data:JOMHq8v7jE2HO4o9DzYoG9buKTa5lvtI+vC+f2Ez08c=,iv:/cNQKq3xMT2aGyNCCD3+kP0JT0rqSfisj/T0vHLSzT8=,tag:Azcw0T6OsUpPC72ksDVwAA==,type:str]",
+							"phpipam_pfsense_ssh_key": "ENC[AES256_GCM,data:qDEgwz53MZ6QofQtmxE7K3YQ/PnQ+0SvcG2DogoysSa6xF2oXkWhh5UR9doOmIr+l8q1xg4vpMs+NGnJR6gbQMeAJ6AqwNXHGCLWdNUaAVqliyFRrDMnj12UYHLlDdeUsSyOAgX2Jhb/SYszG06Pfweo+gd32gkt9bps6PQdXhWOf5j3D9SiHlpVjlXrNMuVQst0k/mGH6SIJZIfEiLD8lnZ1uIabtkglPl+CClzHjrMIkY45qP9fA2tTkYHRCKVcRZSmCjyL08cEc3eMYkX1Hb9kiQ2FnGj51ESg7Ecs1OmIGbbVW6iB6fru3xEiaBH1svOS3DaV6XnmH4zfIyPPKYitZIsBtm85mHWvKkIDgMqnbOaW2qG22ZXP+X8nA0B1MVadP6Zq/QuffMm5pZRb6ECrKB7fkLtikVkJy3j5JRcYclOYU3k6kfEsWhzCbfIbLG2FgV0Mu4VaUms+K672/RXSgwqSO4n8BtU+5cVBIQMLpcqQoH021Bm9mQ3+gMz6UioUZD3Hg5EgZYmxorIfRUtXQIyrnhCxqDgKfqUdMDhXWU3SUWKleNkreMMhanlCjuprgRye2BpXzVqlvt/jTyThJf8T06i+GNGVg2shcdlx5xqa2hiJt8yWRekffeyYl+qQnexLQKu3vtOIXsSxcw6ik95BPLBjsW3qb6I3tjcR0Obb73t3o3eyStUUVWzJ/tmYrHj4EHLlDHePAWHTFSvVd6gQe3B+CkeS9wi8Wi7D99pgAq1IMWRvpwd44WuHwA0DClGS8zdjLPRbAulMdpwIohxF/zMYWOswyr+W8bL7dANgvRgmK6SlM0vtyNkMIwn4wOv55DS3AbTgAnM6hMeUO9xlngwOdDLH4+AOMc/aTJ2hDxnmHRe+5vOWCH71qejf8nPdpkhDtD5LkbJ9v9iAwVclvlMUdnT7rOtGTVPZ1RXGAMUb7YN1GIlZQ5CySvNz2c7vXNqZVffcW49WH0HCIpdHkgBoLD6R3CvCBe82Vagbc18mweODvYyrePduNCMSeerqkOfhKUa5ftJzq1z9/YviJg8t0vh7B3ueYTS4daRy85B9UPrSxs9Ms8S8KJvJoL4rrXtron8RgBe6Gh+dUMEUMh5TyP4MnRUb8C9ilxverxZGIuXcdoqisq4ZvkMqVw+F07/+jZOE6BxyfSmweovFa4WSRjKtJtk7eOBDdPKEIV+ybPHFvhI+OCgpOTAX+60tJwqt7XeWy1XTwwKHmEhF02pkjTAkAxcN55tLEGPpFYeF49aem8+Z2K7vTvUqXO9YbG6Qwvt0QdgsT/j7TYRPQ0vzTdiJi4vnKWBhBTVyCA7eWlRqC+vlQ77zpUsfcUyDQQc/0/xmTALqpufheqYKTCJRjpbNdsj4CFoxCUfrb8f4uY6luiPK8dnPaDyHYBmetegCpPLVeclNyQ1Ce2nc0n89PrjASTnxAD04RmYdqyIvJmA7yRj1m5Cht7pzNYleCg27wZqPSRu0vTRW8wnsZmrl/eQnW8gEeXKxNrQ1wrvRaxgv1toBrNv28gstQ3dYgkgt/F6JV/xyfL9uuvwUZy06tOGCTMLxVzg3B6AJXfaaLNrK/4T5diGZ+AAiaD0h1nH6j6C95K692TsyVUh9shqiJrn+fV6Dgnw3vblhbo9rcen1amIHXymSc2obkGZ9U1D3iVXO8DgLIok9uEFT/F6hQ0JUaATFlt1xfqPcT3OQXj1Ef01Cz9rOGxxUKcjPSvH3IrtvJZEZXWuzpNE3bZzWCPq8RfY3OkzJrs4Eq7iVLasInDc76OJRwnwEb/Dmk1fj3QIiQM4AndADBcsA3xG+qCd52nst+DsEpf/m4YrTkEAuCrjpIj07p7r2VdEpKCBe8pDCQvizD2jzLZQVf5+4vZAmzkh1BCBdkLTK25OEa+BrMcDPmMrmkcOy3kcxX8+7FfJKkC/x6cquuNXva/Pw8+/ztFqp6oX81hjU7C1cHqd97FBo/HHNQr9t2+MzvXQLaWWmrT2dkxA8PRCuNowLq54tyTDLbA7V1fJ+ycMygcG8j3W7rhKRjmzbRpEQwXNjJ9ESBsXbnoIS9EK/ymGW2MT8mpLOg6nSndVRS7dQwIBGxQG+92ekUprWXiQC1sb7evEDo5ohCLfK3XI41MZt92pnhK405YhazEgIKsvB1dgySCO9k8F9Df4zg/Oc7oxu/UHNfKngsbN6OPChXR5WBI4wo1n9vqKUyNesJkYQo+6,iv:6d4Atl81L5ltlwZG7Yz2mKGQSaGV3K3xzgzVPx+k1pE=,tag:hmcqnfk19UCQGVw1qiJDtw==,type:str]",
+							"pihole_web_password": "ENC[AES256_GCM,data:JAm5L1VzMM3qpKIHQryLCrw5/yM=,iv:HnU+K/bD+y7hz75RHb0P3p4raJPlWE8Fuy1WOyPRdM4=,tag:zVpjxk+gNFewzsqvi2MdBA==,type:str]",
+							"plotting_book_google_client_id": "ENC[AES256_GCM,data:5b8qJ1TaSjCQhTmNc/ho9Dt7+DopjrW5bH+8FvyYUl1ydzp7omxbd2c7fRmKpvdrrd2/I93VLJQpIpBZqPCRJKySnFw5D3q9,iv:+9ICtRfbeQDo35dH/EcJo1I5XdUuNO9ie0vU0vkX730=,tag:rpL8HlZl4Ide3t6laJ2Kig==,type:str]",
+							"plotting_book_google_client_secret": "ENC[AES256_GCM,data:YUpNxXRBbFirMiU3NI+mvnwD1tSqKksDUuWOPZleXrUXLBc=,iv:IqFzcR8iGmwkcs9mq6hUKoXMp3Ax1y8zRjxErUTSzMM=,tag:Cqe1O9wn2Qov915YTCSrzQ==,type:str]",
+							"plotting_book_session_secret": "ENC[AES256_GCM,data:Pto/YNkGYkdSal+MEVRScdO2TwMxSXbahCKXSvY1lnGmx5zaOEMIBWCNTFVSoBvtrOBiLeQfC04ZVIKi/6UsLA==,iv:hLH9itlGbZRIzf9GyZUAJE7/9l2Oc0qq4pTcjWRvZ5s=,tag:uA50zVBW+VUxP66BBRhkuw==,type:str]",
+							"proxmox_csi_encryption_passphrase": "ENC[AES256_GCM,data:nmukxzzrWanrncfSfn/SwfVxQTCK1QJZNVR9u5sk9yQ62DYoa0gN+b/5BebukrZ6lRdYh6ka9/5PXf6HjR9HoA==,iv:9nck8lx1Gc29llwIPFZur7MuzMA83pfahWSHSSFHYKc=,tag:LWTu1UFoTWWNQXlcVW7HHQ==,type:str]",
+							"proxmox_csi_token_id": "ENC[AES256_GCM,data:wAEFH8dqMpr7NmqHJJbWcl4=,iv:Ri4OSOII3xPDezvj6FFrxjqnwl4Sr5cp1bC3QzJQR3Q=,tag:KqiFvn6KKlq4Ocd6VSThuQ==,type:str]",
+							"proxmox_csi_token_secret": "ENC[AES256_GCM,data:7OE8SjnjAiwbX71Jhw/YezvEZ9U8ZGeojyt5HhvGm9H3/o0L,iv:VSGey3CCOaQleQJpjRz2RehMSwOhImKeJ8i5Xuz1XRE=,tag:lNkQiAcgKM9+SZr6SGlxjg==,type:str]",
+							"proxmox_pm_api_token_id": "ENC[AES256_GCM,data:RObFPO/Kv2108LPArmjcxcm2Cby1zRlAriuFcjfNM7w=,iv:DylrRkf3/Ky0nMuuUD+6PRkdjjbCqcPCEbA3FwhQLT0=,tag:VpUhTqgUh7XAkvyS9hNJwg==,type:str]",
+							"proxmox_pm_api_token_secret": "ENC[AES256_GCM,data:b1AiJU399vcAJWFCvG1JfHQjRGSX8N3+JC05StTLnNb8yFaP,iv:cH/JLZcrXVqw8U3CXIA3wFOk4xMzT+MjLCbbEbEBrl0=,tag:ptA+LZYtrNcMsgUUT7am7w==,type:str]",
+							"pve_password": "ENC[AES256_GCM,data:P0rqWj3v2mLIlDA8er+AYzv2rt7lGN4SS24EMw==,iv:3/gsF5VNfMWE4bZ06nia0KQJvknKmhCYi0oKMELebHw=,tag:mwQg4OdPscpBnE5PoK/lMg==,type:str]",
+							"realestate_crawler_db_password": "ENC[AES256_GCM,data:FZeeVq88OcCwUFK7GiyBk3Fj7j2D,iv:7BiPaev5Op+s3mhASaDwRI7FZ3z1BEzr7I3eONi/iag=,tag:1wvNxd3PnNjxSMeTkHvOMQ==,type:str]",
+							"registry_password": "ENC[AES256_GCM,data:DqqgTeFftsv4yLG+UZu0Gs5YJE3l4+IL7zHijwS4dw==,iv:wX4qxJjwkAVOGnErq63qsvhxjU4Ca5LAdiALH7TXxtA=,tag:WDkzDyjgVnOf7+bYeOdiig==,type:str]",
+							"registry_user": "ENC[AES256_GCM,data:cdiXHFBp,iv:M600XiwMqZe/Ky2lN9Lt5DSWuP/00YuucnEbSrDKaeg=,tag:hcXOXdazuwngK2U2UFbfIw==,type:str]",
+							"resume_auth_secret": "ENC[AES256_GCM,data:FxJI098P/00TC9VPflYFg8P94bbrvNfQ8D37XoFG5Mbp+beVfScMvMTc7N4=,iv:UYN4scek1p9iJXEPnSRqdUV8xCJvKXgV0Pk3rktYzQ0=,tag:Dmy5scFB+yXznCWuEHVvbQ==,type:str]",
+							"resume_database_password": "ENC[AES256_GCM,data:cyqbHrdWLgC7TEECBhQ=,iv:daJJzFalTA/2vwjE1keXgUXWjCLT4Cy78FLLP3eNHQ0=,tag:5c4LBz/kAige4dUGBWra6A==,type:str]",
+							"resume_database_url": "ENC[AES256_GCM,data:3mojjGvJALgMoJ37FSXErYg03GOue4m0/2qHMw7ootMI+DCVZ9C0jzNa5xv9nl1cjyp5Qw2KzdqaPMfIgzjCqBqsrw8N0FdhTZD2e7jF64gj,iv:l+M9wlsXk1YYnrDqHrZAcwLU4yZ3yIuqr62Pud8IkUI=,tag:3w4lJI6RdkH/vX1u3oAsQA==,type:str]",
+							"shadowsocks_password": "ENC[AES256_GCM,data:BR4udzHjL/FtgSTBzDpmT+sNXtQ=,iv:4rNbex39/kiwiYafmchMBr1POcLTfRllyydMQTjX6RU=,tag:Ebn2qofN54vvj+odbDeo8g==,type:str]",
+							"slack_bot_token": "ENC[AES256_GCM,data:OJcJy8GR0IxLaZRsIk8ZM+PEaSyUXcYKTQqERncpRblf0tcU22vKxSTKQBSTWSuu0c1dQz2f5kjvxA==,iv:bBqK5zabkdNRIvko+HXdaa/DUgLiQgeZOW4lZ5+73UU=,tag:+UGwWyICLJPUOOmKCxiIbg==,type:str]",
+							"sops_age_key_devvm": "ENC[AES256_GCM,data:G9SqGcOB2TdR08LbJG7Io5pt7TrrTzuuc3jW2xUrsPV8tRd4FVehVfvlxmr6UAu9EYFHI/9whDcrskQ1WlKRCBWUzTjcWcTjbUo=,iv:RwviiF+8Jjii/Sd09p4OmJh6m0X5iN5wz6sHKbUd6Tw=,tag:HC41btrJbQV3PNTpJrHO0g==,type:str]",
+							"sops_age_key_laptop": "ENC[AES256_GCM,data:fVE8BzjwwHNksm7clnLMtmXNcR26WYBYZTpJ67W7vzSVSB1SAQ3r+DQBajmogltpnP0vnckfRsuYXeAXr2EaYtdNmC7vAYK6ctc=,iv:VYpJd6XC2hNKdrVpvD/MscRttDFj635Fj1nyyBzi3cA=,tag:bFcoFhdL68XHrUBgLYW/ZQ==,type:str]",
+							"speedtest_db_password": "ENC[AES256_GCM,data:YZswtpS6r8cLytOajfk=,iv:nxMUraRiyfE/6JBqajfkdHS4BYj7X2+m22vmkgFmrqc=,tag:yXz2OouA8/pGwxpy4oYvlg==,type:str]",
+							"ssh_public_key": "ENC[AES256_GCM,data:9UwzXOeqLuK9yjJqkNugoRl+HC49nqaKUt5T+7wHPZgi8TCxxHMgZdxMAplHGH6nyXqWltMBZUfivAcBwN8A09euRmwdlSZNe8WXcyH/ZL216gjobMOWlgbz6xNDr8aEwaI=,iv:fUJp+FfdFiW1CwFA2atXtiWThhyWu/nkvo41VWrxPpI=,tag:f5Ndi6OKS6DhaB1q3D/ynA==,type:str]",
+							"stremio_email": "ENC[AES256_GCM,data:90m1J9A0fzIdPcFaoyoW2nFOa5HUCfQ=,iv:2l5P5IL761uKrl8B5mffhqaQI+LMpjM7GtyYEqsEcs0=,tag:bm1gcbdHLai12sH7ZF9H4Q==,type:str]",
+							"stremio_password": "ENC[AES256_GCM,data:Vayo1OANoyPeDe+DSNstsIcrPxn9fB4MqVw=,iv:eL/e5hVEzDMRRFAimEy6WMCTkaEG7uihkjNvG38zUN0=,tag:0KDZ0ldo4xa5bqN/4fqOtA==,type:str]",
+							"synology_admin_password": "ENC[AES256_GCM,data:91TdpO1uvl8=,iv:rIkaeTZPWHx/SsH9YCp1z5DFXoXmT6ktGAKGup+/azs=,tag:w2CX/AnbZvjuyEmOzmUPdQ==,type:str]",
+							"tandoor_database_password": "ENC[AES256_GCM,data:KVYCH/RfdXOQ/yoUiJrcfTGx6Gyk8VLVfw==,iv:wsgWSQUMnwTZNWPvq1sdAgkyF39EUot5ijdaivmB/34=,tag:FKTJq6Dy4NrJmK1cNhsmHw==,type:str]",
+							"technitium_db_password": "ENC[AES256_GCM,data:23dVoFAM2ifJhoCUEEM=,iv:ZAVDl2NS5in6F0EDfOVeRokQxrM2HSztBFpfjxK4A48=,tag:AnrOPm9+PkvKd8pOFO/ziA==,type:str]",
+							"technitium_password": "ENC[AES256_GCM,data:jaH6sc5vzj+8Bd2MFAOkXLCVnx0Ge+Q=,iv:jVChbxsWuJsOSA7PimYwfPZwpIDhdNcNsaBe9KRifK4=,tag:iI4o2SO1BceCcgxLIXYQtQ==,type:str]",
+							"technitium_username": "ENC[AES256_GCM,data:JpRyU5I=,iv:h5iGfSYNz56cSce0pJ5GDQRu7xpqwicJUkBfuqlTZWY=,tag:JS6on+Cob0Rm9Pl0dbwS9w==,type:str]",
+							"tiny_tuya_api_key": "ENC[AES256_GCM,data:SPdOXcs4KdVgI5A1v/rVlkQXqDM=,iv:/yZEN31kBDZqKsQ7JMoPLukWtpqq8IGXbPj4WbkxR+M=,tag:NCD0ujKcDA7hgOpQf6ns5w==,type:str]",
+							"tiny_tuya_api_secret": "ENC[AES256_GCM,data:zQWQsNVcmval82a0QAWcEWdR7a6Y/HzpBUs9X3I3UbA=,iv:49GBwFtCFY/iTeP4kJHN+wDHzlkJuS3Bi4p9Jx76uVc=,tag:Z1o3ZUbSW42scVVOACkBUA==,type:str]",
+							"tiny_tuya_service_secret": "ENC[AES256_GCM,data:XHUSfNsnLeQoQjSc37xSrpS/Ndf9DA==,iv:BKSk+RE1DSTe6EjcPyLjQgZfoB7yvoNGspZFrqlq1mY=,tag:dUu8g8/MS4BE3Z1eRsXLiw==,type:str]",
+							"tiny_tuya_slack_url": "ENC[AES256_GCM,data:VchadvcobQn43v6OnYG8Oi82PqGzCXxGWRvFD47t1Bph7v8LNHR0lZcN4dzwRfc4o5bTSVGDgl5ps+zUVahGhKEBgXqYRvsPrirKzIo9E3lC,iv:JwDaoHHwho5qAJJhIUWl89/Gi8YNQFKxi9mBYJfJDNQ=,tag:KBd8M/WWd6M1/w9M+DhSUA==,type:str]",
+							"trading_bot_alpaca_api_key": "ENC[AES256_GCM,data:1PUtpDyTzv5AoxVbyLNd56J3xdCI/B2GZSI=,iv:3vketiZUp10ugmIJK6WsPOk5HrEyqGK+t7onoOgAXdE=,tag:JWR7dznLZlVhAebwmFxw1Q==,type:str]",
+							"trading_bot_alpaca_secret_key": "ENC[AES256_GCM,data:YwPpUuato45+dK9FckIaPQeO0sNAX5h3tx3r9cQ+3scZPqwdr+5A9VwPEak=,iv:SR/VXxCgNovz7ZhAWtaxNxvqfZJPFFQLcAPMsJesKqg=,tag:XjZIjIMsX8f3oXjoQ6Wnag==,type:str]",
+							"trading_bot_alpha_vantage_api_key": "ENC[AES256_GCM,data:U85Y1c/hvbi/82YUpOMi4A==,iv:CDVJAFKA1N4p761w6a3dG8cnogKMw+0G4eQYJptLkLQ=,tag:5Xh3wPShySgAes1qnY4nXA==,type:str]",
+							"trading_bot_db_password": "ENC[AES256_GCM,data:QVT1BiFEFGTyewk9PT+xkaKXLsdTvwu49sPsixyHvak=,iv:tz8SRjn1LTRo9emrz3SXBoK9bfeGaUTDbW43gIMTcKA=,tag:lxSZLjadvCY9EcqleZ4icA==,type:str]",
+							"trading_bot_fmp_api_key": "ENC[AES256_GCM,data:ImHpIYFiHA3L0PwTsWRu8jh0GHDzOm+3sEHsSIi5WVc=,iv:MicL5ymIi3tSuJpZKp+pGP5lkJG8nct1vQM8xJ47Zeg=,tag:nywQcRl7HEiREIdQgCigQw==,type:str]",
+							"trading_bot_jwt_secret": "ENC[AES256_GCM,data:xH4WJICSlnW8wEbo+VnUChv/mLVUdLpQBS1lo3z77vtvhfKxEocEJ38LT3aLRRPUCae7ZjUInpMSSkdyHxCiqQ==,iv:NgSOARwsRYh0iYYTREszFDcFz3m/LjsCDBeyWd2KOjA=,tag:5YyeXT3acrVBfGjW6usgnw==,type:str]",
+							"trading_bot_reddit_client_id": "ENC[AES256_GCM,data:JMmERlnBdKYVukigDLopiC4MXb8tdQ==,iv:4q6wA4uHvjeycViF0l6SUS9xSmz6GSRkPtHEio2rb1k=,tag:Jd/p4n8v1jECrYpvMJmSXg==,type:str]",
+							"trading_bot_reddit_client_secret": "ENC[AES256_GCM,data:jCU5OON+mUrbKeMjj4xgvYjOC6UTJCy2gYq4JK+R,iv:ZhgbQOdUx01z0GZuUYCkrS15bdH+pdxhYTKyC3Tf6fU=,tag:6k+rdklGUs98w57zfOWjmQ==,type:str]",
+							"uptime_kuma_admin_password": "ENC[AES256_GCM,data:TqRJmu70yjwAA6NvZ6ZiKg==,iv:mvooaVclz8zJGkpw1hqHFHdwPpNWL9hdcZyd1WafWE8=,tag:Q12Wh8EG+oJS5mCIrvxcFQ==,type:str]",
+							"uptimekuma_db_password": "ENC[AES256_GCM,data:J8MToPtZWzZjs4GI+3xlIFERogV/o5O5BQ==,iv:bX46P2em8+tt+QQnbBWyfKNpLE2B0sJWimziQazxFvc=,tag:LiHpVL6jyEk6LRyF8q9GOQ==,type:str]",
+							"url_shortener_api_key": "ENC[AES256_GCM,data:wIV7Xn/aD3zzb1y1fkQo/oVYch0xP8WGUCwn51Fej2VeKT7z,iv:yEfDu6xldbZ05FNPfACqNu2LS3ux0WNoCNPVmQCkIMM=,tag:Vf1fgqsj3KkVJVSRH0Vv4g==,type:str]",
+							"url_shortener_geolite_license_key": "ENC[AES256_GCM,data:faJBSI0Hqxsr60aFBpcPlg==,iv:hKiFZ1WiLUmzOszCead8oYnl2OJjCG3lHDzuAQHK5Ps=,tag:gxGXFI9WWpQF2F6OSQxeIQ==,type:str]",
+							"url_shortener_mysql_password": "ENC[AES256_GCM,data:8LGDkLNhqBF29KcqGoz+OyojdCA=,iv:doY48KZBMglWX659Ii0Fiytujnd1pSVKvbVZxoTKq5M=,tag:/4JLS4O1z+8MAcUWJcoTvw==,type:str]",
+							"vaultwarden_smtp_password": "ENC[AES256_GCM,data:90UIXjdKm3c4Yy2ad2GI30o8p7g=,iv:33Qa20nJQcjBpBMIasouMfLs1OVvirETueFs479yos0=,tag:5yZ9YLXJfX9FajjzhQUM8w==,type:str]",
+							"vm_wizard_password": "ENC[AES256_GCM,data:Ercdva0UKuHnLys4DYDF2Aaw+hO2tiZ7nfC+5/BZNMESvrJclPOsCIhd9JqOqT4S94yYQVl69nDMm3+4jtSXBz6+MNUcIz9SZw==,iv:E85U2XrqhCpXNqXtBDfU9PvfNZdoOHkEGycGZR05Mwc=,tag:PmAKZacF6o17WdGtEGCbAw==,type:str]",
+							"wealthfolio_password_hash": "ENC[AES256_GCM,data:6D4c1Lb2S4MdhWtr+ghvnYzOyo6jZ7K2hs+Ln/1/DgRtCXwCJS66Jgtf53nFNFHMbHhK6e3atoa4iMm6qwdE6pXZ8khHXf8RqxWaobrva+CIln8n,iv:YAV0xyIBYOlPyFX/gvIgI+fGuySkJH0HlEOUKCgKepI=,tag:gSmBDovkOJFTWhn2hq5SMw==,type:str]",
+							"webhook_handler_fb_app_secret": "ENC[AES256_GCM,data:DFSINM0fQgBZ5YC7cqbH9pgTWdwoZGNFuEY+WgP1pmg=,iv:gcf37ZgM0mAuVxkV7M8hOMoGs4mVzkS7sggzXSi9FCE=,tag:BgTSo3zBoPIIox5UKdFoqw==,type:str]",
+							"webhook_handler_fb_page_token": "ENC[AES256_GCM,data:uhT/sVjIfqiu84lglLgURufef9r+blxUIYu9YOG7j9nPMvt4U2Zb28uxL78Tx6CdFFshoQy1hyOhLobXxW5WLLBTO74EwMBKJjwh1W4ZtS+p3QLCoeWt+jwCK7uUFV1CQYfc/zbHMU1Vfbd8RHKQV3RjqNL7d2PiKqbRdTiaHYTuAaW0by0UvMGyUriyMOK0NRDRFlal3R2OO/wKvvEEndv812YeE/zNd2I0wPGV1JaddqlxGcKYU+E3pIWyFKbTMsIEqQlCQXK2ZcJWdtNmbGdsiip4,iv:d7Vbv8y88qqKeiB3OubFVWKP+Z8FE+66Aot4Nr0Mnmg=,tag:H0oAt4h3Cn+VqEZhiilalA==,type:str]",
+							"webhook_handler_fb_verify_token": "ENC[AES256_GCM,data:BngeMXVvJgcBnyhABQbMY2BPXFI=,iv:unzYyN2ohl3UaOy66td6nLFbM4tSZyG84mlVM9bWpl4=,tag:aW3rDBgtjX92gJaEHZUReg==,type:str]",
+							"webhook_handler_git_token": "ENC[AES256_GCM,data:1XK3RkldbB4yPWzaavWFBd7kx9GItreLXamArf09wfFmcf5StH0G+g==,iv:+BKr3Ag4REumC5ZpEJWA/90Uwg/SFe87bUnFZpL8Xt4=,tag:X8yL3sILelsUSti1Lv2hog==,type:str]",
+							"webhook_handler_git_user": "ENC[AES256_GCM,data:hq1LDiIZ8n9fGOEA,iv:Vk5c3TapdZZ756CEikD7PfZgeS9kG8AE2i8q3mrFi+8=,tag:PYPP4x+xlCID5Wigbcxqfg==,type:str]",
+							"webhook_handler_secret": "ENC[AES256_GCM,data:c9cAhdH/medn51qSqLTBXMgzY3U=,iv:bLj8tRpT0YeHX/9LZPxDaQ9hFGbHu8lkIgByjNexqmM=,tag:bWijuXhAC73iTPTURTRlSg==,type:str]",
+							"webhook_handler_ssh_key": "ENC[AES256_GCM,data:joHyIxLwgYAwrILaYKL9M8lN/dTB3Z5C5jh0fXnLdbMpLWB4muINkejJs8FN6Hi4Ql+OCYsCz5ss1uwqIDHWMHr6mrmqxDnBvw5Qch6Gq9WysfsRSmChtKwC90l92unC9tLmOAIlDkVpgcnLAaEEc0fTGKTWTb4N6oN82kCscO5cK2/DSQ/O2MCb1PboAXiKysd4lI0WVF5CTw/Tlp+RJy8108Do5RaEcPApVtdX+w0hPzDCsqaxDXXTjEWbeoKqAs6sXPPXCxU5j7QC/TLvPTQA4IWU1ya0AiN8ads0j9EL43eKXqcIkX6jkowAlzVqn9hAWCGCbTJChk/CW3SwVf3RzkVY6uYcw178VFHbVq+3yNIHxJ2ALBTxnnxVDvCHfbBsIfHXOUrjf7Gw/zBp/H236bdJzGJpxHNrqfE8Z794R8iEfMz8gaw+mbauitYFKN5llRBSul3xj+N2p9YNA09D7tjRZ72RL0cEOi8Xf0u9uynCOJG148+u+epJGxpis79SmB44nfJM1UjauyeAkaKDJN3ETH9HB7745GF4//S7HuFsUfW2+TakUE199VlVfl3UeFgVSty+gFbbDC5X+APONTPRFGvVWEd5EbeAWCQsQdRMvdMYjIbbNNQOqJV4nk/PJ72ILeYR4UdVbSIHRqI9+SNuTxAdhumFDEN7Wy/oNRB14f+OJ14EhxSCRt+qOBnbu40xtxKQ+XygZHJQ5uLVSgq7wFNdnn7ASq66c28h8b+G+rGRDy7XTdco+7PWXMTYcTw7vxHFEHXBE6xoMBTtQQKtKZmALmUA1a3kJ8bH4GbNt6xRCdtG6oNrfvfYXWXNxTDvt8YgRj/4zn5tsPnhVruYKQhP7lVDKawHMOKxngSxrwa/mEWbSFq5M/yBn8S/58qmNz1DYj1/sBUGmo6pda3Ej1lAYqI/9nLXzC59DtnGjLSZ37c94/tIdR+fqtPYkmL0xcFu/QoZ6S7WpUwNPTFHFj7dZsekh7XRctxyvGkbqJms7iHROXGOGgKCdM8CHz+F30Kdj3luy04TsKnnNMTgjDVgEI9pi8/HxD4K08xYisSIOy70GXhpWNbd8IYlHNeACNX4bIWtmGXuSybeJYFDypUVuAkruOTlQSR1fqTT4U0j67e9nfw4GCg7xjcVmCIQgIaeYyddajKLZw6n+kjzEFEFI4xo71eq28VNuHbWQCJDeOGcyQ11lgVlY+xycsBDrU7i9kR4inZxyJrhjbE7kAXFiXZcZNAwD0VYfyFMQzDLOPn6cWeNEcpf8Qg+ls70vrcAIELdZA0pJbmjCAQUB3qyoMl7WbYrVkThpVVuSlWeP5ZTkiT0cYQyR+uhjUNWJuqtQjZmVD4ryH6npykXA++u0rgamzo58PkxKRN4evZq78K3TbTIdvyzcM2+8/K+FKWoVH96BqS6i1ynHW+2GpwyKtBgS/yo2OxN96h3xucJPrjoNFKL7OtUzYCfx+89j84yfidntZoj+DffDdyG9M2oMtX6EHQELzps4jSGL4+dInZjG+FDdnj8swWmgLTJjfHO5EUyCK83IjR9AtO8hme+fw824Np6Daox0T8qqLirTMTKuZvSkZC4dnbeda9otp9Fzj3KVizClye0EfvsZ5W/cUkwhLWMgMlkHhmaSRGHj5/RqJ0YMyu4m5LxGdPFHMR6/2TVkzrW+zMR1pwgrdJXnwPtDR/xkn/CdCAVf6gUi0Gd8GqUeoKSX27kHjGfQr/p9ZUkGKAxnOkpJvjWjyx0Fbta7qYtl9HKV6HDDBPOI+jN+QiMqX6snSsPnt77K57Az0DrSTb2TnUnQxVrLubG4zN8VBwkECP2nlKCM5FSpWwrlcPvhyhBUyIPWvkPJSvz2B1R8StuZnbY0ePYaC7WXihZgH6Dpk9oNdY8sykAAwwOcMj8SVUJpa5cC4H/HEGHomjzfFMx54MyL60bfncCoC3xeBYJ+UBKCJ4zB2iU4SITBM+QKnGgpaGDt6RCjgGsm5b2mkZQ50FvaSziSB3FkcMneD+KiwE6cUoMW/gF7+3BwWYOid12YDtBj1N7fSsdKrleJQ32Qs4HLxhrCJCXZ0qNgyTp930uRVzf/pW7zil+g5ovp0k1AP8SwYPVUpgjhAVWlxNwsNUow3JMvKCW3bFjJ4GeKIRB1tZ/R4XcJATIFuya53a1oH/d7gJ8eou4OZz7Q7WcCIgn5AaA1LL7+Bc+sf4JBoCvH6aQ9LVnmmAzhygJU3GXmyCx0eG9r93tdi6s54r0FWwo9klYAC2NZkAhznoo1RQXUEdDRB7oAIGIc7TZLlBzIYpqNDYbgpGNVRHglom6+mK02zq5FY4YUgvZ/KA5rPtZXBX9RgpRREjQ2P+boNY8W8uWpiuHmBJLFBhkqCg9m7pbPuDFKLo325dHDTkrqeQSqNRFDielHStSBQ79GgZ7cqVxqkcYq5dDdCsfhZoAqj3jhUZO75Dozyqbk28FBcLMM5D1T/rllnBTNvQFG0IzXG2QorjLqJ0wEqcWWHHWvMmepq+0Q1UpjZmFj2aio58pFZQD+xpsfsDsy4QIWVk2w80ndRQdoi7kWcB/5E6HKdZJsDwNGpDj7RXdZm5067bwC9gNiH6Qp9D07gvaq7zBf7Iqv8LgSsHNHfhwF+LTdW3Iho7b4jc5aOu7vcAArlIqby9+4Sn3ohk2m6wvhmaryCYVXhS3KGYHjHmROwuSCT9MIIK0k5W3DQnmGkAScK6XqifaC5ey9qdA3mYCHAd99hUd+FfTdTi46GF/X/QtTKqp7bOcaw/VZ4TwsKYGhJ4mwYjYAHol0vNfbs1D0A7B/B3yNFfIZzkLgryDn8YJRxB2vLdSf5+szB3SeHYMu8NyB9GITTWMhLwrEVZXEJgTYFOR8JeEQEtZ24D0ptB7QmqUCgu5sHXlwb3//UJyuIesHd7e2za00ohkIEKjGDpuRWZqe9/alLOk/+UgwjKRoVpxpqnvCULN4HOkO8COpUKsjOiGgUXOtbFIlTcJcxSJH9ecmXfO/MHpTpn0xrTvK3KqQiY584E6SOAl0irWsp1o+Z9IVT7b+KlWVFIaH+s0ZDPhMov0At+SsI2poOm94yp0CPYoFI8RRy/L6AYMcv6eNYagt9B5wZC6U/BsbDdllUaVpn6u7NP0rikYv1aUuLMKinF2OFuJHopk79UCw3ncRCwOgZiiCuYx1KZphQRuYuovLsmmBFZ70MPDak22U6wnWiusSzKRGAhtBFPnKmQS9ak25RtdwPA5e/58cKzGySxXyKN0vrrzYqGjiFejPW0aCtJWfE9b05xgSlZYo1y+8tZDddvpIgTokd8svjIK3KI5vBrwHdmUh6aMlkGKgddpzhrxJxZUn02TyirKMuwLyg/+akk00BRivSbFsP8vQMzbfOEJco/BJLg9JNmNe+/f4Nxn4qO+U0Qii2BwzbcZGjJI98hDkV0q8hhhYRXbx3PRF3U+kTAbeSQCocRnkvGM1SXZz+d9xTQuuyw=,iv:UaWw9zzKQqiUEpSD0rFqNwbDq0dYAbrBq/vsjAL8S7Y=,tag:U5tryjDpAcsHbncPfF8JyQ==,type:str]",
+							"wireguard_firewall_sh": "ENC[AES256_GCM,data:8741d8RZERnOZIjW5f6vrQQkmB79DnI9zRPPRbgoeag8CTtDZNMAdWxkka9W1TDnqoCtkg/UlVRj6HEPii6ZFZAxrzuPZLSYi8rsePjiK3bgFLOaL+EfnshTcwQhOYKOsfcJpjhUEYyyH8bebRNS95unr86w360DCz6nlfvOMt+dwKlKSaFgCKS0KaMLvJx1Z2zSB4QcYCyKydgpm1Wht21A3tkHNgeO6hzQwUas84hE6v9dtUxwQp1JidPjmHo/smMt9nI2djotiJwdnQaMBUzxIs3aY3QKseq80nJAX7CJfZF3Cwj9JIWAFPgnDxZiKMFjtc7FMMT7BA4OQBccQL6w0j0T5Jb4mPaEJ5+h8FS31gcIVfnhC0JWP4IyDKk3yzvvXdOgvCb7XTDGLiAiiuDWNz/YIQpZDvVgipRapttpQ5Tz9h1Hwf0Agfzs3QQSh7DNEoN9f2Jjq02SJJar6IRUUftgn/seF3J3LXjsDbWLWaw2QS13953PCzMhv93Avq0AKHVGo75oHee2FENUHgxsosHZk8WXvhY=,iv:vEHBPYhcHoERBG7pugidS23qSZILpAguTFO+pTELdDs=,tag:AnS0d0fvp6OuNgJjJjBqVw==,type:str]",
+							"wireguard_wg_0_conf": "ENC[AES256_GCM,data:XIUdLXE2yhAaAo0pMp2ikV9/L6DPL69JVZoqc0hV3z4RLY09ll2fF8X77TDaeSLth9dCNGXGt1wfduSiUgYgvV2057ptwH/8e4jkWoI3cwcXWBwWWrWSG7Lb9935romewy3lgjIQ4+ZtEdQ8T2OtK3C4dkIl5rNV3sADAfMhhymP8ttr+sASEhDt7YpFUu+Dsu7hWxmP0kKy6Qxzegk4SyIHzg0bk9uEQi21ZbRD3kOuLm0WUe1MXwEMfHn+m005QS1ZxmLdveAQqznMDBZdsFIRznmVbGVEWZN+Wi+A25mcUdru+ZS9wOedc+e5sypgkq12YZ590rTu09EoMjsYFMpKGsD4jOjsTGpVeO094RteldkhZxryGAC8pjmg9x+djkj7Qy0oFYZT/76TiDZUrz4mALnEDTs/cwJM0lFvJYrFivX0elqH5X0tVuXc00NBBqpE8a2mC8Ak+NsVwDncx4j5lN938TsV4uV+VT785DQMVdOo2z0c5cnpnav+GzlHQ9EqmRJ28sJU5pR43yr0xATWOSlMQD+Ab2ZycKzVwR4rxVgmjTz6p4AIR0Frx7GE+3FfeN+I6Xj+Cud5/HXcutIpROeC4GCy1U4bjDBPilcfkcK7bvrNftSGSBXowOin8t0z3g7KId4kO6ApSbk+ULhMMR/5VAyCyLMSNoDbw7Wk2Ipa9NT4uHHIamqrNl1vtVVqZqFp5iq/8FgroBD82772y3e8tgX5YLPIOJfhFBgHiIXLAO/IL/519P3jQ7BrZrRs7jQ9LKg3AFnk7A8R4zZP3buDuFd9fOgNP0nCjcvURmme4iBjLxS9z47NVq5siOxE5iQiqS2Jq0/r5Kfafmran65ZXbSMbLqeFYrvW3kbegTZIZSSLPnKQy8SBsdSjGbN2Q81oNINeL8SV6LU0J1eT8GgqEkgk3pVxqOz8Gwxd/rtNAkHfHmnvl10GRpP+s0HOM0y8cvvvgpbZVt2FTYHQWPdZqvqypSzcp0uPDkaWQAKqCMo+nufS5l8MCt7MyQwVQuFt60to3BAUTWd1KSosbnha1D/sMPQ7mc3a4vTxB/73cKAJkNfWBiTmllkxxxQXsv1i65KxR806RArD4GQsmrz8MVHl1/LzO/KKBb4EVGVsnnpDCOJCdc7zttJ7k20is3/0FMpgFYLjXsUgxYO4u+NdPTzUbuFkTo5+z+DU+flDms0EDaC5+fZfcYYeSuRKy7S8SCfVEbJJpa13o3zTXOufmDh8C3KnTMD/cv9CAbHkHpNMm0axpf13V7utrX8gYHcwP4wsteODtLway8rUF8LUl6huC8+eWMmhycX+Fwf+GRiaXyuia/Mazw/aJKZC4kHmOu145cJj8YZxrog0RmjdyurkKGt6W5T8c6h+E+flr/HjNTcggZCamA/lQzMY81YSHRKEIfHQMmPzDt2plKvXCu/BN304xKgp/A9UZRhfbPEqlzhuLsuc+RbHfCa0jyM9qOl9SUe7WDjCfpC+8sa8repGs6MXLOWRMaVvnkdOwQxxBf0git4/d0+mB3Ib62G8cQj7SyjzQ7ycwgCE4no9+B0dITQc87ArqGDp6NYLz42vv8wRw/pjq80BJpVqihuwqtVLl4zTUywa8Wy92lU3cmE+AwljDeuQ2UbyaWQW24S4iYS+6wUPEuQxWQOjp2cH61Zy1PAPpXkjOoJ4vFnBDMQijsYeKoMsA+AZ1stOz9Y+9SLIfM/Pe7PnDwTqdIGcQn/ai7cUa8ZNadbQyulwh0CF3MWDPKvVQeLb6+/epqytjl9FWPYbTrczMThIu/5aKq5pGcrITPx8/+dR9F6KKe6QKCdVKwk1oUsAkRwQ4Hn/zrzZkgeX8xC1dISY+vA3oV1PAjK65YmqDtD20G46dWKJOaAUlDKr7vgjilMOHFN4HSmws3w3DpZYNxjHteuP0Fpb4uoAJ3N5b3FTjxPmFLc1AltcZu0R62f8ZHixsVh6qD8gIjizRFWP0gzFQrs9O5uxYD3ZWHzJzWfEuSr4X4wrVw85VGPc4162ozmzSJIsw+YR6OPzdvHLQfV07MrEXacksynrb54LWuulr6zsIBc6N5PE5LHSVoHGM+TGWC1NUQ5pcwGEZYnTWDCGX5SnTDeSuDHjst98Dfu9noUQ4vXtNTzb3RM8bC+N2r2jkztfE4fQZciEHUyWoNqiTpdvWXashWO+lRycp1K1TRxNnC109sxYsKCV7GwIs9ygqG7+CSOJ3io3g3rViQXNTDcWB/HsRhDJ76YE7gsO/FnBTBnIilVrmmsue/Gy65jv2pPqT/bKjECawzrHpyvlBqNJSlg8X+CqGxL/w7N3Og8iuUOUKkddHPxhdA7sODu5pbWbfx6Pdt2gi4/T9eFn5P37ZvUZNkB4M1jfwfeJUp2g1D7dJlyUNpcLhAGn2t875/DBr84EURl4l7rombHAqQ7ulabuERbYOxzX1jTnVz6ExZeyCdZis6c8TfbB/Q66STKZ6hBS7jpl6P17NheOLcvU78Ri1WK/4zozrx+AmQu8LYXB90DvMyNmSnXoMeNSM0U5TrqXQXWSMfnRXyystNHuZXp6rvahbZSm5C1mLDHALTT46t36iuJBUKVwKUuSnjznjTPApqOP6Js3LMwWY653rBol6A3UYkse3xF6PjCujzWo5Xl79InDenZO6h+GK9+z5BHg9KfJ0nV5fy5PuYRwFTFZxJF3XBqjeidQwhtHNqLg/8vz7tnpMsDa+3fGpRmYMrvkA6J3mBoymbJDSL4UDej4ON1aM5DfZg1qtlwjQy87TiJRh9hD2X8vNv1sdyyxk82lOI1geg/GvL4P70DqURkSu2geloQA8qlOmikP5kEZfHiYUssnx3fSLVx3ydzcWa5qPNZ2cOPlUNhFW7baQpyI5PNE4GUVI4V7Q9Lu/rjGbNJvCufW+Djvqhei3J8a57CzEABVBLs1QPqU43M96WhpG27tbBkpnhjsrzPOOvBpWGme9m10Mco4pPWcZLbpmueAZZ0wMqwKlNxrH4/6zt7vcz8uoMGmvroblWb3H+/Ob/wBymgIDd3kZ738kUz73vBC9+/OlfbANhyMTIAIGAkype3pCVAyb72nQ4QmtzCwHYKeH7z/Cvr9gVdCoCA8AFOqiTHkGMxKBrkgR039NtEX3LrIwnUufIdv3yAy8FqoN0/S4XglrFFUhKRHnSG6y++THdGqkXDSPc8w6SEC/F4qoRxYOXAFFUCs7tWX0UKPz/7TOsmwdjmWZrG05QxDqdiKvKn9BKJVRKTXmwW7mp+sE/7Tyug8VveIY6DuojR1Z8zgZ7bmbiNldv49aiV19kl6JS2UxeGTBk0XZKsXPxqX7BsShHPg2n4T0x/Mtpn2FDiEqt2xbGCJhMccDG8RJTrJqg9jP+s/PJkpVMqGKnVhJQs1eZMjIo7DV4yPXW1UbBqvCv4iPX9PLC9ZuZbCyZumFZ5AWGwWLMpwo+6W3M4,iv:yklNs8H01Pk1kvkZIZ12mrRYYe1d8qD1apQogZn5pas=,tag:/Wv7UWp/ilC8KDLtE93ZZA==,type:str]",
+							"wireguard_wg_0_key": "ENC[AES256_GCM,data:Wtw2IUOeUmyH+iaK+mcSIgur/ZfyNKqTccyr18yovqjwrvXadNObISLUAJc=,iv:r0gxx1Cwjzvo6nUWzdymXctaeq+jQpy+s7lXWlnzHsg=,tag:bTXDbhFhV5ywoFVMLBvh9g==,type:str]",
+							"woodpecker_agent_secret": "ENC[AES256_GCM,data:Nqqv1zfK46HK5ubo1qXM2mB5wAkzVhSAvrnOhJ8kh77uTGRp/PJs7DEN1zF/P2ktYQusb59OMFIsyboLuep49w==,iv:EPR61+XVxHJo1EHTCj5Rb3iPswt+s0R9rY//XAh/LtI=,tag:0ifL5iAaNb9JR9eS8Q0qwg==,type:str]",
+							"woodpecker_db_password": "ENC[AES256_GCM,data:NK4MkDQ5tUJTSuNQa9EquX47nGsnkVBX5ST0QGPLKxE=,iv:H/06Lht52PUSq8X+mqgeMSikfp5QoIxPImxu/9MF7ec=,tag:hMLFxQ8h0dHN/IR3nxzmow==,type:str]",
+							"woodpecker_forgejo_client_id": "ENC[AES256_GCM,data:5pp09LNr5lggbVLwzd1rKPKH8FJWcy1IYdb3yAZrSqL+0meh,iv:1tPd7D0pQjZLAm/ec9UoEDAZwydzqAjPo196MtbXhhQ=,tag:jaeYLIkWYbE+ZeMqCffmGg==,type:str]",
+							"woodpecker_forgejo_client_secret": "ENC[AES256_GCM,data:VV/VH6WBl2jtHVZHAP1/e2EfArMv/ZynfvwSpptra0UO+FPaNbAYLKeSZRNA4tkBbPuG74fw1X4=,iv:ATgPewV74d99pBqvhio2/nPL+p8vA88ler7hqbZka84=,tag:AbMmcQL6t8zCFEN707zS+g==,type:str]",
+							"woodpecker_github_client_id": "ENC[AES256_GCM,data:rjKTLt2xUOql6i1jLBIl5Dng0cg=,iv:n9bcG1iKIOPhpcUGXPXBcFksknZjPAcvS8ALe5GLY2Q=,tag:qGZtKL2ww3tpp8mqpasOOQ==,type:str]",
+							"woodpecker_github_client_secret": "ENC[AES256_GCM,data:dJh4si4nRs6iNu5bNzpvA8CYqYEd3cUmpuDqhRXv0nai23ZCyt/pjA==,iv:YQ3sqnC05IN/YqdOiMswavJhg0s6MyLVMxTa8nWqENk=,tag:IhHfSGLrdm6a9wjRI3BxmQ==,type:str]",
+							"x402_wallet_address": "ENC[AES256_GCM,data:OvXLNySohBcE6LL+aZnt5g6YjqwWv53kAZ+Ujs4/SnpWFFE7XdMxeSGL,iv:yltFwt4NMIR4fF1CBHXOKOrZUte/jBG0KMKUkOrkg2k=,tag:SLrK0fvwFtrg6ZeV7vb02g==,type:str]",
+							"xray_reality_private_key": "ENC[AES256_GCM,data:fmVSNYHih+Tn1XwsMhx7a1GYCxcIe+Hyx0KRYTTiGxZ0BqJzSmBoDCedTg==,iv:QkRo2/o8uHmzIky0i8rYsXmVJdhsRI3xC/Vkc4PCL20=,tag:AXP2FNRvfCVsW/apr447HQ==,type:str]"
 						},
-						"data_json": "ENC[AES256_GCM,data:TdMW6LrV9hDsjjkDcirfBZjoukc7NkgC/WNM5QeuxSKD1B2kE//yKeOsJP5UUp3QorNv3atTzH5mv+cmUgEjcuMtw23w/PBeEzTHPrAr/ZxMoAFshD2Xx2vtkPLVmToiuDip9pi1RpX378XzfgsRcEAV+xTHrn+Kx/JfgAGW/0SowTbKA9M6wCZVdVEbDsZqak3UUheANyLwJipxfVjVRwc8EYQf4Vwgx6SgUY5tqkFla7GIJcKhTvQM4z3MSXvntNSa30cehvLSPlNSKA/erJ4y6dAgpG6BfB5CYT2WWOK6oCcZFdgFVZo6b1Fn93pY6JogL3Yf2hrht3LvihwCpBOSDLRnpvV3oU8VCCWI7D1eerVxBnPl7FuabvJdctTR5xlr7Apr03W86C9FZaQpnXRtrnB9789Tr5b5jyRK8rGn8tJC1zffOvVWjy19ZfoWjfvuSTeNtrszFaAWRdjY3byefDA2OzAUCZjWsPQVnJthkLxJDTusBeZYzEhqee9jaJnxj1QZGO/lUKN3SZPyTNpov3u+yqv866E56DHEexHgUEHMcPeqwwD3xd8bpetana+TXN9k4Sb8jw0KP6QQTw8b/JnJimB6yegjBSf2354VV+zlIQ+AUhJm1CgsCO7gWV/5KW0mzj6UHpz0kotQkBTeU26I6OWgzGF0EGJ37cax9eQI+a4usutE1+UHIopvvyOndGfonlNULQY6aXCmQYtOKN4pNJ44uuWSPiECcW/JSXLYo3zqqN85UdR+GlWsTiDsBcDQQ9G9Ogq48mX1jcsIsz0BmGzXIksuAmPAjZxP+xxyq0ApR2B88t1wvZd6IpDtQrj5prJY2dke/8QxYiWxSs1KAKKTxMkr7qzurMXABZK9e5jhwBZmpMmHmLtMx+B1SwGcY7U0nzVFyURSIoElfJbjYs9MMATYjKg/dscOBr3sqChCuQRWw26tzTai1PW4vCtiSqTPAP2X4KALy8EINipoX74bIsycv4rIAB4jg0MiJSI5Q269LdtCxHGf/8SI3mubiQmAdcnKpS8v4vXAM61+C9BbfG1mX0Ce1peiGG2r82McqLAik2jUuwvq9YGReyP4/ahxp20Y8F8k1lai8iBgswl9als+IRxjio0NRSyd+mBcXZfxjRuLjbsz6id80BNsUfjQuJIYOGPBo2fBLnYc+31qgoi3BouDehGe11sIkOYhT3Xn4GxA20lgh+5EEl6y0yKpL4axIxAPu+Do+mHPrD3hy8oVvrmUfJBQxTz87HHDPJ2j+NK1sjK3/oJlQEp3RXQ9xbIQXMUV1So9hkgt4ZKVhTDZDC/1tVhV18HD2VRiEk/45+pXqOsiRaZR4wntmCIeZXeghpFLfXg70SeAOHrNogQS3XbojU1lB1Gye62KcZ0+JwmKDnJHouBm8ySziU6mcZ/5nan1fUHIXfq/b4FIxiijHqCye8qJtO2IMB99BN8AiDwqi3YkKLH/wmRP59muWb1fUoLLHvB0lkd4EgPZXVdRqpnhpcVW8ekVkKFUSITlxVCmBCjbbXOHMGtm2/9nUZBhwJOZlBDaBi7Ww5vNeHYXjVPHzxIlWmwZBNfkWb5ywg1VE2650mX12pZKsOeSSK2wleWZktfAnxKjUJhxOKdnRqIbfS27+qqM05R9shmFp46c4lnIrXPn183GE5E+neWYk0rIOD3lV5MxQEGsgoouZjjPRraP6QmQsZjLUZqsh3If/bNcydpaV0wCawwHaimkyLx02Ko0MBlGcF9m9/f6U54JZsrY/CdUxr2rE7Qc5PxyB1E5+4xnYV2msvJ97snvF2k6DzqlALJhPev6PpPdqY0cPPH/P/peCxYd2+Qi/NMn6dHU+jExYt/AMKl0va0o726zXZhoYC+IezlONRzaMpfZnZtBX6/I/sq3kbMgp0a/4Ve234cOA/4+LQJqJbXFye8JJcQwAKcDvRkd4E7PPUgO/BU81jNQFardfMyoAyMmxVvVuULnJ8QtguRiT/Tt+9C3hc5TbOzj1W+cYKIdXct74xM8YXr/8djOhLbIVmKSxeTNn4DY1vLzmB97wz3oASRf/aThaT/HiCryJHZl+MNEf3ZBXJLjKd7pwtOmQZQk5megh5uT0xxU7MBlOCzCf5EPqJY+vsd8W8OGEGwF7+70YeyAA9b+CkMSkLmwIsqgoG5pPKE7e36+ZhXpEeeL4QnXpsm4Q3rXefrbaV3GAVWtWdfBxrpmuvUiW4RxP6NV3C6uwfnHQIjvbFVLb1X98ObjNVwUdJ5QLkFBHAfD8Zh/ho08pRDUkte+WJVO178TY2Jdd/7I1hb2oRLOF0HGuNKPiDFooEW9J/0QhLACaCXqJFbzsp40sscydhJhUD3+1KNqPxJqX8rkeOo1KPJmD97a1kGWVfgj9p5d4hruUSlRHOjL2nPkJqnU2FR5xFEN2QoANqpaf7cpOt0O1T9LR6uaRfrMHv3wMTwprJAs1EHsPV7IFHlBLUT/XzD/BqIGQD8oMhkTeVRuYChIBCZiwE5LbGvIYrbnpl2rKEp422KOnyHcbLhR+92C6WHWNiK54KbHzevM6e7etocLgMCMRycEImN5aYV6QQRRsO/PExSM/pHJsVMSMSqwov+yOloR4jnAhsS4WwgO8Se5VNo9A1Ce8lbYNbt7OWgajXbgQAyi1LqSqtUlZUn03d52cpouPBM3TNBQX0nquf3RZpGpiPYNfU53sijsnLqGcnM7ViIZ7hXTKvgouu2fS011Ck/uSJQnIbkCKqg15nvB3Ue4rzuBWjJz/gVuPRGULo4Q+OQIEqssDyWDqyaxJYOtT0AgYN167zG+4J1ozS/B7+hHhzpOBT1yS6TwX0dtX7q5SbY2h0eqcLIEJApAyG9aT3OcAOhQI9+rwq9cuzRchf/qsisw8pLbCRm5c/dLOV9fUxuDbkpzOligvmVipaH4LkIfT4V0JNHHN0H2lqQKunGduVMky5M3Ll2m8oI3u/BqoQK+1qijKkrvW6WoDvlNVi+xFv0vgLsGJfbjhXX2V67mZk7rwP7OTEHdpLfkEeFspjbwU31aIX0IzaDgWWFKwtxWE9ll5j/KBpAAJVQxfvEO5TlJpTiV0ef9U9U6Ab65G43qUVSiRSNJWGQYrlS4Io++AVDZGHGPH/u9qducJ4dCFFwf3pri8Pkvzo4/vQcSWTHDGyPi4qvGS6AzINhPMIGsD2WE6p7ivleZuzYze+roKaPaFFUPKGt2GZnc6uZ9MMs9lhz9q8EvtEKUT4KDjXxvikJR0Axeezbyizydtvp0kEl0kF10kluNglPbGsKiArXNpS3Pr7pYbZEwsIFLM/rwBrKkacPBM7NPwpVocG9Gr6BSWZzs/mRC0k6O0HwYpXkw4CI5/BJPtwrpdO95nggGxP0a5VnFR97/wbqilNmEYRkLhrZaVVIkaIfKEtDP4A0dB9ond5ovYH1CBuf6KzfQL1Er8iMnxtTYxxxAhYNIMFk25q0Q/CKvngKPnZ4O6q8U73cAt1cOu6urnBOKWIPDgXe5rItV10+kQMpLdp1Vvpw6r8dG2G8mON7llVMDk/qctVP9T3RP8pev13zb06nYxCS70982P8QEuXbHVBI5tp0+P8z5I99y5M4gD3poL0mfuNyr9xouo0QFqMD9gxd96zoGE+u+07dCv5rGrp0PXfL8Cv8RorpoOvk0NU6wQqvRv3B8o5Og+xBvNsmQkQ9oPfoQ4/ClS9eNKQyo06fRJDM7o1VGr1HAosjsKF2Kql4fMcAmacTP+wV/cihpwsqLuB2FYM3cbScZulruP8OU3ty1JnnKMvVRr9hZzYl7eUN34g1et4JN2vhh9QvbvplkMuHrQ8XqaedJC9xVZ4eY9FpyJzyOzpojmkl9KVxD4eMc0V6pd4SzZuy7+g1mcWmsQ3DM1qy6CETbzmxysD2rZONItlZmn/EkWs7Pi6qmwgOUC3bQavmegcgVVmKbydcT9KeP/91fjoDU7njhAI/2+p1iz69iKKQSMVO7GM9PXYO7ET9yt6Rkuv0Yjs34aCQ9/TuTCLmvA9D0sBndHjxEgP+mKtUtjil7HiGqmftJUUDw2x/n4h4K88MpBY/DyUD2c7Oa6njr0p/jEUqbk+jkRnbshSAGZPpRrzi9LS/NQvOAWl/C3UsDV6G31BV+OcUZXsBS8nthwfSv73BGao9xGgVIBQj5VTbIY/vpcNgd12uvg0pHScRC8aPrAm8yyYEF9rkXcKGOdBuM1cZBW19/sZb8bAj35xzz2lX9kuWRtN55DuVDUvRLyYWe6lgtWF0BDpdlhtgC9XTKu7BGstD5HDienLx6xGTlqUV30isoLBXj9I+7Jn7wHyb2RP1TFDU/L1/U9P9+cdteXRcQhK3JEpanKU9awJu6Mxc5MT36t+Ig/+dxfASsm9+5zrF/H+6FMu2K6UxZxVcr3UQfgzy3MNLIkR8RpRuwBQzvSIBsVSE8UPKQTp5QMxqhORUcBQaRD0lRqpHYgfIHgBV8z04xH43SK7G0QaFVz2t3sBRwH3qQByUTb74ydAT2+0rHdUCbwX+ZOSUH+WSS5Un2JW7ex48eYPWBjKWOkB3T+zDvWz4hJxMw8XvCj9MhQ1DHg6B9zS2Ze77xW89Y2sV56sNq6JC5ce43/Q+L+tc9nKZnnGuiVD/KvF0YS5dvKzuyjVj6Xyaxi++1FSFs6NwrGTC7aYG6YI9ihB7iczi1U3uwKiNGvit4900V24yZifDC4aO8JErQIi8fnX1Yk9vlSgm7HmM+hQ07LQQM5OCe6mUunAw1iArUmUiAQMlnD2ORomC4o8OP44/+vt2RUJQpNOrSq8XY9ANmEPUWtDHjKz+QMhXYg0pHHWc6FfLUOZcIaZ+rCu9vxN/6dltgCZDiedCvgBekd7sgiplWY4hVXzAgHyaifFBe+phrgWb0ytojkfT5Ict73ErzeVUjSjIUR1fEFKCdk7K3CdCoq7rGXlkTagTcKuBaLAuW60FG9dB73LAy2OLzCqOv7MKxS5WAcRInoctBkJ91dNnSKlnyN9ypeM0wMsB0p3VeHphAYnf4Lue/gybThy7OYBrf3oXsquWQEF0pt7Z/jH4Qj1y/ooEy2T5IVdHNV+tvlW3kmJ6n/TpiXHWd1DNkdKIpQC/xgIuyIl3Bk6LdxccgFVB8BAyb8qJe2wwYKIdnhOA/0g1H/ZeCR16iLkKQrvPKDpuokEN6++bZOdTvS19MvVWGQ2ysSElmW+gFG3xdelkWdFOT0z2BwA0WHV5q7Lx+1IALBPRvq7qLRfFlBFXEBtDK19Dx1C/2H6PXdD0rHRoRNzlF/My/m63e4fN+sBhX60NjHYGmEKG2B/sZkj6VYT0Eg28uAuCcFgVEPN8y0btq4CIh+M0JKRz9xp1SNdpVCWfiqu9eDLXjwLkImtenBhv4vmvLM8cPHA0rnReexBKPR50VqNmFO/0jbaJrspuJ2tE5PI7m2yrhGkZErrRnFj0+1DiOXt4/HRncqtvDNyHat7tYU5L5R0Qdgt4bZQCQfSTIpJA0v4DaLYdljaPfTdUTRJhHEYA7oiDWJSIwjhGFVHDi57jCeaB+Q1OlfL35K3AVujVwNyCv6ei0gMIvCj5fL2MoPLrIhBBtMAO33mUCr3EuAiX4D9xQdb2jjMNCqEYtMbJCu7cdauX+l9BpnS9henZw7YZ3fCkJUepdZI/IOer1WF+5WFu86LgOEufyBQFQC9USTs8MpsNhmzNePxOO1rFIU6RhS9fTFGrSMnydAGF0sJG1HzUe13Zd5duiUgL5rNqf1GggEonj/csp1T7jTPfT30Kb14LL0qwiVpZSBMLVUwPQsFsjzOxwAc8IYIuUZ0PMzRg8OiB41zSJuMfnX7TJk+BxaoxeCeMu1VOz9dl/vl7JLdg/syD9H6BpoqBft29yapHqGX7FgFwyCcaHGfIvyeknTeBdcNX95QoxcZTIqTVudplPsMKRH3lZWjVxcFviGRbsZDyaEZCZ1Q34O1PUrEsct2xc1ITYEho5G9gW7WyXUCdC+Mj8cixL9a6nS3myaf9qX2QJLAyXyflZ2LyVltW/BDqGWa5FX1Smo/aVMoGKlKeB2Pxa1OQQZubiKCkKiYim2phe0t/r0d49MjQCZ6a1HyjP2Qq7pyMVEAbIPy9P8Km7tbVII9GRmFJtHoJcYZrdj1ed+16zG7izHKpzPyutCzdbAs5t7J8SQqF3XeKusXxpn6JZoWxKlcdBHqtxPgs1G0NRPUF8AtC36Jt6XrZ3njvSA1bnWO+VSXOZ/BbYsfQCX6h7Ape/7Lji3rLaPBu+Fcm3wg2FHMObFidV/eFqFPe/J4Ng1tIsc0XBeeAHmfKnf8e6mTM74R3fl/0jnSyQWy0ev1qdSGDwGKWMg8hV5uuU/Ozu+yvrq13lBxqebbzgb1jl4gdpTv5vTCGPDzpLE1DOR3QgLqEczAnCqRaUroO3PahkiFQlAFEfwCBntzqESIoO1aT+1hYjjNdMW3Khbt91lm6TgcsIuZt8HyPGktEmYp1nJtJFW0F1SlLlHlAv/rwArvaXpvC9CwdUuxPvv9zJxZOO1uaI7PPn88AUpn89UNbSBaFb+1CJAFIh+z5zab+c+HpvmXE4dsJ4lxNYob6Kwau9EuZStsVGd8t/9pHi74D9zrzKHz57Pb+mnqzPQtGtyhsTv/A9C+809MLJr73rCoqTXr2magVrlH2dFrT0JOXh8uGa3qlPBlFcNMrGjiEQETcVk/Fv3QKjDPk7vuaejzGWZnH23XiajVSgyFu3D92RIEYYs7soZF8aa4T5NynDtciAShwg6e0jyu8c7ZDvcoQugacR27okgj0HpVxcTxxPNaQHKgcz+Fw55VnYy6vTHJ3bB2UOF6IdiiqrlRL3ZIKfTM3dPb4I4dzUeHKF1CdyAF5a4NQRm3EwfGnFipbKDjArViStLiD4zG9vHPWrJSCbVzqpzj+NVm2RYkjH66hEnTCu9ws8MguDzwlomxqOtxL8BCyDsTl6wrZCW6n4lLsUEm9VhEfqX/nRAMt++383y6fxxsGXuROi/xRB/xfFqZvwrf9RchTwq9lFJ0fjw9rgDONlKw3fuhGmBDzd4w4h1efUUA86sHs1HBru9WTMT4VcSLPJxNET8Ap7pks2BiDRaGHapR+eW3rLtkWBk2erpvEOCmEnYMEODI9aai4f9HahB4msSnwn1AabNOx3Kh3vQIA5t1k4I3UPVZYKWWMpyEIt83qIIQCi+sCGCIYGfGLjsiHKtQ37UmixtxZCwYYLHZhFOMhjb9l9i+s6TUSk2Cn/2rVXszB6aRj8uB8hinrWpgNBlkAUogvnqcsDW6+JAXv5hsH6CupPNDPNR+uMZytX0F46ZFfzRcS/evwnMLAYuGq2mO3zK/1t6tfrApTckWE11qVyjkFzQC43lZT6oM4gWpDxBxubKjA4KZB+Zznhfno4WxtSzy89oNDAd1LPH2Ja0fVgRYwgPNeqIhGjWSGKbHlvwR0A0XZkmkbgv3tpXw3+hzAw8PX9p+SH2t/FcR7ZoLIxWRwrqJXxfBzb/16mmwtYBA7ru5LCRiBqeF7u+qow5xv91xGCoLKFVmCei5JyPeQBvwMKUrhou/ht8ZXhG5sxm1y71Md6Sb+T98DUkYmvnActVAPTjts4bhTlkd4g+HxbSFKq1AST8giLys1yYOpygzlPGfhx3UhMnnm75Nu8u4hyDu1tUX7rTYRHE4nPqQUc/gdMU2fA8mYkJynWgMKEIFIiH7FZ0PscehqR21WyyIU1lJwEQ29j6/adXByV/CzpFTMqzWfTj/Qc2gs0ftFCgFFb5kh4bAqiTHGi5VBO0XfV495VAANPrb50psm620UsU2Rokbx7DFiVR4j/LRMBVgfkkTVzkMTIFw8NXvIetrRnHQcaMvDbA7OycwZy0TWYU0a6e4VEeAJqHorEQZ+qWaDELuswUu8/276T3CTKdVDIEAMc9eSdRtzfHemsrAPmzM4L5trcbs+O2wN5wwkxARbuhjp0M6e+DgwHj64gL4+oB53Y5PaUVlFB+52oWjxBADDsN8viUWnFoEjYHvQnry/XI3xDJqmk3ffmLepK5SOeXLLgi+zXjUXoW3xp4Wsn3JNts4SiFP17jEazMvlRKMAsD1r24fnP0873cLeWdw8iaIg55mBw0gqk4OZVkFOOqCrvnWhQLGTuvMGUNEXNjwwrf4SPXQxrsVcEE1CAC25ZseYd7vEDIjrKWv91PqcBgU4ZYniDl3C6gKY+3dwqt3isdjaVyJwFgEC1QJnv1ULzw/ftogBEFTz1bROs449yNR3eLzM+82iLRfQMG2UHMBzuAMqYeqcfBPkQuNJ+6JNhcnCKnsaCOQbAX3oYtT+uKINLDgkWsmb2b/Exzc+RhNCz4LVW/2WysK8B6qO40jkJxtE8z6jPKYRN4QqyDKq8nM6xQBrH2SUN6fn9vfiYXxd8+KktiYaKrY/BU+knzSL6ik/y2v1vqFEQK52WbQNOQqXkCRZgMfi1QXn5OXTxux9yjAqoCbC+5/bNdYs2FkehmIAVRUZORSu4hL7HKeOz/QVUp4ri91vHQUYtBKqYSXwR3vc/ZKZEn4UjvxiPvzPzTnqLVKYkvJx2M2O5Li+FIqFpOwFekFVdYIJyk4a+J3ddH6Wi5WiWKTpl9NTK+F05SgTKbOAZxFKuAQdWDqrq7mlNt4vzM795PcIIIKvpZ69EvOfXvI5G53fOrFj6ubsCORPblN/wdwyBQQBvA+6hqggqibFeN8dRctNdYxXYmNYdxLkvTC/w+l1BlrC3riGQ8t0LZTlCz1cDxbTEBvLb9+Wfi6wjaOPbceMOuepgbyaQR2+mgcslTr5diwbEsID1UT+78UFSrBabLCKr8alELRUaTktca3lyGlaUxrSp+DPWiP/Peub1rWXaX/rKWFTNggsTcvMdNmS7pOGhxDnxusJyITankEvCnw7FGLQHjb1CMRsh0QPxuef++NA7N03BkK1CbrakDreDoa6I6En8DbT2D/whWs5YFFzMlqtLgP6acBSH7BzXYch2yW/3cvfgQtXH5ZiR/v89UJl6xmnaLizOMTZl+WGDL6ezuICvuuIcmfHg/oov0mYEMwsp2JDiNBENUIyIDVSbOu6U3H0bMaC16f2LTJv+FQU2QsbfXEVNQx8v6q4G8DAH47tUgmzqxF3NehTTQdj5OTNHlEzcQIPC6Wrhd1xITa6RBLIGqZbCdGy7rHcMBqdGiUY9rwUr70aLNs/8dE025KiFnIGQ+cZRIQ2NuXxAay5OUsGxWIDRtu0cFxQUH8VsWifSkHW9H7mseEGgzH54BVN/CjTPd81ZeS/3MQZLmaNi04KxuBiQdTanDyk/ff0RhHaKQgX0bJeJMUJnfUNFKXwnJB/DoUxmZJlGWVapI+pnHFHqAC3V71tSP63ZAjOvtlKpdl5z9XTeZfCBPgNzELNdYrsMVgGzQLUpB8jYT1+O22vLZoRl1+dXKi0lqxkQtn4N/L1li7qeNFZvwDBbXJQW3fIEjyjlwXAwIknbG8lXCL2qomzru6HnDGCQfepfmFdXk7oTDgOEJSFCIM9JgDlZ4BelSdvCcsejgHFeCeGp+dl9AiofD4plvywJOs8pMUSm/X3A2cfpd3F0Wee0718trU/D7agQn7G2yZdKY5P4xgjDmSwrXbo2s/+yk4N8e2kCpCCLJ1Zq2xd2L8n0kIMQ4DSZdnIDA9UxpBGNEH2eOoO0RedSyZ/uQFhiOxrAsEr/0CsgApQbFMoSWk3F5p84351Qh5qryhW+YxDKqLl5bZ9yUIu4IWqQLWdn7TDeXKTPVzh7sgeg7wUcJNRKHtUOjsu6aphp+nozudCfMRPM02YuyHX1//pS4kcorOWDV4tFe9FJkHE3r8+m4yiT9oPX7hfdvZaiW4esMtIKsjePOdHpDr1V1kQO/L1OcvoqB0t3+si65Nd2eTjfqddHVt43ogpz1Q51rttuuiYYlFvX2XliyYRKyK2fMyNvf6mMSkJK9D5lBFa2xsbT0sJn9pumzRzJbYn+CMYAXK3CZF3MwEdjMnZfwGZk+j6bOlksmZnJe1vyrwU7kUqSWWlrs7jLYNUrsVfxUuYgPoEco3Hf3Flg1TQeSPQZIIWVXsPfQx7mIFVwKO/G0o1rPdG17s+CRjBJSDhh/O66tL/OrPYDNzAxyXW2tUWErj0exqzc+C0HT8roZP6ei+/8GIlhoZ2hea8uxz2oQ3Qd8nKMb/YFLPHqZjBnmNq/xr/0cC6+NYw8yHXb8L7l3rbFE4WAuLC7giRD0/RVqnpE27aYoxwO1MgNEnmNBJWjRhxgE7J4fXShPDCerKBgWXyRNpCR/RmlNkZk2EA8D7/6VmD8ABR4LX1C2AGb5iwNLnFdhdHetwEh9HL+GV5Iijrx6W/vyQkwfcETkh74/sKl2tFIzrkjymet1FWGWn4YiXOqhRoKgL8NeXE/yYc27jyYQ9JauE1UM+25uXzqFv/UKji2G/EeCo2aQ+n5OQYLWveHl00JhMhgQBi4jI1bSs5D+8G+QObpI6btnkoWqH7lbqge3+DPxbsAMat/nksrOv/QAy2IfM0CEAH4gk87DDXPMsyGH+Z+W9fvlFQFUaVS+tO2ZzgkuDU++48yU0Cq1i8lHT5C2Oy3mkGirjBCRC3kOYF5tQ8B3EPeoJ/HN2c1DD9oS+KVkPxmYf1gKhr1VjQY2IDF0yj3PkhyUTaNyvyyCx/+7JEpT5ydFWQo28Kp2jQUZpM0WUtob7prc2fTqIfEV+hLLgc55Dd9bgQack8QHGLR5jHxtQoszQOPoL9TI0/sT9KVEBozzagi6vRlo+4cYwOmH1X4wStee1+tVOU5g+b2gY3s9ZbXAZAmgKtXWfhbs1mNcmn5NE5FEyngkQG72HlJgz/ehvA8DgX0CrjetWQ0PCWhMu4T2ZA4Z+0OxsPB04tDuM6NG4tgAH+zIxJGddYKt7WmhRsXXPV4frp78m9rqwPp41J1Ts2bbUVKq/FJ28DkCreldzH3QRpLMy5bnH5DBTMISFMCR4p0x7p+5vmcv+Th1dDaOliHwSxJEOC49xoA9hKs57atcl8XqN2z1mtmGDSjjSi0fCZZr3elFKck9M0qSJY44Na8WQ7NeTX2PKIdb4Wku/QGJEeVr85dwKsoGumQydnPgF6FzZjSXiT/z/CGolzItpr0acL1gN8DMiLOVW+/ktyJUa9GPnC361MYtvy6CIz/7SvTTKkI2CPX6CaGjc9z9RNyiJWuuxUKm6B4AWagd2HKtcRx4b7aOcHM1pYoQLZTrs9x8TplRrlEwVWaEtUPApbZqC/91UmMGbPwyjZ8lkQ9IzXZqc6YMcfZCDFJ32H0s+66NkBwSCJ/Cq7p+VL3tOTB6Sx2amLJDLHbmZLbgEo2uKz+jCamilObWe/YonuJf1qz7PJlOvhKda9F2x0JemZ4dgufqimunbdM/CuGhHCF4L3XBgqWspmS5wJzHLiFvXMOnBOrSiqFm/2I3jXnpozzAun45MwtUudsBV+6Imel2j2RsEgJqwMGQvm68/f/c17pTFr272Yu2CjhkqdUtvbRI9RLe04pymRi3rOiQfC4V5JfxqIUwjXRFcw6pVUztFpXzW+9WlgY93Lp0d6f/TBuzYT1q7WBBQI8XcRd6yhIOutP/py9M/PvMmCLwPEe7NzHyVfHDgi4guyDbuJZFRyWVeEfjey4mPSSq8B+hKN8HvQKfKhCywZLN5A+R1fENf4bX/aiDYsL/pKPa/0hODqIqeJr84fL6ugwreapjIUNXQbc1r/mpPws1Er1nviGoVI3XKfsrXvG9VB1Y35tqavPrWyCyGjDkzOduT3ZdUK1TDcC3eMQI/Ko5/Zrif2wAuZdQz2DD1MWVOPmhUdgJGia2kV09SJ+OllDLS3UiMX0W5Og68jDhUDZHz+E1K3JTT8olg2GZD+Ubj68GgTZbC7Ogyl+1vvK81d2rnWm90TWEqNSeb4J3jogrzl9+vDSTlkSDg2uNVeRA7CwdbuX9YjvZwbYImIyayGebknmVeTj9atArjYo6aEqM/wCQpnOqpKIAfvKQrfrgC/exO1D6tvLlKMke7dCTCmQ9BgQA0BgEQzGkvdOLOn/33nLHAp8Fxn3Ou/k7Md1+DBIyI7aG37wLMwUqMAsFi0Psyd2xSDvQpn96fcGX0+BX88cDR6m+4eCYh6ozO1Pzc8RVTfG7LdbQ38az5IPw1NZ2xz593AQJtk3b7K6TqEfBsSObD7uRcI0kVzmgpisZek0frFf75e70CNXKVHUlkCkp1/KKhZ5Yyesxcxu2Ac5BA7xpog83+Ey379uO6fnU0vF8r0RnkRFaICmuWpNJ+gIeS1mHWlQ9669n9dh8EEl7bCDs7Sfq7ExJ2Kg5tE3Me4EQ3ehP6f251bxcZT9ARKB/jumtFLdzWm/4IPbzatDps+5/BnOLmIbS6Kw5yN+GirzURH9oU1a77j/79C2mRWX+pUuK22E0qt5XlO+MXR1rcHf/Bbt3DFSuHP6FuIE2SmjFkOi3d+2KY/p1G/52t7AZPbxn/bkDpIqG6Zcin9dhXEHjl/ZQiLRms0Z03ts3Qak4DUtY0WKQjXodCrxuBTnxf7R6Dh5jgQK3bEZZt1WWWiCO8mRhVF/nVK8Xu9MBQp9Uy5HG6jaNEmubUS8TuLD4vz/Z7KkTTAM716wUCbbOrYzxs0AAfQr2NZDhC3wKrt6C0Vqq8td/QAqSkwWLI4PQ+y040nF58Xzzp9WSPj17rruWQOkDiARVoARvEE4vA+/D0vg8en+wFRAfYGxQpFYVmxcwvAYvZrtVzk5Ehb352T92nNGunrbIc54RvOvCh0uVZa1Gdkwqq3uoIaxfKd7SvwnG65+bA8OccNxsAfSK+FEwKr+kmqWfef5xI36Hy5Y1JaN6UFavjctQowmuR/i4kMooojz7KLg3VhBqclnssDVQlhDa3wJbTzrPCGVEMi2bwhnRVMGQNZcUhsxEnSD690HKxDLDCnxPXb52t+1ZkGrxNwtRfO2swC1p9A8H1UXr54Zm9wzczZDMNdschBDzuhmdKchszg5V8h31Nersd45rVqTbrE+gz4yRpwgO1bQapGsc/FpB1431hjS8IAjhFdr+2T1Zf0Oml32dtwrozLlVRiWgQo8FzbqwGC1CW0GQ/aabt2HqphlfYT91891Lxv5itNW5kk3unNoeQP+maJoMaukcQZSzChhBUHrIXcG9/jRR0DC6pp1GU0KKYUKJtO9LwqUjKv74FfMacru8oyYtroAOJSgEOqJ89KUB/9m9T3KF3YqCfHwTiIOEAcXQdNlYbbGNCGSkGDa43h49chjF2iVaclBD9bbf/STLA3kh9C0XpiQPJxHTDcHB1e1T50M/dPa6hXBhlZM7/9tiEHfrlJskToVM6sNNYuKInRSNqDth7+Wqg0fap1m3XRY+/8avroHYkG5Pe94XBe7uEp791rDfe4gZ0MeGZFwQhr8j9WP+FHrrTdS4BkFwQbsFgFwMna/YTkxDGH3GraTZm19hjvXNcCrloOS8vWbc5DHsDo6ujYoy8LKJXcbukdM/jU3VQyeXjTRXf8+q/BU530I9xG3nB6yELiPKiwSmIF/V8JvbSpeGxupUWFHPIatIE3MOYMKGdwaQX82DDeC6Udat+UhfSRD9gU2VwswYWY/E3x6ubRdU9EZaZmPXD/n6yWE+Z47H1U/SuIZXSpsL8G4T4ojE7PbiPTJcE/qvra+8m+kepHtl/zlixXDXRVn/Wu38fqi16S0Do9E+6aqJsD/T+kpwp3nTA7NjicINOMK0Sz3ol5M/VJpfXCBidCn7tMV7WZaKo89tq1H8j747GQp7UTBfh5vt+n/bL+1YyKToW0NkBfaT2FcRhAmmyCYrd9gx30g5GDNO02oyC7TLPVmqDa1cj3SpiOTtlvb9QHaScEcZZVtvGIuqtDwy1NGGMNFMSB8q9dwHqjaeuKW5GVciDAVzLG2htiupE+UfMcTpYz6aJJUUKiMrKLC6z1ej3hCU7Eh43LCCmdcMjh1SLKXPCNrBodL6DNzUT71khdmbhJ/xi72j1L9y6KoTNRVnW6KXufdOvIMBoptnieN/cDr6UZrJONG2i2Viplj4WCCEzwBp4tQQN/vIuvED1o2tXfJYexcKGBheh9NQHwTB6rhS/TufGw7I+mGjjupR1nTyNr4sIvewpkpM0ePnk9x4y40C9RVI16nAtyzNcT/9NP5kMma4PC5OBH99ChrN1HgGwBUIVQNqZ+uhmNyO1m0/wjjsnH6LHyPmp5p85eQLsXYp1zTFbqYvSEtZkRcImKSMFRjZK94dzWAH5Migm4NcmGY97CIUyuo42X/YStEjr9tRK5Uk5ulHEkaaN/lE596UdGrpQ7MJbQgKqcHayKqlTSdlWTIRBR2gZwhpuzgxbJtj72ebdQZ5aFXS+oLOp9rvB9ztNd3xot49TiMYXcfDs9ORk8OmcxS6Aq9YwrFGv22CJYwgn0fPQa5HLTAKPsui5A24RK1FOL7tMXS4YIc5uhIo6VxpPao684G88OI1Q7+aeppUjfNJgpuAGBODDx9e1WRJt/rJZdmHr1qFIZIuEpHtf2Kn/mIEle394Nyu9+gi6odan+OXy5RyxykO5d5vNF3NnNdm+UK9PTsnvGFqot9AzccL+283VeGJYv6SfFxapl+wjYqyywUSCvRhMM4lteoOSPt4M/I3lVHbPEHEZcoM3apKcYVPxXsmbr0g3alJO6REx9SGBLQVgvxreaz83dQJWcuT5hx1xiUk0qJIYE0hJWaJECYsdJDLefIweyAXouqA64XWavzTpyiQD0UW1e/cnw8L0gZOrYJ25nao4mpyKKq44GBBfjzSoc63CkpH4yfjGfMCwQMN2a5nRAwKlVxpHMM28NU2WDgSppodSyps7tF+gipK4tKxPsemdjeFY5HHC6WQicXimzAPZibXdY3uQpQuumPT7bOK4MyIrFxg0WevEt5L6Bp6w1c0Lcnu2p8AlvXC5hfGkiOXgav07MboQhiGJXFV0wlUDnWVEsBKpD66p5M6Jd2w9haTjQgTpXyCPWqEg/oZINXYDRl+zPwQEnxCbcVvgFNXpArRe9KsUFDTyNmDFi7kknVabqHpv4KdaLU0HDUBrlNyOA1k59cDVpVL2m/zqKt8SMixeHpXX6/JV2Gom1/JabUerm8eqd6WlEL0U6CmPRt0uw+sufhmZANyo1guIXI1GW/XT+N4ZmTh8Bj1KRSq5SPnfP6+SmCyIDvx9KwX9+BLVBbDEGJCLiJ8ULeYO8LMsNq8XKiJcA/SVqLATO4SOyAuGuom5njBvqABhufrIFPltDDBtjHp50qMhFL++mZzu1iBzhLXeopw4r1elk5RQej/v/T+wLswUdbum6Jc9CwJEcMkz9EivNk9nzpyo1ZPVnpn9kxprc/SRZ0/7V502oHZJBrrXJxdGghtF4P8Mz7lZV+rse71YB0QT7uh7QV05J4I7QGO7OBk6QIdXRt/X+OwWbjEAnAEOidLnwe0SiXBB54cYgMyS/R4lnB4xSVe82rp00S0owNrTPKtfYSXnhyvCSiiUojAkE1PoLsDHPlamLEFfV00BE4AZFjor7V1GcM1w9KHhKJO/UJ3DFLEhj+bvpWJSHTbZV0hRr+OGpyhiBQ52ZBqHFiezqMeGgr7c38yNl61wFG8kpJuTsxd1iij3SYx3vx0K/T8H/0+/CQ0Zg0g6lav6bWlyhSqLqiidw6Hd9Ik9y7Vn7GQ0Df8phJ9h1VCAa6S4vcJT2RUuC5dNXNPgBLR57BlSFRwzAv72xKxb5eLeWUOGEd10EApoao3P3XaXS3I9tIrmeSr7GOJ4o/SKjRtiM7wFO/KyHFlN7YZN74DNRugp4JLvDf4p9Jcrx9VUFHc4bYgizTXzjrI5yZSMmOthwEVDMuh+gpB6vaIUHHtqPuIBwTUcxPyScU2gp4OWo8k6rElyrGQjXN/SYy40QY/yJKmFgzU4FGJgjHp5n4vkCqXMH0mhn6XuC2/mzIgN1zQpCbRFoSyzPAZw4enhFnrezYVY0uUgtDd6gzpdFkkAPRNoNLoAzrIlOraoyOf4FwDwC9H7sdMaD32IG8sGXJNbAfDrvGGcNlQfjWZjNLtmlYBTCum3vAvdmugfgQeQGQhWBWe+NodKp9HqOzpxvI9b5xRUeaYHlHd36j3tI0ImsBFhpSU8hiYevFHwJuKU2pRdJc57xiB7jYeImV7bFZtUh7Qdt6kw0WYvRFcE1Y/lkTh6C7pRL/FqDBy7Dyw0KITnoVePQQRQaVSHyqJ1PA2TI5BIC6KIphg6U8Cv6Znt1zaKqCRJC3+7EFIJK6ccwjG4/LSsyPWTur6mqy1MQSYmFUHuW1Bn+IbGHhpPN3fXMKZxwTxknzi+qtBhRVQgYsMvOsLFN9uP9PWPWoP8sE/LBnOVhjbAAjpNZhGsaQ/gqu5jwXK6jzIiSoVAy9NbzYtdf55cyWeDGx6qVM1uhzhGn5GNbDGY1Lk+DjbUb4l9tcaiL+A7uWUf8k0A3jFo0SaY7lDqw3EdQoaSB0yf87qdAo4mGYwwIv0IdSlQybZGTMeaxrAY7uVfsO7SuCV7A96QcwNLLvioXXYRhdpZ3OgWnw5sU1/BColReU6lilOdWSH8bpR0pfA8zdu4AP/Gg1oX3Me/Xdl+2ZQbXGx8x9LEs9cF98K7FZG6vg4Q39hsz/N0IUj/xv14OqefzJrMNQ3DLsdj7RHEl8vRIVIN1xZrd/07YU0LBb7IQlSM/2ywJ/duubitxfc4d7eCuGj9HHOstVh1DbM+5uvJmGKcsyJ1Dm7odVeqi3TiZKCeQ0z925DxjGxSDVo3q4iLnOctXKanxB1MsW97Z5/e02oXBebUhPGPD+QtIX6Sx4J07K8VB6H2fSw8UHNZeA6C7Qm9A0eCSvpiLjGlbHEZKVq9g71XyeiiGF6JDEZ7nCfN69vkqU6KhSgv0qzafDpyUjFafSbvJW7OIK4gjFP1FLepCxDT/sya6328kGKaWgTcj5hTEJzvFCAsdixHXblbo01QzBHhCyYJ6+JfvRCA+F9bdZywkv15vBL/b3LSeKG493j2sIuSOAU7U0YxqTkqxeudoQQfS+AGRZYiJ9b8bTkO/79726Dm3RFUJK4Qe/R9Yp2LZ1ZiihH9GfKrYSgDzTqXik1jhvwsaU9AU/bUVjiENeG95NY9i3Mb4tavrnrB7hQOUfatV+gXK2ZspaLGiCN6ee6BPbhM0u/YWGToDBDiSbCIe/vEcCtJdQDICiHMwHt9FVcFvREY0OSTdnoeGWwwHpeuEIcYrQ+v0BalelUJawjx3vbL8yEoY6SAF0FN7JC6N2VucVp0ceYoy8QUFkQc0FIscQQwVHf5+0qPJsbcMhshjeBAan2f/PQLFTcjX57XeWLGgDPrWcKeEFnD8u0NSExVC0OML0bx/FHokiYuvVkalWZU84qHnw8CUFvKI41DoV+ykxeJYG57Bf/KT/b6Y1vNVZwczEk4oxrJFmscONVhgxJG4mNPSK3bThvzhxNYZ+PLMuLzhl8tctGMwiJBwkYDdl3vGQ/rgqQQFcOtZKPpfiBoN4Xa6O8EfP3JnEAKNpLOJnvaMhiXhnTbRd6biBH/hQXOPAEFg8sEjifBro04ghTHW9BXYP39+xQy0itpWyJQNT16wxS5EXGxrjv8oN2vRm4xSPV0d7vWeh/HK/EG5pXEEQkaWR4DRRAHMhG4+KM74TCK1A61fpxi667ODNfDX9BGZsFiNik1LD+ISzMcjfrtxt/GOfCrQKqSSkQa5UZ6e/NnmFi+an9OI6iz6ANrniCSrM7HguDZEBKaHKmlLunYqQ58uQdQeQOkIE+69sKYR19bienrGALT5uX41JYXFXZhRg2kgCq0It9B0qlU6Df/i3Xm93jefWNO6GWo36wKolG/0zI6EIRG2taBuL7NIZKJrMu/+1Lhg4NritEEmJKeRFhgT77i/YbHa/yv6kxbS4nNgBJ8tY4JLRDtHU3hh0mJLKyX5nqk6h80xCfrZ9HpHyVyYr/7EMOsMyrkNEmHU/xHHNJ8vZ4rRlyl6fCi+Tk4OTqdcHDckmpGRUg7ted4vqJmfYDmL1/fMXDK3JLAwCbONuL6ymR6YGdMSeSCh/qnKjCaOibfAN1c2slLMVqjrA85qGYNxJJxGubeGkrKfd3DcUlV13ttXR1vy7DalgLskLNsdL30Kb0wdQsXomWlZuBFv3Nba8x8N9ZquaVjTG7CNHYK5RNlqtkeho2a250foOOfMJ9rbj1PY0k+J1l8efIzkbsQZuhUNSq1SG+QjjXSF1OzB2CWMxaNW3G2I5fvOENgZm85G2uSrepQwaHsZid0XcxqOWu1hfr5aPxe08liHI46o9uRyFo+t3A7p7TOBDOG1hPA6T01yrd5qbuQFP3JfgkeZ8DqAOr5yjiDrCG2RW1Z5unudm/cubP1HvIF/iRLLkrLq4CjB2FzqD6yqHNTpw1wSVNv4SRMgGCNHi0iQL6lThMLBG/YmGgrW8H+65YPjtEZlX+0gN5UHmFKnoI4arAsK4aVGwlSKoOTokb4/lom2S1NDbpwqHbv9+pkn3WgWhB9pESCTRgSSSzorQGRzCuvIuJZt3+jrvcI+foeHoTKIuB5AYmi8LOlK7jbfvVb5fTVukJpduH6EjMySTQpKQNNj2fDR3RKwlw4rvchNbCGm8J15EF4pSkifJkBt+09R3XYi0jzWbWUpRt1akP60MkSOpmlD63fBC9LtN7pF+ZYHk8f9x02ygreiRi72At+/VIwcXIhbxa07HXyO/skeHxVh51QXvj0JULADDv3DzYQQPhBXM05Q5OROQQuJ0i1L+o78zKLDce85FW+Wkbp2BEFpMn/WkjBYq76xfyA/1DhCcAmu/Mqvqgtyb7kmNJbY/AgrI1Aj2XsuCE3/gMfyoUKkT9N5ED8tFqVp1yftj6xmsTA5EvzvAfXJudGT63VP0iMZBtMd70PE8Gyq6axiW2LGY3So+5IOxrhMYkLQp/Tg2HuWmO5tPCohAN4LOdqNiRcM7TOzufaRbAugHNByCvt0LtAzKxbFunVtPvOCQZ5ALyRGatUU3niFCr8kj80xpUxndd/3syPXGMW64Ipm6zGIW3x/9YsLMSaA8HwtmoNfVMUJlgRAlrHKoS0acreIs44TQNoD02Jq9ehaCFvdLKwRnM4CBVsqHEhmbSLb96qsdNW6lRDP5bebgOd4Bbp0N+kB7mAmfaGwiFa2YTpdnv9LGAkel/JjoHdPOPKV55anux2+YCQYbFDDqt1V/f6QYg4+V+kIRWaeVC5mvGBKN8dT2NJ2PbOICv4FN7jBOcS3QnKg2KaMbyIGPJxcJ/7CoTMCTlVlNHHnxx6AaAmyTq8S4SKs5hlKDJL4p/UxRE7Idd5gfn+U4DEWXizirM2C68Z4WDMZs71KwUkYXXiSb5FooUaBQbqmJg7EvXSYuZK4Ee9jD0IyQBtqtSdcGpyLdo1qOKGEV84s5t4N/fw+qGJ0WknKnLYI9AG4rIJcr1fpJgJgsyyvOqqvTuvIDvPWY86PIUMLXocCJVf1emkgmHaSfjkGOI1rnt59cPKeyk7xFtj5GMYOLkEWmg8bSW1+h9VAWOjyZk9L659U6oDD6dJNQcPFDxaRshMc7p7Az56D0JdJ3d+ULTQ8+Kkd5M1MR4uV51UEe+0hrT4hmBNBitU6h7xVCqCdTWu4WT5eLxDcBYeGuaQwOe+QSwxnAIVEwX5JsRoiWdPL2wagqGahveOTctI5VVUM1foFQxldzEhaljoVO3GdAZ/K0praWE0Vw/h2HOIicNYPeldbPYH1qfsZtDkvRfHI9uxDlKGOqaJaJPjXtjefQt8OK3Xh4ykAvG864U5J3weT7ZVx/C3UxpwqT3HlLJT4GRukon0pXB3pb+wWKdVFcBn6vvGpCOeeCVhkMMMMJo6o4Ozh7CK5R99axv6P8HrYI/68vXyqcC9gfJ+cbl4JSNBtip/NaZePgTzAIVsRJyCndodYSnqEk46wcgETKnKDswTN6L/hx6YvxqwIRwakw+2ezgRepVBFTV4oRBuyqJ8MUt3A7IW7jA6jL/RO94lT61QEadsNqiilYNT0vcp+5nbAqeAmaNboe89E2DmbPEXoenWW2KRgDQ3TZLoBYian0ovElplKN2bflhE+EyO+5dW+Zjq9Qqmk1VwY/ZJpK6fZzw0im8P7gn4KiFNZZWM4neTUBZ51ubPSWqto2r4+sOCJA+H+2EWGQ/xNAfHnPESw2hqAyeElI1DLn6JcGu+buRyqFs8Gr0j+8zqtig1uSFFsdySFmwY8TjI4Or51eyf46MPhVbIuJk77EKSmrKNFnBRVIqXfYf/Cxx8Nv1UVWfazrxKZSIJ+GLEYYCtqzhlEstcGdxdo0uf8LmTTE+tZ/13RKyG+Jv8mUHHGNzB45F4ZK4fFBjFobFwtCSYRpjPrSWPweBWsOM2dppHo0atF/Cr3c9pDH0Rcvy513R9NBanAGft+i1geKwi7G30GvJnE7oWzS2FBP4OTdVxu7jBJlr4he2Zbzt2pF6FXFBC4G/HDYjKCGTCcdIabmxbIeoanZLv7ZBT3SZJHUny2hWZpQ3gkUjZDyglOHxWVWuepenlJpUEOIw7Oi86TX+JHz4V3A/1S2sZGn2bCopnraRlGcFgvP19rnV4mbBaKKdQ3nVhtJKj30MI2TJSiEQdbXkNrLbVjkG2U0E3w8r13C3ZDXM6bUNweMruJt+HEynz/pLCckMH+GYcql0afO/bgPry6bElOk8+bWmcxjPhCBvidnMzBVEgxLWs9vTjMTiAQq0xbe/rUp7DLX+0IJbdwgM+qLVuapS0GtzeJj4Hibs9a6NAQvsH2iJa7uoHxjAFV0Nmw/+1TGQRD0v+1cqT4cc09gvOMaEpLOKprBVKMYD8moLQFoCCR7uiqPYQiufj++J4HgCIeTw+miy1k1ooaFTp5PWcY6rVkGd9VWkxURmjr8kWdpnSMHNktBPuAEtOMYtL9y2u0o8NiQs803r2LH5O3i7mQjJ+/QvuqzoMw7b+M1ywfp3Y3DTKblFIbqrLl9w4sAuSWoEkwjJBVjpiyOuVqd9gxjo5Z/QK86Wra1EIlJDSlXDbkSU9IBBjsiItLXD7O1/s/x23JHtRDvBi0bZnPyGntMoGFaApNDi62chJjJB3c69xvf1CAz9z733g8jWUEf2KXEMPpel0Lkt5ym4v1IhaqGgKCApB9UOmXyVGRQdDWtsyyu1IYwEk+YmPmXUjN7muBoYEhBEz+8NBw/llaVRuQgCp79OvpIN1kE0o+YxJWS9fPaL49dxRTPR2mWtGlfPbbu73qpswm6bVzj168r4KSkFxtJzvvvGfP56f/OAVZhF2il6o2wpLVCjJO9Z+oFCKRh7I4UzuCI2xA5LcqpOvMY+loIfwBrQCxBfkZVtLNxJvmBi+0t3yM7w/Bkqi/tFInu6Dypy9uEovKighvgdm3iIV4G/xZTbu+mIiTbvME5x92JDIpLpiZBpjMMG2m2ddCOzjjwd8fzQlf1QIYvj44CwuzvIsdsdE8EgQB5srQOMI0liRm5kDmbM07FAWOSXEjt1N9yL6m0JG485fXk0Ucs4s8gtsbRiuhTNwlwhwzN7ewb/zfgXTdomtLxpmvOu5jTYqDEZ7dy/9Rm1QqBfHYcif4DNcZaiG3gIKSWQjMY/klIMoudvfcOffPAElFHKAcp4+EjLt1X71peX6ZyxUOr+GFHzRww5MltKccyUh5Drg30hckcWYxi3st43ObsjAGLljX/LUAqXEwFd+wFtHeHRmy0y5DSn4F4nPyWUbuHf3cfjcKPWwjQG4DnxFkl0hTiL/DmUb+7vYQzspPomVhW2gsidQhl3li6XlYlpiexBKsOMJMyKnHHnejVMmhLBrLwDjL5LBcnzrL1/a1uDi52mmRhT1FH89+Lgaiu/mV0akAeGdvot6tBaf2OuVnKJZ28kX9/8+ZixWkH7INAxaGq3iNPMihTE61XU9/Qc5qN5jnwCiPAGuKxEU9IwBcNcfwomsXoOCLalxiMqyAWlUNeV1ZwYq1i/dxctlaP1R/R2t1c1NKMpxZ8airHOkz15qxRf6iVzzivVAIC9nTI3QoI41fAcHgijaTb0zXFbGLqWETmf1js12KfIBCK3yjzO6wGcFGLq2UFpEndMX409f5l0pD5bdp9GbJ6zcHit41aefpyrCdk0Kx9n9FpfxzZ4tc839/hqjHtcZrsabUWs5L91vxNRxFlrnM2vvtOfMWDbl6ywBZwxxXhse2OZbKKy799UO8Ughjs9NyL1Q9NT3kHp6+cBTIa09Qt1H1/9upssIwC8owfcqkQAo+1Z50W6k4uc1NL5nMo5cICyyFV22EXjtLeJEowSu1rZoUDeBzmwQAYfKV2Y0n9hpAkvNm6xRWWjtLfv5n/mjabumI+YeUlPiHvRVQOGplQGZW8hFp6DTV9ILmY7mnrgOV46uNYaQ35+3FVL5tVvMtJrsDCCAZ+0xdGkXBdCI0TfUzCEAnHHKOANSSBQSS7dpk8M42MXRHwNkoqzT7tQO+ZAiwLmJ9kIzGdcwGChUVk+284TMHdIEXh0QY7LUZl5TrG8BbQtTvJAB5Uc+whWaFo6TaZlSR6oVSIlQrspD+/R+yzkLLF5wS7EWlg662wWT0hRBEsfk/0/RQve2nQ44+TDptiLocc/qaF7UJFVQJBdMtR02lRfarPmYFY3UsKLE7RXs6WnBNfxW9kMekXLWpHJs5rkOfeR11qvNeVEk6KlAJtJ4tvnfy3SDzlr/wx9sEtqJ8me1QwEfbmZ5nnjhpYhlE+yrQ5p3FSuyYzBHo/cD2eBjfPrSkj3BLiN9Me1x4UYAVvzrpmZDoqcvEM2eGcVmJwyNzgp7PhJfWrhthqsULdfgw4yfkdSwYbE4ALD9heaNCNiFCpurgQZWFs6G9C2riIbYTd3yD2Tpmb5zfqaqTEXR/o25q9IyncetdHH/MVZjyjuagHWcbnFxLklApkiOInggYOWeB5DriLOXGC0scEV/U6C6cN8ZO/GPTzHi0L8DoA8XW6d7PE8mIQC33bDJIEmG427CmF+w6FxlPYFuMIyNsv9Fluwn5BbAcijzA66JWaC0IlneCGGzm8i3AOqlrEaLbG/NqprQQ4JUZIVRlmyLfJaAYmWvaPrpDMdn5Jlt9EQAyH2x2hz/7o8YeC7iWkju2IyfDljZrYh5z8JZD+YHggFjK4N/3/pGreGur3iALJfiq/Rr6Hom+chYDzv1K02ZfuczbkRFwPgumG+fXwQOV20EDyiFsdMUlxPAJK9v6snCEXs6/64ZKWCtIvIO0kYvTSA5vBxx8S1eoJ7zEcmZVlcRdmYU1yOZV1f1KMEbXfBeBfHixLMtV0og3Ab3xvl33AzazapJ03ODxfEd1Y3dO2Z3D+ixWMA+ih9/4qUOZhOfc5hLlS0LvhCOI4NB5omOqEuJp8+NIzh6nfG8GEusivNNWvg3ToU/3MN0ID7DLoaQQHveaC9vdMmmm4dqHzF3w6xw3zhSBn2RDyefN2dMEqWivXTcChlEeBFTFOep4TqZDpuBYs8yRdIYEW5psqsU8EUZRDEMKVe1VSFpPcJnP5q5C1YNo5DFO6kSo1QC1mPnBhwmnFitZpRNu/EzbLEhw+YL3xYZpGurkXajEs806dP/gJKiWXs/Up7IUmde6XtA/8muib2Jve/NpSGJjYsXDJpBW+7Vj8g+XXhNqXyD2NYXsMINamEBv60wxBnpn+3VqME30X57YfaXDDgQZ8mobvZEA5PFbD1uHHbUiP2nqsCqURN99BHH4GGCf70XPumLdnKzrX8wT9SG5pkn0RJWwriXO01i2c9mJ7eaq794knIINxwKvE2AZStAlvSil6hXX87ByZ1ABKgz48QfsWx+VqGyn3z2EZN5bbbhEkybNtRtEO05+Bzti9cfZfDzCmxy6htOKtW/Ik2igJfDXqp+9FNbrrROJzJASiX4372Zp+o4WN5NpgrUe0t6Zz/UWAYe7l7Uvv8tNm5IQ/J0ah2ekL3dtljL4W7vFoHdDK6cojJFReCwVniVf3jzLtMMQP5DbzDU0m3R+Gmw1RYtSDIvOG11KXrhPwNqIPg5aeiFqp2t7y/Q8OmzOi5jz3bqJx2AM+h2/m5v67jFOZfxWkupQqZ/DAsyA2YT3RZVXXw0YYb/JazpeQ0Nj7NmfW7jSoy7j7FmjuBFSQHRrvA55mUnP71Z7+oQ+EVEtB0I1yjGALsouaesc3FN0Uf0iN47A00WdLWBTUOL7oafKAjrijCsLBD87+ZIYrh8o6CkaBNl6ClQRA4iXyArZEfIUjTwl+W5LvABqYbJnu3gRAlirIgBBYyghRmZrDR5c2JslJ825iamFl9ixvoMRs0Mr6SlM749hnydG/dYfyasQ23oDi693xieyg/52qGJGHBjWxfKrJFzmgOOhoLg0osJoafBZNUXWuNcEOpJhBvx6Kx+FvX7M7xv5ep3OB149nFMUvN0zKODiVPLF4I56fC3ZxXUY4U8Q+J6V7ynX0rWZ3c8qjpJiM9/fYgI0Q5PII5SgHgtCg6vG4fBaHYgU566b9weBghTHeK7oMY7V4nNquipVybgsccBtBgqI3V2WLiXUVa47g4poDE0j5hHm5I+neXQsFVfFPI5XtKxHKd895COkIkEhwwKJz4aYPfRSCOl2Rbx2wErH1Y4tXXkPfDL/dmQyIExQkXyfNXvXYd+IgFpVkJJVybIdhiTdxSWDyytelfwKQyDKYPPr//4+miQt58HTYlJzNAxz+UEIbW5FI5Xl4zJyGWInKqMDdwCVK+eFlvJB4C5CoKFbR/2U8zQ/UisVAy5AuBJw+v6aVMsfGrbzIF9+fwazBJNj/+aEhkcHbquEJeTmIeHrIFCJCgU57GuGcK3fnPcAH+MKTOoZUAFHNmwwFukvTJI4y2yHnHOA6bXXF5yS9AUgiGTjsVOgWI/aPIx+Ua8qYbpmLdaHMsL/ybB2L6DEXSQsBvwEHCklBRXsJzdsfwYfNvbzH5aY2O6TBJ5iilMdL3Ocp421zQXH971rcWYpzqpnuxhTR+Z28B6tOSWXwTpCk3sroD/XIyMFRSMONHB67V8r4p4VWcY22ugF97mPdOTKj6tq5BDEsRv/OenY8jOxMduYaT6VElJRYDoUEqX/7duym0iqks0TCNMqihycmS8dALALteebeufiDayH+v+LqrgmZucPqgk+ZSNVIOGt6BJH3weHzBqlSoEG7ydZk66X+gTrh+ZuRnYViaA9aMAOswZURa362Kg19JS/yirrFphJq+VLL1pN3o7tMLdJAdDT0sfbAK5CBemteandg8MUTG0mrVewSt7JyjDnvj2Z04eLT6qwmdy1g9I6S85iafn7bYSc0/3PcOwOAzDCIgjDxJ5Un4DCOEwv3Wt6LcDXAyMPmTEVZyR2yw/bX8P3SGDko/4PDQ97HKDJ2K7Bzu14sR6+9wV3tMme0YYWIPtLA0OUqGGo0qbnJwyViJYZAjymEB+02ofa5iu9zqKkxm1I3FxZwmWH1sCHufF9MMeuWbasB1Q97ZKAhWCGn2rNKVOEqZ8WITYMDoIkJmlNa9kZF63DAgSRZUWKySMzWYJdD6dKmUP6BanHG1GpNZ/cQX9dwgzX/TcxbYvwDcjfolUHv2ZLyHwxQ/uVbCCk9MW7X/hakozBHkI9s2TlC2nGWVY8MUKfI3o1heD5gWsUlVGkZdKIrLihUhFfE/811yJI/dsBJ7gvlBcwNzxjyFNw1W5FIZ+eOvyV0CxSHo28QCDxTii/0o+4o0PHPjJGCHillB53G8DuIPGQlR4pvYfIjf9WWNNhcliU7+9DcxL+oYykJudd5nXddN2kMQtShMRxccuStwbWqnPuojKaiQ+gjGal3V9QZ0B44BCgyf9wFMU0N38sTBBiNiKBrb+GhxKfnCZCPkgEmr2uQwDzQZD0fnwE+7AqzyA0zORlccjT2RdjxuIb8Xm1/jY/njgeH2U8lkGwXXyr5hhmWxoWhPZaNYpePdmGkVsOO94rtch2lbGTXW0ZCOZZ9sjojayChzEjI66mKnZ+L+s3KHTs3f9wus8elR1We2mbK7Q0NIwcIYwt0j350Ds5uBqvLzeZqpglNY2BQsninaoH97Cn7V/wNZ4C/qTk0EJV24rzuyRVtggHD9QpyvoGtINLFemvDzCSzPm0zk3xEEhUMlN4SR45qGhKbFS+U3o8sCmGiVnaMe6d2LWEuaBPrlMEAO7w6i/mqHfUUkQ+aD043y7M8qkVRSmnP1eBdaflRHpvqvLeoSwhWONdxOcJKEN1/R3bZts8cqERU/9FVTs+i+u3DhYz1LRaNIneoqPsmEsrWbSTyrxI2o2gCosAoItljGyg3ux289jw8h4lCzESiB3ik58su+9lBlD/dTEyu+vrhl6XfLqne+W/c380XPI1Q0vtOHwfyT1LFQDvbxvHG5I3L/jkXafBPBkPUIXNr4hkm4wN979gydPtfkV5C6vwWWglW+MELSart7H0uiSLPJurEVwuV8MnvWCjbch3jLuqUTuSHulVl9TF3mbigifvlG54Qh50eKPRhKe0QH7vIegL2LUqh42RQp9hKozQMO4vh9zB9MOgPyABC1hifxIescl04DX0xOjuL68EGigRcdENYhgPLzxtUaWUC6UD0Ou8Y0AFMPmKyE1PknWBvBvXQ+J99TYE0BBJoEHfAiRfWwe269pQh6bO99x3wlmnzEU9dmfjMHY5+WQZhR+9GFCsTbmhCBtRGtPPp1rzbi1j6914Ci2ldLPZ66A2EnLS7SLHAGyaAKS96nC/KbiJ+V2RGFpFnfW1cdXywIramzky0yOg2GQDLU72kiwjVe0dQGw0C/XyMVieiS4zd7rmbDFEnzBAXXPK2PLR+PDtUUXa+h+apopDNDfcMD9KHmcrPngcLBVmAsrXCXnER5kta7h/eESEWaKY0CkyYjeejWzPm3il9d/M3X2ctC9CGOinYmneT4DpyhBL9rwR4CI1kNTMhkTaWSz2T8Q8ioG7NDPRvwcoNtJZohIQGy6u0033MgJ50XirOiD9W9qpgkliEZ5I9sqvRZf1n7y+/TIPJS/FxCeVPnUMqBLGcWieLOo1cdDRkcVbWt1UwTSHtKOfkaa03zaS76gMd0nqMlWdr42B9qo3K59Dx83CotdkGPahAsNojA2msYM8/Ltn/46rzkYDWx4tY3B9/Fc8rFgPWU7PucXhgtdxUN+GuRw5tPdaU+0eqKmwicG4JIaTwwMqaa0sM8o2X8kEeCEMOPwzX6h1UTcqJEeeIanWH2vnIwkMscXw7zAclpx4ZMrT5LdxQ6jX0jGvzNjYTk6yjx6aSCBiSLGCBIPE2qtuvsIQ3s7Goc+bQqdZYi8E/CBoOTl+F/neD3LION8kREiKFmJVkK/TAFos9FVs7v66AyX8T88woZu7C0XVrhuY+FYhiEbEehJNcc/pZbAafCadkiRIDBS4FcfOwJDLNqYEBtp7GAK1n3ULkDpIxuJ7EHxxUhQLJ03Dgk3jBZY32P4aMJfomq0hYGVQ1PI9KC/mJWeEveXP1DFRdowcA8FlIKC8O64rJq+byc4l8LtU4sSWpBfCKrQeu69TkuwGPgoHH8h4QWXDynxY/IHV2y2Dd3yzO7iYEnz3/xvZvOSNLw4XbWGW2uzLnTgUEv0346tBeeeYG+sx4xnunaBUkd7DbvoqvpFYqHhAqRLT9zi0G3rCfeIauoZtF+4MqfzigtB91N3Rk41Kis5O13IxhqXxuhKxBhgDbfEWze9B8O03pS6vYW+UWvBkcFmOmfX1tZHem0yACp/vNg4qFBrb4g5cQ8sPue1zmHEdKEd9vZdQD4DaNaogY7PjEBgtHpeYm7L5fZuGPDIPIIDKjUTCQm88iWT2AcOs9Dqs+kYs3SrWm1y9nzxYHxXai89PRHu4tTsjPCDYVzfa7wVk5psNEvfdP7SxOk0z4un/4zoN+N6CllMHOwAAWX5M8lBC2BeUqQibCHUg8H/A6zTRTBMTbp0jauPfNd7mAVSI//b9kZSzmCKxaR4iG3ExcEDA5PcuGZFUlNaxxl1eJgZyoZb7/E4W7Nv/fgBFbabE5wbqviAALUqpIVvBgyLdrNFP7qXum8e9l3rjJOUvum14i03NF9RH+1Mv6iNssUC3qd4o7PUz3UXT9SoqmUZOaeTk3F6fBY9ht2USEZ+VEJAZoWeDHn4Shwzw8g7ubCPmqKHwaHNbebsOHUteQxije7CkSwt/pufMql55npgEcdhhlFAX+nBD86a75am+6eqPC3ar4I3qKXWh8Qr2hfbrPu9uSGaCl69olojzUDERVAWGWGXamfRdmmRvArgA2MpCTXs54wsZ2f7pabJoxADYT2X14kWjmnpVcEC4i/ns0M4EkautYXYLoDtGw0GBkTI5VDlpKwUNsiZk2Ve1GJqFTzxbxJahsBA4FrHWuopkPgZBqROxRFC4tdFZJsHh+LXnuU2mJ3NmADRfb+K4hRA7TNMs+qOADIm8iueS7qaNGkeanS2795cyixWR10p81p48BGRU2K20L4KNp1os/MRpZrA/ZvQ5cLEBFJVB1aR+HLwsBJBYnqlHy3oeWxW2ZJjwhUirH/oHwzKlAYAO5jckhCU5wZnzA0yu/Zeyy20lcEn1QVbCuNtiG/pIYVtqg5Oue26kWuzogSeRYJVVTuBNnodlpZ2htJtggK6mLfoxKOj9of399H6Nk0LiarIImVLRFj/b+5cAUSFlkIQz6gw2XGNFpuNWnMG/zNWdqIb8nb7Y8bEzQcMKjIT0cbBsAm/87hWHAOxX2QUehIZPfnD31uI7rnhaU5HyYB4imrF8bPhXWZNJivlAfLvHwxVjv71ESci+Sq2cuPJy/6TGlun1B7Jr/CUp52orR2wi72BU5e0hDZ0baMKP+ojpwdtR+ZQQZRsfwhNU6SGZuFFQ24WqslD0F9mpxepN/SaShja64qH7aBsc76V3CP1f4lFRlQ5DPQC6TJxDuugapBubGjJZHDa1vcGgmW/jnLiQ/yW5IAahAxSdsYYZDyfHzv40oKfMxPqszrmPiDVDCAfQDeCmiX3btPnPjJAbOkiKMme+FwjGyzM01SLZwAtUPJtbRmEyVnKosLi7KiGbqxYG6+lm1xukl7hNytR6Sba8tHVg/O+HRkjZkQgSk6JRqsKRdsnFWX1jwEDgFGaN+960zyqdj0IMA+fxRmOsmFmXLRsNZWVqijq5nrrv6mzbVLOvo91AlEPw87PI89aKV9Gp0fUoP6HU2DPiUNOMWdb5dlbGRQ7BfJrweKlANUhxL2rP9JfX5ft08B5hR9fI4lqn+Mk1Evpg/PZDFrFGlWzmZsXc9pzvWZjMhTpn17IrsMO5Y0yliIPffpF3ptQMdKcZTC9Jx/M4jA2vdUaSTK7OKoLlPArMs9yflyKih/SnYjEOY3E+i64bqNKd8w+lv8+aSXQywubZKn6n+mm1gST48M4r5q/2PiTEuQUULPDwW7qEGhX6m7SPiQ6V7tY+8+HV1TaVLw3utIy8fUKM/yo9CFR5aMITLLEyRx9VB/nI06jXkN+23HmCzWAXOB/ZIpIEZMrKVfLo6kzQKHhWjRfC+UFNI94NBIt0owMHtoVCehti4ZzxwSEMW1Sdm6XfR9sWavZMjKBtIfNcXdi7+anr1S3kTHybI8GI48LTun4AIdexz7AUS6tk6o966TdgBXUzFVoua9O+OOvolkWJ5K4csJlqhsNFlYD/EUERY9qOQwvgFJEICqQf6Uwu2gxJHJCv6Opj2C9MI8mhL6LXceVBplvUvd/wYpidnRHPVLcmzkEa40odaHv1yxCYwnYabAGuVrAgApSZvFbu5lyRnln+YpC5N6yw2btIk5krodS/kInjqjScRiRxRFeZYE8EOrdbmkDcrvk3Axk3ARDLXSa5SiIKPTJgpadrWLRjmoSY5N3lr7wnqvbAds/J7ul70lLLa6FEKthkpIapqPmXh0/gYUg6cYc4yirDLVGLjNlUdqDcT4e2Ri4YOxD/7IB9WlGCpTLhIZtGmnllg0qfuAh9oR6RtSTHHHCbwILJzTlAk44gQSUAnvBzNiUBveKZQotGdmWPXJ/XeFn3dDStRof73i29X5h/uQfK2cOqU0tPbv+bJ0nafQATlwVOxVmVZqCG8okvEMksSpYqnz7DN/r1YNSgQvvYyWTs06wle2A69XiXJayQ7/FEJP4TSE4S4Fi4uv+qwiVLwCpTKZcFF356RM7lPK1UMT8fEcC1QU1FOw8dnFGJv+BXGs82eqSAFse8MbktbaCzxbMRHmvCPdfs/sEgSqffiYj/tqFGFzBspt9CI8Z4l9JIjid+qqlD7wD4iVi0kyydRQOTlHyiYS0aTUQPCe5soOKKN8ZWFeHpvFsZCIWNdgpzYTcB2oFBLtzV37BMLOqISiAYa6GPjmNT9XsCQcI42YRBBorb5ZRXp5I1IpNsY4wGSvbVkLVGJiQbK83iIaq7HdtF4Yexu6JtxiFfPMwsPyytu3nTSUcNVJYstWZSIs3hO9PHkcEsxJGtApBTwPSooKW2YblGe2TGNuYoLQxfm/D9uBHfItiC9WZmeznbrq9flosNet+HMevLieGQp7CVKhvQViHeD7vKzrDtVdxRqxu8Xr6oYJxjxU2TSBdxbBMV5ZNsQ/pEYMkp6GmMIhisfkfItxTEHMg7oj+VUXdZlOuKTO6gAbBHynFmoQ/xdgLbf/N9M7Bw7NYq7OEuQL7BTbC93k5xls50vxDhYG9NbgxJehVmMS9yP9qk2FDGrHmgQ9ZeudH5Kqb+a6F6COOzjKr8fM3xgmWmfLUeBupo4XLekjdIpb3Oeri/3V0gyqesIfgh2Zlzyx+lvYeky4lnKnP01mmSUsUop3/bPD+1zA0rcyvlvMMuCPtfBMqYvUoYXd3RQ/LbIuxmFS0ImFSZRuIqWVKgMmxKsQ/UlsrR4j3PFndOlNxNKuBqZBAUun821sofI7i1gAUpqalVjo7D0spHoJaxoSVlizeGPxWAnhM65N32peHgpV4KS5hwf9NUegnNolHwxH4OQqQJbCMQVkpJL6kQHvCVVAOt2XAXXqt4wacaB+XMwVvGLoNtxMZUvEIABIIKNWQ7HCQyl836/BxmVRKifmaic8vhvo3dj4OIHbvw47loglqiagn0iVK1lzCgxKBGvdshIpAQ+0vT/gBd5tokzfqLMdoH8sCzQqnzPNBsgooBiP8Rx78pizaW5pb4jaUnqOXRysaiNwdRwcalZrRp/UujF3ZNeQfFomn9R7KaBYGKWa9MsQyqLnXsOhWzRiDOOLu8l57TFkKNrRaaPAZEUm7C7zZxRRo0uhrYFBa45HTFNtMHlX5eIwlBwD6w5HsDpeAi43gMQ4HNVJiPh2r4DICCk06gHHqCdcfb6bSnj6gnlglOGjlezaOfLCHwhPXcJLjQRV03RPZ6onY7oSwuBbopgSxaKjCULhA3bVXQC12mqYEayK5nUijmX1aXtPtK4COjdf99HQ3HogxZQFss+IKr0JOMX4KB8hYBrzKYuu+nqLuH290NJRNJGvGe2IyHdspoKUlEAVlYxt+tU+rzyoT023Fo8TlDNAbrugbtcJ41HaBL7PrXnLgxH9jI+Nk5+Bz8xACv7w1ZihoXQDfvBL0KMXYM0g+naJZFBZS/v6pUF7CJa/wrIl528Uxb2KllnhIFt414NXTLf4dCZwsblA5vM5jUAz4gnJ5TcQvj2uBBdQrz1tMb7SZfgTXtBOPNO228NZVrppn5CDvvuO3vgC2x+roo9cpXx70XhcK8fy1lEyZI/u3n79rR3xAP0ugAKilFmnR2tZaZVs5+te45qFslamUX49o2iEZSz7MErm5X6kQppoW6L1crnIsW5FA/2sasZa8hYMrhr2YRRstVGcivdYUSFtc2BslNN2RwDFWR4YSSiMQ1lUtcKLHA5zuTz3KzG4mUyJEH5EcCyObM7x9F4a4rwaREqRJLN7OK8F7QUfIKlr+mhJjyRwjuVDStxQ6Hy10Ud13I4jfNFqRUOx3Be5uVBAfAOWTfY6RXFVATXJ1QKXG3WgswfN0OZ2bQdKicfjQgX5p/57BZCWz5+deamGcmVwxSkVxI8iTdpCsMP7tNwalyloOgKW7senHNoFAW4EsxdIDhlrEbU9KAtJ+0Yx0z+VZKkUajd646XsmQKgsRFuw7eDtPAu6CPC8uP1IKviLfLBCI26f8hY4Fgq9hNZtp5Hns6YbGU9lDiwm+S9GPSb0Vv6GWjpZIYfg61XNNaW+LAm6jQ4e+WDi6q1ADmozSV2FCvAzb+E0q1P2t/IhfN93amMHtY+b8UyDnEYBeLhBI9mYWgWMDWk5jLTCRydi8SYxcJmnnnqfBNngVAt1tkLoUVcKp5sIY5LHEtXBJxks17I2earp7MDKetLWhZbpMKzfiZAJu5Sjxi5SgSFC+az3p8gJbSAyyAJSr4ZsN/gaDfXZIJ2aNsR2YDTSQMmtTKZHBxJbDd9z9WGo8zvOD5rKc5eL6mgs20o82i1GiER/4XzG/x+3GCsGIN8xkh1A2PfMMlgP7GKT97upbEzSe260Z/FYs9sGrjnkCDZc30RehkQZnWOt8kG5sogoRfHvVeO57ObkT3IUoJm/xSQsshUZtMQjCxdRB1ncF4mxzhJFqVBrDu5bntVXuDSCdykJIwZ1MppS6aHNNnywGc0WXgnKiFO67DzXs86/Ln0WuKVZiedKp0EbiuEQN9pfS1v/GPDffhWRYYwdKA6ombZvHus9aJycRUPNzudL1L9rw7urks9qeKCxJyxboI69Ug+VLH5x59KJsqsZ8bqqooyE9X6FjCAyv2ufDmjWuzqm17YhmxijMJYMzSBAhwcjmyexGsnMiOVkZiczcWtFJ2cW9NpBpEO2ukzhE5Ty3iKBp+C7HHlDNiEyzs2QF62g8iwpI1yzCFBO+FmWlL3d28SGIf11Qz3auVAhVVOvmZzGl2YgUoZNzFkUhm6IsImeIJIMgFQwA6Gd/TnpUinbKz4q291+DZeje7yGjtHzCGHRCL3TU0QNftB/Yb47o/hkmZC7mLXzJoZ8QOBfWBPo3nlo/owuNDJn4l+mQuVCk3Gic3mUqibG1dQ2sjU2HSePN1Y7tbE60OTjfGwLZYeZa6eFSrQnXIDf02+eoIm5ehUuqhtxxFnGgYNzDDoKaNQQ++c4yzdJ15wczY5S8TGSp1EvmESQcMlg+KeSfVe2iXMttl7uKFX+rs5TQt0aKs/zqq+fKujGrpofo0xMdjfi969TDOGvtDwAf3BluECij05bz/EBE9RmqxBLIrGoeggko498e1lmcurHdRTZPsXv1q+Aap2PIba53C7/fJRRM2h81Y2ySm1rNTm4rWxdZntF0C0swWs5OBr6txnvopeFmpXxLgKY6oR4ah4xlZ8xS+fB523sak5CyHWs5ybA2pk+xb+l5Ojoa1zC+V8zYuDJZ2rJ0vxAEqAVrJOngqbbkE/ifkuVKybONOegZ2U5Xn6awVhcahCXkbZspP4r9AsTYIoOK8rdaleAlbKT014Qi1NJE6J55kQQooutKBQpksWmzveABs0GQLVOsGoSY1NNRpvnG1m2AqJBhAG5Uwij0cCbGeBSQRMtsoi0DOUQ8+c8AY8cxMZdPnuBPHkEPqIf8esAJzNreArhAx6nsXXxHMzAtKbt9pLNBf5Kc81vCdyUgqrOtHYMGSvdsztW5HTgCCD0I3cDpzx00wwLwHCnKxssITYL18czCLvf1nPqVpkLQq49ZSqzwJ4PLcx1nJWk19QJXK57hmdQlJB0jwQsuzYTev6JzVI1v99MuQyPtASYs8nMIMXugmtrZTLk8rfoZ2xDhcEWnmMyeaCV+WbHqpjBbwEu6mWt2vF6/G5+Ftntif4WRlVJRMB7GTkZt4MBgFf4RgRjfEDN+wOvmqwOBzsiu4VGlPcCRltPJsyd/PutntUsYSYRCNdkNRqZlYUzuid9x+jJZ7cWHosNtpFEkrvY4yc6YbHoaV/310XCfpAuykThidqIJScnYpYg78Ob66FCw4ltDlw3p1XCB/icHkUCoxW1YjAsLcL963CGDll303dFB5KuJll8DinaRDtpja1qBqN6VsmiV8BODzLox0VidOujrKvTkKZy3Nja/GLjZ7gACxCu25lHKN8THRPA9/0n1J62FHJ3yfjJNkd/4uh2dgbFrpmqNHsFWWeKR0em7jJqOegVM6Y+JkfrzuI91/DrtODWJoRDdfFJhoYuolsdFyyrajPnlqK1lHE29WifQNvazzyIOZpYHRc36HmuiJy7YLJ3iw/w8q6RUeoHLordlirDjrxIhm5FFomC6gz5HturWeM2EMm/5XmGoYT7V3DOVLgwD0mDTyJDEXpoIfQRYiM3UFpbm0IrK2zid1xkll0fVvePWdYTglmaiJCz0JkyM8lJCq1UC5dFRkSUizMGfIjvdwy2VfC650PVuZOAylE7SPIQ8ZxCgYV/ayOFG5N6TBc/b74Pt0sDz5sPft6/LDsqTNeYt+6pza5dn4/2vTxo+GWiEkBZ+6RBg6X4+hLFMama5TGTAxangTsh93X8tYflb0HlvpLB1iyNuSYIQw67otZ4sOpbQ1S0FROad7NfFQBg2zb73QElWOm9HQR5GG1Mbxngjz0rPKpCq+km6Qj8FB8C1WbOBed1l59xfBFIbd1kgo8z5LO2xV11iWyNdoj6indNa0vnNFs8Caw3Q4OvRsOjoLPnGHw7/duAamHKoHgHqBMVdQdam4/VxatF879easEmkL31JjZ6oPshl9WjAuXDye8VuAswYJCLCjnKkd7Tvi1ac+++Uk2L+wV3T2hHqgIHowENgwHBuftWBE4spcyF66tNcJroRcYYKkxHOuQZe2JfKk5Vctc9TzyYNwBu8x53MB8nfQRE/MmwLlpjO0LFxvSWdI0FbhMh/B5mmSHirCk5NHL7+dd9bj2nQdA2o+qdDwAFLNcNBgL2KIR/u7Z0aCL9oRGLR5SmaVOjL3FXuBe0Pnkxz/mP7H2688zdGDoF5hda+knBrONdFEWUu4HBftlWZH7MTuG4EULaDuR1oc9d66bdhe7YIs/oFFGyMq5K133mqZSigvrwAczyjXCsD/+yc2lDKrCDA0f8XMbvt6QizIHZ6FCWi34tdrdpFE1FaX9aLohnoMpqo6J/dUqpmy+zOBF79sOslNwaCF+/rwhrG1PqenTI9pM1T0udw6c9yi3sKzPJe/mOMMriX4wxpKdZV9MhfpKW+g4S58C8iImXjlDkshZdPH36uyVysqwyw1awSkS4u4XjtRmtJ56EpgNONglvi0LVw6cgUreX1de5aQhBCFbZ/78BgtMa111Tfl3p8EZfVUfkNy7OX0BgL+EMPk1EnKLbHY18Vh4LvHNTOudT537K/zCytxzSuzB8se8VIm+Lk7OwqNFTdMb74CSI700Lwij1tPQAQpeuvX+okEhoG68r8R3Ukn8UhZ3CZG+2PzIri/3UCLl/8C4q50dFUe4fTFu9/0/eqDjqcy4uhsBaP1Cq0gaEpJzVnLiErRmZtu7Lxr2bNtudiVnEcNzAcrLrcK43V1eM1/nL8UglcIuoPDVQoKBtlF+zt5LTYjBCr3OM0rYbVGV0zOtB3XKtN98yqcl1JmYZ/pDm7aNNB0YT6ueeb7zEe+XL9LaxvLqmFismkKT2xHFHCUJwllKXAO/k+KRA0pownAG3P3tkD6FHHkq9cqrJOuO5laxxbLPLg3/QSJq6x+m/TZQ8sehAlpBps6E4IxSOC4iUMIJBucAcN3I2zVC7glkGSsV7iAsquiOV3KYp/1Qr8yUmrkSOBQG/X+3OvdXsVyK3fwh6VtAjptTrInTUm4T8SFLjJnxcp7Wd8tl+MZBehVmcrsF3zrZX6kqvCmffv30HtBmRXKvJU/+FcaEhTokAhvJwH+vgAsjg8pESMaIf0tlt2ZH0WmdxAx22sAXa8zdOpN/9zJ2fSBDeEu83dRXp0s0OYdOYFWf1iFzB+DccVay8wFv1Cb5jE+Hj9jvZo4oOooeitpp+Cq/07K93h7KonqM0OboNFk2l2ivaHYqutbpXZjfxj49afYrbC4xhCbNL6CbdpSx2/YpnU3udhomFZcKmSWqtFBTw35mJPgfAAaPelp5pioKt5SSRNKCO/S9BItCtxsG2F5TBGN98m893XtOY26gUrJtuyIffe5KL7wVzhtrvPliZ10JJs4uBnWgTAIfKnI1v7yLx/C37E+3waU6ZAW1A42hu0BsO6k96czlxjhGiF0lKMxuMCYn3Y6DfFONNyPl/WRg45nWTQBwZSn659z+DnLYpH6AZX0Gm2wH2wULQ9t1JNobLhpDeg+KkFDJQBd3m7IkuZ8MFLD0IZU8CJ0BsHVzZHGG8SuBdS5WuHMTl7COVqVhJPc7Zg+V+jik68WwprXn8AdguZER+nZiPkI3RD2AXNqFoHhFZ959ySZyUNlfjqFtkRp5KwEM/lYD67CYm1wp/5Uq3iIHb49RdtcSRG0yfuax68Rz97DMcBWcWWqQA1vx5ZZHSwCDyWowVRh5DgFi2HnmKVqgZ6h5N9yAxn+P2Tf4n+O8LSIjKvUssol7zG8L1HWcKsaYwsom5Mmw6eoFeSsU+2DoVpJBy1OC/8kuu6qX7wxUx3wWxtpQZBj5BoVVZdJJr93FXOKxis29nuVyR9n+X7Z6e+PPattginCrJtzMbcA2Qhbf284XLTUrGdAyZ5rNApN2FawxUndq/Fe+SXb9jmZLxNomv9b7WQA4XfBT8lNVEMkYxIyAfYmpq7FcZX8rUDXiz5TRo2O4hUQfHAnqd/hZO1Ys+7f+wOEclqI/sguKXVW/Ztnj+XZFHetzwWEM0OlHtCsDPlFv5F0UT1ujUHMQUwGHHNhUrWoOaboTCHsAHxiCg2DxaLMQqMc8q3lpwadWAF/+NfQX2+dTqvayim3xw22o1c6haefKhSL4e2Ngmhuk8J3PfWxDgWMGtXBZ7Ayhw4DELW31nXEPxQjiNUHDf8WJIfnhWTHXplggw/kWbWZeBFXHw99jBUL4UYkD3wGL0nqYJTGr0qObnlXjfOxjO6BQ+IIQAenfznb8ESUFq0JiHsk6R09QMf3TF1muk4oUT7nFrLsw6NH8yu3dsRd8rgJRHqyrruo9yO3N5D6HeDp4GdAGqKZwUwdRXTwusEu+tWbuDbi+31vQVd91cYSGnS75d5g5d/yPKRADIqpgllbCbUb/mANUDBzaR0NZGpk2k7Eejo5gOL/x3+1lwOIC7Hx8u5NQ9HJuMZIiYg2nTTdycvBBr5zyu44o4/YgcNdOiagggorR01hPPpS0AcAmQ95xMxcOYkQeht44b2C9gbIVhysxRw6Pt2B4aW1GJWoohYUq4GmIzfTxX2NlnIMUa0FrLfC4hQbyQMZDa7JFH14eQd0Ny6EFAqG9tgpZmpUqsiC05MLk18nNuQVtHM+86yltPRmTh+9XSV2HJQsKiusMEmicFmCW7/biacH2UtAHlMeCWO0/mjyQPF6KQ0M6y4LcizA3rtfCDuTAUPUJnxw9elj1k9PmJKtTp4CFXjjsIVe19gUWuevJLKzZWmlSNxEx+QEJAJu+8y+Gdyk8jXUPQiZb4ydLzpOLDcG+grReMDYOCNhm+YFHUrnOcSrk53SAgLWV/3agDgZLDD3v3XZYKQ5z2hqF3RFW/8DYWqzwy1uI6Pju+FYnQcvaezBRpx+ODE5lN8Hs569egQeYFH7lTAQHAZUT4fX+HJLv2BQ7iI8Vtx55t3D5cqJGuWGTAlXDJr+36jADdeYsIUhdKq9zXppyJR9E7TFAio7193LibIqO5dluKy5Ex0DViWN96CQh4hr7RnrSmaPAAr/3zfbOmeMurOMtTxoLFxuOiRNkoLHPfV2hZyEI0vh5Zw+Ivm6q64LqRGzrlaRrfbsaYz5e+cUr5CrHe1p02AithOjIrgRDEtFPbqLygr1vXQRRsUxeZubJLb/RlpOxtu0TB7KITogB28S1rPe3FrSVhY1ZC/ISv1ATg2s62qyhkS6ENBoVCLUc+PGISBr896BKAFJTTsxB3MDR0R9OSbJAppARCaKXwcccxrO5jCREZQBEW+em23JEHSW4RhMSkjgtMDYthbRDtk0r3JeK58z06Ag45zOD5Gk2yciHaZg/GPeW2fFblzhKC9B1c86R/BJAofu0cV9u8sdVStfVxcrvmtpMfpDRHrzwkMHvJl45r8CT+QrX1X3CUWaoca0wRnq4JVyfXaXS2UOPD8g/wz/0Iej9YLMYLE/AcjH/nyG/zfycRoNnepxyVVFcPUV7N38cqkN7LiWwZTTZLRfCOS/pn5bzIDSvJCILYcjqP+LIdFrz8bZBmXAuQ6UrseWF54TCgd0rsa8a6wY6bJ8XSo9A+PNd4Ec1zTVOS88y7V3JFYMf2ZlJQG+7EG50jRDlo5Z3xTCxtBUiF3SLkpQCcOK+yKrw06EmFYR/XOCTy5rLiMRUyBfLDDT1zrOpxQFfytS48froHaO1ftDHUAy3WgZZuUXKJznxavXrpZXNJhmeoNasYowNg4R2kXHnTkMa0GxtYPktIpd16fuVWvjHBR2C1YPRZNVF/MOYIWIZEVD4Y/gDXIJfIAMq1PFO1xBAv0x1AFSAg0PzUqfMnxWfUFeQrSw4FanSYPzE5gx61fZH/PJRLUZ25iERn8F7c4vrkhZTL6lWVcW0A6/aYvx0VKQ3R5BY/oWs0jYWZ9JtgxZu6jYeIFmVuvOzTDM7ImbHfj5QlC27yzlngcUdQeo4t7Hkd5ChoWFbAOwe9NATfBMRdwNHtLpcQX7hJd4YLFRc0GNlyNHk7iDodaAgxaKs+zoO8+h3j2DYgUbCeKzJQU2w/nSg+oWtcZwEYecHjjahCbk4Ipp5OdNUBqG2mMIzRNJOAKKqu1vPIT6/98D91Wkrwx6ugh48obbmqptk+0ZXLlQNiijOfn/iYqmZcXm986xZmVkxtgwjUrfgm8ABGiCocjyZwXkioWMvPcuA2nF0mzYYJvuPTPkMvhsFbWwAgpeDT6RB9sP5jmv+mAj1Ti7ut3FDXWJiIRRJo9E+Rz0c7dSBSkck+cThlW4XDUT63QSBsSn6PNt9Bou3A+N5Oomw4KPjB6WMyjsBFmYBiIayug1x/OSIWJW+zjgb2mbJxMzT0Kj2n4vIRZOsWh4oBLENTTmlZagfs1Zdv2nI+tZqp9loGLpZIL/8dAZHznvCM0Xe792H2Evd5Yq8ipyiIMSxWpTkwPc2gvVBXGu9BalXs7LSP6x1jUCfA0CFjardiKwl5P5Mw5Z9sXQF6DTgOKH0SqhUfhgcC75jUMhiLgDNXwVSIUEYnQG+PAcNb4S82sRUlb8XzS+eEelvPQO3cK0aTpTwiKlpj66DwFjH0vn4C0GU5QXmcKcPto6JyzWHsvYdb9+R/9R5LXn4mjlm2Lu4f0jqLXX4NIyIemwJBVlNpoLTDErgi1vFvQoGxsusNPw+XeK//NelMlQNb0zS9OzcwlMbdqK3lUY8Y7kfXYBgGyme91jI4KVdIzyGZ25evTV8/WTdmAjTjPcbiXGvrY/27/aETlqbx87knpXZqhY58UbnDXrNdaR9HBCsZtnMhPqgMiFIOToPphfBBI+XMosiA62cUOERTF9G2nmtXdm5rTAD6O22MpzE2pDL+NVlJGwcJ6II7RsmSBudGOsXITFpKacKKU2iWUpSCje56cQGgy1cndUEXQVz2mEq8HJz0G2g56NlAVvZtrN2v6V5Dr4sFgl5qoYbatssmY/TvJfj2eMxBMFqxYICoVlFH5nlXgNV/s6kIdByYEOkGTxXQ7/5Xu7e6yOMZ+kZ2Y+DxTUO5zbu1uWnYIifKLv0DgnA3e1y1TxQC2+z60hC7g3d57hotci6fBFQL6YHkWCtUMxnp/GZpJgsuaRqSMu9rEBdNrWMDkxjc34Aq/4kLRkOR5Gu4tu7TLXiwqRvEOm5Zjbs8S94JTFeT3orNhj9GtP0WgQ52z4VOGF8hI6Rry+UHHnrcwrDn1yh7oATkV4uSgmjYpAnE++8yVCG9C/UJunwvF2ky38Fni+D8ZHxDFKAdxJhSG4ZiJWNKdgLO9Dc5Zy6U5aVJ09MADoF8szKcxSv9GELGxg1b6BAo6+ywpfR1mrkuMD1VHiGtKxAjYRQsd8s8TCHdJsaSSHCVY+VqZmdY0TL+t2P8Az+ZL6+EdlNbqO05rTo+EbiaoyF93DJfSvNSfE/v/BIC8qI9NFjvjzhH9DiUXRn7lworRye+LWpXfRfNdqKidKMGFBRIebTuqKGQ5ERQFwHjr7ZlKnx+JcCjPwEvzhQ4ACh0WhYE2qkLvmMlTMuzvb97v3T7OjCcqqtj6oH4B9260QFEtKGrC8/2eM4R3Uf5XqI7HcvFn/hWJjQMOnQ41g/LPeGgPodZrO8lMwZY86aWMiEyAgERtDbpmgq/aq5Q+3ycrLZaUB3ME85Fv0S4Paelx10ZTQPn8zdE2d95bArJs/B+L4j8LirgQeUfrlM7XwZQ4a6VWu6qkPjAJ4T5FQwtuB4huNXvD8xVcXv/6Bbxmli9ihA3yHLfqhK6c7fznaTVmBh50TeZBVUtrf5CYmp7mvwZBBJAknxZArrcqZkYCsqqgpPWao1fOqbAKp2OpkxKnCvnI1LXda8LIBwyR0AWaA+tx//KAfESARSrwUX/8oDo1QgkSw5YmaojTuRzwwcs7DS/5yXQc6yl4zpaufdepfT902dY8UUzCj6V+olN4hu6RnvyKwjJg1FE4rUu0zVovcN7yXEezi1MDgnQ1HvQGi7/ZzQHXyK0KC98DYuZseCmcEhcytDzV9NorVAEjd/EgiZ4Qbn0miKmPFWY2mFAqFkH30L0Px/rnjtCnenbnmjC3QK14MoPybPMHjct+RHSadE5d7dKUh0TXzUnRLrERYHelWbn/97BUlnK1YzU30TfvZ27GZxzztP5zV0j8YahIw04BJPhkYdW7+q3cuiEp7+oONsazm0ebsuVtrSieb77QZ9WmynqXhxBcI8Rh+V5djibBscLEjIriIa2tsBKLuhqHlGmXL7p3Gf/VViJstaHNXt8ybdvyAZsYVymzfJ4uCnZd/VgG1NXXMvdY9b0c1+r/9Fr9pwnK2V8j9Tk+d66Z9+DC2LOUaaFgnwwz1nfX76jRXd9klhlkWtR+Ui7YtrOLSyjNKGsCZNTfjmb39sfAe6wuDDeWkRdSbH3EH2+usE5JbXJmItY4MXADv/8gMDyQgBaKfpqiM9zvR4DTpl5tIkE1Uq0JM5SWfPGGwJw1N6JsNylZRsxaVvtHSE5whrrh5EV7Si4nCgAppR+KoBQajJ4L5HoJydAtTWnpO3Q/Dc7hqMAeoIlMT1eg97P4Z35OZ63fFLt9QyW8o62azroPz7EQOHh8blzgqkIRy7jYgNxh1D7eZXC//TRRC/wW01AeviSbiY0yp7kOqdEu1lUNmjAZ6SpeDIeAB2/jCqiokmraP9BZvUKXgucFeQkrUhDufzX/wlzZXAO2AvgVSoGXxB5T4zkxW4UIIOy0iycrCyKyTF4C28LP/cbcy2kyczBqF5ICX2NEB7fGgA5+LenT1C3BoSqOobkync2rXNjpAeAe1mf34EoLdnljM/yUlZPm30/CEUXJCie1qioERAzSgdpjlVJjpBN5RBwdeQA5PWOl/WCdDymg5JFGpTshRDm1la8ziCW4YxMIYpYVujfJqyW7KZ/LFwGeVix96HDJu3H7EaFsTUCJH4zEPNDxMRTBoleXr5BzXFwRCuaiO63VV+aJ0CUVzj6LialcBfsJTqeen+2vQ4eDo9/YIQGli4x+kJy5Nqky39rB4f5W/vNmYeK8zMx7Nb0WlFUO+QppZS96i7yKV0HexkgHs6Xnt5pQfBmgFCQarRET8BCB4DlAO6PuakXDmzoMxM58E+6rhnLGRzsEPKU+6Fq1mdcYXVBYP5UgrIK18y7qYXlnjy7VkkkJcqeanIIAtrGiEBkZN2t4WKjknEazowCVNYWB7YAlAOe4hNHKNUGPaXNkPFUroHj9Y2ColFv2FzqHTU/dRTAEtotRAYT00lEiqnp5ZFTd+AI8QBqS83nX+yFFycibDhdG5vEj1kX3mIKJesbXpLoomHAOh1Rt7OtV3Mg7tNFaOLAsVNvb6QNOXUw9EyrEDvBtUrgagIq5I35uqKMl+LmBhxATzE+aQC+zaKUcls4OPbipAUVEk6UORLDD6tbWMmse0YDa81XsnA68BpGVHZQJffPkh4vomuzuVThfOnjzYJARivSmcVTLtQ6/apZkJJAQ7LNLYQrRudSAWqytl5V4jyltlhTV86S4/i1MUTzQzNHPvCl0Rq1YXyXVmLzyv3P7qEUWjePREhDGZdhP3M3/+Z8+XnfizkMjfSce3htoVDNDjlbzsTdRxvq4FpMlGdUE11DdwQGW7a1pUZ3KV+FrQFRIOLsBoxKDawLuvTqL2m3CoAwvB2mCBWVPGnnFtk6zRH7+OGb0rrK8wVeIR4raOFYdObHbWeh4u8bVAQW5g93CQ28PUSYmHFiCr6ABLf1PCE25cs2d7fWB4GiiA4E2De4kROzC3cvYgbNpHqvB+h93Jpt/+oWpTbB1vA8AKtfW5bw1Hbly/Ri0QLP+vcGhDXQTRliWd/KbxrhgIdm3gdD4KAkD1oXWcDi0kUg/fbokTjE/PLa18leRofQzkK94MY5H2XAG9JS+ZLOpVMJLYlSqGW/SKOfr0WVusOABd2JR62MCI8yNEVpNj2VC3FQvz0yKizyYbJ2lp+gpwKSIQp+4gkdQS8fhwuFtl6A4USSSUETYDpJieJ2S5x4PBbyW/g0gVZpBGNKkmIO2hGNiHG8LINU5T5VTT4Sb2ntUYeOmWcNaMKoj8NpMcYTrxHAfsFua2D4uuNj9vNcqOmg2pslF/OHfgZxTGtWRmeDv8jcZL08WdkOPcaHlCE9yF0qLuSsMvITSLJxBTKW5BsSPfT9wgEJOW45JvHAxyOrRepOvUBgoKT3nS4DyJa0v+SgNyKtfpzAKw37irfDWdYPF6ZXb9XglSJlZKRkVrR+thvdHPyJi1YL8eFtBfvsBRpLpwcmmMdtKTOZ5Ex/dOKcMecoZG5ua7lZ18GRI5bSbacPQZ2LwT0ChIdw3s4ixhSQ+Oa4rAKcEE+s6MLBLcV+XSoBN0NPgConN83/13y/aApMjVb9k0R0payTWcfFxesZozEeCFVAwBJhpaCqRNhDpJQ8i0TNBq7+5n0yKUvG2wFBoQNQF+VkRFvlWfnUjmTCB9/6peqk+5eEc4cno4NOBW6DkgTyteXwoA1j1nGm1uOhV0F0h1xzh1E+RJbgoeVQnGUkgt/QTLlit5PXe7CekP0sh+HKYjxJxTELleTrMTRX2li55hBV16r/JjqCbd+PQirYz8RDhKZnqx7WkSEv3d82+A88L4HZ25zyKDcsLAyqPSvPHKbi/ASb5nQZYyWllJbBsDCmDrKynPeP6mEgHtqAKweI/NnuCqY8C0tIc3g00nNyc4kZy+v44rDs6gN8dPEnMgsFaaA6x5nIhcJlhPPGUPnHSz0gWbvkYeTGZTPop3JvOO4lIhVoK6C46b+/+eLTRxwbMuprdJhGUCr8ybICuqmhJfVkb0pCIAtQz4+rpfOkrU0RWv4TtCwmcmr9VUwaLK0H9TsKUKMVQ08QYM66NGYlsD9U637Ea570U94PTLjjwAj5pxFYcENgsJdo/RjOG1DiDgknPKqb4Ygxv0R3zLxbffRy/1Up7xH6n2kyxbtJsYrxYxq0gfAAJyjbz7Nt8URTULo+CjNMJpoEnT9e8XZ9tca4uccPVfLcUgYivJhbXfAhSsDJ13uMiK478JcUrEbd1zkPwUza+DMKQzVaQ7TvmrDvYepKaJ9GXk8AM1qBMN+mwNjONlzAUORAXnq7+m/M3AFXi4arn3CIfN6YwSzJV5Qppe0dQtEqc5JHewYqbyPM/wkqg6ynlOz24oTcIDyBMLwahShaDzfYHDONtuSNd7ENPDldiWxfRwwW1+Kk0ElX8a9uGvRz18gClY9UrsQRaaLysXckcRV3gSnKzcTf5Id32jOblPtra0b9dTCzP46Zx6cCwoj0zvHc0wAlTfo4i+EOYi1nFYkUmgyLa+tDQ5drSjVc7IjoSe8B1uRxVpubVxrVzAUq/0kOTMmaIwPwTUH0QqHSCc60t7SYa8RbQ34A4rBXoUh+WjiWuGPO2VUhl3YREtqx4u0+zDI+z2H4immn54H3+RxTAeSWOHWSSRlMgef6oXRBJfowUEDn1PK7n3efmSf4T1JVRhW8Vo0/Dcd7ZECX/yBj3jlj/WccY9X9zmzinZqyo+t2mUg+7jvqR38wEx/NaRC789AD/NjH7CmkGHkcOagZHu20LTXW+loqfceLJeeX4WyvPjrorFo6mp7Y3cI7P2xX9WUPXFrIDyF3j7j2xs/lJdWPnBhpyJwIiR4N8oOqecWVYpOneB2SSogsIbS84azlHQ7BzBfwEqXnDnH0JUMmRPMTyraFf7qObcPkSBPML5LFZtUX83WYHl6wVRo6WTxR530CFgpJVadOW95R9aHadP4/CiPZS8/wdgYqMkk3jza+ns+Gr75qOu6RtPODT9+aNB+DRiqQD9NiYt0slcLUUAdQVC8sjid110cTdUOrksZMJC7wLSoFPWkLw3X0z7wX2FFnfr9LJNUdh/UXhAzpXXqdzCPAYoBmV1EmotSiyhQaWyelnHvJNvr2X/ca0+kG6FYUBdrY4BPUPdhdKd/l9DMHosMir0b4pNX/c+yJ6hHeIEk/k4z9AZJBj1MEbc3OqHFXpuWYC8GvqVzG4oqmsUXRfD+5ER8pWd5xlgsJT2RJQL1ohZLceL7hyd6JFdZA/Ou8o8Plzzkc1nlHlyudLJvp8qQ5AN0D+nyIbfB/CDGKKxDDOpSzL6uF64/lOdTJVMIUYJJLVFj7Zpt7qKMAQH1FUcdEZqkemebIPG+RhbePlF47kBodSf44QmOUgHXVJJw1Vw4RmpwUsH3I7rOW1MP/NJAG69v06kRdIbvz/LKnCPe8IW9/OegXyL/7hqAzXKGDq+9Vev7MwGQkI0MHsy0dKtrp3wbZmpCKPJ/Y35tQKj5VG2P8n/G3pd9QNSKwtO6RDkrVtnUv90DumExJ3CpJnlEgxAyseZsxV1gGpj22SrIwwCUWI1tBaL2TsVHY27itY+WtcK3DQcj2cClnsOi13CFdQmos4tO1GMktIyRh33JKxS+Sx+R/6BsfVjFw==,iv:8vuvI3LSMJzLIqS50AQ0gWW+PtF5Y5nw3Kjr/A+t+Qw=,tag:uWa73A6d+xRuopK/yjQVVQ==,type:str]",
+						"data_json": "ENC[AES256_GCM,data:0USYsJ08vmkKpm4lz8L6IMUAaRDlr2bKnskLWtjHDdmag2JlwZYTTtKsnE4EBlFHtFKVT7RwqCjeA1CFXaB2hTJ2APHjTL9o5vFARP3nSh5qQIWhaWIKDAhNqt1Gpp1j7JotYRXUlVjj+u4Xl5z+Mg0jcDqoXnYO0v5hBFW9ySIu60TCJ2UGsxB47ASqJr2ERUpxxmUaFgs3UQt3f6GFOiVABwyaZyubDztFu2Ehs3nZ0LGhML8iCKlYOOEg3TjQpWaYWYvVm+z34nMoBi4saGFwdqQx1eOl5SqZ9vu9+/cuMwuiDYOFISKhROYsKFb6nD4zealaFW66dyGKUkJPyqVuFUUZytlwLfUkQTxSlDl5xo+DB8j5NHUfui7JHtVI3AHcapNbCfwV2e+GKH95Q2UTXpJrwdVOzEDWUuauSvBWdau3wQs8GNyMMoHXpvRtnIxW+Lo8Vr6NG5yuMPPv6nZlx8EBVfSPXjOaaIPpUDxUKflPnq6TaplaajPJpRCmhKdVa1lg3zBMZAG8Qx1vlxYa/mXaJwG8al+QVcS2JimARligiSp+WkKChtLYF2S2Sbs1qNiZo/LNjzI/+GbxyNd+szLVH9NmQIu+apOEYb+LHu7Z8mEXDZgKRRCCyWeb8DqYi0ky5FyN8CQfzfjTCqC1XEGCcrNJAg/4ESUe1as19nwujRWDaxGY176tfRukB1F/Hh7j9yDLhePybtGubPqXVbIjIV5dnexE4wZN81UFBH1vq9s4MmBTVoZb3mHXeYlGFtE7+TE77gt2weZVizv3DrUksJEBOgP8BTDj7H59oZCP0T4B5sR68M4bZDEUETlUogDW9fxcVr48djy5swT5czREi1lJciw+yDCoXVBjMrcZYdjgp29NN05SzpQs6hB3onkob4VtcQQ0CAWJ0RNTen1CnEXQlSm0WDprlFd9CmzRtHS9dAXjSL0Yw1J55bVlH/MpFvglrDGcA+fkJ6gzRvEMXR+8gL+ajYLdltJlY7Z2Joy+wYIn3SPFoZV9GqiINGI7LObfY0XIgIJ9XMM+sO0mPyI/PnTSffCSlha5QF1NcOnhZYHeTp08vaqmPzhJabfx8c1To0ROefvFTIbiJsl5E+vchltXeZ8oNxLOr3IZnoc3k0QMMcJxpVvIMDoUFpRrWJhNda0y4k6pcfN8NmeqyfxjY2Z+cdO9DawM0c7f3sneQgq+wgu7H9I3HA0sx2bOLEHmB3Iltrf98Sn7xfh4byj5E+AFpGX8ixfLvplWZi/wjMjFzVyGsg1hgL0EkVtTiAD6x91JBSMH2VuMJ/e8cUxFm0w1Peddpkac+fZT0IgSY08JDSiATthUzHAn4rZhKlvfmH6QyTQqNU10hQUg9sOiDaqa38SM4A/ukyaOy/TnYt9wJ8gNzzfbWMkoa1XX7BOenRKwu9XlSEMrfZAWi/S1m3fdNiZWsyKGBQJs+b74K6wVu/3aNxUeLGdHlU1kbRQV8AlAb1jzDLoLL44oxL+PYR6kd+tVurwhnrtFnctPK7xxmNfi+Xq2DheIu0g07bhPfXQPdLf1f0i+zBg5Oq3+0E9KPI+KWokeVdVFRSUpWCpyy3HDb19FO0h+OyuYd7hIp6Xg2JxOW+QlYufVfqD/DPMPchbit4aCs4zrkpk7aL6BT+rvIJtW6vJ0DCmkHiPeT9rYkbHbYiu5O9ZDI1kaUtVgz3twSYJpf6m47N6OLPJV7GYxFCa5BX/xhRhLpNINqLBGA8vpFM+joGknSK5GRPORFFm04JDAwqRJbIQsl9+SHEOrnQHC0qjDovn7wifj+XYxvmtkPo/3TkNzha0vXkqwPgB6P43qD5UDPxrhpHqp89j1DUkmu44s1ZkCxijP/MJzzngSQX9Tc2xkveGREwnECbelDGc6G84NmU8BQ6sk2RSxZnEVUD8T3cjKbFYftbcT9f72E6Rp3Vy4GvD7WIgtCUiiPEnMfz9Tem0yS7ccZn0R0QZKU2nkzLJGrnKpvKZol3ST4jU7PgrNnXeFhVrntQutRFxKtgX12KR5g8WS9aElXtu3GF1hB5wzh3HEc2f+2GYbnBrEQ50nZfRaFfSVZus8l56V7N5HpPE7W7beIU+LhHVYiwv1qStK49hgs9vXeVmtT5KJqFrbuW2YqgETg3oAV7NIJM9CIeDAneBxvFnBPzNb52nxHd5OTi4hbQ5TgvLUJYAHKhFhM9rxDSerU/r2c1jCy4VtWqF2+1Zf4wNDskc0bLlJb31nMtOY1VVRI7wL8mHgYigxkgZJxJuIpQRT4u0UUTg91MFTJVUkNp9SxZBR+djpa7LB0Clc8/X18gMOX5pxMmhFqiCiyyRuBupiT9ks/ZldU6BrqFGKZ4ua7pi7TKTR6/9bt7Pw55w+8AqvWm8VeUlXD2YwyHQeXcGPS00DYT/UyDCk6rk3WYVeOKAVZPghKANnmhX780ad3Bql6Ik/IQ0HoSLb/dtU5rLD0QnMbwELm5cunUe1MQNHbcmFzSEIo05L9bJgh0qIdt83mQXpnXexD1TFte1cREr/VaYdxnqacDTlCA81deRurCYh7FFBPi5Wz+5MhHILVaIGqsuOMZOCJoWqvi9Q2TfHov/WRYrBkXFFc2kGsJfLWsmZUI4i6v3cNaXK5PnT7yY9MvS6Q0IpCqbrcZ0Z2/G9AjmiCQZhlHmzEm0Y9wz4cM/wsfe1rYoZq2bdK30/UZ4DdLmWdmxHNvoBed+fWgWhR5S4ezt5VgWrLxb+uQIIROjJa5htW6M2MTAd2txDCfnIBDsEQLU1LW4asmm/gCL8/Prx8GQb19UUzIf2mEDpyUeZdACKeFio1gcEfy5xIz5ei/H8sturZS6MIQ9k2lVBOywVWQLp8B4H2UH6IqF0GQedQKQYOqgT+tqW+5DaBw7zmL6iytiR6i9RbZW6KkbiKWoXglwOG/TVIkaxye5SdcZIOgWAOgIgjYwq3FWQgT2tYNFxe/lrZ2WjFNkOFCwpvSkCKaTc/N6jHjuzMq2v6jBJ/QwLsocsDL8GsZnIr9CFdx/LSPPm+hb0npFtwO/qsVRsci7LHli8tT7dz/o0chrkKgAKCKwyjFYgJJjpjx/ovm3tx3FmcmOFc44c4gNjCHPvFky7dOAmeQxHsditTwXctSpMixJPJbJFfxALJYejqo0Pt4KHB2IV7mkgduW/PTfdoGuqXlRAdkt+QA1sJnuSHEIE17BjrEEda6cGiTrSgE9LJnrcEsse6y8CA0ox1hHf3RLkCoZMYNCaRj0Rm5yz4c6Yr5GBMefmqmPdY07ZMXUBX4DDty/NhH9uibqRpBMSHRCdX/cJraut6e5ITf5rovryy/XN/F7RDrTLUh0WJ4bkxtb+VCbbm4x5dQ6neugoUPB3aV/ntl+Vg3nmMuAoUvRH676aGFJvujhmJBeLrA8GtEWMHsa25mUccZqbzPRMmUyubq0vzsOAkqi0U+NvWyRpV+5fq/oddDJmE1nbLeT8SIs202HlaUzwPnakORfmxZttT4Px2Hf7RnQoH7l7npKujKo08tOV37sjoAdDHuyZ6UlcAEGboxwLbrbeoQsnmFZ6J/OnQB5C3OCe4rSch3vYLHitHRA9QlZfZ2eeTh29yB/HxyErO0MALaqI4Gyb6ugRFHFOxSa7+NSkWhQVFxZ1wowfiUK91dSnOKmElxiqhRY5eb1QZITNU1GpA78pyBFWr1OoHDvDB7hNREeOmASkGuzAV4F0rQ9u5sN7N1hYkRjDk7YPziPUmiMezTtX1MP2lu56EqJz9+FrBPdDLFCrukjRGkwqjuEoOATLC6SYHYmiEW69S33MFpK/lC84WI1cOhvKAfPja+EkFSTRtdgrnRawzvJUdklQspfBO0yLVSKv++gbc35bhtfbq6QDcnLZQmTcdB/F7gQMTxpgXhl+nqDg/whSmTOpMguiTCEHmUkiNxr6mwDcH2UQOTCWAqzp/0hcp03b6k/eppll7utboFvR0a4ZmhjDz/rc4/VNBsNnDKBsN3xcIcQ06LLhXKyncZghA5r2+hlfIqCf4SlV55lREUA7j5eeZnWBhSF8cjIUc8FtEuoB9e4HSSa1PUEmTIEbgB/Sx0ug371+qM3TVijHMkZVmJXCHKVJVxZ+epQg1ooyGyz+x5Kn0x3Srr788o8+0+vg9Q6f/3G5y6eojPXqK3ErSwC4DKSXWD5gZFDw+qYrbkNwpy2t/pVUY2ZbaMPvGOve/8bj0yP3v5saDxEx9mk+y/z9fGdb5etqdTC42uYCW8BeKC6wckDIgE678cai/+lKC4nYCI/SEeiNYkcDKtBGaJ9DutQ3JJzYEAQyEYKPb2ZwkUqJ7Himl5e2Pb9sSJn5kz9ojCSNmO0I2xMAx1Xl9PBJPdAQyLGb0L3MvbZUrTIa/W6mHwDNBm/Z5yGDWsr+ft/TxvB15hiWD9nqfevKMoTMVxcpzJxsCjB10NRLS5lQdsATXgbhaWANfZb2Tx1RP7x3BOFKkgSgyyK73+b59IYhh9TGVWJv9lRsjuDpNcfcvj90ZLil2exWmNi+cbm4kw9ZdPw08HawlWq2WPekNgVSkQs7jAH5KR3Aeg4wnJFF5aD57EBzhyp3Suf6cqTYK9lQugAlYKjYCnbIUNCsFxm/BwrouD8AnMX6PWdDlb64HGRQpuUXX+FAHR3xTqLhS5+ayXmH9v1ClS15oinOjSoSKDvg9wffrvljAeIPSvJC4IrRzHodQ8Rom3mwlwZDMNXhEjgcGK9XpYxBisxU4F8RVQokFqQ2DpnEbwZhbWdNFHQszNykUX+oDHZIlL/dq3w00ZruiZ0g3Fl2MhIhsMfS/5cV6YR9KGBSWwyvl9Ct4EswVCx0/kz1uTi6JojQ66iHqSHast4QMwK7bB0/tvm0uEzH57uVHYk+4doWlimybQ0zT8T9pcZ0veWzllt5AiUeuCe4OuMEyM6B9RdRe9+Fp3OqqSNeeMm56VF4wJiHUIGdTQ4B2BAYASr+0x0rYIbLlzwGdDO7OVv8ykO0k8JtRycR5KVVTmUhXvo4h93IXrPBQvd3dlKDFEuskdRP1srtaylWLbVdMACc7ZdXFogiPUV4nlvpA40HI7lyT5qOc31a1thC5tzOvr3m2DSYgSpaI6w+oxSbI9ky+KPjUbqcGGs3wAjTDjp9As170iL2Uu4itBSL8bOhl7kIZfnVSP6elxlBGiPDXOt5G9diuO/jOqIL79h4sOeq/0vK/Stlb8iUtejsB3rGTUZ5fGmACeTHCpShrzeJBZhDE1RSjxNF3Kf36xSZ3VGylM2fnYJTMMSUqvS/mkAB1EX8Oac2f/vKExWn0LBPfwhKVcDQdDG1riuPeZS8hxjvcZhqibPcPoG8TrEm7/PoAoG81++R9nnceXMi8evXzcqKO3PlAeNHtjt+YEyg+3OX0aVaXF5ohe0GR+oQG+ZkcptRvRYyLYVW+/4m6FY8AdoyPCiQd+NK0xlrQQLVyINzs10etOpRJ+sZjI+vWQDmLxn6UjGfyVavMdkQP7Hf7Jc39pHLmAFMZ14OpfinIf+WuBW7+aOsj8ds973IfgxncluUxjnXSonuSHcD3DmghV3reYNrrfxbBUFDrFjHBOeHjlqh/8pfMIWW4/kM8ZcflM+rZ/ZX/1YjnzLvL0Zt2hglIte9/y1NNjo+AQU4i60iN+ebgNM41mT85MHXKBsBu0t6mEMSEwnoxhPN4mHeImk9zRp65UILU3tB+CNuKTlng6Y4DFsYnnb0xqtkceVMsJfWmH2YkUltKNzqa7o2eM/qdgzo7ARFGHJWMXk7ZZAvMAZIvcnYDImAwyEWlZ0kCSQl5XukHdPvoL0yCQWxpNK9jHJel2f48/WAou6EppUks2HyUZmY/LmDoj5EZadX3FqXMV2rHMxpkrpYwnU5jFc6FIFgEAOjF5i54QU5jMus9OL7/KRmEaTFfx92j1D5tXmA75zRrjkP1DzZCsJsjbmaZ7fQmRHTqrD1c8um5J5Q6EOCzymc86kJurjz+b7WcpUJSF1Vxqvu1+QX6pNUHf/gqHyOu1Y2pfBMDfrHIw+3j+95l7316LRnOqw0BOs/H9s6QXu8P9RnBvMCbwGUhU0PR/VleHbfg0Th8KdzRbwTxJHa5Jtiilm2lJB2nMzx66UrMfPrm7jWU9kzAI1mebVrBvG9a/Sxx20Z+fwah77ql7M+9vg6daGhrVP0Gj50weeKfaikThO6Y+aDp7JZwxuQM4vdqHrwncf5L4eiBXL5EHNJuoObPnclkKzj9aTKnnitSfZGDgJC8FROZTq2F8C13gkxAi3/shjIH8O0XNiA4pFhMja+R7iCeswmExul4lP0aLI5r/pG0fELW3WW4QcIptdvB0nMq3bi8CgVz1l+9iUTgH0XVo7F23egDtZ8zZleBFg+pnFHdvyhWPN9M0eJumHMryeyWR5M7rDslIvtsODdHt5FGqjfD/FkZRlxQwRhdM5KM4xm3gNuqydYWBKX+idT/aw/K+/umYH7ar5q5LILxBnN2ttHEIW76ZYEAdtweKwYWZW8YLqtyKlPFG3Ip0du7T8OxSNFh5P8Beo8mLMKHjQ2HHS81rVmNtH4Chnj95mE6x22uT6CRG6W1JzDOO4Wwy3suIOIrw8NeJCR4ArinZkB2FI9Ofjgv0Ec3H5vWZrnWmGNH8px8Ls3DrzfPwa84ezYhxaWakxV9npgZ/E+Yng6yRwc5LCJOG6CRcq9hWZ/2N/+ZTfScVfyjwrhNQfkLPr/zRAUL6b0l6E9kw8ywHmRsgm1w6q2kcdSglnw/hN02YN1VBLIyZSHrICBURoJ/SFJQqN2YB+V5/O9Rebd5KELr00G5YAUdpR1wlevXf1ZImpDgQ5TbeeJwS7vruUB9/XAuOzpMAjCXQs3iE7WKRso6wEeYz//Y1KUWnQDdtjWWR0nStRTkCV8fl82bBe2JLsaajqisO/4vCFhh0kc8eDPDG1yN6H+AAMqnYvoJORm012yMf/y/wTUqBtFtptZ2su4OQWvlxKMAasnbesEYLw1ltXE1hv8x1Yxpw7dQ/6PI3YBwxP6KL0sh3QDsNbBHTg1BEL5PNwWPpJWkNE6IMZ0mby34YaOL5CAHe7RmFoQmW7GlnsKkMNLhY5h4CzQlaVKMUMbxSumqjcmlLOU2kUulAR3QsmW+2QSf7RK1DpHYjvyIlqggReSiUHbMHv2d+nw7dMS1p+YMh01scenAgjIDlxzQUkCJphGZUun5MdUC3gpc1H0mCYTjshFF5gR3fVWY97I4NYU+Gy9SC3Rsx6eqex1bxXpOgfH8ke7IPiMVUAecRcPE/LpvrZPgrITBDUpqQJPJioTSyqwsyG2oWKtvF24HyvTWfr3DR3yohr2Xay1WNyiC9h9b8Gmj5+nTBgnJV8JZI924juXIHYyNd7cR5+Ec6Qz23NWqNqCXhppqRI7s7FjGaDJjiO/OLDGCbiE0Sno4UGo6aizshUiksPYXRPPrxExJ1svzAr/YQP9QYwg+dwKbiFTTXuNf0upEOr/FRgRa1hC1klkUDysfiZYyWRGf43nERZigmFR+KwrBJUVnMZH6L2VOIgQZIdUIqOR2oSzL7XgpUNYDjIJzzkT3Qr7M3dRnQ2hvrc1nEIxCXLcUt2mj05fcMLC277YYfjBWOBaHdrIbwbKKdbQT4MZDku5qyuxQ+XG5eW4JApHJ1uRkBFYjX9Pfw0xXcsbTuBcLIoSDsp65qr2NVQKfsmDTAmPgzcnx3YAyCLn8+em5nZzYRScG4ONqo2lCAxO3UongShWO1GnPixbIcK7XuhQt/rF3sbNbeSALeKSolK34k6eQcjLgoQhCaKVEFOAYrf+kL8M1HFBwDJLgghrreAmwCXBR/fudEvKNO0gS+F3AtyLUQaYwkvbcQmOpTz04oMyV/a9hxH3hyJxUouBMWX9CIiFfZvlvhow9x/HfuwnT3RS8FrUFcYpzJcUdsfXscjQ/NPeGUINFP7RntwHOnzT8SQzDtTkz7PDQaI+Y7WpF+wshnsmHu5QV0Kc6cAFafTXeGe7DGfNkYaoP0pkRg+K+x2U/mnQu/pTE95dNE41AENgZe4rdm/Ax5Fmq0lv9A4mSoxvjmf/G+TG9/KPRwdXvyYN+fcCNt291fzLhGkspMi1TaWNzJpOwQKneBbXu368JcUS6Ja78dUjUOF5D+lsevXxVtK79VbOhd2Ce+xh005z6wWE2Xv3ZvaU/TzL7H9f99tr/hZe8iytEFn57aOHAg5RqBZ+oW5ZihKOCEJSyyV82yQmFpYRVVcR9bCNWYueuj5lJztNTD/0MexH6jlf0IJSa2uqperS9WfSA94gSbRlJjlzWofiVNwmG7MILDLkR2FQDCy25q2RNvKraCdXhMHuCoiS1uF12ebmRyJ+qTlBwvD4HSA58WmSoJZLau4nrg7Xw3HQfXsyrtbxq4VAw4wazYBgElWrjZVMipQrKCkMrcukwf4b/HFLPlUqbyPWV6BTNw85Hw652zkXp85RGQuZCTIR9YOHTUDxF5U7XoW8pbAxfCrAX8Bvova8aOh+LzSbE19XALXkE8+7O4x4bCeKTPaa0XQsW+YNK9I8E6W8vl7ckVIHT3rYkdTrKD3oLDlx2yZUkqgiUQfK38czkLjWFtFu0DhR5eoD1bnqrFBO/G7exgM66OSKhnnQ7jhXrP8SNrXkpD1mq+eTUCzBxXsZqApHGf6gWkFJh9JRZpGL7gkLdTr6Ez8yslSSnsnwqN14MfTx7ABuKeRnwb8bCHLkVD409VoJdizYG5C9OKqER4rI41/QVNgSrN6ORqHdH4z7hqWsAGImjZR5TqX84ZRZvRNFyFlzNgrkfpUNU5E9Mfvld7dR/2fc5/sC7GWpHnTITXcuzOYy2P0sma+c88FnnZB3vYP0H1KokzleU21TfW/ZwYo1IsOwwe1uA78IqhDaKQdG8gnZUeyYoB2Ze0ZmfZCgOliJ5c8VZFM/whG4I98D1QuBEXco6vc6n8Dpsj7RVz4+3JTJaZx1DDQSdOTpZapS0/8tEYwZsm5ImTFn2/iUrkheN5oqaDZIgU7b82Ec32ddekDfmN4PenSlMdNNDwItw5VHAjcTqddmYA8gk0XVe9lTZ4G9nMCGsilv62OOgGCMhylXFR3cAFKvPl5rUygkscjL3A9uBLEDiJ+xooARNfyB7hbDGIwc1nzUAedVtNaKXJehMI/sCZKujAB5VZEzt1X1QzdS+W4CQleIn8+hw5xK2zPOAGD3DxgkjZdUS4Qu45QviMBk73qeVwSYmIFRgRQdkRGrK+5y9XalVIOj6r2EvNWj6W6wKWWirGUiXh0NkyMCK8ZNNKB51EV/MVzvk5fVuhfqK8ux6i9bwqla5p4jFxziUmxvt+WtJdKdNbuWH77gsOxFKyZqDSZUh+sbcKa9k/16RCf8/lLYWNKp8UDYbwmQh7T2Nu2k0Q7q4IRlBrQLro4oqPqQ758sm44KlUqgcrnMjCQMEHflj9fVx9mqZ3kbHSI7E8UfCnI/PycByU9zNpeLOJkEfxJUJ68r1+r4ixzj3V3PZMHb8Tn+4bNaWWqX34uVd88dHVOFpPImAOoNsHYNX0OEH/H1WMdpNz5hvla4j4Y0wtzuvZWHLffJ5K2Aid/Lqw4WF1G3cgK78toeDeKlQhEy7BYeFRpGFI8bPR/DzeB9t1evrK8IMr3OX9IqSsL6RUeIDG+B3cjkqf5xJysMMK4942l8ptr0S491KIZz4BFd9Tq2U2sKTmCjtW1K95rgJMbx/6GzZ9lheoJUaWhNwX7BSJwlXG81fPwsM3/QRvbBKKzzBzF0mv3kTjukoRYe/gnJmtreRjZhFZfZUJfRG+udNKsHoIOd3YWOwCuiXBA6j6CWdT/bFz05u9Ngg+nx6Dt9dRYtWgwUpwB9h8RbEhJSGWEfebGCrc1EAYM4ZfWUFgrdIV28Ns2owojyo4HpkPoflErJn3Dyj8Rsmix6mgKpuUF0F0P96HbHdplY3ZGo7lQOzTUA2ROfbuhiZ170cqBBuo7nwOasxe5xq++6HFBCYeAiVmbaTeMBZkidZCjPSjYxV8tfSH3QZ/FvwngKSmRYhSkf0ZGM3kW6dhcwgS1diqXyOdTIPsbskIzUXiqQWIDRZOP5fp2O7Yimb2rNaC/HYNdn9pX/Ah6uaPga1szrcu/BEYasdaXguPbwanXXwFBqOtfTekB0muX4q+05ZkiAEeJA3HrCQINSGSleSAvWMSCNJgBzjO1dMCuy8sFkJu/ObSqy+RBI36mCsKH/k8RKsPTkXYbQqdwyqMWvbOg3F5SA0umfle/YM8ya+NZeqPbr58YS2/5dCb2yb0TLAHc37uzz3VHBVW7WLXSN1Oc05JC+OIMgLYWbvvPm47Es0Jql7RgHV97Dyu3UGCRgAuVB96zIexRC9WQt/NlMVSD9mhAKB30mm/0N2vxQSSMWspLiQILcS6vywfyHM9TlSmTXtnxrzixqbNlx5zq09ZVe5TwH3N9t+23btPcgblSIEnPqQ/sfJ6l9RHefmd+zaN/hWf+h332HVCbRWDEdYrKwQ+dMRVPJomepOMxxWajTz6jZAc0zxLyh+d+YamZ57rLrTzZF7xd8I4chm+GKZb+Rct1YIZf3h5ueY61PqkQSBp8wW8D1aBO9vbIXruOMDBfTm/eK171iZsVoivnQe9f5HyM2NmwrnvpOXhybiABY6Qs4Ittam7GN9XI8QfCHaDBjupbuHEzuEKzfUz1RVG38dhlILo3Hrm8pujgyaV4hcOKYaLKZY2P9QLqG728LOdDt6Nn4XVTmR57wpswUYZ50xr3U+KI0yIreIorZJe388Is1RPIaO0SFuN1BGndex/Qzvez9CLfqade1x6eHdhqIV3/UYnTLZjMLBX6buCBxirp52CnIWGZJEWS3uQ1SaRehZqeTIXx8yHMjt9KJnJeB1Ttp8T7B90ByAl0ilE3IkRJJGznK0poBSvKmy82gihxfck9xwWJmD597ih00lT/I4wBvFRVIhrDCkRcKjaoCTiFHhkmYKZw70TM3HKzEsqYUydklrXu8mCue/bCz3lpfFPt46uCiURv0bTraK9KvhHRfZuegRLBO8rJndYyCUUwidKfmVOzk3YuQlxKY91AqE8LanxBI4k1QPWpDdwhq/wsKzyQZSOILvRIcG3E7U+86XaEErzedklXjwkLQDtG5Q+Vw6FLsqL/I1zLEhtEPC7+V3AImh2VlHw9Lb92l/2h9og9hCx7ydmuXWDlkrjV0GKvbTgNgyjf+D+lpxZhlOvA/4zAdRuFAoLSA+2u32YCpp57/HxVzYL4tF3Ao0N/Us3MSvdiOe+BdLlIGQwCFZg9KgXiripxj9RZCU7s+7nPrxQxYVtoqGaLmo9PsZHtzSTh35kA1/Y50wzhwEV2aZ11/0WFjHzxZZqVSoroUbK5DG4NbHigarVVV+WDEunRhbBRHkXoX9/NMDa7FrleGLbOHy932pxdh+vb3tONpCeFl6UhCI16tMagKp0KBi9gJmlvZqIjEE3+F/VfJJLbHxVC/xOTOEwUzvBZMbFzkZLcena/ER153yWgd1vok5gBY3FND4QJ9JDSlFqxGBAWNtQOSHsndKzpRPXCkuPJRqEFs3GV2KHbcyflw+atU/6TJfNeQGkXCizwFhkAzulJ7/0lS12WeoZt8m4alIZfRJNfzF9IadqH4Sgah7vP8yVrEC8dXBYUgxbbs3xu//mCaG41QNmFvYFxPSvH02wVarvynGB9oS7sakbbkJbOkNI1TXn4zc2GXHuDlO29UBA+g0awGRWyUAFzEoZ7MX7qzSECJg2XPf5zSIW9ObOs6Sbu/DiXV+8VRJ4/xgSUfETOXszDCQ0XDqa3WJt9IDT8i5Msf4+7703GnXo1K+fpcdFYkq3ZBjCm7W9+F+NGkSrm6JckoFG/KGY3KqN4jr0XfrpnOrEBcqjsNEupchku5muUYtLeJbUg6zW3xv2qEKotydtVGvN6vcU/I560ZJUS5AfhoiR73WM/HpNT4f1x+vLxY9Y3WXpXjLHUvcsfdg1Bg03RdV8CNg4eX+2c+oRw/NqYPUu1QEq3Y42zIKC3CnwxE232+sHFOL98e3fdJ5t7ShbqT+xUR/lkKihzAPkLLCqw3oVfk2OciZTXGXyfGphqHdvEdQeXiYl05pKS+kYdHHCrguKQVsKW9sPVGOCq5pMempXGVkbTM8O3ZYI63X4UcU7lv2vyfOckpJzC2qwoulQ/ZAGUnSEryW2JJ9+2iJm/A2wdBHFv3s4iw+bGBm19/8n3deNzkZVbGPK+d4Zt0dcq/CLXdiYL4eZM4MK8kgBO3ublsgjF5kMUpojU3sSA06cVS9S1Bpj4qrudGDB86eZcub0rBg3x+kmPr9JYfy0wGzGuFn3LCa1mpUDvLIkfsXhVg3t/z3yvJ8dHk+snlzuwzBKdSkyV9L82XtZ0oteSibnOLWXozz7989AgYtUnW/naZIk15lCZ6LvaC9r9zpwQ7yamog0Ag/nhNhac+raJqRsHjWhk/oJBJDbGWuuScwdIwXXnnrMp/o44uepUNrlXw/ZThDirexRtuvo9F2G/Ssxggsq4EjI3SxGI3oGEErr8PqWxbMMD17W/bF94PBt740FmG8dUojiTOafXqPHDFrUPq4P0TfruRU8qgfOYPtWLZvW/8TxYaLzYANavUWaRhGhAzcYzoJTxBK2o+0yFKd+/HWTEHN7q/Hn93AaeX+nM4lx+I3h2/OLJo4Os8wF17rXCdb1w2uSHOhyH4bFGh/I98QcagOOeRv1txZFWkOz9LNMPI+R1QGM3GH3Nbv7cVwvKtzwSid1tcCxhGwnNFt5eZ+fN2PVCeUwpXgLv6tTTNi2wJl7vVLeMewB1Qe/yUD2MiupZVJUeMht0Q0sQFMnjy9d7r6OW5NO1cYyOLe00qNm79DwO2PsWZhnMBSXD60MJaBGglcZgY4m042+32QCuDoIOzieoBhdy2HeH5M+eBZcfKrW+5sUhobjuje5eVfMJgla9EzvRZwfmxzKelE0poBQd9X1QEP5WrSA6BwmSpjYgwXiiQMEqbutGnvYAxBxc0xYJ2D7es4Orq2Mz4viRYX9LnYa69dmZUkdIzEDM6QXc4RqbKj62YVP3zWZqE1PAV/PWCAiTDM0Qj3um2rvwqOYpZcs31ewY0sMYjgI58ftzAVyt60ltMR6EJ3li8itpJyPlj6zNpG2xqUluQoI+zu6qSyWY7ET5AE6ExTCEsOOyB614EQ1lwriFUPt+3OTZuAYcZk1HGoiwCaJIfB71RaoTdkgh7tK1c8uW+0z5nKUDCl3hL1B8rv7e5OhEJAqXPSA+32YViZSkKpyYMSD5p+Py6CZBUPsYZLIxTMpfHi5YmVo/PIk1m8jYHBP9LZxAcoQXW/9yoaeqy/J2OTQt9KahjDxnySbi9rIRF7E/HYRPOTf4fA8ewmLi9ctGeqp3jCkCJI+4otcsatRnm3EOo0izswtRHmDk7A5RWcy4HgBrSVNgf9YMaZZt8WrI9/tAr0FZ1Pi2zss0dRlqFSxGv4pRxWUo83lSTpVaUiSAaGzGPQNk+jfBu1r1s2qYLhbtv1lN5vvjI3qSQzTrtQqon4yGbZmibeGjkHxyuAOKfheBtZh7EeG1niXEQcc8D0QJNPDs87cr6OfLAAzcvHJpoGw/eAPZUW2+Aft/MryIaL7hvdElJ2pDK434F/3NEO3Wh1POKUdhxBtVU0XGp9LgqJgUCrr07r2dw2mf+wDDyYkSEYmSk2AexLyK9ghgLnOktzQQF9pWA712kDtjXsaCVkuW9nenTXjZHTwftAy471abj7kcCGk4KK7O5iHqiULg2BA7K96cV5Bc1mo/0u7/pLVI7YGehqTp2A2Uurhn7uBM3fO7HRnjaE1kgroc492C2j8s0COLYGEXBaF4JGOMGW6EJHZfQu9x+bn79+0rHn+FI//x7gkK6wVuHtx9IfQuelQvOdJCGeNBFyAEbVhjwGsytCv9/Vbm3JkLZMOHp+wl4LZsPGZMHcmNiaZ7gZkkSQMNuHh/J7mx0X2GsGuPLI8yYnVCq9pYwMMFmgGApgZzE+2TGY+lbLkRZTJXhW0a9U+kYmkKUyCufU4LavQVj/fPsaUuHcbZCk321ZFesQ1Otbapa7cCP+jY/+xNEfW4foNIQSqHJ4+FK8kKc4UTTjdFRkNIGZXkIcA2yDajHyorPXlCO5cRlDb0/4P/9lHJJlGGl5SQPUf7O6GLyuw5Rk9hdmH1ywM6iXMAgWiWancnshU3KNYnXuwAjpnamI0fl106h+dyudIKvoefY3CYQh8/9ReqTmXbEPaa/9Uic5wfywrrLrlivu3OflphJKYTLx5O05ft1Hb8qAQlr0iuNPuPIIlmvh73jp3JSnHDLr0myOVPE/UiOQgLL+dF+agQHPwQpEbiQG4ZuYEGdrojrC18dUgDcp8PohOSq/QXGzuJlcWaqRpPwy1kCooNJCojznb9+NwQRGYjM5hUF/OS3t7bePZ9LQC/BpatbT5SxQdQwPd88wDgrxVG0leMLe/VR9PjdjgbzKRwerOpcWDB/QRxKg9xbnzC1nRole9dKQQ0TGsisNXUfFRI7LpZ1QefOs7yp1Yhuqa0icjzQMXR3fxQrOjHk5EtsktORK8O7bHYcDP4w6m+Evc8sD1v9Mw5LxJ99DvULaRSv7HsDTQxK2TiDlywnPJYGg8popVuitGXRkXcCqAfkEk7I8LjiFedPJKAcPI/3mIebAQGeEpg2kk3v24rhYvq88KKFwz0oYvuHlhE4aB7UCTeM/6ZSO9Jv5KduGagXGCeHGa4kESO28L6gOyySLoZ2xW08PyQlHdYRbt/RX3K/Mo3vDTXoURCdTML+FvJrW026FNjO+QCpY51OcIR3SUGC63Fhy6bqrjMpBmmwCEI/pH04p+SAPAPaCyueZdzolcKP8zBWSiy+cgf7ik7O5O7eefMoGFU+RP+tvFc4WznNQSSAXLaZAL4Pc0b/9JhjBU6aCZMtJN7+GzC+lA/+H3YZTgx/5NvhApC5O+PDiop52mNZ3/T4UPRSH3izMIzYuM2ClyXBl2S2WdZJCA5IbYK2E++T1nT057lhx5NODFfxqgqLKNmURZqUOxD4evLDboMlVwSUmdjHjVoL344WhRUqmzqzmegiZru0B0pKBYw9l0Xux1HoVVD88OGBOQV6WEY3OGP6XFaTAUjQwJtS4k+IY3dW09DLoH9yjFnze4OPkUNrhI3B8xrVijIMIsGFI7tagLpyat0c+PAxqzshbXSFY/IZxS4Q3+doTMANf7UlzzgnOauNvwyeM3c/uaWjCPtx5bM+GrP1U6eaIN/nNL8qxE58NHwUwHNEXQvBWMx+4p+LyZKAgQAdh0VlsLQEt3Z3Hu3laZqFrFsgPwd8rJNgXUBglouC0gOorj0hJJ9DuV5XBIQXgoF6Fnh0ZtZJ41h8Klq2zAFGb9RB5x68idDZ7UrulWSJj2IyopS7/06IMZoEi9XKMlcKB5v32y/PLZrybr8LfuhpVDknaJ8aRRef+ynzovMEIrrpuL2fCRwRDfH0SUpM0Zy5fACANfzeNepHdnX1dtwvEU+QPpt+PU4Lv+EgLUlEmP9mhVAqSp+zMny+ECfwSMLFoDbgdfIKClRJT7gTUuWImMO1MEkxYdcpIi/EZoFSzDas95FooO82cIyYKKiiRsvKJ+GP/FRmP9W488fis89Bx7lzh6Bf6MzSX9yTMRY4SqGeRF3JRPSdf3l/zN70sRzv67CXwfsBOcTS1DjFT6EufyGNDHMIThm1D+Bijxv2JySnQ0R0f6K2U9CxUbSKZrE470GjaN9jc4DiIihVLfkVUcqHUlHmhKqDvwg11kubJEOajJ4MZo2amkPZ7+ydMo+Pio7bP3CnrBdLo1iVzvjGO8fAlniVd6/KW/oJ9U+Wb1cx4zhKQeduCFSRRL0Z1KLlA528jH6oIrXBb3/+TAVFMaisT/Z4bIM59W7Mw2+qT/DmykofFJkbgmAszZs8r9yz8oB8h6YvLEu1V4LjTNCXFbn3U0XR8SGr3/PohmbmhJpkJj+Oj7gl/7+0L9pbswPBvonKiMLfTWYx7pdFAN7Dz4O4b0QPyhlL5/AfeLHRqmfYyF1lr8iDVY0MQhGEEgK8L2vSAFUoogfJP4ddrI2UvxxR/ys9pININLdyBCmXcZfxD6+STEX/MuG436kQ3SqUTuEon3nB5gT5agAee/QW9ukccjbd2b+b8s0ywKcdRF4fysg/Uw8Gy2RopaWDUS9DWjca88T3rDakTTIuG9SOGc6kQ3CdygakF1/a2mWK1Dvn6rGsFVMNid8w+Qtv9xfi7oIC/3/taU2KiqL09jIJHGh3wKyOF2r+iHBXg7P4DQWK/3m788y+ozVLwEn14bUVKCQWxEmcJGCqabRhhrljU8gq1bPAQECeqzKMDaacZ9t35x6J+1fabGTlQCwzgUTcHXQxhS/WDyGHzyhFs7Wq7nZocM5TaC9fIRRaitYpqY9rqrKTU6Q70vkXyMLtrLyvwyLQBaynAMVTUU+OYQwgehcFOuxd/s99KgnD9jWvrC8/sZIOiitakQuPRRZxWYoSl3YO7SrWL3XVUW4VtC0TkfFu9jQjfKbM9lzbMbigGA1uRtJ2veGCWlPYQza5jELK+Z3ziJaRFLPBeJuboUQsipKy7O5vlDO44zQREeg8av+PeNUwidkb7PWdU2mZf8K17I9ZJCtT7331csbxbOc9HwB379TPfw2ssSgnYZ5Y0+oOWlNFJAuoCUEnyItiSuFZ/U6xI3P/ZGOJsPYrj71WXOsFhuCMp/GSIVev+XjHt6QUUnWPoKusWh7g9mIQUjO6/l5c8YvJ75mKBu6vG8zlOkR6W1GKfrSIzOuySGh/RXQXhkl9LjZ9wtD7P9F85wsLLJ3cwEGFYGQtTBAqKWCo2hxG9XQ04+GMv1dLBXkAW+CkBzYtHhnS7v0NAUQVEfBbj5WbomI7q+GSzTlPbc+FnaOpRIzkm4fT385JCljO22XP1VHOZkLuZO4QP4hxVtlktQJdkvEaX/mP25grTUp88fPMvNpXp4O7ic1CjMD+00OiG1gMM/6gb0+UmSojXaNGtq8yR8ITPiQPsCT0M8F6z2iiSLiCrNcGB9LaJ2pQVUiGzgB7VVkKcR9wYSYxGoVuqsK1usVt8PYKqYaO0XFhhaYxWK8RxISSQxPwWkoO0yB2Z9EPjKe+LLzNrUX+CJe8FoC5ku5PVxd3bypVgdUpER+UhWYRzHlo6fNEziwxImEYItOQnhAtXgJ0tVglIZgCLafrRcfL6MCBsI3UyxesSgnD6Z4SnvRa11NY6C2c8pgWTt6Yso9Y3DBshiUY94BZQ+yo9MKIrn2cLsWd6sIwA0LNw1w1brV54FwP6w7SACyQeFSvXs5RN7AWDrDMxIfUz+Z8YHdL7MhgEtCsqe5+1cbHf3SyeG+H+eTdLQem6RdNqVWhrtMwak7mil0yajtrY9lMg2z+pKOf3piqAV9yV+2fFy6QAoEZPI3Ll967lgsEWVWMoTl71PHgrqfhl/hSZNj91sqn3r1CFJxYwMR7y3jO4nL5Rt3ntw3Y8nN6WSyeOsEo6v/2uL3QoudTDyKuutZnLTvFVHrC7+3g+pf5Lh9MGQgETlW1vz1ldaiaD/QaG7HGoUpB86/elro+Xy+I4B/gd76VlOcUne/7e7+7AbT+JyehUbTV93qHjBOhWD6gNzFM00S9S1QT87jP17/85+UkvZpatrog69Zm+K9tixom7ryddSzSJf9AESWszNiZ0qDVqDniJKf81TRy8kXE283wFHxnvuetsH7NcaWeMCTAzK+GcVytgSYiUga7qttLXlZn6fgQnku+DMXVBzU10grT/3J57LXa8c1NvkEJhee0oX3JElUInZlFknhHSoKOBx2anAgYcujK//2ayvQyTqchaGqGS4OHq0vdMpFoQvTfy0UarcEBq266OV5Wet1979tWMqQf9mNr1QHZZRvokxDt4JilYoHQ171q3ZBPJ1WHX30IFS+43EmwpAXeIEAswqJEr2tMFYpwSoD+Nzf8AYKOB8jeMGk3cvhPjMgD8ARttHgli2MkkwPLfybj/BeM+24ACO5+SDxPQXc+bRqCvT13dUO38R7DMHMZzfi3cl9SjsNJhrr+OOpXevaRigbXo8aUXMy50M/CnREP6hbuoM/YStsPW7CUUToD5MbV+EXgc5k9PJ7epCpVagEcTaPQYBpLvBIVwTOAeqJPGC+NAz1uqhyEErK3wXpAcqbyfOfXgB/QI6Mvct/yXQR3OXBITu6CZ+Iy1xHOQunK4R8MeANAy7WfpEDv4Igv+0/2krGedTglmM3aantB6z9gCgKX5wRrZeVvEcspWi1tqfEKiqmKlqW+gJpGUX/l9q+ciZ0t3yrlLwyQfrWLAyW+F3/RMVO9jBbds2p29WAJCpVf4TkKdlp/buCgd7u8glJz5I+gsLADYwb19AnmQMIczX2+pKUVdoxoBq4SAHm+lSiQTxUdOwf1iIKbDx9PD6hMUhZTpWtfgLlzB1oGzGNto0tABCIoZDlnnB/6KWcTfO60XGQhvBVEBemwY7WSVOg9rDg5czDO+5OboslbcKayNqePKXMa5m/3rBczp8kkOxOKNL3g+COAD+eOWjXFUZ/LAixLnfDpbQJJx4AoHDr7ts6BpZPH4TlntrldrNlbuyAw+YKOpdEl13sXkdc0GgtMdMlIeH967mZ/lMjZna398Zkxx+ctW12SFxYbPVciC0DHnzlztVdtIDfRgBwAouUwG1zHQSHm0Z1docsyV5rqbFluHWff6oBsBMtop222c18+vuVQKEOpUNb5FVudS6Enzy3T2X7F2Xmr3p8jbdWjb6QUqySm0m4S/2IQI9nRFpY4edJkxuXD3FTj/s2otXAzCl6lKMZx7tBrVhfO6VnB2EqfYEUcaGE3MLmLvqowyknToJYxjRSOSoBCwrSHolItYtCfiJYrUz9Z+PF8FHqHBcUKCCmmDBCJFGH/5Hs5X8GRv0C7YEkIqtn0GjeBRQ6074vpOrTcV/Sff+EKoJ78kkMVtLCvUL7AphCpmO/AdZ+AQ54I2CeJJD05wrJ39lXCeRXhKm+dMbl6btMOuSYKU9gilyEkdIPPFhUN3sI7wTSV3EP3BB6szr8Yy2q2JOFwY2HoLuCfR6vR63o247vS0NhHgYXUROmtqWVwU3RFctPr5R5QLUTVWX0tCjLDyjfO64pv77CBXLWsOODk4w4ovrfXhiE6EXHkDTqrQmR0m8dRukBXw6O8dT8WTWxO6WpU3DiOZZmznQ6hHLSD0bc5qXHhnS2JFiPraQTWsfW9uOS3Pz5Kwk1zmjjLHtLitMWE0aX5Kvx0ZjSVnuQPPu+ZIJdkaE0gkG+1axIeKQzRECwqu2tXppC+8RqYzv9Q/9J5zSJz40in1sQXDUT1DZ6dRsBFoNDqbV+kxdqHb8hFXyl0UFi8qkbnKKHA+ITma3YqSX7fpj14+TzeMXFnYPPnzgdl84HQddirMAtiostFrMiiR3BupczFQfdjhOUvEP7D6Tb6ZFkeb/vRy3TbGg3tj0TZBLDqYieWtdEv1V1wvPIa7E7C1FDlOuYnIn5rOWADmQh/Hnt4kyRluhGd7IVu/I48Bnp4NeLyAMCQfmGZaxU5Zxb63PWtKMZx925s+kpdkZ2uQR205GrDPc+9WLcXlq5BWwv5rq/cxMwkXz074v+nieae2KZJNU6ziCO960+ko9Eg6iC6X22Lfatorqj+sYrhTgupedyA9RM3VzgsXW5qi/GlXt/c1gls9/lCcFjJ/F1ByKY/ewtxx+k2HGmn99AVYXKI/i8KzIsmatw48HhKrjLbec61aOVq4PWGLAJKEExiEiz6RdmuzZF/dKQ0Jv3cjtq5/kc7iKf5BtQlA42EbTFyLAUGFyyLU4aMjYx9bcQmDDN+0Oy+yZoEvMEotR7IppysgiVyE+ZGbu3MV971/Yqf63QTzHmCZnQN5OhefAo9EyXOZLosoumnc56tAsrZZNEOshvT6MVQI0g+lbGoJuZVObBn7cSMeSGoqlp1rCxtxR+elDSD3Z3c4uS9S8VK/aq29MWGHmuMuvFFIm8UWjfwioQTjF6JYKUDW2xFfS6HHyTArAaP7QJ1iUSC1z24xMX6NUxTORu3U2B6Hodkcmt746J25SNF1nwPl//i0rdcejoM9Ox6Xyq4GjAWXwD+uDDJnoIcFWtOftxaFy9zO8l1ZC/cdRxcIre6aXOhC84sHLMCTNASpovgsiACEIVNapRUcRxE2ubEcTYl7GsNwm7IFndNF+qYYXYFHTz55y63oF/svnRWAxDIJ3C4vbuW3lI5jzmwbSy9Q3IOFN+j2lWcHI8fwABSwkwpXyLKEt9iKQmmpovc6Hq8ds0lwbJcX9uSunabbdCDUXUtWzI1HXkQD3qAe5mXINlDLwZNzhOnoQWxMcDtWUZgwNH546oV7qKSRapb6IcPAzoZYe+weywkVs5YiogA+yfRaigbS8VYpyQyND7bPvKjRYP7Y96Jjd37OIUVfLsl1gN3yilqJuM2dG8cVs60m/V7PunN9xiD0TxkDAxmbbbZP0o7CqeMvlkgSFTmj4sueSjeTbzn6lNH/ibIDiTS+8/PDkIIZczA5MRr5cDQ3Tu7OqHrlNJTR3wjHYVP4s8wwJcnmHm79PsbCWiwOEOokAEoJpbaDW4RmFuna2I1s4MiBM06yhLCUFhkAtllF9uMKyb+8G70nzaKIKS715cjRDMZROGQ2/TFSYgzuGZoKcHkD3p87QudvZA8e+/jCUt8qi7LWH93D556HcdTnPYmtQNzXAuUWRyXu+FGvYIIgROnipkIiLIoYxzXC4M+mYusw7doCbQn21MxdeQbBqStJpI8rW4sSZsOrrVBsQwEPIU540noVLOj3jLT9VhmN9V8NqbuzgAUWGlW7gTrlO89SX0AKMZ5wsbffNWx00AGArd+3Px+ejwiGkEUVXSSCzT3KNhlDbrgqP412+KQbBa2aeOT8b+q33toLsiSkggv+BSPmoJi0jwEp1+pHSR7zDO5jOjvKgNn4CBU6O0dB9lvW37y6QPHMOy5/hCK04jVVb3itblDE/IbnKqucarXP+DmSvXWcL+1nyfG7NQHmcnuEdTGs08l6KKk+LjOOPgQ+GQUTO9qxeAgXIEHEEu/4MpizfFe8dI5ZI4jbDXgIuEDzIzVuHjuuRAQ/BGTpyDhIPpTJRWpmX3N5aYo4BSUHj1KJp906Kkq+G3ylciUnZXwtAK5+ujvD3XGx0nMNz0y8zkMANvtSKLSokVH1H9cR2DvpbePI84xj53FFODb4aEtxvNxhQDU+dkBKt+HUUi0FsARkbgZrbnwXkTZhEeXY0w1XO2hogwcptL5lSurGicczF4M3OuljwgvPScpQHYjvBJMxyJ7Eli6WnVygYsavf7vMyHF2uBvYoZNGsDUGS5v4PgV/iFoluKkZjG78vIodgeAwOJEwKskh2KYrBu6a0Whcw5My1n+Dmfh/D2gPe/yvNnto26wv++ouNJoeMG4TPqToMbnuMUvydx1cEaNth54PpA+tqYm41nHvAiT6JhkwNWILt86ff/5qiVSRWQfXuf7kJhEOEPyswgYu9h2zmzAsLiI9gcYVxi7pdJABpwC8Qoa6393yNBeEqV5xVPRRmc+w1GidK18i3ukoQGmgawG8dVbCB2ysC7j52+X4V/s4874w0EKBc1J5WHAcoD9GXhQ/6CiF1vX9Rj/lGzQEfUPaIkwyDQVX67heBQEHAyO+qHo9NC4E1LkJ55ClP9aLZXPTpkCyHDJ17LKMfjuaPOITkoJWnfIF7D8gHiS3a6MwDdpPVOghpW3OZh5mtLZA2jJXsbMzzWEdlBA/0PjBJaS3j3oRbKR8m13jluGes6Y1IUuDK3zGSXPc2HooKXKTvmDJDn2Qt0pxEcaX6jKA76hl73W5bgS9cipJddoX7IUjAI/lfqOSLZ5NUSq3ZtRPsA8DGy1H7wNSb6wSJbe7n8B8R5TitvDWBAuqfnsmAqFSuWOnaEaDBKtvOWMhmMeuqVw88rXl2DwzB7C1fP/VjCqNQAhJg3WtDYnk87mZkm6Zi6CsuEiX/oTtWxyvFUKiADX4bNgsTWLgQwLUpEQgpNtW552TVaCU08ieqPt5QasrobogUW65Kwyy4LEKcpYh4W/CweTT4Fz2h6EOR2HAUGdqO0RVz2nOSsYIawkYoeBfZ+h7SiaSO//TZu9LwzJGFaCQhGDNYuexTGWmfKEl88C3PVVUJ7oW5ZRpV6IYBL98J8AcqRFrIzxautMeLKsQsKhQkkpzij9yt44uptjQC4xOL1tYGX+GgKPYXNOMm1zCX/oqg4PRJxph+WnMkTfRtgtedZ1w+IoHppQ7Qt6EHYlbULu1reTKjw+CVwUdx4ub29a9LYX9JKwZE4UpLprW62AARGZVTpt6EulRL/0iXFrd1asAr9FoYKMV8+4KrvIMHUn6PbGsIecNwsbu+71zqCkV2dQNsLxVGLd+1ZQlKhEZjaGnidSHXTY7IOrXRObDEs2iRo/2F02RECrcimL+qyp0KfM2+1mumDInyFrgk5GcdFuGasET6nKETVxOHq/w8M5T4WA/4BCSSansi/PB3E+nOdJgg0hc1+BmMEnCeswliGmM4fXRFCdszKm9mqBX1jfyDT+0vmldPk9iCMbFE7D/xH+R3hwDT9TTuyQulwIxXEs5hsrCj6Y1/T+3hhCd7LSW7ECOddnVKGvFus19AkNqIv6wEpEDVgyQ4YqNxEE195Q6qkzQRTEhCkgnNy4+JRpj4tnjflnQWB1wFbfufQa3b2o/O6zHAqquzqwfckRz6XOY+VuZM3tEnERmwDyvMp/GigAh9kbwS10cUhlZCJYi0A3ol/1uFi+4P0ZJ0/R5C5z47xIXGpEH1BtvEjybP8UU7SzwrcK+wJ9F4VXISOcok5f+S9sQVvbq9l76vIqWdBdb+S2iRhxPYiSKK2hTITnsLySFjqfalaTba1WUjJVRuV0gFJ3KUrpom0c6wjeA4MXKpfURAcw+bDHAGomQfh120DgzaV+IzcMLzr1Blts4ENtfx9athROgVQiXntt3IkSf78myP6TeWsjCFuRMhDrVtWA5KmwfsvtQCARABgJkZxx8AP4OMrLt1MUZHIvZx67HUqjOkhwJM2kiR82lOEw6SzVj7UIl/2eKqQsJNE0s2XDF2uwtROdi4FYGRrodM0uwdkASdHWJqIZ0XWJAsbakM/4OTImJ1Z9khYz1KhS56YSHmxfcaDG75SAycH33/M8JReL13J2H1bRSZGQikkrZABFnIWvYz8BtxuXG0lGob3fGmLdFa2lHkhO7i7iwW2DyE7BKqY/vYz/TYsrTiNlAsa2RSCmU+7RhiWhY/rhhZyyijRS4C+CboJTmuk4mrxnZIM7svb2zCNpA1JFBR+kh9cI0OT1yYmy4mpx6oj6Vp9LhUAQ0W3czcxRNtNpEbPwpqZtAUt+B/MsdO/7p2pdfduGDuzvbkLY3xe3s9VKRrIbrhdvMvNWfrpkxGO9jW3qf4fuPEtUr0nVD5VbCj/zjtkfPWz72kyoStP9vINTkdouDy5n9cXcE7iVCSa+B1vTOhqwA7vo81VKW4GEJ4f6H7euZXUgu28YELSZGCfv34WN42CfkvNuTXiBS0/76r7i0RRwlD9Ti2kA2GJ0IzBky1hX2JYjIgnzGAONL0ATNyHHBocnPAiF+P+JhxbeUvctSK2OCqYyozOEeHt7LAtw4IZDJGsSlu9DK4x8dPhf5A2jUKhU3+rUuOi0mR4gjUjyZpLBZl2eY89YAgeex4u4wiGZdOj1jHK0rBjzSIwtb70eCmaYEYRXLVDWqpA15EHYgpNOsGKLJQswKa/jTfXjZjY5aS13LeAevSwUkc74msXG1m3Ghqf1peKr59bYUNTpv2htMUlyP70CHXqLdvPnFqRtY4uxI+WDOwS+EU6emqelvxWbYcYaiK30hn1UVHnJqG2V/zGc6tyEHkTkNfUyOl4jijPcvfOKCOiQfeKri/hlGDVNos6RQUPDjM0XEaWsORz9FNssUTtgcPnOSqiEcCer0xAilw52d5fyfcrFUepzlpg9FTgwDAKB4MTeIZSOkA5MStokDa655A2p64uTEuBCqqSq42MAFUTyY6uIsAzdRehY7R2tYmRcodalnlaQZ/2gJNnLE+aVN48nYlCwQiPzdb5AsiQOaY2BKiM2/I1Vy9qxiWCPi9ha/uhDDMiY08qPq2mECImHeNFppDIKLaivFiyKd2D7Hm2Azh4ard9SQdeEWbAizm7HksO0A6bUUBQyOfKCX4Waru+v4JAivSlT9NU+AbmBSeCdP9iI4opJVCLH3f8kBsuWXQ8TsBo28gu0N93lsK2LfqzsfoUAPJz3K0PS431JbzTe3nCuSyHIxilmrN57d98sIn4VNUNTtMFh7UK6/KPO/34oQx8oXHXdGi6jArTk5tPTbisGTAy5YeAkSz4Tsb8oP3RuqqIIavohq1jIGmsDTI/jp8txOnGsAkS6zq7XS+I61rf71e+54PbBhuetvl34dUPTOtLOnoX+vi7J22CqaCSvycowHVWTKpA3GHzrr87NCWrvoFiZKCPlKPH9E5BHl4ACZ95TZwUJd9yBOhX8tnQrDlMYWinEpQ3gzz5RPTZ73+3JsR4Grxf727Gww6DMqpscbQaduqp1hbrLYszJVOjJSoFWkBDHe5o5+iBaxACol/jd2+kKEEFa4GkpIe/vQqJGnQFofpPtxKlJ68i/cwngwA4Zr/FOHRHJVQFnL3FuwiDTl2zE475u+ZTlD4m2qjuN+4x4rIwzbafYfEhjCqgPuwd4srJTwTjYSLC8NoGlZ0Dk1E4BlpyePgN5ahlNp/ivjWH+cp6FnFhpe/YfkUg4UqKPLCBTv0NaAZu3YZrX1bUUZw2c3PC0bh54Ouu/JA/V6k7yZrHIlPtvL805I5iECzwUMYjDOxALxltoAfKWYwZJwhhaeQz43TDOY1xfvz2vL9gRhnHoRzMA52IqOGjzVQU2PBQ4qiIzsXtASyafEXbHOR+Di6pHb1pLk/zIpA+6uW2LieCB89Dy5iFHAEFROPwvXysWmpgTQSIVF0eMtTHi+eX3ki5ZxCBYLrypIJ4M9yaGSx+BxT5mhFD5qNLv9FpeFFB5qCh3f2TdOIhRP9W1brKEO2OKUJWgFqCM1uHN+CrfExPA0YKhgt72CFfTfoYQjFQtm+UcC+dHr6z4wPNSLGghNGTKLbtgSXEB+OYGG6JqlLX/aLB7unLJ/npXGR36br6aLH0wWdEu3zua4GLsdyXY5SU1ufz32AEkX/gRoXaPr9qKHDkfzmg3DLZXeCKim9KaGKcTafg8JoBNHsuw+xRPMTY/XWft2eHeO981CMrGHIZX1tzQWwyg1wxkiEobRSBltjCKye+1ExKNzXXKRdgsZdx0OZwyPVstww5vcTGxo9shCB5ZCuo5Wl4Q49UX0ifY4ue/TnJHIxRpToUOL6Q2UXLUjdwyznLe+suIFW/7o9+lD60/9gx5/qtJP/hD6DRgoWXBuCEYVECJakt8c0V+tumHHHlIQlWts26cjGTzcnMEZJyCbWolvr2ZCyv+e7CG0B331Qgqnez6LH2sWgAk+y7c/77xQikV/OkyDgM5y26GBoagioqqH0pb7m5x3+6PaodlNcPvpVZwxIGI0zw6dYTRFRrYrYFItWJhrHok/iiOfhBAVr/rKeYIpzf5PNe1a2GiVNaIW2x0YjKkSyO2EI/Z4imf44PDu6+/MVXE9IRvINlKdnp6gDiMOUUhidZEKFPq1+yKq+hkHGam5raUCIq/ZxgBxYhAj00zqC7lgOXbyeMnAHlfeuFM7Sf57qZ+izFrZfRqtpw1XUb2j45B5BX3k06aCANFv+6ONehXxhWVFsU4JDngq8WLjkjcQ5cVtIE4E0GN0H/z41LooA2GAIm+uMNMn21QQ45Ev6DApnqfRlQ2Ano91qu9zSHCJbLgVd0pXEDWEk+hSTj236CQnDSb+TnOiZ7NjC28grOZA10RpO55w2qya7O6XTFOFdQ9+H7VPhKQgGL63PjC82wmUlis2gSZ4BrzMxPP/BajuN4SbbL4xDD//9ZOEmatephP1q1zKDmRf5Zq/8MWV0qy+akYUJVZfsAgwnqo6qhmtOejXddGXu4gJ1Yb9d3yeZ9KiWQm36nS8hgT2umRDRMCi6yWw/Ae6GohaENsg31XzAaPf9j0cV5Rr/Z8ep1SwWD2AdGNMw5lARXqWPrA61nnO7P7ix/WNoij8PoIkFfeN3FihJJzOSlNb5BAE0USzpAwwrmv46sHkrr45YKqDEh2Cb1/E1BAt8xkivVh2nDBQ93+8G4QFW+K4iUMnrk2cLOQzrXMZgCXlPLXprgg/SQB/O21xS3V6lOLZ4GppOsb29PVQKiayHdTHvY9M3RHShc1kRrCrVxA8VhIPXzgwcgY5h1E4NQlniBavBwx2FlTtRevKva+kUH/qcGye5VXerTcwXK5pK5OBs21o5cO/+XTLI9TUL2aB6/oKUFynr7cCqaYanRAZEh17Q/9noq0H+Nzgk9tGwHnRY9cW97yBlwgr+sXWHKP2BwYpxMnAUXVFj2nF9X8t8WofXwcEPVduDdC6O8hnQtrefPzpPY1+mqG3Yca3J9gN8vBSkLhaBxJ7XukMwemMmvCSoWR1SzcU3EjQ5K0C7svGyQRuzxwETuCgs2z9XVl8pLreYFnVvVPKQMF+oAwy/h8AXXrX2p6raQchbjQW5KMV1T5uLyaT5Ze3RijPKFEFsLsaDz8MxrRel+XtFJiI3BATAs73gClTkOD/BON853KqLJnZMkGhndfrcN6OplWkmuk69616DKPbETMLk1ci1F6d+iOE9b9XvdscmSom1fe5wBclxS2tB6bGcNlzeqv8vCkg3xlRq2uBMJkxgJpZW8ZADZzZYIejDeVN1FBO0XjbxAOtw4yOsZ3NigFaUFlNroEHiWDoV18WkRsGwE7c7LWyBdsOlP6M3tHkH8egs7YPna5teUgO/oD3TiZGvOwIXQPVehpqe5n4kuGUIvIEKkBmibYrgQpLq1iOORgrY0G3T2hm5EoGe88pSOVyBgqhCWWOaJUfZidUByrGFnR5QdCCB3fFShIeEVQyaHG/5sDOFVavVGM243sO544R0twzwoYq72q/6SfcxKKhRFVe7w6oEwISDmFwBPBEAnA1lELZ7lAiN8BCQIbCdjJc+5B22ASF44GsqBsMdEbsVRxP7Mumwsq5kYIQY9OdaeqEwKPEIZEG9bFljlkO0aw7XGB9u0eh3B/+jlECp7Xk1WEh530c1PstfbExyHIGuti6UoiU6k7PIDTNXosCCMEfBcF0Eim2ogltBIgefvdZwxFzyp1ZGJgeUYtbwZYTRFITEFwSaclqSYjqBLLom5QiTKr86cLui4M67huymZryI2NmOCgzmqkWj8ENKxw7LU2pQu2VPiN/1eIEZow4naKwJPnq4BXsPHgwdZzqdI/bpyi7JMr4Iif1AtpOpdrTu3o3ZcEwmdMK/Xn85+AoQT6FtliWBRXo6xcmjL3P5umJhcfNWQg3yK2qZaEkRDWeCT+6llyzG1MX8fodL1FWTtXheOjhqbdx9nte3fJbq81S810+cPHQQOgAZNbrAppdYrcXMaPLVdcSYqGCQAZQFJzoQLTYFAs1JuSPvd+SIjX+bOYnV45eKW9BaGAUCBR38/NubFz1eWKIAKFcwVRWj6ugI3COesjPq7EscKfhqHuTEV9qkCJLF/QeNxqZSP7upD6QLV21oJDL8oyrAO+QkkblGu8beGWGcEJcJc0AF+5wnrmliNpoj6IEmg+wYuXWo4F+o/XtUbEq2lnVSuMRgIvG7RiCl5aIEPQKhWE6y2kMhMU91tHQnOQfh+vKCLga7PIqjfMKaL8SUfsFDBmYmcNASp230SMA2DZULHem6XSnZ3z6gYYhPcMSFwiqggu158j6CBN/KDWVZHYKG1W81gOY16VnKQDBOoT7JzZyKvPKcUHhIYGChfC2Iugttyc/6PG5hvxLy9GMF7Cxv282jVQ+rwFCh1Jl1n9umQQjlhKEmZC/5efgGAElhjXUIQTiGNF0CMfVQAQge8ImPndqTbkUKP6+W/0D6PblHvbyjAz4P3J9V2n/OGhmdJdDUsbPFTUalt+FBABe1oza8MY6c84fkhjDoZJYzETYVS19qHkS9CidMlrP3LcuFxGRMt0FjDBqIu5IX+O+iCVlShDOvDUEBqczRfII2QxYItXIVvU+x3xVvxVy0PaJkTzrfKm4+DwjnFumYw1fJbUtoU/Vxizef+c2Aq0VddkSypmXlMFfROtLaYVLOonJ5QLjXaUJZLvsI6YD4omNaXzfjpY0n8NIpt05uAxaHAQhKBroro6fuUqdKfqA1n7AB27H80wa1HBHjks3AOkks2AwyrmWHpoMl2RqL61xLxarzONtgAVMR3Ey3fOTuahS6H7PFXfEWqwgc0dhMX+tKPWTcEZBhojCMJo3R71qOHyuVSiiC9Ox/5PZFEY5BVnANMQ8i9KuPpLEId0KqdDiSGwmp7snHKe8TykKTCOgZ5y/W8Z5D49UlO6Ac8GrMdoAtZfVszcxywvI11n3HVTDbMtrpcwiGSgGMb19qdNNtbneRjcfCMIDSeUjD88ZK3rX2ta4PciOLjdP7dcOule7ZXjgDBsJnnJ1uuxoYlO4nt8HJEEoaxoFuvVWMFXPvTVawBYJcIV9w/R51sZDP1hiWxgFVOLjkgxiasesE/OyYzSMU072KFc0rEGpZk977MQwLEZiBSQeiZbVzZMSxB3S/uSXd10kUN/1ubLwweGMmVHbSTALoUU5OV8LhuA0yhTTWYTCAIGjg333G4tM7wZn+Yee2+2R1jhepElnHPPTj2kycrV8xmPBFF4AI3N45d3Xz5UnhElxrS1KXHnUjRGaR68EF1rY5mvbokAw/DvIMW5gzGUbedqDAWVlpqZ0TPwB/sHrEU3wylvBwEwswV8de5KoSXCBH7pMNDFmUkv83JjQo0aRQhQCjXPyAm5FNC+XqIZHKxDNwI2WSHTML5LmlfQlrXeCKWBLlpgIKwGpNjbrvvtQXaIVW8oM0pFV35LA98JSnYGhUr4uhoF6uf3cAwoJjVCSxAUnhurMnTSMrTmHKB84jEsBmosN/YvUB1cAL/czKHtpfdhc1mLyTA+AeArefe/usEGH+tU20VX5VNy3d4Y6+R5pH8QfoYpbYXCPiF82+a4omZOURgsLlOWKEo0exxNxXqhN2jXLMagKWzXeFq1ibwf13k9UryIsi2q1Jujp/fmQu4wslK4Rn6u24w3PwVCChtvrPgpEKFhJ0Gg8oKkCLTAuFjMr1coeEMU47HpHFctiNYC3U73a65XR1BRC1ClgAK/Sm7eo1YubtvKIr+vZflAWuigZlziyuO/qFL9NBb+4ZtD3J7FHNC/bRRlLq1xC+okZ1PyMtZ0thoSLxHDEtxTP95qjwx3r2muGaY+TBF4TRPMG3vgf3eafqmM95OMy14uAOEjh0O/zfNQuqo++ObJbE712BdjMBPNg9AvAcy5JUbBoJp2x/T6bg6+may9BWYiEdVuzkCSk2oW0lCrqUFy0wBWA/AcvAeth4fB7R8GHePTQ1zEvJCf+CqXT9+/VKGTNMXxUgw/ifJXmjkVsQ7Py3u//GnvLWCxYEOkcql56elb84W1AqkN9yH7nUKTYwBuuKfbyLdylyWtNZC6I82tNy0Ndr4hLP9HTyoA7PNX4on4J77KN5DPrJxD+cejy9t6h+ULh33SX63VtQ22grOp5uvAfK4pd3mMM5QSN5sQik5Yx9FxDruiZWmD8DJwtOMUDa/0TpjXvrg7pVO8ucBUVP3Pib5zJHK85w9l+tvwBN87H0sFaYsImrmpNcfbntYUMUTdgyG/+r8pM6kXZcH2gvV3wlXGFLgYPm+5MqvVv4PRlpPcErpvri6Aft7PLlAS4Y01jDuaxjyNyBpkK6GZpIHNs/83z2i1DnTnYmxsOGLH/9wHJxyDKZQ/ZzB3IzE4NwTty5ojCVKDqPvDIT2AgG7KKkl3wpnTaYGppeDYC2NoKdUJ4LhapouxfyzfBONvMSjU+xyAiZtBf7u3obaZrFN8JY9LgFWF4lEUzyJAbeJaSmB9PVXWjsf8gmWdiaG7n4ZkfU0qAMgfIxa8GrzV+SD6uiR96ufNwyM2Sn8PlwQwvXmglm8wXxwLAeUCVSIJmnUkfLRp6RqnyD18fSpa+NYAMYynqvzsG0ojqmZjn/3I4GkwXARvzokS5u6UGme2Pwc8d2rQlApRdxKOPu0oL3c/x1unjzl1eGbSvVWECZ9WiG1wc08sfCXJLyXBmMwwCeECJkOWYpUM8vJfgccuyOMRuXJ+4LdwaZmsWQjJ8S2uYIUv/amKvrE3icdaXG8HrW0KO+oubl8Ec+aDJL+mA+ncBGor9NKnOnAS2V104xVMM9603aqCwIriP86KY0f5EvK6z1NhtOXE+KyJqX+5FW4enZgeXGx9PkvOpHYi+cUXcRWk7aN3MWbuZvw9jlI7p1LcKF0jy2D/yw1dglysZ/k6xDl3D51ZVYBBr9JIm/1AYVXeshqoHMbK9xflfzpPUvFcumjuqk7t0YAVfG/EGOVaeA+bxq3P2OuYgi18T83FkyKmD4G3yZYSZgQQnTrUMdmZ3dxNbtEs0js3ui9h8ss7ii+QQbdzJB8yH3ARylbtInbB1NJ3ruTDa4Uu9Jom7bhsAmiOQzGYCbvs7otPX2pIV2HA0MRmPcH7MeGIx5VdreXIDZmGTe1YrEegArJ87L1MQ/GgldO+B03tJh+M0hCmeT+K3P3XFTmYjvbljxZCly6KGoq8XCbDz5skVVwPMkDYZLH1OjU0T53K+gnaUFe7SQ13T3aoBzpeQQI6zwKXiN8jo9e627YDNQQhQt9cQOdii2k4SW1cJd2c3VVr2DiE8uY3833bALLl1HHVWKCbNqJk370w5TqE3B2tZ4KqfwDweUhJBLYzfO/YCVkFppPkU22p/4CtkNFPHOYaUD9xr0YnaNhN0v5Vi4roFdjzWFPGTRrfVGlw8/MkU5wmGCBiPnIUf3Q6gFoT5FYDN4o5HWtpJoo6WwLNNFgZvd8AsHhfx6lz2oAyEhWGK0jClgUbcDRu2bsUUoKOxNcyanP3EiTB+KgVDjq9fE4pdRj6MI2LzuC7uEC0Or0vkI70sK3AouY1J1RnLqsmyby4tnv2C3qofWZP3s0Nufw2+I0ijbeadSTHjOSPij4yHFnCUdeF3jt9dsNELgjFg8C2FAxrxP/2JJ47iYgoKeWp84TfNaEeCNpX481eAXoUYwaHHibEK7LtPPtBWCUOmL9kkrn3JIpkCHEma6MDruJ161tur2XeRx9eZrNTk2RcFT6Y1LjsKTBY6LLqmJCMqMxahtNrKdXfk2AkTSpv3G1DDWl0X4e3VIgw5Bdh+1Fnvsn01VuIP5FsYtAwGoqnNuyIJtKRjDQOK91kwGZAR2qzx3HzUzbcEWVB7gOkO808nJuyRNXuoBbZCCCA84j6C+4+YLBn0s3W7uOVjw6jRn/r0AUwG7VYCiqNPAcWFDvBVLDjdIikF/Ur8pTt4EsTh7MfIpwgnRTE12Dv3D6b3+1fCmv0BMu3oegs/okmLLA+j3syQyHpMkAt5tp1NfjRvbPNaJEVron2FxQ8uGUK2HW17CaEx5z21jpX93KYDapTN7xtvA16dXN5oOK87LpPDZ8eLdnQWTWy1+uj4PHLaQLr+rmXLrI2r6lEKLAnTUGqPGQu5dbd5hIP/2psv5vCupYwNF4rXpow6/rjDdjd0ms+nMahhBPEgrhjrzW0Ycdhv5nCsrgJ+AXyf5OjyZi/s+iAUO4PrwzbK+2Qbwy1exxUo8iYEJHigc4DqFDaHDi+iS9OoSGkfwGn9CGiJiwr8lqSeLpT3/+/Ic2+IGcsmV2Cjdw8TDMpCd0b1S2eZImo5Rz8oRJ3cAKuQQYyqBaO5y4sIBXmquqCyapbzTEC1Z26u8wBsI5EB1NhwFlGXAgLssKLQ1gW4TDHh8T1cbY6rdo7yjH+x6c6rfw8JqG4xSvQoxCBrh8150ilji76xcqVPlgDBGUOzKvajbxrWmFlX4jfqNUARk7H4hPmnaPmDov4I/gldKZIsZ1ey8nZMqNcz5Ptjv+R3ACyiCjzLFcq/X4LJWrIoerSO+mTyivYCmfNnMZMC/qhrDQ0CHt3+FAah/T6cRpY1CDXy7SA4PYGBJSllHqv4NxTeJQLix5GuIN1IANgv+yVZfsctYbV+eduIMSbINoEO5izEcE9aQdz27FKsznBKW9E5Db0JmTbPCeAO4tTTg5jizYVb4zX3OvOnqB027ujMfoFvaDXGZcmEhASfge55+H7FyrKOA4TgpNroQDfk0kNYlrQLs4TFkCfQtFmajY4unoCEBw7pBJPJiTF3sB/EJYIM8lxYLRTrWapvOtEs2p4UrLb0rFp3Dbb+8W72PGygIDcW7eFAPLgr9ncII8/L1un8G2tGmXSAuE0tjDSDUDRN0oKM42bmGhYLkkdofIyFSCSsuZA1OrjVJQG6+CVk/QtfxKOgNgYcpHmUERe0wCcRnBs6GYmIh62+DrS2/IovZhOIuqe96CBmDo6zxZET+0fKXmy03hJtbKipBPvVSs+AztPSuR7TIteDBtycj+1npOisSly34XnzSIoDcRlFAp4ws63vCxmti60SO5vSwBJFSlsAePmotgUQb5uQwaqVfY2zB3rpYf/8+1B/YPaUtlxtsL8a20q5k9jBhnpOSrI7UOlYLRttCIrWX9+dBHfBmC/qGJu6dRVOx6Bok2w96tZqKLSHVJ8uFExEXXU8iU7prj64dmhzuDT4CUHZ/lXuosPbdzmURhu0ABa/sU9Wpt64+RR63fgJENDQUN2yzkVEEOFYaD7lupYSSlyXBcgB2iA2tihFcOqlbMFwdOzGb6Ug/0ZrLGyMqK6CYBdPFAzebOgjFMEpn9EJi7xG9xw9RBc8YWsQgRtcVF+z3ubGTka6hd31f0jdC5sa21FqyFyQFeWHqh6SY1lA4F28kDZ/s2L/S1svOrdl+3B5cTJjLRC9HGLQaB3D2vRwUawp2UVtueAB7BbnoWncA3zutPawMK05yPOutOvzrEG9gJYzK8m4pLNZ/qX0zhGLrAVj0BG1fn/tdmmBm8XyCuxymTicggcyyIWVce/pD46YRJEbJM8x/3GU+ijn3BwuVaby81yJDjH+YrTw1L3CHceGwBaN3rbD5/MkQpvpuWTFVQ4bvu8DzR77FESSmb3RemytDhTIgYbTbca3hJQhGaaOs7SlsEMcsNRdMJ64550fUtPHtSrX2MjafLBqPv5EcPFy2YveDzZlS2JnKKDCqKZH3fhgmBwXT1epAfBA6PBDPlze8s0Nt3W7TQGnnnzRrIvxB1e8yBP1M3CEZtvwFsBBmhzy0HnNn294d77d/pu3ue5HrcW3eglY2X7ucX86p/WEXAf9qbMQ+AKkdYDV1CHtU82Zr21jmQLv4q1Q/iWO90+lwiDP3h8e3FlXbdo1kgmUubhc0LNVCZJwbIZxgtjsaVMjSldJVfAzha0OPytMu/CQokQgA1XTkhRKMdDucWcF8RW0uC4UG5qpA6vY10sWXU0Ux79APIAQmKgV4Fv9uZw4o304xZBBvHNcGPVlAsZCOjdE2DgBerMwCte6kZhuUgQGu0Z7dHQLHWxjfy8Ugvj6Hz7bG9krFYQMu6UKivw6TahLwBf2K1WbQ+tLQiZRXcEWYUgJgloz+FWZ6fMsGbGRmzV5utS2Mxem6Bxt7PzR5wedEeL2hoTw/x2TjWURwm4Y9zmp4ZrBdcEAXYhYQ7RQD40IlvtY19WaVjGM0dcPLyIPEHfbE2kWOl/WFZ0IuiX93qE27kkSm0IFLpHPVjhclTAs07xoobunqB3TPn0CfnkuCtVnyfQ0EYyZtk3sfvPmeasPSg53Tpmy55pAClRU/fjifttiJtxpuatA7dferxdvogF49t3mw8s9QOj4twRBU2SSBLjHTHTwdoibq5Xa/MYM2hWBKWFAZ2m1b/9/JN5+7P0oqBc7mul3m1OAL9cGAljm1LmYQVZ93LlDcRoJzCrIEmpYLvkwDgNyXzbZFL0iyojrOI9lIkVggZ71ZcqWbb2pNrkW5n5FiNY6oeQ0tlCGNMQ2UWqOWfMGqIWuuUw2QnyExm0PCPzAS1LAsusy/GnlKStJWJYJqoQ70Qg5h/ssOXvV8IJHZ3YknOOhEurJIyIlirXcAWn6aWR4nlTtvev69bizzI/hKWvLA8XCeqIeVXOqJ5Cglv+MPKYtxwmaoq8M9e6UsLMEj7m1XpvOCJT/NAOyACW5SAf2QYO+VuCPlIrUw/5oxVPhCPEyxnUj/iSwRXoNHZltRrsgxymBQiaYtsXnIVY8TrD9QT/7TbwJUidqbMvmTyo0Szt/b4WZe/AiA+PzRDe3pH7OaPZ5XhM1YzVMJv4JTfSlZ2FZ+2d5dZpWbKhGUdIzEbWIkmSUi3IoI0vO7z+tFgeho98jOKWzWg7RSW0F3ISzMU8WeVWcI0AoG5nMUZ6UI7OQnqIgY05myOfkBMUwLZf6tX+loVES4k9GJhOglvMQvz4XwGCWLYnkdkkYrFnNy7amz2fGlFQBhrCQA326BKITRzMmH8AIFEL/ebSmC9meIkdgpatz9t7CS38sI00dY6XWIVcyCxWqmQox9WkdK+orm2wwpY1+V47QUO4MsxmlraP6lUXK0irL8TJz88KYtkepHyD963QKEmBitgZLLObdLj6HWyzDAh1rEK6U4BCjLdXG993pbHoiwaxz2al2l95zME5S5dX5DPrwrsjauNpAfKEtGbgkluryAqhrJOJV5kiubW0LTTTjsMNVEieH5kuwIj1bitY+uV6m5Yg1ilev70LKEAhzqng18zEPPSBsBAbhhmZYRunw/5vEmN4nmVCZlhh5B/lKBblsgI0cY9wUPBKqYjnLYyfzswjFf91B2YmSvSIEgAeBIhACItZFSVmaQ/odyR0ODVEVA2dDc6Azl1or5EGCjp4NQZpJ9OFQD2TAdYbsoK7kxzhHOKBybtd3LFy8R/Q2343tEWZrhMoIM7sVLqKHxT1okvuGkQgSJpuKXxHURLASIp+ih8CxKiqZJurFA+RGXoSIvIg9/56Zdro92h6mS4gMPkFOb6MkcezxUSmGKe9f2efDsDB1K+PXT0Z7vFVqn0Iv9WEfb/PEh/R/azZsN+grKerteJhn/lRTuh0CYYBKIRydtAERpRAnFiiIkUorYokYxzxrRB7p93WzfdlIpcLOJZZDlkKI/yKZuhUZSBfvBfvTYK3nQ6KqLXDCvSORwQ6qoaEhjGwc32sAcEaChPJlKdKWOnR+Nv8E/3Ic0DEseDyW/DGjzmZlSIGVjFK4SdCArpJSOo5u3T6/oCNH5rEOJmgfWoi62hZsbZDej82bs8iyat10IF/PHwGdUWrVO7z7dbHRuhhRiW/w3Xv2WHG96F+nJsospfTlXlm3sr432GCgyhv82HDf2NaQ0dVBtx8cwtJZJSw2KY7MZie4zIDL/wQfdvXbz8fF/jbPSABs1FWoIBNQMrgNuQxL60SVU4SSIQLfjXJelxSnD2ihH+tFA0uRaFkQzbgzSwyw+QlAZ/7gDyL+bCw7w14BSbNCu0cTvFf6Aj0KjiEkwXNz5FWQOSlWWzAizW9L5aiGwoWEZC9ua+oeTIQVYAWdhT4QGB9zfnffO1D/dh6s/4crqpgmeqdUpbbnmwoq+c/El/rfabm3XQxAWKNPMQFHB8T3S0w4Au45mLDxYyTsUeNIeNMGg39bh/imzwaMhQ1bufkqpIf9muOLVY8bRsWLuZKfvQ8HB79xFw/FCmzw2iLnv9hh1NblgK+8h7AZwaM8hAIruYi6eP9aTFAE+YlGw/DhpoKUrfnT2ou2BVKMgu6F3WcvDyF28KEHe8N6Zpn2lVgV1sMDa3NiOQguf/ZYnNGi06oYjC4ALPL9y53iGpdsMu9N5ykWVznLUMRapE9L1b551lHxgY6u8cWtHY+Vhm5hWeR99zDlA0+OgOQbye8ZPpUa75dkOhTvHO/XYOoI/EUEPx00GITdcIEFS0KcfEFKh5RlKWg7tFQ9JUTOcNagfvY1tJoOeL3rZAD1JY1p1PrIQxF2lEJsFDFZ83EtIAHMlQBK+VtwGP0LBJcsWAlLhUnV+w0xdJJkYo0DN2fxXmOhgvjwuXskiUI27R7eAqctBBUo0ZK8pzxtAdvqqAcqdh9ap3Ymzn0vNlFe9zxldYIGeUrZr8fZhtocKcDaQRQzEb0mmdOvBuMU0sh0Y9d8LzDx0cEnbNGDUWZmOQgEmkrM3IWF9fZNO02vmb4E+tEWb9RJBJQa/CAsQ2EDy8j+UODjxSGFXPe2CixmOPE2r5bR87dJ4Oxy53t30MXmDlAF+WBkboPjsYaKWLd/GJ4funKH41PVKmZ3qeTOlMS+mJTGz+2BZVdj6lZ1QJzu9D79cBlBdq580XVxFzu8P93fvUPI8bAIJ6YMobfcOTLzR3ZbHDa5oWDtF//b/A7mNqf0Vil1Q1LgjO4CDln5YJn37ywnJ/fDRz2EonPiH9rUFOudeuiicDS0i+8H5gvafnM/O7gl2jFzdWIkYdAkLy8GDMHbzFQG0OsLQKGCryYFT+ZP3MJ3ptKLjbojfyTNJjOhCCb/1eDQHxrCyyxq2pab9ESeg82KUaN1tVdpCQb4+jlSChlgFOtA8swGbOXoSb/HN8i2gb6bNcCnULD328nK4rjIwkaMRL8Iow55XnuV86H1C7TVka6A/gAN5VcVU0/iN1OAQh4H1Ki7hsM0o0qDqN7wOj0s9QOT0KIXzcHJuFE0TJJE6XMtK0/GOXCNPocBaPvQJ1fIYM4RaX+Zyx9AV3lSpO8rIdp7nlzJrfgPj8QeB5sBNeXt4vdXfhqCfeNkNeGA6FxgTp79CwnGh5yI+Bxmg+67k9QmVlrS1VSHbG1Q8/Qz/gVplCMM34G0MRGSMNa5KxgbL/KV2JsCevN0muXYNjLjI9IF/AcmNucM7wjB0xV6ctdfbThZqV7MRjr8QSdX9gHwxHQt86NTCx8u+Xp5cnKSIB0XafsrZYiostVsYthAddfJkjEPrDrXHkwArUjA6YKHiuWf6FhXNtb8V/yUUw3BozWv3sOLkkxc4LQp0pGN2f/jqedIzMHfo8mB/wTuEF04OzbM5XbTC4Ral07zIffIGAvW//1KMn9E1aWhgw0n3TCbr47FZhOEXpfUdQp8cjrYuf7jeBmdYdpd8k0TYe2HLWcAMW615CGlA5dFMyNHbL2+RyadcFkh9fQ9/uXGMwb/njLVOhE7PGsBC4g9NmJygLi8o++PebXrKLg5nyAxoz799MemfcsxzGgqsQOe5L1fwW1yhSQEnORKTpdI64OoZTayW1uG5ZoB6JyWIiNuMhEpN7qqe/IyCfw81RzJ98LFQoZUV3Q/2eJObm6sJWMSTBl82J04saakOdrlRljtE6vTrLRyqwgwpAzSogCP5ib+CeRz/4Ig56FqMV8o2mnQlDsToA4VxyoV/bn4lg0bAOfIV+sgTn99IIJPIx8a6V8jHUIYk/W8tV151oU3dnwsaTH/BFQSiPJ4m8d9mAShJIojVWs90aad/fR7QGqOYlcW67NsBn66A7Ptmr783+tmuXCMQLK8osaZVDjj5hofKk0+/aPB7yX2x6xnUhZTW5nKBMvpFrV2YCfdlV+3Ja9cCwDeZN30KzULaAWx5v/UfEAYVWbu5j+Zr+usXaSO0u9SrfvlX/dCgMxurz5LftBPLkVJQSP2IWN7GQRWBR/2E8fB8OKRIqb6ad5+ZOU8NZpcYTPS+rNVvZfj0xiAIBBpdFCRwr7/B///UFVIfOzKRXqDto/b5zPSVNaCms5akDEyJJKw+4ow93ueWytAKgPmgvuTSrsqppbcHRVoCX2fy2vdhCnKQL3aWz9ZxXAa1VxKswJq6b65zgKqnI5Cwn1MSVTiq8dkJiJNJjWktF2+QrPsqZioiIaM+DY5JwkbOxhFAL8dHMrmjA4ZqTGeT6sroV7PTw9kFdMtQLZbyGooux4bpBOqfDsK2kzVh4Po/NGIYrPJwO5xbw9V1fITebqyLKyEfdO8ONLKrwonrGaGds68oHU7wrjWGcj8XOVmZ/T2POkM+q01VWQBRhWIxYwMkPRBswSzGprIGhqXxtr6Fd9mudb2Vp5VUruKMNAkwVmwzGlAqSVJ9B9OK3T4LtLxCIyIeXpYN0LuNZTudnR8urpRQj/jzzJ8fJrekTWvjh9NlA0S0nSaZXMUu1d1MLI/yAXFCGAnaqNwb356IjrJvSSv4R9+0pY1UAoxrPYhv6hFjvvk4PEQfTfFNPMEaAr2Z1JFRpW0T4Uv751bp1PuRR1ZAi0o1AXxviwI5pHQwtXr2Z2flAkJntU6cLFZN0P3WRjKuF2TGLMLWGl7AKnGse2/5ZnjBxbbpwXbZ2JanRTlQbcOQm9wYi1CnBAaEHymDE92Heimk7BWrTXwyaIlcJpMmdydLMdJFJpqUFkbGiYAe5S2GxYf1talwvrL7lcpyczfgb5PR3CvkjCd54XRO/4w57nzQToszxTrEEVhnXKK/8vRB5q9XdJcG1C2egRvzu3Vn1AdHIf2qkYMpmAIcR3RuG5xI10G+oHy1FA34hm+4MuMu7tkg+OqA3WFE40l60ur2+mhIQLR/FJAR/iw0YIrv5BxktFlgxIlue/LJr6D0QvF7vw3XRqlPLqCu/8pMElUuW7ZhARh195hIedBeUnrmeYmpFqKs4T81Br0yxDI9LVNKPTbzJDbB28KSsB9ZlrWHn3HGpLWjO4G4PrR5w0GdjcqtUXUq1OVxqnk5urgcpdCMOSs8w+FQyCI/G58ghuaQ6Ynz0jgWTVCcJ6DwYsazKOV5ex6FZUGPshhn44Cc3+5UVAdgmaKU2q+gvhrtEt2meVkBwYDBjnkVxEDroYxZ0DE0jY/kdjWuPBCMFPmnlN06rbxjwSwxHj/LTXBGs9oS6CnNPeqO3WHizG47hjeUe7QZYb7MHwLEA1pU1Ndy+84ynaQeI8S+xG8UyKZUXq8RvjVbRWwoKLtsOwIdM89jYYI4GDjDxOGHAfHjYwdVWCMHHL49BnCy5sknAsq7EKjzm7hi4dXtFxu8/TgOijodkeKOrdO64dFz2m11yGNv7kNH081kww1GuaTDqwiJB3+TfyRDpWnlnep53CgRblf/20BJBghfFc0Lvis44k7c+jr9Kfq+ZgB9H4AW9Zy3fRNkfU6A+vGxmq4ZRXzLKf3RshUin2l/mzQ0XoFqHpag2Jbhk5wm3yzg8GX9TrJ8O9MDbDQ41skE77lZzwl0y74rZ769SGYw8VgIXiOda2+L8SJ97gQGHczJPX4Gx5CqMo55UHy4e0gKhDAp+XoCSBi0LgkUo1LjxXkOoEUpzaNXb8c68RzhfL5XaPOl6Wl2PYwsJ0OjnEFOjJvSePgC7aY3fSyWOSNCn/Fd8wTHQsWp/C2gCaU/e97RgijGTBWWCWLdsOwvaHRZVUnfmaPH1w61diLH8BBdWSQe6Ad2/8AyXO1UMAwFZzfZXLKuZnlQhs/JriK10SEwGqwYcMVd/1cI81/R8CheCe47eY68amA9mcnw1roTMJHOaHWRiXCW0ntBysqTimK9aX4uIUmk2twSAqz6+XuzB5CrJTS2hq5gtPsoUX6EW/fVL7R/yDhsJ77PFN+f/JIni2w7OhPHd2a5cfYpV7+9LEmJdvwhpyuMJTmzHzvyw9QXiEaua2I3abBzPlJW304hB/2R4o5WA9iycbcyR/5BfIr+rPVNRPkhp5oyKWTGgSUtHhQSRNjm6YywXkzme5IR0c1VmpsGda3sf8RneXJjBPUv+kstuy3nMtvwapegbT+FxTNTveAE8J/oS/rDduIOCX2y6uwPNtqqZidAjHza0vQ75mdpwVaBP2vlbLkk8b4SWIhr94z6PgIVa5vOiRkiTP9bXAZfuuKQzPg8jn6xTR4e/tbeKDt0TIx2BHrsEdd687TKxEweTqTaGvvKZ0m69DQnVzEWtuz7CMtMcLdwpZNkJIY0yCsj6L5+Nh7PzW50r65qKDZRbRI73UnskuOCZv4YvoWAqVjYVh6GM+1OnSZ23awUVM0kOgyGj/YAUPMYhHT1lZbGNCAo+BhXd+RJhoSPVOG0SxIMOOC5cTmfF6SwY2DV+9s5EE7t7ACD4nOfycuoj76NHkt57dNHC/A36UsuVwgyH7VP36qnyoZUme3DIkDWySIksinmqKm2ogmSGPa9+k9D/HCUhXLjiYTZKvX0is6cKkUPUpmpk3X9zGHkwawQXybTYbPMiDpo7KarBGoWEWPRV3ro7U7nP0o7+KzbTrHWDBwSQqjgj5FwQV/4BSlJ6ninEH9jeaKgZyn/sxTR3mrPQUd2aJACHEn4WLYjEzLrs6dZmfphG517hgphaaepWEzCnE6isD/d0rPyMUskZYqLymWvdyLwa3r+LvKjPcmbrSbhE5mCP0wfz6cFEQMbom0I9SkZ+wNXbFGsQO7taGnu/z0wZsaKrbrByxT278TaCwW86LLM8HeelGF+gvrLOUhBN2vg3ED6G2qwX5+4rdqLbQF4cwQkKfgTfM62G+ER4M629xCC1boqgzSkbZN68TEegvCUw/MKeUxsukNf/nXTjnaS4Qj9fs6Z1sLH3nqUxJu1vlWFEIhkgaWE+pgWDohywqFH0/EEcFFqOGdPeBbgkh4dwqSO9k+OmFMHRH279bZ8FV55eYHeibQ6jskWLZtpkp4qWtAOr9+vNaWRsMAWqQHze1yNo4Z6Czx+RPKSMqpGbn1lAWDEFHd9z6BS8y3kPiDwbtU2Ag5Fic9wkkIAOZwPBaL5Xj35XuWl+g1YbMRCld+5Kw64zlNApsksAdGSG9EPFkBTavJPg91TvQGJABJjqmhsmFqgmJvT9nLxmrFE78338n1IEb2UzA8rdaTUHHcoxZdU3W8u2UVnfKxvw/b3RBAB2wBQSGugtuZZsDiqETx3kcZdMc3vVpJJdberQNmWpDwGHEC2Cziombv0Q7eINEwYUwUVuAx3rRRXzSSpVX8o4DB27ps5ZTBlo85IWeZIgyHXxSFK9dnH+F++nIE2R68aK2IU4e8NYelC0tDntuB+ksvOFnfEM6fehlgHldjywKA8xwfF0sskC/MgJ87Dkz1toaqQGSrwacyT4c/Di34h59zHSBK/ZBUFF18+pEKtrOgb+w6a9CqDL2iMopGKdKQjSF0hU+RUN4MXE06cdOncZ7DSWkqnZpJku86Ai/2Ng1YOVsWOSdCG68CdNPvz73HKScfP5EWcUaifU2fIAs8+TigGOmtr4vh8ybfTDfSkd3iQdFmSKVPC7sy3YZIoEqkV3fd02VuhLobB6VlawIm3wIgNudVdKEOZBVTWlBekSgbe5tyksAvdRVqxx0UlK7Voyo12P8fgrW4BT0VxrhJQWgAoO4ySK86VYZ28wkdRAYwNegFRu/+OA//bkQgQdOoj6ik3ENr9uM+UmKvjdh882vQsumbMnSpFUohqrMyfm+mgk+SZXkRZya0ANHqRWBJo0+GM73/kXRbyYuaPT8CvKd58OF+MBkdPLW7qCTH80F1gVTNRdgDGItR48vHNYLZet0s9+RznmpS1jsXIW5ozxN7J518DmW77nfqJUiJQQ1P2jeugdEmbpoRdhG5Tryc5tVSnMLVRtXWt9LjjSQsbFaiAsvyuH/dnu/+oMCc2Yh+aRP7xZgzMZf2PDFYqTjNQM/rse8Xx79ShtQj9ece2USIylt4qZNTfq7+Kyk3cXzAMeeawy2HsgChtRd375mTn/aixLh704yfiWeGNd4jYKNcK3hjEcIzFE6w+PuKHXpTMEb4zC/NMoPWmEcPvd8a/9evrXhV6L/h8FMWkxSRolo8NOrQGAhCjqCpP1j75GdEHh0uk6/TrwXsIe3KVATjzrh5lo/RfxErEnqS05+oJfDTmHSdUttg56FV5fQvTdE2eWQHoLavV7vMd+LgT7ELa+W8Fw8Y5OkfJnbUdGgppljbk76nXYE+qJIPop0nw7qffKkb22pLedzVjOVppQ/gm57xt05OICBe3v6O3VAbgybTCd79Gvmr6PI0hsoKcYiW4URQQvqTunrHEpdFVZkmS4YxnQA421SIdHHRnbHrdzKwJJD9qcs5PwLURajvMcQzUTcZR4Os2nCUiowZP+nb6tBpnTW/nF43sMU33cnUkaxtHheqLHRCc0Q0tYxbRP0BnhR2/CERkmxxZ/zQs1EkMZS7yFQktSBG+phfgxcKw0c9RBMPHDOIJcdNuFwqreWnrke+kE3POJvazvITtxOOa+Pegwv4FjRufyzZa/ytxKqGCTkMSTylqkRATzL9tCe/SiYw0zutbq4szGBCSn0SeFgDgobmadcyqRrm5DXof71VEjSRTpSSUrbwNM0HhPWRgfModWDtybyaJTPw0eb+2wCjBQ1C4+RJLSRbCdX+Z3vEN4OBnv749Qv+Y4IY1gt9PE12hp1Tw34Dc6p3QnrLdg8Q6hFxL5ovF9EW84MGi3ZCWszR707Pv+MZS8j0jjE2piBCMPOEPRTLSQQSFH8dj71CN3j/BCbX4pgxoDOjXqQ4HSggvcElXO+OhLZ2UKSYjIpcRPRObi3KlJwyh954PHC38Iiyyr96utIb4Ai106F1dqhWkc0o4OrYNfjqK1sBRRRscR4rlhqyzsrCypM8FtGyaMeCEDqcuFWAsi9/gyLbco4FGfF4aR+NJeBRlSufZ4vCs7keUWzkWA851oD5F+lW1pONEiICCmuRd7wQH6rW3hiNmWYdMs5HZkn2NtvBuxfNPwRbTET6Oqzr2fKvyUppKYRY6YXMl4PjWCVC6+jEOgyvEE227stuJO/i4mGT3WM7zBO4Kxl7xKLGYwIe7gkDyBgm2RYCT4ep+rorr5uaWwmEyjHr+ihZ4Vo4w4KrJ2AZwoZ2g10fXM/ngB0cOIiyOa9tIBqBAZz8eDGSK5F0kAmFT280TxUXR+UjwzJjlsA9ApRzo+zJT69Ak1eerzjYm85jnuO5ept/e1gbrt901ZYs3E+6izLVnqxOLg16RaNQcbaMu6lNb/YupEcV1F6LH3g/sYhsRgiL7ljWabb/4MqAqaGvvtkQvAcSNTaJ/GQ5hB1LSx17bSCbtW+0EozkIsLHz9D24pPN/YpZmuP6SswWZ1GP0KALtrmVygJHA4EmTilIcOeOxhAKkPS+ebFfb+taht1Yjepjp+Y8e7CNYN+ijUVe18A84w9HqQTrb/V8R1Gy/tU3UD2criC70x6wFlUBEe92iQWkom0dG8e9y5Z9H6TOr+0BxW9CvW3+mjsXYEM7bgwWvUzvSZD/bRAnupoQahqTXbpPv+JVrXPLNieOYh+ONvv/eYc61NIdZ5hLfSuRIVAp++9c656BtjbamVS5LfuzpLENRPZUZ5ORAdo+DUsknB41l12QTprJQYjXCuaOd1EhZQS3SbJIy6cbGE/gaFK+/rDXnf0mMHNegYRVxBh5yCL6QuSbsfc4iPI2HgkLPSs9YTcKS5Qr5TZwQjpnUenXuz5SpZh//X4B4h/47kMQ/ePiI7yD8woD7+8Fa7uDvyrjR2gO1E7YgJVs8Pal3guBXemzBve51hkO0Y4K4JEpgl4F9NkI5VEZ3yR/geNlnq9vw6VRePEhUDGbNI4DjtRgOeb8NfpSg1b3bD94K6Cy8hRqFdSeGvkt4TX3Wj3g0MtM6bZgsGpvOrZcqvjRFJLHsjgx4zq4tqiBn9UmkWARRqiDADhnEBx7Audg+t7Sa9tibrLHwwJxthbATBolqsVbpXBDMyRghAzNjJJB82Js35rpXAdg2rgHKJApsnseYbzVCaNxmafHwqub5mfVrlz5Czofvb13T0YZ3wte+SwAccYkQ43DWnZKaNV/kCr+GM3EyTsXFbrIYRAzntynZ9iAL7aqvBmz5XZ6YH+/iWFE17HIQJL4WpYaEE3gWZcsW9i8GqkEH0QANfhxp+cB46WgHux0592NInNXirVH7nkznE2j2hcawvKuRGESoJ33hOdfqtlmcntbHi6qWi2ggoZkrXmiPaf8jjQUazNAtOcPsHXK/wNsFgmek3fB2tgIXiG0b2REVz4AhCYbqGtbYASi1egLFFeypvqc5NPvcCe1ga8ektROjgHk2I7+ormYyX+Q6p6OPbn21y4HvY616cCIWFDcR2w8gnYsUkMikgb62ONmyAsjEgaOl/1CEARd/XMXY7IEPZRimLLbQS8kCKzwjzyvN7u6s2x4+BVaYFIbNA6Hja1ptJ8l5Fqsn/vRrcC/g+KvKTSa+Y7DxA+bGF26xlwxL24ZNx3W0UswZsSVjGgR8qMcezih8GNgyj2iWjX1vO2s9jpd1Z//0zIcJgACY1aeAIeudDNMc9T0VA1W4t/R6JNSI3V9EO1mo4sJLdE7pBZOBQ3LGuY74oGMPI5vmZGTZD5DlOe1+Dx4c2vbj4DwelwVO2WCcDuWIHvkyU/C6HuraJtWJ34LEtUV/fVj9HIevPOgw0j/ExGty5AyUvY/xwADsM4PICzUQEvyLZ/vELImRvVFMlPcd1duZmPDW8PcpzAutsBp2iY5ygWtwNNRhDX/AHqltSawfh+WF5mb1anoYNjwNKX4gHmuBxVNU9UZcfJBR8VcIyQV26CKq41SSmDV5a6FXRp7R7J+XLcG47g7tEPbTCxlwRhkHdIXUjQ3qzM1tExpFARMwiiXZplE/jqyFbQMZyb2ACqow+zOlx5vodQK/p93Ej8K7pnQ3sFzjesgUgORZLxVA/MPc0uNQrYmwfLXdzncAGdeppukVN/MZV5ogWIPlAP9izc++z3IR8LoeVy9UbLKk42lWfJLO7bf5usNnGn5mqFeM/r01BOfYsGiG58w5Ze4Z/ubzWiYQJtrTndlJA+SCZ1/M1/KlOrt1BDaWB7YlKmJ5wf/fTK9KwVStDalLk1WO1LPHDW/JBYdkYgB11AoGNChj9b/5/ajywF46xPIoCQvaLI1Zfz0g1YaPVx1WeMbwR/x/3D313WnUrmeljR4nCU35jfYpogq5Ul7FbT+yZ/r4Fv94NYiWeg8P4uUgZAlY2rQlicWShTC+oCx0B3QaXAFjC0l/kIGVPLK7amSgCmmjSHXoxHOvcVjcJAGaSUNqDmpGWji31jW8tC9jCI4oE3b3kuBWaU1KYE/IXVkFfdzVmDXULXxYa2FITdbkLQCvcOBbUDbkxMjfLoQ0USadaYnd4srG8gg6bY59WNDiXxjMxEEWIdjc/vLIsUr7I3BlKouQcLaDmsSRvwHNidSkKkpaHLlVVOVWJocYLM+UUX0Tds0e6WeS4ccSW/U57L/1db3OdMJ84srkV9p1ItJFFgm3ivFeq3aEc/VhvNuDt1r7JLvwuaWYFsKqRdoieNgxzh621lsyuvCgHrivXgSB0njlGWCC/junWFpe1bqmoHENm8oC4UH3K87ROs7a3nmsC0DorYn+gYibGmasVgpdlSwUGXvZqLFwoX52ryo0xSbIE9SkhRFFuw9eAW73S09RNxyJzBJjhPcN4eWd5cXy+Vr+91Zq2gDzmGYwkBnGBjfB9tiu2eARYYABVOZ/rF5zy3N1CA4qmkPr7LQPVa52919T5HwMeVtMt33q7LQs/x8kR+aEk1s5Nz6c8oR+UEz9vclP9ng6tR/eSwBqLY6jQsLJpjf8UURejSNKDVeHAORrLnlHELhpDKDLyskP05bX4cnu9P0VItnNfA9kXiF8kKDYSquTXIhxgf2NEiN5F/1cAtzhI89JHeAloyhbCpirdaXw363iS1/8r2t6PWcgy0NYie5gIXyDyVk/mNQwJQziXCMDy4U4UcqGxGKjXftraC7lME8gP/Y0vDsk4HeWd3mPtIIXGQwjPm+5KkBNUj7r8uSfYlT5HaI4C25yTRhAKH9CBNGqcUR2tr9j5aYavB6Ya81+PPg4mYDVd1iEup0RNaJu2K2WNL6Ws6WV8qAiorQatGhA9Fp8mQCnnsUKOC3GEo6RC6/TGHv9gMjjH4R8cqqhoJZmvAlesrfV87QY1UjkZlCYXrLLZUx3BK0m+GmGbvjlLX4PoDmXTg4ipXe11bSxOygaK6WhGku0fES/8Ned5XY3fgi0fYE6w9Ia+MZIzQIC1JUSd7ELvXTPvfkyhJhmbdtaVxG7qexHACrnVnmYmsc6MzVZ+ph8y70djWEGr2cSfryu2qCY8HlpkCg/BqO5aLRe7Jl9ynqCa79vQO6DBH0T9d6zIxasnaixSNt67yifrMLZpl5OSxiOQQ257VcIKG47NBRC/8WqEuu7tuy56b4mPpEIqdg6VQ69ArIdY0D14d6yS/gzCl3vuRKn45hfYktd1/zd+Dg1qCsV+P3hGDTHMYx5OaU5OimZCcwcgck/x2puzqIziZnZldzl97x0YA8KEHuXBGILSCaYi92zUkmvXz1r8UPlXFv1BCH9qu6WFmDLzwk0vSBeEu3MIenFL6pPDLrqQ4bcA1+w0TnHSFzQsb2YD6pjo4zbmO4BK0ENUjm3Tx422BQYMTk7V8Eo1P+ZApabtgnd79+veuR6qsh4UFyWb6QMwmdbAKhbW9jws4kqOYCWNzXeeTd41yDcUg69MawfUIVjtSbp3j4cKZWBlx8rX+pWXTMiFPN1HgPPGinHE6+7Xf3RQEDD82ai1+pHP7XGqkbKdqjUJy/KeR/V284N5vzxhTy6BF651KYGzfblGlJDDZpHAX176osjbwxE744QbmQiv/UCKRzDwUNh0b2hCmJnldSR3FHPTzwXpVt2VwKLS8Fqczq8FXrHmjZGkpEZj4eD3EekH+V0OCmjdoS++ThELqIjvPdtewvNWBzz0QgwDpLMDd+COuGljHo6a2sNjjl7S8x2BPDFrZNskBZUejMo1H4cJ0BANnUN8V0Uub9ocjU9EkD/PdHsQF12WLvh4ZiZk8IyMHUUdVKPrUWRsycAMunSPsZHWFvR34yYi100GoBDNFCaVpij91cXXKVOTjGjXMOCiLahMbOmGMnkV2Ay7p0xnQrAD/UXLwi0I7mlyi2t/mPH5s/hfa8jxyt1k2f5y0DW/PXCPIHwoR4dKTCpGzffB+d4uioUOTEQVu1ynLjxayiMee+DyPBd3F2lAi6qHGl4Phlg56VoB8z6o02+VezCVxgRfYEjHHHjPAYHQpnOVuBH81xSsP690f9wubmgm/DNCMbDAgOaffaN32VAAZCyoKgkQnlxp8ZKfddi1FLDJcCO3fuZ9pHZNLM77F/0HdUs3FurTDIJW9cTSc0y9wZwQLqDL1JfODScweuWGSXi4s2mf5KcQ8E2Qxqc7pjnWBA12jrKg7mAmlmMJnPYGtjVqvn3jYwE39XGNpFvPBYv4pyelDlUKuyti2WDhDcz36M2M/jrs3ZNYMf7qoEH7zkxdZilflUbztgPnggydkEhgrWLuEF6XjMOMZ6DP3HgVhSupWfcQhqVT1bD210Q3Zl545smaXVGYKS+ATj/JQKmZr9kGA5bw21IsR1DZ42MbcvecvTln72gHBAubRUMzh3MuheoVWkZKLLA4kQrHRJ74N3y1M94OXqNpCYjJwUSX6MtSb4U2ZSX/n0Mx/t4QJ/a2bfv8dzWsvGZucsmwUniXaGuBY/q/TTqGttBRWQphkmf8zgZJTRrvQIVzVsinB4jscrcwIuMjusrDh6q+GWrnS9D27GbX3iNxjwuVKjkCyV7I0/mF9PS2mWTbcVbKsA/ygUCcZTWxzXsp5G5wMfN1zt4/CtrYmdpwzKlFKPJrsHivMHivjFmiC/YC7FZhuYkJpw8BJnl78a2myMdKePhTevONyjaDo24ueq6uDpaCXlrB9lpC3zJbk8xOdl8+4jYVvRN+GHUh9KldCfo10/wFwIMGRi6Rzya2eMumLlBoXqiZq53kiDPYMq1ijCEJi5slRic4SHUeMsn2nXOsqGx0etiL3vpt6t8bF6mmsP4oZuZHQYwh7NYYdPGhF/I0xDXMgXPEOK0NMoRJxYSf/SRaLrOEf6aRotP4hHuZ/t6yF01v9BCdZMQYrAV3jeJyZBiQj54pvfLsaNAr3CIW4CLlJiXR1xlwZB/THM3CHQzn0pAzj3wgAuZPkxFN8vGg2v/UJoaZUTXDElutHmMSMy9s1FwwwLIrR9wyb9oxv550u2arV0ev3cYfxTxlGHt19PBWSpIIFEW9FS0+lyAp3i8Zy6wRMB0wLVhj7aae77ZT86jYopk7Cstab3ZOEhRCbpxMWzOUV/08Zx3uRwpWJXNkht0KRq+IAQcGfXxcC0cCD+0h1Ij/dbhrDJuRaIZKQWRVlU0C/meABKSUXsj1W5qJ6npPLrFT+ejXCmZ7lGe2f/wYdsIw2Cy5tnvNZ19nRU0KfDkqikNdVAA0lsBYC63nS/vO9ZcdFeo0dIlMYX+LWCPIgaQJO4V5rB9/+YiE9GtfnpNeDu2Zv4V842CnDHc/mSSxcA2ldcVY8H/D40bONoWXBigxlh71dNTlfXeZ/YGXaII6jQk+hh82yjg/d4O1mQwOXI6v53MJ4AWKeQf22TtdjZ0IjdU4bk6zWkCRwwwmcID0K+ddmtpDqoGruSyEkdO99sBEwcgr2DglGDs82ZoFTIwbJ5sKLc3LohB7T7/TVmxMKqMBHsTm3eTUm5aQkkfHavebBrzMQkUC0lf7Z5lOwuxD/LDjZUSxbCkqbY0zmWFlhCRpl+M/xu/bE5ewaiIXOvHuE0rvgxfsmb+/+IaRn66nJ467GRRn6ez60XnEyyITngG0o5JLHiN44EzNNDhkKIJvlwjfx8nrjj+aPIpC4gZvozxKsd1uIoly0BlFWp10XnocKFjr9TJLSqpHGBfLI73U6A5WPVnB8IFcGDMUQlRGaZVIP8ZJLHxBJcZi5Hewnu/YUyGevj18UhtGOoTK4Bg3uNJofsXJePWH3B/wvAwHNl8cCe4iVgfjGVYeLY4eGy79q62dZn66eldWxo2p1MgIkhJBSW2aMstHLSMzLWJnGA3y5OR+dYxU1ylFrC9RDCZLNs3fpWNYzpYoGTaXiI5RL1AuzObvzbj3HD+jXuq7M2BY7ma8WJY5aznEcJKlLd9vV+dijR1CSKkZBlXoS4TXwpnRqFsTAu2BkcDpCVKK8Ot3JiFndkqhLJyXVqGImN+cpW/nt0RRfGvZG/dy0en4F56wE5ow/N/MnWqV+z+XSC8FnDaOBuLr4nNHVR71rqDwFRhd8NXlnmeBLxfeiA+xg3YskwQdSzrpkKT3jISRbeuGAFVi3k8cGyzxS+/B6/RHAHB2PnVdZ9EY5nq5PK/GULyvE2x9irHjpWV5DcpxiEMv0k89T8zjkg6JKBPjMgcU/1AgUFAypFR+rJMZLipVz5KJeR8QgtJCt5EFHcUlK+qgrnnYkUPFWmWvJfmI0D1NNVlhhJ/NfKcl7GNPzWLIJgzfBBEV2Q15iSakylxlxspzD6fetYmpYs5apw7ibkmDN72uzmnUJ/BN9BM6f+yiarp/UwVB43G2sIZKTWmjq747Y/52uek3xhJ/2Ds13c6OAhukArfgEkPcw96dDM578hBMyPz5ZlcLso2Mxc3GXFe1soRMzvMKT2lOpjGE2Y1pPSxom55pJCLDu9S7236d5WynIlYjWmqRF9R56Z77pah6WmWvn+g1d9Jx6S/GDM+3WSc/WFnCj2J7nxGpC0xf+ht9RXM7u5FZQ7epIoxebYrVEw38aenadasRhTn8kJQNKSbJ+LOyZc5BEvHJHxc0dv3y3xF2YlVfEIQNESArJ0HlBypT1McRSMhbN06zb3RYAw99ZfP2481m89yyksdCS0N4I6hpSyvBcKKDVAmSZv4eEj6Wlc8nrUFKxMx/ROc4vQ6esEuCgygopkKG3XgCpJSIQxX5VHa2la5Rcki5nK7ZAigD/l2NmJNEt1M6GlerZjTGt0dQKNuWAwnO0YeD3icv188ZKbKP4IQ+a1Qd4r/4GG4WL2VFgXzYGOdDwav956dDNsOvF2v0kFuLh6iLvFROaAhq3ObABR+ilONxUX5Ee4caWxMRnT1aeZpT3lZbO8uv8nWPsTfTjfuTBCAImJ/s4MEZufTzmnF0bgR4MXoPkgIRtEmE61mLPJ9pSLRZYKZbbHLPwRoIfsztfNOfkXmerL/077kTd4UfLqhxv5RWakXs8ENWuIkymLbx1mAzdPKiR02Gh4+nR1ZeWph/SJYzuxAvdw6+iQTYYZoIFhx79IMic81gNVNt98KmWokaL+XqZ6/aynFE8pYkKi0sv+OaCLnMRldVpFPmM6iZzJCpdeatFzPtZj3GCCcmr/SBNb547QgduT3sE1v7VsxO3emw0rUalpN+4KfEIUYM+Qa0Yzlg1csT1nJlkT5yjuHIMQ4CYIokYH3zW33NarrjTsw038DvGCDx4b1XYpAz9iykmug2b4ZLS+c2TtwPl7mgspb6Al69rzqMqLhxDrxUowCc/GV+Wl6vPUXLmJnOnqRj+AMTGoM3qaaAB1roONmrRAwLhjbFOFeak,iv:MWmiiKqhp9xF7lp84+dle+xGIc+f4flavMcSmSQQp74=,tag:uBH+LyYXuewPPzlOn+wDtQ==,type:str]",
 						"deletion_time": "",
-						"destroyed": "ENC[AES256_GCM,data:6xaeKU8=,iv:nmCK25JKrKo+05it17j9Lm/6tOGIVQasEd0xtKkrvlE=,tag:AECFFzeJef1CH5ikMaNPGA==,type:bool]",
-						"id": "ENC[AES256_GCM,data:K6X/c8Vq4e0mexOYtksmFw0D,iv:kaOtC6neliPi+EVdKeFMtLho/Bp7sH1KgsMn7baHytg=,tag:cuLsaiBu7WuBgQW6/LdmpQ==,type:str]",
-						"mount": "ENC[AES256_GCM,data:EDxjmopX,iv:R4TFsV1mcGoOF1avYuX2ERqKFxYSvZk4yvYaKwFO5l0=,tag:hc4k1PVgpJT6VC3gCsXITQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:3K2cfaGS,iv:oL4cw8M11irafGEDes/i0dLZnd89RRtRhXPdnyJb22M=,tag:kD9j2tksCsMsOgnc5nOEeA==,type:str]",
+						"destroyed": "ENC[AES256_GCM,data:yRr+LVc=,iv:ELuqJX1qnzPzPKlqBLc+ymUEqK3ff5mgphVYrJzISN8=,tag:qQ5tb60/97qohm54d5CtcQ==,type:bool]",
+						"id": "ENC[AES256_GCM,data:fFV7J5JNDMd0GiVcvnQANmcU,iv:eHufGTUqtL1XwUZRdihKllNhIFlaDtXciH1OD+z1Zto=,tag:iYcJPXjDQihU15bsP4woug==,type:str]",
+						"mount": "ENC[AES256_GCM,data:xBpkN6Fl,iv:3N5rXWMsX9B4w2JhJBY5boVKAgtvTpkAbCYN625lwJs=,tag:sdZo0fPVqoY2A4fSM6NdEw==,type:str]",
+						"name": "ENC[AES256_GCM,data:4swF3FZR,iv:cYChqgqdH+cQlvt094rndngVfHwANrOcW/BHeN444aA=,tag:1618iy2iSU3i5bNUBpgWeQ==,type:str]",
 						"namespace": null,
-						"path": "ENC[AES256_GCM,data:H2aZjkzGCbFzR/wDA9yGGUxU,iv:4lhcIxBAONdtD+FAoZn6Yd453/U6D2l92/0tgmhfFS8=,tag:uFE0BUeLcR0LCLizkb3Q5g==,type:str]",
-						"version": "ENC[AES256_GCM,data:RZQ=,iv:hsHL6zhKQPPJPK+SCwFnXegGujShEOOVfaOeCsiRlBc=,tag:XWIZykoM1Jt4Xs4TzdrFCQ==,type:float]"
+						"path": "ENC[AES256_GCM,data:k/PLhna4MeqBOpNWQLVbnrGw,iv:fn7oAckrnjrvd6vouRfaEop3gIuE4WE8YZ1WvwyZvxU=,tag:lmM17tYso8kpuikEACmiWw==,type:str]",
+						"version": "ENC[AES256_GCM,data:G/8=,iv:Ubvfg0oQkRjGXPq9LU+BIwZ4TNdZa3sCP/8rJmXPbOw=,tag:BVN91GeeeqksH5bUW/HQxQ==,type:float]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:v9dICIfXkSI=,iv:Yi0sfLaute+Y2BEqDHzOYs6D0Z5DOhmGV7TCM/svTYs=,tag:gyXPMJCtC7Jb8D/j8qN5Dg==,type:str]",
-								"value": "ENC[AES256_GCM,data:RKuRIg==,iv:/ctV7rfm3FcjWSHPJL3Ly4ZFBGBA3mnmxQKULprXPrU=,tag:f87HNT9E2mT0YDnARhbm0g==,type:str]"
+								"type": "ENC[AES256_GCM,data:zjWCi7pKk3E=,iv:f9q+hgdBSBTxSf9Obia5ZltvX/CRLIkPI4+5cy/6eJc=,tag:48JmKgWh3+6bMBkApLGOmA==,type:str]",
+								"value": "ENC[AES256_GCM,data:Kf6Lzw==,iv:EvV1fy2tn/k4VxsE1r68QppZXcd91zPJWkxjc1eb3zE=,tag:NjrMyLYH4LZYXionF3SCGQ==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:FZoEUJ30SGs=,iv:R9X2zbZA1Ugwt+sBnUWX7aUlIKGYtU2QnZm+nw4R18E=,tag:tOo6ClNL9VRDcmI0Gs8gow==,type:str]",
-								"value": "ENC[AES256_GCM,data:pQAxYqQQEuZP,iv:OtgiXhDnJMwR43U1w6ZhBlulezwvmJ2RZERWQWs/vvA=,tag:8mEM9lxBLRLPQaZHZxtuEg==,type:str]"
+								"type": "ENC[AES256_GCM,data:K8wo8rohksA=,iv:/6doiFpnLIrbDCQinAbzw+2pmQqlnA47dOCiUj1oHcs=,tag:sd1zSIOX9lT+Y2oe6WQB1A==,type:str]",
+								"value": "ENC[AES256_GCM,data:z+fdKglboJDV,iv:8rQKAXlulOSVMTXcjdQzUa9m1N7sKvIshKtdpykKIdg=,tag:LHg7LT3EdH4ZlW+UrJ9eRA==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:jg==,iv:SyOOtE5K8b9VbUaB4E3nyJkOaUiFD0GLyDpzSFC8wY0=,tag:R9oCf7seHkpcmYQzSOcFhw==,type:float]"
+					"identity_schema_version": "ENC[AES256_GCM,data:YA==,iv:78bH+cxPgec6Gs9TvOusXM6x2dnCkMSurYN1BBqPk3M=,tag:KQjFtHY4wtifn6UovpFMGQ==,type:float]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:G0Ifkg==,iv:VuwcQj4WYWZjekS4qBNbHWgFBY0xU20nOzB2oH4joD4=,tag:aUl6k7E7xBgKqQvQ5JrF2A==,type:str]",
-			"type": "ENC[AES256_GCM,data:VvJUDAt//fq4us3fulYADNqd,iv:wss9PXjN6DS+CwJTwtbdhI1dU099f9YrlsTP7GhCFRg=,tag:8v6SKAERSchgwSe1p/G4tg==,type:str]",
-			"name": "ENC[AES256_GCM,data:JlDEZXC4Xw==,iv:DknGjsFzwHeSzxm9J7Ea2ulbqvaVb/VyRl28zYC90zg=,tag:CpFmv5eZ/BYzGclvIQG5kw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:uq+oemY467YXUTnfqDBG1QA0hLxb0RmIAjyIBzyLhmgPNiV2kailXtyysb3z9pYulw==,iv:qoDoTauUnx3HLz+dNm2q4C2X9PaGtv8UMJWk/umPeUM=,tag:MNi+MbCnNyy2pmhOb6dO0Q==,type:str]",
+			"mode": "ENC[AES256_GCM,data:4ervMg==,iv:8NRZTTk00C5uQJHD5dqhTlFJ69t3hQ2hl53+Cr77lUc=,tag:7xTrRPTmVM78wn4/AxVuEg==,type:str]",
+			"type": "ENC[AES256_GCM,data:3jor7yonn8FOuZ/EWsA0iwi4,iv:+9dILB2i/m4zhWOuvIvDhyHiEkgCOl0LKFQI1MU4JA0=,tag:vn/Ma/dfzz0SpwEU3pt4iA==,type:str]",
+			"name": "ENC[AES256_GCM,data:FL77tvDa0Q==,iv:2xx8sefQIfQ+4Ewz5dxKGPKXur3ku/5WM11cskIsDFY=,tag:7+Tdk0iTlLIinzekh8U8PQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:pHNG/mDt/4RxrqWh+qXNpKHI9E9eVhhb1X426EUc3a19xEwl7mCqdp5HFlvaK3E5Dg==,iv:4Zl6KAP8jS+PGeMEK+Td5ad0FQcfs/Q3+MXq7BafLQU=,tag:dqAr6X8XMmDYFE+ZrJJObQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Sw==,iv:t5c4IOhTE5c3QEZgE0duiGdwR2FpXx5MdCe7bDVInv8=,tag:TEIBiErugmYlBUPmfiNg9g==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:2w==,iv:sR3GEcwsXj9X4SeB9zRhXcmBNHzO13k9+3IicyKAdqc=,tag:O+3btRV0G4/FUl1wBiJ2VQ==,type:float]",
 					"attributes": {
-						"created_time": "ENC[AES256_GCM,data:0PgzLYEEvnysIwSf+XMPucfsR0wyY1cp5X9DikKB,iv:+F4jXhFlmupkjr9P1vGvTWJHPTrLwWMuCRZeywcA8BA=,tag:djiZJH8X9nPzWkJhC4gnwQ==,type:str]",
+						"created_time": "ENC[AES256_GCM,data:wi9pwsvvEnPfF/1Hd0OGUxtLsWgkAILV9RgKseqc,iv:JI5XiNAsjjxlT5uslNSJ5qxy0Gxo4owqrqExk7QtzjU=,tag:jJ4bS2hOdmPALBTqM3jdlw==,type:str]",
 						"custom_metadata": null,
 						"data": {
-							"dockerhub_registry_password": "ENC[AES256_GCM,data:InNBZTj8WnpgMQpzZ4B95sSIZLMeQfDiQlruHixswEfK0lfJ,iv:h4c053wPXLxZtMc18HX4NQO8ko19AmeBMG+oKK1lziM=,tag:jOGQME1eDhNIyXo22aE9sA==,type:str]",
-							"ssh_private_key": "ENC[AES256_GCM,data:QHNVesB0X74uHA2e/agFLUOcyjzROhBFFp8+2MN3m0EF5aZAa0f4bYBfOmrmof99iLRbdc2zOZ7YM/5+DVynNY8KhqwEHoOi+PoBQ6ohms133O+f14C2AzkIcC4f82NZr8d/n2lJEVHA7XUNyMHcbQYGttyPFp6L6IemcNX4+7z06fnrijJshmmBkh0pVzJyjXINmSWIvyVxIKCqZzUHq2BnBSDk55GTFzEwy7zBTMRMaeg2V7cYyV2T2bEG7Z90Dw5hWw5YpsU5zu1Xt1cI018rKsEGGgP5Bj1jnueYjeBitPCG291Nf9lwMUh3P3/o1i+DJUHzaWkXpVWoIbNPGq68KztUNefOCwePsnRMSrJV7XqlWvnyFcX90cyU7hVLdjQuOSfStf3JeMBMdThiaRtb6RohijPSS3PypflHYTl054dcwfIMcVNOmH1gUW7h5VuSNV4Y8xEpMT1jf14ueIQ34pH34GxMgfMSjnA5N/jLNzXEp8D8B7xeUH9yi+REEPSZZVoHAjN57WrcvC+OuFy6WEoKA6Q1iBTto+dXeN5N8Q==,iv:fBKzlqTmYwWPcUerqvmkC4ndiorf/VURXe17K/kjtfc=,tag:L2m8RZkLB5T0loZ8JwI8Xw==,type:str]",
-							"vm_wizard_password": "ENC[AES256_GCM,data:TWJy6zJyHqpffM9pGDVA6+xsx0pLs86jITU7aGzLxmfrT4qv6NOJ7hT1RkbUTEn7BY2eEYV0x2ptBMRZ3YsZ9o8ZqhYnG8yXcQ==,iv:q4e/lBEwCi5YZGu2Akiluly+9lCnZ7Ka1efW30uye8A=,tag:N+LlzC4lYS43SgsjK6HZgA==,type:str]"
+							"dockerhub_registry_password": "ENC[AES256_GCM,data:m17dyMmff4TrRiLcirArNe8FypXYaygZx51Bd0XS8Q6weWYh,iv:BKkmct3k6nrfYnGZ1MIIyWJjqMJ46s1aimm444EkDhE=,tag:BsTK2X39MvCcodCZ8eoAOg==,type:str]",
+							"ssh_private_key": "ENC[AES256_GCM,data:V0mBYanc5Dtirf/oWHSJKBGs7GDvECeybqRGdWPmc0YhxNJon6fQVbe1TaJ2ldYzcO0qDUstGDqz7F6fBykZl8+0ycl4Cq27E8Wbc+QCme2qCfAR4rBhN8aKlypef7EelM3GnByjLo8Jnd5zxb8qYd4pH27WZoiCLZ9g6gtOMiUAweXOD/mwlwpDY7nSvS/gWkjjmh6fVtp+y0sMkqttoPLWXx3sw3+cZsT/jUxKfWtHItVSIVF9R+GjgifdsURBX33tqJ0JofwLaTSasWo/9K02GxnzGYb8OnZfJ2QeF0qHI413yVCR28JY/FlgwGp+zUppYEwPcekxN7XBxV8MCYQtvUFzCQ8Oj3HEvQBMNK8o5JLhj5mCCPrQ7dbLK3wvWVPnniSYWz61D2GN/3IPd/MdouG/4b93V6a8SyUqDyN7/rfPh3re+MC2A/9R9ShmnW1YAphhVoHRI9fZCbEsEL4joH6Jsn4BV2448BdLyaZYVcS3eUhuQu+7uMUmegys56u1a5vAlfAmX8kVcYxQABtcVY1XCsybaAshyLB5F7JCPQ==,iv:9RaO/7cwTmd0TObjBClZmYNj7mg+CO3H8glrbFIp8yg=,tag:tUlePdeNgDzyXMNfL+1nVQ==,type:str]",
+							"vm_wizard_password": "ENC[AES256_GCM,data:jC/Iop50NwNt3Q9NgHK81tKA1a9IsgRFppQmD8bnErFV/MnqBWbIcYr6jm0wz3tH+HltbLfjTr1ijr9WXCXFf8n9SZlEFYkpPg==,iv:kE7YWw/7yRCAz1QaNuR7Fn1O3KB7wJTzoaTKf6Gs4Gs=,tag:SuJ8/f3jwHLXSfkx2v1k7Q==,type:str]"
 						},
-						"data_json": "ENC[AES256_GCM,data:1hgWesINpkbrgtX7ds9hdPZZNay4d/swK7R/IhQmmT+N4KZ2NuD7X8My6XM92JqO/MO8c52Ax1eNfCezOu9uyk0Z9coG7GcDIgVlCcVBcz7/5IhjaKzHD/Rav2P9G1FkwW6366kbJ7jXThFkau6w0nYSMzjAlWzcb28GyN/TFS9Wrv6uIyEqLttZGUx4m5xBWA40dwBAetyZU0yDZeo00dMyegByHiEGU1y1lIQlG5JBz7O3zre1M2BN3VD806DJ8GUdZl6tIEV8gSko26PI+s5YpxKykZ+M/acEjVj7itzDOK6i7q74LlMCCgjlX8JsKy3ZI+yysAD7YYhD5AXpjSkWRR8vW2pTH9j8R734W9C1rosRGjV0M55SrZFmg9/3gfrBhzD8iO9O+KS5YfVuw11Yo8YBVUMNZaLRNSM2DG+T31XccJWX7xItVt5ynglHpBVf3nM/1GMYjW0623ycMzNay8pt10U9+OnsrzgVuqSDRwfF9bvhJV+PH+A1/NOJg3Zh1tyyWUoN93PFe4lW4oHBXj+lUKa/IbeAUVXE/XKgw9ZRI3tN80pCQ5CKvcFFG1KXM+tHAW0ncHFdDwsb8Q6UaS46cTH5LeDSqMiZoToYhArH33B4sx8P+Xro3hn3CrjKcwIQRCpa5GjmlAsmRQ6A7mDif5HZPBuOz795siJrXWKu+PFhY/GrU3E6MrlVx71KordUY5z3a+0ov+X3Kt6g976Vb7z4e6wiA8MSMa6nVb6iu+MJers3B6GHNgDmjZXWJmkhtKWq3TqXJPbFKot9aWq1jgcwyduq9JMlr0USJHR1,iv:hahpWSa3JfdaeOmvNu392mpJJ+Hqb9XfaovjDy6cv7o=,tag:MZAqSAh/oYNGTksx2IvcaA==,type:str]",
+						"data_json": "ENC[AES256_GCM,data:K7UGaui152giaNacEaDLTZZPc+iNxlm6BOb/tRcZtifh0rv6OpFjOiyLzqtRQqwabQBF3eUssD+9n/nulNVhpl3GQwaQYT49ZNL2zBAyHfXFi5iUOIRi5rVMDbN6rS7vcy4zta+5SP6c+xRPPjlsEfwBQUXfX085z4e8Tc8ty+6cwozyGiue0hRi3T1mycvANY6Kkw6iYgdjzv+L8TgmuVh+1EMKR0bBxAq7UWO56zgotDLJrxKOk38rbO0E31TJhGb2uZy8pcrMPIACIG8yuK7uUSRPIgRgOrwv75245mBU98oHqhsUXtg1lwrB3lVDZp+FJETdUDTpjKhP7ucxzzgv4750cX8u2+7vZ6DWaubxgsFxTi0CVE52O2kWTkNLiuoruxN4/aQWSJCHQQFR1KXYY3IODk6WAHKdijw0RvTGMQARAdMiFlLQk7Zz5DrfREdqF0Nw8NIeZw3jM1fI1S5HtPvOXi06SWDZBYfoLJ7OfgYuXGb1LPai7/8kJh5GFQe5VYszBtEFbiD9SlSnZy9jQUfv3azb8mHWcy0cISYn0fWQa710MPHQdmDt4amMIUOnJfGPI6OzI5iEXa3NmPsaGG1qKa4z53ALtapX4795TCby3AIB96Aaf4hBeUhZeY2u+recU0c9lHpRuwS70D5MuuhhAqu6REt2/2ITJjFSeMz0h5Q6N62kWU23LH9iYnQ93g8aL5lYLR7bnCVBe1UwVUIJXPjon1/c2zNA+IaU2L1yr5AhDPWRn7rGjZ+Y16nqWDQ7mjNhy/iLVdzzkFtrBbszVKZlxDtSVikmMihPL0d2,iv:VpI1MZKPDHyWsmb8iS6NPSxf5tdVQoC2hFRQjtoHxHE=,tag:lc0eAAusOqpebqReJkTiEg==,type:str]",
 						"deletion_time": "",
-						"destroyed": "ENC[AES256_GCM,data:4pi3w7o=,iv:aZKKxYxDH/Jdl1LEvfwYIC8UMBTYzX0ohO3YMnh9IKM=,tag:oHxUOk81r319kfBeDFABrg==,type:bool]",
-						"id": "ENC[AES256_GCM,data:vscYO3Nw1W/d2FjplacnA2U=,iv:MItae4tCIJJFL2AD3/BLRA+gUtK1heI7yOXX2/WDY6c=,tag:R+dS/7oPJ3Dtr/i4iOFtnw==,type:str]",
-						"mount": "ENC[AES256_GCM,data:K492M/3q,iv:jz7mT56fz2XWV20OhH2EPF1tUKl9zxC0lJIMPgbvW3s=,tag:dOSK8wUnhK9yM76273EpqA==,type:str]",
-						"name": "ENC[AES256_GCM,data:0HuWIU4=,iv:ft3qF80g5xFwg7dziLQ2lE/4L+iAhlVVA0MFEdDB6yo=,tag:Sazx19TOjEFiJv/4GKa64A==,type:str]",
+						"destroyed": "ENC[AES256_GCM,data:H4jUMo8=,iv:qwHkxWaS2e8n8bMSz10OxLUK2rq/tNsLNr7iicAJ/Yw=,tag:AdmGQ3VfbBs17CB+f6v/Hg==,type:bool]",
+						"id": "ENC[AES256_GCM,data:wR2eFh48Aj/S42YBAVh83tg=,iv:wzEU4qL3RJDCdCa4UjIxDVw0hoRxgO68q/24TcWgD+M=,tag:0pxQP85nlKsvcDIlOTLJlw==,type:str]",
+						"mount": "ENC[AES256_GCM,data:+w395LHM,iv:P+RQJ870+dq+UDDWqdZ7rYDkztE/8mhs9TvvTlrpgTU=,tag:VrfermZyxm+5wro9inG6RA==,type:str]",
+						"name": "ENC[AES256_GCM,data:663+Yu8=,iv:udZLbpo/k+dpkAZKsUnMBWM0JFfBBHOFG4RyGvfMJw8=,tag:GavuJ8PpD1nLThx9l1oXQA==,type:str]",
 						"namespace": null,
-						"path": "ENC[AES256_GCM,data:WBKCOGIpKR06NToD+T83X6o=,iv:LWVa90evbgwTEE2vsHVwXaKAd6Q6ypR9MitDVKIl8d8=,tag:F75fc6BI5awFtfJ0kCPp+Q==,type:str]",
-						"version": "ENC[AES256_GCM,data:rw==,iv:Jfwzw62B5HXl1EqxxM0OaJosC5t88yjH7BkKrARsk5w=,tag:NctCJBQI5f2JVun7aHLluw==,type:float]"
+						"path": "ENC[AES256_GCM,data:PGkSHJKki+D8C3WfWCSDRSI=,iv:JlSZy+nuiyh0j9Gesm3ThLIFKLaiqXbtKBNKEpCExgg=,tag:fRMB4329ExDNlbzcZi3g1A==,type:str]",
+						"version": "ENC[AES256_GCM,data:Tg==,iv:HqV9E32Fgvw43yRMHytI/xhS4kvewoihSLx1fFJUZd0=,tag:WQM3WhIbYHhXo2yCABd55w==,type:float]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:wFpFuNgU+ao=,iv:5hsuzAf5hBEKvzd/aTNsC8NoFbPeWVaBfCrbkGclIsU=,tag:JWU0KhNQabQfBmHgdQAFhA==,type:str]",
-								"value": "ENC[AES256_GCM,data:rJKkhw==,iv:CDV0Vm+I/qMuG96R1VGL4NyqdgbjAPF7DeGBwPhBOaA=,tag:OmFjkA8aj0vCwh6OEjx2SA==,type:str]"
+								"type": "ENC[AES256_GCM,data:xFQaoy1jVCo=,iv:9fsUsK9jwZ4FrYcR58QVr4K89IufVWkUD8UJ+0FYQvg=,tag:0KQQrf/AYZLlBtmR9Juurg==,type:str]",
+								"value": "ENC[AES256_GCM,data:LgU68Q==,iv:z4yeaRUzcRPIj0sORsxmvaCpX3UlAUWjuuRbJmMvYO0=,tag:vKxCDDBtQEOGC7SkY5fZ4g==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:Ue/HkmTlDRQ=,iv:qUokhEZWe3ha5/LuQr6dghadCGf5MYRkpWaUqg/EkTE=,tag:+07Uahz/96+D1Bm8TV+tEw==,type:str]",
-								"value": "ENC[AES256_GCM,data:sO5fQ2qqP9t2,iv:/7qn9QQJz7/YzVu3O12wiXXUV5/ZGsr3Luecv+HkxsI=,tag:OuRew30F+oeocvEalipfsA==,type:str]"
+								"type": "ENC[AES256_GCM,data:0FnclxgTSmc=,iv:k/ogtxiZDmU1rTanja9hkLtQ0JtBaq3+ApWHE8n/iKg=,tag:669/maPQbHiRCvcRqatxLg==,type:str]",
+								"value": "ENC[AES256_GCM,data:K0cQysdS2R3c,iv:TOqgSSDbUpt6TFIH18NV63zdqNaL/pEZNK3B28Vji0I=,tag:txcAguq4AGdQd0To2sOotg==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:Iw==,iv:AhAqxp/Wm+pZOeYjAwWiExA9ufI3DbtEDu2fg3QWGgY=,tag:yWxou2GF6w1Th3dIVAemeg==,type:float]"
+					"identity_schema_version": "ENC[AES256_GCM,data:4w==,iv:UPeRCInTxfheE62CrHNsRJ7btjQ14VB4P8dHtQA9Yhs=,tag:5oS6iTpeBOxTqPXbQi3c+A==,type:float]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:cVGwNQ==,iv:NqEiesao3z+gnxu5EEvwm2JMJ1efGSXwV7JZ6G4y/lc=,tag:KZ5Qo4c8K9pp1R/i8S5pWw==,type:str]",
-			"type": "ENC[AES256_GCM,data:8yy/HJC98KlluMoPMiJwRm+/,iv:P/0NV3yl+ePj1UGWCXZbKzWxsHv6jXW9iARzaOViBEg=,tag:8nCBl40UYIobQ8XbjqHrDQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:QUXKrs0m,iv:EX/j1QtMHi6tz8ZPnaQo3UmaDOq3sfkANDq9jJggc0E=,tag:o5cDPJnD+Kt64GmznDSMXg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:at1gl7d6m9ll/cC11IUv4jSvOGBVqZ5x3T8QVmRtq9YqJ22w7T2h94zvXSOFefni6w==,iv:+wVUZYCWH1EiitkaKE7gmHKfmR4/Xi7IXrXnHiR0j18=,tag:XL+WQJbP4WsQ73dsOlfBzQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:iaYl2g==,iv:ZbD9arcGilZ5bfRe2+HguzXMbbi/9M7Ju58x07qXOfg=,tag:pJIxyFPiXqCx05yujs5FgQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:ge3SrxsFntzpMeKRuN9D/42C,iv:Qyt6dKlg/SIgWZQBwJnRv1EU8gfJct5ceUSjwN8wbiY=,tag:5MiafxBnttNF7CTOPvHQRQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:c4e0yyT3,iv:VxWkzib6Get338+403kSIT4eq4q8Hpij5z7Wuz5bk1w=,tag:61TZc7KfZ2sGU8znyUTv7Q==,type:str]",
+			"provider": "ENC[AES256_GCM,data:2INwf7ahUxLaoginPuSoUsHWYGC0RfcPDzvYSuS+S2Pjv7sGWGrfdIdSSqLP738YDQ==,iv:FVqAjgrmIt/TJ/K2gIE4X5+uaKUNgj2Lid9WcBRH//Q=,tag:OOBtmWGCRYUBCvFcyPoLEQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:CA==,iv:3Jj1t6uwjVhgPno1kIoINSYc0s8x3VJdcPou0+bi858=,tag:xY274BGyhCc8Tv2XMO4XZg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Ng==,iv:kjUhsQembW7jkamsWwtoBDFIM5ofxVCu+SJ5r9ceOeI=,tag:OEkgouHecDCSSiUZ3yo2cQ==,type:float]",
 					"attributes": {
-						"created_time": "ENC[AES256_GCM,data:20nSKzue/oHCSFB9aSgJE4XjSDYbKPJD6bR8VJDy,iv:Bon+YDKUuO27ksh9+KohMZYbfcEU6fL8Xsj7jRNxVKM=,tag:xK2DWsTfqGOqVIsSz3yPjw==,type:str]",
+						"created_time": "ENC[AES256_GCM,data:f6rNO3fw0VpME1gv7U1RHiOmKGuuv5ybtklxW2+h,iv:g2lXnlA3O7PxckOKBnlYvsuv4FZZjh/NZWivPnKs+FE=,tag:Aweu0islOQdpLJRmEKH8qg==,type:str]",
 						"custom_metadata": null,
 						"data": {
-							"affine_postgresql_password": "ENC[AES256_GCM,data:CRfBE7q2QS4dl5n45NaJgRP+y8g=,iv:rx78TGZgEEmOeUCMeIOJjRtV/e6f9J5NVTWTNHZqlj4=,tag:8b0MJltJH+Xt1P/fm/EQ8A==,type:str]",
-							"aiostreams_database_connection_string": "ENC[AES256_GCM,data:tnrrll+wQSnSG3hZoDiaBfXntPmvgss8CzSiD6WMhC0ZhghuVmUAdzn3l2yFMTM0ibFQuQT5CL3SJB+Oys/nb5AF3FeoutoDjmpM+iaZdTCi//N7YOx4jw==,iv:AqGgBTzDbSGAQn4MY6+mlcAP6IuDGd5BF79CYxkfEu8=,tag:LwvARpXKPow/PddeaQkPlg==,type:str]",
-							"aiostreams_password": "ENC[AES256_GCM,data:cObgLsTeZG/tN18yzGIHbJDrOFg=,iv:bKsD/OmAQfEcVrIotA2Z0yIi+qL6wv9bTlSktQhyVvU=,tag:DUttIcjXBcmdeuCDT9Y03Q==,type:str]",
-							"aiostreams_uuid": "ENC[AES256_GCM,data:3URZkW59NFNNXJLb2cpQijCdI8OnXjpsu4A+l6QGEt0IqVye,iv:uNqA3snUXacju7h0JGCdkSKuyjnnRDvThrt9hTx2LhA=,tag:eZCQAmpkmW32jG7vM9zkwQ==,type:str]",
-							"alertmanager_account_password": "ENC[AES256_GCM,data:TfeXL8c5h7SyTPU2QSfsyeuRT1c=,iv:4mJibyGTklOf5co66JQ5xRuL1VUT3K0cWVEY2WhN4h0=,tag:t+8dEeyhiaSIT9DM15fIxQ==,type:str]",
-							"alertmanager_slack_api_url": "ENC[AES256_GCM,data:Q3QJYVxARDGAiyj+XlZzoGp7OwaEnj7h/Qv2RFl5pO9gHpvWZuJf6zHDI4uy4B4e0wZapjWnUHPE1BV0H3FkISYstGxDyysLs0smDf7uyZFI,iv:XVMCKG9qQ68RB459r5n0LNFNsH390DM70L9pQG3Dfnk=,tag:TemrsWz4ULacpHaEp7yjSg==,type:str]",
-							"anubis_ed25519_key": "ENC[AES256_GCM,data:msGuZ6i39CvwyoHoMYXKtZdllR50n7jR8bf17nt8EfYkLxaPDPZWkk7ONYExWkMGue59aS5rES2WXUoaO3mGcg==,iv:bgqEHcZA7umh2iSrpIw4dEipSNWiV9EzN0S5CllNSCw=,tag:U1NpZW5dZZnoDUjrB8bv+g==,type:str]",
-							"auth_fallback_htpasswd": "ENC[AES256_GCM,data:YXyWHJrjaY9/9yUBYclnwzXRPJLF6CgnXOqJOiJ1KRI6cf3O7x7SoLIGcDbL4xvipfhkVLpIknKniM/bSp5LJH0F,iv:n803xCSMoDFZbq/8BUxdmbYjCBz7u8NpSXmxC1hFszo=,tag:cuC/lMJYllbwf+WfopdkpA==,type:str]",
-							"authentik_api_token": "ENC[AES256_GCM,data:0e1U77XQtABaob8xQn3sR/HvzTb8yT3UsLG8LFGUxQc9lzxgzGeCa1K1cB+0t+I5UMd/AniZPEMVd1MK,iv:25cTEwGvMqNDKDQxzAzkFrVtD/Ih9Bu85S7TKlg5IhE=,tag:KB+/AtavUxe4huWLcRZneQ==,type:str]",
-							"authentik_postgres_password": "ENC[AES256_GCM,data:y89n3nGnNqJzsfqJi9Uf/g==,iv:UEC5/3PIfU4eF35V9mYJcR/VDSda9m4lKg8WfrUi8J4=,tag:NU601fpQJoQVeFhTtWSpeA==,type:str]",
-							"authentik_secret_key": "ENC[AES256_GCM,data:M3pgmXfotXz5LSlS22qhlcS6c6Vp4+bfuX+an6xP3jyk/VcfscYmNR5RHwFQsN65+bA9,iv:jcfKnce2E/hvCE2vDTjrtpihwIFe7hmNOQxclnpzIP4=,tag:OCT5mZ8tU1WI2QwaID/mvw==,type:str]",
-							"bind_db_viktorbarzin_lan": "ENC[AES256_GCM,data:dqhBJPt27z8rq3Pk4PqlvRVDxzYd7goLshrvA82cgWPxqC2NxD/8suJBhuvTbaLmmsUkoDhfsamu7LOM256lWhXHHtoDVVCOatTbIEI5hSiTYnQPv2lvre/0wmfizZd02El02EbxCpFWxQYcSa//57V9knn4TmQU+wNfjFrfADQUapHt60+QfBh6wWIjUfgQvsuvifRSWsBSohLFaUaIjqc1kT2nZT1L/LCOvHim1uYNq7KHuUawxm+0fKRo2rHFDKbFN5H7RNA1mAbhUqjT0aab9Y5bT+xFwt0uDinIFzxOEAh/Z2f3RlaKdvVDPxekux7FiEYre9JqBFowW2lvY5aGVtd6UVaupib/n5MOrl6p2CLAJ+aXKTOsExzusX0QR0F8X1iGKpTau5vB7iMZ/C/cXRFw91Ubmw5h4PMxFaLYkw1EpGndm5H8oW70ZNLatmQ9w5jTDkrP8RB5gtexNsD2VKZSy79CdO+am8/74xD41rBtCfOlatce9PxREYhagXC9sMMCZhqDCFvUqgMhxj32v3N47v6EurIUhYMvX+TuIIzfqGBT4Fa9gi7GEiY9l3lBdESTRZhAFU90AZSpQToKoWZhJGElPao8wFWmA1GQRYNfpC9clb5qOVTTzLkDDmQC2DmcKVDphletCfHhyad/3Gb3+htJpW2qFo3cM7k656KCzZL0kUvHX2X7wR7MaOONbKKMEsK3tAEnbV6r+L5aV1pasbeTIBT5kPLpYMQhUmwZrFayXaPBu1sH7YN2KgnJ1pzu1NDUZ/FP7vfkfOY8izqqNyZovwibXTbaeCgxLYrLYbLR5hx4X5UuSSJ744GE2i2njUE5AFgBaPZi+CiKH9GUBzRoh/Q0TkMs1hYUS4tX5cnf9mo6nIxpxoJUcZ0VVpVyQp2ZEPiGu9QmAfFo9W1zJApiNGgLxmQ3+dKz4uYnDsf03XGZBpGV+dfhDRGuDw7fMV+KO++cAYdidVEniGPMXRw6SciUTfBMCOb9rHC0D2Nj5vIirheyMez9y1IYC6wow7f54XVyAisJGI9VpY0ga+cAkFxjCc6cWsfuI0RJ3MJhOOoEipPOu3YQC+/R/veYsa3PrCG+aVwVrdeFzo7TDrSHPmHbKid8tddtNlKpWisnCJ4GkQSfvqq/UtVWVo3gjxFLfeCk9kse+PARIh1zRtGnSXNWTMLZAkCCasmOcFi/UioMEM0oGSGCBKnVf9AupUmOwT2AmbbkgutsOtbI8ggEEY4eU6n+LOnaOg++IJvYKnXJwzk7P/ojdxBK,iv:YETi/w4hjukvg7tp4YCJ+W8FtsOoRQBJbIyAKfoAU8Q=,tag:adFTzRFU7IvgcjEl9ZkBFw==,type:str]",
-							"bind_db_viktorbarzin_me": "ENC[AES256_GCM,data:naEvQaNmwFdj7/4hmkoissEUHxcRTduCu4/+LawIBi8gunZjQtneFjS8xkYQ49H+nXEU0FmehyCxvHdiw9+BGdKhuMNp+ESLflNg7AS1H8QSSeE9ZgNWrO31XvJ1HE4a/PZgFvatDbIcS1PClbZXPwm50KtUfibCGnoyN3X+hLijr0outjsfYpSawnE+sRNIRlw410DBlmDXDcC6MJBA0tHNglz2d54CRML94WAochXEX0689j6x63vs6GVj1d6AZKhwkkCWMG5nfXLhLg3vqywe2NCBSfKCY+lVc8Vl0u9OKstbwHylEWMVAwpeRMFgWoT9dzX++HO8Wwn8/LO+/z1yHnHKMjpj7lJGmSlV3R2Z3JEaEGZzQMmScFi2jdWTqvuJKPcB2xibAWNbgGlLWClqQNGUf5KUxbxNKaeuX7H26p3URlDyUN9nllPJEnHPITXHoR2U0TBeZL7pAah3edD8kqU7CZAwC/YEfrEkhQbYP8OvKeFMCua46IDZsNQwi8UdPq/3jZ3uYbUv+r6DBFFhULSJRFmJDyq7fa9+yzT3433JDXoj5mtqsRGPqXL3F44e4au2Ab9uHAuLlMBSPBmO+xwJtqXRHbc3CrF6CF2zqnjLHR3Ps3OEwtdk1BlqJxHCENMkn1L98Q2b2qwS5uICjjcnl1nlTZW7PQjwcmh/DpLfemTkoYP5fy+iGQCNHp4OQJppaIRFqUjk/tIAjfTibPuZUte27MpZwu++6DCG3YBFwBOW9TK/Bpf0fH5BlMFXVyR82KpQhzILBeGFEhC2kngX8M5Tth42tOBFk8cOONPsLFUCsWfU3PrYhz6C1ywLddstSGmwrEtpjMiWtoh2pX02P5QlKe9yCYscJXwV5MudjZ+FrhFtdFtcEpNOOqNK6oxYVzXwuD03kYyurHUv+EiVpxag79opixXd1rxubgEYxc2XIwscjIPMU9GYyJ+Du4X+s2nYpEuJsig47Iigv9xT6zYca69y5Mfjv/gyjjQriWZZru3ayyFe/qa5Ihiikn080XRuORuiPXY04/9ZairUoy6kQdwQcaA/NpGfP3aa5Vvg4AuYJw+EgeAFPgo6HbWzBr1SvBXNDMdq3VEllBUBFWuEeS2q3pRRhVkU50hVHQQVD74o0E4lUWhmbi1mzD5hwSlk9PcWZRbMgPKWL5LXtLYEcsrLhumiUda3sULYMa59qf//3INSP6VA3exNTEItJFlXYdf4wcVlNV0T9i1CLMCtQps6ij26UiRdL5rvYrXfpeI2wgAYmkcg1DBLh4VBUNPmWbOvkq/G4pkRn0FPDmEx/fpUs8iiwA5ME7pUT3qTsqcD/mTKnLXdL7FAdUke4ZxeUvpPViSkYVvl9m0MocnXTLOS59MfgQ01gYmsEC4oo4Z1X7tBBPO1HQOPciQQrZc7QjBK7t9UXe4udOR4liYluKeBhW28xCeuLCtKhbtAgL0DEBuyhdeLlbEOfczuCLPnySlwhjqi9vOiLdcz1GItUiGGnKVoy0JUc6jSGp3VC+saSctRYlumH5JuIYmlvy0IYKRJSlmcn5ni5CR/jh88yyWKyMZfV6v131QtCrW6FEZej+BNND2gbD/F0aEZYrkf3ftz0r7aaLmxdLs+BqtjsZOHZZbIQPKAWAL4wvtjf8kJC/8Tq5wwTVI+nRMzwyAD1EY9JtpGS+k3CVG+8ZNUwswbGRP60/GlcwXchUsPQiNG/yf+fIocxQbSsjIYDmFS+SrO+Vs0THA3aDB9T0iR181QGDnFBPqs7plwuuYcy7Yoixx8V1XPBEMEFIWyT5EbRFJJHAiJxGEQAt/onqZi74DOVKzg3kZGuUlTBQ4Dkhdp3KAsVbX8eT17nsNDr0CSAV+XONthA7Wf973Y0XBh5sAqGsmznYE5eHgCgYZaNuz3h6i/1Yh4hz1Ho4iyUNzlsYUduFUH8E+1ZAZidoOBQqKkkbgUmUahMPnqRKydBws3QYxdjnYlDRQHKoZ6Xd5S8YU+2CnlJJFu9eNRvODDTGL8YMonCyCPKB0LC/IKloK6k4tXGpMfBm6ENbIEso7iSgftNOUpGPtdtw7iR82twOB/d6l90koL0dWLi0cCq3opYjK4hpQHjmXMYGNUR8svVr+xGVPZUNQPEUewifw14octMw6D+XJ+SIXfa/cheQoxqEJCZwed9byVLeNkTRZQgQfPewID9ZGwPN0Xza8OESq+pK4KunaVnUw3RYhjUefWO/4evV/tic7rxRMpWZtQzAzpIsC8m8W+sldqFnkw4Y3kPfO3GwptUnfpc5uv5SQ8zwuIAJmrAk+BpIdtaAW/fZ8bFijT/ycgbchoXCnsjZTXX4NqEEsVyUiDh3ibwxthimhEa1BAhASFBfL+aGztpOggu2JWoEqOYTrak5maQcUD+DGTHK7ZmOcC2KDpoYMv1zCZTTL895QQjx6+6PozuhYQP5QYcCvKhvxAPTmHOgDLEwz2RT1zmTkS3DDw7xB8/CRdmUzukiBcpazhwWaR38MliDEmLA071wz/zOsZNJKtspAvCvtan/jp9eZOr6MgPaMyftePXmkVXI1OkyZobIhnxyhg7EXZfIdP2GDZdUWaaXU0c8hp5uX6BXZAa4c+JsahNHYM0wNrs8TIJV6UgvhE6FB8dA7tWbWAgnj90apx83dT0RELlIMSk7+1jR6dLpq9U0QkkK7BMfx2HdKBe6LRzZkdi5R5KmKCnJ2yqjzEosQnXIEpZIu8ZJunH/llaPQ1IvR2wAtdMOnd9bgar6YujaB6sl6IK4IXhgqctwZV3FM7Em3mtDZBi/ob8DMXLdSmiKea5VjcvL7tRd24B9iXpK5/aMu8h6fj+pO1Wnzspdft58qy+r7A+zbrPunzLn+ukz1itWgweqoBmklo/7UuRolrYFvlc9Te23TCJKIDLcLrqm0QQmQf3Hcd0lpVrdE9c87qeyK32V2vhdgsDboe6ZYnqXyJGA3vOL6r9T86MiImwKsrUbRhV+FbTaZWnuXBjAqXuSty8ZyicTjryBhXiEnjHKx2bbCFhsoQMyf7CCVkb6XcSjMEISS+dplFZ8Z4sKff3i3bRHUoC2lQ7+g0Gxm51GG9pMjK8d7PIGHAhFWHeGFqysFfUal3NeuNmx8OB6bus7LHpr3RSrdzdp9sdQUn93CqGYniRfHOpieM7rr8WfmYtTJiWBxsJ2mYdimnJr0OufgKwje5I0d9IW4vnFnPrHEoxPlXBroWleR7eNkL78jRMPhSOKxHZmr7x6p6q5N4kxEKgZAjbwPFaX4KTMvs8tQsiRL1fismGinP1Xp2dg5AeuiJPncJLgxrYHNr/oLtILfKS0iuZrmac5MTXnDtpXzxaCTVOHBsJemvmtiqri011TUhMFm9BoxHV3gSUCboYbaXgvtcAlnrlrcQQhA8U77nAzaFsK3A1uJMidO0z5turO6Wkhpik46xr8uDKdo7JzmgR2sWRsQF3pm1n8v/6oPn2F9cd7rvjjb/Li+o8KFOTZUUQfN857/i2DVQVFkKa9P3BCVzBRxHI+UUkw1y1Q1KmpHsgQz0XmKxhNqtroUqxOZtq9kxgmN3wznGeuIicqfIJy8e8Gbj1qirw+jMdG3CLEfSGKjTzv/ZIlRdRFezX4L8MvKWygyDkNXvBlpWH9l7K2EYRovHigroInGvyo5CawgG+vpBgBXRhz/1IDyVrQ5aZRXKBuB8utXZJB6c51ovEO/OFbfJWoHnnEzYa806nn9AMI98KEM0pzFsuZNmsYrFqgjhdX34fApwvxvz6c6avU2VrPuVPIkLKosLDkqYWVudaC+PAFpafcz0j/JnGz/rSblofFMoiopZQ0X28WMKuDr3HOBQqUbbT/0sKrQrnMmD1hNhGdykzXsLiCYFks600aYnc70oYZ3GKPiwatdgyvvEmSkvQNKZvhcw843yqqI+ZZn+03/EU6H5r2DIr7bi18KX7Y3ZXcnjZLKblpXKYEXkzkHRPgAji8mZQQH+9D73ncEg9+hBm1kuVP63UYG+hCPPs2S7EbPNh2LO0Mq0keSk5FLvRg4drh46Xh6gf+dC44a8TFvTljHBB7vbL4wXkhGFUpX6m33Lqq8J6WrxT14euIN78PCUPsNhCA==,iv:eNePl/kfBIZTd/o4xRuVcek2GF8hBaJp2DLmoFhTM4A=,tag:sslaOCk5Jt6UbkmHrB2UKw==,type:str]",
-							"bind_named_conf_options": "ENC[AES256_GCM,data:IQAqO3w9GROErfPhcEyfuJ5J2bm6sm+Qpz1adGb2bVc6lnPX4LCxlJ66yOvlcvW7Iwar/+r1xAMOK+pyECR1ShxfkHC8E3fkYbC1MfssNwLFbfg9yUHq/RvcQA8eGOWSqt8Eob13y3VyIDVs1khYM/G3neA9QWbMGYZF1cRatk6Yct5y3rhHfA51j5YIdGDUj8zq5BF521dbO4n0vVHwwmndvi124mLa3UhzvUN+Wti9i1jCU0qq5XpPNClIGu7hbdN09B5GuaH9ecjhDlivX2N07FgS16HFF5YSyQA3ysGdjPfE6jPxFNCEB8xdTD3EEqMl+Qi0iHRTkXE9hE7MAzmnN8jKzonJkrMjnaNY315Ypu9EibDsxhnlQkqQB67ZDK2AWvbw3Epv5TodLAXintKPN3gaten5Tv4IodNlamB/0M9UwK+1KWwf7P/p9fwcTRnzxMkgG5gCx86Cp3akoshysJlTkqRH5X1nKEuY9PuvU4b1jsdfDyPMbNMsjMd3051B+TgIHDs2Okeb8SZAUmTy2MLcioNwKTbs4VMsxpbiOeDMB5S6YLaHk7VK+cFaZsaVbrVy4yGlcVU5cDqTFGhxSaD/hR2CF7fxOautk6OkGJeuLFZ/5O+Wzql5uNOV/nzZowi2NQTVV16BNJj2H+WtjlgvvftV44v/o7sHmJam6FftiWclisN6aNcHxoSA8W/XbXZgR8oQi+IOr9MzYWim1SHdVW/ii3EiIwQEEeAqOnR9grYRVfAlNudsgbRTIBF+TSRYxXxqmcdJAOJsy3GdoY7d/vRT6lD/KXuY6KoR8VDDhk94kJPLZyj38MD77rF7sGvfh/viI85tkFBRamtJ8zWTFAABk7cQ7OAfogdZuUpsAoCnUk9BSDG+twNZjlx8qKuFBJWelTLrBQB4GE6sg1Hnb04TAk6Wik0fxTRr6sz4X4uXAPXxyfvGirXHvpQQRgrGjY82xkmSAZECJCrkKkLGgRgkkJsJhFjPMT8+TySxSNG/51o/JRNjCmfG0ii6O1hLY1PU/RFqWX/Aki0AKhSCDaXvUdReUwABrAqMWXasUzpeihKjFuzXFt7LN9AYxtvHFBge7Lbb86KkkSHTMoFR7oGMNI6w/NxeEo34oWGzQ1Ek7F5jIj0YFxltp3v9+2ZljzdnY8mTiKy/iOpeol/lOk6NU6qU9mdCTlq4Ka0fOmUYQc74AYbPLqGXwBXdliZKCNvsi7XNCu+GBsnndT3WdcfBksdnBxSy2WRRy3NNJzH6M+4KXjwL3CmSqTnOAXNNJxO1mspPeZd5JLphXtyoVFloeRsWn67MK4c0zn/0fUhHWJ3yZ1VampXaqI+sWZTQnbJZFOLkeaSP7vCiUgNFHTZrVvs3qYkKUaSusLrpN0qzU3hia75jCKdj1xwufwgFbipL10p6u3nz2plN2khqM9SHXqia1r3HdScGms1+Av3W++UQvWJstji+TxK3Z+qF1xgR7BAgx+CW1m41Yd6zGf+TESXm1LIMGiRWx+wTQeWYqBaEzCVVMQath5XIP6uhh3dhuEszJlT6JeYp+fJR,iv:mUQBc3zsn5O0NlyLEMe9wJiHpKHB8LXMEYGGneF38fw=,tag:GEZ00kkXmXlD9P3ITtGqMg==,type:str]",
-							"brave_api_key": "ENC[AES256_GCM,data:a6EnlJB7ezuo3VLoQBBpaiSJ5LTVjBgEyGqKHA7npw==,iv:qAk+UoKJOr5vWGRk2MndhZQxjp7t3oNFidFqbOB63mk=,tag:5iCtM/IJd2EWleyYBWYFUQ==,type:str]",
-							"brevo_api_key": "ENC[AES256_GCM,data:1P/ZVleaszojWyGhitK9PFxbl22JBVeblZ/McbA2PsSfjdN7rv76C0eBhmuW0cXVzOr8gx6gWVMXOoZdHpkPNGQJx2G+aikWt21g12JCq4kEoAavY2KJCCU2V3BSbpANsE1mOwIuSCeUkgugaAMz91io5ci7/Bef/XA1lqs7MXswQ+68zL0SDOgfTto=,iv:FE2U0YgGfO1q+XjkFcPvKu5+Ton2ZL0RiSio8+0ixvo=,tag:NcATHBNXvKgAnbPX1Fg0RQ==,type:str]",
-							"claude_memory_api_key": "ENC[AES256_GCM,data:HKjNAgZmbgkVguMuZszWxGvTnLF2pDyfl74W/nnb7OUlRH3W+ZU3vbMM3LI=,iv:dpXMEI6gQzP9XeExdP+EsDSCCj+sXlLSITYhf/EyxGA=,tag:VvDgeRHwVm3Tc77i2zclMg==,type:str]",
-							"claude_memory_db_password": "ENC[AES256_GCM,data:0vbe3OY8gQpgs2n7eMXLjLGYRkz9qsEkKqRmHSj5STs=,iv:T5IDfFT+fmHiXCjADsuwmo0b+kmeZKugcCt76hDVz0M=,tag:lnRlz3e/ycjIVZmhjwhjsw==,type:str]",
-							"clickhouse_password": "ENC[AES256_GCM,data:tYLlYaZ+k3h6hiqo5HA=,iv:O8+sgygZvjqvPi/jBlqqpr8+Xu8A/cVGQ+O1qzJqiAY=,tag:l068sSqUPdCgq9eQJaczVA==,type:str]",
-							"clickhouse_postgres_password": "ENC[AES256_GCM,data:FoQ+h4WCy+e7J4oPy4k=,iv:Y9TVsYT33q7VP8ZJ3+kp5mY2esm9l9tZomouWfrfQV4=,tag:lUDArbz+5NpgCwFnwmFQ1Q==,type:str]",
-							"cloudflare_api_key": "ENC[AES256_GCM,data:lWvNFbcR8lf08jR35sbil+h5cNeYB2JSJieXuuFPaMPkVVvjAg==,iv:qKhISNTaRHa7PbGIK3QZOVc0gJDkgrh+HYeYbmmnEV8=,tag:dKTdfxv/lEyU5t5CeU/6EA==,type:str]",
-							"cloudflare_tunnel_token": "ENC[AES256_GCM,data:Dsob/sxmwhB4Bx+TX2SORvF1EYk3NUEw4OEkY9qAYaCJxgMO46alIdCj3mGGfqmqkG+XayWMivxvXRHafInzXrf7DbXyy0P3yKoaWbBc5h9Qf5YGTSHXRFalq3lJEQmlct8XaB8Lq0LbAk5HCFpH7qI7fmPijJoFxygKYqwl0r4UKEAEfVAYbA1GLlMFo2o1772Ps+kAjo2IQhhmOsBWXsRRMCEn/qIiMPv3QPG6KIChsRytIAY+rw==,iv:su7wBvMxaUglk1gZZfpudtlqMFIi6zvDCZEelmky3uI=,tag:80nXn2k69RJ/9Ot/GTOoEQ==,type:str]",
-							"coturn_turn_secret": "ENC[AES256_GCM,data:3HUFWXf7DPuw93Ej1DMGIfWCRa88tCaS6x0B2RY2mrDLDqL1xI+MTO+s/cexvGkGMx4a81El5y30wFXYVo7CZw==,iv:GZ/OSKwO0m+XAItzs/1IrJgGczHMFUN1nlUEWz6HD+Q=,tag:OlgwXrvddGXqCGd0kMyb2Q==,type:str]",
-							"crowdsec_dash_api_key": "ENC[AES256_GCM,data:y9fjMQsaDBDKGVwTRdcwHMrIbHCHJNw7f5ZxaPkM/wFe0uiA3K601VIPKw==,iv:zU9uWcZoZ0+NoLS9kv326qeADFVMi+9U7A5pIP/32wg=,tag:1iTIxAp8+oSJ2CVeodVzEA==,type:str]",
-							"crowdsec_dash_machine_id": "ENC[AES256_GCM,data:he7KGzGnhymdOi4prG1I2ff3KDSCFO0aHfwsp2Q=,iv:lTrMhUuXGH3/LchcNJ0eOJMAyF4UQcTIZtnMGzCTAkk=,tag:rtohNrOdAklABVVV4SXK0Q==,type:str]",
-							"crowdsec_dash_machine_password": "ENC[AES256_GCM,data:RnqFpVGNA2ykPOclgcaoeRkg0r3O0We97a82q2zObo9xFibwd1vVystf4FPOOENx3ZPFehp7Fi+U8K/xzu8QWg==,iv:paRYtax10tlUhqbxVQyCTPGEOQE4iHJbIkSVhCf0vWU=,tag:YEzwn0eBVutFD4DAHEYpFw==,type:str]",
-							"crowdsec_db_password": "ENC[AES256_GCM,data:YwWDkDfBC5Dr0+7jNh8=,iv:Urd49BjaoFut0U5bHfqLvoN/1Vgp8BA3YvjP2Ni6fW8=,tag:i5Wsp6VPQCS1v/kmHJx8Jg==,type:str]",
-							"crowdsec_enroll_key": "ENC[AES256_GCM,data:TT+FlFBWFxVVIR5SDJpivXlspER7YaeZ+A==,iv:Gzfm6Xv6TxGeNvm801bHwn98ZcqpTkIbPR2ictOI89A=,tag:gl6ejcALrkvU/Qvj3O0xeA==,type:str]",
-							"dawarich_database_password": "ENC[AES256_GCM,data:1I7qCr81KeipnZD+c/o9jV/DTCxcYYARGQ==,iv:RJXn/DL4EGGJkFGTYHZzN969w4S2aAOn7l7w5WYiOY4=,tag:V3J2Ii68iYdYHu+HIE8Q4w==,type:str]",
-							"dbaas_pgadmin_password": "ENC[AES256_GCM,data:jHYbzr42p8hJfKJll6phItU04Hf7vU0YIJUsHGJ9VTw=,iv:ypZwR9cY+9eTiZRWGql/Au+4uf9XnS228C2BmfNz3gY=,tag:cMR1FzU5BnLoi1UyA8E/FA==,type:str]",
-							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:i+tvwQ4OZzvPITrmCDRyOOViVnLil4YVyWE=,iv:p+iIFcf4f65USq8u2EVG7NeIzkoj5LppJoVhhFHuiHA=,tag:gUbTOYfC0znmYNxMEHlwzQ==,type:str]",
-							"dbaas_root_password": "ENC[AES256_GCM,data:KrUVtgSXR1R6Wqc4uawNz1K4glTQp7F/WL20Vw==,iv:ZAH+5R5UsXKJnRQ7Ssbbm3e5u4fr+n8bZjizsdVPo3E=,tag:Kb1wqTEVAZKqrvJgAbhc4A==,type:str]",
-							"discord_user_token": "ENC[AES256_GCM,data:NOh40S0dGUDLZTQOF882CytfmY8g6/L46mlybFXhY/Bexj0Ong61KxBIhR00eYc9ag4mSbq9HBT/MorbjB39SvF1+oOEn33Z,iv:X+hoj6aC15VGqN7idtZAUNOf8kVfT9tclEGVbyK9B2o=,tag:xsC5HvMrGYKCzEY5p7RunQ==,type:str]",
-							"diun_nfty_token": "ENC[AES256_GCM,data:BEpH5t8Al19RxGTRskT5H/0PhCA9wTZ1qCsN17Q3iEI=,iv:luUphNVKlzvjaR/47J36WDGAWPQ/RZetOA34EvZmtRI=,tag:M8hXaE3ZvthKSY+yUfy5Hw==,type:str]",
-							"diun_slack_url": "ENC[AES256_GCM,data:BGfE7pFGti3L0yjX8PddYYq2EkWxb5f52LL5WtLiSKr+OEctWVBSyl7D/HKB3jDJxiPUJOwLs2Wjh9yuM+T8iE3lZCsA6IVxkmAnRkV3wFrd,iv:oc2d3+EaoyOzGTGqn4S2Z1c4XV+TkSSMjc+VLUoXirQ=,tag:jjnWF4AmyVc/NOBfn8ax/A==,type:str]",
-							"dockerhub_registry_password": "ENC[AES256_GCM,data:/SwVzZZLYZrPDz5KhBEYwXWg2KH6Hb2ZeN1uxSlCJmj3deUb,iv:1GOUYasLel2QIaQxGRtLo4sNV4kqQfA7JgCPHBd5OVk=,tag:wcpE48seFseEMn2v+2XGVw==,type:str]",
-							"finance_app_currency_converter_api_key": "ENC[AES256_GCM,data:7Na4ZYRTTRIwZp8idE1u6VipLOrvl+c3,iv:7bxjpR9Hv3qQaxeipdaIMzJp+15mvijK3lpMtKWhdV4=,tag:9bvoq5Ck2gyrWlfcrEsTLA==,type:str]",
-							"finance_app_db_connection_string": "ENC[AES256_GCM,data:T1G7N3JDCeiozt9huE+wbM1YvHrLYMvkiWUBPSK6ZyB4A/h1NKZCjv5A6fIYIMXlLv02PmbPptJcG78oaHriwvqWu1TC21Ooqrmc30GJmOH3xqwkTHkDsA==,iv:Lmn2Gt/DZSBzoc7sklAyfGkxUltZ/qi7z6cPyrXv9Qk=,tag:fDw7rk8TNlGUla+RKTSAOw==,type:str]",
-							"finance_app_gocardless_secret_id": "ENC[AES256_GCM,data:6DGtiM8J40KuYaGfcf8Y7ysI730TOrG+xCYb47ZYYQR/XLRH,iv:f9qmnMi6qtKu/UWd8uqX4lxzq73xORLd/W1vClf4QZA=,tag:yei4ujTu4CzIaBtNn3D2XQ==,type:str]",
-							"finance_app_gocardless_secret_key": "ENC[AES256_GCM,data:ODMRz6zygvFjnv295KFym10LNuVj8g0yKEb53AsPVKoxPELNcCSsY3mSWjRv3rpcmCFGqg3RnE0hhnnUJh9XbHFXvjpozYG5qSeQ9vwJQtDlk0XxFZRy1rb/4C4YbcAp7tDzQyRhhi4iomNCRXPZhzWl8NgP738bE2WmfbPUaFo=,iv:U890NhdXpjYhFor6MHRd1xKwVxDxDL4jpMUK21jRJ94=,tag:vUC0Yth8edPd+fu7AFmiRQ==,type:str]",
-							"finance_app_graphql_api_secret": "ENC[AES256_GCM,data:6jiNEvjD6TR0sRCZKP2/jrZOopw6BkM4hRKZedLTauhkC0AxTyE=,iv:n71NuL2l5++actu2rXSCC+8WXuyo1nesUASI6ty0T4I=,tag:cIB0w5a7iKbC8xwi+JTNGQ==,type:str]",
-							"forgejo_cleanup_token": "ENC[AES256_GCM,data:HhaC8+jOnpsez0trp0/PpxpxAUg1D1O5tk5Xxnku7fupsMRj3jishA==,iv:lU82Sr7nWIwuq5eLqLouhTlAq6ZApLexRrNX8hSJrzU=,tag:n4WzgpXzXXWXpmaUVHbi5g==,type:str]",
-							"forgejo_pull_token": "ENC[AES256_GCM,data:7h8iw6CFQpOp4XATBHPcY51am6U5LCHqW0ez0FrAw5CULG5Q3yPCHQ==,iv:JxP8hWse9jTnlif8BukA2bo/KhM4CHwm/CgCDn9IDtY=,tag:AKrP2Zkr6veX0XCVR4Wc2Q==,type:str]",
-							"frigate_valchedrym_camera_credentials": "ENC[AES256_GCM,data:6rUTuKOo+F6SSK4QPgejEh+Z1pElNA==,iv:BfKIEIwc/GCGyGdPuxN0cXi61RVnwqonF0ruiGj1hLw=,tag:vRx8asbhoDTEcoh+XO773g==,type:str]",
-							"gemini_api_key": "ENC[AES256_GCM,data:cfiuyygdue8l90tM7RGGEqDuAU53d0boIRBwuwFBLu1dliTTeB1S,iv:wOHnH0sUFJ+5Nb33zulxRhG/Z0VZ5TRJ1HjSgTEnHyg=,tag:g8YTgW1/i5htwbQiuWayRg==,type:str]",
-							"geoapify_api_key": "ENC[AES256_GCM,data:q0RqNZCchglfdnftQb6tDNT0oINTXx575BwLrZU+Szs=,iv:YoId6h6hIeEYpZRT9bhE16fG/aPg4TsdosHTZcUurZo=,tag:iYHpyWNr6HjsMLwsd+LhCg==,type:str]",
-							"github_pat": "ENC[AES256_GCM,data:JSGHiLEZWYFChIpaoz0CZoRVCQjFBqbQ5pO/6gFup/f1AO+ag1HiEA==,iv:KvWVpLOHYjmPxSRXHE4S+2Bi33n0hw7i0P4MiY8x6N0=,tag:qNeKgpvvhbdW0ZUF+aOhSg==,type:str]",
-							"grafana_admin_password": "ENC[AES256_GCM,data:mL2lp4eBzm/am+06gzQkqrr13Kg=,iv:rgoBD4u/ruTOGWfRmF5bHeRpV+dDQSnc/FIZNLkqGi0=,tag:crIaEL2l3FHlZxZ0MxaA2A==,type:str]",
-							"grafana_db_password": "ENC[AES256_GCM,data:dffyPLvJF5Mun8eqpSTCVUvB+l52,iv:3einz0hxRmoML9AswFQ6jTJXjnuH/T21WcVBPq4JaI4=,tag:f1vIej7DBLbr96tmqOl11A==,type:str]",
-							"ha_london_ubus_password": "ENC[AES256_GCM,data:oanW6ptXhUv1g5lM7ravN0/LYcHFJd1Wg7uC7sUxx0g=,iv:4O8q27bbTeK5p51Cp3uZAQfTBuZH27oBxotLQJNpV38=,tag:bUqeTc1M3ujWYpJPslcwYA==,type:str]",
-							"hackmd_db_password": "ENC[AES256_GCM,data:Uyt6wCKIhZA4QGSu+ayw,iv:J/2XokL80cf6DvAwRR/D5P50JLO1R2+kuD7Kxa7UwMI=,tag:4dUXKghoVJOfsua6Jt+pNA==,type:str]",
-							"haos_api_token": "ENC[AES256_GCM,data:I+1LnNe5mPs1FHKm5XGpg8oBynGd1WpQsmo6JKu/jsOv4y7rdqa8bnY6vmPAFCBjFX/ntoNfbSTiJH6UQYkJLpLjAZ9Ua/HuHtdQceEG4ekp0ewedh3FGWstLrFg4AXw9ElKBAJe8m0vAHyOs7xbe/F/XVs5s2XCByI9zzO6T0aelv0NYPd0wc58fk2Yo/989ttdEMyI1MQcLAoY8xoghLUUCP9oivwItsJzgOizipw7p+B1dSx/,iv:NkX/tEc1zMZKFKIDuEQR1G99Iji8iA5n0KEtZytRXDk=,tag:bFIUCyMqq4to3WmoUK1BIg==,type:str]",
-							"headscale_acl": "ENC[AES256_GCM,data:Jn9ij7Yyr1Y7c2KwScVtdyI0hMtHN8CB+Xwh5WjUmYAoMS3GqY8aiGw8r4Dfi+JD4YukH6YgWy+nR1RByETkuQuXsOKPGSYmSxsXMQ51KNGgwdPxCL2KpRsblm0O8j2zHMP/kzcdl96AUqapFaKOUI36iYwe2JdcxhF+0XujJmAJFVVOgoD0phhXXUZLbRIlUY9KuMuYTan6SObhEYqy/TRoyp/XqBLV58pdY5i+ly/LGZBiRh9WP5/FYgOHPZCIgkvRNKriMlYVIwmrNXE/m8GGQZiKOPAFLqqMSyLFRK7qKbAbgfS/vVggwioBlZeecJDH4nTjtdUhgRktmscaFVQcBOtwRP46s1yF7HMFBbK2QXcePfr8oKh/wIbCOOyOhWzSmE+ACvNbIn6z260aVnFJH+a5/u1ch4pV+OQLVOpr9lSHaei2Dh3Odv91I6CoETkmYk6pTLu3b/UUNNwDEhvLn8QVLkuqcxor+2JxNhcuD73XBpUbPkiDrZEHuGBnPCfyAzIl4vMxHXF4GLSo/S+5YZLHzPJN+zEuQRzhB7NmAsEsYDwzBrnsbur08yE1knIFj7M+OWOdO2swjLUmEhKM/uNoFsEPWzZ1JlULdvtLSOiXhtId5hZ3dmxak3EAu6RbibZsT5buOfc7sc0Tg8sQPq1G+YjfG+h1e5khpdcFpmtqN8RqApnjjbOwuFtivhirq+8y8osF+cCjmOleeD9btd9axhlEldeOq8h2zQJe74h5Wq+mUongy53fPAxEeA/TEDPxEwg0wCwgCyHzNFpP+3LWKK79T6Qgj0fWGooZxB/NOeX2tyukBZVRQf3h6vFfukd0N15KwU9LZJiwN0L0hG+UaFqaqco687ddqN/H0OuIqDVeJPHcjapKELv7fmsXQcYD1T6Xa4JcArVv7mnF4/jxvI7dFVvBWRQqg+xnbqRW1vkk7FeC7P6/EBoH0KR3BbRXkzYomrNk8iNe8EjieS4X52WyCt4dTL01aNpD2eaPGm/l5Dr1Jo9MLIQp4SBuDqKZl8Pc4C4xB7skqeydQAuf0em/2URLIa44ouc3SwbuYOV8yDKKqhNj8+DxUp6iLEor2hrYMeMWVtk8WZboGxjLZX6TRQv5ALzEuJiZ14HMyZmZyZi7w+tBYzMse465fhm7/GpZGd5Y3S7Yu5MoSedkBr0L7JR3AkHTnQ+9+aW3R1nkZp5W3rMjAqFz8XZOOCPDT0oZk1f5SPCfxS4SFjpmB+LD53Ffe2cH38I890urMDChB28k3Z8s/dWjgP1YHvc3NJ2aMorah0U+W3yQ4FRlCtmWdbmC/OY6881iK+c78FzQKqGO3TqSOBEszMss31fw1g3TVcppZg9KmNstl1xrCAzM0TaoZV15gn92wOrGCtmUcbQ6V8EBvGqbE5HBA2qbIYr0f8cFDsCaUYnNzKov6vfV1furMlHez2+fbpNsxBHFzEtC+C/KkHVsf77eHwVfsxv0HWxZ1BcyD0hWrBNtJhBCKbevMZHjWTBKdeCiQkYb7Ra/vwUwPJe/ugMph1swhFVnrQk7TzA3FrUL0hxEHSjHr+suFTDIML/KMgbo8B6F09WdgLAHOkqryVz3N0DyZNehSw9xP8wiO3mlG6WYcFgk5Bd+UpyW3eRXO8hPHm21dKGyjpeUmlNmzVYGF9FmhHl1m2UDhcYDH7Dbk+67XW8/SWsgpin3MwZAanvN7Qv4VmXIkCE5iWuwHOqwjOTbIL3exjnu/sJJFWmtuYQZtWXOPt6WYE5UubEI2NEoDj2WN5qZ1oF3Kb9xpW/VnWDQNdYYsD6vHXROhJTORqnXJ4tkgFDQma3lji78fmemE55PuJu2wMSsSKie2uDfA2vKjWbX3CpDdaiYs/LJQDBInjZjjfsTr28lU6cta4qwFL69L8GI00ZNzkDub2HmjbiP6Weu3gaf+Occjr2+YENU9YHKRWEWJLparxyXhCgvXvF08KvWH+dBbmVGmCnCFKtssnCnjTk78y1VJaj8LbGI2U1ewYHQSQJz5IJmXZi/JuqS9jRYhl08Ij3mrANuj5qepotJRF/CWEWSFQNaWX1lfrwpwbnYJPCvLCbH1zInPa/fcpWsFUt5aAJL11Bo9KG00IBEggHhEvP2zwlbRbZ/4thGfgSg9HRH4kd1DC1EZi9MUk4EP52dn/iy9lmYFOJciCdEuAQ1zh0uSKRJh8fWlnYAAH/faS0uPM7i4NQvzOjdtlt4ROy3MgNBZJySZMhPnNr+YyPkbc2dh1be87qFYJRg4m/4qo+TozN7mtkj3ZGyggpkgCfBS4Zn1OSJhkvIIKAmi95yAwsVXNq05cSD7wj/7Y+ArCb+a4QZQRU4CMyOzNAotOane5nM09mYkCEcmsnwTU0Tc7/i5bjA1tfEYMXn2b3CiT0BIU2cmf6U0+QRUS3nmuA6s2lPegkFqizjCSAaJlGVlK89l4OW7jjFE0BQyEU5JjrcuwStA9IpkWCiPE7hiHHwUA44nFA2X77yNsalQg1pq2nX/BEW07hfKdgPlsxXly8JHAyqnlruWEvu1eHxTmdz5IkmCysttFTkAH4q0Uk5YCumux+5EWzgW8FAT+SgUjPRDwcA5s2Qc/JF/Jb2A3H6nXbF7EBIl/FV2ZnZ3yWJVGMjoK+cRb11AG+K+WGmIB6dDmF8EtR0nD3G8yUpgtGRKZMd58hz4VXicItj12IV2F21NCaPdxSuQKaMswJP81n4Yp4JwaKnEi+m1LapPuAowUl/JWOzApBDat/RUkZHw5ZV+Ae9G2povFZ6LiQtsNpqXIrd2xw58MM92XBRfqbgWKEUOqR8pETCADOnsF15FqkCwi5Gscd6O1Ujk+6APtlYmrdO9AWJjxKSFfNIiYFhpyfGjzqgd3Fh7PLtF9FptVQbfG0VXKrI7WfwVQf/weaZ37q9uoDsuuJIszcaj1QQ4VuwLNmkX7gnAZytFaH42Jt89s2TdK18uiEneb44r/C84zGNUNPtw74MABjboyC4NkLNfS0Qv5cfYVeojriMInYu6puEWSKE8fNV/cFa8eug0vDtl2Q01ot4I+FbF/335cQvD4s1df8AveRIuwGADzGsuum0MadWVgb+gNHzMEmP1J9I74gx+jfVPbSMwXniHevVrZMWoC+t2cVTiv42Uc0cGsTRE97AvsikFjm7lvwJW7Xn0LzkIn1l6wRZwlscpE+xd8ZUqe7F93Io0C8JpxwAjEe+tvnT9d/aK6h1TQ/b60AoMtsQsgksygI+UmgDPGm9FDvbF+223eBdhJVx182Q/51V51SKqX84sV4qqV+HLQkpi1PX+gEJCNjc+BbHtegNtw+KCyH15jAz9ggu8FlHABXgiUJd/U5WODEEU8kWVdIuElZ7DNtCnUFpYyezQ6+IIXwCBMS45jC9NEpxetGtIEJsu3XqMjIczp1pQpwojDpEoIRptFLadIkoQ8zgEk26qpbQB4nqNQZ9y42kmjpu+ZjGfCn/b41Oxjq8Bf+jjKw99laNKJfY9mZAMW27q74/DJKV0qM+eD7YHrCTYF1kYCJMSmK1N87HG9y7JTwZGBZ65fMFxczrpG5S/1SOGjug9/QFCmohIsoTUww2Hpfn0i5/MJroWl89zGN7AN14hHRn84TYj7kbtla3oIhAulrJACotNT0TqeHrFok/s7RqTnT/ei79g4QeLm5r5x8U7xv/A4ICZ1J4llWT9RGbnr2AeqsuOvWKYnPuW67esQGmMudGjCyzrmnCCtiyaGzKe6KILeUzw4/+QtzAEMjwmpjncH9ps9Pks6HlYwhWyhP1Ozq5Kq4ZVGcu1RHRqOuZdHydabawtZDccPI7gsCFbkt7MYztgzThdbmhAG3N9YG4AiILKqXvirE3Xi0vzRohiOkBmTo5yrD/WbkfQYcD2OIcnEljXtEx8UPlXSmc8+pZGvN8DBRFxojVrhKvtVNukoaEQb3Tum8A7Qm9mJ/KkKu0HEoj62SOy5YqLsydpUep6FxAXzuNr2a57tF/7ijKlnvFPKIbKe6NqLNiWmKfFkZOPwfy+OF/rmsNvwXQWinJkQFl25C2MI6nyKb5HRm7z+2uqQqtl3C1djWbCyWEvPXc3c1TjQQHe55eeJMdJS8hXGEXjPoU5nw2L75Xfc+dj0sZVJaV/fXBjgSzRHrIsZw049Ce7oOG2iGpqS51MVdtcBcE38bu6WFidoXPToTjHB8WeKhBlfT2kkCexi1w3wBhZ6D0r71x6kiEtU7PWf4R22AWg3uIcCG28lQh2L0+fgRMQwc4g6hfSIdRt3xbLrIvMm3jIkZxiRGkLH1u55BPl0WV0uI9bBr083JJ7OugUF3uKH1Sc25O5B4b/65/+cM+QbyqzmB6148N26UECIr2BiO8WLDPiFXhNH3BlZvyY5ITc03viTLXWk/VSn/s/YlGJmQpKcgPbFid/29QLzi1i7hK7H5+LvNm+05iF8CWFR7ouC3RBcM9D/sBDiSCvSnQoF8OJVO7w6lJ4246oWrYyv6OUsmO9HWAPHtQTXMWTQY4QgDaayQnL4knKztZN0wEBQ7WgffU211oAoDWx7nI9LNKoma4tU3kEMBkK4/QuklmZQx9T0Oq2oY9ODxsOzqeKyf8scfV34iKah7OTYauhWBX1fa639gLNpfay5r5dwmU5rP1Z5ZrRe+pEOUszQSLkWS2bfl5w25gqE8m3hxEDjK2z8SyyQeTRsvSiqTWyo/jQkwKdkZC/mlPfrz1ZBTZnBSGanyXhFTjBzImbBWYeBy//V7XoK64zvZW+SWv48LwZaEKo/HsNmkzWkBufOhgM9atTdP/xtxBJtvpt7k4xFMOL8EbhyiBjk1h4K3a05KbTO3S8oG2+sKsl7FCepbdfL04Q2dBo0nE67hbO8iprSlR7m0UKzQRlzRTgJxQaAk0f1XhlXY=,iv:+JPUGubJ1zkWiX1ue0ZqWUOXXE5Jh+UnnhQO+69N78U=,tag:vy+zmDIxWJtbp6rIfw1UOg==,type:str]",
-							"health_postgresql_password": "ENC[AES256_GCM,data:35d1kwGLZ9sNoKqA52EypuVg72UyNtLQyiWol/74TC4=,iv:5W4QjDuqCtqtUyADxUZUIhQt503sFu2ELbJz0cZaVN4=,tag:mY9EDExuiWYKcF01UOgkQQ==,type:str]",
-							"health_secret_key": "ENC[AES256_GCM,data:pVIakOvu2nc7TX96svxnRAahNukIr4avrfya6Hte3cZOZO3MpVJHMbXffdQpQnd+EuhsxJ/XMktGR88gE86ddg==,iv:4KQBNk6iFDWvlCrfK2vSIg5lsJxJjREZJ+6XKDkg6Dw=,tag:wvskHCg+wl5Cewl3UW9byw==,type:str]",
-							"hmrc_mtd_sandbox_client_id": "ENC[AES256_GCM,data:wuvfN6uULFL5mdGmy1nppc37nR37wFuJgjhA7A==,iv:mUsp8pzrq6mZyBCU0nAKkUMKAdzxIUOge6QLbBqIgaY=,tag:5aNi33TJHzkt/oPIah6pNg==,type:str]",
-							"hmrc_mtd_sandbox_client_secret": "ENC[AES256_GCM,data:e2TFZ89bsKAgTfEUH6Moidlo56/uCe66lJQQunuCVOcq6hSO,iv:r/AEWJCYRY3Cb4fYA1lNjxjzwEUdiZkRESrsva2dgwc=,tag:I0NJ8wyi3+ZZHwS71gdVew==,type:str]",
-							"hmrc_nino": "ENC[AES256_GCM,data:SerLbH8UaScP,iv:l+ENFF4agplTMyMgLYcqCmI8qEFlNYLHziCdnXUDKEY=,tag:UuXMgcUGkm9SRRmP9K7eMg==,type:str]",
-							"home_assistant_configuration": "ENC[AES256_GCM,data:GkNBQ4CIaqC4NHFbx6Jy0J5DH41sET4/EE7LPzuxP02XuZG27bAUEJsCzCW4HMiHBZCXediVopoghqqEgBa5fABTbRrKdF36hLTxsH3BSUhbFl9C8NzXKE3rkPBZxvCCBPMge5NLU923IPcmNCUjhwOtKRQbA78jo6lk/Yb56duiI+gB/2vg/eFohfvtpJbf52baS7bp0o9uSPHz+t1zcGV6T9UlEy1rIhMuoeQhJIHGTt/2q7WS1cBzb7e81tVkvsfsw3w/pSSHaIlTXAKi64c0jwwaUgawisekghGYH17SQ2iZl1vhqMqxLkwy33RXPvNkppgbYHKEpP9PGSvoR2wp3t0/rPob4xhnsTchGcWcVuVXAtEIW7x7oJLujeiLieLiKIq8MWO1DjwdV8hkHJRH4dYQnuGksmmd3G7B+pJ8g14WYH4aKVm7jWcxGqXSfrHTviM9i4wuJ+BJRBqamfjA2kZ8bSmv35dTeTsr4Tt/J3QKA5MicCCA+k2jtaX95nfP1SB+B58V7HSqxKiVkHfK5q6OQCSligY3QA==,iv:jUVc7cBxpJ3jjWWK59iID9WuN65lRV4h6XQvlhnGdGQ=,tag:jlWXfU/JG1D0WRI/hQW4Ug==,type:str]",
-							"home_assistant_mcp_token": "ENC[AES256_GCM,data:TJTsSnyMLtkdyhlFpOiicF6FaNhIXi6xXpVZUdqEC32cSvEJopgvnkyEzQ==,iv:V1R2xOksCPh2jSD3Ci04Dj7NlOW22N3+nw2Kz/RD1VA=,tag:s3hKU7gKVuSEtdXsygMMxQ==,type:str]",
-							"hyperoptic_email": "ENC[AES256_GCM,data:pB4RJbjLxGj3gMJa7Sxl8WU=,iv:dqbMdctFi8ZXowNGdc5lZlYPaN0Y1FqpENXH+ITk9XM=,tag:rdR556p9C4rqO9Au8Fjn5g==,type:str]",
-							"hyperoptic_password": "ENC[AES256_GCM,data:653CU/PCq+KupST/DTE=,iv:uT2SIYgb9PuY7ikyUF1blLKtSBYMsFX+6Aeu/ddn7m0=,tag:TM+cUY3o5r0ezZ57i6BgiA==,type:str]",
-							"immich_frame_api_key": "ENC[AES256_GCM,data:pL9ZV0y007f0bkpk4w2oznt5/5mnSR1Dg16nhCUAOCHfL/VfpW3w,iv:HGz+0QA2kErUcKFyzW6rA0/vgKamWPr7EyCO3fedcpA=,tag:9cUuKvaFY6yVhsI2wnTE5A==,type:str]",
-							"immich_postgresql_password": "ENC[AES256_GCM,data:maBEhlaq,iv:d8wLWwhUBVndMLhKwdBz4xLbKqEfo2/NriEa/h5gL0E=,tag:EZrlf6Ie00YDwlZKJp99MQ==,type:str]",
-							"ingress_crowdsec_api_key": "ENC[AES256_GCM,data:ZQZO7+OGR9IdJ0A0ULro1S6PdVjVT++fLdwSxMZIuHB1nKclZVo8Sewm6Q==,iv:ALSM/19SPbV6PC37OImQ0V7bMsB2dJnP5kFZY09rfTY=,tag:oTp4Rw7IAU6bjKy21T2Ltg==,type:str]",
-							"kea_ddns_tsig_secret": "ENC[AES256_GCM,data:xaM7N/ZuAsrcl0mXlg1iZ1GDkd7B3rPf+LXUy+N5posTzOQox2OtH3rr4do=,iv:iQii7R3v9Bkas2H/TWKylXTmwB1qDQbGwpAmorRYxyQ=,tag:D3ksR5ASWCuDooXOKnH8OQ==,type:str]",
-							"kured_notify_url": "ENC[AES256_GCM,data:mWlEptpKSwPfmdUb2q8++5S1POusua4M2+asK94WRdy7SmbHkswlWA6Y5DrZE331XBkG2nh7MO85CYt0BJksotqaI0PzMzXBFVx7gbk/ZCfa,iv:z/1zjBITfSwbD5wwH5yKjPImRb92OMhgbKYvZGKyvic=,tag:coTHQt6G0Kq3642Il59fhA==,type:str]",
-							"linkwarden_authentik_client_id": "ENC[AES256_GCM,data:Zp5EahvEptVf73cxh/JI+uq7VLcZO92VoQK8+un08j1zWoSG9wieMw==,iv:AoV/vaAcWZZuOv4FcRIlqoIvNNDzA2W5ypNSjExQ/00=,tag:1f44L5iYWmTQ3alZTtHEJw==,type:str]",
-							"linkwarden_authentik_client_secret": "ENC[AES256_GCM,data:KOVkmuKGRFlTOmZbhuw2Cn8kbFKvL9pZfD6aFVWDoha2N3hET+V7eMw2EOgA/gIsjslyKUqRP9G67zR64vM8LMlPTZOEQz8SjT4jkx6djsTwla/pXa6T3sXXvh28/LyFXmeTKtyCRmdyDCCUnR8qUzel/bezADsP+eweLuT/yKo=,iv:qKCXPSrSTzqB34rJ+kOolGMlyRQGrOQXb9rABq79hVM=,tag:ztfHIp7wIdwyXjEN26UuQg==,type:str]",
-							"linkwarden_postgresql_password": "ENC[AES256_GCM,data:kZS6wEtj6KOC/fi8cBkWRRadyAnP33ZfmwGoi/tQMhUU695oiN1DFFOalw6NP4GWahIB,iv:Ac1pKmAm6je82Jyyjg5JaQcIZDvUVYBvFzp2aPFPI48=,tag:4bz4dMyXejQD5f2kyedu2Q==,type:str]",
-							"llama_api_key": "ENC[AES256_GCM,data:+KKPA4bxTrAvtDxsMPFmGdSI72Vx4CV4WQ+Sk35AqXHp1s0qpVvptsAgb319/TWS,iv:Jr6d5Cu1pV/8b5BUyH5q5nUQqo7IXoPiKl8DnRsAEO0=,tag:SqZLz3auEtaiA3HbgEUrhg==,type:str]",
-							"mailgun_api_key": "ENC[AES256_GCM,data:kVnGM4hnn6GpL0vakTE5j5wLt8C+A5LfpLG6f0USOJ86eov26TA0Rrqu19cJaL17jPI=,iv:VzF+a6aVMW0eEj4zNgAGqzhI8hy2HNqEpX6Ow1M3QQ4=,tag:i1zv2M7+jnQpEyJrUJoWlA==,type:str]",
-							"mailserver_aliases": "ENC[AES256_GCM,data:j8McW+D09rDLI8d6eutZJ/b2bzo/ShZGGfnqquhCGK6Txmce2I+cjAi2aO1W1oD0kImYoi9aalSRI/u2A1wOyNYh7ZCYJcOV7HUGO16+TqTzfwxbMh/d0RGDY7oq+PNMZpdWJiicuYwcjbt1dnmDvVBYiReMDqXV9ZfH1G+WV5QyFYZwPZd/F7ED3LvUaS3YoISKyKDFEd3GuCee6ng+3w37Olef0cs25XHFLkmXpvAT772iK50OnLcG0G0rrK1JpZ1FoCAoNvyE3qh6AWONwBW5f6UDSmD0h/y5pt8Fki2ImQBKUWuIc7m0pOfwaCjDAiCQ+wp7gkSYkb+g6qe0DzNDT1EZ6XENy1dfOLlcnjLxiwvBEOQMOCDarWbkIweAVYNQzZyTIMTb1v0tg6c6e5Frd4JEbSj/WvO5XlkKOrG2r6QKpds/xf1wMEtgp/O5OVyjU6D6wTFF1/DmjcOEcJpjH/wGbYjIzTCO69R91KzPkM0MRLfrc25HwqRajWk8fyUKF61NOarG8rsym2YvhzGPVTrT2CtEq/88I1UdL+QpVQOIHVY7KIePfCUbz1CnYr4FCWgg5lLR,iv:2B7E6ZqbldBFEFGsh5VlvRsNoScIRyjEsS5nQTticF4=,tag:0nlxctfHBYtBDjyhv2IHZw==,type:str]",
-							"mailserver_opendkim_key": "ENC[AES256_GCM,data:oHAyFm8FISg5Aen8HI66eBTc1ginLrTBTKgvyedUNYCXDdWVOOe2MfBL/Ef0R670pmIG+gkKa66BHQF1VnkpvXRIcD+XtJ5QFrfQU5ef5tCRWqzErw7E0UozfRT3CKULplKpHvGg9Sbu0Y7QDP5I0FLsw9qxjkKxI4xiNJLPcpdMjjFlpbZlMg0y/KQsrBRjj0TDijWokXnZL/LNDHa8+MO/InpTRyfz09k4/SLJjez4S7x/9qeEMcGWTFqgkdZ2ZmwZ/qp98MHBmWOmLuu2gD+werBfHEmv9lE2aXWB1LfMekoFEjd5iWVIlmkDGszxGmhXdhXc3/5f0Q4s7lP5FUMUU1dhJ1DKJFx/XLix5PYQHLV5q/3ZJVTUnrc1GLdpuDD/qZIfpCnf+YO8mofUluMXU62s1cotXzS4e8CAT7kmXQ5G+kCDCOnK8TuyKJC+NNWM7iz1y+K+GH8dIVMfTfI1Xk6wgJxpiAb9Zn5XiLSjFEOoICZURNojnbOp89L4+0ZUcxAtDY6hr9vFCjaYJ82NHLZ4jnUPshl4+XPP1tiqFwazNt3B+bT7i7ovlIqrGCHFu/e1iAAYL+DDjSc4coK9jLkBJi4ET7mGr5R/LhijonPD+FORh9fyai4ulTKM2cuOOweQM7tpE/ggsLUcyzRIMDDSmAp69VErYHb+h9FkqORdcbxDfNsZmLi87ni9qSkFD9MWyQmGuJdXaMR/wkSTnCasH0cKy2M+DSY7ROc6aQ0FVI7jAFMtGLC8zBaP20g1rBR/MA90mYM2RI9taCUwQeX4KsPA91/QfOT/CQQnwHltsBDluHBbLK4UDitXngsj21MNC+BzUJ9W/Fu1z3CljK+GaWTo2kZZTR+tntpFAZAhSjbAFD32fLnXqvSH4Cqk6c3jwT5oKtYBRVxMcbNh/gdkjkxUZsJ2xT5QlKnwUWrvAdH2hpBUechLmq+61Zgg7uLHRmMHAn2O67swEbudI+uZCPeg2cqPC1I6PKKMNqLnioU6+49B4geEg28sl3hBfUM2+jA9LGM/wIQBYNtSACK9ec4XhXiI0rw2s7tz+8vn/eYpEGXL0eRBV3rwV3vFJA2bkzvundoSdbQVLoyxxE8lgn5U2nY3t6SNYfrGif7fO/c6F59/nEXCBZZzMVhm17fIMZUWzg2Kcogn1gI+O7Gt9eoRPC77ImPjG/tHQX/4/2dSngJls4kVgnswfIxLGlyy/M3EoTITbygqmVHaZHN0nadtH4cAl8VUAu7WLQuPaSsspc5tAnq2Tm5LTf/A8xNe3bdRQRV/lk+AXyi/94xd1KwfnRjsU37mphQVsQ58YBmFXkrG4hhZidsketxJJ7kWw86yNnOw6HcfcTFw19Nm2WHRSLfqFfFY/L8OgJuku5vQezFB3hy96Jeuk3lz2mdyHVJEg2xw/CuH3ed2qSg5YarI7x6fI2xJhBiJEoQHIf2dtzVKAicOBTWqK+iCgWiosD91sabs0fevHyPtckKHNoP6YoAWo8uWSmzTBops/u3GBG5ynNkr1eH8gjR7Gq89PVjAM5XOh54koJWRpmdgvg9o7E6p7/wz1FSN/YEs7N9N6DDJ9AmbeM/ShDT7aKaajcg48N7Jy42Ru+6uA5rLviwIndZueJWMjprKcvgJENQm/KrqdQxxN+NfHnK8gLfY9gQlXRgZnGOt/03AWOhFg8zPnbB/lamiFIDaUJutdeflQWR+8NxEjkEDQhfVaK0hzpTgNV/tlQe9gNaKZ2Tf4iwp/pxvNWPAE8sA09MVGJZPhPxaAGvwmt/UBgzJajZIX8S2KzASSImppHxNGsveCSERMkZIZgHGVi+UgpDj2E3Z2+4kuKS/vAYqg3nKok12Cf/cU/9WF4frutzzlFoZrnCUquIuZajkN5VU4jhECmW2PBsOQintSgi2ArC6iIt5XwLpKAesubugCbeYZEPly1GBljyVmTl36fXSq8Z8cd2SIqxVPd+dzBJGvhKJJ2b8njani3VaYoPQ4L8skzPPINFtXRHiKsZp8ChWw3J+vjkKRtRufvxWLqzs6pgqBJ/TTgF7y95FK3PD1yuobQxpbIK9OZsgedx9Se0732D7C7m4bh9sh+TBHyLnbDwpnFpcvvZRTBn9uepb7LudgdoUSLyl7N8msybaJWG22spnHDHe219hfGbeR7S7cnujY/a5skGPzJckQd07UKLtTYT04t9Li6iC3D7TvFjG2dvrz4zMvqxOicwJUw==,iv:nbRFDcjcg3laYNl+2sd1FQpsrV9r1j3s78X5L6I7ajs=,tag:yyHgiTWFVhdBHOr+ipyNWw==,type:str]",
-							"mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:vVJ368ktMDCpSJdQM+4=,iv:/l/a7Emkx0z+Uha37xaWjxGl1KZOMARRc3NZo6BOgcc=,tag:CoABFvy5IQxwkRKyBYIkOg==,type:str]",
-							"mailserver_sasl_passwd": "ENC[AES256_GCM,data:T6163/ypd5Zkq2LSSu+RAZVrQyBN5pB412toz5P+e9+plvcX9Y6Ma+boSrNtV5+3XEU44y2j7MXMgK7pvMcIV3sk/jkjp5pPvF3sbhKPTdcZQ8YHBbBd+BvYDSkCVac=,iv:HbXC5+MCdeXDcVDMPRZp1MtG7+5Kd5QiSsmGYIX15Ww=,tag:C9Ll6QkjRW/72oOZdEa4Tg==,type:str]",
-							"mcaptcha_captcha_salt": "ENC[AES256_GCM,data:/Z9u2aPOyAEAvaWCPXJaColb1SWEMIYuscCfOuB7Q40f5Qc7SI8KOnHkMgGiH6xtlslfUbCpONBLDDxizIhm/w==,iv:lRqxeTR3RaouuydS45OgxFx7/l3KaAQeAYw0E41WrVw=,tag:vVQ2AMJtXP8pM33mD33XTg==,type:str]",
-							"mcaptcha_cookie_secret": "ENC[AES256_GCM,data:KPm7HG49t9Wdk0Z/EeZ7CJ2DiCV5xQdET4PDVivkHNVTdIm3RkCiq6thvV/2iTKo8NtiqHhoIL/RKY5KyUyauQ==,iv:V3B8ZGosG0Hokv48n11o58PcaA9QZX3UL5UzT3hHYCk=,tag:2qIxod6R7F0ZV3HUF9oDUQ==,type:str]",
-							"mcaptcha_postgresql_password": "ENC[AES256_GCM,data:PmlQC+MxekKNqHBTMTbOfFtLAGw=,iv:Y4u38Rzs9nNZst3LJ2cSUhPsJCHvszHQo41fZiGMBWs=,tag:5/ZgMr1r8s1wFMF8kcp+kg==,type:str]",
-							"mdblist_api_key": "ENC[AES256_GCM,data:QKPhtZsg54TgqKJEiND2qONPqVG1efJK4g==,iv:8Y0f0R/JrElWagaZzRoThPbrGrSix7KK6L9l3xtaRTc=,tag:sybdr5ZAlDvoIY8O80e3fw==,type:str]",
-							"modal_api_key": "ENC[AES256_GCM,data:1TIOKa1qcfhP1Um4f1iiivdVxzKFMs6zjcPhwDSACiojpO5hRenxA3Qk+Ai5JkseLhNdp0tA4Hpz,iv:FACdMfz1zi2gFroSB6TVkB6R4cf+Yc6yWzQv8YrtDXA=,tag:FlOL1TTNe2T9/jv6mwsKYQ==,type:str]",
-							"monitoring_idrac_password": "ENC[AES256_GCM,data:SkaaUJL6,iv:1F4PaiewQTKXzk6hzhCJdzcNFAPNMRln/ptZgLMVY6Y=,tag:6v+tdCZTunP25YYnzB79lQ==,type:str]",
-							"mysql_forgejo_password": "ENC[AES256_GCM,data:ea7toaHSMfeGVeKPyDo=,iv:8/+GZC/vfvYGIpczWO7SWTR1DWsS+tPqfWSXGZfjD+A=,tag:7kHJcPu4fWi8ms8vtjZjFA==,type:str]",
-							"mysql_roundcubemail_password": "ENC[AES256_GCM,data:hUbqyxuJXxdnCZSakjc=,iv:egyRYGXfaFKELCOF/rsBKsVYMCHIUPJtsVESLXpOSLo=,tag:xabB+3z3Sx6iubCkCH45SA==,type:str]",
-							"n8n_postgresql_password": "ENC[AES256_GCM,data:JBWhsJy+6Nd71KIk5DE=,iv:fnR6sQmLrftTHDQKMBQr3/CYL9I9IvaULMsOQOI07dg=,tag:pw18eTYf39B8OIXZZHC4CA==,type:str]",
-							"netbox_db_password": "ENC[AES256_GCM,data:fMc4DTax37QmIHhqhPTGaFA/oXFZNg==,iv:1GNz8y01bpa83BWAISlUt9HtWrPdhSbPskKNE1mntzo=,tag:nh5h39a9V58htZRX2jySEA==,type:str]",
-							"netbox_superuser_password": "ENC[AES256_GCM,data:x7AWqTIogVsOoKw1p3VZ13WZDlEAGAyrMdM=,iv:jL2oxh7YEycUXWSs03a+YhGYAEKcUIB9TvqQO5XzlJg=,tag:tSHVuDeMpMcZo5oSxniikQ==,type:str]",
-							"nextcloud_db_password": "ENC[AES256_GCM,data:pA5UY/qXjjp5q3+fWHskfA==,iv:mJ53+rZW3V1lFIdXBfoeYqRrXK25ZsQ27CLj98QrNT8=,tag:Oy2PFR1wa7mll0jF2pEjig==,type:str]",
-							"nvidia_api_key": "ENC[AES256_GCM,data:dj1DB1HHevUnjzvnjXP1F8NfF9YAbqHwnFf24TH7t1o/X1PMgV7pdoY2+itzdOEdQMd1r4CrjKwWjIEpCChdA1DuOHpSwA==,iv:oEZqMbcHH4vdzbcCS9qJ1m0707dqOoK/AzfSi4tWR/0=,tag:Y5sVla2buGC6jsmsJOmWMg==,type:str]",
-							"oauth2_proxy_authenticated_emails": "ENC[AES256_GCM,data:9gIsryGHTkXQZg06AQniOrZwZXvyoizqNJD+WObY5mlsrU9vBc/V4M55H3pv+uOoMORqyGEFsSONsxIKVp5TzrmcNHgufhn6cOwu0o3Sn2BC9E5ZASHbn3uCa5hMqp1XqEBX4UxGGEak8+NoxQEFUQ9Ts5qT7T/uwJtjlNsseCZkQ28JYInbMb2nf13npbXi6NejPWqIPHKXN4DnN7qkW+Jw379GUzd/kfyqRGGP4tmmtnW2FKgtv5i0P8zKq9VUZVUG1n+WU7DkYR1M1hIzIj6UEvcUz2rzEQEt539xbjHfdETDnP3YrFjIMKf84j8TBvMXzlhm8LvFS7qH7DWOskiii4iXl2/7ARvngb+51aLV+RMbbU2jeDmhjUXO4ecU80z85jfltaSf3xVu8RS74D2aCuzAwyrYlPw22oDAl23HfDfE7xhoON7Asv0DwXWJot+YfHwGFUjy8eoMYXoadGeDdIqUsA1CBnSDiy/5WBzjJI/PRBUB0zRWIndrlaM/7BmYtb46Z9lMojmm5RplpNHLFpC04XqBXsWjdGaqgnAEAv+wzJieztF6L/dSEWmynknFDphg4LfYadB1VLr24Ah+Fa9FFo5umIocuDkbjHMBpaDLQZvIwOH0olo6ks8JecDwBK1CTiq0c7i0acVezgOFDobhWPXY5UJtLj8PdJKlG166V53AcALXjuwsmFtlvppvx3oldkjG9S/JCefbk6CRQG+8s+OxmmbjkVnj0zt8/sx1g8j8GqFA7PZyONr4kDa9aMpUBKlu2B3iZEZQMXtD4f26oKanjtqpgxuAuwz2W9JHPkhG4U7H7ZMxuLRCuIS/Yo58gvAKVxCgqDVIE1AVQD1zKd9jCnzlb2R41xQ/yrE78r6bvmv/ZtMU+gjuBcwClKNAzKaMXQRjKdyOxpu++sNOfzA68+bxYfZzk5mdkUlAL1NNimuMHea2qvn1HRtnz9toMV3MuhVQu9p3c9L9oP30GODCpN6S6xFXymbcm4UeJILZBOZ1Zsdy/HstbiwnMxdfyUDuVJKqcdp72hSzjz6L3Oe/DhgpcvkTqlYW+o+NC1xxzA0ymRAZETqrSbwxjBqBpxOZCH74ePurALDSuvXPKO+r3B1Mnd290YPZjOZv1nBzOLdxBnyYqyB8FeqXJTkAzGqtLzN/wSCOP+uoxQVqujf5yONIWwVIE/WPYN4gZ6uh3IsvnZRJ/Jj24/320RnjDD3g0rkLtxZDLSSbDfiXzB0u0ubFQLAJaYUnu/zONeyqRhkcWgva9zdgvYF9I5AmHwLZzzlXMoKdX4/NjoEDiWp81Gghocg1VxKx/kJhb8TBN8+cjtBRt1dsohgdAW9xmQ2gIYJ0XHgKJsw5Lgd2L0WOI8XuD79Q5HAtyWLJZzuOcDzWdhr5xpg0G58Qf9paDf12tkU3Ck4SyooM2i1xF8zdurNmKEhGYMJwhf2H10yVa7igw+FUDHH01lWn+YxYqAG7NnmWZSR7R1ddsd6f5FD0YleIDz45YVuPkhEXK+5lCzXTgdb151Kqr9+NkyhOAnV+4aXylrqi41qUUwR4GSLluAjr8QxLHLyjhLGpc+W6dPGus7xTpePXNjomBOjmIS4aRo/pPj1Li0krsbCN+/5rYDrMbO5S14jJomb2RBrRxgXJqx/s0bVdHA8khahYkzSjnfx4vpzkLKNgzfm/BdXu9AMVQgFE1YW5Y01FUtkXcD2t40HVRCHkcI/BC91vrtFhgfwzrHWKfx5W5q1Rpv4rrF4om23Z5X71Ni7fE4UXy6ZbIy4zaUbNOKIYBa1JkzBDbk2YVG5CyveqM60mDc4jCO2bDn/wnlFt1Xr5b4dYEyy2qebo3RcVxG0XfVXbASnoB3XRjw/wqafk6VqJml4YvIcUswJ3nW5DSTsUAIAx7dg4xQyWMHbc3JC0coASpaCXIa7Xvf31LlK45bZnckzWEyRuLhOxvil8gmxPOpxxNyJvRyTTiQoUWgwu01jBYzDUjZ3GiVpW63RuEl9sH/gYhCVKG9AT29gXlaGZLxyIWEgqBdWdLWrZ8ylWTI/xDwsO2gJ87FtGPHfuquLoaNAoetXDndytcLf3QCNZ/zeYNIlTNvUKL1OVRnm/wddvLtj+zaUx3au41OuBPfqKtSe2/ICkfCbuqa/O6kg5cmFIUPYFVHyddI65Swq6ThkjVm1keB6XX0A67I6ibLcMEwSWFQQTzPIKGphhbbgCR3gI3cXHJgmKjPehmLWn7YASyq6USgY4/AgwoWPMuaPCuxgVGj83TP8+iNaljK5VEsea2MdxLceE7FDJvWoYCqkCqE6futUsOhWzzU8pUxk8LPE3v0Qr6k0B7319nrPK1TqzOaHllPN6XedDOMdAzNCduN1zsowzxKzRFPF29klPQRGQG2Qe/8/p,iv:4eD6k3UvstGrDNc6DtAHAZoLH1PFW8M1fmYRaYuO9Wg=,tag:/08Ae8jfA4bKiv92xAmPpw==,type:str]",
-							"oauth2_proxy_client_id": "ENC[AES256_GCM,data:fJymZRUpTeV1fU6W7sdF6USt4sOfElg99LB4Q/ipJGJhlr67D7cIiJcq+hdMoKXRRpk6l7EqIp6YOXkQ3viUbaO4bu7w3iNo,iv:W2aqJL/JEuiLdhZpS7CFYnoc3iqK8SjTtm+VxyFDg7g=,tag:gzERfigDxJeWGyo8/4sQng==,type:str]",
-							"oauth2_proxy_client_secret": "ENC[AES256_GCM,data:7oBrCDlmpsfeT9bA7D+TBDaM4wS2LyaC0Wxl6k7HhrUXnIE=,iv:8WVOMsCfZdvtOrmFQ4/xZ1TvRnmlfcU2Bp1cpLlh/K0=,tag:PUBLJGOPyt1nULPLfpmNhw==,type:str]",
-							"onlyoffice_db_password": "ENC[AES256_GCM,data:k8SqfT+R46TplvPbzAX7Z/uOT+u8,iv:TDP5VoXYPUCXLz57vfrD3AHbWgPkFAMs74cMGZXROsQ=,tag:B1/FktYfNOacDTzBg+qXHw==,type:str]",
-							"onlyoffice_jwt_token": "ENC[AES256_GCM,data:lXLojne8GVbjBVlLj8BMt+RO0vd0,iv:ca7EGOcVfDN0amPnC3ulQ0iisoUzF2kmb/iahmxBQ+I=,tag:gr5GwixjYBnxyedW65I5xQ==,type:str]",
-							"openclaw_ssh_key": "ENC[AES256_GCM,data:GqzX93/xFL0qoZ5fV14gNovPaEhs6HqaPzAYklDoxBo8Wkv9Z1WVkPd3MHI9UxX3RX3xoE0QBMQQeXq6Wb9Q4ICnphsZ+xnYNy0wFydfl11gEfifbSgiFWUxilkhA59Uo4lwVver20ic3GgfWrAEGMsB2W0eG8EnXTCDdXLAx5enY6dhg0b1b8GTOZBKxb1HVQae3p/uOIqeYZjuJv0v/7vHIUfF4Cn3zIAzmCw3C8tFvt08gJcnj5Zoz59xxbP1ZFD7tZ9i66qXxVp2kPNsGaW5usqzFIotXsAUfuxHab8X4l3b4mALxSb30H0QEh0NWRY2JqNeYFt6eVR2t0pEnoLZffzY1uJZgRCVAhjVtNtzuQoP+ih+DOeV8vRtMkcUD/X1QQsuxnJ3Ou0++Ufk2d31Ghe5TNWnPXzuX6XBcoaF1Bd/QUT8pAUlF+r4YQ/rhKhX7+AGkx5GSHZTp4KZuQ2DfHgdc5vTWvIghZ4cwN+ihRH6/rWONuX5K+6UUB2rhGAChjyrYQ5U4wopp+Zwx7aF88UTsopQXr5LL4oQyCVcjQ==,iv:9DhuPQMmdebYWVCujSAzQwYny0MV34PPZewciDqMCOw=,tag:R1ybn46tU3gJuxacrUlEUw==,type:str]",
-							"openclaw_telegram_bot_token": "ENC[AES256_GCM,data:raBgYqxPqSbt39mq2QxuGd6kWhOWrcN6flPBoPHbVhIqtw7VCUANHIsjLrAn0g==,iv:kBsMUvulZ+K9NVkOvSTilr1d+HiD09y3WC0TywkGlQw=,tag:uUktORoTJLPQ3/KxgEafTw==,type:str]",
-							"openlobster_graphql_token": "ENC[AES256_GCM,data:8+aoVpXKY7DGkxc+dX14+ohTT6TF89YE7H1WQOb3N0Q=,iv:feTvjxocQACmysDnBAgeG0k/aBhg3tvClqEcZXb5/H8=,tag:JJKeyQuzSdjxEUcncEKrBA==,type:str]",
-							"openrouter_api_key": "ENC[AES256_GCM,data:gFijQUrEdkzAnonunmDGMHXUBsz8HnaV1Px4h/dYCRs3C4P7K1DPVDyLDU8RWvWMGSFdKhDk5RPFLdo3YFEgfnFpxznWdIOieg==,iv:i9IktmXfMHIpMyvNr6nXwG56QiePM0JFAFW0KuxbUGg=,tag:Mqlg9v6+Bx7Hs3mFwTNICg==,type:str]",
-							"paperless_db_password": "ENC[AES256_GCM,data:0Uj1wfCTcK1O5eaYy5EgwCmo+wXFdg==,iv:Maw2ALnAq0jbZEUgrQPeFKld05cCnRfr54fwqlTe/uM=,tag:ByR4kQujDQveTOXqb6CPLw==,type:str]",
-							"phpipam_admin_password": "ENC[AES256_GCM,data:cuZXsxYign2WCp+UdsmRA57171wQdcSK,iv:lh1ezdIwOatW/8rL7npFN9CHKVb3DHWzvswZLaKZz2M=,tag:LEULiLbkReoKud7MfrzXfA==,type:str]",
-							"phpipam_api_code": "ENC[AES256_GCM,data:5Zbc5oPr2avN77He7pRpqcG1VBYnBxUkHJeJHRK9YvU=,iv:/cQ+kLh2ekSZ9t375SXvkWVgLsBagJbtJzWGaX6X25g=,tag:6F08hc6M4nn00Nc+ihKpgA==,type:str]",
-							"phpipam_pfsense_ssh_key": "ENC[AES256_GCM,data:guyQMA7+lXSJfYilajNmUsMUuSvlgdr9UEHVYE5bqTwym7L80clfdDK593iiKEd2bLXYa2XMRdTS1DqGn8E21TX/H7TmjnpfizbTvUCbp3f5MLWW7pxHvKlk5LHAFphHYAiHxt08yr77Oa8Y+GJ3wOTE0HD5egDS9sn9J4EgnDbhK2ZeiMKHbk0//9/DemJUvmPkzLA4bW9+eyIq3NzKJI2Y7YTugL7tunziKcpsbdq84Psf6lbv4I8YaGivZodfNduJDOdSz554pSnn9ihpps67yvPQHKkl3IiQcURYnG5J13Oic96fMch2+oBRGlkVOecAnoDeT/dUKo5YINXmP9FWjsCAC5jnKVjsIf5mIRbDzpLtAPgfZ030kluNHACROLCEWb7lbKpiz6MLC4+ODa6PXmMs7F3lCQrwk4rgM6z7c0vCrTvp74gRIWcaMNY68WNrMTSoCTBJhq/pqjvzH7gE9HjE8SHKCM+9TGTj9OkVANmb+HzMiCkYKyNLv2rQT/Ijf/5zU37Wx8r8L6I5loLBJsNFKUjZeS6dPuJR4AZ3BL0Jl/AW8BROdRN7lOvCqCKlj2a7ICWcA1E15IXfZJa/r0MF5SsE8hZXqcKCMtEneVFxJLMkQxVXU3ULAxSs8B0c25PJjOwpFSdUQfVgO0Dc2Hi3dz03JnSSetZKw89xr0CwxWXlFw0quRvv4Lz9EaA6QOZQkUzNoMu0WLY9u/GPO7h/cQHn3HGhevPFM1cLUby7qeKo3cwK3gaLfoyrb228ZL8H94ZaVG+w5wQEtjGqOztJeqGfnG1T7Z/jBHGd6G8e2t3o8c1SpbpzSUPtPlr3crQMjF1rAgz8SRJBme4nYPGHaXftt6Ph43K92vLybtoDHoTh+i6Ux4UoQ9o09xnS6QqOlkuQ2kVU2n/aCoP5EKJjpZ2TXS37X+8DbweDP1in1A4SQ594i3e1kuldGY4sI41uAENT47Z3AUiRTrYnGxmPn99jsxaCbfYe4uQ/uXu6vncAHGgS26JSEwdowmLGepGBXOrtVaYpWQ0scP/l2zkQHGaoMIT3uCnKrZMJRvV20zkZaHyTpObtQMUa6/CU0aNoHymrr5Zl+BKxjUct1tuSWezyflJvTZDDA7llBXbC9ozUwbGh+vaDE94nsHCCArFwXBW+r0T7kaxD+PUnuj4cXW636quIuVt4bU1f29dEKI6wXvfOSXVCvnP7wuKCagWRIjVwpWelMo5JWdAFoy35gOqTbmNt0L7h0biFNmz5NexX00PYNo9fnnU3/OjEcsFqe4aG9tEoFnzllypsgEoga6KZ4MMutme0PfvpPV5+Bjr8FoUC8cynlqmf0tW8eWlwsGP4LgePDU3YIVk7s6bgB4bBNKVjCmeOqZTwvNnDg0qnsuXyU2xW1Qym+B/eMW5etp8rLJriE1G860Iaa631ps5WH436GNSM2FzuvpbAzkZnqORvOF9mO6MUVP1ObphIDj4QbfTiff2m6CXdwHqnYtn5ApUFCH+LOFv6WnssnyItR9dMaxpqTPjH6wARwLYOHiNy3/viuaBQ12P+kym/WrSKvs/9d+JJvId5qpa5cTJxGbEYnqa/Tqkd1ildNFQtJDsLxgVpmiU6x8h34uCiwAG2Zg9q8qNcFpk/VpH2BtjwkfaDKkqeXQKHpYYFfM79JdeE0YEsxxDjJCZSxO+HFRXXOa5FOd0y0by/qYNpGJo0xPJRJAFpkF4duaEES3DBGrBiUS+zLTZVyrn1elpwRQ2+lEh5oUPzEVJQWEn06kFmLwrbmz+OSd2LIOiEkJWd9CQ+Squq3OdzDfNh7iefLFpyQelGFe63RzK+zerTDUKX4W2mDcml0PJDdbSST3V56S6oSwsuarOldDus2fhijR/c4y8rbMDVIrBiImeqD2q5wC+AqoaftK6oM5HpldadbcNgbbj2aIYzqezhhyPa88+RChz2NWQVvCxzLTl7OHxsqWGBUije4/D4oElpb8gXS6liBSmGxsZj51jsU0LZ15asHXB530Fc1HFvgyevNGmc/fEyM+gaXvtVf+3AM2YQY3VVTnOwHDwhwgwdyKNbPsSzncn994i/gH6xQ5a5Lm23tWb6yCn1Xqoesvh2Wlxc3HF/mwnj7rE3xUL3+FihFb11Cf+vOUn1GWf8ZL8D4hS1QoZCqe2fdwXqmVeF3WmM4jGUQ9kGAL5sm1cOgHzuRMN2JMVKZII/FdZ4zKXoxGoim2Nt,iv:RV9GQfOtI36nZ0/dJwVuUdSskE6lRzD5Q7mYIaroo5k=,tag:0YHOtwOE/XBv+95qPrM99A==,type:str]",
-							"pihole_web_password": "ENC[AES256_GCM,data:zrhn5Lc26m7zUAOHDOS8tyrbz3o=,iv:pQTX/itAkU99vDrRBDSqsc9qqfHxZ+C/rI/CsUeDMak=,tag:Ou+IEuZtrLPeNQlYIPzXIA==,type:str]",
-							"plotting_book_google_client_id": "ENC[AES256_GCM,data:vZkZUlajKssedbAm+Gfn9NWQlp6XmjDkPrx4C2DJyKdKE1fS/40ciraWu7G+dlwwyXcuQZwkBoZgfyTvaeYbgRkGOXmH2w3q,iv:RDz0zJGN6wntk7mNH+k/xWx3KDuod5gVqzWWink1tzM=,tag:c768KxaySsZUD/7sm6M36g==,type:str]",
-							"plotting_book_google_client_secret": "ENC[AES256_GCM,data:D0RF/7XBFjo1qyfp+2CUmqernDUXf53mmHqkmeqKAJCFgUc=,iv:/WCEp544XImcHLijW4ICQFjNhgcQkVu7wil8ZHHNyQA=,tag:LJiYmXsF7nx7Yai+cHzInQ==,type:str]",
-							"plotting_book_session_secret": "ENC[AES256_GCM,data:HHy2CN0R5dDN6j/Mg8ooeRAdMF+SfD11eCqHJS1UhkeMj7ddu0GHN1YMBeGJLhDx4wLkWJeJ0ZiFrBwXEzBlsA==,iv:qwE5cypjSqMfinf8IuHTfD7NsXrIu3iHpheh5Fxw5Cg=,tag:AdOztKigkMi/stWqWljLEA==,type:str]",
-							"proxmox_csi_encryption_passphrase": "ENC[AES256_GCM,data:yUvMsd8+NUxKzokyX0SSrBCnk+q3qaq6t4wD2+A1Q8RqCzm9VDxRb1HJ+MzNIdyf/nr+9e7APJmOZTxbF8g4DQ==,iv:K3IMblgyB4IKoFghFLCG2sEoZJvxmNN7GAecFfVo49c=,tag:bmnDz/IHqczBPzAOzGWGsQ==,type:str]",
-							"proxmox_csi_token_id": "ENC[AES256_GCM,data:GbDO/5rlWr5d0kmEoQhX1JE=,iv:mI3zDo8zVomWjaQbCBOoCBsR3AzQ5xiZ0WvKPRxCzpg=,tag:g2Y60K5Na009nXorBS7ajQ==,type:str]",
-							"proxmox_csi_token_secret": "ENC[AES256_GCM,data:jx4v1S5ucRT/Z/eJ4iuAD/Sr5pNUZUcJbCFeTOox2lIufZNE,iv:xRsp1EGUyUTaEWj0b2QunoEVHYQF23CVrEGvmdnAlL4=,tag:2EStNCIhWCjc5BT9JEuNvg==,type:str]",
-							"proxmox_pm_api_token_id": "ENC[AES256_GCM,data:DZfY028WFkVGaHkiu1pMp3loyfn3NnihJMDJn7Sgoqo=,iv:mlMeYr2XvUYZ2H8f6BiGXLmlhYhtmk35HADkpl8L3o0=,tag:xFSVrRl5ZitwJz/n3GHyjg==,type:str]",
-							"proxmox_pm_api_token_secret": "ENC[AES256_GCM,data:xdr/hb56Dej/S4m0KwvSAHzdjBQpMI0GBa1qwzdc5kRSfJJS,iv:Ie9hHFt2u1ysOhDG0O+YENqgKzjoGiUT2LXFLadYutU=,tag:NyVHQxvmeVab5JQAClZQIA==,type:str]",
-							"pve_password": "ENC[AES256_GCM,data:CVyf8RJ/CM+u/oRWwRmm1F5BBjWKhumJAFoX5w==,iv:v53vxaC1N4a0hS1blT8/WeTBMh/1wE2HFeDkOtH+ZlQ=,tag:z36c0FwkGCcpdqidyf6TyQ==,type:str]",
-							"realestate_crawler_db_password": "ENC[AES256_GCM,data:o9Avsm5r3BZCJCUHy9PjA3bP7J55,iv:aK+6RrbodkYcoPW2XzitxmJUxA7SSBo0nY7npclevl0=,tag:uzENpgaNol+Pk7KdQySKVQ==,type:str]",
-							"registry_password": "ENC[AES256_GCM,data:KfZH2z+Hp+ktuchmPKUSg1HE44RGKhuJEkSh0JXWEA==,iv:aR8dUVMRyhn+oJd2DRY4mueoDDQAzo1dTXjlCrYwGkY=,tag:/MAhwUi0QmAVZcZpqs3Zkw==,type:str]",
-							"registry_user": "ENC[AES256_GCM,data:EnTVawuf,iv:AfCHrF8FzmGomlHa47SJzoaAdyy1D+WR5L6H1VeM6w8=,tag:7BbjWzbmQzUz67BWM4RzTQ==,type:str]",
-							"resume_auth_secret": "ENC[AES256_GCM,data:A33DqgPDqg2WzCjrt1/qAwzl/ItunuiSICDjaDjBpbII4gQTEuhtj5bENxQ=,iv:0i4LWUtRJHCLM6jFe+0AWtW4kYaFRwm/89tv5VXzRfU=,tag:rPibbwn3nXDsBuqWMf+yBA==,type:str]",
-							"resume_database_password": "ENC[AES256_GCM,data:IM4t9XSiQjDuExIElqQ=,iv:ZCPfH7WwwXFWM1F8EL9OyCBF+YjvNXcnYZO9ndNYjiw=,tag:BgqEvZlqisBqdmmMgDm4BQ==,type:str]",
-							"resume_database_url": "ENC[AES256_GCM,data:C3ysU7qQrTNj3UN72h+btR90seCslxg0UZzDVpMiOwr/5IuoD+yOUwfnV7i8oKEIbpQQd2T43c8l5glvFGg3xrfUS5c3lCG0yoFzHXveOcuh,iv:+lQgGNrrUAxPLFjDgVieXEN4GAmk7/TLven0fVXWci4=,tag:61jcv2AtHsTLJN+AC7G5Ig==,type:str]",
-							"shadowsocks_password": "ENC[AES256_GCM,data:swVucZdY9vdm7araoLbVvrUjsuE=,iv:73aDGiOnA6hrXlTJ9SvPGpoi+p1nbrDfe68spY7kVVk=,tag:CNrZY9P4FQTFYQDzMXzO+w==,type:str]",
-							"slack_bot_token": "ENC[AES256_GCM,data:KPB5q/hxggTtzuGcveEUQRjVUgqzLSVYKqT5OTNzuK9v4/3yS730n7CjGbz6XlQGbSoy48O8QUfshA==,iv:6DP7W0x7URJH8UvUvwcLT4JMLuvAphnpMz1pjOM9tHc=,tag:Qkl12mIQOHQAl3pm6WU66g==,type:str]",
-							"sops_age_key_devvm": "ENC[AES256_GCM,data:3xlI4+T/xWd9Dp1G1S5jJ9bRb39TrgZeaaWvCnbG8LPASzHWSXigBKuCFZdw4bVwciDlyxYpkb5kHrbwCO2Dj0VPLw3oAX7mztM=,iv:rBRiLk6QaeQQ+qvl42wxLn7XydG6gnX/ymVeuGR0NFs=,tag:kqLXa1q6SevEd5oLX2ACFA==,type:str]",
-							"sops_age_key_laptop": "ENC[AES256_GCM,data:Wt3XI+t32/MsZxQ4EBiI2eBUFi3/NZ/VBeDlrXOnP2NMQKGjf8Wi9kioYI2v27gX1b335G9/7xg3h0CQdhkWrs7QWs++pWO0S/A=,iv:GkS/V/utMXvL+VaYELyclpI5sJnfkqJavWV71VlUdtY=,tag:T7mBEo2betUNcyfkK4Oekg==,type:str]",
-							"speedtest_db_password": "ENC[AES256_GCM,data:avFOM6Oz2atTOkT2+p4=,iv:/kyplf17yWgeM/vrVgGncK4EbAH+BaNh7wReivmXuUs=,tag:qwm07tzS42y2YL3I/1nQIQ==,type:str]",
-							"ssh_public_key": "ENC[AES256_GCM,data:7whOJGfLWFfspNcY/uzl/OqBiTOPDDcn7nJHChuFuAY3C2rh78BypWJmWjbafD2y3Up6ov2+MFETOk6U91hC2r8BWr0vgCnDIPR/771GiJrth/+R4RtRlk0bS3slhvYsYgU=,iv:3CRgbauC1lYj776AAlvBw4WpXhg9VLjfKd+1qJEiW74=,tag:f1nooZhkK/iNGaj3wt8+EQ==,type:str]",
-							"stremio_email": "ENC[AES256_GCM,data:9YkyW+sf41UfBUNJ5+3fa621KTO27Rw=,iv:CHSfzR+cX3ygF5bJbKNIMEuybZvx4GeH549Bv7GJ8R0=,tag:XYqGq3uujIvcnAUavDOKEg==,type:str]",
-							"stremio_password": "ENC[AES256_GCM,data:hF90BHvAYWCdCxZt3mv7cuMgoGBWJHbBok0=,iv:yiiXq6lWm+4AjbcE6QPdUnPXfPhJSriAjPqe/o0ly0M=,tag:XFGnCNAUkD5vybKyU/TNpg==,type:str]",
-							"synology_admin_password": "ENC[AES256_GCM,data:yIB2juu57VY=,iv:1EVaNum/N27YXt4acKiR0P5gxTd4rUXdUaT7yirnpA8=,tag:efNswIPacgzmQLPMF3DqkA==,type:str]",
-							"tandoor_database_password": "ENC[AES256_GCM,data:ZkP1v0jpPEZJftMZCzcY5E7dU+3rMCyyng==,iv:iUi6knIi/6aDdyzRhepRx68IIfOZpK+D8ZjGydKervU=,tag:E0XyhyhcaDCYx3s2z28FyA==,type:str]",
-							"technitium_db_password": "ENC[AES256_GCM,data:aF9MUB1RXpp7EimU2QE=,iv:9OF5aizJSeB7X/wlr/sWhj0wF5SDUx3rctEwWqqWadA=,tag:OZNOpfOVfIMsXKijZwgYGw==,type:str]",
-							"technitium_password": "ENC[AES256_GCM,data:d+5WPWZaKcuJ9GbE4rc1Y8talKUQKHY=,iv:fi15tfJkRjMBwDBihwlgncE9GSnJFI1KO5BEPtwW0KA=,tag:Q4T1NGjAxIRFAUuDrxfv3w==,type:str]",
-							"technitium_username": "ENC[AES256_GCM,data:c8cHmWE=,iv:4z+SM5W8a6DjZ17hny3Jfwy0Y9cVkGZB+E/xh3xe1x0=,tag:C91f/qwVqbw9P7cRxgcVCQ==,type:str]",
-							"tiny_tuya_api_key": "ENC[AES256_GCM,data:xouRoWdRbnduyEaZShWesJvezfs=,iv:CwFvR8IwM9luk0XOjCnjAXh/9YJkotWsByYXCpPRjTE=,tag:mBkeSY9WryjZdHz8zDGCCg==,type:str]",
-							"tiny_tuya_api_secret": "ENC[AES256_GCM,data:zAc5Iv5oJdYNrnlBn2yfDuXs3GKBjcOPqKc6YV+e/uw=,iv:65DJhD5f31AA20ba6f5QSxIiBQksE0MA7Cx6hEOTTdE=,tag:EHcZ9XArAps+881/Us+1iw==,type:str]",
-							"tiny_tuya_service_secret": "ENC[AES256_GCM,data:iCM2L57XiOm7iwvKn+Eq05W4FQcBPA==,iv:wTkLy/TiNJNyLSRvG02U2kRoeysst6BQjjy6aybxQ9g=,tag:gYGvNwFD05gSNnipQLoByA==,type:str]",
-							"tiny_tuya_slack_url": "ENC[AES256_GCM,data:MbXxMe8JZH4ozr7KU5dquA+OhcYHPfsGuw/mBvcoj2BHKl4AvIAN1gT39Amg7lEddPS7WZVJVbv41g4mIqmtYCH89ZjNxB/H6Pn9DlXXv4Cg,iv:I3Q2SMXCejIDyWLhmDPaxUEwU0mOjLxTeSdp6cvD9AQ=,tag:RsWoBIZSJwl5MfdQaN12Xg==,type:str]",
-							"trading_bot_alpaca_api_key": "ENC[AES256_GCM,data:DOl5b2zWJQlUifgpngApdQ6XLD/exvrMzSQ=,iv:+uwTylH6Qs+veuzsPdqOxscUbvqH8T9a+UY9fa2ofN8=,tag:yHvhKBdwBgbRu8WDN4uXMA==,type:str]",
-							"trading_bot_alpaca_secret_key": "ENC[AES256_GCM,data:OhOfxpbVLzB+/hIembUModfd/d74ymzFeGBaaFeXfewa2vOEDNwuDgNTo1c=,iv:0EHxzdAsmnHstjnIz+1a+pDKJiwNEV78+Cdsy+o+wGk=,tag:5YAbWijgHX7lxThfNwlMJA==,type:str]",
-							"trading_bot_alpha_vantage_api_key": "ENC[AES256_GCM,data:hIjH7GFfQo5iPmipS+DJ5g==,iv:knvvUIDCYL3rjJPYB0KQgTpt4fajfDMxUBNQCAnscmw=,tag:I5EGdpfIwmcdpBeDHs4log==,type:str]",
-							"trading_bot_db_password": "ENC[AES256_GCM,data:2wmNpYNR9CdqW4KlCXqobf1okouyOR2E1crep+GKH7o=,iv:04vZwOQDJZCTdzCZZiUIYGvthMdWGTE5tKGSjVdayaY=,tag:cGIuPcIt0rroGkDmjyqtOA==,type:str]",
-							"trading_bot_fmp_api_key": "ENC[AES256_GCM,data:cqO5UlVS43YmjAb+t38w6kpv+Z1ak/+0ke3AM41TeIw=,iv:TK4FaTyXpn/6ukNP6X/v4C5cgpbKNN3ciKM7AhlzAq4=,tag:CtYDifU7mrghvCGKQn8N/A==,type:str]",
-							"trading_bot_jwt_secret": "ENC[AES256_GCM,data:8xl6Sk5XubYp665MVoHWKrrXw8Kq2Ecxwr62dp0JtRY6vWjSOJOAi7MEiJNu1xNfWf+TbIdxOCDns3ik6zwWmg==,iv:AK9dJX2zGRfR4LjIdslXv3g2aOn2n63bOISPuSTcD5I=,tag:JJf0O4+eDcarMFYxD/rBRQ==,type:str]",
-							"trading_bot_reddit_client_id": "ENC[AES256_GCM,data:ZLY2COswNWII,iv:I/a9wjPHo01OmQ/WzRMkuhD2Dm8yd3mb9R7aPklI2xU=,tag:j7/5gu/n38NbFZogwyf1ng==,type:str]",
-							"trading_bot_reddit_client_secret": "ENC[AES256_GCM,data:TNb6AU9vsdfs,iv:HHwlvLcHyIjn6Zkvz6ynR9OSUN7VXgQksyZ2I4uAWCk=,tag:hk44bvcie+7ZfgljxiVx2w==,type:str]",
-							"uptime_kuma_admin_password": "ENC[AES256_GCM,data:NV2v6o+87JpChdiz2QbeFQ==,iv:gpF5rQ3jZ5bATAs4/HP81gJmFY4TFIoWiddVokSRJgo=,tag:NOtn1yn+zjgGZMRwcZCNTA==,type:str]",
-							"uptimekuma_db_password": "ENC[AES256_GCM,data:LF2WFvv8ByrjI0eHuMx9xu0snAdEE+pcaQ==,iv:38jb9wI6fFMGVxA2AgqYvU88qbvkcS1iVS5Qo/KcQFo=,tag:pylU7gW6cCccJF/YuXuF1A==,type:str]",
-							"url_shortener_api_key": "ENC[AES256_GCM,data:tuIu+99Ib2sLSzloovXfaCm1bEU560uoVqwOcIP0RaA05Qf+,iv:6ny3VF7Q+RIPqPoSNVL18FAMje+jiISRRC8i7vYyJBU=,tag:GlhHH7DHc2cKt4SXVyTPuQ==,type:str]",
-							"url_shortener_geolite_license_key": "ENC[AES256_GCM,data:Vh/27Q+V4oMfeTwV+lZxxw==,iv:Fn9L18IgFTvnDvz52AiFUcT1uzJz7tgWbxiYE8xmHPQ=,tag:/MDyH6rAg2+LRYHP7Q3Dxw==,type:str]",
-							"url_shortener_mysql_password": "ENC[AES256_GCM,data:XL1l+x3qqdRNxhUuIa/YgLJx3z4=,iv:/azdlQxyn5vc1DoF05sk366nsKstlkVU1UZbUrowDYM=,tag:esgBY27Do8xVRwU/WLnDZA==,type:str]",
-							"vaultwarden_smtp_password": "ENC[AES256_GCM,data:Ch3IhGUYNONRvzPkQC1HN5xdwSw=,iv:ROBHAWnuB+i32SgFQdlKgAv6JVzlVG0Xoqwfo+v4gPk=,tag:GLxi1qFYzGh3Zb4U9EaZLA==,type:str]",
-							"vm_wizard_password": "ENC[AES256_GCM,data:jKQiyHOkt0rqOIgndMITOVqSt9jZReAGMM/9q4lmxKTvBBjvfpSjYguI5+QiKPBEb1GNVS0ym/cpe3dNtsq+Ub/1UwrIbuMhdw==,iv:rhL6OSzIdJxbiCORbicxehOIDAk3DpyNrAIQuD2juwM=,tag:W3F3qjMrKuxv+KWQzeUZEQ==,type:str]",
-							"wealthfolio_password_hash": "ENC[AES256_GCM,data:nDSeqf36bgixiM7KWuHb74GEQ+ssfGNMi14W1zbnGUeVNYBAYDEx1xbVPWEfHuPjVCx7bHg+roeFggXwfFidWh/SZ7DMQjLPz11acvwUWUOSAEPF,iv:FmSYrUIdgZeBfo7LRfDOMqSDBA6RJQJUvq4YZlsKFh8=,tag:cXrLhjhY6f5a6uilB5/25Q==,type:str]",
-							"webhook_handler_fb_app_secret": "ENC[AES256_GCM,data:rEeZfHVa06+kQOwZAD8Lma4PfBPGXlCLWgRLZZhXXfU=,iv:HPtupmvSfW7Z9kizxmedKr9/gfYBX617KUWtwnp0i0E=,tag:QWj8lIEsycKDICj6kbUteg==,type:str]",
-							"webhook_handler_fb_page_token": "ENC[AES256_GCM,data:Mb5ynt7x8EJGe5g08nk92jXlOq4EZSPqb5VepCDry29xJEcsoamGqZXtuVYe3yhVPDamDfLiZG+0Z51SmxZ5D3UW9cUBlfTrlyf47XiPrUEfw7HZCDw4/xPzvam7vO8QwVVvb5zt7/aDshp2xGfMiZOyrVE4z+MH6935mhZxs8EQKAUbADaV1/Yd6aABR6lYUhw42lXIRGy2Gu229c7LxQpUN9NuQQjRS3Xr80Bw7ipA/sMPu8kLEl4Qq5C5NLyJ8ho9u+VP8V1tLZgsc1sjX52n1LWv,iv:JO5acJ47jmlGHjMuRl09YJR56ZnYIbQDFWHUgovpdNU=,tag:0Lurqj2+o+wd0rEgXl03Ug==,type:str]",
-							"webhook_handler_fb_verify_token": "ENC[AES256_GCM,data:XfX3HxDqTYMV0743lF4DaTeaj04=,iv:f6svjzVSmcu7qWL7LpPWK7plW4z7Xdxx6Jx3Te6cUO4=,tag:yDD7oSmHaADix01m8fplYw==,type:str]",
-							"webhook_handler_git_token": "ENC[AES256_GCM,data:pWRza6c3nMEZkbTC5GDTJzaJCa1kMqFSqcoTXy7QI0ST09RSN/suyw==,iv:t4+bKxRpmcrw7ASaya0yyOXGASyxzRUMMgOeUzpZQTQ=,tag:HZcmb2th3l0elNTcW6nzdQ==,type:str]",
-							"webhook_handler_git_user": "ENC[AES256_GCM,data:OxwVkhVdJB96K7Ku,iv:U1RIXaquENr+1YQts9aLqF4Q266v8proPW+B6RDVH0Y=,tag:79A6+xtujTqJWks2QdFH/g==,type:str]",
-							"webhook_handler_secret": "ENC[AES256_GCM,data:YOf9BI/vv2l6O5IK2i5WzlBpRt4=,iv:9y5eJmG/VbJbiReB6TU3CnIDX/ORHFk6rPntyTJ3Mbk=,tag:vRyuAIBXkOSdBnYBhw/DMw==,type:str]",
-							"webhook_handler_ssh_key": "ENC[AES256_GCM,data:FI/a7e/eh9R7NEzLiMO4v0aVw28Jjts1TPlOIpxHBQuC1OyTfW2npwQc/x7G7Q2L7pTRLxbssVJ5MDXY6n7iMgYA4DRx48n6WJQ+fsZdJlQpmdJHp4zzPpXSoY9ngpzA2odxHGZJPNh5UHED6mBCI0AKA+539L8FoGDxHc/x617AmSmTiRJVmlgS4wzqbAQnBEwNqChbXNqHdagQgM+LIE53ck4M+wXthmctJOKjcayBhuDyczQq7DrKzWTC5rNfnsO2j3O/4122q0U7tvO7eDf4EVZmtbI/G+GDYsW6mNQlUNDxwsjHYF5CKAY9AwJqMQl/2HdqPEzWQBTe9fov90P/JAZkoS4+GgyuwtdXy9DMFzbKAqIdDOsjqSgboYhDSQq4JkMXWELYV8qz+PeUnuS5vsIokA9i621pLVnWM37YzSTKGmrQP5Q/JJhPejDPq0NwZCbTvMQhcImZrIZ0iFT6LU+GfVLVR4qprEdkdKPRmlT7LpXYWcNzZtJhYQ0QaiD6zBYzAJVwdkDB0EerWX1lFdXrAr+3G1kiSZk3FpEybU906RMpU1CGdxhhMX2ArQqU+k5Z7L4P8tvyrnrdf/IwwpwKhVwqxLAMy+HF79DNU2BwTZszWkajX++rmdoHB08TEEoeBzmZ5O/sRunPCHdB0nBuGn0dXxH+hT1f+G+j3VIaS0BnfuNtl3iMxGf97r/dOXE+q3iYM1qktNRsFXrXSxG4p6NSSmVup4c1MJFT6VH/GJhj8kRvS5rJebAx12DPGF92/i8BRJ5ANcxFsb7Fu8CXZ5WAus1I/CflsD+y50PXW24JwgsC4u2uasSEyIVW9NtGfGZbTMh3YK51OYjJhYabJj9BgxRNc9TMpaGbCGftcJQlcTv88SUDjD/KOKpsQn0cvlUTd75RMAZ5qeRo+1rMgStISbQUqO6HlPdPFLjjO3cV/UcxzLLv5aZ25yxnaumS2w0a1k1y+xpbc6soK9uKOa1FqSer93HsTWpB+i5dTRpTJuzQIZSX5PUgVFufMC9wJwBvISNWTW9jI5u708He+CQEjLnILKEFNdoXE9B4rKC19NjfHFOHNyX5DdWh+uSKvY0XFp/jtrzdTF1VHpxm11Of3AFxXqNf4g+g4CyXw3fqKVqVOSJRVeE3sP9DRzkV0nGlsLJ9vS7cHyuRNXyDj6JhN/WhTZYMsoPYfEZy99TcoPUQtM4exmsPZO+2dZMP4wfGWUaOBN5+XUTPdiefBTVMJqRB1txIHBBFMhf9PiWN2GcoCUFHaDmvQbQ+zbFxUNL5mcTYtxA+RE2tE1DUirDvXYinqmkQZLWmmGSVvZpBgZ6W+DHtid8OhszFYkh7XKSahw8SQ09lSthlvBfauY/MwkAH+hekPLb0muL+IV9AKKoEOodwOgvufX6HBSlBIbuzdXk2lTPQmWXeeoe9EPfBua6CmmhA2oI8CxU6LL23ff++nEirmJT2Kv4p3WUMVMOW9GBE3BT8g9RxKUvq5efsnmLkTzil95AggDrWpllbGAdsK4momVAN91vGly9auPO9SNHjoyumiMgPkyU9viZC/JruJlsKoKJg1ZfH1IVKqLYV5cMvt6IteFl6q7mdii+g/jbNw3Jec5O2PAftllb9jkkpkssyBDFsRsrmykjOxbVpxNfR52HkaHthIDuf/h5ilhBIM/+LxMQwr/5k6Cdi43TWc7NDjhXvtIiNxH2j6aPxSkOOV54Sb27jpM9lKDQMxUGKj8vxZdwro6yKI6TQhCCUq2zxd2jZ25ZtzuEMeB+Hf08wHQa65/1SsygTl7WBK9dcj27tIgd5FBvxMo59bnMmL53/N8HgULN6ttjdQI8mwFNjC00i36aINuymxA9rjBeE/dHyORe1nLUF3mrEhrD5T9CDjo36U114pFspbWda9rjk3lN/eeE7OTu5Ca33AwheUb1ywk/sPhl5Y7ADW1+Pynx87Z9FBKchw1hbJ9jHcw4bMQKm4nrm+4+3rc73mFSU7uZymOK9Ik3d3+6rOOmlEKZxzBE9hFBLmg+ykDOonVBQgnfNjTDe2k8FgBjaGU+1sjS+lDIcVW2WfSucXS2QofdtwIidyBDKdYyRqPsc2QqqPhy6kBSjNpqUoeV2ZRukksPtdo6SpyASv1TlMRzPLhyKWew8ZSH9Ev+Fcus6nEJ4CBinhUQlgF8nM689RSAkR6OeoK1rcQHgcOf4ds/kA485YEamW5RWINvVFLJZbKGLNPrsaKTkdLMVPLlf3AB0GERTL+CuW1kiDZkoPilhXHCT+/CV2wUWGIiYBkBZOd8Rjp6ayXy8hTEVUNP0ImbEf4R0gJOaeVGWBAv0bKrSH8MD/YSVnMwzyOjO+2ZsyRuGDgsV65bCxuq3eHgUe2fpQFDfLNz/yQCPe1DVK/16U0MXULZiG7QCwTkY9PAkA75pKN2fgKK+Bp8vX1FlQAycHMMo9j6DBhqZ42f63zEGAPqX2LHscdlGAhESg0HW31dxnj/EburHYSt45W8HjZrwtJhEsZGfVgby+heiCnG9wHuX+HLJzk+X9ADq23dXLXQAMiGKjxz9ZUg/YlrrtcCOxhtK3/257tYJB4Ufi8WBnZWsio1gFiWV6sJo6utZusoTlGO0igFg730Zx21jJiR8irN68d5D0dgFIOsdZWPEeeTJk3XM88jDcbkau+DEa3oy67yooWc2h+8W382rubVx0VbDCE9sDBoGwnVQ0Iq80a2yrbchWWvgzXj1HCybdRx2G/lwT6YP6SkGAvjzGxew/5peTskmKoP2aNxNha2BywV6kmNQAhRY1xAkkPzLTTECy67KZQbDMS5Svhh3anZfT/1fEosEF1Mfp+82Co7dkqaCsUpZ28EEVSldcObzTvszV2vnmrOsYh6MUh/vEA7inlDcsY6zAqUkvYCKKtgkZ2gMbn3mW/Nch7Mc0bzX0QNbU4AN4lal8dR0ULhYxZQGwVw/cahYh70njZvBsFhfRHdTpAVRnWzShAKUYC7Vbv5beQGryt58aV9dyloGzFhDq6aaQAlupXVcjbT6kAlHHYbo7RZtLPWESP+mpKjO1rb+sw8AfUeIPPOBwp1Pv2q5vTydjZsUeneATPZ3lvHn1Z+EwOkEXhw6bMJBwstgepqbAU/NZ5lq1eyKBq8mPkHiSIqzi5dtyugX5/6jL+FZhf8N65zgUa58OD9LfgqGChk0cYq2AJiOB/VRuFiWdVUuhXpEq4WrMMl7k58REIz22wOIuc23rtcKoDYVPA05E/xPAypkMuhavP0vKGdfN24SSgSnL7qJVoUi+DAya/I1k3XJbEIGzYS3tEtPK+vDp5YbVhpj07nBpL26llMSv29n5u9lruW4IujGBQxFTH+LvE3NrGmXwWGkCpl1ElqnSWjDxSyn2/Yh8+XTol6Dp7Njv2NW4gj6PHXudv3A5BprYwKeMZmaQS78aIQ12ZYKQHxRE6YTReuYCEbdf2Wzc3jF2e/u9kk4RUXdbztjpmO1/L0=,iv:UtAMyEpcUKZdmP6rJ4x1xECToESy1rWvNhvW5Yiq6DQ=,tag:lxHpiXhnpb4MoruGtSYNAQ==,type:str]",
-							"wireguard_firewall_sh": "ENC[AES256_GCM,data:VYOZ6p4S33u7ytviWNL9m2+wam21l8yya+bjKvii4O45OTzhuLnM+NSxNTTwU1zCOH8BaFqhZlRBeiDgn2vWwO9aCqfZ5YRleSqrs30BieKVqvWMNJLTp/9ErWX0cKse6Qn2pQO+xw+iEwEzRBYTvLUcuxiC/lwiN8vVlD/iVNN9UjICPnBmRoU/YMrqZoOh7aXU8eroZp/fZrpWJHMARDM2dakfp94fM1PkeM30C65cQv7aUs+mTZpSob/XXlPKzQCIlZP9hLVfrBVaTtE7GQNY1QB4Eun+0xyLkTq/5HxI4+InH020ckfnWjnlYa0EwMKhcFlhp/w4VThlVOY5XO2cXLf4rSbQphVp5Hg1h9BN6UfoQ2l3FTikeQevC16uEpnIDK5ORPPDHcPUnm2euKyVDzRKMEGCJR0r9mbi8zruwwJWi9Ifb09sITLL/jLrKxxTDy4yHQ97HUSHjK2TkSwsgFLT3h6cr3vFyhk6rkpTEs274ZNc99UBvsCIarwn82E1YgokA5T97IUd2Ak3utlPI6rb6C7WASs=,iv:E8JkE6fyU5lcANtcxXSVPELNYgpsR8OzCwpMtKdDjCs=,tag:uToPF5W/NGYGf9KnLdOZ7g==,type:str]",
-							"wireguard_wg_0_conf": "ENC[AES256_GCM,data:plMuAnOUV3ry8xoJnJqf6yHP02o3KJ636c1S3xvG36JfmfsguRXS9zBFID0uykkg3tGoT3PCAAw9etxF3cLOPHJ+D9qgKpFneq5eZIZCTEavJ2sLuq2yZ+K7wcesrbQtoILlHiPssD1GDJOMuA8Rx7dsc27zqKCVwSq9rW1cbbnoAG+HHUuRmX0fxi1outFVKWFMkPS/mMC4L+NxzWYMBfTZmmC1/EwFHroO1vxnwno3kQiFxppWHxay0GGfEewWMsi+RR/p082Zanyh51xPfCKXsk8n2/xeZi17beWTSSDnLB3A4E3tEDV5SbVWHQFse15qrlQTBkN7Q99ieyRxbfrgUUgg7G05TqfIqyTfTv2iZZKtLURuoS1ze8fSxtsETCeGWOBnxpZQfDVy/C9jJhuBPEYroBq5+13jSr9togFm0idueXsQOzzdAKW7eCIy1c195q2MPjaJc88XKaMlS5tyaT2pTEFrP/7kJuucl7yhyYhap7yUjL3fUVv7KeS11MTvyB4/aYsOxTdcQuIw+1PUmOGkjHG5ZOc/viNEG9P6/yohF9OQwnbmy0L3UsAovMy/BT7P6dkadPZRMP6BPfxB/z4Gxla8KOxBRlEAvtBG3T9rycvShgIlXQCKpnwoT2omV7nbn++zHY6TRDEK9NNDBtQNjazNm2FYptuHhmA5LQf80dzVCZB7QhwDFZJ1HVDJ2l4QJ6KJtbUnkT8fdDDVoPNBDJ3ahxJj+FBmwNfpJaAQc1WqxaTAZ89PpsRlIejgxFHGM/C6BkVmh7jGmR046gVON7+7EMluCTwyk0PUKrCQ7hiWpqhauBqQaZYw7ns3A8PuGQ0jbm2b/qIuGGB8H79XMFIzaEnjqrC88MqMqb3AUnMkW2cz16hhUucfr4wGDo9e+KnKaPnnGV89F/qHRc0bT54yFVrGW2AukoemtzdfLPqbcDI5bffZz4Txy04YaHdFTSQulXFAlZeHfM29Rtwk0485MIKAotgppsgcFrsv6VmlPK0Yl3nw0IjPbkFMAvGv6VFuqluBNWNEgUYfZqbBe+7jIG7Dc/nM09yU2aK9ZyYeWvV5Vvv56FK/Ym6KGzBtZw7ETnA7g4bcKO9CSdbKekUfHT7kpXK91xShEcMP3AgNzxP69YWYGi9pjuFeUdSRwnKycJ7m/0QXRDDKjWzrEqVeoP4UvN40IyY5wY+HfLJ40TX2CXPw8DqJNmTFx6PM/UUHLkgj9vLSPrTL8yABBIz2mUlbfGklYAMtQLBzuwf3ksPiEtmaKoRm5nYT1aK21y6XNeOQpaK1tB/dk+/xuxanfWcl+6HRo0OktHuUhM0X/IJjxoLL+7F7DDRo0iw5vPzNrNDfw0RWa4qo0NVA7vG8yh44sUhc62WpSSmAwBo7/Dxv3s5EjHoKZu68ct+WUS9mD0t06daEwpJTwbGIGHpXTYQQ8CfHoraXT295SOTlFrtxkh8FK8Az2mx9Ew+Lv1h9+3K0/E5cDIOLPsbeyJVSKQOpFgWlGxRK7Kb3hFoQ3A3DgoYdF1+VGg2DiHrVBZlK1NrS1rrpyHk4PSxg8xFAuMYf1do4J5tM06y3154rFSFHSXk+PnbQz8iD/s2yXKr/dITyVjS1zmZjIxmM/sh7SvR6NHq/i6EDO/D5915ZXZvLULtQv7cHuCTgD9BIQ03pZKZ779Oitp3RUA4ciiiGfiV9T87lSO/K0LaGVcl6cMhlHrPtSSTHhNy2Wr77gZ9zFygz2DvQNihA1/MAodULQl0SAkMxUvA8yuQB5NVkGD8ITL7atuvoEp7/vbvyXS5/KmBrJFWMOftCmUClwsheVCkax9nqyrTAai/DyYSfI07wk9X0fwpdMxQIt+1ProJwpaWVZdxe3p2EK+1/TUrTi8e3kPcOwYpvi87YKZRq0E8Jlcr/562YWSqd8kzvSFNbkRtyeKBi08tnQ5h06w5HutusNhCo8x1W2QSAEiVKNx0DXbdx6PJ6a+gIuGheqILJOWZzpTiXUc9hF5qeCAYfYWr6bzCz0PQ2zfYg4R1ZjQvY+tWGD6PiYpSgRmtTtLtBkbku3i88EPEinkxxUpcLjz4xLeT3HsrmqOVXpnh+O2JfVwJG60GN3KU8rG/J08p4EomnIgI/LEcx2u1sbv89JcC6vbEMB+C5nAcK1hl2o3jTOdK2p3bvff42qzgO8mHkuQW1GxLp5aJq9o2yr4XDLJ6izciM6kDkYJYvOvCHW+TcGVwqOvHyvqpnvc6G+OgJ19WkXdakwq6eQTXX/47RyCT1KNPIeTUY2FEZHWwTMkOt1NURD36IC5imSLEKg3aSxjD4qGvyIp7TUjKzb8gbtZqicVI9aYA530rASG9bbw6ZYH3ea+vtOc/6205aQXcawHdIOqw91Nq6uOO6m4a/2UfN2lAYt0jDu4JJaSMJQ0nsktZLlnYzw1fNW/Gizt8yHXR5eL1vo4V9VpWaNTOQOsFMHHZU12UEtN7tMuFId0hMfMWEU9VF+RBUVDQZJVANdw5NiYAzKB68MlP+0GBcNPK1JUBkf9mlJuKnsFrS3hF7FDj/ToTLwY47LKAgWkQBid4ECygSyuUG9pMIDH/xz/yrK4VBZMVuUMzsPLmHb2a1XrEFeJRCuU4JKhkQAt7pjhc9L9gNu/cr+jf++6rvN3OQDdTFetRR0IwsMB6JyvR7owErBLX6yKuiu+19iK3qVjfmiw67EA9p6OLDFCGXDa3pS9tuTGZR4PqXv9P2+OoOvCREl0/3UdUbBzTQfJDIZRhno1uGulIZUhUPqV5y8MqNkmd58t+ir9zqRRXjZlxYuKqM9UCwCY3M8Gq5lFEn95leCZcSq6PKqFUMLW8fFWyBZt4fEZei3rQqISAXylt7SYKzanKSnSonTpC1dFPSKtrGvbIk1pwfyBJ3eGnGJAOtdn44Nry+H6xCtfZwxJ2JkChhkBN1mAiE5MN609FO3cEvmkff9rYZX+rneRV/vM1xh9rLKrt576RU9lFqZ2QrvVUdlD4XhpIX3AdAlcXVYbtb9E/jMOpV0rYsToml6jQ1XomDHPryN4JXDoXOrryyVStPD2+YACFLvvC3aO3lxY7XZtrhvBHZE3E24twYrMC9szmvYY2jsfWHMrb8d9FOTqhFdaCZCPTfKwzPh6N5cXhsL0yxZ0B9a9Ex3hVRLS1Fkxq52fk5belUNI7gD8MTim5FZORq0cNzYwKitIiYyFc6VqpsHoovNQAQBv5i2F8RIp2hPE7gwV/8JEllVRKR8NX3Ls8/NmjOVvdzsJoS1hIbR/YbY4GuoAlDP+LXTslm5Zub+7cvL8dIlUNmV6yMvaCmgXlNnUpBia5XfeNkbEiaaLhIMofMmSom+PjNDRJUdsKwjizByIvhgqKGMXACXd4/TDE3MtcAVkQpd2FBbG8tXlYmVOYYuPlSNnjLwK+aipUx8OHUviCsGaisYl5NCsulSKRW/lXIgLiXAi9j,iv:8j0n9UM1sKW7nkUT5c5E2fqUt1lDIaLOjF5xvIc70qE=,tag:cYbaSRZUQajmwT55HVS+Hw==,type:str]",
-							"wireguard_wg_0_key": "ENC[AES256_GCM,data:twXYPTd2tmUIxgvOr8pjli4wfgsHkltcVN/TswgbYamrt6S+OCnZWUEaSAY=,iv:MBqSRQfA/AMosmp3qEBl1kV4LFAA2D7qmq6EDKD/MaY=,tag:yhbejoWFKkkBEYQVPzC++w==,type:str]",
-							"woodpecker_agent_secret": "ENC[AES256_GCM,data:7bF/ZvuJzQPa2qkSeg1AlC5VLjUkiiDeLtOK/A6a94gXal+jLqxjm6J9TfiZbONUAuNrJGP/KiImxo1jV+FATA==,iv:SQczg3V4gfBnOtgzRzCTGOV9Hj0bwDxkjlHuUtqT/5A=,tag:iLHYv2zBd9UsGoXiVCLvjg==,type:str]",
-							"woodpecker_db_password": "ENC[AES256_GCM,data:DPOj9sABnakjQmZ+fFU0nsVP2WV3nlknMUHut/UZioo=,iv:Pz0c3Xp7UhnN3TTeRZBsfEo6VR7j3apQHNGvkUxGEWc=,tag:+z9ZcqzcoNh43II+kTpUxg==,type:str]",
-							"woodpecker_forgejo_client_id": "ENC[AES256_GCM,data:TZIm4mdoEgbV/s2RPPNBBMAgg0t7/e4kB7SsRTCV0523gK4p,iv:CyISGxQDdD2YT1sX7u99vau1L6cZVN62+yajK3UiPuw=,tag:h6qb7gq8+nmmqs60zlJf2w==,type:str]",
-							"woodpecker_forgejo_client_secret": "ENC[AES256_GCM,data:sp8z6duI5/gS7u0S4ldesfZ8sEOQot8D1RtRWgiJPxmXyzPhrRxnqos30HNpMf2bDHAIHvb7OYU=,iv:rquLV1UhB2D2o7hTV++/NNW+TCYxnIDlLlazfciT+Nc=,tag:KVImnhmmTW6uNzG3jK/aKQ==,type:str]",
-							"woodpecker_github_client_id": "ENC[AES256_GCM,data:K+BeXP46aDG+KWIJD7hZa6PIjxA=,iv:T5hkWV4TkMZgGrOtK5g4zcbeEs75gMsAFBv0zHiEDgM=,tag:8GPVLg1scWqS+ZEC8doqww==,type:str]",
-							"woodpecker_github_client_secret": "ENC[AES256_GCM,data:R/8jnwqNHHxMNuNPMk0FF8QLx3Frjmrwu4jeyaVYlHozetXCssKQsg==,iv:+8hu8SEcDYDZKGx+L/42xIO+YGyXR96/H/IAYkWP9/s=,tag:ZBc45XFjaWcwzd462aoL4A==,type:str]",
-							"x402_wallet_address": "ENC[AES256_GCM,data:wRQf+ZYN5GdHQr9f3sLau5JJiwV8p8RduX7Ivl422fG3btMnTGrkPgkN,iv:xdWXixXtBB0wBHZVFBgw+NiR+38oSgjwHDGwV7UmtDo=,tag:fWz24neP+nmt5A5QvfBEOg==,type:str]",
-							"xray_reality_private_key": "ENC[AES256_GCM,data:OwbNJfmblAbYu9IVZF6CMr1amDVJ2N76MM5WHsWjZTZQfpKHjG4uJQF3Eg==,iv:MX5qdmPXjY7HyDt3mzUtdZqxbLRX1ekxcm4W1J4wNKE=,tag:fMYqx57XqnABI2GaX5ShKQ==,type:str]"
+							"affine_postgresql_password": "ENC[AES256_GCM,data:e7FQC1twTie0xHs6S/rvPz9wBus=,iv:4xs0m0lmplekSgWgNUq+7pLx1sLt2Q2dzs2TeHVjdlQ=,tag:rHZZ2HqbBsHUt6QtA8pRpQ==,type:str]",
+							"aiostreams_database_connection_string": "ENC[AES256_GCM,data:BElr1mN6jHxQbwQUUs5zkJycKs23whQa3xcxZf1mB97SSXeEMR5FcIozIA8ombrUZlamTIxyP4aWVFdOh1Mf8WB5O3FKc6ARgZKcfD3ixs2mvX/Sub3xqA==,iv:cvACtMjTaBOJd6I8p+Z2Po7zR2Jn5MiiuNDdIPUDFTQ=,tag:D7F1Suma1plrnNHzasO2aw==,type:str]",
+							"aiostreams_password": "ENC[AES256_GCM,data:CpbYGQ5I42n4VAZ1ZE+tC6ZS0sM=,iv:Rz8R3UX0sKaE4I6+RKcLoMEgyvhuVaWH5mlamfdrhNM=,tag:zryZ0hl2PSHqyCmBFSLy2w==,type:str]",
+							"aiostreams_uuid": "ENC[AES256_GCM,data:+D2+q6SdoSmBQsQtULGLeWRJ8oxIYYv6BftbEw4v0+JCaYbm,iv:3IBfrEMgGigcW9AQI54yQQ/s/qBww8clNdTPbVbPLEg=,tag:L8d7L3Lfnb3Q2+FguS9X8w==,type:str]",
+							"alertmanager_account_password": "ENC[AES256_GCM,data:RyqKNVxwEkoGGvLDzp3JR5fZw/Q=,iv:wZ423/soEZnA8O1KfQlhmyTzn+TXkvmfx4+qGyC1TrE=,tag:8lyyBy8YMCePKrfhzNPDOw==,type:str]",
+							"alertmanager_slack_api_url": "ENC[AES256_GCM,data:CsNOeyhcYvy9VfMI2GluinDPsyJqDvbrbXy9maEN/0E4ak9cAv+qmw4eWVlwit4UDQfVJahUsrDpDbdhICxqhOuk14rIbp5sG3jdZ0kSyPaL,iv:QLEXtFDM2pS65wvtO41BRfRwlF0YAEi5EWjb9Uajy/g=,tag:sEEsCfST9f7DJvathOFmTA==,type:str]",
+							"anubis_ed25519_key": "ENC[AES256_GCM,data:f+o7EKeAkmyNTdO9JGCSrIsmv39IRez3kU2c5MpJPGz6UJc8nDeEHzIkVW4jkB3BR0092qXuSEX+aVtZubB77w==,iv:FEMlEJqxGw19D0mzbEKnl/0mq0eFLEXLUTkb0FJJ/mo=,tag:voDJw+J6uiiNBw4t7MDoyg==,type:str]",
+							"auth_fallback_htpasswd": "ENC[AES256_GCM,data:efpQE4uj8/NpHLZ3nCVz9mWAsJzy5zayB1Ft6CwFq7qaFN52tATUNcU7j2ro+1u9p/MyvKVfvZE+2aUgC7IY/YLC,iv:e89YXzPLGYE7Ml15sz5CEk/QbgS/gTvMBR4UjJq/xR0=,tag:8FQ01mF2cw512j3sQPfrVw==,type:str]",
+							"authentik_api_token": "ENC[AES256_GCM,data:FA3LGWyVWwWyK81ARxlS5/vNQdUn41PS1giiNrUsK6kTlrIiOzdBUZd9Vbk8c3DlnL204atD2WDWvwtj,iv:oFUkSfJRu6y7+qlDrlgNTQGhAo/xK8pCyTLTS7RLnZw=,tag:7NipvydYgLLn1DuQZnU5kQ==,type:str]",
+							"authentik_postgres_password": "ENC[AES256_GCM,data:yLwyrWQr2qXDUpfDJzvf/w==,iv:AsW0Lhgb8ZTS2/P7Y01eJpoWBiCJxG/p5LybmXownYQ=,tag:hufqeKVvTCsp+jXouPawUQ==,type:str]",
+							"authentik_secret_key": "ENC[AES256_GCM,data:ZGlMSWnalgjeD90kkUxfaYBCkWPToz2WIXCNrd2P858umLIcM8rIkwEOdaBZEj2cuXOZ,iv:X0jIy6D8TNWgcX2lmaB+hQiSnOOMDgqrmaA2I8bVJSg=,tag:2XVP8hCVAgPCVmM/KXiLZw==,type:str]",
+							"bind_db_viktorbarzin_lan": "ENC[AES256_GCM,data:IDpTo6lLknH3RzSIgnslvB/f0vdNAWbRQbo3z9HJVVKLaadf6Poxo0QqdIYkziss48jBVe4AvQyx2T7frj3vGp+ilKavG1g+u5f3EaqNFLYStZ6mwroVmQhKK7ZQ+Sw4TbqNKJ5tyvoZy3kexa/953IE76Vu1mqYDvCkbeWZJb8c3PWxtWi/XerQ57kN/vEk52RLmWSj5EucVc+Mz+9gslAlHfu50N8O81xzB1A4pPeoFTR6jYY2CJVH9p3HGeMxBrIFGADv8lL8Nq7sz1ob7HPfPlbKsiyNl7dI7pIOWe3Le5jLP3MvS91zf9L1z08TfR+5v1Hhr9OmNHoQ8nJyfH/BeUHd2o/9vNXGBMe8pCeAjXCQmmc1YdPYSmgf+AhDlKQPQZj77LrMrgp99PdH4gZb2YpdWQrryOV5SvsxxIkAltpyQnOtWcf92LfTXxIy/yJaIFYvQE0+Qg35UgGkUhbCRDPdR1GAiylV6Wc+5/WBFSvPw59kb1kNbYUCw04XCCynUbzcr08z5CDotiBPWx5rsuHHx7+N347fnMcNZkQpV3+EZfsTdxHOqA/gNRPbUZIPvLx+77S7E7jqssphmYjsh0elhXJyOvHOl3KviOdNkq8WUK3goaS4pkIcdKpV6NbXs9lhqTLfvCu0xpp5jnjQbe1AYoCe3qpdVoefo1q/iazSEJWJW/lr6IirE6jYShKKpKwcWCZU9Hg8LmcMNZ6l+qS3vmrKHu9VBcqNscOmcChaZXX0gAlqJZ5QiJydps4Dw2EHKHRx0taPhML0jFGM0mcXtdl5LQB1q20htVhm/wiYCKCD4c0RCa2xwESquCgAbrgt/IjnKHr03toQZu1KA2UtOBXqprjHSv7siCSxfkrWMuWsHE66R63a7jzvVGsZiB9JxHGZYCXpd2KidtD3Bd5Vde2bZ5dB5HWg1eCLvCDvR8U7J9v8PnNiguy4QH3CZBqSKo9H/XVU/c16UCztBwbDQ4tdcMpTQdA09zJTHom4gc+9ULaveyHJll+RziKkYMVlTCtYb9HBgrwj3RE3idLD9IXIvMmGNhkVMk12x20CxQAa9WbBtoD7ZL0fshpJ3k1Pz6/KWTWRp5Hh5UMJPhd5qiTYJQBXVRDMBwmPvQjT0qU/ZGJlTJUlNL6Ie2c+j101c/ig/POsg2SchAC6a2n8xHKSflH1Oj+OEDbB9mPxpZz1di1GItMnPorX0T1ya5/H4pJYdxRxELDYm2fYc2+QkFwidgrCODOcQcZE3Mq9H9uyb6XQAVveLyokzQjX,iv:eN10K5ZHQmZHWpcmyA5w8E+n7OvKEBkdvqg1o98/3VM=,tag:rlbRc2bE5noXDY5JuDa58Q==,type:str]",
+							"bind_db_viktorbarzin_me": "ENC[AES256_GCM,data:h2oodusvR2OSMn6iKCf/Gfqv91j9Tc4NbXGJlVRlJAiUB5X4MyzIZ7Mo9KejJJzps6xWcYPkXALvarsJn3YRMKkWdhGmIPlimKcxdOdif2u27duQ6Qe2W8SnW/b5la7ni38RNz5Y+Y9wpSsDFAsIhsDRoVK7j7+WCVtV7kx0HmQhfh7pzU1cDxT1PsqkgQub9MLJo3ZNnU6ADKrnAyOf2k/MvWqykD+YRR1YEeeyV6X67PYm+J5pc2uMFm0ebHS5Ekhc3vVd7FZ8P7YPe6J3StT4MSnQ85Lum6bqLGh8MdQhjApy2hF3A/GGg9+STOTgq+kZUH5B8OguwGJ8z9YFJHi01dsle8uUHNB3Bsvqtea8ZSAS4MpPFvClqbH5nY34+hAuKfKVmTyvLU7GdU3/5VReQxHbuqosOy8MilZDWKXNGwJ0EtJl/fjEA/1vrifcRl2ctFoWStQCyiA4dGtNCPfGQXSdBmr7t+xZmymJRIigHj/Uf203pKl6wIKZf1JG6yw/gX73JWhTbGF4lGs1w77ISbWHL1QyiD39lHr9jtbThQ4neJBInu3Xa5K+H3ZR6PsOLbcVOKufp0knvYU4MqXHnCrYYfnNjLzcq7CGQiuswjngOGcH4o9wilEcFMDX4J/wSnKTzBuE8hwX5OTPJFOeV5MLFtE+ksP7UrAEgoq9E17Eewp+mugpxNfFNajRbXMlkFW4Fruc+Qgx4MPuk2IMGxnyv+8PHxaxj9rDQKhjvNLMAl+ZuiTV4q3yb8pT/6vmLvlKbu6D23yA6nHdMcMSg+Elo+OLjHWEZ9ZP2FzNmzsTB5knCTO66I5kWKmlqU1TbGZm7paTWsPDJIjI55r2AkNtRs5ePXSLeCZE7uQNwmIbrmaIa+SePo23oV5t1ur0U6FbH+2AE3FWIRYZgx6cgJdbJ+ykYTx6oiT2No2nAgI4kNUnZlSZ4KG0OoMxbBlG7Fhdj6+DrLVH8KExVVHJ4c9P/JQ5KQUOy/AXJO7R4J3/hJmacnHzFy0rqQF4uufcSIeJZw6AOae3PJQg8WeRmM6Zw8SqH5GT6Oa/hWF1h6KzWkBw2L1WFERudfSzCIf+mH+gCwzsK16pA29U4yIaEnNWGf8/2sWJo1L4ZwYc8KgLQjzvNi7UvHUq8MbLaSVT4tow/YMEOzAWfqI8BdlJzaURZSOfegTnbDXrP1boeTORpep19ya4oC/obzHAx6uFs2KBm5PNUI/glyIJnZa+dXgA4Y32SiiLfmdVL5pvxb/g6Vpj09lxzyQhNCnGDTEmzujLWTFo56tdR9K29n8/oOk3UZh3KPGbOkoJegiNtsJP+3EJ4sr+yg26bEtIxijv89e77Ej5TFYlaiAaSJa87kzPKIsYXATygTPHDepjiO5ihajfZKne2/R5Ni1Xl4GP36S9uVQquON7YatZiPLl+mzGwU1Ya+wg0u/WsXLnsuPNc8vp7/VkjvpnFR4VwHd5Gpce4T9m6sSBDn8ilzCdgP2g50BSLezjsh7zox9gzu71QFgqE9evfHLFQTKTdSlS5r2QL+7hxk0JoFfErjcQWOMGs7E/HOoKVHAzm0XG5fGAfYQFmcHbROW7sg5kROEeN5rirB6YiMrsCMfFkn4Jmlp/QwocUcSpgXq/3ccZjIbESNaytyCTZfJ/vaaCMlcz8UuZFoL3A+VrjHKRAtcSKPHdTHz9M4W1WJu4tc3acRFEiCSEs5NW0h0kbvZffuZNWbOJ0gEjOfM31aK5p19wq4PMJME4D0e2Od0TkFcl3fJ7QSG2B2qfsaY7WtsjkSQNLaBatAqx5Unh69xlf2kZFZ64d1aftUl9Wc1fU6PPOMQE18TGnLaU5OVNstVeVa1ehOouwye3SKN9oq0cPUezq1w5wIuPQ7ocks3O3f8hC7F63BIbDNpDRTR++GRx15S5cw9iJu5EBr1SecPzgMLY7ObEV80chQMW7fFtWOS9mFIP7W3eTDS1drGpYMmEzpx0OlsIqSkM/tV+tjNy2na9RA6FpeeJt17o6IcyYrhYV4Ug0pO9kIiEPjZ3eCczOusd9/BluEVNjv6xN8CKEHxwLuiYF9sDoyTvOYeMI3yVD88mFzV0RXUxfRobq75XdK6RZXPlcUDdM3yUDRLG01B7QXSg5OFQIOzJ2LZyhR0VF9WmSz8YadYRmQE+bQHY75qOstDu/va0IRwZ84dzYrCbadwjUD5cH7u+cKUWNkT7fhyT9mowASzlGKimiBCyX9sy0BuyW0KhObo1nOyjg36BdThCoLjGFB0hVjwAH8DsEFSbw30BWEPK317IiFzXJJs1ai5sPfRMgrB70TW0RP/KYXC9J3rG3SeWC42Jojx84JHzRAnOP5OJ/k4U8nIjxqKGlzzf6iNljLEPfyXh1n9581R6JZWdZbJkpyrtwuev/8APd4q9jzB5/CfVcke2YBYQPw/YYsnqbVTbdYgQqCGrWt0dZeZ3Ip7zf+MIwE0xu175HUFyjdQsW5VruBncHNbakzY/79vUMGmr4dk/zyva8kBvZfmIJM+Au5ODriLcfuTMNTPcVdNcrbAFuvIFSR5UlRhr/81aMuqcPTHdfz1uVzX0CIhjDTGbUybyLLp18TIS1eB7eT8+bCA4XAIHItzEMMRzA7QYIawVzmyNUTE4lESMVX55eBH1+THixrXMzOtgIoMm29dCFJB15eh/hBF/3f60riwT5IuBBDljJgxhsgEf7W2A8F5hG1V46ivYg2aOIpZk+qeZ3vjD/KqOa+62CxPJN9etbj1x14yaQzocFhTFK5fGssL3MSHoe1A1sCB5XKk4cs6LNPpjtmkFqIdzm6UKcqYMp9rrLPGdwQ4VcbVV+JiiQ2ByHW2GF4Ab3QcqE891HprPNrM/jUTjM3AVuD1YYh9DpmQz8rjgj/44guwwtG3I5z/SnIUWFMycXi9AsOiLP09VbfUW8rz7he5/HyTOQHQOeFR33FOXhldMeDEpszdcTu5ryKcNOX0HwUdQ3RlGV/iYHAod7NO1m1l0aCKKTZPcz9ZtScuA5YGeZh4JklV7Dd/KfDl4KHGEyXfzCf6YZroGg1nyDWdlLz5yFkD1/0wurtcfCHDypEkCsQmmX2ZjrhHWxvjABJ+XVeb7O27RMZiJ7MjOz54anIrbCSq9QiT0yBMe3akMOP7TRxBQUddLMkkjfa2ILQ0i+okNLdXLcI6+ylAc+yaJ30ukA3HQZSjSfgyd/Eyb6Ik5wl+BnM3IdshpdhicUqfvsAS7J/BJNrBmTnMH2JJQzytqj+BtSbCcwrtm2xBvvOnTrcRAQr7U3TsCLYPG9q8iP5E2lSW8Bnb390X24g4zqoJ0SlTgGHgeittV3DmfkG6s0k6VJsiNhjUs24o9tG4YkyYD2YhR+IBD+zwIGCJgjOnlj396qlUNZxcrtM10Z2mIwix+i4dpP5ER7Y2xeC2ZHLrMGpBCFjMKlNumhiQwGOaQPsywyC0ElosbtybfnjRF7dsitVGbHS/HU7gOC2cN0+0itJw/7JMzR32hG+izaU+0tCGv/gKE40hxqqdVdbMklvHytPknKcE/QK75EA0dx0dQg6sQI+cjf4nZkV4/xSRar3tQS+gZS3EnEOsWkncG9TY3n93yZkhz4Ae3LwzHNL61M+RsGiL5o2wIvsJuDzHVuJ+Nji6UhWOmwbwuJLij+dqRysgMIDpVbBL0TuLoXkU2OK+Kge7eks817BUNFcpVyzr7fZZu3tb/tMSA8BNPQ7rqP9WHzDpKB1mUtx1t2Lx9eBO0q+PbhAAn2+VybxKHranjQ8oAxFJKhUrXNIkPQftNgfDyoHvyxUCxXjNt+R+bXbvclSuxcB78n0VbNfUmp7sdZsOxUYMMJ7Ke1ev3FUJQm5XnaKHyR8nqMdb/Nly2s/ihvaqduqg+SdgzeJnhW07dk02LrQqedt4LdAfesUyuBE7HLp7He17J9CypgRmaox4Nwd1d3C4Bi+goe/j9EnIKSuBG/hM8e2nLDSiJ0HtAbK5ENeyLZa3qGiapJXcgLq9B9TLSzbMu+njRXHTfc9OZtpVNwHjSNGsrPx5v5nx1n1nnA2AFzyI15XqaiDyRkCopXhagYpZ50+a4P9yhbWywcDrXEcAb+pgX7g==,iv:ro/kxo9TjyG6mEj7xxUj+I0Fw8+Rftwa/O9l698nXlA=,tag:iyNMueZIy3ktpS3IbzH0DA==,type:str]",
+							"bind_named_conf_options": "ENC[AES256_GCM,data:IuObLV1Uap4tu6ePBantbGwcLlCaVnXOCx426T6a+atZm46VsEVwBZuKmiymB31SLgHMuNDfMacOWZ5Xh6tUWq7vhWZsm4OCxYgEhUyn3BnCngGjmZ4QIGVwhs1hxjefUSma/4f8e56FtROhNT2hbF1cGnj5Cv2SK/UyVwWNrarV7HO5AlXwqzGVsQYkjSmSNOG1V3FM1L7xEmr3nFgQUbTnJ34Detn6w9bojgSHQFqQG7DDfX/n5JgPSWXhhN9fn2b5z2PisiffShEpiXM2XUecU/Ysbg03VvXRPRmykqyfkZ2MLZz/5TfC6iWEG67rKp/NHROkyOZFVcKDRQUtjMkPYbu/6FLynZ7Wsodr/If1mk9n2xVNOhzVmTom4bjRUnN5ml+KdnKkHUCSNkzSArLHByFUsjUrKPS2uheFUSHQu+fYbP7w1145nAposqI0qhiX6etm02w3YI98rD/r7qOVL8zRiKF1fIMxW89FCnWyO6Nr3LlmrLNzZf289NniXA0THreQJRBV6viXPx05FVqHVxMuACtnmZw5C2xM1BWNfPNQlpmnMs/1C0luNfk6MnqD8zX3hfF1/eJaPPwRqWWpY+aPJBLARM190keFVOhRGP3hoUvrM2SxwqdpetFeC8mLHVvpkulUDdp0Tf8ujJuaNX++xBOzGsakUUHtXPUar4ae2i1ylXx62nq1rjtzBKQjK5Ah98axwM3WnEUvpjMgaI8HMPvbKH7xQdSckxmgmAZiOJIUGFAg0D6lINlSv469rb/K0+gNVsuV3bbJ6zzOzLph3actRz11PGg2Oh3YYJFv1ZibuSsxRXGAuOMIAnj16vGZ+UQbPGjklhvXE/zH1wF4IYD9rSB5VgPepuBzzmvAs2L6PM7CvQylsQMpbS/WqVZYiJtKHCuR4muiptE/7y6UvL7f3grsYKw5V5KMSYqPLztH34ifEBbsO0iCUv8sfgSh8/sEMTUCm4OsELpRQYFRf37wbBIWMpzGtiz6hcAvPBBH+NpSbQXg4JJUPdw/wdqsv1ZkN365ND2H9loplBs3hiTF0OpmJHOAjGv08AZbspfeYTBSFPg247grqTfrP/hL7H18NFNygqHIoaltQo8ZPUO51TGWVTLP/LAA85eFiavrn+dUEPReWeXQnUq8j3aHIA1P1OAvogTNjxL+esUzTSJFv+P+tsLCsvNVN8dpIYfJQDszlSYTn2kCZKIYiB1uo27uIkyVEUCTqy0R+TkuGIcIYyInJoFAfd9Lw0V27AfEtRPH1/hESgxeb4kfAhpy1yUXKrJdIfvC18TK/IPAgH/WIot43Xxh5Cse5zxfARDwvvUORJvtx96UdJwg1HHGvzpjGXWRgFckvT6Wn+oCORzIlcii9a/iy4g/ryu/xDG8qUugfFJsAK+0AYVOeA/gxkDfYkfGGtWChtRsQ/Z0Wa6zR0vDhJa0KVspAPzZclCIryr5EOzzcaej9E4MRDzs846D9OGoTQXJ+PTrh7z5+sgG+5keHAW3Ji+YN1p4XB7WBfS68wDLnc49HvhlWVl/kGa/1itwjhG21Izl1eQC,iv:pO7DjAlXHStlJuXCjbQNoQzeec6xYluAv9dy7TJ7wl4=,tag:y/F3BGFNoEITrm7jFnqAWw==,type:str]",
+							"brave_api_key": "ENC[AES256_GCM,data:XOqy6/a9xW/Ib3xn1CNdp1FAdyBXRkoZzZdE6NXd8Q==,iv:79R9pa19KyNZ9xS/656LFYbCbk5Lao5NfSLqCc2nOps=,tag:hA+j4Ds7e+F7Bqh6EYei5w==,type:str]",
+							"breakglass_knock_sequence": "ENC[AES256_GCM,data:8DwxDqQsuyU5XPpDoY4pbKk=,iv:Rb0o5o6tf9EKkpjggyJ7W/SuiXOvOehLu/O6c/sLYbg=,tag:k/t+s6kh/pWp0ScEhQxpyw==,type:str]",
+							"breakglass_ssh_privkey": "ENC[AES256_GCM,data:Oif2AMjMrREzNTo5nL5bdtA94HfBhfO7iEVZ4LVCykv5ZMKSqWKqjGvNDQXEAFXqtkjx7HO0xy4x6PaLNpqIBtab4pLh8StRtB8DItHpTbQXnx2BWV3hWsBSBIsqXISLhUW24Jrv6UJgE4i7P/3YpJ4WcZV7OKK5X565q8JHAQ1tU2ZMtEkxXIa2qCXUbfUD2WdNz6XEhs95Ndfia050nPfkrhQ6mN+wa0LQsLzBAIOuOOstUeh3b/GPsNk1bqZMKK8JZRPpJc+YHBSVWNSqVUb8hgpVxVaG8V+jNdC7G0GRqkVtk5kNx2KhZm6mSY6d5v01FVw2fHr5I9f5CnMgkUCQUEvKPpMdnkjTdnH5b+BxcjHTVe3yxKPeELwEoBEP4aZWeIAWAgo4GVwFU0I+zmuDeqigEkzJgpiuGqoc7PWKk0RtRUNr9EfdxBDbn1YeCGX4vT6MgOEdPRHEo6MznCnCgxpLAaD7XYj+vUyXt319g+hJzEdurE1RZGYmY5ezRvn8LKXSheFQaOqUkzlXZhe1nGplSHABmWSi,iv:sEhs57fh2JzliuFb620T2GI+3LPLDUyEy6Mg8Eguxus=,tag:HdHdPyeeaVHlt4wYYuzTcQ==,type:str]",
+							"breakglass_ssh_pubkey": "ENC[AES256_GCM,data:J3e18fDj0ZFPRKmSLPk7zyx4F8tkGw23zlJyQKril2UWdWpcJrXwZR/YsazfnCJSVk+QHHYkXQVeym9tos+Alw9iANFXchR3cVb3idiFHv69/4uU6N0Egu5DCAIUBVphTivnXw==,iv:X/0mKJ4ykJm2UUQLy8p391LbCXQVPfw2aczUN8uXDXU=,tag:LCciORF7Lz78OgdzXI4J5g==,type:str]",
+							"brevo_api_key": "ENC[AES256_GCM,data:B/wh3kGrFOvpprq/Zjmqfu72pi2yJp3soCzVCzgfm8v/RiPUhBVLh9J/yLRwTTTf7MRTu3xfybW7ttptacbK8sVr6TDovwn+pWddUeRPqRYs6F4lP3l+999FLL30Bb8/3JJAVBbzcJh1/04qULstmmd/I9rpQcv5hjdIHHSc4DhnqidArwx5Yt/FnVs=,iv:ZKyobB2SgO6Yzv/uZJdIuDNY5iKJrLeR2YDXOBD4w7M=,tag:ihUZW4RQiFw2tDTq11XEOw==,type:str]",
+							"claude_memory_api_key": "ENC[AES256_GCM,data:BViQiVKNECQzbUDNTrMLRup75OHb4h1jkgXtb6L29jmknwx3yGqT6BsxJ1k=,iv:bxZH7fzUddIEg46da+iLR3SFF5x1r88HAsOZarZqLUw=,tag:7kDYgxwqkcw0+cvBoce0TQ==,type:str]",
+							"claude_memory_db_password": "ENC[AES256_GCM,data:NaTp6V6MrLynPV1q3rVZcHsTR7xcREQkHoJ9wDc6DG4=,iv:6Qd5M4zuDJdUdzxOjLmPucGbFAjxUR8DCsLpIywZewc=,tag:7v4hgWUnjbjG5YngaCk2iw==,type:str]",
+							"clickhouse_password": "ENC[AES256_GCM,data:r7HSo7eXYeWiDnlO9hg=,iv:EYbd5vb5TdsGGysQqlpLdhBkIa5Rblm/REm98AwirGE=,tag:ZimRVrKOmFoY49+GNozM5Q==,type:str]",
+							"clickhouse_postgres_password": "ENC[AES256_GCM,data:WqAF+8ZQAANXe+5E8Vc=,iv:BVCeJo06ZsbQuCMDAj01yorewHcKU/zWHu83T9O2Bd4=,tag:IPXpUlrGiMow5lwuvFZYuw==,type:str]",
+							"cloudflare_api_key": "ENC[AES256_GCM,data:N0OKvlOy6rGpE1SEiZ84RG1eRZzvKx4xEsJU3wsLi6jmPEOX4w==,iv:6VjVCY2pPq1hI+OVixDUO+Sbf0NuYHhKLUP+3U206Og=,tag:/9mYPTa4poj4c97KWAIV7Q==,type:str]",
+							"cloudflare_tunnel_token": "ENC[AES256_GCM,data:4ubRj59v/UnoVUN0uJtEuIa6y4+WtmfmDaCVBpfY/PVM2JdpPxG0yOgsCRLplUv7XLLG58vlD6wev/DaGUJIWtTP1MIo95jDVKmL5mRTJ61ll7uwlI3GuCsJYGNS4+hW9FTnzU3589rSIdYggTgBMC/jPb54cxXum1z766Fh9ie5nE7PUAJik55iLqnKRD+3kc5F748Lq3cZm6OfMTCuMocR0lKjUovpRqWlrCxgb6k1LxEnB14G2g==,iv:ZwqIeJu+mYHUtY/IXR3Z6UP5hGfBGwLexSJvEIkoQMU=,tag:4GwI7uWS+3y9li5MXuXA0g==,type:str]",
+							"coturn_turn_secret": "ENC[AES256_GCM,data:vuUxdBiGXc2EVRP53lFSt2Ie/gcDSl2IVBhojUxMJ0jcipwoQLTMc22n6avXqBTXQvJUu+54tRd7Is+mSrQ8AA==,iv:nY8S95sb3hp+JVzPt8xKKskQnnCT5LmtOnAo6TIwmT8=,tag:iFnX3gBvtrE/BTtC6o29TA==,type:str]",
+							"crowdsec_dash_api_key": "ENC[AES256_GCM,data:wEU0ZrAHPCaQOpPmiiB0juUdM0IUmA7umD7geY/86NqkuwY4vRBGkbM1Pw==,iv:vMP0nPfLIlp50EawRIFPmxZEDkEK1wXw8+19JgZA55M=,tag:CI9XkiR8dTowb/1N9XFFRQ==,type:str]",
+							"crowdsec_dash_machine_id": "ENC[AES256_GCM,data:t1emoYDmymhgq8IrXxuNrz81gBlBzxgrTvQBZPA=,iv:fx8oBOLkq5fDvLkkdpOKg+nlEy9qHJ20jHwwkZP+sIQ=,tag:F7oxpRNpA+0pWht0jn7Lhg==,type:str]",
+							"crowdsec_dash_machine_password": "ENC[AES256_GCM,data:N6p9jJUzGUPaLUsm74x4/leB/y5OYYoVBHKG6p7vd3tK3kX4pCs8HEpRfJxoGXAO2gSL5Q9pVFk+c1+ULChzHQ==,iv:gjpoIoJwXsZvomq5tqCHW1vKQwcM/xYLGbUgMqAIK5Y=,tag:BR0VyQCF/zHLoX+jGG+JMA==,type:str]",
+							"crowdsec_db_password": "ENC[AES256_GCM,data:2ZgqjkOf9FjX4MIQAJ0=,iv:RjfvGOxStyJgvN02lwwljKcBvoBjamE8bG7Ac3lFhpA=,tag:Ok/AJ9oJOrV2kbAuE/iQ1g==,type:str]",
+							"crowdsec_enroll_key": "ENC[AES256_GCM,data:w7CFtthgEZLkC23O+xq1ogVsk/mJRz7E2A==,iv:zL3e9dFz8lZ7NLLtJEO/YBmC21/5Vk66ZlaivpmffbE=,tag:VWiaHe7yKXOybrbLa8jfTA==,type:str]",
+							"dawarich_database_password": "ENC[AES256_GCM,data:O5g0JAcgDoZRAoFJ/5kHf6ym4tGHBJk9BQ==,iv:ID1sIMtrUgZPPgrCrBzF1TP/5UVnjDvbuJGDIMdZWJM=,tag:Y4+9eZeQnqPVOG0tb7pIkA==,type:str]",
+							"dbaas_pgadmin_password": "ENC[AES256_GCM,data:R7XCVBeuMww4+rucEpIxCH0t3F3SU5ZRncysQrkz4o4=,iv:/moAB0n0cQe30XNV9NyZhKvqvW+MVjnPzkD1rCHEJ24=,tag:Z9Ulz5XVZX6+aiFTXr7sBg==,type:str]",
+							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:xkOP456YEw6daAG8EbeTszRiKeJTcsLEqYM=,iv:K8/gOkEVXWCF5KBPr7xM6fldVBRvCZMUz3dLAuLXBTc=,tag:C9ogSwsCQtfGWRTmLvZQ7w==,type:str]",
+							"dbaas_root_password": "ENC[AES256_GCM,data:6jjYHRgmNcwl1Pd1rcisKbY/XpWOBzFypvQpqg==,iv:bZLuiAmnqaL0N2RmKXI+z7Js7bpHgvsituYx/Q/Hbic=,tag:TejuZcdxZG8zenQ6UmE/Gg==,type:str]",
+							"discord_user_token": "ENC[AES256_GCM,data:7I2m5V5ry1Vp/iEntxPUjIg+LuhHkwK5479Ydkzz+qYIp4TNl34Ptzr+3d74ldPJrax9E59U/9ib0u2L1lU58BM7Ko7CfU3V,iv:+9kEkErJ5vrofu412frF2meDiTB2mM7FKaPHWkHNV4Y=,tag:a1grWANZovu4PYNM2bigzQ==,type:str]",
+							"diun_nfty_token": "ENC[AES256_GCM,data:PblfehmuG1gz8IjQ5A0ihs4CXQCBSJJz7EEQLrwV1NE=,iv:MVru2iInjTTJFdotJR5Nq662z76Wgu0r+lAHWBnf/zM=,tag:CEQPXwbPTdF96gxMydlU4w==,type:str]",
+							"diun_slack_url": "ENC[AES256_GCM,data:0EpLGD2qB+3mZmmCBI96H89+r6w28ZzEBBiqrpP1SeYuMtGbY0qozl1oRPng0USSuDwag9Qyn4ZzeLYBCju2FJF3UyWaT8S9c29Qy0fg3O9D,iv:3xl4qMbjmM9/Csgc4UXuZtDI7dK6GY73lCzXJYSTMv0=,tag:YhBYNF0wRVHgqNkBd7QWlw==,type:str]",
+							"dockerhub_registry_password": "ENC[AES256_GCM,data:/Ibl5FiGuXcW1gFH/NHAv0RLUz8iWH3JV14/MGFE+CVl07Ib,iv:7mbWunPOjLgxKExrIX/hZ4Q1YcAcVNsG3L4igGPaExY=,tag:K8SxcTG/GRHYwolV9HkDpQ==,type:str]",
+							"edge_router_192_168_1_1_password": "ENC[AES256_GCM,data:/kEfyADkIUA=,iv:PJYQXgLLy5ygv+hXgWjlWM2LAkuK8KbrluG1LmYWCKA=,tag:x4MmWPTzZqorRqjZ44XyXw==,type:str]",
+							"finance_app_currency_converter_api_key": "ENC[AES256_GCM,data:vXLtbR7E5vtveplrlaj7dabykc0BSEOC,iv:bQZmzkbQZV3GZ9p6dyusQaMgSLBEXR9avTlkmIrjcRo=,tag:WEf8ZDGTqOg+O4vYxqUocw==,type:str]",
+							"finance_app_db_connection_string": "ENC[AES256_GCM,data:d67i8xZaxNSDMFfJb8iz1HbD1yy/vmrDnFrd5TXnd/s6lwH57DylOvo7Qsooiu737mMti8Ontwr2jBG7erCqU2U7BmNT+pOvfyFEIXBJ+X+fzEy59rAwhA==,iv:H3csM91IBjGf8mgMywc7dIIi/28C4VArSfVILenimW8=,tag:6tSGLvN6zm0lDdEwxCvxRQ==,type:str]",
+							"finance_app_gocardless_secret_id": "ENC[AES256_GCM,data:JCngjEiVxIjBOssd50wyafvR0wsq/fFxPMgK84FegY/kgDkX,iv:jy968P2k3tM4ory5b2Irce6PXvUQaycmpwDXiYP41xA=,tag:P8Jw292rm+vKAu2BD9W2IQ==,type:str]",
+							"finance_app_gocardless_secret_key": "ENC[AES256_GCM,data:0bGDLp//qMvU3iFHdo7/Ty+U7LYnWK6aFaBRtSBVezL4rOiUeRhk6UF2e0HvKBDzn/zkJqYOY3dScgb+eYqQMO2Tu0OqE3TWJ9+rbNmo4EXmMn4eLbCClWfcQiv9H1IHiR/tJLedvT7QRKizDWvCcO7mbUahFfgUl+KusENrOfw=,iv:J7prz34xkJwfRzcCSftM8MhgPT2w2sm5E8P4l5btgHc=,tag:fDysekCM8p3LOe4qgLvsVQ==,type:str]",
+							"finance_app_graphql_api_secret": "ENC[AES256_GCM,data:PMQ4LqcAwnnCM/Hsqvcj1oR4wz3g92E93bMi1KiA4zprv9WWiv4=,iv:fQz2ghJHibId4Qc8bfSYLypJL+8xb4kVcoKCxq+A4rw=,tag:dcHL7DMKIKMa0KYkq9GGxw==,type:str]",
+							"forgejo_cleanup_token": "ENC[AES256_GCM,data:N5TVLEV/r8Op8arGH3NC0YTvZ6tKDgrtt2DZOm/u7B8YWO/NVocgRw==,iv:BBg0imOoCK4F/vYPVPWKrMNjkdnMYYZLDxORtm5WSzE=,tag:XEJid823Vk5wh/iJXRMXBA==,type:str]",
+							"forgejo_pull_token": "ENC[AES256_GCM,data:qSafRsAL5L3Cnl4cL7bwkIdXye6NmJ+xfML4aTWOtwXHzmZvW+oAAA==,iv:3MSaG4p3S9b/6PyP/vvCmD0PybeskMtIElSPLvkowjs=,tag:zneWmzsQbYyiO10ZFCkuag==,type:str]",
+							"frigate_valchedrym_camera_credentials": "ENC[AES256_GCM,data:2oyflFwWeTBceaka+V8HEJ8997aq5g==,iv:2MLw4Obx3tYic6Plo081KHBgQ194gkiNQOat+739ceY=,tag:VdyFIijoDET4ZELYetPUpQ==,type:str]",
+							"gemini_api_key": "ENC[AES256_GCM,data:ap2XqbWRPikYl5ngOtqm7a7BO2GT3AdM+gX3GGD8DZjQmPu/iRy0,iv:6hFWd5MKBiGpNRCOrvMob51BZ5mF7tW3H2QpSzNdc8w=,tag:4mkL7ueOwImaZBTN1W9KSw==,type:str]",
+							"geoapify_api_key": "ENC[AES256_GCM,data:OGUM7pb8Chg7Y5WGTT9mwsbo5ZH/Vd+jRazkqZsYjsE=,iv:BUkvtXZKOFzwYQTAH9Fl01hyRkrzLKRNZhb9GfvRqV8=,tag:VvMBCTOdQCkN0OGX2sAiHw==,type:str]",
+							"ghcr_pull_token": "ENC[AES256_GCM,data:MfWKgJQTbSSwl9C2B/iwmwCB83xzMGbLkqTjDJwajX3P3mu/Et+sxQ==,iv:YBJFoUOULx3Tgu2xghegB6C74dri42FoKfiLhd/Kt/k=,tag:DO69fFWw2ALUFZCWtU921A==,type:str]",
+							"github_pat": "ENC[AES256_GCM,data:Nu5VIfCfgALcmQBups1cNGpZOmSv5isUcaJgWIu7P4ucUSKLyef9QA==,iv:qVxIlynEVQbD8/czHjvPrmRuquwR0SpUJMXtmMberso=,tag:v5KfajRQbk3F5vbhLVVfyw==,type:str]",
+							"google_workspace_mcp_client_secret_json": "ENC[AES256_GCM,data:DDo9C/MDiqZiBiNKxPrC3TqT6jKAeLI1p7JdeLkAfhIG7UxqRlM1PFw/UOrQ4oh8KNi0+IAmFvSwl3UnaqguoYXokHE8MJkIiF8zzzQ4eEniFazlFtoA4GSytzE/FODU++TZd8imOR4vxbzLdEoaZHT6XZz9TaAHtLO8WvI/J/UcGIUPuyiQkMrHL/GCLLSo2YNx12SMgLn+qxdVVOkozuSQ5HM3zZptsn2WbiaqD+Kom1iHY1A72H5z5L/ZeTdHqL0V6B4iTa50M8d58BFWIjXr4g0pz7Gm+JL09TPaP0cX5xg7XKDEKNuoxWsvVo0uNj6lX27lXZffAFw+EOX+l5ojXO/ZvM50hTafiWRxROkmWEHqZFTx9Ou9k5BkN8kLyAuP1LSRCIDSzYih2jDTidj8uJj0+P5Hy62quxOYuYpN6yImPGjwWoAkgPj/gbWnCSx8qxadEjSpICjSQ1ngBfdjWY9I4c1SNgsJhnF+m+2pFH/mOadiDH8MvCwCrlrmCG1cp0P8oS7kSG330LKwPB0F/oqBkwhnw7yroQ==,iv:yaN8flsFRi4TWAhz9EQR+lni/Vglj8caGfihXcWN4Zk=,tag:vMZ9hlxRtwj758abEx1R8A==,type:str]",
+							"google_workspace_mcp_token_json": "ENC[AES256_GCM,data:zCeRimBTBgMh9+shv0+++Vobaknr1YjNKojI4QybraCeKY2WOy7xpHxPLqNNI2F/6AD3C6YOnbcNTuMLTvfExv2BR8WLBiGnEUBviZqfufnN4Mkk6IdN+9/lyKyJRtNDHezPdOFGCz7duZOxHv4pqofQnVnSI2C6iI7PwVMHtqne9uQlyr4LqKsgvlKjiUPuHKvGTXvNxFtl57oAu5bYltr73UWQ6tw8vXp3zqPwPKR16wwV7HBjo+AjkBNgJnySU8e+pOZvwCFiJ38wH/qnpkWi+9af3bYZbQB+dwSY5I5uqGysnA3OzxAMlA6KuQSebyknigYplwaDZikWPHgMBBzvSaOqnC8ITJ5lQl1RjfaANXEy9pS57/b27Iy2s198CWeEMGp0LhbnQXq6Wrcxfnglntl38fp5TxHcWQh8OsmzdO6I8hAJlpIGyq+4267I/nPkGEKjYcfSaz0TnasqAbT4aPSqIpbagvIgLeWPodW01RVRxjn14ayemXRGMEVeaq/5QUdiVb5JaMwr05FW/zBIbAJDsDLI4snajzJEMciLIAshtKOw7qF2y4aNktsbdizX6wy4aidbN935LS+kJjQ8E63FrvhROMsLHQKnRbduDj9KJhpdCcP4Z6kM7kxPrbHtkAln3mgVEQqRbEY4FLSvELzNJP5HiqLp7+9wOovm33zO6EW4DgjqUH4zau0bwsqP6nb9l1Q7GLopNOD256WnL4pf4iQ3N+JUL64K5Azy4XSZuhDdWKM7xTJvAqIUuVIjKrSPmsSG66yoZ2vkJqhQF8hCdHHDWNiajJfGQInASyw+R23NQY7pxrU65VdiPST1ssFlTgl3OjDjLS+uehu5ytAf6bdEN9FIS8Etk2S2QtbK0pNCh68bSe0ayweouTNacfcUZ0Hcg7g2WRzV6G7UPO3dOBuuZjJp50EUfc3smgpD7r2AJDhD3Z54GpMETP950//gL2bGvn2nLFWHCKsZo9Jyn6r15YA77GFqmPLfk4hW4mZbqkyPRMUYcIX5PG4NIjfxyMC8FFRDFY/tP8R0odQ0W/av/zqQpkw0eo2eThEP/bnnxOAmZc1TdWxq87j7DOfazN2IhAlKrOC5cAWR1BJggoYwibvpdBs3dbpNMUOFBILP37O6PWibpPPcT8uMx9L1PugBxH66cEJBmAEVOGJ0nzSBSGDpHdA45kd8GrLAOFgkCx15KfaKfCl8qfzOwW2KVuaZCqxRJzDf67TgLUp4dSfIp5+A3e4ScQVHf6vCsVTez/cQ5WdI7/p30BEOFVU+D3HxLbmBbPCgBjYsPumCYgSjZvrCcbNOnaRE2p1xtI+NFdFIM5KwOg4N0lzewzS0UQ2pPuVXHhWrHDafx789WZ4fpRWzLSpg9lieJUy4+1TrkJ6Gov1tuWC+94xEmuAKx5ehkQYlECjbVos6khm1HwkOIcmchc9wJLWI1+ZO+nh7hv7x89ZF7nNC9KTqHmlBMw2BFeDPra6ksSHUxGzsTJhbQrh3B8kPJ9QSKClUlfUfQ6BGAct92hBfr5Wrd4/Ww1ils+FFBiMbHC+Xustz1XJiaTr6IB4l/bhYIcqC0b8FKejGwcBzv6H5xgkFqMKVqUfhjpT+x/1mSqAJItex1lv8SvtFEpfduzZu7XvXZ5RKFXVLWbKB5BaS3Kg2nxrKxwadg1YYjq4LVvRjdxUZvbKTFL11t5u3i2N5yS+Umf77+5Gmf+YbV7lZciWVKSfsZmy7yt3Nyie24mtIWHQoTSmtsyIt1NKJZNwkH3Y9SYsO3XDgnRjDzAIiBeAWMJHLU3lvBq/pR/hlhZIJUtzXo4BklR/qUKA4bRH0lVWTARo7pY7+BXTGunYHRYRwF5VK+X7+nL91ISUa7TMXVQZYhtPOvdUaLm6ALDbSPWc9Fg1HOJCGe7cgi/OMNIrm9WB7lnAym/Oi6nQHMd54oxNGciOy7wq6g9iagA8jOa9nvaUSkYUdWJdFoNple2XQs6BwzTUWKzoBnu1IzNU1nj/4W9kPcNKn3WZftRHTQGRfJIazmNaNthuYIE4bK9of6GbMoPmJXn+Mo043cQQNr+g9E0EoUVrUINVqD37juyYmHdp2QPdWHSWfe8vejb3Z/meoruCgO/VEtwlPx6Z009qQoso/DSV/l27rZY+fWoAYdPGx7YFN+qesU3vEf5K7UgYBzkJvkH7BbOhtOjDZmhhd25lcK5yWaGerL6k+hZKn6FZ0Wt22BrynWLKvDCqDz/pFrc8BeRz6wjoMN7DHG40R/QySHvvFvA4glROhX5lMu6JdoxErVpirmBNDxCcYFA7ANwKFfy3eL7LZRJMTfa9LeLM/VoXeKqg9Hl3jCsOcNIJKEqVkYBXUjIeJPt1w8bXIIr6+UfJzECJiTs9qUc0nToaDZd9J0OommCVQrYO+nZda5GTPq+fWEvkT1nga6Od5ZRTnWMo5pnvlgCO3ItQNYyPKjqNcbCFUMspqXEGsPzVdoRgXyFfEXv7UcDwIVpn3CM0YG8DSliDJ5rL6CTPdPT1fFuzt7XV+9SAsXMJKNKRXamjYfc5ENouML/KWtZuWgurTz3STMLl/mGf+Pxk2hWl5zJM+tBmXekk8KyFmgScvRdMOD/4o9JAxQaS5QkS+X1QVjOlSW6fkCO1XYu205YOujjo2XeuemsrKtGqEyq/mcwZyyL16DE+m4kBUZuCmvhb506xowogSzmRDDfD6mHEUSpfYsEBiCfBK7QkdLSkVB+DhYFoOiiXOEGB+KDNJMj284oqAnKuZfMbrhGiahCa2o0b+4ZHoIf93G3vLvz6jii2wRmHp3CCuA6VCSeuoQU7rAWZYghscY4Yx8o5UWQS+NDkel5z43Ulu3JnH6Ilpq5tnMGNhrTvAFbigfPbA6XOas0tKK1iQPi6Z6LsVg38DN2jiNz/j/mxRxdA6ozemf5sRdGzAVlpX/usGsnEHnoZfKRvMSj3U5kPtcyieP73+60zCDGvY50Tv7imhJJeFCD9cRV4uo7UyPdDk7A2eZvKu9VbKVuA5HilW7J75pzZHR6qbu6Az3L9XIo/NYQErHupV2/skBXZ25DY7XT/JIMxfjwX1AxTTP9PepUh/4uKkzF1OyD1bA2IKwMpnggmh2w==,iv:WvGeMm1wFc9ChF+DjKUg9Y7sU7KvLZuF0Mz3r5cnm2k=,tag:FGJ1n2xUGK5YWG7NWe0sYQ==,type:str]",
+							"grafana_admin_password": "ENC[AES256_GCM,data:Q719CLg2IGoAVGpGEgxBQswb4JU=,iv:HDfBPHrU5UkZrgTGPuBYJJJ6Wu/6k1J7BHNM8bUGmWc=,tag:gP/57m2J44g09YX7jLhB2w==,type:str]",
+							"grafana_db_password": "ENC[AES256_GCM,data:2v8Xa8F3a/TB2Qnl7MkCKQEM0SA4,iv:DX4rguLElfgsr29RpHSoQNb6qqZ+BH7aYpR0Q5YiZnM=,tag:0b8AEneaqjVTCkzuDFRxeA==,type:str]",
+							"ha_london_ubus_password": "ENC[AES256_GCM,data:8CLlp2sr7ph+LogvdNNR8Ybs985apB+JIrYLZn+EsqA=,iv:XchqBf5sjTvqTsOsi461nM6K+LKi+Hn0qVmyXOUEX3w=,tag:cfZhXzyCzPrhj2+41fTZwQ==,type:str]",
+							"hackmd_db_password": "ENC[AES256_GCM,data:AkKpSwDaFhoTBt3plPSL,iv:kcPdICaBAepFcNxOZOZMtS/E/sfLq3tFl0NRJqkzNPw=,tag:SS4BqRG09H1qjSrQi68rrw==,type:str]",
+							"haos_api_token": "ENC[AES256_GCM,data:EkgcGaPSKLn1zDB6S8Nl/RWpCEG8qEDIMtyNtEJJmVy6kTR8s0aZVM2L70vjLAr2LVaVBqZM+U9J/OR8OlB8UxQeVuyuOvHIMO8e021aW+mBDEhzc0xz3RMkfFj2X4tEx13zdWwi4d7SrsSrx0HHOZQBkb4J5H8gJHZ5D12y9qeV4JWGRRCK7jV2QYBe9QQ4Hv97/BKk82pir5YPYQ2rnrPFlvrLm0hvIFEx2Ge8lg4C1jCf5Qq+,iv:Mv2cNZibrjv5tJnw3RwKJfvXaRDzPARCzrzpSwyLMhk=,tag:sF9YtCVTlIo/EDkgMpPPbQ==,type:str]",
+							"headscale_acl": "ENC[AES256_GCM,data:AK5ic4iow/VbjskRN4qJD+NAFddTdnNFGAv5OtDmA6ZX1CdWgDg5IC5tK55VcGynYFEj4BxTyAAfmnwzA1eFvziP4oAyNc/5zgAi6OXJokUX1RSo0Xc4hVZFMtpqFmqYbldfFxNlQ/lxtiMl9aEz8zMetp2d2JUr1lRFfaKX0XuNRDq3RrdAPMRB+PXuT6XeEBToSiaGrYPAiQo2LWbyg50JYaNpQxv/BZ7MetUy1QrsCLgtA/ccwWNszP5XEdsA7tTdSlsZs+ame9BUkcbWe+xoul2XXepyukjXMa8uOTHdTIULy2EGxGBAFrZDMtbZnyNMNVZ1bbsBESirR8izf7p7hvLKc2UayHngTnqMIdVHZ+xiiaGZfZrzIMqvDRHr6pHfOuaCEE3+iUFIodhJV6jmzIEhXQPu97tZx+3yVJ1uadhcDiIruJx05oKEk1Gi2PBnZuSqvGKLtyMDvorlTDIItyazSLg1VZnqg07PEdyGPeEIHJwOVuNXNFIdQp/1HDBO+hvjeL1e6jBJmqv5eCVhNwDdTGEai2/0obiAMwdOUwN+YkbUCzBlk2Y87sO8TRrKfj0NhZLDsP12+1sRf0KtUzYgotnaTGf8vabPUQdzimekOcoOAHSnAIjYwy4+1v+RK8PFbGeMos5xd7zFxrHMwNfpE8nHOOR5iwB46mbKq/6435Hg6l+AWYpvOk5t/4UjYRFpvRvUOe0FDtVYf4klbsOIbOs5YiN9LDk69LS2KOYrwovgePhadOlKPCjCFCZqRGjj6ShA6byIHGaylkmSd81w8yp8TUm9lyqEykFsHvl+XGMbA4k1ZLbj09CN8jFLKrKzFpuDTRxaP02ggm0M+P54mXdaGNuKUUPznp0vLpwLJO8QkkhgT2xvtqZR0C41pHOOIpVd3l0KPkKPB7x/zaAU7aC3K/VAiCOp6Sdn6bZOohSsUGHu3Lpbxd5smCSE9aaxB/g29jPdv5RS8FRIT3+eOXamdilWQa77xx/+HFDLD8E4xSYC+Ke/uAmkOTjAi4Faj+XgJ55uZwN1Ng7pgoQvN/uCnpwbnvfYL/+dddFCdwHp2C3qT3GLGZUy0wmnG077DaDS8dIYOKU/P4cXa8E57vYpHguiCb8QkV9hFHKfFBER2bihopHBVxhrGq/73IY+EVyc133rYCU+J6nbNsT8S2dxIu0kmuzqfbwX4XBOsavJZLpHW/qNzvaAc9A+dXgjVXw0o9qBPp5YVm+AIUJgJORDUwi1OShc2WE6CY63X3I0E16BVsjRo/4hJtrKo/pTceLHVh9MwIqvqUUW16TfAw190gSyqJvSlSbgJnrQ6geTfEnsKhJaQqExjzoVYOtPNaY/0cxnxYTNorKAWMLs3lD3qcMBoKhn7IKTfDCbAEMwkmfyNVzelp8QR9R2or6Wqraq7XklMeFvQ2PJQVyaUzxksSAaJ8F76CIi6Q01UI9MXe5KqpAeuNoQ9d0DP9zATrRllbgvg6UtSKK2RzRuYkRXf8m7FfcHxmCRszuEdGiOdyus0bqJ3kJRsoNfZUBHo5Iym1/6JWRAJfaxwYwwyXHrsYAsgQ3iDSx2MnhfngPS2YkBBYVIhzHJWdzfKYbrT2h/74LtRDWmAC/g/lVWdTNCziPbkBzVGZ9x/Ya1jRyM4s0RR7YP3AjgXI1/LDj0m0J2NW7VR/cYbKL/IIBd74fuCerHPbJq0mAX8rU4VktFI1sMEJkqRBf1w9XzO3KXNVu7nIMJDzwxppE5WkFlEBV+PCnaKyTfpJQSoHBkeNRbj2gkjBVHcBmYZwcRer/v52ybZRnU9E+IxIkU+zDzDrOMrPprtPXwqmr8nA1IMzlkujjurkRVBuqC+LtAOdSCFnn/ysJ0L7afP8bopYPfJPlqCJ9DNAN4y4HPA6s1FTqrp+JdCSyxOHtiXVJsHBVgX2lZdistt3Nc3SIk9iNameLemHEc2FcxHw6ljU9P38lm3wDxPKsyahRy0qzFF2n3BJhN74kAepIT7GtzTGur+5LrQJN0ojkGuIsypSDFmpgwwLMQfD8ofvU7+LkDfopel/OuE8fM48GxYeoTzAG+aDvLch1wI5z00g7VUrGbNF7Nqve2Oz++jYPZgujHnwx6Kh2aEyYkzCIgubWbGxtfybhJK8yA2Ve3eTf7Vu7ASTUQ3FGZ2NYmNfaf5uQC5FaIBSPmMebC8kDEAAh/OXDFlI0zacUSkJT5Pfx5XAHdJi05mO/bQDOmrAXaTB3NzSNNJ+afFUuH9+t4Z2yyO79XOLb1b1aSoBFOab8oFEIzTWsfyEbvXxsYn6tRyd/8H1rqibIZ5S/EJB42FlrV5+uRH2tp1/slCwieGiGPl78izEBloKCj1fgMSEHm1UgFJyM1vQ2Q7idxe1BgAzV1sYPsxac816nltIk/lJ/6LXchjOI5UqlgxxsET25LqluWnnbZ52exj2rQCLGbokw/WPnlPm+bEespL0h56Vmk08KBR2xSkptAbzZ0mBn7Q2EmngBM3TkSMc6wTDqaqwoKRuiwoBUhnZfca6Q4IEwK3ypLLG1SZiiS4cm1w1Y0R9m0hK1oJNoRamOht/oxV0eqaFelgKQJJ93CONHKIp3liKH1DkbQgHfqwK+5FQnmKigtZICniePRXonv16y/gYKB2wAnjlN/VOv81jFqnwM0OnTNQONKrq9voWG4b8kb0cRkKrVw1nc9Dyd+37gv9lOdErzfUMTdqLaIT5lm9KekZQEqOcDJ4myejmHs62fcH0S/702flkK2BcTMK1MQIhwlJ8K7CJlNJ+FfEjvCuUoeTLz3u7h73S6ZMyP3GXDjlzOMk4aX9QcUrDQLQwvbUhZELjxMH8Yzp21jEvFQdm3D7T4/YmNKh14wbjHXdqhLIg8XW9Y4ucBWYNluxktDTZax9lFPagVo8dJRL/rySKc0IrfOSXOg+QspQlbbZ0fnrRDBsmtEjNVEcA4nd4QvaTMECV2YSRtdtRJuwn7guure7RcsHSVGxtJtlMA2J+WsTeAxIJdq9Zo+G4fGUx8zSVNzVS+hSx5tF2zC/yQnR3ffNwUP3SecEs3HJGO88Hd2n24pKOUb2yhyWbMNuwtxkguDU04oSCFp6B31G4cmDmCpAqN3Hsh1gt0HTFDyZpCKp8ZSPavJ0E4/tWGLaanEKMuQVapOo/EjiHwtdVX2X1uxiKYKUTTCypCTMW6ne1Gkgi1NNKFmXznVb2bl4Ug0gUKWIVUX589OOxNJ7q//961T7IIqPZ2j4SDTgxZOv7/4ONY4FlYw532jNnVFyrWBFQzwUl4dzW6dz+i13KCxEC7xRVRqyyvVkVY3ZLGg65haEWHoqAwKWDokx/GnO7MOaGAqnIMN+SG7ljKFKyTb3FOFHBx5q55teqjrIkSeaXoDpXAE70EEaqys33adlkM0VJXbZx967RudOx1hHFmKAcTnDbrW4qgdmSBBefjjkvT6+LWvb0XPg3eYAA46Gg/l2jY4LujGz3IDyATWsvs372Ek1LMeYegpaTuwPLMgyqUUhgss4CR0hE3WZ2tIcTjP585IAsc7XbUCcWu7aTDLAd7x/6AV7kn8ltZzEcZCdEDWrs7ODQE+MvKBV4wg8AUhgV4aQHqm+t3sOyCURnGyc1mdJIFiiZi3/hxSBdy0WivPuLVwWjarEVe4n3QdusY+xFoOASphHxAQ8731+yqAX9hOvEprxAv7zU3/ySnaoFj9frLYsWtUOPZTKsurm4olZNAtHOpqKaFgzkE3DGSD1XWhAyXelq/1jHjG+mw6s7GE8CbNnJgL3qMzqdj6yzWPW/5DhSclF90M/UJQVKJivaXo8HZetpK6PcpPijuRGhJVmJGWER0080RF+eo0axBoeJm+e3JwmfosR+NfI+wRR8zyaSPxSvy0yhgvdFdNLxWhROIP0AbCeVigk5Gi9UjitYaUzZPcJZR6RrvVsSA9uPuvdDxNO518NKyZu2rHZI5WpbH1nuKHIeSuetOHgm8V5CNtMHd8p+RdPK1QfgjVQdqyJv+aKacSk3+cjHguluWnek7MgaiySiRY1qyGhWYDaMDwH6S74YzyEUH7cQiq5m6Avaf3zPLzRY99xvwEXwh9SeggRHbxcACr+0eJegEnN4osMtIaylrBDAWoYpXDMofMDv2gyE0S8OxFXPEhW2zrFvoyyEnPGt1/i/EOyCWtZRfBpDpVighhgBCi9IIkF3m/ESbbbINk6XPpV3nt9WHSMNUV3Pzbsl6qtGnT/jdCsZcAs2pKdn6uPLFT9guQ7N73XRAst523bQOuGphAjfG9pFVxiZXJ48jBaKtzlqan0+nbob/gJgnEQXKFw8c0XeVBsgmf4GPJXzLqrQkIGs8838E49XBu2MuZO4vhxAofbF/+a1ZzZisAJwMY8NAzobUdMbM9JStHZAqnsdav17l8mV8f4TKj1Zxnd95n9teuL6JvgLhMsoHYHBKdd9VUpsn3s7KJue9ZZlqg6Moy0wCRRq6NKOiKLMisPl1oD2W4BWmQdn+eKwDKAXwhlNSUPxGbZrr26Eel7BuMupz8KvVcQWnj6LYY1hK4RsLj1svKhbbWZGzsbwOON3K/eh+YVkNy0FFx2L5UGKYr1dwBj2tMI9mB5K+cMsN/J5IdfD3+Pwv2lkeg0Tr4UvZnO14++oae+F+4v/HDWsomvLtjUUe9tGDIwSGlMobv6A9h/zELOT7a7oiRci5F5n3njtiOtGMC240Kfe0H7T14QPL8G+xuNSwmSJxDBX6AePlobAzoAgCX+qo+YJEXas6Qn2Sddgz3MLtxr7nEvlYK/UYgAij+1NGu0hHlxobtdt3YvHIePYpBO+qeR/Rc8phLfCvfbsDiEqJV/2D+T4ZP32/Ec53kU3twzzaPaLKprqiNByJhiP+KWYlYH/OPbspuCox0OJT4uA0bvNc=,iv:WvGJnmPlagiNAB3hwVpvTfzQHdp3hC50NHh5mS4/Z+E=,tag:7s4C9GdSZ7Ue3u695MQ3lw==,type:str]",
+							"health_postgresql_password": "ENC[AES256_GCM,data:Gfc3sCyjsjsj6E5q+1iqAZt+TQnQ+MlOutkv4Q62DLw=,iv:yrntDZ5U21A7bqHjwGMQ6rH557KUiP8rd4IOVX54YnM=,tag:LQu/iWffjxvL5b+b6DDFBw==,type:str]",
+							"health_secret_key": "ENC[AES256_GCM,data:CNZ25DVhI8LI+d1nbWGj5smmmc1lDlgPaYl6Iacra9Vlh9D0J//gwSgv8mMQSS5bpRqumrIwSD3i0QNH8WsrxA==,iv:lmlQ9X+A4O/ukdgRLz6qa8iLQDQB2ePsMiVampkp8N4=,tag:aHsn5LeRxGEIZP4QA/3Tfg==,type:str]",
+							"hmrc_mtd_sandbox_client_id": "ENC[AES256_GCM,data:rHszAyL1txWHl4fiA4yOQHGk95uxIRgm8jdo7g==,iv:rnZ1O/iWWxoZ00oHLnbuUIYNBstRaeYqB/gXsjQhfkI=,tag:TDrQd/0MEO8FI8ETHGcRwA==,type:str]",
+							"hmrc_mtd_sandbox_client_secret": "ENC[AES256_GCM,data:8MoHcr7PAUfyeikTf3JYHqIm+RTxBEaF9UOrECZZl+uoaakq,iv:La0Ikjh3NH+STuTsL+wbNLUaxNgF41Z5Kvx1xbozxHA=,tag:TBoXu4baiSCurYh7z6whyw==,type:str]",
+							"hmrc_nino": "ENC[AES256_GCM,data:DMF5OL8uumXw,iv:VfSKNhPIe9qy5JYAwCmfzmdpk2lqPC8Uhq9hAO7vHtE=,tag:heA134k19Anixq0tQH/OVw==,type:str]",
+							"home_assistant_configuration": "ENC[AES256_GCM,data:3aXj8IFxgC5sPjvFcI1WvwxIjyWJNxZ2Je7wK12ZGWLAEgBET11vqcCaJh1WkCZeGtRhZAJ2NLvI14b3syj7oAWDwaIhS+NPsVLxU/djbAAE1N13TOSXxAvx7fCSg5nYu3nyRtWLlxWPMwk9NnB0SMBjoqaLvfbYNQXRhjtJDTqgYo9jv8BoR0GWITQ/rZL77ryP2dnNEgAoAfEF9s1rMnW5z54GeC7lR3ymr5o7C5U8E9eu69d7YDxBDDgAA4J5xSCFvlbAB8OipD/Gdieig3tS4ZHDQLGFyhGtsQSbXohg0X9BNI80rFcNzbqwiHFQ+pb19KYAGUSf2AFkhPGzbkAbeQNxBP4gbp3XHf5iawF7WdJ+SoJ83W4LWopNrDHDHHd7F2pCLzV3TY2JJno//V7Le9Ph7XU9siobiSvBn+FF8i4+PK204/Q6cSkmXbmTU4tOqQG6qDlSm/8bUU4Ju/6Lj16qpnESb/vYR8xDt+VjAnaQn/RAzdHC/2th3Zpylj7jgAKxuJnFxfskFPOR+/6Dj0yJ+UUDLbLQhQ==,iv:jRGeT2gqMMvvTrJDfaCFYb3hrQd5cqAHTmdc/+3lAe0=,tag:rXpxG8q38c3T92JlEIgrrQ==,type:str]",
+							"home_assistant_london_password": "ENC[AES256_GCM,data:+llpooYiqMHlxpF/IkMlW8t04wOQl+1zR1rDd/uy2g==,iv:isilT70kjzVTzMTKwh9mKBORLpqeLdWyH9xlIhmhqvw=,tag:C8QuXg1p7E+oz7/dx5DZKg==,type:str]",
+							"home_assistant_london_username": "ENC[AES256_GCM,data:WijNLzP1fmHyhMo0,iv:znhAPJeK14jlR8eleN/GP0cG6eMtNpLccVKSVkszMMo=,tag:Xox4jX9Na2gWa7rrcZMTpg==,type:str]",
+							"home_assistant_mcp_token": "ENC[AES256_GCM,data:fXXKqlGVe7Xs/v7CQcJAwRyDCBVO22YdVnl/vHALbCjw98m+1uHNtM/0AA==,iv:S6EAXmJkxaPuoQvUzZSRllZ4MdT3qNUuMkjSLpm5ApA=,tag:qD9344LNfKTLD99w4nHJTw==,type:str]",
+							"home_assistant_sofia_password": "ENC[AES256_GCM,data:VWB+jIFVnDrW4QC890D+cE0w+bE=,iv:fbKkmVhC2fyno9Q+QGP/1P25a+7aOWNuUM+v73D68Zw=,tag:e6Cjm0xHY7j/wCPZGFWC6g==,type:str]",
+							"home_assistant_sofia_username": "ENC[AES256_GCM,data:UPUH6nhOJw==,iv:k7t325/x1PqkRmCSVVVg2PhhCF7cj67zIoeZ2swa9RM=,tag:PgjjIvtPnwjvLruwVxtpGw==,type:str]",
+							"hyperoptic_email": "ENC[AES256_GCM,data:Wo4JwncW7d5fcb6RUv2Ygig=,iv:ZiKjnLRn2e8goHoGWrBRTULD2usX20GBFw3qURVwPLk=,tag:saUdHZWdOUocjsmJSLdVVA==,type:str]",
+							"hyperoptic_password": "ENC[AES256_GCM,data:jA3bHm8y48Abl+3AkSU=,iv:muDbJ6Ku6IDU+PZrV5X20jojr91jr3O2LESMBWqBpvc=,tag:1oI1j3lr9yFWL+zDkvjW6A==,type:str]",
+							"immich_frame_api_key": "ENC[AES256_GCM,data:lxCskm8CUa1dhg74w7sRfMfarJUC8sC78sR93P+ir9tbyf3QTOnl,iv:IOVvMagxMpUDhmzZztukDIJwEwRyoXCgsewcXyWgC9k=,tag:iwUxj/VR1VqwLfFzSSmzvg==,type:str]",
+							"immich_postgresql_password": "ENC[AES256_GCM,data:ePoQ1RIm,iv:mCwtensKYMI/sYAwYikDaCXFp0ekvaoa4RreHfujUFM=,tag:S81wNCFVH13uiE1AUoh3sw==,type:str]",
+							"ingress_crowdsec_api_key": "ENC[AES256_GCM,data:UfvRXb8ZNgFed0hR3YNiOO5aJ8mXh3i4ylHSkVUuS2hpa6TQFJrnttPd0A==,iv:knm4o4Dnq3oJwlQTXXj5jkPk1HIjc5vHPS/eUAzaylw=,tag:U/4aAj6w/08qOKilVbUDMQ==,type:str]",
+							"kea_ddns_tsig_secret": "ENC[AES256_GCM,data:sYPOUZpZPy20h8dFhg9HGojpO//n2Og1OR8dJT93/ubhxt+LrjpRvl41VY4=,iv:hDGaMmkAWaEZRnndTG0ndc2cApbxBLR+4TGrhuilWcg=,tag:L/4PfacWW9DpMEU/bqUOTw==,type:str]",
+							"kured_notify_url": "ENC[AES256_GCM,data:lU8/NtMYrDgjWdOwbHsRjfpvBExVh1q8AZDykC/ROoGj/3HI1P2ZJAjUtA7KY00RMqJ7UNnbFKjCITb0SSg2Ur/XO7gUvsfLfAA15Opf/8K1,iv:YdnQ3MF+coUlOCLnkuQPVSGRV1FggZst/Z7lTVqGOoE=,tag:/Wj7BBTxri0qEHIkvFI29Q==,type:str]",
+							"linkwarden_authentik_client_id": "ENC[AES256_GCM,data:XCOUG60UBEe1F6axKQiC5eHB8vP7EUYoN3sANg5RO4a7LroAVTxG/w==,iv:2Dxx20ifRzi/yE0rp4RheoVyfMTGSXyDNVXFJHdfAGw=,tag:k7uZp4UayV89N+BYR8/iMw==,type:str]",
+							"linkwarden_authentik_client_secret": "ENC[AES256_GCM,data:dCeeYdje/wtUk5Y5v9356Qto1X3O861MUDvCLx6biSKhfT8eA/HhOfxxMSl1ACBx3Fh4OnDfXK+HoSwATEpFUq27DrsUs3a4mlnYtYVizluGsKYur61q8HkFzVrjgwPQc6jZ6cOIDaYJWqLIYKq2PmG3LwCNUatn3SUmq6j5a+8=,iv:tSwJp4ToNWFt03xqHBr5IgIri4CxLvc9lyHu9CwOv0A=,tag:gCPgGSwdq7t2H+7vtZlqiA==,type:str]",
+							"linkwarden_postgresql_password": "ENC[AES256_GCM,data:r0RBfzyGUhp9Qfw0/YEaWc15YrkervKE1XENtc+Ozyg6rtSss0+X9bXMqpRi0hbA4MaU,iv:VO1jSzfMqkOesOlylv/EznLm5aC5Te1KyBTTOzKzk08=,tag:rrwY9dssMYCV1vF04W9DuQ==,type:str]",
+							"llama_api_key": "ENC[AES256_GCM,data:QnCwXNrGYcoxJYou9sWOfiftFOi1OXSmb+QWfnSSdDtfuEFhqd+jc+59S4PHRZQX,iv:wvAHM1swcbzy6gwTJAJCGALwuPZ2NvgoboQlNJfgBH8=,tag:xl/w8p/CGA1dKjUQEmdIkw==,type:str]",
+							"mailgun_api_key": "ENC[AES256_GCM,data:qrPz9gomRoo5x2BEjxv+yXmzUOmz0yB8RQTcDGkRDD8hupoq7+w2K5UXVA9ibUGdoHE=,iv:5KJ538stw8C3UvdWf8m76vKLRiHXmBzDnxt8IFk3IMM=,tag:6E8PFtmkZZS4qCKSJmrPUQ==,type:str]",
+							"mailserver_aliases": "ENC[AES256_GCM,data:9b/Ynh/6CdXaVQ8R1MryGSjm3nIxB55DPuKTdxMlKvDrF/BR4l0r28bSHHFXHqYtyseQ/9DT2ZtQ/H9MVyNr5GCx3gowRGFRly8SCDM7OY0qPj1KFr2j+QXryQDaOWiy2yiA1+sTsFjX92WqyMzATzMDE+tMhErjscIyHnwSJu2sDh7JHmQ2/PVDICp/GkGLcFx4zUS2KNKhC8GZgSxSDx22wxVhcsICERWmQBHDChOX/7Go5g6L5AwZOwyRv+Uz4VVWxfbFnSlbYH1XZA7NiZHjMqdKXW+CoYUBR5UZjDNLEP7AFiOxwX62zmDlC3QIB2FaQxfq7ugyf02YjVhFDlVuQmpyKbhgTXM87U0EsztcnoEXiwRJhp+NI4Bf7+yT78uBvveRHMa7LT/qWBKNcK6gE+40wBwDtfkK895DViHijAC3Fhd9gjgBU5Z2Hd5r70fJUOUJZxoHFghOtbZ0Tkw2nm3VaOEpLb1VXxHxXC8443S3v49132xMbwSyzt4uclpsL5n+FChn7DN7uiMJ8hVJGPplQdmF/jvmSeKEwEwLx9xXrJEC8nt2wzXK9WGPN9mwV/9Pqbcm,iv:gU662LmWA6olzJgowh0HDYgQoM3n9xMK4roahZ/b7NU=,tag:k6YNJH59PRQgDK/c2PNfxw==,type:str]",
+							"mailserver_opendkim_key": "ENC[AES256_GCM,data:Bwg7H2PwdI4bbsXsmFnN9Wcn15FxA/Zg2JDmtKiAxkacVy9hG6OMYskbF2CCDP9QS2O9f+nF5Sry9viXnpfrmQezmsSYa9+BB7FYiB5EWUDYxfiI1wi0/dz669vA0TRH9ZsytS00lH4YDgTkp5DQnwbP3xL2MKkotCH58zAEy/vCFAnRF/HCDa+FITOU5p6WsOXytXmHfYcqJfzIsyvMKfdYx2K9+WoVKe4SUS0lfDSR1Iz9Oc20iCuOZqxr+VQDRhj9GBRqchkopMucUzjQ0vzQzZQ30KRAEzCX99gtMEMQo0nqzv0/TqpzwITkdWBCQpl4LyYmVbajBo0pNP9cmWYVdU7XGu9Vyv03W8wZ2GjKzsBU4zhF0HL0IfIgfYBApY7wqjWJuGdjoDC2RD2QCIjiPsKtygQGyZwKQSSXoac22bdH6GBQS1Oz5gSnVnjDTzdqgubtQ2FUrrw9si4xERSAGSxaglmDylNl26iUjJJlr6trkLog/O+pbK7UDhZgCuv2snSM/iA7wsm7x6YO3HOD94Wv19HTK+sqedaeJBAVEIfEcPaAKnV6EJhL9LvEIHlPy8bLleWYnm+eYsGuX7Nt5XKajcM6dTqtxeoTBuDsugbeLxmyT0mFujSs0tFi9X2MlDKCMcvkyK2Pk1FSXuj73gcD4HYr/pJWvabY1qdg8qsaSmnJ83Tfz7Y0/c7qXptMWQ53AbQxwElzbHgjji7i7gdeCh+Zb3/crIhj5l66UsRElAT50GnbBffvh7okvHja+ovWodFzrXddlpEgtiTda/eVEDNwAjqHF4N4ftot/nu9LdKA7SzE9UamXxUS1s6Mu6dYXth2iHqUsPTIBrXpivb87JrIHe1vD001extpNNWU3T9jWm/OrdLN7Xjo85KuRX3ONfP0eBdnXMTrDvXuVhotiHeLzwgP7p7VttYxaoUyQOSSiEIxCAuRHvuQS1fCNYNXlmAU/LZ6Cyc7IXw+1dQwvMC/FF+177Vvnr194gYlM+0w5XTPyPV1XjMtNfp5hJQ7UeRokVoQnBBr2A+wyyEhaAynVXyLdVFo5JUi6fX6l5U652iNnpf/22sYuKTBXxCLzQjboPe7vnNlULsIynYnwqZKDaIl7stbssPq7EhsbBGQhfF/VV9kejSIuCxilEGuYvBl2wcdCwB94IoAAh7EIffQx23ZoyTqTQB2X3Ji+A+aHqHNhBSXqCDrSahXcrJPevtM6fen+8YfrKgdTkEc+hcC6lHHzyyj9qOcwy98UOtLUkBF2X0XQBY19VjGP1AV1im/JY2PDA98wkpE8h+2TS61ObFNd6T2Kd9+xbbVrl+fc06vEO8WOIkNyBsLyJBmCtJf6fIxKn109oYiVQxtmuVap4cGlGyKIDxFL7iAJ7OQRVjGzQtGvXFRzltedSsk7VC/ATQ11YFX0P94KczBEH31+45MdFhdjMLVF2N87NOSGviCRdMufTaTDF7y2ViiBjo25N8s/gTVtH6mzP9zPv1yHmJsMWcJY5+ARjZ0rOvHLkd3/ng8SkDVPtxiADscOn31/rBsRcroTuCaGk06SCZE8M2t/U2YDprjyieRx3qOWUXvfYgQbUuMK/NFLqJGAsfFRnXyVM+uhHtq713UJ+hRMmZzoRN8D4qLJVtRGGsZO6PcbMFXUJI9VvB/2lfJD6dqBNp/7WNmlI8MWRTW3dzVkj1LYuHLrAnRVwS1wix+S71bXOuDkjOTYR2Qz9svDgFYMaML/0cx2ILxn8pWomvLrKNfmITxL+5Codxdoi0lwYRffvBnLXyfZRakJnf0LkOO7hIhxJPhktgudCXE3WD1d+J6DZEBaXMB5uiR8ICoEAYUf69Iyz0iag1V7cgiIaXYoEye08CFQf5t9kyKTOo2toAxL0s8o69rcOTDx6j5A8B5x+bC4wXPQz1jQJ1JKCCvr/y0Mm0hgQw8dX2ZyqVQnVl8L2iqMTKDnFsTkAofz4BITaQ4HTakujwiitXYMzi2PNtEbIZ2B4VHDoghgUMBXv9+ve72daZpfJ1nFHPhhfuJpzf7nNc/T4tyU9BreuS2K4ITRlXiFT3p7hMFJh4MqTJTbJ6Qe/zoxVJpJSP356AQynrIDMwpyrjFkFKLaWDq0a5GUWJcdigV/2PLFPKF9vbARERo6b+fVIyZoTKfIZ4Ew7LIBQNmGPf23BN31WeNfbxAu4ZvPReILWwFEx9TdAQMbLbwYIcOUlN52/q7eaedpDNXWQ==,iv:RygSZpC5mxE3nTyyKbkdH4mtO0oUULloYe3SW6CU9Zo=,tag:57q2on2HNvAInc8bDmm0Ag==,type:str]",
+							"mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:DtrUj8gigPWaLDZtc/c=,iv:ZrGSbQcDNZQnpon/gYvksqbBSujHm4hLgj9tHCF0Q1Y=,tag:YpjGrjQqqKoI4QVOxJfK5g==,type:str]",
+							"mailserver_sasl_passwd": "ENC[AES256_GCM,data:hqVBwpw7qaMy1jMzy8NSfBaNkqMimyl8rlTsjBSdtisoLONXbowrth0+DBtfPEtBFmCSVForuy3H2YvrVRNpKm9A7UcZutX6LR0fSI8nwnnxJT/701dVNZ+PZOdgsIE=,iv:3EHg6veidIAX372ZUJ+O62hrTGfLSsNIGAhJ4HVHQXs=,tag:05xhHBlCeOafxtC7mhivQw==,type:str]",
+							"mcaptcha_captcha_salt": "ENC[AES256_GCM,data:pgNa+ZyMWqlAtW/sqXMdsoEVNemSVs984VzTus7J1G4jOFTekSrDaTU9oSPix5Mw0lJNQXBj/NP1t22VFCBaQw==,iv:/QGyaDV62sYBd6PprDDdqjLgJhMHriodjNllPkaJMC0=,tag:Ocq9wo1ecvLlcD7zBFk9OQ==,type:str]",
+							"mcaptcha_cookie_secret": "ENC[AES256_GCM,data:wHXlLg2xpCItdpC+KtMh/truwyfn7RMK4mJo+cDb54D/UuC3B6yza7g+ryiYOkaTLVb5eWwFNHU4B9lF3RNlfA==,iv:mzmq/B2MPCt3HBtkiKfbdKyOMkOiGWAsF8OIgSNoU/w=,tag:wOkViCAt6W2/a3rBK4U7pA==,type:str]",
+							"mcaptcha_postgresql_password": "ENC[AES256_GCM,data:RTwXzvTYggyVxcyOkZvDtp84jWU=,iv:x+s+R7cKOtqTxG+metfzuSECGxBBVMs5+9fjhSklarU=,tag:z5zxdZ0hpzRoFisy2e19Wg==,type:str]",
+							"mdblist_api_key": "ENC[AES256_GCM,data:mEaralRWS9JGX2VaE6kqL3ZsDHRmjHJcLg==,iv:PhxGUFt99VoEJKZmosBC1Px/qrZSgMwZZNBpl4sk85Q=,tag:FHrcpxd5PgN8UiZOQ7fwow==,type:str]",
+							"modal_api_key": "ENC[AES256_GCM,data:OtFNCHlcXYEnGhCVTBN/qq7ysPmLofHm5pfp7CvmovHeHeAoRiI2SkJ8EbGwIWKKuzXFci7V1NiF,iv:KbO9GD72syXIwieIWvGPrYeUoXs4koYzrN53WnslNEw=,tag:+iS8ABOKEQPOIoOk7JHl8A==,type:str]",
+							"monitoring_idrac_password": "ENC[AES256_GCM,data:cMDr1nnh,iv:tNjKKZupChdXFOFmkhFYjRUbABGjfKa6CqGxowK68S0=,tag:WWd1X5iUMnBfaaTraeGdwA==,type:str]",
+							"mysql_forgejo_password": "ENC[AES256_GCM,data:8tyaBdIxnWtA8QDRqFQ=,iv:JdziO9UFKE0SJkVZNXX3ZvPRydtVHLFOhEbIFciHBMQ=,tag:wBE2fAM5TAx2vPr5fS34CA==,type:str]",
+							"mysql_roundcubemail_password": "ENC[AES256_GCM,data:uSEmAiS6OqPh6rDsgJc=,iv:r/kbHWnrE1fViTuBJHIEqlHrmGZ4JYIR8nCG9+frxxc=,tag:kC1oBCuIAKrXKZ5L+wzlXA==,type:str]",
+							"n8n_postgresql_password": "ENC[AES256_GCM,data:nwwpZRXYAN7S4q7tcpY=,iv:rrs3fznOd2zy8Bqhq1YLw+v61yq6nksdAaPmyq9Dw7c=,tag:/vGcpUtVZTGJfjmaWedudA==,type:str]",
+							"netbox_db_password": "ENC[AES256_GCM,data:Wg0ZrUaodkJBZtDrNo/WQE0mDFrmHQ==,iv:K2XofanbuOjg1bp4RU9eNYiGriy2Owu6OnFEBuJByf8=,tag:URnhv87z9YQyO01nU+JmmQ==,type:str]",
+							"netbox_superuser_password": "ENC[AES256_GCM,data:JJap778nvFO/kECU0z8aOCi/uA6+iV3s3Dw=,iv:yUk3A2KVElzEPMaKlJxXMexXOW3bCs2SMhCmZSGk80M=,tag:PNLiYgJTrovgR78OwgMi1A==,type:str]",
+							"nextcloud_db_password": "ENC[AES256_GCM,data:IZlR/DVJK9qO/vR3Ltv86w==,iv:iovx+rNNJrA1JTJWnssEyoAvrNm+vdDdhmkOfzhROIw=,tag:qBhVgeFnFVUWgRDupZF/Gg==,type:str]",
+							"nvidia_api_key": "ENC[AES256_GCM,data:UPjOf8mg2bPBCUaO8189TnK8lYxezEPptnlZlMBg8J59mssAdqJGRfQwr2OmCILNp1u9eCWZ622kzWPdMFaMQJfMTV+fOg==,iv:0c5C3A2zAt7g/2cNhbfKJnEFD5qObAbWY6lw6Md4+OA=,tag:XQ5XKtO86m4dgtZb60hHlA==,type:str]",
+							"oauth2_proxy_authenticated_emails": "ENC[AES256_GCM,data:fWNqSnoh3iL9w2Iq3LqPPRvE0pYXq0y5MvE77ovaBQOWOfQdIbIRcVralD7YdLj4oCCT4IWBbsgWBam9yHrB2b6pWxKhlwdZ8mVWqX/XSewWrawXIsx/4ZNfB2ExqSJaD23oiDlUNn0x60KgNHmODFuszpwR870ozkMD9Lx0/mfEiuHkWaVL09ZSOjPQOu1gcrT2nBHPpM+75ZSMpbkyy6b06VAj86H+IkVWlBqyrvGKFMNWG7hyunNWgHLsLyUywhYa3LxvFEEszff4vdVrS+/PNDIj2iaDMroPU4AY5sc3eg9SA4Q4BVIYK6oUykhKM8iTLjPlKwyOs5ZpNyGNS05Rq0xh/eneMuevkKxWMPsfX5Nskxeb4QzbSZbKDbu2X9Djxr5QmiqcKvVDkNhiEUvIt+qvxmdfNoyqdpFT+hIbpCUZv5UKp1eSlktolUERAvcHvag/cOz0KcRU0CaeowCU4dWIX9LYQeBvhJkL2pDdEg3vQkyDmSR9/1nur6dsyALAQNb55V1hJWF/GTGelw3hZ0u+dcUrnqeuc2GQIh9mMcZwZoqFg5Yz5Mxst+7fU2aKhL9XQEuCNeM1UdBNXolAGD0txnwdDlaNcLKWzqJxreM7S37SV6AIJFxu3E+iKlUN+4fYgTtQwC7aznk0HW755opgIqhQ4+SwciO1vYd6QSQjyNG5AOdvOTrYdHjLI+/1HIXwb8cwuSxchZBbxinQZqyy9pp1i7DVY98zYW13QTHfxTjj/LeroS91RK5xD6MqVg+PoYiqNyOzfhCvR04aNxtOxSNfamyZtyZGg3cxvFdvF3IqJogYj3+Fxz7eh9dbbdSgddinWCow4XS3dxJVMiorA5yqFG0P30Od4foo4W4vJJNQkonDUcWY20qVx+uE+okbQbgvYR0uaSlRE9E5QvfIamScXMh3feVcWCbVtBOV6mqdY2yvgP8LNtqqMl4gLAJQAbaUeVb7oeDEv8wnzZ8p3ZaEm9a+6lvkmEJs27pZuUOj+BDp1q/ZlvSG3B0EG8Z3s+oiAbjxAQAEwFP8cS1+lNeRYo6MAeiXpBsnIcYKCdhKZJa+yaWrdoYxxB+ORBkRmweU3FdtSplI9KgQVsYCiXK+0layYinQ9HBzldm4jyD8GuXcwjww0dmgWQ0nmwKrGEsszYfxtZ4+QlS1hSlLkE5bMYvqjqk1lgdkyF9oTE4ZAHTXl9KyV5btWL1hiwvP4qeRDzvuCgKAOTcEcxOnp5NAm3jOvoywcR16aoXjjhXomOxrd30aqsqoDV5+wqtoQNy+ou60wcdX4cCCQIPKDrv5s319xAg87zpa7dRohaxbg2xe193WLW4FGsAlP05HKIRs6VcqHH2w9Zh/Txmoe1js259vvZzdOzjICsz8F8rgX2769GuGc740ER3J89F69jQMYNJR64atuJba1awJdud3/oUuNcH15ohny/FGef2uxTEbrFeQsmKMlLO8cy0xGAh8qebkwYEAZlAAoe9NRLQjJKkjEv4bol6Lm95cioqAGj97rUDq2jvqXCUbjXmLwQCm6FIykf2eNMLuor+JO/jhUxci5yFfLYIne4LG0gx2VH2uMjbypEat3FYtH6ZvIXXUJs+4W4yK8CbZUC3RPvibWiwZtdJ/Y+Z1nhUD0uh+Xvxcdh2Vqm3MP8m0MV4QeYp+udJkkF78we64klmT5qJ187buig321gPQJGvBPakd16zfqrIERDthhupqKMv9FsmHyMwsRk4cL0/jOoTfhRtNNtzZqWvi6+GbMv41r4T6aju+1NkINLDGipPbTkUYoVF6qll+ogAWg3xjduWMQgbhG3fC8thMvoi65ubd0C3GEOlC64PbpuCc8Eiyi2GfdLB6YSwvnFPs9AXukg51OzW4tIUrl3sAg3mRAQhhO/8W6n6oNmj3EQVGsOkScR5bSwiEwnyNwSesA42LqqQ4kPqI7ok5S7M45AOCIwLJIgKCM2bhbryz1dB/4x8ytNwMxF8nHKSwJkakLF/VsT8iEZjHyUCxV4YCcllB15HTmY/J2qzsLm9Qnci9RPHjV/X1jcwjkGW4M0YFFsyciC/ERMTIK2c0uFvQ1jKotvUXWp0WlzS3AFxSDoU2+tyl/YrX1y99cbtpUU1CQMLV8jb7Pq5RocfhIirNcEh/n7d8NtsSyl8s49TwIB6qKgoZq/ofJHDpvymOLT2h9YcU3StXJ58M2iP9v1iADWhrGfZgJAuXS4DHglig9F31fgwrKywiREiFkaJP/9twz0Z0N2mVTPYuTWTwrv7/Y0QJ0eFqGf5AFx7A/UKPNzHl5cj5txYhxcjkTzyYGjqmQr7T+dwYqwcHvEZuburmthNzXjnhkNb12trC8POfpdrPgQXwwppb5fkuCB5Ccw8ua7S8g2Hf7BCyoW//idVm,iv:Ll+Usp+DKb4g6jYVUaVlQEDC+F4+E7jllAThjmP6Qtk=,tag:ZhLga/R1NtB8TLFRyw2ZWA==,type:str]",
+							"oauth2_proxy_client_id": "ENC[AES256_GCM,data:KJmigFp3OnxxnawOWIAlLqCvMXFNinms0oL2jk3Olgiuzjdueu6lpFZgq9tG71B6O1iKST/bP4QF8bDmqZEOmFJNzua3TatP,iv:qWlTtouNjN142ixXOE11DuUNGFxyKPxjkujdB1pgVY4=,tag:0dm7992bfFB6bKQCprwp0g==,type:str]",
+							"oauth2_proxy_client_secret": "ENC[AES256_GCM,data:CN1etvPYzFudlc5Tnn484lsr9PV22VbS0HfDmBY0R6F8NZw=,iv:SfCoZNwJD9wbrs9jaoT1cXiOJlQqaPT/eAt1EN49rX0=,tag:Pf3mwyxaNwJsKVz3190OhQ==,type:str]",
+							"onlyoffice_db_password": "ENC[AES256_GCM,data:NM26m+kFn3+GF5eeEm4dqo5Xuxqc,iv:SKvCLzBw1DGDXLWNVWxADntI+HCJUQwUSSYJP+aSMmM=,tag:drqXsesvGhlmsrl7VoHPuQ==,type:str]",
+							"onlyoffice_jwt_token": "ENC[AES256_GCM,data:5AT1rBhBOEDMckIPwBIMLUiFjtjh,iv:BGr8tpmO2wp/VDJVeKqCdj2o8qhXe5AOJ/u70Ln8NKE=,tag:Vm10rczUMQHal3YQrBh7/Q==,type:str]",
+							"openclaw_ssh_key": "ENC[AES256_GCM,data:rUVQRQm/bpG4esnIkDndPZ2spLiQiwFwBUMGvtRMBuEnZ4/7kB+ePEvN2cl84QbrC4n3XHp5lL1mnRoajJin1Lc0bC6UmQphRIzIWQJYuBQ7egBM5DgVsWbVVeMGLbb01/3UgYkUUEmtf91W48GxLdCkchIS7JJlerP1veqagkd4bJHsVuNvM6+jUp59G4dzjW589LrQxGaI+slKnPtwD5okLFMsrGqtzV6tbwApgNWuhk7Lv4Ht4pa8Bs2HY8B2eU09IhHGcmyjXOWwa7Do6t31ObE7geVyMK89S6vUZqRVGuR+lhwlDXTaIC1pf34DvcUZddhLbbr1yNfkLgA+y48BnNjWp6iBj8vFzVD4RXG+VZEhuU7VN8IwPaaOkHk+qa3ARCwj++FYa2tTbp8zha7zf8M+si99Zm+f2md5noe5IzIXqqGMiiIL9OZQLcnnz5m7mhGiLUIXrpqU/XNNqv8rwrot8TrI5ULDmDyzgUyteQkoZTYfye/YwpI8iSDlq84reQ3Fdlpaszy+vd8q7CSOJmsTLwHiFWhS0U1oyQIitA==,iv:MuIGCDKFzykvzcw3xmEy4x6Ge9QvtXU8URdOPoF+xsY=,tag:RFQFJfTLGj9i5JlwZoNowA==,type:str]",
+							"openclaw_telegram_bot_token": "ENC[AES256_GCM,data:lFZc+7EKUol/20CJikeaWKgmCqAgAmAyqhwaZjLrW3MuF8nphb1Q2FKOfCu0BQ==,iv:l028OjWhjnLIDhgkSQDotkKR/5g51v2HnV5Z5GJ1Gcg=,tag:vMP5LVTdBybCKAAAy5ZtKg==,type:str]",
+							"openlobster_graphql_token": "ENC[AES256_GCM,data:Zo+TOIF9+6YkuhnMZUylWikWAYZJmhhnoxyN4HsiZLY=,iv:9zH4q44PEE5VYLxGbaS3TItEzfhKiIau45k5VaXoWTo=,tag:nZb4oHnj1pvNnBKLWUsYCQ==,type:str]",
+							"openrouter_api_key": "ENC[AES256_GCM,data:vtNCmkN23RXzvLKhdJKvhRn2xa1khK7K3K/f2k1BM30ZNWI1F3oSMRN2wdc3kJMP2efX1UvHXTXj8ylE+AFpdcLFQj8yloaDtQ==,iv:l8MswjA6m9DbK0jLEJhrd0l9du/+x88EXNrgBsuLRt4=,tag:tvtKWYBY8YHFiRC2yKP54w==,type:str]",
+							"paperless_db_password": "ENC[AES256_GCM,data:kx61uu6Almx5511Jltxf/0YFZjJRkA==,iv:pNnW29ACilF58aDcI4ysrf5l9P6dPBOxrEhwr1rK9DE=,tag:1grX6V2UutmXQcq1/85+KA==,type:str]",
+							"phpipam_admin_password": "ENC[AES256_GCM,data:vRRMPF/Y8WTa0Duw+9oY5bwkPbAcMWF/,iv:YQFie69jldnMD7LJd+v3H5H089oiNt26ZEzsLZ/rZmk=,tag:GMqsOygHar4/H4aVJvhgIw==,type:str]",
+							"phpipam_api_code": "ENC[AES256_GCM,data:H+qTVyVN9LZsDvcEBCsDWViRt/A+JpfItzwS5Is4+X4=,iv:MUba5eweiUTdERDrWiq/TeOV7RRmgQUF/XfGtFEaH6w=,tag:bqANhDCzkbR20Jl9TUHsGQ==,type:str]",
+							"phpipam_pfsense_ssh_key": "ENC[AES256_GCM,data:e5caXugby9/26fjruoQAVFDeKXHWsJR+DkneArg7492TVO0/bPyVYFHY2/CcUOYudEUaYhA6Ig8n9AneRpJ2RxLkORhf4YBthqRbjWSP3Tyd68GNzzPrbthnKEst0iTf5UMcEgiAUah0kui0nLxSrxPx5dHIS+RsP5gvCK+RQZV6IHEd2mOxvBxNOKFc3Slt2f/jXzCvR8D87D/3qakNAMCQmkFTVtsqnuCNbUSAL3bUuHVbN27gqq+MLm8vw8nt5RP2kcd3u2X0IW7rhGRtvc0C4+SNdFCAfffoFKow29zjBTK4SNM0FSTdo3boE3UnCnl95WvSqmoCF6v0nhUUMYqp+hR5uVD9gBXVlZZzQ9zPZcSg/684FOhWmZ9bTpx19drgbKJRPbYO4wk4y0kgHb2XTvRTOr6KC4Mtl+8vGDS4QhfxZupPCyHPIR4Wn5t4RwGL1HzXxQ9VUh2MiABcPNihCtvCcsPmq+o6Ktb7YVb+v0KaJYHHmo7yL6MZZxUal5/Bgm/hqbLCtT9S7hXjan3EU2YPSoCQ+Kj9YyEjOBduo06363u8B7wANlEU7kVTLR0jgjCtPUTiSar7ThG8V12Hqo20NXQDQLjGAQtZOaJ1kEYa5geiZW93FVNCp63z9Zi3BVMs6a6DmOfMmXLKcbxM92Do60yb42NC7VsXlVjBtFOhiwkHcx2rZsc8pr83RBQRak/+/AM9gI12XHZp2VDAp10IjJ2KAygXb1WY7tOqPiCY/0jKggniKmLLejsDGiEzuwuKx/Iz6VLdFX6Nh8mTyjc3CTQarOaNM5MujKpKSiPgpm3AmPt4YQwQvsSfPvWVreb9hEFgg1JKRMVu1yRnvrsCHbsptfz28swanbPw62OOb5cfxzQenH1LyPKsMUFD15CgKqKUIHY2sI8b7bNuix1o1JVgWMGXMLKqK0y0yJ9N/2i4/5kPjjMB8FWiIm+ThEtoGnRXZ6T1jQPSrNXKgGWxUH0y4kxPlvBAbtYPKP3hMMpjhGO7I/1f1CTtzwEeEJ7Or9uAowywkP6lF08WlAJkYvB15mZ07FfxLrwRI3WPIIKD1rsjoTrYUonbOmhf+ly1YgrdHnlyW0c3gqwMMv4q0FD+CTmWA0cnIPRua+K7nicb9Ud0X08udQ4WM24uscThDfWOwpUv3EDVXXQwxJk6BFMYvaHBfA6g+Wi+AtMOiGWXU6BgU7vu/6Aw/BUdgYTyndGSNebcb2tQGNC9BN1HQUX4ddXj8SppxuQg53s3R1MbhmSd79DFUM1hNOQnHlXqrDAXW1fTxbVljrpfDF7sHkcsFmuFtiL5JVAbodPYQrd6q/9FQSSYJoj9Etm4YZvzGuCM9g7qnL2IJjjDS2ApoQ0HOCAblC4eweGMFtsQAuvq9aJSZPBEmR9RPTWqPwLbKG1wxpgf8PC2VbPw/OK1OmkkHPF+bm1zLp4GLa39a5/n2cns0o9unsGyjv8wAb0pVzsUpQMU29k+hpPOWy3wEW5YLbc2N+4PqFhFFs286Z/0n5ydzf7yiJ9DkSQEWKGccYIbTiXjTZD3r+AakWxFPcZGcWp1N6f7u4+6VJBnkpF/+33Ph2SoCwc3pw1BzGqzhHn07ZAFhC2HjHWhfSkXIoqEsYAlDjaxM3AZPTGg2KkIxTHuVeNEQkOleyuPZyxkcQbaw0BEbb6Keoq2AbZMvenCuQWbUbOk8NyMP5jhdITT0Qm5fFc2trRdBe4DDilU0YugjTyqdCkZJhTIteKppMFlLsADVg69kjegotrg34n8HfGN6izmbfLpqXrg55Cp2E2OezJieZaPh2wngV3BcheZEHJTKwhjxxXt7SOiSDkfGXhFbucy4j1ZamfRGpccgg3xoN1Wx/kwSlVKB09jonhNvMtJVvmc1Wrc8wzBqXvzMc2pk8xVjm/3De6FAZOSn9dShq3+4Zg9yMlKM6kGcZ3e1GaFnpJbryfwz6deyO1shS9qGB8hJyWRZb195LFTZ26GWomVHTA8rEg95De/tpQ57d3gSPC9FXN4RrPPx27FqBTabyhKa4t8EApF18oWKEHDomhNM93ybGZujrqlkF6kVtQZHvGdujBzNObsGe2z/t0nx/zNByNrugAexcje6PPMR20CmMnV2Sc9Zd41uTAZBIyaz3aRmPhpX/RX9I0BC9sF1CmfN9/C6v0WQYnxdg1JoVkrYkbEtuI2H5p/ptS+R9+t+BU0V2XXC/L4U2W86QPk,iv:Texz6H7BX8QluO6AakNh41xU0sjHTw0MNS3B6kqyJEQ=,tag:zJi6bLoyKPoqfo3RSszCew==,type:str]",
+							"pihole_web_password": "ENC[AES256_GCM,data:f3r89SJLglDqnBa+vjlKrhbuWhY=,iv:UfGW87ozyc0PJSv64/nDNZfyOZiwaReblRedxBI8c/Y=,tag:0n3IIF/Y/JD9JmoCZ90XAg==,type:str]",
+							"plotting_book_google_client_id": "ENC[AES256_GCM,data:rMsOkmVMn6uswWA1StNleBkpFtymfy8iI0OhfYEebmNAAvryHk+V5nU3AM+BJfUKdpR+FBJt0VCEPXnmFYfX6FdtSIX6ts9a,iv:/lyq67wTds494bGutgx9zXmNBF5r/UnLJ4/pTlTXJnY=,tag:msFaWqirH6gcZHjDsALnGA==,type:str]",
+							"plotting_book_google_client_secret": "ENC[AES256_GCM,data:XDBTiIgWhhdvF7N75iSDDe+rSU+E/ZeiFXB0dsWUSh/VHfs=,iv:fbbgzPhoQzDfZbWb7sw9CHUoNtVOviQWGKuK91cDB3E=,tag:pBiH0TxdvG3kLyn0x6Ir3g==,type:str]",
+							"plotting_book_session_secret": "ENC[AES256_GCM,data:L/xLmjboKJ+kHE3EN2zr97hMQIBD7+3u3A1YHksfT7mUtHriz6PuAwTgrUr5q9H1YGS9PKOLPd6LvJclLW8SAw==,iv:iI/R0zeDHZClrDmPF/kfyCDRgcD28emLJnylxWQQufE=,tag:EWtFE6JvzUQC+hxy1cXwrA==,type:str]",
+							"proxmox_csi_encryption_passphrase": "ENC[AES256_GCM,data:i6A5vgL58D6bRqu0cSDbaerhKLEWW2wmor3Yyz3+nNJ//lK9L2t3l/g250kvuZ6IcktjdoMiNMD5ldjlGpcvGA==,iv:6GgGOIzx70U44yXM9bGIlHalnQJY+Zrzht2FkTvUVl4=,tag:9LoLQiKPLrZgRFgWVVcMtg==,type:str]",
+							"proxmox_csi_token_id": "ENC[AES256_GCM,data:2XcgSe3s/n9UP5P/fsJi2c0=,iv:kJsaKQmWFPj0/Q2yDTt7FrPpxelV1z3ESjb3+ceUlKU=,tag:6DUhjgOagEZ1r9jUlJ/Nqw==,type:str]",
+							"proxmox_csi_token_secret": "ENC[AES256_GCM,data:WiVZ3WBNf+bKfpQnsToi5K2+8FsmjKbd332Dju5ZyZFDTGyx,iv:SQh576ZRNJ6ajggWJHFjwRaqPXQzk37p+SWruLu4Q2E=,tag:AJ/zlCbc5T7jYLSI5r/wdA==,type:str]",
+							"proxmox_pm_api_token_id": "ENC[AES256_GCM,data:Hmz392w/nnSNrReCARAmJzz8sdYN90bwx/RLwfu30eM=,iv:C/S4lpH5Y1+GFO//2f6BpnbGNw1Lw3UKvQHC50cfBvU=,tag:9vo9XsD8/haGAhOvEeYWyA==,type:str]",
+							"proxmox_pm_api_token_secret": "ENC[AES256_GCM,data:VtMwT8rmXFprkfg41u/hMSpXVMcLPlPnjJi4hihOC0zof5ig,iv:8wEe/DbDLz6sh5jzV1M8Vd5eWNuscBjpZMOjMuGkkoo=,tag:igq2A/Yz9JJVjifUiQnuCA==,type:str]",
+							"pve_password": "ENC[AES256_GCM,data:1Td8XLzK49oOkaevG9rUKtYXKpdY9djPh5cb4Q==,iv:R8TnnXcU9UvGn2sA0CgNqSFy+dui5xHQWpirKjHe3y0=,tag:cxre9RHLdMEIMzw1abasSg==,type:str]",
+							"realestate_crawler_db_password": "ENC[AES256_GCM,data:ZPU4CO0/gPeH4xJ7u80WuETkJAQZ,iv:GfTG5Rmcu5Q2b30AEHnAe/wjpuJmX4a3jz5w+KEAbEU=,tag:NfaNOttHCECnZDvDR64bDw==,type:str]",
+							"registry_password": "ENC[AES256_GCM,data:YeOKY4y8dByMitwzDIXgXgMSk9KsUr+arI3W8Gwmzw==,iv:rVxp8Lgm0CKbtXa0mNrFo739xjon5gXbb02rMorTb/k=,tag:XSRUpN07x2V1m4cN/ShW8w==,type:str]",
+							"registry_user": "ENC[AES256_GCM,data:3s0q6/OI,iv:t2DH6g9DGa5qNULuX5Frfpl09/4ZosSudb9/GUeMvDw=,tag:kFuC4z3naAnu7C7bOad08A==,type:str]",
+							"resume_auth_secret": "ENC[AES256_GCM,data:wBEpSzbFFfy5D87bvkFnTyvxN7Qteogy5IdPvw0VHRTvqpscYrLhbKVgP80=,iv:E34x0NBPpuvOQaH2i6O+abUkZ7XK6kqH5VVoE+RBBpE=,tag:5Yi6f0jRVTWkXrqYyaTj0A==,type:str]",
+							"resume_database_password": "ENC[AES256_GCM,data:Km5N4e6xxFIMjxWFrps=,iv:RtHmZqd8e79+9mYDVruiYzp9eegm6sQ8rbwGaBid3Fk=,tag:Ue5LoCgbHsn1K8dBk/u1Pw==,type:str]",
+							"resume_database_url": "ENC[AES256_GCM,data:8AFh2gjtqa85EUKrjVCcf6e3B4PChSLGQGQOCmI6aSgLNrhtOxBq/Rzc/Qo2tI2QM+N8+xcWI+Xj/TaKwFh1epZepv+4ApdM9zJM4S6/SBXS,iv:ieW5ARNoHb5jg+QZ1vtkFk8+BQ3BPIHcGF2unRt7FMo=,tag:d6132OXnP9mTuhdY3PwfIQ==,type:str]",
+							"shadowsocks_password": "ENC[AES256_GCM,data:49lSNF79G5vJQHeJi32jT19gOLs=,iv:RUVkJtbUsxf4Phegu9LThJXMNJx+3dRtjVh6KYHFlVw=,tag:7soN5XIzu9x/Of2stWbu5g==,type:str]",
+							"slack_bot_token": "ENC[AES256_GCM,data:7XmGsLy6Mi4JKpOh8L3VosWMFb/9UCqiHlCx82IJjrSK7hURx2SwWgVL4xXLA+IfZhNcCb6WIxSp2w==,iv:1KMh3VKq6KuxZKeAmPREDuHixtLCNeVEyAWvQ8FRDkA=,tag:2uyoYDII5/RZNZPZk8gw3A==,type:str]",
+							"sops_age_key_devvm": "ENC[AES256_GCM,data:lCwJ7+9kFT5Q8MDRF5vuB+18Kt3zO/FtLP/o4BitJWMiPufstvFeJdymBegj3gQeEHlr2pm0KsJJDb/smLhu6hZy+nrQh3hLGSA=,iv:epNqSLa6cmiTtqgkhTRT++Ja8psKN1CG5CfVB1fE7Qk=,tag:T55pQcMh0P7JCdPVGATOmQ==,type:str]",
+							"sops_age_key_laptop": "ENC[AES256_GCM,data:DsXwBBYlc+ww2+A9PterpdGXtuu7JLoXJsXJ8u2Mid2yww77XcL6H4e7nuWLQJGg6y6CF/8I3R4jrx7d++xxvrKSUDJHXHP8YlE=,iv:gYjK4Wr8ItyBKH8GvArVAwc4vm9ojdVbsX6Rwj61msE=,tag:raj2k7jSHCycU3WULh5RoQ==,type:str]",
+							"speedtest_db_password": "ENC[AES256_GCM,data:lxNG9vD8+a/IdnDaCS8=,iv:GukrzxGe8am4Iqk/OHowT/LnHTLMV4EC8gheSpSwUIk=,tag:qKSuxDSwVJ/4ZQH41zpRNQ==,type:str]",
+							"ssh_public_key": "ENC[AES256_GCM,data:nrcdNONvB8IbEdz6RAnYBXOYf5kzp0rr2t+uCFqAANonF9vtp0Vvnq5XEYLW7QZmENjiG76GIObvg6ktYcQ1gXl4oEItC2KxstRY5QITBvURthdTEJ9LybFAJV44lWwvtgs=,iv:tJvab6jIBLu6StNZ1CM297kXLD+0ZvVLNJa9iBNSZ1k=,tag:WC5Fyuv5Hulmr55dKT2w9Q==,type:str]",
+							"stremio_email": "ENC[AES256_GCM,data:k91f8TSGrrCG0jafc9A0n4e4ZHvrv/c=,iv:xgp0PTqxBNmxBL9CO3Qesw7drU1tqCYvJZa6B9Zh0K8=,tag:zHeLTU6zHlUjkyhIkaDECw==,type:str]",
+							"stremio_password": "ENC[AES256_GCM,data:ZIXRgSThGI34shI/K6aBb0PAZNqcB/PzQSo=,iv:nz839j3n6zSx0r2/EJlI1Hk1IHNgRJK320w2Pl7M5Bw=,tag:BiR+kNV8T6tk2RdIeKm5Wg==,type:str]",
+							"synology_admin_password": "ENC[AES256_GCM,data:sKDtz/XkcWo=,iv:h8AZWjnohr/tz1l4aaC9txN7EvnGSd8hfTXYdt0PVtk=,tag:MW+vsG32quyBLhbHQLyrIQ==,type:str]",
+							"tandoor_database_password": "ENC[AES256_GCM,data:5q20BvQmIJc9yZPMiRXYtVB0tb5duOf1+g==,iv:/E3HtJ0xJg4jyYQW2IBaFI1hGfRw3e0Dp84wTmZ0Q8I=,tag:/tPlxCGkdSaRt71g3Ola7Q==,type:str]",
+							"technitium_db_password": "ENC[AES256_GCM,data:X/I1cKXBF+jTIn8i3OY=,iv:KDesi0AysvxuGW36xQnNL08dxYtnwKP/xUnrUgmUW/I=,tag:r/uZZ7QdbAprxihL7hNkxA==,type:str]",
+							"technitium_password": "ENC[AES256_GCM,data:Bvy99oTSIzntIns/LMBrBEHqPMp24Pc=,iv:iQ0XjFNnYM9YPVC+A8gGuYJzLWFMoEc12IjaKinzlQQ=,tag:hAznSNxGTR2h/Ep56loC2A==,type:str]",
+							"technitium_username": "ENC[AES256_GCM,data:K7HG+3o=,iv:j3EzFGJfxoNtu/+tkPZz0XEDrGrxYTo+8sHXG23rjFM=,tag:FyuU5gv4A7wMxAVr2EP8mQ==,type:str]",
+							"tiny_tuya_api_key": "ENC[AES256_GCM,data:mALIWsGuBDkxqZLnY5Pj784JJYg=,iv:QUBVtySlNtwWinvHolGYHbs6T+5Gt/Brs7TyRendGZQ=,tag:2EcZR5wuTKxX4VQBqz6sbQ==,type:str]",
+							"tiny_tuya_api_secret": "ENC[AES256_GCM,data:+GhrDZRTYKrqzeIBSlCOp2i4hytGqlDnpDaJ3HG3TAA=,iv:f1dzuLoGUZlBGcRdqR5qi7Pc2BXub/rgjvmM7nHpaHE=,tag:S5qHi0IAs6PxhITBf8MQWQ==,type:str]",
+							"tiny_tuya_service_secret": "ENC[AES256_GCM,data:1S6Q0IjvJ2H8noDocc4CWdH8OaeDmg==,iv:drujDHOWO5rxy1MTgBw6bLRZR4c5juWqwZ1zso1p0c4=,tag:wKgAKpxLP+Pr6zZ+SLy7WA==,type:str]",
+							"tiny_tuya_slack_url": "ENC[AES256_GCM,data:08FPDYsI8ex4Gm2BxOtbBgpY2i88KGOS1SE3kk/c9MAp9yr433tqe5/BtkOk2sYvOUm2xI/+Rns1xN+YQKvA4tMdOb2sMIkiiGj5DEiqh9Vu,iv:ZrvM2iv1YiiBFMghe4GlzcIdsxkDw7AemTUcIbK9QQ8=,tag:HGv+Lx+DI8UGuDtfcXQrmA==,type:str]",
+							"trading_bot_alpaca_api_key": "ENC[AES256_GCM,data:82cpXY/gCGJVLWy5t/3hMx+8vR9I9K+z0J8=,iv:sv460jkFCllbnL4/fiItty/Ri3280crvnoQLnBbD7iY=,tag:kvt/xnvz2EKtoFJxwV3aeQ==,type:str]",
+							"trading_bot_alpaca_secret_key": "ENC[AES256_GCM,data:LKiEM0H6Fk5/YU81NnBV2HsQaOHWK8+4m2hYfVUAq2H1p0VggPfEKWpVBMI=,iv:9rfgZMZV0i165nBlWwt15jrbr/jkGd4e8UrwFoOSNKQ=,tag:atCqzXWUcTjzcX72Gn2NRg==,type:str]",
+							"trading_bot_alpha_vantage_api_key": "ENC[AES256_GCM,data:t+yRqQNN4eCL+UeuSR28yQ==,iv:5LjUgHomfQw609GKCSrbWOjZ1umhqUwbzO1s6dPpuFM=,tag:KPMXe+t9G2uyURMVDXvPeg==,type:str]",
+							"trading_bot_db_password": "ENC[AES256_GCM,data:/Gx4H5yiYTpxXhoLBNMJICssS+SCtCSiBhKaWl25CcQ=,iv:zg0+Zhr2qIVQChrQSasbXWvp+gA1SAlgSpuAomnS/L0=,tag:BOQ0fA6hQ92AYtfzfHEKWA==,type:str]",
+							"trading_bot_fmp_api_key": "ENC[AES256_GCM,data:BoQBXQ5W7znJpTXd+0nr4FAO6DJK6HOs3l2AQlrpwb4=,iv:qVUk9897z7cR8WKzcfI0IIu26JsYXpAzaQCt+wrmetk=,tag:0eRBLNBpJCUECfNwSY1fAw==,type:str]",
+							"trading_bot_jwt_secret": "ENC[AES256_GCM,data:1A7YVr298m6/GuaJMKpWjEcu7jvX78lrZc59yCftu4arX7uzufQcGiUZgNBKDalC6y164qtknZOpgjU7veFDjQ==,iv:9DyTi8x4rVqk6pXqz3tVbEM3kbRzSYNvFJxLR1XsrwU=,tag:fu4xuRTd07BQRXHD0MDYig==,type:str]",
+							"trading_bot_reddit_client_id": "ENC[AES256_GCM,data:20N9/AAQ/FblvebQuHgkk6cjoP5jdg==,iv:vklTKMmXPa2p4L2LGXiuRVA4Mefxtp8fQ/Y832O5RPU=,tag:PF060h7Ewa/bey/r84ZG9A==,type:str]",
+							"trading_bot_reddit_client_secret": "ENC[AES256_GCM,data:jj2zPuz1/P8Bjue6sPjiH2ZBi3+vNtmB4OP6knlH,iv:VLewnxRCTF9GucNFVnih13gcdoOGSWO/FRUgiAxT8jI=,tag:8q0FNnMr9aNmm0fUdxmilg==,type:str]",
+							"uptime_kuma_admin_password": "ENC[AES256_GCM,data:SIBSrSYguArjxpJB0XshYw==,iv:cRWiDnKx4/p5LFl2pIBfdOUyBwguxB36kazcuBUkqTU=,tag:g5RR8ouiRefEU36P0eJrYg==,type:str]",
+							"uptimekuma_db_password": "ENC[AES256_GCM,data:twui8z6DgOkF2Gaj5vwtqTwBSykBL5fLGQ==,iv:SCGhAxkbS/qrOlw1N6tGXpieiszgeQVV8414GZdKXQc=,tag:6wW6qJrlT2F0lGc1PZNuEA==,type:str]",
+							"url_shortener_api_key": "ENC[AES256_GCM,data:gpE+hs8w9pf6Ba1DlHL189oTSeu6scMj15Vg4dAC4Ub8i8Te,iv:bHB4kPR/Fy1PoKVwBSmxU74GS8hHGZi99e3a9/klvAs=,tag:lcatipOdh7dWnvHc9QAcRw==,type:str]",
+							"url_shortener_geolite_license_key": "ENC[AES256_GCM,data:hrEBO9b5j4/7PgiOXjiz0w==,iv:Z1t7qtdz5aDlVTFtuIfLM398BmijGyaMWSdYV/llz3A=,tag:BQCYeCtn9OgHcksRr3reMA==,type:str]",
+							"url_shortener_mysql_password": "ENC[AES256_GCM,data:RWooS11ZbL6yfhFbSH8UaYQt0Rk=,iv:ys7HKiT99LauU++XAmJQNNdJ5CMUZ6ourId+FHgXOUA=,tag:MagB3DrloD4NP1c2x73RqQ==,type:str]",
+							"vaultwarden_smtp_password": "ENC[AES256_GCM,data:LQeKeRrRboRXo5HxZeWpl2XeoiE=,iv:2trKx5QjxgSlgjAJiPDrSU7+GneqzNfpqFAb3BB74jw=,tag:3e96Kg3o6rhWkiPrCWJgog==,type:str]",
+							"vm_wizard_password": "ENC[AES256_GCM,data:PU2FhHWBNS7Lmcl9cTbpyBTGTC3C9e7Ya23VHyPOX9dwAy8xKuvUYjJWo7Q2JI6CwzIgjsQvHq3zbkBzJ92fBYQq7vW9+UXdiQ==,iv:nbpTo6pmIZLkS4JxHsQt1K+AhGCE+yxqBgL9abRB9KI=,tag:0VwkOJTzaGjZwsBeK01HPA==,type:str]",
+							"wealthfolio_password_hash": "ENC[AES256_GCM,data:KKp1R3WrnaBDFDs7AjOqaZBf8nGW+PtK/YPkfzZGtyMnNYx8eiCAcP3RcpVmPjS7CfVc3Lm+RfWK/+xbroGZ03WRNH1iIQGDdSIRMelmDA6T2tRi,iv:DQ7M5/JRFDrCmkr0dXAjV5p+TOcsM30UqvUaUOmcga8=,tag:/16B3Cw/BFPKtv74KpHeDw==,type:str]",
+							"webhook_handler_fb_app_secret": "ENC[AES256_GCM,data:iUe0PL8johaArezkNhW7gSdL4qEJPZnDO5+uz4hD10I=,iv:1gSXnXccTucR7331LoUpUin8vt4rUm3abQ/n+tUX5XE=,tag:Vd3SLY7p91HNSQS3RCxqvw==,type:str]",
+							"webhook_handler_fb_page_token": "ENC[AES256_GCM,data:hXL6dVSPcCraKS+4zIVNPLy0yrzQDNCxVZtcueKQlQatd8vF8gPuLCGF+u4co0V/dO+zR5zaf+zRYtzGPyrIvqQI6dQnxCem5l10VMyngLihL9fb9rxRSG1bLWhegK3VVIMrqUUd6yjwqd61WEmaKDG2JPSQCf+4kUXmo949w3cz8HZyuc4PtNIo5BlZMXwtp484TbuC1jPqnIdxWqu/PF/1adlEXOHV2+kM6HViisWQyxtx3T7dONmjS37AcMoaLW/VEowvEl/V8Haqtl0yea6Z67km,iv:cCakUckd5KfB0sGCLVVOHZJAONNZXlvt52nFV90NH3o=,tag:92e41H0XNOtCAGB0vJArzw==,type:str]",
+							"webhook_handler_fb_verify_token": "ENC[AES256_GCM,data:VCXVekykMF2kBnEW/4x1apyEVwI=,iv:4dzVAm+NKtMRe65CAZkkua7odRcluqxQw9BB1q4lp30=,tag:yoD8EIEbRFT7Wt18gM2Tow==,type:str]",
+							"webhook_handler_git_token": "ENC[AES256_GCM,data:IVOrQnR8Gy9aOfL3y4Ckt1L2U8PsAgR7u9gZ6qkFqMEJ4lOT6zcMLA==,iv:cSPSVsYB9SUCTr5J2TpqlTpNDUGdLq6L3Hk37Ep3DoI=,tag:v4JjR6HjTlWVfJoLevz8Qg==,type:str]",
+							"webhook_handler_git_user": "ENC[AES256_GCM,data:bKoyXPrGUr4KO6oa,iv:9raYXE40SAcHIrIEcV2o5VOsCkyT91DWa48Wjx+llR4=,tag:72725LMvza1tWvfrgisIsA==,type:str]",
+							"webhook_handler_secret": "ENC[AES256_GCM,data:sBLj7rMKbpoGloQtWs8qdb91oms=,iv:lCAkGLz+8w3pcYqkEOrl4O1syIDfh0vCp04nsZLdHRM=,tag:vTI0CfJY98BNDy1zQ1EZkA==,type:str]",
+							"webhook_handler_ssh_key": "ENC[AES256_GCM,data:fRH9H6SSfjhU4A1snBp/lDyREk1M25EpM0ZLQIacKJTAsjHXaMST5pblFP9NvXE+7RZpuPP0lOoP4uiulaaorfP6r0bXnbITGM9oyuE7PHnPVHFgAlC6lpvGkTRXCWMm+Di3DRSGC6faWkPjmBD9DjEDcB73IkE9KHRnBIZXCP52deDIgwfW5PhB7doqlUWEd5CQlEAq81mxZWDboMOx4DeLJ+lQy/tUS/2SOkN7RcLajELxvvHewhfcAPvY6qDBTphhqgUZkDNNE+10BX5oejqkwwOYay7nQBBm/o+/xoYdayw//zgALO/YvbEfJ2Ui+fhdwj1RotCOttL3te9Xcx3luydsQeg/Z8PbFCIGMXwxN/4zRjNW01ZIsdi5mdapjAUGXQJ8N3hp12zBg9Ohh6sWIWj5lBsg82HOc+fSZJ8YMcA2iYbRxOCeOS5N3aQSRN2E0vY3IYqVFiQrh8Vnzjngk0i658rOCWM347AsSWv5HPsNwvQo806azQFwGuTOBQ1j3wUYX03p0RHqxeQ+1sOEzRPppO71Jy6KPJaKQpxdbKMinJNUb9/H9FDsDvOZclRywGG2S1UyBWyoWjlkQjej/UxSA2U81E3BMPcjmOGkskSQbhThTH/9uSalWILv/r3S5m9fgFoIfxRG26LQ5EJB0BQ2upBulJLSPJg89WXvHZDotRZqK9zHDaHzo0+IuU55n2E/7HDMFTqRW///8mra0FiTijFBNywVfDjX0E9cPAvRT4hKoI7heAtf9rLDvLnT+A+SD8j1WvUxRkK44h8DZ/TGzX3ZhICCTTXQj5DUUc/nD4+gg70NbkPqx2Q0ztCPaTOikK2eARifYoT2oq/hH3BdaFIPeizBqL1KlCtjJg+OtzBuNc/S7r2145bUF1hXePV3l2UaKfRGKxdvutvOAPrFZonXOL6qp8FOizvGBkiCGoacwKjGOsPLjuAUR7hs3WbxjmzJ6CkE9GxYxHaa1h/CnhMdfOD5NmSGa8Dxqmn/GbgOfeiYxAi6w0aNtvx4HVFWfqEdBcWrHH+kDloR6r9T1ZhUuTD1arCAPvkvGRC4biu5smxPEQ9W063O9maa0wf7a67j+ZWy0MDnB1q3btXSjEgxVdCwKr3V7LJ8XyqVmD03LRg+F1FMo3AUc6cuqjYhfsycBIfPdYpp0vQ6KNRfjxGj/j68nY2NcsVuisSADhMzhGuVh3d2QSLPBf2oFjWBdvDAnH+N9Ou0nZbIu9Lt+W+PHKqmRc3meGVHCOuDsajDs7cTrz3RWwQrWa2ahxbJtazRaSqnKrRyyC+P4R0FrHPCdsARq10Uq0dvwLY7/XGjyIugJUKYJLmddTB27aUMh2W357iyJoALXwUkfWgIKvQJm9BwUe48OE6S6WyDJcO9MUv5OAoOfAoap/w8WmTWJhQii9qAhoNwt4hBw89JGijaKJNOecwmtuV2brTMM58kToxYmPlWmTkxvZiON12bkwGosKk6MLemzuF5MkCPShqkseA+x4YdZVJ6ttgPvTjISpnObloZzPPpJNrmq8jCIcB3o9WOCL4RH4KfoNfMGxCN5Zbqwcbn0pc8O/ywtR52jBttk2yqf6TDT6sjHLxNYVTkQu2nhSVDzlQJQYme2soqUbKoTFzJnqveuEJ1VvcPRz6posKsmEpkP6KhqTxx0Sgid0EeC4ij0VhLvUb6zSGNwAcA/aPGOA2l1v0Dcg8GJUj6oteXquVAZFWkl8AcM3+lbjuiUZcLogOYFpQ6R7Oy9fFZ+IuVpZ1uCfHRrlqbvBjZf7W2Fs86GY/AfeAQ7R7QU8p5UtlQNgIqEKQY9imXTQ8eEwV98tIY1SC23yOr4UucBWf8PZqNYSPuowacPTgwiuW14sIGx3R2WB/Bd91M2GLpWHDPoVHxNEayp5csuHQa72HI/iA2zXI2qZygT1o1JGix6hytoHFQqKAz8cR6i3UcTXeSXJblh+Qf5bbuMwELxjIkPpxg4+2RgJN3NSOS25L5MvE8RZc+vkAl1Ma3O0EasHtW9ZmaotJEWffRr5n+V57zeBrS3ayHw2Zo879LXNu+LzjyzVQQkVdGCHwAct2dKaS8LsU3XOFSvUoAmuhbkIPvn8dcdfc3BbmJzL1AsVdQFBxvIex2N1Brm+gBO5ZUQM1+Hs7lKkxbj7xAKebhNZK570vAdbwtm/B7dRbM2H3Jem7CVMlCrrLVEC7VZkWQ9Y1iNA9FIzL9MxbDWUJMI6ALBvAzCZxUVPSCEC55dWHyua35iWLfyZiVI4v5b9+kBgpQ4KYFPESW5YdOxBcVrSXDbz+loZe0E2BNCo+IXK9MDPO59JtHyX3AVb99ea9cL+df1F36d+cwbS/av5bk9vTtGsUUvsfzn4MCHB8Z4ycFbr2DaOFi3bMpBMiFsTlu7e5hK5Z36XyT6ru0rTZrFLc2wDVMZEnJQOKBqOnPiAusXqcLqjYci+T54ouR4xu3aIse8wfqEqsKNYYSkupESGnmyFDeotv9vG2w4qgxuDZTn7RmzrtE5XJIcDMe78VkFoYQYiLzWKKv59b7gUSkh03zbNOTKHWWF8yQ9EeAAWc/sFu18EAyi+MioYfWTf7PpeXVeHt1+DL+DjJ/h/2ss1K5XnQiqZjVKal1IWbfg8T4qsJP+ta1/nibD+5++wYZIj/DKOLhWCjKZtb/oNYuyhkTsAlb2Dmf7Zx5CMVlHsFqMSZoxIfRgrKwkkGPkedv6KBvou1iBDk20EKpzLhZpTHeYf1Pvvxu0vBrG/EQzs+MHV9d6+nGJ1x1gf+zWhpSeRs9JEQqXbECs8Bb72IsGsTxDQO+ILTIZ4ac0w+3TCj3u3riNRdENn39kIXjmWJyfPZkiXLjHR8Xdzs0ffEbYc0sVXFiWtb42qCWV45LVFlqKeoiJwuA0AxHXXHiSnuDmI/9ZdJaI18iR+z3bS5ZdtryBKR7bM91FL6RxUHmIFUxJj93LaytAK79vV+MajyN4H4a4H4urSHQdOkxwQXhGLRJmFe6aVwGo2U4YcyU/9ma0vn/eh3sxDypSyMrcbNJyt2S5TOKfyJ8c8ygkRkg4Yuoq5f2LHHpZmfc4Aa/W+or/j6vDtVfNMphA//F8Vf99rTIRAimDpYnPHiHbBte+uUoLeigTEgNEIvF9c1/1JGiAc8J1drWdHuNK9E11/+mD35l+L5FhoSw1UZuYkw7DeWPSCG+RrATOne4hsm9lnd+PxFfuE7mS3fPsswK1gis5IONoMuoQnRvh3wpZGG0m4WUA4izlB/pokPnggWvMafBZiATDe3EFNEDPI9TFBO1HKfznGRlruCgxiqe2pYp4ScXMNd0kNzKa/kcDE8X+Dcju7EXYK327M2gBIBI8Ra5UYi9ukTx7tvEA65VEhdD/WiHi123R4oblNq5kOJlv5cTEjdpH7WjBeWgerkzRI/FokpuJ4oprlPBYRYm4YjZ6MNnAqbtAp3kCuEvUNuy0cYY68DLttkiUFabpudXc5ToBE8=,iv:K0CDRGabPIOyrHzbn1ySKPDWFUF4zqhH7dv0LiCjTVM=,tag:8IJzHPwbNnHwADxYdBdzhQ==,type:str]",
+							"wireguard_firewall_sh": "ENC[AES256_GCM,data:GAM8pZTJElGyTXAGio6Y6oGnNv0nsQ6pmGdIC9qFFAZRecDSPxchnH1Q9qf31dziJv3hlIzhZmZsAdN62RM698DzCTG7CjJyXshrh7KYlE1h+JjXNUxGYd2EmfgHSA9eEZo58L66q/lajifoVZ5p7NZGn4dmtN8veGmAnkJCHNMDQfSedNq/vGCO0Btq2NGuW9ZqaYJCC9a3RYJjA+j0wNzDjq/6CT4DqK9kci6DDBpLlUfMuKVw9RdsB3r5Idpo2N8MNw/YGM8y5CGKnmerCkbud8h3jD/vAPY9fJPmOdiqPodjA35JYUqSEozS9g1zK3W/faWt8KoL4qpsW/BiTufF8+DYwQnPb9vgUDbecw6hY9p6Y4FgPdhKtg8uRcbuxKWrLr1X+SWMARPvQTlSgHxMUD2Hj22ovp8wT/Ijpro6piNoP7hzcnW6ZFIm2HZ7d/RXokIbt49euMk4lrpdHcxqlCXJ5RxD3iZbdePIWi/dkv4TT1jOL1ojIUK50IhkFU+CE299W7gLa3T44K5/GQpil1Lh4QGanhU=,iv:TelcpAOJnOpeHIGOdsy6ry9ZaAXwtMWVpQyZ8JoQ+hY=,tag:OJWM2M3sfhM6dOXt1hNA2w==,type:str]",
+							"wireguard_wg_0_conf": "ENC[AES256_GCM,data:5D2eIkZ0gbCDWVwm0A6Di2wQDCwspjbUSRFaR0J/dJYY8RNgBQDQJeQEJcR/mlVMvbDJDnqygF0xm20e8c2X4bax470t8Gw08+SdKA6vRKK76do/2b+W0xaz8G6IpjPssMCpDYUqdmoN7Q3vBg7wcXdcqeJ46rz6zvkRDS03BuKsUbmvOQ8rs99/nwhcAdHB9Bwc/z5TE8WHV5x50wnz7S5DDr/bsNL8adojbZRyi9WFuU+gpf4HnP6MrSv3KyRBEdSIf7AHp3eoVZEOKHThWTWyiVKF3V6ZjGgtEaF3JYFmvhgahaPgB6oZVU0paojM4QLVk3lDSuNhdSC7vGZAvranv3VA3oW9ExUarHay2I2p5vfmvdTI45UaHpWgnReZDNqpvGYNFP6tTJdNF75FCkzRKfJ1wqs4NlV/1YsH0uUo7n9R3yp6FEyXb0008kR2kO5fb5gft7daIziLyAgeKSXkTHVNfUQaplek2Fo9vcZQb3zn6sHRfrAbe7Tu3STPErtdu1LOlxhVtz/ji5Dbd4gTTaYcCrFMIxSvBC0hUNxJyUh9e7csK4Bik5vIK8YBuTpN8HXbRpok2knSfhyXGBskHii8iroDdrEVSj6v/8HVkro+TdtjTUMp9nNVJlow4mjgMzo0eKfaa+Yt+95jdavzySkaczvy1miz5n1ySA++k/mPsPUNIu2ln+jnFLqBjlRs2L/7uKM1Ya6/cfQ7l6d9Op4JlQKFyKIc/l9IbswjsUn5Xk7q2Ig8i/yqghCjDA/5mHgwQ6fdiH0xnG47fUOSWWcVAoUJiW+kTLsOnQtFlWESHhcRkAl4/IZiQOflfVCUvFMAoazPqNQrSZqBg7riU/SG2UeE+HQt72fd/bf+CGfQ0hozIZDUHioQ09UQUli/F+zDzulUiZfH1BwBHJECnM6JmcVwzX6R9sQV3pEJXCE99F/F3DP4imVZTYk1NTidxpbFVU17y45SWHztm2SKZOCITipz1Mlyc2PbEatqO3IEKJWXgjRd48K8OTj5q9eBOZ2I9mtDJGyDSXKpK9II7lmZS1cWUD0mqgItVPYpk6PoUfN5X6bVd9JzQNwgvpscN83sjywMyuwT5+w0bHD9aB9H36w0tKbgivwNBxdNR0TG52siQCbLTQ3uKaZc1+z3G9oaZ+xui8m9MxYNpTHMDZAM/RmYvy5rCr/YuECHbxx5mvq+1LIf3YSu8wFdWYNDkYOIiDvN2A7keFg79R1hrZKhNOygx/pbhzOzDtiT9FOEw96k1iM+nEHXtTWyRFCV0OxHCArPGG97awUrLRK/8NbDCeeDBZ+7plfZOc3qmv/p2AOItfqsL5DaehyQYEbzedLZ1wBjf+BdQS64VdKdJlVmqyDfjokCDmA61ZsK16bOSivzMHSy8cImhjXm+gSRNQxTZJWM6BPgpGlyjCEm8kvBLjSl+Rc0bE7QwMKwAoDHGOLo8MUf76gKMfYMGWmZhH+ydzy52RrWX1/YkUJE9zfbW0njqpAVWcxYpCEkPp0ArMuP1jHZMMTM+4ruSONSFY0wt1NDB3K3yfS2M3D2STrMsxcSwqejTm8ssVariigoK4YkxWkpZuvrfT7xzDZUIbTaOP1RGw+kw77nOtWbnqbbIHLmkfhhEtwE85aKlO7EVJPW2x4SsgPnK+guBYj4cdEWkEA3Ybn+TVbTnC4OtDixOJhXFVlKWmJ/VOdzunUcTnlgU+i1NwqwQi9tHveCfF43NjGskgc3a0FsRI3Fbz04bUsHzQqq6gPdakS8ZQWd+bPLLiPeFfI7E3equ8cUJN4spw0NlzA6hgHStDviaGR9JjHIepqIWfXXxKkw95ptO7VwDpssg+E/TPC4OuHaFOcs0cxoGfp9P2QKEP/243/+c9qvKMyTSPfnSU3FZSx7PAuVyZ90e0vC9EhDs1khEMz25tUbsdHu6NNOtcr3N3b5SUWzyXMYSUfU6VaVU6TyNm/o+6Ynlk6S8oVe8UUo/AIOYBC5sMginra28pe3DqADj/HItfVNjBMWhqfGOzKNclIbqmRQg0OOeIXVXM99nWUWEKYrbiTq5S/dTyXECQSoBj7AJ43i8qRt2CPausLwUTwD32jWQp45J0CA/UgxmL6oWuhUZlHAv8UjW/Wfmj32eY7b5OXiq0dRMEwUAa+8J6QPlo+AREkRiPRtz4BQAj1+0QTyd2ED65da9DQI1Ad4VucLl66CpnAjAzO+EKjhPGf/R593P7vhQHFWAu7kKBcNQL7zIpD+dlORykdY5HKlBXITaJRmAweRxVYx1qYa3i5NgVt0SJ453Uw6kgB21z/qP1S0MnLafGxlUHY1wXMj4iCxdGfyZgOoY67yXg63XypeJBf5Jy0oU6nB0BEE2pgQ2V0fpbVlu7vTSUrGTy+fKJ5zSJdYLNaGTGj3xh6XK6Y/KpmVaXKqG+wKjPmMtwDB7IpbI2gq6Kk+rGWbu/BFZgwOEKEbHZRaUlRA8hoOmHXgB6DgQWy5SYNSOMGYUKJnWctM2o4NHCrga4VTJeVrRFnBFFWm0xMo71mLvVklUTytH5AQSQycryuj+zMHX2Wp3lUGP+VHULEjdeyvWQRl4rmnrAKWYnYWAJxeRp4Q9W4qS/wsKA3mhOmO+wKM588VmEnrLVVEkq8a0j361YqiK8g5bgmi/I9nyUL7LzGTAUTWf2XO57dHgKhsx4zepnGj7Vxu6asUy05yVbreCIIlUR3l4MUgQrFNLuodptsRhlnlleGzdTnBKSNBN4yiiBivLv9OC7zJgkOzgI/V7531mWsRCux7fl3EH60eWo8a3c56MMc+HjGWEANrOpi8IjhOv98mIxmv9HFu45Fb7/MpJ5LWfGBDQKz8tJzvtQVBi5Q3edfagJciCFkBQb8pDV0bg94PysDuPjhjumKxueq9nFynZHpkQkHe3Q3JjlFPygQsp4KwApP0HmXx4vReqKIB8Ay2VHksQmJygwL1Zo/j/xSFhdLwxhqKYbKpxCBY+JZSbbVndeCyh+I7YIrQRsPb2m7uJ+0NJipZw+m+WzS/BV0y9/lb/DjnB4GGQN5C4rf8OxF23brGB67FMnyAS2a8mvQvvr9OfclToJzTYUywAwu2hN8CrkF71pDtg35AFtrDHoEQSmVOsxGztrT2HTr2XnwFNoXxCohD/9Ukk6i7qXgmb1I+YQXfF3N9xUuMtckO7SYPgYUxSrP+vzAl6OmUvObQmGRPnqhhvmhk5zZomegfryzKk0fczsrTL+PS6/7CCLy/HFY7S3Lhv5ZHPp+Co1X5cRMmTmeecYMTmP4ZbClj+DjjXH88JZZe+9P5JWAAUYAVfe4KKd6TfOLI7jwXukeNfPgqIyy46YNYVBWGahSkAUFlD53f+49kqpHmwIO7LjxoiJ4IgHgigwMqoFJx/0mxWJMLzYpKqqoQFyGBpoqDEQf8Jv5xBnnqSWK49sdy8ug08r2utDDgRU2CRo0ROtX5,iv:95mR+zMd3icXiXq8SMer6I8GQfD6sGot26h46tpOOnM=,tag:lkMUrD8+0e/N6KC3GeLrDg==,type:str]",
+							"wireguard_wg_0_key": "ENC[AES256_GCM,data:rOB435FEmUky1DMPzOsF0DSipV8SOQkQRlPuW/+VQnvJlKUxfjmdh6kZSJA=,iv:xCFsCjJG2XwYMdpzHnESnAqEy9Kf89oc7KIcgzwx/jY=,tag:jA2E7BBeIFXvy2mvxQxjSA==,type:str]",
+							"woodpecker_agent_secret": "ENC[AES256_GCM,data:Tu2Wlgi2UIvo7w7Q7V93YnzcetBduX28noVt0tUxn8z9QxJc8aLsmR4uWz2zYBYbKaDYUtPWRJyG1/Sguv/60g==,iv:PF/7LHcBw1nSiiLBymV73f2GTCKr6Ag2krfkif1mg8Y=,tag:T2pQYkdxVL1uTTK1luKjaw==,type:str]",
+							"woodpecker_db_password": "ENC[AES256_GCM,data:Zngb7Ulpbe+gQtSCWcXeTplJySpqm1nmz5HT7fTSeQ0=,iv:6IDo0zN0QEuV1rZyY+3aPFk2/Gf20Djh+GEENkiT4zA=,tag:RMKK1giIDa0rReb5qydlgg==,type:str]",
+							"woodpecker_forgejo_client_id": "ENC[AES256_GCM,data:GHn21Bwijs7wQZJ4GVhF5hr+gjk3puZhRJxoUMUCpvXas48H,iv:l6F/HNGClv+fH2RTm/HV3VYpW0CYGzF7impHi/wA5Zs=,tag:/c3EumdrBe1655kVykDohA==,type:str]",
+							"woodpecker_forgejo_client_secret": "ENC[AES256_GCM,data:H301EX/++sTBgu06mT4DN2xb2998+a9vPQ/esRLuLCCut0VAeiq6xFOlfVVD/iXnz4mwHyq/hKA=,iv:Druf9LO3yhp2FbSHsUP4M9c8YxLVQACl3hX+IvJGvKw=,tag:Fy4F2XgcL775mbgYN+R3tQ==,type:str]",
+							"woodpecker_github_client_id": "ENC[AES256_GCM,data:0T7/2oL329z0obnIDcytIa5Ewjc=,iv:BpQ6LmvSo0mflLf2d8TigbbSSWo/zCJWMqLWcX7X+b8=,tag:w5uHuPrJImwsYPz5CAziIw==,type:str]",
+							"woodpecker_github_client_secret": "ENC[AES256_GCM,data:kNWnxSQ2v4WTyTYukXXKKpLvrypsXu2MAU9y11Xb0Kt2lRIvqJljRg==,iv:TB72cpD56cvC/qdgY4tUcd7Qp2ljapuwPgm0CfbGJqs=,tag:nb0PONeUzlT8aYEJcktjkQ==,type:str]",
+							"x402_wallet_address": "ENC[AES256_GCM,data:LR2s/zwudihbADgncWf0ZqIo0Vh/0zyv9Viv4d39e4iXfrD67d51/Oip,iv:XNSVGN8x4JF3OEAudZ5bcFSYDC5JLhC42VwsS+aMnCk=,tag:aiLuZK9HODo/A08ZY9ekHg==,type:str]",
+							"xray_reality_private_key": "ENC[AES256_GCM,data:JIedz8I4tr7wjHqKH1D0abyQp78Mv1zgTBR3FDaAdrgluI/CWYMG8ax9AQ==,iv:3WdEToKBWsIahaUEqEQ3yYSv2hsek9iMmTNouwGkfKw=,tag:y0KTEfq7nrKR5SlSRsRs3w==,type:str]"
 						},
-						"data_json": "ENC[AES256_GCM,data:3w7riJZEvL14Mm52SL7PbFjTSlXJRFqyTeEfowDYytmf0/6KPs5upDQzk873cUHpPD3Y2Cd5FHyj7IHbRfvFvCjYQTh+4qxhkPcbmhYoxIu9ZYAt3SDSk6qMG0JulDqnBkB8hJkJTHhaL9KKYgr1O1cMXLd2vELZibq9eCN4HKazaktg9apww+KMz3k2QMhFcbuzdzdqIUETTo7YOcrz3tKwMIo3lcvvxO20jnJvoxI/PFL5CC1rVOIaAqSvA9/sOFXqjd6iGAHkt2jnCvtb8udJWnTKMdb6aSColUeKGoyvXsrSCQ+vBdtvdbKtc7gBnzUGk7MnqWXv7x3EPqS7hvJ+oIXAhN3L2TntoGSiApworJNAkirl2IvvDdf+5obKPJfV6RjiIWft6UjKlNy4huPWRReIKoaCJApWev2HDmam9vgCIA4PsHSB1xzL9wZ1NCicG1zJqCTbD8PPyFWJSuaroKF70nunrPLiVOH/pMnJ3pf9Pgci6nvQIDG1D2Ktbbx0I/C5OLA97mCvDAqCkDHsC8bJ0lY/DxXBIzN9hIMfNOPNvXDTrS8MUg68EXqRr8hFoOM9KdzjYZ0h5JgbcGbkz9O1QH+ihLCLYs8tVwB962oo/j2rSb4iFEvUNrs48Ka1qBcsVhae9Fu2YwXZh/kx9+GLQioCUTNm3JjidnF6DrwNqacSDpPKbR+3xU8W/ysKrPuvPCNhCpFup3tQBeH0f0E2J88tpchS+fsnNX+T90B1itvrQ2PeSCfeh1JVuMaVvwiA23UATvvpxNYAysrZ6NbsswOITqQbRrSMsxfBJVhGj1K/SaQYxYB1gA8KB4NRfuY/z+eqT5CH9NbHyIY7EakKhgh6/2PkJ0csJcmj0QLxfHTFvBMTt355VWwZu2Ww+wi+bfyPhNAj9u9i4AEGDFYcA6NJH6hB5SJmH/VAmeEC0xzT4sPWE6m+3GlGLpfNZlt6IOr9UQb5+tXXrL8JOlQLzTn61L2ZME/2fVit3VYiz4SQoGKcEOunGb3mdFoh2BtjpvyxFGAxoajmCdSrR9b5SmKUX6lhseNcRqYzRLTi5W1sSMrcy+6qTZhlRjeio2kZ0c1DgcWpobMuNuDdJzFS9g84MIVZkkTrvdvfb0ZxtHKJfoVEN7l8K3BHGdgycCSL7Nl9ogoU5dkgobcgMZ1trG2fssBAm/ldbuxP1vOJs1tkg+Gxdcg5RgS26qxu/pVfliRUuZzZlUEJ9Qu1WjchxoK/2MoFYXOZIHOFlV6Uk/WRBkUVvdQUCx5/xJKrvmExBPhHBA9SaEXL+hLtAkV6+CoznBSk5Im/rxIdesM7Q5uh2v7GgFdCWCaq/AvNFRQws2gSjOFUKhoqVU5C7ZIWUFREU/Ln4LRqGuVtIV/YSkK3ez6tJwSVZABj7uf3R9FSIpEgg27L4F1M8qImmh8qVP0W5BxdIZcinCeLOmwN26lej2dD3tUFNVThxja8dZsIQgSKSF92ky/7Ime7p2EwTOePzchhw24lc6+ffYZhzV9b2YzaTRIGAja/dm3H45GJAn8GuAdHjexUNBH5vKyzCAqSMP1Q+BGGA3iY6r5w8pgPuJraJ8T3P6EGj/y6IGRwTctd3w2sBZs+mnsk7Mgjrs/QBgW0l15btyZjibbZwil27dZRSTlw8h8tu66BaR3a5t8q6eRl8ixCSa9T+uveQR/dEtPi3DcaCj6C69baX49K8VRoZa92i7RrVde4YuUmiyKn6zI1URscZeXmUJ9cRw8+xOqGlcyYZ6Oz4PzX/AOFNJybdLyw+zHW4XdukMNtM7Voor9kajiqxx4EOLlmpIRdAIrzvw4DYhcDHOJkjr91xWPjHK80AdGbB1pQxPbD+F/Efz3iPXiOID2zKU+SoRxVxD+Qysr6X6fgbAMDNs65Rf36LoikJQnDSzftRm4WqjwzaSSknn4mAoGIvd6m0on3XzUoJoymaffdFHiq6tOMf52FdZ0/T4HUux1iNDDI/4HGPcg6PVBbhwSCe310Xs/wuvUWy88igFSVSBpit5Ko0ed0fFnvdfhRcbup+sGBB0Vg8p1u8jSH+7VXhIZz5Gvo0c1kLxrBrgzK/J9EVK0WMobmv8tmnnOj8oxS1mzBBolIV63NLLC7KGSqvrGeSOtRxwSJ1lbhGYXOvwxcCaiW8LVNG8PuUUJzYt3KcPLc0NW2csxJkz2jmw+tqRRk8aXpFHfDYkPB4AShAFnA/1q2IsE+jniUMRP2IXCyzZTlSq0aAcJ0uj8X8o6pq5xaYosL4NTQGDidITv/4IiaaUH4AEsaqCArWQ+S2t38brYcvsQipZHe/8wUGnbLiTnyFy6x9Nho+2ldlFZ6gWGz0dmul388gQNnZlPrsSJc3XorCDMgc5kkM76K/LYNnZLVEjsuiXN4hstzaTeMb2XL9dDOHkP9CIrOeT1NIbivNW+kEGBRZD2Pr1WUKvHOH9VJKqSXjvbUcrfoa0ru2nVT0fwjaDkEgsn+AvzpdbhkkUxj7anO7orNoOY5cRAuO23h4OfLsSOtM5OOmBiS9Zd9QsNkD1l6B/u31/StuiQDBdje/cQ1v5usxiG3WPsS18H9l1EoI/6siIbx4QTmL/9x2xJi5Awyo063FLk+25f8ri8oILVrAzE5iTk/r37fSF1/aORMhnkpFEgnnUKRuhSNkvBpAtLpavxuC7Dx8TxKQhmrXsNADEgF9la6wDhAMjDz6eUeXHiA8+rJkX4TfgNSsHLvIQtgemRivX7318dGPLuu76RpF5Q6qopCEV+8m4avFeY4hiOpMfTvmvq7C+rmYT7l2DSUDjKh+6pLsugmffefJ7wRA9dPoBFtSvwcWie4XZ/XT6rcPLeVhq1uVP4vfcPEz+kZxbj8oEd+aD/OYJR4efJYUKwqjWLtKtOk/DmRmkKg4aOAEbtFEExaIXNLeczKDB4ICu+Z2KkBHrJHDL/zTFEccReKzvxdbmBKqMNxskMT1o2KaJYqXMexxT/0uCRHHarSntSrfV7we6cRIztTbJy1+bsuIKT2DnoiPR2f0kX0xCKgyylmkQXmM9lfrlFN2Urou78iTzCCtIVmf+W1jAicuKb1G48/bO6c4tZgayx1MJtmpKME0D3qyg2F6yjmE+lHSfTwAihOT+YGg0mFgyO2i/2t+hHZJdiSuB629+8MybGy+M2lRHvCdO2I2ZIVz1em9GKOHMXcJYgCzclFEAo6hKsJ6kVIYT6HpqidRTsnuWtRB3e3ar+MHZNQdoxaJFIvITC5A7RoZHWwI3mOmz7iCd746iiQTiYh2AKUfMptxoPa1oFGt2WkaP/TbsqjHCmbygMgDOASRsZXSJjx1upYLhIrS5PscL7lDI4IjilBwKOjdJ0Fhf6TvqYQySENfOfFkzp/MHFggfU66fKRwJFW3dCsuUZeLqDtylQ34Z/TalAPovww6lPfK6tOdBXUGXaRSfR7A7sM0BqxPQkOOOurB9wy/3lwIGVpt9PufywcB0gcpfbD8sOVAtCRmZjBuMbCeTP8COpyTEgnXDUEQWo6AJnNJ3rd4gzaaWP42ceRead8EpRHwtI+ycC5L0jEVJW/QdpAA8PTzbJPuu6EIh1NOeu950bv96kdOW+ZgzwKpRQY/EtaOWwSLa1iiAlgj8iNvkHupn/ozjH0MSnjjlQeq4bXgtygdCQdOWwZEbCpI43Z+e4kfPss1/7iSPhSoSjnbjmsHDydP4XqIWSS9Zd3V4bhuEtBXFqdHUXpF/SDBeahx2fULRVEhUc9I3vkKwOa+Iy6uuwpPJMNVSdHkoOamhrOdCNzQGsk0ppD0O8u6Gj9agUsiVhChZ0wv2tOtfFnoVnwPCNQ6XLyAxzEbwiacBiCxG+E5aoeVqoxSUEXwbsftKcxhXn6W5jNettE55ofMtRbpWyXji0O+Vjw4T5W71spMpiXDU1u0kkUBXBjHljEcmn8l84reAVt4Ndf+dTVAdTxHVjnfO9RPM2QD53vWuSddoHAijaxmTyD/Dv4tsKuG1qkFn+tbvt1AKNQsgJKcuiaY33LJfzHW6J6ehUumNNsqAaZz+1KqY3U9x0/TBFdxpX+1bAZppXv47JyavPVoVZRKcdrq/LvsT5lHhX4cePCcVWCUQxBhdweDmXjFlvnAxyqMCe0ckENazgkUX0qJVnWW1nm0qJp1TyyqggZiKzV/FxDiSmVlwZNvLr/sZ4HhwEaYJc3cNdv3dPaoqL9RAsKQM244n9Pl/2XrOkv/4xXOC2CB/4dADurIWTim3KuezZ+USbxj1cnBy0hWwaeTtfwkuDKWvap6e8ZKwN47pN82FQP1Nwp5HL638cr172+FszOO9E3Xfe2lh2H8Ck6C9iYNXqsx1ixd9jiu4706WX9DzAxCEoGsw4VJpFvC8sjnx2EchdgSAgz/qmjmxd0sde4cUYvahSCk9jeJV7vQkyPJ5xd6Hmnw4t1I3yQI1LK652Qk+i6D9hgreDutK/FsQazLVybnYXDhK668O7O5NGsD5dY+8NAsaTinuqCAPTi9TuPQzVd4LmbA/dBGi/SxNTQDsCTomIgimVYP6Y3xk6Xc0Xx2a13hJlqdwVgJSi9SRoxWjCPBxW1bGmMaEketf1wZqc1I5aKo3Emk7WuElbB0PLEUsDYprA2zQxThix7g65xPLV1ZTxlxR2HrpWlqM6lh52kW1OPK8CuSFWYhZqilsGNEcJ8OZwfyeILS7IIQkqeZ0fioUlrcFsZiV911dH3j0f5UFNrdU1snhxSDk9caqWu64NQyDidyaRgwbm/X8sjYnmKxGZjnQAF3tvh5JGyQZQOjzV0ekU4g96YELiUwBRq0ka0nLYRUijxIqM812d+IXbhmXXRdYmhouKM2CdLsH+41N2zjNobv0Nbt5MW6j0KMQtrih1vU7NM/R8fyn8a+0LfTFw31AxRqAUZlidCCul4HVcmci1+l7511hftZBygFPuKP4LmNDQTkbjS2c9A3A+3bw7b4HwXWTAtRtdqZXJPBGEqG24PMOFPtoR4AbnD60eRwhKIghZPqG0N+3r5JAcUCKw0JJO0yuHTUURuzjly+oQ+tRnDJjX1jSk/GBx7oWo0DGDbKQdPYAZd5V9N6pFVFr+mYpN3s4SFItivevh/LQBEvO3K2x9iPUmLJ9/iGwHZJqvpHxc/vkr/z7QY6gnZGyYgmDuDG148xVTbu6OGlAz1vBLH/J3hMhIrv/euiRY9PSgeFPWHUEB7MZW5x63e2Z70IF7z4skGUriOtG3yZHaHYimziOBN+YxFceh0FXjy/eL56DgXv0EF8QLmnPL4a593bIuCPpgZEVhR9O2U3CITYXHu2b6z/OsAxBmvs072Te0KELs28bBgTD/8C9jUkYfg/9IoICILaLZA7qzy0veztpImReaM2Axbagl5OBkX0eYGQUy71yvB600Rs7rKn9Q0UX/sxQ4uGjPFRR+3BvL+XlLhE1uLkhfxwJd8JLNzTMlafJE1EHL/2aVodTHwgFTWEnK3OFH7maQ7CEs9ibejANquVxotuPlt2tQBGk3sULke7n+IF9OIlzawYoLsK1wyVA/vc+JOY7sBhy7UJXpBR1Vse2fQUIzWeOvtfCFWOJJtF0zGqocP1+pTmrjSCws3A97tjtTzPhhXIcuh0tEGSkOh4nQ9LhvufImbtF0hblDWIj0ij97CfQiYRxYhkxRsWArR5D0K70wU+YA/jzfCV3l9jXWg8DkZI4OR3k3kEG2BekSONXnis+gN1e+8VHXk38NYJYF68uAIiaUrPuri6Ez2PwINP609pbHVSciXtA0LDaGl2uHbvmkpPqdjb9fmb5CQhwdk/qBGWsrMHPZFOsmshqk8Va+obzvrbtIYOJze+KaOokwKRRVDSE+2LtKZdbbImwwZ5iSMiOCePahvbRVLaOAmCzflWOiwz1h/kO4yBKW+dZ2UFJ0J+ceqyZypSej8za60/YC0B1fmzdNw7yeHBED34weDZaws6BbHQvv0hRmb4bbJycuc95JxsNZH3nzhHR+c1T6CjOaNKjnu8Tvyt64DRIsLGJSOLsly57aiRtcx0R9NnEIc6/qAv5UZZe3id864ZcRvPoVD/Xf6F+v0lcmziiAN/Q8YMjYEbe64kI4TnRzq6lL/7o3aQFixBBbteNTGQ0FIcvzfrwFBbCWma3Kf9vo5FmcG9bUApwQRL6oH3Lq8zcPxJUG+ubw+CMVD1DYeRElxYuJ9xh97kyFzdenLd60AjbB0C3ZAFQIiT/E4eGsLOQZu8I0ArO4SFvKddQ8rWlOsiv3wQd62teNgAeN6c0TQScQIn7Zo3g9gTg6/E7sWbLG04yJSnh0by/wzfggXs4Dv9mNI2+qe3sriRDXiO3Ei1yZLWyHmPdUu+x7gFyfnM/Lz0jC2Q1G/UYJJGUyEVuypO4Jq9l8WN4qVRB6626UIWljAaC5+GhuJgyK45PUOxAJgZ3kXmekXiuYp3cvW1UQtsPkB99Q891dkizA7qdw532oehq9bbBZsKj7aopjWSqR+7vxc9f5xZfS7yqK9RnEw5n4TNWBrum6gr4JbyQqhrWqWB8uv3WABuWgtFCR4elKfKkqnI2wov2zi4vvD6Xwhy116sRAtfNV0xIXnBj3X65jGxXsoWNauiQoBbWqEIXkp9srEOTnxSmMzRk1w0kfzXBsRteukohnIqJVGITmsrNYbFOCoUI/oqwcT2TgADJz3vY+MKukaPh2DxE5Yn2UUHOKQXpfgjiZMd9k+JyIfZtokBIGAAFn+oOde3y+klLhOx+Ixcy/cwjtVIpb8VMKqVmTu62k8G1tqEzc7zE1h39wvqrXK/I9guPlSwl9x4JOymI4TvBozFT4ysDva3QfkPxdHBt2FqLyFtHoB/bgsBPoCwCpIdtcS+YyIo9JuOUfnKp+WuOJ8v0S2nEgk0lalp3jCSCKwY/IHe3knaZXoBHgMIav4+qvSzZd8m0F6BqEGABqWvxkQXff3q5fwERekqQvH8i3IfyOaAPPcThBCz7XCdLeVgm+38le/ceABvtGGv4Tfhds+k8jVI7cBml2H5APgTdLtn5mYMksQ6SxXFn3F1d5a94dHjj8ZT+M2l/R8TXJ8jjAxZvSWHNOEOxPXlUfirWSwaL+tJt5wmtlJxkWLDBazFqFYYQs3VrMd8debma+WfEYak2GmnfkhA85u5bwlx2q35quUC8LO+LD0fkbyDS79/zFrz08lc2jrhkKMzYr5a4vBiC4FR7bwTY5S2sticazzKAeDFymQkuQ4zPPsKs6wNUR6pa5Y9cThYfTbDOKDTpD80lIQ8grvKzUWThqoL9cRZbmrkXtvUuxmbgqb3hlnT43gySQJDFbRQxObcYzhlcOhD4RRlUtou0ynklG7sjeuPyMK/STG6fXgJR4+FhXu3XNU19+dvMgHdz4UczPunPXcoDuqvUtp2Ua32krbu7ffKBeBUwdy9AY1HhZXf7b4pJIAOjUXA915NlmujEdWDbxcA+BB5Yoc0nt49xCtEERrROE+xt8TRiJKHi6ti4KlX0k8olWGZHnNY1BlOZoRqNf6sVau77g6Ze84YU667bszgsZdIU8V6VQ+WiKbbDLb+PxJdjizzsFQpd0t1lfRRBZ7zjWdirM0jq6GJkqt6eAd7oxnOpoqVcmuSHdKCG1LzUKlDwDngkJzmlao/RgM6iuE4fVTrM5Or3F1qEd1l9Szh9Wb3AgzjDDPAnWPc/rGtKATZNo/Omvx1pOM3sQDRiRclHac+DbPEbPCdnGXmWWeFQzfh6DcjnOkkyiOdGPuRqY7tChnDjNf+PPpJ0RD8/Eo6f2z1ht008pQKNxfOt5kLeExH2RfEcxrt/OiptaSSoXfv8AWKYTx6zpO5hirKxQQWNApO1eH4/Zj9H8yHpUOX0bU75KdRf0Eytb2+ucqJGW0zcAboGTz1NOluBxA3739qLIvWtmktjzwdtd9Gk3W+AfKy4sVjnoIk6Uo6MUL8WO7cLyd2rNFL0wynJLuNGixbSaOWIA5jg3LozCGveC8oaPd1pmeB4MGXd/zFCANfWj7HkzyN8P0XTofjCvhbNRDr/jQRCoH6O7u55GEv5itbvPziNtJStwM5Z7DSfrMxJPimOxTVmK3jfbAOAUvWCq6ZM3aT7QtMAT0xLA6muljotthlpC8Kpv1DKIwxtX9e9D9uDzmxnhGXe6vvWaQpP5AEJYIRGwzSZGlbfVOwxJju6nol1g1ez+3L/msn5CBB2Cva3sBPfNCnKBLQHVcwZ64FwX+7TCpGM0tZdWCrGWjcHPbpcVXuOB9EtnPOe8c0re8l27WCzMYefsCtLvrUj+rGNKWIpYs6AxbojIO6SZgh9/GrAjOaUMQbpVvs3WvzVdbv5H3owtxIRy/ThQZnuOkR95MyunoPQC1GbioRukT3cFOyTqhBnYnfDHgVnHxcqTf5RqZEb1PEQi0GKEln+DjuoURLQoCgyCV4zQVAhtQhJwLtq7Eqvhab++OpYX9vDLLd2qDItdZfP73pgqVSLBLylwTvDVAVud3kvdLllizko4X9sqgOE7kh8462GzG4cL2hiK+L/3NZMMx/qKTiZNCIrHAsAaeJdaSeN+1MuoTATqnK5JSwuxBJ2QCnq4xMDD16rLNEw7P1K2cyUUzTJWat0BnSCaM9eSUmYU8Bm/srseUVAl8rN5XONH4CwFO2lGJVwcoSOkcLAo+lEpvC7dWAy1sdzZVYybvGI0RO+o0w+rQ0bOna3pjMO5CK6ZLx1w4WtfEiAvNDadpKEKJ87wCHKFerryzLvvDI6V2rdfZNDI0qFytra1s+0M+RVQOllIvGq8PHTN+ZMy1pmvZevJ49jtsZ/JquY7CTT1zNxc2MGvHjITQRJ4dkw0g39od4bnGcQG86osLkRgSt4+p21PZvQgb5rlLMqHnBXv+ZdNCsGPBW8BUx+qNJRh8IhxhX8dIWy+df7SIRoEtamQOWJy52gMbXa+cbErus6K9H82+VCPohpyGvJvivd75Hz+7OWHeFqLXSrJ/PGny9bdfpIEcQ+XWXoJ7gOV7n5DIM7R55a8i/ub/IzysKreiCX8X7hk2CprCz9fWsbslxR83EXFy3PvHwdT4eZotOW81Nh4UHnrMI9W6lNeXryMUwpHJBdJJDHxB+mRXR1QRaB4iN5JDalMiWbN+KxXyvR1RcW1SgtE0a4H24jYhEg/PdCRdMJx5BNFiZPkIlz8nFfNeYP2jfpfaKugbUEzm7l8VoRaymC+bBkIeWXJlA97IQUhFi0dLJ5FALWSHKyciwEqWQEkHUni9syPDWt1v2K6dxp1+lX/qGU0ZxNog91SpMib3o62g2eP3tP9EX4FflrjIgXQe0raEnaUtESGR4+0FCHd/x9rmsx4RAWEedjpYho5jDlvQnqLCTiEhGZTWvM5BsMokJLszuVQJCeoTtXBI5cDga2aeZvtDIALWdyLs0vpBf/yTRdFJerftUUAynVLHUplHbzkhO6yVDgqjML2cEaRlfTLslNPqEimNUH1S7aTWuFlzzgJZ1YdpQz0Oa6NfUe5yiJ2dH4wnLlYtKaj/ucUljrz0pNtd8iMMGK1NC5G6soG+qm8NUbUOQnJglw0HQb+plwPqs56hItFTnBOBPRexIQxNj/dXWraeKKKs7m7tL2z9s3CUow/A3cxQOSAB//veA3MuWvrOOsWzwN05NqbnMakYIQ9RhjaKQDtEVZFoKB0+JTQ4GB9hcR9z2VYkN3pKxYAgA9JlZAgqrnAribC9R2zPqPmwpxdMtOivf/cYpvyQ9B8OUSDl1meGdMDDnpMnujogCRx+flWAu8mkha5c9+9/2wJ3vatBgR4vfv9bUbrwKbMs/axhgbSavzH8wvpUP9MEijXThLiKznkDd2ZYRugYOiakEuRprGtUKJn/NfkfLC9D2WfObcd0SydWrJAjO+55Fa/lzQsi7JG90JsWQMdxJ/auWMllj/FSbWjV1wlbB306+EVyKUrU36y77+V4ELn2JtlpafCqTnKSTpSnVWWwtn+aQ/TWGB0iArRDqjHOcmU0b7XCKHJnrSKB3wu1AZ2lNPXcDZM2gOnm/4+kD5KAppad3e7leBJLOOsfrbnzhjLioZeeDlQoNwRzMUxA0KO3P0/gW9LFzv6J0kxUFOrA3i/lZsHiAB1cn5ovfVFRERrj2lqk00VLqPNhFwkEJWgEsM/MOlOgElzel3EZg3ohOahCFWFKdS/XbZ3rN2rB2xx1rUevQtARwosXLdBpxXFfOucfE0qsuugIbCFgZtAD3O6WxTLQqj+0ghIxT/Lqhw/M2qbV621y4rmDAtxoekr9vLr1DmmPerxX07wAYpEVAF8np45YHeHhQVX/avRuK92eQ0WqsJFjZRBfGCxv40+XYDhyvt+eV2keYaUP6t3jvG1vWOIutbHPW4X37uFGtIua/NKHwchBTTJ2Flyz84JGReYQIs+Z6WbfC50/yyRXPWIbShfo0At3WRXIGGmf5WhJFmdpMdGAfNtWJZcLDtxphWhOupijrqw7vVQzexZ185kqLDIu3KP0dLptdEQUqptLCdnnDGyMpE2sfkbpn2vh/+gkP/vSlZGDL3VxZIdf/wbKl8O5mec/CFVwhkc67s/NHidu8xjaLtNCb7CTZAQO8z5VaRwVyb9E9iSZfJl0oYZwVRgkVUHv4mA4zUITNSAdvObF94Z0zwJH53DTf0xZo6UmHRXYz0es0tuweMBnchQZixt4BK9Ann/YWBJ2phYLLS5MI/1CV/DSsqmtk6lEIDqCtrjPEuFRuk1XjEgVZTEw94F6J+DJKxXgg4U/bqGjgwObngvJBwOeTnCdCUj2M9PumeNFWiFfWnWfqP7i5gKpztepoxzVk2jcLyZQ9pDO5bOAZZnMC93wivh15uck7etyiHnWwGqIK/Gbn/++NvzYXjGOUPyIJmOPOm1OZjIyC1iGVhuj7jgDGEySiwuEYy4zkmYMhtIW2fe+moVGFseWFBz0RhHYan2GBmjke5PKVQBWNaI+FSQIo3/q9Ua8Us4U+Xi7Urq2JHL7eRSBYwXe+DxQYaMQhkDzKZSuH6TGaOlii6IxrmqRlW93p/71Kg8iaeRoqE5f12N5ks/Uk+krW4392ETi8S56B6QxA9HmGdau8u8cOydDimiNIDexgt2taGK/1fP5IK2u7zUNkqr3WqkE8EJ5sxA1s4jwbSObCujvlLaprs4iRl4OerHAeoEIphw1uKMlR7LDsXujvXjtYtnV4jBQWh7tVEHU+bvPEYZsH1UOf2ctTLnsDh+Ys/iIpbKMjnN55xX5u110QzVHkmhmHsXO+sN+j/AFOarURnqCdHAsgtWnSApAfKjADeCWyogvUf8bCWZRI4vNHVLThMLugjos4qODyrjBe7eZCmCZdzbElP1XHh8qqY6ZCQQNuWus1fYKbbycyVnlVPk/7dw4jyVIw3qlt3DgQWdL4y+f7O6vytanJq5rYLbSfK4upW+g88GO4BgOWhnHPimSB94o/9bov5sbcyqD5a+5pjq237PEJwkO63ni/eYjLWtCTKuwwjTO3GipQ5H/sVXOhKqfQZQ49HZmuZO9YGVTh4xNc7CGEGCtKTWHKu3pGPJ6VQOj3vhqLw3c9B1CvJaADWqeTCDjzimAspRu0d20pquTjiqBN9rbgXEkhF9S6KVwMFsmFi1aoFjeSqqwdSAvmK+JA4SKI+BlCqFuO/m/B/4cB7Ol1dPor0qDA2QmFpoqZh47HLrG+CSSPl4w9anjb6cdzahna7cakqqYtW/4BkLz/efX+e/v4mcc2TsfMqTbqJt0bxEZfKSaqAs5m7Wz1D8Qx1uCLB1mSPbYSOJ2car2BHTtKZMTvaHQMutEov0Jx0b/b3c4cJ8RnhY64iLBNphB5SZUl7Qx0TM//UBWI2jSWM0es90uEZp7r1/Wn+OulvmXa/ChKyTXzPk9D7tY8JfIHjvlIP9azQ4eci6/t4iC2U8BV9YYBDqbDoI5W2UOkIzRbvQ3/fwb/LTz42/6tsYtZfqkuJTLQcaZwypnwJSdrNKIpzraDtH80G3is4wJlTE2uT05nGRiHRDBNafWHsYuWRu1MVSOHVB6+6SqMBD4IA8ZvU4uS9JUDbIgh0GR+86nxblYLd+yq5+tjah36/rWDq1V+7w7AzWHTcmuAI/rVY0Al4woDlPuYWTrEhBiqxG9PWJn9bUPGjS6KvDBAR0buKbl7/bIGtguNVfevR5WhiBbThuEBiw8MIwcp04f030J5YtYX2UKhoClgRq8v+KvQ4cYsQYJWDAzPehgWLZKZl6ArBZHTYT3s+W0nwiBh+PkGkI1h7Ift2bRvDiMQpJTuBU1Hpi0JJSnOjexOGi1POVgtGVgxMZjwfpvq0ZzrZGFU6ZbsUh2ZoluKlA5AUc5eWjmE5MFYR25X6Y7wmfufruxW7NnJ2q9stUjsZvt11HiovQ94x+q9HZs5qy2KrR+vspHXWLCrbHRZkVy+0yFB6XSqcCDz9ak9IrMPsVIjEC9rIkHyWX/CjCF/N1HUmujs8mit10f9ysUUeTfE/ydhYLzCR4S2ITDvpmlB9qw5kzoPeu8K9f+oiu9poqgf9CHy4Nlf4wyLRfgwAYEGMNVDafyOBwZS92FxmufmeJunxstiw01izdF44tdxKHJSJ9VbfW0R9DP9mJcdX/U3qKN4g61Sf3/92bwRv1G7mZ1tPUNVdGB7H7w36/bbCnXItO3U6jjVm9GfMSb1WwwY77TtE+NeVeE6cBstufX43KPawme4heygcMjxDesPxmWzUdU3M6AS6HsAzAPs2KLl9qmt8w50oj5C+9oARvAMXS462nK4TZS0TT4EzXxoVqbc5hxgRn63fR2RBhNgRoZr/LpSQ2Hlu1VX27YL5mwS0iZtaQ5y2wpFA80hciJDqFk2CVPfpJBHeuO0VOozs0ZBoIBDp4Br2YCr51sYBe550X47NRhe/kgPrWjPPqY/7qLvUSm0F6fJeZKYiIsEuQLzhAHfwXra+VPAvcKVX71o+5k/soA573/EpcIaqdFgzUdHUNc6NjLY6QdSLntfDgY0tQubNa7cABFNiGnkgstrIwBGlM8noe8uB0Q0Ag4Gt+zlbZgaKhjDpijTTqM5DvQpqCFdumEnI01TYKykx0ZwhWsM9Al+XeY4gIm2h3mnNxSEriVItlo36IIK8cddwAOF4Mo70XnUqUQICgUHvZwlRSi4DJPGbub3FP73BCDZ7WkmfzEB0mhwPdshoz5sH3U4wjng7SF+dp1fbHi6onJ76mgaX/59beZ5XoucaCtinDwewUs3kuhxE6WKwPdy9Db3JQ2UxcaHyJC7wEdPvMDk1Qs3P3Ly+LxxoOA78yUpRd0TgkLBBu8IEZ/2PpgQnviSHS8gPKF0Wo7zR1JQBfwRGCtT5C70pamMIE52mbO0b35mYsxNSONGiulciq6ATk7mzMU8SapNWbGxu7i6gHacXuLne/BpSaHbFoF1GprVU8PcFS8mOlyhFl8QOSny9pSWqXQUJ4CovgRW/q+EbnDbPUSH3f/67VvZ+1nqUjBKyZBiXfInKSHi8VP4SjBjauC5yQXoepKZrue/vy+tL4WkJcLyKoJgzKsAmkTAAc5Ih1717LtPWFOoaEP4J1vaEs3ezdqy5W7+7ch7NCH4iD/Z+GK+KNbak1S3PEN9+aaFT5WB2kB5UEJOsrycYy7oLWZz3TfaKvNc25h3lygeaqOIVntyIjo0X/3OaRxkBF2SpVXA2qtzi8dzi4pV+ZVeB15XLSXeKvcDxovHiArbNljSwib/73PPi+2NzlxEr1VtYSiY2md57ck92jufWLzNHmQVIZ/oW4zA2ULn1DDLd6cMcyRWYxln43tX7oi7fOqW7aTDuT7jyWpw2/DBL9LRZTFSPCgvPyoSnsqdMpM4R/5muinircMebRtu4yg9GlLPTLEPrgFFHfdgyYYA/7wEoZVvYpIxjJI/zOPYYeUAVVY3lskAlrjSEy+0laH9daVmlU5U5zieTKb/L3e7qvJB6nWUPaPWMihsP9qX5WjBI+ESY7S5xhFUT1TBrp9sSC+XjVm97lZQJp1n+fMAJP/4+766AWkPdZia0ANY6+Yx/tX6G6NCOhi2Ag2ACC4v+GgkbvNYNFaRhjFvidI/hwtb3WtKypbNcLNGUda98VEmedA5BTLJy8lEQQkw2i5KsJSPBJMQKtJvL/sY0e/A8spj5teZoMDhYNZEGtO7bRIOPI1KcnItbCa/WSsnpT24nXjpKYINHYiVX53/Zb3AhXppt5RvJ8MpfX/CaAKybHyXQnVTv3H58wZcnpjY6ZWSukzkRjvRvquGNNqxjjz6XDvquNQCpPPE04PAARmMY7e6PqfcCeK2M5n3AiU0orcUOqSXzH5ZD5Jov/5PaMU0w/hxqhVXe0u4nC9Pb39zDqvcoFa3tli8AtCuikzZreoEkkJsMs6WNE48qmrty4Ebvk4IpYVlwcxwZBSsJo6hgmoB+uMx1R9tZ+rosjeZYWCoeatBt0XZu6mS6dtbyLBABWfM658NkZUGlf1JSUBaerAexr6ocWoA0xXg6CkuN3ocAaDAlJVs1Xc7T740y70AGJPKSNDC6NaK2V1bfH6P3UfiNLjwugrWkW4w6DIk64IIqTPr/uxREHtF4OSBfQD0+Fga4lYPEFxWSc82BwpyE46oxs+yzaWz9GFV8x0JA9kvkGKO84YnS1pOmTsH4QMKCq/RYZG8TNjJj+1Q1a61iRSxvtW1R7CVN38JgOf1qACY4BKrRvZkJBMb8Oh5xsBKHsY+NDThNdKfPTMWSTDd5pAt7S4ECheSvgLwIj+jDSZLkANmLdo92pk83s9NhjAQreJoEHWRQsU/2cn5+rQOy7VX+jZIM2AchLxMToiM5/nG8CXNPaiihu+CWjhFr3lTcaAUdi8zMuJZrIFOXxTcIVaIPah9XhzFZ/MTF9F3Wi2oKfQvXK1okd7SYq2xEo6FAvW2ZvFVAQcVWDtAfVz4dp4N69HxM0DYQZmXlzi48mpa8sYARyuUT6HgCcQdN5TkcFHJPvyeUPiKktPpDSP4Yfw9Ni9qGtyDWW5PRW8ldMtNivkPHrE6sfHrcW4POHMOZZv1Mk2p07MATWO8lKJnUDT2CUxA1Q5GdEEd6GbEH2gg3KaQhJoy1mnEDdlSfrKg2aR6bqOjWCWs/y2Nj6TdxAHbHcLOcQ+9xaWt/h7r1Nvz2Nsk8aJOi2OBa7fPskbIEpu/Kz1RYQlY26tQbopRL/vh9WIPyLnVpGqfc+gGzd4HIg/qz48TgpGDaIga6bhvv1xbL94wjUPhYEPGM9jAO1kI9nDDrqvg+W6MbEAvvJEu09FA708csK+4Vctfz2+A0VEqE/TlbUtC8MCcjz6cnBvRSqjCvjb7MR2Qfe2rgtrrlw0goHBmxr3CYlvt14CZLwN72eWCrGbS82n2iyZiumOIybkbXWp9O32bA3nb4nDZ7nKBTB0a8TofJlC7sIr/Q9onEv3r8w3p7YepH80tpyHPS/FfesIv5IAtaBd+h5/2nDyqH1ZavD72tNcxfVF8T+hcK2vk8dUmFWN3WhPlZVU53UkCLtWK9g2CyBY5IVD+nM5lvT7Ci/b2CV/5TLk4GSbp7M0VfQQNbhlC1U3nasoJRsVuXm/Yob/VUks/JnFPgrqNsBgqoNGp+B+NBwsUf55qdH5ToHedtWPfYrmyG+UfMbvNqO8m6tnhKlus79R7Hj2KrR8uKax02ofkujgzB9fyeOlcu9XU/BCjlXW9iPeVvTHfdKKyAPCZCdXdOXCL50o4jm1Yww8qDtr+cIBgHFBOvQrYDunUO25urVlR6CbyXu2a040/OkhxBOJ6hfphj+lM0xYmxMx+Fzoj4Eyr1aUXfbLxmcSWVve238V7/ul2greODYVNLu7DuPh3p1L8oJwet2HDWkiA+W0z7q5J6e9A5TJKtZnUcQHR98zl5QQarlz57HI+HHxUnGB0ipxsasuMosH2XVULqjIEaz7jlDjsCUsyAUZuIwOlNdqEl+rQZq8b0rI7FHa7wBWlEhPaBpDld3L0SPmiW1yD+jGhUIoHXBwpi5tFuh/3X1r9FxDgUTOR8/7HQ41B5CEljYlaKmdeK5z1E8uWGF3mKlr40eP2/AeEguT11dzBuGLjLD8z+qStKaI8ydOF5bQDPq+rW9D5qFRBUZYYmkhfmK0WLkbUbDo9t7e5067mlk0dFecIAZlUALbRXpZ3+AiVVhs0LLOgsTNmnCp06r+7/hUbQDptmXuKU051N5odt5uxBN95WiCD5NrN4ECwOjqQaWVjg+iuJ0DS1CDtTMWr0hmeb2+g3/GKKcXmHpYnHOptv48JYpx/ydT6fIb7crboW1OOUWwpIXZg90MFeQSF9Xj58Ur+uwc2+9Z7+eRZkbEMwqTv1tVtJ7H8YNcI/pUep4s+3Pr9Ltxc71e6Dz9rf3XSrHSdYCN7Ffy2Sokn7XaaLcnTa+r/lBl2QxtoiIrPpU8R5blnFgH7IfslH6c4ltqdEtq6FL17oHAoAUl+yOOqBCpJ2IuiPSE3NYpnK6ov84BachlmXMZ5rkqwYKmmgmm0U7bZfhkk0QFeShccKyzm0AmJ1R0Nc7nGtT9O7pGKyfY7rV7RSqY1bsMLSNGZo1AUSPbyB2wLYjgK0nIMvPEGoT2kY/OC2vr1O2SfvviPpd+JBHXXVdwAqpwvhRYYDBVnhV7fyzEDOZemzanuMdEjeoGRxlV1epO9+Gq/vcB8nlfxPdlzWLnxkFzcKcLkJ703ejZPqhLOX8CQlb4O57/eMQVvuJVbyNwE8xEAlG6igCtNU/YCNtexu1gur5J6O9hDdycF5vOq6CCE5CnASFPK/z7S37SwVY0Tx5FSZp/U3tArhThbxdszqMJdEyNOPPRfRCF6RABf6DKtX6Rp7iEgqyCksgklEWUZ+RrkwgqkBi8DIPVY3bNZTZN3Tk/y8lNefovx8a9omg6TPYrhqudVl6b4seBJGsoL0PEvyYxmOsJScfJXK7d/roOdBNLLqvJlsjHEsluDd0+4cu4rnb71aTDDeDT1s9QPBbkQofV5IsXRWHOgO8x9f2fQr3FiuI3iPR0TWLHybcbcV6TH4qgmOdH1zUqYGPtE+f2Tz6n/0kokJv9M8R4S3iJaTC17Uu1dAzucdnpIF7DH7phn3mlb5WTKOhmt22Z0XoulQazZtnnocM00KX44rHLC8DXNcp6+F99TA5sLYRtP9bgwOS3ljgwsZlB/B0Uabe7kR94v/PIpEej4O0WBuHBQVAehXkM8s2SkVOREli4cPGP6PjoM2rxP2n/HOYwBlRvlmnMozkvH+zz4hrTT1rPo4E1SXE2nJic/x2FUtKuG76Prn9SbSz5gg8Sd5V8EOlHdol46Fm8ARpXhMx4ztXlFKkaqiAj06tqXfnXzmHXDsxP5psTkO1YRU2cMsmJMbFyw8I+F1ym9hLASJTg/68soUrtC7spKvmAZZZ6FklJENc7U8+3eqksbqiorzW2E8q+pj8S8djuQhwivXh7vNEuciwgtsFUJLyT1J5dqeLFPErSEQjq7F1uwilxvnBD0TANyM79R0pwgPyoRVEiCpLA9s3Mf/ogx9BUmel6YsVFH4tUPplGK+YzdbdFDcJWbBxXMw0NgWAgw1zZUE3tjGcqdR52GtGi9S8mrnnRA+EJJ+b4YQFShrYaJp9rTSFkyw1Oe0GBdxFTDsZ3ilsG7aiyd/Jgl3+IpKpXGk5pfKwCOiVsh9w0BKNlAUNoyFtB9Pgwbiwoh+r/kpRwEfTMdqR8ah7GBbr9aVkDbLLKGNzDZY6hryZT1MgQOg8DxwwH/Ei+yLqzX4svHZfFIDur3q3ub/TVaEzriBrl0qBGX8rObghxc2U+gQFqVoWUlI0bfBy27QYWMNGfRz6ZXGkZCmuD2DJJ3z+GgSAcblCGBI0Nyz4q1xcL8E2tx0nxAu4V8YfIEEeUKGXC4e3C7VWioe98guxQOnf5otWFG750N00hOrEBKucjDExVFCobFpuw3+nwgjqdPWK57Vik7kzQzhgXnAOYTKY54wgx3Zkuuo/vurKcu4i112uA9lG6y9a/5q4z5GkJ/A6lDz+ifaTaLtfxu0b/dBFxoyfp9o3IA7H+3V3wcd77BYvvoZKLIlZu0P4dQWqA1tuQ9rTWL67TcuS9/iXHy67CDGTnZQmKw9toddyop6aP9NXN1aqm79vdb8SIgmpWfElir8+eZY7xpHXgk31L7fzDfN2pm63+GLrVEFMSJb2I7f14S2qc8nEG5dFtKbmTRRWFnzYMoTSzho4WXGA3jjAswRZxtMnMaoBPp4tthk/eC1bj2VM8lxMiHvmYtkW9LagxRrg4BZPWTWYvdQZGkREPFbdp6r6R/NNIE3V1iLnTWKo+T0z0wZObTRsaOnsTCs3u+SN4M0dFrtOGAa0CYD/DX1ECbuSO0b0VMf/vqHF3K7gdiK9KUn8G6HExU3mF+wEGBnxOZN+DeZ4HBfMxCB1ToPyOz+NdbQRe1eJKKOoz/cZ9OZ1wNszeOfG7/44lLoCywJklJDvQbsKpXx5Yksui1qRDEI4394Tw+8h2h0qncXDtpg2HKhGC/uGxYjst8GuYJmeQg/NxDrzzSsesuLZGjkcVpsxbHNIQeMTCey0N2hjgTdYiAVIpk5Ym2fWeTMv/i1q3Qq1rR7MS36Lph2C28Seq4tgmMJymWwvkKlUV6abgccY8+RLIGrdBJkerEz+jnwFnG9nKx/x2aHAbrEfNntHMfp5JrTfVqjqbgVFB8u8Nnew+9jgsoRJdnwKQaZ7TAdVRk85m3Pfsn2M3FWdIz6zHlqOfb/BjwIR1W/ZO4GTp9iyfk7SdbXOqCeas/55omk4urD1GXRSO/DFCA1Q3s9YUz6bFtZvTQ8dckKYmuHj5ed7TGzgAgPCWhHudiXGYki1TtMTN257UdkZmxJzWqr8/zz6RXlDC05nM4T/OK0vFX0OWGrbHBAEK+5xa4fYDHerSp6op+QoKl9FKuQHPCtpjvMEDiexM0gjgJr8FpUhMkvWuzK6UhvGSjsJyBpT7mA6867Ra8IjgbHpTLMiINzN9DZsqErc9WBFVjc2pnb+IZHqR82n1NGCk9oRvmIAnMPGfTC82k50bBfM/YUplLC5HV30cCiL8t8TN4fyqS3YX0tu0oBZ8b/hChQkHBuSJXGQdxB91PZY4IvEOJv1kenht8EzBcBd4UIKAhy2VaZ3B/yBrSQX/Na1vMRcZFHN/jojC9NJP3SRC98rECCFr8jkp047U9KwZjCERf5jl7J3ABBY7bavlSil0U3SWIVqJfsS3wNu2ObOeqXMnal1MzZp6Prsgzy8yAhvVtCwHdSuPXe+4QTRqgRuYWSO3euYzpiExt7bAo0u4Ivk7cOsvQtWgWf6QM3nRIRQwd+RFJQegYPGG9CgNi85s2hHz8DOYzhGes6yJEQ5QB1vlhMI2/fzVyffR/i+5kQGftM8+CgbViSQjPd0NRnQLjpPFQKXXPuFwcrA5LfxyTaqTcNALVihoJp10QRwDww/v8mHSf0XkB9voK4HXR+x7t2xoZAaSvqKjtOuSrv+QHZSXaVNxHUbtLiCcWHHHUGvmuEMQtrKl50u5HVipV8rbYcKI1F2Zz1SBZ1iNabgPmp9ByMIpWd+xpp74cvNzeBbPuvz6P1fbocJ15Mi0O0y4KAuHEdExiz5SkUb7KkPRgNl/XIrV8sYL/xMAuLS50JYMjZQxe0yhfaGrGCVx0zraLtwUuHAElxvD3TDTcTxoULKsn3Z4bagLqTumeHlkff3ZV8evVEUx8OFIKo45c1jiowvUCFmoZtZKMzN4x8otD78/kuy/d6rnf4RM822LCF+TNjLcKIw7Kk4cfjdU7THaTqNJLA0oFl+rF1uxtbtQkJsVm9EQvmPsDFASuRo07ePv26QbIt1s4YXZ/waycubYd8NCeSPOErys4ofK5X64BydNg+f07mSuwAxkm3GAzkcaeulmg5nM8DuAfnvRzNB6bWMIC+cyvxQzh74sXWiqYRyaLazweD3yUt6UlT2rvu6Yd6wiOIsoyCEaUmvYzwVBI7PuYdmRjXxpd6wTljMFKQU4/1cDLPgMmJKYtq5JZVGuStCSDSzHHJ8JVakK+B1xr1belXyGwoYfqSTTsuLLFTSoX0tZYsQC/lOHlpvhkDc3D+lKpNaTJ4UWXR3r0ee4776kIW3GA+41jiqURPt6HzoOu8S9JUwLV9Oyd1P/Jdjq2vrhY0EpupMvSLyFBtV/wsIKUcnKV/g+HwFMBa6S/lB8878onbXhkcDMi4Evm0v7VKVNpXEIHoqObw9raLwbvCMdgwkxrBh+LN0v8MaqXs7iVDufC8MwLLgvvQaIFCS65JYFVvRjl58i77PMEwbnZs2ZPJFwZjX3mYa/pEnRWhWDfo477gQ/WZTbE7HJZ1uvPj9TOK3hsdm8g4CkOa+lQP2HfX8BZRNOReTjPfaoK+m9ABcEMEo5ajVTCyEZ5P2CeKcW5ZqHWvo6lIgF4iGoDDoiB94Jel8obz5SxPVfyUdxAhwgaz9P2qljiPtzxbpc1drbwBZ7tCwxehHscv6KoY91lSlmtuQNeAuBUgy/LN/HuyiESyLbqAf3JxWWh0LxDV3kOOGJMT9Nf+ets8fNPjN86JhuG0RnebXrOT/3k0UVGyeWXtD7lNTHTQ8qFvDfceL1ZU9gHJ2H3t4E+3Xoa/5j3XzkegQxDlA89T9KhNyjH+xmJwU7XbsoqU/NmA1kZZHKQbJieNMOGFqp6fu4zqbPHA3eyffzDRgwZ39ZlNpcnFlNkeSR32BacZoBjUtClLQzBlM/ZXrMV+hIY9SWAfGSEZz2KUm8BrKR2IvC0xZlJqk6YTh/C/uAAAy94U2Up6b5HH4XBnHDfvyI2zJuWD4I0yi5tvd/SnYTL/q3T1tTzxRqnTpbD2uzVhMYLkEyqzb1iPnuLOvcQQ06Zme9M8Ph68Cu7NWjWYA9rqa0XDMNORMvKob1XtWOfPgRw3LcXlJvHGXxB/PMx2omj05hjcf24OYTq7vipRA+P+6y7VlPQIfbvJ3I0O9rkM08ZsOpdDhR/UKng02QdZYq/DLVUFUE1ZR6bNTUTlcoC01tMR5cw497reYwCm9wC8sQmTcwsN9OtzMKucZMppGhl/AtnLoDk7JDBMWh8zyXtRsDym+29WavoObrpPa3iuid5aZ6MUDccWWyMj23B09v5oUENO4ROgAmCD61dC7GvULy6UcNlAB8KV9IBsQinew1Y1hOBoG8WPgAXd0zzr+WAVGpl5hbZC8A3NP7nRPgwSU9bm1b56xCfGRWbw2o01Rp41a24hF/ENu8VESM3fwtezch1D0G9dl/3Y1O1/93/fe2vlkjOIsrka7Fo/XXbJG3iiGhT+5Qz33QHvSuGpbtu5qQHFi/tirTNw7Ia9u3RbbeStFkw4M5wnj8fAKfI6x+Z5O9tczY81I0p0gGeN2cmWvyXeDZcRJt2IJK2v1NObY7CwlFHAcDsoxtR/n/6fdFdV0LrZZ7TRh733gmxVFh12y6ev196pdKLd/iC6ZMJSvrxrSLMnWX/0wBGp4nHy7STq8FN1Uu4oYc27zJeufXJzmG6DTPcMpjxrWi6RapJhbnJ3G2wwvjgDfgqB3GQ4SUt8s0BLgWG4ImYjTd86jaFj63/3ApCeeKrk983jCFP9oMZ8xwgxRoXpm9ES2sQwlQP39hBOvv4s4bgRAp/9MUuTrAVAYYMivlfX4+V1QZ0FykiGk5qafYesFk+cfDhKFZdO5qqiVH7ilFEf945nvQRU32cbFYdOXe/DKr+Ek8L5DrOQePmtooHAq+fwlfwAoCbS/6bbQ4OO3gcYnwexUdq83uHGlBO2JA8q80/LuJqrk6fLU5xyUrp0UsFjCjGcIg73cqPccoEgvweV4YMx50wNZK3ghQ7k53uIWrLHfriEUa7X8C+cBGIJy2yASEhh8JeQD5J2phDP52Dh4Yx3rcj8ASOxI0ETiCVTGTY9LOs3OIo2IC95hLHecQ9x+eQMUBkmK8kE4Rp8KQHwa1iwUK1OJkDfQszPNVpM+LcDG7G0wyXdRZm7zjbTrBb/bImRnbYAFpfefp3DtB7qW5PjlUIRDLARecn0x9u5XW0TUiot3xsjMTvoixxnbo6wknTaraEWS9ex3zxFObt+gyykXdbkQnFuh135j15v+UuhbmToRedTGDdIL45A8w/mdZp37P1fMdZkJc9uC9u213b+PoQJK5LcxqC+njGH6rIGvnNlqnRt9uAKAZbpqXKiofLrYT+TRLR9oi4Z1/It0YskqLk791O7SgzAMTkE5NEG2j0xGjnkm4L8dnEXUq87TkRBQjXde0MP8OQqe2WpYbFfUNJQYxK11RCOmsq0gl4q1KWWF7bA98eWmvuexik74WU0RyQkCTDf4PoEDeQclhm5Mykrtx9ye14Fqz6DN+jjx3sBwdaZ6hdC7ttdej0hhEELOkqCZ/rwc0przvqU6kZmUSMfX6kGcnh4npxvqZhV4tBbTOp24Xfn5B+2QEmOMuKL8yPCDkmIgrlsgrNg97kKHvBfVA40oLUa09wax5PnIxLVMsfzSg2z1igx0XZNoJAgREmdFHyCQSGEa2CnSUmHK2XVoFxko7Mw8buPFHuFYgW6LZz9hqeaV6RI8eG8dVog4Im5KjHqc7HKxqJkaP072/0Lzv+XMgrNHRuKc36CFsQYddj8R0Cdki7ua8SEGLlhFzppTsCYukwGyxlcnZatVLmohZZ+OU1K62yMUgSJ/LL3ZWS+mPgi2TEY5rPKI8voQ6XUwrG2365EyZi13hMOtZMyvim/n+bl1gYY0uO3yYpsp28zXN1vPHZmLrkgY5+gN8T5UCFbIudLEqK3VBYG/qPPcae49GL6OI9h2koy/GtNvWTUMEqgMjOvLphtJU/vh+1nnSm3PgkE4Gu9OdjLr/JSSOeyglGlcatwQy9kzGyQG4UoK0t8BBB+T0By1B1ButTGpE4805qWXtq4qZaz48B/AmK/3X8sBEPA4KUphZ5OEo9qJN/jn4KJuh/EX966pKX0hT1SmQiZz2tM29vry25ReZkznOuy1sxuiUHLgH53a3WUzR6UceoiCAFy0e8Dgi4IK9rtpLASVy4DSjb8M2pdmS8DWdvY8M7+YHYiGIpEveQnaFzaVrEX7VKowvuw/9xQUEybuZvJZQY7/3DF1NqWQOhHgwPxFDQ++LH9POVqfTa2yPF7aqS8vrLd6hDZDnJQZVCC4K8NP0Fj4NzjT3aT0bWIZ8fJUMw854KK7Nlc/oJ0URWc/nBB871Tc0kJFtt15vIfoIxNUXEqv1H6yDw1vJO4sh3AOPdp+yh3IBer4pttxM7Opn9lx/AfF0ggzjIwVZdH5cwSvg3iDtxQA2gr9U+FDxuRuQttpINi3KO3NtIfZD8BzXMdSlv3oCjSsMdGetx68LZvreP9Q3xJvr3mk98Jz1AKvpdCkS1f6BJHB1WRhKMUDU+KelBU7OjfuJEQfj3bIRr+YQysNnJWQgLct3+p5SxucCh4hzsPasBu3FVcwmLS6JfUKFuH3SIRAEBgOXEUmPadlefyass/spS7JZpE5r3Ldbf3eHuRPGjtFqdTMUyb0TfqWqVp26WRzhj7rq+gnlv+trbKzkE+KIRi5Z/+BV5svGf5v7IOq1FWcI0McG6zxurrRa/6rh20sFNGFTzKnNZBKEWTF65C4NSt94ocMJFQQU/Qbwou4UR2ekiyRZ8PGy81BNEqOd8hdJE/fOaupmL2GaJsSaO8s4GFjJvT6qwCgMruadya+rC86pV+0zzlHt8eEkWY004XEi2OD/usYwJGFTqRB8Yu3sEvxFjot+pAal53Lt72PTTFBQpaDQw43TBuGrIJqe3abIVEtzZyoB3bYw61aw72oILIvL1HQtBIzPO1CQvte6dJ6cZ9YBQD1kLEFMvCgL9BNyeRAcAHZMcZMmc7F7t3hwb57fH1BaaP08WpLcEyC2ENlcRHbxSiGWiktG5nY8nS0w8o7raDwfNEwbsE29dCtfD9UZrhxrkgbdUaMwVOJgs0PRKzULHVJNrUbI9f+gK9ZE4HKBDZbnGwgIQQJrXyWLZIVbO9+1wK+CAF9M8Ob8yiyT8A3AFo5n57pvgACoX6eH3io6U8Uyitu4HJe/FoNjycXR38VxQsxtcrZ7PYfIOph8gFTVTiSL3xKQ5HCKMJ9jI9XlD0JqOGEOHtUwMYHpyujez0axR5LytheeiGnmgIPVOMidxGL2TvV9sFg/xOUNFFREu9Uz/XBvdPQa5pqT2Z2PUZvk41veUkB2Gxtb3mMVKYFJrlhRMrrNOXInjA3plqC1GKgX6O58SNNqutdEhnbYO1sWaONE/4Xs5psKpmkF9q2S4IBc5NYNbHx+J7RQGDevD3bDHdwO0ONj9zBoErF22Tje5TFvl3E9eGJwIJcRytr07dOq/7QIv6pWCFTd7cvcB78eL7NX1batjLxjySkBUA20FJdMwvHJByH/a4NGB8V+tlYUGi/2eTFLFPpqioFj9rl30eMalEeJ+BKgOVaPR92jP+0/hnOXbXIsnEIGDOi9m9Xig76xk66uv45DDGJ4xEEXaIa3SYhcEoZcc72lIgsgTP8ENnDvclKM0Pq+iTVgWRJbmdoPfN/TC1F+Z9UwMRyDazLV+vjvcIbh7VAqXrBGWj8/cPDj/oqcgTQDYNQaJZpgP+UlHNkEsAX2lf08hv0UvT35N2zobsyh6in1R01G+TQXffs/rtaCAvwPel8OS3t16eWKQMysuHg0N45jIk4iVi5BvEJvivubUrKoP0xTB7rLjw7O86fSKyD3Yx9w4J6zpiHJ7FmeeClGnC2eItozmx3DAcS7JsTENdwjs+MWGtTKCRsl0vXV6qutT6AWZHqAGBkP9BQFCdVkUsKkLtc/c8dwO8lzrx0kz0Tp6uNbJ5ANsvwLH5YpXffGOBRGbBZSXUe2YCtSXYUpnf3rl8qLuYUiRzTBH1OUlQVwuwKaEo26/Jah9+HZ2DtAmb62vTA6Ebf2GgvDjG6iagirLKowHZOjJv5KiA0aIUP3j00BvzQJE7O352Tz8mOdGOToNoPcfqN/w4ckiINlAT78XULlUEqK7lc+uQdukW/PH0jedocdu07szlRuCttMuxWU0PuRpXwUi85QHcfTJnCB12kfyASEMTbt1c8GoNyBHhXbrGr+UiDnI3RNavZjP86QyVdMJHrdq6FOELmMvIBNiRP1sge+qNVci4fvLACz45+tnJUR0jv+3tb47dF6NZeDPXh7SmNrfPUSxw5oGPPFqod8Qvajjd672WyOPc0eGH4TuPSG85dHrBFadV7t9JusmNKT1AdUfrdwO09vasOBmWUP/D+cwbFpv09MZH7mNh3dC4XErw7CK35CqtGfcoH7LyB1rKf0ea7Wdm7szLJB4d03WJs6CNkXHoXqmwePKKRcLNBJYv7BMHFpc6tk+DYVmrqFlai9rvnPO2XKv5H8MOdNvxddXs4k5foJUCkIWjlX7hT71NwS552Bi1JYySQUoPwRsOhZR0bRi8g0//YVQML+jT5dq2w7nClbuZ2RUoa4Df6BmX6nKo+uo9R80HJYF5V9XcYoYc6+EclAaF8bey7KzvlETYsP3qckEfPkW0RbjX/5ZolylrjP4PQl2tBvJsEC2GyDulyVRP2jS3hXk9PKG++zOV28wRWqnttGVrzFXXOKtmfDoVU7YA8+EtNh9mBmG+Zgip+Z4hKTIcc0w75kegBrPajk5HijjC38/7YR4/PyD4KHKLeGjVD1Qj6YIeS38+/1JLL6kBCkOPxvVY/+Hgpc28cUjZqakxvuYaCAT1j5WnMrDEWYEITQ42/Q16UTkqBXBLELZLmi7apuuSa2I1p7MqHva5fV/cKpG2CKLQPX1MXtN9QcmsAAvgIYWOqb4GHZz64TdeR5A39ouLYlP//0gvcpcFVRwHRd9RKXw9MwbyBbA/t/IUEy6IfEFaIx6Py9MU8lBdBnmBy7Erd710aqxDMdCboe7OLbBIVNE/WbF3sn4cDmpPEbA1pkxShHBPoTZ8g3w/n2T6kmjf2Z8AjHvq5jh2S4ZFRVWzBfxf0rOkkouRdStONFgrABjWA9oBoxLCj1T0NdgBFCzPu2sbLkE0ZO4Iv5pPDGSHFANGTABVrHDp1ikTNmpe2hqpXs1+wk/LAKwPd+SsCTEMF0Yzkv3jo4Iq++d0owcH/loVeo9Kz1Qz871uw+TP6WO+3htbtgWD8krgFrjAtisE+8kF6RlExvSTl5f7n6rPJXja21Roxa4NkiXoHHFp6ZuVHEwsWPUQFrJBW5VEa/GoEd1VCIaAJdiDCVyk5EihlztGW7FdxswwOd5knqTqHo+aos3QoP6TVADmctJvgKBFM1rbbUEfzV/FJqdlHi6gLGNL71qLCqsURWnjk6DThN0wzTiKxDHy/ugYgnI45ZC5OY7TtEqwmUYxQvEsQgjFYt0FYlamrdErCX3WnsQqblfLYlo0IsszceuCohrAilx8vKD+kGY409FCOtkBhsXMDWMqOaTbsxCIVZi7plVRFpiSz2O2L7w9kkCvrdv/yUPwzgE+ri0U51uVDLntjq+5mDIRyIuRmHMYLwQ2r5lcqJ9mZyyh5z5AnLskaP656fis+GkYmWO/z9xvHHBn0I+ADTQdiptXacYgBGtFteOWtc4+3TP40bCBA587gn/UwyOQgVNZUak9byIV943+jsXFpQz6Z9Wh1P4R7NePTGrzCes2lHrpJgR6l/TapKInH28fy835wpk8JHdt+tFKNF1PB5lLEo7OjDqSiVTAsJpGjGPdQ0W3lXNa39Ydxjxv2qF+5VllLwprOjN5gMVLOJKlPJIv/KvMJGYvdJTG7+GJ9ulWkedWVdMe1kNNHWmiAoZlfDrKvCEKfZVWfqfT2uqLCKefo+V6ZYiR4NWBdy7ZeBbYeXO5GgbcHqC7oOT8MVho9ng8XssfvbsjmPa3ds7Q2nHBf9YlSpnD4+fQ0+gN7XGFe8AsJaXPI+qJ7WWxd40a69F2ewgXb5VvBl/zA0pzqheyRKRtez+yP+Q9gEv+6rq3gOGpr0Ez88IStO91FPtIv0nsqc1Na+qtjrkJ+Z59sbHg3SwW+IZbkj+oje/tVqxG3G7ScFdGXwzxhRUDWp+DDrVVNpo4yvI2sHzyRssgYGdRnUVieJC0kgbq1FQ8oEfUrBWwbkcHYRQEFd4OGpCE0c8MdpmBjPKrWYlzrC8ynKq6BdelfACkCjhnrsJxx2YppC1/v6OB9PKyDu2Wf018u5RrDeJJhVBU2mYBF4qhXNIJXiuBiRqo6t0MPL4V6hW2GJbCIgiTnePI/1Mj+Z2JJosyYcvil7c97/mkv9QF4rqx2tnkXiBMz+3eew6WJPX60Y+xy2p8g9s08X8/+BoGLZCTHSydNx1iwKYa4VdhM1ViGmX4R4N2hj/wJRQ4z6kUVlQh6OmrOYBJQZxMU7AORrxB3GbQr49k8m17/LhnhoCND0xKvpk1Z/CmNxhBtm3eQkOFGVKiHDDTw6KZCdGYpg2tlB2n8PbPD+WUQ0jABjlTg75qU3X6Vk07plt7kIhNQUhlvAOT9m9SPJkPExoE/elQAWI7KQL/WuQKqZBk4ONgtk43r0weKhTwMoNTGWLU93KfkzxxACMeV4ucRFBdjWPWbkc8mU/WfT70zKJFZwKfW+fiIE5LShCPmxcYjAiDfFXSvLHiGFWe0x58wWQhUUCSycfZ9TWmoeKb7U3QOkghT+wWW2kb9GsoxrkHrvyaxkC5rE9a2VbZ8D+ob+eXOqX1+q2s2+Brja0vC2PmNq2FG6FsyAXxuMgfs6MoDc0guKmhK8xPu9WWG4T37prBJH/UKqCAQOqq5WnmAkq9SXcaxobItEUUoQtllJaxg/zwyiRI+vEgZxunvx2iMrQ/Qy+2xkRB/rrYWN7wL8apdLzZzKWccxIfBNIVuh0pE4H7irz1KNYgGvHIFByEKmLbBUOWvx9gm5T03ii/Hf6ZNx5Nj3wr3O/0mTKNvIS1OaFmRoEE+Z6Gyj1zmyx+AkGu8RItqKueZ1i6hr3NG4MEmQqcy1H1AEoRBOZpXNgy6SkFmk/wP2nu1p8fXkbjLZ4y7W+NBX/1SQ6bdK5ckJjBZbEnMAeZnWgGsyrQe2dtJV/87wvfb5bNYURUN8NdF4ph5LLn9JsOkjsB/bug+0JsOv5LWvWPjYxa0Y0V2WHSD/+GvIiw+zVii7DAp0ZSmTJ8v83Ot3YFANpVo6wbGoYKeBtZtcFp91y+EidFdSThjmRUcvKKrlyGTsNeLLRU5+jNX5/hhF/izvxyfq3zqZ185B+IuU9UZlbNPfQoYeuXTw7epoCTC1ohdQixe1mKgKyAlwfJ9FuSeIp1x62eHbFIZWu17f0X1Y/2Uvr7hh2nvtc1mD3yNL+hqWjRGltVh5tTRyT3B3928jtcW2CCU7MVXM73vTOFv/9bsr7HaWA+zmXd0reX9y0N4gclB840W5HqrG82pjZ52ZNegF0EwF5Gleq3LNBb1Hxc2iCV+VVa1INttB7GhKaeZ1OznxjaMrSTZy62JTFa9ZVMcESJuzb7T4IbqpDpj/yFEXnjHVXTBhZraCE0ubuTeqYwIc50y/y9FP9nFqYQoP9LZ4N/aXZ5LQMCvALMsmim5ktsvE60F7dOKKEh/ceTCoH8vf7MsfBfklCCOgFXuCy4RpUJbfZVCIcR5XQtB3SPOxxM2UOFet4KF1ZuaGqYGBYRNB/W0IvQz8EM+TFga4BY//OR7W39YwVgcSm3uQRWohRqIYQmexd0krRPP92j2BGC/DnFOxYTZplZbqGDQBpc3PAAdVzV2xWHlNOH6uVooBCvrYyh32TwEjVXpJapEnqw+2cfvuDD0JdMzxUeQB2F0LCbqWnLc/VTMJCDTevwD03LVHYh8q/VUkNKNvy6mtIIXaOcXlA2ZBXbdCW3AimaT9CQ/u8Vm3QZ1qOmz5pqwCj1QuYHHMrSuVQOJnmrt9OHUV6s4TEqH2/HkaMzq1k2Ib8wQydeerP85GmmJBvW4L4PUyyZ4sOZCSdZWdod34Af/r8ZaEDmD6ySCUW6rxvGcFv4oh4Yhp1PNexCEmlAoL/hPXfiT5JmQIp4CK13BtR1zORoO0BMz8yOtk2XLcnF2/WIfwxF+6OCRFslpfnMipyzhRprSbi1VriuIq4ytjZZFgUuBST7j7l7VpavUdo1ZvJ6EfX9DpVi8ka3AAxwEoS2/jw/mS9LD8KTFXnjos85zDIiOX4mTSJViRaY7O0S2YAw71JoK0IE0rhPXoZnsiLOSTHd5haKy1SAJub9gSe+MlPYQegKKtUOyDgn+fTN5FwtN3HmhtOkuy6lX5wvz7oRhoz8dpFY0mXOfSjuKq17HGfsGWsyuOlfbNBLmbnytFkFn4aAC4pyXKM2G924hgsseLtDc0xH1FpPB0c85kWg5eHblrr4wjZERpbaGkqQaoLn4+pSZ+x5RJjPS2s3VHEykX9h5a34HnfwANqZfJKoXvB8kPF4lxM2i6Oa3jFz/9wcR9zxq+u5XFSlmiu+fmBDP43FecRFxX/GwJKYbcPILTblNfMBvS7wvT7xgA4CsgJTF6VMAHgq29PjLIghzfvHX9sBkEOe3lQC03H2iuA8K0YZMufX8Xte/VAsQ8BIdiGJJp9xGWie/LiDAtJbhywhLEp2F1+3kbIXSOnPTvxs34vksAURGHvz3R3U5augojAZLbN/K1WuCNgcAE4Cb8dZFzNDeXq38H/n2ojLR0lVCI8T4E6XMPayd6x1COItKzeBwM6v2eZHGZ9+eonvq7VvKr4AgULGu1M04zXvdIpOcIw8w65DFgAXpqB11jBXrTBk9BqybuHA4t+bzn9H5s3jT0DDB4DjEw9t4n3EZx6Gu5s9FHzW+3TBw7ahbs6HcRuxTv0RE61P2VfdBs4fVYNQUdFslWrC/NNEhI1vs+mJZ8t6tISfx6Pqa3r+NHl+vlo4RtEZ0s90Rv5pJPusEvGHZTmVTipImI5q8JUJ7qxZCsCMZQwUmRNCYujMGg+97hZ36fxCtqjA6ZqJIAS/I6l0DSl/7NMoepxE1DX3WGq3f1nwHY78PAduES2LDmjmgjJla7u8XBFwCwZmDx4hnBy+wyuCSAr55HdfRTjDxxAp65g68DPlhPBdq2W9ZlZKqXJphu5DmvXzC4e5LIe4T4xrj0ypgDXhPV4zbVmyZn6kxoz9uzztd6IbL8PJ3KfhYW1D0UaR8D3C2+yzoq+D4C6FUf6kMea8hYbZ5Aa8EatwWDnocbeK3yRy1JYboAk5DIxoFEfGkkqoB9XXqMk4RY3C5BuomAqCrPKD15j9lGhpZpTEm87pPBIs+4CppMNizbjvQsrbApCCgj+XIznhscuCJ/U1Ux4jtEnKbzhNczjUxkxLY2xdfMap/TyDdz+fj0wzWWhZ0jHfjkJXrT2Z8KCdxRsyDiJysrdM1LQW/6HrlOIdSLbxWP9N3dmElFvpnAgkXvhj/DyoQ7ul3Km4GoyD0HYtdL59HyJqM5z594vFvgFmuDoRkglOOHwWjtbB7cUgQJMfxZT/WTi8Ejg5sQ8XHP25efQyliJkYFVJG8LVMv4RA4UkWstOyvTVnbMYl/9x2HuFCGR0N2owp6B4aC7a8I8aX1Hp8mvzLsO/y6GTVFzKAdV/hkBS+F3LnNkcFmIoF6mOP8GU/MXrZmMZ0+nXpG7/P+aV0M/Zlhtyw6Jw5VNIYhAhYAifoOTgC40XaPS44w4nd/dWpJpuRrAnlikOt6Pvgw3v3CwWdJX8yuz9wqC+pSD3Bv4Z4HZIX2a1Z9/WN5Fl67kB9d6kE5mt3d8H3d74EvjhbnxnbXWiqtDb4FHYVLZYmRgZ3ukMBxW/rOF5MtBRkTFTI8jP8H5ZTUdy1Sq9tC8UQvZjSX3DNSXNe5Qp1g1DJnb3twGUff1JNhaCnkPoeVKg8cpf/SKgYj7AJT0803O6GP/DS3jr+0b7O8RliSTI2+mstSKwVP3T56jgB+EjmcKVNic9qVqPBCYm7ltNDYOvr59Boa4YwQi0lDZpZl8swc13sFZHAB3W6PUUldDjrNy0r3BccA9QL6HZ+vZcvAIXuyWdmcNa/Wx28XDXHDNNerP1Xq0Cv6afH9d30BXorWfbZki9puUFPweOYDv/y/7riWAGU7sRULjqeqAW80tIwFDWd/exnPJ40Z1M+0Jf8AhP3ypz1QxGwvW+M9badETk0JeN5DZ92lymgyaXEC+uPWWrNIdnh5yfo7x+y+H7dkX2X6ZYalmIhe5F+DFjzxe1ueaCkBPX2Jw9kx59ddYQ4IRwQ8DlYZcpNTphth+21Z66X5ae+SeR3C4Ljdk7RA5te9KoMCYggsfysyYL4Bzk7GNVawauhIgkC7IMmCGYa2syXu2Z6IhwLQBKxgjCuxWuX6M2+ftjPgtKtgzK3FFa4naxKT/bAINAof6AwpIqQuzYwpdK6iTkDBhtRTj6W8v0rlAMnc++Pj24wLe2RNgKgSxelUbjPrBiWk8YVpnQVbRcp8Ucw8tESpqGBf0gXsxLrTFvNlG6sQyRYsOwNkrrh1EijP7ieGKqtUmr0dfIr5WxcKIkeps0W0ILRCtLkG59a+vadcz1FG1JPRMAoV558idcd9AFNX4TZidhpAWRkogiBW7YwO3TLqplLn7Oa6YC0RU31abAg/v67+hdcs/w0KIhu0dLKV7AvbnI0H5nmgSF1fIVZPmcIUHbbh6HZp+0nYdy5FPmMI0vrNU+HS8nXoBBIsy9eqPEaVWwOifT/kLr4//1HCR0s2+tW89YRyP/aSYmZvUtt7JMDrug3ltnwXpNAD0ABN6lVxO81SOFFRbFK0QBNmtNabO2zNKC1XX4S1HOfHwr8+0J9xJBrjdzmfapBzW4w6CnzPCOHQx39e2GddU+bpr2JQjivInXmsRD0/u9PFyuduAZIJKUS6f6T/qEKi+rUe3kxcRY2xB+zGpn6wVh+c6D8PoJ7/1aH0EXxlRVGohojDESlXjQtgdYI0PjYSn2AU0UANVPSO+Do7FCskX1R1jun/I0DL5n6HOqVXORHszYoUKxcNTOudw8yc0bq9EaJQOpDAiw4H99qG6eMv0DSnWzjNZC/biKACm7isP5iM3lXo4WHL8sLrTBi2/ZxvuRwr3o4w/z79tWURm1v+SMyDAQFakAPhWzGjUampQ7JZ9MxtO72OEZl0K0Jt5A31vcJKlpcFodc0jPMAI3OHcklQrJZKyvlt6Vj9NQryTnNzmKUgOy9c9ceL3ttwGdD6a8CMZ1SK/BD9NkVAr1Gbck2GwZg/zQPoR1q7Vk4S+/qillqDD6yABJEGTwdZEJqe/cbgCH64y12kXDV1THtK+NBQO6mN45YqLQUmJIyue2Ab0rw/XIWALmcx1/6uee4fdRmbREtLFem7W2dmlplz5aHAVhGIHH1pBEVa8qy11ganagxGt6bGNPaxvb70roo45Nkgau+Z/6+pWTATThAiLgjEpRxm2J6hdwHnBvMEapZNRKwi67kynf1hCZ0Lf7tlQ6RMM0UEGXhoZ8N2zHcZr3Xqh9LhjyLIh59u6mWIfd8wrlPM+oGFtV6NcsVvqUOWzRHmqoPIEoUYfc+RW0XMSSanY8RR+sKa4FaH3whsk2L0uSuLSu0Czixu/bZUIS6ISd/XvhBKPess4lLDp9v8UZS4lnslH6C31dxUTrp4jfV7CZtnuLGlBT0V8wvFJxvBDSLIBKYFKdTD8XJfk0I39I9F59Sv7bl+uQfkQb4xKsY/J6+h/wCtj0Zue5bN3aaqlmcjEl4CE/4iaQS4eCLuNhRZ7m7547Zo1t4jk8/IHAoQaisTf8W8Zb0qHxJ4MDziFGkcb7DWz0ExM4a7UcL6SesDftmRK75nAjS9d+3IwUt0mLsXRDOcAF4ZAvb0KR6lH4vOYAs17Tew4ufbYk/ubuy6iv7Z/CLRuovVwqp7eOdOVIbZIr5AwYj6qrLz5+9oCJMvkA7yDZHf/PWDGqC5Bky8YADPNGnY7ZUDD133vGazVrjRWKAR5zcSW4XQluD3//WXwQFB2fUT25yHt6+U3HIKesleWBWRc3ifnlNE+CUThr5B+A9z9lfmZ0DZhDjEDtFh3LEOgtx0gJa830Wjz5+oGG+Tw1RKzg93TokzjuVfc5rIDZP1Tsvnzb9gz12Ghxs4SKVx1XvC/1ZtRG3H7Fw4wU0MYqGQaIJ6oTRM1qsBdaODhnY1ByiaAKcdkzRxdV8w70/i2+bR3fhuz1eZMNQW0scOpxWQgY7TLTRp+GsPRwnsh2As2TBIXUzGQZ8yFqYWoGhN4FAbRkJmHKOvM1yDmSY0qK8NVAUZExkS0aUMRJY4C4NnGQ8OKawS8XE+w3DCi7fSWMSgCmeRw6ieB463WuflwHWsSni/s88egl7eTZedlfSEyP9PNv+6rAPS9z8zBDn4l7k5hIcXz/fIUQw+l1FwiGZcUCyheEORnyLgVxqSuP5NQs0So7j2ktuQmpBIt+AByZjQ2kVGfGp/s9anQyTWJ3Tka9KGP/urzZ2GOa0a9iCOAv/2IkMv2uJy6kevVKsgAUNROFXEQcXGhBSA1K5q/E8H1OZ+toOGtB9f1g1oN07U4HWUlCrCymxeHxt5k/sKqcVcXSNSyLMWwV4NjlYesoF2CY40/s0gDCtFizTbYat114sPxLM5JLCA5RJn0X2BI0ICyhQn1qKEyfSz8KbmoNgDhd/j+OAKGvb8UJtSko+cooLoJ6JZISitPxPfJ9lC0CyTqJeqbVQciJjic2TB6FKA6lhrTYmqcQPxSBkJTcJKrpP5+eoxGiwollNL+X7YbGdEM6DO/dXgk6/B6Q/Bp5wKT8YEw1Y9d/Yw8zrRzOCTqAC5oGijHjIGagsXTf5M0bSmnFi0JWP0rryhRBOhCNk6Ru3LrFPqVMD6bzoIMTMxVzUUL/jJe+IlBCfOHOEmQmaNrXItJUFDSPb10/aosnsVnmQ3MNdjzFKr+C4lNCpKLtKd52y+lFz+ahRkLzgRN48eVyPpo4Ki5RbHBel//eRcxwfNGMXeM7iZ+O9fMKh1C043uFIC8JQa0H2YQvgnacH6x1u1yU0ZyEScq3BTkHSbMCiHBdY6i9Vn2Yefn1xTk8CLggVLgGXFuj1JlJrogk7//q9EbMeyFYqrEYYsF9u2n8CVAEdRWz2/mNV4BLkI+CMUYa+SmUbv/F1BSyeHT6PbRqXdVzoaGpg1geuwaMwhCIq77xKzl1zsBLxzi/p0DbBPgiIFaoYutC/FziCgGyErlVsQ4vFlEDjKWmEPs13sfLSOana3op42e4FW5YJixrqUS46G5dtmhsRsAib8OL+6+abJ9mgMQ8UCqR0lD4B9S5tOadusRK7UXh42VvNIbUq+2ZJC+EO+2+wq1o3LqjsNolLHtxo/oUY48Wu1o1+aySw9mZDUDoFbOiPXdtwmMhDO5P7XE9UYAp44jCE78ReLkKG3xwtFvEPcUl5f2Aht2riVwNPYsBCZAg35js73lbuoLxrfy+ll3tPVnHzO8qMl3kJpQbtJ52BGuOUrTkRAKtI8+5P84OvdgWjLgnv3zZIrn+yagC0YZ+teRo/3jNDyNDFH9/YV2iqyofM1Y4sHNbEaxJObZz3x4x/gAE4A0OkClYEjQxqRIZYsj7vKP5Ge82PzUVhKxUy5WzZ47LajQQ3UyACvp7q7xFtkEqO3HstNhmxgvOCTgqC0mSVSuTdmRycP5pV24gDqylVyP2Qv2ki4FE/c/KyX483dFf1LmlsuniakUN1ihL+rVQmhQ84Eu/9eMjdHDPzXFrKzTT0TcZd24DxwsmObEGMSzynRmpZ1DAT86bytvdt13TXq15HvGhqeRGUH3Qr4fl9JBOHKgSUXjBIolPvE+K5Bjdh9vGjMKxrEKFsAp6sm5QB68Z2482YTJgg5lAUFaEeZIL13bKsaqLuGU/rkf/WAwVVwwHZcKamhiccPFXubt1t9FEWk/LBQLje4GRcHsmDRlnw5ifZusjYF1oXLUqazNysS3as3EMmGN1KCclt5yhRZARzyAnS7u9zvcSNE2rMo6JmXlCbniFCwCE1DXCLK0Was2hkKsOwlmi8o0W7FsLTorl6R5oMC164XNHJyiNzEpPaZcxVFOjIMVnw75cZUZRjGUWP6KgxxafVsbgSBTmSWkVaQML//T0ZHCg45b+r0wOQvXbvvc+Wb3uPTyQvxqchQ2hhC63EkoqmxNca/q9d+Z1M3R0k8+2JLnSVksW8dcP0fBGfjWMX8bsMxoIvN+uBUO8vDGjcOfbiafFuqN3Bwj3clWBsRa+nBvsWc2/58FBdakPihYYvtLM3+HyqGeHnu4FGcUfOQOi8bG74CwzEfaR92jv51YxKmFMb9WRHj2LZs/7PaK59yOxKFIhZZT8uJKyrN3zMaPHEwFo4tbtHPMGTYp9UuvEfV9bys/G7UC9QMJO7wCmM12BzDt2vkLXAbDolu4Zi/w9pM4K0a2NqooMFkkb+TvzjrOumDVNTs4LI3S/azp+MuwSfMydsSXTTPMKb4kUq531YmDrY6SoXVAI6THUMD5fPL2VHQsO1Bc99gBQQhpp59t2DffEKqBypMc0fJ/JyVpr9RdOh74Xe5/OxKxI5eBL0aG6BM2u8gUWqUgN8xspr6Rwrpgu7sGcC/ddqM5bpN4dykfSRmq03HQo+0xFVKq7iBomOXtHgv0QN1kkw8dOrQplHd+M3+u4Mzvt8veCWdKV6/C1WclNuWfy2q4eLBHKZfFuw4yAXEUU25W02ATT+xjRTKVR94ZK9Gppgg6l22hntM9CSMHAG8TyPr57zGnFfE+C9aJlB0yYSd0K+NBsxnIP+bIYcwKGr3p2fRGKdSEULmAdUSjVRPj565cmo9ky0vSVf65flw+GRTHM3DgtEfFIu68HehjSMuSXryZJEIx+ZaTDK6HjgUZSiroanh1ewIiOaEDMWN+ClxJrnRNciqGwURxbQLhEolZopOeDHn5y11MfmX+RwocfdBas4pknwCEAuXmn5RoIrlA3os1MgmH1RPtv1WHdSTxggEoqHQQiO0Niy/q8hv53MnmQpnIdZNDPQTWsBir3kjhF5XZn9tlA9T9LKsJMzkz7i8CRnDQjDGPHDpbpU9jFIA6/39d+IMQG+g7aHGpAhyTrMWZXkZdFpLAxRiAwZAUtqAfKy4uylbDml8gC9p7hahOYOkZ6ZvI3uzvgMmGxe6+1SIKHHO6WEAwpC+Kp4MGJCpHrxL73sDICIueaYuFLLaqKu0u8GDPjQmmvjaQaLE6u2HsTGe70Lmu107/GZ57cpkDMsMQG9D7j4LerTntd/lgaNjeQF4sFuRTsreZDBMVn1H8h/VetsI9pArIM1N0//puXAwSeWKATRKdz8hUm0LN9Bn8rbTuO6wRO20zVwSwrqM1bEwcwBJD2C7lIkEZDhSP36f1dAoVHtf4S0/bKEJDXsgFTieEcBE8DbfNPsVCJUwS4qw3kWtUkJL1z5MRiQbxRlgVtkgWMjkk+8w3AFTJSkG/N6GJJ7r1J6BjiyKEI/cTPd9lqtzef8WV3Szp1tBiYPedAbB+tPwPy7NjCq+V5M+qEqWnQpgt6oBcQwz74DLaxtbNJyLvd23+qT0Zp7ZJz0DVOC+ejE708oztf5Ppjo0fK6XKqPat4HjI/CRUE805JqLCLRGNzUQc0wCJFCmq0gHmdHB+yAaeAQ94tNrrVTxslQJkZrXKoCvMb7ptk1AGSvHvflYbKHCmXB6l/JgkB05H66S6xCCzSu8h/ntHaMpxTghBvLsvTxYGPhCl5gA+x8FirqUmRf2NItGkKTXeGSU2FJ0SXgJz+OmueTKZopZgn5rpFLUjCicw9qeGa6oVq+atLoE3Po77ZKukDrC53WjlH5lmEPX9Gd5XfmYlUOysWT8Wp+1FrByNoiSoYBc7i5Necnfm17qmn4REmP3dws5nn6EgYcWQhmV9/idNUMGLqBFZRHB1zkl5XE+VOEz13lE13q4/wigABBWiEKaavIhkmxtzsUh7xGnTjZQIoQohpjDJ9VVQOVyZ1oUuFHEP5x2ezKfpBoDZFKu/vVaa4MPxveLVbmknFj7zZG2o4ARQWYn060l5QBwxJfZL9BSr+ArrWYFeKH1IDAqU+KnhKNprIrnuZAabZMMBi1iRxeKM76+tF9uudeSMGBjmNoP31YF0xeFA1DW+RDOe5KIMzBm0z9EGtYO3K+rFBu+5JQQA4JWr18y+xsQQYddldhODq24kClAyDlumHhibhze4cBUaGIpOUsKdd6KnneY2kpOrvIVimrERGztM7ggKz9+FkC6on+Jcn+900RVyzc8Wz0+RD60GPJqtsWK8AfspJRmooRF7uHaYeHMZr3hvjoWoUieB2jXmR874HpTIUGRg8cLmSmUoNsDTK+MMbJ3pzZP5X6knhbrXsNKxKm9lDxbSArMBN0wzxNJb0ZkTO7/t+gf+w9IBNbW6IPtNnBzQ1sat1SSgvjc2yKuKBbTIAAX3Gg9o9QZHZ1BV1UmYZmWI4CEZMc/F4MRAbKOMnSziZf9lFPQ3SntkeRIfnlx/1LXMERYIaFKEPED0VItH5o9jwU84r6ZlfwNV5btQaCF1t2GDCJ9k15vbWilbOfwsTkE76caWF6TnmiSvReITmHuYBd0DzxYKkG0jfNTt5awEt/EpcweUCLFnJjU/qWuO6T1lbhGy+2Q7Q5jdnz1ltZy4BchAmnglm823nEm5nClprX4p76TyNVX6SrS6f7QY1sSID1Ih6xzXPpMACtG6HYLr22UrXXhNb7AMlMBixG/vN16s+ZM/jhvhD2cB+DsORKLTbpb48BReNs4cFvFiHT7av0muQ68zQoMITVaAzj6cd11LoBIjKEpGGr/cMWl9fydqsNryg3W7KSJKUvKXrcdWwhBc/1y89LEJysQ2IlVh88v6W7a2cMX02+zEyaGud+a4FJTQSpBYqNPASeQdxD37f39ewmisLyQSTrM5Y3E7six/yZEWykvqDe4ICUSJIyQI8qs2AaEXEcYZtx+cnVLvjg7a54juSXfEfOkfc9vW+gbo/YZiCkXBoa8Ehm4J4T9y31Inf9tTJpRNElJc5bUPc14ocpr2yNGHxZxGV4km+zGFrVBtWEPIEiwxE6AS0MN7NirMAGVWv+IcYGVyCZWXlyoq1bjhLx9G35WGaxNI2s+NjmIeVe5m+L/SWhtabioqPPP+2gfN/Z7HbdrEqzt9/nCXnq3uULtf2cDxG5iMVOtb6Y9tFLacg9HVGBPBjeMlyE/uKeGjuoncTIB0t1cBuwNaLFS+CT5LjQjxPAEHpd7n2fKWGZcy0iQaqN5JRNPNJoQ//zoTMmimD8EIJPlrQP9N/onJ3s/g3/DBsClBf+KXkeUXeepi+Bi8ORWLEacgdJstOzhmRGG9l54wTGh9A2Nm+c1uSDN0OxXiqZ+mszKn2oR6xJXzjbzmMuuxKcQ/0Uqs55e9jdfMFmgifdr8cpGNKdPB+J9Qv1WWIm3v3UX+JSAaIL1g4mk1HAAew/RXtC+pYEa4Uqwq6WpTkTSsI2IgnPfhLk0J4Uvrb09wH6b0gJ/Yqf5AW1d4SAkyjmwpiXN7CNgZ9JqhbPJbaadveFy5AxbrkA9ZVrHTkm55E2gTXIKEdci5t6uRKQdlLzMQpTWqKXcp4+BR+9JpHpVmMD9ZI38Q0jfWKNS/5/wdWj+iB+KKQkqP4+bcMKKymH8ae+W3LRxJSEEVuVadFWEsjgmW7TQGydlH+r9nSbGhry9OqxCv1FwgzdmreraUHfXoR/i140vyuQL8s/O/JDmwNNcVVaTODVrdNv/Kezah0AOz896WA8H+4D2kt4YA+1+kDVCE4bc0HDUUGG6frlDWxGHHsE6002ebQWSdGqwknyuGXeJorto8JQI2M3o4J0HgdtEv4paaJqKzNq75KnPGyplFB25HbbfsJmBpOu9/4xrhiUJ0uAw8IbrapVkCij/qBNcgbSnaacp6zRG3xyrezXr/8+fV1uEUid3SYZQeQN4wwR8vPUNrzyhbnbSK8/BSpL3SKawi5zUHaBDyCkzv/1HoqNrP0SaHs/ysqGH2a7B2Oznr+po7TeggglqQoz5ZlxsQhBYCYQyBoQzgXVWssEd4nvR038QYh5QoXIwibxOOF8bd+fUQDKfOBSfb44c0BH8kJls+qC/BTkKzWKar0KwuAPTXnkkZLQXWHAMSQ+bzJIHSq5ppTskjv5Ttjtj5XEJPFzySTs3CUlQ+o7zF61Yaho3E4h6/r1FJV+54xX4JZSRYdqlsSfx82YKS+kBwiHIGmgETXbbupVa+OjAjntByhQSf5wV7ilVB+4dgET1BrSiVOLyLY3XlKM0vZZZUEfW5J9Ke5T+VEpBP5nh8cF4YBd5OISKfqNLLYTqHTq5UdUVZAEpzrStkr94tC6q6hAyVk9qBYuLs58PBeY4NJwU6B8XT5PRMXqam0ZWpovmclcHRZd6FgLYjMtmjaGrJVxEI2iwOyQZDE/MTusqNw19ku3vGMore4OQycZJ2BbEigydlNhVEpcxky2my8F4NK8PKAv9jVeKhnsc/FTRP/J0Cw9xYag1vmAg0ru7DIMCqKxnpN2Bjm3ANHEC8NMYe1kFTRsrOS0PR0KSyus1idD1liXOvdABR+cQUm6DNVrM06bMyfRY6Ug/K/8UNIjjLovgnRb88AsmbgfTLVWQr5+vsSeMszxxbnoch3S3vlUJzbke6KhDlHUKLtBz9UltQ511HVF9F5Qe7YypuCxrKUICodUlmkQqTcjbjC2w01m/rWhX7Q7EVM7qhEhwtRKNIgkOnGJ0o3Z5i245FWgu5hEenZqfWVzomUwWlgUSDQVyD24iw8sIsjHgPgrvT+0ygBM9ImpAvg5MiYlpnhtxP1VQb60ZeW+4469uZ7S8h70PXsqV/rVcNnzuYRYIv2oIwRx6pXthiCKr6GHAemWlVJO7N0rb4MqO1UqxlO0E3a6ESEPteHEsIThgUlMN9uKlG6Q2AF13I+wR5Jftu8ndyGtgEYc6camyRmCCMV07NjU8MjIH5t09tMcZJd0Hurvk8QOqJeJsC+f7sPJpub7klA2QtEbiX3ghUxskmAvr6ZETPXDqlkC8x4ZXNpLgwGvsx7NzliKu8dqwF8PCEsuV11VCqVvYDc2Lb1Zc34MGcELs2+p3mX0QHakj5tPNCztYyl56F37ODJXt5RlPvBvLVfcua2JbCJ5g6OuQXUuT4c9W4R7/mDAmP5a2gjcbZSonX+GWx7bZF3mLEo4MiwbbGKcg/EyXo++pfkrMnf5Y9J26yeEOIEA5yarawSlc6PunKANaAvo+m1JdsyrYVt+nQ3tqUcyCjsqRYYKGQVGWpNmhUbkzd87cdqT8KFqt7IWOtSl6djJAjpGgH96wOvmzNUHjgRm/RdpJhns+6gWRsxMqSC6Z6kVFwWpvrsYKAQqbptDCRT4EEMaUAJa7BUUW7Rb833LmceipBYbZdHD6Gb0EmevIhwaVnVhi9Cjo+82o/U8gVNAEuUzIH9nFrIpgiEQNUHTmO/l3DvkJIREQNE8oBT8hnp2H9V+re3XliqJ5DKixE4xx+idFFedX+pHue+mquXIohyf9F3Sc5ku/qHw4N6QckJeQ/eaZg/vxPqwZMs+FomB8e39KbwGR7HgwPiR0Hep81WxQ3hbscciiva1jeMlq+awa/FLq1yyJXo6AmL66pUQhRMGSxgaFd8ET8EEpZabJI/juj24Mq+fnUpNWr1DpXqgQVE+DDhdNaTGk4MgGLAXOzn5+gDYK9wY1JtV2jl1/eKnhdMDcGBo1J8IlcOzeO/AoUTvqG7x6B9hpBeP2oW1cnIr4b14Mt4uft3VNTCmkrpqymJNqyxDz7/vHS4HSAC6FNJUcFtSD8DDU+7/x6xaV5+TvCEB/3at5kRDhPHUduARHCTsdD00oHy3uiislGDgkfVyUDTzxg7ng4mwsihi8xBwFD4itWxDHyGPfMFzDmq40dSZwAPdw/88OJGwmBzSNMwkmEqVVf78sk1Z/btIc5oVV7JzTy4gX0kuqFFLJ9FxnqkEZOYttgrjp+/XTOxSHZemnkGG01519J5ZnszGyS/a/yg6YcWdvmcpUdYVHp7esogYM2AmPz/nvMWQejJfzfPRzMBjuod3MB1t2lMY681kUyTO4OMKe+wbaJTdNcDm8cbw1A0xhC9jfJa5wVevUdza+OvNFirneoFHtpfsfdYangv14qrsox57DXdcmF15Ha3Y4Ww4Qk8s8vf1z0DilXZLs3JNY1Y3jmMG1LsjCIR6dcpCq+kBep4IClgJpStmbtu2cj5WjHGfDe3eND2XVUA9mymRBvVALXEmR6D/VTE3OqaiIveMDSeRuPsWLAFFfDoDptu9OfMqdx9BQRq2h8ifmLQLeYSp0uu/xsdHQHPflr1Rk+muM6mjzKgXFQE+Xy01GhpkkUZSeWqt7kjRdxEcszC99Ojf3E7d1EOY5YCW3tPys2+Ply0N3JqPNsjbJh5f9SIIxOqlD1A3VZORV4SFK4tUqqrGlM8WY5FN17rs0liSZy9UwpZjCCjp1kAtlzxSdh43NFHYqzRkcidXrU1yUQaXF8JcVtD7jJd2tEDhU7IfyR1trrJaO49O4Mxb2V5ZSvDuQJD1aGPPz1lXFptpDG0pI25+CLJBVBegZwxq2RIrOYtFm64PfSxUZNwcePSFofLtlrBH/5gh1kq3obNTHJEiINCTU/olRD2FIZogyCog46qKCnB5zW3RzwU4xU6YuEft4mBXHkc5YJdb69wd72zeq5+lGgxLhPeRF84gHcXn4eNjq2IGPZrlFf8BXDGRqIh5m8Y0W/Oexn/a1TPx+nC9/+ze+dem1tqsmHgNTBv59IwonIRYIBOb9c02Z9EP8eMQJCNZM9L7U9VIkJreOohHDnxuBVF/5bJEap2zqWDYI8sK1XAwkW3/JEDjlgsBuN3g8rqG0hgkCgHsEIi2emmwob6XZ6ugCXP/KyKMeJAootS+JOpmk6DERyhXkPRvxu3TsEquBG99tv0fQnTYo6mGUoYFJaWMzNKEK2Spogte9X7zvio5bdx01gvLRpTLePnFa7Lqq0RFdINyCLxwHaGaK9ExRrEDHgOzMJKh/XEZAsL92Q8UHC8wh6VMvJAd9MrguanoCizLBdBH+Q23oi4LZHMxVLVvEmzONXEAC1VSO/DmRsp3GXFz1Y1pS39J99q4ByaefoZKasRaHoJ2Kxh5sVrkbrWrSo8z9lx4POkkX+YK4HLeCO1hHSnJ829Ne5IInZnYncPZS0ozfgCxE0ytnc+tLRN2ABve++ov0iVMJbV/pIsaFIMmBC0ugz1X4U2aTDPnTgjIwuAXuz3vUIG3aijS8TF+XYwUc4aKAPIuvheAnsnGLmR2ZRfjojcrfOTozY7hcInLPRCYmDHgzwN8vayrBccQZUUVEmpnXxWjAcuzJpqv8cqSnoD8vCRYWMSwPbYJiSywedw5utzp1AtXw6zMSlRckSAq22Oe0qVfVo5s+LXi8OgMolOh5CX0kUa/gX7hqlo+nq8ZKlprOyEQgvEgutWWhwiLiGbRv7dJbrAeFbGgoYxEOYAcGid46SbaXC+Aa7CiPABRKku+D8xvrFqt28qCTpm7aqxjor+M6PiFub72dK4g1RFf5w2h3X9H7KuB8PFGeF3axveXXgvNzK/EUyYoPsjqkGM4meg8QHDNL9ecOTZyngpd3ZXj6RcspW86K4OX/P6PgEVAzrptlNool0acN2T3UIGesLPaDayiBwkwyJhHbT0EfSGkIMDs89tbkRdwfFzJMgxeeJfXshP+C+XmS8adU/7vIAtgrB8XUNjPaUCdIE5sqiDqncEG9PRDlIq03vPV7AcCotd/OP+ebtWvO0AWwa5vRapt/j00Cvnh/eKucKIxonjLthU4yNkkKHRVg+oIJ9+IVFkvgK1D8g5wa1k1kozmkbZKre0wOyvzkVjwHTwRH09wOSMpNS6nToRSwsSURigYutQAq0Zq0zOxvGXmUjOPAEODh7WoFAYWiPvxks5GhsE3a8D2gK13HpA+hdnCmxsuTAsCVhpvOMhszKEgIZXD33ehVoOQTW8qwd+aa+S2DLbrtNUmo81BT7uZxIYwa5U4hOsdp8gj0ph4JDCR4zz2TQU+4mH8W6YX+PdXtr5WR8v9hknbH046Up2U+N1fJTIaG5zNM++pWR0k0VsVWF8uvML60vNTHzTSshz4TL5G+/+w2Zf15VrNgrBj2ADXj+mB86q+KhIPs5Ah7z4z6g3ApUKbVScbFVm3F2QjN1z4NAB8El927Tvld+Xggfkm8jE4b+/KlPWmXZeThEXbSiTH5eQFdfzsyo+6jWHNDlN+mmrhvPQ6rZgM7uajYK0ULiae1wLxlRQQ1mGd/mhInUqvJMp3zQaA6IlGRLNtwOUxiY419FOpoEpfJfxDgHZaLizVi8BGOWi0F4gvSvvH8o0wAoF/cw7Sm172ifnVU1NIzNRlVF3IU4e7T8qoCeG/JoZehjfQOV93Eu5nvpYRZbo4Yf/Cu0IBmGzPtze8iXPU5AlawT+EYPWxqaUCzqgTR350Dd8iGZBCa5IDMoznQrHSIKNvNBvu7jyVyRYNY76BQbcva6QXufKT5aqbnZxxGk49Z1bjPGlBxv9fjJoqWgds3htn8GqO9QNm2VfIP/GCJIQ/bTHwf6Abl1Iotq7mCT2IDaZP4eP57s2aQUTnnIGzn7uExRwaLJkyM5NAO7B3RfJKMAs9Ya5TokYWlj2Ze4Pc65CosedLgopMUKPIDSFhaaU59ruWWFCrI2rVqNhN9EjWAKtSJpaXBzREolFQ++bY7XZkS0V+8Gk0KpFn/zcQG6xXiMZjhsYSz2CaFWS0RnAI87gMrpHikXtS1pQq/ElIg8tW71IyZW5TA4eAgqRLIhOK7UTBGPaTqkuMEuebWzfyuOP0edDGI6AD9TfZshHEwIvjUZTkdwG6k6q420xZ5k0WSvgLG3Z+e+XbyTn/GGAeTIL7ABrNP3BxPDgax8HuSoPgx20s8e6TkpQCaI9WmPetu5JJzFNqkmHdNS9hw3vKeRqa9X0UycoPypq/Nxz2KByxDutmlcVNYzB06PltsNlCKoEl9gIUn5JK9ZhVRxxSnh/8R7QKHe2cXT+VfcVklD3Df6h8loLO+6tMQLhiwkxuJRBC+Gsk836xqDPQ08w/b6td3GDrrjWpyPP+H3Zn2piLapR6eDNDOM++Nwhc/GY4sQulukrFo6zIfwuLvCBbxOlf5M1BBM8Fay2PGXX0Z/KGZVahWh3OusWZkw49JgO8xp9b9KpIbKTNukonJvu5JbsseKoIPRcIQiSFb2WdnBOljnCh7c9CQFgySy/J3wr/2rEqKLq7/9SPBf9RN/DEM3pKoy4uTHX7flKGm8MrSOLqP9HRlZDNUF9yfKzUWVh1cuoGFFIH0hM5NpAo//JEAVEd4iGCIW3lGEYaxGU708HHLpy5hplkqH5z/7KHMTIy66/K14oTZyaY7NMuphlgRK6shbtrUzAZjf57KkNzgoDv9IJEVG6mELZBvnrR6maYnh+A6WhjqjdcY/ZL6kVoBj4rdU4TXIP6YM0t3+bEORVXsNiEI3t7my8lCklsxpwpqPuspG2IQKN2Y0Ot2CXnieGw0ewp1cjvkzDF1Nl6slpj+Mk//Q9Lbkz+Ax17fAzqzua7PzMrK09881pHYYwiOJgQKFhzew8foUbD9MUl+ZCfrCUCWG9sTbWAMxWCrwbOQ+InNcpnkTpBvN8zrnjo0pkKFgD9GMDgj4Z0XNjKOr1iGqKlicdHkvPpX1CDN3kYXmmHfV/OMv+BMsU67EsewKjhcZB4Eh/CAdHRYHmFXf+6IxNwtkEZCKC2SfXtUNK0EI7IjZE8jUB9s+bFvR9Egv0bBfWras4Om745+I552U+RGlotmFtIL9xpDsxwgtY3ZfUng6XiuYV3jQQo9GzQHw8+JIRo5zqi8Fc88PTO8cOFxgCasG8GIgkrhWV6TQZquE6AFNpMg2OfWkXuPafjkpC6TdtWbXZA819xvj1ODkxTw3YXJO3oF4848X3qxRZ+VfDB1IKOud4LZ0wIPSMe7CpJ0DJODpGwHUHkjK6IRNBUh/FriaTYOoMmEEnJwaB39MycTtU3t2UrRwVI9e0xTXHKhHNCPhFDc0pKsuS+mH8ChULEiKTPgfUDR1aV/gIrjqJrip6hRTPzfdg93psbGrRNMZdyIj7H4lBOv5wC32X7Lj40KQiYyanVhqfFRyPsh35KMm+Lbg9BHo4lX3LU6H9IA6+KhNxu0uFRAAYx3A2knkzCv/ukHNw==,iv:KBWzGvqTnhIo7SO25CEhg8avKA2HX23XK0Li6QKQUjc=,tag:1pzo9y5d8Zr9mA3m17+FzA==,type:str]",
+						"data_json": "ENC[AES256_GCM,data:25rdl8pggCB6c5rJ4xZhzZqMuRJyyZFsk9a8woGAzisixD0ene9McuvNXlJoNVoONnPeUoNGeCUjczx5JJe+qhble1LKkIC3kTg70JcTauy3Z/Gw67AunKTvyJq14v8BgiFfzTt7GfbC+uagK7zojHq8P7OU1RkL9weDJa0lCNq0NnE7heEnu0KQli3xoNN5pG49oQEdcYsYoQrEWfa4EWCBrDMioHsMxDHJzDsyPKFuSY5xdlmXBlSdrBCdz5A//ebEAVbAPfKrusyJfhjAmRB+eDplW10XhHerAw+XT4oO6TvKRuNSZBB5S5Bkj30eAB4eau6mh3jjuKj437Hn0WHE2NvfS9W5MQ0/5dH4neUIb/D0nPdHtHXHMV4mQXaClg8omTIYMB2tJEpBEvjKvtlka+58AWHjV/m6MggtxWFdYzcPMtqSMFCHD0C1mBsgYMTZNWg47ceVswk7hrm8c4DzyCBVkPtisqtffZduUmw6asGZSE3GBg0ND/SVkXhLG/VnE2tTwi8L4oeOx5bVMT6c5nRmlu90uHVCaplKs4KguacqdNUfYfFnbKoJUEJfRVUVAbiau6P/HZRU9j25UNaY5IaN7XroaGuQyL9wX85WX9skLRDOtjDQNA/AEWLZfAKxo7FNsEjJsRNE5VRkrFqpvRFfgrThikqnOgt71qoEQ85ik1aYZBN3GIAW4uSBGUEIyzHG5glWu2VewCnalLYzJwoZORtyhCGdJcNBq1wMGpdzJ27pcKZFtJvvF7s3O+PhJW6MNwwEFFraebkaZRiAahn19mOXOSWEJBdvM1uqMYm4l0QZk2rVgj++kSgLn4gCZL7isfMGDp6odHGGwvYUccNjnO1XV4n26AJl1t7apFJOu929KjztnOhtt53izR709P4Yl5WutLv8Sx5fkDFEh8cT6oU6bwQQaOq7eAQ9UkNT1yeLNUmAVEpIoXCwz8dj14iSnzjuynZ85IwTDTdFRkMSXyR2GfKAQ0/7Z2i+ephLK6bPQg7SUY5hN3dab1BP8r5wDz0mwiLl9Kgkutz2Nvca7P2kTjT+Gx2kW5OwVdNu9qZDgVwmK6cZEHsNv4PuEsOYFl5TOJDZ8chtUOR38DOKnEM2uBGw+x8uxH2ypgPUdttNFgaeztJhho/GAn6FF4U80oB8ZlSuLj54BkY4y5cdAkmJdygm4iahniPAovLvAZUfgV0z2ePic1mW6N1hbKY4F+j9TwhzoeQXptjkVIhyAQ7JugV4G6+9LGfGAMIFNVfOqMhyT3ZOQANyJRM2W3AWEkpBXZrMmi3r/dEZBiL1lSVQbp5MEJnlA+gVAwIWpYTUCPevHK+oGgtbjJ/UtEasO1/8d87+mj7maicfsgFxWgcVOoHXDYDUFu2HF8/fEA4SCp1Li3SmwamGNmpuiVXwQbgECSGV0G0BYAO15OK5W/M5uErdeB8j50D1pVEokchXlDOJjTmSLCZXzQjg9sgtKgwEmXGoEml7VNEUxiUIRHNK2KJ9js0Mb1Dzeaw0C2+ZOC4T/ZE9+AcAH/1Dk2duQg7WOGGaTUL9+m+FifBKwgNxXd6qA/C4e5xStyMQj1fx1uRrAcGrppjRyTDbQRyXL3Lpp4csSfqXe3NoqWrgubFmUKL/ePx46upHfNbvBz9N0WpNK+qKCknfjUVt0AYkEJeYc83mxNdzF+DciHpQusFIkEw90+HKFRlXBOUaX9I7kFrmdB2E9NkFqX4HGRppFwX+v1UWSQAc3BEjv1WLeAny+Tr/C8hpF0A+lccOpoT8JD83D1wc6G4HY9ytNgRXpjDsnwji2YU5pSOrlsSqTEILKfq26TUDFfdr0+8tyjkd0ZcLHZBkQuS/z09oToc68aWMrs5yZEqnqIcu/PeeOGPhv4CHPRT142foKgFZH+PHPydEN3w1T/sBs5wka1LD2qoPhRuEHdv7nCcnjuHrxgOqD2JZ+1ON8QP50rFcFY+0lHU2wOOsbNt+YModpvcF1JmXSYcnwB/NysgpL1B/3J6MQywZ2bFdjEXbQIrZRayvZqBve+r8P0fGnqPUponAdNy1eE0WBo8Nvvv2cpGfBpPjKOduh3R302PEpAPpvmIjaGEttPIjA+O4kvgzeebFMvcymcvVhi8mG6SYgTHDjvaq35lqiVrqRRgerNfLXQkyMZSxaRIrH9R/W5OYvLfIbxExmxzByw5yrSKLr2c56nYSB8dJNgegT3MkJ23v+xYIjxDEgL2x4d+oysX2XjPRWTO14SUrLw9qRtuuUknoBtHa492mtSG8aO7VKdtSZMP6s6zA50KLAsOY3GW6uWv9k2lOEkOTvtPuQ/lmHn8Gw21dJuvoLGfacYglLu0cVyxrURcX6QJ+avP8x1ya4XMqHEaChxJrPWnhA7mCM/4JbJloCGA6iBVnXpuYAC5LyCW1mZHN6C5f97ORKunB9SIclnpmjWLTxrME0NZEF9DpLeq6812tuUn1kmKJXJS32nouAd5dMNol7wniVtLAu5JbAPyk+Af04cvhCJjRa0d/8wLvINBcop8tIuJBo9961nkrzDtHeKSanGQeFDAKEqDeBqO3BqafVbpTv//gkxokf4zHL+ua83jyHXVQDRyYXXbGhvsrMRLm5j1/3K8WPS70xk+D0x9YbqmnGeCTd6AzkBvOhtHCbJnW4ihRsCLXDritYQ9Vj7RZtaCz4Y75cauwhuDuU4UczzYJjO0q0ZXzX0vgEoGmpMcTwscBYX/o0OyaxRH/g60IU0h1GV7PhXYeChWG95yJ/O8LS4lc2+I93XYD+NQzrVnlibPXV0cwDEIxEFrVces0ualP+M4SjvggOOfB+NQ9rnVnBPTdIlxQPxw2NW0MQVllPL8+NYlIvDUEb6jOvVOH+3EH8dg7Zz8HV6YCByvlUQwgq4YPrUnm0XE7lnsWjGsrv2SVSSDWVvshaSyS6HeOAe90jwcSrQd6PXfBDUv0BbET8720AFRf/CwwbA+0plXMgM9GS8TGj+n+Gbl4W/wM6Ye+H0gXPJCzICGhDudBc44G7uRXf3EcVT1CK83/rhM+9/Q6WnE2p4bKzMW3Tdez6OGKEWMn4u1kudDcA+z4Yp9/kfDAxhkP4kLGAlz4wsG8JPWnvYR4sj1GP05CT8cNZAi+S+UP0FstJQY78B+RhoJ0lVkPNnMYuiHr1Yhu0gGywda4GDrJiqhJ5a17Ch7RYSvQwUEMn+uXp9996rEV3+L0YZ2/5IOyEAUsowAPgmOU3pQbaPioevQrAuCCjTjgNUr6jbJw2KoITak58cDvZVbbOHkwSbyv+Zz13eF+/CuUePRqUegbODC8cTI97W29pNjG4l09CbdLNtW9x/Rqhwqjpn3LbnS+67Dj82OdViOTVhPOfRlnL4VGhBfPhwGKmJHVM5/18RCRPj72qZ2M0UfpVbfyjng6vOGNPg/Uetw8MAPkjJWv605y5Q6805R0jRp3bDNwv2kO01fh3aYxel5AYkWBxfqkd9TZKRqWDUN/GKdWNnd4oT2eXHcPzBESvFxXO2jWZyQ4HyddGMPXaYIi9yq1ho7sTKYBcY68V25hw0BPw6AxHuDd6bs66rbx8rIDUI8xiUR0bAz+MWuFnwq788ncAXgPygx7eyIfOA7H43D85ZzG4lZLhSeJPiMiblAiepY8IJTbUmV/4isiSrxcfXhSJqEDqT8w0FQzVzQvh+r4+TGoIepY4ClwYk6rtFk6dCpEINd1cqHdZLrJg3xJiOJ/rdbrydBrgUQfpy9iiiDca1jRxjv0QfE25XWdip8wm5UPqyqhIQC4GdtOPCCr3kg/RFFotxPX23vl8NHiNldSjo2JQWNE2EOoYXmQ7x2EaJX3JEQxATNeYoZOz4hGTymNy+Kok9a97SKWTC9KO5HE4GCNnB4nJ/R730JeLq/idno+9d5QKPb66ukCq6Ooqn1etfRyPIas0mIczfTuHIZy7nS2MOfsp3vVhT0qXR7PJIVSeOVz5dfSVbkctrxzJ9N7+ZQDG2XEPc5R5y+XLUL8hBGfkZ3DWgAlWrmyQij5TtexuwYzRtKOmaYRwWNOLo1dSBPiOB9t5x7WzpjwddW2GNp9Is4tdRsCRH9k5uqFngkrQfnwUMydxLR2q3Rye9ACyntTJURoL69pyF0Ot427SLzsDz+VN3eexR+Pt1oCKUIi1ZFrsm/I9u7llc6euU94g13YOvF/m/7M72RFiods5SkAdYakQoOwcXJuPMHiW/hptzg1ECgtfOGwoIp10CBYT5OH8+0W84yoDLBwpALQj8pTCbK+9MDz7k+0UAXxb0inlJOmL6hAbPvgHnHHpIuSpXK6faiv+EA9s4Jci9ZsFeXTbjieZG+nMCDxM/HaA5cDUtRCZCt9scnMV5VeR7p6KsCO2YIMpYq9UPcBLFysUplppeHYX1GdF/Wu7lXp9MWQXu4av/ewwviORhCsIVl9q8uncWMQS6gA4nLzbtMZfq1ZohQyAWr2eNo41dFlyi48rsBJFxpB8n4agqBTPDwddy3ZYhCY48IuhtbwjTQaBnqhFAFvJFFmliQqKiqEpY4N6N42hM+XjgSSWkuRLgEgl+aG857M1cFGGy4q022mdItshY+wOf2noUQVtYaNal1gVqM/N9KAffGjz2ok5n5Qrht9Jg03ndpSyXrJWkzyInjkOoFdRmM9QuQP73Vsjx3CrLg/bIjdfgBjql1pzeaXTUv/al2Z1AOm6wnokoqcdDVmaVV/+PZByakS407edNQGvLW9FovD7T+d8smkjPkmQjyRNVxmdSZ8gK8UUGnN8s1mMpi5qpyvob+3sa0acc3yjgFWUo1LAqxak+00M5RN6ikGFq6wa4Ks8ggu49I5f1fv05iv4vFQAI26miJCf2ybc+6K2WRJmlLA1wOdtErIHDQbw9q6C9RiPrVh4RmslIzz09iXmpYyoh1OwyZIbyESJ3uqvXP7KiM9uVwQ/1iH2mtq2YOqAH3mX7rK++3cVz3SdgMoIHLVbV9TiLRSj9s9LhzSTTgnNWMGG6qNyOKawU7A7R1iCnG2UgeNCJgYwF8A1QEspCfZ30qvAEMUct08mNH0SshNxTDpzcW1QC1ngjVr4eeqwKPhFQY0nxOltSsamlhSiND43c5uUGS8XqV65K3tLXk2eP/bpHmBRAKS/xNKmFIJZr1UeJLPRf62FM2uAwJ8R+n2Uk6xIm+gOl7UADuAeIMsWfViaUTaLAaiSvOFpx6TEd3+Qse4Y9Oz29mwP7LwX0rue57cEHo8Q6P5veZLhIxjlPvLCg4DjQaoxQ25o870aY/KkuHDjb7tMMz4tPxmqKIqph/n+J6EqsHSBuckCWRCso07iq6OvkhwQbdMKiar4tnYSYVLnphMUoGpY49Qkk8GWqzOE/GicllJGhiImE6BO2hDpV8A97wRoItYLPx5BHMrrxBRkXO4GqFfSUmieT60UgmgBG6kzfWlYfjoDXl+ydWJ6cUfxmSOW3GigBTyfz8K1ZOpb4OXUdCYCaFr9iAP/ilSiSdBwl7vwzPkkytU9GQUA63JKwB/bPdRILnzcMZ9pZP25qQuvAuh9kHDWdXKbsLTlMud5ZiNpdjBsYMOP+Pl/yu+IkguMC3kFuFRFO2v37UinY6hk9TEAIyZGg0aScDN33ID/7PCd55inoI0hcvEURZZhAFrN988oAwMnhO2Nj7TrZOod1GUg1NaHV8goPio3QWIBroyatdEoeA2yMuoqWMV8C1CTayiC9i1jIbOqAGOirHZ37GBbMk4sS/L1dpywJqIVoDQWRhD+9zavORJHH5qKrjnbfXoY7AV4Gky21XZWtiPkZKnnrB7HxocFZyI0gxbfCH10cA5l5/M+9jAWpeh0igQKZLvldR76GuMpW5P2eJdNLa0qClAfYwlkG/hYUDk02lPd4wygGE7ep/5blHq8eDniavbi4kjFpxJ1fRkL9Qgpqdn4cPQr9p/I15KrMBqlL3zE0HxQGyQfpPusBX4L4SCeAycRUHcOY4N+d1RjoZTLV7oLByNhRl5Gkh4bpyhsozX0styKmEJUY5rS7ScXjG4mzxKyv6XJ961vc1PGOzekXnBT1j3K5w0vQD8/qURIDl4v+1aHOjUP9Otm9TmXD++MoklP022lpfuK4zm/KhM17zf1jkfZeKUlDM6DLvSm4dEaCKTcMCNRE7c1g1DVmvkR20MYqALwjgV7he91d4KLDaH9bbu0i75LyI0Kp3gzhSgSxiZIv6zv/nGCwbArLuqOc4V6TWJ45h8XN7RpqsdTi/N9uj3m9YMhO24Cs8L4M8/gVkzlsn3Y1s4IhRb+fYiby3fb3VN4fsXH19p0GnwN6bTDeMDRZJ85y8fz0nfa72qwEdDoEnCUuYP7myGMm+Q/kBbcHmWRtA4WaP/mpvlLAoAJ8u5WcVdtiuG+53ttf1lmY1+FoT9OUdHvyP4VEPI80svsQ4Wc6AqngGG4vriAHXhSzAuUGYe+F10Al3FB57KXZKzByb0gE0zdiGAjSsa3hIlDhT/y4rIt2Wut2qLJf7Fn1gfTtkZzyXADhErAg5nFPQdh2S8jAj+Iv4ANAiDDn8ynHE8uqIEwU2/h99DXxwR4trvLMypZx6WjJCHyj2P6fd7jS9y0QL/5V6tbsR5BwO9rSbbzhMlzfezRfwr222E0UKxgltAZvJDYeSC1mhJ9ZNqW60jbkZmGGJMfcUJ7mX7ETs7ndk4BBF9uNHHVuKHt3c8TTK4g7txK5pVu4vsb1IyI7qzylp/c2nl6kWPNbMiY4RB8b35pM7R0MzddF1VqCt6nTGELQjZwznHQYKG/XphYGZtbsykPzX36xEdaq1rSrG0V/Ij458L1bNH78maRABBD5jK0dBehgmyH2B/S6cS/6zAtg/7uJyTapDyHr84CdpUsY1stmHHUEM8byO0E5DKPQnVk80cwb7Cmhph5r4JrsLBXpyumFgerFQaADSb2NPh9ZRFiGiKFzpazYoMO0BOaJadRn398aqPGnpdF1928mFxCbE19a8PmaetsrIT0fliWdDGrR/Jv+Pgp5e2BZLi6tTST31JZUsw3j1IltiQhoOHch1/XndoOnnPx51T7VoydKHGHELAxaHQlMJycY6noOwRTRQn2Do91Q+t6jAd8BoShPWyMykwbwCw4ZSe1OFz/QeQcRT1J4Eygosxtx8cJgglFuTGa6W2mQPBFrw77FvKzxPBKQodV1TZZNAgg2IGDPzjTTPqG15CVAJRTjXjE5sVBs4E0EEJeaS29bbWfwUHI25uU0k/MukqOkLuXjeYfHORVkx12eX5LjCWNWYOSvhsy7Tp1b1CHmkjuJf5jCHYpaTY5OtknHRiFlap0/xioVNB/fJbKAUVQn8sHprPEAStFAr1lp1Na+EU8OfKiV3Oly2I8Cc0FZ2p2sRLJ9TFpihEY67yObGLoakB3AcnPk7Q4w0IpimiyHiDUy0OTd2z/j9PT5r+SQ17BJs8EF59cxWB2VVZ79Kdhvb50GhdO4c3Iao7WMSEPvOMh7ORs6+nPdbw1+LO8AFxJIiloy7ZwIyrgaCTmnm5Cp60Ej85dfQFBLfcYtZXDr/XgJZuWfS8uyIF2+5eyQg/GDJQ8abDRWphPoTEwdisasW8Wk1xt9XyW/IXnpoEGkSoMOV3iRG93hH4/+ikUT9fBjBqIkDiVas02mI1GDXxqfeSxoyO9JX7htjz47ZKBCcpKCvrfR+2p/crct8A8zZ5u9CRZij1DNEIoBWEPkBb4zfv9zr/sFN3aFUGSScbiBY2lktIECOTrLkHcb0wlKgr108f0nHJA6aPWP/DMzeq8bkatfXfd6zXXw1mCXPpi2JCRqv7FYFDBCkVfaNwWMKJXsjoVWnxEAhxPQqgc1jO8wE5XItAely2esW23VBpmeffK4NRNQ01FvghWG4cTkKOL6ZSnntpRgpxiMINzsoyqT7MAG5q6UEURJRlGRD5ojR/qnTtxKGdWiFC+S3jF7Y6OLJDpPtwaN4aWivh0tBuuPPS6E2B4AW0/LB5p+jKKJt83bMxMKxnKfb20pdnWZn/D3/cpuAu4M+Ff5dLMMNbxi8kVYl4W/DANIxamYe2EVwYxuIYnB51I7hoI7VvvH8XcdcsB9PrViYVKuntgm0jFzQP8+tu5BmuDUtwTOlNAygbk6otIjiup6fccecCDAs45cR4wivXmaT9S97YZ8Rr0qfX/Q0V1KNCtVamJj/Vf/B1bsmVLn2AwsUrOXe9rZNMIlGUvLtsvLTSU7PFkB8paz0iZ0gy8MqK8IrCoEBOeukwkglTuusFbvqlt6diyv4bebS8qW2gRK06lZOqFdJiUecJIg/Sx0HfHnSCTZR9CYOYAx/qjFdu81GA3n1xXnOKG4FTGP6tRmO896nQ1eAqOITT9RB4cIyL8vRxm6GuZmywtkbRmtqHoP7NobWrcp+HOrZ+pFgyDSNWQ0RwI6iURsOAEckmDaa5254AnaXKvQI0IlM4MUo3oTqzpU4y5y4LXzmox9EMB5WoNPUAudGKcz6C5qp5kmjFJ7cptgtuL7LfuF3r4mvQCzUNGPZogUjOPUNBbUvT35RZw5qEiCjLQ8fQIkL8HOJyPq7V8U9bQBYvWmH63rDlaRoSr9rv0Q4xLTakc2i2Exn0xWbA77ywb304Jz+i0ZDrGy+z5D/viYtp1jLuZKcuVT1uKdJF+XB9hKxL2DHZKQ48htBMBId1QPMHnJG7RXMfFyiBby2b829C4JgzQVD8Xys0onWhOrtX9AoLaijX8PMYVb9ibcN7w7jDDofsu27zTsIUBEEwlnFETlTjbEk2QWPzwsZiG3xAMY0I1dHtx63qWGP7dZ6ZZ8A1f7XpOckrCfMpvY3ZIOKTBvGHbeAdwRvtY3drM7eNKyBU6e59TIjVxCtoY02c0ukERoUo0K4ocQhbe3NYUaFAEMfdNntLCNcdPVaG5epvZqyL+SCbFDhBBF5KNsptrfcIkP0oYhlWajP2DD5ZZ9Uthrd+G+EehErm808ViGDagGk/pD1O53FyXrE4lpiR/ogDTdLL0kNpAn7v4vqA0yBxhjqxl7aMZLqNOg95/ALs3w/TE2uT5gmZjSh2uf7pqTyk/9zxiBKOO6D3tyeGwWCAuhjpnKqio8QOfpqfNS1DjNoN595xmZBF2msEBeczLYHy6d+/4dXt6byR1+Q1YuoQTagtwtmofyAG5wPC05vTo2FhDKpLwvaYKWXssGDKJvGyYBWOoZEMPorX1T9STwNEfTnvkpBUjgK28rihtkC8lQGQOYrfg+1F7utivCgNKzL/uHdjOfJP1Zm2t6DZxLJWcO9NnS2skv/lgfYRnhSVZKpaFZWNQCePFrfsj3piMRsb17alF75kD0+f5TEqft1y0DzK/4XfZqhv5EfBIBh6/I28L0rizJ1n/aaS46ZC5mZ+eIwgtdwcUC8YB8/CL4LIwImqY+akXtgt/7ovllSRG5SUS4bjMWYmWQCDq10GTvGB4vJY2/MlJtLbLbhWbafhu0VaZKsuTVKgEJnh4I6o4ibEa8xwHVfrIVMLi1fXL/yK7zHnQutXotXHD00SxNEpf+J9yePqCP8xEE5MzlZXFwoP4vf4IN9n3T/Mvi9ffR/jSSIryxfY5FWOKM7wP4FISbYJpKexaPTVpj8HCCsKuBwLBW3HGNKcoun6DPuEApUKYm2JxsHotn6IuQ32ytx2fiphsxuRkHXf+RJ682w/OWX47uvW2GZT6hCIj5gfbiN2YCDNMMUHhKvL+riia/dFrynL0xhpObqMLROB/3E44UWV9IU51RQEV490+iqrYSuICFRLZFKqlV0hpFBXx0WryMhwrQUOx0oVPpKDmU4+yUXN8hVDPABQZfD0AE0c8JnedxbBbGxVgc1zRQpg46Evr6tTttUGbnBZIozp63VidB8qQ63UdTRSFTfsDSdPg5B/R4U4kXImJw7cBUVquxtQ0E+/2dcB5r/qJsgv6AAan0bY8f8/xgp1zP8wOR10wFu94spijYQRj0bXdYN6F3oUiWFqt1hunr4MgBrDQGuVmzRIMKS8wmXvssrrUTk6OsctLgiq/4g+hPjvRcaSHrqgKMEDTJexjF3nLthj5JYlZlhf9RB7Bg2KCtE/xJAlc6ELxWSVq7em9lfrJu778PgADIB3UHqalWIQHRxGtj1lsjDyOzJttUJIZfYuS04JPWCzY11wbXeZAmG4h3pHo6HqstIrcngiMQ8AuV3Nr/NcKKGRmTTwg5Bcmn/wWPQlULMv4+DKxVIJ9egh17mh5FK0JUB2Odc2Wt7BcuZRL4iJr/tvDQzqydUt90EQaBDD+NxewKbqTf753eZu6+0dceUH1N8qAwepE710cBuHZCllx98WtbRRxaRy8KjERrPrH5JuMAlGXVNgtRvVTvhSlHQ4Oq9kX56gCWTMQ7sRqZBJyC5dQTU3rsBR3udYaIW7BHvwg9dfueAR5DEunEuUdj8Xe1Dm3sTil1p9N7id9xs5G/Sb6JANDInBcHDOSl1fxwxLn4KzRLWqXkbqFXMAadt8vDaXTGICLGX2RsT/L71GsbOzYLe/7OPdY+5Vv6j3UkDyrSbEo7RGSWxVG1VgkkeWIPBdyNOUSWMjKEChQ4kMEFzC5Gu3tsUuOXrSGw2VOzH8teNyiylbFWEw/JBIOPPdVJew7U00gogFlfm/aksEsMosVUOyO3dsqjJjEYNPy34/zKArY+OjzLU0wy+2wUP4zyCvhgXWUwr0Hp0ubml7Lmdp89A4kXUfTH0nv/VFctNU9V44NJgDcnd3zPFb67Hr1ZZePVyMlGx/S5mTwF0BEw40UUB+cwYUPHSuaiLsx5t5DyEcIWRa8hFBfSsOuqGtcskR5GmRltgNPGiXKwH49GEGKpInXo/hTQXh2Fb/Iucrg2rT/2giECrV2lAdeTkcKZbqZ+zFKFkhKzAC6NB9T8IIMmqj6MCaNALOa0FiUMbyKRr7TL76XuQU17BpBqd42SKhsO/PM1ShL3tEFPYqxyILQ2P9KP/E8CArqoSQNBLMk6Hz0JUoHBIp/6EaTnuLgWXHV9XbTthTx+Ze6bHEjOJEEY2rDA3U/fkPljY0iJmNTa3d+3Q0cLh/0EQ4VTMS+LfaGFkl8nQPmo7hdX3L9/aQKbX97CzyQRU9MAc5rzPTyfktQocl1bbQv1PQccRpZP6hK69YmbxRqNUDvCrTxGttE+jMQpdeYeSY7gNgidEmCOVczzxpJbSNEfuJy7cSSDNjUFo01mmjhXgtxnpTTcddKC8QFoo9uolqroRnue/E6D4nG5wUQEChomgxzm0A6w3dN2O5W8h/+xV1cys1an2/eQs+UAOaa85vKuIx1fFJYhnY7k1iqUOxmKgyaSYkRGRrJtglQhUSl7mQt7rrkbGFJxvxo9wlicKx3ha7ESPr/6MSmgStYjOMjD0vm8HdEM3GUjd+KJfOt1UWRaytzko6yqKDLEIN1Mn+5Y2ifysecvHHzQUdvJzgSNO5GLWFmDw6jF/HnGsx5N/rQrmN6HukigVk7PvzHlBa+YAOAb3QqMDSbSUVmAteeBw/aB9I5pcpHxTQuBqD8+P0dgvMHpatT59WFo4bGekTC4dzr/x8rgaIfWYMGKbRKrWYKxYf7EZrZyXwB/kgBtgtEHwLm3FJYDS7mnNiEGVyhu5wPA+p8tPh8Pgh3Y/02rMrDATbd7yjVT8Rie7FGTkNLPV9+7HPSKC+MYvagBblrPzLdmNovp+nEUF9uIFkORpYka0/E9+FPAT9f/RzIorDnWBilulvL25nEm77G35dYUPD5lCSWt59H2YusPKYIRf2mQ5YyamYulQDQ5W58P6Pg49051/UZC78kclHFt9XuG9UPlkT4RIeOqP7Acy6tOEY85lz50lsYxEYBmleTM04B1d3ZH4Bq0M+7+3ZCXEVdmWI4sHpP1sLHMtyFc27tfkRTqnAXA8llpB/qG7PlApv0ZreohOoEaT3qV3z4rlmHkviBA/B5XYhkKbKchPMmpW4MEDNZU6UVj78Wv1jeDV+Vj0dQBqLvZ2zooQB4dOYHlFVSnohgOa9hoGknS16tsAxqj5iTmCSrjfQOI2ks5W2fbodLEUKiiqmJ6jdMob/FaKQTB7Wq8gQuJ9Me7UFVjM5k9nrtKqvmDAxB4xsWG/fU7ND/y7Rq3flUFULReN3i+YiiZ7nGDBgj/67jFhuPya09tWlm5I40bYhwr7D93QZwjXmtvKmMfyBh4nVCxC8o+hYj0/nKBSxUtxV4V31xvQURm5cNrTVE6zFYNj05XDENq70mI1+7o+LQRCdjhOKSWrLbZvh4qNpIn8Jfz5YHc7qkCozuad5NIh3PqKxgnqJxlkKBPYfZUIP9YBbDUDxEg+BZsRkeDENRSWssDyOBE3jhBeAX9Y8QIhdHVeEncRv+JbZbAouZ3b+rFx8RSVwsbzQSGL4BXy7V5FbyRfvaoEpLHoOs1YIDQ/qBi6NIG5cxp1pOTj+ehW02bI7drtB1eZR5Prf5jguAfAopKVwKp0OXAyT3QMXdWN0fDPlyEjraqt1U/LspMGVwWzxvz0E3X2Jrwne94w9k/hjZTgoDQ8kEE8xwY9Z9aaf3J9cgxZWaZccb9i4VuJZozbwTRvavm7MXG5sdD4DIL/F+YdAnUP52ZYdOT8U8Xh0wSwENgeITTff7dv/Ryjjmv0Q0IOIUbwtIqIq4KigwmK94V1wTz1exJG5878jCOKq0h9nCnB7baf9HhyGGLANSDvrYR/1a/+FgMob73t29n6rLeGgezYaW/vtms8fG+0Uyq+gonc8Ej1wUTgivWKvQc15Ci0SwmWidaefZq+Hkre4SWg+c91s6O876cMjFVU05PZKU8Gy4w9CNdXlz4ngRZ2TRBgxmYPGtPn2Q5grOKPpugc9bh3FThHviQqv/L9G9vye0O6c/NLPN9DxhEBeIRxgFquZCwXMOvcon6J+Yh0vyjuE9+1oeTxWFH+gHd0yTQlLGgL/MyS6fI55rgUkaP6wXJ7qZn0HpTltSL+lzuYYRke9Derka+FVURX5LzN2dreJMoLtXh06SdlPrDQQoQFrHuus3HUDI+bnf23TIFiv2fFykEwWoEvYhIrhccAzro7uLN23oOhBoRq4CuVx8EnUe9Q2WbO9s2CwNPdOKLrgdq3gICjUyc5sYWODOTSohh23ahqzI/jFF/wQllH+pxlALH39a56gvooVpx99DAqI73LoHZ21A46hJegMJAUVlVt5kdnAxe90NuZXu0M9pnXYBkOMg0wE6WXIHv3OoshC+7WqmQnW61UJ7sAv0UHmx2gO+/HfaNuMJ7yLO5lBdxTSuC8y1Eg9xH/wGe5OA02SV6iiZGKbdWxiayqDg4o4DjGHBXYmkV5xlkBgtApk0VYFzec/u4HDOHkcCnrDcaPImsX4scB1AfeuqZbzCsNI9UhVRiL+5m0YTJcDnTM7ipztiikB4MQCYRqwHX2EbIIzp9hjwMm+y9LmvkQOkN1Z95qOeXavzs+CChWBMoFhUMNJwlRIZ30wvGfXikh9vr1hv+YOYvXzcxJ9DYM5V4HixYl+QQWwH4QDWnK7ks9dmKKoV9KZeLEUJbhCqzwVddoH8+9kJ0WuyeGKFR5cJFQEt26Y2c5duURa5WC+hsr5WfGM+JnDEpgfryfWZL0ds5IAemSxthHSg6n/iyk/xKYHVJRU5g9C/KVQPZjOcsjW41bYIfrIScY2ExHW9YFhwG1DjIIO0KZ5iku3G/eAqa9i5ZCm+ma0tEcHA032nrJ0HoTtVsmFnQEoyKJaFJb58J7hAymOCcESM8RYvObqOcSL86Pi2z7lGBGxKH2pCaZCb+Xd7Mmcd3VpDKU0/h6Miy/iC6iz8gfsv1yeLAtBUynPV01YOxeeEuU9e6ySEGmhfbkB18l7WQm4FjbtZ6iNVkBd4NPJoVfpeInFfysuCySu0oNkJq9m2mH5HpShS6+XboCiZMi6aF+rYwe3zlbVTrPgl1DZTTdFEt92GjM3mXMGXfMMxdXLLCqgokUtRNhER1YJ9VwnmAstbMAH+lNENx8q2/lWxUbL3ky0UnTY23Ogv60EJrB4MQvqEayCa42EKDFLH0pKibFpZrtMaZbWX4VXNMxmcLgtzelup5/VT1IwAmJYDH6oGrPwY/wudT7dNlLXCXk55iuX+c7/1yhnwHEJn4G/EMcSYTX2Nydt3s2yGgULLBNOXjuu7BFJRxyroRKTeLa9MxgdXvA1N/NJOE7Bm3lJz0dhCqFkXaQmN5KaI1yl5flluc5kvhFD+AFu5hnHdkMZx/vyeoPmU5/3bZc29T5hwjPjfQyhtI28j2+ANvNWI+T9j41Ctu1aWpcLwHB8IkAKOyh/PS8ZFM9vNmCzIvOCBqXps7cRrxSgC8ZCJu8BApMlW6qgUt0IaRmX7X1jdejle3rvm9uhGPL2SPFnmmxlfPt9NOfXxK1xUFfcL58mJ93u1cNXNXXfVDXOVvE2MoH0a323naDSkAyvyV4DM1fe82+eQWuqGizUzM1tN0LygBiFmFTFnyO16exPcgNNT8IdGnCwIZw7qP6oLRgQ8CBUJxZKpFta31D7ehhMuBYOLrLcPp922PByr2dd9DGqnoMKrJU42wuBpJXmv4/4k2ZPDti3/0dMj9nsmxHK3zWQ2F94nXUyulu7Z8EEiRYRz1QX0r5HLhTwkvAkyEy0NALfcCzC+AdNEKivLd1srgC7UUoKpLnaGlVevixFBpn69d3hWno35jpVjRK5iQkYWYr8inIvTnm6s6g+rDOWk/bWPgWiWM9blJFMrNd8VD9HibeY0tJ/Tdk3YRa3NbdgB58chm2YRPMCegKuUoMsYVwwqqR1RvaMbQ+otscSpN7TW992FjXTqMEgynM1EXBq1uk1Gp3MMpECPHnOGogOFetLyR43s1RGsMO70PmwqucATpZZUURhLvGRWQwUXWK4ul/sYBHpbOEiyqHPM8F8UGPSkqcBI46XRRTpYNe8NxrBtxK9AnT/wmdqeDxtvCTvwX4CiCnBZZEqPOaNCRnipsgRDFn5pa6JK4s654xfgcxydeJNYZB5qS4+vQ99t3MEougF0sxTZdeECNREDgNLGNhNKicAZJs6mEsZiLzJNyztydtlVt2+GrE1fX7GILDNxBylBxmTDlll2tc/5+/Z1pmpyCap89zhAN22e3LEydoR3V3kkvnK4UR2FoAAy6JL2yXCy91iwy0E0XMyXR8qZ4/KOaQvRRm6PTJLlzDUHIYohFMtdB0nD09A/O0n15BN5FuC9DKk07txvFPRO+ptIvVXVl/LZpzqzfxnxFPZFSc2rdiNQK2xJvcvJvqiU8Q0Y/cIpkRPFIpVO7mgH3DPESoKdDkvmb9zn4K096lkh+lGZf7oGWM1RCGuejlhfusrUJFyNIQDSVbkG0DqtU5dswgKODAaHFp5Mt78gte+r/2suD/LpwiA/wD+LbSBoyXzwu51cM/WvBLQPXpP4h/O/imwOSVtZyBdmeU0NfyVTWDycBKdf31JEImNgHtPwAA7bRy3tc4aBLpqSdygNZN0bLnQ5d5/6pw0l60FMyJuLT1esT48uMj3QN3UCxWUwpP9sAT+YiZt1E7GKx/nZBX9mm6pCXsGncPUDY+++SvYci+006BsqS8Y8e/olyMxRgi9KREw54enZRWi43zKa80TXJWPK0jE6pzkrYzA4ZpnuJ9WLPzcV4umR45NeTB21VJqVmNZe8rjFeWJL4VY51xHp5d+oGfzJbMMJ/+DLFMU9EAgJmVT6y5FTIFsVeRZrSsHUucWi1ArnagRvc+sDdAtbQp5IJMO7pfskSmZUy30Fx3y2TJtaMoIK29D557r/j1G80VGVyMr95Wp1kCxO2oEMX3wXLYrDfPfPPN2h7PbVHHHDSHFN63ciRKRqCPn0xtI2FUf5wxG3mjBwsp0zZQYrKcD/vxdmXOySQo5p5MU+Ful/noP0N7NqAqEj/g+ZtcpgsFGIr3mWumxxcEjCsdMVu1M+wqYRKwZCTm3DJnpxsssX7I9D5Wl2wh9AaQi9tjXNgxmTXbmwJmd4v00Xavy+DiAeUYCahdNivx+fz3Rq+WuCye56l6IEljjKbo8C20+kd9rlTa5wiy7qoHBvaksMxk5tcULjIn7Twvl0Di+172bViKlnO8g64HMFL38WYxEAucmcvUMpW/zX53iEeaAke49WN+NcZiqq8Dv3hOc04qUQRqzo9XQMkKIhZnRcb/mHNhap6YgzBGgtftVjTQW7wPVEVh6x4sCnR3zkNedA3I1Xaml0HF35S/kt1kbzoHTpJTfUWKAAhotGPLwX/iqhxKxSe/C4IgGfph6kfoOxV+QQGAcBGPUdRaHQo7LF3kiroNLUeqTN3sIqTiribl2sqC02hgF2E77NBxsHtfUCvOF/6RFP1x/D/vNqdp41QW9/82G7or7cfpYNF0z79Ei9guhOAm6tu0Ysz4aTK51UkGFhcRydjYyk7DFK+QL4po9YAt8jCRnfQ/Zcu5ilbkU2pn+mvlreWDtmdcYjJNVuRScBDoRVVGS9KKdNnHW1a1od8Wb/I/6BMn9zsDtuWLrvuQYfabd5dkcNqTupIOrAj88wrvKdTlILCInwsRWOJw3LhsXagGd8SWulnbzutTDBJtLrwBUc2bYw2bW9ISAQmJG/ebdM+ThsH/33WrdJHZqQZqBGFQNkXjmEfa0g7KTRxv8X/XiP8CAgDxjmtpyvTzmbW6XQyxkUJ6S5lgbEC5+HvLF6epunx0ytYcoXFwEDYoVCcT4cNBfZrta50/NVB4HDMym7DRMG3F5vQk+Fhsnm6ygrMpjZJ00A/rX6xIMqZU8brnnQh1KDDV8UtdZODYJRXHbtdQa+RSt0IKC7M+DK+ZnDyjGPE1DU/py0vnUTYoR68/oHF3j4mbdnEk01WMc0RXC8SqfHpq20TLyks0JIOmq/TZT3aCWSrZ0LfJr9Ow0VxMTAcyg8qn356SJPwSDDI5JnAxRe8U99Z6RGjW7/TVH+IbXvsCvxzs2jc3WRxx9emgRjUw0eNETMUcfJXXdpvW0P8XydKDUQU1BFX1yShtS1SK67Mr72OJ8Cv/ECytHOFBXwfrKuiyHUDEuFTHCZ6Y04huewkhVXGpiYrLxU+U4NazOycxp1LGeNUliKqD7FN4hGZ/naM8MYEo4fffwPf4JT71IecC1saqxZrkWRDLkIgNMeq64FqgJumyk3uCRb0CkgoJ6Bpmh+3T0iJwkXAkcGxIsVt/uO8SJGpr8FDZMCns/EV1wOgPyOFjsVOemFNtWeJVIv61PN1Vtd+ZQWiVcK5qLnLaOaankN0Z2fMpfe5xv25KPH2dS8GHA347GIsApkTrh15Z1yJyNCL0qO7OIoOVUbgg8hR8GU1c3UoPyV11oSijM7GgmNxZ/6P80Q9hgDZfL9mz6uCuyA68QlBl+QQvytArNkD20LOyJkuQornuPQF12iTcXqmMp2PaqfEbtwFMGPm72S5DmFmc9OHnU5efHqu47zEiBTMPldBqmBeCk0Z/ribKUDyYF5UONAk7tEdOjM+vkMc19nyqk+euZNxAhqhAwAszn3pTxdE6lTIDBVwGP/MDTBIJE7VTezSFfBAQZZoj+zxNqvpNcvOM1+44oa90MmOW/RLqx9QolgeC+1PNA6wbC9MsZOVKky+037/abBPjeUSSjL9sLFl75sQvFDZlKZGd5DTg+QJdSTRYIT3PU6MOZALVRD41R9bvBq90PMab9YmYijXC6rmUm/8Hk+ngyT7Js/xLX6Y8cYWoHULAIUhSvRYVv47hXSIWaUJ9fbHN5rgoZCeAzvoisKWX3UEPG1drGzp073iGa+g07Z23+VK9YNCoNaqblQF8ztoyYSHdLZgbpo92jlHshWh616Kz7+mdFeP/yB9swuTvy48SEZ3boeXLieCW9daOrwzm6+YbPVflOfwJP3Td3kzIKf2wfEdnyfP3jK3L//6DQBguN3ktfnnTd8vlLC78qlqyNa/SUBy3GctfsF2LVj41KoBtqrGgp9B/P4N97XYaDjphaqbncAJbunEaTOmjNuTN+In+V0kWvVxtz29f7oxtmpxX9SNVEmzQf27nJEHQbdTUElSphH7THjezoFClzMfoCuScLv+hZQfvlNaF9u1kHpuY22CPhoPJlUHfWareBzXh3XBw/SKXDoj4wTDy6AKYJ1+qLpBvjeYfG/9wzX8mflJshkV/2pWH1JM0R3HIF3wUl9UxjvJVzpqP6AE1n2+s6YWzfaU9AQPdK8yolVr+0Hj5QuPfsn7khPX5WKvjwsZSBzWMwhLbA+dwciMDzZb53aj4JqIhGzp8dktw9BvlsIZ3KZWElbCLOC8iIXg/hcH8gxcjjWKW+OShz6qXORj6/2PwfZObO9rZZZsnCsiexEkXw0xBJQeEdxdVLs9mFRfxkJeWqbcqCXLvFhlPqK5hheEnYOzMIPYN61KjQnciybSHRH3qL/kEl1g2UUDhwxvD/x9dN1IAfg1+ieaS+kEDYb6+B0tOAhlMA6g/CXZx4WEiRtlQeeBtbl5iVFsm2oPmBygEMaHTt6zz94XGrnIy2SokVokY5v7w54BmxE29hIUl+ni/wKL48vTfxsWXIuzVxe7pgUdeR3Hjb+jk8tkmX0zLXFH9YAz1XnkZ/f6fcQHAeqCRKqvnPW85pLRTFUrNSVKw2gy6/oGeuZ8pM5oTv6JnkmL6B93iEdmlg3izq6ZUe/Xcv2yET6goK8OEZrFb3HpRLJtQJGn62t4N+eeKJykqIKhhRwo5mzm/Au/HvDJ7wTmvifZdo+8wnWZhMkdV3Rgi/o9Q6sndSDnxtAPgvNGLKiwvZRsZp+/lXf8gnctQTxqIQxSv3TwwdFeDqniy2/Wgyin5izZiRnp0mO06RcadSoCwDunGd+SV46NekRMUoKeVUW3Jn09HeSSZ/Q1j5gpgFZp/id8YrDZxwwrlBa1pWghbYQaEfprdOB0emi0sVpAxlvHSX8nVZSD9oY1Wzuu9oz0UAgUaclMRg6+KGb9YJuftKCQWzorpHWhHpygcehCFg6uhJ4sYZ3eFWqL0zwHl8sKsc80rQhxI1cQ6rJqUvvc2C1HYVl7KRIk+qvs5PrZp0vNNqD9S8bpbf4AgaBLCYJpC6Wv1sESNM4QIQ5sn9fRwEol6zdb6OfleR5pAkCcuJH+HSnE0LtjsYx11fo+ZiiQQz/zLyb360KyGl0HBna7egIQbBSriHAxT4KbE42IoGeJ85dG2l6uWj/0KRWO5/cra97EDuJP/HmoZOJlhkfQ17iON49BmG2R0exBJPlJCUd2aroY8zrgbWRuVDFAeokZPzlZ5zL/OyqMqgvSLave42uDwY66sLtxVc86rHH8uCs1VDxIBbhRdZmuK7zJ/bgY5SsMEA90BCodwpXByAudS3jwvUyaaYbzSRAKnJ59wsB+hcibVvGvJM1ARWH4yIyVHEHzQWaXBhVEwdx9qir6S4v3gaEFAOPtou9ZeFQYIL2rJQOn2oIVepe+1F2qWjHYXbAdQxcthT27qftvnOMOVWtNJq4hj+yGdGzVzykfDUclnxS2FV8I37emKpk194E0tUek+UFTdt5NWLoMenqZ76idC5y/3LrNDHokjwSAAJMOAyAU039McDl6uvbjiCNAth12zxJiAsU/3Jo4MDtttyvkB7anLelCO3AjiBy5rWu4UKTkbG/R4VTUSB2BoRhRUoPTbcyDiw3V8zNIs9v2lFsZGLXlr2a/TUYSuqbpnO+BN0rZUc2Cv5q2Pe8FVi+lwsvyTalGwmOKe21iViSvEH2n51QxZIGX85f+bZvdy1af36pN9FqCn/kzXnGwQoC/iuq1fYvEXaV+50o1on6bAB/gaZ/PB+vXbzUBcY6YVw9peKKpG+hZe1BKbBxjcUIhb+oZ8gXk1UnGeDWPVAeQonkItgGeTAHZqWX8yDK9VNpiBFbQrTP9oBpzy7hwhM7rqdr/m1PF5ZkYKN0oRkXMAexrfKl3q5H4Ds0tLa04QGMY8ovl0OkMc9QIX05uYGJ+BXegSAjrMD85KJQgY9kP2gwPCnx6gGrD9fvoUvZhN+xNpmDP2E3lYn5+kRuSYFrM1t7/mCnUdLDAqI4WBb8y1u3PcatHmy817ShCcPAuilXxU9p+PvXqQFj7cScz3VpqgIpcCaerM9SYt8H6x195pqpSSrsHGSrt1GFJ25Jy20KBFsvZobyxpgTku5dmaWp9KTylPW64O7T/Rk+raJTp5WFmKEaev5JjUXFu+cm4C8wWHfVolWRkbax+dzc9SpILAtjnFcv/LJ20L1qz3VjCLE/3sO6g220TaTUynVmKGYlquxq/DLcdydAzJqL/Vetop053SwGtbOR+POniYhQfnt8xUGppuMCc6GwsJQdz2GplhhlSuuJs+zu2pqn1Tr0LNb6G3b+6aGcsZZNgC73ofvpwn3k9JRVHilxnTS1RGZ0niI1Oj2rrdFxtbMd/KU422zkmiJyjYcqZYh5IckhKHQy2Cv+zADBLymO/F+Bf9n4Nrt/Rkip8SXrioCgAdI3W9boC37Ofsmhpnyoa7Mxl4XxkUnGAMkglGs3sul/1uDi65mCAGvD5nFrnKlhm8F3U+O7uze0yxni6fjq/M+mQ62BZOeF5SkKEXKLLwDqiYDA91itJKx7gMOdkgmE8SK0wvrfN5b1ypv5mRqbtXX+DSidE16KqVM8tjjvR48KsXCeDSpmuDUkGDjn6oDIT235Vo61ij0guDe2gw4T9jfvuhV1ucVH6Jhn5NPaVICQZuCaRSxwZTWG009DfC+vz+Ut71YhhhFxCBPvLZ2U61ukOzHNpoPV//gTvP7QHy3ggTUZz9WrqkuGOZHou29ELvaza9oQqxOCHdY0EcQRMw+ki3x6FzeHhOMmws1rFHXkFLkUzQIpwpdZ9SCXHqGjVvREZFCw8csiE09fc8tPfQLrtRSN5UA6Xb9Wya2w3yXrpnC6h45IY7hANEwMZJqlPdGprQ4T00HciDWq8Bjw/WIXyXl4WiSJsxQSGo3lQnO8Asn6M/bu31uM8kxIAjC3zNJ9CtYNnbydguU6/8FuCLd4/5we+8w/v20qzs2BhNiuqWN0BKIseqLXQDM/35XjX/GF9wD0HR9gWnmsH2MCPfl7Veyzh1eICIQaIU8YazwSl25beyJ+s6eJKy1844FkOWTwaYhLY4AtjRaRMu05YBR08GPSnOE+hvTXEXgzXQSyB7hBWSZpNyZ0PwW2WBlzYuxOYWx//LrQB+ywsOdnL/5/KGx0sSSRJknNYUAD8saRMw7+l6Kqfo9M7WbQJD+tgQKsXGXxFykj4xwLPQIK9CNc1EeLVsdVRchEbL67i1vtrhwSNO5yfQXnLrsxhbLmlj6ZfaiEDQnYvFOYfML29ig+uEtkfkGTmGoeTrjNMu8dMGQU5+qJq/C1Cj0fvB7VyqQldlXAFetQJASwrRaioAbaYGii/kuNaRWrPwmJ5GzmfOOLZyF7Sz8jYVLzAA1UTgHN1lRPC6GSXZuc/pNm3+uaN+zY2yDmvy8s9qnU6jsWKj/Zdb4Gmu3EcVyui//z/lAYMwcaDMtdOmdCJB0CEfXvq1+2Ex5XiqwYoQ5LwSl9HvObZcp186H386lJlpeYisFjf02xbgiLx48+ZiM4IErh9DNIqO4ovOVLatANicyZX9HTQyV5Zhvq6EgLt1kfiXDp3ifi0xj5xGppsnz2Jg+kXGRyP+UEVxARXXnnWSXhwpEoJ9aNUjN2224uuoxCi5TqFhcKHRoAohrAp2iGo+KE8sE30cZII2DNKYZqiEHq9PpRVwJt6VbBkWriWvMoY64kWSEs41I/pCIjl/bZzhDCsT/kanbqjIhGMb2Qg8TPDbA973uoCEOmB4SQAxCqt3MZ1sqhRFEaNf2AdYtp1Xsib8Tz5z43WjBlk9sy10aIAo1ArfwcGSgrBtq8ammGD1zdHv+/7xKe/vxeZqa2YMD6vTmImik8Q6QMk+EhSnVk+K+A3ajNdxRzSk5xl+8pzNocc6kAoUeJOtjDiuXp/RteFpZMfhCQv7VdOBm4Oh4/u8lvbWTpH9ZAIJoB71PnUJiVlHmp+d4foOqGW65ywWUN5BeKyStCucCr2REMRvrbM/3j7G3EyE2rb5KIljHLZXCZlLm33vbzukhUCz4aTPy/+Z6lVZ8fjpREpoyFKdQpKP38nLvStp6LrS8J5+REyfj0Kpyd1/MpHdK23vohhkYI+cQsTdDIqRz5vpjaEr29PvmBAf0CNVG3tzfoB5Hjc/wrvhoxPySLTlBMMqTRY6xFbPVK6cKf+fbg4aVa5MQci8tYUy8jYwah2DgrHaHXl/CxulCSEn8XF/6P259znVkFGOFqyImPr3IorAAXJ4JB+yRtMvvBI5JRyZdZGtjKXtztWI6dfXnEedAF/1lE/bJMThvGrL/w/0NpPMeNMyTeWhsSIUIBTGTtxGPkoGbw4swXivRyRduNroyPHq9tNmr6MAhfwwe5oDDSsW7hGE08C2SLxLdFniAoPq0Y/S2WttkWu2S0FIfZLwVkQtKELW5bRFExifY4x7i9ccUH2naHXJA6yMSGJmBdfiZ0r8BTOI/PPkjoWvgiOUv7yIli8Ked/+tWageFTVtVwW3BVHmqwKRNNcwvJvgo8MJ/18e7KkSE+EASEkNGFJook0jHNwFbEHOdD5ebb6eTY/9HPsrEBvUZVIxTk5hoDCnPFb/omXILYyRzxu34BRXOuDiji+Au9yWAN2hzKwW3hlJZtLsm8AjCDOeuNi23YjzXHIIojkwOhO7outd+YyQaFF8wsJ/zkQpUrtbBSjrhHiD9ZHkuRet6R6pOb+W/V9Esfsz6M7Q7Z1e56l2ts8hTyKDfg8Knymd9AlOFzIxkL2usc+w4zJH0JejuxA4wqJUTYqPJW/0vPPigLuUVuhnU09YY1ayMSBS+7qpERAd6GexsFpeWzm8GTjaRGVEzr9XJi07V6RT6+BcVG9CJE3fH2jgXPJa4zxH+VSmVfe4NOslbZt4tVBCON8j9T2B/WvxyNz5JaIFDOTUf3LC7Q8rFxkAE4ehJB7mpiJcvqS+xOmVj86TqGVDdT054ppHCMuquw7UlEZxf3WrSezcfdmIXHhY836Cu7ad6d9diR5JYlrLvQA3lvhv3MXbPPlcPGOKs7K/s85agT+7RAqdHUZKmaubKMnB+w5MNkdG0eLX98FxeRQW5xXLJIZxaVZbYrqlClHpelcjcsARJccx+IoEqFX6vGx6uBYAknTFUE537bte1RSJ5OOsX3dp+9Z8o37hxelmpO01D9LWETe3KkfAp1UyhRYVNnxsefsLda8/4MAZmSGknwB5Hz5OBvjfWQbAHoDFifBV1lxg9hJke/6g5DdOyhlJTz9nvkvnVbO0v67Zb65+65Z8LQhLYaaQTMPJII7Nq3TXnuJbqfcjs/sHLsxf8Pn4suTy4qGs5EjgoR1epzB+TJ8O6m5f4X658gogdjNEde/Cx0t6ixt10EH4FZoPV8pEhPvLD4F+ZCf2JR9MnHzUQNJseSvETZBWp4IVlVMW/wkVsn0JwGj+7juJwO56wdKskk9/7sDffL9OAtrIX8Ergm7bhSKVAQ2jY+osuhqnwNZ4Fggj8XEgNIgTlYloOJhIb7oC5GlS87dFbFDANSFZYbihXNm4f+OLao8SiLAmrVgupl7J3Pk+NLzODld29awzeQ88ckPJTPM+N1pRkoqVLh/3S9uUUoU18CcP6EIzR1ZGhE5oQek1el9uak8RZYV7sGKQxdiGZFf3mEUIXTrA7YEPRpzAO5CHK96Sdk+Vf9feGf50G0nLMX+JWlZWVU3dOKhn6Qei7B3TO/oocW7r1iREqYUL+emuXs9t9+sB9jzHHE/HmcGoaHQZGZOSyzVIdaNGGY/Xb14k1EgygtllXEmuaWxwKZAD3j9HnxAsVgPuBmAwq6YkzI8iLPJ94Kwj+Y2W/yjgIcwl2c+C3QEhtoJJom4sJ7rG/8ozoMfa2a0QX0zy23uEOVKlQP7Ox/mYOv0hGZaTAbzZVzbXCqU/muomCuMnc3CKucMxEhw4wdHsrhyBX8oKRaYeao4ljxqqVYqV69P7W1N5lXhPv/BbobXaC1X0kSq2aAmvBcoO3wd/UdogHQethK0ysG1PzPC9zmpGLADtv64FoxIC4VpQ0I7aLlwKgSUEfwSH8oqrurn4lVSXqfefDeN1RqGPbbudClmgXRKwfTPFP2KxR16k8WWs6Mt5SrA1B9/6At2VIXWRB2tilKr9lEOYwMZ8dZbkWxfO06g2od506RB9K6eAwvjj40wPV8TiiXUqm0Wkmbc4NtjRhNgUgCYinmDu0JrdRlylD2LyZk0YfeBBuKrUGBurCNCEOSZL+NIapMr95w32QBJJswBjNvrK6qqhagYk8SMbg1lXSiCNLzxCBiL6lUTHDFx+2S4DFI5847wOHxNADtWbA7PVJE66la8NkPvs97E6VCvYT6D/ydM9BmFyqx3xw1QMiDHThuT9m8G2L/S2lojxSXSM2/s8fILrry99HOb1iwqT+5Q1lWhbs3m6Fm3xR3cp35OL8QlH00kjZHJPo5ooL++bqiloRtEB3FoCEwbjABXx5IR2EYW3J7w4ONVWbapK2gAW+ABygII4Dr1N0j1um5oWq9liLXwY14ooODfeFaWtLlbIahhXUeGU78WJXCqFD/0Iiiip+GRyEC81cE3zfOwjzA7rfO/YcVugYIA7JJIz445me/Bsvc+gd0TRBVqr9leeLz6p1p+8IRmICKQFhoS5PGxM2XEazdSkUVoJOoXA9X/4teUxCzN862tKfpiv9pWzpV9A9pbf4+X2tDptZGRQQpGnic1AZLmjX0Zx7arFCRcGvk20qLdwNXf60KMIt9hjm43XJO+NouIBbgSoqfuWREsfjFm2OUtEy17CkPU5gczgtj1Lef/TiFLzlAcPwuh3waki72urhHOcn2Deh4udS/jo2mApRK4u6/FEcXrFkHDgruPMRMYEElipCyiUZooTRbRKoZzs1si9fST3NTnC8t0MAJkNn2pp3kQblL8MRp2mypDDwiNRZdWKqaiUuJoqAK+CQtjr+2qggao/GBZTE7bH5DTYuLs+uZWQeYZXOxI670LEGOvLbQatOuO2wQnMrIIooBz54W+jq8A3bd8/27WL0zbOS9via7BlMujZ/pvP8iMkCbNymaPYzbYpaa/1M2W/5K3YjbLXLEpv7oqv32PIyUtKfeivbuj/7iHh5biCXelrziQzt5pHZ07SpJ0EBF23MmHilXjNuDzGelZjaaW5M882K9WIdzkJZXTvWkrltF+W2ysPPm4B4PkRIFwb7DfVr2G9S6lxq6tpW+mzpm/1yiDucNdsoQkezIPEb7fRgOqYmt8DK0OQcEw5PhESs6vgDaU1cD+3+qRNm+nH1y0fkBVJfOkr9Jk72m8dt1KGpTNox//IMcm4z5ZYKGZ08SUIG4zG+RLrd0uotr9JfUT2LWvIErJEXhzRm8Q4v/sUy0V9ctgqQRrMQd10dDobCJ2cGo2heOaeP0mm7GRIQ9m/NZgAPapMdooZXS6tuSZN0AKm14r1Rs96Uv6dqQ4frIXcZrwQAISY3e8uInM5IMNSMUxZQZfkAmqCnxcpmRAQH63UONundT/itvSjmkZG2ygCVsxe50deGw7YKtGSWOQaQ1RVELGwNgHwf02iEuAEyQ+dB/fdFDqpQRdDJHurfrH1r+r19H+/JWTEbqbnb1qsq4SmRfndRRt7rxg06Sb0rfMFroB6OJLiLzR1f7BaD2t4Hy2oCERXxRG6qHje0ZLKsldS65Dd/XJVm/2BwpMWy3VWiXOq0SOI9aHI9D6qDrqg+lOTpLEdkt6JeEbRNjm5XwrU+gStFQy7KynWkK2CH9Oy0au8BYp+bj2yTC8kCBEeUUpqrCBWh6PHeiUlb+bbOFRgy6J9zPZDyTQoGafBqi5UgZL47iAjzB1sDO/GtRwIf4qwQbNQwCLw5U68+ZnSDp/Ur8ZEGY35QzRvlN6JkRgxZtkBbrCt6rxCe0nOODA/DzB3M7e36r6DWbmMsa1ncfKYLin55Oo9o3JIIQnzH7gYNwZCHQs4N1joKEyTQMhb61MtWGEEjH3RIhQTiIJPEVFES2liKdRb5wkC33q6pXv4ayWe26x5jsXnw7jtQmsWEQz3sgld/4jHpOnXxO143y6eyRFyloTFc3ABfrQ6cuHPyBpCRf6WxWok3MBkWkcuqZh8Wi6BsKnZQHUWvwNfr8YoW/8gtBgIqd8qnYAPLLMWboNL1z346xZcUGMPL4FZz9kFqPz1Gm2KcLn0s7kejZ50SBwnfHtWCIfjKloNTLlbAVBkbwZ/ZvGT0HvpsYo07lWXR5kDfiCZHTmuXLmdLbLr50lBE7lfhmty5nC98UWu1ej4XgV1GlQVvK+bjtDeTm0klcfPtGLpIIFxnmu1hCMCXptvvKf2kVZygr598cXyDeNnsDZNKxn4HOcdkavEf5f4mkAkPiu/IrcyptISSjPLj9kT0YFjlCTuuoRyAsu3vTG8xcMUUnt5KOjYhF7/4OwCDTrhtZMPFsbDJD/6GKitizq6Uh3ZtN66NV8XFgUFsVNd5+L8ottiiLH+mcsshGHMEM/n76DHzdDDK5DbJNyusb1GtuLzLLx5I2a15LV+jYUPCdIFdftZQGJK8fArkhZ+mCehckjzzL15uKdTYs3fqFgrivpoBpTgd1wRtAblOxv1o/awzeWM8bCWXCbUSe0CmOlj46M3tc+CauqzWXru22ISpODz1ZWCQaDflWmNW4Sl0DkXQ3lKp9AWTyWP+dJBvvuuKbm6YrB043kBEVZIjgyX0XdmV0vt6RF6MtubeLCRoN8Ghm5+9KeSStA+BPw8EE6rpFZ+BrndpBOp1EijLC53uN1v9hXbihcQgrsPbTmFsVoBqNYYFECVD32VccBYM1REY5hL2MWWAsoiD4ioZJhuonaScd/jT2FH8YXElQzlkPmyfEZ2EoQFW8johtj/9nhbhBa0n8pvLtzQlNUEEkS2E2Ac8glRo/9TQY4NOewixWFZSz0rLSi3rtFr0FOrtYzHIIPoUdKs6RibmaUViROoftA1ESyMs+/+YYQF8jlGxzlpo1LtarIITaFObc8V4ZKcyXOkmXdv7qtjgrTb4ECd0y83zha/Xgz0RI63npsaVxAak5W6ilR1Q6higiPrtsN07KcU8Qsy/a0KcSn7Kck7FpWULlf9NWp1kDbhxda31zPlm5vilDLgqLZ0QvNfpYIymyrl+H019NpNuHD9pJLqwHaiAmgJWhpAqeMbV/QvQ76opkj4kHN9uUBDgLf5q5AvWSgmMN26DWKQ4Kr7D1r3W+UatyXPvV465c6ndfB5ahoBqJa4zVAPWWTOGaIPJX1nXvlb2MdMFRirSCMb+SVxLfIV8/m/9IjX5kIX7S4wnqNs6EQYvpaDXft9PYl8KIOXBWdEEMlZMZd8X5nA7kk+xMZdo4x2hudpjOT9lLbNrnU0+7uzcy/F7rpJosMlFWU3Fy9An5SrRFS4OMrwbeKmLvND383UoOp147i6idQw6CR12QdtI4vecnsDctqsHjqxIa9wOlD6CNq1u2ybhIlyMYq/c1sX0SqwqHlO3blegcsW3iVFlCuaZbiIgmaGYE5jtmkv4f+kYBN8pa2GtGYfHj4ONSqIBbs/sCAMo0cM1BT+nlwKlI9MdeUThDeN6ubG5lH0rncZX9yffGSd35ZRoi2IAC30dOVxY49oDYFKS+EIbDccgG2yDDi07r72qGF1r9Jz6m2FrYUQFauRk8pBY/ish4AeH7lRpTusLzFbeUdqWVK5Us0SqnKl0tfsGJ75erMiYCZTBGugDfG7+ag/uvhVcYiU+8WZxB22FFChT9dkMjM1SRbwrgpZBxmLg51HGC3X4aINONkdUnktUpExuEU+zMkFEwtFxQ0GveiPSvJNbttxfBJH8yJTnsSCgnwaSTtZRrQ4tQPgSE6hncJsdg3McbQGjJqr2ZXkiL0vyxJAZkAmzsBsvVDlBzbjlCgVcqjaVovK1uk31CjuKiVR87y6DOh3gFRa8mKOW+9DLS2oTuF6COXPwZt62AvdXJv54XgWnjhYG+lcTEix1RWHJjL0P3+Lblc5gMJfbglvZmsGQ2f+wTtdJlar0T2lR1EBU4GjuXrtKzMK3JzTn5GbSqqIHeAdnAMLJyPTAAtCgFIfpdT8hrlm56o7qtrhFOB3KqSSFkJYdJnaPXHoRlVHsWwjauOUQEGAaE7YcwF6muSOPpxdRWt9OlhuVsvrwF0oMGrGcILIfD2Uo+Jhk/pXV0rGDf/xm2m8NGe8L1wiPjn68PDpaIWGFAjno5yAMS/dVzRS3NCKnvfQQ0z4uQKh7T2eie7TKzrMsLWTiVFmyM5kQcGds8vjV24+Bp/DUR2VWZcsD/+qD6mIhmfxMTTYdFOT9QqPvmFTfc9zTu8zJTIdNaATG0lUhMRuSbHvlqqySfxcVStYzV0ayR8LjvSw8Bl6ZTGqZpm1hbohzEzJyz7O1YT8GDmxKuswZFAwvafOdqapOmTuiFprdMSX5kG5sZk2sGwu/MIDacJrIr/ujOZIyypAbc2Co6DmYREAHOdyfS90JrSmQGRxIozWwOyz8QvY/SborpHwLGFfeS3EYZ5wkwM/KNVJtIjXk0u2u9UBk8nzWvBA+BwfqFswg4YDpws0Ev1BJf4K2QbaJ2wcrxhju1M5pVxy8Cy0bZxfYsqlrU85z+f37ZmIsQURBYzB7WccZ69Wugb0oS38ST5POJrORLBDxYf770HUOmMNbKQiDlqgQo12TRi7Xt27effYpmMyD1tQg1EyUB8ID9cR6Qe604J45fPlZcsnY9y6YlXg+cvYTEF28WzgwtH5KLsEwpli+Cjttwng3XdzEZLEvukE8+/c+57NYf4il2LqwYCh7q5iBfLgLBEyU81fAMvt5+qnM9BX1qbXBt/vRxc4LX+YnfGMKYhqaiheqBGcmgiQRn5b1s4o7WpYDcAfkOpx8VcykmW4jGZGriy0iK9o5DGXWNV0NyV8Jja8YUmX04/kNJmqbTN/kUp6A3JHZ0Xxej2M3t/xKXCMnC3kHeZsiePUDWTuYA0PWc+1K2bENs4aobMCvZ2ogoSnrTCfTPv6FEklPu6JYG+TverKI58j4QgvJv1sFmabkQX6PUzrSPeRhZHr/L/2elRcUiet47gRHXNnil/YwFbtpklqWw9e3p6L80sLZP2iydyUSHi43jiLI9+EhU1PjLyJD7LDlb/RMSIX8f+d+gjOnti81VBsDyoY5H2rWx+feFdQ5AyXg9YQ+LyXfZ0RmK7Vb/zXndCOLwk7E0mQeG/iuuWoLCqIdMoUZJ2iVU67TFqc+VU7VfBP9pcrsQMTEJyHiHzh0iW337jFoQPl439yR30p72XP+mz9UHS7dA9BrvdW0UQId36Tor2wHl+/E01alh/2UxBxw86ugSVK0+MlPtcez9ukaMJp6ZUJ2NcN/0u3lDcUb3TSwtBYMlQwgruNxVSDhP8KdzufhK89e+LD9u226aImLZiW4zfgThluggBvyUnOLBda/1r27l1ZV7t3YofazhPGKQQljKq5nLwWdfKlm4kbaflZ/O3/bG013tLqSbvDqGUFLIo47UL3ZJ9RCQQ2nN1VlDZVujN6dWBYFUfDEfvo4WAeQcUlan4G/nJnN03zXDEHgUEHmBHZLwjhnTRRAOI8T/H5EZGro9oUPqdey1E7XbiHngrjjmfVXHgETUuUOyyfbiR07rGUq2la0vX5/683KoA384oKU7M1JVFaFc7wg9CyHDTIOKtVc9pEg91mEiXCr7Oww1OUEhIrlKsC5ZVlGTBFcfhoaYoAk58DiFwjCZvEBPwasJUpJKKdFpYAPg39QZVYQ1YjwAJmjeXB2pH/F/SmY2Bt5GLx74/z36PAt9cMe7yRAzk+wrRpVGPqO4on/IirfMo3CMFC5hEk4188AiF60o23nVU91X8JUa2XhAUJOokgX0oQz3iZG357OO8RItAVornwdCMOJ2Lhx2qKUKnJUCle40ySgzHcfkKm+29mBaXryoC26yHC4sIX2tUgymxUFqt1oX9EbkdvYRrWsIOd91ajFSsD+UhDU8AViTxVAf6LwsjSEFi37ylfQpT8Q6KWvWHTK8NyhSmsAALXNR8f75KPMybu9MUVvArTU12KhxLvrMorX80lZHnWRI2uNhGgbLqgItMfZoVNwgQbTkmlRtZGsDZO4izLuTQm2T9wIc52Vz7iZN7jH810ywP/XGXTQnVaZrbBWOzUdAqxbeMGsstNlpqhYkewy8UbqKTLvaX2FLTUtzBVT3DO2Bo3+KDktaaMpHNvuCTXFyA+p3EtaDbX+2fmsAkO275KlhKwP8ylAKrEqo2XVHqVhLQ789gHqTjKAG9cevA5jIY9OmOIokD/rlRdEgEc5dLrYCcw3taeI8zaLRDUETBrwIxzE+VF5DI3jkoCl/k0q9LKamsq5gGjUacRJMBEb78utDBxSinxeOFmhwiLV8RoIn0A0VF8W/KcTS/t0kGbQfYwnKx0ExkYDKFn1SbNCaYZKCh2YimAtEWwnQ+SJlDkFbY7h51AJfbImQcWdA31AThKd93huYRNNkr4m+6JESlq5YFmyflRtcrYsUiPzCi1x2omHHd/DLny2+blmJUWZ5faNygBxAe0B7OMETHanthROH4XIuseQpoOxTwaVg0ApQzVZGW5gBmxZBolEF5skHjWj802ySdjfRW73CLWjk9rGjIa0qllAN3Uzch0QT2mcHIkmI6JdVtaC3i67rwNKRMMCfjfNWC/CozaYGaqRliIa5T8hlUMXFrk3JMeOLo7GZog3mylbGH/Bg/A+8Dj/KKyBlD4q08KG61qQO78xRO7+c4K69XQGJqJ5DYdfw2SIpNlU9sntBC3gw3idCECbJKsFIudEasjWUgrBfEF7eRKv1NW7yXUSAWWlUxzsxcX+ppWnqpOkqBefH8NvmB0G70fHyjoixSsRhpxJh0ubrjTmhr36IFnxGQwPD298cHcdUIbMUYwYx7g0aXwtJu7VjnTtqSuJzpJvpmllo0mzi67xETRsBG8Eccy48AD4hi0TLaX2ioSNzY1Vun1ToKVNxjBXbMuPzIOdlkOuJOk+8CWYMTimWDtlWzpS7/m83aUtElpPx4Ka7Oa4RaOJ0LRrPf11LMeXCcvcEn46A/xxAU7slx+wkMACOMZn59AAdTIjAO32ImvVAug7nL6XJYknD/aK1z93oHC0gDXXm2KbnrQ2eATHmaicNWaKD6L+fxANrwAykE/H9mr1I81QRZ4Lsa2T6J436diKhH8fcZuYmn8y95t7utbNzfYEcgwIIxGPiej8FnEzSjhgmaTXccxDJGeLqUw2QMfKZ3dGMAEOuha4XWWi0NpBiCYkPI9eHKNd8u6WuNRTWEF4Y+McxmzYtxTU9nfbBj6nHegSAnp9cb7UGKmhxVYpcYw351Lv6vNiakZ1x69KGfzGSL07w5vOuNUslMgKGFaR73gf2bHCEjTGgkozu/C4rsuKi8wJkWEW2EcxJoJgqpzSdeAzqcsrE1SW5VVtzABbYqsKXZm6qejVqeblM8Rwo14ckUlK6EiQyQ7psrU84QjIwdGxxD99Uan2JgU1zF3KI616nOSMWVSM2hnfGPzMGEgWQZiO5ujX8wzmYIz4rSMdblwfCsJAgSOC7lUskLGW+Eh91Id3k1B5uwkC+i9ruDZX34XFM5qMcHE6M0qOU1UVnFfPsGLzpxYZM1oN2gOh4RRMtNNDb4SV64UULH6x5BCqWSdBFFS6ejZLSUbr1QmDck07+/kFzY1XQEsZknddm5AqtT2ctq8SZQHiHzc3HXbN0OcespMlLnNboEhV9XpiD6Svf8OdwVEVnseUZUPcSJm67iVwrSNUoCjDioFiWJEj3BbbynSqc8wQHPF5M8BjV4fz2PIiQxVfRfBTuNR6A6ZDiwEr+7+VKf9abkVBL9gfNQ5KZsqZVqm1Iz4kch39bmu5z9FAUFYlTH1GYrbLCbc+jMBhuiV0R2aAPpXjebIWL5AF79tcz+SNWk+Trn01Ten1yEmOi1t0iU47eZcOkGpyqHvOm6MjnhUVwKHV/ZDJn5IFisLOMyAvH7MG0OoLU6RQmqFyoULNMXWzvyhvT2oDh3I1lgTSmx6sRylRJvOzNqjEkUdy79nvuvVdBWfluhhysT2HSLPx3qhtpEGb9mb12pjGC6rMUUAysCLwOirAdeXMWkrfxi1gm4Vq8tsNuF6iJKBrWc/t/YqNvO3DnHMY2AxL9RxCxmxjQWfxYcYg4Dtds2nZ7iCSMkHJKDY1a3AwHNNekkvJ3AWwvQZ/NI2lo7RJtDRoejdiWPqNam0YIxIaxDhqXfAC2QcyenrhxSjAjs3P0On6kvTATUIl992oPE5aSH3QGlBkoyVUkVQxkF10f9ra00gV+8F9SlEeo6YC3Oyz3nwZjc1X3HTacTah52588TX1gqP4NftGSTJkm4SZgS2fgyhTg0uLLrDJXe8LSfp3c9vdDOix3XfqbRbFc+4HLf6Pt+nYtq5vge4VITqEvTFQTGdlAl77xTPzyR9W1J7VHSDkqB59/jJASoaeyvVqKAOcS+Yg2fp0n5CH51ceymjPE9Tl9s/KoUcNDKFFuAIIPmkvespA3ataQ1ixpsQb20ljlW27AI96Iku4X4Inn1/ws2uD13D17vXgbrf3SILYM1iTmkAfE76uiaRiZvmqK+BdxZCalFHgtNuEAN3u+XCTgxJ0rhL3pb4Ro9ftq9ReD2yl0U6baw5WF21Z2M0E1YgspLhKQH7ExloD6+ApTJw3Th4tNyy8AIHDh1YY4Oo9aQiYhX/3qiHuk6O9BXTrbjuv1+96KAJXfjruRTZxgzKr31izFom8YxWtMtvcr8RdK+EjuoUpY5XAGh42s7FoKfkYuKqPetychyuTIH4bY3ZWzhM8ojv8gPaAdiu/1TigsQ0AwPawP5d5sbXoXULfB/1VptE8VvzX8hRXCMCoqkY+0lWJ0UNU8l63Nmp1ikEn6FQG7MVA410mflnFWBZXaOkDB9x2CGK2S0yjWMLQZO6P1c+0G9fEZe8jTAn7qTpoYr9h9D96RraSSaktakeZfD1z9CwMG7wMFWjcL68SRCIEQuhN8FpwIIByxAjI1+lgMGE2Ap988t+rJz1tNNQpwRnEQSvn6gKI74lwWV+jKDYZ3yYuv86J6C4mOYNBv6AH7Scqn1nhC067BQBhSob7CRMQ1oxeDlijDtSyEFv7e8w6gpwjEITz3PRjqIdoA0cgJfXdBORhPWrWdCxBc63dOtnvSgHD1EnZX8SkvClfRHHuRIKh4UKhOM3e8VOzSJbPnjzJTWHbym+tPKQKk99gEVm25cGZEQYD5gn2LD5rAnh2lR2aFJvxE0gqZY/8TxqdERC5ry32bW9hUSjMpBP6C/HyX6GGRaUOeQ6iepMiQtwbqXDsCWAV0m/U4qvSiiQY+xvL1EGTxFFeVvs2MdNRZ9VUs8NLT8wsgZYk0ektnYoeuTtEYchphRqS2ohza1n5kwuez0BUhJ8VyEOhfQTxvGXPxpFQtMnkFXsH7nCBy0YzxMYkeyo9o3vkGE5PtFyy3xROOziMLhXFRtyWn3OkNYKK+zXQuoIpjYJKzvWpBDeaDq4R58CFk+qgVjhbemcyccTnqiILZ21J7DWKOYy1NzIK3TdFtIMQAOIRvbhXD9uP7DNd2LBBhzzyRMeeQFQpv2C1aZFAEa7jYveO8PBtJHG3c/AbjNPLAK7+Nnf8nch7oJhMi171J68V7V7l09H6mRRLKwSEPVJ2D/VU7CA83UE0zic4TXkD8i2f73nUUDPUzwk5fcc429/+90Pu0/zSnDHfCHxnfucT26haQohSKWUcuWz+GKuB0Z2MgD8lM4sOT92HVzo5m5d5umDyMCowaHVZMYFmgnwuTSylge5OivYU8MkINEsAZM5FRX/DNSLD1FBVg5FvSTOreLGIoyTQ2TKa9UdsxqA2dBHq+VQzFKOhGz6gFtk2sDaInZPbWwma8mo1JgYTpAFwxAv4KF8YEYb5g9irbAd7UBVgHFUdQ8cZoTVn0I3C5ZDXnrdj/w7LmGhTHg4Q4tHMxeAMkwC5NafSxmXSNDQ2QlsAvvkQgA7DSHABPt+EQFOnPKxFI4MIjPEqo9OsmtJgxbNwfuLqWSVRwHDkejqrEcpfqfjYri2VVplNxMoi6MY0yxoNkMx07MerPbHRbYNKR2jvoVPng5QASTh7EN8F7KifjkQssXwKhCnAHxST+gY+wb8FjCXx/jBERfBYkANm/4WyFdfTpUi5MTfVzQsZZDqQEKP+3dwMmaRAD2jNmaZYXXO+Y5aJKFUt2DNdb7qUDparyZt6ezBf7C+dOSF6RsnTvWweYU19bUJwD3e/8xbKh0FHZJLeIObZc0JND4kX12unNYFpNWpJWOJhX/KBoAnD2EKIByp1C9TpsLiCrVmQOVDODWlaqYb3xMLh0fL0zBEZZoO+FEuJqrNYKP6eOtHjXzQEQ7RoCyFg2un0lfba1icgIquONyj/oScdgH9BEmwAojrW8iGrq/qhd+J5FtpF2kCnv/y1BRj4xmx+naEIUenM5jyaa4YS8yuLvjICk5Dagqzb+V4v+w4nzDmJpIkDnq3JPEdsfKu8Ojt5YwkgTVbyLWRcqk/wxlIB0mhj9mUsM2dspq2FlOOJBMsvae1BpQZKpo/MJKUEoOC16SC5dm5o7+GYZ1sURlwzSG5Nnr/vfwEwDMMFnH3DUFEs5EzuX0o++v9iiKN54QBRpo5bp8rMOUDDqO4GL2bn8a0T6AA1itIhMIy3Wfpa17kDrdq5zS9EHcH2o0yxFk4bDpTSDz4KhlK65zq6UWQMYhj4LY3gKDis5Jvf5ofsmTYoi8tD4ti2/Jk9YD1Sk755I8rbhLzT85n/U6A6gmoZttyNnCbHlMja1dAAB54rBBPRYtvZ8PhLKan6j2Fi2XQRHvBn+/HGFvT+fG2eyLX8oKBKxMX5zGFU4A56Ij+tmCed35KyCTPt+qYoI8MwA7OTe2Bmnz2goOMoxpBO6B7kblgO5FVPNe4Vm2DowGxcosbp0vzqBELEVBBe+Tg1kZkVXP5a5EYL9rBHA6C2JVxNijg4N7mHExWSWxr/nFnWe+8mnfgbtwgOqW9P2bBVFnR3Vi6RbCyncAEXCUgbsMqh6G/TErkPqpKB+wcwvzLEOlSXXzWLCPJFHO6kC0ldqVExTh966axrfRd7I/jFc2YHC8ST3sHkkyT+bC+4A5M1wdsrzeUIpFBepW2Omj0rr/0871Z82Haf98+32he17n7g5sAh+rrEWGuIqQDRUVz1TqEsrkPw1bm1tOfupoMScuI1RPtJT+Jz7nL6rK9XBMjTAdUQIu7T66sNOuQVLcEdWESTqtl7npFjIrWI6uMUjJYygZLzQZkDS7RX1WZXPO/RD/TxLAD0Ce94nMwx/2v1S4D6OGqDbYssqFq4MNVB7Cw/QKSyeM2e1EMNBB9L94eoJGuevomRMEo4wqQ9Pk8VqmlhfFBykLCQVCeykkKzJiR8Jl/FOak4XEikjN7giBCWByhJhLXOia4ZloX9WDm9n5YN/enl1DZ+c0rcOT7PYgCUw9zVK2sWHAE5jzJGPXrtAq+dPfWsFVh2NJ54DnzfU7xAvl585dbEhvL5BFqPVtAW5sjisZekSJQiCAhj4jMNldcEos6w6POYN+7kH18K06/XD84Jc08i93BmS5ij+ZUdYDke3k2rIQVHBIwcJP2p451JcVnhr8DXEsAp/RrSwsBVzgmhzvfBmms3dhhtRSHp8U4iwmx/RQWaOoF9QFmIeqniYbjdmsFwMuGjvbkq68lavp0wa5RjFn2YtViqIawoeXZWN485xTu5bxoZQQP4LHkJH+2WhyaMGlAX/3cRAB+yFVecFXYeK6ZaX7vXV5ElRIkj9tbffYvlUZIoH8RhqRzrViMjIeQKqyp+n4Al0du6yGAW5bCB62f1eYdJc712Z2eLkarhmvmmYFmpGxRDulHSHsJFZ0655HngKs0lXCL/x2qI8UOERP+ziZUxyWko+qPqc3D+gsuvKsw3SbUj5re5OY5L/h/HgTWNFEmwCD6jrz9EBh2wFTmCdEaDnfWQYJ2NB4+7eUkAdW3+xRYV8XpZipj7PmzYum6J6zhjMI0vS1bp1p3s4B5KErf8KBQRm5j51esEDZJZ7kCQNhMrhLufadNZ3vxLMXV5I3zrJVloE9Uh+ML/vLXrtAWJps+0Jey5rAnFJtbJAAr2tily+FfupBBZwvd89UO5zxbEUsZaGBY5c7U8REIJ+RIajQ5/L0+ZvI9RXUM7yJIgU0/EJ1/Nd3F/4JbNjhm/I99Z9mTZmn9/L9PqXF3rCShnRTxgDmPQ3ltDP7we1+TmD98ANxYagX3fZ/G027snd0RPM/ykfUg/Dd+g+VoXefuOHImhu7L+QzK7Ks50hCclm1Wh1hD846ZyaIkbteMKLdz2SCWV2PQs2OjkbvpHFJlRvd1+8GDUQk0SMSAdlczz/sPnRLubAbpUFj7Lc7kaqhFUq2UQYv+PbDt2J3ygsPqJ+RTZDtwcSKYBMFvSOpnYjAu8wEiQUeu7/vZ5XKnJMjCyD4PgZOGJ+pmJUOA4z469QKlGpLqmLmbZoSgECjN1LQhTLgnOmn8yHCrZorP2+LswCh/lkpcmRX7C1No+MJmEiQSun7f9vLXgIKUMOh1bIYHWMqhmugZh4yJ5WykAC/+6b61KJNgeZbV/a9jScXpjiW3Iye+JKzlTrrUPuCU+Earpgdzg+GUZWLQJ32MNmOnJRCECYUnnVZZiOua805gcerGaV2LB7KJWsKHjat/SMchLrFMugCAERsxAE5ELG7ubMkDfnyiUjhAEsBdWtODhKns79JLNaQ9Oz89Y4Z7V1sL1RIFU9bwZSDRTmhnnH0w7xG4QNaJY04Pueh9DUM9ijuSCIqf/giFJFGZpjY0J/0/UU6jp1Ri94Edf975xK5Ih9hfDxwo9h6kIfTDaeObL0u1QcpPE208ADesRDLqvY36TPfPeQHq1AKGGedw9TCp4psCFOF+Q2Xq8FEtO3Ol7wT/Mgw6Phr5kO7mUgm/12SRW6AM9bjFmUTl7hdtnlOrG2O3OmjoJUPWhuiN+mAqryd/D7kZ/KtBeDNz8yiaZIwbmJ4vl34hs3WY1Py9tK61xweFgHr8saD78W8BzNZ9hQIzLL1UWLmI6Cji/HNTrCQDSNfdrNEADPDfFc6NRFfDLrmWR1aVakHw7WeKMf15mh9U029MUSmUdT8e94KgWUN4A9yHk/0gDPxfQyMdeloFQ65Ud9HN3fcynhA9aKGT0Y/t/rpfSF1WN+HyynogbtWpqTZUrK0loeowM+TjBbT5YVn3xViJ4dGhW1ZYxuB/NZeMo5RkPlZ57WdUioRDVXQc+u0QgctkpuotfHnhspy5lxU1jfCTRg1PodZ0CdCab8mrxzZDHBV7CG3U4B3cENia6YIVnaCWrowmnCcfoiZqzHG1kTb9gYmIrpAJGUWHibd/eaxc49Ivn+72yWA/enyiq00XYSkOIXnRDv/uyRGviC0O2iThRI8rX0f2nMOb2xvTNKdQmGEuzrJA4vagoIILhzlvPfs+yIZQTqNniXc+E++XmyqDg6k1vEa2oxaLFrEYO0e5pNAPHDqdhA98sCHvrcuAt4ff1OQjm47xA6P/0gCSbhmDinjWQQuDobIB1zi9sO1ueOfBNlcWe26Xpr2k2mxwUj97rf/xFUc0Q/YAWoM4bbP+7RiqmRa2HyZ5Ag3MpMzg9IHoDltfXVuTxPon1vsJ0xT79VgD0DgeeF9pJ2oRFOjtxqt7Ku1T0GtdYxIayuijV64AHUFRLq8LQlKOTxkvx9t/laOlY+NcMQY4DWLCPc8/VzcgfxlHenR3/TYJef7h4CPOCRGCp1DQjo3dO+wyY4jXd4xyi9MQ1MgDYt6DF6KDdczCyKqNSrm0LF9UQ+jM9NDPQfEGvLjLPgNHwJC7JNyMGQ3CSWyFejH18e0Q0bU/5iAv9gjMUFIS2WYotaCK6tWSNy/5Du9ZCWYYLYvqiW1a7UFFpCoPMpMiVj1V7t9gkb066rMaW3cvV8Ilg3LiQsPlKNRKYR/wMEJGKQklM+VeNyLizlsnPIb/rHuHp+rqUMBvTE0XIla+AtYRUGKFhqlT6IezAPU2qzwD/Kiu7T5JGhfA4aAuwmssHJMipc7J9b7GpvNNwS3xVbbyqFPEh5rlhl08mT1jqale6gnZ9FKragQCe1F4PQXcEkIaASwPdaMPsirNHPylx0pOvD3DmpPBVGLN035PToxhZw1oF4GgUSuIPTqp7eNIMa+ovDKz+87v2xSxhbyrJcJspYBNFy7lpVrboHpkFUlh4kT/A7ea09+pZZb2wc15YbCw1SKHHkCLct7EWCQM/Ty9t9Y/x7reVWPjnrmc9ZzuNYF8D821YYqpar44grVi7KFH9ZLUUS1DL+AVzYiwEMi32AC0qKjVdd4zqVqD4gUqVec6DS2TDErU44TRDFYWKW97NHBDLng8O3JuZEoPOrjwE873YQQlZob736v0moLaj361Im3hbfNODE3rTiCeZo2IFjE+RQ0KrBqGnf+iGZyLpChywoI5jQfbE/iz6lFkm6Fi9EfT66IPdzImMte3CW8Ovn8LExALuPP8PXw+WY7BWC3BwjXgbBsE3kigWgbzkc20nMsH18ecI+md4cBWkwxgURIIMHzg0LWhhqs9em1E2SlU3y8dKcDOPpFEnjibnNUngIlSNqt4tn7KgJMdKXY/5d/nBs9qvEGXZ2MIDuJ1uosj1Q7HgozbvqSL1LKklH0LTbEJeYuOpjP5aIj47kb9fZQ+6LBSrO4KCtFthBZYeutfOgKfDvayBoPDIJ7nFoGHs31LECW4gwrkFjYv7iqRHq/MpYNFZPHobiZ4Czy6c3RbsG7AAHQEjXGBN0CsRs5uLoq77vl9qHeKMcx4szrPWSR+ybsszUmMhB1cNd1dz6VfsVrXbP0E/O9M4mBx8ErJC1d4qfPc8xy6Z1ZCbzQ6GZFmTzxA4wBaRIzi4Ab6Rl4HtKE4SZQ4B6nI0eJyKZgCSCLxtSTLV3CR+R5ez96X6jlkEIWunlB1zjB7TZAJiolguNep0i4UrZrUrWGUymu38QuyAkAwzKBYZZiImWmwr5CGDCqy+JRYPz6MwYgZSLBNluN0QgFZH7eVaEE8MSH6Kjeqz/AFJdJDN6g/O6KtJtuXh0ZKVmW2mf30IOwjO6Q/XadldrBBD1P7yN38LEcIWtPTbqnvxV0xURSk5Wxb7EiIY7QmFo8Zp+SVKn0b9KC8c6HShWBLLtWun4cy1N6H6eSOhnwH2/gDxt/Fa32WrT7+gFhLH/4odaL9VoDGERKu7ynEyTT1ZnNaQAJjwwYa6fliC8HKIQ2/nuCOQGH351z13kqs77xj192SSgEryJmWjd3B2nnyulQNiUprZtjd2JaQhgeYX/OlD//PVTe6GUweBM4zCM2SHwewrownrXlmRGGbduEntYOA9oIElcm7g3e6cb2A1rxK9ZCFqYTBnXPogF/FbfslpPPFftkis6LKz3KeURRcgQIKdjmL173JTMTE5Ote5DvWXFFqEXPqQEhPQ031sGcJWuQC3h/8H37dJB6F10gshwTa+mUT+rW7f1DQwJzk7dpMJD2RXgHbGY6+SUNPp3anJex2Rh2WJAZ5Q6wpcj90fDzcIC440qnQAxrIVJpCxcL2e+Ea2lCJFG2mBYghxhWZ3HiWwORDX8a/OkwjS7bM/3SWuw4xVpV4LA1CcTX7WXr1mKoAWkR62I1od9L41u7id336eVFYbq6pjD/SNT+CEnTngxhMHTO4GrIp7eN66gDDjUExmAVuZCQUzUzxouj4ErBVeYDQ1UrcZi17cZ1nbY4cGppTT6L5lVsdX6cu6bTWhKOk4IyQ1WbvSWJjSsEYeH87WDC4bItd3EmBlC27GvgyhH6ap4URVi95sIxX15lB62wCBZU/NrnhhKoIN5njLhMveM9gpYDdTieLUQr61IB75JSpKCFaukL49NIw2frqvJBve/vWyRXuL7SFDRuaKpsk5bogM2s+45Y7WnoiKHGWsR2Rod5az1niU4bVzv25qKBIi7UAmkVX4NKUPj+Geo+/+faj7Go0dzUzXNNu//NBG1CgkMKSUwiP563p+fiWVDgMi4kNL6A/E3hTizfauXfryOhqqc4pJnSJQr4bIbDz3z4y9nczhQtAJTDnm7Da2OKkz+e14RJH8yNg3L3/DZ/7KAJwNG59hMuEQBst0YGJ+dfmyC8NrICZRUKvc9sx5DoOvAg4zSN34zFbwmb5ie9bUyBtDCgPVFHu2ucTx1hmf7pe3MEEj+MYbtjNVxJOfvIEcxCHsp7WK860fDMsOYwTPGDUvg16LhQURgRKk9scIlwFk043LYaO3Xbw5ruYX7NwF7uY67dlhU8QBTYyCcBI7gYc6xVjx66Y8+fyNTJeugwzJh6ImILPA0HkXXC1VVXpH3PT5h6ei4eLM/SvKzQpdsVJ66UbpUh72rUi6jlANwH5MdjucXbBVDr4n7oesvH1TP09uTx+BW3uDEpjyyclODdqAazAd0vr0OyxVAPYUyF6bv9zzFuSHzCKj1wR1Es84ffCAqYjrxhVqCViw3PCLsRy0aeKsN2Ghnq4c6BqXSyOwNtxqK1m09AvzhSogyJDIeXrCpZ5YPPzMfOvz4T58OIz+npW/buXpZ4S6wtFbhc49mTmvT+Zls8WumQJQ+DF03S0aiWIdXEINQz52stYnFjQMXUXSrTAgQaQefYavrbnXFxVuQRYmAwH5k5K7LOiB/+3fBAs6tXoRdZ1MjciTEJ28PO4k1vPETvjFumy18II5ZQpuFxeqACLuPkMatVqrUMS/R2jiVEwkP5e9YDQ92CWaP1aR+QcjcTARlhZQzzkiFYqpje7RW9L2G22FrPB2ZGcjAodttq5AE7KUafsznZtbwLGWEfY9TPTihWzIuoX4dTznuQ4/jTbWONJ02LHLAeb9Td6XrGO5GKUQdrGdvwaeTAmMBZjcs/jBLM75HT7vVqTKnHraFrlTVAoigApxpmL7IAZ5T2GApBx3ZWB/fwfOnd5Rb7bukd4KE3pHEapYEdHto7Mq5M3cLKKYR8kxbh+PkWkI7ss/xmhPDIHuimeMS2bQJ0ENR/f8qFITlbvziR9ztdg3PT40KhI5ln9LwSZgDgbPqXQu9UNhzniHyfET53UV6XgOrAh0RZe+UDaR9qlbB8hBd5Yg3V92Gf0eqRO8We/K/SRlx8pvo5f6OE8mvxBorFerFjq4+lxo2TCBYTnWWy0kDb4Esh3L11OUo8nNZWJsjtP3aCfbrsNKbA7rX2YJMm3oO38Jda3EbfTRYtB5it0rckXz7fcOlt/N4GqfgCmAYibuqtS34NwxHLvMYnHFospV92mfIVRIJsO6tBh2q3akn9/FfuycPLFpvx9BHS3PLp4N/eMopBKjZvcwj4i0QlKdnDXqSdbc4RLIwiOfTFxHzACNdAlws2VUja3z2nM4AOqrIZNZdXt0/PvqDsDGHsACJZWj+0X9FnjfpHOKR4BaxzJOa1quygvBEBXst2EnWEzQYYvamFVipInhFw0eaMffMI+9+sMuWEFaEj17tvRCSY6mnUGXoMqfyBmz1ZYXG34A8a99ZRf9t/L1I2zqyXeTd12i7CqIuUkcgEpFwk1kE5jpFtOkEZ1MOtCAm+7dlzDp6MiHNb2L6kORl3Q4IfrPRL951+BXCYYpGd73xwVs1dq9FCGLW9opPh3B3dFwybnvzxRTlt+Ab8n27Gm9JaAsuRhwB8In8M1WJRNkP0T9srxPEUG/gf31EnpOodwVnuFxpanHcX8uTat//u5NsrcuwPnhLzxDSAXNKTuHjDd3lOkZIuvVSNvUEIDryBrDXr9QyKFRvQMG3ki1a8cKFVQmlI9LNvQiTXQPSAa1v7L9pX011CWFSWo3wjofsmfB6IUMGEANO+/r2hVaMDqxrVNjC0NuXbPxRBCTWT5w5SpK44pgTVVGL1n2TxnG6+IOfRN0ohdLQLU4koXXQA82U/alCt3tKB4l/5jehpHMnl6lDuX0y+UFwsVoi3wdO2U6JBIgbmXBux6r9/xf8qOWWvXw8QX5WjTTK0evY3+SvZktBbodOVLKwCbpvNVQXc7mCGvmHZDnTrRM5vYONY2kS9VqkJKiG+i4Yp3I4PccuGVT7LidrWwmpTAkm3PNmaCX65dd+cQG6y3rCmea+CFnnWMW1js9hNxLWbbT8fLqiqo5G0N8DfEA/sNTu2YorASEgGs1LKDJI88BCFyDBHclVCDgvlQr09IDZVMZzldIwqvun+tHd+oT/JUasBW3lQ5zA4HozVVBhelAfIqMZQU551CWpavELJOHdhq3qyTaQQYEtDf3nOr4HY2CKtXRGMXnsHwdkbafp25lcSKrr7sFUsUuwbZNbqsSOtRB7vIaTtokPbE21r/HwWspUbKNexFwHDjxqS0KB5xhoE1PMAquxQF5bKgsv2WmOSqDjPU8NeRNK+koyQDIx+NsTq6nYGQZ6Y12iPNjAqRx/04hbVSbJAmKRi/+gDzyaqm4d0eijAOX/kVAcu4ynsz/tpma8iQIHqGq3lco5Xv0BHIPnVe+ZepkqZBXkXf5+lENoZDh3ac7CC7z2tnl1l4coMtxuS7iFO27k0PzOYb8jLy7nj3P/2YLW7rVEtLHKhUNz6zPLKnjRgBW6MZvEQZP3+BNNwFh0hO32wucNPpp3rOMuGHK63+u3gKnYNlxIiaShQg73aVY/I8XQBftP01/JI0mGrpetevrFEVklMjW37hHQcS2sR3XQuQ8mnbkQoI1oKx0wgSEb/jRqDov83vGBnXKcrpBk47cn7UDAPLpDjcQXoJtTUhm7xXMVlhuosh4mXTIhkoH1v5iRWk9i9/mGpVS6krc7BzexH/OQzTsvxRDtzjlOGqUZSJ8DrYcyCt7VrkMYx1nfKIV9SXCRE5NGaf4awo0E/Fb8LmYeSwi3mHcKw2Mc5hMHO5hsTuDPtzQkwfL+j8Wk5l+04qCKmlXUklHHea/Xf6pb4SsZgcfDFDluIX/TOx9/G2EwU29t1gxy17cFbmYU1kPeG/114XNUWefYMcJBu6alwrFzwU4yeLFmVRKS8VmipxVhhfT52cBzl29xtlxQOtaQCngKJxtvPJZvSUZXfttN3x+5vGNo9PTfgh4kDwadZfclhUtqWQv/yGppMM01qYt8a7l6NDPZ0Jxxk+o9B4vF7SzpqkiF79ct4r4MIOxAxnTlYXc+Q4bjMI/d3La1ploX7cyGvISGGvj8B2Ad0Hkauh/7m52bpuYibA5ZoGhzjrVjpUvwvohR+uQC/j0twpNhEwoSVNslIpqWe8LMcWyN6fF3sBHOjPfUPH7JU5maM8Mf8AIGBnG8U42XT599F9BuU3bM6m9Ao0e8WteQ1Yeh00sjotjWxy5Gm5uVcSJ0PU3n2kE+ApGjcb08ykToTPejjSIYVpY6cvrxkCNfbQM737bYBXTQnqlgKmXKTJLLqbtTmJab82Vn5Tbljo64EIBZq3RpidPGVbe2733c3sMeSLoRmSexRCLo+A7YzdloXIQUbxvnijGX22gPAqh2k+rSLx3osoXCSTk2XtqVacvpQIQpIZQfSfEV+e/YdphyHgZAidUeOWq3NCyam0PPQspOj+iO8RvWV9Bwwn6avVuHQGLzwzNUmDePEGzuR+kZILVp4Ga4TNUF+o0Fl2GXaQHlfKUoMHNpEtVc28jQfGDEwq9dZkfIgigc45unNWKzE9F9FdkGHR8rpdb3AdafXfzYNSA0NZgWObN+R60Q3pq8ipJKm7UBCCsjOvFmjrBjV/DhKstN7awNHOHJoMusc9Ela3HdQikpuQT4uXSGowRjbrTbx4xFs4PhFzEIxFBKtKZAuO8dDTMUBJyM49FLj4arg2czwXjhq75dyddW1Hm4iPkkiYRJcxgdv6ybhXha6gOfd1BB73eQlBqQ3FDNUXycqx7a7KDXkfFsIXKSHx5UafoeccRh78v2cU3muzs3PezkGxJVZKamhEGG+f3O1+tiqwtD9kP9WO1sFl1d3iUuSN+84my4+MO0wF77YCzN1+C18VCLIrVq1aceBzxzBK9aOSmZEnkkmayRAO5xiB07zGQmtLYhlsHFXdu8PcXVusZeKUgkC2ZqjPxfvveLfS6MZxxLFFMhqPveV5P2hwvI/8uV0vN/yxkyAqAvSTrw7KUJeM0sHS77E9m6xzXD9WANhHTOgLwCsH8FZd9AS2GUWUoQuCVxE1tMAJ3v5UtYwL9gcmGosbkvH9gmlMNXv+MSK1TJYuZA94haCEkiprrp8MQjllUyisY4/vbvIdvQ8RhoInfXimPu97AVgkZF5UZI8qIjroh2Nm+jqvF8KjiiX5US+MOEangiNOMtlJJUCJPiEdags3oMi46XV7PsrATgFw+zddR7j4uPacBj9pCukuheACBQUD1Q2yi2sAGuw6NTMCvDROSQGWrgwgqdSy4KV76jIkE03FM18zHOrhHS6WBxc5zEFp1f3iyonE/2LdUyVzW9W/YnOJJcijgr2jwKL4VNU+6qniu/VTRwf3gZcTa3yRm5GDe+rEJ3NLsRC3QnTCe83Qp/c10GIOc5qI5c+mFoZX8pwXlMJv2tV+IUX2usvUym0Beccs2GFtkDl6BkrROdn5TBOjn13eQdZufsCAKEveKz6U4Ewho0GZkEC0A1C9fUvhmXMgB4oSgPJkEGcLA4OMDOz6q7+jbIpqMt+stTkp3uJ7ccI8AZhJ6fkAaXp4yCcvUVgBPF6BFDuWt6mT0aBAA6382qnJoaQliZNiYaQLS47JJm8sc8nhd1Cm9eKT340IyA7ZlyQWeOHQIZxJnjfFIKFEMq/psDQQS1LCPY+LSoQ4QHXP30IJZHPAHCjosdkOJJhKgRPk3otny+J6mk+0Ejjh9iy3hAUdItXz63VE4hWV/ZjXXwBnES3FglYhqkf6Dn9X1SKC13DomPAw/AtWJ6OuVWDcHgWiPgC2jNqNH99ksb09VGPYDi2RGm6Mip4+uidALjSkc1KJgdoF6xgfAuPZK7o2bXIDdDv/OIDgkcmzDCaisYKAbLhlG3JyuMPnQDUe2h869B38urXay/gEYuORAMD2OcfNJil5oQy919cwh9l4MigDHgRMmcK9lmLWqu+MhGeDJs8g0umXOWd5Ns1Ff8qAZm8FVwomk3lN/GjgUtHMs2mTd0g4ha+PeF4btCXqcpuIlOxv8SGdLUAOqZRISL2f0qdwqZlENxSp0UV6bP9GgDQFihfDFmymW/sY9qcC33O1olsHTuCEbKpy389u+JthYRlqXFAQp0OWlUInDcXf+5d3/rwy3Le5xuKxMoIicMEYX9z1juk7G2rgSgYmnbtBK8i3xycbtwIzyjGUhDxd9eEdEuD+oPoUt17/snkvEhHzv7vJrAv2eHrQ0k2OHf47hOg1rznN78mKNZ7VUEt9DvSCKfGmPh8muv0DxTuPGBGbVttSaBh+xNl2PHPFphmHpnnOSmPEbCjM2Fectm+Wj1mtBC87gaE1HLShwgSBZ7/VV7/iucHQyPp47oXn8Wtg9EhZJCWZP6kgHtdarGmbakeaQtp6jx/xSNzBEe2vX7sjF3v5cAjnXOu32ZxAOYigEEljfMR7RVlXS6tpVhYksIljp0YvltzLI/xcsBiW4HLlFpL9xlAm068zHApzz+3+qRo870L1LPI2yDxvArqmAyTLjtXnvjSfKx4xe8+AYHsEPeiFuQrrHkXOnN7h57Et4okKZlS+VTbZPjb6uqCm813Ph6/Gr7msmzBuIUPXt5aOWn0hKTHbQ0NmDVIpW340KrkaGlXzp/0hxyGA9Bvp7adqnWiQT/EprHp5S/QKaEgroUR04PO2wbmiGlgibxZR8DAVwgYndn4IwXS84kCz/VsI2PI/Z7Iq3l5TXSmegvx94Iw3lcGOqMmfSZBj85Pe0QAIQVAHMF3XaA9nyOp5MXRxsLoe/0vO+qkWex62EDAsKKm2w4I/6Kg8a8Yd89ir7VmRx19oE+u/LCctPWEIBFRFsZKZk2ScnfQh2fvqWeG8owsCm64B+gaq+ruh/4Lv7v/0uLiakbWcuAsePxnQx4Md/Q8aA7hhuYnbjtnNmSG7FooteuGh7wQml5zT9zlD4oxTjLQUEXW+9krCFEPrqIZ51POLSOgksIMsyx/Y7hzEV1Zex1ubJpbnEKSXBH9pg5ISQou4V2GZL4RfPflpYySJlMFnBKmMy+kEaf9lWdt+Unf7y8fN3OgVk4jpWE1k7YSbmtBuLCU8kjOqupA4lS9+HIS7C25W1MvzVv26DJo5Zrw/TgcWT7XhVyqqXdhRneI/Kvmuu2fUZcdExkRj/058w9WG2gBjXxDjIIPoYh4xUw0xQhwtRCh7+eN00gbmUGuWsvBkDNVW94LHZIdv8VmV83SkNABNgTxGWoCvtR3RoVP6WhaTaSrze9jKPH7amAY1fRwL8IvXJoDH96KnM80oo01RwYD/xVy3BVQceeeo95IcJLonlYbSU4fuzP5UIgGgpZQShQ08UuBz+3KO3adkCMETK+ScskC5WlWZWDFPJ2xRr7xEusd1W9rwyJO/v9aJI3dMI/wlJrBaecpBWJConKdAyGKLKN2544yv0bdJYTVl+wGN5zq9unYRzN9U4wYK+zKiOzgPZIyFttrn+UaXIuxSfVuaGTSizyPNzpPgGqQMfXfQhLVqL0nOey5RaFVh85a1pgfvfKYBEp+yBcYQdJwjt5wjXJsQCtXc2n9F3cNH8wlS91BwlcZIS4EcBoXub5dvf4UW/9E37y8cm8Rks2FfTt37Wi/WnE4dQKN4NPUIVC82cCwiBIlYUCmttA86EbHlaIiN2ztp+VhW5lSMSW1R++Fzs6/Qy3Q7EQ6BYY8U8ce/lMe9GrdwQtRZCG5HKaMGezMhOobLeBwZmxvgEtArFFTWBIHdRIY2wekr04OqAHfS7K3Y25VsoPuQrivf72U3z3/Ka1VRQix1XmEgLr4Z5yfIZR/QuxefP8W9y6dNwmOEQTSX5VZTNLl0GLTvyLfZxLTTjGfITgt0cDJCjqqRgPwIl0YSTAcXbQTadT3+/pXrnnVLstoD9XVbUt2OPkpEV0LmnwB1LnNgVHI00GEmsSku2sHFUD2N5gGEEd4Rjm+b05uBtdEUvigrr4Yaduvp/QsrK9j2pAEtypj+k2YkQmm8fkjkegMKFuXQwEP0BCUpA1PohZ0u1d2OSNaWRSoTjV4q66oGD1tx0f72gjphonwlVcaTfYtxdtE3eaxXIpvllsSRP4Fc7xG7Ph3GWDMGBZtZMtpej9k10HApxDih7qscF3r+VHVQ7oYBi51ippojc5/eF0H/VOnwAY+KHQF95j4ALDDsXt5P7URXQT7ZF7y3NdMgCae2JMI1Oa0byfYJX+T25ouslkyvyltq7til7DliI/pGm5phshYsSPpR5QcDrGwfI2zXJjsxQFu9dBzJCcXFcFHGHs97w5Oqg2fS2yTIS73h/yeKAasljmtq4Mfa+GZoUZ39V6Nf7r7qQj7vxoirDVOi5aahbPaU4HjbREGE5U9Db4exQM+1m/jc2x++eGgV8/rIz+zKGQnWz6e99+dP0L6e7SWyyifYba+HjtJEQQiwz16ohX+pSFZyjQ44k6YUyiaeZqu1LiD9nxUZtwv5cDp1XEJGEb/HC0pHicYMDQyyq1ZexyeZjAPcCxXl9Cq33jZe4FxaX3HpffcrDkVW6mebThD/z3oD/SClEwJlFc8orDugzLfZCBtZ32bxIoUg6YU0DshkX3NKh6+io9PIPeaSv108F8StNEksXTxwvE6VxfbPDt92yLACwHUlmREZOYKzLLBpn3mOW81vLQUBwTcgu0rQmm7Ct1xBZ8xx5ddzZL5Uo5iVgEHkPdcSgD123dzM+UDPXMU9JgD4iM90OWqT8OBBrJIwYHfO+QtRmoWMxwOS1uRsmeKTPlfyXl3beqPUQVY69aKxd3Ez18zQgjQx32G537BK+oGvjqyMOUDCFby0612ZTJ+E4yor9HURd164R5GrDFFwzMReAORWOst0JLiBS+1xtWhRw66eA3FEZiYcohBNilawTXMwzIVWwlbWXTjdIBgCd3mBiyE0uw7H2TJKOiivcok/n5biFTG4na3+iA6qSvKcWJwqn0iK7z4XpusgoA9WuOawuOv/96rH9FnehnrottIo5a8wEHQ0+x2Stazf5F9wN1RCsGQnWPxaR15x0jDTKVVYIsoLkeZ9lBOs608zXx9c7nW23CqjIbKqfsIMq0sSEg0/iIHblDC89MykScWp/E2haSdt/PLLnQFyPSzmXd2Vva5OK4JAD3HExqe6twQLAWHyKFDZ+o05wu2qQ7oagWvQHkDYlxYrg8M6mA6UPjyPMVUYPJi+/wDRS0RWRqLodaQTGpEi3rtmEMdk8WPRMMp2Tk5BneDW/YHXh+032y056GrudNcpAf/8IcIUn2ayk77KGpCc/C/2iwazVrUeaEZaUeOkzJePjaUSxr+fIqH2tG+jK1pqmbqqoH25gevHoV2VQ5lRXQvOlPKht+a31MMwZTs1foLUzimnmrNz/AFv+qzCDvCfNQ2XvgOAl9y6jDYXgr131ieR3lxwK+POoysh70dV2Eff5ndKnbv2AWXWEC70SmRbEjk86I5bADHx/LrTaEfqmr9BkVb0hEnQXtoI/XqkO8mb1QRVLQ5qHI49T7YAeO/sQKwITfn0U+RJaEc3kAsZbPtUtvrDPaB4QS9llx9JcKwaLLfkCC94XNSfYwN37ypLeXAN5lkta6eFuFGfoFKhDBKoAyin7Tzrih8HBFMNJfX8wXeZ39wL8rBobYYst7aQDcF+Z/n43gibyk8dh3okt2Lfok8TsFO/qTptFFgXiLVKZwfTKQI49oqebCufv8K5pWyljMmsC1/OoC8GlHU985CF2HEdTQuj99gfW24NTO9VhEZkRmd0/dwjWmawNjsspayVizrGEGgpFV9QWu1CPInNlmICF2M20UChPijnIOZh8YWeTX2NJV42322w3KzY5UvPrche9RaYjlzmhkb07p+JvkP7OjnA1AOekrue1SN+l40vbA7IeF99pZmS7XhIL5gKqZNvL7AtXFPWQjlI1snPA+oDE7QPypxxsHuGU2sH5VNF4UP3BndMiLpjEdfAMD3wE5Vscv9bs7UuNG72aqqfEEuROKpJJS97pC6D+z0tVY60pgJqBQO0SykWnR+PrSqaBi2653eL5KsALlCTmGfMbsuTiduSiBkYTaldcPcJA70+LqRVtjxMQ8ZYOnzTdRPjtzemtuq/w7DXRsbm4sdvbdEYnUV/tCyjh5nUjo3uzWQnmX/aej78SE3cLUal2Y7VRS61JJqqnKSjPaAqjPrw/lvcALv45M+EKoJGjpZlMjjHn9wq2E5FvTvGs/Cog6oPiUGLnGXBJBc181jrNWaYzQ350n91Z8t9LU+v+OwRhhSbl7T5SUiKX0g1s5n8WR/XXP3GMGFGRHA+9NDIA1OCFezo4bgsZP3x7ZxEC5EEVyjpc9stOZCvTxt9fTRu/Me6VrFmVcx8HCyYkSJmYwN9BOkO92EHv/adS+Esxi09cOcbLUUnFVKFEkeTewvHldOPygbtahZN4PgBkxxn6+WwVnAvjHVwLfNIbHdkpAEgcQzOH/UXh/sz1goFSw5zZT7H1LoG3tEKAOgJKu0JrCi5uVGRTuDs6NdocZ6/PXXuCoSaFftgqO8T71uvqOWX3Fedm1hsgxfsTwBy+JQTRKh+DkmndsUPmbu3TANtnUroM3I8BnVRGbsYSovSa1C5B1zOXiUxi3Eq/6vxwKV5S7zzgn2F6UEZwoj3A1eSF80cJJc9JVrd6JqrxtCI0mGBi+0abu5WtcQRR1VQ07lWR9k8QZtW0wq9DncrcW0h+1gi9ImhHPikFOtEdfzxvc6xXm4lSkS+OjgFVRMWXfwkiUNQLi2MSYxI1HVRlTPkjuf5aAG0/fR1b2N9QrpCT7z1zCAdt3YkBAk3pT/hIQs/Yvu2WnHkUCh3yscuZyclZkkLv3SKzQtH/dPT9OVopOoi3qPOPJFbX3gw9WpBUkEtM+rPAHEFucgXzMVptRw/uK2RcYSgUFbUwUGAppJTWCRh74Y2WvGhFEoohufVBdVeGNt4037VrGmdt9DSg43hM07eNPo8RlKxTjV4WRy5EbDMDxHcVxf0qqHiP6iGEQ53EyZAxwubfB11Z/s8m1N1KY7Qt8MoIdA0CkTmL5Vh8vMt0FXUO5HVhwwdU2lXOeNaZ3A3PpPSwfRcfjT52dSWHZMAowuncyt06jaMJ+7oqKIq65cvb3KsZVo+gYdquEEY8Kwl9DJ0xqzGp1oyYyIRipH8hNOOyb9kpEoWs04/8gV98iM4yJv7iadFgSJtNl7ZW0UCyvJyFOQSA/yVnoo7F75mmIkUbvmoyNwZGLe0fbx9m50boR3w6XVHRDo7L4hwpqeastDGJ/cfkQWErJfjjI3O/bYzbceJSbLmhihF48jNhuifiSYnzi2swh6MBeYzVx0ucp4qzB5MXVAsTBUL,iv:wb1kjAVGo0tBnnCzp0VW+01Diw5tlx9yRnO/1Pp0+sg=,tag:J6KYuI34NCO9OZwOEeAEYw==,type:str]",
 						"deletion_time": "",
-						"destroyed": "ENC[AES256_GCM,data:X1Ucnb4=,iv:ezYccPFVKoqt5jGfbMK+Dbcc43xNHFhqQwaERYPr4OU=,tag:Oblq7FNOzV5Pj+Mds4Halg==,type:bool]",
-						"id": "ENC[AES256_GCM,data:Ryx98HGw+OHIHu15asmj/c07,iv:2sWn3oOgz+5gyDy5gFuqBKxDxpek9BiFEVmAElAK7d4=,tag:3AFYZcrzP7ZhG39XL7uvrg==,type:str]",
-						"mount": "ENC[AES256_GCM,data:eKhm3NK5,iv:ufpibAmW4H2/Yco0PHwMl04ekPt4S7g37sgfMQB/tI4=,tag:qctBGOREDdhGltJoNXaiVQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:S0FPrxMp,iv:ThljITkk4Lvk2Eu4+8bJfhMpKaAL6L4UhGba7bvzM04=,tag:0vTRfp66RIDRWGa3HPS/Ow==,type:str]",
+						"destroyed": "ENC[AES256_GCM,data:zEN+XS4=,iv:FVExxISRxJx7jnoVJgLGdTr8FmpH2Q7Y+w0C+sjM5YI=,tag:hYaAYYa3pvIW1zwFsH8Btw==,type:bool]",
+						"id": "ENC[AES256_GCM,data:6C/fL8yd1DBwLNVMvl74LZzS,iv:7Yy7SkdkkBeE4m9IlU0dB9BEAR11yjIGYMVRQlsV02A=,tag:RAIYiOQDFq1SJtAirinBpA==,type:str]",
+						"mount": "ENC[AES256_GCM,data:6oRVWAKN,iv:OiHwEz5CWh6PVe/kmTglJZs73WkQ4nc119lJ/ffSQFA=,tag:FGRxrzlJ9OQ4GEmABT9yIQ==,type:str]",
+						"name": "ENC[AES256_GCM,data:xMYtL1CZ,iv:ODPgQCwNmyflhIzDVzBpgmnZu9y26zysYHGVlRZAbl8=,tag:1f4lOBjhqrbg2diHDQ/2MA==,type:str]",
 						"namespace": null,
-						"path": "ENC[AES256_GCM,data:jgzkGXb/W4c32kZAGUeXCMVo,iv:nlIVm/APyKun9+OYpcHlhYZB2niBl89+IKJxtUsNPus=,tag:Tn+K/7aO+Yw1NqqhpSC6VA==,type:str]",
-						"version": "ENC[AES256_GCM,data:XS4=,iv:lYB/uBV9l2h6KKCsaO0/6DdCbX57y3xBN3f5SWaonms=,tag:4h+0fiheomHILn0cnzlMhw==,type:float]"
+						"path": "ENC[AES256_GCM,data:JfGJLcAw67AafrBW0w08B6L5,iv:zjgpUvdi2cwpEp2DVQqBFobALo7hOF5wZM0gh/nOKck=,tag:6OKzifjGVwWhuzM9Il8Xvw==,type:str]",
+						"version": "ENC[AES256_GCM,data:ziw=,iv:6POUNMjQ+aa7MnszRekdSala0/3KaoLKWAWkEroh99o=,tag:e2yFF/DtQZD81ll6EV8hdg==,type:float]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:YSZ6r6PxND0=,iv:N8qOevZLIgsXiv+RL80ZBOIDgwt5yC+v2kJ4EL/+wKk=,tag:Kj5ebcacFjvFNHL1bMd8Kg==,type:str]",
-								"value": "ENC[AES256_GCM,data:K7DzrA==,iv:3OIuFDsammsuTfxHZ75SzxVBoYUG74xDsfdR5MfRVHM=,tag:i3v348RzS7817Zm0VAsrnw==,type:str]"
+								"type": "ENC[AES256_GCM,data:Kmh4WeGLWFk=,iv:EjkEAChY58vP/oD16niajbzqgUyat4jD95Ys30evkKM=,tag:my3hxkTyc3v9WPuQFx+nYg==,type:str]",
+								"value": "ENC[AES256_GCM,data:bpkr1A==,iv:TjZ6NVGwv2MiXYb3R9SM5fvUCCOxIDmrhT3SQEwEzvo=,tag:zm18h3ETajaFM4sUBNbZ4w==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:TEiXD3nUUo8=,iv:p4DiR1Y80bMDRxZEf6JS0VWYNdbUZbZ7pwYG5LAdDJY=,tag:5Rt8AEYeLvrjSpo4zdthpw==,type:str]",
-								"value": "ENC[AES256_GCM,data:X6qEzUYBWeyg,iv:EwpHtqe8inkWfSSN6lW3FuBpk+c8DKB9iWEIDdvVL+o=,tag:IqWw3NE6t/Es9gYbSLQJfw==,type:str]"
+								"type": "ENC[AES256_GCM,data:cUqyL7Hdc2k=,iv:srcoRkhml6CDsyTAUEVqidYVVz+M3wdmG8XA1d3xV/Q=,tag:s8K+8kzG3LGnm65qUaSxkA==,type:str]",
+								"value": "ENC[AES256_GCM,data:MmA4I0sD9Vv6,iv:cfqSK/MWnx7vICwj6QS6u2qOUtGlIW3dlCeN4FLwsOA=,tag:XjgVE71HY5lH51a7D9JZ1Q==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:/w==,iv:P07t4JNeBoHV/UMZa19UuCsJnHjMST3W9Hec5fNNfCQ=,tag:7UtE59XENqaiZYPHlcMwCw==,type:float]"
+					"identity_schema_version": "ENC[AES256_GCM,data:NA==,iv:Oen9o5nFUzPesZkirwlck4Vqn3be8x09cm0sanHRBl8=,tag:4x5onA1LRBKxah5tsMWnIg==,type:float]"
 				}
 			]
 		},
 		{
-			"module": "ENC[AES256_GCM,data:ThTB0UIodier2+Ry0MUC/+xqxWmhxz1UzTc0Iy7eNQ==,iv:QAtTXCVXL2A6eFkz8uRcaTNXotNX0UAJqwIJLZ6bJh8=,tag:UvLguPVhkMemRaNEKyeJPw==,type:str]",
-			"mode": "ENC[AES256_GCM,data:/60yeJQfBg==,iv:/2iYAKqazWPNZLbnM/p8G6YyfHgEI3hVFI0if5sZ/8E=,tag:hYtsX2oCSyzJ51+L8vhaqw==,type:str]",
-			"type": "ENC[AES256_GCM,data:79ywi/xH35gLQhm0eA==,iv:OcrrW85oJhXChDeOCTbu2kpCG4g7sP45AaslrRpQIOU=,tag:KfQfzMwUMxpLAAmtGryS9g==,type:str]",
-			"name": "ENC[AES256_GCM,data:SochaEzBw/EvaQEXyZKIAVa5jZIShw==,iv:jILgw0SUxPww2EYGh6T4pJOt1u3mg6RpacAajOq+FHQ=,tag:lYdIOEXaHfObZbajl+cErA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:xhPEm8OT0eUn2GCOtIjBnGBqhPLXAKAqGeCnNcwW4UiJG8Pg/pI6CdcwkTXTNClw,iv:FUVDfEhNwapvtL3nqcD6N8czdO9PWm/AAraC5PbOcG0=,tag:5jq1Ip/5xPA7x/svWoZebw==,type:str]",
+			"module": "ENC[AES256_GCM,data:08PPtwb5Lg7fTYVFOIYW2zeKQaUbH1VrqHVrVA+1WA==,iv:1Wuu/cYvNaPVS8gNEGKWwURMfqL2TTo0B1eKWJIEElw=,tag:vjQmhw7avt5SKQdVrhFsSw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:qWZM6kDX3w==,iv:r3aTEgSon9ZBAgYvL90E0ulGHxGZ0NviMuhIcRctz9Y=,tag:vsesx+MBbNjQp7PBccyQkQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:uRh6W/UDMtUdcWgHkg==,iv:uTXWuswQpjiDdS4SMABM/DwdaSz8BBR9+vgbBI6MoSI=,tag:Gt6ndPn5jZWdH6yQ49U6xA==,type:str]",
+			"name": "ENC[AES256_GCM,data:TOwoXYMABlmWl00x9nMVTkKqpwa2/A==,iv:ny0NcbFC63k8UY/V/SIqpBMx7fDNcUTWctbi84LfnS8=,tag:P1H0wg18yayrU48FFaz2ug==,type:str]",
+			"provider": "ENC[AES256_GCM,data:VdFWqBBqsoymwe48hfIHgucOL+7XsXpFqIRr63sEUAPS5dcl28tXQfB0TnmuZ1KA,iv:bHp3h8rsdWvVohcTWYnUH/9s7V/Llg+iKm9dbmN1rRs=,tag:YmJDdaM+gp8Nad9PeEwkbQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:fg==,iv:ISacNIgUV9mUb1sQ9aMADggMztehTCDwVd+8kwWrdy8=,tag:8wIEB5+yTwpJUAmejWm5TQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:RQ==,iv:/LNg/CmGGW/fL9k87le7C/f1sWbxB98j0Jl4ngY0BnU=,tag:tIrkTMiSdypG3DZzMOFw/w==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:sdq1YTnM1KW0eocu6ED2wqq2,iv:FE7mgDM382US8IErtIcpMA0LWVQlXq7Q5nZPlDCVaSo=,tag:V3X4GEB4H+QEhIwCcXcpLQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:SCdBjIm2It0bFwso4o3fg8tZ,iv:ItTrwSCoDps3zOBJebf6jV9aJAZ+xb8KlwVnw+M0Au8=,tag:oVaG+D0dDDkqyEaVYcgYKQ==,type:str]",
 						"triggers": null
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Dw==,iv:8hNF0KrhCkIfJijka9OMQMWL+RPSIpe9QIWQVBIkLDI=,tag:paMwJHURmal7kl+x0KgjWw==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Vg==,iv:7tMLjeMvM3Bgguw/FwLbQP8JzFsY/jrxrLDcL8f8mhI=,tag:KYwxioShsfmxONwzE5/e9A==,type:float]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:kVOF8HZniJTIpDKzITaapU9SMYSa8jobA5Ky0X3IcA==,iv:oAAN74NYbutzv9scRO+igWuqMZY3/SO28OcccQQdysE=,tag:0sLXvYBQimC9ZkP6o8wS3Q==,type:str]"
+						"ENC[AES256_GCM,data:lnOvk/X6n8rwCVM5IIWyx8Lt3qJVP6rT45FBOKSFRw==,iv:CL/6Q8WSagNGZfegm3mWGjgHKKhc/w7Q+58Qkxd672I=,tag:hNTGYfPFkSX1moLYk8uXXw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"module": "ENC[AES256_GCM,data:Q7PwbF3IrEvkaCGGzrjdZk0kiyQWBDXaGc40OvQ4GQ==,iv:ALccXLgOS66KBSFtlDAerJ4FfXvXkoLOiY/N8sko2ec=,tag:TrSziK/7VdKBhXcCGe55QQ==,type:str]",
-			"mode": "ENC[AES256_GCM,data:tcLuGfjJ5w==,iv:huYUM2rJdMsZNGm5JrxPLPWIrJuJdLBl64ooxmvtAXg=,tag:BS0O8763cFsfx+mgdc8jKg==,type:str]",
-			"type": "ENC[AES256_GCM,data:fhgdJnfP4iEVsLYnpg==,iv:yDJUwHd0kttHrIkBxbYMzb1o1o/hlI04R8KaEWOOPR4=,tag:1QzP6JXywLRMKmCnzkQPRA==,type:str]",
-			"name": "ENC[AES256_GCM,data:uuccmFqgBDqAtc6mUC8tbD4=,iv:Kjg3e2VOT9fLsJHILsfsjxbE5BdXJvavSJ2FxUQqmQw=,tag:Hi05tpSncr65glIDEmjseA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:IZTHpAryxe56zWwcSqvfjmdS0xzijIluis/cVAepbPS+9LUyYftle5RTpXOYY9Xd,iv:30h45tuBegFQWR3wHij8bBBCbAJzmNJQcRwTejOsdC8=,tag:rN/JD7d5r2VMcAT72puujQ==,type:str]",
+			"module": "ENC[AES256_GCM,data:L/ymjzPOfFtdoD4NpXqnhFSPMRLbBGO/fs63slBcWg==,iv:RJKMNF8AOn6ewetv8drUgzQzaZGJ4Du3ni2smP0l24o=,tag:2/LD7Fu6/50EwA6WhQU+2A==,type:str]",
+			"mode": "ENC[AES256_GCM,data:Yx06KKqznQ==,iv:hsN1tk/jK3ZnFMdMP099E395oltxgFcKysqDBqZeq2w=,tag:p0/ykeAPFkz3SVsORKsR1A==,type:str]",
+			"type": "ENC[AES256_GCM,data:9qnP0PJ2pI7WIWHLwA==,iv:NxgyrGoLiNkxOsgQvsYRpNifHrRSgypAqLiWGjOMy5U=,tag:nrnaYdo52eISV2RNoNHJ2g==,type:str]",
+			"name": "ENC[AES256_GCM,data:hEFmxAtKAcEiD93wxPzFR4E=,iv:wiZlvTsoPrMVd8FD9QW5DKSm7tli/FLO6bdF6F7Nqes=,tag:OzLOqlHn1QYSCMP5FJTyww==,type:str]",
+			"provider": "ENC[AES256_GCM,data:ye9sOmjqj+f7SWsMW9KNiN7w3LUFfbdXfpjETQM8WkmHJoyDzyJkm26Io6tyQVNE,iv:/7weJZ11UmNyFhScl0KrC5OZxCs3atjKUD8BhL2xEJg=,tag:q6/QG+qH7HXDDLqI6S/oTQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Zw==,iv:7olOhHVHLKdVTdZ0m/Sdnp3nxwI55NMoCsa47DuwLPg=,tag:YEFKyoN3VJzMYGL/Q1H8Kw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:PQ==,iv:S2Byo0kJbvIvfufCFBHDRkG1GgkMAjNY/HDeSp+HE/o=,tag:bBvijHMqgOi/bAib2p1lLQ==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:mZquAYOWuctCEs0dN3RF6ibF6w==,iv:aX9FLb5pxtfhUgAXQ+hmYxpxVhqt2qJ9XJS2uze7+2E=,tag:rnFOWCImFQY11Tk1SGW1wA==,type:str]",
+						"id": "ENC[AES256_GCM,data:xmRluhwgGx7FeGFoN0Ghw0Yikg==,iv:VynZzEWGFln0Zc1pEbZwrRgBEhC/rRnc+1gY8qQrXNE=,tag:lRhk3NyL0QHEuiXLPGRJsg==,type:str]",
 						"triggers": {
-							"file_hash": "ENC[AES256_GCM,data:hJE5iF5+zHHpoK52LKqLWJ2ctCnQ/g2ws9mLLake8Tg2jSsC3NYKWgb3zZogBVXKvzKNVvKWlZJeM2/wF71bNA==,iv:+B9orrC4u0ihmoPfadMhoLDzN1gxiYv1iqzQ++tdJFM=,tag:xF81VQTgdvhK5tFw8FKN3A==,type:str]",
-							"is_k8s_template": "ENC[AES256_GCM,data:aLWufAM=,iv:JqLTI0fEyvxdt3dG2K+LdEinT9qDRvkz2QFoQBL3Kxc=,tag:yjaAhAepzEVt+BZA4/jJeQ==,type:str]",
+							"file_hash": "ENC[AES256_GCM,data:vw4Ncwz3KhR0ROh2DRGI8ijbgGvioTzCUUG3MdtsDQ64mxbFvOtZl2KaTNohEI4bBUqIBhCsjE3sXIeh49Xp1A==,iv:ze2zzJOw8gn9xYESNSB4WLU0bdYYSXTaPcL6qtFTiqM=,tag:GRHsDUsHa0J6jw1qAm9Ydw==,type:str]",
+							"is_k8s_template": "ENC[AES256_GCM,data:3InZ+UA=,iv:yGcSnNqhnvvXh0Klrqp4t7c9pJB+7Dx64wEXs5NMrQA=,tag:T/r/YDuIK9ZCdlsw15h2wg==,type:str]",
 							"k8s_join_command": "",
-							"passwd": "ENC[AES256_GCM,data:v80EJEk2B5WxfyYZLpYvZgD1Xt3ahbdeCIPr75AyqbpicwwhO6nUqhlYdh1f7psgTIzG/ZmNE+j/vqLVUs4WoimbgS3rsZNxJg==,iv:CCiW8f9PV9Sj2Mb6yQ+0UMGfiGwREh3FmiaPbZdbCN4=,tag:MSpcZHhNgx1IBXywJIQYbQ==,type:str]",
+							"passwd": "ENC[AES256_GCM,data:7zlM0z1IPC/z1/akcsp+7VRtRh2/245rNLfPKBL257LDbNdVcbCpffWAfvFLDTlyOlR6+3meNfdDengptHVjwRcKf6jdyJpjQw==,iv:8/AQvNnlESlIp3MxH0EvVsEyHgfCH0JPBv6QvzYfDVk=,tag:RRQA+6Q+GkvbpTMWtbhbaw==,type:str]",
 							"post_join_script_hash": "",
-							"provision_cmds": "ENC[AES256_GCM,data:MS4oHTvMWnkm3biUSRG36/m6hyDIAsvBcIfwmXN4YqFrvCgGupwwWvlfITHfAVGP7FUnTRsmG3cIGTK/J1UB/vh9hyrlS5ITUYYUkDohPOZ4R2KobPEHUTCCJEKTpZ+L6AE/P50GADr4awOlR65gaMG080A++4W17lM75Lwu0SCPbCV4nOVjAUsB+as+onsxiMDuZU7VP3m4I7z35CkkZd5SAXrxB2KchqhllMCTZq/yenxOrCIeFpkRsoHHDuxbwXbFywNfhuMMTn1uPpAyNfCMiWvJd4GHavs9QE3lr9oYeYknD2jOwEhLaquYoktB+TDBAATzx8N5i+EEUgLuIHajilZypmhDXQdPc8xjPX4+4C1BGlVbylaHNDN8rDNd/H8sRcI1pkkRb0pWVxUiv/XC7pAAnvcvVPdowrmpbGJvpGmjZufyBv6zKsMyz9YDwHDejW+89elKsrfo/cXa3LNkTO+UjPhnGQ9rMIvPWGUfWDobv7fG4TQ/x84ahzi/jl67S81aJR0ZZ+tx208ypJ6laSsTOgFhaVaSxddp7vRJb4fNs6s+7XaclzAC+x1dxdS7NQKKXBA+g9S8irP3tlLxW15qKlojWhbPv4qr9G/KYDmSd0onuI5xWhAlF6JLtLzjgMyAyRRaxR2+itIBT1uRPFTj8X8Ka2qJNLUh4Zs+f6r8x1HOAP/WbsD+m7D4w1nivb4ssFZQCAkWVBvK5f8KV0M40T2W9eaP2P9J1x3BCIuVV2VqnC7Ocw/S1FnKljYinxId5m+sZ5m/kI5rrl5ZHemwZVG4hjpXuIi2ApJz0SpAbYR15nDNRC450EPLIkbPx9XKsB7akmRma0TGvZsslXKOsYQ5ukCvPaq5fqvY9+rrqTzVd7sO9sGIyQa+9pglBqFceEAXVtEbj4B/zCbeW+yyFTb/UozPI6JWH4PC+jCoMtvlwixR0FI3T5Z17g5ZejFAN4vL3yZ4XutAMoibB3BtAIZ2Lo4j20nbFRHipME5wdWMsQHbvb3+JVWwWbGWqjAjZ92DNRT4d6RdOx3ZKHhApHRLxT0A3mM/H+MQpAX8+4h0sTLSci3vZ9eH/aMF8NMOf/rT1EQfktmYQL21LaA0AWuODB6Dk41AMPSOGiggNruG3aYZOawIOhhk/6MOOuP5QLcIdNiXhxPHaJvfwzRXGKWLEcdeQzMKH1LIHroKvvQwSOZIPvGntMW7N6nmC7QMrfG5nkVYjpmEyfDKQ7NIEgyymf8rk+sJwzkdosAbu/7dGHNE0Kdo9mayQqnRnXm7fTkT5iaI+OP4F8KMY/Zm+pUF58oVTXORA1aznnt9b/fzVEDgDJbIwhdhmTp+msl8L/dhGam8pOBZI+gJhVHqI9BPyLV1QzzXak6II7Gt6F1YBQvkIlf6dLUZvkltYCLS6qAB+PtneFhQO1TyEhItC1BCi0cx2AmBPN18PY9CtAW6M81xRk8uhV4hlBJ1AHMzu1KrWvWE1nZewFNl41oV3IqEUuxM8ScHC81Qvp3cc6raj0+6sNqWDslnU1bue1YdK1STm7ZKlneB/7TpZL/V3HeDAffEc2+12NhZb4mKzdOSrvgN9+mZWqWNUyXGEby6f2i0XvI4T4anF2JddBkFge/6HTxvXnpKzvjaEb1GoJT8wfhtNxzG+QmyY9NuAfZU+FpEbThZJlP7k+F8wxTif6KM9Mno62gbQcKy7dEFjs5ygmzdfN9r2x2uekr0n0zKOSUUu/hkKYAkhRVBmmULGh0A/mjczNbQqStMOYL8p5OQwe/cB7QTpCoqnCMdhzXv+EDnGeO/GjK2rJaTNx3vnM0f7fBlj6XBRFPV9R9QvBy9hRRDuOqFi3VlzT72aQ+USgDHUXBldksPWYYFvyfQ6LmiTQFDElVGUilK9+LDitE1vRBg0wflJZwCi/kdaU++sMdGIir1+BF5p4uxm+Gy0N5lEgM3ZWCSOMSTWplLD/k807nUBYZ0t/yhK5xwmFM8FBEsU/foGOCIQpNk2LAZCd0ri7KTISAKMuOEkMBNSKzFE7Wf4AmnNhha7PPYq+kNZCqv61OnI6LKY9LeJVQOpphpQYwc1IDgV3IQjFyRvpY8HSnXUUA7exKjpDl96dJEyH56NnnKjbms3CJBz4+Hq8AJrFAPoGbXqsiNDfCA8lSpZnvVYf1LbO621HZFUkrnz/OXGftddKlHTGtNQdZm6UgloqGdJ7rC+taVgLZyYJfju9l0ydoUNUepIEgDNQKvHzA3rr0cheHNPMWQrPZKD/x6S1Fm2MvoYT/BAdFshnFhktz3WdxLiSwdgCaWNgyHEktBYPOGlqW0oISAwZvrEWgMidLgLZzB5urKzTSHfkWCpbMnyO+QqIGCZvoUjPTnIEXGhzWlmYha8l96BYcs8ujaiDQMygKRupzOu903DvpY40NTegAYc2605TbZQ0Nvza+9+W9nQ7DHLaYNCX8NFrgMUiM1Cq5iBGmuceIlNp1VObvzQdtl2ESQO+6rriTgex5Y9aW4P+F0OPuwFpQrz30w+Kw7b/Bp0at+XLdg6x4r7nTpxA6N+Gxgz7Ytqz6DXaPmNxUNPEEnPh7S/VBVLlya1AfOGBeYtq+Wp2y218AFluQBeVM8bdJh+Ys7A+IgiZ26NPPYvQb05fvFY9GSaV+Qbm5DlBMMtsivi9feF+ks51E9PKP5b1/TvXuLoFXqsfAC1b8s+jXsjYEvDmqCwvkGrCmblWCvCLa2Y8bomaaM2hTDYUD/nDQBPZkZEv9rXyJzX7v4n57COfcvQeHlSbiRPego9VIsIe0QtpRiZto78nxLoi0M14E/0Ynv8W+e7mOJhy0DuepEs3Nj24zP8ELvx/HhekYKKLJjkb7Yys/jflYZJxPV5V75/PJeLyfl435evShyQ+K0F5xhba8RN0OOztJ85FOW01nfNgO2+TLgDEd+Mn66mm/AwTesz56AvpWK0/WFNj5k62xvTSuQqhEVDfsrOqHypdAlMif4U4pwYYaNBBfnsMPsm3XFoPvPptOv6JkD3WzJGOvTxr6drCCESloFd3zaVJKja8VQ5dqeVz0RPvLn2/vUwIjBnwm2XjQr+ulbo+isr+y/HQza/i7AJ0YacIAK32MUfuLkAePVS92ATQcqSeg3B60PdMyoBYvvLqYF4e9ebhA7I/c7uXffTdxEWZxnqzWgmjQMxJ8JJe3uj9EsiwbWUkPwa5cOvZMPYx2scAvcobAqxRwa24HXd5bAT+6owSG1bHv/51qRZiU1joMRbwdDHqUUF4/LyBS/iB+HbNmgeuWK4PNIzn2BfsHBp13Kq4SBbvJSkGXuvCal3HZeHJcG0Z5LYbauRqJ7z6utXH/tPlYGEdslH3cXiNcW1CKYwjhlaULVG6bAO7dDKkY8imVbqXfj1WWt7lY5/+rYoPNr3s+NejSw8gyNoDWz8hnx50wKGwRyBfsR1DC8xf9RwfwPTtx83+KvoYXMLkwLILurqMcE8Fib0lxWfO4AvlvusEzsXyxvXQLca7Vs0TUxis7U7p/WZ4HPpCIx9D7RKbHY912EF5+4gJTih4BYsgPIXCOwJQFzc+HfmP03LcZjycRkLuwMqnBv8HA3CrLcwOOtdLroPhw4t0yaqpyfdbz+e5DqFhaNctWipsF0844sDvAw2ozncBllyNr5WBtipzDq7ARpc4wOm3Z3v6dHjOM7sGVjAmyy9tepOjBFRMX2mTB5E+Kzks6DYiMZAsvx4BkDkgSvp9ZO/QfrRYAxlETf69vGR21JhoJHPQasuoz/K8UWuW0j3mrubFuaQerxovwEviLJeoc14c7S7qQYIyERPKeg/A+vNRAv/aw+B4uz0H00k3C1vgK9HwbsKW1O+No4OtZU9/3QccO3r20Oz5szXoZTnEo2lG5Q12xVJMe2dIpqLVIfh0rHcMHtnKZZUCh8j/O3c+bXoOqPq/2MvCO4M8TWqx+bm6ftV7PzYO/E19PdYjt5ZJ7A8s/mvbgY3wc3nODOia7RiW+AByNC2BPaAxyGRnSkndlEJytDPqVIPTKm9v+Mfz4SDCmXAGPA2MYrTode+VMjh8I82fQYpObgQaYSECKknLbCwtRa5pbN8y1nXWspCz+fepSvMdIw/gqTOoVBLLK4T5BN9D6OH4ccobwdFe0a+verTk3fmE8az8ssBR+SOzC97GGUPwG0O62KRXKczKZFpRbngQADGH7k/kjIhV9oK3URiCYFvDJ+oC4bFS53LssRYtxoy9LObPhDhKr/XQroH/KPWf25QTDWHBA9fzE1H0niuxcrHQHSyt0//oqqLZyh/nUZMqZ5slZvkWZzXhcb6WQCfqGNKvBpFzyAOMOiUYMQpfX3Jg49GUjhZ52VuQDlB8qjZp6icteGpgxbfs2MpYMoeYVf3t1g629sndA49eniiIPy/9QPAtx0kYWfPuB5cD9E/QkmO8RtuxhuP5hj5cRiG1pbHHOPpZ40aMlA6vy7VJ/bzlGizsa4ZpMU3N7QzxH7Rpvd9LEYk/RfOf6QbTQUFTWoxECyqSkRaBWn00Q/niT5EfkkF+ue8iHi5ArdwoZX9TO8Lo63wLOxx9yjNOq+SrBr0/6a8TVcgPPN4u6fvax6iA0WHbgo06rfZYNWcYtF9XbcuJrgd8MVQpc+aIHiA2yTWIs/UkpeLbdvjqPl9XNrVGPkBpuhvDhTifBYXiOBKEr4ROotREi6hiOnuurx9UFBfERYvR26hmFBe4PWXGPId7Hj77eOaZ+4I9t0v9+LDrZCbwQWg9pzE0LxKrINyhEOLub48VefLuVrBqtS9PqFNINYWg/sRmDs10AnbOeUY1b6UxeLnl+Ek1HltxaUudx6WZ8PQQr2bppWvEsuwWT6kwEVRWg/1252DZWUQvsEkSyKjj3/7QcgLNtvOKfHrqbRTX04WeZotCa4zjLIvRmlkeVS8p/0XyCjYKpUul/FqV0raEBAU+BVdeA+QUXS4/vwOdXwksShvq5ElgPL3klaXGdKFWkqodVqtvZAWSPS3gDS3cYwLT7RW2KwB9aJhJWtsbVHNAyXiRr5ixy2YqbZcLHS4oIj5BAA93gFZYNfsXngZLwUcee4shS9QLomZuRdAIsPDabwb4opj7D9ba4S2xD/1zTLYw9+vkPTri0dLS1Ilei4VIVSLfQuJO0bEjiKr0KySQehUbktGwSMjFUQ0rKQmqoIUKvRWPlHQzW8zz9hdeM+2mH6etVW4rr2bL3Hw8MNsv/GjWh0M9pTNPSiARKOBBqAyR4eYjiYBKsSOhAY3TcJS+SotMQiiLK94EJoMLdZPSMqdMG6v1rafoH1HiLE91odBh/jpKftaKjsBAxEqSQAAVC6InIJc8gAxw62UhEHAMllMwX69AGSIgwUg3Pdvs+4Esrl3eRJsxHneisO/KbcBUd1o13Z0rBAF63gsMOABfuMv8snFxaxFzzAB/pR6G0VNJ9YkX3dNU+iSh1bMeYuzSVpNSs3pCjjDyvPCdR4cCqeuuNICp00h9mm35l1SQVw2IUBkq1jCL0eYXsobYw3fr8NS5PsPtXvhTop+zo+o1A3Wcsy64+LQbGtwTxc6cf2pr3oBR77HfsRiwt4t+YGqp4MkBlnf+Kgxg0QHZHsBzo2WI2JxYu3861+MH/Krh3IY1tZCrY09uHtSTSOYsJIyCdu+CD3sdrXqE9y/LUCgD8ohJugYOGbKQsTBOT5CSAKBeu1Oe6QyQGM5Y2rwi62LD1TWroIXi+JG3TSVPyRRX3rqRHXf3awKlAE1OZaYtgj7ZdlRynKR/yif5OUAy7GfWsyDkC8je83Jz1qTwADFgtLc1C21qOKMFQBRRrEayDbIXV6fkmQvE6A0NKSFZPvO5CTVdTLvmdawPhcbFLlGZSzsWvCwhDb1g3j/5bUu0xmwTs+CANY0eO4xYf1MwRfR6x3EignaUUu+xfyGJSF3vssSYyR8P94aQNWZ4Yq8macYhphFScw/Jb0Hwyo9ECU9M2q7CHhBLpMFSlbJA9vePjws0I63oXcJvdXxgFzr8hMzjKu2iiC3f3QxW9qazv9JoYtZAhoZjSWMTSZyEIYJVxXiBIscOsMAd3G9P58rhZ1E0ccE4NcJiCMQvnLYsgGIOZ/w4PCv2jl3UxbKJb2Ypw00Lwl2JPF0MDIRZGmMciRq0HsD9JIAtpjFGK5JYbDC26LRuVbkNwWvH6YNZooEB79qJ9WfCBiDR455K2gLRT4em7+UGBEJvnSK9iB31hn8yX7AOJfFkc8+GrLi5nW+nh9eV/pDiFXJNPWaZ11V7xymb1pr4UFFJ3dtD80UI4D6l04ShR47reH0GE5QLyD39imhOxzR5fPA6sps6IX/Qf0crIFlB9r5ylhzyVdkiqw4TtGKqoQY+3+NZsdU1NXNPKyJMqVzxKP6da6uX1Ozyk776yOMu/CKpVAdM+SoEZj9k/L9IqcUJ/4HXZ/j/iGeqr0h1te4Btriu2aSyjt+NApijLmGJdA9Z4nMPG4f/PL2jczkBMtdkzrbxvMy+IuKEXgYHGBQjKhHreGKIt3/hpkpTi2rg6QuNyvJ2L4oQd3Qo250vM78Xl/cHwOtefm0s5Me0csShEwjo5R+dCebWeuPfRy+XFiuYAVfe7sToxcMIHegqFaqYoLNXoPk8So/hpJKMVSjUeeeY6u8nAqnw1o8IeuYyasGz+S7rWiWzFahWLIbEoBuQT14kFh1zXdqZrbrzj3kwlwN7kCr3UuQ+S2gwtouzmFWPlf5lrRHnGezsot4Gc3uSWaRmBCYVJtXi6otgHy77iV//ITiS+F3tp3JYbeqK9e7ZKam8l7uOcFTPGCR//tFB25Fs0CINzI/OgVqPD79HLmD7nOB0oZ3BtahzgkngvAhhnu5Yaa/DUHej7Z9RTV1wjndzNN4BJULVSWFsf438k34TQacqAv1395NBuN+8r402/bVMF8LmNW2yZtXIQ8oiu7SPIX4y0bRvNVW81pB51nJ6XOG/O60DYIr6oCepg1FLM7SZaLdUQdU1r8l1ia+ANOi2Gf1GGwm4GLZ8nw/EWzaIFXAqcXLTpM3Edi8e03HftAhLPsyWHf40BafNu9hGXjEB8zgwZBMbdAZA/eo1UShmEn5EwuBxJDHZWtPFKVbax4WW6xXno60LFBfNsdehjLxXtgMqzTjwwewRsWIS/x9lBI58NcP0xlH1EYLLXZibtyUojTUPIRUBFzUw9M5R8aCjayz3sPiENZFxkbci2GmQegTJe1k2KX5846UQUJtJSGgu1BGthJkHyRbrNlJBxiGnD1Y9Pzc6CuwVjlBTM4BrXkmfyNg1pv1jcY6GSXXDHRSHEDVcQjMM0sR9FgUrnlTO68Q/d34rDfQpYv9p5wZpKXJpPW4L4wgye8EkKq8vMkRbaXf1FmhzPJpSjK/h/vgIJk/mOfiafDp6fZAJRG1oZwprUmMkZni6Fka/OMGnbHOUGvAi6eXxQXViUEtEZr913hyv7aZivIYk+vT7km0ixZBOU4abQMoSbj7lf2UaPOTrCM0pV98htO6fY2WwOMiMILkW/OSrvv1j8+tNT2VcmhlJy1dQpPqSFRkHGpNjGpVUSiL3lnxjgpX47x7QVRtZaogVja+MFFTmfmTTTZy4cmiXEyUcE64UArAYZEF+ZvPkQ6w7UGdVgbSIqdAClfLJBT7A090oUzSErhPLyjuDNqSb1Xwr+ENRdhjHMvEHhpCk+6QGA9/N1T1nDqC76MQZJqZzHKufKV3/Mty3RXL0u+lsz3vEj8LK/sB3ttV0m3gAjWId88lbcltsF3qEqk8I3Ld0NhpEkpIm7vr+oHURL7JdpdD7ubQxPdi9nAvJA95Zb5C1p7jo5EQKxcUL9sOggfpus+D0IoN8FCU13qXprM0W2Y+KjTNkIGS8W7BNOQkqF9LXxN3UTeP9MW+cg8shTzQMwtEMumPdZgWql++5VukBcFWWXnRewwgapnuOq3u1tbuJ6YkpgF7C6zIbR1WGlgy/oN5LVZkgCv1u3F0qR8fLrDv1fdpuXHpTTT92qIgDwN1OnIwwpESKziL3IghmpbGA+MjWLwD2Zolwcyp0EknNC1U/qxgHkK/So7H446XWehwfIV09kchiEnKtRAEteCy/L1dSuzgYSyf7gHC3DWxDq7FBOZn2FbOn2zQzlUIvCETee98jkXzGb00yM6W7Si+4GgQ+/+TbIeK2hW6nOnUaPje1Gr/eXBEr/XAcMK1vz6DCs7kSvZVgI3c7ft3qeGooMiUkiHOelinG+Vcjj2jXKK+eDnGYP5OhgSpRicv3+jIVOBUUD5dG2QFJnzVNivxWTEvV5fyXCfcoxr3I98SGRCEJLiMOojbab+G7RsFlTuhSvwAxNp7t9m4BIZxvfRMUZ/oyhMKz5OB3xiTow+Ntl5JbdYWg2S9yZoj2tbaMa2ZgIku4qsGhmtM3JHBx3cqoftbqqr05V2WRXNkt2pIjsyltWadQ2mL5RznwGFmOK3GvRE+um/5jvoiFTpdha67KVU215ISECoGGHTC2hMb+GcIKNLi7U+ZGdpkUKmyi38oGhBBBvOyz2ubg856Y/SIGU4rxCgBJn9f2mxZCNHkKCaR0tcYCUaVcJXbLN73aJbg1J6YmjXvzoEoXzRT7VLA3+MMi6qqITrtKsTHq3eKjiW24OUm72qZT2qPaAsXy6OZTChDJfJCszW0P2pE8pVsjgA2N2KB4Qq/BNwcbPcz7HvfVoWsR0uISDvTjvIuKRaKhuTRKpCDkwsCD6uYIWuIuRLz2psIHw88eOg9Okch3QWjkcg/zPV0u5e+nbhRoRURyEDT4fB60d6+pdgrJXveIAdXwwPjG0/LwtrD8PR+6ZclwVcuZAOMuz+qr+ZvFKvK9B0qWpWGrJ+3rQFRUyo3VxkSXtKGilxpBxJiAEwR7RVg24wddZG00xphkGcppgWcHlDRo70L81fk0JdgCWBoFrCyXghNsNd9+mFQddlyvfreXSRis0l67v/FaSA1A+bSj1Ki3vkaqF8p8VT1G1CSKJlameMz8/+AKMCR7uhw6wWAegw0M/t62K3MiNxFjGWhFUGjhvbvhZDT19vV5EY/rVW4jpaz7B5ASo63YNKpxry3a49OWau65r0u6OlPhju2CLwU7gQcBy6c3GYlHxrTfwDyXWIm4fhVjrEBQee3wHs5yP1lWk1Su7+894Kd0Zn5TglzOXIGrwMuTWakBFvqrGlMmmAFJWxDgYPTaALPaL98sZ1rWbp3p57FgXaPXQhNK+qkYVu1kW/miBMqSl+Z2B9LIaX8hglV5okeko/cA4297cAaoI/Bpahcci2/xel+AbzXYW4PFvaG2RVcjnMh7fQ/Qxatg7rmQ9XpkVmEbX4CKav5o7ePvssE6n313opqf63XvRMIAuaWhTk633KETXfOe+1epVvTciJwxQTIw0CZdvsB6vJ/7BaN8+iBfLarV3Q/yAktH5lIDXUIUudNdIPzkD69LpVbDev91cZdAMdISDr2kuqnR9Hm5JfRpmRLMoHbjXG5ip+razfCcBseo5Plt4SRxpEw3oO1T72+54kCWfAoBy5/KNwCglORK2ppOr5GO1jNEy5tN2VxeYq8A/WbY3fAE22kliYt7NXDbX1qsuskp+ehaFnJQXfJpz/87831RfydDJ0Cj5i+q941JtMzGXDM1PaJWHPfSd8bCJjAanYJf4jrAA9Gm5ES5bAL+3i0HsjsrXWS5dgmfdSaRZUG5R0nk9me3f48A6kPFz348UXeUAp7Y4BmQLoj5XfEJF7ALTjyVxJ9qKmQrTg5q4aM/hLG67SVg+NCr/vvOMfM8z4YsxvxlV/95HKmKxstJjxzRfTtj6sgwFjc33YXfsLYVtoMvLOdgP+pS1Hm9Ue378jkqIuLvD2E+vuo4KqjE99zvFwVLx0WvitZmJsKP1OUKD3Fj4+axm25DS6aq4Ml+WaXT54Ui4aX4hvwHQOFaE22erZjtyZwWWIBh7IEVo5tHDJCWD8bzj6T8RcJHeFzLdnlKDHT/WEsJSfq5LYqRUrcElNgHNoJPRqWOzmU3MGcXznm/47HyPkfHE7qw4la+SOrsLxfowj6Thx8R2z5UOqyf5z23v1RYidgwV/7CjbYCNKeSahF1Fc6Z8KVA5AeeakDfosWLmRlNtqoPjjAaoLuHET9iF6oM3/FQ4NZcrWRnpWD+WBbs10K9FS98XL6ACIQbsXXe8BtreRBT5/Zg8PftdX4T8x6ilxwAh6uWOKj4D3qRERf8KpsvtSxyPkXsU9i/4KH92Ew3xrWcXxMFyOqwscS41FI5nDgCxTpf/+aUdWDoJYlhLNi86wZhOq1WuJCdxGsQzPy9tzml4czBYLWTLt05w+CX8SGipZzPmOBxK+Pro6dqE2tIJGzq8ITkN/O7plT2e6DnGcfzUzjbrIIiw30zL6W8m0shThejEujY34OeCEAVry53u5ymozAVgGB4TAKoP50WcL43tWX/D1lrk6ERVwsCTMZSrcnby053zNSePuyNExdGITzrPpWMP4l75sZIHZINXV//yQhF+jhkxHN7r7PbDqsNtnrAYWYEMMiRB5lzM3dHiGjc72brHgb9lL0BajGNmD+iTTGRRSfMO8AS9MNTEfFj1T5hhFuZV9J3K0eJSh77A++xv7VmGQyUBynX/DWdLzqixEzZyTAK8w3k7BZGXp9/7NeiNLYfjgYGPpMUaRYSGfgJEjL8nUsh5hqhTYAD5TBgzw+ezBxScui5r7XkG+xz1S+WEJ/ayaLxaxMTn8MDnKsVMjA3bghFfzso77TgAeNKVcR1fjwJlvYscqcuTmAowVmgD4Wn4RYyJxb++1Rfla2dk3Odok+ELjIeWGncn8jhz3rZCbSMQT0qKnC17/MJPmCCCjLxVCJqMthqeo7snpm3Nk3kguIB8aeq3zHwVwrgbq8J2WrVQn6t+d3SaxIErdHNIzSLwPGEnrEb6pXmeSW69P53WLMf3e0xu3LlcZXOWINpVNjqTT5DOTwsfO4OWW1coBO6sIZL3OdhjAN9M90LVhLHOSG8sBFJOOMPKeaDt52peghss461XNcO2jxE2piFt3ruyDnjX1AnoVrcYowt4bxjkVLxD5qzkq8xlPWhp6e3OP56m7HuZkx99vrwEecWl1nIjzd6fD9Zxd9gsx4FmmhJkPSy3AVdclZEKPjr7sGmmVoiw215ekG8Riex2zeDukipSmYeThMnyc0iwt6P5S6Fkbc8NZIz4AFZrqmRcL4s4e9JmmWGxQY1dqwpsvRBuXoUx54LTtPrgva5gxlRX7T731Fe+IJEc3J6BqqI3ad9P+8Kc1bOi3aCtJ6AhzeIawlvCv3MwzzrgQT540t5wvp819jZP74ApYduUBTkZi9je7shwTb0MTH26vVIL3VM9mWB6+6Qy7kYPS8dIdUsaAcVfVEM/Co/naGE05yilvgVdmwx7DntTB1dgP6vziuu1Hso06l9jn5IKC53u5egiczUKZ5ESoOqzq1D/TbkdEO95YmVxumN0s8CNoj3fQ7PHL+aJIZN+i48jS/TdNJUPt9Bhs7Az/Z0Gihf4zor5Ez2/EM8aMba4IXMvrKDIHS4T2Yvgl6kdu8ZrYxJW/fjMN5asqXumR/HUsK34PUrvdWpaj6YcJBYx9FKGEN2MxU4eTRV+aEIfmyMCCfK9Mn3oEugynslD/LmKr4yZQ7pyPbGa8ToMBUtIikj/jncZBGCU4O3AZyhBXAjGOXzxGJYRfA7j8EzKb0EDFA4J5GBIhRHV/j0Nt0lI9AshHrNQGDqIkajlidB7kwF5rA+1iar2LY86tnBOdQcwkIeIOgTzIBENls62SP0wCzujDFPs2pUElZbwYnwgJeBNw1hdB9GDYmD7eE9ggPoS7ofHHEKEcsrG4BDcAmUZpisScT64qEV26nC2ZRy+IOKZa6szUz74Dkzk1uxG7duVKWuzuR6hhytmgOn5Get9P8ozYi7giUrPh1BXzh9odKWi9RSePZ0KYkDftzXKiW3LKXW+aFZYeT71gUpMfkDj9Bh4JReGymS0AH0TJA7ZqaxwXcMEEiUhzc0woQmIAn6P2OQ49ofDCszrQvmniCjN4xdbj/Xl6qHn6ShVFaasNG1ExOH4Uf1Yh40oVJSlaC10Lfiv8LNrYRSxlVWrwcG9v7r+xg5N3o9np+MShftCtvhVE79RrG37fjFrCfF0kJ9nG0DQX9b1TtWKIJEd0J4B85ePM8q0mNtSNr44VL94HdFZGpijbPgW8HeUUgSwBXy7TlA/yUP6FnbwCI87zWuQrHRYdtQ2cHNouFY72gzIWKVGpLtVrRYNq+hWFUUjnQJxhv7RLknNC4KjEu2TSn5y2ZndRtYvift+e0RWGOgsN4Q/ByKa4bWsb/1zrKKz4XK/lRIuLhG0ogW4TzOYbf0wN60SFaqT3/QP+bSHpyzgUi08S0PNOWsfvb+V/dvljMfW4VdgmCQNq4J61kYDni43lsDtvQtr4C650FCJEKyiYlpjZzYsfWeRYGnd0fcM43JDgDR5EJuNmOr8K00qxBsqbWIpMq8J2JTtcEtAU2jH+SpMw4F8iNTvhIybVfWUYeGQlMHNrRZCVciEyIMDAX6Vg7Yumxz5VcZMLGa7207XH/Iqy54/H961FNnCu5uQNWUaXVxZw5zqNu55AFZJd2Y0uB022PmRqmCRsb5nVucFV7eLIuLG/BiM/mu8FEqk3WHA66viZXy1OwUo3VaSK9K42CqKsOpE/AyH7VrR0cbAFIlEquQW4DayJQ5NUv4Krv45hscJHrX8XEdoMZFTANq+hVGTH8YhUB8CfYAR/nhLnc3d9h2xIzM6qaEBkrD9c617umtOUggNsj3Xi2CvsjJrIdeJgVmjc9FwrWBaY3IGEMxVUxz9tHBReFLgk84jF0ISPP2Ovd8j9UMrSv+8GUs6FFKvfdovLT/B/pKBhSWvVyzI3eFTD4o/6FdSlSb0Nl/rbABfOGiozr2slZP5aIjqLIV7at8KG5ZELMwBfEWqxhHUbM4DPU04fLWstI/aOicHVxNSTD6z5c0kcePCNgLtLlUedLMNtFLhJsqftXaiCIzcCvAaeNQ3l7qUj0UiVoQU9Py7LvMWIH4+VX63gM91z7rQhDELMAk4cXxs9J9UxCoBjxu5QbwI4jJk7E/stbrxYz/ckSHLNtW2Kjy+kd/LX6Es+3pVqEWFDeF7UtclZtq095VN1cf7qKUwK6bzCUvKR53KV90IdpmCDCimIRz9FmLSorCOcdoS/BFyoJ3owUQCjzjS3QuL9kvebg+yPS6OPxljWFUOaUWmNhKvXpZaZ6BawTgTRT+FSqOqwA5d4crPjxbtZVLzwSJEDtD9ZRznDDxiw31umTfdsT77FWLlldkUvFWDZL/aFnDl21AU902Pam9CaRsmrweudXDMf1wikQAsPrDjpAQkJpOWEdvrN0r8tDAiPzVQ6zwe6RmF/JKl9lLhRC8ZKQWogDMue3cCRfWJLDjYHf44+aUFjhDTAvMlt9QjbtHN1dnJ5GPrFxb1hfS5kEO5Y324a2EqB6M+fLnf4iusEwaepb0TD8jR3PayYam0+LBSIt+XizBLbPBdn530uEN8Nj8hk+QHj+NoaqpEeHsW+5p3FK++mbyjlD1sQ6jFVdQmrwcVyaWhBYffybZh6qExwaknPmo71kaOt3iRuzR/igqhQATAAg/Qh/KDYU8IFZf2svEvluGIBPByG4cq/Sz2oNmXfXH++O5Stc2ymW4Yt0is9Bo3FAhOzmAweIoVADFWWw/45ZGFMr8N7P0LlZK79AWYXl2HBmUPIgyBwuKUdxkshrgRMnN8zscIBNRMtigiUNS6AdKJVc5cDisCzCFrF7ATavkhU2zIV8zgwZUFhVmNpHS/P7fkUuAcUxkMtttzoTkkyKlY1drEQNAL9+LxT9lI3LF1oqpwq0E4n7wGQBxH7Kss24UPfH/xuBvzIWLy4/0gkia0QGdfSevxyu+zwXX1NoROwUcPw9iQL0eA1IMnYMhyFQ+IgxD6qsogBAwlO515nGDaXksJg4aSzqg+lYYAWkD5FZXvloTrhsAgj6M6W4VtNgvotkVj9XrgXlOH6MYRURl5O5CMCttxwaVRo52DPbzryFLx8yBZlvIP15jgaKZI3VMks8K/NwUbt38QgoSb110lQl3JGLWTsmqU+t74O+INjhevo4k+eN9grx0QentgdcZhJCg6GrYC6njkcLSw0T+VmRJgKkdQzF/RNnE0IFFFsu8k5FEPk/XRVtt5ETy6YGLCzppWGCS6H0mBcP4YPSA7w8j6bI1ovU6KJv4GbfzVeja+Xr7KsrhQaxiwkbVn3neoG1lS0X4LpcIQVrhcNBwMbb2elHQpfenIb+OpYJ98PMINKoWkIdArNzXFXjBEkCeStfi8JnFvYKrLTwydwaeWWy4ME5p/IE8xJYbCamJwqR+tEeq/t9AdCGQVwPeBjzHoVQlNpxD1h1u1jhnntgzdKuU9KI27O+UcJxROzIQzd/1vJf7NCXsmvOrMRZGw176dIvluMg1rULSCIIm7XASLri+WZzefGaRcRfnMFUIWTFqRZFABnYwjhtbh7Kun/PUhmDrUT4YZ0gGcLmdZDM6AWn5LqdoMk6a7QltMMYfmn77qa106oMOp21s3evtvbpW24GD+OMRQW9xAWFkE6XNzIN9oEIAEOwYqiPBhSDXxf96Iz+IgyWtxSsRaHlrzYZ7rqKTYu7TzNJb7tDyPavSG6MbMv7VJHLvsOjJ329PKgWylUg/MU9YgurnqrxcSXJbiyPGnEje6QVCLYkjTrq6ACQ2ksI06d3fRQZY+TxwLTyY4zU1dtDvLsaNpSwqIKKfGRv7gyt71vqjeurxddd9Cn7WRVAqiQiAH/33EMNRGWM0GVJJHOp0BMv+RV0YH+12H9ChbaDDmgDQ8O6oqQ10bWb209DkYenu7o35lQJq/MSUvOjFOV9iHPWv9AIXuFh/6mKyjcaqGSMwXPEYeHkpY6cJkqTXuMgJLFlvdCykbKCLxWkLkRn/nv4+QR/cc3hUHHfixRVIvcvbUH/ypkZzqCHu0UsNLDiefbJQr3WT6DqnUkfIOko28oX8TVjaUV1ImzKntQGG1yyiPpIUnXc5tIFCkJPLQ7M76yitOrULTUn93zeTEkgG7fnn0XOZ6SWC31RcAB8V4rctr0Jqrn+1P8iSlZFZp5y9tAuwC7LuQi5T2A1993hG0VRXv/atlQgY/ujhTV9V5UK9C/gRa7kgdns2x5Sii3blYg/Nj3mJd2VlkyLq7NMK6n/ZkT1q7A7K+AyNpf4QYGBv2QmyeKn0CMDZniEKviYLet5ZGNXVe6aQ+KXzGWi6SHcM9t0fSNbgftY/px52WHgInJ6DJjduyiyimyRiiwilIP1/uIZUHECHK65poGaxES4bgYjHwUIVuTI/SCEoKSV8wJYTfYOaL9pl35yyv8jaTWIVpiF/G+ot6PeOsAYpS8ECfiRoxyHHn4Vr1FSt+WmXx0NcQvj4f/QeUVM76wiCdaXoclFSAuPBzk+xGJEXrqlP8fD8gXQ08HSudSMjYkfG1roCynvcagL0IS2rVHNGUtj2T9DRc1paeA9d1Pqb0gYVbKe3zTtRzHnd45tdDgXralCDnvEzp2xaO/zWzfmKrIIIRci8dZD2kCNfz9CTPfB2QuHF1defs5s7QwNnVObNTdIOxcm2BC3gLh+YujlRQIkxGb3CSC5G0rQjJA+9xnvZfmztEY7fHSSSw8/OhQoWrvhBuFOtg/2nZpnBKKB7pob9Trl4xHju4kXs70xfc08iL2yMlYnOZ6IkyrcLoUthgN4Kz60IYbCc0hM/5Tob1TY08HldUCB5HltktnYqWXcDwe28PsNLTcueVOnNF8uW08fmuZjPub/bOWwimmOcMop5EGlBJfgGLFBM8DwfosvYQzZU6FwTZWPWIcHKIotUREG9GZb98+h0AUfD9FWIE5o4tX+jxMDr06KopoClLVk4HLGOrVmdlFmuMWX3S9NfZkUf2Nkvj274z8j7hBMAahl9VHmG04cEB4jtvPpAhRK4s1kTmMuqN8hQMTvDkc5pA7MByNzBcXwdXucJLUjvHUNoGhx20xXpANlC6z56gQF5rQzSs2m5gatiMTgFw+18PAYqB12GC2lyYM390G7GHXzkq+ojdWkq/N+457kM8ErJ2j8758I4o1zoUHMQDNBVgsl0/YEa5iVIDDoKbdMQrE3QfLPMdo72RHP6tQrCaZVa9i1wjRVCruTSRpjnePZZhjVgF20ZFTRPUqhupG1egVxJwnkLghWZjZOJtuynqlKYNr8x4ZrOEpxjY2RCF8lFA4fVnz6RqZa1u/PAC2v3yfCSiXyzhCOPSNIKXdsolcS+BzxtyNtxlR6VLeSHHyT6Ul48KO53DLeK4xczxoFLMrawhmroR6E3TA1nyB4nCZMD2lL8vtRP3RpRqv7q8j8NfnhYyQRhDgdJBtfmEz5c12TUBEz810XSaMzB2L1Q2oYXluSZjFDJtKkC6vQ/2O7XQZVRBEHJRDZySnBa7y9nGR1U+pzeGvjYTDvKhhloaZTlzIFZkUJtpgWhwbiDUE25Usz+T5V7UVAi93fmFTdz9bhm/3HjBnqbNFY7/KkVY2vg+AwxB0WAchVnyhy3QQ8sgBv0MlZuCUYgvVhZhcMXlGUiWdnDboquEA20C0bEnvFU+yj2k79GKrM4GIavfK4c1fee5B0aVfc5pK3fJEsiyxJ98h8HSz82a9z20igu+VCrJJ9TF1upZFlc36/QsXfxqclYsMj0vLDAbzeKwj4rOoX+jj1b5MQ/VeL7ZIuOvMmdz3rA7U1rZxQ+Ug4wJeT+KiI8LFAUDDNMttAJM1Sd+7oophbP9YTJN8q9AcPK+XmXO8vcuiRbt7DDmG6sjLjxNY4jvrg7bm3GyNzaBwOHa4yQYNUk7Dqu+D0OSBkD4D0/FsmWDjsmsjMqlVDv3htVYB2Tra89hHm+xmDqqAkaquBAjeFcRCA1UTaTe8OfCKK8VgzPWUjLvvunGc+sKLchW4NCPCD9WzXyDkvSR1jzV1iqk7S8RNle2c76V4XxGvqTQXgPCT0Jcul8pqscfCPwHt1VkJwvUMpBojZjoIhYlW/24vZ2vvDliRqLUCLTuUxec2ipfXL6MWgRAhrLf/B9u2qv+ZxIp27gvN5eQFFWxCssKdZPYkL2eDSOQpUFdlh1r+0jLo5J3DAA2S+6xUPanRTep4J0eOnijzbplOCmAiFlTi6MVUD8WIvbBMX498i94kESZe1xCq/bG9WSD6+IZ1uYiABfkceYasO0EY8QdSQpxy46jgYfBRMRyW7Ax3xuk57cN9W6sav/F6ad6mAl5zEcZFrWKc/mtpLkRnBAa+BxQukWm/+poi2R2FTqs3aVfl1p8wzzevwEQp81XtKAaAQUaGhiR1juHa3KbXvNwqDDpMZ9EcmdVqnCOPzRPOAShmlU09xuZ6TByIvzxxt6ha+/Hke8rrKf18aZn2gN/zReRtECSnvrTrAmiy1RpqX0EEHj0AY2+7cpRb5znzSDJJmUTGBPUld6UhNjXisJN5MzSQrYxykwj2Sa6oWUtmpy/Zaiy5S5yDnvIURdG3uAZlVw7Ny+YaxoHewr7Qnew9EBJ6V9BvxaqlpfYVnWu726g5Ihow57kNLPjCN86191zauE4d316QCJdMm3ig2zmGeX7j2FATkAKOFOFxj8nmmm43npiU7ZZJ6AkAnDgAi/d7QPyGIKB+5PN1UmdnH60b+oEKO/4VIJ3c1lZoP0NxISysbRgs6Mt98nLT6LPEdTYTQrPqD+Ad6akIhVaih04VPGKSRAthxrZjmbiJhG5bQi2+SUCYjzb790AmHHNVxjcyD621JXQSSXTtw8lwuIlF1LitgC1HNI55BUuizc99Eb4cUWhlNEhQl24jM5lugE9O963fURZ0astua39cqDSiJrz9by7Py3oO1la5N1v6FUrrhgqaj319Sv7htAwoCQkyMG6k5Sk2I9CBueNZwd0vP9panH5BleHWEw90XTXE2V4cXhs8Zm3ZdG4y9PxyEbWjvTUQ7U/YttPy3nuS2SO3NJ6khPDmc230DuhNdCWl2NKABx9DzVcVVWWHAKykZ+TTv9FcvA/kT/8LTPBgn6CE02pdRfRVuXJoliLc8xLfm9U99D11lxf7tVh4lT908v1IQKJmypDCWUT+2916t6yhYyJXXK64LZz4nyjZ49IDvlW09EzTlKICq/UMIRjPsJIpF92A1voazCTRkJrYxE7+TrorEn55GAAgW9GSimcpw2/BbS9OmkyGVJxQcj3EeFFjRnrKi08jpH8Ex+QaHzPnBVYwRCkRr/QgjJk2tTIgnGZgyTIjieP3oPI8CMEimKeIRuLjIW0prZy/ASIbz0DbNr3WoM/bX/R31gYmtCXaYEYyb17uIaHkgE9YDaMaqUrtgLRy31lZl8du99Tefpie/hneghXujI79V2QJvw9YF4BronBDzLwQm+67xXbn9wfvEuvD/S+pxgIlObV/yuq9URjIc7Z5WJeKKX7k7nXlSqfS8vMVg5zRW9cFcpMzKW0hMLYeTxgPQJUKLqASYaWjzsSM3TmOdOIVt/t11813TielIZn/z1Vsf+oCQyBHf0bBcZbQOTRbfmTHvkYFzF2FifIv+MgJsdmVI4iceSTxtOZchr2GY5UuejX1kqqBrYPVCECOg4ELlr8h5jFkQL6+c/+rphRfm7++lsoD5+UA4PgWfwJgDov2I4wvYNmfofce2VoMpZ7kE+g1haXkkERUnf2EtkQiSM5/cwIAEIN/6KVwczP7RJCecxhmrPDLED0V1a/s1fNbQ3tcnA/OE1St8E2V1C7OlrW93kWSJs28wJPHFFLbTjRkCo1fq01uszaPxW0gUtydMJP3hZ8Oac4dbNn4H6tDbmlU4KWGiWsu1RNHPfxbZ1sQAIPPt/GUzDhejQveJSAyOXIPKVv5GVKjpCjSg33WGa/Ji2ueVI0hchwIbV8bFDlQJSZ36ieMaOqRXnmAns0CByvCaDlb+zAwhcqCTLoJ/rbpzKEEUj1GnJ6SkBP3+Q0MO/SAnAqT2MZ3VcTiowps1hKAwdBwrejF4ssDNmcAfcSnKQx9i3cSY30qfyt17FS9hk3ozxlDqMKDHH8ery7i24tCcT/Li6JEcPcbH0oKKnjr84XT1UutuCtHurJ7y8p9y2nJrehggzfbqGTNzXIXFxO9xpNOs1MxP2++9Xngsyytm/JDVlJlxwqMhlHSYIY+1SDasvVRNOSA/a+RDL2Qar7RpUv7+5Qc8FzmHk0YnoIfudInHMd9/EfjkMRqKmLHG/e4cylaHGC0f/E9mrAAytvTWR5m33GbrDJv2yq4vtvVZ5n7huA0IjU74PGMQ9AP4XI4HBFWaHCb2Jo4GtGIk7Ex1RQRHapQi1COsZpjrkFUKElsAabGg/bTt4TWdhJlMsbMcUJyCcxObwQxJpOyxhAQjEdelwoyVyEv2AQACtNULnhw5eEnn2q+y5bKlYTqDN6xOogNvgj1PHnwkhuVoubvNTU5Srz8rniw8ANV6W50rZZWmTuRjHyKAYW4d1dc8hZEUHQJWpstxDytSDOtAPZeQSElE2kOUQeoStYsmJKe9HnHJwoYjyLvUQoYwn4oGsbZjLt1N1bLzI+tljEawUVw9Sr+DXBZTX8XJRFxdHsLRPHd1K/Hnhon98gVxPN2asejbd4rDlthIhX7RQ+2SOjxyAvXkYBVMqjIAjH7WY6f7M7JbfryZFbiFrpO/1Fwc75EaItvTvN2VLLklFBoFoM1CBKdMcyN/QxEZq09W6i/whsxI3EBlCCcaS+K/nuR3cBdAxARGAohL+MvUlo0amA9TgJbHZGyoCGva0t4NbXLIuFdSiRoFMhgst51aWnbdkQ96cw6d8+ZH40VS/xu1ZVVPEPJFzUKwh645JoukufVG1UUBP2O6YgicmRl5RGuYk/qJAKILY+LwCjEylRTKQwdFzWsOqCG+HtjZBbM9qiSzYjYvOvHrJQXMcVM3m0CHKurxbF05XtMy9Trq8W/+Z1wMr5opLhA6Xl9DJKH5//QIsKx8LNXXyMWWsveTjGQJL32zYi8i/zyuBpAarGHNuGcj/MxVhmFMOBb4IxH3Iy15cX3X27cIn1G5Vt+mlG2IwV0mWoQX9IfCYv9sFoBQVTDTNk5M+Cq0rNLg84rooTtIrKo3xB5pAW855rgbqSYN3DmJasZtF+fh0ivWTaBUdrOqbawkn1qAhrkbsreY8CInUTeGaGriUwL42WaOAjWz2WJNGxKwX1FKVR2QcM8EmOAZ3PgPKHxY9cXFE32Ddgj3fOPTtEjdmPRm2pNkYg34IViRdNq8sbHJ7nti10Pd6Mo7629d61BQuQ9Brpnt3dmAjYTmx3iXOcZi0V42lMtL+YqwFZF/nqIiNxHW3NEnAWl2dtLit/Q2zIKLPVl4u/ZNBFf5sbn9PwNy2FQhaByUxGY4c33ZgW6TR6qv5BqerAFIm5O/AIZX3P5by7+cQU0SrbB0XPhTskZYaQ8+wHJYNyeN3h926ju+4yHYt8Z9OspQZADWCyP6AapvMpoZ0S0TddsC3JvymrNrNtVSuv5ImzR58BiBTVQPfLM03O+QOkDIvc4/2hNMZRnNvsES+9Dob5h4EaAp+yt7yiIlvY2quLd9k9kLSIKRM8FHZE/w52/TnyRMAJqd1XaI8sozgdMCz9awpE5mdMU048tKTNmXAQIl6A8l3xCw5LlAEeCRs0ssaIRkdhzLNbGoyBLkEegrlfsiO2X/8eaQvgiD1INg/Cw98pBqcBjWmUy1INGWNizK3FRLvnF98PW5NBcPpS8vAP98cxSpxCTPe4dqvmBKLK0YV/0a/gT5uqXWKJEHk15opG270Qe/EUm6pRioreTkdiopi502XoxxjE8RnjWh6LdgtdJgfA0VKpSLm9OAILKiCb9zK1ZMuHDEcEl6TR7p81eX1tMZMbEGQcC6rwQh/jtQ/WDkCrP+ItcrvgxUh2aLOgQzsgnPRiOLDu1C3a5xKXmgCVCcePSGCZQrZMYw6jcHB6vQlsBL7SEKBtWX8mcxus3kzQ/O9tlx08fFgYyMjxYeo5ZDnlOizJSg+6akrYxP3GlyvYL5A/daPP2oykvtDrt1tPX/+IwnYEl57kSmeKRhIpgmaMg3CJw9yqesNLifjZclRa7yUmqO2rTVfsXazVXvGOhHGREnVTgQWryW9z/NstZ4x/cH89anWYD2VbXyHRS5OO4X/7iKNtySp/w+cQJeb2BDVxbH5RCipoeUKnZnP3mhRe9KE84o5KHZ8tiBv/npoipbSOiM/gpSH0VU4Kp7Ib5V+QGOyT+r05NoFHfJ8j8bnIpdz6YrAI0LxmF90KmzEE50lop3eEbdIc+1Bzw9IZgZ3ZZCo5Z5m66QtLD1qdvAm7ixR2tBoLPd4DGmBe+gYDoaK31Apq9mHbcazckLO9GDeMwniqTvrK5p9w8Ay7BAGOi2qfvJ2aexEbIkjkogStxLx+/ixMoGzz+SIag3z80TsT7NYsXjE9F3FbVFF04WZHIVehmdjWP5YWLdHtm5IokORLMV0fuMqowSCbUY3aQGIgQbi1KXDZH1YkD03I7wRcbo9ohqiYNEpbyLvDJQuoluAzIUaXwShy7EOZX1ycu8yJQdSd3OOhWHZPWq3hsC8nKgRFLpl1qZauVbpjF7tG1eC5iw6kMUqZJGgP7RPIZluAbaaZugEHWDAkf5vQrgMzmkegI/QdLd6Lv7UdskZI8wl0tpn/R5ec9nUTDX4siRdrkm5bZk3Jv4fBg/OeiYTcA0SIas1I3nPx8cWR1TQsnCst3un8VQ/y3ku6ZW/WoIWM7GtArKH0hNBO2sluHXcjmjdVUV/fZsn/ZoyK5KkJeMauYjEUxe5SYSLkZ/uEwX0gGgTkR9o0kXOnFy8lmK4UW0OipZfO/uGWed6VkSpWZYTLsonRAaFIzRnep+dab7g6VCaxu+7TRg7VdtHwbzqke91HaueRra+wi+GMUU+aFzflajoiy/uQa+qfpu182Fr8yweOOWzeyMaz4FthIwwkaK+B7eQFcG+UM1JWYYs8T2GoBAwmCaL33h1tu2SEBj5iPp21yFa2Wl/5ru3OyMv0VzhTjnY5bMbu4sLQC/23lcLRcG6EOhoLZfm3r9Isu3gugSPa0sBDBrIvspg6Noijv1EPgcVb0R58okF2vewxnAoPOXKlsOh8DeVKhZWBxtIRBne6+1ZwDHan/2n6zRRXfUSnlYbV4F8jjDAkUCEf9zwINeHP5uadzZ8jcaVIsrbOGSWqzRSnAPuKGgttq899Fw046QSl5Uro66ED1MVBYwJc03m2e1IcHjNAO0B5vxh+mrf42j8WA/jICjfPErd/5cz/TyIIF99y0VJG8y+mAg3YnhqsOK2hYZNwauzCnPZxTjZgIuYTcYz/pCVpkKxe8VvX2smuNvZ4Dg5Dz1lDapqWHXu6uILeZ+ljaMPzFq7L53Wrl52lifdEGviG3byu8NsJ0Tnk9eCEMUNiOMW7Jcc8FASWVFiO7JY51fEya9q0zMdpVJOxY4YNk+IxEl0rgTAn65Uqw/wpSH438YoX/zmG9lqUBn6u1wCWr8aQuALjk9nzWmMq+PVau2ffS3x6w6RAX70FMINYmIbrOOpMVnK3DBLy8JdC9UPG7uoP8qsBgpNoXhAz+eKA3omBm6sKojt3LZUudcx9bEp+4c/Agj8usbpZxKZ4VyJkUgWitDX8uvdHCbmNLtQFcZOn9EahJ5YEjf03t3qFTPjk7DdwR/k0kZ8i1fOUeSv4TeUk64zDXxi7oqeVt78Wge0tj7oB5BvLe1XKBtkZG33BiGdVeulMeXdGlB9LNwAisfxDYsHU8lEVEubhoGcr9UL9G27kC9wj3hPEN03R+rBWJf29FmPd2DyD9rl0pRNT90mj/VwMMeOkEMwX/RFYt4wDQg0bMVSxCupYAsiFHT9dZMV0onjMpPAyxQP/99tNhqvr5c69S3SXYaasnnC4b+DUC4+O9EYUU4x/33LFtelcvQcEHJVoYe9VJNuSOaUGBni5Ynd9wnshRNYbx6/zuCS16tesdgkrQNGqLqmzKQgEmB5fw8JIAZwUwJuoHqGQNbxAe+NnYBgPcf5XvC3iezoDmxv7xxLh/sMXdfUMkzlos2LOZquJKAhiu9qYIYg4EkZzUMnEUripYT7+Sj5WC9u8emxdETabHhryO7+ZOOnky5FkNw1Xza6oayUCYGa344/k9Sc2aS7tAhT5F/9xxyttHiWfp5vg3pOn9h7E5GSMWgJ2GUaqSNGEkdWhljeCwGaTZVYorHHU5Zo/emJYuZfnCWARR/Vh9N75fraqs7S1r2zzNXvMKgZ1LG8i3FtehD3+VV8F4XKZZ2TuoG3gq2l3OdXv51BV5WXoDx1JdBLhygrflf6dJT8X82Qfl2OWbPOD8Zr8SoPnC6s/gzLRhThkAAWimzDezO3PNV59SuVPNo+zBCwx3vWUul5wSUbx7Vk/94y9sFc4HkNIGtksvhQuMscpSHkSW+z+alvb7RqFfyvgp6KGO1cEWCvB3oEPWjMHUpkrcY20QCiLtMfVoI0vUR0iYiw0AWiRq3U6cfTluUBxQM6DZub2iuUAICJQ/Vq2cLmitJVuWb93p9yymHkOPGlHdEAs7gJle5IDfXhD5vQfyawe9Uyk1XkvdjxYazRpND5NNwJKQO15klqncymIWouh1fxh32gv6m9X4oYWDT2+ez/wM+nFZtqtfTOek+k1+aTUtsVoQ0i42jW1TjqAq6AOfz7WVhZPia7HzYgrHGkCG/ACipGEaiPEABJ53YqarqRkxmKfoB8qkGKS1YfkGgptm4qh2X8H4LLjb45gUJ05vc+XuKck4zvuzuPqBlTzfIuLAahLRl8muulJM7byd9qL+KquRs4hU/x6O8VwUhBhMGbO5BawBYmI4I08/wHRmDoiqqeponJqgx8QJoqXhQ7LrWVaTxe+kqaUB6qOD6MkAkGO1g+0iDloMAJNffXQrlyoJ2d7HhkT9fmN/cSRR3YwyZe94DFQRVXYGeyxnIKkGnJATNxWXBB+LNCeGIPq0eYzTkQHlxFVeI/fkviC/CvCVJKJhsJFhhQixjlxC7/i+pyecOhkO9HrbK3vza+KnpfsYRIZr0v9glW6h8NYPjmNuhAmx0Tk0f9RjKVwl4LEgzrL++vWhOlCi24QbuCSpdKAv1p02Jq9CCvhcrwkurLrw8Tx5p4D5F3/pNV2ozhzOJF3NCMWa6jaQ7SDLHiNAmPPcnT12GwRmR1c0uEwVkokCGvOinPZoSj6bGNDyg6/F7bdjxLw1idd5gnEQni24CGSnAWXCWbU/w5ZGQy6BHXbRKaFOJnB9Jw1kyQQWSQTgMAfFGDtuKZrJqCAwyhQmOnrBddeU7ZavqayKo9RLj6PRWwlP4T9lKUJqveAKPx/89HPJRUgSUUTX7QpWbE0Ow5EluyYIcCTbeKhxdSdm9FE4MvMxq/vvx1sqmvVDPe5NjdSFr4DX4AYNn3geaWtgEC5DI5B6DlfEgFAX24511uZGA5sWCOxYHERmgWNZJOmvq9XwGakgxlBxgMn4O7972CkoJwiVM5YAsd3CaRIM8vFNd0TQ9dXGcIZxReKgQYR0MpTn2EMe2r5+J+kZTGGChdEX1lE7Dz7yKsqK9oj6O5RGTF9Xv2xj8GLxFIzDZ4euSFCBEurPSmCCFuaKLKqSq45KBP3Oc5oRns8tifyzr/GqGD9AYv3MgUHRLAYzyzU0soBlzbN8iPXOANMJHcXfm/A/IGA+ukD1oPywXK9SIE17EpG9Om7MaxDDequyPfap96/5Ahtdmp5sYAYGgQkc5an6dh1yS8EsRjDK2nV/poI5ky8ALVzLzc+KiMyDBzEoB72yF6C8nguQSefU7BObyULbylG6IotXfGf1WrnKIVZtXM2sGjJavn6Ot7sa9OgoxjNn6THcJGJlwpt6VnP9pBcyiX7oHBGiGXGWvYhFuo6zC2c5SIwq5cg/GUsPvfBM2OLPGeSCAIeTSf9Kigd1zpaqZjqgJSC8oghhRHgljTx+gusXutEog/kh73aBO4xv+jueswmmv3vL022wCcfjr9uzrCJ85rcpx7481czIFji/Qf6jk6BccyA6sF/KkrQ7nzf4AFav5nJQnasN89q78i2F5Otn8XlyYlfbEdq/463SmXRk5OY69exrqJKOrHrPuBQ/qYNjRlzh2eceuzobcX7njsO69ICyLnKkCDk7ijnzbfwsOrHyBaR2U4Rg8HlYU043ExSAUbt+cr3XgwaNw3KU+T9HZeTIakg/a540wPlt53GAWbzTYzwBdPorjjWGttNARca2krqsO71U07R8Gp1sgGZUI9BATNtMhJklxr/393/WK73ytse/Yg30Qb8Sayp7UjUZ/PAlRoXyVm+VWZJYeuQmwVygRADVqLxooj2G71ZGjykKkgCa4QtpuYUeGAF1cX9B0A1VGRPBi9ftW6O2+x5+wlcytTQr9WtPxeUYNwD4JS4KFdFy86nNo9b3nCouMBy4oQZBqq2UzZo+gEbwgEdHaEA1aqUlZjbv/rzZTqJj2fJHWetzQe8FfUFfC1sGFhmio0BR6oqQrWepX5ahT59poEnvvhfgnNssjZ753f+Ao1/fKwGUYuB34PLWN2m5OicrwFKxI5BeFY6Lsn57zaCho6KW+29UGse2YFuaryilS61FI9k10y8WajwQQJMWiX1qTK9/lGSw0xV2Yu5ZVA0X5Bd7//tEBSATmlIcpsJutHB/nGk90caDzFPVu0IwHgDSR9yAmdMm/ksGh8LUzwunoz12aTSTOubFF7anbVX7qFmIGDwWBBkwl1CFvLPS81s/4a5G+CBGqrPdlV/rWRH4wQwQX7nlaiZMoY7iW56rJO9+OZZhxfcMphLYhi+u7PGtza176mfQ8Xrn0/rjoyu/41wg+F4i2bM1E0rQAN0m9YT2nAGLzRATLFUbEm6Ij3Xfz3ZDIrbeD+UQ8bdC9i7x5lERcgCJGDutcvn49yVLRPEes7OLD1NVnPB8OxqMBAiVy2WKtWOnFerO3oJWJ9+a7gaZoR8VeFWs3Q5AKYi/nT6VCLS+FxWkywapbiLOOiDL34hJ4sDiY7w87mjXh1Xai4rwLTDsIJq4XqDML4BaxzIJJUDMg3tUUHHnFiruUcS6KGHLcYIfPL4Vspt+EtjBMt9LoiNQGC1yoIfHbV/l1XMW1ZaJgGczf5DLv+cWnih+Jsowc0K8IB6ctYhxVi3gtVwY9ex6A4nYKs8qzRpBhgRzGouDWapzhus1zUILs+vHppbSypbo682QMwKn/fNR4iwB44z6nyTcrpAHpkL2q5JHkZQu6y6HBHLwsEMW89ZBjZKGo7bCPMd8vopQ1CXStCOjf7hAD9wXzhxLCZ/gc/CtzlHy4F4Nph3Dbhc7tXMKqpHu/k4ddlHXnEMXzzyaX57e6udryJ1XjRKI1a/kAp1aHUS3FeqopT//4MqGF0KKNUdPchYBHHtlPVrRZSyWbTkFfTIXbjFWN3DQWFvl46u4Dk3Pmvv0o5h8NFXfHg/sqn0/1WBzJLWyMk0G9ypMzXMD1s7wVv5+kTtGzbav1MVcN7mPqkJiIFEAjyfYj9/vR1+ShKCa1bO1CAKlbhg4n0i8uyGrATIhIqvlpCaNwS/XOBn7gZ5WBxpuYpH/ileYVGzacspAw9LTphuC6zgBoLshPUPdhRNM3OQtB4g3Q2l5RTJ4S510JpsmA5K+UKLxx70TWkshEqYjftd1cRCtUo5VydlC/RraesY5zZ1aWmWZ9tbfkqmP+4n6KRa3f3uBT523J5UYlfXEbKM1nLe/xf+S8ApNecwEMHf+mZGr0khcC3SoioC5ov2+g39WzxjuMMmy3w7oGWNX/xeGsXyjkp+NMy/+j0ITVaVydKEuyG7NXx4OjDj1P3kZf/4JZkxGhh5raIVwG2DvngnSELqjVL5aVxwflxRd0Em2z9ntOLFI126CikJi5Zt/RgZr9cKFkPnYT9XTtdE1ivYrNpMdStvKmp1J7iBNhl32yMHbRWjJFIP57kBxBVhKbIVKeBhJAwIAACxYcbS+IeKatniJ1+mpmQNP0NA5KFof2hAs5V6k6mpqc3EisPwsAKYF9rt7vluitJXlEJBp8cqIE/CtpX6UsY5y5AxJOPcLy5IyZxkzJU1lf9b7fb3CvJPU1dACShKFWKJ238xQOsoYCPALt9u3tw2+xUpbd76g/VpeqFK3XL+nF/jFI03LVnZN4LduMBZUQzR5JSWH8w5zcl+RtYjO4RGP0JVVPtjNHSdxluwORJQst3/TFyuMV7mmtZ7dTGSghs6UDUXDYb7idsCYq4hZ5eb2lkOj4SwR24Zp29mmKN1wWga1ovMNT7NHY2NSbqcwWAG5oNWTfhbDMiMvIE4tG52l6lrHN0bdzZfRuuPuzeSV21GXKS1zkHKRcaq6THWNiIX4LvBF5Cy6FF14LwhhhdKyvKfnkvlwQ+lqdJdAnU9PE9puaLtA6uT4j9bgzorpZ1ZzaCfd4Inqiehs5j6TFcRHIs7U9e1xe9OVCDt9vkc3S3W3/zYxQ0svMSQvmf5QYiqwN1Nbw7YCq6R5HQ96ApwBQYrBxwPykjArX1JOjWhE6gQSMODhK/nKz2qBYJI+6PY4Xdmu37+ZSRHBlYJbpo3HYMja+Bb/VXFsjrKVvQ/Htee/GLZjD5216eSC88ryIO2ACTu1bj7UMSHec6ceUFgpAfl7fczHX3DYz6D1RMhrstUWKTu8yumGfyc46iUhgnXHLfyRDaGrNaYBeLwEje/0wF99Zgxns/kQ+bnvUvWEVecluv6kaRH7y7KQtkufUBdxr0Kux8nyHoNpna18bN2bTEoxwK9Ahiz2Kuk3Yvu3N64BJgL2+fv+eG78L6XiXnF3ynhsx0rtBHdEGvE/aes5WiYGqlWfpC5pGbJwxH/Q/+S8mAh/WiI1+lWRXsobgDGAJTs+m+UOxpdl3/tel0SGiV+gMmTRLURC6OjClrK3AyTSenLAHPq3XhqP3XFHhMJxKkMHJ9JYoKP2lAfKv+5G0cfM8vSQjwBWrmyCjYwUbK6yIVYkhk37Z/wn7S8AbBI0UYfdorM4oTFgrYGDHTyrRxqPT6uRyTFrKRQ9wjmx467iJQaqG3jqIIAbpnmxU99XDwMqo5EPgHoMam2iOEuTsmKjJmKoJgweD/R8dCISr6Enfu19WCNXQDI6tmNzIMY4OjidQUeKfosCriOwdgl4Ql1WmBPl7d1EVkizoPYQRdWS6nPDLSowwWr3MHxN6GOTzwlNv+4jORjU2sg+ZyLS4KsjqVEh9jntUJg0y/78hzpdFOEPCWwUPTRO9pE1SPcgWE5mT/zCZYF+AaiHQWKKIHQJvpXWbJRpS6rnyFZKP775GlxuqnZ89yeFmDvDx040GDzUmAth3DeKDEG7bc4ktTcfJunxo0c4DBsCel+/m0EzdPK+VqavFjKil0JnzHmHWqP3fwFt2S4WkZJ6m629NdsX7NaECZ6TXq1CWSal4DE1JuLAyhkELjsqIzbzd8+2h9+QIEKSQPqcUH8s+mWoVRfMHswkyJ+2lR3sxilv8YdceSyr6Z/aD+lLyv9/XxLbC5gGBC3HlOP0WoxA3zIvJ6kVYV4IrSlK6IHF8SKFaa3UfX1pZ+XfbOxnj0ZZA63qbGT+K20ngUOgqAsZjPZsySERQHq5QZantp5VqKWOLDZTC5bdCUD05lGLMWXhAEVEHeMUteo87idoOaPM7qDMc4LwAhs7W9Rpt7eENxZuPkDcbykFlCS63d8zyOZ7E/MYp7MHTrNWpDsKMfC215xKO6BgeHwxUtD3LcxqZn6spfem5hWqE4T8VWB6VWkIJZwSCl5eBRVP54EFaP8hCNbt53ZkuJV6CcjYVgue6TZceU3lAYdda29dPR1xuZp4Q48nR9lswBps9fgPPi0Mf5Yy+AcnYmBc29+liUDhQyEqdD/BPrZIYJBgYS9vV6uwUDB2D6zCKwQ1BMk5fk6bgknwac3pHvnp0T70ix+JGhOMhrSq1tfrdcoYmg3uAXxcHUJlxtK0AdmJnT10Cn+xpzjmrvYr9ai9BZ6AZgBTVuxqSrgM5iIch4HspNKUJ21yxvh3P2/8MNP1Mp+BeZMoBrGT9q/oA/PGrkvL5G2fspBI4f4D6U7fEcx+vvQUWlecvrYQt40uzAMDKTMl9ow58HpbQbeX7iw8CKGykCC38Yg9fUHl63wWlS/dC+7NskPvj/6Uft/D5YfkGZ64EbePTBuOVZnM3KY4E+XPm0w35995yVX2N71EaeizZTUTj4uZavfn3GOfIFi7CN3E3KNM70A8RPebkWmXZsEkYIa1MCUh6v1ILEmW1z++IYiS8lyny3J1sb0ahBL0mZOwTRD3h2IGVjNURq02xAd4e49wI/Bcx0A/PQdDCHEF5gH+0K5jXkHTM+5ET1oHOB769chubTddj+wA5ABlVfaiuVrV/DogyqR4DePPlxowUR8GOLE0WT6HNdtvjasLKHst/KiaVVVtB1E29260WtxYqrEz/FE0PEvDBwSO7iNtNUzkg5ce3z55pe6+lXbcjeXa83Jwf1V99a7d0h6Zf5uWxInZHxVBa/ZttdAVYZMH79aD2CmVaxj75P9gqr47ADD1lXsDlRQCY09ivxmV8xmj3UIdgQrwdjiPf7BEN5s4FpqsmEXpkw5SSHuMXdctlDL/STnhAsJEUEg4A//3vcdsQVyp4Jdpi6PH8IGBkvB9x1q8bVdgNNyPsVHdRIFACgZYOadsI2d9nkqi9J3As4r0VQv43YroIWHBIhneQz9LFTsAFS9/qydcL6Yfth5GtMpvB9L/MMD891+WH2ufyId+15qT20V3HQBIpL0BqP+T+ra+DUteTjYhjxYF+rQVuwvEKl9C2C6uWPf8FBBpkNpYO2lAvNr/9G/Q32RCVbf8EAcfwvKeF8JO5b8kAxWkADlh1TARPqBCT2oE6ofRgHvA5XUgCDGJAvNN7JOglefTd279MDVbdlZKoO5RWVKhGSE77rhzi+I559NZ142bxxeZlu1f/kg8ofqkBJ07DPkdcujeV7rUtk7+M3S5EMqARiaERxAbE95gvcNNJQGZ1rBeVs+9SmR8tDQmeX8Pm2vi5Ogfz9GgBKXEM5MaiJwBQHPFtbeATMyUn9ih+FZq/X9JLZOOeDVXOIwutxYphOf3kK0eN8QiZIh8khdhDpd/sSZGOJqohAo+lqWbv2jYzyR0/cjiBsmXXfydkTSfCDOI9RClVpFEs27xqh86+IJBE+BwBmPhFhgDGPfWt3gqvhcfW49oGz3Eg2QazIFphLWhaJ+NmhgkQ2kTq/T7ju4EzLAVQeAxyHtJIcZf/yh6L3rvo9dW1MdVSaWdSYY83z3wKlB1bCXE6C7OIY88SN9W/cbGjWPniOcmq3290x+/Yywlq/NH2rCXCT2bYCLNPZG4B00QFDPqHAgFVFTSDqngqn5SDoWCSvUchqrla6qNjxvEeqmEHusUJTGfkV8ANyHd/sQrsXM93CmdOEvbbyeIE/CJPX28gSs4u2L3/bZug/PgjfKfTPquOBPTZ+VHT8L2nJICnWo5Xl/J9rhEz5OEcvgOZoN9MrQOapwr1AZgivGGjeeD2La7VYeLIvTtbDMh/9D1yFFDTJhR6yJYdiu/V3aolYjT3u01DbHrm3nGa+iAiutT27BN3h3KjBNSrHKlhTK4yaUjL09rJhHaIQihOA4x60oQDmG6ocrHrVIl3wb88m5Tl5agkotwkql0Txy7d2jjaHDMecHdApK+wIYt/HpvRDl+TlEp7kL5gBkxql4DAFpwradO//sgYMLQvCJMDRTJVI95iunnPPbSSjhBkdgF+17voIE/10ctoFpUUiv+EUxADD061ho9GxW5hTGmnpjWvpG3RQhlIsT4s3PD/h7B21dUml6aozedhrWVrwLnV+wxd7eVxMmjTQjDnVym4+D4uV7XWiEHeXEjNMo1U0Gj9Ze970JuQHfDIIZsfditwQEf3hqFWZM3yLdqL8FLwXNCEMtq7r6qKm9UbdguKoyt5EPOeVINwExj2+JS72WRQ4OLZSq9KnY1tU285AnFx14nzxiC+oM2DyBuBgRVHUuwikmU8baOoCj/NC8oQX4TL+AJwklv8YrXm6Lhg+Xu/lwHKbZmZhbK7bJTk+/PXu79kaQsVVYyDl8tjbmmERv2FE7azmTX065JnYFrhP/a6QQ39jBFSUrjvNCtP+X38CtLbUNeUTux25ZI/aB4YH5J6RkBLwljSguI8dbmyvmGPI3jAd4vO+1y8DqJGA6jRlkcWBzTWAAJGsPNo2p9AKxauYqxSz3T/DCA2dwx/KRL4XUlJ2sOynMxhUoAomGqtWLhdTElKK8l25rr26i65IuWqlsALcG33mqlL+C5KJe2HShpUJshvYziYMcwbWcHAYclFHBwVWsh13snRzN8HBTlMw2N+iJJy51Gvxp6Qe8bC/rGWv7OxeeZc1UpUeDwqXfj+ruic77WYclvhKuRzg5oliVIp902ZGhZYbg3UMOamEa6uMG7Gg1EyqteJIATgFMERtLA+6kXJpyB7BHxXFnasnwiSe89z38z+lkrMEssJByY0pMrXuLOsLhgMl6PuIRtPleslVVupsVXHYBVS2DqEJNMDRdg8hDHjbdQ1D2MwHX4rj2xQFTofI8TbO6izd8hn6aeaXZYzJ38leBHNVZpVsFi0ONnKk9Dwb0vZjpaLKLabk7UAwUaadEQF8Iccz6IZ2JtNYbs7KSeAz+MtpS6WYqFU8wgtZObGu6HEp5rESJ0e3tsnVjmgxyvAJRM7Z3nBo0DYc93/s9jceP4aYB1zXtN3pF5xQ14lPui5bz3EHwWfBsnCHTYAHXoL5Czdb74TPkTUKBuRiaUBMDx5Z6GRIzsN1HiT0XvqpSv7WgdtMsZNbhwCovGVbUQD9gFVrfTKBWM/VNjDYbPkvTWRSQDBWXJsRhHvpLgjMoaElvP3RaKugKmhggcF0HvlQTzqgcgohcqQN2t37aD1C/3nb1nwL6rhbm5iap/TmC41kRTUPG4lI3Bf/LGI9PWICJkx1as4HxQ5Et5Nwom71u8wHy04hKqrjEcidLEJhAD5lFqHlVfyVPG0PFp0IeRBrUj96lg20YdSX/e20TpgQ614E8UqXcWoVN9WBqcanCS+hGOljyNMKziaQPAknP3ckCpsxo8qDN4yeIRZ7GyLcGnsGsNjNCbK873BMnL/14H+tg+AIH3P4fL2NDvTNDFP8MB1aMT841ENll04397RzWTYNZtSJ0j+9XLp9HcHlmSmwd5PTMYUWEye+a2vmo3W2tYfa2PQYFPzh98CgT2C7w1Gc+ZqgkhNETxsnyJSfKDrxMoz3mzTCKjRhoYwSeXO80TESbShVH3mLgzcWReBMNWo1vwaSMrV9Kyiv4mZ51wm35gGNC7CoOEd/+YpIof52UYAkI+x33TMI/c/v+pm7T/t0SZ2PyMIAIotgM1PDHvu6PkzAfBQiI83rcCQOYjSJt1qmtEe9ZD+lY6IF5Ry5Y+THUuhAJvA9afkolf135YUH/qadN2bRkOVgQ3IWS+D+tJ6CzmGPXv+PhEOoBgMb1bQYQTweBSQUCNBskH55dirWpgcg4F6dyOqIDditLciH8L21ZUUXGXXllAdEVTTcLll+MzoasLZd5KxlW7fjOGBxRfQiyikGgpml9WdtiZgnwq92PN9Dmp1+hxKL6j3zja2gxnjIJ8WweY9M70aJ1tH5WUsIWzrzVVf/95Bjok+VbROfe4Ohf8ru34DQ8JSVoY381iZ1IhJ/mtLa9xwQLOQwIXmdPDFEtI+fDW8kwPuMNT0bcvlPOVGMUzRkiMZ1vfeQnmN/1NsNzqqDlInJpNfId4X8/3gGnojwZaPVD9Ertv3n0hVUB1UE5HHGvO1CUvueURrV22MVZHQOlxS5anLrRqAQ/EH1r14IG8xIayzZF7hQi8wPiZfsL7Q+fe3ejkF7yV4lkrGrcyHQOf9gFWsehiQMU7ciu3K3KZ4sYsiRs6V4dZBRF4f6NQ267/fylZ902JA+jHDLqpZADZYtW3ry+OgUeS86JJ2x+jTdV0i9jNOiG8qAV2+YW5aTqQ5TMfded7ttX86y5xhTi/XahD+AyjtbgEW4j1N4obG6SE83X/watZ8t9w9RBPHlTKiX3E4575N2xhOS+BEDn02HgQrtwRGU66GMmbF9jiq1YJ7gE85ENVITCG3l8zDkXFQtzefgMo1aNErFPZt8RomJSjhVIon78xEFZ6MDJ6eZATXfCzoX58tzgbF4OhpXDzrH2v1e09xUjIIOCZbHZk7JjYvbDxcO/p9wZFSN/AqQW9NHhB6hvCaMv8o2jYFr0UDz3sbgeDSQZgc5CW61oFZk1mOQ8dpu+kn4BPpRNQ34JppMh7HyB9URlNWgchtI6f5UaT4EZL+w2Sm8NuUhlGV64RjUEZx85JTvw6dafteRwiBBnhD8UWLeDuVWLZ8VZlXs69OEnb0AIs1WPH+CVmxKSHdbDCFeVmHkozbtLhGX1kJQ1VgWJDVb8IGkLxEaPU2mNWSCKJwivOR++EEsC2Nhn4W1ZtalNodoYd/S1pNB017i2DzCOSc467Bw88k1MGyfu4je/uKjdJQBdEK5M2dn0lMdlVg6Bxz10eHZKRCmUGKAMZJOAniU2cd1fhvgmuasm33cJs473oR879OindFTdkmIKMPvyM9dmpbUQt/JBbwFPLiKL0Lwu7IBfiU4Sp5+L916f6aE4TOkiTWVenEPE8UbAziI6VD/tqAiTUxE/K0N1oSqM4xsRl0zPzSQGqdBmlgHo5vKZB7KjjPVJMcgwolfFXcBgum7QPXckdGbHH9OGx4829azvHcH2mtFUXAxi9jkovMc50JbedfzZdz5H0UfWZ45zYJU1pQmACLvfcpRMLcEn2oQ7bnGmBVHRFU8hznYiNGzCnu6I08Q22zps0PDjQ7XtFve+MxANWzfYQl1M7ZyF1XJMfGsg8f+1d9rRSVa9oPmt8qQKstspqhJ4YpL+nkV52Eqf41vlD2BV3CLzxIj7FVUeC1jItY6JIpkLRrqcI/bJL1Vf0Q09kjtvLFLQAGjklFD3k1Bzy0M1fNU85X3fATppwJViSNCDQACNNfJWxg0hcwECyZK256vIOkKmJJsAXHq2PhhJtrWWXXEOzg6luBZLi1Q3lf9q1MMaV/fhfHgtvIyGzX25uxaeHtCsDcF34yPM69EZTOtw0PNU4i1VYXdWH0STKfSI7otXhzCTW7NH0SrqwFmSKSOo006InTCMjn7ODe1DqbGUXP4nwKAHy3yH3delHQLqRC/YJqXVWmCjrruvKjveHQW0RWVqAV4S+gphSp9YrykafphYIqxcYQCnRD89jnLg3G6YnEvXSMRUmbo5Sh7ulH2NlHk36TNr8CH8NKjbLbSRtuRgsDowUyMI/rSgc5ialQANUHLSkux4qtqG6OVF59jnApP3+9nZlXu3A4Oc6XkJBXYk3MTKGmREppDfAeVfXnQXo242qVU27C21QE1YXJ/ygojcu7B7kDmYJrAI1tEg/i2PS9GLIV16fVtHFNi7CR0lsAmzN/irIumB91wvitawUfcv8Xhf+wnNCCN8sBm/+0qHcjw/a2H4Z8aNLsYOwEfHV3mHlc8EkI5GFq8Yn/gAMK1RPqrdcKWV3liL4YNwyKnQ0OHlFpJO5T4FoJe7Gml4agcxMK3IL5JNNaRtlI9YC03j+vxxxjpdTrHj8EkPxNQqWWF/brUzCvXGQ85zNi+DHpIKnwEy6SuCflSj5RNHgkTZpduV3Za2XYWzEkDXzxlKK4uAHhzNqS8XcWJmQiRMCqCIJF5bRcpdEZWqUseK6DJGkFmSPpzZogUV8+4665xXOkrA4b4AQ5VrxQhYZldwjvEBkLVsT0c2o71BI3X/K9wd+66IKosj227DircnTp9WVr6ahknLNHDVqZuo9w/p+FydDVVzc7qWnmfNcK8P0HRE02gOlsIV2kHpHAYNcdxp02HTM4P36I6Awxk04Q/eMwxnYoT1v64ALyjD/71KpkuSJ3jXvg4B+L9m9sUfIj9pmohk7VQyag2gpihMjQsD0X2cTBrKRqLaxRNNet9vNb/9X2K4QcOP+9FjlydAv0DEWN6zKg1zheCeK91aRbB/GC/jtOxtq5CqCPPkgLOZAdKW3T2cb96Yj1faPgr2tNfpiUlIDMq8iA0nmDJ+BXCTNFegjinDnbEujAqoeABIUka5VdiBGV7QvuRFlRdpW5azQytjTRfYjfrw2/u6t7R/5FkwyVOiVau3XAyYV7DKcK666yXAWJMQFrh6qqzVN0A+9N1MbM/LAOhhRdGg9O5OHv6VEJZ5SJdd2G8yYhJbSijgAO9HkFDrmbgNwbScLzIn5r8rKEBnaq7cSlaQBJpj3vt0NHAi0LLBrBUS5mz/KP1cfAj01CYlC1fiFJVT7JncxDTx2Gt+gdmEa0qjlmu5GJz6CpzbINsv8Cmwz8bSDwdiB97DTx8vY3VsBy/3w9mnDGMbftQAdV5rI1yVAmTMxQBW/9R1cABrVtI2uPj+sLODQXI3ayH90l/BGjdPMvRO09QLWyPSYRGn1h1L1q9QPoyEQMgbOAxfwewo6cfeZbYmECcp+T5ywvedQf3LHU1C6EUZEKthP/zexm/fhiC8v1Hp4pOYLVMSOdie6+Znrge6iInwC9UFLw4WEAkdtCWTQL7TuDVUInkd8uosWprZz+kuzJbICwi6+R5q2159nmxiW4W9cn7Vo1mpxSUAERpiqgqqEZ74L7BjOlN/3YKSdou/0UdH9e5NNL2KQvXK034wToGhwdAPSFTccbuexEvOB1bOE7R6+jgg5BNyQmnVRAUEEwy/3b4fFlLE/WIcWJr9uhby/FzEJdjBh2PM+OOBjWfQMuhG+nBd8rFIjzy/pxhIpOxBjIP3Qw/k/TqbpktaqbAQExlwN3M12dzzrVSwiZqTuJPWdXvGNrIIwpJ8e9D2utwq0vXLJfVgnFp7VvDM2CGby+VuKs+2/jJtlEaguMGI4OwNU3dscEOIBstTc9w4WwdmqD3y8WZWGvoH955KVjqC0clnYPIOPap52edO7RrFcynS74eNJx+msHIkOKkhV8FaalDGEGJKUPN3Tl5Ly3B3cNRKSt0yQ9J46m+aKE6FdVridepsXP5UhNk5n4RwCGRRTzBmp7dix1TXMdZW4153itVhI8kqf+7Tur3iFj2l3ghVdGjlhJ1A1viymP5VCuF7bsD1EONAUge4p5xFVowHPwdSZ8ewnSGj7e3P20EKtNohTDE66iAmbJZOsAicj8jVHXuNeV56ia2gCA/7+H1rPUkipek2IfBtMpBve8ZRLGDarxklRbsfkXfsSJbPSlOFQwIpEt/zKkKXkkSLmt4NWBpRxzUx1zkjGoCjuH8a5AMT2FVyfFsioWZsD13xflv7bkbKomTzTHuW1LleTHtMY0lvMumlhR3nNvYCTCG+mYCzNqNoHqeT8UNotTmW/PXoOAYcBLvqiWRbcTMzVeGdPf/CyKoZzS0KYwQ1E5l3hWNzsAmSiMyPUGE8uebwnBrGds4vygBws3bX8g50BOzxjIITxpMJIDKbIFITk/tn0ZgrRLbSVmTu8aDMujwLAWxKsMIwejq1VHiMm2+EqXen16zi3lOjAXJ10lQyxL4UKpxf9tPco288TzXnk7+uwbzUaBKypRrtLleVkIInDu1L+3JxeYcIT0VKScGi3mDnMz2kWoYFV9xNesy5UWaJAlp0ba/uhAYF8VsLSNouZnzXIiS4OzcgIX7OEYX22TxVgVexbd/RC4B3NfGIY+vMJV+UuQxzDi7k0Nidmb0+vjuygPkbE6KwyOkPw3IrGXS4C5ORlRQ6d4IInqRm6m5W14eAx6SmRCOcKarryFShfFWhCseeqeh5jUEopQ/BFRw8/1DyVtadSAFWjIx7vihwoR6viHV/G9Hoi9YmoLxLr5nKd4LdxdTVa526IpAizHnJYnqBcc6CYs2ILuv/FSmQt6BpXuV0Mt4qC8EkTy3ebNTRObmtHJALFpEH5+2ZbRA/K0YFAaGIMH+owGXS7QRNajokWQ4YhcIF2BHX3P3sXhEmOrFldB1wDZwqjU90Sc1IeaNas+8CEVsjsGRQwToScvDncRk9279fFF67ECmAJyMeGSXviN9RDRB/xLY3bOm1y8UnRCOOBes9yBoo0c2vaeU0zK9vI8yLGWDDPWKxnvlKSUJUjYc6vZXFrWoyRkpp961NC6H+ChxoXW2sJqHQcYoQ+7lNG6wOGrOwlAccmLidbHC7uM85XelrSZDJkNDizbWRm0Sgvg5/AdGAhTjHE2e+1EP8QqZe1hO8nTSgeyGLsehh2LphrRnmZUNeyQjKSox0FwYFZHjUiHfLekJTSUZArg3EospGbX8BiVyNBcSB2lJpR7rKE6dBWqHgijz9X/6A3efw2b6NEf4TTQRepIW3ye7C8FMtRmzgKdhf8DAK6o4LrKd1n1NRszxsG7IjbYKadiRFOIYCxgw3THZk8debdzIy7uF79JNXXZYevFLg/IG16xeCVwTce5DiKJ7AwE23GHkI+CoUZ4BtT6kTS67/rNQvVXhvxNzkwFYj4TjTSrcwBMOYQvg4iQr47E8TxFLwwm6+T2s92Q3dlOqYtmE0uTRhXzX5XIi+9WstfnjEQFkCOGxWcsDB/5l/H3r3zfoWjhTmMCEwO/AWib7jbXsKBecKrfqc/jHQbnVC7X7qnLOWU8XnkV2RaPnLieLWj2x/e2cKPP3mapEZ2cs9jBAuEkWBgEvIl4PLWDAmKNDd8w35bd8G5ZGBTw4Sv1EVHMb6fF55QeVzop3YCIWK+K7NeKqBOid0t/zv4NREintJLLgQ+fyaUZi9XA9OxX9enD82ZSCHXTy3jGoIVu3Bo01k9Q9qQcGiGCKdgz8HrIuOsGawSMxF7bTmpMI/a6a3/Rw+lHZo6KaRXr/pI1P8GAVekM5PrvWpjWPfcNhnlTiQ0/Wk26knNVbiJFmLC8AUWUwWRP/WeHrmdXmra5vVFbYLYZOEEHT+hw6YpV5x2WTAqjdVGAexqR2PHIzqe7fvqYg9B51jWN+Ph/YvsGn5sHOI2usAeILdF6tgRejZ8eunoeFnH26QoJchFZ5zNEnIgXFrhCTnIBTNp96QROknLLK173UP72VEOVazC0B/PEg/hzaFvtsf0K9mmrqWwT7i0f33pvOWZOC1b/4AYBWxr2JWCkdZsti7jKmiqTCAUQGv8sfbuv6uU94qgIn/AtxOI0/3az0cDELnyLXlGwdHPOC1uhATTdm65AuaPtwH1kXuZuUwqIHAZeKHLsA9brJPNOF1ITKY3XedBd+wdECdTKCvdGblCgcMUzEyoVY+XFQ4i+2mdR53ted8dKqk1Jrq7kqP0JC7fc18UdshRfCQljsiQI4oXYsLYbOMDfXLlUXo4qeeye/H67GRlbKVfGf107Bbz5ANkTw4IszKbyQXDN2NYcUhYIuzWpyMQpltDo/jOmn4CD9QLgtxT7OmjDaHHUjPzxiXolt+QlsVkambC9mvphsjfh6VYH6gvBCUMb3IauRwHJG/1aHsHy8WuwrvjbjcS0M2NotfBgRr/R+z5/amwoLUA7ikp42nFEWXIpf+kVztPBAuUhD45ZjiqcQUf48bdOTeVXy2sdyVTz/hL8NidhmBADQ/TF1VIAwzIEp/LM+TLn4J0iJQj4sZp2Ay0suPSmG2myAzO1+2Aah21mZ48sGfQlMcjVor5gn+nXH5NGsLvGff7EUMNiXcUwjleEJgMVwuOFe4r1blif9vd0aMCLmXjHaWslSaQpQh+o6emkWDr34gq2eqYSELUgbpMDkvH3ZjZikMtakYlbbtO+EDl1JfVAA6yQ4LgtK4V59VpBz9GUket91zhn1aE3Ygsb14JGXyO2P/hUPmjGwHcUwOYIbgqJbplr34Qa/IthZ6PwNMpBYQlN+P/dppSdSIrk5uwqMrD/5Sb+YFpu0AEIpuywY45juo37M97k9zCoqZQcpzVXGmkNKMnGXEVKkPieDl44Fcm1aasyNc8AZmVTwnU5p0fSMrsABGWnKQfvRaGXRrv/Uv2Ghwow1UpFwJKemmGxUF9f/pvlKK5iXAAIHTKB6/9Yqx/UvKYr933S7/ZlU3I3uOJrGfpeoTG+95hjY/iMynCn7L4sGOQ71ZDEZKSe6uUubU8q1qwXTVTvwl4zaJ80aj9qoCboq2H5WQvrBlinZ/kKigY4kYwMAt/cZx5Dm1ttTvJWSliAicuw4ClAWSPcDR2ACnT9qOENMaekLPOK/W7iTLG510VwlX1woYbTxxnDD7rt8IWcUGqEHWX65aHex/51Ikl7lMExZVbJqWoppF0ZejiX/CZNORvM5I8ziSu1Wu5/XeEsXwLD08+C2BA329zzcccQ20j2eE2/R9D4y7r2JNRSaIbDCbk3IN0sbRSWEltzWeCJYWA54zYWbV/jCe+CW33Cby0ONBwabWFA+Pf3C0UcA3n9LxBRXVvaR1PqTK5pSMulrJLZ8af204DmXJMNGr5L08MNln0rv0rPygxGreD4E/0Pn3exNJS7LyUlBV25avtO5pddyZ0AG+IZasvFdevM4j5rVsBnPLlaz2JlXqEvwwnMu7PD53Z9584KvtXUHkIRwUxyl+v1Lznlp4s7u3mO8SaY7iDZLVeT/EHEYCy6kHHwEa5TrWrfwBhaU42qC12Vrd8LoUeQwu+Q8/eKbCnLXDuQMPoL2U7JzuLjKLN72X6SRmIGMDsWepk/KrP0XqjcE9Ic1Pc01nbpupx/2alZIIcxtN35hgGW+l+r5n0ujPD13EJZ9QLt5LZtM5GEArwsdmnOim6lqkn02EAxWdmZwRaHIm9GnvyORcGnogPWanpATQub6LqazEHip4Z/FrDjs4gH9b6fK9RxD9KjscJwXs4rdTX/WR5N8ikduhjM8nnWc+X5iN13LKe2U3XCnZxzrSzXZ3oLGSaMLtC6awHmFGplVJ/Qjfu5bL8ju+dJyJbJSFQGE5/U2BA51cvMb+3dwHY2KpNRbkeiqJmQOCGGn1rHHmSY3KKHg8adbzz0pNGza0zNWy8dtGVOJygRyXovyrGpS5L+ypkbtvzf9/1MEEs+sikHfTjiatdDSj1hpPFA1Kjp5mRq6qFaIgT2z5ixxve39g1ieiSjGLSwi5tk/3qCWWPAXUKLfP5dx9t2suya6ikjXFB0OMKMJRtqjVd0tpq23cDzV9cmMlWF0395aLj6EdW1pIWx+E9eFfexiDV+73sRRe1Pja3ygbZN0Me4Mt67+nV/sOSDqO++naoorYwQfB0Lme78JTLxfIqDHHsIdfa5tNsJj1PZ3Q03K49aB94oMjwT0nmwMQJxDLN4jWL9OaFVkzjHSzUJjfaDg2tlviRHKSyXCn3rF02W+7LyllzpRblnHMS9mSyOt21b/C9lTpc7eGJN/PD8xfEnxJw/wIu9vX8/utiY/2sVIbKCcmbEI/jJRugpHwHjsYxWkCMABi0/mTsMkbhiRg37nqtKNHkff2s1xCIMi15mTQdjO62konRyvE5yNuDl5+PauGPnAnvhph4iSpdJFtDJ2BLiQVStHQ7n5C3im94ZLHBA+EGgDwcR1856qpDvQAreCshDooEPWxTPDPB0MoK6ayWJOjZYL2TdJMnUI4Yw9tjMrTkIsJ64xgdmoOLgtiSHsVllfrL3XQAvQ2JyV+wR5dKM/ples2tadnt7XjjKUyxxZhGFOoHhD4lPuwS8V/LL0JECJ9sf6f6ihMsLk0QimS+5QcPzZFWYAPUTtr9YHa1v+rtL0zmQNCBK2S2E0Urb13Hg7bQV+MkL8IPV8xlLoayRigyEv7h9jWPqkhanV1YT9QXQes3WMTJIg1zg/sdS84E2oJinkNmKBFoV2AWYHi6lslMql3fzI08J9iqQaWj7N7/JxtLI6Gc/aAhybzpZF1UijhFgwjTkuq80yJ5kut0VJtaKiTyCm2wSqNqEFCA9G55NtGW7c89vkUZe7AwaTASvc5BcOmG50cLE2zNqqMAIF7xKfrg87Vnxvy8MY+DbzuL0m0lbyT6y6d4vuvBKnYjTX7hd2u3AdvKWTyavWcHYE4ryz9FK+1J67Sio+w7mQVNnKyalsK+NeTyXQfyx/vlVTHJBUCz2+AJCwsNjUC2q77KmUTq5dYSZll3D2O9wFqbVLEw3wcNahvcu/5KEGFeXqyFN9zSXVaH5A08GJcGDG/XlrjbECr2BHowbY+0COAezCEVHQywcTMbxBH32WDQkjYdJmlM1xjhZiNIClMGCNA3D4u2yg8fOLpK5J0xGeveUI6NNUO8BBa6s3XQgWqVpBdKz6tGlLwChOSA2bl9IHcr/gyyzeFZjHeMjyeNKtJ/Y1W9zuoQOp/ExjUWHCqlqAGmHmMUw2zy3+Vqeo3UTfMHAnigiRHR6J+y4F5Mjk1z3iVWaju3qXteOipdvAyiZADUkQIKgifZ+cAhTcBdCy+F9OhgVnpWm1nE6hiyLeGYn7VkQSskygtqPcGT3c4+U0QOsyLVfivLPdgnjOUWUYJ6UdQFtUT2ZW9j3TYn3US99cF7lcDEorupM2T9R+yjqVz50tDCCQZJ8BiTemntzC2dKlNy9acPaJd0Wul4tolxGWGKSAr43k7ghB50IRT3eUhZzknjh5RrBPjfNBsHiaUXPjDULr6+3NmYFRPb9PsbUDGJOv5JWvdPYJY3r/491MnS2C6XNTdx03RhFbSFinOEGz4PYEduHBeVVKE4nbWv9ct1tmL4dqd7MdrA2fhMLelAX6KSAgDxw1+rrLqC9xPjBoe82PpT80CV8V33O+h/nx/il1FwXc6RgDT8ja9R10TLxTrV8FCCIGVr55Kdh3V5FsvmZnT9B6zCScqv+dJfxdhBzmxXbGRThvPGkXqnoSX8agfu0r16xl4AgIZEwavNaixpbAoiAG3pNVb8q6IPZlXWhR+JBT/ye1KBsQ9X37Rejfc62J1qJO85Q1u+AB83w2PK1k3VlM9w4lfP7VUOzLc6u0xVWcHEydXwCx51qXaBWyQkAbFHZmHc5BBjDqnmQqCqvwQ6PBpvzETiqnrvFWoK18ycIyqK3khjNhRxp2SIvdubYCL5wCsNaC49u75Iw5jYXiQBwAlpyoSC75N8btrb41Lx8iL1tAdcINWXNV8V9cNOQFz6feZCBDnZhOTxF3wuBKEv1xsYKX8XKdVhICFTO9cM76LinKS9NhCdm9SOyJ7FKMjuQ0VmRWe9xZSOG1g31AnmVGAMKF4D9VTEBrBbYvJ8S1RFF0WUKfBIFtzEuJlWl6GrsiiPHEG01QXVhUCGkbHOuSCLgHZ0jBABTKXBjNBxUjLb44wFS682UPlMInt8yvFi48IX842qjx7T9nY8EE/BgdLUB8lo9wbgTdCVwLTXQZ38ojMl+NrhBKkhbD27hPUP7ZK+AhzAIAhB84X2R0ZR7dIQhROWoA5q/uV+bE/Akc1ryqdv3XsKEam2Y1XncJA8TbambLhZ/tezIUG9GxCDk6Wp9zClAcRU4ZhXCmfnJ6MTdPb1C26nOLwmzXPE3mXSa4OWyxUGRy1ciXyJRGn4tZ1M5o6UBIWcJspEfmXLFrPZV40Ifkrs1hj05kK3D/a2d/AZVn0IculDm1wY+oU7v6852tbbpEHe+yv4XLh152srwDei0QBS803SiFPX1Yalfi05WS64+rd88eBs7hx6p2AxSjlgMWQIGbD+jT07vxrOv/NAoL4dQz6UFnj4f6Yzhp+v93e+zrPNSRUtkef3hfsFuXopphzIs/ubAmFAcCUf31eJsAd+Fr4okJHIIZbNuuVcPaHud/Yj/fS0I7qay4yXrCyJw3RKrg1KhoraAxBe7K1+b3OsivtAnEgWqNFbeQFy7VVCO+uowdg9gsjpKvuPqN/Guy2cITpSqfPvC1pkXoBwB/qhdaHiBPEpgp/SykCHO9CCvPHeHuO2Atj8tU761U9Kn6Wqala9Tg8ijbyZyK+/XO18W4/alKTVmwdtn0Y2aHWuFmJfOcazKnMnYPlMpkEwuDWBjhseYP1fYt6EpCCOEXcRx1IdmNirQKgQwGZivD76RDvTC7OEyLu6mcgOASt544rjuuseitl7SDozbWVxZCqVae78QmeZ/EXqXqiRjPpjgg3ACxGlbodD6ons9kpQVg/b+hWZmCs6TFuQCkFVV7Qn+Oq4QV17JeX2v3af7M61D+W8JFEIfCPCoGXd7ggkmaNaZQ4CgjTswSnC7nOfvUwJVL7Pdl+BlhcZi5C8eAo2jeUl/fQP9Wytsna9dABhScWI8ywzMBnrp5IX0jikVLkejafQvJhI9HU3GYvkvedGAza9FvWpZEXGg7jCwxgNGE5S1hc+EllqjINyrmrR+nxHIAvyGx2P/2YFL4TcPENNLYSKWxLogPW+rCQGN98w+C21tuAt3TKrnSbUlH62PquDU5ivj2YSoODD+ZePSkn2SnHgTLk7oSG3dsNXQpgi9G68Tq+urwY5Z+cMG09t52hTb6f440JtU3lcP08JQuyshmFGD/66Qhur1joLGsNgWGwJ1LyhFz8TAYgCoiiTZIuDeRmeZfYWkiNRkW5ryi//rNyJt25WZzaj2risCmH5DVVTzLeNygFtVLv8KSxLaEiqcA2Gp5bHMBE4JBkTK0WLjT0gxvejRhkJVTKiQ5VI4uYhfgepcj9kqM+HaQz6I5IRUR59+QGX6kF8KJ87NpzGuI3Fpfn7Qssb+eaWtS0PYh8T5LhVID6dytfQ4WFphU+ttNmrKD3Ea2jKp2KNdzKHWIkaSmoqSxriXZrKOsgRhEiGmaGtCWPkqYwm7YmkCs4RZx7MVPicR4M3ZDUqP6XP8/fBrAliXOHBXGJ09mAu3FkZnCcx5dZ2IHp3wUsYNI2ICVq4B8Ab6X8bwaw2jL200suxx26Qdqh4hVZW8Z3LwccTDNVKEwwrigkyNTIPiAJYoDIYT2sCNM7Lw1+IoKAP59AU4YIrCiXjUiO6vLsotK5VnhpKKXI4PvOk78BHMoiP0Xq/PN5YsHaiMxk+Ric2vuVp4sBrbl9Uk/pszaB3s6HKCsY3PuIlLCK1niU8HOPA39NgbP+Uk4buHEOo5Imn6S4s7NrGa2xsWKNLHO8ut6R2mpXMm88VUnLfppdJJafdgnXjVj500ZwTo+oXCAkvBkTvjPz9iSJFBNbE9Gpdk0YabW3HscWLiSKKgCyzgd/sMDN9oZFRwqgbaZqENgm/PmIIg1hnMDbQqvaeSjJi6LlEpTxQ+UBpd7+zRQrkvFSJBc2gCuWC+cZVHnxOHtL4Df05rGcr3YmtaslU9hoLVegUtu7Hxbwjr8twqQR7hstxlEjAAmSCL/Rqn4mQBerGUbPpdMBYerK7bZpfjC7UYrAYdYR9M2V14bp12K7MgNwUhwBrP+EbuIO0gB0zweBG9ZUvHbeaRCb14RORMwO7hvspn576jsvCMekGmdpvbi8Jq0g84uAtIuhY1eXjye4aAIt8xa3BrnZpIK2wyr85LoCfjNtnrgPm6tMnXsbcUwq8NGlBiA/MJQbS9KfJ4KEpWlLrn29LnjRmYprwLyElxYsmwaVH7yvF53Q/airs7q3CJQhBlnM0QrSC0Wtxs5LqOHpRl9yyy1PA/R0U2oLJEDl9jLaBQ8yiaE+9IWcp9EwSO6l3knwqAl0NYlmkrwZPuGQ2mdQBhuNdR4VDYPy6sJlGd/6/k2rAeJlzJtOfUZ3Tjc+8qn7C82pdEn8xNNg8rBZ4g1XmujsBl6iy49btAaD7A8gvTMOLHrv5amznIYDjxnkRNqpcZrk52ICgOotREeC6FIhfSoVNuUDLacucXg3OogFp4kvGtyl8D2uG6aBQuYnGN2ndl2bI900tyTMniyTekzOJkO3LZoLVdajiOF4qvo9W5QPV5n2nA4Q4dIfoAJY+ZZSw2s+mSAWj7dH14PBn4+7vtTDhC89pLdSGRz6Dpb5gmCn3kpfjOvqRrXkl6MfUDiVmRIJURVQ2wwEo1zHaO3eTB561B/NurbLUviscXi+6hyieHaoWvhuuDGrF16hfNV0P4hCij0nqBBO+uegiEZqx9H8+a9hDsqkZdJAYFpl7jDiO92epjidDcuyYZj0boZumdSzY6Fqlz+SMzUy49eFgoR96hj/fy8IycyIhdLqOmF9SkMPGgK75FzwAm0Y6kCVTOOi1GdsJDN7D3SMGIZIrfC12oOz4Y1v4r60gz0bedhzU8lv57z3dfDqPtArVHoG/JaMCLywmV2CJoeuQsqLTDKCkE/VTFkdaUTgX0Xo3Txma0xAo+pjzL2BHgwAXF7w8fjnjlifL9t0M/1Ht7SilCJruwSoLFe9mTJFFfqqGTwOWeZul+zFx8FHzbj7TvWPsHNG08U8H//sjz5OI9eT9gISVXZ22+ev1DjhNW4JuOAAsIFI9gZVnAGGwINE6Nv4Q49gmdvrUiDbxbLjJ6DwGJ/RduvpeK8pKNdGq1uK3uDA3W9PeS3+yuO0H0HTlJUjAhNsk6f7ppJL5lP68/e3lpvPj75kYYM8bbUQE/1oWti6lUeEtxaV+5y+rFsmcNeIYlzN8iiIwudjVBdI0vXmXvCizekdSzzQeQTX9gvVoNl+crGwsdMYoV+8EGs8BstfCxMzSyXO/hBWyxjik/RpurwptP+WoJJa896qb/3eN5J8OPOhkJOEXZnEMn5MwMDAPeWUX2xMI2BVuHHL+ki1EK42Y+F9bifQx7hQ3ZlOu2nBro3mtUAFTKgB6kXSi46GOGRZLhpNuPj3HkWBBXopT29MF9ImTzaoHFuz5vvKA4JZxoLsxcAaRT24IbrQaJEBuInawg2se2IkwhzHw9vC9wGm4E4F9YZkUQGVXNmI5BEXI30Rdcm2/3uWhz6FlfYL5ZOX6vmuinJoPQGYFjedxYXE6tb5AnEZFvBZpZZWuI/DmE2uv0NdbWWj4u9hZGE1dPVaR2iIv/BT8ze4imLpGB8Y+jcvGmnAbUnwOqOxO1sp0NI/HUHZxvdKX+6MFcfc6p9LIioCSHDP6ZQIm2MuIhfZhiJcV8N02/1bK/YbQtNaD44MQ+WR+1jKRcGQtPuy5BXjH5f1ocLz4DNAOTYSmL3BZw+HVIZN3Ox+yma4fDOQJKZH5CrpQRA/MWSEfyyINS/AOdp7KJft0pkopl8ezb3GcJnbMh/SbWQqtoaHxtebhsv7JYvJbpPTEKiLeFPoYCgq5F5Db3S49KSeBFKudeLf8IlQkoihTOJO9+M++mdS7MqmnuFTnAq1Oz6pIRayFY5odeTDbXOF82VKi1a3LBzCXkPyHSVcG0D2uwa/+c7nq1VobD8l//MmpOptFort7tX5SwhWPsoU16RmHE6xSEIB2Jgnyoz8IRN8H9XAe3G4NstSLlb37Tt3ju9j4WvNtybhNzdqj9ouzfls5slvHvwHPyYV92EL8B5vDjxHWhYheDJvVniaRgFiH0Eo/6Bc64wWyBZ8hd0EUnHM+7qGHHePX1ZhUUSmH6R0W2UYUIMstmB6aftuGFUDl0T0GTS49Mlh0Bw7oPxZ3Vi7DytQrlYocBEQPKma7lpy7mUZJeIbtpaTmF2QCxX8gerLYlIK1TYNDkblaHnFWNQfIW7nBaagl9Ac3rUSuwVc8iyrwMdMxQvjpVuLNRSKDerKec67zk9C0+ATy9CYeMQ2Mdru3OfTDhiaO+5DJ6VqOBzTodcmm8GKdf8CbwB4910JoUneQEwJgQO7CnRbARsJrvQoeWKEA9PJYLLrllgbL1KL0ptdPXfzCFAC5SUIT3bLahzUU3NCCQOsfaXmH5kToNEjo/rDf3o6II109Znw5nZd24yEoLdnoyNERQ1zLCs47fEqczWTfkP4Tyqx7vsGJ+G1hB+/JL1JDvhr9+mDPkYv7bgjsMg+P+dTV7m89f7amcuXOlglK635UssO+cpUkk2Ypxb0aWmze/2jp0pUXcPVnt1JFeoI9r+QqVPupc0FVnhB/r536pSSoyNwIOxYEKMycntmqSxJcb8uOrPrZqo8tif9bS/cdpaxvhkr88FNscZTt8n08OzlMy6H1LMqIRkPhK4Qok0pGTeLOZBO68HxglWnpfxTbR185YRriCA7vSc6qIaB5klDamiCl00qdLqfKyxRv5U3CFjKXmWlaz3DQu3mMBdnTaS7ulzLjTOJivzm+tS6S5iPYuDrQMjjmvGyi9uCVghPnw5dGJ+nr1aGCY8N6NEXiDYVjNnsV9g+gVLuiLwsWj6xeVT/ppm5nhVAhnz3ki5y+mLpaXazsHE75yVJGjLAtRd+3JU1uj1pBANB/SRMvQvk+Mwhd/vbit1LXYDC6qdqCYGq1o7mAC1M7wCJ8TLdm83WdJg3VOPzuIbhPc8bUHXl9hkvlTM+xN4iVoWqWpcK9BYz1g3Rit6KTv4krNU94HO1Q/gnc9z3ah411L44UEwXCYgX1q2tRKCKDnB162bWvmg+sfjmai2ECfsZBFh2wgL01Y6p9qCNYiIYUcOtOSVzj0Ow0uF830kNqB00gy4SgRxHdMTr6VTeYT1ecj5Woy5BJce4/MsYKwVdkWcmwKWUV82gVTX6+FOdM9IGGJHMe5gngKQFdG3CLRkSuo9xdwMhKN09FMlCAhhJR6iRw4xVrN6h/a0zIg0C88ucOMdjZLych8a5cFw1GHnNQ3YxKLCv+QOpBbOVdzDaTthz8oFmP1hKWmlCkUffG7kfMazWXR1N9fKUbCvqjyQWhKnITdSlODqRvCSyTMwrQdUoJqcQXHm1ZjKCEQhauhLMBwTcDx/bnpGgqvPZ1ZzgjkLgVMglL9q6eABsOmkDRT5TNyBs6n8JraKJc6PYx+wxT6kTS8Iq+/1N1V8hDWiL7ToSv0KLzmuxYsomDxq4Af2attXjWfPcLTLDMQ2UsMQRUDBA3NMhpeOiDot8MmXfp07656krq69pwJqPbM1InJbtu4JWc70nC7Uf+KCOXpHLk2fxKb0k8aGQTDkpBDyaUF+lCIF3PELXnafMhX3eckRgmwrgQMq4nF8WFzJCNsJAaRHn6DINtSLuygg9JTmboUdhHMPiV7MWgMYJiKdy2stzi6girsXDYFDfS9rWmX31PN3Gw5hBa754r8K4bX/6rEPwRRJFL80pkIAntsPDqNkF/2C0QKC/07M+FW/YgLyU9fUyRKewzULJR+jZ812t0rb8ae4AkyN0wHmmuBLZil39fEaMsn8If5aZcdxMQZ1gDzp1XTbzTNMfD+Guo+hZ+R31P6Habwmsi7IQ/3rtXIXMNPJj3qvvGM5LEMV4decfm7/nma3AutalK3hXF+Xj0Qea8+qYRvNN/QqjXfytsSOCnq2VMHsB0niP+uF9ObUQfv3goJFnv74s01j+w8CKj2xavSW3HBScKG8ovz+A2uVMHq5H7qJStlaYQI8GyEMcwJO1xmddNGwcRgWBMlalfy1KHUAC88j6zo2ndngw2oM6uOrORzoGvW6EDlMtd1hv69sDt/HbeLOTBenibnfixMLOh4zSnQOY3kub4Z9WTyj6F7lDmcCyBEd5bdg9bnKupnwCRU4XnHnb2MWVYJtT5TOO53LdzZC3m+3U6VsBQVlyr7wIsahzV8/d1EpxOfe2AZWN1qhiw70CliJ5nL+xpmEK4pHh4AXxxE37zu0WYWkw+P0PiCiRT+r9zm43/KNy7jirNk46JH9musZUT+QyzXRjJGYqefzyjgxIqnBOVimuZlxcNrg7tbzXTyxcsX4Ym5m4EZTclTfZjkvuAM68CFTJSJNpe4rVoadKY//hvssDyiYsMQuAy11Eu1nUmWN3W8QbboAS6WvDWnGPJbH+fGs/huR0AGJVRBSWK36mIQKkPYLMj2QiOqwQbra/TEh5LJXlr6EWMkQvJ/MCQqfhkdExKVyrkP9Ttfk6QLiNcSC4yiSK+EFMn34OcxjOuhI9YfyxaTqhOuLGvGgpOJRxTIy3D1G6kHDfmnHQxOKBQELqcWjCot6SZH4uAAVIZw4o+EWyVdey7w2c29zWt5Fxvb5HyZAz6w7tt0qqsQI46xjzJL0trrDmLfQn9klXCeXBSgezGJEwvEmk834rM3chjTLm2kGNsH+EOeh4FgeokXFHMW/E2zPDsrH+KnapPDKLGAFMXY8mnAfcgDHslAFUu5YSlqf0pnykAemeVnrqA2vYiXQOPYTs6gDvHdwytMoErQYZ/SNYXo1/dFrans4cVnmklXluO0z+gjpu0zMgZjaB2kOfa2Xx73v1jfzoyRSQAYPE6AuekFnTdqSoVYGNHGD9Haahz7U5IRdBv,iv:yPXeHvFcl06ZGy+jg2wHUcyxqJLnSphBObRJK617vQA=,tag:y9n3ps3rtblWNnLPg36NLw==,type:str]",
+							"provision_cmds": "ENC[AES256_GCM,data:v6QpENm86enZHhSfNAqNmh3lcIbBsfL5xDy+sk1ae0OMftZVS6TDMjIhhK46bgw3sdIGKMMzK4Knm854P8FvjewfJqz5L/NUHkR9BXGOw9OsXLWrN+xJCHhvYOm2bv1vRwHbWYOiuVJD4usFjmOE4lyUzEXbg/FmoZvyEpMpvS63jX3vye7FrhhlDdJdtd2ypE2C9xlQ9lFzAaD1eqSS0Oof9Ufb9vs4m2be4K8NSMugYQoRzzY9BQD/l3fM1Ceh5bFf7jq1HCqRsUwUjzAJ8R4z1nMmt3/XnPbeXOSiZalgD1JMPDwKK5wqc61HZjMAiToYMl7giKzr/Q8twNGuYFrTL+GvmD9+o1BqwO1cvLGtsZEbwZelMui6MeZSYwmih7cq2YlBs43i5QBy418YZ/wHc3QGtJE2s9wdbdnj1f1lhtumdqXafKrzRsRsE6ygoT8odRYir4zRwl5u9b3rSy7iU1Yjo3dfJDIpwolFiHk8+VPIY5SJcaV7pe2iu5+lvaxE56PJlVaXetWNDDkDY/tKu7PDvkmOsHWAO/cjzdniIgidooMTPOtD/LpE7wPg6dullJyJqq92Ls7yyedR46IviKvdqUCboAGoqYm/dxGy4i0bud7GEvtCjTd9/XeTsPs+7gTAIIDBgKpojg0FiGxG0a1jbaq1b8fgu0JLCLmu/5KdEMIIYcKjJoipHRiA9JV2wuZjAu0NQe8yP0+SyE/GKsRpmzLzRFYsg+KRrwUBLG50N3JPAwvRQwNKpmiK7jkmMQ2Xl7tvVA16jUF6LKHb/xrpB9/Y5AEn7i5TM0GwTSfq9D4h4qrS7RTIWLULqzx9L1HTwj8N6VQeHgaYSb/bvi0Q094lxJnClt+qed4TbB1/04M707UZJPvxMWJQpxGIMuknsx8bF4aRLe3e106GfxLVc39XVSZCne1QIoHgiMWzrf/1uE0EFYcLLGBeiApSHhn0xY5ZwywhC+PMfq65Rmc98xK4LDKxlV7DYDPihyjmSjjZSoilIIAyPSRehQFyh+F0V3hBiiTvt793kRfOQ2udmXvY+2nbCx9QDkEy+kvqJMaJsMIMudoRfAjXO7ZtOgRDs+V5Hyz9iwbJEQIz3IIGSq1w2CA+qTJOlnz3lY1xxOlwrBMClTvNmQl6FPofRO+dHTeXGYWUsDnTx69t4IqQ/FxVf8hB/RHsAE2KxcClEDStskBzbQdHPNw9T5Sz+HzKcsR+TcgyRqPm49Z6DRKewe7oU8gOPNO3nF5pClFiJBkxfj6U2zM7Xhlmtpiv7XtU5Fl5UFLAwvJdhT41qhUEaPfI5jp6xHLlntwdS2QxaPFsn8SzC/OoOGrbH4tSAnG+f9StPWhIWmTu3NcIS4qKobxcBGvUKEFXq3t9CNldHVyXmTG7tWuXsUPjobzvVvCvMfF/6L4uYSPClR6XYKUfXqGngD/G+nFqLrqmJh94GzTJuIRvpiN5dB6mFAc8zdDSRMy4bPOOyxfj8DAB3xkfRYK3vBvZSo7ZqLKaWrY2rUcpss0gRT9hD3V3J3BQ1EKFVLx31iO1DWIC4UW2r7HAUqYAAYGztQbLUv2gDbTqCsTtVBkR3ZvainfKHF9CFRtL8oT2rcypEJczNHMa74+uoJ+K9r8mzOwF5+20gpsTho4KrQVCkxCpbG9iHg73sxBhzp/sHkEDwYL5o8i/3hWEv2BS5iSARmkj8v7vU1ELfe3E12aXy8ObthH+dHpF0LtbGlSwJ8/vK+7ej3LO5aNdE3AnMz5bVq1gJxMDjkRwFkQIWPMPiVFAe5zeqj51W9VNQA2aWKihfpbPMYPwGjc+hbDxHgM1M1EfWa5mFU5e0v6OHjzyLPXl1vXS4Nr4N/3kCKJllKAekySrjdVmet9xTzld8kLsmhceOaz8PywqJqjyoAnirZuj8YXwqVZfUVUm3gOq5XLZyRRFrg1+Ftsr4CbVJnHReCvofIDerqkXq4gMH/iLPjKbLp1f43DC+ppMOO4BREDP5u8OKK1rMKCL1L3h0pQ61difssvwduzIDI2cJ9HAfBsLob2mGORsMhi2RownzDUWpZZOBCFUpZi2RoyP/S8MHZjG7dlRi6s0c2aCH0oY1GO/tlKyYGPn5qHtqS69DxOtVEBed2CT1HnAmQxSop2xu62wPx0PW1komY4i9xg72qwwi0huUG1JqcOVcv+KwQtB0ty/CmKAP2AWsQdfMcjB+WfsOLQocX1L1t4VFXHvLXYaI59SO1qHHGtblys/DMxos2EfCUlmeBLN8T/Z0cYgNpSZFOr80zRwvaYabnrYPywe2IuwbdSxLo0x3crQ07LMS5pOJBEm77mCSns6ts5DY4hcjNtTai0Ot0qsKDsco0gzUCvWlgcgZVMmFt5yUjoIzQd0stAZq+7z7PIjNRTLVp+6blRHVAQS6j+HJcrnXrdJiaZlcKv7+ti+8JIYb81wL0j2MNDSZCKxgnJPKpXmp7K1fTSZQKxS7iXXIgYJzg8tgt/PVhyzRWFYYEvlMhipEGhJsU7p7vVKdK+K3hK1JZgZMFi9/d1777BrWR6w8vPG/q4HyP4Noemdnha96UUCGV7J6XN3XFG1LHaZZ4KnNsrXwA/X/vInufbaMmbwG7xq41rILHTjBzdNFxoZo8Iv1xOBUqXF0Y7d+QogMlMre91aH/5rTMJ1HuT2+LT+BgnO3kbWULnsofraKIsjx6iIGMtQSyiZ6thadF7IKZ9FbbEjzRu7dunT6S7qDVOYi0Puc/WrnH8DjLMoW3manNXj8rt05Hy2WekDqb/PwEjy8mRgB1wNib1F3YJE+7xcy5xFin/kjqBhkA8fdoeJTundl+y1UVOmStJX08u5wubtO8QIBWZ4eTTAxoQvMZjaoVKlJqLbjCJQYj5gugEep3ICQoMvuqIRNLnyAWX3HOA+D4keOtVkPXx4arljX/oQa1KBpLCIYpxJc8+WhsdCVu1cefgTr0Nxj3h/oXPX97F7Iuse393HDH+Ui03q/kWnzRKNGUQNnJN5ooIS3uASTpfmUfFi0T8LfqA7M4wceBRUpmBR+dhQk9EmDEbFaTg/eTlajJU0rxcE0R8pcYalN0KIP1TQS+6vshiC9KGapv9w6WHhOEazg2hKHJtvrLJvCySMPw3phI0+Hhxgc7lbX7q245TwgBbJO5g4DpFvmJ6uqw9V0+YdWuBSmJ6aR9PMOyPVRcQT/UTeBudJ0RkqzLD0p34evgnJL310nGFLvu4xzM5TIHyGSKsD1cZhTJ8gMF0HEIIl84oFr0PRDdJgFLptONLjKCd+gtcEmlKJhOZTYjXJtOEOI07A+YtVjYySqi6flDi8amWyM2bm31PPwyvJIXenCVQYi1136hhMf13KkFkNn3OWdrFyQqPEbFZCo4MGgbtwXuINmBayPzv9zg1LHdWghpZeV/zqVWJZK0XlLUM5PPsWWYuhCZhXQ9OW5vKGivWHL+2lgIzWAr99Z254QNQMJxNlBGSw17tw9CXUVn8HI8kUMoDKY+OQbwk5lBuIfnrNXen5zntiudEofYZ3n+yPnZQWyenxas5EwIfD9vkHfiHSRIlK3dbmp2Z5QC8VKKZPXl1DY+VksJwsZfzJSB1Fgu6Hpo45kM7r3NZITkw4SmvqaluEXHpp43c9mo6cktdZte17XqufCV//s1Ej6l7H36UO6O32p+K7Ep18GaFYBnd98a86ftF755KFOy1McPGlJ8od1/G7/CYja4uf+NKYVax8tmvflLAqXDMHdzpzsM2wBXTdP064RZz4Q/O9NSlX6vjgSTfHilEZxMnnB8WabwwScPMkTi++G8uQTPJMCXV9yaxHYT6kYblhKIlUdyl8agaBIsN2patMkSoNzHHvOwK0xVotuRsTsF/rPfARAZntPNJJJjBWiwqCdWiCowkT+WPt1Bpvgc+OeY5kFjW7JqnIcOGJwqirBQQqnXdIXuRnzuqMYYJ8JPZlskBtjLEauuDMGtefQmdkT1BGLQFWFY+OVQ5OiJrVOb2zaZH4K77fMPlthQOkGFGkui23ric9J3XYR8TR4j8VXCnmFUhBxVEk6ZxBiARMkkdLL/PPgHrygZG4IYe5rMOQpy5p0ENjHmnl4ik/7L4SRXQQDQRP/6PyeqY6AsAESBewipxdBGOZc2NvKGuiqTvkt+OEp4qFaMBSZOWt6mwETITuVF6mnI9mt9v5AVVxL+U7RuvZAqR6JIyl23th/3aoAIrQQ+8LmSHGQ5CxCB4VDFGq9FDy56kzEGUqfxLsvoXsOM+P36FL2h8FCCrBj5pWEHMEqwmjibrjm14/rg2N5AC+3/XfhjNSMY+ldTZmwcmvjBjyU5Yd6Jfrbeh6LrI+kDInNXjpinwPD/ozhRytq9EDNzO650odZFgHnkFUZhXA4TNpgrH7BpanhgFDcGBJuWLmhEXxL6gCK+A5RjpAb4yI2yaqr+N+kBz9Qy53+oKMKDuD+1SgEJvQgp/Foee24JE5f1q9UIVC8rh5um10jb40s9bwJpmeh1vGwf7k0GHV2G5oYdzvJ82gQ4dbI4oDn7wTWEFqwSwSUOti+6i+earjvE30z+Gk+R6bfNGBS72YHpRThItjk5H/SQEnRWub1Yd36opWylq3pglSpw+eeckaIckPnB0hermDsXQMiqrsVZhoVVgU/YU0t8kkb58gbXNJZjOU0xsMj72laiSOq+RWqMP5VUZMUmRBMw/iIUcd2LHRLqqleaYdFWibvX8nMO4aG3p/Ft7jV6/w+H5AhawK1FwRKVkjJa3waRCyICOG44jBJ9A9Uebq9DUOc4h/4zRuYFlfwYsHohKhc/aMJEApRmwgsqGjksX62vmyBmjANsyG/URbiWzUCtwIpIfPznbMYxT8nwxXHx5pATymKR1uaezdYKrpMDJjQSMoTIQ1fAZcHleTGlA9SSIOhYLpF+YH/qvlrI/jHmZR2qnZ7wlKUSpors6zfSeDog+mnd2W+tp14QlFUtAesuAEXxLruEZLEpLXqcVYSlgk6xvsJiAVeUVv982EcsRH18Wn7Fv+EQjfYjhy2F9KMB3uqHbOvGVgK+ZmWByS6oGAI0mRSkY38uXcATiqz+rYQemQbhgM04vLakz1fjpIT2N5ZSiFDMo14HKjG8K8h6VokbrqL7bI2cPJ0P6CvWHEMe2gbGrSxdNydMIfXSEQmPIvIwSAB3p5uYKEMj4ZkXrw+OsXFpH7yPaH2fWSrcI+VIK/Z5Qzda6j+yR77DEnsF1jEqIc0PV2FNxwvign8qaMmjTwWah4UEp+NnPEO0+SfZLNTlmSE59CEorMzmrA9wa+RhUfak3t2FAYigG9/qIaDFdJfWYMQLkgqXKLnToYDYl4nfI8c8ZPM2GYReAhgYNMycp0lE2fLXPpY95184RTuypFIHqex8bYk6X3AFw2Fqps8EIDFi6I3orhO68lZzb2rHyYVGLPFo3WWnC7vgbP7bJrorvekvDV1dSy3ac5kaD3vEhYP5mPeYr+yolKNhN5vY3SPjZKbB0ynnz2ulQK+0ZWme5bXoG9cyMqMUxX2f6OYbLq63wGdcWt3lpWGOIyk+nhwc5zVPhLePO+fF0lqbRXOBzeeg9aE+CQdu3+QgenpJeJjxOuZ4ka8yO532YvT0ON9XfpQXz/axs+3s8TrI/cyZt0U9g4y7PWOkzh6gEAqDoFAis575Fyj/Ap+AhE9VbxKDsPNEMwLF7UiXpLJRj2uZmSiZVLaugQMu9+v2afF2Dfm5GCOgNU5kZZVyH5huqoDvWSKopr8NKhKDtT8FyH3szFDrztOAZjd0zjvVaV0ij2tyuyFrGsKz29Zombz+gHPOXgB7W9GUZPLzWXItsVbtXKEfWC4WuEvWbAwbBl3NXors3Knd2tIK2BbsAi7lNhrqEFksLc+BlvK1UzCREILLkJtq4SuhAl+MkAKz8mtbw7DlD269NwdN5uaLoO+xcrjD/FPq6Q17vWH7GLNaWkZQzs4QC+pkKFxdaz5ngRkqwVlAlheRpZ2IVi30Lv5XF3JsUmBgrXH9Nei+11FicrwqOuJRo18pdi+r435RhYk0mHARX6LkQ2/9A4oerhTgiExU/ZPLv5+GuL4dDkp4r91qxI4MtqS3aJIo6kVWIUz38qplqY4WjQgpTYV4CxelXrEpbogg3PBA9/LgrMJXAtoHsHE8wsaB/sCfSc1xkcV/TyTDQ+s4WbLwTguIaLGnRjmDlUlD+jEzQiC3m3xGnzugThDc5dxVajKGvFE0BHlCMXofmoPa/mSV1AR9/hW4mqUvSUPxVk2wMNeHm2LxOx0YwQXAI88gEkNeKpi9OcP9Sz86BrBcy5E4asv1NJHpurUvk+mIEmEi+UPkklWpKrIICW7NZmIh6Qwi5bJOrw0XxZRzeXQpoOhHflarIyMucKx87MkjjpFTL0JxLSDCdxMvSeyGZVTagthqDAgICuIz8UNZOwAplOHq/tT9pwK22LYw8Rqt7KHsgpa+HM1dUnjHBbAu8XBhqMzRmLwSNK2vfZI0Ct0//RcvFOT1kjCiGEajX10T0V+ruM9P2mUXljzkL+x+pLUEIkJVAx8PImCg8XLcm58jzCRWauhE+AABhApFij04y6AwomFzNmbG2QVdPcCJywMgOp44+wDCidc442n0XTjEiVQGCcS4GVg5msPcWKxyEQmxuXmWLT0msd/VwNiMHeqvw5dawITetFGNYz6gzGJDfUR6yek1KxG1TIrxpNB59n4mSzP3vjeVckRvDppXobHR3AjMI3xkaS9rbZtZY1Ss+iaIkDWQrfGGwsNn7vafIRyua1JuSTc2xQJek1naKlF5ogmLRSurucLTnFld8egW5FYqrvEo/1wcd5OoBHHswAflNq5+2KAWA4ol+xV3S5bCJGPJMx1jND3p8zYM1tEWi/4GxJgtw3la4CrfkvCOVUSfOjLZUsvXJVk/z8ffHUWfyqCWI+6ZwAEAxQ35le6zV1XEaLS9vb3oHTA8vht8zdbl7InIeaahFO87IyioO9B6c3GQB8Znp8ujEikOuTMTaJbBjLiS7Jg5/Rf+CdRAyO/zyXI6xpKP7+uUHPLI6ZuNy6kSLGWUyWwCdaTgA3UwCl1afpqVetz2gdNztham7bsCWeWq70DPuK6p9wFxQ3CZ8t1yHrBHTAYqWnovLRE7IXefTd3RI4nY3dYk0UX4kWBn7mn4kA5MU9vhTJ0U8VWitf14d9uOqMPbIYJQFOzpME30cWxCGn0WczvWvj0o7beYOxm8pJCbmvNEfcukXuMK18uaSELVczfQuWyGKc6Bo9umtPRY6Stq963yx71bM62TAWEphxROiRKSyawPonGqUwmZyqVNlzaSWB9Zh3Wl1FXQ4TQMJeXi/+nYQnQ6GvXhSwaQa/FhsYUzcu0YQuiRqL36I907JN/EFvyNS94B+f0b8i9pycwUbIhImAk3XCOsjxxLckzz3UFUhyyMdfVmlHReD/S/OpoulULSMlq2vdud+JEvnWcMNPjreQUaInP8qHs9rjz2J+EbPB3goazxa4iSUeZmX0ekT+5S/R7xcFWRGYeHCVppvvvM3m7bv9VTCMa1ZyytSCvUuED/0Lbc7dgRL2K8z7yYoNs/IkVBWeUt6k+eSFdd2nVXevDuIH8caGgq+GiEfJzMKRhuNktTloOqVq+02XglNlDhZN6P9dLwQVKmWz95zoUzaF/lfqIoiItoPO+8RqYy0SYJLl+ISoa25EoTDVPLrg3INtBBSFNq8W6BHWGqxTgTf3tgI5L+JOs/5+nSKH29+qG/SM1dadscijnk0XAol6d0JmtBHDjNXRtIAkGSXoJiUuzn/KvSmz5Se0K92EHRKNWVrTJuvap8dVH/xWz+/m0j+gEs7anxM8AulG1jrFKcwrpzUj6kTHAX/NBOnDNntBxVi3E5kBHrDItNaBXuPBowr6CuWND6mVI8e8Epvfx9RxfDXQjL8WxgTgrbCiVu8sru8ZgHEtbYmMty0fGb3eMBJoYCvSkLj8CLF1O4okwOB2iZj5XhWYh8hNvS8GuQuLKqBi763Im2JuNnzoNezvSV7xkYWQcl1i+ikaeH7J6iIHJm61+8io/ma3NtUJAF86Z3XcXOEPcng9v6E5VxWv0pWrmqL4CXWZCc2EIQlWpQJbVaV2FHS0v7e4C1dHV+6EEuDENY0g5hTyK/Zp/dSdOX5rW0+xT9Olh4W61XyIi14N+BEU7BJHCM9qaK60HO6LZ0HOEOFqR0xSGgCCFXkvG3R5VDcpNp8CaYT6h0BFhKXQlKCiB69R+sTKdVtSvMjPBHz+UWwUn61kPqMe/L8+c3jZcR3sOvr1/1j4ksHeBMjgryCaOUTHYsithKj/2twgNZ922L80hZHYwDFF+MXD/9FatoBBXvA52RM+GgSxQhlQr2TUyvRBiLD39kjNwMhnLQKoh/2S5vpGd+DIT/iaT+UbVvi8ixLQe0s99u1fgrEtcVCLLzDDMOxyP47p/kN6UWgNbdvZ6+XYwjqU8T8Tq/jIJPVjQVWqoD1iticjy1l5UU1JvNYDajpziEW6wOxltqAkDBQh9dVRWS+Zbr2qASWEBPb/1GWz9+oAHcuXdL3LWYiN2Dv+wL9vim7Y0RQAgp1/51kVL+zfN8qmVjPQD/++Aoils11kCxl2GWVgKrndapyK9LDq+9kKWu5BifZPNoCguufH8LCCWzgi6WUrS2Ot897NETz3eFTPU2ukOGPDj+YDoU4c8pBYsILLj+1o+P2u++1s6HXlbHXpLR5x/RjBKrzIlRA+Yj0o68971i36wAlAS4mPAdP65cAMeftf1ehUE1yEl4S1r9BvW3QJmAKJvOxIEBPf4M21eV3OwIES0r6GyKm52TY/zQ7zrrQi5FU/ssOH2v4ZgUoD8KQ+4rVHlHkv2erDmExqoI62TJjW/VrwQOvAueo9Oz6TXoYNKq2oneV1WUZn0t/jWCOKJgxIR4wlKaTyau2pnZpWQOha3um85bUUfsxiQFpeWyJ68HCDjCV0nlLcqp3jipRe2OFA3v/ztUONrjEXFcwFZfccvsKeb+rrgIM7k1nqv3jl98asop5SgaNOG4eRfjgT1wb/nvA75MLkxiOARgcDTQk90JHRyCycWDS+mBm6YksjdF9AkmEDFkJnT5dEjANQwkY7b10Ma7kBDcDU+flR4hFxldNWi5LEKkxwJw/BbGASGqmj05s41zkZglKhNBvW06sFBaIu5oFVCvmCpVvd+Ikn+wbb7JYF0aNlGOrxrvM2uLko7p1MCjJovSmYcq07Fkjch3fJNVDgPFpAkgIjXCeffZY5eNHP4+Wr3YS4ZJiAedVim6BeAdfT09+XQ5NGvF1P4EKcSTyQkUJpJSUb6JwIIMg+MK2nDIuW116FPlUMdnlJRLszUwza+PfhaZL9SwWOHyXE2jaCKi9hOJ/Vvv5hg0/Pf/c4+7YCvJ9AhHJhePwXqfuT7h4Qm9bG1bzWAGf2WgerrXompbKyehwAJPZkIyTYBV51CsRqAbEkGMsHY/pwxEPXPDYuz/v5J9whscEku45bIttji5r+nn3hp0/GHCuNkzIJ+zBQDgzhJbquXuXkdJZ0eAXV6X19VayWS2cT0xez+3RgWsGdK2GNrOpmfrx5zes1qzgGFfORHqLc1d1EW+85yyhIFwybsNgMMWfSfITK9S4Sv7cUJhSqxBf4+jm4jZO+RHQVXF9KbwkmD5/ZoNM9VyP/u/JioOHw/c0hus6hHk4OYml3OSCmiPbeFM4W9sqy/5Fe38kEJhGsFGBGKEpwkKZdYlnXT+q9xg8E2e8e1xgJWme3rAcSJr/uNonfDfcneWhApc+BtbXvNjNO5xAxLV1Z3IJDhUL6Pg/MnSaaBCqyp9G46OYOrCp4Eg7zeQOdW4J4igS0rqYW7UlEJ6Uapz5Vl5QvgszcIV5qQ4h2BEXE2LUL6l7EoYha6SSzKOMU17ZN/C0+cm0th8pRfqeQ4kz4T2IWsm0SFYr6Xd+eF6z9OLmSWr4mAInpf9R6vTcWR1aSPsVCRg+0nqE8XFbtdxr6qUuAH8fexluJvV6FA/Z1NbYN6E0QPZk5+0IDB7P6dcQB1D8nwIJpmmcdOZyK+aWye20ASCJv9P6mNYFIfQGfSvFNCc82USJbxTESXxOE29fpdHRcaSaiWjuPEzHzb5Bj1nVgrZJGCgn6ndlfuDWXGtU8+NVCvEwCtaQxAp2XJZuGFH0sxOYWfgnNX3h9wVzOuPof447fXB7kuBnInKEMX3uprqYvH3l7eLbSbFSfzHBsiXZ3iaiJcuWMDGHTyKGLY0ttoi4L+1oP7/9tffwdf5UviMVnhKgnXXQOEl2q5XSjPAZmBBw7bNDW2yA4JdaP+LE135EHFAdt8mUci+1bWJYsO8LNr56NMW96pitvwvBcD8w0aYt9hRwom1w+DNDWTEfWZfrNNFb/JjyrsSWhSTWS16hlossNVUw5zbr2z4fIuwnIMY4MB/YMM1WJbVOK1x5E96wj8mWeJom1ReYNFlzerf/XeN/qY+8kvdxQ3oOU1hAUae1xhFGyFkg/IgcwsWx1c5oOSHJz3FOnXEAK3JQrV8xcb0L9dTjc3QgjUPkyk6o2AQth2nb7+bsZCg/l9pB4B+ixeb56eta8aXJ7kEgulv0UOvxdi4otSzeMDV2CVdVuA0eIR0cflBTS3ygY0DsiiKVBDj/E2w+iv3hMCuwiCejfLx/V/gDh7wB426Pms/KlzKvKn8BkSU3ofz1jY0iq75q7kAtTPxjMQ25LvsyfRjS+ym0/2rRZWfPeGdAnJcGRwgaIn6WVUdIzzfI+0RdZaaxBz228AoiPnIhudki10ny9j+cDnJ+kXoi3lr3zWdULMeNRbpxUVWYHvagZoYO751n08Z/M/jD4z4PnpGpexQYwoYCi2h5mL7OHyXsczvdyXO0A61sHjNpdHZbZZ1iP802oIx7Pwh2OjRAvTZcpRRhPgiljhh9qD6YwFqoDCv+X8AoUpry56JgJ6H3OPCJZC+znNculV6Qjm4K6wqHJ6CVOyv4p6YqKCgmFKPz9XkrcHl32zud+kHv1R4EMcZ3GyxzYsyGyEIC+CsjpwvOcD19D6M8EwUcpogy2wCQZwyV+YLaMY85vXg0K0YGxG87OoGm4iAvNVk/1UYgfukMv3bRmFGymDHKF/0WsnuF6GteNX6BL+yTUMOLYvyRw3xPtvAY/r2h3c8s5hNVnfW4/G8vb62VZWIJu9KLQFKXQVg67aclpgCbTUo+rkQER9J4BXnKA4m3ZGmXCZg+B9M2by4K6xdjwSfiCa4uTgGJea87S9GBUb2o2RTwD5ogYUbqibkO/JdNjVscNEVK050IHjxv+AC0NeGNHx7wnPIiQvTi2Nh8kHjDSPSF97gThZwOqoQfMmDuyOghrWcwf7mjY2nVXx47599LhqeY4pNePosknSqa6ddT/hH4GeT+x42KQ9qHBiD45nZKpQGseyz9saNgpiGLKaswqfsW7+eZ9N4Z/Ul0TyEvZXShWLx1J04zcOfUkg3V2TbfpY2WnHkQXKczd9/NBCj7kZf6X3eb5/muqD5S/+hR7NMK3vIU9EJJLsPd5h+kJcoE3f/JTvwL5eVJrhn1Nf45VIJ9BRerrp1M2qxTmDGR+lT5BzTzrRhWQgKXx1BJj8ULXz+ZqayqIFmkgI9XcgEPmKw6JdpWOq/sZX0jwVBk+kEAEnYV2FqKPnOYs04gG5JsvhldjouHBwqrC/Gs1sfyhd/v2Y+FplPTdjnWrJDt/UbufJBn3LqjscgOeJ386aabBKunIN3FXFaeVsOo5keMgsrMbJAYVsWdVCF1yUrygZt+hKP769oXJ6ykjJ6/TaTKJ+HkZXFga9RjVJ4NqGWfnCvP6bpqtoGuFspJK+QU4tJJSbuv2z1bUW4f96ezCeZAFr9jckvO6BsfVoOayfB/rGCTkSRifhTHA7KagcTdTv91lHccrurNjUL+Rstg4YAJXhVAHywQ9GjxZbRlrOGEzC92pF5KVvWgPto7nnUjvkguepLddY69OnKBRekifaKU4oKh9Pgk2LSrMoAL+AyMLWweI5Sq7nPGg4cxUFYvu8MtPHLk+vz/muoSAsRmR4AVrlHvlQnx5rtO2lj9tQq0LAr0Ht6snoTToNGiHjAzdjCB2XygJxGtl3vn5A2LcfdGl/tH41AJ233WqbUWWdn9Mtah0UtvkJXGYou240AH6T623jQYY2ADbXjkBxhRpj6uLJyHlJpstszM51kZuf8R4IDl3fhMl4+LZmFWNPU2RbodoBQKDbsBYXIUZGJBpog06t5bk1P7zJHiveJwRsJObged7cacn2OFIlWk4c0jHNbAVVThw22t/fw0SLMIbmdRZZJeITLM50N7shgw7l6N+6AcFwHFyRey9/q8sFJAvYAy4wSLWVW6GENuUnNv8+hnRT7yX37ySGc8OLT+ZzaN1bxFTW/kYHypq4uy03ZLJybtndD0oGtjxnBbneom3TYKWwT+bm1ZWLz2smn8iw+35SkxuYwO3FXIB0lIzNHEEKWA51GU0dy3xfq4ayL2B8GK/DChVhxr4oMhCPSDICmZUSWgGfo2D+gNXdd/aKSO7b1P+ztl6TrssGq8qdZ+Ql6tZzCC0wqJX7be1QGp8ID+1wrDlkcNRjZh0K6jIDsRATXLej4uhd2GG84/+aXkO0JaqHM5YnG+/m3/9ApLy3vMjUqszCq+WkXLllLpp9wOj9ru5mD+42w0e5ZIWY80cgUyEAGKPGVxAKC0/AceSAS6O7ZhyJnG6RA03hNNJjPqPNJ3lf6X3r0w43CYKzRtqNz5MMkSYVPIwtGeV6lIuALxa8UQMlxEp2rostZZpw1KLDkYNEh37uBYUjcrTbHFZINe5nGWB+xGVy3QWlAIYKHy2XTqFkU7JZNjOv/V894B9FCzz00rZZis4EcB4VkYCE6uugF9hWDlHV79FSmNRvA/KFf+6lCyDSj0b+nXz8MJSysx/jk5s6xve1nTqfGgrmDbiMzRWfb0jy6kMh0S+Elwayr51ugR81+HCUbe9WHg1q4DekwL2mYBAuXaTY1HV69I0hF5vsZs31CjkACK4/Ub/GtS/OgBhikt23GenS+aasionfXtY5Cz1PYSTfFyUGevUsOuUKRU0plRegLs+KEi7Pip7gUpnJnEsdcUtIr13tAy8s460d1wFqBeh9QgSTekUo3MhSDDeD2FpgTc0q6rQySsmT5q3hl7+OoIvg4YBgrd8lvm3NMWFleqUAfM8wHVaTyjudAUPRNkFm/z++qbmBng/Mytf/e53otMAuOIZkhI2AaJsnhmhPxXIcyx/UZbXmqu4KXOo0K7825NNaaAAKbDAE7gV+jC4v1P0Q1BZeMjzdURTAxpToX+mZPBFdhGzZTlUdCq8qlmy7ju72Toit9iEplzKgGyPOtXIzxa8K537gkl8PWUwdCltZaNUxJ/ZZRQ4OZmADZE1kPFBQC7iQRUb4sSeRk5U/Y4gWFIk4IZ3fX0L7zQAIAEW+Z7wKgyCJlubcF5jnCKawgJF8YHkAX8aDhV26VNYtSMU4WidgrjhjHO3KkNE9MLPz5z4gPTb+L/8jIc3Z7UkMA1Gn+xJOtF0rt1LJJCRSehPxVuVKCP+nfNI2IfUazv6IN9WmL+udbwbhCRw7eMTOQTInO7yTI1UH+Vm9Me6MYxWd2wsa9/nyFBVOTtOdVZS/3OPsIoSGnmGS4egTTHrUvqcgA5XGqgj3fD28oT5lfW9E72H2cpKPoOtPwCwLqYBIfIrb+o+dhELoyMVkNcg5HiSWssKPf8VH28zBKFLIC2vbqK3rPRy9TbZdZ/PQeJ/NAYyTeg3/bVjmMwvvKY/9czl3qu720rNzO2RDN5TJT84xPB+DgxK90PtsfaMv/OSo0Vml/3WsbUtiuKM2bqWMDHxzdJyDYD+B8/qnkjWqjk7VMDAtDvAWr0jnzQ81Xc5KrWpY6llwxkx3YFFur5qrauMLToQrNQLZeQK86iV4iGk9cTh7TxtNI9od6C724iqPbf/ngbyaZ/zU2vufJxWPyO8UUpl05M0y86JTS0CoYewTIEbOV19CKaEJwGGPdJ/jHUe9ZMhIcWaL/rdKmPf97+CDHVJQjmmD/znaRzuLxlnogRcL6enpFOAJPzm+PgFzRrJ8kuY4wehABfuaTaMgaoy7M8rTBMxxoCnpe6FuocwoKV5yedlLaKhksk5QS+R9l0vkrQRRbAq7jIBVMFUDVkLdzOytCbvntyULRbWHuVT7MCZ+cpfEsl8G0wgpnIahjbX26uTraG1ptpzhUnxD6MboyEOFRSaVFNNlfkRkSKDuhaUP24DZ0Qb7VDzwJ5nNR0ZB8pWdOxDeYGAzuv+RSWRa1i48qPty+1o28s4ONSNeELgDs6ANj+KSwKRgePNUWqpSE6eIi2rPyLGRqcKbzZ3SbuS8KLuwsh24OJsDztppNaApnLmaFBAc7fMIpBmwXbPgvB+csbH2ugk35dQOCgvMlwrG8lc27mOHFiA+78pdiHxq0A9BnaRfbr8I6UYeP6yMWPpKliOKyhGk9npeXw5hv3TP+4aancWlsR2Ic5/B7Y/EjWK02wIgZ3nlJOC2TCiAOJX0MmBoMS4Vir91qdA14cuHhe8cT6LRYc95ZUcc28Cck2lixTCfqBY5tQ+QfPIpdlG9ri4KQmULW0poBYy7iXFhEUy6ZdKeRZkqH6e5z8K9xVGlbqhATqiOYnnhSJpUyig5WTD+n4aNvW8i9eYs5QPkjSROrLV+rY1I5nrS1FalEITWdL/BCXJkTJy7FUzYz7Y5B1SZESM+VVnrQAX3i4OmE9ApZr7jlgS01zv5Ccy4bV7bilFf6rPD+wW3agOqhgGEKvvaEALLOx6vWXUKaUXoFsWTYToahqAZ67NeJPyN4jMgNkXaqlfsSQJ6WJV4V4DF2Jg02CRJIc8eKpWl4u5kVtcwBriwla4zIg644XH7I9eBL4uKaHs9CtmW6+cHEYznYFgn/hA7ePP+3M749fiYTsNLcS1zolwL25ydnKNwe05LJ9V4ZMMrV1/OQpKWfJCQlA9xTdFTjKw1s7iT8OeauLQmWS4MhNn9J0Xk/y61DCBkAm3JJONoUDLCYOKXIuFX1ilRupReaMjGOpJ+vM/nG1l04jsl8h2POJS8fNMpk6mqPvoGAmDj9+GxjNzq/lLlVs0YqGzYL+ZR4gVp9rAGZaxVhOdOl0m2c3wVS8L3G4kJhyr5wzd0EKqW/OQI48wXWfby3wxei8KwyCQcoVKyGkISMbt8sh2Q1G6V5hobNpgNAh5ZjgA5Mnr2nOvGwGDMnnRSXU6oE0CRlPoTOwdotQ9fAHpfE5ZWHsa+i1HslIR0WU16JpjYoU73UBFNJM3APWX44HRp3PU9ji3xbcrNJVvjlTC+/C692h1sypwZyE6fBl0hMZY42082sHm0Dim6YJkAg+ceJRDJxMEv1JGjWMplnq9BLk2tgmnHH7Nqe7nq7YjU/XQ+3ymmcREC8+tNtvD2FsZEKLjSzjy/W8cx+HdlrFcC6tQvtPAjIPjlXUKFMgecurnOL9X9KR0WCv3xs0q9rqub3ZdR9yrw79ENocFa/OP3kYQkHtSZfFBrIgCYFvjxUHg3v+k+s0JRMrlzXX2WLmyY3O4usUYM051TkKlH/0VzjrCV4cJ5BofT12ns3RSj5VyokWIiSnt4kEdlcUtd+WgB3G3X3LIH/Et6nhbiZAfgtYp4All0PVo3EYmPqm32eRCxZOK3ayOVCMNwCo3k47o8FofDEajUw1GDGVlbAz/iKprzWIJNgW2x++I6OUiERDUeYzs2Mmg7GHc+Wk0KAZVPIJOeOX/D2kdlvPHWhynLPISMlmfgQPPU0oCclcGPy6IS7G1mPHAGxMlqfOP/LkVHrMwtCwl6zoaQ7dG+M6zYuxTy2W96U+yEodv7NJVOBPgcBHPPvhFLy0/5fhMMMYxLcouD00TpxzxzZK4BSj73K1RW+CV7vjpQRay7hhCuGNZQA/tB9GvuWeAWDD+5wOrRuqN77fa7x4kbmeeduakrykBAWjyHePW+4aQ//SDUtHikJzuO78Ga3Blk634ebGVQ+xW4IAX3HtRwI0Lq7i7Lixl+sjXLMQkLhR5fazSEBuSpW3cxebzyVthmlYLiGzIv+zD8gim6tIGNEh16nhh6jNR/sGzeKmkLCWQO7a4ubWLo5MZ0bgdPuWbmsVwRkgl4OyxnUARtasVuFLC68wuGI+gtIkihrRP5zdsTgyA9wbrGVPLDiklSWflGDE2WISShrBHSfEtbU8aXi1nuS/pM3TQnTNFZFsOk6dXyBL9NB1csqo+0dBRh6FuO+Cog/OyyvOjo2VzBWwSKDKSnaPAuXYC9MkhxOGTEKDrZupiCU5YQiNFQ1OBnpHxAk0eUMbpg2CDdetJBsgM+X92KysynesWsimVrH7Z7XEtdihi3RT2wpMPaVvaabY0FMur4rRNfSt4D9SchW9nKlzDjc7WIh8gER14vZX90FMKgjAYXsAwnlMWvvrYjuRMmAyEsVXioLF8b6egk5N+XgLg7NGFr71McgnVuJ4Eme6bqowcXl7WK1JGpUVAq7vebS/GRqi+gJLfTFxmXredIp5dyoHuTVDfLT4mJUxNWPh8z9t2VTL7eTeGIQ4PxkAZXjQg+xhzmXqnX3QYiONr3HoeeBXQxXlYLmYJa3QMtJxGR+0B5LHvfnWCRLyoJQGqDwtrLhDiyyIiVzMIo0rjaOKf9uS2hIvn3fV0dMUgcVs1vh84HdVfNLZymxGXV/dKFj506p/t9n442ykVSC7Pb9SXe/priOaPRsLgGz9y7CLMCetT6SFSWxKw3QiI5iwPxzFJYfISSFDOaqF/J55VfFGxgqo2WpVwN6zTloAvI30GCzAKD3Nlz5ts0N7wE6dcqoar277+TUxSDiuAJL1JBO0FQYC8zFVt5GOvdEtwl4uRvywVRWqqJPEQuUY31XRMhqGiy/FqeVMXHGivtqmSD/nGkEbUvNjbeMOBQ+x+9Z7k9iTH7E78ts3KBdz3PV0YSYy5PmRz7DJat4tH1LLm87lWiQQDvF0Xo3mXnVkHig1bz2OHJ8A1Wzv1CRD+WzbVomdHt6qsI734oWVMXGJkqzJDjYtkNt/Ks5lroHDisYk3d2vfec0nUUv4iYVpCqdsC71tHfWFRGh+c5gcY5XNO/t/vyMe8gEyCpn+YdWRiT2LCk+Enmm2rGhjikbbWSd/xS8GeXYVgsEJIPRgphk3A5EGDF7vUgyhryai5w2yigREbaNl/SeZIGEsQmJqAW20sN8S1ondvENWjvLy8dpUuajtCppISqGrZyHKkG0J86o0Xg61KnpDKUeZyqnjG592u3P08egHxb5Pj7RMr++BAzxLVsQ447qi1B/YsOesGlEjtqxwtk/oVZfO0F9CGoOHwzcpPU9RxVCZZdypiHQvmLydjVe/7xLteAQNDXeI78Op6pk31ORhnKyNAiYsz8AWWa2DHkxLzA/aYXA06VQAig17jm9ZsnorZFpDlBYXUFhCcjtQPGVyaBLDDnCg54cWaD977W3SR/GbRHnSqoQc6nrYRqL++E6J46PCYi+am9dzbRT+HRrwWxM+URladGCRmodqsGphv4jWkSoCIcB09Y9nDO8iCCeCVSPTXbMYyIbDG1vLmI0VbkhRtKz1fS084g0jj+8kFt2FTOoTdE5q/7FYQACzGCyUy0D1CFfd02GIIEsiHaJpjBCDGo8We4h6Fx2TSj98Hl0xAGoUKNHlllcXp5t8/seeCrnLfEgM6ySSY/Ce3QcF1JrsahllEprf7SLQ9O26Evipninkqs5UFJb8r8pJjvJEXKOeWcLi/lNKXaEyCwyI309moQvsIlYGk/m4Pv/a1K2ZkXij1z56+fGhFq8XLbBWmRySm0WfrM4P2M1Vcw726eGrlMytCuEarQ6mfMvO6e0M4jlawsdE5K4HrdxR7bo6ebMKPUnuuwLzPGzdlFb79evW2EGa31K/4XyCOrOqj9CA/+ek0t8iyFaoa++4qVmn8qx83MRC/Hq9MZvi0QdfBG6KIse6JJz5xQTmSxXdBjBERM7U94S+lveb1h4AFMrjCozG21flHZVOrzLScmxXN9Dq4wHz5HAcDMt5/owh+l6SXGezfbVnyZO6mthwsW+LVz3xUZV8NBIapd6U3FLvY142ezdLEh4oKvPsukg9XuAfIky+sF0bbW6tL80cUJU+qun0qDsbnJWxTHzyfnnrosnuptnNO3ehI+dJvKoZCOtSW1B/FSPtD3IRWcjPYy4WcFlHvXy4eaVu0CeZUu2vEvbo1z9uaXggzwf9uNTrgSGbBqS1S+/VGxwe3aIgcfBYjvHL6aZZlx1gUNJTjv+3vvZHF4n4Enrs54TX1Uf228jk+naCZo24papqeBWL7PuuHO1FiYsJjjhGhejthhQ5n/7HIDT3ZYIfm91/bAFMpblyXqYFuQe0pHfSFCCIkBP8O5dNSJgTRgk5cgUUu8mlP1AaGNxrRKhz2YuJc5muho8wHUmNCAXO5UxCmjj3E4guPbkNCYdC7VT27dYiaXjjHh956Z8d5N04LcRBiJgbuVw271c0FukIF7VRSWhiB8VzoD+WpOhrK1E/UE5HErrLaoRKemUyM+mvv5TlxBrha5FPR0k3pQhbjJRddSvb3sVcN4V3wtZ73IlUCDcYqkhNTI3vQ/FieKZ5HUG6yR2UjX21upm1B+BRb9h6PKEer3LjzKv4Yr0DE29zAkflvDbImBSl389eusFbCpEs6E2nNH5xwFnvmw0gX25BQowsvBy88ePKOLFu3pUxG9Fd3nHwa59k8gbfo4+C3RpDxL3qtPupCruVNJQo++fh7ezITdRXyWeDOdXsHB0+sAeTumovkSAI6VvHmtgSHxpPNqwJi8pSEqx6iTsKk9zHqJjncuDZQ8hu1KK2qHDJTW1oRb0GaD8QlxMJn/laoS2r7H49OX6PiCAiJJoCNCEHCaPNkmyOOonZTNkrJIwfeNYIn1wQdKfF/j0TCNDeCUes3zSdPOnFqxqeVxlM/NSaohQIMvlNtrP6L6goVk9RFyxPKVTP5scs8pGT9PwBFTIs5arZ/XK8C6ltsZjqYgxgrqZaq0XHkKVGYdGz1IOGf9n4Q6/zsbR90y+7LsNUv4uK4I5Jb0JHM89tGQT2wDjjWxys73Yae7+71LFbb1MLgCAXQNoqs6LmWwyjmP2oko2lGH/uVcU6c8NyIpVZpoXmD1qIsBykMS0X/4Tk6u+/aIizNDFr/hFQfIm2qA5D0OQKE1197TQEtropHcCCCOd5ZEnJteMVUzqd1Jc6hdcVRaVjXmUsvC2Gw0E77Bp6f3dl1nPazF7XUoDDoknuzX5upf5aI503/PV9DjB2QAFiavRUIXQU8IkjUhcv38hHWUSX3xm1S/Iml+coJT0lIku3JfbwS8G38b5g2d+mTzCOoR4kL8S02DiBTdhlTLayNLQG91gf7jmJfSFgvmNrApyjNMYMygSWKbyePGIUIb//w6wkhgTylfE/fwmC9nNKFWP0xV3UZRXg4vKLzkPd3I4iLuWoVVm9MEPM7zDeFz0/I4yDhnTWpZbmE6ULFfSNmYhIsR0lxLQwsFu36jBvnQVibd4whOybdkGnr8DIARGFwfaCbhRENnsAZJs0/LV3VWYxv37kEgkCls9wTadHCDHzg0QISggQ8C1ES1+oWxDkTL1nyAS7q7/UHa1ghZbnUJwpHXKhLXIWT1SNjd9mMedL8FOa3O+AXTPKl8gqsouvbQYLlOSlqnNekohv3BBNHquchlzJKfTR2K4hRpJG6Y/VmchA3fD9yhNxdtv1NIncHmGQSjfavyAidwgumiJB9EWJUVl6is5LUt+eN/g6VwqF7AwKJEtum4q/UwIAXvzAXrIJyAr7SP8svKkQuBLffWGZpEMOtwwVTYJ8+t8IffTaFPJ6EBi1f6oz/TuLuDvJJV+hwp7NiMITBP20DdbaCWMeWLh9OukrUtB7Isx4Lx8tkKtxmgIhXJl1vdrlFwRkyt5tRrAOsl/j8eZnptAwZ3zL74mzECgqYOWiRm2pV0GgT+cIB2n6/7SgLNPL+Y/3hploNNYn2XuGKDT0hZKi6+bXp1GOHX8cBgSYw0SzUjVe/PYmQn+EA0qwzE+S02AxtTozLjuZ/CgrWTfWVPjWHW13Vj7DW9I0RNNPX5U4kAFeTSnrmUWslSgQjG0FSm9FUOQbrCyaItQjz0G62+i2Uxut6ZhcQmk7mVzIXLWdveJowAzgkcvFnxfv2MbHim8tGX58PL6Muk4Ew4rqnzElVw5EtgPPMblTTLtbJQ1i8PnjRzuc//Voxe1t6YzKvGV0ZTWBhpxSSj8DAGpqPVM5tuzkGjagpCFKAuc6SIKdATCJ+Cw7CRxSLwCw5LKc2vdlE9TEZiEw/uicOd1H2w2abkWy77CDMOHaQvfn3JR2c8nBXQUKI08MvzWapf8SJO7wbVq42pbTa1Xwcx1L8AB3q6Zrzu/9H7JlKetDelrSeGlDNnuQXRRpYP2tHdMhNFfhdxF9mhIQ7bS9RmYyXt/XhPKiKrymyzh9E7jheXC5mGgg9jrzpNKCkUWBkRcTL5MKGt1HbFhvNdNCgi5D8yzJyQujK0Dz+pOeSh2hY/+66AIJ5zyC9mOal1oEwVW42ar03eEh5uIM0Lb3KzmzFBfg2BWFRiqmKs4DVFxaLn525NyaiDAf40g+eXDryDIbh9dVt85JaacchsesHfOCb3Jfag5CURWDyhhjoDuib2UN4miPNnbCmTnkj1L7MwzYTlwiCvPlT9b56Z6DjKc4H2vxxbLgtY9XIABPJOAQi4NvKeGHaHqkMVTzII2FUJCOBCQX9t+HDvdqWdrZdotWtOT7pJUunpEfUpPqYYSlW764SD4glWuN84FAj+ONMcgIY811yOXzjby5sUWrG7FvziB3FlupOKdnOcxZOy5ecLsZnB0w3O2lsMIyZ6z9LtdFGhTCiD1Oog1hw+vaK2lf1WY1y6+vm2l0EzKjnYq8XmSQpEUO2Ts/YFfHc3WP8rILTY2zC++qXhkb/UjwMs+5vWgadFiIJ3t2e5eSqgU2B/xHzbpfm7X7wWvBdK3sVgxl4g+Jzo/gHO2f6cirRHJpiOjaTv1dXdNEF6XAo5AKAX9IsCqkI3A/QO426JGpHRgC0bYGgz2zoyqMIcYx8jSNqKwxrLkIb/GOjwib0sbLTpv90zqQJv7cuLqzzvFSrcQg9/ygJ/9FfCxoPn3C1F5NOk0PsRNh6fP+S3cbSFiXskBBqbZQ8m/ZcbgywhA7lzUTICNgd8S/w+WX5rdOBQpB94azcpXwnAHC63MaORMXgU0jXLXAYl76OYopsGt4JrzfmVyfcv3ufxKuh6r06pQ1aBhk5S8V8Otqnt9ue/3SadCoUWSf/LhQ9wSnI0nc6lQnTv57tU7+Dy9pwRYUtHm2OzxRbp2BekuXeRZm+Ea5EdGaZTMcBSCa1RxfH3v5poAuGoT8a32t3RSTo9HoMNq0bVb9eMRaSyLEWDzZD0lZ9RIASVKtzrIFI1c9vhY7YBoP/h1Sh9BZ6OCckZLtMHsWeeZeSJqYotaq8T8bacgKkJpsO35InP8h1/l2CocuT8M7l7ACZvfo+0Cy441ZEWZFxFCNTUud4gbBhDDdal8CD4d+wfagN7jVyVxLx2ctAszTli09uJ09WlTZDckwDB5EXbU+SyrXo6eNZM6I1UEXvZ0jwXQvbufTc7e+hjk7Bp42lqhXLgu6L7CaH+6NLLjEw5ya/AK5IGihB2ndDluyS9TnPbGrL2+etDznv8d3J9/z8/DSKG4Tq3mV9sFf9gDz6ndwofLvI4EGRWKu6RNtLxL37s3R9hOMu2BU8scMTozYV9kpTmjpdVCGSdMOidAKsl4Ipg/SG0vlniqOFk/I9vOTMHCix9R+266SmHrE1EoS0BxX5Ff0sdfVtd/M9+jlQvRz9E6He8aQwx8w8uDAPdyW/yY3P+KFRkOPEd0+jgT2bEYlKUGTXX8d3FpLwIe++sO96v03YRdfQDhKQgU2kg5Nt8YX6qnDbynEHbbS1ATqkKu0+Nm1sjsVLeIsT78cZUiBXsJxmB9zr171N1JUK7CYrQEGo6HSORu6Zu7/C+kz4LaxpqWeDUeb4whPmuhuMLRQD+oRmNyryyYCL1bMlrhCD3MqKwqbs8xRil5siAm6Ncd2I32sei38u6JP6KaMbZ5Y/esGfgtCI2U7BX5wAp5XyLiyUyLFAd2bNLB9qswAHaKbQ8UzQ8Z3MdC7w6jY7enQfLvA0OGCoCd/mdV0gBhTf/f0hii9jUoM3sUh2xgcaykDJpRyDgssITuQ7Ls68j1EqX0eFBpUBvtD0twPyFkt3aJYdlQDLcla9r9MyRMzWM5fNhQgclZ0auoMFNvrWdh7FcvDW9S5UKhPslJjMbDVY2LwQ+WxPsy1IWld3I+aZXHRhuLrA6lB2yyh8q6eJxNLeQLWL2MveXzNQXsPpqKgTWlWVw+t/JbqWNRHLiGXEliPXL0IoK66nBdkwPfFdSuXk+2dEsfQ0flaKdjSon+/MC5u21RsCYDGo/02FzgsRJh4CHU4PJYuMVQ2uqWROvUHuZeKxfy7azh/8iKIwLK4oftfvTipH2olgEolrAFQSe3wsiIi78MZa35fsfEmhFWGBaeogMRHe3ButvFUIc8vMOn1WZKiQy7VDOMmiGn2rlYO35dvDlhZTvZuy0WMDlohuuMqGNrUdUHkJ2JYgBVWypw8PW00c+jQ9P4OUxkKk3A01XFNfJpx3fWdXQoKBcObjlIaCM1594+RzdX5r37JRwUD21WAWnq3o8lWaIkMgSNaYPNenBhvD059ntJrKdGPgB/CYuD6h6Kr3c/ypw2D8NEXf7CWMV2ztQqPACa0NoPpdVxckb9fK4IXJ/D7HoRFeaHn/KDULvR0tXTczZT6SxdOsd3ZfPPCa9VvOEo06wTJ5AtogO47b1/La7dQnWeI5pIVfUvvtDsKlsb4figFtDBz0mLRiAMWpBW7BlkmSBpC8e2XviMysOJLYg2dBVNOBWP6py4zcrSsGAgVholRkfF/hVW0RdvNxjIyetLCXkps/s5qAxjqU2Ons0NkSFyeZ4rQytRH3EZ8gfgB0gCfJDUDEMVby0OdyGQKw9soKUxr7tqApvXvkgRhalK7DETW3xAO/kq/v5dfaMEukiaBpf/yrRT1wrx0NSQUE2VaIcEcVUjpnVJifrjOrcIX1sAaLXYkLJ38W4DJbWoWuyUQM/dCZv935LuexEfVcQrQ9sZzmNvicyB86lf10Qo6T3q3oEVRKUW3LA3DA+oemrFugBaRxKZ34L3UDhfruFTh0CL+A687kxbdDJz1nXxBkiVWpLO0rZ+15YERmvp/oVEBKcwqVLigQinqmkNg4jy1nkP7Gk+yxE/vquJnsFugaFgJmYGMTo12ue59A5TUGmx+DB093u1I2Fal3o3lqcMaovBWCI8QSQeZcO6HkOfxhYDuxCeNIRkBwEGP/V4JX3V8gJm+iHaAKHam22YDK6zW+NEzM22hVDIS/RF/IPhwiftIsMhP3FPZRBDKmM2uPI8D5SR19L+sIOKv7MpHviE+jze4GJUhc6HDjCIgyFYVoy42hDuCCuVRHG6Y1PlcYvpcCgkXTWbCC7WLTXhTIPfm7vNxQGn59Ypb1av0TmmbkhuIpuf7PeMr68G87p/4899F/Vh60oh9byIk/m1irzMmukhgOWntDaSpEEH9Fvhzo9wniB0DnVFHSBdcG75Gn5/laBySgVyqFxR/Fo12UpiyO07y5IuG89hUmtg6Kp7grSTBWjqCVo5mshPv8bfj7FBQTqG4L2WvkPrTbn76KxcmqvVYHq8JOQ0Xiz2ENuC4CG9jOhcy4mJNp3ooim/pcfGAgLK4sqQZ+FzObJVYT6DLV3y7sQzElGjSJ6kbElULfMkIIqxmU6JUnYgIXbmfC+bRQ/fGPEDEgisPGM6I7xt1sWGrinscSDzEpvwvVtMtjasLJoSABmHjkfz0Ka4XpOb4K1TORfjTFr3v73v4HEp51gc82/YIgoslXmTLjl/tqUZLgRktO8Ht6OCCHcAWAvtWwjvfU8pcrxcw8AJ5bVodJxYUHGETj2jqgr89BfaY6YXFZQBrWQ6YfMdENRzzvRmiUp55WeSESxgFZoFzxZeobIEp5PSbIqXFbdgq72aBByZMG0ur5GJ3dcMFcLXhGEN60CCZhg7GSTP1n91DtFQCdM/V/jSyrvGA18k8la1Gn0mq/yUK7j/T9+M9omlF+EfECxfkJNq52Cx8O404yGn4J3m2oFs+qCG0iHeCBGVaeO/XUSkJs/4qbbmS/285nglPxw0uLAf/rZzsF9Qa38lp+2x6SfmXEe3oHAwbhTHwqW8xXDeluORYKJ+TH3BCUl0mbcH0BL2pbML3TayqXEuHIhGp+O1FfaSGt+F5OSVHwOwrtT6kceQflw253SU+/E3unalRSb2MPwiNgNfnvMqsIVHl0EFfn898qayD+w7yhDFFy27Z1P8Kq6FIJB0bSJcvRsMtyOJQ/Nf5250ilQMHNmnrXXJndrTcE7/jB24lheePX/4jS1fu7+U0gsDoIyfW+AxU3ff9GDn77ZUvrYYWeFbZB7tYo++MmE93GZ82ieyUOnsoJgcegC80DmtGX3MjSYzKPIMxFuUmNRc2+SbSacKYJH9OgwwkvIjQzECHfcY/AzXlOTvSk8YRRujEaclAItgLa4KVxmVcEVKLBNIMAXklVCd3eWFOjJOZEIBa5if3oYxZRmacsgvVgdEpAx3k4QBp5PXIKzGEMIMaaKI2/8+kv9FYG+4mXDaWq0PZE5S0F0pGiY/V9P9l9GcNpXP67WDw+GyjUBaepcXs99JlFD63MHFZREjsn6pCfYlwaT6k9tMfXFighd0N8bMRvN0xTN4rwnAsxmfJpYMMcZG0aXhP18j7Yg8NOweqng+LQhqPoZiS9JIPkAeCny/5PpF5DA5tKX9anutcgRzDcYaY6ltpwO9006eB+Soe4n+2utArqv4QKwYSojVHwFAIzXf21Tyg9DRNfRfjmkqtlbMui3593swghm/1TE7SJI1eD7L5urWnaAqpXZnsMiMWdWdWzLnsRahTdRaYItvTcJTEB4+VMZvVIii3u9xWv0KReyLa6pmORjJR8yDAvTphhNFcW3ZE2DMmx6hvHRu+3ZGOMW0gcipkNXrJb7BkxVmU7aorN7Fme+RbWN1jvhcSPpemf4AJ5eEjBP4ucdtduHxAZJK4RDZe2q7y9WTYU+8ZLfDEnjpSyk844h3FiNyk+YJOSWws8I+KbG2q+6uL9mFP/HT/3SrZX5/xlYnFRDfnwlMt8y2JlImZ8OHnIwgnT0X/wFXFdW7IT2RTPZVZUNCrW9HiglNMPZqWTLGuQkYJ8BfMk0AMrEXX+jukHv30nHIW3FaGOQa+KORFP/iBSk7PUXPY1NNjF4Z6aQqByC3RsEl9LA9XnY1MjNuCbga1+mr7EqtrpXz1Bx+Y6YvxU6xTRR+O59vvBU8w2TKZDwhYB46p8rplTxEFIsxPtsUtIzLpKhtUgv0u+Iys10Lz5wuaRjHKUvzSRki6fC1tuhKc24LC/AF6W6MSWUhBzOgbPkIbq7uOxDlhNwR5m+q1hlzwybB0+JFUUNSY21GnG9PvIgVKe96OYoV5jZ9wAVb8xDiQZ1ozwKIcSA3ZbNZB6d7wXSDc3fgwgwwzAtlFeSRogww7QBr2Ccr34wtx2SUDZPeNgmDJHhpilHOf+Ag16uFeuZaxvapdn8BiNAjh8AJUIoeU+2Bi077sFYXbw3Jd0uS/nvXtGjzlgPFlw4NSD34kYPgkOk+lNrHw3VB6Zo6vp25ikkqqhFW4nwWh3Rgdgt9BH4am1zya2YWNomokKw6ghXeGnBZGoWHmYsZgt9thJw2d5YF4L1QwKazebUGvUUy1p/IKxqPcWzeFDK90a0pHUtyLxnSRTHDhBBTSavwkG2GHWuuydnlepTreDyYUtZb97U5L3CBoilZBmxSJ9hM1Zy1GcP17l3nxQVMWxLAOJQ1hG++yNkQqiCPQvSKd0EyIYi2Yl0NY2QyNv0QDuVXhEYntuKYvxEtR/eyPPLWn4v/zvCCn5xiO7RMaGxRyfZM4QkBt5rHBG9zMxmfv+FcnltLpkDhXEGzrOo0yZNuec0bMr/Ta8NfU5y9886ghUk/a7W29Q1ZOMKrVtLb3lP19Vjl7VbhFmQkP7bfajoWUmp+WbK0cijorUJn2pDP4CYFTOEVPo5ezEicsXsQ3A/EcMWHqjJgw50mrDmZ+pe+bEAbvyietPseezMOLhrV+cGUJ/6AuTIqqMZFvLs5X5VgDU9QR8pAdXT46oFGAlDHftkSsE1W7EwojSRfm+3ftEIdvssYLHgvYlA8o/EmxEppN5tEUAQon9xLy5y4C9NttSevfRggkfabdmflw4+N0dCsKqGBqmr1Lw/1iSMd+81ujO8osld/IhDr09mgHMJBSuTrN3otylBhJMC14dFe/C3N+kHV3HAGK4UVRgNJMz4gywCh68ms4aoYSu9GDnjlYwHJhhfmN88oFOA4Y1L18URHqT6stwMJVRHLIr2eSO8qZhSP+MkV/I90Mu+mw6hzAIA6TgUOrlV5SILRE/FQH5R5FFF1E90wbFQxpw1n7gjgw8SlN2uwN8Vx/dlycl8ndJlLQmFnOGo0v9PovQKthIhWkWJE8Sjeleyipj0RrRvHLca5rjeD1u4ngPZMEB5I/RNnJSwjxX/uQ4UrFdoLKtKqgFJwlsteThwkob6EHRzaXU9ZBwyRFHmji3eso/BbI/88AibDfU6d31oeUEO2wfEz7iZbWvCyVI2ULfSW8vzvQpPRvcQl58pvig7nzCQuqV32nq8+Jl49kc70/HsL9B2G91Fn+9m5NCHUaXh5sZq/bQQA5MaYG1e9F9vTwnfROc7SYmhjiIG20dEXUEbuvxU/tyJLqfiNM1jr8FPof1S5jbYx8Tqia11Y+Xg+WIpJRfgmYM0r/U5djcPrjvBoFmWB9aV0ZMBfGrXHtper5E+yTJTE1x9U6WbPmMYFHn9pVXvBNMsaspXHL5eg92G+cyfAKAwtsNjaRkbqMSrdmWI2rz+ZwD/P3PcRGF6XtYHt3tFgI1JdJGu1Sk6IFBZOHWetDIlQow0kQ8ndO45fLEBGW7SX+hZA4uIwbZbhnVqND2WG87+Ox/1HijqhWe3bepzsnRf/PvUweyxXJqlZ/ZZc6kOnvAEhEK/4S3lEQizurXjv1E/fBXa0vO6x10Y65Oh40YNYaQZ0pWn7nl46MV4RIEEjgQhcgyHabBlB1YDf/n+bwoNgp4McHrz6zwtJmALjxBrL2/i1xQiMnaCALOV/4WBxb9CFVvQSCaX/G1kF86FI2gPuKc7rqwvGfTo1mrWyDJwLWhaP6rbzmzA1/OBCt5xDJTLwV1Q7shIjfWObTa+c+q5Y2DCte0dDtGxjVjQlid21LXmxMizzl7TndIScEtMMp0RBdQcThHAdMRqeLIOZ5zbDckQtOHfSpGUpm72+BpQpXBY05ZBCY/OMA1W1+dONNjvr/Jp+cCe59dsQxC2nibDQ3dgBHNKYBWqorc8U2kLym1HqSZQJbtXWsHc7ZyywZXDyW+NQw+SQ+tNugWWrhQ1C6pN/+W8URb38hke8S2w+AVVVSSGuhMxl1iEKYBt5t9qum11MsbPp4eYbvHzHvCJXWCPJI6zhbxDJ76va6PyqcIc78JG1hTZPHb/TY8Haul/1wBlQjcxbj5bommhqD+5KwOvLByjyOQ/yrA1Gxz2GA1U+x9MgQHqQ04VxLoigIhgeW1IPpl5XrNyLLO9e3o6KRXqLo6XToST1HU/1MSGS0PlnRmNy0ONeax+GANvQfWOSDeJCUgVHlnEks9hg+r0oBIOgPRw9Hhg7Tx13VsX+X2Ol/+dH0CRdhY1iIqh++yc3/v2Pp5umrStDCQUCPpqSRi+lg0UNvTkvBxhfw2+qWMFUU8Cx5bQm7yxv2YSwZkhOiD+9W+LMUeA3leiijK6w8eQ4onpYdFKxCEX6Sm9WePSmZIBMXAqJ3jZsiiXSToojSVPRf1Wkh/r527iZjl7QbTfdQB09CLxQferU48hfN1si8swge4Y8SkfR8SZ/TG62RsTtiLYICOuFa1oAIodt6Vnemif/pkuWQoJ9yXP/WrmT7trUTjXnFY9jiw8E+1hXapL3PqZhdZFZwQiY9K+hinIMLUWFoY07Phw0UKSmrBRtRwVIp5zilf8NeHEuOMoyN7aGyrUC7pftYyg1K2KVmcaAO30ik9z4Y39oSpKojX3BXXaXcymQJUwDBy+f0pKstBdEe5XpwXVkGnJezpx3NU6AskqHfs/Wo4F+Xu+bhKG22+q8cqmKYs8lsLSVQAYl4JPsYtO21QyEGc9lIlbiJsGKm9/DHny/TO8jmnYcNOcTNx0vOwUNdyrpPc5Rt332ljhULK6GO7qDEyXELggHofv483sq00f/zVtUlE/nqH+uo2RXO3tEqn15x6gmrQ9hpQi33Sq4chbXWoHnb98vmryGn4fibxHJMNVtPmIMDehGolZHP587e0T1twSZVc3SR0B7awy+g9fN7cnvwjIKvztYnOxoe4m0GLEH8w82mIyihtwhad9ysxHq9j3eqNJsxgBYWChuuZMAiLbNoPmpb2taRdSq6dlE7v4BHbPI/KOXM+7ZpBrT3h6F5Rz4P8BJ7d669q4ZXvHl2dxB8PV5U2XKOVTcr7RDUcQArOrStDToQ4de5CgQ9iFeU+mmEuJTDTO31r2t2DjQ10zu23WhOlmZiGolZa5ATeDQeLLk60OQq8YCAgRLchEjFrOKjM6FcgUZWzU9O6Yv3W3ZGuuEFRcBUmExLdqsf9hSJ4YHQ+r3LcZAexRYZG0gZADWiJnUhpmO8/BT/v1kyD/RHMbKGecjUu1ZVFv/GN0USY+QyO8UsPxn+ImMZrFkvZfZUOgXu9k8Pe0pu46WEdwege+Apx5sLnk6u2Z9vM7EM0Gdenb5lEBeJXYoq/D3XOOQmoqWfKPTIOwmfygRrs+Gp0AnFH/kTqUYAl4f/Sgp4Y0HDm9MKxD20viCqCAsZy6DJfamcQsc3eTqnYDSBsUfEYN27cAwjoK81l3USvnGSkKXp8RH7wTfO1QjwiJzAlIDj8IN+qRQaq6MvF0mk6y9z6DkfiFGzkFIdeL7IhhZTBQgM0AEA+RtMXRilcbWSp6EEZ7XQrhKiYE/ZN7rCw2BIKVj8UVnbv2PkDBephf1WvT990LM/otbP0x8d8Mj/vfTZKlVnwm1O+aTCTqqswNQQoYUrk8lMk1gMaPs5tmQvXYMDO6O/vPEwSSAsgLAEX6GoN3rxAuvvno26kpt/24BAdwfjVY/o35QGqZrjHRz3HI0tG4jJ89asd9eJuTETvRWTTOAiaWIdauk6Ec/IhqjGpJjqLxloMwwpVNrUGXnFIOaJ2e8XmcErLTVz+vac2hqTWC89pGaGtrdQcLi7yR0kPRaIdwZ9V96ctuAXyCaq/TRTzFlsbI/LbwACbZIfhuFMcseb8+rhQXyLG6mUrAWVj3IT/w2HxUuPWb5ZXvV+LokX+FOWgBxyYt+P0Yo5PHWnKHxyjokcLR0xcpUmeZJQofII5qw4h+KmDXYt6KiiXxuN7ApWyJXxaqGxCif75gP4nRBqI4ySox1AEtDfARRtR/spoorhe1Mnw1bexnhyq3qobaXHHoYg5/zfbyge8+FAF6JCkkSlrR5i3E924/g37BgUIqodimtjvhzLMTAnkZo+HixFwq453CE9QH5doi12m/YCgZJmZnpD0obOU0OdyjMLgo8IkHoXm3JmnhmatRu61YjoUq5GPv8zvFd5Kh2rq4j9guHFIG5PZH3vjZ6njBnuTQK2B+E87q8gkAd8xa8iSih/SlXhGdX05BMEmvBXDtkzLO49s4204TYsVmRDDdRYOfoKe1+K2L7CBTmUTfIPuc8BXU1tR2RKaBStNQosyQxqzf4mLCU8vXDzo35sEnl7rv9yvZIfdIfZU7U6fkFXI8buJhIMoMwkKC7bh/EjiZIIRBhZG7AGS2dAYuG/ihVMqp9g40dXmIJentxgucPnJFhbulccxo58bfhbOrSJxGSj8/YdZQ2ip66gH3wJpZUIRj/E9G5Nt0PBjL95ThI31WwAuJboY7L4OcxkfKCtkIoOSaAsE9hPvnNyatfR15J6RRKImRENuNzhZ2DeKLtPEAtZ0g8v9zcrOqeGL8RxelmfJDMUfAlKN714aVWocv/dcAoqqEFd9FNFD7dT2q2lrlk2amA7fNoOdD3qB0fHy0t82hLUiK30DSY5bVX8S67THdlhL358gOso/eqlyZUxbrFrzeFJKam6E5mUDonPp3mLtWtQ3XUO80KNNjrLbx9lfMrgjTZqn8j7dJ/8T/GCF54G7POktQt7nnPKz+bCFpUBaKFYmzvJ2KkejI4XnBdyFDCHwLwgQRdJ/3C6qKQZPlem5SqqTepUJZXOcOq9v8KXvvDvT8MUqfjiZP1rky4P8gifZy0UOGBBjt4iq/j+PvVvuWu9FePJ28ZgSK/rfhRxUJlvWVpyEZEegivpP5rOctNr4ftFL2GAtUq4cNYcvCpkjXIzpnYN5gQSIDJZ2xzPd4OP1BvECn6WlBLaXsfab/bCuCABdCxBlKi+9P2U1MYXlHNEiFLJoJI1Q2nBkAyRDHsemcqgI8wfrb9IVO7kV8VrLDa/u1i93u2EugrZhVOZkUEZut/w8werzi0QyvTUkGvGGGJzmrxyVu14lZM2UxPsRhhMT8MMjUju6oxel7zf3NgRRj6sVqS04utRZ3ffVgzWaENzwtPUnNMJJTCvZCpQWjzLJRA1K0kQggYVDJnqmLV3qCQhZJ1EihhJdcmRQlWtrTuCBG8WF4awV0aQAWfCtZiWgG8y/iEQk7bfSwoUoJCYUJsiC9mNzHypK9tZzm8Y5H8uKRgI+J6wn6p3L1d9FHj62TDLMz3vPzIXs9pRJ8pWaR25z+UxKhvFmoReyw6yzthzpZ2mBm+iji44M4O4MWGOjKfmazOBPC9T0ykBx1q3YpwbKrzYiZ7R7Nlfw8dJl+tqvE+FCrz0e/pWR4mXoBDRO1xmSuOY79yRqooFsLFcCsVy4kJrACy9jTDF57xaTEcJeclkPR96Mby6qqTwD1B3nHhq97mPDGpX6DLyJ9UaZrU8ZhJMzGIuDO6ANu2/50IW9Ko6hPnyas+VTc1AjuuKfwFnSkrcs0yQNdmUFDdYP1xBIzGoUxDAU0oLp89St9tWkCfedKPT2Os0GHqWrUDUpvF0Xo/6PYT7C6eWuuvTqIcfi+3v/AYXd/X+Y+S1kWYtORZBIMFNglGoMJfq64kY99R6XW4CnVGsR2djJBkaIRN81/at0zjQz6QQRLhpEs1D99NBpQ8fT3RcSvaaaysocDxLGlgCOguXfNquzdD+jm84tTqqE0IeIp9nk+PJYuDLcowDE8iFgeei+2zAICQde1AWXJyZ84cKDYS163hgBb9B5p5iOCRrnmDWZ8Ud0JewVmwPdPSn2NCas0mvYVmD5h3qwHNb44nuUg0PQ+EUSobxIbcg2Von/TCHB19To3zbkXEUggQnMTPms8u1V17RsaAxKiP6/6GCVgyLpW4ZU3V38aTFcESYLR1nYI+gMMhSCXAjKD1ds4az8Yc8ReRFvzSEJXxKKFICqV4k1nL7zxxki36O+XB1SrpcRgZKNobO0zs64XFzrB+KE8loZmM3Dd28wQp222bmMziKaBWnG1xsWG4y/d5bLBRyB+HdojoLuMAediqpSghTjlFmrm8RTKdli7zSvIYVkgoYDDp/+O9v6L+Q+pX3fmAngy8ag5wjLeiHQiPXCCOHi12qv6CQ6ZqevXTs9AusNTz/31iFr2LdxSMPYA60wLDnYFIiio9i6C++ykiaC3Alk8VnymMMi0TYzy2ydaCfOx8LEt25iQ4tKCkO9sfvfgDNLpyI84SaiiPaEWpqb6xuk9bWJWs3nTF7VxDgFV/mPAR2lRAWnD0dezmpLB2AlF5nwIeETJbps032qXjdku4fnHUMN4PGu1MFdhl/kU1cpn5NMis9/XHVErJhjpNXbREw1uLu6ziwy9PysIk/xpPhq+h+rIiTOuTKd6rJFiuvIU33G/TZSpEmVJz32z99FqnDkcDtvECgPyI4Rd4UjD4A16EM6fgPKoLYzOrYiAKOKwRXMdML4atxEynRdH2YW512ZX6+DqrwzwdWjw9anSQjRKquJJUfwneMPOvT3frS1kihNGlBvqDbcnKm6dGVZm253Rp8niNR25ZmJUNdNL2644yb5JXL1epRtGDFfVeTR66jb7q6GjiZOGk4JeImTf9g1mvgkn4JfJJrmWVCmiF690DnEzPLHAvWg60QaOQIyliDncEtZB7Je/gXpYdzhp6E6F+w0Nl9kHUHGgolAFgQjH5rjkdRVmQe6NrBeXCMjqEgww050kIdof3vIgDvsNXAwGUc+43H1lXrKYPbPZHEEGii3tXn20bGqZbYcbiTNHjghsTro3yNA159Ua1e3c4oXQpZ4XBiTY68lkIqX/8PQXNs718CT5/7EXMC/KKZa3LWrsdqF3F53x27j9WPrWhgxUDl8a0HpHJk+2iIcR/05Z7AZWVeZAq2jAL3ye6Le8GnsTRlGjEPAhKgoz2w4foNSDFD/HZ80Tndk3AH8g+3e4eW38UEuo2vhibUfPgr/ys6VkmFJ8Ey7dKrhT5h0lj3x8RcJJwOsHb21Mg7G/xkNGRqt4h2dhYbU44iU4x4/jMWuLXVsjSBbakyI9FcYImBLgfOdXxc7vbJodelqL8AHwKV+m/Tu4nyMZPJy0iWcRZSRsDy8h8zGpIA4dJySbMT8c68QuJ/aehGoFbQ3RowRYHO+NRg8Ds1RqK+UggDTEkLJ2T1LtmsCrh2BP0fcZrhgKpsrl2gwb7l1Owzq/9J6lDsUFiMsiFAGss+iaL4MmwboYOTAaMKZeSnLPUo4udxMlvCcEg2PHq5sVASlcy6B2NCSdDRFnYfLiFe1NuCk7ZdJazg1kipKFHwnD+U+p5xAdelaQ9JA7p7rhkiX5YvWcvBqbjidfy0AgqQGQdqK6O0P4pJzhU6rkZO7FEqVuFnmu0q+6APfxKHRKZ6MdeLl9i6QYOJcT7yg7XrlF2WfVnCYAARDtQGejTnfIu3J4GifvTcaOckFrJE4UxRZlDkYzBmQY/7s/PE2KVZTZXO4qVE4wkSetcfbdZ11p4RFoVo4O90Z/AQm/7jRlZWf2+wmyXWa36/pCO4SkIzde7AwSNTZsw4RCPO4o+Y96M1CdXp9hfsT5eX8AmdFn8qzkNHRFn7NZFMK8Jqe0ZN26XZ4FJ86daT+uaRn6TK3bE9c417OaDJ7mlQ9t6znF4rlV22l+2nQBA+WjqKKz5vHsCUVCobBZq+Lwf0ySrf4URK0FnV4P8DuAbZhpTXqxWK8VpcPgwmy+CWd1AeYaBd0LGuKSRwSppIB6qkG35JmmSHqyvsFvPBztU10b9SK3G7KhtcoX2w2orm9rPKORqg1tEj8qH495lEU0NDHRFa4gdwwMrCrJ+CRlQxiEcSsIBAe8z2ScV88w7toM3g7zjQXFa1siD9UmOhi+tt6XisfQD/zzb540ddYOCc7TvFtuJAc4/lBsW/60tCjO/PgFouqpS2ci7G9AgquVW6jtJXQN5tyZMwP0lhTjhIk5a+in9EV0bBWL3hnE2Maca3kZF8j2d/FIzS6bLfIJz8MXydrsQpuBfhHoOd0QSuLJuiGTfTjtMQ/pytfa+is+EgL0KQG2kwFxdw3SeVhcc4QCQXgZ/RlKinVSQE7Y9RaSjAis6p3ks5EPMbRz62l5MAVJ/nJkygVISbSQyEyuNItyOWzUOj8anVSWPsyZ/ZPVazngNvwrSWSlNWLVhleZ6XEZx77Abn+0EsWNerr8H/2oKCgKUnnEGI+X4iSKE7MjVHEOUwPA045B0ksbZELD7QQ+9s9FD/ZTZaOQLAiO8eJhuPVmf6i7AHJCgmG2azLKpJKOoEGUz9HvuRgm5etsH4N8n4yQvL9y2uBGiEuSM5lPkEqo84kloNlBMCd0nS7GQO0mCBhdypanBh1Rzj/1Q5AmYULcIV0bALAvaYTnp9eRXbNTswQLK3tcYLq53rPpQkXFmzqrdidZsuXZEvy9XWem+2XkKeL0Z7j59RXDwhyM4Fj+7kKeVoNeNv1ZfwBubYTD+ssIprwJLko0QYyt8IPMfZZjPc19koFPcIdr1eYOZLhWb0ruvahRS9KXgjeZrYIp5w7nhFQi5ZTM1TY3nZH6naSKMOsKlk+Gch2vqLQAErsX0jEsguYgMlq9T3aCefnHM1xFF5xkQVhoaAL4YSidM4dXaZ0p0ORUlr7Z+Pirr3rPuboCslWNucze340kvmOGzo/yGQLPQwSew/sSdqMbMbTpZN29DOzfLD6QuRZax+cTnf2yNsiLRlu3FYTB18fRcpQTY/eGLQ7izq+WYv5nXlWTvjC7pk087PLsiKBAFVjHXz2hhVeTtqs+1NjJdioKgw2064tBRJbaqFa3lfp/02IQmGv4JmSQ4IPgOPsLxgghlbqW+sifSPdLIIgNTEMJjJYkI45rkTBOgHe/LWFtXX3Q4y4WObdk8p9EH4fVPeJpn9dqnza74mMxT5uXLK2d052YXZrI5W7yjQj5WXuMzdczanRgQSCaRd+FhYpUtCU6lirEFcJurByiUvrZSXUl9u/84d7gHzId3TmydN+22o0LoknugkUykK379K5alP/CwYzAc4xIyC5Rzlq8ZMQ4Zb8mswI9xYPrkFvW9nWt36CbRWK2Byp1UAj2gF/+5g1bnstS7/zLTgzGlWmbAM1FpaZjh/KhvlEfvFVrxH0FgiJAYhNXGtggI70v3Dzfwvn4FIfjOtUPwBuscByrGgzSGybok3nDYdOWdM6neMA+nOio+B1Nr0dam5ctl/SwgsiSmCRT70YJVn9V66zKrzXdDIiO1NfW7l16Jk17wKaYrPMLXKn5dghWa5K7+YlhZ8BsjDZbZLji6HZ3FuMQ13Dt8gXkqUAXGooIWFw2t/a4ryOTIo2qNkJEXlKk36jVw8u7XaAGWft16hsSMdhGt/6ef52JHCZANUQxDdTKhZMujgVwtzia8/eBj8U8cpRSGUgDCWJA6e2DsY75946lHpGDLo2byDJ5fWj4mM6ikyn0tu/GUoUpv3qVsEfmDrDLUvXQseipmgQyWN/FsjMtpwFzrDRwmgx8BpwSlvH1oYrweRax9aTxaV/F7/JamhHMG2cmKpmHkU8lf0iNzP4k9ObTHyByjFOSlFVd/DpgGMbl2V+FBSS/pZncLM01p4gkv/bmLd2C60+pxSXMOBh7Re/hsMVeKx1chgBmffuL/pEr9bmedeuX++lultYnt15uzM25JMbgTGVVl3ydRiiOUFHeU+gSKJBXhI/DHOoEjo7BnqAGdETmNCmYJx0cjk+V/L3t+jGmYRGWVnKbRtqyb3moHJ3YvIIpt4tBkFQVDnVKFDc+aNtqmm1P11N2kROZWCEb+jg3pfSzl1Ggh9wAKMi+4lQrRIYyBph4gU7YGQfFVAwc0Vi5wp0ASX92vj70k26lxwrzNh6Hkzxbcj7YIR4gzTAubIMEE/o25mOl04A16QGMN/uy1Ox2u3CCpDCMjoNaQrTk3gZMe7uidqP0P38Jo7BwUw6wC9BUBvnRSfq6zD+PZTpx/ka0MOS5o7aOnE1lMGUt+SUR8avYdkqKaGC/MvlEQ7VsTnVNfFNCu/NUBF7Fuyb3fg8uYTs/gSL6m744eDRlv1sb3Fv1/KzidtUB+AqvaqlbXek/QDlRh2/2eZAfU8bA5gowMq81LWNAfculB3FXbMJq2Ws04ZjTuhVbnz3Ob2cfHjZ6BtiBgxH6heKEh9MGZJatnPwch04ls2wFZwDkeaquQsFbcAlMFMJJ703zfLIxLBWhf/FH+GHC8jrYLxMPtf1WXzFLCSkZuhdCS/bg+67Ylih56/H/srtAwUVv7QOya9iL/IN5HW9oyFjk8emH+NmdzJKAn9pvXqd0vn9zr6Wcsp5tcwLZClER8FHL/9uftPfFUDgV32UqNZ8DmxZv2XED8nxxIxS6nJycmttOyk6/+k82H5+wZ7scPsIWMpVoyOBW7sz57rhHsTgiknVWc6JuxA5wVrgb7/of0RFTem5ON7H5/t7zWTavXp1XWnZZMkxeKrcGf/YWwpGIQzEQl/CqMpEQ22zeYi7mg4yPuFWbmo9Z7pvMs681hHc4r16n1rfmeKFGRHsOqa9LT4G3OTbNOKSCCFXDExS39L65eS8y4sD4Nk3LwppmhtZh3DZlFBHYn2PLqd2GdR0nh6HYnAbScdb08TO/GnwOHM3wv0PjtTAt0xOYtPwHwWS4V50oqX4lltTaJ4xfzhXf3eP9YCsU1lP09ZnTT0wf0x8jYkaIdK4kEvNmHuXm6gRPkfqSg3T9CdPwIXhuOvk+8rLU9Guyi9t1vTz1BR8Fi7/MaPQ6dnPIJcFxtfB22yPfuS8EmRXJPpWr5DB3J/ccdRgLQIyTuBaT+xJLMq2dWbyPZpum1/Rin7d3puGFgtvDNbxrd03GqW+qcBWoWqxol/bQixSqb6VxPct+Un/CAfMW1EiBMONMZ+tt7V1rPKVhR2+nDjBklGH3m87gPE+iBU16F9xftXWX1PtNUabt3bX3RlsQ95LHPSSePck97i8OLjKkcAHtyRiWU7pKlMHh2bWMVQuieogKJUh2rPr4xCf5bfs4R07R9WQWkDEzjU38pyEmYZMVHbbSLnvXrM8/JisH24epMH3fMrBLA03w5xs1QE6DBNJZiMyEc45JVpe+eFfjEwGF2QK3BWPU5CuW5h5UJNAYVpcu0RY2CjMTMFEWAN+8++nt/XddEJcQN6Ndw6DIFUUW+yE1KPyHCeZo89liMIKz15oQb5JDUUILxJ1YbU4GhXT1M1negF5KA034vLIM2SpLK+BLbYr1nCdMrNGyBWW4Dr27EfKngFvv9edRmsTTrplIwKLIVsnE8mWesLGR7sieNZB6eCu7jxOKXi3wuRBY8Ig20lSTtSz+AkuTnZPAihQoFlqh3HpVQgVY54hUkOY4wOyx7c3AIkjFk4uIx9kB4W95z/dQXMdYJ75X7P6gdHa0uLFPb5xi7n2cFxAMzRa4RI/IxY8xdcx8gJmeFTPiAC5S4aE/GmT11DA/CdOXR8GVW1DrZ648IxVLvsEGwBulnsx9NeQ2TXEZfzBDIVByUFfY97eRNaQtn2EAF21E2BVnCjbanHDKWB37ARHsIkmVILBlhrZqNsn63yb0viLvI40DThFtGpcmUYRtDP+KKg5H1KPaW8/f8jd2Kzhu9+DAtvFTu4cTT4IByDoKPIYsY8g4TIttEnzsCe5iKJyr2+llmGIKMj9cj9uzRdEQoVb5XzjJQO+H/FoulW6FaEXf7jwTLR/CjYV2dfzVdXLubTUFkAZBfYDNQySuIsmltQXaZQN2mgTFCntGv47Wsn4Jnqet4gfn6sVDo9VfI1XmiuYuJNdRkTHexCMqh1NJYjUQvCxAMklpOdW8gvehuNz5rTk2QxThlq0baAR2OxFFFhQYsVBwjNbNXnyutPN0B8pUe+JFprTPHpZ0DXV2iDU23tdtIBy+hvpPgag/PXmpIN9bc3mvU0evMM61FQ7n0rOrfJUr7yrG2sW9Z5Fn/d97MCyzdr9XcVGjBEjmjPNVkZ0/QJSdJVp71yH0a+tny33NRgBIKkU7h4hF/ROedgRDQ5siNu1fHIrOMg7Ffy3XgkBI3ZdBll6F7OvIPpUQtyxwkNO73clTATRUyRMJaKQgsEU5Aup5A1sB4rfTAjV7sTUfVmEJVzmVIHmsL6xT64Wi4xpwJAGjMHyn6pk9ManYzoDr/gdSCEza+FUB0FZI8xaGmRrMBbAA9BQhJNr3VgMOXe78ZSND/cCFgRo15i7ApYLtQgGYeDFlHMnszN+bxgCoeIGd6A3yBQ1gkRBXouPhBmGdxuxNMTczzOe9KZvP6PB02R52MNAH8b2fDhvt8BzMTM0Mr4C23OTQJBSckIhivMyD1QxmmxtU8UEmM+6POjqT1zI/Ax65doLdD3bO9gTEkf/O49HMcfk8S9rRsv8FrO71LNMaAkIfcWi2X1pTNymvfjzNOOCzUDOj706n17LwoTInNF/MYCc3LXX48wgw5RjsjftP97Z0u/Q23iyI/zQoyoot3QgPFCl17fchpBkE6NROxkD11DBGEjwgGVjGsO3A0ej2NivfwKbHiZDZRb///6h65cA++pxzCw71ug7WXtjgvxBd5p8fe3Gs/S7ID1528/x8F0O+PChJfXwwwIf4p+1/RUdQ9YfhrgTKp2H8bVhz7+c5UfukiKKzkgMpUQD6H732M7atcENHsiX1CGAoiUgS3rpSpcxGUY+fuY+z0N53GYevab1RVg4U9IG5D7QJUsrAuzqQcmoDyYp1ARQYmyz8J4TPNn8UGbSCqjm7JGwdgl6p1oxYxm2KqgBZjTyQlv/jMTspLJxLUzTDBVP3gKX/GIORCgzco1Rcs9fVn8bcdfyBJjPhOYHx9OMTExdK9lTPVqGg4q+wIzVB8Uupl3BL6oZm6v2XzggJkPZDT+VeruSZFldMP6yys/VKNZAxqYRaXa0fITpker+yX1/1NqkaOgsHyzYcCNX5IPGXdNN0d40lF+PHCZZiw+lqQ144ukWLqyf2K4IoeOU6o5+Z30ei6fuL7Ldbjc+dG+3qWdbVkv/2Xs41mVW70AWGPcz5Lh+BHt6/ASL2jmZmhrxVqwhMjtPXAVTzuoBBIBEYnjlLRKLBib3ua8X4217DW+cghxW0Vmol0I5MPng5H6rQSm4dfnEocxRnqE/23Q3NAn5aWl7P+enWfXCP3w+f2lqwvfRwUI5oTVf7K6K+3EIAf06vDpyJlttgPbgMH23tz0M3AeJOPciVRe0xv3xyuwgsW1UmXHesxHi1+foQvbNk2BucvKYC6QDUJBL/6wo0kzUkR7Ma/JwZTxVz96iaMHbsOBj2OFl8TRB7bVUSzsPakzP0ksiROAmSzT+SGkJn3zvgpN12qd5U/rGH6gnb5NsnmcrTl3FrKgRSqHSGNCv11hmHNX9FDYU6Oj5p7kVDavQ/A+isabRQYZ+KmmiLCXXn9gwuwhTCsInbxLghW8NZg4hEaHffXGnSrMspYw2VK7Fdm2FgopD+KCMPPihcfcPjFe6yn29OWzYKO0Slsbw1aK2CcphfAXuWcqQjZQle6gXkGPKGEIOCWmB2KQjOXT7x+Oi9nOFUBLXeEjD8MUmsqEkT9rPsaqRtPK3rmphTtprKzS4zFppG8I5MeOiRFa0usF7NsfngASi74PxWABKtHfaNrNyTlGtud5Ut4+Ex88fRArEbjvdFa4sNhslf74l/Y29JR9X1BM+FDgFRbuU0GQHDajjl9mtzEksFJZsjm3p/vxbdBUOzPLJQenTCNhxINKXytt/ifSTwT7FUdiN0YdwbfVW33QVLisC4sUZwSxf240uI5vwygjFH+66CsCMFB3L4nejv+c1jluoNKSx237VJx30vEECIE/LBvr/9YxyyUYIwCaoom1JgDWxg94ZMPPLUiNLEBDLI4VyFMgh7WlSB0UlALrRuTrquzyxqHAHkhmyncQ5sXaokyWkVChHl8hlriWbJKHA/4luu+oGXWysLTmg074ZmBAyiqY85/jXS4D0AGQS7XttEJhOGDJAzpfo6oIcDFuoHev/ZDDpYaV6WofXV8t/wHqAuipmh2J8chumHH8PZcn6xazs96cmp621SpKtGYULiRpFBRVAXPM3ig5Eizwzqp6MIdh0Zk/pjDkLO/KMDrMtTePXDjtUtM1OTHr4x2LBpxtWXe9FK9hysY1FaWlEy/9ETdfS9PONUk4OIJaxb/5DAoNIV8/ufhVpcJzOeVOQMobqJD5uzfzQgHKbSI4FqKx/ectRr7zOGE2jjadadZDTHpptEhiRBytjlM6ZQkoe4ZbptRleyAGehEmyla8cgyP9ISDHDEpEYCPEozLO85J1YnQT4jx+5/JkXLnv7h3B/3dYB8eQTNmbIAnk0YSE0gqZvkywbuQCTwvy9hRuUZifhH9lSK+ese8TpxXpiZNCFuBkG/DJ81ZCdTEyLCBDLl8DbiERjokK7r8DFbMdeLZb2udJfBsc3IXLkyEiTwqYDGqQIgY9AmSuxImZ63J6pvIclzZYBOw0uAMJoSCOCjLzlcfvZiz9j0N+LA5CzNFLKsgh3mnzSua/RYWT19deMIDG59AH5xM190vlFxPPJZS126Oa77hFqtto3ezzaun/yED/l7AAh0LR1Joj4wON2t/3cwYdhINs6yVNicJgcuHLGA/jOCwozfMGvHLs/t0EMu5P4HjAm8//HIv9yfWx4jendxc4kl9fvg9t18qAIidZJLHENOhvMdMDariPG4dp7UoSRpwcQWb11Yptdhmkpad+FMbR9L2SjIbqSvGkghhDt1mzVCQgI8o6quvXLf5NHIgsCkwIg/Gys4wqP5eZPrP/z6gj99VHIOQVBJPnw6ol3aoAKgZL5CjMyYqwNz/7/GLS2dVg7wSBw/mzeiC4k0APGZb19KH+iO2T9/OUydB3len5nDsFbv3Utgi+CH/j2JdbUlR5IcYI+odD8A18Khs/fHDu8A2xceKfWBWv96Jz5+sFkbSPWgsNNfE8Ejmo6sUmxrGZMukI0Lg+bjGQXj14FOJZEi3/ByBdviK1kndJyYWvnTS6FbLYgsOiOSx4d59XSIiNtEUPPp4kLGHaeefgFmBmFZk2U+75vs0R4li+6OirdM0FZ+PJyrHnlRJAiiZDxnQ6jM3fScvHVsRPAvJ9ZAGdE9y9ecn0SmDgLrcNJ1tGjuSp368tJw+mE26mw5PblhZcdCQ/N5ygCwrvLLO5ASyCBSSwuTSdoW8LIh8S+AlCr7SQ8kFrz1+G0S4uktpShdqi9zd/sHjGhTCkTJRUY7S2/mHyheduN2GVcCrv4uQHexSuHWhxD10+KoLiR2XQ9b22GDzEaeZlzFIDqbjAS3AKOijYJLSvjqkwDJJu2Z5pxIm+AEhMYf2VkAJV8oqv/xrKzkIHVMTeuX5ptBpGDRjyiL71If7+66oTzK6pTA9u69VMcE2D88iwW48jMizZsidL7PoIrlo0+ashZcrmVjdTvieUFCLwEmd9x4OlQY7S62vCMxyAKpoH4doPk2HGnhgsvMZHNIzSLGMcmJDTSMNJbHGxf0ARu5QxhKJEVpJU5Otve/fJLgDdMUtzDA6MbA749KQUkMK2RMN+rcuxBWtFmCC1KDmf6hw0C30T2pZkoA8bF005wIZmTnDDllDxPdYDOAQAgsOQWqIaFDnVVOQIRtRYSiuQTb38oN/b/kwrlOVLSUw/UiJ0uZ/fLrV0cVeqgCuiN7jvzvDmk/8pMTJO4CBqFhkVKwWWgOoxe+apOkFYqHa+v7MC5fm/VBlg6HhJhcknGwPHNuH+TgXBIr5wOS2qgWeUyQffUw9QVf3e/EuYi4h11Q2/kGJtWe6jCKlgNpHcuwM/jeR/3FAE690O9Xeen8NTpteLt5l10o6d4hzll8Ftx0LBL1uL6PRUO+ONeM1EGcijplyPCyG70YuPhBFGuS09CXgVrdUZkvCbPENn9g2X5YFUNhHL+IBaHckPF2vDImOp1K8KFyaURq8GZ9bf6urkspTN69j0Wivu76hL+FC2tnkvx3RvRor35e1SXxZrz3vZBiC06bVru00RLTS9nJ2iXZJ4/W6K6WXj+D1OO/ZUd7whxy2fM0vGMlaDZL0D+SrOTg8UiliF78Ra+skLsHdvtJe1Kz0LDv7tE15ZyIZsa9tD+MfQu6WMQCmHL6K7O9twKyOuZau0V9ISflGskJlnJ5G6GEFwp79FeziWuW6NjqZNN3eV3DR7RNZK5a/cW7kLGMXZK1DOFpuKNwo/gl/mFw7ri3xd9I9ypJsR2FmBdm/qle78wMS8g6Y1hY2N8u8qbpULclEr+AM4Qo91ZzkcbN4meXTjpjaJbuv69ttKNvjXQKvcPkpVYA9kJZ5HizO1HFQ9HS54BBSXax7saImhatakwhJiVOygvG7V9MhQDY191bb9thSpCw5G1oXJYgZgTr4nbSTob3/bqnELKpdf4Jp5I7FtZ1ybuH6cf+CZBAyhwEtMAK/fFVKBX4Pt6rIm2Tm+eD+yqjLk62duuC/1w1qRj8Rwqj4KEW8CgLWio9VU2q2tIorNGmUUT33VzVcWOV4ZWe5rppNYe84dqZQYodSkxY/M2aL8AxMJsAU/vNQRIPH1afNZ9dR9dBttFdEHmseEXYvQmOqGsocy+DOizU7pcTE1RKKHgRk93Un7GrD+Ct2BiGNTD4worcZuB64XR4ahYFX5Ex2nNCfwHSuyhOFubGe+r1x6kLhUufU3cwAZNUQVzNxYAAt78in7vlBafUN2mnzou/LzTwXxtjOge5lBn/aYOR/0O3eNK/6eB5hXQliL44zamrbQBRAsZ8TTVmOyna5I7zVw62uoVZRcZp9UTLhNMhvYFcLMFXEvkgWOysfNb+6lGTYREOAwwnmVwLLNDWH1O+1auhEKrANJTNqVPFmT61zEdfMtIlTchmX7t7mZz4eVTqHdq6sGiyNAB9giGSCign/Tf4EEK2jOSiD2W7cEc9jOcL2eLElr/0YW2mnoRIQyAIPWxdGvHO9NNFYrGxhNJ47PMB++0gujn0wchBVaSAGGC89rD3jv2YiDTGzgPEsqYjJsMpdX89DvvWJ2nmUxV7kH14++8lUIZobVq1o3ecdmIwkjLs/oNM0gnbaROVsfk315ot7AbVdpbq3n3+AWvcgwDfOEjXH8ws+YCER/V8eCqSLsm/2oCfBqi7J1p2QVZhvgBEO6uwNxCTcKco16iw6PnsVmEKM+Qm4OvUy09Kk/eBEIMrcM4u+xRg10ToIngYHe/jxU24jju7YCF/wjb+4K6K0aIGW+6BTxG6Nz3tRQIli5yWOwEffkBJLux2TD+pdb5AugwlvvxcyFjyOPnOW8tDIP6tjQVE/+Ljeq6jYgSe0AIWfWPwbrnHlPvQrUUkdh7eNzcb4q9n+edp9mQc1tcBWPGM2FeNwltXOSahg9vJ3oHHB3FPFhJoJILPgRNRRLlRB30zFPy6/XvQ8on1K/7aVCc3ETnSIxv1ljXuAZAguN1fzvquLLLF8QBps5i3kiPc88KQI0xae11DWIM1RCcs1PGM0vNLml4jQGTvT3NVqNc5Dpu7XtcT5cdbPq8+yfllalFVPRZjVXfngJR92+9t9CJj6Dm0Cn6oNPXtLJmyiit8NxfHDtwBsllSrXreF8IZeMFFwdc5Y9xqlOx5KpqDlNYV2kassMkrd+SFROhax8McBb9TLcAH6V1mx3QuK475OrMOGDjVAw/iRVZxnY6XraRMAAeXUvyaMt7fPlCgkHsMC7cGW1C3ioYt+Bx3jHDjUcBb5kLaBQWluhiJLcriKbnkh+pfR/AQWTWs5IrCKNxmlItfiLp6aO7qam1dGIR3hhd8Awk4NxMsCaA8lwedgCXx3sbRZhhCK+wjTp4umNTm3m6//gvUvwW/Yiv/W4b5sYRe+To4LmsdJSE6MbplbHzcTXhzrTz4NiC64EmSuBQ0GW6iz/uMFtUnzHVxPQB9TxIIdtqFcCbv4ynPxn9vSQjR2T2BPvInm2P0DorGULJp43XWyChIQHY3Np7NF2vjHDV2BdV4md0dYNLX/uJjeBZR/WA8AwFs9uBBEM+0RjbkLbJgVma+IPovh0/pt2NNW4PsJrP42AEXVZ9Uq2ZOTkfcHcocCQpeaejO++4LASXQ5VZtUK89mQJdYCSQyFqXYmU77wBCcAnzk66xe7V8y3dFNNG7Hi68h2O7amzwx57sonC5zK8tGIjLkbLdGwh19y8dVsxmMky41GzMj/9CLqeTYba/mWSL09e/WjbmFnseDEho7TmmhQH4wK/rpYl1k2+xkAJKz09FqRpqGji8Deng7EK3sK8oFIdk+kwMWez9bJ+HMcwXy+jwq1oguir+exjhJvh+Owj793vfEIIgUT/dQIreyXgydpA2CWCUZyvVGNwo9atUOizwnEmOuNvk+Yzk1+Wu24Z5pSECt6qhJ8gpzWCUEzzIhAxYvtTkS4BLsvueAYIjydDpZ21nhOe17eaCGeW+9OHr6RIN+aUP3poS8yBjULy9nB7BqD51uaLrY99bkZ72gLkHhZLuhE9VSVnDtKpiYq1cKt2rHcPwsIVcHb0u7NP8yLE2k++Ik/YWSj8OULQiQUozlt3IoT1ldUlxBSYygA+3CX2vmG8hmh7+ovKrRHkG3yxRP3DzYz305NfSrnMtfC0OA+yfnI34vWP8M1WoTlhFYAqk/5Jh49uCLaLEhlyuUZWtnAqh4u3U4PUJLXDaYoXwIxJM7p3F0SXrxvapX1SioTZC9MXAIhlBUCzKAT1pJA9oSApKIPlhwpGJmGvNTU0QejuPu2rUzn4WBc7z27pQxEx3PU4E1VLoFqZUL5sbWVUNurjcbRLrjUMFaqPEaLXLvBy+mKEji9lYYx2RBgZBbIIYmUt7VoDL4oacHg0RDtZIXqePxsCzuKts2AarPzkJCJawz/x0TOopNFRZLO2KKsLSiOf70EgCaFWp+zYFxyfH4OV1o0wegXC1FdfrkuooZf7RLxbgU1NtTSD1LukmoWwRHSGphKPGEwT4DRcbcrmo/kVvkGzNIMSuMALQhFyi4oSvGthrFoFSeRxEMJFEusTTFBJT8Lh+acALyQ0iiQ9EypeqWJ0NmRkZ2+8paFOJF44gU21BwVR+qkllO/X57lPVBzQGukciVZSVsmdTlwX8QiU+8lMRLsdCHQJ+vuCJgrWYYIkET/CRB/saRkni+TRi2rZzvVdsSf6BSB9BeQA3faBFieZEcinjPcva+7f7F+zMeJGQiilUkGAluJx/tR6JQX6SgEZwC5GwAgX1PxU5E3nbHcohgSXL3d+fLbLFAFugVz5sQHup6fiZtL7z11caqxx2J2LD/zphmI0+kfvFHFdG9tBGrNlOqUFWy5v/d7F2tlJh91X7CfdQXwLcqPq4pCfweFdLf/2Jy4qlw6l3fVR/FGWvHpUnVCOeWVmhhs30enMu2zS14UHksHgLitimkjZZQSa4EW0HSR2O0RT5V7JWlZKOIEJsUcKn+NXWhR9tP18h8Tkaho07u4OrePvrC+WqZD1wSur8wCt3/+N0LlVXp7b1Z1Kw0bSQjiA/9b81zAbUgwIjpYNHCBcf1r4S8gE6kabW6sVtu25aSrIK+3gN3iDwQWmg1Qym2v5QrVW1Ajr1wyPPNtl5VB2gMPtfa/ZX+Rzy7T72i9qQldS3hPX3roiCcLxI/DV8izmMr4t7WHxaXMFknCg3Hzbdz6T0G3TLwBxIttPXEajKm3+ZnH38ulegE7gGqAaAsja9RB0LMVt8ZdZ0dgeuCDRj8V7EkFVzJ+AHCWWc+XOS1wujzm9QazWsM6vDZDcUYFi/4+FThWUT7NO5uS8q38SyE51+gFZv6/EzGaUhDdVeCYox21QshYH/EpGHj36Mi3Hv5y8K/hr/g1OpVQZjBN88VPMQdrDHpE5ILW1zPWMkxssjBMhY2lG4yJJjJI7g/z+Afn+DIpwA1NXUibduFgOePLFonc/QkgOOxOW5HmhtJ9uvUXQoEDXvkrHpFEsF8UltYUcu3hCKjHUf/la6s7nuvHnOgXaXHbbWni8YRvC3vFFw9Ayp1UiMnZU1Aa9TmLFC69Ae5xJKaYU2hPkI47+IlDJCDQsyBN43mMGV77A5TWfZuqcOdME1W658RKpg3fZRmIUtlGQ2pvhWZvUaBM+P89svJ45uVouL1ny09nf+yxGBNGwQ3nUMJlkMt2chawdS4zZpVsZAVgh+UzYvJaaBpujhesT3dKCs/NV2P3QYSqdzBLC4EcDnsJMcXpKUthdqGRedLeY3dLVtV59CRFYFBudZiWlLMplkBsOq2NwLMAPq6AvNoL2Z+/NIKjQ+RwrNDMsnCdWLTq+hhYHCzYecZqDqFs8Ambbea7kvPy2cXZ9wxQZC5d5/T/vJHvR/0h072SqbYCAjm7GwYYeiDbZAx/I8AP2qGbvTlF/9K1OvTZ2GMjfRBzh1fv4La/KjgF1+kdBW4b7YTGfOlqC60a8Wyn2eH9FKXyKfCiU4EATvcj3ORftFEjfvC3+lO0eHegSMzI1zjBOYc0fVbW5J0u7fPyq9RmQdy0P4OmbbHO/Bi12ngXpaTuEGIt6nj5TK9Z1FYFLGFpXgRvnOBCRNWNtQjJ86REBaN0BpRYvdAGo7S66VrwtEWEzeH3ztW+X699tq1fVovki3K2AE1XSPP1wBkuoxdz14IRD8l6qNg+6VFw966GwsdF3GhWgM+/eE29KxqliUh7ns2cBtAfeC4HdXVjLvwDI4uMy3zGiAbNHF50KfJq20YwBTDHz2HP9kKn/1gPgh3A8P3C9eVlHuLi8gEp3p9cRQTlkxCABAvnuc0kyP+6rWypbeR9Mmc0d5ndA7x3lRWAaAwyEimX0auuT/dXqQViYnKa1nbnW0lv6cYxtXAT2NMo4oaxrPXb40Z3H4YkrIk1Z2xFeF5dvn9K5LNhmyYK1VKstMjkPkiBCmTV+xQ5Lq64KxCAJ+tS+0nXorZcmkK/l6PMm/HsdOEe4lMVqd0Wh0XPQ7zm7t9z2vkdTLzx/cV0Caqn5a2OlbTBgG+b2A+TO97mqEzxV4mOsvhv12XvNrmbraIdihKIQ3F/Nj7RlS3F0Z2UmCAF/yFqf+VSEtV2+H6xU8LA7RcHXUhbXmINVQ/S2mEwbO17C1OPFmCIZ4PuQYNehXi0FwBl4oC0ctSoG5kZsWJ89ve4YqO+WJEUUxu5irbeGWeEimY/+U0zDHIUg9j6yjk1MgyLlzB9AQkmzLxJaiWQcZpovUcucfsrDyP+B1nyPB6Ycwim1PmR+72LI0ZbpTe6JDaDNSmZFmZkZgOCl2Zol2rwo6iIf7FUULUsh6x9uWsR8iPuhV225rmC9wToa18f4NhSo78/VVzmNeihu2jd0TS5DDtU51eZilvFTyZ7WxaprQYFgL/4f9yuYDdZvftTc6omjWLVQQ/Pv61R9JQnZDucwcZtvfDRXcfGmlgXvcmq5tE11wcgaCxaIvZTqYZrBJ6bGCp1iJE4oonPqwAfMyjg3Uk/jq5SbjyTkdpWgwE90a9qj3cScQEo+ZRmJgdeC7VxMfI73PjA3HFI4Lo+WbRx4yfd1uxvxq/opXoeFq+WjZxI2UjQbjc71bkS0/aebx5Y3VSp5Y2nK+OTFun12wjS56quUOzHN9lGd+TEdjrmd1LzuTLJkRy9smtKkKuje2S+XVK+wH1FTAsphUF6YZHEboh9LIRn+8sKJ6QL9ed19dBeMtAfixeCEK4qrj5J0jYQf+2DradNiuOJzjcU3Gmqi0rty6EgUp/EzGTqbXTIV46GZKoc2Bj4cq7PQEdEAvgLUF54f52t9tJ24A3c/wIB1ip7woRI2H83wHA7Ux8ndQoNs2VWYxkRqLz/FTOfO5M+zvJIdftkCX9o1xWvSJNeK4hEcs/1xNibepXb45er1nncUkOMlEUYJnySAcPF915bW7olaIOSaKJwPfwxSG6F8HCe8so1orKJlSjbjFUTWJG3svQ+YywCAmsIvVPcrpP9L7UITtFDWwo7X7d59iXW0G14jPrkPO5XtM7RP1Qp1Jb6NF0XSL+d1Uqhs9lPNXQ/H1jYLd+8YkPqKI2epYqLZ8LN6ov6IxWcIYh98cIy6ouWWyc7wjl2jo5HzFzFpWmnLnHy+ArDOKW+N18GW8OuTGRiFhf7loX7LVK2Ck6nCiUmjXUrtTvavZQ/cTy5yIlakvM0U04Qgh2j0KYxDESd/wZCA37vUdKu8WX6KImL3eyLqWHIXOx5yP4eOmwshqiEaP48n/4sddm77KR1LFspXbPbGkjs50HLAIZIcOI+xKfrYauyBAXGkNiElYm66cjoaYQ3GSvvfGhG8rcSYMZH6BLrdX4Locxl9KfzipL5gLQycCI+bZvBc8EwJKLfndDbDlpctklC13iXtqgIPf939ziItaVMVpalp9E6TJcZL7nYD3Y1/r7Ye/Z6IE9EfVUBTU7TAeX2dUPoGp0b7XE07NN8LUt9hcpMQaL6ObVbgWsNaDELIJ/I68OZtvF76ya4Y+xYIyUS7kuz7GnDUEMwmiLI6GhIVxv2+U6P32135fcsrbyzmAwi5bnO7ipSgfF5CgYr+or2YaSk9pphXF+LR2WLOUykhH7jlf7c5tE2UXh2HZLkRC5ZXFcxEbHgujj0987T/TVRFjN4+Mfrp0W+TpjfwrLhO4is7WtdebBEAeXBbLZe/ZXa30XBRR/NCFzTp44CMNP0WqSpScM83CbBANb0eI64oQcR0VJUA42wKdPR7HS4m02reY+cTUdDLw5dr+sWSBnCJVT/oFzMsChZrdfe+Q1yanfddjA1cd4khect/VfeM1EWvIndiy2u5fewSjaecqbd/zPUV5aWhaPB5xFa81bJlO+hVoWu2y148f7Xf04jH4hdiQlK0b5CppFbGqAnEiDAasFIU4dVltfFGNhwrmg/CxwJmtbmz68X0bGo04GEv9iOuXzonx6qLu/O2wvAweOOPKdve9BD3TfR0uD6uW/f/Uo3bt2ruLNokSy6h35rsuIWY+OzApmJUIUnn5XCrTRwQPe/onyWs3UmeR1xecW6BRXafWHaDgmbo3ufltFrjbbRtIwbs5cOp3zRFKNQLMyHmTg+nsdaPzz0Piou6yHUHbbSWsUoAc8tCglAWuq5zdBKAS8hvcTfotgk9cNRhVta+piDsHIN+JR+V0SBcF2eXY+E+a8Ed9Gv+a0h1vUO40luGjCz/EpbVs6cTJlSmI+FbFbum6eaIoImz7DxHgN5qEmZ/Ndi/5/g9MzT4C2uOiDFRRbNM27EiEAinypbB1Sg3r8ECNskdibYPeXhEhALoJ+WzA+lzY2CxxDIsA21WZgBAcLEn2/PtDvd41lMkiK67/2WolH2cTmEGcv7mcK0igaKoNQ4gPRBnsYv4orjFEV7pSE02sDi0zmBR9Gl/DfTdj0NS9TtAvkPk8Wzkv5tOEfadqPGuQVT07xIU0Yc3TRDRQ7dvrUtqgiKfgBWitKa2xg+3LxG++cs1sy0GNxcEBRUv1KBdJZz17uxI7MoiHou6dS40jcF/X+rGppUSq7asv27YihjYp7l/Nn6WFFuSRirJgGXr2mLt5KtfyR1UZmOhpezRcoK6L/hSg6ZxncuqHIh9Wai90eKWpZB1juO9jUF/WAauQCVfzEljYC6yhlzcFeAOuEaool+3MX/fukCA+BrPAQMBQVwHdjHmhIqCGx+3GT/LX8PQZ0DJlsckzQRUa+64Pl71BuD4Ltcq7gLtHo8eddp0/P2Ga+XqvoaZ78QLXa1LDP4Q9bT6aPdhco66zrxWI2t9cUxadBd8zwBFbagZ4Ko8qz2RgwKJWN9eiAVvUdiNPGkQFnYq+L1Z/uzOEMkpvzn72qwFhoTXEW8m8I6NIVqGOkrJxQWM4vkYGOuNZNK5aJLP7r0QCEqplcc8ytZyzwrNA0leF78rqc6tpA23K0Grk7RGkkKQW3XLp9hmQVjO2lJa7vrNqH5A8W64kjdRTMEGbfNYKdF+wUOZZDCF1WeOWVBwQtHu/0NMFa1aWW+6qpV05pmuCNAYS8gIdb+5Ex0cEtH7Kg7dX9ar17NEecAqkzalGiJgZcqHI1SWGagEAN0JQHDFW5qrHjrqeIiu2Zl3FmJgDpHMjAm6Xg87W39Xr+DWArMHlz4N0i61bnBoApP3+FrJJ28rLAm5TSg4sJ90Y1TgsVsuiwPOB9pdrgc8tSDFbMng/0Be53MJj4+Mkw+nDp5D6btY7ACQXAToT97fUtxGzxM7ZQJnEhRei1Fonq8XP0m5J/ai2TQJkUCRWDsAqdniFpiqc1m4WovUU6SpeHJ0IAJLkZx/Ry2sa8hCm6LKKm6CGBTVu209N+HAQJerGjg0vofkAVTaIR/ERGpdTqcyeqN25mjYWSjAjhngMHxcQiJtFQT2NniSDtASCcSZs+a0UQO4jy7Cc6Vuclj3al2+Y+ZPtNJB+VKQVCU1AWsNKBa2nXfz389dTTd9CTrM7PptMUWiB1XcceWtWc1axynO17s7X27kYCWVlSu5dqFg120owPsgkOJB8oKl7Piqd4nNSBIYeZf3JG2IeQ7n2K8LS8Vl8VqBEdCO13MxLQmay455G4TE7058jz91QvZA6AxU2IkIuP44BEceKLaXSJHRcFd98Kusk3PXXivejTylxZcm4v2YdAT9wYVagCX7nohaYcVEb9YPygg+8yQflu3v5GbQERCldypqiRFWmHbH2kAB2+qZOHN/k5UNkf8IcKQHfYivn1+FfjwmeLEt2a9aIf1mO/Feg+8tiqGLW8676Y1Pw+oNf+RE81zssBgHTAqJFtlB7nV4SdmkQqLMysrBgzdVfSP0691aAopMD9W5H97n+AlAexWWYNkfbcrL2Q2/gWYy1/urLJXV+9sfyB6hMohSFOiOk7GHrMFwQpe/UTDwJr9jhSbtr1HUtEqwKSw2d0U8+mwsLn1Z+9c3tpy0KzI+j3DQbsBRdszJKi3IxBpmSA/euva2KOK9m8gMA8ntosP65XwG2r7rdHUvknNkKhwOxYfOhy3Br5ZxG7YtnN5YXhFe4xSZxdeXViDiqxreI2wumuy/6NMk0PU9T4Ot0v82W5gAgqS5Nyry8jaykOzwqnbUdU+G4Kjh3fUcbgTo/fbRE3xIXNjOINrl6lQ1/NGutz48+Xr48dbH42odXH+/Ckx8sCiTYuwCbByKnWip9arwb9vUtQlIbLLdDe4yZlF+fmmv23biI6Iw0rJt+W6r1G6Xft5qcNvPJZsl3Wz4KjLziiijfh5HDQfO3Pkv5002+/Pl6p05C9F6qov+BQJXdVdX86lOXQkBVUo6rbUGG/ov+O9+Kom+MT0qNV5jQwPi9lsReCheAo2RhgFax63Vo6F4isTEjMOGjRb7e2z+3YtBnaxgwbBedGqazm9jLbtYV40eI45uQv0eW6S0LeeUkBfByiMBenhHRZv36Gdt5u8GKcvZY+xmC7ROKW/REflOXBDIVOWK8xyjaBTeO8OFRB5Hl9+qPYh0LWI23Tlx7NjRMbIM0gAe8jY8mbTgGwkaU2I/NFkT4ubdB3VzQ5AERagWkaxFia73oevRfKO47EUFeIjsCQKgxDkjOBfpR++b4+kxwujXvFH2YIaUgjT0tE4lr8wCsdYJaVw6XrD8XvpINGK+zj6RsJ42SvDRNb2cf6donbFpxLuh0V4cmvCDJykperotHDpttSmFzceXdLRmAl05lpRrZ2aUeHeHBK8skfv7a49iRD76qq7sVp0s1aCFAqtDW6FoXAcRuU5NnehOmuPHid/+sbRsk+m+KI8MyhXlcOsvXnEZ+DnvzJODtfxwXxqGRrHngKX9rw7UcZOixAs6U/IR0fi0aoRUsoIHlv3faQzng65vi1tYD71NhgFFKc0/XLtiXo+qmlSAYjD6qebTqDtlWyruiTEvy8M3nOs7566G4grzUzDl0xQZzf0aNdLIeiDuJqypNNTMAlOv54a8pHdV+KNU4wEWEx0d5lvEuN6XKHQDwEHEgppeAX2skqOxArcaxPETB8FVkYGJ+8pabmgF3U9jIPosaDR9ml93vK5N0qvrCCLteJYzRWY3HfMeWRzQt/xay/T+xnx7j/tWw7ch/s4LWOUdZ3+a2JJ4cQElkB6iqxoo1pokssYtqdU35/85NEIpXUtwsHZ4pBnu7+uA6MnyPuXOoh8sQhuGTGBXAroPD9astajo1GT3evW9G5f/wpqZFJoXqZPyoZ49tp6DeGE5iKZN8fwKk6IiQ2kI48TwngS7YoVoft81OOh8yWIV+UkZqJtFMv/v3QkyAnbGv1fL9NuQVKv3Fgad5dZQQRAPFUfR4FsNSYObEINk4SRXxR3CswSU7aODrKveagOk2AQkKivwUx7TL0epY2TULuudawGoqQWIrcMydUSa43V81qSNrC2gFp5jX1sg9TN7V6OCbDh5DCgSd8xIokXr8gKLXLjxLKAbrabFMsNX+gHex6A/LraVAN+F+iVwkcQgopfy3YSbAPivtfMhO7hXz7bG4vIKZ+rszWOrD9L8kw+rXh8CIVq+IUR5JpO4O8LavvUl7923qbN1Cl/A27bSPzGHxB4EfaEgDrtChzQbgXKqWrkMcJnzRLccsvnW1vbdjfVGb5lKJprVDPIsG7Xuuw5tx1jYwKz9wBw+ShYxvJjIw/N4xF1Cb2zic9vNn3+R4Rltw6jeLmoNYHrsm8qG8WJxidZXGHZkL8kf33dzelCIZO0yroZVbWyA0VMAW9JA5uuWJVIxcBjy5G+g2GREKdYgez67cFxpCpIaExJuBuE8daOSH2EXrDjSRh6rsAzrbaevzrnhWONfIHM/2qPp2oLztz19+smgZQsu4pjcT8FyVq6fTzyjg+SFGTk666HaAio4hqh5JxxJQL20AHz69iXfwrwZWgbsx9QFKoAJTOgRHO8QQcuaYPLhf3voOIzfp+OIKws8CbVEw+f6TF26w5gUJ+aKnGQLuyubDfrvpBdNjl06+FSLEknPkZ042Q9pOLoMR/tVw4OjBAgsDGJF8bodq4ESxxcevCvPQvuA9o4V/PWF7/2dpIlomhq/mgM6UCAGYJNEN6BYu5TDvIHM9nJZpBpLqaH8uwDwrT,iv:Dxt3xz7itE5amMis+25D961wMeOlhzRF7MPz5s7vXo8=,tag:jWzjIz+PBJTjdAuRhJSVmA==,type:str]",
 							"setup_script_hash": "",
-							"ssh_public_key": "ENC[AES256_GCM,data:MGtlnltkxwPl1/RIcRS2gG0BEvAPdUnsRvpxGKidrLatYJIlZHL/ZNiRFcxtJpOZk2T5ysx2fFQMvfrwx+bhQ7X4RscG0ejYTwe+WXXEdGdmrHvX20U=,iv:B6qpltuvTYTkftEoxwC3bbgXXGncCWkERLSOmBjz99I=,tag:ydsV/ztVrVCWGPEeipQnEA==,type:str]"
+							"ssh_public_key": "ENC[AES256_GCM,data:ebQ9e12krtcfaSBtxfXDOPm+IcY67gClPledzdOvV+8NV9asvzUQKqjfFhZyOJZpuUZtWZjZa/R+ZMcGyGQn2uWB8jNYvirwJoq7N9ODjpfPLWZ5fxU=,iv:Mi6oZz7/6p8q5N6vhK1W8FVDplL/mUOHedQOmF28EDE=,tag:2SkTq4k6ounAQZx43D/d4w==,type:str]"
 						}
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:oj7Angn0HAg=,iv:rbtrCe6ZMBPCd8fds3bb6vyGb48Ba5MMuejJ8q+aVRY=,tag:sg9yJdRnU8b3rTKEjhQtTw==,type:str]",
-								"value": "ENC[AES256_GCM,data:0YUG853esis=,iv:IAVKaJzuEo49E9wDymDX5H6+4zif8zx9zQmJC47wWwo=,tag:EfoNNirnYUtemWiwkN9K8w==,type:str]"
+								"type": "ENC[AES256_GCM,data:YzxfrxyLKZM=,iv:iZBjJe18v14SNCayT6oOKv165PclGe70o7g+AOln2sk=,tag:BqIEt4knSS52drFbEiD6Ow==,type:str]",
+								"value": "ENC[AES256_GCM,data:lmQwuh3M1/U=,iv:dkZ4FqeQ4oZMdyP1qG8/Z4rhNn6S7Cwsk5YvD7iGHMc=,tag:v+dkmBluyrwFTwzbHT4nCw==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:yqUtkxA=,iv:VA5fHF/lF4ZGKwx+KJxe4QbChpYgwSVcS+N5U9H+HoA=,tag:UA0fsGNkz9r68Uqk9F7IuQ==,type:str]",
+								"type": "ENC[AES256_GCM,data:d+FSow4=,iv:4Jp6ly/fDu9JAZ77KWC4augQfbRGgPlDAfZSrOOSl2I=,tag:HC9PRPV4YDbts7iSlKd7Mw==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:mgzLu39F,iv:KbQTS5qTHxDwV5Y9iSns8XECk9NFnXXpG6lR3RXmgyA=,tag:gVRwTk0AXT9/aDmPbJDUdA==,type:str]",
-									"type": "ENC[AES256_GCM,data:9Tze5FES,iv:VpvPjG1IW6kmh0aOwjK/jCZWDywbXoYtEpqzJMEe24A=,tag:UOQXvjoJWC43OOFyMCc+UQ==,type:str]"
+									"value": "ENC[AES256_GCM,data:scgehaeG,iv:jDYo1L5LqrzqejLqE73TvJriuYvTLXHaTS9rWLIPhYQ=,tag:yNfJuU+poZsTNlKwW4aI5Q==,type:str]",
+									"type": "ENC[AES256_GCM,data:LVhUqYsP,iv:AjGx+2qUGbSofUEW8Aj+3cPOxRsAeKlXtNHKbiMDlU8=,tag:7oo4X8bkw+d683WBhPP5jQ==,type:str]"
 								}
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:dA+Y4R02pnk=,iv:qGDcPE4IIG/tjjq+iGTBuT6CRK5NXWgrgg/84kqe/W8=,tag:c/I1M4yN8Be2YKiqOa3GSQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:qUgTReqik5k=,iv:witG1/rpjrRt0/my8QlAXdfzMcDQ3bYTgMRGwTyT5Ts=,tag:8sywAWpZ/MRdOHvwDXfmYA==,type:str]"
+								"type": "ENC[AES256_GCM,data:ktFj3Tter04=,iv:z2OyvwTp8Wj2++x1mgV5JsIbJ6PXYsp6r6P/2mSmKho=,tag:uAM5aKiYMR+5XDCeP2qVSw==,type:str]",
+								"value": "ENC[AES256_GCM,data:fdAiTH1XwJY=,iv:2OAnj6Utib5zK0rRRO0fxFt3+RJRfG+dfo37dm4YBv4=,tag:2f9yo4Y8ctX8gW9mGgMj7g==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:XlLtGsc=,iv:BiLVy5zJNKCjm+ZtxXLb31bAuy2Df4E3w5+UPmKTMCE=,tag:74nKOOIVdAMXK34JruLIBg==,type:str]",
+								"type": "ENC[AES256_GCM,data:pmnNRkM=,iv:G/auoOYriZuLisD5WJJqrglcHBae/wbPBfaHx2Cw2I0=,tag:xBCN0j8rYDQBms1RUG40Eg==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:fc2qqItDQpyyKreInqQ=,iv:9pFcmLDz9EvOKF3uMVOUdyMvvM4F0TL1j6bS2oC9IPM=,tag:+Fp7O093OM1XVRQYxoTZ+g==,type:str]",
-									"type": "ENC[AES256_GCM,data:U2wtZYzR,iv:SDci7eqOQGozHfFrNb6k3pHFSkHqrhxpXr13tD2R55A=,tag:S5/F6q2vVj3GRGNPlNvt9w==,type:str]"
+									"value": "ENC[AES256_GCM,data:ogCHaMXqJZq3FQaQ8OQ=,iv:SurGzJ2lMTo4Y8B7ZEurkYUA8x1V8YUybYCnvn9OKYc=,tag:M16Z0U7q4xhKYOXecvNY+g==,type:str]",
+									"type": "ENC[AES256_GCM,data:qA7v49pr,iv:sQQrmcg8ndKIG3WPE4hkC2lRcIl8Uh9L/WkNtvq0L0Y=,tag:jPSV/V/hhfw+8Q2wARrzYw==,type:str]"
 								}
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:rA==,iv:ZqKSWWGJIF8nWxzoac412COUZIqNgd5XzhuEPNOpe38=,tag:lsdtYLsOjyFswx5BAnSAZw==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:QA==,iv:3h+VDXLT/REXmCdUS+bXWjWnSuEPoxn3eG3fwpa7Fj0=,tag:BAYVOYtuae6wiJoUsKhxGQ==,type:float]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:Lne54lhoxg9OtpLekC/irEyISJ2dB4KQzCicRPE2BQ==,iv:ww/AfV6sPsVeVmiGY9YlvLcjTxVqxkaZgJgD5jjKwXg=,tag:dqzwMAfJ4ipfX5HBE9tBpg==,type:str]",
-						"ENC[AES256_GCM,data:cHMZ0nvvtreDIs2OGlAvb7+IDnouvq/p8mJwZCjl,iv:a54P1HssWd8bSfrTog6VJZANZGYMtRkmyHzccULwFF0=,tag:pFSSRdCR5TF6YRHKcjW+oQ==,type:str]"
+						"ENC[AES256_GCM,data:cfZjyRdPI3SnIjMgxCThS1H38drZfRkewIKj+TBgig==,iv:syJaKYvgy27iacr9iFQh4laZxDr1UB8XE97tGxHBT4Q=,tag:Ima8IOosTXqqNmlhJXNqPA==,type:str]",
+						"ENC[AES256_GCM,data:z2sZQ5uAQnL7so9gzYc6DlJX1qD5NPBEjf9UtpTv,iv:hOsFjLQ6dqlhxIKG2yTP1zy6axDB5dW8yXXNhKXdKFg=,tag:ps6ysc1dsTxb7Z/W4qwXqQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"module": "ENC[AES256_GCM,data:Wzt3Tk1jrJTMV9Rr7/3rvenXRJo+orKU,iv:+i0UNkzsG1sxP//SY8OXIUYvi6zgtLg2ZKSmHCV5oE0=,tag:kP8DATK4+Iwx9vLbkf60og==,type:str]",
-			"mode": "ENC[AES256_GCM,data:DP5Pz3Lqrw==,iv:nu/cbXfLMIlR6JRW6lj0vpihZ90tcD6SkWQRovDCBMY=,tag:sRQUOLXMqQOe1YJFtKtClw==,type:str]",
-			"type": "ENC[AES256_GCM,data:KMFBFLCl3H7tFaUcQQ==,iv:lsXSiAiLOV7Px+cs23/ZPE8syVVB8Yu4SuhePZk/o5w=,tag:SFT+U9EfiHTry73atlPNdQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:rtn4vXLRFKa0QCQm8+6GBrGZecZ1kg==,iv:MmDSKijcnVEj1HwAWEWphOEg0Y4as430nIeUCtEV5CE=,tag:JSq/0H7iJSUZyL+su6eDuQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:te2z8wOYgkrAvOWdaEqy7MtFdGExkMIqww8WooTcy+mM+dYn6uSVmFunRfYWVtqE,iv:7YvWr6aKiArNeL2U5In2SgAWR1R3WqKLqoBjbY4CWx8=,tag:6aS2El0mnH0ILvLy78NrpA==,type:str]",
+			"module": "ENC[AES256_GCM,data:iR9CdGGGyxVCp3eui8xSZJsEJkFidX71,iv:wPPT437ZZtrAlhv6DH2q45knVUN/D4dv2vV57uBBkdw=,tag:fVhH/Af02zfpIAkqSXIPgQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:IijQ92R8CQ==,iv:FdtuU+BMb8WKudlRAmIvcc/+gbUUp/AfHbK6NqnzXY4=,tag:tpxH/cD6rgWbMIqgAebshg==,type:str]",
+			"type": "ENC[AES256_GCM,data:bmxdv7rlBJNMmWFKMw==,iv:Kjei/f5wSIBa9CQwoPAXiA0M5c/6WkOzxUrnPGkYDTI=,tag:aRBsU5ymqONuKShrtDV/CQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:WW2eNbv4uicx9Wk968dmWFAyPy44xA==,iv:oamfEi8IYql68LB1zaxz6cZatHGdKhsIWdF5vQLJLkE=,tag:zfnKP8CC5qkhQjui1PgfOA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:5N3D0JaH+//6efDSURJy2I7yNsn0f3TyiAfk6ZL3AbYyyPQUsos680I3MGf96Pgk,iv:ibM4MvQYPJDFgKoKq0yn9ddvOfKgr4LJipojO84MPIE=,tag:gC1W5sljiSuXNQRdZArrlw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:fg==,iv:hUYfCCQImHDki7fNLCzwUGwzzoc9mIv9iOM4W8GWKtE=,tag:dMddg8JbQhdcGKlfOazafQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:nw==,iv:PMBB7VH0/f9ouwcDnSaB63B0RlTCb7RJ4a1ouvafGX4=,tag:Giop8saBc9enh59Y9BiRVA==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:tlNC9f0vDNd99MmlTU7llwBngg==,iv:R+qTySRMItrRAIWCivGkbdsmgFWMgheBkF9Fzat4Zyc=,tag:PaXwHbvMb3YwcJ5dIlZiWw==,type:str]",
+						"id": "ENC[AES256_GCM,data:3x0PM7jz0D4Byi6ArcTXf8xBrg==,iv:z3Qj/wEShhtnxU7geCv2ThU7mws+fa2vuMelhNzp/TM=,tag:3hROcS9iMva44nGZ4d3gXA==,type:str]",
 						"triggers": null
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:aQ==,iv:Y2ypcLh2U70FLyz9GCRm9iG7JglSzDDnjVhLpaSGt0s=,tag:z3Uty4POkDfBOxCPYjXToA==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:7Q==,iv:BttNHgsj8E4n6qO+zwaheC6tS0Wdt/2gwGumjzt74Ho=,tag:q19a5UpCO273NqOOoJTtOQ==,type:float]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:qFHNrIKCowc+BWQEScgulxErsyg2jkdf0WlGJXkJ9Q==,iv:l9OGoJ573rfCxvkm5SwqlMcdfwXZyoedj0CTDxPKSqg=,tag:AxpW5DXjxHgQ+8/V9ssh8A==,type:str]"
+						"ENC[AES256_GCM,data:eR+jYC4LnwBy2j7q6+NSVacuI2onViy5GwtcCoKX9w==,iv:sOTHmGgeahr6VGV0kwosTT0HAwJ/O4wo703ueFyWOMg=,tag:R+XPRiY9up6Rtqh1coynfQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"module": "ENC[AES256_GCM,data:RFRn8v9L8zQU4ySK93AxOpIxqjsSl16h,iv:koxiDgbLJArszBvJ/pFfwzArZ6MJsGac/o4tjwFo4mo=,tag:jcLdyvSmcytZxr9OFismxQ==,type:str]",
-			"mode": "ENC[AES256_GCM,data:w9Hc911h3Q==,iv:WivB2d/SFwXiTKjwKah2rYJY0M1of8ufkQL1Yu46uy4=,tag:XXUwd23nfNS+F7idYSzVRQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:aKtibIgafCqhQz6S9A==,iv:eEnJwU1cuip/uWKU0IFqoovGNz+BfHTcUSuyT1agO+U=,tag:uhaQxC00K5JlFO7JScPfDg==,type:str]",
-			"name": "ENC[AES256_GCM,data:zqwlHQgsNHhUoRNj9toAvzw=,iv:ewS3ICuRsiD7ptZrBG0HrhjES3VrIvvefDhuL6rtLnc=,tag:watFTgOkxfXbTyAy6LhLAg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:CeWxxl1CBgOsX/oin1SoAqQe/UUvfwx/Hv0f5ztSgdWPFaKBYzghtHO+xsfG9kwR,iv:sdnrQVrez2gteXBpiaciP7oqYCGsH4tcOrQr5C851no=,tag:lXZpdD954nFwE50Ka/ZJtg==,type:str]",
+			"module": "ENC[AES256_GCM,data:fGlWu+pnriPGYtwlT0r0XXDhpTtgRK0g,iv:Rzr1TaWEsYPz0bnICCRE+HmFOsVcjQ5wfkRQwIlo7nY=,tag:TU1GeHgHC4Ew8tjwCF4fDA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:t3W2eDIeOA==,iv:CcSLZA6xRpjDB/CiBelOWanAZQfMDtB7YNwF4nVQks4=,tag:3WkDKZee77lVyLMtwBN4rw==,type:str]",
+			"type": "ENC[AES256_GCM,data:qEzGqkRftp7k6Ta4ww==,iv:SHhZW4Bph6/381qp5Da+ZefGUfsP9MbwucuA0EZKrec=,tag:p1hUxeOvzQDkvxpH4rEdGw==,type:str]",
+			"name": "ENC[AES256_GCM,data:/T/H8eZ26B1kWyLbmZNBDDY=,iv:azzb/EbLvQYWVHRsj4md5UkqZQ/RfylAr6+P5crEMS8=,tag:JniZfcVlCZkNYycFmMHUwA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:lkm8hmZxz0or+xcO/IrwN1D/b2+GkAQgFCOM+uPLN9ZW1rrXuj1z6/qOhRlkBCyA,iv:bVsoWncTyybeBsX27yci3bILbIXHVtmHKPy2UAoy9Mc=,tag:eu1FFb2gL70V5c5JRlN53w==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:fw==,iv:nP84ep7TqAfyCDWnmubt/+k0pFyrJtMv+dbj3l1TCXY=,tag:FAMZvynv74Y0X96JqFhA7w==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:ZQ==,iv:Ampn8NKtr0rv1hMXHANzN7Wo9FFcr5hUTKvQcw7xwrg=,tag:Odt2RWP+Ctv6oyo0WKmqzw==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:qQlOWgjoo7hlaszmI2+XIo9OXQ==,iv:2hoYNtxWaCloNlWmnvd/PIhn5bkkTaFWNQ1w5JR5ZDs=,tag:KnRC5HoMCLOhO3orN41f9g==,type:str]",
+						"id": "ENC[AES256_GCM,data:XK7LdJv8kEoJMEuKEE20HKx4gg==,iv:ouaDId06RexyZ/LaSJQAytlAu2PRvb8CHvfvLMurwO4=,tag:KyXy/o4SzvYYP+9EUHnWWQ==,type:str]",
 						"triggers": {
-							"file_hash": "ENC[AES256_GCM,data:GabjCaKYYIIPIbRBWOnlCUDIkf2HQi2xOz4T/rOscATU++x+Iq1qza7qEvU/aV8VHumw9JQLL9z1dkfdJP9TLA==,iv:06svr0Vo5OZzYEiJirRNhAWbXDFphzVdrTmiRS9shqU=,tag:s9rLfdpcrangH38B3CAnxg==,type:str]",
-							"is_k8s_template": "ENC[AES256_GCM,data:0EudWw==,iv:3FIAFefp88/76mF8ZIoP4Wgh5kSdZkyD5Z77dD88y70=,tag:QWCPCznlL4ig72Gmwd0iJA==,type:str]",
-							"k8s_join_command": "ENC[AES256_GCM,data:lJ4KWlsKQTiea/rg1m5cpl/a/Do8sN3TGUMR3ht3/oNshBKY9MSFWUCqNB7qJvar0h7Qv/M6UBGyHCM5SKcA/RQkQB05hmVMFSKopQbj01PnLcxks5W2rfcLz67VYf26lNZsvWE/VRVQrJedf8F9T+CKtw2Po8qRlsydr4IpqBkQqGeVYQdqFo8LDLRUpzPeoEkvs1KUfSSOK90q7to3Yw8bofo=,iv:RSi+GeSXsr4ouWb6P1VoS1yBn4JR27UXaDvwBSvgRDg=,tag:Wyg5vkIl1cXvJFFRHujT2A==,type:str]",
-							"passwd": "ENC[AES256_GCM,data:3bIg1AMB1Gg1W/D3o1gdh917cdCV9DM71ThZ/gh/uYsP2xlYKMqPSLTazz4NEv7Ftjwo2dxrFQUC3/Q1aFQuZR6z0dNMXu9Ixg==,iv:1VaFViB1/czSCZ6F6Rw7XrlzizPBVgzrWSrBTGnqmZY=,tag:pOQgDOzHjC7gWAZe6zZHog==,type:str]",
-							"post_join_script_hash": "ENC[AES256_GCM,data:bT7Fxl1dwrvT9R2Or4Db+W4eBS+rNZbCVVVpvW0Y8QKwX2J6vw9qJlP5UImPJSz3G5KTwD58Bz/WPaAM0ZtOHQ==,iv:qFcGXJJsR1DAUKnZ4RFc/LqWzlfLfMVob7T2fsd56/8=,tag:wD405pVQcm4inrhaly/n1g==,type:str]",
+							"file_hash": "ENC[AES256_GCM,data:T5htzPCigwsdA5NNHzYnPJX2qxg5/rnHyS1KHUyW6KK2aXLr0tp6uaP2EPgx9rfQ8BMYBNEHZn5LuUQD1KnbVg==,iv:x2ECbsgeiNSGf4YZ5wB5QbcSnQFcbaNN4CokKGM5YWk=,tag:5jKtGKNfNGTo8Uan+VTyDw==,type:str]",
+							"is_k8s_template": "ENC[AES256_GCM,data:P2fujQ==,iv:1cSK3MjwqlIw8ub4QyeCTiYAGGa2YOFglraC62w+O3U=,tag:9nIR57z5kK7dBakFp2lqdw==,type:str]",
+							"k8s_join_command": "ENC[AES256_GCM,data:hVNHDEoNN1ghs4xmerC49q02lByJI49no0vCrwDL5B2WnlFaIp31+E50bhP9aZkdOYxUsEoyom7qQlwX+gOOc22T8yBw8IpfKRCvcFfa6FBHxWnJ9NFZ4M4NwlUtDIAqsWkJNMKZ6LKCWpPOFYNZZwva6+yL01k35piNOGQI5Qis9DgaLJKRF6zc0CZTZ9ctexmyWuJLhLJ0FPxh9YNQ0qsiipg=,iv:ALTxVJ9GuEFV/Y1bWlc6wRe6cXIgQO84ca7UWl4Sqps=,tag:HINGzvJJEMzvdmAbuwJjRA==,type:str]",
+							"passwd": "ENC[AES256_GCM,data:Sn3uXbqvTxKjc7R3foWIp6cFUBEe7VyCyU76G2Gey/yBv2vYn4GGBbhjXSvy9l3YRoipGm4IS3dclNQuGgbOxmBgSvlr4T5jGg==,iv:Tno0USw8YuIyG/S8DVNkU9MvwYZM21PqZ6kKhd97qxk=,tag:OUjk00Ur27L6jPKLTHtZwA==,type:str]",
+							"post_join_script_hash": "ENC[AES256_GCM,data:eMad+iHL9+UroFm2yVg73J/VGN/NYziqRWXXMqQs+y0AIExdwE7NWY36rcxp26DZeX4I6+4DXtX7hTB6UkdeXA==,iv:A93gzPwIo7l8gu33G6GBXWa7PT00HXbIN2bghrHX7tE=,tag:h1lW6DN5bpuV/gZ+xm0pDg==,type:str]",
 							"provision_cmds": "",
-							"setup_script_hash": "ENC[AES256_GCM,data:+4o9ji+JdJzRL9p6eLZgx5bOnMIHQ5pHyU3eMy3t/BrzhUFglK8ynuWP2vY1JOnGGa9ieuldSHH6nf84Krnuqg==,iv:/jiW8dO8fBVArg+CjN05GTFpoc4MP854SXih+oh79fc=,tag:RNToQAg+gwTsxkYwJITgog==,type:str]",
-							"ssh_public_key": "ENC[AES256_GCM,data:ytf6dXGUBvuht5NIMoFNhq22gAF2mCvwBZv6vvzEoS7UpkRlQuRCRrAf9Z6k+2Xj3aSf5aC9B+4cuD1gH6lispfLk9rErFKCkfwCP8WZMh+KiVQGMuTRzH3drHpu+QRTyf8=,iv:kHv/vgI8aT+oYv8mp0J9UQ5acEWNmWIV4kq5p0pWMe4=,tag:v6fHlgDWDd0bclFI2AZsMA==,type:str]"
+							"setup_script_hash": "ENC[AES256_GCM,data:J+JoC41P7FqHZJUUCbNxp+cp3Zt9hwM9Dk9cVm3tYtOaWPTKDHhkV+Lfv+oivCSbyOwQnijbyHsW/FRHKoEMiA==,iv:wqPv0YIRBP1XoN8m95JpceV+RH7rAwZ4Wo3winEM82g=,tag:6RmuOpew2Xc/AnPPVeJ5VA==,type:str]",
+							"ssh_public_key": "ENC[AES256_GCM,data:FwItu4nNt6Y0xcm8HexO1LoRh2Ngb9Oe8gNfEXRSmFfBy+hPx0SDOitn68FQl0P4kP/xxDsAFJ1ocsMujX3Qt1UI3dRskgRwNKpA9wZ1cvg0XTM8YiBBPteLrSTBHC+cp2k=,iv:Grpbqo/i78Jm3NGGzJxxNJduE4elMZemxXGux2LZZpE=,tag:USt6NWZ63Ei+kpsxTi/l9A==,type:str]"
 						}
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:Gg02UsgVY9k=,iv:xGgXHXKpo+BcG0xtqjzBYLt7YPv+grG1j2N/KfAH9Es=,tag:0yT9Mi/ktuarD9bbcFIqdw==,type:str]",
-								"value": "ENC[AES256_GCM,data:ChPnslJ1j+o=,iv:zmBG0/lK119PhJejzr13qwyq2zGsYGjt51EiD7UJQKU=,tag:l2b9L1ckV+uvaaOjZaHBbw==,type:str]"
+								"type": "ENC[AES256_GCM,data:AfZ2Qx5LuSo=,iv:VA/a2CNBS/LbdxM4koA/65nA5Nv8qVcUAd/H+LPCEm8=,tag:n2keO5WzHYU0mBOMp5D1fQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:z03AL6eGCYQ=,iv:S34tWfeeLZFyGuMlH6IoWilES77jV1LJ2Kcyh6EfG1M=,tag:GJw0k49wyXS+fL1EGdflfw==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:73rvj9M=,iv:Fw6MG1Dpmp3OSxveRla8/SBbKr64fsH3ro2+kO7yjr4=,tag:+t96jTkUBX9lTc0KWDFciA==,type:str]",
+								"type": "ENC[AES256_GCM,data:EabMAwc=,iv:3MRRbur0tImi7cgGkczOAlw0F5/oLPaTzSCJ855hdSU=,tag:y/m7ZT94dCsEmy3ppDt5Cg==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:jBZCWIWP,iv:NilvMlyYnmGRbiytJnRWuTEKpP5RfwwJd5aJ08D02a0=,tag:3qwTD7vGHAV/C5S+NezEEw==,type:str]",
-									"type": "ENC[AES256_GCM,data:RTFi/F3M,iv:JUEUckun4ozt76X8KUNreDqsAxPFGcltVixWa/HLHL0=,tag:hlIO7w9+iNYx2O/YzC8tug==,type:str]"
+									"value": "ENC[AES256_GCM,data:B528Vm/B,iv:R/uBFS0um8H0VHObNRERZx4TqSJ5qo+p35+8Y2c3gCw=,tag:E8IOE6Ikt4ewbGCRlTc8mw==,type:str]",
+									"type": "ENC[AES256_GCM,data:pOrbNy3y,iv:7wukvj14V268gFZ5cJ7OVEfWm1Qrm0WiouIYPlcMby8=,tag:xp6j2h+Bw7qZvmKQAI6UFA==,type:str]"
 								}
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:YEs8/2ewxG8=,iv:xalhzVzyvpNb9wCpSsofJZps1PHoKOiZ5ghQ4EdrOy8=,tag:idPQypXyNpb+5Bx42KKIeA==,type:str]",
-								"value": "ENC[AES256_GCM,data:J+YqYhuienA=,iv:F2GIr/pSltdVGJpurtzNDr80YSd8dd8juDGOCzt+gkc=,tag:5/Jts8X+R5ofNlzP4cU88A==,type:str]"
+								"type": "ENC[AES256_GCM,data:9AyQJBl9HW8=,iv:Rz2A9Nv8KxfEYB+8cHCUuv3TOwu5ovonVQxL4Y9bJtc=,tag:pUe3ZUEvs/oFiVaNkeu1EA==,type:str]",
+								"value": "ENC[AES256_GCM,data:BpkJduglcg8=,iv:etkAa2hDDQpBY6Gl/1BKmTL5+7vw4xzl4hsXTNXHQ28=,tag:a4yu9g/3Tu6zNw/eQOQr5g==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:3/juN4w=,iv:JqWmbesf8HpiMBTtVHvSeiQxGWupDyWEIjfG9LdCIeA=,tag:sgt5hdlLiA3nofGqOfYl4A==,type:str]",
+								"type": "ENC[AES256_GCM,data:eTM5ivM=,iv:5/MppxBh+PiqdbgRVe4vR1SS6PML5CIW/Qxh3Ut5GH8=,tag:Wduim47K1FiK6nnblQzwyw==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:k0rGwaA5ymMuesB7fUE=,iv:fENivcdneO51vQ0kA82OtmRyRO/XAkwXEbi+Zy64hlU=,tag:5M6fT7Stv+H/JsE3d5Ef4Q==,type:str]",
-									"type": "ENC[AES256_GCM,data:YnS7Gdq8,iv:uDacp7eJhKRNaZP0YaGraMouBv7iWQzQjH0ucajdcLQ=,tag:WeXqnc0O/udQ0NlRGqTzSQ==,type:str]"
+									"value": "ENC[AES256_GCM,data:/cFlhituw850AYtWG8g=,iv:ZS9xV349TP8ErdDTW/pPkW+1vd/0XBq1nCysmot51/I=,tag:Il6ooZOa7dNEN6VAjGVRSg==,type:str]",
+									"type": "ENC[AES256_GCM,data:l1L+F9AL,iv:dGaFCKyO/SldOE6lf/T8pmeiAuwKawTH1oPItu7rYFY=,tag:bprkj0E8UWmro2QueL1Drw==,type:str]"
 								}
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:IQ==,iv:Z1/F2iyHj582gdaYRLsCXTlQ/xfgS+10AAnMKj3UvxA=,tag:bwB6srWSGhTSGmUjwkfqsA==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:sw==,iv:1iPDpjXvup3Yk8OmCDKoNgtmA96S2hEZW/Fog2yd7MU=,tag:GnHNzDcEPYsAWZCu47ps+w==,type:float]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:Z552NzGHIvKBogKCFrvtBQdYq6s5nZi2gRyLnU0nlA==,iv:sKxWKd4xREd8fFmntACHrq5dN/k2nrII5OQ3BtUpWis=,tag:vtsSnVpQPF2TyI2HVYazww==,type:str]",
-						"ENC[AES256_GCM,data:eRX6/EcjV3ZDiHRTgSsHV/UALgRMdbLUuMCMm4aO,iv:+iPiOaEXTLc5lhYYz+d5Bd1QH9VADCV7VxgbRDDOBnI=,tag:SFLq6qFErPmSmB7Rav+shw==,type:str]"
+						"ENC[AES256_GCM,data:2aqObH7XmdPtVOcs3Q/dt3+cgVxEfC/jmZNUOD1NHg==,iv:P0XPKaS9BOpUSIwW+xgjyw1t/oAfzvS0+lVK79jRkT4=,tag:2ohM2FnuIoNjgnuNTgEYKA==,type:str]",
+						"ENC[AES256_GCM,data:xYp/wZgnA44vvSx+DVpOeBTSo3XFLzOEQpUWs8oZ,iv:/5KZZTufizNZlSFBsAnQ9PduMRO9AI+K83VFXcedfkU=,tag:+Vdn6y2X6Pz4E6ucfaA/5Q==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"module": "ENC[AES256_GCM,data:2Smm+1N/ScLveErHlJ6yCq+VyZYHiFd7Rmn1mA==,iv:OG0zdTiCUp24VxFc1fKJHQglf5fJRF133C3zXNlS/zg=,tag:H8Z9BEc5Wjx2YVXdxISesA==,type:str]",
-			"mode": "ENC[AES256_GCM,data:41fI89roHQ==,iv:6eyUZShyOSYjHyzUBZulKn2bjv9MYyJyoR36EhtDX24=,tag:WPmhZWLACYwepQgjRXajvw==,type:str]",
-			"type": "ENC[AES256_GCM,data:hpj7itxyShrvTxVJXw==,iv:Ks8Kyp/7MEXbKfhPfULpcCF4TmMq39pfrQy0p61GhL0=,tag:5ZLEfZP5kpavujHoMS+IFw==,type:str]",
-			"name": "ENC[AES256_GCM,data:TuwxnwwdqWBToPzdWjBoGkhqxQ42dg==,iv:Q2tyipS/TzrJkWRgBckVwTm0X/SF/2/3qccmoq/apJU=,tag:ElxcmiuKvNL9WCjU1TI2Ng==,type:str]",
-			"provider": "ENC[AES256_GCM,data:b2AelJKpyHmbgFUjyPKrzqrNDmy7zhC7vAl7aIdOFREwT3rJ+eqhHhxemX/Z6uz+,iv:Pxt7GPFzF1wXHHw6u4rGPSFJ8ka9cnvROnOBu1bDCbk=,tag:3nJ+p5aql28nJrCgLSfF4Q==,type:str]",
+			"module": "ENC[AES256_GCM,data:hgo7a+xohMJWVXacETLH9NFEuGWI0QiJgcXf6A==,iv:dS9eFXvYi00iAxwbA/J5pPzD5r47kINb2/HNjvs6sPY=,tag:LIT7PfFQF9X64vZO2+H6wA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:+G2kvuQLcw==,iv:j/v9ji3JrSdPPAT2jODIeXQlo/1ZyBW6PkDtjkUgGv8=,tag:ZHYR2iClqMV27ovgE7k2BQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:Cot0IfGxe1xPhs4gGw==,iv:Ht9/NfcW66ZPJ//31EQ1gYsEqnaxdnkIIBbjOCYCYcw=,tag:5hIrvfm6gljkYS9+1M4RCQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:alt7cVfEy75Th2h1STlcLnFuqcajRA==,iv:4ph3dyeWRkcgm3gCOnPuDX9/D5T3zY4zf92+rmgomIU=,tag:R+0ozrtUxxxz2RJSoRK2/Q==,type:str]",
+			"provider": "ENC[AES256_GCM,data:f4stZs3ZrpFBcmAbntv2gENQeZ5LYpF+DKPwIIDXzEfh4T3o6qIBXrak8WKSzJtW,iv:NcPyEQ+h1E/wmopVd4KmCvqls01Lr8H5AtXPxuUVUTw=,tag:JvT/uRbo6fuamcPvAH930A==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:pw==,iv:TxouhCN4MrdwxO5QxX+4BQPbwtCSiF8PDGxBxmalUkg=,tag:yUfoi8HRFHI6LWSqdP0j3A==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:9A==,iv:DRlp92qNjXTwVSGV3x8gUkbCPD4uFTF9DM/08HyY9Ho=,tag:kdlIYcHineBG9pDbPniu/Q==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:WifQHd0EJZpDyKpZtdQtwEdFIQ==,iv:DuOkYaPH4sj66ZNS84g/4m+FtlwwWh1/FTQydbUNHY4=,tag:EaQNM7XvizB3DOBPN3aeVw==,type:str]",
+						"id": "ENC[AES256_GCM,data:yr0kptlek7VcbYtQ+aRvr1ADUQ==,iv:AsCO651uVkksw/bUGOi6gSG6fUJZOMgZvzjUjYRCuHg=,tag:QSgJD71GemwycPJtGbUG4g==,type:str]",
 						"triggers": null
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:yw==,iv:SzsjmR+TYqOSwzYKZfLLDt1ixyFDbu5WAz9kgYJOb8I=,tag:dD0I6pbx90HKzrE/+1P9vQ==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:ig==,iv:nY9oilxC4KFD2gFT2g7zAXrKLHVjxJVa39Pw11xjEeo=,tag:ouZmHjnNgpzafALwty6T3Q==,type:float]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:kfMcIjoLitJZvoVneozmhJWrbYaTak249joS/h6O2g==,iv:uU4dHBlRk0O489EYGA5nduwZUsOn3WkLB/0xSvJ8Olg=,tag:suEmFe3SlleelmmaQEOhsw==,type:str]"
+						"ENC[AES256_GCM,data:evv33O/IXm/Vrw9P1nTvqyz/ximOJueZMEbdIjjkbw==,iv:lxJxEoB/A7oDe0BxtSlQ10uIxc/32YmMsKAxvz/nC4Q=,tag:uu0biY1kaSUMzTrWYQ+pHw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"module": "ENC[AES256_GCM,data:O9G7Eq2df1TMcTJ0h+2PMvtYvGyd5aIZDt7TMg==,iv:U6Ngn1sM6vYsVgWpF9k3ggR1V5qLf8ZFq2KSikjnyCI=,tag:lf4BzihJPq+QqWIrL1Hnbw==,type:str]",
-			"mode": "ENC[AES256_GCM,data:hSoO7yVzrQ==,iv:OvVFSduiEyT/o07qkHo6XjNOtzPgQiBDVxhBn8pq6qo=,tag:AYkfNfsUnIVjqC6f41jwpQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:QXEGAUvA8q5I3fc0Lg==,iv:lpnSddV82tMsiPMP1yUsnT0h6zl8it4HCrZX7DsBsBg=,tag:9LUpr+dHPev3aMHktaFj+A==,type:str]",
-			"name": "ENC[AES256_GCM,data:wFRxYp5MjAg0Y66GKeLAbVU=,iv:r5zNOSswoeWdYbIMHCjs2FAXCObCEHW1m3vG0j7gqOI=,tag:684Jwg5tNOAJQfZsAYMQeQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:yeC1J6zs9WVWzUHJUmaV9HKOV7qh6lTnnuSuGUNUEGbUtf6ERvANS2rBxBACENIs,iv:FwS1t606fZOfR7wNAVqtQQDmgUL8GBFkwzO6u2Emoyc=,tag:RGh9G4xHt+hT5vwLcNkvZA==,type:str]",
+			"module": "ENC[AES256_GCM,data:dbwOzlaXO8LZ39/jKUgV567XTplJ+eFdZ/HD5w==,iv:NCqulo14+gLiI0O3Kx9p8HZS27jI2XS8awqIB02BplI=,tag:AFsZAeb4/dRg1QY48vgiPA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:yx5Wdsbkng==,iv:SPFDBXqz23nWEInE28+lkQRh27Lb3T6cbj1aoCcHsi0=,tag:uqGJCkOCG0hiPtN+yuqMgA==,type:str]",
+			"type": "ENC[AES256_GCM,data:crsVBCGVD4EIyTLX/g==,iv:sQ6A7KzNJW3LvuPGDQnBzF0WeF1JVx44Hm1AJKDaZEI=,tag:3lsVH1B6sc87reDEGBixVQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:0jbSeE71JKyNH0tLTHQkmyE=,iv:yFRztplqItXqSuYUEDvs58CfM+vqxgaldtyc2YygbV4=,tag:SXyC8fQUw+3FsWRlxJ1vrg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:mC61ck4CvaT+wLfMhLKjw//s2ssHf8nu2xrjvs/s7zwT0ISUEFvnmgcZN0xr6fge,iv:vs2kCJxdLQJQs6rhbnbQQVnOPaY99ahCDPvncq9bUiY=,tag:FSLQF36Ob+RNKwcJ2b7Ygg==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:LQ==,iv:glXTymqBX6a9cVRCwEU+jfdymzhcs5qQElhobT2HRhY=,tag:qEn8vrX8rhZiBn3fNewupw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:0Q==,iv:Az5L/K7oQaeKOZ1MxwgF0LxgwQbf79QqFd2NXrzg/AM=,tag:tRNo0SRpzmiA31b+sPvJxg==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:fWfDQ3OsyOKuntPml0L+kwEM/A==,iv:ku2baH3q4NOD1grpPIeSbymLZmDx2ictq/59Dem6mMc=,tag:vU2iJnAsDH3pyVu882r5TQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:1FcoBSKAK4se0oE7a8TWaw==,iv:17pX8SBZh/SMh/di3psQtKncfBGYIFfz8eTiE+wPFCI=,tag:SIMEXXynefemyabM0XnUEQ==,type:str]",
 						"triggers": {
-							"file_hash": "ENC[AES256_GCM,data:i8OT8XI/yeudlPPpDacS9xbsEH8+JyYB9RsyztO0tnMaCpwIeav8I+Uvxh+KyeaQqiqVreedSoxSh8SON3U3PQ==,iv:xuwK82tUwnfn0ytnZfIjUQGZnUmo3KDYSl+UX2FEIeY=,tag:+zKCvB3eR9sH7yidA5YenA==,type:str]",
-							"is_k8s_template": "ENC[AES256_GCM,data:78u5Ztw=,iv:rQoE5JfbmXo1BgE+3qMt7qKTf1fox78ay4Ov34pTMx8=,tag:SgE/SIekDHdOE1drQgkFFw==,type:str]",
+							"file_hash": "ENC[AES256_GCM,data:Ubq4aIQITuoTQOgcYH4hg/PvAcj2+70idiHhA76BdWIiI4U/8RMIhZGUqYE1LgQBnIEC5hUfJ97uy6CJ0mbyqg==,iv:nbPNhvjSeGKui+lCtYvJTG1QObnrZnXIvT9W90puAV0=,tag:xVecVI/HI9gTsoyEvLrB/A==,type:str]",
+							"is_k8s_template": "ENC[AES256_GCM,data:D8BEnBg=,iv:R66n9fUqInmqKBtyLO1iorYa2nHVRGc0z7NQrjkYUqM=,tag:ccNsn3wMHwvFwHyh1oBnJA==,type:str]",
 							"k8s_join_command": "",
-							"passwd": "ENC[AES256_GCM,data:XnjcU+f9YhtJXsG/QsHp9AfxGHW21qBNBCii9Tx8NVJklFoZJZH1a2jjlqHIfVgmigNMibgrSL5Dn2+uTcLNELJC96HNFKKisQ==,iv:5+P/bJFdV5mmOJJhfCmzpU6YFpP4+rQ2ZYISLrOQtkU=,tag:enhVJaQD+BQv1lluGQtoFw==,type:str]",
+							"passwd": "ENC[AES256_GCM,data:crUoMZChs7CAs82la+yzdS66mRbVOdzngAtray5/8sCdwFRklliIcr85/+j9it3FlHV1l6UpCsGSrpSSFLJe7DXla/p6h1aSNQ==,iv:qA6EL6Rk01EfDGZULuV9YKgnjYAiExBaBZdpfUhFhsg=,tag:i/S0DCFjHOSfhneIw+94zA==,type:str]",
 							"post_join_script_hash": "",
 							"provision_cmds": "",
 							"setup_script_hash": "",
@@ -762,21 +784,21 @@
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:SjuUKK5Hviw=,iv:4bnak4hE6iChQPxROQJVROA+CAIKNEhThjzVfi46iAw=,tag:A9c6kieMqOg4FrZLiKdwSQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:2wEV8V1zId4=,iv:dUzAXOJOCzKQsRgDclgxw/SHC4vUefN7n+/WAKtF/Tk=,tag:7rGxbUfR4HRLh6eb8whXbA==,type:str]"
+								"type": "ENC[AES256_GCM,data:z6tcIaMpg3w=,iv:1ilByqUntKVMRV9I4HGfRrVg62eROCL+bZ6736xO0lA=,tag:LeIIf47MmmPaiji4zChZ/Q==,type:str]",
+								"value": "ENC[AES256_GCM,data:p3u1QAK/Vq4=,iv:TmpkgPDBCnOrwHrYxU1MHRYDCP11i4BNZ5TfA1fi180=,tag:V57Z5YsvQdTA90kvucGLLg==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:7ywtExY=,iv:22XgxGvGo9pYC4YbrSjehJvmjnJgOVKEqzI8DD6WwQQ=,tag:eDAx1osNZhKHBaX7HlBnTQ==,type:str]",
+								"type": "ENC[AES256_GCM,data:3c/K6hY=,iv:TOHVlJqE6g+IAHjI/c/mWpJ90AQwsGjxtxC1hVlu60U=,tag:y5SEoAvs1ueDJJhTPjiI0g==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:8+xEPxGU,iv:Z4xZk7LdAzC+9ivGMe4kqivLAH4+/+QetMu0U/ffvtg=,tag:lzyoh16R+8i7OTzp/OH8qw==,type:str]",
-									"type": "ENC[AES256_GCM,data:O+MWRscb,iv:GwHE78VpiTqllm1UXuMbIXIdugqMHNADKVvNv/ASe+M=,tag:XNKtL5hzGluzpUThGagGAQ==,type:str]"
+									"value": "ENC[AES256_GCM,data:75BBKbun,iv:ZA7rXUt8LE2JVoiwfrDeXWX4LZoVwTzg738MU3n0eF0=,tag:0N4xe11CogbXwZr7bOWf4A==,type:str]",
+									"type": "ENC[AES256_GCM,data:Z5eWc18V,iv:HRCRkEi2gzLQ6eZoKu9msoYDH8htSUiLrXiT+D9GVZo=,tag:wi+QbBBg6xv5jvj/2HCq2g==,type:str]"
 								}
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:iw==,iv:mJYdO7yz9jDrqPGfYca4AgzuMnbTOJddxFuuFn/EjLA=,tag:r+nmDNd3ue/21CX8I7bIPw==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:qA==,iv:NeBzPC0LEeucGRVN0A/tsELlgLhnjik/zeiHGJDNDTg=,tag:skNrWB6ZfT13z8SmYldoBg==,type:float]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:FvHEpTYfjKsHrkJgsnZBMRxCri3UMTLDzqv+2Z5t9w==,iv:AlLpq9KcBFEAfnD+PmhNIr78yYeKcY6cQJTUbPkAI1U=,tag:PTQ86jIoerAHQ+uYcPlArQ==,type:str]"
+						"ENC[AES256_GCM,data:ST7XwgtYr7glv9u33yStSLql8yGnd55rBW57N9f+cA==,iv:YUd+uq7YZBnlztm+RV+s8rHAtVIslQH/PR+2Ujq0kZ4=,tag:ttDZU5RSQwHU9jaBVYKmrA==,type:str]"
 					]
 				}
 			]
@@ -789,22 +811,22 @@
 				"vault_address": "https://vault.viktorbarzin.me",
 				"engine_path": "transit",
 				"key_name": "sops-state-infra",
-				"created_at": "2026-05-26T11:48:55Z",
-				"enc": "vault:v1:F5Er5uGmmo2hMzXfh7zZJUiEMF8ygWcJjWAH+amZVGy6aT843Gs4rmKeAUejOe5FGzFDAIwDzmmpm/Ox"
+				"created_at": "2026-06-17T19:50:30Z",
+				"enc": "vault:v1:6ntUAKzSwaMNsO8Z5lo9DC5972CSZC+8Rtw5C8Nl7JWVDnw0U/VOUg9V85tWlL6kP6oZ7FXDJ49oQ9nf"
 			}
 		],
 		"age": [
 			{
 				"recipient": "age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJL0xlaUIxWnkyRUZLK1c4\nVVlVWElzU0dRazdodi9QZEpUNUYyeVA1OXdrCmZsc3FWUHdTa0xHS3RTVW9xVGdB\nUC81SlB5UmpSU2ZHVjBkUTdVODRsZDgKLS0tICtKZG0xUHJySHQ0QWU0MWIrUS9j\nRW9jYVF1VUMvUUxOUjhoaHRSWTEweU0KPfecGO/5Lr98otZroMXG82MEM+6kgiVf\npTXhUNyT/Qk6N3FKkzjA175TYny1Sb14/OvyiSmSgQrCytLSGue6DQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWkdCK2dEM1ZEUW5jY3V5\ndmlHZjNnOE1KSkhTOUphejBlYVdJUkttM2k4CnBvMHpTOU5Qemx1L09DbTFWbkp6\nVXRxOFpxZm1EQm1CeTZFRUp2S3E1SzQKLS0tIG03L2pSejFKRU5Tb1FmbWhaWEhV\nUUQwZzhoQThjOGkvVCtnMlFwd3VFWmcKusuWFD2k8jVICGM69BGEUlP9Lj11m1k/\naZ91/VclhibMCeTpOfHoLyD21iqUfP/oBURiFnqP70IrjTSCH4af/Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1rekkad48r2wzhwqgfetw5yugu3ln3qlht4xg3txmx55tee8cveess60r90",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRem9EQjBzYTJibFlDWEdi\nWGpQNld4cTJVb05wMUZQUnV2SS9lUlRlOG44Ck9XVHRTbUhQc3pqRUpKaXBBTkNj\ndnlYeVR5ZmRUY3VncXBMdUFnRUViSHcKLS0tIGVSM092bDNSRHdzdkxlSzBkMmZr\nZ2d4dzJYTGlMRUhOYXFwek5NcUZzaVkKYfz+vnbx9kgLizzgfDrPVap5bASb4Lyy\nTIGWJgRzQXnKLmjKLXR5HO+e3N11KctjJaOtKqVsuRpisw8bE7YXUA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZkdMOERIUm1ScVFHOSta\ncTMydnQzaHhSQWpMS0xxZ1dxOHphckZ2YTNjCjVXOGdpWG9vSTZBUGFhZWNhaXcr\nQWFoV0Q4TEwyUm42VzRUYlB5SnVRc0UKLS0tIFAzaWNUeXBTL0xjUkNzaVZvdjIy\nWXVUajVJOExmQk80ci9aY1RVMXYwckUKPN9LjoSQE/06aza1V1JJQC/DNv3qzztJ\n+1tmvT0lBqGFMx1bssUZ+AAlbfyy/LDHDo/CY0SSUdRTe1DieqlxAg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2026-05-26T11:48:55Z",
-		"mac": "ENC[AES256_GCM,data:9qP1+ohIs9Omt1qHCRKoWFOzbag0f7SRMs/YzYPCMnAdrUx7e+jOp2xGiyit0SDIOfHsppyXFfYkGSrpWepq1A3/6oW8hNxwWiUw0Mq4/AO0DxtKTHCBUfRdYi+3iBJE60aNjg39VruEClbILtvbZ9dpaiP3rE1x+FcXAT/l6lw=,iv:aRPVjGy8InY+ff1y0F+pXpCWzXwEgOTeEiuKgAgslWk=,tag:RBAQPli+HxPhwLwiJpLrMg==,type:str]",
+		"lastmodified": "2026-06-17T19:50:30Z",
+		"mac": "ENC[AES256_GCM,data:dR1brYafYfrZYWcBF+le8nmFgl9B9NuAV1OMBFWjcWx8si+3PLHD522R+MJprdpQSUDZqOYbw3aPWVzADdbp5ZiwDCz6gaiqp36VhraSHzcHo0WoiUnfk3JpMNAxcrGGeo7JKabbJtQ+eXzyy+w041olZZmpqT1/A502ctyXUgQ=,iv:RrHjpB9xyKofTXiIWjjet+7/9OXDjz5zrVorypx3pds=,tag:1XJ7iktNZ/ROH+cjBXzfpw==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.12.1"
 	}
diff --git a/state/stacks/vault/terraform.tfstate.enc b/state/stacks/vault/terraform.tfstate.enc
index 826f6cf7..b2f209a2 100644
--- a/state/stacks/vault/terraform.tfstate.enc
+++ b/state/stacks/vault/terraform.tfstate.enc
@@ -1,458 +1,458 @@
 {
-	"version": "ENC[AES256_GCM,data:ow==,iv:sr6qGjAbcVb0DhjadRGmwOSRA8m/rfJpGQ29LLbVdO4=,tag:ZZKkOWs3ZUrQMSlsMSfUBQ==,type:float]",
-	"terraform_version": "ENC[AES256_GCM,data:XiERoNPS,iv:hiH1tvwR9vlrykzhMoo5E2dcoqkn89E2sgobs+GmME0=,tag:E60VBHceMe7vp12lgvusfg==,type:str]",
-	"serial": "ENC[AES256_GCM,data:vJHc,iv:oWhmw6QK0ZTx0Yyj7OQz1BHDIrcMbN0vXPou3f4exJk=,tag:pHefSS/6hn0TFcV2emyUUQ==,type:float]",
-	"lineage": "ENC[AES256_GCM,data:YI1P2Pn8b6rPXEPt6bCGY83WlKI5QLeQBu0YLJpS6I9g1dgw,iv:zGgC6hprk24NReTpKdfW1ME5bGAEhLrZ0plt5qTEig0=,tag:raXq/bOX4c9vVfNqONl11g==,type:str]",
+	"version": "ENC[AES256_GCM,data:jQ==,iv:FCcBVSYo19VTKyW0jhf4cBaK9VlDI7yQcy0IJZjm4h0=,tag:UhapBIWl+etXnXA9ZnIpBw==,type:float]",
+	"terraform_version": "ENC[AES256_GCM,data:IdJZVVZ1,iv:Jdq+oDMcs0a90h94lmny7Vs/JDFG7o80HMs7+DMa2LY=,tag:0yoWhYmXs50N6QYuoW4xYQ==,type:str]",
+	"serial": "ENC[AES256_GCM,data:2sXC,iv:4BJK+ORzNtvRSq2bvnKPYfvtTIMJ0uK4D76qI38+pQ0=,tag:2WUxQAuA9L9d2+jse6PR9Q==,type:float]",
+	"lineage": "ENC[AES256_GCM,data:D5A/aUF61u4nU+77XwxQ2+/pTk5MkyYS99IRf9BuJm2VZWFZ,iv:htJsGPrZplQjKmwQkvay26S4T90+xSFJbTQieqJrH3U=,tag:wki9JAVKR4rhXpBZSgagfg==,type:str]",
 	"outputs": {},
 	"resources": [
 		{
-			"mode": "ENC[AES256_GCM,data:oTnE2g==,iv:fqcMMNj2kFgBYcpb7ZFShZb4gZSj8TG547SJwFsTUfQ=,tag:zuPMrpWa9kaplBzxxZv7sA==,type:str]",
-			"type": "ENC[AES256_GCM,data:2o2VAl9LXWoCQOLmBtnd0K1t,iv:F53skz9WHteLPqY9OiI4YKTlPD3HpIBZPep4v118jIk=,tag:MpLcs9HSX2nYsy9ZflfMyA==,type:str]",
-			"name": "ENC[AES256_GCM,data:BTibELRkH6THHvo=,iv:yXhX83HBW+iQXIZ6eiMlwskvLhg0O92I24CHvlQBewo=,tag:E5iUphWIEFJ8OUYymKHpqg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:LHqk8SQw4JTCGXBd98Izj+R1/Aa+5G+gBeJpkNAItDiyLXewksw5u8OSxz0cU79t/Q==,iv:jRSJ23mB5SBhFirtmVemWwH3bFFafJe0YmiLVrFx7fc=,tag:kwM4rhXp4U7+9sK7o75tjA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:IgXWPw==,iv:DcUMaYof/Jqdwy6ApR603XvqWNKxJX5KCMh3WaMmqDE=,tag:XCMPRbuWtvWQ3Sh3E734BA==,type:str]",
+			"type": "ENC[AES256_GCM,data:B3YfPrXyRS5GCH91MBl5e1nx,iv:huaI1TUpFUHgyVIRtnZyokvTH1Kd4zDFM0eLxXjED2g=,tag:IbTgOY71ppAsChLQmRvy4w==,type:str]",
+			"name": "ENC[AES256_GCM,data:RO+XZj/OPIXoNN4=,iv:a1c++/9+rmXEWRHG2E3C7ViqD7IccMMbGGMXm5XTJnU=,tag:huZXN4Lvo/E06Q4w+srWvQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:bgJUeKHJI3cMEmy+1nuLUC+BEWqpuIGQl3YedgNFmwYCKA99jy1oYb9sZ4wCDnmvNw==,iv:Bdkk3vWy9pDOR8V4+VWkl1rk+PFO8k8/w3bmfWP3zr0=,tag:SdjCiXmtZ5FgyvwincmLPw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:7A==,iv:t7TsiOntIJnbF4yZSM0xMS6XyHOmUqmzvxggE7NHWKU=,tag:msaN4GC+xr1BdiSIto4EMg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:eQ==,iv:afTjFnEStqW1z/b3ZkLBBOfBMfjt2TcSN7Fp7XmrohY=,tag:1EOBwAakThQshUdUMnOtCA==,type:float]",
 					"attributes": {
-						"created_time": "ENC[AES256_GCM,data:F4NldcfdAS4eOjrFwBc/1GIL8EPS0I75FWDcqid9,iv:CE1F5z4J2dA3u01yrYsBQ/SVJTaBg+PxuXKwb3A8WEA=,tag:jO6jrP39t9bGs1uDX335CA==,type:str]",
+						"created_time": "ENC[AES256_GCM,data:RcFaJrRVmKbjkzsbpbprb8CX5ZRMo9N57h40/+ca,iv:YoihZw57ehi9DQeanUvOyvGmreKRDjMtV6p7+zzmZU4=,tag:Z4C53eLhBXWSLt+tpKYKeg==,type:str]",
 						"custom_metadata": null,
 						"data": {
-							"alertmanager_account_password": "ENC[AES256_GCM,data:QnjjkLvLzXnS97bQjgbw5JjvJLQ=,iv:XDtnYLIXWOGF/f7oSm5rUg7fMLtKmI0QMtxo/TnIMP0=,tag:LjUPee0/7/lBi1tm7IIyRw==,type:str]",
-							"alertmanager_slack_api_url": "ENC[AES256_GCM,data:SdMFCLwqvpUJqbAURUJwNvzSuiZsfdUzKFx/mLTji2fIPUesgU4JZrPA9jL4v/BHK19rDVQHgpIn9M95KSROesvPPzoXbXTtYjgMmTirCxjU,iv:G3qPGjsBUmYFTYQ4v0eHzxn/WedgmkURu0OKgYNFSek=,tag:HL9NC/FzcIR7vGDEuzdHLQ==,type:str]",
-							"auth_fallback_htpasswd": "ENC[AES256_GCM,data:vs8B3wqeaXHp3y3sbIMXLYA34FtdVWtjI7oZ4vdndnmhzt/wNrXi1KPFpKLaBEdW069+3k2su+t8Ltsax1o2lk8N,iv:aGgsCt7uoHZN0Z/iZyWf7RkbeJYRZMBioGgMBI+VLWA=,tag:TXZqhVVJ0a352x80wgoOdw==,type:str]",
-							"authentik_postgres_password": "ENC[AES256_GCM,data:pVsWhfE5PIp3HCG4H3VKtQ==,iv:MNgzftTGaWyH62RVXCsfvcYWoTtOaS9/J6dh5Ja7Bc4=,tag:HYhuTi+Saynk6htmmPeFeA==,type:str]",
-							"authentik_secret_key": "ENC[AES256_GCM,data:ktMmIFEN4tI6NFjWfa6y/cyVwpu3mQ+KTD1TimpYLXrGafaLs+NOrtZrThGW7da8z2Wg,iv:yWfZMqM+L3su236ArTPLklYvXHHeuEiJ7CB7Tlg/h3o=,tag:iuZR5JrEuNSgyoDmU9Q8+A==,type:str]",
-							"cloudflare_api_key": "ENC[AES256_GCM,data:rXF06/N8YRon+4S3HTiaweyLpscoHg7WaVYpE5rfTjXyVtVSBA==,iv:4GfdWxiDkteUN1g9rhuzRdwLIFvwzVFg75KW/p/guDA=,tag:MNgDZxsKiioyVVNW0xSToQ==,type:str]",
-							"cloudflare_tunnel_token": "ENC[AES256_GCM,data:WTKJc/BKj7LKnBHPq+nnbIfT9MViWyz4lJMx+DQK/LCN2Y5CZNEGtgRjTperOTnXeMVs45f/eH5dN28SBTqfZ9m8MA116+t97RVKmpWWxrsjI27tx/vpNyDeOhYyiYz60gYJBL+3jHqJHINFHKnkQMCvhQ9QWI/5DYdM+cX8j/AMt3S8Ghu01lAy1FJJlNap3vP550BShBv3iZDnbqMP5LT/9s2xM5CQ2RpTtMj7i8yyDw3lRLhNHA==,iv:9XwGQ02daPxzB6GMuqNcF9iS8JeVRkUD7b5rSlC7bvA=,tag:4vQmlA6OgycqZlz2r43+8Q==,type:str]",
-							"crowdsec_dash_api_key": "ENC[AES256_GCM,data:SFr83JoEgdwW3xFvds27kIwpEo2bCrE1zy4rArlrsFpvLlE7sRZNbXaNiw==,iv:r/a6xdTwXjjWaOfvyotlnfBg3g4Q43mLRqTC2AYgkbw=,tag:2R5p7lBhIDgHM3PwfSV1VQ==,type:str]",
-							"crowdsec_dash_machine_id": "ENC[AES256_GCM,data:DHZS/VZmiEjEy58/c1oVKOHJWXifpeKxsrTEsb0=,iv:zzlIK/8rcYAd+gSbZPIeRjChtlW805jnsdjlHNGrJ+c=,tag:bx0uSP3VvKoWTnP6BRNNFg==,type:str]",
-							"crowdsec_dash_machine_password": "ENC[AES256_GCM,data:3LbsNO+lqv8NfxfQdn7A85u2XMhK4nfFQrZvymZsUKKofHsg2j0JEp7sbFBHi5GmmsIrVhPkLTEGcg5gPOfNlA==,iv:OVPJCePy0ASUu6Dqw0PFgMnBQQiTIjbSezMknD6ytrk=,tag:3Sq5+QiIkXvrrRa+Ct6ioA==,type:str]",
-							"crowdsec_db_password": "ENC[AES256_GCM,data:PgR+84RwxfjWCp3hhp0=,iv:GHdYvsAEebAFQEoHrGyQNWbDQOLWJSXGoSunuEKhJRM=,tag:t6H4+uYhDdnRfcu9C7krdA==,type:str]",
-							"crowdsec_enroll_key": "ENC[AES256_GCM,data:8yGA3J+3bKzDnBL1FZXZ9h1YZYzWY4hZ8A==,iv:3587BeRMu3sJpBG51GMpcPCXkjx/8BUYwcdNjz6qFZA=,tag:hGQzQ5amJTJSbQ62itLoog==,type:str]",
-							"dbaas_pgadmin_password": "ENC[AES256_GCM,data:qZDGVgMnHEnj/lbRnjxo/rDpuXX4RGne1DHfGVexSlQ=,iv:najBbnTlFt4nJbpsArf3Gv1S/T9xTZT7wb0gXUkzI+E=,tag:yRabNb/MkaM7VQj1mvSTGg==,type:str]",
-							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:+6dOk2PqJod6sC/LZCwNX/2RW/0oauu5DrE=,iv:8jSns4q2gwUQLc+l3R/ur0XNrZBLyFJN0mNUg4349oM=,tag:fgszZu+Iw0reksg1JrTZoA==,type:str]",
-							"dbaas_root_password": "ENC[AES256_GCM,data:yzL1wCn4LrhI89hXbMAt0V0fgsDw0lUQNzGf3w==,iv:6s5QX/UxU41haZOzzentGIR1il9DiFmIEjNv8Yi2v/0=,tag:hDbW4p5/qeOlpvNUQO3qTQ==,type:str]",
-							"grafana_admin_password": "ENC[AES256_GCM,data:unOxkjv5VDN5riXpScCA4QKjq1o=,iv:lZGfarHQLpxuBP3TPbJTRLNEkfdUloxG/VClp6nEmFc=,tag:jHqICRxB7v7lsIxIJDO86w==,type:str]",
-							"grafana_db_password": "ENC[AES256_GCM,data:IQSzQZ+DFYsyyxJb2lJicoTXWPQb,iv:R7Dm0R0jeDwhUrhz9h4L/nJB4sIxiMSC4B9DbCM6VZo=,tag:caiG3mn68giBGc7nrMzKjA==,type:str]",
-							"haos_api_token": "ENC[AES256_GCM,data:A6IiQpJ8PVGPRvbppigyEgA10stbd9Z18XuleeYMdPkPQFj2E5V5Lv6rqRNTdBPpugXtUUuup9laRTNw03QFknzo9JqdvOzlD1u5kjsIAlC8eotQeiMgm9uwjhbRSGjFodyw2E25B/k1LlQgR6kVDsk62/lUwGwsB3XvDb/mYIOzjXyZlvLFNsIOmUTKThirLtr2svGframfnetCrauukKNzX32FDNJNOg+NAjueo6/fwVSoBf3A,iv:QURXJplfYIWo9Myd2yrrlCdxAaBYUzd3R933D6Vykx8=,tag:+1q3jBaC/0ZIJ+zchXy7jQ==,type:str]",
-							"headscale_acl": "ENC[AES256_GCM,data:OdScx0ldG38I3sTyy+r0XRJ1NrbDPJnaqG4Cyq7kWoz2gfi7FdjZdEmptYC3ADLzMwFuPAaLc+Auu8TmYC+2OWAkVWeJzfqJL4gjdoq0+TWsZ+kijbUU5NsvwCgrMEIJvA9YSbIouMTgWtdZe46h/OpaNkrP9JBQjPf1SQJs/3z2E0eqn9ilE/TeF3lviGrL9Jj+o7gVTdk8SaWOxbUd7e6g4WFXCzHs8+GHQ4+p04mi4SB7a4Xa1JpK63py3sY7TOuI1/OHUWPMPLaNdMDL36DJRhisgVghJ12VZEO/jAw/v5gxjRS6Ufl09TxJqXreNg353IN5QTbwxT3Fe2t7u3wWZZCiS3BqEjnL/bz0i1gW7YfE10vGspHLdQcWf0DeUe65PyOum4JKnD9Y580o/rS9J0T0Y/FflU2Q7iupoOVL9A7jDjws82tvpzWfqA8YEqHJr7x1/87STwkNZVZdA1kI9ucezIlZpJ+yI7wxy77si2QnuiC1M7YDqUVxFWVoKFh0+YesPN3DIoK2zmFR/cBwFmaKFyEodUU5Nafi5HiwbwoJ+NstDEmvioaYY26HacHRAK26hpjZlTdyQk7Nw9ais/7jLgrJyr38JgsB8ydXyUCV/+GgT5xCTPG/MTOhfZ0hAkpbmNKq0D2AIVYwx4D/mY1Lm9a0rvGQzMBeKEr9hOtfSulbzKNu8KnuKz158rueI5z5EnLVUmyYz+ypYvIh45Mz3DVglxjmrMssDDdKNiIbrDnCYsxC3jnd+f5+G6g2p3lYeUVEchaPDc9fC6wHtjcwDb/ZbB8fo8+bz74sakjxWupJ9C8aCQOjyXxz9WOec93LC++MCdU6Bq14TQLC55GsbwjA3XBG1vMzt7DmJHDJ/pX7/hN4OOPXKAwRVg8v9jhEqUw4MvdANSOdizBqf5130BhntHgFSXZLmmvMw71IZfvQtHwpLjEes/Rf2hJDGGJUKy8onH29jUE/kxLfa5zRVlHUDvrpUI4/nGBTXwDDhU5nwnHfAcJHt1541t27jMlrf5/bWQil1KS3bcxRAK1tAntqyE9KYQi9OMmdW1bRP1Y4I6yMWJ8v6/Nry6VjF9+mO9nRTOpyiMp1DGjaB3yxDUEw0UZqrwRD/ke+yuM6h4D/TQX8rlcC2gtvNSp/LHt8WVA/TuLJGpfUF1wZ4wjLKiET4XX68hTWSMfexaV+rsIOCzwEQjzQF8L8MimKLAM8MXZ2Z/PiijgcR23hUNU5N6jMvk8M2rINFq5S+7HcMWTIQlKGqURCzMibZ1Atbb4hsuqQN/Gf3ofA6lug14qWoIqplEYejx6IGUQgbtYQKqcPBjVoVxPZ951ZTS1oYWYdJZNaylVlcS18TypPEamD22ocG/d1FpdEA9Y1fCjHeop1yRJ0F2OVjm4JZ/jiWTtrcifF2l808DogGga/rxfvidbEwfBP3SYRw4iuJTTTkeIvem9uCKnds2OJWC5W2AAwunvXWw3xlm0f+v5qgvTvhXOd0gzQTqtD9bnZ4ITZDA0zPMH3rJa80/uhvsceLwic/6ETSfcYUgJtQm9hFKJg8ZPQNSDiOHPIIwnT0+BAxd/hvl0blLF7RqC1M48IOl/SnQiB2Y1/CAk2aqeAK3crBabEAjTj6QJOEwEWY2L2AxR/No3kzn2T3Jym1eFya2nkIbKeWa6WIc4ROdqBJO6DvXkd6DEo/uW3hOvmFWR61osGb2+WF262xCUbFBynBX4XhaIjoRhi3eAz08VzCMGf6zBlzEj/0wXdXQ+uh12nTa3qukmxXfGvWpGWzv0YMrdnZM5FJJsgBDL90LklXC1wGEZW82BiZV5MnEsxDGdKuMCmDBOwi0MiCjbthkpEYHufxR7wslRdlL2BTKa+hDHWAfe9HRXPxdUhPvcAsIwhIGcT6pdoIFmYLLH1NYx8zzsXN1w/o469lC7tSy/67tLb/xKkDl8++Gsgsk4f8v42kqaFKq/BwVSZDgO4e68NXy0PrnjlIDEYbgc092ypkfmPZZHIIDJWVq0NP+SEhnKUklGb3LyzxeXs9YSKlvuxvW5Z+HyfwI9QBcX+cJ3rFzzXSjKMIolg4Eja7ySazaJCTMjSHZ44uZeM1IISqcW9vQIgMxmkvUnVY8p6JuGr2o3WQqX5fLundc3RC8QydxJ9xSw+dIN42lhIfSq6Iz7dYaorMFzIsNXnwhaXlDghpGs6l6w4wfw+OUVMWlSI8nakX5yoQsyHlFnBES8XN3hJwQmM0DwpGQ7pcVAX4teI0lI9uehiZUZ4UfLO4eG8+8R14Bjj2S+hGLGgqZel9UZeDq6LvHxrTcHktlrtztpW4TQkxZq9YPP9ErHBRB4rhQu044vZ4JjxWUqsVj0ZFVZ4bDy9p/cxxqcxuXiKPtPdENac7/dqA2LxYzFloNXPxWLfS5iEBWXMbBNRRgXF7JBOFBgEm0qnqz3OLjnYd2TN2vftjgu7aBpSCCRITx+HjuVWwjigemgreXUhDlRHdv6VPN/y87qZjO+VsW9LZKQw5qAGS/Rv2UPPri/OgSPYVPT/R13K7+eRaEhtZO6lVdfLIoyvstgHEguQOHIjRUQ7zEPrf44v9cB8tnFSbJc/OIbnwK2g85TSzSP8JukBdW2cqApdEJx5Zgsigy5EOFoVH2zAVBINW3LkeHZzBrftaL/UTZOQcve+9ooR8wEOQXEzuNNly6Q53nf/rtQpSmiX+FL7Sa/qhF24WWV8k8ivVlRs7P8Kd+o5AYelkxGmLU7EnCvvAlTfZZAc/1lawWp0kL2GNDlhLpUc5OPA3rQPO4JBbPbU4x6lNVHpNERDdVTGLFBs8VR8k6gQO4I8qFuKtm7jKc1KnN2lVXkvGhmruzZfF8w/4TKWYSBPky07UAdYn0HEg1+65PIDdqBLd0C9VmJMvWYOFCuqW93d9wirs01qCFwQQbrwX6XSDL9ODly9luAs/GeMmLvjVufOf2Oqb02Q44hS2Ax5b15FoiN+um1hohVIvP2ydN7F/4q0vdpLOUHn5O9jjrawYlVTnV11M21ZuNmM8bVthhS88CBxNLJZNZQ//u6W42ZjGK7EdatU9n1say7eEhRb19z/2t1WnDqYRLdeIJlnNMnk8duiFLqL4N4uslKGjRBkRgOpA8NKS/qKhRdR/zVzdtdufnW4ZoEIpBZjRw/znJ2igDyGPf90UOXqoWCAwYRwGfpHRkfD5cGN6jkof6jvCgb5u6sXUAZxvyPht/1fk9n49AyyVzj/5OO9zBB3E6Ht+0y2lFErqUU8pL+jjlSCz4qBQJ01UgXuMs8RWm4GAylSlK9PKgAaJAS2ixqazpOJkxJrFg8h+zPdSNZyTh739Zf9Tzo2fjvqjE1yhx8sthH01s2GzL2kLVB+cFmEmsXJkwIa3Du9pYrzAtDDLU3OmX+n6mFAKKZ1BTQyMxnjPUdgSmvHQN9M1GKvaMAOrnCBWTMUufzHoco3mfY5fRvtJwPo2iT2Br2CN+AviwkpaexgIQzHnhHTIwgL92FLbPbL2lHBxQ2rNcPkzHeYQR/ebgkKjeaWysmIUWociBuY35FmdXOiSmbvKYtBDPxqCe4XOGS96Ax5ajSIMQ8thb1ztmxZQesRWmiB+JZDF1Edrhh7WjoBHLTDgob/V1lkpQka/BPGrkV6JetYDVYxx8avh1jKi0qQrM2lrFaZsw+HdIQQGIDNcBqiXtCQ18a8o0Rf3/aFprMD/1YuflXZekLrQExHESxSdqD7LmraQsxob/VI0bLHTfe9YMj46yOTthV93FZGyKuKBv+M1ClAz9VjjVIM5saOr4Y/S5vsH5yF952JBI4fzg/5suhtDrmIXdtYc3xnTUrbBkeM/+dfA1T9G4EulDPcPgKUNJClw++cQFC5V44poc0QCS1/skqUXl2ZG6OVFX8CTVWh4i9Zi1766F7nNKfmCl74i3S30Pxet9tZkt1u/UWKXwSeRTBc2FcZYFRedCoZPqOXy8eGpQAjTJAkrW5a/Pp0uqV39BTA3t0LBWZb4unU0cEc/J9h3bOrCfKaxWv1a7LSmhexojEW+Vd96LmUCzrIJcVf/qVL60DSBaaSpH5uQ04aO9KZo7frLkL8MmOadLQvjeSmOVxZ9zRkqlxPiOq56A3FW7o7zud2WOGF/atXYTwszF82gRP5mnM4ePrx/vM/2AlM7IffxU8U74qLpf4EiMYXdLozvAdUfiEvWPb+Kxqw2JFEfL6/AqThpzDCPMsX0m5iwMi6nRRRvEmQ3ABHuzpihXrJcBzlYeJNzx0eL61p2b3Rxe18lwoLXpR4b48W00nY3Ey/Q1DztIEMuwwZcqJhz+Ar7f0osU0/jC8qEPtWnP0k4rIgH0iqnT1EPonauZyEyTbt7qWh9wENndWdmY+QikpkoblFDd8auLcBlOKGxrpVEhr7rCY0YZFS9rDMsRvmQadfmm34oT93F/k4nFB6gi3hEdmtBu8/810NPbKY2lzw12eilgddyIWCcfnByvg0ikx8lc/9Axgn+jztJUHEJxEP5mr2rnKtbKSLr8mn3EDums9sL4kVIt/GIKJeQcw7ezRPkMR6KXblXruTiglafohm46/ST12SqGIDDZlSKL9HdGjKouQeDQu5/oB+eI1vf3bPfBq5et0HmktYV6vx4vo8vVGTXAzqpbOJIXWrWhCfxKvDlAybEfg7mt/rfbU/I5ggzVBMXcAUZeLbTpB7nLNrzHhS5QwsqncSyZWnWHwxTUkYSwaJWCmbNc+l1UXsxfjMvmYVvpBY9Fz8GI/YaRbJx6ZZEAOB6/HwTsloMP6ovLG0VQ1ZTXqhpAQH47gXgIJakkK4Gw5P0G19Jt/Mg3SjKbh+VrdNqNI1pluyWmd7cDAmpUwYhYjWydy+3NhJ+fF34NSZ,iv:7L0ita53/6fCT8FdfexWvOSEPZNGwxDvodHgWbzeFQE=,tag:sSYGxq9yGrTsLjtkEY42SA==,type:str]",
-							"headscale_config": "ENC[AES256_GCM,data:VGnMG1uouspDeWWlrjCcRQWYDulJMxHA0ca8eBEylte9kK+INtty2G8FWIPQwnz9olIjcKpxNQI343mUMOPSXtkqDh6mqUadxb+BIQL8FkAt7whJA0LslNk/pHxniRm4COw9RHgJrJY4CnEbx2A8mFXXucjW9G2DIt4AhZThnBEFgoigYz29NlRBm+1sSqgLhG5EL+RHt6Fi99yIIRUeDCWNnftV5icB6hQWnf47TMXDEmpMGqMxtDK/0qOsOSxKWvNES0IntpRtPdyO2Yo3rr2HyJcL9rxe8rkNvyy7rBjSHdcKVnqxY7yIN3IyAdS+zg2lWP91/yPcUzcfxHp6pSLL8SPjyPpdXOCXMRWF+vENfDo+BRg1f8WdJ4245BA0OczuMKLdiCDR2PE0m61D86rTJ6T2wFzxZu8pbAgoLSP1zzSODazPUv8IuOiJfBFQ7IgAM8AJY5mufqXZhNr21UTS2cNhW3pSJAbUH26OBcMvQhW209XGxzi1zc0okbyAUd22wq/II6B4gRMzhCZlzCSiwD25G2x89VjhtHVkHayF6kHiKV0uFMPSvGfIxCA9kVnP3U92ryg+82UXo/B5SGUx0QvEpGFsVknNelOqcY+dVBs/FlPZdM8TuiNMRrjGqgh0CY3/d01yu3qfjodShjfRVp9tb0g9JETOimA7jZIZTbeiUEhW13EpIKawuQYHGq5wVLQUHN7CAj6d/6iot5Z30m6K8fxC2FAfEVylSbTmr8KEv72miIPQJ3JjG9GBGRqCq3OMssCz8mfdbBxrtsi13rRm0fIdRpDmz8f1lNLx8y8taItPkKOAArujWCyMq/wvAtSBXAu2nkBrEZV0mKyvCewMfJY2h6s0p027WscUfDPii+3hyxQAn37nzzD3wXSww1aEnaTN3s27JqEU1uvh4C1whCfx9qwk5Whrtg9uyafwjaRzb4p9crpgEs4CSnK3/VkDXBmOlQYaVFOrM1bitqQBSYbfEe8AGsRQWOABs82awX08ibF2Ybh9f89i+ZMPBgyOFfKPNTl2qJR2BT3au9ddkp0qIlaHc172DDGbhlTZBEGRcemhzrRO7Q+7Do/Ub8hjx+uPonhUcdSNjmLvokarHJHXyJvgZSbYOqZaW0c/yP2XX5QFxMUHyxWOKgD5sVkRtniwDyy12XU/QoQjG/P7cxsZDmKwdCcpS8rXx7vmuJ5nrs1MRWIda0iEeLqpoUoCn5NRQrOY/PzzcPVNxVEHBeEJ9QsdI2d2JPKPu6gXIh+G2hYGJKTAQoPo7b2xbl+S4+Pmrgdkfir8/ZQDpaa54g3sf6rts1XYhvbGSbSz1EnODOhJozmQrZPuADhMGDfp9t7mg9mAd/1BWtSNrtYyDkgYfiTY6zsUa1kXOcBq3Tqs2Nmgkp9+d/tEHnqp4XhxgGQDc52jyjePqwwXci9lhyazpywkYT7ucnWWWEhrxdH7MdvKtDMG1+FS0mDevGSQdXgxQ8isnAEAku1Hi4n8Z1N5RxtJ8lX/pbU1/chk0BUdswUppfgEz2/n1bIHFA6jIOv8aSq4vt+IY23Fe/6+0AxWKmjfySh15a5YNL8szZ/2VkoUYvNso7K01rW345hqtb+Wo7fuZ7vdE3Qq1VX8ifrg34x1YSQXhwm/puU6EXUH5Tu8yuf5qmkG718RGKS/RVNjcVgO8V6M92p2/NUcJLNC+NOm0Af6M7/jlUzHE80e6dlD+co7R+MamcVOsSegNEUlZhG/gn8pxuqQuFm7u8hL6qdBlV12C+IumlrMcRGnd+uhKwAv3hkYgyf9PMlGuRxAVGtsmUMvMCqtqs52QryXdqCpxi/0wdgKsx2A7vNiLAjrtMkj5CdzgHoVn7E5hUnnBM8WJmpFEeK3elARxIfnbvmnj28AoKwNl5ypON0sd6KKttS69ksctMOXOl7vg2eGt6RhZT8VErluZgYnOEO8mes35PIbClm18oncjvOi8Pz6QYn08/Ulf/FCihcuTAKvOHWmoQFSwJwj9pApbjcsMU5wNBZWUzlCXDKA6Rxn52fKQ2qG+030BYutmtC6u+ZbUz0UZqPQheeqjKFV2xfUW9s+ktNhKEwXjzJegt6fD2IKc8hA4yQPQSCRsQhli7e6jVsQK8j3v5N9XjLbvwwzvgRsvRoSAgp/mMc4se4Iy0RywmDfnOFRpboR+6F9IRMzeheX02aWa66RK5pgAbNCmsj80NjAjiPO4MP6uG1nCIGc52gcMNzbkwKhT15V+0oQ2lTqpuuHVVvec8KNeWw7nIP/9a8EtFS8tcmltxnaRut5B3HzEeCPipcQHc5gIcO9cfh4JujQ43o01J5k+SisQ55Ajq0a8j2kVbmgOc3nHVe1aIPvstAU0T+lSLMk72YRRtvHtsfqvFrtVGCDextdpuajvSsfCPTFiP44uFCQIPc8XTyq/SzMXXrFavaQ4ernM7p67PATm/3QwU7owp9/oNbnZieDCIngMz6JowYG9jQW1XS1HV6qAM7ZtWjeapBGyYDRzDGxWFxeOqy4Cje4pcWAij+B0EHSpGbWi8oFQYf8CS/iGV1GykS53JjRwy6Z5GUBPMR3LBlE28dyNVi26zWrUAtTWhD1s9o3ob6SRBGo2tWegVNtXdyIDUVvwqkTkfbofLei3Tk9NxuFUXShElmCW4aGB1mgyAUEaUfFgbuB5vO3qTdneYqlwoq8wdo/bVzTkQ2xHwLJzqq15En9kLZ1xiSrA/LMY6MCSIgPJJzeZFDmw6zaWyqZLaVLvFPkuV7Qa5Gc8nvYCNxzZMQuXfslIpGCd6Uq/KJ9vIcXmNjGnI4MIJLVuyMrlAkTSAm/dpCnfWYAV99qnCDXJZtQtXQ6XmLlsMXc/fkWmC3wSpW8pnG7OOBcJOKENcq1JOMjpwn02uCdq37mRMkhBu+Zj3bswaUL2JTuvyHFppME0w7zPRupolIL+n/VihuPH3e0TWlVa80wyJUHhOzLHT3ILw/jZXy9tFAWoi/QyAeOoBk7t7SHrTqXXyDdzKqSzmnApVKKJFgXdePZHEA9tki2Z865zyA5obBZC6lbdF/8OSNn7G5UKy7txW2hNwqi5kwEsYXmGYVWWV5kHlaGxobn1HAk45/1E2bFHwj+QNHxg1oFLlZ7qhkzhli5OwZiuO+SQCuIoKdddjpnE0HORA6zJF01FIiL8OooSfIbsz5glX5flwmseORgokuuhplmPjv4aVqpWUQeJ/kODHmFbgCnpGni+vK5s6mf3PSDVGKsKxH54/qbo1S52I2D4lj3h1GdhAu6DnrD1zPkgRbLNtxxqS1jaEJNAKvVRJ+wXuU6F8O/KZSSfZzREajTs2dznu8GS2O7/227oE2o0+19s52sJCga+9+SQ65KYDlOzWBU0eCGYNpfxtKIvXsVKM9WceAHbLC/1c3XbIwmUTqwo132QCIGzMDj2nn5tQHO1VczfcoRjz5PyJi1/CP5WJCViq770ZKqhaJI+g4zlqLtOOr7vyGnjB//KhFy6oTXVERRkrV6rXl0D3Cyxi+6Ow7p/L5w3dMtBEh4tjLRhs8cICxzZQ7EWaYjG9XaDhGi6e0Kkl2K54df1tHyCQ1j5VVsMlgIgckItbIaRc1RVjQVb8UT9a1C5OcScURtYM5WeM9komJsbA4Mmsy/wx6oOQqNWR2wKGY9aO1j/iAvY9ZGuOu8tUKTqRdURlPdg6aOIyLcKqilxvVXsFUUMUZC4kRrQqNInszReNGshZOz+V/3kwceSl2KUkwFaGLNuFQ2MQvNeFaXVTcTfy0cJk3PjGxk0eFHAGN15TsAPfrL2mAJOavOrXaPqjrBd1oSJLetQEFE14AGB6g7dubO+AliBLkFAE5oqvLvYWpuoAh8T8ilafSkYU++/kIIzdIEbVNNeEbfQ/9oaUouKk/ClQVWHdcB8mRQ2NbonsrJLtKN7w7BPj6YDc6KrxkMhhgHgNcBx64vVYDLsJSKHTxNMm5VUSOGZ48cvcv61WH8b3JjQzbOKpsAsaC2vVxelKoFkbXSgWVdFUUlgyjSRm25xK+7vJCX16YIMMCi/fl9rSgDmawvwXzxKJ7ssv6DzAd9JUwt86akr0kfRwfuoHrbeG1UR5ZkgM+5qrG5AJD0/U2MhvVYKbSVnm0zgJ1ttmz9+LDC/cGGGHRRr0iXjTYEuMN8Zdm1wFgH875b4+eppu8CddXK8CdK23JF0GO1LOa4yYPm0ilLEivhDfqWBeNdBuEmCFWCXpbsxphgquOvmauOUnVPP/iXQK6/SvjrptOiH9lLZ8SAaSkTHmToU4fPFib6DczcwmUhtrMnq5vkOXYU5Yh4dVwbEiZT/tEBMeMJm5jLHr1d74dTPO8N/TSKHad1uT4LXngkR6KcN1HlSqNkYQ5PhuupyOrkmeFk7v1pLCRkuBE2RJTATB7Ah9P0ewHKmInx+0U69cxBHIm6rnfZEXAwVrPw56jn6sggxZs21283sH9ldI9p5HfyMiRv34YA2/9b/Dau23O5BrqmXKZKUGVRhBxUi33F6+uhD04mfky+cF+gQKCMPmA/3V1HypPvioVVKluUtdIEsHEucYglqOxlQ7XS7TGMjz8Z75rKaRIpVYWK36lEIp0i3pVj9gxWBYOWL9iegple/T6pvqciB4yx/CLsPM461LObVDI6kV+74ZTnT7KvNZkgxMzGoGoCQi/V8aD3eNhl5qO+zWrVL16W5Tmjy682UJOjd1aER6b1nX2vzHMObM/pGnSD1z/TQhIbB8lofkb66EnuBMTpDxOsOSZLvEa88QR5ewYIl92FMhIlciALJjKx7Xs95cpU1uekkBHQBdU3FAXWjaaE/jw0nlvDKc2p3ntyOB/yA+oYBS7dbrHFZ7ku2u/vPgC3YFFeYd0ODGHhJDeWN96jQbv5hGWg7BZ4MBpsYxL2YOqZKQsyDGSB8/yebgq6019tT+FKzYmyES/WrhpkN7jshORxeYmhLAwMqV/PUC6MJp2oPiz8REpAszged06sbG8qCm2otxRCGUqGiBZamGCVEkdBXz/KPpL6Fbg0vXQTqpMe/lnDii0G/pivEpTUIOBAmNnNP3dCPGV4yeJEWYzTu8ztVrIv/UIrmLVBD4m+W79skLn1U8b4We0epwhb2AEGI170iCKpyr5B/psFOmzvDAUOyWCbnaqv5LKUDeHICicP6nCqw8Mtnu+21Xg/pGpD9oIfrqoez4ubexArAKJapm8mIymi72CM+ulDcpsMYytvxVw9vWbnJxuIhdjlYqiI7jv7g860Yi/yzjNV+u6XAt5eijO8oiy0gzE8fTLBOSPIBZsnKQGTXHLGWXvhucnYByKR7wjHdOgCdRw0QDNvuXRQQCK1QaDWqulD8dzEWXi1n67xt56D9cofudRLSW8eWR8kLrrSMWDBeSp0yIptzAntQX/DL3zxOFn6N53KRcI39lkZKMYfVlWuvxgRECSS1SiLp2kz8HYHhcF5SBckUtDhD4/LU5iE0lvh06HErHXi7Fx8GYegGXVFgoNHjPGIyOUb35sdTpZGXdbEUFXcCNO7nfK2UXZ/xHDwG+IVPIEFtREE7AX2uG3RBsFUevaa0uwRywrryLBK8fKX1ErUjRHMTFocGYUncJYSRLM4CZEjBvgNyhnvjcxiMEXGFu9lUPQ10STuAhHtNg0S/ua6j6TQMxrqe5abgDhHZ99/TLEqRKEqzoZ0Kz5EbT84m6xcQfAPXvvkyh9JXzBYiqdy2sp+PACVGex5sAhnJhA/jx6QBjSv9pqj472DJQoQkBuJyhBin82T0MgXK70ARzwlEJ6R2ny6WvlgSBDxUv4vxqIhkoFOWgUnGws8FhI2qegGr+JIKPNPhgt356hu/izdgY2cQqP9CcMj5qg/fGkp24n0MbOXvDnkVrdF1Qyigc5Ds3d+FXVnmCXcZyVWx1X2Hqk+cJdq2EQA0YXcUTg4QjirQpNGj9SET+24gsfVOTpy6bIyWv4OXpltAn8VbCxaQ1jUcrQ6zZCDMEmgHzQ0OwdJ3HjqSiuz6xzxW1QB/UoXsQDXZb/fPhRl/lgUA7LKJM8pp4vIP9czXIvZXJ77gK6LjG/6wC05G1sVVChUv9BZ097vc6LRbOwHULuGuwbnMdFw0hudPsp3puKZTdEI4DPCcYs6aTsvJGN8YgYIr0W6j1+z19QgnofYlEtR59nwjlOi9qLrMsLH6XOJ7ifgj4dWd3no4G/GMYlgicfMQ5QMDFNU/YT+wzENby3taJ8cVbf07DIoYmzDwEYBiDnGXosM0uOpd78ypdDfqRAfysq1A090iOTm4p652XkqAZG1O2FJHKegYJMUGeeDk0Z1/lyt0XrUC1DVJjFX8XX86K8CxGR4eoLATOVZuBU3yi8uLiGmq8/Ib0+DYVujy+jsEnvfyAFPDMJUxz0CjUrq3d8oLpmoOqC0yl6PDrXxneRSm1Weti5CxJN+RmnEE0whZQzNvHy9oUnqgpjrI0xhI4h6X+bw7GW8tFMn653/bc6yM5yk0czpLnIcO6wICjwK4tbfdrsHSE0mrOrFtweOEIotgv3huxqkxnfmMJn1MV6ARCTEoRS5hcu6ZUB0sG/peEsy1EaLGF7ukF+CNiHTtCklPx4a82ijxIxWYnUQ2ykhz+nCggtBPfzsZRvQkdfSQ+NJ62PjS5xN77Hb0yBjUwLSqno9qGfQIxbUQInhmkkVWW+ucUEVJ6pGwp/3WjaX8GZk8fn6DANS3J2xWvpgpaCPKhRDoM7OGSMS2mxiDOEIhofeNJ7I4R6AGWKbzG7TBOU7uU6QzGCMc1bTgoxhMK9/anW9yix3Jk6Dda7tgJHvZG346SHrKQ6HsL0HmAiEIiER1iK9GwrTcmxxwaD798ggIxVxpex2hUUDS0NJOTBUKAOfK3jzrE6gWlLONK4uINkdsC8BLubH28Ezlb4yZmKHuqoWXUliAB9pc5iIxBZf7xP89XsRM0Kiw1jiIWsLp3NE4kwUUg+trO9pD24mSxTeLAyGOJ9pX4ihHZ+Uz/khPU5D4sXRtCZhj/wI63Pc2lkJw22E8tTdV6zJ9UxjrPxlD9qjhPjCfRG+8YoP4j3PkIxde6ufNKv4v9X5+1/j6vvgAR2bxU/swRMkXMQR0/+vAq1//jQ6czHEn8lanIwHzmMdiwrxoTOOWi8pDP/ecV7Dq0DIlBrXCoAQe9qaMc1MFoIT94lM2gQkJr5CRc3Boe5YAGy6QSd2v3zDBHWW53iAkvz93XfD95kq2o4Brqkt4nOEW7aq23tTsmHzZmbz5usRwryoScblJQg5tvTdqy7/+ZyijI/p1bq6afHPOnroTU6XYQG3cAUvGZptZUPA+4rXxco2km4vaP7hjsg5BHMwtY1pubGQItGYtjRoRbsqDOlxOQvfUg8IGTXdVUSTasnRa3FDJ1DSfCxvBUUWPxMm756tPdClDYsZz6M+6S9qEGSbFt/8sPfx3KusSA2sTNMuGC/REoYYb3zMi8TNxxYlhBh7Rxi/1WogIh/Ocr5UkWsOzMUMhvLNhTt/UwS0wSKLaMSpAw1j4lTFa036Npt7ZnOouSXMJz4WEPUWfn2jdOTetYK7r8Bx2BoGOmzWBGqlXwoLHKpVdPqIm8VxfDD3Thil9c6lKbI0zQMRIwg7Zqrz0XVUCPd9LlzJmesczmMF5pCcxl4UXpTZ3V0WGwZ+OAxWdMFicrEmd/pnKcUAEhw8K/bDoSB0z3K6vOVBs6NhJTU5rIDwlPvcIhNfD9Ni8aLLUCx7rm9YA8IaTrsRZtDNy/gHLckNNHAmAMd7q1Zi7lClAHTUiaJrAiThOqt+vMBPRxat/byK0lJuRa4gLjIm75jsqOlOu81IeATCLgAdYpLIawLYTvPLpchWdmGox7hQRNRdPGMVlC3aB7gG70wJenjjOWn3U7mGnimeaTi6LYJRpoF2vCPRY/SmjGJVgD8qIpEXWXIQqJ2ziVzCFbOyhLIC3dunqHd1XCu5l5QShRx3ztuhjdUCuGK+5pLtgX3XSPedBubeDgabzu5TcGEfA4y8A5+9sKsLPFKndK4xtcQxoH95or/ArM8SJn0cbasvegsDaBUF9g78LBsYcrQUwJv/hY9G5VTE1ojt7m1l4HUwiCH4akvajgzrg76FSTDzKoMbv243qdNsuv2BDQc3m2fkoWFNvZasCcUkyGG1tb6rMdFwrbBrfqtyazLTl54L3kyuRJGPappA17lcrij4/5fOCIbMHr5XrZdrdHegw6fl/4wFrsY3R+Z9f3N9XdOrh0nyhzSwKTgBlTrbwv9wbC5tMeB8Ds4BfM0wu6rb+Z1dEhDhTmxLn6cIRQ8LbFsR1D7TeWR0X1488yoE4xvmx9ePprCcg+ITp8ncovr+bgL/qPjKa1XItqvitay6lqN4E7RI1jllZp2G8ploafw3U1sun0RHf6ttfJx7FRg3/YkRIxR4vLFh5JQGwPS5xMULyI8IdK9H4lo9Grrx+PhY6JPWClotcXFj021YM7acSIQXdEp7IUrXv55pDKQEAGbrFrdXMMLVK0uHL5xkjFwb5DE6jFCzpq6qGgxzkoF/cpxzgA0A8tJwEkhMc60MrPoRbfbK0T7KNE3ZtIIYpD0Mj7OJ9aJx69BP+ulDLE3StxPsyBW2jOJgnJmIP7vai2e1xl1P8PY+EwYuaWBMXli60vDuMNFuL6VAeytHvAKVMXt9p/Wi6MoH+DkqScnthXRi27ADhotpS3RinjP19yhzIeIqheU4L/vc97CLC8MnsEY131icmJyZVobXf5UjFlpYyKoxjvDgqavYXOs+tCxGJyoks1eGSIPO3DPQsHHJ2vSwhT9nIeSuxxSa8I9ZM8Y5Exqv4X7PBndyHRiTLr0E1YLEcUGhxQnV+p8+RTEkvixN4GOIXJC0xQIS1D4VCtmSlRsF4mnpzv+c+uYjaWLkONXGV3uUDpg4ur3xf8Ti0Xh+z5Tu7QZztDRKM1P+ZcS4AmdMlN5Mha6R/mZIIaa4lrVQhC4i3zOP2+euuTUDkYmaZq5deempg1MNjkTSscpdV6M+s9YMVL/u+BcnoKw5oVTKYzw2WwDj7UC9LFYV56Hj/80SIFB1gWIUdU5zElw7yPXYfJMtLP+C7ZL2jdKLOQ1Fp6LpaQFAIJoWYxJhbuRAM4XOhzuobfzN4jpyaB6mhXPpHNyXi1BNQNfF826lZSyoL9zUqdoRotqi9ApJQnVt7MpQHdZi9BlciibmSTALHlYsCpxrVdZGt2rqkFDKC8T2ZST6Y3VtFiAF7sDTbveJ8wcAYqMO6ooQ6Ddt/gjrJ24Lo/p+RcwSKeBdl8BlfhZ5ul7kY8fRvIjxbFpS22a1kJYQTF+QoecYKd3ApnyQDihm6/Nl4BsKrATkrrP5k4MD6CGrryBicM3SfYFEblM7m3J/kdyFR/3CyyuPKftfefd1AidRtmsr7TVwlm2+8wvToHJUtszqcXx+BA++AViT4RsyQKirvFj/b2txFx/F9JKCRVtB0WBA/p9PHN8LpMx+4+ckYpNBfUzo8ilJQ9gpWcbX/WncdbylhL2hBVYz2jb73aFvfv30zocGK8vnt0R4jj3/1yJKujpx0Veg/UdfJliZSrAfh3c4zS3cQuhVHxqfB/+WA9z+k9uJBpPjNXP6ehmNChVUDTh+3CkZ+1kKlPTtY3+qpPmJ3iiQlOKRtlcqczZeDBSZe1YNDLlWqnquLNzpycDlZTtszvYzQCNIWGQJFdhS+4YG3BLveXg1lJ2in34SzrXULHHRbyE4NT9KRm3iCHsJ7HX4uuHsZ6z5k86hXEW53e5yWwZrp+J2Oy4jJiGcKItFb1rb6x8nKLi0jivgmUPMdRO3ncjm2fKI06mYIGBVc2L4oi94TPBiF6cXEgPr7/b44jZi08PpRrLoLdcK0/DJ2icSQejGJxhybTpvJDwLGTy2BsLJIdokmDvu2kPRhjoKeLcMcXEAKvPfG7f0nj98bIV+4WttfwKTnamUgm9G/sXzDMB2plfCrNyyToozE/MhfwTwJNcIQ74S/Gd14b73dcGKStD7HzBHCaP5j/6VEQtLpFJiFyePEviKxxE9CZmjMl+covkYmVi6xH2W7B679oNKat1ZedlSQps3jkyMuECgkQMfnqBUZl8iXS3SArnjLPwhYmzO7XCJRQEc1YgEL9IkCsqTJvvPBpwZl0vdwXBP535qS1ANffAiGKCCDN0Rb+siAHyjXDrW9xROEd8lGb2N/b7KBHpxr8v/vWK+5kDTwQusRNVE8VZfFNUVSRxbo/2RwZgwtacIrd8djyOrqWyGEX4SP2aInwXxVYgWomSyYfsLNjI4cOvJxse9ptddAJwvJ/4iWruhLqYBXJXXWI/efnvOu5OLB8r30NL0pZSIKtAJazNDQDrU1L1cwpGSKZjHNyeNQUfdJ6WJ9cV1P5YW6uERQfZPpJYeSza3lczRBGaDthYfBN9xXf3zOyy8oo2cZg6X+9IUdHDxxkjsVchkPGR+J5z2BEPd0uYPxWrqEVmXrk+StunWKlznnRL+U03eBONzfzzZXoPOqJfpFVF6GbSDZ/PhHH8hrGFmSEONZ2s4lGRZFpuLNJVyIsWeb7ZjSiL1/8Fhtu6qr18U3dfrkUgXjEjBL0yFdOgvduJyLZnuiNO7ypP2dvTmOoiYgQIHw4qUqzhtwW+q8PJWaYd/38CSk8ywfsqhuvkRpK6pW5GRmeisIUQ3GWwv2BYS8lZdbgSkUrpQIOqQkGV1TEA+0bKTDwJ3/drfSEqcHEWTGxiA6L3VZ4Ty3o+FFsUY5gda5nPoMlWOnu2MrnJqm3nMnOG9E5+oxZWzbVXTlw4yVooiiPwVshPuTkfYSfAVVE2/1O51atm8B0ioNLkO2CVa3Npahod5foxgMkWyh6zmQKOcWKQ2c+bRuYRx9le4v8ENYohA9Ofl/hrYrjw/i1APywrh1JsjpfKXx6/oa6fMhP2oiOhEQOOkHjOMGkkhV3+tjQApfSP5Z+QNPtwz1+I3G1rfzz5SbogmVCdD25w7DjXMSiOUuYN7NTEXdmA75DyCj1v7mA7A9cQp0+167XfvL5TqVcyssQ6lwCcBlhoy9woUl2KVxJYM/qyaNV2W93tUEopdi76EEq7is/BfSRez3CiaJmNTeDe3H7VwBMlq47ttt1fbqC6uTJaZ7uKU78A9IE8/02Dd9XmQCOORH0sIfWO308K4HSuYea+5T80AhuxTPGtURvBpXNiTjmYA9u4THyO7mFmmhX2sEeZJd/+/yvaSg1q/y9BYkHhrUlBIZTlopgHh5+xbxPrgdOPTiF+fgAuNryWmohRTfcvgn7jc8SOx7AGcVKlcuDjU8FwucmZAfCCSBn4aa8D5KHg95f/hk+XD/ZfvkN1GDkvQv6Tiuji2/XBCPCSZ9VztZZLMe+OHspQrLB7NZjQ8qAdyNyuOvaXnm5JhqUa8B1gTGfv3n8rq4dUbzMf2BoVDbFECYKGlbz1Xcans0vZiZ3We8XqfjlXm20zyjn94jburnAwLLS/4Yr/1KvKus73/uIGrhvDdWIKximklydk6p3XS1V/j3gTj67vgjCf2ody2OCB0F58pbFXSJ4M7hDyhAC6a4uxhoTzPDq+dYbtqoDZzLWUF5j9ZNDh3X+bLT04JwBXCb8NVfg33IWNyiRNf9yXDRrNzY1+UJBZ2oAHHD3aFdo7GGPYB6lq0DSJIQ1MCrqm8bBVzfe42jSsz99KV/SBUUf0VdSsFcZiikTGZ2wpI496Y9JyQCf061dRPhCQwqvfNqAD2vU8YafT1zaAqwDt/zix1kgy3e46jpma93VbpXGuWK1gANhJjokt+5Qh5I5IN0b/ad2Ov02GZ2jt9Cb0whwT53HavFmWii2pZMs8Ur5NuZ91eHeBytwcOTpYRAyriZICy6v8qQfVAMrDUncL4U4TijWZaWnJO87ViT0cketCgSU4956eCjJ05ser1OJ3DoMnUAVDQ5dFkAI1EttdOebwNqnNA1YJlSInjotzaHmb4jGUxkxcYbtFNxJbilc0LCg3vzuBY6GCxSONX5rL84sIrpceW1PUsl6gIDlaVJNUy6mcu6P2d5vLmHQT2ofEEVjoqlrUoxwGqlic6ghJc12ur8PTpv/UY4+zlH3+61C4t+A4xKEsGTITKWJiKK1T7my65VbN9WZsBZc3nSronrbCXJtkePgm71Ghb2x6FYe8/u+3NuiWA31gAVBiRLQtH+MT5xDU6bqwQ5iRlWQJjDgCAQKyYM3m0jfTpzOFOKRt8knTPRGYyGgCbZwDqcd+kfSvC2qK5M5uAEtQ7C475f/XMvyBEQNV6n2IhF9dOkE1S97i0ujBZAM4HbyTTFSrLRjtVEPgS9toWFeCn/FEDPb0WXiPo94K/Hxy5fNB7iSxbG0qvYA2dyv0LWy6ZEOhLgjcPutanhPzeJ2I710y0V+Ttu6D9+8ZXSmUFHbsYGbCah+rhq74cx4riZBiCjL1bt/ZphT2MLnH93GKh/Cn2mj7V1rPXXQnTv+1vilpESvUxHJx/diMgCB3mdJZY25JFQuFxlNW2qsUziD6pvdk0L8oDWNIFLXA6kdJS5rfyH+2PRGJrHLJytOIskC3aGiHebIPfgrSCeTGyxxMTgXz/lyqLIedzVV05aIpdXGwalPhco/pAZ15tItfZSRLrU64Om9cQXwiDxw9uoN+sZ2taOVIS6MT2PA36UJzZbRj3DWVrwAxv9tpwikgUvLqgXHCVAG3c8DTz8gabEUWNZrhfLLBe/RdcsM8lAbUXMVlsZ1Ewe16NK4rXKyc3gcTOlYtdaUlCDRoX7/uMQaIo8sG0e9Ha/S0yXVzlabV9gkS+sUHMvOx0Sq11lsmakKAijlI4aI3ODtS+7azxCf/hBMP8ILkti+SR1XD239HVQyIptqwr/BNm/R2gdr8bWJ62ZiPq1sJoV7DsX13teAYgniQiuBRP5WT4tlKcochHOZ0cFUsqUCHsO4EmQBd6lUrxKj0qcTX0HH7FPZgC6SpTwYKmCE2vf7si9g3/xhYhPe/bpbl11vdM6M3RZi1wcswpZCMQTrvE1Jfzy1BcXsUzJOBpGtDTc7MyRRTbxRr60WBvbSryW3/zVhHezmL6szm5RjznRfpbeVKnN5WrsiIbhiTcipYu+ryKjM9tLXVyZxpnUunz3TlYcoR1l6EXLVl6Jgyq8BQUYNszPAv0lQPk0Ag1+97yFwdge75YmIYmUnmRXMQTb2CuGhbEQ0XNjTP7v62yL6Wnye4mSjxGcfkekEW90miB2piyx6xbIIKYEmhsxDORaYXxreRvDcNfncUbsmvSstzal9LCudzcD/PMV324x87wCnZdTPsDplXj9N6NNqFn4l9mDRBN48JMUidjj44hWcBl4iYf40SqZtqe1S+gAygEkLBhXG73fO65FM52mYg5x3MBFm2U07Fzljts0blR1JCWPS+/ZY5zF/Ncf5lbKYafdOwnfgLaWGA4135P1baAv8CUasm7ORNBlQLVerGo+wzINnp9CQJPMSrEUGwJEqdt/ilzWCWlAIu3i8u9zNqnkP25jRPjkRW3GJqbWq1ruy/hlCjZGyDxKIJMrGZgOM9PDRMO0KSUORmCptS9/ghAcLFjuSU3CdGfw0bArmIrIU8y11vZI6lsum6sXvDquTc0jRoXt86128TanEKmSQwCsRv0jLC+L5RVpynFJINVwhcrYNBlkl99gSC59DPrRnTDIjyoxg0b/zC1yiB0+sgo76FOVmyAf1+1UpH7ascRqoy7V79sCuTSuQHqfNDSmdV93YazYqOJxRY6Nw2t9royO2xhFPjCFWOrwVDMKcX3Ypb6WfqR+JFM6kuAvNmBGkyRCyBBM3TNwcLKz1RONUoPEGB0qK0ND5ICHrQSeqVzBhrNWV8AYTR81WKdidYtUt+6oZGYpFsLcjEKr0RyJnFIVbYZPZd1upoBBu0Rnke3w9ZiqGx9IB17wYN4Cav9vxp2UqoDY7u02SYLaP4xeDbPtce+uA4H2hDbtZqXb9i2pu4Bt0shQw/4DXU2WmmrCoU0iNjCNFg+sFoN9oFEjUjyjvVoWUOi/TLD5sy1OQMQwVkAT35WF5CHqFGsHACkfLk2oimixEC4zRsul2R+8zm6907VRxQH/Ze7jq2gyckPGh1Xa6wJTel+Gazyz4oVlLMT9XrniwGtaR4AzgjvOAHu5MmRvL+LodOszg8XBztwvtyBJTJ8fG287VU7sGecyHqFlsax6fQl5Cg4EAIperB+yiqKk4Q6bIvw/esxpp9A0vGKlOEF/WYpBxUClLoyCZvjTwYTxSh3IsEaHPncUG1vcL6rbzlCBoT2Kg9MNTLLkMGVWw9fPhbPLsvgSZz/8L+vByu/06tP0a94B2jeJCqHMl+VfXv1wvCx9CTzncoIBn5xCMAx1F+ymCW/ukfgB/jIGiAh75h2/cfdemuqsCXagic/c/B04bSaEEVW+0a0jhcdgW6fhOxIEB3JL7obHGcgpGOd87NGEuciFtQ806A/h8DlgUA2fRRpyQB/Ln5dezJeNZtXJBUbUZTEyf+WLsBxOHTL2luOq/xuRadV+nq3PdXNYjtEe9z43yEeJT5MY9emAn/y81r/O8sGKqLJg82dhQAXemEg3ySl0ol83PPFB5klqYzhcQ0ciBZp8fL81LTA5RrcW7XsTOzkEhmAi1XxT7EJep4Ow2ZQf2cZfB26Nl09RckTPUXogKihsklXcxFcUI32Mou1KSXKo+k4lvjeOQcnxyz930/8fmqCFtsI/cdpab/k02GGTf6FYqblXi3ezGHjJIB2MBQ+K2he0DJyKIceFdkJK7ZH7+ydXyPV/u90oP6zTrSlcIxK5dI1K0T25dAp4LkN4/P2A1J8SZdANofm+gP2+tEO+cNlspxQhCD4gf6OeQOCCnm+iiHnfXwm25ZPnrc0ZhyRIAj/Tjrh5aRP31uDJqpXb9L1jFeXQpLDNfX+9KCHiHguiI8EXDsh/LaShfobSM92CIUt4buASArfEgxm/ED5Qgsqj9DioTUw2vE4iX+RRL/cEnLYodjNy0ssTSyp1P1uz+LHujDnfR47s70pHus7ZEUMy3cm/fD6SxfxnlBkZ9Lwcgwg1Sz2HK7/61f8ReHjKXOceB0kHvedSq0135iuyONHLifa/s7KQ9ON3DibMV1iChATRbaOznX1dCgImM8yQpU1SLbTDbekuXZqWhizpXgR14KA+Xyslqk1X9RWhS3y3CyNDzNoNZNxOXi0ykl/ececGbW9F4mKlHFfUcUzdOjpqWescjEred88vcHLnq256cYtSLR8IfCK68to+0cIEMaodlk5nRlPQeOsMZUNoPS/k4r4wFfVUgdCOWMsYcoNdmrttfcs6wg0DBJDCy8pVUp+lvYsJDKS2fS0aRQWO8jnOdB/l1D4LJJNOTMd9cHbfKfzdMHk26YYm5wH5hi1pNII9NvMYCzqDqjBLlUaTR/vbhuUWqCmcBEtk5XbrPfv5EfczkfmTh3TcGKTo55+5xRytbqSgb9l2l6eKPUsNLWGm4IrYd8cbGPsQ0WTMTFF5/8CIwDXJxbjEECunH2DWPbx1quFH4qKJSvAfg07XdmtJq2EWtdcq+2XhJGVae1mzCbWQYI1UKnwg15ffx/TnkiDm8reTxDdmNaqxG32+3krjFnUCgwhur4wqcN/Zidq41Us6M+ckLeOkzvb+v4KmrT9VyL/d/B1o4adGWEmeoLjF6eX3KHQhoMR4wrygaQwT+KTeAob04KVeimHHM23TYKWfd4cu8kan5BT+ojm97LapExq1iQJV7k1jzig7c+EhWWdFfgehiIWGcahZYYMoMlKs6p75vSDj71I4nP4x+b9pZS819QfdD3FDa9JHmUHT3exEi+i4kj8yM9JMMHXhl944OxyZtuV81+3JnegKYPEA/hHcfG3Ui/MeCK/OViv+rkXZPjGr3ZUqo4vGbxfUjLyDKZfn6edmORsL/4gUkoGaM+Sgh1/iQT3ftLWzn3elHoTs+9ehnKsh8kXToyfe4VvA9C/6tL9IEH0SxLfafbECqm4fPr8N9+EIpQUF7LwiZrdNiarEpy6P65tL+Z5SbSVhb/faD61AZzD6PffoiypPl45KVlN1qQfHVX+Va5iBHPVV0CDLMeft0utImAgthGY7juPX5op1GNrE6aHXi5k1RC5NjASzNhPx/X0SPm6OkJ98fcna2+iIEwQ07GLVqfTXBuYrD3LqW6oKV6wpak6TQX0arNskPQp46RYjHbcm6B4WYJ6rnLOErzAHChYmlv5EkJnIdLme1zUnBhAgyuvEFOMvrCJgfgQVOmXvfOJ/5IBaSXJAtAJba+hZroxHej1mN1feilDkgctzmTdnIqONhIONFTlRB8mdDMaEMiVLRO5b2RgWl+etBKYVd9JVwbSnthgM6yMAluC9kt/yQQWK5bnTFhw9WOBdL95g4E644PpD5ld41Mh9kfQm7KzByxBiUrUvNo1RCW2k1yB9emF/va8xdS63YX3EvG2/ta4/6ywNUlv53cx+pHhKZS1QAqcUzgv66d6anIXiO2RHeKTTH1i8X8Fq9E4qyRWyGJDhPuxi+wiqyHBPe5U/wEUe2AMPnwtMT5GWaXeIFoVbeDfUY9kryFa7uRl7p/2ytSclFQPa/jzHx2aVi0V2shwaPaWJlcShY/OajfFQGEGs3qOBsdDrI3MjvjP78pmcVKfwjnsZsD6f7mh984+GwJaJ46n1HxneJgaxycPsqppx3/U+lxRT6qf9NxCd0AEw6ahj8q5HuIxqqhksgU/g2kKh+m4cxaWBzt+SV5gCm+fnHpMVllDMY9jIg7c2xhlGa3GkYxnerdpX5XimIdqzU0TCxBwjS76Bq7g2Na1kQb+EmGmHaeNTURLCNBc85rVuBoVctMfKwcFswodYz95eALLXkNhITQuMyTkYTJgVkW+Fe0n5e8OykmCrSjo+6Kmzbp4hd2Roldig8kmLGqfqfPnw/iYfdUkoqqJrZvprkrHSfH8160j9z+IIVOssh9fypOgSjHXX5IP9BB9YtJoIHTUg2nNPez85hDYf2wIgH09U8ScHaJpDQIxL6xQdkLINZfP0vAvf68nfX5ojF5/7Ak7IX5HYfv0xBmU0bKIe/a1bkiENSoIhlL6Rf226mQb6SwKK3hvwjLtznzbatBou9OFLtWbt3DVwOAo1dRLIiLuN1ZRgZPIF6tFS1mf+zsY6QgsuBzBgjog0UkXyieivyIJ1GRL2ju8Pl17H8et6mD5Azq1WQp+hoVJjzjWt8CaVoi097ugj/SF8xBYm/WSiTRcSqKWBkmtXHcCqVSOGOUSOZFhJ4CRWqPFKgN+q9d9U/fCOX9Y8Rbf0XnWr/nlQ6BSrxbDk44ucsgRFVaGFG0F3EU5dx1HmNXpFU6rWejmTRZumb1v0iPPsjuBrDsoAwfLnXq4lXdxx5vp2/pUmxcE4A==,iv:vNe88Z+14hUW1ckHBrQ2KEbxkrnc6q8HY9pVWXZs2e8=,tag:X3zRU2OUzCnHsWZvSmczaA==,type:str]",
-							"headscale_derp_map": "ENC[AES256_GCM,data:DBN0ECTsie3cAjdrGKobkbbw30DJ+N+D/G+SmpQwLbViVvXZYwfnDzh3Iul1q9OwsIU0Smm7Sgro7KYl+NazpgtEYMwyUZFWbPOwzfKAcz0cUvrIPF2JJ5Xm0P06MRebHgVZl/HvpMdn2svQepbRzrlCXCABOLbrYb6lByzAqL/+NKH9AgP8YBlsgOTZftNDMcKIspPqNrk2SpvwCX9D1FOFeM94WTCdAqLDh0H2SowIbiaA8dvrpPLs2y3jGC9bOCEw+Qdah1opyzPC5saVZgVoxVnVi/VrSUvjnbQympNWCpLsNpsyOA0qEVK0vFuLrajkF2uyLBr0CflqcXoKDGBLCd7yVosuEN0EZpfhlwwzAcCW2GEj/rpuyVTAZoKdpWPORIAV6mTIkN6O5ZCNkaChw/WgdUWrudf2yod10/rwNYwPSsSk8fpWHoDXEyQRPGiba1yb1zIki1AP5FjvWBttb4HdigQ2wkd26ZeygurDKq+0bt68lwE3LeD9CE1h6QrbsHj/VMtbMqr6mFbtLpct5hiO45PX+q0ZmJR/RQt4ey3XjOiX53QTyz7WCveLTeuW6mW3ncNFPFaoU3BitgtnQxKWFLIMnt0rhfe56Edj96qTjcaNtbFce7A4EiO8fndCeis4kuuY+LXkx8J6Iel7XeKR1PL8EE7KsgJSEeGJ5ailZofoD8lcQ/T3eTZ0MKWHkvwaWsbeIlaoVgGXl27isKo4aG2/Y3z5tCnZ/sIbZHlvfC8fIDsXpPRtDY8ZdwK6F0MmS3ZwcY3lzCZJMMpr9GOlzu1pYQ7UPDKz9pdZjElEe+/aT9wT4+KYkBwYr2dqOWedFCcH+kRJajAz05GVoE9bGJgvmJ+RNnVxpyH2FGfteNYwRep+BVqECdzdmxs+YrEV87rzfssqWgZvdQWoQBohStQEAtwzRI3LvSYap5KroeazqgjtfwrPqMxTMRCb11NjNoB+/HQdara4l0S4ccWcvAp172HTHkrfcbwo9+WgTDgZKG7OYxsTj5P+RfoLxkgXGbUY3xxv94pi+tN7ChWXN+u+efZvpz9WcbkmGhgW6g5YlddOf2cd6wdd0GAS7PXTocq6LN0+d1uwbmuce3urCnVtp4fJS+dwE/6DCu/TctcmgDUZphIgXac5QzNRybRzmjLECgOwVkIN4kk6rVq2NTe2kz1dM89fPxtL4uiMaORvW8sHiVw87lg8PI4YfOmKhbLp4FDuohpW1E/t/mtyf3IBEf7G2Co0LQ/hRZWgTtyvKI8xXVz8+p2p3SRcwe8M+otIiyXjLsdJU/EKEk8I/D41HwmaRYkYsGF4SDP/ai1C17ILJFt026to037KY6rM67rbV3d9N9Jp85H93lk3XcyJBgWr3yhyJhWxFkatk+Kmre8MUb/5pWDNbP8izo24VGfji0Fb267BgJOURuKljTRukJtpzbauzkITLoisd6TQQiTHtFbN3e2yIr08JkXt5gAKKYapCDdtFbfJjx3ZDzRBCsqZXq1mWvpmubXyXsrABwzrNMh1Rt66UW3EwMaUQxOlStUtbCq4b3DP3HFnt2N98mL4KIuiz9c9Pvb92kKhdri8ho2j4xXvSKw00tapJW9s8q8jeIQisGAkST5BHRYZoEjuWCHXWk0vgEZpr9ZNNLtaqmzCJkQIdg5VGvlC/ugYa2KW81Tp1eZ6+xk1NVPqQndP279GnALl5m7mVuVMmU+ukKkApkndojETWLUii05ZcQMbfqh83cp/47pUIWMu8BUrzqjSUzptsXucwJLihes4rUIxsWUsWcn/Vwz4XJRzrTX1pfByQpp9CfBrcWeIPjvQEnwCa4fdVElZ2xA2+y5+pzXwCjqf1uvpu8LGWmcqiQiJDQYMVGU9871/CNrk4lAo/UmTdjs6jfEtaFxmAcmyK8II5PMkskbbt2BG5QrND88Bi8NZpzyD05EBZ3Fktsvxk6J7uYa9Do5qNX/yrlaqqke9tlz+ZbUqZWTNku08HzJo28RxuNAUE9MsoVV/QVqG4+4IqkyHIYKgFwTzuy8TNTlsY0A7fouR501f8vKEm7R82rtSAx2OjL03H7VMR6vcy9V9vygARSDIyH00tXqj7jpuFeaoKTb8BYCPdoszyKWhoZ5JhJWU76tggGne/NJhM19RRkkR5t2zT8Q+cf2C2J6NtoZAWP6KB+q0/oMjhGkT+29QGcYn6P33aY5lYnvsSAgBsZp3HXYLZR6JdRbbdoxb2eZIsTqbCCJ+hBK8ZCTZvlNHtY5cGxVnK/GOEdTzUlxF7NJVvNiXXBJYVZLW56Cdne1Kear7p2E4XbnGrcIVJHdpM9LhqY26pWP6U2NZWdty02oC6MITSNxY/g1U+SEnEkN/qcyECFf/KmPK1osZ0m9Tp55Bi4S3BGYZpLeafLjAEsRUxt8RzhrSXQ8pbhV96bFMV6auafW5bfKcD5LdSsuAliRi5Qunjmht2bBdymJSlsT+9Y6lLlt20U3lFAPbtyaGATIxletTOYrNzb9h2SJphMPH0JrUE6KRA7uamwMa/9tDfi9vgNzLxslSmKl0A7OAVXdeUzB8x3C8/LA/+uwrRP1WWXb3BEONTtqQOpH1wJRdek42BEY2oSubkcbpNt3lvtJSBnqPXQx4pUW5bB8DHtwNvt5JYHWUZd6lbaVb8XThOfr+pvcL1igq576896EOganz+IzNa/jrkoDKlEOuUgZEun12k04jN6SH6pYfvNCDmxiflEGGEIdALAVrtPQCgceyKwfwVaoMnSDlKZOAZvq64jp8ySSwRY/R9fBCnOgyJ7fAq+WtMttfVCbzX6jr1EqCXXF9/h1It2l+gRqcO3+nB5cQSwZr2Dy0zcnQMt0ksvdqRWcvkI9H8qwGc+rksV3ruH2PBBK4JvO9QPeaRR26HStan/qi04KDM8iLtCkpn4zPd2bdgEFGrCrvZakwDC7hycWZYaYmykobww4GoriWL+DmkhbmLLpLtQLQcaWN4YxuySuBeydeAXRhxUFElQwVOFoJ1ZWmlx56sFkt5ClL+Boi5FEG/IaJWa5PLdfMoieb6bWnfQV9FLEZDXNfkcDPLVu7cO9fbbk2zbzNEw+JQrbmQilPB6xHZcVAVmMNWhJmmf/eIXmpNyK1euFQigYsvdlAGqklE6uNjIU/oqDNcaA4pXVUW9XeCqkBP8PDJMQyaJuRMP97amJHLNo4eMvQi7TUt3ZAh/V4nw2xWvGV+T/sG45MZbIY2SdlbyYQcxMPqoaDr3Hw7A7n7WuNi2PKaiw3JBO5tYqtRTU0Jk7ezRrECBemPX4MQSEmh4l3Plyh3uAPffDG8HC3SWar8sGERKSBIWQcCQej+GfGcUHz9VYhktg/oz3OlHU0j63q1+e/SA6dBzUgIBrjxyVp6dMo12aPFQLoHUDULUpPukcSZR3YoXs5GlI27HWUxzL9mPuoMYnm7O4wfWNPMmFhYbJWgL8BaWsfflG4cubTUuuNONqKcuLAlSNEbiS0u/WWClzIhXFVOEBiegFLY6gMjG515yDo6Y73S4D0tzcXlKAIo3DSQqzIvML0RuES8GVVoCDodMME3MnyGD5846ITj3fNy9kUEsaGM8Nymuu3StbzRz07ntz5Uyskzj8sLFOOvTo+NwjNOZd3bddSjj/p/A7sdXhLBIZ2yYleH2HvU1aZmYT9t0lp5KVB/q1w1xOHgoetjDAO2GRw+v+oL/IkcGrvzTjpJLy6cTYf93Hs8lOb+D7c/tICQAdiEjle43/+sNgsGighIHYSla1i0kiAjd0zHlcU2JKTOgap/Y2MRwz1uhVrTXH8QDgkOqL54EhQADSsqZRsNWWjlJTkSMeMCf8LX7zYpAAWt6yU9pa3fnveGpVkFD1VQc0AnUdUa3YWX46R9fJ35CvJmjrsLad/0azIq2LfYnkTABY/dUSo4GXE/7sdZq9PpN6nvPLj+89gtW3kcU4riVog8JK1z8c1jPSqzkg02HjpjdapByyUXUQHR350Q8BDPiDeettriJWqCZoWFNOtPSXv3RaYlePyke8jH89S9L7cKAFff84g/KmiGc39D2Oz0EWPW3WRZGXrtZJqSzSyWvr0HXKrlLTvDE3btyMTBrSKSuaBQBOexmGfFQHJ49feswa3JAvaCsNWeZYAoLdcy7Kc5v8wGcTXxICi/ClF3PTXSLlSpxcHL6s6GNKaYEpPhSDgWl9UddHUBO5WBwS+ZMduHu1FFMoUrfCYfdvvnVNndbHaW3pGpOxjWe+HYaYjbPue8V2diF3ywlTQbYTBC4WCbLjuB7GBWowj58CTS5LfS5h9l1aS8c7l4F1E1CW6/gR5H2HknzTsWmxs76PIDcS0nBuWnxTp43uleAVqv4amDJUZf1e4sRk1U4SVGpFhm8IMdUq1QCMQ93FPZBETZscDN37e4+Cj4uaToRg+i4J5vm/RuTILD9uefxNPNTQZCpbVzHNaEeVH7VtfzicGZukjbW2RORjQxCR2/4XlkQB46wc2R9BeFzHeFGyW6Vrbba2vPUMZytvHLGfrDK5TOYrXIjSaUE+GY4p77SpBbl6UyEwkhr04YsGfGJFZE24ZD/NPk2xtrMBbjB0SZSEPNSjtg063Ub5fcHhxIG4hrmEJvu+SCiMrP8c6M3STQvT3+aEPCi2FC7t9j+n1jYM1eb3wOjCOq4UO60Q0i3VbqH4mQ9+AC7rqMgfddwJAtgQJyhMIeoT2F/BbD4G6c1bihgKCiOkVTx8hKbph0gS8F6C5vhDd3Tlthwa6poW1xg+K2BZ1RPiZBJJzf4vXyLw7wexYrPkvVvd2eW8WFF98QSVPejHlQIOYN88jAscnJmK+Jxnty1+aDEDoSWG90cFLoWxg07qEyC2XHXTM1q59IyNjKoI/AfAe9vsH3X4ns174vzRlL6oDPvSk2i/8UZ/4aDxUc16oEtGvVuUjZcj8yHY/FObB9CEkelLHp/Tzej/XziJbOHriPcpKk7tt++HuC5tkwkUxwya19gvn9yj4cow8cLtx/aK7u5Etm2Nepg3qMU4nmMqoV5njTogksA+cvMKRFraaZ7LInKiYCzRdF9zNXsOTLm+U7F43oJHJ31WZPgptdPFTgmBjXt8MvbHQnn7wol3bZnS1QNg/H0pSqTBdXFzPePoQRvGoHktpVnzqSVOS84I7vgzK+IvkcJ4V2bdnssGLYoXR6wDAng9gGUe6ziZGiF/484bj5SBGVgVJdtTXz3ZTGfk4eFMDM9bpqe3Xq63jmsQIzA3oW5iA7iRakQD0jliEkK7y2zac8hT7jj/xhKx0480R7uGhQoithydtWPL4/6DY4yCz4mRaXA7SBcNZimy75gKTX3wJUoiaTUMJR/x5kxDitlayhs3SuB4QnYpUxQbjHPdmcpnhnk1mQCnxkXcUfwuu/pwDGzMLYdtM+rvEYMVerBvAuDmfxk8fW4+/IAfCdIk8miszaNxto8Qh3wtiICQ6jui30er9FIg37nXunX71ydObFIcS06rMI9yAezj0bm74rHjDMbMzuQStgvXLG+ZlIoSy3QNRcPfl1fOhvplIg78VtpgPLOMed99DxPrbJcR/+RMAPfw0VVJ11IJ6lbPb6EsevCaKmP2XHS4muCAERkbDO+bVWr8A0KK4/fRRWlcFuZPyEhQNyFEomGu1D+BHBX/MS+GbUewkCBo5/6zm6SMj2s7nEwsVUW7zph4G5mBHJnTSYvHdk6rkwbSKXpHaLSU0iqKqb+iZLIJ7cI5Rt5YZMiVGoDwIjU8eaUM4MPF+2BXO5I8pblgmlHMN+6wW4qymnVoD26tr1KgV9AYgdMblCDkUotXoLNKrFIMBE1tAC7cjRpgOxdvxhe8Sh8lqKculpJWFcIKVZ53eGxw+Fy6x4s+6KJ4wvhvOxcODbuNCuQGllguRbaduC96TgGonB+wc1JzYzF3STI/puOflJRKhglnb3vys2t20IHN9LBQFPmGdqklK+s1FpHsRw4jp+HI1vHHYM0jc4hSegkBNX4ONU4urJcsfmtbvAf+Djl3fdwCCcrnC76PHbXHvtFsJ1yGVuvQcAgxYRQp/KP8f22hl6EW1K7h1nYgbTz2oieUrVajCVpsSlNWZvAlNMcsbxGdEMMcsLIzOXgQxUZwXttmCckUOsBeZTPE9PDfHm2s8YfviCUZTfWMiwqExt47Sk9w8+rPQpTJkZ6HGB9v+RR+8CBNVro3bMc7HWbb6Eu8kkDwwNsaYV+FO904X4tWgfY9hY2JuiyULO+400GYG2QJTYQqXBaIjWqyOz0jhqSX1NqK0lRoAWBEkDwh+0S0D0kWUW+vAdsCwb4q7ykZmuD9oFr7GdnE66T1lFamhKxvjZtBmdF2GYqXVeDCdL/Hi4fIXxRaUKQSQdsoQyDnFzpNlxJYgZvCMh5XIkCpl0LoONFO5creNqBIm3x/hHq9lDeSsZVdD2uoFOXv5o7tpOumiQcFp6spz60U0Muh0ccoUNShd9mmLLin4ga1k+FghQPZizp5aqMxVwfJJgeZSKDYBA+u7MRelb1/gLqCKHdVOJ30TQVL/q5rXcVCl4WtRdyAk57vkPlZ58yxw4P65QrKoph6W9rK24G09X9dLIDQOb25YUYLm4onW2mhcnpAT71uBsPvKJ5MpyI58Gl+LWDJyoAejTsBC1ii2dyBWQPePUJJyzJn9H6JfEJ81O4QIxEC6usHo7YaHe3sX6q/N2igUQIuHmgVZJVBgzDyMwUBENucd3/feFsK6vhqyKB/Yflkagx0Uj8SJnNCeP/OSVIaiZzg1tuP2IGGy2FQXa1hKNFRC1b02QakHmNT+MYii1GN86rIZz4SGk8sTAl0wVbB3+mOF0+BrqH0Y8jCYCLASdb+2/idwhni4BmlYXQGqgIS1iE2bracMWelbFBzBeJffQGyt1eXFV2HtMLSVtI3O5VEtoZ33bqE0/jtTvqhTrpUmfYA5UI6AY9NZwErzEv5Rw0pEYp7KLvsV50o1XCABsSvbInB5z8BRNcMHaTuE9cDSDC+i1GDDgAL+tKtXCTHde+SYRlvNaGqoDyrauH2eOd+NXcm5qctu2qH7FAbVUUZEoj8zLTGtqPQAP5bTvwWasd+sBpi4H9eqKewuBEJp36YIrulAi4zQuLIugrTrZ7uJucC0kMc0udAsNoYUN7XE1lb2lEEJ6ek8dWvEe8JLboRfYf7CORk8Ty4GDblmCgz9FhXK5oNvSQtndctmthrBKjElBhz0tFYzUEA6bZy0lDri2GaLnW8niQ9Mgr56TT6YfpE0Y09kZSFvXw6Jf2z/KSqy/7qsQ2pMRIKQi9ozdL5ibGfE2WLTwdhKtjQ8XF8DxKMmAh3Bz/j1xRKqFYczk8HF74xG57k+7fiW6b4aStqtss3J9j61GbFREsh07YfQAnlgavfWrxp3hRHcQNLGtWaWbeTr0ITInnG4DUMlw6cAAFxV6Rh2kbinhk3AV1ZbDExH7BYYX6MZ2sRbg8mKRGIuqc5PpseR+kg9dHlIUcRDD/fH6l4NdY8b6wbBU46T5IPAnflb7hZG8Nl/rmfi3NTOrQRw3eJAMO7ts9V0t3aW+r5FtdAttemnS3D0iiRrwTT3sg0i41zNyKVqvP0kOpz2NvidkDmakYcf5COJBqNGvWBOXNTNJj0lJTN6zA3GrDr/7eQpW/zwF6Ep57pVphCEs4zWVmSoP+2B+O/ctQnJCaHqD3cYOAlgQJYJFRqTIoHNEM0C9wU09Sb/JcdXhbZJZ7xYFfz/p7BsSZGtlqDAWkfbawdL6/vBwONBL1iukTt+zajR+CZ4g10MJQdNu8I0UroVKApVB3LsV2npkKpeo0S0DtbCrcG4MeQ6Phj+YWUkENDjcWztiSMVXVzhbTcluddpbHrG/Kxnjo0H72BEV+TYvXrDim8VTn5myR5Tb0Sm24C96VPX93dc4o+PJWOsdRAD2MfCVMPc3zrGqJXA2Ium/aFx+51lU1G9xzPqgvR0m999mZFANN6znLAAJwgplxFYUJre0ZQpsoFhJbVLBFIU/ceuoqngZcuSA8kOOwKYMA53PtKwKGPwnPtp1C9IamVrH3O1s3FE+Bn8uVNA+TcRgCI/7LnavvyiDaJQnkvrUvDCEo657yJrRErLir869YLuzjrBsKD7TIAXoA4D2DSv7/0pphMuU7bPGtRgmogkfz5Fr1XnbFMvfmWlgdT+GavYB2ZAksJ6UoSbMkeYnojtHM8MPL58Z11ySoqcahZhnXLqlAFckTk02JdcI3BNN5yIx8Ewm9TrTXvwfH1e9XiKwBfHrFsLujtXeOp1bzVVJy1vxNZ4X2nbrLQBez6Y5tXLqfp45ohh7KwSK4i2WLRUdo/ct/15gvrBLiIxWwwBFRJiD9OovhnDVDQtyTXbtZvHqK3AWH8DFjvCRjK4PexNPZwSik8tryQRWEbWqmJpTW39/5npeW84O0t9y15M7KY0dBE5M/MgCyFhG8+BjVBwIB3RIDQyAJ5xRpAcxID3JvLanChaYcnIFuEPKPd8Z6FdkD7uUzSRHJQoM8tXy9j6ntdBhO5pmX9npDcOa38nYsoXkWlt1BUxoKtTFA2XP4SznHZ6en/N1RjB0aiHZY+jPq0cfoIsw1JQ8OYbBX4ReMP52ZtKhSAZm0Q4bIRKXiX+r7bIxMKq8iql40h5fXVy4TMIVkDFI52Ax5UlTbYZUQMXEvbIw7e3Vtvx5bwwVG0OiiNBevkjyMosrXcjHiXLjGaFbKdFYSDK8iJYCMPPRfzD6DrIlk0/8RDqW+Px8wAp8M8nNs25X0emxztU3LBIh5h2Q+R56ZbigKa0nMMOd+tekLtaJRphowcLwxwwJUhkD5QRckvEkYccKyg5pU7z14HA41jXI8bSQPSZpprKG55ONGUHNT+S3XyXMAiU0C3PAuvqWrzJBvZ8U5i53yb7MiOn40wMI2dTw33AGrjtf+0KYpvW1ra6nh+gnQ3BU+XmcBAtrk0Uj20aMbNxh4OBpH/1EgtVLnRR2bYBGct4s9DohhSjD6tri4Nge3t0Q3VcQbip7+MevYpyDwJhvZikApFv+5kijUZ9gdJ7Dh4qctc/WuPOtKVmQcz242j9Eo3pUx/QaEuXEOcEuKQDmxviZ+qEbZx0Qi1m6jSFGPalnwykstUlEE5yFwerPG1yRCZ8soG6Jl1JUtdRrzVMrnyIg04NPleHLH0XVKKfuWnYKx+SYIFhs1A88dAJc8bK8BniJV1VeuLXrTl/egwSiQyB5odg46PMGHVZjzO8hpHQtVYLbJSuzcE/pDOuVmX8jY/spRwX+uRzBlhjnZJzZJau92/V0a9SiNJtqZCrHbbzV+cMCghTjujSpBHfl0EapfZcJGCwo2mirqslmLoKuqI8osCLSGBqd2WiqTzrG10qfHWQsF18qf+24kiIBeP8BOycRcSillE97769ab0ey3vyw5GjJS3WhQSc1al9cvX1eUZwLBAbybOcoOivGZuRCfHUQ214jlmSC1LrFViVhT+YBLOQIAWAWFKOqdRGbbwfukDfn4mPbDkqEj1NgR7+0JiTqACe/kvvA/jw6wCVKrq9TVUNmKjBasq4rQ2Dg9MwqjTqzGkNQCV0nl15xQW8T47pLP20WCzdR2PTpnMmxJcxY/NjF3QwFXMBh2cYSe3ntuqSc2vGW4JTPOSoFNmgTeOXeKI5vbdgHCCXCpRmvZYHfrPIaQky+wyOueRZloCo/cxnR0E16n/9+ixBzTEBSroANi/UtLyJtcQCcE+s9xP0fKUjIEiAnhBJUFrFBfZ5FLvjPFIq/AM5PBHniZ85UO7uVfblfjQxuaDkeHWNSUMvIYpGCjsBarbMVVajEa6oDwjyvtkrYADk2wQB1jFwbZvJ0en/tSGnivtpy+0ieQ3TNHhC303HdsDCiqg7A1kpi0EcV/4iTPkDIf/RsvURdXA=,iv:qRIRjKcYKTKExhtH/n/NwIHHq5FfDuVkWBGQ8LtRmV8=,tag:7cPkG6z6XiRNBNiivmblJw==,type:str]",
-							"headscale_ui_api_key": "ENC[AES256_GCM,data:bIRp2SqcAvTlC5f0+tqVQEafT+3gOEqwyPH7cx7OEINNi9Qc3xJCq9rPp+8qNUILWbkah2DUiMBi+mNwruMCVw==,iv:Vq1Xeu9uXWta218G5Evnto+WBagaCQWCppmf6FHa/uU=,tag:CweCD+KxAvN9FROrJILuDg==,type:str]",
-							"headscale_ui_cookie_secret": "ENC[AES256_GCM,data:Xj2S9Iefz5rog7Wj2j+c45aDcrMeVbk9x4o/yDZpULq0hooKNNVDZNM6RIYIujOuLjcXmQP1uU9jDGMBsiChnw==,iv:QrkMGrMn0rShBL82klOKRpKZ5JqpTPvwbImlzgPoqfc=,tag:1YDHUXMejWeU0on9mczdQg==,type:str]",
-							"homepage_credentials": "ENC[AES256_GCM,data:pjDAnK+q8YB9pq3zzloPkyGPfNeXZdoiDMU05XeHS2m4rq2u3LeSmNJIfcVYRjm+Nig3bTLlTVq0QxGzvA8oTnBygZSljurvtGa2EJUd289VbY9c7YyJI1SaWNaN/jJ/3C1SarSjvQ3E/hxzzVR3wwy4l4ZKyOhMgw5qC21NRgj0H+luHJE4bINJwX1opC0x2G6pYg6Gcy0rP02782Au6bv8f+u6/Bfgvx+2vLLls3CjCwhUxDEnbT2pW1qDU2WR4g/++l9dUfmH74zwqQese3+PoURSbAitdqBIYcx4xEHQJXA2AFkJwm7yeJJIz+6B4NZmQwcOykTDS4UCFpil335KZ6c5wJhM6GTDee2D3Rku3wCHIQx7wWr2PAXtjWTNZskc8qOyKKD9sv1aC8GZcyj8bCNn85pwJxfcucrw5O+9EC7LW0e56MU9UVHSkX2hfHXvnwReExch5ssyzIqBoEvoSR4ljxtgtgtEig05mf1h/SMC4Emix7nmYA5Jhiq4DUgDuPE69M/ISpas5VLJu1bID/osKY85B/QXgrCnkyUGuHUyPWqdTlHJhouByR6cY4T4AFdX7rgWKiiJPMX/UboDDE3ePX1+iQQf8M4GH5x4VG23sIDudWFh+WXhSqIM4wmU/Rna7KxRcxRCfpxhsvHprvn3wl0C8VnLrlm4SGpTCcatOPn611B60wbqJpbWlnJAIA1sDrQgRoWRNJJKKaIwkWa13ZN5C6nBHadvn8fLh3zK41ERjvDUkGYSiO3eRJ+7kQC3OJd6vgr2IqXWkwsWOczPiXrQRvkpzrRod5QWRj5dqnqQfM5msdgHvQoCtfzW1c6K7tho8RZCa+AaIiMZS6Se768wShQIlFRYvXQb9F4DJT4dPAffsgfoc6Q217agEaqW0eHNyGJ6TifgRRhzvz9z4r8Ygw94lY+ToTYuglWEwGLyT7tZayRkZjyfS+KB2Fdh2DBn5uStIOWApxNF6eK1/m4S5eOx/ff2va0rSwrD/v6zyHA/r6AHEAwTmaaDHaE0pTCd4ozL1irhRMStDdKKIOi8uCIrb3tA97caLdeOzs31GymdVHEj9fAZuJHpzfukObrM6CU8d1r+N1FE9E16DjzzNMnFjeNi2lOoEperAuLImSUMgvZbb6AwXkQIZ6Br7r7NttLj253o2Zpd/LDlHaAPKmsOIYRjAwBLL/KIxoqyAhmYc2FZNHJs9yp0JdgwZnJaZYP++Pl5tZMTiWi+MPTVEtyMTVkDdR8saKCEyYXJaNLzPu5/Xw+aqB8qDDWVzjX8jU/+tGCTr0qqZUWobFnZ1Dpve15VqV+0cmT+A8PQFYDI0NeYW3a/sJx5UPOe/bLxGXtzgYJ3FQq55wH3FWx/Cktaz2aIcMCRtuBoK2PEfvfKPJiBOdlPjXMwyUNP9hFLxL7neor1+uKzJIglXaPCWP1EavEl95IRRDGRUwTDGGta8IQ9H2Doj/E3/SgxiZGiWurwkAwY9SVN3/7LvDkCRbaQFoiezgukt7kgVpUWCjxfRKaZEIWK334SvJR3VFykGtKCc2S39yXfSwhHU6dyOVs+06gKZ8AV2JSIKOZZS3aOR7OwQ/eYRkQ/xJ/U30Gv7ndmgnJCYECSx+kJLDmhYvnzhz8NeAyDdNEYlGk7tzXJlnzUNIAkAI3MBfvHIwnJlF1sXCb2xgSPWhMED/BtyRYQH5Cu9yqg3glqTsx6dorrWWmyXID7YH1H7G4dyifxnwMNNalWKgwH9SXbmHFIOM6S9gm/BpUx4iuGcnFhk2W6TY3hC1efWHnWMid+3pJNK5MG7MU0dURJlqck0rW58YrF7vOdnsAcog7VNe4+olp7DW+L6imPrRgz0dQ23oFEhCuc5/ZeQxEYBwXJNb23VqzwwARfaX3vKRtpkYQ/q1wv+mJ4qtmbSUH1f80akwakbs4dtIsHbqRZLK2wDFECes8DWMWuD/cu2MYuCBZcr2KKo12ATrYtXbLEcpSzSw4mMXqFkM+zVUNK+JmPSWVV4jl1llzCwGX4MABjegxhVmIWUNkADmu0dxJKgbKnkmOTMtTa3+fiaYUL2HdESj/CTOpYL+y37kSKAII2ITTMnfxNDAJg3S1p83kwk7B2EJtzdoOnIgNqvmT0ua4+sH1jQdqTRacLppIwtf4ys09oAHs/GAGVl8DbmmW32A9h9JmKCvkLqMSP9WkQ4B+asEJj17qSw+InAEPPeis6SwZttAZL93CaAMA20aaVQ6LDYRXlAiJJhRkIqqbgPd3cyPDhllDT70kpL8KgDtixOKRGKF0DDoU0wENxksu27AkEcvUjjQM7ZAYL665NrDucB83GboWXb8f1rB6AByXUy+cEQUOBTX+EkZsZhn75NuAa3qh4DiIeCPDaD6Vpl08qfSy6YV2GxAhFFE7kJXNKLT0yqt0T3OOF7O7IROvfp37LYN0Gtjm7TZDWyDKY9EMia7XCBB8Qm9Gh45DrRrD+KLiaZsOjsGmxVmFI7gIdQeBMOa4gTk+aGxWmsv0SkjPmhQxGTDPLFKswWt3hlh0woOgF4dAd3MdeMIJROxmYIl8Za2x2nqLM1hDTdwCJOB8qF12NyNP12ARCo0mMazKZw6IqKUI4SNbDbN/JFBPq3BcT/kYv3ocdNWgZLBktMypLORIWYAERW032xSge9zXocPbjNcf/QLGzFqVup3s/RajpgNA9w2ZjG50QnK40pp67g4uKagogNrS3WaJGVOYF3/8/FjOSlkG16Uf3Ois=,iv:0bZ0aug8GHOc3WVRLaZ80ClNulujsYDgi30b0B7Fm6s=,tag:5892gv18NMG5QeNeswfHeg==,type:str]",
-							"ingress_crowdsec_api_key": "ENC[AES256_GCM,data:Zjyc/PA36DHG3gTHs7V3hjdOypDG/+Ervb8DPQyU/SnC3m3SHv2ot3CifQ==,iv:lLEUSYle4t49kyVjp3a/3u6nK0BGzXL2wn1afRU/j/8=,tag:ScWb4P/+cPdsOSGV4ZxI/w==,type:str]",
-							"k8s_users": "ENC[AES256_GCM,data:Klr9xPpICv2mLCIdC3vnBeVxIFkdUFj6mBOkmo8zKJ6Xd8+2kFLpoI07AKIC6K/zuwf3p3myJ69QgwVueUdPXKT0R6psNS8nuABPVe2P77SkopF1/m3onDpQioGStICwDkMztf+2Z9fjcI6onPYcjNJl/on6huwc4dxsNnx6B17pzCvpPDayiCDA9K2/Emdl8++a3fCycOhBBfXDIOUY8g4J1gDUQWFUemFCSRHNXln3WKIjDlPqAv9sL1paj+r0YQ3CqRwWovpWjiV+hEDD0FbDD2OW9WZ/Ay57HC+NqJ8tg1zUF6Caz6ZYkfhW5FfbGLE8PYdnEdJn0AqdAjBTFL5zG0xdqN2oAgn8dmYQlLKg/3DFBAqW1a5LjhjtEYJeRfA5TqZ6yarohbEE1J+3IEg4iKmFyD+iPxDh/DGOXXBsnCmktB8hlfA8DwWxqFfEBJP3V+EKnycxwV1jl9j+pUHHO0emaG/Cwf/PpzVA7xv8dWiXsU1qVVnvh242ZXrWLRh6T3Jt0OHv1WYhpTS5rPCe8+IGy5CUD4qqFjM3Tkqd96WNMkN1+J+exvo8MlKJVJhFdIDmDBlDyxlrV5kYKvV4/w/c8B3rScNqfDsx9J7Mgj4E1Dfp/v06KXmEXQCXRlnktJvAzEyVWaEa6FOq9Pv1tPyJAqMSpkYuS7g4HQGoVrE=,iv:NyvUoYWvbbeV8KVHW3RYm6n90LmlvBSf39S1aTpMitk=,tag:TQgMMUQCuFP07hw4dJX/6w==,type:str]",
-							"mailserver_accounts": "ENC[AES256_GCM,data:oaFlHmBwpzUlKmf+Qv1e8bfLSY5yw6NNPVcpeONKJAi9CSZa594zFjHpOWc3O/oMi6LPL3E2XxmorzjKac5uzI4wTbaKn2dqf5KhelYhBPh8yg23csyzEgM4N/KUf1BNrSpbnq+tJavd90hhTmYe4F5SuwUuQDuEuKSB2Rhw87aIFaHKPPP+diGJ7hd3VNtJXVrMuvo//KMrmzw5tzGH3SsynTTnrhT0NMZBfXFZ3xKqClxc73tNB2NVGngp+rn0UNh6pRaEyF1zlIxyPBvaW6KFfDsM3TDH9t1mI5vv9583DOQJ66h66WKq7/Gt1h95IMzs5Og1bL3jLMIKthB3AdhPHR8gCTnLd53i8tijCLCqQKDh3DCvFHs2WbfHByZIy+ddVwSM6J114ttptZKDfyaXD8rWRFktOC+A3sZNQJdvJXYGKap7dQhM7z8ucDrRYo8WfZvFeRC3w7MHIQ+KT98yjHad+Ukemv0QTsCuqkyoDu7RE93oXk25mGEcp+mJILW6j/sksG8b//u2upNTdP+GnjdxTn9XwRlC3petezE/eO/4q02TteNO22s7sMNCmyxYDvXGYzSk6B88vTTsmOl7a4cDSHuNoLSaFt3AqSJrRZoUSx9VkD9PYhUIDeKgJqnj4Pda1RL+TECM7OJEnEtrYzTN6mqD5l2BW30q8ue6StWAE4G/0clxOa6XGfzCqqyZY0euHtTlNqaOn/SZpaZ2Dw2x1rxLPAeq/eIkEs90bJ2w6Levk2JMY/D01Y3Pgk9nnX4fXuVOUMVIsvan5AvHsg6NW8tdrvxtpdTbjf0colss+CMbkjhDg/GPjY1wsVBNExZTItBK1/7PI5knrYYLLbpQ34bkgDPmRz+V9bVeVZFFFUSrrl1TZrnxko7FwFbOmhik43WB8ajJZll7,iv:5oOH/E7AakN+m8MZu0XrxLa7PJV0E73ugewEeL7HB/A=,tag:xhYnZ0UMeaXvIg2SKe4UfA==,type:str]",
-							"mailserver_aliases": "ENC[AES256_GCM,data:i9ZFAr7qfCFNhge8QkMxxHux2QIsYjkKf/MoJmE3h0eP5G2FRMeD5iO7MOjTdogA/0i9frbrSAZm1hRXled8v7TLI9vfW36Xp9IPxFLtja22lhHVJWH1fPZ43PmzS/qk+Dlj2mpKH+ixU0NlmNy04AMPZABPzSaLHoeSijQTfAN1ku49o9cgxVNXxppo0pcX2rmCFzOqe9VDCWly23EXIHvpMxK71aScxyPAGWhtviZvdGAYPvFkTmmO4KHs7CpnbvKSd0Fvz9gIDLTgvOYJUpv4daUFeN5C9tL4YxQ+f5PN7RGEnl7D7F0CXbygdHTMp7GNbiFtG78rRGzzaDZuY/9JP4ae9xslt923poZmwLASKvO0E5XiHjfIim+9vC4kTHx8hbdaIi8mDSF9O5YCntFoel03hkGgpyPq4zwDSxMeMc4FFbwvW0RyC3O4nWjzE0PXmef5Txy8oqlkoofUSGdaJdiSc1A9gs/Aojcc3oVEg+OtxqO60rsWbAXgkoKle2E3YSKRBMR2XzEUlgj5Wghr4ZFPvzW/nEHHlRXNygV5Z9aqdyyDxXeVQy45pLxDs4IjeTqMyxk4pIvQOU9LimqW/pv6,iv:w+434VRbeZCfmuM4ST+T40V64qZ5FHoBsqJ1U5jJPqc=,tag:3b8M8WjrPKKQHkxR0C1R2Q==,type:str]",
-							"mailserver_opendkim_key": "ENC[AES256_GCM,data:3sgAQEs2oMv8TnbcDSvo4ztH6KsLfZz35MvK+mzmRkPRzcXg5Yy0ZiKiBsfNLyOIk4+9LHgNjyNLH0JyCbkemS0YRLNtmlSljpZzApqIiLxpSlJbJPuZKp53Tz1LkfLuiFYKUCc3w7t+i+NYjiPv5nktFxXLtjV7XbbEW32WD8b7mFqJ6E1oFhw6lPUaWwgLcvMybgW89g1UbAlXQ8kotmymhM6T2tbPgiLD1fj4uPG0RY0cyJZ9/HuqXu3xPbFWnS4wS46Fe4A/vStXrq7Guqnz35UktWVz7jKXtg4mUv46LpvhqrR3ZHa83o0pH0c8P65SMQUNFJihiJhQpAolwKeIPtk2gaJDA3YSHKV0WMeVQip67Er9Nv/27G4B5SdZ5E6C4fA5zgj/h7qoBL/z8Bmz0SooB0OGhCDcbeexu1cSnw0KfyOa/NIlxE1h874I0dIeoYB4VTTSg/0eOgY3KcFxqcv+BM1bQ0eFZEztTbazYPSTPlJ+FM9A+FlIA+E8FvrxYH2PpdfTJ42MNOX5OE/82SzBmwSb9wW2vI1XBgTha1yxQ91w367TEGzHl8Np/76IwTxRnNgwegtKi6nvxCj2urkPlD7wNrxO+gZ5jTYtcwKAivz++kfkf+ZqNu/MT6eAKJRHg1eihKpCQ02YkZOxszCa0uDu2TZnqECNRVRHPVp/Bx/u2pDHnmUDsY2npmZuTla0Ag1xjhgmEWH9rnZo4SKCJvMNxlqc12PlLZx3pVWs2PD5Op7fJ5PWm5cm8nhpeqh5I+Na+nBps/72ZKVB+etPOhJWCXHRb8hPjfnhdFsAi7Vru+7jdB47TUNq6lO+6L++b7Y8d1cbjS/UPI6nqze3fgo/LoWnawo/9nCZO2vFsPdM8V0KIShgJ7pXJ60MNBXLZhjJ9r3jSyZh6F6/okLDwW3SjCKqsPEbnqUtqZN4R4bg7hkcVnQsSEfSJdm4A/gBR3zN8NudqzjVMllC4vGXQd+ARlqXttviI9NqXnq6wFKbSs+PiSkVPJ0nL1K+Xb9BRpA0fpFfVMV8VO9tRWYlzLikCpHGa1vcvom5NiKRzZhMkeHHV00GufCPf2VGIfCgU5Tr60Cj3Uoa3Z7Zy4Umtu+zDjUY5OmkgHSzDypl+a5sLCNrKFih+iGw9SkgB03Kk+bG/eso/uWuBC0wR3jsQYsqBMKVXQXXZp4k2unOXs7CMpLrmK+tBaat5PqK5tu/hv1VSMyiVr6vFMhqvqR4rRlgVz2gRoUrskkvC2IIV4guE1haPJSViNWRyNAYoA5L5hJHP0pJk4N2aMWnI9CM7PLemPpl1gYLSXo3XcwoxCqD56DqlAb2lp5+MiinQNehNNBqfpzRWZkJEZ7Lihc9riP+ty/397fR3+60DB4rT23/uYABM65k36adg0Xmcf32359H70e6k6uZ5efkbBVBJRaLfDuCLH/RvyU04S2VAWH1a3xj3Aiu/SQWeAi8M9J7fJtrVhopNta9aVvjhlBbREybdPdgRijTto+023BBnGJ/R/Jtfd4jg0/voy4pNBlzfjvEDe668wB5q6/qxwbAEA68RTIspbhHUc6YhaGj/rQ21vujXhIX08ot3SxGX6yD39vo3wXlB2EiiwPgfBEd7ciDtj1Ym9wKTW6FMtBg35Yc59ZhvirEZN/sX6qMBc9n1eS1I47WOCAYG+oZyfigkBtEeV85zdgbVbONQ4dwn53MaQb5PmXrivbZTpbdxr0cUb6EIl8coB4N3zK18GbuI5i8nOGyPwTfwAc+2aYakZ7fcCNdaiOz1kDI+265Z4GFKxE+I+8y0wJVAtMZxwHP2SPQAwKHuCOHUbx33a25kNojcZZwHwiEF+m0VOI7HB0HwkPSYG6MwYUouzNAmuCclDavw5+YlCC2+mNLqc6UvZLxSb7QzjwPIH3iHJt/QYg3502iMuiMmh8GYvrRpmWMW3BN3sJZeHBK6k33+pGMi9yr6wszxTsn7Dq9AhCfGcTiksgTn3ZuX4Ia4YxmubgAlsvGS4kww51+kGwKcB14zB9eHRNMGJMEhyqSPRZFBqrHU3k6R8fumGF3s4IfqbB9zfSfCfCOOyXrrKdmUl0G249+5FaYhVamnrlLW4d+cnq+IXycscNEpvQdgdCfl4STl13sDM7XwKqoy/qx2RhZzaCu9jP2P6h+b26lfwaXCBNctSxRlc+HaTUywC/dyIYCOg9+VsRfIAC3FA4jilXQW27rqxd38TGy8703gEG11lPdelM7jfiqx0qLvun89aPEWE7pozNQjw==,iv:8UM2coZEyoPKdajyaK4mjxnPyFNlu2orVxx7J2Nb660=,tag:BNERO6fMbkhN4NYg8n9SDg==,type:str]",
-							"mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:fx8Vt9jjOqMUI4GyGbA=,iv:LD3LMs+J63bSxkoSWpcFwvRrBv8FCRWB7kqmyIVjalA=,tag:DCm3TIeE7GCOpkV8/hYxfQ==,type:str]",
-							"mailserver_sasl_passwd": "ENC[AES256_GCM,data:GqlQqOQmG/nKP90QCglbV0cvhO9/K4YA7O3FUUJvdg4gjNgbDvU6U5rURvtdJ6QjoYwt6R/jYSlgaVW4DxaXtf/4F+DiQ8LkjcA5yqeWq1d3mP/QEfe+47x/IxNmexQxHPHOBqjQUzB/0pM58a4uIYM7NAGlWEwLpbUPYGG3Uz8oD4V2IX7IuyplUJrG1qtCefU=,iv:mxWDuLfe5mNHiAoANRNZF/zhi8jgMfLik2QTzkJw2Ec=,tag:g86nlJgTrCWum52xeY4ftw==,type:str]",
-							"monitoring_idrac_password": "ENC[AES256_GCM,data:DsRt1vFu,iv:PaolISZr8W1m+oTrsyToMKNMho8JgNESGYkm7Q2aN1E=,tag:3FLHk+IhDB95GzvlObEkNg==,type:str]",
-							"pve_password": "ENC[AES256_GCM,data:V+KqrjsA6EHaRc/J0+jEX519ZGQ3t8NUvdiN5w==,iv:IG1hzvXHw4Kkq0gQJ29cqwMJ1WTk7FB6puzG/CWl83U=,tag:D+LnPHt/V63OP3yBoxvIwg==,type:str]",
-							"technitium_db_password": "ENC[AES256_GCM,data:riJFgcgmjNP2ngfTbXw=,iv:vaxDjEJf53TbYgEqeGlXagdyO2VNcBT0RXh5toOKrjM=,tag:bba1T35hn6A2Uogs0ZSB/A==,type:str]",
-							"technitium_password": "ENC[AES256_GCM,data:7RM5wuZnQNFY+Y5gltyEgY1/eC+yltc=,iv:NjfqqlTBmiMhok0oj1CGnDn/Ba+TE1h2MmQUQiqRCgM=,tag:R4ppQqncdxvMkfOcbUTvRw==,type:str]",
-							"technitium_username": "ENC[AES256_GCM,data:yWLqawM=,iv:/hErVZhU9z4ac0LRG79n/1GhkhIodb+oyFYvv3MoHJ4=,tag:HpEcaMRmfreRTJM74PsUzg==,type:str]",
-							"tiny_tuya_service_secret": "ENC[AES256_GCM,data:68hSeoo9FKj4ZvdpHnR45C4/DINSBw==,iv:8k86oi661RL5D4ugJ1fI/EGLGCStTyGpShwB2NrCyLM=,tag:+PF/GOeXsKLOJ8PDgW9ATg==,type:str]",
-							"truenas_api_key": "ENC[AES256_GCM,data:CTdngRsiKeWaUxnF56C1P3op6BGJJbMbR5BHQQhyQCUVdo+OVhocrtfp/M3GKPNrKc899XwlhHWYfyXo2IrreGyg,iv:+e+aCr9TYO+xlEylkmXhyKLKjq9YUImYDFDtr/PIn7k=,tag:X1hbwXVanaJ0CgkB4DkJqQ==,type:str]",
-							"truenas_ssh_private_key": "ENC[AES256_GCM,data:EKvftOIN4P/MtWPdNvZ/ixXQXtRj/Tvgo3NW52JDyGbJ1YmLcls5X8rRLn6a51M1y5+42qdVKY46v+QwqEWiQfSOi98aX45ukvkHwRwu8+locTYj9BC7rvhXMoGF2P6j41ZHFxsiq2c+bM+fpNtrETQDmTgNaY1SXNDS7i3KeyEkGZKN2dDgf5XAspPtNY32ErE7R1LP+KZbHX13L8yXqSjjZWebxKgqDC0hYbKrpkfL3qmFXmblSFfDg6VHvAZlv+cqmPSNjb4YyK5miOvkAeGCq5FLENz7M+dLjcfZ21m5ASx7HJgiptNziOtJuyythMON4NDCKZePRSmEdFeJg17IvnAHXUjDeAyubxk9lrNmW6zL06aoKhOA6fWtQB2SSa6uOvpOkQdchNGUZwzQ4eZgevrVgdcTj2p4kSgWs5WrGsnOFDRUft9ITp9YwsNfcyTWGkwJqww6agbnw+oHF8dAK2SwFnso0G5Fp+RmJJbgTFSNJYP862zFX39FEuFtMsLyV/FbQJtbdXkoQajDc3cOWboDlvYrbbIn,iv:8UUktwwJftro0hvH3OyeL2BQ4XXwTKxPoW4KH7R9oKE=,tag:1vEJf1Beko3Mokxok3ZQ1w==,type:str]",
-							"vaultwarden_smtp_password": "ENC[AES256_GCM,data:mOI1m8eAB2P3YBdvHdX/yml4XS8=,iv:/h/6QPzUMr1cBszoMW2puAhyrqa2vyu4cBaKZ/SG8B8=,tag:CTNzFNy/pmvSy5ZkHxqeGw==,type:str]",
-							"webhook_handler_git_token": "ENC[AES256_GCM,data:L9AHcWVemmXxvU1D1jz47Aj96OAOP82i34IlXy5i7GgJXYJabnrfgQ==,iv:SdyUpXDSqR9bCCVRIuSAjYRkcnpeeWCuEEYVF/crPLk=,tag:e3/UM1H4y1bbcY1DudEQNg==,type:str]",
-							"webhook_handler_git_user": "ENC[AES256_GCM,data:lWC5bLXaIbhZ0y95,iv:5KZLe2ELSus5cZOvtlJP4gzrwgXiiKlfK6V2+PaJhMk=,tag:3yQD2HuODzEr8FMzG20HXQ==,type:str]",
-							"wireguard_firewall_sh": "ENC[AES256_GCM,data:sIQlvfRQgYrrywxlpk5uOhONvQviRFAccVdOziQ+FjhQHXA5DD/pOWlt5xvRfRhk6+2ki1/qiN9XiFxdvqzF6Fe6OsXH9cLc0QWyqiCxKwwqNw0Vmkpf0CZF+YD2mKe3sEXpBZkbWng2Ys3WZ6nJNLW/0PjoM5idfHTlJVFFQiwodRtmjvrWujNrfE5VFai4qv85/gAHk7p5g6rvjCHuFxExzWgDyUXPb1E6Pb3LqXKZ9+Y4iAwS7Ba7iVP5x2QNhzexf6Iw/GC2uiLUuFOJmGXSQUS8CZXvDyWN7SDy9yok+Xg8SyA/YfXl+mX+8eD+/PxEitYNVbPdm8vQMguYYb3ky5vinIq7ft44PwgSa3Qk27SsMgjsysGG4MnSKpKyGqnw65ArmjNE3yaXDlDOLf7NJO+8dlH1cA5o1URFP/J8oIun8H+9XCQM2pCZzCRDSxY+uYUVGpkggUJKniyyq+5SxfCvdBNWBG6YxDZU17fS3HJ0g9RjEgnN3R5JlvZ79gwaFPkxGtpW+KDtfabkvDGFNk46qKS9Uqstvg==,iv:Tr9JzPrDSruY3aTEIKcy+Pg3PvW4JDbxi0PhiZlmLfw=,tag:Xpd1eztaU5dBDPXQ+aj8iQ==,type:str]",
-							"wireguard_wg_0_conf": "ENC[AES256_GCM,data:3VUuObkak+R+VZu2mbDOz2C51V2ai4svsyRtxcQ6V7RZCppxg0ffvEEBh3q6RqpVr9mviKm5R26UiPNwKUWXn+B7TsXVWpToIbnDcA2AhwmlERwktPTPbvVYbjBxeBxCDpyARaa+1LFsn0GkoLW4wycORPhU2PpLcxotEyKslg1s2ES8jMPDrSyX5zs5XU1DXxaP/SJJSGsDh5REuRVE+Z7pfRpEgKefAsfCM5p0IC3B7be4QO0KKL6+ggyo++n+xHbI/i3ZfyPYCI1BH6xTdklhkOV84EX1HgmvjdPLDf2Eb5hTHt+rEnJ4Y67Vjd4rK1t0iieza+DF5OkbElzYv0fIOoQzAxfdlXnK4aZQ+IIGATPLCzN3Gz0sMmASOi1jpZlNksBuxg+O1smY7yUUXKcItiMtonZPGD0TJvycG1VsroNprIIOtTwyxcJlzznOtOImZHr2xRTUKOVLXZOHgGD1ah4oeQGlvpIyrzKQ/uWRYY9OYeQmmuR7ijLhlGiQArpGlN/GjNIZ/1/NKzNyGS7WKjnUPzyY4IM2PTQq3w82US9RAr66IrAj0bhGnwVBQAvVkoaJI9d3AvbooX65OLtGEPV8zpaNG1kHVXKvp2+VhUpCmEQ6eynqTbm5rf4ZRn8gGBvz3pSHG1bdG0NT0KYx51xSvfsrQg/VvAZuTTV7cS/W4NGxM/FFoAjwQHZoo78e+UiBtps54HREfq8e/IYt7VuWyi16n1mh2Q4Zh/D3LpbPeVh5Vha+yFRRJ44a8M8WB6QkhNs07OPyg6HmUR4xxXXmH2S57/SFqWLei7wgeQifwp7pRAHZYUifjmzeLFCUON2h+6e0nZfVS4TxXRB1CUlKGYAIHDjfx0ZVZpfuj7efWoUTXvHV+8jP+/ELdiKvo/y8yI3HYXP/iTZzbUPcjznpm8Bra+9cOSv8IClNVGFhxkEwd0AvOD9ZX/oSQ6mv7o6owkR19WLyUQj7BLe5C9FlakrX7r4HxmyypsN0l/qjC71wlh0kD8y1zj6hIs73PJ4gSJ4DmP0gYtgckVSUef/oTxPIERwHqgRbRij73vuLs655LurNxO30ViN+p5cTs6L750fMmTfrvYfZ8rTTG1HlPmPY+16GTvYoIBkxtWPyCgv23bRgXCKLWoYjoHWX4IcDJ+yI4JVp3PlMmWjGBaap64DAjcQrOFeVFRG85o/d/87OZMvbDZvTba1rDpZOtSxEOPWvi+1htz/LR1WA9BudjFnswfqQ0nLMETqxELXbGo+1ZbSu/+hGoVaQan5Q0sr8M5mO7qDIWIo9eCRcjWxLQazsqd7P+logMHYnkksoM1YpzNmDLscT9mbShF0VvC5qltxMWrzuPE38ObkMpeI00zDWfRuKNoDlpwUhbvDBKCzBlNs73SYr7oR4i/mZwOTB+C5wuFegNVCTlFeFcBA0C8PSj/K0OfOOWH8MqwwmGszEcYA0/fG8na4nTjSKZOn6/NsrL3sACvBd9R8v8DWNXu3z0K1j3T3IJjcLmarTNXbiKbcs3Zu+ytnQx8nd1VZkj0MZQsbunADQsIuzdG15t+ralRycqLwjeZrdf4XllQZ/2piGG713+oJCGOflCxqqNhUNjR3PPAPgb0jZEEqxjxy+8ubkRLP83bdFLOmNb96DER6UqqQtCogwrLkq1EPWnIIWDTD5YxYHivXocdSQ3lR+AciATC48jM+Pe2JvovpdItApATPR3jxoCJE02D2ZRloRARWnOe5No6AB96V4/pMOqjQo8Z4zhfxI01b5UpyvTwoTfO+2rxpUctA5k6cvKPo12x+p6FtUN8DujRw5zc6nDhczqyngLThLFp370Y+ELyOWQPb39rlOggChsIBde4FbY6E4R79Ujk5JmAyTexXxTPBHOKU+AQfWzfyRYKr35vYZKB7eZkqVBoEG5uUV7bMTIqvOMsfY32Y1aNQPk/CTLlmeeIpQgwAG/dMau7RHb9iNNCWIzRcx7vBUVelbv/z1cCAcxuRARszDxNtEey+Zy7qU8eK8hT2//ddCTAFFFZvxDwP017nuwUpq/ETMntdS8mkaxfzSxZcIqEmgFDHzYQa8IU+DmBKY7e6rsBYTM2VC000Da3eH1bTQHp8sNNVI7LKnxN3vBcoyXHpyiwHC7WVWDC1nQtblJ/GxZBM9p1T0v6Yl56DqL41VBaMxHNi/l+opncSMuhqRJ+WXVti+zYzWKqoHHfEK6OH1HCZC4f4OPFeQ3nOt/EpFGzZonu7c7l9CkDC2xvKGOikze+PGJ0PZa+244VC0itKBi9gMIEvxy+LPdJ6EOey1xIMYS3LySdPnLhbfoMGoyKuWPevV+7ObSneL05z6iHlDyr7JU73E5CJcJMEB4q+PQLC4EaqAafSdD22L5lXxf67YnY+4c53j885y1fLMa3hxV3r8yL3+nAg5GTalnoCe0QYpYIf2cSS+MSTrnBExmx3EoqXH0mlbVVED+YAWOhWj8t9Y5ifRZgE04eGxtCSffYcsOfo/veY1P2/rOSsgLsPquWhEALtqox//7ZjVM7wNep/NmUdgmpJMbbERTd/s4oNl7IM7TaRvowAYstCR6hZEVNcHKYOKa9gqxAkQ00pHl8DKv53Ca6KnbzfPVnII7aIz3nC55rFi+Wf9L8UrTtowh0gwd7Ez/gz4OKMTlecj7dG0TkvXmSsCtKkJzgDwnHAt1zPYaNojZpLcjhWuzt+Ik4baseY7M+PSL4X5vNgGmfJcRI/JvILmDOAeucoeqRUwPh7/nxw8gDq21+qKsR5sQXBRZff8XVvF6TNSnNkPjLD0eN+rwfLXZ2dYIWQvla4pqdqqbP/SnL0dSnzckphxc/2qXdCjJu3ivGBo09XFU3AGhEbfS0ALdrk8tAMRzbP0eUooFuNMzsy1vioakQTbg4W9cCwetj4rv6kFxEilnJcO5kb22KY8XsiMF9PLemVYq0hHeCNpKjFwTjqJR2/Ndl7go51/lSrPXkVHEK/IVUB9durjLVtl28/Hp8wNZi+HYYTL1wkVgwYZhRCdRB2jtY36vUCkN+fjAQ3x2EVs+t+D7VKofBc5lxJ9n4vV+XIiAvKi+vmN2pvin6uCip/+WjMP3BxET3TKg3I7jGylF/c4VS2t7dFSHbAA13HE6Ag1C4NZgy82693xESxHwR8gq4eVu1X2epG8VCOg4MKBNP17yXnI9An0dFApmsgdGg4FN5OT7JIvOGbfw//o+snsotlThm+DT8e3QvOkgqG2gEDLVYpMv8JYnh5UpX+6lT9qEAsgvc/2wPfAg4GwAN8T072Q2OQy7FlVpirWDAldNerIS4k43HMlaK884SpRAVyxq5rnDkxJJw1A+YtqiJYECJUVly2bThnWTxcf2WEO91IMSJ+xiIBLZBFFOy0hX0cvnS7eRQSRia4NDxgdOLv9iVt82puAPDJfYmq5h96exO6PUmXRIRLNKzhxy8p++SwNHSH2ew==,iv:y52Pl5bqjDo02xO0QjiN8yj+NNZPs4W45u7iLGEOpFw=,tag:d56YLx+GkuchaYDjpXUgSQ==,type:str]",
-							"wireguard_wg_0_key": "ENC[AES256_GCM,data:IN/YAAOKh+2YuF+rVtBCYk8ib8sX1lm4qGKeWpOvwhCXr9Ih7eE5LPx6WII=,iv:b5r6WHnMCxl7n6PCwK1mzuV2IOTHVSTl5swcWL8UCBw=,tag:F23VjAFeo9Ue7mo0+wCEMQ==,type:str]",
-							"xray_reality_clients": "ENC[AES256_GCM,data:3yQOGcreKjnTYdZ+zqKbQhB8ujk8K6w+n14JNu0Ljy/PrpXx2LV1/aO988HSdK4=,iv:TKsl/SCw7QRdO4TplueZGkWNn9Se7AHRBnAsEtdGecQ=,tag:vFI7yc8Wh7jPBBT7M2Qh9w==,type:str]",
-							"xray_reality_private_key": "ENC[AES256_GCM,data:1L4wsy9SUzYb6iB7kv0uKfNcZCIDk3cTNspXWh7KN+Wd0/foZpJFfjSPlA==,iv:1hm9MH/C6Kdbd3MgzWCIYCTrzjGZjL2SWTjdIUCQipc=,tag:/niXhhmzs4y3cK2NPuo3IQ==,type:str]",
-							"xray_reality_short_ids": "ENC[AES256_GCM,data:QEJp7+ZozwOLT2hrazjLbG49LtItgMGgAMzKoCBFt/B0RP9YsDuSTUzQvS/psvwlP0SVO6COEbgtSv45eZkuA6A=,iv:Pgv1Cwkf8pIIgcKaV+YT98IlxxIRuvT9oWmgAYsoVSg=,tag:cLGng8iy8EeGWVZgFrBj+Q==,type:str]"
+							"alertmanager_account_password": "ENC[AES256_GCM,data:bSC98oHjvJlGFw+bDetnwYRRYTs=,iv:qyHlu2m0LB1Z4tFGanwdw4S4ExLc9lKampylNmldl9U=,tag:RzsNomZJgAXd9KiME2r3Zw==,type:str]",
+							"alertmanager_slack_api_url": "ENC[AES256_GCM,data:ttU8rIHwtm3k0a/026iifusC7G13spLiprHw1WTyW7BS/gzb6AptUsTpVtbjexfZgGWD/DBN6JNnQUs2X3lWkJAkgmnqio08HfUduHGdg2c7,iv:OR59P7kOK6j6j8d53xYfLASilYJuCj3itxK88dp89nQ=,tag:VosACFiZwr1+MthPHaMgrw==,type:str]",
+							"auth_fallback_htpasswd": "ENC[AES256_GCM,data:4T79G+7V/tN9acaLLqX5TC6jbgrVh3Cl4G2B5JOxA/dV/9j+o5jCPxY+jSPenz0z6hbm7uZ5Bs9RdATjk+s6RLrm,iv:StvVsU9rGlH3d+hfilDQtLLS2TiI9i7NZKuaSl8ccp4=,tag:oTkgFoTmhfBXKRDhr1mL3g==,type:str]",
+							"authentik_postgres_password": "ENC[AES256_GCM,data:2/aXk5fTYL6h8BHIvMKozg==,iv:foIFBLKLq3zK+jm6aRFyEMZc0vNV/YjHAQAFb9mTxCI=,tag:wERxlBV6C3R0oDvprXP6VA==,type:str]",
+							"authentik_secret_key": "ENC[AES256_GCM,data:29gcSIUlckY/lPvYCd30c9sxLK3+3iBZGLtUS/z96a4G7L1LGoQ9e54mntkrt1gnqweT,iv:EIehlaQimt4gMRbPdTvH+aK1UJdhgWXMd6PkQEH0oro=,tag:dDwGKuhBQj1dyFfcJBI8dQ==,type:str]",
+							"cloudflare_api_key": "ENC[AES256_GCM,data:iYwijhI2ZIakXhfaMOi1gzvUE/RYLLbM5uSP/Zia7j5Zj5b+Tw==,iv:Q0Y5LBAKq9QKcx7Yv2DoaDZ3F5MM59Bg5ZTLIch+Nq4=,tag:u4qrKRnhR1P/nLPlB95XFQ==,type:str]",
+							"cloudflare_tunnel_token": "ENC[AES256_GCM,data:k1It5vyLYZw/7Vlht85fUl0/pjqJb6CdekeD/CuGkiTYRI+V8XXn0qcr6B2FWqp/dy/O8BZG5+cTqSRNvnkb+DY5I0B0x0EQLzwX9x86XFYREc2CjyCbhzW+F7iQVe+2/YvxHJrD2RyWr9gw+We83ClZ62oXiEJRR80bL9KjT0H203i4rsRjwjd2lnlolj+AjR/GJiesmAzOschC+Mn1+hkkeSxvR3tZZfgSlKccykJ3v+xDi/j6fg==,iv:PvKgKFKJDZvOe0ZzyimH0rMhRmn4oMbJkMItR2ftLM4=,tag:GFUF3SdPu4WDjI8k0CcGmg==,type:str]",
+							"crowdsec_dash_api_key": "ENC[AES256_GCM,data:8Pn4yTQfVtSfYHo1oPHOsPvL9DCpnyIcHFoO7TsuLR2ZglYTfzU8a2oXIg==,iv:+sln4WJihEVFnbqAwYYQetwny8p5BohCuLPqDEMxNBo=,tag:tTxk/Pry6oIQPGfa7cUxpA==,type:str]",
+							"crowdsec_dash_machine_id": "ENC[AES256_GCM,data:q4ZdrZtNKC0euIHnFXRurkoOD4qhf+zIa35XJh4=,iv:wi6f0fraq0awxNWbjuIECdSJvw1LVapEjqJ8jDu59Mw=,tag:FaKXVLobgaoxlI/C4+vR1w==,type:str]",
+							"crowdsec_dash_machine_password": "ENC[AES256_GCM,data:GkwpduPpSXwEHBKqogh/adow2s2RFYYjjqA+Yh7UV3D7uGF8SP3/52MXlej93TlGQDGNLlCFUCgueIf0UDQEag==,iv:tkjDctlTgfnZ3BKx4EyWTwl10kIbQSpKz/W029qxrbE=,tag:HH6T3aZ6e/99OOkXtk9JiA==,type:str]",
+							"crowdsec_db_password": "ENC[AES256_GCM,data:x/cWOLDurV2xXeFsa4Y=,iv:xV1AVAAOsVMksBka3NJzMBMmoS/amwLjpQDvFopX7aU=,tag:hI5PIYyLiuVy5S1Ic8QTtQ==,type:str]",
+							"crowdsec_enroll_key": "ENC[AES256_GCM,data:nJbpxNnfD9Lgb8RC8s5yMYFWO4rKKiCBlw==,iv:oseijmcp/TbMF36zvPO3u6jcyCuhpqEInLULh0H81OA=,tag:RUG9tjGFmCkmii4uwQnImw==,type:str]",
+							"dbaas_pgadmin_password": "ENC[AES256_GCM,data:HEnciMEu/1iLSR4XGi3S1rIj2U/e4Mv2Z9W+cRPkSdM=,iv:K+WoDDVz8swfIwd+rZncBYAqtboui4YvHXcJgZRuL8o=,tag:wyWqo2S/uFx2uBJ8ygTqAA==,type:str]",
+							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:RsXyMmI1lLhT3TYo2NcLMzRfV/8F66jSOYo=,iv:v2JOiOWqcf800bhW6Z06oEg0Cy07Z05WX+rm21l8fNU=,tag:VXh5kbdunehfH/U8+fEgCA==,type:str]",
+							"dbaas_root_password": "ENC[AES256_GCM,data:BqgLHBSAkxJryzx3Z9yom7Rzl5aXjKQV3FGXTg==,iv:V+Xf0yh1VYil0X49QnpHm7uMrJAAbocJvuGuGgQSBME=,tag:u7ji17FlyK/jK5dHYL0Ckg==,type:str]",
+							"grafana_admin_password": "ENC[AES256_GCM,data:cu8joYfruzUcCiJpWxUscvnq4zI=,iv:457kRkbZnED81YGWjlrwABALDIT8qU81SzeS1ChJ5pA=,tag:8i+vI/DQW5ji/gQLSxJOxw==,type:str]",
+							"grafana_db_password": "ENC[AES256_GCM,data:C+fD3gHetPt8OP074RLcu3OKwF2r,iv:Uj70FkXzSCXFFdM/6oFYw3aPqQcgpE/Gzs7nz/xCI/0=,tag:Jrd15JALCRRBWr2oDmrv4w==,type:str]",
+							"haos_api_token": "ENC[AES256_GCM,data:E7wkEu1WWWh0YGI0Yj/+QAlzdsnjjJwutj2izK5CX9CtM7thMrBunro9ZuJTiNbOEx1pbpjhEPHysGl/DxOjZRa/RD+GKDfdik/QABMjtnHl+CONc/f8Z0TlHGALi+fJusKa6eZ2Pki/3rM3v9A5cZ0VqhBst3IJu9R7NzthdSjA0NdEhHEdm9dUELAtdN6FaC5hyB69XUAylr3APdsw4qHoopYBPQpDXI/9y/2GNuPBIro2+ZRP,iv:oCaHWvpMbeHZE4usqbK9HNH06LSC0qaXj75XxMqIw+U=,tag:h+8gRClr2VIRzY/DgVmPzg==,type:str]",
+							"headscale_acl": "ENC[AES256_GCM,data:Yw+52fnncYyQhOPmpWkcIKuQEcYkgJ+TAhWzjEKrx5+T45Is+CJse0qkh4noqniMFWuKJc9vbOHA0zDyrR6ICbVEUjFwaRT4uuKqIzf/rrwWPAJHTctVT5Tq0msoKD0hnQSUCKUwCACCWDcNGfgD2YnVzabEUkBPVnrXV5Ffox4McXvJg22JnB+0wCpojkyP0vaN3mn9ojQLeDVhlvLxAQz8cLxXtGz+jh3Y/vthZ9ekVp9GIhQuaL6vtW2EdtRFAodSojZ97qqhwqhmdgkVLxovMjT41ueRhdL87kzWjY4YECs2oyZToEO6yEAB/EnLZiSZ6TU3jXqqGoIgYk/A1mJMDuVGxuazIhaQ4r1z33byJfrd4pvLRDU6Xupgh2TGIVLl4RDdFhd+RPYhZA9o3tHpPzQNbM1WvGHZLjskCfx3PY2FPX9uWKKkhIGApeOSMkrh8zRPUhdYawhwOXVV0exYdtYCyXgS+Lyk9Mhf/crgT7ApXetLM0iWdKxA5ZV2Uu/O0nXR+CFOrVtPtpnJavOh3tVtm9+wNSuKjQFRsawtEDNNgTP+DcGmzrbgR7il5j5k9YjultxhEG3uPKW0Mjg9X/fHGzdxEww44ds//BpgPv4Lx8SBDj6LnnJAKAkB2PwTHvXzzEAK/O2YdnoMU193Yu3d29Z9k1nh7/Zd06kEl9gbvZH/8ufa7Nnr5ibhSOnbHbtsArSYK+dfirPZb6gIaCgU6jJXNd8NHRiDswETAfyzzzbcMXHTTNTbe90j7jXviCrxUnxV3lnpcOG93cjH/E6q63Vb9ekpBy+/cPG+9B4UurwPthFLlY1A73hxeOyS5iU/VmbRsbSSHodnZK8u8YqjCMgHZs0PaB1j+cLiPOYxGSRilto2h28mWzW5p/u59iD45xVpdQx5r/nYDUexeZyXifSa7BZSJx4tGDE8lmdxpl7pCRrGCQ0mEMG1n7hL1tEJfekInXk9O/WosVqEhOTBXa+AFhPVttBui/YhXeyNiTKLE2E4Bqt9XgHUigVQLNsaneJJ2NLSy8n1XKwyDinNuR0eyMOBloqJtM2UY9W3mL/dxeEvCsYahNbteMG9dX70WUeO3S4PJ5vxjwzyD1a9cAU2se8+c2odPN6mQlcgAQtJAdlsAQGHYD+vVmKp79SYIZfc7W9ku9Em+fX1QS+NqdQ+szAKstenwKjxt3qZuMSjOZ/pLmdcb+pbYkohHJQl5k6yv2bRIB2hAEzuwlYm0jWQg62S3iJuarcKYhnmLYTBK4O9k2jc0T3dkqyrGsoGPM0eMX79r84JTneXNx44nuo+I4euc8jehyERC+nkNwCn3E8PQaWPQIRRbpG5CXNu58STtLZZiDY0LQGTV/Y5TX//cMKQ5moKzYdBXH0UVPT3dyVN7+Y9vCUYSGDDH8CIlmf4C47mbXfcG1jKFKc0f+PUyUh6mO2iYKrvBKytpNNwGhhvlu/at9E0qdTO6ReoSANrmGHTVZ51nIF6AAs7xHyuv2ukPNNAFioV+PZG5p4wFLLbWQfeAsUGnhnvuM8WoeDoKkXwcS9jDUZ9ZzEvqEtslDlD6GVG+wkajyHLigkzs79qfcBbKdIibpqjD2//dTVvPMyGST799hEVPwYwicBG0WE9GYFyvBbPH65SIKbr8mzpJo2JuksHcwiqb8kBniKfyWnOeEP5NzlIq5/57ryMR8OrOGZbCzxpRTU6DFAYwxFGQ3GqhIMCklOtIpbtZ8MVGL5m26WUebUEhANQi6G6+sZJ81lHjNqKy0YxAAVHFKW5wBrQY0S1scH7YwodzbJZW7HCMEkcvTJ9DCHp+5oS256BgT+lc5YL3uzIiZ4wm6G5gA3oGCj2Kq67YsSNvY2kwCs1RW0E5cva7KMTHk7cnvJS/5S0p6WZLWebx9tGzHcmJ2HxULSIdddAE6KirpPhp3znMacHuaMO0Irt99V26n669lzyNMLyEGhXxYCs/TQzSuA0gSLPzZClsVjIPzJfCYK+0MZtbGrbUeHjXIG5UyGvOxaiCR8A7yl6xF0mC1kNZmk2OcsARYaGKnbG83Pw7VbBkT0PJzAcI4+ojlNNNvJBFIzQvEj9UnNFipn/uFDehImcVNVbReDF0oZ4lSz+Qx+9eqWFHukDdoqiOyVIKwicYyvOB6Orf8ctVOgyEsYqs/pAX7ig+rNpL32o0sS5m7OIshdlspqw4FiM5XvEv+YruYPt+AwLkAHfM60Wtp38zQ2rqQUfV/lIfbyiTiDj9hkJSjQVKERgMh18H5ARLNV98G+wPcAnWc3OPvhEfkvonheViLPnrsr6XUj3cbkJoG1nxyEBn3X8gthMCjRbI8XoHIoxzSnDNtP6+dGqhxlD9tXFGlYzUmzd1JwhqYBE6PltMZ2KCuzXLpEVmTB6vmEbKjv6bBI+NnjOnQPYKcbpATBR6tpdV6VB/1lNk5Knchh0MiwqIOhFxtj+rEYTmqCycX4q85Uhpf0442+ublmv3HCVhF1BEROv2fVdjOGx77z8MEI8SJFtyoKIyQ6YL5DFurwEt+8AnFROFO7HoXtQOyXmp2jM6T3ZKuOgpPqd10qbxfDaAiCZtdSqZ3c3ijLw4CHNrTSqyNWnv8ahrko/05l8HDLSxqkWmLcukqrgkN8tEWeOXdx+Iw97Fqe1bTINGWImm0fAWEf14zYZSZiX/yRcJhmWXonNXtUjq3Zay1SbfApMQvXn6N3oJxLuSnWaud9tmbTSV/CnIPb3ruheQ2ywm8MOT7j6d33yT2hecIZTtniyA06Rl/m+UFWKNDbYdN/HSb19TFFiWfi2WH3CljwdfCoohxPFb+F+5eTV7iVCRrCRnzhWzgqPKMFMgvjlEa4H+Ftasx61GxEQt3SrqcxLlgDK2PB4T3a6jdJBcgbR0hzlsz3aLxdQqmZm1m7Wjk/tRnK71DGjykc4oT5y1q2nEhfhOz//SNPxy9gQkDvMdPPa9Kwu4soHyCeOkWTienQhxl2pZGPDLJ+0V+H2pzGTPPbLT2o8JVu1gqiZuixGk4Kk1b+kRoU6WWXJWhy8x/5G24PCRu6oijZyt8nlopLkNKcdYB85CgMFTdtEvJnkwwPqS/G6M0FCGSk6xTG0VPrQMdZsrMCPQKM34dP3mL7sJ74Ts5vY80Alj6fSjLUWfRlqtz08JPV1ntxVu/mSZWBgMUVaxIWzKQJDPZ8jX4R1HmsQTXWIP0aHpev8gPfUPwXj06l9Rnxvw0vQfvl9kwEwqssSi/OqJD5KffHGQJN5Yp35Ei0u2Dr6mz+FezISxgjWLpHWsmvtWRZ9M5AvXQlgsYL0NEDvsaSHxxhKGTenfh03MbCQwPxTZGgQ+DItipCf4OE5Q/Uo/xnKQyyFyMIIOPCydc+hb/Dh78q2XOtyhRvbi4jgkdxCft+urCTeEMdswZkb418oTBZoirkoXzK2WdsileWdPjJDqCS66sS9t6TV6yUdXO/fugX8Hi7JvuHvxxmvnN9Cmt4VKZqpevj7nswodhlyoR2a6mZd33HFgSxEyG6guAJxpBUMV7ZdTBHFGUUlynhhl5FLk9DXtRovaTrq5FcngPiaaCmYSeY1bp5eojGuKPU1SEIof5VljhSVj7CDg5Rh/iCs64YLGTU9nb/9rFjsRsvYSCYnchgk5bESq84pIQH6fJrTujEZLWs49yPA0pPhtj/uqxNmAf3wboIVk7U6cmpevPry9pFdxZJ18Pu4ww6elBtCx8yP5unAgquSBVtqXJXQEHkXTZ8FsWuDrAPfajpp2nR6SI2KJQL6XwdfYcTEDFDVjhRocCXXcQMwaguEYxp3YvXF83Gyj0tkvB09aB0Hq8OkumSCP/Tqa8hBjzivqc701UZqR7x5b7UhsEsr2YGLxxLM1VsgpXX9DUIoNCm6qTBQZI3sZTYvXzAy93zeY7nut4l26tRsqZqxjqODzkMmfCs2etdIQRip2Bb0BgBQHIB1ffwHe9xly66hVk+h8U1mfQ5sr12EuqjE4k+qqvKNOM1TKhBFbiaQcxmiWly3vli1KRZwkvR9XcgPwbVYcpQkq0y7VmEuJrnAjLrYsVkYYsve5OYFCnfsGih+PDcZRDeg1JtWB9l36kufOpRo3HKajFU9QGJeBe4riUhnRRdWpiTfBgF97ShIs6HjlJq1Vs3Ver4UrGnhwHCSfyU1fwmHyNkHJnNw8OD+12tmp6UK0WhPvbAHBvTGO5dtaIhXjmKDg8E6BC6LDPbzbQkSUUK4hznrfHaJBpPyExlsGsyD9u7ljDmtN6zrYcye0CZP3OqxVzs3g12D282lpnPSuGdostK5JrGxkdR4noSB7XWndZaaaIWxjlVt50mzETWYei9OC+Cnddh9jnyFlT/5IjlQZupAG8RVyzaAwFve4bJkG4qBVLOoVmEQ7cEVys1kh7nt3S0w2l+63wPis3Syc1B9NkF/Yw9cSGNSTv/kBNRgBxjcJCLk1ZGLkUbkp+tiPluPT4nXRMMw2gp+ptdeEfAruKqc/WpIp1/5GQfM+aAn71yvp5FoeklZAuKW3SpLJbprcQDHUpiZebr7dsQ9y9z/HeEj61XKGDnyYthz0TrW3b+xw8EiO0VkxFrcjzRITJBTwpPKMcATTcsV2MW2BfDCP7VbflvG0+JDzxqtCopTCFtoOpb6/PKSQ5sAvqXTaNj+H6rrMffiJUlF1Vbzimd0K+pRqPbEivTKdDyh61YT36K2TWD+fTI5FEikBqhlNRK5CS1ox/LnWBeeGIFZfBvFQSFrnX7H+3r0+h8mONvuQTP8zoA1kxu7MPh4aunzG1DvFEMNB1IfYlIa5K40Oqa0wgJMCAUnm86xpf5UtyUQhooiLjFd8IZ27OnL8/ddeKx3hKJBExkkAi7MOebsfloq7HSqIztr,iv:C9i5TCb/WnGZytLD+s0mPmt5XEY/Sr70OQzaKxDoGws=,tag:vPrBJUrq+tL0Rwj3LYPxjA==,type:str]",
+							"headscale_config": "ENC[AES256_GCM,data:JR//S1NbvPSmWlJYeQiolxITd1sVco69bm8EBbWm0z9vbzvi8PKLZpytnTpUMiDMPBgbJnq1TDNDjm2LmgEcaj4+6yGpkZsW0yMeWm3U0UZ4mJZkAllaYjAm35U09PlsR9MpJ14g3HkCVnYhQ8FpaPyGa/WaN9Mcy7EFvYvPTmh7JGa46b7PendfKZsmiwqWVNsvTkCao4HBONKICm/I0XdkhzhS8/gs39bQ4qxpnYrxRJx1uUQUfrUU7IJ4FxkrxanffluIg4i4q2TcaLGQcdiTaly6OzGQMIyblWEyljme/ONY08bCR2RvV8D9iKY+DkObR+NZvMzKuvGbp4sz+yIXgQZxDn+SiOi5xg1reR+lwZIGEEyB1aaf+FCYEuOxqDMqOQW8Cz6myCPuZfPbiNxW6FNiL0fZa/lLLSY54Qh9KPfBh0JxuoBpkvVXmfUjqu3t5KEoq+uTiiXMNRnbjhbQyQc1MOrxptgf58nZbJlOzZoAdnw5b3wnbRf3GsSEYr2QDSpeF1TWNXYD57+aCY2I3ezMWsk9h6NGYJyAhxgcahSMtHeurlhz4BtDzN6qYLHcc+ldfW76+1AOE5ZOMpaXMVIjdHJq5xdIPWPf+aVQQtfUQy2bKwxs3jrw5DeOZS8RXUnDwqJvuv6smpkfXzKFd5ecOQSI2qCcVm+PcbcDHYz6OVpNn2KDg66I3kl1XP5PqdtuBLGBpkcxBEUxIoYaWdxfpiQ6iL+jY0Z8XdLJztBJE3LsZj6zT/lE3/eVm8LXsQ9U9eTl6OJqMW3gGIbLLNDwZqtyUdojot0uPNAiQd0f+W0Ew+7kfbLjK93tQlsKcsTYZSOGz9DbbuegmOfQKcm17VrgfatCVRhnfSq/h+lCjzirk9MNX/VR6MaVkupaKe4vz7l+U+R2agHe3BowwNNVpZa+O9h6qPyrFUy6dgmHsbcVW2la+brp4OsDO7V+cZPx7WDuV1Urd0BRuKyJuZY9pzsAjHTrn9WQ1W36zqMnhASc03X/6ZskQQDZxX+qsUgRUVNDGMAe7IN1UAsYzVwYjY9B/iEgM6ofHzZoBrdaLOygX7v07unKEGfRjk5abOZtIvkf+EwfIsKKZGvZsnwzNTgYb8lUepV4d0NHlLTEBZoJGZkJDYp7PTzUfVOouLvvNnI1l4czGyKhBDOnIaYE9X6fwQyxiaw6xxN7S8uvJR7uRsHDR+psyhVNZg41q2qgB+6OhQeYvDTO54JyFK71bfrei4sqvkLNZZqzGUP3bHcGiW+/jXZOLoTNzF0isolHQlZf5++aau8xXZtvGS+/Y8wIjx6r8LcY9alkT0/bMnYMFciKEALg307lhvQ0YTEMSF1Tt+oHN5ogGwejxlN1nvx0zHMNkaAGT/KVOWlH08qPYI50jdxxG9+jp8PwLrgGzNkBqO2Fb4HJUHvXnLMgbHGPDDMAksToihuz+zrkjRn+dSlk8bZi5fhMVFyMjH/+fANdkyZNO6Ra20nsH1QoN9EHYsFLH5mtFqiHPaM9U6Qs0h0y/5gRBf7ii31RdcYJJYAdG3MHmy4PL94TtO4SYS/RzXGmJZvPC2CO127sOw6xy7rTkLRiDADQRMAjmojR9zyj6WSIgmw/T/0xEQviAAky2yp31jtqdZ5QYZQX9jn+/ptSZVdtNKelS/Fr4fMWmQ2roh+V+jhsJPx4UwKUJkWmF0HuIVVTJ4R8dUVx9uuuGlvJ8BoDF6KxmnboYmsmTD8WkwmEmYT4TEB0gR3/OyY/wP2chzAZEgbiMd7iRL5P0CCgBhPefZLIciwT7eI8oGm6b93aKGCGWCyFWVkW45PmlU4hTejRklei+A3XxiR0ZbShpYoqqEXQtvGGCQZo3FwIVnDabS5EeEyTZqia0/BQCnvNI1ugPiep1a1EbpXEr3HuH+7zf3O3pan0f4SsVWVbTQCNx9dtSBCPZaw6Y/bZZpZbwdMmyOt1/c6/XLKdxakr1gjZsLdh8kWUlYEDzR+lw5XBpk7+WV1+MeyMK0aDJs/Asd4TPgLMP5G2m4RcGEYT9vJg9ZCNEYmgb3VdHu2baeiXAKMupmhUfL18FMrqF2SnaFesIeu2TTMaBtJoPjG5Z5FLu4UrgwaPWwS5GyAit/0Yi1C7CQaaTnGjW2kFi2lLg/91JdBcC72G8TMtBAQgRvc6NI/imZAlVqrXzzcY5WEBzDacCa+AHV2u48RM49c8yhfYS09uMsggEpNIJ4IaM7xwUvQLH+izIaioo2h26to/DGMstjNGPXSJJPB5C1zzieJQDqAsIZDWi6x2djjX+sUDpjGqPreTQfV0IYa3bD5NUWXBE/1qkPqIQwB5g+8K2P6c/hpmkAiDtvCXZv/HgDrJ/QACUEPUJ2OjSeLQBjQHAcmQJR88vsPa2OkZUes/Yt6hpJFB5fZzem9H59LCCkbU/UZVX9gpwWjoC0gOtLO4/2c8RQ07yJtStfN9sSMi8ASxwUhPYAqA/93x7gYdL/k/Ei0Lm2pvuF4VAY52PTLV5za+540ljk9lYLl94AkkumyD2gLs1O9485QLQYODUHNV0DQn6bq+vhBojogJ56QiefxFsRcCd851p4MoGvki2jsfakQIsuGmRgbB4Mdy2t2OyyvoiAbkAT6UHmIQ2JbWE3wwByV8dp0bkIlqAkFaFclnld+e/I7nnAZqB8iMBP9Ruo31/8QglcZKQY4cpAluYFBElgsiU1+Erdbn2ASxONhMNu/eTEyXTGQ34mAI+wzBIR4BA0tThV0ALjSXMJzRcdM4unvZk1lJZaMl9isVWdgzVi7fX8NC85J/VIpMbNUbXtbdnOQSN321j10IREVOVhEpIPSC//7m3uM6usHzBQjfAW+yYmQEWjbfuU8hwXRxILyT0/xeFAJvE4/oF9eWCyn1XemsXLZ8WglRp8mA0rnA99NKhV1KwHf7k9davRwYCA8guWVjRRMnlPUzWWNmdIjKWv83WDQodmBz+pXLLQ9nJvFiGn1H2UtmAkvQ7d8n88w9MjHhcWMIoKmNPiEH3kYT5wWCdq7z9PgaR41a5LPea0COeO8dpvYtkSFu9of4Ce5Z8uzyy5IASa41A/ifTeDzzH6fAxo4P3Sqy6MDd4lV9gO8axnUdJwRGrZk89Bk+fXSt4CW80cBm5K8qGRMAegvm/Cp+MxufynQ3y22TEjnZHGT/YHzutEKhcH0yVjWHIjB70QyC8v9I6A0h2R1mkALkeKq38loDS+L8JhWi6H+vLNxy1A6bZytBYlpOGcOablRXEKF/sV8NC+jUC2DfxQizVHoSpYB2LvLrpBjV4q1hmHmce6F4IsCMe3JG61aPPXfvp7eY8R8LAbgu7gpGfPKWraikPKFng3QndfFPv1/nmGmO3pRZpMumGJMST+dLRFSPa6p1UKudyXtWpNe2pNFoP9X8KU7Abp2mSgzCi1o+9r3RfdEPYLfHprULVuXg16LUTBKvgNmIyLefuffD3DKfyi+oON4No34qVbzCa4ocNRl0as9ZEyoZ84Me6Hb7FVsS7EaaY4aO7w5zjocRmADxiaS/8dzxT4N8ZAQzPr1rnpN/+nuFjVhf1xVZMMLPfM/Jwmucz3VJUbGbDum6yKH3CgFOiOI6mC/ZQRLcPhD6GoeDUhvAlsgvIf5lAOa3Oj9L9PqLD0RdW5l9RVyLIavmgU6y2nuDZA38MUsP8LcDaodJNytplbAs0LiPN5J9zYm1B2OooatJG89WGSNyXoHq5ucDZOw+LcgfzKSrOVsNSyCydLOSWg4ln2OtiKcHGR0FBmWs9h5XyZbnI7M8rpWr4m4uJDd3iE/j2sApY+STcFOw+tB9ywS/qDYQBDjHuLc65Ed/i1iGDzkL/HQ7zCDGW7yOd+kA3VZvMgrUjNRO1imgNyThdOVphs/UMTGzS4T+T5odkviArEHmm6fAcFPoul567Qyx4LL/awsMzOY7RoYn+BYEdi+CL41WmvIft1aDDpOuHBeiXZP3GUpP0HUwjHGqMdqlK0aH7SBTWNV5KJLw36THVj0KM6FaemeCZZ6qmPI7cv9WoYLC6J2R0pAitZxgboeC6jJc4LZ4ZO5CHLXsCxdkgk7pU2Xknsf3b6p97JUMx5UxA+AHkOXWYStYVR34t2mC9sNNMM74GTPxcGZzZdEyunTlwtJeRQB2mLu445z3ypyRVtwYSTinQApWcbtlg+z4QJeGKZ9w/y5nlnMo6oHW1hCBsyaqPgkdU0Jt5uhKT+4FdOXyOkZSxeDjHE0ca2cd1cgZ2MNYGuvk7rKPuiaCwkL62wWGhk2hOR/hjig4k2yfdnrIOsHI7vNmj7fSfjUCAjgF+dQYMsyI31saKaXFA3cxl1EcXAVk7YvEzwZxNZ89F3Yy+SHKbh7BUlnhXQL06nqkK337C4NKvkeTonaqOvYVjwkpWsEI7uQXdUFP9IS3OYCpo2FrtyVf8kVzeLQXAqdDhZAtNR0ErAAIGrFZrxcuNACWePZfAn9dRmL+CWlogAdGwigkiXTYgeV3B4jcnQBaPamuhC58Os2sYSbPXMUG8N3uNTBsjrrnCvxhSaQ9QGsdoh/z2X5jqbpaLD4DHMtkjpY4kDFDYUK+dy6v56g8eOKUrbdHTlDiIbUlar4kziAEoDrVEx0iPT+j/IkJBpVhP1CWsD2PN1H60hA+C2Bb9Y3p5xzAiaFPeeJhlx7jbye35HPN5nXsaoloAnD3TObjPwd+tYH/oVQstvjkn3i3oI5puiiK9bAq9okzQig/u+4c79xz3nTKEreX2yRRFK4RrVH+jVbGcdqzLOQHmT5ZWFPC3cZ3bnV+U3M+FdrVBfstVVPSm2ABELpzsxd7gkFBwvYX8VwuhjnLfLZgt0fORafmBMFY5ckbSD/kzzvuiRSaBY4Sy490RLWjgL0AgluNigkyrCQ6DvSmBULHf53jSY2QbpjjRDmugmtkvOiQyGos2hsdY0H7ZZdSf/oiqyP9Uk8OivKRCWWsRkrAxUUnALx/KgrxYgdKB9mv8AsonzNq8nH/pF1jvyDKK1X3K6suiTNLaoGWIodXdD4Eem9Sq5lNEBz2zNnLKYeScXU0dymAaY+sTr/+hxlvjbVGRPlf4XKEhRSOeZp/qF2+7muE40BdNRm838R4RxVRyHsRZCPnnAeYBE/NZYrmBCdGQLpgwud9JmwIsE5oRAKGng5MypVWZFOyFxtpPlxfVXU/6K8szT2HzgDqe+uzIV5GNozBN8YrOwUamiduj7GtHKbeYbOqot13Td42LJImH4caxaVxLBNL1cGcpbXOWFHMJjmnvEzqyFBJdkem7sCfOirohzX2QZDEFnmNo1bBYiUL7QpAIxKOZrjiFx3Oy2g8rRcDmyH1SPFmZddda2GPh/sEF+3zXo1jRMz9Hl4K0zjUo6SLpQhxzG6POoDXAylbnunGf0AP6PUr4jO7/Kul3wbfOyEPo9qdnFcvRhwtDsebBiITSAa7zUYUkmKafxlroDnra9rqOPrbZPfXoWwRwOjwSBSzUXu4xPn6ZBSotzm+ZbIY549kYF8hrBkkgGXP5Z0KVtIX71LkzIcBmZjNmSCjW1gviDhoxFuP18Lx/2D6H67riBF+nyo/+aKc9NiDVuCMo50ROwGdK/NSDlDFIYXxt/MZrsPN8Yhg9M7Q4PfoZg0p0UlsuDBuMorwSM9cAHUbWsv7GQ3wQrznlwkd0OcCIcVMBdP+0RnDQVlpKiC6ZWRP2fK1mJiMAsScwp128IeiYJuajuNilD9OnleRG1zrJsCIza8LGSs7s3GLZ0HFiSDDBgGwiO+3k5EwYgOB1EDXX/Vph9Y5WJKjoFxWjam26aF8MS7P8VKsDQtyrep0N+ANW9ojtVBHBy6VOLzjtz7HkYkrCB6R/ZawtBDbuUqNOOrCF6UK0zEZ/xyJiyCT5abu/0ggZSu4Rl9xomzrz5A1r7Gmbm0tTK8MZQbtmCIZqZ+1yioLwnUcuf7FrYoOU+wlWNNynPg4av1poy5AP6ZrsvqBgFf5l7UXnSJi7r69AQA9gtxGe1RoRIRpnjvoYVBkeSQ6xZEzH+6mwVPwV0zdxCXOmqcVZVaB2RsHYLJaM1I8GZboHEW/7IUZdGJHCR84Z3Efhoiw5UHM3ZSzjuSwKeWS/QduN38wTu6q57aKg6qznyByGVBYaxc3cbcOPwl1fKozWUwNFx1p5iqymqRoTHYUdue0wGdgnTTLaPztIZgdW1yxsD2ekq4T/AxC7rSdlfcEnJGrBZdbXTIaFe7W7V1yYUA7F8F/mGLZUjwNktv6xXa/yaZh+CADIQYD7PyB1D55tV2UBe+fG/xstCANmm2yaK1pXA1ZXl2JwJfSvP56S3dGvZRaT9nLWsKljD8NUQiU1aeRYqXzHJOjtR92O8FfEIZHCim12Bkrv4iPn4xDXcRgl8V+4aNebQNZvnzbmJvgpSLpdrOfivnsWVC+AXu4e5Z95m+M/TRMjz+5Efz8q1kCjBZtHvnnDfFpUyYPINHdKC6dAimeB1Y3nMQd6zYFRE9xDgpWJEXPcbzglSF0bLB/svZO7yguTKmFpdujd3A8yQ5AyBKIX33u/A+TLvuTfgOykzrFxH7hZeUA3y3Mm8vAGYAZTA2FCUJiQGggPlS7wiL3BgZCfaR8IlEqqsFNvxAZLeUEcEax8bMOYNYw/XppQyf4nAblzZcoUFGTr0NZVSkUBft/WwIRV3s+ks+uoh4iOyCq/hcjYB0zC/KlssumNYxHnlCGJDinLfrI+D4UIAL2+40Pksi6GcHs77rJ2w2zhzgUgscuNcGPeGTbirW+b8TlW+C9p2Jw9DzU48oVFopUH/pJrYydIrv4kaX8NoVNkRP7DbhecHWi8xDiIFMT7o62T0QFce1efGyUU6Aft1nAhqc2OGyyt38onfxCYg+0wQo67r3f1WK0nNif0V71yqYwzD+59AFSn0gfU8jsx4wjYV3qyQ/43UOQLfaQokhSRfObGj1e0dnZBWsL6+7zeWnszLTUf1vtgfUxq/wRMspjmWdJ5moguywIw917N7O3ZddU6bs23ZRyHDXQkBQZXMk1v4cc/mBGb11z35N/5TvIZMdDQxO0Sn8BL3/B3HNks7XrH9JCb+5nynhFA0mAwD3DIdk6QV400v2S3Vijd2hwCplPzIbsAJdud4wW63aPqOXvVMe0fSNBkecYnsaS43dvYikrYc8Z4IHFqgv5djKyHvkF60hu9TOIjItDimGa1QI+AAf1JV/tx2bM4A11sR/4oS/ZozZHSWT8q3bFA/SVOhdWFZbB0gT7bKZXpKEJjLdwSmPS+gzZRW3anoX2A2QHIA23bhEanqHfuhdrfTLa1h+qfl8sT4bd13rASuFO+tlIzrOHBJF2OIEK5kJxeuOAy9FUB0I5xycGky3G5LkElrfWAKI1lX3yWQARwQhNLvWTsjXDIrBPbwNqR04H5gUAfU/CEQZ8aCqxWlgoHB+h/siQYDXQGCWPTXTklQye3Yr4SCHbTNSrexZ8uCUETr0FeXp6F3wv/c980qobCNLljUaTfdXT8X2hBbBFfyhVYQ64zaNV5+qVAaxjT2DGIMGZDCok3F7TLQCnMsmFYGaqjaWbG9eXlkWDOZXOAZ3AwLO0kOtKcvVwvX/LpqYqId+2FvEn8k8sv/xiDeJMJYZPclJ6pFRyH7deSnJ66QYEZ/2y0xgxaN/I56M3tChDFQ1Iv+dBDNfPiSJNqsYnyksb+bu9FsEP/y74dCvTWrUBHxWEbr0tbpZ7All546TjI/RQ6X+cquHq6zk0KPGxBQD3JlBHxe3Gbd3gDoFs3l8EQDIjthJtll4wTSJXpUmbMxr+jG7gjm5xcxKKcEUAiu1ogcWDIJAu1xwhly9wYRmFC1elnxHYfK3YUkem8+SeE5hqvVjwxhyf4yhchGLeDsYeABWPhqP9Xhp/E+Y3MsnDgZ59hALZYnzIkBSIPyHw+cs+IQp6C0pN2xWtYferamlvrQrf8QfqouC2Rufu3SJIj2N8NmzOr73dQTCrJBsgX9GmGJE3JPGS4cDK5hM4VaxMqMCqqM9PGknzS9GaPM1glU2UUtkyPGxrGnhQLhQa8SdU+n9LMRAb7RUapl0ropGBFdNDPcS9mLKfv/6dJvd75IPxdSOk5g0LdtxLwGTOS3Qt8o7T12uW+Uf1lPeKHlhL8WG3UCdGYD4ZZngMK+pcnfrUG1Jk887Q0GVD9AoO6b1zxdPO1X5uXONgBeZaXCViyRUt3d/hzRR6GAO6hUIj1Jqb/XpsI25pCCxlKN+Jqp3hbQjTdB2cFDOzQIMuyhF87r68v3UVQS7qo1LBE7PUVykg8joGqkgTksChnu5+VjURClSy+JM2el+8v0tMJMnQ+YV8Vnw/uf2qvmJfv5YNAdLjcyXF5+oRBpWetvL73ycjXHLcnQ4RgwRqouC/I7BamQUlFHYFOJP0XyU+tYwyF3QaKw9bj5uWwZMV8sz0nw7a+j69Jlox7UbSM1LrWDD9EzxrJdEsnO82NWbsdbXjhp8CycKULkYjaeAiwLuopWMg6yQ3AfdctzNPvHgbSz8RfDTn9ym/L5XKfKcvBGSu6kf1bvJ8um6Y0s622sohUKgNAAOmz7rHV/Zmf1yW/SUQyYyJKDZ4gm3/zrq722iUDe+Mf2Mt5Mpgax5TCiFJrbVNKVQukCcQ4u49CZq6I0M2J//hUZ1EP9q5WcZ0RCSx2TTDNfhxg68el0qWACNtCCXoB3kep9M65/WKu/gfhaofMlv/qn8b8VfpIfFX0h/PgJ55363it0U9gGAoyX8RTyZl6ZL8m9POno6OfOjXZVl8SKAO1ogt1jmxYOGHqdBeTdqdnyZTW4/rzpJqQ/fpgXwI4PRxzkcCMXui7FLe+fySMdcVt6pQgYsEF1RudvABoWMk0Y5FamgreNkqm5P2siurluRMgND/FDz3lNyf5eVLSxol0/3cb5UZNqBVuzcbjXTwiobg+U6tjcNT61xOGmCN+JJdrtjvf7xQYyjaLS67Hw0iMlI9pvG2JWcpaJBmbCmtAygrMlkoXTXxSXElwiADH8jGv/u+j3X2EJk04gFFcsmRno9WYZaX6qQ1BeLk2sn4/iVDIh9ZvhMJ7Cp6YVEmvORMRWJgAUL+uL16pVZSQwmUv5VhrdOww2bEvwT7CIo4M/aupsS2VkfZlIKoaG6rok96pFIg4qdlz1cV1fDPbcJYb43UD1gm4nRUxxWtcAliVtcd9HJyMURazAsaKEQfYoFG9RbJ/Rws1rmwkPXw0/leFcTtmXjcRQr4Wc2HyVlCJHeX7Bqkaetp6373C4Ux8qgZovWYEewcsjoJ8VoT1+NO5zT+77ihq8kZfzmHCLvas8LU8IaQGAIPy4nwRq34Z2u2Jbtn0uS5FYBeoPmT09isKdS2Q0qQNq7+t28keSCCmUYR/0myU6G4wjngGtByvg9Ao8GkzKwZ/czXMwjpNpwwQBqOXnkgAcgbZwVWdJQvXPk04EhVdFp2AmT13zMGHaVCRE6dyzyo9qKhrjNHpYuX7qrIsk3dCsQxs+0g63dOeJSlfHJAnAS5HpFN4K9NZ/m/6EZxA9ceWExlBGElIg9ebm3VJh/b+Gr2BVs8qh3vSBmRog737b1jTpsl5SKm4KP6kaD+5VNyafEVtj811eKBMoZSW+a6ThAfc+SgfcCmvn3IvLJGaKoF9E8mPEp6kyXZh+zj1DPsuI2SREk5hItLjyBa2C8ttWlZvzuTzUnF2CfRb0DSFbZRrfR3cYYPbDI0t9vuOV5fHqrISXgoN2y1Zh2uzT3Rmkul/7/LWxOylRjlNwqxxs17Ik0i0F16Pe4lTxF9DrXI+/A8P0avCoZjkXOdOrOr7R+plF7hRmrhgpQCbzqFEVVtF1g5FQUUEmKTmDi+wWUp9vBoJ+qoxmcj2xe/vU6if18+vxX2CLViS8WEkTMm2uHMmOPTYGmNCjlGXIP2ZlWPTko68PNARRLzSKv7hbCvfrO8f5khMMAGe12bC6gUtKtgX1b5jm43Jnd6ENLukJmHzl91+UKr8kyOEnfGT8vep1NyVmUR1oRpILT1/0gjmuq5lZa3f2rRaI0MDctKphv2kNDPzuiJ3mmoTA7FyMaiUKqDv9kAKEjqOhh8nTRGVwDY2Y3ofXKXjWp9Z4Kg9TyEINiiZwn85YFtSfi+loADnzIo8wc883qm7K+WOE8ermSVC4jzsVFdKjer9D1Vcm2R2jDlA3imu7Rl9WKZCFxJ9Gr6reItct1s9Y7MmbwIodtqwFaIb3aUjj/+PJTys8ALg1IFniSCTmgGgtTpK96SVNpxSU+b8VIkUJgR2WoQgQFTSl2/zmTID+ugqA12QWweEkrJVfzRu/Md1Qp7LwK8ieGcJM4LWeODEoJYy1SIlxeoCShEBGoFJxzUlFJqNuj9AYwVTfuMcK0xuEjSSY+VRO8/GZ5DDqP471gefSXpiJNmuaflBIiLyAxV6yTjDSCTWo7okH/2Jh1EWn79hyYCQ6ZsQ1cnhn4D4JxETLFl8LONM1OBIyjOkPYmMf6k9lnjQWodsMioyGkFhcGM5WBJU+NjylJWGBRxi9P7DLwWPiowK+k2woFGnfVSS0CDkYMmyFKBTygjogeYc0G+i8KV542SKLYR2c7VMMlIcob1lUppEukG9X01ELhMq17E9m+S1/755lF9VX4lgiCQ/fdgmJNo3pEcy+z3nsIi8uMmvrUWvsyKQ1Cnj9tQ1YFo+6ZqVuyXMM08ZHhdn3bqcuyhZYS/Al2yayxuBCDIm9ysE74sXxBBz0QHAWpXDQWhhQxGQZ0H1LIkc7ycEDdRtwg+hZr1zaGtQ8H8SiNMbIaarrmBLI1NIv16OedFLoKAj6V8QGtnp0quNJlS0d2O2b7r8p9fOs/lSIeh6cG+cxg9dXVcWo4dLZWpQPWx+0DNi9S0kkxmqAINCzMklPiiZPM6hblv4TtcEs7NdeDfk5LJTyvAgWE3XhaRxGTsAm5gbRelb8mm/9z9NyzfbfUIAJR4o04qYaLG88vkXcyqoMoF/AkO03ZfBlWDjMEgNnyh7vyPN/rXnJPyzz/SHD2j+ZCZT7z1fhvnHI35QMSr+DQndzucv9Deb+fbEH4qN1bG5k6H5gxRFhYFzBMG+2nNefUZZLlDRihM/hLsxxxqn0aoGSUSmkQMlO4z4uvqXiu8EQxiwDih+hwHCdvI7LrNNLSUsz9Yh6lkasFLUEZUuYP28JwkVkpDZyA/TKHVncnxkFLof/A76JIx3YPftmcn4B2C5jwk5701MbBytlkns7kxEmY5GL48z80JvnBSsZNjw3lXelbQKDkw0KzCZ0MfqQw+MLEpWKy1f0DeM0A8kQL2RFTFoD3xA9Et+8mquiIE1HKXtJ7UGfiAkEDbiHNtwWx/s6RoffN9PlgbjaEPtfYLYNp5yhuJFfJll9YgdUlsB+43uXx0JhPuVvnylqyb4AEaW+W81+TFDNejTceDJo3AT/Lm8wXaVuzZDnhhoJ+zO379oG6ug30AbtOfplQL9suYUXbz/+Gr2a5FoO0XFkdnJuYwQqgLFrKGxiYCyo97aw4NxZnUUgK2q2qU2T2WBPN33Ip0Rq/tMYsBiWvwOUEYk/bVtens3jid6ME6wYJB6iF3hM8AjjpH/86UOkWHTvzZJaxiRVsPBIPhXL5eo9MvM3vtzwU0wb7uQZWU3IjTRhugE6wYO11zeFCLnDSf3vNPY2+XTMqYxoftUNfjT9WwjoEFgSiYp80SeS/8CPLihJ35UpwCm+A4a+bYsMyUQet4FwoSuRd1gTQmt3sWhwMco1YP6DnRGtpHzNbRCad7yUOPnSk2NFfetC2ol0AnU7MxBS+XK3Jms/eUfv2ENOctahuOIoFES1oIeVRjKBstecx8v5TjdGSwc60Aa7ce98TS9AydT7il1jdu7Sv4A9Za7gkA+EsT9FaN2qm9jZ4h3QFwSjB/5OPh6Z9O9d3hluVWxBcSue3rrCHyBIlkQcd/ubhm/WYoVMkUmqrSN8DYyKvQZB5kmcXhzWdU4N6K5XCrh06nvDlDO6j2oQ6l8lPoU5nLDPl+BUvo+bn8/e3JLQHe5qC2NdtToro6PfoI9pbx+ttKQC/RjDCDrPDL8QjczdTModiEBeHWgAHfm0HnW6VRUjwzazQvOgJvt9Gvk7bHwE3tclcZHiSrq/oen4kBQEgdIwVd+y62mphWFfnoRSFzCl5qF/vpjDyp/ywnZg+sVu0gFZAmiLOFQToyOYVIltViMy83OGv5UtA860h5FQvWrhtPEQdh1sobnSVptRTnjbPeCRdbV5/o6R8jGv16eY3KjgeRt7gXYqsbhWDTHpaaH/1CsCrupe5ahXFvBC3QcY45BewsNLdgYCrZhzXm6USUGiZw6l2TSxhZFztkvOBZ1oWC4moOuq6/uehTxoNQWAe/lOHC6rnMfopSq5XMg/gZ1BsTP98YNH4DkruZGXsUa4ox98DQlETUkIgkuFkwtG/sZ3DVgpYiilgAirpZ8InQfYI58rmd0vTXpuEatSx36J1kSV++QQ2gMnB9XK2qpkSv6Mb1E/7rX3HoR3owsJmIQmDQMiqYeaREKDLFWlSP9/sdJ4AdX0CRgCIpotUF4crVU09DsAvzlfoZLpX4H/I4R7L/zk7zsTWfVZjvpaueHsYzILGfhiiI1psSW7Ccyfw5pNQlq7wYUWd/9mjM9Ka5AIVhpXRKQObnP8EJ4NOt8BztwUU1AXImHrLRTbtMmgK0+d7nvE2mEQ7ziuZOg19urPCFaJg9SBGIveqty32y/2rx1s1IQ6U98Tu6RYNHUm/sKp5JuASyqC3lrEggyxDKPukoZkuTSvwY0A1y0ZMKGvMEP17M/tOt8QEEFDa/4WP7ZC2uVPl8nE4VgqQ4L/msXHWJ6UHH5DowUr+ubyteYgzONbUbMNSqFfvuS4G3aX7dmQttHYdmaebKrNXCqa1jHrNSDzuP7IyVUakyM9zziDwRZy7sRQvxgf7S1LHsVJAttFmEahs1KCvbPN0f5NTitxvYh/ocos0Pn6JGyYxd45wpFos0V2PmKAXvTCcR2xjPOFuGFM8UG//mqu0TmhtQGbIpwLZK5l0v/kX/2wBt5Pb17MI4PSzrDHXQO/yXwnD8jz1wRxV4gXLidvFhOJanwgtmZNCEoKiZJFOTBNfntofZGXxbM2umPWpr+mD/i1qoK++7Rq1GX3o+EUNtk49VP5GhmrGUN2lOCGJl3CtpJCcYSHCs/IjexQMwA+vRSRkMjS+a8Zvi0HqWsVQnIbVT4qJoiKv9qXXWVjohrLtRAenTVNFHQlE4wIoN7AX8QOu62H3Iesg+9xxvv4toptGN4/EPZg49hogDPA5iTSGHdi0xd0a4ZrLcEQbxBs0z5Ry4dJV8i1uVwO7DUqN3AN3Tr8aYaFhGPvgDWXeKbqqECQ/oL6LqijDdTx5JWlco+0rCXfCp677uagxDfZsQO8JIBf18+i45CnT4BbcwC7B5eHKPrHZvGJ8vBzir4IOaELjKpzZPSxugR6t5oTDkWo1S9fmXcJCmF7KqvWbGJu5Fs2oYXhDrYiVA5OmsvVZ09WIkceX2FsE6F3wINwApc5MPNZexd8Y+m+qsZWho3LmHo+armK6euUop+WhOmgWPKiuSJzSM2L+BNX6U8EJ5FSFAhsUHfm/vnENPJvpsvUwgAK20PdzJMfIvGbIxJUD5vydUZVEw3I89/L2icXM5uccdEtM+2d3nxNYJH7WKNCNCXLEO7lcKsEO9Yl6B9SBBBIw33P9TuRvwMMvsGPpSvdxGhCxzzWKI1hPZRXjXG+XVxOK/UoVu+uHf140HBHeQah6ZedwkL1GhLj0DaEdw6rnHxN7YAkYwMxoxkIAIRTufJMJ5Dlj2xQK/eV+AfWIUVWAa9i5EIk2tVz5KEE4FRt5i9OCrAvyTPtb/YdLobttrPBmfbWiYRT7n95zU2aJZiB8YwsInLbROwJc25oTWRgKavyZq/peQZ1yeIqcpxS2S7dC7ZTvKRDcQlmzBzGwmcLPYw/wdCdfsWWSSGmy0VMlKUHnpCzJQyL2k4qoou8/0wsPyrRsYT/ibwmzxc8GvyxCS/qZ9UVbmUESvhlPxmiXrG3cADK4IzAZnA0BAkGUlH5R8Okrp6jyIK3ceHB7BBAucrprShqQFSgiPKPbu+0P0pm3bAtu+Q8DPnnKGoecgE0rgOt1AkkqRPeNAgrKGlU+Ke0iiYWWo1rpAvn2bQqVUZuNlx32QvQWgn3dL+LRH+fYgpM8gkvuAzQc/E2Jg4S+xRaACWVOm06oNm6vzCSgmSJN//BgaK9UI3wGMDaKse5afBXBRdmN4WMxhs6ds+Lgf8yZV4+qL0qfSfq3KD7l49QNzDbvSQgHS9wWTAVJYNrWhFAQm7LlmvP1cFg5bv5+Wup5RzzaDVbxUzOAFJ8UO5lsd8EbW/Iw5iJOsXQzJ8ZPGtIFMkz7P8j9lLl50rkyWgp75ABJI0k6DdIp7lu8nXZb0jM0YcrrzxUnbvR4AOhAwAD7KulPwC7nCaSSqd1TIh3zbUK7APBWVf19D2v6ygZSTkn0zXggU4cO6rpHpYQ5O7rlhldyOEiMWHomv2SCT4iz1lc4DH+2BHoKWip+LWfoYLkIT/rJokTYvowVedH0fhtO1zMJuAR2LzoQuf/nAbkDqaZ2wRQVYPk8cyMKXbOkLo9J95bNJACGnp7cRx3UHblgib0Xwp9znneCHgOsKdMTwEBv9ynpD+VdQEdrDfvG2rrBDaJ2KS9Hjb7cpJqftUYL48T1EX3ZFAb4iIUWlmmeiEw+/Uj6pqV8gijW+yfaChV7kfg3KKaeBnLZ1J/Ktj3kELK+ZMazmUK2UY73dpJLb/9Pg64hQi6r60RfU20MhPpC0NX+jFy9xLJ0b9QY/QczGRYNBmDnbiah2zX/IUefeS89hJrKTC29Sfi9F8QIJUT2NAfhwgUfEeu1iadjOCoFsrdcMf0SN+JgWR8NQf8IBO2viVKbG/aY3LFBtBG7TU7HntGcEwQxPtslpqQ3Xy1wAjsKxOPCuqZvwnajns+WN3efHbm1ICKlfMPf82ti/zY4G35ATF+8C2N90kNkhfJAz9w5FsT+FNQZkdvtVXNRkRZco2TuhJyfN78spe0ebgx3sHuZRdsJcp+np6FXLWoVE+sU4ToUDYuTWxhHBQ2Z+c60Lq6gOxHZZFl3aA18858XW5DRs98VVXcAlR64n04OEXPfAzcANkr3aaunnEuNxC5Y3v2gNnGxp3ZeFZR5vBz5ME3rN1GF2R7PBiDr+HX/Hpo2W40dmR6eGjTeyH8XZ1a/3ddeLEUUvZQVCiN3hEk11HpVnCNyLA+gDo4Ijfi/MrtpSWgKV9mMMtKM2tKiMoWVCaQc5W1FNU8H212FeXZHNBAluTgnAEjvo9XfkTXHXwXuAzS0z4euZqy+BB/OK2Xsj8EkuwHg5hY21YrPjSDzLCTdzFpPfNhBnSCjgZaewJ79rDxN53m1cMHr9y4SLjUqa5f0zUhyvEvk7UNxJPDxUzyqiTqVNFApybmE3lYTeBbGDuDPg/hROmG0GWutFaW69tWE7pTogUACQhFmX2dvipgfvTMP/fY6emnTeQM/zQGDumNQVkzrrWWm39nYIM6PDpcIH44B5f9dH1Clp8z2HCvKbkFgdK+D0+Ug98w8faWhrKuwuMrRiij95U5+JDsusIjyl+JTAGOtVH09XGPWgKfbmNCfAUXMPxG+bsokvoFhb8VuJwqofb5Qr6tb1r+Kdx5kZ5JqoQKwz1s1OfPgUPIq1jsqitjtTR5hJlYPkE7atdf1Y2/JCPhz9hbgcvV0+SzRFqUSoki8kpqVWAgFNBK5tsxTbq4YP8Icped74CmfGy6WfBCB0q8M9CwSWLzi9BIIZpWhjcUTREnKWJIYcySFVK0wyboWyTXQyxaZamB5gDnVWSdzQtFnAkyYByYm6FoxVeu2NzWTKiWzc//zbk+oo957LIer+tV4nwOTjKxwRzDrhTMpfrCoIlleWV1/jfH0LhG64p95qfAJV38VQn7e3Fd2TVrC5E2pvPti39+O2GdzdrBmMg2K5t0jKi/EgSqjLrQ4FcS//DMxrqV/dfrqjEl5eK2LFNg1wVjcA/ALj3OfYvsSvHSK4abLQFW2yMVpFo7LgXjtgppNuTf+CoHBZDdo63t0jHIIRrHCFCPs/Lqhw+3dcc6evV8hETxlSSV/55HA+iDBCSpoWYq1RS+YSIj9E+c4xtxKWffK6ojuQx66h2un0bAxEQORIAJp8OFLF/bIUTnXK6g7xKGg3a3+aMfn6NRGFYSZrQNegjaX6ajecZ6Ggwxwk3N7lcVl6DaUSbewDi/uCwHOfO3XsXWCn9n+fnKWmkkjvLbbn+6xTb2yDkrcGcZbeBBfUW87Ew0+jp4AYHgojGo4p1LEwAZSc8OVvriGf2nCDxhjqVvhLspjqb/QZ9yVsGZnRI9xmm8ZNqR6tP3rb4EBDqtF8Td9CcP1p4NRYBwnovF57695ZsHx+VAVMo6mXyoAbo7lalfHD/RZ1mdquQ+wnkAYEsfQU+AXSJzWva8zVk2G6NNesU1UOYcZzCSttGWoa8HtSmPa0JfGz3uR1Ee3ryJWgmCcRVLcW9GRGpEYqSKSBY30jCaP4PWgpksjNQcRCoegsUW4CFdKacEeSWIxEf1SOEAB5ZObRGkMpfart3PXq2MYx/V+ClCSNxIUc6pi1geRgixV55dmg9MSlXPxiMIY5oqyZ1qxVN55VCj8DtGSSYX+kbHxlHnhyhHVSv+iHdOWF9IBO8OSiEuB/cWtTk+/KNJsjiQpA8fzxWbT0KimQ8sxUEJCWN8Yzg3CjNJa9ecVno2pS2ON0yyTn+AGh5/Q/uSjKYPl0fXhvXu+eJrVM3JiHIzxBrQIM/WcuBxlcldEQHaUgOPDpuVdiXOh8HmsEBtrKdPW6MENDUrI7juvRsBmYDZPpacty57RBTKMBO4L5zZLiaN7Hd9OY64rSzIumSonV+8GZKW8xR1kHqPISWD/sLIVg4bmfED5EVOpUrWV20/sjUkY2O3sVQiqTmkfcaZR+nL9x98scojqIC60f4fzejDlpQnLx7C1q414nH5KMJplR+uD4sagX8YhOTvyg0ipJGdo3VMfqHOykQMGHTu4BsBqAqBPeI1mLG8pdrSEjyIxufu/qcaVbp6mQ1UHEsDM5W62Srnr9JIyJ25xFyHOOwQEGh16OaTtg2ZKv1BglSaX2DdmBezwNuOp7EyI3gw9EBy0eEmVdL+xfv3cI6GVcdnVSrMakrMlgggwDTJmaMEgyEWOQhCF1IIE5Sv2s7G1ZwhSwDT2aDtXEqZ3GQQolxAlxCl49TZ0iPb859Z7EreNLjUiwqXo9MHkvWHKxNZE1n4UhMCUHXc1oipaVXsZPUNJiYXajBvpLdcbL1LkfaMRj9W+X1KzU95tnw==,iv:bZTcZccsmWdXkaZWD3b7B8bzbrd0QlHIxe6f3eJxcxw=,tag:tyZOrCXs31YLe7k9jJ7Sqg==,type:str]",
+							"headscale_derp_map": "ENC[AES256_GCM,data:snKqv5PnD7RscFuMcMNzhQRHnwa9ZlL80ppprEcrTb0px2FlZavwUZkDqnWEwdLoznmBiLPLeN6CCf7xUjrotaLqxmtuHbuzhcJOOON8JK6tiblIgm/jpXoIETiZSValJ8qLdAqK1GrmdBd08J/0wA0aP/e3lRKzUTSOJiXw/7UvwzeOppxOlPKrtg+sOH3pRujsT5sdbnr1IuyPlfcSVHd7kJ+Jv8sjhV+Si5Fw/OP7cEIaklkYmQPaQsTpHWjdHgpoCnRW8KSoVamaFiOlJCckZx4v0LufqpaVtNBTrXdvvigDzxJt3EtHe8TQ0nuPDXETfB0LhJuNUM2ttDv3vYNKR2Rh5d/Hn+mt3xP1ycdItFeL00uyWUe+ijV0xIcxOfHG5IQPD1Q8p01FvOp/rQ2GJeAE4Aa3Wuy1C+QqUZhVa6dUnDi37E9vjLhn4kmSmkLGuYwGbtEhlmHHmzQyrNsCHl8/10NrAvoM7qKqg7W+Gwv3y+8ypD+1IfyPiDYaAEm2XtYP/5Ev84E1zAZpcfFmKWMS0mgrrmauvQwMqjHzxOjPnXuB7Ov0S0z64TteXHub1JrksAXoNpuxkYRJXs09ycbYdEGNCvT9EM+Y1Iw+yiqq7/j/tdaY1LCS6+avS8p0A2jOm5TIEdVO3q75H7b3QbDxB/AKeRQc2IJzM7/2VyYsEHrvR4e4K3firAXdX7P0JVHxjCJkaVPh9XAO2LVwwCbqrtDk6H61vvqwqbjNmJPzOWvdiTJABy7JUhh2ZnAwMW5jBNdBZtP2s0ZIBG560Y2VVkNptccgbP83qZ/AdIHaxYEQVKDll2MFwo0G8vD1hHfA8RgoqZUNoH5dyMie/Axu/OjjUK6pO91lVYxIzQAuXx31w0fdXeV+kbCWQ2wcvKgBEcFtbFxeuvbXkzyFAs7Kh81G9Qn8X+ojCurXf/heqMtMDZI3vDmyyPVwOnzlxrtxQlTaZvo1caEDJfjK4gNJwJ+tM3yzNMFMCTFduRoPIaaN/mrHM7vnwXFaEcaXsWNTMbSdr9lbNWUzazHLdYyg5uPoNPKboh+EUNQjWRB5X+WKqaVeg1wcYuAIdX/llWzRTwpGDhbiKCuv0uMnyjAZaExojFugbSASZN8sPWkuKnOqf77gBZKVfneD0QPE1ot45RpmY2RMbgrIjR8Pz0M2cfJ0ALfkHMDS8SXFuy2chPuG28nViZK7wVn50FWyHEtwFBgr6slyXqIKZd8rflttYMZxIPHrZ9t6+ekZcX1AMvXdcnZrkiBJZAbxXxN+U3QzS8xBBB/vW2v/sRIxZ1TZZiX7/FSRxJrDHrs8hxSHijyW4yx/d5ONHm3PG5HHcTpXvH49as0yUuZSrmdl0bMTEnkzk5RkLIP9UPX31efXRMiP3wFNCdoC21AUKFrpdp8ozvUxZP0CN2OlxEKhfXqBEGq8U1Z/w3EM0lXmD1ZtxKZtt/+KY8Qb1Ojwi3EY8+6d5rBzjtlnNuQ5VJGS0zfPOcb4sIZ0lAS4MaosMz3c8FHo6TTOozn6fRt2bd0HasCF9nBgk+MhmlrcMg1cMFCsn7t7bM7wjeuiHgv5iYRgd7xdrZfH6AEnXWbV/wMyOGvZNjv4vBxWrherDra+yA/xI6PE0mkJX24+bs5+H7pQoo8ZHWJAcDAYSVgsA/EfETKpsVaUiAF0afxuK2rrw/gPb1ph5xfzMY/9d2ju5U77+1/Yqjdc209FzXc/7NcoVDspaTNCHa2B30QUa81jkyN94Zl5xM9XRWZhUO48pRokdDAa0P8R0jLBnz4d0FDlYLS/p9HFCAbg1YweFRA1Duu4ZRHrg8h9JMUeyWMNX2RrwunDTVdsjim7bu3R0Gjl+/C2pgyyq8GvkBkKnMKfXR7zzLzJxpa+gQepxsnVdCFDN2pcXVl25yDrGdWSHCUL3lwg4YftoNi00yMHHdiuzHSeSj6woBF8BJHgi7WscFG44LpfzwngweWY5uasvDrXE2xH4gSp84//5BBS8GeT41x2calOQMcWy4WpKMKFlPEqHan2UY+5vbSk8KkuprX80pP9BPSp4kgE5leeKwIOF3N/NFssVEHgOH5R5+7WnTkfr7U9t+8IcVtTji4/L4mAwPu92Leoc0f2PKtBvSPKjRJL2Mwg+2rNgbfLzr760r342x1mkg7ZTqmnKCO40NpPaK4dqQOYDD277pv2cTPiY4qXAzvXyypsRO/gdIXw6L8lA84IEgu1fpic2G4+CL4Xj5VoYFfedKejJLcqTcvx3kfSmlmljTMcRlQ7y0a5sahqycNE98o47/wRodmE25w2425LjWYOaP0XdXnABRj5LCR62Wmv9RU2P+6vP+0VimQbdtmKWqREtZEkxDRA64ui7jDbSZ/8T5JYKSvFoFsF0tH4o4WSUi9qZMPzMrFzqcptztX4AdpLv+etOZy0bv5PEOiT1azGXM1lFyijCifaMZ+qf3vO4jiZvBc3c2jKLZML82tzb3oy+czuPx2oac38XF5A3w3TIVfpUfYvlLSEck8jkVT2HxfkAdo1rop0uu1rOarUD9dEcRCAmLbsopO0YpAHBz16f+NaP8g++OF9RLm+cCLOBMHMn58acZKLMNHGR+J3SgAfvgAiqppX2nSZ4xFcYpb1o2M2U50lENMbZnk8jEAY2zU9VbAMz6oP0Ha3dOaXf/stKWDXLSi9QLVF0Wz2necyjfYXUrBZHbffrEUApQoZmMWaSLPrrV/mF3yt83TAU+w6/9ExJRp0NGtvLf5+B0V6pK5tXxz+yOvwfA1/OkKvP8tfSh8/DppR+wT5y4p1idiKFwf2n/f2A7rc+V+8jYP6mlQxq3IFuCeUSV/HjKKMAyfTX7Mub3Fva2+7209aMJeXOc16npja1Zq1qBa8YVgE6uRwYiGOgwKupgGWOQzYEvTODOiperTTFhjKM4c0KRHmM/KbNQkhBdrSpTi/yH4HVAbW262d8oOykhJu9fi5WWMt7yXTaiba5p3vKqg8IfVn5EYMfwGct7n1lxN85rbGi29YPK0WS4PicFTHuh2Fc8tzW+OegbDNMlZLWsbC45Bt/PC4a/rFG6yR4j+WT80kQVHbR3HTEieD/2jeRO3HCjM+0RfcoCsqe1c3JMnufx7dIp9/+lRZ0LnQOEc3uJ4UiwVJPQ9x/nLsfKDe+FKWOucih3qL65h7px8GoMd5MMXhoDS3m9czHDJBYeXpX7ScKGzSh433SxWypKXJuVnbhiJXgxosD8PpbUkvjVwyZ9sj7sKedKpQmbEyJYrxKUw4OQgfqCSB0TI93Uj5vAVAeeFpu8eRI/PALhpQa8VWghVRRXwEi2B4ItPsE7pYowebIIFtFTu7xb1CCkY4hFSk/dpFrV3TtzWdmr1Hj+VK3vwfXEbgmzJsLgXe9sB4urm8URd0c0WFdwVp6Lv+hEuiQC0rTSg7pndTNDL94d5edgaqS0XhsFYYOCn6EMQApZ2tj2WBDW5XJZaBeac+ohqOY5djCgn7xH3ORlEvVRsSngOoxk4rEC2fhLVQf3sSnclx+86SgphpnM88CbSoKHKxO7dq2KQ7gYSbNP1LcQVFkSbn1hXjzfGKy52W8NSg08SvZwYk4qOrnmkSRMuFkeknNZ1rNz9g1aaj5CV6X2bQwp4Q0H2ID8iL5ZbmRSjqTq+AZ4bpBa4ZnSZmpcW9Crz480t+o8w4/amCVT9Fnuut28UWDig7wTifly806rUFcShvp5zkJh53DmA3/fzNO4PuZQzty0sRJ7HPD2ixCDydfvxurVOfgDG6gKdgOyf3H8z7tg4+RsbnldcCxNB8iNHVkKQzxOMm+RmnN2exC5IS2FYM5+dxuQaF1BQg3mnHdkqZ9/BLmqqOxMPsV+aCbQ3UgXE/aHkeIDjZY50vrYdkjlWkQ6FkgLQYbgBzJ+V8MiC7atxBMwvB4S1vUjDnf+yTPcAHfDP9izD6ekBQ9OsYGwLWlvNfXYMBN1Y9I/Y2xM/bEOEY+z3EORVtjcqBXne9SaB/elZukJLcKrH8ykiM9erRJ0zrMy8zp4d+kZHRpUxm3mUgfghNouQtmoaHyobAOHCQPnBkZ0GqDWIaSlzejt2DtnrqbDpZY+i14mzuSVXYzYv0VRv0q8g2S9wSsBcA59nCD2oBrzWCcnvLoTszAjVJTgN8evAGF2qu9wuvfmxwifPfGetr1cXBBdUsFZm1ZobnC5brv06hknVJHBg2cCSXVaQzy+QvUcoLblf+83+1TcS4dnsM0zh2fZmMdYo/GBrLJB0Md6L+W1BSbPFDpLSp5jWAqHWlzlGL/2uPAFI1W4fed7yWZHHUbn7PGllGP1O3zWpXO1aGSY14QWkAOH5Ei7yaT1IVPjCOxDyd7GhW0rFbLUb/nD5GS/Cpbf2TfdVwToMR2e31YSZ0fXOi6RD00U2KPZ0U/Sg3NLUXX0m2x7fA5jE6RLeWKkWRBV7ZAcZLRvPcDQge8jEWUAe8HOQku+NwUOePvnslrR3ET8p/ysLZ9E/Ofg9zV196dMfAtmMPQPJmJciPcvGSiN9onwUEEqUoqRYmd1X5mXJoI7O/mPDN9QDRSRUo49ETzbT94ot8NVfIjEHLUS9jiKKUQdlT0aIlM8Wtzu4+e58hGzOuLdta6t63rZCdJMkIIUZYr3NdLSQWfRcyDePnuQfCbqHOY7KUZNvBTnOvNNvSFzo2VLq3D44TZqiqBB0CEc0K2ECrW4vtmWA1Z/SvK071P1hUAvCdlDOACx0f5yf6rKeyJNRVO+8mEI8HFp5bAvFYjXKYP2F/p1H3Tp/utwkqfuuXLGVW54I7LizPEKkD4rJR7x3og1+DQlKOa3ZHFKOcpjh/mevBCg1bVmIYimQLntnrJvdUmhVVAWepLBMz5PX0kowgaH11YNEu2XNtHI6dXNgnTJJymY68xoxVAbZ7sdf2c2OvXLNDaS/wvsWCt1nlrnAgNrjL4LD8mkd9Jom76n4puuwmk65NAnVAYhKeCRO3BcHrTiwHMLcVQpAd+2e3bzTG8JJeb3Hm96Z0OBfGtT6sCMD5nitqos5yaPSwakj44K3kx/ZO1TaGh9spoUVrZGCFHTp/vhwbUfEjYsapnqJqhMl+2VGOuj8jWsU8cN8J2uEdTI16nGtnkqN+PB7Tp41zqnHk8/fbHjOga99DAbrMiYNF8ze+xHEiWsjAzG5Z1yBssvUQbOT+KVHnz6hMi/UvIK7Y7oipA4WqZZyDZTXgfSabEhl/U/KQSxFxurZUMGb8fxpJVdOa0aWGPL/wiKPySPofe+Fzupl4ay+7QchRE28hE9Kew7TCNugNUEVZfAEN4J85MBnfbmMVwPW/mQbyJOt886cQqnGdkh6yumBkOQvngzF0jJUvqcU+tY+MtOypeuMSiahGdgi6XTbcySNESE/L9WnhfOfpTvhQuh+dZUWjlF1Xi/QTSqu9NHTltVXr4kyiap3UbcV1JUOT7tHkwiqmp8NdLi0MsFj2E9squC81kx8rIqRGRf+D5+ZfSrhAt+sEGGJzk/JApQfHHvBc3qzYeQfh8YZCw5g8VR+SQKvE0fP3NZ60b1TZviqiCKBlmGu+wLyhOplCj3b3zr8UFp0IfJJTQGmX2+sVr++gTui6CdbVo735tzeuhtoHmLz1jF5aooRF/lIj6qflV4LFX7dMwmBMVmRS/CVOYFKLRWtzLYGt4QAJWRObw0rjycjuvDzVEiUZ6VNXfLGqs9xFml5MtoOc7jvIBFadGUPda+q76R1eEx2GHsdgGn1GS/IwAs9V2BPvY13vS4aQKlNfD6h/TjNinp6WEAniY8Te8jEWh+FGnCsovl0htozoY8mFBzaagpx3/WLhyy0EDAx9yIWjTuT9CzivsxjUQvpfA9HycD13LuZzd4K1fojwMkIX4PdX1KDPLx2eogFioe/FW8xa2+6mz6OmlAKHUQdou7KAhmJY9j3rLc08s+gwJDB1del5QANRnWLtMGJ3amsU7tmFkdsG7GzNGl69hZI+tbEqZm7tatgRKziCD7s4PanYvIZurBwMeFKWWr1aIM3P/CniPORaREyOoMrERydUXVfJvfDZGW/7dJolQ3OWvbZ5TDLi1Wsv0rfjY5qzTkc6M7nmym4P/D/n2ab8cltTLw2XZkGvvKquGli6KqfHrIF/te4PnV1hYlhOuqqNNxXSiMGzTnkI9W0dCEj1Doc2ze2v4kxb+LQohY1yXQdTq0D/hQXuMBVk8gKvT8P/uEWCD2mK8dvb+CZYoP3PwGpSDYqrnXC6OAahASwJtN+YFO03XP6IsEqX3aW6kcW4BAEPvc4Ie3tqBe9thbYSBfw+iyvXPNFm33jFDrr70gMEwHweFAVfViXM25WgAZMJFhGsB0mENlZAHX03YVwBixJPW89Abkg1iH6w3KxDLwgY/S7PpLrnVOoONUz75CvUwST28WWQH/N1R9eR+FIoHDxobn1Kq2UEhlETWAED0paOgElhfJoiSOJTGiVc3dPEMx4+Gk3/GFyoBRKvju05zsGrIZ4OqbEUt+g2FKTvC5qk2/NQed1E6KuyOHER4SKAJM9in74XeH1AVmLak42/EgeHdT0JqqDeHVJ8HVzd83emdWrWPryZF6QjYNXucHabvE7zgKKZSBL7XqqWHuiVXn1gB05S4C6/8dfFaajDmp9PaZBMfzwVT0SUVTrtNjF1PXjs5KMzVk43AShyVepOWnHT1abglyb+wYgrKtFj32ZwLtRkeAa+cds6TP3BvJQIGkYvvMW4bC5bdP9eEPhn3aHeEGiaH11oMlN5rs5Bz42E/ZzQkCtoDU9JIZCl+PaBIbm0M/fABR3UqINqFRFtRaSkXVgWzqNcvoV9zUwsQq/gOecmn22AkjCHu3AOPNsFmVYBHSHi0LS1rh87IPHi02Mw3cigYEpG49Ep/e4TpA0bR3tmnMTllOJwFdKfdU5JL/sBmLoAXGc2hbUN2pdOR6pt4Yx5idPzpE8uls+00SLJfTDAjRUlbDIPAHKsG6cRCF95v+JYCaaPFv9TIaQhQ92vHsBSF9OmVgsTSk3krnDuUuILSvfWToCMEY84DbCDlqz8mvWh+O1c+loU5ftE4yP0kNmogzbH+T0nlBpwG57VminNFoNKwlkiKoo+oYpA0CvO/UBK8t3jcFr3Qz0wy9YmNWWn1dzly4h6ADmz3p67330xNur+VTZfr3GPmDQKfq6ev6vYEMh3haQBbQmoOXgFPbJLvMSsenJtQnWj245GTWzFxK2WA9QAXf7SZhuSbcfuJY2v8WF9lYOOsEnJzBLddDNLx2TACX5JZpu9n8c9TGQeIdjwI5dIC6pvvS6l+f8FfH14HkXRHTuTpAm6TmGmlBisDmuKQ3zkCFeurALsoJfYVYBYPw/fiODXXobGcsNTRGuk1q6hz5M/LFJs3QTPoot+wc8nPfgcY64mNlyeJqY2eG47jO+Z9gCb3ikaHzGeH6V/8joQo8iq3ok2+c/C0AN2qm/tzshLrTTyVk4jfz8BnIAaJkRqIDYy5CgekFOxfzCdS5P+1KreISX/J4qdgfkPHIXO7qmfJDi0FyK+xCoBiRZZg4nRFp2m5wSs971d4X+bBAodvSOuSN0c/lPqg00AEWMOAjfWmPFZyyKCa5I3p3FPWboY6viFf7J8zfh8hPbG0dRwH1ge9HU2OSsYa+oSoyiyvz3lX2TZpQkkfGAmC7AWVSRDeXiFy2a2BG0SL8K6px5UItGITzegsNzUZJYvx6QRAMR76vxhWIdcxzqUSyBTSfjCo+npf9ouwgIqAykQKzd5qSsFl92cgY2msI6jPw78OrpDnOQdARyQQ63M+jSeAFIl41/VAWVzf3pa4kaurG3L5JGcwQMj+MSq553wCEicSex+63UU7Vqkh+7kgIh3fk2WZ62queQSL2RY5HtD10dwf1T1jI9qsSNVYlLSQ0SRZzSEFKZGn23xn80EFy5EStc9IO8EKMHzZn5AEyuIlw+6olu+E1ax2STliM2H458cE+f7zS5ydeuXhNrr7S91TTyBLvhktTNk0Aj4VGdd6TwoIXXQ3M3RPCmtUQ4HKRZMAGfliSb4f/AUXBf52HhR0c5Y86UEcEVPWEXEulXXeKkIhXgWkyQ6wDsLLwefiPSCfeorR3TjMmpuYG6f4jJ5bX7WeT0WhoauO5iEe2kbcL2WNtrj63ESIygc1nygotD8ABSRcVNJAAfL+UmO5+YaqaEfDF6Xej1eWYCxr+twt98hnMcre4S/fpPdwSW8aeNZPoBDqsiZ2pSCOuU5bjyo8X31LuSYCrc3M/ImwEll0nJcc4hhW377LfpAMkg/844WxDBLSHSDoYid4MjEc4LHvvR55jVCpA5Fc3VN57OIf4xb+ndiZwYPKK0dWnn/j9EDHaH7w/c3qiJY5UQ+h3OBNdAxFBfPdjU7gQDR+sHZHtZeaMJNldDdW/lkx5UTMbul8qTZNBrmugax+M4wcv+aGS+6UunmmUqcDXhTCIE7HtaSkRY2TnB+sedsqwHYfqDgiOaUksV98TKQE8SncdweWQFPQKTWX4eeggyGaqo4vZoGxAsjhQ9PkWaNMNTvlyPIwjUMFUG0sGf7RLgYA9dep0KcwwMOFYcyjTje2TLcAxbpcdQBiNZHi0XnAdZCyhr3xzr1Teq9/dcRg5v4jGDrroeN2KJz3vYn9FNkb0XkVPJ+os6K9NCH7cWELhga+zMd+lmwwuXUA6UQBXuJDCJamE3zmM7kT6Et2mqa+2WDCLvLv0XazMjcVHyoIFGctT5ipNcVEqZw2EpE2gcPF3TZ0fVo67P22DWM8QLjCI8DsisoXnHg/L4ncz6TYRVr/MaiyqWPna3w4lr55QfO7LbPpf+uFQ2qWQ9PUj9yPYM6IYlKsUiAUyCljsoRzqnw0eQLJ8sslWtFXSEH3amlJJMrZu3+ofGkzDBn0XLupxIDP5ml5n5ITe5HYoGNeHUcEK/TQ21o0/mfToLZA+TPLMuXw/iIfpy+cbn+tC3EGRFwTvUPE1PB2is7wD+mn93UpsjjaHqERW580OBMZlORhSDY41eVnO9xmYWytyIdMLyzSo86w2RcdOAZcwZIn67zMUVQT1qsIc+FPk3PFMTjbUAyLQJmNkyVewPoOv03neuLdxUIU5wKcP6FkIySdI8TJeg13bpZNg1ziLNLwQmhCI/JLhmynJ44v6Zg/522KE68uunLzBGOEE7CF2vIp/N+d5mLBgA8xmxlnjmJVnbZAPjrEZVb/P1KzvoaXXiF3A4x/+ZUlI6oLUZl63YG73nJFl8dD5rFd7jmUBz5GHO08rmdhMWEjoqqRLovnD88WnGLGFwqpo7V072yCAOBmCCBygnJSVdXcC8W4IEhonDCLNgmnEGVE7PndNKXdcYe2AvI9iM1YonOIPI27k8vnx40wWRbtL25jqdMynYycagXdAR9hNexQcIYmcmx4baNXRkvkLyfq47VAteepUMRAbDPeuR6d2UKPufBZbxCQN3FHe7ys0tpHEghG3wt7jcq9dwaPV3LvHsJEhel6Hf3Zvq79p8UUHPJNOd31Q4RCnOTGHoFlWJE4hz8WSLIFQaGlaKNLbtKUxQKLfMs48oz01P7DNBppd8qBZevUplKBp9VAx14O1nate7r3VQksy4kWfizI1P0bCJsgfYzB5pN/XPt/FCUcc/sLmthPA61ffPnWP+TPRxOsHbqyOQ+dLeyE3CA6jJVM7AEviAxqRBYAFP61yrd+t71R3N93Bd958rhBNIVG4D9X+D+UzKRQK0eVYhtgFJFG0K2DduRflDmtNVCuyLKhwNcB5ajKP6NdkTvZHuk3HRyo7cli/L2kRD2MtNbT8qA67MKQU8+03hoZoCpz3MsrIiq6ATSDg+EBI1HNPXUl4Z4CvZnJtNUBrh1z1pneTRZOGcn6lWyNyUFttT7/Wvl/uQsuZYKS5M=,iv:pwiibdw0huI0uV3Qa19t3g8Wbcx8uT6IfkN47jn+WFQ=,tag:7WdChQdP+Abz/zW9Vsf+hw==,type:str]",
+							"headscale_ui_api_key": "ENC[AES256_GCM,data:/BzVXFEkEAOt3Z6Q8z4KFd9f55X2KXpSS0+LfcvD5sUCgbis6L06BUC3j6pg3OhOr5gLYmHohA9jx9QxRO2nvg==,iv:DGm7AZ1bBzGAqAmFSa0kpR3LmPKcHiJ+JDH41oAurZ4=,tag:KiaiRJGUVHI1sXOEJEly2w==,type:str]",
+							"headscale_ui_cookie_secret": "ENC[AES256_GCM,data:hNlJ2nh/5oTW+he1mpjbR4TG6lMKIyfugLA3P5dF5/5LGvh5d2lugPUxQDYoHk2/CmZEitvihydy7nRgAo11xQ==,iv:a6v880/xkdvpZC2l2+X9do/tWnMgV8PoYojoyon79w4=,tag:pJl8IBNOd2H6NF5NFgPp4A==,type:str]",
+							"homepage_credentials": "ENC[AES256_GCM,data:9taL/QJkvBONtUrMaYQ60xBtnQ/ZkH//MB16KUdTul2pX90xXpANUcb9P31fYb++yVAbQP8kr8GiqH1La7qyI5pl00O+xfKe6+hOKM+OYAFRtt+x8peO7a+iTzUWUgxWOmT2Gk4v3LylRbe8sZe7sIoVONlaoOteOKSpeiX1tq5iNidWIN266bNHwwUrDho73VOPddtRmMXW1YgMV4OBiMSVxPmvICd5wxK9EqLAQrRONALElITjjb8oYx4GKTGdOE7lqTladeTiNaCau5Pdq3FiwQAVQZY6sIY4xDYJTGOYmouGFR2uwa6otlyqHMm2e25lWliOhn0iYye8nDt29dDC8Orpn9BgKFR2xCS8G5fxIbTDj5Rfs2HZz0cHj/t7nC/6UAPiWoUM80r1+DeXA4D9dm9KRec1/WL3vrB2ahJxqRv+63NSChxQrIcvGUpc/4PhVyqiAZxkoAlDFt0yLqdm0BEysIGBpPfH3KcqYwA6/Y/Tna0WX00EIyZlTGr4vre/LIz/N8Z7BQHnZSB63OoXFMObqIRfM9QPBJJnaXORyqYPYrDofhUaorlJDAS+b5LXh90HcqCrXUyQJw2IPQPYOWUkJCqY+f3lZP0bPA45hdG4294uvP7mw9naYkNBp39oWJe5BlBUGBkaZkSVsnRjJPgbokZyO/1kB+6mExRb6Ctzkuku6DECROGrZAwAHckUixI+K6jsCbZfYszD8DicZZaXXyy403mi0tlra+MpwwSgxDnX+u2bs+aFG0A1bD2FYASYPViSwk7RjPSESkwogSoUNd+JzG/0vyF4swHGX8s8ou4zpQI71ox+nY+TY2g5a9M5TIx2wzwnGoGAQzUwlNSumiMSrzJjX31Ouizq9AL3Td84jhuHtx1mKNySbKYqL0lrDvkrbDVOiTRs9IIJknmZNK/RwaSL/3PKFspYrHvjJExYoxc+1knlpIA5HMwvr4u5nJniyzrsC8wG+1kYfXLlEGYa5eD4OEWtxYgjyZvOPXBYYChGuByvxoMMvWcmvogUJreVl2HuFyMVuF/tgyULX3dTre0gY50RtcJYgIUawpOXtIgYytUhSDn0r1knbVXsIW5wKeEu/bqRcgfQUkapDnKMZJXyjCCgRu6BuNXgBxdma305tcicdfeUUOdgLCxhDgCt3Nh9MgyhhQWt5qGv2kWZKDLALLeJBUbz5Oh0EJHnh6u5aPBpSLSxidRR/on0IPeRcdra+uiFL7FKJFwiUnzrvlbMCHpzmK7FnYY7yKnOnFyE4uI87KlYWOo4q9DjyhzEdYF5d8QHaa8pWiBziHENdwEQv798Mmu7WSYw886stZn3Bbpz4pgZNDSJe2xNVUWZVkm/fDI2gS2LKF/hGA2CgA7rQzwqldQU27wfogFKldnQeyi13a28nckk1soWOIUy+D7DZlTS/cBu6q3Av1j3O+P4hJUS2Nd+CF1ZH2ZnyozPPFCH3cohYeXek2N5Q+eJQQwZYDr5/sTZ4yWgOoBvYBHq3qnzxih5up8ts4hicEZZ3v03NOhOHQfTi0ei3gl/QSX+4baB9Ds9g2Bjpc7Uqd1p3FPKeKSMHCeACAw3DB6QMGk6qY7iJitQ8OW6NqVY5674By2upQBBTGA1Zq08r206d71k/oT1OPreh7qvHkCOKJdqU579KThW6PmD5RlwizVXZDIXKRfPrv7i2a07fKBbXQ1DPYGaJYJvORcMMQMZ0ErFjt7h8jETrBz0sOb0lvEXPfW//cpNvbCj4drJRAqv68lGnHcyzcMVCJV0J+KSg9QujYvvsCIotiMU2mswnY501z0uaezgZ2Jikjg02LpKM1vCNI1Uh+UJ8ViZh90G3BrWCA/mPR6JX8dltdU8zprBOPDWhGng8ixOi/v5OvKwXWHgYUnxPutZgfGyT8cqP7mN9QEdFhp+z9fGJg5iq7ddsGAa9Li0rdswz/vZ0+DZmHXl5V4bk7PBQ+PAOoX42Jlam1Q+MP2me8HdUhfx4Dqdbg++oV2SpsADaGvq+DVe0F3cj86dsTzzLUa+A8QUYDa38X5GUu7lRHHeaBgGJyZA3KgZyk1n4hY2vq0+mYuI8Pg3Ijmo3XefnQBaCXFugNHuPzcOBg4Y3b6SX79UawvdmQFxXNJUBMxI087WHkhVe2hL5E0qY1OUw9z4ZwEs3KQfL9KzVLoJkbaa/5PHNnObrmGeZRCGygAMR1YD6AsE7xUpKVd2p/SV4THPDed6T+wVh2Uk9Zkz90d4uQoFsZ0cu/AGHKHgKsB7spgkhK22JhECdsa4SjYoR2AglGN7aqWyA/Q0w3FLBbaO9LSP4ZYijYr2afvfUsxsguVOZ1hYapg2ENRGyQPTZ/0qFQXAoAeo3C3epDEHhkarNUWgA5fQSXIIwHPUjgAcym8oEhu9Kp67pZyPCDKCUbWibp5tyqvRMISirz0z1v+0FOG/dMf1C/RUKJTEIbiJA9PPPcjsud1Eg1IeiGMhDEVb8/C0z/zxO4zlZqW1AzZd+7RszumOmZTRPmN7gD9LLwd20+e+bpBEqeeG+UPC4F2OnqkgSBo2bZr0t8RzuallRURR0gO7HBD+aWKsejX95+uhe7WW9/tXO/Fpu4e21RZGTMcW0tUdlZfBXTUczsS3p9z4AG+n/urKxXIHr6N1ZEsNbPZroIKemlMYgSfywOXJ1qL+eLkgwNRX5pFKWxJMsFAsbqoACQZkCfFnP0yhmGPZWle4x7jdnB8V6l2kU0LpEwx38Fh6i6CN7E0=,iv:b1qEhaR8Wo1iglMoZM+tR8sd/TGsWeLsbvLKhjjh050=,tag:IQS4KwxrZyeavG42u1p+FQ==,type:str]",
+							"ingress_crowdsec_api_key": "ENC[AES256_GCM,data:9k6WAR3LLhOgQiWumF2UlrHyWLRnGEi6f6UCRFMDn8VB3DwW07G6uViYMQ==,iv:hqfmX8eJ/dIna+/QOLtP29iWAB3V7+qQ9sE4KUWMFXk=,tag:LLk8W4oh0fW/N+9TwgAM8Q==,type:str]",
+							"k8s_users": "ENC[AES256_GCM,data:7CZVWpcV4l/GgNAHeBUixQUIF5CxIwJoyssPy2At8MsvzoYykSw5YHJgGv08C8a60LdP3wRNC4mbRIMCrlR1I5qCsvjuIUvY+1t9XgjTp9iBCwov0Xn3JLEzRmAKpQkTZ3goXKuMYJ3vThxgb0CUihvGw6z97Q5B2Coffk9altFo7/PVL/mIizZMoTHVA62TlNJ4ENVJNDz1fbRPRxJesLuhF+3uhK3XpGOb3NH8136DP6FEYdJPZeIsFf7xjLwwd33XBU5AG1HZe4cIGFk1GhZ6J9zhfxemQWgN09x3VwBueaKEPL1CK1372CIjbb9moTTztqxaA0yYCtW3D9yXn//WhEhli9IlnO2Bk5UawsbZ5/mb4Gxb0cn8XHjufYP7KWrEndPSjpq6s7/WpFEL2vCDdu4OWgksYAw2l+U94gqtNskU47GspBRxwwOtJNp8aHSZPQUXAYSk7ZyiYQHucGrXdSGHmRAYtt6ICq70TAFWqI7rJmNa3hyoNUsZGe9xK2MsI8PmXYp20gJPaD4rac6VhKwR4cG/R6wEy2ts6UPWsKT0cOpRF3e001mEqR/KouRKkZVP9b9+35ea7Iw77D3o8vxxix84xA9M2u0ss9Rq+sqHFcPU/q25RV01pEJalw4l3saYcXIqv7jfdhb5xSYZy/iaP+Stanyon7XpnOtzu94=,iv:lYMfG6g+2Sp/Kw+6lLhv7dBNFLRyICU00P9lTqDWBq4=,tag:I6uEsAgpV5STfyTBOhGQnQ==,type:str]",
+							"mailserver_accounts": "ENC[AES256_GCM,data:7aVBBgXW1S/7EEvyn2ihiS3hOx/KkPc9lO5+zbX5j7m+aBsr4xyZ2bqyeUHcDM7tl8DZMXmlJl0gWG0e+S+xNhRgeX7GZq0BwJJmDBGKLBU+ci1OkcsrAjHfihgUnBF04DAaWi810P0qoc5QjaQ4eFoWA5MlRYkWuUCO6DMGfempmVcC+TDn45Gb+2TWnyLqeMswGvBCAO5oPE424L475SRH2R+905IJnSXj3O4kn0AWEjAD3RdxwgibQbiGSokD9rMQxi2WK2r9bVxGUfQYpqlsDpu8sibT6iZpqHpQqlhXbZUqhV0h6l6IwBwzeLkDv0P+LbCqNBX6q1ryctFZKB8uoNhRIQ1pDW5z+D0+xek5uUe59Agj12WQry0v3PaLsqqNqRuha09JxphRCQBxteYSyhVLXvVtAO773U5E5kdPJInWS55gtOl6wU26Aq7C8pJ1N0S1ixQB4kllFwCpvoA2O8nfF8N3hLiXfkCRoByABbOriMHSCYzVRc6HlUFsK9uMduIVplE0V0p56H8f3pmjOQwkbFdmF0RIHZ1W7nzkIFrR6Dq1miXO/LQFWrdjUpQt8dxidt0r3pMSR0kSp07867GE/GDmLe4fsYGvk1mxWWQUfuaDy+4ORlmWAcZFkajfB/YelEtaIizOOxP4NN1ztzofauLbIuLC+Qr0kfyFELE5qY4IYJS1RlZIT8Yr3qHqNQzsePmt1qW3+hKCgQ7zRfhgHgeBEFamENn5V1rPEonkBZ6Jm2NdYj7oPWY8aX0usZc4Fakqkx6O00uTzz08ZYP1sPCV7OUvJysPCl11zJGpog73VhFq6+wrXVmwdWUMIVyggCxaf3SaYc9ulrJV7WMPy6U3S1CHGhS/lt1jh+T+wueGv3lM4yq5GMV7+xNH3DVtupf2GMC8XO1p,iv:4m2JPmR8HeDzAPm2Eol6Eb7bN7K//ISTUkbgzVNu2ZA=,tag:qPuy4CxC19a6wCrKkiVOcQ==,type:str]",
+							"mailserver_aliases": "ENC[AES256_GCM,data:73r0YHxy8ukC7oUMV8pvj+xRNypY7It4aMyVqZ/u5uhK3dio9R2Vaq7U7I8yti9BaZI6lyXXLSzR5l85/wQrJ06iGE4JZsvWw2gR1i93OPENtuXm0WJ3zK83NXLjkzQwLRhGlhe4g9do9vApyj7DkyptROy7gkHohAuVJrbWyxuZ3yAuvjNj3ewcEHqmlvJGx1DrMP+UcrqKVMtEqdjc/pGvMnIe+HwhQZR1Rnw6b/IBRXeGEfx44wkjZlJ8dduRa8tYUd7fKVkj9/kgv86nVfFTWSN2FK8XIm0H/KxDSUwtxv1rdx3M3M5NYOjRWz7807KFkXy1ZKStIptc0ILHPmsxZbzJRjMraL0biTBW5DX2L9wL0Wz0pMxyTbE0nq5fHefKeiPZTghHb5hPkoy1+ftw+kMElToIBFLRGBFJ43g4yFT+v0OweKHrie/j6aIkmLAaWraFESkn404+Aw6FDr99k9T5eIRMaKB46TNFqm40ZnfZb6h+55cxOlklQATM/GTYni2WlBDFPEu+47+hk8P3BdCMb955f/hb0cy+NAuhzOVdromVqKXUfc8miv3JwVTTng4FHCBcdUpTy33cEgvW0RFK,iv:E0h6obFxFmkFhlrFn7k6kzAr29PzpB6i34toO9BDV50=,tag:S6z3lH0sY+4aAIVYIUH0jw==,type:str]",
+							"mailserver_opendkim_key": "ENC[AES256_GCM,data:+CEta+CQMS1oA4hBLv5AEurFUHAnUI6UmpBuKRTy4oaPbPqHXHBFSes8uihLzeYrHY7drlz/fKm3NpocsOre7imtMTBSNp+lwZKeEMXyOe9qi9RlOdl1cvhPzeV0Nupfm7bCvWNhiU649aOlvUvN1NWzqMgRViAUsNtLEIRM11RiK2ZrRY/9RnOsI+MfUZOZlC9DqHCJOpQilo5md5vvNyW+a7YrBr4Z84ADleqoz6a8F/PGQvCJeJz9ZgBtL0vmJuWzPYnx8dVD6/hb67Vq9qOW1/Dur3I31Z6vhgoVZ4zZW5RxCZ/FbUm0DTJGTD8MzOAGNkpWKj5kootuaULKtCXE8JRJOsD+zBmeitowF8bNWGEX3TmFiFyJFG3x3NnRaT1JmC2A4xy586DiuI36C8T7BZxQ8vMZbjZPUyEejSk/QTQfB7CsG7uhhacfWxKotnqzrs0AbBkzFOClKSwizpNK2/jBw636Pvjmf0GGbH4L/sEEWZ1cArWzDP5Cv5dO5zhjkvjsYjU1xK0N+xW6DjMkBt3sPVboE1r5PhejKDhQhc+cQU+GzClz4igMDurYdeLAc2b5DraRxw8LmhZMBl7yuXZsWeozg357MMzxRvmSY/LOr6T2iXiaarD/pGhq6r0JXBc8OfgowsMWj3SsOG+Mz7DMFIRP4U5h3GMPV+le1Qf/DtM7xy7BEYPS/nuQk7buPZGX24KgQsQFWFTnEIFeV65XZr9GpXGUW2KDZtsyEkHHg+ct2wxT/hhlxicf0+yM2+svNbcMiG6W8OA9Do225T0VwNlXtSqwzKHWiiC75bxPiELxVdImtsyWWvY9GNy4PPg8e/8YW3ZzJbXdweu9JMRjG//zhVpecVMEn/cYoKcWrLWnTuqqk0Uz1UR4JUK/we5xFELPHzULszL416CknI7jbozPak8W6CRL0Vu7hPmsRnAIsn626XeosMB/GPaV1xgIgjqTyY+5q4SjTZNejzhVHNKd8Wj17uddTh9VAgy26o6HtPCX2pBUxvFhi43s/PVbx8WlRpAKaTFJtwczTTiVQFpTE5E2ya/Kv8+59dHUFSiakI1OI+Ow0eQLKf9LMgItihNpO10yW0z/69JgHs3Ep+4XjOT1RpgIDOL7PObM8Fly8RsdDnJ0HNgo3djF1xMxM8eKx2lC64mBR74VeRh97LL32T/b74o68cqW8bWRTU530rv7lLl1QvkTIod8wCuhPTIZxz1HNCxQss+Duav4wGZVtskGCxPNccz6UqFelFGAcCUzDOYTr8nzKgu7NcvMxfYupk7qAI5iGQWKzImSUA2vjQms8WmQH55w0ujJRCzIc3AYrE/V1y2/UfsaPpy0bKrlwEDRdLr5MjPDPcyHxX8TFSVn3kh4BmP6Myw5EEa70Qh+wAFJnOfNzgBvrPlCfx2gDlybbeI12LWOIo+tUk0fryQ+RGh+Owxh4vcQ2yWPwrwMAzBkZbuNZt3glXko9QYf5TYpc1vDOwIccKyV3EWw3eMuyqbY6MEdIP9FpFrcbyDkuNlQsbo53LCf6Ea9HJ9yB0Q8ECx4jhGpVacXoM8BwmEnAFa4mNJfQK0LfKUAoTAjPQpuOd869jq7rRGDQ/zXvG9AjZgmiEqLYG5sFCBI316rrHv6SP4RBCSps0K2gozIn1z3+ti/fCaiuFX1w84OdAES3rjSG6/2yNf8MoPOarmDVF+dm18ubhEwmJNjlTbST8MdTrmuifcygI3l5q47G56zmbJ9M6n7gvyq09F60D6/MuuPvnfhrq/P9gKt2R2j+IBu1iGsh45DRdbHptP/N/z0ZtyXkZyEnnRf6tqIKaQHTOHZjUILzzSTaTeWC0Qwc6drwUkwp/2rP0EKgY5ZOG1UppD/2pkCBLDpvKrnQrvoaBrgF+orUBVCHX70xaE3l6zmG+B8mO0+JuwGM1T+YGFYgznMA0heZqVdwDlD3jPWXy/2GE2X4yRP2Y7YPNYAg1BY+pY5OZ3OlCrRZ032/O+HUBvx5p22QohAX6eIkf1Q4CM/Zilc99l53uwze90Cv3EFPiHDwf2UNk4s4xyEFXPDgx97gK7y+38Y72f+5MgZu5RaecB+tOA9PrtFV+oLWirJicBpH+En73Mot8lF8N0LMTW9NQc9p4YkrVdTlAdZuW+oDEujuYfUzVsPGVw4m6+SCdABPCCbyrg124NWLKSGwkH3g7vcYXlN6ZDr4Jm3m6ExetTLPXK6t0KL4ap9ZxtoAk61N6xQOza3qH66jvVOEUd/V9/6U64cfYk+Yal1FA==,iv:SepW6DA9oaiIaPM3KNUhX8LL48qF17WWxBkX5v6rPKs=,tag:/Q/EEZ8D/xzD7F0cx2Ubzw==,type:str]",
+							"mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:XcvfvTH0ISKBslsOp30=,iv:Qw7CwkW27JVniWeyCDkyDM61oIaDfsYq/Be9a7k8j3w=,tag:ZOO7cBfLK0TB/AldL3Nxxw==,type:str]",
+							"mailserver_sasl_passwd": "ENC[AES256_GCM,data:63x2U76ohnUnQI/oxJP/RrBbUuk8aKvXJZA5QUVhQi4MPXGeOUft6oS6GY1V0b0EzkIoCBGW4kdEiez1XufyN+OIa6wltemeu4iZLKL4p3SfSXt1HgncLOK9qyZt4+H68f1IgaWYf/Zf6a9q9nn0zBMWVeazaqE43KDQq/MqRmebp+sOnhWFLSKiOQQHadu9zYY=,iv:zbZCZul3UH55g+tcWJuza97i3x0C3kGuc/6xHIRMMT4=,tag:E2vss5wWDzGlRs8yxy7ggg==,type:str]",
+							"monitoring_idrac_password": "ENC[AES256_GCM,data:Am9/pLdX,iv:/uXEBTgsMuYshihYR9HM7JLtKtmY7RAtJJWOsmvehfY=,tag:ej26qdT7jNmEfQRf2WrsNQ==,type:str]",
+							"pve_password": "ENC[AES256_GCM,data:d2WSaqhVyhCepwVgPYR+l5JwAKthpCkXNbiEqw==,iv:3UWze1yohvSz4W1P4QRepZ2DThcGhPUosSm+2kehFKA=,tag:o93N1Mz4Wk6Ws9iQBhlLnw==,type:str]",
+							"technitium_db_password": "ENC[AES256_GCM,data:wpN2TMEfdRyZErss1Ws=,iv:uNxRpIzoifFjpZqVDHdEmk8s3swTp8POozmHu0SiZP4=,tag:kktoKZD6vVcQAKfBYOR5gQ==,type:str]",
+							"technitium_password": "ENC[AES256_GCM,data:wCYw7uHYpGu4dOMs+OaO6kS3l+5c97I=,iv:GxCuItU/0pVEd+qJJCwB7cfccErHq0/KBx6lmdHQmec=,tag:qml2sFDNuD017BubLJVTHA==,type:str]",
+							"technitium_username": "ENC[AES256_GCM,data:/0H6R6A=,iv:bAPIgbLA7Uv1fAQPpWgzp5AMUbJ2pgRdtcij3MSgkxc=,tag:EhoQtol3RYDXtpbqvtAVdQ==,type:str]",
+							"tiny_tuya_service_secret": "ENC[AES256_GCM,data:zcKSO5MqOD88CKBpRYUyGzC56D215g==,iv:dey34wdqpZDLhZMgFFt7WOTF9FPpJ5ETQUga/pqd/8s=,tag:Kl75e8TkHWN1jmt6Q37DyQ==,type:str]",
+							"truenas_api_key": "ENC[AES256_GCM,data:SyhVpUFrpUJURBr2kx05HrvD+W2MjXpioEOU9e8i2KhKijoNRNkRvELHAx5kq7L/ZVr4UHZ05Fqe1vGfXMRcqXC+,iv:/vLhRYE45F7mCGFULEsnihp3XNhgXel4QDI48dmGEos=,tag:T15u0pqC5IMIh7l2bitcWw==,type:str]",
+							"truenas_ssh_private_key": "ENC[AES256_GCM,data:Snn2AZLIePc7GRxmNaBgeb2aTXsz0pjon8jbbIkHbuswAclGy8N/xDfK2Utv0yMK1uW4WypG+x4B+zzTtRaZiJQtmUxz+0iHwhCuYd8TLkZq2Y0hGMfct50aw147umTXi5q+51Wxvk3hQxQNrQkvQGrJvYby7CZt8cuzXJAEARy173Hkr/W+Lxzfj95WNtwa7AGGZ0PWc+a4VudSmvy80eHwaHtIWu7+QloFdESJpdKs+TPnVSF7GQr174z/r2Fj0hwIlbDYwQQ+kbm3Tn/aBvx1u2Q5NDpalPAgjRaObuMxm04z6/u7GpGCKeI8DKawGGRbVIFhoH2hJPaseyJi0lOiplueNvgnXIPvMEtmI8+F6z6Bc7HRG84t1AqEGraoiTN7C7keo85VaPFHwECgw5vYzw+PaFWVxN1FFaWC7CHNCRoogLjE5Y2rZlnil8YHnc6Xs9HHYL3e6omEIwOeJPROs4SbtzTO5twRYHoeqiryr/J+rEl2jXbn8mCj1RPJHGQruRq8NOOCmKF5QqZk99mdE7cBvG3SWxLZ,iv:QaPBfzvJqxl9Kju/XN8/QHwQ4cvpD+E77q0GWqRs95E=,tag:Ha6TuBnzcgpF+K2mgW5NkA==,type:str]",
+							"vaultwarden_smtp_password": "ENC[AES256_GCM,data:/KQLOAAbWhR3HqJ+lamX9Gbv6R0=,iv:k/9F17UUr5DBd7Bst7gHa8R/zKxU9EWfGNTo+lx6dds=,tag:D/Oov8/dPHHmu5mJSnInaA==,type:str]",
+							"webhook_handler_git_token": "ENC[AES256_GCM,data:D8DEU/ZZBgz509h3atvxlTWcQyjWrpJHmfLY2N4eeHnOelEJLtVF5Q==,iv:Dkttdm0YpvSUs/bXc6kmmMM9mPdNQiJH0nSSu7Lc1nw=,tag:dZ+VhtwdFmtO6/tGDq7OZA==,type:str]",
+							"webhook_handler_git_user": "ENC[AES256_GCM,data:YpnU4YROr5+6TutU,iv:VFMxya7jlGawWHDvjpZy8oBBQuTv+nB2XmMi1y4/uOs=,tag:IeF0SRqcYhsql3v1PoXLyA==,type:str]",
+							"wireguard_firewall_sh": "ENC[AES256_GCM,data:SLjQhevGOhmwlyowIAUjNO3tgar6skuCvKdgptv5HBn7tAkY/i+Zlp215g79VFXFAbXmh2VT8Bxz4bHBEDsqgx5Es3Z5GgXTghnM8s1ws0AEksbRdgmgNIAIghQKmxcmDPYU9evLUiSEgJ9pjDMjsgu4OCCkTGP3H58T4nbuyiW5TkO2deX0SHBPlyonfiSALUqD2fxDr/LlUHidwlDB9zN7IkCgLgl7OH4EFAJJI9mMAjG5eYCS+b8XAe9UqjLsa8livxxuvyEoTGm2cS3Hz9DzOsssrSade6m7BVzBX7MfGpIY+rPyvOYlCuhOdE2qSBqe1BN2r5w3Pjfh7fde4UXwCeyIQIrPPMVytqn8/P+Qalwj++5d790EPYkuTGnfHIizFInKa1P2Wb1JqGhU2UAIdpUmKC1ow60/LhHx3AgG4LmkufDoiV4hAuWnQinLRJ21GJ0nG8Z/vmrwH7k880R0jqPDXWXFU88Kx02O3YvQhGxRVY7Y0B9QyYKB/zgkQEN47veOPSMedi1D5h5LEKkUhdypY0XmSsSsVQ==,iv:+7hC5S3iszx1HgJ2YUkOy/7Do4o0alSkhe5p6866q/k=,tag:WQ26JEKb4rp8zefYz4MnOw==,type:str]",
+							"wireguard_wg_0_conf": "ENC[AES256_GCM,data:46qFfcZIfSLxJM4pU8wPhygaL4HudbYxWjBU/Jui2QCEyNObG6HFQvVQs9hAT94kqHnC+IzN95CwPTqQp52ZKVI8lOMt3NDjytgQwVa0FCaZmvsPy9H8hK/6fUKpLpMll5nFSq0/MVbuytQ95oH5UtM0Jh+M5aWYvPcMH2aGpEXGCvbo6ZgLRg1lqhl8HDVJM4l6bQRczC+is/8aF43ORbUEftXuWFa8FFoeo/lq/t6fxP3CRSiBgayMHjnNVoIpS/HmBb8XfE3T27L6+PfsZAvPT2LilsvekBF2Ne6VOXacReoel0oYfWCovunhDmMlM7QY9I9ma3midU4A5ImLNSlB6o7CkjqesDtrS5YT43srPQLwwZxDKib8037jWEiV5Ir67Gcj98qAjeTEKu7qDpfZTRxEan64vjOzMyIqgk8yd8D3rUxjKFvezCVDXIDX0NFNQ8CCfOp2hONghqdG55w416FQPSPhLuvLhKej87aFk1M4FxNJ1iQ6CWmTlEKdEXLTAAXUeLJhquwobITkZXWdandLr1RWgOliPUgOQFajTqujWxJYocpA7hWepMqDQ+8t//5HFbFUp3KvqTch1036xO4K07/nKMc+Txum1FEB0yXCv6UlRgfLnhzSRcPDL5zTef53VwjiPiWLlGUULIjGB1ylmGohfgLd73R8uDM5Uet29A4UzMWTK2hlAW0WL5OICv78r35uOvlYU6KpSywFO3Sdl1h20wQTi3N6IxlOwyAgKqsXIYS7grjQQvd7PiLuFzJkzjq/h2bhyLwPAUBvUmRrA9vNAIYkEy/fB41uurzgGMJor99RJ5TvNSxDWMNIovs6dcGMtA3feOyXlBNpCC0dxxO1/l06zr5QN+61IeUCBBFgZXqyoiBqz3Ijtif5ZopNc6oJ0UpULFGa9eJ63b6oGYh2nEOwmroBFUFs+QqR2cKY4Jj4uGsFYRnv2q6Icbu9Ary+NJR9xWRWiyYqsFhjaYsNsLRp7NaZeSfDkiSDLRLgD0/I189R4Qz+QYRtC9JD7BVdFc6EVh3x26C/RwRueAHZuB25KAAxGrH2XZEgeeMayB2QfFCFPARJ2VWJueDtfbayuLlAqfYTT8mLdI/oAZgP93G+sQgmtl/aRFZDTjzeXO9WQpjmLzvNMtwcLNb7O/CrghR7G15OjlOEIT6zwNZuuyEMIaYoYYZiusVBCzEE6OqPVJqICekM1HUyAghOSqkGLblaz/J59bFd5ohpZLurhj+NgW9nBVudqBxCI0FQIyOnvyh3Urkcz5KqH65Jfxswrq4gXSnHHPBfD1qbDmGNAh8j8YnC574bVaR7ikNT+/cTG6/+Mfq1Xo2V3/FanaXsfDbT5IDZ2s1eFHJb3Wk0GpaJqJ82drYkNy14cRPdorqkdX+48XovmMqtQdIyvw4+nx/MnYD3r5wD1TzcNJlbZvxZaHw8lfZVSDQgYJ5lxdPEXf8qD2Sg8uDTxgJcpxVWahIaEsPYMLMYhN3b35Expy+G9NnVk41sruiYJf6VX87SGFfnptRNPHW040g1kyPKingBTuvJXKgfSWBDQGo0K29adN+XXfo9r5AUhei25cumbcJ9Po6KaVFh4R+BMVhrne6I5rSn7Vt43jiBuLzvzON8XIuqEsM4swrv+YXGGOxNJH+sd9qdkD34vdrbvs1QewKq9E2Zxpnp+Jq+WsqPbLKYak5/Cq3TkHDO+kqSNt2mnUUrMTi7zzetOthXV7cHE4Rb6/g5v/L0VgHOhcHe6i0cMv4XSkCIALN8p4bMnf1VwwZYeZpk/umA6ITmOXnZjn1piL4OnRCcMaWSaSvmBLONxgHmSUoRZmIevS6VY4KQf4YEuxP8Oz7AJzBZkvjdCyU4j6hkmnexATWbUKvhMrEC/tSMNcQx7meWTq7hz1s3L2wMS6rROGdbXMpF3tB3/trzWMO392qFHWTRsmVNkZ+BJ46PbHgjCUhKSjV0m5Xmn35qyFbVSaBw71WH0GZKqvDDHbH4LrgwbOwS1GY4/R4PJ4OqmPAUNs6WigxWn5jD4AFy0ZLNOpVv2jWzFSI1Xd8w4BQg8Mym004AAm7l0VN13uL/RCYudwKOcC1XtxmKL9NEpZe5VBhHe/ggsswGWclTVw2IokrE5nMMKjz9oqWqNujt0fGC87PBvSUG5OCMxsWYx8R7UYtOSuOxHY6pRb/ZS2Mvvcr6IkHSXROwW1lxNKvwcMNoyJnxn88BLieBYQ5nvnlicIP1U72GN21eg3YH779/DddOD7mnPoImaNId0dHBaDjKF8IORY8ncUxlequ0TYRciNe990d5YfyILlcIVb++yxLrBZyvPOAXWMGx6j57aG63T1b2OQ8bMaziMzkZV1pL/zVOLkDezWThzcc61+2XOdBtwPbrTPrP7dCjhOmLK/g3l3KkrVLFPq7nuv7vxDG6H4gXYXr3I0txr25dQyPN40f4OZXlwVTMVd0puRqv2WXouNQEaTHJlH3298NfM1fMrYjY/IMijZvIMcJQeLNEwJulF5UybFS80WGGMxbN3FJNDNEJQfIikTGW+hst+GHf4AjVoNIOHXa1I5qqks8+O8+NLXZ3ZdAmQ5OT5GcIO/o7jjFrakTMUBE1vPAzRZwTdD1ySSdkIJkP5jNafhq5/FhrsfZD9F71I2mOSUIJ896YiH+4S8b78KnWWF3r9STASDIUmv2mcPhqFLw5RQVXtyNzlr7UvUcg9wDe056QtvC3U3jKp7yJZ1pa6AWhB7GHmLZu7mLkS0qNO6ooVj43kE0+GlNXhp6CuIYUTa2IcsKnv58uKDQ8IsyIAO75mf7UdL4zYOYMhCsJpeVLcWpLiQ4m/CA23qmjHrmbYrPvMgnqYlAK9unljbG5fE2RR+XWxCz2popbrsCxMvEQMasKX32ID7Jx8cjDrLim6CU7IAY3kDPAei0+UrJC3ASqoCQrgTkxlYBO09DCObbzq7k06UGKHrwE/rnq5xpqN8u3pZH7lMr5i8QSFfNEdd5a3t86YBMt4NLQ3u6JnRrkCDnbuZTUtmTA+K8+waY7Jn270uT6LIpnteidMaHlct4TCDXNedWQEIxQaEXmLQ0SSKjMMDZpr1WKAWPs8FGjdXgqjC34Q3rvQsu0Xr3W5mnv6ftLfe8zMBwm7ZMtBifppYHoPHk4/LtiT9xk0DwjiHizJ94tXzdCrX+STmDIvLz7DUAsU3PDiG7k7oGSxEEA3I6FO9LxeXnfcsf/r4bTYRkLObZSeZ/i4ceKrhMw1DZW9J/kMKyiODw6FOPKv9h8xxujW+reADZ2ZYIzAC/PrwExowZrxY+49/hWK+KGJ9+yx3NSfcB5FqWuVkSvxw47aWUSGouu8lmmahoA+J0odzPeaCN1BY/cRjGMgL/CkZ9WNaBOT5l39NW7U4QHa281S1sAN8IIY5C9A6uRYQcLJRywUyh4W32ZqKdA+xpeutXEoPMhyJDFsGynXU12dA==,iv:kaasKG4OeyCol4GB419nBy3si/B7M9AzHEja+jWX7lA=,tag:WeW5ikJA+WnthZaE6zTMZA==,type:str]",
+							"wireguard_wg_0_key": "ENC[AES256_GCM,data:PASPJFdMZ5SDU9A6jXSaofMdXYjIoLglCCozsf7rnbh0zbEuyGaei/40JH8=,iv:tUnci6tWAs42W+PXTQOp64Gm0N0tTM+FCDCKgLFV1o8=,tag:eWhAhW/3pMPeeEz503rv8w==,type:str]",
+							"xray_reality_clients": "ENC[AES256_GCM,data:dAVrJyVvZoGVR3NtqTpCmou5VeI9tgPw0ut2Vdc1d8WRmygHXW8nQopk48J4svI=,iv:H8ShKbU8UBjKqgtb8HsAQ0+3jcgRrfJQfQfkc/pkSJA=,tag:FvlzmsGIx77ydfjWNCcw4A==,type:str]",
+							"xray_reality_private_key": "ENC[AES256_GCM,data:xJoATC6kttH+iVdbBKHsO3PH0ut5N2Yw3jwffgYGZsgHKSbV1unLPFRcCw==,iv:tyEyI0aRPruTVPT/bkmMZ/UXk5H07EZGxBPkkR7WxAs=,tag:fFbw4tjEBN+6wrRSSbC8rg==,type:str]",
+							"xray_reality_short_ids": "ENC[AES256_GCM,data:bNipcozdq7ONo7e55tLvOH9hHKsYez+7gtec0+d10b3x6T8CEOszXIQFhqlJWLSTPMvEEBBKPRw6wkyNLrD2Wkk=,iv:YywSaNKryeiA0YjV+9Jnvjt5RjsQZhpLCmRDbqnwOq8=,tag:CdszHciO6QzJowRK8b+Gkg==,type:str]"
 						},
-						"data_json": "ENC[AES256_GCM,data:gvVWGSfRCvQ8LdQ52yKFnPA0PxLVEK6X3FhS3Sbq9WtrQhx2jIY9pdi849HZTn5rtYdb85c4wRv8wYysPGQqSPHupDH3WUj+BQIy8UjzQhj+KAPhEJo9aKyIZmsymMnBZKVP899BHAE9j0NvcKPXZM2DpaQE7X1p6/sf8mAMR2Rzx/htqQzg0DGUHPFrAD6pOv6schwVhcBCKoMv+u+fbkJ/7ux0bwWsv9s+tWPtP0+c+v8Il3XcrYK8T9qUkDTnw1r7i/AcmW5m6kdjK3XFkW+kp8AXJXN6FoGH7Ti09rxbrq001Gw9Vu60mc/TtDNtVlfoFc5n1BjxoRZMehKs5ny9T4fOxdkyuePMFhKXDt5Ca5lgckAuZss2xFJmJC3bmR7mYYOT8qeUWLajxCGDhUVb78XUn/sPPXcGHVPTlr/06roMY4RMW2uePp0MWdJuuludA3Rg7EcBgOQUHoeaxRc1kOnNuMl4E8KHTrCJMkcDvBr8xaeQMThc9KXTXFNgKKIFof4uuVC0CxWeCVZgWjLEibchY8E9CG1TM892MRrrNr6KQ7+YfUdsvrkKfg9JGvfExNckNj82fQXVfvPIWFNdgcZSVfIGjM0W5sXjDIAjXBFSz8wpqyhepQcMmB95+qZWRU7sngCntd44Om8JXqoO7mJ0zSFM1CPAnbzCRJQukWuBLRe2YOlDMupUcWmU0xyl3Ty+baJz/WNwAjsGkkt8CiyHyodTbaUY1XVNDgbVjLzYCOoKro5X6yalVrslfRqqcw1uCWagSgI/jWJYQaS3QZ5+SmHQ6wvSfG0bs8zqpuAHEPHKFIlqwS9mDo8N5+jxoGabP0KKBKwdEaMx14NYU1fBoD+ZGYBH8OB4+jYfamoLg7qiHpA2ZcEtsE0AI4hVZ/Lv+Y+4zoS51GonOo5MORormyNlcyRLXTFuV6UIuYFgkZ67fuzLm/Dbov2B4nrq8G5m0VsLjrHZJnmGsq53BRLG+avke7CAwWs1/FQVHyZACGYE/aSWVgfMhaiDYY+c7OfA3HHTcGsi4XxbuyCjfyzvP8nLeHoFlw8ZS+fvqU8hLwJzpp/tMtDsbFYi3ry2OfYUAm64c8e82jfEgPl6wKgpbHbZ2aoldLtESEhednrtjM8wEkzz8Y9A0IxddoQxB9oxLvIo/+S8fYGzEmq727PGWnM938nx43KTfqtNfzc7xh3JJooSebz3taKi4gaXKyWKGgEzbEVNyPLY20E4IuVls8AVknUDjxf3KPSqUeIrkYFlQcD2//5RV9uqZYrxLS7eCb0pePGb40TzCnTJ+HjU383crJ5yMiDireKEJDJ9YyZHPPtrvdedmThpoU3hHyxL3Xvab4bB8KM++iIe2XeFDMyVJmvYqm9MCCyZWcA3lWMfbBE6vshRBiXkrsA9tM/RcPYN973HWZP/BSZ4venZJ2WdNlX+t8DvUV0P0lfULcPng+9Wa2ZIUMwtFB2/oLY+gz53STHi7jPHjicH9ZtkydvNxucdHi4SbTRSQr78Mg9PPXh6nRHQVm7mKnal9TUi4GpHSVGNWk2LjpzrJiK8NEkSaSMpJlkbbjbRcA6zq6Eh1DdPjEOlUvpmA/meHcRkSoKGkGZXw1YlX1xwUtfc+VA3aaVRNx33VjwEts5AYGwKlydLKx/6Je4fqqKvzCQRx2dM2l5x8koD4PTrUm56FvNA3pKc/GpnMwKc2cDrhcrx+OFJUvqB1xHqAn9mC4Wm63NnOp2xhNPOVKujVjmn87WX+LouUT2T7kiBDlAj2sPt6NQpBSMTTGSDPtd8FdDaxmgxZch9C/1lHOLf/cwqPDfxbWY7K2LFrnnN3PNMgErvgzBLUnTBzZgEnC2u2RCFGgyhl9SUeeFbmS4bZsERfuXOOTbIApQ4uh6EUhu/E8ck0uselhgo/xCDRQ/lXEz7AbgSq7Ejlnjw03nrTBO/5iG4bUAcoEqoUD0YPu9q/LW0wKtNU+5+Ocyn2je2Edu60+Tjrzn6Rj+rMnee+VYpkFKhq6bpvGFrC7oy+ck4BPdT+FSr2sy2RRHevPlNJYHec6MUmB2krf0CSIv7PfzPi0V39ixWPKq5bo7mBuxuODvQNmZXgmq+DNWcv/6SazRIuRAA5MwZ1d/TtPj15J2G/SGb4qO/jkZ/i7rG6JUZKnqXo89qgSuLjMPyNo09JkdSkkRZyBtbx745pZ+YLmw92211qMYYMCWVVZt9j3KgFfBzjFIdilsmqchVeDXWPzNh+WdETlrCFIwFbwCoSfg9Qaa0CAlLxFd/hMr/WgpUbOw4ii7v8VJONkK7XPUTluoUuL/sKf0cAWaEmIwo5e3qaOHngGgO+l+35KW8BwARTRev687mXUdC2RajVzobQuc4u6fl3UcpgacoaJbjS3hqvJIOz0/LellK1SSJOLIh6kmKhPKGUHgkYB0Aqa3sOnuKnYV+gvtGUY6Itr3yAgcR09FLC/p2zLC/67Hr19te11KNm1wTyfFVdG2ZOiOzsnPNyLQcJsfY7eb2eoAfPzT7rg/dLKlqdUWDDa+0q/fYDMBBqm20QGj68aG1gsi88toC2dpufi0oCmYR8RQLk/HU6wQ/2FK8ghaqSv/mKQmV89Ww0FuSFTkm9saIq8R1T7cxwuSzDd+Jho5qyV7CkFzRCvV0EdF4X2uXvdM6U0bT1IF1UTdfZ6cWZ83kXWFiqSZVzyYqS91bAhMatRsAO18bKSEz+B172vIKuFZVxNMkg+lswIwcppc7WOiIChhw9E+J/BS6S44AUzP2ETrOJrI5aIRrCOYFi8srCJOnqwZu00SRmMsixOtVJhgnJ1+eAxrhfcomHiQivQaVZy3gaVVwmVDj1OTPPr9cVp+eTYN26EMaiXcg4o8XafOz0BpXXP60lRpd0LMvY38iBD5G2ak3UAJ+nXLj3xnkeebvr8Imtn5i/J+HTnkDdyYJN3yasoxuEbJfYEYaVFeDHfYfnlAbAktaK9pCVVxPKmtrIgMAie6uvSZytHqP+qIw9DbGi1S6EIUrK4WnGGhyfwzmcAt7w3wnwEDHbbXKf1r21bM6DmUivcBvKXu0C/8FAtR818qSMCc2Gbob7CzSQzdzvSafMWbfXVV4hYFvnyb0ffauDCDgU9nnDQVju9C1UVy+2JBQZG1ra33LzOkfprpI4Sc+TZZK3jdzpjQGUD0ScfdyOKXaqDfEVM89OsSHtYZlJAd6K3XvIOJzeDwdVcgkXCBo/GJiNAMnSmglgTU9/r8YKvrmYEpnSQ3XlhJpunKrBta23vNO/wRdwtWd1+tRUqS/Qm9+DWO+dcgPjbS73XVefqNFuotl/DXySuOUkiOtg2qIEnYhneierzqjitvZjpjMEm5pXzkurnWNJygSY7nUJxsKSIkN7qUAxQaAC3H1EbVtGZR5ooyXBW16RVGv3Sor5r5+4euHN4K6/gZHR8gJCchhJhuegLa00fp9FMhyEN1JXa6t+4Lkgnu+9HrLQOuRak3kfusr11Xj8olcXfEZ0LyuRDGVKkdFby6JvyY4Z2wP5E2EqcSiexVN8u30kTKLXeUQdQgKF4GRTEFWB0LF6qIs/V0oDuHeJaCzATDDi1YCNb/vc/dZwav/oAPqhgFSboxI7Dp/kmnozHUrNbT7t4aW4VrWleGScpvcsjkf4oFKuHuLCkBGFATPav9NF5sNUHfgftfi2d2JR3K0KlzqoZ3OSgo1gryoG1b/xJhtQKMf/8XXz9zzEKvNQjmScHdweD55LysGfcc2+FngYDbrLNcXvzkNBszXN1ypVRl2MINslfFgqt4ctsjTNuec5fDDni8yEiDYzVEoTdgyQK9mMV9yKYpPOlEHgGHF3io4RlCKcW2yV6e+KSGrDxxe33RxmrNlelGsYQief7hlWvA74k1XFPc31eTNnpxQVHJjSwM69BQCw0UhVA8fbIqhUbKgZDVR3n2xeAGDHmUwo4GJf92DYJPMw6dq2wGo0/osz8kHHe8YGLOzHvxMZ+yRrDjDsoH+4oQxZe4pQwmvifciScQzIbjt9HXhE9TC7OUirijE1vAHbO/eIHG4saFm1zYqf/EvKwJWVxCXTKn5QNfscXPxZbHpoTO2HESwP9vF1SibZJEBn1ix9TjzG2lInXg/KTbVJEoTyVItcT24bsyfjG3JSt1fT9oMx7l9qfVEuDupapC2Q72DtSGQU7vl3m+LA+avgDdSiesQrxoESwL24StIxcWUOXYPgIY9ySBX+qVUxqhscLNIPfuyQEaF2X1kzgtRJdkJvCjX87sQaCJE3JOC+oemnP/MFNk9WYeEheyzPeVfVR6n62uMud08gserVi4kONFAtWkWKqWLT/v6R3xDJKh1QiwYOrA5Na2OfF1NDy/gZNBD7Jbg2v6bu2z0M5HPR2TcCFcgDgj4PgxSuwWxZkV5d9NZhEcFpDZy2g+43mFKSiMr6gn/OpIoqTO1M7B9DI8eFXN3aqDL2P1WYjwCinl0QZyYKNOwvaq+SPY94NolxaYt7wPC8ZZ8/JaHXmEQZxGh1xtev1GopV470B9YdHT3qhsRBXVajbdiR/i4XhkrmQYSw2Lgm4kTiSN0gkp0AIKSXSzvZP/HPCjVHQxfbCVlCYvPXSTaoYnK5cmrcgll8B8nDauUubHnjk9mCDYBfTvGSGznNB8GuMBbSjTm9HCMQjoNK4qu2Bed1eSyQ30HYx0e3gOu90FH7MW+C26P6/dw+FlB631u0n+41epob9l3y1LLeAQ9NbCW0BBXXXNDfxAYS8hVoRchN415zUS86rECHojIRH/XFHI0MqPV5mypBr/2O4Pm55zGRUaZNvm0Z0iHCQEjA6W6qBukBqno8NHB/STU02nrnG3jxPxoFQsrcOksSrxkH0hNQQPNylnVaRM8B8oLQWPhnTHHIeQLOGFJTnK0lf+EYE+OgPTvBKoraxFBM7dn8i3UG6vasdWkcaDge5qgTKSbJ7jknqz3d+u3Wlnf9Pg9F91NW4n1yO2yZACDDwsZlPznKtCaPuP8buAal6N7uObw/EroLTHy0uo352EUC5beYR7qYMNyKNLzxTQeNc5A7XYc7OiJAOVKMJ7KKVdz6mQZ+XYS1h/rxT65h1PSTm2P3TuO7r6lTTEEbOElYln7cSPQjSmEo7VLbLg6yRRTkMsd6V6RpPzii0Ld/k0W5toNLA+n/kpU1iy9spcocX0MR1upW24fcYYrrRN7NOObkiuy/AjOeM79HsLldJ4HhW6apFDAggxpd/5N2pWDJmOk56APvIFbiryGllbjmNXp7oFv12pKzyTk/TP4OdeNVm1IzZPUZnpBrXk/jqYmVkQss9qA7leNGn6qVBGl6E+HwkVgeF3zHHUR1prtKGUCr9C03Vm8RkqXR7hbcNc7oSoEzTHrqWWkaPSI89N41r1ucWYGzpSwr/kxj0aJPVdzUnE8Ul7gBNfCu5TlNTHbnrfo6TbCNFpQjiGFv/hjzvIwsQaSux5RpQR9jL9h1GW26qc85KwFwR6ieaDKsOsfdUidHBCilQPlBK5GFNF7PbXeKSmw8T3Q/RtVFkxlAnp6vDcOO0IZV+vfhs0QQUb1ME3/OIMKUuVhvYAscFxlDB1h+d/cQ33Zsc+RL+Y8IzoLWuYhLT9TwYr5T//zReFiqoTjMT2JbsBX1/Kt0XKm3h0S90wO/z4YfcJ5eiUIK9J/E7naQmfOsv7Aw0Y8HDuUgzmN29RkwPAo30zvpoAZWxwdceDJVuHcDtPRJnSbxZDhJ8tix4ZqUZtcAQ3TUsh5m9e/2iVYjGj1MOimnzS5eikMnCqi8COXHmRYwqq0OJEzSbRQlF2aqn0VyX7i6q3JLu5Ar2a5KnIC4AZTLlxif0nRmcOdQxKIJFhUabBIc8od+BPGOwxWQUVVBkCgJD2/3L/j7MqbYlS2pVcmMfUnO36b0+M0EQO2qtOhbKUHk+5L4fEUwtm8ovGnanlTwm0cNya3AEN1Cn0HjkDZEs0yD1xryFw2hGVZTnFVlHJRKNANcoC58G8v9QuSy6Ep/2G5KRc2bdYO5Sp1iy0lY3bM+Z95MoN7ktmk58JdRxzviiS6G5gJnBq/CEaryrykkYwrvPrWOspbt715JJBixbu+3P5/4lRc4p2bm968tcccdgokMPaj6iI1GTFTKEIXzCowVS4Xag/d82GQ71U2wsUp2wjfwP2Tp8pz6ZQCsliTNxOci5oMb6f9S4hgfbsIvKSpYL6dNIx8ek5FBU9G6t6iNVAAjNMe6f1dBB9fQ732WACyG6e4gs6rasz9POcxFpH47BmYOYgRTt4ZObUcdgekM/hiCoHyeh4GpYYgtYQO6RQaUzO+jsJFZ6dg0etId0qOZZ7+HdZG11WyK1jeOTa9eF/LH0ws1kUVN8j69IWhGD0zWyo3u3Z0sEZ0eyWIqzfpjmvuNLxF2iuktu7qB5G1YXFXv9CeCG41JcqSYrTMiBOIQb/Hjp0AGWqUCFsDvtjKOqnERxS55PsbcOy3cAEpYB5nvQuqBAL/lklpxFj3ESkw8BRMyIjIJo5lFnHFW5u/ZntUAuipUdvlOyWKjaR6ZNQp1lrn8gyXJ9mZoyZwYkdf5keqUR4e/HoiLRld3BcGvpZDZdGUlPIlkkQ7MdtFIC7f6hIvrV29u6k2AvYFCzgWO8+YzE+Osx7Wp/eqwMtnbf1aMh/n5LnWlqtE3cw+w+F2Z6144IdJME9WdzwzcvkAMjaou7hYDs+BBG33I1l1hZ+rsNs1nQHp9iKEpd5aVp2oJBmYI6n2krAfuatAnGho5QAr4GVbKRGbWrCKHxhoMDBLVZYSsgSp4rWfRP8Qe2CZlcSeOl34TOd3b0QDNGpA3MQrop68r3mWMx5zizrr1HJPGI9iqjK0X72qBJRoK8a1ddgIl+4qEMZA1TiXPBb8rerPFWOnCe53l80TyCFx6Rz4VxizPKAm1NW+okGsh0dSSWqi685ZwxaYQpR4pt0C/ijmZB5xn56hj1e1+s2Qv5tKYpK5eRftWPh76sBwDNbmiRYgpvFYUBfdPxYwKjHc81VeEeqbTPhPCEUxiFy2Aki8oOnELmhH5Mn6TDjCdEp91JzZe8j0ooGHPoTloKeBaUCf9m9mTvU2hukk0hJDFV18v/4PU6lfDGyFjS9RnEbBjPo05c16RCNmR7Zs04RcPdF7zASIqgm34SYhaLsR3H/2itTYbIihkV3O77Yf6h3t8UILlBXDfqc6vxcZ1VCsM7py/kn9HBiKR7mua5BI8UwXdCYE0R/riDHkannxH50p+SuBxzPR4E4nfjhZzDttLYh1DlldPnP1NGjUn/D9uaDBR2GF1rbuie8UhQ4YON9f3WThFLWNeUmNB8pzI0wUPUpKvaiFWAAGBcodbxA4nKtJ+AdSB/y7Vm91/1c3n2V5auBB+PIMHsVOy//OFD4tk7Spy8lHaKPFva9d1sNSHONjjmDzGyVDELZKVNzupRibLTj9Ww+GmEo75lO5TciodHglDir6oKfV5t5LFVAqUTHbCms/aS6aD0VQOzzMM6KmrIhUzBGHoZRBogOWvrhPI0j0DdvZO8/KMDRY3vKAnqq5n966BnEHgxkQb4x5MWyQCimfuHB7tIhij4wbhTOG6LI8oyc1ovy9t62/IDChf+c+YE6S05Chd0r8qG/ey/pbsW0neWg+DT0d32eue1dnnE+1kNxvcDYgs+dS5gd5WNTxkvFLgDk+/XZJpHvPJCbja3wznUTMIj576qJbKCZVYTygTSoEFeRrbfItR6t8e0twLmRLv/USOKlaer36sX18bwGFChfEkOECkrdqOd9Of4fRzzbjuxx5IGX67RhWrcpYhCn/doFLsb0UpO6Qy9YIJ3zoNHS+nPF+q6RkcjyUM1FVfbe6kSdoEuLm7Ja9YCVzVISHJr7UXo2BfjjyLpKOPS7Dx5W/gQ/apRYsquMP3Xtg0PP3zecUuSpZTlreYFQB4+uul5YN7AA2ef9lSJl+ZQ1W8OJbXoFWrpPWZ16yeqmObVP5W1tDwFH46KlxYQFRSGiFyByskiWX8O7xW+XWDzsIGlVyEoplRyivIyqj5QEp8MXKEqqC6qlRcvhi7j5HI404edOILWatypMhU5OWPx+3eL3WlYm0Qsd+4pOfsU3xN3YvkQi1aGSrodo3YjBR97PDuH7BNnc+qRi4CGZeO5kdcMhdzw43MT5OjcsjXwLaKub7XvU9leHLVDgjWf7mSuqm6s7Mmb3HArtyaXBu1t89FR6jTvCSQihnkbn3xGgkYNBAwckTZ4uQ/DSUQ0Y1elz00W9wf5FvPbnPvgxLdq+LT+29AQ6rUp/mSJWRe8iPYgPMGv9PP4HptGii6LYzr6dEL2E+0S7i7bYx5u8mSGS5dzQkAPGU3ryvXLLu6YVgiw2TA5U7Kz5O3/hFFabkr/EMSlc6JvOsqFQq4GE63F6wmYqTJ8tPvnUk8gbeXSMlEViEp62YntcwpBHKk7E7483WPg9Y45b2Zkvitef3Z95qy5jJmJrM2YSoQ0W3jXmklfB+arg797V/Ss0gogzfGdDhM5Snu6ftiDunfizZggjcJYt7O5UbujU3+UOOJewN51pGRrgQT1QEWnXdRcyZ7/ygpMsVS2r3IeIXKXtH45002cxgVrIb4elnS/B2Gmp9hE1hbhl129s/qkox6rFRkIHoQ6eSAO9Y3tIU7AXp89yeCDfOER5aJUKt+IBCRPgGHbkVKcJnF2NVxTKYAkyQw87W6f1uP10JEJif6I4V6AI2H6jKsgtzOV9k5ToISLycJZUIgM8QrQcRMainmJjapM45VkVzcsLcND8lcXZVjH0EcRL5RrlgEo9SoUZSMTcwD+q9qDKxrT/TnP0Okk5gd1BWakL1P+s+EJdMNFxR/l99wyo14KcoKx4lAH3oJmEC+iJPybxko0aBrQH89hUXgsaVYebNfQDL7WZzICbAaAPWw3diW9ATEahU0G/9R++T/0Z3TJ+BTtUMZpJmk5fUff4GYy8kVt83/4laST+hlCcZxxDVWeYkVFUwD69aSIXUV1s7S19oIyRobfcCot8zDhxvOaagAr+ReGkW+EHVbCkqqpn35du+C2vqBhDOvGJH/dwpbqsI57utcFAy48czUyTCHJLQrNHPcvc2YT5Su+NPgJf1q/7/dyJiGVnZ69iJK7cY4B4O5WhtThsAHetdQbdKqvdE/5IFKZ745gdVCu4iQnylFRNsgQbtqmWxxOSyIZZy/7v73OZLA72SzzWf3V7nzWqRH5mvy+FokHCTaUs1DtD6pQxCEISztXmZlI1CCMkZV38OFKj+RgiBt/eViclcT74vSuLKLbfTcdGprHGjRoN7pdjxn0n/GeCedF+Wjny+RkyocHXMXFBF9YOiJVzmXiKB0IlTY7ktHrHvrBzdHGzLBuIEUwGMWYjnFCr5vH27zDwGBtc7La3usq4cXsSAuGSw07+Nazrvcf+mxGhXn2v4npW78QaIXdyxBXanrDv3Uwjle2o5Ln3Fp6TLxSQCOV49eH43JLZQ0FZTXG1m7UQnkHDJO3m2gyDjEbSQVgPVLuNxciTcjBcdtqQgX3R7yhF+ekfIwBbJ1krDwgTHZNdVQwztc0UAGRjXyZuoPHsLkZIvt3PKGfdW47y9X2vfjoNROZuXFQ5yC9Aqjp4yVisZwy2L9vYWKAEoa4kK9KQ3RZFyoU9egKKNdqAZeIE6aN2PSYWKso4pfR7jqMNj0+7dff09dg6WOXDxUEkvKyybQ3VyA88dHwomaFYrnjXmdSYLC8hjG+qqcY40Ztl0y71heoKxHz7LFJAarxXUm1ye76y5X7bWFx7Pa0r4DC33fIk5/45xSAZLBsgk6GDfsil0wLkLiOApJA9g4hQb5nKeplElew9wGZiwibFYBefXFAVyrWO7+5eoY/950X+ti6o1bUw4PG2zws53YSjjZrnQE2dAKgTes5vGvMj6V2hBtt2Ib8ueFWoRZpnsbXuw2N6qhGjcDugSJioV2oSXUV2P7DsDnlzlIjz02bKIZyJjpY4IaCDcHA9R9kjepvBT5oUqh3ZmCDSPk7nrjF6GIxoIc+vyOVwf6RPxmG+7XAsKVP0TgRYg6UafOtRX8vsO7oVo0MSkcc1/u8TvogIDwXgP23K8LasjW4nEhaDYPL2bd1jEqLmMkI8mCnZ+LhCB0gCkIo0miIzNl24wbeLXcLOaituym/HFtHSggWd5MY397v9Zs9OtGPGZPvu97nTF/KW4e5CvK8SHHm+PBYdeBkDoJY4SrWiZ6fjFe2TxVJ59yN05MrNk+7mbhF7OGwHzCN/0QDPiUigYTuGrZl+827gPziuc+XACvTcp13FDwWuCQy14Y8SttM7zpGH6pWEjVsM2dvcY3aDI9GfPIL9Z2Lah1lcIZ8OqSlaoezrTbrksz01iuqAyLr0fpNXbrALEGoBRvCwBeCcCs3lS6XoqL6rTT4PXd1Pja1ffE9P0tcZebdbDAoStlOLV+FDHPPAUCCHDBS9eT4moUAKnxoj23gaRSyfWPEsROkX+nOs1kkC1ug3LJ82l4e9L9zRwomKcDwXOMeG7MvcjCdh95mTZN18kbR/QaohRgn/wa2dSB9IoFbCDOFm48W8WiwvT1H/YQ8oWK6D+HCOFsiNzLGfeCf4ka5/qOjA8nOUTiGMnlNcFQ3MBVLaIMzPUIemGPV1DbEgTLdCYNmCDz2hMIf7WhLEj2U9eBoNcqqH27SV6DJxUcgtthpCH4r99jinpln0bCqts97arzrsYqPXOV6lg2j6GrdiP3hWJ5yUo2mwN9PjP3/h3mctAbgzXv4tPVeTDf1/Ll6Z5CKlHxUJcTcV0u8icZueGCZHQi7lajtvLjwGoyOrgoX7e460lc5oU0N9iYPbAY528IIeRZzuZyX0HEs/AZwZddzYHHcDbBA5W5DcfLqx/0KTXEpU+RMhnxCgSYTjHC+AHgyGPSUZsfXh0Ze/tc2aYZipDcUgh+KuAcXZ527f8GRZJM8z8BemIN9kLRQZXi25srGYJ8ev3wLqmFNWNd4ZQyVgNa/pXpOh4TmxEE+Q+MmXyK2we7eJ9PzFHMfcrlxAl/FFwlxf2oCg8j/t9bI1O3PDx3oUHExoadIYp68kV6m+qADb5pLxrbbDQ3fclrPJzf417F60bxNnU54X1tulV8dgb9//zpDyIxsJz+GyCoXfbR4zkC//T9IRrAr7Apbnjau0ZatQG9qnb3xy9q7kUOpS9Rni9vEBPzrFioquCxZbfo4z2sgGmBs53WhRsK4XfaWSV7NZo2fRAn9JzLgbG7A+FG9tpSvPf31tP2YqEqC+Ts3BhADfxphXkXlgcLR/3urmSMZl0tpoLNcu2vSRoaK9+coZ3hokOSC94qlSebNjQDx4X+ImrMhnAyYyZi2nx3XAq5HNB6S3tO4udL27yInD9HyxXULDtTm8THMviy79pxUUs9hBPeiCcKg4jHTddeDpRXUTAF1iSlZ66xfkhQuGVV9caOvEKdyDc7fr5WTQwHG6vOwFzX05aL8CLc96XuAGoFw9Es39DQWeGtR5rdwzBp9ZUogeSOWytCjEvBqA08cYpu9mAm6tSQ1PwiZyqRIYSXd8QIlVXaMD+IDraJrgFDl9jD+TPkf3/IyJab3qYiRPPkBjpUVwGInYY2SxpmnQikOZiq56j9e9Ul+VpH2VvgLnky4uBXXq37+daW/IWQ4VY5L8aG4Pwl3evOmStSrjtFK2GHXlM8y3B/cQAFK1T6B5wGasYwVqaFjvuWmE6oexrtsCWVw2JFC1dC1NuSw2fSyVkIZIH1rjpGX36fE33ILXAoIU+mNxOgfQir7JcJHXtm3U5Hl+mUpk+I+JWcN6lKPS6tyD3W/nRaRkkPWR+T/3R2GbQPv0yHwQuOcmQ6g69OOvGVXwyFPYxnyArgDYB+SdZn/oDhNOVOC+2a5hnyFCN8+5k+zR9rSa76FFNslGVmcwLyqXNgn/kygB+Vc+EXYxbD9D6A3nMRMExrRL2QJGcA0jKO9xhSFLZUvKtz4rb3YHenW2adyIgfhQzL+3V0Ztc/SSxv8Xgi5Za0SWxTcKUSt1Sf/cCyhRXE/Hw8BStpwol2ncXXbflPZalNpK6OwgjPccp9JXD2LTgoq2D1YxLLC5EHR6Q+3ajgqDfJoB2YmL8+f0o9msKshQSbT26/j+MDcdXBG0nlke60YtcI/UWh5C6L59/cjjl36NKE3/PhRmbh+8KYaRcGnBuu31JNvIBtdLPstPFLVPHyiul5libNWd9E5LIROW6ifdkUpPLJ3d6m9Yk7Cbj7RXNgaZp07K1IkHhcom0yDLuPUJzkYg3IgPrR2xK8R4W/GB3f2XBpKHyUo1VtYvCVAzzOeOAE+056QSANH2IEcR6togFZ7zLDETaoLc2ve7UtyYnGnTU9rrQkvmd1/uZgA/+rJ/P4N9KJxTPkRfvQ3701IG3cz9zeETrIcrpBPRLbVYH6xxqajD9v1M0RAq8u8TYPlwikwr+wC+n2HNl1VuDN2cmyXiF3qTsF0J9YnCBGNvWHGJuzwAWvZI7qWKqzSs//v3E90dHoiUM6cw6bjYjbJ7V8PbsNHliakSarF4YfypnHF9zyvLzzb4LR5FRMQ+Sbr5MZo0Bw2D0tdIvrLu85a5wRjbNK8H9ryGRCEh83q0J1780TXvMaenMw0GQTbJS5mMv5w87snDE1QfCrRSobT5D77fjoORjT7cTqu4wijKbvoMNg9tV3CBoTJuKih4oXGkT6ZnlZA+3GnPL0hV0qorlxfPJE+lovIWp+1HpK+BrkC2r1qoTxh89Fz6odAiiKu850YOruV8Fjp94ZM3JGRERjX5AV8vWVe8SFx/UHNbnArYF/UCmWUn+KWKDRSGCf9y/WR/P4tYoOiytdQhGTx0En2BP83of1Vnxp6ZXEw9h9qpPI/uIj5El1mm7fn6qHeSCzOnXZzWhUU0Qekm//FwMsMgh1HFVyuXYa83L45cwCjbyyHgGfNYQaLwwLydXxHOH+BArmYWl9PcuB4IoIj5Nh4Dm+I0PLjm/8cs9jgNXi97Y0C9xCZ5lPWz/1gzcJKmN76SNPGdguISlN4wTyjhIG+Qw5+FRxNScgn9qt0+05hJxdD7fbew5LH6Er4GTHarCRdupJLMh4XVH7cRf/ebuGYvNONNxt2CX2gSQ3M9fCJ+aRDOFjnSdt+ELRZ6Ehvpi5MxYZunhneJ3pCn/62lXCr/bYsAYyUolwis21SxRP9BNQBAkNIf4LGVky+ZQ0LIjvVdOywac/0QNx0nXi9B4CzIZtlhLi/VznXvyqYMPkaN5nXVPv2s8qNngGu/ERix0gsngjvlHl6wluVUhZ7YGNjC1lZNkx8SfktLphd9zjB38QQrMJLna989OCiDyKWRbi6VeXL3YTqLjmkiVEDmrAbw31GYfgalVDkY8KVjqpS/CVqpusbkX5GujujECMrZngG93bjwhRNi1yrxhrgph1MlbvHoZ/4WrQ2+oKvCuin5KWGAZxpP90KhJgJ+U8PaTVUq7xZlHJ4K5SFNqVJlKIjZqSD390VtYQJGuAS/yinS6w+mDBWAL4zdvHqXo3xuNh3S+Yl09apnAO+xwThf+1MF2RYkeKiDXJPgd+/tJSQ9E03TZM8CJR3KHX+JbGnOplt4xW/IEpG6orExzgw16mujGFfA70PWAr8tLUCp78Of0ghAu5P82+RD/lVfrWZloUU18UvRoqrtNHUZfUMFSgLOVPnCeQ2Aymi6uyO/HrJmc+dMyUpHgAGT9PgtaegKJ3/naWChhOWTNei4Kk3JZ1KYAhKNcTpyaohVHkDEyK0+QRX6zlR2sCsmNqQoKTB15TQa04ORXT3NYOSt1j7DVH3wVE6Eh3O8G2WGUWEjn41NljZaAvpYxQdeforjldejdhadm1qkjYBad3l+VHPc2Ln7drEV5yHrLuxDfg3d8MpTNOMIsVnx+rHaIalKxGx7GaAbi5oRl/57OMv3HMKWYqSlhbXUo1KtfciAMG7x61Sx8T2znShbViByf8dTt9eHPj04oECRZBJAxtk00MjxuANaovllsbLMYEh8ib+2E344QFb7bmRlEcIHKNtWB5lAOv1dHRFuRxIICH/DcQtKnttG/HLcx+m0lP+EAX1sHAiFzsqvh3NEpH6U4dTsHCbpi8WjXj/vE1IdiMuH6vVt+K/Yx9192JIqTT77GZNOUfF6Wu3q9RA04P/+HigYNjGdCVZKBfbTpCdNAQKwEIKIvqQUFUNtEyZJcd2vqh/XW6hU4C+IEQLt1W7W9ZMIQGFOoibKq8K0EMdlW4oew2LdNHj4Y7MzZKbYJmhDJ7KyWqFdGql+wYjXCV7+kkqy87MRYuWl74FnsEoBPkfk5V9JxpvF7X8zfM333zwVbwxW3P5WJNu50dg0BLhv2mRo9AH3mkD6bn9V38bOR05+iHgNMABX0hqeoDemlLUFglkSXIu24KN+5T43+oXH+JNfKfk7djFAQNbFZqY+V7zROSHNPZzVhg7sDvebUYqe0N4aPgXty+mISmY79w8sb1ACm+Z47ZvTaBVDZcr9sElp5I6FYb6vNoiIPidnPGyOtoQKDFcnfN5I04NgYNjWZC8Mq3ImTkbUXrBHhwJOJKXNL7ZcVTRT028RSxz3CBADkUN6LCoej3JvqkAjh/1Z0yRHQhCf7n8sYTChtkD6c/WZaYMiH3wD4rH3VCjfYNne52yoALhajFgmgvY+BNkY4ffp7nT7S3VtMxEi1Efoi9vg4mrjqc5jD+foZvvsjOqyIhkI18BtdU/K+u0FUUqe1OWi79RJ5Uk/4wZTvRyLTikkbIaX1zwV7YO5+QnNfa6kmmEfVJojL4SkizfhF/X+2ZD02K66GqkAoBqEMh2pNc6wRJbLSV+sdSsOVu3WRIJDasslxpO2DIS3c4WJJe7MDtL5iwya8FdQmhr6C9E/H4qWQbZS61aalkJzBbbLQY81jdq2WbYB5nu+f8+YQn65NUop5YHm1XUsbnQx6PAZZNhO6MVpCcnsxNf3L71En4c32glzg9SV6Q7zIfkefPik2Y3VOHb+dkHNyN6oDrky1eHsW4Z2iCx/0lHrF2KW9K2GlgZSRvQan7hSR7+9Ovt+/PykwwRa4RbZ0ZmYkxdmeI6R4Wct9k3Rpg/pUnmY/7VPEC4EYvEFQ4+ULUvmND5ppUVGgm5yoULqKQLQ5zkZwRtwTaXkvuxTdYkg/68jEw4orH9vrZPKRi/yrAa1OKP1Z3SJqe5WoaZwvacxzdkYhjA1os04CHFfD4H9k5IjdsDjHQeiPtTQKVH11XkyLjhGApK8lgTR2lRceQ7qYYRDQ32lPp0Hy33iu25roIUmE6X2y0XnYAMxg8beRwrOPYwXOTrROiw+Ma+zLaLto7KsxO0x3VO6tF8gnc0v2G8xGCKiu07asw4ILjXZ/pgBwey/VCq1wF+LfvqmBv5xknyHicZ2ptrlV2Ruwe45pwXW5PPrdNzWV66J9ulrbZqpxnlUWtgZsfjR9h7Pul5nZxQi9gWOJVOobuoOUDt+o/N8GtEzL4HpnYjAAta/jkIrWteJoTxYbjJxLUHpLMoW7z8Ub9ZLlBcBBVip+WgVQNWtjfxMPsm1KnPvqBojL6FHfN8vRQ49UFJVDOzAC9AsFj6rsb/mki/NvQDyNIW54OeatDJG/ywJsHOqTSocN6gQZwNWQQ2aiY6NR2XlY3bColjHhDdev9NA6XveOJcjY5bc6tN5S3k2yNFe5TMTJVfEpdebDaDlFtRMJ3l13XTeGbpCnLrydj0fdMxr7mLk7w3fDCtWS4704ANt6f4xyTCOG6nlP4Ff5vXpCaLLgmjE6e2zvtwV09ISkPE6QR3QgO5U3PEnyTTOtaoRgl714yGGFFyD2jkMIyoEQkO/LqsrKQPnRRfRc8Llsm6NJqu7zcVrMnwwtzltz5hfAltFaRHTaPiGrC+PAm47byc9oXMvmoOYyFzOsrT19LA1jOaUH6sL5yJDByfPcP/ri8ZBlvOSFQlh3cdcRZiMtgQlvK8UdvZzmeFnfJ1gzJUg3pjvlzs/YzJ18WlutXjtARciSfKiNgiSYt+wM+Cl0ZEadQAIV/VD7d5A/UYNYKT+4kMDwTJOMZT/c4g5gCzntM206ps8lRZ66JWYK8Y8a43WzVg62Qk+xEACTeAJ48/eBu+mm8xQuiRR5xxBf2G+nvlQsBeQ5PqbXMC9Wd9CLLyd53UMiH1WwDueMvp6ypQEdCDoKi3ernv8MKCq0n94DcJ3OGLXQegZA/FxGWdKCbXnF3GgqKi2xfb6sfqkcXUL8r+GveNbZjAWFY6s2MmU74PkeZoe5pJ7IGHSBchKGieaidg40mUQWYToayCXycLzU2/a8rxWDahEVfjypWaHggXZna972l/sNONHyj1Zz6xJpstu0Uft3eiZ4LJsQfhO38i9NmtB6ztGMqQ3OAo4nc/uWQqDJBCSbXPsrpfk65yAFnA98zOzzNc84/MtdFyli5FLEeEfO73uvq4ej7KEIf0ZZ4/svbF7gJMUbjSiAsusvNXkOTDDDzngIH45zw/23LexYbU4/05rRxkrvGnoRFSEoJaZlE47vVxQKEbyyOZXlh74Ghm7uL6U0cG2IJTl64zFgFUaFSn42VXdtt7vGhT7mXTgilBbwKACRsJ0IB/B6WKVFy6N87pQ+Oa6m7hL6z7ctJDojc3m1cPvvuSzmwvltHpk+nSs0iS1511NBqo8j68mR+swaf8LbcxCqOW2pilJMVXKyvcOWnCowU1h2MnUOMkEDI/dkmuwJryY092GdRNEgKGCfKvnj9t3e2Pzc9g0EPKDAe/iriueC9w7McmvTT+wRcdz2uRziWJ6pZTNoaaY2TGogQeZOP+4UyFR6RggWxREm+TsyikL/C1y28HvXTmmMOLk+7TjBSZtNNqkPsIwQJchpSWrZtixsHGNdp2ysBzVgh4Ciypg58/nYt6zuASQJbrXiKZPGfJlqq2/JZFvNoq44QOl3mOacF/A349yMkIsWY0bu7+zbzdsQOXMyTz9jJMdYxlqi0nGah144qd0HYNsDEcG382jU4DU+juoTHXJG+9jOtneQjRHDvtoDNJQaXGYBdCG2TW11O9h2IxqSa+yE3p540IHIkEIuAYD0bOxNJPdEBTqNa6mlozcJzD/eJS67E3+XdFrgJxWEhz1QDshHB7+OZ6S/ebkUO3B5ep2lXYX1i0Djft25AaPllONuOknlf3L9BFGasJDYIwq48VOzkQFJkfcjbJcNTb16mPcMv8rY6OY6dL1PSqQdNVHwK/L/KgEVjbdYLF2MuJ2fjsslUrknPHxeubf1Ax/oLCRwbTj1vVyJW7+x8CF4T5aBzoaRaM6Bx62k8k1xWtASTgBJ4Z3OWKGzvDcBowSxpnE3RckZTxl2M8SnKpe4QK5XaY1BWVEKxRFJLElZ8MOr8w2SDZLhaGH3k54Ia/QsrPH2njbRJ4e0GBA0bZM8fVcqm3kprx5uWMfv9TnNHGck7DhxMx8v6HUnjhSvvRuuXjWroHfplq/knLHCJA/scctLyBwor4nrIT/vUB+38onRuWUrrD5MiHYvFs6/NL0Wcj1tD7hqYAJM6ej2bVCwBEf2P7ZRAMddqlIw//sTUR/vn7Sz/g+yX+f94peDmblvCZUbYRnK6zs5PvC5k+eXNsuOJXpwqmIA8FGm3GaWsfMPmHOnnn5yIqGe6Xkr0O0VjTaSvJjjdHtxNsWtDISQKj/C9HcnqOEeZascgp7VK8A9RS1JfzJF1V+0yDO3hk17ZW5drYSBMCRdRTb50KCoZub+noLmdAliY+f4X77YXpE9aaHn0i1hEg20FsSl0snuJEJHbgcn+jLQ2QvByJIG0pgRaibZgpFdg8BVyK/lx1Djd7BbB3UgM8+06RKinfX/cANM0TEcQpczxfirLdfJahrCOH3TaUV1N0pQEHOfXkW9YUUqeMB0HHQP/kW8fdMiScLZ8SwvTHa2+EbMVF/644NP/kCxG1E/eI4tVteKqnqeL2Z0kUt8WYQmQyR2hywitNvDk3Z1vEWnVhbCh0/SMmC8lhkUy9P0Ge7uxmwazrMX18CNwreW76NySxoxanFuMsBr17wUuV3HWOpdMh91GBu54/CnoSj8wQ7fMNYu7D2I0+j0waBBto7mRzS4rBuBuVHHRAyRxHLpFoXJRh4T22fepjslHAPRCi8galRiI0D5OqOepF2G3vtqw3S6Y7pVZ4mjY7b5ym+GFSgT4tu3bSznflhcuyUoiM7wocCv+1yK6AROAa/0dEJ2bMOXQsrhM7BGy1PLhvReNqvUI1m3Ifvk2oDrKNZ5takcc0yYcvwslDpRrKY48D/oQKT6s/v0ZW2X2Sgcfd1YxYps3eTz/eYxQd14B9lE8Hvwiv7rubY4ysiA4NndpIrJFbyJB/y2W1kjabiEgBhkbLBKzTgBQwmfmEBoxuZ6ZkH2zd6iTTJ+0h/3LI/BQom5CGUB7S+PvlhX1rF9haN7Kzpj0ifOSTzjvpwleFlArYPD+84oT8HdliUpQ0gkJVm6JAw9AsY2zINBFj1jtNDLZasWH+MDiLIuQNdz4E3T022jGOcEVHxTvNliEcAj22BknGAgfL1tPd+rRlFZaE+9WYH/qwwjzmTBfrqn1ZgZ1EJNlw6jA27FxiOWtZr7CPksu9EnxCMMwWTBe6mroZWar5ExVMTzIyUl8U98Tp2l7RmY7fj1iEXdgAGO2l/q9q7bZsojn3Fh1bQ4MR12+4vURQlrg5wHT5CkrDCiyHGCfcTMgyTGjip9AncDaB/JGVm0iejIMBRgcKhWw+ScBQuXntYKOVySQSWezpnJGGaZsaxeewErlj3/mxcLJuh8UDssvYws25hwSGn8uJHAkI6MsYSO/5C3IvataC3s1hBWmQ7hmrRUdpIOtfOQZdenkA6h39/F2/n9zH1TR57HeL7cuiuivoZMYatXa73ti3rFF6l2apoN93E7v0Lhm9hhsx0ePTF1feEC/OX1JJoub5v5e6xuWne5lnYuJC3gGZjquva5UKpBZ7Q1yCGynKM1NQ711LEfuiVOc5QSmVGpLCu71SLP7voqhUtmdn/suFTF12N/WLzX1Prlv/OrLcAcgvyf1csef1irXDG9sUlu5c1aX1u2tcYXNcuNTn6fAERXObndYFRcwVf3H3D1cqO4jI2ecBMY4TSsHPEkqkNvggr7DRRR0tuRVe44wXfc6zfYE0/D8kAR4hxp86wXjWNlhALHjyEzwMBBM9dOGVkkecxTfHVwSD2PKEh7PlB3hzVltaPfxcY9LvJZ8ZISZBLg2WoIE3X2e4XT+4QBH+fBNQ7RFmyHosN2+uGTM/SPEh0QNP8xAdJphBDcbudcf1V85Z/z9arlQaa5Hw/BPGdb7M24EHfUQjvnqR+Qi639ta+yclvXdxKTYF5x0n0w8otpy+C6/LoChPVqGzR2ehtRVCqX0mMZHBti3TR65OiBNWXcMXyHTt9bhdffCRh2QQgfD3AkjmrFqb4wXPOX9MzZVhq9GRNd6q+jPcIblcVjZt7+e+yld/b6H2vECUff3TvQFVCLUCyu0DEEQI4GpoCdKqUmndid1vlwQaq0dshuZKoMDMBkDkpy7cE+v0E/1d3zAqdrx74NHdDuhv4Jf5tlWqIaB7IaQSH9Ww7ZXD6y86W0S4YpELfySyfOm7xmueK4vJCj0x4E2NLi6rwngIkjERTQYMNfR4DEeKPLQIXxoA67QnHyX8GNb1uNQxGnWmNWB9Bq8hSSCEqNBW9YxMQTC+0F1c70xoQJBUAEnAczPnyO/mtacWm+EvNbOrlFT8mE41bete/JM5mA1sTO0HJZwGIhJtRtBUmt2dbTAvn2tA8TC5kTA1YRsQdk2QENEOjYw4gCCutYrJ1s65SY66NiexfXiR8PBbEXFDXzZHUEKTF2AuECtTR4l9WsrpRy/mccvYucPF0tdCwWPhshtoqLr7yx9e1eiIdD2471rnsVxQogf8xjQWEwVqdCLrD0ysmlCEVDAGrGmZozmhBtjQ3xV9z1W1BvxHDKgeK98E9AxEn2kKIcYZJvHKhc0mDy4hGZgS2XWmVL1DnEIRFueYSMjpv7Thkujjps1axB5dKDDXzXsYnCpVSJ99i46oBC2/knPPxGvlUfBfSbaK0XqCl5BQaRwIHwwjat7k4IawzQQVec36RWK1rGyK+yBlWFmw7iw39aFbrqbjjeNIC25o1BjxsEf5No1a0+QA0ftb7jJe3Ytt/brVnXYgIsk658ksvrU9/WuVCzz0Ydvnr+QsU2ZXC3e+JJNry4XNMo6InpKIWZk9QODAWwA6nW/7sNcPdRWf8Q+77FhqP46muGkJPTSfP7GJ/lbtVB038YC+0qa7d6R9tBLMRZ+03c8R14L2CIt3DdkELVTy5vAAmM8lx62lpGIMHYqbfMOeMsxfa6m0s4hxz/izhgK/0fdd26tQaYWG+Joi2x16fZoc7VlucOhnqx4gv3yYb2Ojk7/0oMucNSEQ2iZu5cB0kficmE6298msZK82oAgSFK61AbH/Gn1KVRkLTLN9lF5UpoKaNOkuK7CJEsKRHFCa9hj3thVofNB87Ngrxa6ZcbOPG/vxup2oguU5ifbDDGdFci/70XhhRa6qGeinvmAj1srie+xzsrWbjK/Kt4yZ9PVR2i3i/Hum1h3eN+4JrBIVFFxALuQiyz89JsRxv/KNdKKhOpV1ng4v9rlgOVfXNZxhGgGlpTBwwRLjig1dUrahnon8Q10qo8lUIFlK4GytJGF/fysE//KYqX8kn1f4Od6IpNRYCQkURzWKesusChD8xNzJX9R6oR7jga7Uv3v7Ss8+Nxrh3i7yDwf7b29Z2O+Lo+Z8WcElh1TLXgvk+hyVYlc28yT2DSxZylt+PwatFmnvgCluizj0QtjE05uImZCZKAbjKhSgKf4wGR8S3q/V52vl2KAH5QC6WD0HXXgOyKoMxcG18TzEETYG/U9kwi7TEs4LCm8fxjWm/hqrwxFSVifR7iID9aODsNADFjVXygEcDB0vbjxj2p9msVqEFz3fjqW2QmeYwxAGALyQwU7ZmWud9TZkYVMLH2jr2j3/Sey6qAWfnC1CXx+tOV3cqNVNBzBuNFImuV2myaNoohGz4zpirimM9yiCwdYe8DReLlCbmJ582NmZ3CSQtmWAVFXbAO/fJLjayjmlA7ficaw5QBTmUWuP9x9v20+sv4hVvFoRn9ZZY403W65SLKAaLmFE22cTUTupkdbWS1/8Of1kzDVVFn6iEYwp5crcYjyQpjVGQtT5aPY1DU7QfQXYXUj55mwF4IoJWoutw7K1C2CkkwNSZ7KzxXq13MIblkz4w6tSXkbfZEBDdyUjBMqdvUgFLljBSzLnkrQUfrtuRUsD9l162ltAF0VMawkWdA7SuPzA96ldhpIElW7TyO/niqpQv6oFLZXCGw0eclzuRvKsrdCO//P2r5U4lG1ZrEtNDejEpzIk13BkSgC+WdGfiM+Vgo/obAMiump0sXCc0Bc23/rSkb/gWqg9Biqap5yF2YRX7VCXWXL3WFFfTzoq7u2VPcy1Mi3LRzSPiN+WYdvJd6ZuaA4T3bc8mR70nEgOw9MmnhNc4gHvn53Pz4vsN2RmfRbtQoqk+YfuRmgjDgg0itBs2XpA0t056YFRJXbWc02nqMttAyG/oilo8CIRz40hV5QwrZ1jYnCZk8pgh5/7gCMvycCc06r7ikhGf0fn/s6QfTvSsHWNsgzt0cdeizaXGr54VJpM4Oi52VfJyBih8Mv7Ei5aAr/KIwKHxXY/ofhMl4bU9LG8V+ptSwx/kdipRUdXSgsd6GdrQTOXEJuhKovP781O8TlF1EWW8x7KsM3tid/Kbacnlt56doV0xKVpiVhtqoKpzIl6d9IZe1AmOcqaNJWKVY+9+jrZQP/OIlQOytUgfb+58yGJikXLhzUWX65481+B+XxbGSj4024zK8I0Y/kOiH0r6kIHh7+OUHI92o7rLbq/3SJ8fChQbj8kzRbERQ9Uk3yAli2y8Fl0y7KM0ztlw1fMEanSLaeb2COp3UnTWaJdyHPvrPWXpyzE+uXVBITGckGSGSNbOzNckDRiDT2ZsvdjAXzOK3JtF36CmyJS6R4KASfCJm+TDkOGU6/QvYCZyN/7E/nSBREfkOXgeLChlOAyjVPMYN4vRg5QyuI8DI5KJzz3+LM09z/QMI8uQEntHVyn1dKLStnjUCe/rZwmMkzQyeddWJ7XV+pQ9TCR8qYVtuOVgRJAmBXg9W3UI5jHlGYBd41UKQsxA/aJi1PUN7/n3rRHFS2ABq4sXz0aZOqQWygtaLvnagyoEWoV9TxkTcamhPSaTtvPbDH1dFCaBUDKe7kx6y13s+JFCoOCO613SggciY+JKRDm9H1+xafl60wWwVh/dc2dPzAtbZTru75hVrszy4jdmavPOAUbmaOwWep4ivmPA970NHII8XKEHQJ37VE6CLnOB8PUi32qweLQF3SMX3v1/hat6/WcPPcCVgc2GXiDafBAIHOjSWR4IfRgwQ/VQJYodTPumoSgGq3kCEH1RaquRyr8GcFRMmUcy7xc2yJkfW4N0eRmnf+OwjA1xOZvyebp6vTc4he7DGNn5NBi3cNWqmS0fbOD0dncw/JTv93n7etLEeJTbrPC8SBwGJFJVkabxR/XGxbRTxLWKkDvTpXjJuN7m9bf4AW/u/2tI8YKl3F1IGHSK+vC0u/4h61jo7nGnBgKkjTTtsiAePOW6SXgPh5e2Na+h4hsKls20lApX3RXd0j6QMZk3eMFbTOrCD2HurcUKdjZNMSAvtg/xNKV2lnfyJmwVZv8MTBfDljpYRDrX0R5w6PHZwc8GzpD3z+g4f7ScM8Uflns7DcwgCWjmgmgp+27/NwKsyLXOb+cw51uo5gloyLl5hOxJS1tJyZ2PiXg7Qj1HP0HeRFrNWkA1EN2xxQEzxMT6eryMv9YJ/wWDaZiSu3qaC5Og6HpAQpjl8EwTFVpgDw3sr5U5o9N/LnauQlrTQj1Eg7FPwf9i6IfNHWbTn3VI1B1+BSkkySqS7OGqKp+D+WLy2Wxg10DvCidDE4jZc7VAdu28vW/g0e89YbMyf+MtU/Iy+gEpJmOr/fH0nVHqxkb5/sM5onRECLXR7BP3Rwf4Eb9yNeT3k90VprSw4wEordqKUMr/hWb5JXBcyzZdjPFL5JTpo8pdee/YFZF2qJLf/bRf4WJw+J5EPQTswbbSSBNdU+xTnAOsB8US2rNkKG9aWNlV3fLufLgI7M7LCM9fg23SPUM/L7LK6cunRE0ISSNXQSJBFlnBXnPYp+vQuSiB+iZtx8ghbafj6MuvBERln5CBA0/e2BfnVyZi+rve9vAHBiAlLgFK3Bim87UWt8TDkTljN5f0hZs0coWeaUWCFpM0XfH07KA2WcvMWYfbYyCeWMbz+67bFwesrFo6YmAoZT+Gj8hQvKd6gIdDbFFgriXzFns3cfXlR0WWGkeKgeLIYKGKerkPYPjizyTkrOexsd8kx6X8ZpKlf8siRljal38Ud1AH2o2qj3vEeZ8KcXb/taaPawHJTm6LfuoSqhursRS2b4YVvOV8eq6atn1qmPWiSmqjUPC3/btY+wosGZR1tdOhIHmMR7IBH+LtXaegq/cYRmYmXnQreOfe/uTnu+F7nAYGLL/LNH3WKKizxJMZBSW6ewrc94960MdCGjc581SLQ3GnhRDVTkS/NcEgq2KdiHvKpCTe105c/R2p4lG6op74caytbWW5p8FXBEUwmhI6dj1Jt/TB2kzkXnjKPWIAWzw6xxaAbojVStEtviRyo9R6tUMd7/bY26HBlj7cjHH3R2Enjl8IidYCQrBu81dPlPfUOkazU2tARe0l880gwf8eHxnkTCID/JT3fRBSQ+0/BTNqumTeyLv+nnzetT9UvE8cCOjD+jRvGz0uFLNdzVqGmGe/3DECgzJK3KQDvbT0r70R4ScMbFrKl+eCRVkbO7rYdL4Rd2kcFVAPTfLdsZhZqPreyQ3Rb71hnUBFERVYZBq7WBvaz5LTmOJfq9UxWjYDrMSPOpfP0xjvKoR+yoDtP3BJKhPqqnCJONKenvjk2OXWVaZLhGlqdkdL0Yqw+1Igu3gK10M0OxYexcDCRCorUZ3wmevQ0DFFF6W2xasUkeVfthZLuR789y1bYS6kL1FsOb81aHMKFti/qiPeODo2PUT7ka+bctjcVPZ6LYjPZgy587DF+Wgic2bLE+q5KKykXDplk4Qjqj0ngrYXsqk6iX5nvAkgo4lzMu084qtcMwljy4XyMUTqX0R3in4WAyT6JzY4dHYWap4oOoaoHB4T6fiE/Ol+CY87P7Ub3CFXcHyOOjVtw+gHAkAr+xRJf44J966OQE2UlyMy2wgNp1RNvmLQkEnOtokkx2qdKvwjh5iudr2W2RHqJfqIqCsm3hP3ZcAEuyRSovVadjbq0ZzjyE/JccAUG/NcwiqkvMGO2vNbnFdCILIWE/M3PmFpg2PeSMHgl01FESFOkwVnUfzhx/cefN92PomPNofPNg7cqKcI2bzpA3GBQf6uEE+10WDsxMOC8YrLFa2Rc0u9YIX+v0hp4cwwLGkWHkCxoGFWZsZ7qlMzi4yDelQ/CCHDYfwpys1vXBFCVfkapO7Qp+xqHEFqb+YY8qLEc7hfaa8fiQfuUauSoqzbD1oyOtYIXIQtSK32ntkFnEt3l6BrBbfdurTMnAFlVJchN9zgDfAFZVee1znwZ7R/uXhnJC8PC5yS6iU7OcbY418YF+Y+TLn6Ep2Fb0xYvn9ka9NGdqOzwGDBhgc/t6xSS60kXVv1NV6o2QaqSxDbU1AomjOTqakrE5uHh+VV6Kdz7jcxU7rDJRizPe5yi/1ds8BD8OPRJCYCU8+voOPBn180Qy9x9RldwWsUuILJaL7D7d58dP+BNogdWx/NxS00Sj1c1P3/3liPAMmheIWk9KL203ltpU0Ve3gocNTVzyJWViig6chY7c2iaJz+Yfy7yHzF5TV9fDmAS5JyjCHVtOUEdP2rtQcWD0t1XZSlQBfQ8j8SO2B2tClZVQ1ZgRoHUWrC9O/fCIcaY0EkXY6OZaVXVLQNprk+77lzX6sbr4BOXo1VFIp8Zhfoa2s0EE+eIJ/IjgHQEnp6oIaj/X2P9yTay5G8403XOUp0MumROrtdGdDNt+9/CrRKWNt+YhBVRlp6Vmexe6/2ViRe6zhpXZG2rbbl44y11nDN1liH3IJ2c/fLBcZcAESokKzwKaR4HkTP18N5I76B3uV3z9XBd83R/zc/WIdQXQ0pigUCKWXHUnnQobaw+31Wd5B1EwK0QzRBtkhOaDQJ6GqPO04T0SkLJ6DhMbheih4eGyqggWN9wgrS84iief7a4TLKWYYry5OTRMG6bnPiy4onnMGYjI9Rxk12LMulU+WqTNvdywrQfHhpKiBK3ERjJKq2pUUkRq1AZYFs1IR0K6AjrA7UbpfMb5JwlTXgOsiKE4MHR2TEPUh3Z63iaxS3AuWBLGcjoanwJNeVQKRNd9sZ7aR/F1jeuQKrN6tgn5uOibyoesY1tZHzo2R4pUSXYzub633oBI2QlrTjosx9+AdVs4cXdK30np2FgviVCmCpmAT+PgfA+s3EcAwCkAi/LskLWNsDzbGNNqbHeEoF4G260lMg2b/6XYJFh4NOqmdlq+69CCbo+I7cNYb0NJR0/Tm66tNyB2YXoBhkYt/gfARmQ73dtZ8oAD72P8rcUNHS9hYAHMn7xaNjeFskkgX+PQb5X6qiHsB9HHqiPPQC0w8FsyLjgVm9zWybrmGx/AxvkH4a1QQeHSeE/utWGH3VZ3tnuzGWGCAAwRiQ+ln2+44TGjUKfNQo/xgM14T5RScrICjCeBpf5ugWQdk7ap6Xw1HIkGtI56/Aah7cL76YOcs80Hb/3WDLzy4k+Mud/BMgR+ikaR94L4OWzSJn28bIDqPUeIRKx81AeyqwMNJ8MJ53rL61pCSj7EjFwBP/8JDo4voWz+QFlpCF/PjSInm18Is8la2r2Mm/zyJyXp4oje+K3i9n7qcbkZjHio9GXiRwzoDQsPm2xpi6D0ypeMCY6bhCHzYn2R4TqGAyEUJqXcjNtZcxMeelVhVTguopHlKKivK2V/4fv/989xtQizoJ7jwIlbFCqZlm1rt/L8M6VPi5xmiZ1h+/Z5lxpkDkG/1tYF1uX+nKyndQTMOVeElnJ3sETmO7qS6+/v1+6cjIB0W1ZqrXNmuJo6/WBFx1IpqFutqM6fEuqelVbJC48/qynOMOCddKcOhZSz1b0w8qukCD3uDDyaaAjOEZZV/EfFJexgxs9euH69V0hqZ8+NglzrDXYlciqtqI0wG8zl9pWcdoAlPHw4nveb7m5BDPYFye9Z8c7T2qbjUgjnW0cuqo7HztiL8WxJp7O0CkHgvEdphkOQ2IjbCEbBJmgHoOeXRFm4C4ZKNE5eD6ahdlvuoVvJjsdiwp+YmTq61plNISQtr/oGAyNdYXexHGIkJV0pD5ueZiLdL/Kw1POVuwpnc2vRaiToenB/dKXMEB8+yHvmrVhZDZtiMnMJ32eNOLjmsMFu7KdVzbxQR163mOiktb3xmoHZgqX7anse+ImQITkGAvr4/7oz6IaW5kFCC4Q6GehGldpVO6UNKsZZ94KPV5tUArkV5lDlW1IeRQOEcj+W8qsCdZKopbLuAgDmEBX3mlnD6BN1FMEfkfH6k0pzbSeCkHCHMYGZrR+womukp0zZ+iaHgRqyIDmgrx+eEn5WPsl28tmFrs1l+C0nr5j2pkZX+tl+LsBc6ReQAM93+assoVk6g+sTlO2Sd6fvuuAroB1jaWzSSA16hSv2Y4puo730SjBrlKp4zvViSI+MAMlPRS52D/lt2H4kQ/ivPPmr+5Rb4fVq0OamcyveBamMIvcUOMBgiPk+fh1ilaDacoz2TN4BgR1IZ1Fn3aEyJOEJqGBWlsBFnW10dCd7cuvLLKHggK13VNUBKfqgaAxLe99xyOOGwe8cFl9Y22/foSHCf3k/OG7ub0/Ho+rXc0JC9HeOlMbncnPKt7wbkAQsgCzeGYdTaHUK+UraPjnphXO9bkAVNTPhSPfdNSBRtfjRXVLSg/uCHpbRQf135tgqu3Tz7IGYsPtX8CbyEKFqksP8nU97kR82qAKutdgD9gr3grxAjlEI/N8zsh/TgwJi9bV2RQWLZogL0wJlcEp4DlJn9Vmipvy18sQbG/qYLw0OfONqqUYmZrYZD996qEcYWfzqFrvqlJqDJPnk8e/0LsZBICY/J0/RKxRwsbSU0mTxpEW3cU3b1va6EM92lBDo1HFp4lJVD0hRtcsFiEclfRAjdUUFVbMLb+PtpS93PZIPtE0au3TMO+AYdSFVKUPf833nyV0ukIPAMjMCy8J0pdj7LZrQEvK0Nop9Oa/CTbcoz/J92QtqYz1pDyELNTe1Pc0sBF5jiBEY4da23ckeF0pSy2wbOKh0Tp0QR3uyb2mqqFLe78289XMgl0Q7fZzG6CW/TA7ahZoVWdw7LKjPqg1KRd0tlRSplxRWFqdQH08DE0WMWfAY/TdBF2Rp85db5rlZoi2FNYio7oxeQsiimY+5znO4ilPQjmCpWHTWuLENBvLQC2vLgFCYqhUQkqfcbUSLpDQPwsUSyKdAtNCqYzEM6d4aC1lZS/aliGjsdZ/NR4T/1tWZ5B39IpcWc/moMtTq94RE5rhYWFYGZWk4EKvoqXY7dRKxIoPJGArcQboJxc4O27xjQDNBgH7hs5Ixh+mmNaDzZGY84ts4iFf2Kq+grScT7+Jx2uQforJoiy5jERn0iFo8p8qs/UXMYItJTseC3hQKxh76056aQDe4MM4zuabL+ADxzc+brpiczUSHl8qR48Y0rRQHeSY6FejWRAQWNYW2akjlAeqe6QLZIkUpVfBtOGX/Pb6xiCaNh9it2+GNzeLsL6/7v5IbRb4FmPBAnhMJR0ho6Bt6a1d1DL1C6/Zc51jbLjxuish+Jq+n9PNmKDgiOgPX/qdbYZyqiEd1U8bfZIAEAniE9aRLgjvA1iRYtySYWkOMxWgFtC8tGBACG+ZNC1nkk+JzM5CbHaf2hJ7khsL2eGjEKG25+mZm/VglFXMu+FPpGvfssQtNc/sR5PVMT/xHlVEg7rG9JLmz/SRCrOg8Q3D9CPE2/WL5MS7Lxcrpg9Xn2BwhuBl5vFXaDgwtbjqplZrPoVRYBl533YnJkvi5OhtfiOasZPkRuB8avsn9DvgRv6cDzHwtxhWdLylqk7GqT+C/Zj/8uUSS6EIuEGtLnxNkUrfIgF5gwQKy+vUfPKwX95PV7UoCEHOXoTepwPPYyeN54T69rMAr4HDpiTs12JGmw5rua1WhvPDP3Suyv7KY6335nOLQHQqq4uUKlOkAOnXtuVue78eDgU4qp+MlA46aHD8sNEDv1rl5gU8lhN0VJyhCimXRmFZTvfSjLW9Ho7be3QPKzqsLHL9NLEExbgRY/7JQLUaAbqpHW7ogcFQwAmq/x/PjHJTiPNVqlPvIcDHJ0L/ZQcHi/AkkiNbp6ia6YCoVWzLqUG+k80UpJMFPoI5wlvyPJdReesOIvsbBfcEJ0GUsbNxxzbxdS3z5o6/Ev+3vh/6cUV+8Tzjuburdlfg6E51RckqRye+J4wXE9Bmr5K2GhV8rmpPHO7wIiNLSrzbsjSNnnAsHBpDk/KQ9L34fSpdLA1be/fFGtVKqdU/vCLke53agVEMjCYOiX9xvvDVvKnTNiEjJZyN8pI6l6iApSCf/PiPSuTlFoWgUOvA84uHLX/qDNQO8oTWelXR6hooVwBL6PKBhpZdsE2iHWzUDGUZQiPKudExH3YHLUcYl/YBGbGLaRFfgTC+jkaKj2fTCO+SEHZSKsj0cIF4R9VEbp+VT5fzppazmyQ+Fb/zbfSfvKlzvbAUw9c4eEv47/iShuF8kW4Nu90dTK1etQaM0P6VutU5G86p6Q4EvGHcatQ6QpLTqi7eVBLi0c4grOoo/AIQdWqbWwqbAfLmyENtu5ICKMTzyKmODPrF3CMYG2McS8k8Gyq0alauCiQ0T6awh81DDFB66CgQtLzYltaG9+BoPoyekAPYGJ+DD0J/UbnHwQ2WEGXLiEch5XuwS6cNe7ctX9BeokScdVzwQDM8siX2sKhzw9NjOEfgjXoigBSL03OYXhKuU0i9MQSPhfzE64UcKbrzQM0ONO8ap4EtNYK6yzJXDhl5Ccye5dv54IFspdBgJWdtFv2cO+JWd/1IR+qhkNJ5bbUwF7BD9BVvUNORtA/G1QMYF8ScCt9908jsCQKDEz4H9BbSZyrK04YYZ8aPaSs+gVb9AcRJIltdKBmDNK7mGFh2SXBLDAcThEusf0OmMpvWlAQ5cVy+Ot5HjzRXU+63o/7hB/DfMG1OZWSdQ6H3llwxe1OrFWqwkbNM3D3YetCVXc8mUEIZy7lDn8XxD5ZncfWuRqOwyrmqsgVKo6UOd8N8UEhUplzOJKm+ugWgQZBk++oB3qYznLy9q6Moo1NdjZ7Y6KCrPYgiVQxVqpvOxnvCb5OTKE7WROccsEx9XXVvHQXTmT/TSHd9FmLNZyD2X5LFzDoUupHlk/CvAQ5KEjLxEqIfkYgyqpHWjkhlFcMFmuLzl3FoU1OXDJYajIPLePbCriMvo0uWH/Qe6k6s3YENNuzoIHsk9dtEhGrcjydnKY4KCjJxOwx2D5NkVUoLWwCeLVSrpJBxg07LC4VM9Y0hw5lIGGN0tosTWJ60dh4A7kXXVjJSuxvmjgJKrK/xM/VHi4uAjzoVjzQWvA/xIKoO+B6+dZpebbb1ahbWI//go2BQMlSys8NKOJ8G3iMnTkfnh/W44x7rDnd5Ag7ajBm93LLivHzbZ29UOFw2CHCbcqnyhjRoplV76MffyqMlOIqyLRF+t4Ig7MjPlFjYN4r+meujkcS7gteg7lacLhSgNXZ9cWUWfMQksbfl6uqCIH5vcxa72b/F1PmCGf86nCAUCkNfW/daw67F1nT5toR7p8cFCFxd0x+is9XKHrD5c9a6XSIT55jn7CoId7vf6MPPNqi0yB9ga9o2+rI2djAbWtgycQYiTFoFYvdwdy+L0XV8PeLXz4kiLKWZomUkxt5o3Z3gJaoDEH7FWz3gSJmUSVAz4XVNXFlPQ4Al7l6Gv/tszzNvPm/JbHMcK+3wWQFe/tkNNEDuMDJZpEsMTXH2OnQGZpEDnhrbmsaHQxdr8UspFMHvJGohmeIt9336SxGcmN4I0IgZ6WILXyCdvphMuXo0KLWWQuhldTYWgT2Xv9cX+Oo0RHcxLOql5kLJeeC+piCC25+dxLQ0wKHGzxmqJ2ySJZwXr/pNUSI+zFKa9RWMP3nEwPOQM56z8fPyR1vL3wq88cM1D9UI7AX1Q0KlMJ9ps+9STgxlfX3t0zAZyFtBainc6Kk2g9/L0BQbKehBHREsPFQiEo0hBsQwqc+7tnOsq62bdNsDJOeszbH98bHMnv0fjfVggPka6/eqBeCSlJ23sE1ikSwfMRGWgCFi66MK6Vh17z+ZiOzZEGwt1meE/erfVChUq5/up5qbqPO+eVYjanxGitWEeG2SOWj0ZeSHqMJDE8g45G7TcEEiysB9GM+9z2/DOBX7E43NsjDZtiFYrjgLqdLObBhSCn6qjSIlHQjL4KKYKBPp4+39VeA7DMavY7Qp6uClpfvZvObpyRFyhUAGUTLK+3dfjcPHzMEd/aW29WtoPdldwoqrgavMD3/rY24n4eZnRik2oYUlioaB19/Zajs6NlzobOmaYesAB2jmNt2xWhPdbOu4YA2qJs691EIRE4999C42d5eawCLiTIVLif6MozTJewZ3/gkTD8mEDk8RZNGLXjZWfH4X80vgWwq1Ur0E31fhuhOR3szv7SD3WT+nz77J4H/15p7tyVzI82UdYYGV2oE6l/551QoyYGX4n+wdGNeF2upbbuvxe4s3jixTZ4Dxwmh7IogAQG352edTzhb/T2wpcgALb8NIAlgn/mtUzfs6+pGSdAEd8N6+J874DyKAEM9C17Nmcn53GzuifyPSdKrBtEiCodBASDD+NCdylHXxVgko4nH/nJKhNiyjiZc3IK5ye02fN0PCAH1tU3tLtDISp3gxVItwI+h0Wfd+tbzXGYwOzJjS4hcxcrRFL7WFfdceV2Ed3Rvhm/A8+DljYj53mpMK5zQ7b7K+ioqX1v3Gn4K9iWZxZjVF0hxH4VxYSTqlmXt23i+rrtYK8uEaTHRVK5Mk04dtrTB4SN2a0S7YTzXKiCSzAzGkAZTP7GpEiYzATe6HC3fz3P17RXbzuRkX/PEM5TphUEdS0FVeG2BzKQf1oqcVc/WdFGOYllSqh67aKWgTGDOke8QSjaKtaSm7OPNjt3RBk1Vn3W9CYpnDzsO418PFjSHZKTCHCDJ5HjX2kdUzuV+2AoN2xvkGYWm7OrCOo/XnA/eAila89h/YjmcRIK87y55Zudjc+t2WD3Me0ukblywsiIfXXuy7ziLnhzaIE2ho64a73ASVhJ8M4RA+Xzq68Fs9SpdiABhtn+aHHgebxVL+WTs0+84nZ4+i5vCBNCiLjO6CZhAAUf7pIjsNME3e/C0Qe7FMb0BJbxkPvxHVDD5rGD/+z60NZcXmaAuOJhQjBkOcZ4WW9MqkL4I0SJ+8KxBD1ZRxnj+F3xI8WoYCI5JXRLZ+IwGqj1y4cTVhmH5onk6pyIGqYN5yq3jzWr4EzxmKKUFKSCJURk8mAaBfoZXerP/nscriMGTkxPTlob4gnEo8rh7Ho8awM4C24NYsoBswQYcWO3X86ZdeH8ATmmTXGxQ/S37NZ+fu/LZcWLtits2eQ/dgKrI9CznaQIj0+/KyTNx7LVJ0Wx4TZF9wAg0ojcZYX6YCU8AwqX3EuXyK3lKgP82XPfdcWJHzaefBTTujR5xZGQLNYXVxrawmBDKGXrtZsOWROofV4rF/taLfEUAKDIWslCHzbXj9BIc/1QJWQ683aoRdQpoQeI8aEf7Yls/9/SvtWTIsIErFzM7TfBEPrCz1A4xkKX1nXLjjDN8gbGKy0U0OQVlHzcC3ovT7hsOe8XQby/dq1NIAeI4e3DdnJIXEqbhKBQ+hgk7ng2+d5IvMj1tzgIWdWnmLhTvaSoUYZ3HolBIHjCk7AAb6r1fr3nen2leaoe94IjEu+ng7CMcC8Wi7JZnvhUNaas2vW1yytht6NSjDm5xpLZCDqyuV/Psu16C5y/Q4SClDP1a5E6NYo9el9g+muH5OGzarbUJDGDipdbou8DMl11vYHS79DqhcW3A4Ya5lld1BeTqNGWR1Hai1CBi+Bj6OQaDmKqoEUcgLOhxrT3Qm/Bk+lU+f/MNAL0oCNF1tDYLOGSkm/RSgHjx3nxhccOlJeO3Cx/uT6ZdMLLUkIoSL9g8ByqHfDXrs7BXm7DII+Asa613Bufly9L+Jgz5breeAwi3eGb8ReJMsG7/aPHMRtzxl+bKKbq9pWC2fzXl5AdPZkXCtLPU4CO4rqZoecZJ4fR/1yVPH8DFBm8nH91pk3fNu1SoX5Lgaw2oKfbPwugfoPiilvy0//pjFP0t6K7cnDb7moC9Tc8yEIESUxFf0I/CMYy6WXTl1g2MbXfw/P3IhySsObCGRRUonJ6syk0x3MePQMzxupBaxqF4zN30NmobB5/NnOxzVSBOlquz28o8MA1hkQvwIMpRycWJccBY9P5G4N49BF5jTJT8greA+tfS9hOodJPWNPejG6Siic7hXLlTcqMiK1DmRt3oJ4oaCvnOA3i7N6JI6rFcQzFmCLvCp4RB3LQBjEpm6iseF9YH8NzXk08C+xmZY74GDUmk7vMUwILwc2au4VcvqWv3+PuTxnOh4aoJAwyuumXKyQXS18GEcTabIxl73yHZTR8sP3STtDgVtH1/UmrRImAP9YPoAeWonB5WLDjutZiIeFvCAUAZ/6VLl9uyMyIxrugzADx/xM3i0ZUTec5z7yT6ntUQ9nsexcoUePvXoZ8sm5LKrLsAt8M/3pA6pIkWecuI6PZzmwbyzE13d7txV9iT822PuLxI3/kmaUfUXTAJyDfXh8l6ZzR1hzw2mOdpXEFdP4QtoGDLFgpZzGSkl/q0o+RfihqCfqTThNajgNxVjjOEizmD/rUBjMdZjttVL5Rq6bl79Yc3ofhClr4xRr4MjXNB5sq/17jpmSz93WWp0E3tbexfzjJaM23fO9kZpYgU379o21SiEu8Z5hf/zVtlWuTTq7TEY5ohxclQHG5eDZSwjD+ysrLI1XdxhN0njw5rOrLyaguhYblyD/H1lYBxmCkwT1oUC914XkbI1a4LvwadFpMpLfJllW2okr44twg/QvN1PidcFknn3LvEGscHLRUzcHy5vOxWjWLGP8uCh+nH1ZSh9QdmtVPeaTMH7tZqxZAMBRWMd5AVSoTU/8tesIo/NU7jZdRpeJa7TTHfNMCl3oKw2w+k537g9R0SzH/7/FZZav6/FbqJZ8aFICixa0aQqOz+o8B2/T6m+AG+LHnshubao7G8XzsViPvdwndxJZcLwnTMpyNbzJKWCOYlfYyjO4qaefip43XvsUDstYJdhAuoa9d/fTbVjNsTSQ4mwNiITe9TDLK/t/SIinWHG+VQXzc9Jgknc8RKAOkCHlKTozXjZQhvq+E+MkYt1w2x2PChcVlTo/t4w7FTd4BMFOCAhWregB4W3Vnc/RWX1ZW2rH/QJhzjxewgXEEzpGu/Dqz+4yCZyd43TQOqWa41uypvKyJlaHeVbyDs5v/JU85zwpq3unrCRfJppabN1rKQTK4xHy+FwJtlXrrNfwyCy7CM7nptFNwmK4lIrn/+3sgsz52YGXUraT5jsERU+vk7xwsB/Ofby26Vol29uSQLco4tPoTXHHtK9GBgEJAe7lZzj1RhNbFSDuak3BPyOtBvI+DJF2+dTklzM0wlzMWI01QYD/yRSaqfepOLmsmkcOKu4g6AObuMsK5TBTRJTQO2bJYtWVD+eqK2PIJPtFCiwM6NdScZEpn6n56obf0c7LOY94/uzXoSmGQ1Z+UQ7Y76tp61OmndLK4FXlPtwB5wZF9SwZrDFlSQgaLE8jYrO3nEjaPZLkWzW6r5RD2vD84ezWCQSW6/+sC1O8uXiGnoAzLJfvnD6KxJzi1ms4NWf3T1aX0rpJBwLfq2dy5vL5s1O9JhFp7u8om0+UUXUn4y38euRcBHAgE4gVJ0VVsy+rnGrkV1VCtR+lkG7jlCdqitKY1P9033Mjrne12bLy3riKhRvimilbO6jP9lmEVaXs0bFSr+Sd2LkFQavtJnFnssEVZjhCsb73O6anmdMfAEKhU+TuD4IY3VJwr7B14KYCRR7jbEvw/Vx6F4DVc53yR7lma+x89mR7SM2AdE59fDSrtoh5uYhHiIAAmd4pVGzb2ytsHyhX+kF5+qhuU6SLsCNw7yZSpxmI7GoQJbM/FgGaessgOhuNJxjLSSWi58LzLDCjgm4gTcK5kitT89nkUBNP4dbT5bvE7mL8UBlLGNbjUXvDZrVWqZLuFYSs/RGOnckSGSVMQTVhBGuYREvdDFDwUMYAoqCIam66ZrNzwiU4UN8zz5xf2uysQRfFaXPiunikXALRm8JnUIMfXjhsDcFY3MrMctfccCc2lU9WVB9okimovV5jKh0ynGfQnj9rAChRmcf7s4xfigWVEZLXiqLdAbPizYlX7t4n7nSpgnpv0y6GQczh/pBqzsbVRJd9T1oRGQ0htY8QqxPm5CExlunvHmUax5NL4EwLjp+kdI8ra5wBOkTm7KRjySmp6d6Lmb5ghXcAagokqujBtjkz/D7fysZKPAN8E3BFsUgIimc2mL9JYnelLqK2jhuHWDHvwDUMiO+dy7czA48cQGkcm9n0VUZOL7pSNFRRuODGcQjEcf1lYVJAXTfioVceuSlSEZKQXlocFxxnJD8EEaR7+AUd8ZkVG0xLCnsdmHWsdBRLO3GNWLd23LYvUUErd4Ex1iIjCcnw5hfJRDWRCqraVYbVYMD2j3NmHOpc2fBSNwZC6d6ca3K9kLKm8HI/jfgvIrEtzi8QwvdeLXhG6tgxscpTm1U4M03mpea/Fycr9bxY/sSiBObkKimsllpmZjgBOTsJZv2RCepqzBW3wZOrV8H8yUAkqUVbBqebgXhc1Ns5T3AssoGwOemrV1f725Vp9ZMOXDJ6IQbPh3g28w6sAoJQhKpAv9dP6Kg1AgfpA6evTro2Fl3OyhlRp0BFOraAXECiKHlqUfkhO8d7FsjxydsrOWq3rOToPtiVXRx3O3FJmefpSH+k34by6ZFpFF38f2FHQGyhxAEH7C9sY6KPlQrCuMIB/d9NaC8Hf2JEOZ0oO9hL0uWTz01omzKbHWtIN4DU3hy5xx9qatR29ALvmteoOXjyQBMCFCALbpl/YqFzp0lhQnaRRyQqUCkkTi9sbWtjMT90u1tqkhcZ0sFxbQ95gyBXJfognF5Tu/S0Jr+V9k7NdlaXYjU3yaJjdIxZeA9EuklvrH8cLY00yZrA3mBt9Rne6zFTlhthRiNX5t3Pd7nS8v5ofdVQ6aHpAccfZ81bDikuOGYf+0Hzh8Sk+KVKLv3hGTDdkXj/wWZFgWkdo/BtmxxOcG59v/+3Y1rRtl3/lICvn0pTsri8kPDAsg079t7qwPmDvPTlLvaVv8YOlxg6Dx2Fo1PP9YIqnWoC32PjQXrqEeF6ozcg5hOCmI/8fs7BitweYvDIY9bSUkvpbOca54VJHsuSgUbtZaoBzcAclruSkmM6NpZ8QZtdrQVmSxGNiNVjkOB2l1yc6hlACd4tVtfh86WhSSH+zykVQ+J6kjIOeQ5Zl/tSRJaqEIC5AvMx/69Qpk9sC9q5PROiOzurcnpUkL5ouaemzOOdDmNKoRL0HVJ3XIhORT2Nv1nVkVI6eejA+mwA2WGGorXUIy904Waemc6J9f+HEFIqR3sGtMDZmNfpmxxXvqBFQPFwNEH5sZ4ui60rW82Av+T2QhHLQiGmrvDINiRjxAsxnOtgm6Xu7jHvmewyW2rGI5ghG60wTuO5p0nX3yE6a5Hli5AKaA/dusUHkZ6h362+C+/d8+anVKrnc2kCjOYq1lSSGIaE4ORFxOJhXZzOUqpM2cJnEPN5H8AOG9V4/HyMhyZFIRE8GDRlBhrU+DYnYzCazsXsVvsxNfxin4a7dli69dULzH95Menti4Qz6hPrVvOK1SxhmBPzc1CQeDycMcxEId7rUkSR9xxWH20dlYnJ1ilAiSQ9GvRNdWRO1enQY1NH37LOfvdtlDGJPgdimdbCiCztBH/p+tTnt4myCmG6h6hOgjIhAHXjADnyj4yQ/LKoNyYS2EtzUvpzpTl67USGqCZr8wChRM+2ubLn8d/5HHaDVK5SbSBPlNJruLhzuVD4Qn+UjvSgjy4mRCT4C4Bf7mebrZAbmI7FvtskHJHf9LLdF/Nlz0vtcDWbSlpsuIGL5UlxwMqT6HxKbaGNBw5mS+IyvqEsX6Mfq/hSlRDkOReQ5UHcArURVx7bjiQc8+RO/gzAELRqr7t9KqVWV0X6Pir/MbBLcL9EWPVdbUSssHCMg3vKX91p+dvK9vL30yxCKpokB8mYsTIeXZUel2C+seWJhpa6pYn/TCwRVZRiaUh0/WHLRqya6wi67wBhnBuPso6pmm5AICHC55exEfNAYxtVwmbcKZqyT58AJ2P87/g6sYR/NXA6IJhE5GnaqWQw9nT4oRELeKsmwa3TXn4s7fjaL6pBAtSoJWk5j3EBDSKgijs+qiRXHVYKNdXlC043koJcRCAv4LSy90CGKUCtXK5CopqWG8OM6J/y4WG7ZGFmmko9Ko8Hz7wXn+tajOfzt5lA717wX4OJFVQ4hNKX9xB5LWYBgJyVCTLQAyw+F8vr82HmdNBzNhqgSD1L1VmOEMo0cXtaeaRWoaYyaB2CrBPtgBH7TzoXIBfnfIV7wzWkMzoqOqyzamKwW2x/txl74qiCZD8pHIZS+K8PCIJTHDMV2jUccxY7GWGpjl4h6W7jU7UZG9fZH34MllZDZopAzufxlLg8DzQlJRmSL5mph+Y0qHJYC1fWmFsDNTz1FEQeq/kN7KtqQbb/Qzlc2YIPEEiHceLOoV5Z9Y9r3yjHWyJmg9IN/xJs3omed3fi5vRuwNR0aUDUlvLe2om6gJw7ut4ZNUYcCC3o80TqeiuUvfF/CeHZPqFRnFeaAtKK9uBBGhtSBUhYyb1eFZGiiCkhSC8KySBOD7TbQHm4fnzsJzxHsbA8Y8iVWPK2UspODwCHWo9FsKMTJ7vfKYFGGXS2j8KBiI9JHY75nXsaaHrLBbv3kD7BWO/uEWW2dRj+yElW2TO0bs54ENj9FWGV246UIo+XACM1f1KZ72JFxvuseCv+HJlO8YW9g9RppasgcZvj6YobjXcM8MtUi4GRUszzr+Z8CzA2ICmgtiwoqfCYsxWRfqkjEOQBjuNRkKT/2gDflluGZd6gxc2z0BJBbL9DEkYQY9azdVPn+QTNy9IQYsM+XZUxcNX++zUDp/T34b2NrBqt+AI/AyNDADlebt5/a7WNRB7Kwsfg85j63HKrN/8TOitGu1jxWOADiOB2zaQ1acMsZinhqz+AhOUvmjlDZnkuG1tcES3+kUHYVcX9n6FUYeARF6j4sWIWzSp6iPJpiQULmXlrJjiTz18NNeRB9vtxUOBFChQjgBTskIFY4GVfhrIF0UoGS3W5VYPlEJV+GYGDYgJ4AZmteKuUsOTroZ8WVqEnNiTGHtCN8mhdZ5Dyl3QG2mLBVEhGPoyjigXjZJxP3nFA08w2EFjKZH2EzejWNMgUutFae2H5ixLZ9g3lDlvaHyA1f30+j+PfJntt1qLP1gczixX7D3E39FutUiaWtUFqDVeTcRDzxHKsrACoyid3FRQAyI0a+U4T4BNnld62Ix51SdnFHns1kjqI26N5duu33iALWgNRfOdZES/CuaFWNxsK/L96iERmu+dheuMIzdVyeYewrurMOneW/YLAIUyyrZPrBeQ+M1W/+9B5apjP6w1jtv0d+dqeEupCjsFJjHlu1yKyd6yQDyKpLqY6MmdkG/jW4K7g/7BcW6kGqcyDR9IGOf+Eg8i+0nBSrNC+Sj5ID5clIx5UA0PclEeG78X87VthpwnukqXG6toWmCxoSlMoje3ITdTlyeureI/5h4g5+EcCY463YV31xVrGY6gquxlSNXX6eIT19eofvyrGNPmnESSyhcV+ytPVueWlfSvfuHLB5ijZ72yVETegMpjaaYdxtgT3Mr8TwCNRdT5w5pAoIE6Llxqd204vveKKmfw1g+e2qog8tKP6iy+uQ68bbk0hxMcykYE9FefOeulqhZhi0epXtLNvDpG2lUF/XsA6Md3x1p3zk1UdYQDynlSy2ibUiqDGHPntsGYOQddwHA6U87+91BK1Mmsa395Q841IGdF2A6V+SsNtSx9uDNFX2yFg0KxV/Es6mK15eBejLPqMQmFQUQSXyZxMCuplkA3InAWI6f0vFTOZLokWs7PaxDEwKqj4UMdJzUtOA/oG1OBsLouo6xv5baGtKZFmD0CXcjzDGGoKjbzPYkkafLF72Efmgd3+Nfi93RDvc5ifcituxtUyQpQPfqBFVcyuEC0EAoiRqix3gXZFcXMJK8mN0dTLacsHcosMdxfSOvuB8eQNYUQfuOJlj1lMeS1itKbJesuxKkcbxRLmLo6pg0QFoUgzahXfD0Du4fIN89/K382q/qx1eQt8kcSMd97Tfx8MnM6ZPDuCnv10mMPslikxkPa8phSxaYqYTO0cEAPB8uYzzitNM6q2vLKSFhaIDGNwy8SkQMkExSv9dQMZ02CuF5n9xwDDp8Are2GU5oZNw2QF2eray02splve5owDXohb5I/buFUT2EbIw1xmc3Yfe5xiEPFevUvQFVcnAlXSm0bVdbwHF9DWaYycHbh7yhGOteIuH+tyP35Vh+6mKHg1YjmXqNfB9IBrXc5m60+EpePcimfWcRaHE/Xz5uz34sK9xGeKWYeG5WzAdI+IZ2SNvXhO14EBBsEZGsPw0S2dTLVNmJH+Y8RxFBrW9uyPGOBD5alpZGJO8V8e7lNsgkal/PpaoBpcQJ+UYYCKTQBxoqipU3bGb16IGUBMeccYQoWHLEQmwuuEqeKvYWChSKqNMHXlbShxsjaSlF4omDl0eFXoG/4Q5FmcLB7GSaXN3/l6z1fcO5P4ugN8cjbhKwd0KCjcb0HD8NrW9j68woCMf1TEfEexfVBt0EK4AeVmA39R4PlSGDLsaqpZDuvG7KK8gCh/PFseBHUCtL5SRHmVrCeXoy54DNEflB5p2Vc8a8bu+hEBTAsK6T4K++DTI2uYj1i3pF9sZIjO/ctuG0H9iiCUqq9FERiRUS3QVAXRJIv2ha0LHa8rsSqUMUbG9Q5TLLQgVWVXvN9kccwRVYietKfeV/jELMCu5KBFaYtPoaDa/cutG8hwBmDIB1zTmhdxoiQAec4raivtBgEmRbh7AuJVEEOS21wpGcuc0T/pAelZN2MXQDpPlZybOQyLnK1SSncEp//6aT3pycx0NvT/eIal6ItbVDW/ojWVSfIfSv//gtLurLlwFcXCb4ElCi+dltG7u8uaYV2iXHTrU1QpBJu9PR9NYBww2Rkm3B6eahssi/Xo3HfgVcuSD2C2mMPqPwBcsh01U0Ufmg+mkjEPFrQ6TOOZVgtwdQLxOmlu4tZXmmctjuEdrIpxsglvwW5w+tf41BHjPVXrG+70/uz/ogmYX40qYLMFjPFUhK6wwl3imLMsVGaQJqAgA3nemmch0//6rKzeHytbvVkFlX8a+jgBieMw+HmRXWzVbXzUo+txiRwtT6+cio7oj/XQoUNYDUtfKLWDzPEwCwnLTmFv2iDqSKGUC/qM06VCDqjvLxsqw6RA2tbWvsFpLt+qHlljSi7r+dW2lv7Xon6wlLVoBkB3993Ls+MxENB4cOSMETn7euNFhp2BGO13cbSnG/DkMj/nczppGm4V6yhqsmIZH68n9P/5HuuiAv74W7NckVRIbulUsDTFOBRFLOkpPHwPDsOgCU605F1t4eeRyDawi/oQRjaa2ii3R+C1uBkpEIiE9iDuh+xpT+hcPpe6eGHv4+b1yHuHOXBciGBXVnoDVtfmrsgDHE00eyUcoQJomQE4i88qkpaB6MYl7OcFcZGIMjMNGR9quGKWj6SyNnw7L7Bd5ALt3zRVD90LG7QYYQnwfN0U18U24a3PlenU3+Zfh8Shbycqv1zJt5FDOLLD/cLlUCvryMtelP4iqvOXWy1w8Gj3DSUfJyVwHWDmoqRG9B8baEkam0FXG1l9PR1U7B5BrAvCFC+lZW/2Bh7rvAD9npPFvGLmIPrWfLaElvnsW8JDzrHFaQQCl0fFhOMXmFYKaUxurDFnTnI5gjWvzvSn/i6F2GjPBMuYsjzlLIPiuR00AIAS9DUtwGQ+Yz1Ije73IUJ3+Aa5xdE2uznwtxivVM4XFANesVYcZKtIALeNeJAEXziaBg3kQdaSzYJ5qt7IgqgmotwdWTMK2u9p9EEXd6wim4dD+p2I28giIOZL9oto2yrrqB7pZcymTz8eUEl6conmtbsLhJejdpbpLV3EkY+0lN3WO3IMuoO4dgy0jGZ7bFMazLCPf4umPghCuAKH/oh2MB/UqnqatfiAP9m8jx1XQSAb3lXHCXJDoL7kjj4LUvkNopebUI2RxXjreQ2EAWk4U7Z78jcDizm+CG0p49bRsludTf47s+K3LMJEGQ+c+YmQHmX8wdLyjJjLeOXt1W46Iwzdo5jeLCbayC4BkXUdd3UxQJnE1h1R0y4GtlswTy4UNuogC0qMrDIxgq0aSz97knuQLPoDGNJi7Yb7p7JoRlvc8GOXBFO40hteszFZotK1E/1WoNQs7UiVumEXPg7edkru5BZafxsqh/+P0qh3Bk+XYGMxK/xG+HBWOuUzIKpFhTfw2psxvpgkF8r+u57p0awRQe1EPDuUCqpvsMfPOSyQiSp0aF374/b9P2ju3+y+C/xLYTqAwlSFoD6iKHr2cLN4vM4xh6rtLOsy2FEfsSFCVb5T8+3i6fsxvsrSFveHK1RxuCk/ctVQBy0ydNiNwp9tYBOrVgKpJP0Ox12RoP2JFfkJy7w7nPtnNKm/qi/jYqDvygOR0yzMCnMxyHDY0k9cOZ9qPIFG+IULP1r0Xvn7sB9dcIqh936c+eWaN+crHfbKXBo1WTaLVq3Y9QiFEO80k6d5MBQuZTtRuTabE2sYYedDwz5NbVAJ73eAR2pydPXu1bg67Z2K4UHnSpF2na39v6mtmayu2rQ23g/m03ZXMi9E/ROSIE76xdYsSTzdRsCDzXPRXA9kURw45wLekdw8zeuo/zHegaiBSlpVhG+cXlnop1+janZGvkSowCzl7y6padkP4BMqclzHSxIvPFUFbLxTbrfZ2PPoA3xG88TB6QLcLfN7pV6lfCL1zKSsOpnYS+BByirkCu5ANa10kEjIV0uglqbUkRj1KlREFWgaFQ8lb+w6+4oma1SsIFHFcU3dxlq8/nT5cNdxvdTmzGGk6qmmuzd6xTUl0bC7b7bL4794qNKsiYHa+AvakMuh99pgxpvYVs9Udfx/Y//QKfUMVMeQ5H7QlzuDlIWIIC9x3xUTXaXtrXG7HgnaUcH/u1g8scigu1tmdpI0vlfDJRhU8KWsESKpBZzO7rjqpa2tocHV9hIVDmGodcrtPHmVq3GXZ5o2mfsQWJj8rrnZtSYDLvPJML16DfYjfNNrvrEarP9GX3c/YpwhawxO2/fac43lgE3Dq+eNQUZJyhe7Nre4xtI3JUuDTFNRKXkbhamXe7125RVO27yipgxXKGQeq0XW6lxepD9VrN26tLu7FApwMEa8mRRNTRGjM9ziEhoEkKbE8LsxarKUVklDKu88SCWL3gzvH/6FF4SjzNNEup9zCI6M+oa89PpaZo4nV/8iJa7RtUHH0iiwlYF1SWDvIFrHCgwVyh+tWJtNMsPJAv67psNsgqNd4NYJkv7EGP4gL571mj02uiW2S90MR7EV3Q+AEkKJzOjQQV5FVAxk3HKyNt8U7SCAZ/22JwbGef9AK5hEGE/is9RkMnKlb6xJM7DAoPuUoLIYEqfOWhX2KoTKcQNTqiGJkVTWSdWNNzVD7iIs391auZ4QNqjkjwL5P5FUjYbSSX1Yd0fDbqfUsJzdyltM03ZfSQRp5ZwpVqyl6/18YosWw1eaI8iPPn+ME0jZUajiNJmJew6VSMlEFiPB/7Cl5zZ1RcK2CUMpCvKoAGzwEpLh5y8WumNwAIXQCyAdxgm5yizCmHbXzoe7teViyo/Nanme/eJdGfrTYmAiSumYeTmfrovjLLRKqKOeuF6WXFHawogC2ox89c0xHgyzSZtMQPFopnCEmsjAsm5VZuy6ZpM33VLfkvf3T4wjceV1SwD35KcqbVJsXZ8rAOJrv3dhGwb75aeUfAiYgPVfPwkeFVUQKc2oBgQ0YVRSq3CTGQolVksarD8e3aBkHu0ipwPFdP6JzIHls+qRgtiV89DS3KS71L3SAloB4MoAlW40AOQTKBEfUasMTHEzcX4CcBq3vUISGtCeS917JU4HfT/S+1VzJba3kYTRVZGoyEhWvPEEACLScDio1pBoC6HLt6s2CqrkjMvZAuMUq+IW4YFtdndyDUfOQovZ3W28e9nwubTNmNQuEhfD7IkonvBgLvod4EHj2xR2A1dzBqjjv8g76UpYdKCmKyZP7LrHAJLQGWAGLGKNZbPCUPafey+1B5TYbDF/2UM2P/Jpyl+EfRQCxkv7d7wCc6/DenUz6sVlfU/TmR5kRP/DiTcpdInx5jNpza/JEV2T+aYAxZKOcNMRXjJqI0FUq0OacfBY6IBQU+wu2Ra2GyQaS0rqTOnBrRumlCGewsTEn1RhRKCRpToJgKD0/EzDezZw26nU4XcGOo6l2Y1rkP50hrHUJsLr7MFMHTGj0+4VJ7aLRoKpR/JL/f4jtR9ztwQftkkVSo8cllFfqc9W/ftPEIum//XPqtTHl3Uf1y2+C4CyUv0NqsmScR+dJvSA3CdE8OwWv0SlLPlhTLoh3MK0ZK7lCTFvYqtZ7ssi+zxqU6qYyxQXuBSkUn0oH8mVYxtqx7cri04tn+Q936n1jwgRHAKEHn50dXUXByOY3CvLpeGGLjD4NjF37xFci3eg2f80sHu40Y12PxDvKGrSWO71XZpLk+pf6R502qcRmubywHcGWnYjCvC/xZ+urADXfPtMqkXrqXjDL7UVj2dWxyL7nmbsnT/QHeoONEYjNyi/3F/c5hUh5V5E7kcgZuDCZiR6GUPDJ1lEkCJJBVJSnUXApC5afc0kVy1foSvA1mpvNDUE+ZJHiNa9uBSIF3hAaZj6I87Or5LM/XXPGAcolyF5lOuo7WQeXCjbASQDivYyFAG1eoXEKX0UFf9gl2uKdNsQ7zbuurcWCcMEkQ3pNMInsj6LtoRv/QbuHLSEsI1VWV2GI7FA7quAiYdKpG84iWOd/pwLw6D7kIp/czwVqWLQV2BT+XIREryOwsDE0gyckGBzaMSwnyNo/RmokUKnpH4dvVhSUjc/Exw1psuF0CgutujFn74uSklQ6NxRQuCo1tLNN3hZ9NQvjgsuM2qGy8VGCbjZ5RxUaIgBEeJD5PKCDWgjngYK6CPYR33/tCmgu3y2cSLr+W9KwfDLUaB/U4deyAvQycn/t2eOYLQ5aHTbUGcXJ1kkP3fCOyRJ0gEfy6VHr2QLihclNptjh6SSzd2j3XciESZWKFCg+ANdR3TxnrC5LiFWVkIwMjEsDv8H+7oo0TWQLLxS+WiLeg6hO5SCmXeIOLLbZDZ0dPUQA9NpZGQwLqAMSpt8f/a937D5SHJFNrDD3UJK1oj+rQIqK4iEADSgaRcEkIrkG6xGdV/jVTOyvgwjyd0BNKBoxh3PB75AlMr/Adb3OaP6sJ9rEFv7HkBzvyRaKOwcs0fIOLbMypSBPsro3woykWEi/gPQf1u+qT6yVEqHPUhlL+P8krl9hT2dlZmcg3xYSd6CkfeaE6HQUYgimPQnk7qqvtIXOPAFQlUfSfwINp3bSyTMyUFeiDpnoyqXvSO9Q43XNMPlOJKGP065NBQ7aHfxN23W3CUVljGfMW2mA0EGLwj6RtoNNUHIEA10uKiiXSJzdVAgrTgiE5F5pOGcmgmkbR8BHWILF1iICUH6GKwDhS4pZ05XiSJOqYmsYXtQ0NDZa1ThqDNXrv7arfh2HdQ4a0sC7LA2vAhoLlOiq3t8SlbS9+qfJ1Ja3V8wyR9Z1W7hcAwydcLcDfFmLXbxnkPfyJ9JsqOjICfplKGL3tk5/RJYk4af5gK606ZQa5IpbI6e01IfoqjxjkQ3kt9hFvhnJ+dUUudbv+j7qBvHpXHlOG7Ecgo3K1yyDZhYroqYSMlbpihny1LfU2jkiX+wd8VD2SOpP2Fc5rOnT1E67KQCPcq76+9WwNEk1NNRFpytalLa1OUSeroBfHjBT1CpaJ6XLTSDtIAd7EDUrHrjJNN1CxaN8IXsPDrIZphq5XUzbs679aCX8RulPSQrnjvUs1y+227dCKY0iHsBPbwjmigaaqCLIsNiQIQB3QRuIKzqNq2G5PLLzsZph42eMNYP/6nmDVdykvXLbv+5akrlZOPhcdlGhJhyV6zEJpdMCEoYtNzQC2r8NamlRJ1eWUFtiys7Fl1R4yn8CXe4QT50OWd/X1Jkbnprajwi9+LYsuEV5cAIpb0/bfGidXKYfob/HRuygyQTybhQogHKOi4M6HdISe5WdnClilgkL90837nyacc/+Cb0gwb2FD9cp1W70G71OasEc6ChZccwaqFmE0lWbeRUDhTZmVhAb670abUEm4ZLkAg65tkTEe9cBmyyx4piUKEOhkn2v7UpARZKZXr7aKK3N7uReY2dmXbGlIAs1dJzV70OHCqOKe+bntBZBpsn/He+qugVZXyrbGkUXr9WEAAfGv0ETniXzO/OlvAjywxP4JrD0KDuQYMmGkk84ZwiaeNukvYyp89euVriyCMhgXKRZLdEO0tKZB7VsP4RkD3xUKcs9vBDrbtYAfXKU4L3JA8g8lhhvP+2Ef+ILfg1PJ7tgdAFhYWggqC8b1xkEdOT3MxtbDuD97RMB3cw4IZSUFjY59P+xSXFrWh/AEFjAqqv/86Tc9oQOHEyFhGE8Y31nxE+cbkHbrnNAkrh3j9G5FgbmeYJLuJOK/idGFt5mbTmmDFUIyexHafAGTvGYy9iGV0CnKM0cbxkjw6xsNI9K04pUokp6yhKVfn83XrTE/+77Iisjvhhnq3qRcmZ8fNGPWfiJZwEtLQsJlkUCWKpk/mhy6YPorEMJhjLTE1UmwkOqQtzg5XtEGTx24TkEZWRbnnb1ONpLrMGE4IHMIQl9CBag/P96iIZR2eyU5EbxNvtNxVbfb+WDW3B3CFcqw1IqQ5PtwSBLfBCwueeE/jBA+9QnwXenWaRffd8UKL2tjxW7RFNEG5W8XUZiav+arIu0pJ5PVwgM1/N1gi4l9NqLU4wjDo7MPmkKpAmaSM6NW/0f1epef6FpuyLiAD1GqZU1RYVbe+fUxhic9J43wSa5bwq7qJcFMbeimrEsZ2U8B+bODHCCBrKNpYM5YTgWifTatvVeVANxxLL26wMVVMz93E92xq177gkAiw45qopfnflCPqZmbh8S8zpfR09f2wmsmBpRUViinecbNAvYY4SS2FrUDvHh7tZlOP70C6mXhQLFnW05OBbl+HzF3vPrJt4C7D6CgHSlW655bBkUKXPAg/ZkeGOXj2oRgqJfWoTxK6Gz3zuoF/50iJ3I+2wgTFSnwcftN1HlczMZmOkVVeBM1K47FDx0Sn4JsWGbnlquC11qCUIUEI7miI+IFeHNB6COQjHwzouoSJJnOl22arOCjeBTSZVPoLBO7L6O72yFVPXrYtlSRYegwKZwvJ7zypCdC0g+DErP/u29bQBeosHfPFU3hH4AqaAzcXuZq8PFtyHtDjcOOR/nCvUwtgM1lG/g/4iqMjNFNmzAkDD5y5AGaNvp/qHLVI4zBcZ72FfbPnqc4gMznSpAzBdXb1HtG0JZPflSh5MZXCQ5B6OCrqZIglOAIfB4+CsUA9uywp8HZnGO/KAKJmtwcZS0nney1P4d0yxS24CqbjsJUIS4htI0k3lmA2yuEOd+YQJWhYK+WLu0mrlUUeqQGn0ls/kWRoQ68vFK2mprujwPhK6OHYxKX9Ypp6AO/SRanyK05Y2jB8TDfztlbL+4aMBX04YnpoBnOFy3oRO1333wbitdo8sO66/IoGWlJrzgOS+zfYWEY3ZYMp5nSZS1+OVqRrI0XK28c5PPWCbkmIh+x9jc7irkHy1WSV2AlxPFZx1t9v82rwWPMYhT8QV7WUHGS1VS0eEt9O46EKV6/5w5EfUQp2z2FLvtF8ktBETO7qQLNligZlFy+iMXq28vn/lOXnWZaPlLJLXIzJ7Knij+ERCsGztz2DkvRHFOfyvxRDD+WjMAK2WWNEVR/Q7QC4UELRIZMIlNtby0AUV8/bvTvYsZcbOygdARyeuDCc61xvd0oZsmvA4Sf0YniApxiex4SahFktH4LGZdoVwCa6t+j4m63SuBdIFG5wo55kW+J+7AGtlL2Fz0MZiKBvDD94xuqY/WB0lSm6u+r4wsqjc4BpD7qUvDAt/6redNxsMckDuO7fJ7UHLKYtKsASMFIvbkRF6fulQ3/cDolpCkONk8H7nVG+t6awSm6KOpM0iUkl03trLybIAkC/G4MK/PjUI4KeFKPBwfRNHhZkoweAmAmOj2DnAPeu8q07la5M3TDKpQhzeYlna0Y1C9lY8p1Aggi/O5GBMfQZS5XHE0wdj7ZSHgKTRc9TEr0PhksVtkWo/iQcmNC1GF+m/r1x10fy2eTyFx1ymFoUq6PpGNpc9Ua/b1nbsWllYRXqzORHkG6aP14CRDlZQP57ABHIt7JpTRc3Mjj+ZW1aG4sHa76E+Wymc4FWfnPEBHAvWInj9d8m1CYIrquqSFf/mgjuv2zCpy5JHrdxNqxAdCdkO1DPVl8vDLN3H0bWglNR4yG+KeFLrmu3psaIREbp4jrbHYoT8Z9vqZY1b6M3YQLJNaXydbRUAHzQkDjxvK1DVH4v3hadY2L99w6XSulghs9+7WPqW1pXCqQhtkhy2Of+M0OKDeN+dmyBcN2EVF68NY/+BV7w5gPi4jiLHatQCC/9crbRyijReiSh0xsvR0Uz3BhfLCjRfwDMajWA9m9yLNtJ9OJBIc5h7jKLBjKErjLIPyjeybIXfDZA3A/Is6g77AkV0EKR7/imUhNwmDHlKs1AmdQpA/KhfukUPGxl2d9QjzigFANG5sIaBHa0cPMDqGOz3KMeoHljUCJ9+xwAYxIbTiPFPmUjbrGOV3qgWzw4EMyLVRG9PEolOLUeryelgNZyeae/IexKtvxb+ahVK+K1188xe+HbcVTtHbQ5Jfeb2KJRFB0CCM2e63okcad14/Cqx3oD45B27pq37B8hKDckbrm2TtARXe+N/+wSEsG7/qfQLMxIw7i0iQZ30TzRilgD7AFOrAd91XGpLA6gBwy+QbwojRpvhiVx2EFmUjaDBMP3X2b3pqudOCHqFkKfeD2QtLvVP2vi7ljo4z2RXaIPW0s0vaHgp2IxJ6FKixhWyn75ykzapNoYKUY8cuOkf5Fvu5jMvsTRvwBBSPvtgrNvVCYDH4twMcoI8mBpEXoEXsIMqvkgQJi1mr2ZHlLOcBoUJoenZ/DvfMOyynJ6I6XJqpkwvqFH1WMzwmxHMZpItzhZ/0GCO+XZhjlAKFZ0/JbnUAky8GvomQfZtGnnSToscUy5u7nQY2GUyMJCj69oBTK8hEPRzieGZPxQfIRf0/LkN4fbTipUM/sz0fiqMjjQgGzbCV33VSCsxm65PO5EToedfE9kiiVzgYufL+O4iXeECpWoRXatoRaLLt5e0E3Sc/tsQa0LfNtXSL+NLqltKWzAPkQk22raB1jkY+mumvfZr86Jre9aRHbjUbUz78BYYz3dEeI07CBS8tKlC2lCT+//R4M59a5uqLRtc4PzhSkhvmL5l8JrW+qV57u07sybRlPRT+2I1BXw6c6LKDiucs78sV2U2IQQDgSgFhM+tyQc7SEOqnjJEL/cIcEBn9YBRRI581tfNYjlB/NNFBxzeGryYtSKyLfdP6EWPrXODoAJ4l8mSCSGbqLI+DIntVNXoa5Xj17jvCM/XRmPORQZLp13A4kN+TzIAqp7qN/KT8KVOoEkVez3FUHqTNUjrMQoWlOZz1upohvBbFeJfcx+11XL7Oi/a4YgqWfuD8aHI4nTbH/TJo07uJQMSp8c8EXskZQRQsQClAuEyogFXKrpCjhd7bysMYT4pKAA/k6kddQSsPNkTA7CubYMIGKHKJJYFvdw9lECfe1uKyiVF4O41NYM1biI8kIjqZYkqWHQOYloMSEaEmvBPqC5PQzPrsJJdMEPsRT7LzeUGPwYF2SjWxkzei2jILYMDcEwXhfYN81seniA2pD5XCTbT2qkiFUGN77FLp1loVDd7NLhk89USnIl5wIwtVMWWyRVnXRD1RTrPYhXEmt1h4LMhr34h5+2JSBqjTidajCkU0S5/pI+vf+A4i/6ChBuY/GXNpChcHsQUK1uyOpt1njhplskrLKzQuUXHDWhhokZ1TLDs34vmIosmtz1fYd2N6TL6/fyR5zJEGOIb7kisS8ypDxo3EAvaEnzGALh6T68GITvu3HkweASGejbhhWwE8Kg3ypXauAtDQKZrc66Qwtt7VPXtsmVqHG5O/q0titkQEde6Uiurj2rOcx69RtecfXBWQgr3tN6k4TENyYf+7Xz1dfOrToBYZfQzhHJSwJM23acBQSTnEUcZpQR+8OcWRpxRGeqzrOKPBkvPwqjE5YKXknP9ngjLWAx2MmAxhuoR+GMlXsyOSRC2y2xZ9m3jU6o01sN7By2cRWR0mw0NCxr7DYtkYTV0ZQhYkGjeWBE7CWc6SgNUmiaxLDG+LVf3ELVykDFb5U9079j2N9ASZqOap/7pycEggRT8hPOeUmX/IoAKBVaBYu7+rscE+EkV4oJY96cNV/PJPrhgzWUa2iTnVatOF5DYUrKfkLso7zOas0LtVQQIuk39EOeoBxOQjLzn2bw02WfxeM6vf2eOw+b3ZoC5HmCJjX5vSCos/QNwzLbamFPfvy6XLAm5Ob92UrYo0W/Y+d+nmUCHZMbRIMQTLkYuy7T+8rC6mHJBPe87RVdn+V0IqFzeUCaZw+ZCKQ7w0PVw3darOmCzwrsthZ0WuWG1VO0k2+atc/fzSiYKaavI1xNGUJzDZ6GRqkwyBjCTsyPuwH0FSdfHhTA7XqF5WeF2ATc+6J7kyCX8acP1xIcJIB01KDQfeDDPn1JRRYJHAyWnfjC6YkP+EVByhfh66lBt0/RyP9R7/5/7NU9eMwiyiZohzn1bPJSk2DgdQbgLReFjNcoBqKw2+vEj8R1q6ob6UhTY1f9PxWZSaWjS16e/HqXTYtF2yRdQBj2IaZlHAzxO3+tZTM816YFj+rfHtTDiA5ihSrL+7LSxUTyAlp9dnJCyOqGjW5nhErsTtGbGZzzTT09zDen8Vp3lbD0wpUSKKu49+KufGCPfqVg1iyzDCOKOeRExS1Diu3JM3dC0v6WEIRhdC5Cb1ZqYIE/1IsmfHnVnJF0QmVMI9RN2tZL+OnYd/5a3wQAy5KocByP+dKQpbGtPX9JT0lECpjqEYtoHzP4hNfvKX1FcbO6/2LxEFg5k5YKKjpwG6rHwxPasQY5gL4HLeLVRwX2mNS43A3xLyW1sBN0OMG8c/J5MZN9Fp0Cj+Ai3fj0meVyEnc3ysa3tTznWAnTUrfWrXpGzBdFgYwV17sX8qJiQOKF8CFyg8jJ+7H4iDH1zY1GznX2dPRuCHR5aHq3/ze+8HFzLNjp9qq8bHw3OM/rsscGC+PI6+qAG1xMFLjZZff8wiqjDCXJjGxognXhjQcsp5/vElVi/cSmgJCEWw6sDmLuziSHzmFCaFlbmhsCtD1SugYU9vtjwbGPlHTqsTKNaY1KO6x+1bsdvNaI/agPM30qdKWEaP06GTs3ZTNMNiGdjmblOWdNo9yYa2RCMr4X2pvz6pkKtcWl7jUWGPPeG3KRpyad8PMOj5XVzsKG0lFm7EHAfyZ3AP3f21dbzDe3QhaoNFIqxl+f+o7L8tor7seDy7EH1FDS2PJkgLj9QHX6gL89X7FQ+Zz2+MI9MuycOJclbwvM3ZuLpsya/veoZHbNUqew9c43zLr1JpjDoEbVn8R8yibsI538418G/hq2gzxyREaoqeHTESyzuBc6BeSFVOcydKHRdl6gbPcTpC8sQxybc1nMXl3NAWhvrzZAXm2DiBl/LB4bwcLsz9ZfH6BCmRf0S5OLellLEPn+AiHXMe6BIJY/TniGpHJhQYZrASfHChu4HMjc16DYZRLaa189+5H50SD6JJoOGhcVXyAXH6y6cUBFULi/mWj9t1VZoDqgMHsMHtoUNNVVJ9sBjK7fPrASKiXijwJCAitPvTwyw21vf0DKZRVDYpaJiWJJcmC4ZXCa4QuReLuQJw5jjD0b5BYcG3mbhWazRyUaea0VnIP1jNPGcsr9eqViFDLuD1PDt1AnLlML6aUtrhUiuUQ/WOLBH9CVsnzdILU0vglI/D4GwbGQLbBCLnM/1x2NBaHq7fxy1snojUaDpQq0h/4SlAVJALSkg3iQ3JXKLDPte1x6SlH+zeNZgf2m8tFlFHgxlfuztTCqqDO9oHW0xmv7a3NdnS8mHLUSFj3gHT/bjmhRCFf2bjLaxNc5qKGZry8rki9syPUXb4aPC/2qCG4UE9oEGmnXNoqaPZhbY/w3bY2vqAF50pERgyI2J3hQWDivgKtgvPE2J49vCdZbtYawHXsuPu7uKMb/PnYYIX9BzIyS7PzDyrdSacQFZwxFP9byCB8zU+nk2pkvbtT540lZTQR6YLVlE3xHTXNpGH7fRzAamw5BaGYEhSWQQdFlasljgqk3CfezLc0KDYTSrGGdgFCRPLTv/IpvgUX20fK4jglIrpjaJWZJGUu042UZ+Qi7hl+Az+vPswLarbp4iK3cC0euQYn9rcGH/3xDFdzZkZ4exRNH0hdMrT0dAjgAYUmQ1GiN1/2TmaZdlOA5Ns9C2hj2ueo1tRncL5zIfcbHqgTJX4+YO36Z6JF74fy/qkoUiT9YcEX1DN4/mOLzCmpyKjnzxYr010Z/VnULbloYMKmKN9kHxa8HCE/YVmqnnL9b5Wq8LsK3navzTqeLQZnoIfNpZCJavdFe9z4tlFMQvLyTeNlJQcLzwiF1j3qCFtl44y7kQa/d0tkp2f5bDV6gEYLRgoVGNCIwStw/3HRUkZZ9cfSHeAAR7JisNrS3eSXxseVMlkq0x8zEfzYXHzcazBcTDHFdEOWxcI5RynywOV91gFj1GLbtPtuWkLx5B04a9owZGchw/3mnmHqOI80VaT3jtfNggxZ7Btnfv8NMG4y4e7W0USfP/KO2VDLLvdnhqE8enezOQz928STg1nCpGeX/erbmGn/1p/oNdKnYdNNo2o2r6gMDvrY8bI+8YHrabZbyMygzzokNw6sY26DtV6TbPAYcLDFLlwdYbLjJe7tD5h5u+nZ3/kcHD+SpqteTRTCoCQ==,iv:egb8O6ELYBlXfW7v5xuLg5TRPPOcAi7kTQn4d8DxCRw=,tag:jhhk/ppbDQXz52WLXUFVfw==,type:str]",
+						"data_json": "ENC[AES256_GCM,data:GZ2kkHdPpjh2KKa4psh1lbsnNY5KD/bMJ0gsCoRoev61woI/RH4tM1eCfnxtnrbYw8o5AmIavexGQGfkXRNxv3q51K6F0OZA/+a+yZKALXknbOznPXCIyuR6r+HzH3usWL3cp11cWpxj+8r82JFLrTBIrLGHWq6ZWY97Q9mW24UVjuhqBwtXamVJqRFYnWdyVd6kz+kNw9fsery1MedNnopGfND0N2/DFcOSq4hOPy6h22Kz1A0XJedTsWjQgo+kTKr0c5oPgxuv6PogWaItg0eI7WHFhH6fzsApLGjKDnrmMfizOT3uXbi8+APJ1orx5yxTisFNmOfFJhHwg48XUZX81v+AKamaiIv3uE9w2efbbiCWSlI44ZT5kHTXDn4J0RoxXZlJA4CM/23suyyUQtqS46tPdSibA1vTcx2JM4osim1+yckybV+rug/i4V9udwXNVoKXqLuBoSBfFbQWJwWXTsoSqY/nGQMNP7uCoJjXUCSEjzId4pqHrOkhKQtUgE+Zkf04GGX44jrIBbzrmg7amVFlnbr9+hdFLOwyPHt65rJ/h44blU+CaiicErPZ0eFCcbSJPZXq8mpb92JP9COX5drnfrBp4t5iUucVvnIgfLtsC0BJl69TMreDICXUedrwea1EjqO0iQB0XuWSN7wxYTggsuVFYdRU0y0/zHoawgR9DIa6CQj8hgXKoyriUAVf9qxIXnXTNAkIskBD7EBTovfvFG2L6owIhLD/aGmP3LU6gBZpw+t0Bb9h/puQo1ySPk0XtFO7sh7Kzw9H+lyB1IPx73PiGnij/gRloCHtfNTBnnJnkAza4MtmpQ5+d0EFSmSeTgoRICui4WlSLzabgncbhB4GS3Ny819ugrvwyRig6CrfrIl7I66Gz4iM+EJR0m6vYvuxAy1uV8kTCVBJ9jWUpmETKmLM7Y9mvzkM9kVYJa05pn8c/CX7d3306rTXb7PO7l/M5AiGYIk/Iwrb7+kwzVpB56UlKZC38anm/h5giF+qa8zFlIEue+z3E2IvQhJY+FFIaHoQ78OONO1yjOd6iizP8/RUir4MqHOXe7YR1nory9ghbAGB2dyhxRRZnXsToDCiJ+EIwhq1k0ByxzpgWUZSzuDvL5VM4F7kVtPRijd6AeR5CmS9ArVTcdHPViNhhUTBpJ95yi3Ks0RwNzLrWOVr5yRv7xACvyxqEEdwGIGUf93W5t2+lKWtO+dWiAnkHuLTbplanKQJQmcBXjWRxNFzdt2WUKIaGS1uFIf7+n9sEg57U3gNPqmYPLGkNAGY9gJUm1jyIMjmgYClculUblqPiepxNJ7+adG7nFi/MvfbjEIJNIUiBGgusRr3D3bn9V6h5LnBSO7gdl1BH0pgx8SbzHaKoCNLikz3z3PbdHVWSG6l52h378ju2B9FJAeVN5IVmD2LcHpnNLWgVgEvVD+gY4PS2mC3rlI8ckTqX34GFA1jpUWl8zY9xonxfY9oqROTZ4gBeVMZKyXA6KcNNo4PdyJvwWjkeX4h4HOjN7zQ+romrLw1O9nTDDg/s7kHd5PMRSsJ+Pof/kgFs4B+uLSNH/SluYqEa0rRlSbHl1RxCOBnDgU+ofn0SpeyKFVlWNMyk/gN1/4GuHmbNO9sdbU25nbpN9cGdjuRnv9J7dgKAeO6oquJ3bt+zNUQUBIB+QmVKgcyJrqYL14t7jC7sIxL7vh8LvtHmZGQKNDColuDDcQlLgimvKcvsWYm3SPY0+VEpRmvUb/p+fx6/CGKE1sggLvC3afS8x6faX7vFkpG1ZlQ6J6BOYrLwjRfO94ZwLivIsh+zm5ID2YDoBaVN/GvtkbUOzXiQ5w+2zH7vsSMY1E48QWPthRzG8BOgAHMIZBD6YIybhyzYWHfK5aUU/nSFdC5xpB6sULu4/T75BpDBt1ZInliTECLXLSes8uJyQWpK7J/nP9lAOR0AfkqZAINxXRk/Ub3cefComzp2WD4A799G2cv6skrdPsC49EUMxTvVXbJujpFkh9p9bkKURZ27kfvlCLsbaExARzew1cLL6osvRr9+H6Tzw+jrRPDqWvGorYwnVvdrEEhVEfK/1aAp/ctJrb30fuzjoX7UbDP6i4qE+XDOG+QWrrl9xx3d9ElHV9HRUY3xF8zdnUbDmD7YELUmIpYBCVeOA9lstUTZDyc9f1iyNVdGlacVOcysK9kjokG4N5PV9cJiLK3A5OdOfMz9dQF0D928ILf9avA0BgDEeEJhlsu++acWWro2Oer5daU9JSw45bT+hslhlihptHjniofgz50d8F4IIYCaeF1OdTVocXdMQ33MkH3AHik4L73hKiXH+BGOaVyuUlJSxYdCXGVaqI6BPtmHfutG/J9414KfPVs0sH0o9GPTedUroxLfL9Lq1mpDBGMmVvqR17tTwOGKHdtBeotMAgAHwWei9s3VDaWUvDW0T3ZudctDVHCfFxzRX7Pvn5zE/7Ig2xdvhVKugusKufeCsB9SZuKHdeAW+Ch3pErmN2KAHUuCv+hLYNTBRfO43rNJsUKfv9SssSMTm/JVzBd1+LZZeurN7ttdO1tcU7AdGrf9U2n1kS+/djmQR2C3kC2x6bRXLq9IVFhBQU8cglVSX0+TMMmrc5EUJbOzlicMLBBbnL9sj3vzQ2827CRBkXk2DgGi/yWQIKW4VhMt6VaI9M6JMoZ2g+KXr4cnJH3bliQYJQ1F63lezsE8I5TYU0XxpmasJEm90xIlKy/mXytBjTBjR6vcaUm8rRKEHk9iZdsWqP2icZl/p4ZduTqx2bY2z1RH8n2GxOrJ/ZkVdMsFrFLRCeYeWccP1FqTgkIqBJ/7Fa+zMryMxqygJBD2TDGRvBnRDShBleplDtGIP9yiTmNLLT+2QItAXZCdOEbdFwctHZE/Hay72IW8qKk0gzwWaesv57C/RqpC5bTJL1BdfeUT9/QNNnNPYnGRKMXpQZA0sPUrDeH5sL+bRIP+pR7WekViqvuvbUm16wLW4P8jceECN3e00W/C/D50CHVc8mPg26YxUdXEBNW6v/+S+OZyEv9XtqxdhRP89MQol9R0tJ5aMX8D9zz3FUP4VlogHnwacinF38fIcAzoVqOzidwgJKv0pQSD1lQdI+NLHMfRq4boww8PDQ3ZCbh05VQV2zEHhHtv6sGW41jGUgQtyK3a8sWalGFTa8AbUc+9qju5rNWo2SZqpc7FLJ1cWsW4Hd4ULpPKZxEbIE5a1FftsihJPM3yO0cy5utjlpMy9i4sG+36sP0j8MW5wfG24Uz/TS5s62USDq7TcFZk3My2llNN+xwGCcuXA1KACzIHbsii5dQYAVPoMwkTlxlsGlirB+v94tQGL4ZqMugQodpl8svIeaqgXb3RcX3DChNSNfckKXlPFgPDeMLBpz4L1r314ZQoZeeUHULblJFjaaE1lnu/XbLdAJy4z7NyQHTnkorhBsuOz80BPBZQwwDdcEbuJJXP49CphZzTrc0P+/SfsVSls14n0DgpxiDyN1gz+VIlugkVw46OTU6piZkzkyALunSjCK6wp+52i3TnvLGRqJRRp6SK6FX8jdGWN3o9sTWkDYh93lN+jSrHg5F/kZoJb++rirhY6bP8Z9RbJlt1I9yoY3sRGiQ2cDTcHNsbERMh/6kC5z/R15LcCvAeOKfIoJWL1+XLQ2oqf4Fzry/l04nm8Xhxu7+ZPq+Lb+PYO8xvdVl+doeXBLfYlQw5bjdRmWSsdHm6fU5bsDiNV5EPBxtkf6rjXlmUKINEWCBf4I0NdjB8wYD0Fz0UDax272Mruui7UkU3BcEj8ZgV/XwfmWD2Ud9JxKlcPvWBpi0ok4n3/QQp3q79+kmkn9+EpPXSi2hEq74tjReYRxCvcWtr22HN/dSVkdm6CmI2bpBTy48fQzzahcBH7QTm/AFUqORiLMTcyGid+VASBLGDs5TuD/3uISE9+5zogPOLvK7HKtPisgCB3rcrh057C4QfsxbbLqk43/zGQrtngla9XXQqKAb05m5a0Vc9fmakKtCEsKF+VvNm3qZ1d5nKpU+B28fEtUyBs5J/qmo0BsYOuVCrx4GUlVqFMYOdBvUEpYuE87IxLYO7Ak8KXvwRYU40TV3oPsGEhEBZwaOUGS62gNElrLmEiFeicJkO0si0e5RWmsiowCBsXUCNFZJ6LphABpVzQCX8GzBlkNwxmeLqdiYD73PnHUmHiXnNrhSeClYVYasqufF0jv8CWzUYVBS1MYGmRzkcFu5xb+/jrUn8Ud81kCWxpWATvHntNHCnSJnUtbbR1UWrfuHhdMfIL1g1P785hkZav9Hc+v8rFMX2HEzLLKsbCJDPrJ0E4Iu5tiQUHyswqFP2Px/dRKjk14oiCIz26Engs5Pv2ipI+AzgzJqp6/WtoQzPHu/D6Xs1ryw1ma0nZvZquMwNH/2OTMOdD3YF7FbOPEAGcNND/AvSRNv/HOE+K2cnH1TLevddZWgVgJW9cLJLguAsPEJuqSv/PE7Woe496n0lYE3NDxWWBzMA+R2me33n04HPDHWeQfK2G4WRmk7w8nt0pKiezznbPbOewuAOMdNVVy+7kC64NDRh8XeUeGpnO9uZj9JROR0xZ8HOzG8TpIl3cpaOX0Ezovdb+nnPmU9M9mbff+rKlCTqHmNqjcvdOwRhNLWcou07PtRU2d2NoFbkFxiABPc4JGoEFOIVu1f8T/kfqPoUNimWe2ITPxjvjIcd2WwJOeDb7PbvjH/ebaCgvXJEBP3ax2R8YeBCM/Hrz40POWtAZkfrFPiP4D6Kmr3MnmQPERFwNPrGNjNF1kKKwXROtfZextpyutNwNus1lvE8TVX9Orp64e6/nGzOn+hn+CtovdrbkGymT2uh5mYol5MV+muZcz0JpEnASyycVY6EPkAoEv48gJzCyMZkGZFn8QGLSRS0MmdWN2y/WnE2VEb3g+EwecLq4zfMgU/3NIPZ/76tthUl998M1GkBqhh9vBOev1LDSoi/V59bUorxrD2o7V6ieMfe5nXbDcLCvD1JBck7qHOYAGrDG5NbRDCDsbNJ2CaYwGAaBPGAAqE4jWVWRgDeH7UZE37GnKvJvVWqwCjpL2QUNguecW40MHCzpCbmP/gTEhBdxjZtpYjQDAVprNAEKGEtp02PfN889JO9MgAUmfens++cnklnXljAgnM7/Z61BljgQtP0nPgFlFyeG6zpUfl5ES7/Cq3eHemOAgFheheQxQioYoHqnqi2shksHgjWHYIsvmGzEhVN/tVKs8A132tOjyq41lixmkgy7l48yD3EKgCiwt4E4z25r9yd7n4v2WQZQXk/Iko1j1p7b5RvwOIXIIK0lxn6c1QveOm1OOtG9NdSwMYODU72LOrYyYgrJrf1tC7fkL1rkGEUZGX1HGBoSOVh2EemLSugk7OSs76Adv8rZoeG3LfCqCiqydfAQJoNZqkdraWEG/yEzBiB9pWIBxlw7FtKR7DF9eFQJ6EAlA7K8ypz810ljvosv8kLLpQsPRdFMI0uOxPLRV3QfSRFo7xfPQjaB/BE/XirVt2xuBPoDXq2knPeZLa/EGeOqqpfvtRZ6CpnR1mGpTuMffl074l5RT198osH4yw/lyHFVZ5QGs25kDeD9Xk6/IX3pn8uLhBbcMkk8sQ2xeHr1ZQBQt4h/1lJROL4/E2fLy3aNi/oq8rSOcLRMALH5sgsdU2DBBBL6jZ9HSP1MDW/AbGHU4h61+cpUAUx6ZQ7KB9HmrVeCrDj6tqqQZC8f7INWbAc42mZSZHSHQhmy3ywowdlOBNQNV0KbY24avRAKr8xrFsDzGewlLyNwLaTPUvTldKaEXN7iWEOGaZO/3hguW1GOwo4jjVpJw9xQNfxyA0F96F6m1l2m4aHfbCIu+gjSVlH1W9PUhn/E3PbkbitcTKVgMTvqlhV/QCpHABwnyNBiuu4JiIkh8pgqIEAUjYmeo8fQEaUyawhNLxRhJixAqm1qEt9acz26c6jgmAReE3YF4ZV+clwkkNPb92Vtpo4hpHCcZRO4E84ZOFFCh0jqROAi+dXewk9YQMuAtb51kIhhy+1Wlu1KFHn+KU2onl1FsVwaRm7Gz4e9yuH45xnThljBbHj/bf/F60XDxdicv9tRwiKYHifrbH732aYYIKepBG23k4d3dMNLCtdG34/b7jTpivZxcn1krhucIOUcoeeX21nCvUeabUeTlgoQ06xlsSdsKyzrSVLew+dyG6A9TB4zrfFD6JJnPgtfVxlZK1b/xva+j056Lwd0GPppgFHaTII+TeNiDKlluXmnyvssvq/qAUD+4leA4N1VJrPYi0Lxkvy1Cjhp7h7ytdmYJolQFW8y9AL7xwEaY8TX/bvzh4DYnHd7NWHne8mfkyTmepijiPGekMx9Xfpi9zBoVBy7mF1aiOPrZ3l3g3tm1i3T5UIcSx6duosZMsIAVDo2N/UiNIKrvoguR8m3Xk4KmKSOIqQ/zgYX0n5W302e3HHH5vsIxp3YJKq/drXL/a10I9I/ij8W8b0DQV5k4B74iWU6iIy4JOVhfi8iPA6v/k3DOnsZv0K0kLuDIgf3Xzl7H6cNvEPKvQQuoUg+vn652oFCzoz4TU3rfPdwn6abJNECuKd3nNdh3UZx+dSSTSIPEca9dfJArxblJy5j4JRwe2xUYbFlNSCnYYxGHC9Gfj3pDZSJOEmmdvE5Une+iLhmu5wCrNEEfV/gpDwkQ3cE9NgCB+4m7A4zMc9o8BvHMfDZgd1He6fOMtaIqmWQDzyaQJ9TH1e2MQxcmII5w260m2RYyky+NsBU9KUNlkDCQBotF5Te2LBKi+hVzK4QuRA6waKwB+gMm/M/4wDdD4ma00Z3FjR6lqIwlMVDb/GHAgY2Dok7WgitFFcCrgUhU/Qey3qmPDNed0z2zGfXQ80B507nU2mICK9xWp+tj3YhJotLrws1eVsyZXzaFTdQ1iBXwqUqoeuWxp8AaRWo0UHDGZfIDF4kTR1ajdK8d6OoYRLDXfp7VFCcbYCjBkFUheEfwSkhgWC2Tbi4LDRgthxmtU0ffJizameRjs9HhhKLnlSjb2yFiTzVAsFvELLkPBQZ2FDhgotxZO6KZe9fa5xNq0tyLdKVsfDO16XjsLLRM6DYQbPaySHQxcrMFGQ0Y9Jlc18vvz6A29JwT/3+zTnaw9qFwLwt5yZSqWcqIQ+FWHdqjf3atz9BCD2Ewnok+QUZTYuA7eHzlpfL8BpkFiYI+dU3+tVfghle6t7Jq7KEecmG+cTb9QoRx9AWdYDZdivaMf9OA3PLoH9GBnByqJ74VZ1nSlmkxB1t7HAPSTgkT95er8enWs5R0mYKdqNkMGICGzi532ktZnIoo2JHSZDd8b2dhz+DmwqhPeRgUEfOhAtqNLmsOirGKn1Ims7FkF7N5UefraPw/CazarJP+YGvMCC9+dVWspBw0VCUsvTJuQSikY2FwS7Ihgmo52BJe+FM8IG0N6yUctoiE1TeGVt+OM3CijRYc3zkX5yen7N8tOkmBsJzTw7sjAr8rrwf+vc1axj+JscvL6sVkzZ2ORSSnyBSLVXpTxqN42L9RyIcoYk8etQpn1YLsaPUDxRfTz1Oh0yPx/faaaE+gNKGMSx5AY4Bxsub9OHj3zznob+4ZfoQWLX5UEc352kVKhVNYGx/3IkXF63xdL8dui4B1IRhc7K6EUGfTC7lS5Mu6X68d4s3s9MA4GCQJjqJc9aaFQrjmrfEHHKIwViuQt07VNLJTzS0O4KuYVVgKvmjSLW4hDv+nnjK3jEsSoDaokz9FuTZMN8fDbEMx4Qfu2Nh6IUE5AXekZk/Hcn5CmXNI7Zl/MoCdaZMoCKjObWF6UC9NOMJPq/xHSg6kbEvH9ia6uMlNkBn/j72Y0Hqdq0F0WtOHnVyVVqgq1u0CEpVze2NWQiPG3xiryetrWiS+O9N/bRYnmqVMD0tWfjQ7lPw4RQJYIWfB2i0OYupf6UWAt9CJdvYznnU5LezrYsWp7Mnk9T4EWccl3mHEKGnSGXQEfgY4vRkvd/8Rut/yY7HxzTzeK5tKSjMXH8Xo0NYXpAC/mbnaMU5nFcvm8S0YsE8k3GxS1dVPSPnjZzuKptdASsMHjjts5VWrC4SvBkRX8kwpdiWCNfmgtFXfwh22t84l0DHuFb416h3HpJpugzRzaKl7OHvKYi1G3INIZ28jtYM+K8s8CttINztkE8QBnCZauusNexo+LANiisFYKSYtXrwjL7++tHo1Bef94r844oGhvgwM6xSHyvYiKhJNgY84jFrhKlrE37cIqHlDcqadGwmOHuyPLG8uRm7Jd5xsk3YTntffgybU0tTcMe0mKIS7HgJQ7aMm+gUsbuqT4V3lx0ZgOwVf2E8+uS4tQJpPnWZ2pwjpYoa6bxz/PW+G1NxSdY/VaHREUH+CYoCT+ybyrsU9dcKzdZtnwQXv/OWdmkQ2IgY0KHsGXP0YmaF7gvcswqV4riLZvdrP90wXzj8gunV93Y5e54dHOz5zpoGs/HCJ+8NSYuAV1OkEzJSodREp09qxDPe/Pau0eN8v0zLJ/BNWsD13pCuqrsPv9O2UjunurGRamUE5i7WKK44Kp4B78csf6fpO9s1Qx+kJRFxR5JeEdB92XvpCiPW6VoqofCIo8BtjPJABW41sy0JamkMheIfKUx5wu/a1YVFzFmd0eLqBCol+kIan8HPOsR4SB/8R1tTIhdLWZLLhVJHWaUVwOpaIZpKa+YUey/bb6QJ8QnhtfFhBIoh7sp/DCEvqXuNcdOD/VDv6qoStWV+PMplOzjDA0X/3uCXExuhw/+S7dIlY98eVy/CH/pmDWi/1qv3bNaS0Ju2rYOkTAfYY6e+vUmaOKxLulqhzH68h5cYWcTCbD7Eur2KVDx5wCf845kpQv5NlocgSA5WwjQZEvNVcSAUIvBhEZInBx+wFL3k4Ve+Vk/qcx9fkcbIdddDzcznVJucSe0fEF48ozkRuV7Ffw3g5J7JhHNrlDWLSuE9tp45HFXSGT4KFWDP0OOPfbcs0lwuoxqzVJNZwMbMgp9rKpQKaQtagR6fXkVrmTyzpWXSf7Q/Wobb9kCqsbAUiGBqLJAd1K/j4pSUp/hUo3JF1agsWFozjwwsnoP0Y6Gst58tWVRE2C9TC0KP9CvuparmWG6/cYK8FLV6YIVuxVbumf8ykZflPNtHxJCLHlHbs41vIiKmtpuw8Az9MVhO1FUcqeRWlfCYrK/9rLhokLc6Y6a5Pve+pVDCfHSzEkn4GZWPFka2S55wzDADZehDOz6SKLwg22h/7u5d7M/XwOR8ZUoG2Y1W2nDqN0pPJjEHkWzhElKTt/e/cOpacvPuOU9B9ov2Y2T+WD1LvFLSPt9xoB6mVbzDiDYfJ21o59y4VkoGaBto9q5IW78HlqXytv/E5PYMLWxkIaNP7/BHSVUJXWGGkE78BFCQzO7+0cWcsljtTQ8ZE60O105wjtb9lRGG5InfPuiDYtI7YcAwd/awznUFZhxBJZ7CDEx6GiJZw5zYFY7YYAHbSXbYVvUrL04Bbz7Bt4AjrHEVeXA5xWnSe/HeqPlU3SIr9JucTdhxNBGMmWSpjH3ylH2Q3ClCRlkBN8jwFLxp9cg3JeuYj7+VYgp1HL5tS3ezMfGf3kdOUWMMG8bvtXWDxxlXthPXlw3z+1qNAExB8Q+Gsa1ApV6Zc+MWSCXh/dO/5p0YU6SwUc5ukUH2Omqea1lLV/WRY6DJVKSKSwG4xacqn6ty0+S6hhYwEVD2xntadsFjVc0zBf9zUSNgeOL1wAQSkusk0qz7C/2yWSEUJSFFEMrkaN5McRZdbUfGdsIFSYIWSQ32XQL6E7yH92baarQbcHtvgVmXdQ0IxC6CBwQzgzSRbyVbtTO7qM/oqKTufqcL0tswvK8uuuuEB257xvgx98nVkN7ssy86fgBVtgTK3ylbKW5yeUrAWk12WxVUlPOkHZHmprNtrjJIo98iUR8jReWA2DpXIHeZSf/GeNeDR+jZDPQ3JlQ+mRw3a+RAdLA90tHuhRdM/vItCxAnd5Re+OqQ40zOAF51SJnksU0gM6LREDURAgi/6HoWOAOZUQr62xa42E8+jziOH+rfcrrm9SaOoqHuergh36dMvAAtl/P+9/Z3teoVUn/EVQeKht24YbMRDC92b/o3DbaNQ2cuaxiNMXBVkezqZWCeeeAjT2OFN/Q2MwM20jwkMDIsIZFzozk29XE627C4PUAzVGianjaj+W6yk7j8j/6f/WiO9jPbwRDLCufTQbhLMCUfDYy81iy4uqRRqL9SEBypO1V7a2xSY113NIKVvnk2XxkKgJoVMqtKX1IIry84Udcz+HQZpNanC3zOSVz3mgzTD8C1G14pd+J/I0yXQQWe0u9HOTzHOlyoSDGovSRxY1iSzkkQYRcOnjNccSOh14R56fKJlntxMFs2xSSA+6cJly8UntI7R2tWBTwTeI2Dj/Se48DiwkY6/JQB9Bt/z1zj7JkIlddmlSn2P7aAixrIK9R8MGgk7IOr50F6enlDjQNBQoWB4eA5gYJo5WpelKFuooQn6xejlwOCq16EFmu8QEBrN6YJR3zy5sLT6KwAGNQDVYCTy3Ew/OQFQjUezyledapsANSZnnWwRKRGj4/nqAPS6ahGL1EeHmI5QznSSRm82N6XcGl2BpUGRNfJqVCZxcOHr6Q9P4z0SRHfA8Hq6+kukdwjthf66aeKAS01jCCk1evYZLYLv/I8GkyehokBrFY2/34F8OAn0N+SYmfoHK3RKkqAOPERs5+7UJZ0vcThdXCqvnoDxNJLkkmAFJd1M7AvxCB3OV1RsBGpVOHQvYeGFAm0GM96y7oNv9jAdcSGgqIl+ztFtoF3lUa1x+vGYCWemdiWRc7E1HHQ1b6UBRDaCg1J0IMEQzzlO31cOkg9l3OQA0GllvJkAqhlrMQNj+6lOWpEewFMn6BpxhfdLebDRUYn12OoFeWuRb2294M7MgaDdlOIe9epl1reCEUv9AAiwi1AaNKFvZyTcRwyQOBn+UDSonTujel2sutSyZDxwZyBqk4f+bc7tq9w3lX5Ny4cEA3vHie6CzjI0mTzqUYNa41KN5WCxnVVjSXPE302xW+lqxYKY4uvxdF+u3H7BS0rpoTTqVstCgoyidmj97ECbQ5u18f10k67CaduDgl2IVV7TWlYhS/6vO4iLOqOEQgcGXX04FtzyXu2n1oP464VxX1DTBorPf74oxH8rdOFsvXoK+lezkpUNm+XpjyLDseAYsUF4xb3LkRZ9ZOpzQOrmlpuK2VDdSbEFIAGgbJWmBKoPVKbbJITvA3Tsabtq42Cqs4dymP+h5lPQaOxa+sKJMXB1kGeYzLF/nVdrbENBDuEDb2zbQewurfRFD3B9AQxxPYCyl47x6Ahk2kj9uGl/97ZObEqsB/UrzodbThUDgp3gZbJvB31jgSBar2IYGFtIZvHUAWQJ+XxMimTMjJw/PHTBGqYtks41ij1G5SNVrnzWuwqfdfAoIfge99yBQ/3BTrjnU2yyQNxr23Ek1fUzATe8G0Y2jlduALZaaoQPXsSSmhZLShDRXwvjMUFClIh9OXHDIyR+5k1YEmP8eNiEMpZLpAMhO/A7MEgCcpPhe3eRnz5/siClwdQ9NY0nCYpMi8LsyCw5Oze5l+P6eM9Eu7SWBCiIjAsPGdt2LGz6smUzc7c9hMvwY55G4tSfhRSojJ6Usaw+JaE7+GcnHIuqH+lM7bzYoliDPIu0hVxUpI98ny9haLR4qeFMEmtCFzJbF+CHH72eS9KLwk4gPe19cfFnD3skDRLqY213iGCh9T3gDFhkk1YEHrC4yZuf8PD0nwFhU60iMhWjvVmcAJQk0FDni8kz6rH+M3g6nqra+xQPnOZsZ+QYYfpRMEKvXUMuf56FX8gK55+zOrAmZU4tEprfgIyN2FHOqoK2PUPx6hRDiAozPpd11NpY6ZtRP6gDo3FVQZfOXvYOrjoEwLKEJ0pH8AUVksPUMgQDgau1WEr6UTDbhuz3fR3Qz1Yx+K5+qdVhO8pvoCq5YPPx0eYs+DPBFN9cPVlkU3Tj/aP3iBE9gXZUy0fyubjb+PMUDuZB9vipaS8/w2NqWRzaWBRdA8/Khif3cHYMAHOSP4rhaZh9jFQ5GKZ68O3HoPvkpHnXfA94ByxvZctywZQUwubr/Hf3ya7TwbvZ66Coau3SQQLOqfTXHPIauhj1zjzdiJtKcQf5RP+tMYfij5spMB/RRgase2x2fqPYy+rjhwHF3lnDdiuuDfAEfhOa0buaXziwyJ4V/SFUylZrxqKrQvHA+qMNNHH2h2ylYWDAHGwVi9BZpVpREsv7N4uq3MWyFte7Ki8UuoLzGISeW2b2VwqC1R6EOBZxVPL30uvvv5D1snrbruQMrsJdCMvVKsMSRfM+Yw6XDW/ULddDdYCgZINidX1PZu5CKsXbtPoTqNKX4qVxeZHlwIiD+NTO34Oh4xP0/MeChEVF9Rp8TB+MvRJOuFNaObwHQVfQVambce2daDIVgGfKUdtPvcfRzorBm5WvE4JiFPoeUVn4grnxMKSjfwCW6kWNbywLTaCgZ3T7WHKxczh4GWlOK4n7QYfEXYxIHDrF7Z26UxDiuLHeM/aiy11AvRUg9WE40MV3//Mcy/pvtK0iUXmQgrKQDeQ0o0W4fVMrFRFj0+OWHc+aF8+puO+nI3dtu1FxwHz5UZ8AJneR0MxaHPmf80Da7R9jdj4wNIHSTORB6pL5wEq0ix7nZQ5J6dsGnHuwxQjRtpHXy8LwycBsdTgethDWl0HxYPp+tmw4TZ7RMDPA4QzDiXPrkXQN5TV+ew0fMkCYcQf8mZTUNq1PrXG9SSoYKvts/oZ5y4ZTZ8XqhASsw4zhdbAoo91wKleY6CzIhJVq4CtzdXQ5A0p6dZPKgwKtrsUO7IYdtV54jFK0rvviX/qZ1ZQGuVpQOKCCNw8VTDLozouPyHVEdtjZqg0AJLN8APX+QuSS5EaZd+40O3CAZPFr1MPO4ixdyrRWjyCI66pLpXTACJsXJ2jQ4AlhKDu1LYTIiPyIndd6EqAvMNijX6EDB7e12GwXkYj4GFFSKhbzEJLwXbfySR1Hboc7HpPB5puF3HiN9NYhVNfjVp3bXQg3h6j90vq+EqT37k8ffKAmMbKYvvUpf8yNk1bh46kbFWoiubdT0yATaNhNwc0pPXhRfafwqIcwyTXSkOYsWAr0pdwstXZ7oYIijfc34D6hVQtKIp8mxk3ppEyAxHdrs4GBSr9PHTdJjmH1pGuqaFoJDES/W+gNSCDuzZgi7yKSm9uiZ7DMNvmP/zdn9eHlNF9nexzENIl63MMzJHXiEO4og3hPZBcpcJpg9fPcLB5BNJUcASgVs7hmGqKjYpwppspP04xLCQo7B8HwHz9XG3Xy9Yff4iGuueEzrqioLuxjlq4rKEBhQRQp/kC09R0IqvTuYbJ7Ib9yg7HUfh2rGq/f5lZEjIUH/rNlD4Ebhdc7CnP8p2jXGVuOHVJRovePbN4OXbUO1yzrVk+oV3801BWEYzGUkBSGHukRFywu/hTM/jym4lSioqfKztYob+SlMh/+gOq+XThH/9XPgiC1XLEA2I4yfZlIpy0k75QytewkyGJQNgwe1F1LzDGgDRdBNvBFh8fvTPeYcaJ7xMwHDKXcSOHxUeZIn1HI+iq7gyVWTPyOVv0RNogD0TB/xjKAPKw8V3De9lOcV1rnBrnQhuuwuUdWEBsvr64dYw0epoX5hTrsBCqPx9PBvjHrD2l0SVFEt7RHvIoIim4qfqfh9i9Q7kPMPOSl/vMX/zMh+fVGUKRr9ysRdc8AchO0vDUhP6kMVTtBgGulo5X6fgSYhrzx4hzQoIIlavZnxpNkShJGuQtngQ+j1ewLpWxgtWfR4cOJjfTkcoQVw5x3bD98CqU4cHsNrosyFjKe6tWeOJKPxR8eGwdBetprLDGz887zyWxUZlBFVBAXFlMbHADHBPOVEbVtUKbi9On1wVp5SftXayI9strz4ZdJ4nqeHyUZszbeJMT9JDSoXxmmCZUV50Q9VV7Sqj9zi9JJjrxZdkJeX5P2kJ8OTl7cnfIEBLoQTnVUObpYnlrUy58ayfo9qVRwBYf94M0H/bijvQVOqJjAi8RVpJ+0r/dCikRUscvY89kgTlzJFEzPvGtBz8fg1upy/Ex70EKyDrBHYsA7+ecT7gCwGEN7WQh3/epIqwEqytNnB23UMuYpJ2dwQ/CQc8dOGsQ/Q1JMsbVAc3TWfxo6c4dqsnmGec3Kt+Up1y57SrEfEysJJ4dV1P5B2e2JtysgxbuRiBB9YD6ZaZFD5HhYicHqdqsouOUGKkPGCZJNVrvFjCNTvdl52vYTXfu7HbGpLINaFie8Ifnl1TeExJeKpXYBn3XZ5NFfI6ndTwYnXM1VrLzBDhT+YmW9JrQtWMEtFmZoco/VdWb6ppBjAjsAwdzIIxLreaQvS/vAKBueQ6/adPZMcuXQ93XO7g8WbFPTsjKRnDSuoUdbyMWEwzhV1sbG4iW/fFiqfk7Q7aigwiwrE3Ga/XW3aoW3TzGXmEDHcZlnKLJnVbb0XBtlzELvtBtz3GEPu1/bBFGtKbKLiRmbo9uHzERHToao9/qkqGKkZ8LGo2SEjGueGuMHAVtTHTXeZdwTIa2JeCNisQ68OwJ+CLVXzCPdjYIn+9EiQPe6cmMD5nezW1fU5W95q5+0IIKSwYHU9rUDITqhD8h35oAEhGZNPaTxoZOCpS2VLFxTvjUUP/+0uqC89rvZeS+OqYu3/1bQAjuEjQheBxAHhDRTWo8JsJ5dCWiEO0UfJ/zrCYHJ1dP/Ag6tG60okv2NgRuzOj6ocEAQx09Tn/gCmDwHgZVBW3doO8dFgyVIp7ANDC1mrbuwWMs2yhtObj96D22y3UujwR81BvRussKy17l2ZBym/8hO9xr2ZhP+1f/BqN+WJNIOFMgWeMAdiDdo3zMKaOrPwgjk9yKZKwi/zQ5QG7V+Cd6lla9VxwMRa+U+ZpN67xLMQ9hroklck60geMZY9GhPJl2qxIl50MGiI6/m+qPSXYW5k9lKsZmm9b0bpjCNNJnYN9TJQWsn6f4on1VLD5j+CT9Se+0XNZDEblqt+bF+d/phV8XMzsl5D85OvCIIHQCqtLuPSqxt9s1Ze4IxVwnrBuagMEQOexVlgggnIdXqX6kn8kvCzL1BMrc69pnF3M0mEdhLjatmQbU2aUZ1MeSNjsKokcabFlQc1E1oBlcGJOCq7yeFXtVpmy/KGo4h5aCFhyc6M1yKL/VGlLNORUwWCIAtSMFdL+i/lRiHlSprdsAHOdPjJdvlvwUwYDAHIms4jwGSkwFG+WMuRfU2Y/hO54HZofIqcsf2wUhTBqAeyC2vGn6zOHpJs2YJp1uNAi6G7qFIuw+QHdUfMDtoJV0laC2VbYu7njNbeCpUVdwn1dtxhgGy89i9i5INkkV6JjwNheStjDkyNgbCpr3CzCd+qTLrsG4m8n9qJr0yPugruG5+NFrSKLr3doRkJRJY6ZP8YiWAc59XR8UEQNH46Wk9dnWZ3Hd8q5zUnaEe7xeN4Js+IrnSIqgNFr9lAmcyHt7mDWIVjWCJE72UfQpehVMRemeXvqXeFEIRerum8mWJLKWm6sRLAnqg5dSiG82m2GH6WJ6SJpfA8z6QHhhiYMKvIHoMvBiLXri6sNMoBHgC4GBrtJUYlapuSKm371tHpSWo9eg7cXITtRzKQmz2kwJiGPN/Z/up+3Yz26nRkZ80KyljM0cmIa8XeLh1hS7SOj1gcVYNdZjqrQrnmiGy/2/psnn2wxMZS4BRuZo8uCanT4xHDXkV9SuW1SsazLPKA12g2H8TPQ00yVpEMNakp6CDxyBZJVmtCGRu43LUBov7ZWx5ajJkkseO8qnyZUvLeFCkjZIhBjS4yN8CyZUQ8tkmI9HV9VNT1FK7LCODagixpSAEcbTpHu9OD8fd/pqDSoJ8awQncYz7KXx7ZbmKvQ/0niV6tUW92qU1BCBq+u0XZM9poc770ItXPx0qdazYMACpuIuAaSpx/UTN7L8evO4vvbzQKO52A1ue56EoMwB0w7/18ttg3dJu8+pKmdGiGwhLkiCgyyrBvNDwpZhm50D79GudPTRPmsTfU5kr+3b2ENWVIm9hwZo7m973uiNku3BXl+AurkCSD9SWK1HilG7s+vVJIgu5J60RoADxzMZ7uspiF7AFSUxiACYMcRX9yK23uKmfqGT0uVh+pmpbBNGTDMbbUIgtVCqsCYGlhyJRJH9IivcEIsXmw9B61BBxp4cZrN1KE9verjajktTYVDkYJbpNoEfTno/ReUIQqMpSaaZaN79qjV/b++64xOCoYwtXzGN+dtvMT5V/M+zL67rotgDKuxl/O1IZZ0zNT0T+c7hKeQirxg2mI8h5wGq24K0kmiZspRZ/5rYP17Wi2iJwC2WXm4SyhZDYjrZqAsp/PQJyEANuBIYyMAxQSKHjmY1OKOYAhl2q8/Wt3PkTgDlglJSZmweuVkNxV6G327rmLI+zHl31anBWtM7zneFTaB9P6z6sSvn5uuf0LHKP1838cgmI9KN2UHWBwaEjgdnjO1IjNRRXCCsGb3WgmqV+IEm6qWG5SPUhex1AU62HsvPI/3q+GUpo9yrV+c4njroDQY8Jnf6nwm3SNdqLxfsX+IqgAu2sSBl4n318+LfOGckQ8GHryvbsohAmDngiTMs5GicS9x6jmyg9UTGroTPF/PTxHjznYBNODdJtzmLJsLY3gVv8sxdj/QkK592cFGuZ+IPpO585Xs9Mvkw7h1gAn8gfWLORA9XJ+C+nQTdy2dQguNqFsxvcrZDg6Ay944IgS5ugnIUcoRYKSYWOTgGX73B16v709LVvVQ/osuARKPWOUPw0DnoK2ah8oxZuI3Uc8MiYsarFuyta616Cf1Mnp2kGlmwyFEBvfhSYUfdutF0AZ964YilXVv31Na4GllJxaa7pCJwFFoLOymIygGMw61RAeRB8bOEDU/voiXohvQDwnRTEck2ztkYIImECKwrtDqUqvxdNTW+SYdc31pi59TeLgGlmPXwMprNbV42ttuQvCT7IWSEyyx8P6OrqFE4yseOKYiJH/Bq5DFISODhIB65t+d9Lk4rlBqWSLxAokBFg79vMbhKGUJKuUakLprLbk5iWwLX4TvpOLGgsWBiWHpX7GnMb1/jFXsx5JpRcnLYMU5N4ew9vOTvQ/Wa2f+bCx4HkM5eBG5GOaqJKyI4TQG+3n6BHbTyg6/VVUuhHQ9+5YOy7NGeuL94J5wmqyAUnVHIIX+ta6ZIL2gqYyZw9Xuduz9hDxkxst6iZgF0jun/MRcYhTa5Paq/G8c/Cj6ZP4HKh0OL0tt/+pU2XJnRUIkUBlYWXIzx5MErOYfolsI3ghmYtIMx2xX8LRZkvGDZRLHbIe9R1ZcFxSbBruLGfcbfEKW1m0WqoIPprY1KZZJV0qKmKZVwoYh+kyyaRnHQvv5V+USNbGXFRQ4mPRfR8aysTYaGi4QcdIvCdm7bwi8RbFX+veXjWYvcJlt2iTPeV+NUbWL6qF36NS3UN5B+eqWncgCe51HHcJtcAK6Y6H2+5GwKD8V72EJ+89PQt12B3uzrxa1sFiubgJQKZ5l+lwD5s8AIXqyBeDSQFYfZedPx/bSeM8xQxpYlkJ6Cdqpp9EyTRLkUoq+cTPzwDkavNAN85fnCBY6HC6COtfX1OoApvSpqu9i1JtIC0oAE1SiCAIaZuMrYDWxaE2QIWy4NXlPhBkauM1e6GAcDH/QIKADt6ia+NPpIJflDK6Kp9bykBeK32skM0cTEG+FKSBuiXNJZVbqfBxV6EcwylOZnUoUL3RtV/2vxM0LpSy2SNJ7hrhIA3A0DeAnyXSD9qZBGLM3MRfuGItr9ShCpDd75Sb9kt5nf4RFDz0c94u8WIhPVA3+SD/3EMrUV9OAeBN+kOMh6VE44y3q7uzBTOCMYMmHXPPOZvVoSX8ppTh4cq5+qFY/TFki4Jd8XvADlyejkCPnIgz3iRyuH8l+jR7zILpwdJlCGU8hSXYr/V0zvWOAIfeKKhVnseKLgKRPV+EsFFvdNrnaLBp0sPvTylK/CbSZV3HDKyNfDUcRBR6D7kAgm29XeeUz+id1k+I9ovgD+L1QwpI7QAwwAjwsXw4zbyDKz4LPftJodZTtY6RtwVBtT+BqBoSvtcP57tcRAGNGUSaC/b08ue1h0r9Hl2FPb16CFCgi0fpcSpVrBrbHR8XLHKnkTIlgPMWTN6PY8O6QdkeJXdgor3l+HoOUHCsTxYAIwebz+LJjVyJ1P022wqyzAVSrY0TVK/EDtYG/6f9cdZYN4Zh40kCCDlLdcz3/wx49r2WiCalEVadIp+itA8fZXYOVCb2jUkmeNj0V+bHalJyrr7RXOrIUHG+2VEbIa0/58Ixoac/rVWp7LCHzgXyKjjnqpMOx/eGsoN9Six73o/JQ336xfvIsXgF26hQdPcHJAS2j0Rcy3ogvLSItpA+f0KJwAXLXSzXV/QXx/c35WBRVx/W2viduvx3V/JUsr7ARxUUm2c/kxZDFxYcXuou5stUC7N7U1Ddq6VJBJtLqOHmCC9HPnXOYwdk89DHV5KTbEeDEy+oyLoqRd0ya23P2LtquE5Mr1OygKn6kxmZ7uYdccYDvSjO90rt9iLjh7+bVor/oYIQvr7tz/HBopE//BgMe361F1uo3rau/a90VwnUUR6nshJ4s7DOBREDiG09jUj8LYG2YL0I5qOFFYsZtMO4NhWoyuOdkFyAn70PbDkyoEamVaE8OsRHq8HRw2DIhrhHzvvP+sY2hDjpWkJ/FWBVYk0drMvThaKKOkdAdhG7ODsFtrKXBBReoFZhTa1YGjXNtPRCSNNcHPntsiPkoTCG2L+Toi9ewtRXFCgMkrMS8KzzOKFrhbnSLVlgJolUUXU3//iD1PDdpPfEA8a4ojDxpO8LtZ9J5GGXJUG07KktfLbQ1J5835KqEa6RkbFhvwpLf2VjQXFXYUdZICMj6+xpKo5+4seqbg54f1+kePUcniFwQMqqEDjAPEtctd9JmvzIi1OLXYkmMdN3HzHfAiMmutkR712fkBYdZVJypNA2EhHWd1CZxQvjee9wP4ZUMkUvjXYfiuZXW1zUZqmdidwxQwrWCfYZeIc/zRzs8rznWyc5Vd6cbHg4E4IxdWEFfuzQ4saJN574cgzYxtZ8DuoV5XJMvkEMeivtglSVE56bG5ZHakP0nGY2CVch1t2Sw3GW11687Z/t0tu7yq4dK1FLEPuQmXH3a8a91w2wbzQ4eK0o2c8cymhiWOozbFqJ7FgmfxYhBKaycJxvK8iSUxwnGRy0LZDXBVwDziwLM3qIkr3k0TlV5hbTIUVUixlceKduYHt9vUlJT0yTTL5nBZgCHa3jck2Tj00FNgUUee/g6vfHT39XbH0qVSIybuDg5jNQYfDQiskKMmSfoZjQmqo8pFoSLWPoUIz8fR/wtfIF6fioA+FXO2bXQ9pnfBa35r6DAI8GtgFNDhQkpU7yD2ABALFLw2OUA4bTQmxtPt8n9SdbGZEnCuEDxsATcsNcmX1hNf0MMMhAsXco2mscGJRdCGN/UzKW5Qp5vljPFr5bJJRSL908yMALcP3zmk8UsLLrZXRg7nqmiT+bky7Gm4MIjO4o6bH4+GsBooV42M+2A+Jaq+Dcaxx96YQ6pZGW4xW0RRIJXFLirjtwxdKChrvJDpZCW+6pb8yr6oSNkVMI/mKSrFpV/B9TTC7wVeVLFM/d3+k+zE9uGiQZFPlSKFVRH+0g64NHjLCIjF/1TzOyv6WZGAbohEe89AEW963N2brz04jjvAV3uzEw441I/AuP1WCgGSNRPoUMxjpXkBWQ0ovKwg5Qo+b9TcYcOsveVuN+OS9/6dxI1SGNIG0X1gD+D0Qnh7KvnRSBOWLnti8RfuTbvl1Iqm289QRl/UtZk3+ByTRcWdVLi5jyYUa3M5BgG5yuDoHZ5bygyJhqvgvA52CLqjDUuFx2CXX4XpbLw4Utzsk07RNQa51j+GbXFT8QLLaPeNqqi02bY6HEVRU6sbWCoHLXs9SyzLXohnSWgalFJO30FjohkZwGZOOoADFvH7ikwvKIIVAB9V0f+/oDqpYL5K/vE6vu3WxTih9yEU4TMliEtDqy7F7IXUl5gx79OfO5AiDBarDR3BePfNPIAc1SOqaa1C01yxCtlURBQe3XhYWeBtlGElxMZeFiDfAXa/s6EGBE5KCWrAmSov15VqirG64VhsB6EFQThTGmq7+1EZEALVlZq9pg+/PWbqtfyaYGrmd7nmAn7j39mzIaRDaKU4X23ER1fudhlHI4Vf5wMMLyAMuIaHP2gzz3VI5Wvvulcy7jllGJZ7j9vtm/hgDI4MYo+V2+eyRPX45mw6ArWcO9or7avJekb5E2oaXtr9kRQs9pubUIWwPopRpM/+RI4OLbyyWs011rE/BZlWlkc5nUOkcG5HiaBmD8hKEpZews9Xh2ODi0RZCckvTjejJdkSFdwDmo7xYtmnU0Yh5BQH2k+OeLCNE1uP0RyzRyooYzSuqJUdPDrKjzdlO+M/59kgiGnDsklWiBlNmLKF1bQT13iNRpTlzOomGnYnvFOpFC3usuongUendryUC8kRltfSz22+eG5ySgQabRWikt1NHk+CTe64p4AX3s2sl7/4DDOFVM77NtwZwY4AWGbj40X1PbJL2SN1e35/B2GLmxpILOA8poRGFAyV3HzyCFRpp1x4T66sqvcY+G8danhU+ImRZipviNqu6BuTFI4MC+zmetVRu9xCpapOxiAsE6xl8ryqUJCafnwgiu2Va2PwNvt6/y3yfaHVQJgXV6vrzqDhDJ4eJcsoUhGBeVCeGvdRLYWkvvG3ADdA74TKqj+D6Sw099Ixkxk2ReejmvAlMUpYQnP729sBtAjrQL/NsakARzKc9pBcjrK/ohwDlgCU+jCEadqR1NaCZZWLJRbvPN/ieKMf87oB+7N6Daa7z/8DoEgCVyu0ikC074Txe5+iNX0yDEr/CogdvU8p8/l6n7wFAw1tnPewHRK0EgiWANoOZMS5GMhtL9bE58SQRz5nW5LE269mlXUYX5YNOfEknOtAGeotI+f2f+EDYBm724Qocf7p73OFL25tRTHUsjmYhFTGGrfMqat0Rcaw3LnvaJQaRwNi7CRi7urIC4AdfdifF3/xYdRxnRD2IyXZ8CaWzh7SedYrI8DXfFjjV+dUWp+VBbr0Q8L7HMBUO/UUs9fWhWBYIBzCCHIg9SmdZoGW1nOANAVGREKEvt5pNwHXfVJV94nILuW2IvrZXvRZ+aJCzl4hYyXcBY/yicGRedka5hsOO8BWqEc71Xc7ABc2uNuB+W335011jBtOzLmqSN8khE5V9YQvmCf7996gHRDnRtEyHcfVrUnHMByjkK3yNEs9Iib/AXjP53Qx1J1TZ3epit2KfiNeGijyhc+nUjdKYJQcLyQJtUCvriOEAndSVGetv3EFUk9pQuN8K0PI8yhSSnG2nt1b/wi0RPpQ+efR4YQSDqQw8SX8DLdpRJCAVwoCYFsPYUCxpije7ikJOwsQ+0mD2eIQD5KAU3oStr2LuFFSAGDE0hzY3pYu/D277ElotomLANSUqTpPi6KvbD1B0Pd0Ea8s/QdnvwUPkT60HqLLeuBB8KSV54Cn0RD8lBgof75HlyeCL5pKbiQTiSTSvriuFBNB9W2+NSpSreNv/tgYThYsFeCX80T6Jd+REP82CMjsRGuSucKM+ErSLUtxPpC2wjFKHvoYjb4f/Z0V5vgRc0ARGVzM+SCAxJoiH9+hVaXmfMMT7uHxuCA2cVM6X4/n9UDWqpw57rvLWHktHQxFkXHs0uAaR3dixaK6XrJMCKpJ1RWHctHWpN05ryPa0jJHPSVXNiPTBnAufv8g9AqLhh97Vkf6xRQqoIQW0TvqrdSSNVbWSbaag7U0vrJIMO/DT5DhxvIFUfue43bsjdteeCCP8S6GrxaKCHcEVJxEzJbVGDT0Xel6PCyKsaRmx6LQYc0OrEs4JJ3cZIs7zxippcbThbn4Czd/E9igcIF1Z1rImCiDSsmLogEQs06dPKRy5y4ShjBWRx85izv483PjB2MJ1AK5HK6gfxPdB3fsTYQKx9BEXaakYPZ6n7jbb7DoMPil2uEmjOl+z6Wlhq3+Ymz58TjQ8nuVLIJPYjoAg42437beMgbvVmBR5avaAf0ghWRc/p/99NC2fkj4ZnTW7E7+QxG1U7s+GaFf2BmJdXfmYRMDnLZV1kemAKqysl1182JRrm5G3XNIeIJWcxXOnMZYxhWAEcItSGD51LyTnXkDW5mK26Ixrg0WtPo63boyux4Jab5rAcBLZNK/Qq7+JzIeSU2XVN1zkG5F+jIHtDBiwBKTQGizxwuGJeRU21yNaOXJvw6mDNvCjtOcaOQt6RwotEhrzN0PsbwGrPWgNgzciIjrqMPJphyGzLXUYQu4keRP6BYd807nKdytCMoSsLZS6XVY/tF2XjSMi5zWoFVOVv9XxYgNSuwDrvkoECQ66dOwbYciOSoKkCqnvf4NJEIRwI6LPzgT7IiN7nO+kd1rOmhoYmI73oeQNFRcDO4j7TeanZkaf7FmKCarYWFXlOY6TP3vdQKxbLtAcvHMFADPtARv1BBZgLtn8u6n2rsie35F1Uq21CZq8MyYfe55x3bUhn8yifbCh9ZW1GH/+6MYHMTAUp8jmYlCcohXvkCB/gSTFJqpYtmM0HGhc6tCro0bj40J5ZnJYI6wrkbeniTqNUDToXJLYnbKsDKwvPNFxUoQ9EmFKpOF43Pv+ZN/vCcTTeeEJ7KigFHKU3949c6PPyqDtdyLcMMw0rP9zCUXkdaXXQsb/+jTDhWNim50CpFOoTlDhtiscVfK8h4AwqjEzuj17s5+JUraf01d+qaWZxTa2YFCzztz4jHg0DNjWLgiN/W+DoIz1SJTw8uCJ5IzFP8ANOqD77ZFk0AFoRYTv7owieebRqK7KhjHoYjshN/bIlf0jSseD5qUL5QqgJJMw1rPMinClT6k+3ZoJUGyN35uiPKXL/vL5yUth8Mlet0JOmRcOh4jymfOlEgNm2r8yBZ5V6FXZD4uzvJWiI0a/tV8f+5MVtnJU4ZXwz9eU01bQfbQjlcCouzLQ1XyKHSGrp2ay0pz6G+Wa0mzyOPO/PuOxEKzjjI0HSiTc+JF7TfwpJrrBWdXGaSDccFbHLs97iLXgQgjXGj5Yk2pV0kgHOC40kX2pDOtzUH4PzN8KJfo2HDj0FXnNufLSFmqFkJ7qDNMXP01TCrOSZNj8n5IK1HJ2gbtbX9BrfJURSSKl7RKEylGa6Qt/WHFBje2n/Hf1s00gqB6+Z8kvSlaW8HkVFGGV84Ta+Ae195BoNd6aUBl7wY+7Db9kdy2Pb5v5RllqgTXocwizkJDcicBlswtii3ShObutavkzz3tqlfaSoUuu1tAWp5x/MlK9MN7tFY1HDIbfMp3fRpm5IZagyu5aLhjbxKjsd/Qeh4PhcG/t9OBKr4IUMsLp7/PNMfP4Va8r2gXpX1slkhNTkWkiTQ3a/f/psRciT/DyYvWHqnSLKewnSGZ/OZf1JR5hEIp4k0YQy1ThqG5Ntc5/vC6MQQU2vv+w704+ETbUZAktb3/qcbK/DwF3+kU8/ml/f9Y8fF9aHFWcMUuAXbj35wcbXVtqJ7uQXvrWRqObdjJehZ2307x4dciVIvXMgZiYwYq5kFqjCsNKxIvWJWRD6UdBRpN8XDxGtkHLOqhQ34avzSkaUabnsF2i7Db0BiwcFqKDSbUqgLQHTP1xJuw2y82hGiiX9aycIXBAaVT95y91B1FOeLIwGNfMj1LIpjk9OfVUba/14nA3I/1GSHD9R66n8idtdNyLOHJMrkcAkoqxtRkqdJ24hlf7kE21W+2Nz5lypENZuZaEKW+fQb+L3Az7Ta2yMPVQqWwwPK+ByqUrV0K+IZSraGWpjKyS6W6GQKQrl0rBqQjSXYl2UPSWB1bqDutxBlfiecSUV96beSpe7Y2vA/GR0EUfWtNXrF5MYNHofRmjxHiwUmjYCxfTiWLPP7maPHH6hJhca5/alS+WCKGtMAv8yUUD3xZxfyNi2d/TKu+zVQFyBKSbGmfrZL5W2SeUIDi/arFeGurLvmvBDXhEbpfM47nFoMgWH/iq+yav+upjkbErbck9UyHE3xoxpNw/iRjMMpS5Ei6v306rzF+PqOf6emhvjaahRLS44JaIxfnd0iMarAJXVWgQvJv3/TP/byYAc+G35vvgnoxOLa4gIFTuxT82qDhHCQ0NGhUjYMhCyygw5FJIeJTZIdBnmI1AXaSsK7x49kXDGHMUFzRCuni/5e6hsHme/f0u/CAAWfxnEqvrEximt+eOHRU+Y+vSMwffHof33yIkI03OF+vyoLGY1bRv6CA7GcReq/nXn4MFoCMfzMEpwmpXqWbLv9mGuJXGCNNA+42ghOi13z58xMFDv3zQMOavP6TvLicAkpoc6dW9PdfGyY+BpSd/3uCgrnAiGyJIlO+gzVvZpnk2XElRXRH6u2xqSGwXD/wEpHgvT+He5tVoTECharAB9bxiFdJdtOu7C10TRPAD7GEWYPSFwsNlAqDYyli+JepTwngvK6qsOALTo2UsjadQsU4SmRFG17/Azd6RkE5J/3U0Do5xWiFWoDPArXVFvt6P/BnHK+VoMRhC5b125JJzjks5sjBPedcDc/KoivzbcuWqC5x4VNjua2eL8P+Kr3pOnkBGogm74bhxIUUiX3gHerbhf0GmbsKTkTaAEi8URV8qA2X7YShjbMIXquToPOTPqX+nTwQp0LmYIoE5T9VkH+rnSP4+1pMhA1X0wlZjIVNnGxLP6crq5UY0dPc6l1vo3G3JzPzY6zP9UU/oocnkHHhwqyUVTZ/rYHk7E03Yon2AfT9vxnTl0yyMXczYpsh7mqSygqdAH8Vl0h/5HAlaSrg5qxCFrRw/JZKEG53T8gGSC0KNyKaVhXkMPRrE05vFGg44xQdc4uaP7ZMzB4gE391x8Au1TUnYBw0L9AZ77upyXiU8Y+3ieeH/i/wTTtoflW3zEmmG5XBWyhorKUkSfkFkW88waj9cgmg+E5Mzde9XRBpvlXJ4p/SRWqp29ipXgpAPL/f31LchfUFTW/y3xrZIaa0Wub1f3qn1L5kTJLNmbF14J/JqZGLD/+GTVPxvdfhmgdjny6qZCcormiiUrmNCR8doGRezE1Z+MeIULddLCN4J9NoSYDWUoR+p14LdnXI/jBsnqLDL1P1un0CBDHMFcdOQsRNJ25qsyfqfOZfSmQloSlWZjOHo1aaspy5Vs2NJmv+ORkqtn8yRzeqhqyP8jyF4NBWuEirUyctBy1c0B4q+5iYjg/8NwAzD59QWGN7+ION2md6zqVq8a9ww/5G63Tleqoy7FpR1c/0sRNMnAYF8KjdQNZ3Jgn66FG8We7PJPlE0+c4hTU/ZGDKa502v4U2oUrKEzedhr9Lx5rWIoTjLjnaTlIv7UHNfioHfWaY5Z6PRn96gQM30BwqJJ1jcRibCzvLg49dFAxR/xj7pz5/s0UjQDercxoZJ4fPevc8ZeYIKxALB4c4a5Ez2e7an8uGcD/KmxQ9oeJ2Hu4krnVN1GUtqJVIlaXRW2Fz5XoHuawlTkDTConPaaszVNoQbHvNm931P6Wok6LLKoRu7L6RUm6Dxi09a3EoIAOGGkVbH5vhegukb/W6eZEw8cKrw35yA9Fa1Pbj93Cf9VgVXZrpnNIT9BsjOzgS47Nklv6Bi53pE5Nnct24lHsl2dQmcBa8vcsFe6te2NOk8gVQnR8HFW80wDQQcoYOiICNOcwD4L3QAhLyPALJ44c5UVmoOU/DebOSinUoKN48i0FFfdNSgocDzw6dauLvF/ri9fSvuWlAbfbx87SxyL+B1FLHOWxsszu1cvT/jR87fcHvaXEviHBdk3nu+VrNjiIOpIyT4GR9paQ5PCGQQan4sruKZiWnHqB70aauQi6Y1c95AQELRND7/LbWcCIrDJ7uF+pE6B9WDD2dnAZXg8TyGPeqI2VTbIufSoraZDm1DTGhczMPCb+U6KFESACOBNSLQmGWZeHbFWBNsDphOV8yw0i1MCw0HPKT49cyeFJdEPrSmoJaZws6PjS+HuyIi8JjLuWOdy/KKyVzWGyBK42XURh9/6Oacu9NynYR4hFNLZnPsO/Ydt9WykLYO7QK+KcxOHuc07ZcggzaCmm8E6Tz9q4VzjP/TIe41FNAHrcZqwwfn14+3AVx6r6pV/YXVWK77nXY8v96qPMZ/6qozQav7+D/nvdZx4xvpL65aNOn69v/7bEwBSi/LKzn7bDbR6M8Y9wxTxaZ7gjd18ZN0l2MOawWX/AKTYXktzHgZSNPVy1zMvuD+UyVf08v+XHKw5DRIkrowHMo8ItVWGEAM8nDXKRgLtPBaYqWSXiP5ijVog/hIzFZ+cmDfD19gLnntyFw628wn8RBRPwXmy/7RBYzHa/VpmKg6RBoS2qylnezHAUUDAURsbk5spgH6uWyVhdGn6z7VXhMktffJNHYC6/hWFo4vn9p0OI99pqq/tCIB/ezBqiQK9p0JtsO3RB5YUM+/4zM4fkAviJWXdkVaa37idBsThVVEtrBj0BkWXMu8XeubvUfzW8FNs67i/0gRXNH4ZKF/uvKT/X5oj+SuZI0/3zfYvYEvj4QO7JzzuXmcEglLhFyp6x0oyqbSaCwlJ0gws7cIfTs388qc7iLz0uhMVOSLmUIQVcshbzfjxPElQPyDp8SbjfVJeGunnulqfPsORgMP970a7lrJSRKCQnGSKMdERfKE7tdma/ZQSkIVs8AdA4+5CqDOV4EzFNL2raH3UFGXmxrxCo8kI5EV+b3WzQxWE2J0qDOOkAUtK9DYQvgtQ7Gc6j6l8JcAIyx+yX19+8i5E0ung6ub40F/gFzs+3OHAVRzO3d8pOg1KQhNeyyBWx7AjEUmJogB8SU47hJuxeV7gNBAKbkoB29whzKZUyfkAx6BwMjFebMLwdCx8Mz0QjS1IqRAQ0CAzd/GMviUfaWUoNq1CwGlO/LeFQPyaxkb6ttw0YG0mJSovzvUp11s5a3x7QLYQvZwctwK+YuypvDWHL7VEwzfu7VrG+2tctXYs5i9IH4ZkmZcSYbZfHRM3y6nS+7TtPBuLP2UHvHNuKNQdz9zKFpsAMkB3fI3/CVfbit6Ua6MjnhSHp25CCVP9Y4ylNeuUbYzUOrhqb9VkVMvbiLS2fVTvDluSPiixeaqCae9B8hDnrZlJ6s4BMD9wVVPP4Tg2n+AIWNCD3osFOfjSeQS5RLl8V6dWt0KrCTFkHY1bj6GDNkS7Jg+99X9cnOOUs6KgNuzit6+Uu4M9cWuPI5xRbrZA+D7Zk/eRtE36EHn2VOaB6rDFJBrZSBFui2QilH45u33B6KcDBWYM9xZx0Lyfv1W2vzvbOrB3FNILx/BwTfvqHXrqmw6JHWbItG2tzH2T53CrmoWjqODIUi0N80WRVMPUwqS4OjLxyPuG7ZJ0Bb6dEgCO7yMKss4r2LhemjiZoShj8mZQcPUL0UqSng2TjYN7sE0PEeDUG6PaJO1gXfwJfVngMwQsEwCj+VNJyb9D6GZwMShvZxKtgkr2zEE7kRB4gwBQG0v6NZTWMvfqmm6qNeYOumomeeV4WTwgOhg+jKh1dT5x5OMYvOQ13+b0/bMB34JBLvIRMBKJF/1v35l6rhJu8qiuQ41ajy9OFS5GzuW5yba8p7Rio71TYneWp4XEFOeWyhVzbuwTZ2fxZABUqSR22/OLDRRrpvynqQ1IBzADSkrpgJI2QZNp6RubbOP2lrW/UvdrjBj9DupmBqrHS8Oxvx3RoZMVoJ25LGo7gR/be75KaStm3dZLJKPDC8h1XL7s3b+6BlR5XaAQ58hi8b9v3E1Fqdzzg8iJUMziYmFW2XKHH5OwmWdDEdxyUITeyOmmWK3V3xHs1xD0CrizO8YVbyNTMZmYs8TwMnvzT0PV28Y+3EH7Nmy52aX35s6vv9ggMYoVU8xo86Zk3LUwO00t0WP+5UPf0suvuzelBRXWdwHA08BI/sSlJjJw+5YZE8XYfjT4jLDjK16SgAHhn8zhz6CUWKbjxwbrlM7GbDSMdOeGvYhZ6DkalE83AwVaSLf3VXMsBRw6vPVLtSmjY3Sc5Ghdbu7pk9n4bKu/LIdTwq5AdSGWVg7g/KbL/tPku11Bi5NnwGGINojZSoiFpEhgy9wtCCgYEcakuLr/bnnhST9frPSG80vycnIckpoXcSI2BvMlJe9yB/WEDwCC69VnYma3ZegPVA5iojUjAu7VidJJidGs0AgNuvkbQr4jZNuW9bETaztT3I0Eg9f8p7Q1aqM6El+fW3FzI1fkZMRArsLiCMvDRPNOL8NVjeK7QhUfY1eTy2aJl6n30VOgqpnZQwlWQxMopQUGh68/2RMbpryVSnTO2DY39jqpwyZTFteF80eGl8LwtEwQyJMHUWbfAQ4hAuKrKTnThSLA/s39826PgwAP3GLBYJJQug+B/qpVFxfBs1o64OzhmTE3wxLnnCqXZnaxlN4i6eeEza0g9ArOZQJ5T1sj8YZVWMc1F2Psp3k7UNjxfJ1fG5DRdkg8kNoR8JdPTQTJnX7cKpD7qHbqc0bPN6XZzZPqDA+44Z2AM8M69iBMILjsebaygx4JAmqvUbivh32enm6KzSbc9bDBIO6Gv1+HqDA80iZ6wUpYceQkpAiZ3HE8fu0432AiFmy0Sf+ZPkGIDblNPWU9VUeO1uCN70WVCPscYmtwv5nQozBJbZHsx+IlEc7CM4wSgyR8fNOGtmimP5ydxt4xOWGCdNpNjBXpl1SmpSIzAGAzK9TXIuZMssJWebZg9nWzJLD7SkeTMpZtk78K1vYNhMSC/PLDT3d/vrHFynBL6l3vqDebI86GO/pK3RxQ8NEki6XFT+eNL7RsGE6j9cKNvqrJFSW+RIx4Vcgru2WjQT9ak0cE5erA58CNU/ucMjwtSjjltbummjBBWUfsdfi1zeNURsd2wNelxxKudDxbTCVAwjfpZyaQv9Q1qofRuwZvpH1w5dwIEx3+DFrn3F/EdJh0xwW4cJYvk6WITsGMPdZR/v/4jESR+u9Phy89uko801T2doEC2WYdrSTiK7BXoFR2zKIwUDSq/MreRNVh1ZLxQZn9YkHNItHW4klimlzF+ruaLGIlURgzBv6vdMEYy1i8CKvwKrqpz2ZlIyo3KV6yqq6YgdFdQ0xYQ69pkh2KSN1u7dwOzopViFAf0acPTRKwl+gPV4bFxlIKmpIRC3g1rLaORireMw1iz9KsAYX9cS1wditRYcsy271Bs2sPFTSzNtRwe6KRb8erOXxpYyvPmMsTf/ImsWzlsaXfYRWNkNihlyfFPLXu8DG/SCItVfDr8Z004bUE2q5HdYNnDLEZwhh0TR58X31B3M+ilvOKf7zU41cGKVVDjEPUnmmoIOlh7thrX04iaQ4JK7nT/mseUbdnc54q5QAOgfifyIVLhS/LSSKJas3zfU3lGamgnQgvpU808pvPjEeni9RP3ELK+Np/HGOGddx8JBlC/T60a6rLyYJ0z6vCx3pilTb4ZqMFYlzb6X5vzv5JD3AmmPfADrIqG0f508kHvYld76sWUod2l1l2soR70Zo/azXi/b+OboEDPKlfm2NKAtrhWDt0dq/hWWAQG3W4H08jB4eYjLeAFFWwMwMZUMyAL0N+tUIjDsyjOIU1ae0Az8JjS1swT5TH4+VyAHFBiw7mZNwYu4DU/IQ5M8JhFE7PDR1sHhGY1RicQHrTbg/4V9oH9U/Jp4cCniJegPm9NjSeq5PU5ivbQHkBTqSipo9WwkoD6SDAAqH25zvGTR6UhK5vSh2zI3DdQP7+Y3dZJFxrPZJyyHP+UPGVqzBQc9CQNyoR/w9l8JGtkIkE+UgLq9rYRVot1+1gdC9Q2YMxDBoFh0U1oackVqs3TrwMCnEazFQYJdyK1/U7vlYSnQSDqts7NND55CfAs6JFT3L1JLDOdRxJ69DYrp/K5UEsEu4BGziuaXh5Z4ZpLoVJ41QBr5E/iJrBQaFh1Eg5uZ/YGuBzbuafRO5fuaw4uGSCZvUQLTcl0XGeeUyP+KiDLiDUjpCiUMaRk6hQ57VMjgJlMZdDf6D313HQN5pz2yL+l/5arttrpC/WQ5Ha9jBd07EA9JMDk4ypZnuya1jB3bNsfT07el1STI05Jp8Y1mvMONGLjc6DCetBV3YH/HeonTEAX7PcrT0a3SpN2RESux+TWNOSObv5TPLg7UvpqU726e6i190cVaQdPUpjjA5mEI9L/7oseMktEadOxKsqxDR5Ijd/jdd7AnN8iQHL9eTk2S2T2kHy2Xh7ut42EiFnzzXTtQsBJ629yR5dUs9D/vXjkCa5xNAJ/bk6xsNUhz+C9cmrZL2h/ELOVUX6ZTuBkku9MLT+6dX2bsRB8LtLbLARHnDFM+Z1fri62QE7D/tkI0ktqMZTdkC2YzzNvawlu/6N4NHpN7oz4AHbEYZHdcQarvusDM7PHl6Fx8yFHAFIOo2o8aF3mHt3W6/kBXoDzziFiV4/y9kxn3g7o52NahpQZmF7VEaYgh1MThxa7VMq5CGv/Gx3d1mcE05a+K+rmAhBVc52pjn4oXL1NpHYM558pevRFUXjoxvK+TaCip7i3hvJyGJx/L8lWmPiUPfDIiwY2zBKAV2hrOBc1eXp5gxlSqZxramWwH9Op7wdFltfhUNLq739EbzgrqkJhIMK/fb3nHUg/RB+N8dbBRuxudJ4IXLnLt8qs6n58+RgVBurntCXWud2KsO1ltabhujem9KVGpbA4vb6xC+hou6J1aUiXeRJbqiTn26AmJC7FkQEGkDkuBu8theE1mVvuafY/kFTCH6S5o4REYI1pUClrI3VigbF+zhJulsbPb+JYwLYCM1i0PZp1seli5w9kduFQXGZ83ZWI03nc8egqIaeyhVv5pwisublJ2Z1xVEDFRJYkoPzjTxOeSwlZGgr1QJF9C8ZJ9E3B2B+XN8Rhm+z1F+A9i8bouj0HDnF0TLe7eh4fJ9yLReWRuix9fO7kS048tyHmO8k5UB33QBKI8bxShdpML2oIsHUPzLe7JxET18LzsX1MaSDClwHAZkiCnoTGQYSqWZeIlEsMtk3plBkRJuoUyBfMK+yJ/jOA6x+7ZhbJpswOg/WY5CUfccEZlAi4ObaGNNepA8W0+2i9PcAVSAftsvZLR3NLurIjn1bb1qjUAsqMgIvgZ0rsmxi0xwBcJ91JiSTEOfvIXAFEm0SxM+9JRiYW/0pu7ToMaXgvPVZ6yWIn3WAutKoAqpQL2zRQ7migLHg52CzPXMwFrb1bS3zvkgDRNmVpNJlcQlL/w/+4ohxtDPFArKzZQi1D6aBUIh4/PKbbb9ceM/zt9GxgmKRtBsHE2acXFUSaLf/DoHFk9GDos9rcBMg+tiUfRJZLDgIJcBTQiQe8c23bYnSiatasO0acbrkObLvxKzMIVoY1OQXCuUDNVTBuYBbK/z40ht1OWwioQQr4JI3z1edUy8cMqPWN5BMjXFo8pYH0mRWwLNYy53WU66scTrt6PHbZOArbUpZaJz+xYosUtm/a9gN/s+5fZYLxngEdzrYmbgmNX5J0j0CljZ/9z+AAfD4DDIklkpbQSPhTiHLEWCxoyw4DKZzE2Geb0DeeKYYdqj8BL/b1kmgwt8FsGd1AcnPsKOHeHfjVYuSXC95tVASbOoJRiRNNqFbHrnXiHdGHHZFARlYRsWuD2eFRE8ONBkI7mOQpYZAxt4CIOt6F8KOTq+puKFmWBzemFT0xYU6keaTkRahxWYRCM+xZ+2KTYe8JuaGxURZ9d/HaVpmqfgmFaCegT7ldRv/GAAwpDfdCG4XV/QiUHzhhnqJyjVNpRAZMLGvrxiqKPav2cI9/7bEbdN9QyOm4bDlNHAGSNdnl742cjMbwtrobx8J4S6PLrJlm55taWF7rhaY/FEI4RYnKPNvJ7/0nxIVlNYZ3w7ZTkgVsjZJyuy5g7RVxgJApguepht2TjtpkKG9HcKPf2daW3/y1JWfRR/7NnXjdhxolBSwIzVOf3f5CAySeERfrqQ+ZcwhxqbroVA5y6qAd8w2qSnqPu4eeBClU6gRVGzbhTJodDVgnT5S+nro4yNw0j/J8IazB0zf5eH5kngEnvhFzfy2359LYqBayGLp4bnJWxQ8cQ5Lr3X79k9a327CIilf1aku8NUIz/iEbQQAmvqeDDBOL0viiD5+qjZGs6XJjARz36pqJlm1QLDy/xKDo1QCaC904t0ziPSp+ymPbaNp8RMlz1DMNOusO7Qf8BixTCMecHVYNP0yCd5SnMmE0fIwutJI+2rR+JEyCXHGQLEdzJKdZYT13FDBBJ7heu14+sUGYssHF5PyTtIbgC1L5zwSOXtf0djH88H/eK9OSoHRduv5Cr1eXEdRzOdvQRiIn5u99j3Ssvyp8cbD7ESNtR8HMKw0l26eyVcfIGh6NdbU/xbY+WX4zgV3jAM+wHRdCmkqPIfO/4goKC1uuWlVrUkvkdge/eOXaQsqOvSd4Q+fVcZJhqqSkfFUmGJMn5rLjZSPYnmYg7I6fL7YQMLezzA8ZFRGx8a2q3VzCyPPX4k4oMDkFBYg2RZL5Jx4RL8fpaaz2OpbagXBf7bn0uLtsDw6EZvNOFKuLHaTC79KJISJTG9yXW3LPOEkcviFa5hQFOrm+v3J57YJds1Ou8DOwXHjpsQHwT+xZbktNXsFsKgBLdfM0+2kq4x3EWt5cIeqlQwG+osp0yhg2GXuqnbYmz4MP8+NdZo9VDkbFMDjvJYWyDmAWtCy3z4TrfLDmqIv5P2JkNdd0t/VbYCD0QKNMCHnTYa3oPGlOsigvsoZXh+9PkB6GrdTR+LgjQxpkixI7NoFV8cNZ7e6WOiMC+BiPIucQnMuwoS4Ojw0cAogTqdWvKcvr7v3QN9krNq5uSijvBae8QpTC7T3nl+WJRgydWv2QzCItx5YChIxkpBMZOnoZ8o7/fwaTU59o2ROn3whGtpB+72EXzbfhCaWoQSoAUfFyITpinVhKxBtPZptIZoM2kpwIzeUnC7v5fMM/DRmPTwdZwEpGohC400JLThESfpYDTAb/CtJnF3xfz73f4/U92EKjIUigYiA/s9ZAPoVqnkenwRtvuPKVqvc9COzL0kLfnOBCKXIxO91hkbHa2JXyzRnRBQftE0znsGPODztC5qlldLRZWWMQ0mL3i+kPQoN0DLh0DnYNx+q5OzFrppVrzRcoQuwrqsB0/rkHFXWmFyKA4UAiVk5TL44y0hBP9/iQrcsS6pfBKi5rgfG9ELT1SJkwfX6wGd0bQGeNMyHy8g+hZbleoy9BcOHhqSKPQqq3zliNk1Gmds6tHfMnSuSe3/0CKRG7tjNIJTW6QMGwQaGtOvdVRpRbbB/E+jSYatXE45AdWWyVkdZZbqSohJO4ywNW9RZgc1TmZL9wYp4tRFMI4LvbocwqILoxUjTrrQ8ErQCLZxdKsiYZUL6aNpi+5ptcUMqMF3ryrb2sb1P/tXVd1XO7Ua5gyHk/5rGDgady1Bcyn9NeyOY4sGEiWiqi52gr/UKQtSRvnKWNUe3v9ffR6wo/sZWBhGEPp5GE6NW5svm8m75NAebyqOqMtTS1oNooaN5tAMZwOo3CBuoaow2VYWVxZ2QrZccjhLt1lp696L39Sdh+W3T2K92YPqysBuTogWoJcjKYQX8b86rVdOxUSR6cw3y6oL+UtjWe/zsDVtnaNaiXGbV+VoAcU7uuZQcyjm+rwEx5mPtOcNrKHHeXihlM1P23JCZc8m1PpOfKvo3pXQxWcVqcmFRHJZPCpcIHaiFFYkTDW/B8UHTwQ2YUPFCcV6/T7jYTuOmh4J2vkoozxY7bGQuYTPaFrtThVhp4Rkxc0b6l/kqdlz6Cx1CVRUOWkg1IJZa/y2hUPAIuUTRdBnv6rWmjO6ADk8tYzOauF0qxq14Q20ITKwP/QuuXJMmI1FyMLd86aMl9AqyV8ybFHpFJygYKh2b4HXJUyxooJfsPoiqRkDqXbkGZghJbCRBxZG3yMvcwpwtF/6CrruDPyUstZFPEv+xBXvK/mNtQ5pLNjDPwL0ZLONqc1jD+ADmIqMG1MQ4n2uMjndbb9qNq+lWEj3uLf/zRkH3Haw3SxFBSOL+0oMxyxAxnVdIRAAonACIZo7rJn3s1Zr9oOt8fmz0lXPMdTLmn8yHq36hHx3ASwfOEm/v5vmer5g5oiTxPjYfMrDB9zNi47OHD9thvYrAosh3tRFT/+ty6bTaZCplrt/WEgIwZU/vATLRaZdV9lK7X+OmO5PdI5xPGEpcw3wmW+JenOIjfDyqn+C70WPGxdCqWXdBj1PAdzdYtOa0hJrqUXHTjqilYqS/LzkcWYA/gpS2MqBNVqWCMYQ4BWsw8xlr5dCwV/nZaqKr5nWXUj/ASyHF5x/TykketOCjoNKJIbAG8NJ30kco5zoFJApSeO+HL21MZbS3DsflTTvAkCIw4LDuabyjU/eTXknL0ftVemRgQgFcHND/0g+qMTW5eVXSWoafSFEZq1YvMV5iP6C0bTOCwIbhH3U6rU5yWYB5Gto31i+erkyHUyw7dssU9gIznpcgRtFAh4gSdQMEJJgM9A7jGJXZuAR+GlYhzMBeWHwRKi3gXKrxc2yxs09LPdk/ORWGdS/mlK+Mn8IhsrOtYZGEFlz8nrID8ap2FUykkUjVxU8Yr+KIlZjitu9jEtJ/BzZDREroE7DIv/XL4ncqaYZ9mmNY7AHMo5FM8zsQcLrUChMQzqAsMAnH0Zbql5CZ3pe09sJp0S6Hwwgl23neurPXXt1txZL8TEoBr9YQ2zRK0TXkVYk5SbKKjWgVaIaN5IHuWMRnT3YO0n7+nV/DaO/8e/qfitX0e/lhUI9nUGWqi4QYMP3e7VrkKX+rbBKqsqOerHB9OXrG/emMy8dZjaDpQLIztnOnb26y/RzdQj8oXK4VBkmcLnnP2G58n1agp4S4WShLQwX2Eykh/OcpXkhcqoI/+3guj8OR8gT+Hp6mwwModCSAYrqYsABB56b0ynBCNlJ5YxHj6LP54T7a2NdmQwko2xLmi5MZmO0DzpAu78e2nWdlrR2jCpea7vsXOAT+AKnIErdjc+xiW1Kkf8ekaObBqgThA2jTa0ULNUcgSZmlv1LLypG9Y/NLGSdDPrWc0bH1GrIXbT9VlJIfwLzEwtk6qWAc+LgirBMnbFaS4q0tQlUbP853QwNHgP9pxRunUzczFCvThuJW0NbTJAJIDwtSkhi9nhHpRXLP80QL/mMYxLXYBVuUF5SdZ1nvxkQuMKlIrugawYxBGCa65OOZHm3x7tOFD1eKiK5Vrk6iF+ejkhwcpzNBHrIkV/IUbljHNQGER3OP6KaZL+WgQbtHSFwYXDeDsxQYln6G405mZZ0yok57XeEeSouyS/FUU1qhMZwHMFaXZ9DRY6tmXJL6tMLZyb2rIht2My0uhnpw2PyXksuXL/eh4ukMMLK5FsINiloNSYixD8c+nZ7Vcv7mVv+XdGuqz11RbK0ilhVC5m+mzLbDh6pFLaA+YMT14pC29bEb6b62PRrlNbOdjMb0CfyK9C3o7/WUjwWUl0cGeUGfKUGeCkavywaZDGq39pwDTOHYg8vg29QS4Y0cHh+blLai+c7MniWnivAOzxJX1GvBJ6l1MNUHN2wGhZ1kMWvdPiPHUB9EIc7/SdCeRLP8tuozNO+vhdWpZQc/ScMozlYsblQ23aQHlm/qV0NBE8JCGCG0L2ay5eMPB1lnH4+KwYrvrweNr/ICqG5qwKTJhAMujjN5+sgqDypiKRktXFKWZ0zN8pt7mk/qt6tVAKjSf4vVMoKHX1lGyQa+6KQPAbEjnCDsPvK174d2zQzS0zZXrqrlIl8im4cASgt+P1c5OOFROS/ShIIhv22uwy5q/Mzk7Keb9V48xfhY8PgaF20ST5gERloeU5LJLznfuBg7pk9pJtAjO7e6zDOiY7Bv2z+VFvJhBvJpOPEEPtttdJbnJar0EHBhsT62/KKMSNtldB6xWEW0m94tL42O9QqrYdG9thKjbA0/j9BM5a6p9b2wagBVLMW3uTLjrk7NT128HBPxw+VJBj9Mu46GKcaRBJAX4lOoLBNualBmDdtY7TYZeARhWOQaw1U+2pXYMQsj+RmURBo2nHTo53qxmBRcNEI38802RZgDTzBery8f44vbxO2QTD0ZHxDzVM5oBdrlW6CScqUJ5IeIo4wSPLLW2t2gseVvEiRrxeh8Mw4/1RpavOeNhL2U5vyrxNC89bB9if1tEdfD9+t5A5u/Ck4piIrjiflGeEruZ+zF82FXto/tZdtIlirvPjAuu2CkdOLFj9mzr6duGSzv+MPIjMcpbupmemfgOXEG8HZgWp3kz0cF1AwuOijByIPF21/mEC5IhVn/5y2pHz1+bzlQe878LmqMbdtUSxV/PNw+FoF4hIEyOETdzdcfTAyxlLW62f4TTtPXfPEhPWuDd1fqe+JZF4RCTJQP19+11KSMHuXLtbpvSzxp+0SouB5ZTv/VJAGc7wKLc0lcgm1w6pLk0C9AJl0YSv5H0VgLKgGRxSjuINAK2uTUYMowE/SsUDtGgWBcx1M4hHdG8lkal6nXuviyufSSEsOpdTe3bMfSvQhXwOXtHQbD8RgkC0VZSOKadJEDYkWAB8sfJE96TYoyodzJkMGS2z0EWuaaC+eQrXRGqrPfQX3tIRzZTGhybrDf/N9wZROyRjmgDSbnWzK4N5UYigm7sUFVtspSbDIllH+Uu9ifSS/xn6k/Q1J8VNIDhXRdcRTTgKebYC0FIZ8XwBiULwX1Oikz3Cwg08TdDwBUAa6u/T0DOVl451V6jzT6hra4TTiRvWo0KvaMcG0fBr82DM+TtkkokTC3KuzgkiZ5LaWbr6QJs4ap3kxkR6Tn4eQVAhA8pORTnQshZxF97+HcBEVoffBVo5kNGY1uqBL+f5SVYzEpNVNjeL9OqHczCMrZ+/svjUlN/09F9GghBOqimrEM4eYOLbFHWNGuRskEbS7JSXLTlmi+XMq63UekozlMccW0YLyHGQa4wclJDRIpBfHo57L04fIkgFruw1XzdJfrGtpYXz99riCG24ODgVEAhHPGbI7O2ZErxTSDUvVltahgK77+R4NIjEoTKHNF9qA0YuhJs85KlyJrz92xuROOncgq9XvcePZrGjYW4Rl1nX+HSjd5VsemI//xjee5y/bY8wBjSElm2BDMMgGDFzXbBlQta56HxNwUTstsedVVzJOUzzBjZldBCm74u+I6o13aCfvylC43bSxdEk5GJWByQMxYC8obz+7w6PxnyPtLHyqG7rbWwYLDW29bPRV7m5WlD4gPvFiAt8R0iqSgZAy6Qzt955qD7ThtRpKAFcyM4YRyLpOJSvEZXvPJBQ8FsbRQXvWwAlQ+CfvBY5OoeeQNpFLlTsbQLqR97issMARgVAyJr1NgwwGZ4q/PhO6O70IcBm0rLbXfKjfOVNHO4jPcfX3na/ppOfRx8+omjVVq0edwnIZhS6J7CuEQNELPzTXt29GqNSCPoZ7hf/qAd88+gKrF1ew5b9HvxZ8WNuZNAkwmveWrXIQx8mkT9w0m8EngLHnizVc77xW5MezDzYvk6eOCJG3O1abfY5JLwZ2rZU9YxO28nSi78J8YWDJjo2TzeqNTeX5S0Wb8Ju7rcqzg8JCsGTZy6vTLTKhwluEJuLUPhW/fG235LG5TfEv/GqTWc4ANA5R3U8zAyOOxwxaPlwLnDW4vrVu8O2bB6m/8o00LC55oeJpjj/6Igah1JftS6yZ+9eG2aLGRsQwerYv2WfL+ke0sKTy6uogxlYgfaOc/NJucrZF0Vo+Vk/J4Zh/pXY97h7sq0a5gxxD5Wjd+jq+otqkL9xr/qxSOcKjidKso7DLMQqxzHFPIlikrV4ldbYDaC4a5iI0jUC7Yq8hvTu9kcl+NieeaQM5GfyLyvWgj4EJboeYnxZ86HbUjfDUFisJIhTQJ0NSl4lLgMHCYzlzVFnfW5UqAxg9bb2M/uM62kABQ1XuQFxeUHoITpUHOBiyXHHQ0148tXDE+aL8VOQO4s6rRY5DLEPl9F2Q/QDL3OA+xQycxcQgyk/I37WICniaYwu8H44Z8UqX3qZEQoaS+AnoxjCiKgexbuVOlNI6Av3M2C0wety/bYBBZV7xajxXFy1iINflaYDtFIUmTQRLIgfal2VOypaqrr9Te0+xeO2ook9gPQYF4cCClU7GkL/7OYVMeavEodQaGsfq8+TD6SdgL0lXxdDi4GSszCXVMiePe0tVWhR9F10RKbyoVAeTwjwcrj6mUlR4I1N8D5w1YgUfN1BhSw5alGFhWP5FK8QbUjN5n6jRCm0LfNpx0fVj2dJpvQqoSmr0TiaEaYKcbPEhaZpDd/r+M3bSLxmMqva1+JKs8EBV98jeNW0xsxhnedjs8GXZsU3z71LtGUljcCUPlPjU/YRHdrpqTtWuHmP+KYN1D3YhaRW43Tza4lH5I8jKawBpEFxc+63JZJnIlaSKGHheocwtfWDrgZCQPr/hkAAGLklG7d6yQtseAnQrjgoM9JqBkTC8WS5BBHukbBaylTw3dte3hO+erCTCBPIOXEr/XzDVTm3R1+PmtMvPU2oQi/6uAfRjEsYe5DxXBKC45pI+MXJml7t76FwDa0EyN1dT7G0R0lWrbk+UTnCAFiOwXT84Y04+IcaAq32hxS+aQMorPqCx7MlOTs5d4th/Mzw4aGUVxhRhU3EqWqmnzOajFSTb0YhDE9SQc1Qr9gkk3AZuW6F87vgS9kPDzPLzrNlmnENPp1fk4KMgrvNZw2kKPqrDZ2JXbwfyI+xL7/c+peHg8HWsker37ZCzCVEB1zMvbhEQ36VYC3DwOu+/qGeLynZ1W4U3WXvktK+nt5fKGhIZ0lStSbqKj+6Xie+sxPnbHTIgRzRhlzEivwj2fAPRjxAvKvlvnucmel5KUTQyMIxOspygkxktf1vFKi+JSdISvwSd2sU+YpwHieS5iENs6TKKeagBk+vmW6RYemPbWwQvORdQPnGYhIYt4rwxSVkQA939ZYqyWI3e/5QDw0ZOJVDaIsTdohoeuWAWwwETCquasbubUMiBgZlrZhEEXMDya4yTR6R4roR3MeoseIEWQ60DbT1Q5rvlX1kjFWU3rpBckkfiDQpO7cy4IvLnq/rLycxt922KE+uo47bwOvgOsXNu9gLqULBX6im86tpRWu2zs34fWM+VQvphSAAfJTfboMyIpC3Jn7ExqaaQ176qosEpvHhFfdL03QcHD1FvE0QpH4gzxfayANkXeTVSYjW0yeaUqvwZTcwDvjJRKvkBL7FuNEcLTU1KLJlwE6C4fxeq1LzVvBokzFTMPryhKt4VtGi7AE0Nbus1/LQDqREHfdiAobHEqoJ25FjtQz+1QdlX8u9Q+wivFxYVY72M46vKKv1CMRn7Y1y6OvzeDLHVw3bxH0+vioRD8QCDjQ8lFuyeiFNcH7MsBMXzIn4rnJLsoCmNE2uor/hWoBjY5GscWTTlv1+BiI0TeaFL3xfTulQh5SCK8Dh0FaPMyEaM9HhRZAdZfeZYMqNdkURaPw1xijT2aTGfgNfN0eRuw5DhCzGRDznNm0L+wjiWBx5MielL7bqcM2XmyIL/HX8/p+g1O6Trh1nlX6DWO5O4XnLK4eHN69qKc3WQSX1DTMuWJhN5dfLayhsW+jwQuCNnZsTXAcu7eG+bYgakSe8JpZpo+mVbJ1xhkJdLsZqkrIe8bfzZDt7YVz2caSQDojqCh9SqgV+9X/zsdtuto06q0h1yTUlMs329xQJXNPgSp6IUdHrKxb9UrViXkJm7TukUZUMg9Z4yxMF/uMiCAa+FSECv3JWxNjr0F04AgpyELoTE3o1p1aNRfPo/w4wSqKXmjdPsP69Jr5Hqjt6tUnxbIr3JUDnXCH3WRJAPy029VsSMqLDfYxga8jUsGx3RWGkeFZo31EQPKlbkgfurhFf5fiAruOoKreT6hTmS+u8d68axHMU4R2K6n1EmWulfjLDH76ts+S0hefX3CtuCGsj3JV4SWfPRgDzEexA01gB7zDp8A9XfgrRy7uNF1jSi7efyHOhVusbsDtDzh/gTi1tVCSKSj6XaMeEREe2qsb94/UVzorxY8LitCCOs+pALzjOyjcKuRsYe88XwswZd5/T0JZvQKcInjAkCUOuhEVvAVNwOo6pnR9XUQLtLD/tHlXkWoPp9mfNmeKe1SXWZ8xbXdd0Do98rHT+5qJjKreg6S9JngcRh2Zfq4w6jM2UW/6wCmCPoI4VF4JBb+EKMw8ezLVORbFAUTLug2oa/0EPsHYaHnHIY9lkHLw3G0FGjCWXLN4mOaAPdzijG75xRqBdT+wabo/dcbvIdvliWS40KMVzHEXTr0IBVjlKa0FAApBi7L9SvYn4pOyKPcV4aS+FbtaAxRZwV/VthhyVPXPKGBoP61w7Co7azYGncUvP6wnSuyLUIxM8ZO09gPlEuBRXKiBThK35dglhchOuJlsiPF8t+VTdY+S56TYV0NtWNeNjh2fT56EzZuJKpAK6w+r4CnaBGGKngqCBx4zwPDQScC7+elzKmyvY4kZT/Nkq+ne8UUAZsMq2kKkw5XoCQw3m3sR14DoIfiP6H5/WrI57+cn24J7dIpUhAThnthEXWpwq9GOk0RdYtoJeiYTbkh+cYnR/08lxCQniRw0F35YaNEkg7F4CIh7/SsyI1L+z7TDqt7j9C84QpEa6gXaj7F/zs+0Oktc8OYK4NAt+g//CJVP/55O0M0tEsMYSox+GFRiEDEypeSEtNKG/ddm1eNVByNEY+kwcg85pUoClSYxZOGE4tAl5N89Auu0DmpTQaFkbD8IZzQF0SlDBzEPZTRJIKF7J5tNrPnSnlAtifnHvdbTlCS5e8AtlLKa+LyPbmj7Wh6z7+zU1k0kpej/X4lgidgG6KihiZHctBc43CGb2a4T+Jt2XEjxIBTu457vdVggTDpT5Df0j2dvIjTXcYbK0ZX4wA65gVkJ3vXCh7UBWdv6VLcseUL9Rwh8bcoTXLZVhxqzjTN3UPD8XsP05tIOF9z0uqSAbNW8LfB5US9H7bfP+oL7shxTCUj+DFgjz5pCfGPvIWhqL2ZtYSGpYqFfSLfMbdzUDFJGk6yTEl/7HdA/LF15QlMZIobM8SDqujPlWe1eYRUhJ5SU05s6Iob6BbwaqyO5xsB+jN4JWRFwYwXN8LmNe/ymcX6NtFed7fI+MAGhZbBeJnogU/xjtyDwozWQYvadUw4UKk3xFkX9Z47vRvws7YjAaR+rFZByBENGc0YnYTGa4nCRX8cCk5B+Hh987PyaQ/bdKabElNfCceGJDVXdgimANJ8LmG0vUmUXOvmY95KRb/2+ak4JpzACM1Io6TF28R1VxeaqwhJi5wQ2IkHFQG47k0UKtrzz5hcrScWurm79MbpQdqxwM2f57B3DXJfYLlo+EILz+UlbTNlNNk98hb7aM0HcnUXeV+86l7rOj60yP34oJ55urs3thWBf6XM6FeY4ur2E6Np6r89K5lWbiWqZ+XI0cucIpQlkbhgTtwPil8xe04M/B2ZccnEqZRGKD+09E9QOwMNw5Ye9Z9sd4m5gA0cECga+Mb8gaN75jd5O3frA2prrVloYtSkqgnl4hpC1BGKXIiQ/XUcgKA5SjME8ay1v0rMqrqA5ZmpW9YmSao+00S+4cU19B3Pu3W4jS2xA1WX2l3T85kuV/+lu9+8ZEtGpDngvuu/N2PvcQtyq9NWVtfdhyWpLjSQ0OROPSvTN88nNbyExpXn8yqFb9qDIl+6VdCklgzb+gXp5ifPxHclVO2tLLgC5z8zRZb4F8RfnwkuOwNAloGXl/pGRo9x4AFUS7sn/zMvC4TuC19JyZB9oHWUYOLwrrfzesM7WMQBbLdG8I+BLcDKd/F89hDq1DP04L+PEbyJA52E6NIugH6Hq3+GkHM9NMT2ZSYzypvamRbbFXBEPoQCmSUXPdGm0EnqE8NF6D8KSCTwB1gz9Zm351LVxXNnCxFE4dr1JMtZ8EmVmaH8Rec/j+TY56Ft/2JxDtHOCmHNZyvnk77lamy2cMkoj876O1HJVc49gN9HXi1ww3lyFtlZi2/yQRhpGgYCyMblkmZaaKeyZ5z4wcTzS3bWj7Y3TgzgEDhY6Eb+jKoP6cjnuXo5MLrMJyQpfsxs3NmhystOjK84Sdoc8VPriMAnAiBiVzH3BOFYeSSVKbVjgm5arBk4ndyl42dMmWkXLgg9uBAF0/W4siCnGadcnq2e6ShGSZoGKYq9LePq4q9vwFIaTADmYP7GCinYNMb/dPFjewx2zsNW2hUGq4n/mgvbXGCm3PLfQuE1kHZ1F/zVvDmuVCvgDcrVu4sAGJoQUABYK2AsH0Plxnm2ddMttyeE5UThGWX31p/EzEcbhvZ/6QyPdXvS3EPq1s6MRU6I5If60EkfhG66w46xx4PinOSizgTAb8tWdlGaQyKIiVxuhG2LNZa0VwQxOuAsTTQwbYwfYDQoRKC8ilU6n9YSJKK3WkiaGaJq6FggVb+LduLCZBsA7Uusu+8LR6XUSk9oM5f8gF21kMwICdeNtoAY7eFMcKTBxmusbNg7odDhuG1SfQerU4AJpBrePDyb72gecxoacR5lFSchxWAGYchGqiPOEg9uDlacUKGAGps7wJTVdldzOFuVMgHBIM/J334Ep4gnlLIA4eFRGliY+8XwRVJeRYK4HNGXm5K4ChMNr2WdHKHAduAVc1mau6XG0KBroLMbfHCY9Gwbf2bJyv0gzx+p4NovH9PzW8k92hCkHg6vRWkOlD62a/NSyJVZBcPQwGPfnd4Ud83IalOuwhpfwJ00bOYjXZbeWXRm76TmjWfGIaee5XxZZn2WXtxaMA+/o9PX1MDJa857d/Y9OV6GtQ0rDmLeOG0A9pGGqNaiNIhkWsHR/RKJoP6d6AVJClz/prISTDjactjRN//Badv4UPIk4AoQJQf0lA5kLm0vMtUkRF4euZv2bhavGmufKJ7tOsJb8/SMdBHksQjKYxC0+mTvghh7zjXlid2jUHNHsBCqT9hf7ZnrhH7WhLQ+sjWa5EIDOJVcUhKobW0gyhuN1SRfVsG4L0K4LLJhMX2WArIZeSDNdhGuV6jo8tJyBms1kkHFmKiFPDai9oT2lSd/v8TABKKoEI2N676D4oZgb13NjLquJYrde7NTV2rPgpnLqO8HFGNO8Ay2BTfLIcQzP0iCFYUs4myUuyoYjefjcqUy31EuukZr+TNS76YY6EkxEN2GgYQeaceRTMXt+1pGRTqGLTP6F75Al+bCygrwGpJXII6VHb7aJpkMlle1fvSx4xwKtj3c1+LxrkN0U7eecICYkV7SSTePkqrtSKh5629MiyhXUhn9Xt3GWacciALBr+q9oTuCOLVCeJZ15E/Rnj8HdLOgJ1RuFMgQYyqrcKWcW/LOH2b04MAMtkMeMzM8e3T1btm995y5IB6KLIaNrPeOnHTP5uicJq7ZXxrQ8L8jpkctDS/BeIAjiN8XEYZm3mKTKqK7bw9XcmcdsrBxAF3i7fHmB5z+1sQuoorpWwUvnENRjjgeKfB2/mVKqoCFJm6vDPIcNpJHIftSti19/xhmD0Pv1ubF9a7c+Ub1YUXdjVDcssCRnypCtWM/zc2GXXwha+y3RR+Am3IF0u6G98hE63bSBqkQ0VW2WBGpiN2GN76jx8lu/sadxVFNm98jN50AF8q/tHDLVggNYTvv5jc2yLodiHIRE46ILfOj/L0FkOS62S1xHUSVwDgpnTQUm5plh2igij5QyZK3QBnn81NJIo9LvK7Y8LM3jWgV11F/cbPaerXiPundGzHKFxZWBWCWHcpqaA07V48rG0JK44hhOauE4HqGsUFpdbl0hr1JwylF7dTqu4dK8aVMKnMdY6V9vQiv5sC1drsJE2FTfLxj1lrOHyWXBIjXVpZh9/h6YxatlrNjvCcA6zYBtNADc7XGqSmUrT84UoHXSbSAGBKP2nXwhQxnEyhhSp7qFDXtUt9MA/c8qgE+NpkmFz1bQKByk1pJ4oAHwn4Fl+lcvUymIogJ9m6EZ9eRJTPWYfIMkv0ReXBWzRGHJrDPPGb1H6t6IpU+AY7K7O22ydl6iOD15DWPEpo1OEVI7qDXq7ynUIesxL3/wS1r2SaU2/nPoonG0PPWK2LdLTSClrfz0FEONfqDg61wXaOAUf0UMaPgiGpdjECAEGAZOkdGKsjI56zFhFgsOw3unXG42xX9ipbHbdaiTZquRU6cecBgQ1IxKwb2Ju7jMpGgVKy8Hb43y8/jv48m86nqHr9W7ljg4KinVTjZYef6RvLKCkPuhSOVXyAog84W/+nhF4Gftlg3jqDedGSVxu2R1FYlwSCMJRQ026xoyGsALnOwWACabE7Qvs4/i8huhoWd3q7ZN82eWogTotQ2/2Gydo39E6LuSed6TvGJI5VwQRHIip0JLeQTjb4JxVH+0E7s1P+A05FEqrsEHAzcuOUdN6byu2+E8soz12rlSdJyC9p1x41hmNCLwH2R4uMCHchczvuth7u8e3kcScZFbGpVSoLMbaOICokt8KFC2BX0t8zJUiHgJ5L4uOwqNj7yacS8WmQtu5UU+I6z5LfsISeU2BCZyeDrFg4TKs2TUJGNGEiKuMePLHfIWo4sQ5KPO0LCrHSAvs5xRqb7EuJY/ly7HamSAFHG/l3i9KLHV8IFo3BkW80pbSf2cKIia0uTv91ea8VtS2TDxgyZswf6kao78JWN94g8+ifu59b097dHP8DPGXWsLZiip/yu+Ok9nHmPz0KwJcD4dIXig036+xp0AadKuQzvNfAEUa98uy7GMbOhGFfqpG1h+Mb2EH1sZw9RFJzt8cWy35MjRtGzCSgemofDrpaZSZB6dT8b8fVCfuwOOup7XFvyXCkfYiBp0/4dUQqgKRvXgTAr0FKmBE51xuNcRiBYfOE1L21kvnRxmelS/rESjedAJIc0qSexgVMKHx4T8TKdPPlaPWzYpgpGnkRaDXN7BxXTr0yHguqdxKs3ZdPWltZiqZYUAHeCoZ6kRjJKhBNMcjrdDqOL6RVs1gSnoezlVnaMFlXOHiOxWZswBWaPJM/CUmClxidghFT5W014H8PsirgrZ9lldgEKMF59qHmWzEdutcTd/SASLUFETqZdHcUaoL6vLrsO4UVwJY7eAcIEKcvpuLVWF+UmBBlyRR0aW7IHOJIJ44R1Afmn6OFKhlNyyu6FiaM3iAlD/YY12W5zz1KKCswvX8qM9oSg4sddOlxU+ISPZf0fRoB9Gt9qiB9BIGBeAzy83swmL+r9LdUAUa1Q2eTuw9zd4FRRX9J8wq64M1xtacbFsQOWuwhW9NJCm5lwYzGAJl9HKRtAkt72Ti/GvexRO3YLo66fxyBJoW7dXSmQlHtkLk+pM7VM2F+EtQTG+rSPy3b5npmwDJAOOCoV9MtBuEI89rkcMnw8nVKcn/d1RrEplTfjHMwNpyTp9D5dhRFaYoRqbswLtcdB0cOC2UJnkV3MavqybjvCNDUrEFs01ITG6f7palk4RCwSUfxd66OWuOz8xldljQQJUykVNaLAmoYbiTyXDo5pCQDfYVv47L0I2hybjIup/jf1SdfopTmvjq0MzUQyBgsu0fg1eYCn7d21UCN9anI0CK/RZZ5YQpxiVHWAL30R/AGVKJO0MoucVAM9TlSZIlR/sG2z4YhaGK/B2E1dEf+9MUpRv4RK5Lj7X1uD58tbVhrLwJ1vjb/0mNAUR3HanTg7D0VX3C/NZY7uuyLwL7ROcP9R4AWXKxrrP8JXbTB/TSPTu/5jL1enuQ922hLX3w7EmlllrV4ptqY9adUl5q1mu6NhMR19o7m4eVEwxikvilaJu90d5b0PFA0mWmDfhgg8lUDndKK5BsLkH+zOAMuJotYRNTzAIF+rqoRKeh18ndIAAQJhhhZPbq5SIf+PxDHqWgSl/IbCRdo80a8W1723ixpKezZZK/BzuPT6aA1gPg+xawa7z8QCGJcUDyQDnxs7GB6EZLT9ANXR2p43vBMaS9lCfruG9xmIPHpZfAUBr8MrZUEnKstJNKxqBa6c2N3geKswkZDtwQ0AedoQoA6Y9VPzMc90esEy1bPQ/4xMzUsSVDhg5rUlczLbmivPvpq/i+rLkXFOyBrP3B+KyAVGuIviTo0i2vAQYRA82IZt759s/1xdblJlrsKRDDn0DIEMCyi98jS6hf37hvaCvKGyKH3ix6eIYUNNi2fOumWscWqZNS/8H/KqJJyNoXuMcTa+GN5G/KOs/ZMfktscNnzIa+2l0IlwOjhqgn3UuAT3muRpX4tI/SZCUkNnPdjfspHr1dVNK9NYenMfc3f6/P0JCKXK006B6pP1m/2JKnAi4Oc5XZHZCCMMzl1ODFYWmG46AMmjR//21CYY0f57tCD4IAK0AOwEqVQcHzLRsMjMcv/Rb54E/s+4aJx2QR0lP0ZecBdYinFRBCR1ZbMLFPZ5hcDUwZcOWMCVQjzeboGoN8PFHI0Kc/3tcoxuQ9k8zEsHpPL0TRs05uWimDI+PJ2nIFR+9/u69Bq4bAG4XBfl0xdAHe1dafee1+ZaxhoFDYuWnBpaR64DyCpuAHs0Q6GrUYL1Uf5hpIKS0UrQM4FXAMXGS+Y7HSoaLRpRUGxtL2EvnsNrHUZqvX4T09uZpmjytN1Zm6dol5RfZLC3x9yyqIvdhTy5PxPWJ6rX8tpXQjmOj7Rwk9qvBrDXlZR1QLd1PAoj1rhCUTIKze26kgAFzB2qptWe8ouuOaxLaaZuPLrBoF3ggiO4xE66yVxTWJjL+9gYM/uIoPhlpUOzlq3pMnJN11LcRd4x6hiHP2WCpZnsRtwsbxrSMjcLmPztDcXk+pbF5kU6i/8NqGHvUkkGhzekK92cxRMPgqE/WgArlL6V6jUWOQEOgIxyeKCkzPCkzWTJy8ovdgO1tUZD23VQF9mamyhypiMgP24rNYUFUMMjZYQ241gGtO5C2MKjmwStVfbqnZl3Q5sqrKPKuA9L8sTLk4jc6cFhLaSX+knj5JKpKWUfpQLcHw8MpkQqSlL22fGWXIYHaWw0zwIzmz29G62dIQDEgmuQKEk1IID6hB2fmAkCJcmEpUbKiKgwh6FY+xZF8l47gjAYAkPMxiZkCy6rh2HvDEH+Ss8SpDVdCPx3Wx81dAfiB84Qkkb1MNa9JBWwlDKAI4+Rxc9ELhnKFYohjQZKqDjaksV5GVzvIFwg2oF3d7Rb6tu65sJq+dpFE0B1FWFqC55ACYuNiV6a0OtGrlxlXsE/l/juj3BjN9C0gUG6fFXc0zvIBc6q09PF8SWQ94+MhTixrL2acE/F/sR5noxZNWlwBVjPXUkZZP4A1H9V/Ki02wngf7GHnD6SXHwKcxodEFEW4WO89nMuqtpU0l3LAMechcmyhEqeeKfqTZOqA7ac4fo8TZlMLqw2kCKqBa1tt9bl8d/ZBPPzlOE7GInUiD+ndQlPQCa+pqubgKr13k7kUOOu2X3SebputYQ/XkttSviIPa90p90/eu5VExZX03G98VGGjpXp6DdOnmKUn8A2FeIW18LPF0q7lGgxlK+DffOJy8cDC8jLYYxK2cIhJFgzFwTZW6MfTPpLpmxUtULEHi6FAZEAQlOCrnggNLjY514vMgxx9zZATysczl1zGyEEXwlNQx/SVEUSAP52Xomr2Za772gwXt4Oa50BKBi14/LH4riyB08jq+tmQU/FoymR3J8yJbdSMUfOP48062b784lsE8uJ6Ba0CTtucZdl+0Fpe8DGAGYgk1zmNWmjAmh0l5/Kfvk6JyRxecbaEd0nhKVmAihkCwyr8ZlIIRqrZuVa5iTzZxa0CbjVGIv61q5S/n/43gtsvRti/Zo3+764LQ7D8OqbeDsg3qAlnl5mG6OPIt21/LvtSaBx1vO+B8r0IbbCLzKK8eo/Qa5tinmwjbdf7zsRvV4fob8xqtz3zv83WWRdpB8n5BE5VWeK0/aLJw1IIxoEZ4AN49lzdQ321i+/w+Q+OahiGhdIxQ8ZSiJ3DmfdAzUCLbyiO0UbOyXQQCHHpsmh/38zL9DG4gpYv9mW9Dhg9EB2CYLNEk1q83QW9FjwhjOqfsTIFPqUOd+K2gTlXy/I5FP6/G2hjSISImbhUi32bxOiOrdIXRMaRYeWXMeYc4YNKdbI51KvonG9Ix9tZ/5mg9Zsc/sw/NO8RLAwQVxZaxZGQcqTjkg2boyVi8MUTCePrVH1IXCGg5FXUDu50uesKFmLGzeUm29XwNH1KR+tpCOtxKtEd3qZDTlHIkcKGrlq4oO8BYIVo15t+9xcXbyE+tLMxaraX7aqWaA2yYMcUml2V9zZi0bA0CEtREfntbu4Jh4NeYMBnRGCBRFNmNkhMEem5hQ78nXeR16vPUvKCnJeeQUvG8yqWNAfwzR9xoPZ5QsLChNpCV3f030XJvIAhZthP4yRLH0bCSYCnb/L5VZUhERKu7s0yAKO4c5pl/yNDbpVvKKQhga25Pekor94yPS45NgJtPK4UP/xR/VZfRoNs2xzaCzSq5EEtGs3eshT6NuueO4pTpuQouQLpD9d7NORnWa4sqG9OfcjXpF1QanWPP68HwSYBfeGU2QgpuBMvedbLtTLRk4RbddaMedm7kqAAj/Ei5l9TWwXNDGa76Ld1DoFcbFkKE+mF6hVwFESbXExIs5Ch6+ktpHl+YTlWPPwHixxVo/rlC70YF2YS6bfzjjuy4cWrUUSjKXaCDz2VWFt7RsigCRwNWB22jpHWJynKPJr5vpoBg7YGE5exJ1UwIvxUt7b7vLGvZNBYIBJjswK2PnpCtQv8pgEanQW3eqTfaq26vKCobipGci++CH7AUKZpZJaWThn2ZoxMqa94OOkNKsjjw7l240zrSOU7zlrDd2TyULs7lok1oYk3VBtYmj4qeca06v8OoKxe0ppOAVKtyz6X6fsbhQzmqCx/JRukZWnCY2peJlCQ+VTdxi0G/K3ne63rBKn7rYlN2sYgiNtWZasGy20GDajLDuwjnWQI+UW0JLmIMAtD83sFkUjj2B4ZcuAovowYbRxoIJyOh1WmAb6jkFU6QWWyPenZZbl01TpqZCPXcgVbHl2/psTGHELnpqxxFoEzReX/HZj2FhjUV+/DH9Qyi1d10f9zsv/dIOZhKp2tjdGHDqSXz9gzaiZrZF7C2cwlbaX4L+vlD50r2mFZINVAeZ79UqzZSO0oU5JPseFSY6nOojULmXiiVIi8bByeauxPheErbI6xWbQ3lOaR2SWGpsIXdj/cuNEXT15UCiostYonaWL2xUxQY9jErevmeRptpY53djan50IeLA/tqguREO7GPw8xyTas9vOxZq1/g/X0QLcqLBaxD2iaFnSEIPZyb5c8omZO5lmWYOwWHS4nsCAIrSyVQtd7j/P8/nEB3P9DfpL1X+3Spn4XnJgmz7De+jQqa2LiJCU3g44SlUiS1sNpCcLaOKS0FfN3TNH037o6hZn6zySDU6mxRX0XAKKM2F5AocMQMtHz41Ydqd2cn35zDLpwUh6TyTkRhxrwT7Iqto0cUOZ6aGEsWzqGxZzPwVHEmEOXatxQYrWh+R/6gymzl9DiPXN5Z1wlFrot7kwwskmA4vtPBpFCjEMTKitk3r+1TgL/S0QzeF8eBSTSvwIPEgAcxJkGrJb0zK2cdg+bUDNEo1OuWSkbaLA52Cyw7coYTIed+LCeTmFYFwqpasBGcHbZ0hruDrSRYXeM125Vb9LIcGD6s2dNP6o+wfkYrdcW3esRJnAFpO+2IVu+dwjuylASJl3XTBEUMZPVXqXv5BgQHyANJK7u2cL5cv6cndoYuMRBhS0kBNpfVoQOYpKWyQqUKiXD9wCoonRiDEbzOeFFIlOjYeXWR4F2JhDkwZf1pZ5uHiXSXXqlZ8id1Vhd/lcexPowB34kjwD0jX7ASYGwaZym89LCokINzBQfbmTBGR04XZyHJ8WM/EFWpbG/Yn59gVZn/NqH+u0r7KbduwzLmfIZJv867ywZg3BQKhns8oyf0hpkvcldTerqreVszV38ZPBLo07OL0nX9SrzrdedARGQ7al2BEdaiwF/yZH0NfY1IFFpLN/ECi/elxJZA6rhAbCF8VtbX//NsqqULTMQ6zni2Jzpc0FkX8YZ/QvjQjAFnGl/fUMukJfv4gpbFn/uTwVj0v6hdHQmX8iJIkOKiQntjGLt23Bjznp2lID0fE+YrYtv0jHMHHNn6ZB5U7Agmzq3s9HKi3rvMCjQSEkOIdkA0axRs2WbL9QkbopD7xOE8eAbwymFvRPoXtSuLgrSKBmtbYe1hjHnSqxE0BO9ZscJHMQq0LpSLAjNsIs+1WNCER9WKcsr0s4kJ9HFVU8zlf09WNonIlEz1JUiaa/opZtlglVYxr1qllloYHd3kiD/XlEi2soxe/cKZjVwezqtKONyf8Axjmp9Ol+2p+3bmmYfak0bP+CJ40FoHpOGRl9MnB1Ocz/4BTRfV6YOYriezWeDJHZ/kuB7JncjDUrTbwlZwHW54nTCDAIc8a+v5QpN4l0wYDZ2wo4JGzy9eUUp8uIek/wrSRuODGb7qcxuDYBLhuYb7UtXJOytkUU2LUsQ8AO/+9+Bsd6wZP869ehcHdmovgVG2aanCtPu1XVh50AE7ILtp6TMNqy/AEvUGRG7TvH/q+m6cgwxzDlGVgWIBbppBuhQm0T+DjIS3l1Q1zwj8tTqpMWc25eLDrPeMDEkxBnp1fY9/YCdF34RrzauZV4L+oi0St6k2MnunTck9IlENsGYKpqAV4fMrq6+QMvfQlV4zH8OJzfxwWR4ZKQl12nh/5yq3nc1l3sXRmj5k87pBWFEHzUrqD8NWEkvD+xXNneNfptCKyVnfz9GWjd3tumV+2nwNJw1eX2cOd43MnlYNWGFpm8okwn+awr2UZ4TnAoNEU2DFqjAEq8GILXf1Thvk4HKaJK70RzCOMAStIITxPXR6eWJfHFoDO9h4ETsktrMstlynNb14JWQeSADreRJ4t09a6qeOnr7jsf9Zw0lE6GwoN86DZGAUlqDHCXHDYQ6rnPrwC0P5lctPLK3c+fYCjiL2QwRt1fDQeKYrE3Rtsra2DT1gmxaeVFdkeVZx33d4DtF47C11Jsnn52H0QI3389LG/zCWZTpF//0+/hBMsIVDmgNptzpwpr1TtDI97ksBlX2j8yrVDVmDapzRWpB7A9Jzl+7RqXD4Z5jXB5iguPAmm8/bV1jHYYn2VvDdtj2+xl/tXPtmeXVs4OpHa5FvHFZxrP6qdPMxzedZcTCMV3GxUS7Uedbp/gvyZ0I9Jyx4rO8mu6eUj78r3gmq+42BmYtgCJUknB9uPa3v0gPMhmRRt/M+vgBrek1KwkepmwOi2tmsuKlvfKiCLJuQIzuv0hypKbLE8fFyo1mmdaGuYlPvFxKaJD7rpTBqsl85uO5aoWUFcc4S1rIb3U+FkhxO49VQBdLchXXdMEzLCE1Rz+EdFB86ip8BqaiLobLXVd6IlWXRDVA3Y2Hm9599KbG9lKA1Y7OR8BoyDmqMzvVgdPUYGEXWl7plfzZrmJUg==,iv:IlTdvKE3ZqduEkKhqOql0gPpWuXsqopG70r+Ve8zUnA=,tag:jv0N4ScMaCmXVnfdL1AWcg==,type:str]",
 						"deletion_time": "",
-						"destroyed": "ENC[AES256_GCM,data:omvu6W8=,iv:P4LukpiduUakgg2R2nZWZcNBgF/F25bD+V02CP8wexg=,tag:plep23kjTn9oX956BX/QCw==,type:bool]",
-						"id": "ENC[AES256_GCM,data:+oCTsQ4nNjR4f+Cx7srvqjBV4gg=,iv:5KW5BeZDPGJKpm03MTnxQqVr4xIQWMOFW6H6Zm08vXY=,tag:pxKMkN9jw/Ds81d2WqQsNw==,type:str]",
-						"mount": "ENC[AES256_GCM,data:AZ0nJKVC,iv:1sGPZ/N8Y6guWcJDhqXC+TA2ArzrrgxYpih+Cfcifzg=,tag:8i6lpF/9ichUj+w1qIdBUQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:XyGduOXx9QU=,iv:QKr7E+BkrG4ZZmmvmIVOAbBJk9bF6jjw9tAvgGqNkco=,tag:BdMGMp3WOVR/sIGxcDFxwg==,type:str]",
+						"destroyed": "ENC[AES256_GCM,data:Gbpt5pE=,iv:URIDrZPjP2qwRa5BW6wWhNbin1HsTGdDJfVLpcoeE6s=,tag:qTr7jqk4C07KkJHgL8Gv6A==,type:bool]",
+						"id": "ENC[AES256_GCM,data:tHBFSDJc9X3NShzTcqo3MGHeKiY=,iv:2QNI75LI+12GUYetbhX5EtUHQ5sUboflJNSEy3m5M7E=,tag:9/OnQV0h7EB5O8R1/JPQGQ==,type:str]",
+						"mount": "ENC[AES256_GCM,data:AgSII0L6,iv:W4gU6mMOpihccqwywQYHaIFJVjfoJxE5OYGp9lZmXBM=,tag:YSTQ9WsH5UoKO7VvGqEm2Q==,type:str]",
+						"name": "ENC[AES256_GCM,data:kuibi+47X/w=,iv:ob6ZuJ624pnY4U91LbvT71l4fmG+2uCNJNnxxOd3CDY=,tag:eg5HsXTNUGc67fhbUVEw0Q==,type:str]",
 						"namespace": null,
-						"path": "ENC[AES256_GCM,data:+O8rgkUUlXEDIFGOHxD27E6O82c=,iv:1ff1bWa+gpsXz1YR+4mzk1eChjCdJ754z2arETPU82s=,tag:Enc5qTgm4MZn4m2ziuluqw==,type:str]",
-						"version": "ENC[AES256_GCM,data:X/Y=,iv:T2kjL5oWuv6wNeaKUEXkshnvaMpvYWs5Lk8UMw7ENa8=,tag:w2dtKgJSL4V7HyIi0f3mbw==,type:float]"
+						"path": "ENC[AES256_GCM,data:WoRQWDMYBI3SqlhnwW5xcse6LIQ=,iv:pZTvRMTRhhDsWy7D3UpdxiLBUCdhGvMkd/qPUVe1IYY=,tag:5P32354bBgOn03IPty//Ew==,type:str]",
+						"version": "ENC[AES256_GCM,data:xQA=,iv:0cDQ8IlyRyAkyuVeHPIvOH2zbQCnIBjIJDKsiksAywo=,tag:znmqxFBLEi+cMTMNkO4Jxg==,type:float]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:MYS+OqhqLFA=,iv:fs5z6leP7PTK8pNN8Z/UezPSylSMWvnbOdo5jX4sqTQ=,tag:OV4BOPKpOHqXhn4YEfcEWA==,type:str]",
-								"value": "ENC[AES256_GCM,data:V4ActQ==,iv:n84+rwonjlfc7yDXaTp6gkBcMyYIaqA7CUdn5DnnacE=,tag:PGkzXpORzuGteXM+ElVFkQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:s4Z/kq7ip9k=,iv:30y2IKHzIIIrRU4JNQKAaLQG9hvfKFu0Y1OSPYnTBDk=,tag:cEAd/98zFl/TfPD5Vsf4IQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:7a/OmQ==,iv:9RD/tuhNhhZXn2B7Th4NhmSnRX0yaD0yRNIFzmuuXj0=,tag:VDwk0dlmCAUwNvB3TDUHDQ==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:3p9XFzC45Lc=,iv:taa0hhm9kbNHXaNREYFwglc5s468b38Lpx5Zr/vY6n8=,tag:YiP4V+6VzRiDnxBNy2b42A==,type:str]",
-								"value": "ENC[AES256_GCM,data:FQXsjxjex8JZ,iv:Xp06XXM9SpVDMJiVxIUl/Kvzo8rRIYEyy7I0wn44qC4=,tag:B+vI+NoQkpcYqCioNAyrog==,type:str]"
+								"type": "ENC[AES256_GCM,data:9i8BNRABtsI=,iv:7WS/kuKSLJ7pqXP/zHEGxesZxhDIfyCuw8kEYSiz8BI=,tag:Fh31sXPWtvfZyWZfdw8Kkg==,type:str]",
+								"value": "ENC[AES256_GCM,data:kNLtlVztsdPc,iv:mVq1WCI9h2NHD5pMIuHCyHSrX/fwPHHRteObrFQNypw=,tag:sDKRzzmok9wT4QBNP1x5Ug==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:fg==,iv:EygLWOsYVx01Ylb2ys/0APkqUZHl7n57ARAbD5Jci9U=,tag:uZ/jLRoayjaOGGFG9WkdhA==,type:float]"
+					"identity_schema_version": "ENC[AES256_GCM,data:Tg==,iv:MOouUmmGPFcNHI7xosEyoaWc1AP7sRSjJyAPWRQq1Rc=,tag:0wlMHmS67tpsd9921cepbQ==,type:float]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:CYMPXQ==,iv:omXw9WuvO3wtLWhzyLNUZI95hVyVnKRNUZTvORR8dTk=,tag:4yMQ3jlJH2wTaVlPexkhqw==,type:str]",
-			"type": "ENC[AES256_GCM,data:GzTFIF2DoweNkCxpNErOokOL,iv:dOsfYM7TQvf0xWxXl04/csyiUPsl/5VgS9o0gEXHrC0=,tag:tr03syJsvxY2jpN8kYCrQA==,type:str]",
-			"name": "ENC[AES256_GCM,data:VKqvXpzbeb0=,iv:IZ1wBli+h6JBMSctHfGdrnuCDMDQynoytYpZbJhs1g8=,tag:aMAKSA3xizu25q33V+OJ6g==,type:str]",
-			"provider": "ENC[AES256_GCM,data:xGMfI6xJcj1SgkdpQeXvQNOQubKf6kZORI7shwOsm3o/gf9Uz+y0xOdLU2GsxBnEXg==,iv:7IetbUDDC4ux0bS4NYgINgIUbDoNbLxtpmKJmiVujzc=,tag:cPHKXiy7GIDHM1Ye6QWO5w==,type:str]",
+			"mode": "ENC[AES256_GCM,data:tck0tA==,iv:ayXOA1Ft04TpAaUGcyk8HcJcxViqYEIOJNM2+/p+Ea8=,tag:PaJvlq2Ef28PaHZh4+hBQA==,type:str]",
+			"type": "ENC[AES256_GCM,data:V8+sWrZrqIH2TALlPSyfP2cn,iv:XGi7o9KTsjsXnT8r9xPcsSwd/V4GmhAFFh6syxQLTuc=,tag:XWvOt76EH7dpti6wPgXtcw==,type:str]",
+			"name": "ENC[AES256_GCM,data://90nEZuLbQ=,iv:8wS3wbTi5kgms7WQ8I3+TmoWsKJRT8SQrQ6jRTmijvY=,tag:uHQsfUYOpm9rkzHe0GOGBw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:mPRKg0MAe/8AaVUTkFGH2lkWIttHzaH6dFgIs4R1hWHaeyX9aKE/kdOurLvpNUmbpg==,iv:IfyABc1WJXHMmwe+Tq3Oxnz6SRJLp5fT+nh2N1uYoV0=,tag:05BVr9Jdf+gJ/WjiDBfgVQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:tw==,iv:JGyE/SP5UYc140FaXt7EGHQ4nYuGRPW5cM88etnbYWw=,tag:2SR8GesMeLY2WsTDCwKXYg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:IA==,iv:dYuPtmg0J3QwACbNKP0qg06CvnF0dZj9AsUvVXHWu98=,tag:wKSvjVFZ37Xejmp9n273jQ==,type:float]",
 					"attributes": {
-						"created_time": "ENC[AES256_GCM,data:eztxLoYd0weUHpYTUCK8Kye3Kq/n3NFYoPUQ8vTT,iv:QUbRhpWVy8O2uzez5iglKZhEwBnreCUPDiEBDrVQ9A0=,tag:2AUnjvfHMEuWQ2AEkedEug==,type:str]",
+						"created_time": "ENC[AES256_GCM,data:puM7CMs2x96ludQ46GTzFPNBjf02PO0ldnp04X/F,iv:5PPzvDtdPI2EdMz8Ht28NC7fVwzd8EdE5Z0kp7tAbcw=,tag:305KmlivuLUUVAabUNbu1Q==,type:str]",
 						"custom_metadata": null,
 						"data": {
-							"alertmanager_account_password": "ENC[AES256_GCM,data:ku/Cv01etf8uYrWfA5Nk32ehlwE=,iv:U9SanGmpWm1Pd0polrZDVv402Yv51+r5N7Z3Gb5A2aY=,tag:kcvaO1TaC0h96mFE9BFf9A==,type:str]",
-							"alertmanager_slack_api_url": "ENC[AES256_GCM,data:s8fjVFKIvoLGuqipWsPPp574v3GJPQ+mOUDNNXQubIiaFbtrbb0HwSUn9SFBhr4qyVynoroa9T38RCHXIeYwdg3moj59KfED2/2pMl7FESs1,iv:jUoN9t7pppTjtLKkxbwva0YtYr1HcVi2lS2Esa6ZgMU=,tag:ynO29mxOD9SL0gsSjQRcSQ==,type:str]",
-							"auth_fallback_htpasswd": "ENC[AES256_GCM,data:dFcMzJqXP+a3VZfWthZku+zklrPeLl5EWMDXDuktWCLQNqlF9HAxHPAvidEO84+JG3qRZv10Y5kOBkFd2Ga+3pmz,iv:POAOlXUA/hbHuajL4wICI1Lvti2xww1uuftHe2ikqN8=,tag:gFGKczI3WSM/vzJpd3naXA==,type:str]",
-							"authentik_postgres_password": "ENC[AES256_GCM,data:KEJKYheXvHHEdjIzpRmO2Q==,iv:bU0GGsNpB8QpYSMVi4ru81AW8iUNC2QoVdrILN/W5A4=,tag:5PD3refWyCokBCi80kq8gg==,type:str]",
-							"authentik_secret_key": "ENC[AES256_GCM,data:uQkGw6xQ+v47YmftPShwySxBPmIbmtRIzbg7vAvet+MM2oJRCs+RINfR6YSrDLU/WZlz,iv:+87tuBOujpOxa+kzWHFYtsdWQEonoNQoQyVeCX6gCRM=,tag:aA+TrpP+84yRXyny7GzQkw==,type:str]",
-							"cloudflare_api_key": "ENC[AES256_GCM,data:BAJWm5vM7mc2gn0VmvLJLYiA6atkMszPHUxQiNu7oSM4owruGw==,iv:TcMoMe+Z6uNLSeBzUaZayBF7tCJguQCbBNTUGJNb5ss=,tag:bCi+QVw+alXo8LofnRlzXQ==,type:str]",
-							"cloudflare_tunnel_token": "ENC[AES256_GCM,data:FBfGqTjOxskIS2PaPphga4ZEpSQeqqRpUfIDMsNkycoVPTD608U43D+althbo+Z7Crkx++vjxYaMLTy1lazuejsGjQd2IJDI7cnmgtv4LTeY34mtrvmm5aCcFR5wE4XX/3TFgP3j3/Ts6gtZeyt9fD54z35ptuwcz1sTgM0i4j56to2Xd9TGhpg8jc32gXtyZ+g536GkJbHqxpxo3VdvQk7lQB4vjZSkTeV2zO43RhRsl+UcmH33Wg==,iv:ED+r5YneXpMUlYTkDqJfI2UO1BOj/L8LOlV7l8u5RE0=,tag:Z6IGYtakdZZ4BCW2rCeyVQ==,type:str]",
-							"crowdsec_dash_api_key": "ENC[AES256_GCM,data:hP8tftTxlXDA6nKnj0SvZ12H2cklkilOijU8BaQgWZ1lE+Uwu6XrrBiWIQ==,iv:DZmyfmL6qumHdcdpc9VDFnwqXcy83U4vzEpWh/V1f40=,tag:rAtNiG+ToVkgLO+AA3EcbA==,type:str]",
-							"crowdsec_dash_machine_id": "ENC[AES256_GCM,data:dSvehZd8BLlyny9ZOMzIhPkUJEK/DNVJdj8lcwg=,iv:MtGtDTT6EDU5Iq9m85gGrZqMrVmIH5Lyh+wq7Iibdoo=,tag:P60W7CmIUnk54Bq9+36J+g==,type:str]",
-							"crowdsec_dash_machine_password": "ENC[AES256_GCM,data:ctr/JbrQduZ9zrGCYkEV4fLc00zWKUeQ2i4MYf+nQzLZQHvf9UMrc3J2bV5pUcLFGgfu4y5pRW/PSYepMD0fwg==,iv:d0B3CRWW51INGDC+2EhuwVWB1DegLiEoOYiA2l0cw5E=,tag:npnAkyO0GzhprFvYei73gg==,type:str]",
-							"crowdsec_db_password": "ENC[AES256_GCM,data:SXAJ4jvp7/kXb1e7uWQ=,iv:kzdI82F8jeADZB996zW4tm9R5gngJ3/ApVXb9bjofEo=,tag:S13UPkElAOuihp0Vhj8j1g==,type:str]",
-							"crowdsec_enroll_key": "ENC[AES256_GCM,data:1t1DR3Fhf11FAt5P0hlt+Ix1sW42Z9UyAg==,iv:YhCW+K2E5zI/4Md1t1xKiq/OVe/zESxIUWaSZ52UBn4=,tag:cyRU7GCe1bw3pENZ9NuH0w==,type:str]",
-							"dbaas_pgadmin_password": "ENC[AES256_GCM,data:W3j9SMK5A1HsH26v8hUCStB5+T/VJ4ENrAQ7rHXr5Ek=,iv:sDMFZUnlFSwiIKqojUUsfjWfQm66IZY7pFlwbEc+Guw=,tag:BKHc0hRarnCJMoxd55PVPQ==,type:str]",
-							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:rmqL1t5sMqb9enmpzhsAzWktQA69c5dTTSU=,iv:M3aWSDB19ovr+UqMfgznKhvOyXwF7VjxfCsRchPzZaY=,tag:kS18gfscA+vNzQDDgXcf5w==,type:str]",
-							"dbaas_root_password": "ENC[AES256_GCM,data:HhZv1XPQpJsytg8YJXkVO+de+nXxwZGB0YoSCw==,iv:bDMuTPWxDc4J6Gq6fysEkAVZcCNtDJg/gsCDeFNAUUc=,tag:hMvSNZEI4kq6EEuP6r06pw==,type:str]",
-							"grafana_admin_password": "ENC[AES256_GCM,data:tHo8yLXDc5gT7+CSWQ3CW+nmjCw=,iv:RpW4XRlZklbNg/3ko6JNjXAQWDlrWfeUinUtKzoRg3c=,tag:j8i9jzcXRwtCgiv7N41COw==,type:str]",
-							"grafana_db_password": "ENC[AES256_GCM,data:xx3PvVotaor7q5e4Ju9k4F/5PJa7,iv:pTtkzyJEaSqK+QVvMc4lpi2WSDKBe7H8Qbr5s4hGZbU=,tag:pKS8rmrNbkM9p7rleMA9sA==,type:str]",
-							"haos_api_token": "ENC[AES256_GCM,data:RdNpHieiNO3MUuaT4ciqOjd6p+bonUP0G+ZLHUFooKEtNrz/UuC9NC1mK/y9aSQanD4atMw3kwOU+Cf1tVUTRu/GJb6sSJ+Xd0V3h7ZzUGZrhf79q3zvPRWcllzOM0oQi9TaNbklZD0fOPwZw3qJFGWAs2HZzcr+VYFZbofRtQDKIImO4uewLx52rlycms1QMqtti+hvHkkW8Iab9KTnRA0WALqica8BDuKqocOcsyVTb/lRDlT6,iv:8WEvXw89cOEWMalFfhxMpFdHc81j2NKL39qjFiXTFIs=,tag:ce507tAPK3QRzHExGNArtA==,type:str]",
-							"headscale_acl": "ENC[AES256_GCM,data:Uqn7m7Et87XeTdJeV/hzQ79sZ1G0JSZMzNam4GLGLVHs2nrATMlZkvdPo+2J9wi0TCaC/7FmuUaaQYbJZcJVJg3VTTvfzzuU1zOuWjke1iNTXjQUX5S7xB1hNMFRfNJy1O2Gj76KfFHS0fVEYzc70DXR7q8NTN/PlzOZFXDCeYsnBIWXbnem5sDIUeoprx8M0T1yuoxqjV/OQcavFg+9opgjIlqIKa5biZ23m+LRzANCiJOCRTG/yUKgCivwki2xVOGEpP664RR21z2r3FaETjUMEERmBcuD9loanxdueDWPfs+viAt9zmSQS6Cu+AJ1EbsiyGRNNNGHWv2fZ06QhxRWgbUTMPQsM4ArmoMNH0JYAcq/6vQ0lFSpx5IqgBoSLo772cF+cj4rzujF93txUknE48wiV1MSE4qlEGflm4xZp8E6U3dP8/SUrZFRNtl7wqJw7Wfsp+IkcdzFkdIWUzpn/QGfcUxSeipyuJTjAr3ZSqOrXdHEr602eODTFkYEz3q6gnQubl1UkoQqzAFfWXvUXKm45scJiBtwBgHYxxvYxdyqSlRolQlGpASj+Hi584cq6l/3sy2q07ecJ1I+153rdVMiAXcMtsH+ZUFmdgGQqL56vFv169CgyVzelpVfl/dIyVBOSJciCPt2h9ek6NYHARtaW+kszjW85gj8obYW3VKbOg1PAloieOIN7/JAChoCvcoY/ynuKew8Dvq/Ux2kmoYrVwat9Gl92a6aiTmtfCzd2AlTZfnS8NXoZ7I0wBN4XUI55NV5I2a8U5rg+MMJwnXUew0hsqEJrZhbMVe7g7EB75AJfuT0CbgZyzw28mdmxE+v0vcOQNZUpu8sdlgCzEW/0AoRHwm8A5omWnBp7eL/FvU2omJzA/dSnSOd/sZwei4jhwOSj7R7CYNz6cF5ABzqMn7PBcQd/B+ojmt/xgewOW7vx5ve0uNomNXpj3/tBRXo3KyXd121Lm5GWikFiFDNcpNLXQXOXWzei8b9PFA1N+2MkFOxW0PIxVAfqtiazqfxWOZZeSLCPULw4xoBEs4P5MUq6XnpG+Arb0ifNtbydHfvn3y1x4/udroP7Ap6VAdVdE1eI6DH8BndPDnfLphHfNQSAmxF3NEpPUtypInbG2vlhYqM9gfh0pyvhXPljvlgaOTNLxuH/5RbN4nxnHgbFA6emXEb/FAcONAxsLQRdhVJ6eNhAz+QlEk3TppgsDR3t9QWpbU2vdHBEoj0TXUIjImDFdYiTUoM8FnnVv5qJIhRjdtKcwP5ouT1DiqbkEhPC/5rgFJcR8MEpEmh97HFKw9mAc5yIiyDdiMdgI4YMlI+IWFkmr0wFBvh2Qgd4SihldW8btNOt7UY6YF8XY54XEE+mLu3eaRF25j1QySFc1u8xkLIpA3Dc/vVsMDoiRn1GrfPWstQNoGLFNSsO+EzwF9ELEmbF2OqhxgUd8bZXWyz2CLQiGwalLFp1+Gm0qN4p7cSjdmfmnwkgVsKCBNAXib4KH+Uz4u0zTxRjt/viULZc8QP6qU3ajavXnTh/pZcMMxVzpn/RM8an/SsTYPliOFK8StMoAGP8RkanGINWnxWnLgkTOcMv09Tt66EwzozYrX0hEFyEF/l0GIw3SoG2q7LW6dP6uTYWaAU+fDT9ZT9lx6iSC5Qj39rzi4qPEhRIPA/EEU+VsgQz/xKcZdwtqc2RF89viLpVs0pmefJkmK0baV1Jzz6UCJ2qemuxE7aZNDfTqQuOhbAIFXFHvcMd/iPxiZ5JLKY1oc/ExUwoV3mh7C+yB9cGTrDoXbb3uSQSXGHbtUHEt6/wyJoL2C5STuRtNXa2I3VIGfQD2/OUDGv2udBJV1gdZ6EVJrJKwGEkVnM+VLegkfwyIY/mKjhw/aTIyE74FfYVrx3mA4vAtclijSodPR/fSW95k1/t73d48HOhxLNLs3XBfNJjo1/hjLRwPVUsDzCdwBFAd9lBwn0cPY4lpZ3eBmOQvDWXtWI7+YBsmH7aRiKunAeRJdtjYbSkvZQpNyrVjbtIS2z9TLEAHvzBlwcEOyi+asAlDHtGv+MOSsV465ZDs5wh5NuyOn8sQIEzTwfohgAk9YdI8tT06krkwS30xlNhPxH9EmRP9GoQeHwMHAhfX0sS6H242cOomIPwy6QFl4bKQxtjY5yNalbSaQzhKv8VZrLGblpc+tpptrDg6T0W0N2Fs0EnkPMRg4nf2c+xhcGeX6y5cHki5A8PlpzVn08Yq47yAhF5DYLpS7Ums1bywpudzSN/G7UNCGDtv9p0F5s5PewxjkRQIaa7R2J7sf6xI8SJynTmg4qT90zpHe+12pRO3iCWuHT1TQSo/QB0vdpw3mzne9lGzY916LnDiMgF//ON0uGZ91aFg6qmqXABQZtwfFZRJNh+CgPFJ/stJEvmgIieMJBuqo5Jt0tMOrs6jWTPyPRTECv65T7R+F7yXCzeCa+cpLZaNSJnH7BerCwLdNUstW3lczThUPe1I9OH+lWOGPAS2ZyN9CkLwXEbaLeln5r2kHOa3ZjkfXN7QN6HmDrDi6bgMB4UV5PTMw3zhJAPZ6Ui3VIEtXBdbzfCUunyB5qaoLO1JF9A024OnGac7QueTwsmRa5AHE8HVRdTReOa2CCLqE1c9S3jGIIYxEeZAfFIHXj8aMmmHxJtEDC00izkJ2ntJ7NDYnCFsCkryjOfhvdteEIjDHxBZbEpQBoqiDhXg38NGx/kyvc1s7shEqULq9SeORegTUWhlvwdUXSIpoLnTt8Y6ufNd69hootV/puKnVkG6ymxYdH8zOgOqae+LXmtv4CStAYxn/rLMozT7jn6ih7uks0a6k/lK2XTz6p277HUPpguKXnOl4Eexzb+c/oa4UuNs1O5UmPj415PK4sdieYvlR5PMs+Pt2v0Hi5uuEBnBp4gSw1uWp/Y0AgeYDkTdBJ5mCHBNKGmdsLvTsFJU6dsCWSeh7oC7ZjLH2PaEB9BxDvKNH9thKvH9aSmoGJTUBbFkfS6Jn/jXsV0vStfp9Ky+zZVAbUnJ7TYniC4InyzjKTw/CNf561JTtzwjWq4YzPr9NpgNLX8XXBi33KFmrM511KMW88ivEsLTzJObWawkVTbt5O8pUO0o3KdTAh86D2CSrUa2lnjtcnQKQhHx/kbUBeYIyHX2Cyk6yQGXo8YAsMF5oBybVTZfUkTEt28Eihxqgo0oH6586g5BMn3uIwnxgFqPDD2uSUfGb73FQuvxEpldJy37gOE/HXW+qXGCCcx9qIv0Es/rJrbQtXkW2FnZGVWZN0mhhckfLCHMjH22bpYMdu7h+wWNCN4E8Wyk7rHe8jzTjwrBq48+aRlT77gFhgfqdn3zy32W5Gt//cAaSUsCQZY003XrmqQ2OW9yLYcIv+2WugkMJkeUjxo8fdxfCQ9K4cvKL2TuFRFTxfRWoHk3HwBgyxakR/ur2Kj6gAlU2DF890oigu9y/HlDXNZ2PuJAaA46hZZed1HCf1B6lWUsf6FhqLip96YnACNfD7pcFEasIL4xSZ0OCJWN3zqsWGdrv7m/kg0TdWba8+XyCvXeNkaNSoj31ny1d2YwZDLaGFIJGDlm+EgX4kMeh+MsoeFBK/2b0gXoLLHA6tqfQPvXy7rnIJtlz2pBC2zakEeuJBC5pvb1oF6ZoQweuxSwKrspmT4+z7fe7645SlWURnMx9CSZ61bU/G5KX2KkIuDarnt2cso7DTInjWKqE474H9t6yN+JNT26QN3oprPAhcAZdfhsxecTUDE3DmN6N9/M8AzFaYoLzFxiPCBI8qmqfrUlI1ZbflHT+H/zdGQuDdMPFTpkHtVC4UfJbt7JZ9SIee51/PIbFbk6NMMBkV2/r0mYuZoInEvbQ6oMAXC9Xja24mIuIB5E24ws7IkLtzueDoDoF3Z4ervUR58lOG2oQDTcKCY5CT4UEDbuS+lCoAuH+kDVOlYr2W0ZgF9BfZ1bxWuEdiUdfzj9bE2wFJqrDKkMF+/udKeLfrr+2uZLOqIgAp+Y7GVpq6vrDjjbac++r7WNwsHfBbLdB7NQ4JB3tqP5G+NrtPqh9jHOLP1LaVZs/KQWgh8BtHdTyLWCWx9AlAy2kV6N7xxLRxGZBPrnRA9ffXiOoUHZfkWGXPHpi/uJJ00xzfrlnCyOqo/wclc+G4+VP9XVvMXMWNM4Iz1ONBnqSZfK7INX6jwzCzPfa/g/5Ds0N6w/eDlOZ9VhfjJA/CpFr/0spfJIVFnVMthJDvXr86bcYVO+nv6K9zDPrUl+7TAQrzFXWaVskPpeBcNflaUir9eISGKq7ioNHWA7eLtyxqyjf+6Z/09FNKh2LDiot7TdD0rtDFd3g3zeMi0CVpF655nOagUJ9Qo+WU1bY3XhWW9OO2Le/Y7V8VqzqcFkR9PWCvjfQ1FXxHwN2W5Vm+de0tGTBDCSeXVz4e8aV/rFeWYe025fOTmekDig/D2s163pa7CNZJgJYhaBkUw4yb81ffNd0MxCaySlG9KUe44EIZnQPvSwYah4crARvKAa9SWguyhlmwz011Z73+Zw6xp5xXQVYl98bxWQ5URzysUUHi3KoGnpv2nrlEAxlG43QTa2ShKQHNNi3w3nR7ubhzB57SegRnv+IPxJ0h5Kyh9RbsJKpSN/Owkw2KyE3OtzDg73CZzAz+oeHczEl3A39rvJV+unB1V5l+htwq0cfox33dUQ4O4f7FjcGiduljleF2vyclBt8nsIIpyOBNSiAZP5wXJ6LOut8UDxG+lurLCtrXomYqjAmW5Zc7vM1egS8tyfCknwZb1mPefMTId8zZQflGZC9Ivr5KyfZv/a8px21k1NHyk+BEMrkY0XYf7jMYQ5kdo/CddKn+tIN4W/F+l8/jQB7RkMj5mgt699a/jby0,iv:Vqwy7UKcbqKOTJisSN0ToyPJNLjwSt8MwbO3iu9gCg0=,tag:InaWNkH/XLm+pgWrxdI86w==,type:str]",
-							"headscale_config": "ENC[AES256_GCM,data:hu56mGU1/RSBJrVU4dTbb2gFNxkDVJNbM5GGO9jDgBddeJEdxANP9v1UPw2ovwnSm3jLjQtu5XrG+YFKbLVH0PaxiW49xmWTz1ORSMZXFlQr4leb2NvJ5s6fct46vJNEYBh7KGdCfvGZjY139lgIPFjGXNSnT+9geqW1HMgaSZUNqGUhlx3dZJiO7gPg50l8UaHxtpGROu2vCjFaEhTJDtaT5ZvLFBm6junGUiXmY0pzndkKXqJlwyHwKTnazK/nMrFAsHr++FxQo2ibUkguwmwHXdkHMxuqHgLi1P5yfeaZ+8F0pkUYBs0uBr7lp2grCjFDISnzILgma3dEIE2RJEMd5GXmQQq7sJbSpbW340kRFPKIkYOZYXkYwiHsG8zDXVnrjkXlEwXX5bygQ9HUq+poOUMd2IWPMFRl21QE/GDu791O8K/LYLyxd/DsucE2mtZbtRWUSuEK7nlq81g+W9+utHdjw1AYcByQXrI2Hg/ACbRmkqnlixdFOQVmviZWPP2znHehIOonqnYdMFpuwlV4NCVYNh1d3lfLCe9uRcxqXRPeyPl8tA8N1L+LyL4Sq3sz1KUMva6Ks3EzaRghyLYMNNBeDZsPy+tVHxxVbpqBgunZhB8VqVlduiw9WH8usEapf8xgFm1/rCISb15cvBqmjzGCb+KF2aTnhTtwEYzO1y11h08FN/y/wM1No14oKcyGHHCQrz0pWHavFgdOyXlCjbpjKGKX6RaAPnE9W5k7A5BpWiDFW5qn3N58t7YFr2kjpcqBnF64btn6vymc4fLPFuQXnFtrWcHMS3gLZPFkAbBY3hbfs6aWNlpIpJ7JLZShnjmrYecSfqlKDo9mJExj28eHYdm07joA8SmG+fn9Vo3QPI7bGO/SPjzQqzliBJI56xBZau1R+9uZJrgStXEy29e+vSZGi9qHn+tALz477gclpRaTcFdzb8Xk1opXYFVo493PhqbkYM7HhBRKnV4HNxLY3PYFdrLZEnym9j4h5mLR8aFCENEhxrdpfYowJihzKRbnEJ6smlSmqsIftBF7c56Y2syRAml+W7KWFTTNE7B/45pxGjktp1ZczQLvckWHAxU8quE63bLoNx+3qUa3/71JBu0atr4nwsXkhADcOdMbe9ESGyzA+jb2EZ00JtUKqmrUEzrQV6RILrAulNqBtRNBqECs+FmuzmJABcLT1RCBvpTwPcwhWe3tpM1SNj8Kn3sPNJJHSAQp7bwD3RYEORLkge8yDxjuJW8lb0aQVnvKHhSAIfkyDN2DISggUweDGUXnc2WWcw0+X/JzrTc5j/f3IQmKmxgQUR2BgGJ7QYcjapVxo60uVsyo7Ot0Y2XvvXmoBU3kphJTQUkaCKd8UvEmD19e6v/oPOGoFT2zqlWMd4hfLFDB6CRA8bjkx5+9qjnACyNmrorXBVD6U+rXei3qpWg61PvNQ27QOqF2Igc7XXPYAaFeOeREdEzh6h39XhP/lRtCicMYJYgQZqJnUTL+DxhaqyvQyT+V0UG0M+b/L5sx1nRzuatl19zhCg6SgfSSyBtQIUf0KCxNnwkc6IiXSSNV+/O+f7MRIkzgSBBapt3Q70vyx0pQ95a2GzRlsfl7tC09gJtIR1Nik8TexSf3csOdvt37YLNI7oH55+Pl7jsRfMf+ZBRQfrYUU+UncRuRgu8dBbJFQsMO4011vyRq7FyiaJ6hNUnNB4gGMTRYzEHOksUiIhm3+KmaNNloypc6PWtBjnvHQS1q8dflvBke65L6VIpiPgireL+wMEem2RH86Mx2ttorrg8i6X0Flj22/Q/ZbIiP0w9/kKWVNI43x20tBWiHBx+z/6Ij0W+l+jabQJyBw9yDC5D0upHYZvdBHYzG+ocp/0T7zi0/Ldi0Y/Ic0ZwcXv15+UdDZhNtPx9odJr3SPSZUteXz3va7pNPPbA5sxpp3I4xfOrAEEWiVKISpu2+RUAHWuZMwnNJWDVcs1JJ5wFbFyBkb00OS77DN1c8j3c52Q6hmBfoY0Dti64m9m5xtS11B963UnZ+FX39uZO5z2zKIL57LuKlNebHJeqjKIuLZnStn7wkmqtTpvXfbTqwYTIfw0FTLVoUBQ7m5qQz3zLcqWQ64JmOoCziVzwmZZ076JBonRrQeqTP2iZEzygki5rboIXtTMQGvjtNVbvKv1wWLTOrijokWcKz5Iz4CZoToNBR/9kwStD8Igg6jOV8Ve9my9xOj+alC8prOr2Tk9/4mUw33s8wHHu2lYz3jIsb/QaqN9wdVG/xH2YnvEzM1kLXSuShqwPwZZ7bg6SLfQgjl1U3K8ZgUQVXy3/h0LprwUaxaehobfHWfF8xG4hq9pJEx3qD7UpBxclSsY6EkT3MTwkCS5Q/uQDtqpzvTQHtf3G4HVBdinqDkop45f3nwUO+UFhWRjjc6rhEnZHZOtY9w6HQ5u1d51Ard2x7vLlVpc7FSZy5Sd9O9WP3KKuMcPMVuURSsLlyt95mPFY0Fqo1cFu+4tlU/CT6BVPVihowfqo32zfDqTO9N5dfEDVFEyUXsrUJfG89aQG/q07oLT9Bq5td/MOG4YiCfK81JKmJ7ReKQ4NLUyelaeo/q8SSvMHQCzM1OoamHmWQ+2IO56V0GkvO+LbiEz1qQsP0QaRi1E5w04baO2LsHds2FktzCxUUn5BLvAanu6YXmj2CFMPDhERdEOISlOQPB4R+tqDouL//Qz72atWKpWY51BMIoTWtN98sIGEaZkkO+qLTR0dqyz2rt2W+eblsN+9JwO83cxmnvQR8gqZwr2LD0mPhHLbUBOVma+mKg/JkgTy+PZ0wI2sTGKxWDwc/L7Z5LSpTlxq64gaKQ7ZZ6f82LP8jrLA6LV+WXH3kFeLeo9pupjr0I2dZwg+02sFRIlZYvoQmhG+aQt+pRGe6nHSM13L3/KJ92Z/l0P5YkrOpDf17416pdm7mM3W0Hq5IcEuqYQQCQ+7ldd+S/1UUw5Z4xQrpb2RBsgCsWs03yQQhJzzFFWd91wGZP/b2Bk7y8+XmE20W0WiPWwh+yjK8ErM86q/kO3hA16m8mxaEFuN3WPc10RqPKCeVCssaWaq49PA3vynAz7uzLHR1bRyQZyJXfKnv3XDjCEloqTDG8gIlRgjxGoxL3X1ZyQTc4tcdtjC08UOCL2YgVX0oMtScpsQZvbd/xV0b3gu6eAcyTQ9Wc93/D9rlIpurz69sx7TxxFg7NoVEU3bBKHXeywLuBabS/Ji5YgdlRSuxFYnkwnhOxbzxJV0K7MeXCr9mc0EwhR/JPNyym4yr/3nv3iGww0Gt4G1NXd8DsogVvnKUs9pOzdpcyVT86TW6TWz57reUkuhgYNB8iFRD4ZKKqpa+FJNfYSWaQonsjapLqEMrQBiF4fd+vsXum7i/FALdJ8FPZz+BeKP+wI6lRjYZynDVCqL447i76JTY4bZCZjMeMh1vL1ejD/ZiWOpXafPUdaA4d2OM889H1/glIf8hddT6NeZSVgS+TcOhXWneDvVNANaZUn52AsXghswp/3X2hDtIuesLBxzJcLcIzhpWYWGBvyXxAi/Lec7mC/YJzCWwUofrKaxT1pJjmwhgVjhwkP6kJ+oSMc8iwX9NIFwoKrjDzGGlLMvp5LAhhsB8BdSGRYk8MT13x7GBWFoerRkyoxsFLqf2jzU2st5oOb7bgKCQfcf0fzvLfAtPKto753ZzpsOgtUxNm7spmnQqojyFG3tt6Iggk3dxpzm4qlbh2p7nNM4RYMkQ3KOZPhVm9YvfywVlaYRFXAqA3jPWBefLK2bFLY1nvUk3wYjh4RWz+BQut1wWiFcUZl7mUmoVmgN0ItBbzGBsYe9zZ3AKCB3cGZ4V2Yb5dDYiCEELEP3OYBPSeiun2cJ11l/9aLJJo7jGSRlpkZ9C/9pdpLkkmDIx9kUJldCk1+MqdIJmFD5PoqRTeLblAN7uXOfd13KAo1WQx3G4jxWPDwhI8Hmq+op0EdHUr69CTOiOpxZDAbGAjVQyDQwi9wRgVEj/km1ED5B8bJliDV2/6PygtNSMZb4eWzqMQ/KbvgRR61hU7YS64t53vGfqOLCRQruMv89hVp2YnJuO//x07PmrojnbhIY6KdLrP4owQJIS6yc42SCMKQOkzHbI1v5djeMEhhT1exRhOs3+NVAJkesa7zY1rv11TWZNtHEbAlUN/lxuw9Xu5Ro3HE9WZLPJsx+Ug5Ogp9FmbrrB1EHSgb6kZEKc/pTEUkblLKB2MWPWlij90RAr7C5BS62Ihllh98VBGFVrkOmDbVQDL1nA73kjhFxXGqrHkCG+ibIHNUOf9GRMNTx9zriScNtX7bLUGnFbEWjomHpSlGa0cLh5cqNgpUwu8LoWugJ1EiJklTUABhnzb3XQINXAEolfg+8pR7r6GgFtemxLFQ5QMfhV+UsbiqegOijNjZCQ5c/2D8AT8ij7dDVhFhaSfpDDb32bi5QZu/eA5jDRpecn1iKDEv7KodLB2mCY2XaN40erAHXcoizneRH8sEGCc5qDE/y+5YeKxRv2/iRemf+FPC8/RmYo9d9orQTkES46LE9yCRzlExsnVpwE5rJT/+UQAkvK1StLBzQxFbrkecNFXkzX47MSIgQbPO6JOYArCY40kfzr0zjMgzRvp1R2MPGzsDGZDRJKyzAJu5SY4L5P/P9PFGtRhWVQjTcglG+B6CVTjHxKxbxmfAohcN5jCeQrV0k1pbgxENDPnTQhXB1bYLSnDmpSOnW0dJNFKw3U3C43XB6Se+bnLo0OAPUJQ/MGrdNoUbZIKKGnF173sZvymC8iJhP1yC0tAutkDhmXu6Df2wQwbbElmIZuqbrFvUTzNPWs1O9lsda0cj+WCg21WrP2iEa5mzU5Vh0oJq4KFPONxNhp3RHuMh6k2fan8UAZQQG6bD25TujIQZizyuaFrftlEq4fOqrxMHvu3hGhnTlwD2tQySqbTr57pUiBAu4YMFLsh4TkUmOl8XZ6HNkMKGzyEXw+rSWJS3si9iF/5/xN770tmGTDQlDxZy+r5vDnT+gRelGX4X0zKkLw3HL29QJgWyomYvrupAb4wZh+4c+k9FnGpHtyNSw4povex7FzUFF+tVVAfFt9qX0WjgzOHIEQ2GB0IZVJ7YEXoz2q6Klrsy79m9zSVjvqayKsaGbzhbrS6NkxT5Yzp7KAQPnfyLh1Qi0fuzynUzTtBznPsGLexyYBR7C5Vw2N07ezLiwxDfFKxaRg1LwJj23IEntRjxbl3pycwBeMn2WeG8Kegr6rGVCCDPHJMdZnyZYrLIqtgOnIHr/dMCTc1kz1ETrsUBDFdDheZMm0U/5UYMW5cJSspVBTIZ6YMBFuRbPcjV3ImO/fN80LVtwAaRtbTdFUMei7xLED4tTqU5zB+De8mwsh/kD02aRcxn+Jz6kYi1420f5wPE+Uh4PubY7r8Fyrw6nLwKkSRYBvffGdL+A96hLeT+2fKDxh1KDUwLOwMlBiuny7niQ3EdqsLWE6YyFxzd13cIgayCMWJZgwc15eoYIZI00AVECH+W2u71Z5Mry/QhkZ+65mZaweuH9A8SB/n0cP5kcQV7unjE9/hlK1q9zTuRdRa3ER7pj0WiJlBJOl0WvMN1+JyHFhF7wWhqBMnwf9vSwUEFyMBGO8kYWhVhvlp0eVuUfApqfY0BXtCJPzCssvHGAZ0IB2+8RrzIpvgAmw3u1nuonyxTINqWQaesY+MrgIf7U86Q6ZHr7VpT4kyKequibo6PAZ8pUJuyJI3MJhTV1gSzY2fJwLb7QnGvv7SjB2s+hO8JvXRq3TTH1VfmexQJCtb2/JYTIOK2y2duT7h3MxOuTUU+l7MeWYbVae5dEwcINEvGnSNXOJbWWt/qqX8yDAOJmeDZ5MfQy66PCHdIzzQpwkreqR97TDfxaYnatif8/R8NkJH/7teoxmmubes2Q3VULK9ANKVr4xe+ZjfmY4o//+kvYcClMYM4XPMolLNOAk6jejuMpFr5giN5aYdZe6breh3ydIBdioSD7kcu11pAFE4FJN47klm95Ngwb1lYWgc7Tj3+YGHB/iENabcoBgg10jLp7z8uNxbx1WPWbEdL3Yw39hVceMnhpmTkIJbigZMNh9JBfavIFbYFRkiAyd5hpNbPX8x2FID8+y9bz8aqTa57E3OXgY8GTdMww27fFMvfFA7DaU878nT2fkzVGM6zRPl5QLDosISA8YoL2NZ09nniMLoFyI4CR1wpwyZ3hah8is+3bs/ds3GLSTWG5Ip8jOUw+1aqf+g6+yDKrE8yv+D+aSPyJ3W3gHJQUfV4D6JeIIagoQ/F06q07arpemQebdt7eDN3CPp6R3Up1WGyvSeTTMu5p4bVGzhZvoBoVJOEHAnpeDzEcj+RM7I0ZJBiqS5pmA4RTWZKqAvVhC5Tx2vvaamIxRGrlmswIl9okLKFHLVpR1VzgQcFysJVkyYWQD379VWfhco3QzV7yhhZq5J92asAHozMI3xYsxURZEx++x1Ee24fVk8t7oLL6SBbal/0vF4isoa0LxOFHMOpf+0jRtsaiji78PvQ56CFcu2S8FfYiwR7QehdIvnmufZR6EupGnvUY0eKP6PXVIMbCEeH9ulO8BYCW62qAD3C/RoYIrkoA2qjGYOe9Uk85fbXq8RdfSDrHO6UJW39WNZscKJ80/y1R/3vR47nN2tBh9fkbnWdhPiUawtmkE4f4KXCr6xLU7V+KJBIWDre7KzNFd6NlwPGfGq1wS6KosgHx0R/+5HCTwZQ4yOECoNzDrXkwCw2dIy0VgQnV2ffOQuPRL6yKWxgcRlenRtkrBaiDgfUv/oVYqLEHQurc8fjnlNI/q7a9R2/dUrwcJJDTFrsQm2aZgpnPexLXkWnI18KILbAfeY8nq+OJIp8wmiJEm2FLfUt+af02pNFkmbzMRtZ8IcRNozWmQxk5y2eDFQbvdtBo5dAsDt2XmlxCyNy360UzHfBBPhpvQ7Yt2xY3eCEtZwhSh0V7dyUAjZTW4rqYU3XvnuT300NyR2GSrsGg/W+v55CkTu8cw1ix2PzIvDIioHWhvl5sMqw8l6UKPrNGorHPLdfEPpLM2RCTmj+RMcr78oowBZ6mQ5BO5PkxCW1zMRmmLC4O/AQf1l9X7SCYnLbm5Bjl2R/zbNc3HdRM+sdFHqoYUt7/b7HeFJfzcJk+kpw+RdSd2/O6ZVS5/Zn5zqF8Xw33ngPMRdaJIvDJiK07OfMg1IzD4lLtGnTiWv0yz7cgxpReaszkOYI8z3ZBwVDP9PHQnficx5J7yRPVsqJXhWDBLEU476Ak+5AhBGtNnYakalOBKPEIt2nMiVIfeimLnRKJF9xZRyOILE1Tm7k37HlP8p3yqjw75VlCEcWh/vYIYex0OkUmdEwBa+5bFMrTR8j6utcacU6WgjQPN1iJ+6UMah9epTELfz1GckZR8qZ+VlFvaM9U9STqspdel9qS925wJUGr2Ap4Xb35F4lz3ajxQKjErt6QwBcyDgWK1xeYg5vEmlid1vUcurcXG3XvwYIZPlJ/Akml5eqvXc5Y0ZoMpuhit4v3M1zdXBNWZZUkoHOiga5ji2sioemJ8Qc1j/141HSqgmBZiZGV4t0OJ73fOYAfWC3AULWEQy4ZBSxyiCnLX4r6jT3AN8LWT9xRrLDxJJcBD+txqMPvGfec3yUjYlfzuLjPX2G4V7dWQ8K53rXmfpo+L0sUbgFMP+2TU5FzpdIK4akxhcN8HFHufowNWgkPAmqnJHHYc5BRdZP2J02BwFYC+opNhx2MzmzBpzZUn+Jd5ZqZ0Jy39TGHeR6FyCiSpe4K6k/ZJMi0rU1OaqIRjmQGweC/GU2Mp5qbhyCV4D2Sbcf7N4/Za3trjOLq6yv2gR5dZaRIYQGnxcR2lKNMo5FrU3LtNSnXBu+dS0YPGsRLS105ou/h/W45AZsBiGYiEPrHVFa0ZEUUmUkN2oraGTRqSK6KD3pMqz3wEO/oK9zmF7igcvqKgmivacJp7BijEWIH9z9KzNt4CdHw2q+kesJn/yWTr/gw4UAWO9kF7rNES56Tn7lb2gT0oKiA6BMNqWE4GzXUjYoM0GJLzZfIK9zBSaEjpcCwQ1iydhozylfwDXo+oTtPH+v5E+pVBZosNav/0X/Q7492emZMMhrw1vN/N7xZYDo2OPVuCVlB1dvJLSx9pkg/8nprXS3meeu8mI4HDO1EBfSMdHNGVDTNXeppgnsSqgTAaIDZ1R1g6RxnUZxvyBAzNw2OjoaaXjK+2wgUZOwL5G55YTl9s7r0FKLoaVTONfxOnfvKxmhDOdZMvdVkeLoSNo0jifR6mwhqtq+bTt342jQGGAydm5xI5yP0Es+tZGO64HLXSbXNOMzdmHCiD7bdzMHWy6dfAWq8JVTTN15PLeVYMIuL9CyTpHGotmccUP0iQf2dGmtMOJ/cHcjMTl8a9ZTWAUPQSoziVoVIYcqXGsqWIYorcqsRPdIPQOwnHI1Jm4AowCNO0UFc8VkKgCU8x/Jd/7X+VD0Tvxc4i83ipgi1ZfbvPaGDFeEKGeFGDdyOgMJKdvBV6ntd7+8CJjyHL+qU/iplCWmEK20QDDqinCFnjftiHOT1QFSj6qMFPl1AWGGjG0VkEvLEUqAwLIS3Pv10X89clJqNZWWi2qcgp3wJ/XXeoahrddDwpsg8eL8pc+Mzog9UOIb3y+ADrc7L5tR1VZj3FtZbRwaI+fpWflKeYkt+cKYQgRC6EYZppT4CcMMdFW0LQD8RYdVm+hkhGVAi/d3mCgOGvBLrXA8WcViHSvAOTgsNdzHGXI/XedNDCyXUgbKHCUz+X+To20HFYW/UfLMFNOcltu40US9V2P9aBX/tZXrwHr48w23s0LHn6pCc+HBwE1D7B8hrc3PvfYBjTnSWRJ9VVEbGlc7Egn5oR9OpXf16s0eWrwLxJzo1s7teYuI9snKLaj7cmPfn4adtYC0qk1PXFzbLOWb2IOg9/HeqrUKQ7GM/EnMg8VAziM83DvTcODNjF3PfUnpe1XbqbNWITwqQdWY6lJOo6y09vL/ofb+hwQOD5ne3J3lLyJamA046DQiNzfNaYnZDxdi9t/FkX4eY5CEOasgNfR8P599Ql0SH0GmO7ravDfIGrtdUb9PbEP5/D8Qky9F1IKhg52hCDOmfg23GystHbWiMYMx2VJtzGvQmXwAlTdG6mJS4bN2pqGM1CkdwrbzFFuYWtyrrt7pwULoVCxvEtWL5fLC33numqM5w2SiWd/b8Vp61pnoKU9v562+D/sifO2oYEBQGXBaqqg5yo/sU5ESlGNoH9KwoLxOTL8DgqBUwEN0GTIcXw04zIjynM/xwcrYSawxvZihxCqKGVYA/cWR4zftd2LOZr8x/aMcH9dov613NXQsaTPqOhteHFp8PdUt2V17eQaYoHZ0BXOQWqS7LrxhdkOL2L6nmELQ8ICNPTKNApeR1vmGlpiabwCkkvXad0Qk/0Iolk5hBbFXAJJqdj8S7JC/VoZjj4uL/gsa/MFhJjoOSL2aeAvEqRUdIkl0N9I7O5mOpuuS6w+UtC4IDqsH20PgsSiuYtRM4PhzaiF+3CyWj26ULCn/WZQPV/1pgTwuQjnpvCuzLM0DruWI/TRo2i8lX6PPgCX/u+2H6PBlElxzsqUy1aiJdP0IsTXy++0DKmmD1JIxUwZKJuzGQRvgaedMTv8Ovvu+vASA7DTgsLvuuo4g+BmQpNEa9NFSi48nCDJoYY0oeYjGVQIWLEKpWBwjoAG+arzGclC2mWwS/3lFQc+y2EyF7Hhwx+isp8R/Db9MOntxdwWNC9AHporfMEM2QRfiACJ1gmxx3dz5ULH/Zd5jhatOlKpf4OdOCqg3qEeK+E7TRtu91BjU8PhyobFmnBbiNXa5DIjVTd6dDnh0RqdCFltKO84LRdaGYqWEwErBXhTQKttzJmXJtkWkPfJtxfvdb4pfWcHfhu9hKPy3z8DTG6WzBg1QqtwvE+epj93Fa4gnM02nk5fVi+CnyCnAXR/8K+lU3WgOhg7HNlfOHXUF3X/ojvizAc3qo9y5bAY+UiIe3rliACDjNFFpVM7dKLNkCMggPI9WV5xUpx0yvf27CiY59Zoc2Ro/k/BC4JBaj0DSGLXBVcJorXQ39ZXcPvalmvbK2AmLTU8aHGzipo8X33UWrdshUFxX1/IKKa4/JC+hnIUFdiiKaBZ1pnbd7Z7HImcqrx808qfDjkEsiyKNMHXn+ysMbmA26uO9qMqKPH5/mWN3/c06b5HyKyLOIT5U/OgW0fZD/RsdoJsDoIhTknMa+B9ikGQ2nobwjwL+K+kgrsVrt/JtCPHORVFttoJiP6LiyBOAQ1zfdn/CietXIEaGwoGzNvu3dq2AnEkJR38+pO/YUbQ0CPgxhYA5btkOqgooZ9HpPPxcziLqckFlJKgm/+9dHZ/cIE1pOMBy2v6Ku0iBdqvVFlzxM/mBJRp2baq8Dhv4f9MnHoHePIOGkHJQwVxQ14zCslK6It028H5nwhbb/6noqSaZKO28LujnB+Oz9CKql41kiOJFa3SVBWTet/XvRT3/eGov4kdCN4JAnZOxxB+67KID8bDpMJKobAFQ+1brkgPq8TGQy4RLXkaMC7cFDUbodiktqOI0PUO012SjB0/cN+IhpVJf8Gaum86d7jKE+1ZkpGRes1bj+zAsJ9n+l4rcNg+2c9/klHvi06KJIBmsXKGg3PdYuNv6VJDKJTIP9KBfQ4ePXa0mS2vt4CvdIFN/kWxdDEBB2ICe/fiboIZi9PMg/hqudgYo3qNqLMjDlFUVcKdfKhoeQgvNAAvMrtSYZGTsredSlCIuK4INK+Y9IulJ/PScetkEdNN8ko05cDNzMceqkuUbBF36siHZgeD/z/+1P41rJisswuev0Z1Puo/eOXe+A1A6JAm6rCTeHtaIjntSTBxWSWcF/s0y6HWyfjnG4vE/WjPSAO3hLJZOHJQlZSfVNVfiDbRa9huvfO4ZKiFQgJQKlrxYqvM+ljVI7OQHvG3I/iYVu5azPRYq1IXoBO6YudLA1C4AL4+Wq+llAMDt+EvocnzgXt8nfaz7qJkmSby6m33W60woT7ps/7n2T6KM9coW/GK2RTYsO10hzPUggmj6v0gewou7U/BCKl1aYlJ3TR3wUMNA/aREpM8R6ty6qmZ8rHiNQofAhVLBUfrOxqoR6pTG0ZiPAasjudT2Ar/o62IgJRpbn3NGvV4SBaE84uino3f2IWQpbJVkPGiRhrc8QWx+GrkXc/L4RH9BBu5te3v5VF/89KibaOFOmtvUmWnLLV6uzsxM1yzuwNinWGpQqf+uA/V+ZjzOOsMIRpS65oX03MYDecRMLYoZqGD+uyRShBnAB9ZbvBsqy/GmciCT6iSJ8vya5iEshddBFUPt0SoEMUoIja51mqxQsnlVC7AH6jLKDachNLJDLLKK6rTa9h5NvBLPe8wYYAF44zmRntZM55GwAG50JAVmgeCJzbnSpV4sc/wuhz7D+/Ag0B6yisN3u8KT9DfzjLvHf4/NF8lBgxTMd9+sEFLbcFOW13olHm+1igefNUVKsbnJArO3lTpMGSboBCfnyGmE656/Z0aDvQQ1XnW3mU3IorPVEQ0pbIHau5ytGls2697pJsWMocTc09WLRCJocSbub8FF9URiTglm7ygPI1baZnFI5ygGcsXqMxlvDdkITPksRCoItvRha8CUboKOUdG6JZuINj9sLya2ndA3ncRM5hgOt8jcetXRkTA3uHURQ4lmhH22V0C/GJnOcq4oPQDkUL9ftivG1Xr4wM/p5UHP3hD7AiowwJtWuD00uOCVfwPhCteeLppnNJg9O74pvwL08fxY4cT1p8zk1nwtevY9QI0ATrGtanSTR1OFeZ67qX5POX8Jb6VVTtXx5kgribUloHUz9guelGoqY551Jig3vebynVpfetvwdTBc3rVJ3Vhc8SUSd4V3S+s6akWmMu4WrcIPY+SooqlQ2eO/DKQlZxr5H9kVegNR7aoBeoX1KHZ4LlUKCe0t4tufaxVkcSUG09dyW0M995jUBkppMwvE76rddPRGkwECDtynkK8+49QPQVlofKCGrUY/3QjBwBOo5Qy0u32jwTChE0PMS026oPgGEPqBPA2rui8bFD5hXOpaax8otuxInlewGtxKq+jZmQlmK0Roa2UPp3K4AYtk/pzvjWxP5rcs94sCpXtt0zusyE0dhxcTItj0RSSE61uiEWeWrYaHxERqNFEv6EqH8RJPOYtGsFx+e3+QhGdMs2zUexcIRLKcxNGR+DXIhbwYe5iaJidE/Iuey5rDrv7m50lotanwiR8FgPv3FwGcTfz/x1Mu1+4vkM2PSkewt6vLLA/36P7L3hvwZu0bnVCimK4b58w1qNVwrNGKlDnaKbPU+hWCWVF4HP6PxsWWI/VAMCkKI3UXqVYBdK/YOUUgxYnF7JvHDlMFjN8nmJDrKGRM+FJCiIcYMTlLt5YwiXfVlVvKJHmej+6NG4QHUin7NRnwSIf7EbYbNLPIz1dJkQzZm5g2LIZPJYbiDfpf3U92T+QWkswiRW5iRhff/HJkHZrp95QYa+IdNazsTzG8moPq9wba0Zh0NhYzwbhmq6XudaGCEMlImkBkHTCj1fAv4dRAud7nnuCOCyxIxP6vG4CUmbUT1FL1ro1LheHfjPS0VQu+FUR1YuhACJKWA3udQjoykLSrU3+/hKdTjKHid4VDjabbRb+NCBJBF84SjiIPx94HBmR9mkkK/FHYQVub3eatHPVJwyEh1wksuuHWhdTR9v8/8GGOcSTCUawXOORfzHQYv5H4J1tC+oIA5Lka5lAI34lPdSwrP/PHgEvalO3XXrvaSqEybUgey5cx/3j5wW5DqgcCGzN3iR4WJ/yZEqKUcFaaGTCJ8sylWZFQV96PKcCZP0HOmdSPCKWaDai4ckWjnc2/DsgUyNEMz35w3Huy8GvdauIlCKd7PGqjIarRExfvcspQ5qJLhI4b9KFd9GRp05gDjyloL7hP0LAm31fUS0bYqbSooIt4WIUmePgKKaVzJZ5SFiH+ic+DuIL4HVdhpO/cxAwXbeGZ8bfKg5RmQkYSa9+oFbAFce033irt+w7FLHFWedngINwVcMNRPrdbT0LSgEPOX/aBeshnlXHhZIHzPPIS3yRW4YcHjocScR8FXXKa2Gf8z0XVXurMTkED+hUWW0V5TJKvg5VmLzURdLdCoZzt1vQUI37Nz/Sd4MtRD/8Ue/hwr4gyDJnrvlLoeHpOv4jUart5uj8nYwLTIWU9J73uW5T+e4Ox0MaVFsLzI4vUJKOhqEtudq6jIHP5O59I4h5tq3TJZ6KOPvzoyGn/xMbQZoP+RYzNj3IBRdFs83Hu4HpGAu3ZjT+rmazj77bU9yRdzfyvJOHJYgHzHEZDp6Y262dHYGBeD9dSgVCwzYRxXsIMTVuI/nLWgCw4tjPbniyWENdHyrT5se8jGrLOSZhUqpwZVByT/JHV0vlxsw/1k8bTzVnCpscmJlLa+7V9iVVKjIq1SB8slDiSQGLXgbX5J5kdTxdWKMGMkhv5IH2Z/k1FrQ1m7seD/XNIN/SVCoAyJcs+O3QkrkzD8WtyU8KCiEISJ1dfrwAmlzhx93V/0dT4YZvL7dnU1WnIn5DNJ8fT8OSDBwrhhep5pRzfBjIsLdlcXox+7JeERLlud71QiQGNsTprGA1HR0u8dBv95hgTQXwJluRF3UaDMigJuyDDqXB/D6Twd8sRrKqlqvUEX/Bip6G+/KFXQynLrz87xaSjfB00+25alHiL9n3ZEsC2tY7BYcXrkp7QORi2XceO8QCwGq2KukYd7dNznb8C4/GOFy/3t4JhiMpQ3ONM6dIXZdIcAa2sf1tARbR4MHFJBzudordbmnYJYmggmaAFAnQhQU3Qjhrq1MLkq4CWrkNI8dmny+S4dhJyVBWgA/5I2URN1juOFyE+Zf0+/R6W8Eg9b5lx73MHrShC3jUn0HNCIY01AgaPmy3sSC2i8oOHYZyF0LpqMRrWzsrz0KPpbXYdXEI2JIxKbnJbIEp1OPkektvoIEX0cYTP078jvXZvnJ0/0a5qPh6+8/4lv6lL5B+DoCiwDCxnKRqpnH6OeoDRFW+hmgk08EZCGLPhzutixXoetyoYIFCRCNsisTK4pCcu1V+XGWgg/7w4bqN9YEGu9ArTVlPj9JAXGhMxUlIcTFiezCEyqT9Zc3sZwCFOZ8sNY4FISZeicVCQvGLkw4MwINwVMJk0InF15CC3jgUUGl1howrI46LGaWq9qCIBIfmifqzI5KUq+cCukvP1KATXFRiudAg4rstC5BMmOyxlUDj7qiJr47zs6uk0wWsgOhPaT8zKLcHFdZ9vPcuAOhvS7M81ywYlImNuKf0f8ul9E/DAAfgouYWquPnb49iWbflvsIFeQ5wmT+zRsYFI1Ni4eyB+s0h0p3PjBO9x0MRC0V4cAhoQPghPFbTEBKRurb3kngnYEDenXYN1/Te7JZQYkCpDQgyWn9NfsH/Y5zYcnlCJa6I/UcZlxCBXtCV7saLw5LVnzz3Phd6zMnb5je75P9xvJAiwe3HjlUwA0YnGaGt683y/NGy2Bro/drQNNChq61LWiNG+sX35KvBpDIRr54nzXtBD7MyFrVoYj0ta2OV6bvWxjYxMiXFRMPNMg61owL2SADfCBNJu++z+/tZX6bdBN2Cq2HIXUyeejQA13r8aamWB+TQmOz5UiLytRitholhZZkBuvYY8s2McZ2BvmZ6nq3umGjVvG2l0I9KtmY/ACJYpUNb9SeNj9UX6Z3twV+NLm3V/gPAyuMe8ImBDhk+FEqrpcAdRxrt8k81dl2KaktMw9kTiC3vQRH7vPOX0cLaWFkcL/frynhMB55QsJrflJvOr2G+a6NkFsV+hVBn3UZKJ2gx0PutN5SqyQr0koP208+5H6BcBd7uEG59cAzGq8l363yFMMWGAVbybmkdfwGeG5WdAw8lkwvktWHcU44gnt/SkWJ1wMiY2Qd/uVCHSqrWtvHSuuysZzUOQCNstsu9BVTRoyQsDXNEgg1b8e42ZL4g7j+vdK8wm5xepDvBw8GuwV6m5kypBkGwvmWpGpnpArdXVtzeMDCZZtiay2aiP6XRGHKabFw1+PFi5+btiaoArrlrPP7kuOCP9rfd5S/IkkJNHn/ThqKcw2Ufn1Y14U/BTCxOTYV13/ulYRRYmuvqzoMbNuVpFMMeR/dWS5yqWmxa+Tq5jj2j3kKjBJdHHzQkO3LpDay0m0fKI7CKiP1VOqobzimFv0WvA/2I2b0kl8wRe/BjM5Ah8YfLM+NdbmTeYr5YIYKimNCkPKuJ+FlFJ+L7iy4AKz+f6R8ljKXUU27etSORMT/15IFwQbVPAEb6wILmgxRAvD1LTIYsojs9E5c5evpZzSvDxekjy/5/LrexrZIcypmz1VkCZIf9O17JBwDAtu5Gd89f7K5IGTGPXf77dhL0qvmuannIdCrxe0CT6wbZxXJdBBImqVgDQJrbLu21mh5PaasHBNUky3+l7HbwN5v3oXQiZJrIp/q3FkNHmx9+MDtaecaIINBC+6CNrgMIZF60i9DFU851hfcaK7QBtdgHYevmf0CukCkDcrDBfQPUfS0d0nUhEOI41RiRZ6qx5G7BM0lPD2jCfhqlgxMDF4csNBKuP27ASoRZk0lrxCqM6YnmCtcmyQe6OF+fFouJRUOAKlb2R/wNnmDqXVXr/u2snhrmf4qxKMDyBnKMGYENMdanr02kPfEmaR18g4LGv/8T6FIjRPzoq+4vskEsuzKx6ShTUMefsy6O1vNEyJsPdU5MOyITbCuBqqn8uttGZlRmSV8XUqLISl7gLnm0dasQ5/CeZPjEu3e7DSki+TTo5eBNPKNv4VFW/vUL+AtjM6DdVX0fJqgEjtc356Z+xumV9pA9Slx+NXXT9d4IG1m+YUjEKsGUSJJnvxj2AfHLQ27vXgIamXIsBfGSNSNhzVw42afwN6zFimOmixo8B+rW4/160mQcZHX/Zmco9uE3TGEcytCBYx1fF2vI6X2FfEdeF1AvUTcHBlshD1FX1o2dcg1HcqkyixdnbI5FywvTmZeEWMojKDnA/S7mpY2eCbSBMHC29yXnEJyh9CqM2UYR/Ygss5k62+hC61JxKteAMuOFlxQ2yajbF/IxraNmbZBIs9gWlRdM5wfUTNRhmzfMB9DjzFQcY6a0TYN5LHmgYbivk5T4AXtOPV7hWh9ydrJlI774vxJmRuedTpRU+8m3CUSW3GpIs5O5X0gH3NZsSd7CqOXtreYTjZdflS/Q/I4GavmZBL0faYKsZWp0b3Xjkt01ovZ6NNz7SOOh3LFZ44TIZXdvxWem6to7ET2e6uvVjhA0qB9/5sYo+eSmi3A9iqaqRyD+MfJ7TJTsLR4BvED8RZ4uEjKzJJ9Ck4i51uGbLH/pXYJk3FgBemQptZ6Qzghzye9h1QgAwVoUOXIz8KWAsYCkdbNWDDuYIOtNAR9q0QSoDzLaYsKe2jzE6SCeTV7kGvTQOvoyp9iHtVpCFgukP/fMesPqnhv+y92dPJbyYV+fVDMYB9EIq5HQYz1nDo8Hhlrr8ug4hhwWShRznc3praPgvOM7mzhkJLYjhxz9Iu4mTu3ibtwtD8Qq9OpUuMUULAgF74+2M0Svtwm79TQPGaKQT7CcmeKvdHU8oo6NfM80/4WFf0e2LNP1mEV68izMEU4CLLKxINaVHPwOO1Q//OGaISAWMNXOPnzEXVc8oOefR9AomQrnFSwHtG1qQ4F4Oun4jNHgz5ZAzZIrk8lDtkZX6fO3xziizAoyemrqgRalgSgyoi9hMqlJg/ddwR5TCa/KUnkCuw3WoTclkm205qIHDm/fVuo1J4mbbZswXJfSBmXYCK+oIYNuJwCl0rgv7qRSOwvhdKWFUrqh79DLxyXecyw4YhVXcYhbFkpKGXFGfspgvi0dyuZmNurDmH7KA81gWtuh6WMV7ra4y5fspwRJpfaGrh/2UG0kDBGOq3LNuyUB8KO4vWZPeYKHFQSrbKJm3tNWWDsNPNSrfjoHPIPsCKWsp2wXA+m4V4fqmDWmNVic3eXJx3wQ8SYx0ur63lp9M10Q0YxIETQ1nO0naUu6ypXzs7pCtgbLnn3YAjYmY1VV/SxeSpmFfyYcPKNrj1+IVbgPIljUAK+cKc3NK23sMB+7W2Y6+YjBDfBpCXZvD/FFFXZKPaymmsNuMTlqC0mSzZUbF1s0baf8qqwEPwU9yaNBTqxjbcU09AuSoNdfwtUfRsFTvNiQmTHYJ7rBMfhnZXh25tWoyIoDkw/qfEWksxr+R63f6IRfwb5e0VY1odnaN8UMHDN33Xp9FjO+b1ZP/iU526ISJsZyymZRSjYQSEjSwRrGPs1cHUNIxq32myc5GCpY5cbpdvx+1DwCsSNmikcqw==,iv:BL661Jz8Jz2we1vLEANuqidPaTCK4CEvx5sSHNQG2PM=,tag:71yQ6gNxdDI1+xCLXp7yVg==,type:str]",
-							"headscale_derp_map": "ENC[AES256_GCM,data:xkVvsT8vFj+p/hndNhTXmn/23Hs6wutUS5LA2mgFF8WEiPelqejiMnOxTTSLV5IJ+sRwiCO8zaX4EK+rZRjDDpEnZadJ2E2xrb6e0qwqfCtxAs/+Rrem0gyKdHS5PFK9GMrd84uayoy6HN5RsjI884K58lnbTTwe5gOFcNl1zvnCCvdFLIjsT4MycmqgcUpGsR/VC06Z0FkFhNs6vZuMf6Xle430OfpKiLb2Qqu+sk/nv0eN9hBiZcvE4SytE+Q94PHZNzJnhp6xQVFREWhR3fE3vb+pc0yYnXRkY3G2quGv0U0+4jn4y8pAhxWcG5geivH2eD37/WBcLXhaNbuvBw7tbsq1zIIDDB+C+18KwND0kyd0qOC5wfqeKa58hm+/bn1BsngGbSmInE3H2O2tin7+JDmalJoVdr42aCKLA2t2Fw0VaVJ94Ju9BgrDWfuFnqauHdZAuxJsC1IzGpnZra8YJYQkcacgxkCz+zNHXOo+eSB6sZcZoq/MY6mxmqcfZOvCAb5fWxqZidJAhQwLQDqh0oVXLLZM+UYnzs03WQT+2Pa1Ful3Bb6c25cvajj7vTgwCPBfyKVrnFnj43dErAga/amqmOTIk2NGzotVOKb0nZbkMNuF+6vetdwA8gnejgD5jw7A7MsHkTKkWnZNksFlu2tTPyJH1nsXcgXc3nGfGeC4MvPbdkrW6LPLjqxlnHWTgm1BptoPKlsvG3BBkwbbMRuCr0tr362PjQ6JpoUQIAprlWptU5OApQFquMaJ8IN6VztIVS6XXhnFJ2c0lm/3EBNZfTuj6ZY7gI0fD7z2qxtz49DoGgwhIQrOOxC+F2IX3eDk355MGKudQWRrb45DpOvthxEPBPmM7TdAflzWbCCHsCduadJAfQrcYOJ0bwWMEYAZXRGm+Lj+YTjT/L8zBJocQExE/U5DM70oIWixP5Cd8l75E47naRoXdEyA1fvCtZ4IovlaGy1CbqAIihisnqnRji+2fRKqP81g6iX4Rwx2605+3KoyKede44/83quw5G0pBcbj3FhwnCQqrLlWRx3gvzTg8A46/ZgQhTenr69Hf/Q+28Y6TuDa9VP0prNCKjPNP0wgbE2rmN+F/NltSOqR25IMYIc/5P1c/2IJlIVF3BFiFoZ6k028ZVQz/QUJqllQb+oM0laD4DVzfLhsEDprfBAjMb9kGxbdp+dBrhNwaCiaiBvMeby4o6rtsCXQSWRNryft2t+gVAaRV4sX0zqhy5LRYZHmUDlYAoL545Pa4EwwWwKqrJD5s1cpvuY+eRCiHCUNKAzj2zKTMerxoJnpOYcZryl/5nImg62ykoSlzoDPkaM10Nf9FEmR0tptLdiDdmI7zYczznCithx0uJb9WUkX9yn2KqMMAjUGX0kucDZI5eY2ALvNV/E/nSdDbFKvf/LUn7AIeZSXfOu0shOJNYdBHuBX8NaOToDja1Gb0Owyru/rNR9PlN0NXkyBGojOP4/vAUKJX0ZJktMrdSq6rxSGkRFNDV73MzY9K5JMwbSMnFkdPJZd3NmTcijV9sgHm3EzQ3lFo4VxNTdgtyn3TImpJ81GLUscps+qSOpWzUQL/v0XePUdQVeVZdFpiv7onGBgDYybADZZuzEChXJiWd2DV3Ghsc3k4oN11wA1/w9IK5U7xE0Q56+s7HL8RLRvTKZvQps5U4PSGc/mOxnWxTRuBU12LdxtGkPblymvCKaqOMPTyiUxxIfkvMjcEgoN739lIXhrfE2SlESk3O2+sdXJxLOaC0cA8va+j8aR4fcjH6nfaE9lB5nCtgDVt2t6bkycaSc2cqYDzsAsgM/01wsge1xqVEZe9WfOAgqtjOIuB9JVohUIK9xfcEZJPA+Ogyd5s/kze/rEKWuLJtZGVuPqSRNhmBSpMbxAZklTTyMdvMsaWWFtzghcWlGThVVhbVWs2p5TYVLjL+UUeUQiwqnhVzjGvxrvxNfFmicibjmE2x6hDln5T84UC6kjZtddXiHd5vN7tLC7faTcHpa7xMdVJlIO32BeuRd0W+y5JcwSdCZBSmErchkNDEroVpEBOXTQ3WEAEMaU5ngN1QzUovEgHvW880kYS9CcPYf+S9+7Lmar5Embp/76WkAnHHg32VD3bojkgx8BjFRNz6xKVtqpk3Cioajmbb8nITwlSHOnABe1UMXm9keEy0ze2GDqLYNSZv1fEYTiwwu1yV28FG9I/Oqdyu7ki9WwB3ZalqnHK1Aqt+OcEfSj4UZ1Kvp2U0u0yUtjDnMtEw+FATTdPmIHpBqCMePVb9Eu354KJZk+D4Tk6Wz8uBSKSsIg4opBSDDqrf8w67I8+DlXrQoyxorg/33/QrNW1YhPXfDy15b3lexetLQifhF6JKmaEOheAVfHUNJl6f2nvywvA0ORodqNaXuDrwLKToHo5BP775ppjzmhPHmTGRP3iAzvcF/qtYj4mn4Tt98esWKoSP+fMVBkN4huYBSaiSqTGjKQS2MbYDlemiqEe2qwl2MLkSTY/m9JjbdV/yMXIGBc4qGZhffxrqh6op2qfKzew4bQBfda9lVD7726dBgyel0neU7Vhk4XU0EdHjvFX+FRohacgbXx/YfRzNGWFqFbVY6NWqn9VEAq/nZd6guL6LDp/Ti66qSzZrUQ/g9poepFd3DLfdaqt1XT2Ey2VPHkq/Wf4m02AzCMTqyaY0cxf9fZo1bk2sXfoiqN5tCGj/AXiXttxgEspgIAJAl2z7OEzocQisdjrHjjss1Iq220SazHEik1iTqEgUv8IGL9it9LJuFCNynxNnaagZC0xHO9Wxfn7UExcLYM8exPiq73vbZVOXfYva+veeg3cOADMWQmx6g2Cq4830r+TBvzosYC7UjUbwS6Uwg9tvp2OxFtfOwI4QCUuvZATCbS8qwURk/BP9fBJYiBLYWu29oJvI2bP2M3tf1gYCJmbPmBehQ4dJVRb2Y81ssntF8OViWhZAK4/XYmIvHDfcDNtdUoDfV2fF8GivPlgNT79bhlioxO/nMcRCQiUGpd2mh4mpASfta52ZcoKEyDiIGtvvxzyB7dFicZAWUZ8PuVxBiyUDxtbXcrY2F561Yun+7BmbikWd+IitgrgbGrNZkcyY726QtYtzKqqvbiCLw3Bo3fg4xfKNDhdM7eMucb/kY49slBR+J1UDZ5438kIydF7GUf2pOc9/IrTzRwLR/37ZaG4EsRhmIGvZPqffZsVZW0/nLozPGAMlhaUqLsLCCkdSyUN/vK4cXuSW3ESHBXDQPdbKVIORxnBtNaIP1ufVtG/EtZBy0/3Hpgh8pADBS4C52bUhzwJcLYAz045CRKyiySis+pd2UWuoqQdqOmrWBYmN/3g2KozNEKmNVTduRcHzAMkzh63QkRPnv0J72ewdfXEt1rbqYByWMRY2pKQ55HcetnkdiGRaUZ1W80UYICRQcitESgqAaeDugSvrkaIXnh7ZOX0ztB4EnYme7nEUd+UEJrI+U4Ihqi6KKhuWvBWT15ynULnkVRDMfeT391bOoFPWeTx9uIotJ5Wv4q6CMrhvIQXvigKjjr2U9YexmgxSifjBBq5yeS+aRgZDTICQ9oi3axqkuCeBG+X6VwW5NLuA1a3HnOoeFnPt5rVbDnavzjXYaVk6PkBGY7KoAaB89qNhOXJINa6kov8Bikccv7F1TQ0lwOX9JNhbl9BOgR29j+KtfWZNzRB3HXuyg9DiB+TLHUsuA0xTtNTHtt07A1uOX5pHswGLeyP2I1piUalF3G4BzgirWRi8ZZvkfqmeRKFEsYh4xa47LDdJ0EYiauRIq7NwliWjrZl6vmKVmXlC50Yv68P5JepQTvJ7I70kloOKhM+GeBBggRwH2oDMhhtYtE44tfE824zfiaOrhLexVtKz1RqPll9SbLgJEKzb4Uw6s49KpXavulGT1pDN45GGhc6uREwBLZsKp9K7qbtFcncpZrx7+JuhBlbC+JJELFQQElmTFxgDAZW4K9GzZNiVTfR/vPC61PL4KMWnH7nx1ecpjLIoTUcWZjSF6z0nGenMII0gytBcS01UeVjlD1r60Km+18CWFX26JJWcnbkMmErqaIw+xUfXQb0iYusL6fqMCcoM/yUN9pU8supBTC9HPlh1X1CElM9Af4e502UX17zcBmGMQx2RhEWSAbvn8wgJePP7DC6AgJAvzy/NahXFJVmOcAJyyRSTD9PE+DAgLSq3x6/8VgdO+7iARKrfEGunPNSacfpV3otY7KKfX5fFY0GIOx+GoccgmIE/TolgpM2niwFmPWKQbTuJP6RYEN87/xNrcXoa/JzlSGiDxYspuw8eWi4oZ6ycIMIfBcHtdwizB7w358JUMlrFueyc0+8dRSnMlphimJXe/gB/E+LJSSfkGTkLUM3WuppTUWNGcibtO49R38jQpRXjgtxDUl+SEicw6s4rcNYfPViBqHcUhZormHn97o4zd0NSjVD+L/o39EMuYuYxgc5gBn7rO5ji3VuI38VkflMDckneqba5D1eA9JM6kz3gCypc8D+rZUjbLL2FWpehbKo2lzK2pjKZGOjRpfNHXeJlhvG6t5HY91ftaN0wh2JHrakNHEAo3sewQSMR9jjD5ALOddlox5aWj842bXnfHNkyv/z6aCdGTRew7G4g6w/tHWrbfaSq25CXSSyyhKrUlWmsofyVNaKb5RihZwlHSQZUuwy4v1rbH68M76Tkcj9aNNW/bHCJTnJOyN9zaPuwU79bB/LO6Ma24K66C43+8bdM57zP/l+QdM08G+QEVCL0btRfihfmdijcYU9hCKS0chcG7HaR6qWJOJ2ibZioV2YSamFIYAOWouKRZ+bTY995vGR5A9qG/4a6xWvkZOryyZhE1HCgnEb8dkzX55txMrId9DEyNJo6F2GzaZb+iakaSwup6+R3+zqRpkpiXjBLYyEKf/5vb2xcarEIONgxaN/E9S7tXl8Mgd+FP1ADH82jcbqMGVtlWLd+ju9oVNp1wNNdPbpbKuUZlK13k+nDBZQLLc3PsW/Tznl4bUQIONaeVQuoYboK67eUvxM2v2izGjQb8JbZX3PVlZqOq5xESBkDKYf1nwX0mob/U98MhuJHO4Jf2HDOrHIXUk4VX4IPZwEvTSr2zUodi2G98TUxayWi0zKu9cRvzUmk2aeLSG/0HjqqPT2QjM+BA8RoUXwARo3vH0nKWz1jwah/KvrtKIBwNDDEJ/W5qjb/vhuoE6nUMIFvKxrEIw0yBOuFhbZGyZZhjThtrq+If+0OKG31pJhrPTi5jnjqZmUsLGNtHGiNpltXtMhYOl/uK5TM1FIuFISROtRJPVtRN5RGTuzhGoa81H8yat02D35wpMrpvgi+Ysx6UwBk0Go4dPBvHSfVCYbOjZNXrexSRfwV2kOQ1FILZ/96ePF3ps6g6dTR/bqFeo9XnApWlpE0ArSJTgWms00p5Qf2uEu4qqsiQd0AhifYdmClW2eCzmJ7ehZ0b23t0O3okZzfUnXh1rrs8byd0FADhVla20Uaja3MtLjOGCngYGw6c8BbsVbOlH/wIuZ8NuzbL5wKibZ7aWto4lbufklJojsvqST3xRWsyhaohrzWuUVygzf1Tr+8rIViSFdIz2at5Vnu41uAKkWuaLGLdBZiphP5WLmRpX9IHY6iShTiBa3Wp/emfLoPlEqxiJJrnmbfS/ATzcGooXjYyRw78PbGXlxEu0yUPxQSBPXXhX8DxDU9D9lUYkFfBlCzRzdt57yUVKeIq0ug4JNBmq+F6nNwiwoc0VgCa3Mx7gCpHvPoohwvxcCO03zDSQREubRLCjBiBU96GRZ09+9B2lGXVBWgo0zPWuGDeG4WSD8YY4BMWrRkgLAbczW2pqWqP8GhcJkDqtThCQjelES91GhJGtOAgsxfJhFy5q1ziz12IAzilayvnRT5IDqIeaMnLvik7Z8mNV3uienZIpz7dRUlB85s/ubJbjeraZAr6c3S3Es3RuQe+Tmu30LbEJDlXKe7r6KtDP4SZIXG12uJlbPSiCR2A1XP2YNsyxbq2rsdFVpVw/tdN+i5syL30CZNwxQf6xZn4KRnxmao0TrGlveL2x18m1k9RSpyebKue7eZh9x+2Rpc0tOVQ050qJOfwxHQGtGMzO57hm0BZDm6gjr/+U4hCe0GITy/uzCasHjkIOuonNTLJGGu8mDmBtYc1QQqbzh3xNbXY/nmKzIUgjLfntnrJ6qWopHOaCOEMFyi8R2kwaO4AyiqAasW6OMk8/LEKXebjcVmEXRdDVJlcUAfqZF7DPBMLLN6rAgTRylnw/rPPtHOU1IQfmjY7o2q2oZbqGVKBEOQmyZHYcd8kf+/WlAB69XPbByrA/leGbkwiceFyci0jAdezmicY/xnyyGfnvlsOL6jUkzrd6/K7EhqSDoSehd4emPZ3tE6ELLo0ItuCvDMiDXPgXqxzB1Q3PF+MXuZkpgm2Cyw1eRYfrrd8ZH5xIvxZt1Zkz5reinEer9T0S/ATl1SykVxWsjeypQPQx25kRboDkhXlOhT3vSBjxx8opKvIRzSA8QbnZLi65UNnfOSjrEUWVFt1IyMfkJs1QQQm2sfSN2r6Nu8Q/3gi2VmPiKEAEIGYPPWaJkA5EcLD8IYMtptW5KcnJl+W91nxsRils4Azx5NwWL4qOGA2BOP2mlPktwRaJX2bUJFV5Ih25Xp18O39hS2M4RcTqmzewJKubZ01mNMb8wz2M7SKJMKxh+FVqevwbB8BGanQQI8v2uG8sO0ZpXixOtV7YvUzjF1VmVDtsa5JESLScTdZGqkHua4pIpBqrH4QREsEVp9DtYvF+oZHLmpm0m64SryBYc/vohgZt37lxK3GHD7iJXTb72yIyTQoQfviTvWLiBO1XEnfW0iD62chIZsMw396zkyVfe8NRtEh5udE/ia+hzAyHHg4LJirh02xTG5qX5c2qI8ZfBA0ang9ZiXzUm2Er7P4EMy6Weoxk6cXffCPxU+1K/8TLw73bXRNauTgkYq80zMlj6yDVJW2rtqiP5Ra3K74RMP+OWg5kBk1x0WgxWH7j0/nFGrpQT/EDlYKlixasS+FRoxMc7LMNEiw5+0XVANzfVWxYjd21JjWJo9au0pwuaRAacaMPXO1ERj62iuTVhso/08uo6fPcEeyHepp/Xan0hVvr/4sQgQvN7wUQUubWkK7I9WxRGOlzovXdRwsA/RtCFue9ejBm4GIMFznUgQo6TVlPpWwknUTKkkUkmNWRurWaQr9RBoDqhElLpWfdAbOscrVcxW/IT1kiaF+UJjdsDyXyQfiyjkItVosOSNaDrflSkiioJH97yrGjd5qmI4pVHxS52EI+BH5ozE8zQkML0xdqXn+ufkvOb+BWY4VsAe8lM8dNkYHptzRSC8HFpeaZKwXrsVCbxlZwks+EBsyGxOQ/28RYK7yb93laljKZWERknO1EqOkpewZnY0O/ZaWj93QrV5bJ6o3p9KXtJqbpgMn96vyB6tXCqDyLBVbEEzjt7ffZ+IKnPn45w1gKb5lh6MKnzu4bn1LzXFmibPAF38ujBsy0YbMtD6SaahHM8p8K/0de8rncQRq/Ap9ffaqoexB8GwynB1gv27Oa45mWGJRbBgS5r27By06ZsHHyEP4FJWKLpMtEywNIl4Hb4MJ82ha+Me/zj4RFzdW6n+aX1ZtsMKTnU/3aWjsG8HHbfPWRwwA7UImfjizXVlJP37y12q7g0brYJYcGORjgnQIJKGiDViKMhPhp5t2dbbSWNXvJBoRLLkDjBb3WV712vuX6Z1jhEIb1Jb/2J5JudKEvSIv40WcC5PHyjxnSaIBsQny/JMTktJX4It4PqCsIeheJ2UktFEpbt4WZbJKG0RdmGxAXDVZnLlX6Ia7grGJGJeA1/rATjCrfxVt3GZBjdMc2dK3VlZnAFLA37qkZl5oMKK+r/mN4D4vOOqe2UhtT7jtXciukAJXT4C3IY6vTQQ7IQ88HYfqZFNgNTXkE0cU0VFGkx/zkAk0RPKj8PqPjDo2/FQBaJSfIbQ1cH4TjSZJcu0vF0Qa6KhU7G2L57nP34bcl832UtXaf8KHnxqRtyT+reGWwPQB3ZpZLCUgLZTIhZfCPj6X5SemBpsoYzIJ9qYDLp2M4tryBvcsbRmvuhVyWweFJVcgqzqjxcS3eK02cqa99cJX57P5//CFAFGtXVn7xvG/WFIljYL8gvaHz+XK0eYYZ72Y+JY5srtu423lp8rgN7FLVBjuC6tEleJ33OjO/eq/p2pzEsKjQGNdWvsY4Av1Ik73nYw5VQ1ailfxt1OXZE0yir2/MCwWjp2gRRRVBS2df7A1ZuAHXPexakZTT7jgGjbHVo82baEBhCcP6bCkhL+LdCM34jeRlFmH7ZgyGwzIxgae6gL0NiXihKn43hdtMe1ixHUKDvDAdrPTFROzgsdu0y9Ns4boC+tBqRcFwoWY9rhQrvwzVECt/XPDCMxz9ucKrrpB2cMpxtWZP48E/Egy1m+BLLC1A2xU3eMze/YTB0+F6XiVnlPk9Gjcvf/yvSUmYNpMoqrkh7Kj7NqPWJLVuAd2aVbFsBaJOKflzRjHtL9owyRPuAGivtqBAUq/gQ0NzO8mSaS9tbsouhUQvbc8qDwmnRTA1JKsyNoZQc6dtH60B3UYS8OmyvKJCj9B6pDcTrw+LsiDtZsUDocatuP420BiwQiouyCuuGjfx8J2R7r/uLszD/RUU7YrDcZtWOU6jYpUV8ARo3OmqFpW2SZSlOsQ7TjhY8gs1R7KGgBUi5t2M1LU6jkf36S/WawGNVyzF4XKdhcXTu9xbcGoqYVqA9P3JguKRUy6FKRcKtpVHouzzyw3DW6ytrvKhZdCILQ9kn16z2SBKLYBzqdx1cfjs9cHylV7FOfonb/KSNLifYSgu0f2Calup4bIicGBKoMArGbIfyanR1QVqin04rljI3F6eRV2zHADK3+LCQLmVa7Axfewyc8Q6QXDRRVp2xYVVlzDiBwjVGWKuXv9nyda9j9i0EYajpm8XNvKmtLKye2BpnCN537Shy8qMx7FWywibdHnDmClHvS86VFkNMJTPq015yGbt0A6UBRo3IG97Sxpny8l9ugwHyffbzP/3Ui0i/8ymvLNCq9XImH+FJVKTCS6FtJ3jJ+Desc0O8LC/t/sdHGEookS9xi5tHrZF+WYcZE/fRncEnEt7V38xMkK27XSlmiDPWN40Wag9FdHsue7xQePZwL5Eq2/i2VPDizYkl7Bp5AtAeQCDgYNALeNRlCCrjmBLskXOxSPEvM6G4hjJprEME1/ua5OFZWlIMahvjoJun54EfceLRrf0H6Sx0GDrcOsq3pnd5HjbZgHeweg9+sHLdpmI6RFIAiuJ4te/pbEJCjBCHIfYB+xZLmEWycjYi/AijCtT66cx4HOyvk7jtbKxW3bBYt7Wib6dxjMUoVaZ2m+Txk+oPIr+mm0WbFUmmtkNh6RrLMa+feZhhWlabvnhInKNE1mG5RVi9HbJZjjq1XvMhKlxrxzLgQ8HlHayTMHMW0cqQpXbTHsE8tf5VqXWPW7R8DEqgGP5NNHRgwsAqc8Oi8FOD7VHrjk2t0ztMLKNufMI8JIWJc6XovJHV+40T/Ghm5/CZBFWhXB1P/XkdKvfL2lWezg9xMAekmXOrG50IEifD71RXrpLakl4XeMj9aCJH6WY9QWKDDPWF4lZHxaSsQDzfAXAQ7hs6yIROOlws5ZhbWuruawvKY+22PeVJy5UzRvUgxAP+5XbG6Tp/CfxrXTw/XjsoJq3UtcoVdH0XWJacGvIrqS5OSBqdzQLJ1sa9hAMWckaTg7mgj57J06v/Ts89cplFte+t6eR23Z+MbaJH6trJzkPb1IG2bb0sFE+XWsdQ+gDk/yeJSEeX/w6nKcL5Cu0PjJD3VuCYK7lTxVOBdlIZKgOHAzym0h77Ag=,iv:BRLcmRd4Xc20bPFN3qVv/5SBMoSTZcv57M/voHMyOcg=,tag:NeVKLR5+eWsp4iBxkQD7oQ==,type:str]",
-							"headscale_ui_api_key": "ENC[AES256_GCM,data:vG6c7M++HFN8qsi6nGP+TeqkR4q+Uyh0AnH+jTbIpQQHsfWIgACwGZ//amEGdwf659+yj+30DULDWFxO3zaS5A==,iv:XtwNPwj/a8d53ibtRtX45tTHbNYsKn65Uh46Qmsaod8=,tag:CQbwTP+NgOPGn9sVocL3Eg==,type:str]",
-							"headscale_ui_cookie_secret": "ENC[AES256_GCM,data:ecXKnQL5XrgovNkRfWpEk5FzT2Q1vAf/3o2DsFbKjsiRKPYDPoh93nVoJA5XNSmko5ROBrl78PAeGpT1RpnNFg==,iv:PZJZN4g4GGGuhKaWEdE0rVc4TS52uyg7JERpAXEs2oo=,tag:58V9y/RnyLQopXqsXQeF/Q==,type:str]",
-							"homepage_credentials": "ENC[AES256_GCM,data:0hNhHTqoUb/QiwtpjEiQxaaP/uu9Sx8YSRrxj/h3tycQANYRZkmNLbFrrU8XM73X0eUl0ummV5LXhFkSu8m/k20hCHWlzRfSS90JJiGjnOXqrS6bGi+CTBbWvUjBZGw3rCYLeM+GMBDKT2Yxi9AKCeYl+m/wcVJAzdONPG2Wg9KJqjxXd3DdaiFCHzsu5Rs89RZI4WFIbCjNh7c0sfAg88SvPG6dLXbTj0s8rtMidG13UBJ51kRf+cRV2+fDh4js82LmJcLd6JvGwxVevMbIE/tWmRkjb7f7b1FTaJdFWJxrNGVRfTu/uXmMsBhDeG8mSbF57BzkoD5WbxDhvZ0O1x982fMleqr9u8orOJErziClBEdavnIxcL6SPcgdf9W3TrfM4WXIM8GnqNEmT0Akidubsxbu9DJ2ZNadMOAbW/++CKKUIXHSh8UfGd5l6CGyjlfxx6puxyaZcGFXnUQyB7GzuaqpFV61rYIF7Vt/B1yniKMnVOP8p1TUGtLdYwpR3Rppl8lt/LK7uQUFfEoiWsrydTl4ASdWTQf8+J55fcXtwPEF8wLaVP9nzpNE3PBm92QEV+znoGtowC8dNQ+z/TVz+l811J+ed5B5QgmEOsGnnWC9yW0fO6Zy3LRHWG/ZDbzfIv0c10J4IyJu8cjBivG5nUnaFzg/W6vkuJ1f0u6YTbi8pbTSGyN/5D6rsyQ/HvDOKgXIKjQIki6slP1nGoX8usTc6ctYsIeJPnNMtBevt0F62QYQN6IIirdHxKQpISlicJcMNV+8zzswsa4t8Fwl5Ed9Rt/2MwJNb2YPj13tSlX3X9OLnpH/Zaxz0dC8GSrsDDr+CtDfQAi0tAXwvheUsTah3p9Pkser28EBmM7kCYDrQnnMpz8meYJx4tqm9jA76nY/GrKaZKrbE8ZTwQTcPOtDzNOTAIyw0ci9JUOk+qGTnCAIWUd9SOlyaWRmw1Yoht62nOYr9VlPTCb17mUpkd8SEvYQ2vTrM0GDtJPGgxLsI6Y7gk291IjKwnXBYIm4whZiTQdEpVWHOGMzxnQbZSLX57TZ7ghEwQn/CwpycSMN6eg9JiQcA/GH3yAEMM+CZMzcxOctZcsmLfWcyubIKPV9FV7fZaID0jO07jEf95N0fNuPOwutSe64Po3/LMhjvziYqA5EoXZFsPtGkrKo4zpOc1GyyZcOotsVpILls/76k2OKYwDqjv4aMYZIT9w1AmcrUkQ0Adm+7hLr8cWUCXlY+xC3XmJCjxVfpwtH+g/BY3Jxf6VBiUSC1vXdLYXU9Ecyxgmcg/FZL2byO8FD9WCzWeR8UiTRneQG1lolzDmd6VqjWwpChMMCwEIG4Q5kF0oUDl5TqYyuAj9mYN7UtWid1c9iJRwbBJCtX5UQ7GIZ3DFoKrqk1fCSQ/GPoE8XbEIiFvqLIM7Uj8eM/Fc8BROi9vWg63TXNgcwLTvUYrLikOH0rl6bQwZAHyD2me9MggYgOfmOY2427Y/MaNDqTW+tptk9d0v7K0XvY7ymOje9dG0Pyyb0e785GUgF9r3eeFY5W1buOMqSvF5TQovdpCG7idaIbVIvO0NG7/1igRQr+AqR8PyvY0o6IU2isFKayvHtTvtmRai/yL+EqNqdLu42zMmvLHmKyj1Gi0W3yHnJsjn0u+IRPmTuIXPHkw5YlFUaJun7ohyBhIiNzvQz4V1h5EnQ9jHs4nBllSEpwPEdAsTe0eg66bqd4pH6cieeO1DjKHTmdaLangKFJe/x7forQFu/XmOIzH0LAtiFxejEL1XyftnTgmPcfhwVcyLpZQk7ZqKXZNzTIYSDNnivfVdfWwEhJ6tKZkkDaPoqRTClR0oZL7h2njiez8xC6PM2Okynzm+D8tw4yntWDRlIOqezv33N/upHmhZ99R27eJkO6ZLGS4W8LddBLa7V5s+bfW/33XXbzlaYqDujCLoCpF9MdASnu8DZkBATZBPvuL2Zq/40m3VFy/CWW9sqZ+Vo2hHlhbQ6QvDJVTashau2LsFx6CvisGfwI8D1gfoiNZMVapG7F1qExpzDDZ/AfKN6dC4hVoMJbitgrRQ5WnoMFLfj/1kQTkQ6JqEEBFg4Lr5NLIUnCzyIoOHocWvBtMBPtOy3UlnguUjrvM7ilopQdDU2xnUBOCv7Qptq5NIsX3Id44Rec0G7cLpnpiX3iuGQOGpqykTPFAoPeXTaYW8GBRlcaHAf+8Nx2+c5H0SGbIiOr1FJb2JKxinDIDZswRz+cW3KTfy2N5t9LMHIj3KIvWqcu5pQpmL6rWb4icsYWn3G1ZwXIts8DSi4Avee3ZSTDs+5d7fjKQJvmj4NQSXmzeE71QWC33LwHTdf5a/3dpYuPcTju8sTJ1HHcoe1NPr9enPykBpg6TXVw91j8ECDMGKrfE+6ZAUOpsyQPH64JTsfsLDrSI0r8Vt2KL+9NvzfU//VJZv4T4n36Wm6iEbHDe6qH00KBFCXSxdrq3Wqc8batC7V4QWefLXtITfFbv0lRR68kNevT3TPsnEv4l1aHiX64UolcgD9l3NWkwOQeCX8bPhr+USxU/daZJLpw1B1ttH3HjOV4WiWeD9NZ+2qgyzX4hkAkfPGJtG7YQLB2wilA9Lf+7La0HiCXCl4G4VMmOQxh0nSliKWG4+OUTHkZYvxdSvt3mtLSSmITH1BpV1z/+Q2URhzzx2sPrV3BOI0snOj9C/+1mwhEd4L9hH/qkUkbYNYCzGJshKE3Qu6jC2vlZzPV+4NSAhRLa0c9v0=,iv:6RZge83xkKT4USW8NEGt9zYExIsPVTiuR5sB9uYH83A=,tag:eYnC9AluUN3asyWC4hOLLw==,type:str]",
-							"ingress_crowdsec_api_key": "ENC[AES256_GCM,data:NuzXm2wDislxpHoUpi7cjSQ3MLvfqxMY0LqnYz94KSOSqiMIFsEwR20FEg==,iv:hO8N65nCv7oR3ulxqmqvggB1Wr/BjMSsmOxAKwgkJvY=,tag:c2Z8G1648KCaSuLM7OWf1g==,type:str]",
-							"k8s_users": "ENC[AES256_GCM,data:GmMSAWTlg4UhHDob8d4g1x/FjIGa7/PdUvRdOxxOvrGT4Zr7etoSeT7jo98UYvjFHDQptPKvcPb8vGfZr5lAITpyWnqOgvF6GCYT30PSwFJuqe8/bdwxcxprSrPOy6GjUIcyRI3KdhGZTRDux2MB76PH/m/+bThlVtBktCh8ZLLDb1N4/Kw8wO82gwhUELXu5fsRoyvn9IEfYIHgVQfa0vmFcWzwl85I/5lLE/B6W2UsW7maP5Wg1v1r1Ez+xmKW5+ksXp4LVVLnJ2tSOMxrPLmU4V1lH/w9y2Wj81pM2Gp9IkADxNrBv6NtOj9XfZFYUrm3H3nvgyKAoKFoK9/tA0vdaV1uOqMf6bD8D8j/sdWJSD3b72mTILQWT3JvDWg5IP+hv+IS8FBe1s10OqQ2XOTwoe7r18q28EJNbzjWRAGBeq5tFF0VNlpvtrz8+nucdrSe5DilDxiRCtCOh6zj7ZfxSSC/gX9lYTJdwige8h/CqF5ncFzedgeE09nPhBFF6xouM2JLOj1PaqldO2rnnHR0Ls70DJ15YO9aBV+cZrxd2ib/grpp5KISc/jHYJYUOBL6gwYyOeJgrRvbyxlejYBuit1DXXxPLA+fKb5eyfDCaBSgbKru4N7MAv2163yc9NgaDtRG80UTLaq89OjT/RV3Zs9z8w+BCaPzCm+lGuxF/KE=,iv:cE6MswuKdWkvcqaldaiObtPQ8DPxE8lWHypWolGfIkY=,tag:47r3vQNGtaCSlHt/B/WMiQ==,type:str]",
-							"mailserver_accounts": "ENC[AES256_GCM,data:bQYNYTB74xPM/8kBdpabiweeM78w8hWmzlBqLaN3vyMV92eZSOLdN8NA3dJCefgblckj+TpP9AcmGt8Otk5OJq6bNtYtguH00hegCywDHb0cy/pLBl/KnsaWMtahTo3+G+wb/bEn7voX3TFZcPif1d5wxTzS3c6IrH0pFbEspl+84WWIIYSGSBXrpqfzGUEAIbuYBoWKd4fgdtq5NA0Y1FVgxtKOv/ZgCXz89BeHVUGdSTE/K+lSlFesZADRHz5mfnKHF0e6jdGRvlNLHgYpxPcDKeAmISVBUd4hs8wi+Iu0N0XOlkxjnjIPlf0ayPwspdyvelgSS6Ark95E+rbzEz2f6gi79EEUiVsJ1Bvx3+k+XKkgqc0mlG+aIb+nPpzgKo5QZctQ4bFAUeGoohqA0u2E0qpFANYohSJKsYwJxNnR+yTNhe9BEktyuhZvQ0k3idSM6/i7bum/iMdnv89Hv44MsGVZ7NoA+M4ttf/A0Ga8Aqi1s5hR2CqfR/RcIwWSoLfFL7yo+ztfCCy2CLvnNJQwQ+3PJb58JpiCNva9oARlGLBw+5mtk/J9E9+80xJInJX3LZ69SE19qreM8msVCrMcPCPWsPQ9JjmRT13hnV0zw5GWUslCurgSJ0diabJtyHIllJCnriTgJ2gEilwlTootAD0AMy2g0HoZ/41DUB2C63myKHwHtzcFexKI8FWtFfyAwipP/nfxqjF2PVU5/k/m39dY0+42vA5zN7aXxFWX8FZFV+XlGvvTJSNNVID+7BU23bXTNouvufHv+8aa+kv+ZMi6rm26zJmvYW8OL463MUk3T6fNIlAgoGfD9TAX44EI4hoBnDErTaXZ+cLhYVscTOdBGIx0LuL6UXSPBVi6ZSbhDxeW3ZiNlKP9zKvDhpZyam/2TbhW0ecCD+ID,iv:YAFVYnKMtTnlatTs8tOldsmQSAnPpKhsryJtyWY53p8=,tag:6bXhQt7Kcxd6y/B9hjawlQ==,type:str]",
-							"mailserver_aliases": "ENC[AES256_GCM,data:deSqyALijE/ZBiKRCdQjQ6ri+JNWgX0Fyd5SPuBYHtyqGHi6dsvFVpwiOScq+eVRKs8Z6ju3OoRcMn6vwCTHuL3HS0YvvqWUWIZxVKEfGck3vKsnciph1TYo1WEqfYIWp1f1GPsOptjEs4NjRNt8RMOHhGpiKVBjyaeWlT1AocC0osIy1S2HCKhnMMm47c2Gh1cCLVjGALOYdZo9xsAnlLexiOOTrUoRoOvlaa+zw+DxYaKrOxehMSIbW/XLSMlu242ahRSNwFbmiVpGN5RAXSRNoySW+DLcSqiTdBW144ZahYQy8v6vroY0R5d1Nk88ADPKBuim26H2+jjFLev15eal0+q5gJaKJWX/sA5qFQ2yAwwFSJ2yGc+YlKxp5TeZ50XlUquagdJuBkLqNI2ednEqhQsWrAxEbx39P53nznnMuD9IZp+r7z7tv0ca3CvZAcx8q30PvJyPAhfz7voomv0mrrmysBse/1+XZO16GZVs+0sWNoO6LtHXMbaS5pvvJX6PVDYAAKpzLClWFA1i2eM1t5spHAunFdD32AR0dW0omfaWmoYiA5Fi8jnEcCGX5rkV4CK4eEVfhls67R3LjqKjGaLh,iv:Qb9iytaSFM86yrIGiGdKZj0jXTr9X9uVbgtkPl04phA=,tag:qW6eISchOQrB8OPt6MP6ig==,type:str]",
-							"mailserver_opendkim_key": "ENC[AES256_GCM,data:/y3vxatnsKuikQRdv3PmvLN4Wp2atHLJAWD3xT7OzB5bmuiaNFIDAa3zoFbt2QICH2HECEO7R70p3wPXucso32dkEySRfXR6Pl+IAnJbnSiyZd+Ivrxa9n9M0aouYhj9yyhcrSMmTerpzTu6wwhJ8rZEbueUo/qCBo2yC7y9bP026VybvmvmCeZKFRzVHaY+vq9kUFK/vZijD7dcodVPnJRrPjW2UCEeGcDHpn0AHuutNPpU4bxZ8Xvlh/E1RSi6UzVuOSfDwyrQQ+wQQju7krsHO6xVRC/JVZa03C0nFlMw5PgS4p/vpPuQl5EVuXXVFbpLHR+lhNUXgd8bgRB8LqI+v0YqYAFg2W24PATwvsk9N5HSVp/OY4ko+NMYOfSnuQKB6VApLBdqtJXhcopyy3I2pv/9MNyOjTduxVxOTbEe6vQqFY3APOlz2RxSeHeZhX/cgNuLFfDmKL583D+Z2UrbnaGsXLkpo2JhLZzmspsxQOFF5Do3Le751Oc7htbdICQEybB8SBtwSsjtY53jAZOftl8P/Yb3Tf91nVZHtdN0HhG8ZJkIwYz+62vqy9VDYgczPRH5Eho3v2a6GA0/f02wPWXf0TUKymt6MXIhWcTvL447e0ZmiybOVdth5RMAc3ecq/kP3Tjn9m+7iC+NiYOk1XSdIJbkXpoC2NatP6VQxh5Jb3jQMUHlwQ/1oc2jwaaVKb5xB0fk98/G+ruy3T+eLah14F7ZIivzqBkwP9Ay79GMKmqNGD+UNCghLSydPvjL8vxD2AtG+wpDbcwF/rxYbk/MbeVr++XYRaU20br7SeSCe3/Xctaolvk0TYqomwPL55IJyTmm6dbCmiuPg7I+a9BmuPXn3BCAm1naQuvLsf00xa6ISPZOps2+shAY4GrqYqAhrrV7QgzGKFkSq0AHpVVdjW6Hn+HV4bdOZxJw3zRu+sS31RKp8eTib0fwkYIRsDRKPLnAmAZ30pQ9RcNGFzuNE4XKrXHu4WhCcLv2qVmlN0O24o6jVvkINOma2m7NeuPCfo+8lEzyQkVOBKfNzO1PzGcBLUVhrfl4ki6XYxsc9xFU80FNHE0EWjfydWzyNShh2H1jjyWWUEeqxB0GRecNfcxS1QBirlzOQ/qsWG6fKXdMJCDsEh4WpE0DuZAgpP1bE+Wjhe8cXR6Rn9wIypDHQVZw55J8MNKHJAgn8ip9lCDePv4crakAH97DGKqo/SGMz0V1nS6xCulNVjO7F9iXfTDdHopuPm7x7wNtHrA933Arr8aNwiFTD86lwpPmbnosXOIAEqcqBI9vzsRQx5viSN04onRO/UQDntG7SvQGRSdgzGpRPZR/SpNlPgnbNdW3xdkO8Qy3UP9AeSEQQ+wsxS9hiWzwjdbq7WX8NE8z6aINSwjzXlPNtgIeuzAjuMzi1qd/uclmNfEAy8fv8jqwWaXjcVosvLrhfVg6/7sfp4Eb+WNYes0FQWEMh2/88vn/nwwXDGNSpPpSM5auAivcTIOg+vle8TLbCr7GHoS4MJDWP7hUp3Wi5tvzeo9McdaHg5UHQ6pMHsAVSDbo9QSni3F9Kg6S7dqx9yG/DCHgbOvwwTnpR9gn8QQiAQ9bt86XHLElKHcWa8jzYd2V8FpyJeCw11LuJAHDoYjWjMjV/uE7fAtfpjEX6li2/bejN0mRaowFHwUhi4Pt8cm3O0W6EOOvf8tv1h0nFRy0qNA6Ov4UgiiRYSda5pIEgyEfMLv6MfJHNYvbePmSpJ2+3h90kFPacxdSkKh6S1RZCaCxMHSjI8V8tpyy1XQmoYj5Q617/Mrc15L9ewuRIaRVorShWUWy5z4e1WMZKUbQXNJ+QcBUtQGe8+iAqANn4rA3uU/ftEHhs11M2ir0dNOjxIQ/j/Q6PBK6CIMPQsfInzcXEC7/V//WOUweWpnVinIhJ9oZN6td1dBDCXE+4d0Obtj7fYXhZSdd79l3D9/UXHauDQkDYDNLi6/FjmSvum5CmwkTSrPd2bUh+tT0F4FzYXv4vqFy1nTGuI6SCcgFQWB2UdnBuyIbDxHJwW4JvRc2eUDlaVCk0jQqidhEDmi9ZX68A3S7ItB0LYSS46f9YGDRODk/p40epzS2aIeJm44cjsBvM/EY3kqnXBpzGWABnRNqYaE58jjMOSRNN4Mp/NgTZ6lG+xTelnx6iRxhh3K4NTwMYXEKsh+8J96xRng9+Nhqz8AcN6x/AnSGEHSKx2rJIQFIwaeZ35ho4I5RlYUFJ6sZHCiMR3sPhWb7CdjpzSeHwxR+Hfa/+A==,iv:IEFk06DRjDHaPUQorotn67CGQFc0tdJdFXq0ff99lKw=,tag:wDJFEKGIKrjtHbIgYTPBXA==,type:str]",
-							"mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:zsBag913cvRX486KvlQ=,iv:CH0GzdWF2gVwGco3hLxEPiDH4BRynbdFZQlriuF+qVQ=,tag:3zg+qfF9E1WzHdWYQn7s4g==,type:str]",
-							"mailserver_sasl_passwd": "ENC[AES256_GCM,data:XYs0egwGc42kwzf+7WW1BaEv/9d9lWy+zYq5BRsMIW5ZS+2zC4BWEr0wv6YW3+UVPI+vYDOVyDQZE38QOm52328Vu2TvK8R7iv4y/0gOtIiqPvkfyL6d8UvRwBh21vQ/A8EEiobpk+GKUYZNDfDOD35S1nAIQ8U1T4jX6DNmB8LVZR39sO+zH5qJ/OSfCM/sfEI=,iv:YPxGNTxevy+6XzC79jw1eWkRI2VUNDF3PAXvQA9k58A=,tag:VSz66zd3ezdXr9Y4Q9YDDw==,type:str]",
-							"monitoring_idrac_password": "ENC[AES256_GCM,data:nhGoOAvB,iv:NpUykhaJAaP0xcPWt6WOGv74c20bK5zvvCyhLxe7dFI=,tag:7jltNJDWjdr+kycdDMYx6Q==,type:str]",
-							"pve_password": "ENC[AES256_GCM,data:mx+KR3JnhOddBuCdiOoQt2LVV7jzK3eBv4G7Vw==,iv:0TalPXedpOOHqMq2w3gMJPw05Y0mr8+hserwCYh1aOg=,tag:0EktlrsjR24DQsimIh9mQg==,type:str]",
-							"technitium_db_password": "ENC[AES256_GCM,data:LklVgzzMGSFvvLQjaBg=,iv:1ENyIKZkpvFdn1qORVpKDfTk8uOURvsqO/IXJUsREhw=,tag:cR64cus3XIsod329+B1ukQ==,type:str]",
-							"technitium_password": "ENC[AES256_GCM,data:2fgs/AuIzX+6NXYj0bBhEmtQ3JsfndQ=,iv:3gu1NzLXTKsQbY51BKKINNQJUSdskkczxdnXIxN9JsY=,tag:1t+oRCMi/8q2IGDNujoOZQ==,type:str]",
-							"technitium_username": "ENC[AES256_GCM,data:NWeDP2A=,iv:9xdm9PckY+u/FSQqcp313y2QDh8HhqsDBEGAa7FZ6RM=,tag:QYGqJGektGoz30C/kRqIIg==,type:str]",
-							"tiny_tuya_service_secret": "ENC[AES256_GCM,data:VRWTvJR8978yfYosifsOPV7gYJCwGw==,iv:T89wbP/i0wX8mfWRzW4y6owonMj1g6L8Tec4T7K+gK0=,tag:0vHHiI5GMbtF6oo2f3Mlsw==,type:str]",
-							"truenas_api_key": "ENC[AES256_GCM,data:h2lY3vLdCrYRCXpkEWhMZNHC8x0fuWmfKWKND4MQ9Y1Mbr4ZwI7X6x4hWfvoVSvHBRop6eHZmRo+7WCqkwPzb8YS,iv:mf6QRHiCHgmw2TvPJpv1oJW/4KQHlgPdNO1oOAXshYk=,tag:KzikZZZP9kDIKknziB1hIw==,type:str]",
-							"truenas_ssh_private_key": "ENC[AES256_GCM,data:A5E+nhWXQzxy1SQXRUs6nUzOiyxzhfp2OH1DzYGATUVcEwHPCzx7WAQsXn7mifdPhFBXZGn/XSZKj244ONeWqhMK5DdzEyOzgUEUrKfQWoZYJgiaAH/t7go2w2LIehkv0piKC3mY5Cv5C86tk3l7jhDxDz6Bhvw+5PhoagmtbAhVcqaFgkes5NK7DIrVRMD6UzQ8NhFLsD35msS2PaMm5oGuXbwCd2Yjqv9BpW2gn6Iod3VEsHs2oDI+61QsJL/+c3ezvqmIDIieZAegx1XwmjZCOTORvuK5m1QXqwPq+hiepI5Iq0A6g7H88BauIw6ANtoEq/XVznS6EoDKpZmaNJO5vOisP8efIKEJRl4D3aH0519+P8ftWkl/KX5Lyb4b3jfC+pgjWCVT+KWsdUywUunGsCXzT77LEUxsX9K3J2FVp0e9DkXlI0oTxLXSWtHU3lHbehUhI/rEoCLNpJmVyKFa37i/jf+nPibO3ueJTt+Ap/dTAQ74vE2tFxJtiRAeazYxKWM6LxASsp7DiooMDDZ8JzwHgBlWdtVL,iv:Zgmx038/ZXubU9JoD6+4xC2ltqm9+RWwCxAjzaUTcAY=,tag:gJZZU1xPsmEdSymcURg3UA==,type:str]",
-							"vaultwarden_smtp_password": "ENC[AES256_GCM,data:YxbYK4rMlO5fZ2myN5eryMLJ+QQ=,iv:otzmeSBL6ZKdDD8XNeMsfN+rixn4kj9N4v6nscJ5dQY=,tag:UMC/nqgQdJ8AwJue7qfg5Q==,type:str]",
-							"webhook_handler_git_token": "ENC[AES256_GCM,data:3D7IJTma6pkkNY6WQ7Li2/7DUULQvMRnkAB++LbKbPztUJPCs7OUDQ==,iv:zcr0k6W4U5NjPQKgkKqKjxNE99Qc4CX/GECEpKz7SjM=,tag:5RNTlzjrc0PXQG/TFCwEaA==,type:str]",
-							"webhook_handler_git_user": "ENC[AES256_GCM,data:A37H2+EogWmKirgb,iv:VvGWpSay3lAHEYXewBfTHFJ6pD3hZuQmGOCt9Na8GxY=,tag:R4tOwS3dkthpcMfy38A6cg==,type:str]",
-							"wireguard_firewall_sh": "ENC[AES256_GCM,data:Ar2PPuXvgvYbyuDlPwXbobRF6L/A8R6bNt2mWlzDTmEYyjufWWwsxcBS21usGlrO/ufWDk2go+LAg1aHqCJkZGwO3b6HqzqBdwkeXKJx/pFCUrPNX5Ev7YFMNZXA/TwZ+2hq21EbprRcyMRzyEislZ3AxWX86jxYaVh5PswEDahm4PXrW5Sb/UpatOJsNhT5E2SzWeDDE2YFZXIsrYyrKhwjna94BdxgNd5Jzge4Io/5Wl5CoxuZ3yN0ovJSk31dHeVHtPfprWRsDXuHLZQ8lixn5eZZnvudb6nAvvvO8h1/UAUxgAp8XXXHVx/fsQ2MS4cU/BLt8veyyjh5bz16Ahnfj6t8MfqJ9Bkd9ha+1/EBwKA/+hZlNZPlxFIBjUV4pjwTmySl6gH86jeIxfMsKLqF8Dy4T79fMppKC83GbY9e0eCc5U9Gcxe2LdxH4eaQiEYhKeWQ0D8vZ0yL3nUsN+xs328/VqVGaUeXkUOVvY58kUsrhcOCkO1v6d6+SHyp4YBPMbgE959EWeDFea84gqmyHt2Yc60s6Gsfmg==,iv:q6duKgqmMOZ3MtypqbLmpDoVYtUPtrceeBJHOt3yZv8=,tag:kf0KkoEjHEgfGKXFLq3IoA==,type:str]",
-							"wireguard_wg_0_conf": "ENC[AES256_GCM,data:GUWfD15WC9CxqPBG9YINpe8SUgEA8x5td/2AE0wCUTkfraaFZdLV7e0tKFrk7dcEyrsXUPp39nRF6qidapTqGs/g6HYhYGZ4a049AT3y1+2gSivZEGxB9nt1q8ZVz2Y8Et6VpsVfOdLwjvk1MivtlLIImUOul+jskkS1NSn5hvb7P+1q63qBl/h2rfCQq9Got12LvCWFbufjkkkg+fewfCEHUN39ykCBJlSPYAuJtmlLgjTsnsJeKWqFrurIgCrgOtttUC3phy37xSvCVw4fzMmlVa3+dMsmgqemZt0OvqYQdr5DyIbUqUyu+EQXB91uhiY2CT7e+NjvHawRFMvh6WyzIpgHaZ8Lywn5dGdW0WuGEYipNUFFFRismc2wxJkixr5p7R3WbpsiSKxhUK4+/Hqq1i9CRn+n5A/HPwgvks7FaqFstxxkK1ICxGeXxijeka8QxB/gOQWm2845KJtTXBK0Tk7U+qWwoBoagRykxpSVpkHmxy3oNS32LZoP8KAR3zMXTJCDeX6PGPr4ZgFb2wo3+k4t2//fPHFjrjhhzkvTsj4N0igu5tPd9CFn/cuAOQPkp3xNIbQrC9z9GtCeS1MEY1sVS17EX2iA4MFk2yPtL7KO2wxr6tC/ySMTZ1Ad/X80CtYgIyc9IWrr/XKVccwxOGP4upIc0vjjWNuwpSwkUpcHS3/JixIa407YtOQWS72TolZx0nDHUx7deh4zbSFIwNePmO0/56FetZa6fKYgvxk5HUieeCa7qQL47UzaxvjmrJzDpxkDoKnd9TvE+7BDo4DPAFo5JB9d880j8uscTstzYa6SkciGR2l0pu3BVxxvxksmHqMKlxf5n55StjYU12IXCm2AVr80kWfzhJ3x7f+SOAKwHh67FaS6xI2Oi/LyrTujz0I+xiEXtDUDvBYpRVWOneyD3A8JW6mCJJ4RWuV0ykIIieerG39YLdWColpC28GWquUkcMbQlC7+/xgTOP92ckXJNdt+mUX8e/sU+IzcN6BJvYYo2FzPmYFafOJrJ8SezaO0aOxMwPDK26lRgPpqy5SBh+lN5ZiNNC3T/oNCnxc+v1VwUZQuVmNmFc6SWHZAXFNjCm8uNWAr6jao4l5ZHdvfoQz5igOV6Jz7xbUxbT+G3oJiDUzVmxml6jtz0up9LhCEsGyhNH/6aSYJEvnfSN7CXbj5wZM98nU1sHrqnC2RaochLE5gCLI6IbqqcSf/yZfCPewHF5p+x70iCDBxqz1u83tqM0LaLBYJ9XR8Yq3PAs4NPcmSa+UDEmLjii4dfnhKHmpm3CAhm1ZFhLAiJno6CAiRcaBg+d1T96iekh+l9MRMxRdxojyNClKJPbLnuLX9nrwHAEUFpNncmVmvwEZUksCZnxw5Xa5E5N+VueCqSpN7K4YtX6CYtX3H1UIY/ODjwbUMXdvVh8KFPYIfcdX2ZGKLUe+27GHPUucIU7nbiVwCVD5fmhfSMadsXRXD9vjslnSb2DXkiv3re2l2PF5T/mFEBZ3McZeUVBj29TPHPuNFrRRzo/E8CbJuQybKgdgS8x6ZXLQjoo+bSP2UCOOIrGmbY2fRc2ibFfHf4JdJig65AFVJ4krA0/XOiEZbngEd7O+A2GjWcB/s9GrAXqyEyYpW5b0auND6cx2QkPw800oHe/WkdLTLu0w/ZBC0YjqVG0IFzKotcQR4eBJJNcTevih99UO+kj9R2BtRhnBN/d+p7atrWNGGZPrtOKsXE7GVkk3Rbs/IDPNmD98A71qkmJiP4hjfASjjxQqS8dnBShtJ9XB2+ktr746OxoMS4OlTmXPf187A+9oEcUBkNW5NtYdF634r8ZQiEq85hzmZeXIL4L2H4U81iww2IBnTTSnha81AAe2SUD+sW2QVmywZOsewlgSXioyJIAxFAFgrdbSAPHlFs1eUR1tTsBJPIb3HATc5GM28CBXbo0SqzdX7nAUdGPAr8IB9mJomtKG6B6ec7imHqGb0xMW1jVBDzCmGJY3XHRZe7M86pWxgZand0KHaE/3nywTUp05e05BJNbFT0idu+04X5OiYSvICF3hm9e+ywG++u+WVSKkmseySeT7ySudhEruFw2kJUSHNVMDw7vcJXysQFa+8YXoBNCuOWVdOuxiUjulJUuIGNkiR7YgOCeYYd5ANMrdWrQKHfJ3JiEQtceVNobKRbIbvwKKVJnS5xNCG4RrKP4FTUC1FC48vxtIyMKJglEy6TIbhd8HlpdCKA5mXzPQclghZ6EjYUPqKnWfRHCmc1+Gtwu3yRsM8LZsO1RVtfqZkqDimgA5FRqDHVjQ8lRlnrFjHt0nSr/7FeYvOI0KXs9iAdJyFed6poxeRQ7NXBdhwBWs0XFs8YDgl6NkbU3Hy3jS7i8IOgdh4pttfjxHV1ey4xXs5LTMDzglrLUg9KkpE7KOVZIBi8BIIGYi3ZhYGRYXBFvdR4NmpxURMeKnVnJgAI2OTD7owt+GH9OYYowlDFmVux2802NaLEQELw0ESH8Q71K6sQVd5WJjl6I4qoxj8vfW/x9kTrHU3iqvm9rB1Z+kp1dUw385fTenpWFBADHqEumlVgqiL9L1DjiQKgVbKQi3y1802JiXY6eueK+kHXaJWJYFh48/Bd9YqCQV90h1Nai2Ol4AKxo5z0QzT9K4I19gRQ5RFvTHfcDI7ukoHjiFISmOOmR3F+tSuCZd4RFhDWbexX5ieaJm7LQKKwOvyTFB3GE/EjSJp4yV9cigpqDStD61xj6QtNqvIETOMZMALW+HfSQSYZMyFgHWvQxi+UHwjp/Kyj6aZcrAvOWe6x38JG4zONTBsdMcXgzxPalidtdKY4/CZhH71q7+6JMMQrzxiDtjJRemtEEik2/+SbUwm9QDgnrjZMypH3DFe3OnnSn6JoNR6Cx/KCVGid7rq+G1YV3p9IsqYkxVWRiZAtBZJSQcSi82/UFKLr4nct6bp8rSbvcLU25KtO6oMkzwIPrBbqmLKS5tjL2GE1Wb67LE4cbd59d4GBZieqiaeUtnaIVDUfwRB1tKrfQpUvWLoNHqA0/SwKoxM4dfvFTrzOincWkY9JLRaQEFyEW8tBAgdrJIQhctPAyPHakeo960/Dv11QaRI+pPmeUJ91bPn4OtBfluYgN0crv+w3N724fChWaSI8jV0Qzl5UaKcty5OekEUIHEjyv6iVf7CNwjar2vidleTfWluhXRr/Xp8LRR/obcbs5X/f5YI6P+8ZepA2R4pD83RACDgEydP6CB5mcSoA6ebLUdgBKyoJ9TlEHryfauBENyDb3sX7g2JK07DhHH1XhjpRet+KnbY6qiapRqr9CtaduFOg+WPyWDe6HusJ205JepNlHt7s/ofYjxrl5SY1GnwE9kEIJoI0ewyko7mxDnw7tYSKHfpEzy+C1Ahl53kmZp3U0tV1+JxR2iitiCqLU1MwA4uIHrA62IRaAc4AK/eTCx1b2nyACzfYVUIfnMbYg==,iv:9zBAEkIJJ0LCF+GexyJDKeH4rqds/hD/ifxQwmCy7VY=,tag:X8+qdHGzziv993+yxY47Ng==,type:str]",
-							"wireguard_wg_0_key": "ENC[AES256_GCM,data:hGGdjVd0jLK/ryQoEgoLKS/vXhywix68idAPvfg5j5igRU8DqQ0G9GbAlRA=,iv:/enz33TEJdGD+0x2tsA4n0UTLRgDM8AePIXpCbNSpCY=,tag:a1jhx3jCbsf/rm8u5lOWeA==,type:str]",
-							"xray_reality_clients": "ENC[AES256_GCM,data:xKwSSIkUsaA17rSkIrRtjnYahlL1bgcgPZ+fBQpcQR0rRxz1Ts2GOBvneUFCUDk=,iv:CL0t8Xql8636jdMwFB9MhdMEesX2Y0GAyB3QSz5k+n8=,tag:I9Dz8YicSwIC0X4XLC+W8A==,type:str]",
-							"xray_reality_private_key": "ENC[AES256_GCM,data:PCKrcqg/vSJ4DTd+X8XcAqrJUuJF7hu8v12UD/PXYWapNkW/6QiFGpx1HQ==,iv:ld2XI9lXP4tce2hChll0b9dwCL89LZ+8HE8RLH8MMUg=,tag:QfUg+7W5tnOY737jbHh2AQ==,type:str]",
-							"xray_reality_short_ids": "ENC[AES256_GCM,data:ZEhz9Z6QcZUwM+IEOsDY7GC1FhsS27VJcRpedLbpQ7yNjkWXSRymMUcN1G3EMuWiL76XGfCcoSbnFOU1/L9hBkk=,iv:2YrI7VXHACkd76iISPChEKmOrS5uRSZQxJRu4G0yzOE=,tag:dOGQ1MNAOLDGgbQihjVv6g==,type:str]"
+							"alertmanager_account_password": "ENC[AES256_GCM,data:UuZtAFIjqlRprXV/UN8RV/453Lo=,iv:dyou0rhIDhzr4FF+asVPM9HMuGf/u/Cu4fr0AeBTqmw=,tag:O7bQaoJWDwFtPK1P85mLdA==,type:str]",
+							"alertmanager_slack_api_url": "ENC[AES256_GCM,data:SzNgH1dF+9rIvm/d8d7MlQeDT21Gr45/DYiX60HoC6Ow3KvpcVReSA8Y4tvwOt36l7Mx1v9KFPltLSFuuhMyUeh3+wm/JBkF1bk9UowzTvib,iv:z8nvMm/FsromrnPx5Mdhpd0UOJBX2UIfC0UmN7WOEGc=,tag:bDCRCvvJ4p4BurILsgc1pQ==,type:str]",
+							"auth_fallback_htpasswd": "ENC[AES256_GCM,data:ayOOqmmFAKmtP/+6Ri2iqre3btcVQl+8PZMGTGHkjs+LTzp2rpF6lGmzsPWC+cF2+IFZ/7SqNt62tuPcmmP5MLzU,iv:HG6h110SBeSTvScjP26hRrNgUK14GWnjLQqfEEgu3Yc=,tag:pHJbcG8rXsit2D8edG5B2Q==,type:str]",
+							"authentik_postgres_password": "ENC[AES256_GCM,data:dGBIyhnryEO2KIUZwc4xzQ==,iv:gG6GFM1hO46e/uJIdvWY0gaQIed+BQbriMgn/yy+PRI=,tag:LJrX8+89L5FwUsXz8StenA==,type:str]",
+							"authentik_secret_key": "ENC[AES256_GCM,data:2771KMqU9ZbT7bRhlEO6z/hcXWiZ3B0JpPWQ8CcmCimlgOUFucACuNzw9e3GrBMaPBM3,iv:uPWDXVv+ti1KTuCEQTlTU/YNo8aif0+FuAAnGSf1lRY=,tag:zoxKbvaR/L/FjBgMqySjpw==,type:str]",
+							"cloudflare_api_key": "ENC[AES256_GCM,data:GJwEk7SToO0EZAUv6OvMLjAEoMC18D/enICjJ8I23BlYepmpuQ==,iv:3TIKlReuCAKfBGukBiaY93c10wGGnAjm4s7X8DjU0LM=,tag:aF9cFtwae+zept24VxBDbQ==,type:str]",
+							"cloudflare_tunnel_token": "ENC[AES256_GCM,data:wavoTBNhLzmZ2N+SCSRiT5Wb4CJ9y+b1JxqyloeQ5ltRM9L2QS01YHJodNvSa+PVDeyTwWyjBhK5ysciSsRt29S5cDF32KhfYbSQgmHgvvJmROAbZvh8w8LBfEjB/RlPbApkbcCY5WXv+xg2ZvHZ/Sgmpl46lp52cMxDPDGOli7x+XtIiqT/rfJ+y/xLzgz4fdopWLFJD+j19bUxVN4FftYDjWfELmadwfwj3tgKRfXHSTrrI2EVpw==,iv:A2bktfTB+aAYDC7OktqB7NatnZWzY9Kv3MZL+r2xVQ0=,tag:Em6Hb4S+pwQnZtD243OTOg==,type:str]",
+							"crowdsec_dash_api_key": "ENC[AES256_GCM,data:NyJDhkN3Tz9fS7xJ/74IW+QZROjbBn38dN/QRUremMOdxHpJ6o5Uf7BXgg==,iv:Fjs0DhdDtS+H09pK0gZIfTE0//BZn+1VZodEETw9i/Q=,tag:LnX1Ae9UMIcRZWUXUg+0hg==,type:str]",
+							"crowdsec_dash_machine_id": "ENC[AES256_GCM,data:8zHo+8TgcuosH8KCE9BIaUwicoVWJ4B1JYqy8MA=,iv:rezOiZa/7Y4kBiPHnHc7I3WVVnU8ukgB/GBFp94wLfU=,tag:eKG/Vwcj4MEb8rg0rBSdpg==,type:str]",
+							"crowdsec_dash_machine_password": "ENC[AES256_GCM,data:ZaCXKiq8aUkUXEOacRFickAfzGQnQ4xvYEzHw8Doyusm2secryo1W4XEB7JvD0hqcNBcHeAWB0+2VnpwpZaofw==,iv:zsdqeGYdEziqVB3Rk3kmEBzhdVfkq8LNJSVGiRrcmIY=,tag:wsahYBUm4zKy3vfkm6VZmQ==,type:str]",
+							"crowdsec_db_password": "ENC[AES256_GCM,data:qlXuQXemH2IvjmZBB7c=,iv:Wh5bQR8aw7J61ZqQqXRQRa8CmmKyoCcWU0kRMkEJkgM=,tag:KRMgT0iyIU4S3x5anwjZ4g==,type:str]",
+							"crowdsec_enroll_key": "ENC[AES256_GCM,data:lr9iXk9kFm6MhIMAY9Tl/l7h1dxQ4C6plA==,iv:P19Exu6wjerMC24laoSN3zuMLwXoYo3aMMYghfzzmhc=,tag:9qhCJHI6wfGp23BMUbDtAg==,type:str]",
+							"dbaas_pgadmin_password": "ENC[AES256_GCM,data:DwiiM0h2fbmJPA7K+EtRZT26zUnKxVxABG5ECBQDiX4=,iv:OQef5XDy5LwOBfxyvCCvQI2zkAk/dCmL24dsszqxl+I=,tag:3bipW4SFhgh0KbjA51EirQ==,type:str]",
+							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:0xQPj5NdGt6GMqka3vlGonBi//uqNSU+28M=,iv:aVh1hChK1K/z/y0wT81etMyCWunUNQoiqIvGDOfCIZk=,tag:PZ289fLJFiYYWGfgSIQTCg==,type:str]",
+							"dbaas_root_password": "ENC[AES256_GCM,data:+NSFJ+yYbCksL8Cs02S5nYuyWEBcoh5y4AK4qg==,iv:p8UI2o9gWOTRtZn6VQx8Fy9jNeO781I14Ul37bebokk=,tag:+NRtxHJHwv1JggMiSfsQSA==,type:str]",
+							"grafana_admin_password": "ENC[AES256_GCM,data:+Wyv9Bj4xR8aonCEFjIwohEZsoE=,iv:A3sSU/WRqgmu1XDL8nm2syHZiQHJxNtC3BkJFVe5CMY=,tag:/yWsqiiUJDgORQ8xFeGMAA==,type:str]",
+							"grafana_db_password": "ENC[AES256_GCM,data:wEeG8+AiHKeJN9Egar1rfEaV3X7G,iv:NQfOViA1FcQY5s8VTmyjYgCgnPRhTC0qGEcaNtKKzeU=,tag:vdbgNJ+BPNHa2LQWot6X/g==,type:str]",
+							"haos_api_token": "ENC[AES256_GCM,data:18B1lw/Tei5jRSxW3sJnky3OBWni+2Q8QsSmfLAxuXaEps07ZulnV4hYfZgtkf/9W3PV2Q+Sc4HryOSA9ophTcfnd1FcF9g0y2z94hE9Hoib8xnCeaGvoYhQEBuBUqjvAohETCpdhYNDt9BzFLhy+MVojmWOhl6uTz4MTLl1QoSypu9oX0XaA5IVQr9NsT0RZ3zr43RvZVUDWpzHhYkFsKwkbcggVtlCBBGnLXRxqSclJqnD6rIL,iv:3V6QS9DYWW1+M3ZFsKzK81OEi9bz2fDTs/fe0yLcK4M=,tag:cmfAZzcKXO4/q3su6CiDvQ==,type:str]",
+							"headscale_acl": "ENC[AES256_GCM,data:1/FM/Nekmp5IVj52x1QNDM2M8LYyvb6lpnu3k9OSbrVBMQMnlXFCQgqEZ34/ak94bV3knqnlsnaKGXRta/yhcuqT4e8v58FrgT/TuPq8uQxuG6+/ClFk71idDwSEZG5Ynh0AAuBltUAxfrfPcS2fqk7SoiuBqDHax/ja75MK8B+UM5tqUosgB7NQ4+iEoUEd9ybsz1W++Ih5SAjTpfq7MZvPz+8J7YOvvDn1kZ39MNs6UDHkZpJJ5TYt6ekLgCFJg6UNjur53WE7641vQBjHu08XX0hwTL3oj7w7ExojjwNv9tJZjYBjEXDRWFMYWjK7SaOW71+WGT8HX5W6HESKEjqSXqFLA/TJO/f8+lrOS3D29sWzQaQp6MDNutl3/tczLPDmsvzOSVTI80tjpAfsbC3/jYlwDppNJ6lMzh8y8aj9qUFOSFX7LHpmdUslC5N3WSwS7mKDO1EflB/7f3MMLgOfjHTh6lZ2zuhQEbZSzqqOMguwFgCvpesuqx13ooUiwT96UT1oF7JM6NrOM2bp90RQlSxM4z3MLO1EtOHipDb77jCuODMlBvhJNG2ZpNaUam76Rw4Ny9L0Vse0su40X7poxE3y9X7hHAmt1pGKvBanEPFqnpdmkwarrvkOJ5PrH8WQBIm1hXAgKZ+9x7b9/xq3Z/MWfU+HmCw+RWnX28M+LRl6mrqhF7qjVBiKdZVPxDWgzod6HscgLDezarcmn2f6wiqA5FenSIhmwhw0SsnJJcnsUJqeBGT4Rc6vhnt7riWp3nWXsYR6g0MuY0w2K4cyfRpBLU9EGpSYpo5f/nFLOp5yWv1ix0Uf9pQV6fSFIRnYT7gJWrbXV8QhdmHbclHC4XVjurKWK6c7y6v1HaWliPVLeebX29sVuv0s3mHaqS2XXkUMY4sWjfRIJ6/i5jcXkioAru3YSZWWBmFG9iOrZ1ifNGyxh/2CM5jJlcbw6axuaKWJwd/TfxCiL0yxLPZ6dICEm44Gc0doCvAWBaafIN4fIUYKmalWOFPU6ohHeC5ArqzgdQnx/sHwBD0PRamtWZ/6h6HoDfCbBiVvmT+P0fZyabRAPJZkL1R1VSwfTJ+1GLS1MBQWHaRit1Tt0MChCMMjxSH+htqUEOQpJk9lK2KCVliJDdl0ajIF4EPXa6m+OmU5PtUBfP+ljGqO1lOMwEjQpwAjDAC72uIVMrBCujT+m1FSK3Tiezxch+UNZQR2QtI6sOJmL8MxXf/lmasMD5MfzJjbIA02S6FAIEOkKB7jh0VXJisI2opttgNEM2v0v/+Vnd9ZC54C4zHdqu8IxdnxcqW7o71aSLFVNtTxIoqmdiNnMdtcz2jApY6Kcfocet+Dm8T+5aZRAVQ15cOnLFiOAVi11UJTHKl/Rcrgs8lTga3bBLHyrbfht091XL0quhlLa87UYZhzFVXXLwN+70kSZyEOucNhDXFp4X5PfcCEkJazKiqPTEEjCoIAmcOJA02ftV1nnDdzfw41Bn1/1X4TpOr8ZgvZICm0vy0N5AP8mFmyE1pM/tY2H6KBNog9kYoWI4MXpD7UCK//qEJc/h1KOtfDg6nQX+c2nnq7YIpOTEybNXfM/WGwReNFzvYy2DLZ3HBRYP+OV52/oJl15+ibC1IaadVMDhH7ktkPIS5opP+jLsUVRuijeDNemRMJ7dVPLpZStkaDbQwblNXfwwou37a6FLfY+pK0KMEhZ6CUtqNHsT/DUSubh5p+fCutoJhCJy7toX0RM+5H6hQC9y2Ii/8+QUaJ1JMZtMUVdYrvDga2is+fXQzE5K2486mbQecDj/1WeahAo7zJAUptGF/cEHoKv16pRcJeym7vZ3/887OGCM56lI3eraL/3gFGCKdz0En82ia64oYkUOlFHN126BJSQtbY8lailvLF35RWLrVPAKm/J9NM9C1D7AjavTSg0B8VG+c6+qj+FM2GGDB2pRmr7xjgezkp8xKw2WRJfoWrw95fVt59YhUpBRbU8s6swMOaGqpsACws1DQIl91EJywaSuYBYl0y057VeWVgauee/9SeuG9BKw3RZVO7r6QBLp7dxAcQ5Yv2V8JcpJexT2kFR3LCJMu19lFsCZpBLLV1eSTTpI+0hFtLzOVqZ/gDZrde3A9ZFzZ+wgFvnmDpyovmqd+HpfKxbAE8sboK4jxN2+15OtTPX3fjNOxGUlB85WyOVM+77pLNymz47mPhCqqGa5ShwOuijFJkaYoZed3VjVEvCmL9Ha5ecZHeQqZVmKAcHKCOQA4FBVPyoOx6Ep7vDYL79owsNzriOPKgE9PhnqCVWhLnA3qrZA1orkOP4TtHbGap8GXB6C08pA1fq+xyLe1wnyZZ8IdJ2WiOUjfA9loodihTEz4n/J5SWS4QXS6TRJio+6C8osEYUfO3DynKLlm49Wdwgl/EhOq28y9r6KlQ4uj/jSR3t4OhOdExWXO8NlddNd9HFSco0jq9KBTEblD/DyYgQoV3BZSbyuInGAVDGS2wSxllAwiBEPMsc5Nx1dSx0+eufUZVU7F5mt4py0PCtytTsoR2UMx+c4Ty5HbDs8k4RrozKLOmCri0IqALmP00AgWoPAmq7rKr8mf/Z2TmEHNRfiBMLjT+fGQcpERYBZOXQr8fAk8T4QWwaJJACUDM8ctCzEJGgbPCPmRSfqVTHRNcdLfHuj09T4WAiApYdOES86tBmaQud4VvctQhM/RREGCwXdDx1q8dCuvghT9iY88LSKd7CVdjcv/cvpfpyaXRxPtmHw1wLipqEjbD39S5i779Cgwk9saP5Hy+uZ63RWq9lhfFBydZZP9GfXYg1oMQZ7P5LDzTpRc6Xcsj+izKqhSwRHdlpMlSSXZb7QDld82Fr6gF7eCdLRhHg1G5sxlUxGQGPNC8KkFtSC3AY5h5qu1sCDcw9mxq6LJQ/YbWAeXiEZOZ9DazvuXod7zQlU2rWP848/YkBdC6EIKCRqEEK0nRYtoPLSxkELaC6r1jXyJSuLvchCA1h8WxfNfPx1XbZVkKnjHg5FqhJ7GekNlX10AqF6u7gjP25AyNWTWSbwrtQhcwoFoWWSlTiBgU9pmkTNj2PinaMl+9fZTRrVfjoXT2fVd/8XRJ7hZ0DqnIpeNAqE/fUFp7OJoPyHIrXCy/eKBKGWPkqT2ChO1WA6gsVWwLY50MsGCk9DYi93wWOaTDXV1v625YK/4ivFIqqpzaB4ZTvGmPLZziCZZFUWK8mhxWdZvIuZPq/dC2p2nYs747mCagOWdUhNFnT88oDwDkhsZRIrfXDaWlCX3x3VKvlutxIGOLMfIgGq1NW1BzCvLQjScIySMjW4CEg76S4S3avTohcprh7k51Fb8mp01L5lL3vVj/PjmEJL3V4rEZB3obo3x/KkfEcqfL8rPhs3/UihSHc8Q55PISFtz2ddqnE0KHA02FTFRPexjd/GlEwXNEn2tRdwvGcNlCGVky9BigP5g+CEcVxkiS8EM7UOhR6Yfih1ZdMWJBO6GMg+RWNAqf5z1R9F6nx0o3enVvhMTk9PA2jH8jU+Gw4VDiVze1JJvX2fDml1v6EkVcfJOdst7zHAgAYKR93ImkHahT1zWS1amSL2MEFQyCU+C/6HuxOI0UZoxTT2d+ws7EhlMf/pTeZyxJIo3AhRwFXCa0PHLbGDOPCbsiiREQnm5wqLv7070kxjwAwrApFyUtf6D9FFa2h/ZEs65gqSNeKRcArtpq1wwYOGE5/rzoq9JWkZm0uKvLKBYN7tyVah7PWIwESCp6Q/Kj7f138PGoxh/7t3MbdXTrdO/AAgyPr2wOebDhMF03enq6dPTmHnDguYPNDy5G2ULk42YSIFCBNzUcA0+hbzZ79LvBS4InV29buDFsy9CQ7PHtOodShvWAqB0KbTw7u2zaYeGLOv1Za61tfu/6zEPz5rnYinFZ7bzFZ3lniDQkIDZuLgO7It8aguQiuppfz8cOuK9lrAe/lLPWuJZDSiOQ7Z9iF7GV1n7Le23lLHw9fojgbWcoeXBw6Lt/MErQsHwmMfkihCD6uTjA12bXIqh6cnPUZh7TDhWjGjvgQi8aolqPjHWnxeRP3TVfvmv/6NIkircM/NNLtimipiZ5KvG941lEoMDFrK9FcG7phPtMbIVq+Tf+45WXsaz5edB7KZTz3X4pE7YcAnnpXIIMF2VeCRoK56MBbd0tHXwegH4aVGyngWkmkyPySoUbTuGUG+7oPrYmb9VcC3IfiGXxx2DgrQ1o6zfrmd+xDauKRY9c0An+NXnDyqepz+p+XpDkK0eIYdHCJ7fedEh4RICFWabNzIgwaKJhnlhS3vtSDYuDh0OBXVB1/houq4yu1Qt+f64p6DmdF2pP9GfJkRtyEXpcbKLZhdLT5Ygna/6v4t5WAmCwhm1COmeC5DXyBpVBYlVgXzLvTPJ4ZA4W6RQZd75v+M5Img8hnU0N/G9sftwVA60ZeGzmiMZBOUW9RqHNuDO54CmtwO0zd28BlR8nnWoAencCez8884bsBqLxavOr0ZkMK4ZNqKiF4ucxzKpDWiYIoFZ6myX4uilfYO1W8lOg7DXZQaLYBm5c8ch3c7e5pa7ip87G7aQS1F7jwSEYde93DpgFGXssIO34QshAT1ga+dtu0byPxtS42DwAHR+HexKQfw+i5cWBtwEpHEhDjIzFnEYNQqcB75L4huZX8Ja/MExpEwOc9n2ZWajW/DFB4PUeWYQK3umFaITkHjWwZ5gSbmn7eZj9MnegSb6FbaSfoWpSLOxyt1fFaT02ZPhjc5t0zLC6i2Rcq2/wQiEux/jCr6JLlgqDl5u+os11RAq+hlAWuCliFXw4F6DTMBjbP/b3z7uJA4uWuKWyZLUFouAhZV5wlRRRVBEtdkFNjPATOjiUmuLDLqflbEBtFToi,iv:cCMYNtKhqBOHDVDjav8iqf/9oAZqJex0cDCymZJmdsQ=,tag:ztV8gUy4hBh+yocEjuEitQ==,type:str]",
+							"headscale_config": "ENC[AES256_GCM,data:tSuidi3S+exus96w/toddTKmNzfvwoo93P1F+VXpUQKG7hqRTwoA6kwyS0w4C61Av2RZwLVCdDXWxpi+Bf7axXR/8FqGq431Yw3bY0b8dHO6ljIm3dPlglFUA/IuLv5hNTuenqHstKmn+AJfCr5PgFUfq6B46ikzvBSrxncrpTzafxrLR+UGZBIsaogLJhFNr7NNMtOcuH+DcVPQT7b4tUPYTje+3xhr1pDyQiRVIEEBEQLBZhLuT4rKj4mlvDS7VbXiz256yv9P4007NR1Sbo48eWWD/kcV5AHY9vygtabBHO/d4X6fdwajTJekyvRMeo/+mPDAJ/OUytrEDPp8O7luIZRHdTIJ9Y0FMbQQjy28gTmaYDRLtgCHczYq3CTVCsdun5JhHbyf/k/f9JfdM1PqXJRKxr6PEfdb7J7wiSnvlxlqgV5rcbM9cGRuzRkUZaEADFdBdi5jjOxkfrVN+lLyqr2IZYuu3dNIlmL2XsJz2TutYIH2qDLWyJLAyq/DPQ6+6WwTk1glV3ycb/KCYdwBegZoKp0/+Qt6wAIn29O3w+Y7dFMyi5LwaSpbx4wEaax0/EzZGzLKfi6Qyn8LIeyphD6X6J0YdNnGkXHnnYrvxwiinlJWP1FxVMRno2lp8T9Me6dugZmMUhUPgStTs6W+A4MGZqdEZMv2KKO4wKBb9V3lltbCdUnRii73W+UOS6HtMuXKbfdhyEVBgJgMcZcHjqbMvC/011RTOG+AtEc7cp4GoJz7DrpRchJ7zQDbpBAJyOSbA0W/ARah1VelQwgwUV28OQZDHr4ERFSqNuiIp5BjNfJHMMWzc4lL8zxb+pilIrHHkMCsbnABVRtElfMcPirUtM3aecITY1ssE2PwGvKuW1JHOP2MVDiigsNisxbkEctAWYI1d88C7IAEUE5QJaMEL92g+cQPXRpbEsnCSp4RWfgk8xmHlbCpiVDg7Wg78AF79hPHQtb9Wgw4K6OL8uAP1e4WL+SbcJOlNXvWLbO6y9dMvs9Ds8kj/aoEIYJmb6m1WbTz4qCLTP78NK8b/OVLAY2Ck0Umh/tI5piBJphLpEpv1l22HMeUh9QUmXZmiRoEcU1o1Ck6wytcrUiWx21b1txTEfCaVh3pC2/bqM3aKsZoqY6OnNKufRIg5xtK4vrrHsuWcHcolLHc/qMGMshUqxMxY9HKeweoh21H8GZoqkoqeUmkqtsD/ZBZ+B94TXH2aktUs9E42VCfIAMqCXtWiuR9amC5e91RIRLjIjb3DPS6/+suVAKgsEVx5hOmNgXsZH2SKLe+jJW2+MuX1zvUcRI33FtPIRgi5Ic41z7pNbwShqfQBZkMhYPnIONbrpU5IZmPirNR4OgKJ1yun3UqqXJAOlIUe3TLE2yJAdcpXYFEjJY1QQ0gxMDr8C2YT+HuZwKwQW0K128xV7DfrKO9xOlyZq1kIaJrYA6HK7MSUg6awV5M+R0RbW4XRExG0Y0UGVcU7VD5Tq96gsHQZF/m6uPmmgHq+pzCx/aRZhV76MBW3ZM+XQ9PYWHCRJQ7feKH2fJCCi8fMb5yNPzYXKZsyrOmUshhoScXYSV5uPRe7YJveyZ6tRi/0Wa30QwqThcTHQ8Wy5NPmFpYSl2klMCRlkFc+PbCeDtDTmEbMMTFiHtEhgIlJfpxIELaes6f4ik+rbJ+je5zGPnW1L/aTcAz6oQ63qnt4Qsvb539txThO4acQL2MchK3D26LTdFcre43BPJjc+teem+8NewvTVuW+Ic5TkBzwEppM37fWe3MRsHtegeeBNX11ptYRkToVPS7FyoJI99f89qgWLtejWcf+YUua4IkopoY8JK+JMZcLQFlSqNo1GS/DW6SvlIfs4mK1CkLe38vdkSs7YUAUr9I8Go0eM3Fllcfj8SgiFyBZUQZVMzfPrQEAKnZh9pjXa9VJyA5BvYygR2Nvlkaz+Lbz7y3dorFoYuHVZxlG+4/14+QDGVwEnbj04AlTehDKc8paqeVsrzBT6PsVdF2ujS25HUakY9cqtzjL8WrEUFu3dOmeCPradGgRP3d/xEikfnB+MDPuKK2im8DMW//2B1uhUmpoywfQ5kHuJdJ7ml8Un7SMS7ittxTJQXM0LK/J3C4pf4fWWyN1sd64NmSmfDP9c0kCrPmZsJGiDIWSRwFponpENILZC7n5n3tJqyXjrzgtT9OlIRe11Sgx2QMsQD7Epsjma3hXzlYFByHoCOziYiyvj5PSrJE2hy/oon9ZI0oQNonxUAbsBOPBYOYKie7LH2PN2qPJqD8EJkTml0ThpGRtKUQGpZhH7Wjr6G3IPLwl5EIPy8sdBXWQ6dif93b9gNvryzGtZ/+jDo1DKFLFMwlRUXXeN5mwfE/zzDc67FYKkw8yUka6XrsnLtPInQTtT4X5XTg7cy7l/kOC9/eVClDjdEEdumolnk5TNflBTMl6GqBVsOoink5mOI3jjuMYaWOyS04WGsOHV0zVF6i8l+f5K3zgdYWfEdCTZb3m+8/uS6uBSHUGjT/80V+MAySvmsdysHBLoeXje9E2MpLiWv57h8+1RL4HEhBQJVUKbMqxTPKuMRdJ4BM5fZIe7SBDqgrJyr/Xz3NQsw0BZZN+SWWfutRUkqBJCcso0xRm2nxeQuOjx6mnM7l6x3vo7KBlJOcE59tGAvytNn8NgKYb4x0iTIn8ps9BremO72GCZn9neODEVpbGbYU+kiDSVsa7pCHqNmPFgggFftJkZFxqUIxaeeE3WxQYM7yKgz9K1OciU7aYB2siEylaql5G8hqbGC3ouyv+/XD1GCNpRCYYjqKQXQIvLS8jw6tXrxl6GLTIbYEbz8WvH3She82lfRLW1+3ILR0gpra48QwRjMFHSiCHEUNkiQCGVRgrLqGirtE3X1JlB3YYgfJ6BhQdYBtuFuL2r+AENKkxAWGy/z2HalsUvhS4F+f0mOMaW+esqwrxMRrz0/CIb2LTEV174ij76OOiokOvucIkgPzbkbPYj2s1ZQIsoYALngnIBLi4J+5/b9pq73+f+DHV2o/L3HbxqD7LE0U5uM+Mlwtf7wF350pOfU2glYDjumanXBdqMQUU+ir3sd+ZlYp/EcfRNPLTs1H1mczao0svLPVHQM+JMBCdEvIfbvxnkSVAVEkcvHf4VT2QZz1N/2j9u+OLYFH49/vjyDTY7fnGOTS7JBJCbJ/QdD+It1siN2C6jLD13iR3CHuTB9yfqR9pNcG9awkuaGxzp6jbLumv/2Mn4t4HR+2f92WYqIRfX4s8siva+m4dawGn68Kd+gp9yJL2Nt5Igxonu+a8WYAKJGHxkWP6hLo6bT2VZVIqpHRH4RPJj02RT6AHB25Yfsn3W5QvoDISiqpmK9mreBXbUZn9KMRPhzwkFrYVo1itw06LKk2bXptQ7HthoQjlit/GyMVzsT+5ELIAahk7tM2RRG7BX51ohxyaDTQ68eoLFblPf/BToNDDPs05LC+0u9iRAX9kABqbYjhk4ktuGgtz52Hq/N6/XgoY8YszsFAJilbfY5aeJhb9aE0TleLb5oBNlY1kDEtOGb1WB4sRSACXn7S9pFAKZwttIvIqO4lNHtlE2W6133dZzZbQju5tDjS31kjE1Jc1nVMfoiev2xjNQMwQl0Bq/pOeNVF+8AY2YZevMj25q0szv+sOlkVN2qRgqgoswopP8mfFe8d1aTC7nOvxwWXmBRhv0Y96czsSLZVjXiWiNCMobrOROdoqVuoGTv97xqQPbPgIR2NYnwlwf8rYRTZ622SQ/qgG5sXEswzzXSRq2CzQjVbysYcTTMD+sUZJrX2b8eA272JYZITAKWooEY3Ctxz3FuI7Kkz8rmMghvL1cLE9CF1ebRUvDhStc1I3pENODvaoML9h/W545F9cmrJfIcFFNYMdd2/Nf2rwTgfHbq7V4yuH5m7Ivcplcp6OaROsvEXlWxovC+xQ2QHPSc0yB5Rm/s3K2Z8wr5PjKDRqQ9fBueMeh+rpSv7SO0pHrcyLZ3syZpbXw0aoUobJbILuA3fUWJimvfPY83QRTOhe/UQsQBLQ5UfMFLspHaO24GrbzDo+OulyaseD2ZtFI7OwRE7NZnppU4M1gj3RVvpgx378gbI98xrfS/N6nAOMKZI1jfaSaLdvYiSNUss1UrjH6Kf12uNj76PLf8WLa6wU1129RS083FB/jHawEF3aw198PqJ+vQGONv5I5CtKFLRB4U4QrdpoC7cXp9Xj/PG79mKItx3sMzOmEUX/RkRz2ozQ/6JtcTTIRox4qVIVj8Ck9kxwllbV6r56qOi+9L7PxQzSmbsl8fJWbXf3v6YzRLZ1byzNioclqVKeaZiv5VedPRbYtWi5gCtMvU99S4lxZK6VFI098/ZfVnK+wSirXnPmodXmwSA8m4sgXv4d/C4oM0yRdKyQ0/fWLfeBxR7FTg1LbV+IBZ2mG64etkln25dqMa/kqcQta8Q/J+UxB3vwvZzwVVlwzNaK1kTheUX7uYgZcwP/nCy+LTeXz/BZeilRPRXQw6Pb/MKvW41MeSGoPRkEvlbnEPyFGJ8O5xriwkbxgq4gB75SUUbISAclUcq8UHFRWfSWafVa2iKuN+/U+tcaqrGsrgsy18qrcNkYlfah6SA5Y2/eku7I6sgRDjxwvIRtZzv7xORZsqzz/OYKQLvYfLio+8SQTFS+XcQnxRH0H9cm/uQQZZCeKhq1a5K2Kwh2zg0sw+kOclAFRtb50E9yerUbvPRGoyl/KzrElFHa7JSJMPXHfaYchbQi3UpV80zeXYJx+MQAMF5GJb718B9P7z5ba11yzFsMtWBhKUpt9Qlz8W2+GpuITgR1FmAdxKyTSKVNmLsapDfasxv+HcQe999NUjf91QKiwypC2ipHKEHI5upBLovxMFl7K0EaWvq/ijxQbE/lvFYtqY6tewdoMiPkhvYGOSY0+xUynU96y7zfNvLjVcfGTimF6uDYJmjfmcCBzQHWDrvv+In4kYN4mxS6zkknE6NtrC/jvwSBnShSunuaywj+3diZJlBn9lHP87MVXX0EjkHg7OWLBPIOzMzRofaKh03T578AhG+ZYX4cAZ9QdVCZYUZH9Va8x38R5K5t1FDFidvsAKg/hgHhFyM8Q4Yc1G8UJxaPRxVAzKhp10/QiQ2tb9VTd2vK3qLja36Rn9ZtIFxPzv//omLT14rLFJE9H7u8xRkpszmz53EF2B64wnCy3oh8Rd/MytjzewRgxpGmYRDWMOky4KMaguWWxqwJTP2FohHfweCT5XPMIDM3IKqyEG47Bp3MctRojyp0rcPT97sI3/20S5eLymbZWE4LPyyavniljRielhBshcBupSHz+IYh3xJPN1MeUNaI6ivnmoNDIOw8nUd+wmvjHrMLRCoRxkyPT9ljOpblfJuT9hT9UR8tY4yw56jBCaZFeuLTtJIaVxbZYvNvZjn+QJG0g45JZY5nlklsDKpuXOoJEtFgUomYZ5AGpJscdi+rRTxYsflJoID1X0IANidsBErCv8WCpsm5AvYfWa8ZQgFEgAoOse6TTD3xKgIQZu/IN4WS7WN3Sd9YMahMZeQ7jy2OgVKYHyLzl2Tvhf8AMe1VAuVBFtJtLgeZR92SZmbnk7eSA7i5AOesWoA3U87E5QbbKRRE0EQqwnLWnVHeMjH5zikcagQKzcrL/+K5lSHT9/tFwU755xrs+7LisjIm1Z+ou1kLT3m7A7j1SwF+yILmmck7h/9x72Du6/l7MaiAmtPu6+wyt12cIwPUU7RmFLOUJ/YvJePwGs/7bnRx8R0+1LZy16do2V2u3qXOfIaMZaVNJRX+suEaYy6SyqT4L+o3MDs0OxWSgyJl32oDcjNl+024FgzWZ70j9BLKiMxdvGjHBl+vrWTdPRnC2NB7wM+mwXZPu5QhDvrJC1Ud9aHkmgCsT3ijr/tTKzrYGE7HraFiVIqEznG8BT0JTNJ0fE9XHdUmf27A0DfObtOldPRDLxbec66M0EbzWD41FmMB1KUvXFlI6/5Ud17JqB+idYaSo9zr0BmUZuriPbdGr3ysdhetAQuOsKYHDVWF3PkdREzz9B/pPB4pLrfF1c/4ZLWFUS9sWkkB5m8VIK8RJwHGzkwwhh4KgDvtlsKXMxAA3xN2ja59CRszebb9IOBd5xrCqOrRDGFfnGb8wNdagnCCsDB6b777XkyGIC0iehdWo4a0YG9W76TpQshCpHX7ewYdUypEYrSZW5gky2nS867epXKiCTmVMcdjKYai3KYd9YwpSW6a912d4380Do5ZF/NGqXDc0z5W2xnB2Fj1amxtrXqbhIvkZc2IXlHKKD1wGxUmcnu1uzwlw15WteAZFCWxUiIXA2GjXdFFo3TB39aKYDZuR8sB8xHyw4LlA8a0osAy9wwCg4Mu4z2sm/brt1SVltmLHaooTedGOW0M7G32mNY5a399T5mgIgUq5zTIzKQXsoEkvgilFUdBQ2xKqtNba+PetN2O++t0D86fIOfzBXnxThS6mVNEEKgYprWxnxgipyj6dB4V4EqOFz3pXP9gM43WnywCvoRFNBhfS067d0OalsDhZlRJC6P7D8aV7PwDMRqa5gAtesFQS1qrzrj/zXCX6SaWdH5OT44+KCAhLLts+5yITHTu7+P5LL37U8je+3O6+T9zP1ZmRdv9LKUr3g4TvYguH89IBNUzWStn0e8K9t5p+hknRZWXSjrbzjHRIjpOB454MIEfDbBTx0rejQRQTtHSSagS5LTkMvhU8aFPOo7aYZ10TDyJ/X1/VDJWNsa7UYnPrXrdFzUN/O+ieF6QfKJk6Dl8FhENyH6lZbbWCZwafjv1E0HAOYSHnxCsG3rkjm8nb/sMCC4BzR44rVu9G7Tx9PTkHgmTDucgboZ6UOAabdxeja4k+3VbEybaPzLQdLgl+bpJJK4xe/BvHt/ksrU+KQyiHSJjsi/8onOdav7PURMHXtLey4q+Dg2loWQgNVJ59tmVIYrmHfvUkOixT87kM+xow756ev8Y90ddz6xS0KFMc4iukhiMtHWqEIMm+SJF7eqdp9B7BsUKG+rE/UcYz15E0ks0D8ASGywm6i5bZ44COcI1QUbFMokW+l+ze7PT3iXbHX/YcPVSN2J9qS1FjVB+wtxx42Rs0KqaFBxg6te8D3YdPxXW9OsYp5uZi3DrbPRgJdBle/EbgebPw3R/orEHpIa+1vOWRCi9r8Ko8Rwusx5xi6pU6CF0FtTu2EDIAvBauVGC8QNwg44J/K8nVOOLmmGVF4AwAahtHed8sJiKhssxVuHpWLhRPKtBQnH+iwZDjkei3oGJNkjuvTr5HCLyzzXo1oNu8RX1xARHJsfA8TZIclK/IAKrLHlUgkv6tewuDClnRWaQP6g75NIM3rWq/UMUqKPrtO2IxQ/gbi1DzB+cy2cl1ICanBnjqMaNnldjZ3hbD1BwPWoSCiXH8t28TGv3cJTzvwUxocpvt+IXYM38+MNkREqjSkl0QIfiWs0860lZ4+ldcLsfNfNm/ERfXUM9aTP9dMhLbmQW7ui9ciHM66ZoJ7IFmYLegthTj/S+hbdWDWJn3Sw/uEuclrKk0vZGDhcpDcZa2WdP0O+8NtpbziLsuBxR64UPnnTSGE4SA3FM8WvKlRorspZHNFbQxkBFT75d03a2PF8Exdc27NLFz4axyLSEGXh1iADKX/absJrw1dmpxjcS1CI1DTcFn55VRKkk27deggLSs7u17s9+KI/FNEgewAjFYKPAH3MZEK2Svg1NSIS6PuWi9pAGMyxD7zVAZkb+y7IvUxv69Ojkz8LUJxObrpTN5pU53KiBCrPg6c4Lo1NV+YL5R6mO4ABl/u8abX56kKKa7aqFFo5J3gCJX+mcaKTr1yjdKah8qKRiu8PEQxPuGFUZ6kiCUfDvwPeEEyFcLf/nkr02SxXM5/+3YXKxTF6i2JwK9BA8daEl3xdFlfZje+8m8uHrNMP/I0vCsHK/qgq5rq417ZS3gTD5gGIRQN4m4vVXSvOI0QVk5jI06VwcWXcQzLTLE15euDOnj0IB+toF+ZJ2gHlwWIwXuaaxHKgHmpasAOKqxqZsMVbIz41YiOZR7BiX7jkxZdRL/jd9HKuLDfplHL/Ino+OefQ2Tr3gz22A9ARlx9TYs5AFmD1EDW87mCVS4XJC/qF+gPUv77kFaA4VR80ldPSGi4sJz0UYlj+NabxlgV/TH/Rfqe1MqNEL6j9FYq0Sgr4ZejQig2uXOMx9KpXFnBvJtUmt9QW3jHCG1RPQObf0LwIyiiCu0GH0FTqRgpENSIR4tieMydrZQbtcBHIzsLYZe4DPHWO0MXbRVzI68bi9rK7UAzHzdemJcZ4lPVG3FVgAm44OIA/v6CAPEmbqZ6y3tYxc+bwzE2IcQCGIkj20qG0XEMbIm+hk8VNNyZ/boBxwG5LBfLKSr6zWnEq8596f3ZrkcuDMyoLclmpGLYvEpUh2yEsE+5swSKDBKOzUgeoAFc3b8XYCMaKkXnMrKWABuACfIGG+2OCxIXgMrwJzGkcNYH3OS4hqHFz/fmbHR9SQYWllhg3lzanmh+/HsLZPtNDSQH0UANM7bxxwGtD820TFxI9//FXSo/C+WN4Ss2Nziz1fRbWJfJnKf0JZOfwcdZ8PT+jfhS6r5GPU9pIZnKXtQNQ/WKw9/daeFE1rT8YRPiTYa8C/s2Ijz0HjkA9OUAigFLYS4E4OrlUiN81awJQZxTA5nH/u1/YvjVOy9eoGaPoXJsuaiRabQ4nrjHEqEGD1qsig474S7rXJSIFZc/va/8NetJ7xFReKjMAsuQVPyS9QON2cydC6iOgvmD0LKPmYw0ClXwgjoYYXLlwol2HkFeLs4FRMOgxAhjv3rXcgsXUWPr5sbE59r0pjFLHd5WqGFvM+1v51jt4YytD9aBa3PyDrua3xYv7APiBbobFwbtkRYYWre96Bjsobf/Zrajek3ooj6nD2zSdm+DpCFGDgKYycR6fC7bzzQ/awh91JfvrUm1S9/ZXZzL3YFoP/sbngroxTSd+6A1Hjk8PANWnCowUkkcJ2GVqCNf/fWUGyc29+bwwnFRsj4+i+Z+Rp/R8rIMotjG7rCOh++VvZP2J6CScIPDcYqemzSZKM5LnhwcBYOWVFClGydeCxZPPdmzVdqrWoTkZCGX1a0H+pXMx2YVt122ZuAoDcYcN222qI4CATaL0Tq0gYmiaH2TXJrLXArgfarLFbUBR4Aq2OkkInJ1yTlPMnJ4J5recJ1gng2p1zDsHrDeCVyq4j4B7wT9oqjKZ43497ModdvHLGEh94c+uPWep2WRK+CYkp4Y2E5KnrgrEOCcb656FH55Xn7AStG2zdg6KPEMKEvEgFpyYDO27soGtvbh5ACCEymCWCWnOzWdEFt9wQVpN5KqHolv7KxUmSeWPBbc6YVSWj7zxauepOVb45pznP9aTF7H6ccZbBL2CRHISxsHNF0HLYlZe8iqTbhfjuUUszyzc5GUMV1dKZrnVb+RbkIM0IT7yQY8P2dUUbjxfNgVSgd2kB1sSsm2foQ++3ekQZZTk7bQjWRgHI7y7ty5RYD06enK0beUeX/xOMXu96lSSiSxXsFuh9YXt9uC9gS732iMpxB2Yk2gOVHaEVgIG0G1K6+CU5ptLfSlFmrpuJQGXiOpax7k1adt8+Idq3aSkZtzopb6ZPoWEUh7SfYH0fvJqXt+WU9df83OX8n6GamDZwXV2z42jWMqGXsC8h0fnARpWQVjIW4DZEjI34xU5P9p+btQzzFfgJe2dH1FAQPQb+L9+Uq2P5PjXGL/6ZmsIKrmleO3FOxn46N3vVXxmhIt3U5OkTQH9VeFJfmJ3eAaU3cgN9NM0ghlrFnRSocR10zwmz4BohuOfJZ/8T1GerkUQFm/Dd1GL2Kw2l3KDKfX0dBne6a1eNYNBfMt1WGheQdiI5r+47nhIrFGU3fZBWXdP1yM5A8jD527KNzD0XLpp2BYNL735d+mgLONNVjBn8dNf33IjwlpqFIFNHsSz5svgySF38A0Ru2fqtqnAano/9ELqC7zzLtvNeHwuc1kc4zsmpCr7mnrcq5dVsmiNuxMLFK4eF+EUg+oa/Y3FAsZG6UmehyT5g0bEbumOadqLGRyqqxb34PVKyt/Zl0107QWCzhKdVtNdIispNoIbZPy8PD2ofgdjMZC5uEhNvkGFl0vyGem8G2slOQrPJKmmq4FtVjXITQYPHTWjnMXdT+iYWV4m77a1Ilg5rSb6Qnwut/MWHIpBynDWE1EvAlp4eIUh9FSBMK8novaiJzs7laa8u61GGLo5yNm9gbRT24lTvDBoYztwbLHGykg0A8to/K3+vPzDMSy4VKhk4CW1t2hsbVSLgni693MOtTMT54feh6vbucVzKErtUDiAdxgBczpoYzSXOAYY61r2UQxcWOWcGxPgZlpsfbyGdhcPGN/2BnHf2O7N9usdlq5MZWQ35GlHxNK9Gd22FAKH69U0ao9j/nN+yJVB1/mIorKl1Kox8gat/9FlmKS4m9W8nVQlT9u19RegxmyW+q8vKXigejCSY7chpcKGKyV+iNsK6IqsjEuWcY+I4VLvcDzsKSZkXFKlMw4nBjpm2YH58PefWVplO7FMPlvVCCsOtJZjFnG+ny3MMcyS0YfpyECg0rfA68YEkcGht8e3vzqCLrOv6nQhnoiVbdD5FbSORFPuNr2W4S7hFoGgfSGytkMtxGiiM6TjcwQ2/bUT+4tVWJGOJXyZ6gJbT/C/gnJihec0qPSHWdLU4LZfxAc22BM/b/ap3AEXTFo6zieSm4fs2+XD+Ruxvzd+1IeE3Sl4qroNSaVGkRC9JtE8q+YjpvecGiIJivnylS7b1y35kQ4SyaQeFP7+nVO25LZ62nnCoZdM8I/0SXePUcmjNootKuLxVTLYVUXH4xoR6YMExku0GureialrMSSd4f9drNVmJSTeBJ65GO11ZA7IqvX6rJuPIDjqkps+ADnHsxF+8m4aggsLugGeK/H5XWkeUVtxSnbTsduaf8iVscrBnbRzJw3CG63D5R7fwKF/mpgJfmUNIDE9bOda6JsIV6bBPoSn8HNj9bnuCaBHrKyNZCpYZuee666BmTcB95S9OPHJrOjfSWox/5HxouHfN08fWfRfCSPLoWDyh/7tBgKJqffs2pcAQknIy2GvtaG+MyJsjy66jz0DUfhIPQY6rILFM3qCmYKcDe4ewebJFa19sgOlUM1BnbyXbrzA9a8wYywIg8plbS1O8chL6vuVukMKK+/35EEcCZt7S0jD3dKF/gEPoSJu0kyFa6+4utfASQEaQCYSAO67/weu1+DX5ZS6xoD0y0NozuhRoXAqB4Rp2xCa0suwQhz+Xued7bAOndOMYyaf5u7bR8wmYYDWsJtyUgLckon7YSxqP2I3a455rdTCaSqXNlylB+RLQeZydzIlJzVlUEwv7JTsE/pRFHz+BVeADHcUoVD/aevhMFMdTOxVXoAQEmgMajYg2WZlgpeDjrZ2diRTd9qCX3QCuN4n1HghP1cOnor7imQuI/nLzkcAvpcR3TpfpohzP0xMUJDOK455SJ63t+pKr5Ol0VWWwqOekHVd8WQXVjlq8fTZdrTg9Yx2tKSJF/lcUmT+hadNMNd4LuTDtflHobyH5D9bU4D5Okf1gIl7CAoLxpCEOCATyvE+FeEbK88HtVPFCjt3CDm53Fsrla1FH5Xh41u+tY2YAlrqQSfh0wdW52lmI0NlTCQTUYvfOcnb/0olKr8+W69DH2gWnIoHDiNNu3qxGqT7APPAQapoRqUmXEStiioeNQg71OIEshYwz8fJnRMeX8r01BFkeIbyENqq2RrpAzRuDxxVKp8/PKDcYKijSeWR7E0NCzINFykiDAEDKJoZN4g/DD8D8/cS60vTjc2/hgVdPJQ6X5wSLLf5iZUbyYDP7Lma5hNrNRi0a7cMKWonqdlCPxU4DtdLI6cr+G9q+d3sEZLpV7S4u2ROP7sHwIXEsiJuNzsJAdsTFM398o7vR04wrmkEC+vp4whrydEjr8ekxgwOWY7LidsSFV4JKvM6l1t5xcWvWHLNNwOVQgWk4Lb+y+JD0CpfDXWBjvlII1+ik06PKbo0uOh7pzpxhjO2Swhiqj/WDvZ/Fm4zQwxqHtl/P/1h64L9BZ+ly55hNDShGMYFxvqeuJYbIQV/kTx/SAxQorvTeuxZXvIu7479Px5RQAVyLTIznTWWs0G28KGLjBmqtWEmruVnPi+mXynhrRY2XvwNFx2PciIOWwWfrU5+4zx2Xn6yIR3fWk9TECu59FHqyQWNU0udwvr76ExZmc3cQ+qv339Jf+rzgTl5KBGQIng80G/Md0jhNrsDl88LVwhJvw/dIVvfKivREyul7hD0x3WbUB7jQx9DhAXb9fFTEwLiv9tAG+rOURVGJcCxEidY6UIZAD3KUD41d4yyPcDZxXN7RvryNp+8g/vRI6tO6+UmZgs6fjwyy3IDIFm01zRK5mjalD/1SFo36/bf2/8qWrnSwGZbvqMUMkgXaw5DAh0LdSAMpqszrnKkf5mHqwNoPhDaZbR1KxHIkrEjPN29Gd1ixS0zn6QOSD4Z/BOZEME/GDnWSKirOEK2Kn3cSGXf6jAlpWY4Pyi4P+31zncVH66Lk+jedbTCyDgaGidZ0tRubNCBsqg7oUpvkxcu/oXi7nfos9sY1bM3OiNHy4ggZieuWWCRMZMAiT2XYiwjMnzppDcedd8S7c4YWTa1eRTWvLgTVCC2IUwir3X9Ipf0/Al8Q6adUyY+YYZK/GMDEVLA0sB0LMmBCQwfoVtk4cy7KH62aqyEhAEMC0y+rNRF2BLl1T/D/20SEUMblFvMv2LiIPOQ2gLSi1c97+ftWU0loi5zDtPN6USUj6YH2zpJMukL+B7Q54CbGs53TLoy1OL7BSOZzQcuruhhw6GOY3Tt+kZNzKGhj8eow1LXKVxBezBSnWi8d5cSzNHUvttGo7Ojv5Qs6JYnmHOovhI7F6rz80KQaKX5IgMkEi8A65FyXNRVFC64FWoChHhX29r79rigVQREjA7awT0jb0VRcV0v2oJmKYYUxvExtPQC8+ETZHytCN6C8/Z8goaCOw9u1MsEkwlp43VrkNjqszDlTDyLtkIIyxcHgzaGYklHX4xZoTKbbQ6lywhTehKlMSzun43JAsyznzl9KVWXDnPBThWqZfJ+4+pWg5e+ATZt4WSwuSWFDXo8Ir4FMiTtcAD7Hm1m0CUMhOrKZ9aLpNkRaaQk+w+wa5nj5VHVgreIxgkoTo1q5IvmhiVyles8S+hdLMO2nUL0iHUjeTnbaULtfq4LR8Uve9mxpDiNErUpZdaUJNvYdnvJK1EAzJ3iNFgKo/AuGztDwruWP/4VpEiAZqaxOyYpKVm6r2VHesIcTsEYto0aDYwikPH439oUKxBFJTQJyC0r6VEOPU1byeO9YezemJB3WqVprXUptM4/I3wxcpdK6tBcjcwPPB9wFUXbimEI1PqhN8OTlarAe9iVhalZlSEXcNN7aJ1UiwAF4+y5e0pcrZKeuZShv4XXtMChvBSsBAQicKtBMS+9f2LgyGGnkcyvCJZxyCUixG79/NaAaGdEmWU5iAyl8JselMAbqdJn/XXXXpGjt1QO5KIcvfmv9r3mxXUnR2Sgo/wwg5ewgefwmT4SD1XI0BECnYLevqW4REMp7j9+SLJDjjaWZpXLaaUqqrYUNEfAdM2YECkuXpfzFKhZeouJxEHh866v5OcwoqF0a2ZHRYAyUvxXupWC0JrghLt6fUTg6Pf566Uu/Xfb82JCUV1mp78LuMffQ/LgvokNMFso27DwfMYpga4KW4c40rCF+4X3o9Ijo40ixlGlf2AzS+o8ApsdTN4UUHpo+uomQIVmw1EhS96zruZnX7JKKukS5s8R8TAKBf8VH2zVkXi3tXfNejR5e5DKLWua1qoBTzchhYn9y5suOxYnCb8ZVdCjFfpvCSDEADjtErltSIcQwj3MsZUBwIX37I01ZABfSV0S/gsXevEKcpw1FdKY1QFz8w0uQR5a/EMP3mk1swDCwjjeCxxTOiXzacQXOFp/sI5aoDVVDkqYLKP4mZOlPweUmFRTnaMOGGaCrdrx3hMavkc8ARdB7ak9C0n6nbAnRKZpMZjLXChf3efqfgV+grB7bD8DuxWRrRoROg5ofOc2CtDc2sctK8n7RvfkxcBLP1LNZwFlty1+UM/7vYuBn/Ytzh+wcfczXF4eLSOwdi2nz4fas8FR16DKThq9Jj0wJVdk53MxqL+tOlsC5kNYmDdmxTEKihu6r3Fu2bFoQ5QCqT1wpnmXiaJk43iL73NtFNUiX+SZ6OdUv1G0Ft8z4PZM30DqpryayIP198bWyW/8IGhK2MU1aL7leNG0oQUHxWMQ8LUHWFjunw41DrdkxZnot+tPNYsbHa5xt/nnj0XuKOfwKpA1OkyX7LWA5QpccQ6rmSouzTILJ4oOsaJaqffyBW+y/jBmHkUCjKMOk2leRd6BiOX9iI9dIx+9qJcLFUy7DzJso66H2dO76lS9aMTt+ewo7bQDRe7eoRqxCsMp/B2Jcq6Cg4m5msxVVvpjL/YhoAhb7DG7rL9st9IayXwCH3CCuTT2Kkc/Pi1vActyoUjYsxqvVi5zgX7ML6/nWcah3KMfgrd14Jrm6xRAyGhu1woXexRR1CV9tIbo6hyk5fBKPbD56qlzuRkZiFsexoIp62DnNDz5CMCw3Y/CyOszagcEeBeUbMJyTANYGajgklbzAKrhxrVeb/u+KpF2+7Oc4Jjb78KVhNRAP9hxXrhS6bm4gQ+U0EHTpkAJpBwSzs5pUYg1YtfbnYW9Rus+xADQnn/3FU0volhPgP3YPy4D8DVnFRXUFKzdLXIZeNEG7e1dNJg5SCxm2xX6F7OApqviPhz0Xz897MROouCiZ4gUGsIRS5MUjEoIFIDLOo+QjoUp5CqGzTpH9XDF/Ih3zcYqiTdN6ibMsJNtRbqbk/C1LAMJE+5LVz4nBB5c3H72Q2INveZTB7UEaGjAuEouyItnDEjARSGhxSfmm9ojd04Rbq1aoZOoEbz0E7YBk/GIvMjcI7cQhiZneVVuthO33egxEtSLFRxCVLpt3OhoPwaLntK8nvHiykdCn5pHWuz6hSEn/SNKpjoPoUWEa5Pl8Z+eL1MJEvlurSQThJCew8Ir29gWARtmbBAMr676hX9DEO4Pk7DB+3NR0g8gNeRflHu6sZClnkBBEkqmZ5R+/I2IB64GbRULvFVuD/g86OVZyv6pkT6DpU0mHIbehx4SmLjvdkvfyt8GNnA2Ce4ZGLzdQAmRFc20aT1F4UBbUhJWDr0jNOSOhqPVEffwaPdoG4ck630Lsp2xE2tEb0+QbXQLwv9OiKvdPtdQAUUTsDXg+pfUY2eGhaolkpbwqk9X8aO7a1jeDx2k4ki3fGF5nWaD+7x8c4hSTy8SL8TSVjILvzA+HrZ9LXWBxy17DZDaJ2ieNQpSUC0FFTB/TZZYLZspy9q0vvhhXbAfzBCfVOKrjqElJ98sod+QHk4YhIu/ZK9QeWlPeaVnlzmldGUG5lrF7s2OKTSKETpjiFImP/7wlvDFpct67uiD8R2k+eJhNU9+/Ac+cb39sP9BzmZb4TvQ8F52wjgJhplWoYIgDUn85IG1GFljdjDkjVXvhaRKLv6DVrnU8vRbckvKDSEUOwKiFlNvxsiUQYII+SjYc1ol4n8/9jt2/EbTRLJ2IBf07Uoc9hNfGevFGZ7iXbuaxQPfdBGOOT9t2MccMhEEgHOhICYlkv9dmpXQ/AykyoA1BsWRIP9dZDyte6BqMxa4NzpOJOLAipIOjBEphsmdaW3l43tENiTN1hb6Qa8TCc2R9vhkhCi3u/JN5tZzNNW+sB2mEnyxv5dewu6r/bpFIb9oUZTKT1K96VSXIdt+16wbrJwC4wujl/b1jl8qmx8FvhB53Vg/AJwyi8hU2fHHNUSkv+8sVflg50WgAinzNkDqIcS5dcylueJIqtpNbMPGmIM16RFRCppBdG7CUzlgYjxUoInq7xorUyFYS4q/vnpIT/0S2fIbNPi47sATd81rC2YXxRIh7oT/ldyfdsLU3DySEzrY0T0nFF84iQpigE+MwzlbzQHba0fuSEDyU7Bhsc/0W9EIVn2xfdw+kxAR3+EOUeS+y8qWCY1JyG4zsYBPF+T2YXsSKdbP2n3OSeU2vOflxqI/5xnQE4k3eAI0YVGMomlS8yMrqU+O1pMzCWW0nVht1poJPyxMZLcplVxin2miP2tDT4nHFSmrWf3i382wQ2rq2XznnaUBQ5oktgUKLwHBoOHogsNg9j0YXxPTO3F+TIKE5sdjn1iGIaZCJzhXoG/56aNu7+yPRGET7rQwjsRxxBbp40d7m1IL3QhqwgMMfssGiwXB4Up+fiwOEuyC5iI7fuw2/gMJjMoN1kLJBi3c/k+HgIO6UxVGnnBiCSFIpprf3+xDvIhJJPKLBmYRdhRNb/Px6LcDlFymFbqB0kk9rynGuwDokzQC5nVkbCohNL3OjLxsf3tVP8BLvye9anPJvstbPFcnQJoF5qBf48hbXwmfOmMsGp9UeI5TZsmagFJbJN4DsYwL1r/vD2xW5ASuy9EC/jYTIR0cTHL/V7k2naZAiajlR8m2o+vuYu55godDTc0quHDeY0qTiNPlu0Z5+YhOAR3ovSj/DIvrLxcyRAW82vMUDrdcyhtqQNBDCKfO8PewLjunat765vPw3lymbmlD3ZjKdunJVRjrTSUXrvbZ64HcYFmIlfK+hB6O2AwlSlq6VKwTkaWdlDLTnVqyCWcdKHCrjx53wRu+3gU2B/m+fR+9L5+ztFRrYWtsErYxWdQayp4O0aqjZu6gMVcn5Mr/fxg+REN4t5Rtmpi/XiQ3VD9JQP80AB9WiWZ11OR4KAkT+o32TW8X2F1UTmSPCBZN3z5BX8q1zsTj++3tG2ypGa4GboXYmXA72C/scxq+8aEvcnhmAIk0qMEcseCvX6MO4v1tvhIHzPtJ43xTxrSNvPvpxxcXrFL52KkjHitnGgeeBOyZt60/Me6Yf+W3ErScMP3UgdtlAXaifuOQxP1m8/DRORs+r2nWzWaO2ppjQdwHkQK8WdgP51cHYxq6lC3oSJ5rnUKSIYrCjta4QjaLgl5c/OKSA93c4tj6qbddQjh+UrMbMTnBWMdyhdxRaxmJHopXlyO0DCA7433VdI5uWxh3mkN8dpdo/xfa12STY8d7vN244YcLLubBmCL6t8Vx/2BH5wJZNsaoV5C6bUGUAj3S6MWRz1hmScXha9q/vY10f0KVlcvfAcTOvOdOgr338NA5OMMC/6168Ydtxs2tfHieGqQedFdqlBGvt7JE+5s0S2D26Fhli47GCIXssntVaQUIGBXIvMrwRRYr+URWgGzzoj+73OGl2OgwAN57cg==,iv:Q44A93/+Mm/9OK9DT3FL1Wud/jrF2r8LmwEfGi2Uhp4=,tag:fIseI++rxOHtnylyWqgbrA==,type:str]",
+							"headscale_derp_map": "ENC[AES256_GCM,data:Uf7euNU+BXiSP2UCzkYlLWVm7GU6Ya/7TgOLtvsSkJzPHo8aOwU246fwFbZ/vAPTetMul1MguDqpxn1PvjndlLJuMQFy+qTETIc0a1SCVkatsgZHxVS2jfmp7L6+ZltK8zIgGSbSAKP/9eTOruriVidFoIflfOEfwczEAj0A1sJQKKYKABdYhXhFQXTM1OGDgNQsYsXzM/AV9Fm0ER4W+aed5Vip4rPq/9DNa+DcLhYqQ19h2O+0/qNuP2ub//7vJy7NuTSU29ADWK9hH9fYsMlTObC9bWHKXri7p43WWKJsA4s1zdu74CtJhiZw/WuLFZ/ixiUtMOzAXkIFMvIxCMaxV23erAKv6L2VIt13B4XQhMHt3942WI8uHkDNZa6p/A376buZVP+SMob0BvAvhZVIZV+iXjFiFf0QCnXcUTuhmf8k1+R+ER6/6VHz8nDDDva6RZxShN2glVZvLhvuaRy2GCshcZ9b1CjkwzqZsHX9BGFz/quUbR18sXuCbFYNhPQWfwzutx2NIbpLQSTvG5irvQapxUCR50zXTivsYs/2tW2gbCctM757APw1Zc2A5W1eWX4neHiF0pmhXPzPp/AGLe4iOs0neouEKPwZyIJH+Aa3SLsjjpEp08s1Df9BUg5Rlyb6d8rkpxf+1ERJKFK7zHtiDSV5mL3pB//StCrayGSibB/KGEZZIYr6RS0ReNiWrdXrT4tn8pLE62YuBqwvjWtVeKdVOPWaFCOyYSTkf8FaMm6ibRKnUx1+jKzD4jBLmFOxixnpuD/8/XDvwAPDXM4WKt1fXj+zzqJ+T4tlE/zY26YsNQknop4kMSvEmY1ezrZe4inrYqTebiS5ssbraxs33ruz0WD2FgNzU2pVpl4Nykmuuy2GwrtfkFr5z2VUjbFyu6bOVTsn6X0TZWLTqMF4TBHO7LrGxYbfYtRykSN/8npZLm7RubRtX77Ugp+RzVw3dI1+xV7DU/lPtfxrR95XTybUJBfak5SxN77IjDpDy4MlQyhiy/nc/YX/poibCdhTGXMwBNlJmkJ7WgIaVUnnmUNtQ7eUw2qURMrMpOOHqNKGYsTDl2uSiUe+ZJiaHUbm7+LoJxUd1dkU2dUm1LAtMRwrKpQK55y+20lmRw94U4Q4yaZKcpUM0H7+fOpLkSH4938Dhx97Xn8/Nbj5fS6MTLtbpGUQA8bRY2AEhepov5UCrE4mcTOX/udA9qW3yMuGR4EuhdFgC2u4RImr+sc26NYGLGvr5UM/Vf7GBUOvJhN8Occfl+49+8TwXmKmlYjvn4X58tia0vTlP5fmvzyR8N/HLpEVKmk845RgKKCZYC46aq8u5LCNMxClGwGT6GG5p57DjRqFB0RLFcUbYCM/QhBTQN40NOTWR23m9unQ+rdDKEAT/zR79B0kaf3qd+GFzb6148U6KnwQjBY0CclAgQtkyttMEAeyxqJHVPVx3urUgYX2P4YyzoealxoxPPDVm09sdHu6jmu5/xt06tfBLBnmaxnbKXu7gPqm9+/eBix51J8PSVGZqpz44wGqP8lfi7m+Wz67uWJYGWVuax4TQ9X0oZwbcF4h/x36yPdfwdPRCXA1QA67QCkGHRIB49AvKR5FesplRq6P1ahrd1FaBSv3BeHkC8TbdkzOc/O2XF+9EIEW1hqVrfaJHP0URjCDhkmlkCcLElf2rFUmA4XCzUH/7Of4f3RhXLbf+BrhcWLCt0kL5cc0MYuTXRiio7HC/TmITSgndh+5SNKHeQIYzdusd7s10d5gW/CtQejVaB3Zlb90YXQa2Q7h849TpF7oipTCKhkwOIBWEnYfJ5fPHXn+F+4Hc0mbHEOc+nITrOu2dRxHDKqRrS2wscP2QlMj22A3jnRWm+BJJA6DpjpABsPVJXeh/LtQcSpjS3d4MLp/Pw3w0a+cXJQAsiZqqSJb5EHr1cJ/gzvCmXhgTRFmU6stHBx2LbYDWbIeNXoQSarNvB//cq/0Bt/RJ/Jqj/UdxQ1zR0oBkyF5I5EDanm7OG/N50GYI5ieNa+InQ4VvhDZJwVozCbV2ijkBrQQ2p3AFMfrdaxAJLdsePcX1knhPiu9vc0pVeUwpjdSNpM7Q7xsag7FEM5t9J8bgZPpK9Vy+Blpb0JXrmCvcMVh0YP3+wYayKYDVwTCUuVSrA9z9Wj3CDqvDCD+/+oGKKQz14HbxOe86tbfGFYVOWZCHvuaQMCi/szzn6VbiNbSYh5njHuDvYY00rzB4AQ5NYAEEo5vr5BhG3R2GOvu9sL7EMTdYRz8w1hFJGhR1t9q9ePBp9Oav1MZnXmjyv4ADPMCZwj8zAKzKCsugB918LO2OXYulzD07Q7we6kaAOM0M71BF7blS7mqTV8pGtCegMPneucLkTDfu0NKcRko+pFHgc/bFXkVe5A1VEHTZx43KjvHc2p60zWVqYc/rRpAnl8Hv8mkWE1Evwr+wCWw/V5y5LZ98VHsRsirU2QgM4mG1TJyfYCKyYnQaNQy2/ctfKWNTxNfYfO4dKbQzhJv4SnrQbbRg0tb6QrdpPsaTp6S6+r+tVIqARY/cFbHIhFCW5I6wHdfcxtQoabQBWbYw2I1sy+gAN/WNwBzqe3nnG+RHJs7ZYlsUKR/QuMy4PIUfJe+WiBdKKffyHl5Sc/mGyLJEkX6AgC49hVmjMu9TZiAhcj9KiXVVPNJQh0TfvBplndPtILfOcf2MGM7CYcVnsLJ3WK1eM/fkjl37CUMHJWqL+qj7xHroatndCVkjTUrSzW0U7byTqIkSBPx2nmOHZ3RICF2fqDRfG5fKqsXcs9t3BlcLHQ9boyBI4ZNQc4CcIQC2SmAhfr+bMR28qCrsDmxmkIzkJkFuxNNx73vzzqQfBWidsk+csMGcu/OrpaBkDuCG63OL1PbFtgmwgG79qt2ESOVAbBDK4m9pe2AyMhwBXTmCbSsZFEf3fUTGiwQsf31ozzjcBTv7/c5bT9/w7gCEply0nJ4xho6pDKvAoIbQ1nDUCYmB5UY1kPuc5fTT1pCHfiKkA7FC7qNKzXeOcOzR7QhwRGpNYP5lCyLQEfTfy051ITiiKX79uk0RuXm+cD350LVLeu3AvyPWm5iSxSNEeWULVcTr+op1uBdjXaXlJb0pnia54qba6JmDdsyjlEKYLtDc1GDDJVBjpeuYfPhXgimgoYZ5idZeLAGNjZBGM2IaMGBo1LgypSeADudE6ghsnmB/UFi5ZBYIkuk8dSpwa7ZjPXysL84iJ7RTu2deWAjWTTkkppkMOCpmkpQe5enOyrOr7aGrsqAOvRIHKzVrVU/gzVzPYSI/mUAy3o40Y7ig/TYksgPez+2CQ4uTXHwHJeXLARuX9fyWYJrgRVwRXtcjke4ZZjgZAFNmc4+wCyrKu6V06Jp6WTbzhykR4nQMjyUKpYyt371cV1tIrGdMpINHVlSLPpTrv/NHfMX+GRPCP+z7glCKCjjVEjvFK7LVLAOxpMzNJUzEspNPGYfCFkNPQbV3N3D3795GdVgvj3rA3aNTJueb2BU1v0W2edS4DiSD2Luvezsz+z9CPEMOPohV27YoFiTAKKwTZEPPvNrOEepzC7mxrTIMts0Vkw09+Ku/9L87a/RW/17hFGqaKrQ/zhvynRK1gTCLWXfj+dB2KSeCbU2KOzKQoaQMZiMsSFpXQIEGZZT9CHSNOoBEOglCLiKGsEdnvj74iQgd8DobQfjhqwW68l/U3ukAOwdz0XOKa7nDWOZoJEiJlW8YEog4P0g+3S8JOJfSofUR7yW7JBzDOcr9+N2uscufv2rpNYDfCmn2GkAj6GURAcQqMGWiLBI9SUGSVUPSeV6jNjM/nNBqCDGpND4SZer46EqXWfC5tc9RTjEZsNk/J/EhYlzIRpyNllZJSQNNCPAA4A+D69lee/blChcDtw2vjeWGS147yDzOQ1rhxOJ/0ThEEUpjsLZgxMj/U8JjNbO/AS19w+taxwUabMf1DtWklFMqQ8O0M1aVH7sxh5RXe6VVzvzIX8iSUqzVbezt2tocfFVRoxhkHvKI1aj0YxrC3k19ItlPCD1s84JcOqfPUT8o+7pLbbFGfaIez+sqTbhhBeL5T2AVM/mzlb2ya56PTSqtlCIo9xIocjWG8hRz9OvGNTOxiQO89IHSWvJj77XBaSa3WgTzxK1TV54EpbqEGcreKYGTNFQ1qp4jbAhNH6z6/NzpVoZibXyGjoZXUZYarYebHhS+FvjrSKo4QXWcu1Mv4lI+e0E7/K+N37rgXvbRQAP30h9wHUPyG+UHkfJ02un800BElyBra0f/ZLPv3Gqv5DhHmHuSzckR/cw0DBH7PLYweDuzVd8HwMMNX05Oi+Zf0KNL8QNEBw/KVBzFduWoDez3dRGSvNKfcEk+BK148EYWeYulBXAWjxhOCMafTv9HxfcEVqI6wyZoh541cyDLJDNK5TyC90L9EqhsSSg5ZJacU/StuR2QiesFF2nJFMBJWwEguhrOCjVd+yaXQBlinqMvrdQaHwLQ2A4M6baOgCkz1nPiSysSLVMiN+8aBRnXCZAHTxRq41J5oHsgcKoXDXeODfasWpmakHs5mxS7YphkuRsO9qG04UXs34v+omfn58IwGYfck7Cu4KTSB8GDBf8yu+tmBmfKmR+16c4gRSsLkgqSMiwUsG/W8PMql51nl7I1Y7dzLUepnX61KN+D5aoTSWZ4owyLjeW4YsFvMMlDDVwxUwpENXuIJnkXg8jicnHdQOd6COmbQf1JnhjaoxhbP5i2/6mM2YSV/NO6oy9brUofHrFuNkqk++vLyBJhPImVAWnmo5iA6yO1oHYfXX9IW6F4nCfBvIsxmpww6OrV7jORialMBIZPGt32gos8txFomjSwR8komYtxH56Tr8owi4xqRxEL0g3u8QV+tvZeZAT8TN5HlbLOY2RIkrVe0FHeu+3PQKS21ypmzQCWC6iRV7LqHBzlya9xfwbnoU+u7PrJkRf2La/FRaxQy6bFFsgx+VHMIkHbPoCUENn7V9qDjSZ74KaBx6MUQNOUkV88bdowQz7X181hJpk5Rs1l3jebwQ0MGz3XQ12MKpZpSVpRy2Avlorsz2zvCtdAfMKXsghN/j8oa0oyFf1wwsRBHa/M8wJVdYzI7pIMVchuD0GPFwuVhuIGbcE2QRGsNMSZvWV1FWMocJyVkYBNivcyqD7xhOYUWpE8S27JOileSB/3n6XjqIBXgbWGFK05LsRBYp6xmuQG6oY4jO1+IhTeW1QGHa6V+gwrh9nHELTHCheHubj09hb1egtqVZbj1JbyYY4mDAy2f6RuY+4jIxZ4cUOwmenOXWXN3rLZZ2q/Wq/liL0YEJa5GjbRWM6JB+iyFlErVgixZaA+0tYVyyGuK45cQMgswi6J76OAPv+1OJ0cNegf9sEI1x2ZJrQYhg6ATMZ/hINoNgwm7t4bLzV5jbCx2PtfJ8mt63RKlXS3637XSmMRE9V/t+zgrQkq3c6Culwy5L2kUAyMw+ygwVpcSY4j/kNRVqBXiZyl+fl4HbBIuUNGq2k+7a67fHuSU+xx1hsWaTKC3lMlUGXVRicWAm4pwUaofCMsAvfUiG1YAn5LSx/X2uc80EkLZC1Bc70Gja2piQTK0KknOMlxGTeF/STyc14hnPzCXqQ5ifO/S8621lI+/gqXcMPGI1+0qbE88lR5jklDr7vNXYKB3xjuvTnwI4reDDzQivNX4PA0WQxdQtqhiB4uv9t7Qo+teFUw0XRJd9xqfxg/FsiErj2JEPVcGPi4dAd9jNw4LxsFChUKEU19ufAWUmLbO1lyIQSt0t8zYLtXm346dMWlay33iWS1Vvo0/d8RG9MsOtCdguXCqL3+eUN00iONfipQ/WMuTyvkmKpitaYVXkB3rETyCtO1bnvl7blhyAUXGrQgAoo+o9IPZBxdD/j/CNIEI77PdjFYmFiCJqjg3rG/3SSajWkuJudcxIoC0fld6JGVFrB1fB0u/dq7ksXiqY4PPl+NuHLwNRfBu/D0NN27ZHA+PMbPkEl6VWk6mfz6orJniCi/H0FlocRC4RNA/e64pBt+yd7RrXXSFheCjn+I1DAYwZPA5Ds9a7c0Ja+i3LXVLNXGwuYBlBuJIHHyO63Fg1fJCbqwTVsNkVfQ8yXOKSHCxLBQrQGYy6DIHDygGIHuWrDYeXyMT5+7uD26AZNoXA6vxTI6gzh2qxgBRFn0+yYmdKlTAquw+I5igN9qI0IC4fUjB7XOtdRinXy6uvUbaVxaZfDgpht4+oHgKEZfcQvDF/xNmam9Jpj0R/qdQ73W1ZMa9i1hwkRXIwUgoIJZAAq2OpMYq/hA+1qfA8bq5qexJ456X1ds3mS/W3kjd0SkE9xN8o7LQ6bNomZHoYoPsBfL+PFigiT2c5gfytIyyrrhP2tuEduFZ/GnYxSrB2PqtBlwII/0CmdcX05RjL0e0pPWuol/wewVHkKFaxfzQSSBIIhdPxzkeq+37Zc4OzpoSj2DpF2D2T4FputbzrOjC1kAxHmFXKYhzoPwSl4EXhIq/O6ZXiOB3suRlZC/DP88nrAOPkJeKSUF2eSfdSGiuCYwLaQVoSi9BuqkQxQRIGsyspphQNLlkUHVlCELJ01vpEvr1LffcIbsYkyK05r3iCVOWk9HXxbgCP55p6gkUDDHo0e8nOGyS7kuGSyPOLCmIHargus3mwfTHHdlqEJ3aXsatMUy6O4cYfWktThwXDhqH2FOgjxqGBd7JTylI6yoWUrU24EgXwVLrlaK9tr6WNVXqzm3MVULQrD3Sw/il+kBk3WiOsVZyCHDb/t5nfD6B57HysUIJzr2zVSKmyaXqDtDfHlcjeTHeYXG0hj1rwicOthB2WYIz3qJU1fO13feQmPV59VLlHq9hXMFGLKzlPqDEBHRuRG3xKa7D+sxzqWSLx40SPMuoBNIeYpCKYeol52GV7vDr7hxwi6wwLa0iNUev9iGs6JVDDn4cmUZBQ/3aX5EJKGu1yDMmIF80Ntxb2QdO0A0ghJZS7QsE01Gs/R6L2Xn0QSNcf1rFxDvyRpKIUaRCzACvXmTXwpn/tOznLTdRec5k4W5LHenlsWk0oDXk7Mi2jKCTgtVrMEtLVTmoe1XG8qtTvHcZ3SFrNJroV2M2WHw04bm0vJX29TAgyybmE9M0/nBAQ23e6jKYNhT2OwHf+6RIEnyU5uVgqPBdEZxALyNahHju3VIvSe0usBBZrnijS7KFvCnfS1qtmR0rCWMfCicrTfOlr95otVKEsFHvcO+nupSeycKig9mEp1m/pw+lWn3mUGTGNPP71m6Z6HzHAPjd9ukUj0qkN4mXB31I+KX/AVgCct+5FaShIDnoU59thZOetQOOwlHA6zDgmNEp9a5FM66xSDSiX5R/XZnVnrJSrkfFm1ihHEthV0yxjEiwMnYOKdADM0pED3Vc3DDTKdEINhcKngRL05vNgMthzsGuoO06Bb1r7rv74f5uFJsxW71x8IpUKgYCQJ4/GmoIHa2R15rL9vS731epJmGbb4kg1gRSpHSjM47/HRXLLcOBjALMj+5J7OFUoDzhr4HeP484gQU4rKQOsCr4wM5Em8hCvVt5Cq4FKHVnN7tshTeZtOe/vbqUSXix7Dx4SzJ0Ers+d7ZcwdX9gFc6boj5QdGqfFExUjsn51EYg70RqnruIObVU4SV3quejT1rpx0oSivXmlEi4ncJjpgDVDeZDVwreFZcHGoLC4I6pR4U2yho2gn1SHP8x6FWLILuqhXrJTsFUE8i/fA4VBsRiPOeirRQz2rZBywkz3uGVNahqoSgfU6OGJFdHu7+qlCWGhB6wg/+lppONvRt02zAxpA3x0FGp7EgwZLMHcxLQuq/ZF6T0x0kVMmU/BnO5j4RkD1cPM6dhgPaG4rCvMI+sTfY3yQuwHV+iqfOusEnfuk68TqqzT3uelW81BeIxZE0vNC+KlbolTQpAU8ng0daL3iVcOaEYQwaXXaByt+VkRbH/8a4t9EWLGenVHMcy+REMM1qcpYXdmVH5n4/TX3uSlMPs0mw+RfeIrqG4cOB80+dUECI6EZ3MFZmpf2O3rT90Vh5xA2H+EWxhFtJG5UHvCcRLPde/GbcTAWqDnsvb3NqclVuxsyTyujHMZZ/WZBLZevMYei59Yt/xsNsOxEixm8ad0aWhspu6kSNqmneF8c55ZhOlkousbtuyku7nR4P8eHw+b6ZD2eBAdLXMQEr6DG7nbFyHbiwENSjjyX1Tdy12PvPyRVciCKQtrCXKNb/lDGGOnZl57ihaLnWl6bYQDH0jbAwqg0H9q1g/FuI99AVOaPPxnkTud1XdRVTDuA4wn7pIMk/42U2/io3SVOJzHRcGcC5I+kYhup36Zokq7szkSK5S1mzuFyqKr2He5Kxl4979p0/C4705iqtGbp4EcBrWX2RGMCMm4TA/cESD0o1/uQNVLVNUARURaN+EgzsmUf/bD+u7J7NqjhaWITOvM5oHN6aZkpVDXiQDRXoV7nO4HaXcock6ozQ9WlSkUnXLdumVZ9jur7VgwL2f55ggX+mwwgTIypiF53yE7hzviD3Zevimx379T1ZxZQtb+jizyC4MUpz0ELTez7jJaP4ZfpeIoiEs6uFMv0TlLPWLp+S41QxezxW53L3bUJI0Dua60zntxt9DA0nuqDmMryFxF+oQ3o8rBdsnJjCZqVPnLoYBHY2/Vjh3OH+Mqm8Oej8gFptylLNuV/2Ilp/TY8GeQiDJlmKpb/nrsxfNfZdoF/NQcZKZ6tPUQbV5G2Axr3FRlMU79L4sDPzPIaQSX5x0yKNQYK1c9uo/WOLZb7m1W9JMDXS2lnUhqpQfZuoEAZx+j/4gv4rzttxTdFkNa3HESd1PEf5zbEJhJ6Zb6rRUCgDh8J18JWkSQO9SeDH0EJcEuT6oRYY+dnZCSXuQAEd34gZTVjAUasjScdQYTjzZyanSWalmHmjgxc26aFL2EamN4g4nu6Kyz9kxqHqKg/d6k8zXj2YLYUUgpNxNebJlkFsN3DkQ0QYtLjj0hjeNnXZGiRYgjP8NNgHe4oiNln0/q+Gi07ogOjHAqdxlLPGC0V93Py+B3qmgU068FU9GbfKAY9kNOTJngC2AMsgTi1+Ur1xDG/Vaao43MhVK0j69W0xIxnyn5bLr8vCMDBah2jwy2GwYg0KxSOL7EMdXdmhOl6FLsZXZcHYJlSQnh6/cFTUCLenDOT+PLSE58n9LSzIdJ2m41dDmaNnA7WdCufztQbP52wpikqVKfqd1qLDdCxholda7p1/TSu4bcAhRHGPh33F7AzN48YBzIhSL2oWnyenyQJ4/EKn57KfGOTVOsOWZW0H+Ofjblad3XGVFgzKunjZVp8hoHosZuyMJipo1ru5xRvN5a0f81tfb8Wrb57vwxucEDgKF6QzUVnBEATE59E24y3lpJ6n8pp9HJ8c3tw261XlZZNMsDnS24HV7vhyQCpkaW9GNXRJed1u2qRAfGwpZluuQJKPPNn75GQuFxLoqJ7yYBccnbq1N1sQ82/z3i7SP91hWQZ8GD9Rro4gNZVZH+X09QU5HCrEPAnURSEResfPavpYC9VgBN52iiKqq5Ir3Dmr5LEi9bmZ7jdpVUNhr9+Bz8eQK83QI8LjLwN1n0Y5pdYWbBWQe/s5XYgCuFyhtClo5bc5wZnCy9+nDkZed/dkUX5selmp6TMvLUJ/5vE0jhfaYw/W8d0PCTU7KNEUYkHXcS5OWNMQW/RU/WzNT8cfdn1zwJ8W8ONIrM2YjGFdwsXiue9Cefq/gBQdH7B1sqRbZFr28PZTIIWsh1fXBjOVByjGFf9dAn2Yi1y2Zm4heEO+VQ4EcJmce+FgAREsW+fQZAZ7V50gJe0mv0ZWRnQdJBUeBYBr1Hb1dRjsemhvBjIwtPg2oZxUMv6p0D280jt+iJgJdSqM5FRlEU6Go=,iv:q0VxE2XJ3OQXizqFyY620NkteUpbuhi3LV0sC4/r4ew=,tag:QFIm9e1UwnWWoZzDllPMNQ==,type:str]",
+							"headscale_ui_api_key": "ENC[AES256_GCM,data:4IkuB2IR1QJ6P7jjhc6Yhy7g+yK5dMOSFEln2iYILm4E8zP8uxGQQC8bofvbIcMKzl9w9L2oAyH0pQnW27ulWg==,iv:9vMLqESn/Po5LfEx5Vuuqko3QbFLJwwBEWbFhzncrfc=,tag:3L37R5tKzSdfR5+ve0/z1w==,type:str]",
+							"headscale_ui_cookie_secret": "ENC[AES256_GCM,data:4xo03wVuDfrKzDDJJhXQLOX+tlRRDgCmL4+NUpHOBL5K3czumtN0GjJDJGJoKcosuGHqgj97IHMlxoa4DSHShg==,iv:ln5bQZzMFtX9haBrCcrybyrhsCBg8Hgv8Y1xaTJQhj4=,tag:B+w4Sr2u/wTHNkmSUx3f7w==,type:str]",
+							"homepage_credentials": "ENC[AES256_GCM,data:0GfcLEBOFCZUb4GhJTQSl04pELjVyyF5dPlHqSGm4jeXO6ra/3vxyE4W3520OTzruSu+9APzh9T59Beq98qXjpI6Fa3jN89+/htgf0Pc9JoCE5J6zHQb/SZ7Iar0p29uOkGeRMODxNbswF3hshu+ZNespI7HzkDumeNfHAozkZOC86pt0b39FckNFB+n1/5Yhja5wKpZaT7mWQlSbuVm5tWq7ygzcWtAcIBviNh7NmlksDyJFYxkXjxb1McA5cechJgVAEod6hTDjDG4x+tlTUGIobJOTYLODsxgDb4IatSxZ18n6pNr91h1SwHgqCWOF3PRGi/AFStxV/KPoU7Hq2xHhSF+h9inFz/whgegpQ6pr7WMAshmhBwurfq5n8mf3na+WcdnE75++p05hBwLo8ulsLvlWEP8C+YMmA+ld/oINHd0a0iEy2O5WutaeJy6Dhdw5RU7o8vX2wiVBIxEsF2wIekEYItyUYjgGEEIocHF5nhrMMtrZBZWNdeveHsVSGPL1TmWC4+Yo0xHBFSqK9Z+4NypWH77puuO8utPCgxZFdVido9v8uAEirSa6O/mcoTyQyinBXtbskF2PrTNmRtTbsFSc4Ou2q+4M/wIykaW8g5zmV8UkJn0STioWRoKxq4E2PI70QsDp98cyuUgarBgEL36ldz/L/wWyVWIk5VF9dgNY+kNXzwO/wI40YWRqekiHldWPMBHs5LNyWRx7oj48hOrlnoR5y/Cq67vV6J2Xwtb+1nxG1VIBc4RGo79AiZo9ZZXF9tjYJYYNgcFmaMcAZ4q5PX9Siomw0iA+ZanepLspRGWGiyZBeqB+98jvP32e8LlxYI64NTujqnFjRbEsmBWTE956UcXKx7+Ltesbfl+SjnJk4h6QaHxONNa1l0dDZMN4Zb+gSVO5gX5XV1xQFi+46ovk8AatnlQ/ZaYstYW5o9hfXw7pvKrBdIO60oE5gs0MPuyDZcauXp69H9gy7HY0AXrgHk+ddov7cmIaPknA2pkMnZXb/HO9sosddvZtMXKGPQnEUn2wgEbopfXMZkCyMh2J138Y1dpWhpCVDOBYhQ2J7UaUJVKicuuKBgLm/iv4xOrSsWFqh3YuKy/WVxCXYG/7uqXG3Jzwvdm9OI8xavC7VOz1/eXpxuef3hgPofUUfAKXl6aFnKYsreuN0px5p93C92JTcOKZKqBkeyouFgw4T26ISiyD2duemsrfun5ScThANSSUg7MI9jyPizdv77jdFBxVzBwL2MsZNRl7qQL0nrBHYtaD5ipAShFCzBEdXia8mHIE5HXRNltOgC2VWODeqituCCsLlY4ZIgMGgvbM63MkE5TJuMxpN0QmgJk7GaraKU9tXT2KDja+x+dQT6f3xic4uugJwqA7Wqw997uH08ttUzZj04i9A5WpKepQBzq7GUGUpB3YNSkXnrgzSlueC4e0AmF4TCUqreIcwvlWcO2+8f8vm7f0CSOA5ILxc9MsMgXOJcYfqHUB/tEzbb88OhWi5Rh9R4ngsDYfMzm1/J+gv3FoiPJoSLTEmguEfwaBwScFJCtNwXE6VOTQDHZsRzrhydsyUjBORQC5oANqCNwI7VUQEjp1s32/pyZALsnOpZ+p3HEKK+E1gmcO47pXtWjbMRq32USCspr/7Cjn7jGqHo9BGEJmcrQkfLdVWOQm1tpkRVmXrR8lge5rXeu61sODkrZPwfL2lnHA/jL3xfRjgsKySS4ysfGYnaUlFTKXCrJIh6XZyUN7SSGn38aftTE9AEiHU12cKVv+AjajEVzBDepnawwpCRgZCCwYz32PPtsY9nDhI+DB8w9OHFmeqyd78JazTyB2fZW3w//GV9y0aPAmd7XB8dHJOsqb6zyxqs+4YPJT9GJCX2KlQ7DbpQUe+pYEWX6j/uPpGCH+mhe6/CbFYw1GI3GDBdZ4vHOGBjif3uXUBjYzxrcqGFgv2e6B2f4jFzygIRvRhOYiQPADTxscyujugtgAlwJPhKvkRmoPbe9lh/hv7PkVUXOXwSF4RUHcT/oDdE7VlG/TRyd4pPRs0qkkn/Z5dQq4va4p+EOoubPJRzbE7rdmo05nlcmTtV9U0u/T6PueErdtJ4bhGbx3kEul8BwKi3yoBLQ4+n5b+P9U93j9o3mcrDarBnstqIRD/gxux5MGHgIPHvZKaBR8pkzd60gf5bavo2mcVJ1WzasAepWwk2Dut1e6xaPAzhc1kWxypPg8CNyuFIFDnyYx3j9+5qOvgX4G4jfjwcPZNG40jKV2Hv5LjyYjc0ctt0h4ywIwTsrEeyn8vkDxIN38FzOP+gn4KzQKi72StciHB+irvBQSM3hEfe1JxSFaUuhKWvGPmNRHCsBZmSXfKYsa8D/2RQXLmElfhkIDEdJj2rBK7t9zq+Ed9lhnHya1ujKPjcC63S8QSWl5wip/1Jp7muvj8on3FHBhKofQGwygzvozugTc4RgW6TBjzmpn/gDEkedIBuxyB5oeuUT8LZRSmAYi/zPAb2uIvT1d64iWBjOqmPhrJuvAaz7fOiv6wKnAzALNWvURzyW5vYg2iKYobJwPMSPFF8om0pAv3uvJRiT90ZHZy13NY9PGX7fDX8Jy+6ryo65OgI48jac2aQvMhomNUgxDy1EuxATNf8QEvQXx8RIMWjh8KKRMXKqM8bge626UzI7294uIGT5xd6sptqYaEvZaLPFdr6wfcqxTgOiCuRuGiIkoJmmSbD2jgz7WAKsQFmT9S+XJNU4gfo9hb1WP7M=,iv:Hh3GwmrZZciovwjUsLSTUIiRHlVx9y576JlFwPCX2Dg=,tag:jE9M6hGi5y6I0vM57diPIQ==,type:str]",
+							"ingress_crowdsec_api_key": "ENC[AES256_GCM,data:NCe9GVn/BiM7ELCnK0QcPd86NIM0o8Nn02rII9au+xA//bfkUeJ15ebNHw==,iv:t+UR79lVhl/8ugIX2vYPQJyNu/josbHylDN/BcchXB4=,tag:G2iVMtb8+Qw2+dCmEwIz8w==,type:str]",
+							"k8s_users": "ENC[AES256_GCM,data:c4PUD13I7SF8b2+E7tYcDfGgkHJTISSiDo23YeBuFvzyI/OcGHWDYrjQBanHrvrLWFBkjVyouxgg3l9hKIsuPf2MKGwb4U5qroYwTud+xj1Yo0chEkOl6ecPeRLAnuAOL24xjAjBARB0WURjxFnY5/e1e6aeSPCSR9o3RPNoizfifpnh2IIdTdjYTcQG/xHuQg3Isait3xG61411y6Lu2JM2SUH0uVXORokihnEdmKgD7Bxi24pUN/h1CSYTQAzOj1kIuTPC1LJkp7jCWPFHPalFjoHYgl2Q5zyY39jLQCofbPMxq04oypQN+m/yFZL7kCd1/9wC+z39nZEcWeS/yoanL0jo+lVsK1caX8q76UCsx0m0ENRlTQzYGGBfayTonOBJDSfODoWoR8+zgN61ACe+XuTuxJvKCIePVoGYyJGsKjNXB5OiumP4/Au2Obb3zEz25r6XnC5dMJqbK62bWsk5BvXRX+j1ADcF9Mc/UPqJyCWBac7+Ge2ByKwfxc7eh3HEVsjzdlGl4dIhzlGJBn9f/iDJfeXE0dkaVsAc5/99xS+vxx04OCpX1cRygpTsEdOyCQPL8nZhoc86L+FGO1jjsXCfnBOfElGMgijtjl9kL8Jzu9Vyo11kxzUHvJ50HniWojQBMN2LZOuah88mRduYOM4RrGvPvxFTjXriNvz2JdM=,iv:mvKALTjjxuA0J2UZnrXVawS/sQxzeUsDQV+Ar7UUF+Y=,tag:HWZEokYUkuevbQLKU/DB/g==,type:str]",
+							"mailserver_accounts": "ENC[AES256_GCM,data:WDwUc3yfYMDA8PDha1LHqjdoga8Z+hA3r5/NTtZf2qYgZDbv+IbDf16zfkKMlxauBOGvxZTeFh3/1iDcDiBK8IhMm1auNxzg+KeCQqlAYlL/9aaRZqevc3l9dQhyC8deGi9UeydN+M7UAyWQ8/X9QuY7bRWlqjjSCqjnoIbMU0kFq0bXzlyLesVm5rQ6nnPFqlcYVGROjzrjwl1Y0wjNutHX5bMUniRvYbSmD8dtjlyKY+YhH18zkT65n/9ss7Ij0vcXQjJjJHJ5tGq1WS2S6YcakDCVe8jIW+vFQuHze4O8dBdvH5la6oR9aCBqsJPRpdfLyt/Y0I//NeeAeKymEw+P2Yzk3R9g00P+QfLXKtTnR9poYgzVqKOxP7HhEI0a0MlTr/JSw+gmUZzzv3+BwRIrGH3KkbYKeClowiZBMr44duT0lJTQeSdh3P21fgQzFsjC0a6rj7awiO6TKg4a4llFxXNrLVA9BW0Y0bqNtCDY6+MHir0EkscJIryIwpPdvfQWLssjvEffIg6Di9/tP4tgcOlHS7jLQppYnzc1ZmOyR0qgkt4zO7W9Wxmz4MxU2YULI3kAsz1QhJnIhW1EqmarBalAYDHDwP01NdUWWBDCSZ1PxkojQKVIEAQP7AffJbRsXwEwg7NcM0+ZAVwHK6L77vo7qHy19+2Nz5rQX0dZJHt0AZwOCcrYtpB+ephiLLp+nwhBUMQ2dxm6jEqkgPWdFWV73bmvmCHg3mpmjL9oGghNzJFhwPPzYrWtRPlt55vL+CpHmbwUBVL2f4lkgiFf7XiDnhjfk8ck9/dTYTXkUZ/Ne9nxGf78k1OVfnD6k4vMjLVDNY29IjmgZJT6aSrENfsqvbUfTQ8VvBPLlKxA+3uBE8+u3dAxpen3jEWOjkRO5ZYFIK7gUTX9kYqm,iv:20eyCxpIP3qPKhdk8yss0bIaaYWvGgfTFowfH7N1284=,tag:WC3UYmrOD5sWs0KnRd82MA==,type:str]",
+							"mailserver_aliases": "ENC[AES256_GCM,data:4e/ch9HB4Q34PyMzfVwdBQyPom14jjgrfT2jaBqFZoNXfRQeG9QupOJiZjON7PlPGWWpXtf++pV6Mv7r9Xh+TztSESup2/s9RZ9QNrTrxZitG4F+vggiOd0EBKEfJt84IqKIuxfTD7DaMgTPV4MuVp+arJREQXlOunAsG0rFku+LFcdeTN8zkETQIUX3VCB/83cfdQ7px7oDFImFsp6mOKHiDzYLra+vXoSTKO1uxQ74sh+rEawvzBDapMdUwvGX6ag0lx9HWMrHnD8rJlDj+PpqT41Olx4/p37xst/k67kiQwD7gDxzGqBftLUxIUvtHy0QUl//gj8rWSU2jKeCNNpkPojaqnzw4TuDcM7fD66RKqNu64OpkCOOMLwO/J64RgBI5ujLGtlu9DnNhA/2gY+D4/Hrr6M8kPYXnKQyCW7qEJ+Ee6T44rF8OUcYZN7lV35KZbjhu/5teP0qbC0lZtesWPKfXSHGra7RdbhxxP8ne8GZuIuZucGZ0EZ4sWl5RbwbIJDdn2a7UQpk/Q2WJH0ZOiewP5Kn3vR0RyOEUmLnaXjmLgmhi9ZCu0DdOhO4e+8hZMT/a8S3oGN0O5DICL17P4PT,iv:6VZAvbjHiO4ejCXvvLJpOdoXEQTzP5hddIx7aK3R91w=,tag:mK/u/0GKgVhmNjHZBmHdUw==,type:str]",
+							"mailserver_opendkim_key": "ENC[AES256_GCM,data:umatDdvngS0YekR1o55btg2DcD1Bkpneru+xQnk7uxpK1BbKGLxt1V+vD8ejJ7nItaeizfBd/VMbBr/Y/ikMqWKt0v6tF8AovZMQzGcfIo8W2JIQB+DqO2yRZzBfkR2pT1dyfb/5R5hqogkL1ZNXIAoj/83xQwXor7hVzS9PBIYKZePHOvfKIhR5SFm5Co9vnT2hUQIR5NmynPucR/J3rqHkU6QWa9BtN/TGmkFcgRLBQatyEf5CEhkFA5kjTYC+NPeemzgfF9jwmIdwJwrrL11pAK1dTTYFWQ66cr6vSvWuMT8M7d5fmUGkpQsUovmfDBniYVMU2i1FZtVYEuWOmke543DtlBn9G1xAr8BYVLyCMyzEjmUwwhew/hvvTon+WyGsxpidUKJcvm/0ITn71uX0/HDKpC3o6gZdVwQhBn4KtSdTK48Nf/E7o1SpY2N9BNAUaJ5NcnCXHtL8YlCoMUm+EHmwx2lV39wNc/ba+YhHnP4VwGtpWsIIIioSYRYTK5yx3k3fyUC8l/Vy8dhjv3umjNGliphbdQXd/iEv/kG2LzBpaiVQSYphtDwxkRXmYj6LvNhtkq00XseFswEimczdL6OAd6cHCJvFyhp9ixSNtQQbo/Z3cJfenTQCDP0Udubg74ITlVFj+RwvQN6U3nemfQbwLdfEHLsXTiQBtZXyUXNLxlcAzPIGKfGetgps5Y0VX0zVI15OscqiBanPtCGo61wiTA4Yd39QYfeZJqKAwOGAerpKSZUoPGjM8E2IWgNpFUEGfrYJeIxZT8c3v7pyFl/tLnjzZHDDg3A+/G3EK8LdmwTyfIc75LIyEAchNMRCMAR4NI3693N3VmPhCFsmeKiE6IrPwXAVCh/uveS/A7vWHGf5wW6/FWCfv134Oc0KR2lIoiQASq5B7B6BOVLH+Mt6DoASvd5O+plLIB1P984Owz/u95YR1E5iWjXAFKPhOMmmBdxD3d/YEgbL2bKFCP+lCa5JMrdnDJT5+B5oxDneiFWRluLkAHPeH3rdb+XKwFdOymckIXweB/F7Q3NqwUrfdiazpHHxMjDjovjLA7qxZKIem8C5UceMJZgVQIjFP7ZciyCaWTHs/DnMwfVorX4q9pKdHiEA/8FIpKfPMeFKYAjEXELZytiUlKdyXD4teCD457QxsoBUF5JTEHAstv9s/LdyBDSk9KkStX3/p/eL20RHehe9f1G0y5fz/6UGttWQUmRR9ib9zVSm4cNaduZd+8IOoAwS21ct5UighfA6V0wMkRvkenuVCWJheoa1SngvCUOUxSDPLKQv6SjJq1JJVmKnK55cggbwgK7S7k6Xg7+Jkmp7M1HIT/5KezrPSq8jxjkQnZsN/96Sm+97wm79Go6DWdy0sdHkqEzPwji/Emx7aHe4Y3fbiALeS4aRE+RdiwhWouImPJLJYnCpT+tdILKTjROAfDuTIN8Zoyvz0at3NU0Sf+OP5B0NoPuxeb0K0u6NW0kUmzPQ0s4OFp1yDzD2uLd3kUuiWJnr6LpdBXg/YEELI7K3JAh0TMtb72gmjIWlp0HTM7rxmcKV+2vkL5upVpDQibz8AF5WexnpNvh+E/LoBEPCnYsov76YnAZX9jjvBpWpIta2nnDsLnhy8uoPD/EMsFpnIsYCQum9JWaOLcJt0SLdF3kzxqzQaU62dhRCqe7oS/m7cJw5YhdkmzzDJDp1O4JreT2p1yGWnrsLTHjW7zuyf3adxBy52RZgCuw1iW7/DNLJeP70g6sWEEF8WJ6fwPRayttiu5zm3HtsATOma7NekPlu2uNuw6D6YsrzWYXcYud1ymSD5NLsk7pIaBu02q0xp60E76u3yncMql95DAQlQPqNjJIOI0utX6Asndh4l6NFDqnjmKQ9GqGNq6PkE17vsw9fCiyxEiTmrPwdzg/GHu5DqXsPn/BKRXoVayMAOvgjfLSFo4Og+lZ2CoWDu8wDvtPdyYnnRu6gRas2C5M2QwnaF2y10Xan3ECAA7PnEOu5uBWGXlHauVknxROa8U77SMGNg7bzSw5Q3DNEM+hXeb5vCaIzvwZThWJW2wVgCE46bUEUfouHtxsKm4ZNKx8RQHYLWZEZdoEaKnrB1IpNOgLTf1olJxod82hzhxnfeMcVihxZFWkYH4dDrTZb3iD7JaPNoBSVg7fJEyPDU1LO4SXJPxzzKti9Zs+0q14crCyBKK6ACfTKmRRpKmyIOKCBQQWnnK6oGbDdt2o90PRlFIMPdXtwKxFdAP/oCrfSDwiI+Ylw+V4FOvbbisBRhQ==,iv:6tp5kuOS+n/N9/OqSH0jNsukmksYLdVO2P2eo6mqmkI=,tag:/MVUcbeP5jupA2KZ0Em1zw==,type:str]",
+							"mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:R7484B4Uak6Uuoz3O4I=,iv:MXPCSHh+AT2W7ra8sgM1LoSHGLF8UpucZirpdTxo2VI=,tag:BoSgHVUJX+PA4GLPQFxCeQ==,type:str]",
+							"mailserver_sasl_passwd": "ENC[AES256_GCM,data:AlWTEOBuMYTDONrK1X+3i11WQCDE5SFOlFTDPh097DO3AD09sJHRBZMbEKLpEf66fYRXOjV/gkV/LGOj44tQ865v6gorYtipfhiuHA4HWbm10e08GbTbeYmpTlQo/R9d+2BLpTdCdoKRdr7KeP2jh+nDaADMx0ZVHLkEAqHZa6WSzsZvTorVrc2xPhggVQv48ys=,iv:QWpOOR0SES1YnnZOOeHlqfempLtv3oRMzSYAL9/l+1w=,tag:Rmv64fEI2pvKPvUJSEbwpw==,type:str]",
+							"monitoring_idrac_password": "ENC[AES256_GCM,data:6CAfhtkU,iv:pUe0Y0EqOcMiL/qlhPaxzP3JIm/3RVd18ekkzULAf+4=,tag:MYPGY1tUTYmnmI/MaB58jg==,type:str]",
+							"pve_password": "ENC[AES256_GCM,data:nvhF4njEAy3kUQMfafxtCeFXTu0o1vBVylfysg==,iv:Lhm/e4SIZMUvMN/gUa5O0C18mo5pkSi8YnrEOfoA0fg=,tag:p6AsxDwTY/V2eAPczSRcxA==,type:str]",
+							"technitium_db_password": "ENC[AES256_GCM,data:7cjOxkreK6GcSDyKXVU=,iv:qCU31wYxx1deKduRDDx3KejKW6V1BhgHWJnhcfFpTH8=,tag:1riARTixnzY57UDHcegOkQ==,type:str]",
+							"technitium_password": "ENC[AES256_GCM,data:cwOnasHAD2eUo2SNwPCB+ODJbWbyyfU=,iv:7mDqWt6WxgpeJhPuzjAI9XcF5xcmab5ZwX5gQF7dwKM=,tag:qpOJUDr2YVHciuE5X5XxpQ==,type:str]",
+							"technitium_username": "ENC[AES256_GCM,data:vuvz32E=,iv:pPwrU7WuynUgIZ+85p2iK2GQOT2Az9N5mGIsWE8Tq54=,tag:jRLrk8afLzINSauOsBRuTQ==,type:str]",
+							"tiny_tuya_service_secret": "ENC[AES256_GCM,data:cYM3tE85S42JLj4C6Bt9sHQtMrqGjA==,iv:qUCN2lAJ/x3BexTw76Evu+nmEjbDbWDoPzUYl4t+buw=,tag:OnaVSUOKHBwthuwo0kGySQ==,type:str]",
+							"truenas_api_key": "ENC[AES256_GCM,data:FBsSG+2YR9c+6iZ7vilQffc6Epz6ZNMVttEfMhbJFrQy9GM5MRiWF0HXhIbNZqdeTBazsIndZtnwrxgp0ir+x7Hk,iv:8KkdOgSPfkecU2UGqB9XKNdghR4GULUdnj91KFV0VAs=,tag:9DQpjt0gwW2mQ3nN8Exngw==,type:str]",
+							"truenas_ssh_private_key": "ENC[AES256_GCM,data:cHfX0327Wo5rOBJlBD3v2V8gxCu9/BbkHIX4WTwg6Z/X9UKQw7MJpLEiV0zaH6tju7GciGrWNNiRzdABFxbbvILGbH9ORMM7y7MoaCBRcnMEVwf9MrdS9mSOnvGla6/S9fi2JDkxVDKRN9kjfNXUk3ussPyMMdSH//aEEdq8qwHH7R1tU54U6ZuCbER0HeLHlXobXs9uT4H6raZ8AjUIP4RQbgZcyX+7i3+n9eO1yDdNApYXcb3fWWkx8mxSaerd59SFwTAdICba1p34qh8BkEV3cFGqf91QxmVIgtxlsnHwIdkvuCTvflk8HHWf/FwWwVAKLzC1JP149Rdy1bHgalA5NoRAYzpfkhfvrKZTyhhPNOHetc7sUYLZAsUvsmHfeiWwMu2Qp5HWv2NR3QYwU1Ao3eGJNGsTrJMIfEDTZHuya5P0nIj69ap/KC8T1R3nE4qkga5bQ1sVepOzTu/UBD0I/hFiGIr9BjOgsM5xXUhpODA968yU0F63d5LA1SGC4kcuCxa+qWD8bhtu8g35XCyVd+6HaFGDHpV7,iv:9DaVAsS66zA3L7RfumL+GL0L5cD5icoift6i3ENphKM=,tag:ek0RNTFmMFEHNX+EBbGPCw==,type:str]",
+							"vaultwarden_smtp_password": "ENC[AES256_GCM,data:hSNUIaLJT0pQjuCWqEIjMhISDb0=,iv:S9yidfmB7sERJxHpu1AC+IHx166ppSjP4fVU7HVroGg=,tag:NJPZ35fwzpym1j3w7LvTOg==,type:str]",
+							"webhook_handler_git_token": "ENC[AES256_GCM,data:xn6QaSbsQx/NMEZKxt9Cv/ukzzk5QcOz/NG8rIX9iElpPw8SmVTLvA==,iv:A3k/WxJ43DaGc/iiHgI0lUQnWSsM8aRtTq9QJIcaD50=,tag:6oxqbCcbNBWYGmrLaortQQ==,type:str]",
+							"webhook_handler_git_user": "ENC[AES256_GCM,data:VX8DA33CUuK3/ddU,iv:I+Z1ZgFHaCHHpH/BFe6oT4LlhCFXU8rSiP1JsEKJgyA=,tag:GVDVqXQsjyiPthY492EHAg==,type:str]",
+							"wireguard_firewall_sh": "ENC[AES256_GCM,data:aqrhnkQYmhJ1Uyd3QyzMTFx9joEcGEk2Fm5A9cXG3Hppoqd+Myu/IsdFRbHx8VNvVjM5vv9rB3wvSA+PNvzEr0kJ1VTGvhPl0ygvqolXrbi1GdspaI05lymq83wROFsZsuBBCpRkog/CrVtjLgzpI/yUnTUbcFo4ppXvD95z++wylCSjHdIdxvA4/L4vliwryDPV4/dNWNDBaNjnPLS6J5faYs+CDTWFtTI3UgNBnKKqpArgZq2SmUYR09KlwV9Xd5IchZtA9hqlHIDCqS6HWxrKHVt3V/PbiUdnAisp1BhxfoSOFRGBL3zvx0gGOQ+0yKneA/8fi05QO6fnICmNAzJ9c37FMoCV6sd5CFMXM3Ia2bre4ShT0W1QRB9Li7Bl8XX0xKVLLjUsP1AajbeL5SCNGKrYzh9yBVMlmI1R7JPVyfUdzr7q+0VyXlLAOiGWfub7EewVL6Qb6o6E0Pc6lpPI5i5wcujo7MnQIloL/rOt3IffUfrhkGOP6dezWHteCb5QN0mGRMBgOwAsCMGpsApwftuu5ivD33DA/A==,iv:FWsixBQHFbAnzTan40M0v9a5Hg9Y+qzkQLsRb/VAiZM=,tag:OmLi1rgSDI5lu8fsEUvXtA==,type:str]",
+							"wireguard_wg_0_conf": "ENC[AES256_GCM,data:8uS3ZrYZTQP6bgDCym8kgoxXgRshunL2ZQ8OQaBkksmxceH5JGVzzZiTppssrcrcTo4sNKozRwFfAZ3hIHEtKT2hsZSFwN812FujsNop7w02JgfcWTERYCb5J7JfPN3OIRfU4TTe35b/V0V0BZTUcx51mKLjxyAMRy9kM6sYaCnNAznzHp52/rFCtCGKAEaytNvd0aXhJ0EwN71ASeGm9Ba3CH/M0+doFyLSFddsTfwx+/426SIWva0KDQHZTm5x9LWOv/5e7sn6ctS9k2sJNONQ337tGJAXoVshhb28wAabOx3J0/G1FXmubll1XBN1C4UpMX/dJ9q3UzIY+iE1p3IlHMlI9SIWvUPrsSxJtjPvNcortyPm7A9bcdMNj2srh1xzOaG8kwWD0buNx+Yg5bSAmUWMpH+iXgsciuF4Xbzl/a+VLa2zWcn2p/IZaPERcCCjjWdGlzzDNg1qwl3mOjscxywgTgYSw4PVIQukm7ySx95fBKh839UIfe6i5kcVRWt1WZvpSgHbbrSETuK9j7vUN0mYKYOzWoTaN9CuLshQGr1HUbdeTYmkfT5lcI0lp4OZLKQwjh6PlqX2P+VHddIY88WrW9WALC4lOzutEf3X2WJO6IeKVgGI1oi1ZV+TulvU/s8vbjqbSo4HuSEOe7nhlsCjMFd0K91GSvfY3m/+CU1bKvGXCGXRW1JzpPf3aXTBqw4IYFFdKR6qEy5aaUGx9kFWAtEVvZFuTvq8IbeNTmAgrVK6zu8iNmLZrhRR19WU0FAs7Ejfy1+2CWuZ3gWOW2MEtSRhsth4oEAwaQOlGS6A2CKcU62fIiZw0r2hiPXR9qP3rjvbRodGX/JqcoSeRlho54n+STB3+aFYXHA51c4dla95+xSQkuRvapuP858fFDmmW0nCDJP1AFcpDPjezx85G3poAp/4bNHy9FGqTVdQJ6TPT/gQwQfBCZxZv3KL/9bCmQVOhUV0/q+s1xcyM4tSN+CLY0gT6SRF7qZfBlZVicFVGyroplh+hY+J0KisfOsk/NhTuXY1ARCxsxx9BYcpnML1zONlxDRm5xx1Nsd8Hv7Q7N4R1YFELwWN7DE6W9JQvlUCj7U74sFzWWAM1Ub1QlyASvcOXYjC4ltIGjUvaNHnirVThhtGrGQeZJ8ibDXFtVw9N6AKvqZYit8ppIuA1PWTTZtLWNVGT+URUyz6k1+K5cLwrMMc4laihW2rdQ92ZuEKsKkflAPkFnH9gXh2iff6rlP3yuxtZDcjJa0Akw4sWbzvcRs9I49T/qTuK2pMMR0B1q2zLbGFkx2YUMZzu96RF+ECx8+Ann93AhHjiwVJmeoGFICSH3UsM1RrCDzEE6ikkA3fbdK36OAmRLgTnY2VUeBpzQIBVilVLi+TDSIfihVZBbxhIXOXdWjkcIGPIZ1Cw00x4PvmFkplNYm45gFFVZvYESYLir4Nu/6tkzoepM/lu4Dvy7Mi6wOGRLFO1TqZ14asu12YVfD7XCcdxh67wyaGOTIsw/UYXQY8s0E6+5mpUi9NvfZRoFZ+Hrw5Admfmf5j+KSVG6nQpjiEC4j7ULI7RvmaJ73ttAXuc136PLAKi/STbQRXd0YeGRmcwYaKU17+66TowePn9bEvsY/RGWQhGJlHeTThu9Rlw3eMZtOQiKIbE4B9917SugNfHpxQ8l4XVLsEGWlwzyl3HIkP5Brg6cvyqWtVlYbAAjqsZi+ZisCuxhwBK1SoRd2gyXB1fJ7TOGEBNewLe6Glc9m3+PQgEScROej6UzVH1SAugrQK3ZRHTt5zeoZMf7ohOh9Nqv0i4nsX+F2V0ow707XqppWhRd+agZhexTgfIIKjtAJkB+/OSXEKQIKVnxyFLMNjy0boKwIKz+nJY+RhilHA0536HhCGAh7L/S94t3n+jv8QwdtIA6COPvqL3Cwi5pIvUGAGX+uMBSzr+cbpWtAWXtaRQXqIyG7U4stuZ36ky86arKXnTkYWxRRlUAK+C0nUhJJ0DJSeeJ5n1o/LGzIngU6Kso9sYDeHNbTLJV8ckCtiLLrwMyELeFuXbldSvKc3fCsNIO6o8JkvFgzz2+G+Na8Gms1Qjzq5fTidRw1HVE8fRPcs3CU1wxCUbg+MuErg9jXMZvH2GWVg0AfXqGt3TCJkYvWCDaEbURm7ZfuRFyCxkZ0fTOtzGVXhMdWt7PMZ1abg00yV8ReA4TR9k1dufa3LHBEfYh7Q8vZB11lq1mcwflDowCzlFdeycaTUZswigEq95dnNb+ZPv1MZcVotWsO/sdHzmlaBDu+NN6Q0ggmUc87qypQe87Dp4B+l4jaOIK1H/KxT7zu5IaqfJRl/weF7yAggX+GY8JEY5a5ZImNsPBFWZSgmaAjctq119RLpoLCJRiNqNG0KhYlWTuPu/j0IrrlkvjPM8OVpqZgG2H9wOrDPSr+s7U9J0400PMd+bn/vaFmFQ3Sihlu+N94lbfRWWUmskpPpgE3Slu8z48g0klkFfBpcHLlZUcbXkkYNEAS4SRu3DbJHOiyi6o4RS2O1sS9SFjfGeoLuZlsOF8O93zHuslK0lPp+0+riQia3vyrKw0E1r9AEDT2p3h3tX/imaJpBdpI45gvbiOndNIizyN4kZyC0YMRALMo4EvnA7yRBgOPpddZfDjkNc2+GS89tMlGBQH/9r56gPth7xir4a1qPx+J3q8z/FBMz0+nYxE+xDYQZY4cbOsKVdeptqZqbmE8LIMZhDyH47JIJJL1+ssYA0HPn57wYjhhj82AhwevBGECs9GrKzUosIQA2vsG56hkFwtLj7hLNj/HuzsOKSCQjx92eyforTWH5erMZVzBN82q5KxpJWMR4dgR8OVcR3M6JndOrybvH5oGX7U7cpUVw3Zb652HVPYAbFhi7jwtAJIjrZARtxDiBZVYzkYkWMFvC4EivaLdr/f+3P9YWbcyq4I01sWG5/RbHR/zp9le5Pn/YHCA1FhQW1mrH1LrFVgUlBxcu4xFTvWN9AKprwr+UJ6RdDOuO3kG/WHUVQhpDSsFi8OTpB7gJ7O7fNpiz8VgaUBvNODewIKGypjViPCqu4O/RSKi++mKt0AvgQBa6yWJQtDvYrQJMcZ9JfWnky/yKz1YMYvJRzd3Xdlb9yEqoI3976yns7182ESk7WXCQvyGWQk6bi+n3tCjGzVM+fg1wqoOxi26Rzlam4EONMknaP/YE9gi+vnVPOrdH+BnTJeAwArbvEXDk7FnlinwUAP63cgOjuDxZN31zLmbYl7UkdLBLveuhpRncAB5U9uA7caHzHhDqkbrYdhxglC2A4SVLewbOXvUq+u+C3WCpI6RpteepZpJu3c68WQQFWEm/1UZIYncazIcdYZAtzeRmSCA4LM8ufoAT2YJMKzjri/93jjar2bqceTmvG5/MwFYCxgN54imDgDXKpiAjhFEghO3rBGQya0HmNErjGOIl1AdQz69oO3qMXRw6eE9kJg==,iv:UPYM1OYcPO51wWxTW24dKlPBmL2SZwlGL8rNyWVd5k0=,tag:Ca9msJvmw+HX3ZJ+wfvaww==,type:str]",
+							"wireguard_wg_0_key": "ENC[AES256_GCM,data:e1ZuZAqdrG8SFwhOffjRNarprAnxiYoEf1795NhjC5fqwtK/fzSGf+tQkhg=,iv:HF+WnncEjEyNEuuwqycK0PoDRkFAX8N0m6J7yE/fNiI=,tag:hgvP+1QZ+qMGJJEFopeHQQ==,type:str]",
+							"xray_reality_clients": "ENC[AES256_GCM,data:xepCMOsQZcdf4jOtyV3K+PpvrzgIqrRx5b/d0LWZ2tltlSMXuBXESMthP6/J/0M=,iv:qdY2bH/LksA65FrQE9x9Iz17nuOlb8QjxBYgoRr9sQw=,tag:lh3RZtNZqNrK7KBkUMHQNA==,type:str]",
+							"xray_reality_private_key": "ENC[AES256_GCM,data:F76fPpZ4Bc2qp+DvbRsbmKnQvxdjUHuRx2uTmMb1bj9LQGcrG9Rgi4NV8w==,iv:Du6msKUfmyXZTyjFSGvjcItspw8tnhLHIyMHCg2AFJo=,tag:U68BVACE9K0l9y8P0pHAzw==,type:str]",
+							"xray_reality_short_ids": "ENC[AES256_GCM,data:v8dnGWYwvsP1IhjSlry4S0OrwrflUIRloZFinybCep2YlhZmhtiZAQNRTYEmA6YEdSnEIdHEy/qlLk9XI71eUL8=,iv:ZCWensNILHLnGFaJyObEVF3MEK+CzdL6/ACF5mUs92w=,tag:/KHHueiOYvOIrYz4OQ4+kg==,type:str]"
 						},
-						"data_json": "ENC[AES256_GCM,data:ekAIdnkfXyvY5R/EKI7zjF++731QeArkn8TgfEBODIMQEpl1APjaQJ64AI2DLNsmkWB5b1koXu5WXTBrFK8uWOWaaXXeB2zKc9aPXqXIx1ziPBqD4A3a/txNlTHxfScIEvoOxLNij2dwcYsrPjW6XvW+GWjINv/bSORMKwtqimOauK6Jom5Spm3BhuqPg8/vMFTzt4UztkOGztlKv+umThbYhesd1BuBlNhv1Sf8YVYsIP/G72hJD0G4gDisXcJhXCXssm3ompte0+YdijvpWooZKMtDCddEBIbD2n3neGvcnMei/XtCMcxRyYBoinKr9Ymgs/n4448LYEyxcZjSBjDpr4EUQMGfDCD6/EKQDZBuSWWgKa4hvFg1PldlJLTeCZNIEF8jTNvyEdBDt1j8fw4jXxF6wxWb5qKa4RO89izpPRHEXmpalJ5hHccETMKAgDApYLv2EbOXldZho5jdmmecm8e8+ffmOuUSgPmIau344G7Gff14nlxZu2rQLA6X+iu6cwOiwaKnHXLfqLJE3IyS5rzc/2ECyJvCm4jPuA+hreVnpWBA5G7I/HuSz9PaSCZxrIDqYEZGca1iRqRPLcEgk8YM23hWJcDKYujM+Fk1D4xa2vNy+5qIOKR73mjtfuv752XcxFalCcFQOYx09ZPTV3s5sKy9LPq/TZOT2HgYUn3/vgA6hniIrWhp/vseyeJ2yWx3S6/yKA5tXdvN+eNMdDB76Oy9IrqA7UIQG6045G2BCAaCxBEc6kiubqNZvdTIsk5CxWBaFjF7BO8y2HG29nA/i7xdz6dU+5xwIbzq82zQsrgj8zUdOkKYww6SLokTN62qKagjJPMYzxpph7usORLdY1vfBJ7j50y9VfgRl4W95SwtTKak/PTdRJUZNFvJ7TokX6axcYvEqKmWWeJQfksyz85C1zdnqsBbeMEN2G+r8IGCd+ga8uzISfZa9hUFmiu6iYIrjmVVtA2p4F9KuJpW4P/+SjB92A2qX+uA9Df3JF8mHVAntTAeYhwqEfqlfabvUbomrLUPh6wT/FTg1amrhKPYClpHrRie09MhPiIZfddLmBB5wTdVFK0BVKG/7YbSoX+qVlSmIoAhobuST6Zl8UIwf18HRheNChG5psbw8iSUSPwJJs1UTEj55e38omTTCcfZ9NVu01HwDcAC5HqaY/HZAb5JO2bUreSyYFLe/33G8I39xj1bBvqATZW2+tHdqT9j+SLetkPcL2PO/4TdgK7jhA3p0Uoyt8ySUiFx+hTGTsvoeSTrEZBaI+U/ObcH0CnzQnxrvOotKRCmKLP2BMx7wGPRJQIZZ8t5DnaIKXtSqS232z3Git0D2dLhA5aBXBN5YtzKfMtBsNsXTmwoPeRho3S1ACLPNGRWRa/NP4FMnC+F0P1RUoFH20CLCLKIMxJGR+5OCfdwTr5S5qoZ6OBxtXnp4QKwh+qHAIKh2d5ONd8Fk47NklQ5vHW4h3QIa3CSoNibZnSWns0U8aboD733v/8YaP9FyTJWjSW7d+55pNCcNJmEheuCblj+mohhHAKU/cn82F49ilvGE8aE/1RVaKsDhoz5qJv0Sl0wX41pOXQK5o5UK7gHMMyxHinl8ATkSKxYwQjd6/tHVedDRv/YjRK5cQLJUvqgiLP2lh8OFODefzwd++AtOjxgJHhFqQlwjRdo58K7JcJkqgM7fhlUg1jPksxAvc44RPXOVwhXJ8d2DI2WZAfe6clttpzW2V9AKfDdsjpUpmQa2b1H1ohXj0e/nE3S7OTJc0H0tR5JMGmxiLN92UshUw2vzYoEpXJ2pGRhdtYHm6aRhsNbNdHKfJ42o3UoSs5ScTkvWNxhBznE7iaAf/yFvZlEMg+BGSO7SWlkh5H+ei7D93BL3090aAbmezN+NbW05X3E+Q0bkztbQMSpsj4cCOuP3Zpbn5K8TV9J+M4oMA0JEgZIQcIJQHEG5+JRzEGiS6tlG45H/sDdGCswgwUdsBOSC+3xX2GZmmYuhFzPNbQz4t3Uyg0jLXFyxN6TAJUTu6LW7+8YFjGwh68TI7WffobNMiDTjthFsK2EXzBZrLCD/7B8J5vrXmK3lVLbSrFeRxKwzAA2OG8ihj4iHx1ZebAqrlBYQD3QlewV5FNleeoxQ1e4nj9W9gruVNrLIhK9ri1UK1xfHY9BHEg89MDI+KmLnL0GUw+0Bz4B/OGQPaLy4/602MupMxq37+wTeybrT/T3eeTvjHYQgGJ+iAHaBUHj4Mb7lFVnpzbnDW48ZL4aqsk9f0Q8ZmgCfrxAADDwQMbAnoO9RNF+gbmpgUrewIBnixxdAZOrqgE42iuS+OkpTdAXeLrnHzD4YMX0AjZYrP1gjk0ngCYXZbMz2Ho4MnS2zVepNzpyBWea1ysHjq/Ruh0fPMjUSXK9B28Ow9pbPw6OdkeIvdOBRGmkx5Ifc/CVgw82v31IzWMlSc9OQWag5htDs/CXBfcxxzy8g5yv9UJfnfbrx7Cs6ynWQSG+dyCBiAihCvkTJDxVn890LhczHPTJaGyGkC7fkBnhdLE2mUVVqfC+nvfxQIbc5YMaX6rFCEp4/mT0OPWbCXFL9+zHR7/gmYJQbOsrSbzBCw4eCF8Il2sLuaKOFnUbjDB9rdULX9X+ed98amFaVhshA5UoSg0EKrfSg2BRKfqKrgOmlj5F522HpDzjetaWvS491xMIq4E7cq7bSht8CDF7ceMlNY20h6lE4t34in3ukhF+gC7ZHYk/Vdxyw7gUuVCSiUxeDoYCYVK0uvtZ2oUq7pHu8y2Zb/plDE2qw1SE8eYQ0sAJOY3gZBF571C4m38nBWAN0aSY87ij5MmpWAhMP7FQN4YAT7lcF6IupL0wAi+YVMmdplpFCnKOXi+e3QiIlRASMjGbg9cnz41Ms0+StKUfwjr2u+N+hQhLW5akE5dhf68oLDeEh4+AgLRdf4C7lfs68vBZPKzv5cjbQGWV/m2hyY8NVUW4UxSb9tDhEX9me3APD0HRgjYFuQgui5b8lR+1xemagrLhpM7VxG2DRFLznkIDem3/hHIULnIvQtltkJ+sDfVVhIETjI2gMll6Fl50QWxJMjWutgWaX8r70rhWq4Y10ul03O/jup0FDCwC2c8B+CiTLJxDwgTeC5ag1UNMP9hsXhC7dzaTdvBGrpIAheP0gWEqsTsydJMbCCSw8OTw/74s6svU7nbxRiNK584mmu/cv9xccT90ShAqRxbmoeenhf4BaktR7mgOmuXRYECDvpRLOT0Fxqv2OmCMQgLxJBzGfmdXrRVWEgbzBXf9duV6zsZ/oFX+m3nEYViIf4tymxuCLgKGlaeFYU1srFi0k2PHKumXRtA09EJgm76CEteyUpjQPSfZUg5OKIyriS0YZiYo0Hv7Dg46Q2gc/R+5SOf8Wvpl/DGh/m8w7ZCz8xnE4rahmKbbePu+ZFp0lNAp1UhmDHtfb5bkZFcTtJCi7BG7Zza1yj4rps8DyYoIWcl0bl0LUcValydJZvqaOxv9L/wtVv6ZAb65GIcph7bFz6zrnXkz/SStWBvg1gqHbUSzJOsSjS/VRu2jb8z0TGT+IhTiPvFXxLUcHhgau8qiKNyM8yRPye0iOFOW70rN7WWpyfE1grpXwcpmA+XeH7OPVk6lxH40M7yyZAK7RXS496Wp4GfjxFNfyhrbolUKpy46sJdR/CpLxTFQ+tMCMEQNPJ+qCChtN20X/ymEks+FtM+ip5kY07V9O5dozYmBEi2fRCtk9se1MyV7yuBURng0W2bhWiU/ZIZ5+djUrTGxCEeX9QUIfdNTnJ5JhvBxGlmEXNBOsYzNddXcN57HKQGEA78UGiwBd0ntnurIRR1fLOmJ3+oxROaM8k7mSn9+sTq3ai83HwsvxRbGH5tvfFoxbghocOyNE+KJ2gyBQLAeUfpNPxFgsIJ8UbIt0qUN/eI4eJE3ZPL1Ggm2SOmpE/pf82I7iJyxTkhLUFyt8d2PS51c1HcXQ6FJIZwjhoJYybX+keBqCuaARm7Wnohw5J0GCHCrs/oatKnSKtOSg9NWWKm9fPbjSpJIr0nUPN9iCNI18mW71h/rq4h9Pw5E36c0HYkexBYv8xrM/XZd9n1O8f4Ytuw5eTXJ99RDq54LhQRIIFgqcwUaIsu1Fe3KTLDR+9CRoWsvlo5HVW5wWKSOr1WLS78Hb8vz1NLxRhW/MVvxYnfYazaKUkAZfhxauCCUT/EdkEK8O2sRnWGG89HKTR8sNhRRf948gU+IBoqfmQXBNDb3QD8/7SgihyuTHIHoiMKmw+vSyNR0cWpY25l5yZvteeWsGdgJw6Mit1o+DGInxcH93rZuAuGKhdFA5OyE0D4VGh/89Y5Q4BfAoPq7b0sYOvGzoYnSZJUeCaqF2wyqmoHtenMK0FwaSMZPIoQOv8wIZLLm0imkLgkF9+JQa8xZ5qrtZHjE7LN0e8P0+X7cxgPXjitCMrPK4oi3VsuOBzGJ7b2AQkY9OpBD7gg0iKLlgeA4MafxAYnfuqkYkVd7tCQDLimDtf+4MYYI1Vzay0Y+75UwK5IWzw4tGxw+38laqIBlyrz+ftaYmTsOeO7kXzd0puu6Q2Qz5+Wm1KBPWg4YkQfvRTIJtLs5Bcl6x7Y1AwA6cGqDG9nHC/BvaYghbgJpUSqomfNrCoZ5sWmFpk0XHm/wmKzAv8w4tC0qk3+dDmRd6aWZhumgKHkuOFb97HSP8aO410cDjFksMzsjdxz3XpTh9fyw5FzR57nduNdookU026O2YCjcQVTn2/rW6NSSVoa7A7OxpiPHplKlv1nWRm00pIQnZ8Jhn7svzDHQ63nwVb5K8vz/OqrLITJtlNn3amtSXciD1ZBPjXmuqPipTeazW24Aa+tMV+CUPZERiCYH3FhNAT/qrKxkPs5LcrX3zcCPG54pApcUgOZinLNAY6Un/yztInpOhC/gkYTmaoHGBdfHZP0xSwVUGduR7yLj7wrA2/UgofauU337Sjqy//I7Y14J+NJFAf708EWMLRUlZJTzuo9QNS9E3gOVveAppVmxRZnvAtU/Z2gdHZis8X4RwJVsEc5V+fQ4uTqB4Z7uAPt3RsDeulloTHdq3ZyGT2IRDgvhmXa+/QVS02RceOFnnpJeXARlsTMTSzmMRheEyu4FF1YfseX7oR6nxHbhsySnziSQFTmUlj7qcYlMomF7faqCgOfMpOU6rYHoXQIifaqy0//v2vyh1QM+iqyy7HRC9vdozOtJA40KDnArc1cf/HJdAg6bx/ZX/xtXG0rz9gVXwIbvRh9iwb7g3oT7QeS8piZ3XFuY8Jj7VrkvTZHqP969H2j7W/Qg6iFvHHQNsYY12H73OJa1MMMLqLkdAoP0nm9UaniaNGnneZQ3AFGoXDrlVmpGkojhPmctQewDrTbScjPYvJecHA7xYaJMZPQK+HIWUfsdc9P9LkmCCGgmoYo2fXTzPsdkzsUNi4dqUNADDzmNeaYEc5cK9iXZSQcnTt84C/lf1Lo7EENRIVCnc8bUnSXqNEKj/yZnJ0jXgfhkvAndAn64LXZ9uk7jhi9RklSPXcjSfR/sGV9p2KcLp/NaO+Bdb53NQa1pD3jAjFVqwz79QC7ecRFB+i9O4Gtiq6zNHLa46mgPtqdW1xpXcpCcI+x1xuo0aZGMwF1uy/8/e4cSgPSG0O7seKKu7u4c1Hw2kLL1c1YActjuz0I2AMBBD7w99n7poGqTmI9nQFzT3nKozKQOs8ZFLrN+YlvCdqkvrHXkBuvF2eXakczDzqChtzcwMnfPp5ILJOICVoEyVD4qn6WzlU5LvZOFHHB9H1aMUCU4E9qVnBd0xynvJrZ2j5rmO/mcBm8PA8s80IC5Nlt2J14pUQnLgpAdbTxtFtxyvTUvpbB3TlC27hxs+wRXnTn9WZ7oUwfB9xsrJQSUZ0Bbi1IfnV24b5FL1x18wgsKyoGWXjAjRwrrWF+wo4QP9zXpJDy1/3rfFOvW2+k3G+dPdxYFIWsiJ4zyQZ+MdhhOW1KN1ZdbeF6bfJCbRBNAEwfrVoZh6sEeRB1KuMzfoOtReN6p1thxBokdCzIOCoEqGFH6ff5qskXro4S6plGXnTIeWfQGVVTFNmykxxJCCi3fWSXXkEhGAbORKmpSF38rTWKVs3iIPeDUS8zdTLm2jKc5a9twR00Dfrzrk4N+uftq7aRiOSQY0WyCejRxzOMRevQV4QsYMfbmDlO7kCatlUcPZByPXoPOWMGfoHHJzEdSxQsBJ6JFKEh1z+n2Mmf8LjVKN9Ot41fOFg4XUKlxcbONUIttSMwEtux9YmelSLynsuQZu4zlKOtSjS2BATns3YYax3rHyymuoqxp7I/Dz97lPJLhm77gIG+gcIH8YqM7nIVEJ3c+qMcPK0piHcA10zi63wXJTAGQXhk7cE8m8wa5WAWxJxn28nrXmnE2IzPN7rjiniOYUbu7OMqEJYlLbJ9CJ5f0JKPkcMhikPoNGxPkFWJNGcKXgf+TwBDDowwJcy8QicHvIuPjcfMVeb/Of6P8ajVJmddhhTPrFe8PeT51QVFTx2bpaqiJVIthzNtRpC5VwZI9/oh2fyVds+k5YDG+OUyBABpcKLrY0jV2wzs3OJvWkZ2bynFcypVBfYRRt2GOmxlPxWGc+OyZMp9FNZMXkhctmIDy7XS8J9P9ETwzzc/aWiVK6gm6YIoz1bmA4ax8Ru5KOuiJpPOPN/xe/kicD5H3IfvuUWYooS6RrcLJm1oFwawybG6qcl/hIKOLFzYFzUxMownEMEqJfGo2s/iquX1LS3eINOdDbzssCS/AunEuQEWXfWC/tyhPMhW5vRimB3FtnkTx3qavHUbC4I9GybvhMacGMqVDi8PVuW5//QFViXWRbKh0b+OzVs7kZo/tMJvEoPobKbNttPF9aYPmXHX+DYJV0mBFgGs+JQ50aVTtwecGrOuHbaH3IhWHN7K2sJ+F1Q1xOnyD2v2Zuxw5pY7gQC7Ie+zR+lRJWWmny5NL+OEjqdBSlUVQ2nf5gF9/5xGynDxTUhDvAHN16Kan7hB8/pKthg6skke75sACBE7gzFjWUQzVpU1N6E5362cdKJBPyiBRMu9XGbmJdEpBAf84fLVJ50VbDnMpzbtmvhHxzrolPtWeL+9od256ZBss4nP7qHD4lghwuMQE/jiDYFiglb56Sa+N7BIQuRm4vSrRF2gkYsT8mFhJ1u+GDFfUQUuS8zuNxJxkeknDdfUfnkRVIGUYEHbhNybmDbHFyonTyuThxktCUBkJa4+MGzBObuDIHnmnIQPAAf+6/zG9tDk08xFMhY7w0EGM2FFieFc9XcW0Y2w/GQdhMYpTvyAjxk4pZas6AfZ3LP4h1JknHRc2UaKbEyJHG8Zn3m2BtQrdxcpObAMqA0xIyyurrFPP2M1JGPqrH5VQCkLGBacb7CfLKWHFqsKriEMAEWmUESiWrxV/CiWqfDR+ZtkugPfHch+lHrYYKSOubx54CDTcsSBe9YgvCMwdMpxkbpjZPvtvjN6BRAASFOiQUYNqjRvogmN1dI6WcQJ6SXKdnbd7AGXjOMS0KAwBhB5bCxkmh8BO3rEkBqmA7FInDFacG/LGQJmRdKi3vVh++YjirkzNJj6wRJ0CFd2soppaet3FVgCUZMZd4pESe2/2OhGyLQ4u3xZ5/MOd/LlgGsPFzUnQGPuu2kn6Sgt4/OH5EoeaYpO6jDSAZTL3/tGC3HRh2EWMDH07uc52Q9DDGPQyS6ZjR23qKWg+fEpVnwIa6cfFkD2Fj2kbYtnPY1q8sIfl0KAWGVhM+4cvQMX7uiDKsbU/oIF4DKSS9pX4L+2/kzVJqODcFbvxMT7Rj1yctp4pGVZCRZaRhqwMBuq+WAQqNDa94YWtdUSZUzCSsKo6avTgxOQqP+QKQrlXgfHwNaS+WqxA1kofq+N8GLEWwj7ClaIy1O//WFHiwrtnr1sV1nxrq7lqdhCPZ7kfW0nJWHi61ErQqlpoR2XZ1Kd7cQabwAfWHuHQ6KOHyzsOS9JI097atVCou2ve24GMXRYKNb0WHtUWIY4TAYbvGide1xORkhhFGAodVwyEYqb5GjSxkm6l4f+/dXabLt8cqU3TaMJZluAmT7BJ8/6D+ffikJPn9UVqlvwaysXmUVcgK+B+JxTDYTlwpewKdBhzuzdX5buuKVs7loDE650LKd2IFRvjhNqU4xH41HDuBop58DQNPQcDkKQiGr1hRcm4tSHuIWG17a2cOeL0Kj3wai2D+tDIDlODwbG2HEYieSx2yYUaZ/MCal+N3FJLVSlw5xSQ1HU22x8P5MIsYqBLoaxW1sBb05je3hNgidUY0r30Pm3lVXpVeQR2t6ijqP+JvH7WMv5ylzNklMhWBFy794jlSRIAqLOViBu1bhsNH8eIr5uqDleYUpaXL0i/+vVllO/eZng9Y2i2p57s+xrRC3D+80ThjqpmbIFS5mdsBRaPfbPhKB66T8GvtiTbMR9JnSGlTSe7NsOeEWTPaVxVH+cX/QdiH9n72Kb5Bo+h4bwNMAyYR8Q5ExX9vgWC0TDqRwUhrDRoeMc+uYSDU2HgYcht1fSnTVWkHCy+4Qjv5Bt7ccibQBEQUtSMYNzprE9ciu9zu7Y/qjdPSTq3izccPU68G0G++vTuLjiZmmJ8gtncbxDLP9KAwsz+TsJQcHwuR0BcigZJOihrARcRdFDH+aSUDY612N7lS8s4mM+phdKdWVDW8CseighPLNya+/nFul/wdb7Om1tsmmNQ955oIDMnV8ZfY/mr9cbf/z2bwV06/K11noL4O1I9gd9UI/O48cusicRI/BfSGWpAZy7TIaCCoZTHxH+ePPkP0iezQpKDqpK2wRw6NSixVrtK2br3fAhte9C95PWxpd4UYGP4D0vqJL31YzJXbXMu+4NwWjaarVmZEDWFSg8ZkEQrYNVu6HnXaUzcoxdAp2PkojQpz5HtxS3RTfC6zIzbUN31SYwVy02Zp3ZxtSqhiEAjwI7KF4Zki754VLXF9CDlz/nvndMNoBGCgwFTRGl7g0qmKgR+Hnp9hIKLKINl7KmL97qVBt+Q+msGKDBkAiSRav81ca7lXbpVaYn8+yAV1QaUSE6glufyZwvNNnrhbDdHNTgGCrzF9y+r4eOHyNHh520kkjrqLk/6+FK43dYmmBCmyyXoy6pyVnUJP9kKVIb3GEjnWVoTpuCU1kUAmcvGz88voskCtSysB0gfXElOEptWwl6L3HAW4E+a99QwP97WiHUqlMZnaENri5pm8zMqA3Aqlmg/Dtqk9ii2g1y4N2vgRjgfBUtt/LuOaITddqOu1yQzJ7nbGR19kH+WkY7O4CRP6S29BVYDieRPJYdyluX3+h9U+KmWyvzAaq4FEK+deZ4tfgQe2Q0ZmKZzvY1uH6lcFip7VSoj/zyfI6NSMTToF0nius4WHg2K4fD3Rnknz3kWCCWM6L0zpz2NkyT1XjkcU1UDZK7j2JAsyq9X8nuZrOERt5k+y0aUtDN3q8s6yMd33z7Br7tkQeG3pv+vlCue83qEcTd6m1/+Lf7wj6jRGQMv9jf4MKhiK5zJCcNcAImhsDOCQiwJmxqyYhPBKhiHsYKgMcinMy9gVqzzi7TXJ8WAjE3WKprB6+KksTFvNyfJ21n18DeH/nF4vgnUw2Q8/CfFwPtDL+GmuPliIu52HFzupAT98N0XvjtG6j6N2XmWN3YOj6tXgaWqRTmBEABDV6cKFTX8YAVNT3Y/WnjAsICmGq/XjAD0PGzk2DkF+CQLGGd2hN1hrn12B+19B+fn486YseNTF9QwRBvg0kfLW8rVYsL+FCKmBha4kLhFrCF2RRDjiFYOzVtsRbTub7ikJqdKnFAsZslhvmDJ4hwLTNrKkeLEmmtHPa1tzK1vh3hjaMmvEjedJPo+XkN5iSMPpBphRRITaLtlbwe20nW1KBeUzfgFrA0PgHn4RBlss5YMp5hIGDFlcWwKPpRFRIXndDAi8f7xjaSUoZmM7U5Yj9VClDc20+66MIFT5VzLoppsNvidO4wtkNoKVHtBORPgzUhdem1U9ZgPXYPxK75eKqJgXYTCkMRP1Wdz03Hyp0s21QmI/vWMQHo6vAjg1p5JrUA25BiCCU1hkmd7IKcfDuyPCDjXa3U0ICw64FVl7nA4rR43ICsk8eLeGqDD6Ms2mtngcDTpq12uMhDpYn8dGVwoU7DfCpAGtuZK4YdoM6XHaQvW7M12e3WEV5U0sn6ZQThAh4lj5p0zZLKSy3jGqRehykoaaF9+49J2f7DLOxGPbeFUONT5hTwzejCURRHtnVtaNMN2WcknMe3vP9GiFq2w5WsbFbwFtfhbOuiuNSl3pAtnyve2TRGdQU/KFy2MtmleZgwAHTF7v+y7M7V+LDGc2gJJuWvVCxd6mnf8PgtoNPM8i14y2IWMsqrEEYU8l42PeGuYHOTNL8/UX7006qQxbKD7/QjZ8CsURsJm4O1sMgRtYJ8D1RU75cRC/qTJhr9RSVDfzVlPqrggK+yoZRhJaaKtZSxOFjoV3uC574YGK5GKQL+WTzNbq7vp0kiRXu+WbRUKgPud5z7rLE73K5agshrMdkNeVvhn0n2MZB8SXWlQhEpLeZziZSSa/TZGV/xIemelA4FJv+Sb9z5JlJofSxJMEtTjf1sgBDWm2ySQn19GwGgGY5mppR+iuRIdhyg1xgJy/5BhdE1h8alHcyLn67hM1H9fTXziz4+z04fAProdYEkbSP4nD5NPdFiIlx8hbF7afM5O+/GJBYLUDMAuz4y98bxraY3J3pD38EQPQse0Dst48wOtTuxO+jAaHx7buhbZvOCLL+JhpXav97AfwNdDP6311BggpKMbdiFJG5JfpfGSxrkMkwr9F5PWRjsxgMYFhSBIaeZbZsvt6822oxZn1E/cCyD1ixSYcRN4H+XvhytJXjX6Kj2jPfooYL4REbzkt1D2fQwsz3KCocSFxDZBW6A55KoS85C9on2RBVD+s7l5EbXW73J7dcEMUP81prVSM1PaPHpl2wKkKnCbBrFePNq6LUsHEX8V4PQvE9QSTldHsqazPtWU4EMDiLUIV8iKe7Hgj/sHJJ0/1xIPGEsrzZGRTYuksAgYsjkzE4DHj5nP7deJv+RXNcK/Svdo1f9ksFZzTUrj0qUD/kPI2GI9hQ5W3XEuON16GnTzNWl6MI5NehiysFRpGwrc/P3ZFhpQg/4XVw+KHQIrYa/Eekv5ICKU0WAt10z7c1VIFMbpv2mD/K/6J3FziACR2d14sCuEJW4tqSfi1k6uY9hYunS6ORzYnsCSr+R6nE2CyLbEP0sR5EUAFT2iMKFKtryfhH3nL1yvbPVSeU7NarFZ6CmGx7badhwR8tXhUKBAZY1tn6sqDE8ZofIMiumeQDU9Hg/TySGv465qHQBXRmoBU6GmBd3gBMQ3WYLK9hrg22X+e4DT3ZE60k546eDRzk+8bVPM/U5KMuSaT5uXTLwtEMUQNL3GpOluil4z5dCTTizrZgd1tJTVfGZKG+b04PPpOcXaxzTk5Od8fqMvgXsFP7sxA2IQdc4HuKT9HLhjqelwVrG4TKmuayOhNGIJmZ3Ivaz4HEJuBPJ32qdOJJxMTPxUfLNSE9LBWTfQwaEAebu+jlutp+WfzmldNKgTBYaf+2Pn2KLKX2UIPVBJr/7MUjkLzDnMr/19sTKvIIli0AzQlLqplNYJsCXZ7/iOM/54O1PpYU4w9EqrHryE9xwvAUb6tGq5mPmhRsrS053ph/OHOKCdBV4FTp48fagBUMVI8vXXYRmeoOk+ONCbE0Yvl0jCF1C1c4w8z0GYAX6RWMsDVFzI2v5oGgjYATNznP3Y5u8cQI0moPxDN0QAYTn6FFzyXJsFYxXaE8PYe2K42ZrDBedh+yDdUoZAvxYEoo0hZcd3plzNTxymw1uVUR+UIKeUGTApBmDnHr/NQ3tsqHfRForIv9d4RcIGM+jgr0ePU0fk8Nj0O5/XFKM6SqVzv9Kz7IFW80GF6Jan+5fL4QcuT8d7+gAhY3KQ+OlwqNcuwBG09wBXva88Jsfc1WDFQtKMRAuO6EDbMseg1CUSnTqX/5lMU792gYJrs6AxDmlUdkC00qRFupaR0IqXHl7bKjTPKNxh8KjH5xhQU1vQJxtTqUBKUpG9qmGQp8TACNQcxNZRKBQNcCEUys+4R/pJJlcSg+i5vUsQ35JV28kjL2E4XDm7Gz/SMCQ5sn9qk4bYAPvg83Pui11gqzvKhiGZ8YxBk4cIAncHYZwLAT8xUT51rA8Cy8dO8CPZC/hM50jFpfi/TLowsAcW/pJn/u2IZiIxSS0slFRj95OCd5Q/d9OKTHWqFIeXkZ2yLv8xugVBy4HYgfSTwn4z/NuuvfXWEidIzsjmnFKkQM7B20+OYEs+6rK5srbV7SIFgIHlxyje8CyXE9GshCvmIA2WbCRS+/JDGMeM8UXTpt64vaiAlh29cZuE1tTXl9aBu41wHOkn1oboIHdCniCo+KZXkY9r80i/NQrPjirriDLJpzf+y4ujcWmwIqKzj3Ffv2ysY0BBF9URZ/1Lk0lxbxVBdc9y43f1PMDC1ozLEb6GgdfMOb98LpMQkhhh2BI0KdaxBYL5gMLZP18Hfg7qyqNL189rvpFDO0VNbn2wF6tndzhe9J8ogOveht2PpBchptl1vkWQpNJvX2D56JI5gXJSu3dA638Z1hvi1G/2zp5oM+0QUd1nHU6JIcMnnOgcCuRmKyKo0V0hZmxOjaMySKUTIwdUv95Sjz+9jahFgLK/e1aCc0XgGt8zBDtwR/DAuiXoQj8c04g1EduGwvtb1h7N/nesjw9nJTAFcgUNLQwvELVJeI5shTEZutMW6EmS0BGBH2+C9HjIPtd83TNqckREHuoiVvuLPl4Z6S55xinlh18YmEcb8kGZGVZ2w9NLoWQRIdfGMMg8Fe+55AqFYYRT51rcpRDFrTgUv7LfskWrGYwiPPL/hdTvCb1Ze953HH+qDjQxpdCvieIS2GKJ4X0tsok1I9ZqSzWCuAVTe0tXgkwRpb+KFBte4MGrDYVTRxk/mBZabEPYac3CLTuDamus8JPodhEejF2wwwX2WedUUNa6ajioPyLZtjasDfssOXG14aDSXOM0lPEpjKPzgfdL2Vkx1TLFEpi6EHV/BcdQqkpW8aQcMt/CcKD6nbBYvN14xHc8kYjFWV8uySKpeyJV1ar6Fgk22fNfC6ad9FySKZmUTX3LP9+y/Zh4k4wJLLm0EdMtTFzI8jZQ/PLvSR6Naj8xbaEmW8+1rUjHIPqnSKyfCsL3/0Ib0UjWt2jyfXzTvTZD/M1uqjCw5qzsCB6O2C6vXEHngRGsKon3prJMJi3I68Pp5aaA3k4wtVAKphweWLm8ru06pIoIOUB+zjgLgXV8xbva3pEimWYOPf9uP3KyQlzbRfh2tXSYbN63B5b3wJrTyjizx44rNJNLjoKoU4QLdjZr4Uhb0/58eUYe/7BWxHNgBeLwQP4kyIExwbCJ2hBeoW2J6Ch/V5iq6o36V5hSV2QsejnfomYFS/WyL74y9RZKeJnR8kzvF/bPQSrYmGTLk94EBMsJE949E7BylU3UcVp4aMzd2O1JpY/yi3V+QWFNMLSAWj7VYTvZJ5p3fRDlbSXVR1QWi2FWuPXsryvWma3MI/N2kGeqlgu6SzNuAXPICvWDdVIXf1G5mzXQM66OkyXyt/Uh5wpRzXFbzKkHghBo21lmbQzmvhXlrgQYOl+vCyZvM0YFDbVRz8aOiIIw2eIOtzDiaxWAEg4B1kBWCUz0zJitkV03bB9MyTGrF8P6qhZRoiBMupljoXfdR/HvA4fw0XGtToT06+sl9RSuwrrrb/QAgFYt4+hLHOV20egU03svsQIPaNO90vjbDRiRC1+7LzYF5RFCYHS+e3Vv0J9iKr39TOLoPIE1Y69vqiTw+waFGAE8dXOwiAJTF65CLSEdXzE3aJvYF4untJqibSGdHe/6YYzxpI+bcB2qpo3Fei3u4pQReLsZ+B9Ur/2zLqdbF8Y/qu1EKSppXkJ9sanLnnlDb4ftjrMnq7QS/qfP7h16Xf98CTn4BMEhIeIryK1Xv6P28gnRqRkrofZp40yi6w13Pq23KJ7mnq/ZV0tLazKgA3+lOEJpuN4bfNNNq9JnGNBG9U6Oa2p7VvbDzyM0XBWUpqCwfMs6MZsiQz5YvZ3snyNZHAZlhXb01H6nswGK1WUOCwugd4p20/uJY1uLcrdRjTdG4QfgooZMN1hgjOKEDJqX45YAzGIufcnL8sUHfPHQS5z808uxl9eK+sY0YRJSmRXIvi0tJVOHaE5sTWUkjXjwPSPqiFs9cqIHRgiEyzjytRcCiwaHZ1zWcftFDZNlM8MVGAF7Afx5LBVkUAKyndMJFRjDzVakrXDGuWCqcXWOQDgrTyob6Bk1GqN+LNfK/+hp54NaDc0HGfYRYQyWtTNcjXeO8rJPgrl2RJKgVQ9Uzt2p9BwzUt7TVBrA9sHzX9h3ot7w23fbhuy1Um3NI+LwipuLdG16gD6DCSfo/z8YJC3/8qCKdwQxOtr1WzJ5TJBea23NbYWofOI6VB4zuWJFgDIgZ0265jrYnpambUexWm5FQ9bPb3yBK1R4IfSB2/LEAwxBhYct+bhRbZ3dy01GpWhAveXkl3p1Cm/RqlpNMTqxUMDC2hiHlK1S8xgeOzjT2g/6wdceh6hxBYt+Yq05BET0NPqyNTUiAylFaS1s7NL0azrrWm8z7pQ22ITRk/1olIK2xCl+gwYxBZ09iqgmngG5Rimz/gede+ZPebu/XSgfICAi9eIIqPIAWU5UQkzB5B19hm1K+ix2ase/3KKWGHXEmXd5N7jdAMpzWAeIVVCR9lqmgDUUJB7HlKh0qzkxX16cBdPCC0p3uWhk0VCZe650tRuz818N1F6/3WnwFMzAILh7Z1IapBC/G8Zz89vAsL08JvwrFJYtnEPgeL/UlqoQs/CAQN4GU/HJetvavYbqKkQPpPpCGSy7lOEeZrE5AYSMordo4iIjITg4ygQ1eDTOMKLr6prHXLo6ijdkOJ2Edfhg0jUDx++vhWquaDwc9XXBvp8jitFUnp1+vVQOvSzqshxm+DvJ+aJGioHT5Ql5pmK8u8yJbibGe7SBTI6MfKppIzD+2uYK9Rv3b46woprC/VytyO9J437DNnNLN8uiRk/Nk/rCuXi+P7klno29u4jBaVEvEp2p2PEyv/QYOeKDucg2+umAkZp7dWOYYSS2tnJ5zQyzO+7pm8eOmrarymNRvWVjmfO+PJ6UIF3M9R+LMwmn+oBc+G9wOloUfQe4FZrdiGw6jkeKzrwJ+1G6Xx5YrWR/JalcF7YQzy6nEMOaJFOklK4iVmBv74wcq9wwESscIFK/YY5rqbmorUGjygJ57wo0RbHXkzWZd98HP+6aFS0IOWctOYti47z3OFLfvPZsdIvfrM0zx7JZ5uTS/e6LQ65Hdk/WXO2pu98aRkxGY7gyGYVz87ZzZ5B3godsR3cCaNvrmU4okm4gnsreeE/C1pngf5LD1lB4nUt1y+LpV+rFPKGxtmPTzSI46I+nXKtOka72lmz89bYJgfNFdFA9/McimWva9w1Ncp+mAMIrWi0gtv6qHVlyP7XFbwndJG8NOm/gZIBiyxYLAQo32efSkccFPL8t9HPHosYKnDwC2EQDUUYNPLX3zYumpTe7Ma2VO3j5IcstkbWMzqEHhFxXOnGaLMJGIKQtXX8iYGkQw3hAeZ5e6pEuySJxbMnw0T4FW+z4LjEdcwMJUdWR3/+VA6ihTsp/tybUZKL4ZV2NopjCtBBfnM7K3RKIFsD5l0A1hW55lWK0yoACkOtEkafT4uKrRahmWeEQHCwvSL/qK+3doNLXkm9T9trvxN8YxSgEdiSnP0c0j6qsRw8UlwJdZ/mehPQ6UoMqi5BxC2eBs6bkYxnSRhiLyHGwe0QMIJ3V98yAA20bDhKFkrDrzM7gBXD5S3YWUxeN5PTaodE06skRZqG9jPAp7g8XvBDsJOobvBTJicZ3ONC+FJchtj3jxA9nDeLe6OyVN+0n9n7N3AZGR4xw2jnHMtVvkXcpSjyND0ivpECnnG4sPP0WSR2LCkvrIealNvj/6KkVPlNwYYpEgNO3j3+R4puSSBbpYgh8rJKosdd8UqokH96QmyPnUspMMLAJqZx10VyCcJS8RJ1tOlXD0TWdawW34N9zidh3SViCIJYIbISFF16mLz9rHXM5lflFQXLrtDzun81RxAiCWOe5cPY5Dr0EYDj4UtFEnficW9Sjo1Iwwd5hLyGPYwEMUNCUDYhv/mkuPQCesOUZDQo9htUuc+V70g0l3XrX+uEGWonEK1eijSXFld+AVU/sRNKAFcGxz11+my13/8xBOq0mQGuUe3iXCu3T1jruCBilMafTBRc8knOVWz/tlCAneNS2qjNZ7bdNiswJtI2uPSZFe2vPQdjDbH4NmbZlmjD0gL6pYJK+OoapfWkiLVszYcVAlOuqrYFR1akhlXOYJ37Q54WIFpAkKCrJEVYkan1Jze5rShe/Z4cKz0p4FpUYlQGdFUnee848Y/6ScdaQ31MkiMqb54SlN1niGLLEolcauPEW9/zaKx8Q1ib3E/SPKMnT9jmXDE/Dbrg6CEFY7IGlf/FQWu80DOl6KmFWikwIhK01vKaMnSHt7OdtmMNJIUKLluKB5q7KdbJptFD6MQYEDOqrPX0wClbras+qdhIj1X7B/Bzn3SxUUgpB3EmmCeIy7lVp8Mfk0IHvgZnf/sXw/JR0DTCqFMQuk5ok+xU+6DBZUPxtvpoEZzTLDUv6+SLLH6Rv7FgzmwD5v/6UonPeU1+Ub52vvPUtZbl7CM1ZIw4Y95hmlpWs9g9EKMDGQ6yRlpj6NvLAVn6knCrY4W0Yw+fsPzXSRCS/X5H8cY6gKA0EArm6bGVEEK5Z4PynPq7d53MCHZfnLYz+eFWTgbi2uRa4bF+AfOJHYKsQWWH081kXjW4uzPkgClD9GL05uY5HbjaQ03J1+Uk0RBcQJO2ZJugZWe/Yhoh5hNnlE2+2qtpzxCXIWKBtd1GKKgzIchkofpVK35D6Wc33MkaVfoXkZMKqg/KzHyHK+bmsQgdjCgIB9PT78EPGnwORkmYvUi/JkbCmjRkzYa7t8u1doxg4KZjhzDn0D3HMlAoFJLgtCKVC1071zzUkdyoCndWCJfjlUKYprCK4A3YIK76fc6qW1K8adIb6eUhPRNijZ+tOQWDAC+uhP0ccKYkNOnbakyH/34nZ4YfTrr7Drcs2vU4mEJFsvRQfJrufDpK99e454Ruvxgo+2heRNVScyhDPLD5ilxz5kF7DOnFwKKKhQG12dPWADXpoulNV/h/U+1wulp6WHUS25e+chyECkJd7PEwsQb6QSWNurKiQj1+q88hDukoYWslhCnOzoK3oLTr0jbv8760pBEyJtaLkcodKQYgDRYR5tA1OwPIv7AYJOihUd8HqdTKXTdmtjPewZfUQ0Vp+hg2zZxIrZOi51a/NWN5z30Yzy4t/X3EgCCCmKWaO/GaOH1FZS9sS84fHFofL246Ye1o0RH5VybTRMZCF2yrmXCtWLn8r5COGw9Gn888de4ajaw+JXUZkDg7Lp0bIgoHVUMWzP9TEAXimfHSmhs3ciMj8qWEgihqkzV2SrNFjozBrk/6DFPeypq4uB/ezgf9SU66AT2h8yuu3RxUna/Y3n8A19JBd3/at8+gSVHCCMZFG29pkhr31MMu3Pb4Fk6BFfBJN0/zUyPf9eJD4uvJpILc6UtO3vGZmkLqQWtVSzwz/S3VzUUEbvGO3R0/OB2HLf9FjC8N9rKvi8sv/OLwvGQr77AKQRzLchouKJI+qvUnXXNI/12vImjs0Y586i0OMFQmUv0h7UgIvTIL9XnR2mLfF2i+NWRCBDWCsdiKgvWhPQzaq+rLAqKH+3Nb7KefccRnqeSVYmXtL07hQ31akWP7ps8a+h85qMoFqGkQB2nh1T5YDtwA5g4A2S+aX1mbDvtxEgqFz5ofU0vCF34wEKcaRQR5QtecRq6hdEzIyPjBib/2NGaxBcj42QIds85dESe5lPS28IrjGxcTGs/+zpWB/IVDabk7M7zZxBSEGsBwk5zkOULqcUET/SeG+opue5jiQG6fzpW8jaTeORrWZ47RfcJ6BaiNNuMl1qeX0j8IsgAP7I9/F29ahbsN76aA1J4seo5pBOPPigucv7QQfnLrw2EYXJ2QyzKsdcyptV5Es64lgInQstJRNxhd8fwcC/WhY99LFoZVyeOYjHruLuS3LpCzNrBaoLu9rrfLEQtHqzD7rwDmO/Qg3T07fg/sBjrlUs9Le4pouwyoJkaO2/To187N3W15chMN2JtPKzc9Xzqkt/D95GDWEWJzP+nrP2b4PV3P5jxpkyZMJRQXx6mWNHsmUnwIL7RxcNsn9tiyY08X89miyaXMHVNgiyJbDThBbIRBRo6F1L7vJ3Ms872or/vM7feUk//UTbVVNIb9XvWAL5XNCdlJ4c9aVVQTWISPwlsmXye8xY7O6PbYgqr4W3seSOoO7X2ZxDgmlQy7MqOLlCd/SHJExJPnxsS2h8EdUQ8zIPNBs6+COtu2kS8Mq+ZFsIFRmrkXYrLhDXB8u7cLpxnpQ9Tl0mWPdnURNVH5Py61hD9C5B6L4SddSJLCO1yFtXTyOx+jwJhTFA2qMxCrJpf38+jP3epCOfPHwCD+/CMCFAT3zEBaPoy+pMdK0loQZzyYNcTDB0vaIULR+KUROEBCt0Aumnj3fhmZ7SbTOT1nQeO1CCZ8kT+yy3sfgmP1JP0wlAw7Bn1Rh2xT3wf2K0hqnmgdQHo7QGmo64ktANu3d8Ocu/ahEFFiOrJuwlrhcOJo0o11khdIg41mjAnZKCVe08YspGKAKUfS+1vSwPVFC64hFIXcTZ+tPP7ewpc5/UvWMeAjD6FYlQyNF04UtKkG5cQFWcSyI+FInCckuzFIC6PCic/aYU8Wr2qnpQO8r+RYKD04UWgnDUqlWBKaYe8et5PE7KftkLk/u/w9oaqDJBhDIxwm+TY2hT2MHUfDK8uxYk522C9Imrryg1Wvj8NOC8k7JRB0FzgLceggVZzO6hcvNMtNIwuu/colZZf9PbulaRdwP2EPWz4hykzmK/q87OZGiIGx9sr8dK/E4tvwMaborYjmsZ087GoC57cO3OpWjyAaEBRjI4idh4hgT40Q4virjzsnOtbU02u7o4kin1ICakehSVc1kPotossE9H5JSP3NiDGgdsxjn9ygjML8J86KkkEUdK30W7j1a/rQatNHx6XfB+2Zv5a9P8E8GDnucmAYHoSGRSGwBrYjY8jkFRHLJKoszAEpoJCFKVaWkYA9mqe7j9FG8a3wVQXsxNKscfUlrE9rsYkQWafa3dHZso2yc1a4gwilEHgLjoF3vOjBvCewuAzhBXWRC/eFi9X35rV4hsf7NHMkBn16DmqXQSq7oVG/TTS8o540K8MqVuTjfqbfSZnfFWPPONlbcUqZjB95voDeDAzhelP1eiYC7RepRFwzbVlNKrvcnaqcWCq4IpBiRuUPY6rVHHpskM8wnkrPkrFvmeWnq29ig6h6INmrk+TqAdeuOGoOv1PIA+ZBN5BIXxk8wtElqGJJ0XpBbpvAcAqtm+vcRZ42HD8Zp/Y22Ubc4G3om2PT1wJflGfWH2cb62D0YnUovqXGmOjufUHJ7K07hAzFh/OajO7vLladuglZhBSiASRC7SK7B/IbQTuo+5u78WyZpdxndW0mb2IcGH8tpt0afKJIl9Vk/oGVOLYqkEZy78uVqsKHu7vGu9FNqX5yBmMK6oJe6ifhtNAiUsA+Ad9yOnEXAFAja5B8uW5hw2AoEHBwKovhR4Mf8y81CQRxfe0GsClJneiE3DaQo8TEHTTgXwfKueRqVmPeOgoDptjC+G3H9ekTw2vc86qW7ymlbHNKiRmaEX6+0yS5i+8K+tjZMR7uU1L8PMV56V2Sb3hgSsj9a16QoCrTBe+pBB7ac1D9xz6MloPr5rYSgAPm41fTg87fHsT3+zz7g4NT5ffqa+Dx5tEjG3GxCOxm2loKamVlYMCVRL/WHmnWtbQKfkhKQOgV6fmJtvwxuOEWMzKabQPSLX4B/g8oPziiS3rbP5vNhlCrCkJX1nPcEXBko+k/2cZN88VNnj87PuL3VhEZfG2nwtW0KGFDgDUsGxapQKdST/Ev4P0JlcQujQJb1AZfoT4vq0VlrESdzxIhJVVd1//+YQSNYmuA/HjQCQo/TD61FCK0du7Pd4leM9gTApl76W3NtNXUyAp6dc0CjwutgUSCWW/V9bz8va2wO+QrijbpgGw3FumI8xIj4NHyjJOHZeI4EdjORBm6Dv8GAxq4LCZ8k4wgd9A7VZ8Zn93qWh3w+mCz4EpKx4srVG2l02klqZ3wmzNROkXOKYiccdfRDl7CLzRNWjaTx1MfnqwXiokz6hz66WbfXgQE1j75vm5rMjFLIu1lYfYnDuGvYpwn90oPvfWSoGpM0g473smtD4/H0dKaVKdjM3caxD/BYlruEwMb56cbeph2I+iDzPbYmi4si9mVd9/uyXsbmIfbWOcl8qfZR1TjObxLH0+ZZHR7hMvSOs+JDqyvnWGL6EJGc/7x81ZewXFXGzgMeUiJfq0PxP1o52BKg3m546YCNvLFmO2jICvj3jH+JIsRuAIZzbc/LBnrw4uZ72L9s/vYzJ6dUeVsxt15je6IpFJ83PDYGFuQkLqj9zJjIru5WmDnCAZSXjSXhHaSpiOkUD9VcllnplDtWLYXVqAPlPIh3jKIV3FHXPbqt/Da37BkMO3xM/vSjQ7vPQ4hSFwEraqpxzYOsXAPLVrlw7xXoHFBcfb2r4hTzSwt6kmrLUXw/hmGgqGLdCpKKfZJuTYVbDfoBA/ZFqyLEy1Ec19Rga6qpw8O0REzau0st8XlM5gqO2o8S3fujyR1cwSyEwj+Tc4AAAi9xp3t91c3yBFrNYpZitrRmk/hhAeOifCWuAylcY3jIPh97kjPBESWCIsfC5jj2Qv+2sJDgBksomrlHD/WUBk2j2WEApJM1yIll//wrbO8t0bX1dYkgN06I+AvTLAoAo3z+zfK0zQ4gaezhHhMfCwbLpoWQpp8sGyJGwbXKgN4sgs2o0pfZsRIazSXMoz4w3GamvdZSnaURFHIdHqmcHsPMY9mZZ6Pm8xRKe744lY/Rx9WZKuYFOwKjgo2/8aasBhmsaqgXR1e696K3PVPgbIF/tSymxU2brEQIslWXkS0fQ+KPD5zyxPpDr44Q+67x7uVgod5fnIB9jMHByKlSui781bYqfre2ufy48n0tz9DfKMevUGcRGi3+T2hbvK1zb3yvV/xM7jnqS5fRgAqCfFwRDzzIOqyqifQNIua91bOFWnQTYFinszVGxG0Oa7JrCG7pfLN5H0SsG5KxONeG8XV6CGdgsjCaIpClVDXgJWtglXRHiByED4p0rFUQdWBjhgUqWZsGzX9SSS7seJARsWnax5ZJD2/qAZe6sjm7cQPYHVnJblbfAwlolrdgD7gDj+wrCJa5AwlwWEXT53hGhh0V649ZrLzk62kj367cNuf+FsxoZW+GjrrbhHTTFQu2VWRn2HwCJsmAbCQWdsAs7ZcDUQldHxk2WvrCKC5R3z4+mXuENDMWZLQaLsTUNOtQVwzKmh0atLuvzWmgFj8LXSyzDt+hMnHHTZXQ49PldUZSMV7IworwIlIiKfM+rYh/9zx4NxmO60EC8nSg/TGZaGLqDAR2cZPtgz9yTJb+/1snA2Soic9WcBJEjIet4VTmqeZ2vJkfZKtR+Fx+bDm+/O7wFe/r0IZQoEglqctvsN0abxGpnhq0/yR9yUv0VI7SZWm2VquNd/2lLTPCIokALqx4lO7Gaqx0E3+AVFh7wsU3uPNZgA88XVpAFlvURvDM1fW3JrPzzf55m0kmCZLHp5L4l7UCM5PVhMR20m+DhYjV9Kj0x7YU4jl22KXKa2dCu8r3MnE/eYjLAkrBxC0+zf3/40iDLHEO32ZW+tegf7V1RHfzqMyUVrabQYF9XPozRrdQbVQerwMuogW+F7PYGgzqhmNCLnid/W85DMg54SaCEknWMjnSVtKp27g1+VuxweU91xwIDg1g0kt7V0PRH8B2BPtEOvfesyXXYdBqaPP8t8r8oDKdHkWoZXtdkTO4GfKf9XqFyDtA8njD9Vcjv/0fMhNi+0Wbwfg0AE1Enz6c+NQPu1dR5fh83oYVdzPcovtyAmucPif8j6Pr+4Zk77oGoKgv7V1wAIXsV66oQzSM1w+B8VGSTvVwwIOMYbF2Bv9kQVdoshlvFmkqGzz50ZOCdic4AOW97iOuk1KW15FuE8xGXsVIf/5g3AdNw5KWrZTEqyiZR7ezQS2W3gU8xsYhhXtO3WoAzgZGZr3yC/5DMPzBbfgHZmaxBIq+4qmbY5CAXN6mgpOK8PWK+H04ZWwFJzlFxXMf2VFxmyzDDosSNM6ObXh0fB9CxjVmFsy0jIXaeyF9tfGnjAivupzW/8Z1RCng80oXPUFhwYKTVfHyiE/KfyOr7VNc81jLmKajJC/3fwsPUJAXiOgjqQhSNT5aetoH2PFl0jIOYLAIKZaTPjeRXHi2uxzm03PrPlBY+r/FhMf36xwXXY6A3AMyd/ZSGUuQvWQQxZEEajyE/AO1BpfEXFWVlmM6qsaMOGCUI8hxuEufNiRsCYJACyykwEC4M5Aj4cPhhyK+OkG0JWUkfUcRtx3AP2wbVnaaDLnJJhG0VpKYr36W5E64v2velb1WWLJECCLRpFDIknXuUcpw4t2BdBBwPcBvMToo6muwttKTYDCVEQraSeNjdajewrDAUpCGPFlqDD2KyQZa2Qr/UXD10en7HBVJB7rhyDmzNUE3sbE5RgXHQJ2ERK/z/CzWJhL1MKc4sdwKz2pNQjFKJr2/JvZdJUpI595IvJRiGLWjLa18j4ACmhXhjsKgSIFX0zjFArz3zNeEKiZSokCb0CWollvGtgyZOBX34ukfXz+Y7WppXdH4GpeHJkV380ci+5r4fo1cFu7nDtBagSfUkhmsU0yKVZ0hs5H3Itacao//Zx4/B1QHeToLsufr/0eeehdtNwswC6hwMhdtuAqU0b0zoAgnjjS2z6H7wuRbEb3FkDADFsT1khRcGbePvfHAw0MgjcUciD/WC8GWlmA4bM8E3y5spJzOJwu+wtUsvIECdT50jMEeIhhF8b+K60/HLBlZlUh+BvPHA3NRy2XUmIYimnCIiuo5UnCtOZthric24r2Zx1YExrcPckfZc/BFd9Xg+iJ1RjvLixwnifUJrgWREQorC/cNfUq2TpC6uHFoiwPJnmAS0A8uHdjt/Hh863bvSGmryjyiLHp8e/+3ZevCE/+9WuS2JvbuDfchpacUTxTTDj1eQWCUrbhJ9rJJzExDzqqq8Jjt8gN/ti7c9vAXEJsPWw5xZB0FALWS/ZKQzmfSInC4AuK431Ag0AWRdomrf3KJY6tq9cqzcOjFNkdy34LVVC8dSozy1EwShIXkHFKBykAWr6iL677fZRT/+mhLhfVp1GWO6M5iOikIuifaHzEA0UdFnayD0k2BZQy5yY2ou5vU8Xu8yKavU7kUStWbMj/+8Dtcn0AxovxCGD3AeVxYxp4MknbTuPBXCfBoXQNYn8x08VVCG7E9xKWD3RiDq/440TWTa4f0NczBrbnVzjmAIJpzd8e0nCTCqEX28GGIYWnYwj/iCPPH/CAMi4mKQUcn+gAnzZJZ53gBtF5lfOra1ficTva/lc+UnoCB6ZH0TL7yRsIzv/J+2OcpyazCxgamt9ThWcMKqWm6Tfe2oiDpj0uz7xgDMRs/fim9mJqTAtu/9OAyOeQGTp2ChMMisxHqU0wBw/A/SZr4dNLz3UUyLmZKJWlT5SSA8PV6epY26XYdbIKHIagq/5+vfJxvjE1mGSmfKEjmdHlsfFBv3sSYeILoEAa825OuQs48jWO6GkmS1QCIguVMJ2YxdyEydplkjT0GNK0sFgaNiUJGiZniAaYFkNPXQMlprn97h0OgGXKab8dTpmb3B4NVIpvELFMtArW3GHOIsT1gFwF5BAXDVM62nybHz7lV2JRzcvBE/YUOIhgwSPtejsHwcx2tMh0fhcz0H4abD6KAW8lTYHBoj8nQOhAV0ctZHLQFmBlYwYHZIqsARKxp4Ycqo+AfGuF4plE0GmGFs/rjQmJRoJN005iJYHXDk+QdEDwqGogj9D2oBbm8shHgFb+LjefKmimZWAh5EKyojq63Hw7MYJezy5MPyv6XcgAVywqjO18a7aZ5I2WcE9eoBu7Qf+pr5QLwILTMqQOWKTEdbd8gZ3juzQivzgIVRMHDaTgj1/zFDR6AXw3HzvX2kroLJNmDcGFlgF/Tm55d8FCcESrobVztN9BLuPgMfbq9V+/PoYSTDyKHExE9jwuRrBr1HnWckmYugRBZXnLx1yhRI9lqRwA8Xpiid8xP7iYWgNheq7S6hkcqfQbIDeKeeeElsy+w8ooWgcMjwOFTgXfxlMo1tFkNCJrqOa2O63MpNnDeuPKy9FGEYUXEnzm7lzhe/FvY/awQNdbeZkorPBvcDaBVZgn06eEsxedn+thcZcxTPbxjSEcRCK3gBM3tq0Le/y6QCYd0HJnPHZf/kwfVFvvKsuz3YuouOSQxQJ52XJCsd9hfA07CqX3PYPaPRUNYedU/NKhkwRie9s948ApnD4mDfWPl6/3hZg8dqlqAlyhbfIk87HwLRSe6LX8R7HtnngKWEcdP4M3o0LcoFBT+QIO/202dDx993UHNgfOasc8tuAXExvoXqVHfs02HMJlRvd9+x8M9m8RyASQm8FgYPIxfAw4H1puqkC9+vpq0MOLgJg3EdItdc0GK+D+mfPch+sA8XI0DtsmKp1rKocrHPsPz03dTrXQOlJjca+GzrKfG62OUj5M/lgQ8xcvfHbKPDD/aOBvFJHFTHyR+/jO5aMS5oJ2oAGrS9t1piJCgkxLIIS86RuufEd7wd1AQYEZcXHWnQ3fFO2BWggFDdw4TNSfm0iqHeUCnH1WVkVYysZhIUs6P1GCvqVQp7ZFhqJR9Zrv3pJjtiZz5Y2ao54twNXTLmaMRM2uYRykDIvNgJchnMXd0CO5sWhZvYLOk/NyytKq/UApmqCZx0zFK99apmc2LzieN765Ed9YozsL96ZJW0lhx+PW5HVoAH/4zAwD4vfEpnHzcztNljwehC1P3O9lNz0dFSGZDC19WHMjrnQ5rEaUT86Z48cxng8ffq0ifiQyZl3tTusPSQFeOp7gJqxAQIqnTvAJjhAaJQBrJFIFB2I1izhdAK+uKzBiHjs7JqG75FKHR828l+dMkrjVpm5VeuSoK05TejM0kJmWYnldgZlRxlzPzEzC1vArLJm3VFR4REXBhUqdb4aTOyzLAaNoXtrbIZtLxACUl3UxJX5HkEzWEpx9pYzmpV4imyVYZj3A3JI9KlFMG8n7H9/v/9FMdcr8Cd4l72gWLGGRPQKdILkrtMpwOBniWaWvUrUyST+VMPqjcJnfRQGPyhdhZMopmD3H7B71X35dv6pKIzm9EC0XdvGz+dkw/YXTzhJQfxP5jX5JbOeH5IRdnT+uBPhEuaOxIG9yfbFiDsF2ZyTrbU+AGG5QB69r2zvssPH4g4WvTPeblIvE8xltt2AJMfyUTtb3COMF+J5JAOKmEd2De4/KGNaqWbpjYSm960u4w+mdgVCoNQnftj8Lr7OPeiuJa1tCgYOzH97WXM0gGnKo/dUWEmORQ/69XeUB5bpDB0+43sSSGHSoT/AwwV2hpN/H9kpKsCBcA7pgEC93MQgfSMbzfV6P8P3kyPvg9vqJQsmtsLAS3Y8PR6v/u5b0vEpX04vfBa2mGfsIiVEfp8KvLzUE12w2zSj8cG5mx1sZtKeMhoJZWIECFYchYP79nJ47jeoGtF7xfJE0HjRDfmkpLm2VKsQU1meYi14C/sHfMgFa4bVvSA2lwyzKcustb/MzLfYghW0M+n8Phzd9gC0ewmBgxKtkBvp86JBOLTFjpJ1icye1Wj1oGnd0ZtW3AdhhpUOxeHjD+r45aUGE4Zdc0Vf/gFEgJ1up6HonAyZraGeD0FJSjBjr28O8SJ+Avb2h9ZMW/EBNQJx9seAAnR6/FmvaeF3Dr0j/lyLv+YAefXHcjnJyI5f8RyrdCVJVcVA/saD8LBJqJdkwWAKs+1HMl2UGXHywdkOwqczwfmXdGX94P3TNGlCxnaiOIlddgrwGgHUWblBXxgghvxN0iZqK9RIAv9bUDxhgWXiRChQdaVVyMXyA/LbEq0+TwKIOmrWK6dzD7qUrxwVuGzuq0sFRXMIohSb7OKkzRI07+pRkN9bLQe4Hjem9jPWxslwOGwU4IMnesCjMLlp4YDsgZV5Vi+ZLcZduc+t+2wEhWCk/zW7p5bgAdddng+8s9sdCfISovg/7LC7ULyZ2TwImjcQYyfIZwnDe6fuOD6kNFgT3Km44C409LeFATub6Ux3gpJgr58SFpPATzJ3zYMxpEb/psqzkuSkEbOqn6ZfhGV4cZvB6p0ewcfTYBV30ElxKRVd2BTOHtD2QwZ9pKogX6SngFU6XFnHdJTXDe6/wzKw02Wb0gPGIjfjAFiq6uFKkeohT4stnOKmcZAJK/sVgvDk5/sHD25kZpK+ylVjVFppNthFrBpF7Vpj4urIbNcZLMLvjSvtIKH4QqKmeTX2zIKHThswVc16aPyX1MmGvcQhAG7fBJd/vazsxbLylBVHiiZOfxYXKvRx1OvslgTtYAhPUMBdLSElqKmK1A7iWRySQwE9iu1Wb7RGTEXM6FJ/WX3hhGqduFH10imzVQeZYaiR7t28I+7EeLxDQqfWjbd3R56gYY8AK4xiJoA/oKjv3jkCU/BsLpH2glrguOd6UXfO1AhAXZEKYGOYXwAjHK9PRTRnb7FRFO5NiUxkSd+FbB71Hbq8/6Nv2nzT+zFRbRAe4r7gf7id6CdB2i0TJimrNL0mReP0roeHxM6gjRN/iSNP9p/Buig6xApwGgHCxSLX1xNIhIWZCfVTytciC6/rfhmbBgjsaQqKh5DdpX/q2IC+oHOnHSxeQsBFBMM0+xzd++KuWiToOLE9K9xz+YcsLJ0gaseArTbvkogMA/OPYfDuxkuw1GQKnpFBzvjJhooQV/haeRkdMZwxA9/8frf/LtsE8mwNAK5QKPUMbENS9BA9h6acIFMotOMA1k7+5VaKWlx1bgdMtYhLA+yOVRJ3fkX+TftK9O4rhZgCeHs5WXYGCBVFFRDXTdPedxBoIFS3E2TkQAHwQ22qax/TRV/YNWDoMdlsQi5K2KVvKNGR/PFg/U0Id65INsJubuHXyk90Dd1A/Q7JWoSve6dUxGXXyiSfHJR+7OuEcYre9snWwR0QZAmHRKKhhzK1wtbDCZYxMdOovKwxMq/9GIgRICz8iYkVqXKy6QGC48IgguB6l0nik0K7tLSVcNzsW/Ar08YKBp1OQ3Rt91zZzuiLE7VX1bsHh2oaGXGBzCrO62kEA1ywtL+8LM5A+0feQa4yUv5o4SBYlmW36gXlvWRrrgobNtoUm+FU94/OVBV/zLcJQ4d2OzIjv412Mhczq786c+fMIbhoT69CfWDDhSqKZn47HCXib/f1YdHDIwy36Mcj+uo5ntzsQ+qzqxn3rhsvW1y9+Ez7B2qtHvQ+BHYn1FuugxJr6/iJuNhtV07BhsfUZmA6zEp2Kg7U7VgnCa36rXLC3JUrWgOTIftsCbt12kXHPzisPEGd6/XJwgCEWxKzbU5Al0pGHRLsjaMOWElYYB/6aZbaDRXJ0BB85oLoEKt7XImWjuQYTDA3KSyOIQCYKr7zcx/Xw08wWju07o2uKZ9JC6w1YXlkBNnYmEqNaXrzm2ZcLPOROWPPS7Vi3d8gLpwOoqx6lJlVv4Xhs3lmTnJh6B5g5hhUvwdTs0ejnmxjKfCl/6ZcwOYSLKkaSi9OyzS796F8DSaPh3RF0niXD0p1tiYfIiWHw01Qkm+rIW+mXFaQ3hZebEJuhCc3CCRrJOUgdohkWmT+96qm0Gcr9MxAiy/4zxI21lS3/N0Q1qnSX6bh0wDgaoSPI5ZYsWSKoKwDCgUyqkiZQ24MP06EA1/WIOOFvrv4oWhpxCti/ezP4W67uOIHDVjtjZnIdwoQhYP5a0WYFPPRvwH3ebcZtRsNIafVXMj7GevI9u0/+Tm+MmGbl40shb4vmM8ZNplhq5/KGVg7fME9c2KHtdd/GrtyIw7PycCrpgxUr/9KfjpiV6PTwIaAlQrC4fW6c0AxT3ZVYpRU7JFdOjWs4euy1X3ohOEd3KPoDGvElobl+SkNQBCF67W1VtlHx/Z51PieHThsPcMMAnwK3ZgVkL6oCuhiOMGIDt7AVJZIXubmRIzAg62EQKI3rsD6BmrinhoO5IIr7SCM8RQhl1SFYi1xaktuEnh90kdIZoxUBELxIy5WnnHC5h+E+CC+jsTb7IB4qIh/WX0XpHkLXdCIP1LOFnwTQWRpXmtetvZ8IQVgqDtuPEmR9H4TuT2o4ozphMS/JcGDCrReqzNUKZPezsAMMrLZiUB6RpMBGBviVZqQ4f4dJ3sC1pG1NB7ww7ridHAGgLmdcaHd9qd5vLnr4rCgi8Bd6KYYDMuE++9kH5kWx1mKE5n3e+vKroouUHhg79nV3e9mNJMUl+H5a+He4QeFmLzOcRVgJO1fGCD6rMl3461uTylqnWEFLtAejzR/SowQp7aJJbtsSvh5JYwX9GUT11EotYmBLKWgM+VIDx5NrOqVrXUsLXm+qh1G4l4Ctdt3HJz412SQfHzIzAPJnauVcMk8q0DGP21UL9X8iJHOAbCkclI4qItj8lBljxxA6UvtWwp30kZslwwV+8h90GF2R/gI9vsLF2g7O67oRZeP3NHeZ2YCWZTghRgdLCHwmhrvLpEqLE6EE2All+H5DdRv1xqNnlUGTRLKDLn8qF3AhMm/+sm1AGP6KBZpIKlIF82L//sKSEVofRSUhWtxPd0QAH8WOVMaISt80xtIEnS7JUm35/Q+qhJAdJg2Kk6aOyjO9SAu7vevaxmn1Pu91vZ4DvsjIZ/zo7cxKe2Gr7240ms3N4WTSbl3pk12xq8rnxCW8Dj+eepnOZewwwvuPzbagfc+7Hk3JCnNhA7H0gddX5wFbYqzvJmdAKN54MPiIE3n8g8pVbCZXGYtZQasFWphuADyi2OFxJO+M1eOWsbFsIJ2Pig4mYNHZpUFkpzSfzTQbVXvD8mOhJPk1jm99kzPazLyxQoi29y827OLKSIv4VfYU2xOH6IqigsFkTKTJzKSadNUEByBPYQOmv6/gLjqZCcl9fkUrfRBZcFdgeDJbsp83ziu6Xd6TL95HtrPckfjMUZEA3DT5wVVj/tLN4MiRF/1XqYNxFIzSpyWy0Wiff7DSSzB23AZquNNX1LtyKAm3ycNg+nr+Bb62vqhaY5XrA6CGCFYYkZQgtIjqRAJnjHfxDfssG58Bj9klloMmqLok14rKDjfoqIWdJ7LRD4yX6txfwIh4E5mNZLyHYJ5eFwoNrPN6GA1UcBMga+NcpvCz8Wm08Xw6s+7S5Z/a3/SkTouUBhtP57H2dAREQ/hfhDNd0c+V0r0EJNp4hCe6ugAYxOUfK7C+1fAMbj6lActyp5GplSkAhzFTqyx1gE7VPncI8QeC4n5kKTEiSAsveTdPJHAFSiVbhewZlkWZkJsY0V7vqvS+2Ekw7BwRBtsV8xmMbVoVZ65mAuCkRiyHRRYdbnwL1Vg+RV4YmVaQFCMfM6CLsF2GnFhzWA5VTZ349hoH2ICxxbegJESlEhj3XjHx10tfj+FgVeiN9kxbEQ1GbkdPGK+Xo3Nv2UXeEW/GveZkI4qeZuBNt6mJrte+w/0VC1CqbS9xpL2jn+5llyin+RaC7JrRXrKl9YgWzSyjXXjB1RLM++yJSut6k4I8HJj0rOJ1Z27o5BbSCVpY+bwCXPdbqnTl20op5WS7aFV/gF3t0LoHEkga94PYJ/fQU0wqNlTNhy4LIvY6I/2dV0SGLibdLwTN5mHznFLS4fTGo/edg0fgGjAVP9heKwMruX3zmyRlZKDzQLiKdIxVLHyBuigI9ZBXWLfFhErhy0I3NuhFrRSS2ixax6N25u30g+cFJJNiHHNthbym54gtVkemhMhvWanNqBn+rz73NbyrVt9RqqMm/cjeDFros1bqaxZ60JRqgcs9acFEyNJYK9O1uMn5/zlLnh4kGxoKMJ1s3kChoBs6XhBMjnpz+AU56zdP21wF2ubqONnr4LYK1nPfuU2I3k0QHGzVg9ki985wjRZYf8nL6OVXPsFcmBblAI7xt8Nm5E+nx8INI65dfnZobxWVCz5BzRCh8VUO1nHvLVZZ8FtzbLkYAAqB7MdaT+OtCEONjICy1IB36uTitgVzt+BjeBzzk1A23A3pdeh0pGyVZqYCT6WUQu81nxcWmUb71xZiOijT2GDjCSJ16o1m2MA481xysZpZjVX+a4zrmZEM/w0KtTI90RKESaPFLYui7uts8Ttzg8E27jM9x96Ii+c9yYw+AkPNVZFth3Jeh1lSjEQpH7XGbkkAlHCKCgjr7QZj1lZsXHy/vJQdwXmc/7vzrCLM78Kt/Ax7nflTEGqtl5WbLpABWpXeBCcquKWTGaKUKf0rGwuLbfkWfeTB2zook6JAb6Fx2wvg5G3r37cJKejYnluFKdCoTUWBCfpryCiSWzW500DH8WDRLhgFXq6Tumyj97upfHoeFxEO82qyHhToaLZE4GI07yXwUzTeatyJ2HY/IBgBNxlSX2D8kUm9wSQgluQe1ZnHZGbDVMc4ExZ9D6K89GfFzxWZqtGOtYcl+fRuEUvb6b7ryJXOfDgDCslhPjJ/Qu6hxdkwzjCX6KkeIosfAJwhchoqhzFgmS8eZVMmcCpoh2PaPij93GTiKFQ2005QX8ME4AJ0z/yZlzT5a6o/1Iav76po6CiFDljoeJuKkFD4fT6QgyNQ+j4IBy+h66krCAm8hG6MoBHop8Vb/uSCxa/9pKRL8meiqir6tr0MKTFIyUmaL9RWGz2zm9V63CuF3m7et7/zeZuV+uLytbsQfJPmaNtdiHZ2nH/0QDwP5drRS/rpSaIrvwtN9Ng5abIn5epZaKGBbb7HE22/+xZKnsj1I1MFxk08ghplGCH60S60R6O1b1WFRHa0o8r6nScl/qEoVUg+OShS16UW2k1eXL/K+jzPwl6pnMjaZ0iGAPponI5g71oODV82F1oksW+eCWad/AEv2UDumYWwhsNMSsdl64aZcgSRktXqNo//pZEOL5CRkzfGdFBL0UxwUx/14O9k7p1lRjP1kMyd6nPAnYZtnrgO+BYdGx/iT59sztBjQ+l/+UYhp5J7XJqh8w1KDxLFpXvfSidcEemon3y+wm9TsWz2MAZ2GRZ1tFJRsDEmghI3I1O4JBEsLUSB4iuzDQgazROYo/VJ+kLlq0qUZZUaj/k6Eoce5rBnyzDZdxWZUyV9tpAKErSHklbPnqT7tKDGVF3T+K94+1tUCPki/0aN0nNSt3MWMVSNdqRCEj8CpGa3ODsgQ3dBfWqXrI64PobIFoLPDkAaovzXIomFLM/tof3+LHgGmBGaIW3LUigbk4gnq0+brKb3rAltuJ6XIF2zyk0YrVRAcM8AQ8ssQt46bs2f/1C85AWehsnbqNANeM56RbROn0wywtWtHOCHYqkgYLFwZ9px7Ckw4rOpFHbvutnCDVaNR7aX8IrXf4oaSA2HMpdSHU1e8XoPhXN2RWHElWJrxagrPy78GYDT3SSM0OyG9Mh99xEk6ZW/dKoWQBx1GwKjL4qsrtsjM3uyGpbhIk/jg1Ui0/heFz/ofh52/G9MYT045oXz0WaTOYxfeNslGoYnUq+cN7XnaVXOjWilS9VQZ9QlD3SHEMZzgeIxBp3GTtYvKwtTw5ONF6nw7x9VBlSREl2QUXwdE10lSpGyEtQ15d5t0aUzHs2wFkZA9N0ktfxrMju/MqA5+Yl0dlcZJTcQiHmBfB3Mh4vzCfS4VR07AS1w+igHZ3/XCPK5wEaaI1pIK6xd2AJ/MCQf/bIKQ+2Y6WgMXFcDsWISxEs1w9ccpFLxbMeYj8izuR9/GkI0C7m0r3RZmWgq4wZpwXN0cQiTxJRzVV0Y460sKeQUk565GKv+WqUsT1QKLeH7YkWr2HfNOAZhC6sZjHWh4Gu6pd6aUMMkUYajc5f0mBMENGDGLWbMPErmUhcZ43lcDiMAb7c39jYPkQKpANJMc7eL/HAcuna3yd1pzZWPaU4zxUvHprcmHn4G9eWmfaE1fm/GcC8baEN1r0RVsbfsf80VW9S0jQllelAXBs1LeNpaZRqFvXaKChlU5qerYrVQyTAyvVc2m2IAAFalap1hP/owN1vKN2oziuKB7bVz63yhFcamp29/4Mzo8LK2t4mWWbanik3fDdHhhPGmBNzTanwWiJozhPmQI+NYsBtkS4G6EK0B8V2xV5bNj7b1cc06SDb/QsLs4vVfvTO3AzDFNKMKUsOa+DCWMtfwaMvPyaXIuP5nXwISAgoKH5S15oZe21Ghlkgys7JpxMjTmpxtoL2LyyC0k96PnnQXxdhL7DATRc72KRxHlhZVXf1v4PkRLy8Y4YWh61cIPMW+QkiNt/N2BYQcBFR0thyD7YY1w/sN4cTbomkY0gTgiE2yK5+6sheqrOR54VFS9+8ZbAV1D+7lGqb3En9sgp2TINMrP7Ld1tNylabuuVCfxCEJ46pyyUVoFnPd2Y5i5UBt8XiClJOa3SZMzbodPUQCZ1r3BLrm/6wBAORTOo+eY3K1MUzzc49NQQ33ThlogXOBPytiR4cCdCPqW+dnAVxzNy/WCdZ5R+OIQ+iZy4C9uTADcFsDD9fCzLn+6gZTXTvvL/TO5UZOzyMWsGBpOHz0OC8vqCvlV+FfacCPfedT2+G3g6rSf0OZWOPgJ4ZBus3ThZ5AbKxk38cHifQmvAAgpR0G5cas7BI+ZnRvzk6671y6Nl/FvuUAiklEJ/LbVL6DCTggvQvMpQfequloX34qtjNmscVj+KDdlMHNmIcWnz1KytuBoeWSwbq2AznEwWo3JM/YD+bgDitfYSS7nUikMtpVoO3eK7XyyH9O/RwYiPFk8azLLuEmRN42smtE1zLJE1f9xVlxK2sSepoOSw+16DjjbXjnvKkkQxraZLswjt5ItjNhwyhW1uPgfUpsFEbASCwroIAxVrxaplPKBk9Uo9M/CbZlbDKeWI2tm4rKwQRylFh8mqalWdVZstYnasPRUPzCVgE2KSh0684Br2/oxNBfZmYvSVEEZsWljhY9yDNkunRTvVsduxYj3M8LpJ1SxjBM87pWGJ/sYt/NpicrQ6uIjlBm4nt0Dx1RkYGVBgfIfZW39XxTu0kg2hW33ZKVjc4ekDWSRBT9ov3Tqr6vfOM27f+iX+YtfnZiP1LGF/HQZx/TqDd0sczZUkCAiq6q1KSgm3d6hbA0P0FRf8Fhfio2cHbi5k/zj4efVCeM1w8yJqX0d+/6PouPMNQ0JT6iYmMPQGMBEZt08fv1tYO0X0u3631MQt9ViC6OdFrgncl1/H7CTZLAy8r+q2FLKduzmtM9FlobFOJPelQy0HTjbnZe+u3fgE07ZDVRPjFVF1RzN0KA+czjiQlCvTVOdqXoIggcZmkBKci875USrF+0LwJ68olQJWxRkjINOXyn86yJUJjLUf3q5xYo+7n0skaiZkby7TjkJTQqwhPz0jrQ4/PpCiy/AcqHoDZDfpBylMazcqdWshinRrTiylGim9yj6cgq9HaWsQURZypGhlikxtiizVEPU2oe4sMiTzJCi5x7VOSrXir4681WrBJMqQwFHTryy4nHttay+s+Z7tAQXzx3ErxQH32NoCN1g90TNsqN3PNkdssbVGkusGvEG9OeZq049Gjh5GEnwBhzC9AVEt4N0ew3EQDgIp15BPOQWLwJz6Iz2obffXIVupN1RwKKyLRkBIQ0narEaC/SeJressP0z8vNP+KA9wY8UgyZF6yOQ7kFfV9SU/fegbM+rt5imNOfyRbvMJ3KivytPWyez3KU/V6FaoN2NdirQfeLPCvZvmPKkLfgwq5HWB/NON+ZT6wKgIyqqq7EpXhTt2oz5UAlUsRLE3gG/Dc4OGVHlq/Sy1L0fGLySOtpOtiHp4BRkn+HBaoBGxTKqV/3KCZgKCeCQhagHAhJwAjkS2y6cjzgp5/C6CVIfETrLPluPeprKPEb8ocyIItCXIzQ2pIli4dxHhWIZN7ZMl+cx52DXHt6Hg8XBgr2shCh3kgo67Q80fyHeMAXd0hTyGIToxYrmmO5K1xE5vKUYNqEO3CfkxJgcp/SP0jYu9o/CDB+D74k8K6eR6OZk03lnVKFx8DAQzNXjtXPdswZe9Dz85chbr/j4AWz9G6KDlzzLkepZBEc5+y/Y6Chv9ip6pKHAZfHMgLw7s23G6oJegrWDDWhNTUC2UOXd9cLOel4Ylo4d+5xuPnDWVm2k3TLGGqd/l40AP6bIORgju33enlGSI+P+tsJ0UbjfaJhIp7EivWZUI8SgsRyo1+EzjF7L2Dd6jLk5QpheH4zX4x0P+Gb4U1pP9sChxAjMhxAeMkaICBtuqGYFZJj7Bavha4IHgsZjJkY2lDVYYMFT4gLoEaGdQJawd0n+Q2I8iEa0F2MJk4/pcC4tjkZcfcSA9P5gVxolITKxXJg+imgzmmJXxEfCRCYsBQAUg+v3mFQlBdUc42lqvUrFiQpeZJyXAwIPm8AzgdO5ugzQ5L3reiJhMV5Kp/vMCiOzQ6zxbq71Z8JkWt1sUVD5zUhfbVIhRkv9KM3p6tqkR5r94qxBM7GK4DuPx4iJuJXIhB/zggzR84vMz4/swyBY1lDZziVOBpXCCW6wzpHUtAbkf8yi/JYkxhaRwxo5KUg52Wfsn+H7IUFP+UJHTEh90QweL1KWNpI0ZjV3BHO/cRw3E790jKW9+AGRN59WlAA0nM9gellUKENccbm8Q7pJ2ZuVZjdYKFywLleEG4YRIA9Z8HxJKaXTUC6NdVbL2R9IqixrAos+F8fT0jCoZSFRh7YxveVe28LmsmztLt1WWEBFHc4rgsiBAU6sgGkQXZC3I1fxMM9fagsa0Dgjn5GsDPCzYONoBqIontPPSfdqrC/+sv56PDspr1gWuvkm2kXFTX5oQFKsH/lEzawT0UiSUILcC+OSGPI313VprJn43lyljFJSWLbaOQLnV59rXOx2cVi1SXrh0qe8KMNOiRjd3mR4s8S5jtSzbmlLe1nDsZUtxx2g4xRNRM/WJsng/KcZP4IVeMLHDKBF4QJ0et8WA6oPowdy0aGWGBBhCcdSY8SMcHphQhH7DcGAy1hjxyXKHuGKj90SrR8BhXKa0t+fDcOxgFGFf1tfbZ/bLYpVVcDH/F3CyJbf/wodbRi+8d36cdOKx8m2uqPw3Br1diItptftJR75waW6tA2jOlZZVgjIHe2WfeSqc0EGLAZBTrWaz2btgRdomxxlk1Vy/N3w08HyYWAo9kVLnIkrSuNbCobU3w6Rk+koW+E4lexvI9gyUf/QK0NhnS/7KvVrAVIKIAGkp005oCCHB7jRwFTQLI4+GMsXgpBZc4idZ5B965rCc1ki3WA0drsxN4WeCwTJTlobs/wD1yS+fYQS8tOixJUguW73NcIEs3jgf1/MC3ggNZmhsoQPQ6KsocERSYBZDmRpwNvF50vq1zCRr8SWzCb0Xw3ukd+doqK92YZ/iIxH+30Vzpl5piZJ308d8HpOALkkFpZGNWC+uVwG39/ErTcI+UZDTdENYpNg2FdNDL7D+FWBJnDUbiEQqaYGbq4SmpRdsyEoHk15t/XhPqzuBPA1q+75pxdgX5v5z2zsJoSP4gZjWfTznVJzqr/v4YvVHk0JUrV6o2QnXQefeyQE2UaCS+Ib/TQAb8l+rmDm6zm3e6YdNPxAad0XgATPRr2jLg2W1ZlGhWLo4MujYxGxfX0OKGHirBGoBtiWgdbuNDRqgOf5E3gw5Sm18zpVKlxUO4167Xfysz2Eyn5O8YqJij56xvbTTKDT1rlBRgoFKaNarPjfNqirelvEHOKqOAaPfRNIm1HYhIUBhIz16YzAGKSdBPXwGKG1qtLETn+g/gGApfLwO8u1INuNHEvHPFrJkxeqA0g+7JZm0UOzkUJhOe+6LLqp2xxf1U3rG0P6ZlILE2tHBTDXgfWyuTYL2ab8sG798xBmVSNtDfEHXfiikgVgIO8PuXSTOuurOxnpOdVP6EYjZzjXzUxAqm6lhl954yu+gf8FoCNPELnP61y1s8WUQmpqFkZn8ASv304e04Ahm1LoDdXc1m9G/54rUJqybVc++NY9bpJkDPIG+v9ZKzVCS1LUecJvF+S8MiswepwX7FSC52w2fW2ad8SYbC8NuYXVnmGMUhwYawr8TR5Dqem5JA1Di2WIc5M+7b098pLYnrTnuWvXdiWK2w47HCKBfeYAJ/n1tgOf18kdgBdcgI1SbC8VdRaj/qcw1pHjCJvJIZmlLLzY1HDqGW+bkQ8ScqWx4b10XxyLkXJmJU6HQMNtUpGJCJsBZOs76k2qjH5N8vOpNNLfjWO+z+vMM4RrhSMgfheCZUaFRsgJekFYc/hIGHZv5IvY5v9og2nzX7s9sC5+5Wo/meUcFqfv42tdYxo5yo0GHpibErIJ1IrxDlyZk17Ur5uFlRw/dkw/3S6myN8bRwGrk6wKvHGLpAwxjLHt9e2xYcVwBGWyjsteV0R1ts6y7QCXjpXPfYytxrBvoWFBCKQEsTsJuK4YckDVR6y6y1QB+8Xlv4pwVv01emFGKfPgQdEDtkMc8xt+11c3kiwFR/v/Nl8vN2wRPvMZlCGlrjUurqmYL3b4XnDA5zq1u93IMoZP3RwmcBFQWDAxRpSpLc+vY9gBuzrFO9kW401oGl2H0qDDSt6qiAsTb6n2bi0JwaRRhVd68CiKmckjCXKVJmYguuy3Z+fKqjcrP/Vmyt6lMUg2gUwvsiuu7/csSEDpPp3roVcXL0CBANW2WSm3FYBM/Kkxd9QkNqwVhhiOXHtZg2xVlhYIMNW1d1HXnejfNw+kcegM9/xjWo3lSBifc5GJefb4uixY1rDAnRWMCdYjynpPT5SQ/l6/2QxEFERD80DcnMpGd1tjbDJCXnb5VR/qhViCmWXOgBRnWyb9ZJNivWiAFhY1FwVyV2lLUJFebyRFb62lGcyt099mxIuSVgQryExCtijJ8b5e6I0HLpfPMtRbshPVwFyENClb/lPjs3CGbW0vcJMF+6XUc4jBTYdyOX/UiRgvTXpPu9RsAIeWvFV9LZjwTFQ2fmUbTePaxpdFIA5ZuSvBVn9Dt6ZLMzKC9t/69v86Zgbh6gtVG7ifabVzS+9FYQBBwTZX0iXNf7WcMEA70Kfv137WOLMxgsJeXXHUdT9CDEE/pD2zuW202ypfqYUr6E1hxM4I9ZNDb4b98Z0VP0UT6CrsH0IvEu9Ua/sR7EOmRqimNUleG6BfPz+c5WPLTrm0B4Lh/xRVqDIgXF7kq7lbo/iiQbZNgQXMG3JlxXqL/YdYb9n0xOO5Beyuz9PkIgRzzctsfQLqfj3/wr+ji6sCCjKRH8h0aCfhtYTbChzu7pIaqSNJrPqckn1gF7o4Boz/mz7iYXTaPMJDNz4klquktGsEcnygW4j+McIk5v/OOGXk6VNvVM+MLmIRUGcGMCaamYEl21mQ3r+/nK3eS51XmsOgHf/sIcVHCmjpuCYJ4u8NFXcrdBtOHo8L81gFp6+Jbmk/KmlOnkj525F8ww61bXaUgG5VgfHCeGhhrxA3jM6bKgJDEe4VdbmouQ5I9yYugPZrnXHABVmNL1N7Z9VVqZBAUxSs2yf61NHAqHo+E9uHA/C6W1bgcINjVf5/nSanrmW/VOAziJMtU6p5zKBD4mNTw0MU3gbTys9irf2G1wpEvt74V5FCbx2HVZvKUXDV8+QuIhwjvrM44nrvhyLgIAL12wmsu827jJ+kLTB47PeIyJ9SWEH4WI22BE38bN+eH+bQFnuZ436vxFsYij8ZJW7YXN2Dt/pXgNu3YJfnROv+OFwDLuz18sGlk3gC7ZV1NgyJAODRDbaUAlTLYddFyGClEfWcPGlAIn9eOU/DSIRDs+q+NwdGqkZBAJc8U9jp8ShQlF1vzSZU3gvidXRy628sO4zGIcX9nwP6l+97dbA0lHF/CDaQ3x796vudHPsX9plSWwgyOIcfme0GJxNZr1B8G/QqyxuM4t6J5lEr2H6KhilYdvocLieKWhnGbAqp948V5CCUIJZKBo+mBMtCJ8EKJuBJkwyEzjo1KiZ8D/fCYs5Wk79TBCc/b+A9W2fDozuLgmv4c5GjfwJnBErr177hbw9YE5OW3qoyjRA8Vxr2t5HPay/qnx++96o3RHzbPbk2wo3b5St9ZYjMTKDXzlXBeK8eJqu5ttBP8VsG/XGp9oqaLzMGVyHJwpW4J37i0S8HPNxsV4udcDJXpM0uC8HfiPfDk59frVtdgtfycbiz+KlYkWkINkf3Xzfd7eboHoJnbGimT1i5syQ2i+ovK1erl76hpiLa+2mVdNRiEtppXXvVmua29e6ksVqaacB7hnK/nnSUgsNiAKlbkVqfs4zXq8ZBW3j6Kkm3eIl9EATF31v2tMqJxddt4xDm5al2D9lKJS7zjR4n4mKlxajrXSDD3/z+vCHYzNnLueJQJJg2V31oYzyvvNJYPMQAG657zKHyKW+sVknYTy+1kAGyOSX5j1cR3gVM5jYqdyabbr8AbfFvrtLpjIojH2XV6VfoAMiFJ646wMIFPRBL2YjbOu/PKzWqZdAT8RY8L31NyqBdr6NbNIHciTTRrzfm7mosHp0M1VyYxK1tAHqwa1VUgY7Ra+dkmOOEepVC0+b+M3IbzPqZV0gKZ8Jqrhqc3XowhZbxasU6tIDlgYq5tyukFT5uRSP9ewU54qd2qI9LRAw65AfCBfRPwHO5J3byInIpTesKs0RK4parDUnsiozo7jZseczu7r/xBsmS+vGSSEnXnv5K8+J5NaFtoN1zeIdHQUKGfWKej4GhDFXbD4LEUvuAInvpoZRtID9C0/RHDY8uUPbQS9PFYLuTWpJG9mV6w9+g4lzJrd3TfNY7EGlBJVOgnU9EtKl3cP+neJhUROVM62JUFiPPuws4g5WU68TPWyIHjgfKz+Nqa94N6xIbcTSf6tLzIWZGjHTxkCKSaw1t6I8bVJSeQQ/YBCL76Ivqp4IcrAIA/Dhdl3OPVvvi1W3w9rI2acakL8Xa0X3r5tN4ZnA7TflbQTZ8TElaYbQ2hBDKqigoLbGiLmVMhJ8w9aZ1kjSIIpKOc/LQkzE5YZ3SDXDs8x+YkdBptspz4bchnRr9iluwSxWkzJPKNpLRYP2lV7eqlKyJnvgcyufSRzVz8C+NBCCIlCdU7wovQMaUOygcXBTCzQe/K1U5m2bb0wA/ayJmZEdwvrPrV4NkQH+L+kxO1NKy09zgaTRlm/dm/Xg5oKCf0QjBOQm33OySt2WqJ0pxv/vkawQDJtJgPx4M961Z0rX2u0TDswRJOOLP8Sq5UHuHjt0tq9mSst6HTj5dI9JiZQdizi+/uK+LlWAGPQoeGjlVxeHL+FnKq/N7Y/CQzGc/D40tMz9wAGhOCVVgZSvlt//oaMlD03Q/+2I5+RDpOle88eKxutAw0hL6OMaMiXjZ5xZgIPKnXMqcXB6ghMHkZLagB6dL/9fzlHZ++KMVLRcJayfq91RWPkFIiCpYX+RLxCuDkIw6wsjPI0NM2D3HKEl3vCDrttHjvM/i+FvrycLmpOut+9oFy7K/awG8UsE1pJywOWQvQrcuHGWiOsTa7JjaMQbVpwlhCRxtboYhe0o0BNyxwhlFTYoMayBldqsLO0xVcAYJGpFgfpRNKeqPxlNre/l2QQf1xGDgSHDKNk4wV5drZ58CzNrLaAVGeuFEurRYnZRwf0VXtM+m0NtLqR2NfbgwPwbtzc6vUQKrNXfJ+sq8sGoXRqElGYaYXjzH/EXwtkt8TVV2NHg+WG1NCbMwrJMD+LUnR8MieT0H04plRt9zBGpnPrx2tiAWBmGKObvw4Fjc1xEh389nIoQnY3/Qof6JdgoVDoSKQkXL610q7YUiTG2DUtpRTLtCFF3WAYoWPIbqBcFS8qSnQ8pG1i6CcX2PDqcxFptgk8DT4YxlH5L85zQ+qNgScMlZYO/GUnXUiJmttmV7u3hlGjOMz1cw0swfNMtc2vaRAGqcuNSTzHO+wgAZrI5Xr2vtAglyWWwW29Q5MwyAP5qmKLTwTnso8HLfDcsfkn05IQntgjP5/QbJ/MW2nlphnRefR0EFmeBtGVoY19nDek5ylqQ5DDIzAzCSbg/bLF4VQx8Sz7bvoqkmHbpVkH1pis++iCeknOXqyHl2V7FJkFvjltj1+vTMy8NWZOA5MBn2Dmq+t2WJ49+tFV7k/MSg66jDM1O7qqkaMml0C35hNSix30wEx7aPNalt51Fyd57/+3e59aV8W7GDp2+6q+yoDEUEqJPsg1KUlxbbdwTrqsTbU42WTHQ/wukbUlcDabKs+Sf4UnUXOWx5hsKG9TebONkV4EGXr5lPSuE4ZRKERUzyqMPOV8DpFUzOmUPe/n+dNILAPTD5cScikqufE3mNnhLbJm5IuSOSaUOCogBhJ4/1Y1DW00zz6GrI5Pg6gvEOhXP25Z4lsjSemtYSORqvefN1CC6whL6pJz4eCOdHu4daewlAdo9LDbxR0B3r3Flf82Vb8DZ00VhuQ8j21rLT1vBHJWuf6qHMNw3B1t4lrC6o+EIOjzzbqc/4jOHyFwSy+Gd93c851WLJvIgCsCwQZY25RXkk+SczCL6b0GCg1V7TNoEVoWbTmbfogXICtXKbPOnoMnWjv7qeyNtmBakvhc1TsyPCM0MRBkLo4eYGqhIIDJB8dos3mkXEbYL0iCTew9jjQlwX95rjsinyqLPgYQ7QxFg21D1PSAhKPt/YQG3/qgGybZc9M91Gu9NWBBNqctjNTLTSUKw3i6wbB1LqMVNY+labLDYMxp5GTogUw3SYk0AqygrP1TlGofV3++6PZ+BPLDF3WY82JurexIrqYPJrYYvpnXD2peT4HwXsmtIEarQVT+Zj6oX5gFd1CwvThQRSP16xamrScvVO534hDEZF+HniktXirrfaQc6d28lniOdK3K6xjzL07ATPWPScyIXs7b8j1RO9YtbYOeSRLBThfl0BvnQnXa9Tr4HEh6ZW+sCAuZe9XAax44q0CZTDen6ZzrrMQG9QvetG2s4Oc6DdKbZHNS4Jn1HU1uReGsfkFPZp3I0NjDLL7lYbfBtiLDMQDCkTH/VjRT3mJ3XpeLUlXkka8DWZByLW1S41KoCtP2CZoDk2IXKwVL6hpHjmBVd69+4ht4LgU6S1xO8aWJGOdLA8QYXMcJd4YyVYLJE7mcn/eeGg5LU8hg9XB/VC61c8aKVV887SY4g3E6QpE9jezN3fWzj+HksAs259AWnGGriwNVEiZUUHT12jo8nAtFStT//XjUtaN/I38ha46Z8LLmiBtQhdIGu9f3/8h/go0+tuuyHRbk1iYNl9HWwGCbmM9bPPsxDRo6wleV21ovJ85c10yGFxKLZ7rWbpAD4QZFvXmM8aVfXjxHCVGIR5We0qM6+5gvzFTV/1dFfdaCPiXG9HaGMPCAUtnA3N1wVbk2fNYatutvbh4UwV/8gRGCThSiE12FD2xj9vfNP+Ki+Ad0lvbAhp91yA/+zha0gcPurAZ0M3joginTDwyRSGwCemT4LIvHDt2XEeQ4aNxcE+PsTSDLMyd41YbR8MmG8AzrZTMsJnW7NsoPdKElYRs6q9elO7rCNpSfAL9Jb+EGGKHoeD/pD1ZyFQJig4p+c0z9U8RXmZe9lIp0C4BHPssoI3hqXGCqzJQLtF7wVIbp9jGN41saaLXm/hsV6GCWGjmax9Np2XBdUibDC5tnW0WG2pJ+7z0pOuttGJaTXpQYC6nahqDAmemIJGNX4dhaWqUPovcsgFS+QgVY8EM4GR3hwLnnji4Mg+id2lgjhode6rqxaqAlZfggJe9qQCijLXat0kN8VMpIvWjuW+0T73a9wIJ1tntKR14UjcbGmhWAJZ5EwU8zkfrlfHtf3GldkzTtne2vaPn1GLLohMT13OuNOZeIRRvFYy00WsIQ8W//mowDuaY1z1kCR+tTXsRSNiggZNgeCaplILGLtF1pOZ8vWoySNLGHs0xz9aWLAdQ09oFnRaKjrSFe+d2qxb48aG9SFYV3YGxafquBUEVZF6Mh5ETRDuqPJr8zT8pfHoBwUqk4f5FJN8pwRWddEjheGb0BHSJORz0zpXBELyJDMyC8wNDDgJ6OAH2x14SkqLN/madARD7uzFfZQpFqYkuV59ue1oAkilD+lVu/qX2mM1Zax5C0L//AdbDcRdXhVxRu47a0KUUDVTl59CCFJJwS5buKlQHYcko8A9hhae40ArIWQh0eSZxmf5tSwoAlIJv666YEEpjq7I+ImXK0z4UYPxFuyx8jn/9XMAuK0AYxgKD3nE8lXiU/W2CRi9NXJTUMxmoM3guHnWUg6Ex0BRp2cN1o44TMmJulsXlma/ymYVmCakacIRUVCT2PVyIpushM4svb7NRr905wFr0vC2HgfgV4NGTXxN+qe5WZ4D8odV4muZhGOhYS7M2txQs7BnVw8BGVzHmR3Q1Y8OcX78uK2fe6f7uMp59aSoE3rDmlf7EoINu3NJBuOg0XzNZa31/zWoMUe4v5dgamqxs0R+OwCNygK55OC8ZPFfaz8UYM4VhOH+yZLXGtYn1OgiH4ZnkDxtVNfhoRfNApX3XyhMhRBrKkGx6Gu6cAejtPfr79YjAmzpe5LvWNdQvVFSPmEytLhPvpkdKyelIbwZSbofpXDZWy1DzgeSZfdXUMmnR+4ISKOkVWztPjovtCW5lLBU47ltkEHF2empkjyCT0sHh07z+BAZXn4tmsE2MLG02gkyH0ZNhdaKVS0esNnmzmOyjPfo7GverXu4vkjqhmOAyly9JhvGAp9Ume+6UXHU9Aa7rDIvm4EudBC3f6KTP1YgM4XT+PJKSSsHZL7ZNyIIUA4bvwgh9g/7B1wy1BnWIqeIZLk0wv+OEBlqU3OQtZIOgyTyTFl/ubA1Lnshys4Lyl9LTKQ6YPJ4rdp4jRrNWYyVqrgHKvHxFaRnp6fvfIbkBcfEWF/dW5tCaalfr1ZRAGgtCoxiyUBrFuE6mvWL7nBTGEUFbIOWhPkNPEpYGjCst+FFM9vp0kjM9QCJJ5hEmrHYhEV+0LMEZpw+e4hBCHCWPU6Vs/RiGGCfp/pvYFZsaqbjj8aeF1b3UvPRRQBJwpCRxF30Ij08UMn5eX3cv0385Uwo29sil5Os3Le+Ge55SbD0EpXjxAHI+V3FBAH3xOerjaz6xa6Ntb4+9gLSo379vjCLllQMJ/h0xa7gA4M/FPyKMtm1SiYXPb+CgTG7DRhGNVVWanxkFYVS10szx9qBmSUC37Bytck8fJCjl7zw2DfS2QDs2wvjLaK6SGYHbcxWtBWON4hWwxaCZjxqyi6j5rTQO/AjJK45Wrekydp5YbkgJx8EAPmecU9ZjALFklJSbvj01dg97iOORi0blBQMiS/ig4ZE57UyWVhBfBcJJEMTZz/bNcQCEDkuOpvIjGGgEyEDNnCVZQ5Gx835AZAy9OVnFpe/yduCMwErpQKLdK7mOyD+dg6eI/sN9SsQcpia0Oaeo2zJi3jnBkL13pUCeDc8viabGS2//xN/wlQIbodWJs2vgQ/279hTpHAACKap1P9TY5Q5I2QTG3sea3nyj9MDdOfJH5bgdekzo0tX8g22AO8wCNhhPFigkjJB2EZbPxBIfON6D5zXAeu+KU0DKcVTMg4A8FTSrTK3R6eSet9ifcEGMGsLawswRTrBmzOV2CDQIjrUZUFYESQDz2qeTm6wv06fwZuzl9HSjtzXaNL8ebYiOVgswzqhaK/TcY8is8fU26jZ1i+pJ0FeV0FLKHqwOPj6uEoxTw0Y0EBX0V+HKu1JzOV307xRDvwCeF9Sz/cOfo1cNT76YwzGrrTcCdUjnWJrJHBNbAMLKEiO0wmQnGRkNKLug7o0C2EHHlL8QBrKsFIMyslXoC6igdI9Y+0yHzO0DVgxMZxJ2k0TRoAVZZpI5EA1tr7kF1MAcOsbDHBu+nacRL5H6MH+KfE7bterzj6PCQlya/ZzzkwMrx14aYgIFPqd82Ujrn8AazGFSKC1Rjr6lCf6oX9fIzMzBN/3rtnXo37Wm1jnG+8UrXiYKWnc8ESFCpNla+tR5uEWaeGk550+SP0hwMCb1BfAySaecIf7yhfUXACbdDMP7MMA/1KbdehtRJGZLchjyZ4FUhjkBrcq/5HgV27dImQd6x4no+PgLrNMaUGeNUTKkldLEoZKeh0PRWSzKGOaGTFpdyVaVFbevKbPr+hsHe04S3Fo9sK9AKS1QfmnLyhNPrPMfhbrgcY9rCWB62XBomYFEYzihJGRZvroe6KblPb6IX9LNmwDZ6IQc0hbVo6krf9SUamq9oGSzK2mk8ZzL4H6VFwYr2B1scAtk7iKiJfXAN9RRyV5CjLTsoW5orXpK0YCBV0Hh7ps+RIaUTJZSQRlLCIGhRN+MlwwyyK0qesOkuWRF9EJqjVfHRrW25JVoyRRzF2hZ8d4Wj/ObyiUxN7v4ie3x77tUVAr14z0l78WR+UVKaMBvdfWlF1OCWq89X0NhThrwWAozJmcxPHT4qmCpX/aKAFBQFFZi+5QgM21PrLvjguWWFyQyq6vyKA4dLqd2bTMhuSVwueP87OsAIxykBWaAGGBfTW8EKXNfOcYcECQscqnBNPFPvVJtB6HOjYsGtae2vQ/NMeQTdCRNIUdA8fTu5Ejc49cR+CKEA3f2hFF3hGFTW8Ebj721c351cSdmrn1km4PWFih+BWy9vk706ZdJB5ZsOiPy3Wjw8qyovTqOWQ28ccgQm/nwRj0JBGeE/AlqO5c7FrdqsPfNtFdF54hInd5SyiE07qgKDLXtH6yuJkoKA+tTn9sxL6RvP3zmsMbe4IGkldGVQZIhETimZufLig9U57EVAv+d0BooiBvdddnMtlOIpz34n5GFWslprZw+YICcr1H1lNI/Q4dsdi+2CPuJxtefHzvLcrAB+QFPcsipoDnpzPURnKzPF+GL3tc7rddpchjVZuIaStyrmygFuws8NO9ZueJ/o/OocYoAlFReBsA8nvFCpHN2U1dsElv/KnFebnuh99/HZWYFY4Lei79ixV3VADZmORA5hQNewwCh9ChuYMqiOhh+xq7hVTHxSl8OsaT/3GFkrjt00kZxglp6LAUeIs2qMhotSdmcMj2W/6ork8/Rc5gUWpVxFxzodNeyBvU2gfSrwq9OpWwKXhJVapYiWVnrHbw9pXlHjsr10Cg8zf08iGI1ucyi7qT5MlFITLJaAWUguXtWUkKwpLA/x3n+LyZGn9D7o7fjAvtKqUkGNoaR5CnBXIBNgUQ24xJiQXVta9e+t3DYsLvTp0Wy9WxNhyDHTjmVOnre0OWsMZtq8UobvA8GTElzWmbGjdum6U74E4593mlrl5u2z0Jb4EUEkSdS/95GA3PPbzZ0+ewiGO8zdgIF2feoQ16kNwdnzzwTTX7jQxEkr53C+1HCW16p0BaAtf1eho9ly2P0iMr9/g36zL7oAhttRBK57uFDZSpLEizS+irqaF0RUZ+yh7nS4p8OXClNoULY3mtxbilQ7KhCIrc90dDXJfTxeS/9RHSYtoo6lCXSyPJG1LXMUcrwwRnZtF5CB8ScBrgZq+Hh1wq82QeCVx+udKq07nwJ9fDVRAEkG2vCryt6Glbk5IWhj+2tF8uGIYqkA/eVU21qQ6Y6vryRAHwEawpFplIbcW0my8vmV4Aifvo78TIIpodXYkp0xKBmBoZqYM4Nw49S7ExTFlRgAf1BFMPuTqliHieJ0d+cqixr52DY1/ykR3vBKSrIKD60LXdQfdb3X649rgSP+Zce/+X042Lw58GA9XMpgIfR2Q7BUFTiW0vrMNZoveJCl8rdCCxduzk78G3j9aN9XNQTtRmf4F9oAZPcZpAY76NXb/N9SKDYeQgrmcQr9KSA43um7eJcLRAgbZCVfHfvJx08VdThtjm1CR5wQBKfk7RJN+C6RcMy4qS0nK+bEf4twb2HPLb/dGxIRwL/yeAvnyk0MUB24kBLw/vS4UHI4fq256mzYcFiEQksv/OZ2v8J3W98MXMM0JX4ZkcY+Kud/KBUo8c9oeaGfg8U2U3YJwSj0RtOlF3oWvemvdg0Qayywz06VsxOW6Vz5HBDrEX4YNEIJLRKvdRWBRSuMLXoMrpsMRJ1fKjXSfvGuk/Nuh48bF1qfhxTol+4nyJeDXVml4wMZTAUcoPLiGvrrzWocrGXO5jaIm6QjPZjflhFfZgsfwqucQOwcfD/CUkcBrsI+htDLx4c0WlqCccKOv+BZeqX8HwFnFUFWQI9tsLGrpXfSmdeW2nBzuZghG8zKZjHoKe3TTafKB6hd2e6iaesM1MN4alK+MvtaosmxAWBlPSqGGhOhFy28fMwCMV+1VsIQ5G9X88hAiRXui7jc20fR6BgiETegXCW72Ym3fjrnTUTL6zISfUd6AKmqS7HkVuN47a0Aw7a4mBoKYPpGiJqHKao1/l2Wsg1wqtXaisxAFxzKB+Q11yfrpacsG9R2tnFx4PSijUfkiWbXBwUsPtt+XsCeLo7N7oogGW9qyubpMNs/LP8lYQDcy49sLA2wRcq3mpywBAgIfL6vE/c0a/bO7LHLh+AIRjTgyo3hjLwspiS6+/eEZQ72Qy78GAtP92BcPgibtwD4w9c8ITczVyT441HBtUXkBACubWnpreKosqYuYbS2EXEQjPPG5NBQx2fKfkQnc6TKdvCWgVqxAJbjaD8VR0DcQPTCP26QL+9p4w/c/O0wovOjVvMjsVODHfm7Dh7eCuyeAKjM/pb3EWYxcunlAx1KPcEgvhS9ycAWpdZcO7p4yzCA/Sy+T/TD2FWDyHhzwxx0999pPG0soos1+L+S+AB6tJNP7jv9yOkCfXUwASDhjnzIO60+HXY/MJChy3xiL2ennVvJ+tTmT+7S9Ew5T0J9y0IxFfDGD+by8TujJSI2zGCV1y0If06LcsIkJN6qkDDQrGTBTkEsdE4fTz6Bm/4VusfnPlc59PBwZbZsp3V1B+z/sWf0BSfOcxpH7LAivu0eZ/F+zGgPFQiXqqvYWo+DHvLVL93uXDF1lrF/tAulawChrWN/5TFc1s/7AsS0MI35rY3eT3QsjSN6pb/B5oX8LRs5wNH0UacRFKD2TV5+Gy/jBZNBaUzTawK2Q0X5GwIvAdxWZ72PSbZZJigVswp6d2qQ/5zqMOBvWl7mZ85NKwvPMTEKOjOkgoRpkUq6PDWAT0dm+o8Ny46Wt7whX+w7Ccer0Fk2bwWjCTUYtj2UktlhVX78fTjFrhTWqjY2ZCJqVkgon73L9cQ54/Ib0LyYrga1CjBfm4TwigEqnKFM3K9C/PG+74A1FsXHVW9xFoNtM5ySuil6I6Y9SXFs4mtrOdfPzx2QnU6CB26xzEFVX6pcF4wzXWNZH4J5TfYRmHsCQOPlJaxU5cvsRuBfSYNFxwPTwddDR9HgaSQPAdi44VhvhhnE80chrb1EPsW0R5N/7l492w/W/Pua3AagsgpFMuo4oGe2yphrrAy6aMtxFYkXMe1gYFN23sYdhrPZ0ZD1Cyd69QyQmdKpDZBRtBr9Mi9BmLOyX3mqkN+GVwk4UfTMyc/ZkAUBxozwuib8cxg1G6rpWyoK6kqJ5OV+dLyaeWb1MsSwi1PfG2d3eOFnD/zh5HZzZkBAYiupcdAelqu+HnYb+RvFwXrYsxmTCVhHZHwAV2Z8oGhr5hG3YaZ/vctQKt86NFOLFSGfJHxEX48MutnV57WFI2gtM3ZB+9H+NSfz+35gWyKfz3ZxTLspp0T7Q8sdo/0xskWT+RS4bU4ftQlryy0CnUlsrRppqFSCTBItZWaXSNhKwqEPtFITn8//2cH0d6hZ221QtfI6Vkep6C3uwNpY/3TMoebFt1uQpqqIPnBNcRKqTDNy+vQRvbL2ixVjJw1JwlakHlzPU1j874hYfEcYJVSGj5X7YAniOZAxbC3zmN8T7NBw8zPqaDhzLq53HYvy7USLsjei+w91iXHFX0F0yj0cqXvOUrX3+IJAPeJXe14HoZ/YijYq2kNHkw1UJOgQ2yXVLgCEeZwnSr+uZU1tsjz2UFuRE5JVUTqROxHRZV3r5Ho03qF8lLdz1uCSmeJ7MaXzfn4gBfLvh54jqRi1d2KZYSSF2Samv51CbEa9hY4a2mK7mPmFQ4Fg7Y7umrdYfnwM2aArd5ldOUZm7vXKSKgk/NIuEhgDaLzBGvTNKPQ4QJUPHpYtE/AKYlKwtCNBR2yv3J99NNt7zVSP2SvhoRHxEQmRd/6+wfbzWY8Fkc6IIDX8g4oUqVnnS1zZatKJZPsJVIed0SOY+MPQi0QuyoOvI6U97gA+ZezzizwxfvdUcWyw9kt6ClQ2wKxQKUAV6ghe2lXptvQ4By/JTcYIHa9cSMhG7nixbx0Jhd33MOyAzc7DryUMWj4DXpnYrqRjZBWOYP1lCN+VTGrslx35Xk0njcZAd0gY6tn1iJy8ZhuD5Egcyyg3ymtlGiN8CLT85k3DJWLW5cBvw98yDjn04VT052UIT+Y8uCu8dUbOXQwWg5SP0ZQB+SKeh085CikI2Tb3U1jjXyADllKvHcNCahDz/DKbBEcvi8cL2wtKA/iflXUzMco2OoVbc1yakNZG/qS/tRWAcgSDbrsyqz1Sw3nTFS+rWCjJXK8qtoKKH3VX5Ggqb5twmptAoIteIKNkHIzKb5/D0Uzce4OOJApF5SndXZKxYf/naNtHfJK/sGMsMlZR5iIb4ncF36vFjqE5NjQif0oWYXvne/8op4y6Y03LSpW8mX3mG/pPUsuhZrYa+UUrtqLV2aSVQD/M9IVJ5VvKkU2MUGY01FJggy9PZzvLzMnHh2AepNYXBOqPQQkTWIw6pFfJkaemDv/+6tUo42qXXA4l+AMpvURwKBbr2Fy+yqAve2xNAASRpLOMUKOC7pGa436CvNGzAm/KFKs+IF3I3DBt5U4zJCaQO0XR5EmUx9FzCwTLdW0gCmIsl/u3lOqOOeoPXohASFJIzY1RkKj9RXA6CzLGa5/nweJSb61y9f+kTngIFtTJbg/lMgv0eoXUkWPE6YHSQKe2SwZHk4+uiHEXEpXTCbZEh38YYwkTXmozrgLk0JSpVddy/U4xlmlxFkY9G1zf0Uh2p6I6eRaSfx55UMMSSYudByAFovNESguKezKBTWXbiqLynk+4Yoyd884ToNNgfUM8dxUPlqLB8CWtWQLYDkcObH9kRGLAJRKpYz8GsL06elsr0s6TUU0DyeC6c3IYdhIBzHB3PkDJC3ouDMmwYrxNAswGI+HfIIaIvBjcZ9zEAS/EqQWfAaQoJfsNcJJqoIShN4Hi+5zVL50Ttql9ubaN4Bd3jLkzrPwKoGBUvWmhLMOf3PLRKiq8V4nvRHX2QQOSARoLo82Qlepxz6MzbWXjH1vtDJaPPm+JrVryHYCIkamYHbQsJiQWj46vpT08wdZc6o9Tfg+y9Cr2/UUtXVVP0ymjXjQzx79c/X/UAET/j/PObetzVf8oAwQ3qSPlyWPmhTYf5aNsD8REjmM/MTg78z09hOOGnjdrec/h4q3Z6+cgkJkdbRy7fBlcKuTPHIce1zoLgfm2H4SEhQCaJkd1DlzJypccBN+v1ciokRAr7yK6VTxFp/asVq4uGKOQYMtvizc8UoQYT3uBf99xPPW0sWpK6mAcf+xWYeZZTCX4UTG7VQRZBUoAs/RX+mHlsvvG851A6CYVmcbjCFh6dlDC3jIKCU48aDdUNGmOb2fYJxxO8BqCwIXqNKwPYh3w6BYDvaP9J3t9gVfUB4ZTqijD2gWZXFFJnvIUPYtufiWA3QG1SOzIitziBDRQ68D8FMdWy5yeMHvJXalSp/n+gWpxby9B6TpnVF63/mdkYWDM8jyf15iscqsIXUk8WJXnXC/UQwqn/zMyoWo4Jn8oFDqOme5hTB3j9u6ohUh639PFqeB9HbS5MCCqL1jzF0wn/4MxWty6ny8FEOI23ZSsW0aLvMpwBL9rxA+dplsgrF+uDrPB5BWJfh8rQeug7V8JigCjki7GhK9Ve4D6wtsRxhk/s/wFKGS8HRpE+q3J9jmK30CAsXFzf7shr0Uzj+eMu3iQay0P9ACK4Ak/UbvCVzQRNGLty/zB4hWy9sskYkWXmGMNjHUommpKw+SIWo/QiJqdrFMWt6q3Ka3f+rAqBPIo+3/SqDDGu/F/K4V3LyzbUDyn7cHAuGuEy9MAGYXRdM8c7EkAF57SNphfnpLb9DV6+DZdxCTn7Biw9UxNVSHIO64a3cR9rODFw+h81D3HhT0NWp3Ilz7+aGXCNGtnN27VKHY6JyKr3CcIZiD6QpzsYwheRlPzGn/mKKlrg//vWqPFZfbXuBwLezu5OHO06PdP+IKbxgAW9Z/1itt5UDABA4Mjc82Uw+ros4JXOMZCDbJSWPpwPUD8/CNf02YhHlgCBTIs8wt2zaX6aUap7tn7UeIZrzxzqboEhtplPaC1m6OJhAkvCFQptHgMTJNnsTDnRT7wXDR8ibPCz2YqswNm//pFy1Px7xbZsJdiMd+uoLaFzi2YNvwGqrCWthSh+X3JxjRp9kX+jbVYcWGv0H0JCUdDO26eRoUQoowZQUwk+4eR9sZ45EMwRRcdwR9xDDgKwQmmPXYoARUBkz9JcB41XXJ25UhE/Gv0OvYk8VRURRHKTmpVni9YJL7i2mOAmhZygQnxURKHHaDhnofSoDtvL4pGZQ5ienO1wrG6iociEThN/diqRxPvpBwsCUOgdZiN8gtek6962TaVDQDKYPFotKInshVvqJj1jWoa61ZanTd3K3BawyXFfAeo3HpLyRnBHN3PMaL2rKmdh8IXpuOol2080rdSHDGlLT21kHYeLkSV9mXzPZJ6ToksSYxN9gzy7bG+Hm7lLRDGwVXPJAkRFXj4C73nGOYhElRgXAOoxnV6Klig5blhyUSD6OhXVspBSoths1HvZRCxGI1wgili7vS08oWVtDxjH0QBATI12z7X5kfP6epGEq5TAkacYG67/WRPugom7YkzDqxRcMFkm5hKafAAb0G/lwbSTnJw38+1B+jnv/xRnnWCXaIuTi9RPU4uv85nWZvb9T8QqdGNSR1syxLSNqAdxcoDcDwNgesea4bc3t/QFvlCA7aZIVlrohLbTQHDSxXBxFe/H6cGQjnnOVlAa5TQ2Gi0r9BZ0R+ebOppCEUnDsilwMGB8X2udf1HkTvU2V2VKOTV9L2XVU1ANIEatFD8XMt9ntUvDxkdkh7Vqc1ZmZmWF6NryKCWSHUVzzJWOokrRINuoAXgRatACgSZrHtBiU9RNwK+I3LuGTTCsAjXClSbuiWTq56+MIjT98WgFxdEiDEKQj2AJIpCIKGEBqsABk/EQGOxukyKVI+yuzFZRt3eXWu8EX6bvDMbqI59iKuQ==,iv:1CkwzTzqyQdoKtduf4f+qSpvt7PAnJGHltU3KzBq9I4=,tag:8WilqHdjUHd6LXXarrtEeg==,type:str]",
+						"data_json": "ENC[AES256_GCM,data:pMUr5bQlWaUw0AvS+YpfgySk2+AjG0zHz395s2PhAr7Rh4JMIaSKKKJ5h0rBElbRTQDJJxNQujRTbF9J2UP0y+Z0ZtVHQKGB5RJHpQztvC1pmuzE96cX3ygFIq27Md25axEHEcHNub4RXqRDB3NS1Eq+ZZxb/nBkxJOzhLmmA7aNxPwrT3DoOLMNodZHvH9u0P/IMJua0ZmJm8zalSOFQtQsMrVQPOahRkjkDIXpEI+MkLp24qgCFSdwXbxUct5mchEeyZPulwhGg8fQh4s7gNox5q1LDOUnN/36xQFgfQ4gr6hZMbrfbDing9PomibMG7vJt+ye4J+qcKnK4XdOXq/Hep/dIAep7QKsgIJr2DOgeEwAi9szj16OZDZ1x3T+GgyiPjLi/6VnPIzp4/7iqn628wOONTU5iBQ8fMHh752JPcgCdxceM43XRs3z8jix7VvXRSCxT9Ml8amoy9WpE7hIE6/heCyMIEo8nvToRmss4aUbPkdpavi1vIMZnUKq40f9SxZYWl2p821v70ueoqWU5VYPZBfWPCzcfm09mawGxvtC5MHi0Zumcrb47D3W4ChasNAeVOT8LmIefz27B0QstKuX6si3yT25uZvDa9bRrpDL8Gweoq4xQv+srUY1UwZWlXpA2QDVvC8beESJgD6jeSYC+QmWnQHoBkQCVqarXfQDq+ZHOiDPsaghsdOTckzSKRGPPl89ZSs/9Pf0G0tG+kLIpWvRB34cjypf8h3VATTOQxfuznrrJOcGIwV87RFiluGO1aNbJGilKAGfa2inseHs7EFWWXDM4d0OfKJkn8UQi9HFUq/uPOG+rQ/yyh4TNqQmjAfMFvpSXeFcsWFWN9hyaiG4Wda7O8iPBzHyKlSYotTBUgxNvZ1GHt3u+gUQTy+EDlmqpRdowQhzRPAhxPH5ITbz5ciYKhEAykERt5ae/20c4p237PKAGfIFsq2M/OrdWsIR6Hm79HcQwSr0KIBxIsIt/K3XWUDw3PMYxLWJO1ZFvX6p65u/12/gVYY4BHpr97k15Rfc4hqIAMIqj/IORFnaFWs0ZTH291hBD7IM/Cq3ua9+RwTWrsZJvqs0O4gy6NlIyaVwebgLK5vDa6jdhGP2w9Rcb5AmxJueRq33kSXleWblGjXeUbGHwKl3m53GzaiB2rFGmaIlFkUq9rfeqnHlgg+DcTVjQ72AClPyTma4lPFjIjPZALj9qW4AoinK4nbiGNWNKv3UTO4TRzCzKE6L/rgd+SuQ2GFpnvYRJz9jDl4HNo1vKT/+ws5DK76jL1LDL41OLei5VkDgrwKF1pmEF1mIpAlol8ZVrO9CiaeBMCGOG7E6lPWARgn9J0C7bKiNhq98A+uLdVzfu+hN2sdZzRAdrN5kbhzAlaQZnp6XX3J599SoEA8TPEDvBafi7dJroU8nmj5MdvtkfVj7qikFDC2MWb2lqUGNFA67WxxHzDW8SLMDYmEBpAhpRYamrqK5kuUczLf4J2z/23hx1yC/cJwFA4KSKmMIXNsGnXEkWYBmAoVHqTwg/kmx0YQDY6Cx0DZ0CFgInOAD0/Mz8C9039wjCVfybJmpzlU3QVhMYDilNlMfxLJTj3HSAP1Sn2nT+NzI7l+8hgGwCg3FdMzV0b5atNfNA9fonboL8NJPdg1piW3QIs8k9jx0no+8ww6SLq1LecgncL4q/7EBMI8/dpPSs48goQr5uZUrpmZxtCLAeD2kOI4+fVGbbw8IVLX3V4ZZPfLsBkzcQBLge98U36BUhr21HD4NcZH3pN/L5wVuXpsAISqGUXOOCv42BICDq8tlIp6QdNqfI+qsi06MODv9YDi1FNJv2Eb+y3TVIv9j1UrA4h5khaBvSaBuz+or5FXyTFxSyrDZjwF01k092gOlnNpXyFpN7EeJ/8WzFPxd6T7Q/idJyNVKI4javiidUVY42E9upVhMEtSqTcPM/D+cIyGbaWnlglUa6p63KV1qiv5AcDS94temMD1K2vzenqmeVwFU4x8hXl1q+N7wLWdXoWadF7JFtVIRECuJq6K5i3DykBxdc5GaC+6fWOb3ANBWcG4xZNLTI19jFCQVRpI4UIMbEge1oahhztuGa6KYEABt6xGFSgiH0mUzLLuOTegbDGWjy1X6zIGD8dzaAUgAY2eXD0mtQ445MHIEll80aEbJYP40eurzJGQAcrWKBBy7XFN9blb8E/LIPQbvodQt+b055N6X/yBHJsRNGWxpL0iT4zfkCUay7V1pxYDeCSXigRS/MdWU4jkwsCQ2An128nioGwjkakdOFSeFw6NPkZ3FyvFXRbyutC7NXyDyL3baA9QLNcNqRMBXcDRWFTN3tBqdVmA5hTlMq/NPWcttMLnRR71tgpLr0SEzTzBbF+f22qtJgt9ovhmFruNge+fT2uHO4TF+JDft+FQjqaXwz6D70D47OpxTrOjgFZDCLRM8PBEX5mVIFTTdq6aaxxPaNvPoeEraBb8yJ4K5Z6WqLeHiiHpKbVMR3lweUoJlLd7RXWDLrOs/LL5uGrJGQCxSeyfSVlDFvy0PrvGqV2yEZCBAghgoW5pfvnmimG4l59YHmyIEjuIMUhPTOgneJifBKoFX8r/uPOKpOuSQHJ/ZFPeROrRUUi/GKyBQvkoHIfNSE65+PKxZm4ESSwTT+Ukp0mlVBJcqEnoLxM+YFbjrRgJfteL4reWNPA1MDhjrpxU3m4z2vxbLFY6p05ngUWEBTKMbUh6snuKKYaAfUIrkRqXbuKtpZZky9QmOhXRBfpjpyVIER1AajtcpLSxObg6mvuL7i5Iyq4yYSPAy7g+y3braSYfZTnwdkPxk/vS0lFXfuT31CtWa+pnRXpzUNfnibzYMG18iDSzmQy1+AMwprGpIp9PkYcUJJ4QaocOKuUmLFsUArnsP9Nyyu7dyPumpHal5HZd8Z9UuMS/84Pp9p00lNeAc6amv4g6QlbdDchAzXysiAP0juz7X8DX8XNr4OwkyUpAnwjonn390wArgOU11a9WUJs8SgF6+MQym425oI1Wn/gPShWOxb0GUu7dyIQ6MwfIie+9ALBtjkApTSmpExyEBhxGx4pj6B/t4Er5f+vbjDtxnrMhs9rwVBXJFZInuKy0bvciQ2t1Q1SwC3WJ5j8+P8LyEFU5BzDRnsNUrmjxdYDlOaFQRuWwnxhMs5LnupiJ5MRYiER1rEE6fV26EOdKadUs+qRMo7gcKsIjVHnpeyp6e56p09+WrPGpNQJGj5ksbf/mCjOa7B9Zt4ES+wZnxst5P3oXw3mIbXxMIcH/pnjhxY7PPmVadyJvESv//1t9Zpx9Pk70uBP5cPfiioAIi3uDo46l9Ex1paQwJNTb//fO8K5CqQUDTVe0aYSRV+S8zWLHFXZI1Wbn/eA/aISc8HCDLksQFu0CMFvY6LEG0wjLVioQ2kSlCYM+NIDgc8bgFUFuDFJSTatkBEaVYqsgGw/XlmSOPlE2tKvJGf2yaUYr7hVdp4E7Ttiw02+//vCPN2p+O/mDsbayZ7+pPg3M3UAaRXNL5LPx+X8rcjbvL3uNudGhsjF/YibmJXkn2adOnSutJUANv2PiVFcbeSW0BIuhgO4EiC/aIZFMITPqbJfFQZ4+2fq+PrfDybM91zN5l2slRcUQGHi9ahqOHHCccc+5vSf1QIY+n3qLC1j2+uTEXX+zACvtXWBG2JUSoLGGY+DIvrBgAyP4WSZTRKnoVumJuSDpDTyaW0ZSCkAd770ZzjUPC7UB3GgbGRSVM5UuAUlfW0JHQnM/NGxbSMfFfhuDfBGFGjC2ihBJtWFMS08fJts2y2kfhqiiT0Jrbx7HttoX+nVVudZTuYpRuCfdO1rc/QxGSu+xpO07ZYAjdmkiqTQTMDgGeYEu/zradO3Y1Gb0vjo/g9sao9HZINTqMUJIK0HLrVJIoYFhgSC5HkhTrrEgPWDP2VOXARKFPXm//CYiBskG0mgcMLHlEOSct1HuhFH2GpfdTuFM0XzF6cMUWw2ruenhdufhfGYFIUF54sm5MSSi1sDG1dGETPL4Vdj0RTniQjiipyypDeoNb8lt/GlPxNiyH4inpAANBf1qmNfrE3BZ19y6niEzHNXC9/fU/xOxhALT5TBRCxNs9RPPqnhPbR+d2GUNSLc5w5CKPPcQmd6ZuDs9YjcJlokIjcHmQ84K2Ctj1A1VYblStlLFFUksmnkoVgSBEB2+LOf3klb4CHAzoWXgD3ju1qC5Bf/SFhxiZgmk0DK99XJDrPSU9ttL6CZfA64L3yz6Wkmt8XszrbMDZSpyevmDa/EjkGjrsxyew7L23tvqaeDlz6veZIOQxfK/I5fMz4aHnIWxDa9SQYxUqjnl6YbvRu02/GEnu5yTkcqDL37vvmGKXZfQW7t3oxhNfvuvwcVYx0IVTZpb5jXosR9PGmNJXupDS08PmtEcn5ZR3WuRGviVswGXo58ReKIxv5SErcJk2bahjbKEacgBTRfLEongStl+RNVeo4c+gteYN2DfaBTHLkrxLOkZbuFvuBJfSMY+KWfeqtbxni15bbtM3Ups5Nuh4FhCpdcOeP3qi7vZa1NCy/SuXdIa6UcpZvkEqR+xjUcYKNjEh7cYMD96YsX2QWurep7z+fmSfWsXnlcpVqr5SyQ5UwYZVBjKcFDcqq4j58E6yWniGVIQVvDD+jdVpTBle3JXdi0s1TfpSLMPAvm46V6tT64IdieC6+cYb5i0XF5DrFKFxBjYDhJeKl2OwsnKDHH0iDsYj3al4+6DTpTVIamv9bF0P+gpFEJ5LDyAEuN1L3rujzxiPVtYOc508s7/aofyaS3/2pk/4AEgL6y+cmxyTZOedyTjQ7aKz9PjNyKlddxyjRCAH1oI06zSy/XwLMeFrvPMPsof6hPl2CiJe6ZI0ksCiLBqt+3m5QbVo3aehx8D+ANF9/fjazaByKRhQpkWbDuKNt0HUxAZ8MInpBmCvRKnEg01skH/bMNvSFEFSnR2EcDXQRGNCJ3xOMCe0ErIFHdGYNpejlzcC+Z7jvNT7fKJU1TsI2YnHXmufV7k3bHgNIQ7/ggxbp33II/chHUjRJgTeccQ5xDa29Y9n/ym6Gf8IB+K/YHflimX7bRRvf/NdkpsJoGdfWUPpBU4hyhDzdPF3x8Yh+19PiocoQHSbu+PFqcGUpTQURqXyDWZYhyBs8BAPKWcpHNo5+/IJBjWl0W4y2x2KUZMV6UgNcclcEccrwLBzDplEfNp5BhYkiv2duzsXKz5vOY7IlcxJU0wMxJyDQmuk1baU5aKrxfgOVOXtqdikqrIOCTSJlasAjw+ujzOjTFIo0zsI1FoziQ+XWbWj/oUYIkgCDh+R9CpDyDXdZbtzJYz9rV/VdPEslj7SGTYDop5NP1xoXjU8+dpRewkEhQ9xH243aEfvSCrzncPiNG/vmu3+hDdHb1yUATPl+rJ+pKePUuGlYhZi0P/+Ok2OenSouwMKJywPw9fjJ5+Dw05jLQD7duX9lCfr1DxoSq4q7vEEIkuIC8qODl517TEqRHDgqTVItuH0LfEqs9k2nXq69TUnpzrKQLQJ/rklfxl3DeR87jB/PkCvxzlmBl8/RHRrP9kTaOdIFe+MmgZbKhQ03sB1xUbLDtDIxyQtPE/L5K1WnGbkA90Hv4uyR6j12BdXrEYbAMgiQC9GQ2bIE9V7XTLaPoMHGiyVpbFSAnSKK3xV+jq4GY71rBQbE2tS2RbDpDhC2MxOT4pvZMQ7oM59ZURPvOPpEkfay9pNBJZa6+gw0BHMNJcqXK7V6d1rJAMdypQYXWEtLbJbTVY90KHmFdm0iWuyICYzNHMJpausj6v6q+YjQuqbTVTrTqIfB8z5VVsxgx7NW8LhAVw85HGmAeGqyxKwYhJaca/ulPJcZ5wRUV6IKJ4YFInmBzdINYOQ1uQHLvfOtEFEySAWkuYFYsMTnN5up72yHjrLcHzhA8+If2yYJSVJY+PM62VVyldtiW7j0nmyK/F5PB5RtJWHR4K+wNhw5dOyVbbg07Jv3ek8RS/9MZSXZjZO8Q/jsPat6xEAroBJhnAZ5jwuabkHCkuCOtpBHt1HAmIInnZadT/hVZw2hEo13lPh47srRJ+zioWOUF6hy8fp3jCo3AlzbXj7Vwq/+EHxJijg6iOI9zDuROGB8pOT50bNVVZwGJG9OyemUIsO3RvvOOO/K740dHAYFld8/dG/nRzeZkHasJX8p8XlbYOt7VZ2OtRRYqvekxoFvuNez/D0pcvtXL2WBGB17h4DqhWVn/LnN+yblZhE9eStd7uyV9fs/fXB4UXENj1HlrjUtL1nbjHtX4cYVoUQl0PRHR1J6caTUSpBE1JXJxXTQHWDZjD0m9Zvou1wJIDmpYERYcGS9PsB0CUH6BZO50bvGm1eeKU3yG87hmP1ja1iD6BnLeNHZIe8RveWk/sFziAJFpMVRCPr3CbicHY1ZnYxFcT64H+tCQjjmG2rxe5xLFmSEju9+ruKK+mTlbOP1dFkS3okw5K75hq3uSMKswr91j7eQndp08SG+MNqCJZeHNx7bnvHrOIuPgX/l6lf/gzNGQLD6qEXCvFn2NjW8KGDGdzUJWZ2AlORutXpq8mNXpl69wGuulMMDJkCBHylCriL6fRQgZycXMGspffAQ6Lf2YKfWfWodLUQMSG3ZE+3nr0hpBZFYPVpdfILfjnxuIfrkpa7i8fGsPTtS26kJIY/BS1Op2xib4rKjJ1w+YlBp9Y4RGxRnyja+4YV+WotdX76HXjm39qwyHu45RbwQhesTPp31aslPoE2OqgcmkFKVJbdT/2uKdloa1xxbDppXhijd8lgGQhAYnPljHfflyWcVK1QJp5g7NRaIOKPm8OOrvbWIb/r3p3Jf9GtriWc8RY++4y3dPFM5uXnTlH4z8xTxRelq53BEZ7DXh98i1AytEAqQ9kyfxzhOOZ8HRNTTVXKbyMcwda6QyxtCQ9UJzhMfQEuaCEaOSArP7ItiuVBWGVDDcbvTPN1z8KW/qmI+AoGua716crZ0F/cekPFvAoFf7HVdawAxgLeRLEUk2xrERnh86UAAJrafdy+XD9WxeQHDYj+fOsux7hFUa3QcCTNPUrDjEQM0XiUsRwckI3gh25/dTWymb/+SHmGt3WdBBuaM8LEzZk2X8JMTl42aodYd5TXOH/oLKgGkSq8+to25kgWuQduA4mIipWn7LJZsR4WttoktsFhnn12LTZN+yUu01RTf/E5N3BxbX+9I15w/Fz0LeGgq6EpltejY7DxN/E+jimNJgot0uLTJA4ha+xEx+0egogyfgNdsvEvoj2Hzllufk9c+agCiMu1M7lKKVnXr9WIISzCZYFfwFf/tNWCQFOhtxBOFGlXIe7jLPTfi+3O7WS9RLE/yKI7tRpK/3AK8aqou9l2G9ockqTOvfBUGnaIykd+/Vy+0e6jvfXxGe8XAZQChnGKXr7WJBxxufpgGMbJhpAWPYIfkwHbTt5N6hLA49WF1pFgREalc0cecP0tZO/yopaX7ErYZ5D6mtej+izg0cjxIB9dXFoWyaqDqNWDKokSVSuqZJFakcWRKukjBVUNGen6tb/qUiTCIsVBxoYO7dVAH493B0jHX2W9sIvF0UXfECFnEtq0rhYgqFTzJEf7I9472ANcQiGrJa1+DQ4jvRITtltojuwA48bOmyVsjs6U1jUP3j3aLL49zCbjUgk+We7sIwNoWReEAbIJmpcWOejgOLStJYSLT/FevNqwMI4TKC/vRAVVIsJBCbVs8IqjMNmGStFmhezN/bIUOCVuEU2uJJdMe0HNZixasKuBDZ/Yx50JwB4twSd1rGLdWlCX1+Ld03bf8WL/nIfrDmuvBScCW7b0acz+v6AsuwlvSCpK8xyL/+5L/7SEOXXcw+EyDsRwMzYKFq+Mykxd5aqmwfs0RDkuyahihb47AvobuMVXz202pSO35bJ5WjqQTyUrxltWjpnhVUpGufaHGOn59B4GRNwvSjNSnf+clH07luX2l8kgbVM2BZuv3PPioWMbxZm3W0uP9L01TAAZH4mdw1XemUPiUwisVoHzO6fUWZCgSPhG1BUo+YTauCBhKuhLzrXqiyGK9YVD70/JTT2CbpPpR5lHE0wEmVceHms+Ki60M4h+OOHjyQsdQmAnFbtdyQu7XNoYVfvaXZwUiukzR3bBnKb52QAAwli8FloyLGhO8+sUzh6wSZqwaQkusCTt+Ntt6u2jycClQ3Hl7OblR55YeGKma7yF73tB2WrI8T+DY8ENwUiqsHQT0Vd+wOLYXDk7KcOUrio1vzqMNKSNpa7pzncqTMcUwHRaAwoIYUjOupb+yGbv76hZlO4jmo0247TZ/xY44VZC+1ZChvBdh0KFlKmksFCB2VhjJEOEhu0E4tcQGyMfEBto2WnpRGj/RhgT44EtqwA3hgXS1Mcfg+ixRH/4Fb8RqyRUrrzvUjxXOQHz1hBo7uEx0eI4pwTYKvFH8yclaCcO/eLcJKbM7U956Mg/YY4uhnNIQkvoYBgzbw8yrbQJcKwtwiFeGBSvgWQ2Pcpg06rg3q53eqWun3djiMKdY3QH5ecRF5Azx9/fNhj+EUDCp53Pbyj+y8N5n0c8G3x+O8/+lkwZaivhK9ve/gURO/a2P2KcZ2SauJE0tE0Y0OZpdWa31QveQHh/6N7phcYu2nMC7SSstBje91SkTO8EUE4jv8aZt/6a6CnP8tjPzTvSACfFOL3djfAdNIdUfHxqJsBr0Lv0crS8vFa6lCzXS3n7hYuXDZ6OhqOaGEl623ugmkexTZjNBOivQvQiCtuRyunARSKMcpQH+WRuwFrXLde8i5to+OQylqNwk/ZwmrfXa384AJNKtzmX52ucDMbO+mrk9JSwHMTdr4treELixfTRhrz2PlZiz+f0EFq+Bfs4rc8jrg7+BkOmSkr2KH6QGYpY7KU8dijLatKuirQiF395kNvLwxArGrtjuMzmcABEG0EK8Vz9TeMsAjSndtaGEjCBfopKGyImv5yzSPpVOeAptNtKDU8N3t4VCrk2WiljzfJKkc0xtrlSeLZW9LbaM3KPrn2h699Cnf2Rvd4NuycNKquB0tUTk5wdzIl9PEuuzcQDixV1hE5w7j9UTi5iQ8dFnrfVWWjoLrGd1/iazHdcfOsDPpkuiITxurtsty+vjMKp9PlcDxYlyxdYtMWNkeTe+RoY3P0jwOsmytDtM0bQIrBO6DG8liTcB4i7qc9wcCFWC+Fz0cst0wx3X8PcbVRpOjY3KtNl8y5YfqWrB5t/Q8e8d6NGANxnNOWq3eOUYI+d21kgoLp9teLErfXHMEcwIaWone98yf1sLHAC7hti6lqsgQpFkTwG9aWA+gTrjlCHOp92UcU6e1X8HyOcR5WTyhH1he8UxEhzbmvo9I6AE2qRdvaS7j4ahxQ36AMBGTZ0ScpRQbL6oTrdAZx1Ufu8ToWyrz2e/91x9M5hy+I6pspao+kzJr8Li7i/oG+J+tx8jPkbxDvlOwi7affEmpvjH3Sb7JSgXJbF6APw3EYUR9XbtalVdttrpoIoqdQNDDq4jnPjtImP0FaFdvDfQdH+zjnZMQ/4XPaV/8v7Yv12XI3E0/EBHJ0s7Q3r2pEtLEyXf5l7sqxAeOCpE8bHSu4UBRkVlqEo9H93T1yTU8FbPxlNTYzOBYUcnYTJNC7r4yhoGrTSUTaLTWNiMFahS8zKtb27h1iBpt0Grnou/Ky7UNmWnV65AlXnBeKlWJNQLdPL190yzfCVhgpcbTuvUYSlOwIcVerVgfJi8oq/U2o74ccyoPtDcyPz/nyff/+lR0Oqw+U89nHjE2VCzJiaerW0L5//ioH35JyU5J8wAF9R0fydyMngn2h7V806VAHb57T5tcCsKbPADB3GynbiBLaU7E4G3z9bVkEoQ4hr20F45tefWfJccSEHCC4sPa6JIek7fUuvleGynyyXghh1lCgDyvTN1dacM6SnWpcVDo571MKCVeAnX8H1u76PpQ7tRLX+MhN0vd4CTRdzL/5wqevzzp0mbWwhkOcmDqhSu5OEPz/bI5YkWyzowETOJd2KAIOO+sFXkShkXsyipCx6rprfwiAhmWNBSlGBGMh+rr37u++lZBh34XtanBLHeJJFwf7IfR0JPPZ8UV4nApZjahlxbMEbzy276Qi8JLuSnlU6aKjlHhQubZJeh/Q1hsDOynvdFKfAoGYGYi4+EvBe2iUc5YOuO+f2WTFf5PqesHc0AdVnposQTwuXMBAZogjTVkl+8s92bUyoJtDs/5twyVtXqxtpmN70a5NbexLr0RDeBI6eQvDYvvhaLJi7vZ2E8z7HiMHnINo8SPSC8tOUGgUhncoA4H8Kh1iXHsg0itznlpUlyQV+8IrPwfx80LTC6O8w9kbr3fwgZ7ZAZTfoFa/gjwZqA1VBt6wMqCLLnZx2C9aZASAYMsHHk7EOgEcUpzwGuX98Bu7/eJnL2IIbsVHL47La2t566RKkIc7F2XZVbk/hk69qbHawXtGkzOAZSVfEaRCEPRcg5W6x8zGPTgCPAiOlfmJm1mv1bSPCxGSMkKrk5SkueMAZwghKQjh1os+WPOnhYrpz1dOGitFHI9ObBApiCHkkcfWQ2jeg3sdrF4vbmUFaScGNL5rihUblW3XaR7ofWYGSvigVvtlwqr4bESysniD1Rn6xhN8ocGI+4aaz01DnxoISRtTS1+XapdJp/Ryan+CcCT0C3bFwD2N53A4Fp3zlqK8u9gH4FIos4ulHB87r3uPTgZuYguNIlUtm97xUMe+DxOFfxrHZBAMwb5UCkjvCdR/GR4viZfQULYnZu1adL2lwQgp6cHKrQPP5KfMYKhLwRO1B+mA9lRpXytH34CdC+UQlMvIo2xy6HCrt188LPweL3pFh5RKmjMP23UM18RPBZ35F0IE4nOf9vd0eflTHIhyZkuCxQIMTR0MEZLBsxNP85f+knms3w2EaW2OV0h8+iNiOTBxxgmrufS+1KELyYVC3+cRhnoickBDpmOwStf1Btl7WpZXT5lxyO62VTPz3Ch15L4VSiYIDE34tBz4xT9puD7bPDRm2zTwmwI3JEkNrkUoaxpP5BwcEksBwKaeQQURG4/7cdWXnoRPAyK+ujyCNtsf8kQ+/IMZilx9OF7pDhMWabDrBVpXScZQJ30EnMSZ2uXBrui72+yiJQL0J7JaC809SWhaPHp1U54ijXhg0VMGb9F5niPIonrkhQn8u0t+gLhDwd/ZOtHs8DbhLYMq4jYMGnWLa85Dl9QZQuE7LIgTm8TmojU0ew1EiUgA1ByS0SH4tOtgnLoqkZdDENXyyzJZPsZnomgPiVDfcNBoRMnv5Qg2AeBojVf5zwjX/QuTK2PqWwEPJbKwahjnZQrr0fvzpVKsgEJ00fStcoR6FHmLzFf1Ew8XwCAMFSL5A+woeON0LA/FaImjH5M8QZspIRMq2Xzkc3vBrHu07Ny/Oe0ywX5Pw+3P851iQ2Jobq2zKtbwLTGKgpTOiiOcw0GgUkjAxo9/CC1TjwUqFaObmqWTjIqs93Snorc9VS6Cv6qtwYJdKKfVVpTSmSgIc0woOHXc0wK3lcd6Vrwk2eQ+33+OFhOEuphqmN1wvagL5gSKZB2csDod6a0XuAhriCj4d3e8nzVpjz7zFeKiEti8efLrBaAT5NwiohunfRJTUf06X876VkSfFSYMbsqJWo0R2hGQUi8zaUy2AcHkTENhy6yvnBj69xoiKcYywxsAl28bvhLMCNbW1SCJoCHtuL19gP8aX5E2ndKiFzJZD0r/y03CQCKc6yPJZSDO2O5lUZHUzDaG3qIsIwioLJNrtmdPRDTRw7BMKUr6mMWIsiC2/uKL+DUKaBwzm87gsgHFkviGbb/qi/9+oS2zu1q4KN46l8zwOiwDey9H37RM/q17UZXpsGxXwhaNzTQRj0tRIdG0yIWrEwUCHKVQk9nSz9CotdDAwSipGPUxsIeoSzxB74b9MVU1ZkBOFY0nBiOYYe+eCqnJxIFitX/6uXaBgIhRELbYSFHARW3GCKHc6wf3Cno/lkkbN6eIH5clLAIfJeokNgypzjrLSvG41ZF9R12p58Eh9Nkk8ynAozAgYQY20q/bxGx+ZuTyBz5pqpB8LH6PLHixqlc+95lgBpB2AMaqsniQiXS0WvDUdt+kHsNm9qOMPRDL9VqjwK1tTrdDtSabnovdm6dd6I7tiuxo/ND80pNzzRzU7cvH3uTLSK7btzpCu9oE3c7f0QEPciK9snoFld/UrZdaaH/A4E6Wh7nOs0l3dwKFUmL1fPoOl4sPR3OhA/CSjinM+5NVqpBjr28fT0J+58KYtZExN/YdV0Q9q3OjwY7JlH3vIdJ438/XNkIPk2o5R2Wc1F4Ux6RsF1KRPiDcghZBsMtAEf8TI8BGenZMliYjtCau2I+Yw54XB2dFCzQ+ln6Z7cQa9KZBK6qpr6NTxcFQb82ShVVildgy8THtZ/1iYHpFAQOdNHgNbfXJJ5mgXyvylMi1VrxBEQ3P5NHQ8VFW+vfTlLsiI4J4DI5FsrC4F+WjJxVjA4Qz0ZymgYZpMbXFKkehqB1KAJGJDmKqsgvHWptRW+hcQsmEZSKEtSeeClWDlF2aGX6D9tMoeha8jdjd6et76aHBQPRTY5SFUWiT7JR0THUxUzjMv51p5IxY9HaEgItPtlAZyBU7N1TURl5j5Kxe420gNSl4L9ALPb1SQOk+cmKBmpV+zszBR3afiaCExfd7vjJ7MbVFVfJPQu4DVGtEVqlO59xzqssv9+oetRb1S7R0dv63BqJvMgkwUNKOT8QEb6193tww844aVT1esF824GLWvvaukaIS8sfnfmdiOTwM5QASzr00ZrR5pGPV2Ub3nLYbs+KwODr/xlcG8v9XC7szN/BWSE9yeI5MLFuiGFVw038dQY/YXddxVmIvI740E2RoT/TjNh1Md60N9+catC3EwVTT04XRLKsDunnfHCiWUXhSGlJu97Xeys8gCYxO1PJdwIHYqijmgipljXckTYfpbSSn38d8Bj+NhDBFcutLsOHcDyxxB2tvOoNFZH4RP4DlifE4iibxsNVIoluV/ToAYCepWRghlKZLgvPkRR+KbJNFNp3GFsr7Z4tBrsrdYYSBJ8fj0jGtKH/uvBybbGwwMoWE17HqHsOd/txjqcyuJ2I300aUPYZd9OgWj9q901iVw8FNKtAceUCPyLqp/keNsfY+2grZ7rpjDb0ipzcF0h511yWfc2Ik9RDWpTEd587cKvnsIldoBlP6u9pE74q3pFEj21IqRYdPkBAieX5V0DFwvf0wWhq2a/ozIhPdrvy5kvIY5PZWaR8tHlyvdtTtnwSS2u9jhQNeemgH8Kw1aZMUVHDLciyjGjUfG//+EPyrPLiYggtb6a5a0B6J9a/v4M8HW5+MKRRQSK5YftIjUFCnCadQJ4VkM0g4IBX4z7zYFd/XIAM4ZedR/w6HyOzs6odxgFpNfo8Eh93sK8xhURnwRpocjXc33tAGSN/FfE5rkILtQIXsf0c8oUT8CdQ+BNmXa4+XWzz0UssgnMi39M4tuu6dTRZRCTH+InnvDrVHOSozF/ijTGNLGVu3yT1DPu0+O+r9xhsyK2hpw9yYCovXtOpvXwYGwhk0pyL314lMboD/q3KUz9ndu3YXe1I9iVPJyQGMQmvWgi0YwvVbqEy3cUSQPIYNBpsN7dhW9muzWtmAwvZTgaW0cST8cPfMp41mgHWyI7v44EsKoJyOkM9g6cn8eQrES9Yx/9wlOhMuzmTkSzHdJ1w2RGvwLpZdtYTQaUqzOlJOqHJYuCS1NeCow+FPobrEcPaeWq47fwFilaF00aB1MuDZ7kKoh1anwE1F8vgHC7Hf/ewKeVzx+Yvlv/RTkaq3q4sC30MXMcxArFH8QXgZczneL+JvjEaCyRyWqAIu9Zko8UnbOoiVoEs0ltIrbED/fsGXs4HLg0u61syEcGtl6/Dnx6EcPF3UitJcdTxG+N55nSEsd7Vlhq71XpyRyGh3ou/IuRBOCMJOijQVnIZLbOX4L2Tr0Xtej5bj0kzfm+3k3jnof0d3Y1Co5yEFVn9ubEu8wxplaHfBj5Ra2iShLohLek3lbAwyRoYP9OVdgbMmXz296ZmuMD7uJnzW61Djjd+ONhYSQmytsPhyP0iyEobl33xI82TgFPtP0veMiwL5yZA6E9nkKYj5B2377+Go55zZsTPWGEQvVK4FWf9OR6MZ4fI16RcoSqeZVKUoybHdNCauBT0JsHjeIW59xz58X7+1g157qG0jMwOvRiVT51OvyRNkc4VX0whaXwXMJPhCDFdptbcIWmw77C+GZxAspFmAY9Eq/k3MsPP4SxaE72mWOvyKnJV+fm0lNstl+x2Q+uW7NtiGqUiL+PsAxfN5ETeZLavNGgvKyiZYaZoQDMbvx1gRwgNRL8tLM540ec18+5EV9WW0doyF8h8lzaKhLdhSK5h7IMeqiep4m9ZJlzDlnoGAYEXvCUXPo/K/840qgYDPO9oYp51Q4xS3NtwCpa56ZEcWzVWUCIC+K8G5PkrMtI2af5UV8czFLedvOoRqmCiHon+42M3FiCZMs9HNh95bzdApvsKsaBbDoMBcTNc/4VdquczFxLK06LAb2GsmkohkVAJ6msg0IoU18ok3/5J97Jeb+3/tf2v1O8hHhoiDGAjbDosNX6FdX2jfPq8evxmEOnSISmhfkynODrguOD3yW2sJw5DJx0SQHZqh7p4IL+G4wQAX1YeGYzi8zzlPQshiefOu/4L0StXflq11nDRZSmOhetL2b58jh3NQqydCYK8dJGK81WGJ4DJt5YPfQZVr5MzT6NESyyXjL2IfSzum6J6yqkIo94/kgkZuVefDpSHLBPQC9xw7xo8taJTDk39rlEv1GpGG4PxNrij8gEP7OuEak+GsXlD7llIM0lyTA8auZzmBzQ6pPRxYd0yQp5Yt4p9Nto+dxWH7gowRAPTAlad38AEu2hjgHgEhldG01CBxIhmIA8gs1YSsxFgvA6PS/DOxKT+tzCuqcueIlZAkwEzv610R5ibHo3TdVfUEFUWTg7qKOayhTUAlcftq62dwvhDp0CWKzhkAt6mVDM5NrEaJScBRWNRRCQ4mR2uiZ1dchGCMdZieafmmTDGel0n4YlwsuhGzwh1Bn4o54oVrTeHbBOTIhIv06Vpdkel/dSn3Rf4PsFfibE9uvld1IUdatkQt4dNitAnsL6h+X/HKXenQYpd5yvEO9egzTxy1pKkS1wsHuyE8r5vfHXXqkVBX25Siu0+Xh16QtaAxYyWJcAfeskwBoTEWr6NraPIRt1pysL5ooaS457PudVxQTgg9ZC07VKhnhHSMeTUBf9aKnUZA6AyA6cwD6kuN0W3yza6yS82Tbg/uffOhOosT8HMseGdAbfij8SA3S3uEc5IN6A8SNURx5yzdNy1JR6PxHvlgCauDpA69tFScLaVdN6jhQOxpikJ4JeuwmlqpXhAmDwn4UMgs6R93YQdLCWNAI8IukyCeR3J+Fga2ma7BZxhtGBzBjpyoPQLwJ1MJGGdWD6NV/B243qRfQc8FBrR3e5RCMwX93o+eAtwy/FteLqGIClr6H+5TWF7AAEb+UqM7fIjTx8OOnq/2A9awaWXhjUvo/b7CvadKV7qSs7ehU81PYrH/q80B85j6HuP/4z2gY5NOD5Bmo50ibAygawDb2O9dKKwvZOvPIEw9WzdKD/jVuyK+B0YajS9ZrJOI9wcwuBHqUhqFzpEoGUP27h5LFVQvNasizPmSctLwdZFEkbuRs6bq3AnX3ZSY4YdVgAJsZb4DZTWkJC5pPLaDk2OqmI3wI452uE5q/6tLtFjh9UrxX7uLQJNxmJEq2uB97YfaGcSZLIbXG0uZXNJoVEpd7zUrZFubmh7zUlPk4x+U/PUu3cI3XBWcuarTD59F9d/vvVGk27jHKxJT4AI/JwTfAKdIgIAMIjaCYiSqo0wkq/DoPgi88Eo4r4EggQAclHcHpNi9QPindVaPlQD0nW4E+aLLLSK0bsAefjfx/6M4JCu4kVFWaXcjoXBq1EIb7EbNTu1R0gaHTnRCyU1zgkqflXfEW3TphjyNnozeKlOy9CVOEf1fQoidJVY7CbqsalEj+/Yhowyn9KH2xZtxj+nrdQ/ZtjVYzHqhhaVxoIz5XxK9X9BOIjLR255I6pqYQCHPWXiC6sYIlBTkAM/cO7fKnmufWMJCo7zd7mLHsVITvLBZpNFW4kpOTV3aj0QP20TLCRV6A3+pIOGy281ECdBB60oyeGGQ83Oq97vwuaHRyS9VHDnVB6hY86lvr/Jy+AI1zsAttYhFPvcZDHrn0EdTSI0kJzpYeHVOHVdQuknPO045DujlYsh7pLz5232hz5rWcv8V4VGb9IKl70YzIx3sFshSabF6dMi79L1oA6jz5rFeFrv0AzWq8sUVc0KHkZM2ddc4YqzTxXT8cZ2Rc8heP1AM/oAUmWe5VVv2zIS3ph9jamHJM16aCfTx2LEDCf0yb/lG3+wiTUJgPYFjctAZtCOx0l8tU099zbH0G+vdCuu838Ch7eSMKUPfB5f9+7ZDCKc9CpG47SKF0j1IWgljJlan8Uqj0xyXX058qMYwAaB8KsZ7L/uFf9iY9VXu5ZeKtxTzqRyiMaDG6xSZunGTQJL8IjZGE4voEoevHiIXMEX2I2rDl6SMf8UeNcVXewU6uZdqhcU8Lgv/lb6U1rbZHlstvWpWVa7S3mDLA7HG82pZ53+lQ294rrNFrg+dcice0G/JIJNlbaRp2FO/eo9qWlzLD6LlgWf4ONgdIFwKZfREaJLWKS3vt7S4emwDFZd/9w7He3Xby22NHFryic7/IqOwk41+YDK3qKrcIuPFeBXHNrS746YRalKObb9DesziyOmD5/ON/eQ/6jgwf1dpTQgG4bRNQeDp97hlAbqLVvGaJ+2zyUtn6QdHPq/dcRcNoFo/Pqt4rdt1AnoQTdez7+eaLmvXf7sFuvOKoGuuyBOFZJCk67X8DtEuMFMOJ27v+plpP4JlABsRTyGBPiqjvLjAwQ+kc72Dd8fmNgiTt5wczwtxRGncF7QYXLHjCxGZU30dvvZWwFV2QJyXDOqNXxfwmWmdRUTxSM2DGrHw7Fxeeg3mzFN20/eIxFDCQidylDtU2gYciOgAnn/nsXDCNWny4A+DVDPL2tn0u1VJyLVxoPOkeV4c4m4VZYri8vqv5xaQreNT745V5bynCP2YTSNNJnP9C6IRyqJx0s+dziBOMCTbcimSI6g6rzyKSG6M4vJzQM9B2x/lj4EkfKZk9obtGpux6i8JSpEypepnsqFzWQmkKPGmGdJCDd4HQKh9gux/D5nUlFyNd96mj+zBVglq65+hZ3ibyNG7TjNciei6asy4I/nbkShNcPLCyaM6Q292dGti3xNS2e5Pgy1npNV+dK6Wyy8mONnZeP+BVYThBXroFOG0n9dwnCml0VeBpJ/v1csIKrOhYgvI0Cqm4xRo2Cykt73STATxe4Z5KELJRjENy4VaVyATtNnXKgGi51N6H1Gn8n1nY9X6ew0J/ASfP1rmczLmLQHltoQ6nxTFfOGl3cqR9DgVWEdkfORsrr+NXsuQVZAlEmT2niVJG2ciEDBV1/ZKae7qTgMgFSjgIDR3FNpOLmUXM5NIAveQtI1fN0GuL2+hmJfqvmcODkGnSVA4Cy7/+zk3YK02e1NcvheduhE0WtHaev4ir37XerfekU9+94xG2rxZ/w1nrF/cqnmnFrkdbCSeGTAYG9LOegQPSHD1qmtwE9zKMLbXesWfrmiKVsE4HOkbmc4eiAakytbgxWNds7vyvlJmORjoUuw+kwR19SkMMnu7EUe/DJihM2fsRwmV/kyrmz1F3/UE9RsIaV7COTS6dIpRe2f5qp5mJiZMCZj6ZjIZT0mKbbU9OPSMI/H8CSK/J+Y0JSHbwWevMbfmmx2/E09fBzizYYPJms+fH8apKCyETcMcm2S7cj+KCCzC2chzxUgHY86sqZ/698WmQGucFa1r+ajcON6Js0JCQRkI+z5LzWoSxfMV0AcDuPKAz2nYZPdpXLO/9I96e+ADrIEIoVYB6TmfOr89qtJhOxP7D9nbvjva+M8G+LpvKEw8yCrn7AC44JP+U1RaXmhjHVpsseJ1Ad96/NP6Oa39Jf3B/mhQv4tEdJRhgY70TBI19D++968LcuvnyjrduIYgjJMxCnxQNT46Ws40gCnbH7yTHY56AiPU+NWuUlXkJ9Fhvwj6evKtMpy9RR2BbRIJ3JxhLhaUugTVNwb6KnPzix3V4YKCgkN4lPJmu2TV46Ir51nc03p8oWKR1hvH656Y+y3iuuCIXPhlkQenOPyNTxy9HNzbbKsefMlMORw7Y3UsS8bXmSTQ7slALZRb+w1zVzwcsvfZKxFtj//FySAEKWcXfnkCfqze7xCwyTFd2wEOe6K8zExooRn6Wy1bo0LlxR/r+aB44hBvoMm+SfYBYQ1wmn8+MNyizIlNTgWKbTz+d97sip5/7UjaJk6TlHdRjYSfuj7kM/1L+dOhVayvjxxuPOEK9ebcixxsrmj1FXDZz839ODSjWmGlZj52Lmkc7N4DzIWX5VF8FGbhPWw5qed97taz3IF52REUr0Ep337F/GRFAVmwUgRgHYifLG9Wcx93yBRyMeklM6/0LZUOH7eXHPawuaPibeM6svObz3lH1mPTzXipHGWcwZPGeA2Sg11+fiY00guN8wlmMskZESsFXRCpICvNJjJgHyPaaWOrXv4gx9QaAxc75RHeUkAGDJXpPvp+z5yXhDSiWpZ5nu7216rklMSEbHe3WoKrdqPMGdu/JEz8Y2k4anfQtsCZNzLuF+Cjzn26Er00UhKONZCSIpnFhF8zsNDzeJ7OHdxHQRkDJ5+HcPq0xx/Fp8d1EwhyKc0RrRAiC5YlQr+t6ilGocWD9q2hQM6uooURkqF2VkNxp0VKrEy5eFcP7s7No0UdpVLVff8ty+ONT/i9ouEwHZ7jHFNRNzcNPbTQqTIdSycG/Vss4RXYjMQn6jmenYvQON4qjMyEDGazdsOa2S8Rdz069nYQooDUSTMNGFySnJBcaAWK6gY6i9u7cpiu1tiPR02Za8+g+NUmRtHnbCYI+Pw3Af4IYtcLqLC99wZu9KRe6IlB4vYt5sqzfGZMFAySEDSNkeHmeAsBRjKK5I1SmZ/aNiNX7NMfshtUZQlS38vJlC6DBzEuQvVueKGwt5zN8/bxGT0tzkEXK0m+R4CL3cHun/yQFICihDkg8XmW74Oc2SfRqbhpXmEiFTGh+BcowrdtGvR0m3D80HtYEomrg0EDRoqzRUEsDAsdsYeGzJO7gTom8UvUsPO2wrLIfVGW+Q6PtwrevZB5zoMWgs1nWb4MN2Rv9DEzE5MQBX88nyfJBwldkAjAIMQZgNLyAC0SATbeKoBUJMvj9Nt0zv1myeYb6WNrMSo3YUIfGvqmy+S8TPkkDp2TmXnes3OFMsgn00kuSMGY47DJVZMsk7I6XbE5tkpv8K/H4yvmsJDNz+GusJTnKnT4pLn/RfOTEGxZXimJtfNtBnv/eIDjVb30+lT8bKplYDyUnxlHkMjG4v0AcSekhMbDmSRdkCpzUj05gfi9R4VU5Vm4BzCccBR6e0ryT7AgK0BhySLZ1TKhSOVYY8JxgEqlPgAOkh0zMT/b6gqz2FrrJqwUHu73S7u1qC+WoW+1IHuDiayE4GIXmo/CQrYSZo6N0abvosRCKpOPYDzJSRN1d6GKP/+R1nAhIbzK49f1L0x88mqm+Ma+PRgC14mxqBDZwe7R07lcLpBUOnMth8PVserID6UlGLPwY35ybyS/wGkj4r+IIKG1t3rcW8PFRfz+uTu0I75SPwbJ4EZJxVh/+dZ94+RgC1HzVSIa4AvXU4Dkjuu4Roh+Z4jnCbw6hrRguwUtYOhfwOpr19bM+dLJew9vLK1zNqchR1uSXtYt9NlwCRu1JtgxtcpHz4O7TOR8LHE/8QpW3n31OjGvmK5gym3ieKRAGUz17ItPhG8R0z5MwMx7Do+R+G1WJgjy153/FQYcWB6Y4RK8wGPSCW/vBAQLkKaPI5lhHd1vbg08P06RjRPppc3ZiMJlek9IRq7F6DgD4S1lXjsa3Zb4+tRUS1SsEapnTtxSuigNQrZEWO7GSRN57pDNkWBkp20XYgb4FuWvgkeySl/qu+6Nc58FMjiIFY829iD2GK0/AtG1H+aIOcXB0XWZ+F0Hna5izZqpuyV8nVflrHfT3XDCFVwRY0Gq5G1pVSvb6bFUQNisBQXCqudqRAq3WPn/koijn0QVZkYjd2r7iNmxP+xdJ5DH91jWbRrWPKiBk/RSvr6bHe3QKPHAyzgtSiryW//9RtaTalAyyY7gpP7bEsIyqtH978LnDRQOXEJfR3SCM5tzSqjfcm4JLAJiAancr2Qli04rByS88lGu+nmJ2BOn+AoUrqj+2mtJX0qnv0MpkoGx1+FDIu07l21b1exJdHhcesXgdas91QkDcWT1eLHQECS6DyJjuNwbzM/RjhsiuWLxx3PFix9dShEC3683o6uelbW6JYz4NqdHfgwWphmKOsk2zoGX+/m6T31QEw50h/uB9TQBYJHWRW1epDnPFOMu9AwuHJXhLYSR42kf89vACAgTOoY9wFWCFAPfR8Xx7tJwI+KSYa1570m3CbgzAlh7gugdRmNjAA1STc3DuU7qhYjrGcNwltfkvsXkbPKyNyrikJf77xEbHUInYQrEabMWCQOiJLJbV5M2jQQps08Pt/rYKSKRE31U8dIIv3rNGx2YSseE21NZ6LCrCvnyntdwFShUKfncJ0LI5goNpIraC4Tzc/pGQd30CbQN094SCd/mqhylg6kT/fZ4tff7jJTuPp/bvB0k1EYC4Yy8DmCbZ394ZoQuaTiy7W377TtC6nhzfHJGVBPb9hxhFMyepv2inKeLXUQjZj7cOmtPjRAw4qVMyA81LcrICu/Iet8jj52RNoy015tAc2gdacEDD8RrLJd6LV0YMM35ScQAX6EM7b5ZNzxoE/drDsfDqoAWkWdycAzj0xcqi2E4jP4zoyl+b03pDqBT2f/VeqJavhUmoHx1yIkl2mb/7i6SrDRavxbm+ddEtu1laopvrmKEPJGpVa1+ZKQm29e/Drz+pSySKEiX7Z4+6CW5FOBeoQzNH37nX/bpS1Xln+UnhBcb9KXdtu5BLmKvoxmaraA+0QDPyi9YSopCm5AE4+Zmmn1a+6LKoKUmfkJaTcui+vAoTlNgcb4O9gxDU7MC2xKUp/sAhh8WxKtxvmkDfenZ7/PaC9hLSNzFU80bz+zyXVHooAquSZXvIgFuwWyM1lKL1GwzW/eMMwln776FlUzM6PWlrk0P+dTzq061h6PMc4nfZvdi7YbWhURho17xXuaDAET/043h0csb4pLLbD+KfcKFoPDoz8IK7l/lLKYWT9RAt8wIk92S62T4rSCcIvRhsk9MFQknWARbBmAEQnxTyZVueZsH8jFLmP6GVKVtDsNPvHcCqPfV92BpQX2KH200uhSKyo9PHFVTwDNS59yPA126wQpGdHvo+if1bk25S0fpIsaJpwTWuykWAMCpcx5LsyK06YTqjr5CBZIAIqFoJb3XyS85V87q4j0S9KVLRWlq+QRS2C8bDktgn9AV+cydRoZDp/SJwRQWiW2FEBIlwEPizkx1NVgmQ8O1b4vIoM9OKJcJBcvghZZVUYrxTuNPyelRbv/1J03oY6dbuwNZVmP54UvsmjITI3PduGo2vncMKaSlpI3cFKoIUJmjElESfeadbNB6RhzaN9hi7uMfwkB0CXdGEPiO7BPICynWxpqxMU8azXundeCGIz9YHszt8FGBfK1JmRwPF+A5IsboGeWPx+I4JdxVucPcVOXDXSN9ntjXJ4o9e8WWiPsHu934UN10Gh8780v/eVepW/nN1vSfVlnxEEnSp6AV2yvJ0e8ftuWCrzuQYErNxDNKQIctJz/l5zEGXQc1yBV/42SBzOQh8GLeUDZMmyZgPWYciY9I1wOx1r/Q/yEPOWHa2F2zLbg9DVPywFMHxyHERBntPEjVx9WOa52nC9ne4GZpVVPiAWejZG0gbD9s8qaiyI0G/GzsXUs/nPOs1pHVkJ1CVAQ3bMBbJEG3TgMYHZamicRKnBt61MS9EI9goa+A1cdKFkpDKZ79JorsYbgW1olPg7ssdnyJpvTgJG5louXuQ0Bj5zUx/6rB1iNrpDNLS3aGLUA0ENRanXRthNHJle1Nw7NMEvbLLYTvHQ7b2LHERsx0VBKV12o2iLjcr7DeEGM4O0VdsbO38r3WNVqGx68+jboq2Lm89utVk8P50kWE1tk8CoBK5T3VWR//JKyeuPBEDoKrZztx19LP7qSOc0xEOmD2dpum1LiVg+AH8Fa7/atfajyHZjiMKyrN+YX9m/Baf3tF8m0NhGFFh5yumZeD0ztNHeEJy1alcemFkZFLecTd76XVn0wcUaxi16e2GoJkSr4f7O0WWqUlVdMXeEw+aTHs1TV33xsgHrc4xvjvvdjgskNfNIHE1mtO1NgUXYiqFWVwUsaYmQUQJJ+Vdlo9mchiNke2RypCz0NLmoYH4+hwYWGeUbbj2iMaCV2GK4yl4muLUFz1sRRyngYoiwv/Gn7jZL2dak8fDTz08oRdszXaq1zQC57eYhrB/2r8odJs977uQTCHnpzXEsXbkY2CfX/Rq09x0aHxaksK7clIPjkPu6aRIc2XY87+6JEC1covTX1bQ0TPZNLuzxSnE+jOlBSxEU1crm3JE0MB/u5UGlreNNbdoBdqmlswoQVLw19fsBLJksystJEPMhRxdjy3T/zfGcN67w8CvE485cw6zyyNgSphEJZpGg/cGJUrUS+cHJpQMaxMGm4U3O6nW89q6JaUawVuCVijVhr5225JY2ll4t5d6WtJ8DKFjitr/GvDC8AuSUghzIhAD64sEZMA+T7SQK3bF9uZYNLxNCcZp0RTMJ0lKBmlP8YOrUn5jifoFV+0aL9q5RDVlXgYp/P2ba2zmKp8Jd3pdCMYPTon2XSIl2EsBJgNs7/FZSUyg0RwU4xcHd39ruMehvowTqzl9DEBYN//7a5moDHtRP9uTDbJeo1HbT/XW4KihGwCBFrPw2O2VuB44kLKeubMnnFPBogsbeVqz5/AX60GHUMKc1f2KcGlyXPEjohBOZ8zSb6reRHdFtd7HXbi8RCiyKrF1bdmXp7nOmwayNiUFtazfxqGlpuXuSyiu7U1U6J3YsthkURnHtRQet3aVisO95JRfgwj/krI8mV1GUuGoHt8CSQXkmKEmBMU2NDyx9tGnoxbwdcJR8X9nearqTFBb0wmxYIkwbtvzOSO8t++Isgz9Ue29pRSeRlOByrEl0Y7pmAszj+12r3nrfx2REhgKk0l05UErtSjfO3Z2yREUGY09BVyCkilNuabF+OR4YKrRBpoMilwDc0QJWQW+1Ym21ZYCsmeuS2c0PNCDjughHuS/sekOx9M0tmVSjF8MxxBpujbgNdLmZw61BrKWyyTqoaLHB2Q9H1AziXImSaLrDWrBthgE9CjhRTOsyaJ51TIjjT+PayZAuvd2u+FmY9Cu6GhM2G6FLPgdbbi2Kv1MlDINRi1jJ7c7Re4HKiZwRTDRFaxNoy/mxvyZw79MPNmY7qmUWW9QU0P/+TYSAuoQNUkls5ADe1yDYJDlJjuPjfIbAi0jRfhNmVwU2ZWxHATUeI8bxQ1oaPnJ2SVzDKGqVN9QUYcoksQVmMXyPlwDjBjtHDnO4AtUeDNfpe+gnAQu33o18DHrHbHxOEQeRbo5RHHnWA2DbWT8js8oeWzfHfsuv/YscCB/Ht6vkrc8ClJIptUkUvvJR6zLGx6fdYdurUkyEusHcR26+UxwMdraf4MdHc/jJgkC1at8P4sOBbsIqObc03JCZCYauAOp9fWgHmkXwmU7bsLgbBhQ3sZiZ0Xrv9l8OBYHiJ/gpexH8o53L16WtQ/qBN4jW8TImPmZF12wxy3vsPB0aIXwMvqYY5LRzLXDSzi2gZL8PRp95MXZeBpcF1DzOpuakGXbMVJF8TUYAyymCIZF16DHegH85BgXZL9RRHkX1IHthf7DIJnSwH4FEl26z9vEQ/tyF37suuE/BU5Qe2jDjEQA6kVZb1jBmOecounW770vqB24oWQhFtFCH11gZUQGhIJyiyEXVya/sUKpcl4X7rbeVGWPjBelpZnc3/4YksLmzJXR3lFjAcKeBgecG1b3Na1aZbuN+R/zgxnMTG6lXCAwIuCg5tnLMrkk9I/xHQvjTxWTuWyzsmC5D2nE7YaXNY2HyLCIGjQTXiLQ6TS7FWCrg0ND/iV+MmOXIvQW2nSX2K6pgHDUwfEL8PdgGeKpWT6bG9kVHC+t03YjF4jZpQaoeSYHGqCuLbKimwL1t+S2eToD9mLMp1niXHYDk0Hm9KvYYo05Jeb+AySjHJua3X5zspwXJlgat65g4FL0rUpAtArRrfIdMLeYfn30yvJQi8Qe3ve2RIhru91TCPOVpfGkQ7dFAPE3uQc9YgH/qEg8kQ+O5ZNi0y9jPMsklDoDogVKYSuh6+aLVs0v9Mc9t2tdVx2pkcl9DakZaiL7Y7wBDLhm/dIq6YP/7AiHIpkgUcyhYke5LRmElEWYfnq/Nu2Qqn8dgO4z9bCtRPdCkEpM2nEYXbt2iYUJ88WastLPu60HLuHZjTFLebRLzyQHVDbSEMG8/gO7TaytxfOPPlzSamubnLy7Q46/iPwYT/NFNdF7ubKzpMY7vNbS0HOMyLveIqFGeqqb3HD6QOLqwtYksIkK5KYrXlO4RCtAnhtKPawdDcFGZRg2NdnYC4ZytF4PuWodsQPKQUmxjiuelP4W9RKssEYmysAvixjIaCeoLYYkwsUVoSCLBPSE1yGi6KjNNJ0PyjE4gLG3wiJgxc7pOTLYIMIvV6ka4OwybLK7P3wpYjZ334LxyFAx24QExBnNIx6nz8jZArFthYqIiy2vgtojoJG/KJ3+GtQ68jkyiQ5P4JJkseDgz96Ua5yU9xJAY3qxH6RB6yWQZfAO8O1+BvMM/qBLbiBJ0UYviVfB7cZUgO9RDwizSBBxj8/MM7vyqHQiGkGr2fx4uCVafkfE/V74W0ohpyJVp/oTnsVHTSRl2AT6e8Q0A3HMMyZ/9dzS99NGtil3U9dXXwQqg+ob8BIFD+j1O+zjPk1mfIunRrlPxxM9SzU0mtFDfdNKohjRrLDcU7izCca7MHQlQJ2Gh48/dhVsKaWKdhTHZCkIOmHHgIjEOfEp5L4whnHG+bqUfFI6AgIkQXBTB6Ey+2HKThahuT3tKf9zetYjSBVnxDZPeIjj5yMd+ywfwLpF7Xho7k0bvoO/syty572eAPYevWhNzIzB3SVBr22x9qwgGIzHc+nqDrNb43bfM+xgTKTAenQP9wayO/HxNo6Q5dP/wpFi0XtOSJte50l+d39SP8WJMqbxXHOQhS00+hxz7LQFAleqKUA2whvZtc83pqMfhmOL/GfVdyA5XTtRKQ/hWmhKe+Zw5j6mslRb9laMGKtpXsSO+1I1LVP89i9Up52PynPWLSAZQc9JvQSxkHFHhGjQ2CypvjTXXtm7+4P4D4eO+rlu3D+1iI7d2d8l5gkzZw4cLo9XTFGOMmekVXXw6bt0vDC+CccNbU+f9oE6pgA77j4KiLnJ8M55mUmT2s/etvRDwinCVZwooNw6LJxbG1Tz0OWccqATfafi+lzF4t+EDlrBm2jakKPnfoqPd8zGiaIzlgtejrfdLE1f+dvwd2i0dtzjdlQ136oDeHArhOS7YS2Bt+PNKy8fZw3XUmPzweq8F1Uxkt0EzscHOznV0bYxL6GlkA7l6F3Jec9JEpMRUni/H1oTaD+fpnyiw9xUKCO9Z4T/U30g/E2EolREkd6hMoyTNwOYKNzPaMw6TMtIreivrjg5r4R/Hgs/CFAkge2WGC70kJxFeyZ7kgUFk6vRSl+z6VCWIGOgGdU437c2yUfcfLCDXpm/M28e6MG+k9G1flUK60gbboPRN2LA3g/TdY5rMNaK3YXqZLUrd8zgB1ylXlanzxYMGrYsZI5byjYzDQ2SZl2ANE0rgVR2hLQB7FnbRw4c2YjNiK5Rnfrq3z/r6NTejhvWigOaa99dUXar/z/8mmcs3oUbnI5qZ+Ikmr1Hql39MdHcNF9gNygJ/Jr69Jstxm9NPGtG0qJN98xJt1cMvaJ7y/M5/NQmvq/DGqxrn/M7PJFg8BYrOEOgctiBwg5AMw1HkiwY0IevkDunRVpNZu3Leypdjvc/7NtDxtsRN0NedKNGQaFioV/p3ntwFyuNSnSFMts7X8VsDjPzo2/4hR4fDNen7ay4QqgqsOnd0AWdC1szOEkTnp55Rs1dLp6CKd74p1aaowHYWrCACrXRn3ICqMaBnTNLnsqND5Z8rajIGkOStgkjUiSW4S8m75uSfnzK4Md2jSrYDhArbjbIHPTXMqI2PUv1ajGTMZtoeqeqv1IiPz8KLqBS1ZrwVHMFzZFQ442UJCrBUT6c+2/KH5eE3bQqKHUBRuvFmKX8kCRAgev5O3J77UDH1kAHBGY4Tius92p4K6L7/jjAhEY9C9ry5dASANmUWC42Q8wnjvadPTw2YhYg+Hl5e8Lkzbu6XjhYh3g17NdUCdYOqGuEkpP8dMAKvgD6Oo7rXENiJ9/AhRayjVpVpl5A4dfsN+BpI5F6y5pll4gsguZJAHG1HIjH99XRuK1DRAuJxSfxiB18+6aFwd4So/i4GOb5bFLHM3C8kltsAia8feUYNm9nwNidElxq1yL5Mqqm9vO1+y1fNHC2Q4pccuyXd53ycs8oYg/Mrg9gf5MZAWPpmXFjJOtPmCNQZZHMmXyu+W7grg3fsKC2nb91EAV6vA9+T3XzcxI+G9ruHcZZmxiw9t5AT4LOGrAuvriwQuaFpMYuxqzBch1F/fwszFIO9gVqH0p+zIq3VThBWpOfOEGoLdd6sssXoQBsqaULcz1noZpRv17WqV1PWWP4MU4iYuot36RcXeb+pwpwJrSM46e2mFTkxradfjgj+Fs9IXF8+vI5SQbe+DTnJqaGlAf69zTd3tpvMBoQa5ELsThgNKh3yo7pgnqLyujNmp9EzrONoIlWg5n+k9qhO7S6BJupxWS4GycpDOMMnMIRD2ta4iFIYOa0FHNjtyEaUakT3+kcBHrjMWqMuS8NVTFbBSTbIKMP90pQTPzOURsYTOjDoazuKyfEyObkpkwEmKARd16By+o17t31SOYyupCZ+sfNpPoV8YsOv4i+hU8wD8+F4dCikjGEjJ/ytAx3T4es7uD1mD2/3vChnHM5YTTBw8bo24CcYlG+Nuoc6ad/ZmnmOeifw2xUNQZpYmL0uK57SdaPg3lx8nrKuE41WsMzNiyHt2Hj9UOw4rmqqp2l44kuFW1JyP2QAwPuFl5Fq+ztFXbz2Fa049y6K1ik1BVMeeejsOh+UTHZ8UllugRFAnCRX/XRM8Uui6JFuDFOLwlHhc9ACQM6sOCrE35fm56HRPlIx0d/3/vuwu/NOgq86qWiuTJvP+DRo74qNUBokGHSmaX0PXAaWeUUljMkW0jZa8Ir+Q7X7+UkE5ARjamErSzl1m2c2gD7485unlCauLLKgppMoAmTGROWQeA7n0pFbu++2DUTQUhz614emsrJeU0+WTjd3wi9RFpk2sM2H2G+WKNWiVg7Z9IgEFNiiI4JBCEixHw9MgTsjfIDNtq12GhRD+LfncSi4sF+qV5/O76wuBRgojXEKqbxWKKQ4xQ55oOZ/2PFlevaWB84nLmA7d4Q9HA3gTyqBUabEdlsONAygldueG2NBouipJdHfKD89XYe+3QYoUiwNVE85XpC7RZYjnH/xjmpPtgc+AWsteKxZshKzamqSWKd4wfxYaT9QPe9ts80I7umUN2QkDjiWu8MDArlNJzrXMUOTTcuimSUONmNIpsfIDOUE4nBOTtJWWI2IR8frbT6UnaxBbGRjbQsZhf/CPVRSgsWE6V2zoWu0nQshLBHK43N4ragSskdf8/Fu/nRZMsjHJxh6jEsIJ9lUZ/5+FDM+8lxcVBu/8EFIOkyh4/bBgqR+XElH3/SEwWeTUsDGIjFohE0IVr97gcbAtSukrkHQyWPS+RRxiHYZNuF3m4GTJDgp1Jz3qU4PGsUeM2mYY4a/x1eCfQSvmlbqUjqAx8tJA0wSR+oUc1CS8tOC3oHC+uwDn27YY8sf50ETGYnSZL1tUEBZ9b+dXyVzVDpUV8lJPglk98T1i9gV/PuY1F8P0w476JpmmaDHiwV4HX/fbLdbT7Chvb52fRGEEPUPV3md3DKyEaEb4ASVy0x6msWgwtxh3mnnsPCbMr1LajpXSdAo5cdhOjdyWzFyUFIVu0CmNW2GKwNNQkBaVSw4NrN0j4nYQaduZnBapLjNAgJFMdDYG/zltHQZUJdkOhkUmP9+YVOMYM79Y2oq+4rkrNljfXy16QN1guwLH6/ceDT3qkbFxjkHnG5WdIqYfubziNg/QKcHvKekuSUMMG0Z33GfgF+OA2UepimGXCLKURGBLQexGphkdxdHcU5GOa4LlefcJnCQOJ7sVnffqUEURNjbOBUzZygXNznF4CcqPa444G8K6of+OxQ4YQenZg8KRp/uZnMmo+SA8kIIy4LF66xKGnO6aavqQyLc95XETLaNwh3ox+Ic3nIlpPLSPL22jTvs7UuD42PVZS3fdFR/sTpPRr8UOHlWswdb0w0pucOUCfrv5Oh8Tu7iM1kA/ixp6+K5HAE3f59Ulj0jm7ICqTBy87qQzcDfcKmyv3c6SvQ33zR9rpMjwshaei1QhVmdooCv1jY9T9zo0FAdzB4fkUz5i0XDZnoA5gSzvVl9xaDdQ8pdMRiZvS5OfDi6xzBf1f4ks9ds3Zz4LW7qfQDcH2lkAVJHo/OmXOK/J11rLjFxmHbOZS2GiwpHXAbvAUFrmNy2ckppbE7IW5tD0vYSIvcwkv0DEluigPgj27u+nLq6cjiiWDpLMKNB1n/KMP9Y8X/6RR5ko/kORhC4c4G7bZKybNP+h8g2QdPkcY3XReucoqlH7IR/h9z/M0OPwyglFez8kEC46Wd3z6KHJ1lWYbpdUuhTqCnLUp4ScJr8QTt9LdYDI4JlGnrEjWe4fRoW6PRKMT8Oq610VUJIx+fZ9qClQ9KC6HhbVKQGsEAmib2208gyJrkn/Xzphvv5ZKKs/oW23v7wnQodmnFfclFZ6Jurfyd1RVrxInNUlJmWNLncacZ5cseZHdN75oYYA/qtckjLovl5bPuhvOJcKOjdwFZaUHLgB0IJyaddxmJvvWdGM6GUimWDNcmvAQRFV+ykMBR5LWt1FZp81nP561J0MGnQtxzSMtuinp7/doLtkgOQlqJWtbHNgCHeGgAB5IgCV4yYBSWj2cXPfdKRmqX+JCBZkrtEp2jwRABwEBUjhqDDjF+yYnKkGW/ZhsDG0f+pNKFkF40Fj1LHRGfR2XCZF6T+QnHANpBqBEwMLOOriftv89y6001tUqf+x1SrB2SzKqnSDKyY9n3brkoIb1hDKOWiiO55UZzdA4yqpLZwR1nlwpFc6smeKtMU5L167ISV8P9cGCh5FCVn9Z8BICW94D5OiIwGagipmB2uapGbZpEtn8xBkyjympR98LRT2JZ66P7txmPrfFWJhCgCKAnhjqQECCya85Om30Uci75TBKyavvJY8r1gVYf/+geP7GcORC2tigw/RmL1slfYFJQvOPFOeZjnYugcvZniZJo8FfgDdy+xQ2lioQiT+qwLFcDd6pyhBdrA131UQauCjPJKa1WKCxUDUJZIIj1927q8xbGa4k+IojWmsfJUTTlXvGGNtTwhLgLMHA31bN6SsUk0wunuAP//tAfOlCN/1KGrllg9FXy5La2bwamfMjw/ye8c+wg0CUZ2L5556Q7+49+S7awXrh9qw2JNuI8HsJRWGRNY0bH5W66SuLXK57qgH9SZS6V5DtwRWV5l3PTb5Q3hI5jc8DMmB5mgDNEgVzFrg1jui4hvIC9iOSfi2/znBwu7VxqrGS1DDwZYv8+39uuSrRkiQ/CMM3H1iSt+olfyWEMlfdoMO+ycGA+fC4X0V09b6taDVn/8IyNMBX5N6lGkF9+Ch2suSfmKkHu1r0VJA5Tt24tlgBfJmwJHx1IyeWh/2a0FmGGL/iVY9omUX6YII0JpiIyKmi60okwUghg74EfM8Chjiuv63gWZnqSxsNchq0Tj9APbGTA7soYerOhpsg/7rutmGrfVisBK8xzNnbotvhCqKLvQ3wEO84reHJvtPEQxhtpVEj43lQPSHe2+c8FO0z7kaVEjwNM1bk62A8+IE1vebIbx63ldvwJeLC5c56C1pDESTrX4FG8H0chc4u4g+DXEFo3qgQThsEjjg8fpa6Rl4IoXhF4HwxJrSpcrpvfJzgzYIb6FeBV0dkH0sv8n5Yp7hIPUogc6WNBHDbTL29eKLGs8Aa9RvnDhbNZkHPzuU8FBUM4HG8c+XtbkeMG/gJ3xdtQhYHPn7Lrq5bX1azeGa124m79pEWFAkIgKQUI6SbJnR3hIvcvJzL16is7FbxoAV0iEBsh1NWaed/NveHoegyac1uz1K0ROs06tWRPCSiZXH4uwan0v+j6j3EjY0VTzWMmX5JfePunap85vQPuT5ajHp/kB7MpLf2id/WrPT1pd6hedTJ9yqfeen4FfYJYNPJN2pRJj2dwZF+ncMYjDhEhwUGIapNngLovoCE+aa6JgKWwmJ0mKCb8737V4cXSg90+GSnPt92y/d64XzS0Ap/2iCJw78KMcCOVh+AHOsviu5diZilrtqn11uMBwQhQyYcsghKc3fKrlG/MY3Cwr2kYKIVUQJDJxaRznVyOZOs17gP3zaTG0FzOzHczAPbTO0DugGXMe8LnbmCy7LNsLEJzgJcg6eAYgkZbUXOWlTlprcJzlY4qQqscKQV+Y0oksmARqKzojueQwgFYzjQ8esz4MxL7nzWKBc9yfkPhQH7n5udgadRtDonqDaej3VbBQs1KQtuWSlEuaE+zfFHq24hKhHrWnGbzDW4YOx4kkbixuFS+Ryco88XpFEyWakSHzB7BGVgVuvteAY90+Lnvz6lQJDKV8Zr1TuRHYL1EgIqFCQvxnib0obTJrKJ0+wZHQENEZvlK29Y9NHJZcJ3A3Eum3N++NC9kmy/d22M/1hxBBI6YKovq8ZtLl6o0vmLBaRveQlGFzyARqrKKEdESK+l7JIBgmQ2Po6o2to2rZOKjmfaUIbR5fp7ISAc/2x8aBl3SiIND1TfvG7NSL5lfjpv5CEFdAhpKGwgjO2XGEJaqpK1jfzdZ4T3LmUturZns43i5I4iGvlGmu+7vx2TCj6ZLmMWCBaUNkkFBDTOix4ZQcsc5BR/XSSfjeOfMSXfYWsYmWyaRy1/C4l9lVBHV0giuwhWOiMTeRGMMC4Q3c8XZc2LfzE0TUpHgxwkhuUV/Wba2IJ0m6zWfipkrso1uDu1rZV9mTEfDxXeiN2GNvS8VlYBQ01XvsSKhhnO4jYGsRcirCt290fa7HmW2wnqrpMYv9KA5TxNTjtf+kVwQgtQ50jhGuWMkyHeZBfMNdLSDjjOGFNPPFbA+uBGUiTWUU/mnULskt7/UKtFuuxUJY9Tjq3JWJYz0B+2R2NsY+7TTN8LD8N7fwz70/l4uwGnMXTIG/Xf4ATozTP7OKqp7jt2wkxvFcUgsXzNqqzhv3eq5scDdDfxL+v0/Ptc5dsrmcR0FNvdNguAsj4zczqaZ7W5i6ScZphGS5Xw5oreqSMDoYfzh8yH2JF1NtGc0xbiWFLiStgxxhvJzSPBNwxhgCm2fjFO7F0KfOclFBY2ItIrlrquRx1+SDGZI5CVkKPgNs/UjqUzYkvPi9U2LacVPYWYxD1a6FrdifO26NbkjydvlDZBwmwhaT747Wr5ms9LsraDEMA0NVVC4XZBChpTaT9/cKUagc38faIpXNuLuprttWypDgdpbnKN51IiE/G1k0h38M7UQxNSv1bFTRP/Dwu3YJOgRY0v8Ug+lklsIEItl+JJAFwDoGcp/moL58v++2FJABUhsj5t8ghHKXzHxzRXadOl/Bd/vqdBMKFpf1l/3tr/I/hDOVDWCR6P869+yHnvVKoAMBCrVdzE1ZhnXKOtAx21311Bk3EODNguGDlv5DxaqUAhenUQ5pnY3aLo5I6ZRaZRKp+rrbkxsPXddzr/FBxiiPlL03d3QhZ1HSwvnR95ESaYsdrlWAWeikum4D7ziSfINuE05IBgn5t2/+4rVrEdXg5o1lLt7bY7k8XD5KlBxi8b82a0hyOBowIkW46VCBlla8vw+VntWfOVQjmPRAsRlx+mQwukl3waTJd53lWOGzvILdJkeBnZf/GwcpfnLvj7rMYERdViqptErXrb5KnbBYfeRc8y4noqk9l62GDXZq5uKkVuSpDjYsQiRphA570yxvtqjmE6sIVb8R3mSFJSxXh3B6cLs4q/NNu82wUIzUbj5asp6ISxgtek4bOdV36kRaIQX3UCM6W+Patq2Ak34Gt5td2GZkNcdCLc4l1Ad3ed3UWwLaWn2BGpHuAyp5qaYfVfCf6WOeDbbIl1FKPszdrhbSirh01zg8eUFxES+l6zZJ/nINl66hK0g9Nw3lUUaJ0HkL/SA4097B79EoWCoOPHogQ1jUViGCBSJoalx93Ad4mQIilW3lf8PKCTY173PGSZSX8fbF88+Cq3I1yK+GX7XLABmTspk6+AvTKxym+ypTM/k1phXnRPw2sws9imGC7Jr1AtqVNH1/NcHAeoy7Dbb3yHFXKfpk3b61a/sYLSLORr8TSt75aedUsTcgl1PYtum9ZUqIBjPfacRxrx6RDpziOs2HwymaJ57ztM9u4zZir46HRVrB0yA9w+7kgzFpX0k+7UlVZWgQP9FbB5sAUBOl10o021kX1pNskq0S9qEGR0ZwIcWbKMZ1M1Iw80CUDcAul3dZwOPfpnyrA3HbqomfAXE/qVE9xAqPSfeVxlbg0jBHCPq3F8++8plYiZPZsqunG1F2tf//+K3Ut+qJXbJ7ZaKNvL8SoGmKxyrcQsaVa/LA+5CvnuoZ1HYxo5wmUvKZC4xgKzy8rQU0fncWVH9AyacFD+TBq+YqOxGkDSHhRRp9b2vLsI1iU+1T9sSrcX0VwddY7vDrIDTUF6bd4xlaw0VSmvrqYKsA7ja6mjZyXkxg40KC/sVeDCK5Lg7xkgGTVpL0wbaPp1YN4FTKTFXVK9Paazk/IdzUJUojMFf0ZtyqKFH44WWoGzSJ9PHknxdJg7EQYFwDC4HRua7gpn/cERwBQU2AOsg4gTNB2CSiXuPPTUoa7hIoSBcjd7wYUWfyOMcBqzoEejnAaQNf8MLfNKFUvLB6zvhk1ZuJHGqtJyHhdn3UK1lFOjTQ/oeHegtV/tu6+ni9MBpXRIMMjlyJH+/GUdmkKgQOrjgAHVt2iLhfzQ1YekA7/Ty1ufPp/tqT+lsI7BnuOgFSnswN591MKeKGmflf/Z+cv2IkADGavUsNZdYEuST9rlZnHhtTtl/ysL+9xugHOZTIp3aCjWa8hLpC6gmfQdDh0S/3Kex67LWjo/myQIwch+keBc7T+DVXCXLFb8Wj0mmzzBBaKZ50evcmU/wx2wl1pVJoNvVGb2hjKU6qP+k3odykLOPvQzb5KkcV+OWvQFqp8Zww8WbfyG4fETjmDp1vb91+qLWS7gnCXgxJgbJjrJhlsC5G+qOY7FNFg+MsXzOmnLb+PiYcNVwRfZMwoGOxqH86jQB/tBO+guO29+tPcbC3f0cQOG2hq1Zp3mIdg2WpE6IBynCQ4TXZ4mu+ryAlUcpGH9R+GhXxEPLBw/ZWimzLPgn4F8/w52fObQ50ZUlSytaUfFTjDRj/dcTVZvmkSO91jBrwoHsahiCP0HvrkVBGN2GjPap82qbi3QI2TjyEZHmZ4wbf6CF0V0LgJpJYZW+OjHQDjER1lw+tKai5MPxGbha1UHporGgNygklJXWg81EwNvffbsYVecjX4E1T+R9r4FyOQXAlAkZgNLGxtJWOcNWMNEjzAxFP4cIxqWA0dpCIXDss/1Yox2BE2dxYhzGrVjpmoM8LBjSOH3NhZZjUvmOKy27ts5BXiNlLG8eEG2zU0skl8n8bzktO55PWmfxHcBfX4aX4jspTn/+f6SGwDQRaiWCdcBRF0p+1pr4+5Edc5HSVqAL/x3ebLSz1q/sFSEqxKkm64irPPOIqLQmO16oWRiPZWKw1LV0pB1L2fVYCbOannjhW5AJZiHZVQqiUkNf1W69y16qwQM8L1mApisLTBIrA9sVhN3uusbFhlfgOaAK3VAk1Gdn/5tT3tfllmwk7HiYV300jin2zGECnL3Sy31BsNH78mBx9uB5aV0LF33+N3VBXan+46hNq5oQU966qh++TklGpMPWlxBOzqF7e4AO4SGklgsNCHQ3ZX3HIZlUlyPnkL26EKv8BwLZfPTsJoEnzt+IQ2leZ0fWUv2yQvFpc2i5qvx6wEIFiC3xmwtqfmyyDMSt/n3LQySdZONF67mwwkOZvFUpdh8G+zm5gkLwWQaqU6ETotSrw120OwvMO6R2WiXTM3YgAQN1HNsgMOm0M1tPVt9RI6DJCMHkqde8U9RRo85IxSbOPjzE9qG6X+UwHQiR3hwj96Bi+/dU6900d5g7N07orS46zpg5k+RDKTTxIAJorWN31pVVfXAcDyKp/W417b2E8Y8s7qi9mNor4NGd8kKe7CvLRF8e1oOqtruVbbnTWac0pZY2ta/OdumK3Dts8PNvvOpN2er/d+FtrVxhQv4pI8hlefz+mXSUH0DL7NxXFMzT8ZLFEIlzFsj6XZqwuJY7bBxtsYi83rgISZvqWGPVQVErVkcvFzxnDFl0Z0/A+gusZ4fevbkLF9jcmtiXujwT9kpv2FFMbQJgkrtCSa9gTRcySKWhLrmwNV77gJoRkQWna4+rjg3yQPO77Wb4pbu0J8zAz/bGbQDEpyAq3syYMEXh91bHLP0I6scBylio14cFBFDfASzvo0OZSovOoxOK2VJUtRAK+jPNcRioIHcT/91FruHV0/iVaXzWDw+VakuRQxQhF5NuZxQMdYpEQ1wiIHE3E7vwxDCVu/SRzhNjdykdmVCzjakoRLWPjCrTbjCvOOc+iPzI/QJcTdPsQ49wPGuM/CibZRUSsaR6opvNUqjOjHrygp/FgtRxfqvBjuisNxvQcNvzqkgkk2349ZzP+xNBDkQvwDN6fCueQT9ceWxkiN6Yy9Iglza/lHLfvmkAICGFIwLdGECp76bDYWA87htPylTpjAGVvrQCtqOO90/+cuRJ+/bavH1iC9gW2rTf0azNfwGBKpkX4sZka5IfOW0lSe4d7w08iiRrz1oE3WNp07Bnia8cR/8hu+PuDps9vOfswc/8UHe4xOwdWHdFgZSqKWZaI7ZYfbZvWbJDVn/NyRN76CW0+3owyuL5aApcjzFVimszgQ4PtXAVS72H4Pef0vb1McM9R9l/jLivc+0yLFYd4H107/23MACq4frurfvj5s4tftwHLX07vcPStdEMCliUqiqM1lTtFmnUC21DxvPHe62TsAMYD3C8imIMycZdbD3pD3TffSsonL9HeIIMvXZqxh84YW7rOB0sldiSrW+zS42GiGg7u8LbFsl/VnFgNOjgkih0FHk5yZobFVCIYpph31NPt5I2zyv3NAYgn4HoYlb414remMpK2dOkcPg8YAitCm4usyh6wyeFng0WrutYVa2f50qc2Hk8U9LlWu6gp7CS2IIIyUoqFFARJf8HBHMXgF6FyPwfhqFQ8wZAob9gz0jM8+LIvzdcUUx6Rs6E9cmS8tCYH/zKjtLPgC44wYzMgno0BCTwcnGmqAYL5OhBkwiRXc1XuVEbnkjZvSXKxVIB7UdWFR8XRMmbEIpqu5tpaR3NXpjG3kZdtn/1Nh1tD4FiRTfHCpt/Wx0YErJJH2buGW3twFERl36x4z0p4CJwI53G0ar6KFmoWPWAMXuYqj49KZBQym9hrqSRLSMRz9BuhucdSKYxOgYLaVZ7+TJ4CSE3K8lDJiz6LXv+7uX3gleZmSbng5XvseiWtTh8RcqwxG9j82S4trid4e145IAIrVczV7frqCEhaZjjXlWokAMJwCUoe9cq4UCViQRwdUiA4AezUBH6LUxMwdgFi6AGTb+ofGsAeAyVCC2IfFZTsJzJ1LjIVxBf7MiuBZ6jq0FFlulUDajzAKP3M9W+Vqn+zb3kSxtvB30OK4FoVSNwQWzj1L0wAU59qaFoDNjNnDCqnaUZyu0rD/+ziH2RPVP7JJ3O1XfW5tD8JQJ0dkWX8mWADHzM5u2tdzgOHPQ58FwE8i43WRzBuIjOwDtdjJATFjxJwVK/DkELeGhkuadDXUPEvV9FvfPFrpgT6/OcyStRunvzhCIGQeC8VLTYcx5yOppUl03TToBaJRkLO9vVagcQtKW1BUBoecmSO/N8fy+TYoHplU2i1bmPW4vhB/C/Xq+QwHBcHwprhhWNmTt0YI65q0/OW7vOb06e+iHAOflJfPrs4f5yoyeUclgBzL+Z3HzePccn2WsJZUrGgLqE1rhUd9YTguw1MGFPMjL8sEoVeLtA2X9h3qFu8xYiOgEHrTgTAsEZG9i+FqaiBY44ioTd70Oz5RI8En1eEDbFh/oSMSXBHrcfdJpVf5/4zVIDTEunT0jmsAIQL9de2oDbPVXzWzXhP2NGcfRaBSmFKgyQEm8lGtBHBissKSu3O3MJSDKgToKeiCiPFe3ClcIYMTTYNAy76jVJRdMBIVWISFeuJmYYdZxYG6aDyB1ZM8zoW78mEBHlWRk1cbT4gJnISRqctwcj95LbNjCapFUtx9pJNDoPJQpLUVVGl8FA5Aup0ExXr/nF+mHFEMi/Zvbq4VVuxxaPn9caW6Jv2nWU7V8vXh/d0mfj9FSDQjgtPGjyZ+xp2U0GbxRPuxaVbDJsJtLqDDnpRP3eURMr8PlpgX7wTwa6WQEgNY2dB98KpHqxrZdyYVmavt5F++j34z2K/rUHCttAmT3AiGbIQtMM7H/4YrdnlJo7Hlb1PkRNflqgVyNkjEkJ30IBEK2e8UWeR5VwpAmHRbn883Dj1w3wToQ88GkiowvM3dFQC9QbkYEdsz5EV3Z6uNA5fc4UHBZNwP4b8dfiUHyCV+e+GXuqEvCkkZecVfVUOPmV0ZxnUl0qZY8XCE0J4VFeLYfUiEo0mpTJgdGujFutRgzytOoRerAwlY3D2LpkU8C4UIWSm43HxaMlAMSCt/qFA44MOfNUiGzMOHS07RacH13dQQ5cIdJm9Go34jeyG1jTTP0aWbYlf+TDJnoGJ0mgnhJODrrvwYKlA0ho5nZeDcNsi7L+5aLoH5KTN3tl3Wo8FBuSctLQx1aKs9F4wrfx4n207rI+KEIAA3oOefdLQwed75tboYAOxkuYaYUS+yjP8IH+mz61JDubkM5/3YR2MgatTXB3SvjzeKqt7jlUYviXhreqG2xq42125mmEzW6C7uCpQYiXEJfZb1WAU5hb5GKc4MHdn74d7KOlkcs+j8Xr6ZJErJYb0SFPPfUDV8LYEKmAE+bUb7ociYuXXP5s1L79sD3HRc3d1+9PjORN1AYigaKEOVrpCCs15ffnxLtcMoBNlW4WJQMTu8HkqMfzJMkHJeZnkN+SI38uJ0DkuA9ZrpSdzRm4ymUhvG5pn/iDv5jBRHGAjPdv9nN+41pt0x2si7iYTLL1g94s/iOVg+QGfkN0r8YCrgQhCitPwKa0h8SOMGzt8563/xMfu5uda942+55EyOXjmYrwR8mt8wbv78JmyPR8R3TfcmZzXcqFnnH13fHRjw3fMjjL4a0ENRAu+2RDDgngdXwNoMDHDvGBghCV26uwm03Pvt4JrJKuDk0lS+7jUViKyvv7UMplcjx/a9Ll64K/UjG4MAyaH2s2LROvQFi72cPBtz/zw5zyZeJygUMaAvtOdClWRqbyR3PVJk597hxVFPzDix9colAgyIywVRLrfVD1VVWv29i7gUuXLaRIs2Jaawmzqt7X7qIazqCdRnxoGndby+lKpM9QnMCGCdT0Ghy+Bzl6VAw0jcHHui+hdOiA0U/Lau/eO3k23U0E2/rGuiYdgBla9+1SahPV2lFefRKwoVAVu7jf7ZWv22Dkfq9bFErRYulROjFTI904/VLenTmRk4t4EjGUYNcSq3O1ZB934oMja/odn9341O44+LP1v0SQ1DVawxnocZxed8mISh8/Loz/YWLX9p4VpKQowity7pk1wU4ZSZvAtvNZYicxZUFsjBRk0ccLPTzEbUJWV99eQJe/ES03qE+cBze+Wt+4mS/Ssd8u5H6v/Wtp7wUbJC1T9LK80AaRBNG6FDxW5ip3yvs3QhGSFzz2yMAWDFpucGGIeN8MHOla79+QsFminC9Fr/4TnjREYef3E6bpW5Nx4I2AtyHLQi+BaXXLFGwymIdJN2Se7qrOv6veJafZlSh8drPru0MQSI9SWWgTIEmF0mfGaL3kYRNdf9sWQsnY8Sr0gry0DryEOh4/c+NRlVHfQ2EX1PVdISrCD93NjzH8bnu+fSyMfbiNQYgC3TQeIMUlm//C8bA0FjSzFDai8dyBdqg21m9K8f5EpiwrHTSnJDx/Hy/cDCy9XkZeQJq3B+rKkTq6OM3RXL0tih38w20319f6LTjiuIP59B9UhF36kt6wd2rrJTIw94MHibXJL+83WkIlBOdb4PaQhVe9hl5ng0O2pbdKQrWwDTwYLDtftaVWLb/Nd+TWehHYuF4BsJZh3zyW9/tjoAK8KYbEdTDT4gjo+Xom1ujTYaXRVEI1kPJlg+84ntpCXB3Zrm+gil2+C1UpYy+Sdu+GQjh3HsSX8b3bSqPkcKwZbfP21uKGMEj4zPs93VPsAImU8iT9zcU/03U5XQ6zMmFHa2ZBTXtzDd8XfziYX+sS+6ZmzVYziymkL5fdPmH/5cuikZdm2m9z34Fxthd4B8p4pbMgV3V0gF+kGwPEFtMZGymDC0ufWxF8+d/FXvuWV2Bph7bFlkroiDe51rYoUSNUzKz1meLKrPTuFicrm+AeRMoW3oJauicQD7eMwJtJ/0vGtGILXCYusTz9RYbVcCLq5AFsDjvEFl+/hWPGun6eG6W2eIW//xr7slPF5rWigAoMUF2/jXhNGJNDFQ8OlUlnijJvWoQLlc1UNX+mPymfy/GdYQQ+WLyaeAyC/XNtrl6A4TV7KG3r5w4rMrAIAQGAX5Fsdl6Nc1rjGE5zjc5ZdDK0TIXfz9G42NzgzH9Vzwkr//GBqcLKaJVYpgP9fTh60qWs8KN3S4GQRmh5XDglBnZ6xcmRjHuhoHhwoE9jIdFvSrqTJw5ewytxJTvmzKGENfBaVpYECko7ND7l6+rdL+Kx1jNe0pXg8xD9XMSNCpZ+47jIYAHrccOS6ylASTq6GpYxVhYWDoFaVAidTWLoI+Mn/rilEAwZONClh/mHPpoakBzcygFRoX7ohV5N8KE/TnclwtvfTYisjzUI/YEoBFn/S8JzBxhXEakzUXhpgyDPdqNcYHs22diDYdAtZ66NXMnWqqdN5vbG9IhaQMIq17wgTHrWXHoJ7e75hbBrWNu8Tqy5N1rEXDnS/aEponBhmtKZTMsYsYmGzmEzzDNHKczbx8ZNSSANl0qZ1NruQaOF0INCO+O+foGVbDJfT0s3cNkQyOwcFp3GF8szBCU11OJhCc2lYU4feZJZzUNgOz9NVbPnM+oYU9uWtlGS/6W2ZSCli7QQj0nhEjt0QpWLHdFF2tuPIastMlFaYOlP+Fx+/YSCP5Twf1qyOpzRxAqCQKURytWj6Pb94V6uPWC8NwH1rp4ar5ECyAQbtEcXWYnyTFHv98y+7pedMIo6PzlZxa5xBbGWu4Ym6S+YSw7hYb+o4nlIrBKLz3atN3p12bZV6IPkgtt9GWtsHMdoyNJ2IMZkB97nVnBMtuFbQysI8SPTkRkd7DXE8txnxMdHrBX29yPFR47nDNcaZIpb7i6f3qKFgWXI1BB/iZPhQvSjSadsQYiIk6l2B0PLxdbuN8cuhAOEa43dC7ZFyVLCkk3vlKzW98VwlZjX9RQ2Hd9Sz7yZQlCya3WVRT2bm4vIJif/qSjjlUMF4GjZOwfQu+NuwHEeJCu/Yo4aj3TKWUyoF93wZKpOteAPfGzWwJPUXRHR9pYkRz1jBWF0KsNwt3ZvW2++NHzIv+huKVF3UNxUjptOGKwyC7gY/Ii8eXNya4JIuOvA1ZI3AeVedbYVU+sVOyFfgYhk64s6CYY4SRqQ1NnnvHKijPkVNt0JiDnAqv/TQmGVZQl2JafD5gTuu6/kTpT0Cg0/8Bt5I119jHxJDh6DAPfMrg6/4aiF+9oiCvgkrgps/ocqLrGLrJqVK+wSmOhkjaBbSEkealHMNpMCrD9NJVMEfXVhVLo1KOrwA3rYtwrnTYzafZnBvFC0LS19MLr9i8NsuA3NE7WKn44DcssDajMJzzYpWmCkyDFxESmm5RApQptyr6D63VjHFLzZFXDLofJxAtXUmywFgkz1MhLAV1CnPw7hNH4wRNUPZ68wynik1656iv7BuPfc8Z0cLukBvTOAT3m8YWxRYW40Lm44Cz9g0Ymdd2oz+H/iWxu4QMq64apsVFTMmzndZqw6BmskSITLBwbjGIkNmGxisnu19NZbGY5o9YNeG/eEBeeXoPXXaJt92B/tocBPLUFgAzxx+IA7Qkgne0s5UJRvdcyHHkKZKl7T5UAabTryJDLIRCUXiwPcB6+ZxiPLAxQlo2/YYm/cm7fpWTcqPB4crHDfhmU/7PXr7/pJSxtU8dsjOzrEedInfL2BRsAM8f8jvJ8EQ39VA1QlizMWEG9PNTM0Hngig2FKuOf7pCk5jDs2M+uTcPkHrFcHvLuHDsHyae19JEyg/oYnuFkxB3HH7YN3R56J4A9y8k/Mwfp0UCPAL09+YpbqEEtXv+tb4k+fQNqexQz6PGRWMILQJqxGKv5+B5Mh/Z0Ozxmi6W5Rm+Hp+UrGtgRM1HXLbSx6yhc3XxMQWpfFvzQNA/f014huiVAKOuoLwzoSY4cvb9ooe4y9J2KeVDRfSFGIo1UGJu9KfXPsOK1y8oJyzz2d2BU90QrRKvU/KtZKUSmjZY7/66S0gvW8JYrwoon1abo37gtk1MbqjK4/lh9mIbLNTv2hOE+j7RSsllUaslmmRHI6HRd5R0E4MMKhJ2QHvTgkLbEWwUALBZtHzoZNhyyHoElO3fo29Y/nZJ5MFOaONEf/7hpMxZEGMt+GWHqnMqcNmw0OlIDOVap/tKrq7+CkopnS4z9ASW1Gyx09+hwvFL+mFnLATSH6ytm33Hnf4qIKhC/Yl20TswW3b1IOWvyi1gtLkO98p8+hgWn2eEoU2Ufp6TNF/qxk/7B6BZ59EDRqObSW4qxN4Y3fP3RHF0p890yB1uKVtkGliNaRRnOQWcQ8gM1lSx2T5S1Nht24kxb54bfEvyvW/YJBJGCOFkV64EkXI7ZLTBoUVghaK9ILB7UYwKTqV/zQV1UkWewpiw3+gEEynOd5Y8uIrYTGk1WBT5vaYypePSDdU9WHLt9Lo1IbkOtR/Yb3LhSI8/HUi4OXdJPdM+STaCvmDGH3iTqEICbBk+pDFYi4SmyyQOhRS5MhQQg0IZtNr6vZWO9dWSJNygQpoKeS1hxj5jjMFA3fPB0nPXPAC6FhUFFSqGNBfVjlami4Z2YbUcxT0w0Sf6PLfCeyQ18l+cYpItSuQ/BR3QpIeXR+5LyRD1C+0Cj0imnqXVmdCa0pMJIz3thmbqcMrTncHfCqSKMfW3QV2V/HWSkqy0HxuvEgW3sZpKc3NwNZn2wy4QVANK3nUizJ9AtYP3LxeSTvFoDXJsOEp18pMmPmgrTm+znH4F5lgDatJmMk2hySuAEWhf3BRMQNXsM/nYOi6Y8D4YZ4VOT4z2CKAG27TaAqwPJvt4D4/nmu//iPJae9T+WwNjupM0Srv7W+/Tv0CzchlP4K9su+Si1Z0mGbVt3tsvtyLXI5XMwxFziBse+fQr+nvMjoULIhVw2RKkIMaTJrP7yVucaYMMMOcpZrLXwubL+xLgTwr3fQnolDEJ/P7tS6abqkIFdJBeJWQSa7aAGmY1j0Uf6lqk1dV8eKuL7VelSyvWNUJXfQStyWODawEpS408objREIkIcUrQ90qzDgPGIqpd6UFHLqPXnVUJp6C33UsMeUFXrJU8YiGcfKPg4KaqiDnVbjVF1Tm4LnYcFGAEPQlhNpxi3eVfjXRxQBT09wo6/1kN5j6h/BJZdBY5lk+6Ofo31qXL/H7mwFVCHYkHqkK382k8NFdapMn76zdRlH5IRpKaZ4xl+wB0aWDGAiIBrHdERlpUOfeEq7ad8XdbRqDYLl0Ew/74Sz+fJ8kBE/kz9WTAQ0O0pNEnon0CZKqkhD7jR4G3VLJ+vpxM1RDt1afhPhK93QjrT7bsZPOmbeun3TUJHvFlaBoW1EXwEvXhEhuk5hbSzv9NjxE5nFNt5KVJLyOMVE23qYYwKgfPykeknLCdlufBKnAcsdcpIORzkgbz/HZsGg/WpQql0QfEylOJCJQ3wFdUnwzmC8qD7AFVHATd9ebs1pfSJZzu8toGZyeXGZUItJOrqCyqhc6RVetfVPNGlqusPNt09tmCGr0wcWwnlsm42MUl3AzuDEZGNuZxUoCGZ8q5H/7dG5MF9nQE8pt5M9i79QrgYZJfmXiZTYM5RzAerKqFgnokeQtMez4MuwAIUHTM0SA6fMXkG4hI34XPK0QqMe9PzYek6e7/xWFvP9c5Xhbh/C1CYbDKqrDnyyv6FNgF1ar49rFDTbaDdVKUTIg8EACFM4cZAH4s/b3Va9kWD83S1EVeAXentzOInu145czHdSku7A5d2MtMSFBiN3xQLGrTzw7hysML3cHu20xqflAO+Ah8z5Du4vrcY6bRrZXNR0cgxAAJtyrkybf2ykKUvHD5W+MDke3HMbGSoE3Q9RB2ciWMO07zBxAUdAru31I0V1dEh90HXucCDjo5bRvVf8BrjKhiFEulzIJlyItzsWjYMH5srhkkNZVXpHZH2fLBA1FTdKEBC4BkGLA6Ro8YRqgEeBU4uy7mIpLQq+fRfwau79Qwgc1vTqvYSyNEOdE9t0eKpb6Wd7dgl5W47B+4mfzodntrfn5rYjjLeOeYFUt1yTyrnLAs/1LyDm7Mta3CTArVAfrzwgI+PWkX7e5+sxFb73l8Cvc0hTPrjSEnaSxsziW26qUuEVfoppRiioMW03LruN9USOyRJItQ3HwbCtfMLnMKsKYIZOBGKl+RcSpKyuWmumaMKDRX6fbrklBeUJ7GKn2LK25ODFztF0hqzdVDmh/wLxZOu8LY8M3/29JFljv5EwCSF64M5Yq385mx+VQEDbwF0/vI3y1WYhDO4FWqnojKk2BUv5Qf0eW8C6yXKaxqHB1cqSI92e3rJk6I9pIgdThf6ZiyE43kHVYby9KULhZrFxzPiVbdVY9Q0Ddu1r4AMLSVTUB+PxQw8k5zFyVDgYOOXakxGHI/Z789gf1jCsdxIrFfwAQ+y1OOxXIyqRYmEaJZrZ2PIcCqBs5pe5ZK3eto09z6TsvPaiPVe/U6gzGIF+395laM1L4Wjlcd5/C0ahLN7yYxtlZ74oi4WE3RyZ27IawLGPd4hOl3hrJjaFL2e6nUDuQu0JxD38rRANgmJDh1YnaeRadzTdRJrqfdCHEsJ+JJMi5orbq/GI2eBbgxEzX9IDLi2UOMYVvptjTnVsRwst3civTz2qc9ndMBfEmfzZSJkJmGorpvmdmJxMipq7YaOD/aS8eybaVaH+PaVPOG3iMd5QSU5rFup4PkSr0KdzD5Pcw4NmpXz6vi96hBfaRKDF2NgPrtbY9CHMTDwz4VP+p+PcKosYlsi339acyBOXg7AcCfp/6EGh46TK6lgZnZChF9CmWG5l4einAeGGZTVv7NvaA+4QDAu/1BkQ6AjCksc8YdU7ZWW18IFRtcf3Bdbe6+NSY1u6BriGgubl+U7cA0A/uLfThKnhbxUcEwk4FMNiM1iptRqSZHFyZ+3qE0GtrzMYqItbDQA8FW7mTLQEhLyzN93oZb2cpTmOzGcwaZ2X5oUoGcqG3WrqdiBMSzsSsEYCuZgal3NhccJEUxDVJOnC8dK3f3ZNFkErAotLpcZSSS6Z9WdUqwsuORAju2r3zWm0QO0Ps3QYBKQXgiHQOQNFWs/0eFRtOALGtELSYIcF8II2gttXGVv95f03eoUuPnAJJb1wiW+EOA8VQZHrOjoXy1q4vopg+wLzZrH4+jrttmOdFZJuqjM96rMcFWuRowBzzfBHqAnDhtIV72wYDjbyJ5AX84Jiz/qyGJ4ljnPxlqPtQyUKX55skBZse7TfOyjIGWacztbOvApW7jyGp70tVs4zuSTfx4oKoKQUKWnyNPpbfHqpmeCBmNvfYP/vivdUA+5c9pYBbJ9Ctgq7hTiPAu/C62d7C8oyRZr3MgW6KxR3Q+NsRiYxQwtXEpveBq/G0CxIMTc7TaX6hDWRlfbt3GYVcwE+ufwQUEOgrreqlAycNP6kzYYfVrHDaM4NBzAC5cXGMu2KAbamgPr2wXDXw5tvbMyFvsSBVAHluUZYU+ii8l8834rlrU8zU9PWj6k9BVg4BL/l9EeANIv8ZjVM+0ASbADSYZ+EMP1bHGPWwsvspUoYxtaVBa5R0mDbaKGRawf+MdHeafj6WkaswXGRcDM8fWzcpEWPW8V6xwQ9oZUHtJ0f2rdr3PsnQXEsv1jbSxlTe8ywxV/qh4Vct5gA00yPTFUtPZ0nR7o3ty0+v87eWTug36cmrvUUqijqWTUCfdDmzrLAIpMSVhrDI7zuHOpxpXSK/5JIparVFNozmHnZSUrWFbt6aX288A3l+LzAAiq1qDlXzCUdkg/Li4NmcT+P1u6SJorlpfxmI5P9xBjHqWYupUVEELU/cjBjL2E1mYH43M5fjYb5Meyq8CxYYFeMUgKYUdKjhXFkQtN85364YutacY9IaBh5q1c3NXXpBSea7LGpy55OG2wcg4d1BE1+wezW+is8EzhPX9AgMuC7Qut0CCqP+WU55vbk+z41nz83t644yrMQNoVvdM/4L5nGhAADDfu63hlp8GYP4qQnpUZm9HPfnb6owZSQgj4AkaYDb45y4MYF1q5ifYRJsN6i5lZAK98XDkOsZSNDWr0u4wSyApcEruEmE+hm500E+3avsmsSJD76PeODOk9ISx/n5o/ljA3gyvVyaL+w2LDqNOQbtCqq1N+FKmYXAcyu7xJGFHFFNWIs76VWEeU7Pzy9kIoiGYQgfB1kOtENm54uBDLOeVo1I5S5gn0sjwK2FTzfz3bt7zX3t5Ig/8YH6IZ/fovxSy/c9eq3fqnuehJHOSUtz87Cy3oqE07ynhgsQdtOmknUjQX7iaR3qMQKZAqger/0ORSv+97lswHj29PieRayDZKqbR43Zcmdd/eRxbRoZTK6hhe4aoWXeTg/kTJDJMgzKHBF23h6s1+nXG6cmX6XCof/alRADg6naFtnuj2kxZ7VrliPomKSOv3el/TWM5UpRjRNZhYFfu8hm7zOcreR/HjKsd8/B17VkD9/fkW5N/5Ql+tWkj7tXMxXPr5Oqgr6vlnY8ccBCSbf1asLpL9912jAT4X8//9ydSLHHrT682gmhvt/JvsHkzfiUn6pqNwl76umIKSiOTEVMfhALqwfcrhVouUNHKx/PryAsNMwVXBzFY2aAyU3d6iIRp/cbQMLP8GCpSZ1BTyb1IpM3sXtQo3bed29NW04rQ/uRITguIiJYgaKVPiBhd3yQ6/m5hb32x/nYtoKKOSvy1PjspmhL1/bE5jcmHEuQnW4E1P9qx3GQpbXH0eccWi3Z6Im8AgnVnk+H8Zv+WCMTCTcnYMBYrLtFd/JXwv/7BfeXeuvTlBfyZmpWelaQINZOF30a95SjOb+6F43DlwBC732MzIZwOYNKaSHdE1SL8I6aO8ctrU/sOKpyeobmoXXLMoYa1TIhv8Js5aRHO10N8s3+z6pye86UxV4auZRGLFzmyh4z2Sjw9Rs730fCfn5fTWklfKxwwRq5inAL2srkoO9Q0sQtGpeFQbv3Dw/LFPAQ6SZWJ9YcfsyP2cPXQesO7gp2rNmMzLWfOo5KdvHmKOVhMfz51DCstMGGZgOW+x5XsoI6oonJ8pMd8EU6TEvaBfRzvDXBe6rrwsU8Q4Ewq/eJfJg5sOMnWGsmTCj1cNgjPzwLtLt0ryDo1fQV3549uQozzagDLczwBJ6T/tD5zHh5eFDVtKrEZuJ1v4YUShHtrwysFUbU62IDPKnMcVW48lLpDPKPqcBmYCc5jIWUN/rAOKVFkYthMGZ5MaeQdZc6ukLwDtPfgZiEjBHwSKxovTjxScJ35b3FDWkFc7XpP4aRpDsICR5GNY+f/6aCkyuK9Ti/qGldTDxRAE8XysMTPBOfL517xdKFi7ILJPqT4jv/aS03Y+rfvaQeCn8/0wTmu50w/o0ezIf8j1SdWBUOfz/9z4Q0bo5gTmg+8VAtpO0ER0pPeWc5YmtS3vQ0JQk0c2ZH1eXz0PEqadTXy96fD0a3LDNZ3pqDXBtNQB+zO8VPjntVKT0YzkiHFpnyne4zqD7NjxnsFUPiqwTwFZvVNiqZIyku/h1pJu+H2QI1OatYFTqcyVMmpg+HTwsOSeYyDsjFgAVPBt7ffGlVm+yMf7FSJC93PL50Pb4zXF1RiHMDFJnF6FnTlv12D097504Vi+czBCHt/CiL8L0VhBQX8wjMQ36tQRbLcwoonpbe6IO7oryHk7suRUodwVnzG+2FodQTfQK+6gW+9f6jUMAhriUm+FNb47W+B7URZUpfH9DKWs+wssIwNeATF1LsxAhpvs/MeIUS1vVcfs9QEwOujY9ShB7jEkGndzTOo/oxNHUdCh8gaBv/OzZw3PwciIvKe6Jg2/i34O3oiKYqbMTJeVL16PQwbVC2/EM2F3o/38QjCMHNGNBblbCkNrxWfkhZTEIRM9cOcucy3ioMiwsSoTjzCtAZdKTmKf0YZxZbJcpHNGKLCw/Ae8CiOCiT0/BUYrl3eHrHwjoTgZ8cgJ7UTtRXD5SVHnZDZRJ1/Vln189uHRW7lvnddYqMuvYxRD/YsV58nWG9Uh/8uov+0D7kCRdQmE6vOZxDe3CvIUTouJMrDfluVki8waZoNSbgt0BeuQGrK4ygrc7dYgi2z45HTzkEiyKhSaOLD0YL0ojivJg+nxYrzgx8rUIdZVNutOzoe8fbzYpc3eVBcv/+kmmAi5WaS5bxXTd4Sp0WgmkW4ALrajkamX2DcEIVHVEqsO68e2nZPiqN01f/e32M9wRYqenPQKSF5P/4LBTY0Pb2gfZ7kA34vTYsTLhqHFZzzwFwiMZRlhmr4qoXjVeTVPXMfPh97m3xew2glxNyFhJMoVjJKTeQ4Fm8TWLOwtY5NTQEeiCAKOuCQE1sx8KUek+6RifFAsTxbk5GeFTiiwPEFgUaTbBWbUMrPfYZFNUJoOL8ONQm9WLQF9CVVd+wTXEWMIjNRQ7dk8IgGw0Ps8xjrRYWEYPDPryNHTukNx8t5U4kL6BeznQzwf9F4YcDx3j3bAFZvWKDst/Csu46MXtrEym89EhMXrlmKEsA2iDJyPzL58wxGpbt5S0jYNkHyuvso46/kQR3YD3nn621SC3OCDRndYnBUm14p0u/Ajg9EZsbJAPqAqkJasJGv2Glmf2BioZeBAu4qOhw3iDVEycKGPqYlaBQ2iz2F56ShhN9yJPm35H+jSfAXtil0d0gae/l2SczYEU1OJ1CzSH+DgiXZi8+7WFgrXmIOqtES1WEQ2/SCawYURQ0BDBQ98yl5iAHAgTsj81CkTrrEjptNlAywKYKwi6gi7mF//Xj7zo4etFei+KtvTJc0F8eGw6kVkqmn5n03f0XEawl2PNS6bHRoVQRIQlv29eU/EhUN+k3nBJAwVTXBXcCxAcSNvF36WZNlvR2ZNxwU0UM8REIogJzSb0DV92IlNx2FJOWKP7KjaZ9QiN6qSp+lD6mgDgocCj8bcioQ5lRBWnEpRDPZvwON3w/2xtbfMVpLGGyem3AQYTW8ig6428EancL02xR0sOXjM5kIBvfihAOjfgGGuISUBRsR/RVnRrr3F2ewmPRbzfhHGcYH1USbdWYVMLs+ycSuSt82GwQNpl+ajEF4w6STvUvUUU6Cw8sCYHKKbqa1QuRT66MJXaePnClYQWUrbkBRaglAjtRBSF3emw9uey3z4VIbWCV5HYmHm5um8ZyYRzhASwGhorx5caVQAIlKklddCafEihT6h8g8ZjKuJ6XAtr/DJkh9nsvNeEoGIkqYZV2GTnU6MdGCQXRFETRivH6BUZB8grKWQSDMP1cY1H6eg1pCYBZQF4F5F8lMJaJULF+wZLbmt+mpy5iEAKrtNFTqNeF1nR9dApxV4cjIAzU0s0r+tTHvfEbVmrTypZZ+ltiUX2DAEp9QDQJm5ecEygCQyGpqarftTQlQC2KwgKwlJLLhQdNXDSkbynWppXjfFS4oCyLqa1079xcPJX401EVdg128VN8V9d05UHSueFl9gdBvCDujwn9HCa8ZwsvNkWYI/1LRWWd0A1AuOAp3SZUWGYiJBeo3cAqQ6+H/rGHj1nLmPHVD37eX/FWtlBy5SJMKd7RftEyCSFOZmGEzWe2ywuzBZsF2Pgd3aTmDUWRR4USaZ7ctK6Yyar0S9B7kUzn301QtsmASoLPG+R4UXeiUAmcphWrhiXnuKUH4jImboY1YLg0ivm3DsIX5ForqkaUnIKRAN1j+4tqTWjtyrBW4HdQKhndoe1inG7mtu+BttgXMqe87myG5zTIdUbQpgeSc18Q2w8VgXsZy8Xj/p9kdCStcRz/qCpS40Xe+UowU9YuuAzG7mTzUW6wvQL+5d2AAxQT14yCkbbRbDpZizlm0Rw/cExs8Z9VP6Bw3jX8LugjdOC9oYM2ce7UVl2DwEVt8JvyjnCOQl2r8YKAEAQRsy12XMiMNLb9++gpWuSv19CQDcPqoFeguRL+KX7w1tc7mIxMToDdDB90DNC5ZlbMg7alXSoc+tIGCpLrImqBO0CqnxZ88oCstgXRLf9NUm2Kl4IIrE4YRlVTHMDqhqY9SXCV2b5sPyGp022QdH+jOi+nEjY1Q+41F3y28/P5Bv59AHXle6sbJ6xIoKzxyc/QtVFQhqEuWoC6csAfxdr436xpxE/6oV2+h1LJkXAHWvvzBaJE8DvQ+iRX8RR8uyqxLpyL+6jN1XqyL9vK9/q+kYt4PAdHRf3uyQ3XlZfvskrRjsG6DWJXlbFPkzN+8CkJFKQN0RRL9y09LCU8O34Xjdj4SYSS+eu0XQ9vOj++aZhU0+DdVLvF83xxMnq+zICZ7REjH8wucyIO4w3qlAvha4HPlH4kxvrKUjoRJLAjJe66YUD+xB685kqT447lAoh49M2yLQ2NRsL/6rVbzAxDRdCLLJlvRVQOFWafd755dAf0w8eGpwSGV9pape39eQIuqMVRkoEZifHr1tWVyvpP04RPXP0o5fQyM/4KBLBXis7yZ8G3+JRmkSbNuS8UCQWqcbf5WrB+LNey3DFpd4z4ttLePDO37Bu++biTMxH/noTy/IPgjJUpFvM4LV3AODpwnu9XtwI5LalJIvIuzRgwLApYor9aoPIRTzMPZ/TyD17BRN2k67QFkxOM6nzA+qEOByOAcgxD/XwWsxFsnkCLXjdbYktE7l3qOcDX9My6+52wDghBuzl5Wyrs3ZPvgY55NgraxLC7OrlaT+RyNheyvDqcfU9SBnkzm7Axuyabp0x4D+/q74GE4Hx6D+ejSYzAun8bZpfzruJGwnueS2N/DQcTXHkFT51lSmjA4OlkCLtQ50nG2lAGN9VG0eFm4qBFfHXGs9LA5DgUDPkAkdDUPjghewxsvTxo0coerNQRDpiT1YmSQmCP0J86J/Ax8VX9IZ3wP2srHoNQiiN5lp3QnsXsQvsOttqAmDfGhyglfds/PEGOqmQXI2T3xLmsx7mKEnKEhXPsU9mE1FDkYSFerZp7AGmR26EgHVJkI1OlKGIgIn6U9Y7VVLRCiqzVFszfBflL7m16Kq4uGdx1n7uowAlvBwZ6B9OphzKSTlchpoLCCmfu+CuxDLzdnGbWeW9Cv4PUnWlfwUdYQwGMz/L8pjCalvr+PvSS73cokb0KUwZX3cWjL6HPg1/cY8GLg8rUa5rUd4UgYibyo6YCMZX7BabKDlfh3MY7/msvio86WKro66F30VeMo7QBN2qgXXDqcV9TUGg2iV5HMuvDeiqbDs9EW4dh2Mr9EIG+x9CX352H9fd7zNv6c8rjTn5IEgHKN7NbdpvFQKqf68vhwNOwJC9pY72s8o8J8HEG9V7a9LwO6tY2W8jszQytvLDa8edODQeWFSOIBjRTqzwRm1t/TtMJOrstNpdlhzisIOo0rrcu8t+jPHS2dSS3W2bU8NKPZPSgmrFk1k3p8RYIJNiqlURLuBA57LPlfovwyCeB80kbxNK18kMVgmF8cWbOiOrn/EcF0xm0C4jUqY3kzbuIbg+Zo/B0rFXoE611HfWVd8SMJ6etRDWeQi04lu1+ebkE1QAateS/pDiEghxB6iURddxcVx7FIRXsc57U0u2A1gxwS0McDePudqvR0lYio6GvaoVQ89YnsgFpTB/jLEFAzKRzIBcuJQPXbg2CGjfET20PX+XdkmRU1P1TNWX7l6NxJuDxe51TAfuECvnXz96GXDHTQ3ESDS/u3XDzsqLfakJo3sV3V5CMH2zOAvwfBCkwAPSSn+PR8+aUu6RxRHJX4bFBcPya8i+AXrzyoObT9cFGx5H0LUBj77ug5lUiuVQnv24IlNoryTNi9v8k6tLOwIrdMHpg2x3y/pvJgdmLtLyJ4IZTIeeC8Yt51ec9Ds6m11i+Xhryp5UwPL32C2GUAzMItmFHqHYGmsgxqCKHd5xkRH6QHM3tsUfA2d0q0QVkheOpyB7porqYxT1scdCS+fymJMkHWnUr0dpYokHgadYmhEYt5qMQmFWP4gmQ1RolOUJWE0meTLWJDu6bryTMkhQwGvQUk0l/rrCe/f77USXvxgFWfMFt7hTPo9nlPewgE83QbbZ/IUsHSy1i1BpxK5Ff3udwfHZ/uJtLVgRNn9m7REtu6r+81Sg+7Bii4RFvIFhwtokmXnDwNzbgeEVPR+YlJEOwRwuyd6MaRA/tyzYaKnLi9hoEpjp5ayxB6IpLwlAyz/O054jHRHS/XSe6ogINscol3LzbwFPn3M/WKN/dvltqlsds2qTLrzVXE5XchTUzNZDYUR29ttvLtyhnsd4O5Qa5QF0EPYjlFs21cBTASZ1a4pT2uFxlRseX38ju4WvJcLzbJdtKXka70W/hVs2S3dBKJNlCaenVtWS258SwLrABR5BJxKsE0zgbD5yyhEEXJDEPtCdkwGdQGzeHO40fkZkLZ96invSkZWr05JXIQ2drsP1DFz/1CHHQ+EaqmvhKcQt/BFY3DbG7pJpKNJfJuf+WIDUVDrr3CfDnnv8DFXpq3lrEevMoJGSaYqGJfnbh9CvlDyaew==,iv:v21+pucIFIyV6fKlRdrZAIr5KuWnsZZ6d6YqUfDI0SM=,tag:8xbOq2t1XbuJSDA0eg5p+Q==,type:str]",
 						"deletion_time": "",
-						"destroyed": "ENC[AES256_GCM,data:jEaSzXs=,iv:bt3f1ebfpmFUVxt5oRy2Z/fZbM+oYsHo2CX7XhLRUAo=,tag:AEimhNPuv82+fdqGkk+Kyg==,type:bool]",
-						"id": "ENC[AES256_GCM,data:mZgxfzoCPSXcfUmlpKsuoteWcnQ=,iv:KNw47f4fkCWL+bulwndc2bLWN1x3IHlKRqXwOCfGeRk=,tag:Rff/1Vh6EdLkZ5kvf5AdRA==,type:str]",
-						"mount": "ENC[AES256_GCM,data:bIe7SBu3,iv:StPKI+WMZivdFevG92+gcJEt8M9ovX7Y56+YBBVGAms=,tag:t6iTcfogkhfnRTsnlpz7Bw==,type:str]",
-						"name": "ENC[AES256_GCM,data:XqWGkleogL8=,iv:uPVuVPlW9vpwpCn0iD2mbUAnIJFVa4Z/OFLODgyY2Po=,tag:HLXcI3rC4yBM1DKtg5qMMw==,type:str]",
+						"destroyed": "ENC[AES256_GCM,data:EUgZcn0=,iv:51cyxDLG+PtE9aqv+CG0gMuwi9cngH4drTILqjsIDhU=,tag:WASDIYGP3hsGyVFajYaMbQ==,type:bool]",
+						"id": "ENC[AES256_GCM,data:AvaZmyu1suGyMSgctLYEAnJIHhs=,iv:2Ne0RHjlF9aY4MfwRIp8TkYIwQvgxrJGgGceXZ//00A=,tag:EtCUfyKfrLTGp/KNqJcXtw==,type:str]",
+						"mount": "ENC[AES256_GCM,data:PJQDcwFX,iv:TW2ySK1l2fqM2UHPCcMpMXP2TgH91T98cSmkHs8jPYU=,tag:voLtOFlplJkPXLFR2l41fw==,type:str]",
+						"name": "ENC[AES256_GCM,data:WJxXpoQX8es=,iv:zHd3Cd6iUgaRvTzNWHZD9H1lQ3mo/mWWks/IQmU7big=,tag:TfCIs6UpA9pEMeHDTHwEJQ==,type:str]",
 						"namespace": null,
-						"path": "ENC[AES256_GCM,data:Md3jU+w07rEsGGXShW+Z+bKm7BQ=,iv:z6zsbcEC5bCNrX/Ypa2ucSSyURuSzbqk/DRrLRfqGYg=,tag:gk/KYsJR/otS37U5OioacQ==,type:str]",
-						"version": "ENC[AES256_GCM,data:pFM=,iv:z0y9dTUs/DIKrqpA0av+OzSdylsIn0drdfhBZIROHHw=,tag:3YmkWDvfhGIOlDsj/1nyqA==,type:float]"
+						"path": "ENC[AES256_GCM,data:5ofxsVilb2ozKRT7RnBSTmlrCK4=,iv:csIoVXmp1qVr2Siz5WCcUjKmbCgyo8PYSXsnJrUpQ/c=,tag:/0xr6MIY9XkGlonYsnoftA==,type:str]",
+						"version": "ENC[AES256_GCM,data:K10=,iv:Nf7e9Atg3VcKUbAsn/HajbA+00yljzPxmSQPGzMGiWw=,tag:0MOtnnkVURM8V1RVjTxVpQ==,type:float]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:Ei790xnb2cI=,iv:TbEinT5mcMJnJ70bImEhS8nFqbqzPB08+9nLIRiuYZE=,tag:kjRc0rX7w0Lt/CsUYlkgOw==,type:str]",
-								"value": "ENC[AES256_GCM,data:oLrGlA==,iv:eYjMnfqWFaDykLT/Ox14xYeS8Uj8rbmE7X5lRoKfEpo=,tag:KQMyIGZkGQOKtSQGaDk2Aw==,type:str]"
+								"type": "ENC[AES256_GCM,data:T9Im3JzjHgE=,iv:1erS8O3MPtX++/0tvPypqezSqxJCBgKqWN1MPK/aKU0=,tag:g9bzX2JpMgp0pmGFmHRiHw==,type:str]",
+								"value": "ENC[AES256_GCM,data:XUD+fA==,iv:kb7thbtulkHrCr8TRzWr48rfcVRZ4JVObjG1hCB45kE=,tag:U8ZfCazjXUbe7uHZbALyiQ==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:CXzoGUI2Nxc=,iv:4lzZqt4QG6sSahEwE6zzDCRGQqaNbHp8k7oU6qLCE4c=,tag:WQtOXsqXUeXpR1+5ZPFItQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:ZCcs4ndw/cSQ,iv:oHuvacy+yfTUvNx9AKfT6iEbdQsvSfllHQaEEcQI7XQ=,tag:U15gHYZoWu43qeh3klKeEg==,type:str]"
+								"type": "ENC[AES256_GCM,data:Aut8NvvrQ/s=,iv:0Fo/N0vPVdxDoK9n01QWneZs4rNdgCSRnOgF1mu3kVQ=,tag:G9mmCzHT/wy2F32NhpIxtw==,type:str]",
+								"value": "ENC[AES256_GCM,data:He/YulH1+4f6,iv:+adbCFX7U7xWr0kqYZOu/wfOlxhpJBc98dXIAZtciZ8=,tag:0E1Uf6x2ruB/0RRfJKmh0g==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:Vg==,iv:xggOIaYD4MgbP0hwmJAVIPECb9TCMutOw4V4R6Bw6ZU=,tag:IVx3+ou4aiQSaVZ7RLF5HQ==,type:float]"
+					"identity_schema_version": "ENC[AES256_GCM,data:Bg==,iv:fXIAR4tXkF/CSkwySMW2iX9A2ohmEEdpt2YRj59Yx8U=,tag:FUGdDoBjv1YupPrAtfUVSw==,type:float]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:i6Iccw==,iv:bDanXGusjmYVrkVbL2mXq6JQ2yP19ttgrqHl2ZYAS5E=,tag:m+dQ0Naw3vYUM/FaMw0DIw==,type:str]",
-			"type": "ENC[AES256_GCM,data:0D870agVh293IaI1qouoalBL,iv:RX249mySQLIPbJlWfF5NlBSQ6qAQu4GOJ9MEW9YUkQc=,tag:t+L7pXG2jHPVkUcE0a5qOA==,type:str]",
-			"name": "ENC[AES256_GCM,data:tpzWVXw=,iv:VhWUVyUAIPtp4O595fcNAZhS7RWD7f82c4RuU3cw9h4=,tag:6vZGS1e/L6jtotbkm8551A==,type:str]",
-			"provider": "ENC[AES256_GCM,data:hQg28jtc8gQ1n1erzbH3m8d5IX2g4wMTgQNzstTBAS0v2xtITBUTWWIUoJjEEptR5g==,iv:+HE37F+gtU6grncauLBG+0Kz3nKZtvpZ6UGS51mduSQ=,tag:j/2o1TVXTw5ogOwqlBI0Sw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:5TBMuw==,iv:DWIVulvIOXBlXFHacJIewh3PGjLhLp0c5bZCI+AiP+Q=,tag:Q/b+LELnD7WOU17pXA4AfA==,type:str]",
+			"type": "ENC[AES256_GCM,data:9113AHylgJYYzleOhofXWW7k,iv:1ylixUdoItLCv8M+TgxSHmiVreYVemEwIre9zGrC+Hs=,tag:Zlx24ByZKDQxFC7kpgSHLg==,type:str]",
+			"name": "ENC[AES256_GCM,data:XF+bE9o=,iv:mgoLDJ2On7pQyQsKCBgZa8tFMRzVKVRmjJF91s9HDeA=,tag:GY6hoMstCG0xrS0umBLEnA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:g6ozG5vOGYtJ/D70fTPCXbkvLb0AuVMmaL2SgKxOkQYAJgzz+H4pijDUozYTOJxlNQ==,iv:h/0cNPLfRAiZOyVeCC0Vet9UixM17k8o09+ffPVO+pM=,tag:a5+JWSgxqiNsKcODvh4atA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:TQ==,iv:d1olwwd8+e4ZLghwZYPI8Wx9tvPrvUHqCT55bNHI/9I=,tag:TF0cUymAmUwuYNGCw15sUQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:0w==,iv:1KcCaiwg+GhSgNKTOP7dTVhA3XjGNi6J2jL7ajNzFLA=,tag:2M8FHZt3UQXrkfFMmMwRTA==,type:float]",
 					"attributes": {
-						"created_time": "ENC[AES256_GCM,data:zbmRC0cKa/YLglik9bCuzn6Aws+VSsRBd6snlCg8,iv:UP6Gm3UNDFdk3ECYQ1uJ3jrRC2pBkYO1KjK+yOB00/I=,tag:zPd8me/7LDpV5PRN+NFH4g==,type:str]",
+						"created_time": "ENC[AES256_GCM,data:zwAi5r6GqJlYZhafLF+VlWl2M35tO6yLhm3ypxHA,iv:OLNcttSpjyqzMxmLuek0VLYy0G3S2S5TyrC4auks7AQ=,tag:vffMLLRWecXZXwS1cJVxzA==,type:str]",
 						"custom_metadata": null,
 						"data": {
-							"authentik_client_id": "ENC[AES256_GCM,data:imfLpTQ8rtNr/V61cGPYEx0f5wA2fheuJCdZLZ/vM0wpss8mpTSeBA==,iv:FsenOzT1DoU6WcFo/15xSFsPPw4t8py5uUExLMxP8js=,tag:UFnOowMZdHhhZTedjw2MAQ==,type:str]",
-							"authentik_client_secret": "ENC[AES256_GCM,data:/EgjyxRk0NQGFLdvAW8fAoZtlW49YvkAezI5zyazJGI/DRvIiNsH+6kQROoJi5Yk2P5+g5DXOatugcw58h8nZwSZp/+w8r8gfuL2YZ07bxoWEWLIf0U5kEP7LpLLEOwF8p4800BZn6ZhCH0GtI2GRIcADFVsidBydp+OwlhAisg=,iv:RHT6h6vIrdOuB4B2usO5SEgQjhEt7aHNpv5ixqtFiYM=,tag:Qh/DZjfkxWh6bsGv3RIUFA==,type:str]",
-							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:xNAoz72f0LB9WWLOHidMc2e9lMt3poorxxciFQLoc3EjWQ3dwxikr9Brr9sAu072ZA2lcy0u6/z5f8oHApAUFA==,iv:EQ8WjZQMdoEflvx9dHSTiJthUdZ1o3bDTfdcSf+uH3A=,tag:RP+ziOMEBeYSYC/EIWL76Q==,type:str]",
-							"dbaas_root_password": "ENC[AES256_GCM,data:dkHOYuuDs8vG3bJrFyz2tK4qIjRLWHcfl662Mg==,iv:NiMVskqLpP8bRfvJmTVXXa6Sd8d2pycXPltxQJL7ft4=,tag:6mHST81BTujkIl9du1o8pw==,type:str]"
+							"authentik_client_id": "ENC[AES256_GCM,data:cKNmaMifPapZgN/K5ZsX25RK6yWU7BHtDP3bLjYHDv9QaW4BGUtz2A==,iv:X4K/jQiRcfjD1N9tICaxJJhXP9jkZKJOxobzzDDeXV4=,tag:2NNvbdd+j8LsjZAblByK3w==,type:str]",
+							"authentik_client_secret": "ENC[AES256_GCM,data:sA4Ahj2qI7k42usRjb+045ZxPB9FtNo/DZKcuWTW16mn0Kq6ETf0RbYXE5ZRkmZ8uDvD0hznnGg1jKCU6d5ksmEpGc/w8F8sxoOZWYUUCpWpP7wr+eNeynm9JuiKoMP5/RCA83fKgPqXj8NI+eL1VQQ8puFB2ayZDo8lYEcBBYc=,iv:OCVJljPLh8Poa5NzMOLOTXZMArlYwQxAkCGuXyXpc/Q=,tag:I4B7rU83XeLuvCZRGB8AcQ==,type:str]",
+							"dbaas_postgresql_root_password": "ENC[AES256_GCM,data:eMfJkhoG0fknFXTWOwbZRGKV0c0ZamFNFUhtO/hyjqaFGWeHJ5PQVJRGYfnty667DYBySBuSQIa0yoJW0mzrpQ==,iv:2EdhfmqxNaUYc6GZG8is/TUhVELqOgA2sRf84/BlQmU=,tag:FW8MAGlo+TT5GKnVjGzVGQ==,type:str]",
+							"dbaas_root_password": "ENC[AES256_GCM,data:Cj7URwt9la6KK3n9r9+AftjbZM+kh6lRwcKiMg==,iv:tavzjHfNslrexRlskSthtP8/LbpcHvYA4ZHww45riuk=,tag:BCfHBdCj8yw3wv+zq9z/tg==,type:str]"
 						},
-						"data_json": "ENC[AES256_GCM,data:Dunpf8oqKLufIVAsDacmOWWlTDWUYf4qQhRyAfoKe+9GrUXyKlaEyB9kWIGJwB9HANrcEkSKIligi/if2kwpSiIon7Givd16rKOrqoxXMt9NaodJmrGyv4BfZ9trWxjV2b0CNK3qbDviMrNIUVKwCspuOTOcdzeh4QhnI3ldXAf48dZhyRjL0BAZK4fFSCvWCYidkF2i27i4u3LGN7G4yZEwbk03Y2c0t65q95BCQFWGVruOgMk2p5GFGVQG8vJMUNL9hOdWKU5OtM8/RVcw0pU85LfwD7sYGsDMr6U20WTr3IHYldz/M0jysk7G7rRtHuDGlBujFcoJ7ZSjlGufD3q+UDtmF0dJRu5b4FzQyHK/LQTxiAPOkyiUOV6rjr0seh6AY+V4cLpBqurPgi6of0jviOeNjC6DRSSPkdX4IJoAOepsPOBw2F/aGrwH/Y0p33PHgz8C/8yuAlkOdU6xMrrN9TBrzpoQx/JL8jgdh7fqxCLzg6HDCg==,iv:RqQyoEavkHnZWW742GqHPKdTmgcJrDEdAXKJxgDk8pI=,tag:030AQbdMSXYi4tUEz0XRrA==,type:str]",
+						"data_json": "ENC[AES256_GCM,data:8hXHDPn05sp539lz/mf7kkMhGxfJWDZt1FsIFyTQ54Husd97f5LnWYy7TaWRGqqtUiE69pSxwoJSpwiukDYvOhsps5hiRVqo/j5jLizisGhWqG0AyEWN67coCWMe2nl/cdYwdOgHdsiVDhARdZ59K+lo/xACcFSAn2ZNXhBbAnZv4mXh9LFbfS68T7cVm8/0bh1LGK65htbcjHCwoePJhkFIDZzaJgpRAhBpqVhfXDAdcIzaHHJF7Mac/iGaHFpyuGHqU6F3QbDyZUOhVPDCFPSX+J8nUUTiQ3qZ1N/TnJEG6nYCXkpKZ8g7s/a/e6cHjMAqnjpI3/eLYW6Co5snhAc08SrkOEShZdmbJgo48Bo6Pp5Y91fOokXIl7Kdh5DyAwGB62FIooIQEWaeB97ovi7Hy3ca0wzZogV8na9z0yHAqUiM/kQ3KczStuta3wbzSTJgVwrU6RhvxJQwV/ADMnGgRS5T9zYb91GYiGWsRt0gtliw5bFVJw==,iv:HSbniJKfnGbi8TV66r1Ya4oFRgqpQhCga7USr5c6FrQ=,tag:MAHv5MFudq3MdgSVHpLXEQ==,type:str]",
 						"deletion_time": "",
-						"destroyed": "ENC[AES256_GCM,data:LJwK3NM=,iv:8utxQJ/83Rh+cExWCZpTOsZQlITI6n1pb0ZvIMGL6Yc=,tag:BDbNYaDe+cWdXqZHL4P0MA==,type:bool]",
-						"id": "ENC[AES256_GCM,data:QmKzEh5T949aXebqJJZa76I=,iv:Bg/klXyhjU6Q4SkGaxmflb4IdISSW2d6N93UmgsL868=,tag:zUKAaC/y3Zm8o5H9A2gecg==,type:str]",
-						"mount": "ENC[AES256_GCM,data:r5g8RSZB,iv:lHUh7CxwvadDpVy+EzbGyngHBWjeppl5ZAbytdCCOAo=,tag:CWDqqzK7U1FP5OyRtL66lA==,type:str]",
-						"name": "ENC[AES256_GCM,data:4rD/7mE=,iv:PWcpt3bmaCyHeQzg6yUorgKcfZlJkC+vhOB2XT2wNuw=,tag:MqqnD+X7YYTcgEsg5FzNXA==,type:str]",
+						"destroyed": "ENC[AES256_GCM,data:7YqWwz8=,iv:3JnF0xezgILHzsVob3N81yenO8fqNrhVwxpxtbzUGAA=,tag:hIMyVl20s8/oE87Nh2yhIA==,type:bool]",
+						"id": "ENC[AES256_GCM,data:q0v+w3v8dEb8OwBulbNDp9Q=,iv:9eyxoe0FEebrPbRMXTifUUnVId9nHl25/jbMWkdZ+gc=,tag:SjmfuLW+jcL9durLdKAPSA==,type:str]",
+						"mount": "ENC[AES256_GCM,data:5VJNE9IA,iv:bWd/k7kd7RsiixbgzY690Ihgk9XsB8+AV12RNDIhSJg=,tag:s05vZ5U60E6T37wdhYy0ug==,type:str]",
+						"name": "ENC[AES256_GCM,data:0OVsJHE=,iv:qEmV4qF+sHkq3bjh2w2g6+b2betXqPPGnNSkmtg4LCU=,tag:ovOrYPuqz8JE8wKEduTq7w==,type:str]",
 						"namespace": null,
-						"path": "ENC[AES256_GCM,data:nA4hvTi1XLZlyRFeeADZvak=,iv:4KKTZI2uc+JKEAZb370eq5fy5D/XLdXE4M2UXDmQKo8=,tag:bBRWSm3yaUZbkSJNNMHV2w==,type:str]",
-						"version": "ENC[AES256_GCM,data:lQ==,iv:4r4PA6GJB5PrPMQKy52zO5k+zebTwJGEbs8RdkHNYP4=,tag:kUj3bP8jta1m3BMe4W7fSQ==,type:float]"
+						"path": "ENC[AES256_GCM,data:owjg/sk1gOgrPC7iziVih/w=,iv:20TyidG1UvpJTkgXU4BFkyrbotCXQQ5yPsNJd2oG5Qo=,tag:ZCGh/ddtCId/L/3p0PvJQA==,type:str]",
+						"version": "ENC[AES256_GCM,data:xw==,iv:g+NM0Md8GJ1ztvIEOUWNPr56y7z8C58RGsW8z2p8SvM=,tag:mmyn1h350IyKmyEIPp6VvQ==,type:float]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:K8Fpe1vMBCY=,iv:yXwM4I+YgBsjr65bgeo2yEe2XaRdmxfjxtmECl7Gmgw=,tag:XqB1UW4xVTkmUBys7FWjKw==,type:str]",
-								"value": "ENC[AES256_GCM,data:QRWTVA==,iv:wZMHoRSFsuSI+eSPtvQBiWaKSWsYmoKxcFEPT1Pz+xk=,tag:8DXQq6eSkQofowl5CcB/7Q==,type:str]"
+								"type": "ENC[AES256_GCM,data:uZ5cDrGqZQg=,iv:bJ1zjnlbYdfWdwDuYuOA6iaqLwiDxq7dU7ZVRH08Xe4=,tag:Kbqw9NMydVm7he/9WSLtOg==,type:str]",
+								"value": "ENC[AES256_GCM,data:A18VRg==,iv:gQi08CnYanuqhL8JWx9OpfjRwa+CsC/SeNsOQHJkgTM=,tag:LYsDxHBB1NmZa+/eGxgLhg==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:HgVl8JPHWKo=,iv:EHMNbZJrQEFwpwZGYkthVi3DBsXq1tbWmH/boW3Kvsk=,tag:SrvyynjYApKz/6nawyLorg==,type:str]",
-								"value": "ENC[AES256_GCM,data:L0Uqx+P1bDn8,iv:/zhU0nPmwLXeZG8/ZF6a4ui7IdEJmyN9Nk7CZdyRY2w=,tag:8I2OllhjZTSEOQU1qwvsnw==,type:str]"
+								"type": "ENC[AES256_GCM,data:ZitEU9RNIwU=,iv:Uu/HR08JT/mn5T0SLyFojDQ9DW/j+b3Lg+VXhyfUxYA=,tag:Kbfl8qIXzD7zaaThtPnIdg==,type:str]",
+								"value": "ENC[AES256_GCM,data:yTE/RVAuTRgo,iv:bX3NibZZjKSXQtrOML2hIXFSV0qquIkmCPC5inWc7W0=,tag:xcHAUNOE2/g/yHwrg84TfA==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:AA==,iv:JxKY7Mtol2Vdmpf6MmUah6iItqY2LCQH7OyH6QsBMYA=,tag:bQy4ImL+KR6El/Gz/D8qaw==,type:float]"
+					"identity_schema_version": "ENC[AES256_GCM,data:8w==,iv:nLwAoS1CpvRG0zC1Otak3kLoEEFg+YyBzB/aRzqb7CE=,tag:7yx9IQcuXbGylKIBm9lV8g==,type:float]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:ej5NO9wRag==,iv:rOJdUIqnmdvtwvypuVhuqxg+sui8ZLs+DV2NA6RKU/o=,tag:6PtFQ19i0fmZ5IEHmWbQYw==,type:str]",
-			"type": "ENC[AES256_GCM,data:BEbl5nba3sTxnKVz,iv:koO47S4yxz0PlmqJJllEeJpq1Pp9yJD0KP0fJ+dvHJU=,tag:LFS6Aw/6pknB8qMUx+93zw==,type:str]",
-			"name": "ENC[AES256_GCM,data:Edz8aKY=,iv:lzoDDtOl2PvItCrolsSbZhLCG6GYIKtDA76tkDtMVBo=,tag:bO8KlcKyDBYWe8cOZZcEIA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:mtBqtZjKGwTVtNozkOQvnXEMoHnSMrnzunoCGwG+PSRp+PdRNnzwxzEHkV6i9afW,iv:8vCSitLacaZIG8/FSJVLwNgb9xr/Fbq48HjwdFo8cUw=,tag:A/SJJZ0BDz4EvIIvnXIRtA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:YSoFtYrR1w==,iv:Nv8YYd1wl8ndS/79izRkRhGmx/HAOrvLXtkZpEN9sjQ=,tag:5WVXsZ1aiJk1zWu6jIwZgg==,type:str]",
+			"type": "ENC[AES256_GCM,data:aCIoO/3mxiWJsjyp,iv:2U+ld2yDX2VLbPGPfgO1Q3RyT4XcecDXaIfwLh7UDNg=,tag:ALKjVOSPnA6eOxguBL9ZSg==,type:str]",
+			"name": "ENC[AES256_GCM,data:mSM/90s=,iv:xCCG4IRTfyow4vFvH0dUr6SnRjjs87dPT8CeWZnWzRs=,tag:yGKeFsk4bagqiUq7KCqGZA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:d2XYvzAYDz8ibAkaM0Irh2OOaWAu2USogNem8mC1fNgKDL/xF90pwDjTpIFWrmsw,iv:XmLfXTy9MD6kxdVK6lJcWAM82aiz8Mevr+Bz7sJzVmA=,tag:rOxudgHO6hDfpcKJSobhsA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:iA==,iv:cKO7tbtWpF4B72wl4CIIDF+tJge/DeluSJbe7x4hEH4=,tag:lmrGvg4rIZfsAPcHLQm1SQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:zg==,iv:PGfkowF6K5bNvNwC/kaGSQrKSZ4cFLlDb0V8hjVS3Ks=,tag:sbjKHgt7jEU6zsY2umxfbQ==,type:float]",
 					"attributes": {
-						"atomic": "ENC[AES256_GCM,data:/8REIFo=,iv:qQF6Bi0AQdrv48etSmeUojVL3WqWTuGHMRVbkeDdX2c=,tag:h9EzJw5bOrxlQtfWKQqVkw==,type:bool]",
-						"chart": "ENC[AES256_GCM,data:KhFehLU=,iv:lrF0vVd/SWXwxaZo6y8Nr4WbpaHvn21DFCjjQUqqPaM=,tag:D75GQ4pJlirB9nv4ZfCVAg==,type:str]",
-						"cleanup_on_fail": "ENC[AES256_GCM,data:4MFlQdw=,iv:PiTfUFfLhBIOSqjdvNSEafNjJRTDiVKj7BAwvRBy6l8=,tag:m43KqJVRsx4dfErUZ7hcsw==,type:bool]",
-						"create_namespace": "ENC[AES256_GCM,data:2sAThiQ=,iv:mZB09RQJj5sQLmwD22TMH5TwLqA8bC7k1ZBYO2UW6co=,tag:KI3r9G8bn0ZivukwgQZVcQ==,type:bool]",
-						"dependency_update": "ENC[AES256_GCM,data:yTGxoIE=,iv:rH5b3yg6+DYkiwFJe9GKM3KdjIchj6oAxlY9ys2yvFE=,tag:5fskwqj8AVN8z/tWJJsn+g==,type:bool]",
+						"atomic": "ENC[AES256_GCM,data:bemO3fc=,iv:8YNRvG4qyARPz7ow0lbvjD0eiX0ztOMtS+NUlCU3DzU=,tag:8OODwYNDcFJsxVICea6tUA==,type:bool]",
+						"chart": "ENC[AES256_GCM,data:hG2d+zI=,iv:J4KbNfBBpHpYHfkjUXxEjcsqd1VbuYZVxGh7/9hIeSs=,tag:+eGxrEzOLv8Gnff3x7QsEA==,type:str]",
+						"cleanup_on_fail": "ENC[AES256_GCM,data:cGJ0eq4=,iv:jdu6FDMHsJ4PycAtghB6AtrEOgu7M3twqEuiKrlIsLc=,tag:J2ZT2oFw4aKrTn2dxod5DQ==,type:bool]",
+						"create_namespace": "ENC[AES256_GCM,data:7Yq/6E0=,iv:HU8xLDbWkbdsU+5UTYIxZs7QJ6rDeVoGN2sXg4Tz4vY=,tag:98AUA1ZLK8XYAnVwNXQQ2Q==,type:bool]",
+						"dependency_update": "ENC[AES256_GCM,data:d1bv1XY=,iv:E+GXrFYBhLUm6d9Fy958VOs3NH4FKCDtQJuauVVIA7k=,tag:aiPcLsJXasuPQm+eYtw17A==,type:bool]",
 						"description": null,
 						"devel": null,
-						"disable_crd_hooks": "ENC[AES256_GCM,data:1AiODUE=,iv:Rq8t/ST/6IBouCYEfIisq5mDmGS3l3LXImE6Wx5GtbQ=,tag:3J5zQsIRxlEZbOPkbnafbA==,type:bool]",
-						"disable_openapi_validation": "ENC[AES256_GCM,data:jQfAbQU=,iv:RLHQW16NiJg9II12JwRDcWR/fHiUgp+rX+VjWGkwxzk=,tag:y/HjBudcZfgsGFdHQC9p9Q==,type:bool]",
-						"disable_webhooks": "ENC[AES256_GCM,data:6MT9BlE=,iv:FADO4DKCbO/jcCjKBaTPpu/D1hq5uqxAJv8m8OS2q+E=,tag:EwMtwo5lnNDYLG6oUxJp4A==,type:bool]",
-						"force_update": "ENC[AES256_GCM,data:V/CoYq8=,iv:bZNyEO6ohA6eRP60gN6UFeCyBW3OtJx1ywXp9Gy5B9M=,tag:8RBTy2OTahBgl4FCuP8+vw==,type:bool]",
-						"id": "ENC[AES256_GCM,data:WWdziPo=,iv:83XWDXo9pGFedVUjH3iSswOYsZV5xvFIPag0HVNS9W0=,tag:1uIxiZXCpYGhn0vo9THzHQ==,type:str]",
+						"disable_crd_hooks": "ENC[AES256_GCM,data:2QcUOMY=,iv:7PcfWU4P0384kLQvDHyFUYNZqwwyavhPhGwn/DiYRps=,tag:q3UmZAzMTmELkyOcWj/xGw==,type:bool]",
+						"disable_openapi_validation": "ENC[AES256_GCM,data:5yfhW4A=,iv:+OqEdHhrtHTFtVTUuGm0c/cb2RlmM1CAutCUlw4lA1A=,tag:3zpzGF7UgMktsZko5Jw5jA==,type:bool]",
+						"disable_webhooks": "ENC[AES256_GCM,data:mi4lPdY=,iv:JtJiUpiqYSsc+xWElPtSUsExX8bpUbFarAHJu+Z8zjs=,tag:fNfKvCvJZ5TJgwBOqv8zNw==,type:bool]",
+						"force_update": "ENC[AES256_GCM,data:YqWFKLo=,iv:BJn8/G2BxJKh5GEK/46qaXfMnFMc8J92P62o94BN1Gg=,tag:cB9sUH3W3we2d1MsdMnsKQ==,type:bool]",
+						"id": "ENC[AES256_GCM,data:H77iLMY=,iv:IEWVfd+dMPFjaAsVxXWwKWOvOtOPakZbM2GFWH0fOlY=,tag:48Znc2JWmCgQh3oIyGvkzw==,type:str]",
 						"keyring": null,
-						"lint": "ENC[AES256_GCM,data:j52VZCU=,iv:rUQY9swIwQO6+yGDlEQNo/C2/IWNYdGuGpP7kikymWY=,tag:WoeqZJZwQCu1Yz/0PZRuCw==,type:bool]",
+						"lint": "ENC[AES256_GCM,data:hTTCHSw=,iv:56Q1Ya0B1mXwKiiac8EIH4ocYWs4DBNQ0gCyA1p3WTU=,tag:n620dyF5UvrQS0d3ClFB0g==,type:bool]",
 						"manifest": null,
-						"max_history": "ENC[AES256_GCM,data:WA==,iv:A2TJaZmuHrqaFuOgPnedayiJKshzaDDYtnEY621MY4Y=,tag:DY6wgHNxAMo2UnZynTWsXg==,type:float]",
+						"max_history": "ENC[AES256_GCM,data:JQ==,iv:a99AuplfAnyvCaVM1+vp/otFnUAIsKdg8LS6xLQm8Pw=,tag:ajuICZiZq4nDZNY/Aqcrwg==,type:float]",
 						"metadata": {
-							"app_version": "ENC[AES256_GCM,data:4piSrecS,iv:/RCW+JZ9Z9kBri0i1M+Smlwqjksl+xOsQyrl2gaOrz8=,tag:4LUBkBcZ5g9xbrmptM+COA==,type:str]",
-							"chart": "ENC[AES256_GCM,data:GgCcL1k=,iv:f4+107qgodZ7toPHiW931AmvFTLFJ5DB/bha7vMoRXY=,tag:3ckJlmNrWCYOqQ9kVrGzMw==,type:str]",
-							"first_deployed": "ENC[AES256_GCM,data:RqnnVR9vqZirMg==,iv:pzrn/TY8mFuLLWlDYSAmbkQ3gA+NeAEiQFWFZtho2lk=,tag:oqlRB88COZM0YWsRGcOC4A==,type:float]",
-							"last_deployed": "ENC[AES256_GCM,data:TTGxc4kWOuQMKg==,iv:Ws3YpIfencfWwQpedMzCJhu1FYLqFtDcpBF79ZwdS1M=,tag:RkiXEwaQiVKyPZXOQS14+A==,type:float]",
-							"name": "ENC[AES256_GCM,data:r2wcuz0=,iv:BIrXoYnvHTy/XlpRBuX+7ayrv7OsO+l7u3VBqO1w5eA=,tag:HIqpPfoSARZ5jzLpD0Er6w==,type:str]",
-							"namespace": "ENC[AES256_GCM,data:RDEiQQE=,iv:zotppIb5HP+EU6Sywhwd23+kCBTM90cEijrN3/TW7Fg=,tag:n5HTqK7UobmruryxdLjKVg==,type:str]",
-							"notes": "ENC[AES256_GCM,data:Cp4Vfa3rIFwxLpVYDhozzg5b3HzYCZcXXiFwR4si/jPJwx/ge645ck6e8ZQtFhgAwvnFAjZVAav6sVDZY9F359hBzcnFgBEpDYPmyY3c3it5emUNvQtoYfPeBQ/sCu1ep2SaMVjfbpmTtKwmcZDVYJNzStXkSneNfPO8n4Ffk4KD3O4v0f0cDoEt1dXtAiMBguODxJSFuAx6x+el964RRvzjnvv5OgUELSfQWbpYanHRHvXfHzyoODP4604TtxnAkZvRiUbPXZkObexiRfniy2b0ubqqin0sck0XOaCn9OUP1K9J69NtEONQ/q08JdoJZuRoQiYsvAERbBTGt6wU1V96oqp53YPeZfIBMS/4HRFzla33TKAvnk13KJEeW3zSiRNZ4qdoQMsIpLuHFTWCS6aMB4VshCKqD2xJX24IPe8=,iv:bfWZFX0Ws/bH/7CmKF/v8odlBx84jm6QQ1F1PhV5cDI=,tag:z94UJA6BBDTb9Lix+MOPEw==,type:str]",
-							"revision": "ENC[AES256_GCM,data:5iw=,iv:Rt3VRebxgdSabzUjjRXD/7JiZc3akztR6pGHedW12k8=,tag:7SlOLoDhEv5uK7wiWNULPA==,type:float]",
-							"values": "ENC[AES256_GCM,data:AQ1RK5P5F5d6+kED47kElhccM8d7FEQNG80jdRQV9d9HFf4F2f8w1mjn6ZvmHBAqQckvxsWOJdbXnpluZ/I7+YDwcPT0N5mMJ5WyyVDw/6rJpWfzLnIMLjmNwia75JicpsdkXhPF79918k6UJVV37SIvnCWDbQaDXSAXx9DB9lnAPXtPKhlGJt3Xdvh3SjWYx9sLltYfTfy1P1OqptRmb3tZjRNAV2FWASLKaaeNL8g8SWLD87xQpPV6+YINni7x/bXIeQs3svPu7JK3mT0/nwMcUZh2ikeDaQB8YXdqTTNRFY2s/WmZMq6QeUWgZYV4agkdE3bH2f4WplQPs8VEh8WuyVRhAOKTPkgi4W0dyiqeMZrxSMvp8d+yoVYhVZg4jGdCvYQvU6YiqO4KP5QvbJhX7qiVk+X1yqutfphkr6+kOIOoFkCgj/8OKE32cWoOu6IpAjH5wxw9TfIE1G9YafOcVNfPHA6n/3qnVFCVJSp7kooKLQB5mrH1kuLoiAszX5X6CnL/J7LwKMwUR7q960h3yqmrhxLFgFPlYPgYWcBvOKa7FpGoUbevQMTSJeWv9hC6qX4cwefBC8vylnovrcE31HdCUU1aP0SUIZHq+4E3XER1DzONPIph8M8jAQid+QJn0y9aDomlj7etZYdSC0d3fPXPybp12n2imrW7H8kh4kiMWDbBuN4FAOuqb4B2syYvSWFGXcXtYRe8RBSk5emoa7f8ZOImX+Wx+BsKEhkNWp6eazCoVc1xz9jWYao/s1UNjQekq+jTqOZiiWkYUZMBcM+QuZa9lS0AH8Q3+vf09bm79qcpYWm30rB80iG0Yrs9DtlvaNWXrNn+/FSUrU8ngFCaWjvHyFCQu4K6ysHEg5mka95Zfvozy1NWD3qLXingllLGdSpuHWn0Dw+iSjrSg6mfizPucSANcn9RvVWD3Xc0jbnfzg3C5gkXAb7ZQJBvKkRV2eDhHXjRHVTPYCRXDT814URfg094fO1hrVyxiB7JLWyI8B3IgoURJ2onMmwEbQNTpiVX16mp3KDCDTM+wK9b9+t8zC9dNPGSZfPdNA10GRq4Yp2t51SRNb5UwcWveME3gN2Y33xkXx4RKpwXaK6qjEiROfsmmuDMIZzcXTCpFMqW20M5Jp/ZUP6mSBCdg9vmm1teiXIFG4nWUBbjtaWpN5dINL38gSRm44j391EuNU3QqVGBAe+fzJ2lKE7yJPPllXHSUWLK2695aSwRYPZAn9d/VHwLkMwlChi2kregtxVqLpnsBIutnnrIlArraBAALxzrjUtARkiEwXFmCmyf0qi8s566jI2lmhXMzZ8jmuqiSQrGIznYVNaT3yCZ3lMRrtTz3+motN92pLPlCAQX2CrgCrWXL9CUB+nOYRjvvtERD5BKdJTBlt8Meh3o/cJ3CC1BD72b4e1awcr2st783i09EbTOSx07PJDSRWTugcTETPqjUB88EyZNqxHFQk7zAz6/GTX7pv1i4Q3RovjdHWAAb0lruDPpaVNDxw+msK8iTEJib0uun85Q05jKEc67de78Ybz856KXjHXEfwnmqp8OLPOJMKVCa68lM6xEV5lF6J8kHISVRvNywg7fGGztwKMcYdKZ0UQ7nRc2j1EQOW18NGKOZ4nMZi+s5cbzQdLjowxyENGMOS0kIsi0dUAwDL+8QTfGGYPscgWRb/eZm49CYhEGUaew9CD85yZI1G/MSkbKEaadMtF9BzHxRsUWuCJhwo9uqp+QIOQmPQJYEC2FG35xS1X9OUcMUOdboy/2ANP36w3h/gBtxLwbiOixYKdy49UGQ8N1E/HWM1aSuVvgBdaNoBNOwsiBFEoAAT8oSB0dUOH2Ou1aDoIE4ybq2Qta/nR37U1DxHc7vwFbp06oGaYyvISR+n0NNmT7+ToDuWivoRX7Yjern1wmDz+2Wt1so71R8ZohNzRisdQbBLQQVdGgYE/IFEqN71MXZ90aS6YRgjwsK7IsGdjPrTjqNGUrQP3V/Gh5jSI1i6BJqLtYQjtoUrJ/VVxksEzrqfWZc+CficSVVdfz8qQ4RNgfdBiyhNwBNjD93EnzQEvRnkAERgXbmohChqYSjYjq5G9bOLueSa/tODZ12ShqL8bVrVw5p8DnMvEcQE7cIYEv9We+KavR9ELzwf1RyCcSD34UqRzrbBOa2tuQt0I6JMxU8kw7lbfy+BqfDWAm+0yI0S9fLThzR7l3JiytpPTCR1xCm7UsfvALUuHF9RGzKDsY9eR31LlLTRjm1RNxkHOpczN03GopaylVYT7gfzciCX6oF/D1MPD590JAZLRlKbIGgZ0Sar263RX1iQkx45FGgMQaeBO5Zhk0xRUVu6FWVyi9/Zcpsd/D9KpXgeyMlRCF43FvSl15t0T7CwdmFbUxoKGUT7wX5lmE4n45bRavpFwBrreR9Dqss+Y6JMHIdiq8sSXLWY2I+C0igTVTgjUu0fEUC9QvnMbXvpsQ0HfgPJcbVAxckhdsptzLsT82Xr1WooZFyDJLLjirO0ULWcG8s6CP1BLjARHt1TO9lfofhNhXl0ubeufiI27BcYCdr2TIGTtKDWjtmuktTmDmCRV4PZWKW46cooDp5f55xoHzZAeDxTdiGRiJ9nFVlMHtCwS9K0R9Ha5h+TWjBUFBjOHax1mymRpJoW2NFnpZTT1YLs3HljGNIA63DTdzK1R5XvmpmVakk+AFHQVX71jenBgFElQav6uIeTWOBhAWJOMQUufgDMnS8s6D9XwqetgsZ3eJuDXcTkmREQ+sSR0OvpAf+l0ciIGfvfyENtDdOiW2amRVLFZxh0/a2U9J9VGnjMGkfpS7vOWNvPPBvMO3e2j3VIvNIQ42531THgC8RUY8q3561lhdsLkwCSNGD1KZFH//zq2Oi6zuVnt385LZHk3cek9kFp1HFBkELQBTrgsnyxPwxb4Lo6WAu3lBRNugCkflPSQena+1JHyq87ONFJLRY6BmJpYnF0w84wIzE5MLQPb5+IyrZaPWLG6LMUjwiwyUvAJINfXkWFJHDgWw1atp8cT8TXKEzgxBH4RfCD72SPb7nlRyrB7L5AwBPa35pAfaj1ijq0lopuqE8B/WTUL5A8xKkJRRa3CWOBLC2gHs/Fb24uX+uE3BW1ImOV1fuGaQ61T9m7UDreCEB2OMTU5yHuXRYQVbP7NHGgJuq7ZYBG47JyzGlnfovg4IC23b1Q5CqmqER/6DwR2eVzVI8/dL346DY0gd9XsWbNEtDx2DDcbw5eyW7ULd/YyJe//1EislXzIfeJQM2pY7lSkjfKZSrHXWLw6ZWTeK1my3hGA955Dx5ELEsIPnOZsdGY+vBLHh/4DjxwPlRq7CpHs79om+c06ikybfLPxvoNxpaAijYusvto4eHpxsfFMfMo8iMBO4C5BgeqLwkGm0aDYH0Mf8Nz6+KXx8L1HakTmTkil+yfX8MvGsckLrnP6c0ze6I5JYoJQLdRRaiYT57NJcZU5yMlYW9dHGrOZ9rEjy3NU7DKTxgMCYJrtuapEiX9ycPTA0yNTwiu69Tpdh3xM1pXhr2HUwSeHwwWUoMMOYWyWYBj5sSIjzMggrFRojKDwxLJuzFGQr4ljgIaTkVXSzzlFBS/FwFReKKdbGhHLvltXUuP2LZ5LSkTzsjoytp9Svs1O0laJaxIEczu+sOn+VzSIG/Chg8bPqTy+JE0h/BbdyE8mEMGlJu1C38/Mb4+s0JkTQ6HaybN2LpseBfwt0cJbEdOk5sJZpmB5c2ZtIC1zhZHJ48MjUhNYqElbNX+enDAtAAHjUgyq1twOdT6kgzw==,iv:Mc7ZSZCOEf2RP1RJYu+a1fXXmeIwMUFX3HovP3WIgrE=,tag:KDzSbcEtEHjw8uFA4s7efg==,type:str]",
-							"version": "ENC[AES256_GCM,data:rE75GJnN,iv:rXYr8UISJaZIP8oQr9+SEYGaPoOmDKk+HVxTco84UWU=,tag:Z3c84g3Rz0mt/pASqFN1Sg==,type:str]"
+							"app_version": "ENC[AES256_GCM,data:1TU+Tlnr,iv:gUpRuOTrwdxMqX2jfFj62RZikhFSxsVUKNK3fW9sxec=,tag:cCpWngo93YSUMSzxq8vqMw==,type:str]",
+							"chart": "ENC[AES256_GCM,data:1fdPd6M=,iv:1N9dDc9HPE3U0nXuGzPrzCv00lpfzeOCgTU58+G/XF4=,tag:yk2LeOWixo3IPncMtKQtyw==,type:str]",
+							"first_deployed": "ENC[AES256_GCM,data:SMtdwhr5HRR0iA==,iv:pda36Hp8WBNtCKpnk/XNqrtfeQte1d2Jckihy2A4yVU=,tag:Y++0qUZqdjrSP4JGyF7+rQ==,type:float]",
+							"last_deployed": "ENC[AES256_GCM,data:fxwQYXrp2RpcTA==,iv:vU3qhlf0A49MPPBEn9TbsGK0CQhlxWPSexZFBw2CeI0=,tag:W9woK2Jt+nrpXeUtazxXqQ==,type:float]",
+							"name": "ENC[AES256_GCM,data:3CQ4zS8=,iv:Lx3AKBeYenbJollY4iLGCc9vmvfTY+EsFj2H4YfxJqk=,tag:nMi/wAOTjyWDirBz6QKoyg==,type:str]",
+							"namespace": "ENC[AES256_GCM,data:wXKzRvM=,iv:I1/Tbg7zOBlOInX+ah7OfgDt0EhlmS7AAs5aNp1+vn4=,tag:5B8ASKvSEJgacvQOQHMA1Q==,type:str]",
+							"notes": "ENC[AES256_GCM,data:sING4rbvOxKibXMHKw7/vAarYelhraR6Gtr8eZPoXwOhj+6J7bvAtGXIayMoiY+MY0JRIZxQennYFJP9D2VgQ4qb+lyVpuiOsy9iDaWShYmwFukNtNotFpE6J1waOEJZK4wEGERNsHfX43hDW/g1y2hjLeY3YkdujMUqZEzBhSVbvK5+sbllB6sYyGcTqpH5oM/wRxQt/TiCo2xsB9lEVpzYnuYPO4yzm893m+P0bJ8goBfQ7P6rsID07iKh7gCBClbY4lQ0AOVUnDms/g7i1P0pMt3CkTl8YbWtcDgCPycFfk2CypMQ9U0InYsauuHBMxU6HNeeMH90yAJsPT8JapeikmY5QbSga1bGoMukFfgnJdE4CVxwCltawWI3tnr1Wl+n8ef9TI6eCQMsb5Gx3c96VZtufVzNjEkLzvYtuGk=,iv:Td2rMViUeqvjVW1bIzeJkJXhjYUtPpkiPIrcgnOWhqw=,tag:2UpTimEBSV2bQhTnMOpj0A==,type:str]",
+							"revision": "ENC[AES256_GCM,data:mG8=,iv:C+IXGok5Thac6NJh8Tz2dwRRwS4YpUbQ1mbdVrnsvZQ=,tag:KWbolbZwRaJ6E4kozcLPPA==,type:float]",
+							"values": "ENC[AES256_GCM,data:QcyIiQOq9R1lWpaPU/ssfkAH4cAA6Daru6YIRBzrfcbdEr0RiMelZNo6LyN5wnN4KzGrUpvMuJX5ZhUrgACvTOAoMBKyA2fXmP1emY9D6tIARCU+dshTYXfRN5XVbbzFtiTZ7LP6EpvUtnwDx5D8mA/CUcv4xReiR8GH8FByUCGEc2dMdBdyqx2TcYdcTAYLckabw8lIQ3eQ6x/Go3vXE+aOiUQflQgW+PnzrZPPDCEhAYviJxA7JB46Z8C5nUi5iUkT3WYZCVA3z5PZcKwI2GSvVBlL+vA3FbcwYnc193IXRYvo/9HUpGTJ8ebYbtNQaAgyZ2yEKY116cJPV1A0dJt3Ua+l45tS0y+u++UyJ52ys8fxnrNPG0Kc4WYS6YUDQIxJ/x8qBI7x8wkqfN0RocBTjaRHmsNE6VWOXUOdQUwLQ+295ts1cPCnS7xEuF0VXAaMHDZZ5FA+ho4M+UvGmIIscdekUrC4niwY4AKdjdCbREl6zdobfC9+Jydt3H1ux9TyWWlyy6PkIPTUrvJjPdXbJFWi0RB10d2AsFeANB9OSSP90ECB0xRqal3tPKIXSddX0SDVyZ9Y5rtzm3ABy60pfuMbGwtDvQ5rRb0sowpi/bEpPHKtvt05t7kByjtfMpZNhBNaqile6y5D2Y/x5sD5DhfyD852pcQ0O9z8iTYAxNIA3EBjCmLJqyInwcra9G8Wral9T1aCt2I75gpD+6twcIKHncRVCg6tpNmr0GdaN5Dw7IhGXSIQIZxNPzYB2X1/GVG8JIqY3iw4CgFgAzzRoufQd0nXud8oPSZ7eHj0lEPxNOnKitJfuKf4cC7Dw7aOsf7hiuJUuneHDebPiD+oSdbvQNQqO65DFQ79ZHq2hZu0IszGgprX4HHETMGCLbS/DsFEtAgJ5DX26gPguuBE8SZEht2vQWfR32iDvP++c6aDZpiHKpSgybVT4ZhqMKO2Z48Af7EpIeTSIpzwovl6XQDPz80imTdS2RgWaZBmHOKk4nCnNEgfgUyfhXG8R/c+W4sfcIvH2qobOfN0oDloKZ+xxgDpaQAx/PiUE8gxN2XKqghLgb1O5A1I00+3H0vfM/0JSakkw0keBEBhL0/Q8mAg2cyC/O7XIbB1TJ7Px9imlYB7Z2buqeQ85CMUk4/j4IJbFGpT/oUnS47OT20jjPemyWkeEJMAFlDZ9PpXW8NojOtM5Ba1WU/bthHWQrByV9BJzwg8b2IrY3t2a6MMLROcen3DhQyoGrtvxHaJa5ZxRVF6NFYtCHHJmj6zicI+Bxr/ERs8vXAD8yi2WOTnLFTFitghc9an30CMWdJUipS+eJOQsGj9AOG8Ix3y9C4xUeTe2oiZQwk/vz3wB1mkxLSYozYQNxK4uRl7FdRBPvXDiT3NboYQ7SXT5TFpjlcfSKGvV6a4dHG4BQgYvgW2yzdYu/5omy1A7R+rezrcsM34LS5dovG4QJhpjipZbKVJMUrMSmK6bUNZY1ffkBgftSNCBHLZnh3S0Mp760Lvl7oJzGWTjNQXyLpelOtWtGzsejedaRBldPvNPtZpenyjJY/WMUcCGSv4+F3cFdQt2wOQ7EQd7NRJk6Y45hRXaTmMwg073Way5QhiwVNOLMsMsjMPZyILOtiB+VTMM38wh3a1f8Uup7jR92/kx2da6DH/U4c1BOq7pEVOWgXN1ESx6k1hnSfK82SzJsrf5kE3oI9UqRhpzfNnbB4P3rq8ts72eFCd+bQ9KpQwvgm7cREVOXH89iVEkMgsLJpuYJ27f5ivmH7Vj0f7dy/MlAKnesUAoRYNBmRB6daSHQgq9jhIjrWk+q7wO6AXO2oiIQVCyoGG9wy2EhSrIJO1/+PzRdT8eWnniLibrkqccAZnaesZUpfy+tmJfJmdLRTgz8j2RLJwYjCfOk5RNUu/h+fThWl2gE4qnnGmXS8wxCygjrtDTf+iuMD5Stt/pn0j/tGp1NRWniELRhqdReS2onKmU8GMC0C0r0x7nX2hvTVU+kL83OMnNxBqbH181iDCSQE8/dz4eAs1Sbfg/j933UvFSdXDo7JcqghVPtVYiiLQGoUukvRMVmxJB3Y+9G5ibCWwkUcEgzXgxYnoVQV5jgVy5143Q+sMo6jLvbUquOvVKWqdC+/V9B3TzCV5PMZWrOqndUD3aGh6bnhpqMqlkH3jZ3BWGxrFpCN3x5B39TMHppAacdzwYuXGNlxPEbaanH9DvjwuMRX0NCUeAG7/PRilu124Dv3LmckoQlkinfVQqS/bTSQr5+NW78qAF6PUawYnbt5XLblhLDKhsLkUBv8j4Zi080wJtjYkcp8T4draUJBFcjo7RZdRwGiTk53Ns6me+j7jZln5W0bfIqYz36k/40hH1hk577Rq+g+zS8v08L7V6VXDEmYPBftnfvHbA/XargATx0Kasyw8trgZLzFsNdnAQaITmYIlF6f0kS0QhQeoti002P5VSz5Bb7Ng8DDPBv0Icq32WR3xSFk7g6fDfSvFQIPOIcrdx9J8GIz6ZikzqxfNnHD85EJC6Ccrwh55ddIYbpYBfIhu8S6hchwPZzpswBi36uYOoEQb5VomIokArWvsxcyngCaqxMDUBNde5G6ceQOSJFMWeiqL1iex3MfbRCu7S1Slu5qYihOdA6/7rJSwvQUV+fo6npMVSZZj3jn3fX4MLf9WhrEp5nAnF5exuh23IV06w6vCWKvg9hHtvyPG37TdrrfT0Liczj8etqpI+J9nZvY1VOjALR84OQedJ6llTJH/WUqM3Hxh/SAUQ8/noyCS+XcPTLhYZYnfB/WktJmC1wNVgYK8yXxOyqfflY+TYECZS4BIZgnz0TSlFX0qxOPJY3qe7JGz6B1ETrol6A2B9IntryrH2G8OdYhvkBolnlUKogEKok4FhtntFD2ptD0fkZYtBauIM5onD/UA0wNMg9rQypYuyOCBhiA9oAeyeoI+kDH9PeYaFGVFfVJz6mvYQ7Wjdk6fctxFC9CBt9qZWl85lzeZO3egN7agLJJUL9OXdYvrRWE566Exci2IWT1Z3Ko8jC8viieKgiU1pNsRVIIsmB1nmuBB3msyVq1RhLsKa4L3xbVQapXzzaEP1JbWKLt/1C1AQdEm9WdXqy58LPxuIjYwf1JQ4bbkOuNDWn9PBPmrWvHP5SkBROU+oLv0tQZBDF0pKiv8d3fDn6bvFp1iiPOa+9IZ+qL40Au7iJZx8IobFDnf06V6MGVFs2Oa3IwhTNliApmojBDYJCL11Y71kzZTV432Lk7ZTU4/s3oV/FEjVZxMlOJxQsOCybNNl2vJ7jgfGhjkkQamnnIKdS8WMzYATZJ9oOREShj1zHPfB2J7Y5Q7uMp3IChmXYOUPLeM/HHYa07cqodR+nyq+Tj5phhLAS+Q8E9SG1Zpte8PwS4VH1c4SU4vOiFCYGJ4tIV3UQiomjKdZk3s8unQscjKWcEkr6gaSPrcLkWeiV5j6j5KXTUPJyS1Xh5I7AN1MkGzYmCxujvOYwiUlYitQ94zG+AMZna4toOjsa177LyrGap8KeTikAO4QA5RJS4kBTvwQ81/Dwq9mQ0znnAKFa0H69C9gKGjMAEJ2UvvEsOiZaPQQfeJ0qf1C/HNKN+8g0Rro1nPYOkB8K1Xss2wSQJv/Y2m8Zph+V0NCDFV2CJ+T9NgMijcr+5CIXJ4zyA6me9/OvnZkSfXm+ES3LlguMiQ6geS844hnadpW03rArU2BwnB3mOCxV4LpwJwh6Dn8VCArjRPsfqX2qVDk/zi3r8aGZ2H4SxbPSNeWz/LkXXrJXQEnxkEW5xfJw==,iv:FQLGhvQ24Oai0jApJTquxa8Zszb0OXtKfFltu4qjy10=,tag:l77wGgZXbs12GXGih9qlMg==,type:str]",
+							"version": "ENC[AES256_GCM,data:YAPTnNOv,iv:ELJrZjRKXg1LlcRxlcpq0UnhXxvwssvvRBF346dqdOM=,tag:tmvE0Pci45K2y1VkA0n7Kg==,type:str]"
 						},
-						"name": "ENC[AES256_GCM,data:K+4MrWE=,iv:lWJ+bx1MnmBNUJQFsEgIIbJ6sMswKlC1BL0ReDCcUZ4=,tag:RmF/oVs+mIUZ/b9dRpZb2A==,type:str]",
-						"namespace": "ENC[AES256_GCM,data:GKzDmZU=,iv:uFV/0JwUkT7QfGODM6VIqkJ2iTsP4Arr1QdisIZi4wg=,tag:VL2aDmRaaC00KnsT42w//Q==,type:str]",
-						"pass_credentials": "ENC[AES256_GCM,data:wPz6Yfg=,iv:LoJ1BRtx6zCqk+NmZO8FWVDeD6DoNo9/W/f7/5E6A7o=,tag:8hcNu8ot94qSrMH/PuWDYg==,type:bool]",
+						"name": "ENC[AES256_GCM,data:qRWDkPc=,iv:ydp3MGUs27/ZpsUgNY0XswkQxHKuhZsORUmPZGKpCQA=,tag:5XfY4DVkYl3y2+0N4YSCYA==,type:str]",
+						"namespace": "ENC[AES256_GCM,data:0BQLrlE=,iv:MDh+eKz0CvpXBqranlfIfsm+U8Z3g+mu4oMymcPr1OA=,tag:bmbn6SZBhJpgPy38CKnwug==,type:str]",
+						"pass_credentials": "ENC[AES256_GCM,data:a6xjOwY=,iv:tA/saNDa1Bpn4yVbk+LGc/q7XxsO8Iru8/RsACSoRD0=,tag:fdGM66dw5F5Aw5mGZPC5yQ==,type:bool]",
 						"postrender": null,
-						"recreate_pods": "ENC[AES256_GCM,data:yXGpvjg=,iv:e7cO2fOlv5ow6CBVy+8/fUy6YN0XsGWdp35PNwXONI4=,tag:aU6LaT2KKenhdkOGV6lotQ==,type:bool]",
-						"render_subchart_notes": "ENC[AES256_GCM,data:fXeBqQ==,iv:ceXyZ7bAoEPSDkX6mEZUhrux8NGMwckLU4D995lDdeg=,tag:RqeFYqcyDz7fjqJnLF2SuA==,type:bool]",
-						"replace": "ENC[AES256_GCM,data:CqYq0sw=,iv:KiUOq8l/DqHwWQo7ih5ad0VcOES88hS2vpSEx0GM+QM=,tag:5u+InNXC2B3Cmi1qCO0SmQ==,type:bool]",
-						"repository": "ENC[AES256_GCM,data:uw4qycuILtcf2aR8Tj9iY/01sPdLIH2WN9r7OI2da3dSSKA=,iv:EmOW3hzhReQHITe5y80fkoINu1HtL2pt91uSLli+t0s=,tag:qBMjHZAtXVrjlJvx/OYohw==,type:str]",
+						"recreate_pods": "ENC[AES256_GCM,data:zYcKh5w=,iv:85AeAN+XBga29H2Lss7LdtrK+xD55VaCMBEgkRh6G98=,tag:Eyj2/kf7EsqQqLnNlnMt0A==,type:bool]",
+						"render_subchart_notes": "ENC[AES256_GCM,data:nveVEQ==,iv:ie6rF9ONtPq8IBjVGAVpgF0SIYUbyxlWlJ72UY1afsc=,tag:39f5Hj41F0nOehX+qpN2DA==,type:bool]",
+						"replace": "ENC[AES256_GCM,data:u9sb/H4=,iv:jkqfNW03XeKTlzGRH6V/8hlDtZBEsyXq76pSJzYdwL4=,tag:WsEPxvoLWbSwF5F4X7/6hA==,type:bool]",
+						"repository": "ENC[AES256_GCM,data:5ECLnckoqSWcotf9R0Qh3AGH7/ir6R6Oeh+MufChUdI/2+0=,iv:ITStn93snj2/c2v66Ler5g4vUw/bdZLzh3OEWA6vOqk=,tag:jR+n39Yz/O6N5DTdhsWunw==,type:str]",
 						"repository_ca_file": null,
 						"repository_cert_file": null,
 						"repository_key_file": null,
 						"repository_password": null,
 						"repository_username": null,
-						"reset_values": "ENC[AES256_GCM,data:NLrDK1Y=,iv:V+vM+EHrXp+TOi4p8mYK4ueES8HeiLb1T6EWZvFcvfQ=,tag:AtyVD62ImsSabaeFwL7vnw==,type:bool]",
+						"reset_values": "ENC[AES256_GCM,data:FZ/OfKM=,iv:kLeKhTnNztxCOmpyjBJXgy3uMe4ckvGNiKGbbTnxurU=,tag:Byp2EfCmQMv4h9mLvtqb2Q==,type:bool]",
 						"resources": null,
-						"reuse_values": "ENC[AES256_GCM,data:WVP/wGU=,iv:+YPmlEi0WkuH1qyXLb2JUy/MHhNRUX0EZwtaZv9UtcQ=,tag:TS23cBPxV/I0H3z0ZQjL0w==,type:bool]",
+						"reuse_values": "ENC[AES256_GCM,data:7BVRzJc=,iv:ahZGuOjCN73ia9dE/ZsQUaM6ZIi/jd9xrzQoTTMEwkI=,tag:B604TWN8yh+aVlMgBc89dg==,type:bool]",
 						"set": null,
 						"set_list": null,
 						"set_sensitive": null,
 						"set_wo": null,
 						"set_wo_revision": null,
-						"skip_crds": "ENC[AES256_GCM,data:t7A1AEk=,iv:7s3ZeEQ16xpPheVb10Ww1WY2NeUS0geNNWBiT99NUXA=,tag:3IqCzQNvt+rXhdDYkWS7nA==,type:bool]",
-						"status": "ENC[AES256_GCM,data:rujOOZlGRjg=,iv:4nLBQKN9Yn+CZbLmdDDYefVLxIonfJCHL1n78tEbz4A=,tag:gTR+4uwpQmTXfSaKCCQz2w==,type:str]",
-						"take_ownership": "ENC[AES256_GCM,data:jSKpqD4=,iv:fx1AYLfjvH0AQsvb6P3nx3h80ZVPlg2Ln+/lhbb3WoM=,tag:68LNpFmOzIiMlSDuQJGEPw==,type:bool]",
-						"timeout": "ENC[AES256_GCM,data:Yabw,iv:udxMh/9FPAtFCoWn1NjiVUqaOEAhPXvoEsxm0u5XlG0=,tag:OAtSYIfYQBFMAU9/JPevXQ==,type:float]",
+						"skip_crds": "ENC[AES256_GCM,data:a9Yp/44=,iv:M4ieSj5Ipi0fzc1EinD3l6cniV69OwAv7klp9PmmzYI=,tag:Ql17YaLvqeuD0xxY3aAMNA==,type:bool]",
+						"status": "ENC[AES256_GCM,data:cAMHmMAxhE8=,iv:jUjWVFQ1ckn2mwhHK2dTUr6QGHTw8VxvHh1A649EdaM=,tag:tiJpDd2k73vjMeGbHZ5Bmg==,type:str]",
+						"take_ownership": "ENC[AES256_GCM,data:ywKZ1XU=,iv:lFI4+/7ZAEVuX8K1I6KycCF+jmtpYllB7KR34R2/YIM=,tag:yqNI3njdQPyZLF2DRFqcow==,type:bool]",
+						"timeout": "ENC[AES256_GCM,data:UfPE,iv:hmBoY21c1z/Nmt/cSEh1OSDjfweTFldRPvwnGGEaQlY=,tag:yjfJOUnqLq/d6h314aO71A==,type:float]",
 						"timeouts": null,
-						"upgrade_install": "ENC[AES256_GCM,data:sHAadcE=,iv:nxw9rZ/X79t04l814PWLjIoGx8S45FRi9NgfhrhbT8Y=,tag:ikF/RHHrY/D8i+HMX9CMnw==,type:bool]",
+						"upgrade_install": "ENC[AES256_GCM,data:uvZ3PLk=,iv:JyDz9zsXjb+dDfFtUiIlHCnxfGv/MluGempZj03NURc=,tag:gfj9HRLwJp8m8CMOctvfXA==,type:bool]",
 						"values": [
-							"ENC[AES256_GCM,data:pluq1q7v+/lxBYMBvBE+SyRAU6H06NfjAbuKSGasdcRpB4CfZj4x1fZ3nf57E3t6O2NiFVQxXlQ7UWjCxiqWWUwd5D1UBUE7s06pE22G0JrU6vJiOQSmQDSFbxofAOxth/eehQlJ7X54/mctsXCLD419yDRuL+/jGsF5f6cBOtzzD1Z3/z6mrCMakPDiYeO7CX72I7N/M87lfmEIkh+QyxcGVTRQ4zC+zjeFShjfRI2QfgpP5h7+p86BWh+erHjVNc8VIc+DuwteHacjGgbYVZWjtItWr0yBWmdknLgqaBNoO+AsCuC0KzVmcgootUAA8+u4tHyUbUTZHJU+SwUXapUODDH6yuKUrxP1QsfmANHJShAmKTNuDCtHojlU6CRZKtgxt6QBDIRWdHmqj41AOtxvb+C+7QWg6Q0hRz2U/rJ5tL0yDOCYFTQoDpFlkTwkPsJzL/N2wpOX/u4nPuNOwg/tPsQ0VfjNrJ0nmgeBgRloMyZJoCjJUNhOttsYmyD2Q5hg2UJGqxAvoaMycPCgeNIqan6qeA5RM8plZwMs8SlTbW8Kd0v5IcgQb6JTHalZzZPR6tqaxvRwU3RPLQ5jRxDQrEmVHJhuTU9MyELPBE8FP4HfQwENRwIu4HF2xUGCvKJTkM10PZBlv+/e4lpLU+bEjd3QEIhtbmGRBug7d4FRdptp0LXnj4/kjTZqQqqFDBfxkZ7ntB0v/E3bYyZEWtskemKMRkhUCwqUitnj54CikS84hcuscM6+8zTfjnbJkuJQPRg0ASsA8jlpSiMytAv7LqR30psIR2XpAQ1wGpvFNOF0/s1JPwLk0iAycXk8EXlVnPxiEwltzTKrhwb2Pe8vEBJ8ThjnPoayZwCsISZQPY0dvamXrP2IWSkRhAOuxsh5LSR1IwXpg+k0RjNSQQ+kU85j84w041aUA8G753/hmHy1XbpmEusys06m1zqgs66bmXZGUV+wqeRjX9HW9S9aJonwcZwVcyPUhZrwQMUhkx2yIcs7UAyo8k04khSGdmjgAL17MhYH7lxrdQYirAI6RJgi4HLX0MJwYoXmKKj1ImMiCU+Az0luezgSxHsUop3CJJ4FQA/b1KaBwUlcmpNs4T6E0Rncltv4C5ZFkCUXhwGlbLjEpnOfbwwRkohlfgHJnGmRB4A6EiswBWtbrHkzS2Q04X8PllKiMd/M2qGGHOs/GD4vq1i1ESMh5UvZj94iNww3xUHTbotM4CunnYN5h1hf6yEmLi3XCfk8XvSInO0rV1spQ+MzK/+Gop6I2jT46uvTtDqzpQEJVHtEt0zvK8gFcu7XpUtCzwKu0NomgMWfr9WHIj5XM0OBmP7G6J5Nef3Of14kQm31UoA73P+7A0PwuvvGOBvx9DmCEkyZW9gWMhQYSel4EflXfynZj4qnFXAxH7le9unftZBIY4mkb28dgs3rg2lp4odKERCnbkUvJ/CgWdfu3MfREed2v8pw0s+obhEs79KLimn7hcuBaRgGbPcB/3vASKHhNr4H7Pd1NodnUboxNkNEDn3CSEm1M0J+J6AVc4BP8xfvM9qNzNMk6QnvzMDq7nFK1vuXXpt5kaYTpUrlvvggqFm5XZPOKwa/MTrs4Zp/X+XokbB0snT4vBIqkmNGUx3cC83GUJnH8YJaeRGutQYmMA1D3O4faeL2dvaCAdkPhSJTvS4RbUbv/xBT6OpzeFyzhmLbMK630tQC0/htbBrUGY0GL32PahixdTcaKvax+4lFRbUYJv1DdNuCCoFhHxvYlJ0f3QFygOI9tkgVKCmUW3Ir5/n45mXi6vMoXl7dOcxE29G6mJvhm+6L292cQICFoHDoZxzZ9bfxcHFtnsf2g7B9LAxlxgV68qMGjbxNoCL8UWAkkaOa+C6X2U5uthioglyHiLmL2lauFRt+n+hqeX2DnK0Q1o+1PZJ0tlgXSboWSWoAlrtoFLeloafH/f+GrcWULwq6bbVCUkPs1poAgWniy6NDEnUWgUVe825hVkCMSBoY1AfF3fKo2FwG1OuuZKBlCx7t0ut86dgtQrYMf9JbD2aEu9Qx2i9QmPyR8UC7Q9ZBXS7VMDMdCce2vb8bDJ+e6rLDG3rkTDdo/ZL7R6FqCyWPufd6f/OIKVVOi02KbbV1nwD2Kbc5Ya3ZEm/XTEiiqChuS3INMKPoC/Hwaic4mEWXfDbqN/PYtwWZYZZ5PhqZ1MK6IFnuz3c5f2w/PV39/L1dJgCcAANFPrfI193niHzzCUuw6TV0KPnipJEfJSAPB4p9ztkyTUApSwhC6cLigAed91usfdY9k818Tsf4UpGWt3Ii4KLqMoKtXkfBWS1GkhSazvQrNnt3kczR61D4c0M2YowLNJgi1lavGRRoS2R+zsOZ15sNbu2YKeg+c6TwgtWOlPehTJI09kQPv3clYpi2p96gEDlMWYHwMxqu9Wcd9auqqhj0ThOQ6rMjfFTpAfgMFYVH0VZpYJMFKylynvtwL6+YI7fJNaYSWxN5bUrKTCpj/Rfitj12hClczKrJSI883BbbqvBZdpzB4F+0lwrMVVohQUvl4RwOFd7yaJuptDRUXT8F3LsLVCxT3OL+giiVdd8AFrNVnyS1rnewbX9qw41R2RJpllhUsDzSxJfV/F5LVQj3vloerWZKLieP1nG3Ku0Ids80El1geKdqhlUzRGnFqYhswjgNsRcr6rIt2RoaClLFtnKxOXE8apat/J+PlMe55ZgzTDc9MsS9+GTRNezY7hP7jAttMHSKGsnqUoMcvxEGTkvKQ1dr3zWREqwgvPsaAQ0TB0OkaZlpEJ7kv+71nTh7yhJX65Hz5xwPzDE5dObXgza4GzTJuOgFi1zzz1Ep7YgPWttjBzFQgktMaZIhPmPdaIMbklyxHHVGjSP9cV3vED1UULN/VWbh/pSR7LyZsMmF0OehU3bjjMNQepdye0mRTK9KyuxgTtfm+n6ZaghwQaO8vnU9JpZQBS5nkV1eqtO40z7vG1ZEGy0UjYcORmtqgIlRLzmJ+O2eFPUw+WQrno53Mu0F1R4ydH2qtlqrOunmZgLjFXtWEKzPcKRR2jJUHLSEysN77MVWtQlZ3rcqBpVG7IrzoJgYwCscveR/KHNhh/V0ioPUIfsJoz0aGXtyfL0gB3iesEq+Zh8wmL5u4LtHxafG+idUf3GpU628lJR3aaZe5J4Lfb6JFEbhIHxhM8dkRZnO+SmWykhOlm0X06oR6zjtO6DtieZL/kk+8TYjwg9Kckgu/8Ba9IKF0A3mYZLVH3B5f1O/7n0P8hOAI1kMgUMt9+eJekW5QfndsJqZg3lj4qEkyKLzuqlz2vf9tN+/99kMSxkbk0hzbb0tvWRX/mDkLE5etD/BN0/HgXHHD7yu5O96wFiJJ62R5+GWTc+iQr8CSelB0IIHw5L7qK2F/B73aJy1hbJBHEzA6ZMLTLYXQoAYLWqY5FEzDDADzYlexQ8KIfEfaSX32mqO//XUJQ1lk1c17F3fP5g6xOfU5zlyZV9h65ALOY+nnHavVz3yYGPyoCdm+EoI78mIykCCJoe9SFqFjYBC5muDYw+yXTTSmYBy8ECzofmJ//cwp8p8nhY16tydO62OCtKYFZ0pVeLaQJeG+NhuwbHARo+nnovt4kEwDZ+b5AiCxtgU1qEi3kCqIyqFmgHb7sBMj/Ys57gn0i6JgH+jnqaOPvSICFL972adEgGFtioETTmwfRI/ReaUXHLHaF/QOSLzqoWipF4FS3FLYwM4VBPGFUwZlbvyL5R3ptCUuWVZdWLNAfyzsD72SI3SrZyDG83gBT4kLp4IrIkL5wdW536HRmd1oTvqm4YYbiaOKV3OD8IX80XKlT5lhb31qXVxg/VX80SEVvpsvGbmydUMlrnR8XvN8krMVLQc9fgu/bRhiwAsIrfYV0viA36BsosatKNeR8Jef3EwZuhQEMbpVH8u5O3T+oWFik4kRQ0K9AVnC6MOPLfEQNIEcTVR19Sq1NDUD2ZCKzL+HasPTxoLDcfd13PFLf7i7a30wSRojLj8qu9ZA+W73Zl6deUXW1WLu5mCjPwLm4Z7cBsHjeNiHeo/JycA+51iNGYX7vqhWTKwdiGa3f9HL/Tv/JetQXdJOXCqSb3Li+xWtnSCz7UdMNm6elIiFtfsIl/JJ3Q0OIJUsbFftfIkHlMkDLP8nzs2zRJz5v132WRISCJNxDS9ulYTzXBlzlTGXbn0W5EJen7EKouaZwCgTQDTK8LOstpycCdfyHWjrLMaWXtty9XuS2F7nMA4hHyyUkKKAYvZyg7iqAH4aMCp3oWYv5rhg86AViofsxleYl13ZBJ6S8owMZGP9PeO2GxzsbCkCVNKlKeS4ossPWxTuCVvtsQfZaSKz/NqUDcw8MbnecOTYrEzgx5XpijddzIW/q8cNhJPRC60zG9OK95O1TNp3TCIej8KO029JiLbeMFqWYszb0q3x89REe5EbEmiUAiJrMSSgnlAkwg5rZi83bdyr/SGg04nDjE6tbNYeIzNODy++CrAVjQjsEQ9yfEQho2ZTQiytZvf0OnX3g==,iv:HJBr6Vbu6s3L3Yv0cO0iygiEo1YxLu9bQrERXxs7H9s=,tag:nJOaDwQjxtss3OdtXQhn+g==,type:str]"
+							"ENC[AES256_GCM,data:6VIaSFBCVUrDqb0R4TiGkBUAQoEQ1sJahFLkil0jl8cdoGLb0JBekyv3oFQI5CtfHm9fT0mmtiUe5B4OD1zuvJO0szqD+8DqfEtkZc0KVqil7Be6mU45x336Zrsi33C3wEVKSTQsRkHMRIpEgP/zfNi0HIYWOMIZ8dPLqpuC6FoOmN0jiaT7UmtHD8h/3ZKd5z19zYEfi2kaUndy61+9dPVutX2diAjJ5bEjG7i9Bj9F846LFOAuVe67BbGYFv7+gi1ZNle6dvL273XvYa8dPX56fmW9cK4mErgXwJmOSNtDTLqIybgc65RRKsrYa/Fqy5R+f0AJcAQEXpQxZ4FTAH7r8HPemYU+8JtB7F12lXhs07c0gvIAq62kiSiTP83kcKfVn7pYO5kZtAjdc45Ufd/MJsy1g6JdRMGQbvju05GYAPp01JSi8ufsE1FyLBfgIPugvZ+DuX3j3Y8EQysHx1uRwdGTotMseY9Vqvqn4zU8aGAZCemeCzAQvCmyG+9bx2o3jgEU2fbhG4mDUU612qqMFtgWGwCkNwHSnhdUycf8DWm76FAVwWpLIr0Ffsan7rKFvjpr8vaXv8PU47CpA2iwxwi/fvQhDDXLvdfS+3s8SymQDDcsNw466osjftXVQM3VAd4dDpLMAD7xkicFY+lyYWW6MA432ti9sWD9maLmyot3T8V+9mpOrgANB2RuYWwGFx98eTHWxO+xZLKxdKK5xLiWYHjDfrAy9CPe48hviZFmjqc0mcotvWIsM8VcRUsfxkDzq37SKvOsJtijiA90TfPBXJAYGMWu8QEWDKxuA/5tJLyjwPJofGW98oktuVwYt7BppN+ki+QVz//DT9yttqbUcan9dxoI38t+C1xEM7S+K0ELWa+Xn5x8Lq1XaVoAasZtfZkSLru2QRlMSW4/3vsnEpHppgHa7opoWA3ghrQblyvIAGaoMFGTWqb5js2p1hHebiquF99sBjd0A6EYZmuHErsNWnsGiaPvArVS8LoFHFV71GYoVVv8n1Le6tB/ftDzV3KWEZ8+0bA1f/d5mj1tsQwXX8fGvKdOibquyNfWloQZ1hE+kPkiyCgQqpgp5dRRG6sBOei9jFtgmRMtzclJX0TiABBm9ty75bti6zdU4Vo67qmKMc1lQDPQeowLMYs70Vsen00HlSw/skyaJZP3nfzV7vYrEAr8lfHyILVfa58CJ3GGq43YWgFLFXrl2l1B/PFyGHTPuVUl2B4Y02IvfUU0FxrKMF2Zq4pSoZm/2OJl42zELpVYvkNESj6FKDJpz725RMfM6av8Gd7myXSd7mXTUea9G26gj/o8ZIQBff2wL6tiXPYTmAgpw13N0n8SfXSv8hlaBTtUTWIOollG5qm9zkkkxf9cvxMBQA2MHcHpEFuw0TrXptMMLGvxre6Vs+GvQWxbUIyTScEPUncn+GTuFzYfKKoKQ668ummijGqncS4TmYcmNn1zmQHaYuyLdEzIVMW8dgsLWZHwLi8Ys7XSt24Le63fZ7bESObHF/nSZJUuW+yh26LNxZ3moqxyu9D41SL4EYnRd0yVAZs1VdBisvdz9nh/edOg/D2F3OKO1DRKWXF+QB5C7y/RuZv5D2/m1KhyZXahDeVQKiU4936GlgfW1SupxSGH94XZgq+VxR4DZc0eT1dWx+IVpr+N5i3CYfJqOwg8fWy/srE+qQviouM5zOb41SV94XIMW4rX9KnHYeGoj1NNZeSTENywRRGZjLjTP6hMEMhS7Fwqka75+WDLolqjUQDUP5ifcHnyoy32H0mFIGJFC4o8q/5VlbObv/wxZ59Cvm9b6ZcqCQNkqH6w5jL+vX4UbnWiGM971SShozNn0ZS9EUU6mWKXEqiblF0mPr+zQUuFngIcmrG0uyU3FN+47cJ0tiJPjn1Kl2PPi03EWMiX/cPx+Z/UvhGl3XkH7ZqBZZG3aW2fxti9pfHz2mOMW9SCz/t+eV7HyFKCwHDmr/qkKSlfHd60xiEszW87/5LZGoLoS1g/OgGPKbxG+iTZT0KqqWKCCxjiyoGm0Y8unzpV8v9VZNFEI3m2h08DCvvgGZEHV210+325OApPhGh6bX6UQfD0TyVIZetomBaxE+12w71WdOOpjYq0wWB4/UQ8g7Cf0WrwGVXUnByVu4G3SmBEs6WGzMyAbVVXDtmR5Wgm6kObsBNJ1HaCOmshiKLSLkSMOltaLgrKpgbSqotO4D6VsB8TyrbhhKIQgCjUWW2BgzLf8eaR+eTk3nmsGGGeL3bG5LSV/oip0JeuoV1uw/6MnAWXXqQu9eGNrfrxI9c5igKC56ur2h8gO9FGOQxhYfRy2LlP6JMSMxS6VQc1M74VBxWz2XLz/ceBRY5Lg6kDJMT1ZjVJ8kdyWVQEzqGBv9NujuGcgynFFL2rVskweKPaKhd1MJn+39uZ9AVnwJhUYlkCPQo8A80aV99Jk2+bCEHcoFTHSLf+NjrF5ivb6iu7OPiw3JeA/uEbhe//RazNR2Pdo8zy9PP6lZMUCCEs2FfyzBap30LUkxPZgIxhFHI85T6GNhtHLe3dSFO03KgB6Gr1DBS/RizDd58T7buTFGSqreyo0xdVvXpS8yTxsW6wczdpahxmJKClpgSk0BTgBm4OJECz94YmEtPzmL3Rip6r4Q8RYEvjbBg7Y5EcVswC5esUcQCw+hZByt3ZifW9tiIOLUlOUZ5EHL04ADRjfOfKvwlK9u3TFxutnkR5ENHpO4UvIdRxSNkeU4I0hcmfglm8uAyC7sQWWJkO25wVcmr+bAHzgRIHVmR5AEZ3U0Q3GrUSoGl+aCD8Zdeckh01F623QH2Eti5l9ui5H8Vyd2jiJ0E5pH1MMwpHzf+GMcC6vFF0JuSSlaC9mLuNnG9ggLzoSUOlcW5ra7y+/UCk+iEuYmMExGKaU1ffaeR9CZn8ubYGfmocucPUxNkYqSUdBYrXqSkquYlhYq+vXj51Kr6R1Y7EgC5mdS65EzQlKa+jvuui9Bu/Is1fWWD94MFWa1K+dCrRZ7hAHd6g/zP7q8WoTKeJ71Pr1AsWhT0xlv7f29oX5xozuKENmBh1WMJoxVKV9ED3Lv22Myrosf3ZVurzX+Kldzum/MdPkEQycYCPMjmjaO5/X6KNQq1KegyHYOF10cGVll+WPBH8ZWjm8xEZB7ie173uzvzcM8kUQNFQPirUq2aYJwAf0V/KGvsEincFMGk96d5SP+0LeIMq09rLf2RYJgRSCv0g1m3DSmTKkkvyOasFp+kOP8ZmeUM032VcVeQmUQ92POF9fZr02tqQPZ49LCDNeS0qrlk5bzR185GUsBSIRyfqIgzB59Ni3an/R9F9jtkgguTnXX8LSgtqydjwzmzTHYjGkJjeF/hrpOcjALLe+9RcPJQXHPUQR/JzcVKEH7IDDKhzE5QrsYDQVwe0ZkT/rfrVVxS9W7NT0ZhDgwV0EhZ9y9DDJEnC2CYLp44qdwQmEi+8QV9sW8zxNTaXgAnZjh803fp1QYAA3nbBilwz617dtqfr+Pi5tpn9hEJA7PpzlOLt7bW/zDmfsikBzSjw/P6wzC3vXxT+0eoGzU2MrkdO+6avLE5qOR8C5zxXqkOahWQhxzyLcuA/rxkkjRmzCHW7TSMn9C9ErV4qSYKOS6Pixh3cUMJuCZ+zsOsI64zQJLXEWKi/ze4j2qIY24+2nOMppZMX6Gpq7Xi02t7DHK+5tEZBSoCKXjfCjjLWjSGZ946RagHAscOtsLcc72v1KE0sweNKTem+paf2q5Xcj0G1dWNPTKy3CIU38+BZDbSIo71/uYXs7DB+NLEQ+yMSa0XqJtaPBk9UkcGA5jbFjn7j6YLfJFqEz2om9J9XN1uNAqUyhB/E/iYwiOeUh4Mtt4SmM6d6MTKSFs8SMWv7+/0o5WWbV0yXkGaR3lLNfV2sbuxMUgd+ZoBt2q//kdSx/q0X/+F9ZanOUWLTmHhBcKVjn3FBBcl9QIbtWfuqyqdLtoQ5ie82utnSgnjkz2beIlO92d6seKWJSuvoQgdZAQspGQEjkUVkyBU6JdT1Vy6dncyW+/pkbL8rpJj7zjnXIC4vhikYtArqtlfgmqXe3ay/8dAsw+qOSadkBAqXqZim/eiBzmLljQQkpj2Sl2+fItSqGl+K9oZJS7RSp99ybgFS34i3vU/2FoMhxe3+l+/L6Tj4Uu4tS3VJr3gRoqs6lIJe51/3Pf1vsz0WHYj257386LiGwVoC6tYTc93bhHMqMKBnTWFl5VpRVWwnTfEn9S/Ic0PyKYfpSnBb71gz8wXDbJLjk1nXJ75hglZ4p1K0BLo4mXEifu5IhIJ7msG04Eaf3aYfVM9zs1MedPsqjEZLCAFuODZXM/42aQYJcGvROhLG94cTSSaCpPyEo/0SzLHAq9lOGPz9k0qNyv0epObac3Nk731ggjGFqP1UzflzV3hbOurgOjjgKL1uFgCcSFIsvIggqR8ynVDRkTR1kidAp8bTLmXc2ZIwwwK5H1zOt67F0FXv0ar/9WnpPG2g464niOJ7cA3640MAJWPd5svSHA==,iv:mhy2t3lytgTOoh+UQKUq9mUmM5XxpNY1PvZ6SMgBz+Q=,tag:OXWMCLHXWyJlV0jFDAoM8A==,type:str]"
 						],
-						"verify": "ENC[AES256_GCM,data:QWAMTp0=,iv:siWRUBAcj+RgAX4QOMb2lRWDAjKfzjCmevus0lTC5Fs=,tag:hFJwGXPL+Ho+9NyhXDzpUg==,type:bool]",
-						"version": "ENC[AES256_GCM,data:TDcBeeSa,iv:7C3x28rh0WRSNFjJtqnD9dCGVZgcOOS/TJUXQlOaGrc=,tag:68hBcdLLJee+ReVX01F5GQ==,type:str]",
-						"wait": "ENC[AES256_GCM,data:1esUVQ==,iv:rLt4iZgoMKnIzZkEFxeZ+PmslKVFSHrkeXOCZFCdvv8=,tag:izTiz2Icw0wPMfeuQ4/9WA==,type:bool]",
-						"wait_for_jobs": "ENC[AES256_GCM,data:3tObZHI=,iv:ppFyc59r9hThVvF8MxkOZ2OOpo6nExhvLw8yAUIjUN0=,tag:FdTLYYc8l9fMTlIMcW809w==,type:bool]"
+						"verify": "ENC[AES256_GCM,data:l0J8/hc=,iv:U1UG8YmMsvKYU0KICLkBvO57oBh9Zd4ysVpb/FwpHbI=,tag:s6fJUNchIMDeP3sZ+e28Jg==,type:bool]",
+						"version": "ENC[AES256_GCM,data:VRcv+6Qd,iv:ub3+ZKQq33AWonSlrQdJyAfjKDYSSVRpplOhbMoOhkU=,tag:+kTB+SFCvv9dH+BONArMZA==,type:str]",
+						"wait": "ENC[AES256_GCM,data:kRd+yA==,iv:XOT2YRG55354SCt/D6RG0guFkI/V7Ds0SqfE83w3zvk=,tag:5o//YfuLTcIszi7yqefsRA==,type:bool]",
+						"wait_for_jobs": "ENC[AES256_GCM,data:psXrwcc=,iv:3f5U1HvjvicLDnv5pogbbJ/XiUk5tb/9lDfNYx426JI=,tag:vIbFyAzJ4yfdlHL92OOjJQ==,type:bool]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:5TNzi+FaDvc=,iv:xJRzp0pR4Z7NVkBpu9cwgge4i6/MUznHNRJzWHEMLpI=,tag:y+rKCJ8cHW4ZypgsziLZHw==,type:str]",
-								"value": "ENC[AES256_GCM,data:J97DXsQLrc1m6o87qKrF+JrT9w==,iv:7w6orc452huoNJKnuFWs+joodwgpeHR1XV3bISGSxAY=,tag:FJErbkIwFdE/QMPA3hGR2Q==,type:str]"
+								"type": "ENC[AES256_GCM,data:ItAj1DdlAQ0=,iv:lxJqt1olnldtGOfMsuCvg+HotMILaEsef2GczFjgcIE=,tag:+rLr+bjsvFrFH1/kCQ4KvA==,type:str]",
+								"value": "ENC[AES256_GCM,data:scBKP5I9tO/IQ0TJdAWbmJhQVQ==,iv:QvrpMXyCcq9A/HTBCCfTmhvFytohgHbPxSis8zT9GEk=,tag:sc2dWVeLf20ZDgSX8nKCzw==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:iQ==,iv:XY9DStPfPzl0983uXmPixRh2ohf28HOvDp5EDyuh/Pc=,tag:gTe56ooouLnyzel9iJkxKA==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:QA==,iv:6Do2x5HW9yW61PJeYMJ5rM/XnJDATLXRZvOTQS54NZY=,tag:WiWdB8F1+FzHkBboZSLTUw==,type:float]",
 					"identity": {
-						"namespace": "ENC[AES256_GCM,data:Ro/pJGU=,iv:zQEp/y2uI1lb9MM3xzFaIYdIp9ynA9J7+xKQGHpnagM=,tag:NADMD9itArB+twlfdmSSHw==,type:str]",
-						"release_name": "ENC[AES256_GCM,data:m1r2Zxg=,iv:x1CVObfDvZPBzi7KvvlRHzZhxY3XCCnZVux+zQvFIIQ=,tag:qgovulrrIO4zMa/oBgX+tg==,type:str]"
+						"namespace": "ENC[AES256_GCM,data:r3rkNH0=,iv:OPjk1Ej08ESQFpdrJkd+Uw1mbUK3HdXUuRjS1Iy6SW4=,tag:9+8Et7W5XWcY2ACF3RpFXg==,type:str]",
+						"release_name": "ENC[AES256_GCM,data:bZdDP1A=,iv:k7gN3eu5BaBjXffkD9UT2JCVaZa8LwZFzbuUhXyx7kE=,tag:N8SIhhUFHNabumKxJVRhgQ==,type:str]"
 					},
 					"dependencies": [
-						"ENC[AES256_GCM,data:syHHNiQ52aj1oVwCJdUFpQXCP7BTGNjfehc=,iv:uzEj2P1gyoMFlMxjSkkGidcYTc2JRJJwrfKXDf+JCNY=,tag:xWOGLaEORMuJZ7mI3Cmz/A==,type:str]"
+						"ENC[AES256_GCM,data:spHF0t94EPi1FEH5G1k4NIKi7h0o0fU5oxU=,iv:XozenqC8RyN+rjuUK1kwaUt70iOa3yTeNNFIwNo1gqo=,tag:oqy4MQWRGdb+tx+OSk56wQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:e3wZxh7JVw==,iv:MBtI4orjlTRUJ6boPZk9kuVqWKlMlcjxPXPXdwDbgHk=,tag:SUJ5tInmn38ia9e3wL6bBg==,type:str]",
-			"type": "ENC[AES256_GCM,data:lBNNqoOcb4mgYCQxa0iSmvrBQQU3vw==,iv:UePJ/U0HDgPaejOw5t/9T3LRhHryUPaTQldd3o3QU68=,tag:90evMwdOC9RDqiTlsMhkDQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:4oBRW2gtI8qQ10gPTDFb4sTqudbLifI=,iv:P/AACuwZfwPuhfH0yqkzZXsIl7+iAttcC6qsFNbOE1o=,tag:Q9IXGO7xJv//+Z1387N5MQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:g4xhYKYHLI6c7lNNQmbbEt6GTOZe/mc0Ni4qdzewmojNQQKmsC45sAJhzlivDZhSztMXzSCX,iv:u5lRG/M4Bt0dKAV6R52ryjHu41RAVwYqImX8egWmur8=,tag:p/rPijLVvL5jcqVcapRC+Q==,type:str]",
+			"mode": "ENC[AES256_GCM,data:Fc0YoXJE/A==,iv:MqdUoKmB3uKFog7JeND7x+hnqBqoKjN2gElCk8qAZiw=,tag:4SDl3jWeQxgsMS5Q4uYQjg==,type:str]",
+			"type": "ENC[AES256_GCM,data:1+DuF8GEoDLHslQbUizjYBOAkjEktQ==,iv:gnmOI5jMz2Hl0Ry7QkFBf6lMWVVemYG2NoLuF9UuaRk=,tag:J1T//rh/7aX9Q+W8mOBvhg==,type:str]",
+			"name": "ENC[AES256_GCM,data:2LY07a3ulCTk6BXgUAa3Iw9NL3+U1zo=,iv:pm8PTyvAnkHODOXjqEWC5Jfgm14tHboSGhnxsTFhqwk=,tag:0+oUynZ4gr2+7ojcYGGomw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:1ECiJEPwDuiXl6vdLKiLc1auqhsbL8XhkWwEp5sADNtO2mmNHEtGmtos8F4eYjnd4jhS/B6a,iv:Q0/j7AZY2rOltzXkBm55RI4zEUxawxnV3zX09gAURgQ=,tag:5FyklTRRxo5ozLkzoLPKkg==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:ig==,iv:0iYLrqRHcwjdwHo+B5mJcYzeyh+E1AvsotZjK/sJyo0=,tag:Rl6q6ZbKeGiqvkEYsHeeAw==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:Kw==,iv:6hKZ0X38vCqNIOYsB/u2L4QoBFDMdTkhnv4Nd27IZvE=,tag:F+NgrgIvPeba0ONQvKA0yg==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:Og==,iv:OLFHoarIF/PDSZtIeinxpNIGvvcrklcyprPneWEa0Gs=,tag:j5T3qqG3y39o8iMQl16ORA==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:rQ==,iv:dnHphn75/I7bub2l6Aw42n5V0prw/XlphvPuvDqL/QU=,tag:xtWJbcGtJju314k4KtO0Uw==,type:float]",
 					"attributes": {
 						"annotations": {
-							"resize.topolvm.io/increase": "ENC[AES256_GCM,data:uxwl1Q==,iv:aG+pfwV58Pa3yfetQDRl0wPi7ippArQfr7F6dzx6BNI=,tag:vDdtHDMqTRRWTtMliMc3LA==,type:str]",
-							"resize.topolvm.io/storage_limit": "ENC[AES256_GCM,data:SHIGsg==,iv:VW2UzGoVgZhmPDj+UvfdvZVdrYyi08x1w4dEEcZUE0w=,tag:9gkSUhOSib0EBtsEYfWzRg==,type:str]",
-							"resize.topolvm.io/threshold": "ENC[AES256_GCM,data:1EHm,iv:irJg43T4IzAbP/XPGqS2mF+iTSCiAccVUFH8OrWtuPM=,tag:Lvvwm+dB0EG+g8q2aWlk1w==,type:str]"
+							"resize.topolvm.io/increase": "ENC[AES256_GCM,data:s0/HBQ==,iv:OUhsNq7KVNccAAzbXBB3dWI2tkThkXVzUU1NED4pk4Y=,tag:AonL8oBgP2gTMZVC+jePqQ==,type:str]",
+							"resize.topolvm.io/storage_limit": "ENC[AES256_GCM,data:GrT0uQ==,iv:yfTb8fmdu5OIHeLg2uFWTlOIhv0Fwx82pxJi1a8stmY=,tag:tdgwdmK033mDOP9/ucRbnA==,type:str]",
+							"resize.topolvm.io/threshold": "ENC[AES256_GCM,data:gIa/,iv:+XbndePpOWkmg0WthfOrscelE2CAivwUtpNw4ShrmXs=,tag:rWtCU0gTST7uHKQtCqqGHQ==,type:str]"
 						},
-						"api_version": "ENC[AES256_GCM,data:9XQ=,iv:fsEB2PgW6HPFbJ+BTlHbwqkUUUQg8nWgVI5zTGQ6gMU=,tag:8kR125Mfiun5Sd/l53hK9A==,type:str]",
-						"field_manager": "ENC[AES256_GCM,data:Ur3Dt3DzNo82,iv:tNW4qQxeMAPyZ/I+u+uvZNr5AA1Muar9/tNUwqNZ5Zg=,tag:PMOuGz75ZnniALM64cTs1A==,type:str]",
-						"force": "ENC[AES256_GCM,data:cqGKCQ==,iv:3TT+hRwW7S2i7imwBCg6AkcWgA/BrRmC368x+LyB+RE=,tag:jsbdJNmiS1m+U09aVjsB4g==,type:bool]",
-						"id": "ENC[AES256_GCM,data:QJLnOlsPZg8Qd1Aoaa1AQGaa7/76a85vL9rVgCv64F8MmzdUrbYUcr7LMDiIjq/XJ0b/31oYpt/gCMopdi445gCH5NxRAhcCr6Lj,iv:0mhov0FsaN7ZWK81gWLiOCSf0NYlH/0QBn6fTBc0LFs=,tag:e2bebb23pE6reblsVJ9m9g==,type:str]",
-						"kind": "ENC[AES256_GCM,data:n2HBW3CMAuzKPaWLpEL/lBR2j2/3,iv:6bScO9Pe3wEjsUx4uS31XrabniI4mUN63cZdXekBCKU=,tag:zCiA9fAsKXv23xEXjpXLYg==,type:str]",
+						"api_version": "ENC[AES256_GCM,data:wig=,iv:anXpuw93C/ojmjrRyDjesgYelsifWPdfdA14et6SxA8=,tag:jbH36j17B5dEMHKOLT1yNg==,type:str]",
+						"field_manager": "ENC[AES256_GCM,data:bpOy6zkhzpi3,iv:/e95Al2ypEusnbMv+bBcesWDVcVXlvxK5gt8sODny2I=,tag:wAsF+8fo9HJiR7VcPP2Pgg==,type:str]",
+						"force": "ENC[AES256_GCM,data:jjoA2Q==,iv:CN2rwF8QeU25SA8/07dquL25gUMj58UmljOyQsQkwyw=,tag:8W7ZRIHHnsTdiP/tj2qvgA==,type:bool]",
+						"id": "ENC[AES256_GCM,data:3z2spghdJKzK4Q01L93Lq2QFvQ92dsGB59Y3an2czRZ49pJw23b6FwU6e3N9/7GmZmO7FxjPGUjtpQfaB356Of2jsKx8JKOybuMZ,iv:9DskGdbs8aMtVaMpypOSW4fj4MqMEOIv8wPsoFeBznM=,tag:aKaios6R/00joCnugzCxEA==,type:str]",
+						"kind": "ENC[AES256_GCM,data:DXoQrk2RboSG+9B1DkakIyIMYKXF,iv:NE/EvGikXxHOtlTMrgY+M9+vCFCSEXyx6anRcoN004M=,tag:EYJwXIyCsBh5mpuV6ny1CA==,type:str]",
 						"metadata": [
 							{
-								"name": "ENC[AES256_GCM,data:TBI/Op8m8MzM3g9EVw==,iv:ZVaxfmlnfWq5Z8x/XOrKUimro8Nd1ljCo7NQo0KeuVg=,tag:vGWFsu5FBJD9K1bjGkxsHQ==,type:str]",
-								"namespace": "ENC[AES256_GCM,data:9FT1s2U=,iv:z3VYtM5T5K7CZw208ol1C8ilxpytMA19+CHyN4dPdeU=,tag:r64rcttFKa/SXG+uF69cDw==,type:str]"
+								"name": "ENC[AES256_GCM,data:KY5u7vNJN+84JUBagA==,iv:9Pzqppyx2nyDu0RdXmCa7njIcFA92XmKhlUZb/Tk0eE=,tag:R9cBFRS1Sxftj/iK60JN7w==,type:str]",
+								"namespace": "ENC[AES256_GCM,data:v46t3qs=,iv:AaMf9A4JTsMvaUClP25LL1wpPudyMTzuJS9WCibpwrk=,tag:Fq8ofje2fvg28lyQp3N9xQ==,type:str]"
 							}
 						],
 						"template_annotations": {}
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Tg==,iv:kz3bG1czTFJldyitAYKwhS5myTcoEm4h6PgstpWEBuQ=,tag:Xw07+bRO07kksZp+VGE6ww==,type:float]",
-					"private": "ENC[AES256_GCM,data:046Gg57l688=,iv:2KqmNmwDJV+j15YmuBjglhR58Ulh+oXamH8qAegjr40=,tag:Xe/vnRq2kEZ5bp19t+CCbw==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:xA==,iv:+Orz5gYsa5Aib/WFdQLCk+T9SdMAZpPLCb+xfn1cOi0=,tag:SbqpWXIBzXkZqrYDoZWp2g==,type:float]",
+					"private": "ENC[AES256_GCM,data:iKDWlcwUYVE=,iv:dJl7vLlNs8nYwmv4iyQ5vf1fhvNDAZFUmJnIFJ5kAa0=,tag:IC68AnF6k5luqs0UKElJ8g==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:ssul2hF2bTL8JpFO8gf1a7JV,iv:eWJk5ulFOTQ0DyLknbcPNthuJKHeIhelRZ3wkvFZ/V8=,tag:AC31Vt3yjV+NRplzVFwAYQ==,type:str]",
-						"ENC[AES256_GCM,data:SWdJdBcuRzgob4npJUVeRUnNfL10ZRyoYsM=,iv:EDELbXrqBt9GWrBnJt7tyU7EU9ejU70VpaYkadFLxkM=,tag:Qq3v4mUWscl/IexvqVXD9A==,type:str]"
+						"ENC[AES256_GCM,data:Cm2i9cGAzITElugBc4mAdR0A,iv:NO5kHlLlca9+yiue6lktFOoOskT2iONOOv3ypq0LSHY=,tag:whDCoVWtJ0usN6wX4x7IOg==,type:str]",
+						"ENC[AES256_GCM,data:yE97sAdD+rTpau0O5HJIQ/loBi2d7JRg5xA=,iv:oQsujVyd3RdNhwVML3+5KL/82TEHta+37dXtRaYLu+w=,tag:wEw7a9sWfUqY+ku1UBu+zg==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:PQ==,iv:CFlC4HPRTzL4QTVfIhhsly2bTquyfF4YM3sJZd7LVQE=,tag:nPWZNcPb56lU1Hf7lbGGHw==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:ig==,iv:R/KU7Op5IsIt2Xw0day1yRPMLHL0sg2zG/cnwVrJuOM=,tag:RlUjhpvyPaIwLlGDKKm60Q==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:3w==,iv:GIzNnciWTijjOmsY/S7+ItjBi85vPQUxywlqyactn30=,tag:wA97a+hwSOTfNCijQPoTwA==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:sw==,iv:rGT4+7s5xZydCN0fQWy1IDUSu/bHVW2ZT5VQfCkEtYM=,tag:tKKDZCF99cV4u57Ndby1vw==,type:float]",
 					"attributes": {
 						"annotations": {
-							"resize.topolvm.io/increase": "ENC[AES256_GCM,data:+IswGw==,iv:M8i5K0Ljyda9yKlwd32K88El9yFRr0Hu5ta16ppuYsE=,tag:k+ntaV71eUifYDBhM2Mx2g==,type:str]",
-							"resize.topolvm.io/storage_limit": "ENC[AES256_GCM,data:4IDJSQ==,iv:484/z2IXg6+b9Oj4A4q8olzEx1bvpmEhpEectL42b0M=,tag:tV/S2iqmXxy/lOdAWEmmTA==,type:str]",
-							"resize.topolvm.io/threshold": "ENC[AES256_GCM,data:V7zL,iv:64xVZvMLeZPFrycQsvBsP1A1aPphp4RHdRt/OhZ80KI=,tag:jy0P+2CyFG33k2vFbCoimA==,type:str]"
+							"resize.topolvm.io/increase": "ENC[AES256_GCM,data:R3ALLw==,iv:9MYqXiZ2UoJYS0zEtlbT1TVBnwoMD+Xoyn3YAZFs4Kc=,tag:NcvjEjlRMPn5swWqKur1Fg==,type:str]",
+							"resize.topolvm.io/storage_limit": "ENC[AES256_GCM,data:uyQC6A==,iv:eeOElYw8Ly7D3YJG1AB/TMe2TJ5A7/nYrJ42r1utkl0=,tag:8GzgQXKpRVZlGzeaJDZX4g==,type:str]",
+							"resize.topolvm.io/threshold": "ENC[AES256_GCM,data:7eTt,iv:tCsACargz8Dr1mdA8V5ii09UleUas+LYSrkswAy0WjA=,tag:Q5q3ilzVdVW1p9HZUB1tiQ==,type:str]"
 						},
-						"api_version": "ENC[AES256_GCM,data:l1Q=,iv:V+FS72bQAcfx+tvpCi1JpbpWrTUDIxbGB4osdG5LXvM=,tag:VdwVQvx2xj69m0SfbxsS+g==,type:str]",
-						"field_manager": "ENC[AES256_GCM,data:o0G7YpqNCf3d,iv:ZBUWfdMjmd377sk3ecjdbwR69DTXzFXrOn6zldsjSaA=,tag:bQb1kDi3InqS8FHlVoYjlQ==,type:str]",
-						"force": "ENC[AES256_GCM,data:oH2rYQ==,iv:UrsQs8sksZVx6RdX89kMupwwhXrANUNjfPweHk44Bts=,tag:X7fvBO1F+Eac2sGTsNQ8kg==,type:bool]",
-						"id": "ENC[AES256_GCM,data:Wyg/6kIlm86Y8CZDch8OUzQjT8bejnRmVhkkf5NMRVERaHWqnse/UVVT/6uPvHwRpjdtFEGUgNeLm6vw3AqTkWAICDabfj2b64wl,iv:RoedQ9/UG7ZmFKjiq8mjsESzHwIXxvfG7N/SEcieobs=,tag:RXewaxan2ZhhCaSJF7Jr3Q==,type:str]",
-						"kind": "ENC[AES256_GCM,data:FNV8+9j5N8NVF4NxvuCZ8OThnHAO,iv:mGCwuCBDTkW8hk4T7dUXI4FCFT+SbP44mcqSdAlojTU=,tag:KbIUkNee0L6XVrCM8X3OBw==,type:str]",
+						"api_version": "ENC[AES256_GCM,data:U6U=,iv:xrRUt08ctMTUgzeRyl3L2Alf/On3X+Mm5y15JeEUS2A=,tag:EwYQ7WpSjtvqe2dePZbRIg==,type:str]",
+						"field_manager": "ENC[AES256_GCM,data:2IrfkEAWCZdm,iv:BSa2XEkgHEfs5VQhTMMGfROR6ZZsMyh64zZaA2PlNAY=,tag:4HI5Jbzl9fTjAnYxZebacQ==,type:str]",
+						"force": "ENC[AES256_GCM,data:68NqRg==,iv:gy1a9pIm0e9afLUByT4+8My0uF+f4x3giulUYPd1s90=,tag:csKr4Zk/ibK8eelCn6L2cw==,type:bool]",
+						"id": "ENC[AES256_GCM,data:QbMYKToDC6pjjvNYzBr6Dazv3CVC6mzoUKYrr96Y6+9NML8N1CQwCEdW+qFxJk5DJb+MgmtFpZOO1M+uXTRGsCoblwcKeCnEzOei,iv:/WKgVsG+QSWxPEfmuUbkOYjEo5OQywxQGX/s9/dPGXk=,tag:6kHWZwzLCw1euoMvTAqNfg==,type:str]",
+						"kind": "ENC[AES256_GCM,data:+Dfq6ndDyPcZQVFMYIw4Gu7XJser,iv:ebGELC71p7hQVYK7QIhbVRT3lp5YaTL4zdr6PB1UaZ4=,tag:RZQJz3Gdpzrq0/iCTg346Q==,type:str]",
 						"metadata": [
 							{
-								"name": "ENC[AES256_GCM,data:aJ8t+jwMH4r/XCqXqw==,iv:/MAoB78D5Ng+X+JCnSpioOv6y2NbVFyBOCw/6axFOLU=,tag:KXq7gfe8nNKPLrwti++w/w==,type:str]",
-								"namespace": "ENC[AES256_GCM,data:Mhy41Ho=,iv:dINrVlsLgKSCcB8e/pQFPfUe/mMHprT5En1sRglDSgE=,tag:SHtBresDOZiI4ZgwSn3JaA==,type:str]"
+								"name": "ENC[AES256_GCM,data:9dT3P1k1cGuIfep1dg==,iv:QfkL+k2g60PIwQFzJUIL70rhnjuXx5vu4tXPH86tWiw=,tag:hZLJd8Y9jrBsKrqUPhmpbA==,type:str]",
+								"namespace": "ENC[AES256_GCM,data:qqoT+O0=,iv:04jKXF7WZ5Lug4peQg/qVNXN9pcmyFeFUin46ZqQ/BE=,tag:gUdvWeVlppJcFQvqh3TLfw==,type:str]"
 							}
 						],
 						"template_annotations": {}
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:4Q==,iv:tWDLGdHyZWIt7alvflu699eZogVVkVjeSqx/3QDtJi8=,tag:qs2Tr9t3GjAm/Cctthm/Xw==,type:float]",
-					"private": "ENC[AES256_GCM,data:sSk5NH1UefE=,iv:gx6shf3ADMxMwNwjivW1BE64YeTZ4S1BbBEokusnAqI=,tag:PfFsWKqq7VEMXnbSq0veZQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:MA==,iv:QEeoq8RrxqxUkJkBHeQwIuDSuESW1WQvWw3KnmYM+B4=,tag:Mk5296lCP27qbU9eI50Djw==,type:float]",
+					"private": "ENC[AES256_GCM,data:fVyUueucMgo=,iv:zUG9Thva2U/nDR0JbREDSZOGMH5zini/ZWe6hd2QAnA=,tag:u3viHR9PXy8nIjPCiXmIwg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:L+0lYrJI0UKwz3KLYRJmH8rp,iv:H+z9pKiwozKcfaMH6E4iGXAy+b1iCjQQ56YyUvI/GDI=,tag:hcmq90LWu7rFSXmDL8P+Pg==,type:str]",
-						"ENC[AES256_GCM,data:n4xLOCk8eMgGej/BM/lLB0LLDWk9QmrNFNw=,iv:kEkDky7HSGJkut4yV0POoALji+lZUaK+iyGXxDtRZXI=,tag:gPaPUQR2Ejg1wySjyL7xVQ==,type:str]"
+						"ENC[AES256_GCM,data:nM/DkcNX+EY6Bq8UkmUig4I2,iv:yulY8nB7v8D3uDHLhZOw0mKAD2VtN7Lz2eRjculzt6I=,tag:gZT8c/GVM/Cr5OQn9HsRsg==,type:str]",
+						"ENC[AES256_GCM,data:Ga4rhqjW0tjK8a/mHJO5akbhs8pCn2I8HcY=,iv:KkN9QuKNuh46wpR5yxspCCvQcOezeEzOQwCjrq4cIFM=,tag:wgblWoUCAqvvqDYDidPhGg==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:uQ==,iv:8oQz5HZyqgqufuEj1AepICkv1rnAGic+ZtpqQ4ojwfY=,tag:TwW5aHF6CRULJnbc69DLWg==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:pA==,iv:la2unPhQrjtRDEafJUFYxjHTDMXoEtho8ejLek8F+/g=,tag:QigRvViEho89WupykVeWXg==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:IQ==,iv:2Sm5BcadjJBX0X3wsc1fDPdf163aw/Qll69ceVsDlCg=,tag:jz6oJ7z0UYe4s6UVr9dvZQ==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:Ew==,iv:xlBXSRF4D2JQjD6cer5ATRf5F7zh/6c2IfFqtGIA3LU=,tag:nubHMCgBnRps95zbzcOhNw==,type:float]",
 					"attributes": {
 						"annotations": {
-							"resize.topolvm.io/increase": "ENC[AES256_GCM,data:cJzOfA==,iv:r5n3B6X8QSxyOOh8yDf3EoXcBDOm0T3fwNMcwRQJIIw=,tag:6KMwFC1ZYsESzgkp9zoG9A==,type:str]",
-							"resize.topolvm.io/storage_limit": "ENC[AES256_GCM,data:i+3BHg==,iv:qbPncVfq5c+DfKT5SNWK85DGFUGQ5PKzOo/kMLWVh2A=,tag:NKcYCjHoJ8nzphhA9cosbg==,type:str]",
-							"resize.topolvm.io/threshold": "ENC[AES256_GCM,data:d0Re,iv:tpkHom9ESUm26++RsNaO9CQqiAB35E58N629FuDu4Uw=,tag:AVJkjCeNGkbIyVCqEWhcRQ==,type:str]"
+							"resize.topolvm.io/increase": "ENC[AES256_GCM,data:zY/2vQ==,iv:QsUrqMzySJ8dHAlSiCAug0m4tqCgqiIgsxIBhfSjOQA=,tag:B2CLmt7HGKzvQ/9FkVmD0w==,type:str]",
+							"resize.topolvm.io/storage_limit": "ENC[AES256_GCM,data:MCTOMw==,iv:PcpfkCyyWcsOvz9WhaH/57mg8uzRwYjyn5w+A897Pbs=,tag:8/HfhcfR0wslnBAI/fvmXw==,type:str]",
+							"resize.topolvm.io/threshold": "ENC[AES256_GCM,data:pb3e,iv:b+TpHIJeqg9jvqp5Q/FsEzkeWxmM9bCcOz/Q+vvqG2c=,tag:zNRb5dJOMcXmzg4fwdYeaA==,type:str]"
 						},
-						"api_version": "ENC[AES256_GCM,data:IqA=,iv:Pqj7X4JoImSjnnTIhky4c9OzkrV7VdUMHjOjfxXp1Mg=,tag:0bL9mEGeBMeBkPIs8k/TtQ==,type:str]",
-						"field_manager": "ENC[AES256_GCM,data:/PBnZH3B0b29,iv:8dPQM961I3F4q4pnnoQE3JwNLblf8dPepceN2tZdiYE=,tag:UtfCy5u0qCCL1yRqWGgdvg==,type:str]",
-						"force": "ENC[AES256_GCM,data:y/vHtw==,iv:Og7vml5ZF1ajjrNNkvqZMNnbW/hPssKcezCL5NqYwUQ=,tag:MFSxxC6TqoFRcH4HUJXy/w==,type:bool]",
-						"id": "ENC[AES256_GCM,data:LbdITsVk4lboBSDWnfUa9rtz3dWXUcx0aEErk5lxC+0y6OmAHKK0IkOfPrn/9bRPFG0Rr/LnGWCgQRrNdugN6gublkauEXs51hyu,iv:Se5GLF/FBvfuaiL8q2qg+i103UFMoRdCtV+Z1jeoWd4=,tag:WFzmKmgV5U6vSa9zeFApNA==,type:str]",
-						"kind": "ENC[AES256_GCM,data:x+FW5DuvR017Bh9Tnww5no8L05/v,iv:A5VPdcBx/lPZCOl9n9iM4NFwlWX4aMjFXbmP5xdNprw=,tag:IjJNKKapiqWwyTQplKAfHg==,type:str]",
+						"api_version": "ENC[AES256_GCM,data:zq4=,iv:73klKah2diq/e5vIjdtZK7fxERjfH5YO8UHHxrHLgCw=,tag:K3MHoUAeRDsKi82v3LPnSQ==,type:str]",
+						"field_manager": "ENC[AES256_GCM,data:5a/u43K6VYrS,iv:Alu6n7FW16DgpSC7qTo/IymGAE4cv+fKCUnPqTm4M+0=,tag:GlgmbId29kYu9wz9mtXBbA==,type:str]",
+						"force": "ENC[AES256_GCM,data:dPNvSQ==,iv:06JIsj/z8dgA/sPbnATktU8hy6IUuMj0Q90huL2FBFQ=,tag:W27EfzlhDhTzTkx1HFYcNg==,type:bool]",
+						"id": "ENC[AES256_GCM,data:ZvZgMhbWAhW5L+vPIMQuw5g+h1/dGi37MjVd8ZqUuB39Z5+M5lVo4NSVnigKuU/cln3+HsbXpdIroI/v1cQbLkiZKb613jvozRGq,iv:Jl1Y2fc6yxbPJykGa3oOe6cMCoohSuphTIv0GDB4Ny4=,tag:srYc8ub3fYCbTmGXA83vNQ==,type:str]",
+						"kind": "ENC[AES256_GCM,data:gHlK3NOZtBQOAax0XqxMFkzdW35U,iv:f65dOjNpeaRiwunHdSQ2Nh+B6Em3ksHRDVylVmcqZsk=,tag:mr2jlgzBLet0744HWg3Xnw==,type:str]",
 						"metadata": [
 							{
-								"name": "ENC[AES256_GCM,data:ZNurwEGBDKC0RNgMuQ==,iv:gp3wn82xDQit+aUNvSyg7Q79Yn2m63YEbyngaG946ms=,tag:tpPp8OlVqqVKB1+XBaLRkQ==,type:str]",
-								"namespace": "ENC[AES256_GCM,data:yWgXzxM=,iv:YPeYtGIG/wbbjv3yekOyAyS+6BS+gUANxmZe29mLghs=,tag:jwj8oTggAYO0PT4g4WHohQ==,type:str]"
+								"name": "ENC[AES256_GCM,data:FzTn7GasQApqLUV4tw==,iv:B5Px+SJkYOo1DI1akD44GzzggbV6CtNUVkQpPPWKmMk=,tag:BzwJCjCbU4bfwwfr9RQ21A==,type:str]",
+								"namespace": "ENC[AES256_GCM,data:BpCfZrg=,iv:xCyXPCR5xJZZCL0m63k8x8O2Jv7Tzppj4Se+ajWpO6c=,tag:q9tayf5tfbwW+dEK6iPYxA==,type:str]"
 							}
 						],
 						"template_annotations": {}
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:sQ==,iv:AiJoLoJa9C4vn0dUVLqUA09SC6NJqj90G/1lyZbEp8A=,tag:djZdPOdKwPhRmdLCzIqKBA==,type:float]",
-					"private": "ENC[AES256_GCM,data:2dA+XCntaTY=,iv:nFY+6+HHGK1M/J00JZAvyWwSVlg5Wox7ts5jnZM87fQ=,tag:vvJVVoSKj8gaHdg7AG4kPQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:WQ==,iv:4DvHk+b2vOScORlR/9+AQSKM84pLr66VQHkhf6wVPYs=,tag:/Vlf76x8nXRB6zqB7P4eSQ==,type:float]",
+					"private": "ENC[AES256_GCM,data:WlgRA7x7kc4=,iv:ioULQSAOldv/ujgqUu1hC8xUw4dDMCJQSeAVVR0NG1Y=,tag:mLE3It8BjPgA2WpBHUS49w==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:KvDa2J5cv6q/vXGCZHJ1+bVD,iv:S5/UxkdvSQ1AknZ98em1+1cyt7/ZHpJwV78Vb7wwGlk=,tag:u/s71/FimTTnrSIIi9xSvA==,type:str]",
-						"ENC[AES256_GCM,data:hCx7A6TWT/20oh8IW9Mu3aLgPurli+hNih0=,iv:39VLV39X2XhqEWyAoRX/tm2KLxsZe5rgLD4ZYWg54Qg=,tag:0J0tVE5VgcvlISF85CbnWw==,type:str]"
+						"ENC[AES256_GCM,data:fTo8HvnxG/G+/kBdxWMUWyEz,iv:RVQ2ogriWznHrvWZC2ioMqv1TUHzM8gVd0VDXtd4Xug=,tag:KMw65HXx2zxAR0r12IdGsA==,type:str]",
+						"ENC[AES256_GCM,data:dIj8kmOb76toO64/M08frd5FUP1Urw1zFb0=,iv:8x7Alsk0lGA46Y5ao94P2Sh3sP31zL1l7xRVtoTwWPU=,tag:alYg+VsE2A8OdvulWZu+Bg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:15yyr+YzWA==,iv:Kd55EQlC2iUGpnUmz54+erycPYS+KJlqhZZl+12ZBkA=,tag:lxDbzGbKZM7NWtjH13XOIA==,type:str]",
-			"type": "ENC[AES256_GCM,data:XFnpSXEJ3/fFBBobxotXvbaswga3ED8=,iv:n5ZvGDtWAb3RbNf+gDO2r7ybwOHlkI7La7WogBrrrHI=,tag:ia+uhmm8/GA06PZEYlX8ew==,type:str]",
-			"name": "ENC[AES256_GCM,data:brdSP6+ihTVp4xQ=,iv:M1NWbRelE47gvQgw9C40Ys75RItsiy3bgj40rSlLaak=,tag:vGjhE/g5gJEUykrUGJFb4Q==,type:str]",
-			"provider": "ENC[AES256_GCM,data:mCDlpWHKbPTUJcsSDKEf3c+ahRsFl85HVj0vAt5dNGBYFbOuy9kZ6UPwlVOTjFqRhFYvbrsZ,iv:/Psqg7U8NB27MZPe+6uQsC2J+P1TlApi4UC4Y1htU6k=,tag:zP801aHniLSGYeeQPt+rgg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:0HjcVum2Fw==,iv:f+lE2vMSnIHA7ogtuOKib5KpfpfAcCuRH/g58e6zF8Y=,tag:/xP3DqED2i3amYHtRXA/hw==,type:str]",
+			"type": "ENC[AES256_GCM,data:fUIoDoi3gOj3QBIamwEDL8samBFv1k8=,iv:3Lwix5ovhHPGO5sFYV0SwGrfWW32wVaV5tOsu8KVDwo=,tag:ePa2oEy9LpP5DB7aDhIXBA==,type:str]",
+			"name": "ENC[AES256_GCM,data:PrCzM9IYoLN0We8=,iv:lDBu9ML5GVIya+VSgB5WK2z31lQM1BFd9mxG60hPUvI=,tag:f0t33l0oZjAyJpIxh4zHBg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:O/IE9C84lyRDThWezWYzNQuOdGT/HN0BQYAAAgC9EE4aEbbcDYmDuFcxDImAVCoOCIxU+c7V,iv:M0dSs6uR7VI26zmrVcqjRqqcGIqEU2dCaRhlZG1wGXM=,tag:9TiW8xBnbNsRxmpOTTSz4g==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:sQ==,iv:HWwANGI/uVZcXQ5g+kKzF94BZEXn1MrflKK872ScCmI=,tag:wrpL+IVbilDIWEv9j685hA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:jA==,iv:okGHp9qtxJQ0TQfSlYd2yPvCBkUPSv6tml0obD/TiA0=,tag:oBZuxUc+ySrhIrE/0tjjTg==,type:float]",
 					"attributes": {
 						"aggregation_rule": [],
-						"id": "ENC[AES256_GCM,data:ajJM/X8zGmg2mEY=,iv:gq+h1QNKPdTs1orv3vFwpWoqJ9yWFQL8lprcODNKzaQ=,tag:uKhDlzEz+GSmnx1vVDCmcQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:70+40QyEZJd8iS4=,iv:CY4JTgHXWiSx07nuE6Qgb3Mu5bAw2c3d30Z7WRIO3tE=,tag:2gBATj3Qgksbstyz7+NRgA==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:aA==,iv:vWIeGL6/Z//fZjZSVLD7bmArFDbgeusYI41xnomgTts=,tag:hsTdJDfaTWQGSDptkIo2gQ==,type:float]",
+								"generation": "ENC[AES256_GCM,data:GQ==,iv:t6dm+KG2E2/ZFUHLCPEzFHIDQdiRG6D5GigTx1watwM=,tag:7cBTxwqKOKSPmohK7UrezQ==,type:float]",
 								"labels": {},
-								"name": "ENC[AES256_GCM,data:1tC/HH5BN/NifmM=,iv:by5keAua1Exho5JmqMom08nHK+f2J7VNj1xZw67KP08=,tag:l2Zo500j/MsJhKVE0xF/EQ==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:5aQiVZI45ZXE,iv:8g8xgmAAFfgh06pC9eU+Iu6L/CglmoK+ZjZt7Xf4q0g=,tag:0jzAnnB85h6OGceR9UEeZA==,type:str]",
-								"uid": "ENC[AES256_GCM,data:kbWDLS/BdT0mKKOrfnk7AM7R46yjXxH/aSoS4lCLXgUykvZI,iv:zbmL9R/5KQtJCFgNMVtlaJYuf8IwSpCTlXCrfIe2pzs=,tag:idXUre+y0S/9JUqHlQBU9w==,type:str]"
+								"name": "ENC[AES256_GCM,data:kxLJrfAaNl0PccU=,iv:COpsK95/xLggrZwSefEbN/lfuBQeJxz3DSJGYzBQKmg=,tag:aEeAevQ8UNknvXDwx+u87w==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:ch+nD0Z5mItc,iv:piduPa0QxOTre6iG4xQv6Xngbw/eJRncFtMZzUXACIw=,tag:kWzhP7pSmd3MwZATywwaQA==,type:str]",
+								"uid": "ENC[AES256_GCM,data:37WrqYuKklG4kJhdhFcMt0A163HG6LJqERVsXqs3Xelf8gjz,iv:FVVAvSZeNIAvz6+oK33weo4j+veTFYu0iaFCglbfuWs=,tag:w/lFRIk9bT573djJAPsl3w==,type:str]"
 							}
 						],
 						"rule": [
 							{
 								"api_groups": [
-									"ENC[AES256_GCM,data:AxHigA==,iv:ibmM3RxB/uanvnFYfAGxcKE9KukbBjEH1OGyPspDqNA=,tag:/3hbhtOkKGktqFLrbfk0fQ==,type:str]"
+									"ENC[AES256_GCM,data:kDbXqA==,iv:49Kf7qFAKy9/1Pq0GE3QDdj242/dm7u/AuO6R6K/QAE=,tag:sLdcNqFLfbnXvsC3g8eb/g==,type:str]"
 								],
 								"non_resource_urls": [],
 								"resource_names": [],
 								"resources": [
-									"ENC[AES256_GCM,data:RlYuUodgdfVod7Y=,iv:fxHoMJxC6G3Xoi4AKrslv3lkMVZ3Fma+nZ1DCe6vWdQ=,tag:r4TI/kC5yL5TxhKZSXisrQ==,type:str]"
+									"ENC[AES256_GCM,data:OZtdJci2sM1lhLA=,iv:pkRnvWrfEUkn08zwO8n7JjWGdHtF8NGBKQAbY4P7FLc=,tag:QwSWnkbbu36Duk7CJ5xp4Q==,type:str]"
 								],
 								"verbs": [
-									"ENC[AES256_GCM,data:pkEG,iv:LP9ZoF+cjCe6kBkZQ4A+ekmARiQHDA8XclfEJk7m/Fk=,tag:uBrFRrO012XF5rD5vTMVAA==,type:str]",
-									"ENC[AES256_GCM,data:lAkbZw==,iv:3LKoc9f0rf+1aSrHYhJc8QeLsG6trmY/LKalUELLxss=,tag:W9/XzdluET0rN8Dt3Wg6cQ==,type:str]",
-									"ENC[AES256_GCM,data:+OVNxqU=,iv:Ls7qGUYtGAjfxEePunUtRMU5MPS9RQLyrawXxYVpppw=,tag:6QJIghmKGB/hAFUP27uCbA==,type:str]"
+									"ENC[AES256_GCM,data:S6vv,iv:l1hJ1LF/hO2xDA0HrLFp89CgqGA1FVWNhK2+gI2XivA=,tag:KrTQiP1Hya7oYow4aq2DIw==,type:str]",
+									"ENC[AES256_GCM,data:Y1zB7g==,iv:b4LJmttdt8c9IdrlU7dgdhKe99foEnqDY+SWBfQ0F1M=,tag:AVJ/DINpM0NKaG4sgJwRyw==,type:str]",
+									"ENC[AES256_GCM,data:2nc7QJ8=,iv:4cGGrlC+s/rRZNFB4/fMs5tLcNearxdvFkWPlUdbtc0=,tag:kv4fWYCWvcFbovlsW6DiiA==,type:str]"
 								]
 							},
 							{
@@ -462,46 +462,46 @@
 								"non_resource_urls": [],
 								"resource_names": [],
 								"resources": [
-									"ENC[AES256_GCM,data:dxYvZA==,iv:iHLjcoLsorufj/UgHezt1AP2B/YvXhxe8zlzqPI/FKo=,tag:3Z+J4giAPIOrC6UZr3I4Qw==,type:str]"
+									"ENC[AES256_GCM,data:KThG+w==,iv:blkFxFHn2lZwTQTsbmIX76C3V0UNul3FxpJbepOtQv0=,tag:FjKX82CFI9D78XHx7KuGag==,type:str]"
 								],
 								"verbs": [
-									"ENC[AES256_GCM,data:nEnL,iv:+922SZ7uh0EML6sstFReKWJLldLUgY8AiIZ+5gblTzI=,tag:wgh+TKBvUJNyA3+MKg541g==,type:str]",
-									"ENC[AES256_GCM,data:de1yJw==,iv:LvVjCKs+KO+l7UoWJHD/C93ixEHw3FUW7Fo5+pnIOko=,tag:yife1U8XF5iayjRf/cLpoA==,type:str]"
+									"ENC[AES256_GCM,data:4bUF,iv:F2tqu46KYtnO3CWZdvtxH10EQHxpCUXijBxoBMaarF4=,tag:TUjx6dmZAFky3RQjIPLvoQ==,type:str]",
+									"ENC[AES256_GCM,data:a2BVsw==,iv:nL5ol0kRJZsv3mBLNnFkj7UsSnjWGqEfqOPGGyg+Ri4=,tag:NZSlCvtBQN23y4GNHVCJ8Q==,type:str]"
 								]
 							}
 						]
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Tg==,iv:tm7RgjXXndhsiIpJxSjD/w0JkzBPX126GKPnk4SRboI=,tag:qgmLDSBe4JsNBQ/V0laMyQ==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:2w==,iv:W7nNnNcgZuDSWttRcdnnvdtHHBcVqmHS7zcMCycMQp0=,tag:dWTOptTYKR0Hrt7YfxymdA==,type:float]",
 					"identity": {
-						"api_version": "ENC[AES256_GCM,data:cQbhYoDerZOLHQQga1G8+OJywcVLw8WQsmpF3A==,iv:HCzBJysXa18h/Sznea76N4YmKFp/UbBy9xDlVrlWbsQ=,tag:dHijvwUxdC60BvgFIw+XKQ==,type:str]",
-						"kind": "ENC[AES256_GCM,data:BZ04jDC5LML5CZQ=,iv:3t4pmo2cmiDSG1wkZC6klSGHr3AGxvcZjXRyO5ykXjc=,tag:vMnJoZjoKpAaAyk6dbsMJQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:ABkDQDlPctqp9K8=,iv:dbaPQHaFWTmFKDD80zSFkvrIaBv5cvUEz2ztN7SsBn0=,tag:80yhm67ffivOLa/TU6CO3g==,type:str]"
+						"api_version": "ENC[AES256_GCM,data:2gXNOJnmVcOjRwVk7PQH/90zD42tlAA25Pl7VA==,iv:HoDKlxJDkrw4Jf3bKzoiH7exeh80sQYREQhgWyo8P1g=,tag:477ivIv01aBdQ7Jnxjp+bg==,type:str]",
+						"kind": "ENC[AES256_GCM,data:4N8C77mV3sw7oHg=,iv:JwfCsk3lwmbOryjmlAT4PhVY3CMnQa0jLRSFxOYfb8c=,tag:G6wt8WfaDpk/t4kahC/OPg==,type:str]",
+						"name": "ENC[AES256_GCM,data:t2WlhCbTblzPl3U=,iv:acb1wZHTKVF5KoQ3DMBw4vn412LCsUxnxPWYGmrSNpw=,tag:By5bRv3O7IOc+IX7C0wI7A==,type:str]"
 					},
-					"private": "ENC[AES256_GCM,data:2mU0A/DLjVg=,iv:UF2m/REFZrEpAXNwsVTEf9bGuqYsHyvZCZ68aa2mLUY=,tag:2H6WgADAqGD6qxDf8IBSBA==,type:str]"
+					"private": "ENC[AES256_GCM,data:J8YxnrofADE=,iv:Jeg3+HPh0L7E7CzUJEi+YKle7nW94cHXmk6jS1OrOd4=,tag:Hoik123mfpkdvuA/Ft5YWQ==,type:str]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:4+HgL9wO0g==,iv:RSab18aRpHIjqHtFTBhGEm3NCjoeE3v0rRAu80Vt9P0=,tag:WJq6gdGg2RUnGVeCaAid5g==,type:str]",
-			"type": "ENC[AES256_GCM,data:98tEGudEdte6cRBIYENMwU8kv2WZVCo=,iv:RuvY/ZHLIGWcnrSaoNgtDbYs3YFIPAKsBwOkVCBrMHo=,tag:3omy4AtFN5xlY+C2h7o0ow==,type:str]",
-			"name": "ENC[AES256_GCM,data:7mrkyP93vHeul1NwaJKNXw==,iv:We7XJeBOr1H0YMn/gEC1yoPYAy+4X4QaUfRzmaj8UBc=,tag:kO98Wqe8/exxcZt01h/R9Q==,type:str]",
-			"provider": "ENC[AES256_GCM,data:8Bw/Vlj6b0vsrDZh7dh8iToEMMOfV50sXQENnMji0K5s2TSLG+3ibrf9W6tnWldzUEn20xjW,iv:0HaKKnZfqXdn3Qsr/hwOnTQXSMXkDwWbYKZdjyw0wns=,tag:XadEuQu3bP/Xn9gHQpJzag==,type:str]",
+			"mode": "ENC[AES256_GCM,data:qv+fxoU1qg==,iv:wyJG6I+YM57GqXDkdRJXOmUZa3am8TfkcVYe6VP49Ek=,tag:pjEYgp6EEqW8+h4CtKAGVQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:Tfh0aZpfwKOUaf6x+2c5jqgD5ZTTqek=,iv:O+eMVbTABz+Ome47YzQzkXj9XaGlaNCqDegdlavKWMk=,tag:ICMAMV29SJ5WKNgu4oXsTg==,type:str]",
+			"name": "ENC[AES256_GCM,data:MEHek79KrQSroraNSes7nQ==,iv:+Ro/H9E/7LX/pt4MAMKIHL7H54Lp+1/9TZgXkMOwjhQ=,tag:sxufYkhoQzXF0b3IgtUUYQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:4+u87+OPR6ZrGsfIhXiuufGsYdqAu7SogoH/gBV0nuGXNg220EYtyimLYO5MoO1FGrPyPWg6,iv:Li/aKJB8BGynDCza0hHWI97aRvHg4356+XvNwtnMgYg=,tag:rgO30Tfbf/yccuhRaqIdTA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Lg==,iv:qJ/AdSuQ8T2hMnPg/ZTvjhZUdLKMv7khwfOo7b7ku4w=,tag:91s3v4hNtHOntdonRi6wrw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:0Q==,iv:sVinKZEGxwTy5Ak7cq2ckGUIvgx8r1WDuIIvenK8xag=,tag:93er482BRH+fnZFBERd5Sw==,type:float]",
 					"attributes": {
 						"aggregation_rule": [],
-						"id": "ENC[AES256_GCM,data:9xShnsBXZig14EtxPXr0yQ==,iv:2rq4X/c7AfbFJYB5YaEh6bQ8BQbOi4EJnbJ8TWZLdyA=,tag:Db7H7ATuPWvZgtXjsUgyNQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:NaNXMgKf2rffyQajLtaIpw==,iv:S5ztoTHC+kWDbCFgaSBdg4wl6bNwYfC9heDtvvvNXz8=,tag:on1ob4iO0h5zb/YhKK0weA==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:fQ==,iv:0oirCtLREKEb95u2UqG18Ou419PmQCQZhscAxscP63s=,tag:/nA27vOmJXabHcBNLYmlZA==,type:float]",
+								"generation": "ENC[AES256_GCM,data:yQ==,iv:J/p8QjqGSMK/mu3yqagopt1q0TVy25Z7YlCjQOuxCz4=,tag:XkvJwTdhlU4NpX7Snn0GFg==,type:float]",
 								"labels": {},
-								"name": "ENC[AES256_GCM,data:zu//17/Y2Oxrt6akqKl6BQ==,iv:1KLTP/nXmigoOrJ9nON99jn/NUX5IXrNSQf5PaESbpo=,tag:ubdCUnuzBlStsRgHFaevYg==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:PJmjyLmXSynf,iv:AS/T+EGITWBwZAlaMg1Fs1UetQbHGso/kTxUkE+wfvY=,tag:KzzUSQ8eWV6m7VUwwCHVgA==,type:str]",
-								"uid": "ENC[AES256_GCM,data:zfkE47ZqbCpkcR3HioOtfDJnXV+btDBGNaqt+XWXdRWfXHEl,iv:qCJjiEOTJ1Bv4qaFcuk7rYEF8LpT9h2MkE/mlSwj0q8=,tag:cXA+XTrJ/nLqnLVAQQQklw==,type:str]"
+								"name": "ENC[AES256_GCM,data:rbijLQsAxeLHOcZMpdd3lg==,iv:NLJ0AnvSeU5jeDEN0hReoFp/XjgaHDqLXfzJCYLERpE=,tag:XwDIB/UzTmZvzlmnmc3oUg==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:IYckSEBhY1QU,iv:ecESvnDpXBMzBGCIjfhebKlwPcYst5DeQUB0U5qq9UY=,tag:f/7hC0NON76H0kc+rLt2eQ==,type:str]",
+								"uid": "ENC[AES256_GCM,data:xfdPOcZQZ2vNc01qwJTpVHfQiLmsod1eRy8WEEXicb4972ez,iv:F3zMn3jxsNjJZzRdkFEQEodYSTEzyhhs8pHDp2z3Q/4=,tag:nfAjUQkkWA6ZpxjU/6lZUw==,type:str]"
 							}
 						],
 						"rule": [
@@ -512,10 +512,10 @@
 								"non_resource_urls": [],
 								"resource_names": [],
 								"resources": [
-									"ENC[AES256_GCM,data:p9ps/GR+B/xBixe65rdn5ZwO0nz7,iv:cNeTvq5BQTD5nAP5mg+TW101njOXTa1HIGQRHi0cV6U=,tag:CNhg95C77v3WNFSTKlVKoQ==,type:str]"
+									"ENC[AES256_GCM,data:eZXBTATW1LcY7O5RtzJ3S5ABiD6c,iv:4rvrJdcrpNcnrPEkDoiY4ie0cEfYnrpXCdBAkLrw8Sk=,tag:vPsnNx1Fa3AxSHOZTD5uxQ==,type:str]"
 								],
 								"verbs": [
-									"ENC[AES256_GCM,data:UztTr1MM,iv:1m9vf562hqH4BVziyX3e9SFOGUhHqS5QxXlv5gPBdZk=,tag:R726Kj3/w4El2exi2eW+rw==,type:str]"
+									"ENC[AES256_GCM,data:hCBs6Yvm,iv:0GYX1kULV1McBbK1xkeD4oU6u/c6alpcUnSIbs371cQ=,tag:9HM42By099DGZBsmBfg/UQ==,type:str]"
 								]
 							},
 							{
@@ -525,144 +525,144 @@
 								"non_resource_urls": [],
 								"resource_names": [],
 								"resources": [
-									"ENC[AES256_GCM,data:Zgvz317nDdV6g2DCCexw,iv:Jv1hkeXGORi/Em+WRWQzM/toZnzynsab2v07OLr8Ogg=,tag:GwCJxCdoYXwSgoM/68hmwQ==,type:str]"
+									"ENC[AES256_GCM,data:mYu/GDAJE/rtrQ0a0R1S,iv:xxxZmY+mPJ5fvpjnWJeX3isDnFA3ROGha1fle0Ktqiw=,tag:+2mM67LBG0zYfZD6ligx6A==,type:str]"
 								],
 								"verbs": [
-									"ENC[AES256_GCM,data:OI5R,iv:y0tgMniQLU0ymHZ69Vwrx3XhcNk6ihQNsWvOPUPXvwE=,tag:h6w5fr8CYTE4Zw6SmFlz1g==,type:str]",
-									"ENC[AES256_GCM,data:rwagED4a,iv:ZxuI7M9MflHN3urcTUMsgUAHgYZKwWLwSgqlqu8VKOs=,tag:qpvN3zRLnIdUVc0wIWIGbA==,type:str]",
-									"ENC[AES256_GCM,data:4atYCRI7,iv:RJJSO4yvlFdkFbTWYA2/2oLUnTdUkonxb5l2X7aKLfo=,tag:KZqxl1uq3vPjgWFs267DxA==,type:str]",
-									"ENC[AES256_GCM,data:brB1b1/q,iv:VQzfpifwRqn0IcMUALVyG7J21GdkUC1bggh/FC6+lck=,tag:mrquEECzayvCEhnYvTX2/g==,type:str]"
+									"ENC[AES256_GCM,data:n2Qh,iv:XWNjdMG8gqZnEQXXoaZxvFgFgq9Tk23DkAl9v5GPLO4=,tag:TnXlA8oVh4B89EMDNFIAjw==,type:str]",
+									"ENC[AES256_GCM,data:tgUqJlHL,iv:58jNkjtoAiPcregbiabE94o7rtkCUr35I+ikzUGyx1w=,tag:5Q9xq46DrAnNtKA+QI+1Pg==,type:str]",
+									"ENC[AES256_GCM,data:b4gBelNb,iv:/FQptdlvVc+TzB/JIkLlmoLLfG+sKMN5w+crfh2s/RY=,tag:awAtB115EZDgu+oMnxe5yA==,type:str]",
+									"ENC[AES256_GCM,data:X2OREMKk,iv:OEC9ceCz8oiySfjc4upm8ITd6HqA5WOTelzAKDxKrrc=,tag:UuR1grkakHCP0NoN/1WQ8Q==,type:str]"
 								]
 							},
 							{
 								"api_groups": [
-									"ENC[AES256_GCM,data:9sxff+eciNkZep25pXncI0qsg1zxtYNoPQ==,iv:G71F6VjXCoQ42F5Ch0vE/cXAtsv/Ej2WPgxIcmMOd/o=,tag:3bdK0opMIpMKq/brgaki9g==,type:str]"
+									"ENC[AES256_GCM,data:64f6A6rwGT+Ag/gkm8OQOCRNEQznhnHS3w==,iv:8nVXqy+gfCyWXZEUBe8JR8UslMDDt9jWmwXET8V9Afk=,tag:ppjznVZpfy6xqRrBPClFkg==,type:str]"
 								],
 								"non_resource_urls": [],
 								"resource_names": [],
 								"resources": [
-									"ENC[AES256_GCM,data:PRM4T2tz67ogVdig,iv:rq0jEXxVHnR48Tdnz5dga8zEf6xEGtARRAbfEg91rOc=,tag:ugQvT7eyd+JmI2BfOW+9Gw==,type:str]",
-									"ENC[AES256_GCM,data:JK3lZZSsbIaXFli3lxLi67ULpw==,iv:MXha6PSVD8enkbWI9MR9yOTpL46EcNpvPobcYy6gFXQ=,tag:20RAZA4PIT1zmv6omqN/dQ==,type:str]"
+									"ENC[AES256_GCM,data:BYjQ/u3RisdF9OL5,iv:OL+1V/8yfqK/Ibd1Le0oVrMnj+i44x9OiKN7Ggfwto4=,tag:Ljb+Du6U7UGQMqImBLFzYw==,type:str]",
+									"ENC[AES256_GCM,data:SNIg2hFvaYXJfg9fPlpP9Kl+AQ==,iv:XDsjorVd4aP8o4o42hHoI/dbgy9AgA4GvJSzRtUCdsg=,tag:Axz+kVJtq74T/xmAV5lTWw==,type:str]"
 								],
 								"verbs": [
-									"ENC[AES256_GCM,data:Ne6QKKKi,iv:Ue/eFZuUL3q9TPfU1zqzJM3QNoC/dJCOMrCxuZ3i5cI=,tag:hEVRHsQG11GDs+d59YkalQ==,type:str]",
-									"ENC[AES256_GCM,data:LqtauIOd,iv:+AwcnXuzK7QoF8naA+GISdK5+8vSICrk4TQqpKZwDYc=,tag:HF0M0Es8CudTmfx6MC40dw==,type:str]",
-									"ENC[AES256_GCM,data:lNQ89WCs,iv:LspELIvGjDNcC/Gdf7VzpZX9k3Bl7/FkClnIMS3A0lk=,tag:uWgGN/S7itq3VlDF+OY3lg==,type:str]"
+									"ENC[AES256_GCM,data:h6WTNFD3,iv:1GRj2ntjwKvERMYLU2Y6EAtDRwPvwi4v6lZks8fc5WI=,tag:kbbfm1W7XP6/KjDboQT/rg==,type:str]",
+									"ENC[AES256_GCM,data:GKptXpNy,iv:9WhQNs9FEhTmzNF9l2+WkFZOgXCsoLV2W9lKScRGCc4=,tag:iLadIqGpRtr9odwQd/tBew==,type:str]",
+									"ENC[AES256_GCM,data:BkFcZQDt,iv:o4R61kcj4sL2ZZ9wXxQnqxbd6l14JenJqfCkDNapUnY=,tag:CbUlk8wVtHJocJF5kQLcjw==,type:str]"
 								]
 							},
 							{
 								"api_groups": [
-									"ENC[AES256_GCM,data:LbW+7s06FLfFmRingGQ5aD0hTCasm/WqCw==,iv:sgH5fdc9G9gGA+foPTFFGRS0FP0eyEpjMyuv/41i1R4=,tag:licW6rifAF4pd9OfHAbR2Q==,type:str]"
+									"ENC[AES256_GCM,data:0kl3hZUmHUhS5VoQC57mm45f+7rWc8tWsw==,iv:7B7Ek1P6R7g0I4qyjF2KCV0AfSarMFfpFXvROR0EQrU=,tag:H6BJDk5EOxfh338j01tvog==,type:str]"
 								],
 								"non_resource_urls": [],
 								"resource_names": [],
 								"resources": [
-									"ENC[AES256_GCM,data:hn7p5OU=,iv:cJOLwZZ/Q0LyBuTNCsYxnjaSmPYfsbxuaeQ3XLfBk0A=,tag:hiY1bkephacPas/ioGPEOg==,type:str]",
-									"ENC[AES256_GCM,data:l/nReu9KPijncwhY,iv:bptkE7YpSiopSOZsKXzGosLSSIyWF41sE65FqI6fiRo=,tag:mb9GdaLmUYVHCyaAVa6FNw==,type:str]"
+									"ENC[AES256_GCM,data:W0wo4mk=,iv:7p8rrPYTKlJ/DhyaI19wbuGj0FdqA9GKbsAK0ZtaR+Y=,tag:SZgAaqZ37AfWJP0ws9n0Kw==,type:str]",
+									"ENC[AES256_GCM,data:STNRfV3d3wlJcNI7,iv:cX+tPaiwX47BOX07306Ipz5Dq3NwdRKsqnExKFWUG2s=,tag:/9506gdqaoEgdwkQpYYcZQ==,type:str]"
 								],
 								"verbs": [
-									"ENC[AES256_GCM,data:3NL1zg==,iv:sZY0ARRIU7HeQnCsw/H1cuZlrUt4roe1Wb7f12tO5/k=,tag:WpgTizUWD2QXfRHCcg7lbA==,type:str]",
-									"ENC[AES256_GCM,data:lwWWvFH+xTU=,iv:CDNAYTXSbbgI/rHC0mBXTJW/ypAsDqwW15gEdGf5voU=,tag:IV60rINA6GawPnzhATAwyw==,type:str]"
+									"ENC[AES256_GCM,data:qEMPsg==,iv:EFUtOT5fd170UIoRseG21fcZ98rEczaQH+zOqSKjTrc=,tag:jvnR2VAnpEfMFW/Uy18kyQ==,type:str]",
+									"ENC[AES256_GCM,data:7w8mO9Sldww=,iv:y8wEo9Olxw4KqvdeTgXBab0uuhRbrDsHEcCn3GZFJz0=,tag:j/NhlIXZcHuKX+5EZ+NvPQ==,type:str]"
 								]
 							}
 						]
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:3Q==,iv:uqnLFmCydeAvkzJ5I7Dznw7X3W8AschnefNIG5Xiv3M=,tag:MFjyEtrSU7BD11f1Blg6DQ==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:mw==,iv:BXIXLgSTzEXZCqI7cL/stz4x7qJYkum2BSivSkJWbrw=,tag:iyxQs4Ci8xCu/vCneCL4zA==,type:float]",
 					"identity": {
-						"api_version": "ENC[AES256_GCM,data:xDCghmjIwhTtggPP3iaVs4QRlFVOWKI0UG0X5w==,iv:Fgi4DBR+9/i4pywz8P/sHXCBrg4H3Nr6GyOXPR0ReJg=,tag:5Hn8OqbLyW3jCK2EGrBHwg==,type:str]",
-						"kind": "ENC[AES256_GCM,data:Y8upC8EGU38ySWQ=,iv:1rniPejpT+SSfFAGLuHYxv1UA+jEf7mq4pwuVU83LDA=,tag:5zC+vFEHuU4+xQQSc12Egg==,type:str]",
-						"name": "ENC[AES256_GCM,data:jKJrEMks7yQAW6oOK+s9Cw==,iv:XQ2KcmPzeE//M6lDM4z/oJ25BfzWJU9Dwz9hNndKaQk=,tag:yTHo/2VOxkVjhBc3Mer8Qg==,type:str]"
+						"api_version": "ENC[AES256_GCM,data:r+bfYWGDaSoB/YKf0vJTuH9ZkpxyTbM6zSKjlg==,iv:lTDuJDXAdcD52Shlom23+crXYSe3Uzi/+ywrLBxN+WU=,tag:JqrVGJZW2HBo9mp2C5A8Yw==,type:str]",
+						"kind": "ENC[AES256_GCM,data:c5mmg9n8+BNa5/A=,iv:Jx+SNxpjTzaCJnkp3jIeGvlbp/7t8n+VKVowbcaWXpI=,tag:E9BYf0nZKv6szOXPVlHyxQ==,type:str]",
+						"name": "ENC[AES256_GCM,data:8HmjEHBgDXOPa1qJD9s1ew==,iv:SXzdGTgL2nfbkwo9e+O4FzvM7bbrK36XW6tm4NF2sYc=,tag:dGAjiSjw3JksFiTJLgUNrQ==,type:str]"
 					},
-					"private": "ENC[AES256_GCM,data:fPe9VKG9oy4=,iv:rdaabCWR1zGrmGjLtN1BV3XYApAxl+28amL9fOL3mjo=,tag:a9D23odrP3Tw1x1A1r3bPA==,type:str]"
+					"private": "ENC[AES256_GCM,data:aEwC47nXZOc=,iv:mygIKIImCsg1wicXs4NOJkyOyTJR5xBq6hsWJOis4Rg=,tag:as5ZpFFEfvNGlFardtNb3g==,type:str]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:zYgOaTj5rg==,iv:a/1+RcbPFh4UL1GZZ3sQ4ON5pMUZQ0QLM2DH71pG1Zc=,tag:h6hHOQj6dFVckqCWkTRFQA==,type:str]",
-			"type": "ENC[AES256_GCM,data:b2m3uYLTT/nG05Us20iN3ukeaANlv+MxcG3XU41bqQ==,iv:/RrGfCPr+pGG027HTlM/vGxjCtjQsIYjcD94F70hkg8=,tag:7+6B0caUZgEM6gSgvTOfqQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:iWe7C+GtFaBZdEWto1ogVA==,iv:X5033sWiyBQhzQ3tqoL9qnjywECk6tsvIH3KnsdaS08=,tag:QLhVuYVcM7TrMQF8PKrlVw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:hygU64QFFALw6Okep6IxJ9Ojwnhf0219a+fTSH0zWVBGTwq6q7+UkWKw/ar2rteQDPNyyuuw,iv:3KOwLXwkWGTz0dVrzbHYIAdMo7D7qWQkMmuFOH60rZs=,tag:d3rAlw1N9CXZE4TW52zcMQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:yFq7oLfu/g==,iv:5LM8gjvsHy73mr2mM4+3W+VwdtzKJdzSSkHom301NRY=,tag:UDvB2kPWtCegfwmB/sfSVQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:U/uOImAI0ZcRNE74a/s/QC/cG/LU4m8YcJ9CLhiGWw==,iv:jRoVD57JQiHoRzfCMtlpdWf1wz0aAn2VDKlqOwxwbow=,tag:FE8SAefUjtH6RiZhex/skw==,type:str]",
+			"name": "ENC[AES256_GCM,data:aWb/h6ZOmb8UrGdND9IDTg==,iv:gf3H/XaPS+b7hgy+PO2tyRKwKhnXdy5fVKzRm+pToNA=,tag:MuVsHkeL756u8ZC85AFBWA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:lIZiqxQK6StzT1qENcD67VVPC9kJAGJmMOFyZnWxin1rbk+n/dFCV2eiX7QOHkzSOXbSTvaB,iv:x79YHGszMndu21LL87HkugARHl3yzYq/8gKJ8tgj1sA=,tag:mBWtAIHkXHKUevPHudTj8g==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Lg==,iv:qr0xOSVtAsVHN07aMTXXM+PL4NNnRipBGdTGGWSUKOY=,tag:IAiPBTW4XmPEUdsy4ACNQQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:xw==,iv:NaZ538MdjpwvJ9AHDMM7iWxQGtNWifzdmS3pHh9iJrw=,tag:IP8R8yuYBHx1CcyIzmqxCg==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:6CkVLa946bpFFOl1Jyd9iQ==,iv:/ESepb+fTPRiutwhdq/h1JTjAbEDNRQpYIbBIMNZLkQ=,tag:XcaRpUJH55FGkAQAlCrfxA==,type:str]",
+						"id": "ENC[AES256_GCM,data:T6Y0x0q2BpIdwPRTYLr0cA==,iv:HkJZlQAKuHJ5zPz1mpisCR+V64PnfqsPE0vVa3af8sI=,tag:XHd7jmqkeQgKC206e1JwJg==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:dQ==,iv:uTX46TyPKasO1JuOlGpEma73UeuBF0CsuX/sYVqijlY=,tag:GLvsQFS3vgog3WRr/La8Pg==,type:float]",
+								"generation": "ENC[AES256_GCM,data:JA==,iv:mXjRN3Sv1DjEZPL+1v0R0QgLX86c05twIG97w3pc7e4=,tag:x8vdcbZ3BT8vX+cRzLsnbA==,type:float]",
 								"labels": {},
-								"name": "ENC[AES256_GCM,data:BLtQAtJGFoqoaJ5R5dk0Ww==,iv:bpGeKLEpuIoh63tTfLbWvPMduAmzdjZyEJrFmLlAACg=,tag:tmXUGMiKdL/VcX6d2NctkA==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:aF/hnn1QEDbM,iv:PhuVjoiNW5MBMra00J22o5GIHyBs4THljmfOPBXk5B0=,tag:PCkkaOAYuLQadnQ2kkpCtQ==,type:str]",
-								"uid": "ENC[AES256_GCM,data:hPYSfHcwYA1MnklPiVED3exItVEjSHZONae4aclC3eyd39Wv,iv:DPFhzh3lwbKnEb+ytzUVWsQsEQpcKkIjCfAFub604Xw=,tag:kTxtinOMiGTou9lsuzEdOg==,type:str]"
+								"name": "ENC[AES256_GCM,data:0+YVt6ageUq+ZOzOrn1tCw==,iv:9o6pkCby7RO1ZFbwb2Ka6oQRHcDQoxEcjWgczIlYCtM=,tag:dFI3EkSmcKVWm9WF2DGX0w==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:Opkr5suK6aaD,iv:rxoDl/5zScMBcxh4nw+7PRTs0qSlCvPK8E9+mczi1n8=,tag:CGDSUiHbkzdsl8hAxRwIRA==,type:str]",
+								"uid": "ENC[AES256_GCM,data:/4X3IRKJzsCkHqYdA8sQkjO6hiQ+dFLz7/NLXRlDB75rNhjN,iv:4zVq1O/oky4Pc9H6jBEpcZucK0ir7jArTyh9oc+PlaM=,tag:SashiGGZKAQFjKL49ZJCTA==,type:str]"
 							}
 						],
 						"role_ref": [
 							{
-								"api_group": "ENC[AES256_GCM,data:bsNR89nTsSJJ781+cHnUX914E+G4Cl2JKg==,iv:1WW5/HQF+xY8prXcBEWbKoN/r5XXvNgBA6/E/b2Gf8U=,tag:oohW7K8h5f9QWq6+z9tgRw==,type:str]",
-								"kind": "ENC[AES256_GCM,data:8QHJytKQFeywT9w=,iv:8uVeSiUsQ63d+vJy52T13VBpYdwnX1s8lzVrpCGLriU=,tag:cFk3bpcj2M3UklqzIQW1uQ==,type:str]",
-								"name": "ENC[AES256_GCM,data:681DWlu1LLvFLMDepzAB0Q==,iv:3YZ8QxSWQ/yMxhLVPPj3WViXq4gcRJfcJX347FLK5gI=,tag:jjtTap6UXl7aL1MDg8bqvA==,type:str]"
+								"api_group": "ENC[AES256_GCM,data:m0MaFRNjaoCP/guYCMnK4BeZZaopzz31fQ==,iv:xGfIy73XWwgFcpHfo7fMYu/KHTPZ3MiT/RHYx3hceaY=,tag:bo0LXx4VfYxl3DmaZOgf+A==,type:str]",
+								"kind": "ENC[AES256_GCM,data:57e4DASxOohqmfg=,iv:uXuJlXLPQiYUYFIApkC2H5t8zWZqYLTRicYK3lQWXpY=,tag:yliwlf/znVu6q7yb5eSe9A==,type:str]",
+								"name": "ENC[AES256_GCM,data:xdd9XQETj7REZDOxPMFtHQ==,iv:nhREXTtezoyJNkBg0HycjiMzG16lTLbn4MZoRhnfks4=,tag:kUCbhQadYxAshORpKs4xog==,type:str]"
 							}
 						],
 						"subject": [
 							{
 								"api_group": "",
-								"kind": "ENC[AES256_GCM,data:W2CKC9j2ZXo0U0Q3brQ=,iv:u/it7R96PaSqmWtuZenMhXVpEsBfR9q3WCA39OhIVAk=,tag:6mas7W2skG0Wh6lmABzCow==,type:str]",
-								"name": "ENC[AES256_GCM,data:+4ik17Q=,iv:Hq198O65rgwmKvgBvpZo6mzxz8218AYMRs1jRvE3Y3w=,tag:MxgNeQQwWwrBi2o3MwW1eQ==,type:str]",
-								"namespace": "ENC[AES256_GCM,data:YsZm5HM=,iv:7M7iTTNBuveaunS/OwgN/j1jXDbKJPH2DpoBoLuF52A=,tag:98sORRelX+ISauY715xkcg==,type:str]"
+								"kind": "ENC[AES256_GCM,data:ZCZKPVzWbmcI0+iJF5A=,iv:Su+9AQySCjmY3RoKaIW+Fa1nuYTFHS3bv5xzC+mqU54=,tag:cz+EMaaj/aLqMsXH+oeMdQ==,type:str]",
+								"name": "ENC[AES256_GCM,data:3XbVbU8=,iv:NMFyqvoPMNk0XuYx3jXwt34g153GQRMOt96vgdUNlyw=,tag:ugIYwUG/ox5jQq3vza60Nw==,type:str]",
+								"namespace": "ENC[AES256_GCM,data:kXG7a9k=,iv:UEg37EjP+9A9lQAskOW6Bt9Iiefn3FskJ0Zg4k4En4g=,tag:Ozld/BLOUaXMYzWbywxHQw==,type:str]"
 							}
 						]
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:LA==,iv:kToi+n/sYzQ49YW6cIPSlDy42QyuEnF24Ft2nT/fWDQ=,tag:tMhEFXmDYoFCHQIEYIVYCA==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Rw==,iv:+MQa/hH8sD/lUVtMd9jX9PipCPc/HKs5mKXNcSr08rM=,tag:NdAqO1TYzUAL1HV+2d87qQ==,type:float]",
 					"identity": {
-						"api_version": "ENC[AES256_GCM,data:3e/RzUTOfHFPC5TBeNhP28622RKwZEzSWDIsqA==,iv:zb7KZEfW+x8dZ4Nz7rO6Nc0hWl2n7ZcDEcizDiPIK8c=,tag:5FhnnBOiFJn0grPHcaaQeA==,type:str]",
-						"kind": "ENC[AES256_GCM,data:Z2X2IeyOYDBHIl8mTS60nI6I,iv:6duAhnNYGaBw8S/fjvHUs+eJL0rjbXaGOLe6tBoJoOs=,tag:+zbrDkTEZaVXCJAw87K6ig==,type:str]",
-						"name": "ENC[AES256_GCM,data:xxr9btIrC51It7xjOgaKpQ==,iv:sR0aQCW4kkj2WLOym4U9t7Ck1qG9jtPrzr7NzGBzDjk=,tag:W2yVis8q2LQf3koU4WadEQ==,type:str]"
+						"api_version": "ENC[AES256_GCM,data:NfALqKImGlcDSxriJpHc97RlJHDZoOZhsx4hdw==,iv:diT51NNizKQTMeNY5enSRQsI9NmAUJpVNIfi2egz/qY=,tag:8vOul4R7AEz/4VQDd3L3OQ==,type:str]",
+						"kind": "ENC[AES256_GCM,data:wck2RT8UPhR491DADndFki/1,iv:JMMDtXVS8DP5Q4XNvFGTWrgXAhNm7ZICEDZiyDtWDFA=,tag:gpJ9wCume5Q0Wla2r2DUpA==,type:str]",
+						"name": "ENC[AES256_GCM,data:iKfvWFD5ld3qew1O0yqnyw==,iv:ZTm2i9dtzvNGi/93TsRwbY8VLhDppSS1DMtMl9JPHpk=,tag:kvbehyzJ48P7jYcQYE847Q==,type:str]"
 					},
-					"private": "ENC[AES256_GCM,data:DfoiMHbA5KI=,iv:LJhYXJ2EWpZpVpG1ur0XxdKfpUBXhSO7StdMXV+XtAw=,tag:0mNvixhoFPerjzuhzNjNMw==,type:str]",
+					"private": "ENC[AES256_GCM,data:MqImGuRsp3c=,iv:qTGdSqfR5RnEvgF24OK1FTS/At8KGHni/yzbNTMkJP4=,tag:oxD81qwBGJkqdHSNXbUkeQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:F+8vndgv+s4xM1kruOWDGGS9VNpALArIHa8VXwanmTSVH1EDA/XKVQ==,iv:cPb14RNxLtdcHCJQjnj21VGtSSEkDUNj8qsjt4qfJ8Y=,tag:vbNJwRePkiFkuEGlx28Kfw==,type:str]",
-						"ENC[AES256_GCM,data:+n40Xxq4yg9dGnLK4dId7QtKA7P7daLnpMI=,iv:WjZIwvSupRDFdwrqIOghQiQ10bIViPDNxSSiZyDss+A=,tag:toeIg3Qat+EX51NEmVUaRg==,type:str]"
+						"ENC[AES256_GCM,data:vOF32QjF6TAHyy/Bteh2chk3c6SI6MSSufrc1kRJOTIo90zR+Z5+Kg==,iv:4g71UhRCGjr1fbmiA+6nbFKYDFdpbh82st+d6BQ/n7Q=,tag:riUjJrzoKXImcAHSSV+wuw==,type:str]",
+						"ENC[AES256_GCM,data:KX7ehKLU+Y6VBGfSk9vhhR9um2ZjR7QkWrI=,iv:VujnBwMwTRS3uuvwHZjk9HQ2qCKkpMUS9SRYV4cuNiA=,tag:fEWg5gphzhrP0+CtuKrsgA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:hOuIszexiQ==,iv:rTd96f4LB8DTXQRocpIBow2NsTORkGmJuYv7vaiEVZA=,tag:WyjuYQksAIi1earnZ5IaYA==,type:str]",
-			"type": "ENC[AES256_GCM,data:JarU99P0/Yn02mqnqbeGIJ84AL7OxQ==,iv:R3j/jE2YaqW5v1M1nmzSHoL3epIX3Rk0S+F+dfH/bs8=,tag:6g6o9jRNdu6bDtWNRLMODg==,type:str]",
-			"name": "ENC[AES256_GCM,data:mlN//4VcJOtMRvQ6,iv:3aav59AoJw2Y5G0euH2tEsaTmQEVaBz5FHQYWuyz+Ws=,tag:th8X6xlH8iKasHtDcnxsJA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:WA+lQ1tQiVTIyCr1MIVHt1HygY+tJU3gW8om+jrfHBUftdQ6V2bxQhSbu6mfv8Bj3t1MbQAR,iv:/JWbp8jxuRSe2LLQRWkfPGfoWLeYhLkJC+KeRSP3CIU=,tag:xZmnYKh/qd1NXkL/bLf3/Q==,type:str]",
+			"mode": "ENC[AES256_GCM,data:zvlMkHkrhg==,iv:34H4lQaqd39L1Wo+v6YUDUqDM5V+Khho5janhQ+hmxg=,tag:C7w432DnZmSW/8mfNbKYHw==,type:str]",
+			"type": "ENC[AES256_GCM,data:vbVkKwPB+Ip4mClHUqx9zMOUzViBlQ==,iv:nO3bM+ADFp9Ki+enzbWWr1PVW1TMm2o3y1MPbsuIOT0=,tag:qsUuwR7te1bz/x5JyAtNbQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:aaRVTA0YsNNwTD23,iv:cOgjuY6Wa+408OZWHUS5xCxBW+Al2GYDvxFdp+kj90w=,tag:zPyZ0yAvyAMAT/WBX1K3vA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:SzDYaSTyJGnQCrL+7aimvD1spZo9VHEV/EcJi6kH6EWeLw9FeYL581P2WiQVUNT3QjTWHebl,iv:vqjAHw/XqkIdOMZBx5Tvr3xS3Bt7f6QBcMJql/Yp2xY=,tag:wbvo008mPK/hGqzIvc+cFQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:VA==,iv:98CuJwXvwefw3ZdtD4IYGLO1AY3xt9vKo7/bBTvAUnw=,tag:NfAcqNfS5C2zbu/O0kIQ5A==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:cA==,iv:N2TryfU+BNbuGLFRdwPFqCmEYhlJ9l6w3dAr5A0ls6c=,tag:FtEWERG62W7RBbKY+K1Wzg==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:GB9flhIE169xol10exj9CXsGa+WsSBg=,iv:/zLAuY76EiWd3bb/3z1izc6hpaKfTgwxARMO7ELDLK8=,tag:VZM7jXWklSv15kl3fzK7/w==,type:str]",
+						"id": "ENC[AES256_GCM,data:MoXOnMtOa8fYCWzRIWZ1Rhhw7fUpIwA=,iv:z3VlYJSe27zZfnZGKUHipnrOX/P0nGmNvSIQ865dlXs=,tag:l2jm2fVYKU6+7ErI0WpcWQ==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:QQ==,iv:NTirubIp5VlmbcqtkAG+sCUxHO1DFpkyXEh5dq6LfCs=,tag:hz77JPUpKR4Rl5b5JYvM9Q==,type:float]",
+								"generation": "ENC[AES256_GCM,data:Og==,iv:mbYj42e3fvo3dTGFTxQsfWN33rPuiUGyxuV8WyaNbxQ=,tag:O49ddGgZGB0NtxbOCSNVBw==,type:float]",
 								"labels": {},
-								"name": "ENC[AES256_GCM,data:WfGz2uQUlBCGnxA/pQDCCKo=,iv:7DFW7ju/ifAdlF0LAB5kxK/GqNr4SRTC7XIVkfBecRE=,tag:O3VqvvTazKLICmsJRQnlpw==,type:str]",
-								"namespace": "ENC[AES256_GCM,data:C76QcYQ=,iv:8idfsMuDeWVVRRdCgzFA+L/LedpOs0IsjCPz3L1HUf8=,tag:Ml+QOVfnn8s3tT+vEODqFw==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:ZBnrMLobABXW,iv:DnEAksMIehjCVCC/fyvVZLRzvE8y9NvaPxyR21FIxGY=,tag:Y1M/serZF0SnT2ngPSB3yg==,type:str]",
-								"uid": "ENC[AES256_GCM,data:s4Py6zMjtY9VX0J/7irgNf29RBIbZKrQmGrYqr0aUxh89uoB,iv:xjZuC6huw/t2ATqNnpD+clBG09aRqXNRybOo2W5j6v4=,tag:gpx/oCFStDmy1+bTvw1aVQ==,type:str]"
+								"name": "ENC[AES256_GCM,data:PWrmJtDeW0ENTpDVyrP3iTc=,iv:OUX1KHsUxOvpyar9I5thBJXppEk1GPzlrFHqeC56soA=,tag:o6Ny1laXzdS3s0PcXHF4Ig==,type:str]",
+								"namespace": "ENC[AES256_GCM,data:0hTNR/I=,iv:BAO9eq/EriJ0Wwkx//be2OmH6ZGNSxYMxI6XebvGIR0=,tag:Npf/HdCQejnffSVuojGGgA==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:75gWCt5xEAXL,iv:cmUYbb15hBpLzu8aDTxYjuQq03TjkFUV/jTvQpBOmTg=,tag:aUYCBPBcVN3BiTnpA3C+Qw==,type:str]",
+								"uid": "ENC[AES256_GCM,data:1KpzNXRD2cUMjPoBj7jsc2UNJG6inMB6CnJsVZV7xJwQaIyF,iv:sPV9liehCDwmZiLBMb/uE+lI5vx7J284WxIQQXfpBAU=,tag:YJRPvt3Ka4nP2N6nhf8Lzw==,type:str]"
 							}
 						],
 						"spec": [
 							{
-								"concurrency_policy": "ENC[AES256_GCM,data:X1JpicyB,iv:cgt+VXL3NXQyakLQ4Cyzvyg4ewvyvcgk2JjWKe/ykEI=,tag:tHe/vAiO3c8W0vx1A53TYA==,type:str]",
-								"failed_jobs_history_limit": "ENC[AES256_GCM,data:Lw==,iv:fE2/4KXRRB7xtzpLvSzYBMGsrH2rEamY/mZsNrX0gRw=,tag:C14j4wvm3PsPF5CPhkyEbg==,type:float]",
+								"concurrency_policy": "ENC[AES256_GCM,data:aRE4BO1Z,iv:xAQhccfqfMmnZiQPZwYKm6PCcwyVBOIbui4PWN86YeM=,tag:o78Dkh5Yl96wZwOuATjVmA==,type:str]",
+								"failed_jobs_history_limit": "ENC[AES256_GCM,data:Cw==,iv:ZgGcwL7qPIdtKP49QX32h14e8Xogon3czmo4637wZWI=,tag:UiCoI2okECSMfFiCkqQbxA==,type:float]",
 								"job_template": [
 									{
 										"metadata": [
 											{
 												"annotations": {},
 												"generate_name": "",
-												"generation": "ENC[AES256_GCM,data:Fg==,iv:DKpi46jf02GUeSCdZmOaAgPMx7CqzQaZ7VA/miKDwVE=,tag:0aAOBgyPJVghNjeFVOc8Lw==,type:float]",
+												"generation": "ENC[AES256_GCM,data:xw==,iv:CQhSFJbU27Qo4ocKiIWM6g5cEpbU/dE+L89DLOw1Z+Q=,tag:2Py8o6+BB6Z5MzWDn+k3Zg==,type:float]",
 												"labels": {},
 												"name": "",
 												"namespace": "",
@@ -672,14 +672,14 @@
 										],
 										"spec": [
 											{
-												"active_deadline_seconds": "ENC[AES256_GCM,data:Vg==,iv:uUHnZdZKwswsXy+pVotk/N4ZK1KlxZ+/4/N8bKWxpNA=,tag:MCmFBiSJ/512opbCiBnJyw==,type:float]",
-												"backoff_limit": "ENC[AES256_GCM,data:HA==,iv:XfWE44NX1RdhIBitKbsvdJMP9276fFAfeSsaRInVrQw=,tag:1F3jvMXRwY/U6YDfrku4Sw==,type:float]",
-												"backoff_limit_per_index": "ENC[AES256_GCM,data:gA==,iv:CqbNopL1rCIFkkDoGrUugcYubNg011RzatIPJtF2tm8=,tag:OGVNGtiA5VTIkaI8xraT5g==,type:float]",
+												"active_deadline_seconds": "ENC[AES256_GCM,data:xQ==,iv:3XhQ/18xdjT4yLP56MYmgSbTz7vseXCeM3VuUahP8Ic=,tag:QbNYSiaUa25S/IFjLS1FUg==,type:float]",
+												"backoff_limit": "ENC[AES256_GCM,data:dg==,iv:PAb6dqiFH66ytFUCWCaTpzocyO2KAW9H32EmkrQ1pkc=,tag:BwMPiFfRNXTolUeEy6RgWw==,type:float]",
+												"backoff_limit_per_index": "ENC[AES256_GCM,data:Fw==,iv:QTkJn4Hr/EcO/koFNzdzWutMd8Tb/wwoBhM92fYm46k=,tag:JX166YDxy1qFDqF4Jyf+3w==,type:float]",
 												"completion_mode": "",
-												"completions": "ENC[AES256_GCM,data:pg==,iv:nUmZdhi4qKh2HKPk82hawhpHle4VJ3duEHBTLJctKeM=,tag:4Fs7Prw9OZsDsmNAf/RQVQ==,type:float]",
-												"manual_selector": "ENC[AES256_GCM,data:BXWtkFI=,iv:zjHm44YHHPyyI0PZnWvP0Ywu5vKXvhcdmr6GmWi6S24=,tag:0wcP22rPm+8zICFvi/vCkQ==,type:bool]",
-												"max_failed_indexes": "ENC[AES256_GCM,data:tw==,iv:4R1034vqvyVjZAFgU25txvJI9KbFhP0wnZhkzdjfAnI=,tag:tJ9XbxF6FIOFRL6GQC5cmw==,type:float]",
-												"parallelism": "ENC[AES256_GCM,data:Dg==,iv:EbmodmVOho1lx//UWeUSmnQzY7hWfC0Ak3k7mLx0cXc=,tag:kdV2TDK+gtEmoN6vVDTG3g==,type:float]",
+												"completions": "ENC[AES256_GCM,data:dA==,iv:SaO2s9MecWXaEmVngymmAAcaRF02zW8QJHx+odjIvPk=,tag:umQgRUxUV6CIJ4MIbwPv7A==,type:float]",
+												"manual_selector": "ENC[AES256_GCM,data:GfJIwyg=,iv:iy0dLoDNtPQTR7jmCfF9bmU7iyBDxE6eJGoYJtxMTxU=,tag:bgPt1qfGTBbUkCPEqpk7DQ==,type:bool]",
+												"max_failed_indexes": "ENC[AES256_GCM,data:bw==,iv:QYmId3O73ozeuIif9UaB/xm6kmOJ6QnVfCL3fw8UC8U=,tag:qwdA2hoq5K5yXorKF71usQ==,type:float]",
+												"parallelism": "ENC[AES256_GCM,data:Mg==,iv:bOtNxzr2jpglyloE66dSdmfGLr4Qel1/rtM9LvOMPNc=,tag:SJ6jXkzXGNUy1ioLpNHkqw==,type:float]",
 												"pod_failure_policy": [],
 												"selector": [],
 												"template": [
@@ -688,7 +688,7 @@
 															{
 																"annotations": {},
 																"generate_name": "",
-																"generation": "ENC[AES256_GCM,data:Rw==,iv:CwJzP+ztCjM9tkkbZMPQgMNJcQeUpBgQBaMufCN3qWc=,tag:q2tshQg+Aqi38InorQEhfA==,type:float]",
+																"generation": "ENC[AES256_GCM,data:fw==,iv:4BePpISmw0swYRs61OPhNGfWnNyYUm1Fs8os0MmeeAw=,tag:DtwFiNTikiCWJ8MURDGAsQ==,type:float]",
 																"labels": {},
 																"name": "",
 																"resource_version": "",
@@ -697,25 +697,25 @@
 														],
 														"spec": [
 															{
-																"active_deadline_seconds": "ENC[AES256_GCM,data:0g==,iv:1iYyGLTRV0cPX5oFeUk+8Et96K6YrSFCXBZyCjilglc=,tag:iv84bWIeuYun+qwwWCSXtQ==,type:float]",
+																"active_deadline_seconds": "ENC[AES256_GCM,data:5g==,iv:gak9M+YMNjAFLjpXZHCiq1zQy2r8pCLvvkqKKqTB7Lg=,tag:QWmBHJE9JrCiNWQTzLHq2g==,type:float]",
 																"affinity": [],
-																"automount_service_account_token": "ENC[AES256_GCM,data:o0Ik+w==,iv:wWhu6UE7659FAwIseUXkYIkWd3lx8WrP0MNX2QxGNZg=,tag:y63HdJ5sKmzXYLmCkH/y+Q==,type:bool]",
+																"automount_service_account_token": "ENC[AES256_GCM,data:k7kH3A==,iv:j5+2LlUg36i5S7gNSRsvtxgADf9ulihnng3RL5TllQ0=,tag:b28NsWXPuuHaHHW8B6cWSA==,type:bool]",
 																"container": [
 																	{
 																		"args": [
-																			"ENC[AES256_GCM,data:hlQ/ptV8eP6uhQRZIHFAH/ghCCbgCqcKF7MOPSMVplaBkWH+slZSD+/oz/iH7gNGhwLYXA320OOcHqE73lkZVafvqydWNVgJ9+lE9LlSatCAo87ObYo/uEp5uzEViScS2yldBxsQKZ2zM9CedS9Lx2nVu7KDD0qTPoJKI7bOqnxF9yBxTIm26XgwM6laEMpx2O6rQlRMdoRZY+rMqIs9fq/wgY5B0zpMBLozd3mgyEShGBJAC3kdZU67iiMGxwEAUpve0XGXqgMTaNrKGRBVZXhKW78dbTmSWioirwlrXQ9twklFYklNWIpisnfb/aqcSyP8gD2gyArfXDaLRhwtkAdIjq5vSDC9MlIlQxlI1Z+py4KVF72o0b/WYMUxj0YZT+BUtOtxC0WvA6yzOXZZ66o6/pFJin1/oMmt80T8a2xedPCw7HrJOSB4KDPeuzPglN+FflYMuc1xGv88AG/nYoIqdA7ErS5TE/0OCEnVULp4lpU2MYXtsOl3tIU5ItKUclKArkvozGYIRCEUywZIDgiq9d2dLONl66vVLZea99L4e4n9ogks5ZVBgYfMz+o5vx1W/NoIwFIvHKIlUdoZrV/XUA/232rKJAAQwxf8u+OoWf5ke6lrgIPk2M/8AcFZ8uRvtTPi3rEDV7Qa56b9TAN//mIczSBPGg5bGkTK5wSIixyTfPbNY6hJLbDf1RQVmHES8Un8sMzC/ufW4+LjMkSbRIB0rWQvv1DJ/GWQTHfRtiv2+0P0m4m7IK7E/yMxwWZjMl2UIiK2AGkW6Nt9HrEHUrEH88xWCP1vcz8IdXblxDlB13ZSTf27qLMpqvT12ZVQrlNi2eRer66ScxK0bAEW4G1Ki6WnDtDKYR6gFrWEt75Zaf08not5Q0pPnEHfyNOAJ5FJ635GcrB2Hihs7Cn/g2et++GTn9IwS+X5pR2K+zX7Vv97MxmSAjifErNIF2oAclxV67zXkh7+UVTnPBK0Ix/8ugTt/UHh78VQ7FxjgbKZOig24V223/ru8rdn312qz8HEtONPXbWhMLHSCvFFVakD0a9hYncrOqAyR0NMNI0EUPR3FuDr1syjwBeivWWUfJR4oXCi+SSfFVnIHFzET1ZCBuytG8L49oQaxZn6pM+WtICCgGbqLZ5z0ifjmiJ5U96BnXlNxpN3chG2/md40QGVbep7DWVaShwtaHwebpiJpoD922KMyaizSYbwlH0rIIlNAbPNWtc6S+ASIbD4nPILZq2QB71D9N+eel8g6CCK+XHLEWsMZq8HcMMFRoc2PAKLc4zxEg6EZKVHerLk1PWLR1PS6cz/tCE64ahPh44SKjMKlVtHrIXVRaktH194NxMCK05t0XJ1Hg2OD2NGNC4QzPRiet6+uJckIeQVXQSPQV3LADmqPks+yvTLbyUEP/LZbfJJ5XxDMtl77DWTXtx6rVlNBm3RXojzo+qkxt71QCMeWqpA6Iej0LR/UcjE7IpEVi/UxiF66+oYEHSHyOedWHxbVF5OqLZ9Qbma+lfWrEKSC4US7UMlJr0MfCl95bRJlJirXnngg/evrG+JZyIMt+8l1i3VUFcI2RzYpuSWlGH92BHPpltVju9driUR7V1RUyORPTEW3M7FNQLXmDtv9FWFcSysaWxWZoX338LO8c+YCmd49rGtmpoSLLDOMkmk1M1gwlZPHJAoMRUBWiOdRvU+xRfsgvz7tkYssvMCtkKFq/Zl3OVn2d7BbyYi9nUhJw==,iv:HR6Xj4VGwXtskfC/uWhGQc8N+ub7hq5wxFSHgcy+Qos=,tag:Iu8XU7dra4d++dbH4WESNw==,type:str]"
+																			"ENC[AES256_GCM,data:FENmBcP7UwiL1P9qwiewHEcwoxC9kbR5R6uaRrhu2EjXMPO6Nia9hoABuX+u4VmskDn3dJexOBTWQZgw7sHcLUN1U6TGUG0qhItjthSraPxHGe/yXKYJ5WwQGjh7Vt8UEjGQBA+gPO+s5ZRat8WuWi4DzHD7xWUQJFFNfVLJmayfISyJfZzVcYAs1iwoo6YnIbY01Rl7xEJSCfT+/w6bEp1s1o9hEXBDgEOGNmLzueck0ZZsG8zv/JHXV6Ren+niimKKndlYYuUwQ6D/mWNchT4+9UxY0rBDh4J20uRIzXkfXeLeZT5B/o6Vf6vLXoR6INXaYIPxtVv6LjIJFzheMG1BxnPMLKpL09ZyZhLUat35ad/JPiTVBJ3ESOJ/1wkJ6OFm8Y8Ckr7rbOPld+h9ePUXe3uiO9+38Z+zMtQooZwKD09+yKtTXOyxyttmjdv3Q+F5WR/LYJc6VvYc8YaJH4dlxwRSYxituv7tY6veiqHWDRoKQnOtXxjNaukRpnbw6Ty1zDbwQEH7bX8y4oGicSA/sDWpmJ00nlWbD+/ePIBhcI6OMxQiXcirfHM4wpF+cy7c27YMgSGVD6Ogu8v96Bh5qQmRWm0cyj65doPnPyVEW85n6RH/qbYhc8dDQd7nCfbNJD9+mvzY8yAAqZgETlfiOccuTRaP0EpUsjPpOK7UF8+d1rY3T6AvQPn5QlrZrheXXLVQUm10xgnx6tBikU5cIj8CbH9k5Qj5wY3P11kYLs/6ao9ilb+pGqD0lhY5lbe34BVhIj1qxUk65pBx9re6cK24EqNC0ZbQB1hFtNhbRIrZHFYbDBhEkn58aX22NjaBdE0bNydkDJHk8UM0SR3sSwd0flCrM6mAlw+i15rLlL53C8rKKOZthONSQ3mHkCmw0FA3Q69c+OYvOOTvJmlsOm+kdN1KCHiMjWL5A89lwIeRSH5zbTai2A780KemgVvSGBM4jTm3gUFRyGjZb2GgTZgneOL+hHHhu65FND2AfqEm3gz/MHJyVBps91pKvbyalPdBaBq8j3SJ6P24RTieXhpUYVoWtSnz1jdIC+AD8Essmrc2Ffrq3L935+nBTR3vdTODd5PVL7fTjIzXcbAckhfHokVVworeX04NIWEzlROKxDRqKVB4EJPqCTnjupmERwBPG7oVSIVOBzWm+1jcM3+BwD7lIAxNLgJIDWeiMeuzGKQGotcatG774HuTckU/cSVV6eBWehUK0+fmmnszSRQVHukrMaPanTlQpeLB1t6PEn8zZeT9EvwY4gIl1UKYfWJ2oW+D/K/sV1xSWVLiSrSUqRT4PUSTetYjXTfVKODtFShrxIKN5jaioGI4ynywwCrVHEQpnkhNMbz/r56bY07oTZQfwIaoH6xtKcl9n3Qia48C7SHAuGIExwXHvrAK5+YQEu8cILVFnm+4fx0DntN0K/SjWBB1KbN5Ksth+3R9/C0XqxYPNZ4Ta9WcJxXVbNOfx1XI4wnAPpv2Hc/bV4W7zjqtAx243PyAx4saedvePM2lh+eajNTatBzkFRpui/AwFVV9qc9xBrNpsc0WpBK9PQQuIJ28TFNveTMX/TW5t3ySzJTDGSxh3y00cIQdqvCJayhNzDpTxE7tqAjYakwXVAZMmMCUd3EnaWTl9RD+tXDOLQuzCKgNeuW1fwMLX/OSCq4xNOURHhT1URCqbJzfwqVfsjh2jqWgMc3DpRMoCZFXlMpCAyW8jSjRfLaUfNnHKQ==,iv:SX9VhxCrDcR/6LcEKPjSjLe+/A4Pvh3UyxnN3Q3Fsvg=,tag:y7kH6Q7OkHhiyKSmgE6DHQ==,type:str]"
 																		],
 																		"command": [
-																			"ENC[AES256_GCM,data:qry2h4mn8w==,iv:SKg/ynAk+/EBxKh4yT7nE9NblcoQ5u9eVqmt4buGdcc=,tag:hgg0m1t5ya6UCoiZ2f/Nrg==,type:str]",
-																			"ENC[AES256_GCM,data:S4k=,iv:6YbjxJ4R2smvTdQdUgBneBIp/HjBiiz4sfZGwfa5pFc=,tag:k0b6O8t8yIV1OSCbdDtwzg==,type:str]"
+																			"ENC[AES256_GCM,data:vxLrJb11zQ==,iv:8oP1aTwdWf5D7U5KwB4nwD5Zks/hS9ItJj8TwoCTJPQ=,tag:exruLMbnL2UuILChsTnFNA==,type:str]",
+																			"ENC[AES256_GCM,data:m8Q=,iv:dZiOwbrIZhLTYwYokse2tmCwgKVQXCWOA301+/3h8O8=,tag:wU02jDUGfagrd2ynSkzaOw==,type:str]"
 																		],
 																		"env": [],
 																		"env_from": [],
-																		"image": "ENC[AES256_GCM,data:i+uZFYCscioKALnTCMURtmCqrarU+Q==,iv:56Mo+DEfUjEbGNGYuZvmHJN9f4oMz1GwdelKdETGlGc=,tag:Pnh5HfNOzAoEx8kmLl8MRw==,type:str]",
-																		"image_pull_policy": "ENC[AES256_GCM,data:b2umFOew6GKWMvst,iv:HUrA1jD9G2T1BIBKtrKOmJUHsLE4q83NqnlFeMulK+Q=,tag:pRkZzya0gi3GhVTp6QikMA==,type:str]",
+																		"image": "ENC[AES256_GCM,data:bnYApBOG9uIqKEQ+KJs5213a3R3SMA==,iv:oPsmvyzH/Ypey1pqHn5ENCpT3L+C4y//ifrYtuDu9TM=,tag:/UYLf8p8h9k+90pf/PjFRA==,type:str]",
+																		"image_pull_policy": "ENC[AES256_GCM,data:vDgUDS1fbsCS9UjT,iv:y1ZhturfA0aL+X/pDowPJ1e6C6d1Rt4SgIlf5knZXVQ=,tag:HQAOYViyosCHyjxzJBbcmQ==,type:str]",
 																		"lifecycle": [],
 																		"liveness_probe": [],
-																		"name": "ENC[AES256_GCM,data:a49q2831,iv:uEiCuC5veAkXJemuScLAi4VmfeeGW3IxUB2FtcibTd8=,tag:IfnDfv4QG+IAHRDBZww0sg==,type:str]",
+																		"name": "ENC[AES256_GCM,data:8NZgGyMe,iv:kzGxDK7a+ZIIhUgn4NWiriF5S8//Z/JdbiN3G3PPDWY=,tag:r+xIW4XBLwQLgQfYkArXAg==,type:str]",
 																		"port": [],
 																		"readiness_probe": [],
 																		"resources": [
@@ -727,26 +727,26 @@
 																		"restart_policy": "",
 																		"security_context": [],
 																		"startup_probe": [],
-																		"stdin": "ENC[AES256_GCM,data:us8dEMg=,iv:riv8p1sgqlOpEc3zXqrIZP2+a0b1qSWN15MlLTLW9S8=,tag:VuHp3g8yk47Dg+wp3t+bfQ==,type:bool]",
-																		"stdin_once": "ENC[AES256_GCM,data:4yaZQOk=,iv:q/Q5mQQt/sJ5iDs76ii1RJoYmMFml4NCPCtuR6C8YI0=,tag:1IuZf+i8F8DkRze4Pps9uA==,type:bool]",
-																		"termination_message_path": "ENC[AES256_GCM,data:nvRAzEd9l3/6gL+klBG5prAe9zs=,iv:RrztkVoGDngxlrSdsS7AWfbnmHafGw/3ZmmTwssg3PM=,tag:TFRqQleEsLE69c8HqpDm1w==,type:str]",
-																		"termination_message_policy": "ENC[AES256_GCM,data:kv8nQg==,iv:Qf4X6g9sDScnHYjnycEN0U/nbaPP3r23JDqt8JDyb74=,tag:pZjXTH28mxsEExTUXpd1jQ==,type:str]",
-																		"tty": "ENC[AES256_GCM,data:EX9JlB8=,iv:baBIoOewgsFEIHnWle5HLjDAybVY58j5lw95Fg+AmMc=,tag:yJ+qPP+P2cbJpx7LrEDFOg==,type:bool]",
+																		"stdin": "ENC[AES256_GCM,data:dOeMdZY=,iv:s55tjERXZ3LXwCv/3Anp9VcRuWEg78wUBRXo21PDRcI=,tag:IVA/Csapbk6oWSrVAV+/gQ==,type:bool]",
+																		"stdin_once": "ENC[AES256_GCM,data:9D/DwDo=,iv:4pID9fyrUhX2AKqp7BmLybo/gbCF5S62Xhm57irjMtc=,tag:SDNHv0Wu6WPiINsod/xopg==,type:bool]",
+																		"termination_message_path": "ENC[AES256_GCM,data:F5BBR6qAPiJB7EXJNZMjnB2HUyg=,iv:OpENpDJ7wI4b/A9M4oZgrIrFpSFTHBh2M7kk5XcdReQ=,tag:8E4ZrSClJz7jebUxotXtfw==,type:str]",
+																		"termination_message_policy": "ENC[AES256_GCM,data:IZ+rMw==,iv:PAjnodN6uiEY7H4XkLxQw/VZSMDZLaTaSyRD7TLyM7s=,tag:h67ofoMO05ktMxmh8P422Q==,type:str]",
+																		"tty": "ENC[AES256_GCM,data:CWrCbOY=,iv:qdpO2j2P9M/LkSnR6VozTobCNw6x3PG7y+7GifWHtjk=,tag:Z8RS0SOxF8AmibWhoK4k+A==,type:bool]",
 																		"volume_device": [],
 																		"volume_mount": [
 																			{
-																				"mount_path": "ENC[AES256_GCM,data:mZOMKLaqgA==,iv:16nm8OvZDO/6TY8f39bzleH6+6BfTrLTw7AuOcGEOig=,tag:skvS/OfZxv+8bhJig9yxeQ==,type:str]",
-																				"mount_propagation": "ENC[AES256_GCM,data:z6g2lw==,iv:WjrOcgUtAQ4dVkAk3LAzkyxWmi8WDyfWPxZIe3bixOk=,tag:bbzQ4xpfvphRLpC8uMd/eA==,type:str]",
-																				"name": "ENC[AES256_GCM,data:V6Gwtxg973IOayK7HJM=,iv:dWqqski9NezXhqCmEinfM5feE9xZHMk1UUoOJxq0gu0=,tag:1YTt6si69NS2+DEKGSiBNQ==,type:str]",
-																				"read_only": "ENC[AES256_GCM,data:wKijXq0=,iv:5i0J2i43FvUMG9pARnhN7kBJjv57J+JiubxTbcY4jRc=,tag:IPpPDcrQn/pIQnAtnjaqXA==,type:bool]",
+																				"mount_path": "ENC[AES256_GCM,data:OFk5zl8/7w==,iv:HQG7xprhuegQx3nCqFAsP4/TCZE6oAIJbIccaKZIFPY=,tag:4Q2eQvHDWvrO9kkNw5z3sw==,type:str]",
+																				"mount_propagation": "ENC[AES256_GCM,data:MNZ7zg==,iv:GmdZYEbbPlNtcyvrFwwA+w4QzQ6QuF7PSDZKSyKaeMU=,tag:K0rfc1aRfqMavL9WJPdkHA==,type:str]",
+																				"name": "ENC[AES256_GCM,data:XiT0mxnZcWVbP7H8YAo=,iv:N6v7qTl2pRTuo9QXuM8UW6TZn2lOl4i4OkqexDApT5w=,tag:5W/q2iH11mPXKQm3iFU6Ow==,type:str]",
+																				"read_only": "ENC[AES256_GCM,data:qm3g79w=,iv:kolpHq3M1ZYBqjuCpYgRhv4N0we2XY/hQcBMADOACt8=,tag:Nn+MDm9lii0h9enUim43WA==,type:bool]",
 																				"sub_path": "",
 																				"sub_path_expr": ""
 																			},
 																			{
-																				"mount_path": "ENC[AES256_GCM,data:nfv+ilsJyryyr5rA,iv:oR0imgKgxxG1/OhLQosljyk6snEyBmsgnfPJu4/g/VM=,tag:7srC5sAmpfQGXeVguBzz8g==,type:str]",
-																				"mount_propagation": "ENC[AES256_GCM,data:qjXF/g==,iv:KFeiF6NzxiW2OM5KKG9CGmrUxmEfDI4OnvanZYNYbVc=,tag:K9w6xXydKGZ2CHH1xWuMcA==,type:str]",
-																				"name": "ENC[AES256_GCM,data:jN/ht+mhHpkBrGI=,iv:yMJJQhUqYjYV6lIbiei4J+jb8mw+GEllnaQ/I+LeP9U=,tag:eY4vRLitNU1xfkobVmwSsw==,type:str]",
-																				"read_only": "ENC[AES256_GCM,data:ZenySA==,iv:tX9LVtce9laZNNdSgAQ4gxvQPOVPefTBSl9bL/x8b+I=,tag:YyhS77YuwDFjPawMFDWXJA==,type:bool]",
+																				"mount_path": "ENC[AES256_GCM,data:y3+kmCRmjpLH4wLI,iv:KMGd9e1r/XOOsGEndktuVn8I+wBMpoXg/NblAytvMqc=,tag:Qsp8zLEp1tBtX+Snukh0Cg==,type:str]",
+																				"mount_propagation": "ENC[AES256_GCM,data:YfJ7hQ==,iv:JkSBA5EDq7Yz+xbOVbXN6UfEFzqyhHfpt4MutVcaq28=,tag:2o/Fv5QFAHY6B06jFr0zAA==,type:str]",
+																				"name": "ENC[AES256_GCM,data:yBNOcQHtPU3S3U0=,iv:xO4LD4l9YTcCJmYAQDOo46xM594rZf5fDK9M4lvs0ks=,tag:njybtB4tdlY5Km5BdFOuxw==,type:str]",
+																				"read_only": "ENC[AES256_GCM,data:FXRESA==,iv:G0yQRDOuxXK0KhFopLfa63V513GXMmdg1Am5MEIqYok=,tag:SpdcyTVMM9fn1wm/q/e7Gg==,type:bool]",
 																				"sub_path": "",
 																				"sub_path_expr": ""
 																			}
@@ -759,19 +759,19 @@
 																		"nameservers": [],
 																		"option": [
 																			{
-																				"name": "ENC[AES256_GCM,data:SQ3IbYk=,iv:G6mia9vYKY1IM+QSATpOxU3hgP5A4vOwd8aNU6qx4cE=,tag:EpFOu4dXp2DKQ4/8MlODUw==,type:str]",
-																				"value": "ENC[AES256_GCM,data:iA==,iv:Ppu9x+FAuzCtcL+UAf8x3A+f+LG79bixQ/qDpBs9RXw=,tag:S7PzI2DUJ2heGOjfIKIYRw==,type:str]"
+																				"name": "ENC[AES256_GCM,data:InUAz5k=,iv:PaW4kRlJlB1W9voD6u+0joI91VBchP/Y2WLjhjTIOxU=,tag:+ATVK5SnsavExCv4Hk/qWA==,type:str]",
+																				"value": "ENC[AES256_GCM,data:xw==,iv:oY7jWS/Nr1FLW+YtPaC3K4J4JGB4IpLajc86oqnre4Y=,tag:eTBwm3am9H4PHuXmniI/Wg==,type:str]"
 																			}
 																		],
 																		"searches": []
 																	}
 																],
-																"dns_policy": "ENC[AES256_GCM,data:7uLR81osNwLoy4ZT,iv:ZSQ2dAfeEi/bsg7NWAcawPfmnWHNc6wVkEK2PeBZcB4=,tag:8bvk3Jv2S9m5p6sBQ+GAaA==,type:str]",
-																"enable_service_links": "ENC[AES256_GCM,data:C8ndlg==,iv:wSlzT3XIyjC/effPz+XJUcV6uJ7MpK00IrrgHTQazPs=,tag:2qKz4eLLc4wUzFzekL+o5Q==,type:bool]",
+																"dns_policy": "ENC[AES256_GCM,data:2iecPlCEgU4l9Qpw,iv:0SDw1O/AztE9ChhoI5gvXQRyNAHxxTV7xicA+kYIWaU=,tag:afsm7wefCAUb956CQU+/TA==,type:str]",
+																"enable_service_links": "ENC[AES256_GCM,data:CLht6w==,iv:LrTZ1sfWYDAFIeIkaDE86mLa+iQY+OjlwMmMTdNs8Y0=,tag:vrnaYQhzf7CkFhwhpGIF8A==,type:bool]",
 																"host_aliases": [],
-																"host_ipc": "ENC[AES256_GCM,data:+dDNFmo=,iv:Za8fCfHKRgf9/bQId1ImWRwhE8/IjsK0dqVEQZozFSc=,tag:HIspJ9gUkCT0JWjgzKaRhw==,type:bool]",
-																"host_network": "ENC[AES256_GCM,data:X9ds4xc=,iv:/Luftwas9ZgHuy+gSliFnk1iX0jz7cv2qaF2TB4gGuo=,tag:IW/x8bqqSaReZ9/sD73koQ==,type:bool]",
-																"host_pid": "ENC[AES256_GCM,data:pMjBx6o=,iv:HC3dWBM4yT0Ia2MrsNYB/BciHFuijzdnFNEh/R24f3E=,tag:0jR/+yeY9PVq5DlUMXAlhw==,type:bool]",
+																"host_ipc": "ENC[AES256_GCM,data:ST9NsN4=,iv:siSFGJIevBXgNxyYpqTYqulQI81ED5yMknKXzXk+5y8=,tag:7XQrhNReT9k1DqBksnYu1w==,type:bool]",
+																"host_network": "ENC[AES256_GCM,data:NzzD+UM=,iv:X3HlVoOeBYLe/QE6oKUMo+ziyiu+Di3h4hqIYm7yQO4=,tag:TpulaBKBQQ4geYnfpvJs4A==,type:bool]",
+																"host_pid": "ENC[AES256_GCM,data:HOuQZOA=,iv:SZmxeBp8b1AWK4IEIZP9DuMi+q0SZ08CWiEBqDWr+Is=,tag:Wp6IwDYcHZBDHNXdG5jIqA==,type:bool]",
 																"hostname": "",
 																"image_pull_secrets": [],
 																"init_container": [],
@@ -780,14 +780,14 @@
 																"os": [],
 																"priority_class_name": "",
 																"readiness_gate": [],
-																"restart_policy": "ENC[AES256_GCM,data:Sf8An9V5NWBZ,iv:RLYeDrBNL5M77fS0XOZFQhAjCLx+G2SPu9F1pntbxYQ=,tag:lqGaICNj6pVji7fE4u2Axw==,type:str]",
+																"restart_policy": "ENC[AES256_GCM,data:lVgZbxpO1TfP,iv:cWZUseQPkjb29y7YvkLZYRDjyGNcc2puwsABpDHjudA=,tag:XWajXEyEZOf9Na+Cgp+z3g==,type:str]",
 																"runtime_class_name": "",
-																"scheduler_name": "ENC[AES256_GCM,data:4NEne1AdP8YeEU3OL8xSsIY=,iv:zd9oJwgDuokncCrDr7dl5nG1I1oc/YxsNuPS5U1FnvY=,tag:t7AMaLZffcrDrcxWsxy5rw==,type:str]",
+																"scheduler_name": "ENC[AES256_GCM,data:qU3/vISF2yudOPf0t9DZGXg=,iv:Au6Ya2ciey/+qB8qLHN6BA8LlC37O5j9JAP4aqduha0=,tag:uyIZnilMglurf9eXnmJHqg==,type:str]",
 																"security_context": [],
 																"service_account_name": "",
-																"share_process_namespace": "ENC[AES256_GCM,data:a5WjlzI=,iv:4yuGkkCz83MVUc57zzGtrf3lQBLv8S/+1vPla+gIBD8=,tag:uRbl6jCoy0HYzGA0RaBsxA==,type:bool]",
+																"share_process_namespace": "ENC[AES256_GCM,data:5Kex5MQ=,iv:x5aKo1TfO/lX3pG0qxD3bdeFxYBb6M4DAjXiq5Q7e1Q=,tag:58D3rw6RVaGlKtqBOHOzMA==,type:bool]",
 																"subdomain": "",
-																"termination_grace_period_seconds": "ENC[AES256_GCM,data:kBQ=,iv:BA5eXDrZZlapOKThLbOCoPt0rtMgjNl/Pgvgrx/KjpE=,tag:+pd2QZLc5H966tME2Tgpiw==,type:float]",
+																"termination_grace_period_seconds": "ENC[AES256_GCM,data:ZoY=,iv:n0CRg6BtjdkM9brznFolHVz5s/FXtDT6qieQ7LhO8c0=,tag:/SvCmGjk5S9YhjhVH/GBWQ==,type:float]",
 																"toleration": [],
 																"topology_spread_constraint": [],
 																"volume": [
@@ -811,12 +811,12 @@
 																		"host_path": [],
 																		"iscsi": [],
 																		"local": [],
-																		"name": "ENC[AES256_GCM,data:btODlnbEXWboLcuIy0c=,iv:L/nvtvraTqK5OsWnTI8aWI6vMs386omlpaGc8wW1lM8=,tag:+8kDafZoq6hizKv0ea0G+A==,type:str]",
+																		"name": "ENC[AES256_GCM,data:FSnOtSShY1/15SRSTuU=,iv:/bkEZktso/2I+CGqPam3CXtIUDlSEibm5H0PGvHpvJA=,tag:gmHAeze7hOr7ZUtPdsSdMw==,type:str]",
 																		"nfs": [],
 																		"persistent_volume_claim": [
 																			{
-																				"claim_name": "ENC[AES256_GCM,data:IShoK+snz4OW5hPmUjJdo+g=,iv:kAGygbcrkOGHk2klNZCjtABQnH46VyLmIy1O0vG+l3k=,tag:VI8oXbU0F+XBKAnfJyWD7A==,type:str]",
-																				"read_only": "ENC[AES256_GCM,data:2za/gQQ=,iv:MHv4PkK/lUqFgzXtRiWmrTwZeHXTbHmcYoNTJdo381I=,tag:psuGq6dcC2SQPIVPBp38pg==,type:bool]"
+																				"claim_name": "ENC[AES256_GCM,data:aTd1scNvpuuKJ92HHtQxWok=,iv:29D3Y0RBY7ipIKYHiGlpXoHuXPEqL/+WHWRRjmGuMIo=,tag:NAwkyzzLqCEHSbkXW/h9Og==,type:str]",
+																				"read_only": "ENC[AES256_GCM,data:Rj9PFu0=,iv:Ib1Z+yABdxiQkZk7/0755PgT3UJNYJnzwKxV7SN5mtQ=,tag:7WjpZxWunHa9AO31ZuyIYA==,type:bool]"
 																			}
 																		],
 																		"photon_persistent_disk": [],
@@ -846,7 +846,7 @@
 																		"host_path": [],
 																		"iscsi": [],
 																		"local": [],
-																		"name": "ENC[AES256_GCM,data:fOQdqV7kZ9xhe1w=,iv:n9vMGCzY6ErlYigT9uqWwO5Z8A4w4QG7R/NJ+1tNwo4=,tag:8OVElE5w4gMzm5QzFgeXzA==,type:str]",
+																		"name": "ENC[AES256_GCM,data:C7ZkJwXNa9DfZwI=,iv:yjtedxM6TadJr++sTnTnrV3mzaZ5GZQaYZ9PbO1K6ps=,tag:NLgSJ19lNpd59OunA10FOQ==,type:str]",
 																		"nfs": [],
 																		"persistent_volume_claim": [],
 																		"photon_persistent_disk": [],
@@ -855,10 +855,10 @@
 																		"rbd": [],
 																		"secret": [
 																			{
-																				"default_mode": "ENC[AES256_GCM,data:Su8KiQ==,iv:htu7ccLBTg4pmXHJro4+sqGErCxsVWR1Ijp6DXi18WM=,tag:wmFPz9gFAzOA+47Gl2ZqFg==,type:str]",
+																				"default_mode": "ENC[AES256_GCM,data:sh0ngg==,iv:sCfOwbZ8BgcLyuxlxWJKG4p8fB+eEUrJB877mcIEFSc=,tag:k7OqW5OOi0zT8N9/u7AqeA==,type:str]",
 																				"items": [],
-																				"optional": "ENC[AES256_GCM,data:OntlQ/g=,iv:SHYg938m1TwyVSm1qAQr0gfq/gpgp8RWXh21646iV9k=,tag:nlnm8VdQD6VmMdLn/IYJgw==,type:bool]",
-																				"secret_name": "ENC[AES256_GCM,data:gUivUpHM7e/I2RNuVzuZgw==,iv:W0w9f2OnUBjYKeHfgpsTPNg/P4IlHir+mRzrNGDVPkA=,tag:ES9w4JHHVWmnEASHA12SKQ==,type:str]"
+																				"optional": "ENC[AES256_GCM,data:YJ57G1Y=,iv:QM++/TzxeLP+W7QTM8sbnHSHmOtaIln0qbhwZQhKv/k=,tag:4rp0s8yibZdnINH7VTXLNA==,type:bool]",
+																				"secret_name": "ENC[AES256_GCM,data:XU1OL+/DYFpWagiWvVdagA==,iv:aHtNFqNJSxOzW3S6aIIWuyeP0h2nlxWqniTpmriVNlY=,tag:uJFdp5L86wOh8VE7NkkdFw==,type:str]"
 																			}
 																		],
 																		"vsphere_volume": []
@@ -873,192 +873,192 @@
 										]
 									}
 								],
-								"schedule": "ENC[AES256_GCM,data:vqU2xZn0hWVH,iv:gcRPO3cyyDL4EkrepCAyNrhoL5PF+zFCWR0IPFjDDf4=,tag:mFt0zOG2Nqo8cAtCb+90Wg==,type:str]",
-								"starting_deadline_seconds": "ENC[AES256_GCM,data:pQ==,iv:kTlMErMhcY+Pxr5RNtk/0CLpcZzAdd/SrrMduLW3Eak=,tag:VrOgx6OYBlFoOhHjstxAWA==,type:float]",
-								"successful_jobs_history_limit": "ENC[AES256_GCM,data:Ig==,iv:i7UlnjYM3qYV7cgMReXcCRvNu0T/a9+yl8zx7waQREo=,tag:9u4+cQadYl9zHtBQmCVUcw==,type:float]",
-								"suspend": "ENC[AES256_GCM,data:61sU+iU=,iv:hofdc457C6doCxSi+NV7sbwvaO32XJ8W5/3PoOFMZMc=,tag:chLWrqwk94+0wgWH/oolsg==,type:bool]",
+								"schedule": "ENC[AES256_GCM,data:VVYMS5MNlIR+,iv:4jNX68PUVwUdjyaEx1jWyuubXQANWLTgB1Rv1QtC57Y=,tag:8W3zaDwI3R37fWzYjQbIxw==,type:str]",
+								"starting_deadline_seconds": "ENC[AES256_GCM,data:cg==,iv:UoGIsb61mohLmI0ubzpHT+EJ/ehNrt5FYQfsEFRRmB0=,tag:ehUVoDlz/JMZcFXEIkIAiw==,type:float]",
+								"successful_jobs_history_limit": "ENC[AES256_GCM,data:JA==,iv:3UR/WxPIeS4LiDnkPHAcXRIM+jrkUYIKn4u3xh81yUM=,tag:DEgEzN4QM1SwDHQzms+vVA==,type:float]",
+								"suspend": "ENC[AES256_GCM,data:cUojFCA=,iv:bmP8wq+MNjTgaPefPTFTu2Yj+sUNEX6ZBXy9PvYSMZU=,tag:y/vmC4/gA6TRZWORM6RRlg==,type:bool]",
 								"timezone": ""
 							}
 						],
 						"timeouts": null
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:2g==,iv:ni42NrD4K2CBGFj89/T1rFsRpq1RPCL5RCP/wfOXayA=,tag:Px3dNBJKhXERkt99cLuSfg==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Yw==,iv:xhOvscnqCMImL8IaX136/VNalPkCMGeHOX3JYU5cIhA=,tag:u4UP80ekqT3S5FDAFq6otw==,type:float]",
 					"identity": {
-						"api_version": "ENC[AES256_GCM,data:hlXJlUrVXvQ=,iv:Hir/XYsoJPgAj/N9j9qw65GvSIQVdBpeiAkSpL2NqBA=,tag:BufbIu6eKewsyrohzkfmYw==,type:str]",
-						"kind": "ENC[AES256_GCM,data:iW2y6N16MQ==,iv:LSSjXAW16ZoxJqCk65F+/j3pWtWSFH9gbfCoigTSVLM=,tag:4HnHX6iYVbMce8hFp++HgA==,type:str]",
-						"name": "ENC[AES256_GCM,data:JJw8MLn5dLKcT4GwOFIY6Mw=,iv:YEOY+NL1eZRrN99V4aLJQ2H9mdPKmRzeU+rORDKPUt0=,tag:OPy8gc1lARS+6yOgykuMkQ==,type:str]",
-						"namespace": "ENC[AES256_GCM,data:twF4Tzc=,iv:h+JSOB1KdKhjjl6UUkPszuKsVPbryNJzS73YGRjNiKM=,tag:SewIPNTMV98h+8E6V4nXfg==,type:str]"
+						"api_version": "ENC[AES256_GCM,data:bh1LshiIl3g=,iv:h8fLDGVQguItIVShPDwZUhO2BuCWu3pICIafcW+dVmk=,tag:P3wh2yV1bdBk2V3tNh+RAg==,type:str]",
+						"kind": "ENC[AES256_GCM,data:GuK1QEdH2A==,iv:DJmxzEsHoXoR304KLihoAzDfDFeYR3FbyXkLtejrBFk=,tag:CWIzyGggm5zGkNZ4jt33hg==,type:str]",
+						"name": "ENC[AES256_GCM,data:lAZdcrBAB17IQjTkP0HP8xQ=,iv:OClxSC3b9tO4GyR/lvdNNjVxv0iGGFIsB3fzQcYGmrc=,tag:bSk8ubGH7kjGJDTWuuP5Bw==,type:str]",
+						"namespace": "ENC[AES256_GCM,data:7FMx13E=,iv:oIGkc3MzJadG8bbgvVPmbkVBp4kbXoAjaS2IGvFuIew=,tag:dqna2JonmBIJgSdf7LCMEQ==,type:str]"
 					},
-					"private": "ENC[AES256_GCM,data:MPxlJZ+xSLX/E0bWkg3Tt9L+grji0fTcEp5Ftse/TIxRw4CByUU17IRmCDD4uplTj0h5ajHZHNzzyMMDwlQeQsXMSGJL6MBg7Z8X+HcOZJVr3niq,iv:Z8P6MFwymVLXhibYT38dssWUiKczUnFlix61QWUkKCo=,tag:uYtbdRtZ1T1HvpNsvKQgZg==,type:str]",
+					"private": "ENC[AES256_GCM,data:/gEiLhBWJoYLMISGhSoMHLtWA+eXp60/Ey8+ChKeEBAAMcJovsBtbpk1fJ+EF1f+1FxnM+KkTzNRB2jh83aNPIldFNILKiosnsS1kReQ6BoWnGk1,iv:73IFcDRGGFPTahrs9rAV78SPLn0+gzahvwo8hhz4ANU=,tag:TGENg40aMjThzMnnBEZnsg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:223bW7S700aBxlKYTux96Rsqlo8/GuiAApE=,iv:pnhOL9REzjZ3g8+yar+V4Li4NT+A2208Fn1XhszQiVc=,tag:dcQi7rtPtf7SfFzaOk+28w==,type:str]",
-						"ENC[AES256_GCM,data:18nZuVZPeOK+QA1T+uBWWIucQv1ATbu+kP5oHS4uw8n8BYPE/I0LOqU4oDigapszd2kj8CO9jmbFdf8QGCo=,iv:pKKvAk8dmnaBzYXae+wkfHhRmNXn/4VhpeH5TvcZLuQ=,tag:nEyhQEAxIhIlIWk47CQeFA==,type:str]",
-						"ENC[AES256_GCM,data:ZQFTOZQTFlE8WFOEjqlLcWAeDmy0hmDIYDWGUYrrVpg7uEkQfoH1JUdovW+NREIl4qUumP949YHeg9GLw1pJ2Kltjxw=,iv:zuxiXPv44Yy6dL/VNGNAPtnLW/pHZc/pLGD1C5drJQA=,tag:899TB1vrpiJCDbasR75Qhg==,type:str]"
+						"ENC[AES256_GCM,data:F3ugfJ85MOzB57vk3ExHlQbXS8OXj6rDMWE=,iv:VetRYkr4xqTr5NBV5/uf+xxl9Brkoq2kMG/W7CIZmSw=,tag:XCT9AslU8GOPQvLZ6qyx7w==,type:str]",
+						"ENC[AES256_GCM,data:v7bBH7i3XM2Ilhp86LWjjUIV9CdF+Qmx6smp8eT+aqXvYWmCJyNdUFCtQJxnyG3N+5LP7qWYC+ibXo7yEco=,iv:Bta8P7Jv0RJXC+EQB66+YMxweI79Zr8L3tx9pauiTr0=,tag:9yjbrVvirLt0Wif4Rn2ovg==,type:str]",
+						"ENC[AES256_GCM,data:MdS+WTtv+EardeZbQXGeJIJIQpA13IT8uB/S+XPOon5PFaLhCDLYSm9h+8lCvStV0+n2GZ0cQJYWWDyXifeSEpLq930=,iv:oTxaazaINFAN5b/cwk4Q7aRxuhvbS1NA5cwXhCjHn04=,tag:CUzixquCpvYJXmcNJlnarw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:041MFhk8nw==,iv:8PkMxmyc+G9TgYF2ARMXotU72En/5EP6Gr5BnxXLbbU=,tag:A+nmalwtxv2ZCO6/wP11Mg==,type:str]",
-			"type": "ENC[AES256_GCM,data:K35IaY5dCyceU361ytGRMzZlUTE=,iv:6SZnN51iA7GVeTbOdyoq+OxbnoI6sj0mGCqIA/4+BII=,tag:jdngtCYY9XQesx8ULz4jsg==,type:str]",
-			"name": "ENC[AES256_GCM,data:VzRUiOZkDWXaZMQgz3I=,iv:Q/RA4lePtbtjdP6+lxWQDZefAwtfjttWtBF82JyAT4g=,tag:AHTlZ/u/MDSzLGFfSsyD9g==,type:str]",
-			"provider": "ENC[AES256_GCM,data:3UmEhCR2FJQnPEJxHyWUo6ui269YmSVBEwLrdZPlRi9z+5uJ3WGOTPmEFiab8fLp9OoZ9goG,iv:cLvkePfLRD9y4qoGkjL9JV415Qzv5tU2BdkGMwjTPk4=,tag:xS9PsSNVslJYOYvwoTAa8g==,type:str]",
+			"mode": "ENC[AES256_GCM,data:b/+rEhXwkw==,iv:1lSnrxNLXmtBPsElmKZ7BHxnEdPb0j5TPOUUsbIN6y0=,tag:ZIhcSQ/KcFxVgwEBEKQROQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:mlB605EffP/z/51DC9e/sN/H1TQ=,iv:2IoGPBQ8+S9EuQlGQf+VS7S8jPJMEpZhcj8L916U8aE=,tag:nneXTFvpBXR3Nuy8y5c79Q==,type:str]",
+			"name": "ENC[AES256_GCM,data:dNgSPp0K6z9SRmwjWtM=,iv:DMMgcJAue9E0NyfSbNqFFKmW9FnG4BNUZEWjZFodJB8=,tag:CVMStRrxTcJnXosbvHHGlw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:rhD3pZ6qNCV2jErPnJXt5c6vzpdkv5BY2ubhrXlMjPuAODusTqRDkK51+/F1+11oAvkl9B6/,iv:SPzhIQu7qZOaCNu0IMYMtKi9Um+b5BKaw6Lu9NA3tug=,tag:rbO0/EX8im0G50ta0hzmwQ==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:vEibKtBN2K1GHAM8ZQ==,iv:u/yn8ODfWmuRxyOBMQgMpPDaCoyjs6lKUOAVNimvddg=,tag:+FqJrfQdphYmwIEzHcP3mA==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:aQ==,iv:vZ/+3/5ceNm9sQM/aJ+OIP58hxlneaoMvdEM7Ot9ixE=,tag:lOgoKvaEVj6MyvL9pO8PiQ==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:P0vfNMsJ+4abTpPgqQ==,iv:9HUz0IaH41/xZopsqAA/g2A145abrXa9H7o5pwLmIVI=,tag:E9xG9iiAPifVqRK+xm0IbQ==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:oA==,iv:EPjPNnxzr8mzS0pBnFEuJAL31oCGWSMTy2gxovJO6mg=,tag:4PaYo2px/aNCfrdrDVcxJQ==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:Wx7y5nlrwMrBRuDvlw==,iv:IcBuMCuJ69cpGQNfEEUQpO0ABSReuo5r+PxaO3s3qtY=,tag:Alt53i1fuimrUbYcZOkSAA==,type:str]",
+						"id": "ENC[AES256_GCM,data:C7ROBVS/BRbX/yP2eQ==,iv:o6OMZeG0WWmRYcAovyHQNLLW9E5CxpTgFzkqugmj79M=,tag:VZCNmJwn52lieC1z1MPu5w==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:jA==,iv:ExQteuV/37lEi4YxMA/VZVPwtuElukN956uMZdXs1ps=,tag:EQXcL/SOFG2Wf23MeeZgsQ==,type:float]",
+								"generation": "ENC[AES256_GCM,data:mg==,iv:IB9usO/i7EBcVrIjIQ+anHZC5y7wKwQwBt7oc88+vKg=,tag:Cc1guJA2a8LsBgJHk5LIBQ==,type:float]",
 								"labels": {
-									"goldilocks.fairwinds.com/vpa-update-mode": "ENC[AES256_GCM,data:YNPu,iv:KU/t8zIUMpo+YjSyE3yfAIPjrWLj+Jl1w6qh44iT/dU=,tag:wGIBUQbeWwcTzZzERN1IjQ==,type:str]",
-									"managed-by": "ENC[AES256_GCM,data:yzJgmvvewHquJziqcuB5pXt2jk66,iv:SVkC2WPgvVOuHx/8+DKClIYYzQPdxcQU9guJl1n3cyo=,tag:Wyhu2n9Gv83mnDOPrVwt8Q==,type:str]",
-									"resource-governance/custom-quota": "ENC[AES256_GCM,data:knvmMw==,iv:UQRBPcG/YePHxmxfU6jkqgqZVLQYoCHP3jVWsSncLFk=,tag:ZiASsdvuZDxjsqP5VqothA==,type:str]",
-									"tier": "ENC[AES256_GCM,data:ogvJaqE=,iv:KOgs8jbcWrqMD/IWu3x06Uve3ptNknPGo5aw6xeMbbg=,tag:lci3fenWaEK2yXQcQk/lRw==,type:str]"
+									"goldilocks.fairwinds.com/vpa-update-mode": "ENC[AES256_GCM,data:egmv,iv:F4s3mJ3n4T4VM/7DnCt1koAKopLUZZ7LvhTCOYDvzC8=,tag:gQs6pM0ai2EvYgBUXnVAVQ==,type:str]",
+									"managed-by": "ENC[AES256_GCM,data:co3OHvZQhrjYBGA7YGUXMuP8grjm,iv:L/DFPntsS7bwWvegH2mIHQbn2C41Y/Ps8lR2ZtQQVn8=,tag:YFHLvTZdxO2Pg1Wv4u10+g==,type:str]",
+									"resource-governance/custom-quota": "ENC[AES256_GCM,data:yTqR6Q==,iv:+POxJ3eVNLepicMafpK4iMo/YPO+rcowhi3a19p8Tyo=,tag:6QYJoc5QNRwoDyx44eVUAA==,type:str]",
+									"tier": "ENC[AES256_GCM,data:Dh4T8RE=,iv:O3zI5qV7B9IpO9JDdXHMFIBcuAn6giLiXjjkX8n0ijE=,tag:2vDbj7O+8sWM+VbqEIUR+g==,type:str]"
 								},
-								"name": "ENC[AES256_GCM,data:QJgMvuqWbrLJTa3eqw==,iv:hgeP4R9YWXRbAOxKupUSVRce1jXK/ZWsFVTSpP13gmo=,tag:3CF+PH7xVIUoPj6F+jo5+w==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:wduxMMwS9T5I,iv:rXqJYL/aPjZVtkr42Ajd7MRlyGgbwMzfChNSidAyHVA=,tag:K3uspdaIJEheyxLtMyiSbA==,type:str]",
-								"uid": "ENC[AES256_GCM,data:rFLAVYm8+WqwFdAvFUvHNHPyDKw8D8ZEbtBj9BH6AvAD0PGT,iv:WkRQeeT/tWAf4w/VCkSSmZimqE5p/RL2yg4Qd3ObjX8=,tag:wungm2Vn37fntpOdCdg2ig==,type:str]"
+								"name": "ENC[AES256_GCM,data:up5dDBzPIxwLBW9oxQ==,iv:AZ79fxYDKIDn/IcvFTl0Uerehs1WieTj5rESCVcujdE=,tag:EstkdS9dRmlTdzmlLlCCOQ==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:nSiqCzkYxDKN,iv:sXvGSWdxGe+nN4O8joDlVBHkcn7uP7/2T36KOP4Ncgs=,tag:EnhSiYHhbXfTPUrbatxqcw==,type:str]",
+								"uid": "ENC[AES256_GCM,data:qZab4RBlEY9GNSc3Ef8q1P99Xu2XuVZhlOsqzxUPrdqUTaHz,iv:L7GfWr+YZZxInvLrSz/QpbajZ8TNsxMGRf5n0v9v0q4=,tag:kwJcThX+UUt4W6rz2YRFBQ==,type:str]"
 							}
 						],
 						"timeouts": null,
-						"wait_for_default_service_account": "ENC[AES256_GCM,data:YyERfLI=,iv:T5SShdN38Xe+Vp/myLE6rk5Or/enUT7rXaJPIfxHV/A=,tag:VSOlf/8yBrivlw3PopFM1w==,type:bool]"
+						"wait_for_default_service_account": "ENC[AES256_GCM,data:DVMVlTA=,iv:dG4BrEZB9h95cwhzjJTMV8G/bpm9aXlWlrlrt22jwCE=,tag:zY0kf/eJD7R/QDiGCy4KTg==,type:bool]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:PQ==,iv:Hxef1eQ8YKOWA61bNMZgYbXnTSk/HHYPjUy1dYgW6ao=,tag:1+ke/xAkMxNxzTsg8gyM0A==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:eg==,iv:NY06ZqBDKoooKU4HouqDVcBwjO57LGp6BC854DjAayI=,tag:kiQYgNSPTJN5iCRoLNMDXg==,type:float]",
 					"identity": {
-						"api_version": "ENC[AES256_GCM,data:yBY=,iv:AzieiCLonf6BYNUTEP/9u690dBhouwyo4B8AgfHoDqw=,tag:fxQQ6E6FKyyURgYqMXL0Tg==,type:str]",
-						"kind": "ENC[AES256_GCM,data:OdPzblFMdjXw,iv:2GLif/a+Ax00xvLYN1qC4ojD+9PZ9h7QOxVc8FWgQkE=,tag:Fzebt3CBzNSkQ/reqihM9g==,type:str]",
-						"name": "ENC[AES256_GCM,data:EPR+AvkRMBgsboxA0w==,iv:DRV8OHut3MLE0dLqKHLnBSX0T7AOid3mkK9bmSbjihk=,tag:lf1iaZcdOUfhSvJvgr177w==,type:str]"
+						"api_version": "ENC[AES256_GCM,data:nDo=,iv:QDb6qrGxQCM9EjTTuNez+ykxixzIKAlMl55j3KXYJUE=,tag:yR2dpOxFhkmxx4LNLVifLQ==,type:str]",
+						"kind": "ENC[AES256_GCM,data:DzH3iMoYrcnu,iv:Qhq7h72OMLqWyuWILanRdPx7aCEUlwbaCwIbyQEhlAI=,tag:Av/e9xslbH0ERLGs1JnKAQ==,type:str]",
+						"name": "ENC[AES256_GCM,data:9QqmyDeEIPFwvuN9cg==,iv:J3YM7TXgYnsa/owcxtGeL8IEReoyBkZpxNITIS70CBA=,tag:/TLPaRHHz+lONOAr6DhUCA==,type:str]"
 					},
-					"private": "ENC[AES256_GCM,data:B1r4AkZ8Hkps2z/1bINt/1DVtUook6Z9CBBWsYFAvXvA4PC0Bg0cUAk/uBw8KIvLw2UJD6l1rSctjVfmAnnZFVc8ggXHMuEZXQPwQRmeZ3Fln6RYOgzxdA==,iv:ybdGlqfRbPlr9Z2MtCFmFW0jwtFYYosrhV7R+aV0Owo=,tag:8yMuEZSdbF/8eDlT6rf4Ig==,type:str]",
+					"private": "ENC[AES256_GCM,data:S+NrQeOsI8o6ktpQVdiPX0SuLRuHrInRbMXPzwMnsekerhd/9xA43npbvMD2IWNSsymDYKO/9YhmjrxBBSxLuuKJQAOX3+ay6ROEMOLNG9gM1+SMEcrLDQ==,iv:mccatG+XJHdTh6K92I/nz+eEKyXwmzXyrqAwzrAZXhU=,tag:Uw8r+4e6QUm8iWWO+MXt+Q==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:c2N1m9Kcq6zII8CUGan4dUp9PPmqVHdCX6AgYgEZkH0=,iv:htyszUOMJcBQqceVnxC9Wy6nljrsNXSP2+zdYYJ6blw=,tag:V4LSRPeM5r3XUgtBmwjvdQ==,type:str]",
-						"ENC[AES256_GCM,data:XZ8G7suxj7nXhfXEnlGvcXP6,iv:mVnIe/sH0lY+xrdD08wwosYiAwAFdHEBDw1JjECESIs=,tag:JYlKQITam2svYZ5jR9pJJg==,type:str]",
-						"ENC[AES256_GCM,data:/GRp+gSS8TrOMs5vV8PZacZRNegrTi43/84=,iv:X9lF6QbdZYALbQihkkIovF5dIkfGcUCxOAdUNbOfx6k=,tag:J62z7vrZ2loyucBfDh/Ntw==,type:str]"
+						"ENC[AES256_GCM,data:6p5MmPujQMV3oVipgFOPyKTE2xAibXW5E/YRC/E0Gwk=,iv:QAR9mh3be3naFV5I/YpMSJk7OXtX8+4ekdy+l4F2P90=,tag:mWJuCLak5HE+Pu2h2uWkcA==,type:str]",
+						"ENC[AES256_GCM,data:9EGx4SGiXnUGuAVoDfgXHf5O,iv:+n5YxXPVCWeTG7AVt1Ja+vDYH7ukNTKsd+rL+c2uPaY=,tag:FGTk+q2cIrJV2tv4JCpwhA==,type:str]",
+						"ENC[AES256_GCM,data:cfo721uTdq4/vasN7wfzPzm/hRurLBZAMr8=,iv:Q53P9sRIKwj6Tjpr+2hbpsenzYGy372f6v3jQfO4XlM=,tag:aXEraR8IK2L7Us4T1ctJAw==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:7G6BgM/0iK0=,iv:GawgRnZDIR5+lcL/9wW19/kdkvXp03B4NISyvsuYR5I=,tag:TO7Zy1gohynJGXOcbqXQYg==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:hA==,iv:JicUl7aZgUbGgR4NDpH7b7hOk1QRnOCafEzzi42YIDM=,tag:hXTdRamMg3fKbFa5A+qoMA==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:MhupmrDOGFc=,iv:zGwd1rMTIRha9dmXsQ/21HO7eSJVsUxtVHdcpJF8/O4=,tag:nPZdF4Dl5MBROKAsI+gL5g==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:jg==,iv://I3ZobCpN/LHHpGGKs7DH4jICzmcHRW1OstFoKMVp0=,tag:RqoWFS6tFV7muJo8eOwjFQ==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:zWL7smwFADg=,iv:OR54xVmUfWlTmEKzKr5AMNO2aNIXp2Km4rUvCOp4QOE=,tag:a94zf3W8Imqvfp7Pg8kAyw==,type:str]",
+						"id": "ENC[AES256_GCM,data:StTWSIAE+es=,iv:wsTe3q6Li9j8bL/XA7FHlpsne1G946AWt4eGSvGIYGM=,tag:e4pwPUeK1FIWE3AhCrwIRA==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:VQ==,iv:F8T34l0iDhkOYoV4DvslgXOQE4q6NpjqEUKL3Ez3+6Q=,tag:2xcPyLK0DybF5uZ1MHotTg==,type:float]",
+								"generation": "ENC[AES256_GCM,data:3w==,iv:I2P8MgTuxkaMiYMOoeTbBuaFy948KkoW9EofQfDm6sk=,tag:KTnN6Uv8OcMDIsloNezxfw==,type:float]",
 								"labels": {
-									"goldilocks.fairwinds.com/vpa-update-mode": "ENC[AES256_GCM,data:cDx+,iv:ezM9OZmenbC+BsvDXeqRi2ZxiUkaPWW705d0nJdyKZk=,tag:TbSk6VVxg/7U2L8V/MSDUg==,type:str]",
-									"managed-by": "ENC[AES256_GCM,data:H+PZSf1F/vFMOejOClcSmmn0Z6tS,iv:Au7EyMx0l10ssMvKMFE7KjbL7GqU0s9OreaTHh0eGnc=,tag:EQkT3kDKEGC9ZfI+/ozpng==,type:str]",
-									"resource-governance/custom-quota": "ENC[AES256_GCM,data:2t23Pg==,iv:pVmt0YYf/wrVhuSvbxIU0U9fhNoUX78aaKQxKGNcRzI=,tag:FWlQpUeTIsTXQ7Re891BUg==,type:str]",
-									"tier": "ENC[AES256_GCM,data:N53JV4M=,iv:Ubt+jfCrVehDKAQt7ek6IAgBAtNm7vhs6BmOEk9iZVE=,tag:vvJ34ixnpVxpRpQOq1dqxA==,type:str]"
+									"goldilocks.fairwinds.com/vpa-update-mode": "ENC[AES256_GCM,data:EpLB,iv:p5zX8R07LqHL0wn9k8hOifjisawcovnTgW6R8smFpCE=,tag:j0ChnlrC0sgkkRj/JOS8xQ==,type:str]",
+									"managed-by": "ENC[AES256_GCM,data:qRGsqsGX773aOnrEd9BOWiLRtNPk,iv:G5WUTQvNv3/fm/zKQfraLqhpq1kmhdJfoU/Ua3ZzBcY=,tag:zlxh2A3Q5zeRtE7DZhAseQ==,type:str]",
+									"resource-governance/custom-quota": "ENC[AES256_GCM,data:NQ0Z/g==,iv:f2fx8QDSQAbJgKFY8QTTBPtpinQeZL1QJfyGjhhhIf8=,tag:elvhx+TWaRzXWtJlmbTNOQ==,type:str]",
+									"tier": "ENC[AES256_GCM,data:8nFOk2A=,iv:1yE9cc8OfgbphaxdMWIF2y00Z4MIVs18WAfTqj2cMnA=,tag:VeUNZtdTLOp8WAOZ5XXYWw==,type:str]"
 								},
-								"name": "ENC[AES256_GCM,data:b1yqOh9W5aE=,iv:jbWE9BEr0fzEntEO/+moUulkxYNxE3g4C6U+MbVDb80=,tag:g9mBwwA78/DGvCvX+EUB5Q==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:fVkzFh1hQ504,iv:/9uiv/e3E/snFRyJdAKFvNL53/fl+7GQ6pjPT9g4TXs=,tag:jYSOwiZRRgiJHoKFVvfVrQ==,type:str]",
-								"uid": "ENC[AES256_GCM,data:Ip8G0sxGPm07RIZ9A3K/XKwfaF03Hh7iJxQ3VmPGBJreAOhU,iv:R2x/sOe01vI5z16FozRylhwFicBESroVA4Zj6yJQuTk=,tag:4bWpZuPgyuHpZhVRg8+m+w==,type:str]"
+								"name": "ENC[AES256_GCM,data:7Ga40qPJ4a4=,iv:2nxChRd8DTwR0gKWNd0XV/b5/vKgPeM6e74+mwgaq6s=,tag:embSJnJJF2ygBws+moYyMA==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:EV28KrYKPFMt,iv:MfmBFwThnkqo8c81K7zwlaFZRg0Lk3UmXSBFW6nL7GA=,tag:ka7Xfiw/xGpYaFN9syXLRw==,type:str]",
+								"uid": "ENC[AES256_GCM,data:iv9Q1o6TyXpK6kH5jQlGcLp3PD+MMq+todJiFBLOWN9B9tit,iv:L7xYjCijXBdJaj0ywgXHDIuT+PZaVWhFnXja6wmLEv0=,tag:LSknEnAQTKD5g7bGgEWLtg==,type:str]"
 							}
 						],
 						"timeouts": null,
-						"wait_for_default_service_account": "ENC[AES256_GCM,data:Lq7jEmQ=,iv:cK1KNAsmUfhwlfMlW7C/Pxp/L2avHmSR81fdjjIAZeA=,tag:OPTosrRXFLBYRsHk6xfYwg==,type:bool]"
+						"wait_for_default_service_account": "ENC[AES256_GCM,data:YuPc/jU=,iv:C+kM0G0Dw9C7vz4HtTvI/gFzjRcoTLJG90/yfwq2cDo=,tag:B+t7jEbeGucgpQjsNcTlsg==,type:bool]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:1A==,iv:nQrmgnjMS4928Es4nZLcsiRf8SyjJR4oruNg4ETlSKg=,tag:KBIbNkiOH3MolUUMK0R+Ww==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:gA==,iv:GVXPA1jpaXFT+OX9gH60RTervGRTDThWWJTgPXNqrhU=,tag:/hL7n9BGYUut0xfb5tUfdg==,type:float]",
 					"identity": {
-						"api_version": "ENC[AES256_GCM,data:3WI=,iv:31z4R4aUzL5Gzme29XeiqLcnn3ezZnhXg68EAFFPY6c=,tag:SNDrGfXtdJCnZ5/pR45+JQ==,type:str]",
-						"kind": "ENC[AES256_GCM,data:ZQZuh5/qVZAb,iv:o9y50AZKdFkPeHLdMoiHDGoFmyuyX7cvsZ/6LnoXwoU=,tag:jO4waP205SetNcvUpLFmqg==,type:str]",
-						"name": "ENC[AES256_GCM,data:WOlOJ8x0S1k=,iv:uSJpsyfZqg7Ctmw6SlmHMCZCVInlGfJaTEXn4qGnDAc=,tag:xHsfPswd8n16LM/iUhM6XQ==,type:str]"
+						"api_version": "ENC[AES256_GCM,data:Bbo=,iv:Hy5HEzEZKJz77u+QNgQUi1Lcm96HKN1G8csjseWG7fk=,tag:6yxpxh6GIYvHA+qOVwwQdA==,type:str]",
+						"kind": "ENC[AES256_GCM,data:5cfGpxlGZMQX,iv:HlUer8RpGIpSrnCZOBhi2UT7Tt8F9WZtAXIFr9WnH4I=,tag:Hvrev+tQfj9xFqqIjYCkIg==,type:str]",
+						"name": "ENC[AES256_GCM,data:JT7WRrhifK4=,iv:6HbBw8rwGNNIrPEhZVY5VidpJIX4ll4MRnjjfn/nwOQ=,tag:h5dh/3O4n/hglUas4gtITQ==,type:str]"
 					},
-					"private": "ENC[AES256_GCM,data:nuvwLOPHOOoEbZ5ZvQ9o7lXBDvUDROTrFG/SUPFgcz2SbsyUNECxeRXJ5Jyzhq7JgALosjHJh2v+CS9vWeb4sRQchFfa9m+a4ynYvvPQhsN6LFYEYUp02A==,iv:JOzvfHFIncPTNIyC41bOfNgaqpmqU/hLv9m/5sN1L3Y=,tag:wNBODV12lHyuDpKCOoS40g==,type:str]",
+					"private": "ENC[AES256_GCM,data:x1XaWIDA3UeAEtJwkc+0XbcqgD/mk5awpvHaDyid8nAJ9UIZXrTGyg/XgqmT7NWn0FNzFQAK8t6xuGJ+eGWnBSfw7iwjhXs3be7tt/6ZuCuQopfOQUVmJw==,iv:jNRG+HaUDWa1K4hsXdAtMr1gj+n0leQN+S+LJLQ1Ej0=,tag:rCWA6R7E+UBIIUaIAxnQ8w==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:Y/oUONAE97z78H+/QfefzJH5rU39CvuNLK8rwRCFy5Y=,iv:biLbfMf+3yCe2U03vXPf/nlzWuQEBKb5IDGQ8B/cX74=,tag:I0KbahX77xv+9vQJ/Yd+jw==,type:str]",
-						"ENC[AES256_GCM,data:iGIeF3gD/cLmRlW2WvL+j8In,iv:kZINWPW5/xP6nLToGqh0MEP5UIs2HGErl5BomCXVGuc=,tag:zOlsj9RqT10GgzGSkVU28w==,type:str]",
-						"ENC[AES256_GCM,data:AptcLUlDBHvq+Xh492uV4HTimCxprMtWcto=,iv:TNAkuggrWo8jlov2q+EeD5OqlrEWbIXkAasNHPes8WY=,tag:eiZJSjHIBg7ItHk7HADzIw==,type:str]"
+						"ENC[AES256_GCM,data:HRTD6PSls4b5t5t17KzYvf1S8Ts5Gd8Jx34uRph7hmc=,iv:dH5bArA9Qjy7pGkR8Z0DdDZUw0mBGiWxpyIvkKxxotU=,tag:6c3VEUONRkhTg/BS1D/iLw==,type:str]",
+						"ENC[AES256_GCM,data:C/5oUwiyQD1C3nkh+Hc2XUK5,iv:JPDMlZeBXGbganfhlwEzFcFSDGL3mTYPySUzxo4cb6k=,tag:s2ZoVLsa9L/Lv23HqBtHAA==,type:str]",
+						"ENC[AES256_GCM,data:EocjGPQn077I+HZqO4dVJS6v8O03loI7fgY=,iv:mX0FR5Fve97FzMn1SwVDL88hsQyaT7wGCFWWynw9+ow=,tag:QG1KZw+5Rvg6P0LafTjjIg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:2R0B6ynfDQ==,iv:XEjIQfPSltZSK7SahYT48v3mkRRuLQYCBufvsqv2VuY=,tag:NgZW5JfRqOJIzrKuXzE3eg==,type:str]",
-			"type": "ENC[AES256_GCM,data:DTN1g4HfQisKaDGeSUgF76XBl4c=,iv:Ofpxy2Wy++pq439bzenxmTs7TFJqYPq617Ab4LoXDGk=,tag:EvOA05tL00BAZgviKBbI4A==,type:str]",
-			"name": "ENC[AES256_GCM,data:yIaOTm4=,iv:TdXov+JecvllMoZK6OjtVglve0szcikdyQUTE3aLpjs=,tag:eBNbeQHD/nUPhS0rtgZGog==,type:str]",
-			"provider": "ENC[AES256_GCM,data:MJeGqtHeJguHERLP9heb1O7c/IlzxQBJ8Nt8Hif2Dqm2Ls6f/9mbuYivEV+GUwBXwzr2RBZj,iv:bmyc/bCNrUSQ4c/UmNwuTk+lHBrBg2zvyu+2MZsB2a8=,tag:INXGsYR/YLIthJCdU/+2Vw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:Mv2rIlfprQ==,iv:V0LSo1ubqC1fqhL4Q1+1sfPCXzsruu+Eev/WocOhu6Y=,tag:ZUXkkS+9RN8gzKjdCVxY6w==,type:str]",
+			"type": "ENC[AES256_GCM,data:JK5xkYwzOxEh3WA4Qn9VwZtO85s=,iv:XC4ESyl2xP0j/FEj1YEJ0Prj8OBc/Mk+LCkya5jEank=,tag:HY05CCHhip24ELKKt6pb/A==,type:str]",
+			"name": "ENC[AES256_GCM,data:58uYYuE=,iv:n/d5iWrZ/oQdwFN4IxAQ6wMzZI4AzxEHPWM5Y/IF4EA=,tag:YANpT/toWqM6TljP7nps9A==,type:str]",
+			"provider": "ENC[AES256_GCM,data:K9HIgSjRS+RgbgY1Oo8mlJ0jJ+ZhJcjsagPJPIuxrvGQVTlG41FtVwXuOJmqEU65uxvZXqPi,iv:lYNYoHUDQIqhJNqbt8+eAo0BIN482n4qQU2t/6mhBJk=,tag:kC7y6VQdA4UrLIuP2nsybw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:lQ==,iv:8e3PhtnldkXOetj3YEz+ykNI2rABL94LyxTVa54BRYY=,tag:Czo+QYS1U41FH9lS/ze0sA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:4g==,iv:i7s1BfWGljQwMQpA1/NPkt+XDb63vVhNsjtMEyapRSc=,tag:OsHBN32/AkD1lv8YW8OcLQ==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:EPVstg0=,iv:ZnlHu8R2MfdRQzNxCVIcO/2bfgwFBUA1NZ30M06fSBI=,tag:VAINaFvkTkqxunjk7vKdrw==,type:str]",
+						"id": "ENC[AES256_GCM,data:rymDBDw=,iv:v6jM4qq5jydMMdFAcUu3q4FPlNkrlZ3ID44YBkNvREY=,tag:pEJC6ThPaEAlbCUWZk7F9w==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:8w==,iv:jLpecSf1wFfH3DWWA/MqAzroFXvxhsqG1tI12OkYBW8=,tag:HPzPQUJML5I68xXpLk/ITw==,type:float]",
+								"generation": "ENC[AES256_GCM,data:bA==,iv:Uvt4HOfLVCMSGXXlfBtqWb6S8oYKifblElDLR59yQEY=,tag:5ahZZSmOowKMvqB09VppGA==,type:float]",
 								"labels": {
-									"goldilocks.fairwinds.com/vpa-update-mode": "ENC[AES256_GCM,data:cSS3,iv:C2VZTu+97sTQGyyE17LhvMZ+SvvCzr564+mdlTQ/YVw=,tag:dtQRp7NK/cGGmc07/8gRHw==,type:str]",
-									"keel.sh/enrolled": "ENC[AES256_GCM,data:kQtOnw==,iv:pXI7g/lKsTkBxcxKGnuZltKz5/S9Yy8vfOg1Yf4pnTA=,tag:SRXlrxxp3IARy7ZMkhtdHA==,type:str]",
-									"tier": "ENC[AES256_GCM,data:JR7sQWer,iv:GosllA8yIFnIUKtQJjseH8+1Uaklr1unApd+BU4EC7I=,tag:y8Zmfkx4IDggIEAN0o+1Pw==,type:str]"
+									"goldilocks.fairwinds.com/vpa-update-mode": "ENC[AES256_GCM,data:iSCI,iv:RsKXO4NvjmCnIcW2LC1JmwUxMcOl79BCvAG1cquApFY=,tag:WqZmKihuAa9UYWU0C3Ggjw==,type:str]",
+									"keel.sh/enrolled": "ENC[AES256_GCM,data:80bJVA==,iv:EUzJY97MBU1O2cd8+bYUB/gTdQCXUC+9qd8MPY1QNxU=,tag:CoxOVlEW/m0t/FYDPcXufw==,type:str]",
+									"tier": "ENC[AES256_GCM,data:A7fHL2Rs,iv:2xTAvoLWtw/cIkP//YfRCEQfgMJGy5UHZUq4qBmGcfw=,tag:hpTU71BW74cG3B7oYSlYwQ==,type:str]"
 								},
-								"name": "ENC[AES256_GCM,data:Nd52X0Y=,iv:NOJPg2p07pk13IMRRIh3gBo0VHzRvIVbvILwEViAQ10=,tag:/hGvIht9Hvy+IC9cu0tyaA==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:ffLtFRdZETYt,iv:yCkJYyOQ/6y7DwgnBNZwX0DMSzLcExVslIp8fGdHHgA=,tag:X0MbZVRc2rtaAc3iFP43Zw==,type:str]",
-								"uid": "ENC[AES256_GCM,data:r/Mn/ggagzFZ4X6AC7X3FdOXW8jWi1jZDpmVRyIJBQiex6MK,iv:N2X4JX/i8WMkVEaDsQZtVJ7wv7vYU2X9SAH6gJy88vE=,tag:cCuXHJHN2EHpDzMMpipgFQ==,type:str]"
+								"name": "ENC[AES256_GCM,data:NOUdLto=,iv:PZHCgiovFnO1D5Sevq1K1jppLRB+3NI9LCtqdNoVnHk=,tag:V2cgtmF3duIZkKMs3tX5Cw==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:kzS+tqXatWV2,iv:fhXto/JLTuav2V3nIAs6jWw4eyPVtFRXux7aHsEVWhQ=,tag:w4YYHvGbp7hEKp9fPE4JiQ==,type:str]",
+								"uid": "ENC[AES256_GCM,data:zgh08r/wegPbqw3G+VclIOF27gWeMpnT1/FrQb4vuIgVMXI9,iv:Od/8bG3BSDkeo9X/JPmwF9tTJHa+dW2+aTaN9vBciOM=,tag:gdlWny+9l8Bh9DeyDtSy6g==,type:str]"
 							}
 						],
 						"timeouts": null,
-						"wait_for_default_service_account": "ENC[AES256_GCM,data:3Dni3t4=,iv:AnLYjPn19VqaQAXDlk3KShABRA3gzy6PFkffFVbPZfo=,tag:C1CECASJG0n1wXY00D177g==,type:bool]"
+						"wait_for_default_service_account": "ENC[AES256_GCM,data:3AAwcos=,iv:DdR0Eixt5Ik8AqUx4HaxWqiS6SB+W6JhaGOqh+Eb6lE=,tag:wmXPQItc/h720vewXZVhVw==,type:bool]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:cA==,iv:IEu6I/ehe5YhF7c3t+AEugSodWWVzBwkS3vfysY/UIw=,tag:/VjategIHsbeXgk1/NluLg==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:DA==,iv:NoJEB80vrEmupjIfjY8+2v4dYdlAbZoLMZH7TpH2A+A=,tag:uW1hAwYjWbJ5iePgvFdWUg==,type:float]",
 					"identity": {
-						"api_version": "ENC[AES256_GCM,data:VrY=,iv:so5k7jNEWYhvms/H3VjSfAr2gihz4a3Wg3fT9B9DBuI=,tag:V9mRO42ZhC0Ksp2F38p4/Q==,type:str]",
-						"kind": "ENC[AES256_GCM,data:K/gAL8Bko1um,iv:LD2OQ48l27mYFVnL+l46V7Yy35q1q0SX6gtDkTTFDJs=,tag:FcerB+TdXhUXVcXEwVafGA==,type:str]",
-						"name": "ENC[AES256_GCM,data:o83WWww=,iv:SlWx+QC5QewdnZUWVSmq9R/ufUHWQ7aBUUPcwUnwaG0=,tag:uJFsqhTGMLCi8aEbkKpx1g==,type:str]"
+						"api_version": "ENC[AES256_GCM,data:HTM=,iv:e3k2O4hgzynPjPS6plLC23at2EmCuUY6GMyxLDMEGs8=,tag:TPvcb5FcbweeBEsVp9n9FA==,type:str]",
+						"kind": "ENC[AES256_GCM,data:hhoOn0XtADPL,iv:KaA3R0gbpUsOhS7laUDywFlJO6h/kn0X9gr4kzACGYs=,tag:+g3g/a/bwQ185gEDibT5Mg==,type:str]",
+						"name": "ENC[AES256_GCM,data:BTrrFXo=,iv:Ak2PRTLqgCxf+5kDidLpIX9Kci5CAw8sHbYlQr0Tf68=,tag:VrrVv1tU18QDRgNi32DCiA==,type:str]"
 					},
-					"private": "ENC[AES256_GCM,data:3OizOf8qegemvROq2+RvQzB+h+sS53cYyddACirOKk1ptw6spIjSqZloYnnwn6pS6GDIpuhsgiXzwRYOu36MEd3JqtZks0nAzb5LzwWJwjX+nO5ioTn3AQ==,iv:23jbV1OcblT2UkzGIB5M/iQBaY0YHnBxsplOizbPTGc=,tag:idbU/EcApoPRJnBKq0a4+Q==,type:str]"
+					"private": "ENC[AES256_GCM,data:m/q44/Si5D1pHWI8mvZUElAIGoD2/tajx3bIEDr0i1o1DHftkBSeNp/a4Ril07rNu49fSCErtp4p4xup3HUMUykxv0+B1ITMxuVe3N4QLleQbG8aKndI9g==,iv:uvhIF1INRK+iW5YqunODqrP0jtmXuTlfYezmE2wnS1k=,tag:O2Q6/cQbr9InI4BvqeumdQ==,type:str]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:ryEGYQf7Bg==,iv:CGDsomUbkL8mSQwNTHk3+T+RNCihtEMdRW6VYTYVHf4=,tag:tiflhaA5RGt7e1lNA3cr+Q==,type:str]",
-			"type": "ENC[AES256_GCM,data:FbXVLROldRbC5TeTDb0+,iv:pTOa49iEbPWdvrF7QTSUc7ql5UxlU1KLVhAtkMY8Rg8=,tag:pFr0sP7lNuMmcdJEGlU61w==,type:str]",
-			"name": "ENC[AES256_GCM,data:ygKDgm37YyCZDzyCKA==,iv:hpVxwYenpqof3R9CAN69gZJcljeokpWKpiCGQTDetus=,tag:I5FcAkglhuqZFZgL+qvzdQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:R71/ocap8bxGicNhgjUlu1nlHmYL/uy4EXCMI4Xr1/ru4wBKZeqI5xWhwWxunrHON3LOx/Qg,iv:5T9tkJenm10pFv542iGCVDqUjhk9nZ3ceDIw/qQy4rc=,tag:s+cjdIaGUFfyBJMxhAtTbQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:l3mzLWToBw==,iv:qQsyxPdVnY55DwAHihLybfNWr83ciRVAwwPiUrjyEYA=,tag:O5olXYd1vOjc6IbEjSL6zw==,type:str]",
+			"type": "ENC[AES256_GCM,data:UsmrmPqzCvsnLAHVAlXY,iv:mHJ1zA8Oy+V1FXE91B+QcAoXTW0RXgyxpgaZYPrHRBk=,tag:uM/XMXQz2+n8qnndAiedfQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:bPrh/gWewwvKWKFJHw==,iv:+xtWmAvQf8UnlzzBgCBYWcBgyrO8k8/gFJccXcOqZP4=,tag:5mQWubcW27GJDuku9fsOpg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:u920CLUKZw7HcTwqmJFWyMw7gCVZckoBjJANOaJX1/aHeLPaR1IjGmd6h8ogFiq6zWe0+Kij,iv:vlIHABrDgzgkfEq3kTHO5wZMc3jrWHJovgQFA3Fs27o=,tag:5dCYD7GRdHgE0OEflU0Rrg==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:47tG6+OyUncZ5EzKTg==,iv:r0Wb0xFKfJtjNCOh9yj+ACcmld7YvXbwzGSXacaBDa4=,tag:Y5w2zwFCf8ZHISrn7fWZKw==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:4g==,iv:iZU9DuoDfLbe/04usTTDTpPLBA9gpcIVp3D5N1LEuKs=,tag:rRFie6HRXNqZR3Tv6KgAdg==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:RMB6+gAgOZevHnzwNw==,iv:BILIT5+bs2r+M6zpeAwh5L69HUZewkZNzjJRRhVz1SA=,tag:vT+vFx1LI9wJ2T1Z80SC/g==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:Vw==,iv:XPEJQx5fsGsvr6uydxXw9cyun3llWUbxK6SZh6VLhq4=,tag:2nUa/uoJVGmhHOEmFVX9UQ==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:7jUbTFd0Quxz0L4WY7FiEYHWUb4SscOJPvNgMS78sa48V9Lb,iv:C2vvKBM/Drnpl+BecJqKqKvkxKqHI8MrVP7UGfdvVY0=,tag:L74bzaJyqUtj4LSEdx8+Cw==,type:str]",
+						"id": "ENC[AES256_GCM,data:yID4dpqAalX9T20ESRLeNWNKIueXTxl2sFzBR6omNrp0rYvP,iv:hW20fMa07F6uxbm61UdYRqPZfU5bTkByvrJDM67o5BQ=,tag:f3E2X80v8I5wDRDn9B23qw==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:+A==,iv:o6GUDErXyP/gMWOfxYaUErpTtmTASCc9CuF/I4R0Yh0=,tag:+4kKbdpdmpZHTXrkz8VpLw==,type:float]",
+								"generation": "ENC[AES256_GCM,data:tA==,iv:sFQjTFghdJQjhDpL3tBeGX4PLnT4gMQ/47BZQ43i7S8=,tag:BNzEmNkN/ei9AHK2R+A9NQ==,type:float]",
 								"labels": {},
-								"name": "ENC[AES256_GCM,data:mb0DCmgv/0dFUcQYX32YUZypipuz0A==,iv:7vbEeTCxhs0DWn3mhOCIRu4U0/VTxgowlCg265JlG2E=,tag:hCUXxmSatA00AA83J2G37Q==,type:str]",
-								"namespace": "ENC[AES256_GCM,data:oK+TaRIw5b5SE4zHKA==,iv:AbEqSA8sV4WM9rVbM2KJ7zhHTyTTyTAemdjd57XawUQ=,tag:t2/ZSzacTCrstqAUvIlFFA==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:R3xkjxmDmWGT,iv:xVr31q5xmnDt6/7khEr1eq8LKzXvfbBgBGfiBnjCwRM=,tag:8FFg+ec7NEzy6MQ7HNLqDw==,type:str]",
-								"uid": "ENC[AES256_GCM,data:qvZqRU6a8P7nFc67Bak9/k4AF4iyxXV6PV/tPxrlFLBqxzlq,iv:wbfLMNhEBiWRtLt6r8VAfgrEiPo1BptIXWZgahKowNc=,tag:KbR4NvUbnu2W5V0vvLZhDw==,type:str]"
+								"name": "ENC[AES256_GCM,data:Mvp83iiPABQzXRrltl7b9AJr9IvjXQ==,iv:JANY21YlSWIiy+KVeXjtiUdPGnbouWiuJFWhg0xXnis=,tag:6m+rUiyPJg5P7MmQ6WxdKg==,type:str]",
+								"namespace": "ENC[AES256_GCM,data:AZ2JDQQfyjqYwxrG5A==,iv:5fmpWXX2pXWO79rr2z1Bxo5ajGUC9MDtDs9ZsNAkbbE=,tag:KEyN5t8Z6cC43uGIHM7WWg==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:oHJD2O2LAwbg,iv:O8XHT1bwRnWKHb8vmtyGIA74gxlqvG88C9zysenI0So=,tag:eISuONWCrxJiUh/GQaJ90g==,type:str]",
+								"uid": "ENC[AES256_GCM,data:GXcfNi699C6GxgWuQR/teoSVlSaU6G/hZwuokPqHByMUlPES,iv:mOdn7E4OuzTB2anbggAes3ePIDa38h6QRJ99HkbKxro=,tag:eZGk7tUIZONtUyDDtdMbeA==,type:str]"
 							}
 						],
 						"rule": [
 							{
 								"api_groups": [
-									"ENC[AES256_GCM,data:t5RPXQ==,iv:7XTGGI4NW/S6RRN+evj1pe7Kija2juz9FN4xI6YQwlY=,tag:/LLK+Gc52YGE37cGrdiIcA==,type:str]"
+									"ENC[AES256_GCM,data:07Rbug==,iv:eIQiYsIRsONHBvgQaktCSjuC36NhCkzSTavd86juKcs=,tag:WBt3zK4WUoPkrabkt2N5DQ==,type:str]"
 								],
 								"resource_names": [],
 								"resources": [
-									"ENC[AES256_GCM,data:SCY+0EuseMPpccU=,iv:fNdf5OhmW8EENz2hzWPAw/m/OO5PVTUpTzLRrmoagP8=,tag:UKu3j/wIWpFJ4sqAHBW4ag==,type:str]"
+									"ENC[AES256_GCM,data:g+DzqddhxvDrtWM=,iv:n63IXd4a+8jEe3g7HA4XUzbDqd4JXbNoOInqP6vLj9g=,tag:pJjAY+z0IqUKlKE4/L4btQ==,type:str]"
 								],
 								"verbs": [
-									"ENC[AES256_GCM,data:2dtE,iv:60tUtCS+DuX8yLA76t6+QkBaFxLoHYraShvqQl19jro=,tag:Mn+j21QQAyKtT1cB6e67Rg==,type:str]",
-									"ENC[AES256_GCM,data:FiKLxQ==,iv:alBzO3hci0A1bGNt2OHrkAxdlMb77y1RzK3eNALdX6c=,tag:ErkmkQiI4SCCDiUYlzDZtQ==,type:str]",
-									"ENC[AES256_GCM,data:y85TEFY=,iv:niSlxRhPAkqpmD0agw86uoPMLA9/WxUDuHukxVgvun8=,tag:9ahQ9Bf8orn8a3EBCdZvag==,type:str]",
-									"ENC[AES256_GCM,data:vvM8QTuH,iv:T6b09Kd31+6gdNreEgsBiWvQzHgaGtX7A71G7ZxPyVc=,tag:vzbCTqv0l2k/GsbF2dL2CQ==,type:str]"
+									"ENC[AES256_GCM,data:hVBa,iv:dKBxpRXiMxobne+PqRK0jJy4BdHeEC0I8Ut+R3DzEYc=,tag:6cqkdJ6VATU9yRH3sOtiZA==,type:str]",
+									"ENC[AES256_GCM,data:YK0JnQ==,iv:D1C1SFmBRAyg1zN1FdC3eWkXue5U+XEVNkS/CJ5b5YA=,tag:4zn3vvDufVisUolPUjIMTA==,type:str]",
+									"ENC[AES256_GCM,data:K51QKhE=,iv:r+/8QFemQ/LxIgUX7ZFcxhGC+7FrklxDhcy5hynxI94=,tag:iBnVV0JVLjoOpr7WJwQEHA==,type:str]",
+									"ENC[AES256_GCM,data:ZhYkJ+J3,iv:QeZtUxTajpjplEOmw6RAo6IQPTj2b5B8uCpOl1RwUYo=,tag:2qyo2iR6tkW0PNlLZmP2bQ==,type:str]"
 								]
 							},
 							{
@@ -1067,62 +1067,62 @@
 								],
 								"resource_names": [],
 								"resources": [
-									"ENC[AES256_GCM,data:d93Bvg==,iv:LzcsK3HLCNUWjrM6qpgeUf4F4Gk/cE3i6VWEe99kM5A=,tag:hdj8dA5uOxrGiqp7ZQWk2g==,type:str]"
+									"ENC[AES256_GCM,data:ofAx8A==,iv:xmYlyMUvZZ6bjyMxY7EFNyASda5hir7vvLo6vagrx5U=,tag:tbnxrI8wS/9e4E40mjh3SA==,type:str]"
 								],
 								"verbs": [
-									"ENC[AES256_GCM,data:8Q67,iv:jsSapULIctQU1CdkPGNHvPqkrgHe5CHRgEmlhXLascQ=,tag:mssLbrCck8BlHZhmcmiksA==,type:str]",
-									"ENC[AES256_GCM,data:/EFqkw==,iv:XLRINZVnpACgblJ+vdDHOnivw9FyYBupPH2I2LsNNuE=,tag:0yhf8O+VfxjAtbve0LS0kg==,type:str]"
+									"ENC[AES256_GCM,data:2R0f,iv:5YoRdX4oNWct3jjZ0sL6ZaBvSLuGSNJNw0Z9IZ40QIE=,tag:/aoJag2ofo5XJbpmg2ICWQ==,type:str]",
+									"ENC[AES256_GCM,data:tJ6eRQ==,iv:mgHqe3Z32J53du8YZNb5IaKIR3od8prAFnCIA3734gE=,tag:8wUdtF4Ahysj2GAPcrGDuQ==,type:str]"
 								]
 							}
 						]
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:1Q==,iv:uN1dOyT5MK2RBMLWkHxbdI2goK3fGI8updgEzxl2JdQ=,tag:At1hYQ/VfaMBPGBacYDJLA==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Zw==,iv:/3DPLICpznK0OMKSVNkQssDFdDUj76wEb4TYBH0e6Ok=,tag:sixM5zODCdVcXq4vCKd5ig==,type:float]",
 					"identity": {
-						"api_version": "ENC[AES256_GCM,data:XnfIbu594M94KIKyOiS35Uk0Jzsnthp1P0BxuA==,iv:TXpzVTk9FhUhHVCRGwcBXgVVBzYpKTrJz0IB8HzjNjA=,tag:E5sE+5LEn7nWyFGPbz70iA==,type:str]",
-						"kind": "ENC[AES256_GCM,data:Ano/Gw==,iv:7Jg2zXr8SZzRLiJbIuMu/Md6T2j5wG7s0uaGgI3Cz8w=,tag:hRg0Z+knhoMpaW7s7i1FBw==,type:str]",
-						"name": "ENC[AES256_GCM,data:08re+fN9BX4w4hPUltsh3hhvFdnwEw==,iv:62ZNcJyGK7JXwNSg0SzUg3Ar3YbbTYPbSxWwmj+BvYA=,tag:CEGwAV7ZONygDbcMrUi9Sg==,type:str]",
-						"namespace": "ENC[AES256_GCM,data:gdBLSNK5yoihoOMYQw==,iv:6pC9n4XyTWQMqVO3vax1xTWogLR9/YW7RYvgbLx8EkI=,tag:eqgg1iinsKiqAl7zJ4cWuw==,type:str]"
+						"api_version": "ENC[AES256_GCM,data:3OlMBJXBWOmYOTPdBCuwkSkpPMRrjvOAcOGSvw==,iv:F1EtT/mOfuc8j7GoPQzQ4sZxFb394sZmJoY3B2TVLio=,tag:VwfpMBDULsyBCv4Sk6NHJQ==,type:str]",
+						"kind": "ENC[AES256_GCM,data:56QBuw==,iv:JZohn2azJ/HfcjXzEaKimAVTAabj9BVpRKlsLMKTAmc=,tag:vxZmxc8YyXpkAPHF5hQtsA==,type:str]",
+						"name": "ENC[AES256_GCM,data:cVzrXxYlYOylm89lima11Y7nVsiROw==,iv:ammXcwgt39h14EpJ+wEdY8Jt2lfPsEdYw16xHJ4yz8o=,tag:yytRsma/RBhmjBNYHlxRYg==,type:str]",
+						"namespace": "ENC[AES256_GCM,data:IjAB+OceAcIL6DPivA==,iv:T7aDtB3OVGSRYydjR1OYFYVIxWrkqT6DUwdXSyybMt4=,tag:Gsz0aTcaB6Aeh0YiU4wVhw==,type:str]"
 					},
-					"private": "ENC[AES256_GCM,data:bFIGWB9RvGx7Sx8BfCY9+wlC3E42meY1IIB7Cjx9DGE=,iv:Ua9WsJeNJaTb4fEwSyTpAiii1DKII7ekx8KOJsXRH3k=,tag:BvrhSR+H0+rUQAY61YTugQ==,type:str]",
+					"private": "ENC[AES256_GCM,data:qhH30RiPjZYCAAsl07jeZnX5EZsZV63gSuxKdpcy0Ug=,iv:CoTG2UWdNUzGh8YZ4j+doCV6wm7ix7NIuBdrbnEyR3c=,tag:PpDyXSSEJL9hlUBzA3SQRg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:S10hFxfLjsC1cdM/HYPDq6cL3dSn9eUT/T6ia7YKsk0=,iv:XmV5WX/IBHDtKguokbKwiv1RisXhYv1Qw8PuIGnh+vw=,tag:rHjOV4sB60FIf1+jdi4oeQ==,type:str]",
-						"ENC[AES256_GCM,data:Fol1I4VIYfwEeaNaW9p1EpeD,iv:aR0qMH2G033ijokDT8fNhkflE+Cu7xuNUuwNVNfJffI=,tag:EGzpuMQ+PBsmKEsIl/b/UA==,type:str]",
-						"ENC[AES256_GCM,data:v10rIlNc0hGHBD7Aa7JoHiej4K7AqRvEWrx+waeErtfyB4Y=,iv:2/3/tTTF4SSF+hSSiJ4FohXn9kOG4v4qvU/bM420qZM=,tag:USs+TtawFFKj1OFsduHaTg==,type:str]",
-						"ENC[AES256_GCM,data:VOp1p5cGvPW0QLJYTnmkjF1rcxsT4/YXw40=,iv:KM1rFOcTfdsKiboDAh5g+U52DtCJVYaebBhusjYJJtQ=,tag:lhblHT4zuJ2gZlfJ3k6RNw==,type:str]"
+						"ENC[AES256_GCM,data:LY7UwwXrGqv0Aj5X9L6BAm0/Joevg8hg14rQMq2pduY=,iv:EIOw2sZyw2FnmaWblaZvoRoSaVELn5vx/m87lSQ+aFo=,tag:E8ZHvd3nalnWvfpcX7ZOHQ==,type:str]",
+						"ENC[AES256_GCM,data:vTCE6eEop/VPk6+f6TRZSw6m,iv:xTdRFE2BfJsbxyYcByXqotuSTQvDAfwzKaRYWAzp6WQ=,tag:6xFieC7L1hARJK4DJt628Q==,type:str]",
+						"ENC[AES256_GCM,data:8CSwsuRV1xsIRRPULkLg5Y7wSbl9/CttySpcIkAfv/fm7is=,iv:NZ56hrXHe6qzsqn/vmpZ5Nj6rRgxvQsRtXVLLf2R5c8=,tag:kVDyBvk/EAc8IhJwc4j0Lg==,type:str]",
+						"ENC[AES256_GCM,data:6rBT++cWozubp8a001q9maQilzm+LhaQfyk=,iv:iudL6Te2EUcUdpbyzAf4AHHnFgIjOjyp9cqn+7yGIoc=,tag:2ibHd5ReOqPCAqZT8xHt+A==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:+7LRdvgeiNI=,iv:6B1GVn/qohp/cDEsst4eFzKtVYC4iTTeAjfleCLKdgE=,tag:Mt/cUOb/gYRLZkmbmM2MkA==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:Qw==,iv:havDcf1nlCt4dlvlwpb75NANjvnK+CFTh35pLqKY/8Y=,tag:5r8hrZasq2bodGryAULmvw==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:rnyW+ZMDW+Q=,iv:kpbCq3SJAqUwJCn9bY9w89li1+AcCuhvAbk/mZ4k63g=,tag:tsO7plNHHLbxUREnJWKZNg==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:CQ==,iv:9GrhgQyJ8If0pTiKTsCUjVT/ilLeKVdL0XMLed36fc0=,tag:3NBnWpPgwVD4TAqY9HHapQ==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:ex9Y2OPINdYnn3zVz5OMaeLBEL1KRjoEKnk=,iv:NfYXTE6hxawTz1BkwAyzjMk2+SmAGL8FAgbIwTcBsic=,tag:4WQKnZujlySNb3dzPfN59A==,type:str]",
+						"id": "ENC[AES256_GCM,data:KrOMCL1uEYv4BbjnK1dy5bhUpdCzJANL+dw=,iv:2HQ3aSu8s8/8heADkVl5K+o32Skin53UZHz4tjG1wsM=,tag:q4hVZ54uh+BCcFD8tnzi2w==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:YQ==,iv:dhpqc8YXPq3x0px2wNmXdFk4wj5ZD02eiGpr6qQ1oro=,tag:NXL8Tg0Ruf4yVDxuCvWmSA==,type:float]",
+								"generation": "ENC[AES256_GCM,data:Ww==,iv:dmQHj6Pjr3t6ha1yMRusJaNqWwBaikVE7RqXDDrKdKM=,tag:8eGnIC58eMndHS09ycnBsw==,type:float]",
 								"labels": {},
-								"name": "ENC[AES256_GCM,data:/LZkdc0g5nakM6mffG5sI2o=,iv:YD+n3UZpVEdVRkb/nbQbBizvZLKh7Pl5oLGZf7cyDzw=,tag:iM/a1gaOTMKG/KC0G+lhfw==,type:str]",
-								"namespace": "ENC[AES256_GCM,data:l3NYq4sJ6mw=,iv:S3t0nSETtgP4VE2yIHkiM55NF9mVJ9fnTX5tZmxYLTo=,tag:h9EiQnsIa4dvQs4kj3ZjIA==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:+5hVNJIMNVTl,iv:smT6wFpNxI5ejaF0lP57ZMf62IKEA9fFCIY3BDh4Vp8=,tag:eDbgpe9zxLEE8rNiXSyeFA==,type:str]",
-								"uid": "ENC[AES256_GCM,data:agW3qXjRPLllkn2gydX3o7yHWYL8AYGoNXx5K1JRsqg5x3FK,iv:GifoACDuzYMwifWHhLqXRsWf5oY2P0ZrRqGi2p9RHtQ=,tag:MpgSULUHByiL5mZhSihbcQ==,type:str]"
+								"name": "ENC[AES256_GCM,data:opLzEdufov4YJGcupERMgWY=,iv:+vagoezAeDYxSzwtYTc1H2G03HpLVttQ6I28oPEcT58=,tag:MVvXzow6jxl8AT3WvHC/YQ==,type:str]",
+								"namespace": "ENC[AES256_GCM,data:6snGeVTV96c=,iv:Ntn/80IooQB4C6LoJlNbPxD8184Yjs4W2DTr+KvVMWM=,tag:cFL1wNhDWthBbpYZojiqrw==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:81fJJKX8YEkq,iv:ywLyrDgo8OcsEcSTSfdM9XTjmn9afo9Z6QW8d0lJzMA=,tag:hDOYo57xo1gtVEi78wHOAw==,type:str]",
+								"uid": "ENC[AES256_GCM,data:pEHLHQxbUjTLEflJ5/o4IGXy3dUTrZTMfDsInza3Tsbeggyg,iv:3Y8uguMLzIvLtNztLTSdqGT2khQaowYVcYvU2Rb7kl0=,tag:ZxITIro+XRmZR5SX0uhgsg==,type:str]"
 							}
 						],
 						"rule": [
 							{
 								"api_groups": [
-									"ENC[AES256_GCM,data:uyhz8Q==,iv:qz2Urfs8edfDRZ+zKL3LiOsDXfNbfOYXUoReoynrdW4=,tag:5/w2LQAonACBNcV7DSC8+Q==,type:str]"
+									"ENC[AES256_GCM,data:xitM+A==,iv:P4Sb3STmeQn9w7c6W4SeyCATherrhUxGOO294VCrHPM=,tag:y6nN/ju0pY5G9Ugz2v0e7w==,type:str]"
 								],
 								"resource_names": [],
 								"resources": [
-									"ENC[AES256_GCM,data:mSqHADCNo2Z3YQs=,iv:j++raQ2myorpIKCrF7IVFULjcSJGdZofsmRFIPUBIlQ=,tag:OfdYUREpJAwjevefs5jUJA==,type:str]"
+									"ENC[AES256_GCM,data:lAJq3CpNfy7s+b0=,iv:Sc2SDAWO+CGbsLfYYzUpjhmBh/ga0xGlojEaHBUEZ8c=,tag:YICBUB1NqRaQ4sDHimyBtw==,type:str]"
 								],
 								"verbs": [
-									"ENC[AES256_GCM,data:4rU1,iv:1E2Uxc+texalac4g6KEd1z1Vx20XhW7ZJjPBgdMCMjI=,tag:UPi9eyPj80HMigbn2vx7Uw==,type:str]",
-									"ENC[AES256_GCM,data:dhOrrA==,iv:+WxObPrOTHOJ2hV1JwTnRofMPJChuW/1gODTllXpfqc=,tag:rGiBU8ATUNwnsdr8bRhmtw==,type:str]",
-									"ENC[AES256_GCM,data:fqSV/7Q=,iv:4krqVSEK6hkBphgq8cR/kkOyUNf2P7tu3rCGZh1I7wc=,tag:PnAV5Sbcg3LH6XvYCy0UQA==,type:str]",
-									"ENC[AES256_GCM,data:JKlgWACA,iv:EES1WjhkOcl1jUN33HJ9xxxay2eYnu8pEPAb+MEQqIs=,tag:aPBPMtpRp8FuY0zh5ndNSQ==,type:str]"
+									"ENC[AES256_GCM,data:dxbr,iv:XQZb20lz6dXGNQYhP/X14EPS3amcSsWNuALhXRvQle0=,tag:Yuqu7hZESs/MJ2kTyx+r8w==,type:str]",
+									"ENC[AES256_GCM,data:sTxdUA==,iv:UxNglXnyIN4i6sUw/vE7g9R1YhQavAH4X9GDUkkMmJo=,tag:hzZNrbdtViDJsdfh09ylng==,type:str]",
+									"ENC[AES256_GCM,data:ptbzA5k=,iv:pIP3+4xKFLbK9ds+gb28Lhwz/nRq3Zn1hHhbyZGolEE=,tag:GMmF+nmfGAS+zxbvhtnkYQ==,type:str]",
+									"ENC[AES256_GCM,data:++p+zQl6,iv:GlUsk+YPTG0vJ7UEQjC9s1aK5y7omQHO0dYEgxNfe1g=,tag:xs2h3Ll5JqZnwMRLN1xNZw==,type:str]"
 								]
 							},
 							{
@@ -1131,119 +1131,119 @@
 								],
 								"resource_names": [],
 								"resources": [
-									"ENC[AES256_GCM,data:GMpn5g==,iv:kpnQVlbDMndKJ1aRRnodWQQe7Ev2omEcZf0yKRs5mu0=,tag:Xc1AnfAYjyGL1j5LcsqCBA==,type:str]"
+									"ENC[AES256_GCM,data:FAmgIA==,iv:GQbCRSQtabCMLTezsaPwINvLh19gcWmoUU6SMRxwkaM=,tag:0vPRmKuZp5M9Sd8Q7WMlmQ==,type:str]"
 								],
 								"verbs": [
-									"ENC[AES256_GCM,data:5SVX,iv:VLxv6JD0tU1Khil60BEyA+SkIUXpzeVNbRzZU562mSg=,tag:l6JnPkSl5jmxwit/53BjEw==,type:str]",
-									"ENC[AES256_GCM,data:zavVRQ==,iv:AWwIjMGrMLK7lvQ8dl9SFiKaIX9XpVjGSaGeM/5zcYc=,tag:YcVQnKry+e+Wri9y3Wzyng==,type:str]"
+									"ENC[AES256_GCM,data:qFYC,iv:SZF1RGls/VHXkc+T2Op+ZCPCNM/F3Sn/MNPXXfClZKE=,tag:tbCoqqDs5QQ0CszVmCJh9A==,type:str]",
+									"ENC[AES256_GCM,data:s1NMTA==,iv:29ZgwLnKBglLxybc/SCAGLpmohbiZ6DH9a0PwbwoVFw=,tag:9D50hIT1ZYpbjBe3Br9zvQ==,type:str]"
 								]
 							}
 						]
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Dw==,iv:JIuvfcdHGrnLcA+X5CjRx9aqB/8Yx7OLxKTZ1KlOlrw=,tag:nvanJziqVlh53lsmM4lIuw==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:XQ==,iv:e1XqPpUzqrSnw5P/CoSca5nRnfrL0zf2zRbYyjM+29Q=,tag:n2T9zbPfu14c2PjB/3mk5g==,type:float]",
 					"identity": {
-						"api_version": "ENC[AES256_GCM,data:7iMbizTtwiTKEip8soBdf7sDb2Gtcjgbqo2ycQ==,iv:HFp/Sq19fyjpD2786zNf1aBlHlE7SYLg85uaEbH2jkU=,tag:4vdZYG+unvMiCn4pQT6KVw==,type:str]",
-						"kind": "ENC[AES256_GCM,data:GEUH3g==,iv:myiXqE8JHVUURUHHmxrzQsl/IiVCFHdNUT4J14kU/3c=,tag:JMxCxyHkWZnnGhH3XM7RJg==,type:str]",
-						"name": "ENC[AES256_GCM,data:/kwnH6c2zs1PBDRooybq25Y=,iv:PfPtwDAh5/qpuSJn5WIbOiIHCy6Xu2wT0QhLAHERaQE=,tag:/JbuwPq8bgChWf6Bj98JGQ==,type:str]",
-						"namespace": "ENC[AES256_GCM,data:U2rPFF+vmuU=,iv:5VPgTk7RpovJpZiDFT0h+qw5QGpVWC6rHXGhKamQKNY=,tag:ZgBfM7FiArhiqaJK1uws7Q==,type:str]"
+						"api_version": "ENC[AES256_GCM,data:M2ohcln8imbKNGpuwj7Ihit071hJ31j4Bc9CbQ==,iv:NrYf7pJ37NtwVtMA3UutSsWFGJjSv8cNwGHfByIIuuk=,tag:S5EdaPAvWNIe2jGbi/w1cg==,type:str]",
+						"kind": "ENC[AES256_GCM,data:TxLwOg==,iv:ym8JPJMxqUTVCZN2xPVYVwkwQ2zetpcuPqNU86DwFfM=,tag:zPuye00F9XXY9bUXclR0RQ==,type:str]",
+						"name": "ENC[AES256_GCM,data:NltGi8/H1NJpXR1QaEvxTp0=,iv:PKB1xgrUFtRwBpIBAqehu8r/RjlPPJxI1w6WjxtKbOM=,tag:9WrpMc/DYgKXkffDlinLdQ==,type:str]",
+						"namespace": "ENC[AES256_GCM,data:Qyc6ypqwUPM=,iv:dnoOCM7agP0TCqtG4QfFBb9VEPhgmV57T6Vol1ijJjU=,tag:Qd0Z52sYX23xpw51vV2MyQ==,type:str]"
 					},
-					"private": "ENC[AES256_GCM,data:8ra0oSPTjrVV/I6bL6xAnhZ9OGr0/QrJn2NdtlY5+c0=,iv:dfgowsn0VITWW4AlUWiwt6VxGo2EmxJfsIkoYvq4x04=,tag:32D8VGEdq041MQSVSvN8vg==,type:str]",
+					"private": "ENC[AES256_GCM,data:x52sg/vsMgRa16i9CWBkVo1J0uuy/m9gqZRicO16AYw=,iv:avlXLc3Dmn8lhiR2UzSfYEMe0xGPqSqI8aTs5v3MO18=,tag:ck1XyZ8bs3BIyKiXX6qL1Q==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:hClsA8E1vBPb11hp9IW60pYpQRhOmKDPISwsjNc8a8s=,iv:Be+N2fXJ4Zdt0F/qQaHfmIF2JVOz96S/9zzSKQi2rY4=,tag:CagjYaGPT3INq2oDUfqxVw==,type:str]",
-						"ENC[AES256_GCM,data:sQT9w3IeKHbvuBRV+QHBUYLJ,iv:uAe5nhx0p1T4yqWsqFP7kmqKUZsHNWYRPPX0Pb/sB6A=,tag:BJb6wOBgPYvWUmfYbUl61w==,type:str]",
-						"ENC[AES256_GCM,data:pFVQX7aB/x02ZFjS2dt5VbU6WBCDuiv5CCp+Ra629VS7HSo=,iv:F147N6U1s1reQMrer3UWImblx6Vlkn60IeE+M8VGP30=,tag:18oZXhxhxpI6YnEn4luPYA==,type:str]",
-						"ENC[AES256_GCM,data:SWta+l7hTo0Ch9xO1lSNmv946Z4kb1A7cws=,iv:hHDVVVeSWoNrLgDFVl5qdzjX8urzCVsD2if2rHfYgjE=,tag:Spi4+Xk3Lte3EQel1NNbXg==,type:str]"
+						"ENC[AES256_GCM,data:Y+RfAdjFG1wqnuSErndFHZdysnXImruXPQgzn7bZzuw=,iv:PzqmnE81s9um4XwfPJsREt1x9HgEbiKBs86O23lq1nw=,tag:X4Bv7XNpAOtUevY8M0EGJg==,type:str]",
+						"ENC[AES256_GCM,data:whHDtEc7//aaykEvPMezOJYo,iv:DkwKPQ7BB9r8AiPUiZNZNG5tPPcVOykFo7//K6R3/gk=,tag:XerkbbtAMlnPc63psFIecw==,type:str]",
+						"ENC[AES256_GCM,data:VmIHyJo5cGYgUzOOV5QQDHckVo6IUZ3iE2FPK+uBDIKwuec=,iv:oeE266s0gZCE1O7VrXA+2Qlu7nj/YzVPfdCg7CViO8U=,tag:oouh+zulxswqdw21D1Ry0g==,type:str]",
+						"ENC[AES256_GCM,data:jtf54Cm+3sdtqb7+3VfDi1EXCxMKLq1i4t4=,iv:RqgHr2BUirjg5yyb+wDLgV2MdGF7bQomaOoZFpXx83s=,tag:8GK5bilsF2KiAgQFYqcMlg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:7JeIXyxMaA==,iv:mjh5FTrlinABb7S0Ikqg9lKDvGNLHh6IYt5QjC5EB4M=,tag:z8ROT6/QgJBHOYsZImDo5w==,type:str]",
-			"type": "ENC[AES256_GCM,data:Kh32Wg+Fy2jlbBE=,iv:cvRz0ZZ0ycMCyt0IFV6qZr/odOSj2HpA22FJClVOVDE=,tag:e+ItWkiyNFHoNyhF/uZJrA==,type:str]",
-			"name": "ENC[AES256_GCM,data:WHqDCg==,iv:6XJO9ov5jDc4tA9PTjdwLZwRCcjpeuIgVxNI3uqmR0M=,tag:SYIMTRGE5do72hbUazbVug==,type:str]",
-			"provider": "ENC[AES256_GCM,data:PEbS38GEhCUeq4yn2bF9gQb7wrz7fxdSHD8qNsPPh7Bll6JA15nE7UT9sXDlRTnC0g==,iv:iaOAKaHfxbSXWpNhqL3HE0Q80eRctpi3DBTQZiZ82QI=,tag:7xPsC1dwodbmdvQrPy5lCQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:rQHF1ViuLA==,iv:sP0Kj1Qr7hOMnoQDIC1U1trvMkF8FC5e+UfLj58UplY=,tag:0Jrm1l/fBwnrfcxwg6wbyA==,type:str]",
+			"type": "ENC[AES256_GCM,data:OR+DOst1bMMAfVM=,iv:wMmtXzsmV9Ej2sDmO04dMejdMxZsEDwhEoctdQ5z2Gg=,tag:y8M8dk/Te92L2b7KGcwlhw==,type:str]",
+			"name": "ENC[AES256_GCM,data:1qd2DQ==,iv:IfJJo41xX5p2PGtnFUuBvkQ0kz5IJmVXzPk2mRi5e4w=,tag:flhTuuVc9NK3J71JedSeUg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:7X/ItQOepezlInaFOl5FMnEOuXoKyKYuLIu/3p35bL4J0bufvYZRzuqt6c6Bte2Qiw==,iv:coyDiX9qYfOTj41cfrluBdS4Zv9a8Kjy08V7Pm+Zn6c=,tag:J48gPy663Cb44vMzuSveZg==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:kA==,iv:FQ73YlkjlKvQ0O0jiRmR4I17SETYWHYelUPQoF4Rg8k=,tag:xsfPcLvIV7BhPiQtDYxOPg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:JQ==,iv:1ucq1MXQXGvzP4R2O9xPDPgiWAML2FOwMl6cyWyxEAQ=,tag:iB7HCEJ6pctDhNqAkjEBaQ==,type:float]",
 					"attributes": {
 						"description": "",
-						"id": "ENC[AES256_GCM,data:pXVvtA==,iv:V1xEwEHO+HoD92bll4YDc6fLkbytxFMTJp2dheIlnJY=,tag:wsDBt/7WhOxy+AN/EF0NPA==,type:str]",
+						"id": "ENC[AES256_GCM,data:A95yMg==,iv:KI4L1rZ3UTlUZrsUzs97QEEzVIDVmnIJt4h32ACkPf0=,tag:qv+mzBeofzxIMcnzjlkFPw==,type:str]",
 						"local": null,
 						"namespace": null,
 						"options": {
-							"file_path": "ENC[AES256_GCM,data:psTmi7KwRGR1oLKXQUNS4nPFRHQYSxmNndfh7g==,iv:a8Kx14GRn5MR1upfMcwyEUdzmtNIvCztH1CjG/ScODE=,tag:qzo89pDzQ5frHcCL7UMBsg==,type:str]"
+							"file_path": "ENC[AES256_GCM,data:dAm5Jkj+dllVxfZhorwBWaSxewfgn89YaK+gaw==,iv:yseKI9k4nUJgNCiwAljT0t0G7/tBz77ILCh7PGeMd0I=,tag:tdZ0gJkrmmYwlWr+oKekdg==,type:str]"
 						},
-						"path": "ENC[AES256_GCM,data:1KmARg==,iv:ZA/U9xPDBySPBiv1UblO3ODGlKQdQbqCy9l5DxTioH4=,tag:bOr6CEvBR6r3saF4x/4d4w==,type:str]",
-						"type": "ENC[AES256_GCM,data:fXgP2g==,iv:RbxweDK6sRQzH0SNsZlQkhOvSl6yGTd0uEhT00/tP/Y=,tag:3h/yReyQ3ssHl2ZWggsYXg==,type:str]"
+						"path": "ENC[AES256_GCM,data:WHdk2A==,iv:ttd2V/Oafjw/YDuixPeB6Dgj/RFrK6912vyPm7R8GkM=,tag:wxnudP3EZbTN51fRGWq/LA==,type:str]",
+						"type": "ENC[AES256_GCM,data:DI8hJg==,iv:OyIkQxRrb029im7f6o/7+RW+Q8rPlGjbDhPNvKl+2TE=,tag:ej5fUSbQoG6ohDJYwgTG7w==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Sg==,iv:haBKfCRC8S2ePE7ZS39KrmcEtYct2ZpDhKwI2fPKuFs=,tag:6+jaDgU2CtwBmHg6VuIDRA==,type:float]",
-					"private": "ENC[AES256_GCM,data:FwVNuhDCbt8=,iv:k6mSQoCl1NCPvUbbT0cB7dc+kkRjx4VDrGqwPE733OI=,tag:6B0XEr2F7qWofwbzf3VvbQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:ig==,iv:/AKoON8QgVWqxcLxgKrUfMYNGL1ttGdfwh8d03Q0Rvc=,tag:JOMdc0R6BI/foM+07eeCXQ==,type:float]",
+					"private": "ENC[AES256_GCM,data:O4VpMfjZJDk=,iv:+EeFzKNEs81N81Kc9HRVrqtpCML3tkk+PIvjARWAfP4=,tag:UTYiAskX2QbXQ7p0KgDBwg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:hpTx0SeIKy8ZDYY7tNx1m56P,iv:6nJ+jZK1iDr0jXhmgZl25RjZazd5jhLp7uYddVCQxag=,tag:CXLh/dmIo+emCLzjaieG2w==,type:str]",
-						"ENC[AES256_GCM,data:iTq6AHYWV53YGzzUs/DeU9sbaZz5wp4DSZ0=,iv:REPPTbujjaadyGsPW9dL7NBgv6f4FPde531Vca3Os/0=,tag:SYpCubP7iklBsjZhNu+0tw==,type:str]"
+						"ENC[AES256_GCM,data:bZ47+PHRJs0bJ1PPINGGlOBE,iv:Cdp4ZA7FUWglSZVTGhejxhwdtWfgBU97EQmPIMQwaqs=,tag:KooBqilZNebOywCYpnT/1A==,type:str]",
+						"ENC[AES256_GCM,data:2TEW34uXH/NShMUxZ8y7tHI35HL71pEg81A=,iv:nvL8Q5mgD2/PI+bVY6kPwIk0CMksgnumh656R/Kau2U=,tag:NcFCz2BPkcZcj7oLtA18vQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:1G6IoNLQVQ==,iv:FYEPt4gT8KkC6pXizz0FL71C2WMZvA5hVki3p82xgC8=,tag:f2Q+fwKzgALKnx6NMvChpQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:qJAn+e8mF64gvKwr5Bs00cja,iv:ds61EBJp+maU4Zc59PXxFD3g4G9AICJgPNwq57KqGSk=,tag:KYnIyktt4WR+dxvoRKW6Fg==,type:str]",
-			"name": "ENC[AES256_GCM,data:4cMt6w2VzuRpeQ==,iv:mbqj3RbS9fe6Kkvch4PpCZkPt9AQ9LG9nan69zE6qXA=,tag:S117PLEVElHS8JYFMP1s1Q==,type:str]",
-			"provider": "ENC[AES256_GCM,data:DJtt48yHcr44GfwO35A4g5GgfYplPmpCzi6BuX/B+YCt+IWZzo1Y0B9Yo9vY8yF+5w==,iv:AALa80hheaCjz/sfwr5z9W5KCgFtLWRF8mllnIP+Ljs=,tag:JfcQEppVze3tG4uCWNceMw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:L+ASmcFeUA==,iv:L6jMFqXXUw6ak0dw/FfSuii38mYAEr2yu1zgxLGEj8o=,tag:TxcARoNzqjzVeyvpV7jkBw==,type:str]",
+			"type": "ENC[AES256_GCM,data:ZndS/dfErBvAH1ZVMToJJj1d,iv:3bgDMRP60oOuoAuyIEzncFNO++Iew5Cxzc9QlNU6O+M=,tag:lD1hr85UKaCLWsFZf0q6mA==,type:str]",
+			"name": "ENC[AES256_GCM,data:jF/C966X8fd5Sw==,iv:m13Qw3hcXTVI/trIu1Hl2mQsqK6537ZxmYMSLUQPF1Y=,tag:EdBO9SPTAYoF8C0hG/orxA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:17+dgvXeUIxMUeOALC5ePo50qTppeW/K6LINjgVoEokBmo3ddIVhPFKXdGdUScUF2g==,iv:pTK0ZQWA9S725DdsftOHIL2C/TwaHT97qNhd4aw1PP8=,tag:ZZ+aGvKT2o8NrbaiK2bmwg==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:wQ==,iv:wHdEZul8FTFRlf4xxTzLDkXQPijoMYUUkk6+MIiy6KQ=,tag:LaWU+nGEEdNyAtS2KpDavg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:8Q==,iv:2YkXyLsiwvnTa1qxesJ+4s2XseDZu/Ao7jFCF53lQhQ=,tag:azmQuMd7yKs03AyPScqIrA==,type:float]",
 					"attributes": {
-						"accessor": "ENC[AES256_GCM,data:tCppNfNwHS5jJL2NX6aaYgtHNvxYWV+z,iv:36+tgNRPwV2NPUA8z7jkMc7Ed5ZYVxVWlKVgW9H9EUs=,tag:yPVid6dTkxzUUMjocWL4RA==,type:str]",
+						"accessor": "ENC[AES256_GCM,data:da2OiRSXMH5kbXfeqnABX18/YyFh0DIS,iv:pN8s5/gvrfQm1/757yTNndiQBr62yCCewLpy5xGPRyA=,tag:lOTyBuCGQx5wKFdKaEy4fw==,type:str]",
 						"description": "",
-						"disable_remount": "ENC[AES256_GCM,data:Hi09CP0=,iv:USQk5UFc3FuzD8+GVXprLv2MWAqgXUHVd1YtYCS+7ps=,tag:Tx/y9gjOXTBce2vHa1RK3g==,type:bool]",
-						"id": "ENC[AES256_GCM,data:kBwHsmTqxLpl5w==,iv:zf6ndwH+KaSLneM0YfbidzeNHMWnL8wVHba7T6g8LEM=,tag:RJCWRBP9tEhQpxiWJRTEqw==,type:str]",
+						"disable_remount": "ENC[AES256_GCM,data:9UUik9o=,iv:hfyxJ3Nu5szX17v266p1AiBr0GjH9qloTGN2dqyQ7e0=,tag:aiRBGsgrI4GlzhEVaMmYQA==,type:bool]",
+						"id": "ENC[AES256_GCM,data:TFhZilc1jVhPBw==,iv:QNWD96G4Qpy7wWPS9rez6qmdM8v+8V4PNRs2tuaSa54=,tag:RSqwqV3RYeM1UaUdbp3X7A==,type:str]",
 						"identity_token_key": null,
-						"local": "ENC[AES256_GCM,data:BWjVgxY=,iv:SrbAEAuSMxx4S52MA/ZFyf/tFhPvWDfCnZ4Ky4j4T28=,tag:zrgGVhDMuWPGxuNo7bXJEA==,type:bool]",
+						"local": "ENC[AES256_GCM,data:UYulJxE=,iv:PcqPQOOwSeLs0zkV91iqrnO5mS2Ff+8UA6A7fhN+W5s=,tag:G0mFRtM098BLVrlxWHriwg==,type:bool]",
 						"namespace": null,
-						"path": "ENC[AES256_GCM,data:0CXpyLMjWT+T1Q==,iv:SoC8G1WJ4Arvb2gAdG9xQl7qps5X+gZ2A3cs24uNq90=,tag:HtTOE3ZrBOiKzTrtptpVJg==,type:str]",
+						"path": "ENC[AES256_GCM,data:e5774oAJ8/rekQ==,iv:WEg0phDkUHO+rvaLcxkfhUrO4tWOP6MnZzhRfavmerM=,tag:hGdxgCWu3QBO/XZaUbk92Q==,type:str]",
 						"tune": [],
-						"type": "ENC[AES256_GCM,data:j0pVBM+ArXH4Mw==,iv:qSS2nxDlxKFRiOTXyu8J5iJZkVkOx6NGX5bv2J5VmcQ=,tag:gi4qWsy8j593Oef3xN+ewA==,type:str]"
+						"type": "ENC[AES256_GCM,data:ihXZRQavLQNCog==,iv:qe3C3oi5XQ2lqobiTv7bq8H548ydrhsA2RNcZOrmDjw=,tag:mof3UHUdZYpnA1HuOKTv9Q==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:mw==,iv:MCDrzDVJxoATwFMt9e92bF92aFJPcVKCnbeOyl9YGk0=,tag:IxyCkJtzlgyLVep/gJDLUg==,type:float]",
-					"private": "ENC[AES256_GCM,data:TKfvqnGpNl20pcn0/dznALWMJp3yniLTxcOXKJZ8brQ=,iv:Vt8K9gR6Fb2TTLpu8YjW7q2KZGh17oEsS0riE0CQ8mw=,tag:QIh63pd8xSYdhW8o65NTOw==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:8Q==,iv:oAmE0nAigj4vkGwK1aGIRgv6NC+EWRoAR4GgUNv/Bh4=,tag:itE1o22RRPH+8Nyb7sFRKA==,type:float]",
+					"private": "ENC[AES256_GCM,data:/GxdKe9i4HvC20R3QVPbKBYM2CEtf4Vviu7aL2KEagY=,iv:1GCHrdi4y3VrHLRevaktRrVNMjjUE+4QcB654WHMo14=,tag:R5yA++Xm4E5SJWVh3578nQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:ni+9CKRVTxR01OurPmnwVe9p,iv:yktHHJ+REzu99nGvYK9K98Xn7bUSDMWVhvRD3CfQOAE=,tag:kxXaH5QhujRWffoqjGlsQg==,type:str]",
-						"ENC[AES256_GCM,data:WE/zIpw6p+j0dZQVqNrBWOhlZtVPiFECNeI=,iv:qJ3iIa2GMMVJoz/lcE7Q1HTNFVHvbOGlke35m4aNX9E=,tag:XSZ30MxyKLMcMNnqOY90JA==,type:str]"
+						"ENC[AES256_GCM,data:EuRxpcYvN+4VJsHolKg+ccas,iv:f83Id4Yw8t+LhzqPBuRpPK+SpHnYCeRjPd3zLWofidw=,tag:dAWn24YaUigxYHcEOy6qTQ==,type:str]",
+						"ENC[AES256_GCM,data:N6b+x2SPPxjkMCiiTLFlfR9pAf4uXPz02+4=,iv:SM1BXxlTV3gb/+JxLzx+WjaQGULbsACuniXxRXEkois=,tag:kJZ6fJdrNRn805K3q59u5g==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:GJ8aBLgx4w==,iv:XTcSCOFREW82Cn/ZQa+521SSpbg9liFXx+8ftMJnoig=,tag:HP9x+bt4jIZl2iLmmOPq4g==,type:str]",
-			"type": "ENC[AES256_GCM,data:SLzRFrs1+fBTxCtqlAX/4cTO/0RYHPSPE14SL5BvzZxZokSyfCJsKw==,iv:Kh42f8Q/OzBF7N6aZFusrksoeQK+NI7A+iuZFn0o7nk=,tag:UZHRFyRYTCY8VDvYbLd9rw==,type:str]",
-			"name": "ENC[AES256_GCM,data:5FEje1Q=,iv:VmfJ9ebRwEgO9eJHiCS9gsEwAW85nHa+7Tc67z9+ud4=,tag:X0SaEnuN2x0C+zhdyThlrg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:qpG+RA7LVwQZFx5DlLIH/u1PVEFaoaWnCMjAQgy/iFtb6w98JqEv1U07p9hWwZ9geA==,iv:a8Lvm9SnGjduePDZQ/jXphfLSqDMsvW5As+kJ/0hsU0=,tag:osT2FmJzj+BybShkg7LGtQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:286r+yp9Aw==,iv:moBeGBtkwpEi9MfrcpBaKck4Quuyk21JP/WyX29aVKg=,tag:fshsXuPDwh+KWp/vim8y0w==,type:str]",
+			"type": "ENC[AES256_GCM,data:00zhWiA8DZKc1orWjdo2bt2w6LnwqZC7MfsxAeqtUInku0i8a5TMuQ==,iv:lVUi/2q4KFkQpSbSXtGSNEBjT/E7KEyN7GpCuyavuvs=,tag:m90q3B2zC1/Ua0Kpc6fESA==,type:str]",
+			"name": "ENC[AES256_GCM,data:7csoTFw=,iv:PVcMbV0IMR4nNSlyKrAGhhvP+aHBBn7Ctk9dclJyX/c=,tag:Ay1xfiKcLLDF/HrfGX0aZg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:Uf0l9/JGmU+UoS2PZxZtB2VzXRvMJDhfst8hr/HIKY+VlE7tL3pYqoCgOJQYiauF/g==,iv:e5eRm3gXau1jLiBTh+avegiaMiXwWK5xs9HDSL3xKZ8=,tag:6cZGTtazGMpqCCtZLrvY8A==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:6g==,iv:UR3qPiQAGll+DLpPkVBjeUyRfZm4KFguMDKqNP4gVWE=,tag:P73gXtCcnoSG6IhZ92ob/g==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:jg==,iv:DIPnrRzOFp04gJMxQOQ7/FCrfrIAzQRYXaWLJZ5VO0U=,tag:aLHoaFchXLv5jz91IC5QVA==,type:float]",
 					"attributes": {
 						"allowed_roles": [
-							"ENC[AES256_GCM,data:BKmgZ6mUZdPK69rYOmzm,iv:WiEUJliR6AZfb/vzxDXIMUiMW84y3rt0FBQ1t6MqN9c=,tag:t4i1vEeEgA4bBW2/3m7pLg==,type:str]",
-							"ENC[AES256_GCM,data:sYhfNnoSmWKAzP4F7pbL,iv:7WJgp60TuJ38BXIiiMbp2rNi22+e5dVBDqfzqprFgUA=,tag:92QZys+Tb+/37OE5AUgpTg==,type:str]",
-							"ENC[AES256_GCM,data:Tij3BluRQ+9iWnoH,iv:iIN44ILtXk5IYB1NuVfp0VzA6uNjXUIjSnsPAjI/ESg=,tag:N92RGHil7nM0aCdeq2zUoA==,type:str]",
-							"ENC[AES256_GCM,data:1MWi5t69cxASdaePksgk,iv:h7JBEWDVjlsY2asrJQiwEDMx0b95pAvg7DVNc3BgEx8=,tag:pCwgkn/5IX5HXPK4HMCO3Q==,type:str]",
-							"ENC[AES256_GCM,data:u9DwwBNjvS/tO2oW,iv:SzT52EfpWl9Jp/emhpeJW/Ac0zFZWTXlriQQdMA08DU=,tag:nmpKUJdLzvO+UQnIYoJd7Q==,type:str]",
-							"ENC[AES256_GCM,data:mIbQWdoMPTHMWTZg3Q==,iv:Ydcsk4vgBLjHWnl4uJYkJ+JlEaMG9Vg+PnobQu4EtYs=,tag:vWqbvGFVbDyo+v6Vm91SZg==,type:str]",
-							"ENC[AES256_GCM,data:isQfXoPYJ5WZUS4n9QOMmg==,iv:Y8HYoYYFBCSX0oM/9/i0ZRNDHDE2k9QNl90xqL68MuQ=,tag:x1PXvhTCk2EEXT3IGlv5ug==,type:str]",
-							"ENC[AES256_GCM,data:ec21eSgWK8Xz8V+bXg==,iv:l2Xy/cYhFdS8PRagEM/id86D57TSPBbpzVpdVWKm5f0=,tag:1pWzA1T9H/AFOVNXJxKPNA==,type:str]"
+							"ENC[AES256_GCM,data:2r3ZA6b636KIo0DXwE98,iv:Md12lOQPkoHtpjCyTe90bLedIuGq3smpnIFEzu6NK/Y=,tag:Vxt2UJR8tWrX6CVKfwt54w==,type:str]",
+							"ENC[AES256_GCM,data:RTsKvU5FSbXfMjL2QSkj,iv:xP6F4rtQpi+EWrGMBUqPnnqHuhYuCHpEwS9xNEl4g1w=,tag:Wx77tK1ebN9nnzZG2jOKDQ==,type:str]",
+							"ENC[AES256_GCM,data:VbpvWWGn6c7pM5KB,iv:V3MQYdz3JmBmUiM2IICOkxSHyNRhKY0CofbW1e3ip58=,tag:KMRKnu4C5hVlzlKPClr7TQ==,type:str]",
+							"ENC[AES256_GCM,data:ipNAkcD+u5SshQSlGjKb,iv:Uk0xD/lQz/wECJuqe6/nIwVQjemKtPh43u0aH7VO+TY=,tag:KgNd9X0rd6Lsn04ZyanN/w==,type:str]",
+							"ENC[AES256_GCM,data:EWvuHzpM+g5kGKb4,iv:Z4OnIeYnTDJguvGCEIvcv7KXD0VrrslQDHw1a+Ta2gM=,tag:WrOSKt0YMY4V3f5CRK7r1Q==,type:str]",
+							"ENC[AES256_GCM,data:RzBYGCyflfFCXRbcQg==,iv:DjHsQNdabj1CrhQBnEiP0QkWBE+SvJuwKpoPMHSsk6g=,tag:G6pjXzfzrXBboPFyngbNAw==,type:str]",
+							"ENC[AES256_GCM,data:zurd4KXqWT5ZBg3ItigW8A==,iv:urVbnW3XQsnV+D1h6JyhQ8K3aPMa0qdX1OmQaONe5kI=,tag:kWFIo76V25uqjX76bT1nUA==,type:str]",
+							"ENC[AES256_GCM,data:pygFsHwTczWbS7Gg6g==,iv:vdLlES5kfTOKEGGJqlLY5MIKtpdmEmDw/F0SkOo2h4M=,tag:tBB4FfkBI1s2kEJ2ig5WkQ==,type:str]"
 						],
-						"backend": "ENC[AES256_GCM,data:JOb4YDjoLhE=,iv:OJMwqIonoWlsQLDj9xWk/A8o6G9913gZj45N+HAuIPw=,tag:9mOXBnsWNJQ/QMXDvUbsYg==,type:str]",
+						"backend": "ENC[AES256_GCM,data:iTtGWeEaz1w=,iv:lrNpRf85g+peDPnRucAAf+nqhBlofaX67vmPQOssE/Y=,tag:Q9VO5P3SSvJxIhnW4yBo4Q==,type:str]",
 						"cassandra": [],
 						"couchbase": [],
 						"data": {},
 						"disable_automated_rotation": null,
 						"elasticsearch": [],
 						"hana": [],
-						"id": "ENC[AES256_GCM,data:YtA1YsJXCoDpG3a4+AA7WUINv7MA,iv:JxVoI+kovLrM1aKMS7v8rVPFQO4TMz5tyGMH4ma7rfE=,tag:JNqYKxUV8mSr6zsf+FQqaQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:k14G/O55aff8gk9A7CaylKULd7vW,iv:A0ORlUvR2xCTbXZnpY0APbTpaf14sAIVYhkIWrXssFM=,tag:UhMZBdt1ougVDa85Uzb4lQ==,type:str]",
 						"influxdb": [],
 						"mongodb": [],
 						"mongodbatlas": [],
@@ -1251,25 +1251,25 @@
 						"mysql": [
 							{
 								"auth_type": "",
-								"connection_url": "ENC[AES256_GCM,data:PmHyA32GFKrfvRHN35j+g2ARcdbBKNAZg5AMzGqpNy0w6+ewE3fsiM0SPrPuD4iOKj/CzySmCxSXTb4IktXQTKDA,iv:uV1Vanw6TMfUTox6QvaWz0e+8WjNMhw2GXl1GR/gqh4=,tag:lLyYih/rSpF2oF0y/rr4nw==,type:str]",
-								"max_connection_lifetime": "ENC[AES256_GCM,data:Bw==,iv:0R+jTrirFkFno9NLq+6HwESpgf8rx8QaP4kv9Ygu3YI=,tag:VPh/RLy0/E/hmGfH+o0gfg==,type:float]",
-								"max_idle_connections": "ENC[AES256_GCM,data:kg==,iv:CnmkPVQptNAf2gcIO00ri650WRKuKcKVb2s7Z4otuyI=,tag:LMvrd8TWV0VTi4Hbf/3rJw==,type:float]",
-								"max_open_connections": "ENC[AES256_GCM,data:4Q==,iv:DiCJOaDBvtD3iT2+blsAObRhr4JWiIHf+yrqi6hRq9c=,tag:tmmdMElR9b6qJopfKWi5Jg==,type:float]",
-								"password": "ENC[AES256_GCM,data:EkFRtReJuZ/X/OYrI1k2tqKX7pnHuWO4qx6gFQ==,iv:I/aEH2I7uwLziaaPHbOMv+B2om+Ed2CTw/+Z2I4zbBc=,tag:P0UCDdJMQ0NiFZOzF/05LA==,type:str]",
+								"connection_url": "ENC[AES256_GCM,data:O7DanBiPO1N3DDBCfoaNhz8iTLPab/F2c3bopkQrjt+O4H9A1w/0cJ9FFDklEKeCYG0gSvXXKeRFxWbQds74b0/V,iv:53LgUyOyxjJ/kTmQWvmcrF8hWAJl0E1HGUd285AO+QA=,tag:T4kmhIZ3cLGC3zINFPaSqA==,type:str]",
+								"max_connection_lifetime": "ENC[AES256_GCM,data:MA==,iv:h/4rRUSq98obTQo+QO1FONu2Dc4XvVVAm/jv3nYbWHM=,tag:yKse8pI9uz8NlP4k7GXK3w==,type:float]",
+								"max_idle_connections": "ENC[AES256_GCM,data:ZA==,iv:ObZXLjlU2ItQsu1dNWOsy5o1JU5Cs1P/zGNcYWXkCOA=,tag:eJ1+PbDxVx5lD5Lq9tPqwQ==,type:float]",
+								"max_open_connections": "ENC[AES256_GCM,data:9w==,iv:CB6byh1fpHir+daZOvcn9lgyaP8+Qpyfq2PGxac1Fsc=,tag:8g/pMolDAGgMhVeP1Wuahg==,type:float]",
+								"password": "ENC[AES256_GCM,data:Sftqx5USEXJrSi7JA6z+4Gi8zOvvxhapO9VsJQ==,iv:R63A1yvS1OsMfmu9GKJc299S79iWFMqb1WJykpCAcjs=,tag:0/mWtW2qkR4C80v/p2IIlg==,type:str]",
 								"service_account_json": "",
 								"tls_ca": "",
 								"tls_certificate_key": "",
-								"username": "ENC[AES256_GCM,data:f8sQsQ==,iv:Fz8lDM/0S0q4nNN4r25sMfARXQEU/cCMYFsqAlGbOxw=,tag:SYy9CJAs0ADJm6DlrHz11w==,type:str]",
+								"username": "ENC[AES256_GCM,data:I6nnNg==,iv:+3bpDaZ7mAJIEdZ1nBqZOCILNUQ5X4JXlG/VXD614Mo=,tag:JyE6p+Hy8CBXjc+sP6yvbQ==,type:str]",
 								"username_template": ""
 							}
 						],
 						"mysql_aurora": [],
 						"mysql_legacy": [],
 						"mysql_rds": [],
-						"name": "ENC[AES256_GCM,data:Z5JVUIE=,iv:/y95WxuZr/WscD2fS0UFA2DfwHMyDHZPDWdiEVYd3QU=,tag:VVDrxyt3D9OTuXh616Wi/g==,type:str]",
+						"name": "ENC[AES256_GCM,data:NZRaqm0=,iv:U72YbWtbgRthAqPJTRP1Vi1b5Qh/xEtBinMFcZlegSk=,tag:yR0Lg+r/azD1miyxr10jOQ==,type:str]",
 						"namespace": null,
 						"oracle": [],
-						"plugin_name": "ENC[AES256_GCM,data:0YRV0HKNQF93bZh+upSGr2v3/VF4,iv:m1M4DHvzqgFe+UGQzNSQHqOhZFaLNA2vq6jdW3UMOa8=,tag:dzgj+9BzRg0DemvCv+ALaQ==,type:str]",
+						"plugin_name": "ENC[AES256_GCM,data:eTkiMebihgTrIXPABOHUxkj2G5rB,iv:c2boqIiUFYZ20cC3dmdmLuMv/V86Su1X4ZUd1dd3LQw=,tag:ZBM3qZ1TalzKDnaIfowLFw==,type:str]",
 						"postgresql": [],
 						"redis": [],
 						"redis_elasticache": [],
@@ -1279,108 +1279,109 @@
 						"rotation_schedule": null,
 						"rotation_window": null,
 						"snowflake": [],
-						"verify_connection": "ENC[AES256_GCM,data:QDWp5w==,iv:gykcReVhCLAXsAZVDITPMOr8I3F7sUd25OPQCtlcx8w=,tag:doj8pCG0JMPzyzmcK6B7Bg==,type:bool]"
+						"verify_connection": "ENC[AES256_GCM,data:Us78Og==,iv:961/4+rlSv5DWj2ILzcO+EreMcJFEIVKq3LkVVhJFPk=,tag:9pX2mewiQJ670egtNwD5SA==,type:bool]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:e0T57DwZ1jI=,iv:wVzjbJnJietryJ87dlt0tiIb1KJbCMpeKH8mJNX0d80=,tag:3n3AihUjHIb3SOZc2PlIxQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:9gMs30M=,iv:dDC172lRBP08NqnqmaqZCM1NeTz1Ie2sOp63yBghULM=,tag:PPsUT68gznv34F2YlIx8Jg==,type:str]"
+								"type": "ENC[AES256_GCM,data:D0IuD0SMYrk=,iv:/+YYzJgf3gqyR60mCN/Shctb6gTCIvzZpNpLVZKjDrk=,tag:yt1/3k42RAH7QxKle2OVUA==,type:str]",
+								"value": "ENC[AES256_GCM,data:B6I5rII=,iv:X/5DOJtkqHtVkKq6GjBG8tLLlWzCgFYHEgbwWmtXxxI=,tag:rx3mqvVo6ZK6GxNAM6n7Qw==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:6Wpuc2Y=,iv:7TFI3b+ba2i7wZXpV3VZ+d98yJembXdzffW0vdcCRN8=,tag:voj1LQZk6z/O3TaFiQmh1Q==,type:str]",
+								"type": "ENC[AES256_GCM,data:InHJaWs=,iv:vqEAbtcoCNFMMkGtbHO2exFUVTLxespL96zftoxtLmc=,tag:Bl6nEpw7z9p12LEq/ByDIw==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:Fw==,iv:JhCmlUBAWUt0mDLTjH9su0+R/1bpL8bU/cqQs9FyVqQ=,tag:kcmjCxVIXtlrIIG37XmDLg==,type:float]",
-									"type": "ENC[AES256_GCM,data:tWvLz1+D,iv:JscEpc5CYke9l68NYHAgnNKoMcphjvEhTOgck2AQIQ0=,tag:XWu5QVwuj0+6sQ2s2LviUQ==,type:str]"
+									"value": "ENC[AES256_GCM,data:XA==,iv:z5a8n+B6ZydRk4maqAbEc/euFVbITswsBwu+CsH3Hi4=,tag:y2V53Cjt2+t1bJD/pcBG9Q==,type:float]",
+									"type": "ENC[AES256_GCM,data:xl1n83b+,iv:xHgMNaWBF68RqzvrybhW+/eG4mI9wGHB/La8xiQCDwQ=,tag:N7CotwMtIcU4UaajJqZZjA==,type:str]"
 								}
 							},
 							{
-								"type": "ENC[AES256_GCM,data:cSvyF5j+RCY=,iv:ypjK8Vwu/gTLQuExaGiEkQP/R/c4NUuebze75BBSjT4=,tag:J503gRUa3NigJLBxIG9pVg==,type:str]",
-								"value": "ENC[AES256_GCM,data:VdKm2KvpRnY=,iv:eLgFrT5mn0WNyKpsrsQcPHp4c80xW+cj+6OrSYmyQRs=,tag:OxoFNDDZevrCXP5Keu+rvQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:H5mTqLZ6EUY=,iv:OJ+kC2CvgRXStlpVwshI3xeiczR5xVN2WdAFmYfMO5A=,tag:wB3HCNJeymaoSdjYkq7zbw==,type:str]",
+								"value": "ENC[AES256_GCM,data:9dcbRiJ7TYU=,iv:cv/BVPJFUPncSF/vcdN7H9ZSn05agNi5PoUKps8LhH0=,tag:qIB6SztMsPnEdvu4rftXaw==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:J6QLS0oPWuw=,iv:H1v21YoCn1YN9FTXOZOwq58I2rf1MgU+Z+KSjjEREXM=,tag:Y1cSva71MI7hXtmnIZ6tqg==,type:str]",
-								"value": "ENC[AES256_GCM,data:EkeurXM=,iv:1jCAAeXFkwPG4JbFTTEGCmVajoPQIaESVVE1+Tm5Akk=,tag:sWdy27JskCdsnJxX5OeTIA==,type:str]"
+								"type": "ENC[AES256_GCM,data:/F8heHHSo7c=,iv:JgkhQQaMA7wPkF5MvIpsHyKfBuXQ6e3E63OZsKbCLE4=,tag:EhnU49U5QRCiA6Q1aCfebg==,type:str]",
+								"value": "ENC[AES256_GCM,data:5Dd8vcE=,iv:hrACK6K+d83t7FNOh9JIOi1nsT9Y2INmgQ//2PX8PQ0=,tag:CjewOPZ4/jLIfEmEhLt+dA==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:CA1yYaw=,iv:dtW+nv4R7Gi6pbCqQ8ptu2UKHK0smhdcplQGScoF0GM=,tag:q0BEUIvRitIcOINA7YD4eQ==,type:str]",
+								"type": "ENC[AES256_GCM,data:6O7xZMw=,iv:Wng+OaaE7wFS/vXYb5xGy9d5Rs4oUbbeJ/e5drr4nSQ=,tag:85vVePfdsoufNQBUmE/0XQ==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:fQ==,iv:hgtnscmLfx4KflcIYodpYjzFSwxA2wARH2OymQr0mxw=,tag:ryFPQ1MsfBPD3YtiA50qRA==,type:float]",
-									"type": "ENC[AES256_GCM,data:0+WvNH//,iv:rSF09st16dUukkIvkwhN1lhzf9PD7kqfbyVqkgTKQYw=,tag:3weiglvYDLWjqzVxHVSo9w==,type:str]"
+									"value": "ENC[AES256_GCM,data:jQ==,iv:dejIL8EdAwAWj1PP6AH8Q/RYp1MXns26NlzFfbgy2bU=,tag:1ALl9lDcIFRh4JOCljIpEQ==,type:float]",
+									"type": "ENC[AES256_GCM,data:QRTi+Jqf,iv:lgaJ4QY2N92sbwqo40uqLnOwK3IG0ry1ajXv//K6S0I=,tag:6HPZZNmt3HbWQFrPmH0pOw==,type:str]"
 								}
 							},
 							{
-								"type": "ENC[AES256_GCM,data:847hvnIwY2g=,iv:Pf8bRwJdfT2tte7l+E1Hrz3G/jTs0m8gDW/W9wwwUuc=,tag:M2XijudPOn5XjTSJaVkbkw==,type:str]",
-								"value": "ENC[AES256_GCM,data:VyW4Kel7r5iagfLF8F5RHTcHY6E=,iv:k92WcVNdfXZJVtf8sgYhhMItb5meMfPx3zPZLjjaEXc=,tag:poECPKppZZmh3u8KVIaB/g==,type:str]"
+								"type": "ENC[AES256_GCM,data:+VrGsD31tDU=,iv:wtduzj6hfdrkR09SbPpanMjwooFljUihcj1OqE3sE8Q=,tag:syrIKoDflVX/wzp6+TUi1Q==,type:str]",
+								"value": "ENC[AES256_GCM,data:52jmuF3T5Hb+72z2/qXv6XjUTYM=,iv:SYxlknNrsYFQe/3fBZ1q7fGWWCFGq0gr7iyry9D6LK0=,tag:AyS88bGSN2C3iK+dh/+TwQ==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:A6Gd5eVeojM=,iv:XMbXaq50hDdHnVYXReWskmHtj9egBxvivmXA7SKLYE4=,tag:6hhflm+An6eIoZhA+Gt1ZQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:nUDW4RA=,iv:g59XoxMrlQS7ssBw4DT5I1GFXnWVpxoWXSLkABuZ0Dw=,tag:5Gmaommu4UmKNnPaGhsy3g==,type:str]"
+								"type": "ENC[AES256_GCM,data:bLtVCKZlUmQ=,iv:umz7q7e7wEpkhuyrQHMx6iMguXp923ajVuOnFlsBtow=,tag:V84U1G0UGKhMYl8AebfbuA==,type:str]",
+								"value": "ENC[AES256_GCM,data:Rfnhj/4=,iv:I9uxHHogv+e+GSPB3uIcoRc4eJ6oU8P9ubLBLaAAvTI=,tag:0Z70dC5L/vpjoZsy2OnMtA==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:TJIsBRQ=,iv:dsdMqKp2MIo6rO5tUlYfaDef+sesjZ/aLoH+JDSEqWo=,tag:DjnjCzGuvxCRnZXSvEFGIA==,type:str]",
+								"type": "ENC[AES256_GCM,data:2VH7tEc=,iv:O9DK0DSN4AH/hNwR3ZvhRz8b9dTll/5E5SejiR+ezU8=,tag:dVX/rcp/ceizJCuXDJZS3A==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:Zw==,iv:2N6d7t0AXU46756r5dGI9TYlBAZYsv+7R+oC7lWVlnA=,tag:J5enPAMJIrGwB5n0LThAgA==,type:float]",
-									"type": "ENC[AES256_GCM,data:oEfDp/8A,iv:e2HFGuvai4oyevh8PNOplcidFs18C1z38t6vzxg+nrs=,tag:ZsFeOMwJCewKOCA64lYOUA==,type:str]"
+									"value": "ENC[AES256_GCM,data:cw==,iv:hw3xUQhv1IdSJxHPbLVklU258FrWgrZfPArNvE1N9pw=,tag:C6frpa+89/IEPJfEU2x8+w==,type:float]",
+									"type": "ENC[AES256_GCM,data:ihg2kDIu,iv:unM4GTPZmiFqovux5dodHGcf0eeQtc87wgwrWRz235c=,tag:OapJI/hTU4JqEehJfkoHqg==,type:str]"
 								}
 							},
 							{
-								"type": "ENC[AES256_GCM,data:Zpo4hjwIEkw=,iv:rsju+hRZP5v5tJHgF6mes/UUv50CKY7RUVr5CyCdDW4=,tag:yEic6sa8uAUGUPtRJD5TFQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:2cxm56SOsrCQKKCz8patOdXscw==,iv:SV7562anDpegcsEOv7S1RQaoJPly7cQlNkd2WdlehhA=,tag:6UIaBoRx5cI2PEpPpQGlcQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:vNFq7zWfJr4=,iv:5iiVNHSaylX/mjktA3SrS0b5t1TBuXXwVvXrSV+xWUU=,tag:f47EQaxjeUdKb7HiR7kGPQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:BWojqs92FjyGNbkU1+65zZREOA==,iv:in4tlGsz6hGn2sQCW780yrB/YFh4jVMOPbB54tgkGO8=,tag:7GwgI6Q0+gVbllDSz9GsaQ==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:aw==,iv:mcd+K8Bnb7JZ/12Dn/stKRr7lGwOy6FGSOageOVF+8Y=,tag:4GwGS1pbU1vpxIYeDdow9Q==,type:float]",
-					"private": "ENC[AES256_GCM,data:usQUwsTajRk=,iv:kr4lpTFIi/Y7P8O4AiEr/GnRxKH+kOnIexuXjJmbpjc=,tag:RkfAslj0Uu6S+jYK2qCbhg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Hw==,iv:oz4fPXOPsc367AGYw+A0JYFBQKaPsKh8wm1ogO+0Bo0=,tag:v4arWc8EwsUMQqRIqIefpg==,type:float]",
+					"private": "ENC[AES256_GCM,data:8jolQZhgii4=,iv:jTVLBM8NKzqpmsYJf83MOvdNFfZ8krrXAGhQ+lkqU3Y=,tag:inCX9xhdmDnwiSclUVVvSQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:sEGkWZVXMBQzRY1nm21YkeMb60cm9q5vOhlZeHc=,iv:1xxtgsaMKWN/eFfyBCaKKnWcAFVWnRyQ+2IEnc+W788=,tag:PUX5GisbLVKv8/u3lGJrqw==,type:str]",
-						"ENC[AES256_GCM,data:YEuSCTfnqUPzl8heg7Ft2bhQ,iv:hsUQ3wp1zl0XqyEpETtIopAsJIrbbtxfAkUZ7vDTbw0=,tag:M4EqxTByr7chu2RlSyDYqg==,type:str]",
-						"ENC[AES256_GCM,data:hMhExF0p7wrPMV5sEaQ1+JJAeSYVlJPitcA=,iv:I0zu2eJOSZHtbh72cqwIFROoCz+Rm/FuOOQ9uUE6J/U=,tag:AeQ5hmebEydjZkcgHErayg==,type:str]",
-						"ENC[AES256_GCM,data:3R3rxsJtbtyz7Gaj9BfP4uWXMUg=,iv:PH1SXgd9A6dHpGmTwzFd61cKyQocij8GEqb6HaFfQEU=,tag:S46f5vso+EbZU0DLM1vhBQ==,type:str]"
+						"ENC[AES256_GCM,data:asODBtI2caE0avWjPs6Y1oQ/j5hjePI+mv/SYOA=,iv:994RG1nSyGEW9soxDXzFY2vE//IWnWfwAk5Pa1LmriM=,tag:wDrNSPiM744X8+Zw9W0GWw==,type:str]",
+						"ENC[AES256_GCM,data:Y3Fh3O3MPzeW7k9FCwFCHyNE,iv:RnEcWTbI/M22+IGA13yTiTKtZrhvCNwXLmhfiQc2+zg=,tag:Rr0iYBxiFqQ/xHbvzFwTrQ==,type:str]",
+						"ENC[AES256_GCM,data:cj7n75eOQ7+QxsNw4Y5WS/gswppsUqoy51Q=,iv:PMEo3GMJB3mUIdpjAfcSBvUGvIWPAMIxZOHd0D+Wqtw=,tag:NqCk3GWl5uUjnECBNcGR1g==,type:str]",
+						"ENC[AES256_GCM,data:9eq0c40yG9tUJIppJil+YmQIzRo=,iv:GClx50vsg9AVB+XJ1diZcO2w7U3VuaaRX/SM+z9yaow=,tag:+O26DU5xl8o8ncbT5ZBuBQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:1a8fKYINOg==,iv:C4+bB5WcYIusCfOpOlUZHz9ni9q2mGOPHTm31rQ2pHs=,tag:EQ1v56BNxLP+kkraOWjjSg==,type:str]",
-			"type": "ENC[AES256_GCM,data:sd4CLJnl2d8Ogo3mjsP+5zF9QzTO6kZ+XcVON8hc2rS9yvtUXYsCYg==,iv:8n2w7rfjG1nioj+rZwLkUVdqVNK2NnUZmbbKqHvwQAM=,tag:06kVTJx6yVzu1mLOjA8cOQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:4vyTzxrNqJlvWA==,iv:DL7OkuCKScyJbiZSePZ+xc5k0YKkI2FyOHxzdxK0qoI=,tag:p40oUWqZN/tm9E5Ju6wcVA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:DfZJ3Q9yUsFxnk5JWFElIq9w8/kccKPQawb+siePFkf5ZJ9sqlnJ/W78oGa5ydbsJQ==,iv:M9s28Iz/I9x19c3626K5Yz2/8S7mHWAjg+nbH+0bYeI=,tag:T/zpVa4tJFa2T5zub7DYbQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:g9AbXBIhyQ==,iv:yg5DVBEpZD2+HG0lAtpWYAdOv2cKzkBLL5rcwNxzuJA=,tag:/1RDgAAwA2ad/GJSGzmAwQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:pJf12BSnTWRTYpXRUzV2osi4K84AWO3e3KsJfzk4Cd+3TQCWf5iHYA==,iv:s0ud2skPirpdqgqjg6jTV2FuyUKqYrGR7FjUgD05sro=,tag:5S8ocj+zBTU83XvNcLHhbQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:ot7Pey7ZGJreVQ==,iv:HMzqbHYyfhgUllZ0dH5XF33b/1+uQRn498mBrHpnasY=,tag:02/e59cyIIqp5yvlR7DQYg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:tf5hLwAVn+xI7xHqVUsOscuO8nHtqpRcrmVaOhhScyPeifXZlixmCEw/SKDkLnxrrw==,iv:ySnpFZBEPpH2p/Xs+SXFJBOxRwtIVuaoZfMRbmvYIME=,tag:2HMHycVSL4M3XRoci/CCfg==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:CA==,iv:fP4l3GHla0n+R0tZrgrlvTuAj+uf/FNAVYY/6LOZ1a0=,tag:Hxd0ytWL+c4JIVa8J0TVCg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:qw==,iv:8QnTAXIUbdVYnRfFFZBPlIbg85rtkqaqptR0f6ECopE=,tag:OgB6IRULpDy6Vqxp6xZEHA==,type:float]",
 					"attributes": {
 						"allowed_roles": [
-							"ENC[AES256_GCM,data:svpEgxbpIvICkQ==,iv:hXixZqOdlnB44SpSvvnS594mkIYTSmbAp8P/4daeoBk=,tag:2CdTVSGVV43u7EYbVyWNYQ==,type:str]",
-							"ENC[AES256_GCM,data:pnIInuPWZuxN,iv:22iRxMDK6gK8QiKoKK9ku/DA6MrsjIi/u/25NHJ1CYc=,tag:6AoGsFbphsoP3eFE5SjK6Q==,type:str]",
-							"ENC[AES256_GCM,data:51AinQ1PIAnsrNybog==,iv:rrzyrO+7OffbBNP0n6uddpU4b3eDndTniEK4OVhWOUU=,tag:0sps77ekli9P0RJrPrBihA==,type:str]",
-							"ENC[AES256_GCM,data:5kcioFKH5Zwh,iv:tklIm4PE5bOFBCh+SLI1ieKZJqNBDGsq3UP+uu5T9kM=,tag:k8h2MjkAe+7C4eIVdOD3zA==,type:str]",
-							"ENC[AES256_GCM,data:BhGyygRwhLeDk91t2A==,iv:pzRS27WJbNIKUytq3x2OaU9g/j1oAp+KnIxrOSUot+A=,tag:dxCzd2tjl3nlKIQsBAtvxA==,type:str]",
-							"ENC[AES256_GCM,data:sxCwgkwQB85uv4f56s2JcQ==,iv:cjG1Lb5J1/CyVtITQZlf05ToRyR9OgnYI5n0EEoiX9o=,tag:h4hd1qG2lLv7IrzK1gqZYA==,type:str]",
-							"ENC[AES256_GCM,data:YZgqcUFvsDR47ZCUxqkU2Zbb,iv:lJhZQ1sLFIc4cKgqu0iNZCs4RAaHaG8YAqhyeI66NXQ=,tag:Br7RySLtHuOInUXd3VR49g==,type:str]",
-							"ENC[AES256_GCM,data:WgGo4NI5I6iXAKcJL+r8z+M=,iv:Qq6phDKDG1NJpzbkx1f8T3G7uX+ranfVhFZuiZpIo3E=,tag:uZ/hieTN0YlOT0n8e8NYHg==,type:str]",
-							"ENC[AES256_GCM,data:mnIkAbr9Mmu8Y/KLfg==,iv:2b18n//2YNN7tKwodHcLWConJBocqPvJ6uR0d2CXjuI=,tag:5hhzmgSqE9HWczs2zTXwHQ==,type:str]",
-							"ENC[AES256_GCM,data:esrCWW8FDZif80eJvZaaHvVLwg==,iv:vzg9Ui1cQ2nIH4m8fbegXUAmsrJEoadEYw0wXwo+uQc=,tag:wsenntHmza19vfGjD8OkrQ==,type:str]",
-							"ENC[AES256_GCM,data:yOoukG3UYk8qDwOOubGm,iv:XvoQ20R4t/N90mX8+fR9xggTCGoHKA/8FGlhsYY06Uo=,tag:BwaiHaYDjas0mhe79btvHg==,type:str]",
-							"ENC[AES256_GCM,data:pimj5mloMNHB,iv:bWIHd2cPRG/pAi8CL2h1LJXCaplQD4Ud85hc4EB4zgE=,tag:jmc/KCeCisF57/m8M9BpPg==,type:str]",
-							"ENC[AES256_GCM,data:W8l+dvjFTO6Ir6uKTD9wJJ4V1Q==,iv:OoEUyiSk7z0vw/NKoNpxjj6le+OBDWFdvni+scqrgtA=,tag:U1HpzSZH4+r2/Ef9JQr2Qw==,type:str]",
-							"ENC[AES256_GCM,data:fxItIFgKqK9KUWqjYm8ztrC0PunU1Q==,iv:DmnCeXmL/bNOumjXXO+eecQGwW6ESvOCGEkY+MXaLWE=,tag:lts21VgPHxCH0fR+f/nYlQ==,type:str]",
-							"ENC[AES256_GCM,data:pJ+LkzXQFnps,iv:lMBqcLHOHyk6PKf7vvtNeuluNbV4/lt7j1vj4QzHAnk=,tag:n1IWWV0NPBx8V1uZqSc62w==,type:str]",
-							"ENC[AES256_GCM,data:KhZaLtMCY5Rz69KA/p5FXpUN,iv:4dX9PwaiY/0tzjg3IldbRfTArRouiHJ1MAgJnS5P+q0=,tag:gYorOp//gwNod8LlKJiBog==,type:str]",
-							"ENC[AES256_GCM,data:9Rro2PwqMoPDEHJLpg==,iv:bSJEJ4oOW7Nbnl/fbk4JctmZmuOC1odiRAP0cQ4rMkE=,tag:t4TRKSSr5LEOuNY4haa90Q==,type:str]"
+							"ENC[AES256_GCM,data:288j9cZRARWqJg==,iv:YQqwMiuVavuqgGqr8lodj39TlaUqy6Hn68IvU7t3ztU=,tag:sIO9MRXRQdkIlRXM/Ycm2A==,type:str]",
+							"ENC[AES256_GCM,data:zz/KQUvNbKKj,iv:466gH2EpZ47DYYebG08sHghj7JS7sGBTqQiYghUK1xs=,tag:iClSfR1OgdLeZEzFs4pNIw==,type:str]",
+							"ENC[AES256_GCM,data:YxijRUhbsFehiVfZ5A==,iv:zNSCDd706asoQYKGP/7Z/NOISCC538HaPEGYC3Xb8pE=,tag:UJB22CybjnjkPR0CH0F8IQ==,type:str]",
+							"ENC[AES256_GCM,data:5sCCferO+i7I,iv:N/06qch7k1I33WYYut6GQi6DsPxC8Im2kXfddIhNnwY=,tag:p89389/8ZwS2JTOtFoDj3w==,type:str]",
+							"ENC[AES256_GCM,data:+UM2oXP/ZybVA+rYjw==,iv:QQPLCYFXE3G9qdPyVWUSVw1haYG51ddIdJYFFnrP1ls=,tag:03PuLAUrubo77pa7pWnZgQ==,type:str]",
+							"ENC[AES256_GCM,data:BuTrznbPzSQ5uolnWffHcg==,iv:jdFGsfQZT00Xe4BeZw1MYVZ71m7IHNSdybUAKqtTTVc=,tag:OiUWzKmh38fesm57/eWR+g==,type:str]",
+							"ENC[AES256_GCM,data:HPDvG3d8vrCKWXU8ZsJN2rkm,iv:cMWYgqfut8xvI1YBCPYkdvmp0B7yQgj2iPYjYGZp/60=,tag:1RW5D6FAzRxWVJD6ultaqQ==,type:str]",
+							"ENC[AES256_GCM,data:4/sPvX0fNe6kz5xQ0p4CSYI=,iv:ThmWDEet1iH4I7Q20J0o8rVtaMOCwqYNsHLBa4RBm4E=,tag:DY69vvKTibGVabuYx1q0+A==,type:str]",
+							"ENC[AES256_GCM,data:3035rhC5t5ftbvsOLQ==,iv:g+GsNxk9DW8qT+2Yp3rSMJHX2X6WnfIqTQ7gT++/AhE=,tag:xqNwO0kTBFbWn8YFAJHPdg==,type:str]",
+							"ENC[AES256_GCM,data:Rgt/WIIq1Ii+ILzm7kOCgqpPIA==,iv:n/d3fNwaj6c4fcS6tlNF7O1A+AdWPgs4HmrHc8uQYZE=,tag:3GsfNGtCuPBjYz/6dYR2hA==,type:str]",
+							"ENC[AES256_GCM,data:zhayMT+9hkIHAGntDGfv,iv:k3lcuks2S/EQoJnCiMkOnEEm0G6dwrbCin/GxHrmDA8=,tag:nax6xKe5MEcpVVKDvQVZ8g==,type:str]",
+							"ENC[AES256_GCM,data:Fwnt/tBV4VEK,iv:WCMX6SBSNrlbJd7nf0hpY7lGichQVzhRt0cE5XoXHrQ=,tag:G5/+Sh5eLhMkW02ISb9jzg==,type:str]",
+							"ENC[AES256_GCM,data:dcinSQ0ccQMTjI5u8eOZn6Mxeg==,iv:WssxwpjU3JEKTmf9Pjzmz6ELEPYm3+RBf8oCDKonCpM=,tag:79xUnlflqV9TPk/wTPwMbA==,type:str]",
+							"ENC[AES256_GCM,data:YJ9Ue96LQOAL0CibTWQ+gbsVdr+LBw==,iv:S1gXt7gB2ml8efDge70Yi7hqTReGzXDrh9OKN4H/Zv0=,tag:0wm7MFdy5qeL7bEYoT/YTw==,type:str]",
+							"ENC[AES256_GCM,data:PadEkF/yiUmJ,iv:27LxIky8WR5AIcvdIuChWFgNiztPTQibU2387o4CFeE=,tag:mcaNmX20TS7k7mVsaGK6Fg==,type:str]",
+							"ENC[AES256_GCM,data:E7Sr+Lo1+CU3v4K5KfcTfzwl,iv:kkotRmWhhjZJgH3CYnef+g+8p1bbXe4PK3RKQQI6yhE=,tag:TDXEvo+UYiWUS8r0jstOXw==,type:str]",
+							"ENC[AES256_GCM,data:fSuxR+0flENmuCNM7w==,iv:DmTAZLLghz8If5Uk0ci4Aai6+nWXXOdAl67Lj/X7IIU=,tag:YWcn0AyFKBUkt+8tYqbvLA==,type:str]",
+							"ENC[AES256_GCM,data:xjIxnom07/K7KlFQKav6Ifk=,iv:q6i5zVFf3BqYUld4CdegcLNwiiTQaN3mGQzgDWCuJjs=,tag:tP7LQx5JcJViftreq1miCw==,type:str]"
 						],
-						"backend": "ENC[AES256_GCM,data:DuI+AYSCivo=,iv:As5W+hin85LgySRR72LY6QYNrFLljqsHf0tja0nd6bY=,tag:5mh1SnillA9SocCBt8YXvA==,type:str]",
+						"backend": "ENC[AES256_GCM,data:HUo7vHJoPEg=,iv:m/tZN43YyIMmz684k4r54NdyL1ULfXHXoozbrIsTqbQ=,tag:HI88uIuZA8jaixjX050giA==,type:str]",
 						"cassandra": [],
 						"couchbase": [],
 						"data": {},
 						"disable_automated_rotation": null,
 						"elasticsearch": [],
 						"hana": [],
-						"id": "ENC[AES256_GCM,data:l4dio8M7k9geSq/gYx8RNS9xxkuwMpqiTC0=,iv:Y3mx+/DMcORm68tD+VdN4CTEiklZKnCFgOol293NSNI=,tag:dBNBJwjcfDcPRfQRUqbMZQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:A/3RORHnJigXQmkwVpgIvIYpjG0ITYq43UU=,iv:SDrvPDBFBzpi0UsF8I+aH53hmdAdG5zcl/w614xNv+g=,tag:qZz2bgGm48ST7YzeECSKLA==,type:str]",
 						"influxdb": [],
 						"mongodb": [],
 						"mongodbatlas": [],
@@ -1389,26 +1390,26 @@
 						"mysql_aurora": [],
 						"mysql_legacy": [],
 						"mysql_rds": [],
-						"name": "ENC[AES256_GCM,data:6Rh8RA5gI2JnJQ==,iv:KouItc3VDVjBV2d95Uil0XtCkD0bvz7atIoAGQ/KfnA=,tag:QEkb0M41Zku384E+JT4crg==,type:str]",
+						"name": "ENC[AES256_GCM,data:ylVKkjkxduuu7g==,iv:N0AzgCbiQo3XTJ3z5472MaSwiNjoee3TcavvlFNYU3o=,tag:TN41NuGce0Nm05KNV2G7xQ==,type:str]",
 						"namespace": null,
 						"oracle": [],
-						"plugin_name": "ENC[AES256_GCM,data:criOJ5/Plf/lAOsq2s8qN5xvmkvzeH7H2PM=,iv:Ba9mC48TLAl0tySRJ3p8MvasrYuiQeviJRZQnjBOIEI=,tag:aB4Zex+xbdqvwsF9R3Jzqw==,type:str]",
+						"plugin_name": "ENC[AES256_GCM,data:v54a4f3jeAjkcPSIdY78fyeS2sA6PxroBsI=,iv:276HW7r0hv2NIhrceOKuIbMeF5U9vqUIMnMRrhNueNs=,tag:1+3UOU40uZBMXHsb09h3YQ==,type:str]",
 						"postgresql": [
 							{
 								"auth_type": "",
-								"connection_url": "ENC[AES256_GCM,data:2zH6bc5/DfBNv6DoJry/Y9UNocZ0pt5Y6yMYsBM8wu2WWVwFx0lf3REk4/qIEr/9Pk3JkVlQnk8ZkAGaV2+W4aUuBgXWocBkR35G27Ewu6uFfy6vx2xYLoyGYi3A1MTD+A9pBxr8lg==,iv:MTIdwtzJhnCuKYWBfPtq+mbI4HqD7B/rg7g5Y8ihXOU=,tag:vsGXAnJEJIRoB4/NiZevYA==,type:str]",
-								"disable_escaping": "ENC[AES256_GCM,data:jBYdzcY=,iv:V5KfcYgB+cuOuBYyNQSBCBDPv+9XeLOtG2yFyJtpUBk=,tag:HnW8k7BkUeYQo3MsFFLHPQ==,type:bool]",
-								"max_connection_lifetime": "ENC[AES256_GCM,data:tg==,iv:oeoV9SCHAzUdw+eLQhVZmXMi++rqz7X35iWX73RpRKk=,tag:LndesEfCPVAccLOfSF/Ogg==,type:float]",
-								"max_idle_connections": "ENC[AES256_GCM,data:hw==,iv:aWAqmaAcOtwAkb6pP/VuTHyy9UYRCjYeXJEA+cS6P4M=,tag:hLuKYYY5PXoolwcsoBYCew==,type:float]",
-								"max_open_connections": "ENC[AES256_GCM,data:FA==,iv:7yJM/giQgknu0tgnIYr4ntM9AyRApADrzLDDpRE661k=,tag:E7MsuUywS1aM0mE3KheeFA==,type:float]",
-								"password": "ENC[AES256_GCM,data:48HK47RAqSxtrIbxwPeLnrDIh8mUGAy15MDiIUa4xTGgpcgOct6y91NEOx1Sb3dBVsCjK3WeRX73/dli4HvzZw==,iv:MhLnk1YmKIHj63BcBu9HYdRBi8ZQGjEKVxGVqxMuEkw=,tag:1tQGyQSDlTG+xfuk13ifvg==,type:str]",
-								"password_authentication": "ENC[AES256_GCM,data:1Ip4aiCrk+4=,iv:CyUz13zwz8u5m8un++Z5LurrDul257oxuYNXQL/vWzA=,tag:xsXVcj6rYuMzZZ/A4WvkvQ==,type:str]",
+								"connection_url": "ENC[AES256_GCM,data:7KPgtIhf1vN93fd1zwiMB28bKfcu92aoLET2++QixE6q8WqGsAe8xZ5eDLP+2/YKQ8AVkdEl7gwqVP+o2LFx6imUUYHVSqAn6Mm76ojzRe+d8YNu94s0STIu41Lw8x21bqOubfY7yw==,iv:N/lsH/P37iY78CUzuNI15JflFiHZHLYykZbX8AHRtKo=,tag:nYo205EnRFr+pkMZVAutIg==,type:str]",
+								"disable_escaping": "ENC[AES256_GCM,data:cBS0EkY=,iv:suSRFtLIiyozBFrqYvyyM5Wb3wtpcoNlbHzFVR8kSjk=,tag:LWwKIWvPgD0KWkTOCjDDTA==,type:bool]",
+								"max_connection_lifetime": "ENC[AES256_GCM,data:BQ==,iv:2cZy7dwALnVkJtoeDbQ+T3NgsJsrzwKv0OTj6NJnw0E=,tag:R9I9goiHFdIN7Iw4z881ug==,type:float]",
+								"max_idle_connections": "ENC[AES256_GCM,data:aA==,iv:gyv7fnuX9aXPcDDvUVJf066C5XkYkTLeewF2Ojgoeec=,tag:buzpb/iZj9O4RQ3dwWUu4g==,type:float]",
+								"max_open_connections": "ENC[AES256_GCM,data:SA==,iv:3oN6tTKgi//iPCdccI6Fw5F5pELQi5SI1mwprPnnYkQ=,tag:uHqLJbtFroD7IFJYhxyfVg==,type:float]",
+								"password": "ENC[AES256_GCM,data:9c6B0a3udIU0PLBHI97sZMj4uYRFmQdxbthh1DXGh+MbkgELIEOePZAAI/8+kNYClhYNMV3Bi/sq2hoD1UiZmA==,iv:P9HCDsTqKcMIj4UrtkaG30wgLrUXvMeBdapgYyWaUbw=,tag:O9sW8d5VPwsJusLeUwEEVw==,type:str]",
+								"password_authentication": "ENC[AES256_GCM,data:D3H1RT/ePkw=,iv:r+wPTMWng3jtuRfDZbPST7IrwLB0gaBohqFwP0IvnbI=,tag:GgjuONc5X4H0DCH3I2v4aA==,type:str]",
 								"private_key": "",
-								"self_managed": "ENC[AES256_GCM,data:oLPlFPw=,iv:iVKJU//1JxpgJ2ICFQ2Et6uvLdC7DLxvH5KCruGfu/0=,tag:0dte0sPmbmJMq58sYI0Y0Q==,type:bool]",
+								"self_managed": "ENC[AES256_GCM,data:wXak/Lc=,iv:jhSzGTkbjgNILT7JUMW2bPn79Y31mceqOdmzXk4ExhA=,tag:CpyfVuhpBN54iXFsLXH3Hg==,type:bool]",
 								"service_account_json": "",
 								"tls_ca": "",
 								"tls_certificate": "",
-								"username": "ENC[AES256_GCM,data:KrQfkfECxUo=,iv:I1iuzgUFkkDpEjhPd9nte6UJmpzGcVvkRKwz6mMDYtQ=,tag:n67uKkbWDiYn1m00v5gefg==,type:str]",
+								"username": "ENC[AES256_GCM,data:28RO9awcQdA=,iv:xRowI1a4VYIN/Ix5AiVgks3Ttq3kOWzAS/jix/oqt6k=,tag:mw6diGAOTYmoWbx5+HRhCg==,type:str]",
 								"username_template": ""
 							}
 						],
@@ -1420,1505 +1421,1549 @@
 						"rotation_schedule": null,
 						"rotation_window": null,
 						"snowflake": [],
-						"verify_connection": "ENC[AES256_GCM,data:wsLKxA==,iv:MV0RFZqrTNjogX01c8eqvSDOqjRlY97uh6KoBFFtc5g=,tag:Fhu4IaSQizQcqunmiuwVrA==,type:bool]"
+						"verify_connection": "ENC[AES256_GCM,data:gBkfCQ==,iv:RnqovZwYGCAk65ncYMb0fO9KW6EVbpEJktCFEKxEiV8=,tag:lpmN+Y0c7yz45DvjuYFlXw==,type:bool]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:Ef5YN21K2cA=,iv:IKumHWKjkDT+nE5PQyveqwykfaCPW1Vr29oShGwXx5U=,tag:6B8XFpYeX1VhtFhSof6WkQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:Wga/3VyvQoOyNQ==,iv:Vw2r9UXmUr5rtV+s+C8Uhdo8cpkOcYjr5/JXJyj+ez4=,tag:BsKon4YKdZBPoul4KX176Q==,type:str]"
+								"type": "ENC[AES256_GCM,data:+KekyQO/2S8=,iv:GgkDGdmnGVM5Xwxfg9m0G/J0QH+BnAeW7cAsUhQsvdU=,tag:DTanzomGhB1MTF4gWGtuNw==,type:str]",
+								"value": "ENC[AES256_GCM,data:0ndw/29p7R6ukg==,iv:hJCgvIh8GGUc6nCPCJnlp+oKVzzFSVTQC/xf+x8PowM=,tag:nHE7jehNHGumlaurmwVPQA==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:DzSynjg=,iv:B7UWFUfgUSceUo/ulRk2FMmGe6grUlWuWiyXQxnP6Rw=,tag:sFxMLKoNWhD3w/6+np+e7A==,type:str]",
+								"type": "ENC[AES256_GCM,data:9vmGqJo=,iv:Atr5syq4hekMQMRB5YnNMgIsjCjpj66k6cDW2z4JEhA=,tag:jpdRfzRgnFNQAlAedrb9lw==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:Vw==,iv:8S1CXRW4NsLSKpcYk4g3laz68V9h5MjmiWMg0Km1hjc=,tag:WZVhopUcNtUJ7Xcu6nSVXg==,type:float]",
-									"type": "ENC[AES256_GCM,data:J0QZgW3Q,iv:+PBUTGLh4BZ+OxaBETcYLDNwq+oTEf8mTpRcgxZd2kM=,tag:h/0yMh1+XKcYJVEWr2C98Q==,type:str]"
+									"value": "ENC[AES256_GCM,data:3A==,iv:Rlmc10F60MRP7D219uXnc4zEJ+2E0wGe9Rvt5yGykEM=,tag:xJLNcdf276b22tM3ULHgDw==,type:float]",
+									"type": "ENC[AES256_GCM,data:v9nqOPkz,iv:U/ZkglumhIWLhEd1IX19vQPAQ5jJM3c47DsJYezF8i8=,tag:rMvteYOJYvd13opFW0xs6Q==,type:str]"
 								}
 							},
 							{
-								"type": "ENC[AES256_GCM,data:pHjXIzgZ9rA=,iv:lrSnwUWFx1yFSnXJVM5yHoXF8TbZ/g07ZcenOpbkMh0=,tag:utdxD5wjh8boIeEN4JnmpA==,type:str]",
-								"value": "ENC[AES256_GCM,data:WuryJvxcamk=,iv:BR3GJSW2pgAy/4wxLhbO8jpI/jYe3F9huHBAGPsPpEg=,tag:gQeQePBOSnmSd1GP3tBQUA==,type:str]"
+								"type": "ENC[AES256_GCM,data:7eApsCdPbfQ=,iv:AS8PcycU5EBvXEMryqwiqP8UhmnN7nfTl1LZuKNx0/s=,tag:2WHJnYvXk2wpOBJN0PiZXQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:KsgjUn7RQPI=,iv:XIFv92nfFY9Kpch8ZnVGjBHz8HSCkvrqAIVfhebytes=,tag:0m+KONd47rzPt4eHlW5qwA==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:3qP7wjLk6Do=,iv:6lvtccOFWbCoYveYxQJG0A7ORioiG9IavuZ+cq4AYfc=,tag:8hpl5h8SOxbhbVebMl/vvQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:73d1aw1ZHsosJw==,iv:k8nGbJy1pm8QrkRpbBF96AyVhWS+wB1z5YlYPuseOt4=,tag:RT9/5ggF9msmQ5GSt/KbUQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:wADo5uYouGQ=,iv:R5ILM8Scj04fhaOFApiY1fu/v9aKJ+/FNqRb4NDTrkY=,tag:VPYvUo6FJJHRyFUvuGJG+Q==,type:str]",
+								"value": "ENC[AES256_GCM,data:jKOfP6d+3GVgPw==,iv:TOMz7+afXxSKcLFh7QY6r1uF8L5cmQbLfhP11HNQjYQ=,tag:2xVDhck625xLBV3AKYdDHw==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:KsWzXFA=,iv:Lf/z3/+7g3vKYC1qKKFr3OELyyp3IDXhnt0eKLaLx5M=,tag:NfgraYGehWxb3hdQqSrZ+A==,type:str]",
+								"type": "ENC[AES256_GCM,data:M0JUyX0=,iv:4fbVSq7uxlRPjheolmP5y8TuSDfw1nEGPUjjdPDV4lY=,tag:AdtyagYaeVljSFsEPTRlaw==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:6w==,iv:nbAG6X60eB7hf3NMzwuvoDOqghGNY1KwbTfgfNX8mks=,tag:En50yxqOzWEwcAv1j7Lqgw==,type:float]",
-									"type": "ENC[AES256_GCM,data:BHTHePRE,iv:wwDOh6mM5JrnAzO4t36RhU616xooTWQ9EE2Z30w8WA0=,tag:Orij5gGEx0ijRDGqFgZEbQ==,type:str]"
+									"value": "ENC[AES256_GCM,data:sw==,iv:YeXs7sZXhR3NTr4YROM0/LSZKbu+lg2w/Z7xxrdIxPI=,tag:H0FZc87rM9+hCa3/YduGNw==,type:float]",
+									"type": "ENC[AES256_GCM,data:BjAsfKqF,iv:FI8b7MCID6seSnivyCXKiPaT0tlVzCc3Ucb22a059wM=,tag:X/EjU6H3zUGUYDyX+LykHA==,type:str]"
 								}
 							},
 							{
-								"type": "ENC[AES256_GCM,data:jwgTxCJnmkQ=,iv:vR+gjI0KBHGJC1iCZeYX1yuuhkTVefalSZ/6LNsoTuo=,tag:+0E/722tMeODYP9ZUqM/Fg==,type:str]",
-								"value": "ENC[AES256_GCM,data:oPkuZ/BgD/sNCAE=,iv:DTkpAKxEI6kh/MB6jAZ6jvgrchuDixVAU4AyE5e3W3U=,tag:lkqhFeyR6OyY8FfRZL9mag==,type:str]"
+								"type": "ENC[AES256_GCM,data:hNl4vjtAmU8=,iv:IFEw5CmYq+YmNtAgjHBWm8YWooqyLM9WFDBs1IAQw8M=,tag:6VYpkEFxW3BKCnO4qtGuEQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:JSnYfoZ/HLps1N0=,iv:4ghr61ZOEyJ1slqDgJKXKFFJz2jN2QtYaEC3akqMh94=,tag:eDV8F4Eaut0fX5URh7l28g==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:OgZvH8OZjAY=,iv:vWtNm2lf2L3ZDOibz5ROMRvgI0B8mNvOFtRS4PNtGIs=,tag:wpvPQ00v4VVNIsnGu43YJA==,type:str]",
-								"value": "ENC[AES256_GCM,data:0qUf0dBLoYr46w==,iv:JNXfrHeh8dxgm/y1zb5frw5tMiaB+kN7YM0PLaS3WY0=,tag:y4o6iZQLdZgobxmEuDUqFQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:P8NgZRfREhU=,iv:gxm2dmdA4uT4aBf0j1aey//Yd8GPwhdNnlV2KFVdx3M=,tag:E1+YHwduHy3TFeTVwkfRXg==,type:str]",
+								"value": "ENC[AES256_GCM,data:+ta3+ccN2VD5rg==,iv:yBtZCsDyxKOWIc/VXheIHk5RbprCBORo3o5BV9H3xiI=,tag:eNrD32mzyEJwcmVIh6sBjQ==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:tgP0jSw=,iv:NEVfxaA6mYkTEh65Gntk0AdcSDaFBJ5qlXI/QKubqPA=,tag:KDnciA4GsNStQvqDccGwtw==,type:str]",
+								"type": "ENC[AES256_GCM,data:n6fQd7Q=,iv:p2ddg/nbKx844mVRMpx/0+iYgdPJE6CEAKcscTV7c4w=,tag:bUCJiKsMRyQsFDAIyYuvbg==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:Ag==,iv:WDOB9KOpBOAoNtAQKWV3TaCH+YiwMpyOR+GlxlGpOgQ=,tag:9BaIXVxzRv2u9psiCJkFIg==,type:float]",
-									"type": "ENC[AES256_GCM,data:p3xsbpZi,iv:APFvkzGUG0RPoMicKeZ5ZZVCs90ei/9he/Y0bI8aE9I=,tag:EBC8OyXZsANs4cHMHJouoQ==,type:str]"
+									"value": "ENC[AES256_GCM,data:iQ==,iv:4gb8CfZErlwK1gqQosMnvCXpI0pZLUoCytD2oilq9z0=,tag:UPrhzG8+BIkjUtbJOhQKbg==,type:float]",
+									"type": "ENC[AES256_GCM,data:2CZABtKy,iv:9Hoj+Hr9esRIwL9TornMlRR1y95u4iFz1SKUeTGeYH4=,tag:nAuevtiMyxwHLDsICNf9hg==,type:str]"
 								}
 							},
 							{
-								"type": "ENC[AES256_GCM,data:6gbzSKSQd48=,iv:RBH92I9u22eRYiuEu6sibNvBgFennlWFJqgUaFLoomU=,tag:EZV+WZgcswfkp5hUhmxT3A==,type:str]",
-								"value": "ENC[AES256_GCM,data:CXAic1MWZ3DfHLXfSEIWkDSoKjk=,iv:54htAfFcGEhoI5SyQKmrIeQnhsAHBr3hV6wTdvtFEuA=,tag:3Vhymh7y25yGbY97EE5plA==,type:str]"
+								"type": "ENC[AES256_GCM,data:mxNIQc2m4zg=,iv:NvHeyNlMwx3TezXU28NnOd8TzYCHSxH1he1paNkVT0s=,tag:aQv8X5xO4c8N5tTbGTY2Bw==,type:str]",
+								"value": "ENC[AES256_GCM,data:2y2AoQLSxR190tXiBLKMJvFHnzA=,iv:M/NONF5CnXbTk+V20XlpFmMjj0faj0n0K2zL+fNC/g4=,tag:93GRQDRe+B6WYAECCjWy3w==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:JQ==,iv:Hyvl5OQ/QCCD+tLEplBG8h1sm+N8SsEktkMB621bAwo=,tag:jQkHvs+azJ+CLXuvkcqY/A==,type:float]",
-					"private": "ENC[AES256_GCM,data:3TW2Lcj4fd0=,iv:3Wa+OyV3vJMpPhKqv1zi2A6d9FVQxua7eKTZT92d0yk=,tag:cgS5/XyaftW0Nlj2T77NFA==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:XA==,iv:xVsjLCbUwXhEyaUIKzw5Z0UNQ67Qn4sScnOsqqQtEv8=,tag:MUwDKmzJiHRTuhRflE/nqg==,type:float]",
+					"private": "ENC[AES256_GCM,data:nhCOQ+jZWuo=,iv:BwnbCtBSj8TenPmX5v+fHWFlV/KQlhk0lM85Dyr84n4=,tag:IN1nwpCg2Lk8qF5+lP/gDg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:hL1LworH26FZnEDrzJWL15mGjqoQziB1QeDgcPU=,iv:J9lJzE8tsIoSnS3b0ryzwm/aOAtr9C14u8Q+5TqtR10=,tag:DMz/xvVZUdZpUx4HEq9GFQ==,type:str]",
-						"ENC[AES256_GCM,data:dn0PJv+vOJlE42T9YpvTN1Ce,iv:czJwxC+xkcQ88tRqNVN7n6xf8EX2SIjnKb4lzj+putY=,tag:PdIRIXNYRyoxJIU0tE8QJw==,type:str]",
-						"ENC[AES256_GCM,data:40Dm9nNRHzSdEOL0dFKrbzWDHGG3RwnuE90=,iv:fQYPKhDK8IruoXe28MIc3NecvWJd6yQYfnWkbKPLZi8=,tag:ywKFR1LQNdUuH4YRcDoGRQ==,type:str]",
-						"ENC[AES256_GCM,data:Z+mw9k0JTfilM7CMVasD4Y4Hw68=,iv:U0RYTzKTWquQkfyzdYQt9ZKWaZ7vFVGa/oY88Rh0wSQ=,tag:mRZR4ojeO4RrBRC98zCS8A==,type:str]"
+						"ENC[AES256_GCM,data:1oeaLTgr5HwOjPn6X/bzMr0Sh7qAygaWF79ndus=,iv:psUruVPdBHAi4N+cqX/sWuFDXmyZ1Vm4zUzc75yqAeA=,tag:PZU/rEw1hEnBPIorpzFfKQ==,type:str]",
+						"ENC[AES256_GCM,data:4UPS1K9r9prxijJAmnxOZUCH,iv:LH1dZbSFvB7DFrP3ku/Ny24c6bx7UpXj6nzYD0tHeQE=,tag:Bg3C9tAAPNbOa0QUcSaBjg==,type:str]",
+						"ENC[AES256_GCM,data:JLVJDDzOvGAhgrqNNtEI1wJ74s2kQ3SyBfE=,iv:J+vp3bJ36iehZFxEiPjFGWpdGCEhNV7WH2xr+dMa1mk=,tag:Red40LtuT7XfW5GKbjv4fg==,type:str]",
+						"ENC[AES256_GCM,data:oxvIpgJ3CxOlZFEFOOWqOpxOB5s=,iv:f1z/wEhXLYrV1PYDU329YTFneFQImjMlzD0ycAwYnSk=,tag:1eWQR+btcysgTpbdp9py3w==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:pBgS3tCbUQ==,iv:y+zVn5FXiS7KvBXjB1e3ikaoI6CgietFp4/QmexeBVA=,tag:qJCXdYJGVVWzj9JoNkjCSw==,type:str]",
-			"type": "ENC[AES256_GCM,data:srzdW3HopRu9ZdMhw+tqNlOKd6meX34LO3gue00gyXFpDhdW6nz0hK8=,iv:UUfTLAt1eoMQU2GbpIzmAJGFrLBFv8HBwXFfzArRwDw=,tag:xs04wUnKl91Ytt2F6ANZcQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:PODWa6R13nDLIoT/,iv:2jII2gd2zCnS4+6Px8UH4tsTcAd+5FjOmZDn8GRGng4=,tag:0xE+0L8UZuLkeAA+J8gQxg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:By62cxTLM8qQzfaj6+6Fn2bs76UHBLwR/NDOqyYbs2TbX96Vik7hjuhSu5HDCOMnjw==,iv:XbB7waefMg6Ox4qyZWWJ9cTwyLLzfJNzL7jBWwfnTmU=,tag:LcmgRqoy6w7Mj27HUA2wVA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:QgcKnalwGg==,iv:rRYire3AUDuQw1uk1RgYaIlFsTmYwIhxJEwBZOgnL4s=,tag:2/Y2otORTeMGbZ/WJT2/JA==,type:str]",
+			"type": "ENC[AES256_GCM,data:SUAF+JdKphGTnbmeSkaCvbE/J51FWIEr0XMtV022rlIMyy3vsG0JkN4=,iv:pWH8wuMh2imxjZrDfSaj3Z6VhXBB408R41v7y5addKU=,tag:XXzJThlNmfDjjNC402Lj9A==,type:str]",
+			"name": "ENC[AES256_GCM,data:0V80exWH7znshfjs,iv:DCZrqLd5zzM4HHWbBq2GyF0iSg0GRUvPDcI3zrpWPvY=,tag:EYD08wZgRoyCBCnSD4SrmQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:rIOmRvTFkL3797I98N29eqR42QpH67b5k5DH85VSLm+eEXb+Uu3j4MWmGq1VwZ3DlA==,iv:8mBW7R8oNTqI7crRvshC2jfQDV5Q3X10J/oSEXdHp+k=,tag:FHbteiK/ILiPSxWfFD7jfQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:QA==,iv:JSZ/gKSZfnN+kGeh5Nr4cqaDrCjpLWOJFZlmoyilQNI=,tag:niieaRNTukE4dvLy4136tg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Rg==,iv:GzCf5lWLzm50n3Wzao0p9IiMxpl/nN6O2XvzJVLkphs=,tag:RDrvPmQI1k+JSDHg0qb2Tg==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:2H4Q25gpjIM=,iv:CIPOiRnnMgqhQrhqeYfSfkrW+UKkqUMUbaSUdc9qmfw=,tag:iyNXsSOmFAo2UNztyC53Fw==,type:str]",
+						"backend": "ENC[AES256_GCM,data:CzzO9fiAMhQ=,iv:xjb/uYVPl1L7dhqGm8gaKN3RCI+GSx31e8RebgJG3ho=,tag:5Gh1TSwx/sYTIqYe+OtGFQ==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:J3uRCqdTLrk=,iv:vF01Bgr41fzQQebHInXat8Wz3BiDDyIXzo8cjFXeDRw=,tag:mVia3jVjzpvGjdVeg3/+fw==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:85ArF2E=,iv:Tf3fZeXe49+ANAduvyecPrxg6hzjXW/FIkDCKSrwabc=,tag:ugFysW/S9QqFjjwiEkKG+A==,type:str]",
-						"id": "ENC[AES256_GCM,data:32xHZ6egt+DJmXTwleQeAfhoMZ3QUIneAMJaWQETEOl4ug==,iv:KbFNjW0YdgHcyQ9OM+IWuPf5+l2MUNE3O7lvsUjZtgY=,tag:9OeL571gsgEIJtit/infkw==,type:str]",
-						"name": "ENC[AES256_GCM,data:Vbm9HC7qwiAgRAhs,iv:SoHQcTcLQZy1PjJnRYZkqBC7u9JFlURAUI6cjReSt6Q=,tag:flxBQB7uKKLYdLqLBto8LQ==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:CUS07KQnwRY=,iv:qzUb/YfoRkJ4OrZHhhiLtqXD75Kpzi1kBo5m73Wgq2g=,tag:aw8i5PnfiBSmKA31XOlytQ==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:KnopDZQ=,iv:QGzrNPEUXtGcl/e0dc5oCzVHVpHSJhBOp1L3LmjMkJo=,tag:WuOlkQ5Kr7TnYOcfhazXHA==,type:str]",
+						"id": "ENC[AES256_GCM,data:KMMAiB8PB57aMPNUHxutkipi3d3ZGJ+W0DyO3vwIOL0yLg==,iv:cNhLPDOwfVAJAO5rjvq1B+SYsM8HbXeqE1GqN68ZwTk=,tag:el11wjfYp8FHvEG4oY1gTQ==,type:str]",
+						"name": "ENC[AES256_GCM,data:8J8Sii8paw/uRnrK,iv:RI2NGrzNW7kG3yJhLZn5QoIQkw5/Xz1DH3Cuks5zkiA=,tag:koheswvHeIO9ljwZqfD/ag==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:INB5rgmY,iv:UGSnQo+qPGpRbTqoA5490BvVuKqhIrhyA+2ecWDKIO8=,tag:eaiUxWt9Eyob+dBtBCC4yg==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:lqF9Goj1,iv:IzmRpw7+AWkacCt41LPfwJQFp8yLgvbn+0bd97XZj5Y=,tag:HPmH475MOUTXpLaY0+LkAw==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:5g==,iv:C8buVolcb+2d25hT87DRI7bhA9AGkvHNEUGsVIn2rIA=,tag:MOD2RyZovjs7V7x1IHxUmA==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:XQ==,iv:GWgo2OZkQxBnurT/sgsSN7jVdc0FGSr8lyAbBt5Mtsc=,tag:Kvrp/TzM6kOxXjK/1tgLhQ==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:iz/KTcl4,iv:DOTO6YWHiItVJxAi2QsQGt9cUOZplH5GuqTkeZJka2k=,tag:9NRda8GHvWuMjTFkqL4Ajg==,type:str]"
+						"username": "ENC[AES256_GCM,data:s8akep9X,iv:cC+vm4YoSbUKbGbjo3ixNfGsm4+nJTfdu1aQuo2M5aM=,tag:Qyl3SQgLe7EdgNHjLx++eQ==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:sofWcKEBWi8=,iv:pnxnRMkyyUorI75ZXs0wDzeAWhWKIVrAYAZu8ZSQnSg=,tag:WYiks2Hxa0coNApmZHEdOA==,type:str]",
-								"value": "ENC[AES256_GCM,data:68St27OlO9sZRphR/IATrAlt7tBk,iv:aHIUDdbFqkNzQOXu2dm62Ldk5NKaqxGDTt6UTOdt0Ds=,tag:3ZHKralpJZEYiBp1fw99PQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:E+hWttg7Ptc=,iv:P+KxApeu3xbcZaFGVIP9ikPzm2fcNsUkD71go6MwHOk=,tag:q6xEjmpqVJABiEqif3hI1g==,type:str]",
+								"value": "ENC[AES256_GCM,data:2MWZ2QcEp9dg7YSuePSuQyKcT6fX,iv:SSBKpSZnNq6JtL74X2X1j5QIX+Xb7kCxLelh6HXeD00=,tag:J7+Kz3WJXCUft//skh29Nw==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:EA==,iv:uOg89Ew1+xhK0pNmup/PdmxELF6R6lTZVkzAWJqNqhs=,tag:Z9vXBUN3T5le1ID1GVmVqw==,type:float]",
-					"private": "ENC[AES256_GCM,data:PnwfI/miArM=,iv:YuorfAQVH/vmqfnSs0QlvLFdvq1fNdZkm6YAlKzgTQY=,tag:wamuH1vb/OylHEuk+YWvEQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:nQ==,iv:JnrQRkgJ/AsQtFruMWaNQueTSugKw7t6Yt0mj8l4Qy8=,tag:kIPUC5KbGe5YY/OKecGalg==,type:float]",
+					"private": "ENC[AES256_GCM,data:KYdsd61zLGw=,iv:FumcdSeCWKj3sP1bEfPxwSJUEq6gMAMall4OqHTqQao=,tag:tDsZPN9ASsQoFB39N4JozA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:HHQ+LHd2m7RgTjIsH+zP7uY0VkfMwgrTL/ksFOc=,iv:vX3QWT+jRCYJ+J/WNN41ReE2s1lLl8bMTfHrfmOjPS0=,tag:oYIN6w5tr9Q6fPZk6wseyQ==,type:str]",
-						"ENC[AES256_GCM,data:rPlRL80j1KXG1WRt6o283Pw1,iv:UrEx9F2Nn7iSWlUzlWt6JrQdLhCmfNTsKCfc46olvVM=,tag:NfQIf1BMt0/1xTNaEHrlMw==,type:str]",
-						"ENC[AES256_GCM,data:DBpcZvHYTDsdmTGxg+mqjKS+B2pHepmX/IU=,iv:a2wvr+D3cCyQB2kGjsCYxebvFtRYXzLl/sauQk0P5bU=,tag:0L3dMsYyTph5mVBOO7AjCw==,type:str]",
-						"ENC[AES256_GCM,data:ir9y7Z6k+tJoqdrk2ovHTOKTl4QhUopR6od9RfsfpGmxu5yOxF2SV0VxAEpolw==,iv:Dy3vMwy2TCkOwX28GshOIF9UOkYBhDSZk2qRd+aaD2g=,tag:GA+UzfH9Xsz7+aiaMSWu6A==,type:str]",
-						"ENC[AES256_GCM,data:pKETjr4MW5Syrk0+xMzY1yTFM6k=,iv:ddzwPW8K85YYu9vtFNHpuB9d/Hz3Dq1XUy1KnDXdyiQ=,tag:azDWCGvA3qz0qHEYK/a7Xw==,type:str]"
+						"ENC[AES256_GCM,data:lj/kHL84eX98hqNHy4C/lItkzNbD9Er4D3aDAYM=,iv:0NE8Fu+Km6LrG4EONNxUF6cIy+KbrXUaXuSFQuNosog=,tag:agfcP29M0rpSLTXh+0LgpQ==,type:str]",
+						"ENC[AES256_GCM,data:SsIeGPXzZ7Pgm7AxyOVW9QCq,iv:DPWBmWf7uYd/nDWpVwwv9yhE7Lyq92qQToFsK9DMxH8=,tag:G0TM64e9qxHG4h0I+VPNfw==,type:str]",
+						"ENC[AES256_GCM,data:crQyJo0OMAd5RN01zfEhsJLLRaMeYmP6Amo=,iv:tmVSsF+gx7pPO2080juj7d6JjLjV81KD6Q5Yxo4EemA=,tag:LrOP1eHfE8cqX6Lq/v1jmA==,type:str]",
+						"ENC[AES256_GCM,data:KyODaTB3+TpPe0EoVz6wRHHzhsULVnfkYKs+U4ivDLnGXypKGiMlEmVkqEQ6cQ==,iv:YwaDaXhRFd/48jydqXwTdotGspKNKVtUqEi3rafQNKM=,tag:2nEgKcn6NwAJFD+iKA1ynw==,type:str]",
+						"ENC[AES256_GCM,data:QfpkgKYoM99xhd/GZse9eaOAOcM=,iv:6yBvQmRkLXRjvWAefe+hs4rrtXq3KG+uwcBcH+NEz6s=,tag:ZetehiyD15sBbLhzNAaS6g==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:dKoZRTQPMA==,iv:jxjGRsLKkWUoB6C3hOK4ruMBLGlxPI201jgFvG/tgTw=,tag:j+qqxMvOL2MNbyNL9oKp/w==,type:str]",
-			"type": "ENC[AES256_GCM,data:vknt/Lc2+745X4tZ9iOQJLu5VlgNb6vWeANA1RtA4PWSUdfPLrlLlbs=,iv:XzIigj1NJRBS3yt4ZIzmLJAepz51PRrJvPFiLXBRf48=,tag:ANsX7HgwYu1WrLbDWbxcsg==,type:str]",
-			"name": "ENC[AES256_GCM,data:clMPGMmArrAlUCiQ6g==,iv:8OShT5bRlOtQqaHe2aKWDyskZ1RsL8WWS/ZtQi1peCE=,tag:8/qaWmgwVyFKIeMGEd0JYw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:7uhSR+g0ge3r2nGkwV11u23iWV2rVosirEzSKTFfYyY05zVGGz1cN0mltYGD98+2xw==,iv:O+gJqzeVEBZwJriGkVYsWiSgbTaBNdIMaG3WszlLHFc=,tag:0jBwE3ZXMV/U1JiuKcadog==,type:str]",
+			"mode": "ENC[AES256_GCM,data:cdnbaoiraA==,iv:dXCvYQ8FxwG3LAYkJ9xBFupx3vU7w9vpij2HIM3eQqs=,tag:a4/qnCNYqWDV2qPWuoT/gQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:Pfl05C7roUoKdJFPLFifgyrcOqFkBQoZ+LSfuu22bsg9CZJ1sokOQZU=,iv:nII7R40ctjFzPd6mQ6NeqjtOG16rfNm9iiMCM6YzSEI=,tag:BWMyJRH5GdGtk8l8ldP5kQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:Mr0UePWfyyAQxvGMuQ==,iv:eIJWcCTyI/lVC2uvOrf1KMdDYCy6ImaRNjeYDkH1R8c=,tag:3ysrn7Y9BbF/CZZWb2Z6/A==,type:str]",
+			"provider": "ENC[AES256_GCM,data:vlQ85K8LM1nLCFwPLCy1Yguzae1C0EHYwnpTsFrVb9HyAMuH7P9/RUtRZtM4zFuE9g==,iv:YgEVVjMPs//tsSUo19FVgXrIlatP3IV9DBKpXrziPLw=,tag:cY2UOGRCMvJ/ly/ST+LZTA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:iQ==,iv:EdJAzGEGKFEV0gxuwpJCYd5hHfbNLric3UeWEurXkVo=,tag:aZrf4ToJbMUkNv77YS1oiA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:YA==,iv:O87Btm7awTRo6v38bjeXGrN6YrhtFVcYVHB+BlJz+vk=,tag:tUKMgC/UVuEC4b/ZbxsTPg==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:mM4rRLzoCJY=,iv:19MQb0uzmG42WobGeYBOx1h4GNNEB/TbulT9vhq/L8c=,tag:Ur1XbD5ljBt/UInGNcm2Xw==,type:str]",
+						"backend": "ENC[AES256_GCM,data:K/qoWeryZ98=,iv:9AkyM0NphRgkJ7a95suPkDSiHFuxBJ7hufyMlwcB1f8=,tag:ZN9sUXzz3ZAe9VOl/nOXAA==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:/vXyLvzkNMw=,iv:Vc6vQ/MKbyQd/hyFgBda6xQF329jvwA2Vp/taAma9dc=,tag:xAQWn7k5KjfpszZhqQfbmQ==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:5VhSghg=,iv:5IMTskiYuz9BSnSkvLmpksftItQESiH1YiyDQEdWIfg=,tag:1uJxskKp5Zc+dIAQKxFjdQ==,type:str]",
-						"id": "ENC[AES256_GCM,data:VRbq3T7WHqK+YS6Qk1/cLVuy6MT2Etnjys3XMpXRF1HUu7E=,iv:x9IZPyT5Tuh16b7Bjjep+hnzqw3S4daZ0ADvJDzFYO4=,tag:pPYF3bMK98DZpw/4D5rpgw==,type:str]",
-						"name": "ENC[AES256_GCM,data:WSg7HjgpYKLbqle+cQ==,iv:uhv69ppfD+zPIvFFUzy9zui9IZ3sCXGvSHCfjBSg+Ek=,tag:VZ4AmooMTyOYBaLB0Jxibg==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:DetE6zyOciY=,iv:cUnY6GB83L15PHfHzj9kcvyx5j0z30o9JY0iX+lLEec=,tag:fLBbLieM2GRFppRW3/3sZw==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:q6PXzAk=,iv:WoHr3emAhziGS94b6T4t0BiMpW/iTB3d0n+Z/enEfcg=,tag:E0pv6Zb299oiE7eIoWDNyw==,type:str]",
+						"id": "ENC[AES256_GCM,data:MHsskJdLZyUDra1boEc7RSRS5ciFceEUYjYzf3Ekbs6q71w=,iv:03zy6jbvslp8xrIUwBtaRDKBy4OqxCsgT8VWMP+aoCQ=,tag:dn2Ls5BpoMYleUJW6Ue22A==,type:str]",
+						"name": "ENC[AES256_GCM,data:DUJv4fdmD+R4fkGJWg==,iv:53/ELVZnl8P3Ag0ksBAoE+SepRMuCA2WoH4WtGizxaU=,tag:U76RMvqrcKTBv6zNpd+tgA==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:VXFPwgFy,iv:8Pi/61K/RYaYbys5p2MDENOPaeC2ohQ7YhQDuB49+Qs=,tag:0ugEqX5JfzoV8fVnwryceQ==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:86znePQd,iv:0L+5qXe2k6OFzOVRjFbVODJw39pR19fCe8vZiYntY2Q=,tag:7p0rP5CbBTuC0qXkOgvDWg==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:ng==,iv:x9J9l6lnxurdnzfC/2/WqPKQlR3X9UA+9tNhD22yc6w=,tag:2HgJ3AUPyRQH1W41ixGYfA==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:Vg==,iv:evsihJH5cNon/9eS3nT/qHj9k1DSN9yEbBwhzb3BCME=,tag:RCDF4kO3EQE5WSNAU0mkCA==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:QYdQ/pvQFw==,iv:023TzbpJZaXyTfpwUsDO00zd2WCyuUKOz7ntBwJfaWo=,tag:BNBy1yOEs47nVRffvC/9NQ==,type:str]"
+						"username": "ENC[AES256_GCM,data:+nZLrjOa8g==,iv:NIynsDl6NOP39kftjyc5rijXeA+3/7Aik2UpxI0MBHo=,tag:dQF04ZJBGGQu1pQUBF/uFQ==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:Eth0gj7o+BU=,iv:Bp8a5+P9kRtwqA9AiByPU+R/AebnWSmLgOudyK/4ojE=,tag:2T+Qf6McgE+bC2v6p34miw==,type:str]",
-								"value": "ENC[AES256_GCM,data:AQbDIkRiqnWEbDOo37alOUy6nlaF,iv:bqHsJMLQKiyDgO4n9dtQmgXKVKU3/0w2XinQcsQNd78=,tag:pLhrZKS5cK825ggWMHs+HA==,type:str]"
+								"type": "ENC[AES256_GCM,data:cz4U20nHm2w=,iv:E+wTweuWiZwOXofAD/nxYCu59D9juvokxjsF18lkehM=,tag:D+G4tdZHFb9HgAeSldrrlw==,type:str]",
+								"value": "ENC[AES256_GCM,data:+bMJft/YbX5IR9OjNWhOzfqy/kuy,iv:g/uo56yI2GwfPwcB49DMg48r6DCHPFe29rc6z7rGYhc=,tag:K+oLcxcmsfcHScEt1jTFFw==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:xg==,iv:+VHVLo71V2w/MJZzQEV4DBuLpq+z0BjBTTIrJjpG4V0=,tag:dTDvcyEg47eayErb3AhlPQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:ONlLwW+vr90=,iv:+28MrzlbqGAxoRURW2DWQbiayPDKgHpeVwaoMvG0dZ0=,tag:H8IToHLjHVjowp6RbE5RGg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:xg==,iv:WKVlZqjqWVUnim4LsuFwcJZJGccotAL74zyznP4ONH4=,tag:u95Qrj5v3LLmJZuVkbHtmg==,type:float]",
+					"private": "ENC[AES256_GCM,data:q7apvtLC9rw=,iv:qS+LBCkbcSd3nzO4Y2IfgcSBWoSrid0DzPXvLBOZYlg=,tag:Hv43xzHfps95YjRJ5eMvdA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:lgmjqH5z49OnkF/LUgT0U7rK5rLxNuJQyk8zA74=,iv:zwhUPGaxOWRNaZL/tyI5W4oX/UNPFUs1ZWttPfU7e04=,tag:5YhWTEUWpIXEdnZlup5dpA==,type:str]",
-						"ENC[AES256_GCM,data:plpgMS22u+VyxUpTUPBPvmYj,iv:jp6Tf8wvYa8O08tVgg876y26XjvzgIHnGH3tDflhtFM=,tag:GBnehwkKoF64E5RyQJr48g==,type:str]",
-						"ENC[AES256_GCM,data:3kJ/OKTATRHStAiebwl2HLvXuzP8QN6E5iU=,iv:on9b+Hne/lkNAaYyii/85kOeA5N4t1+LtgNKYHJBTEs=,tag:eDHzAXMoHpT+G+c53N9A5g==,type:str]",
-						"ENC[AES256_GCM,data:VBUy3JiSw1ZQMpckQIsghboiTu0PAbUbDUwKuReX2mdmM83diZw0IU9iM/vKXw==,iv:BlC8CtwHQY0/xMvGnX9/1cWzsFiKrdjiLcOsqiFbcUE=,tag:1lpznXz09z+Sw/vodtaLtQ==,type:str]",
-						"ENC[AES256_GCM,data:4rLPXrI8anjI2tBP0OK/n2Y7vls=,iv:DXcXVbsqzxtMxlUpoQ0IyvALWbraCcb4JWZsYvsVy3g=,tag:b7Q4cu9GdUc6u1SrYmovsw==,type:str]"
+						"ENC[AES256_GCM,data:nozHhgCfbo5fnkvzLf6JLhJa/Y3HwOcDVAFzfac=,iv:wDwKaML6UBi6zUZMRIXtFdlJSoPzp1vEmPKb0jy7NiM=,tag:FEGqCb2NghO9IpXfrBQC+w==,type:str]",
+						"ENC[AES256_GCM,data:ObNxlSi3Uc73mE1SseG2yRMn,iv:d4sI5ZCNLKH17GbTVtzoE/u0eWhWyTd2qKsCJBxwTIA=,tag:ZWGZmGghwvWALXFyz8IzIA==,type:str]",
+						"ENC[AES256_GCM,data:Ly1BUOXgniEzkG+ZreJnm7ESgr7jDJiBbao=,iv:VamqpkDKDM9Wg/An/drvc9nk8OOB8/GBojDBc14H6eI=,tag:6WYoncQIpi/EqXWtlIaSdQ==,type:str]",
+						"ENC[AES256_GCM,data:vj9Q+j3a7L0g/n3L3jCpMbb9id7MFc42LPg0e5XY8p1ApkalkgqWVluN4wVsGA==,iv:BMzhppenWNZN2jdVZdO3oSXn2wKIt6Ktpa7y7JgI+1A=,tag:c5jTGMEfh2F2lPPCcfbSHQ==,type:str]",
+						"ENC[AES256_GCM,data:1IKRN/Gqo8LCIwDzQ/lHUeK8Als=,iv:XcblWUlQ/EBpr0PGH+KDrDLo5iVLTiKjoxyZXcYYTg0=,tag:NidzB3P17+q2VWSSXmc0tw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:UcpV+tuj5Q==,iv:s5ovgf/9+xTB+GF+r9SeixNSIM20DZOQc7vYHwLuuXc=,tag:GvpuIO0W2goE4ugFaIhV7A==,type:str]",
-			"type": "ENC[AES256_GCM,data:7gT9ZiK3FEvJ6G4e4irQ+sZDWKAyBr7jIVdV+lYzosiy+5COP4fk55E=,iv:XYB7OWuvd8AJqlBvnhhmfTkI9f6RYegm/91S+jT4riw=,tag:q3va+TnynTPxS+wwXDvS1g==,type:str]",
-			"name": "ENC[AES256_GCM,data:YGGwujq7O1ykm6fGI7Vc,iv:mSR+kKdxW4U6LYtiL3I7a7RDI+oowZuiBdG3Y++TSes=,tag:Poh3OoAByEecFaxjKSiH1Q==,type:str]",
-			"provider": "ENC[AES256_GCM,data:uT2GS7T+OqcH6jrZ7Y5zvl9nZpRit151sZK6bq/Tsu114RlbNGQ2AtLrkrBBKrK85g==,iv:HocHBWQap3DdBfoebXKpvDBhGSo8yBtGaNSOqLNe0Ko=,tag:Iwha6QQKC6B5HCdjNw8nuw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:XET1U7r2Hw==,iv:ezbbttvEuLTCLVZmb+2ap5gNuYNM6KrcqgKV6hT9nJg=,tag:NLwR0IZeYjcV1k/0PeRICg==,type:str]",
+			"type": "ENC[AES256_GCM,data:6zgTFhUYMn4vnckZJAoczHp7HMnuicgHAvxBpGdlnojeN0sixrXIeNo=,iv:3+FURYa1Wls2caPbhVrdtM9P8N2T2sU50pTe5gYPX1o=,tag:gcLfNWILLOWM3MxTABwZ+w==,type:str]",
+			"name": "ENC[AES256_GCM,data:QxoBnSO10ikg6feblTV+,iv:tlnGHdta9f1eqddBTWIg3VYQztiqgt5OJwYxRQgXFUY=,tag:wL3H5cox26U1yH+Oi7imMA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:K8VbDMEXTj/HeHXHGYgg8Ls0r1INaQfGQzXZd88u44k2X2ckK5KCUR/DGvNBCkQPcQ==,iv:spEl8OI0WZfQnOTtyvql1Gvqfvysnj9vt/VczjUR4NY=,tag:Dh8GKaqfHed1TRhufQ4Aiw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Mw==,iv:ZGXr5f/jC+dVbr1iaGoOTNAGIz5ssgOXxpm6CMAjtDE=,tag:yK/m8Rz2nOAKck38DF+pJw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:3Q==,iv:Hy8ScoMSDfXpGmBd07RWgPK0aWXY4SvpOsDTKG2kL7A=,tag:aFws5Vs+alhG96iP5F9lCA==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:TwFpK+PN+Uw=,iv:5oObLP3IoVR8fNBJg9Gr3+ylIiR/vFYCjVU4o+RGBdQ=,tag:ny39gL4HVzlEEyVDdHHDMQ==,type:str]",
+						"backend": "ENC[AES256_GCM,data:ubyG1FzDhZ8=,iv:IQZ6QvT/tB+lf6HWwI4032TiPNOELeEf1tM5Mk5/Dvs=,tag:PSlV+aqOG2IO5qfz60rVPA==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:7rO6Qzp9DYY=,iv:EV/0xd8hU7X4AHyNo6ZTkjvl1la6KDgwTQYxVW76Mtw=,tag:skepPPQeNGNYlOEf7VcD9g==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:0sY21bs=,iv:609Da0XfVv1ABZFjv+8YhSP34lNobKAMMYVKdYBFS5Y=,tag:B1BwC6/Thph7VqBhBcTOCA==,type:str]",
-						"id": "ENC[AES256_GCM,data:rRAtlnHeJmowfj0cyyJisrulOkdUYBb3LoJgh+zou60Hrg2lpw==,iv:cwKVmDZaPA88OexSsmpsdLIS39vSGbEO0Vc1O1s6AxU=,tag:+J7GCA6GrtsdNhQ243A/ow==,type:str]",
-						"name": "ENC[AES256_GCM,data:AmIkgZPhwg1hh/E1jaQn,iv:dwhcuj92i6Nr+KUYRuZgmcuOQ/jAZs1FKvm3nu6JPwQ=,tag:SINsIMFEPkA49xtV8fe8eA==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:IOlSofF8CTc=,iv:xu9q6JAR1H8IEaq7+fulhSiuZ4l529KsqBRebPNyjDE=,tag:OrxMLBoAMktQtZrZZ8Q+WQ==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:lSlyONg=,iv:pvF4f1Jmx5SQFUPKfOPKDx63Y1VANIy+RNi4lVr18Yg=,tag:f9c4FQtng8k81+NDC035gQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:Kgfy/R8bya2MFUMxp88qFdkStI02fSUwnjb7CjuAbbZ4duWyVg==,iv:Stw69JFtqQquAxReUTgcbP6T+hvCA927ROgp3ydTa88=,tag:lyH35Pr61rB9gM4x/+R36g==,type:str]",
+						"name": "ENC[AES256_GCM,data:hnY9AnU4TzfeWChIoiJh,iv:4MKkf+ey0zzCoHtTJxQZPki9gRYI0ptkZmdJbE1EJDY=,tag:qtjmgulOgY6TMIvg//tIJA==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:gNtLUg/H,iv:2rLdgnS04lPeUAEAzTtD8zVkOkBEywYJfe9qh1EP3p0=,tag:yxlERVBo+K14kHEIy5kcGQ==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:f2iVQBhV,iv:f4M1z1XyiWLj18vhc1xGl1Yupi7XI2CM6nUOJFVi0xE=,tag:DPKSycI9jbaldXHPWRlgTg==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:RQ==,iv:2yN+NM0MwDl+8trTh1lLPXhptA2o+rhnhJtn1mWeonc=,tag:ZOyqBJJi07pFs3AajaCm/Q==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:Og==,iv:K/Tt1i7Ll/v1Ti+Ac8NEgY65TImhWu+irSqTagw4108=,tag:6UqXqBWVJIlggpvnJmGcxA==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:vXQYZV5sdETe,iv:oYfttd1gtApVI1nZ9DKd8u08cEfTFlFgsvXSrahPI0Y=,tag:3zKuXaeGE7PteIhAvBSZoA==,type:str]"
+						"username": "ENC[AES256_GCM,data:wHfrLsHPVJxu,iv:V2rlP4GpOrrtFeCQBtNhABgqBEhGPxyNyBorRTkOHSg=,tag:OzLexRCNyJuhD/JMdC0SsA==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:Ay1HcDwgkx8=,iv:7pobFrlMyaerz9DfqxqnDRPm+krntK1YppWmjFrsGos=,tag:SrD9tlzzrN90i4utcmR4Tw==,type:str]",
-								"value": "ENC[AES256_GCM,data:0fGxgNZ6VaBmmC17aZtBvLqiN8Jz,iv:49TO0gFwNEEJ6vEHdLG8gUPL/bMDaaCBNGOHJXOJNJs=,tag:KZ4xpW+7+6+nU0rNG7vmTQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:i5ZcsNjqvZM=,iv:JYEX8ocK08IKg6nk03GsBlLIAnggPIbTU5DADUBR7ms=,tag:aTQxT4JvzkQjEDuJyg6inA==,type:str]",
+								"value": "ENC[AES256_GCM,data:MlxVwpVM0P6lCPitHD6T0amyPV5J,iv:oRZjf9BO6bBnBIOHY8cQpQrH+KtenQUpUAJNEwisaHg=,tag:eJsnqPkePxMvapuTjyNPng==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:SA==,iv:qUxmviN06ti6lzYSa8H8L+PdRdsBmZFHKCRtXcSzXsQ=,tag:N26YeueTetBZObIa1Pb/OQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:SGt80eFsUcI=,iv:kViMfQonsMINhzYqd3QyZxdi0AmQYIb1WiUa2djJeLw=,tag:fHtnS5K6STa0virCpPVMjQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:OQ==,iv:bDa5L9md8n9/5+wnoF1UsttFHAJgknGOhq6PrE/qrXU=,tag:+oAgWLlpRlth6lPg9V0jdQ==,type:float]",
+					"private": "ENC[AES256_GCM,data:25GuNTaZlCc=,iv:XooT+HOS+NLu+/zoX8z77YnmdHFwx5XpRnS3tvgGEAs=,tag:U8PXsWfOQel9KKg+PIqAhQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:YZPQccSgDsb9LsbQdzvnDAC6U5LclkFDU6YmWEo=,iv:vom9MlIJgG9J7UD8jBhKX5VpkIRdhgI66n+qp5+u81o=,tag:0GwS0mQkNV08URsxnTVMeQ==,type:str]",
-						"ENC[AES256_GCM,data:7788iRJpEHgOt+ODZ1qlTb4A,iv:bEKZdqpf80n2WxiD/WTEGRpYVF0fU2x8pmtH04PF0eg=,tag:KWEl1UWQ+VwV/DUFXxiKMg==,type:str]",
-						"ENC[AES256_GCM,data:A4kAyrueYslq2cWg8cKXFPPdZYqWeJBTUyg=,iv:KtnAFmXiTuz3tl+MKDOeHomKaK7qbVSfBWUc1LLc/Ns=,tag:2PTAvCTAEED2msap45fXZA==,type:str]",
-						"ENC[AES256_GCM,data:P6sbRixu23bhxsWJt9o+qWLnodHI/DbcgB/tY74KSR0mYvN0PnjWX79LdW244Q==,iv:0huLHEe+9LKlsvRIj3U3GPOM0xhwkfJ5UF5lnj2tB/k=,tag:YEV/s9pCVUH9Xz0GJX7Z1g==,type:str]",
-						"ENC[AES256_GCM,data:bBysXZLEhGLOPlQOIaGn82p7TZI=,iv:eFA4R39pvGeecBDORFOV1tYyOhTuMJwkRZm4vSI4Ev8=,tag:VTqq5mCZGaPkHJaWH2MCxg==,type:str]"
+						"ENC[AES256_GCM,data:mz3nbNomueaBCeLFd0Ud/zD3xofNzE4ltJf2zvE=,iv:SbraeqyBe2gw7STMA04lCZ6/awMWzx6cbzx1IJtzdY0=,tag:lSQYkR4Vm8PkGJdrj3enVw==,type:str]",
+						"ENC[AES256_GCM,data:AsUl37yjB3XNY9uodjDN6Edp,iv:HwxKMJ0XLGpPs1RBIoO7UvVDCogbVX2wNaqfhMJxonM=,tag:OTckQD4m+upSi+xVCh6FVA==,type:str]",
+						"ENC[AES256_GCM,data:GGW8C2SAekDwiJIL7H6JB5820DpMrGIEyTU=,iv:GngT4RVUD+9wqi4WGmkbVJSNai16ehsHfYH6JujId1Y=,tag:BfVIGGSFhHRu6TRh8tiLEw==,type:str]",
+						"ENC[AES256_GCM,data:CsE8Z3y8E4g//Vk5wnyHVKOTBZMkR6pwhiKduEp3Af0X2/RGXM3ybmsEv7Ih8g==,iv:YNCFRZNr0fDD+JF2uofz+MYfKkevFSzRxnvMKZ9g+qo=,tag:5m8yhduGnA9YARZelqYCaw==,type:str]",
+						"ENC[AES256_GCM,data:90VuTbM32STCiBO6bpAt+gKk/o4=,iv:JSFnVmWWKndH2QTQ/QLurJLqmPH9GYl38ofulutxEX4=,tag:8ppfhE6ulOjaSBaF4B4Qow==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:oaVO6GXC2g==,iv:Em8e0whc8UH0DkxCCpiaLyhmDN2zoeCrzB7FnR1JutI=,tag:S0W17icKj6D34WHoDzK4hQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:a+Ln1uzGKcrfcmZvpLQpvGwdzOagJcZ8OpYfauy/u1IPcrnYNGNhFg8=,iv:NY1CouuyEF/0zeeDItwf/JWW5Tuf1WEchQ55d8ryX3c=,tag:lyvWnHy8rk8Ra0iPVTfSMw==,type:str]",
-			"name": "ENC[AES256_GCM,data:W8C1RMv014utxt2OKA==,iv:23SIj+WTi7hT3DbPO7yPemtzv4OfYMWJ25D+iV82isY=,tag:oiEg89AnMxxwGXi3K496HQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:Fvxka8v2NZoFdhGkj6lUqCxSht5QRe6+PUQFHIdD+72X+4m8IPcadARo0xQJZIAG4Q==,iv:9pwDJvQk0P2Zk4KzuM+czcDt3Q+0drzc6rJmxA65f6Y=,tag:FIM4iRTwVm1zum9LlHfBkg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:Lzyma9paRw==,iv:zDGGSW+/Hs5rnk9XtUq6JxHXl4EF2VohuBxZnOx/b68=,tag:JjLlEnTowdKk+xSUGy1K2g==,type:str]",
+			"type": "ENC[AES256_GCM,data:32axqfdpSxqCPL/3V4tnubwTe3Udg6QPXj+ELspLQen7aM8nez9GrVY=,iv:nBGMirQ2UceCqDJu9ZxkvyuNAhK/3omgh/AUqPdG9cw=,tag:Hcibcdj1ELZww6zvM3EKuA==,type:str]",
+			"name": "ENC[AES256_GCM,data:SilurcwI0e9OQAy8Cg==,iv:ziXq2oW9qHga67uX/cjW+Gqo46eeCbOxLWWquG1uTsQ=,tag:78X2UGAJPEUHkIB4OadTmQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:NRCMuA7hnJhvEThgvibG99S4sNyvMzpzLkDd6BbQfco+/x7rBdfuTbVZr7xFlXvGwg==,iv:by4X958XbW/OZJUzMPUlYt7tZQ/+EaT1ThLiR6OsNxQ=,tag:lc+7uNY1wXpFhes0/WQBfw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:yw==,iv:1zIQ+o2gzaBsD/fGqQOIpJzBVMkBDlkxTzRmRfZfOGY=,tag:OmVpujEkpgKtLS2GxrBTig==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Ow==,iv:b4IH7vsBxPS5om1sP7kaJHn6YeE6sfPID2yhPSU/XBk=,tag:R4oC/lUQSEWKTIVZ2Lim3Q==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:mWcSZO3wmiU=,iv:20tzxQgOlb+scmk7m2Q0EBGb0V2xF+cMjuSsWSNYgfw=,tag:nwVkd0QWplKq9zejb8aoKQ==,type:str]",
+						"backend": "ENC[AES256_GCM,data:cnSCs7L6jQI=,iv:oRfQm4MhFQDXrNMzAhAyb45jj8JR04GBghbCen4+fZc=,tag:CcEjPyhSfnCeRacYm9770A==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:nj8eNXlrlbI=,iv:uO+q+SAp5NNIoVR8kNSV8PuCdsX1cPfB0k2eFwVYNS8=,tag:GNWeS67glHAwQpVTDZCctg==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:nrQr5ZI=,iv:jONrU5qKdJvsjdhVkhsEVkqAuDm4nMvWKPbMrJKfuec=,tag:ZI/c1X/Y0KzsoeVeyC8a6A==,type:str]",
-						"id": "ENC[AES256_GCM,data:uG3dwtbzurSPiUs1IeYyaX11iS+d2lX6EfT2oMP+8O03moE=,iv:8H/chERAR1uhgEVtCAeI+tlA/6W3KSEmV/6m7gUxegA=,tag:jFUPYU6V+LxAKOwFLG8iNw==,type:str]",
-						"name": "ENC[AES256_GCM,data:WxdO0IMv8kdCngZ9bQ==,iv:qJqUa2UyzpC+Dj1qRRJ0RDsda3U5vzptiAAfcn5jCj8=,tag:02EohRxzD75eiM0H7k5PFA==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:w3Qc1SUplAo=,iv:wC55xYF6F0QrRWrGV2EdGr/B6VVAKh9GuaOCOi9xpUU=,tag:Aew+xuGZrBdPhwE4Bl2FWg==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:3gGGI2k=,iv:+9dwv9TcF5OQqDekTw0+yB7HiVH+hXOS5ZrFOQcF3Mk=,tag:x37s3xJT28JEZM+CsnHxDQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:3rGe1QRk5KqCQ0wRh/yHzh3EwGlmZEVlqOCBz53oJTY5JcY=,iv:JjZDBVsTv5jg2cvKVBa4MZ4L6spXvIkwG0aO+ceYftE=,tag:TwUUpfWggpYAt+bcJGGpGA==,type:str]",
+						"name": "ENC[AES256_GCM,data:pax0MjunsywQDl0Bxg==,iv:Ai17i6hPk5+I05OVWYVLBbDgPrNTdeq/QJz5q7IW/HQ=,tag:ITde6MlEUq7Lu+j2TVYvSw==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:FaoegPQH,iv:Eiiqjsx8tYXBD3bgVt6VFqoVNy8ICO7T7+bagVQmlj0=,tag:AugFnYZ0m7/chXumsBXz1A==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:FxDuMPaR,iv:ZI2pCejN/sRwxqw4bIEqKderamPd5wd3QCQo/VlXFEA=,tag:lqrBo/OKwJl4snH7+Pmh5g==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:lQ==,iv:WHv8bMOJW5+7yb1chDdzbP9VPkFxY/Bd7uHuFrC6p5c=,tag:4kEXdPt9DNayhPy+LacdHQ==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:UQ==,iv:ggUdbYHuAjKxGHUhCqUG/igjcOHNcdVoDLT9LmTt1js=,tag:cgem4tAN8DRLo2KW+hFVdA==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:huYbC4IORw==,iv:6N4ptzkdRkF7ukMfX/AF+gmRwCsq+fO6a0S6F6mzUGU=,tag:aUHDyEmPFJFJFaqVtqDYgg==,type:str]"
+						"username": "ENC[AES256_GCM,data:MAQ9dnlpUg==,iv:Ss9IXc9zV5KuDHZj1lU7yiIVhi9WCCJ8v8obP6XDX4A=,tag:GCPXAfzQNgOnlLOcxDR43Q==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:xNsyhvFkZWY=,iv:4x+MA47YOLSYYbR+ipByXUJZHaHGqMuMGyY6TxItKZ4=,tag:ZSarQE7FCuFtX/rBGZasrw==,type:str]",
-								"value": "ENC[AES256_GCM,data:1arRQQ5neI/hYHNo6K4kXhkd7UVB,iv:KOVDfDdaPIGoI/+tTPhLg17gLYR59GTpOyFdtuN0lFQ=,tag:WZHgpIuWouLkzaScGay06g==,type:str]"
+								"type": "ENC[AES256_GCM,data:qcUPgnxLrzo=,iv:pOrRRyaFpwh9XCpZi1BGPeEg1aQPiPZS2++uQ0Lztqc=,tag:q7FnKGwgDq9NiJOldkT2nA==,type:str]",
+								"value": "ENC[AES256_GCM,data:U4kG8OJz6BvgsDZH2gLy4A1mDHLd,iv:Ez1TIFPhNuXupJzIcaZTHE+BHXiPMFIvL1+9trrQM94=,tag:6rGgHDOd4Y0yJCc14z2rbQ==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:Mw==,iv:f7KC0nkywtZHjsdJFCKdwyWyM5llxBRbp2gKGKRGOPs=,tag:cAzdLP4mjfGfmwbvF86yQw==,type:float]",
-					"private": "ENC[AES256_GCM,data:eq4dxMeB4Fw=,iv:JZsgfiD+nZNoOPiGjRWQPF6GSPQFC+eL4/kOFd+xqw8=,tag:VxKrK7yvh42cs0cDdkuwhQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:aA==,iv:bGfvskVgOzS0lto+smMwuIqhIdY5336+DKpKDT4xB3w=,tag:jbPZYBJhVeohAIaLTasr5w==,type:float]",
+					"private": "ENC[AES256_GCM,data:1R4j5H5rcXI=,iv:iWOC9CGUSs1ndaQNUBEhZNjKRV2qtWUfxVffe6L1tTg=,tag:XEe8sLbRmrCLdRVV1gW5RA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:XJA6JFyWrat0GAYuYlS+r+6+3wi7jhbCVcRcg2g=,iv:4t+T6eZZxA6qzRu27fzjtMTZGFRnX7Uymwg0dBQZG8U=,tag:EKg10lCHroyonZBblEbE6w==,type:str]",
-						"ENC[AES256_GCM,data:0p3ozjKnZUOfmEu6cWJw5AeD,iv:mY9xOp2dBMlPYz/e7dCyvCpoG+jwets5XB9Ni4TTmkA=,tag:dRS5EDCV2tI0Ox2pVWi4Kg==,type:str]",
-						"ENC[AES256_GCM,data:iiZspQqMNLzwJTIf0QfUxfPgsgkq8XA1ZFo=,iv:h8O7PUNvV1tnc8+r71B6wRWQPwQeUYi1LZOpSe04BEM=,tag:T2m20g4MZGyuD2TmFrx0Kw==,type:str]",
-						"ENC[AES256_GCM,data:rG3VlLh9UmLdaZkvtUmlnfXjVM8jLWi5cs7H+i3vrcwpw3xAYZZs8Sp37QyKEg==,iv:3GzPX96tblh4AnaBvZEMeu4YS2ZEiouONksbtZd0+b8=,tag:017gEG6TnXSnA0GdtJsyag==,type:str]",
-						"ENC[AES256_GCM,data:XT3uFITUROhWiI5TiDEmmotwv9E=,iv:kqPyDnMSkax0kRZeHAflgQ/JFaYpGQ7P+pZFSDwI5po=,tag:N3kp6j/hVN0Dn/YnFTIlIQ==,type:str]"
+						"ENC[AES256_GCM,data:kahKoJFqL3/C+vIR+vSJiBwBrN5ib9woGBwjbKI=,iv:CxyZkjPCDoK1CaOERkKCnPAtzBAPa+Gckeyr2m90+4M=,tag:pq0+Ao9AJ1xiC2tEiqYryw==,type:str]",
+						"ENC[AES256_GCM,data:qyOMH2e3u/Lrb7UsdrStBh2m,iv:BVg6Kqyq36YvmS8gE7wE2Vzr9ap+wUJa4NEryseZTJE=,tag:g2d75N61lz97RubLGL+RWw==,type:str]",
+						"ENC[AES256_GCM,data:eSEt4KHCKaVu7YzvOnNGmXNksE0fc2nmstA=,iv:ty56G9Z7z0Lw7zpnS7amZuA6UPj6TPZL4SRqIxp+jzQ=,tag:dj5bwKsDPPw2xIVDydIORQ==,type:str]",
+						"ENC[AES256_GCM,data:J8k3auWk6HRjfGgCVIDoZFMi+KPUcijzmTHImHtbvBwEnXWx5iev1yG0/G05sw==,iv:6WP9VcmlcYKdG1dnwQLZfdnHkuCPKDgaPtBfyZQwcvs=,tag:EuIIZbbhV+GF6dfDf84SzA==,type:str]",
+						"ENC[AES256_GCM,data:9xKij48+qsMBaCZol+aW3JhT09U=,iv:Bt99aTe6yZu15ByoQhnLBYI6C8vD1OG6e0moO9w11D0=,tag:GnN5E2ju3uTO771yhBpAiA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:HbQNWT4WCQ==,iv:s/opAECEf0mi2uKdTAF0oexgnffd2OUDNMnuznG8RkI=,tag:2KKE+PMhargrRWQXxxo7/w==,type:str]",
-			"type": "ENC[AES256_GCM,data:CJPDFU01LF1ko+NIQnroVTYPtOeh6yaiwy0oWID8dwh+WgCOUmr2zMI=,iv:V0KUn4wvd9pD/bck0UD0L/1A/CQIBbxzy1ntwn1d9X8=,tag:+dV3qLNRrtIHhXU3ZHke8w==,type:str]",
-			"name": "ENC[AES256_GCM,data:j2QOwJ3XMiR+oLyo,iv:jc7NMjpMqkmg+rYoFpuP2VtkJVmckXrvCHDz1TxrA30=,tag:ts0MGEin4JCChQYWbts9uw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:dC+5sd3rB/X+0kWkZswgjWEtWjvJF+jSV6Xv0qLVt0GQssDL5qBB8avXfX2WW+TuUg==,iv:R7rSLSmc8e1QXL4TUkoTomfoSFFltO+b094yF1otk6w=,tag:c0MmUlJei96g9HMLykTw8w==,type:str]",
+			"mode": "ENC[AES256_GCM,data:e0N9aoafww==,iv:W4vUbZ42dvA3IIghAWAMhPiN40YdrjYIswgRkoxYpeg=,tag:UA+cZKHEdc/XIn231cd+Nw==,type:str]",
+			"type": "ENC[AES256_GCM,data:VLPDX5zL1NiwvIWUzjSSPXkOZwxlKL2GWPE65Ezst4MKjEBHN/iIP6c=,iv:IT0lHNvKRviPwgS2jChhdJ8+J5u4o3VAqU8o91MEUdE=,tag:bcZhRavT2c7c2eU3xwJO5g==,type:str]",
+			"name": "ENC[AES256_GCM,data:LSakF8+s1/XUcEbD,iv:1WyEvOrW68yZL1FmTx59LNRWuvLgDWZz2PsLFPljRqc=,tag:WFlA6HbGX4WqXDTzT6tnbg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:K2uZfjE/Kysin4zDxy9vzJPjaUaqRxX7eINtNFDiz/gw81ADE93v/tkJGJlUZz6vBQ==,iv:tdFPF7pAvRnLaIqbXSCuLT7psmSHbod2uP2xMhbgYoQ=,tag:drcX4JCKr8C8IjMOxfg/Jw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:lw==,iv:JsSP0vxEVtIoPLYZ+kNTRMWaG9L+IGwVAznTouBJDAE=,tag:PurqGXi5hkMoWqzG0PArdw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:6A==,iv:xHSwxHEoO0rK8XAI2pK0Olu7L9A1APS4MaNf4El6hUA=,tag:lMow8WXmW5jxuX2kduiBhA==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:xH19Ms01Vow=,iv:Qn25GABk4+eQ5PfqOX2qkbwQIZ6+C0klvJLr0W3DHkI=,tag:oGUieMZ0uAgLTZhAShy13g==,type:str]",
+						"backend": "ENC[AES256_GCM,data:NbNx5pZcFs0=,iv:D1IBG5wHS7GA1cEY/dx9DTxEidxdiOHUbEqvzqERzk8=,tag:cIwblzcvuqsfH43+AOyLhg==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:8crmuP800y8=,iv:dCflRUkXlQ5vTsOCx9GMxaN4j2GgbN5cHOB3aWZE2a8=,tag:CMqeJvJfjX/CBO73S90vIw==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:jQ4Sutk=,iv:JXzOpNvTJhlOG4q7WvytRGw+IFfUnQ2PoLgwdCbdNPg=,tag:y4bGsx59McdkxsBOmf06tA==,type:str]",
-						"id": "ENC[AES256_GCM,data:GFEQbvywJtA8wo744pKu3eram1uMM8e9tzb+cYQu49Lomg==,iv:dxKSTAfFaGdo3ky+AF3x0QEQ2S1/hfG+ayAyzN8YnYg=,tag:ipB80xgIuq23rOUL0j7GwA==,type:str]",
-						"name": "ENC[AES256_GCM,data:/PLpKy8Zt/kmR7TR,iv:dMF6XuIUuF+iLuUKxLGOIPK3EMm2IT+H6go57ZJ40ig=,tag:XoAZqFTIz4kA/x8fgdy3GQ==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:8Z9wp7y+ros=,iv:cYPYmULeu/hLC7SSssvIzCNfm5r0bYTgg/dUUcgZ9bA=,tag:7B+zppsbhSTmJnRe1MIPPw==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:cg2B2K8=,iv:7gHQygKhWVrWsnM3YKKbJ2HfffgI19yn1Et9byyy7EM=,tag:FsybqCHNx0w11/M6HOy0BA==,type:str]",
+						"id": "ENC[AES256_GCM,data:0TbAcnA9m9SjxY96zR253k0QCCMxTcZGNDdhKcRZW/6IQw==,iv:Y9JV+hI/V0fxuyd8SWLQJ/V4q5KjCZFCjEnzi6U8ZNY=,tag:/cwAedILkAP7xk0J3V0cig==,type:str]",
+						"name": "ENC[AES256_GCM,data:GhHa6FeK1HTNSaIF,iv:Spuz7SNSVn//erIiJ2oBx6rw0uDRK30mQSilMKGjIwo=,tag:ON73DBuQoLyzMZKprFE+fQ==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:I1V99lyG,iv:xkkMVOhNgEmiiAh8ocYphtffaRDTjiCqsWi8qZ8mqDo=,tag:2fza0ob85yGteZhW/0SxoQ==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:Tdm9OTgZ,iv:toLrXCZSEYpj/RONTGZjKY9IeBV9ZKDb/B3uFapFNdY=,tag:OlLY8oUdqub24u/K+bNPpA==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:7w==,iv:c+H5jJF0svNd6fWWjrHpiuzRkaQ6GWGIN+6/x1WnsFU=,tag:j0eusQ+Ed6BEK9kKzYTZew==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:mw==,iv:ffIZJ+aO421wn3hBrYl+AjIcpjkCr2mpeilsdMsFm8Y=,tag:Pw2eDBTjIqSi2K8HP05yxg==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:Bv871xZX,iv:K3dYRj5ut/TY1mQYKwVCpLfX2Fwq+aeV5hRLjwlcsfI=,tag:/daKgTs9ZsPbg3PbSjq6zg==,type:str]"
+						"username": "ENC[AES256_GCM,data:On9Qd7FP,iv:lW4/+E2NL3W8x7G1anp2DpH7ORul4njdx61dQt0GUIY=,tag:GV8B+bJwYLH3v+Sl/pHAaQ==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:9o6wJV07oJE=,iv:R7ccb1ThYJORUmOP/4zEEoxIt9TSlqr91Y7MexSbZr8=,tag:i1lrIJ4reYwSejcMgQ7uzw==,type:str]",
-								"value": "ENC[AES256_GCM,data:wBpVHDZCtuOFYIO71rOOvhXSuNFB,iv:F/aV3JrLv7didYcIBvJZiJne2Zz5tj+7dpmrFYIbgpI=,tag:y7vBDomzetjXnNqMoB/4Dw==,type:str]"
+								"type": "ENC[AES256_GCM,data:5cBGZOGsSqM=,iv:FR0xBp1BAE0enWNePrHRzfQQSaHFMZ7l22Tf1ybdNdA=,tag:5JcZhdvHg17+3C57OMDSGQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:Pa7yXBF6tWgGjXPOBSSwWJpno71q,iv:BzMMxzStYTRwYpRNlHPc8qdn5SrJCFDE8YCvrrcyOdY=,tag:AEhglwHGsJo4ecLi3DyHEw==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:VA==,iv:jKNUHYz7uvt4PInz1X6qiZV5ESN+K0LnsG1MSpmpb+U=,tag:pvQdLjGO7qcXpmqOSa1+iQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:pwohcA/Ximw=,iv:KDtXEcWHsfGKGYQkRqfq4uOn/4ecEZ0gWEo9xsNRaxA=,tag:1NUvtK63axMpxD6pyZXfdg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Dw==,iv:yark7vcnjOcvAegbS6wjrLHIdTHOog1grY2BLggK3K4=,tag:4mlWLnYBdpYVH1EnC25DOg==,type:float]",
+					"private": "ENC[AES256_GCM,data:r85wbhKFF5I=,iv:rwyLkwlz+rCNOKMv9/iyiMxp0gtHEUMwdOdhOU3d0Vw=,tag:T/RImqfAmbRlq2EzhlRQFA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:wHbHSb8TkJh6TJjqgzKTXP1xNPe4qYjdeXV9YV0=,iv:Y+QX7Y5tQ6t7GIGMN63/jFIB7Qply9Q5irAiRIecJYk=,tag:8bYYHby60Drc88+X6XuHjw==,type:str]",
-						"ENC[AES256_GCM,data:sF1m9hW3tjWduvzOp07MNns7,iv:M1FOchf3XkJj7OYirJbyFcRbi24NnOd6ZWoqBqcdZg0=,tag:HUXlSo3sUm/GMxY2ae8jcQ==,type:str]",
-						"ENC[AES256_GCM,data:3IFKTVDNiu9RBTOHgyo/qAlBS7+uSvCwUhY=,iv:MIIoLvPzPS/IkxxZtkW9k+C13sOAPIjvKAeUVA4sm1Y=,tag:thZp9DFqg4c7b5ZRaHoE3g==,type:str]",
-						"ENC[AES256_GCM,data:2g3kBIIqLlzB5TC0ixOW+U8tHFJ+wLBQEVy7uVf7isRSHGUkcNk5q3hS0/n0gg==,iv:I2Yh8/CU+8Q68xrpqFpOx0nYroRFQgHb6wgODBAyO3Q=,tag:kAw6p4Qd0HBrpHYCPKmrSw==,type:str]",
-						"ENC[AES256_GCM,data:yTSMNWLBLCWGxkmwEqSoTAShTTg=,iv:LqHUJJaP+QcjKsfBFewdyEa+KcmTLvvth6c/6W5szFw=,tag:uTQJzfxvCxVf6Ob9mCFivA==,type:str]"
+						"ENC[AES256_GCM,data:xkhHHNnqOMc6QNWF/x4kZBVdb2noeAHk9PfycV8=,iv:mvdhf47hhRMwXMo774wES+4CQIoXCzsKHZOZLm26tfw=,tag:GempaDLy80KCdHrxfxO/Bw==,type:str]",
+						"ENC[AES256_GCM,data:vwYCzG+aonQIytmONpw1NTd5,iv:jvB7UR7RnHRdZ7LM65IIklDBsUKUO/9CvjIgvc//i7I=,tag:5VLSWtEKuyxwO1dKsLY5rg==,type:str]",
+						"ENC[AES256_GCM,data:9Ow7xYth/plfQUlvUGGA4mkAeI2pRMfTtxY=,iv:74Jh9aKPK0L4F/CTDk6X/G0SALvlx9aUg5p3OTYa3Iw=,tag:4/9lIfqvRq+kbWGaf/jt0A==,type:str]",
+						"ENC[AES256_GCM,data:sYykW/c++th71DNd9oHjpnbm/XV5u46JVoXeFWAaBEaEw71tmQnfpgv1kZPJRg==,iv:v/f+DCaSPJxKYcLK8eyaP9D1mH8oxl5DhCYV7+cBB7E=,tag:lGLo3sGelh54GKXVrXRRbw==,type:str]",
+						"ENC[AES256_GCM,data:rCEja1Om8kPQ3+/GNunENv/DOyE=,iv:vjSTBUiKS5fAFs8kYv6rqOOAONszz/KCqfz5UUEaHZg=,tag:+iqkwcf9wFTf7blFLiNQzg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:NLsacoYJFQ==,iv:qss8KgwSgx6Qe4tUsXCkk8VIz8edpi+8E8Z2eovUv4U=,tag:BnmNpC1HRphRfxjHfBg60Q==,type:str]",
-			"type": "ENC[AES256_GCM,data:vRxaAyXh+WKRqn+IF5uO/5QB7F1BgmjpNx/wKol575vIILQCGIVjc1g=,iv:YDcrfBePMWTxcb7UXDJbx+CffeHPEGbE8d4YM+N1VOg=,tag:eynue9o/urBY73Hyl/0oJg==,type:str]",
-			"name": "ENC[AES256_GCM,data:7v6/F39TS4fboTiqtH1g,iv:shCOyKP84xbJ7d+uJaiN11FtDlqEekVlzqRmuwS1DgY=,tag:M0VY8MDs/AFS9Km8XZGF9g==,type:str]",
-			"provider": "ENC[AES256_GCM,data:Xj2DHv41T7q42zkXvH7bSgEKLF34nRcEJGquSZZLsLOOGHWzp24x0xd4WHCITeLkRQ==,iv:rBJFBgdFFrgp3F8sMC2u6f8hYwHPcFoY9WohB/YY1Ks=,tag:+LBc/U2ADR/zS19ze6T5VA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:P33DEKWU9A==,iv:lC6W7yxHP1LoyR+O1MdBRqmHUx+Q7jBd5A5Y4FLfYAQ=,tag:kB6/JK6xQvKEuDnKcaz4Ig==,type:str]",
+			"type": "ENC[AES256_GCM,data:yuOaehwVySa3k28W38mICswU6TxC3frSYqP7WTIXSVdUXG6Zcn+D958=,iv:61Y80OGB1ci7ZgUGUgmC14vNZqy7uoQr5qTi8sOKTCU=,tag:45+ZvqjROsu3ymneP46uBA==,type:str]",
+			"name": "ENC[AES256_GCM,data:wKEETNZpx4s+QTKcsf9N,iv:EKp+d18tgXf6ra3EqVxkASWMElDXJyhG8glk9GcQxig=,tag:aQ1axpA+MuzBFVEsnT+8xQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:AQRuduxzY35lTqfMbkp7APX9qNXaDxgNokin+KfyiSHgPMfhIjYXlIUz2sKWjodAxQ==,iv:/Z6QCp953CnNXy8z7Jr51RABIaPO/xkgdgNxYlbG/Hg=,tag:IonsiNTdyLww6GotjMZVCA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Dg==,iv:dS0NkWU6tSeURvKiKGOeNG3hbgwEmaDiJwI0gDGvZW4=,tag:VvG7w/yediyfqXCnEK8RbA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:QQ==,iv:7l8WCmyzq2cSj6XiAj2ComMkl2ltNWHG7xexUrgPDLU=,tag:pU4b015dSgW5eUWqQ7oJng==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:pM0q9do2N6s=,iv:AcHtsyNxSDKOxqZxEVr35GeuJ3f5OEWyNXXSog98T78=,tag:Ys246MT82xM0sZINOtZaYA==,type:str]",
+						"backend": "ENC[AES256_GCM,data:tKYHZV1sVe8=,iv:paU8FUbRN6p+M6LyerOPeH0PhXUCTFXiDI8lNId3eQM=,tag:RvRJPntvBCD5xYwBwq6X2Q==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:NTnmomx1biM=,iv:5xUpRNoT7FaiFqFRbkZk9B3PBP9OVz+c//nKYZtyFx4=,tag:LUyPRtY5leCC9j1E5G5A7Q==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:NwtRLBo=,iv:co9JITViqaOIrj4NGDeoiFSKCI06bi+1ZAtWLAgeW4A=,tag:UvWonBaK1rB11kGDWsCYrA==,type:str]",
-						"id": "ENC[AES256_GCM,data:Kc6ItjCNmGsd6zCLkojbGInBnDU9poq+Ql0kaU4CxUQZp/nDJg==,iv:hfiimf+UuIuA/8/Z1XumHP8gnEJItHUNlZbZ6+irYUg=,tag:0T74vsqAmsFzOskI4VvJIA==,type:str]",
-						"name": "ENC[AES256_GCM,data:n5rIhmv0NdDYWDh9oeir,iv:jLwKhLbJ5pAc6PXkEpyMRof1d1RJjeGE4SpKc8GNJs0=,tag:FQFCXLsmdjcBf4Hjf+rtQg==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:O1EHDd/x+4g=,iv:D6VnI3qtxbnpx+6z8PU/EKiVrHYIWaHwcqeGVhv/KkM=,tag:tppdA36QPZtBQAUG3fFWkg==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:b7Ms2b4=,iv:6yOTHg6CfEdnyHJpf4LtDL14KVsdhvsCfmwKoWVt2dk=,tag:RqaUHztDYBlEBy3moAwBQg==,type:str]",
+						"id": "ENC[AES256_GCM,data:/VHWRHuxx2PsEhLQtdeiiHcfC/hwarX1WA//wlDOsfacdNqETA==,iv:Z4H1mzATUeoKrLYcwLPARAr6d/ZKlO4G6HUtf465+Pw=,tag:9UaQxHUG2+6kqlpDM5NSxA==,type:str]",
+						"name": "ENC[AES256_GCM,data:1GgGlSXyjQuLH8we/6DL,iv:P0OEtFTRtI8r61HvOsNhVMm4MnnF9tteFQWL/d4cRe4=,tag:y3bipa1V0thyFllNyouqIg==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:gY3PRVOc,iv:QyqSptlxp1ng6hiCgVz2NXrORah2umXhJy2FowpvPa8=,tag:dowSX1m8GiOQj+KnWdmffA==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:iZPv3XV+,iv:7gHQ8903SyYPVT/7bqfAaN7hda3ES65dQ49DiY3iODU=,tag:uV2CRdZviepryy990x2xug==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:lA==,iv:AMuOxcWBpfPmrzI4AS+rgnhbVUnCxZai0AJHV21DbuI=,tag:fX193Ce+ipIjPkxTdg5AqQ==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:qg==,iv:ecqJ7zrbSx+KZgMWwFbDzh+ADsxqB1KG85onq5+KwaU=,tag:7am6LM6vgIsRDXODX7tySg==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:ygCCYbqCOplJ,iv:0gYj6Lju6oWnZ4afok5yCbMyI3tgxcBT0M2NRUKUE1E=,tag:OcHJ7umbpEft1GoOnUZgQQ==,type:str]"
+						"username": "ENC[AES256_GCM,data:r8JplevLlfTS,iv:/rNAi4ZVKsY8tlxr1L66YpkMvnIj/E+p9FeMG3B6OBY=,tag:7JCd5HDTKYhRhzttsjS+UA==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:vQUSxv1fons=,iv:t3EDKgGPD0tS+/rr5nQljzdV5Fp1qyuXiZd30PnAniA=,tag:uhsqVV3OPZv/EqJlbDIQPQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:gBYB4eO3Ti3LHA1jhgTT2b9l9/0c,iv:r6Kg8xVaggVeC+xOoHZn7c9xt57Z/TDNSPMNmHM+aoA=,tag:iIsRW18eYQ5e37q63sgngA==,type:str]"
+								"type": "ENC[AES256_GCM,data:NzYo94cCX/I=,iv:K2xQc2M42FIDuIauRAOazZ7NcenyHqktPIt89fMzOvg=,tag:xeh6RMDYAXBRiu5XQdATnA==,type:str]",
+								"value": "ENC[AES256_GCM,data:HoHa2hat858ekHPZMCMhR7MIJ8e1,iv:pPbURRZ7237JENTaBWU+xaKbVaqkIIi51d6394hBtXg=,tag:ZY418xj+ngMznnTzHQBGZA==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:Nw==,iv:rS5On1BuZuDUkZnIV8PCyLymPFlgvDDZhsNc/Uf24cE=,tag:E/I23ZKLlAEPNUokij+GAg==,type:float]",
-					"private": "ENC[AES256_GCM,data:YhFbwi3lfkI=,iv:CbbFXN/Tv+NQOWi5B98n5dNGePWOLDicj3no7uYY+O8=,tag:Kiof8sId/1r7LDyr/tCu4g==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:sQ==,iv:TfriP3Phm1bYfB+NQQxmjqNkP2msoCeZ1j++PyKShiE=,tag:fk8nY5AEgLlwKZqGusaJvg==,type:float]",
+					"private": "ENC[AES256_GCM,data:dF+VszIIO9c=,iv:nLnPha9y7LBdbMQPOXovMH0RaaHDYu5ifYpLzFqlC8A=,tag:O3bfiaUwXlEuRn17BwEhyQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:pWtySJrnLeD0mjvJbjSGZwAxigGNbzXLCJ83IIk=,iv:12av7LQ0y3A9paaMgTKzKS0woQqml80JOJlD/sUsh5w=,tag:OU91EA1IP9zOeRZnN3u5Zg==,type:str]",
-						"ENC[AES256_GCM,data:cE6YoaFj/ymMQJ5sHKT5AIiO,iv:qtFw5dfyUlq8SH/XUm3Cby3BRdQ0SnsoWUxBFzO5ej4=,tag:/HUQEMe2dypEKy9FBhAbpA==,type:str]",
-						"ENC[AES256_GCM,data:wTT8+6KuMfGfdZv4FRF8YHjVaTOCUjyRdSI=,iv:oPLY7tzk9+CBpc5/s2TDlMjmnT0ZUKgRjdlxJyKPkmg=,tag:AMa8xw8alPy/VSwDayWNdg==,type:str]",
-						"ENC[AES256_GCM,data:jPxlnBG0D3r/P/zdvM+ml/SOq7fOWd9AA9Xxzfi1LPXEOAggnMtgBngtfS/yOQ==,iv:VKdXK97HwND1UfJCGnOq1nQ8ja1LeH2T855bnAFbD5Y=,tag:0EbeHq1Czuc4h9hc7jOi8A==,type:str]",
-						"ENC[AES256_GCM,data:Tef1BgSlHjKzRRdCinYgcdCVzFI=,iv:6sNwmZgQBvTFqsW8Ct+nO8JUyRG9MeB3f4mzUV8X5GQ=,tag:VwisiRSETknptmpSYL4sKg==,type:str]"
+						"ENC[AES256_GCM,data:PM/IN0vbW6bxnLFLq3LlIVymMijwGWD7ShfOfIw=,iv:u4w3x2yVSi3OhthF5Zmx011xufV71NKudlMrj3Lm82M=,tag:slQ8HAR9VPiTYvIlv/d8kg==,type:str]",
+						"ENC[AES256_GCM,data:wiLVzxAiGO17CaxpvkEDpxzp,iv:DxPFcJxa4p2ThLFT9COAKUvwEg8qoqo8D21uEgLuY8U=,tag:dOG+VI7ce3Scy5LXqJDZHA==,type:str]",
+						"ENC[AES256_GCM,data:LiED3iA2LHmWS9zg0190QSMThtl2zGimn84=,iv:AKi3uY7sAeLw/ZuRdLXuJ+VfY31P6pM99g1nlnvkpmg=,tag:BEgKOnVwgOoXoPjrArbQrg==,type:str]",
+						"ENC[AES256_GCM,data:8zsB0gtAvpbvewrediTsnggrvjgJL4i5aWm0+mScX49WoX3tJ+77sDI977HkhQ==,iv:VbDFxmE6hzpjXiNOHMx7xX2Jj7Awzu56vSjKpi/Dsvs=,tag:ubqOnWahukL+ULqRHC/ohg==,type:str]",
+						"ENC[AES256_GCM,data:F1qOy3Rv/k/MS7AJgdDrhT7ANeo=,iv:aI225lgPybyO9TIgj8mg1aC1j8jMwcp/tgLghwADKy8=,tag:xyw0gqUJCFIVGfaLILl0Ug==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:iw7ln81cUQ==,iv:fXn7HPR713lXnVxzZGDU/H/7Pb/FRPj4blEuY3gypsE=,tag:J27tOSomoRq83a54A2DSCQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:ZZDg0b0syxVkGjlPbqh2LpcVyCE+XPUApHPal/mL0uSbIWk14LXULQA=,iv:nK6RoTAHsqJLTigKMj/5y0BQir9c8rIg7mDeFCSFjWg=,tag:wSyy7f433RcixfDFPqBL3g==,type:str]",
-			"name": "ENC[AES256_GCM,data:SboCWjhhhuStMj37tMSGhA==,iv:XSOyPzZvLMMaAF6HNrjdBASyMN2sqRQFw63NBDc90ps=,tag:g8W3CXaJ/K9UVtvxwwqGxA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:J1TtpAH7unwPV7SEZPqKWMuHdtKb2soQl4ZqECJbk+3DTZvnVXSc08CXAQcL0aYNQw==,iv:bdZf/JlBDXGZ0SjmLnMQ+k9OhKQ41gQTpYuTj72cszs=,tag:ubz0P1ct6Dg15eC38J4lwA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:TqI3FfMp7A==,iv:am5y64ilOG6tDQ+QoEioTkOmJHMNjnDxx2GyuCE8UAo=,tag:YiRUAtdXKcKRPwWtsFRHQw==,type:str]",
+			"type": "ENC[AES256_GCM,data:OthW+u6QTLFNKbzHcaNT7Pqj/hMSxdQ6gQsK0QnHpr6FIp63p/gcWf8=,iv:ybvli84g87+vflqwD1+zY9aXLipp6UGFBsemjMTzEqI=,tag:CMStCt5mBT5FYbHh+sEBIg==,type:str]",
+			"name": "ENC[AES256_GCM,data:ebUoQDsrKp8nV3y3m43DJQ==,iv:lUO1N7y/Pkl9QStoW6HUHBNjgcgb0JZKDl2ODt9EKcw=,tag:IEr45uIVRgfOkfpkJlQSOQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:tkw4K9UEzSUW9xuY5D3Gva+x++aPIIy1gm7R30torAWz/09CvHcEM4sopoIz64Ay+A==,iv:eXTEQXh9SCmSHobclBvMek5LnEES4KtyL+0JmBBQrvQ=,tag:UQugXdcutHyBPQ0XcrQM0A==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:BA==,iv:/2J2cmIW3/hxAWXBhkT9ktbUIlBXdK0f3xO1a9hArW8=,tag:z5OBUrmle+zeCzcGIC1f4w==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:TA==,iv:A0N0nQ9Sln343JPNI0mJykXuAHFuMfRDd7vSEz2vALo=,tag:gf9GUYFVzrODFtolp1m2+A==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:Mhg9i0bySVY=,iv:LQlhWY/mnaHopJHcHmWoIS9gaSwHyNdYoe62ctgSY6I=,tag:gLvvh2bRhryS2/0bFC1FQg==,type:str]",
+						"backend": "ENC[AES256_GCM,data:lr2oGnVNOLs=,iv:txvB0sz8WgagdQ163gsZ7A6+R+GnBfZkOQdWeP7QYuw=,tag:9GljyYbrxt2RmaX8yn3BFA==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:gefQurz6ujU=,iv:KgSfgfzihbYyty+0J/HGcjJlZo8UBTeI4/vKhVhBF3o=,tag:CioRQhe3uxvrbXpEO5c2NQ==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:Biyf5I0=,iv:U6eHzNblrpq+l+LCVUnA4x7/K6vdX7wITvhMZ2sw+wg=,tag:k2tAP7dll8uZvvYiAiwl9g==,type:str]",
-						"id": "ENC[AES256_GCM,data:ODBpVnE0V2sQx7xK+MBq2Y+MOYpsGf2D00Ak238ZNS8TdoRu2as=,iv:6KyohwJCd4BrDC6sEUc+pdFj+0fg6kMlioQFKIGVS6o=,tag:TkNv1aRAcXtWsgIIFPX+FA==,type:str]",
-						"name": "ENC[AES256_GCM,data:M2oG9PmtwToS4B12y7iW7A==,iv:F9NbcyfvPbgaHzrHyka1DDjZJyK56/k+aM9ixLUk0S8=,tag:z+NRWj37J0Ba7UB5RihPHA==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:RBOEiv94ItU=,iv:PDhr5t5EIIdOU9RWIXyLxPY2QJ5ZWzT0ZMGVUslunVk=,tag:/HpxfvWBaE71ijoBp6BodQ==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:pFoFWQE=,iv:fvWShkKQ7tEHUYL4+DDSYHgZDSEHf69LEPd4slj9k10=,tag:00tIaqQSb59Kmnqfh4/78A==,type:str]",
+						"id": "ENC[AES256_GCM,data:HRz3bV25U73V3DM0mcowhO8tR9bx3nfB7shF/vAkBaSN8UdWouw=,iv:6drFLfqcatzdnrmssoqKZH8HeAuiTGNKhvDIOe3jDW0=,tag:MxHGKTFZlN5EWtAycTRQHQ==,type:str]",
+						"name": "ENC[AES256_GCM,data:0/g+I5ryEJepWoyDNZTeOg==,iv:rY5FCnTPsrCTafsyFuVfFmWbHHSVsGhRxlnhEAHLWns=,tag:8EDFhsi5r7yGF2XOPx1aXg==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:9Pnq+sGe,iv:Lao6dFALzdOtBAhRHMDIKs1bHp6d+1u1xHAYuE5ugXg=,tag:aLQdwAE4Df3pBEL7Z29D0g==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:befFLOD8,iv:ObzU/NIT1/M1FsuDWqCagESC+B9XosBpYtVhaAedDb8=,tag:MFeVtUxUPIE3u1JegCpNjA==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:Uw==,iv:njwV9jO/pkG4p5RkK0sekSzucacGZ1okbags9B5jQ4A=,tag:5YQt+OEW7l73J9o+Q3DRaw==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:RA==,iv:5lJ4PTR8/Br5NbWuPdpPF+NsTRUPQcK1jVccfPa1H2s=,tag:ec+On0BDzyfJYE0MJCQeHQ==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:sdvC+vbBVzbuaw==,iv:KUrNo0UjnjO95fPR6As8YPqnjY4frMOFC/pjamcMhz4=,tag:M6rT93nKr6IqwbgbTRJVvw==,type:str]"
+						"username": "ENC[AES256_GCM,data:N0pfltjnmcwbNA==,iv:HRtqq5MYrth2fxFSXM/1kqZDKcU0VuHXNgQfZ5i2mz8=,tag:dF0W1B7M3WQoU3WI0iOCMw==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:B6tdekddRrY=,iv:EtzLLMOtbA4p3/SIn7waVOhSljHbVF/BnhCkLMHhRPk=,tag:sPEo50E6P5ckyW1eDOyJaw==,type:str]",
-								"value": "ENC[AES256_GCM,data:PqcEmZSk/GA90Va0AOs4jkGbStm4,iv:yYoAz6xkCPy+rIJ9hdfgBEhSntTUKdkDoL3ZtZGBYD0=,tag:wfyjeipBm/zIZs1mEKsNwQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:SCNtr6w6srM=,iv:Y0bhVPpKXuhn2fJCJ3e+tpdjgXQUY89h4KjJ36zcrnM=,tag:gAxIewKtVuWvQ3bjk4ZXaw==,type:str]",
+								"value": "ENC[AES256_GCM,data:v75CGsToY0otPvZiGZBKvcKL9qfu,iv:kGCWSKiUkJjbtPVW28e9vX0L3aGGggeoDCYNax3q+bg=,tag:J30c4uZSVs8binZ1UvjEqw==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:Lg==,iv:BT7qdyhgyxDNwtrjBcCZZijGvsAd3bs3PB+7S2Ep8M4=,tag:FA5dBBxrTH0xtMMHvz5/+w==,type:float]",
-					"private": "ENC[AES256_GCM,data:KaDW6rPL0Qk=,iv:sZkW6xw9Ruil9etdLkSeZ/pn1KVE1c5sIcD4rWfaJe4=,tag:G+QLAva627GYERLAiAH9rg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:bw==,iv:chmJrhHltiMJ44obTpoxDrRwNsEJrihDuL+hL8Znjpw=,tag:Z8bjl0oNEu+yqdl8PPkPgA==,type:float]",
+					"private": "ENC[AES256_GCM,data:GgfpoQo2Yy0=,iv:5g1QCTcaD+jXPkrV2uQtQxKpJaeVXAKmFqHw8jjIMrA=,tag:uHcxlPks97YEmJoe+aN+tg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:rNIH90zOyp5f1f1MHlA8+uJlnOe9Ou1mjHtGA04=,iv:8n8EoosxdnF+3HqO7zXKndxfI5Egu02oStY/4uaqiBk=,tag:ZU92l8RbFx8MRR6gxCYLIg==,type:str]",
-						"ENC[AES256_GCM,data:U9ZuRvq1Y97Li5z2rMfLgXIO,iv:HDWcxzDmZ52WsLnJs041T4GAlu7ZCrVTOr3RLaXMmF4=,tag:OO0Joyj7hAWW+y6JKFTwNA==,type:str]",
-						"ENC[AES256_GCM,data:xOV52YkRiZ8ZPDFnFaF4OHmxl/htLSEbpZY=,iv:BysE+8UCyXX+XJ/+sQt9ediogCyebYiEW1BBZz7hpTM=,tag:NinLRROoHubYKhPVEfO2ZA==,type:str]",
-						"ENC[AES256_GCM,data:5k5urhYhznRp6ZqSdY3DeupdHbEJiQZg/DgnsTobRv1JIaZ1IcPGDlw+XdW0MA==,iv:1Dt2+d7kf3jd3KW9SVZnRQsq1sIgT01kjx8xyWEzkSg=,tag:bdAhJnbjN1Xnv29xpkPepA==,type:str]",
-						"ENC[AES256_GCM,data:lFOusqxyBd34YcKf5UQjFJtj4kY=,iv:J9jBW2KOLW3Yb7qXZ4BTtkjzPej423I9W5L5zlaDYAs=,tag:7lTErrcS5Z1Hcvnv+Ooarg==,type:str]"
+						"ENC[AES256_GCM,data:4d8h6qUWqwU3jpODwsV0S7BhYOtu2xh/Drq7PIo=,iv:QnXtfnYM7EMiOIT0axty/vBLBpj05CfbCrlyGoYQgZk=,tag:QBEVtmEQpYxuRuFLGHGhtg==,type:str]",
+						"ENC[AES256_GCM,data:QFLOmwzkIzxZXfTKMaIibeyW,iv:z7kTex2hMM+lCaYryxwRPG3mH6U0wChCSzelM5RJvKk=,tag:xonKzI1x+jhkn3q6PxpU7Q==,type:str]",
+						"ENC[AES256_GCM,data:phDrIL/TaBprhgDCPkPrvR/yKf9W6mpxm5o=,iv:w3ijmfTjp+EYs3/OJ0gZc8RM7RMIksXGuyialtlanAg=,tag:ChNlTflpNAeQUyhCuf5FHQ==,type:str]",
+						"ENC[AES256_GCM,data:YzVuK0igBZ7erdUKAVAiz3t6CHu3SjWJoRn2C+DTQ9QFsGnikVVtBqVaCGwSVA==,iv:UnmQiGp0F5qYr+XQe8PmjFBO8KcHK9/EOZJlKSu7SIc=,tag:4/lsYfzJesIv+70an3Q7Ow==,type:str]",
+						"ENC[AES256_GCM,data:Oa+OhPn/Wc2vvtgduuEk9N/pXVY=,iv:AUMn/NRg+nRgeKFXifUkxb3CvH9FXGmr5dGw1oiutFU=,tag:ypWNFFqb96dJMaSvt/SuUA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:LCne5Tq/pQ==,iv:5xml85qBp+Q6Gb0OGrDF7KUiVM88mgZFlN7r+224uS8=,tag:WVKYp2SAPfd3LZ1iI+GGfw==,type:str]",
-			"type": "ENC[AES256_GCM,data:lgNkZQbKUdz76JVGpaiCYTAk93rVDHfzEVxqUIftH9TV1LR8iV9jZ08=,iv:5iyQxd771gLIlhVXk6iK0lssBgw+3+k3/3WU/EA2+d8=,tag:VudCuM6Iz7RUHQrgvtbmTw==,type:str]",
-			"name": "ENC[AES256_GCM,data:ZXf69iKgXsekhTzscloe,iv:7Rtrs5RrTImbUoa00qn8WB4mhvEiymFyhuwITCq4AZE=,tag:K6JvfiOnqxPlli0/nBv8FA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:dM7j7dbDD5Y9DdBhAUS45W+f7ZNpmJOo9Xygqpw8jqGeJFE5HPWC41vkm/LokV/ezQ==,iv:ZX2b7m9cGejaP9ETm1Yeznlw3tgdO57em9/ioSyQVNE=,tag:Lr+MaknQ4QZ8jUEkBGeCQg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:78oBg2XTUw==,iv:r6oikQb2wMmDH1IzDK/uM5O8iFM81WnllGweWkVngEo=,tag:yFodxOgTfNlKAhyRqSigiA==,type:str]",
+			"type": "ENC[AES256_GCM,data:bv5NFp7SNexeYOILLJvNFs4Dn8/3w+SCIMpTKnplv8HI278JGjAoFv8=,iv:F1EL6XSMUe0VuhSBtQOq0jYkub6eeGr9saY4SK1VZsk=,tag:OlziRCTGb9uIfSzRh8Gu8Q==,type:str]",
+			"name": "ENC[AES256_GCM,data:ilYs/zcEgbVQ+0qGGS8O,iv:tcRATXwqXBzpXD2p4UqAa+pmxZj3RlgiX5Fo6X0NM7w=,tag:GLopIJmrmOCHt3SM4IVAKA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:MY++AqUsFBMlnQcB+zXP3F82tAFPqjvwDkSmxq5Ld5JoHI8DN4LriaHB5DuVK+MVTA==,iv:CfozykeKIaXVvS8BU3Gjl2301AwagVlJGuPVL5PAyn4=,tag:v5l4+V0KTJbpY01x89jevg==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:gg==,iv:0eR3d+1vRmsZHKAyMCmM1Z5Htp24uZGlHFeUEQtKph4=,tag:DpvVNGgIWrpcevZlKlVFpw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Pw==,iv:K+PjnST4sEaslKHv3qEHt9S9MGE6K7iXUKJpILvESJ4=,tag:VUcz1zYvS9IdmfLj33ZF4Q==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:3yQrVnWvTBE=,iv:i7zzpOIVXphZvPbjNBrqkDP73kZIfqPXJnjRXPXYPVU=,tag:1DQ16LvYIVqAxBkv8UncZw==,type:str]",
+						"backend": "ENC[AES256_GCM,data:aahSthCaIIQ=,iv:R67BXISoztk29mkPw8/rzZnF03KRUgcUnbDsZWMY3Qg=,tag:VxCebIKfhitaiik+caj+Lw==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:uJSxwu84kWw=,iv:NBmmU5dxfzPBOGQDOdS+mWi+CxZcZ6S27RySO8NY0Mc=,tag:wTTc7I6DFdN5mtsuLo+NTQ==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:gnWIjtc=,iv:vHxur57zpZmQJ5FJWVv2jctnQbrwwvGBTxv/Ikrsm+8=,tag:BlgqlSE24dbEMYnXDQ+EAQ==,type:str]",
-						"id": "ENC[AES256_GCM,data:5jNS0dbw0tC5kA+PDpLhiDmAcm2wtacasMsUOoOSYeue7B4qWA==,iv:xLCF0kU7X3fX8qFLO214aEI/3kjEXJTOpT08r+6+mMk=,tag:9zBs6dFElPJUWBFKFvFGqQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:7UpNhzhpC9WqfBzCxo8L,iv:YItCAB26vlLEUlQ7mY2DsimfRBQ+GLE4cM9Il32vx/U=,tag:Y5Cg6Ad1oQCdB+FSJvYXUQ==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:27YkcUSXs0w=,iv:5+YnnnzCYqnydmr5zIP4CMOMKM+Jd1NtUONwlGnAwk0=,tag:a3yfL8qnhTJxeMVsbDgADg==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:8oOb1FE=,iv:hfjllB/iytXga2nNmW5LumL2L29nXvurmMD7iZnTqjc=,tag:v9abtY4/0PIIalqLZ64U9w==,type:str]",
+						"id": "ENC[AES256_GCM,data:PVS+WM61LlKKFlz4DlklPa+eXyQdacO+7HG7iVnKhNvBNu3XWQ==,iv:nbddW6OMnB7SqUI/CARSt732doSUcU8aOonTNBjya0Y=,tag:q7qSBEE2n2mmZoUKBjwR5g==,type:str]",
+						"name": "ENC[AES256_GCM,data:WFIhFlYE01DOHaOpLCGi,iv:Y6Sm3JjJf4NHgbhE570NGscYO0aF8uDJ94HkWEe3/Ts=,tag:7MP/60f9VnpgjBvOWUVacw==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:sX8iq2eX,iv:6iAHdjgYu8VbcjvmxfyZfLe7V5kMCv3IEDr6rXdWjxE=,tag:suO+ynA9ol7lRRJZf5N2Lg==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:z5LYsEK4,iv:XOz4pCKbKxE3zpJQC8/ssiFaVBY1/jZQ2BAI1mImiHs=,tag:oX+8EM9TORJsk54sHbGtXg==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:IA==,iv:hI3GczWUQKZCJkAqObxShygwLK1bsNolYQLNfeQ94x4=,tag:tAv2FrvibdpN4MG+ybVckA==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:4Q==,iv:dMqdWxC/WJF/i5XZoS9aROYiOJUvL7TLHsLictM4tiI=,tag:ri1aR5G13AqI66sK2P2SDA==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:yMBDVWLqcPnV,iv:lCxZkmwbaGkcQXlSBrBDtnYGsZ9iFexiRXXmOUmierQ=,tag:CNAEbkYvNJFpVrmr9KwOOw==,type:str]"
+						"username": "ENC[AES256_GCM,data:D5GubB5FDWuM,iv:u5ISxBBGXFeg62HlRNG4gEURfhRwoUt4tXdawpd1G+U=,tag:BYaQRiaCiVm1PxIbFD5zsQ==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:4twT6tvdbUI=,iv:58uhg28F90yB+EjwAYg35uFZpg8c4WzdxOogenhPRpE=,tag:TQq7nvPFzh6s05XCeojcdQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:jNDHzVwQ3QZSF1VyOv65n6E9okIb,iv:TLQBMo+pl24+/i2+Y7xHLqqd2kftXwQOthGZdCA8IBI=,tag:0Qq4zjNvzUQLP7tCfmMf8Q==,type:str]"
+								"type": "ENC[AES256_GCM,data:XURm1GZSvz4=,iv:rGnX1t38yXmmbg3trOngw07GgAKGiUpqfG6VG++9BJU=,tag:4XgncZYS522ZvkChpJYM5Q==,type:str]",
+								"value": "ENC[AES256_GCM,data:CCN5ZYizi2tJNa7ydnDzPpd0vfXx,iv:9F5o0ji6CXz8F5NV6Q+rcJ2Wj37IEoltUpXFOQae+UQ=,tag:hrdn8EPOFYPs8ltGT9i0ew==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:cQ==,iv:nZisbcPQXSvT+EX5XMYwV+O3bGc22vMQ/6C5nrZjQ50=,tag:1r9RYr01z6I6C4BjiYR2/w==,type:float]",
-					"private": "ENC[AES256_GCM,data:mkhP6q8CO8Q=,iv:Y242FYJxOLxB8fHuBomdhgkhbkjWmiA4KIe2KfAzjuE=,tag:pAfB99Xp45fq3xnzKC5MVw==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:QA==,iv:rkfZasZGsmTzY09efipGe2lrIECAecCqCqNf45R1PSw=,tag:5Ngq6TeZbq6O4v9F4oca3g==,type:float]",
+					"private": "ENC[AES256_GCM,data:E1/t0ypcilM=,iv:u7CZZ/qOUSAnmU1KWzFBRUufIuhMmNgn0mO8HFedYhg=,tag:cGmAoeKjPfurE8QF/VupDQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:MJRLL5FddZGEvCYmw9lI60rycWNcGicpjIAyJsw=,iv:xvFiQIsCyIJ1ZCjrIFgK+6pbjPMdbR4Qp3uRaBnXlmY=,tag:s1r0J4sxQXgMGS0S/7OJOA==,type:str]",
-						"ENC[AES256_GCM,data:AeY51BfLlFYbin5fVXA6GSiy,iv:gpkAyI8s7+QaN4snh9uGZ9L4q/e8zgXOSLhAcag6lM4=,tag:d+xE2XabLCk2HgVUgZbRqQ==,type:str]",
-						"ENC[AES256_GCM,data:RDkXt9I6RSnDAe4BnpkQ0LPJ8+lfRgHBv84=,iv:phv8AeqN2T0qJCp6ksttHXMesIpwsavt+l+CpS92pps=,tag:KzjtsdffaMd5169QmIEwXw==,type:str]",
-						"ENC[AES256_GCM,data:ZOsSCFjSAsYR6n9tAvhQkzEJIKRs1w9PTYrHvT+RAC2gJzSzZj9Sx1LCJXWDCw==,iv:BetpkQBYMDgeOqO1PNM/rU2eTWPAA93UTZXdQ3SnLMw=,tag:fiZvQEG/xYaHEFWFV/YgrQ==,type:str]",
-						"ENC[AES256_GCM,data:MROJ4ixoQI46RRmApJI7psI5KM4=,iv:jROwMoPPQSn/bWyhUHhiCuQQScYVdZ3AjAI+kQPpeK8=,tag:95GUukXqlJRU3aoEe9ASUw==,type:str]"
+						"ENC[AES256_GCM,data:1Q+aSuse1Nzmbouk5MLzzaS1iHuzTWwEF/yjfwM=,iv:7mOHP7d11pFYWsgCy/+JHoim+vpzGV+WqhLjIJ+SQP0=,tag:o02vl9vRoqqGXj31WAaNFQ==,type:str]",
+						"ENC[AES256_GCM,data:Lj5rWkh6dm99yK1zOIlLDt14,iv:2F1ThLIl9JYLw9fwLt7hPLHg/Pz8C1yISE+P5nZdfq4=,tag:wPWczhmHQWPWxZ+Ri1Eg/Q==,type:str]",
+						"ENC[AES256_GCM,data:NxlPpUxMDpe0RH0fp+HOKdO+oIyzvBLRP18=,iv:ilpYoWaJ9kBXDYMCO5IXJCzBVDQQhV//c0e8n96krbU=,tag:MMkXX7gOkawKn62z0R1cLQ==,type:str]",
+						"ENC[AES256_GCM,data:J3h7m06xsaEajP0XwuJB4PM/1EsYLVUulJM930uQ3sMEebu9qI2jCFHbD/dupA==,iv:LQI8yQN97tiEPV7YC77e19aPuBxQKoRP0U4LLUH9Ep8=,tag:UYGVcxvtNI6zJaMr96MSrA==,type:str]",
+						"ENC[AES256_GCM,data:2tzI2CBgx5KBICrhoExWPeioQDc=,iv:I9MdglkePyui5Msk0vqRM8sqLVzWA8mGXmPwWYu38mA=,tag:kloW9JTGMRyHOpj/cH5jwg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:DxQV7G7HfQ==,iv:jGfz5zsxa3IJcGZTkIXwBw+xuJfwbAgpuMMbfxXGSA0=,tag:0/1ZGUX1skvlw2LJ4QtR+Q==,type:str]",
-			"type": "ENC[AES256_GCM,data:zkUU6T8GVw1TO33scF2WJ2uy92Z0fXph2O8a2eLaFPn26rp/FSyMRSs=,iv:lCFRFGqAzK/ZVs5uP5Z2QeewN64AIh+Pjkc3FJ+SztA=,tag:KICOvPvCOt92Le9q0dRXvA==,type:str]",
-			"name": "ENC[AES256_GCM,data:BlUhpu40fCv/,iv:YcM/JTXxh8cEGQ5oxN3TCHm50AiW3Km7CpOcuQi+OrI=,tag:KXzUzz1FbaMHtibBTEhvjg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:SUBsMNG8CtGcOI0EwkuXdqIoVhg4hPxtTBD2AvhzC/IEx2aLEWeTBLfXgJN6HuQC+Q==,iv:y5wZosKLVYNJkILps2g8zcKbIECskPIx5Sp1jnx5w2U=,tag:BJsDVOqBpQs5gGoH9LOJ2g==,type:str]",
+			"mode": "ENC[AES256_GCM,data:WdJKc4dVRA==,iv:L2wRWqdngUX60DVj5v41rETL0fjnRvNtHC1DYQ0+mD4=,tag:oLunA+K2N4WvfyxeYZCXyg==,type:str]",
+			"type": "ENC[AES256_GCM,data:gWrMrPGHx5q8QrLZN6zH7InoRI5cnTJ3vr/QfMTYtmlmD1oMcHiPR8Q=,iv://AmUEA50obfJiCW9ewEBsFq3HJk/riI61uzTKUDPAg=,tag:j7/DkfdSfOcA1VicWRgY2Q==,type:str]",
+			"name": "ENC[AES256_GCM,data:jnsRjDRQw9ed,iv:Z5p8/CcRXlYXDwI4oAjOjNhp/IkUev5RgEmauK4anO4=,tag:wR/kNJSYPuvO3cKTD140hg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:zpQNCuYtC2cq3J13BRv/KCIQyLaN8r9uN3B/P6bWrj6FQOkRZehJ6BSA3x9B8bk2tA==,iv:Od4SfCCTFzrM4DaOzgGxdTm4djC6vIGTZL8O3XSmArM=,tag:G8S27/Su+aXKcPo0NVguOg==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:1w==,iv:RCcrW0OghB9hfbXkxJ8JCt/TwaoKQI2uR0IvO6En8Io=,tag:K0eX3ugiU/1F2pQmlEf3RQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:DA==,iv:fmaRHMZiXQXpcr9sVhyo/MajCmU8YKz8C5XVpVukvk4=,tag:YeKwsHFSHwywK+GeZ3ntzA==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:EdqkUgMP+fo=,iv:A+NwhA+zeysv6sEnnWHkgpR7+kwC5FI7aLdgN9cQQzM=,tag:MHH8rT53XXIVMzLk20+OKg==,type:str]",
+						"backend": "ENC[AES256_GCM,data:OpEXXAzwY+k=,iv:EQqYdEjAcWDySeoBqySes7d3Bgn1Wjg+f76Jsw3ht1c=,tag:X1CuFMOugWyFhaqn4l43jg==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:RYzn5MgwjdA=,iv:4RigvQOsokGXDA5pt8jWRLq9WSXRf+bE4zt0NEy3epI=,tag:9NHf4kV2wMpNyCUKT5S+ug==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:39p4S5zbuA3qaQ==,iv:IPbRuxwSrPbBalv1sUDVKF7bvDcXUsWrCiBX4JIAQSs=,tag:Voxisz0aiy/zYO1C/rO/iQ==,type:str]",
-						"id": "ENC[AES256_GCM,data:oPJMHsn6+w8GkJEH7urhxQ6qM/nvtnfHYHI+cRbc+Q==,iv:qLrEOLUCyBgtto3FOhr/9bopA9sZR92saxSv7pTcLfA=,tag:cvchUjjFSeJEQhP02S8SDw==,type:str]",
-						"name": "ENC[AES256_GCM,data:03ymwG4vlpV6,iv:LZumm2Kf4w3KkiD2Oz6zMLEgsMrThB3Wz3dh3EqsiHo=,tag:InL8S0bnHq5ouvLTrfg/fA==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:t7lOaGb9pR8=,iv:GOEigyKMe2mKmU2K7Wgi6DwHF1DVmEqk8RQ5IF8DYck=,tag:QYy+1Sv+C8bOG507zhKMeA==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:WZf3gfxxxV8HFg==,iv:egcHSkUZYuAixIh3vZr4fZemwXEM1z0LKgyO/9FjKPU=,tag:LAnexjjLK7SAA6/reWEdeg==,type:str]",
+						"id": "ENC[AES256_GCM,data:TvlGmpTg6mQl8oQhqCz/OrAhAcjGCqvrXyu12nUKXQ==,iv:1AzDQe/d2XDdWCkqLKt3vm72z+bOuqpZg6oJnWEbJN4=,tag:QINo4KeCIVAD/252m43lyw==,type:str]",
+						"name": "ENC[AES256_GCM,data:1N77407zHL2l,iv:kcR/MFbmtgepxGKGNPThz5pL+GhZAoSotZY/rzahbH8=,tag:3vKd7uC6g7ltO4AeEXD0Uw==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:KVdHxg9x,iv:BaXpxhmtROqGKT8k65wHOLkyaz+e1DRbo5r7W5/A6cA=,tag:4O2e/ZkMNu0lsIVeNo3WVA==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:yDvEkr+d,iv:6lREvwu6G6LqyfMe9cqkYw5ajXbxJ7X83Y0Xo/h180I=,tag:wbAC8NkU2tLvnZBNGdbihw==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:yw==,iv:blrDkutKmAFHjgOaJS62Y4CVSfNRTQwMX0JBu58EGEo=,tag:ySyk8K4XYjHUwlSu6SlRfA==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:oQ==,iv:riKhEekiMW6Ql4uQTbCR5nOJxdqVKqsVhET2ZCaDOd4=,tag:R+C7gG+W3nKBRkCWg8d6Zw==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:vQ8dtoWD,iv:M3y6n+MJzm6ZkjeagFNbNJHCP+U80jGjSIZnEbsDhmA=,tag:RPVd+qZWF+crmM2l44VDkw==,type:str]"
+						"username": "ENC[AES256_GCM,data:E57ZcgC7,iv:RSek28pHilvKV9yxb/S7TRCUQ46u01d8wa97R2N4qAk=,tag:xvbc5JjW8p6fyuwyTQHfvg==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:VyJO0hiH8P4=,iv:6l2dgBu/6TGw6qgwx2aKz8vy45y4guGtm+mqhDXK53Q=,tag:+/ppkOh5aD+qBphse05M8g==,type:str]",
-								"value": "ENC[AES256_GCM,data:lGlRU7BKL0SS/s1aV+kOgyg3Z633,iv:umnrIkyeDcEL6+ZJ0P6mU5b1ZUx/ygQW0mEpmnvOj04=,tag:W3EWBLf1mZ5VbzjSffBDZA==,type:str]"
+								"type": "ENC[AES256_GCM,data:5zpEjuOS4z4=,iv:EXRXrDUW5FjphcZ9ojZeldlF8xxBZTcKiiY3AisYDuk=,tag:2BNWU6G90pvM7kKtVkS2pA==,type:str]",
+								"value": "ENC[AES256_GCM,data:xAauhHIRRho1vXp19QqjtqH0Udop,iv:MrBLUo20APtBChidVYPH3SwNIkg7wgAcv5Mj9ZBNBzQ=,tag:KvbZhO+kUTekdyjdklJ83g==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:Fw==,iv:RdEtE5WHbnJkc8o18J20ET/5pNOuzMtqExPnhO9w/bk=,tag:p12IQeIFMux2E63EIRhWmQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:rKv9izaWiyk=,iv:P41/dcABUeeW1tsum0x7SSSB+fMmP909QCvU+t00gn0=,tag:L+HFFMlnMk9tY3ortipidQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:rA==,iv:BxZHEriRrLO/ZuzqVHiR0ruOhgXDEeUZD6FaenLhrKg=,tag:S7fzkGdmc23iFEUbj/d93A==,type:float]",
+					"private": "ENC[AES256_GCM,data:IwyYQdpH4bU=,iv:+ghMrsVzFsjPXpEKfgQXbVL/0BUG0IRk3HMbOXbq2XE=,tag:FrGACo4AHl7jcBSsgVmzVQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:qxbiZw26Dy7rx4x17vtbjbB8bee2I9RZu2UFuTc=,iv:zRm0HD4TSE821MAoxPYAGku0grpEmSD2arh2Yy4eLfc=,tag:XM4yDuX/4jWRyj5RfsMkIg==,type:str]",
-						"ENC[AES256_GCM,data:XARxLJRYfQF2tWo2tl/3GRSi,iv:0SoRkoShh6saLpwnCgQzqev6ibwtmkXJ6owVxYoLHYQ=,tag:42M2kozpAaSHTUe0XGHBFw==,type:str]",
-						"ENC[AES256_GCM,data:aY/eaDCL2IMTftBXxQJSyzoqTouGvSU7wTE=,iv:Ds7X4TkqLyMTX+ESFh2EsUNADh5Qq0VqL2v32Tr4NaU=,tag:d1wEZel3bqYf6wheeYidQQ==,type:str]",
-						"ENC[AES256_GCM,data:jNJMe+8Arr4geFvCJd91G4lXmLA5FR+8gC7d0i0+8MW/WBVAWBdTvovrp2ks4SOy9H+U,iv:ptcytykb8RDBjumqnq75A8vewvn0KOxuL56mZ7WzFpI=,tag:6oTm+vfT+8Rbu+WpWSlpKA==,type:str]",
-						"ENC[AES256_GCM,data:HwyNZaCjD2YSapOhJlPYsGdnB1I=,iv:ywnyz78QOaFQIHrIh0T94jEmlOLXBwfSstLRK+a+ARk=,tag:FUKOezzI1+IzUZ/gKc5cpQ==,type:str]"
+						"ENC[AES256_GCM,data:Kyiz4JzlmG/pcBDWfB+eZ0TxlIA3IppqWP/Uhhg=,iv:AAFEmxIeMjri9YKzrY4podQvbsCsBiQi9UJDzZGTf+U=,tag:IAj+oALG+ApUdG4vNIwwEQ==,type:str]",
+						"ENC[AES256_GCM,data:lC38IkjpNfhp0x36vhyMTvDu,iv:VZwowomh5XayNlwjEqL97saWnl5M+55YBbvNccWuRyM=,tag:r8eI4RvWVLZOvZdXGHeEig==,type:str]",
+						"ENC[AES256_GCM,data:8Wr0ovJjfcsIG0kdoSw0gioA6vTugbOSIn0=,iv:fWO+U7KaroG16kCDhGgj1NVLJsNvXg1VJj2+JOwcSDk=,tag:rPMrgreTwSEVSLDSCynTmw==,type:str]",
+						"ENC[AES256_GCM,data:GlcIhN7mLb45VKnxDlLtJaa9tyoAs+MT9piklslgz5ZruQuSltYk3XtTnQX3I99aS1aU,iv:qeU0UrFp7Nsr3ox5YGTEP+WV1qGs4KSE3FVN32WYB3M=,tag:lMiC/Xd2n++MtFRdnuDwoA==,type:str]",
+						"ENC[AES256_GCM,data:H5j5jnDUCzqz5gfetSiP9sJW8NQ=,iv:/UfkkM+bUte1jXhgQ5LyTAWE3Fcac4n2NW+tP3ttHcc=,tag:8izcuuugn6XXbV/UturWpg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:j9E27IOItw==,iv:7jOSd1hlUqbO7hvQwYkOPygSxIwafJDSJiA6kSNZDpc=,tag:MsBWvu+Ub9h/aCmZzBJXaw==,type:str]",
-			"type": "ENC[AES256_GCM,data:MhZH1Mkz0UI6pW2dTz4ne6lMHE1DQwXPE/4AURhgfgDHw2WyLmBzz/k=,iv:K5f4kkwVPQdvLzN4ombpr5XSOtUydSAj3kLO7HatjTA=,tag:9T2G5NaDAcWI9WlGo85+mw==,type:str]",
-			"name": "ENC[AES256_GCM,data:uQVsbw/spyIaK8riOCOhaw==,iv:0lslC2qw+MP+cydd0BEkaRXs2lLL8WodPlKzcHcmLJU=,tag:0M3r+CpDQC/C7Gt+t5EDQg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:vOy7gy4qG76Rtsnj3oIyARABF2FvzDlY79pljHXJ9aDz7MNFKJYn+SLBdVAEPaQfjg==,iv:61kTKEUER+4CqXGd9VrmHHHvJvSfek4H9+FSc8/KTC0=,tag:kk+5nIPeIwTHjT/CJP2oDQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:8h62ph6+Uw==,iv:rryrJmhdDBSs8CZkF77N34kM2La3Ywr4cDhJ9VTEIDg=,tag:Hd8hFjXT77utHfZsbslLgQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:YhC3FkDA2Fn4qdQ7YtsNAEQemrUMAS44+fGxHR4+Fa4kNna90qD5Ra0=,iv:U9cuDNFQaTHh3+rUchG+9WQGSS7Y3EYHFsLsbQ7vryA=,tag:YYmXksO4+8yRhU28lCoTeg==,type:str]",
+			"name": "ENC[AES256_GCM,data:VMM7VV9tFiKHBUXSbgT0lA==,iv:mCAj+3JnKt5FS8rVCCxKg7fW+90GJGQgwNVf5IlPg78=,tag:P8QxY+GfpkRLZZQeyJF1RA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:SVcAjuIyGraEmhKfregm5yFmKmvhVaD6F+qNJ25aiOT8jde1hr0r1C1anjt7V+IQHQ==,iv:f9/5X1EQY5Fpzw7D37lIocreSjD51S12TRQPXFCHfNA=,tag:2Td1CueMkUPwB6P5RivCvw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:6Q==,iv:Nfhs8IvDHECJtBqObR9poJwwjrkQMuS2mXxCFIu+1BQ=,tag:pSNCY/PBkOfTE71Xwr7ywg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:zQ==,iv:CEWLRRSF86A2Wy7FfzNLn9Rtg+dPwZUehvEntLFtecs=,tag:Odo2lS1wn2/kNqu06O/ZUw==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:oOwrnS1PMh0=,iv:vDExjyqbr1VRvEqI2dhHosV7rrsbMLrLnhR991xpRwc=,tag:vVLWoGsGsKzCX7EH89KYeA==,type:str]",
+						"backend": "ENC[AES256_GCM,data:slNagp8qrxE=,iv:jcGkApE11El3l3gsJ5JuTths6EbpF/i7NOVwM+NiBK8=,tag:sIS6ro2rzv9DG2ftJurQdQ==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:Mf+I0plV2TE=,iv:U5vH5FzbjYcViQ0AlQx6KouatDukDnAJZiVhfZanYk8=,tag:1vMbhMpf8MzWs6d2IlTzgg==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:HHJ3QOyGKk7v5w==,iv:3EiENeVsCiV93WYP6HNvTa1jmyE/sdtnO4n9s4GDOnk=,tag:G0Lvbh2VBaTqiuUmi+U5NA==,type:str]",
-						"id": "ENC[AES256_GCM,data:nDh2VymXQ9i1gTLqUG+vKWeizl1JbtG4UEPg1mrMFMsrkVnGpdc=,iv:c/Ac1WlFUiffBWC30qjzdFQ+oKI/UR4BY1/uta81k7g=,tag:xM6st4xd4brqkasn/G+I9Q==,type:str]",
-						"name": "ENC[AES256_GCM,data:TiCbO3GjPeIY8odVCxtIeg==,iv:KXFhTv3bbYyjHaT28S+UGaMY4KYmio57dsahVl4A6UY=,tag:HLJKLC+4ABak2T5+8qCF5A==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:w5hYVR9KgEM=,iv:F2ahoOtzxMsI/Libk7+UfxvScvffPfArO+SXyypir38=,tag:Gkf9mmWHH8mdFzli3upO8A==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:aysWcfi51gTU5g==,iv:oT1/yOKJDfyCeBlAlR42ZTii4D7czvV1LJ433fdmbwY=,tag:ahtm6tRJl+zk2ECXjaRmKg==,type:str]",
+						"id": "ENC[AES256_GCM,data:Z9LyLkaWTrU7a9J1gDm59we26yAfW4Bt0uZ0Sdy6hGWs1pYEYwI=,iv:MDxMVgRKv0Vi7d3dimpeqKIExJug4Re7t90amD0x1O8=,tag:c/kAsgSHkc+due84Fe7SqQ==,type:str]",
+						"name": "ENC[AES256_GCM,data:QwRNE4UjFG7+DiAmQKEZsA==,iv:sfNPcHgwDbINeHO1FsywcJIElLzJfsINkluapNUgSyw=,tag:0Wbiml69b4qK2qW2xSKMfw==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:2mj1Xt9n,iv:D1WpXQCVMqW/tZjXj5WqCCKD92M+GFAKu4L30wglZ8Q=,tag:btBapGwweyhXVNpBzhqGEQ==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:rD/+RVoX,iv:M95/oxqg1AidVGb6O0mNOcAStt2JnoD0AO0NCioHYRg=,tag:q62OSxAMKfAF/oWN9xmslQ==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:9g==,iv:9iFZ2+peTYtaXmkH0UUl/+UQ72vJNaB7rJf3tsecvQs=,tag:J7r2rqnTfBr0SVqV2yLM5A==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:Qw==,iv:BJWTHt1u51l6abn+N6bgIZyVpiaoL4oCqVsX2f0sTlk=,tag:Iir/+6Oe80ApZXzcEKIRiA==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:PBqs2NwOrq2zXsiCqg==,iv:5WylTiuahd46w7cJekKwz3JWdIJFXvPU4DxXQyLGp7o=,tag:ElhDgUg78R5ad46k3SImfQ==,type:str]"
+						"username": "ENC[AES256_GCM,data:Ejkt3KK+vr7mjt6oNg==,iv:hH1fB8yImt/PmPOaEPxL4lnhOAil1E5A77GVHH18FjU=,tag:YThxSfNK1NZMIcSsAebgTQ==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:aW1ht2dSLec=,iv:7UT66ngBh72yVY7XEy+Tp9+0G7MfC/0QxerZxg/GtLc=,tag:Kh9aAGJVOixj1rLVN/e56w==,type:str]",
-								"value": "ENC[AES256_GCM,data:glLHTAoZhI0Eq3u8IfzX/Kf11ue3,iv:vHqW7BdAhzrJam2QdkanNJacetxmHe3PaNe0VzIWHzk=,tag:CGjQ/OfE/STM+CVDzjA5IA==,type:str]"
+								"type": "ENC[AES256_GCM,data:Xl0B0TteqgQ=,iv:H8YLLnB81tl1F9alRLuqnmAnG1mF20HatTt7spkFE0g=,tag:VM/1FhPh7Ehp90VPDe8E0A==,type:str]",
+								"value": "ENC[AES256_GCM,data:UItropAofvfCvrO7oVFhqPzS6Wqh,iv:sufGggIOhFsovwuQXhRlVdpeqs3Z4TGfOeyzikwtCsc=,tag:2KplTcjn3xaJrUAgEumwaA==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:9g==,iv:1Y+4Klf0fQXZ/R2oyxHj/cUCRe/6Dmqzzz/LPESMlhU=,tag:cYf/j1LQxQT/sgPcdjNccQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:O/5AYA+Gnx8=,iv:cJZSMOkoaNpYZO5rDqW9ll2vcpjfNQ5NCtppKYCrxHs=,tag:wQgYpfdJJLg2NkmPNXhKrw==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:dQ==,iv:CbQQzyOmz/qGKboybY/qZ94QwMC9aZR4h0Czfg3HNSc=,tag:lUg/prIaEQY3in45Bv+XBg==,type:float]",
+					"private": "ENC[AES256_GCM,data:IcbrdS3+EKo=,iv:RvUIwl3Rb+86QF9POHJBg9J/uKfTIrkEmS2EQilg+fo=,tag:nc8Yk6TH+P3m4uFhFuqRpQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:8Vq5rJAbgu/45jdnNwY05EYPWrKntC6BmWEUYBs=,iv:kA6K/ZTx9qkRbTh/5Y4HvQ1Kym/Atb+LpXfCo4xf/AM=,tag:gvbgn2uK5W0VkZj2fjGJew==,type:str]",
-						"ENC[AES256_GCM,data:C1CP8PREosMlvFpPS5goo0MS,iv:0KShcM0FQB73kAnXWXMujU9T/5drCaRDQfkS088VVS0=,tag:sRW+zP1wNrI7xGhQmyImHw==,type:str]",
-						"ENC[AES256_GCM,data:NegN2/kfa5cK1pQctVWS/2zBjMXkghFIye8=,iv:bApDwRXSGAnDpNeDLrfKEJLsduELowZlDd+HRoktHUE=,tag:6ICKnJwB53nQSvfhV0SC+A==,type:str]",
-						"ENC[AES256_GCM,data:TfFL5utvFiRQUdFsfXNWbzoctCkj4+11JRiG1I7L8/0W7F4sEUEZyUEBNdwyIsYgerk6,iv:jsqfFr6t528Lt0vA4KijWyd/fTkUbM5bYr8f7fcUZ2o=,tag:ep1f9i3Y2042/Wgzwhqwow==,type:str]",
-						"ENC[AES256_GCM,data:dMzZN6ga/TSpxZYFz31M3uGH7eE=,iv:7ybP+zdZsbo7656YMS94InaKBY9taJpwi26Ge6ssbJs=,tag:SvWv3HCXEV4xhVqsE82iGQ==,type:str]"
+						"ENC[AES256_GCM,data:gYpzpaNptZrFF6v1lN2DggduY+lP587JW9m2Rp8=,iv:PRmIdeHvBj9wJt2Gsw6s/tYNlu22+IXznEixUufCsRs=,tag:WHbHSWtFnZc+/feSz8jLdw==,type:str]",
+						"ENC[AES256_GCM,data:LmBfcksO3E3ZCWrn91CU33pe,iv:ePPrEc1nQn//7d7838Zoa0Hr9bR4bR86jTVla+oFkdg=,tag:2t1uDIGUjngPoCQJCt9Dfg==,type:str]",
+						"ENC[AES256_GCM,data:w5eXZfTysqvnbuSQfoLNHEMQb2XNcI0EdUM=,iv:GmIj+vEyfi+Ms2gi5uQ1hNrk7GbO+FNzmsZYSeDGgMQ=,tag:TMxYYE1TUKt3EI7fujboog==,type:str]",
+						"ENC[AES256_GCM,data:TumIBNh0JbTK9iUfYfHOseuFAnosVx/cWxeRxU9ZGrQksV6Ix19+xMWNC+BqkaUr1AIM,iv:Um43hLHRV8Wex3uzQec4oneCKzJL6mu8a/lokuXXzhI=,tag:pLi1gsE/TvMj0CEWG5x9XQ==,type:str]",
+						"ENC[AES256_GCM,data:3aqJ8lmEBGDJerPbeR3uinJYPSY=,iv:ZohZdWFtrDe0IizLAy4wNwkshmoCnZwnBDT7fpDVRbs=,tag:h+CBebTo3DtQnXtJYTvYSg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:HhpOjsNNvA==,iv:TsGFB+COjveghWkVtMU1zDbQUVUF0fgBytYOrIcuk8I=,tag:vnwlsrqQu6aJOTHx4o7lqQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:Vq/lmW6d3I0fuxV7PFc1lTPF388H0UhD5fruK/eE/nC4Xx1TpCcbBnI=,iv:7nF8uaBG5IAsr9FInX668K8NxExVhwaAhzNMnBxHuPg=,tag:eL9a4zVxspGTn9pfGu7FYw==,type:str]",
-			"name": "ENC[AES256_GCM,data:bc3o7t6H50qbIQn6zxQv,iv:LcLrbr2yvViYXB/E7zTPdbf8ajIW2YItkBUC8nrDLKQ=,tag:6UgILWEVtZyOWHKGmdUeww==,type:str]",
-			"provider": "ENC[AES256_GCM,data:+5HMMfTS/iG11deliHAx5vjNABjhB8uNL9IlK5hDC/41B/vxsoyP618pHxdBZD5gNw==,iv:RDrz7nOselK+rQzkuRkQyi5BQvLejzAxagJCLZ0BMto=,tag:OgaFW65V6azbXIz3st/NIw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:gledjPud4Q==,iv:/Wla1ejLXo/LwI9MX7tcxlxEeGJOnX1u8CwU7OK//mI=,tag:8t+v7PE3+9lu2jhPWeUJkg==,type:str]",
+			"type": "ENC[AES256_GCM,data:yGnUnT/jFDY9IxkoxYpOHUaa6lfl+mpyQCzaXBNji+ttJT++BYUh6C4=,iv:OjaJD+sh2O8tJRhOy0zTLsEMzmqFe16aKP9suwe938I=,tag:LIGqfFthgOc75wMJP1EqTg==,type:str]",
+			"name": "ENC[AES256_GCM,data:UcywBHkJBnoyHmOhOdlG,iv:eqzpXVeBODdRBOiAC6rr62dSYIvRysuz48GV18zybPY=,tag:LFaossAShZIPd8vDCTJFGw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:W0+lzBnhJiK21FX2xYkEzc6WiK0q122IGW5lxGd6FPjyYX0fhy6X5CKCPmmWx2u1oQ==,iv:R9I2rTtGlO3tbtw4Cb9SuYa3THzAiA5oDJLqnQsDN50=,tag:S2W/Xa07W6UZ5dT6H0rTRQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:DQ==,iv:/+o6E6C23ybwY6p7+AyrrQALRwg9sfWUsSYn3wzu7dA=,tag:2/wH1n0WXw+40jP6wwomxA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:iw==,iv:1mFnv+6UCceXnXyK7YI8xA5hDmkPQQd1gNwrNdg2/5M=,tag:JIl3vcF3+qqEFByKHIYbcw==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:Gp/zMJo3EbY=,iv:HZtrAELX6BVlyUXa4vWGPA2lcSkQ2RTtYgYDmmOyRL4=,tag:E7h8/PDCEZC2AzZkLa0LWg==,type:str]",
+						"backend": "ENC[AES256_GCM,data:zjrpn3CmJRk=,iv:ofWVhgyz8k8AmjFqUt1OaRAUV1l03JRnq8ABAFCQg7Y=,tag:Xd3/XS5f/O8QlYor1MxD4A==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:QJdi2g77PL0=,iv:UT15OuHRENlBVejqM4Gj0sE903oqiZcRSgLdKnQO81w=,tag:M4EXSNHRjYfZkcCpC0Ry8w==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:QMG0VbrKQD8tcA==,iv:XMMikwZHPUB7qUmb/QZOiwwbb0LcGfTIq78y4YHoTnI=,tag:IXZhzYUDWV3aREO6p3X/FA==,type:str]",
-						"id": "ENC[AES256_GCM,data:GeJ46VFUcr3fciLMDFHAj4CnFbiYy3AvuRsm1DD9keQYmiwHRw==,iv:fL8PJw2dWXo2MJHnY19+GxX5s8lwhXD/shKXueOlL88=,tag:6KH42TysxVT6ENLiY8wh4Q==,type:str]",
-						"name": "ENC[AES256_GCM,data:3xiUZ/ktV49fr840zCsh,iv:KvAsvYSXcnYSE2mKw34RHxNNwik+zpxvnOPwoB6BJ5M=,tag:h5ik5AYeexHRKqK3/aKPEA==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:Q4QVOhMjLDY=,iv:xrTQMu9zjB/FTU6dg6BCm/Q+wgeKRW4wZ+5xXmYnoxI=,tag:TGcNqceS2IWj4hNvJi5xdw==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:3VQ9mYuMrcIcEg==,iv:0T3UjE7W9HT4qL5UurORcDgmEvV+4ZTnWbAKYXt/+jo=,tag:HiwK6rfFeM289grHupPzLQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:DyKQQ+cv8P7tYefCgY3D6JNfWltVQxQuCazbnr5H9BXVNEnwJQ==,iv:mY8Q5b+zgnGpmdQGGuRiRRJgGWED07Z5wxexUliWsbw=,tag:57caX6B/L0T093G0AOclqA==,type:str]",
+						"name": "ENC[AES256_GCM,data:tVR2ZanOi3SrTwhLSJs5,iv:hKvVNy9xFHZ79ByoDXMwU/OvjWeQF5SaX2qugI48Y+w=,tag:9qrVHAXgwNqn2YE8EYDu6Q==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:IE26TLcM,iv:mMLnu8DTAlQBKb4l+5ve0He0NPMdzLLHTpsT26GEwZc=,tag:qThGafeK0e+XeqRHtlMKVA==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:DMKPE/cj,iv:4UzwIdh3wzbTrWXyPSapfvFDrhT9Er0I0HvvTY478SU=,tag:cSDzIgwIHQehxvJxTEK6yw==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:fg==,iv:7YXTqIzROJ7tVqoPWDFHWhcDbZJoTK2RWWWbmNfKcmQ=,tag:CC/G4X97ZryhvxFs/HXC3w==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:uw==,iv:zLUyEgMHItj5CiYmeRDsjZxFko4Qu9Aq7w6Naws1CL4=,tag:0Y1QSjvM/DBYGV5cNJNxpQ==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:y+EraDuqgg8QOv/Q,iv:yIz74m2tyskJW5Vr4SqzrMkvnzpsu0cS3L+yBFGTAeg=,tag:otkCb6mprubv7nxUs82LPw==,type:str]"
+						"username": "ENC[AES256_GCM,data:x+M5dbehH3lhvHvr,iv:3Cvo4iqHb+Pg5aYkmq7HJIgJmDaOOh+AHAyALk2Blbo=,tag:h2ZN0jcGROymqq09wwEEcw==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:j/l3ImOwttE=,iv:4HdaFq2ITSldzJGuoQVWCeNEuZIvz76aMYtSTgz9xOc=,tag:z9gOK3OvNTZ9p1qdgrjgSg==,type:str]",
-								"value": "ENC[AES256_GCM,data:KUIa0V8UySKZsNmsa/MXRAFVkB8k,iv:3s4Ubjmk5oviYOJAuc1+hOjQ8oAQtGAvY6OnvdOJYxQ=,tag:iLxdu06iU42nh7TpukBvMg==,type:str]"
+								"type": "ENC[AES256_GCM,data:DwiQwnEVzrU=,iv:Q2mSvDB5n2O03rqhmoXC1kVnxG97gURmNdoW7rnqdhU=,tag:lyWsVQ9AS2S08Gq56z/CCw==,type:str]",
+								"value": "ENC[AES256_GCM,data:UqfjjoqXYIZnRwhf5Zx8XAr6svKH,iv:MoOGhLlkm1uqv0NpZtV5cNgQX7TVqq9C4GgISfFB44I=,tag:0a8Sd63aMJqbhMoRYvTqWw==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:CA==,iv:7soGF7fQUVnvdBJ6ekZ697MwlLvMROQxnjvLBktW2nk=,tag:k6R60XQHuDK3llfR+Nsd8A==,type:float]",
-					"private": "ENC[AES256_GCM,data:q4qpb9l57Kc=,iv:WXWhmusTiqrw8ezvznKCVgtbjBPn4c0RkiLTUp03mCA=,tag:AnH+4DoMx+qhd9/2RALRoA==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:zw==,iv:wwxXRLgnkM66AfudjT+z+031XoVeTZvP5kwcKyV6v6Y=,tag:N7FTRmkJeWdi0rxpFhBwhA==,type:float]",
+					"private": "ENC[AES256_GCM,data:7TZ012xq6KQ=,iv:VSCbGRcImZF5rHWuFizmztSPJm4QfU16Ry3xsZs9p9w=,tag:PFewnwSyei/y9b35cvDqFA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:Rlkidy4qS3nHMnlQpPXEPOBXi8bi8BmLWtDe5Ak=,iv:jeegL+LfFxOiw3J2kRrufowHocVvckIJOHiX1GROCRk=,tag:sj1yAIFil7irbnDDnxWEnQ==,type:str]",
-						"ENC[AES256_GCM,data:G6YnDpgbS8K/UunnxlDGQF71,iv:AcDzgnDujLqHrH8lQJ9TnoxlxlFjP8ZShgnyzGrpcCY=,tag:e7lPkGkPEadHUKwAJ+/8hg==,type:str]",
-						"ENC[AES256_GCM,data:yoULxj2PY9osgoH+IjdKBoLGBOo7si3+kHU=,iv:e5r0j1SbDpcuN8lC0xmXhP9kPo8kGz1XORm4UtKNUV0=,tag:bHAVSK2e9Lc/phCbpslUgw==,type:str]",
-						"ENC[AES256_GCM,data:qHs5Nf3tmBtr+6asRhs20r/SafMX5wDXBI2HeOxD5e1PQkGSBtiw1BJyR1YGMAP6Nbir,iv:VUCTFcluTS+FVF48d19D0i0YxTsivO5KHgpsMj+YEw4=,tag:BwHmvM/Ne4W9kGrFsEukUQ==,type:str]",
-						"ENC[AES256_GCM,data:ZIf+o0vxwDpJLEZUa047PmzKrro=,iv:wjI/jiGDFFft2gQq28pqiF5TMaj98fHdEQiUX1QF5I4=,tag:fAy+eAYHqPkEBycadMz7TA==,type:str]"
+						"ENC[AES256_GCM,data:UmI+Awlvx6+4vb6QUL8lzOIUyGL1GDsYJ2ghgLY=,iv:+UnB6MdY3rXxpu6QoJzISMkfGrWblkbahTZVw6jrR+U=,tag:BVCMFOHKqzyWDml3he3NFw==,type:str]",
+						"ENC[AES256_GCM,data:oy8yVmW92PkqDfzx+0ePN+pn,iv:huDpttoaMxHHlWHt1oi5rTn+QlDx4AkBdj7uzBtmVwM=,tag:D6JhMdJJmrwRIlwojywXLA==,type:str]",
+						"ENC[AES256_GCM,data:edZR0LQUS/o+B5I5bQAkMIhkeh5RiQaPTvc=,iv:HkvCbEa+ZmwXCTgMaalL0psvwoIX2MTcnmRoTW049dk=,tag:BVFNDthLgVg8Ll+v4iw9iQ==,type:str]",
+						"ENC[AES256_GCM,data:yvHr/eIhASd46QJAAxQq6W+V4ovQXySUyxYyl9T7wdUyZ+e43y7mnT4rQtNXwke17oO1,iv:Md8z7aUB+Njh7I3YOBI1z4d3bJJbR6qWqiTakcnDFYY=,tag:9a1hAacbV/ZwvybNN/FaFw==,type:str]",
+						"ENC[AES256_GCM,data:tZWJ+qo8NgWc19XYcoYneYesCD4=,iv:ZfizKgv5ty3VzdvI/ukVfLo9vsf2a1mqd+m3A4FC9II=,tag:c7/1UHgiFjEn7AnFrAiBlw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:b1+BjDR6Fg==,iv:Am+e3rtOptXYMkB83y7MI+tf3gCC8q8KyQS1zxL2GkM=,tag:9QmuX7e63DQNi/xMRWiUMA==,type:str]",
-			"type": "ENC[AES256_GCM,data:7d54b6hK2GEm9kygDSts0O2UINCbilse/fPwheXeoutHJmbVQ9fDhcU=,iv:oTJuCmQRDYAKD6kH7R0YG6eT3y0oiYHxt29LXREUyxI=,tag:B4b1+DXzBgGm6h5iMw+ykA==,type:str]",
-			"name": "ENC[AES256_GCM,data:ZLt+k5xQP0kL,iv:60WPxsRrknMqkRz1R1NgnAmie41/Mczxc4lLVKZ11IA=,tag:bwp3MA3wUBSQXedYU3SMrA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:+bGNxm1xR8b+c5tgV0vQBdfiH1iOS5OJM9QtEyaZOE8R34y12M4Nt9PVrb3F5tMgHQ==,iv:4NNC+OoxIdK6fdM879KHHdqD4m7mm64H2ur7fFag22Y=,tag:7sylrL8iMCdNsiZrugA/yA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:8jk8oWcMxg==,iv:5qzjOTwZ8+QKLvl9KBZ1zmB4JrR8gQHo3GNY81ShHpg=,tag:/twR2ap4Ipf+0LDPITj3bg==,type:str]",
+			"type": "ENC[AES256_GCM,data:2QyfT265mQgsg2ClhMGtEnRoh5bsqmmn3s+7LP97PrD/bwjpsofT4/w=,iv:83rf8sNamvrJNubNjHqroISuj0anQspj0e4SJnq5aFg=,tag:ltrbwZFK+X/3TvmFOO2r7w==,type:str]",
+			"name": "ENC[AES256_GCM,data:9pacjy3zNfiHmOeLML4/PoE=,iv:EfEow7s5Bg5z8AK9siYG9LrQlUH7SGRlULYX1pKBPwI=,tag:7Lvk/FEmSkkHfqDQqfjh0w==,type:str]",
+			"provider": "ENC[AES256_GCM,data:YdmqwlYWMb8x1H0Bg4eTrRXLrosQ9qRluHG9/S6F0p9FhyJJ3iWY9Je4NR9uZxrDIQ==,iv:aW7JCwJwPm9CQb4i2W/oogKr872tAqRmMLzFwpOUJDw=,tag:RmV2xEFl2eEJzxD6Dmxdaw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Zg==,iv:5QR6LNCgcaJ4deoOiG8ebh47FhOwQ8hZ43b9wndI93M=,tag:OY8fpGFMxVFabcxDSsm2ag==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:0g==,iv:SmJmV59fWp20fHe0L9aIMDwwGVDPQXxA7IXbYMLRxAI=,tag:ELZVdH5NbRhmipOAWKC/ig==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:DNAdp56HjBU=,iv:1nrehrmauQK3fIRebtyDIbrprpep05OaradPMsOiVTA=,tag:34v07Pai25Z+d5V+4LOiaQ==,type:str]",
+						"backend": "ENC[AES256_GCM,data:I7kvebOLsis=,iv:iRazaMTvg6m31f2qcE8hckzdQp5QSEllkQV9fcMVA9Q=,tag:z9koQ2J5JWMVOKfesl9KcQ==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:dD/SmgC0dT8=,iv:JdahX9fpC4pRpVJgxVjfQJkoKl21FvOKGmSA88ecvlU=,tag:7PPVtNhKvGc6khS9i/nBLA==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:MrjOXedEytdG5A==,iv:pYsK0RIEKWtnXsSwHAiY0uvoBCuws/06AXVVOSXQcC4=,tag:vFMwT1bxRxBeAF80UnQgvg==,type:str]",
-						"id": "ENC[AES256_GCM,data:U8vJGcgZT4Nu6Ehir/Fk81nw8g86qLdWP0ZLmWWP5w==,iv:/BH8nVLHgQ5p4AUYGae3OssqQjJIdR3SmjRGgilPK2M=,tag:kNHsie6Mc7z/b1E92A0BxQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:B3ZGLDfXdlvS,iv:toNtNSioxvDH/o+AyadVkYKjOy8m4KA4Km/CNzI2bCI=,tag:Ez3WBvNPFRGEeOzoxautJA==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:qykprLjrdEA=,iv:9k1zrpVLpZNtrGXxWEpBABKW0VDI9kMfZfkM+rD9q0M=,tag:TAPyIWyW/9pIqC7wVRmlqg==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:AjjkAHfjeKWa5g==,iv:+dwzU6xYEHTpcCORRJwK4DH095zp6KbNr1M850Ke2rc=,tag:jvajoeg7+E4IlxS0pCm3wg==,type:str]",
+						"id": "ENC[AES256_GCM,data:g1QtOUxX8dayx6+a+grr+MIzZN6N9jUEfXWlEeHw9X5CC5ZmFSuM,iv:g2KqQRWVwYhG0iUPykKE9vSOufsJ5M3yX4k2Ylx2d4Y=,tag:MXgvBUA1dvalwRQfiAy1og==,type:str]",
+						"name": "ENC[AES256_GCM,data:9GAnpsANXIUN3qa96khYz0E=,iv:GvyR9LyTfJjZeqbK1Ly4+LBY1FIHj5dqLhSLnovlZbY=,tag:xBdHWOqXytL3ZGnDI7RliQ==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:EgIJYWX/,iv:k0ilELcNDKs9jsfUGeXBxjlkKzrWOgbR3Rhr5Wzb9Io=,tag:1RGB2Vt8P9Da0tLF2zBQwg==,type:float]",
-						"rotation_schedule": "",
-						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:eQ==,iv:WSwPwhyPx9zBcTQawTZmKpBx7Va0URLa3/dh+diL9ts=,tag:M4YBv1qy9eK7C/cJPhiUjw==,type:float]",
-						"self_managed_password": null,
-						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:hxl2T5WY,iv:cfGnIVGuJuRmCW2GND3L6hW52jFaXwP1Hi0Hpq7pMRo=,tag:4kp+Y6PDACRFJ+HNZCqqjQ==,type:str]"
-					},
-					"sensitive_attributes": [
-						[
-							{
-								"type": "ENC[AES256_GCM,data:3/LvFpK92kI=,iv:j9gnvdAgO5/+RMtkes7akEHDnzZlcnhRxDRwLjptAKo=,tag:uL3sYGKu+FQpL35w5ZewfA==,type:str]",
-								"value": "ENC[AES256_GCM,data:XJtN+O4//RZkMxCtc70d947gU/JR,iv:FBDVnfyDaRrvbql+Kcvwfpfu4CaTx342Km1gXYJ/PY0=,tag:7hIpSWHVuuSCCWUV6RKKFw==,type:str]"
-							}
-						]
-					],
-					"identity_schema_version": "ENC[AES256_GCM,data:lA==,iv:pH5FC4VNQUQQHyVt0nRuot55qrA9RotdHr+XklbDt88=,tag:6FxJ5LVMFbwOGjE4rRVF7g==,type:float]",
-					"private": "ENC[AES256_GCM,data:5N61DvmsnkE=,iv:1pFxTpp0ZddEcHG6wK6TOi67IxTI63SQT3u9xSsKi9Y=,tag:wfLiN/GYiXGDtBHDKmVyGg==,type:str]",
-					"dependencies": [
-						"ENC[AES256_GCM,data:QouIRm8ogHWgqPTkee0hnDtKhWcuUKY15Jz/b8o=,iv:WEZb6xYkrt+wM576PMOD1VAWZ7xD9T9jSeplozCUef4=,tag:u3YprVDHh7BGYQJLcUKa0w==,type:str]",
-						"ENC[AES256_GCM,data:1QrNiKTQZhxnh0MUU4SI+NFr,iv:0V2ahEryaVvyO7uyKplOAYkn/lZnuZNjXiPKXc1tvUo=,tag:88g6tan5hd2CYLyT4pozrA==,type:str]",
-						"ENC[AES256_GCM,data:Y/nTPNo82X/Urs71RltovVIQqsbOPMrm1fs=,iv:oAVnhJjXWehyGWut/qXRH0DYWESinZXTjKF2Su1o+rg=,tag:6YKoXzHHUEECnvG8b1Wc2w==,type:str]",
-						"ENC[AES256_GCM,data:89lTQWUAt41kwfGRpGeL5WQRD0Q38CQLHLVSlH2RaUTP7grjeWAPDICy/aFKYpR+44kk,iv:o8pjh5wkdi9y4R7NVE5dePL+YGFBfRQUdTIQAboxJA8=,tag:bGw6B5KOwvNo9uwcOozY8w==,type:str]",
-						"ENC[AES256_GCM,data:45rYq8+7XA0ti21Ue1I2Iq6gKSY=,iv:tOtZ6nNQswbRjwUXI7rQ2u4e6WwNsJfJhLrUAJ0D/TI=,tag:ERyG8CIEhTNxpS0c7YzXMA==,type:str]"
-					]
-				}
-			]
-		},
-		{
-			"mode": "ENC[AES256_GCM,data:qe7YKsB6ew==,iv:3Du/m7nK9aXhni4wpgf//4uoXYVlqHpvfPeHFmyeEK0=,tag:9Uiro7Dp2iY3lMMIjUArqQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:L+NRyNbMxT6RmVOJXN8Z/Y2MVBvJ/Lia+U4AI6HHXShEduJZf5ERK08=,iv:Q21RnLAnnB5jCVfGhEFZrGJZ/0WXi62w4G4kWn8To98=,tag:1TPqGwE183Iwq4szYrijyA==,type:str]",
-			"name": "ENC[AES256_GCM,data:KLwyPvRVP/X1aePV+t1DVxrfUQ==,iv:QTYNrf7V3c6evF7nukby0wCmNqN+Yxg9pDT3MX1779o=,tag:laMJxos9LzkWp23rHfhQFw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:H7IZQuVQzOm55F5p3D1QvjY4VVd4wNsoHrFIq9SQikkDXNjIYXrlv/9Fn1cs69ztvA==,iv:radnK5jlNsTqpTzf05xkIAb7ExjWFA+0feTM8xXy+Rw=,tag:PbNOTRn00MP4I3Edi8dp8Q==,type:str]",
-			"instances": [
-				{
-					"schema_version": "ENC[AES256_GCM,data:oQ==,iv:gRPSYtSA4B9HH9TVwtKdsKFXUSjhFUKR5wazQzCMCuA=,tag:wuw40QuOSb16ZzcJeeI7yw==,type:float]",
-					"attributes": {
-						"backend": "ENC[AES256_GCM,data:AgQXDcBXerM=,iv:8180QjlikixD1YRnTHGEL4Egkap86uxdJPsb7zfqhuE=,tag:T+usZxPyw7d02D4fLIZfMg==,type:str]",
-						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:i7EMk9xf9JA=,iv:9lkgHIthMcEoL0am7/yJfQug5ua4yCgzQhEeWvNTUsM=,tag:YNI2iHFdSuv0FSx1cj2oVA==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:xhu5+wW5lmnwqg==,iv:VMxKtBBuF39bQLoN4VtrvlLmVtPhu2p9aUg0gvqvtkk=,tag:JjJGK+hXKswZHfwiHmt02g==,type:str]",
-						"id": "ENC[AES256_GCM,data:7nypM+Z/o3uXIODOwFEUY5HYc27d5Pzf0BFRkrcKf2dNKst2olqP6n0=,iv:Mu4TAysEd+UPUXaoFu5cjk3mDPUwWjUZe8uIapizm/0=,tag:ze4IvHSyqAl3tzCo/WiqHA==,type:str]",
-						"name": "ENC[AES256_GCM,data:PAo+LfdmKcV8h3AwT5iDpMh5Ug==,iv:pxq5m64b6xHhqfA6lUMHtPArErVunA+fL/vauTQFuo0=,tag:aRaFeCJ47gzugSzflDDsVQ==,type:str]",
-						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:mulb0qIy,iv:+liPAc3G2dq/Zl/xcofGbI4JrEi05fIpq0dcYeim1Bo=,tag:DZWtzLmSo3iZCpn2cJAwlw==,type:float]",
-						"rotation_schedule": "",
-						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:/Q==,iv:GbcygH66Ezn2xQz1UNuTPTGF4m0oAkG8FD14foH7/a8=,tag:DOA44+ZDbJoOmHV6cqDUvA==,type:float]",
-						"self_managed_password": null,
-						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:/M3aBhF8wmHr3y3Y5AQ20w==,iv:c8EW7gTJSMTJfm/yA5gZQpLIormlWSRwh3O7X2loR8E=,tag:8OYBrEB6bzA3Gfmjh0NIuQ==,type:str]"
-					},
-					"sensitive_attributes": [
-						[
-							{
-								"type": "ENC[AES256_GCM,data:cPrMrpqMU/Q=,iv:umrjQ8A2Hj2dDxxOzD5VASbkmaFlt/wOMC2N3qm3w7A=,tag:HIBuKSx4ZMvg4SDo2ANQ3A==,type:str]",
-								"value": "ENC[AES256_GCM,data:PLN52D7c25HaqmT2Qwyt1g/4BjbH,iv:IGpPM7ks8NspEgB/VmWahuPXJbERznKf8SIBudseoiQ=,tag:AD2BvVx3lT00UsvgGRaBOQ==,type:str]"
-							}
-						]
-					],
-					"identity_schema_version": "ENC[AES256_GCM,data:aQ==,iv:ub+em/1bJjTwr3gJ9Ooo15X35ixe4nhadJuZYOsha9I=,tag:bA0EZrvqaoyXnSFbRSaAig==,type:float]",
-					"private": "ENC[AES256_GCM,data:r3rTCReGJE4=,iv:I1K/CLubGJ51t3Jtkil3TO84uRA7fbJmB9/a5ZZ+jFA=,tag:Nf/AJ3OKtYh6AgXtp3HeWw==,type:str]",
-					"dependencies": [
-						"ENC[AES256_GCM,data:K0Cjr+np5gV3m6bhv1RUdZSBBQihTiHAyE+GlPk=,iv:YcmTL0wu1nC7N1XqE8rgj1IlSfV8m1qLYB/R2fTK3VA=,tag:Ehl8VBY434z5wHNpk8yikA==,type:str]",
-						"ENC[AES256_GCM,data:f0F5vaA4wnAQHukt42sP8KYd,iv:0cIT2BolAzdI0YPkfmuegUVVDf0hqKVor2Q5f68kBt4=,tag:21HDt+e57bCu40zJDm/bQg==,type:str]",
-						"ENC[AES256_GCM,data:g+CER9d2sh3aQSkyCLIh1x/bvbY+72xQ3J8=,iv:/OyEsaXU5eKeCOyVedKfRfvIhI2Q+KTAjBQ6b9wpDOc=,tag:S7svEkoR0/XUDCx43/X8CQ==,type:str]",
-						"ENC[AES256_GCM,data:rRoh9+sonupVvvLHU5d6WapQ8f29r1sXwIqCQr9Ix0HbIiUfOSoc1obze4W66CQL6u8+,iv:OINeyaxcHT1QfVJyiMmeeqoP7HlpgisI9iNnVEhBfXo=,tag:IzZpiJ+12t3AQI8z1ncS/w==,type:str]",
-						"ENC[AES256_GCM,data:amA3b+l+S3VRGMlHvb2ISdMXpaE=,iv:9hky6Qj4Np2Sief9z93H+Qx9HQB05ELDZnQbLJibZ/M=,tag:lm3RRDZQy4QN6nVcCi6F4w==,type:str]"
-					]
-				}
-			]
-		},
-		{
-			"mode": "ENC[AES256_GCM,data:/iX9AH7g5w==,iv:Rz7IyDmyMLvxHhlcBRnalUrvoT05V/G8yEqMl6q8x40=,tag:ZKB1ba1Hf09EbJkyodsbJw==,type:str]",
-			"type": "ENC[AES256_GCM,data:f80pm9OM1iiKC6BNDoU7DamU4zKEDlNlg4TWD1Mm+VsUtwz6lKQ2elQ=,iv:XyuZ5p4NmMYbKEFoYZhk8izTpIkwwpmbFCi45QsjZTM=,tag:5PPS6sz+GlFwGpBZvNVeSg==,type:str]",
-			"name": "ENC[AES256_GCM,data:BjLyIV6tkhBDgeJykA==,iv:JYEpVIEFe2ppkTHk7AWoU+BfYLY6TXawjPTGTKSgYgE=,tag:L7XPfT9LHhCFIJ9h6R96wA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:2vElgX6o0qzknKQ7b+Rs2HOaYo5UHxsdoAVLPp7QXswi0oVGc+7ns+MZDnEnUndIBA==,iv:TWKWcdaYtU6+oFVZdPB2kAxBY2xPbuWRYR/RW6T8CTM=,tag:6G2++eTejmqOYlc5U7rKIQ==,type:str]",
-			"instances": [
-				{
-					"schema_version": "ENC[AES256_GCM,data:cA==,iv:5ONCo/KKeu+kI3vIG9eJ50xiC4r1IwaMs6tX/ldzhP0=,tag:JiJG2utgKcXnAHl3cuNVxQ==,type:float]",
-					"attributes": {
-						"backend": "ENC[AES256_GCM,data:fdyD8/094/8=,iv:XOccnMSsqE/lU6jwKzxKbPWTOqTJK7GbL9YD8YW4xw0=,tag:0lXUuKj6VHS3phiLrab05Q==,type:str]",
-						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:C9TKfMGHtQE=,iv:rpEgHgt54nKV3omSx0s3ZFBQkTCNvHfuckxw3lJafvQ=,tag:YAuF9FDzQ8/51cEpmDkvPg==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:Wo4AfBd1MnMynQ==,iv:WgyNdZQsEkPqayPAj4e4OFhRt/Cfwhbi9SNu77jnv74=,tag:x0MpSwfw/kal97o+eJOe2g==,type:str]",
-						"id": "ENC[AES256_GCM,data:aR6mpZboJ7QJU4gR7pHMfzlrMsxSopsT1WhoB6KrXWbxI5Q=,iv:zDaHi8V2AvLXdkkHGK+pwy5nYpKvUT8CLBs/jD+9NSs=,tag:sImhLNjtCcMkRjuSwxaGDA==,type:str]",
-						"name": "ENC[AES256_GCM,data:078HWglZIim8Pa1gJA==,iv:jUWRgvQyikp17wYomxVlzQTIrgtOZOCjCxae4AKsSQM=,tag:TG9ypypydrVJSdYOGp2pzQ==,type:str]",
-						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:5DHnBqTr,iv:ycsK5EMUJxqLkbzxZHndPo957NKVJE93c6LzuHL+KiQ=,tag:9D6vakLOdz5HhQqZrCLPkA==,type:float]",
-						"rotation_schedule": "",
-						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:Ag==,iv:sM5z1/adQz4jL7QZCCMMZBl1rniWBhkRCgbcQ+ydDNs=,tag:z+wxmS12h4ZMCjLtf0qR3g==,type:float]",
-						"self_managed_password": null,
-						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:on6cNZBm3ZDE4g==,iv:VQz6SRvF6HSwKyPdzxJZC8CJSVeQlAhkE8OI8iSLOWM=,tag:I3/QloG9oMM8e5OVlpDKsQ==,type:str]"
-					},
-					"sensitive_attributes": [
-						[
-							{
-								"type": "ENC[AES256_GCM,data:K8FEuIKQkX4=,iv:hmEZw2GiqATumNoTpxT5yI+Z5gwf9vBCVaY40uP3TD4=,tag:G9KOI0mB4NdyMmhd2PPy7g==,type:str]",
-								"value": "ENC[AES256_GCM,data:Z63nG2+H359AMox1Od5iuSSvW3Cy,iv:H+B+6Z0V8SlaCAWJ5PY/S189huiEO5qVRlSdIolQAzw=,tag:GbwUs1ruIvIJLwvei8gF2g==,type:str]"
-							}
-						]
-					],
-					"identity_schema_version": "ENC[AES256_GCM,data:lQ==,iv:DY6Z1XU7yD3wQ62AoO8JOfa8iAAJrht7dP7k79lA2vc=,tag:NmznVjrLxzPcIqHqD0apHA==,type:float]",
-					"private": "ENC[AES256_GCM,data:DRr8cQg5lxE=,iv:POVAjx4WTGoPqoeZuO1+OwqoZfea20T8aTYpadeRza4=,tag:15h6P9vPv4TFNOtJH4w+Gg==,type:str]",
-					"dependencies": [
-						"ENC[AES256_GCM,data:VkBaUUFRELx8jZzgOu9DMp82T+XoEd5G9E3aZ90=,iv:rhvglsJAE9RP0+pU/7hsM6onZIy8IV4n8kpLPX4vr7Y=,tag:XaMkr9Vm37aFjK6dlMwIag==,type:str]",
-						"ENC[AES256_GCM,data:XLVmotaTIAXwUZNPaLbmXAVd,iv:85pYNPyDElKcmtRHmoBb/a9zBUEERx1vaV6lzzNdbDM=,tag:c5ZvnrGmgMLPp2yPifdiXA==,type:str]",
-						"ENC[AES256_GCM,data:iDxKY756cH6skXpTaEKKvd2y9x9KpdeUzeY=,iv:VKSs964MCY60bf/HctGL036CG+G9ymCBoSTmWbqdl+E=,tag:YzQHYzNaSn4qdl0wmPJIFg==,type:str]",
-						"ENC[AES256_GCM,data:ltVGicrkmH1hYAk1C9PRRJch/MyDcP/YESWX5gS1uyS4Fhn4ikFYq8nPXE9TamZLxhZR,iv:EB4BvGGCuwP1Kae8a7YOCFjrQGENHcn8jhnKNE2C/PU=,tag:qsP8puHNkQr7MyuqveCyOw==,type:str]",
-						"ENC[AES256_GCM,data:JPG2fXGoi6g+4wREzZrin972vA0=,iv:6xiV9r419xxzLh6Ke+9oof/0+nGLVrxvzTPeN9AWaWE=,tag:u/9XGMZtKdJR6LTgmip9wQ==,type:str]"
-					]
-				}
-			]
-		},
-		{
-			"mode": "ENC[AES256_GCM,data:9MDzuwZYjg==,iv:wjtRGYsKBN/tDjNj5U0K4WTXM4P0CHzxpxPLqSkGJuc=,tag:uV4K/WvhxOynWT/qHZkFRg==,type:str]",
-			"type": "ENC[AES256_GCM,data:1QcK/ugPHS2Jie17lfw1LJzRBqFeMZwydm2MURfvP9PM/Mdz9jkkhpw=,iv:pnWLbcRyaaDcYvLjViUALzSckNaCuHKHgXFIp1xlOrQ=,tag:FkIfdack+Arif8rvni0Bbw==,type:str]",
-			"name": "ENC[AES256_GCM,data:dDfISURX85RA9qKZug==,iv:E758Hxf7edNrr/EuNi3SY6ybJFCp+iKI4P/y9/neNbI=,tag:Bp9qH/p5jgSvR4B9XUzsiQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:MQiZbpNeYir15pDwV9CNQZk5CsAhPKQMWVxKVehwEhxj/ZPQXplKfulUXvma6iEUQg==,iv:CuUXjzCQbpB4FIZ5E2GQ/2hCoOY5iJrKwqEhWktTLxI=,tag:S3ifCrvKcj2iOy/RL3b/0w==,type:str]",
-			"instances": [
-				{
-					"schema_version": "ENC[AES256_GCM,data:VQ==,iv:j2ipxgbXizhgJZe9tKRGge6kdWygRDVjokkelqPcD2M=,tag:FnU1HQimz5AiK2nDaPNctA==,type:float]",
-					"attributes": {
-						"backend": "ENC[AES256_GCM,data:K/csryh/AeE=,iv:I4snZ5IVyct2iTJy3Nej9K4EcyGXuWoQ+epq7ILp0Jc=,tag:y8Z5UnGzRyQtgkV2NCCV3g==,type:str]",
-						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:NX0u7oHgOGY=,iv:iCLxCxjmL8QPSaVKMru0pwjZ2xpwVoPF0jFalqLwSYI=,tag:6mcL70CejbWoOcPF8lH53Q==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:bfF1dT/llUrWnQ==,iv:l3zbFAJAPETyG5jeTvSQmgtorp6+LBo+H8upE2hK39o=,tag:mUb7ctXysFln7bkUezj21g==,type:str]",
-						"id": "ENC[AES256_GCM,data:DSV0yhxLkF4M4Cqnqs/xIErnhrK/7hUaewp3VqEAC9EyeRk=,iv:N4+fZ+Fbzs49Se/enJyUV/v3MhlhgqrDa2Gr0Ast4co=,tag:DOJRKUZUKUQwg4BWQQ9JZw==,type:str]",
-						"name": "ENC[AES256_GCM,data:YUhP+RvK15vewdzJZw==,iv:N8qIDjZOwH3oSZ/wiNLIhJJdk+0DwQpVyGap1bCvm8Q=,tag:iLhclRirKI+tBYzGDEdzsg==,type:str]",
-						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:gFJhJwEU,iv:KXPebdenCV7O8AYVcvI9I5tU6XMVhTL4H6cnJs8xb5U=,tag:x+awkTkvkbMLvfwLcxZXzQ==,type:float]",
-						"rotation_schedule": "",
-						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:5A==,iv:0iXjuLigym2duS9FfWi249vk8nG8P5cSAfAEvhewl3Q=,tag:YuN+oeUJLqkn9pCKDlje2w==,type:float]",
-						"self_managed_password": null,
-						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:hUl4lIm0Lmr5iA==,iv:bggAkbLo2QU4OI3CgpE+bFSvsvJrw+VfPPqY84qHrzM=,tag:3+RbC8GNx4TS5Pv2IfPS1A==,type:str]"
-					},
-					"sensitive_attributes": [
-						[
-							{
-								"type": "ENC[AES256_GCM,data:v2BPdbq5vdM=,iv:ef5ZGvwiBynVExOumiK9Y1UnGW4kQSfpG0wJIwd7vOM=,tag:pR8WFfxsuCLCq0GaDZ1RKQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:ESEc61O267NjiTQA/UpLrxF9JuZ+,iv:kROmOAXdh4rWupE5Fzrq9QMADmgZFFlhFB/IEXRtD1M=,tag:rfylW6s6G7CO89L5qPflIA==,type:str]"
-							}
-						]
-					],
-					"identity_schema_version": "ENC[AES256_GCM,data:HQ==,iv:9f2/0pvY9c+xd4fwCafyXzBLFxlnb1P7pEWv7Hcv7N8=,tag:ueU83h+5WayF3yVELtdrUg==,type:float]",
-					"private": "ENC[AES256_GCM,data:fosGNagND8k=,iv:YN7TbPKd6FqnajcYP+9T5efl8U9K0y8+wSTcyEcehns=,tag:ZOeOssQPmoRBf3r7qbP2tg==,type:str]",
-					"dependencies": [
-						"ENC[AES256_GCM,data:zcoX5iZQBt8OXIjB9Nq6KTFlsD5yjYktL3hkB54=,iv:fMnEntfatZzXovikGgCZXngeq3zY8+7BK5nw3DdeZd4=,tag:RlcLvE0n20LzX37VWHcJNQ==,type:str]",
-						"ENC[AES256_GCM,data:CRjzLts5wJ9aiZgBBbA8UFXB,iv:hlL+KnZ1RUZs3Ey3QMWVu/hRsAN1xbcs43j2+3CKXGk=,tag:XeSjMoCzG1Co3V5U+r5Iwg==,type:str]",
-						"ENC[AES256_GCM,data:3TBGJhf2YXt3mTxHs6XG/L6L8tzz9wuENWU=,iv:MNl2F8kW41ZsQ+v7rdQdo+OTI66YWDX+3daemaSybkA=,tag:aomYCkUNRtpJ22oGpEoJoQ==,type:str]",
-						"ENC[AES256_GCM,data:0jMERnekruRR3teBXZ2l9lDklGrJq7+LkWIQgoIlC9vaulRQmeozkyCxgl4hYuopy2GJ,iv:/unZxL6NJnQX4Uw3lTQu4Fc4cNs2vmAapKGbOeBjsGA=,tag:z6Rno4Wh8+/Kj2x4E9aIWw==,type:str]",
-						"ENC[AES256_GCM,data:5f3NO1O1DIG88Ji1p/n38cEGMcE=,iv:MfaJwm/v6ecHlcU+1qELftVD3CxfhGQIRafQkYTd2UU=,tag:s5ZiPVaCDtZNYvCuELtiVA==,type:str]"
-					]
-				}
-			]
-		},
-		{
-			"mode": "ENC[AES256_GCM,data:mqjwE4HMTA==,iv:zUoCOIEqsQCJQ6g1ByFSzVoEmM1+TNPSEIX7ubFsJo8=,tag:dONzt3p4f5TT/KAfqv8rUg==,type:str]",
-			"type": "ENC[AES256_GCM,data:UCf5V28NcVemZVf2ftYD3nUPlu6lD+BaBG0rLrUNSbknwA/9VPnCL28=,iv:kE9+i0o3L5qYW1NpVirdpflaaJhL8N0Kymxxzhn9DQA=,tag:aTuUJN6cxm5hf/gcLP6UmA==,type:str]",
-			"name": "ENC[AES256_GCM,data:gSNeX7J4u2jg9utNtvDP3x12,iv:R8y+pAdu8sV8Tkrue/7hW/a5xOI2gB7naIG6vzdwQeM=,tag:nFT8NEeeYLgaZS/yY18UAg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:8J+3QftmbL3mr3BEyHy0J0J9Ohjy7SSo8i90ORxa7CJTdjvfyKjA+Iqy7YgRAEVZ2Q==,iv:L6kpddeFjpt6k3wyYQCRhGlvGpxaHyjOhfiviiISi9w=,tag:mjOxYBQmN+rmhZDVRWUTHQ==,type:str]",
-			"instances": [
-				{
-					"schema_version": "ENC[AES256_GCM,data:Ug==,iv:0P/jPFj9jjctTuLO/QL8XBGrD/gKdUoeVFtEaJGnIUc=,tag:8qUZAtWjkW58WcqdysfO3Q==,type:float]",
-					"attributes": {
-						"backend": "ENC[AES256_GCM,data:p7TLBzV1QjA=,iv:3XDahvI4w/RIhYX2excrZW4ThRMx6kAdQDzlnpIvZAo=,tag:+n3VbCMSgxkLRaL+0uCUwQ==,type:str]",
-						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:vyvg6QUeFH0=,iv:iR2EtpTNinppmsjFO8jgFg+ml9Ci1PM4lF4gPU7fzt0=,tag:cxLVCWAZSRVOH1n9aP5zWg==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:KHJ14EJ4PCa8YQ==,iv:R2qpOUbr5Y9i0ybEDlaFiJJWI0Mar2TPcAozyseBM3o=,tag:q0v2OS+nwZcw5YkURrb0NQ==,type:str]",
-						"id": "ENC[AES256_GCM,data:AP1zyKt/EsgXMHFKplE4/rC1CDqvUi+PuHmijB1cXkJ36YWSYtHzwQ==,iv:lte708h2/ScUTYAEwTX7368LBc0/rSHAa956lWQW6FE=,tag:9BdWHJOoJMVkbSpe23wyuw==,type:str]",
-						"name": "ENC[AES256_GCM,data:dEKm4627yEQC2PoFDvPhbIB3,iv:XcsfqiI6l2O6ZspZd/L9kDCXABa0n2wWO2u2FGVhp+Y=,tag:oFEHmi1ax0KaUloxX3/l0g==,type:str]",
-						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:U3g+1uH2,iv:oCl1l7VZPcaNWjAD0YUUAEoLPsA5dFmceXKUlaWviE0=,tag:WebWQKAmp628qh/a/azpKQ==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:Je3wANvp,iv:e4NsibrLLRleRKSJ8melgw0m8llagrzOl6sHSAjdMMo=,tag:GLL5WxBwz+RuHP92rE7K2A==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": null,
-						"rotation_window": "ENC[AES256_GCM,data:iw==,iv:36U7LuiNCgVMnKU11glwRA89FbW+05UqYwfR4ipAe5U=,tag:DdXDpj6DVCBDa3KtwujSBQ==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:eg==,iv:2JAkcjQnwNhVNqTBy5v7vOHTnW4USkxSYifkWjrYG18=,tag:ZY4mKvw9FHw/LstbCIr7dQ==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:l9reTuoElCYfI6blG1so,iv:tmiEsBbBs496/fAI3Pi0ivhMFQsR6iJlZAgpxvygOYE=,tag:ER95WYkXL+0xhOh8xCCltw==,type:str]"
+						"username": "ENC[AES256_GCM,data:xBzhhj90tNrMbYy7uhk=,iv:rc7HOhb72EO1D6JWYZ1dfk/axMgoBL3XhZR7RqRwauw=,tag:E3U78rmu5to1ILfXzSYDKg==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:DnltkZXHFZo=,iv:JVE9S/GtAJqKZBRZ5Q4ODuHNyMbejmzrABfI5hLsuWc=,tag:bTtgoyOjUSG3tsqoLGESBA==,type:str]",
-								"value": "ENC[AES256_GCM,data:SUynAW6Wf1EchvsoBU/KzJTOfsn8,iv:HnaqCKK0zdqElmXj139Kgl3MtM6hGRfDeswT2QzGFLw=,tag:jV/PkoXHwuzk2Zg4iR59fA==,type:str]"
+								"type": "ENC[AES256_GCM,data:aGy9IpAKRLE=,iv:ia/WK8UIxoTfc2fjN35ioXYmT5z46XFDqcJCrums8mk=,tag:1hgy4C8r4Q1edFN/CRQV2A==,type:str]",
+								"value": "ENC[AES256_GCM,data:ay1xHN8Rb1lDmKuwcKQDUqqDCb28,iv:j88NLaV2/ao2eZslIj/M0fnNFGkmqSZ2C+y7iQQL4KA=,tag:GcfzSYDccAq3eeB9NZnQBw==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:+Q==,iv:234AL0568j+zwagTfkPgnnyKvWl9Gv1A47uz8bCoJMI=,tag:NeDLTnkpY46alOgCFPNSUg==,type:float]",
-					"private": "ENC[AES256_GCM,data:OsQewQ5mEuY=,iv:MmTD6Ybp3VZr1UUA6m5EZKEJ5g1nT/C7VOoaEniCHBk=,tag:1g6ZADHXZ4xGGBZ3UdzCdQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:kA==,iv:JVERgWQCC2Umbpg+1jpUMj2FTLoBfZVqc0TSCURT/Y0=,tag:1ZdCnaG6tqs7Wq5/CPstwg==,type:float]",
+					"private": "ENC[AES256_GCM,data:vQD/7ePQd/4=,iv:zOtDXzwih/VYolLW4BnWEy3YfFB1Fypw5W3sTo2hF/g=,tag:EJzUPmWa0Xf3hkDeEj7luQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:80NRGJoRwGDBwO6mO46b3rW4q4Wty1qIpNySNAY=,iv:VdsHs0OkJvpXGLog+/Xh4KzINkF3ixFauXOaaCxjHV4=,tag:Cf3Xm2qWb4YWEWByV9HV3w==,type:str]",
-						"ENC[AES256_GCM,data:p5W4Y/Jh8Fp34HCCCvvV8D5t,iv:KYl1niDgFoNkVrOd/EvvqBdyrismUTdt7zNxV5DMZus=,tag:I9aTGC3fravo+OaFjdwPWw==,type:str]",
-						"ENC[AES256_GCM,data:n5wfu5/eBOoLG8qOS4YL/pPc/6b4ps5UXkc=,iv:1qpu8UdN0SLUML1PsyxV4wDUQei7hcA4rODxv8jOink=,tag://k40oVz9zF+sXbg+kcXQA==,type:str]",
-						"ENC[AES256_GCM,data:yfywRX4DCBuBILSLP7OvhHEDUDF8d9VgNJW5Iu5drIaFEPqWVlrN24sZ/Dxmyyy+pTwV,iv:RzkFFlUZq6By9JuMBzRn/6SWiKsytITA5Ir7HNTn4Tk=,tag:5y/FuDPcBs7tX/8YT9wadw==,type:str]",
-						"ENC[AES256_GCM,data:pkvTENGEFOu63Xy7CWa8aWqF75Q=,iv:TMLMyJv5xToXyPHzdk53VTcTIwBnjTb/eyodw8aJmRU=,tag:IfslA55fx1bK15+tDrGWJA==,type:str]"
+						"ENC[AES256_GCM,data:vOIKr5cQMzWMXHateYVtdLUxHrsQ/sgb/m6kRBQ=,iv:AFr9jUBiy26Vh7YtbDVXZLX1WB3t5DgX6Ghheq+a3wg=,tag:sjmxaDLWFiyQXot7iEP/uA==,type:str]",
+						"ENC[AES256_GCM,data:aGAjYwg7U708GtteHayoD69P,iv:98P7xzMGR+OYQJmmNq2eN2reIxZwnvYOEqnHTgID6vA=,tag:Qz7sfcqp4xmCCVq1esNGWQ==,type:str]",
+						"ENC[AES256_GCM,data:xg+pibI4EPuivdCvWTL2riA1VfI7Np50ANE=,iv:rfjUkzYXWKwgIimkWTNTEMxF2Yu3obJk8ocQZ0UP4C4=,tag:0dOwt3J9uBFuXck3fACAgA==,type:str]",
+						"ENC[AES256_GCM,data:/rOccPQunlm1vxREaP5Tvg0A5fLAmP3Zrqd0p/w2xw1zqUQbUR8D3NGmlP5d2nMWsOD7,iv:AH/smjAtaQRId3spiBiqp+xs9RPiElaDlG7/pTkeA8o=,tag:n1P0zCo8gKOHj9MLh/tXVg==,type:str]",
+						"ENC[AES256_GCM,data:nqq7k0gtIojhdpojMNjamKciLm8=,iv:U+5DbhTbQYcHnf9LkQ2tRZCxHGfPlYYr7/a7aH9ogw8=,tag:KZe18Ajxi2wumlaIh0vdzg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:kJo25u619Q==,iv:cbbGLShBpSj8YuRKOwcO1OR5jE1kjOhYyceFsFZfvKU=,tag:FjaidW8G3SybOTw6qMMlDA==,type:str]",
-			"type": "ENC[AES256_GCM,data:dA+zfE1j/mhPr+sSbsb2EyryQByX2TsKeIagq9sc4mK+13ozTjZhJ/U=,iv:1UZo4/Bp/vOrhKYYpxLMj7ryMNHmvyIp0rpan2D7qkY=,tag:g0wYS86I9d/0MtnLAzxwzg==,type:str]",
-			"name": "ENC[AES256_GCM,data:Ga5KYnn2t+SoMQfIoiVj4Io=,iv:JdVh38LC6yJWmT65P2jaKNA7ejCcXln0Kt/vQlql+2A=,tag:zoaFd6VTuDnp48lDdf4nZQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:bV2ezNMb4aTrMR/gwgBb39pm3EbCz4kfomGU/X0jgQU50ngr9qjDhlPt5eo/j4yJRg==,iv:3QLwVihswcqJ1FazV6SOYufGhrZCA4sBG3eNU501zzU=,tag:BkiDZ2fycB5Zdw7XgJoTQQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:3AAz3peMyw==,iv:XZFNHtpZrYgq5ydVKclyzQpMLIemr+N0X4EEaG9X5OA=,tag:oRTrk58T8LXMdp6KB0Jjwg==,type:str]",
+			"type": "ENC[AES256_GCM,data:mjn0fxKX+Vq3fy+rel8aGs8T6P2FPfVtgygbQBK334uvYuNF2kcIQn0=,iv:ClxUU3n+ql/ibEpHZgrAaLIjenqWsvEStMYGMBnP/aY=,tag:gz+K/FixI7kENBqGA0RLgA==,type:str]",
+			"name": "ENC[AES256_GCM,data:udR1vPe73Lv8,iv:iki+drzeJkKisqyX5LiHgmZ1hBjWpqA7ceHU5M0ybcY=,tag:xJ6IkeCjwK6MArHSsqpAxg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:DuevRSMEwle/Bkkrwvz2jRVUCm+3BonyT1KkW5yJhTkgZsorZLvYFAaOLqNYR4KlQw==,iv:tFayMV/2D4/mReQn+x6wLwTETbJi2cv3SNDjLcIV7BM=,tag:v+gJfW4e3vruF2pykDseiQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Gw==,iv:p4OD3sMsv/dN7x3sxGcHpimcbXvkyrwjOiP6z3G2uiE=,tag:XZ/5lHo7BgNfWziyi6ji2A==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:zg==,iv:0LV7bSDD5Z/MtYeRacPYPGGbj9idp4v4wYvGAzMqDHo=,tag:g7KkcG+mqCaZLPFAQJ6GRQ==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:8JabrQ5TDIs=,iv:fzhJU3EDEsiFSwqEAkaab900XTmBVNGS/OBA1XONJWM=,tag:islfsekYvyqIbe3U8xZ03g==,type:str]",
+						"backend": "ENC[AES256_GCM,data:d0hoEK+2ntA=,iv:z14k28Xoy4/j1+WV0kIuO8w/3Tpzb+oVs49b8iK2eFI=,tag:XxdLASxrmkf0bM+lZyt6gA==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:feuOngJDphY=,iv:4ibO/vbHsFwc/GfdBB9VKm9HWNoRf4JE/BDZUgsGTwA=,tag:BwTgo6Usnoq0W0i6Q6md6w==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:nczVkQitUTLw3w==,iv:fzn0x+/EAVVUoi2c+HKeYJ/17T6+AZAnDaQ/Jgg73KY=,tag:saFRVKCSvX9SdKk9FcH4Fw==,type:str]",
-						"id": "ENC[AES256_GCM,data:zhCotrr/NTz43WqcqV9UYeQEFOuy3yV+gzQ/5ODG6Kj1EN6WGZt2,iv:KUJefUHp4HsPyz0nh6xkKSgSB0Evp0x6ohUnO6MRAPE=,tag:B6ysEoRUPsIj9bLx+dfeOQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:B4Rn+2TBL13YI9cb76fdP8Q=,iv:hM2EUqrvp27WXPnA6HsZu4qS3mNiZN5PQ8PdfR6QvV0=,tag:ydB188r+JZoizJ7MGnKydw==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:bZI35KyER8U=,iv:Tmckq8zUPF95RJkGYSszVj0tfWJr0Ogo/OYF+hDSrPQ=,tag:rDVSH9O1fRXkJ27Oeu+rmw==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:r/7henUAmvovlA==,iv:C7uSGLuEaxjCoKoDPqzWixB5jXRMzhBJAJnjX/5ga3s=,tag:niwWE4zw2O03j4mnamKVPg==,type:str]",
+						"id": "ENC[AES256_GCM,data:+zQGoidO/78GE3VI6JoVzfZPPFf8I3smb9TjpzT26Q==,iv:rXwH6+j2AB3+v+iUoiSweTXd/sC/WU1vMFxxRkNko3g=,tag:e9XMZlTOk6jV14A5+6l0dw==,type:str]",
+						"name": "ENC[AES256_GCM,data:xk13DvNjfmOe,iv:pl8hVxIdoGREyy6cRAlNlmu37l7TVJul0TAa9BrJ/b0=,tag:WmJIBgyUm+1jUnYHWI9A7g==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:OvCgTJuS,iv:7UJzHIQ7yCloz/uWbwdYInPA+/ghDHSJ39SisQQyUVY=,tag:TleTjtY5R8O+HTI4VZY0jA==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:mLRhp2nk,iv:UttZUVKsmeIwYrFiZx0kVfq89r5hOTV8bd3wxq351fw=,tag:t48l5yHy/8BpTxdM/dzWGw==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:0g==,iv:NfiBkEGHibAw2govGp/iIkFL0jhZXGZAS0cfgEMcsQg=,tag:aJx223T75dmPXhF2eMSCVw==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:0g==,iv:Ps3cjbuNmSzYZWWz8V5jRM7JZRrg8g7owxoH9Rs2J1E=,tag:abN3Vv8BQr3wbHEgypka3Q==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:gFr/4sU5gSVrzDk+OR4=,iv:l/l3VNMsf+22N8Ag2ceJzrpWQZWRHqsGAFhgImlaQlY=,tag:AxMzMjBLQuI+aU/Cuxc2sA==,type:str]"
+						"username": "ENC[AES256_GCM,data:/h8Bmym7,iv:TsIddcQqFqWs7POotGl1yexZdD41kW7FiEPHzsl6DdU=,tag:ZVOahbZN6HhzfEFHTYPdZg==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:HFfsTzem+bk=,iv:kaSqGtWOViTvwwfz/rkQ4G37cc2LfQsYCYddFMld9S8=,tag:bip6HZX8xtmRYtX1sMhQ2A==,type:str]",
-								"value": "ENC[AES256_GCM,data:VMaNtVRS0AVQg7n75PTbEOxiIE1/,iv:c26cT4W40+jEp6+Zu23SMrxHOvEckJDABoOAStXYeqc=,tag:mI20LLe2Bo3B9Nvzr+3+tw==,type:str]"
+								"type": "ENC[AES256_GCM,data:RjaNVXLJ3WE=,iv:+FtwZHhbFyJqc+S9AADM/OZ+ciF+hAapVtG8yrkaRxU=,tag:1PCFyaYJ8+V9Zx3k1fXF5A==,type:str]",
+								"value": "ENC[AES256_GCM,data:5aFPkvO/mqRmHpRXC7TU90YQ2qC9,iv:zezk24IBgPZv4K/ELg+fb4X+59AfYP+IK3yklMWPWpk=,tag:i7lCUefSCLu4VRPrnh/HoQ==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:Gg==,iv:qhU0WTtA7jEO/a6TIjYWkJS3PCsN9Rw940bvABu74sE=,tag:IQ63FLAW7zKv0S78NDyYbg==,type:float]",
-					"private": "ENC[AES256_GCM,data:bdDjU4d10bc=,iv:dE9V+9UN3g/BfHw3y83HFl/XEmRjI1wwQK+V3WRUni0=,tag:4lE41G9WJFgJWiGopfg+RA==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:3w==,iv:6D2xXNXmVyGMiWXZwkIz4l2Zp9WaVybTpMrhfVea3AU=,tag:9WWnjU4IhIor7Yjx+3JeJA==,type:float]",
+					"private": "ENC[AES256_GCM,data:6/vmHFsZNgI=,iv:ceEz588GI7+jcQigis/ArapxpWVFI5CkEt9YaOA5Ge8=,tag:k/4TKWwfKxim5NkZ9EZ43g==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:b1VGtoxmDAU4AMkNSuzkB1Q1LZmzIWQKuwEO46M=,iv:T4AAzGOKdqZQ34rdvlUKUmK1QXb8ezQ+wei3ZFwJLvw=,tag:+c2ydxOliyibq+L9JP2BwA==,type:str]",
-						"ENC[AES256_GCM,data:ZdN4B6r/iD1Ae3t5rgNLSfqQ,iv:73VJ2Bnev48Gr10jPbtvfJwNt6jleMbPEJQVh5V2pjM=,tag:0AtMZobp3jQ5zCluJPzZtg==,type:str]",
-						"ENC[AES256_GCM,data:1/MNUETf3Wbvt/mEqLgTy2ESZjy2B7DS3fk=,iv:kQ6bqeyNHaIyPg9pKSJZWf1wkOpG2622LOMm9atGuFA=,tag:ZtpzWAfTPEAD+/2iJOQMDA==,type:str]",
-						"ENC[AES256_GCM,data:gh/cwKi4I1D4fgH9CDk5nyEszyQ8nSFUIUgrq0INqXY8slZWQ5R36lJRKCRW/y57hu6S,iv:sBUgOaiYwGHOO/flV6Z/qkRxs7DknWhD3dEQ/nEMF1M=,tag:31EH7wCGd0jl5C0UYQxhUQ==,type:str]",
-						"ENC[AES256_GCM,data:4ibi3DB4Tq2f7Qynzl+8yOuLOEA=,iv:cqdHC+n6dgX4h31LK++3fIacUml360mI1MI3AawpHXA=,tag:uXe/3F8OFXSOLTSPC/RQqA==,type:str]"
+						"ENC[AES256_GCM,data:DJmiW80gyyOQS9C8hl1stsH7THyEEDysVBhXlgg=,iv:iHauVkkbUqawbVSN1b0rReIYaamH0873ARCEdekYbC8=,tag:rB7iPL5WTScI1Dt6ONU0vA==,type:str]",
+						"ENC[AES256_GCM,data:HGA1JWJFQftZlGCeIU+FFC8O,iv:uX5kNXxkcYVY/l4ynLd2TZG6Dl3EdRKIplDluVL/S4Q=,tag:lx+FGy6UvnVomGUgRpXbaQ==,type:str]",
+						"ENC[AES256_GCM,data:oXTDkBdTCXijTa7/udw9G/ZAFZtySjH3dHU=,iv:uQwcpg7raw7Gpe+lkzBYjn8nBFlKuj9zcqu+nzk3VwQ=,tag:m89vyDdSp502hrFENq1xDw==,type:str]",
+						"ENC[AES256_GCM,data:C3aHEBmn4OqT38MNjftqgsaKHRTgza0oz3/Cpy/5t3gzlt2kC+/FM8TwrRrkiPueWzcq,iv:Ro03KYmaIZWKY3qqBIvUab7fYMh0hGvOZ6FTR4A4nZ4=,tag:K0GxyoIaikc6lpY0yHFthA==,type:str]",
+						"ENC[AES256_GCM,data:niYmPlvgEl8xI4htaYc6edVihgk=,iv:qLZ8Yb9aOs4BdJxSaImFdnOC+BjASmmzCC2rcV1rOVQ=,tag:TwyjEQ8xKIVLI0hW1mF96w==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:LS/h9XwZ0w==,iv:1XI98NStscnb4WWPqlhzCJKfZbzi3pXe2xqH4sFEvBQ=,tag:3mp2RSrEFz0VBsKo/ghGdg==,type:str]",
-			"type": "ENC[AES256_GCM,data:iUxUKrRe7CtPIwzT7soesQ2K1waCE8g4JNQw3f0eRUrMfOv0VJl3PPY=,iv:FDGGYNLLWM9Q8Uv7uXvRrEF+nGWVcboA7CAB2N0TBW4=,tag:OdY3L/qYYoWUHZC0OxRB4g==,type:str]",
-			"name": "ENC[AES256_GCM,data:QiNez4mgLDvc,iv:p0DYeY3qnwq7N5yj37cJWxiIeeatHr6iNhD4p3E41I8=,tag:zcsBGNeCPBvT/TLTAg6rNw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:R9ouGdZQ/+V6TPN+aBxFt/rtgstl8Hj2aWbgKrUe+/22HMHLfZo6IqJ28YPx3pMUqQ==,iv:WHhElSqdNQO7J8A69SQ4C1PItF3h7SyDFAthYkfoan4=,tag:1VEM6TTKg8OFe7rpbOdebw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:pdhkt2x+QA==,iv:32g8VN1Q08MJ9akeY0HkKthcADeKJ69a3RD5N7jBqoI=,tag:3AU4S7fx34bmazH/p6erag==,type:str]",
+			"type": "ENC[AES256_GCM,data:OBu1vsO9ZiOWOH3DglAkUGgRGxUHd4eUjoqBwWGJK/0QibmDHvXhD2s=,iv:0jZsAOrrADNr0TiUIlCiTkWk82NcF+lx+jiA3HRF7QA=,tag:k8lg1ibTmU/uC0HnEEDJfw==,type:str]",
+			"name": "ENC[AES256_GCM,data:Yu0E32vpn7CadVS5dzBbqNZ6pA==,iv:v0xq3NYEXKe5uKsPlmQxZtpkhJXc1vFwGgfWnBJvV6M=,tag:J/fHHlt6QDeoHbObCyqRKw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:sQ1naGy3C1DfnBzyNnHZhPbb2G7ZBh3iWpH6Rc0QU45GxEa10zzdFnK7TNmusngefg==,iv:DEBpb3RCPS++5BHg2zEXBrPzgjuwtw3vMbQ/5rScG6w=,tag:qWn0b0c12mNy/c9yXpKFFw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:WQ==,iv:B0m61zfEIudSx9mHqzCGwxmMKtVMnnNc6aYf5Jn7f5E=,tag:B2GSU9pTiBcRwG3fNqFyhw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:eQ==,iv:458m/tEZXiM8PxTVfNgG0R+CRHVmJncHj01pzOCQJeY=,tag:J+mb83DuLPRoFdcRLVCj2Q==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:CsglOk/G1gc=,iv:uZDhwQKgPUjvlf9rITVhyN32YuZe3559MGUbKpEfzzA=,tag:62Q/i9PXVQvBt6hH89WYkA==,type:str]",
+						"backend": "ENC[AES256_GCM,data:K9oE6f5X8m4=,iv:uDkHYGvfhGsKuBMzWklK4gIJr3LAUblZvSgNIkm0OJg=,tag:kOFMBY/4gjLdT3pxH+PXFQ==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:PTu7jtmlRvg=,iv:PMYSSklTdf/LQcEaf0NVVPoVVeQ3gbiIZe05PTptf/Q=,tag:djyX46wIbdh/5Oc0aExorQ==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:07+gvSUbmejJlw==,iv:38v5kudqv08R5+OVnJNf0Ft3MmhGi/eSbFmtxwvSTVg=,tag:zy4fPKBtX6KmJAf1XnWPIQ==,type:str]",
-						"id": "ENC[AES256_GCM,data:5jaaiqLpyhwRcXZ6FznpabGL/6GFcgsTVi9cCpfKsw==,iv:7owX3jV2OnTPJKgvWXZfLrK7S4EcO/94LI71j/yRgWU=,tag:Xjud/cLVdJVfiVK2IJd2DQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:/vPlGfuwe/aP,iv:JdN/GiazON28flgfQd0k/JgSclMj9RQj7nkz70bl+AY=,tag:fEPHeidY5zYMTdFu/K4pHg==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:7gm8SfOKRA4=,iv:NAxqYpFRBAH5YHhjDjm2vjl07+qpRhMrsz6aMCwarOQ=,tag:UE4u5PzDZI9XJasXmziC2Q==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:nKGhuL7XUIerbw==,iv:68R3Wnf2pIyO9D5YsMockd0BSX5rlS7WjTZPernNYOo=,tag:UwJynANfjlPIbD7a0gMQyw==,type:str]",
+						"id": "ENC[AES256_GCM,data:bD3mLjHXEVpjS01B+oYD4cqtVuzTGmpe/y1atZGKyX2O0k0xJtHFR6w=,iv:5KY2L8uSZl8BnUjcTmUelRKRGTW97sQ7L5WdgYNRh5Q=,tag:/tDTdUZ4RLHhdsi88fPC3A==,type:str]",
+						"name": "ENC[AES256_GCM,data:QVppjY6Bwlz2YyFlYrxkQdwChg==,iv:BwkOBXPSUXt5YhoP2de2STLqca5tR1dQ35epf8O7NxQ=,tag:U6LJ3giJkz/lsW/DWTUy9w==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:sn4mF3mV,iv:sWu8ydLK7SMWtmJ4Q9twLXu37x9XPTIlXGZLUjNrAxY=,tag:WPLKbs6BPhmu787gukebOg==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:9ATASea2,iv:iSaLR5bblnpkY9sdll+y0/xUjTyd5oCgmpZt9s20EzQ=,tag:xa/+MW8XM7zv65je/8UppQ==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:QA==,iv:z3SPtcPRrd+Z9IoaxnyE7Ggo9vlVIXVTAzGQUWrZJDM=,tag:evaNoZ+OUB8gJYo1Ti+p6A==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:wg==,iv:0SZeq+mYrXwrxnyv5IB0RjMxyyoLWFoS3764nrV11/Y=,tag:p+DU58XPgKs42G41aNTS8Q==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:KAAlo3sd,iv:EHdIIj1ZQVKy8Kz5XoRlWpexNa/C6q6rDyhsWnOC528=,tag:Djq2aGjXRxAEYObgUmuvQA==,type:str]"
+						"username": "ENC[AES256_GCM,data:/I7yXkyAHwNdF1Ve06p6Ew==,iv:kIyBXO5w1tBKD5CqsB+yf3VDFKGvJ7a65k0WUdT2Eeg=,tag:2PxmUo7nV8BPmUKU87depA==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:zwyVn01RMiI=,iv:liPv+iCtlafKV4p6j/KnZq9ITpcrlYggVhvrUWbhm0c=,tag:roikabxQqAV3jq5cxbkDPg==,type:str]",
-								"value": "ENC[AES256_GCM,data:6GqrgwfELpU3Fn10UvnYEH3oyuy6,iv:jSC3nOeN9POVA3NOkk4DHDmibEgxX7meBn+ZbUG9t5c=,tag:akbA1ZsR1ytREf1P/eFjpQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:t+WCwRIeEAQ=,iv:KuQuwupOUZeLED5PvgOhrNnvmuLqkpL5EJTianiuiVY=,tag:76XVMfgewtWSOUsuFbzpWQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:K7pzn6sNmCu0hAzq5JmAmUuSFygc,iv:lcscW7UQcXzHBJYgIx8PVO/PHQG6QeGZRU1wi+Usuzk=,tag:o3iiX9GmAcHYX5y4OSi07Q==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:Cw==,iv:/vJ0lAGYihyyfnRZl/4Sd4v00sVtyzyk6d+qo4Hh07g=,tag:bQ9xGFYFd1QWz6Md218XBg==,type:float]",
-					"private": "ENC[AES256_GCM,data:+rSdvbC86mo=,iv:eQ96zHjsHdjzkdASbFRaXerg/dfw7oTxAr7M5DbZ3Xk=,tag:dVYG12SmvcchIF6Ay5yPRg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:0g==,iv:RbGhF1mBD5u2KasLAgaStn+n6NSkPHYd6smZxthdS54=,tag:hlNcxWe0aetlvpd0zV3A3w==,type:float]",
+					"private": "ENC[AES256_GCM,data:I7gbQf0zEr0=,iv:qilYnnpb6AKKXeuK1JzIxmCuyhEnfjDCKCJ5RDtJ2PA=,tag:Fml49x7h6Zky9dsbk0O9Pw==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:bqgKnGeUahZ2y26Cor73CFpqXExuYEDbPxOKAXo=,iv:lok3QgMII1xkhrU//2YojecG/QIsMMgo+/hlMTG+Oug=,tag:N4yJUrT2NsNWftqsWyFJJQ==,type:str]",
-						"ENC[AES256_GCM,data:sRT/BFBow5pRaZ7brk+OGsOT,iv:EaaJ20+sSNT1GuQH3Hgya3wqTPz3YRlem9kQPB/MlTA=,tag:/3WGnBnR1324BprwWbAnXA==,type:str]",
-						"ENC[AES256_GCM,data:LJrq0v/Gc+kSzdvCbe7+0KpxOFHyvvVNuDY=,iv:pTz2xdgwL2ftHPEbZBRw5VO4KEQo0sNnjrxpSTMvsAM=,tag:h4HwzaAR2PxKvOvJudnciQ==,type:str]",
-						"ENC[AES256_GCM,data:XxWgfn3rXOXMyH5WYQBcYpQr6JqjHKfIFV5ECRJq0c8Ugv5wsoMkY53s/EnH+5Lwr1+U,iv:tX+VbQO8I+lvGskhGC4qfKgYMTj6e4mI1YEvGrcOpIY=,tag:dRDxr4zgQJIQVbtUltNKSA==,type:str]",
-						"ENC[AES256_GCM,data:Tob1LxvaOPOEQc10+aTeuInMiG8=,iv:4HXzE9sIR9g8K+KWZ1pNaCdzVaGPI7A7w9KqtDbMRRA=,tag:TsxuKFJ2UhT87eSZxacYuA==,type:str]"
+						"ENC[AES256_GCM,data:Fr4z/HFJQBH3JsoDfXnvV7MmPd0igoSp+5WyAzo=,iv:K7fQpymUPPzorW4Ge8oQlpJbVbyR3AZ0kxxNrV9vIIA=,tag:A1fRbWPy6jMH6Slc+mdGRA==,type:str]",
+						"ENC[AES256_GCM,data:lr8uE+xluuvHRKyvTnNPv0sG,iv:6adNolFkqibsLp2KiySi/QEnpirkzUXuZJSmstBGAAg=,tag:IHQS9kk7uo43sKvbKCTVmA==,type:str]",
+						"ENC[AES256_GCM,data:iQvtVVVr6iCx64ULMeO4Icw+wSAaN5GGD54=,iv:QSEZsA1wYZkL/jI4bKtQMEFSdmNMlNCZAYZGkx30BrU=,tag:I8pUZ3CIiywq4Q2fzhDhig==,type:str]",
+						"ENC[AES256_GCM,data:Wril64SuO3i0itbTEuqn8ivkM+cAwPrPTbyV/A8/BjYPz+8wlw8lu2PR1L8BRjmkMxRB,iv:0ITPiHZpmHIIn4xZqdsVLl9r3wdgERBAvI34vpslwIU=,tag:Fe7JPz4hTWiGIS70jXNPFQ==,type:str]",
+						"ENC[AES256_GCM,data:H89Tv+6WfREYF+H1JDF1slZku7Q=,iv:jr+k9etOXiIkpF+mZkOpPG6RpeNoqlcYL9F/HhieHHw=,tag:E63P+6EMm8NdU4sWF10pTA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:uv2y+Mej3Q==,iv:dSH12asMhIml/V+bMYyppL6V0gdlgKQ9pII4Itrgex4=,tag:EM0vjnbCa38uM+1ZJ5G/zg==,type:str]",
-			"type": "ENC[AES256_GCM,data:2pZoT+tYbcf5gOA9Yf5/VgR9mxqe/qx4f/y7QlYoL9k76sn/s6vVZ4U=,iv:rjS80G5EkYklzfbqYCU16OXh8suDnVTHH8W80nEExkI=,tag:CuCwj6BGwnn/LGx+YqcGPA==,type:str]",
-			"name": "ENC[AES256_GCM,data:OMG1YooZzXsmXRxHMWOGmbqIp2aw4w==,iv:K/8GvNbStzJL2b4We2BlD7VLuYlsno2J0t2b3T3aTC8=,tag:7197OU9nrDlmjktMh/CPtQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:rBhECEJTi8rEEXSVwaqEduFiuEvnGJR9pdDYlv9dSDKCthaGiD/TwEgJOUecF0OvZQ==,iv:inEmx4bhJbVmI/sdd0opiKBEZ4WHVnV1rh4Au8yNP28=,tag:HhKKpc//n9Lbr2RSz/MAtA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:3z2TIyLSiA==,iv:+NnQxDjqTwgmvRivb7NSyIaNvuxPv0HA0B1fC/4X+VU=,tag:HShZ3m83cSSof0TRjgLb/A==,type:str]",
+			"type": "ENC[AES256_GCM,data:rp+e7LjK58rNHAdb0BpGd1k8Z8s8WzOutVKP+bjRtXZ2Pdl5ouenVws=,iv:tcIf4RJXYsVfq6qB6eTEQ7lKs1LZ4vJRveD6OLbfhVo=,tag:5ZZu95qxBQuNwgz1nsjMEA==,type:str]",
+			"name": "ENC[AES256_GCM,data:uxsYnRdCOp7NYCZyBQ==,iv:QWsEzAqORPKl+pNreKwGmVJm7iKQv6NZUfSego37Rsg=,tag:oe97RFCL6w6uFGurrOkm3g==,type:str]",
+			"provider": "ENC[AES256_GCM,data:r/uShEEXKT11FrPffRlKmaAShiNM7M0Cm4BBTK5JP36J+f9nOKDD3V04orxjML1KGg==,iv:mtZnJ/MamTdHX4atBHgbcnYRh331zWfo/hq+yFDemIg=,tag:iXjGQsMFdAWtVqfK6BX8fg==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:UA==,iv:q29FHex4kDJm1VlWWBoC1Q+tyjQdsDtr1UmKKWCLEgc=,tag:OF2wEUJZKs5xoXfbb6U93A==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Bw==,iv:ey1zQYFcyZUoRxuwp9m2eiv3LgcYlhoqLiqP7T5w6OE=,tag:zWi1qMP6p7TIPjCRW9IS+Q==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:ey9MX7Bsgmc=,iv:AV7C5fHEKVuq9fKVwGjrSGdAFheLtYXW2+BWJjdNTS4=,tag:mdlb+jvuUXBPPKHE6OVSRQ==,type:str]",
+						"backend": "ENC[AES256_GCM,data:EiwI3DFwBgk=,iv:z7QEIlv0XpMQvIxzrtjEk01QOYH1veCPA229A9w/uNQ=,tag:/by4aM1GBRBugH9vQJwXBg==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:OtyJPdTaq4I=,iv:SbSrejz0ru9cez4o9BGW6GS5al+cDXgQXOmBzj0AXy8=,tag:kjSwKlmTvR9Vmid5xsyJ6g==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:c6DIYBxpFa/bMg==,iv:DVB4XGsUHkEdYWTtZaNAON93gkixo0DeRkF5rjXJOgc=,tag:HOhp2fBTEqMns6BoFsZ1ag==,type:str]",
-						"id": "ENC[AES256_GCM,data:1g1dmdBmQJfKIuCAKdMQ+dlgsklkWgspqka6N+SC8IiSi9WVZbtPa4Bo1Ps=,iv:QxfwOoQCd7zRHS9BtM4BB9bX/bA2QgezJCKz2YK22NA=,tag:o97aPxoXSPV48BD+keR8UQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:XTzqapTqHIgOApywWSDSl0uO+wEkSQ==,iv:7OoGGaCKj+1t2Tbwki/xGh2CA0L/SLGANP8bjheAGEQ=,tag:zOguP6Kxp2tSIPtwa+KY2A==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:bMF4CsOnA9I=,iv:fkEwOzY0tmdXKHlCb0pZ//EmU1upXzdMRfnUyOO4FbU=,tag:0iD46GoTTZYmfs7ZH48+QA==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:tWUAPgkl8jtUUg==,iv:cxUoYp2jIEB6tbgaiahpnAn9Z3uHgj8o1ArCtTEo4AU=,tag:3TlRQhvrmIJtrN2+VNHdZw==,type:str]",
+						"id": "ENC[AES256_GCM,data:1eTEw1Apw+IOqEeuT9uUsWpfmjWOBTlhzJvl8sacKb+st4c=,iv:xKguvWXGgFAla/gzit7hHUrfASXT49FrG+o5tOPUJXQ=,tag:QF7Ur2tZcwC47Qh9mBac+Q==,type:str]",
+						"name": "ENC[AES256_GCM,data:EueMzDGtMNQOcamp3Q==,iv:KdeOfG1jyYQ0atZnMzhgnqS8t2ayasz9LfclkDMsIf8=,tag:2IX5+y7JbJL7hgabBbfQhg==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:OHurVt3H,iv:w2mfhNkmR4a9JY7mDDgIxQsO9ymZIWout7laZAO+SgM=,tag:mt975WzhsTcximVgrWc7KQ==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:nVJLRpu/,iv:TR6FVQV4QLME/JPon/VmBs4tKxfM7SbJn+wvrhaI0Ho=,tag:ePXGxmr0YzQVzfY9T3eRwA==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:Ng==,iv:5WNlyNB3uL7LRo1CKW0WrdM01Eez56UllSYthDD85ks=,tag:WeZ34B4fZ5/G6dsAFeuecg==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:Gg==,iv:e3SVfCDY0pSTcb0lBtwM2nhYnIAdlD3I4BnH/vSS8sI=,tag:nW/vtPVU0xtiFIpwDjrAGA==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:Y1kIx1JgobZBKHikmolozo4UTA==,iv:KqCSL/v2rziyJb2gJhgMfE3LY/sEW9EG1xLLSXgDVjM=,tag:uhZ7JlPsWBmGUh0v6oD2+Q==,type:str]"
+						"username": "ENC[AES256_GCM,data:MTSSVlHiDoXFIQ==,iv:94+ltP2J/S8YgNVIWS2dFkuZmoxOGj9BwIHkiZZ1FsY=,tag:p6R/Zl9OPT3mNOq5nI6ZCg==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:BgCANSQzFwY=,iv:+wEEUWzWKeN4iT19z4bu3FCp0I6iTiB0woyQ+UPTJhE=,tag:X5bxlWc3qu91R/8DoZvM0g==,type:str]",
-								"value": "ENC[AES256_GCM,data:hnh81sB7jsu0LGxCXUetFApa5Rgr,iv:kt9OXCPO0La3gSZ0fIftT6LNRMq285blRXGQFUXbVNs=,tag:Xs/wTwo/jBj8bffEQE0YCQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:WWGi1CTMxR8=,iv:MYWZKPt99WRAhSdMjbxg2xR2EDO9OdsW1qU4SfmNZuU=,tag:GAaB9cVbwQe8dtovj4SkWw==,type:str]",
+								"value": "ENC[AES256_GCM,data:ETFW/wn8ngkLL55ZpaBKwZcW1JSW,iv:0GeCq0fr+3PWwVdFb1ptzn7cnFYkfTKR18aUvqkC3p8=,tag:n6dRI0Ob0Dv3C0BG6YLxIw==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:pg==,iv:Eka5+4Hw6UDT9d9bApVzaJYjXOPGNlz7QGTFx6/5SrE=,tag:EMThAPD9+/9EKUe9djPvcQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:KpMX0/dnTwM=,iv:mrE+p0hC8Rs5mb5pW/CPupCMGORIZZjkEjhOfv8R2ak=,tag:VB8yql3FZh/ze+k2VQcg9g==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:cw==,iv:0EnWIiqP8lXvR3YICZf28Z3bgtqYF+4mItxGohWb0lU=,tag:DtKpurvWChgw7uzxoQ88Dw==,type:float]",
+					"private": "ENC[AES256_GCM,data:d7fSGnch11E=,iv:lLkXrFlF5zuEl64ENRHyF7NcjZNpkvf3yyNcHKJC1lg=,tag:IJ5UfS6dg4P0G0VkGvbkdg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:OG59Xdmc0wK9EKuOkC77G2jNh8MucE7AdLJZ4dk=,iv:zz8NnbygxgHeBS51z6y3Awi1QvcijTCIe/dUhoi2Mxo=,tag:8kVmKG3hFECNVozsQ+QhnA==,type:str]",
-						"ENC[AES256_GCM,data:P9fOOl85iyF94Y61ajoVrzR8,iv:ozC+lK/WUGBK4dV1ZtHTmMTItVHdrEwFNDmKCoLQv90=,tag:AAnMHYXEWNaTUbL6HGDH4g==,type:str]",
-						"ENC[AES256_GCM,data:L3b3gZ6BWFrxxYNxog9lqrs1t6egyI6q5Uw=,iv:kD54iKl68wW7oOYY7tK8EotwuYTwGANskrvs+zOstBE=,tag:mTH8JGrNObv3KwM/eyC0jQ==,type:str]",
-						"ENC[AES256_GCM,data:9ubwTRsZONHrfI+HMqqlp4MMW+D0a05saz0qNOizZlrWLOh3UnyDRcZlHEZ28t6bkUPP,iv:1e6J6t8bmzaL2qRhkF3QFdwMPsHO9EeM5svkqj48Gak=,tag:sSa+rQgsnEbp8GqczyZWmQ==,type:str]",
-						"ENC[AES256_GCM,data:oeZfvW2VX9SPJWdy6ZsmtB3bN4U=,iv:t0bWZxU+6BOxOjpPQ4uMt9lHG5iEhMJV7B9kffZdxkY=,tag:uHhBq7cBZYmgjdtuHVqAtg==,type:str]"
+						"ENC[AES256_GCM,data:s30EJp87nU4TALXj2N4NYA6ZLUuLSPw48TK6xL4=,iv:I9Z41q1W5FGXuzepJ83LaqUy3UzaCEkkGc4oWlAskuY=,tag:DNIYmrBZFMgK5tfS8FZyLg==,type:str]",
+						"ENC[AES256_GCM,data:ODGloBUWeGWwUNv5Ll4+5IA3,iv:01WEmYxWefJd8nNsPbeIDvGKTN2JosvuWoJ2Zjfbe4A=,tag:7A6QR7pk7VNl3sLyRAQXTA==,type:str]",
+						"ENC[AES256_GCM,data:tTYpir9ow99glE4Yz43/v6QrHppunGdvGTg=,iv:z1U0UChPtOWQ0hJQb2P/chxt6Q6BVYXkodsdEZ0vwmk=,tag:eewsk5cIl7tvY48FT9AEZg==,type:str]",
+						"ENC[AES256_GCM,data:AniKo1CDFTOi917KO7u1cWwQxsPLYiPzosfHd/0eacUUcmS5iVLYtBHGzEwvTPGJZhDZ,iv:Hrp9gzSPU9N/b5WVR2T3k76Y0vDANkw+xKKO/xxh7UA=,tag:onIayA/FUbQtOimqpWGqIg==,type:str]",
+						"ENC[AES256_GCM,data:LAqRS6sUO3tL2mb+2Qigz1IBGRU=,iv:pJcFegFurkiU7SJRrHjc0JJ1B5kuN6oWKljGYK1HXXg=,tag:niFBB0kvL1VoFAduJB/r4w==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:YoUGhPl47A==,iv:wQeMTp0NL/S4l3rTqNFoqHfgkqUv/m/4RDYG6kOLZG0=,tag:A2ViSr8eSjqhBEdqImh8og==,type:str]",
-			"type": "ENC[AES256_GCM,data:KDAgpkVym3YxkVcYAJC3xwQx51hO0S2JnfvNdQZrqItr/4WFIUJNYjs=,iv:5zDD0FXwfjMtWZLcVPV0Qr1oxTBdAkWO9Zcp5mil5+w=,tag:Wkvb/e1xk3JaEWlQkRvz5A==,type:str]",
-			"name": "ENC[AES256_GCM,data:oEAxw/D9jHrFVahU7g==,iv:XZsG/nm+WUMwYDS2wMCBbPnWDG7I0eCMs1ZTGjLFq68=,tag:Q0ie/NGL6wwG35ldsPMozQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:jZ3no9Oyw+HGVbEhqTYekIWgCA6TJ/XVt7zslhrWS8nizOR/syWxemPK6shp/YzHYA==,iv:DzvxBVwALr9r/J0zUFuMlJ1HSwvKDDgPjwEOjQgNDQU=,tag:vC3/ZlxNdf2pPtom5hK/Rg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:+MpXth/pMA==,iv:MFuSytn0IOnm1jyAhbrmSGNMeOnLRePD+ZX76vwEGKM=,tag:zBhqZIJSQjY5lgYbNm4PAw==,type:str]",
+			"type": "ENC[AES256_GCM,data:0GIB9W903TOye8iqgIfor9vjS7sCeBttwchv2JhuXpcZoeXzsVPvA3M=,iv:jXRHQa7JYI805C6IfMXQgwb9rvUP6Cp6LU86MxWrhVc=,tag:gcu5iPX429eWh6fmvptl3Q==,type:str]",
+			"name": "ENC[AES256_GCM,data:8mFpLusX0wKNj4YEGA==,iv:7c/3TGF7BWGQeO36HqdofDphF7mYQvh545uTiZ2Fwo4=,tag:cqMvVVLTLo3iHMuekxZzAA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:yCTXsne1y8LZHVJxMtzPuqlufqaBk2vLZtgim9h6vNGlH6smGebVqzbIegP2tG0t2g==,iv:Y9ZZhKpQmruBa7j4ls9QfvxNnpVk6+ENGjOC6XUk7pM=,tag:9iE3HQs6gYkfYTt8ef09Fg==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:2Q==,iv:BG+tl02El0zauCpKYuQoW2gS+ZzebLUe3J3GB0dYvdU=,tag:re1hAegdJCASCzDWw/bjug==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:6Q==,iv:2g+cVq7O0EullODfuyc7e/R3o3QhsDVgjbVcc2NrzpQ=,tag:ai5MMgO+ymUY/dNcO6zC4A==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:5oqPOszsHuY=,iv:DSzfh5lmA4P4sRxxC++rFtOmstZ7E2Vrsa+SILd8o7A=,tag:2kg3pArrv4LP6YYDWcL2/g==,type:str]",
+						"backend": "ENC[AES256_GCM,data:mSy3ymUTPZk=,iv:EXoHXHXRpi7KdOODQ4Syxp9TAUpU8zGwY/ojFkmb59M=,tag:QqiGhI/nbuewwhIi3jgFKQ==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:I0Az35PHYmc=,iv:3JODVg1cX3JwDgODU+PvJfhcosVq89/neRUFyecDzy4=,tag:P3HYtNY7saG/1PxCnfr3xA==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:RGsvIpfS8Os3CQ==,iv:ioGqA7X1q536MAFWLmde1IO6dyZxSq82A2Q1LV8RdG4=,tag:VTIC32BlvFYQ7jorU9xccw==,type:str]",
-						"id": "ENC[AES256_GCM,data:rVbZj/zjxuJCsdtzl/Vq8Z3d79YdmK+0oKQ2yoQ1qSx3uMk=,iv:0QIJdqWMySPmThd/33UL6YAPSCO62tM2Ec2E9L0lUcA=,tag:+uFVXMbD9Ymv1f9fMkqZlQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:E6JKxc1aFX4LT4dv7g==,iv:XzBpRdQtJHqoe5BeysBcNWVYQd87OUfY6gv1lVso6pk=,tag:dH7kDr8tkB/DJ38UyTXcRQ==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:qwHIhPdnB+I=,iv:aFuR9rq/I53Ph7BYMF8XTToyMHfdLov0J8MdcugtBxE=,tag:3YaoC4ts2Nq6keQExhlj5g==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:nIebcX5LzRg2GA==,iv:fq9x3/iY60UHodkFbx7ZM/WjuXaL0WQYhMPV0efggeQ=,tag:buqsQjMzLVmkn9t5oz4r1A==,type:str]",
+						"id": "ENC[AES256_GCM,data:PYnwqe+cTw0MsvboJWzFRR8fi6oOEm5fEbKBTxNL7dY8/NY=,iv:ccaEvE36Ap/I/XMemH2svqfxmUWgiqLtPxz0f8pajLw=,tag:iw3R55+MnKFPDCToR5Da4w==,type:str]",
+						"name": "ENC[AES256_GCM,data:kOjs7Tev0fx+gpBftQ==,iv:V1hD6VkmFrf1Gvd3PZ4vkLUdI+j1yfLChZZgXgw3HGc=,tag:i7d8rzVkqk7s8Zd/o17xYg==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:bXp6cFTO,iv:YEjXm+zFbGwDwDvSY2K9f8MD+BA341bGkTVACd0aa5Q=,tag:4in5QN2ZdGYg7ZVvxN6H+A==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:2CPynSyl,iv:/X5YM0Km7gDFoAhDnn0zw6nCq69k3I/C22DlFqCp+l8=,tag:/k0PKCtrP0fSDPd7ykoGiQ==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:XA==,iv:oe5NfjF0MQBOxLcXXr791jIlPCIg+x4JVi8CGsNsNL0=,tag:DWUIISzjfWhfWd4jR3DJDg==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:1w==,iv:TCgE3s5mVJniq9oONLkUPvOpjNr8dR91Kylzs51OjV8=,tag:J0cfyh8GViaMrS5tYWBY+w==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:CfDXBOInlVYCcw==,iv:FZVlnNVFn1ZqXBOoTtKJSxguRF1fzuKd+YrQ8lPA+oQ=,tag:R3rP3hbi8v8NFajyhguKTg==,type:str]"
+						"username": "ENC[AES256_GCM,data:6AtaXBZ3y8Xmfg==,iv:i0rL8QvCFCEsfkOk8YLNB5Z0mls69l94XTwScqjovFI=,tag:fmQTqofbICrf6MAzztAPrg==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:xgR03gpZgnk=,iv:sLTNgr9rFilKBajtTIQm/BJUEUeX/IdBBtIcDP5sfxg=,tag:yLKm3gyfxLqbuOg5MYr4eg==,type:str]",
-								"value": "ENC[AES256_GCM,data:6IYMhlS8MFbvY5qCY8vhzBK7BEak,iv:O4SzQxS2RqXUhmJrYe0r/bcm36/Q+s3EP7Hjy6WiLzQ=,tag:NE5z9OfApmPNGbI04GRK5A==,type:str]"
+								"type": "ENC[AES256_GCM,data:QvUutJRVKhI=,iv:cUndoyivO+ML2IAkQO8nDuuObON0Oyzd7P2R7aSYq/A=,tag:e8B9jib6jTAk5UhN+vjy5w==,type:str]",
+								"value": "ENC[AES256_GCM,data:e1olVSb4uTQqs6VafotP0wE6d+CX,iv:ER7iZ6TJ7demcuKyqrkmya0zKDOe4/J7cUaZ2sdtDHY=,tag:5yC5N1sASa2icKBRqUPcEQ==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:PQ==,iv:knHt7HNH9WgNUEfbvL+dJXE9m4demOzwrEWgyQoQghk=,tag:B7EEUgWtLm0zXalgCI+xyg==,type:float]",
-					"private": "ENC[AES256_GCM,data:AQ23BrnlbEBu8dHnF7wXbpwGWp2woeJ7GScrUkNxfbM=,iv:JxUFV09dfVLOBWCZsatxjxMu0W4tTfSmFQF3mV3BiXU=,tag:55HyMxcdLwtaC6oEQ8HT6Q==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:pg==,iv:iKiCh2rlehmagnOjzvq7+eWsRRrK1d70eMH61NbORH4=,tag:AZjRx+kT3pSIuuDeps4I9g==,type:float]",
+					"private": "ENC[AES256_GCM,data:u33RPuv71Ko=,iv:onuXrTo8vzJwqEAygEtzQO4nxoJAKZRz+YLKu+8j7SY=,tag:qhS/WezOX5bfcyI77m/F0A==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:FXXHVyQ8zJOrBEwcjtMw1S3cPzEuzq441Tfk3IM=,iv:xyyUFKEvY7VwaXsOICYrUucds7XsLVSfGb8K/HXMuzE=,tag:fHZhVSfNr4jeFBcs4VVPPQ==,type:str]",
-						"ENC[AES256_GCM,data:EPMd9MeYDsGZNVORPfCYQE/S,iv:GCcZvnZAoti810cOdpep0TV1GQxTZTrcmwhxmmVYoQs=,tag:Ne5BsGnsC0+Zpvw0mnXANg==,type:str]",
-						"ENC[AES256_GCM,data:Eu+09N7jxBYwksc/cjRqDlN7PgtDLDJYUiM=,iv:27rVbIbqPQNLNa2I/bTQK2OGIfI/S4VXqcA1u/cv2Cg=,tag:Hd2oWel82HJMNPGCH347rw==,type:str]",
-						"ENC[AES256_GCM,data:QtrOm/chuRzUnR7inl+Ef+6ARDJkh0jBJIlqw5hCtt5BE8IF42h8mXEpBKArEMYo5ST1,iv:Obwpq6YRfWCOOD9va1v9tVzJjkqxYPN/gJteKcW0qe4=,tag:yPrGdUq5AW04uvj+j6tlYw==,type:str]",
-						"ENC[AES256_GCM,data:b1fb3bRKjhxe6eMTNHukTIJXF58=,iv:7DxUIamDC7IDno/8oGHZ+WnU+WCSWsf96V9n8XJygNg=,tag:ZFd73UIz1kutlfNgaTBX+w==,type:str]"
+						"ENC[AES256_GCM,data:FAFqiMlNuIKRhE4SkKaSw1tVToiDz+NxBXa8vz4=,iv:/k+QcAr49nwWKxBYVItYA3uHICaJEGYPdQEYffROV54=,tag:wmk7xZpBphruIdcqOX+dcw==,type:str]",
+						"ENC[AES256_GCM,data:5Yyp7N4h7PrCwvZsatKhp5PC,iv:s0OxMmEXijPcJQFzGXi9DQDVljK0lrCWSbtJfpsuwbA=,tag:gA55xU4RuwIRi9U/I2PyRg==,type:str]",
+						"ENC[AES256_GCM,data:ZF/c9N17kXunk0BeHquH4+UcEmkILRXKg9U=,iv:bZsiAPl38cSq+pFiLjhq+QpKMS8sAZkXEx3x7WxSPYg=,tag:7/hRBfgX9T33VdKF1D9dQw==,type:str]",
+						"ENC[AES256_GCM,data:NiKhtNeVOA0RfRSPlwBrXuREPc8/e3/CJ+0C4GfchAtLpyng3Ev6Enegazz3UjYsWORT,iv:HdA49jAWEeUYgsian1YwaGp26DSOZ37EMiEhvIlWyWg=,tag:oG5CKDTs9l22lyk6b24hHA==,type:str]",
+						"ENC[AES256_GCM,data:N9kFUWamxHiOCwOhz98znL8B0qA=,iv:No98AVVBOobPiQv4MEY6SDzRk3+ZuhBcdECT8nyb2bs=,tag:X4vlBoAGKxb8R6WBSBKWhA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:8IN1E8Vx9A==,iv:aqputpa0gXflj3BSvQwK230hTdTkrL2jaDCI6lKfaKE=,tag:BHLYqAQ2HBezH3ceFrt1Qg==,type:str]",
-			"type": "ENC[AES256_GCM,data:HL7K5VFzVgDXLZHjMZcj1U27ZkMYD6VpqeAe1zKeefDO0WAahsWbKTo=,iv:mMNzmyyR1hwGJCHIDabX9hf28jCIDoildHmmZicEQLE=,tag:9xTZHXyV7i+hIGNeBlBdJA==,type:str]",
-			"name": "ENC[AES256_GCM,data:/1K9Yu1kX4gUbqhC4P3IX6HN,iv:xBdZRq8XY/das2bQoedPCCYuYpBebRvlJovHjVIHRFc=,tag:aPABox/UVnc18HLN0LJprA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:bOnA5pfFhE9qqJP10qOlW6xmGNzVp0ZUQGAYJbeLd6kiU6rQ5XHuBkxi4x1LdXFJyA==,iv:8bsFnO74+thBdvwDEFxtvsYJlAkS+7ns3wRptFjmZHQ=,tag:tC/crYZ4t2HhMYFkQ8g2yQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:StCM7PMBPw==,iv:lzxe9SqBetjbuduF+dtzTTqJ2qmorwmkYKjRWbquMRQ=,tag:jeWYHR1FfacJDN+Xt8Yn/w==,type:str]",
+			"type": "ENC[AES256_GCM,data:i9bEJF4DOvsfII0Ak3EYb5lqqMK3XxHEDjF/LqsYj5109sH8wkSW0aQ=,iv:v2xITFY0Z7TYZMrghFpTTm5lWbkzSJZnlooT5AAg9+M=,tag:o+I5xavmDT5+Qj7GWu3b5Q==,type:str]",
+			"name": "ENC[AES256_GCM,data:rUX8tB3QX6qSkyoAfdnqRrOs,iv:EdCWjJ6+YLWf4I02zRlqmkhTIPKG9kqa/hAktUg8o7M=,tag:xEe7kbWRxoUHEcJkx1IVqw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:RnkpQzHU8DF5PDmuEtURxzHhY4sc5q+ZeJjHmvkck1cOMGN8gC8OLZ3teunGIQ8rDQ==,iv:qIro/BxAk4rmOzRmUN+EQ251Cd40ZsFQ2kIelF/5l0U=,tag:tJi2/Ety7DrAB7m0W7z4Sw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:mA==,iv:g5iB5jeoOwH1LuCXoILlnboAJpGqBFuyDZ+2JJGpsaI=,tag:xbgnakblfFdYbpzgEfuAKA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Mg==,iv:fUl0Ret0DQ6Fqj92R8THoTM4ti0hGvpIplpI6d7OEUA=,tag:HUBjljyQw5bEJv7gST7B3Q==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:MBKVr4kC/WU=,iv:y05VeJ9WsMC6FfgBOU7rUPHmRkY5OmfWBGK6H9dYTSU=,tag:IusKeLN3RladWiRdMk7vhQ==,type:str]",
+						"backend": "ENC[AES256_GCM,data:3MciN8gKAQ8=,iv:suw0IxTigyqwjMdX4RRKQpl/DO4eZ/bIajVJgAFTywo=,tag:GR9tlK51fYTHRWUgSwIuZQ==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:lZb6ujQ0wxc=,iv:J5A5z8MafqK7DIBmdnAhaw9E91yqJzbcMeu4z60shGs=,tag:AXIf5ZZCyh6z1hA5BI0+NA==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:ru6gfbClcOU4QA==,iv:TMYsDYFu6d6p6Rq7P2dQBFDtoQKg4CTig3tD1x9HgrQ=,tag:DRdzBXkTZID8iv3D6vg55Q==,type:str]",
-						"id": "ENC[AES256_GCM,data:C0xxmU0o/3WbomV7GzB3pTvffY9QErFWZF76gFTJQ0DKlyTI5Pw0lg==,iv:OcD9HL9ePAGrXN2sfPVeAoceFXQ4Owsg2DY7YG9EMxw=,tag:Wb/vnVX7RvleoMdbyUcaHw==,type:str]",
-						"name": "ENC[AES256_GCM,data:b6gyg35rCaSaSfFR9hqLHQ+C,iv:1TmeuPT5gljg6bcc8nT/yWDXx214me81LD3Nk9HY4z0=,tag:FCm0t5s/3Ex89ppZZVCcgg==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:vQCn02U32B0=,iv:x4rf4mkFf7AjUiJ6+YkqJzYJs5eTp8AUdtavr6i4xaM=,tag:s3yGM4XxeebXibZHHV7iIQ==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:guuc0LEvfF1Gyw==,iv:qYiQW4+Mj32ck+lwfM5Z/4MuNcNIeajP/ol8ZTQTuh0=,tag:0SbHF9dh4Db5kqPM0AaVtg==,type:str]",
+						"id": "ENC[AES256_GCM,data:mqwwIHaTYCZpasY/dvMy+TcqKwdfWm03NCi5q1jEi69/2zmbY6ts5A==,iv:YlJWRgYMO0hnVgOKJriC6en/+65Dzl4SuK+DDA99im4=,tag:ko8Zr8eYikEUNNG/9dbjtw==,type:str]",
+						"name": "ENC[AES256_GCM,data:RNC3vNm6kLwDCycL197NXZ70,iv:6BiyTWZSlN4g+vMZnJ6A4XBJaIZtgaoppegvUPODYUk=,tag:HCvDo335t2lyKsYWjgVbPA==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:9Ti4COS5,iv:yM2I0oA9VDLTZTghzObN8sH6iFhOk9w2sRL3ukfrZFY=,tag:IRrRjZx7cshLqWHaYadqLw==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:N9pqj2/h,iv:5uXksWZi75XTZZaifw+oEU9mJzhC/F2O919pLAdozF0=,tag:UkXPyt5071NtOBbKgI7Tvw==,type:float]",
+						"rotation_schedule": "",
+						"rotation_statements": null,
+						"rotation_window": "ENC[AES256_GCM,data:oA==,iv:MQPCml5p/j5VqXTORkgLjgwutdYR9koDH73dfYT0gqA=,tag:p3uEuZJr1/vh5y18P6fmSQ==,type:float]",
+						"self_managed_password": null,
+						"skip_import_rotation": null,
+						"username": "ENC[AES256_GCM,data:mp83yHIGlH/iGvsMZ/H+,iv:wdBEafcStbQLlX5y09DhTgAPdlJXpEE4HGvmMdcetS8=,tag:03n8IPmxXlDrTwrdWNkJ5w==,type:str]"
+					},
+					"sensitive_attributes": [
+						[
+							{
+								"type": "ENC[AES256_GCM,data:wWTrEXwo1kc=,iv:w4Q9stQtoywvKx76lx8eEz794ZT8sYgwH4fFM2e3NEU=,tag:91JbD5fN1gFXnVobeWmH4A==,type:str]",
+								"value": "ENC[AES256_GCM,data:5pHMvRMtrYLxV1PaemnWGQSEWeA+,iv:PNXrz3Hx+iWQ8NLJJ2XTGTnsNGiVhXepK0jJy45cYDE=,tag:3ALDu2QgHsy59Yzmafl3GA==,type:str]"
+							}
+						]
+					],
+					"identity_schema_version": "ENC[AES256_GCM,data:Sw==,iv:jMvSMftduBMYX3VDrdOiHsnDQd4wsjQcZG7R8fQIPrY=,tag:/Hz6sThZvrBuP9tNPKlMgg==,type:float]",
+					"private": "ENC[AES256_GCM,data:FASPHN8Lic0=,iv:/+N67qyeA5CosVbyRgjrteHR4dwpXCfc3/K8HuZ/jnM=,tag:T8tghaVJXGA8XRjtMeyu1w==,type:str]",
+					"dependencies": [
+						"ENC[AES256_GCM,data:bNuOGtXE4K6d+XWmEffy3t+Ego6SNCqB4rorzxk=,iv:VJklnw3JPA838mf7Fpa66PN2PqKEb8JCOX+lhnw75+o=,tag:KnlRaxQ3/bf9MpUA7gQkaQ==,type:str]",
+						"ENC[AES256_GCM,data:5F+MFIgU0twb18USE5/t1hJb,iv:nC/ITxsOUS8g0ugpHftQwzAxRtzLogjtPTBLg9AzRxQ=,tag:IP1trkr/O1hiHgVLD+TX0w==,type:str]",
+						"ENC[AES256_GCM,data:WythRZGs8UPt/vQW1rYlSCuok6mnRwyLk+w=,iv:tK6RFeLphvCrkzCFTSr88TGP6WpxPX6HJ1ErFjFRsrU=,tag:3j3zoKNYNGYPoQkow/gbjA==,type:str]",
+						"ENC[AES256_GCM,data:nEUY83XNfQTUa14Q7UbTqCMHJZS1/tsDKG2LiKr9ufND+0WuRzNQLjh4rdpAJOoFyZ0k,iv:T/OsULB/GKTPC8g1hPVmVLwfXGbngwLV7InQlOWDh6E=,tag:Sc+R2sVJ2e3fsDpo22dDgQ==,type:str]",
+						"ENC[AES256_GCM,data:hr8MplLCYVunupDrnN1n7pnjWF4=,iv:BX/iJnWG5eOHme6vfhLoz+VZainE4VOVuAkJoOFOTTc=,tag:70+6iZp0du4WGnGvEZIfhw==,type:str]"
+					]
+				}
+			]
+		},
+		{
+			"mode": "ENC[AES256_GCM,data:zlksTmI1zA==,iv:HHduAHaAJM1YuwBesULLCU+ncBZKNQmi1HOawa+OnlE=,tag:WCwrIHezXeZTyll2BRYiZQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:J0HaaM4cIohqMYzxDtSdnU6O+7FzQjW8LutEww3/URa1tnMktJNGShU=,iv:TWKOCSQvBA4VkPBF2QSXr4oLk8ZxoTNE9vPex6f4+5Q=,tag:RL//iYp9esM5wNIunJxlTg==,type:str]",
+			"name": "ENC[AES256_GCM,data:clRn8GgGfgf5jFEoIa+OKsY=,iv:0h+BFoANGHqoUKwG3g/zRCCsJxV0udS2FSmRVQehvp0=,tag:2O2ZZQgzve6MZof5sn7bdA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:UFCsRHPzxGos+v2ajuMBycaqCErBCi8JSyVUSBQZjoxX4+6D6O+i60qRtqGR+57zYQ==,iv:R6aC6dKEFlCw43lXmrQw5UMD++6WBA9EOPqdp+2YcuA=,tag:46vxLWOn2yMs6laZFRvDHg==,type:str]",
+			"instances": [
+				{
+					"schema_version": "ENC[AES256_GCM,data:5w==,iv:ETh41mtuAE6x7gmhCmuxSq4km+oNUm5iKBD5gpG3K+E=,tag:9nKcOhNTwMb1vo8YDBvUFA==,type:float]",
+					"attributes": {
+						"backend": "ENC[AES256_GCM,data:/oCHKpn3T3c=,iv:SmmuqbF6lmtA0/q/5Cq/lOTrofqZvmQHuk2NxcrLB5Q=,tag:IcVe7uPJhu4pWU2uu4WXOg==,type:str]",
+						"credential_config": null,
+						"credential_type": "ENC[AES256_GCM,data:udSII0sMdZI=,iv:GWaff+jUUkev+fUcpcCSS/T6cNwqp1iv57lajqcsG4s=,tag:xi2KKjQTP4Zq4zQNLQVxSg==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:XwBcieAgMOnHQw==,iv:tFXjhgfRng+pQpGXLB9xsc9m9B2rIj1O8hWY54joszU=,tag:x22LhRckmhJluUs79U/o2w==,type:str]",
+						"id": "ENC[AES256_GCM,data:Yhd+AFNNn93MCTiMVI7KOBpu98w4bYYPRdvPgV7BpRphzpy16GP4,iv:qvQvZ064fTYfKT42jIBv7b0zsYPYUo8k9rzGHT1zY0E=,tag:8LczDz8eSOKnyLHgMlTGcA==,type:str]",
+						"name": "ENC[AES256_GCM,data:bc7Twisuey+64DHJMWNBEaA=,iv:PmvNWGJPaIXCQl3CBXTWsgL+2j5udjPbHLjt6yrvcRI=,tag:+NgYgRtNYjrDgvXRVwdC3w==,type:str]",
+						"namespace": null,
+						"rotation_period": "ENC[AES256_GCM,data:bfJHC1D/,iv:A8JAScaDIh3oE/X/701nHOxamVVKu1fGXN2UPAVuwCY=,tag:jrfrplyQcSOBFHRrAEEfpQ==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:CQ==,iv:qcwPv1KN6RPIZhyFYoYhVKA0qVxFfUwvWVJqs4C3v1c=,tag:X3C3eGODzob8JKVd46DVPg==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:Dw==,iv:g2c1gBGdnVZ2/99gYVgOO2t5tgS5yk8XYngiSWMA62g=,tag:iC0/jaQ6nRrRZOYeYj6P2w==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:HqZjLq9gflHEuHNXF6/y,iv:DZo9+6WWoTrQm4WvoVqv0Sz1FiluS4QgdlR52LpJufc=,tag:N2gF9vbGrAg5xLCPhkWmdw==,type:str]"
+						"username": "ENC[AES256_GCM,data:r7obVoil6OJLBjXO1M8=,iv:1UjTI3H77J38zsOV+kbH8hHxkGdDs0vG0h9KdB1YOfY=,tag:2oArES+eQQurlqkALj8lBg==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:3IZy7QUrbJQ=,iv:C1pSR3yzofIOaBxuPA8QlYguwmaWS8UkCgNgCnaXz7Q=,tag:9PPa4K2LwwlAsi6nmg6esg==,type:str]",
-								"value": "ENC[AES256_GCM,data:rbbyDDeUdp+YiNECENdaMzceZh3j,iv:HQyZav3r8bn9dScnf3iK2edq/TLCr/vbXPFJiU4SMzw=,tag:+cTlx4z/dWbJE1zwqPLhGw==,type:str]"
+								"type": "ENC[AES256_GCM,data:9fAwx8etTEY=,iv:Z2weN7LrpaFP7AKhdKexttDtKkNaCbu5elvt0CmxwMA=,tag:18F5EfSfhFlqCQt8LmRWxA==,type:str]",
+								"value": "ENC[AES256_GCM,data:nFdTACQ1fCIhQPMmbYikH3TzFjOv,iv:b0sRNSnUYkX+9DNo1p9wZU02nQVmcqbBzGhcGWpBhSA=,tag:7zLQJteh2vTeSvRl9R2ykA==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:sw==,iv:U3rx1KvFyolhjwZLFsSwKC/sTZObapBfz/pp7TrRXYQ=,tag:PQv5zt402b44EwVGY83Xog==,type:float]",
-					"private": "ENC[AES256_GCM,data:6sOfQUgxhTo=,iv:VM2Hj2Aiqnzy23A6DHsvms4CR7MKK5nKNTsCb2sSwEM=,tag:fLBwkGbDQ/zEmRlPJIpDiA==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:wg==,iv:L3zi+vJOWM0+u4iQD/Hxogk8XyMW7ZVAysdDVyrO6sw=,tag:Jjdy8XrkxXCrR25lUqVPZg==,type:float]",
+					"private": "ENC[AES256_GCM,data:jnu+30nt5QE=,iv:bcr9GaQwMQwoPkA8jr7X4NrRVJQ+iWz3Mqnmgv+upKc=,tag:V9iOFnYyJ3rb6TbtIFDRaA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:+QRL7hOri1YtknpaaRdD2sL48Xmw5Tu635+S+Es=,iv:XCRDAavNum1utwWLJDkABudxjhDAtQ4o58uld7KUHOE=,tag:z0DAGsGX9twEP61Iu3bFcQ==,type:str]",
-						"ENC[AES256_GCM,data:dwgbuw/mpiDkYvUYmU9WTmCN,iv:t6wigOh8VfSLn6j2VzgeIboo5dCs8SMKo2RauLHo8fI=,tag:4QWKW+3gQShPeVrGNrrEQQ==,type:str]",
-						"ENC[AES256_GCM,data:EubIMd88kVaRle3CmWrqokH3eLr4qO2d07o=,iv:5MIEzUq4gp41NrynOQ4XylY1oQPSNUBm1EpNi/Q3tG4=,tag:zY3udjwKjE6+5NTaTMHKiQ==,type:str]",
-						"ENC[AES256_GCM,data:HCgZiLaG8U6KKMhg0/LlhQwRWJS5jyVgD5Y2mSZ5Xm43lEv/AJl0ZuY889Z81a1PE44i,iv:KiEqULrCyLU+oJOv39qgeWeDu8sYXwd2DTG/bAxl+Tc=,tag:WPysCiyqEtFvL0u0NFys4A==,type:str]",
-						"ENC[AES256_GCM,data:QsyxShWul44fv6rF0Rp7HOdtvJc=,iv:c/BB8LdNDLrmmGaHIu+FZXUjfld+VATbwX/N8zX/sRs=,tag:9izPxklkT9a6Ea+ixFmFPw==,type:str]"
+						"ENC[AES256_GCM,data:8A63TIU458h4ocSk7casGWqgh1NtGgu2renAIU8=,iv:T7xj1GEnSzvg3fMDwxed4nQTr1/482qDrnqKg0L4tFo=,tag:ss9TTPDj+WrVQWCHgCBdfw==,type:str]",
+						"ENC[AES256_GCM,data:NP+lLpB+ePatgOWxMUsRLHLA,iv:yXqQNp9S4GKcxy877/blXeOZ8+4TP1/JjSh/hqMQOIU=,tag:TjBPl4kdiSW1BKzzJ5W3YA==,type:str]",
+						"ENC[AES256_GCM,data:8qSplXnWg6LAoGla/mHJ+nldP7GgLi0dRkc=,iv:A+B251FMPdRNKeZyxpZuUM4fyXaJEqRlfQ4/Gy0wNOw=,tag:RaHAJEICmZTTdRd5vX6eGA==,type:str]",
+						"ENC[AES256_GCM,data:OJOl9F6saHd/kwSXbN7uQhHCcK9RGrTGTaYBi+w0HFIbhVQAiYb9HGzYD4DY+uQ/oMeh,iv:TwOJg2o2WucM/WaYnRWPmVtBaHaKMeQLCCAbjHTfzpQ=,tag:hnDq92Aydy3n6zrvHlnq0Q==,type:str]",
+						"ENC[AES256_GCM,data:/5Rm24K/ONjmTpcV/kZLZ8q4rwk=,iv:RE6tN/YY1em8drrzUEQdajn0Clr38HNhZapSBuc7YG8=,tag:XlDw2xGKvzJHKSAoe0h2pg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:Vw7hSLG+Jg==,iv:q3q7JA6M8ly9g2dn9jlSFFkP3d54vQj4HjsdS+DqAMM=,tag:58OntD6XiSh8pUoqxI7zCg==,type:str]",
-			"type": "ENC[AES256_GCM,data:4nq6JM48VquEAVXrYHyevUcnmOVl/kV6Kljk476Q6lZMQP1/tv/f44s=,iv:ee5Fkv9HzUjw8e59oPYrOTHchpf0kbMB/8aXzR4vW/g=,tag:ZgRNZffpMjhtjBqQ6DqaSw==,type:str]",
-			"name": "ENC[AES256_GCM,data:rfhCx8b1KsWq7A==,iv:aLtZfbD6lxLSiSP//bDF/PTwzEMK93F5/PPgCR4Bxeo=,tag:F96SSb6aNHzqFaBd4OpTuA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:X74Y0qpdF+jwDCSC8dlL7pJsOGj4sxsDABsmiJB0BGHKzdJXGpTrR0LXEyE/h0SwDQ==,iv:lApPXrP+NgTnA8uF/A1BfjKovNlzH5XD/Dra+6KjfrE=,tag:138W2udYthqzEswsUF5lsQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:wvOte1xPhg==,iv:UG/mXWpZ+xNXSDJs21h8gshW/ZATC086c83sRvZQMZk=,tag:/hTu/J+DS+s9tYox4PHGTg==,type:str]",
+			"type": "ENC[AES256_GCM,data:UjK5HDWkIp6WLKC69BYrOpR/WKVE7jDy9GK8+4MW/q+FbFQ2ktW04dg=,iv:ysq3EJWxRQGkZnO/ElRoYu06Nvdowwz14bt9i10K6zw=,tag:jf2gcbBraxMx5E3v89ET6g==,type:str]",
+			"name": "ENC[AES256_GCM,data:KUU4a08GNkrX,iv:n//SYZUKVX7dgwGpcA/sczYmYCiMDbL2EQvDpPl4ev8=,tag:JOONdac+Xa7nyl63lYO/wg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:o8g5y/tyVhET3s2p6/GUf82OJRP08oWNIPq3On54BU4fMGwS0IILeqNt/dtE2cqBtQ==,iv:xkrH+BvCm52Sugy4r/q6JYc62WXmnLeL5D7XUoB3bAg=,tag:lxPk9uA6q9vYZm5/J/xtzA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Xw==,iv:cCn7SMnYtqZoT7B6UrV7kbAtajyEiIwI5S0stF4RXLA=,tag:cccBosVaDaUB/BUoc4Mr2A==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:cQ==,iv:q28rQc4wufQ31nPAB1IMxJGxCHfFABxHrNw6tRjCCZE=,tag:qdOOMW6KW2XgtDN51UvRSA==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:IZWSoFzsqcE=,iv:M3XNLttEdNs1eCOSSRf2r8Rrdtd7Gkg9kwYXy2nI788=,tag:yyiB86YHuYB1EH53oOxarA==,type:str]",
+						"backend": "ENC[AES256_GCM,data:RBxrFlMr0t0=,iv:hQqvGyHM7npn8ZDlra1Gs6dD98VsuNGAyUDKHHdxn4A=,tag:jiYBbRyDIc5EpKQdmsUwrA==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:rArce+l5gWg=,iv:Mp2Suvpmm7YZ7LyU1aXNHF8Oyz8s24526aw3ppblGIQ=,tag:QIDmIL6h5a+dowk1ZpfZDg==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:J3lznWp5EsPtOQ==,iv:xPn+dZyLBPYYJs70AW0Vvad3aAl3X6EbOLD67GDyJj4=,tag:yMYlg6QzxE5fBSnaqkAgMg==,type:str]",
-						"id": "ENC[AES256_GCM,data:II22edUd497BgWtP7M/soMlE/Qy89amZREWfSQFVIeY=,iv:y27bg1RKAjz6YBr3fnAUh/LP5oUCvyjef7Ffqh3vfEM=,tag:PzdBHgE/m6FukYF9GfuSvQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:L0bB2aXD5DZADQ==,iv:aHWLSh4qteTKqB7M8S2jPEIc/i7NrRo5PKCL5iMJ8No=,tag:/H6JuZ/btzpgp+VbTzWQxw==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:fJMdttc9ELI=,iv:fnlBXlVixsuio1y1bYe+nT7LuWwaFbOTxOjQe4+z0Uk=,tag:2EEUyiwHv1KBtIhnpUPJPQ==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:iiVnuDw+AAkiXw==,iv:DfWMqZq0PfXvhNoQzuJ5R6jzL8FIVX7gRtghy/rWE+I=,tag:/QAPPc3sY7VY17sIk26XtQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:uPy2mYQDABpU2ZEZSbRrOZbkfsBubaI2d68U/N7dyw==,iv:FDCsUk/O5Y3n5qdp6B+ztOGyToCi9WqZt9y0HBxVM0E=,tag:LgbOvr+tePzO9rrU0tYjgw==,type:str]",
+						"name": "ENC[AES256_GCM,data:cPQLF0sS0w0v,iv:fv9RWZy9c7SonIN5g4MXZVTIuA1yvw2x+mgqEcgLmyI=,tag:henzvXwwINVtS5L/cNyAlA==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:e0xqCtzO,iv:BCPv9K+UjvTmSWa7qjeWaKDsDLPiiTUvigrfdx3Y+aw=,tag:rx0P0HqlOt/Mn1f590ZGFQ==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:wlTMIxb1,iv:IcEC9oZ6uEZpm3eNauAhs14zT9hx3gntkVIHzuSHVSY=,tag:C5rT0VNr3h09XyVXqEihDw==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:ZA==,iv:XdTRZhJkI7BOnNYTPRDaAMPJ65Axh3g3QhocOEhcZZk=,tag:xnZb85OBSrLuBFYy4Riu5Q==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:0Q==,iv:JYFJKHdOW2n+MUD9MpStKntQGxF35EnjkhU2aq82ItA=,tag:fxAy52qrTwc+4xMRfWgo5Q==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:MwxRLIJqzw==,iv:KCtZRaATTmWaSUokJ1tVb1lDdPyHwlCMv+oSVWZRaX8=,tag:/1wwp9EFq15HKn3dkZHZNQ==,type:str]"
+						"username": "ENC[AES256_GCM,data:FbBBO9Wz,iv:jrPslY9RfIh8MZ/6c1ktQHZYsKFUbsMs82PI1cKR5TY=,tag:n6y1JEd5lnrSq/51Hyt2mg==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:DVcZB2W6Tfc=,iv:4w7ZlCPKUGddrz6aVI7qIHLsrUr6IbhUm4Nc/FU1Lec=,tag:aPE5dr+ecl24ki169adcyA==,type:str]",
-								"value": "ENC[AES256_GCM,data:Jh5NXsLgHQiEkA91eP5t6P436KzL,iv:UuWdJJS4nwp1oHomAHxg4s3UfmPKeaXEM8YsXZ5RwZY=,tag:A3XK1wbFjPa0ZbSOc2WZuA==,type:str]"
+								"type": "ENC[AES256_GCM,data:W/YDPXnVfUo=,iv:aEOaOH4phIgZMEBCndmuEAGFWpb4GB4RD8RJjNl/dZQ=,tag:j4f48O2IdkuLXYmx/ea6JQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:FK9TAtnQe+THN7f/DP+4j1H4zVqQ,iv:vRNL894rb+EhEDoneriSMDnkH/e+teyb+wtPN5G54ic=,tag:r4EbyN7CxhVI/sHGUKRSUQ==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:sA==,iv:jZvSuEzT8lBPtlV5US1iVzma3MBu9UzSZKgkSDnlMJQ=,tag:fjvPnCFS0v7WV50nSb0NNw==,type:float]",
-					"private": "ENC[AES256_GCM,data:RL2i3IoAhDg=,iv:2ed5AsZyQfStKFryZb7Qc9PoVFGJSECWTzjKO0L2T6c=,tag:UBA6c22G8BSd67Be/P0jwg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Zw==,iv:tUyDTwYc8BLkanWW2oxkfve5zoxA5Ra7rC0jNN2K7PM=,tag:PC6U1e5XM1ePeislCvpqRQ==,type:float]",
+					"private": "ENC[AES256_GCM,data:+m4to72R+vc=,iv:E+nuUoFy7aM+lcnzeqGYySGHVGS4L3nK/CXuxhtW0eM=,tag:5hWqiRZCjJObtvvwuhjpEg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:Vuf1E0JVybe/rCYH+gYOgtFHhyq9BWf0xuPUoM0=,iv:xIm9tWkeAxnUAs1rfoJGva5rn1EYGJlYl/b86qOQGQQ=,tag:jCXoX4uCowk3pW//1HC6eQ==,type:str]",
-						"ENC[AES256_GCM,data:8FHQaR67rHnjLLHln/xLpmPl,iv:waahKenbSEmMC2mG/TjBcwZ9ZDUqG1WZTeMRvcc1y78=,tag:CAq8Di7T7dAuDPHfjROe8Q==,type:str]",
-						"ENC[AES256_GCM,data:9aPZxzVYfp9g7CEEwNg8OyS0vKSNgxCw1lI=,iv:XxXejhI46caUev8BTVHjTB/kBeffNSx7JKa/nq/lFxI=,tag:qj7HtvYIEkpvp1pzPv336Q==,type:str]",
-						"ENC[AES256_GCM,data:9rb+m83gW3X5/hzsfmGImw227SLUx9gAobEjb7uhNx893nVGww32JBv94Os9YHCSLQWx,iv:/kbwh/xMcmYMR/Cln2VIzTA1YXrL39+lsf/LqoGBkdk=,tag:xuxwvj22DZ7QECFMcgLu+Q==,type:str]",
-						"ENC[AES256_GCM,data:Y+AFLQCPrO2gQoEGf5mFik8eSh8=,iv:hgUF3o+fHN1jZ5G/fFx2h77UyduZSfpCBgZDH23OyAE=,tag:T8ibBjtHLscTTS/F54q2XA==,type:str]"
+						"ENC[AES256_GCM,data:OIqFThdP4/6JIowmwEn7lMjAThPyrAXzQRTtNWI=,iv:U/CBiqmrQKbeDYxq4MGqhUBp+suzFUD0kiJTx25vXIs=,tag:GWLW/R1/rFjeqEl2SglBig==,type:str]",
+						"ENC[AES256_GCM,data:bYo1Wkq2YkVf7GoeV1u7221z,iv:/XSEKMiNF17oVTJcAGciDCDKCqlBzjvcD69vP6CUnIs=,tag:8zwKj5n5pO8FJUyt3UbYjw==,type:str]",
+						"ENC[AES256_GCM,data:Rx8VX9d75DDeIDHUiimiJV0+ga4DGs2J31o=,iv:7Vg4kbsj/g8MYw8MPh98YIo+Qi7ph+VytSjWE/bJ9Zw=,tag:/GuIHn4K5L/01AxpR2fYeQ==,type:str]",
+						"ENC[AES256_GCM,data:/9XYL/UZzd2TtT1huKi0hAe5L2Cqg3AxpWYS+oyyZmdGBzzX09qOA0l3RIIU6wtMX/5t,iv:Rsdi5lmVnzv6shHDqGy+J2lDOF9YZrrhJ3Hn0WhSmas=,tag:ZJwgMyfRVdxmkMmEN95Zyg==,type:str]",
+						"ENC[AES256_GCM,data:juZwKtBnlalRkUTkBSaiLFFtcj4=,iv:XhMmmzuzoV/p29vxKCHDA1wEIm5oy/Gb3UQX12wouaQ=,tag:6Kg3TIUpmWTGMZuVmiu7Dw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:rE+dZwbtCQ==,iv:Ee999OE3CVE8IxUIGBnZkxVsHtx+mfSdjzKWbUJ2eO4=,tag:im0O/AUUwFR/a6xa97lYug==,type:str]",
-			"type": "ENC[AES256_GCM,data:qQOHVb/qb8SJIZ1VxaD7NUpPwf1s1vUh/IH4hAcrWhq+fghFliTfVdQ=,iv:hGjbLnvapBDN21G49ccogjJ2NgXOUBNOaQ0UlaSBEtU=,tag:4LBML5z+HlTwvN6voFJubQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:S4kp8ydkO7BC,iv:pI1NA+Te0slR9/V8SJbwTnRLHacM12krbGb+Tl/vIhU=,tag:y2A0tPxQ2Qjw0xwhpNakhw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:OmhBlXtIywNHKgeWhe9JWsLpuDuNJfp2JnZF+/HEGJcG1LJ6H5f7Bod/3QGryU601g==,iv:9qng/E4uSRb8V7lePbBPucy8jzVzdtyTjjwDjxDFSVc=,tag:A4GKYISCMlgatfQIVh4YKw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:PGQA7jXNYA==,iv:aANls6gNrER1s5Tna0xhYvM+Fcv3AgyqIDExzDLqmmg=,tag:9sdG/OaoGItGCGScOwa4DQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:GRil+5lr4LyJFoufvuD5paqfRyfqfjusNa/ZnV0423wNhmZKHXaJ3mo=,iv:3+MJqr4UjxCl0T/AcVORe/DhdEzaj6vbWlAUMBzYQ9w=,tag:2/hB0MpHB65lEF4gaHWgZA==,type:str]",
+			"name": "ENC[AES256_GCM,data:SjfbBGlwu/QG673vKHFPu1X6p3epSw==,iv:DE0k04H2JTsCVOekENwLXT0FhqatcpgHVEEqBNpIHXc=,tag:bsZ/e1R6fmQyYwRWNWoBgg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:tjCyYYE64tZBKWJHJOgme1W6aJcFWHg5t8Sx2Q7kkHwVBWDZCATrYP/+svgaXyYocQ==,iv:VQEMB1PoTlCLOMKePkH/ryBkZQDTcsxqUb3BVyNyWL8=,tag:av0nwcgLI6zhZWGzaYrLvA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:XQ==,iv:NldstpAnSeWu6KDiyduC/fUXogrcPZ/5BVHYx3narks=,tag:AF6S1jKR3OkVT3RsdEecHw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:cg==,iv:j1vz8qOrWSz1/EVs35a38ru2fC7GyJ8kHtJ5umPTogM=,tag:hm2St5Ox2+k4HrxAIPE0/A==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:1HR7P7jpTzg=,iv:MTn/HQIqSB5BJWKeo3BBIPE2VlQovB9utPMAxW9de7I=,tag:1JnUwTf9UXQOj5sd+bKAzw==,type:str]",
+						"backend": "ENC[AES256_GCM,data:tMwbOZPreT8=,iv:VyZ/6FaXS0i+9ULe6hdR5M3mZElLuRuD4GGkMxE37x4=,tag:v+pYNSjz4R179IsPtwpvpQ==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:pJxLfwAs+VE=,iv:L+sSF3J9ib1BH/NgT9W8dNCcyscc+YK6r6qBQfNa8+Q=,tag:2Qmyuen/FS1BOnKJpIbLIw==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:z6GT9pr0A3L4YQ==,iv:9eIvk4nI/9msrFo1GbdOKkJaVa1MvDJbn9EwuhcPfGY=,tag:xQuSBLH+N1Tmjkm/RBvf4A==,type:str]",
-						"id": "ENC[AES256_GCM,data:Dd1+7ocXlszoSsz/fYyDfh4FGSGzLi4ZNFWtZM7cxA==,iv:aSVhi1g4Uz1Dcq02WDY/i2IBFPy61a704LuDSgMQVrs=,tag:c6bJiM7KqtLnzIgrCKJ5WA==,type:str]",
-						"name": "ENC[AES256_GCM,data:IpbgoorJymj+,iv:bTOlatcxsOX/9L8eR/LhwwckYloq/MCqNo6bLNr7xsk=,tag:PusjU5owJUVyVYPs2/uUDg==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:sLlVSbJHmv8=,iv:woAkHDHXcaYaagX2ye3eTI+iZjkt6A8QVx8pFyu12Mk=,tag:6TlJILsOxLOBPljg1elhWQ==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:J0BxPwQTuz6NSg==,iv:y+qEiGDw3Smm2gTSZA+t4NF1MGUfXo7UUPvyuOOCgc8=,tag:2KDRcC7eAHdXOh+DiKlfUA==,type:str]",
+						"id": "ENC[AES256_GCM,data:LnoRjyUC3W7B2ZyrRc4xzerGtIkQJrC1xmtXlijToZguSeiKZUEtb81w9No=,iv:uXORvw1HBhARVBm/UPPh7E/MCn8nrrXViuad3qPLRI8=,tag:Yq2SvJGh/Eg8qK8V0znPbQ==,type:str]",
+						"name": "ENC[AES256_GCM,data:FqykOrfUP2V22FcZ9jaYEA7fFfg73w==,iv:P2wsN7SWLQGauSNQZjbJ93SHp7Ji0gP/ecJ6poAESwE=,tag:QFlR5HZBvC5QsMk5F2SDjg==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:x5vA86yV,iv:V8CgvNvzq8PAW4FvWeSEQS6NRptbeOwvzf2eQ/rDQ6k=,tag:Xcjc9tWfYdJytu7kIAxWbQ==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:As5uwTPa,iv:dbfpH/0iHAmAWyCxTmzrn6tzQYCER6XK+54XxudFGFg=,tag:cJOc5EAo0IU2vC95mkvYfQ==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:gQ==,iv:S9u7U7+kv6c7pQUS8YSJew5WSus13FB1Q19LT+q6m6o=,tag:+C3+GUEw+gVRI3wYNabNIw==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:yw==,iv:kFy3PngblfHqInN3K5N3P7jJqZiP5ikEXkpMrvJf7ss=,tag:ptUa9vXNULB2rNWx7RS1dA==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:b4TT+ZK5,iv:Q/yyfIq09qXojq0sebakISqATqbN0bK5cSypL9ono8c=,tag:qfV4Bbe4BbMXTOb+eesyzA==,type:str]"
+						"username": "ENC[AES256_GCM,data:m/+g1uJ6MTdRZ1Nd4y6oDoT4Lw==,iv:alqw2rqGBn4JcY24tYkkBCRL0w1jk6bNWNaYMjbZQvU=,tag:VJms8cV199oaVJH9QIPVLg==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:ncTewi0vTug=,iv:1d1w4DOo+S2Z0wAqf5A3Gnoz6Zoch+qG/FD+gwvgVaE=,tag:tFGXhYhJ4qgZvFy3+IxByA==,type:str]",
-								"value": "ENC[AES256_GCM,data:LzmDkCkSmupN1qqyCX490nDzoxU9,iv:AgvazTPUL6L0PjMIfwwEJQf7+sngDOIs1dxCmgXm56g=,tag:Zjnd9faGSfznwcggAiSsfg==,type:str]"
+								"type": "ENC[AES256_GCM,data:S3yKhkgi4zc=,iv:MeC8VABF1XEPQ+TG4TmSHzcoD7YkJT0/1WYSKNKMB4A=,tag:Lq8bJNwgYlSMvnfORHmCMQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:s4jtcoHnW6aD2e9hvqHuSerrBCJk,iv:9YuWetwiIGjDubg7NJDRMqgdNDDU8wiZ9Yr6m5IfyAE=,tag:hctzRUKp6q8Ro0q3gyv3nA==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:vQ==,iv:tQrXlwHGAON+7voIR6RdFg9KXJAExaZLC8C0QCIBIGI=,tag:rHi5mFxJzObnrkyGC5Mkhg==,type:float]",
-					"private": "ENC[AES256_GCM,data:WFku6tFveAg=,iv:e+TGxyhfWfVBDx34F3uKyAl7zTgusyEPGgCQ9drDvgk=,tag:jrjY4LVMg5WI2ifB4R1WUw==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:cw==,iv:Yf+vgneH71DsGs1iHbTsriv7eYBOnv+O4SE6nWHDh+I=,tag:briQdsCwsMfTEhhHw/zPeg==,type:float]",
+					"private": "ENC[AES256_GCM,data:1phG5eK+EAg=,iv:8fC5Yb3yf8yJp6dcJ2kUq9mzptEEuXDbOxdygOTLzw8=,tag:xPWTUWL/0A6mt3oVUklIxQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:VpT60Rf0EOeNwxFctzGqZVnFsvh0bqs8qu8uqu8=,iv:PA5SYzWJEUvr1AX8UL3B1+ZWM/bnmF2qHmq0uHcXIfY=,tag:Y4FJ15Iz7kMO6MBEi0j47Q==,type:str]",
-						"ENC[AES256_GCM,data:7+TCQwOPPJntBUoLIGf+TNfq,iv:gbFkVrxQttLOrcyG+wf1o7/Hh8aNyoQlRz8cwK7tYuU=,tag:IfuOkL4tF8FaDHhDM2jtow==,type:str]",
-						"ENC[AES256_GCM,data:xaF1GtxH26NFO7eAFOc++VxPQ8M+FlYCMiA=,iv:Xmfa3kkXmqWziwvw2J+HF5uopOcU7OFT3CsBwoq36c8=,tag:A+GrwjAdxqHWEyslpzKRrQ==,type:str]",
-						"ENC[AES256_GCM,data:twiAToLMEBdELeYYE1w3caCoeJ6vKIITUl5VQ6u3vCvQ9NOb+ZUgLKU5RTVTZDGNwL7a,iv:8Z07UnUS4nn/zy8EfNC5nJP+u9YdfI8oC3eDT0+lJrA=,tag:w0mc0LaEocsqRzvmbJwIug==,type:str]",
-						"ENC[AES256_GCM,data:DuU486toJmfXG83LBWOswuSk3/k=,iv:vAxA8EdHYIwwMFGTCVFvLQGdteYd7FXnk22fXftHcTY=,tag:Z7UGpg22Y7LmMQpkk2rQ/Q==,type:str]"
+						"ENC[AES256_GCM,data:lHVPsCbTn94FSxGgJZ2wsvXq8OJP5uTSHu8CZTM=,iv:WIZ6AYY6DIjWs7Z7mrVQm/AjuYXQ1i48XxglzavV2KA=,tag:cgaa/SljBHaLzwhg/tECfA==,type:str]",
+						"ENC[AES256_GCM,data:RD7KjAi3MSOMWwu1UV9dOnw+,iv:nfaZmNdyEpBCwOvWjWZBSpQtM5U7J7QLEXnsL6dTGmQ=,tag:bKwEKQo8VgoSFOuY63B1CA==,type:str]",
+						"ENC[AES256_GCM,data:HbsvTmg9Nk1Ml+d8M9o56UvsOFOmMeEg1sA=,iv:y2VnoRFftn738vF0w0WI4Q26bxhboQKrrRhoy0IEtIA=,tag:1lqcNTRqfrHZbuVlfz824w==,type:str]",
+						"ENC[AES256_GCM,data:ku1AuOad8URKaf2fv0lGG0o6919vVmv9feS7hHkMzpXIijiDfCEeMauc7Ky5q8xsLrVN,iv:xalWESLcBdGR/3POnMVWmzkQx0Yo+7MwfLVLIzHnHb4=,tag:g4EcjDXG6nDvQgpD06boBg==,type:str]",
+						"ENC[AES256_GCM,data:FhcAbYwRbMLmtcSR8xowKN8gD5k=,iv:Bo5NdXImeVWhF5WtJoQKdIOn7DxsD6Y9JUliolIp7Kc=,tag:V6X+vX8O6vkxN7W1Vt1/zg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:ComlpPSMng==,iv:S0NEMHHCJ4L3pY1vFPS6M/NeaPRsPfuny9va/pJEyM4=,tag:ryn8jnyIH9jZpAZLjaEwzQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:fzMF5jf1DBn+DYkYZrlwJEMKcVbJWXka/JOh3LJACSxe2grfoD/H7Y4=,iv:jpZH1q5O0crcCuY2ztuK8B5l9gKBieVahs/l14sF9Ig=,tag:lGv/Bl9ajjVOwt7GEHJl4Q==,type:str]",
-			"name": "ENC[AES256_GCM,data:IMUJHibz5VeCxFXo0c33u6v6cA==,iv:n98U/sytdlg3LrpUwbkVwnERILAhDgSKH3YMYzqqcN0=,tag:14XibzeON0tmEteAwqb5pQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:I60zWVkh6ixBrRPTKTG5dwo+geNZIWAU9GENFokG3pBGpf7FR83xxsf83/79eoMG6Q==,iv:XRXm+E38KYWGeCrv7zx78D3aM8IaPOJWmsYPyJaL/BQ=,tag:TMcmUTNBusrK06wtlH+Eeg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:bwem/+RScg==,iv:ERSW6xb3RZx4Y3i/mVmtWONP1AuLOkS/2Yk4o8dhhh4=,tag:CbJoR0mQAJbo6hiUsprhmw==,type:str]",
+			"type": "ENC[AES256_GCM,data:1fbu4Bv+T6cLcOvsap0m6RMTjigXGjEz7gPNO5htq0uD5/PMh4wc62E=,iv:gLtNVBXLsSgYM+kmOw2dE2rw6v5m+yCvnHZH4AWI3dc=,tag:JHQTuJc3Q23iyn/jVW7xJA==,type:str]",
+			"name": "ENC[AES256_GCM,data:FlJKEQjfjKpmtmZQ7w==,iv:jIJSr4rcE6jTjOhcBNNPiPLQn1bKzwxuamnpan2EJM8=,tag:ZGhg/JCsImWD8K12CFO6tA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:g8Vb3oclBjpDSVw5sPVkB4U4XUH/s89m7uuI7O2BrioMWUDAk5NZUeF3KRXhQplv9g==,iv:rsaEBlFDsgOb/FokxcEhu3FCMtDM88BDmBlw3S4cqqs=,tag:Ri4k3l+caYXoYs9s/hCMsQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:lQ==,iv:x2eD1+mSSxjarGkOGDIxQnUcRtLvE9UoGqrmRTBCF7c=,tag:fS+ZraIrxUZflbmlkkzQuw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Jg==,iv:7beLzvKAfEB4v1FtZD8MsiFqZKwZvZT4BRikMmcycqM=,tag:YG2bCWJXJeOYe4sMGUniuw==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:ASs5KQeCRbc=,iv:UCOL6hoQgD0ltu6gfMKxtUPKOK6iasKGDZgcsB+gTQs=,tag:aDq6af1Buhi9rX0reULZTQ==,type:str]",
+						"backend": "ENC[AES256_GCM,data:EVLJ6o0CRNU=,iv:VF2Uhkg1YV4Q3bdF+dEzukOkAs7QPFTL4f/urGivKF4=,tag:XculIezkwWUXZGKl7vCbHg==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:FDtj9CbYkiw=,iv:EqApNLu4gQDR9GqMhY6heh0GM6xQsIoZd+DcT1xA7RQ=,tag:pMNwYuYvQSaVeytM3vHb/A==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:1yGVl+N/nZGvuA==,iv:Q4y2qG+4aktUAv7T96vp7Twz43lVRYc04oM8h7spWak=,tag:pp1zclNU/zo786WCWHvCLA==,type:str]",
-						"id": "ENC[AES256_GCM,data:SUjgYRlU1m0NE9SEAZAUBGQdOL5mAGJyQh8mxHSe3lmOUNdp+2F0P5o=,iv:YW1DnkaWKNQuE3gZtSwHli1GiBz5jy58QQzh+bM31F4=,tag:5tKZa0spzGzvy/fC0qD6JQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:9nIZR68CqJyxQKFYHPzbsQYZhg==,iv:S44++gIrB7FdGslUeTKLGftlkHEDjIC4eDNKuxGOV0E=,tag:g+LxM7RQtQk+wfMdVJCzzQ==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:wxBI2yd4xlI=,iv:nN/LypCzFqvgkTsOcW3uVzQZO4d5Y/azYKih1eR7Giw=,tag:w9oUFCARS+YWwbOXf1ZzeA==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:xkTJjta2rdGrmA==,iv:hlNHMV2h7kKTC6YH7w/hQfGxm56ff+Xvd1R54B8fS3I=,tag:HX11mBAqKpdc9+fbLwINHA==,type:str]",
+						"id": "ENC[AES256_GCM,data:siqgLpdjcYBsIpsJeNadYZSSBk54D9hcTQYNDdNEvDlgM4g=,iv:6sbvTPe/NVSsa+0oNe+xucD34A/BAKCRvJQ+jACI0Yk=,tag:KnW3LPJBuKZqPF9q1bw86A==,type:str]",
+						"name": "ENC[AES256_GCM,data:Qtr89Q7gr4DqX9hy4A==,iv:EMuU1sC2KH1T2FWepqLPxh9NJ290kRllYYJ46JaXCrA=,tag:weVE+rcdJmpDP5s8UbsdSA==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:ifEXe4kw,iv:DZqY5HWZkZtyq9zF33HRYkYg8RxujVcbZhsMnq891dE=,tag:4IKo5IeJgCticKh8pRIFFA==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:kGjklpwO,iv:BWSY23taRDuBuoaxIpdfN3m0gDNxmfzpyf9d2bsADmI=,tag:8beGoreHc3FR0igIDUeDFw==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:Xw==,iv:1tvmwz4EaDC5k9esocvopKHQb5VCEUqZWiXurXs0WwY=,tag:4j+g/qWEYjdVjwkv12qcnw==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:Cg==,iv:+sajUEv0X+rOubVAg/PPdHZw0qoYhxHL+vMnqHPgc+c=,tag:Lb1K7RjActuetN9Voip+XQ==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:qoACKDTA7X3BReLpOh8odA==,iv:ia1/xBQTVqOl4Lm0g4FCnsJw3Azxg2NE2q912N1UsZQ=,tag:lu6wMWRArm1AdlYc6Pzc2g==,type:str]"
+						"username": "ENC[AES256_GCM,data:YWCqZMu0cU6EzQ==,iv:HVpFGFhCjpwBCPW48mqEXPXUwTLXnT3/dgyahgqt5zY=,tag:2nROzq+HDQrJ2N0PhFMlNQ==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:/EpCXWzAaME=,iv:swsovZ5dQjS++oP8e2s8Cc9tLPIAACCLnx/UroQpw0Y=,tag:XHQEi+BAZdQ5148WpBbmTg==,type:str]",
-								"value": "ENC[AES256_GCM,data:I+UNJw3i6z0PTztNw5rt476r8i77,iv:g5q7VPbMUFaxDbf1l9FlKFUIgtT0znLhR8TD/OboKpI=,tag:K2fjG4JBog1UL6TfUS1XqA==,type:str]"
+								"type": "ENC[AES256_GCM,data:bhbqoLocVS4=,iv:1BNx0JiQQSqvXHkxvjqD3wOCnF1NtHCSW7/mJB5ajKE=,tag:u8eH9vkW7eMOTBtytL6fEA==,type:str]",
+								"value": "ENC[AES256_GCM,data:PXBgpnMGW73OBMmbARD64f3DXh0G,iv:E4X6WXtmZU5Tm32RA23KM+IuPgbwnf+trLZSW87fMKQ=,tag:0NHexgPy1gReDDLmLcSP6w==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:QQ==,iv:vhQxbGKxjM3gdOPF9xItktBK9aF10CGFvV4+xNCEb+4=,tag:bX7tHRPtmQLSExpXGlnuhg==,type:float]",
-					"private": "ENC[AES256_GCM,data:80rf8zGHrrI=,iv:C2J6b3eYEkO63qBP3uISNGP1Rjas7yjO9/jrwrogv1o=,tag:f1cYNV4CupzzaT2YYgeGkQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:4w==,iv:ab3SoupbLx9f16fMNN72CmzZUxihUsruNMDqpK13tj0=,tag:oflJXpZIgWVBE8rqGaUr5A==,type:float]",
+					"private": "ENC[AES256_GCM,data:+5o6nXMMFrV8JhHzkAnTNLgBKKDjJVJDzWD9/W3Odx4=,iv:7E4w1If6ooR336Y9OtbcTskWy3bBeZik50d5XQcJscg=,tag:zX+x6GcSkiE17TWGsRmi1A==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:jva6io5rzSuLBr7ItWS7H2EpnzRAKgfAad+Cgts=,iv:mbfWqw7RbGWtM6ap0bmLOHStLS2nJ+yo/cU2AXSaxQk=,tag:cxLg7vArkNHK7opEmvZJjQ==,type:str]",
-						"ENC[AES256_GCM,data:nT5UhK88VEHoQW81mTVaCGPy,iv:Pim+r2P5MpW4Ic9AWDM6MrNVhGJMnAllE+lRkKUvZ30=,tag:Mtk66VLsAup/93DQdwitww==,type:str]",
-						"ENC[AES256_GCM,data:qVtYWAK7PxqdTcJ3tx2Q1weCboX9o+bCoVY=,iv:07sSW0iwOPtRIfs75FOeC8ZcgE+i9UOOad9r7DlFJeQ=,tag:GZ/EvkW1kWn9afVTf5Rxdg==,type:str]",
-						"ENC[AES256_GCM,data:k6dZQk6Tk95SBCCwJhapmV4DB85IHbfL0f5PbvxjolNBRv1m6C/Z0s4LtYGJaTNGwrph,iv:QE7Y60By9AdrPMW/7S4I2ubcu4e8a/PNKnVEfwD4Wz8=,tag:xYOyr6UdoRGz7VqKqXhcpQ==,type:str]",
-						"ENC[AES256_GCM,data:3e/3pUzIkukQxoNjEFEVGKi0UCQ=,iv:+fdwp4GD7KSVriu4zoZFkhrYvZHlLwTvTymIG66w3no=,tag:mAnBeh9YpIF00vZClpRjug==,type:str]"
+						"ENC[AES256_GCM,data:I5WXxKzWRYYuy4QUHTGW34bcqXpwI6ovmDUQfTE=,iv:bVughFtEfT4q7G76WzhfizssuDwLdcVW2fuGclJgLQE=,tag:Av0fKVoXhCMcLw3P2ob3WQ==,type:str]",
+						"ENC[AES256_GCM,data:9Wg5pJ0o/Zbq4IEMYZdDjW10,iv:LVps4eDTkU8eNXK0Clk4HYdTkOCRk6lFsyNEmJbRhUE=,tag:jqR/RtEql3Xf5U308lzwJQ==,type:str]",
+						"ENC[AES256_GCM,data:rZZ50dtCw+hg5gcUFbwAhzsBaqM4BycvMHk=,iv:Y83quh8g7yhTkhmfrJhpfVHu1YEgvT/rrYE8p3p2Hok=,tag:SKNPKXf01/n0keyJsoxVsQ==,type:str]",
+						"ENC[AES256_GCM,data:mfDhwBMYKDVNe4NAeJDKi5SXdMznY4J8YmKWMSSDThb9nxw1TZeLCvSSVt8LCwU+YtSp,iv:OTT39iCwrP+JO3LOTLDGhndo7bqGmcZymBVU1p3Hfks=,tag:C0/lmzKZe8mOzVr/xacE/g==,type:str]",
+						"ENC[AES256_GCM,data:/dMU/a6opCJmsTs3GjKLPbPmHyw=,iv:VhkULZ4/f3AC12olvl72Zc+mZXq/HEgpwOT0pOMdVTQ=,tag:GVhT1uaOywa+PJXYoBjVTw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:ogZ1jlpnIQ==,iv:PzcDqYbz7SS+cO0NBcYySUv9KcrHOua90teNAdqGMX4=,tag:nWsuzbRqejqRfMOCciGazA==,type:str]",
-			"type": "ENC[AES256_GCM,data:VljF+GL+dFnmegQs89IS+cccdEcZwiFxo6sOv+13VM6+/akM7VLCgwI=,iv:DWOuwc0dW+7C3xczw0yQOGP0oKA4m55i4soDpkhFQNw=,tag:Iqp4BsaUMlf1KEPngk4I6w==,type:str]",
-			"name": "ENC[AES256_GCM,data:Lib+5LfdVjKaTmeWWQ==,iv:/Hi+BK7W/WgIvlk1uDTj5uvr/VdqubmUdXMNOmmBd9g=,tag:eNCFs5yv6Ln2JUUbaXKcGg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:C3oX14EwTQoFaNuudAKQfdJ4pptCns6hM9vvhc6DZxLNKcyM+y94k575tyRCtOspxw==,iv:3No2PTLEwnCnfaeTdhdmrOWLYepiIYeLd0fd8N2y5o4=,tag:xIBgnFLq5DTSiDXY89ET8A==,type:str]",
+			"mode": "ENC[AES256_GCM,data:OpY5soSNmQ==,iv:2/ILZBBA0bGCBhnw1fTE8k/yXzJKWI92bot9OeKINdk=,tag:3Fw8dV3oulywgvGxWbxDSQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:lmWGmUUSJszNvcJqPBOPYpSsk0OtkzUL6hOBwHnhewkTGbbHRlN0uXM=,iv:guplavqfo+BsHTHF2zv0gEbRz1mbogLlQ0YJQo8RZrw=,tag:9cWUsLYb7VlHSFDSCyb9uw==,type:str]",
+			"name": "ENC[AES256_GCM,data:sxcOoceDBhUbBi+alBmB06hf,iv:inTZ07dJ5vLMXAGLH5f/2Aq2jpti85Tzk3wxns2LQMg=,tag:7CkINPtemNm+a+XVlaTi1A==,type:str]",
+			"provider": "ENC[AES256_GCM,data:YtwSNAkLSb+k/naf/bDJOlff/xuwJwX/cChio4eLI5+7uaIIUSA1jddF25jgpYo3+Q==,iv:vK5jXUtnSy2y/5CcnEzlxRmhMPZJM1qOWdysPy/ImsE=,tag:7loShaCpHelHvfT9z1p/CQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:/Q==,iv:vSxFDq85aLVdtRF5tCBRrhgOHv7DuQT7bWs4y2uaL/g=,tag:QW1ls3asOfr77tIz0ImIOw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:/A==,iv:/uc7skaL2kjk8lUk18oEQ+RNpoWPgniMAqd90DOlEz8=,tag:nczIiLUgJFY0+qWHHX2OXQ==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:g426mgaBN5Y=,iv:rmN1GVW0KF5VMzeleJJRlUChMPyqr0E3Y+Pi5iEGMDg=,tag:LHX3IVt78N2bmYdAIcQtFw==,type:str]",
+						"backend": "ENC[AES256_GCM,data:SrFmjXdFBec=,iv:FX0GfJWsvojMOk3EQJzX5mQsI69ybK2VrGRCQzAbTu4=,tag:VhpwMhCTQsrSx6kon0XcTw==,type:str]",
 						"credential_config": null,
-						"credential_type": "ENC[AES256_GCM,data:B2YZeq55/CE=,iv:YZ5+bVslSPZ9lyY+cI2c53bVDZSFy2Gd+4iIFkVFbLc=,tag:j9j71xUHg+t6aRONc64X5g==,type:str]",
-						"db_name": "ENC[AES256_GCM,data:S5SkYtZ7mTsYNg==,iv:Pk/0CQ/O/pAskiWsBTv9XuO74Qh1G7gVNvjswseZCUs=,tag:PafBOoJwL8xgXnEAHWBeiw==,type:str]",
-						"id": "ENC[AES256_GCM,data:eaBCfHNS1cyHXljS2igNjYXdnUjoVyiokL5mm99qfnyvUgs=,iv:8SBytA8ItDmue15sB8xIdBoJHEXCWJiKYR++L3/kHnA=,tag:cFfE+xeYOrx5BzbfSudYHg==,type:str]",
-						"name": "ENC[AES256_GCM,data:Dwn72boDH5IQvXZhiA==,iv:pYgEQu2/8Obo+erSl7mhrZ4q7kLvuqpAp94Ro/Z0Qkc=,tag:UyzD5pNx8PQNSo0/SbkExg==,type:str]",
+						"credential_type": "ENC[AES256_GCM,data:+ADHUp2Hoco=,iv:CRJi/TmQOzfAwVd8SyUhvEfXHBxs9jfB2fqcvRNKnBw=,tag:nnVsuBzHz00yIdJhGZIl6Q==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:pkM+kxfzWxatmQ==,iv:0mc6MRPZJWEhTfzbc5eM4HGI+ht0Uqm6JEETD5LQ+Lc=,tag:8cgTzcGzRjZ/2Buqi5WBHQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:se42/G+vaixgVMyR7TJngbdmok66Du8zyhtok1dYYNFyuAOEowvhDQ==,iv:w0hOpQ5ZL32XaLhYqAUH8CXXADmxDFd+JeY23rvX87s=,tag:5U9+Bro3+KHa8hhu7f6J7g==,type:str]",
+						"name": "ENC[AES256_GCM,data:CZpsNo8Hgzu5MS0M1ooSbc8P,iv:acAX1eKmCGbXGn3sRJa6eVaUSHsvONIVnN0qSL33Ixc=,tag:vuCDA7P34+SgIE4saoufxg==,type:str]",
 						"namespace": null,
-						"rotation_period": "ENC[AES256_GCM,data:JiaicP1M,iv:tkKRdkBDVZLxyblrgpGzObpt7ul1inqmxkFRK7JODrI=,tag:UiexWPEk+5mZwqWAXHbYuw==,type:float]",
+						"rotation_period": "ENC[AES256_GCM,data:wQDdFrYB,iv:1Q9EXyMSgCUghPuz1YJBiafaHMgwMLhoweX/jFe8Ub8=,tag:9SSJAsd9GSNrPrNvFrNMdw==,type:float]",
 						"rotation_schedule": "",
 						"rotation_statements": [],
-						"rotation_window": "ENC[AES256_GCM,data:EA==,iv:6cKoZPSokT/D8H4lZ8oQB40Q0/xtAMU8AbNtOQwP98A=,tag:WtWoVN/90AGHIch82jjlzg==,type:float]",
+						"rotation_window": "ENC[AES256_GCM,data:Xw==,iv:zD2fhdNacb8zX6k6ZPYWNGbun1nBvI6rHigJmqvPuvE=,tag:5qcQhWhVBNfEnRgCaI7vDg==,type:float]",
 						"self_managed_password": null,
 						"skip_import_rotation": null,
-						"username": "ENC[AES256_GCM,data:0L2F26UqwgB/HA==,iv:xIlYPZGvjtEhaz/YC6ZYXJo05CkbhV8fWbmaIq+uR0o=,tag:oxh93MUTXKFyV7VhaBB5Kg==,type:str]"
+						"username": "ENC[AES256_GCM,data:WS3X83tYRD+XtbxrytGC,iv:Oq9n4vLtvjUzh3Y5RhANz9w9vTmP68XEGspVXkhjkho=,tag:EdBeXnUfoc9Knjxtxcw3Cg==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:6t3W61QhVt0=,iv:xMs+bEvw5YSPYsRpsFh7tEJB98nwuL/SjLAEaJkV8Go=,tag:CD6MYwlYyhrgIl5AWzznrQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:mSG/p30FE3a9IO8tNAcrZvCqk96D,iv:Hz8uS/qKoT9EhHlnrb1gwd3nVcgZiv8mae9G5qcHVsw=,tag:BinowSNOh7wC3CDWfmzQ+g==,type:str]"
+								"type": "ENC[AES256_GCM,data:Gv8hcLcE8Gc=,iv:FTILC3lL6b2Pifq8zjiFwE+at2SU+Ib9DKAW9Y91dKA=,tag:c7VXPsZNGDEA0dcuFyvxIw==,type:str]",
+								"value": "ENC[AES256_GCM,data:WQIdI4Bm/vxvteZbBTKdnt4tiq4v,iv:FKIJNESixppJaGdlgBow1OcwaO5OkRwUZjYSLOx6UXs=,tag:Pb7+dGfh2GXTaYrAxhDZnw==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:1Q==,iv:/tQo18AH8eJm0gRFyUBylYs8dtu3QIMDKwVAROPWFvM=,tag:jFN9E5InEObnJ0jmxerb6A==,type:float]",
-					"private": "ENC[AES256_GCM,data:a8jkWSsQqQ0=,iv:0nGvtPpKdUk2LBW/psmYzYywNkhGHbIzIGAgU1FJQn4=,tag:pv9tMADRzdkT45K+YRNkUQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:lw==,iv:oW3Lp0RBAfGGOHA7ugfHZvV2P7OsggrbGarya9Lc3Wo=,tag:gfFIoXouBLkdMwjt/HAatg==,type:float]",
+					"private": "ENC[AES256_GCM,data:QYQHnts3RPs=,iv:uZXV+vqO5NRaJY/iCtZ2fm3pmMsk7m8dLtO+RY++7z0=,tag:rUSkgYiXcXUiuh9u0PKmcA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:MDRyWSarcJsKOUX0wZXwYxp5qzdVV3b4AGCD+WI=,iv:x8t61BxG6mmT3HJ/whYMrYtFHx/87oOr3XEr2e2qggA=,tag:dSuo/jnxaqj4ujC6iJiGUA==,type:str]",
-						"ENC[AES256_GCM,data:XR6JFUT/ly5K3o671OUpVQeO,iv:JltLv0peCgycwZr38Oeywl0npWukO9uII5cTPxhnLrc=,tag:PwFbw2oWHMqghmJywm0AEA==,type:str]",
-						"ENC[AES256_GCM,data:OYxR1Ft6SbuMJrp+vyl98f6BRIP3iMHYBsg=,iv:Amxe2R92WX8LSvJ6tZU8lp3x2G7aaSdG4bV7E127Gj0=,tag:jCOax7kRfO+DK+rDo5SQbA==,type:str]",
-						"ENC[AES256_GCM,data:wzTEScc1Gi+bniUoeV8dVeck/weEAOSrtWbUd3P0d3a2P+AjEzW1qeFrZBWRKDc4Ebrq,iv:FcCpPtzEZdkSuKJhG4zTGA8kCgOEUSoL3jbWf6V0U74=,tag:zscuC88uhI0V1U0zBoqcNQ==,type:str]",
-						"ENC[AES256_GCM,data:ErmPavIZ7XLCDxMTVBEUOcmydZY=,iv:UpwsPMutXWswpXMsbwAgmFb7aLRecAJMEE2HL1fA0Dc=,tag:oqsw6Hk1h0b3usoSgBxhIQ==,type:str]"
+						"ENC[AES256_GCM,data:Fex93wk2yiQhQ+KhcrLcSi9ogcmh0C6+q3yN/j4=,iv:iGHQ/9hssGUjGdWDCN6cwhbXyLkX6LCcfNAAC4tfZso=,tag:9wwALkqO8bF1mLr+P0TA7A==,type:str]",
+						"ENC[AES256_GCM,data:/tIdWtwIlvx1bPezADbdN1XH,iv:SExQiWC98SZ+uKxESVn2d1gyau8L+zVP3CUdxLYF21E=,tag:Tjev28xMOXF4vQVAbku+GQ==,type:str]",
+						"ENC[AES256_GCM,data:/ZxMQ/64sQFIy8hzCxAyUwDLmORqiO9mj58=,iv:Qhq33t22Xsovioe9EiYADEcbF4K64zejLpOKVYOeXtQ=,tag:dbZMa2DC9DjYpSCWint2fg==,type:str]",
+						"ENC[AES256_GCM,data:b9z4LDND6QrB7H/UTUgaCXLrIDyRIfgGtrTE+19YDADhEuRUGGkI85F2URwWzJkCeUHM,iv:8QW84veZYbBNqLyPTrwgHATh+nFjT6SgHiopzvwpFr4=,tag:kaSp10bzuNa1WQEYxi3kWg==,type:str]",
+						"ENC[AES256_GCM,data:79r/s4iFadVz/jJOE4pPTudSZwY=,iv:axmmqakUTIsY8Vr4Bje6VweJLLrgi8ArlvL+2Rkh77k=,tag:8JjM13NseQkUhuIlPmrjxQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:F9XhTTRQ3w==,iv:E+iIgsTA99NOAHf6XIMBwrsK+OEZ/gOlhtPR3krcHUs=,tag:lKgKdYwtz2VuEmxAJ8erpw==,type:str]",
-			"type": "ENC[AES256_GCM,data:WhLu/aoaQERX2DsvEuxcNb6Moi1y,iv:V/R6kdo8IYEmbv5anseKzC50h6FKV2kkcS76pi0fogs=,tag:6q9h7k8EYJvVYCc3CANXkA==,type:str]",
-			"name": "ENC[AES256_GCM,data:FpsfG9G7X7N3odV/5FGK,iv:u9tYU2vifOCklnsST9NG8nM4Rjdm3uZqPwVVLnTAU+Q=,tag:7i7F6GKnDQthHVFobG+rBQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:Qu8eQ+YBo/0LRzgBfjYM7+7zpzeM1JIeUYn5yeJV4GrRoAtA3o+UNi5DZ+xdA4dI1A==,iv:lVe5XBmYsfkGC5linmQ9BCnSGadaBG4eeHg2JXBbeoY=,tag:g+citjE4KIXV4Jh/FejE9A==,type:str]",
+			"mode": "ENC[AES256_GCM,data:Mk5Lpl9tng==,iv:Ivs2kuYJY1a1PFKUOnSpSB0kHC+7THBgReUlf9NUhEA=,tag:CNII441CLhyDMkVFE51kAQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:ch5XFtlQzRh71qVdjpT9VAnjoCxw65gV0Hapk+qG+9qNojEJSjgdt2o=,iv:H+ll3cEzUrSoc8fSjGpiAg+cxON3igwVdF5py3nNzM4=,tag:f28IeKtiua6K2/QYiftyAg==,type:str]",
+			"name": "ENC[AES256_GCM,data:ecQ+3xRUqXAuOA==,iv:yTFRB0l7PCxBnC98761EuKIPpD26lm3m1oZWfD2hBHs=,tag:iKmcH9vC8Qn8GntXWTTAiw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:U1aTuA2PhIiIJCEFZt8D3xsg4Ld9CluDhVChcdH+lwNjHnA8iNwsrbilknP/2dmVHg==,iv:B7gxiB90BE83jX1zSMR4ZCmc+zvutDeD56wwRgYAUoU=,tag:VKgMfTYatSx6+pZ9YVoZmQ==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:cj+agg==,iv:f/UJUM5IvrKcQ9rp7fqGR7JmchVSCUg2UaosjzaXc7o=,tag:CdZci+fmKAcBXtFbPpFA7g==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:8A==,iv:dTql6J4CGJvkpyjcJnWhIwccMcFUl5Zxje3AtawFzI0=,tag:6RlEsd0eJgZqaJC1XpMBhg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:TA==,iv:l1cztd8RSS7L78zP3X4LLSet3CLUyzzCEyZnhIbiatM=,tag:fux4DiDNoe/A38HKAxeW+w==,type:float]",
 					"attributes": {
-						"disabled": "ENC[AES256_GCM,data:L3OMHDI=,iv:5XUJ6+juZsgK6hNw3IygTIHvmpdOgciAt+6NgZ1yqs8=,tag:jNPcd3WUEDKuYf6RraKGsg==,type:bool]",
+						"backend": "ENC[AES256_GCM,data:l6PwmUW4ewc=,iv:Cg0HF8Ih4maU057RYWGwK/59wlr+cmzUxOXI+0v0Ukw=,tag:bbEe7PCILoFR7g4MKP+izA==,type:str]",
+						"credential_config": null,
+						"credential_type": "ENC[AES256_GCM,data:D7yLkiFqa4A=,iv:sna6/63dyM6CWTQOre15eDwK5nBgYiy4CjCAHHsCAtk=,tag:7DcIHRqRcY1IyXwQ7bfCYQ==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:YhmnQfDnsYerNQ==,iv:zIfJT6AFKyXmoYz3ZR+Uwt7u/WZuiVrtvTTvWHaeQdk=,tag:ou3DyE7LA6mXzEceHocs/Q==,type:str]",
+						"id": "ENC[AES256_GCM,data:OY1y5xsRWa+NU3HRiYD3WQKHEnpFrjfDFThWan9Tn8M=,iv:1Q2NA0u5znIRDC1U4rwWYxABxwMfrFAV3g8n+S7RXbo=,tag:PEJbkIpk4DYF1E9/Hu8X1Q==,type:str]",
+						"name": "ENC[AES256_GCM,data:ckwUuP2uMijONg==,iv:X/byOvsbQjRkRVBmcr8XoDzQPsxtQ1lXPtj/9EFtmj8=,tag:pGEuxCZERraRxiMcF46DEg==,type:str]",
+						"namespace": null,
+						"rotation_period": "ENC[AES256_GCM,data:eJT5v7JV,iv:m3xhrGH9NxORHXFPump8gkmMMQRk1P8fQcRUtIySTzc=,tag:6EIVYho9zoUjCqMmtxqxaA==,type:float]",
+						"rotation_schedule": "",
+						"rotation_statements": [],
+						"rotation_window": "ENC[AES256_GCM,data:8g==,iv:QZVG39wPxVahLNGtqs11YG+deijM5bnCGIV4ATW+y48=,tag:j0sjCXWlkeR11vo7YtkfMw==,type:float]",
+						"self_managed_password": null,
+						"skip_import_rotation": null,
+						"username": "ENC[AES256_GCM,data:dit8m+FS6Q==,iv:PCqG0TWJTSgP5FJVKQ08C2PCnintXq6QvY7mW85zCws=,tag:ugNNc/aAV73iGiVc+C+QmQ==,type:str]"
+					},
+					"sensitive_attributes": [
+						[
+							{
+								"type": "ENC[AES256_GCM,data:+NtYac37WPg=,iv:O9glezvH6apHz2pw9qi097RSZrQx3NnxhJWwFviFGBI=,tag:QHD1BG6lhig3RTtLLuvNOA==,type:str]",
+								"value": "ENC[AES256_GCM,data:ZPrgzmRsjhSG6MGauU2ZqUqV5Qd8,iv:w/tWIAnPPk50jGrhOHAAZr8uO+SYWGTCSedrMf1fK9k=,tag:9EkaMO7NUfwNPEndEx9L+w==,type:str]"
+							}
+						]
+					],
+					"identity_schema_version": "ENC[AES256_GCM,data:VQ==,iv:kLlLsKXuQeMKikIqHVr74qasynIEnZxOBD2jqm7CnHI=,tag:PNzn/5XhpdIX6Pw3wO2/EQ==,type:float]",
+					"private": "ENC[AES256_GCM,data:1ITEy2+0wLY=,iv:TVxzAYSfgeAJJ9/k3AulxVRMwAyb3W9GEuB1XlM0FX0=,tag:YJJ6d+H8jnkoe09O/eDN5A==,type:str]",
+					"dependencies": [
+						"ENC[AES256_GCM,data:RKX59rxpx4BfScewwKex0fvNVgpKNw7Z6/I/kaM=,iv:yQEOc4FoP68hedOsLxlkfEmprlpqb9m8BJqf5dxe9fE=,tag:RTZ09DgV2cZZtetUZq6eVQ==,type:str]",
+						"ENC[AES256_GCM,data:yAnEex1vJYa8LvwkfkxAir77,iv:wqCpOwIXpRyEKgUSClrTYtVwEWzSQQhx/+UhWEmH6rc=,tag:zB+gMqVkLWXDT/KNPFqf6g==,type:str]",
+						"ENC[AES256_GCM,data:w1DSm9W8I+eAtC52lGVoCcLpABdyePCVZwc=,iv:T7Dqr26DpJ3sau+KGcw+OFoWZC/zalxM2MA9nG/dRYA=,tag:rKefhnk2Mg5yxHirKrf8ew==,type:str]",
+						"ENC[AES256_GCM,data:Flzawr/x/ySgxex449r1YBAtSLsSq7A8j+T3onCFRWfn4wTZYYwttDSpTRAG1qI7fp8L,iv:qpUyFOd/G/htEtrW9/aN22WtfwzS17gTg6wBpKUEmGw=,tag:dSsrf69RWbIPWrRsQ6XxiA==,type:str]",
+						"ENC[AES256_GCM,data:hEweqpOpfCHkohDNWMZTmWRg81A=,iv:uxHEZt5aS++e0MOFAzO5ewm109DEdO355Yb6mvOr3SQ=,tag:sf5F5NhELlmE9EdOPHurpA==,type:str]"
+					]
+				}
+			]
+		},
+		{
+			"mode": "ENC[AES256_GCM,data:SYSpPf1LxA==,iv:x0c2c9LEoRqKWXyJOlxxfspqM/Ax/0zzNZds5ViaPEg=,tag:HH4VVmdH6nsObEcE/Mx7Xg==,type:str]",
+			"type": "ENC[AES256_GCM,data:pnxefyESC6gzgT9Dbr4wXLk4xz2BR1H3nucPZLMTB45OkJGmlJ6pfZw=,iv:jeqUttKljvVL7x+jUl9yCwCEtp9IkcVJojkPPd3AMD0=,tag:UvDI4/hkSV3yWYXOSD+HFA==,type:str]",
+			"name": "ENC[AES256_GCM,data:WC1esVZOJiwN,iv:UnsHpy8NcXViAanTa8BtEx22UQqlZ2umGouNYzLVNvs=,tag:uldmGuVAMLtMBvPz92kmiw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:4hALGJLO+whJZeNWJghukxoxvW1xaSDlzDmh7KWdJcNkefSgVNg+OdxSoD8SzGXSgg==,iv:pF+ZuN/YPl3Ve3Zo/2GTplD09S6LN+QKHAYSy9heNjw=,tag:83791YbvIjrovHKPn7FIMQ==,type:str]",
+			"instances": [
+				{
+					"schema_version": "ENC[AES256_GCM,data:2A==,iv:EKHPlr2eE1qL1nNSMcrcn/l3aTuK8lakiGR9xKQK98w=,tag:DlknkIa6GpTpt8xiUFiN+Q==,type:float]",
+					"attributes": {
+						"backend": "ENC[AES256_GCM,data:JDklQW448sM=,iv:KcdnMgbqL+CI9ibaH/3rzOl5mNO5XkNnrb8DCTH8xWU=,tag:o2s6nHSr3FZt+s7ZAKcALA==,type:str]",
+						"credential_config": null,
+						"credential_type": "ENC[AES256_GCM,data:LeTQypf5Jxk=,iv:Bcw74m/hpKDnK6iapR5q3IXyYWd82H024yk+W7Tn3w8=,tag:wlKrAfirO+Gz4iwHJCNHJQ==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:Wwkgobajt5yMYg==,iv:yryzZWAg7xRHsXENkaSce3xJBkTssanNJ4fE/nyHNVc=,tag:W9UwzM/8TEPvZO62wfyC7A==,type:str]",
+						"id": "ENC[AES256_GCM,data:UgfOI3ru/oTFahm66XQ0yqCTKftYV1R0KGBCiSaAoQ==,iv:u/ce9lMV9Coo79CmYrEMbzyIHY1VqLMDwIseHoLPzsg=,tag:ziuceVX5mZz/OoiCI/rJRQ==,type:str]",
+						"name": "ENC[AES256_GCM,data:gN8Pp3pTPKBo,iv:Yrz/bxi3w5MnOYH8jDJRrGDAA5rINMOH+YA016hI8dY=,tag:aM09JajfjTd5bUZLpZuhyw==,type:str]",
+						"namespace": null,
+						"rotation_period": "ENC[AES256_GCM,data:JRQUoGLQ,iv:lbyaASlZUNCEIuUjmMDwJHAdNV2Li67SOu/0AE9KO2w=,tag:h4A2xMrsrlR2Yvkt1qnZeA==,type:float]",
+						"rotation_schedule": "",
+						"rotation_statements": [],
+						"rotation_window": "ENC[AES256_GCM,data:ZQ==,iv:p0aDdT3ldRu7tfmG10Hu4t63KgF4OCB+yBl7dsFD8Fo=,tag:OHeR8++JqHbI0P5/VJ5RGw==,type:float]",
+						"self_managed_password": null,
+						"skip_import_rotation": null,
+						"username": "ENC[AES256_GCM,data:BQeOZ7db,iv:WJ9nXwJnMvEn8liXSY6rI+sRY6KU3Lh2nRZweh9Fal0=,tag:tITwbooV3u+bquZ8ROS6jw==,type:str]"
+					},
+					"sensitive_attributes": [
+						[
+							{
+								"type": "ENC[AES256_GCM,data:4v+9u9YNuWI=,iv:JYyRf3QPW6ygejmHIIDqCN66sOnZVy8LAFJKQwEhb2I=,tag:aaat7V21T41wJC0ezIQN6Q==,type:str]",
+								"value": "ENC[AES256_GCM,data:keS6r/ppZZwHQmJ02yFN/LrjdaiD,iv:KjEFCmautAmP4o4T6T519lXOG4gp1EvRWGKtEunyKqI=,tag:y2+mjQAampfuHQnBLPMFoQ==,type:str]"
+							}
+						]
+					],
+					"identity_schema_version": "ENC[AES256_GCM,data:nw==,iv:u4kmoN6yQ3iy37M+fg8quNFt62DFjHowAfiuaCKACD0=,tag:kI15CbgJCpoTksXsXaG63Q==,type:float]",
+					"private": "ENC[AES256_GCM,data:ain/8xORpoo=,iv:BBsBKOy8NAjLO6Cyc+z2CG5+qgoW6gphdGueF49MP8A=,tag:Nv63MBGqMkF2C5H5YRPEGQ==,type:str]",
+					"dependencies": [
+						"ENC[AES256_GCM,data:60TuaJi0dc6g4qMI2TChqbRa1xZjgbcLrQq6xXY=,iv:eCrcuH5ILmTBpg+rBlizWVPtS8GMf41ZMzEK3ZfsiuM=,tag:jnt4ms/KOt1F2M/p0KJn9A==,type:str]",
+						"ENC[AES256_GCM,data:WVEas1JmwzE6kZ2QQsACSREJ,iv:l6sKsOO72BgZ+b8pUyqpC6+2utqxDKOVAyUaUyib1Nk=,tag:ARmVujPmAfNMs+dhITK/vQ==,type:str]",
+						"ENC[AES256_GCM,data:0WZwSxkSwcQHld2tAKLYoTAVs9wGF0hpLDY=,iv:0WQEIMIyjRV2eeoq9RtyPMEKvuJ8p3XOI3xpD3OzmJE=,tag:EEo/6kFslB8tGp2l/B77jA==,type:str]",
+						"ENC[AES256_GCM,data:mNm11VKaxmpfQ0ZJYjpAgLibsmc+Z3pgxbabPtoXq7FLRFv4nOUXm0tD8+PrJUw/oO6D,iv:bfGDjhGEWg+7+Lzkklci2LqsRLYzZQwrXvcYDOAfxtI=,tag:VA71n/rYByLZrpwxAXjl3Q==,type:str]",
+						"ENC[AES256_GCM,data:XuuCvMyIvrE45+76SrUqdKbIyHA=,iv:03Lqd0cS4u4HVywKWg3yTJQn8Gjs3UndQlK+vtfX8Lo=,tag:kGvwj3I4mA4OIApmRLYwXQ==,type:str]"
+					]
+				}
+			]
+		},
+		{
+			"mode": "ENC[AES256_GCM,data:JoYRneBU/A==,iv:UDEdjV6zAshf5G+IT8AIZ4u9p9LKYeKvnecgZWsMPHE=,tag:7N1WxWLC7XQJ/J9yAjDNrQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:6kRzaHvGG7SOsxCSsl70wrtOJFlHT8i8NrIdaeI9dwkMCOVa+TQAzcY=,iv:Glll5XpjLzfKdw0jMPi0z4gHbReksKFl3WHqjXcNPJI=,tag:6pzFbkFlNLR1fROM3tl93g==,type:str]",
+			"name": "ENC[AES256_GCM,data:DRK4WTMp+kFKw5Gb/SO0shwVkg==,iv:ENlUyodhLnN9aLS2JdyzPFLpRjSPuQy/W//zCF4FjlA=,tag:463jYhfHTvWF6yYOmRb/1A==,type:str]",
+			"provider": "ENC[AES256_GCM,data:VCs5JWAPy4cf71yT84S/0pksKTuc3Fdj9VrhktvN5IyBQ9JET+ZPzPeKW6NJ1a0/lg==,iv:dtevaAM42Qv0FHWlDewAxVRyjimn2+LQpTGShaqIfRc=,tag:tewlQmU0zxA6/BOokOJbVw==,type:str]",
+			"instances": [
+				{
+					"schema_version": "ENC[AES256_GCM,data:4g==,iv:WFgLLZE9yBi3f5Dfli/UoMhhIV8axyJgc7vGs87gA7A=,tag:PNcF6jYIb5ESybbG4HZQTQ==,type:float]",
+					"attributes": {
+						"backend": "ENC[AES256_GCM,data:JEYQjmhNVQM=,iv:c+Zmk6g5/fh79K43fBeNO3MvVGt6W74VOjJ1pBB3Cog=,tag:WzGF2e9R3nKnU5cRRvh9sQ==,type:str]",
+						"credential_config": null,
+						"credential_type": "ENC[AES256_GCM,data:lECK05u/K/A=,iv:kyrACxNoTK9D2u7zWF1Xpt7T05jXbGUEM+4BcBkVfIo=,tag:esUMAT5nM01vdwv//3MMkg==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:013E/+MqBTAYZA==,iv:i48PKSrZJ4kcBMMnzI9L8fM/TZY3CAa6ZkVPekVvjj4=,tag:daBS80QwNWz1EYNnJ7Jy9w==,type:str]",
+						"id": "ENC[AES256_GCM,data:PIPI5YXo0snKcranEVybgPmjD5VEKh0COAwAJamh0+HZfaRXYbRHuv8=,iv:nwItjceQcRz2psrYLWxsS/uNAmaF7PCbkCYQHCgYvjY=,tag:IdqmMWNOAhxbTEIb1B5vcw==,type:str]",
+						"name": "ENC[AES256_GCM,data:bS2R3QxVmVuJZE1ZT5CKSNEQ3A==,iv:NCqUrVi87fbKmJTt00Oo41VsXmVpJk2goh/woDtewZQ=,tag:FbwHQSs/m8ZnSZMWUPiprA==,type:str]",
+						"namespace": null,
+						"rotation_period": "ENC[AES256_GCM,data:fz6MTT3w,iv:DyJM5E+VPSjxPN4QN1xYToQGt1z9rSVPrb7FyU2UxPQ=,tag:DkZdjBccb8M/rFI2BjmzGw==,type:float]",
+						"rotation_schedule": "",
+						"rotation_statements": [],
+						"rotation_window": "ENC[AES256_GCM,data:mA==,iv:ZgJw0zvfj8cjtuwN8tlNRie/sTZjTbFM3HzF2yXXg+o=,tag:73h91/bbqJkVegaEzYEG4w==,type:float]",
+						"self_managed_password": null,
+						"skip_import_rotation": null,
+						"username": "ENC[AES256_GCM,data:BQ0+zlYM/CL1OTFtipIj1A==,iv:86120BVUULKDze4QlKij7KJ7U9wmZKPANfqlGwZ9rxQ=,tag:mMbJ7xOw/3In7YaN7g3E2w==,type:str]"
+					},
+					"sensitive_attributes": [
+						[
+							{
+								"type": "ENC[AES256_GCM,data:yk4+oNeGSRU=,iv:MxaK+qL3wx31krDybd++amoGM6iMAkr77+/fFUwJ1OE=,tag:i9qbJYTvouDDFB8vFij6WA==,type:str]",
+								"value": "ENC[AES256_GCM,data:y9HXSIUIhA3wJ7XNPgpFUIY4iezK,iv:tj+CTXG6my18LaHMeM4N5vmQbCCRH+DrEtoEyNpPB4I=,tag:lRLx/cOcxysvH0+oTJX/kA==,type:str]"
+							}
+						]
+					],
+					"identity_schema_version": "ENC[AES256_GCM,data:yg==,iv:tnPQp4T0ZACoQN2K4P1ZllK59cbb9XgFUBnpnB2zutw=,tag:Q9ukHqW4pTjG0fPyDJM4/w==,type:float]",
+					"private": "ENC[AES256_GCM,data:whKuCzCgTaA=,iv:4x+uao2KUcA5lVVPVbYECrz72AalTwJDFcnWC1n5NIQ=,tag:ZWotj1C3E6HFsp+U/a0zdA==,type:str]",
+					"dependencies": [
+						"ENC[AES256_GCM,data:F+kQad33opQk0OuhV7AfTSpXm835DYcafLhQx3o=,iv:vxkAlWWURBsPG0xnVLYwmaltcGNJvBqz2sfcg2dJ6Yg=,tag:afMfkfe+CcnXGYzXHrYopw==,type:str]",
+						"ENC[AES256_GCM,data:oDrS8PGdrpqYqUMIUWpO1sVZ,iv:rIZQK4sulyooS9X4atz5+Gv+yLaDpkyi7jQYTYlbVkQ=,tag:x0r4KiEz5wDIZv92NRhMkg==,type:str]",
+						"ENC[AES256_GCM,data:tdIkZmyMi7ZIERwC3fz3WrfkjjLbzfNOysg=,iv:vToMAXuDfIxlKhsvwDYiNgecXAc8DdCEh9YxJhZ7L3c=,tag:TLbLHixV1+6Af7wRKlht4g==,type:str]",
+						"ENC[AES256_GCM,data:L0y1ZqGyoG8p401tJUBQ5+zDSmO7Q+a21zl61BgCOXAkW7kS2rf5XNz+31yXcSjn9Dv3,iv:6Cm2TzTW2mENsaZS47w9bv1HKDUaK9kD9Fw/2XRUwdo=,tag:xp0KuSwPFJOj7eo5NOx+6w==,type:str]",
+						"ENC[AES256_GCM,data:7l+ldtwyrx46ePE6K935dUks8jE=,iv:UsNx9hddCpAGi+NST/aA0W1ZhJ4MKauAfVxuxU0RCfQ=,tag:NJwAjtBS4wclLQugOL0VwQ==,type:str]"
+					]
+				}
+			]
+		},
+		{
+			"mode": "ENC[AES256_GCM,data:dzryo7U8Mw==,iv:JDANRzlxC1p3p9hYZ6wV0/w+Hts/jFx3hujUf5WFh/w=,tag:+0kvbG6g/8OLyefZXeS33A==,type:str]",
+			"type": "ENC[AES256_GCM,data:KxC+51CUXV2OD1yk2whUuHC0I8XUCWB9IinGCJ23t5+Y9UnXuxXVKpE=,iv:IfktKLhhzAGTzhC7YUknpnSStRm/tH3LLvLCp2xYdhE=,tag:/37uYok7jI/geHoVh1iLZQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:stlpH5qleba78PMIFw==,iv:0+6xjWIsyKnDFh3zlBTy17UPNndUFQShxN3zpXBRVU4=,tag:66l3byhYMgIkaTArW9QnUw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:YNXmXnR6zrxTxuuALHf8feCRzm6jiK39JI/CxabE/IbkGSej+EgsKdTx+ww6/vJ3+g==,iv:Lk+mRH3Gpfeffgv2PmxxNCq5gTdhhw7fEUqy49ksUcQ=,tag:tz4gFq7ugSJNDh/Jm+HZyA==,type:str]",
+			"instances": [
+				{
+					"schema_version": "ENC[AES256_GCM,data:mA==,iv:B2oBlGpqPkjGNbRWFzU6slFu9dEiJFPBVUP8/F6Ifb0=,tag:/INslc3cJ2EMNRGae2SjQQ==,type:float]",
+					"attributes": {
+						"backend": "ENC[AES256_GCM,data:/K98Ri6LRNI=,iv:A+MCplvsCXyUzfjnenmHS5ZzrxEnuR7z2/bRMlMaZiw=,tag:IEvWhbjl8nYzATnWhG+m2Q==,type:str]",
+						"credential_config": null,
+						"credential_type": "ENC[AES256_GCM,data:XfoSvwTL+ig=,iv:RhcwMYGiEX7cpUBQJE4//lEQctnLoTZmncuUmVDG5Jo=,tag:i/r5o5FCHWaGp3RWtTbcag==,type:str]",
+						"db_name": "ENC[AES256_GCM,data:fekXADELcQP0KA==,iv:7ZZCcFeWZM3DnqyXXOSz6tKpRTrw+1MfzRwBFUSTye8=,tag:xfvdVLTJ0rXRu6ImoLfIpQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:xDzOUv95Hl6dt5/VvRvqYA694Pn5aqQSi0Ir/cyy7SVdVsU=,iv:ZnKxMJLK8QO2zPAsxU/9Yc1J4I2uvse2vtOfCF8afYA=,tag:mHL2viRomR2iiaBBvFiQ8g==,type:str]",
+						"name": "ENC[AES256_GCM,data:9W9NapG49WCpNNRjXQ==,iv:HABJO2KHKyY37F3aM+Y29yjBdSCnVBB+kRo6Wec19cc=,tag:L9JHPJJmvbHNs0mXr96/ug==,type:str]",
+						"namespace": null,
+						"rotation_period": "ENC[AES256_GCM,data:x6+29y08,iv:S/Ey77KVlLFh2o0qt8NKAynCfGyPqB7WeTNNHurk7X8=,tag:SC9WHV4H8El1rJgCWubPVg==,type:float]",
+						"rotation_schedule": "",
+						"rotation_statements": [],
+						"rotation_window": "ENC[AES256_GCM,data:CQ==,iv:WsvExzQ7pk0jt8w0lXlcwAlUSh+sNRFSWvdw5xiY6Xw=,tag:BpdEgvIcXxcMMDAjPRfCdA==,type:float]",
+						"self_managed_password": null,
+						"skip_import_rotation": null,
+						"username": "ENC[AES256_GCM,data:PtXALjZRci5VpQ==,iv:D5MQb5bPlPTiMxHhIGFvrTKk/5ljWSf454sxom0D68E=,tag:98aMSTyBvO1GXDyq0CA+Ew==,type:str]"
+					},
+					"sensitive_attributes": [
+						[
+							{
+								"type": "ENC[AES256_GCM,data:9M+RYkrNNps=,iv:31NcnTTp2f/PlXRm6FGJ1qymlPL5Zmn87RUbkU6/a1o=,tag:gdyu3u3Gx/TR7B2B30JVXQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:0FQMQLRWmrDLz/1uEIWcj+ll3ZJi,iv:mKCPGf/R3KPgf807T1CNgWMKag+hWuqLKorPQ8faYCU=,tag:iut8AYTzDMB3w/15qIYEBA==,type:str]"
+							}
+						]
+					],
+					"identity_schema_version": "ENC[AES256_GCM,data:4g==,iv:Jgo/d44ESzRWpLv6fI/YuK7EA2h60j0X76OHOCQLFlE=,tag:LKelLxwJD7VKS8rg/TbGxg==,type:float]",
+					"private": "ENC[AES256_GCM,data:ACZ0xdWREoE=,iv:7KuZZivN08enlTTG5tpEy9u9iCQIRgnz4si7fMwoAMc=,tag:KZ5eXDvlUysr1prrngO9AA==,type:str]",
+					"dependencies": [
+						"ENC[AES256_GCM,data:jUL8I7aKevn/uE3TooQ5DwjoUGCrnoDi7Q6qqbI=,iv:cGkhQh6eWbCTi3QOixfjN3fg8FeYfbYzh+A6E9iYOHQ=,tag:kOZwELVHflEDvpzUJSGH3g==,type:str]",
+						"ENC[AES256_GCM,data:Lq9ZTBnOSZOLnxDrxawlWJKa,iv:lUPdTh4lJVTXtJ8C63kv/V3Yxqi/eV/uhidWRUpdcAA=,tag:C/8/7ZD0oa43+zuaXGoDNg==,type:str]",
+						"ENC[AES256_GCM,data:U/zwZTN05UFCrYCFGV3/Z10Vq7IupDBXbfM=,iv:T1VZTQpBdmtyjbUW1KFu3r/hGDi2/eJq6OwhV4JUvGY=,tag:SCLIHFWuXB9kjNSWcX5+dQ==,type:str]",
+						"ENC[AES256_GCM,data:Ures+Jd3RgcGwLlJxIK9j8r+7fgTPWtlOjdB57ZFJ3Akq9QfYJC/sgkaTjWdLleas9+/,iv:kC7bWBD1hPHP7Eb1pC9grLv4jkqjRxLQO63KsxAmCW0=,tag:dVMaRofCKjvnPjHb2cJ52Q==,type:str]",
+						"ENC[AES256_GCM,data:FmMVnUmKqrYuzIlfgp4lvxM8DJg=,iv:LA5aSqDz2Vqa70RS+j07ykYwN+yrgJLcmhYgbh8aJXY=,tag:dWdmkINoJ1j+b5wf4Bu8Lw==,type:str]"
+					]
+				}
+			]
+		},
+		{
+			"mode": "ENC[AES256_GCM,data:Py/4F4otIw==,iv:1NgGlMn83TEXfzU7n9X7Km0U9X1dDT4SydEJqbJuO80=,tag:OifUKODoOg87CEZNLDItRA==,type:str]",
+			"type": "ENC[AES256_GCM,data:OOWo0mgkUDRhhwsQS9kUXHKOSaAN,iv:8/WqYrHewRlwGCBJ6Ku0wjmy2ijTA0tuyDqcqG3s0c4=,tag:O9ExkcnO473Drd/etnkwxQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:+ab6fX4bbgfYKF1UbCvY,iv:De2kA5/FOBewcDp+xSeH91izFsGtz0+eHOC6ZKslbyU=,tag:ljHMwvX9kMxnLiRqKylyYA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:B4LucgyvP/U2ZQ+ghKJ8ZNakd/saw04IPXqYwIRIBnJVVlsbLF6NkQsaHiM/tKryog==,iv:rguijOgS+ZvtwSFu4xdupo00afz5XAqRWUJxBD7KnOs=,tag:sVMzM8U5HkbKlQx1EW/piw==,type:str]",
+			"instances": [
+				{
+					"index_key": "ENC[AES256_GCM,data:esbonA==,iv:/RvIZrX25UERS9LP9eqnZtbvfIFSL0U1ZjVYcWkbxgY=,tag:njunRusXkruwkEVHmokKcQ==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:5g==,iv:wtyafWycXivHsikbv77mL5RJo1xd5cnGEOgRPAsS27E=,tag:1dYZqrSzQyJ2mtY8LXrltA==,type:float]",
+					"attributes": {
+						"disabled": "ENC[AES256_GCM,data:u57sy0A=,iv:XW6iygsFYBsgRPC21yTuxI89DFAcbLcpgfhwhMGMyzg=,tag:TJ9U+YrvDVusS0LCFQ8MoQ==,type:bool]",
 						"external_policies": null,
-						"id": "ENC[AES256_GCM,data:ayGwyaZYmfHrdwZHbGvTpd+zvw7FMwMZ3HGX7wbO/EU1ThlR,iv:qXwAuVJ/cKg/vNb6v1rWgXm92ZFpdxY0+T13hYtp3q0=,tag:100H1a0IAA4wozAZoCuTjQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:o70cIv1aVavw5jFiSA2jqEj3qqfk0M4r+WReHFyhReEdEAG6,iv:KUH59gSbmbERKt50rf+Kxd1kqC0tVlhX1kwuAreQRJM=,tag:d0hPNMkNjApCykGg97dFpQ==,type:str]",
 						"metadata": {},
-						"name": "ENC[AES256_GCM,data:o3pgOQ==,iv:oeqRZXK+Ltb5zrN5keROZDQB0nMabDYzgj2ZeOR6kuY=,tag:5rfQOSl8mrWX6zWh37quIA==,type:str]",
+						"name": "ENC[AES256_GCM,data:ust81g==,iv:2l34aNwIkZN54Lqh965tOfi/GxePql5nEynRGnvg0kY=,tag:VtQqp3UOoavVeLFEeQB0ig==,type:str]",
 						"namespace": null,
 						"policies": [
-							"ENC[AES256_GCM,data:G39CfghqSu3KcsMwRLSEeiBgnFU=,iv:tOJwalqsq3TLv4vw/cfM7LqgUwHetPlaexQjAae69dA=,tag:9fWgeKnFnUZ9pGsAy2W1Gw==,type:str]",
-							"ENC[AES256_GCM,data:bmiqyTxcZW90FyRI/Xs=,iv:oroMLnx4D3BLPQJl27FNzM4Ix2phCJHdQTPIK3kOjFM=,tag:fc4qzOTVBeDZHTShfMd35A==,type:str]"
+							"ENC[AES256_GCM,data:qtZXHVoNsB5fSxvhaCWY75sjuBU=,iv:cekY2UvIhSmSr1bTg3qHtmZcFmbtJbJezvlpOg9Pt5w=,tag:NARjY9D2U/iuP6CYej8P4A==,type:str]",
+							"ENC[AES256_GCM,data:OYlbHrMyYDHrLsMaFM0=,iv:Akx8lcBrGhbN8oixtrPo5Zsr7OCO+urD7e8R785sK18=,tag:s5+riWTa3J6atNA8Kcu92g==,type:str]"
 						]
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:NA==,iv:D8bzboXEcA7MFnOqaJCaqNGamw54TrXKv3qJC+9Ndg4=,tag:62eSKAbndiNUzHSkgzB2tQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:uHfOQ0acYITlI0uGu5FcHYeuI3vBkoNeqQjF5B8R4vM=,iv:nnzChCGdzCQbtQL6ur6QqNsyGFKwjkpROBrLdOwjnrk=,tag:QRbGkq6mYuCQndR6rvIdrQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:DQ==,iv:Yh1jEiUtO9d/rNeD0csFl8e3oL/6f5r3MonytpdYJ1s=,tag:/TBnguhBxrO4/gBRbT2UJQ==,type:float]",
+					"private": "ENC[AES256_GCM,data:8BLXgWURjWRFg2hsNV78IxTqcUhbbE1oYpeeDdw17zU=,iv:eGOpmtPqw3rqzLFKGYeSsT5hlVpTPNJLCeLjitftqBw=,tag:1fzV16xoYJsaWJBcRFZeXQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:HnjU9Zb+mODsOjGAnJdFmAOV37vZmK3BXPU8iV4YCzE=,iv:auR/MLb2lc08qMhei/4283tJGPuciGCxlPBJyZxkilQ=,tag:EurrrZ3JxJ7feBsa+8MhBQ==,type:str]",
-						"ENC[AES256_GCM,data:Iql2bxxEsVmA3RJ7OIcCITeV,iv:5gOiGI/oupQU8IizHn4cQqlmzvV3RHFqK/HXyBzwpx0=,tag:AbUsMZ9QFNwoR0wnrwpPCQ==,type:str]",
-						"ENC[AES256_GCM,data:kCN0dNk7ieOwgXKWa2QULO9zIAkAv3tcu5M=,iv:qUZ7bGqJ7fjgBZouwqMMihp+mq35pIE04YXMw8OcIfE=,tag:6gkDgN72aJW5Il7sQ5J78Q==,type:str]",
-						"ENC[AES256_GCM,data:7HrqevyxPxBy0WgRS/zTl92zVD9eAwxmJ4Zb/A==,iv:L7HdKnmNT9z93UnrB48b8SLkRAI0pu7dhUbnwLG3eMI=,tag:AbtnlrebLS2IW2lDVPjm3Q==,type:str]",
-						"ENC[AES256_GCM,data:4kTgUojquH5DxAeGC+M3xBadjx5qIA==,iv:U3m/onhMPru9bayl4F9vSwJC+/FJLWRodt5VVZPpgsQ=,tag:nZbKCeoToV4XUNzB7PmamA==,type:str]"
+						"ENC[AES256_GCM,data:JQNdYvbCiQtltsH+2/I0xwQbzo7+gJoyC+rRmh+emUM=,iv:ajJ1kDp1q+dl6XEoXwV+oVKPlYL9G4kVG+VIx3IFd1c=,tag:8Fe0E68Bt23aO03jClgCaQ==,type:str]",
+						"ENC[AES256_GCM,data:Vxt5DIPgEp8+vRXNUzfVCvTt,iv:da/1i4h3dD9mEwCh+XtskpuJeK/vx3PTt7ZE4DFd0MQ=,tag:aCscjnGbmzn0/coFF34RSQ==,type:str]",
+						"ENC[AES256_GCM,data:mABRJp0E2zLiZ8aULlBafVFzUNmHOviLEls=,iv:t3/t//KbC7dEWG158zjcY4YBrdAN4kTj3cY9ovX6Lho=,tag:AwdkLuYvkI8Ts68tWfRMkg==,type:str]",
+						"ENC[AES256_GCM,data:dhKURfGccIXe4vlIuqVc9mAhuSawBCryHINPyg==,iv:u3QMJ1Up/TOi31o/DxX7gxI+eb8AyYO8YHBxLIIsQBU=,tag:6F9/dTqtgSpWnnZUqqY5sw==,type:str]",
+						"ENC[AES256_GCM,data:TxqrXL4eH4yxppi7hk+43OYHzfRtaw==,iv:pQjcM//nR5igkaYseW4Hl2LfXVCZUM8ziUbpU02YaXA=,tag:KOdWdafGm4ub2+K1AZI/GQ==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:EsvWvNwUWtk=,iv:Jo5HCveVDpDf7lXE8aatQpLSALYDEhNrVkzLxBO8JGU=,tag:m25DqJxhfwgFl5mlcriVag==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:lw==,iv:CZpazzDAjrXU08JUFraGKWMiBaeti7vqxY048Bb8Dow=,tag:ADRkO4P3pZ4oKCX5iLDlBA==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:kgVRNilfzcc=,iv:jJ+u9v1xYmcQVCBLA1DU19EaIjBuuur1xsO1w3UX5qw=,tag:sPF5fBwIxtzsJ2AKNpvM+g==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:mg==,iv:WKyjaFE8nZ68D4Q73MJbQ6qqkM7Dy/jm1Dj03AiK/0o=,tag:dDNG3k/wnQrw+9YkZsT6RQ==,type:float]",
 					"attributes": {
-						"disabled": "ENC[AES256_GCM,data:e6uEZyE=,iv:X+smp5Q2XbFwGpuyIrN1qapFqh3Xfm4hcU6M5yILIvQ=,tag:JOYW23wvoKrFQVryNYqT/Q==,type:bool]",
+						"disabled": "ENC[AES256_GCM,data:T3FB2k0=,iv:p5+jPjpoN6JKC0eJmcbLf7arxl+aZWxa77PVO0i3oiY=,tag:J21V9xO1qg5so0tIb3zokg==,type:bool]",
 						"external_policies": null,
-						"id": "ENC[AES256_GCM,data:Mh5rn/oKZqpUyvQ+ntr+uFiWPApNzVUPC8Z143bcuFmPBHVn,iv:bJSKUewQOQfBBI/G2sJFBmALZAE6ff1S03kUPdP34no=,tag:+8B05n/pmyd5v8LSfiaBuA==,type:str]",
+						"id": "ENC[AES256_GCM,data:wItIgJxikZI0xPaqjVXXbzBxrahLyPvS2KoWoUXy9jIwPiVX,iv:/fT7GvrKwhN+atwUIn/vW3ZgKH/HPgQcT+UCKwLIk94=,tag:hqLnIzbaXZ5LZtwkhyhAjA==,type:str]",
 						"metadata": {},
-						"name": "ENC[AES256_GCM,data:ocDPQ1u7Wko=,iv:VyVqjxZuzYQiUcK5KcMtWIUkeBwsr/5ZW4wApuwmFBY=,tag:eakGdo/amPvpWJcTTwWGFw==,type:str]",
+						"name": "ENC[AES256_GCM,data:XSd48BV2riw=,iv:kOFsscc4npR0w2TNBkawxMAPEoxGcce2QHB+5z0VJwM=,tag:FAIFzz5tpDo680QL8RY6cg==,type:str]",
 						"namespace": null,
 						"policies": [
-							"ENC[AES256_GCM,data:OqkuBZsgLh2icHywjr264B3FHc7aNIFB,iv:ZsHuas8XS9R6UOaOg2TXSDISbBqPXKnm315F5o3P71Y=,tag:EWgofa3lR5Lj738DaMZm+Q==,type:str]",
-							"ENC[AES256_GCM,data:HApkcjVsgFiih1Ym/4jgsF5b,iv:hSAPkIYTs10XygIqv1iBqJ/kZ1pfZIs2M6XV0iyRvrA=,tag:Do4m1biyMVFdvb1b24LpJw==,type:str]"
+							"ENC[AES256_GCM,data:NEZbarUYwI7d0Nb5kPrurfkZETrEqdEs,iv:R26/wSWPN0OI0JS1evSk/FbO+a8gZpZ1s+zGhH8mVo0=,tag://7Se/x38p2hFYfrzGO97g==,type:str]",
+							"ENC[AES256_GCM,data:mipdl2E2JEQJ+XFSms7g2VoP,iv:SfLRNsTevIxtycBjdy+Xyxi52ZIM3J4Y5xLNfa0yGTs=,tag:r4V7GRzFYwemi4v8xiK5yw==,type:str]"
 						]
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:XQ==,iv:DAAtLUbR4YL5If4rEbF9SAEmLdoipHtIbKlx/xjQsuI=,tag:fzMy20E0/N9ODXMRWaYHWg==,type:float]",
-					"private": "ENC[AES256_GCM,data:Y+tfweazq81DzK+p6Me3bL8Z4h5RaNb1UYXCDE3Y8Qw=,iv:IQrLuemY7vb7eObQWqCiUrj5AcFm2Psezn/Kjc/2klw=,tag:xIaqKplQv0Fl3KfxZnT8fg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Ag==,iv:8Ni3ZrgUtWUfm1nw0vat00oStsMdfhXHvi7Y6GHEjVw=,tag:kRkYFBMU6S2EyAxoEO5Z8w==,type:float]",
+					"private": "ENC[AES256_GCM,data:Zvsqo6tF6fWHOPpPOLq4zUl1vPEYvcdTbZYM5x0rYkY=,iv:0/KXu8BAygqOWg9uHXiP1f1qLG1HeN7Dmb0K3i7pTBY=,tag:Rg1MGd7ambKcHqm5l6kLkg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:oLZdAhqFUr2CtzWgIrQg31FQmpMcWI17yJBLZqNCgtI=,iv:x9luRr/fRL1VZE277tQC6qyBdP9nE9sqNlbFQ6QQ3fI=,tag:7EpNvbgAfLZxMLbC6NnsOA==,type:str]",
-						"ENC[AES256_GCM,data:7ILPSNyDsIzWOKNzzdBFyB03,iv:DteDwoAhIWWL2k0sLhGfiHrHLaqQUisSFgMkypobor0=,tag:o17ZrNiHXP1vc9x7bvBKdw==,type:str]",
-						"ENC[AES256_GCM,data:HFo1TbhLl+bPugjf8LOu6kc+VUgizMDe/pk=,iv:Zcg9ai22Zb11x3gB/8PfBnDTOBFEB+8KOXvGFe0LzFI=,tag:HzaP5NzvsDnsPfoRb+hbPg==,type:str]",
-						"ENC[AES256_GCM,data:RBrE8N3d2NAd7TIlERpbXmzBwP30s5Z6iVspeQ==,iv:a7C/Q/XaHtTPv9KYi0KqiU042ApW+gZS7F2p9Fpe7XI=,tag:bmWsshPNZ4a0Tne1jxyuLQ==,type:str]",
-						"ENC[AES256_GCM,data:L7d5NT7OmAquMeO/X15No4NMlLXP9g==,iv:UtykojZfuW+iFdHUApfqxzg1smXttIPbsHuJFsjs6ts=,tag:AcSjXFtRKr23PWBmGbXCvw==,type:str]"
+						"ENC[AES256_GCM,data:Ih5trulPQPugNg1Sct3xCiDEttOm43lC9ADuaiEQZv0=,iv:yc3KiP/oXTCIRZ8SvyW40ib5yvjDA5j4iVQjSaC9DHk=,tag:PEwmoejASKMKegnEmz4XdQ==,type:str]",
+						"ENC[AES256_GCM,data:zXvYok0UKe45E4xC74Qq6tyg,iv:HmT1RsY0Wif5YE1ylGVjJ46QoAdFlozdP/6mw0B1rO8=,tag:tYSiWHALn+ukubwFuv/fDQ==,type:str]",
+						"ENC[AES256_GCM,data:MQ2n0c5cGsOFGS3P4tzigAEmTH1uTxLxPFs=,iv:Zhu/3crBOsxQvrVIlALghMOF4LK7lQq00lmGsRWia9U=,tag:S6ijF5mKKuRw4PU3dEddFw==,type:str]",
+						"ENC[AES256_GCM,data:DV2k3ZkdwYw0MyYSXKatj5NCyckC7iXDzSifyw==,iv:Fm+OjJSMDIpo1WlZwp823fCFaUmt/nHwerJJz/pkqBM=,tag:uH7SANehsi1iVtZHZ+4zuQ==,type:str]",
+						"ENC[AES256_GCM,data:Zc3CwnBGwraX5LQFvjBJ2e4lS8R8wQ==,iv:6HO4mHaDAK1aNSCqKq6fVv1txPsQJHaXxeZXcqLNu+Y=,tag:meUt7qh+c1p0oUNQYmEqIw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:1NdgzDEuJQ==,iv:Bkjzsjn27ctZGi7293V8fC+5bSvTVPKeE7wqASWb8ZE=,tag:7qGKjqAYrk86UCzb18ohdw==,type:str]",
-			"type": "ENC[AES256_GCM,data:Q8uAaeHTPdg3MHTNajM8gEpqXDWQV2JumESs,iv:3PIwHnKXxJZx1KPtp3Lsq3rQEbUW1NgWm1DOE6jUsyI=,tag:GHrjaXhVphy3UaF7ncC27Q==,type:str]",
-			"name": "ENC[AES256_GCM,data:rAuw5JsWlHFXdKDVPrTi,iv:FCrE0oRvZnYSqzgoUgnJiUk3EW5CQ06bZFT+bQwYLiw=,tag:Sj1NPQ+Z+iEps5z0udt+gg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:O+WrzqsIlmqUwqtaiWr07i159bXf/2o9T/ymZM2g1KPu36kJKNMbx+sbyJ/clXcv0g==,iv:kqA3/plHyBPriW9IfVWUB6ddkxGy013JxqQo2JUrEyA=,tag:o+1UlDR2nJEsnuuLVD+LjQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:/mn5ToyKHA==,iv:/sC2NLlf/+5k30gDJZlbNLk9nTWR8NyzFykob73R2F8=,tag:o1j7hF32IU4fuDWOGxnfVQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:PANLCvFRqV3H7qOKskvEBA4v5RmY4Ms/La55,iv:m+kIDPqhmFKOtHyPrwFsnBwodbViuOw0rk5rVEURaCM=,tag:mBFbnygHwKT+ziMTg1/mrA==,type:str]",
+			"name": "ENC[AES256_GCM,data:K8W9/ZN9nITCzI+3D/4V,iv:Istyu9Xu1ydMph5uK7mGTld8P9MalrHnG4mlyCS21Yk=,tag:6+V1OA2Gttq93RFGMGD06A==,type:str]",
+			"provider": "ENC[AES256_GCM,data:VqdIgkRvwHvRl6D4JP7SQ+7G13O1ZWRk7zD3XCvANyb3XvL50kOy45oV+AzFVl9Kiw==,iv:UlxOYE54F8Lk7sgYuOT/e2Wp7BOGB7wDrKX9AsjQLnU=,tag:iZswwykjP3PXox6IpNsksA==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:p2DaRw==,iv:0G0UZ7yOCoFoLd1I70NJj/Ramb+IQ6WUBtk6RNr0x+c=,tag:A/RJ4uzSJD94cGnNStZOpg==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:aA==,iv:L/SG+fEXvWO0JyAMdkDXsCRM/EHtFGDRDHcdQy3o598=,tag:kzOrjzHqAjBC0Sb4SgsvGw==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:/S9j9Q==,iv:vTp9q8uZ91DC9m9dITHMQu98Mf57d7hHa4E1WtVYEGk=,tag:CGAGvVlkfsTfTNjBXvS6IQ==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:UQ==,iv:wyri+PUGrxL8VMUJeVZYEnBXKSfx2jfmU7kFE/9911Q=,tag:0tj8M0vPNJP7NUe+4ciXEw==,type:float]",
 					"attributes": {
-						"canonical_id": "ENC[AES256_GCM,data:OpAfm7LyXxTl8LpwbT7yb0HbHDAiXxe4N5ODlyzocmWD8/EA,iv:R9ccPdadeCPdjziSNS/CrG/BCyJ8WdRlBtRRINthNwo=,tag:+tEy8WIOceFRVosd+ENz5A==,type:str]",
+						"canonical_id": "ENC[AES256_GCM,data:IHVPVzcMeHsF8kOhGfL9qZh7vBs6YiKmrLSwUtPsRFIgQ2+S,iv:LBbc3elqeavEswpT7yj/jJICufXbGMAQSTGIr3A9bhg=,tag:wuL5fCeqqMwSkntznGTlCQ==,type:str]",
 						"custom_metadata": {},
-						"id": "ENC[AES256_GCM,data:q8NqBYv8xvU6JsIwcOWTDytPK84j+3KoeQhT4C/vZUUYmQfZ,iv:qAkHEEVIn7Xgzczki+TSaFdYS3dC/kazyPv21iSD4mw=,tag:FzIzfYrAi4lh8sZ5I/AtbA==,type:str]",
-						"mount_accessor": "ENC[AES256_GCM,data:RRrfE+OulsW7sjyDfkN+0tkg,iv:U13qSZY0TUewj8ne8A/REyYzGfXtUWGv000218s5oQE=,tag:1BNXIqqlSGc+BJ3PwjH5eg==,type:str]",
-						"name": "ENC[AES256_GCM,data:NNiGE/oB272p+zx+f3/lpEbltE25,iv:8JGHQ1DWa/plXdaW6kXHT1GMrWaIB9rkaka2IFIeQk8=,tag:IPNoCUfH6TWC9MJwNhaTAQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:OhZ3eNHuMAp90qtmGQ+Ry+5d8qEspDRtB9yqeNuKToel3X1X,iv:mY1Cc+YzmEyS94zXSlS2/fg8GbJTP/0J/yL0MWFpWX4=,tag:2d6NZn2vH8K1l3wbwZOJxw==,type:str]",
+						"mount_accessor": "ENC[AES256_GCM,data:dceVYlinwx0C2YyUDihFDP0d,iv:oAhJV3JRxUb8yNYxi1vxsulY/3jKJF38Med/42/8LKE=,tag:LTvXpRiSFcJfv7ID3q/6pw==,type:str]",
+						"name": "ENC[AES256_GCM,data:eTShFDTfa4mPsCDaXPNu1gXDW2s0,iv:v9y6/TP19gB6l1c9L9vfmXq/zCIwn7/sirROSRrw4dY=,tag:QsNqeMNcSyG4fMHK6/+nJw==,type:str]",
 						"namespace": null
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Yw==,iv:fcGTiy3PtPbO3jXrQhjxCSfFwK3Y0kU8ymR2OXHyPp8=,tag:N1YT084infIhRIAZ7p2Nlg==,type:float]",
-					"private": "ENC[AES256_GCM,data:FCONTPGubrHqhxzztzyBBrqJMhZhSzijVz9HfGbwADU=,iv:hC9rOyUXP04/LSuOHS7Th3m4DWuXMojzTNh4icue4g4=,tag:3cXz2KyWL/0kh90ndcTvVA==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:BA==,iv:XoE5UuO4Ijleup2xrVRUddekiH3+aUFcrzruWXKS6mE=,tag:1PJkq64sbPOYlFybgxU4+Q==,type:float]",
+					"private": "ENC[AES256_GCM,data:I5RJdGuDPNhHg8+EO2Vf7t6WSMvDJLb2OCqEVUSMRdw=,iv:pGsDLjAxLXtQj7Sk5zgXjuybdMngkNid5WZvWAsWJlk=,tag:nfYhCjLwe7//2P0gyJHBDA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:c47JufdqS+Zp1iPv6tLklkox6SN7yjq9ax6UcHJtR+8=,iv:VZFyuvnLJEDMQDJh/7HMgjwsb6gEsmj1L3luXnsjU/E=,tag:s5PHg+evwQKO+8iHu4rM/A==,type:str]",
-						"ENC[AES256_GCM,data:ZSjy0AR1DOPOyVEwk9X2WPija72ApYhFwI11sL0=,iv:u7Qvhfl5ECy8NfFCwzgMiFAbQP512WFdRbXEzAAAouI=,tag:ETClCtboE4C98LEHTm2ulA==,type:str]",
-						"ENC[AES256_GCM,data:9swww8SFX5szL9vOzOVDclLw,iv:fK40fHKmQuU+61uv0H463q6yx8Y4PDNZ/HuUlTVXbIc=,tag:jp6m33hwab4L5BA8BUFnPA==,type:str]",
-						"ENC[AES256_GCM,data:8k7uvfWiJBRW47Whaw7OT4m95z/7s91y/5A=,iv:LxKJtKYS9k59HR3KhX0oB7GVcLNdGWXmrOpButhYsUY=,tag:CLUqibDI7CTtGSMbYFHCGg==,type:str]",
-						"ENC[AES256_GCM,data:7qahLRZywi6Zhk1XgofQOnkwnB4lQVdhoh1FXZBL9yf3o6nZnw==,iv:9rdwK4YaKJ3VPQ6K644Xc0Dfaw43+XqVxsVRJcTf12Y=,tag:R5qbO8iJEaiVv7JL0+0ulw==,type:str]",
-						"ENC[AES256_GCM,data:DlVDwes7qIopsXj2lp9JKrKGEQl2edJfW7j7,iv:7KCHQ1twElO+me56IpmEcVRjw3abpYOKqleZy3ginJA=,tag:C7+S2A0oH3AUlCXtM4DQMQ==,type:str]",
-						"ENC[AES256_GCM,data:tm8J4IwuY2atfBRm9aTP2jDWaFsyYy1xJ4SotA==,iv:/dggkGqbT0V/pnPePBe+P7geQz3sg1W2jB/7S5AU/TY=,tag:++EjiKhWieyl56lWWoevxA==,type:str]",
-						"ENC[AES256_GCM,data:FdelFSFvI4PXbc73V5QxPvTdsoXaNA==,iv:CUluG+e6GAFl3aN2WtKC5M81K0uvlu4Oh6FqiHNIv6k=,tag:VBHGLDrDnFKBTH5bhDGelw==,type:str]"
+						"ENC[AES256_GCM,data:01fIxRGsyEIts1uEHt1tJI5kk6/pu6rLXeA3UMGuqwQ=,iv:x4X7JsnjeQimFsKH3gjVo4+C4QQeTN1TSQKfeR7RI7I=,tag:jnRzyVdiVwAD6c0QzfkLig==,type:str]",
+						"ENC[AES256_GCM,data:alg5VEeko7JDB2oduoId1vlmFXu3zCq+10iNktA=,iv:C6erU17VgHU/mx6KBGCuR4SvSvBZAIkxkb/0ucQWwxE=,tag:N8teTdOdJbuQwguW4NkYoQ==,type:str]",
+						"ENC[AES256_GCM,data:P6vOSzVAP/4p8ef30nTyWL1h,iv:DSJeuaqzv2+1JX2PHlosM2LbP4UQ5nMFep2m486KEiA=,tag:wipkyu9I07f8KKftI1UobQ==,type:str]",
+						"ENC[AES256_GCM,data:zYKx+yKaoD7BmuUZie55GD32Q8NkPUffNhE=,iv:hV3KnzvjhQETZNZriDZj7ErHsQWTQv8cNRtDVCokBqI=,tag:aB6N44+SFYPzALWIcARg3w==,type:str]",
+						"ENC[AES256_GCM,data:/KvgERLUilk1uA2mDavc1asCRt9Xlt448xdB/Arh4bMshj2KDA==,iv:D+yFELb84Z3vWAovGjSTeh2QKiR4JsVPO9XLyXLPBds=,tag:QMMnY+KL1yuwA4lfm55szg==,type:str]",
+						"ENC[AES256_GCM,data:w0pP0c/mdkb0Td1qcZwPQBSIaDBN222ImKUE,iv:DVS5sE5XZBkGeUY6Zl9ze9dXKWyeK+7X9Gkl+QxPD8A=,tag:l1heGZYFVaM8ij63s2Z1Rg==,type:str]",
+						"ENC[AES256_GCM,data:PaGXVxbaRF07TZNY+b46ZkFhsKQMi0oXMfXCcg==,iv:/vk+H2HVKg8c8QFqMFyCGX6EIx8V2LfvZ6XmAs4yvEs=,tag:e6tiUSrWv0kiUCgmMAImXw==,type:str]",
+						"ENC[AES256_GCM,data:OdN6XOI8jeYbMSJQ2mzNPV2S4zAgcQ==,iv:AWuxt7YDEBtPSrabsZcnXmpGkS8waIeIMqs0k4A6u+Y=,tag:Mxfsqnnkv7/0A5zrrjElsw==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:tOtW8NnW/A4=,iv:PKO9QShZBGwc/S/1dRLThdfyCqg2pDSSFNZ13WBUSw0=,tag:GVaDXRJcl6IBOV2GWXlpRw==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:Ww==,iv:VfsuzAQxxCZqTOwrrvjHiYG4rlBklhixvjjv8O9fRz0=,tag:xaloQWNEoNJ6nyD8ohsXxA==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:9CPlXZJjHmM=,iv:O+AIZmwCn8X2Gprj8+IsIpFH7n5qSSXOXZ/6hvSwxI4=,tag:xXDxImuhSyEeYvtwPi2mrg==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:rw==,iv:1O13X6wXsnHO2yOvxev+1jwPoSvrhNoZ+WQOqHljFVg=,tag:QwbhllEY+C+8tK5HtIg9LQ==,type:float]",
 					"attributes": {
-						"canonical_id": "ENC[AES256_GCM,data:PZRxSxf2VvheM+bNL+aon2qIYFkJ4tO1Nx8IjYTuCkJp2f0d,iv:BIdWCKAwIVb6qwKnttzIjLHOGTerUvCMNnHmRQgQIuM=,tag:MFuhYPm2nBq5NDuUo5EARA==,type:str]",
+						"canonical_id": "ENC[AES256_GCM,data:kLnoOCVMsb8Zcgp6eYeDNLDiKCL7ezaoDMJza+Bde72aGpKT,iv:C2EPHbN5/mMpMicGZkO+advp2Zsjp4LhoJMjgm2vv8E=,tag:nYtgIF7PDp4SwGhrWeZcpQ==,type:str]",
 						"custom_metadata": {},
-						"id": "ENC[AES256_GCM,data:3mSiHeRgiaW6CMmy3s/3ejBNLmMisR2nIJ+YtM1E1+lkLX6b,iv:GQ4+ESe0mbdHISw5rjbofZ1+ik4B6eS1cJm8ZTA4LVg=,tag:3+0nnDHEe5qXzuL9sRc3Tg==,type:str]",
-						"mount_accessor": "ENC[AES256_GCM,data:I+1qSWc9q/kxB+6+ajkFv6OL,iv:XDP0OesVPdsSZk8tWQmrJgIPY20tkhe8zpUcSl8PyE0=,tag:+qbgvBq7CVJYDd3veh0uNA==,type:str]",
-						"name": "ENC[AES256_GCM,data:Io9xkYeTUTjS55wkPo2M7T10,iv:69SBbJ3isjTigPDW3aNvngicYuBuf0cj5KcrS+4+5j8=,tag:WW4F3sS0b0nnMbLUOePSZQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:FqLT85Z799LFVtWUIkMZ1GCGN2nJS42LWpgrwaY9DO5l0RfG,iv:KCyk2kjF7CSgKCVN31e8LbPTkZbEXF/5aIyaivnvHm8=,tag:fJOJyaNUEtazCUSmeoD+PA==,type:str]",
+						"mount_accessor": "ENC[AES256_GCM,data:JoY9AXbhMTgypKua7juCulXL,iv:xFs+PCuoNQfRvE1+GM/mPxruwpGM2sOMLHGoMi28PD4=,tag:N2HSH+DIGu64e5Mm0wrhqg==,type:str]",
+						"name": "ENC[AES256_GCM,data:dT/xSmI7zUWqgxUtFrg6ZZpT,iv:uVyCBQNP1ytl7Oona3jl70y8u4dhKRrPn++hYRvGlEE=,tag:NkUkjBTb0rhmW/FM6qzD9g==,type:str]",
 						"namespace": null
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:4w==,iv:Z513jR+lvqnSOZVvJfGY12cWmEz3/4GnJneNl3YaF3Q=,tag:q/oZNVXNuH04EcB9S4/hWg==,type:float]",
-					"private": "ENC[AES256_GCM,data:PxeVpbJqCc4=,iv:ROETDPB3tjLBWCp/84+OQq2qjfCYeE7HaEckPFTFvog=,tag:BHGtPS6Wgzpllw+FqT9dGg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:oQ==,iv:46MUQ+21HjNNuQf2UuOcwASzPjYr9I2Ekeb7cxZDvGY=,tag:vWyiwjlJePP6Q0vY5r3azw==,type:float]",
+					"private": "ENC[AES256_GCM,data:l3veREiUl0k=,iv:rjKumZBYFTLvuz7x2WJ5Fmnx4oX4xXZN3sq9NjTuNII=,tag:D2B7UEt4us0Pbtl6R7yoyQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:j3926jlOiV48VlympVvJkJg1Uq5YzViVwkrtXMjIAAQ=,iv:7YqQ1Y3eq2EF7aLR1ubkUPNe+PA90k9gZTGDCS8VN7M=,tag:BrxSwMzixRVYBu/ZE5UtVQ==,type:str]",
-						"ENC[AES256_GCM,data:oZ9DbNY63fktfmGKk2uBIwVALno8s0pSS5Va0vM=,iv:DZrF5/IkUPz1jrRJv7Q4dtIbSO3EUD2it11kLCAZr7w=,tag:b8+c4KRFpr9q8sPhfT/g4w==,type:str]",
-						"ENC[AES256_GCM,data:Ri5tegr1PHykrAg8+x/B0aB0,iv:4rKtCzvyvjk8bLpxC8Y7iwySsQb60e4zzZTdbYYy0gw=,tag:1Jxz5GNt7HO/49Ol3PxrpA==,type:str]",
-						"ENC[AES256_GCM,data:oNSOwaZlKaWn4bbCA9+Xz+NGPt8nSGurrl0=,iv:KUJCXHtSg/QF+X40JrWLTnWo4DbvKj6GxGIFTRsfhiU=,tag:YPzXnstdgFmGvcNY62sLMA==,type:str]",
-						"ENC[AES256_GCM,data:Oz5BLa5tgyQnQWbrIz3KCfPdI9orhnVgyVxbiBr++e7n1++PvA==,iv:I4rlvOgHCTlj/+wOPPfp6JzJ6dnl3bpE6MJrBBnoECM=,tag:T7raqXiK0xXX5av1HgCHHQ==,type:str]",
-						"ENC[AES256_GCM,data:K9VoKv618L6ehvloymu/Fer05dZ8cSoy7RZB,iv:znGbyKxCeTMqL6WFs6kY6CwdbRPRxQdCBFMttcsTf94=,tag:K2k6oJPtv/qtiomGxIPO6w==,type:str]",
-						"ENC[AES256_GCM,data:y8x31fw2MnJ5z2/MTRYwd6IdySRYsr1+wbc1xg==,iv:QppmFcJNepjhG9xLOL4QkOc6XIJh1TEC52RaEu9Bkp8=,tag:Tx5vTzcMSKBM+f8aJdaJsw==,type:str]",
-						"ENC[AES256_GCM,data:7XKT5Brk701xx+XqP/SpZNLNSFbEqA==,iv:MXsYU7Q4drYGUwua3cppZL6vHcHIN9+1Q+UqYmDKYYQ=,tag:TxCZUgLQvCEA9zM4v49S4Q==,type:str]"
+						"ENC[AES256_GCM,data:XVB/vbGVAqfIXc1FeFamhH5/CI7SlIAtQ2G6fGGwECA=,iv:Gz3fCZvfOmqMu2910oj5m/9ueilrbG/efrFij66sMnU=,tag:BCmFI1ev/sNgzaJ/knumJw==,type:str]",
+						"ENC[AES256_GCM,data:P21tozTo8U57K5Iz0O76ID+hVyS6gZiyAWwOevE=,iv:gIpYoI+VmDcl4z8iZJdkHcXV70VEN8VJGNtonlGSAgI=,tag:fbIauUpRVcOPJO9QwrWbXA==,type:str]",
+						"ENC[AES256_GCM,data:LkBQd47PMejfiCzZZbY+XDr7,iv:/P5ZSHLiHD03LxyypigpwnuFk9jdctyWpenJ6P0r1yk=,tag:jRk8DO7zilYEBzYGg2nXLg==,type:str]",
+						"ENC[AES256_GCM,data:JSOLnSfDJVEEW/uqcY89cqCrw5uwKpu/qhs=,iv:OggcpMNny/uIDgCdl3ggtBFezWTyyispigR/zGUNipk=,tag:D6TwCWflEkSmbKC3cImf1Q==,type:str]",
+						"ENC[AES256_GCM,data:34Ex2v0dK2B002psUz7MTK819LFgcoJFh8ftgzRrAol9blU0wA==,iv:8MO/o+R7R6wqPfKWX1Lcd6mAxskfn/9D1fTbLpn2+bM=,tag:pyYG+2eYY4MLx/TYuSDF4w==,type:str]",
+						"ENC[AES256_GCM,data:/gw7gO5up+250F06yD5ukuA1BmP0TP2FICzm,iv:L9iejSNxA6NgJVmuzaxg6hXQfsodiVrXXt+iA6k53eQ=,tag:Tm1KpDHWHfBg6ITRLEhmiw==,type:str]",
+						"ENC[AES256_GCM,data:C1YDrcZ+ejWDKAi9v8GOmulRKNbNaj5zE9h06g==,iv:8JmDaSxV7ArC3sHMQ0Z4e2saF9tko6evp/kJGqLqow4=,tag:FroW1AN18AHACkVouOEcMw==,type:str]",
+						"ENC[AES256_GCM,data:J8EzcC4GL8c20at2VZRwjq7cH4BJ8Q==,iv:4mS1T7Rss9+KgdgJemxvT8BFgbCF2cedHpcZIcri5/I=,tag:ms8UFlfXR5ANO58aklK8qg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:6EDp532m8A==,iv:fy80BxvEkbRDnLLjRANxmVNND3jpei6RikndVILlKQA=,tag:XUhlJywDFcDqfKgRjpRuOQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:dGFn50KLOsenaez6BIxEUOpqVeE=,iv:m1A6mMlvhWo1xHVljf1lZbayHOkYbS9A9f4jml7H1ZI=,tag:82PAWsU6jqhoZT/MQAFfmg==,type:str]",
-			"name": "ENC[AES256_GCM,data:KTG+fDUC,iv:tcfJMgbvXcNIBG6lrZUr2hsffmm1yvIYn5DACt++Egg=,tag:ABdTtaJe3Xz57hqv4ENIYQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:oTQAl/7ruy0WY1adB8F4j/y7xOZsl1yuR3lWr4tSS9kPjxGfsiJOjyXY6HdSkdgfrw==,iv:mbF2xHizBfIH40Iz0ktkUrfYN4C5qwkNT1uPAdIfies=,tag:+QsCfCQCSDw3nnWb8dx/Xw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:hr+lkBOohg==,iv:mcv+wlEVULTTf/lhIxgjDopd2sAtCPN6sr7p7etcjY0=,tag:zlUGclkq09vwSHPSF0Wu6Q==,type:str]",
+			"type": "ENC[AES256_GCM,data:8CG51oKZ7dRW+Fuo/47+BxKMfgA=,iv:peddkK/AQD4WgDN5rm1Pyz36XGowfymeY3o4uPtJ8bA=,tag:qNCZ15aCYy0dEPbW/DtIuw==,type:str]",
+			"name": "ENC[AES256_GCM,data:4+bT1ggJ,iv:bTO2puDGI4woNxeOXu7L1jyBM5ZZLrdHVG2fZE8yhfQ=,tag:5mRHj2IPo7moimCQLyZdkw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:wKirg0QKs9CfVAQbjHACsIOReYfxTNiRPda/ZF7QJuCkbbnDYpwgEqzzlu6Qa9rUOw==,iv:LlG5HjmCP3piPUPJPqrHMDBcn/7DzTuVOha9y9fH2pA=,tag:B6Rps9Q7jhdcCnEdGKc8Tw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:aQ==,iv:Ska8TltZZl8wo4F/8wYcyidjLXnvNP+5FhsDc8T1AB0=,tag:KzjtcE/9ho7TBa0LAqhUTA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:qg==,iv:urq+ifyHWDi8m2ESpqdQ+mkbQ5G3VtmHYg36dZTbai4=,tag:sMvwjGoqEzqOjqQxMWb53w==,type:float]",
 					"attributes": {
-						"external_member_entity_ids": "ENC[AES256_GCM,data:HDbsbb0=,iv:J2kiL7KExVmg33+f5U6vxwKfHBv9PDbc3Q9JZf/TeQU=,tag:WJq2zPn4nO2vDpQnM4obLQ==,type:bool]",
-						"external_member_group_ids": "ENC[AES256_GCM,data:erv4J+s=,iv:vczqHbOg5nH6LznBp8+9GjGWpef4HKEkvidNN6GPZLM=,tag:fBo5Q11aTke9tycDiVohtg==,type:bool]",
-						"external_policies": "ENC[AES256_GCM,data:djY8kMc=,iv:6649GEk/vdAY8HzNL4EXG5T6Ccw99KbYddQYqbs6f5A=,tag:LPASvob/w30ycx/QjiCKSg==,type:bool]",
-						"id": "ENC[AES256_GCM,data:z8SXcOHLPpGWc101HZq30aprz/GxfuwR5ITTHlFxZPA6sUqe,iv:7ViffAlpNgA+JVLoWkn7sccAJBTE3EdpkcoFrxnccB8=,tag:TsodsXoMvUwOuDPHaRnajg==,type:str]",
+						"external_member_entity_ids": "ENC[AES256_GCM,data:8yVbrsk=,iv:/RSnygQ552LLobyzF8s2nwLSQR2DiHZ0zkT6Vff/xEc=,tag:OQZv+fxS6g3K/SGWt2ZYVA==,type:bool]",
+						"external_member_group_ids": "ENC[AES256_GCM,data:f4qyHCc=,iv:G418K3zvhK2k81cshCOfZeXX8ETDtsL6EEd5uhLS5nA=,tag:huGEVUJNLR5okq2BEgD1Ag==,type:bool]",
+						"external_policies": "ENC[AES256_GCM,data:UO8j5jA=,iv:BRrGRupiGVo4OhBAlhg5QyIZKz/X11dbtpdEDoFQcVs=,tag:rErQPCCk2pbN8eSj1hmC7Q==,type:bool]",
+						"id": "ENC[AES256_GCM,data:K2cH9f3btuuHDtFZEx6LdM9tJkSaW8G4lNpxD0Xr231iEHbi,iv:DysITc/RsX9xjG9Pc+bRVFahBAk7kfG/dpBKDx4kjf0=,tag:9yWHEMz37RDMyYQXBqmFHg==,type:str]",
 						"member_entity_ids": [
-							"ENC[AES256_GCM,data:6mysV4szUVLVdifkFDuRCprCUqklbSBwMsvoapI9XrfsxrDJ,iv:CuhZb3fEYQsnBVSCRxgwP10HZ1pgmJtydB/cgU0Nxwk=,tag:n3C0eVc3aP/rDUULwE+CYw==,type:str]"
+							"ENC[AES256_GCM,data:3Ejh8/2g4e4z/j2Yge63IOvNNuAZyLSFeiRJTqPK66WReyyM,iv:pV8TxxZt845anKrDapnoESZL8w3uu0/XaWfvvmUs5Fk=,tag:W6syMaED2mZAtMZS7N985g==,type:str]"
 						],
 						"member_group_ids": [],
 						"metadata": {},
-						"name": "ENC[AES256_GCM,data:c1Ai53pxcyg2kF9nd2dDnA==,iv:Qm84cpW75jFaHeRytvlx5nNFo9+Ez8cAsxuQsf8edMQ=,tag:i9jQMgaVwUReLS7cAF7URA==,type:str]",
+						"name": "ENC[AES256_GCM,data:Qx5c2dlN8KJFqGsrIEhIUw==,iv:DMfa7X9WBSOxthVDGElXxCkGjzzkGkdRBg2DxSHQO00=,tag:d0VhnueFpfzTDaaT6lA8uA==,type:str]",
 						"namespace": null,
 						"policies": [
-							"ENC[AES256_GCM,data:9XA54hwg/F11LA==,iv:5XCcw/2ifCA6IAVwqxFMTQsvUM1WTbAAgnEIzshqPmk=,tag:PJAnIUic5C1PpIpdoTViKA==,type:str]",
-							"ENC[AES256_GCM,data:wIp795phfmkFOjs=,iv:/Z91yy4gQAPyNocVpvN+SGBHqHsYIyG/+a6CBRNIpaA=,tag:GSBDt8YEl6rkMBlcL+wJnw==,type:str]"
+							"ENC[AES256_GCM,data:lOArN4phZKY5Yw==,iv:PWIW/XVqtwqI6ZJxvgQTAmlfOEtvov1Ew5cC1qPG+JA=,tag:/o2kedtyvoFGk3My5mhGzQ==,type:str]",
+							"ENC[AES256_GCM,data:XZ4rDDeQn4/uQjU=,iv:M1gdA/rdBYD2E23r04MlJXI3AvwGeRewildZ8PakWd4=,tag:J9gukgEGkjTFp7eZ987G4g==,type:str]"
 						],
-						"type": "ENC[AES256_GCM,data:fLUtJAjZiT8=,iv:RTvsToh99CR0pOSAGxRlf4dFHX6y6MkVrMUUeRZtSAM=,tag:b+M8vAUvivLsSv5gdtMP8Q==,type:str]"
+						"type": "ENC[AES256_GCM,data:HWTt0imddsQ=,iv:Hqmi7/OP6K1c+AhRAnp7UjrgBgnbwdX8O5xs1NbtLs4=,tag:OUSz0OqcLmdDuLtKo5pskw==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Tw==,iv:cJlLjRfJkHNzByVz84F1l770dB9wWH/jMVl0xCmly3Q=,tag:xqft3H3kj76iO2sKnOpdlg==,type:float]",
-					"private": "ENC[AES256_GCM,data:209k1npbCmUiB3VWO+pgdNDDQfMXD8jhopNqoslZMHM=,iv:bW8+Ch9MgNL64fjBFLmiJdZ6rzW0ol9PD3A8Bp/o+u0=,tag:fq9yTr+B5/SlsY3P82wdcg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:PA==,iv:6ccuci4Xy+4y49tF6a+Jy5TpH9oibvEP3YIQXE+LdEU=,tag:MP42UtqkfBBhQqKYYEdxOA==,type:float]",
+					"private": "ENC[AES256_GCM,data:ctroFCXQx9hdqqjrL+IBAIzVlev9fRXPmFtzhTmN+9Q=,iv:Y0AhP037CrwSUjQS/0SxvlmRfrw/v05IYOhvFKTSghQ=,tag:UBQFTCxTw5RjSeNJ7RgwxA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:ayQ6j4Z2ZvngJIxe3Caz00wT,iv:mfeV7amAq+64U6GZCFbzcDd7e7NQVR3FTQ7L0lUumKk=,tag:wUQAwxzCbIzCpNYrAuR2kA==,type:str]",
-						"ENC[AES256_GCM,data:+cRnX2zz9e0YO0PB+rQhZ3sLS8ini2Y=,iv:e9HTqNuIcv7zBczSgQBQjuq368SUxGt1TQmtuT+DOJM=,tag:4tnV/eVXaD3aateLy0ECXg==,type:str]"
+						"ENC[AES256_GCM,data:kKdHwupo0X2cumX9vDXDt93E,iv:Fdp35bl2H0qWkdfArw5z7lv/OP2Olv8MiFsOUmSj7pA=,tag:rUTO1sjRLjXiQQ4AC8CIpA==,type:str]",
+						"ENC[AES256_GCM,data:16slRp4kBwE39Zftw12JknwmOoMO2gE=,iv:0dvVd0AhtF0ldTilJxqTV14CDWtPfvRFVEPnfaA61c0=,tag:cxX5YXdW5hPFVjC7WWEzgg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:H2rXuIhPqg==,iv:GZKiVD13TYK6flw3Z4lJIisltOzf45YOt3/RM/psHyU=,tag:QGxUgQxYCpW1bG87bo3f7A==,type:str]",
-			"type": "ENC[AES256_GCM,data:w6QXi3bVvKxJOhOFVpqBM7z2UEs=,iv:vWSeLmcbIN21HZ7JvOtpts03M6CpjhV4wmd9Vo9WGDU=,tag:LmGvRhKovZu7LzDRGNx3fw==,type:str]",
-			"name": "ENC[AES256_GCM,data:KcRIbZO9t0Va,iv:GlzBmnpUENshRCgLmkS19dT6/XYHEtXjDFEfJqmhF70=,tag:ioPa2E4OZsKV+GbS60qeWQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:uobNIRtOf2fQzHU25U8o74BMYSDLMBJnBa6nB/sHbf8v6p+vXKtcvr+qAky35ZHjuQ==,iv:HV+wUBi+W01hf0+uOK9NfQnqMzc+62/2pf8lRDpONP4=,tag:VYSXQoCw7to6tj5PwlTJHg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:QjgvWTTleg==,iv:RF9cYqQQB0DmbF2ajG4BLAE+4OWJ5U6okJqKngBB1BA=,tag:Lj4UoNro6HKLU2ouDwdWLQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:gDJK72TuFO2cJwwAtQjLYFtpuJ0=,iv:CivU9PiIM/skOuSsIONAoB5zUsELDdVsGqVZ3yjZpnQ=,tag:pIVqgtivy66HbDUvy4skHw==,type:str]",
+			"name": "ENC[AES256_GCM,data:MNOCZb/LXeQ/,iv:IiEANQLaBMkqEJ/prfyU3mPTNKpNkutm68GdVwM9wW4=,tag:J982jJAxRBmlVaZuZe+RDw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:XSZwiwS2ZtAkJ2UA5ddqqk4fwdQTAEgzAfVL2knh4vTE7W5M9+AdE4xT9BoXU5jemQ==,iv:Vmzh+krypaVPwc1jPDB72PGrMX4VGdFd3lMv8VUjxSc=,tag:Gz3l9ab01o/EiqUShV0qHg==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:w3xqNQ==,iv://e+1vDqTdB/SXlYbukLJ35nQxNq9SG4fVMWTdpvsCo=,tag:cNADt11/lzDmWu29U28ufw==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:5Q==,iv:i+DsM+FppM+qf7ksDT207DiBTDQhmTYsPsbQNqGhbrk=,tag:K5xgdTLO25QQnHJ/tVQ1Tg==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:8AOG4A==,iv:acKFxNJmDy3zutETy1DD/b3M5nQsJp937aq2PTL7iCo=,tag:475+gujqVJUqyxiSonUS2w==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:eQ==,iv:E0AamG2Aysgk/cQC2fd/qXe9xAz2kegtEzuOsiv/boI=,tag:sUEMyPPqt5pK1yMZVBltHg==,type:float]",
 					"attributes": {
 						"external_member_entity_ids": null,
 						"external_member_group_ids": null,
 						"external_policies": null,
-						"id": "ENC[AES256_GCM,data:RucAyOYWTY6BQwR0NOZ2a+KMZ9fb8A8wAXoAok1lKYIzJ4wk,iv:Zgleuo/10/o3Ie6D9sMYpdaqIIfwrjFZGQenC8PSDcQ=,tag:jDgl7bILcBMJWYH9GgBZtg==,type:str]",
+						"id": "ENC[AES256_GCM,data:x27Rj1eIjygehUcCldDvkPlLgN55Ei+xKZlbVUFtD3rijHP5,iv:6RB7TY8RBEPjQ+R4Q38wVXT07L6b/NGjmCsjBj+xRJ0=,tag:x+h3cdMqFaqqNUeguEPjRA==,type:str]",
 						"member_entity_ids": [],
 						"member_group_ids": [],
 						"metadata": {},
-						"name": "ENC[AES256_GCM,data:9fY29UqoGqIj,iv:5VtKlmzf1h+UesdBmq1ccVSf5H8NONhT3LxIDvIn5wc=,tag:5d5VXpPmUaEiLOWVIzdVlQ==,type:str]",
+						"name": "ENC[AES256_GCM,data:p+4ncVAa4msx,iv:uV3rV5/iVdbt7iRZCn0jNo9rdksloKUH16ntRNe3NOs=,tag:ZKprzOr1Ei3hcW90QbgpoA==,type:str]",
 						"namespace": null,
 						"policies": [
-							"ENC[AES256_GCM,data:gd+SG+h2LlbUF/ayBcY=,iv:88VO7jtgadYzYqDwyHuadw8qkGNqHxUKX4fFU5/Ha/k=,tag:OX1CoigKPBWb1FGs9Xl7Ng==,type:str]"
+							"ENC[AES256_GCM,data:YPvzwt2hWIhFKGO5sy0=,iv:w+p1niMsZjB1xwzEFQGsHB2gwVawXuA6rmjpN2uwzXU=,tag:DL9YmJ4YiEU5HgDb6v66/w==,type:str]"
 						],
-						"type": "ENC[AES256_GCM,data:nn5mDSb0BXw=,iv:4zvULhvUyhS+GCDnFTOGpxP3MC4BVeLv7uYNxKc0Ghc=,tag:hpmZqKbtvL3sHXGad+rYmA==,type:str]"
+						"type": "ENC[AES256_GCM,data:MWwE6d9ipvg=,iv:hSwKtrI4puw3WvdC3cv7jxCDtzJhcL8cQhH8ek+qlAA=,tag:zQtV9NsRPb0nBCs547A9vg==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Mg==,iv:wJy0LsRHOO1DKFsPsdPYhagt9GsS5smwlv9E37sKF+k=,tag:4efN+yY4TrFnL5lzcS1UbQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:LSo8cPhbVg+B9ty1rt6fviKV03bJy3X9oxxS0C4EI1s=,iv:LuXVY0cAIB+mc3FNoPNknAtHflGhzWBSzoCKe2soRkg=,tag:u9PZ7Tvp+ZzrYLTdPZB4wQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:qA==,iv:oF33+yIEDNwSCXT39A74GYxsb76VBZd/fkpbyEHPGcY=,tag:nUSLyddPP5SuHru3T7EAzA==,type:float]",
+					"private": "ENC[AES256_GCM,data:ljyEw3VTzZrM8i4WXQfzPu4gMUO4P/7WA9hOjuj8c7I=,iv:l1zgoUu9IEHqAZsQKRUSGdz2X60JE0tgFm5SVOGlnhA=,tag:bs2T1F0cQstV4pYG+7Qg9A==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:JMQC1i5WDoAuwwjke/i8dJJ7pWaL80e2j4p9v2btpyA=,iv:2m8jAcT3fsCTMmhIB3sj9rcbN4x5p9p6HM7LehbyYxQ=,tag:pj3pIVBt/dp6y+QR3UJ9Ug==,type:str]",
-						"ENC[AES256_GCM,data:uv/YZ4q8eSB+YQay7c2JSgsy,iv:pv2tWA1QTxqFfFKrSYJptvwFXnYyg3pr3Xmpm03lwy8=,tag:Eu5NGdS7HSwUAxf1262AAg==,type:str]",
-						"ENC[AES256_GCM,data:rqoTgT51jV9x2e1oR+LGMLzchjlZE+KhDqE=,iv:iu4K5m1AF/AO15LAxMM2qyUfsgQd5Bvh5O/iw4nkn58=,tag:+KgUB06kQocg7K/0LkhfOw==,type:str]",
-						"ENC[AES256_GCM,data:kj3k5RPDzYbb1tOwhxS5URbdcBx6yA==,iv:AnxlLEl+44rLT3JX6eA/2Zv2qovwr2IE4Bm2SYrdq6Q=,tag:Vlo8Sj8kQQyVH4XMKkYxGA==,type:str]"
+						"ENC[AES256_GCM,data:IvJT2rl6LjwSVJFc1nYrOBEWEM8JKBFb3fzYgI1iNCQ=,iv:mW1IZ8eeoesw9jl6plZdn7+O0fcB+0liwflxbHjPnLk=,tag:mg+Dih/+f3d82/NIVLEyyw==,type:str]",
+						"ENC[AES256_GCM,data:eivwOcbm/fRxnPwwRGCTqFsl,iv:oehUGxM08JgP4uA9HNUdZzK/x5Y1f+BhfOp/cFQotok=,tag:IacT7CA9ufrZO7rVaBzL7A==,type:str]",
+						"ENC[AES256_GCM,data:z1uYVujMjhO88O7N6YL57sAGXX4hRtYtW1U=,iv:7rid7E+CZfY0AIGsdy2cv3MjojpHmPmz42eKzyuxgrk=,tag:D3UPFGiec0DP7vv3elg6IQ==,type:str]",
+						"ENC[AES256_GCM,data:DTe8KYKWh6UK7Hx3/TRpkr13FRstiw==,iv:PWUj5MuFvMLMqTmnMmULwVcCfrjKlcK7Bp0sMM18dLw=,tag:WJRfcbvQKimRr7BTEvxcrg==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:RpQ3NjiNh8s=,iv:uQ1s283eswh4Iznoy92u1DYQKhoMNx1chHxKMi0+BtU=,tag:lL0zC9O1Yh6mtk1mnrwf+w==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:zg==,iv:hN+0K2xAAc+1oCvOJ6cfLzItCSge/THlbhR4Ou7T5BQ=,tag:YyUyYqgQ/gfrDm7L4TgffA==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:3F0LD3roTW4=,iv:ukdsn7uOox3cUCFy10l/eUb6FPeQgh9GIkmaZMjPv2Y=,tag:FntLZcJtdW8FLK+xJh0Ybw==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:/Q==,iv:6btB98juBDWLJGLqvnHSrHgjrHL7lbVCbLFfbFEK/n4=,tag:K5NXpNJY4YyHgcla90x5pA==,type:float]",
 					"attributes": {
 						"external_member_entity_ids": null,
 						"external_member_group_ids": null,
 						"external_policies": null,
-						"id": "ENC[AES256_GCM,data:I/t9kdkPZ4T315imOtMPuiIcayWHQ1bS0CVNhmksoF4NKhGY,iv:eqxDUXY8MlzYsSVL7bLXv4uix1bGFKE/N8kQXd1bNJY=,tag:I0e+2BGEqIcyBDw0sFHGPQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:zYBIHbAsw+f8799rFvufno8mnruwvn4WmzD+LGkx+q25DV9x,iv:34cOKtoygYr3/Qi2pAyTvk2feBSbIydaYXhah9nvWDw=,tag:LLlDaIkgGQFlONsHUgiwTg==,type:str]",
 						"member_entity_ids": [
-							"ENC[AES256_GCM,data:eMyYUFgwHX7MCZ5p+zrPQziaVEWji6Q3iP4bbz+ZqD7hJBhd,iv:7W5ZoHRhH/00UxymizyiZzSDAUjda0fCX3iJYZhtC5Y=,tag:9uI0vjE2NvBhoUThQOhaIA==,type:str]"
+							"ENC[AES256_GCM,data:R5EhcfZtH6oPD7B878/zuAp4HbVOniF5j/6MHOY50/SKMKLN,iv:uRBzHxeJb2DSM04vWRLNWE1su/iUhsuOiupD4HSCovI=,tag:44iGHXQAIB2AE1Y33CoHJA==,type:str]"
 						],
 						"member_group_ids": [],
 						"metadata": {},
-						"name": "ENC[AES256_GCM,data:VSWde/0YTJ7Vz94Iuw==,iv:OIc1wdNND8KHt74nk/2TCaqxWRZ1F+sX17l2hJooxnM=,tag:dAXhhUdEFJUtzI7d9mphIA==,type:str]",
+						"name": "ENC[AES256_GCM,data:vV/RVipDdSBsTc1DeQ==,iv:afXL/44jpKgrzDOorGCEPFuAIjKUD3ScS/gvHaBtQkw=,tag:FW6yl44U64+Nvg36Di3uDQ==,type:str]",
 						"namespace": null,
 						"policies": [
-							"ENC[AES256_GCM,data:DE3BtcdvtSNn24knsXW05BHa,iv:I08CH0UQdrSW8ggrN9OZU55okL0c7EjRfHh/UTP7iMY=,tag:R7qa+TpeQe9WlXEu/jrY9Q==,type:str]"
+							"ENC[AES256_GCM,data:y91hhb3DlH/+0Ck1S0s8sZod,iv:q/i/eD+VbI1xLoGtt1YdG2ctCVMgySvb538WZBFVfoU=,tag:D+2OtDvqgIixpLw+kKydUQ==,type:str]"
 						],
-						"type": "ENC[AES256_GCM,data:YsqCINBe0hk=,iv:gQErcSYotVckkxw/p00vMowjS9gYSeVQO3ZvvhAVACs=,tag:eMAsRg6GalJ2YwiDcPcvYg==,type:str]"
+						"type": "ENC[AES256_GCM,data:8OaK+QUBBRI=,iv:mtgFvlUcuXn0QIGFf8lYLsUS9CRcQkEzwobfvsCtxS4=,tag:1dT5NzmoHCFobUFtAq+0Sg==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:qQ==,iv:Bwa2ek/7H+wuHxeeHInHIHjk2fWo7hHidHQxY5Hc2xA=,tag:4bMrFYYc/AGmzzE+7sbnnQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:ckA9b7AI47gd61A/aavD/S29zc1NJonKjlBAwtSOdpQ=,iv:a38EvwFiD7tE/pO1yHuvpYOxlG0AY9l+3Xf4J5DTt8A=,tag:iI5mLNOIF6Nkuu3q2+/gVg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:zA==,iv:6PkMrgkcfHrDGQtme2i0dzZOUw3X0/OZsXOKFndywLs=,tag:vhaxy78syKSgGvGgMvJf3Q==,type:float]",
+					"private": "ENC[AES256_GCM,data:txaEC9Zq2/a4WHuQT77Y/Bg3uyvnS5Bav/96YQXfWjM=,iv:Aa29pjRJddq6hJb+Z3Wjj9YOsO1zHO9DsVFuvoTxWRM=,tag:BNXjbR7rmvJYwKhRde3EoQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:BC9a3cDjD7KEwF+SGeu3eugMI76LIjTZrsSJuqyg2VY=,iv:fKlNnTud0UaQ/JjwBOaZ/r8LInU0KmbrOYuev2McB3o=,tag:0uvMwkfttUothY6soqXoHA==,type:str]",
-						"ENC[AES256_GCM,data:zYuTb2W2ThiVJYlSagpsgP/y,iv:5YSs+9En1Ku4f3aCyEbmXBvT0ok5iPn9XZPH99cIXPE=,tag:141kWMnaoTIN/JNFden+8A==,type:str]",
-						"ENC[AES256_GCM,data:kUheLQ83UuP1TL3ABxEIfjSXVjCzvD0Dric=,iv:SxETpgdPSjogyuTY+hehK4uVyKVsfazwbSujvm/+VbM=,tag:dFD8O5ZaaQhvQa9MibuKUg==,type:str]",
-						"ENC[AES256_GCM,data:OaaiPKsBi0pvvD5JuwcwuW7Dc/oNhA==,iv:yIMkTucUbaxsYxpByracKlZfrdw8HHFQmRS8Zyp8gOU=,tag:8+IAWITbi8Ui9PqIvULxxA==,type:str]"
+						"ENC[AES256_GCM,data:qFCcYckX5bKdg8kg9O5wnCUgP+FXegKOXLNoUmy+vPw=,iv:RrrTR1sGhgFMUavH2WYZZm93o+aiXBPyD9HsIpkSa1E=,tag:wRxA0H9HCZEWmVlHBufMBg==,type:str]",
+						"ENC[AES256_GCM,data:UpID4AJXeVpH44gT/PeuD3aP,iv:MyOdy9vShzmZo4wPvk44g6FyroevXxRGHkrRcP02kI4=,tag:YHy2vzuiorkI09hZf5Hsrg==,type:str]",
+						"ENC[AES256_GCM,data:PJ8CNX0o+NyTwnze6Muw0AtXxt6aYy0LJ6A=,iv:zhaIpdwM4CwPKu5R6y2d/nQzZJpHkj9l0LRZaa2H54s=,tag:ufNZzLRaSDYvoYTcGXtNgA==,type:str]",
+						"ENC[AES256_GCM,data:0/LSna0sQ2JS1r0T0z4q+MUsF8Lnhw==,iv:DkgoWsG4Q65+2thO1lAkpEcs3iT26+jH7mK5OpExLcI=,tag:LIzqcuB8MYt/zrIijVBrWA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:u6EjyMJjsw==,iv:HU+NEZ49vvguM8sSjs1sZl4CwnaFdhWYWekPhgHlDms=,tag:8qSC4ZWHj7Z8K1QIWr2XwA==,type:str]",
-			"type": "ENC[AES256_GCM,data:mx6nekdGBUlSBeGptisAzyeBwWs8nNj7KcQ=,iv:uVQ60xbPW1vzJqjm2GHtRv88+QWVngZ2e4/ZibQ2xEk=,tag:k/6mImJPGokrt+uCCOB3Aw==,type:str]",
-			"name": "ENC[AES256_GCM,data:s7VDEv7i,iv:tNP1pUtp7OCAkBkX6h04SPlcF7g2N57aXggg8qlL/pA=,tag://JSy1XwT9z5lSEkuaY8PQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:l9pvxSTNdxdbeLV0k2NW/Z0eimY4CxyV3qyiu45re+zgHIeaLmZwqOWWfAAylnlO4g==,iv:HteXV5Yjm75RRMrYqRb4XwWNj+iIhrfzcFWnLQjU7FE=,tag:H3GPc3MI/TUlp6s1O29uFw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:/m26sZdSNg==,iv:2x9hzk5JM89h9dE4nyWCP+YbrDhe7c+0ixnkZ2uVYxQ=,tag:Ot2NKUnmIm2cGobgHPJsRQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:q5RtbMlzHq3rE1wW6PhPSvUdyvkLTnKjyP4=,iv:hziTQTV+MdsiqP3CtV2dF1aWWZiwQsbp475TU9Fk6cM=,tag:QZZttRVHVyDuVW/kTMMEHQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:ZAbWyPUg,iv:NIk85rHx/hmo4rsY3opUVDp9wPj1S2r/QoT3FLU2HuE=,tag:DEty9US5B9TE99jf/FRQ1g==,type:str]",
+			"provider": "ENC[AES256_GCM,data:O9oI7mJbw4HlGtFyZesajtFFFG/2j/AzCNr8kDBDSarc2leasrAXoBlLyhHIzWyTeA==,iv:IO0bG0y4RjtFzaB5VxxjoKXgT/P6hKQy4fR588+qJLc=,tag:fwzB37n1KE0zjng4akB3hQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Sg==,iv:HbLgkyBYg9z6Xq9cvQSEOM2YOhjzlK7nxa2rO/Sv28g=,tag:vqHtRZOSNIqdlQIM8ISH6A==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:3w==,iv:nNiWxdcjF+45/CfzwTTPZ+SdBWxibtGi9BE3turU3F8=,tag:aSVU9N8p2U2EC3hWWkMQMQ==,type:float]",
 					"attributes": {
-						"canonical_id": "ENC[AES256_GCM,data:B8Ib53bwK7zxmqUaVBpxHkaiF6Mg5rx2zj7YsmUP8cah7K19,iv:y5O1wkKSwto9b8ZuJAf9POO51sq5+sMRVWgU1v8GKpU=,tag:ZhrBgu6+13H6F5nSYA+ucA==,type:str]",
-						"id": "ENC[AES256_GCM,data:ydpPqJ++8+nRbbUJSuaWeeLcJAVge8MEkNiith+HtrNRfUtR,iv:cZJNvwBUSrdbEheC6jfrx4i49Zbdn/88n0+J469ypVE=,tag:0I5Y1OHkAJas5gKCgjOSNQ==,type:str]",
-						"mount_accessor": "ENC[AES256_GCM,data:FhaA13XxzLF4Sjg0C4w/UdKL,iv:DAUflUOratdErjT21R0zfL+JRIgJD3xRkGGei7KPQmw=,tag:7ZEwSh/Rt4wP6liuklatSg==,type:str]",
-						"name": "ENC[AES256_GCM,data:3ohzcYbYMWm6mfdhrRNU7Q==,iv:XisD5rXBgwD9TVNADNV0TuG6OXVSObz8QyPrCwc3JQQ=,tag:auqcOF1TM/PcPctUDm4kKg==,type:str]",
+						"canonical_id": "ENC[AES256_GCM,data:U/I+g7iM/tdMc462oLUErMY6avlNv2FMPxD/uQlYGMgthYdU,iv:R3w+W6x0QY0aJQGjD53YNc4WsoZasZe57vhOnTHXB8c=,tag:LKz65w+GWnj2q+vLkGsnTA==,type:str]",
+						"id": "ENC[AES256_GCM,data:cL/ED+2LrMruy5RX1L0vTDEwfiPmKhR/sWVqWTCMHz/W30BZ,iv:fqrLB3OrehNWUjZdogEiBr7+EgAcz6nspuMZR/neD5k=,tag:zfwg639IlSd3dqd3tMYOUg==,type:str]",
+						"mount_accessor": "ENC[AES256_GCM,data:nkaRa6e2mvr4SFtlH3w2l+tA,iv:sQC534czVDFdjWPYD+8a5YS+xqH7RB75NgC5xSrsWLo=,tag:MC+iJtVYlLVxe5Jjxvizpw==,type:str]",
+						"name": "ENC[AES256_GCM,data:nGusLu48MJPbGgaY1E5zqg==,iv:jPPg+L64nlhiR6dqIm/1WabJO75BWPioPbw0KUSwBSQ=,tag:flyRrEyDbj4/sKkmCjpcCQ==,type:str]",
 						"namespace": null
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:/w==,iv:qPdu5O6hayMPyxQTZs0HgiCl9uSvGEAdl+oRwYD+KW0=,tag:RSDVcHtC/OG0ugzWRMvkBA==,type:float]",
-					"private": "ENC[AES256_GCM,data:iHne0fN1jgI=,iv:OdE+KlpjePg20Ip0xwrBZ3/h1aq1IEAwN++1OdW0fAU=,tag:cHpbIrwUpxW4w02ge+qybw==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:yQ==,iv:BRXOW4JmfxbXM+6it+oDrVMgwnx/KFzIPNjMDjFYvq4=,tag:vYsbYiGrLZ3Du6kpQi4egw==,type:float]",
+					"private": "ENC[AES256_GCM,data:wYoED0Y8KKA=,iv:PAHkspRUZSI+H1WR1jLqvdYE8UodUE+qdWb1sSr541c=,tag:Lae9wwUqndws3SeHi2Jzjg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:vdVMOXWi0L3N6VPrf4nGlXy/jJ65w6uQPsSvzLs=,iv:YtPObrck7X6hfGTEBrEC4sfmNb6lnBGTTvv+63xnx4o=,tag:+0/Ac2SPqesieysEL9cb4g==,type:str]",
-						"ENC[AES256_GCM,data:dKpEi0hGgzvFENtI3sux91IS,iv:SE0N7pdeWYNxPcWwU4yHtLx8CZ3P7G11gXCRDG4bxxE=,tag:wpy/2tszT/HH3SqDEqH0hw==,type:str]",
-						"ENC[AES256_GCM,data:zZgSg39MypEAi52oNbdZB25W1x7+IRmkY6s=,iv:FJAaX2z7LDTfiqYqHaIFBohz0zRIeTdxFI/LVfcq5AA=,tag:yfg6xHdR9lPgFu5feQw8yQ==,type:str]",
-						"ENC[AES256_GCM,data:Z15+EIVTZmuBeMQzPt0N46f099ZBfRAFhpul,iv:Ss40XRn2qAO+2VFdE3hvkyxGM/BQDRpY9hzHdgQdB2c=,tag:TjMyrOmDHk/DNfcynA7msA==,type:str]",
-						"ENC[AES256_GCM,data:7ocdlDWdSD8koZBHv5nLvdFpWFSJTefeGeeh,iv:n0B5dozq1coG6JfVlsrWFDtZ7vfrzpKH4m4KlOIknlQ=,tag:TFnm67daIbHVMCRd+Vu/HA==,type:str]",
-						"ENC[AES256_GCM,data:eyg0n2QHL+vHCXjhNnZQSZAU,iv:PHM8xMzCkuIxxHeIjn6JkZQPECEpuq/793SWRrfeT8A=,tag:harHiljz8/nACTWBXwYEkA==,type:str]",
-						"ENC[AES256_GCM,data:TCiicqxMUJCLs2ljaCguV+AsrI+XyGs=,iv:Khrr7Qtw6Z31yRmOZoY0a+yIEX8slEAzj1mRO454EZc=,tag:LTQgULeR0YWjw3k3op+N8g==,type:str]"
+						"ENC[AES256_GCM,data:iNbBfi8WXFe+irQ4z9nUvcuxUdRcXd4eSQkLnjQ=,iv:MRWf7/uYSGy6+sJn3U70vSpZH0VP0ikdKaO6gKJi1NU=,tag:rJd6w3X1j67tymCvdWT78A==,type:str]",
+						"ENC[AES256_GCM,data:+sj/GD/WLHReqm05MPOqTOe7,iv:wFhfE/D8YvjquCR3xlgMHfO1aQ1tgkOUfXUzY7AuZFI=,tag:aU3StHFG/GLtnrXVJwMB6w==,type:str]",
+						"ENC[AES256_GCM,data:Q3idAgv8wih2hd+X4dW38JhnfjOF3GF7F34=,iv:SZ1usYPZld46LNp7ZzFCZLFQmFOjbLvtUFWDKczd6mI=,tag:iRS4JwxTcW0lc9h1EVn6ew==,type:str]",
+						"ENC[AES256_GCM,data:oDHcgOi9SxC37/ZSEsu9FkbOOmTuqPTufbyw,iv:zEVBuSqdjE/S50la7CLco4LnNXSX6eXXsrIyxqwudW0=,tag:xa28OUvGQzazv3mABcpY5A==,type:str]",
+						"ENC[AES256_GCM,data:P/YxZd5ZZsRzSTkzhOlY3iOq1FwEBm4Yhg+l,iv:SUuCSrUwvjynno2uxNiBfzlh697EzDZDCieinR9svfM=,tag:AS6Zvu+7MYGVLysUHDQJZQ==,type:str]",
+						"ENC[AES256_GCM,data:LxZp/g8JoJQg1LGYoqeE+jAU,iv:x9FQsmaAs+1BX/NF6KzUcG5eXV6B+UcVOL0UNJOmCJM=,tag:ns1GnscR5ogPVLLRkh+3Mw==,type:str]",
+						"ENC[AES256_GCM,data:4UvkmmaiLacD9Lf9gzDljOjnusZ0yU8=,iv:g6xOL3ADEfVBJOCn5+vjUhNUgYZpRXzq2bWnW8bXyeE=,tag:NXKU1HJv8VnpurJGF1wcRw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:2rst+3sCqA==,iv:fXGdsCDrGpxBoyB9lgwgn25BBWTVXm2l04djiZhIxu8=,tag:WivHoxZh/Gr1n5a/fvSuCw==,type:str]",
-			"type": "ENC[AES256_GCM,data:5/+2eCO6oFCkLiVT0U3z+TNeKWUskUCqvb0=,iv:L5Y1Xe0Luaw2n9q2n+fV6hefdLM4vrBMSgKU4BBCbX0=,tag:j8Ix6UxcA0GkwBBEKvMJfQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:kOn+7ad3rVy2,iv:h9KqEbjuNYw2o0273y/YlceIksQX1EXhZrk/Qny4tDY=,tag:STMgrKhhc7pGXvIH/HFmhw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:6Fd5hMr3rdgAN1qb2jF9YrBg1QGE/9B0wUD4FgYzzzW4z6Ay0OoiOdbuCwyV5wlAcA==,iv:Rpcz3D7AUnI43H/lUJwy2haLQGDOKriu+6Dl9HEDSKA=,tag:825KDzcEk+ESa3UHuAVSaQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:94Idfid6Rg==,iv:t4RaX/F9s9aWOYVL9v5Od3IBQz2mV4StE5HemuzJUlw=,tag:CSIlNmNcrC24t1L7kLF8FA==,type:str]",
+			"type": "ENC[AES256_GCM,data:u7uDroe4h4u9lBQAlA4BlZnV7z8FuNdxSQo=,iv:Iz7GOKrgqpGD2ZQToFjLyDiubxOPe+1St9Wy1qm+kKw=,tag:5x473CKFByHVC5yv3eKGoQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:lAj+g8zktQHp,iv:SGlTw0OhwQtgsSmL9PFUx7QfCOPsmdY3/iH6HM1jmws=,tag:X+fitRDHjGyFIpb30H/Aog==,type:str]",
+			"provider": "ENC[AES256_GCM,data:KcHarg3RU2tTCVs/VI8smql9IIFWBQTEXrgDjwlZGlaoIGw69a/kgRr7gPZ0autg/w==,iv:plCssqk+jN/hnI5hI2RBejgeukIqFdFvZeXkxbCaPms=,tag:Evi65Pz/ToYwfQc8KJF9UQ==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:b52/jg==,iv:PXs6CsYExX+C/yWs0i8zNQt/U5CWHNW2t9iQDXEtCxQ=,tag:DEp2w4nn7KUNKA/kW+zfoA==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:RA==,iv:fLhG8vbodH/oQiV78U3qK/lbduIVEkgEHhND0AiINc8=,tag:J5w97CdQ12hV9Y4MtyQDLw==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:deDu6A==,iv:pFeAzyZoVWllQYksUu7g4Mw8iFc1nqWip0CKiIrtcT4=,tag:urdq4a7DB59qhjSYs9Wd7w==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:xA==,iv:77anpSzX6E0XLO20n4CYvGFpyQvgpz7jeUinmJ7dQh4=,tag:2WvBnztb+R1M0d6sNi35+w==,type:float]",
 					"attributes": {
-						"canonical_id": "ENC[AES256_GCM,data:zgn7KIeH0nLnC/FHDq21isUjda6iUGp4ZQQ32L4PrCvTs2IQ,iv:YAx+RYH5CNU3u3Dcm/F5OBd5i/Jzm/aP79smxGxf8tw=,tag:tBrQ6uq10RA1/3lqGta7iw==,type:str]",
-						"id": "ENC[AES256_GCM,data:QWT+39McrKFzdYsAXP4/VhlDkXcnTn6hU7TE9eR1T9FP0fDg,iv:d/E2GXuXl3ebYG3e/qE6/bdwT3s0SRFOh6EF98EgI34=,tag:/ekKlrFj9HHA8ciqrB/jnw==,type:str]",
-						"mount_accessor": "ENC[AES256_GCM,data:8V4u4WHux+uIJ/9nJ18QNb5Z,iv:8sfzk6wFTJQXsK3aO2LNQiABK2bgKWPVcgSA21dg08E=,tag:OA4fJRUZjGa6RcB18CqGxQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:UaTi91wcK7W7,iv:k4CPfsRDgayjedqLGg3Viqc1fXAM92J3xZ5sAhPeGqY=,tag:gOAUWrWYB3iPWQPfN2w3+g==,type:str]",
+						"canonical_id": "ENC[AES256_GCM,data:xCcwyawjxvbPiGQ3fieKxhVBrCveDcIaytl86cZde5GKGciR,iv:eBu9T9k5vrCEsClYk8yc5Az1fUZf83XgylP7y5b6G0w=,tag:yFQlqcYFZLN9CVS7B01ODw==,type:str]",
+						"id": "ENC[AES256_GCM,data:A+DivTbq6Zx8gk64Eu1mZunV8gVXjdjz0IAeLbaCv+XFhzwB,iv:IQceNxjoHxDzYTGiwbxKZ0LqRtFk0j6JU9HWYskqe+Y=,tag:zCtXFmas4Q9Nrn2fHRQbCw==,type:str]",
+						"mount_accessor": "ENC[AES256_GCM,data:Wsm4K/GCVBgz//eARfqs9A9V,iv:KDXUaCaF4/r7kvPlNUUC743U9j95c69bEIBYKvQpa84=,tag:h//AA7kQD6J9Ax3KwjgzQw==,type:str]",
+						"name": "ENC[AES256_GCM,data:P7rUNafvCL2d,iv:+1Up8IWpCmkYc1qxoPssqo00JT40WE582qtHWCYh/TU=,tag:ZpHejf7AKjOhC34lX0mNNA==,type:str]",
 						"namespace": null
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:fg==,iv:KxT9n6ktAgZh1f5heK7uDphd/cmc5mTNI5i5wDtcXoE=,tag:TyQRDWZdO34XBC6IDsNQEw==,type:float]",
-					"private": "ENC[AES256_GCM,data:a0uKMtCnXPDdvDKXk5v0Tg9MFxZi4bE3UCmklYJgmuY=,iv:dzjcdtttciidr3FJmj2GwDmSNyEIcy/xnOdmfYwZInk=,tag:r0H8XZskzrIQkPlyMIAeQQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:dw==,iv:29hl6D2lEZvf5+CUuSUCUnbH0BTYsW9moXJ5zNPybwA=,tag:vK26DR9Al68QZXP318ENoA==,type:float]",
+					"private": "ENC[AES256_GCM,data:tuagYu1hllBHouUMLO42Vrz7H7h+b3ehIM8USaDTfH4=,iv:Wt9cgeGdFPYAaoGepnCJI6qEYB/B+1x3Zas2t/lUarQ=,tag:r9zHV+ggY/cswpJ/YEgwEg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:2AbKDVvfabGRqV6eXlVohwacpWeBZJc0CgSJSonHSoc=,iv:yoPZa0lyd9QBeWrG49BCIUgXxLZqaNBnp6kmRcMPaHo=,tag:HaCGSuuPDyAFJEMxV6XxwA==,type:str]",
-						"ENC[AES256_GCM,data:ZrV5WLXIuAtgsQqbUoWOZJcXnDtzQWqsyZ6Gncc=,iv:ovRozP4gRkcLIbUob3FD6qq7YyjISCqsgLvxMFk5NKk=,tag:En/9yaYSYX52ikQSn1AWjw==,type:str]",
-						"ENC[AES256_GCM,data:TuJXu7/s09LLxoxOA3k6lhMs,iv:egf6Sx0x4vWZyN3tYXRmSJJd7P8YMWHJI0ebRhJedpw=,tag:2r4qb3gnS97Dv9tnVeRkmA==,type:str]",
-						"ENC[AES256_GCM,data:omvTl238H0rU2UqB95gJSuXOd/7ZqgNqIh0=,iv:a8IPH5k7r4oMlL9LW+d2H5FmgMgfz9By2srRGgCEEpw=,tag:qulJzsfsGdvN3Lo9tJIWrA==,type:str]",
-						"ENC[AES256_GCM,data:qrfIX2RlZMYnM5Lv1wj8q0DMwR6UE5ztZ96LO4+k,iv:HgsKheSkBG5s82DZ+h/2iYnBXWAU1JnsXf+jY9greMI=,tag:uSdGv/dy9HYJeI6WHMqH3w==,type:str]",
-						"ENC[AES256_GCM,data:r8CPo8U1EBnBp80vm6cS8TkL6QyGZC9Fm37U,iv:VNfDXBAyFphi1CcMkkP1wj5VGH7K+0SqMseJalRa9fk=,tag:bNl7qiYgiS0G6OmCKBs7kg==,type:str]",
-						"ENC[AES256_GCM,data:riYeM785uIli5GL61vrclqdRW1CKTw==,iv:q1UZpAak48vNa1fpKZ29+x8DcM473IFSiVqilZm7YS0=,tag:WDFKFWUsZj2inCq0z2+DLA==,type:str]"
+						"ENC[AES256_GCM,data:iuPIiGdSqlTRBxqrIV6Pk5EsFf16qgYlWBI+K+DRMuk=,iv:UIacw2ZaWXh6m/sx00gD1iRF5VxZcyrBvtr18jHfytI=,tag:f0YEn3DdEfUGopZ1seZiXA==,type:str]",
+						"ENC[AES256_GCM,data:dW1t+AOvmrs2SJk2tpBxLFezWs7sP7JcTdPCWRE=,iv:wt3Zsti5Ows8pcfmFADN3FSft93K9NRqQOT4Z3tjMVc=,tag:IBrzifxMgn3bIvX5lO9bdQ==,type:str]",
+						"ENC[AES256_GCM,data:h/aSszsgcRK8kaumhNfPSEnE,iv:NWwpt1vvzN4kbEd1YKEXxUqf8CFnGvhkeWxd+b1WMNY=,tag:6U+8zPvtDjmAFad5FOnhVA==,type:str]",
+						"ENC[AES256_GCM,data:zGrtUq9L57zoEMmeqY0pn5CBnPsHirnCU4o=,iv:UK+y+K04O1+2hxdM/cjqWv8GYlVS9NUXEuiFGRGgAC0=,tag:o47+Kvere8CzNn+Yh15iVQ==,type:str]",
+						"ENC[AES256_GCM,data:qfAT4nl6rnT7LI+mPW1Pr7A2fEIerHbM7xg5ug8o,iv:KUADxKzQEodvNKn6M4HO/sA657HdamlzAt1K54tpLls=,tag:DtoN7QGssjVR3gG3b973OQ==,type:str]",
+						"ENC[AES256_GCM,data:LpH/pj6bJ2vEtOYiFumGjP3hGdIubymmLwsR,iv:5cQ2JjZfUWBFXM2Lh2EMEOm/PxBWp+rp0RobKV7CPqI=,tag:0n8EWerUw4auTksiIz/5HA==,type:str]",
+						"ENC[AES256_GCM,data:ComLjDmHJuJMP42CVYiD5SBDG8/v8w==,iv:0p7iOcknDqPvi69sUf6VfnWTqRBZkTYAHrBc2H9DZyo=,tag:I4afjiXlgsi+PwNkpNOajA==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:0TFleN4NTwY=,iv:ubjpWpLTo8Z6iWB1OFUQv+i7EO/OSMUPnt/f44ATCpE=,tag:CJVcu8ZNrOumgMVc7MZAGQ==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:AA==,iv:Us1/cXB4UybmUvgWmnxLJGvBYtKaBaexzcP3gKmmNa8=,tag:BQTdY8PQ38olI6F4au+xiw==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:DeKzRY+doWw=,iv:9R2EGl+kTxlaNK4XmgJ6xRLqT3ELM2nwED86prhrXxE=,tag:1seD1P8MdNNYkJ1t0i057Q==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:sQ==,iv:c1iNyP+FDOP8qiANRWV+DDt0x4UMxsFOqO2gdY9k98s=,tag:K6+jTfD/CyuXC9/rhJNJlg==,type:float]",
 					"attributes": {
-						"canonical_id": "ENC[AES256_GCM,data:GCHI50MovQxztFYwI/9tnu/Q8thes+NyyQ/1Sg+dkCVZtF8W,iv:Oz+L8N4Cb/dIwN2PsdeyGuG55u+l5unhW4LzVY8Wgpo=,tag:VQOcwlnFt7CvP5Ac2jG7cw==,type:str]",
-						"id": "ENC[AES256_GCM,data:/7f9MqLepImaFOgA9rN4yuijVzRrFLXOcvVZChEL9Yp36+AP,iv:YR1SZLMlxleWjYAf3xHtympVth77duGswRVARL1hRwA=,tag:6KaIcA3GMKAGCU4z8uK/+g==,type:str]",
-						"mount_accessor": "ENC[AES256_GCM,data:mgmjb7+KxLFQyh+nYwIVGksj,iv:451pAdK+JOH/nMXt7BhGfroPsO1LidPMOADlcahPVB4=,tag:72iYQz7llE6yDVmaoUCszg==,type:str]",
-						"name": "ENC[AES256_GCM,data:z0d2xJK/bN9gsQMYQQ==,iv:H5LsFCjBNRyrEALK7jN8LBTsVF+IA32i7c1rJeHLBNo=,tag:CUM9ZvOUwP/ga4g+blN09g==,type:str]",
+						"canonical_id": "ENC[AES256_GCM,data:G22YvKCDlcEwZUFpSk3LRpYfiK7tskx09ajSY9IW43F8t170,iv:GcfBkKgXzTdeJVU+7EzbCuazZQsKlleLX027asH1ILs=,tag:KStSQfydxaLnZ9ARSSeO1Q==,type:str]",
+						"id": "ENC[AES256_GCM,data:NmssmdP2a4Bv/24lgaxh3fzqi9vY32MijleW/Pvex9KzwEWB,iv:ifQjF7lPMF/Fba+44mR5onUcndDeAq6p2wSQGup9F3c=,tag:c6xueq/w40pjjS/12h2XcA==,type:str]",
+						"mount_accessor": "ENC[AES256_GCM,data:fM+S6rbuSRfeEvrwgwRSrgCl,iv:L+klYVDGX2CyjHY1SpEcP/XeLsw4DzJIFArohhZS+BQ=,tag:qdO8hSFYaQAlGyW4rUG3Zg==,type:str]",
+						"name": "ENC[AES256_GCM,data:gnmZZP51dt2yrAj3RA==,iv:PqMb8ho+g0BdnifEV71yUE3H110s9McNamvm0pPpZII=,tag:785JSGUCtSUO+ejCFOCckA==,type:str]",
 						"namespace": null
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Sg==,iv:usjjkXS1pF+Lpu96/Rka6q4m3KXDHd9rGCWdRfms5y4=,tag:CXtTcqBT128R4rzCOVqhCw==,type:float]",
-					"private": "ENC[AES256_GCM,data:rUnzkyefXZQ=,iv:ortg/C7HYuBffoSK3EKIHlsp47E/ZoFkIIc44J/Bbwg=,tag:ZzyIsz7SVyYENzzyvfiZug==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:VQ==,iv:qycX8IYDfmUyGoYi0klfn1Zr1N7LY72m+UEhfpbB7Xs=,tag:okoRq6yhwwnBzsbnBKwPeA==,type:float]",
+					"private": "ENC[AES256_GCM,data:qlrGt2OVs4k=,iv:jTsvdLLKmMwBI/ixj3vBaEi2/YMSkl3lUkFhYF342S0=,tag:RcuCbcxJFaK7UY3cVkQz/w==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:NDJjih0DeEbvShY5A16reEyortptPNa74XXIgPtykRU=,iv:WC5cZMX9lm/RMewlBVd+bdUxGp8mpjQ9xE0Sy5Wt8E4=,tag:lCXDHVlSasRzZGOcEuC4CA==,type:str]",
-						"ENC[AES256_GCM,data:WWMD+bRl9Epm6wXh67szeSSqpmnkqthV1BW5Mak=,iv:Dzvjc0OjigCvLnRisVvHxdoBmpWPWMFo67IHqRsk/Fs=,tag:KwQgKRjB/laJvP8uNQHuxg==,type:str]",
-						"ENC[AES256_GCM,data:5tueBSDLBEV9ZwUbEJrxGT0A,iv:ylbLDJjtiLNaG1//BjHumFChnkivGYDocDLpYbxJ1dA=,tag:Ii+HWDlb/w+YP8cK7wdCaA==,type:str]",
-						"ENC[AES256_GCM,data:F7y3aSn14Fxod+v37FKEGA4ocXbM/UGeEKM=,iv:IqwIpODZSkYQvGuuAnTILEY4zfhcKzGhOE4t2FdZmZY=,tag:TnfGw5LD6rjvG2ZuUprTgQ==,type:str]",
-						"ENC[AES256_GCM,data:ECC9TMde3+rgT+Yb5jZNH8AOh1IQoRwHq59eCIAb,iv:OcpxXsut4SAiOckzbbCkHe2QQ/jqs49kPxlR2zyEL8g=,tag:9LvyYNwr56c6zx/7xKEFmw==,type:str]",
-						"ENC[AES256_GCM,data:QU8RMjqbqM+tNC9srNQgSXDLbQfbriINmzwK,iv:o7zP95Q2bOGxFTuO4n5YTdo2ydpCLWWXV3i+siaXJog=,tag:+GSzdKC2UWDRLdjxcq/qbw==,type:str]",
-						"ENC[AES256_GCM,data:85W7HUwApTWef0Fr9zSEDjQNQIs2Bw==,iv:ZxiAnEHu6hYZQIX7dW6e7VTX09tL4SQiLLzODRW/tdo=,tag:KpcUSQOWX5yDIwkUbxwkGA==,type:str]"
+						"ENC[AES256_GCM,data:cScrlAFamLNYsLVALu1ftCs7WxMzW2SKpDwJNmZYGOw=,iv:KOkLr1aDREJUUVMFvEvNBY/ykeqO7dEx7O1aMwZyvmo=,tag:EYv0KMp9wqZ+sG9Dd7e30Q==,type:str]",
+						"ENC[AES256_GCM,data:+vULIoo/nLxnlwzYBGMWFgNVENB4o9CP/b4SSFg=,iv:BeCRSBwFOZ3vxz1RTOlH9FoWUIfMPbFbNCqKFhJ/FIY=,tag:TOuN8UXz+ZPaM3zZhSVf3g==,type:str]",
+						"ENC[AES256_GCM,data:NJNrQPuc8R/NyP2al2VrS+28,iv:4BSiifZ8cjNhIRJgxqwlwNIWfIPcL9jegZXp6ZZNa28=,tag:MiF43qWP72UEi+RjWFtPXA==,type:str]",
+						"ENC[AES256_GCM,data:LkvOVMCpxnLRn1wrzXseTJ6T/tzjpyBe+Rk=,iv:nJccnhGHwTMjL4MBCuHrzkWfaDaAHmnFGb9jSlvAfD0=,tag:Ix/CnZRNdcrlTi7zJsIx5Q==,type:str]",
+						"ENC[AES256_GCM,data:9KvOzXEIaAlb44jHXfdwXXOBRFrrICdK/aHBUf5+,iv:+kxGqsenEN8UpD+y11vV0oqqlLi1pbSg/xyUH696oLE=,tag:4D0QorcngENPFCH1nXkRDg==,type:str]",
+						"ENC[AES256_GCM,data:NOIWlZ/5STOjFXOwd2tKuiP1bF6sD3tjyaty,iv:8T5C7MeZobxjAigH56M/glG91aiyZQ1DLNSpbdv3mE4=,tag:y1dJBMMtvrepLHp+JmM7NA==,type:str]",
+						"ENC[AES256_GCM,data:HTYPohz0Gkxymrrld4MJjt5EKrKBJw==,iv:ScJRmMX02SErltaoe+4xFu5kBco7Klwe0La2oxpXzZs=,tag:VHJEvkWRSEvo3DS7yKKAMQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:GKe1dZIOzA==,iv:rFIuiZnahCbfbIZEo3oT49zhe8Muaxx1B/W40XldekM=,tag:b44kqbCxDREh3Pzfu07ICw==,type:str]",
-			"type": "ENC[AES256_GCM,data:iLvjJxXtPX3FgcD7PhdAhpUNUw4Scg==,iv:WJl4YTukVPTQAmwuXA+Z45X8jlf3PRm3xUtEUfYfsSs=,tag:o6gIZMRF1t8nn1gw8QLYXg==,type:str]",
-			"name": "ENC[AES256_GCM,data:4BgZpA==,iv:QnBgH4UGqDux84CX0CZM00XecddJsU8RLDeOuLEwezg=,tag:Zny+N/ErjClBXEl5HTORCg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:5XqnlucxMUAmPeOoLNKP8EP+6Lg8NKXE8I6jdnyVTLJNXIFTVE4e9VT8KUhR8ITR6g==,iv:3psQhGXOnYDx0VaPJwTlACtwjNFJq11Thy0U9OwpWts=,tag:mrkuBFsHX23Qmo8zro0P9Q==,type:str]",
+			"mode": "ENC[AES256_GCM,data:pmTFReM+JA==,iv:fT1dcvTraZyrVyY8qgbIJMK654xC4xO6ixSevMI7x0Q=,tag:+bf83psksYwSN62x33j8bg==,type:str]",
+			"type": "ENC[AES256_GCM,data:brRVuHw8Sc1i3ntaB9P0RHacSS+CRQ==,iv:Y671NiC8ev6xeh9jPX2kkBQc/FOMZtnrETy8BEZt8Gw=,tag:KSugiSBbqi8DgV/TaAljow==,type:str]",
+			"name": "ENC[AES256_GCM,data:fl08YA==,iv:A3/A+ukNfA0HugLr8CZRWFlFEFFZjtPFehp5+MK7P2k=,tag:3V110Mc1SyqnTOdOqPvX6g==,type:str]",
+			"provider": "ENC[AES256_GCM,data:JSkAWCzBl5OLr4dLp9t8WWl4stQV3tfGwgzYbLf/TsLZXaBvNm1sAS40koQyFEB3EA==,iv:kc0ZYjys7CpZGePiHPLbWLQr/bF71fjO3I3qHEWw+sE=,tag:Fk/iXXVdF2tSw9eke+RQ8Q==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:6w==,iv:H8Jwbcs1bZUnF97XFSyVGW+IKS3/Q1hm3MFx5Ms6+aE=,tag:dUXf1gk0nzeN32t3Vz0ECg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:jA==,iv:v8KinD8kVr7FcfnUHAIvlwT0umWwTDdms/GkOD4cCTk=,tag:tLngcA9bSYax8DitA6k8Dw==,type:float]",
 					"attributes": {
-						"accessor": "ENC[AES256_GCM,data:Sexg1cWks/n76/BgR+P1ub0/,iv:1v1X8TV155Sp7uhCOAnA5FyE3Nq8aA+zU+B62nvc8qQ=,tag:T89h5UEaaXjaFth+Waindw==,type:str]",
+						"accessor": "ENC[AES256_GCM,data:IG7ybbbwK6Idmlt/HBJb8WLj,iv:ErPOySLHxSY93iWupBSOrqqEnFusQQS7VS+V0ILlJbI=,tag:4DG8aO7M0SxUjL81ckLUNg==,type:str]",
 						"bound_issuer": "",
-						"default_role": "ENC[AES256_GCM,data:ThxcwCK/sg==,iv:8GCYT0g5m0uK9h+rIvOQHmiG2JrQf/JW+L6/9jJYNiI=,tag:vVAuq5B0uZL3W0hN4U7New==,type:str]",
+						"default_role": "ENC[AES256_GCM,data:uwk02ZMmJQ==,iv:i26FP9EGAk5thmFDyM+fguopunYfLWZT0pv5M6MemS0=,tag:VGHEJbfFLiavSFQTjE3YAw==,type:str]",
 						"description": null,
-						"disable_remount": "ENC[AES256_GCM,data:Tf+3mUc=,iv:K4STQIBbdlojJ/Vtn6sQwn/V8X0ucpJwQh97e1MTVeE=,tag:EVM7CJIeRPlAxMc8MPgMJQ==,type:bool]",
-						"id": "ENC[AES256_GCM,data:JEW0Cw==,iv:cRxzrbtUr4ERIeqLKHyySqfbK0R62y1jbK1nCYbeKHc=,tag:sQKaUgnN4T3ak5OAdXUtQw==,type:str]",
+						"disable_remount": "ENC[AES256_GCM,data:QVdTBFw=,iv:GQ1OMIaidcaNwWbUJY742nPkrO5c8+qCA3l4J1lQpkE=,tag:oCPc9Hc273oF7fewny8CyQ==,type:bool]",
+						"id": "ENC[AES256_GCM,data:ZC6ZZw==,iv:SjyLeSggk6f3DZlr1nMgJ0eDIa8QqLdich7QswcqCWk=,tag:p1PqTio8zyKhkaIz1eST+Q==,type:str]",
 						"jwks_ca_pem": "",
 						"jwks_url": "",
 						"jwt_supported_algs": [],
 						"jwt_validation_pubkeys": [],
-						"local": "ENC[AES256_GCM,data:YDiGZ9A=,iv:Pizp0FS1TCGSmrxw509sMepNgJ6B/hs92S9nuGExckY=,tag:w+bN5KMIhlw8pxXtXuFGow==,type:bool]",
+						"local": "ENC[AES256_GCM,data:2vsox7E=,iv:JWYjM65OPDb8c2FvNk6e/8+ikqvAhmkCauVxHDaxeY4=,tag:76tC+P9hJwxLJjs7mRU3aA==,type:bool]",
 						"namespace": null,
-						"namespace_in_state": "ENC[AES256_GCM,data:qNUsXQ==,iv:eLKPq2bFobKY589nl8EKRtJXAT1hCOAcaybrJxTB5s8=,tag:Avy54/ZBvNzlV53kn12nsQ==,type:bool]",
-						"oidc_client_id": "ENC[AES256_GCM,data:LcYJ0GKeJbfFHOd62yACil7fZQGkQF1bhpj26Ho0jCLqPzBnP9SrGQ==,iv:oh7oQkoMvV7EStP4yOXAdgh9iLMCNCHV5SJ1aNvoLvs=,tag:kXu4H84ZF35BBOjon1ILXA==,type:str]",
-						"oidc_client_secret": "ENC[AES256_GCM,data:LPtB34EOcQ/zxZxs6rTOvUXo2IdkbIcPsrvX0O6Vk7wRn9zVOfUkOzeT363vv3a1tKsDbHCsSBkUd5C6viIxHMIuvVrkMHp+5Rpwi0nX6UYL6+poraMVdUy7eZSsY3afjG0+p5Xq8Turmz8HW46b8tJh3aYCrZYpocTU/OrmeGo=,iv:adLt08aVOAwQzr179SqJCzN4f50F1i6Mu52p61rltC8=,tag:7MeQNGq+k1zOLY71spPjkA==,type:str]",
+						"namespace_in_state": "ENC[AES256_GCM,data:a4+s/Q==,iv:ymH6HPsGekDrB/pp1cwP3cEiUl9aHxGKY0u7lKRZpyY=,tag:x3VmQlxpVZ8Z1F3ZvE7G0Q==,type:bool]",
+						"oidc_client_id": "ENC[AES256_GCM,data:l9qr1bmPIjoKtJ5ojm0pn7ekjfxClt7BgHviamg+6PgRW7sseU3Gpg==,iv:ZDjehPh/armrgfGn2H0wYLG6lBw/Blfjblg9oZMhlpI=,tag:07JoR9f7qIGXcEwWL5I4Ag==,type:str]",
+						"oidc_client_secret": "ENC[AES256_GCM,data:P/uueEnExZL59D2o0IZaLh8EGUSPaFRPNo897VLB62Ck4hzt6VQNXLp6++cmClZoSGA4hezGWfr2U0tXSdqPzpAS69TMk1G3evtqQMCEtClCJb3iHS6iVHJkaX7W8zxhJbg3kyytRPRYjR0ZtTex6f3Bac5v/lZF3a6+hu05BJE=,iv:36EB7FxH3X17VG9TJEbcET/YcVGld+SbVDzEB4I6faU=,tag:pdd9JG9rBPa7tw2isqwbeQ==,type:str]",
 						"oidc_discovery_ca_pem": "",
-						"oidc_discovery_url": "ENC[AES256_GCM,data:+3Uqp5eN7536wfal1MomqimFZZhXwLxB20M6wEaDHzKYvjtWfgpTvAvG1p2OxYbLpqFc8M3m,iv:qUJVWy854QliQRowmyqHb/4c7M57A1OguUia/kDWNg0=,tag:wfJ2RUZIv0JP3oLve1miwQ==,type:str]",
+						"oidc_discovery_url": "ENC[AES256_GCM,data:AnDWR7BnxPNebZpHEC+oPSsYZQxAIRYS/PwDLSJqMpYmgp6dd0POgFtuZE2OlfGxIJJQuth8,iv:b4FJ04uGqIHC5OJWjdEP+NTa6xrIdzhVaHAt0cF2yQU=,tag:OBTRI3SNJC3RMXuktE7HAA==,type:str]",
 						"oidc_response_mode": "",
 						"oidc_response_types": [],
-						"path": "ENC[AES256_GCM,data:oUqcSw==,iv:6Htkyjb4oWGuSzgTAx7Qd0L8Gtg07jgXs4oCCH9Wlns=,tag:7lbfZYf/ZJUP7srZQQj/LQ==,type:str]",
+						"path": "ENC[AES256_GCM,data:7+EuJg==,iv:7TuIbFbGwypfgV19oIDKlbpey06F2zaLnyHSr6YrXAk=,tag:1MDEbLSr7nv8XBRz8GZtwg==,type:str]",
 						"provider_config": {},
 						"tune": [
 							{
@@ -2926,1132 +2971,1179 @@
 								"audit_non_hmac_request_keys": [],
 								"audit_non_hmac_response_keys": [],
 								"default_lease_ttl": "",
-								"listing_visibility": "ENC[AES256_GCM,data:W59VSEWc,iv:sVNt3EJzUbq3+yOEX0354rvcqqhtVYnRzooVeG680VA=,tag:cZ+UfHKz/GyGMcMesZ3g5w==,type:str]",
+								"listing_visibility": "ENC[AES256_GCM,data:PpZzYOyS,iv:E+ZvIWkrUMDN24h+XXWJVXlkxHQUVqyKcPdU+wGmFUM=,tag:G5gsx56NW29ahyios7wN1w==,type:str]",
 								"max_lease_ttl": "",
 								"passthrough_request_headers": [],
 								"token_type": ""
 							}
 						],
-						"type": "ENC[AES256_GCM,data:raVslA==,iv:/jUiXy028zRSyr8nUoKAM4FSClmsGZMWS7pzUZ82LX4=,tag:aujfUp7/eltQXetmkZwu/w==,type:str]"
+						"type": "ENC[AES256_GCM,data:fSyEVg==,iv:05tKxUsRNdctP02oRZsVzs9RPd7jsJ5VsErVhK+vxCU=,tag:kcJ8Us/Kq05ACF0HMwqDYw==,type:str]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:mArZpIxpB+M=,iv:aIivRDB1uQms9VLGwpuuV1aAUmwHSrSRsyb6RWRndeM=,tag:NPI3gDrkMW5JmUEnQdI8nQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:i/tRThUUP0OIedoNoIw=,iv:tgNyeEqhUafWKCHMuJyTp5IfFCS5SvW9jHOOZ/MPx1I=,tag:37bydsf9R6vu0JjDBQ3wwQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:OIIMKVTF8j8=,iv:5MfJxKc90l3kZdHrWbcHnHKh89iGQWPb+TY8+h+p7QQ=,tag:7dG/PXiRbNIQWZZZPnWdIw==,type:str]",
+								"value": "ENC[AES256_GCM,data:KfrvPYOQkwV7AqwrQ4E=,iv:6GPEK4JWK9nmfx3L5hhmO/U+iE4+8dlyQIWx4znTW+I=,tag:nrgWvwyhOZsjcivwHLG8hw==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:z4bVsVRStYo=,iv:mLrFlj48j7/kJTzxYDclv1Sl36mKiTlc/1/4Vpl38ng=,tag:BabM42/9Xrm0PFS/8dkGSw==,type:str]",
-								"value": "ENC[AES256_GCM,data:iUvabnNh67CFc7md6abINCi/,iv:BzJvcKoFW7rPnGiYTnzv/AVBBfs+rwU9/1xh9yDJl0w=,tag:qqI0EWw58v4cLqN6Dk6G8A==,type:str]"
+								"type": "ENC[AES256_GCM,data:dtXNWpo1gtc=,iv:LklCy9kpQ0RDa5i82qwR/H1LIP6iiO/IFz7HCGnas1M=,tag:0+tCeZInuqlvOz4CmmochA==,type:str]",
+								"value": "ENC[AES256_GCM,data:Pq2hfMTRJi0YQrMy58N9wICP,iv:BjavV7iOoKJpwbFhVU2GJ2dEM1jpObM9YuHxXeurcy0=,tag:Spmmlh6WcQGlaXhC0yzYoA==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:3g==,iv:XHUrUaf8yM2ygEa+TZgxE000nDNr1sjAFUGJ1QUapIE=,tag:VRd5sdlJp0/ZxTxcojYVxw==,type:float]",
-					"private": "ENC[AES256_GCM,data:JNMKRGPgLf4Pd8IBJByyDTD9OWoBZGpYMm/H4/uzDW0=,iv:r64+51XJ4/o9zeFBaohTLBAW1F8Ji30nP9yZfDLX+44=,tag:zDfTnS68Xn/+GYrZveXh/A==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:jg==,iv:uC95iNdxABElYWl4LpwHQ4Gu8RQHIsrz9BLKgOKrBv8=,tag:P6bXQVG5Nb8rh2AcLS8bow==,type:float]",
+					"private": "ENC[AES256_GCM,data:6NEbiZWyl1EXDPPhOFBMMiunZULYBJvLtYKMOJ88hcQ=,iv:RAym65MlwDV/LyHPpPOrt6Z8EVtAXCVvtdaCgkBjqqk=,tag:mmuVdD6Ln+eUkdFUu9ohtg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:XvvKU/RUXtqIrSBriPhSj4H2o/Sc1cs07kRH0Z0=,iv:rUC/7NlWdmb36+flGxSnevus5FvIsOem+e/iGcqhZPk=,tag:DP//ndk/ljv6LQy9m84zuw==,type:str]",
-						"ENC[AES256_GCM,data:oork08msOxnUuX6asdjheLdM,iv:yEZyAMfSeo7HaPiwz3YHe9BXgHKoD31prnXNV79cJ98=,tag:0tnnFm88/7pBY3TIp/jbpw==,type:str]",
-						"ENC[AES256_GCM,data:bQWuVjG0Bx0MPCyYL8Txg3MkF37qm1+0F1o=,iv:6qjFe4Y0ez/6OyTT8ayCJuVf2WZVHjMBYlg6mnLcz/c=,tag:/m5P1sNPLqKF7iIT4rMRJA==,type:str]"
+						"ENC[AES256_GCM,data:ZP21AsNsBHVFOg2r1hINtyunWR1hh30/hcHs1nY=,iv:2LspZJI7rsnbCENIqov2lfeZCif2eLfwGM4v83gODoA=,tag:n6duClaBflc4cG34D3kfkw==,type:str]",
+						"ENC[AES256_GCM,data:ZvEfI7VkbKWhxdzNOFnbetsE,iv:bqL0Rq7AKyiP4bHAJvxFsuxe3gR5zweaYeKfxXK54wY=,tag:SgxF3sJ5dJMUhPBDibGTew==,type:str]",
+						"ENC[AES256_GCM,data:mmA5CCAHPiAT8S3IWskVX4L9cuJ1G6sQAN4=,iv:JC3D/6/hP3PkZ6ar2j86GcjV7zix2unlS0ik/Nhm3gw=,tag:xAa7ML5dH+N5sDuaFNXFaw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:ezNksbfTCQ==,iv:+3XYz5vVV6/vs5YS1DbSocBJhSZ1lFmmfALNOJKUTH4=,tag:s++/0Pg//fNNbdfJcHHxDQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:4rqoPaQMP98B8t/zHzlkltCjljDwULCP+PHc,iv:uSQPOce0nrljKYX5+545YlWT6GsUR3l/W/IMpEqdMnM=,tag:xwLCjG1cj3QfiUcGvFQAqw==,type:str]",
-			"name": "ENC[AES256_GCM,data:3BbkE8REyg==,iv:yzSE8c4xj7o3uX5GPMA+Naza3cXFWSZP29juqwecgxQ=,tag:m1YgVSpGAkbvNHwgWOudRA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:133aFtGX+GG0eJh/sN5j6RU7tOKcUykFfFGiDPQIbnOhCKb5Ru0ffRIUtgTjzLIH4Q==,iv:7P4jJkBLRdwUaQO6LKqE3EBeiAwFz4LgHuUv3k1W9oY=,tag:FbSQJbu7dYKcKblhrpf7Qw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:8q5tLwHE9w==,iv:xANqT8gya++LDbDQSvTaUvRNJg56YXX+PUiAflmGI1U=,tag:Tp/4hgGAFA0Sk0D5X+XHfQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:hSiZLK+bTPDp41WS7qijru1jGcud6w/SP7yH,iv:+ZKuNMXPxzMg5fMSUzjSkJ26eL8J/vEEujG0XzP5uMw=,tag:cq1624mAFpnN03sfXepnqw==,type:str]",
+			"name": "ENC[AES256_GCM,data:qUrHDNVWng==,iv:XmBO5wyDiCYZZEvaGx7vQ7x9tyD1EZ00u5095rydcMY=,tag:VnRI/5cyz5Swm6io2vkBrA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:zRruIwT72ydCzdWi/OS6zi8wSQS5HvZJ6WgNmIryJ00xrCqM0BABL7TsNrawmK6XpA==,iv:FJKJuA0c8/OfDfDZQyoq3rwK1J0fsirgWEIkK1ymjnY=,tag:u8l7sgUg+t/5F9ZzU5bAJA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:nQ==,iv:lf1VLO3932jLudZIVaXRj6T1f+rtXDVDLaAV5mzQLgs=,tag:Cwn0AWYs/ssjPt3LYMvTbQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:JQ==,iv:tnXUOsZIoAFWgefGMK+KtDDLMqFlBtGg+5GGaGG/NUo=,tag:K3cYpUFGxsrnJQVOLQsa9w==,type:float]",
 					"attributes": {
 						"allowed_redirect_uris": [
-							"ENC[AES256_GCM,data:dV8gX6YXdFYgThKwtkDawX1Su+tiFoCNZo92uUPMgG4UCs0=,iv:3FQAce+ANnr8yEHzT0m/lqqTz6TP1U6YQZI1A0rmVSM=,tag:vYMZEsDjDAX48Y7NzusH4Q==,type:str]",
-							"ENC[AES256_GCM,data:09VRtBwOuLSVT769gJdOYMtYSXE5q6M51IfHjzfy5Xmoky4tsDIvgcXU3YP/kbHX699MtP5h0te8nrvrStc=,iv:ppcNL8PwD6MmDz1SYBlroj8eDZE3go4NhezUfiwVy9Q=,tag:4Tb6NQHK177t9/usov3YBA==,type:str]"
+							"ENC[AES256_GCM,data:aLbBpVnfc47ctyFA2a5s8alVX8OWReuVQYhsxMegkKX8ipE=,iv:E6N3i8bTQkU5dlgbB+//Av6Wvu6c90KTjaEMH9oC2M8=,tag:zvuDdtoqbR2TXuH9FnDnUg==,type:str]",
+							"ENC[AES256_GCM,data:rCuxhS/AmeW3EULE6TcR1WyYWmLhQBxdHiP12jMvc1Ddu6sgjpwd0DZqOOssu+oB9drxJnBewuKWhgd27Rc=,iv:YWTUbZF49/0mc3iU0g4zZBCTGki9Avs1xCod2Pn4A3I=,tag:lmg1YubOgEFj9fzL769RRA==,type:str]"
 						],
-						"backend": "ENC[AES256_GCM,data:UC44uw==,iv:89f+ycNfU96Y0gCZmHn9/75Mo/vTfm1Ti4l0lUx2g04=,tag:7LZHh4xJV6xvyA7DshBS+w==,type:str]",
+						"backend": "ENC[AES256_GCM,data:0AWnRA==,iv:5dWHBXex2nFqzdQTOJy1DFsFtJLPQVGAewtGe2BjaEI=,tag:9HKULsWDlyjljShPARgFxQ==,type:str]",
 						"bound_audiences": [],
 						"bound_claims": {},
-						"bound_claims_type": "ENC[AES256_GCM,data:NuvxH5hB,iv:WtoGadpD/gBigDcS7Vk0U9sgW/S/Vfw0E+SXpraUzkg=,tag:MId/gxhvy0i/KkIm6y49Vg==,type:str]",
+						"bound_claims_type": "ENC[AES256_GCM,data:WTD9sc23,iv:MuhsQrM0isf80n9Exi/k1EZCjFUZfEA+5hW1P09wPk8=,tag:443rTj5sophxAg5NUdxbOw==,type:str]",
 						"bound_subject": "",
 						"claim_mappings": null,
-						"clock_skew_leeway": "ENC[AES256_GCM,data:1g==,iv:RXfNfDfZx/A/Siw3YNcFLl1JNSjgicH0eV8SqHl/OrY=,tag:VdYCmXbyOUmLYPCwoY8r8Q==,type:float]",
-						"disable_bound_claims_parsing": "ENC[AES256_GCM,data:X7q6DoM=,iv:MxZ1ou2rzA/qjKwdjfJJqJbFQWXpQ1XcEXqLSJmo2rM=,tag:0ZXGyOuQN2QLJGzN5WZGzA==,type:bool]",
-						"expiration_leeway": "ENC[AES256_GCM,data:Iw==,iv://3S2D1nFqFEIKcdOA9OfJ3uYNxcGsvBAfH+aIcvD6U=,tag:lE17aHQp3F7ST+vr2ZX3vQ==,type:float]",
-						"groups_claim": "ENC[AES256_GCM,data:isiRqhIW,iv:TjvwT4QYXZ4sSI2CXC825YCN9rr1a6VZWpHptIl8daE=,tag:tNo92cuSIChlJhRiPl1lIQ==,type:str]",
-						"id": "ENC[AES256_GCM,data:jM9At+i/RlQ2VGeqXLIYsFRzV7P6Jw==,iv:sjRL0O6LsWCuruQhKLMHwxRmAE8TKjZG8dbHw/jvZz4=,tag:1D7LP/9DtaFnAUMqkzmQRA==,type:str]",
-						"max_age": "ENC[AES256_GCM,data:cQ==,iv:rb398MHSnWRsOEdbldXatJJ3U8frCkJROcDe3T+B04k=,tag:5VT2qAa9Oo5DeSHKD54T9A==,type:float]",
+						"clock_skew_leeway": "ENC[AES256_GCM,data:sQ==,iv:9TZF92wdQm3b659YbVmxfKV+CrWlpc1T2CKOUqXcwbI=,tag:mPSZaZjm9UrArr6vd76gEQ==,type:float]",
+						"disable_bound_claims_parsing": "ENC[AES256_GCM,data:pWfEFJ4=,iv:K7Ijp8LiEpVHqV4swsaRmivVI5oXNSri8Yon1Ip41ak=,tag:wcOAxezEmnUklsqXz1eMvA==,type:bool]",
+						"expiration_leeway": "ENC[AES256_GCM,data:dw==,iv:W2aAxPl2qmgx8mr1ZpqE0yIq6k6w7xtBjym1OhCSmjI=,tag:bj9vwG8wp+dmUznFZV6lfA==,type:float]",
+						"groups_claim": "ENC[AES256_GCM,data:A2drXv8A,iv:1vdNl7BXbDZVDXcMFIoJ16wndS3f1PHkhC/n1VG3nzQ=,tag:cTdpqB5tKKxl2eWY5LJ0MA==,type:str]",
+						"id": "ENC[AES256_GCM,data:5lxSPoabgCEbJCxu5+VIBNYgSQSE6g==,iv:IBVUM1evC9CvpSUZO/r6SDhfgguIHkciKyhW3fvRpMo=,tag:k67ARD8jOSZLMKM78XZXgA==,type:str]",
+						"max_age": "ENC[AES256_GCM,data:2A==,iv:WIs1WZkF5f17DouscbHDuCTWfoFimAtSJbOc1RWpgRo=,tag:hXyw+0VrZGI0izEz3RZ/+Q==,type:float]",
 						"namespace": null,
-						"not_before_leeway": "ENC[AES256_GCM,data:BA==,iv:s1cfrPZm3KchzdkNOo8Xb0KJ+1+FbnKGUqwBF4O3WdY=,tag:7NuPeaC+Q5Mn0xG/AuPehA==,type:float]",
+						"not_before_leeway": "ENC[AES256_GCM,data:4w==,iv:DkeMhWbeRqR97sGyD494FGPf3O6OY0RMLoROE5Isdg0=,tag:IdxaeF5sXvAzrCTce3wO5Q==,type:float]",
 						"oidc_scopes": [
-							"ENC[AES256_GCM,data:STUVNvI=,iv:kVa5WT7IgSqeqidT9btVN34/hzMVpPhGDDv1T0MgrnE=,tag:oSI5G8olBvNUrbbo4Dvd4g==,type:str]",
-							"ENC[AES256_GCM,data:4VukYV5P,iv:DVQQHL8vOSA1L3Kpriit1D9d4EdTAuJxP0k7oTBz3Xc=,tag:xe8Y7/KyW/wzUaHj22a0RQ==,type:str]",
-							"ENC[AES256_GCM,data:LkwWgJpiyg==,iv:h5ezhlWOP3qp9YoVu2IGy09Li0zqdNxkvHFEMUQ+PAM=,tag:Z4hksqFlbNkXwZy/W0RS8Q==,type:str]"
+							"ENC[AES256_GCM,data:fDYTytU=,iv:Tquw4UGyODHnenDsofVmt4q6y0ZwxzwVhXp6BcAndgg=,tag:mwaOT5fPynLLrkMFNSeT2g==,type:str]",
+							"ENC[AES256_GCM,data:HPO192DM,iv:tzKDpcYcvmFLjbmc6JxMREfrcmBwB30bh9YJHw4ibAE=,tag:RCrb7hH4YthJfNdc8Evykg==,type:str]",
+							"ENC[AES256_GCM,data:VsavHJGtDQ==,iv:GRUV975fv6kcnBpBf/Ht+QXLJW0n7hHRzzcBf40xeeA=,tag:a3F7+e3q2C0K0unuJBJpYw==,type:str]"
 						],
-						"role_name": "ENC[AES256_GCM,data:xlBZpAnUkw==,iv:KxvMSUrC1jcPdkMt8Q9v3+QaQqQCPejcY8BwsRqxXRo=,tag:jelZqULMM3NIK5ZkrmdZjA==,type:str]",
-						"role_type": "ENC[AES256_GCM,data:+o5B3A==,iv:tfPA4kCPPVfoJd7E5SUGkpVm525FWelrch/FBwJ9u+Q=,tag:G+krlrw3DMMdk2W0pLUNBQ==,type:str]",
+						"role_name": "ENC[AES256_GCM,data:MoU76DLr0g==,iv:WqfUbRcSA9n9noSOsWp70gKrhExvABtXCBsYqEyxMWs=,tag:CO1szLD9HqKb0ZAvnWooJg==,type:str]",
+						"role_type": "ENC[AES256_GCM,data:B+dqZg==,iv:OE1h0y+JretDde76o/eQ+Yqs9EuiI2dNlWM8EqGxCzM=,tag:/RIDOAGwSU+YP6w0I/4v0w==,type:str]",
 						"token_bound_cidrs": [],
-						"token_explicit_max_ttl": "ENC[AES256_GCM,data:4A==,iv:dsFBWX6ycrx7+mlaIjSJ9W42IRMJh8hWcJzx+5zaJaA=,tag:Lme/QsMb1LqlMllFo36qJg==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:KY/y2/zV,iv:bLKSfLG4IIrJkEuwGPeCoa8HDI4Lyjl7CRrdUrpERRY=,tag:6RlQWmGpOYMyoTANl/qhGg==,type:float]",
-						"token_no_default_policy": "ENC[AES256_GCM,data:pp6yJIc=,iv:6auG1WY3NIvabzVV1IiVBW5+NPvHJMpYB40AsJF9nnI=,tag:mD11xyz8/umQ451mRqH61w==,type:bool]",
-						"token_num_uses": "ENC[AES256_GCM,data:zQ==,iv:KmNp9jMQ3M2+sEnUrPbnY+ZffOK0s/IKlxrSZ/WUuMc=,tag:rJI+IbfI2lP+Y9QtBTtSEg==,type:float]",
-						"token_period": "ENC[AES256_GCM,data:cg==,iv:vesjhA+PwyDzIMSoQIT2KK1BY7uHwpAYW56+133x3+E=,tag:km0jCNapyor/QzQmuEJMww==,type:float]",
+						"token_explicit_max_ttl": "ENC[AES256_GCM,data:5g==,iv:jGPPpbb+cS1PDcrNYs/ivqanAEFY8QOuHEyQuzMW/EE=,tag:rVewSpd7Sj8E28kl3ixjpQ==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:hd0m2RPW,iv:gT4JcHm4n3BEt4Z6eAEsqKZ8x1ucqRq6AHElSj0LSg0=,tag:yyr4vxADPARUb1PGv9LzQQ==,type:float]",
+						"token_no_default_policy": "ENC[AES256_GCM,data:49hYr0o=,iv:M6bS8kjOC/FIKUmHvvK9NgA5BJ6/03vEhKuHJp+RYlQ=,tag:zV8GhWgTV6Qg8rxXs+GLHg==,type:bool]",
+						"token_num_uses": "ENC[AES256_GCM,data:AQ==,iv:zCB9TYpa6D6tWFoyt4UrH5Uajf4N4vR5q7J858BiGpk=,tag:7K9scTgB1nWLRZChNAcHHg==,type:float]",
+						"token_period": "ENC[AES256_GCM,data:Gg==,iv:5bwjgZCR3942a5yt7wfKwmznZEBS6aVRhG8tQSH8BoQ=,tag:9H0O2TqLp7v1jY7OdvibSw==,type:float]",
 						"token_policies": [
-							"ENC[AES256_GCM,data:GM80Kzbkbw==,iv:TJaevidvIEaE0XjJCwmgYoUW2LsjvCof8NR6zIABsJM=,tag:KQd+RA/1d/lDOy0HuKL16g==,type:str]"
+							"ENC[AES256_GCM,data:E3pUg3zs6Q==,iv:xZ4b+L9n3YRvKOCZv6skXAUd43S/BaFkEugsJIa/uYA=,tag:Au2tnVLY9gCJ0u9VRcsA9A==,type:str]"
 						],
-						"token_ttl": "ENC[AES256_GCM,data:/QOJsRPa,iv:0fWm4o82WdwaS5nnuK12lSBDO8S+q+aexH5TpOAYof8=,tag:iMs7hkLEHjM6JiEIO4b53w==,type:float]",
-						"token_type": "ENC[AES256_GCM,data:DPiI8iiudQ==,iv:amuD8D+E3276a9ZhKllDkRYXaSvnPsjzH4E58dwnW3k=,tag:RiI00W1TIpEv1xtHiin+KA==,type:str]",
-						"user_claim": "ENC[AES256_GCM,data:Ng5ysZM=,iv:pyQblLuYEHiUfwBp8mmAXfmYcozqKZPDQTCfMSZiNSQ=,tag:dcRQyFPUQH4ya1rTmFFGMQ==,type:str]",
-						"user_claim_json_pointer": "ENC[AES256_GCM,data:kjIWeaM=,iv:AjhgAZzZ6r/hd9tLJ2Jfdl9u4s+0jakq2Q298tLz8tY=,tag:G0jh1ImILmRqesT59YlfYw==,type:bool]",
-						"verbose_oidc_logging": "ENC[AES256_GCM,data:DDfok/M=,iv:lc5GZy+OF+B+E8V6eMcWGHTyCyQ8urbM9TltEu+4C8U=,tag:LrtYEbUzeRUyqfR+mMSpCg==,type:bool]"
+						"token_ttl": "ENC[AES256_GCM,data:l3amEoIT,iv:Xv5/awla6/q3n91l3TuYMBIawi0UAu8bpabWfEnnKEU=,tag:dMU+4aOIrOW8oWBfyKNRTw==,type:float]",
+						"token_type": "ENC[AES256_GCM,data:BD1y9Eep3g==,iv:ft+7MpAvlh4YRKlmZMsZnZQEXSTJm5GtQv8H8vPXwt8=,tag:bFs1ojQxKh2ZagWo1BcmWw==,type:str]",
+						"user_claim": "ENC[AES256_GCM,data:l0WttGI=,iv:BxViQbH7GykMmisWpt6jeev9QFZGxyp5UP/vlFwyQ0g=,tag:Ki/W+XlDrXfiTMaqdneN0A==,type:str]",
+						"user_claim_json_pointer": "ENC[AES256_GCM,data:APziELc=,iv:8ilO1QhEnoEb+cFTF0VLSS0DVCN6mSiHSWT4of8n9BA=,tag:DSs1tlK0PG0T2QFKRYgjRw==,type:bool]",
+						"verbose_oidc_logging": "ENC[AES256_GCM,data:dfCW2cc=,iv:B8bOB/qLo2Xromib8alV+GyTjgbDanVm8UM6FNWVofw=,tag:1iEszSh7CLeX4Eg+Z3aWQg==,type:bool]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:lA==,iv:Q5fsIO1FXYT932b39RzmxXxNzT+zjNA2+Rxu+c6AAjk=,tag:chDtGoej8wCPIGaA0w6A9g==,type:float]",
-					"private": "ENC[AES256_GCM,data:MR2qqzOi4aI=,iv:oHqqWfApFBMQbmr6vzmfgykp5NzBjd32B3lv1UKoVHc=,tag:zQCER93wxE6Wb+vFBlX/xw==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:SQ==,iv:FkXOsj4CKDGiIvZP+bUEyQ84/Dcr/pWcvHkdDVlOuEM=,tag:k4FgZEWt+c6w25u9caKGWw==,type:float]",
+					"private": "ENC[AES256_GCM,data:Y/9X2h8TsrY=,iv:Fn/Wk5EZNL/DXTc1rxFVa1jFgposPqxDVSymF4Ux6qc=,tag:Ig9+1HRXS0pPo68lNb2cWw==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:zArH321oyePbJApCojJiGIMbjFrZgPvnFtzbEDw=,iv:20r8WSVLyk5sLj416UIrsbMJt9PwG5n/aZfXqPnii5M=,tag:pkWbDUDHaCamt/L7wTIWcw==,type:str]",
-						"ENC[AES256_GCM,data:L/MzCZZnSVnR1rk3YFK14OZr,iv:kWXlZjGWeHyxGK2JLfD3mbeTaOK8maHdVcvvAJVrAJ0=,tag:ckckHP/O50J80NHMrPdC8w==,type:str]",
-						"ENC[AES256_GCM,data:RdZ3jrqOWpi7zfe3bix+T8sgl1oX6eFAD0s=,iv:9Qxr4YExkGU7rNtEKVm/h0mEa9QZW08NbQJhvwSBYNM=,tag:e1GGzAuWs0hJl2/nFthVEg==,type:str]",
-						"ENC[AES256_GCM,data:HpN29+dUMXL1GlZ0ooSLYBFBiDsRA8NeTN9n,iv:MlXEjAzb/0Aw0UNvz0RN4t7FTyqXYCAv5DkbI2dm1iU=,tag:AEx+gtY3X5gAesn/bZPR9Q==,type:str]"
+						"ENC[AES256_GCM,data:QF1y2KDWShzdb1rVQt+mDXWaeXfyUKIMdZ+NAHs=,iv:1LY9jxQ9SMnXl9aKz/EK6L2kCkMTPQM5Aodg8wTMfCg=,tag:LXEGN6J8a6U2kBONjXUWgw==,type:str]",
+						"ENC[AES256_GCM,data:acAxkdrTvvKLZh7fBld3liA5,iv:oSlVrAozk7p9Lrmv5eG3uUdq/NYM2dJtSRITa2OjugQ=,tag:mq2Rmd42wqDbav4aSUo5WA==,type:str]",
+						"ENC[AES256_GCM,data:YlGmKkV/CUuUrCOy663Rn9YPUvaxk+KVXc8=,iv:+esl/DWwSFX3uXjQvCYQJRIVjIT78TTIx1WDPNZ5/uk=,tag:CblzQ0lMx+T9IRYWBDbnkQ==,type:str]",
+						"ENC[AES256_GCM,data:58BzY5ozx1yR1dSvYvgwKVG7pe2B/Q3bi7Pg,iv:QOH1QKdDFU7R2DQxCZa25Y8nb0PpaLv8BcobU2DiNMY=,tag:XlSWlv8tpiqqdE/XwQi6hA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:ZLotyPP13w==,iv:V1Reg4uCYfKk4Jb3L2VR4myi6emAL/6PJVNwlnZZMOs=,tag:sAmZKn/DeUUxVr49LfY2qA==,type:str]",
-			"type": "ENC[AES256_GCM,data:Wkhy5XpQev7dFHmQfCGJSTxaRpYLJXu6uh/Gy/ITOI/197NE,iv:oWx3rbT7qCMK0ZWINqoDncyDZSSb/yivyIRToKx3r48=,tag:eDkx3V0CunzPqmPwEiQQXw==,type:str]",
-			"name": "ENC[AES256_GCM,data:ZByu,iv:Hg1+XYx7BTVzJZlIsJA5ff+h+8RFVnOOx5Cs3nANAfM=,tag:9ZSaOzBIj4rrUvVdhTUW+w==,type:str]",
-			"provider": "ENC[AES256_GCM,data:3YIl1g63PizmJJuOJGwVmqXF5KlPMCpOIsx2s8bWJxoATkRjDI6uFqEPIRVk8OX7UQ==,iv:uA02RODwm5LeuEbPXubz59f4ROSEMeOkBISKEvr74DU=,tag:0q/ZtjjMlV8j9I6c3lnfhQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:IkNF18cRGg==,iv:cQKathRYj3QyccNOP1m6wOCPp43j7uknGvWteYW+NDk=,tag:MY4lajHA4vxSyUq+0EdTlw==,type:str]",
+			"type": "ENC[AES256_GCM,data:9Ffi+cFdL/XxpoJpcfHvmndPiGMGMmisknQCjX4UA+yJ+qZD,iv:h2NuppRz8GjLHtnxqmI6p9C92WMH0bKOlqtYom/fca4=,tag:00PE1uc+0vWxvvWET3vqSQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:oxV2,iv:xkywJFVB9ke9ySOCAJijqPnthX3/RBt2WhAIN5aG5is=,tag:T69lTL0DZNOqIN2WHAxYmQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:41iu8KXHWprCqYjRz1E31JCANExRD3jw+NnE5zsmbv9MB2b2THCQHopHUl776H+/Qg==,iv:rbEaVpcuYKCup7ErXM348w5C+TFNtvKegzzjGyU2ecA=,tag:JGjR9dhF3J3cy8hPi3+9sg==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Nw==,iv:PUdRYB0JnaCEsP7G07PZnGkfwUh+6qKy1I62gS5HtrE=,tag:BMyN3ZKN2ijJXbs6LlC/qQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Kw==,iv:eZL+8uEcKzToh/o22QzeU9hmbZHLRqfboArv9KvBhBc=,tag:HyZk1Y7T/IwknGhqsDwU0w==,type:float]",
 					"attributes": {
-						"backend": "ENC[AES256_GCM,data:2EVBPG75yYETnw==,iv:bvYyhuztAeTT9REnZw2B6aDt3wbc1teFdI3Qc5emaLc=,tag:vEKYYOTkA0AggcQG9KfzZA==,type:str]",
-						"disable_iss_validation": "ENC[AES256_GCM,data:9OcJ/gM=,iv:TLKqH4R+lq+6cuKl+tFbs4kHKpAQMe3XBItR9fB3Vww=,tag:XbqdjSL/IvGfxiKfBHK9bw==,type:bool]",
-						"disable_local_ca_jwt": "ENC[AES256_GCM,data:0c15Lsg=,iv:2F9H4Wz/7c4rfbvTArmOHyW7l9GU+zl6v54ax4bVblE=,tag:2G1nVVq86TzF8X9lKBzang==,type:bool]",
-						"id": "ENC[AES256_GCM,data:Q9UE97y5eLJ9ZrUJXB7h0cVDqhn4Bw==,iv:KXxPQTg0VGTAooF+kKLaUz7Rdz4ZyJ01qHtXSSoQSAo=,tag:a27CT/NiUt9nFByUL0whRg==,type:str]",
+						"backend": "ENC[AES256_GCM,data:ZwMoPGu1n2GuVg==,iv:w4ZYifI8GR68gzQOIu5/64UYg+kGz5lM4OtmALk4rvg=,tag:pyp5VEPm7HrW0IwjJzk+iQ==,type:str]",
+						"disable_iss_validation": "ENC[AES256_GCM,data:ODmybeQ=,iv:aQ25pZTtyL9Bl1CALYlRkxR8Z3p08xlUenVaJluHrL0=,tag:EmS2IF9LZ/6gmvwOk2Wwlw==,type:bool]",
+						"disable_local_ca_jwt": "ENC[AES256_GCM,data:d2zBOCU=,iv:sumljUKdLwg20sSyp5dX4Zxa7q0RRL6FIbFyB1zyXu0=,tag:Urya32sp7X1PuSsRNFhOTQ==,type:bool]",
+						"id": "ENC[AES256_GCM,data:GlJ5G0faJYAqDNISs5nlOKQhNSOu6A==,iv:S2lSjKw8cSZ+JcxYcoAaWB/rgJI1lDJgjKWWivZ50Gk=,tag:rDMzSWRb00BcjG3JRI7hBQ==,type:str]",
 						"issuer": "",
 						"kubernetes_ca_cert": "",
-						"kubernetes_host": "ENC[AES256_GCM,data:JaWoj+Je4WY5ONfPTAbTxIYHD/IhOG69fSX5F/hf,iv:+dOVW4wVREXGS1TwiGAtoHDF1FYgjBX8k/AzIe8BU20=,tag:FEY5ZRz6C7kIlZqBUZlawA==,type:str]",
+						"kubernetes_host": "ENC[AES256_GCM,data:nyqLrEftm+LZD96EIYjkGo1DcjRGVnq0siZniK01,iv:jz3QTROq4nNKj2sOLFTd3RNlxH0LezXwV3l5E8ltTws=,tag:EFti7wLBWvbAfuxa4tkksQ==,type:str]",
 						"namespace": null,
 						"pem_keys": [],
 						"token_reviewer_jwt": "",
-						"use_annotations_as_alias_metadata": "ENC[AES256_GCM,data:WQRXJII=,iv:rDv57igHiQfHylhXwjPPal2AWrD42BgKshA9NOKDVcA=,tag:Q8l2tdVkLKNf6dKQCReMAQ==,type:bool]"
+						"use_annotations_as_alias_metadata": "ENC[AES256_GCM,data:6cGsylU=,iv:OXCvayy+ciNyvwzU9JwyhViXYJ2LQ2skRx0jLaAaoF8=,tag:JtZUTR1hLMrs968XCGYV+g==,type:bool]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:wFz3NldV2FI=,iv:5Ng8fp4VL41fuhhfm0P66qEqzTR8ASrWkuYFyta2M/0=,tag:yMBWofWB0RT/jbyAQMET6Q==,type:str]",
-								"value": "ENC[AES256_GCM,data:ICEmhg6bryJjFbiTtc3imcyA,iv:Guwd9Pomh4j5wPGBwV8GfRhND4k0iLjqwnLrYE2Jw9s=,tag:+CHQYrQFctf2F+5c+e614Q==,type:str]"
+								"type": "ENC[AES256_GCM,data:Re7Vx/iJotc=,iv:WhumteNPIOsAxQHAmzx0/IRnscQ8D3SG1ZSKUHr4s0A=,tag:iwyoTUXKpQT6X41cfIPHOw==,type:str]",
+								"value": "ENC[AES256_GCM,data:c9Luv4x5QEBOpAPWsqFJCVMI,iv:nuO2pwu1YF3OwYQPSWbB4T/etDRSKoq7YCm2AvqqmaM=,tag:uweBEcC6GwBebD0gRJin1A==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:AA==,iv:ipL7epnJjEihal7oFw66EMAwKwTGX7lwHOkjfuZz4YE=,tag:6rzehRGqBD+vo5xAZpoOfw==,type:float]",
-					"private": "ENC[AES256_GCM,data:9vxS4Wr283g=,iv:SArMiRyLl+o1lP9xRCgpK2AFyv7P4QaulCdWvKe2EiU=,tag:rzaE0EuSIPWYEN/aPaUeXw==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Sw==,iv:OMQspzyGL09kKeiSXi3Uwy+/00gjjtrU5JDoaJDPDfY=,tag:IJaOT60jCtCHssyO1Wwvmg==,type:float]",
+					"private": "ENC[AES256_GCM,data:dVWahQF7bek=,iv:HecfqSG5Gho1tqyJNblUIxGc7tkSdGvP1RU+ZxETcqA=,tag:wEbotkk/YSd1wK5KbqJaMQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:Lkq/xlxlkd9LnQAIf8pk0egV,iv:Vra96kPhjDIaE3xCdYN8Y57DzQtIs5/IOTScemlZMiE=,tag:EAkJUjyVIIFQeu+2ahDrNQ==,type:str]",
-						"ENC[AES256_GCM,data:a3i4reJOUA25pyvb2HdtZuTU9hOw9v//iMc=,iv:0FaydkJ+0CSPb3zup/PA0NDLSFsoxQ0S/EtGizx5YNg=,tag:VnGwLatapJfheLaZRNbxzg==,type:str]",
-						"ENC[AES256_GCM,data:2FEKyZk61M2omV2GfFIfECAF/qeO2Gbtcr7pmbc=,iv:KOIWfBR/9j0NAZ9ac+tG7MquR5B6h1NlE0XXg8H/Qu4=,tag:3WCIt9XE/xk2RFIbLe9pyA==,type:str]"
+						"ENC[AES256_GCM,data:XWe0ai+Xy7yA9iUZzgFXNnXs,iv:+hXf+9VTQLSOaMC8pHq8tfv0e8uSPIn9xraBbhN9IiA=,tag:BegWgdL8JDvSJYTI0/Zclg==,type:str]",
+						"ENC[AES256_GCM,data:aEaIV4bKkGSCxwZPSieVUW8ErA8JbpQ1G04=,iv:XEIDyk0j7yPViQ+MyLdBnBrdjy8txY4iLJ5erEck7GQ=,tag:gBmWHxWiTVO9bqdR2UafOA==,type:str]",
+						"ENC[AES256_GCM,data:S03MxyaqACiHNUkCEakXpTFBkVHetoeSnJn29fY=,iv:RBb+BXENUjeLS001yLHXuYsopzTkEgYDAfnrV+xQoKE=,tag:AZKby1pPIUE0mgS+DKrUqA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:z70wC9iczw==,iv:YA8fjRDE86BB1ZZx1O9K1loiAYIdR3TIp+AoQdBoolY=,tag:Slv3WUnEua6ptH8TF/kYgA==,type:str]",
-			"type": "ENC[AES256_GCM,data:+VvmGCjhcp+8KkSWhOhpMZfIaBkrKGUXlt/cMILZiKGxZg==,iv:4OB8jIoNiliPT9h3bxi9CgjOepvjSuTxwYpwXeBLO14=,tag:g/MZ9f3FsdCSWlETJnQbng==,type:str]",
-			"name": "ENC[AES256_GCM,data:WqI=,iv:+zOuhqE12+t8TgIz6mAKwJ2pqfHaSew+Onh30daJn+k=,tag:7mhqnP3hl4sPZW6aqw2ldA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:+N+sc7S12H/baWA1AjrrFhEPWwXB1+vP8iES0uLTSV39IRoakMcP+EjpZZYiPNpUSw==,iv:/vtxZ16Lt9JmDr+KHIMiXFrZN2Zemj7BLjcj1g5mcZI=,tag:Xf7xjC9UlqV77GyLf7L2iQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:yZ5AM95Q5A==,iv:ofvGVf0W7/YXTnu0JFs5ZlSOGaARoVpNfQwruD/AbRo=,tag:LHAuihxP9D9o1t7lm5k9IA==,type:str]",
+			"type": "ENC[AES256_GCM,data:tKkPDNsq43XVdqs6CVF4kT0kAucVwbUceeMO2gQLh072Eg==,iv:KGCbGh8BQo/VOXOIBDegwflh61YccfxiZRAXz5eArEw=,tag:yXc6EiFBgjkF0mmkhbaSYg==,type:str]",
+			"name": "ENC[AES256_GCM,data:k4s=,iv:aag5bnSKJI8VfKZcgjyzLIqUcUOlRxvEkGveHdBvrAQ=,tag:34RyCir5d91Jdgu+Dp8Tsw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:qwN3KxyG6ubP/Wfp+AdENG/UjCO77G4wjawYvnw0dkYlPwQdqhwRowL3GnjcfY0oPQ==,iv:C5cozCB9nvKSXBf+Xw10M0mp5CYi4U5ZQ1rS257NrZw=,tag:ger5ds7sjs905vPbF99fQQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:zA==,iv:qx3gt4ZdvA8mLnmnmc74O+k4pKrRkfIz7M8JO3HSNZY=,tag:8JbdFvku+ALetrQ9SEJJSw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:ew==,iv:mKetwBnX242tzPdda9xt6ZvOXqXzU8VaUuuVLqHDOHM=,tag:G4Ql5Hb1eSCQvh38EEkETQ==,type:float]",
 					"attributes": {
-						"alias_name_source": "ENC[AES256_GCM,data:wErpvHrp0q8vijBak1J61CCU,iv:hz8QGNuWmsNJw11XClGeBwxuhzo9VlPdboDSEI9ciew=,tag:z8mcwOb+3VkNOaHVwjSq0g==,type:str]",
+						"alias_name_source": "ENC[AES256_GCM,data:m1RipkElfjh0+dB1ojGOa8JR,iv:c9RQ/WA9Nz6dfk4Hk3l0SVm45INKOk9+dHlyniPGvyo=,tag:deJUHL4bpiQx5vgkrCFz8g==,type:str]",
 						"audience": null,
-						"backend": "ENC[AES256_GCM,data:atW4cUaokSPKaw==,iv:HmAiDqU8y74EFMlKOiUnpyhUu9MPZX4I5SR51o04gMo=,tag:PB2er9aCca7ye0PZVdIi3g==,type:str]",
+						"backend": "ENC[AES256_GCM,data:4J8kxxI5AsXbog==,iv:cJy+utSGGaZkg5OTSFBZpfeDhiq+5zi/032m7Fs9Uew=,tag:zQeVK91ILUA6ZG3NwWq+6Q==,type:str]",
 						"bound_service_account_names": [
-							"ENC[AES256_GCM,data:bSh5A2RQ7w==,iv:5IfnTL9IOzvz3Y5tHM4N6SmhWueEKhCliHsjm/pp7FY=,tag:uXU0LOUxEzRs/4NbBYEfsg==,type:str]"
+							"ENC[AES256_GCM,data:N8jG02cCtw==,iv:C3ivRE0eDLoqXBCYpdYIxPvQL8J2vYgmzLp0OdJYw5s=,tag:ATRunsSbZMt9uZjXQladNw==,type:str]"
 						],
 						"bound_service_account_namespaces": [
-							"ENC[AES256_GCM,data:PpDPU+4/zOpVVw==,iv:debUZemQ6/hlsPzwKPbRBIW987L8wXgyV9CM9aLJTl0=,tag:+z9Djf/c7mMS5ZvKucm+0w==,type:str]"
+							"ENC[AES256_GCM,data:nL2i5V2jtJFp+Q==,iv:uQOGVfSy25oRX4fpVGKlIxuOKOjmGfCLoUso42/AZNU=,tag:zN4LFBGeV/vHi72722Etkw==,type:str]"
 						],
-						"id": "ENC[AES256_GCM,data:sV+jsQGHVTKW2HtU9cb6cAjM1WwAXso=,iv:wvO8f6SXR6/rNQiFlCrGClx9Aou3geJpobzYYqn9KYs=,tag:N/lmBjQhVjVNQ8mr+oABJg==,type:str]",
+						"id": "ENC[AES256_GCM,data:8lxWu/1eJIky7UdwQscQUeb6fxe5DGs=,iv:FjIEeeF9vNG3D+v8Yc4m12LTqYN7F15sq2DNvk/9LiE=,tag:i0PTazZxAVwrr13RlMdvTg==,type:str]",
 						"namespace": null,
-						"role_name": "ENC[AES256_GCM,data:+DY=,iv:eOVJyl3aogB4YSrpdXv2EIBiNc6+47ilqV2nmLUn4Qw=,tag:eeSOJUgPGmrKxzBG5Tq1CA==,type:str]",
+						"role_name": "ENC[AES256_GCM,data:BLI=,iv:Owtw3oFJG+RzWvYVXx298sNpwzuexAF21i1SDf82aj8=,tag:pIGvXDYo9zEi0RTlq2yKCQ==,type:str]",
 						"token_bound_cidrs": [],
-						"token_explicit_max_ttl": "ENC[AES256_GCM,data:Zg==,iv:vLtEIgNr3rpisV9N4C8I1TXs+++IL8dpU0mX1YOGmDU=,tag:znmX+sreoShfxwBCw4g7NQ==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:mg==,iv:ImNN3OEG2hGfYPfLDbeUmCqEZ8simbBGEcxJTcHcdS0=,tag:+eM0ecRku5EaLBjrCa9iAQ==,type:float]",
-						"token_no_default_policy": "ENC[AES256_GCM,data:6rxIkgc=,iv:V9u0KZ7vn8LiXMMEGq12JDUv/LiD6ADbVZvF+TMNOQ4=,tag:60/4khGsyAmcSns30Azw1Q==,type:bool]",
-						"token_num_uses": "ENC[AES256_GCM,data:CQ==,iv:yfulqzBKYiw5ZtwrCuX8ksFz/ZLjmqtYKLrVlgDYPcE=,tag:Ps3WtROwyehBhOvBrLZG1w==,type:float]",
-						"token_period": "ENC[AES256_GCM,data:xIu5Qdrt,iv:wnV2qjbLNVFDYuMPsq2WcZIWszxsoWH8DAb/vhGUH2Q=,tag:E7niFBOkSOaLH1MefdKKWQ==,type:float]",
+						"token_explicit_max_ttl": "ENC[AES256_GCM,data:GA==,iv:lDWys4XYWvJjLc+orCQRY7xwaSLiv8CidPiTcV3z3Rc=,tag:cgeSB5VPWZtx2m6b4dcV+w==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:4Q==,iv:WlKyguquILKIZFZ7TpluzfwHxFOCxoFxb5vdOwSPBEw=,tag:k+LCra7yoXIuJGdy1IJowA==,type:float]",
+						"token_no_default_policy": "ENC[AES256_GCM,data:7VNwLmw=,iv:W22vbrr1TX3OematZ/NZ7PlBaoyi6vq4u2OkmRuxCe0=,tag:00SJYhreOFa7hGHAp1eT8A==,type:bool]",
+						"token_num_uses": "ENC[AES256_GCM,data:Tg==,iv:vuG8eSlGSsbPxkSglzHPpHV14fVj9RdyuZzTCL5PDCs=,tag:+eb8ULViTmWwtzQnnI8Pzw==,type:float]",
+						"token_period": "ENC[AES256_GCM,data:wylE/I7z,iv:5M+5Y/8gymXdwjbOLjqohGGkrPoSTfjcvYWJGSRsmvQ=,tag:J8TgaD059mm6NloPqrUsQw==,type:float]",
 						"token_policies": [
-							"ENC[AES256_GCM,data:y3M=,iv:NwxeFX7fdCFYbQwOTVkM1hd25cPQgfXSQ+Jictb0iTA=,tag:u5ERrQXYi9ZtpesQIygArg==,type:str]",
-							"ENC[AES256_GCM,data:ZLs66KRmnnMyXOoLBFsJ,iv:GUBrBeyGoablqVjiVDMIYg81XJ+M/5MubgYDqvK+EQ4=,tag:v/25Q3UOKS4bXgNou3fM9Q==,type:str]"
+							"ENC[AES256_GCM,data:Baw=,iv:Rc3rju116RrfpZgUaE7lcFpG/xfbKzmvZUHJ+5dA3fU=,tag:q3QlbohuQYGfCkd9BOf3Rw==,type:str]",
+							"ENC[AES256_GCM,data:ZK6ACK9BGqUHU0pPvD9w,iv:uoY2a4bsoByBfa5cYXtAS026L6wLWajLqnIbUOGosIg=,tag:PnEOFdqKR4V3bUfTCU9LXQ==,type:str]"
 						],
-						"token_ttl": "ENC[AES256_GCM,data:6LNKc9uh,iv:L5KZ4OXVcgkU7qR1dyhC/s0kE7FZf60oGwjg8WA9EGQ=,tag:7InY1SDG/06cIVRUOO4/hA==,type:float]",
-						"token_type": "ENC[AES256_GCM,data:ZmCGnwffdA==,iv:pDlmRCVxq3R7h8QKi02iUdC+pZIKADHPL+8KKDB0MAw=,tag:Qjy4JSI9Ng2iB123aeuJgA==,type:str]"
+						"token_ttl": "ENC[AES256_GCM,data:NwM+ZXyO,iv:Xm5CKUVP/p9uV9/07CJt6qH/32EKNlO2FO9kTAvsQXE=,tag:xOUqqazEfi+L94pHMyKrwA==,type:float]",
+						"token_type": "ENC[AES256_GCM,data:8Cu+73cItA==,iv:XFtnHuALCcTCbwWb8Dv3u1OQInGwYwuLT0qEKuQOCdM=,tag:wj/kNHXiHEJa3AF6Mtst7w==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:0Q==,iv:ROoi+kqiVV+ARYgNU7J+Zi9Zu7daJrmZ8COQ8vtro78=,tag:UVfroXjgthIkIkQp2KPDZw==,type:float]",
-					"private": "ENC[AES256_GCM,data:f8DBNhtXB3g=,iv:Sn6pSUSjuDblM0igA76TeBVSNWMntsBZN3Lfhr/3MlM=,tag:xMEYwmzW/nSX3ilRFhVnAg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:SA==,iv:G7hupP+fHrXExb2nOd2o2oAngqX8uHkpnBn3hpCItrQ=,tag:GrS6dveerENhePUiGGtFnA==,type:float]",
+					"private": "ENC[AES256_GCM,data:CXYHZR8seig=,iv:n0PB7F3rr8ku6cmN6GFyrh/Q2XrtPhjEWzwYebAFuOI=,tag:CypDLa+Bd9jmkC144TbTcQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:zf/Mpd75kgT6w80CJSlckzWY,iv:IiRdf0QQllABKvvdizvue11OElJcxTukXzm72/AJnis=,tag:hkb2ZCQCW6EF/PSi5cLw8Q==,type:str]",
-						"ENC[AES256_GCM,data:RiasfTM/izNhciXdDdSUF4y1SHc4mhbEj0w=,iv:OYdTSLSJTsnqpXku0O5wjnGE5MvCUqxhLpsKvpGj2BM=,tag:LqJ9/r6JY9CSAR9mQtGGJg==,type:str]",
-						"ENC[AES256_GCM,data:WLoE8JTBlUe1V+x2UdAGW2QPYZNaOGS7FqOidhQ=,iv:muvA+lrVZfsbFyjgVn/BcXdYIY7fG6wrt5ckFfa0Jac=,tag:CzMPMEeW9K4WrilGzq0TKQ==,type:str]",
-						"ENC[AES256_GCM,data:W4rYLOsP8AcxxOcoQri9,iv:+u6rXIpEMMezsiSaz4rejUycSrjdiU++C2+yA5+D4FI=,tag:JhJxfLcNOrJhMm8nRVGohg==,type:str]",
-						"ENC[AES256_GCM,data:G2YVndrJd/Wstt2vLJ0ovF5P677g2uzfgDn1hw==,iv:052jm5PqSPDuywiN7mO1aouxJHMWcGn3WjVBDxJwk2o=,tag:7z6BMx+qIPKZ3v8BgIZP/A==,type:str]"
+						"ENC[AES256_GCM,data:96shubUUD24i20I2AJCfxbvK,iv:Fe3G3h8yWm2F68LuAuykP565TelEAmWsLslhKSuVrdk=,tag:hgSP8ErxNEWYg11/lqYtmA==,type:str]",
+						"ENC[AES256_GCM,data:kOV/vNLj/BgF/hN0fve5Rl8flNmTyCrcpoM=,iv:SdYp7Mw82LhAxIiC/wF2kfGrWuMInpBpdvtyHvYoDd8=,tag:R23DyM5hM3DG/sw/kylSxA==,type:str]",
+						"ENC[AES256_GCM,data:DKlff3jZlTmFIjPcOSzc8tqQHVeIkEClX3WCxVE=,iv:m5irq1b2ttBr3DO57wSAtPr465vW2mKgNGE/orKQBZc=,tag:WoeGpnIwFaznHCroxN2FIQ==,type:str]",
+						"ENC[AES256_GCM,data:QRPH1+5tDT605WLZrBTt,iv:jUUfvFkQBWdNr2aVEEbIA6b5OGEW40kRhtvmYQlgR0Y=,tag:WFdclx1FJcPYa7QrC89IfQ==,type:str]",
+						"ENC[AES256_GCM,data:NzkdCcSnT6HYGTIELX7oayO0aZFALXPY1pKyXw==,iv:MtrMfPJjBzuRUfV2nnA/VroC2VXVXmRJeb8gOIddFJY=,tag:kMCBoMyWJcROBpvHM57lpg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:OYC4dWi2Ng==,iv:+bYOlMNJdTKlBCNcuu1Ob0v0f0YshOD8J5PMWa3CLBw=,tag:p0sUnxwrq1snx5qjSlV3HA==,type:str]",
-			"type": "ENC[AES256_GCM,data:w6rsza8SJD8uRcHws/iIyVco1+Mau4r6RSsRMIE81Zi1yQ==,iv:A1B+z/jZ0t/BWzAzFquJ8gLkxIqp7wIpBJxSlEMZPkk=,tag:+l9sPbmkJ2+7Q6HfXBOuIQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:HSvK,iv:4lXm3fObvpos8PzRQ5XGqEEbuT1ITvgCjRTtIor9z7Y=,tag:C2DvCgx9ilinNYI1tud/qw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:Tr26R9yMgYOjRSZInqjzXZ5oPPDK6u8IfsZtPpV3izKWhvze+kQTezBItjuvmIKi1A==,iv:m5LPC4TTpmTjS7VKKgye2tAcULb9sJuN1W6vTvQm3+g=,tag:63bah+UnFxatK9E5S/ue9w==,type:str]",
+			"mode": "ENC[AES256_GCM,data:azL7jjUDcw==,iv:9hCP7B3gijmiGq3wu7BLeWxALap5wI6JyNreFTrT/d0=,tag:XdwrJS8k8yxH0YbKJe8ZGQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:ezMVaG6nPTjaQbofYpFvXkAN/3UAw7ysfK/4VrZtKv+bYQ==,iv:C5h2M58g3dQUo+Zh65KcSuVPVTRwrTnNfil7XOUGm44=,tag:cnxDy/e5GVorcKJL0ZZgxw==,type:str]",
+			"name": "ENC[AES256_GCM,data:qLtj,iv:YKbx44ZBNpw8ndulq+gR6cZo64SQMkDlGssZCx8HS2g=,tag:xM/dqUW3EN/WFpOMWpcvWQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:oYubfdBVUnMH8Ojn1nPaZyksNQKu0j77nJW07zt55HDSjXkPVvt2la+NMludoxbQ+A==,iv:1yeCkw2SOUhpzkJgHkV+Kt0mLzzLxRK7Ky9A6uZHSvs=,tag:JwlZ6Ercjg3XoeMWek22ww==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:hg==,iv:yLX+LRTLV5jLc+aub6KbU03tTUDrqT9UxP1x6SKX5w8=,tag:Vipk9KJGZ4csA2g/0Oebiw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:WQ==,iv:dh6oQWa12xxkBFDFABsGGtgjR7VC6IfE60fDc0eDGRg=,tag:EpOFXEHnfHjTfEJG7zO1cg==,type:float]",
 					"attributes": {
-						"alias_name_source": "ENC[AES256_GCM,data:QGmVcTmkKZ039dx8siDn371x,iv:tkeZV+hrU395EEx1pjLwUO6tHMm+EttIfwUvB5CfRWc=,tag:NRMmXK6PPBYRefFh7jM8mA==,type:str]",
+						"alias_name_source": "ENC[AES256_GCM,data:tfhUqZVfFrkNq4Q92VVDjcXV,iv:a3Ynj8nPg2s0BawGAlmSDJF7F43B/TA3XCZrScFzIZo=,tag:8QFU8Z0VUxjw3KaZDLVJcQ==,type:str]",
 						"audience": null,
-						"backend": "ENC[AES256_GCM,data:yOpnCOAuXFDwbg==,iv:MaCvG1A+AZEWAodvUpTo1YOuXYVjsAjLym7B51UqCVw=,tag:5R5Ym8UtGfljSbk6hHUFow==,type:str]",
+						"backend": "ENC[AES256_GCM,data:361ztpBa7G1JRQ==,iv:nAwJ8k/xN3H6uiuVkE8E2tYfNsj6OCAa0vOaFWrDRvQ=,tag:k0R2CjTtCP+go+RXbZkWUg==,type:str]",
 						"bound_service_account_names": [
-							"ENC[AES256_GCM,data:w7ILuJ+A5le/CLhZfu1gnw==,iv:KZcubWJUqW7LCqtS2ysba+hNj7gOlUs/IFoMd/aZ6/E=,tag:S+YoABHvO4MDOU2hrzASnQ==,type:str]"
+							"ENC[AES256_GCM,data:5VVyY6IybQQwpyitIUitVg==,iv:VLTFwOVFvQM5VT/XMf2Lt1J54hjDpI8Qj0cPPNLOHGU=,tag:JqO9za4fKZaQ/OQJOg/5NA==,type:str]"
 						],
 						"bound_service_account_namespaces": [
-							"ENC[AES256_GCM,data:8BBKA1qDJ3MbkrsK+gIgEg==,iv:P5ZLtDp+IIP7WS5L8YlIeYqMZUx9px1ppohARbXnFTY=,tag:f3T2HWT9KcMdbKhirhbJLg==,type:str]"
+							"ENC[AES256_GCM,data:O+ZQaUOnbRWM+fJ9CwpfWA==,iv:cWQW2neeeUdz2JEkhynaZvWQ10/fOduIpuR8LxI8LB0=,tag:lrmtHIB9pKYoV/Om0V1cGQ==,type:str]"
 						],
-						"id": "ENC[AES256_GCM,data:NS6ajPVFNnsP0tBVIsxt+p7iTTQc0420,iv:CQ5U2DVJHLJqbrtMmX6CTXBPNTR3iYs08g+Alox7zCc=,tag:Kv4fciQVrvBN+NtOt6qkAw==,type:str]",
+						"id": "ENC[AES256_GCM,data:pvQ1jj+DM3/T/BDTxAWWRAZ+wopFpVPg,iv:YWhj42GW7mbEWz6/2I+J6T5xbha4VKjVhCFrwy7dcJk=,tag:9G8XnZdsU1l86VK/5qpqtw==,type:str]",
 						"namespace": null,
-						"role_name": "ENC[AES256_GCM,data:5Rb1,iv:dEMHPJUA90Ne3/SO+IVsiHlwEZdtYyOuLrb6RuDwWaI=,tag:VbUAcoArLUJ3ycVGlItfng==,type:str]",
+						"role_name": "ENC[AES256_GCM,data:66mM,iv:e+0IyfgDPLiESgmV3nX0xpLj/3Oqnd/QHaTw6ZAnesQ=,tag:Y9j9SGHoiP+IHuKn9jj1fg==,type:str]",
 						"token_bound_cidrs": [],
-						"token_explicit_max_ttl": "ENC[AES256_GCM,data:zw==,iv:e9AOIu5PJGCjWrvaCEG//som/m1CTy3y7vESXDNFtA0=,tag:c39d4CqviyYcqJYckcTYJA==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:ZA==,iv:R4FbgDMkrWi0jNMBW/MHmdim7VhfkMsjuasds7lGnx0=,tag:6IAAwW1nSf1b9BMuXOqjcw==,type:float]",
-						"token_no_default_policy": "ENC[AES256_GCM,data:w0wc6Ro=,iv:eTKpbX35B/yPbu9OSDjRIWIujxDeWdz805oGn6cKr60=,tag:CQpg5o/m2w7gfHJ7wMyMKQ==,type:bool]",
-						"token_num_uses": "ENC[AES256_GCM,data:rA==,iv:6RK4Xs8AI/TgcBOIEy+0c8dYK/SQs6R6wls/j4mZDzY=,tag:ellb/KrT2kzXqyHOE634Vg==,type:float]",
-						"token_period": "ENC[AES256_GCM,data:uzXbWLZ6,iv:0XLbBXQ7PGDE4nWP4N8sknpAmAeeBIKVH8U47ouARUo=,tag:EU0Ca+azdW8ISaVNvGxuGQ==,type:float]",
+						"token_explicit_max_ttl": "ENC[AES256_GCM,data:pA==,iv:u9QimAoqXVn4vyj937YfaVUEXZOCEKN/KUFCfkc/9Sc=,tag:Wrpxy8BVmOWBxLwTzp7lwg==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:0w==,iv:H/r1iFnOjMVQaJY+pjL2J7ernXrsMjmFEXIpXRGlv04=,tag:p6NaQEgkUNkEGi5MupsycA==,type:float]",
+						"token_no_default_policy": "ENC[AES256_GCM,data:2WMXI1I=,iv:Aumal0xp9/F63EUzvOxbJGV3mWeadL6ZziuS5e2l3vg=,tag:smJ1jFNxi2MtV17+qy+fUw==,type:bool]",
+						"token_num_uses": "ENC[AES256_GCM,data:aQ==,iv:fg6/XZ7KBhsHjBcjL2wrrrH85ZRZQgYy1cjx27aCerI=,tag:9UdIB8lsKpNNkVYQneVRcA==,type:float]",
+						"token_period": "ENC[AES256_GCM,data:ztdTNk1E,iv:BgIpNm8Dz2qxu8QxU0dLaotWViVLLAbNELxCoQK/Ojw=,tag:LXTRovkyT0wd+bB92m1t7Q==,type:float]",
 						"token_policies": [
-							"ENC[AES256_GCM,data:7uBXDAICYnOZRw==,iv:ZbK+6/JnUfeJyF4fyhgmGiftPEoKUAxYQn3w7nvH+8c=,tag:1YnOWNsWYVfTNnnT67G/Fw==,type:str]"
+							"ENC[AES256_GCM,data:oQvbAgO8EpJRBg==,iv:uHSX/3pkkf5dQ91c/og8ggiMb8bQjpoV8UnmaBuISq0=,tag:xbjSoPFC+VmErdAxFcEfAA==,type:str]"
 						],
-						"token_ttl": "ENC[AES256_GCM,data:FSUS6gta,iv:4YDZ3YZDF2OVkpJpETOtVbBtEmNLECHQjB25Ktzfaqs=,tag:o6GddBUxrmHMT+DSMbwCRQ==,type:float]",
-						"token_type": "ENC[AES256_GCM,data:UKOm2El7WQ==,iv:j9RISQ4EK9YTOuisziYBmxoKTjqP3LGLmlDQzwaUq3U=,tag:EdbZxjrnHreK+k7pFLvA7Q==,type:str]"
+						"token_ttl": "ENC[AES256_GCM,data:gloLDMKK,iv:uMqo1qvzwdwq9MgNWhOnZG1T0urWRoA5RGikiCB0w20=,tag:g4JQtDeJignXEENTwUAJhQ==,type:float]",
+						"token_type": "ENC[AES256_GCM,data:CTPkwO21aw==,iv:s4E0OuobWMofo4/X4n/pLjN949KUhvD+xGRyWS1fWv0=,tag:FHyn4UWl1dvMFDdhy/tQZA==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:KA==,iv:bY+4kuIsYNdesGSzaQHpHpZSVY/HnMxUrxbuhi1ut8Y=,tag:rUqRePrqc1XmYbbH80jUNQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:7QaRPERMn7w=,iv:kiAjcbD4SXvp3bNSHxLR5V2CKl1zj+/HuK0pY5GA2bM=,tag:zTvNJsDd8SsI2UTA6aqJ8g==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:2Q==,iv:X92EVoTYBfOVe0W5X0NX3ZP/yx062kL1N+58foKUALE=,tag:Cj8IXvNiRBkFDXSPb9q2aA==,type:float]",
+					"private": "ENC[AES256_GCM,data:BAKYNjaZgDI=,iv:E48wjI3q0Lyl9Jf4fU/HFOfPQwq04zNqcBgLj7UEcv4=,tag:XFwDBV8nOcAeSSdc0YEybw==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:qd8tXoTmW3z5YqUsuHw9joam,iv:Bu6T9SOlSGTlMzPIagGMt799Gyf9MReiWLhszIpDSCA=,tag:Rnv5vLXQmBZSbMBEsArCug==,type:str]",
-						"ENC[AES256_GCM,data:xBIbfXbLXCNgJirglxBQcC8AreRWsAeWeLk=,iv:zL6a060aaxMzR/dIYOlbTGsx9cL36wIJjItv32I+qdQ=,tag:Mcoldmtkwcbbt4euDyF8qw==,type:str]",
-						"ENC[AES256_GCM,data:89otBRTuf0JkESUeNc45OZjKW+atFq3J2hA0K7o=,iv:CqAGF0tcKtldMZwwTbpZwwwY7wDkAafYoe0j1XHK4OE=,tag:HzbJeoJEdq9a9XrYS9LVgQ==,type:str]",
-						"ENC[AES256_GCM,data:HKUfqZWp5CY3jku1tKyylUmgdW5OkHU=,iv:U0YcOEEl23/WMSvY/qC/BfYoT54D9UUAV1UX0Y5JG64=,tag:zJ3r4+ySfKUg1qt/WpbTPQ==,type:str]"
+						"ENC[AES256_GCM,data:HuYSJ6bhHti72ijmMoowEgwo,iv:dbltpAXFYck2WAUbsvkwWs2dP1GfrNh7yn5CFKveQR8=,tag:xZaI/GUNSTXTKDEiA7NJpw==,type:str]",
+						"ENC[AES256_GCM,data:x5VI1vR3gI449UQuET+5+l6O2iy4xBEeWfw=,iv:xBoDHBgnrCOVRlXsK7wcXVVV5BiwfRp2t1ruJVLH3iU=,tag:Ttw8jRoI98d+blH88OkJPw==,type:str]",
+						"ENC[AES256_GCM,data:k7YEQkPPGVd01REAk94u79UXutG9bOZYvF5wDwI=,iv:tsaZdXOqut7+Sgnz8OTnqWqa3SvNIpd5tvEs3l8MbGA=,tag:5m5zTr3eplIspYzw6GnOKA==,type:str]",
+						"ENC[AES256_GCM,data:CoRQFlaQHM/mYsnIqSnffrFc2kSlflY=,iv:HWWD4CtzXZp4+hWcM6y7qU7CC5DdG9fh2G/NThTs6z8=,tag:JaBj515AHOgVP8DgjER8aQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:9ryXCBQD6w==,iv:GXw8N3vRbquUWWGPS3wVhqZbm5CaeAJx9lIG8TiyXKU=,tag:dE49rYTFGco4hnNZUkWp8w==,type:str]",
-			"type": "ENC[AES256_GCM,data:yRgAOGg6Vud2692AMi5HPKWD+289joUK+ySfic1FoNPxvw==,iv:EfxSK5ZSTLGhokdFgdfYTiJB3pNPbEiUmIhdvVoPk1M=,tag:lzL6VLYLoctOce/zvbx3FQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:oHePHEh0pv4=,iv:6sO4gWCmSkPVxRYc34x3wky8xg0himvZBX5cPZo5hB4=,tag:K8/AWL66jLuE9qPpGitszg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:+HW6R2qa833esCopgIlq6ORqkH+qVBnbSvxPsxe04OTtiXj3+JfWDCUfBcdUWjyGXw==,iv:plA5yP+xcq0jI90kHK8n1KrxW+6XI+qPyzdZXHNG2sY=,tag:+Q6H6cqR3biO6cE+V2T8EA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:D8TioO5BvA==,iv:vvIdNzOM2vX93GoJgv8tnRDyUruI9yQ229mi74P/UFo=,tag:zz5lYo/IGmF8o6JptvO5HQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:d8999YO1meC8EXh6wN6UcajdLq2SWCtwvJ48en89mHt8gQ==,iv:BU+aQ+ps/niPeHJay2HtiQhSWG1MNXyA7axwiK0V8lg=,tag:L++KJeA8N+SecDzP98fc6w==,type:str]",
+			"name": "ENC[AES256_GCM,data:D426DaoJDLo=,iv:Ccxrl8Fk2nTavZePzOgmIfnl9GRwS9lFrq6dfwbW3Yo=,tag:VXRV8o7yv5W5gZAOIrHaAQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:buJp4LRosqFME/i5r69aoIoMQd9dlAoCP2yFA50glO+erBvZnRg9tH/QBxv4n/AC+Q==,iv:l7ON44ojJqJsgcG4p5cAmAiFy60/Ih5xHhIALWFRXK0=,tag:Znm9BWevhCLd8nADxj3r9g==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:RQ==,iv:76lGEWwkbHxfuJzbRrrG/J1Eu6ieUaSi6JtRJnLGFVw=,tag:KpWxS87cmlPxK8KczBdyeA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:2Q==,iv:Y3Foj4VapuGn/qjwqyKAJedvCIdQUnOLxIo2en5MnrM=,tag:kud9zrpsv/RRcOGFcbXTkw==,type:float]",
 					"attributes": {
-						"alias_name_source": "ENC[AES256_GCM,data:Abpl+CRyBegp+Y0oxIcVEdKb,iv:InKYzq2EZBneMURODr94CB0kL7Xvka0iOSEI2sQ6SBs=,tag:rsgiElEutGW7ircqNqYeKQ==,type:str]",
+						"alias_name_source": "ENC[AES256_GCM,data:X+N8jNcSbnsdVulHlXnVuUit,iv:0q75oAKxGcMr2Fi/Q3Elu0GbPCrqI4++RvvZwZ4+frU=,tag:bvNSR+zlI0B3xR4HfhRN/Q==,type:str]",
 						"audience": null,
-						"backend": "ENC[AES256_GCM,data:xxSdN4AVde3c+A==,iv:QJEncEFCiWIXpeTqipfXkbdpLEi+qnoJyUYtbjCAAe4=,tag:QvU1d+LptU/9fd1/Yk93aw==,type:str]",
+						"backend": "ENC[AES256_GCM,data:LWEya0D49+MDtw==,iv:R9FKDu7JNtNtmczi+ZEVYOABCmr6h9A3SwTZbB67/jk=,tag:hXMbUHD1eNhTLX7QyZEijg==,type:str]",
 						"bound_service_account_names": [
-							"ENC[AES256_GCM,data:nJ14pFsrhhw=,iv:bboF99RalrCCcqT8Qtz4XxL1HxW+MtaBm5RlPpu1ASg=,tag:FuC3b8kvzbB4JkviCWXGmA==,type:str]"
+							"ENC[AES256_GCM,data:CCzYFKzZNyA=,iv:KyEsp+dvg2CzVlxsETzb/Lr24c1Si3xiUf+8E3IJbgU=,tag:8Rd0YhTIBTUbC+XTe4Gmvg==,type:str]"
 						],
 						"bound_service_account_namespaces": [
-							"ENC[AES256_GCM,data:Vpm/fArEuX0=,iv:6xr8HSUQYyiNtI4ffshKpIvgWu3Sxic7maM2xHvTENY=,tag:g5bGOnN3Y79jdUPG8+tmZw==,type:str]"
+							"ENC[AES256_GCM,data:iQ5/69JQOvQ=,iv:3q2TcGNPsyiVXxaUDT2SA8AWcR7RMuR9tRyscCS7D6g=,tag:xLt4RqixEYbRvVeJh/MJcQ==,type:str]"
 						],
-						"id": "ENC[AES256_GCM,data:HWoxNA8VHjBgnv8msG352R9yPfQ3zYctMhRGPXg=,iv:GBeB+g9ZmK5tLUQjD2elQuCUbHNqGgN5UcdFCUgnZyc=,tag:sydfRdQ6SKBAay5RAiee/w==,type:str]",
+						"id": "ENC[AES256_GCM,data:TEJuxDxVw8fSiS7ONafF6Ql/+u0kRuAad2EolSE=,iv:OtIiHt5jJkt65KKAkM1uElfJVaJqnju6lG2yLYgW1mE=,tag:B6sC2kKckmlw1iKeW9huhQ==,type:str]",
 						"namespace": null,
-						"role_name": "ENC[AES256_GCM,data:MRnv0Mosxj4=,iv:mYt/M2Ttd5/ujyWrGJFK11xXQHkwH/IJT3YuUtk6VSM=,tag:aUM3iWkogvfG7a9Ka2/3cA==,type:str]",
+						"role_name": "ENC[AES256_GCM,data:/trwCPeflW0=,iv:+j3BzEXnGmY+/dmu7kRvYcH+gII6pduFALrCefaMU7Y=,tag:N6hcaqb8oO/+/6cDNSPsBA==,type:str]",
 						"token_bound_cidrs": [],
-						"token_explicit_max_ttl": "ENC[AES256_GCM,data:MA==,iv:puWyCZNQmSs2a8aAn2KM1SihJkoMQO5io0xNzlbjrRU=,tag:G+Cpk/YcpTRfT6jQZIDItQ==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:TQ==,iv:hmO+bnyhq8P0PGQWsFePkveY5kpFzYM2Nz4c1TFf8fg=,tag:ySq6MpjvFD6lOU2Sy82ZJw==,type:float]",
-						"token_no_default_policy": "ENC[AES256_GCM,data:t+vxj94=,iv:1AvNe2xg1j2+UdOIshZGTLHGlEudpoaDknZtg7oMMk4=,tag:Crx4n9BuDc0qq9jwLp7MKg==,type:bool]",
-						"token_num_uses": "ENC[AES256_GCM,data:1w==,iv:RxfeytylnFjDopNFbdi4S/tinpCBhzN+ekPQcAlT4BA=,tag:AkVqCX8aM3eHDLvo4rK2nw==,type:float]",
-						"token_period": "ENC[AES256_GCM,data:luXnpVgf,iv:FWYiBdllaMXdZii6zNe7KH3kQP8Jf1V4M3dGW/UpyI4=,tag:6Ifq11NwevodJP1TmRgaXw==,type:float]",
+						"token_explicit_max_ttl": "ENC[AES256_GCM,data:MA==,iv:csQsFYMGWUS1KHtwp8gC/UBBj2+bpcyZ3CqusLmLk8Q=,tag:KnMNXgD8t2TdCEGSlT2Exg==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:+A==,iv:jjQdPJM4RhSIBcejMlYH2EDaujem2hk62HoHtlG5mz4=,tag:OlFh77rs9SMr4vu49zR0+Q==,type:float]",
+						"token_no_default_policy": "ENC[AES256_GCM,data:g7fImC8=,iv:C89k1A9V5eSggkkIlvJIApJK+Xp1iGxII8AxhxQe7sg=,tag:rXvhGdnXnJDXIAPM28NbvQ==,type:bool]",
+						"token_num_uses": "ENC[AES256_GCM,data:+A==,iv:3riG32IgtWB+8Q7ORDefc3rrkgQ1DDy99wYcJ/59J1Y=,tag:jS3qyQnSlf4nhxBxoquHow==,type:float]",
+						"token_period": "ENC[AES256_GCM,data:v5OQQnVM,iv:YhX2ZQ41vgObrckpZtXzWxCZxdFxwnHymokBiucjt1U=,tag:UHkfXmIqoH/pk1mkOCWn8Q==,type:float]",
 						"token_policies": [
-							"ENC[AES256_GCM,data:LnFhrAjVzrU1l015,iv:g2GUkfS4Lb5+bhiREqTtYays1+qLZGDvbYcU9o0AABs=,tag:RC9xIpdrA50yC9+lvsrgeQ==,type:str]"
+							"ENC[AES256_GCM,data:+Q/wsHKPfTU7XhmX,iv:EPRka/5QFixPxgPveUZP0BhMw6sZFHRc85nate4j2Rc=,tag:Ay7o1LDXUrnwlxUmM+jdaw==,type:str]"
 						],
-						"token_ttl": "ENC[AES256_GCM,data:WNRWSOrl,iv:c137WqrVro37X88dyjMDZIRbXRxvpFHa+1CAUBepVDI=,tag:y6vUS7ONRfC5GpiYRoFTcA==,type:float]",
-						"token_type": "ENC[AES256_GCM,data:L/m7OEXMVw==,iv:lcgosnKZ+jLecf9GuG+6tutSgLzYSTFtd8Dev1ZvLrk=,tag:uB7Gr0GJRBjGi6RXQXMHZQ==,type:str]"
+						"token_ttl": "ENC[AES256_GCM,data:ZYLfdUDH,iv:nP9bh9BUNubYH6qCii6ZfeP5gDKP1gBe3sgZhV7N7co=,tag:jBfiCHKPhe33DPq9C5cX3Q==,type:float]",
+						"token_type": "ENC[AES256_GCM,data:TXwXZX4moA==,iv:GHZqUfbuE35tZhpKIwGNRbO7A3ExLjw2aPTqstjiH+c=,tag:cuPbSzpjdv9pckZGkebIXA==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Nw==,iv:j7ViifTlD8jDO0U4pFOvjtGgDk1GHCRy/7UttUmAhZ0=,tag:famx3Uzjb0H90PbJ41f6iw==,type:float]",
-					"private": "ENC[AES256_GCM,data:KBcGBBnTi4w=,iv:okAbaRjb8l3Bgh7g9J8HrlXrGFh+VuIgAWBemuo8Xe8=,tag:R5jVcf8PEZIs08kueeQKCA==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:5g==,iv:Vm6ON3oQ6BVnv5AvtkpPF9ex9DPMBMTWYhQHpsuOyoI=,tag:tOf3f4e8z2Vltu9llG/JAA==,type:float]",
+					"private": "ENC[AES256_GCM,data:fXfoSSoy8MI=,iv:9Ea0J9FGzC5WVHp9ZV/aITlUxfyNfGTbQcf6KDeby3o=,tag:NTtfMtm8Kj3F3tzZ8UQp4Q==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:xs9RcEcTYrM1ax0ALfyfocHB,iv:JbrSRDkZ3h0RVyvWRm+F7CBHPM6CwDFwjohdvCBYrs4=,tag:+U1Ns5qvGz28DKvSSoOpdQ==,type:str]",
-						"ENC[AES256_GCM,data:N1oqUac/jEhV7T6yxsmEDIKSYvx3JwR9cVI=,iv:a8+nfSlEhmi5eH4uHZsl50WrFB6iWQ8Ku2b/B1JQYQA=,tag:WmRLZUJsV5uJ+rOaJE3tIA==,type:str]",
-						"ENC[AES256_GCM,data:7lJoNceneR3mh03wWao7ts4etx7v48Ac7QbRkNc=,iv:aPLoj+ZE1dd6iUKZZpY0i8DF0kzt+eEZksquS0KJID0=,tag:xzYAbe8jPV/MMfQUbkbTKg==,type:str]",
-						"ENC[AES256_GCM,data:IfFFsbu7T11uH3x1H4unbQgWQCsdH/A55Q==,iv:ELLBGNBrzto9+/lHHZr5tLoaTSIkOkR4Bqr22GWxJZY=,tag:a1d1Ed1t+sVrkAkWRMoP0w==,type:str]"
+						"ENC[AES256_GCM,data:UOq3K5OERf/JX3RVmi7zECDe,iv:p/ERQmsyC9VHorJrmXKFJJ5IZ1+PJtbjQKRKsePZONM=,tag:pbR2m4LUkXQDuwV2HzeUXA==,type:str]",
+						"ENC[AES256_GCM,data:8kzK7yRt5lUDkfuD3AtaBKGZJDa2sAxvj60=,iv:jNe5iHOH2yXpU6XjwPK/wS2YZwLegG9YQUkVAfN4jR0=,tag:3Fz2N6Cn3TdCuehIMSrj9g==,type:str]",
+						"ENC[AES256_GCM,data:dZS4FKophXHgwRBnz4eeoFOzYL+EQAtWHSdNqFY=,iv:k67dVCE1z+ksdPgTtRQeYpKUXaw6M7j/imIFloUF7Cw=,tag:iCBzFAyM9R4yMW+IK3aztA==,type:str]",
+						"ENC[AES256_GCM,data:XMjpjU7HsFwnovM/rADJCFfYV7H5mURhvw==,iv:hTAuXkJjhFFttG4oK26nGA2HnfKhJIdAIIEFEcXtfa8=,tag:A2WdwNyNFWfHMmgqAdND5Q==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:jQihvTaWzQ==,iv:MVCcDY95FLIiXLFNNebbk/hlwIwGfVeBqPXHRYCqV58=,tag:A5DlW9T0XEELKYNIoLLwxA==,type:str]",
-			"type": "ENC[AES256_GCM,data:9lBZMeinCYyjbc74dBWwassz5caf5xQFYNXGwOL5iq6Y5Q==,iv:ICMHQjjGdPmlZW/557aHuYM3F4UvJ4+gRHYIGWZrzVE=,tag:3UKGCVTXJ2TSuoCmko4jtA==,type:str]",
-			"name": "ENC[AES256_GCM,data:diqn+/KfwecQ99qSCPG/,iv:7QWtdT8OqGM5NIJew0MzsKin9rLxfzBPWTf3GcFPEZQ=,tag:62zg+C76a8N85Sok5yPp8w==,type:str]",
-			"provider": "ENC[AES256_GCM,data:Q+ZSVPdLTHPUdda95Q9RZ5s1FNXkfTZomyEZjpFZn7//rsBd1oBlpWiiJMX21zqrvw==,iv:10mVYnZuhtHlzw5tBOqLu4nCuijP1oQhdf+GkanlqYc=,tag:IITXS04zp7FPSJTXZAshZg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:9t3joE7hxQ==,iv:I4xx9sMB8x25W9rED4qZgGoZsSI9HjOWIhZqz2l/go4=,tag:bbj7UwdWCbex+eQOvepeng==,type:str]",
+			"type": "ENC[AES256_GCM,data:B/MVjIVcO05RPwCR+q6Csk4D/9Qg9GxM8upgZkZBuyZf3A==,iv:j07opa3xW94eG0gPEFR4G3bn0wpAkhGJ1qVsBARSiic=,tag:L99LUAmsLJog14nVjs1GbQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:8cPHFjvpQeU1kfCJePo5,iv:M+Y4z9eG7jZ5C+Wfv3jhsCeMf9ywZPflTM2BHpn67KU=,tag:zx7pfXG9pk/0aIdkWYGZtw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:NNh5ifrOwi86UQWWHXu/YjLOzabOTDWtDaLoY8egiNxtrem32ovDSzsLNXloYAOpNg==,iv:dB22mH1AKmpqk4EL5XtpSL7hyMuavF6RibURSBRhQUE=,tag:GFKkRXpuj5+Pf+J79QFBUA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:sQ==,iv:mBD5viaDCFK7BEepHoFjlyXKjgDPuU4Ey8Pu4i8RAkA=,tag:cWXCVWXxgd3nkMwrAyoaJQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:BQ==,iv:+Ghj3hCchZoSxAcUFM3LEiMvKqZjVavVlkAi2ulHwk8=,tag:0ZL3JXALw8qstG2y8Urv7Q==,type:float]",
 					"attributes": {
-						"alias_name_source": "ENC[AES256_GCM,data:O3ZL6xqtaEM0MJqRQj+wmsxQ,iv:TRhQ5GweQKhMrCtb3JKF1CsUjpVvGMmyVDiO03OJSDg=,tag:qVgvF998GtdunsR6DxzniQ==,type:str]",
+						"alias_name_source": "ENC[AES256_GCM,data:VuEYvhGuy1cPbfPdmWSRwi79,iv:isnSkt6/JqQNHB9u6eiKcHftT4NTYC2DE7vHtZ5Ihyg=,tag:i/7aoNh6WdYrEQuY1ZMbTw==,type:str]",
 						"audience": null,
-						"backend": "ENC[AES256_GCM,data:QW7N0iK9/f7r9w==,iv:gb2/587fM9uMh6h92CAjEC5uFfZeoIboCPV17xXa0Q4=,tag:TiC1we69tn8QkOergmo2TQ==,type:str]",
+						"backend": "ENC[AES256_GCM,data:90/Fi9FgWkscLg==,iv:rI/vSgkyTX6lhfGHpZ/0cAD3jTzOf0hLwcF/EqLgdsQ=,tag:Q3BzPP/Kl0RZpVhMQ5wOzg==,type:str]",
 						"bound_service_account_names": [
-							"ENC[AES256_GCM,data:y+XW4sR+WaF4ov8m,iv:w/P2Y0WM5d0Tn2qXXVpqsC7zr5SqOn9xBtp1WRps/40=,tag:vc0UzdYm3Ok2AriHd1W4Ng==,type:str]",
-							"ENC[AES256_GCM,data:kl1AlMLMAw==,iv:+OGkC2goMNlfEorLcGGeovn9Qc20ex2Lq/+bz/zOKEY=,tag:5VPsBTBQ+nllbchsusc/gw==,type:str]"
+							"ENC[AES256_GCM,data:olNP9cquIgLlxn3e,iv:Zs10gWRc7LssxjNWdTdPdjjyis0Aw5E/D80JlVBXmZ0=,tag:LP76Dw1vjygahUbpQy62GQ==,type:str]",
+							"ENC[AES256_GCM,data:ts4x2/0htQ==,iv:LyH7FCcEl3kVTu6onwm4rxHxQikMXcfgTcZhMJ0ltYA=,tag:9yU3gtxKeqRntowu9bZehA==,type:str]"
 						],
 						"bound_service_account_namespaces": [
-							"ENC[AES256_GCM,data:BuoSRzMjIkkdqXjo,iv:IYxqumPNdjR0byo9/mEa4yKkltFSHO9ld9sN1GWOczQ=,tag:RmSFQfqKyXzuzt1QE1Y+Qg==,type:str]"
+							"ENC[AES256_GCM,data:Gn9TnFvFi8FDxwRv,iv:52R3zLa2M7tmH2lCykg7295KNL3Py6gHmNfAyW0+OQg=,tag:HxZ/5GsRMYs9A1k1UAMW6w==,type:str]"
 						],
-						"id": "ENC[AES256_GCM,data:f3qL+gclhTeZjpkJYfpqvcsMaU15g0/ukqAHpOKvvlNHDip0,iv:QW9pEz+62kLeE5RzV1ODIyp9flDK3ntz781QD/ddjcM=,tag:pnS6YtaKEhwHy7Fjzso17Q==,type:str]",
+						"id": "ENC[AES256_GCM,data:DbC6aXbdGvyWUkBs2YzxvKcL54+4QjyZQWKTv+E9kttvrhZ9,iv:27ezPZNc3+OSOyOOVjfuiphxRM7nRm+mECvLGWYyrMQ=,tag:GcLUeNhQgf5Nj2C1EaVs7g==,type:str]",
 						"namespace": null,
-						"role_name": "ENC[AES256_GCM,data:Oopqeunwhim/y6GZj+PZ,iv:6fmZk5pj6XCfAS8feaUbFv3vOvkfzvBseHQLdJqU7gU=,tag:73F1eqWmvSh19MZ2kapTLQ==,type:str]",
+						"role_name": "ENC[AES256_GCM,data:05AURXDiNGcGW03LYImg,iv:7ACHpTRuUPi9YBeT6bJsirTn8ck7tCi4nyV3XfDAwXQ=,tag:s/iOQf1PX32Gv2iJO8ckzw==,type:str]",
 						"token_bound_cidrs": [],
-						"token_explicit_max_ttl": "ENC[AES256_GCM,data:hg==,iv:bqWNUAVL2FFZiDSdBHCrgcnkyue0ckbuZU8ZUjuM2rc=,tag:e+W1HXbtZcAAmX/UrEllrw==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:rA==,iv:uEEmaE0wpt4kXSZ1SyYM/x19wMF2pOZznz2iESr1TeY=,tag:kg9WLYM1UWSRg4xeNqziZw==,type:float]",
-						"token_no_default_policy": "ENC[AES256_GCM,data:ugNSYHo=,iv:XfnRMFA7k2cHP0Z0FdKBHpV3LZDMQD429Yr9n5mi1NM=,tag:9oxAsVFkTGP+iVAYr9Bpdg==,type:bool]",
-						"token_num_uses": "ENC[AES256_GCM,data:1g==,iv:8teO/5P9389jQELWR6luHAix4T23uA34wn0CCjowbaE=,tag:f0HGY+KN8XHUyncTbCz4ug==,type:float]",
-						"token_period": "ENC[AES256_GCM,data:QGBOPZbc,iv:FpwA/o/v4UDQY/ajqnjf0aBnx9DIzK6v8W1HpbL7fVk=,tag:U2JjAe+nrQoVqRKGYHqIiw==,type:float]",
+						"token_explicit_max_ttl": "ENC[AES256_GCM,data:Qg==,iv:ERZst9qKzZ3hYL4QJotRz0a4BvbJQRJEATg0DtfbSQs=,tag:42uSPhX7BKyTHV6KNwKbcw==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:6w==,iv:wOh6P5CwbgoL3lCLCSuExTmRzT5ULXgfTRINuVvnda8=,tag:Nou6/66FseBkFggsl9XHng==,type:float]",
+						"token_no_default_policy": "ENC[AES256_GCM,data:AjL5/Fc=,iv:hzB9YVTSOXlpsimMXGu3NydDqoP0JdaAPWAKk1rzJyQ=,tag:Fj2AcqCokvVDQy3jdl5qXw==,type:bool]",
+						"token_num_uses": "ENC[AES256_GCM,data:3w==,iv:NnLNuyZLdqn5+r58aTXDVw1VVe2cXSLWN/rd92XaVBo=,tag:KHD93HXJjY06o3x364LE3A==,type:float]",
+						"token_period": "ENC[AES256_GCM,data:8yMZzeXN,iv:+Fik83fcXreICWwZveT9fHGI7UMe8FDSSi/P7bbxzQ8=,tag:fTqgAy0YX6gKlkAT69m5Vg==,type:float]",
 						"token_policies": [
-							"ENC[AES256_GCM,data:bbbamUVKXHyeYzAjwPt9,iv:6UbpI4LffYEajFXPQurd949AWRxM3PiLuRFdvhAnE3s=,tag:2Mokof4xI/7WormUxN8BhQ==,type:str]"
+							"ENC[AES256_GCM,data:Ykm+aXIJ+FXqUfWrQ39O,iv:4karlRm1TPMJm3buNER8lz2mwaYZNXvbuU94qJx/bd4=,tag:Htqv5d6gFxmRRxDf6PRKGw==,type:str]"
 						],
-						"token_ttl": "ENC[AES256_GCM,data:Kx2oQvBJ,iv:kNjYkobgi5JlPEDH6aoObnGJ59Bl7lvK5Cz89Q6Expo=,tag:BG4kcwdFDk/EhegW2N3ppg==,type:float]",
-						"token_type": "ENC[AES256_GCM,data:J8Wrvj+6Fw==,iv:6+AH8bEV7vWYrMAjjkFBLFxQiah+3B4K4zitF1GP9JY=,tag:lGzH6Zyfc1/7pGArvtbZjg==,type:str]"
+						"token_ttl": "ENC[AES256_GCM,data:BfQicWY8,iv:ofJn2keeZZQaYHYaRLmqCPJUctVhKr6N5o5eAAbrsb0=,tag:6TNUvK84k/Lus5pOx8jFgw==,type:float]",
+						"token_type": "ENC[AES256_GCM,data:gcPYB0KNyQ==,iv:oEAajMORw1ID1DCyGreHjVYV4jNX7u9yHr/puEBfxuU=,tag:MAaEY+R4TP7ChcdNUADfFA==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:GQ==,iv:B1lGxIDyuBIlIiEkXFUVXtV2xZTSC5r8J6jZCNF4nmY=,tag:+ifJokAQbKjtSB5bROI1+A==,type:float]",
-					"private": "ENC[AES256_GCM,data:fptUEksq6DE=,iv:Xz8iUMcS/uZ/htTnFQvhFIXjfOP4LigHXSePnv9rKgA=,tag:vGsqAuv41ukYA9nTuDawyQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:/Q==,iv:T8LvwdXcuA1x4gNrXSyfY7EUl0pyQj4XKbZwon6OMPg=,tag:ZcTGstOXb4/HrWOpuw+NtA==,type:float]",
+					"private": "ENC[AES256_GCM,data:kexWHvtJWJ0=,iv:Uxovg0/B8gLkctgMFw25sTpkivaf/Z6UCk1mzPwYqhA=,tag:UeaAR4ae8P2SUXggjC8KCw==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:SVUTPBhEpy/7oG4Amzm4jECf,iv:xyjDg1hVxhrWKF4c0HNmpuSO2DmZTDvnhtr6jZeOJUQ=,tag:dNzJrqZtK8YnxR8HN2JBxw==,type:str]",
-						"ENC[AES256_GCM,data:7Io28jnRbYRm1chK+KTDWnZ+YpvDnVw2r8w=,iv:9r42yRFMsl5ZEgxermyAFTyR54QzK8KRMRSo2UiLJrg=,tag:eGWViiVdMUU7EQLKSTjhdA==,type:str]",
-						"ENC[AES256_GCM,data:GvlKvsse9ca6xpoRGSfn31zB93/TsY4OD25Zze8=,iv:llQ/q+qniOttKA7+Yy9u11wmvSUGUxo/mJ9OzgmbGkk=,tag:R9UZ1gixA7DhqdtlGaF3qA==,type:str]",
-						"ENC[AES256_GCM,data:jogi6lB/XrDwYdcWzCpZwLQM8eLx/qKqrbUO8g==,iv:I82fBnnEzSk2WmGMKrSfRDV2GBhoFSELkoHomiq5Ljk=,tag:qgfyTsPwOo/RKyi6rJ+yUA==,type:str]"
+						"ENC[AES256_GCM,data:IMef2SkAt/qzIcl5xXwsozlP,iv:hDvQzGPJo77YrJKDCP/0iiiitsSYyVv3L/GrUip8C/8=,tag:VcbiqFcBINtknuJkBuovYw==,type:str]",
+						"ENC[AES256_GCM,data:pvkfjWBrkFN+C+MF5yLPFnIbr5ycRTLeq4I=,iv:2Kw9/cFVfaYTgQc+w9tk5UbsXyvrqfir07kBZcgdcxY=,tag:NiBMv/4z57B9ThtXXhGkgA==,type:str]",
+						"ENC[AES256_GCM,data:2ytObMM+Ku0TWTSR8FzbZFPrBAMw2LR2nmOwx6Y=,iv:hIgH1+FnvsKV7w0nvdloXPw8CvUTQCcplLPnAszr3lI=,tag:d0Jy82cgqEDVWjJOCPWK3A==,type:str]",
+						"ENC[AES256_GCM,data:GMQMyp3uUiMJ/oAF3lN5M7iNe3OPLjmrpxU5dA==,iv:UQiV2Mev1zWDbC3spkwV2sU1MUemQgHMnoZfxyAMoeQ=,tag:sEjx2ybY+g0k6zXqrgDnLQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:tXzzZA7YCQ==,iv:yyyvYJVWEAoEol9H6Q26nyBS8Hy1h5v0jDopzZaZ1SU=,tag:vlTO/1MIRTNsWg3LZUmXzA==,type:str]",
-			"type": "ENC[AES256_GCM,data:voxMLBe/B0NUzmdbS49SNev3jsmc46pWNe3qgwJdTeqOQw==,iv:Dn6pdNmK0q5ZjFvq7Y/pQtjb3Fv5EGGiizddm9KOp4g=,tag:YaYVKQD1GRZ3scVuIP+TaA==,type:str]",
-			"name": "ENC[AES256_GCM,data:TY0bpFZtmXACPmMCzpqG,iv:TzQRexwJNl9X0I5EcYmR7ddrYUsKdetq4dDMMtbNJr4=,tag:Li32FJvSJ+sK9hxw/F6VTg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:zOLcDPWz1ipkiGTM0RQWzORi2xWGA8Z1A4bW6Dg8I2K1EsjYJPM1Lhtw1B10NVC0eA==,iv:e2vZxhnEkUVRP8XWq63REAE3IyRY5pq6kSgIi8TWaVo=,tag:C8cTyaP8uGipkrCO0BArAg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:lI8vWq/2dw==,iv:monM3+VuvohOX4wjr8TOv+c+uSPgJQeKF+kfAi298u8=,tag:xAJhsgc7fbFk80GI3updpg==,type:str]",
+			"type": "ENC[AES256_GCM,data:r2xreZmU+zy9Ov8SfnrvzUEGUatR2zvhCEkIj64yotn7Ww==,iv:GxngBxBzfC8kHtU1beFgT789X0MbbVTTcc0nuBOabAA=,tag:FfT40UiqaMUqqBnmnNqnwg==,type:str]",
+			"name": "ENC[AES256_GCM,data:5HfQjEeNGt2eDudm2Q+S,iv:mST4/V1g958fEH9giGk14T8BRHNLjAEupt2OI0B0C2Q=,tag:Jx05RLsfZwGjkm/Ld5/MSQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:iGF8cpv3q7pvH3lCAgix8ezMHugJmEgjVnyzNAkfje+7ovfy0grttMwQ4+6Vxj4Dfw==,iv:LNt7fQ8JeCJHjw8bKmvsHM8z2WAYtRj3lvdTpMxXzO4=,tag:RO/ayZ5IakB46NEkhwlfJQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:pg==,iv:538er7cWw+QM50ntTOLheiMi0jsE13TGnJs9ZIE9NNw=,tag:QzOZdhiNxwL8mjL/1hciaw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:gQ==,iv:MUWTq17TUTrv69VzIm3zB7Y38G0yWsgYEFaGCAAtK2A=,tag:IvErWEuN9nOm2jEKqbzJLg==,type:float]",
 					"attributes": {
-						"alias_name_source": "ENC[AES256_GCM,data:GwV66KTB3dQ7KS3WNjzBbyHe,iv:mGxX6PN8OUvQpigkAgxqkhnv6EelHnBMfj6jEac7QX0=,tag:U7eu+qH8agz8p5jDVgohMg==,type:str]",
+						"alias_name_source": "ENC[AES256_GCM,data:x2hnryRFtVsPPn5n3Mxw9u2q,iv:mTmJTTUC1hQyOHMBU9SZDPQCdqKavurnL/nLVnCks/w=,tag:wtetlqSmbmapyjtDYf8ayw==,type:str]",
 						"audience": null,
-						"backend": "ENC[AES256_GCM,data:AD5QolBe1Qx09w==,iv:Et4IVdoox/m6cI2gxe4CbWxr/EntSJetHVYgpV3v2ig=,tag:B/RaIFLolDb5bW8HCT13rw==,type:str]",
+						"backend": "ENC[AES256_GCM,data:55v60Nz37XAXBg==,iv:BueL7nQTgbrE4i9aAgaKBSNZ3Qq80QfTIT97uSs9pQ4=,tag:76WTwsvBhs0dGSg13dBaOw==,type:str]",
 						"bound_service_account_names": [
-							"ENC[AES256_GCM,data:eYXhWvG/4w==,iv:ttvJkxkah+KM2AB0+l5zUK1JN+0bJPDvCDOQdZwpR/8=,tag:4Rolf5y9R0h5F/7gXHdLoA==,type:str]"
+							"ENC[AES256_GCM,data:Iwmnpw+l8A==,iv:VBTUoAAWsHYpI5ZsYm5naUo/0AMeR1B8pmWAvTYyvmg=,tag:tSvWOVnP0O/tQxR6LqgidQ==,type:str]"
 						],
 						"bound_service_account_namespaces": [
-							"ENC[AES256_GCM,data:cJ5ed1+0FPMsbQ==,iv:3xRhQumLtQksoOIQ7+RPZFjgFmt6y09ZiuzPQyBldCU=,tag:y2SEvqbLTqAMjSpOsYuItQ==,type:str]"
+							"ENC[AES256_GCM,data:6aDF3EdkAZVcCQ==,iv:stWtuskHxtBR1wHGORwmj+d11oe/LR09pLMqjFRe+uc=,tag:q0hhc30hTsylWriXD2HYoQ==,type:str]"
 						],
-						"id": "ENC[AES256_GCM,data:RlRnI8ZKiOCNS25SujVUFmCvgdDyl5l7Fak9s5pVL/NOh6Nn,iv:L838ds7nZw0OQ1mFzWA3wEWrA9Q7knKLsCVUFMsIevU=,tag:ISCZiiTwOkeu4JpwtHUB4A==,type:str]",
+						"id": "ENC[AES256_GCM,data:gvDmMiANB34bfpffareRauO0RZ8a1gjJ0LJa58Vs+/0Ce9qY,iv:8nYDwCuImlYxEd71t1/TRUWs27zroNJqMW3CmG6HK2U=,tag:Jr2hxsRAsNXQ+By7KVCETA==,type:str]",
 						"namespace": null,
-						"role_name": "ENC[AES256_GCM,data:FFXtGuu7Es4rjl/44ljR,iv:qyvLHexoAvp56IKNUdAyg305sEWVbyzUdb24GFPmZ7Q=,tag:QnyC+LC7v4mMCpt+aRbZVQ==,type:str]",
+						"role_name": "ENC[AES256_GCM,data:Z9r4M5vHphUjzK10D9WN,iv:i1+kPQz9KeO+jhV7FT40O2MZPHltPJhf+Nb6ZcKu8jY=,tag:K0tXhnnx+tRqtcJt1odTaw==,type:str]",
 						"token_bound_cidrs": [],
-						"token_explicit_max_ttl": "ENC[AES256_GCM,data:iw==,iv:mRHQ/lJrekeAehn1zImxvG26MUTVL8MOX9KsWBzySz0=,tag:jJJOjGAfz+DUXTTNvn9hFg==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:IQ==,iv:4tQDVuaOc7ZBymcg9QjL00B2e9se3JHo7Y9GlVok81I=,tag:87P6PDtE7fhGKBTQ7Rqktg==,type:float]",
-						"token_no_default_policy": "ENC[AES256_GCM,data:5x0Qb8c=,iv:+KMPDr303tigbJU1+27ub9TSib0S/TtxZD/QztL0QSE=,tag:Z8nlApi5DEr50QVRXI54/Q==,type:bool]",
-						"token_num_uses": "ENC[AES256_GCM,data:Fw==,iv:rnlUfJCpJSJj/3J2pt0uXe/xl+ufe+ILacXJ8FRfeWk=,tag:EVDAIT5+C6/28k1ANVfMgg==,type:float]",
-						"token_period": "ENC[AES256_GCM,data:6IIrFIsl,iv:QLhKvWYdV+SFMnKCTX/yWf645JcDNKLe0LPQ5TjOLMk=,tag:cZlUg0a2NIoFeusp+vGiWA==,type:float]",
+						"token_explicit_max_ttl": "ENC[AES256_GCM,data:8g==,iv:pyfJ9zpg3ftq41DcI5wbhaSpaGETg2XalN08TFeEkJk=,tag:WvwKyL5T8+uJUdHUxwH4vg==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:Zg==,iv:+1bNcc0HoGPLiY8lge8Vp0HamcmyGtN3qzv6z9ejXJ4=,tag:Qp3webCLSsfgEI0Sk7LoSw==,type:float]",
+						"token_no_default_policy": "ENC[AES256_GCM,data:GcFFrbs=,iv:7c4urLYIXNAL3VXiEnIq1s8+gy4pPKIKtAdbZ8QL2tQ=,tag:Ct7lZt+/KGOm7F/XhMu/xA==,type:bool]",
+						"token_num_uses": "ENC[AES256_GCM,data:QA==,iv:GZ7AfaZGYy0HvgcKz/QFjqX89yMfFmPQqpl2Y7Ptu1E=,tag:TRHnM+dXF/355V5ArMSWTQ==,type:float]",
+						"token_period": "ENC[AES256_GCM,data:01oNer4t,iv:HTJkBPAxcuQc1wx1rpYt1svUWCJc0UDuNUVztChyYb4=,tag:7gSHy+mI7k0UfANin1l2Sg==,type:float]",
 						"token_policies": [
-							"ENC[AES256_GCM,data:WqE7G2Z+uyWMIymAD6GB,iv:PiRE+FIe4ohF05+JDCXuzJSFqVRATcDKd2ehW/UJi2A=,tag:N6ZT6KQnNfnzGUu86nv4zA==,type:str]"
+							"ENC[AES256_GCM,data:opEY36HIE8j/PWtRP6F2,iv:Br0EhcI7Ohn3S+cL6KVsksCIVSxSDBaVYvTYXS5WejQ=,tag:wf6c7L5llVDo1dHSZpg2GQ==,type:str]"
 						],
-						"token_ttl": "ENC[AES256_GCM,data:5nc/Osy+,iv:Ub2qgb7dK7raas04JOtNBn7C7RS9HCmlhwxg+gcEiNA=,tag:on6ErWGTIYshHn2r2ryrlA==,type:float]",
-						"token_type": "ENC[AES256_GCM,data:tZlQhdqYYg==,iv:8LoNLFYLl8zeI0+GcvfuljzijsZ46kAcFGwDOF21Kwc=,tag:ZNRLtPE6NQCpLivvbTSzNQ==,type:str]"
+						"token_ttl": "ENC[AES256_GCM,data:wd7BJzKM,iv:SLtfocjNounrVRSBYV2/rROuu+Utaasb+kGRT0btimc=,tag:NN3cvphK5S/LMBgWGO4Ypw==,type:float]",
+						"token_type": "ENC[AES256_GCM,data:HOMDufhIVw==,iv:JsQaZ2yQvCuOy4DOSUMDKL/3QLD6ISovvgHEWDy3OyE=,tag:CnT8F24kBy4M9nVKh/fNTw==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:AQ==,iv:G0XAsco6VDnXOJU06sm4dje7ebOdVaoz5pQeUF17cG0=,tag:ZY3Wxi5eGhgL+Ee/Qbwmfg==,type:float]",
-					"private": "ENC[AES256_GCM,data:4pni5hYYKoY=,iv:MqxvzXYfJLMweDwkK7fg8X6YM0Y0ER5fNh8va5EGxBM=,tag:cc1ixU/cXqY0aS9Gnblfow==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:uA==,iv:ZEQhnzP0g2oyQ4vuetvAuIx4VXjv5EwDs4STpfpV/gQ=,tag:JaP/6SSBaBTXG4WwiltP/A==,type:float]",
+					"private": "ENC[AES256_GCM,data:O7qoD4/yNbM=,iv:8q2KTl1iLPiMDJ95IgZP/nREAvKInRIt0v7Dv63J38c=,tag:P8c3WT7sr7stXRw7vchfQA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:hF6md81A5vjUnR2WlQUHZ/iK,iv:MmXDtqxp+/YG91Nk3CEntwJvdYDlafkpizLK+VCD4aw=,tag:+yiwdSDnT/jnRrc+4vkuRQ==,type:str]",
-						"ENC[AES256_GCM,data:2eWDlMxh8N98HdU/UbKqN9kPvP/vv0IOciQ=,iv:IeEhb2Sc7CwD5QUzAwokGSqEzRN9ykInHN2pTG3k8W0=,tag:jkAuD7qIXb+j229T+wKajg==,type:str]",
-						"ENC[AES256_GCM,data:Q4T0T6fuPPJb6njtvFeexNMLvip7Y6Mgw7NwYfE=,iv:w8bsihJ9rPA3qAtXD0lH63shOYxFxDAq5W4+f2t8xGs=,tag:EXo0Jey9h0oLKM+PXDJFOA==,type:str]",
-						"ENC[AES256_GCM,data:9+l5dx+xMLe+5R5ZEm+AIAkgapT1qayY6eABig==,iv:UbV+KCuXn3WpEKpxGGQN5+uSLAT/y/5xu0f4hTEQwKE=,tag:F9t0FPSPrAByUUxiDBgbcQ==,type:str]"
+						"ENC[AES256_GCM,data:Cck9G1Onew4SgwNHR5Ij/K+p,iv:mjTJ4quqfrJME0O1dpxeYR+iiKLRHrcT/TbSgc0VTqQ=,tag:E3bfqSNo80sKcldUur1b/A==,type:str]",
+						"ENC[AES256_GCM,data:CyCNdLMIvnSop+ZzqF/4o1+RccQqg5XMi1o=,iv:X0pJrBN30szD7HDrx49alktcgJhIM7xMRzL9nr/aGyQ=,tag:4YJzsOsMGVc7fqv6ydPnmw==,type:str]",
+						"ENC[AES256_GCM,data:Qppf9VcF5EZIhIBBwo/1k8RDzzCeZOWVCD/H+NI=,iv:HZoXklPRSXSKVZ8aq+KSc4X2n8p45YhGbAzm3XneU1I=,tag:K50bnco2RbtCZQCzV8ctVA==,type:str]",
+						"ENC[AES256_GCM,data:6+576JxTXsBBBH53Sny24/3wIBUn+YcDlXHu4w==,iv:MEW/Tv84Rs+uaFS4+tiZYgHXt3OyS/ExzvWoptcDXFk=,tag:2efcAh7tp+lFZUK4TkGbGw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:ryf7aFugMA==,iv:03JI8ehAEIbq/sP21stxwVaeIPm02OuWuKQVE8jN3F0=,tag:TTQr/sq24eYk78fgHE4LfQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:PSDqK005N1VXwB1+GlMGXvTaYPDA+mMKXDqEyboYRg==,iv:Kosv+EiHjrgnj6s2Y57L88oPoBDWcf9HeUjOlMZvJzs=,tag:JFmqITLXQBx7cjsXVWJwNg==,type:str]",
-			"name": "ENC[AES256_GCM,data:xGeI,iv:AQp6/4GYi6m20dpqMcAOV1ZI36y8R4ji74dWV62+n6w=,tag:W6GQdIrbqxsbmntaYElKLQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:jYvvDnjywRkdyAizfscTLNonj+oEVTXjA2d0nO4uyYiShqVXb+lgHyreaq2z3fLVNA==,iv:K/c4Hc5Iq3wnUtl8gX40WiKuT0YOy57uvQYZQr2WveM=,tag:Uf+cUyiS+suwJytd1f9cZA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:g3hOPQ27Sg==,iv:t5kSYQJa67qePrkX1eyzjeHND3VNEsGe9kVJF+gR0i0=,tag:XAqFvc+5rsmzMQMHdulsWQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:2AlIqX4GuYj1XY5DDa1H6zwzicP/drxRQQmPKXw6HQ==,iv:UoPqVhhvkhRhSmqMAQxP9RKgOF2fS38LUf+ndWP1JSo=,tag:gLjcq1UV8LqUsB1vZjAuew==,type:str]",
+			"name": "ENC[AES256_GCM,data:rmdW,iv:vVZREnMZi0dkbHgoGpbQaGxgZM9GunrMv23PEE9KA5c=,tag:ENTciKk9fDyv7+CKYtsqcg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:b0AxRL3uBpt577gzMRiVULDC42MhRhCdt18u84N6a9zreOBFZsl3aaVLzGJ1v7ql5A==,iv:JF3jTWMhdliiyFuXla2a6z2sVvMKLZqxj4FstS/J+CE=,tag:VhP7ViZEF5LEaa006U5PJA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:YQ==,iv:hHOCZPQN0PuPRnlbP6E5pHCVfeWZOJMe/FHUkfkN3bA=,tag:oBlKdyiSIM5JlDsZ8B7iEg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Rg==,iv:LUXXZnfmJ8n7PEvsnSIrZReeZBl3oGi1HEjPtAWwv6E=,tag:/gnZ0sfZjwWZ4k4/ppFpmQ==,type:float]",
 					"attributes": {
-						"accessor": "ENC[AES256_GCM,data:uS4UAUg5ZmJ4H2Icr/Jncn77Kw==,iv:XVEsOukL2GxehQe56MsLBdQZ5YKyIoE8rFE/+yctdUo=,tag:xJA8G6FUHfk3UI7XuOlzww==,type:str]",
+						"accessor": "ENC[AES256_GCM,data:BdZnkYH60GY/yyOVd9ZlTsLhbQ==,iv:NiOHpBv9JlhnttPsaupmGAI0I3qhJCl90r3ht9mlQKU=,tag:/hV3jBErtzrb1eAMa8Krqg==,type:str]",
 						"allowed_managed_keys": [],
 						"allowed_response_headers": [],
 						"audit_non_hmac_request_keys": [],
 						"audit_non_hmac_response_keys": [],
-						"default_lease_ttl_seconds": "ENC[AES256_GCM,data:Wg==,iv:Ag4KUEcxYZ3FNeLPeV2wX40ey9J1f1X8VF7K/HBGw5I=,tag:cLRL/Dq5qkePFCEBhHRjoQ==,type:float]",
+						"default_lease_ttl_seconds": "ENC[AES256_GCM,data:IA==,iv:zFdpSojebn2+HqdBcy6ho7plBQJdDj8Oh613Ev4iBzI=,tag:1gSisZMrACxuFjZ2lp5Ihw==,type:float]",
 						"delegated_auth_accessors": null,
 						"description": "",
-						"disable_local_ca_jwt": "ENC[AES256_GCM,data:jy313Qo=,iv:xaCqVRhe8WqeVz+/PV05nQOAMyqB53kxWXhGY6FuZig=,tag:9mziGQvrPlcGIVa6ssZVoA==,type:bool]",
-						"external_entropy_access": "ENC[AES256_GCM,data:pCy1vtE=,iv:3gasAixfJ8R2Jp77Jj2M2H9cdcZ57WfHp0Y/Uxt8Cfs=,tag:EXux4wrTpJRoPalzy8uSpA==,type:bool]",
-						"id": "ENC[AES256_GCM,data:/gmbRrTuMTnmYA==,iv:R6eAPbUWM2L/lT8CfTOX2zVkOfYoCK3AJ2N3lqdTAFM=,tag:hFjZCG3waGAr2L9uaB4C6Q==,type:str]",
+						"disable_local_ca_jwt": "ENC[AES256_GCM,data:QGJr25U=,iv:HR6l9VW5BUOQiWBMyidMQXB5JiPhcnGDC7TT8dJy+mQ=,tag:eEW2MvqrKQIKFebjpBymOA==,type:bool]",
+						"external_entropy_access": "ENC[AES256_GCM,data:0MhvAqU=,iv:xb7sGJ6Q+XEk/oESj7M97MY0YjaAqIXl3SXSg4rgMiY=,tag:bp0o3NE1NOWd9A44+yajQw==,type:bool]",
+						"id": "ENC[AES256_GCM,data:WCqF5dW7PAP30g==,iv:WCBOenKfqwE09oBbDlL7u3mdAbDwfsjhZFSizdjpkBQ=,tag:8Sk8RAa4GmxMdN/08aEF9g==,type:str]",
 						"identity_token_key": "",
 						"kubernetes_ca_cert": "",
-						"kubernetes_host": "ENC[AES256_GCM,data:Bry8SE4H6jiwEwpR0effGfBGhuqp4Iq4AJcB6YK4,iv:vS4+iiKKFesShxdlfynOjQ13o3Ryv/jYpb2PM80ZvOs=,tag:l5YEuILuPwoYr/ZmE6v3xQ==,type:str]",
+						"kubernetes_host": "ENC[AES256_GCM,data:psXVjqYgH/BLji3yBmCTjKUC7/q95ibCsjtqeRHE,iv:CbPz0WxO1/Y4M90AZYH+zUEFHmwmACptv+lwZHA0f8U=,tag:b3zRi6R1s7tArDzRDfVtDw==,type:str]",
 						"listing_visibility": "",
-						"local": "ENC[AES256_GCM,data:T0P/Wfg=,iv:zf2E9cvtnhK3xdhO5QIE6T9fmzI/XeQamVqyREy7OnY=,tag:cYYN4J8ZKsbMzeghRt5YbA==,type:bool]",
-						"max_lease_ttl_seconds": "ENC[AES256_GCM,data:OQ==,iv:6UVuZyS2mLByNiU57BfefwjZWOPjJZEwiTTJ/4RMcZ0=,tag:Ba4NhN69/yEs01ae06mFfQ==,type:float]",
+						"local": "ENC[AES256_GCM,data:bUyoJ1A=,iv:oW/KD31qZ6rRCkB8CZoWvkURSYfNL4fx+NgEZlIGJXs=,tag:Hw/iI6gFw/NxobpHoamDNA==,type:bool]",
+						"max_lease_ttl_seconds": "ENC[AES256_GCM,data:Dw==,iv:ZgTYK092MhO8oPNjte2Qr8zXYo/WDFJnVqqJ+joNElg=,tag:StYFlnAPgNpP5LMlRALt4A==,type:float]",
 						"namespace": null,
 						"options": {},
 						"passthrough_request_headers": [],
-						"path": "ENC[AES256_GCM,data:yXmbQYUKGdam1Q==,iv:TF+sS+U02vbkTnzlryg3+oOEqw4vdeZkORnhB08gass=,tag:q7NrJuBjIuzb46v3iTOiaw==,type:str]",
+						"path": "ENC[AES256_GCM,data:3r7XyZ71gHhQnw==,iv:pemp0OZMFEOoiK5Ej3MiL5lTQQnhNRqFqhYxoVvva+Q=,tag:zGeLlMRxlgc4luCH/XqNTQ==,type:str]",
 						"plugin_version": null,
-						"seal_wrap": "ENC[AES256_GCM,data:qu6kmwQ=,iv:uuuC4HSAh7quRjw65Pk2xfB6XIngIWiAzJGKuFJ65Y8=,tag:oTB8pKtP/4aN2E0wfG7FDA==,type:bool]",
+						"seal_wrap": "ENC[AES256_GCM,data:Baj/fEY=,iv:/wcmBv1aVdyd/eplVVL684h0rsUJEIIdMbhkrh4rZRQ=,tag:tpehFr6jZgqelV8GEuqekA==,type:bool]",
 						"service_account_jwt": null
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:ju+xbjEN1q0=,iv:smUL7qGKTovHZ9gQFcHHG/FBi4+n+EqynwyPC8iU8Ds=,tag:Dxwcgx0NUYxC8TiBXQLHVA==,type:str]",
-								"value": "ENC[AES256_GCM,data:OCRM6C/SZubQHFrDc3JjEuAwOw==,iv:XH8W8PNNkma8zSsoet0JUPGIQhnhnXNV7iHERLw1UOU=,tag:2SCZxvbSJBzqcSGGJAHv/g==,type:str]"
+								"type": "ENC[AES256_GCM,data:eFOjU6y/Uo8=,iv:/mpIJzzHXuwf329MXJRC4rmlEB7bd56Dc8SeoreLqnA=,tag:kue92W1QMzPfFyhgbcddYw==,type:str]",
+								"value": "ENC[AES256_GCM,data:mvgygN8tLLz3lFLIKH1/jd/1JA==,iv:AKSunE6dhg0bF6E7eFTDNLFLeUk075HCRLngP0IsD/U=,tag:SDo2WHCF8x1OeqhQ3vf/0A==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:qQ==,iv:vQ6+4jIHxrzQsKBdgcX0FAA88j2/pIhFRpthwwCH/sc=,tag:pRx4P6X70mxeqoaMZ6tY9A==,type:float]",
-					"private": "ENC[AES256_GCM,data:aozTTAx8YVo=,iv:XN+QghiE5L3B+WfUpl4tMiVvqc/wlEy9zgEUxYWiro4=,tag:LWRGr2billJyY/qmxzfP8A==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:gg==,iv:+qRKebfpyq7Ha9NnuXJR6bBm8eS5joMbWQfwyuuIBic=,tag:2ZNspgEAXpqE4hja0+uqRQ==,type:float]",
+					"private": "ENC[AES256_GCM,data:dkks2TtF4sc=,iv:Oe7skFbPJ25hU7kWaQPWN97E4nkT8uCKLCGQ3zmHNXA=,tag:HsK0XIPCOYdJDl7h5lwqQg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:a8vsM0NLhcAB8yh/tbFGDH8W,iv:J6Oq7WJ0tgLQu1wh0mNkgDUxIYCfgM1UCJDFB7HQjZE=,tag:ISAinlL8XhLCcfDuLOrE3w==,type:str]",
-						"ENC[AES256_GCM,data:YjbmQh6hqkmr7AKyWon9xlQ5TYOnhtLaa9k=,iv:HJWVJHJ/uRaBd7bM1U2vwKDaN8F617zs1HfTS/Iwe5U=,tag:AVDv/DBA48qyCAiap8oIFg==,type:str]"
+						"ENC[AES256_GCM,data:32oJbWUSL1/bCSLVfwZfDhxV,iv:PBYvTDcWoyHLxyStM/iJOYRv3daqwBTqeLmhWYDOY84=,tag:hAcoFitFp8LpkAQHgCp0ZA==,type:str]",
+						"ENC[AES256_GCM,data:WzvC8AlY98JZ5mBp1lMImwjSeDHXWd9TvMk=,iv:Dsr1G1UKT1t/5ZSM+s0SH6Ercjvhol6EDs1Fc7XE1P4=,tag:zT9kBSXoWeMrBT9etQmAlQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:0ST8ojGnMQ==,iv:Fc0XqupTbXOJQu/lRmy27dIGJpOBeF0QV5vaj26xWfk=,tag:r41jgN4mqtwqzx54as5rOg==,type:str]",
-			"type": "ENC[AES256_GCM,data:fhC4Tbx6ZPlHYa+9Fx+8zW0wB56iHWWvLVrH0THvEe5VXwTF,iv:G6Z9fC96xvwBKarrI5c5DgL2WUwWzWaxIzAVrdgSQ2Y=,tag:Xw0BLH+oy7pNdTC6zOlgTQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:hVhY9Uel9hn5Hjo=,iv:WqKxjFj7BoSHzyOT7jSgMlMCRTEtAA+KaGM6Khx0DKQ=,tag:Y86zxuAT8mRNdC19ThXD2g==,type:str]",
-			"provider": "ENC[AES256_GCM,data:67bPzIUhGaFw3ravXE870C22YWuTbEu8His/rS3/jObUaz8D3/YDJzFiy7Gh5p3HeA==,iv:1j8jalPC+C3OiHI2UehO+Z7kA4XZ8YhJPIrsKzd1XM0=,tag:JpbSVKqbW90iiwO+zPT4Lg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:qZnI0s0jBA==,iv:4NMc5Uf620DoBgqGpSscZJa8NkzoWr5gsBhIFlKDpGA=,tag:Icl0EjAgEJ//jqwdtvo9Hw==,type:str]",
+			"type": "ENC[AES256_GCM,data:y+FLq9EM1LjIh13Qgl0OGVF+2WKmMcKfiry+sMcb+XY2sgzR,iv:Zi8jtC6MxE7psu2AnxuGNIfV8URjc4/6eBppvLj3f18=,tag:M4z1fDXhpurAf7fKo19vCg==,type:str]",
+			"name": "ENC[AES256_GCM,data:dplgl1ZutmbbQ3o=,iv:cIFK282BpxSsQnOZtpUDWyAs1czqIZAZiuMhvaG+RnA=,tag:4ZOjMp0Rvln1Ws49tGbPcA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:lqdvfgmuZyBpBFCBOGa+XY0f3Wp866jP/KOju1xTJSNsKxBlbwxWI/9Wr6pWF7DTJw==,iv:YaQ2Tfo1q8I20g4MvKkeZJZDkXWQUQpUTcTZR+pwZk0=,tag:b2iPasvHEkGiObpvzIKRtQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:8A==,iv:3MH6AyWZb+ufTsGlUAMJTcQ3fZHh9GhXr5yuVDfxh7Y=,tag:RswQHHBNWcQRJCGjGzSX4A==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Gw==,iv:9Ufq9RILRUpu/PqG32we97V7EOCU/frigfJONh7KccM=,tag:vfYP3Ze5T3J4tkyESamIqw==,type:float]",
 					"attributes": {
 						"allowed_kubernetes_namespace_selector": "",
 						"allowed_kubernetes_namespaces": [
-							"ENC[AES256_GCM,data:Aw==,iv:GGMdifoTZcrFKwAt03YTCAXHnZisqt95XS5gZfJqb2M=,tag:CAECwzuLAvYd8J20I4MtPg==,type:str]"
+							"ENC[AES256_GCM,data:2w==,iv:kK/BBMaDZm3KRTA1Ew2OIVjkxv7VG23FMp+lD9KB9Cs=,tag:n/QoHiXarLbafDiodCqzQA==,type:str]"
 						],
-						"backend": "ENC[AES256_GCM,data:OhZ7pzl6AQp12A==,iv:xvQCiDIILpFp+BHp69qTXlhROHYELewEZZ1TOARM21g=,tag:AKSQt34BkPO7DbAlkchdxw==,type:str]",
+						"backend": "ENC[AES256_GCM,data:2/cMY/C3lqkIMw==,iv:gfcM3N1YhpdYYNLMdP/HUbTupL6ACogGLFxrhbppBno=,tag:zwP3An55Ckejnd/kQvoW1g==,type:str]",
 						"extra_annotations": {},
 						"extra_labels": {},
 						"generated_role_rules": "",
-						"id": "ENC[AES256_GCM,data:s7zMmlWzHmbLppmIcuYEXcVU9lgAHNi3To3UOQ==,iv:lF2AemtCbU5H6SZbLFIZFazqXV+7z1SwSnHbLGbX4pI=,tag:qthw6gx0hou/4nwo9lJDrA==,type:str]",
-						"kubernetes_role_name": "ENC[AES256_GCM,data:iHh0pTgt+UczasY=,iv:r0FFxP55+hALSJ0WPCCWaaVCKAzGEK3KsdHjykd6Zhk=,tag:aqKwBszAw/sKCZcf+8OvdA==,type:str]",
-						"kubernetes_role_type": "ENC[AES256_GCM,data:bc0t5D5Xd4X90Qs=,iv:PhodXff1lf3T9ppxXYk3E+corbqBWQafv+KJzUCVw0U=,tag:MEXBu4LMNVJpY6iLPsf18w==,type:str]",
-						"name": "ENC[AES256_GCM,data:UGvoI2QR5PeDhGc=,iv:KKooYr89LA79SYhYDxvQsdEEpvw9CSlt5p3LVFoZ+20=,tag:P6s+SZNcDVk7O1HHL6fpJg==,type:str]",
+						"id": "ENC[AES256_GCM,data:zCkQH2uAwNyrYpFo+P0LzpqxnmZQV/ON5YbxAw==,iv:yJspOwqVCfQGqKdLnD9E1XKYdiGrlM9ebg3vs55BBuY=,tag:zkpLEbJ5tmTR563eO6KCXg==,type:str]",
+						"kubernetes_role_name": "ENC[AES256_GCM,data:V6jHfJZ1PWmf0qg=,iv:fyHEiX0RZt7NstZv6IGRhQIYXVr8Iz13Dn6qw7Rz/KM=,tag:/UvfV+GAqI5DRkwkUf05cQ==,type:str]",
+						"kubernetes_role_type": "ENC[AES256_GCM,data:iuOvMYTeiKa/UWk=,iv:VITMXM/DAVPkuGEnMUijWE5E2VYSL6HZHGJy61n8hgU=,tag:W0dt6G01XFO35PvnHTrZsg==,type:str]",
+						"name": "ENC[AES256_GCM,data:I7+TkySSAG65gzA=,iv:BL/D5lVIp1LlQnUOEcI0YwXZmDF8anj41bdHU22i7h8=,tag:Ou9RG/gbPN0IXTCSoUp6Vw==,type:str]",
 						"name_template": "",
 						"namespace": null,
 						"service_account_name": "",
-						"token_default_ttl": "ENC[AES256_GCM,data:M+n2bQ==,iv:FV3Ki02wNSVnnq4kgkCR4GyE0HoNUApaRj3alfX5XI0=,tag:TZ/FWmGuWVgPZe4e4rcuCg==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:tghsEg==,iv:sB/X5ApgEsxx8a/078quyRgOPKSAmjhbim02XIBAwbY=,tag:/iWCtURQdZ1oLjvju9b2Qw==,type:float]"
+						"token_default_ttl": "ENC[AES256_GCM,data:L6Ujog==,iv:UQeu/ye8V6dqycD/dYnEygOriV/ueyzCbxdVuDrPEs8=,tag:caX1vZSMB4f9UF+jJZH0/w==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:VhKM9w==,iv:rj8paB50Q65pgJ/Q4LNYDTmzU70lmoR6MFeMGNrweno=,tag:Sncr9rGxxGT05HAzXIf8oA==,type:float]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:iA==,iv:rRIXr2OuMR1ob9qv5dd6BgtFsfjMCBfaWL4orJ/ayjU=,tag:jTN/31LmgOrVJSjVqCgJ7A==,type:float]",
-					"private": "ENC[AES256_GCM,data:M591mOf5QNg=,iv:cS19DB0I8Nsq8FEds2UbHoeexZvlEMjqOZrv0/h+4nY=,tag:tugcDhyXl4UTOuEqoRL2wg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:tA==,iv:50Pdvf/1wfFqXT3/7ZPI5xms0IxymH3E17Aytx8miXU=,tag:hb7kf12NQxjdVQqrX/QLiQ==,type:float]",
+					"private": "ENC[AES256_GCM,data:qeMtY1lYny8=,iv:BVUJ1N5R58uKxuLp/KBsz9CBjMyB3RK9g71iVcVu81c=,tag:pM1imgdr2tBWlnw9yOTvMA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:7K+wTVtJeY4Xhtx7BQdOHJoE,iv:xT05K1AC1eIANbhyW0xo1ZdTvB194LmOXWcDDQM12gU=,tag:KufunGbziLUDY5LgwiLX3g==,type:str]",
-						"ENC[AES256_GCM,data:Y9e0Y0akZdxJCq4iQnqZQI2tyggFSx3vfHxkk8nOYedIGfg=,iv:0/fDwVkO95iYMzzNSs9X+RIMfgHm+xFnoDwza5cgJ4E=,tag:7pzXW8azkSBef2VZ590dJQ==,type:str]",
-						"ENC[AES256_GCM,data:jwqDyF14jTwYNEMhkFZvoi6UR29wtM9xhes=,iv:TGm7y5ur04h/uoCKR6zHEb3mFFKHZIwU9jcRE//+7F8=,tag:C0UNSyJ4qFxThVBnGRdxKA==,type:str]",
-						"ENC[AES256_GCM,data:mP/8DHPjxctDI2ab/e7W84kwXkfhPUbak++l8nvJwhkG4Dg=,iv:h/+6PpgckkDzfkz7pdrPlU14M5u6HieHCA5t4OrT1tU=,tag:M5KzckQUZHmCPmOpjQ/4og==,type:str]"
+						"ENC[AES256_GCM,data:eULm7NJwHb6IThvOGjjMAQSA,iv:vfd8suVq2EgTMQ+4q33kkmWvBbxyNyXa7ik3MCYoJjY=,tag:UFfr93rTHBGAfpTXGUL6dg==,type:str]",
+						"ENC[AES256_GCM,data:+nqnSY744fc7JmCkbYd2oDK1Lw4UUpnBW65nKQlUqGAVtC4=,iv:ZpleCiwXdNwZpo9hGg//2p2WZ2tnu7z4LxwHRlHfNGk=,tag:740HLUe/UYCvevustWDGyA==,type:str]",
+						"ENC[AES256_GCM,data:jt5JCc4svdoSGKN7kUJX34zCzBp4QzpKPyw=,iv:/wEapGAF1Qn0kk02o0BqANFZ/RR5GWboVBQE0ClONTE=,tag:pvulZljUyYUDUXz7coo7bw==,type:str]",
+						"ENC[AES256_GCM,data:Gw68l25lmRzkYOdKCndaIPr615EMnevXnf/qGu4ghpiF4/Q=,iv:WUeF2gCkeyFLKM3DeFt6deXN1mVJ85dIDgwnj1HYbdQ=,tag:D/VYZBjEhq4yPxLsMdTQaA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:rfmhgnyltg==,iv:f7X0iVYSwP+S17HyxNJfcbehX3lL2O65blp2r/ljt9k=,tag:oPkpCBKIOcfS/Cbnro3Biw==,type:str]",
-			"type": "ENC[AES256_GCM,data:Aqrl+fzF9LzJFR+aCf89ZH3n+yoH6YHge3gwKkDtaIIZc39V,iv:TRUAZvEEcFQ6t5lgXudr0WwF7SOGve0pJK7xkW395G0=,tag:5SYI5gXAELUVKK18eYaZqg==,type:str]",
-			"name": "ENC[AES256_GCM,data:qslffyFLxL7zkvUmdadz,iv:f7fPd5aVZgFajQoeZApe8/P6PElOaWZpG5qkuBfc89s=,tag:56Mfp3zreNPt8VMa6x0cRQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:xOQwyuqN9n+O3Qcj4l74ZVRxP7Ji/2ryaskhU+MNgMuxkzJBR7XkkakRl9vsZBUu6g==,iv:D4eQuxx9gOFylHUW+5HSMkCO6nPlvlVXsDp0uTWuQlE=,tag:oDQ8/XU5TMoyqRQEvtgJUg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:gF1m0UlOng==,iv:8Ruen51xD6m3Tm7MEoB/X/UngHGTh8ZdjpUm31SNYmw=,tag:pTy/hoUM4Ll0BM+BZladbw==,type:str]",
+			"type": "ENC[AES256_GCM,data:TKBKIuKXwGwUvF/y/V4BK17tiGBKpsQMlB+W3xi1JpdwKV9g,iv:WGc/7RSap230JybiuDmm7g0a+e0Hn3DhSKty5Hw9Mgk=,tag:/xXlr/sIc1JalNS4N2qi4g==,type:str]",
+			"name": "ENC[AES256_GCM,data:Z/nRppoQYz8o3yBe0YZx,iv:T+0siMPV4tQezulO3Rmw73j502Jn3+u7hPVkvlrfilE=,tag:wUZadkcZWt0xXPfJ05d/AQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:o477AC149OoKfl2bTshIhXBHh29JuYgzjNeTgVAfmvZWt9q9vDGMIwdQLVBYFh9tXg==,iv:/puNKm/qRrMBTArmj7JRcX2feh8q+ETWaNyPEFVLErk=,tag:wLjNxuFQy3XGAXYGRwtOUg==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:vg==,iv:ExNcO11+WcoTADQkjj9zKJ1P3LbKSq4aZJZbPVzuc3U=,tag:41Cxis1/audhxniO6aufsg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Pw==,iv:UpO61WbEzFCoK/vN5fh1ea6/8R8CwzVmCpoHg+b8km4=,tag:C+Ec0WuGJYl86en0dXCdww==,type:float]",
 					"attributes": {
 						"allowed_kubernetes_namespace_selector": "",
 						"allowed_kubernetes_namespaces": [
-							"ENC[AES256_GCM,data:ZilPijHThhTSR+FvrJfGMM4oPxs=,iv:xcptQb+UZO+1V5ZJy1wFktrdzSuc7iaAjiJwI5fwCk0=,tag:4sMV4o43pvBMFj36/0KUyQ==,type:str]"
+							"ENC[AES256_GCM,data:whwEVm0jrgeD49p8u8e6JEqYTOw=,iv:Df1FpaqqRi0yJyeOqxCgFp3BntWb5JDhuGt8UKBTKBo=,tag:sbK+1KDLCBO19LOCG17gPA==,type:str]"
 						],
-						"backend": "ENC[AES256_GCM,data:gEzuAjRfUv0Lyg==,iv:dEBa2JQQ3MkKAjkFo3kDbX1qbijBLuFcJ5TOwSaYirA=,tag:XogXa2QFoGBY6G2xXmU+DA==,type:str]",
+						"backend": "ENC[AES256_GCM,data:P5YmqQ1PdwY00g==,iv:R34RUwlxMRPhjCOxbR3sgDTTSkt+8Y2fnZfX2kwvt+M=,tag:2G0PDcNs2WGzj0xjs0nUZg==,type:str]",
 						"extra_annotations": {},
 						"extra_labels": {},
 						"generated_role_rules": "",
-						"id": "ENC[AES256_GCM,data:Vl7fDR4QjwvXXwzoBGuLCvQigbmVMkFM4xTnaqJlI84=,iv:kIuT7gx008PlpQs3lLTlC1DBs3XYU3v5TCQXVlP0G14=,tag:9lM325UhhVM0slrWTkVVnQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:5hIEwJJzaQR6AlgJIWWN+DsnPqoC3KRRs4l/OnWYuKk=,iv:/VDr4FiYqiZL/+ZUZe9S6Hl7dXp7Ul3AIMZROZ+S1ac=,tag:NXTQZVTPO0jQKOjsWMSF/w==,type:str]",
 						"kubernetes_role_name": "",
-						"kubernetes_role_type": "ENC[AES256_GCM,data:lepdXg==,iv:LfROWKg2Pq8m0kmuspGW5Y8W6UEwtP5N6zyybroMUJY=,tag:RThN6MhlCqKSL9PBiiFRtg==,type:str]",
-						"name": "ENC[AES256_GCM,data:WOk84C9xCS+1nxYYPdhx,iv:GpGFPzTEt/B2ph88KfunKe67mpk/LvTz8sg7FMV0h6g=,tag:9wlNzzrU2PegDWRgKaj7xA==,type:str]",
+						"kubernetes_role_type": "ENC[AES256_GCM,data:n5AuQQ==,iv:XA16ZyO4GR6jH9h4L5R9c6LWmAPVTrgieo61DW7Sm50=,tag:WTGuCGJxjVBOWz+qtTNC3w==,type:str]",
+						"name": "ENC[AES256_GCM,data:vB/FQl5l65K7fSi2VjuH,iv:/0dWRpdD62rckitWuJZgph3GcHcUOOEXpWyT5Qvztpo=,tag:Tr+EdgYzp5DfuRW2OcpjeA==,type:str]",
 						"name_template": "",
 						"namespace": null,
-						"service_account_name": "ENC[AES256_GCM,data:MSBOGmt5bYC1cPbZqiHtHEjb8lk=,iv:gl1+kfFO6CXDJsObXSqMba03NvtFeACFgNkJFW4btYQ=,tag:BfvsEncYSmG0QtBmY89jEw==,type:str]",
-						"token_default_ttl": "ENC[AES256_GCM,data:iSn/aQ==,iv:RS16QDNIHYWrBF8iRoEbJksn0yHZC5L9U0i32W5f2Pg=,tag:Z1LAWI74+P3Kc/CRBrc25g==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:HVZ6lHk=,iv:K+Jn989H4EO8Dvg441hN6T3mSbDKo987110A1QOrPDc=,tag:uDEPzfiZEyWTIFZaJd7qLQ==,type:float]"
+						"service_account_name": "ENC[AES256_GCM,data:nhGCDAOHloCFv7lVC9CTEYEAWnk=,iv:dlXd0Do2+pKLAq14/5YxilFZL94buTafTCu2TDY2ChY=,tag:XcZqjMZUfJx3aqFnGZoN1Q==,type:str]",
+						"token_default_ttl": "ENC[AES256_GCM,data:3zI/hQ==,iv:R/LLAbHV3jDPyLFUB/estBnjFkIMWhFYilWYHLqOnQE=,tag:JlsfzdFfgvNgN/+42Bw+JQ==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:D8z7i9g=,iv:8EzwO4VaqzseKovlHNNTBTFpsymOK3+dVJLIU1XqXWc=,tag:2y6h/w4cwm0Ga+iLV+5ydA==,type:float]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Gg==,iv:ifcAw8nQWxtWMRrKGP8QSdoLEUQFskQJU31IuIYif7M=,tag:unihcPlly945JudRDIh+ag==,type:float]",
-					"private": "ENC[AES256_GCM,data:qkv4+MnLVOU=,iv:ecapXf6l87vocHvxwa6M5ERa8OuKO0XWmpVjCfV5Mo8=,tag:V2FYd+MdkRlnzOvHqNHgzg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:zQ==,iv:bsy5iYkrWuri7pO42kkofcY552oMgMz2Y3tWIMhjCo4=,tag:QG5R+ZiLnaj5IBCuISdKyA==,type:float]",
+					"private": "ENC[AES256_GCM,data:Vh9KvxLrJSA=,iv:iOVi3Yhz7w6WSNCvIpOyqQIYJYvziUXeGIaFjrbN+6g=,tag:mHJtGfsLCvxrcShKt0XV9Q==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:0aHuFYsVFrpNOwwveab5UrnL,iv:GRgoSxiocKkgBKFKHzqEHZhWWPKa/KrD8N2CJm6vhzs=,tag:alyLtn4zoRMK0L9Xel/xYw==,type:str]",
-						"ENC[AES256_GCM,data:w9l53qHn26J+N2BWDNQ/HoBPcEcF2VJ6Plg=,iv:CAPBRq69F2FOZE/MRaV2UreMK+EWB8v6OTLanjDPeQo=,tag:ahKH/ZJU5HYbXVq0lS8NlA==,type:str]",
-						"ENC[AES256_GCM,data:ZhgMcBDb/qFc2rehCbPF6RNs3f/1qffklnoJvWO5zmebkXw=,iv:tdqNhbIXSjMsB7/U9Yti9KxMPqRpkziJW3sSeImWBA0=,tag:7Ifzcd6N/Pna+AbviOak3g==,type:str]"
+						"ENC[AES256_GCM,data:Tp8mr6O5/kMh4dMhvQYYwtxi,iv:3Y7vVBeNhH5nM8UBIiguyN2KATaiJkKhRdvT06P0WhI=,tag:2lkrcz3tgrRiej8XY9y6Ng==,type:str]",
+						"ENC[AES256_GCM,data:ImcYjkMMifxsIzD+5zyjVm+GvCn2tbYel9Y=,iv:MyaK85ii4r/jrX8INNbkHzwf1iwNzVZuelHj78SQmjU=,tag:8VNvZbz62XoG+xbNX3NJEg==,type:str]",
+						"ENC[AES256_GCM,data:/KUdso8nJkDunf9bSfFqaJlxa+G2a5MBpgT/cacrkrANGI4=,iv:SHLPAze7d+W3Ii4rJzXdW/RNXMGux8KhA/pTsJ3Jur0=,tag:nEomz9gRc+hRSVLvKtZ0Vw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:udr47vMK9g==,iv:uHO0LDV+TqVwa/VaWJXLDowYDitwZsO5ntW9PRu2vg8=,tag:do5vTaBYwIXKGulDrxtIxw==,type:str]",
-			"type": "ENC[AES256_GCM,data:oEYy5BGidTSZs00Zwe24lfqzwzh+j1y1XfAQZQ+DPPwrquK5,iv:uX4EDX3HVuRxVDfbu5EFAJ7QY1qcRV4vnG9q0+QW8gI=,tag:KniJHzJGa9JFtuz3NetmuQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:KMdQYkyUEu6ZOr4=,iv:qg9UEL+olyXk4Q5fzwtzEIcSqm9EBigt+7WwLGQHbFo=,tag:bYqdOAmksEQV47aLXrq1/A==,type:str]",
-			"provider": "ENC[AES256_GCM,data:9NSVZNrxjasRf+1uKf2aK8xVN7SyKKT5GOgkHZ578+ZLVKTWI+GBa+0sdmsEXevFKQ==,iv:d/ywxDZNVaC70su4Jbc2zirS7Lq1LHyWKJwm6S9i9mM=,tag:D0RU3Dus39ofybyJBTA8fw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:gf1JR8KnuA==,iv:i5kaKgmP7zWmiJqehuE2pMvI2Qr3ty2vYgVgT9z1zuk=,tag:rup5aKnRgjEDMhCkZsQsHQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:nbWJBQXb5yRxSweLD37+hsvMFzhWilXLpasKnOSvSScndiK/,iv:y8tjAkQ7r2dk11guXqSTzkowR8/4z9qAxD8eUo4ir9I=,tag:F3+3S3J00xhDYLKWjdMIdw==,type:str]",
+			"name": "ENC[AES256_GCM,data:xiuVP1qHaHEZbEw=,iv:Nogs4peq39BtoPKTiPviF/UHUU6BbnV5/LKcr0S5F9U=,tag:GQEmYUYgVaK7SbC+z6ZgIw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:yq3Z6M6lwjhSHB8cyRxsFtTKyNkeNGee6BgqUF2PREBVjl1gRSr+AECSIUy3DN8ikA==,iv:iJO9SinU2tj0Jsv5MyAnc8U8ks4pPd/iFnNV07WV4Tc=,tag:oBs+jLxKffxdjQtN7W9MOw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:ag==,iv:6i4K19pR+2n13xBPpAvVY2NLs46V07LQ9N28xSc/z9A=,tag:dTAZF1grGNURKSdRSsj0UQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:ag==,iv:k/evLgDjNDZxQyABZ1gnPGVMZHJCEPrarU+oNUaKv6c=,tag:kp8HB3q7UKG8cd3uVQ0AFw==,type:float]",
 					"attributes": {
 						"allowed_kubernetes_namespace_selector": "",
 						"allowed_kubernetes_namespaces": [
-							"ENC[AES256_GCM,data:sw==,iv:vjdMwnNzDTsj9L2qp3h3qU0F/b7AS/e+nN1+EYI/PsY=,tag:l3okl2slDI7ASaWFtseAVQ==,type:str]"
+							"ENC[AES256_GCM,data:Rw==,iv:v11JJ6r9R2C8Nj/Udq86T1b3DzuDXkXeNonVEgKgb4Y=,tag:ZxJ2Z5yXQ7AoPLS+bbS6jw==,type:str]"
 						],
-						"backend": "ENC[AES256_GCM,data:AXR/B1O8mP00uQ==,iv:iOjhxiScVDaupSlMGVH2NBpeihH7SO7Q0pSb1Vfumgs=,tag:CU2c2fYkT44chNqS49LbsQ==,type:str]",
+						"backend": "ENC[AES256_GCM,data:URjHTGLONRflLA==,iv:+S0lcg08B1tbrGdaHHHJYITBuEsZeozvmkmI1Y0OORA=,tag:rCkWjdEsI74dUeifJMmxnw==,type:str]",
 						"extra_annotations": {},
 						"extra_labels": {},
 						"generated_role_rules": "",
-						"id": "ENC[AES256_GCM,data:C3RnK8ZTDMwCk1qCwZDPJQvJTNPHLRXfFGbq/g==,iv:Q6HqFkTKzQTjFlGfiRVrO5ywb92sfdcK8MtTAT61Qbs=,tag:W0AX17v2LoDooOpWZPMBhg==,type:str]",
-						"kubernetes_role_name": "ENC[AES256_GCM,data:PgDj6UcULoySXKieKw==,iv:XJ+OGteC00FcZwezVj5tXn6KHzeGK3jX5tgIclbrmL0=,tag:2HDQSTWmUzesydgfTivlbA==,type:str]",
-						"kubernetes_role_type": "ENC[AES256_GCM,data:25PdeWgyj+uXeRY=,iv:896ybC584hSGGtK/40ece89+7AzC4eB4kirsW1X7XPM=,tag:ti6GlzsLhj1i8ny2vYIFRg==,type:str]",
-						"name": "ENC[AES256_GCM,data:Wlr4eCKDVBoVU5I=,iv:POsRVo8Jhn+IuRK3DgqjHMFRV0/x0qkgOYM45fuGWyk=,tag:S80tDeOryd3nY9VbseA73w==,type:str]",
+						"id": "ENC[AES256_GCM,data:b0auw6U9Ms0VWr6v4ClbfCnyBUeqY5PVy7wkyA==,iv:RiHRsfr12/d+xcbuLk5PKHlWfCjFIdprdcLPG44eYFM=,tag:Tnha27jo3DsZlIsfnHklTw==,type:str]",
+						"kubernetes_role_name": "ENC[AES256_GCM,data:if9nik6AnhxxjOd9/Q==,iv:5PxSuGGKe6WeWEe1GvZ2kKQi+C9Y3xxKGHw30rWu4d4=,tag:07oE3PC++3eGS2ZTZ1XJJQ==,type:str]",
+						"kubernetes_role_type": "ENC[AES256_GCM,data:tC1cIPlPYYHDZcM=,iv:KEUtcia2/vYy5hE/OXyG/S5a6YSYrcf/cLTE/+M4M5s=,tag:nCR1sniSp3SeRCvmD6Coyw==,type:str]",
+						"name": "ENC[AES256_GCM,data:ZwvyzDTa3BBzaPY=,iv:6Q9uUBsNSSKgY9uQ7xpwl432ZJIOz3PY+GA3OhJFF6g=,tag:JJaoz4MUwHMaYB0D08gALQ==,type:str]",
 						"name_template": "",
 						"namespace": null,
 						"service_account_name": "",
-						"token_default_ttl": "ENC[AES256_GCM,data:SdXnVw==,iv:RnjHsDmyyHnG0FcTPvBEWVar5hzVGe5/HxJ7AhFQr78=,tag:pycCfLwxmpXqJ8clLIfS+w==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:K9Tzyxg=,iv:nHXZQOJnqQpmIKOjjmhOj5I2kBkVV4oaEf21M9TJHoY=,tag:BVDDTsLljKRTFO5Pm0yrUQ==,type:float]"
+						"token_default_ttl": "ENC[AES256_GCM,data:Jw8KOg==,iv:OAmsnpBF2avClvB8uPJ5IWBesfqRRkNTH9nh1IJtxsc=,tag:AXcNpXx1kkV0A1l8ThfOwA==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:4KS/tO0=,iv:DYVG7PeWugeYREBnvsDr+A+K76yhks2N0IDWxQRBOnA=,tag:OhGuWcBLH2+7Ca3jyb+5sg==,type:float]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Ow==,iv:EJm69PAR1eYCcRRZHVSP4YrNK+CDqKckMn7kGAfVCkY=,tag:nmdD+SK/CMhQLfOu6HBkwQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:ZE/AvPNaww8=,iv:ZzwJqluweyPod6vrSdE1VSYSD0O/dis3J59tilms3Mk=,tag:tsDISWHDvlAAxFnXMXdjlg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Bg==,iv:pYQwKm+OurkT16NgBkGTfpWc62U7NW0U+FM3EsHagCw=,tag:3UhLSIYIJJc0n8Zu5C4v4w==,type:float]",
+					"private": "ENC[AES256_GCM,data:5Y3CBxI0pKw=,iv:T21pS4qP1ExJT6l37klrJ9ConiVKbGtLugA34Xtd+04=,tag:+d7XE/1AWClmnJDpdeRG8Q==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:J4+9IP93GKNGhsK2Ex6sjYEK,iv:iMsxxMD2qBfFNOql94Y6+L4Xar/1SfkNEYioUpi1Rb8=,tag:PrnU1aoPttTbhqpP72FFpg==,type:str]",
-						"ENC[AES256_GCM,data:AqzdlYB9j1Yx7V5YTY8eKpnd6qlKxlM8Y9w=,iv:Sjq/dWp41Sxi1BP5jMr86AAj49XKelJ5I+ilfm7EUBA=,tag:7c++QokXT5S30nImJ891YQ==,type:str]",
-						"ENC[AES256_GCM,data:JlE36IcEHlCHKHX3T1Wv06v8shRBc8E9uhvOIqPtpXltDkQ=,iv:lnMr5fl2QUO2MZ6bmZQuzp1t8funbgUt45hhlEwrI6I=,tag:RYVAo0cEDnvVQJ0REY8PAA==,type:str]"
+						"ENC[AES256_GCM,data:bBRyF/Byh2Gv8wuYUTXALjzU,iv:PLIBJt5Awy+pGSafrzdV62rAsJ0gfncvDVKc0TpHEHU=,tag:9jnyewwnb1EHqF96eVN5HA==,type:str]",
+						"ENC[AES256_GCM,data:s1OVydoEXbcS+jCdpXRFD/vcQD3HelBicYE=,iv:WHNQcDDuHEzj+XnY6Vw59j4WpsKiqvpC/ZTM8BbYqSU=,tag:50VZYKKrTwVl71wcG3jn5g==,type:str]",
+						"ENC[AES256_GCM,data:3MGshXy3AxgK5Oy5YVeQ68S6BV9oN6B8IkD+RHzuGxTZRZY=,iv:ZgcUT+uOkJH5Z1AAgVDbLYl7Szv6h0OmaOZ7d7GQ2Vc=,tag:PYatmmHrIVDTso9cUJeyWw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:NWVZpnaBrw==,iv:FYI3EyleI2OsewzbBoHOqstP5khtYV2ieNbT4gCe92Y=,tag:EipgdYmvbooVrjQS/qw8Zw==,type:str]",
-			"type": "ENC[AES256_GCM,data:U3bKAqH9sfibONrAUhQ1G07hweHTHm8u4ricm7BTAH34tDgv,iv:f1Js3f4of1RJfV4cHuipEcY10vMorUiccHjtPme0KRM=,tag:1NZPF/AGWbNRZBv6LfOXzA==,type:str]",
-			"name": "ENC[AES256_GCM,data:h7cQe5XTquo=,iv:F6UY5sGxpNTCP47X6jd2w/n/V3/dHPI6f2SGIu4pw0Y=,tag:ee1GfWm3wCW871F3ia7veQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:nMqBv6YNrX+lzMTipXloRWX28dUpMkqeXrgQxd/Fy20E97ozKu/F4D79FNiYCmt4WQ==,iv:JGLsfHJA69erEMnhpWJ0l5Isqp5mNFkZfDvID4figiM=,tag:0YcRvZDR3gc1zCi4CIh/Yw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:aVOISNaUfA==,iv:aZHc3vMFK4KPQt2cu+n5e38xevGEsKaq+Llvtb98kno=,tag:KtX3U+iD1oDb5pB/omhZPQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:7Fs3/xsn5Y8qz+dTBb0gf4tmdKaCDrU0uINnisISO8+OCrxP,iv:g14fD4bfa+3netf2PwLF3qWdgOtcczXOCSL9+f9LRIo=,tag:EWhas0Tk5r+99hSv/AS45Q==,type:str]",
+			"name": "ENC[AES256_GCM,data:JK+mQYAx4kg=,iv:wv8MHjBNIyePXOTOD+bUsRJPZgsyvV4FIJtC5QuZwcI=,tag:Vd8e2pxvz5Vjpwd5BK9h2w==,type:str]",
+			"provider": "ENC[AES256_GCM,data:d91vT47wSlLDJgOzxT/UuxTxBY3fNNWA0lYJv7zJqZ8V8OjLGFBW0Ay54bMklNvuxg==,iv:L/ASz1nXuajsQPYDsTMExAz8sbBKRNALQGb1KKMtVkE=,tag:EgTAoUzdtM05i2PpW37GNw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:BA==,iv:VaM1jQReox9k1ILQGtlcwCbLKNt+EDA1lM7kHJ0G0G4=,tag:kYf2esoZhMoKmRfbQQFLxg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Tg==,iv:+IQtjOdNwU6SkvCK+f1oqySv99AAfU90Swy8tpVL464=,tag:oqhoc9O5zx3eVQqP87bFEg==,type:float]",
 					"attributes": {
 						"allowed_kubernetes_namespace_selector": "",
 						"allowed_kubernetes_namespaces": [
-							"ENC[AES256_GCM,data:oQ==,iv:hbgd6RzVMUueffIHWLzjwbtpG0cSTpLb/KVq1Ncot3c=,tag:hKpKwAcwvIwJ/C6q5tvIVw==,type:str]"
+							"ENC[AES256_GCM,data:cQ==,iv:fR9OXi6wwCqiOUHf+Zaem/vnhPMyU/dXBCyX7Ka8GtM=,tag:x0CbUAiJFLY4FM0S0LcAVw==,type:str]"
 						],
-						"backend": "ENC[AES256_GCM,data:IvH5rNMqcIMjfg==,iv:LrepY6W0lqmdQMWcBFGnSjzImkjdrKKFr6APnSOps9M=,tag:qoWvrcV5MGteRGzuTyq4Ig==,type:str]",
+						"backend": "ENC[AES256_GCM,data:oFGI32xAMhW12g==,iv:dqCg2sd8PRGyJwBOh3SIXZUt9xCGT0LqaoMa6F8fN1c=,tag:QjZm/BMJ3Err0iz8ArpOXQ==,type:str]",
 						"extra_annotations": {},
 						"extra_labels": {},
 						"generated_role_rules": "",
-						"id": "ENC[AES256_GCM,data:HsyvYRF8fiCD/w3Wx6hyvZ8oHVYnUrWyzQ==,iv:lD0ElnyH40CreEPfqECaep1jsu1U10MuSxL4kryEC88=,tag:avZevPpwbtmMPM7S1fJr5A==,type:str]",
+						"id": "ENC[AES256_GCM,data:L8WPknFnlcrutlJi0IYmLjVVgYNcINFacQ==,iv:nGqmFeaz48x1ha0CWrlYzSSQTPxFtdIH83qbkTPxcqM=,tag:1oyY+HGFCvN4m8zjteb43g==,type:str]",
 						"kubernetes_role_name": "",
-						"kubernetes_role_type": "ENC[AES256_GCM,data:+mFscg==,iv:FowFPXqPXis1R6YEAfKS4dLiNa/LX5Anm6XkSs8LI08=,tag:xx9oaxNeLlNHwdqMQgSnhA==,type:str]",
-						"name": "ENC[AES256_GCM,data:20g7pVqxEbU=,iv:CFPOEw+iUZUx+jkrrr8wfYIS0yFpoGKzZMzBFblkt0g=,tag:m2XuMsVw1t7QnpSdDc+ulQ==,type:str]",
+						"kubernetes_role_type": "ENC[AES256_GCM,data:/khOyA==,iv:rXYtWsR7RAHJGVJQV6HXakpy2TQ5O5cdbFxpw1WVT7A=,tag:8ZB/MjWW53A0kTCsOR8V2w==,type:str]",
+						"name": "ENC[AES256_GCM,data:q6jKtvL5e6k=,iv:TFTHc1zevX5DBsiPCcr5zQEpQMuB+DOyPjj0V1BoAq0=,tag:eVEc0m2r5lHZ9fCFVA3srw==,type:str]",
 						"name_template": "",
 						"namespace": null,
-						"service_account_name": "ENC[AES256_GCM,data:OeeFRjgI70Y=,iv:HGnijLaVExkq3Mq928URnjtuAkpHjyNf9DLq64VSW1Q=,tag:0W01sqKKNnm2VPwrkW+OqA==,type:str]",
-						"token_default_ttl": "ENC[AES256_GCM,data:fNkzkQ==,iv:U9KKLOL8srqiGW63oqUDlqcx7PbDYA9VibKTWHJPARI=,tag:+y9YJoizPh1oom3SaWNX4g==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:nQ4W3nI=,iv:AvgJZW248L/dQO+WOfj1jc3sYthslHJiTx52Tflm7JE=,tag:BqB5RaJXYnC2suyRRw84tQ==,type:float]"
+						"service_account_name": "ENC[AES256_GCM,data:pCEnZTSsrmY=,iv:CjHttn8gcOIsvYNPF+3WM81kGAGlKtlwYW70K5glMH0=,tag:MMSZeAUxrsom1Wy1ogurCQ==,type:str]",
+						"token_default_ttl": "ENC[AES256_GCM,data:717jIg==,iv:A6DlVZvP2II4yAYNaAMeAB06pypstd5d3T3GmesR9ic=,tag:A/6Er3qnEWF9YKFNhcP8jA==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:skRcCug=,iv:1Pp/9476ZQiOFif/wsCjkFkU4jg1iOfDZzwJaFP5Wjc=,tag:BescGcew15sYmSFS3CDZug==,type:float]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:/w==,iv:w1wFbJzGz1qZYH9Rnyx7HGktiqqr1lWGzdm5pa46KBs=,tag:+0eXhmmg9NjEqOFhSkWcjA==,type:float]",
-					"private": "ENC[AES256_GCM,data:5wYNzV1IfoI=,iv:sAlSxtE5vVKgh3QlVd1Eq2uVWTT5AvcFi0GxLVYJqqk=,tag:dPI+44aEixVbxsvKJiGt6g==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:8g==,iv:KHcB9/YZTU+D2KiScEQRze0nIdkAxh4Tnm7jAkLeXzI=,tag:vFsc4uGYSYQNHCdRtahSGg==,type:float]",
+					"private": "ENC[AES256_GCM,data:UaiacOqGzmM=,iv:zqOxJE1rUA/odlOsFihinifS/TS9XzNryrI1oRmj94Y=,tag:utqW4hQOta6MISwKmxs0Pg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:0wS35AuUBxlfQTY3Hx40TF9+,iv:QiBJpobPJrx73cYEuwDc2KK9AJKSKHMwcRrCrRcSgto=,tag:gwmn5DwylMm3Irc+bxp4jQ==,type:str]",
-						"ENC[AES256_GCM,data:41I/uLfB/XO3mYQfy5rjxu5GY7LKgwJxhgc=,iv:8UG3wSKpTrEPLbYeAolcPT2VCPHUzw6kczF5yOSRw+U=,tag:cAi9Zxaz/4oYX21DqpfxTQ==,type:str]",
-						"ENC[AES256_GCM,data:uzXXHepFbrmBE59n0p300qccprL2XUm7mfFtzM9APkw/z6k=,iv:OcnZLclsphRsYpV5WwdREBW6ZL+jJincLx8vX75KRyk=,tag:5EzK/TII0kykXVX9eiED5Q==,type:str]"
+						"ENC[AES256_GCM,data:QuZOva18lEskgUBxPKdp9QIS,iv:URiATxc3sWaL2qvP8my7mUXHv5KDMLF4rEz0HY9b2rs=,tag:CNU5JUos6/DiqPz9+IyhjQ==,type:str]",
+						"ENC[AES256_GCM,data:HucHwc+y2EMgQcWO5ovGNo9P/qs0wC3qx8Q=,iv:SWXR6elywKyqoWONF2IS4wOcYgeHyUIrZQTch9WkpYg=,tag:WMRJfMsBUubvG4njIBqcLQ==,type:str]",
+						"ENC[AES256_GCM,data:VWylfthQWTjBt5ubWgHsWV6KTuEjUbbbRMCQIH61B+McYls=,iv:9QbiVRl7vi1sX9Tlpp/5hQLZOHSABxf3dscec2SZg2I=,tag:iw4IkneBl0qezzJm9qUtpA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:byYbsksQ3g==,iv:1hTkKwUcj0oETOBRY92P30sbeu0ZvkVR26xfMMDKQ/w=,tag:sYZVw3/O/SuCyLjL5hc/Ig==,type:str]",
-			"type": "ENC[AES256_GCM,data:5AtQ9KbZvQ1Mk2sxaYrZVF4oa2FguPFSXfANPi/HQvSWVTgx,iv:26opks7iI67Y7X8XxdD4/Tlwc+p9T7gfmBhExs8yy+Y=,tag:zgCtknfuPIReCYikfCMdYQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:iosqU+94eLokGGEujg==,iv:wIfw0JhTTCuo411GWRHem4iigF+IoJlWybRwpkjghaA=,tag:SFql9sZi8SFK5s0Ejazyvw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:hZrqapEwZq0mxEeYk6QIEA8V1KnoZXULUoQrKz90c9AXInssKbgjMZls3hJJzUB4xw==,iv:ahzUYSWAG2Ys72cEr9VV5kL6NRBMsjBKHI/2+arX1BM=,tag:s/3xatcT29mbhkBSE/dM3w==,type:str]",
+			"mode": "ENC[AES256_GCM,data:J7cusUxybQ==,iv:MWQ4o71SsSfTIHH80GUkinH10X/GOXgkJnle13Q1nV0=,tag:JCmN1ylg+niEtDccWikTMw==,type:str]",
+			"type": "ENC[AES256_GCM,data:nWAZmyuZq4uY4GvoakGPJ+zN5Kdj30LzP7LjQ9W+Cdh8x+2S,iv:lhY5UhcqRDVdBWPGwNVHa4dfg3aa90b9weujFK8z8EA=,tag:YvnYyKpJCXqGIALTnqw5+A==,type:str]",
+			"name": "ENC[AES256_GCM,data:demQ4E3Ns5qK6Cg0PQ==,iv:O18d9m8P3xeGmjsTJHH2TwrD3USjZHtj9HF9LDERlz8=,tag:p13+Ve0tepfL9u15xOHfbA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:A7qMwhkVxkOu5rp7nkUv2DvD76sXmie2FOgMfXENqVZ0rGCNZGXgQYOtnSGP0+IjYw==,iv:7awS0cSvFWsewuh/uha35K+8Lw1j6yxFxgCwoPCI6BY=,tag:kqR7jbDWDaz2ILJWnXIMvQ==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:0ZeRVJd4XeRb8suUIw==,iv:vvYjQc/qpyw4j4Y1KmwgY+6yJODyd8cunTM9+lR0fkM=,tag:hMiH+0BzH3ibPvPSR076rQ==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:/w==,iv:G0M1zWmhzUCYMa4iA0CqgIQYGwTh1DdF8qFpxB7T+fA=,tag:WIM+iqAguuATPxrkHwisIA==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:VTvioUY9uWuWQKPqkg==,iv:pjnZOJIVj4y573MNruMWvFW6Y4qoY2X75TaEqKP0+xA=,tag:yzDxHwMYTRGkHR+W12uixA==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:2g==,iv:sSC0HKerAV+7tqOe6icGe/9pBpQtHlwIWau8mDKdVqE=,tag:J0OgSAXVNPY04dq1Xfh4Kw==,type:float]",
 					"attributes": {
 						"allowed_kubernetes_namespace_selector": "",
 						"allowed_kubernetes_namespaces": [
-							"ENC[AES256_GCM,data:2doo3lLoKQmxOFZitg==,iv:F3NqiH18hh2Tw77DUWjND+LDGBQLwb/kmVAQIemo5fs=,tag:ydibU+bm5gG+GSDxyhH5xg==,type:str]"
+							"ENC[AES256_GCM,data:1lz4zSQvi7zXWyyMNw==,iv:Qa6QURQhzsNzcSpe6l6SRGA4QlZLAmqWZmmwbZJY0bw=,tag:u+Siy97ojA/dgz1FWwy6+A==,type:str]"
 						],
-						"backend": "ENC[AES256_GCM,data:SkzbmDWRu9J1fA==,iv:WlacjM7EZSsYgl2vFkxOx8lIu0Aki9rLmSAaaAGm4/Q=,tag:X7lAB+jMRWhxcqVyzC/jwg==,type:str]",
+						"backend": "ENC[AES256_GCM,data:3ke38VT9L8YA/Q==,iv:zinacOGxhxFYzstORyJV9+n2RMQEaJq5PW0cNAxjYtA=,tag:vnzX9XplEyjNLlEzcNG5IQ==,type:str]",
 						"extra_annotations": {},
 						"extra_labels": {},
 						"generated_role_rules": "",
-						"id": "ENC[AES256_GCM,data:7488koONHmsVMjQy77ailNbuZSMS/Zkr3ySiYOFI9TEzhe1/9gnE,iv:Usz0fLqADKZC97anbdfEiBlS2V2aJwlf08LCzC/X34M=,tag:UPPcuKyPWcy/g92DdeNO6Q==,type:str]",
-						"kubernetes_role_name": "ENC[AES256_GCM,data:WBfN0OkyeGKNSTa3ayrlP38+Ufeq8A==,iv:7LGWiH1IsSA6qnO+Sz0cDTNg8MSFF/k2hO0v8p0F8GY=,tag:qXrObO3JqkGHiG9P/CjuXg==,type:str]",
-						"kubernetes_role_type": "ENC[AES256_GCM,data:R/k++g==,iv:6+9hOSE/0uYgTz6LkiYYxABUaDMaLLSk+2DrarWqgsw=,tag:a+SjPF7482llWJYbIeQCMg==,type:str]",
-						"name": "ENC[AES256_GCM,data:efi5qwmlO235nG7NZfxCoOz0x1+d2Q==,iv:4C6M9nJe0+rZbxMVu6fEQ1uzADY06DOB+KJX1SMOVso=,tag:n7JVU/09FzVBdmxlfuothQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:rJ9aENn9KzcPhukM1JP0UeuGtO01ePrvMUq3eiDsgqDmXcjupEcG,iv:iqSsYQeGD+LtHHucn0kit4L4LQ0EgWunyTCyzatwmWA=,tag:SMQ2oDnmQsMPqkQQ2GNW7A==,type:str]",
+						"kubernetes_role_name": "ENC[AES256_GCM,data:+Olbq1bkN68OsUnEDqUc+kuiMmo/5Q==,iv:98qGfdkCOsLTT5PX0TpPklaKnBgno/K9HGIXuFoZS7g=,tag:/zPFyAAkt9QVftMoy0CBow==,type:str]",
+						"kubernetes_role_type": "ENC[AES256_GCM,data:oYs8ag==,iv:3ee5lQJ6Q58qbSmaU8ZEx6xxRc7Diq7u7PPScS8Kwdw=,tag:oCBOMdDiRoUWVA5UjAEV1g==,type:str]",
+						"name": "ENC[AES256_GCM,data:KFFWLdstCufHx+DuvLLJSli36q64sw==,iv:XHzZaoWakAc0+GilnXQOXWNGRad6I8cYuCJX8Vy6Q4A=,tag:sCvon7daRSMwkYf9QtvD3A==,type:str]",
 						"name_template": "",
 						"namespace": null,
 						"service_account_name": "",
-						"token_default_ttl": "ENC[AES256_GCM,data:0fd7zQ==,iv:aUM9c9jR7IamAmDvJ4WQyst0dIQyCIWglBbj/fqutUE=,tag:atSANDQ3uLm9Jj0gRnjywQ==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:rPw1Zw==,iv:ky4MPswL66Rmy3e++gYKn3JN7RLCzsbgkPSOUSqF4hg=,tag:8zURE2r6ZMNnBbisSUI0BQ==,type:float]"
+						"token_default_ttl": "ENC[AES256_GCM,data:LMYBSA==,iv:AQcRylGF5qoU3mknz3yytsqyY1ZsCPTu90eKBROGUME=,tag:zpAMCMK/ViRGCPOgcwVCfw==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:7wH5sA==,iv:oH6UrmztSnM5T2/rgFEVSr611yy+qANJL9gV0OjQTuw=,tag:m8Lhe9yIx87iX92RAtr7vw==,type:float]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:EA==,iv:cd1QI/aTQSQonj4FR3ZGwD9/6nicCr78XKQpPyKMHOQ=,tag:M9byzdP37Jd4pF9zEZaXfA==,type:float]",
-					"private": "ENC[AES256_GCM,data:s6SMk+H2JyI=,iv:9eFyASqYpnQOxiFEalCOKBlL2pEF/PRJHWfEhgIlrG8=,tag:WKm8Zogw8gu76fDQGAfpjA==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:gg==,iv:49nxqPCxfr/YiUaFCX/I4fUueSAwiZcsD+O702/5yDM=,tag:eYidpMUckRgc4CpkyuQA1Q==,type:float]",
+					"private": "ENC[AES256_GCM,data:uMIHit3B+Os=,iv:WjuUuET351mSlihrksd25urggj8FSLRdBNiaGXC+mP8=,tag:vl2H1Gaq20KAMNn5GCYYmg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:tcLHSrEgnZGDqMbo9mjx1DUut8tKEyBcLHOJIDPBwko=,iv:2oHb/GGRQ2NnL3BlmFQx4Y5nWegrew0zXymN+wRNQWY=,tag:9Glc3WtOvXbeCmC/ZPkRYg==,type:str]",
-						"ENC[AES256_GCM,data:RMU/ddruEXsL/AYuW40JzDGn,iv:4Zbm6rA1+7qmY6QEGgoJs8EItXocofqutnei3GxzxG4=,tag:lcsFIQ3HNSbMo/HGnPljPA==,type:str]",
-						"ENC[AES256_GCM,data:GuG9KJ94cyXvSk0y377G6VN4HTtMDEKoSFKHsaakRJ+g7Wc=,iv:CpSwuR9zvPvf8CUXPURgwqyWD8VHschGBRoGRkDP//Q=,tag:zdHlI6cSHgxssC4J9AjE+Q==,type:str]",
-						"ENC[AES256_GCM,data:2vS0rckDcrCO8wVaBmm3GIl6EKKGu+CApKU=,iv:OOCJ82pZT78go30mVMgMllHkwY/tzLqteA9Spp783RA=,tag:MBTwyI8huK9WtkM78PPMdA==,type:str]",
-						"ENC[AES256_GCM,data:pMSrvoEQn0HRB29cLc+7Lz/Dq3eK00Tm54rmP9Q=,iv:BtkmDT6xN5qxMJBEXXAOozFs31XicaCCzsudKdh/eGY=,tag:o/LWQvjzIQid0BGy2JL89w==,type:str]",
-						"ENC[AES256_GCM,data:vNK6Ews0tBMT8UFgkqLVJVLM3EztnI4GhOWWQN554gjDi8s=,iv:goP+wjE4/uaqQ1EXJ+yoYm3biHLeDOh+0lFRiW5rDVs=,tag:lK8aHDW7B0x8QHIBU+qDVQ==,type:str]"
+						"ENC[AES256_GCM,data:5i+sDTl+1xOIF6K+pIyogdR9PDjA2RvceP3bakkjLPM=,iv:vfcr531pEP/TmOCvlh7AhutTuHG7FI+djOUE9RjJA1s=,tag:NzRjiijo8PN7Grt+OqlsgQ==,type:str]",
+						"ENC[AES256_GCM,data:TfyGN02R39pDemNs6eqCGe//,iv:SSQ03z5IpABjG5FyFrOgAWd0nvbnA2XLcHVo7sjm0Sk=,tag:7GZvtM/kXeqt4SRyTr3K4A==,type:str]",
+						"ENC[AES256_GCM,data:nHnO4V+vW9XCpVeZsg3xb+fqYlxp25xpXFJGqPHVszZ3Mbk=,iv:BHP12vYRmGPGZvr0ztv0/xjpJ4vXeGw1Cg84K9RwRTo=,tag:F4cESN6eEZg82aLKxXnvbg==,type:str]",
+						"ENC[AES256_GCM,data:RuWWg6Wx5OG2QXqVlyXn3IgSoE0kJUIs7sU=,iv:452WIcOgbFXEIXbt2+/iA4qoE958YdcDCCXGmC5oUkk=,tag:YzpHGiXwXRnSdSIvW33KXg==,type:str]",
+						"ENC[AES256_GCM,data:/w1BTM/cEA2ZvqBvvIPZh6icdxWsRs0lmTAGgTs=,iv:lu0f/tm+TRD4BE4blihUg8+zY1iL7ML50o24eDj0eFY=,tag:Rm2wJLN1NSGGTB1db3eAYQ==,type:str]",
+						"ENC[AES256_GCM,data:V/yr7AbG96z+9m6DMz9fvAVCrl6iGguGcXKiWY/Xdg0ja9c=,iv:wBEFWZhvVWrbTE/pMREqt7ZZ7roJjkB2cvxRcBoGy+8=,tag:scwsplNskCyZoD3VenWlrg==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:Sw39I6vnp50=,iv:T7wy8z8+U3diHamtz7hHNoO36lW86KSnGt1YHtRZ2jU=,tag:JlF9RJDfzNljjtWzJSFOVQ==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:/Q==,iv:PIDmeuTupDCqO/V0xOUfOT2bGzu6orXu9VyK0oFcq4Y=,tag:xg+TYqm0xlSgpvIuClz7mg==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:FaZ1Auiwckw=,iv:q0kaTMj66+zSWImClw2r884vDkq5LcaavN7Xlt3cUy0=,tag:9QiUfi7HVHV+UrfMCDUEuw==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:IA==,iv:/9tvgA9W2eDGAMTcUv2IxI2SaRiN1WC6bx3on8t8qzA=,tag:PAg09xAEuI2Bp/X0+jrAaw==,type:float]",
 					"attributes": {
 						"allowed_kubernetes_namespace_selector": "",
 						"allowed_kubernetes_namespaces": [
-							"ENC[AES256_GCM,data:F/MBkx7uats=,iv:qnzQ8N5QTglJrA+kG5j47+TeRcTuOSh1+WPYDPwvSJo=,tag:INv+RjwAsrDQTQ8x/aKPZQ==,type:str]"
+							"ENC[AES256_GCM,data:fPFHGjRO+Hs=,iv:ljLfyedO6CjOsVa3rlfzSfrUCQuw8AhmCRK+kJO3pnw=,tag:/sNFjwTY5SLvFerX215/2g==,type:str]"
 						],
-						"backend": "ENC[AES256_GCM,data:8DH/JPY8o8eZxQ==,iv:f+36u+iGzRtgpTRnSGjEiFRsq5d/y0NAwI60mEeElO8=,tag:XKGdRaSqO1tDLsuk3exiwg==,type:str]",
+						"backend": "ENC[AES256_GCM,data:zW2f7EwH5JsyJQ==,iv:5NiFR+tcXOFcrpEgY6iWwAksxZBScLvtee964zI87K8=,tag:X21hf14CIgj91zymrmv6eg==,type:str]",
 						"extra_annotations": {},
 						"extra_labels": {},
 						"generated_role_rules": "",
-						"id": "ENC[AES256_GCM,data:mu5Ag3jQyRi4Baw1E4OxVI626wvuHawWo7MRp36KitYD9w==,iv:2uG7ZKWjjfc0o4anLSjb5LV6Evyy+DOJsuLZTu5+x1A=,tag:Gv19PPJEQ24gIIOQKSieow==,type:str]",
-						"kubernetes_role_name": "ENC[AES256_GCM,data:qYHKANHgAPJTO15nABSpuV0=,iv:CZME3cwrVDzQSvRGE5QQu5jtdbEjYZUq3+AVrLYQZX8=,tag:oubP0JTmIHMTRIz/R+8HMA==,type:str]",
-						"kubernetes_role_type": "ENC[AES256_GCM,data:NXzzEw==,iv:U9+vdmlEHnjzp4W9731X19HdikyijZCTTg/GzW4YbqM=,tag:DveaGHTv/h+hd/8qmSpIvw==,type:str]",
-						"name": "ENC[AES256_GCM,data:ImOFW14Wu2Rv8U5ourADGyY=,iv:DOsbbheQJSz5kjjVI4voSm9Tz+STz8/teAxJL/rO7l0=,tag:h2oRLADbYrsVLJs/CQdviA==,type:str]",
+						"id": "ENC[AES256_GCM,data:ekJcWHoU24RWwCLBHUi2RPRzV7Tf8efwggRsYxEjW2Oi0Q==,iv:lOK9hK+YVgLlLxY+fkbh/1d80Fjq/2SS89pwW8skH/Q=,tag:p/KFS33VLSfPa9ZzXRZxUA==,type:str]",
+						"kubernetes_role_name": "ENC[AES256_GCM,data:aeuD0WIrV+MMk4gIMkr3p2Q=,iv:iwZufkttSz7JqrT6+Z05kXhIEPOjQpVyRi34OhcXVlQ=,tag:6Gza1y92efZ/TJWlw7eP7A==,type:str]",
+						"kubernetes_role_type": "ENC[AES256_GCM,data:zbHS3w==,iv:gO7y6Lumj5CjTPS/L0vNuafk5nV18FENQF+BE5eum4M=,tag:n0itniFjdAfB1SG/AI6X3Q==,type:str]",
+						"name": "ENC[AES256_GCM,data:3859+7LeO89R42e1Nxw7E+o=,iv:jIn337PZupB+yOu8eE2WUZRQFnQHMJQaAPagVlbVOWk=,tag:sHTNmQ4o5I85oumYWPh23g==,type:str]",
 						"name_template": "",
 						"namespace": null,
 						"service_account_name": "",
-						"token_default_ttl": "ENC[AES256_GCM,data:SRcQCg==,iv:9DvYV7aVvJ4frMpWFzPzaJbX0qCkQOvIF4Xg93ghuoQ=,tag:KPadqUcaD5+bjunyKcjKsQ==,type:float]",
-						"token_max_ttl": "ENC[AES256_GCM,data:P2sbrw==,iv:4U+8t9RUGgMDqA/moYcZxB6YFjZEP9BDIn8bKqfHiOQ=,tag:6o7+F31S2t5yXpQRkoGASA==,type:float]"
+						"token_default_ttl": "ENC[AES256_GCM,data:9OalKg==,iv:YGqwkmBA0ILcqn52kKfwBrfCszPmFZBU6Tf7cEoQe9M=,tag:bztFSv9ef3ctLeWmOT82aA==,type:float]",
+						"token_max_ttl": "ENC[AES256_GCM,data:xgG8aA==,iv:u6O7p+Clukh0kpLAMqUrQRfhoy5SCMjnE2Tpf9M8W88=,tag:6jNBkOjfLfMI2aGjYH+fNw==,type:float]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:BQ==,iv:J6yZNsVA/vW6bXEf3qjYR3QdZoj490ZaqAgJpWdKR00=,tag:8QiNZcDwZNXvueCn11EkEQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:8U+Rj3wwaIE=,iv:mYt0yS0n87Rnv3XuHPB1gsCim9UF/rurNFUl8eZGnYs=,tag:fBd6s42cY9XifStuoYvGcQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Gg==,iv:Hozt8+wANnOM/ZcEw3D3wd+yeyqGrmgqYefREmPb/Pk=,tag:VcxGgqGZDST06EYSXobBVw==,type:float]",
+					"private": "ENC[AES256_GCM,data:KMqG4MwKJf8=,iv:/LZXF9icU6TPafwf+mkyAWF9TK7hPu+InygeD0z2CSU=,tag:sUZRe8VD2O5LgFvIpoGarw==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:mbxDwuIA7eiy6zgifKqXsOf1Fc4su3DSK/3/Hq1kP8s=,iv:TGwCw5YVyQ1FAkGONVBfugPa/snMAN6GpS5iOOdtwxU=,tag:LH7qH6nhoOzMsJo4rHHSvg==,type:str]",
-						"ENC[AES256_GCM,data:LR+8HRxPWFvBCTcxHsroFD+T,iv:F6Fh9HVzL4vK06lQSRl7ZthvoEGPGc0npYOVW4AQvfc=,tag:kdy95ozEifLf30iwoGUlwQ==,type:str]",
-						"ENC[AES256_GCM,data:2nHoXudJVt9ps5GCRrppes5dzT0eL5wG29wfN8U3HEwLbXg=,iv:5pLmF1FpSw/c4E0oHnDSVNo4vsTGxFrEyMTz3iE89EA=,tag:5xALrNg4N1lCtbMXerqWpQ==,type:str]",
-						"ENC[AES256_GCM,data:zi++lD22rUD/FUIQzdRMaiVRi4h/GORmVGs=,iv:i9bmiGNP4srsgcfplhoTrtpoX4jTCn+nhnQJBOZ/wag=,tag:S4tCKFnZv8TSZFeEtK03ag==,type:str]",
-						"ENC[AES256_GCM,data:Pd1PILEeRVmqMwYl9yfycAqqW9JtkaFEOUpC1Wk=,iv:Csik0z4gQOprEm1hqS7tcFKX5dHZFjtIHPMjS/w8iFQ=,tag:d9vCo+KP10xYDXhv+VhpEA==,type:str]",
-						"ENC[AES256_GCM,data:X3iajDbP9jPiLebQ0gGjofZAh0tSMkFm+2IUXBk9pBZIYvo=,iv:nWXcB7Aew2vK7mrbt9IJxXrZ3OB1hMSWrsseOgB/HR8=,tag:Zde3hY8hOLTaIt5Hs3PApQ==,type:str]"
+						"ENC[AES256_GCM,data:JbeTW88uno044hfbLXgxVUSJNApXXcVxA6wMvJuBYDE=,iv:GAeX+5aujU89qbNAudtpfHfujyrTyOafdhXMmr8qww0=,tag:OZgAWQCbk77AoqLp1GrecA==,type:str]",
+						"ENC[AES256_GCM,data:lnTm7kRizWtoK3YhUhaNTW31,iv:Yx2nWCsP4sG0+kRCC1uNNyY6bRSA8aC71skxQ9fTJjk=,tag:RpKbLt7DFZveXpiuNSk05Q==,type:str]",
+						"ENC[AES256_GCM,data:SJHnsV3Jp7/5BpnG8B6e1w/Zry4zmHyJ3wLwifOOzi1qxUI=,iv:p/eq5PKtn945ZMoTrU8RK1fB9fgkb0Y+Q4Tli6IHc3A=,tag:Azki6sQb4eUBR9LIT/BKBw==,type:str]",
+						"ENC[AES256_GCM,data:SN3ZTvr3xBIsHkmBiYiTk7/Hn04AaY2bvZ0=,iv:eO82H9pEkN3Bg+aeBvgd17nd8E3AkXpJIPuwKcY7qFM=,tag:KbL6Q3eQcqu/dTpHJg86OQ==,type:str]",
+						"ENC[AES256_GCM,data:nSLRJBapDoFim3o5SGRgzwUVgjYezlJ2tPIu5Lk=,iv:3TDv+IMfRClxtuCVvaIZWT0fJrZ29CVKhBd4kS4WHa0=,tag:p55oXiVLq2FexYAusfSmnQ==,type:str]",
+						"ENC[AES256_GCM,data:mA+mnBuht8XeIDUCGf4urCyCdIy1cn0KG2Nshq2EW492mn8=,iv:ERuRNmxGPj8DfHXFrt9oGtcjrZ1nAnYfxu0fXNSp144=,tag:m7O80Iq4Q/6YiR+EU9hxFg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:mrfaPPZS5A==,iv:aUgdI6Rd7/aljQ0xMiP91BKTgMQ4+jcRzm5ceGtz80s=,tag:wqWDRbIyXflI3ojsp7xZCw==,type:str]",
-			"type": "ENC[AES256_GCM,data:NFEVUJgH4tscsfI=,iv:ilf43wGnULBinw2/gKUvYs4HCnz+ltO7H63n6UKQW7E=,tag:Rty5DoKgbe5fvDeIs82WDA==,type:str]",
-			"name": "ENC[AES256_GCM,data:ELIYxChrL70=,iv:xuDMuwXin4Imf6BTYQIj0aVQLbSOqWiBB79tPGRL4mE=,tag:rPBcZ8h3EHKHowlSrrM9rA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:YtmysznVwkts60UJ7bObdiaryWrRTUjqDNBsy7RRyn2rFMdip8/UeRIPp5m8HNK5MA==,iv:zCrmoQ6iOeoUWcFDr3lITW21qbc5WwRsluBrckARGx4=,tag:cccL2ak7710+RpHWCrfEJw==,type:str]",
+			"mode": "ENC[AES256_GCM,data:xuvhcYf3NQ==,iv:IwQZGn3Zk3ozLvUiJ37bazmJsYXjBGBmuIWszw6fc8M=,tag:irXfZOq3qBYWyW5RhldSBQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:xJtazngYiNKKBmE=,iv:PKcso/BxjjTNMB7fMojWB1CCm0WcsrJUETuwol6XUVA=,tag:0m6EjQCKgCUQz0aCtmoQKQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:+9UOHXWX5lk=,iv:V2kK/zeMYTmZ+thf8uKReg/MWGs4EITpPGoeKihKUUU=,tag:lOGmwjV3deEyrmRV3w7K6Q==,type:str]",
+			"provider": "ENC[AES256_GCM,data:6TERn3QDOmtmIKxMrGsoES3NDcPejCAN20CR6XniagfjgcUB1qKdsX2nCxK0t2QEeQ==,iv:IC3faZGOps6p0lP+PU65FhBReJyfpTybvCSDGhsmk0g=,tag:X3/6uoXSXRUwoinZmHwNGQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:PA==,iv:DhvmAHCvTvYUzoSDNLIsdf4pR1cTRXJRpxWphY5BaCw=,tag:AzKGZZMBdbum1Kq2RvxdfA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:PQ==,iv:P9/UrxLZq2BJ7cHwvw28WLhVHip54FmkJF1BA/tNLT4=,tag:6jKSWwwBfoIDO757oZuA6Q==,type:float]",
 					"attributes": {
-						"accessor": "ENC[AES256_GCM,data:Hl3PN6IrqxK7aCQk0uvq9Gw=,iv:WrLjzoAXLHuvFOODJnw/e98PqifMEgoa836Nd3lGpno=,tag:9UI8PG+i1yARP103G03kFQ==,type:str]",
+						"accessor": "ENC[AES256_GCM,data:8RXj0v5EyUUTTkk7JI2OKK0=,iv:JfILSH9qjaipBPqKcoWjgy8ebfnSbdr0T0vKteXTw00=,tag:oGZ9Cs7/qghs8W7W60uraA==,type:str]",
 						"allowed_managed_keys": [],
 						"allowed_response_headers": [],
 						"audit_non_hmac_request_keys": [],
 						"audit_non_hmac_response_keys": [],
-						"default_lease_ttl_seconds": "ENC[AES256_GCM,data:xQ==,iv:MetN4OoYlnLWfP/5VU7gvzcAotRPhNtzlRbV3HWADI0=,tag:aLcUS9oMLcI8+4PPM6x9uQ==,type:float]",
+						"default_lease_ttl_seconds": "ENC[AES256_GCM,data:3g==,iv:lIwmLzXzttcxlK6z8l0WKX4q0hjVlE9wgQlyn2TKft4=,tag:TA7kAnujSKEDtWTJyzC0YA==,type:float]",
 						"delegated_auth_accessors": null,
 						"description": "",
-						"external_entropy_access": "ENC[AES256_GCM,data:JJSjwUA=,iv:1f1J15F2rhol7tImDwtiFSnCxtssLe4jULRgVTjRQU8=,tag:v0tOK5WqK0uDWZnkL7S47Q==,type:bool]",
-						"id": "ENC[AES256_GCM,data:/g/MP8CLXNU=,iv:tSzbQ8a9Grt5FNYnnKDkFvb/Iwf1jY7HB9n273JPSpk=,tag:nkzYJLRJUIacwGPR8Iv9Gg==,type:str]",
+						"external_entropy_access": "ENC[AES256_GCM,data:ioedD6U=,iv:FPAwaZEXDzZjSugDm60/3740MSTn8J1Qe/jN0cUIrz4=,tag:qv3s+0S6AWcks7X0hR/GfA==,type:bool]",
+						"id": "ENC[AES256_GCM,data:LHHodxwnmws=,iv:wbsCwU+k/ZBWAiXcTuh+8o4nbYVBg7ID7V0CPZgI7Pg=,tag:1Ar6q+ADRJZhjck7z5d+xA==,type:str]",
 						"identity_token_key": "",
 						"listing_visibility": "",
-						"local": "ENC[AES256_GCM,data:5iTv1DU=,iv:FFOO7SSqfzH8LLusTTePHGP/Ib37g0TN6mknglvGQ0I=,tag:bk3Xl1yROcHCAZqz5remWw==,type:bool]",
-						"max_lease_ttl_seconds": "ENC[AES256_GCM,data:eA==,iv:6cnp/TPp7aZnxgVdwzhRR0tqo5AAgwfShdiIT0QDreY=,tag:NCth50YRG5l5tS1VNqkozg==,type:float]",
+						"local": "ENC[AES256_GCM,data:NT4QqrM=,iv:DLRkHhtPZNChEVYd6OyhDGtifJhBLQqYYVMbDegyGbE=,tag:puJwaPPKEITAc3FlHAfeQw==,type:bool]",
+						"max_lease_ttl_seconds": "ENC[AES256_GCM,data:dA==,iv:zFZk5ZTBe0IDi8BTH3enKhKQqc6OJ+W6Bxxu6VLACuU=,tag:iIZpO83KzFaJg/0YDCdEBA==,type:float]",
 						"namespace": null,
 						"options": {},
 						"passthrough_request_headers": [],
-						"path": "ENC[AES256_GCM,data:YMhuMaOLiZ4=,iv:1P+3WZ2W2U/FUl0yG6sL1qDfOT40HNt+YSBYJwr25jw=,tag:oVNQlrjVKP+d6YQRyu/0oA==,type:str]",
+						"path": "ENC[AES256_GCM,data:rcOSeJHuvOY=,iv:BBWFQOcsuQ5ung2ihqLXT9ra6LbPhDcRduSNUhoNQK4=,tag:Dx7kF7QjRhMBULHR6RqpRA==,type:str]",
 						"plugin_version": null,
-						"seal_wrap": "ENC[AES256_GCM,data:Mo1QxOs=,iv:GfcW4XvKk3VijlJl/M8fWHLltB9874w1tyEkKkr607o=,tag:ebLedlWQjdLSnAfyxtvnFA==,type:bool]",
-						"type": "ENC[AES256_GCM,data:oOmr2MLLDe0=,iv:ewlQtMmFS+L9IdRawgqOmLwMXrC47+sLqfxlgRIkfwA=,tag:2K47rgbvBK9zZGcO8TUhDQ==,type:str]"
+						"seal_wrap": "ENC[AES256_GCM,data:5MAlQ7c=,iv:2fQgdAegbGljOFRmFJr0TovU4psgcAyGtH6M/WxgDjQ=,tag:iH982BGu9ICsu7v5u5Ng1Q==,type:bool]",
+						"type": "ENC[AES256_GCM,data:tWOYhsfvbl8=,iv:iumi1Njrw3aTE1BBpp+8yjdPL+6n/JkHpbDD8Hn0kWk=,tag:xv72mndTbHeUDjtegDddDQ==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:9w==,iv:1uwxnzKS90mbc/lxEml1TGHqMOT210ox8p944sEUIWY=,tag:a2JjzCgA1Fgg3qa7pFY+Gg==,type:float]",
-					"private": "ENC[AES256_GCM,data:rBodQN+ay0g=,iv:Alkr8Ag/mHjcRtdl4x29q88pJD6VyaLE/BaT/MczxPU=,tag:YmU4yq0BOEIACUBRrbWlKw==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Eg==,iv:bEqOfDDU9NPBUDgiW5UWWTAYYH3y6xGvfRiA1MRRMNI=,tag:AtsnkjB45g5b0Dym5p+mUA==,type:float]",
+					"private": "ENC[AES256_GCM,data:39x75ChB8tQ=,iv:3kx+Ii3UsOxCTNBI6m9PkCoaDsjjEkAd7Jxqvt6U+8w=,tag:iy8yRWRIL+oxqANPJCngRw==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:aP1O8MjcjX36fDICV2qZ/JcL,iv:4L9vtAj6aJAV37XKn47llSkhibMKzsvfjLRbH5MLk94=,tag:Jp+55X9Q06JGQtEtiqupMw==,type:str]",
-						"ENC[AES256_GCM,data:a6nn0q7M11GtgGOLv2ZhDqif3JeQk484k1g=,iv:be194n4AQ8a3MbDU83dmYZl9r8NCVcBaLDVb8SUn9Rg=,tag:Hj27nyyVtSENUkk9ixIq2A==,type:str]"
+						"ENC[AES256_GCM,data:PuAPgRTTtrl+YQ80AhfByaKr,iv:LP17XSISR029xZ5MQvsmHPU9mZqzw0yT8+X/NoTTLb8=,tag:qaGKaHWHwYAHbCGKYpTV+Q==,type:str]",
+						"ENC[AES256_GCM,data:ya8zQmh0GFqzsPTGUoUHkPRhwkOejykV3Do=,iv:1R0Vw/RW2kAUwW79WOuhPBptyIopoZ3MOg+Vw3Iqsog=,tag:wmsPmBl+xRqbRltd0wATUg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:Ef5kkE1ewQ==,iv:s8JBIGoxanTYMuIrbPkSlstOGe2wgiUExKV+VkQCCNk=,tag:CCDZwvus2/BNS0euoob8ZA==,type:str]",
-			"type": "ENC[AES256_GCM,data:gkYgePqmxK/WwgU=,iv:nsS8tBe6xQ1e16FAYQLYv72RmeK6Nxhkh0XJU6OVKJs=,tag:8NieE6HDLJ4oh7X3Tv4vGA==,type:str]",
-			"name": "ENC[AES256_GCM,data:XSbkJ+f5aw==,iv:gJTsy+6cljUxuQ9RkCk5JWAvKhsjTkQz+tnEKwiQYYY=,tag:F3qmCKTcnUV48qaCBcvOZQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:Afw8hTpcWWnG/oNQLnWPpWuBia7wEpz8h4dWw06dwUCesIS1mbULQEXig5ofz4Vdcw==,iv:SGbgI06kRCw+gt7wshHgZ9codyTG7+LEp496Ncv8QAQ=,tag:MXksaqog04qufItKrgNAQQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:dG8PtaWIzg==,iv:323LwuujCn4ByzJh/6zje5FTfCYCoEO7zalYhUFd6to=,tag:tqZFJUtT6A4fldgESK58nA==,type:str]",
+			"type": "ENC[AES256_GCM,data:NYPdCFInzlLYIe8=,iv:m02Y/8dWnIaZ2UsTLiUPYsmtXCOwQieTMnracg/+FyY=,tag:yokn+sPSk7OXco44yxsMCA==,type:str]",
+			"name": "ENC[AES256_GCM,data:oTHO+966+g==,iv:4v+yWlA0vz3yU7h4HoiCEkElJfuVlqqXxCu0MMY+N04=,tag:v3lqsSfa9Kj3jBiwz+TiBg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:QvyMr6nzS61l90/fSfLYne2xvYkUeITueK9Yze5tGkYb+GyP5zGBexSog1hTZzTRRQ==,iv:J4UYsGAzCS19Kb0syFqwJzD+a2qhg1QYA+xUWNWLOwA=,tag:Kf5AfA7sNMpCT5sIptHqKQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:8g==,iv:wmTQbNTcR5UqnbxHHTDBFXXHCoisnB8NJKizeN9Zlhs=,tag:2AzbF424A450f6bhy4O8Tg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Jg==,iv:CHiFwsTz+FhNAbPHGC5i2Bl95ydTI8tQnuHYSZHPGNw=,tag:f4Zjlr46WVh5VfKnS8/JVw==,type:float]",
 					"attributes": {
-						"accessor": "ENC[AES256_GCM,data:ZBAhfsURRAEMLKZumwWEhg==,iv:ZZ8qyKReakYbyLkEKGfd75vxfe630cF5a7VnfD1No78=,tag:oCMM2FXsimBxHLa1F5XnRA==,type:str]",
+						"accessor": "ENC[AES256_GCM,data:rDVRIZrVwd62w89gGy2dsQ==,iv:/aXlg4ifMhWCiq/SDXhmSPJsNfsvL+0rQXTHzvcW/74=,tag:IVUKrg8/Pc/44rB1aW9+gQ==,type:str]",
 						"allowed_managed_keys": [],
 						"allowed_response_headers": [],
 						"audit_non_hmac_request_keys": [],
 						"audit_non_hmac_response_keys": [],
-						"default_lease_ttl_seconds": "ENC[AES256_GCM,data:Ew==,iv:hfKOMgJMr+ojL7WfKuEPssgYEomosH+lHdsufrS+UiM=,tag:+AZllL41bkkloXE592mUzQ==,type:float]",
+						"default_lease_ttl_seconds": "ENC[AES256_GCM,data:gA==,iv:S4rB4s2BuKuT+8AuY8Tp0uFw6lCp7evDigM6BJhWY3o=,tag:FSgp+bJu8qtrQv09EkjsSg==,type:float]",
 						"delegated_auth_accessors": null,
 						"description": "",
-						"external_entropy_access": "ENC[AES256_GCM,data:mT9qHYc=,iv:B/AjFTDF+SCFrE4wK3WvzUswPNL9IWceNvwwYhaffUE=,tag:kHD34xSoCaXAlepjxJSngQ==,type:bool]",
-						"id": "ENC[AES256_GCM,data:iKvV/0KbNw==,iv:7o0mTwE8MsjK8oayWZJ3LyC00PxuPKqcjVaHPzDgYQ8=,tag:bhEnu4KPVBHZtLnSno7izw==,type:str]",
+						"external_entropy_access": "ENC[AES256_GCM,data:KSpNcFE=,iv:aBzoWm43kr+8aHvV10l/6Bxq4dv6aQ9k7qxFVRhsUgQ=,tag:WOdbl83WO+Omok9IA1wthw==,type:bool]",
+						"id": "ENC[AES256_GCM,data:jgGOvKK0dA==,iv:jptuRGQPNpv5HBQYRHtp21eZBhLuR0a2BMr5wRV2pxM=,tag:keGgk6bTy1CyN6dxSKufLA==,type:str]",
 						"identity_token_key": "",
 						"listing_visibility": "",
-						"local": "ENC[AES256_GCM,data:zXNlxmQ=,iv:F8x6eN42xy5WOn5F5sd9/INX0Q0DjMOv2ZnIU2k4XRk=,tag:nEMGlz6wjBOJ5zCpnP2jeg==,type:bool]",
-						"max_lease_ttl_seconds": "ENC[AES256_GCM,data:cw==,iv:6fR0FK5S4jussrR/yrvuGc5JoXxCGwMCqYybACt53a8=,tag:1hDvESXIofmh2WBQfBkULQ==,type:float]",
+						"local": "ENC[AES256_GCM,data:mqVSUqw=,iv:OlIN7lAAuf7hNxYcJxxAmXlyaw+8/nmctt32WcL7fJA=,tag:03iFu7RbnFXXgIcXGqPevw==,type:bool]",
+						"max_lease_ttl_seconds": "ENC[AES256_GCM,data:kQ==,iv:rzgUnkA6Zrl/vvjUoHfvCeiY7Q3OVcjabfJAGle+SiE=,tag:WFZZzfHW6ICc1X/fZsA57w==,type:float]",
 						"namespace": null,
 						"options": {},
 						"passthrough_request_headers": [],
-						"path": "ENC[AES256_GCM,data:gJEQXUGwpw==,iv:sgeB9QXIGVvClCEtYJmkE0v8Gm98KxF+MqVmNsozjgY=,tag:6FONyOEaKG2s4Tf4wi2ohw==,type:str]",
+						"path": "ENC[AES256_GCM,data:wVdVxafgNQ==,iv:J5JojsK8f96OSOOvzA6t2hYkRgYH3Peps3ORAe26p78=,tag:nAS7yVyPKOo8qjt6G3xQaA==,type:str]",
 						"plugin_version": null,
-						"seal_wrap": "ENC[AES256_GCM,data:euhAUW4=,iv:x3w9pkTm8oaBD5dddzxkFAEnqnnzueokpaGQW3Z5i/k=,tag:YoKVDv3aH1Vks2HoSyba5w==,type:bool]",
-						"type": "ENC[AES256_GCM,data:shXL9am+pA==,iv:p6Lit09dH56NjqsHfmeBXhFBN81BvxLOpZoV9UF8cnc=,tag:ldOe8doHNg8HWgdllF9KrA==,type:str]"
+						"seal_wrap": "ENC[AES256_GCM,data:GL4hIQk=,iv:EN7a3ik/rKbFZaOe2wkKDBUNtE2JjXuCtKK91ABZXTs=,tag:ZMvnpYZfjtTlFiWFHFYSZA==,type:bool]",
+						"type": "ENC[AES256_GCM,data:qIMfuTUC5Q==,iv:x0dYkU08QxIb9Dk9U8gJQLWitztnIs5ZyQefKYmuVOQ=,tag:DgtEjNONXR+VBYAaqM/laA==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:4Q==,iv:V6QbZrPAexQHvE6yvzwBInElapd1ClF0VH0MFszV0h0=,tag:VKSBRfFwEMumL2ghbhQ9XA==,type:float]",
-					"private": "ENC[AES256_GCM,data:f0kF2XCMo+ccgGgFO1NXsE08zkL3+yxAmBNutDeI9v4=,iv:u/Xrhd2txjO7eh/Waavvi5M6wEysRzn8pQgoGswEQf8=,tag:IocZlOvJ2/UqYXcslNxIpg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:5A==,iv:PDGy8HlPWzzR8ci7dB5SYITwgGEwzzBwGFB4yh0wY8Y=,tag:z1LJW3dR12Kj4Rcl90XtHQ==,type:float]",
+					"private": "ENC[AES256_GCM,data:DHDGsKrqra3uLRCKEh+lvfIO32AKHI9m4vag2E4pc/o=,iv:YyWj8qWHKEKvQO4Glhc7k2zviIjfGOikqk3Kfmp73ow=,tag:H8i6eFgQ/zQCZJcWj2DMmA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:hL6l2G2vqdG7F9y6ltMGtco7,iv:KPoeftlQo2BXc79LvlOF6NIG6Sp+4RbtrGAGXODLlM0=,tag:iippxhcPlkQmC2/9XxI6qw==,type:str]",
-						"ENC[AES256_GCM,data:XLvIQOlzu1pBuRn7pZ2q9KVEizYrKOiEgIY=,iv:Yfdi/mf6d9sH6bB3ucdYNa84jyDiBTx27jrKNKPLsPQ=,tag:NjjkQqdoLZjx2KTQvkIe6g==,type:str]"
+						"ENC[AES256_GCM,data:yfKlSR1C8BQO0+Grek9yEM1J,iv:vGkUP4Xiqd7UGPz+J2dfWli+GP/dC+1+hQ9ZuUNrEA4=,tag:TNcVBcASbT7QcPIz14oaMg==,type:str]",
+						"ENC[AES256_GCM,data:l/zd5t9d0S6/R61Hl+6tQJxeJlZhlvHozvg=,iv:qLHa5IzbOlFGMHQufc4KdfR8wtqyl+QHZfZ7gLxgitk=,tag:L8W3bE/YsVQT9MNfOzoRBA==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:m9f1huXZaQ==,iv:eqfhuWrKvHFxZfntEpBNHIWSZ6swNiD1mcYU3tiRFl8=,tag:Bf5+siWGuY1/32nu1a1Xbg==,type:str]",
-			"type": "ENC[AES256_GCM,data:0ksVBCZhmaCkbSzq,iv:IfkoCAKFor7ObeiBVXyiXP59xnFE53I9PkZy3bZeA5Q=,tag:FGHIpsTv2/8Z2MwG2abcWQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:gTec3ao=,iv:gO/HVJoSbvIu1NT673+LuC93Rc55F1a1Jyr95c2wa9w=,tag:hx/9GQ8+jSlRva0/FT+F1g==,type:str]",
-			"provider": "ENC[AES256_GCM,data:py5d6cJzQop8cSzCZsFw5ZMFHXDEdiH97riUYqycmcqyKWMXzu3XqJykUI3mnZyfVw==,iv:SKmFr+Uq24aBGI/Vj136eX1gbwqh+8QvJv64DGD+9BQ=,tag:sCZkyAi+pJNn6sdmdNTadg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:9Abfd9PykQ==,iv:MW2HInsj1crkHQh8WdPcbhTD5tCdVxnHOpgaZhxKkWQ=,tag:wLt14zdM+vdRC92lCCfndA==,type:str]",
+			"type": "ENC[AES256_GCM,data:z6pIWxcM1fe3114Z,iv:GAP8vSRPtbYhGcxuAtmt4crzyjT8luMVq7a/HMHxzM0=,tag:+9Fb4VGxrTjfH9ZfslyXrQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:J2VYZuQ=,iv:XemMjTkdH2z5ULFEa6tsxsXbyUcOk27FFzCDzTCw/Hk=,tag:rWCVBoeojsqa2FrNJI1umw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:8cqO7SK9jEVXg6+1/+bMPkZaevSsHRR3wB7/YYJIaSBayX/RwXbqRDsH6JHF6A3/HQ==,iv:AoYzwdHddVRBx9VyH36UTQwJlh2edYp605MRjQb12sA=,tag:webVAWSOkExKOi61z2qMGQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:lA==,iv:ZgJQQT9XrEopTUqDab5aXOqxbN6SMLW3CAOWXIpei7o=,tag:dbNaG7+K4Pp1+cHQY8Qimw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:7Q==,iv:Nu22nsKxj7H/uMUqgaZoEPFLP/BNC6GWIVoNcPviKCw=,tag:wR0FUGGO0fgs+AMPD6ifMQ==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:48jY9V5C/4GQNjM=,iv:vH/0/3VByBJxemETsqQRMKuL+jKktB4r6jc2w5Xprgg=,tag:fY3bsp/Elh35b6p1t4jysw==,type:str]",
-						"name": "ENC[AES256_GCM,data:UIKrJcWK26BLSsk=,iv:ZwUfPXuhIk3bo5YBhamD/YtEBZHw3KzqYfXPCZy0iEU=,tag:jpirkPdrlMtRg1EzfQY/5Q==,type:str]",
+						"id": "ENC[AES256_GCM,data:NjWwqFapL3K6P2Y=,iv:UtEJwB3E9Xytwl91Q5soAfozi9PUYfSmCDaNSvRi6tI=,tag:EOmWf7YS5a0dfq+05Y0Y0w==,type:str]",
+						"name": "ENC[AES256_GCM,data:umbSjSC77HXlYcU=,iv:Xj7aZ++8kjtF+Si0wbhtSpy8xgOyWU7Sd6rG5bTnh/s=,tag:GLpSsffF0PC0/KcPnqNlpg==,type:str]",
 						"namespace": null,
-						"policy": "ENC[AES256_GCM,data:K7UsGT/adPn2QxgZ11lNUrS0/yoirmLpkkBaGVvUTQHHh9rEO/7RhHE/Hw8ZbykqgRgkmNG58GdfVerVQ+yUCllu1bqx03qZdi7YAYifrsIr3/yRvQ==,iv:sWewsERwnMfWO78039E4OtjwMVouInuCXJTzw99/j4M=,tag:wfFnbIT8/o+5vmOXi731Gw==,type:str]"
+						"policy": "ENC[AES256_GCM,data:CKz7RvLoQYOOsQCh79jseI8E+jcy9w9HwXoKmJUcSgnk0JfWdGihQ7EuHVWu3zqSJzY1U48QdOo7Ny7//uJLxQzI2q5jaRmG0rWHOYH5LUmV90eqEg==,iv:dONpkZDZ7Dxm4Wi/6+2mZMp+nHlZQgEAy7xJXuawU3Y=,tag:edCMLTkphamk3iBtOe10xg==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:4A==,iv:rGiFHmJMdB4qGxauA8E+AKPspgsnJBGnrqZnv/Aa9rs=,tag:gjxc3MD8ji4cPBSj2SN4hg==,type:float]",
-					"private": "ENC[AES256_GCM,data:ds+pxw+TYsk=,iv:lml/GJym+bdA7hhn0UQv1bJ0GuuzdfWvd3r/MkUluYs=,tag:8kYRG8zFC+BbH4rDLN3SqQ==,type:str]"
+					"identity_schema_version": "ENC[AES256_GCM,data:gA==,iv:SCZdiaaJMr2ZnQH8L9/WwXKnnuQ1Art7mYB1WGQGO9A=,tag:jQPa6Hbv4TCQ2dpn2UvzQA==,type:float]",
+					"private": "ENC[AES256_GCM,data:bj+cpFdgr6E=,iv:QyprCKxVMHGsRfQHXD+Wg0FjkSq1PKHMDpSn46ADPfo=,tag:lNFUkqyfvxqt6LgzhUBIHg==,type:str]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:16+PkwnShA==,iv:iPkJtBBSY8XcvrWBD/PuEbh/7QD0cmYI+ZrO7xTvd70=,tag:rpdpr+ASUIVvzcb5QC94ng==,type:str]",
-			"type": "ENC[AES256_GCM,data:dWO/pgMAtyCmOheN,iv:4v1nPFh9EBAkfGNukI45ZD7Of5OXD2Jx3QnUEjpzttI=,tag:D0YbLUG7U8orOO1qMOD98w==,type:str]",
-			"name": "ENC[AES256_GCM,data:JAY=,iv:vzzAX0d26773T2qQwCereeAnbJyF8gz/ybftWg4Vg0c=,tag:uG67PYQ9DBQyQZUEI+KJ0A==,type:str]",
-			"provider": "ENC[AES256_GCM,data:ugdyeL/TV2qLheljvRFdI+E5FW+ZDh27tFKeZ0mVW7I3UykB4KYHJJ5IBtKpzcfMzw==,iv:SnJdiTz9VygZAh6sJyTF8FXWXK0Gg3qsCFnyI+m/GQM=,tag:ItLhSV9N8jyMe3FmTkVrRQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:v3r4/yjSVA==,iv:MyQrvf60vvPBWAM4VLyysjYF88g2kzqj6JH88VrPrVg=,tag:DFI7cxZ5GFaC6ZVqgniJtw==,type:str]",
+			"type": "ENC[AES256_GCM,data:Fe7LW2v8rTqlw42x,iv:4vY2uo7iOME1/cKXF/XdaGAIlzBNOPX2WyM3AL35n7I=,tag:zeYosU0NueNUcS33wh2WOg==,type:str]",
+			"name": "ENC[AES256_GCM,data:6mo=,iv:y+TJglbMDDFIlrOEvdMACIAlFAeA3+CIB/qKf9eNTII=,tag:h3dVredjorugs8bGz1zIbQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:cRDSyuPm/r0SZII4YUWWwOmbh0DSY4CHlAQfTa3lHTtUyh8MgXwawH4/b/aY1lZIqw==,iv:/oCgtt2M92vSkSwZW7aw9vFjqEVjl3fPn9xGDGky3QI=,tag:uOGa5q8ETZbgMyHiNWz+CA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:PQ==,iv:/tEGBl6gMaxajTzclnLl2SrhDISsESUH7vBkJ05xUmk=,tag:Wd3e06feqTAOonGzAPBajQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:fw==,iv:C9VgrUy5y7aTBGW2d9p6Hp3F14lTVBVmwBuvE8WXluc=,tag:K1IPjCBTXjpkPTBFm2+2PQ==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:OP8=,iv:5kznrW44O/DlbOWvBVmxYZZgLeKA8D1DVDNsrA6wU8g=,tag:sTANmjyT1AWM8TuieUCzkg==,type:str]",
-						"name": "ENC[AES256_GCM,data:fQg=,iv:yNyIu4kiqp2iQd+1DxuqGPsTvodPHlpJs1nwTspAf2E=,tag:btetVVWfuN6bgcxg5gIdkw==,type:str]",
+						"id": "ENC[AES256_GCM,data:5m4=,iv:xy38YOvs5bWsKQInPjuBLE00xMU1y+TJHrKrjDpQnzE=,tag:rbw9xYZTUeOe18PAPhG0yg==,type:str]",
+						"name": "ENC[AES256_GCM,data:uK4=,iv:AJ9qK6FaBshIN1Z6Ds/3bZeKZbplK2Irmdngwe1OQmE=,tag:KydfOoT+WO+PtJrsnWXAig==,type:str]",
 						"namespace": null,
-						"policy": "ENC[AES256_GCM,data:4wsTZ/k1uNJ3E+c2Vrl3dNRJY2v2WFFJ9PAfNw8dg0i9eBiqjAAh6pz55AmAvtb94Vwu6SkcFutvB80ftd8MPflRaMLNtQ9cKXeKbrYqXFEVn+zkGbyx/FFkqsEas/5wwNSscNomUuDI8fN7rdTIOlMELv4X+Klf5D+qc5GFkIHE2j4sqBd2mFTllLxC5+mmW+nLRbDeWmbl6L/u594qQpbWXqXr3pHfDMStIPuay1w7zlYRgxlPN6ra74DBlBFzmPaMq1mQwcK0PX0TfnrZ9YavJoUUqdrmXwJM5tEuuCZCJdUbfNgkNXRv1WTX+wqbyPTppYIVdG2+9XcMBIFJ5+aGi/Qg4ES0HD3wV1uERBSqQj/vrQkSs06wKcxiPefsPsJ1zst/dnx6mEeYsswqpX5KEjgz21jvwQX5VFmlU+cDCuaiouCENUFgfi0SEl+Qnqa0iGgOUA1A08HwSjpgAtTCEd5gQvOq+/XEiCYpOJCpGM0e0v5ISJhnaVeXTa5gbwFto0+I4RCt4MJrMNZGRaFGLQn3KWubFTlLdeDD1lCIt1cJXnIzsEN1mSCBZvfhTjvkxomcQHrYfSwS4OIurDGjDXm1lL4iGgEOAyV8SYOTyBoEazasJIIHkg9Ajc2BY4g0iQm3rC3tZMfX/ga/PXX32I5F97YEJMFBe0xHcRP97UmMHHsyWrcAoD/XFiyu4bPc8FOJioY1rxKt5pT+/8+cTG8C8Vb2KMKkoWkf/wrZiYYOfpZUcsWmH0+FqtuLSGqmU9OysrKJgoElbcj6RhRCty31Gtd9eAoTm1noCM76WmSuKAAvZfDEtYPx8plsjtVcOiYICpAOVPM9UixN,iv:lactJdgxLk3pIR6+DMKRXzROxE3XBqbZLF9VZsbxR+Q=,tag:bhPaH0unnVtVL4RmyWUwNQ==,type:str]"
+						"policy": "ENC[AES256_GCM,data:+Hbn/ncV/9XCK+2UJPdF7r8POSo9gEHyVjnrJSkTDRfs//QJiOx+oCSxK3au54zXJgWDJenrReS4JVe/cmRhWB/JKLmC59suLtwc0AZpDdyAS7GpBVNCcn08hHMrUr2bWVkp0bdj5TlDJclE36G4VXvFB6b/ByYiErFsLqnAAKWaGMX165B9NCEVz5vyQYJhFmhtc8dGkRFs0n2CLmUeYS0eGlfvvku76cP5vjfupdhedQI7JI66fey4z+VqsUtqHuAErzz87bdst9A9X2vpcfOv41Hsdi13x8xPEekfvFaLT7jqS2ThtAQDzks/ToTGqngCU6tfRDIKE1QzKWh3WQY9aMaYmw7AzAmYZQHdW/CleFdlPM1XQ0U3cdzQIxAnQEXRs+AXIlPQJpuBsvzvlZ74Yxivpr2vVJA4YwTA9VgCBsYx2oVfEqib1tbmwU1HjZo/S5KXe/oItq9hZHXDYUmz0PfNRvDDNCPbC9Pt2CB7IDXVtDExeBRwCt0TLZjE4nJul2ULTRZ6fnHXqfJwAuCJVL91HNTDPHO30NFYN9Y3CSeNVrvMEQXHPaUdIF20PwtDQcgjiAcSlgrvHSPELdl56VxoTN9p1hgy8yXFWo/6Mk737R/MRhp15K10TVfE5aWtIYW1pOhc+kSRzYcoMQ5qmP4gKWbtUkoqbLWFegZkn0Mp6mqmr/hNsSbx1HHRJplKi+0juICM+iybbVNQE9Mx04r2RVTLJ8fCDWW2VHttSZJ0c0fZvL0H1DkAasFU1yyRwRmqzSHx4t76KsFD6E35NJQ//qpwkVzSCH58OlX97F0sJ603QS7d64T4ezJCtQywIianaDrDunmP9x9+,iv:rvfhfddmsRVg7G4wKL1SJxxJTeHcZs1f9DIMmOQ+4vM=,tag:z1jDFxFNuV2YCsl7vO1obQ==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:yw==,iv:+yVhgtb/vqxGcFtGX9RsOuDm3FFtZ12la4ERwQS5saE=,tag:GRPil9HsO5O1PCsZdiDf/Q==,type:float]",
-					"private": "ENC[AES256_GCM,data:PB8J/PJTzGU=,iv:YhUVdGNMhK31AWQbng3Qa/yhwc7QGs3jRKlROqlKW08=,tag:VKENRvH+QD/lz+kq7BkKxw==,type:str]"
+					"identity_schema_version": "ENC[AES256_GCM,data:BQ==,iv:y6vQvIHIng/LahZ48ntdVG1wAXcuSvyRg8Rf3+ichX4=,tag:gvti7QFiRe9EfihPNTmw+w==,type:float]",
+					"private": "ENC[AES256_GCM,data:kWjs7LPb/ao=,iv:QndwmZKqv+VlPwZw7aTTF++HJetGIEdTUU2saCBFTGw=,tag:x4H2MGIiiTp+iGQO3hJA6w==,type:str]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:t59KEKcqbA==,iv:bu5cvYpsfOO6yLsZYOx8KGRQrVW7QeGBo3yW10aTynU=,tag:STdICuPp+JJ+Rx3fMuwgbg==,type:str]",
-			"type": "ENC[AES256_GCM,data:56knTq642HWv6rMB,iv:5bW525SumTECE57tEoYOlaQDrNVN7MismWvjzJFDVbo=,tag:VqOw/3MX91CYWI4vkJOhdg==,type:str]",
-			"name": "ENC[AES256_GCM,data:1XM5alN6rHa7zA==,iv:XcJtg3hsscZRyuNVSV3eBSjinLCQ3fdOCUlgDFDRv1o=,tag:YktuhSwqx2q+z5QiTMeblw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:bSJBH/JnvKZoTaqMVoc6Vr/4T+tnxReoq6XUitH6rflbmpyGynA8c8WeFo6+IHfDSQ==,iv:2Xhi7kAM6Byiz9D+qFUOFP4+N9cf8fuNhY4Qs0UUxfc=,tag:mqSCzvqOUjJceibBKt29mQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:TC1bNufv6Q==,iv:xz8zfg3EfuPaRv0bT+WbCxXnf1hZYVdQgGfmaD6nTEU=,tag:WNrNM9lMN8dUh1JqGOCzyA==,type:str]",
+			"type": "ENC[AES256_GCM,data:vk5zU38pqvTETEIF,iv:kb/H/D+1RfEtibWJN4vCaa7kHRY0AaAgxyZzfEatpXA=,tag:cVF8UQW/zPTaIbr3Ulr+QQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:n3ndmoOFrARdUw==,iv:qGLDZn8EdwyUSDMuN+B1RMhz8rstfJr4YU5/qKFBIfc=,tag:1NSE4BWJTN7cuGwaGe6i0g==,type:str]",
+			"provider": "ENC[AES256_GCM,data:uaRYpWHU6DweK1c79o/7ZQgbae1KbK34d6LMAc08RPAmD7FrJIF4Gb52hQaW9+60nQ==,iv:1hAZhXlRcd+zd0PNqA823k6z7uDi4YyLpdcM8YMu65A=,tag:VVh+kCyD6oDokYKS0HriyQ==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:Hw==,iv:ycIVAL0a4jb3e+dURg9VzIGkNff9ymqdfWMaT7nGPEs=,tag:6lwU8EzDrqijcUzpwn85wA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:RA==,iv:T8WMgfoRY6CR7O8PyogiJaFfC3+he5/ROBZZils12Ds=,tag:yJcTDI1h18LTSL6R81n+Zw==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:F5DgfLLnfNSKOg==,iv:W+JeElN07FTBKZNKZXI5QgBzEQQg51Yc6k4pCryAU9o=,tag:I51IRYDRsoE4ipY4UvlDqg==,type:str]",
-						"name": "ENC[AES256_GCM,data:RCAQKq98bW8DWQ==,iv:1w2tVoxbIPruixG43KgykRV6+HLNPubo/mNYy2/KzE4=,tag:br4jKZMjjnHAtxrU+7bfMw==,type:str]",
+						"id": "ENC[AES256_GCM,data:D+ANc+pNBmfmgA==,iv:LUYLIyNdAa6xNed4vs57bGmuvslJQa+e/Z5WQIlvz18=,tag:8N8jyFVhYaWktRu8gW/KfQ==,type:str]",
+						"name": "ENC[AES256_GCM,data:tEMhiDz/wQZo+g==,iv:SXhAXMRQsoSirIiM6gdY/b/qDWp4W140Qbo9JovMkPc=,tag:oR2HkPahZuWNtvfe7X018A==,type:str]",
 						"namespace": null,
-						"policy": "ENC[AES256_GCM,data:c4zgnQb+0Qo9k4hDXV+HdhhSAiW5OYwT1Mt2LNEAy6TvuPQQSoXjJlm8UT6loLFe+fAmZ3yWf+zVN3io5PLUl+VQIx/+6S7QkB5sYnrY3KnnCetXwAaYLd6BaMkJRWX4u24/iG2sTKO+R2uSnNhdUkl1UO0cHH/AiT21mgSPhMJ0sJ3GdtlztpNyPgrrn45+O0gfVj4gRp+IjZSATUH+QtszzES78B8OhUM6+5MImIyF1/opTUuyjF0s5QhMNxwqPJ8mizUBepFvcWniLZsFyRjvplxClIauwVZpKseE32cYccaUFIo5WZtFMXI=,iv:XADbwkuc3hH8oyaPTGZoBRc4rAb285JPU4vQvEfS5n4=,tag:7NWuiojgEU2rQd7h+UX7KQ==,type:str]"
+						"policy": "ENC[AES256_GCM,data:G4wH8qmBvAr75Xa8CxD5miA6EFN9lIIJAzMRhcKHNGjmhpszZY3D+ylfYyTcYBOeTLfqqdANX/Q7d+KNlLv+rmHl1eD8zHbwlkhcTvyoAoPc0ay21VsgIVfFq3D85lmc01iEQGi/LnVdMxgcWPVtVsHMmBbdWCw4gAq95FS3QW+NvICoyrgYEueXBmgOJG9NGA+oQxGzK65cOf+lY6C7rtoSZKY2667QDFeS9g1+EW32GaEs9QxxCD+MKFmnGvYVHKRN/Y0xa3ABxJbwfdHMFN2dhPjP/EvN8iTF0U/CR9VxhbcRRNYLJD+MN5o=,iv:mZy8c2w2K9trXuhcjLVKmsnqJ/5Auhsc4YHToN+CEHU=,tag:+uP7qiYmWRyOUQfM49ko0w==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:aA==,iv:Ui+v4CE1XdDQa+s57JsAChbKvyRzwZU+zkgSBiaaeAo=,tag:Lt2GiG9wlFaIx7EWB/PTSg==,type:float]",
-					"private": "ENC[AES256_GCM,data:COwGCa1iPaw=,iv:Tx0FzYJpdXhEXP/n1DS93FEO2+YyOFh0aAzuJXRZu0w=,tag:kfho8SySJKvGKY3EUBlzcg==,type:str]"
+					"identity_schema_version": "ENC[AES256_GCM,data:6g==,iv:U8Uz2VljP6SNVBq6NTqqaZDIBIVuroYLQdM6fsIV1v8=,tag:nT40acPYRgNhkrC7KtWmTw==,type:float]",
+					"private": "ENC[AES256_GCM,data:tO8eEQts+BY=,iv:DXo+Ro/BthCxu9PCDDqwjinfVHql8MS0UogLt12o8Mg=,tag:H/0MtyvpH0cjFzNMsX3vwA==,type:str]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:8+wntFDQaw==,iv:TYl+B55eEx23gsmnHk6Mz532FWHtng4MtPOZQjp/cNg=,tag:EbX0vn4JaUEwFeHlKWQM+g==,type:str]",
-			"type": "ENC[AES256_GCM,data:+39GiBFGCJF5vTi/,iv:Sj6DuUXArcSscPGjTKETMjPwTqnAhEj+JBFGZu8bYjE=,tag:oSZcMPA5BPWkqplkVjO0CA==,type:str]",
-			"name": "ENC[AES256_GCM,data:Y9YvKGdEirTjpD/UKgYO,iv:MO/n+GQdgb91SRUZOCybmJoGQmEz7rVPWedXDSmTwUI=,tag:qKZj+3e3pV17cYJ8DnVTIA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:2cqpzZAtWejynWgw7pSNFF3DRLbs05qvVF6ObILdoWNuN+g1Qpy09H04Rmovnx3LXA==,iv:Dv5KJ6dWdV4zRJNk91x6L2EuqTuUlbKpcHttfZn7lvU=,tag:MX/ptc8dl9snd7CJsfhxFA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:f466Tdc7UA==,iv:DFHkVcHX/qBAy9BF8jRgTK87ISj+1ZQZgF6NJF8UhUU=,tag:8iZ8k/Pn2KnUeGLL0PJPpA==,type:str]",
+			"type": "ENC[AES256_GCM,data:7BoFLcdcPyn1siOo,iv:5KsqNlm1MF1I5EJr1yzq0Dmxh10QMf9JwcYDoKhaNGQ=,tag:VqZcf2A9SBXojiOFCF6ySA==,type:str]",
+			"name": "ENC[AES256_GCM,data:cVS/2MlOQw/ogLlHNFFs,iv:kMHIR/5/x/mn1NszxkSbC9C1Y19mrhmL5FCetemWuzc=,tag:5dKCGeRAPHe2H4VNj9+Hng==,type:str]",
+			"provider": "ENC[AES256_GCM,data:tasKZ3M8oWLvw8AGcqEM7rTnzHChKOQY7a2cmwDpPlMNu8W2LCPINkXg+XA7uGkXvg==,iv:2jcEYm73ltZjfYAscveuOSA8BbaWhgkdb43MTlXZPAc=,tag:+1O9SBmB+gLIbK1OhA2boQ==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:mKHG9w==,iv:OEQ5E6Ozz4Dk+wcEZjdC4zQGShHlRyLUsNcm891zLtE=,tag:IeuuPMcRdQKPUpSl51eIOw==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:fA==,iv:N1pPxxUgPXciZGFZJdwOaFTozh6G27qpm2X2geSR4C0=,tag:jInCfzOuNKyGvYFtOSg61A==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:awnayg==,iv:uERM3928fdWAUkKZom2cXDubIrtsjpXco2nMQuppZzg=,tag:HX+iYyE0rPh2UTEBk0Fq/w==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:oQ==,iv:cAM/6/iYZ8OsIKIW2yEbo3sDMuxDgYfqJujuB+2AiuQ=,tag:QzdsF+QK7E5HTEU0YeDCPg==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:FomLLzzB6aYtEo4nimyDQjGQkvw=,iv:fRBmpAJLeTBVbOEgzsLvZHsb4+xkfsbu5SyD1DMSzjM=,tag:2OoB9LLq/iS3x2SAmjZpGA==,type:str]",
-						"name": "ENC[AES256_GCM,data:JXcXFRvtqKZos1v5Eeac34XaDUE=,iv:Nupi9OCSbbR/wSdn3tSRznvCLBehmIr7R4KCZPPIO6o=,tag:KNxGiuw1om655jXpBvlNFg==,type:str]",
+						"id": "ENC[AES256_GCM,data:SKdk0eU21MqT5DD653Mlfi8oTrs=,iv:LAH81+o3E0YlfOlDhosWFqbSGjiRQkmKsAmvssCZVck=,tag:3SK8WSidq2yCIrv8ZiSWpw==,type:str]",
+						"name": "ENC[AES256_GCM,data:NlxeaEGp0g+l+GBXqw9CwQmIFRk=,iv:2oglLAT6x+zWTZgVqKJDEWdkjE7OrEVBcwaxXemBqDY=,tag:krE7nJF2e86MAc/4u9K84Q==,type:str]",
 						"namespace": null,
-						"policy": "ENC[AES256_GCM,data:qSKxTIc8Qi+RGQe4pVJV5N8ULuqVcDc3fCjJyKtoiCekeQqzzPW9Wt9XADw5i5TXGFPox+gxdS72Yr4day0RCwXbndC21JNiw67AKmB2su3dluxgh6j9KwhxBGcM+gZMKIcC8yY8GHwpY22SkE6Vg0QDUkGM83sKja2rtPIVaRBHcbRy5iILRa6DoEsHQbAnScoiGvkax5Ii/wsBYm4oeUQ5KXPNImLw/xR7CvtwI2SbWtDgLAe0z2RBaudWE3Oukk0UsFOsLRfxqokhpKLgPhjmvmZd6me4tAjEFEcSq+3bCz9QPu67gRFxMVy7ntynMDixaGo3m+qijbjb+lYPc8iAfCx0FZ6x1H0sPPav4MTcYe93ZJQzKaSCQTA4SeaWsSHUvHOxYnbFVP42HJUijEFsTKVI4FIEe0/FSnS+apCi6qBKHrAuRIqLa01i14Bu66Ly0/y71EcWygUm2q855KCKBuv6bKGkfJ1/7crMTAsNlObZbEQusuHidqGr4l49qPSqRTgR7BD+iaggVIosyvdADCO9tWGZzgocclLBlXLJ/rrrgz+m2KQhTZdSo+n/TZMibbgBN4Ysa9Gmj+jLXuTG2f4XrnmD2d+YhaVWGFqIt8XbGJs7pyyEv8DV7kuin3pAlonngi9HAmuhdUnWe7NH,iv:CJePQQHocyGDK1GkMCDM8J5qbNUjNQVyhQ54RLt5vSA=,tag:LC/32Z59DiUEkZNNZD6z1w==,type:str]"
+						"policy": "ENC[AES256_GCM,data:nTIImvmNzLlohWGuDTGkex25ioQDbZNTK9qCfZaVguAy4hTvQKHLW9BJNaOztiW42aTMqO6tInBYilyvccNYzCnyK83p7avnq9IEZhbHBTyAyeiamgL0vCnJGfbfRYrve+34EQjCkmCcOy73XJesBv0IY+YK/3OXZUdn1jU9MZNT92e9kuyZ5rHNu9kp9YPnxxBLo8F0g6aJGOD3Hwe5CSCKDxV2Q1FFg4JJKx98e2FyBlX3mo/MPqqgwnJa3nwHW7jIsbNf5Y56XJU04cJY5Yu7AoDIH4OyDj9tmIROjeJvi8QkQwTH6tEH/GL/wskpBaWiXH6XssD1XJUQfGF9zGWgL+4nTD9yjUDrDlNCS51HR8JQ8TLqXJKNG6W57+roYrLiULNzwbMwd0pjDCKORTwV+WqCZU4SvCE96ZHTuNDI0cV7ZRpvPfYIivnkMP61TSd2QAZpHT2YladuVBKbPSVr74S/s2/BDJd+LfCEfKbgdYb5dBzzDdHmo7cuuchEeiakGgUCPeKupdtkxlgfi1NO5XZYs/nQmekqFa9DcTML3MnP43czwVhvOvK6qY95rxk5Ic7JAlcoPwZU49WbhlbrznAff0cp2B2ar6QwfQ6pxqLb3Se7TerjCilqdnI7V0mag6FXyAEboVrnFjbmKEZL,iv:pu6yRQ6sjtc/9pQDi+/LMxK7zQLwNI55u6V4yl+c2u8=,tag:7Y89+KkzhJMsR3kap+awjQ==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:aQ==,iv:pp63D/ph9YqEDsdOYxM7w13DFNFOnyzXod6XQAGRxn0=,tag:BunRxL0qXb/ZF0GGaRUhrQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:U9IXboaWyhs=,iv:ZbOGLgSgtvGzlVLMo7nfGkDzeZzIfrkqIAuaOkAhCM4=,tag:uWpTRq2lkqUo2N+gQJJxYw==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Qw==,iv:9Xx27zGZdCTyt0s63LACRP9NJ7I5vOZzg4Mqx1tYB/0=,tag:xOYXFYxKcLRBJBblu9O88Q==,type:float]",
+					"private": "ENC[AES256_GCM,data:WLT4UdjIAPI=,iv:gmkS8424Nzo9f5wnzKdHxXSlyRfgGN8lizBgm6c+jR0=,tag:t72+PUSH+S9D/hAHpQw7Qg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:nz/UVNznW8pncksydkp0RJz3ORTZ0Tp9jK86bS2rGSM=,iv:BaBO1L3bBYW5J9+eedNsKdRMyzdpSEPoyEnMuCaVtqY=,tag:Cjt5KR35hl9cwsogB46Ktw==,type:str]",
-						"ENC[AES256_GCM,data:aDgmotAsuqjuT5Eah/HaqfKL,iv:WOroREMDneujAVPVxKOHx/8NhAdipj+N6bjp5Yrx/kU=,tag:hkqRsjZdjvSAroNson3xIQ==,type:str]",
-						"ENC[AES256_GCM,data:Ur4hHg2LLNzucY2izQqGBo2KydajAQ3WJ7U=,iv:S2nhQ5KgblL9Y9Do7Gl6ELqmhrgrVoWF/26eynU0H+A=,tag:0L5M8A8g8bHo1mWxWKyAfw==,type:str]"
+						"ENC[AES256_GCM,data:YrYeDLVGSJfWVBk/pe5K94LlH9B7I6WDZ8TQGVRpJlI=,iv:J22rzk8HHRCmizKHEbDhNRvdFucO5Mh5KEqQgp4B4Mw=,tag:F6IuOKD55yh3pe3050ttkQ==,type:str]",
+						"ENC[AES256_GCM,data:KOqvXVHv1tveq/kK6N+ftk1X,iv:x6BiMqNIa2dxcaiIf9GOohldmrfr4agy1WXn6Qj8S38=,tag:2rVZ1DNXLdNJoKVq6EBlLA==,type:str]",
+						"ENC[AES256_GCM,data:GBnJqvxlNaH7F/Rs5bCidZNes5kfGIqjhWs=,iv:pZGtsF4WP7uR8y1aHiWylt9ZecPJkWG7Dny6bqNlw3g=,tag:pdjBibvwpcTZxoZSLSBV/A==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:XQbO8mjb3xs=,iv:yHblUld4GX+f8ldJFrr9+sGjdnn7gUvii2Ju4U/qmog=,tag:ZrIg4b1yppDKlCFi6Ft0/A==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:bw==,iv:ZoPiq82ERyubXFxrYNbNFzruP+FvYRZXK46GRbs572o=,tag:cy8rdMU6QWWDS12uGNHV2Q==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:Ntgy5R//eOc=,iv:7F5gKMMc2bgR+esmYSg9O57QfAIOZqHhTHbLwcFvmhA=,tag:6BHE6dA7jeqaHpugWCVF7w==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:6A==,iv:5zE2sdqkyBHZpH+pkUKgp8k+HrX5wUyP8pnDo6Dilr4=,tag:FMY5+83REyN/xsfolOX2vQ==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:LpCHlnQgtlXonptHpicdxg9v/6eXTutX,iv:u4BtBF8Wto0idYPS3xJPnHdCru+Qiukmh2EYgLgBoJ8=,tag:bVysu1w7t6JV1T5dAMkjXg==,type:str]",
-						"name": "ENC[AES256_GCM,data:baUEGeijRkAfMNTjJjWdqlQNdH313nvI,iv:YxPg4L4Xb8VeEQ5LJwhZazsc8BN33Cv1UJ8GGQMhN/4=,tag:bVDPtSHLaQvbzt1LgLUrZw==,type:str]",
+						"id": "ENC[AES256_GCM,data:z6c+QpbEHbNvQUBazwdijQS0aP9fbP6d,iv:I67Hx8C/wcbce6mhjp2ZWSmR+dduZE4hVnhRWodLXXI=,tag:G+k4g3gAxfsjlbh0pFKrAA==,type:str]",
+						"name": "ENC[AES256_GCM,data:30tLud6tsYwpjYc3tyuJdD7S2fQqAm74,iv:yRVzsigwi8bu03FxB6djJIjRrBEi0KpIKXkb/VgHGhI=,tag:s87BQHbaD65kYJWq/6HDIw==,type:str]",
 						"namespace": null,
-						"policy": "ENC[AES256_GCM,data:l+D28wzKOcL+U7TPlFfjHsVPmI9AqIJ3bN5PVuj7eKAZs+qSot/OXI/x88YQJfhCLNOJCSQNDxsQbZxaAL1k8UVHEG/Tgfn9MX5usn2ZbQ3MizQwe97YzqKtdfQyrGL3cuUqmn3BsoH3mzmZGtB7NI5Sc+aR77zk22IrHMId0TAQJ98onvODymNuD8ooT/bYzKG5MS4s3IVBu0lyR7aQJIjjgTctNM25+32DS54SnDSTs0uBWl/SxNhuP2Rk18PIrM6+QLvJKL7BtEC83w8rViEX+tepHljAtsKcFJwY0u9ECTrx1qjummT2K2bp5jgq5rjo7b0YkQFZNefWvGdr/7G2rzk/u2JzNA9ZcEC+5HQQ5mDk2XmTyucKVLHkg8ZHQ8VvJskFp/Cn7ZCD/8BaV58gu2yN8E6doa71hykMSrIz1nmOZ45na6EUNm8E0B4aOrb+pSSHLbcu4BL3X8cwDnLGiNdZD5mxvrCGPwBaNpQ4k+Kx6daqALXUslzSfs6cAmsulPzlLGqIuNBGAasfAhyMZ7fFqcm6dqyYf66gjKaKjFUT6pyoGQixk3ZwXr7A+uqq2n5yh/4OoJHg+7nOMenmABG3GsczqV/7O/g4S7CmLx3qgqRAOLb47cDB60B0RXxgFv6g4izxkkqEh4FhUVpTEhXwopWE,iv:zLyEKJk2lxdJN39zlqxu2hzD0EkA4ARzu1EMztsCnQg=,tag:9EyAkSX6ohryTPE4LCjbQQ==,type:str]"
+						"policy": "ENC[AES256_GCM,data:gvg8pPXkqaSoXHelCTfSemTZ4pJFqRg8naNBPW1im8dw9P7bwb+HraX3J0Mm6zKmqvkCwsqrUqoPtCCccesRWaYjtCHc1nn/sdHq7bWIx+UJRr/NfJdbE2qaXHKvqLiU6VO4lx0yz4mWUFuIt3Ze9WKsoljg/rn41d3vQL79AL3Ly6TROTzYdxIkOZHM17g7UDtJFduZecEv81V2xvuUqSZW9Dx0VeGWqWLjC6ThdRuTv21ipHbk9Cm7TOmJRMH0SYycVokMGvkKeHJGNahgwpUwl/s5UqyFiIU1Sc5Tj3qqDGrnQPj4O2kNigyzWGrbYjPo5iOUWmmW1OFM2AJ2wvyHtBDnRQUIZsvEYdwyGrU2Id+1rVuT5cOM5qOCknsK6hLl14q7HLFrKHy9+IBiVtdANwNu3997/Rm6uFE6mywB0hsijN0qqByQvX7zPLqabqlO3gcdVQrn2ljjuzpewyRh6AmIpCbwoKcd3x1pvwgnr6hV41XqIDpqEzPQYKoOIcS6GBpoHUfo9A/WkCD0A57R52/beOdnaw7du1B5VPxdw1ceOv9fPec1SJt/0kq6/3AbqRCv3PneB0U+IjaRFokvX2tDsiGgmIv3WFFIQlWSOedDifV1OeQpG3RI8TwAzqVJ3c7QpjBIR8ueKVcEYCkGJhug3eVY,iv:ZWrMU9NVOZq46zoCnCSVBA92qnaA8lAt1nFgaQw7wvU=,tag:KR8eqMCY0VL+vDhh4o+0aw==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:gw==,iv:FDN3vahorHxWm2kz12j8WYPaa7fMekAh1YCbv1GbR88=,tag:WrQ+q+j9hC/tC6hQcZiBLg==,type:float]",
-					"private": "ENC[AES256_GCM,data:dc4+xHTnnhg=,iv:0xHm/eVyAjQtPjRo8z7cf4Zo34xzyqBRauOPQgx/TH0=,tag:ouSLEs08ApenToM6Nil2Ig==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:XQ==,iv:MiUuP7EvBhUIiGieiKsiEL0vhFjapzT0BsZJ4BC/cPc=,tag:1ebUu6759HL8XhL0+EJV6A==,type:float]",
+					"private": "ENC[AES256_GCM,data:LESvBt2ua6s=,iv:zO9Y7dpLuLyB74/eT9GLD65a6etYIaX7puHc1tbj/j0=,tag:UxDzrQoX5mKv2wUABvfXFA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:n9m6RcDHb3YVKwaFr4CnNn4b1Rt2LoBLDQ963LbT1wQ=,iv:OMXq5HALfXtxSvt9fLJMWoqiGkliV9q+/jD+uO1Odxc=,tag:cblECRLjEIXkEP085Hp4ag==,type:str]",
-						"ENC[AES256_GCM,data:Z78u8xLhnsdcjHFqshiP3asS,iv:qT/EhrzfUgukBudcigGYKT6PO6ah6G011bg7GxzKWNc=,tag:S3FQzK2VwLITHidzUObN/A==,type:str]",
-						"ENC[AES256_GCM,data:5ARsLGv1IGkO2BriGMzfmB0ktLQuyg81l08=,iv:9ySMQx3LH+hoCcXaQIrj9YPjP1tGPTzMls9jHGa/8Wk=,tag:jwxXUERm4lz+P0VHAbW8vw==,type:str]"
+						"ENC[AES256_GCM,data:JCHh2Jfhw6Pe6Vi4OlQRrqb1lPbToYOncfNY/vvaVEg=,iv:IMQCdgjzvDdmCYsclf05HnXezCPuOAJ0VQX3zjIrRXE=,tag:yC5iv6v4/Qij3YUbnff1KQ==,type:str]",
+						"ENC[AES256_GCM,data:5odFRHpFVIuFcsvLN8wlbrIQ,iv:a3KiFJ+Sh+FuA4nsjy7L2pkA/HFhbQnkW6sIxX1s2bA=,tag:2bfxRBFs5LcPaoM33MD/mQ==,type:str]",
+						"ENC[AES256_GCM,data:5IdGgGZZgbVbAl5LZaTXoJT5gXM8CMJAckI=,iv:48KVfCoE+9pHsfBTjHfjEk/Z7Nzxi2yRq5TSF7jOoRI=,tag:lFWLi+zXju1ZQWN/Wtk1tg==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:6YAP8EoTTA==,iv:bAjUBzX13WKJPLJEbqPIGp0OeiaoPkRoP6v1Yfj1tFE=,tag:hEK447aWvXq7sacze67MwQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:NcueCBuL6NF7Ufme,iv:hK4HW+zEIaO2Ek/hyA9L3l58B+5iORRKbwscLbKATKY=,tag:wG3yTDQuxeZk8fSEJCtumw==,type:str]",
-			"name": "ENC[AES256_GCM,data:pIZb/keXbZlNbdFb,iv:qEEFJMHT0ZLs7HHUCMFIbtjC147AIHrHhR/B44TmW7w=,tag:4+c23NF4zfqX+qhMGEvnjQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:+JsuGvQoSD3d88vYSFBvodcShgBS7ZdRXDVGakKvwFMy7Ux2rpZ7MMX6tscfcw7H6w==,iv:siy9elUcP6f+9GEoXaP3965XkjktQ437eMGdfryIr3w=,tag:S7OSxadeeO3SaA8vQW353g==,type:str]",
+			"mode": "ENC[AES256_GCM,data:mYoB4N38zw==,iv:iT4YW8cnAJoios20tDr74THMihgJ3aibZmMH3EyiuAI=,tag:Bv6aGThVo+5Varx5fb94hg==,type:str]",
+			"type": "ENC[AES256_GCM,data:sXAtCSkAJfVX+hEk,iv:ARTMKf0Bew1lsgaD3q4BEQBJNe2BW5zoEijfF+8qfCk=,tag:lb3HLN3KExfcy+RXu3xA1g==,type:str]",
+			"name": "ENC[AES256_GCM,data:0WonLZwTGk7/ufSW,iv:dsjO5eVmbUtaITZnq5I4BTpE5tmnmYvRJ+T/a7CFY7U=,tag:dCT2SMrith9UlneIw88K8g==,type:str]",
+			"provider": "ENC[AES256_GCM,data:mXSTV37WSv0alKkRJo/iZGHg7HY9cKdhoinw+s6jzfEmRoPMPHUL98BvMnIxelvtvA==,iv:pRxVuKoKJCgFa0JeO2ODWFXdkLZ2eaOJkLvmByy7xKQ=,tag:IH06pbV67DTTFyKAMbjI6w==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:JA==,iv:iMV5V5CWB6NJGUJS08I4rxLAJP6AYBkyRFHpVPlH46g=,tag:zgU2EPWJNY5zB7T0TJV/Lg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:YQ==,iv:UwjyMtsyTpuSsKXCLvTMhV2g971MpFoiHmJ+1fk+Xuk=,tag:UAmYFW2/6kElgI9qtKP3yw==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:FR9gfR/FHblG4oL5,iv:SLU6TazBVAWR7zRcqNOgW4vLHm4+fj7TZ9xliJdjimY=,tag:8m50OTcrpJ6KvjLADnrqHA==,type:str]",
-						"name": "ENC[AES256_GCM,data:Swqk1eqV38341S8t,iv:RERy7GL+2GWsEzSX5Rh3c77Kck3fiulcn6+DTHMpI0A=,tag:R3IikZ3CDTp0VY5Ct7eW8g==,type:str]",
+						"id": "ENC[AES256_GCM,data:kBM5S/cgCF9nkoFz,iv:9zXRa17MJ2LtoqRiigV+T/mYiHv8dKvGb7bLhkVFdaY=,tag:JYtSuF0eGJ7pkPGVE2Wzfg==,type:str]",
+						"name": "ENC[AES256_GCM,data:JH+M2pHNPKUuGJC1,iv:XCY2t9uiay5jCEWH4mYxcHzVbnDiLa3bTW0/9alDsXg=,tag:Mj4UdNyVVVMD5qYy12pfEw==,type:str]",
 						"namespace": null,
-						"policy": "ENC[AES256_GCM,data:t5pB+zIAqFDKElQ5ifnS6VpkYi+kDAss5TzEAoVL6o4Bw/7dygbrE5HsPF0E9p4VHcHGye96JQW/J85GXDB0Xu5IBzswotqZ/U03zOf4VBIlpqb7/Jd28QY5y56o0mcx9bsmIWOHNTcbUY9OVd2cxiDUbC571Mld/4w=,iv:hbDIbQ0pp/OtKiueJkt7OQSuih30kzxffO40klVf3CQ=,tag:1catngbABikfrnUoGl3qbA==,type:str]"
+						"policy": "ENC[AES256_GCM,data:gmmwQaaZR2dvvIOv/8mgBrezOYfZ9wHsxgYx88Mux4156WAsBIBQCTIawbj90FV1o5V/P7+U4dXoiWnjFh0ay+bxKKW7goLfaQVLWxKMZyQ9fhAlKr248E6aJmgAPJ31tmKDa3mCyAq8i5/5EOouGkaei3XevrmuBTU=,iv:8dhV5z/7Nwz7/dSG9VxKrraoPRS/7/JnUbKHATycfqk=,tag:etvkg5yR3RhVrG2wqOrQ0w==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:fw==,iv:8QG0PHaP5uVnZMoYxe5K7pGEeVcfTbHykc8go5Y2+z4=,tag:OFkbhIW2ajHDGVqdUHzWLQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:nfoa4Ftk8pw=,iv:ibpzRFD45l2/SUou9dE1u997iPdxrqQqrVsjoV4iOm8=,tag:adC/rbPZ1HRJX7OiBP4G0w==,type:str]"
+					"identity_schema_version": "ENC[AES256_GCM,data:BQ==,iv:XOgEig1lMOru++7GmdDPtYxQsJUw/DLSAaHPIHj3SBg=,tag:uL8Io21X53Uqaxfigqk3fQ==,type:float]",
+					"private": "ENC[AES256_GCM,data:nzkUvpsjJfY=,iv:os8tqrjyQlFKYbXyaOOndioC0hQju8e1pFfgzybod8U=,tag:3vE5fnKVrQN15oa/nrH28Q==,type:str]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:2IjrevbHTw==,iv:iYVhVCW7w0w3WvYb1OLdoVQgtH/8Fk20rYl99w442ns=,tag:BOAl7Ghhjld3Fmz9Y2lv5A==,type:str]",
-			"type": "ENC[AES256_GCM,data:xqtKwZCQBTOjidj2,iv:52rEwGu2mRssp/UkD/9MlOxn24//xdQ5pEspsiTxSbs=,tag:8XApVEfN5sj9EAJzt1pFoQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:HDF7S4f5X7Qbuw==,iv:whw5C4HPfg5JxsOWXIMr8TzzCWB9ErpwoIZF3F8faF8=,tag:fPpnid/uoYd55rnRVa5ZWA==,type:str]",
-			"provider": "ENC[AES256_GCM,data:gNRhMKSlMNF+WQpp3vxEG2vq70di8CfsoguQRIK2i4THXm3ZHCFEVhwXEyPDzS5zeQ==,iv:CBSQ3jf4ONoC9cqSxSNJszr3xkYQp6PKt/WwJ6OB9Ww=,tag:J8XgQ9voI7qGJP4QmDudXA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:RBM/x6thqw==,iv:dFv2oj/QvZNWs8tRWfgv960iF9P+iurOgeB5RHNr6Sc=,tag:1mXzcwx2NI4uvywWQHIu6w==,type:str]",
+			"type": "ENC[AES256_GCM,data:gQ+5UQGCqNuGddnQ,iv:pXQyQ6DyxxVhoZMoTNgr/wYxCq5M34BHHrUvA8OejzQ=,tag:81+uFPTRaW/YStEcVCPtdg==,type:str]",
+			"name": "ENC[AES256_GCM,data:g6F8Egm4wtToew==,iv:gLCTqgT2E5JXfKjMob46fhYpSkBgwCRSW/L77lrgJmI=,tag:zAumaFoYLxf8OybtkyIGyw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:cNCUfUcoTFnH70hTtxY+xAx/LWTmoSf6aRRccTSYsehnA32ggp2k5n5We7rVHrHlcg==,iv:BaFccDIzVmHl5t8qds1pc+rbzRj7MhiEYKPc+UJaOEU=,tag:y4NwDNJFTW1NnwKAWPa9zg==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:cw==,iv:y4ry6zPSX18RQAXzDGOr0zY9AWdg4nXJGJV1AawCGhk=,tag:ihQuQQ4uucxkxhTsFnlEaQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Gg==,iv:1K1XI3Z+78FxzDbWpEKn4rxNu5iYHqcfDGL8zODoOr4=,tag:OWM6A2db3sUWOePbHOxU2w==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:ZKcoWu3qSxrAfg==,iv:G89yxiTifUnSd9L8zT74kLALKhc0BC8Jr0D34RdQZ10=,tag:ijOI4qnVcKr1oEuO2m0MqA==,type:str]",
-						"name": "ENC[AES256_GCM,data:LW4OKDm9/BkHwA==,iv:Q8F1ZgOwp9/UaquS6Yym7RxQLPvYzJWCHadTDAGEQKw=,tag:ArH1MNCKVNgc+ZRBrJ07vg==,type:str]",
+						"id": "ENC[AES256_GCM,data:XgFCtEX1sTzcIw==,iv:q22OKDfccLa6grMKCHILw9eNIkKSw/h2e3pE1tYhrw8=,tag:KRuspkWXaVCO+H23iZb76g==,type:str]",
+						"name": "ENC[AES256_GCM,data:ROZ5vOOGmnwB9g==,iv:JJtD0iJICjVIMS7RW/0O05IIvPDjQOL56w4xgB45lTM=,tag:AbSqc77BMRI9sh72QXCycw==,type:str]",
 						"namespace": null,
-						"policy": "ENC[AES256_GCM,data:xymB/yVFrSGNrCtcMfHjfY1vXlcR6YSEpY66DWT1fQk8EvPdAfzPXhYguWIQILtpARfCcWXXcI+8asB0mfx6Bg8XAy7pPMvKL+mE4cP+pzKZJJ7f4Qb8Wr/OE4opksj6kgmWzsMQr7EMsEuB9LgAoAlk/bJeKhMeSOGfULC3cuoYMfQHksCo73oLouDOhBNql9EXRz4nJnFc3UE7DkAcVIFW/yeewTSQolDwPKRWq0q5XsL/M8oKkRTin57RN/7kffpBqSCnZApCB5dlcb+/3IDAWWDsoWmc,iv:Y4gbHVmA8Cf25N9oMpe59DGBdIzKVGmF3L6vjEVR6Gs=,tag:3pmPfMs1YYRipN/2/IQUCA==,type:str]"
+						"policy": "ENC[AES256_GCM,data:BERny8FOZRNkbMDxoGaL15TSy6Jwv4iJ2Ds+TgWe1WdamAv83JMV1ZCe9IwBaFs+p8qOlMVlzGh3xh06MBXuQruspRTzVoY510A2iz3UnrxYnzbaHIdb+iUt4GAuMQGJ0jwsar141yeHkdyQxwttBWMyW/eWejxRmjXO/AHOriH1w5B+cDOR3tYf8uBoY98GG27jxXhRdaZx37dl0x5AgrMeS7d87QFszyhIEohFt1KQ+pDbyC6upO4P27kSwJ23Jmi7h67KYAWvb7htnoHd7q53IoNAq0jR,iv:eVf6MzVjXDoMreOmId54v36Nu2heUxpk4dFA+d9Pio8=,tag:h6jfcmprZlwtWgV/NlHa3Q==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Sw==,iv:BEZOVMR6tYawuWx5H1+08oO8YjOsKvBV4Bge23EMK0Q=,tag:eJYdGfhBxeGcWdHq/TF5XQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:VfpKlWQP6XU=,iv:7p1Cut1olthnWZd7hwLZoyuAr982o0j1PMjghQpHLtM=,tag:iy4B+l85bFzs0ol6tTY7ZA==,type:str]"
+					"identity_schema_version": "ENC[AES256_GCM,data:IA==,iv:IwOgtJaMQKadD45Sr2cy4zrv9IxvKKN8lNOAyEcgJcw=,tag:IUK+j3VwUO9z4O1c9DmYLA==,type:float]",
+					"private": "ENC[AES256_GCM,data:nlLujK+TrPQ=,iv:wWQ/3tmhg9nfBUwRbJ0kqVFy/q2qBLtnaQh3uN2G5+s=,tag:wdkRgoT5+Q8dRbBtbr4RXw==,type:str]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:pUpmBnkTVg==,iv:CE1pkIqPnQAbbzBjLyDWlqlDxy+usNXYD/yU1mvEQ44=,tag:HyPr2O8Bu2IFDoycrAY7Sg==,type:str]",
-			"type": "ENC[AES256_GCM,data:U3rOJDXfVRTgQsB8,iv:HqIxtMC9mvxtyP3sfwlN+ufvZEcqktRN/DZ0QdmD2N4=,tag:Cjy7H57rJbQ8w0GMXJ6xbw==,type:str]",
-			"name": "ENC[AES256_GCM,data:BUQqTDC0mU4b,iv:E+W0IGMkAU50X2/c0pbi/Liz5Dzh4Zd7aQnsFIh9ImE=,tag:QdrrB+EFvH9D1I0Hz5dMBg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:27uZPSSaROgjcy1NBFl/3k86/+rmOgVK8bj+go3PDkivh2A3+nMlr5aHdoNIpJ/4WQ==,iv:DFfqnhgn/hNnKe8ZGMfryntvnxOLBdjKOLurFcEBeeM=,tag:hb/vdF5tK5KR753VwxB2wQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:tjXZExs7vQ==,iv:vUcwfGy8Mkgdng96ZzVzcdK0xll6K4zQlQ8wVE1zTdE=,tag:zApa0bG1LbMNg+e9WpnIrw==,type:str]",
+			"type": "ENC[AES256_GCM,data:diLVK2G3vifWLeGf,iv:KnCfstyFp90QSHuvqw8cVxTKRsLmCe0zfhAjrw7/Nuk=,tag:RYHYZke3onYtnI/FFrUe5A==,type:str]",
+			"name": "ENC[AES256_GCM,data:w0oTD+H3BAqG,iv:PLR9J6yW8MNxREnKbaV+HCjE9nJkoyEDQvDI8ceTzkk=,tag:m1+yxX4U76BX0OPWSjkM9w==,type:str]",
+			"provider": "ENC[AES256_GCM,data:KSqsFh+WF+NkypqWccd86Hdb58f/c3hixpIQkgA1LL8e0uoPAAlVjALpFW769+n+ww==,iv:UVqA2e211YTG0av/dis9r4jKhOX0YiajQOI/v2/tPRM=,tag:gcKhBo9F/JocanYo21bG7Q==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:xy3OIg==,iv:AMeKrCcI+cHg7CSzOc4BiwirIRVOzTFSiAT9rXATIPI=,tag:ASZ2wOdnkPGU8pZ2r2balw==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:nA==,iv:rhuK6GqnuL28QR5eJhOOeth99Pd4RsFtUwyxE/IAisk=,tag:x35eKQvurVJSB+kZj8uZbg==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:lFtBtw==,iv:sp4kUTEZ+fgZeq8k/NGK/ka0SmnvCF8jjtwaMbE5OR4=,tag:GF+kshJ6GFZMloR4ywNJAQ==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:IQ==,iv:V4XUZa3RrX3iAFdbRgROjbbis5CSTpdelLy0fJZESII=,tag:hfEYmbAVxUk2mkdpoqFZdQ==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:/YRFlqsPXXf0OjL3Nlo=,iv:t20GIJrHVb8bd0Ag0xcKDU51uaZa2PgMeplHjOQ7niI=,tag:rsz+F5bkK2a/3reTWmfkzg==,type:str]",
-						"name": "ENC[AES256_GCM,data:UPr1U02cJdhbZVJMahM=,iv:GkbyBdbN5MnmOUVGbRI8sK4hEJy/W7651xQ1ZgaD/OU=,tag:AtTuTw6aiCwwBEmtFbJ0jA==,type:str]",
+						"id": "ENC[AES256_GCM,data:UA401JKPCRTCeaILjYc=,iv:mrDs/K25tI7OQyTcKeHGavXHcFCwSex9AGxiqeyQnuI=,tag:5Ye4NDrGKuDx2MYyBeagQw==,type:str]",
+						"name": "ENC[AES256_GCM,data:WbQyYxkAhVO1q3RBGm8=,iv:+WcQXhKHNqFDRkMzp/HIXv8de3ict/lzFOvOGnvdNJM=,tag:87c3/gnHyQ6i8GxcNfAwPQ==,type:str]",
 						"namespace": null,
-						"policy": "ENC[AES256_GCM,data:yQzeHvFFR2Iag7h5p0mWSgINDrwm78sHmOw1cSVY9RKk7j9EAiokePMNh2lrlgTZyq5vCXw7BHHMBZSqxLOkwG5uzOPe/j08sPMqpNFDYFmChGFlfqCpzmaPPOqUPDFq4T9/+xbc01xJ7zcSFmA/dZtzYgd2LWQdeO36UALkM1jg9d5aglcXC0kUGJFIj2UqUQHwZZ7sMj85nK/nvQ+kLd4cmB9eAknj8KMyg7MQDjarC5js5kBIHZ22t1uMkODExfluj8DH6o04ND3GpC/yn9kUnyJG8QuiV9uXdQP+ChpX0CpqeZmuig==,iv:J7SzHjEwXRCKqDIAD+q04Y9DfKo0FBt9h88BfeuUYAM=,tag:BD2IqdskcXOW91JKnmZYHw==,type:str]"
+						"policy": "ENC[AES256_GCM,data:SAu6jRdH1T6QdA9eluoyUEJ4ZlKVJId96H/UQghjuMmzVguKTMNFls/bawJbKn6qPGK1yQ08P9sNL/naJehX42lwNOvyZyQqiX3l1GFTYIW9KwSdL1/r83eODL+vifmh9/5KrBpcnnLhlkT23XJswrvjdPnrnW5+dSQ5T1P7tYUWQOOGdcea+/55YQo0rfjeBfcCwJfDMaqVgEtkknuFXRn0j49EsDg39LOJ+XnHH34UucAfDzrVjFTY4SlZvdDkl6WYK4PUs5dMtNS382fvaZvZSa7r0N+pcXpQDNootBc6WXbr292VVg==,iv:luhUXH0Sw525sHeIwr7OFybhJvYgn3XZvS6wLXqEmgY=,tag:EKym89tz3EafiIOyZR5Ceg==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:OA==,iv:QNPHGx8mDf7H4uDSpp20spc+8pvxgzZb6wZ01hq2CUA=,tag:53uwjYuIg9Fb5vYhxi4MpA==,type:float]",
-					"private": "ENC[AES256_GCM,data:Pa21RA6xjuU=,iv:S7fA0iiy9iOEbAGzWmrVprdMAdmNUo06DCebz7BXbq8=,tag:MRmT6td7E6jHaKTJ59V33Q==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:eg==,iv:FN7XpSYVGKarJhZKwfUnQ6MXUrqgADbefYpIsRKWLxE=,tag:QeHDXhKmvoooYNrDO1l/9A==,type:float]",
+					"private": "ENC[AES256_GCM,data:FBLpTm8XQeU=,iv:Qu93Ua4xzJgRXNS5Ea0auAw7kHMtItL8simlNo2z45I=,tag:iKzYbVwNVQNHW3kD2Afmow==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:suIEzqAClVC8JDmoRntCGa180lXpyoBbe6A+os9QLTA=,iv:4wZ3aCeloknw7U2LENHwiHncQCliXv9EFAvVasp0u88=,tag:L4H8xs2ZruKuVK/YXWyaCw==,type:str]",
-						"ENC[AES256_GCM,data:qNZNXV8wQEIJbht5z5GkOASz,iv:Wn73S2Dr9J4M9dwQOxYad4aRzdzEHzhqc6Pmuz6oQC4=,tag:b7RHdPe8sfTK+AxU26z28g==,type:str]",
-						"ENC[AES256_GCM,data:Q838gppc5ndZJQB4s+rCtP4Il7T7oiwGQpc=,iv:5omOVBccVI0fzIBAtMKKofnsvbcIW//pNat8LvkxM+A=,tag:gNjInAjdVzDziqxRqydEcA==,type:str]"
+						"ENC[AES256_GCM,data:DmKDg4RpuRlyClPlkV56yEZx/NNGm8DOJ9L3vNCQCZQ=,iv:9x5KknD+0u9Psytw9NSaMj3Gbx5CN3AS+zMyF1z6COw=,tag:OjsUIX9CNzlCOlb5osfIDg==,type:str]",
+						"ENC[AES256_GCM,data:OlWdAtawcA2HDEQt36CeXG5B,iv:tQLaGydih3QTZn8YMiUYdcpOu+KrVIAQhdfamS6hRFs=,tag:vz4EHa1J+X5w7a5szVoTgQ==,type:str]",
+						"ENC[AES256_GCM,data:Y/qL0Ie8e89lFzWt5Fk1+h6bgJGJ7dZtHJ0=,iv:men2tXEvU47XNktJA79+Mmr6eVKtij9h5qR1BNFi6+U=,tag:DdIrscF2WzoYEvY+TcZCvQ==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:5eaqSvQ8tVU=,iv:1lB/7dhc91OelP6C3TQDAh/2bKfaUFl3Dw3Evp0WOqc=,tag:7Tf1u9V0k+sfE8PuOX6xtQ==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:ww==,iv:TzdpeoE8igQN3VKrDWp6ZImnl3epW8g+iJNILE+OrE0=,tag:LNnXJ5smDujFHIliwWXURQ==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:r1gsebj5DRI=,iv:PJZtNjRoGyfpuZM9eCx4iQgMMKg+FjLBr0bks7MMgDU=,tag:1zw9yd2EX9yLIsgunZeo3g==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:Ww==,iv:NHE22dpDPgynUDblGXH48A/1MjOu8XK39tnXietRcy4=,tag:D/PG4wKINlZgRkqj4ghhnw==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:byoFBXKK4BDc74EzAThO0iB9,iv:FKUkIA2Xpqm5mFYMJGBM5lxr8WihgH5UgtNlfct44ig=,tag:3mOXlZ0Ig6k43OlyPD5KNg==,type:str]",
-						"name": "ENC[AES256_GCM,data:2ka+RC55TrxvjoUJanu2GRSy,iv:Q8b3F8WlFG6KlQCY/4z1HdYnFnAUDuhWmKtQrho3MBI=,tag:M7tOKNt+qQZEspyYQAFkxw==,type:str]",
+						"id": "ENC[AES256_GCM,data:AMXFXntI4gtsn8D5FA9N/1B2,iv:hdyHzMEWWAzWQvofGHg1wv7fyJPbrkvGtL3If+AjZas=,tag:PS4gQvdVukSL886+gQYpgw==,type:str]",
+						"name": "ENC[AES256_GCM,data:rn7jAWpcpAryOY6MPY95s/Pw,iv:WTxiEmcRuhVH4xa2vKRct7i+vhwRPcsmSOtuRoKx6JM=,tag:gO5ChYZfgrjHCo+4MHinQg==,type:str]",
 						"namespace": null,
-						"policy": "ENC[AES256_GCM,data:co2uY5beOkRVpHumztYJhtijL4V359iAsLuNGYWiw5tSdDiTQXspsoOR7ynMAcWBifSL4JTjpcZzoID6XIe4sXdIxFKB24Mi+FE2dmTSTzEyGxGBlTinxPylfE4SmLqfI63TrXCJCswKl+tQj5/qLJLYZeFdwuQ518h/RWQelb3B396A6G4mmuR0RWXgPGJiK0AEzYrfz39bzABzR2WFaZq9ak3KS0w/h7SorCQrjwIdqWT3OPUDIdlJpgO/LZ1zeAonm0Og/QSFVrmme+u8Z5GGLzpSBi7VnA==,iv:+H+poiO4bV9kJ+WEObDT21apY3gRssfE2zii1d/JbL0=,tag:9s8MAucTMpIdGk5TRkSYLA==,type:str]"
+						"policy": "ENC[AES256_GCM,data:GPFQtDhAsFUaRy8JQzbfjCMYPKQUAV5RQ8j+7T0+pJ3Auilv34AQu/5ORuno866rp3pJS9n/sT2tZvpdwWxwBKVEYRLA8SX6hf8lV1WzSJsc0SW2lkGDMwFILxabsR7P06VswkxulmG5kXF7bwhIxo2snICQfEwYjbndrTZbCJZDDDKUGTaaH5tx98bUJxWxIa+i7DeI7BFdRuxVOB/OXCVUVNCgfZYABLjgAfnsWncDwt18HTVBYUQ9WwKJQW69jGNETsS1PuCw+QRAmtgn2MilrelMhVrUOg==,iv:+zYbm31wXF6WzcwbRZs8Md0T4eFvWG+WhBPsvswG2uc=,tag:xdsGjnTesMKH8qNMFTcE9w==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:oA==,iv:T7uS4o9zOTFiQ/3uR6jGsnBqKEDHLMP39ntmbA2LxtA=,tag:BiBvFCLMchWWg/q/Axlj8A==,type:float]",
-					"private": "ENC[AES256_GCM,data:H0S4NglmjgM=,iv:8+OWXqmMJmtaHmg1meQ0AzcR9UPok2bKm4K/3NMBve4=,tag:MqlYfE3dQkxgnb06YahovQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:aA==,iv:YpUeS/BCHPqN0KoaHhITPjdQzNySiOS95swr+ZGtbq0=,tag:EESVF0RZzNTzF65YuSL9mg==,type:float]",
+					"private": "ENC[AES256_GCM,data:okM6A1ZiiVw=,iv:tcMqO+BicKnnetiEShUM6BVkYuAvliSd6BITxQE24DI=,tag:e+7jglI5hOlU2FqZcpBP7g==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:a21wljryHKoR1bdNcTHhq3rLjc8dQ9PqBReWPLfG9B4=,iv:HgMyxSQPpAVia+FtIwFhTQMFXysqlANiGzY0B9Ic1MU=,tag:MTz4v6TpaMc09Ttwfd6zEg==,type:str]",
-						"ENC[AES256_GCM,data:UmavpikO0sccI8P0cXV0H0hu,iv:apCWl9nBE6K2lHPNGkZQXEPHLEhxsdOodyqRb5HVLTA=,tag:oLCICuYWnhMyX0fOqpeDDw==,type:str]",
-						"ENC[AES256_GCM,data:MW7NXEpBumtWW/g3SFEux17kHUMgsihYAgs=,iv:R3dGfNMSSOt3HBCV3TQq0ogs7u5hpu/PzCNfL3LdB80=,tag:EQih+qLIepkdsOVMFXXS0Q==,type:str]"
+						"ENC[AES256_GCM,data:JAP1C+mrMQ0wBkBqV9KU3mol3lwR3WfRLrsiyHa4hO4=,iv:z22NRtApZKC7bGL8DFuedB3spMKFJqfFTMV045awGPQ=,tag:rD5hiQXMYZuFazNqIBaDXQ==,type:str]",
+						"ENC[AES256_GCM,data:xHZIvtO3z30jVpSI4uFOj4nI,iv:dO2kYtCL18QHZRb4gbJU3bA1akrMVHN9+vs08MQ4emk=,tag:JMZLHEHRBmeKGaCOIhVDgQ==,type:str]",
+						"ENC[AES256_GCM,data:aXhBuXsu5ysXAqa/dFP1ajLBH4SY4hypnDg=,iv:ceSEF099pAJ/v+GYp2i+BMF/UQJDmvUQfj7gfLJcNfs=,tag:gBpxuyFWpaCk0kPKQtcY/Q==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:wf1KfT6pRQ==,iv:aQZaCKoJiKVeC9p6bbqLOZjZFaktsM9n1XnG98NvQbc=,tag:fk1XP+7V/Vqh2BjtQm0XRQ==,type:str]",
-			"type": "ENC[AES256_GCM,data:aOoXfl7Rl0VwUjZi,iv:rI+s9q+CMC1P5oVb/F2R9zW7sqaxadUf8UPtcSF03LY=,tag:tY4fwqXq3ZqAEax7rQFcFQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:GudiUQyNsoedrfW5jpOT,iv:+P7EkVnScCAPTnHUYqgUFY2YUSXbxgzQRnQbJmPjUf8=,tag:lhssOfdpeksGwbeGGuWm9g==,type:str]",
-			"provider": "ENC[AES256_GCM,data:PXwcdY2fnl+2UJWeRep1s9cAjCiWjJUxr8ceIB2IwzM0A6n9FAJJZfwGWPWveIxnGA==,iv:JjLVL/IuAv9rygPcvzHgHc/bKyqrDV2y+whAlE4ApxQ=,tag:R7dFv3t0MPPHFjEsMtxoGA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:fyzi/UhI2g==,iv:9bk67b/XGl3uwDbhWxNuW8mPxhYJHJiv6SevmB4MQSY=,tag:g1E+1/6dL9vvmU18pQ9gLQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:rndzpQYCBuDkoiEi,iv:UajtntFhdIdhtpqPM1NrEboUaIfdKBY17v0KDO7ZeFw=,tag:HvgNEYmGihP290nXk7gK9g==,type:str]",
+			"name": "ENC[AES256_GCM,data:iGjrpwjUerP33Pmtah1t,iv:zPxDp2HIXr7T0Bty7gEr2p+7HKGxsHxedywrD6WQID4=,tag:yGP2Kr/H1wM3KHkflL8kQw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:ZSskZ4mPCT0jfxiYuOY4a6vQifmqqZPr4QmW3DOPVuKUTJnZirgsuiCfO2R10JTULQ==,iv:mpm7WmOOup3rM4SuWvDIlAlbBDyzkA0Q639ChTMXWOw=,tag:ygZmx6Y1osgfVV+Bjq3gzA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:PA==,iv:qSQh81Lo4lpX9Oa0KeB+ptTzqx3LRLlmDa6Fp5C/hWg=,tag:iAM13v0wGWMdlVVHOk5sdQ==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:mw==,iv:WdGws1R7fTcsBuRHVV87oazyyRKtQm6Fu1N/Y3PKOGo=,tag:HSDRJ5EYKiynIQeEl8Ivaw==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:7pqxQDvgwLUJDpHjdi3v,iv:D+0oswqVDLo4SHdwAhOuoGgt7pfTujfaavHGBuXuqUs=,tag:7PBh0GgVpXr7DpPXOvZEBQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:HRv2agZ/dPM65LO1R0FQ,iv:OEVM0/kWVOkRz87x5j6qe2OsF4Dn3aGo6sr4bFYFcJ0=,tag:r943DSUbsJrJ+fsD4hmR/g==,type:str]",
+						"id": "ENC[AES256_GCM,data:UJen1ypvY9bxcljIfcUl,iv:KnMqLCl+m1mTucfmS95PeSUzj/pVF5md4TFc7cQ0+1M=,tag:ByD+bD6MjPFoQLPHL5Wd5A==,type:str]",
+						"name": "ENC[AES256_GCM,data:imPNOgW2zOlGQ37M2XqX,iv:Wb1oeTTBYsET/K+7V2hmU19I3a45Gj0gB16l/XqFyUQ=,tag:OugiwqbpxrqKZItVZ2CPDA==,type:str]",
 						"namespace": null,
-						"policy": "ENC[AES256_GCM,data:I5b/8vxU+VQVKvUMne8WyJZpIVMLh8/Gw6JilPSn+8GQuDqgkBaWv59mP8jRHq05r6LaLi8f1729cpfUaUI8ynEDn3lHJuLFJPwY2SF2NWaIogi/dz8RskL9yS8weHFyGlwT7vrdn1q5KEJ9sbgB+NjP6E6IO1txqe/FbgiVBqo5mQkK7d1FGNgk7Wl0vv2v0btqT9gNX2fjlzYJyhfGOGukm8Ul8c5FYjWkhtwrIeXpw+kGC+jjGOn0GZgrECcfMrS3E0fHl5ymBYZ0lkuPPLccunlZf7mgEkGCt91OIEhJRBGCa/y4lZmU0zVbx1HDZV4zcJKkBqcRQeRF4cxLp2q0YcRyZRZfVmen+zbw5Zvi/UDyVoqv+BMxeURqwlZjqHeC1OjH/oGNI8hoMVQDTEj+QNE2AbniB0hAbC6N1TXH+D/tkZ451cTXkVivU8XJN5RZg2MmxNUXEpuZh7MmsmY1lQSMtAFYv0ALML8dMMF/KisCGmgtrvf6OjR3zdacj06Qd1w+gODTl3ePAQlD25LRZroNelTq+j4nzyKlxb5ZV/Xuwvrac202NS+cjsPVZonn99CUz9r6EM4ANsTqztcUkan9gt4MNdbyKpmKXhQVLH/+SuL8+ne7lZxW2rwxAZ2w2PkNR0iEKAIQnP2oeCXzQUdOmk35FgCj/oZWKBuVHb85pkJUYlMA/5hwZN9lhsTybuOuUnp1usjRQZdPMrauyglonnp3DAmCMHl8Zk9tyYqE9b55pNtkRUrWzWzc68wMhrmmLJtejqRpHL7FRzCDNbaoMDu/ca5+F6fUDXNBPDLs8w==,iv:KMsZBbpTwWiH88Bt7Ljd9oYoBZrppHhylKLIJx+dY/8=,tag:KBpdnTJbgpKjtxxqEDXmMA==,type:str]"
+						"policy": "ENC[AES256_GCM,data:SpjfZwoxCgaE08rSUF9iYSzEggaU/vQnKAcNtYIPF+rAwFA2AbdxwARhlAoq+uEfOURFBaCXNQkBM/8f5ZNi5HeDSqXV1XTEt+O5DcOy2vSIvVO5+qdAFYSQKNk1Ql1YZt+44sR8IXuNHbi3KUQUCOGhAer6EEk6NrNAGsGukWPZsHSNM/Z8AcTNvqsxmmMGPCIk02gufzHB2Z4l4UTeq5WqRL3AAhqmhTIpTv3t48UHk91wOoMvxA5rZjNQBWKSVBducaFjNiDgvCdX9IlcBf5VRb4WxSxrXHNi9r0/6PBOiOVmIx2Bt//hrWoMmXQTcJDeIAPaytB0wUDB+3OgHh80WwCr2hxzEwIypzTvt/k/O4pgNwysdz5ce+n1uK89G5uk3BeZOT2gItyf+4dFW0TwB0CDS9R/Qz8ELIgxMqudHtCr8lOlAJSV9CbIIq4Us9hwjAyCOXX0kdDQZI7x5GGk1uZ35DxZgS49P+MdfNHhMjJ9LOjXdueahT57oHj/WUINTxRvzPQPTPOSpSmEs1iVWAO+gZUQPA+8f/R/2zXmyUewG5NLvWD/HBK/zo+AxA9SWI+w3StKvnUmStSiJL26f/XFfamhZo2A4nQvnEG6FO3M83nME1driBZraVwsVqprqu3gK7EGLq+0P6XAZ1n1nRAo1BDHQVtqt1BaFfbgb+riO0NQ7Q+0oMgIs/g6o8wW1ak4Wns8p6Dqn/fddfK3txumd7oY5zznFihrbpCv4SUEmfLj8Ys9kqq1bl+VfCX0Kk5ddyRXAy8AyJ7fxW75DrkdVUywFH6RYjXrqYnwiMkOTg==,iv:OI/HrOXwdJ8IEEIH8i3HwZQ0XjAVeB0w91f79sOhbi0=,tag:iCd42I7SnFNoZkpIztB+pQ==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Aw==,iv:jpQtB/IfQxEOxbZA0EAbz5bbLbKXk1fPNC3i6cti2/M=,tag:WQric1uDxc5/7821313auA==,type:float]",
-					"private": "ENC[AES256_GCM,data:SFfDg0Ya4Mo=,iv:YZrLM6BQMfa9pZjzSXWrYMT59NEdh8y1GEqI+3fipLw=,tag:y0AHpMAR5N3rBR2euJjE7g==,type:str]"
+					"identity_schema_version": "ENC[AES256_GCM,data:Fw==,iv:QajyCHqFGPPv3EVB4Hg9BBydsVgr/exmAdUAsMvheGM=,tag:eDZV5AToNypIixC7aEzXjw==,type:float]",
+					"private": "ENC[AES256_GCM,data:qvJy+WjKIgE=,iv:tR2x3wRHUVsU/s6jCXe55i0shrDJ5PISrSYQjiEKfBo=,tag:9WQrJCA6yPFvH4fPUA98Pg==,type:str]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:3Gc+DUf+Ag==,iv:jm5u2qA7dfdiF8wbT/CiEnp9M3+K+qIxV5NV3gCMUnE=,tag:yL+3/ljxIfctDUOq0rCpdg==,type:str]",
-			"type": "ENC[AES256_GCM,data:18NcZlRW7FarSWgl,iv:rtkYg04ReI9iOabIllSDW+ttFjPU+pCs0ZVjflm4xuE=,tag:f3XwmRvBD/tGake9cLf14g==,type:str]",
-			"name": "ENC[AES256_GCM,data:XgDNdiMxwjY8rajmhUHE,iv:4UTNvMNanC6DIrTwkwKE87YZ1xyWNe9q8lMeguYmZPo=,tag:eypbVVeEFn4+Fkkxs9YTgg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:hIFDYdeia5T1mzicaEf+oNliWz+gifI3RXTKaEGHsODiSYcItvftsJVg6UXQjLCR+Q==,iv:nwmq/vrRj1IZW/cBP/EeMtz5N6shPYLElGXgcx/5iSw=,tag:++fbUNqeswBJIu2HsvW48Q==,type:str]",
+			"mode": "ENC[AES256_GCM,data:8nXd4vS8fQ==,iv:1l5jj7cg3vMhh2jo4z8im3qJ8z2RTovnb8WzsisB3SI=,tag:jYV1BJqM6vShIIauZTgUyA==,type:str]",
+			"type": "ENC[AES256_GCM,data:s4hKrxEldfeMUq6w,iv:r5HgqIvLZX+rRyXAtpOeC4OHPAFs6agWQAi1hPn3laA=,tag:LiXGl5oLSzSzeKh+jE+jOQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:LL5r75aQW7wONDlkcj5H,iv:86RGpHVBZzPse5o+8Ew8U8Mz36GnAyUFeFB2aEWMO24=,tag:yZSTNGgNogUqbn47uhhtdQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:R2w+/hflNeGpPTOS7m5EO2Lz/cs2MYqOYuineE/63gnQPZqIQPJvWTCTExBCaUZ16A==,iv:rbhckPaE5j8MYGwNuspjWmNXLMuc9ZqzdrqlryKScb4=,tag:NMDdqoT+OiZQo1uZpv0EAA==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:6Q==,iv:g1dEhBgcX+ZW7UHBPfiY+T1pKBwQH6DYKFXvg7zxvTA=,tag:KPBxVc/gxRHLVK386wl21Q==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:PQ==,iv:AT9kXym4lD9/bQkyS7H8muyEyH6xqQHMHdlziAHeGUA=,tag:G63MBO9Ayr4rEjC88otpPg==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:WQHGEGdBCIp2k8vd7kg+,iv:X5xkiGu4qBCJ0YTl0G0E7hBRh1hogNmvCFsN3fKP7fE=,tag:AwEfXNcJb992NnXn/H69Gw==,type:str]",
-						"name": "ENC[AES256_GCM,data:leKFi8Wzvw89j7jVjumk,iv:BUPgTwUgwCnOe17Ut7QxbxxutWbzXF9TOiTtJ6b3LYI=,tag:ER8sSTR9RYPP81ZDCw8HIg==,type:str]",
+						"id": "ENC[AES256_GCM,data:SRxlWYnXxPaxsm0xw0Fm,iv:YnmUZmvGNI++GjVXN8Ued2e8+AzD/7HSte4Piz7ieJE=,tag:Ob+AjR+xgVrHhtrHejYOOg==,type:str]",
+						"name": "ENC[AES256_GCM,data:ah6GVCEzol9+YhtiK7xO,iv:UDAISrq0xVJWQDxPN5YmqU/euIq+EketclL40y0qLcg=,tag:Vv6Oojnf+37pOi9iJBSlOA==,type:str]",
 						"namespace": null,
-						"policy": "ENC[AES256_GCM,data:9j/UYDCDden+/TeNEipbKPM7QAgFViBtab/L6mHPvFPXtFtMvwJh1Sw7cRL3UVUBUMYEFeZfA28T9PRF1vw=,iv:FNHuWdsst6dYcKHTKqLy/FvSljId2EO2SjrQEswx2aM=,tag:KzK+vbcLS9xfUvwbyyM7SQ==,type:str]"
+						"policy": "ENC[AES256_GCM,data:QNtGzSXNlSXAGC7BLVd3BbkF2psseXgjNveUawnnF5ZFuEteH16JUuBItUCwqKvRpwULEgKj4hZaswRsDME=,iv:mGwgSaY+0fZAaUj0acpbM/BIxzBuOBzOWQ3n5zzpRsU=,tag:V8SP2mp8SG5WeGXSQ6L4gw==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:ug==,iv:bl8ofcXcvDSqiHOF5YjLTeQpcFHossK5u0azcLZ+kQk=,tag:Ub1RwVTtLqOpsXZascXnMQ==,type:float]",
-					"private": "ENC[AES256_GCM,data:aOpD0HaXAJA=,iv:+DTAnOVOsVBho6ggZfZ1kr98+oSC+rQQKdcR87TML8E=,tag:c316EmXEfvwvBFH12MK1Sg==,type:str]"
+					"identity_schema_version": "ENC[AES256_GCM,data:Og==,iv:/LJKEhcwx8ZRpYgBzCUuRw3UClQ1t7d27SHSJRuR0Ww=,tag:WZdtgcJ3E3jKlAmWViIg7w==,type:float]",
+					"private": "ENC[AES256_GCM,data:txNNiCmUhGk=,iv:fnbGdyMS1gp7Xt//vctMqrxUaOQ4xEG3J57lK3GvUAw=,tag:bxRpBApm78dELCOZkKYT9w==,type:str]"
 				}
 			]
 		},
 		{
-			"mode": "ENC[AES256_GCM,data:jMpXd2neCg==,iv:UZA6iNy6YjTwyKmmvJBOUTCH5feX7pi9tN//c0nqNx4=,tag:cSktOxlpkaWz/E+um9ec0g==,type:str]",
-			"type": "ENC[AES256_GCM,data:EM6wUSXG/R9ZO+lKc02ddxk/3dqPBbI9REUc83wRufU=,iv:Fx5uhrWZ6t2e+GRpu3XGdkOd3GGXjxyFmE+JAkC34ic=,tag:QwpV6rMDpIfjVcIfipB9rQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:rU9N6ymPCNbGQNAEiBon,iv:LsdSsBr83zyvY23ThHejmW3nDWDC2NKy5zV6RL5a2xA=,tag:JgCQu8956qyGaeL9QrIU9Q==,type:str]",
-			"provider": "ENC[AES256_GCM,data:PWai2Op38yf8Vsz0BZgnWyZQOeUKDfQ5FkGA5LQfAEQd73gPUkdQPCzt+ictZkwPbA==,iv:GlPeq01P8sj0uGYOFTZRwjDorAgY7tWx0IT4qjGYBIs=,tag:XUD4gIkEMQ5uZDaRM5U2EQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:JUNIkYTXVw==,iv:kyTH4A2DMpYt4ujQd204TzyrLa6gNFeMLgTKKlYEfs8=,tag:A3EMmgl60T5l34AdvO9NMg==,type:str]",
+			"type": "ENC[AES256_GCM,data:mgtoLipU1ANhNTo5,iv:vFu0izxosgfDAtRfRVaWHYfh1/eah0nwSPc2eEz6yMI=,tag:jjuof/ayY1rOMZleuIdB6Q==,type:str]",
+			"name": "ENC[AES256_GCM,data:X9IByTN8vihwR4D9rF/SPKTw,iv:fVwkgyCon93LZfZz3Q7Jncb//X9p90yNQA9Sss5QWes=,tag:eXWPJqXtVCyQ5sHRDmfHOw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:yRgGo/ddr8zOdKWV/qmNOBD5w3NtGEZDK7GD2ydkhE7pszEO1qH1RVpSvv0Kh0M17A==,iv:t+FeMo9YVzwQQWvzdbvL9V3I/VuXnamBA/j8iFEVuJw=,tag:ym03OKfvJHzgQKfWfylkwg==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:41oFLsxxhsXOn4gwAA==,iv:Qw6FJ7NwCA3fY8OEefKhqL3uyTlD0OSXeH7s/wFfPHU=,tag:OMvmLkrIx35vD0BNl7fFwg==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:8Q==,iv:5y4p6KfqEnQYX6HC2P0l9Xyb6TFaqhWUlXVsJb0giiY=,tag:VQbEXLg4BlhV8TUO8TbsJw==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:8TWF7+aysiiB,iv:w4s8UyGRhm66LmujJVTp79Cirig2soPd5Z5Z2tujjH0=,tag:Cc5poo+SHZwRyBdsJzQwKQ==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:zA==,iv:b4oVRCef97bwDoJyw/QH1qkY2qI+6pZ0x1XoHZUAcsw=,tag:FWewniOzG+NDb4P3lc8DNw==,type:float]",
 					"attributes": {
-						"allow_plaintext_backup": "ENC[AES256_GCM,data:Via+HVE=,iv:GSU9ugTb0AuzupOTHhIzebW1S1r0UXDhNtkJdMSaBXY=,tag:vuw13qGpA45YPafuFXzfFg==,type:bool]",
-						"auto_rotate_period": "ENC[AES256_GCM,data:Og==,iv:4+vdbTO4r+FjVDaFbJSRwytYYd284Ix2wibHsG6c5jM=,tag:+p1FWaVjpnJRoTq+nV+EUw==,type:float]",
-						"backend": "ENC[AES256_GCM,data:6WcoI8g1ZQ==,iv:LcvkZbyMhLnEcH8DnlsCCaWXboVvy3ioqfvgC6FDN/k=,tag:04iheueoa2KNnqhN5v38pQ==,type:str]",
-						"convergent_encryption": "ENC[AES256_GCM,data:Qt8qukI=,iv:6BzVz7Jzggh91EYOLrrjuReSUU91fT+8ElbcKqzjUXI=,tag:Iu6aQSnVlPpkjBe1qxRUsg==,type:bool]",
-						"deletion_allowed": "ENC[AES256_GCM,data:Z/LgEnw=,iv:7W8DeztVhDZ1V2Uq/ThmVp5H+iqznLEgyiwTouQST2k=,tag:2kjdbZcTmRqABCnMxhG1hA==,type:bool]",
-						"derived": "ENC[AES256_GCM,data:UFzdWEA=,iv:1szSyNYWKJPOYxRDCEH74OEcOBwxHH8XcToaOFPqTQc=,tag:ISkkxh52yqbPmjVegl8s8w==,type:bool]",
-						"exportable": "ENC[AES256_GCM,data:k1Ll78Y=,iv:uPSmtjTio2Na4F7cgITj/T4nXpUsfpHTZ+0wRZC+T60=,tag:J9gPcQkTb/HKn4SzEkhqQA==,type:bool]",
+						"id": "ENC[AES256_GCM,data:GdkuJ/sQfOWZHYOHAjDqlzdJHB86msYq1WGIKA==,iv:GLC0W+CJK1VGlJ8KNCDJVBob+9SFk49/mReJw8kecgo=,tag:QD5zx9H+GF5j9/5Pw97wBA==,type:str]",
+						"name": "ENC[AES256_GCM,data:8zOHd+aoM8hg0MOnWp10LiFQHG8Yp1ei/yZyfw==,iv:nrcHtLBxDKk008beZuGlqIhcGca/ukHxRmzHSWKk9mg=,tag:OivZw/vmUDHdBaScmF8Nfw==,type:str]",
+						"namespace": null,
+						"policy": "ENC[AES256_GCM,data:nhhejMvCBUQolixg4mOGqEFos7boXZBKWnuLHlLO1qlSqs5ImYhA/uH/+dAlE5ChTeCbB21LuWbRgRSqar/Y2o/hcx1WfiEhcBTExIezhUklmHCYlXF1NJB/jB3PlzcVY+uGLVA1FOS+BSCyNkNqcwq+5J0pUMZqHDN9WajgF0TjpU6rNnit5YUV+mb+FUUfelTU1I6DsbX5Ck59Z//vjl4iLZZZ2FkgDAxpktJ0xZAsyHg4xvf+Jc4tk4nNwjElpTpWAvPzo4BdzkTdD9xNJxtVoXxT4KhItP1AJbZuOqWyVcbp6WdeVoQMPYBUTlxmjEuSEPuQx8Imn2ceZiSwHnZ/mFxQGNmOO6cAIM+Hx57kMv1v0firX2cwa0dr06SjKTpAp7VryUhSYuQKgR51SNtpdYECckH58Q==,iv:SCxFCBhbLAn2mSB1LOSPAxpEhI7S4s0UVpQ8/BoF0GA=,tag:9CmIP7tZHKorgzccqQqntQ==,type:str]"
+					},
+					"sensitive_attributes": [],
+					"identity_schema_version": "ENC[AES256_GCM,data:OA==,iv:x7F7M8gxLlA7QHe0LLKrMlQxiP1TE1vU2MEMK8eK9Yg=,tag:Tg5p4+g76ySVBG/Oz6orlg==,type:float]",
+					"private": "ENC[AES256_GCM,data:0cmkKaweHMA=,iv:tV84tqxknojoi7DGiaY+dVacMqNw2CBFBDInl6mCIZw=,tag:5ZBAtoomeQB1vAGF4nmaUQ==,type:str]"
+				},
+				{
+					"index_key": "ENC[AES256_GCM,data:F6yq,iv:8yUOgWfHM4KqEzauEu0+wUCCY085Sg1nQUYqQTtt69o=,tag:O0qg+32kz9ggbZVUJjzpcw==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:9w==,iv:ivWfUqkvWlJJQY8mXWtuiYQ5bvcBCaDmupM9/c/c2P8=,tag:F4PeaTIKd3nfjW1EE1TXcg==,type:float]",
+					"attributes": {
+						"id": "ENC[AES256_GCM,data:vA39/X+6HtE3WYAEWcLfTs/ksB0GKg==,iv:AMOhKVolnaNBxYGhl3NCU+6tnxI4zETbRrcd9J8WDRk=,tag:aEFQUhQ6DoW1Y28wuGKAkw==,type:str]",
+						"name": "ENC[AES256_GCM,data:5t6B1HTq3JMF/hbcQZKFaNDVhq1Tdw==,iv:F+He8hyQnpBvscTgu20A4E6yaQPaHOnM0PCbKeeU3gE=,tag:BcAgOLUrp6+WfS4Zud2LTg==,type:str]",
+						"namespace": null,
+						"policy": "ENC[AES256_GCM,data:Ooq7o8b/HEa+NMU3UPDgoyxGvlAAYHey16JDQBDUAFHDSx5MouaXZKKxlup5Mn/3atcvYxAI3Wvfeskb2N9gUM/DXT1k1ThNtDi5zyoRP1mC2JM36I0lnTibH3aq3C+8GiIYMF9P0BTpdKOkCrixzV/hTEl19H1GMOuFXIqzlRCpwBSH4WvnvP3QEMmakM3x7V6gtaDVEDzSXmQWMqvGP/WoyuaURhcXyExsvzvUWGeOHV8FpchRgnecEDm498/4LaoGoVyhBQX5hGVc1x6MjiCzzTm0h8CrPXxD2dinJO7eZyLa4lBVvFDFongqGr6hqxHuQQA8NUH05a1+rnHcnN/OPmVcJ1o4gcue+4ekqd1maqzFhGDzvuZ6wxP1Cy7JKde2nPvaDe2TOcz60g==,iv:B9dySEsLwHf+H+oX9idyjQ6y9mpjYxOsI8VPjqRIp+I=,tag:GcF+WFFVjFxZ0uU1J/29WA==,type:str]"
+					},
+					"sensitive_attributes": [],
+					"identity_schema_version": "ENC[AES256_GCM,data:vA==,iv:LgDij2kFht9lZNoGooNYiCZbVilSETT5ZPvsAiWJofI=,tag:05odSGVPepA956MXiWjyLg==,type:float]",
+					"private": "ENC[AES256_GCM,data:fr2SlFXxNrM=,iv:dooCx3HFRuqnzxCCPoPDennYMSzzhqQ1x6di+L8gL5A=,tag:/lmKiaH2i5Icu+dzRSfXDw==,type:str]"
+				},
+				{
+					"index_key": "ENC[AES256_GCM,data:kHpZn28X,iv:1swKiY6ZbZzU62z/igw/77WEeofQ7FgZBdDNNBquWwU=,tag:/J0gM6NJRydyKJBah93HHA==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:Pw==,iv:VTx5//3Pt6jrQzSxxo8hzV1spk0pXMqBJ3Ct9AEEv8k=,tag:yDTtzsQxim9QrgvyPiD4KA==,type:float]",
+					"attributes": {
+						"id": "ENC[AES256_GCM,data:aJ8l3JjxKOJky/ka7oboGjzsiqZIwt0v4w==,iv:xPeXQslhfaEo8sJzKYimTdk9L+aAm6doRf06N1ga4Ik=,tag:G30p7ifv+tLYUSBg2cr32Q==,type:str]",
+						"name": "ENC[AES256_GCM,data:hbftlGwjzMHSPNpPtsRaPVFUaW2ifBKTPg==,iv:vvTavnptgwKXsjE/Um9SY1scnbf/hmS7xpmIfhyoFlw=,tag:U09uWJSOzHXaG4zMbrfQMg==,type:str]",
+						"namespace": null,
+						"policy": "ENC[AES256_GCM,data:vUosjPGBG29YnRjQJSorB24EOWUGMVZM+LCQ2Ra6hWAYZT8ZP7DxsONblgrL10/5w9J6LFfGlSAaYEIYRrzEvcSqBB0iYvQLjmSoIyhRSAu3NZXkUvzZ5J4dNujz/37Gyg0j+ZzIZuab++W4b+ag36hW1Nq8mj8lD7L9A7DnqHwFZm9zIl2P9mSAbQvAn7GnqgfXVsDovJGbd+pKAvmzsoa9AHOStdd8bDjvIzEAJWYu9d4rBDivnemPjg9eoXwhUOVulzD99O+TBL/+ueD65Ywy5A4Bylik8HUCHNaePluZzJyg9sIr7m9N3ye2hU3/2N6Iym2FUR5GQEec49pBI2DbCSqUuMrndFZirgUdwNvBaqVa+f1pW5Z0VipQnJGmx3c8yMlKC5csHfxnqYVlK5y/1w==,iv:2FeHQm7DDcrRLOSE4vFWlxd1v+41P4+Ief79jxnzAxI=,tag:bcIZieoOElO5Nuro0hy24A==,type:str]"
+					},
+					"sensitive_attributes": [],
+					"identity_schema_version": "ENC[AES256_GCM,data:4g==,iv:t8L4MBbeHdn+J3JlyJyhdzf/YJSfcbSWPfn3NvmurPk=,tag:YkBfwOVWLfAFQGsENZgKCw==,type:float]",
+					"private": "ENC[AES256_GCM,data:fNERWkV0L4k=,iv:jVLxXAUvcP/x/4k3oKct1gbuO5YGdVfNEcT2nSFVbwo=,tag:QyKVyf0sGpDpQtxlrddl0w==,type:str]"
+				}
+			]
+		},
+		{
+			"mode": "ENC[AES256_GCM,data:9R9yeY7fKw==,iv:a9Bqu0sbzoEeaV7scROfFRhNZUQv4sihHTmWZO+cH/E=,tag:SSiiQtD36QEe0RovF6vOFg==,type:str]",
+			"type": "ENC[AES256_GCM,data:n7mtJEkBGJLYqXGXhAnkyKZz2FqJDZ6RliewMhBEMiU=,iv:bfSPfG1YgHPt/IpAgMh4+WX8wHWXU/h0XBCY5hjh97Q=,tag:B337xYtBrNhLmZy5bOVFJg==,type:str]",
+			"name": "ENC[AES256_GCM,data:6znwIeUv5HWut8nCKZQE,iv:RbyTSRADrXYXxk9PTbY87QOK0W9BK1lsImFuaAmgq6Q=,tag:WIpib7O7N0M4N0M1l5Drlw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:Htb5lk9AiwgjULfnf4HYTaM6AXiECcq7g6nk7nnCZkbV6VlQFDo+uq6h192RBTTv3Q==,iv:xOvNd/bjbjICEDRncyQZ45wty3Gj5ts+IB91zGgto3s=,tag:CMEQwXrBzGd2rbXrRHJ6wA==,type:str]",
+			"instances": [
+				{
+					"index_key": "ENC[AES256_GCM,data:AXF/Wu3XjHcnFOlVjA==,iv:pieY2aYui5vSbP6AWUjm4EA9EZby91yUdc0rm/QZT2w=,tag:Bgm9W+93IkVPwDXoVshGLw==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:1A==,iv:qV+fz1HNaYB8lYdD9UqQtPhpRnVxijgWaUyhmt/R/78=,tag:HFJplKDcoe3q26hlniartg==,type:float]",
+					"attributes": {
+						"allow_plaintext_backup": "ENC[AES256_GCM,data:fOhraWA=,iv:TT65nrnWi39d4+jxExnlu/xOiO3KcU+UuKOsplXxbJs=,tag:0qPpy3qPTw1DhPHzAzHqvA==,type:bool]",
+						"auto_rotate_period": "ENC[AES256_GCM,data:GQ==,iv:NhodqXeULETpP4c+Sk25G+cCpbYqATN7ocCIHxxSAWg=,tag:288oss0xUXZ+tF91WE/fYg==,type:float]",
+						"backend": "ENC[AES256_GCM,data:DgSWfTHWGw==,iv:GG8504u/Iaa4alaZvbyG915cnO54TZx5X/b78EIq11I=,tag:nyE/qnldLP0PfVbcdSUTxQ==,type:str]",
+						"convergent_encryption": "ENC[AES256_GCM,data:BElQHQU=,iv:zMHhkJMdVlV6pWOxmLU168hYXIhDfTIN+x5ka0XQeoA=,tag:4nr37mJZNalPOMSzHyrbBw==,type:bool]",
+						"deletion_allowed": "ENC[AES256_GCM,data:f4+RisA=,iv:gPjsGHRiatSfY/Bilr/JwyKl5lJ6of+WAQ5ysCDMJ3g=,tag:NOwCPl8dRNJvu9qkGccDCw==,type:bool]",
+						"derived": "ENC[AES256_GCM,data:+54iY4Y=,iv:PZLZGPg6jplh7CGNG5czsNAgCWjq0cl++64CM/Y4m6o=,tag:ne2xCC9GpF5rIGsfJNsohA==,type:bool]",
+						"exportable": "ENC[AES256_GCM,data:5zZVHss=,iv:1IQ0Rkx00os+a3AAZ4d4cxSKnsSjOccPcil5fZ+z2zA=,tag:0ZXFa6Jl5fBcgWzQnFW4Ig==,type:bool]",
 						"hybrid_key_type_ec": null,
 						"hybrid_key_type_pqc": null,
-						"id": "ENC[AES256_GCM,data:BpI2W4fDEwjNYZSKjC9NHwWujmwMrjDgxe1ocp6uXLdS+AIu5g==,iv:4ESNZBNsj657L3TRcW58/yhNgOLl/T3ZDdKihs/wdc4=,tag:vC7oRdhDwZwSfkfUSTMXlg==,type:str]",
+						"id": "ENC[AES256_GCM,data:xP7upKMCeTHhXLHrwhI1ujJamoRJw48wE9ixSUWvHlRZmKsTiA==,iv:wfjsnx1ACpIKitKH7P06hosODA4Lq9NE+qRfHc+dNYs=,tag:BVoe03QmDO8usnTqeBBQsQ==,type:str]",
 						"key_size": null,
 						"keys": [
 							{
-								"id": "ENC[AES256_GCM,data:Vx+U3YtAdN1jFg==,iv:mYSzU3BKRrICr/meoNWDwbagm9S9ytX2ENJheb2sD94=,tag:5xZbLm4+ySsIIHsbkLGAkg==,type:str]"
+								"id": "ENC[AES256_GCM,data:aDwXEJt2n1BsJw==,iv:/UvuMT55l8crlezt0JZKZ9teYvEBftW48FTUWBgM6y4=,tag:ToCOvGKqXD2xh47mUKQ50w==,type:str]"
 							}
 						],
-						"latest_version": "ENC[AES256_GCM,data:BQ==,iv:hsE7cqQz23xlIEIdDoFQpobIHIYm5Qzf2a32Svgotxc=,tag:Fh+CkXrB+G0qNyAV85chwQ==,type:float]",
-						"min_available_version": "ENC[AES256_GCM,data:2A==,iv:P2eJn6VkjQQ5DW4hWZM6AQJ0qVm/GS3GFBrv9bexDFY=,tag:6syQnTMgR0Ce9WsFr8DKJA==,type:float]",
-						"min_decryption_version": "ENC[AES256_GCM,data:Sw==,iv:DszZvXYVCxjBcifrkc40C8QbAgCdhQWzecfRwEJCIps=,tag:aDVt56Hi4XxUqdVze2tSLQ==,type:float]",
-						"min_encryption_version": "ENC[AES256_GCM,data:/w==,iv:m2MBWanS0wyVuNjFFFqVOpjLWClM9jMC6XglgDUdIF8=,tag:OYvH9aLM49yKCPtBXnlNrg==,type:float]",
-						"name": "ENC[AES256_GCM,data:yXpJSPoL+NSvsG5dMKlgN2ZTxi5EFmjF,iv:MOTBtP6ZlCwpEJ3fBaEa0gW139nG4vth/ODTiFuaavE=,tag:0IuntmeOpeyz05cIzze8Zw==,type:str]",
+						"latest_version": "ENC[AES256_GCM,data:sQ==,iv:pJNrPxsPIftRETx8b7ovneGm1zDOuIV/4w5jHHHlN3Q=,tag:i+IL9DJXJb94BNyWSaBF+A==,type:float]",
+						"min_available_version": "ENC[AES256_GCM,data:bw==,iv:HYdAqC9DEeRdOZiMTNdnu1Z1WWQqR/fP7n73Od1tRwE=,tag:m5Zf4pIYJx1upGZRZHK6fg==,type:float]",
+						"min_decryption_version": "ENC[AES256_GCM,data:RQ==,iv:yBx5ClGdTd3NbwYJXz7XTcOxppnFJ0zpHrQRuG0odBM=,tag:2F0Q+bUJxeSpannI2a1V0w==,type:float]",
+						"min_encryption_version": "ENC[AES256_GCM,data:SQ==,iv:7lqRJ547DtI6uxgE32QzUaxsAkfRMbYwal8enpTMAak=,tag:drNmtdU4KCGeFhq6/C3ozQ==,type:float]",
+						"name": "ENC[AES256_GCM,data:IZW2cktJPMdCFNw825byZAxW4FdLWjxP,iv:jrKkDuhc+yBoebXQjq5yb+0HXrQRind8L7D6OGauvY8=,tag:/Zh59Xd4y+9390SCxB+o1w==,type:str]",
 						"namespace": null,
 						"parameter_set": null,
-						"supports_decryption": "ENC[AES256_GCM,data:iWQIIA==,iv:T7t6bxrGr6nQQ9caW3jaKp8qoFjI39k96BXSuZ4ToNk=,tag:+EeE2l1wN3tzv6OZp80kmA==,type:bool]",
-						"supports_derivation": "ENC[AES256_GCM,data:QG3UiA==,iv:yOXJz17oEbNx/V0P3G8wGBPg9jYyEEvC3qfwtGYFFmk=,tag:PluOYrEu/f39QLubWyPI4g==,type:bool]",
-						"supports_encryption": "ENC[AES256_GCM,data:KRxyag==,iv:R49omgrICmfOpbyq4O/GSFAhF9sGucaPSX1L4M8AK30=,tag:vyuR6Tb14Nrm3mH/TxUNKg==,type:bool]",
-						"supports_signing": "ENC[AES256_GCM,data:S1LkmMo=,iv:/opY5YxxO0vHq2a2EztrNlb7jroIMUKSfyn4tEkRmAg=,tag:9CUZybnZualb6tbANFAxJQ==,type:bool]",
-						"type": "ENC[AES256_GCM,data:lwUni9Jw8J/BoXrY,iv:Sf7VHDRjiFd2ggClLaHtF2D9rMp2qyXaEGlimlgvqYY=,tag:lUZGQBnuNPv7fSblqjucVg==,type:str]"
+						"supports_decryption": "ENC[AES256_GCM,data:Ub1v7g==,iv:JT9WXEcfvZZ2xAvhDzmzXRQfXyzX7NXEfNlgIK6u6/w=,tag:b+YD2Ez3gPiMdEbSFNDLLw==,type:bool]",
+						"supports_derivation": "ENC[AES256_GCM,data:68lrTA==,iv:tyKTjxptAElkqPFA/YAFGhMcRo552NfZsCMvQWpRgTA=,tag:nPCiAaqPGbV5d9K7VuC3CQ==,type:bool]",
+						"supports_encryption": "ENC[AES256_GCM,data:idHBtw==,iv:leJC6Yn+uxuV66Hcac/Byalouiz6481A7Wn2B6xYuqY=,tag:9iJY2G63uEoeJDHtXWfhcQ==,type:bool]",
+						"supports_signing": "ENC[AES256_GCM,data:BY47BmI=,iv:B0k2YiNiCNJ4H+ZWbCILef40gEUprfm0XkpeE8Zelrg=,tag:wHgYf1TlkCKOtUeyoCTG9A==,type:bool]",
+						"type": "ENC[AES256_GCM,data:5ipGb35Um7YbqQnd,iv:JjDDKAUVjSqCrFcdR3ehkaH0ZqTTks2fJJDx7AJSdKY=,tag:+zh3TvnfAmTzZc9Ggk1uMw==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:tQ==,iv:RhWk2YemEDorFAllvWSMrY9ZpYoFgX2WnlRFPOb0hfY=,tag:vWv3246qo0O94EpAkW33qw==,type:float]",
-					"private": "ENC[AES256_GCM,data:/QezPeieZZd0oXvAjhs7RzbX/PKX6bLhxnTMOiTLypw=,iv:UIQwdmGNNED1n89VpSq3JU1CBg46yEah+ObyxQESyh4=,tag:91vRoYtwHriKTGO30FhkvA==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:4A==,iv:WPTcVOY1+jZDUl2Wl7lizUpU6/kWTXsrcqUPHLT3b1M=,tag:/m2ICDEY29U2T3X3s7NL8g==,type:float]",
+					"private": "ENC[AES256_GCM,data:53wlZ16WawxFDBVdSmVFh/DCAUjGX0xaEUrV/9B/F30=,iv:7RlPdnmK+f0LTI4+LQA8V23J4tQFzujeFuwQE5GkXiU=,tag:J//G6u0Hk+x+8Id+ZA1mNg==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:X5l/HfwSy33xoDSR7tJnRrsnRgpIRV950yWBnQuGjoc=,iv:gzuqmID3gIv78k5xe5GTrdyhfEi0v8bw/PTGNyFvkgw=,tag:qVeolOHnZVQEl2i4CG7eFA==,type:str]",
-						"ENC[AES256_GCM,data:0rHUr/tyzzzD5G+lgTorCi1C,iv:NclA/3ZF5J4GeR0DjrcGVrgIPckcDh3EMTFETvO2Jm4=,tag:3aO2QhaM/5BE4kyxgXOxNw==,type:str]",
-						"ENC[AES256_GCM,data:GII38/pOEVRzXPSXgOmhdR0lLlMgRlOmy0k=,iv:Qipnq0JQqgsGXEHKCPl+qBFqAMI3OK0VUmgbwqGZv80=,tag:cN9Mvt/7DpFnqbjmWaMH+g==,type:str]",
-						"ENC[AES256_GCM,data:UgJEghLZblqiWd++IbsSDs7z3A==,iv:VDWJLDOa3cdhrPty8t6BGyKrOlahIbqI793hG5vxRgw=,tag:EXc8NuFrhNpVTtVcCZYLAA==,type:str]"
+						"ENC[AES256_GCM,data:2Xlr2lL1ACYyIUzLazbAGicFbL5Gx5kp8tYtaBdwlG4=,iv:cS2rXYzr/BR4l2rwtOGnwPuIICjZVdxv63D8xhkoIQs=,tag:mCOjQMJiY5c6k4RS7wviVw==,type:str]",
+						"ENC[AES256_GCM,data:Gv8tKtG0bbRxNr4wkbqmWXkw,iv:4Mkx54YDZL71XB1qk6/DEWw4RfG6eGuZDgQOAB9i+1M=,tag:rIo+N03xdM4SPU5liWr8AQ==,type:str]",
+						"ENC[AES256_GCM,data:LL7h0t2MNhtbLEwneAm9tHTXncsOAL0mrcM=,iv:3H39LwXZgPxJFrSrHxhUU+a4A7oSs8pMgdBWLLkscIg=,tag:a2jN41RUw2IgQ9bvv/pRvg==,type:str]",
+						"ENC[AES256_GCM,data:NJZW9W7gHMD+XhWnFi0MqJDpKQ==,iv:/bpFn3eDTfRHbqIc1B1OH4C6gVTVhRw7pjF5aYZKlQM=,tag:8JBfkoaji/itBt47QRvykg==,type:str]"
 					]
 				},
 				{
-					"index_key": "ENC[AES256_GCM,data:QJPmFobLAqo=,iv:9kBmZAn3o3dimQCBd10JFUTXnqS/Xquk2ytMRM9mIYI=,tag:nNav+JjWZTOV2zOXKGoYvw==,type:str]",
-					"schema_version": "ENC[AES256_GCM,data:eA==,iv:9TBsS9i1VGMq8Ugf/ijwz7d6bYgc93FN7Ejak7CKxz0=,tag:w5Yb6OKs2iRCQSIPhS9eEQ==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:ckuFgDZ1tIQ=,iv:XLOCZPuOrpMXS0Tyd6opM011DVpy7Qit6kdIeMqvEXk=,tag:JMvHbt+2/23flIJyO9ie/w==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:KA==,iv:6X8LabalhJrHKF81njzllsxnXgJRHdTLkaa4rauy4Iw=,tag:QK7NwKA0n4ZQXXkFo+v8Qg==,type:float]",
 					"attributes": {
-						"allow_plaintext_backup": "ENC[AES256_GCM,data:q1xF0kg=,iv:LJegQ03QpnqNcSv6NdB/ADcdqy8gO8YPsSlkaAFqOGk=,tag:cOHkruWKnQCdKGt6/euFoA==,type:bool]",
-						"auto_rotate_period": "ENC[AES256_GCM,data:rw==,iv:V+yZ03x/MAI+Lzhur094/f5tNqgUnR2KfAdjtXOm1Cc=,tag:lYDCpeeKfDh+RPGME231Gw==,type:float]",
-						"backend": "ENC[AES256_GCM,data:0yM0ZjBA6g==,iv:t1aAaws5RjcYSv53YOEF0wnSF4caRgvLgQnyXD1LNRc=,tag:Bm1sdA5SlE/ZCgyzZPFUJA==,type:str]",
-						"convergent_encryption": "ENC[AES256_GCM,data:8J7DmPc=,iv:5iad2a0dWkObHtBj3lofgbgdfOJiU+EJMfgz70JhqgU=,tag:OTb+602f4rrR6gYV9K/oxA==,type:bool]",
-						"deletion_allowed": "ENC[AES256_GCM,data:N6lRd/Y=,iv:i9eUh1FcyUFNcd2Xsm42ytDtK/TMLH49gOCiUfxL2AQ=,tag:pVGH7S5h0MFkMFZKfbp5Lg==,type:bool]",
-						"derived": "ENC[AES256_GCM,data:Pk4I3xc=,iv:QPX0QjqYzOR0UpVpnHfca7OH9njuvqsEmHXPcMV2XGM=,tag:ohJj6IhM37pRiizw2oYuOQ==,type:bool]",
-						"exportable": "ENC[AES256_GCM,data:eG0W2kI=,iv:kLkX2JOe61lxji9Udmqz50Y0SmNHWHDZoHM9CFWuRXk=,tag:aAv+LMuwklNON1Q3wvc/SA==,type:bool]",
+						"allow_plaintext_backup": "ENC[AES256_GCM,data:/pH0Z2s=,iv:QzsuChbE5zvDbrHntTXMqewSQhuifyF+ie8kTQTyfMI=,tag:tYUrTyiH25hRFMrzJhuRdw==,type:bool]",
+						"auto_rotate_period": "ENC[AES256_GCM,data:CA==,iv:aYKbbgjzHzPzlVc8NXaDQKQzbj2uso837xSaxLe4qXs=,tag:abCSNYs7Fp15SR2JiRMzMw==,type:float]",
+						"backend": "ENC[AES256_GCM,data:JFt4+Jtkig==,iv:4v0nl6DOg0x1MoV12AmHHV9s4+BWTs0Bc6uh/0QX7Yk=,tag:MhpxGJokwswn0qtXYgVwoQ==,type:str]",
+						"convergent_encryption": "ENC[AES256_GCM,data:bJcMWBs=,iv:DzpThZsif/1Xl/HBYufyPloqDybIPbIzWJFjXbQLESE=,tag:bifoKQaYiNlResGyZmWSQg==,type:bool]",
+						"deletion_allowed": "ENC[AES256_GCM,data:5Nzy0Uc=,iv:ejY0YlDMkGDNIdyDPNlsGMPTaDufHkiLjlhes7xLfVI=,tag:TOU/Q+ikjIrpOx1jZNSyDw==,type:bool]",
+						"derived": "ENC[AES256_GCM,data:uB3GGEI=,iv:SBiHc1nYvi8OjVV7cyMfQU8V+KFkKL9XLkWdTrqLvlM=,tag:LAyhn/Z6oU2g5oIH4uYu5g==,type:bool]",
+						"exportable": "ENC[AES256_GCM,data:qNxksO4=,iv:9V27/s6WudqqS81AoZs++nezSFVatGXBwQbbh5fgKQk=,tag:Fu66JlBsEOqyZR5In6edyA==,type:bool]",
 						"hybrid_key_type_ec": null,
 						"hybrid_key_type_pqc": null,
-						"id": "ENC[AES256_GCM,data:3iZBg+3fC60VbNkUiX2CJ17w/NSMwFnSdjSJLY8Jjes=,iv:qipJ4XXQVHZ6lVISEKyVt39bKU0cG4whxJJNVBhd7TI=,tag:qxg6AxuLstqJvi+eEaJ4lw==,type:str]",
+						"id": "ENC[AES256_GCM,data:Q7zWbdxvaOs4/zjCwvhVaS4Tug4Fm8fXtIQSA1EmZDo=,iv:85yjYAbBMsvqfLUpC1NaA5W2BBqvx4tabGbejUeY+l0=,tag:epGBQ8Qu/DEKD64hHbphvw==,type:str]",
 						"key_size": null,
 						"keys": [
 							{
-								"id": "ENC[AES256_GCM,data:KGoLT32AjnZkKQ==,iv:gWOIwoqXiO7LOp88SIAN/nLaj7LtCBTJcaVBICahGOw=,tag:jKrLdG2U8sjH+mr3T4XZbA==,type:str]"
+								"id": "ENC[AES256_GCM,data:EQnU4As3pSeoEw==,iv:I5sELNK8a0ZM5dbbBVA7/kwYxBy0WmEsoJP7iDoFkIc=,tag:g9HCbW/m7qqpXuhMn7h9TA==,type:str]"
 							}
 						],
-						"latest_version": "ENC[AES256_GCM,data:nA==,iv:ynODR/TTqZNlK7yej1AG+Y/6G+eWnfiovVk4pwXSm4A=,tag:/UfBT5r0v3bVcX7hILPNAA==,type:float]",
-						"min_available_version": "ENC[AES256_GCM,data:LQ==,iv:Yw8FNUiM7mMzaYi6X4YDYyPKDLSAFQOp2MrSjBimM5U=,tag:I+lN/L0hdZlxFUGOfOjLCA==,type:float]",
-						"min_decryption_version": "ENC[AES256_GCM,data:PA==,iv:/7bLVRlivuWXysCR0qWHrpI8+kBTRVtm8X8wzr4ojR8=,tag:x0aB1W6AxGklbebV8KHLyg==,type:float]",
-						"min_encryption_version": "ENC[AES256_GCM,data:Tg==,iv:W4GSjobpfVAg23aqoY3EceSyh/isNJRKZrFj1dM0rlg=,tag:aTofCFLMqiYOXm9Q0TPGag==,type:float]",
-						"name": "ENC[AES256_GCM,data:HzvmxsAFTBth+r9w0hxAZN7jnQ==,iv:WkUmq3Io22rJgo6QUYk4BEfekpZFO8RIvk6tIAbeGGQ=,tag:fGE3hMymkUmd65vKYzVACg==,type:str]",
+						"latest_version": "ENC[AES256_GCM,data:zg==,iv:hjrSXY0C6YSC15MA/GKIR5ZD6VWeXmB7u7BtdCUVRck=,tag:/cIXX3LW0OdO+U15NQVp6Q==,type:float]",
+						"min_available_version": "ENC[AES256_GCM,data:8g==,iv:0ynthHg+dQjzIypAU+ht65bU2CEiVftOwTs37fffxMc=,tag:QB7oJ9LxMXZ76HNCsldPQA==,type:float]",
+						"min_decryption_version": "ENC[AES256_GCM,data:Jw==,iv:4VeLgOyIS8pG5Y9UJSLRXwWrGuux8XluvgymOrlIoZQ=,tag:LX7carH/7lYtDZoCXkccoQ==,type:float]",
+						"min_encryption_version": "ENC[AES256_GCM,data:eg==,iv:I1dyi7yAdhL9q96J+iBH2Jg2Xr1bBac2siPxphqTVNM=,tag:7EhQZG5spJPNREh//CYc4A==,type:float]",
+						"name": "ENC[AES256_GCM,data:6wOdhrUtbwqV94ROlgIao8jQnA==,iv:qfM7G2ZyhtubAofwp8sIc9zOTfjCcEVvq84A/pLY918=,tag:1qotJxlkipFQqZ3A28pyKQ==,type:str]",
 						"namespace": null,
 						"parameter_set": null,
-						"supports_decryption": "ENC[AES256_GCM,data:jf7u2g==,iv:DDc8kYaQkjn5dTKngzH1sCfP/cGXvI3tsQxXTXgh50Y=,tag:PTHFeFSf4V7GW6GjltzRHw==,type:bool]",
-						"supports_derivation": "ENC[AES256_GCM,data:B2xoxw==,iv:o/NvKjsvv+Ka6OqlQbGH5JVRjtwDIpwTGyWYNbTYXXI=,tag:JJUPGHlwYVTII4CppSImuw==,type:bool]",
-						"supports_encryption": "ENC[AES256_GCM,data:w/LTEw==,iv:N50uotk2fCaic1AdSakuIS3RuH+X84M/IJpODw1Gcds=,tag:T6XHFtUyBYURSgy8eevGBQ==,type:bool]",
-						"supports_signing": "ENC[AES256_GCM,data:IDGbndM=,iv:oF3dD8Qw8nVFL2UY6/fY+QG9Ntc/nsLtxjF5v3eZ3Jo=,tag:WWTdERdGzsV921iujMf9cQ==,type:bool]",
-						"type": "ENC[AES256_GCM,data:mDuum6hiHSqzKAac,iv:CiK8l/4Asj1dQvMcqoTyx8f++dac/jI64X92VbjiSMU=,tag:57roVBx17DjJZJ/j9QTPPg==,type:str]"
+						"supports_decryption": "ENC[AES256_GCM,data:xI52rw==,iv:/ycmVHZctJu2WEHth0Aj+VOBfULE01xWljpOQH0czvA=,tag:RLzGgQo/4OdR/HfDOLJ9YA==,type:bool]",
+						"supports_derivation": "ENC[AES256_GCM,data:SL0mww==,iv:Qg6fnW6nFFPrFIh9AAMOuCvLMmyBD6HzHAV92PhLLGE=,tag:/QasnV4OzgcreHIgqz2vAQ==,type:bool]",
+						"supports_encryption": "ENC[AES256_GCM,data:jgPH+w==,iv:L2siC7hspzKVqkn1cV+7fNweeRQokuYqxrccsT5GBag=,tag:mKrvPLOgBNduEQJpF1Gstw==,type:bool]",
+						"supports_signing": "ENC[AES256_GCM,data:VjlQPuI=,iv:eSwAU+rLK9N21mwbm1nKkBJfHUjlV0nYSk0V61C/ZM0=,tag:O6CcAX5id2FsAuusDoz4RA==,type:bool]",
+						"type": "ENC[AES256_GCM,data:RazUAOYQc9w8Ul/A,iv:M+mdofb+cI+VCYQWC04PXNK10UGBz7UakuBnU35Fgbk=,tag:fCNcA6iz2tmkjLzW4L4vfA==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Fg==,iv:svfDng2UPJmQCns8kNxPMZW6egXyMAexYAv2N3IuUCU=,tag:M7RrWIg2aDQ+OOTgnRsshA==,type:float]",
-					"private": "ENC[AES256_GCM,data:fjIVAqjeyruXO2OpJ7W/owk34zpu7N2fotR7VEEArAE=,iv:AxNvp6wRO5OFydzaJ94PKrWLE8mGvblA6lhtOieDIaM=,tag:8MpCO83e39RmRvMgjsGFbQ==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Lw==,iv:Mm7f8aL1BrgV3QdlYfHJ8DxUimBZQKm4kM/gZTtfasA=,tag:ce+/OehDguJ+5J22SNT7aQ==,type:float]",
+					"private": "ENC[AES256_GCM,data:3iEs6+tzEZWV1t62N5b2lAu/OP6eJm76XGXHIZhFZgg=,iv:ps/6BNWRAQ/BuLGhKcZvLMNBsrwAw0uHuX7aX8Etets=,tag:zxy8AL83FbdsNYgT5Azr2g==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:NrB71SwVe35k4chEjjSHZRdhonNhHU37CuND9RXm9k0=,iv:N9JKU6+oy7HZBZiAyjB3bxkhjkS4s7chQWBGm7CFpXQ=,tag:tDFvmuejjVu4C8/SoTUKQQ==,type:str]",
-						"ENC[AES256_GCM,data:kTDEYBqSqj1gVan+Uh9LQcnm,iv:aRwgeUWUw5ya5uIDuS5zjyXFp/t67Vu0yoLdr7/moA0=,tag:VFM0NTL6xLwSk9b99k1tyg==,type:str]",
-						"ENC[AES256_GCM,data:8awV56OowpUsZ6vICZrCXj7b2FdwWzZGZwA=,iv:GR4fxjGs6CF4uYak8xdyyVK+hjThfTOc2NkLqXqcAio=,tag:hPpITQjKNuPuFgKSGJ616Q==,type:str]",
-						"ENC[AES256_GCM,data:hOmvdEG03gqSq+Mi1r0p/OF77Q==,iv:23G8JmNRZasKsdqG9s4BMgHHVYacj0WoAu8YZp8A99E=,tag:+n5gv3uh5jKiJ/CC4gf0lw==,type:str]"
+						"ENC[AES256_GCM,data:PQ6Q67T3C7qnic6YaI+5WawsYxexVu5VDw1LR55vXIE=,iv:uG0o0jsbeCLzB6vV91C+FHHyXPzTGQkA6NORmhOI+3o=,tag:QOz/En9CyTFvGx2iRyTjOg==,type:str]",
+						"ENC[AES256_GCM,data:Z9PLRxNS8j8uQSPjcA7kkEt4,iv:lzJyvoM0yCU3/20qc/rim+Dv2dK6V+ya576yGMEjD3s=,tag:+t5/B6rLEAzIT6M/wklPbg==,type:str]",
+						"ENC[AES256_GCM,data:GIzEwjoj3kX2ay09L3qegiXMJ9HaZloBX7Y=,iv:THGiSWkQE5wJbF1t0YR9YhZvIS/+7KgVW7HyiyH9HYo=,tag:jjQ6kvTxBzUhWEtqgy7AHw==,type:str]",
+						"ENC[AES256_GCM,data:UH7AEVgklNNyJRaBis7qMFnlWg==,iv:YVjC8+gDoxzSydxoTSebHOoktT1F2M8DDlyPuFciX6A=,tag:PYySTJKwtA1caevMWu+UaQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"module": "ENC[AES256_GCM,data:qp5n/14cYQUWJ97UY2U=,iv:6CYmR17BmnhhR8ZPeMElfwgy+bo2Er4HSyL4YuCxXtg=,tag:cifqYcY72lcqBDkTmeeVzA==,type:str]",
-			"mode": "ENC[AES256_GCM,data:yuO9FxNp6A==,iv:bK3T1FOt7fp4s5Zpl3Jgo13uKZ9lqXkeKEp7hC63VJU=,tag:KMZyQydiJ5mzslhHne8IdA==,type:str]",
-			"type": "ENC[AES256_GCM,data:8u+mwU0A9uyFYQ9rN6Qvc1A=,iv:24g1d7qDTy//TBLSiua/mUPp6E5REwPgAOa86RIOhTs=,tag:lhUGzK7JwlBPnRYS5qX1Wg==,type:str]",
-			"name": "ENC[AES256_GCM,data:H2w1oaQfNg==,iv:M7DsaW1y8fQNKv3URHchchDCJeo23Nu4XO5mYV+ddWU=,tag:gxfyrdMGZny02Ugtzf4a9g==,type:str]",
-			"provider": "ENC[AES256_GCM,data:nllc9iib7aWMxiM9vdlwM1+fE4aKRThIPq5YyooSWNbPX8D1n+xh+w9bYqpr1MWja83ZBVMgyA==,iv:lwaLbvJcHzvL5JME+7iiuT58W8Pw278AMFQovid6Xxc=,tag:W1iLidhfzUm2NmbLn4Ey7w==,type:str]",
+			"module": "ENC[AES256_GCM,data:UgrSwyMNcGqBPEnMbYc=,iv:pHv6YR4rRxPdUaKnUdW2oQWRVZe0bt4OLr0BTg0vUXg=,tag:+FCHJv+JNA79V09An0ZWvA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:eh0LF8ywSw==,iv:x8PQj04loRw6EE8bm1MEgdnArVY2VNJbDCInDFyHMwg=,tag:+rZ9wjd//CGW3RM6rbVg5w==,type:str]",
+			"type": "ENC[AES256_GCM,data:QIEZWSktuGdaNetXYhEFJ0w=,iv:l2pPM+U6vA8f29pigp1ptLgttZ8mCEDYpoWc3OVBFxU=,tag:2QtwCaQcXw17lCcr5xmYDQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:Pe9VEy/Blw==,iv:sruL5+d3dsbS1qG4V8SDS/gjLepIGGTZzPSKl7qOlyk=,tag:XsW8XMJracKdaRAnLrjQvg==,type:str]",
+			"provider": "ENC[AES256_GCM,data:gmlDE8Reis+FZ0oWPhiG8eN+SAgP9PrWnYgvgF8iBjuliNoiN9Z26cWFN9fA9LEbaDgRPEjupQ==,iv:OjEJ10dWIxpgwndQrNRA3IlYy0+i4bjFI6GiigzK+CQ=,tag:hJJndEiCzwbU3XWr47oBDA==,type:str]",
 			"instances": [
 				{
-					"index_key": "ENC[AES256_GCM,data:Rg==,iv:8K5Vqm9eMAqnoN8fcUwTXrXDRk2BkygM+acdOzP1e7o=,tag:LYjYbUlfSddK6Qc/aO4qFQ==,type:float]",
-					"schema_version": "ENC[AES256_GCM,data:JA==,iv:X/4EnYJXqLUKOcXOb/hOd0s81w1P6ZpptIRNX4aH9zI=,tag:GB5nFOhVk8crNg4tGHY8wA==,type:float]",
+					"index_key": "ENC[AES256_GCM,data:qQ==,iv:f6p7zGFyu6GvywZ041xOXKs0oFXwS20VCA1fmlRvgNs=,tag:FYVwIZcG9ExYK4o9LTMs4A==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:aQ==,iv:HXNoILBEvqyD8iSP8klq0djnFDWHY91GWbw/9k+E7NM=,tag:WODBDb+og4l7hDVQ8xuRuw==,type:float]",
 					"attributes": {
-						"allow_overwrite": "ENC[AES256_GCM,data:iYP+lg==,iv:K8TUkVmaOZsKu//bXhjuw5gCYeakhCBu8yShubpgONg=,tag:NeER67GaCoXX1jvYdPCArg==,type:bool]",
+						"allow_overwrite": "ENC[AES256_GCM,data:NYDIUA==,iv:pe9wn0nKwx3C7RJLejLOMdqq3h5oFlFXdXvM99a9GPk=,tag:rbe2ErTo95EhwGu3gIU74Q==,type:bool]",
 						"comment": "",
-						"content": "ENC[AES256_GCM,data:x40hogWTiz9VMp6ytuBbKdL8MPFg5MAnIP2kY+ljWFSTzsa8aRXUMPW7vTpt37DLkSUo+9E=,iv:YufvooXcBMgDnoRN5fo8/a9GSAmxWKTZL2khptcesYA=,tag:VfaLq/Fvi79zLVRNWvIVlQ==,type:str]",
-						"created_on": "ENC[AES256_GCM,data:duSrbQvmWO+KZM20k5TCcLahcz90VG3yWgm0,iv:cmEaH6C/5VM5tj1OAq1Iustj9hBN4RxOvxykLNGurho=,tag:zpoRU7uXa+rOKJ3YoYKeBA==,type:str]",
+						"content": "ENC[AES256_GCM,data:lE/y/BBn1Sije66l1e9VMYQcugb9Y3ut9IckBwf/JCDaBoNeLm4p8lLKMvqJ1UVfMsZFSBY=,iv:4Cc3aosYYcvpp8Y5Qqi4qLwdxNnu+B/xpu0J9E/atTs=,tag:45aq0rc6v0Gt0FN6E/3D0w==,type:str]",
+						"created_on": "ENC[AES256_GCM,data:2jDlH1x2o703ayGcN3s60yZ/zJ96AnMEzGxz,iv:h1WBGybVr0Wj8DV+QeREO3+w4bDSS+Xu/nHI6W0xMu8=,tag:LgrtzXDi8P5UT+6bPqQ+Mw==,type:str]",
 						"data": [],
-						"hostname": "ENC[AES256_GCM,data:MEDqXHLItqa6/pTgSJMYInQeYT3f,iv:YHrmkaCkQ8GTP9jB3d5d3vVERpEuVbWkjSxAqo8byfE=,tag:VM68A35zkb6VczsGaGqPhg==,type:str]",
-						"id": "ENC[AES256_GCM,data:sSyxh1exbBzJTfpOR9ZtR5KCyzNbyJaZo5SB774Zczo=,iv:ZWqC1mLnSR7alWqZbTnp2CBO5d87kv3zvHSBauzdREw=,tag:i04ibDMnrzcbGTAX1JGZQA==,type:str]",
+						"hostname": "ENC[AES256_GCM,data:FuEChZTI/gqZMsIL107dME7SdLNs,iv:a8U4AMy8lK+vU/tCqjX9gstiz5e+YKUzU1SgjBOZq9g=,tag:DRfRcqyQy/oqHjD/gMNw6A==,type:str]",
+						"id": "ENC[AES256_GCM,data:Ld5KZq4L9z6Elss/bC+dIUwGfWF0sbfGqtnX6Pxt7MI=,iv:I9pfqrETI+N5p4AEerFzziNxA/7kX4I6swek6R7RQbQ=,tag:RKLFln+yOBAekWFrZYW+qw==,type:str]",
 						"metadata": {},
-						"modified_on": "ENC[AES256_GCM,data:v9c2ub4LfGLnvAIFSxT57BWB06DUDt5b2B+f,iv:LZgppUSUTXtsG7iWOAqYLBAmx9SaXv4V7B1WxY924cg=,tag:G9CZ1xwQ77q12a855Sf2Tg==,type:str]",
-						"name": "ENC[AES256_GCM,data:aK/hdxM=,iv:7OHrgbHByk+pf0JvRYNEklGxEuu/qpvZ6c0iSql+gQ8=,tag:AvJgWl44q/+YzpOibRCb0g==,type:str]",
+						"modified_on": "ENC[AES256_GCM,data:3OOk6woofRUPK0z9OTT7EIpRKewz45ml9EQL,iv:218reB8cctVWHF9gfUjw40B9HWUYxvpPPD7/HXW0l3s=,tag:OfQHJVpkVefYI1bkAGDohg==,type:str]",
+						"name": "ENC[AES256_GCM,data:+p2lIhY=,iv:Te1SbOTx5yE0KBJE31+HOOM3Eq8/C0AEHd30lYP+8aE=,tag:bt35iPUZI06zIX8betE8TA==,type:str]",
 						"priority": null,
-						"proxiable": "ENC[AES256_GCM,data:YFL5EQ==,iv:uiVqlV2HwZPe7gP3zeobioy9sMr37nnUTVP88eYx7bE=,tag:MryLDjB6Mb5643OliEVpVA==,type:bool]",
-						"proxied": "ENC[AES256_GCM,data:I7Lj/w==,iv:X+tQQPy6Upv4FJ7OO3W3HSSDB+VaLt8+K8MYPNinazQ=,tag:Yu+ikCCBzbYCN/esVq8MXw==,type:bool]",
+						"proxiable": "ENC[AES256_GCM,data:TX2P3g==,iv:KCA5auJ/HC/+1nrnKNhWix3hQukLf8Fw7Hov+UvwwDw=,tag:04AyI156znYLyPIKXNhXQw==,type:bool]",
+						"proxied": "ENC[AES256_GCM,data:q9+h9Q==,iv:A6gSHOyaKcrbqzSA/4GbEZqfgyj2oCYp4oXbBvjUoA8=,tag:vduL/mBSkuLgBhib3zK6mg==,type:bool]",
 						"tags": [],
 						"timeouts": null,
-						"ttl": "ENC[AES256_GCM,data:Rg==,iv:Rwmx8v+bgUbfQQwaGw86o0XadNCvt8ud6Lej70z9xBw=,tag:rTuXSsvMVMTHFdMvVF+X6A==,type:float]",
-						"type": "ENC[AES256_GCM,data:lk1gXCM=,iv:XWWvSFK6iod/Hx39mZSPJGkePBecdUR9J5WoMW46ZQ8=,tag:evr8C8fpRRq0XkBfe9Eo/g==,type:str]",
+						"ttl": "ENC[AES256_GCM,data:Rg==,iv:x64ifsoMBh4KlLPMbxRtBAsJ9aZDV2xYfeg7H25X4Pk=,tag:7sZpnxtYRLjbA6gw/xlE9Q==,type:float]",
+						"type": "ENC[AES256_GCM,data:m2A/zP0=,iv:XbTAut8sfxoC3DZ6d5vk2j1v/Z8oYjBsI7aKVeOS9t4=,tag:b2ALGE5MRijheaIMFTQqQw==,type:str]",
 						"value": null,
-						"zone_id": "ENC[AES256_GCM,data:J4ULGoSO3vnrsJRTt/hSNzOHI+I1C/6mIlrMTvVWA4Y=,iv:tvX3CTUT3Jd5P+iaxpvcjI/xAW+uU5thD0VTsXvGtT0=,tag:Q8LTvG2/Wr7kikKrrENU6w==,type:str]"
+						"zone_id": "ENC[AES256_GCM,data:vAAeGqaaMgmk70NNPPokcDnxITLfQV21sdk3R5tCi/g=,iv:KUBVtKrKC/Pam57xVT7dGQi7JfgUM9bNEnsKsA2qYUA=,tag:rMceA8Dp+W45U1WjGoCurw==,type:str]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Fg==,iv:7vp7QaWSDSvslGhx4rjTbF7/y1tQR5I/jpfwT5i5Fdw=,tag:dUyxtTGt097Kc1JHoNN6Ig==,type:float]",
-					"private": "ENC[AES256_GCM,data:CmISV3B1ehtOrq1R4eLTyXdFfrFdmgRDcsp7rD4kLPyQLZC7NIMKsvtstlpGwl4uSrd/0UCjmJyn/y5NmXPsnafCgAo36BY/J+T1NyuP6XKsEyxPa99cxeZZu+DqCH3+RhGuu7cJCwMjIz6tkFoJoVgX3VNBKY0icwfPNEGuN/59DY4/bHTgd3r2BDk=,iv:eda5fZA6vNTxninTMSrD5cIEEgtNnRF36hilkhpyJQI=,tag:IrO7ubqvBrcEnT+Vd91EmA==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:kA==,iv:Ye/lJKCnGHXpiSnzGZWhGxRIr7Wc6m63GN99/Ojv/QA=,tag:QJogjlf06eLQvcGp3kGllw==,type:float]",
+					"private": "ENC[AES256_GCM,data:H9BkqHEu3RDZi2zGWQ16gKOc6qhCxa8PD0xoRgNSbiAJNCedEVQLhLPViMCZw2dlC71dZgxxOh0y1GkPFCg0AFKmOZBBFSTTeJ4MlIeQjVNiKBDp5P5culK2Cj+aGcFqu0D7njN+/99o/MWhAqgZqdG+7lVQb4FllW1sOfhOWIhNN9JNFHL9+NjXSAU=,iv:ttCE7nD9zIpzbevengl2V1uDYTW7dsBRdjztjDLDlR8=,tag:uwqiL4+s3HpsB9A+p712gQ==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:fy9Co4BH8s+tH1YYYxDTxbPdbuwRtBgExDJZWJ2FzAinKnM=,iv:h/npt/htX7n6TI7QnUZN62ywWh17i+3Dbrta64FhlyI=,tag:uGVtlBol285uc8RPai+JqQ==,type:str]"
+						"ENC[AES256_GCM,data:olQC0dF4Y9AG/18ZjYeMejhzF2skxEVOAEKjESMvKCiHZOA=,iv:cHoYjUJ0OB5yk4aRcZnljTBlHAGVPWQAU2UpMB0E5Qo=,tag:w+Z1VTfHKMUSV1HkI0BcTQ==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"module": "ENC[AES256_GCM,data:YIP0Sg+bjXqAOaht3eM=,iv:d2Tab+Hj8IB+hx6OkS9+ZIkmNXPap+IM7Xi30bFJqb8=,tag:GaLwE8McJNsbYMCQzTCPsg==,type:str]",
-			"mode": "ENC[AES256_GCM,data:PnskPKEyeA==,iv:lFyIcIpSTxi/R8AJJnhAmXM+RnZi+GUP99NichyZgKI=,tag:G9b5Jd15OlYCT9WqNvRkSw==,type:str]",
-			"type": "ENC[AES256_GCM,data:7BbKVg6tRW7lU345o9kpR3zPJsNi,iv:Wmp2vPQbSFgmgc7LFtjeZaNXYPgxJyyM01Ssl7VYAQY=,tag:g3lp00fYY3a8alAG1gHN2w==,type:str]",
-			"name": "ENC[AES256_GCM,data:ghecfB5codtKEmOL2AIv,iv:UJQDrlZH1qKXUDzGWCEV6R1jYP2RPfW9BnAD4PqrxgM=,tag:Tk3B7LVcHk1NbCaJFzhEiQ==,type:str]",
-			"provider": "ENC[AES256_GCM,data:zBYkrt0CfurMS4P7UVqHTh/1Bv8tDni1D7X45TFR4vLkDTA7KAmLTzsUSj8EFcBziWWwtBya,iv:LJAEOUxNEDn4XjOUfN9Bg2UT6oMOm22XNtkK8Uy7yKk=,tag:GoPKNkwcnJgXr59JqD3nLw==,type:str]",
+			"module": "ENC[AES256_GCM,data:rHgaoA6nsHlh4iwxoIU=,iv:sKMHhXKmBI9SRHWk1yTgUEorP+SXiABn5sQZLruvymM=,tag:sL+gUDPi2H3r/jZF7ABEtA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:sSf7sXquyA==,iv:heOA8VSEqpO396uwnNQE+j4LHwqLG/lXvhWPsZfHsbU=,tag:dfNv/RhdpyJglFwlFyFGdQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:AiCWbAPUX8WjzbjcOCBIprddFOdV,iv:WvfkOiwB4BWSzino41jp7VyM9KNZ44kHTitYDtVx1KE=,tag:7JmTqc1sqzLUvIPxQ62Icw==,type:str]",
+			"name": "ENC[AES256_GCM,data:jwmI4Fl2Ngo6o4gnlOtm,iv:fhCswjLB2sKJB5GDP3Q+7xgx3iihW7En4uozzG/HmZI=,tag:3BEoHkuxETlevfIOTxaOiw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:Ce8QGenr0qJLjaI8oT/R2C3411eBCrm/oC0szD8sIowO408jna5VY8mlA07LUzNbIBW/9nQC,iv:BSZTUrQ0N3OleRycFCq5AmMLgI/P270UYETt0lGttCA=,tag:Ib3fD6jmQveakE0abO6FXw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:uQ==,iv:23W794oUMGksmwbQMdhNsuvapd5Em60c2TdM3sVY8ZM=,tag:i8f6jeo3X3gXAC4zQzX5zA==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:hQ==,iv:tYyrelsdISaq1RwO7jqeAHzmAmF1M3YvQtFw3NcEI9g=,tag:2Pvxt2sYMle33Ov9rk2+7A==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:ek7UJjdnRRVGOpg=,iv:qeiRsAm1/gty6Fawgv8BEks/rpllqlXEKLi5WJb20jw=,tag:hKbmDicn5dMP7vFRiVMoyA==,type:str]",
+						"id": "ENC[AES256_GCM,data:85DdSPdDUqTNQts=,iv:O/gdD4cHtOwrbj+LQI8uw3GY+sgRLrd+nh6v75UtMlw=,tag:FBMh09YApngOEdBbz5O6Xw==,type:str]",
 						"metadata": [
 							{
 								"annotations": {
-									"cloudflare.viktorbarzin.me/dns-type": "ENC[AES256_GCM,data:LGLeO3Rc/Q==,iv:4/qka3jlY3zKsl46jNcXcFuc+hbSZCfFFxhukKuiDks=,tag:MBvcJfBM4GUBXV05+lGD/Q==,type:str]",
-									"gethomepage.dev/description": "ENC[AES256_GCM,data:cholMKPJSjsvtacMJLhuRJv4j0GwsbnA8DtHq+MIp2y7GkgY,iv:Kh9f2Rl8nkSJz5Iy9qgoslblgQZ16DUXMTpcb6IXxJg=,tag:MrlkuHvzkunNgvKicportQ==,type:str]",
-									"gethomepage.dev/enabled": "ENC[AES256_GCM,data:MgZeQw==,iv:AnbIefSZML2CT7i/dspz31femC+EKNAZsMxmy7gG/RQ=,tag:AtqSnR0kBcU1QCux1bx2+Q==,type:str]",
-									"gethomepage.dev/group": "ENC[AES256_GCM,data:Uj3yy6pqDrX/aKD3ig==,iv:BenJO4b0FnHM5vhGKCE5cUf8l1qF65nWSVVrLlgtPdE=,tag:O8Yx86jgIxfCh0xyBy0oJA==,type:str]",
-									"gethomepage.dev/href": "ENC[AES256_GCM,data:wQnEVSX2y8OL4DjiWZk/zNu3wjoRmgQ7zkqa+6I=,iv:x0hFsp+pNMWolv7XXNLzDxBIDpMEfaZ6S+mihMOPOv4=,tag:zkb9ngbF4txXw2iKBRthAw==,type:str]",
-									"gethomepage.dev/icon": "ENC[AES256_GCM,data:Ne6el4FH//6o,iv:TUlM9qXU5pY7fuBgbiFjElCMOVYed6GVBgTpFEpFHH0=,tag:Ej/2M+KZmSWaaxbvjyMExQ==,type:str]",
-									"gethomepage.dev/name": "ENC[AES256_GCM,data:as72Pmk=,iv:4YAyDi/HgoY2zPSLQdwPImmzFlP+4OA7ClvCer59UY8=,tag:haYm1l6l2SYvyzwK0es5yA==,type:str]",
+									"cloudflare.viktorbarzin.me/dns-type": "ENC[AES256_GCM,data:H0g45oc6fQ==,iv:i41uVyhoTQ6UypR14sUhrrsA7ElMvLov6Ux4FVTg5aM=,tag:ji8rSUyewldSQ5nGiDg2Lw==,type:str]",
+									"gethomepage.dev/description": "ENC[AES256_GCM,data:waih3OMLoUyE8fs7V6Gg9bPWJUmQzkIEQDzcomJhMMP94u1x,iv:pgvMUP1J1R3AOzWkMwfSI95AsMCCXquqbfxvlwTbNgI=,tag:gb7PWnEX6k61FBb75aC4/Q==,type:str]",
+									"gethomepage.dev/enabled": "ENC[AES256_GCM,data:gD6JZA==,iv:qAJ8DGZyWxUccN/XT7NKyBpPlvbZLudlgz5Gudm+iWM=,tag:jvV8eOscfvL5p/S6RBJuIQ==,type:str]",
+									"gethomepage.dev/group": "ENC[AES256_GCM,data:KXW4hYt7WXBZ95GPGQ==,iv:cvtZWwqH5nWNygVsCVTZz/NmJ1Sp3HmUZ7OUsLOkU2g=,tag:3kYx2b5N8rFvP3BL3iJ0tw==,type:str]",
+									"gethomepage.dev/href": "ENC[AES256_GCM,data:P74Djgqb0nxkyxf8A/hx6Rou+D8TARv6tZcTCtk=,iv:zdRvMAU/cOotalBa/Y98svI+99RHkNxwaAXL//CLgj0=,tag:RNhrUejxsMHhgq6WSFE5HA==,type:str]",
+									"gethomepage.dev/icon": "ENC[AES256_GCM,data:nKaoyXIE4M2n,iv:l/Cqq7AcTH+UWyVRuzOz0yhV+GoVDRmqif1bJCCuiec=,tag:epO2dmcoW5//9D43jRuZJA==,type:str]",
+									"gethomepage.dev/name": "ENC[AES256_GCM,data:8mGzqjc=,iv:QtKys2bECCO2BfED5H3UpTBa4y3vM5I3QW50iArv4+Q=,tag:lrT4EuLee7CvphmpudbLdg==,type:str]",
 									"gethomepage.dev/pod-selector": "",
-									"traefik.ingress.kubernetes.io/router.entrypoints": "ENC[AES256_GCM,data:qxIpml1MBUNM,iv:lAm9C6+bKSkEElNIQdYUuDcch2HXGys3hcE9Lhqoonc=,tag:ylI9hYZR2GPoKspr7c8Lsg==,type:str]",
-									"traefik.ingress.kubernetes.io/router.middlewares": "ENC[AES256_GCM,data:XQywNNiJgzIVHna8ed6OLJ90ADikCo+GlVjKbOx+vsVwjYWu6GMNcnzySM+d3wx4PyGfmuqOKotbrYM/zREiHbE0mCqIXINAt6eIVI89jFoIWa+0HxgeAzJdrAT3lOJhEwphshDV+AAX/3AFgCfHIo9/ArOl/krT+ncDnpoEG+1GtObrk2R/fSn4v2YIAizpx0rRw4fd8ZpDI/lBfmb2bi7exOeqoqoM1bOwaxrTcRLJWBpErFf/DvPCtUJor3wvCeFVeHyU4D2PB8ssAceOakJW4srQOpjfVAPQC1jS9rfrRzYbOTolzg==,iv:uwXauvDbfpZLhcdsn3EAs/sIbWTp2/ZVYlUjL1iMzJA=,tag:XyACWnb5fnoLtJ0cdhKg1Q==,type:str]",
-									"uptime.viktorbarzin.me/external-monitor": "ENC[AES256_GCM,data:Z0m06w==,iv:s6iEXnYsMnkwPg39wCmhRd+8MbhtF59GUOo1FL1rssI=,tag:WOlhg/yXzoZrWtqb9VdTWA==,type:str]"
+									"traefik.ingress.kubernetes.io/router.entrypoints": "ENC[AES256_GCM,data:Ulk4yopbP13k,iv:ATRGWdufC1tL1aD4MkERAH96kX0ZzVSJjFut5yaRDWk=,tag:s3p9hP80xP5bOjzKeWutJQ==,type:str]",
+									"traefik.ingress.kubernetes.io/router.middlewares": "ENC[AES256_GCM,data:gzvOsW3xAWVNl7si+4uJrJvKV6psS2vc6vMCK+PtDSIU97lB8+xe27s+8ajAzEAa7kD/WAeDc7+uZPIpHf6V2xsJLNmbGz2O1vV1b5O++AdcsYDEtc5DgZdmttEqlE5z7YwnL5BqtJ9j9baNDd8VT7BH1aEPopNMwCiNGT8SPBcMaGwnehy5D1jhwIbnMg4X+WfwLkH7Yn8miqtPSLKuQ605JjpRXBhfK/OfKFYUcGy6Bm4+HSvtwhmFrnSShJaRpUwIpyWYCb6U,iv:fFLcFG0opz6Ucb11Mr6ZO+8rFap5BMc0jxCzgCaHtzU=,tag:B9HOW1E3lcvVsDfdzIRoHg==,type:str]",
+									"uptime.viktorbarzin.me/external-monitor": "ENC[AES256_GCM,data:UyWOLQ==,iv:oSULfpPk3eacjTbdRWeqgDyEkE19gwOqHfyju5Z9lJQ=,tag:vPoPOOxB1j7Vs5PcVuzdHw==,type:str]"
 								},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:YA==,iv:JZw5qeOkx8wI83yIWEdjb65om4dzosJJUUSKGZKsmzA=,tag:xcMakjFLWUsTUj3Zqo8hkA==,type:float]",
+								"generation": "ENC[AES256_GCM,data:Fg==,iv:M+AU8cbZuF4jarxtLAlVDXv9kWyEtlFHQUzcuxulbgQ=,tag:VA9nRiFY2qVzfQTQQMzAGg==,type:float]",
 								"labels": {},
-								"name": "ENC[AES256_GCM,data:ZCl4rgU=,iv:Yyy5rZbXHUXegOhSrsmI38PD/x9jxaPx9hH+cQ0M0J4=,tag:T5plDr9qiwx39VmQsnTJYA==,type:str]",
-								"namespace": "ENC[AES256_GCM,data:SOnf72Y=,iv:QIy6CdMRTC60x/MS3js4Wp4Z4QbjLXAuLh1Ds3EK5s4=,tag:w4f9Glwce0ih32jx7P0vaA==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:GLn+g0PTtkv2,iv:Yd7p5Cgvj1vAbEjgXfwWTuo5ef6s3VzWP3c5C15+g48=,tag:ufO9ynnkmeCZn2KuTpf0xg==,type:str]",
-								"uid": "ENC[AES256_GCM,data:xxmOybAzS6umh43H1myRUsjXKrgaGgnvRiVTmGepQZAEMYxs,iv:HUGL/W0vWB9XUwEPkVEtnh0HjE2DL6W/PSjWUEI9jCk=,tag:gEnGI+2o7ljubhLYTIzs1w==,type:str]"
+								"name": "ENC[AES256_GCM,data:tZMPmys=,iv:CMdDqi9a4yl0aYgTp9d6dtXuG8Ty4NkgAD7bpi/E1VI=,tag:W5dm0J4ODHpJC+R6Np9VFA==,type:str]",
+								"namespace": "ENC[AES256_GCM,data:JVHOTbw=,iv:pp79OWljy/2orlCIUytFXdNyveXElRLCDqJWLZ2YgrU=,tag:CBRkire0UFM+kQTdMZWyVg==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:w+ZjyzvJyyJ0,iv:ru2Ah6epX0/PNoyJh6bsZZqUfCdKb9I+IS01q+5eXsA=,tag:VkEoEp5zeLfDKw/FLHDLTw==,type:str]",
+								"uid": "ENC[AES256_GCM,data:BooqFou+Ay+R4uGrHVcv/YArlYSE+BvGP2DLdJRw+3PKYGYP,iv:l+WHhtK0fXsuReVoQ7v7ac3sMcmUPRFs3qu4uh60404=,tag:O9xhdRbtxPACVyoiotK0dA==,type:str]"
 							}
 						],
 						"spec": [
 							{
 								"default_backend": [],
-								"ingress_class_name": "ENC[AES256_GCM,data:1F52LXbI5g==,iv:XqgLN2BEYy5U++v2nJaJM+doG7/bMHEPJrtZVHnd8D4=,tag:WILZkV6vhNGlGCYaeEw3NQ==,type:str]",
+								"ingress_class_name": "ENC[AES256_GCM,data:plKQmRV4eQ==,iv:BityOyyw+ffBFxX4IRHP571wegKH4Xu133dmybmNfGw=,tag:4cZ0VrmuMV7VZSrB7IGk9w==,type:str]",
 								"rule": [
 									{
-										"host": "ENC[AES256_GCM,data:GDHjNRcaSJ7aQTjiczaaMS8dwoo3,iv:68FenPRxfLA5L8xS0fRGpWohavVlUsuWXbCp0mUc30M=,tag:SZhMR1eR067DZr5ClDSAbw==,type:str]",
+										"host": "ENC[AES256_GCM,data:c/Hpdm7zF3jGxasY/azdhnP14EHi,iv:VwF8of+sIKaO6L2ONFviJ21vlhkqKJ9qWRE3olVlmao=,tag:zKPWLXjKU/JWTrx6XhyBqA==,type:str]",
 										"http": [
 											{
 												"path": [
@@ -4061,19 +4153,19 @@
 																"resource": [],
 																"service": [
 																	{
-																		"name": "ENC[AES256_GCM,data:uWOxvYM0YmcDnG1J,iv:Qj0ln/OZf3fJ5GLUWa7JxS6NqeWCmX6LK5c2X9lCSkY=,tag:moxFwyeU1Rlit1qqfR2fkA==,type:str]",
+																		"name": "ENC[AES256_GCM,data:Tv3oVaWg+rwmxk/S,iv:6WuRdg84hdlfyC7c2Y3fARN47g8ZKDg2diLfaS4iLe8=,tag:SHTfaG0/ubVERJn3Zmr+/g==,type:str]",
 																		"port": [
 																			{
 																				"name": "",
-																				"number": "ENC[AES256_GCM,data:32WQhw==,iv:+YTdvI3OO850DiEg5hcnUi8Pv9gdoJKtxkb8bpA8kMg=,tag:xWnsRgM9rDxuNoARDGYIMQ==,type:float]"
+																				"number": "ENC[AES256_GCM,data:DwLkPw==,iv:8fR66wuLxqLMCnwtREmbd+JkKoAwYHLo+qLasBGlHZ8=,tag:Bh1NOeTgI6JrvyrwurHV1Q==,type:float]"
 																			}
 																		]
 																	}
 																]
 															}
 														],
-														"path": "ENC[AES256_GCM,data:EA==,iv:sbMAMIF/trQgw69xMtZ4or5sxFO01eGUjE11hFCzoyc=,tag:AybQH+wkx0SUPzTOqD06Sw==,type:str]",
-														"path_type": "ENC[AES256_GCM,data:PMybKWu/B4a3dHOe4PF81FtYwBJPyQ==,iv:qujS/0Ab7gvCC2OcUma3PAivM3TY73AvWX52SLuKViM=,tag:T1dO1YHI83hiiujrvhPjrA==,type:str]"
+														"path": "ENC[AES256_GCM,data:gw==,iv:amF1HTsflnozKZEoRQUYES6TpJNA+xO70uGTh1ZygG8=,tag:krYB0kbQp3pNMKNb3obMoQ==,type:str]",
+														"path_type": "ENC[AES256_GCM,data:Wb/ePTefkF9X6U2i5d/JduaeVyGSCw==,iv:kNRDoK2ZvCrO86Q3cd2AmNEoszedlwUZ9/IDgVOHWYc=,tag:bGhLimhtd07alAEXiGEAvw==,type:str]"
 													}
 												]
 											}
@@ -4083,9 +4175,9 @@
 								"tls": [
 									{
 										"hosts": [
-											"ENC[AES256_GCM,data:dY+4FgZIRhoSjVxjCaOUOM0+pQHE,iv:H4h7BKZ+rr97NApvbb/22cT0IPEdk+15EJ31H9zdSgw=,tag:oJTHzs4hg7ab674Havq8xA==,type:str]"
+											"ENC[AES256_GCM,data:e06gtpMtJ94i1goAYhNAU3QTFhCf,iv:PbcaB/NDBqRBJXio5SvYpm4I2xDcxnITVK6b32qV43M=,tag:nI8Tn7GKiM7cSVTpdyz1cQ==,type:str]"
 										],
-										"secret_name": "ENC[AES256_GCM,data:HXTrExfYHD+qWA==,iv:ZMNHIF62Y4kaaObMIjw/OIjZBFVxsVK6xqID86NHDWI=,tag:mDlGFGj6ULPDP8E3X6Awyw==,type:str]"
+										"secret_name": "ENC[AES256_GCM,data:Z3N8jDzcOzszfQ==,iv:LlLGfCnS8thJytmxSiG3y2kOK6UpAPb8MuurpwfRm2o=,tag:NDDi8G5cX4rOOpweU1j6Gw==,type:str]"
 									}
 								]
 							}
@@ -4097,7 +4189,7 @@
 										"ingress": [
 											{
 												"hostname": "",
-												"ip": "ENC[AES256_GCM,data:axtzOoaJfr2z0t0=,iv:T4YznT2UGB5shRyzSAfASO/H3gAy9zz7DNAKqN1KLTs=,tag:v0b6t+5sruvCGoJBYD2v0w==,type:str]"
+												"ip": "ENC[AES256_GCM,data:P55CCpPODSYvQPY=,iv:YPFv2Ok1oyuTHFlGGyx85EOqVKLqwenwTh6t6YgaBUw=,tag:/Nbfs/BHpkvf0G6uzoinmw==,type:str]"
 											}
 										]
 									}
@@ -4110,189 +4202,189 @@
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:u7dpp6hmJKk=,iv:IsKl2i4DBPpC9o3YC/tnnu3WSu+WixLM1NQ7dtTVcJc=,tag:YVyYRHd2xVfeuRxvaOXCQQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:YPaytw==,iv:usemxw/nonbOEpgPflZXecvkMDRZUcTOB0i1f+d/H7o=,tag:uOqZ8U/iCTLALuSm2N7KZQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:VtSJhQC8zoI=,iv:o34SpJzlSZstnrSqfkCWAOGAHbVl//NJVJvUQMDXu0o=,tag:M/55sDiRpbuaLVOFEEjn6w==,type:str]",
+								"value": "ENC[AES256_GCM,data:IAA10w==,iv:hEmgd3pGDtQ35yZm/EFHLHewE3/V3ga01JPz+EV86g0=,tag:tcQJBhOhh5pcgr1DeMf7ig==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:OUMFflY=,iv:UhJ5Ef7piIUBrk9vpaCFabQPNYLTRNvY9uEjcgFt3jc=,tag:xoAiWrAxVVT4XEawJLAh3A==,type:str]",
+								"type": "ENC[AES256_GCM,data:qejH+WM=,iv:uRiT2MOEuUp+U5ytNHZ4YjAZOXNKaxooBpMF19fqAHY=,tag:yIerOaznWDsUHZHOQCqITQ==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:Bw==,iv:efJWfq2fR4RedFHAmevzHxj+ru/RcXod7aTUv8ZZLec=,tag:7EC7CXVsE6yGsBgvK/g6Vw==,type:float]",
-									"type": "ENC[AES256_GCM,data:JO0Qghok,iv:x2QzWIAKucwm/ls6uFVHeE2Aq6y0Z1M6SWYJBI/GNJs=,tag:MQUBFr33NGJM3oINmjkQsQ==,type:str]"
+									"value": "ENC[AES256_GCM,data:LA==,iv:g8r+p7CUb+bYksMvSu5JI7R86Hf6Fzgii1EnRo+jvoU=,tag:re5GfVMWKsYbTuaEPlFPyw==,type:float]",
+									"type": "ENC[AES256_GCM,data:K3YH53lU,iv:fVEcCNoUqYhOBz1kaq+3b/4p21K+7igTvhwBmwPXD6w=,tag:80YzHqYbWfT8i2pRDuLrtg==,type:str]"
 								}
 							},
 							{
-								"type": "ENC[AES256_GCM,data:JZ6gXSZdghU=,iv:VlyycvwdYBS7Ucf8lOCugSHsSdncoP0ofMsTWvX783s=,tag:Am1JEQDgOkn74zWtrzahqA==,type:str]",
-								"value": "ENC[AES256_GCM,data:X1ZE,iv:Nyaj++YqQOgfEPsY6ERiEsWAhopvMftL7C4P5Fpd78g=,tag:+5Au96uLgRzrflqKKYwh8g==,type:str]"
+								"type": "ENC[AES256_GCM,data:6JSoLWLnrCM=,iv:TKy7jppWFDPTpnb55lEJoMagQQr/Xe1eP94JnLR8J1g=,tag:Hgzt1RIBb7yuMFF+Wk7Smg==,type:str]",
+								"value": "ENC[AES256_GCM,data:CRI9,iv:tnHHjduWOxDcYCuIDUwDzpdIYH7bObjS68uG/+kU2DE=,tag:vW+awgiNiEzAuwxrlXg96w==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:3UKeH3k=,iv:a10ugwo/vMBZyPUL3sAOJe0AI+c6euxQCX9r4iBN9K0=,tag:+lmzlNCTZDXANtwO9afqnQ==,type:str]",
+								"type": "ENC[AES256_GCM,data:h3SgwxI=,iv:zXzO4vtq7HLtM+4eaL+21XekUo0KLCVH4AJ3yWxRin0=,tag:G85N30wHLz29cDq9c7aiew==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:cg==,iv:d8dSUgbIQ/hDBkPKCzQddx1riC/Rt/o5q4InE3RlNBQ=,tag:0ivbmFenoxnsXIrF2r76rw==,type:float]",
-									"type": "ENC[AES256_GCM,data:1/dwIiW4,iv:VnnjBWLzd4GJVpc69btOt5ugZ7syL//kynvgNTS9hbo=,tag:Aufl8yqQF7BOL2MAv3I1nQ==,type:str]"
+									"value": "ENC[AES256_GCM,data:mw==,iv:vZjbbIekUZgCHnb/j3RDhzlFIGy4gP0+4RDzbFUhoQM=,tag:wjTWPUI1bBJXrFjaAyNP1Q==,type:float]",
+									"type": "ENC[AES256_GCM,data:OqF/Gp/d,iv:ExYE6lowJNmA33bQHXMfeYUquY0A/q6cdX/5kbhFsNY=,tag:FAL5UgwvVEqoprbqfiKzKQ==,type:str]"
 								}
 							},
 							{
-								"type": "ENC[AES256_GCM,data:1dw9ZSkw8o8=,iv:DHHSL96/PSOUG6OhDgITJJUiXJeNrRqzhdP7aw2trrM=,tag:C69uTfuC8+2vbQLGk3CjHQ==,type:str]",
-								"value": "ENC[AES256_GCM,data:KOYqBrEY7ZKmMRI=,iv:dFITRx4tAA+deIWMgDSkuibE6vgfyzH+QAOgP4+IqYU=,tag:kZ0GdX3nb5+0I+2tmVQGuQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:KMtd3oy+sag=,iv:rkyToo7AOfGaD0ps9dbNPuPozRR3kY7C7XLTquFCLzg=,tag:17avHbTBq6IIOeLSrkjUGg==,type:str]",
+								"value": "ENC[AES256_GCM,data:fyl+XTUYbB0nhtk=,iv:hy1t61aFrjzPlKHSxzaUTuJnJhGtdO8duEYumtfztxU=,tag:ipEyaQcLW/XkRuTRM0Y4xw==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:Ig==,iv:UhMiRCgO+ghXnGkhb/NYjrt9ZlYu8kv84HbhMpkoS2E=,tag:aQhxeKG15jeUu24cl+TWTQ==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:tg==,iv:1nIMUmbKBBthHSEA+V/E8zNyATdU0EdfO/jm7xMyOlM=,tag:hOhhkAIPpy3FaHp6r4tFFA==,type:float]",
 					"identity": {
-						"api_version": "ENC[AES256_GCM,data:qvVh4DLxen7Hk4R/kdLuPIRCpEk=,iv:QxkB0ECwbfLrq9SoMBqvMnVKRj+7+KCBixxKieWQlB8=,tag:pbQ2z0w1zKfAQ53s06NMqA==,type:str]",
-						"kind": "ENC[AES256_GCM,data:LNVCsauUUQ==,iv:l8Jdb5iOeZ5BdyjKVkum2ZPKWVN1JoEIC0UUAYq+rGk=,tag:bkBIEtw+YS6JWe/bWPL6eQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:aVK4ecQ=,iv:qybUxjoAmXRuqS3asoWGLFlx/FvStkckKTDbZ3Wigy4=,tag:Qz/gmqWiZ8ENzl5ec9cSUA==,type:str]",
-						"namespace": "ENC[AES256_GCM,data:MsApa0Q=,iv:XUneS878vL3n3MyUkqmCwlZoFp/ZfJ6d7IZXhO60AZI=,tag:53zZFgkyOdb36rwZ1i+Gow==,type:str]"
+						"api_version": "ENC[AES256_GCM,data:Uk4SdHD4l7sOAC36t7vhQjZl+WU=,iv:P4bEtdXqeFKyEinru3xPOwtoKA10zqUivzsmmenqgUk=,tag:GKSLxX4SfyEBi1QFPUTaKQ==,type:str]",
+						"kind": "ENC[AES256_GCM,data:m8cTJVFTFg==,iv:m0wSRxZIHGBj/kPHFKJ0ZXLu2EuWODWoI8ugQq+Cp70=,tag:+eJIjkZ8UDuFgqf8UR0e6A==,type:str]",
+						"name": "ENC[AES256_GCM,data:IZ0yaso=,iv:Rl/T3GpKpam2i4ERGj9DlNuQphirW+6zWuegm6V3VR8=,tag:xrZ6CMdx1QL1Rj3BwGSUMg==,type:str]",
+						"namespace": "ENC[AES256_GCM,data:v3Vc+CQ=,iv:QEUsIM7mkfFSEU3LVXRzHehCYiwi4F8+AE0wA6xegpw=,tag:KifjwAIkjiHWkijwjC/XCw==,type:str]"
 					},
-					"private": "ENC[AES256_GCM,data:uDJknrThESxzOsdbCPrfbrvSDMIGjh+khHQXHTk9SORXde3dRBIx4TSwIUmVXY4pAhOrunQMchGO4fSlIpuXv8GWkLZNza45OrJCTZs5qCcZakyanBdBgLNX0+i+8A5wcyuEtnfq8uP2wg9xTj8SmWNwz8N5G01A,iv:C5sMYq3CiSbbRhtTjep2RbP+hlolaUoXbQWJu/So1Io=,tag:34eXZDdzFbQHwOAgMXdovg==,type:str]",
+					"private": "ENC[AES256_GCM,data:9vmpIdaa3212tESoa/k3hitXSy25Xge0X09hmXrk4On/pLl71YOmSb2JpOKoVoWcnR0o5PzD4/SQy6HJ22Ty1lAYPDcLaEboC/kyGizIsWyF39SUw6i1NHPZPnj50TUqbtxQ9kSgjadAbMefI68lDLw6JKgqQo0J,iv:rePyDUaCr5HyLz572iyNgBKdP/V8Fh3vNTYyHGwL1As=,tag:QuLUM4lrK+dmH6VYdvy22Q==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:1C1jQFrJ/Zl7BxTr/+79mp1rWK1V8aZiOeI=,iv:ltuu9hVPHPuEOUX8epYG3yZfn7pNwddn+67E685HFVU=,tag:SNw6iuTT4myoI4Osx3hMAA==,type:str]"
+						"ENC[AES256_GCM,data:gwADcP70kOS1A1Keqp/wQmo3NuIQmRBX4Bg=,iv:SeNi/CKz4sUgoatS/CMOPevTBjvkfe4XiI2SeWMoK94=,tag:8uoX1o2msoAD4cnm9gorHw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"module": "ENC[AES256_GCM,data:0ZlYI/dLu4GtHg7oBinvcPc=,iv:f+iwiPiTCSqWFat1qPVK3yj3cuIkpGOVYez+KMt7wFk=,tag:jncNLTybm9pyAtcyWRYMNA==,type:str]",
-			"mode": "ENC[AES256_GCM,data:zpPcmsrCoQ==,iv:ciuiooz9wRxe3bmlFdozOEPZOvOdQLvZeqxip//SlOo=,tag:L6K53q3DAyTA2O8Cx12P0w==,type:str]",
-			"type": "ENC[AES256_GCM,data:eoH0CK+2CuCuzk4BmrfIP+w=,iv:Qgw+qSXZsunO6gESBtSqBo3E5CwGrBe3/2enboFtj9M=,tag:3rOKC8MD7D+rBhytvb29ZQ==,type:str]",
-			"name": "ENC[AES256_GCM,data:/eagJ8e5r2bAtg==,iv:84836KxCkqMxu/RPVm75jRkxwDDaTKm3SxJFq3+fTq0=,tag:pG8pZBtQOrDrgCTFGxU4Xw==,type:str]",
-			"provider": "ENC[AES256_GCM,data:l8wwN/8VDgsroZbJnGFO1Qtolcpmc9uBB74gc2NBRHJuLtThpBY7B39IcMbHpz0mRCh8MJEd,iv:80x/qRa+BseIizhaqlNYlIyJ8wPZ5oFC05ojkoCs8GA=,tag:jphsBEZYzg+T6/p+qm98Cw==,type:str]",
+			"module": "ENC[AES256_GCM,data:zqQlI/THtqFHe7wQ0O7DgIE=,iv:w0ORxcYiNQ5v8h7bwmD4st37irsWZM3/GbkH3WHDHXc=,tag:GxlVqsEFKCsHrJppZzNDWA==,type:str]",
+			"mode": "ENC[AES256_GCM,data:uV5WGO0cHQ==,iv:vTbCypwvDGrirFbA3GQxRR5WThuxxh9w5CJPPnNDLpY=,tag:itezZhGBUKrgOR627I9mzQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:2JQDHpOm4u18Y7zCPVfBGHg=,iv:oJoyzl+OKBI4f/dBvGQ4G+xCySGk+TMqqBFtudsfois=,tag:Lfi3x0Xt7i2BYgYNfdLPsg==,type:str]",
+			"name": "ENC[AES256_GCM,data:SyWm2xIfyByEKA==,iv:oD2uxMbbEoAP9rwiceuRpBAcYlRwyzH1FE+PW940a34=,tag:N4j2Ho/DhPSPhMqwL09dQw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:8NL/21R8FonQhzs0eK7A550u2lAJdeSMMeBxzpP/yYo60CFtG8JGVDQCj96dehOsxJL0MTWe,iv:6PrrBlHSS6C8kv7raVw6oNqsxKY/Sts9Yo23BW/dwyA=,tag:+uhywgqNcC0N1QwyJ4slgw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:xw==,iv:y/fZ8r+pAq91xIdqHAW4M0U7iK+404ZTHQLX69l0ux4=,tag:2PzyAu6nueIHzL/orC0I+g==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:SQ==,iv:mjR7tv1S+DvpJM5uVp8Bslif3TQ5/Tw2ndoJgvsvme4=,tag:TfNR8JIMaWHeoUzjP73qfQ==,type:float]",
 					"attributes": {
 						"binary_data": null,
 						"binary_data_wo": null,
 						"binary_data_wo_revision": null,
 						"data": {
-							"tls.crt": "ENC[AES256_GCM,data:1evphiVvDA7hvfqEebiCQtG8Fp0/kavqB9MtgWvxpvLr2WA8LixSaw9jT2aHqn5vyh5zKrHSvPEJq4YnMtsQi25ugkyHUOL3X8lOe8K0ES157ob5AHL5odXTKv76rRlkcAIrlPyMOyH5v3NywE98aG+TUkhsejELLuzg6TGVNHdcBiTEsPzGrzyzvC4XRejjBXHTOpM/pGFMQJj65dG7FshZ3W0oqPgFUXnI3dUR6dtn/8t8GCc/NKlodRMGIjWGu0oDocHYH7rZeQxAc5AdeQHX8dRGUDVNVD5q581h9Klqz64SP4FiXkjX0OZFwhgsVj2993pUXHDcNc7AQsbnOBCMcRgW6LEhQ+7UP8Wk/KPSNh/v/m01JaDKpEdoh8ItFga82NjqpF5SFX6vqxAl5CdrhjAvgOZZCkb8d/wYp2NJkxgBVE5RO/onUn0M96dPLtIQI6Bl6plKRVKJFpkjpe9jloCVnCwI0zoOMrnZiswtPZ0LY7tsWVhLAmgJI8Cm1046cQse99UixxfJLdzyGqI9dbCzhPWKo/LvheBEpvtwnJK3ari3wdnnaqOg4OMvCNhvDh447mNIeYOXOuo3hwh0VZPK/VavbrtbZo5v/CUNU0Ez+PZLEQy384unML8adKTWNWlW8t4JJRdX/rIajZ2skSnkS46OYNktj6tSYbD25DUEMiGM8jyoMttSpRsNr0uS5215jn00tT0i3hHjSNCXj22VMK8GX2bgP4YKPP83WwIPytnc05c43QSNGGHmVhHW051b8Ta8RLW1q88SYN67hA5M95DKy7Ff9ruYUqaTq0gGsLkZamUSbVi+Yg/UrvYISnXCb3x0oEwOohjA07ITzB0DY9YDc2to5Xcu5e8i4RVAwfeL5A7054acsw2oDgPEV1Ou0ly2oL3uWoV8sgOOTEy/H9EwNdYCNP7EK96oQEey2Sy8+LlTLF3ZMe5mZ6JgiqEgZjs9UXKeC2oNMDOdXdXy+3QHbupmUVmkXl37jKnyzv80PmxXwo8ZPh/c2eo1p0fU8Hp2kacE4mX0SJP/2wq8YTVvjjlxnj8/FUWgHwKyVYrPL1822u6G6BaeMWZqF+JHy8H77tUgbHdz22O5rtr2ON9tVAk7fFeWNmSzpcpF0yuxgZjTPDVgjHe8SUo/+NVq+8IrCQpaq2nFwumYNkyD8dV9rLzv2Ph3LKH9BgPhTNJQ+rPRPvgpxebXuaa5pB5lUpxZ6dHazyihvvGJf7iRvNVONlf6VeDsyxL4X5XHGqvh61t4aZp3Cgo1M47M8RQQ+9tj/Gh0Wgp9g/aklDucrQor23Myzby4VWiUELrki6nVJeGzXDzfMeJWvF/mfELw8oYzQCV2Vy8ZQPlWBdihytJEEf/i7YU689j4FygLcrUjZ5eyMfAAqwf3oZiiNxsMPviwpHzPiO0X9EVSL5xr3Yi8YyLnVWcQb1wcLq42r8gKwepZGgFRDW5+1ZQXU9XBPdENkLSCKJEOlpCy1JdJgY8yRc9dKhBtxp5YtePybrLmztmOjzgz/kOzu7ynslPmQ4tE2aPANoMYKu6KLK+p9U2uYp8IFAi2COKF0wCsB8Y2AuOVK8tNx7yP8CI1aOXRXP7EsWHCCuh6nx4NfFFOHp7EdSI63OKHihP2DymMC1h53KnGXwk2IQVY7RVfkyU9czHVMlSCHBaOZ+ufLaLv318qBuJvPUGKT6+5k1tMaiJixI9B67PxRcWIYcbafsicaNHtYroqsxMlN6xr1x3HvTB0Y1KIykm7p5eAc5y2w5/9ZX58U5avTzoDYtF9jHTMWP2laZJRLCBstWAu91G7MBEW1Y87q7wGId8Dcd/8vEyWKXNGzAyEvnN7quMPxcONMPVAb6vT5wx//BiGpRFaMibwzbLf0crsi+lSREUC1U06RUIAgcHQyyrulvhfJxq3cMZ2Xz2O9tpfHsyQEEAHctYLKvW571xax8fhLmgrAym6Joe67nLO2RTI+jX3OdRfj9L/II/WnqafSSHhjG5yv4X2DtLKUmN/qm/T47rKepYSwttOnQ4UyOIh/jIbTl0USGzAJm2EoClE0dTkhXM7el2qYxG1MnjjhR8CZzMnHqR0csBK4LHluiSJY6r/2XCTo1JzMKvYkSxzN+Ye2FX4VQcgz9sozRP7kh4tl+PDLsgFAUVaKaYioOSSr9oC049DCY0gfM2Hpz/IZsSR6JC98ioqelQ65iSiQw+pDTNlgNl18EEQNxwdCwsn8SA8TW8ZbHu/MeK7+IhzbkzgeQqt4itSQK+gWuIQmuQPWv2yFeX5+yYxC1niMzjwps+y93lnW40NQrWLMLP42a/nER18c6NSPqzlKsCvRI7h6+cDsSoLNSz46xLyzV7K8hnN5/a1U4RmurivickSv/qbZZMZavI011Nub2bVlwN/ODmh9ZyGnuEssrsqRJIHtmgQjPPVeo7XONRaAIx1O0sk5svZZcbpPVBUHWb3P6IaytAU3OP77vgZQ5KWrx4/TqzWwr701g+eGDICFXz5BFvW7464GFPYSZ2Lefh0tvQQS9bKRwjdanUxBBAPEx7+m6/rINW3UtR20U6nrpj9c+fD/HB87rxkmSQPpm0h5IGpSsM9KfxDxfYWDn9xK5o1g7aF+P40wWwJuMWDUlLEulj5+EI/DHFnSE3RcOly51kvvnYn/MmoClES4Y3fcrm/MDPee/Jh/M8sHMw+mVKpKfFuFKIzLOd0t4HzyzwsLqNTn9vnWUuEEY0mO6MrqtDeLHATr0vmlvi4u8nMnny5gCVAEAh4RGupZn7l4BsYwBOjQUdwbIwk07s7QK0uwH7Q6M/p4qVAs4dSP4MDYamImGStRW6mgWRCdB05B6NnTOOuPny+VOoUWd+ozX7UL7E8yE40m2/0a/dhdPhNOWA/Zyo4QwKcCgd8aE/2Oea1JBBYWLoNXOogA7AYqeWLrN4+g4VrlfY7uLCEiHnWGoGMYe3mZ6JeSO6wPlCvDe7Y3TwwFY7QslGkKPwnJ2TeS//XDS888gzn3ZgyEuUUSkHPqxTipExblWJwrH8n2DbBNziFmnAmNLOWKhE2YWuteVCEiOvZcSZkDqpFYJnVxzKLTzYy7egSJkq2ZPDf45M7I4A2zapKJvFkDpx2K/8aM3HlxIWLDDp9B0mWVko6Wrz4NGiUND5vkikkti7ETBhQYqGvIo0TMuwoHmLk1oRlxo/LMw+dd23qs/37wE1iw/+oi0HoQEZI3iX8nLTCSOX/nF1c4zMNksywvIWXGmB5Pm7fbWPuOrDLvaNW+YQVGcPa5XrW59UtySs9k+ZNstu/6oRHJfC7MDhr8vPslC21fx+PWJ4zq+t+BiM3TCT/IAXlIfpe2o3CvvfnQfPQ0cz0JXGMhQWn3uC5EioccuZXDOU6cyQV0jEqV3WcUJ+C6tkiw1gzbeGffYP2cvuJTeX5temXNPV9IuRoan173iH91QqfCEGZK2la2n4d5zNkpsH35NJ6ubfv4USQz4AjjaPPBkI+lZzmRke89Oy/cGvGuJgKAH0lMmYKfMYVl3pE4HoeUAfrGKy6sdCOfweNUPi3nH7FMkRvRzxnZAM0q1DsNHt+cNAttRCYzJ6WFwEnjLG6EVaJyQGq4rZueTixX3ouM9UR5n7sjHvAmT5+/cmMkHoWNBHh7sEZQpWddIZbkK8fEY/cjGczFCJ1a3yF0MXb7VUvqGjC98b2njSsx/c5GijRUJbWU9akU+RCs6iO3haZqd0KWDUmL35VsVwGgrvGZ1bURn6RZ9P7WmtRoKbR3+EsY1sDqWV30cQi8toL11ffCOZrYhiqIXKq0woh7IiUtFBl5Q9fuGw8Zad3Ag9wG/cLLOqGLmREpyajDV5wo8sF0RGydizkqizkMDSbCYp+JURpvY3Dy0bIA23FWalGRTeTDu7Vg7U5ThLEyexpTtH2NXwyPEgAsYukjbHwnE7ty2dH2pqOOWkrWPXlLwCHVcm484dCBk/yEoIq8H4OFHFSuTmbmUyxrPvBmL0nra9RWXzCdHspi++v0zcxQpQA9jMwv+mCyO/bbbls9YfKvlOTYa0ARt7gXkisz+7ClqmCDzMg2M6JVSNX2xEaPSq0r6hYyCCgwZM1FwIEjcDuzkIkL2kzhw5TcDzuffEqS9OPUWmUfRDpkxmykYAQq0ggczfAqaNYjX5bk7bHF+GWVm2GLWv5YVEviZGtbJJC0I4pS5qAnABcLCAtsdm+h+QVDXO5+ukSDt38U/nIQrfWteH6i1DI6ERIIVQFtw3+dq7fXzx5/btachLwMeAz4Unj2t1TBovP3wlLnTz/gk33e6d3qUsmiA0i52kyd0Bq4Wg3lBjRYSxRvHZqGeoYvCtGcazjh8T2ZHaXeC392YwxkiA08VlYMvv4XZ6H09v1253+lTsR8ufhz+Lz5QKOeblIqgaRg9vv6KiCYp8a05ovgUKv3kats2l89hzvjlJtvwMS+zspBLkefr6snGYM52wZoS0UlQqxJkwBbxpF1IslfFA3i7e0G0ubVSKUUXghMXZyuXyCLe3lBC+NEaMlNW0i+iRiMYO7Q4GPKfqBa3Fol9mO6q4R9DerTK7pqbcIERe3KK9wqGdkEczXTr8LwS0OAk1s5D4EaAYE0TkwDpHDa+WZnG0Md5/rmy18tyjHANEp/nPrBS29PXn3b15U8bpfu6l7ui/YR3Q2AQtaM0pZ8n+XNnjwlNbUG6HPCJQNPcZ5ZKiYM9ovzV6AOvMf5sEwhz42C6qphl57ERr+DXfYo+5MrLnUsLB5aDVm/av8oL5tpKQVBMT4J4iFHLN0JYQ5HPccNCTPLi2NZ4dqxnnBuf9wXpjHLpgwM4wohTEwJN/Ai3iUwQ5x6HvjhG/yzaw0neDkNOs44OZQOY5HW8gSQJsutDM2wSuktGxZzyFfUAEKD5B3xfIlAKe0msgrPhKbb5ulyV08ZomUzfN5wCAhxlxeAH6OzmF5kxkd3DFqAoXEO5Nr1qdpV0UHqal1lR4kjVXFRy2RTnsb2HmZ/yj9gWXxob8UbzMbPvp1gRuglXyzLCGhdjoMiNddjVwHg7mUXv6Z+gkrk2nkfDwNm0wjNI6T2sET26969qU+NMmH6VF0eG23CpNXYCXZvcOkIgD1GxBiOLRjBX1OQ5w2Oe09CqInZQj5i6eOYQIWp61vf/SafeuWwgzMpayODHQmFWJyolm1Gb1QrUbXYi/z3RD1p5Z5K+FBxPAWuEHBEpqz3rnBrc8OABKgm/2AHG8OHByg1LlnHJvoEqev/F/XEvTmeXHSlogGlZrKaynvD6GhG7bfL48KECbiWf9euoFvqIDwa2oLqCZfECrDhEc5DfkTawzAlPbMd3r6Ls0aUZqZEN+asF0JiBv1UFRoDQZRK7zQwo4dogvPnE7AVV7y48UvYB5Oh1OtfZUbtw1LeFSUHOR3kCAsK6dOwipEJ2ywuerrHjj17ZGJKcrZP+tEelK0aeOKTkjLyRga13STN4lYGaC431tDOLneoCd9OaQ6ndPjsN22gW62vTvxk6Rt/K65TjZ+zCxPWksJIp/tZwseYpOPuc8YirE2cTLF6oCqCNvLbK8yeqwLsIRZi8W13WkhwJI+f4mWkIgMqBHle+QGGZgegRf5k+svHicQX8kfTWNjE7qMjhSHo99LZqltIHFaQ7jv/ZffyJZrjm0JXQy6lwf5prLqb7HZMJczy/nzrtfJ6VlN93WnOSOC1x0LlKguz/5L6lLKxCGH1+vE10eOmel52JxDCo+O4Tt0pXYHfQepi678c/lDgyauT+dOBkVc+uySW7+PYvKdYliBSlepDWySSXeuzI7mz04A5h3Q42xJdDRTQcxf9I1Q/FwUITo86AOYg9coocymKvWMp97+/hICpLE1llftAR7uyGT2mIw7XNqH5jOrtWxjq7f3hqkZMabf0g4SI1zwFFA6cssn834niWuV/LH1qSYRfekhaa0xsnKcV1wd1S6mRkiX+yhcKMQ520VvD6/9DnTjKlI8MEOah9/PET7mPbEZl6QmIlnvHoj6ISn10r9vzOoyoyTX2CcJvjVlYTpNt7lj+HdOMRasbXSTfHQRS5m+7Qw8hJlCcMafGtpK+kggpBGtZNYGGv5aEjq9UYmkkz+ctBi5OkbSgTG5pRcs7ilqesUzKMfp8sd/X6dh5szxtz11dY12vfh4SU9lP/LjKWD4Cz87+HQqFvOM+T9xx9WHZOULkXVgRQddlfvI2v/kHvnDpvCsB4hictpf5KhSwCe/SSE0qzbZvHX20F7P7rBFgYlJnZshS6i4PonDmbFXDUiedMUr/j2uCnM8g8RTsZlsOcjZboq6HC+XgXl5YEGICIKUwuOfjRsYOFYvdBh+PtcLfIAlUNrd0bTpRpBAPPKwFjcyXHahk9dIfsO+uoEygJa5KxVul2BQwNDltKc748rrkkIBEFvzlVqwM0yn6STBmEMqinOLSV5KtMvz0g==,iv:aAhnUNQNhJ4A+toQhuie6s/zj8YEQ61H6eNxJMltpKE=,tag:UDveks3WqTYAQmQvfzvfmA==,type:str]",
-							"tls.key": "ENC[AES256_GCM,data:5wjhc2A+QBZQ0gC/ZW3q+hZw/9r6F+Cwx3pGcm/8Z1v+wNtTHFGZiL2IcGaJ9zQjqRHUM1x4AH3ZY3Pko1x3PPOMF3D6OZ4zUY1LvaoXTrKM6V2jXlBykNE3mtn7bUZkQgbHt3LH+u9IKuoStygchDxPC1dAmHPMVbjrbsDuHWlG7bYeNCuHtuugFcGm81g+sxI9Dk7zxGVCWOYlr/bJGeQo80TBkD4MiEdfNDpR/0B2/PMoVAh7gRYu0T0qDkxme3TSxGsWrXidXxGR913fAKu9Z/850AjhQ6KsKeigPNZQtm1UVlBitJpz/DywLfouWw==,iv:4X9Fs506AyQWGUJsmQmX/BPQXurcK231VX73LX68KRE=,tag:/uzH1NLxuuOMd+7wokzYcg==,type:str]"
+							"tls.crt": "ENC[AES256_GCM,data:jOjvpH/Y9l4GRzZkRxKQmVdt2e3m1ya4SbVX4vG7BvbiZHsYFNXrxxGKOzTAQ5gkfmJ08jPr7u9sg1NSpOK5F+R+2qLi1GLDIfR7am9v6vb7Cj/yuOX5c0WEiaR87uR8hCMdLU2c9cUyfffFyThTFd6S0bl7C0MRpHApltZkon11YztvqsSCoICwmhCzJbp7cZOqGx2lvJzHhciSM3cJbN63XFzf6yGWmpNAS4luFg7m3pxS9pObxMnMI1CP+mNcRfPOpWjejaKqlYgQAuFA4B2PdPUsthWyW7tbS1Y7W4A5R73xNi7sYlowl6X7yzAl/z23JkkEPJ0CxkqnJ6RDRT5IU2F4/0olkAkEthGK1w2KTRgogw4jVPjmvc6RGz+2+V5Eto66A6xMsJHBfLj+TvZGLsv+5TjwrdwyJEx66B4scnpzodiu3aJTTeNqgjvZGxyNt96JTCFK15tcq+aQZ9BRxOz/Ep9yO28PtNoZFeEQICqa6+t2bNxD8HejSwyxhkpVsqSHfv2M+6PDPNmDmqum1cECa2EmmaPXMulmam/evV/V7kYOcX9fJd7u7pcJN/7YRR4rWkwe5PyeZum9cqp5x0MmcU/CAox9yJwRTibobXmLs0vHNOaT/8fVKbBY/8oFE4O66xRToj7VSTa3SzSMuLnOdBdgK6F1Zy88noIghvEQa0QZrkmIVYgWDs0CnsxHvuIBVKDY5jkWtzrj0gCHQLG3DFTTKONyNov+IaW0fseSTZrOODK9c48FpFh8l6KoORDmRYGdQsMoAghWTvXN0un62YYKhxboDdvspu24HSSmXKrrNqjzRFSwg/XcRFCzHFmzhnFoQPbau0IeFbPBIIE3EQtMVHs+bgGy08sqkpIUpqkCq2Z20z9ecVDzYNKQ0fIVabylO0YUygWJa/l13+Nv9HEkmG+oTMSxO9hkOwf02Q8bekHr7JkDrYYtySYBx4ZNw2UeLl+EKAB6rYYwdB9cSnZ67ssuZP+cDdFv2Sn3L43i1PPsFB4Gnn747fHLtWusMjYuar1lnF1U7H0O+dzOOAnXnp/IubetpPOVlOY2IUz677eE/ASRsb3Vf1OPJUCEH3t+hx7XY7x6BS2fY3i7S6kVsT3LAldW24kb3AdQwhVQ67hITRgLxdxJ/xXp+9G7CW1pptjX5BRSEDovdfgCqKX9Y+yAGfZG85GSx8xqi2tIVTvkCshhhw/rYHWxrB8o8YV8cZD9rLlAg9IU09uAvYxY3aX1hADgmJ8bVd9re3n+XaSHHCql4J/wKGLEfXf8HOlSnygjWYoG+xziz/4bEqAw0I7hxEafI8JptObjNHK9UlRQtFJ0PPxVhagRt0oX4sdQOKKptmwzbVRihWzXMKG5RDtwVEbtZjCSpZ0WIXmvhXHPbm+14vg1apg8scovzQInS1VGtiWWR3Ssb4Va3Rtt5NBLXOXvVpr9AGJtVcRZVfzVQIWED6q8ZkGTvBW3EhUEmCkvywK9ZnlR8AgqACePv2GMeFHaA3cJd1hEOAdTE8Ys7ng+HaEJ4sxU2Zn78uLeIX6ZxsrMjsOP0D1rENxjeHexiRC2JoA7Wt4pnIk7lq13qJkCtpVbQyzWbsFGkm/2frZPLWX/3ocsbHaB69Nro1YpsIy4Et3E/PLpvPEdO6GJFN/X5k4/MINS55jQx2BaaNbOV0+XCrCBcewuglqZxLTzFuW85QVcIw7bAfUOkUcqd97YtK8+caMbxlk9FLYEAXTRIl/9lp/aSHjhtHEExm+AUEwniEnJoq3S3fzjLwjEnd3rrHQ6sgmmrBZ6oejoQSv8yvvaObJAjDqM/5l7i2fvt9QXSURkgbzQPDRIn573ZsI5m/lMoxkbyPfzjeOOmhucznUcJ1qclEBMxKBDL4ium6nJF9SB3L2ttgE8U/RDTCaoc65xef8Yq5eReoyqIdz1Fvy0wGO+lpxeU5dWGkyoUPuxBZPi3T8SVhyifDD7JKuTM1rEgeb30muWG0hhxPCEDiG3mKMXDL1Mf5XMRVgHp+R/boAQW6SdjbjK69+8Ot6Wk3mSlRspI8ZiitXcw3M4Nh6f345MtebKg+pe6N5/DG3XRmxh4td/WxxzEQG3o1Nr1pfpsyZw2Heu4QTADSJkf82Rh7gB0p6jk2yyO82aNo+btwu+xV8fWJ8v5jPB1SzhiJDndapdQteYzCUO20qDEWeXWpuTMgiPb4g0xARBp2rDcT7bSg7EPSCwku4uJSJQyfXwrjD+/MfwHLy7zp/DwNi1PBuiwBC67cfz9PI+Tr6ZWcuvMNDC9JhX6OuJmX/hUKhRwUNqjqHIyKoecIcZQ9ifNPcjGLGNDTs0ZowVz3Ba56P2s8oYB2/s7wpI2hCcj980k+ftr7C1GVr4z+qWUEaNNnSRJiPkaBsjXdmX4TSCt+q/41t8GbjVPcv2byoMk7wyIR7xX0bfv5eSy3dHHp4qv4ZQOoW0SFv/FmSNbMckbydUSlo6q9+uKyiR/1NTs9ATqsz4L2IyFWChKx4VyPtQapFqSzG21zGKMV/5Yr6MsnaoviV5CtTjhXwkStnu1aWXd1rzTgB3trXVda4hiiorY10iSUhzZnL3hgTNc5dKF4tpTb95EinfyJ23/DWRJ2tpzWeNVuuHXDwBBWECVHCh9RF2nk4KY8RMhSzazM/kJB6cmgUPGuCGDvHm0ivOD7LBS6Z2PkkBU/s0JgFdGRlc+inFIZzT1J6VpPohMxjEAbggWmebff8otuLDOt8NA2S3aCR2lBAOy0OKdoqsFhN6Gd4F7jdT5vGbBgI1mTGorrvc9aKngWs/kCyoQodgco1+UzQQOmnGnVEvH5oNU/ApoOOv4MIJGqFK87MsP1/+VXmecHeMPvkXz94viFDKoRkrSit7yNl/aV5+85GxZTIcd/1yizqJDIG9/A395wBfKaEdctdj2Db33tWd2SxJgVRIeeQNe1M5s4z25d6JMZPqaDW76ABK3ectNpbMgkVH2hh6vkO309/KXAbq08rcVRfN0/BGwT+hlZ9u2CXNMjeGWR7Fn44sNcC4CvhhJOUoGOfnZ5smD7SHl1qUQmD6tCQStydEIqQMqRoRvwD7vzm3NdH7DrKpwhuYSsj9HbxlO96vU+3uewne2T4gl1NPEYEB6bYTvpj/H/nESnhovNaxG/co2Q3jR7int6idvtf1hbtC/lVhf3zehogBnbbVfIy9jRHsIJ7AvZzSJNyVWj3t18CAWmf/24+eAptwyC+AWUePbkQujQZ2PNw30XYTAPZ5mdp/yCgT37oj3zDgSV0QJvAdvYZlFofb3g9Doey+tSm0DMbNULBGX1rh477Ed4B9eTtUUzlW2abvrIY7C/7rvyKf9DQz3N/+sUeZGdpsh8yLb2/Ho6nXV43ojRRN1W/432WxKk82iHpgv4C9jXeE3TtHF9au4J9DjZxtV2cMfQPB2ZjlNgTqb0Y8Z8r77YRpXXW7ms9VV/Q/VxLVeolCby2ht69P5s0Rsc5L48OmJCO0NaKweO2lr9NdhKGkYZP8ZXv3z78A3VzOGlrMKaaAQGEgPo9U1/hEBjuYSI0XEbTOhVcC1GCHbCZHb2/HPoz0t4AsQOw13t8L17aEaUSsDlnf/r+CYGYATQdoNt+QdJ4GniUqCgYRUb7+G1z0eQY0LvvzN/ZhNb80o1PRCJnlgKcFLhvdLKFLEvPeIEKAtLU+Xed5o2+8RwUqTz/zi/CxZkxP2kkSIjCoveJSlnMHISLcbSeblD5fRTQupbQPm8Fu5tLg7bSOLvNxkizBrLRn2h0T18gFdJYYg0GiAIu6VytlXFkiGWunTFZ1EiK8WBGufMHS+wn14if5dCNeV15/Ah5iXx4/ye78opDGPcrpDziphy26nG2GPL7HqqUJGeMxHz09T5NIYhYYjy0duIbOfhAYmCofDbewS4c3nM7yqtkrfNBJXYqZxnft2KJyOW6osJQ0UgVQIZ0nJ1/Xcd2TSsRQ+fPCn52wV9fpW8Ks5QKDwH4YXuEAkGvowDBPdn4Hv3YGU2q19mpRVTzctVefSinr8sfsrFx77Jn582ciGJcNdQflqRG4QtBA29+AqqU4K+GQ9VuPz0EobMUhKauz8bbWfYsBHBx6QDdjgFrgozcCk9MkoM5OzcrS7ESDJW3sxupm3m33d2fXN9HxyL6n6bA0e0xByvdSu/IuO9VpAQLtUROx8y4j2b2gZKVtdHR8o0bEIiURQe6UH/GJKC9AwbAVOQwm/QKrcEXqW/B4bOzDAO3L8OHdxNChoEeJhjY4lmcHrZHKKOiU7EQf8y4/uxcr6VpDyw+rctllCNiHzRth2HaKThoEr8owUw3kCIM5gi6Dz2ALetOpGDm2bcWIUDs/KwD5mUWBX5EhBLdnC26IjsijxOdIW9s5WN6iEgvV3dXZB7XB8j3ulWoU2xrIVEQ+ra7OpLUAquUGmg0Hr2xozyxArEPmdtx6pHAr5Kq1iqc6egs9FEyA3w+pU95M3MqWW8iG7fUn2U+jAy33zBxLr9ZYRoWxwf3sCPz+80Xbp0sabHCiCphnOv2fBe9yMPqaSkgtFfZXI7J2LfSfBIEXN3Grcb6q+2X+SG3H2xitmDnbKfO3aWFFe5bdrJD7Vltx21nGBOPkY4rLtvNZ7AcUFgP3Id6USxe3cgGCkPLJZHlLDv3OmHmg5d5+CkZ2DBdbRJ2V/3dBx6gvUOk3cQdlabtcuzeKQiCf7VhBm4MwYN9huu33gqojog74O14PnKQK/qBsmQQmdzQJTltRm3hAZeI5nTBF3/y8aOJsiSHrOtkoF3SJEsi6bdgHAWks3fLCFAuWuM77FhBVaJgztGyNsTkhR5TP8nQGaXIbNR9fzA52VeL80m6z7g/wreHnFwq0K7cnXb5HWMzs5/AgpreuRS2PpVQaE/rET2l8ghL4irHJR6x0VVhrEF2bpG22E76BAjGSaUNoaj5quNq4M6imeM78y0Jp7S3eaL90BDKG90h6c8uyYud/HZCxHYOsiGQ+ZING5POPBIrOcI/YdZ6yPa7uYodBiSMAdtsCJQZqHIRb520i6vLxplWHOowkcvAB7PgBdmSQxwjndqXIQX2RfZemCDve//FaGr2isRE1Bd/fwX1udI+/YJyhFBNE6uI1b/JgxAr4iYpKnDITm5Y7VP/i95AB7pxFA+7il7roRHvit+TYhPjr0yfdX/+0SjhCq/IpuxnLXUhT2ezGP039zVTCfeU0sOkzBg4oocBIh6N2pbDDKjADQRSGsT93UT5T6E/pRqeK+ObRmjfqvXsRg2BW1/1bF7XB7in6MdDrdYIZEwxbUgtJVcYYRcByLjwHwuU2ivmC50c39UqzSfkq62Q/PCwLkf9zt2EGh0ALcGKG8FbPV5WRu8tXTrNV8zLbu6go18upbIHFbQ6zFbxq+XgEbtDSWfSsIuYvdGF3e2c7LF6QvecOHdp4IylX7sUF1372rizSIG7/OjxNaVD8MhPPE6dfqLPgRDt9YaUv+3cZIlWKQpes+uYfCpKyMvzXwpJJOVku5Hu279M68w3gNFFOnqbtwIW3x29AU8izR1+gX/844RxYNKsIup429Ep56qNzG3RfMqs6jb+gWlT3KV2N7aQ3lbOJPNdE7Pbs6U2kD8kdPPKQhQkyJ+OGmdr2s1/CIefUWdOViPaUhKHLP4qqbR4kZvOSHTghmDDVHRM0F1hqnbTnhYYxIXU0r81hDmapv2itcUFb2S7hQGLIudyAw9hUHJM84Xqn3xfI1pp3NChjdF3MTIFHWsjI5dJS3PKGK/feQHUop7OAj1D1SXmRowBmrWx+t59952ffWjW0toE/LhvlR4c5bPM1Q+CG5hMczrTd/6eZ8sbgIkGNNZuUI0LFUnw5ESSKnqJI5MQmEow+T1PASVBm3utOVofvWyOV1HLCGVBKMSVxxkqSN+j/WxYcXnl1tHsgwng0bqGV9QaEy8vxii1W0gSDXrps6rJ8Ao6dwq6vxw8njeE/nFnONmcoKxI0NEYM/a58wXpfX23CzBjjKbsSmnpFRjPXhM591Nxiq2HbI4NdNs8y6b+dIgmqAKTkkMR2fCZceNryY8CN8QUPcgSjL4/20992Eze49bNftm2HHoiZkGNn1+NK6zIQvXEZ8c84m6i5KEhrUBCMUgpdGVGFYehO4z3G3Ta40mYuyH0Ugkx51CS5VzLELoQROgiQA9lhEyruHQaTs4ETy83lMhw5kER2HRcTY+goXALdNWMut3xu+nzsxCv6zMQA2JCV007NMX54tebfVS8YL9s/xyGh7nAe/Zkv8afZsdlKKwht1bFVs+xxLNMKux9ld+in0DC3u2kT4j02NocTPZRQDwbOFyg/OJiOVrVd/Bnm5ZgzuQTR+U+DxKG9ivl6KXSFsgN7y+UqrpTSnWlhsVNn7MkY0CP4ZK19xgBCWDyhAZqDZSgwbHJr28LslCYCcxiCCQn9gHEXva39ZQ==,iv:Op1zRa0yZe+Kpt62jIMm6QyCCwUT1OaoVBoKUrqRrAc=,tag:lOzuShZR7KZYKIdMBhYiXw==,type:str]",
+							"tls.key": "ENC[AES256_GCM,data:aeV5pP3lyNTEgxC0D5446edqaYwQgAT0luujxc8jymPnjme3C8Slana6MnBbBWKeVLaA2BAfx8sRIRn65lRnEJAAsmskDh2iLojPXpENCHjpOMq/4ZdwWnEB8DM0dAliTO30k8iIhP6HwghI4zfodX+SK4xn1HmpqkGSH41E23vtuPWkWG04XuL1jiPE8TGqN1EcFL7Nh1fYuAeBTAIR3hCvCR76bR+2dCRa5r6lhMX5TD1FH5NjwiuVZ5gAGJy97uyJ5ApJXZRcqapXNZza9pKkzZBskAopj9xxnp5vYhSXb9zWYNe8u0f6KQQbOkrVuw==,iv:oIgqI2r+DrYTqizKEnnmuREXgJGmN2z83jGnqFqCyXs=,tag:FJiKyeO+pJb0+uWiOIbLmA==,type:str]"
 						},
 						"data_wo": null,
 						"data_wo_revision": null,
-						"id": "ENC[AES256_GCM,data:xDpcevhuQS7yHwkQZPy+VA==,iv:9P/eKRGNNjwwVBbnDw4C6DS1JW7NUxJS6BFGFH3LQjc=,tag:nT33pvN3c8cLaIsz8WQGvw==,type:str]",
-						"immutable": "ENC[AES256_GCM,data:0Ph6pbs=,iv:r7eUjNLDGy4f2AicM5L3L3iz7bMJhYMR3yg/7R0FqII=,tag:SoRR0CLsSya71QnOSMYgSQ==,type:bool]",
+						"id": "ENC[AES256_GCM,data:2O2+H3wH5Nuw2mjB/jpViQ==,iv:wW1BpGQQVyrxiEadd4BdeMf1fuSXTp8OtVSQeOoi9K4=,tag:bymXyJ0HF6cugUf8XaPY/g==,type:str]",
+						"immutable": "ENC[AES256_GCM,data:Wci4cw4=,iv:lBekaxa0KVZGT0Q7cuuGnQbb8Thd3y1HDhp8PnNbpcc=,tag:+6wHNgr3fOdfrqLOREOyYQ==,type:bool]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:pg==,iv:kPIG81hw2i1MH6H03idSEXByfTqEjymm6wzz48B03bs=,tag:aCsXOOjtSWiJW80FEePx2g==,type:float]",
+								"generation": "ENC[AES256_GCM,data:Jg==,iv:9iN+6u3o/jUmsswmhlHmC6wTUl73zCSBWH73lA9iQwg=,tag:Xn8wGCZW1HYF+B/HC9qxTQ==,type:float]",
 								"labels": {
-									"app.kubernetes.io/managed-by": "ENC[AES256_GCM,data:LxuS8hMnLA==,iv:kSjYjOFLJMmofrEgZ7SMgM+JhCOnz4N0kU/SjT7KCRk=,tag:UUthwHEb22qKB/seyiEgtQ==,type:str]",
+									"app.kubernetes.io/managed-by": "ENC[AES256_GCM,data:MAnrnHSerw==,iv:2vFh6RPmD83BsDDl6SiMqPRXYxX3bCzrIWphDW7VRlQ=,tag:EjrF1L7W+7lmLSli8iexDw==,type:str]",
 									"generate.kyverno.io/clone-source": "",
-									"generate.kyverno.io/policy-name": "ENC[AES256_GCM,data:H8jrHI9jGyoTRI0LHMQT,iv:7OkbumxC1tq/atvZp2IO3MgGvfSvyXAgHbj7Z0mZ5g8=,tag:QLbUJ1NrWZsAhNCpgXaDsQ==,type:str]",
+									"generate.kyverno.io/policy-name": "ENC[AES256_GCM,data:OKDj0vjMzWXURbMnaRTU,iv:EOWPE7coafjT4uJJfYqCSfTeOruA6UAopejr1koD6cI=,tag:354Kolv6diOTWfa/QvyZSw==,type:str]",
 									"generate.kyverno.io/policy-namespace": "",
-									"generate.kyverno.io/rule-name": "ENC[AES256_GCM,data:KEQww2BEKC+HktnM9M09,iv:t6XDtW+lZbsNju+CeUVMZxyMgWQdPVCfvspHTpp0SB8=,tag:k8EVg+Df8493c0gBw1zkjg==,type:str]",
+									"generate.kyverno.io/rule-name": "ENC[AES256_GCM,data:BeO9Ih+j0UhY9diiuezZ,iv:y5oLw0eH+GXGneZzXkm2yYqCPyI/+p2MYRUCUliDOeo=,tag:9B3i+kGPOj2vTtlzduAtKg==,type:str]",
 									"generate.kyverno.io/source-group": "",
-									"generate.kyverno.io/source-kind": "ENC[AES256_GCM,data:VDrqMr0j,iv:7Uaji1I6Un7veyCmePX3klebyfDTS0ngaHgqGPaRjY8=,tag:VdLmNQ4449P9NmnMHk36PQ==,type:str]",
-									"generate.kyverno.io/source-namespace": "ENC[AES256_GCM,data:gIDP3oxIAw==,iv:d97f+FMBF0IKS/mYxZ0f3v5a7Kczf6qGVfak0Tg0nMU=,tag:bXlu3z0VtAxH+DNgtHXLRg==,type:str]",
-									"generate.kyverno.io/source-uid": "ENC[AES256_GCM,data:hRlx4yILgJ5cY2uPjWnlwxUS/I8OpKAr/YYZrXM5iR5KZ9Tu,iv:VsVuoAF98GR0hFXeJ+fRjZytJ4gHzbJnd20l0FRtizo=,tag:JSonuCHWQOWJUTU13SWSAQ==,type:str]",
-									"generate.kyverno.io/source-version": "ENC[AES256_GCM,data:Nq8=,iv:RpobQuYm/iL3CTED3GBPbOYyoIwRGt8PGcw4+qj7vNs=,tag:SF7CveTsJLgAeMYG9KNvQg==,type:str]",
+									"generate.kyverno.io/source-kind": "ENC[AES256_GCM,data:7vg4Q4bE,iv:vqpTj71WDQByevSKGJiEI/13zbXfAYcfMGLZd2pGwPE=,tag:LmjRU5l+ouqSusAR5GArPA==,type:str]",
+									"generate.kyverno.io/source-namespace": "ENC[AES256_GCM,data:7C2nt9Hxog==,iv:2/2plJaci7BbScvRNGXd8SIPQnTrAhB/MFgnaV0DysI=,tag:bO8qsrlR9im5I5mmATdnPw==,type:str]",
+									"generate.kyverno.io/source-uid": "ENC[AES256_GCM,data:boxsbHeckhnr7Jfix7eWpRSOmlOL5mEy7trmU1nfMN1pbmVb,iv:qAWJuhXl/q7ed2FM7EQs39D7/TUOsqrE9IeSANPoqho=,tag:ht7kfnkODE6EbdNwvPQNXg==,type:str]",
+									"generate.kyverno.io/source-version": "ENC[AES256_GCM,data:9cE=,iv:bhcU585myk7VeBmFtAKWTUKXfkLbLeE5uk5atbq1rQ4=,tag:KvviKuvF7jh+G1h61UZlJA==,type:str]",
 									"generate.kyverno.io/trigger-group": "",
-									"generate.kyverno.io/trigger-kind": "ENC[AES256_GCM,data:kq1bLx7zZyG8,iv:XW6/GZyFUb9bLMMcv1NRSRH0FQLvCijLEe6bKjGiNZ0=,tag:owvTfXVcHcrSl9EgJ9KXKg==,type:str]",
+									"generate.kyverno.io/trigger-kind": "ENC[AES256_GCM,data:gg4yXegK94WZ,iv:sMfI4+SjwPMcLoMied/P+0njQiwbo0LAei12r2XFXlw=,tag:w8E3S7CeE8fGE6ior69Fvg==,type:str]",
 									"generate.kyverno.io/trigger-namespace": "",
-									"generate.kyverno.io/trigger-uid": "ENC[AES256_GCM,data:znqysWL0o4tWF6jtz+OQXoRx3107in0cggncQEsSY5B1huvB,iv:XA1rC/+MiO3frK3+n3aTck8bUM2UX8I+H3HlRdDRHH8=,tag:atlRrcFiZ5jwO2G0Ng0+Ng==,type:str]",
-									"generate.kyverno.io/trigger-version": "ENC[AES256_GCM,data:gW8=,iv:SBuy2yU4QTMBjSwcznk+CgDaYoUzm6tntzhDOzTCfMg=,tag:7052GDBg778UbUUEfVrm6g==,type:str]"
+									"generate.kyverno.io/trigger-uid": "ENC[AES256_GCM,data:F8sKPk3JCDZZX6wapBML2kz0j7Rc1FsdKDE7CjdUcupHocy3,iv:YrbjGL/dZr7Xao2RfiTtpwhuof1MozK2canDfZfN+vk=,tag:kKiNkVEygGWR57rdL/KiJg==,type:str]",
+									"generate.kyverno.io/trigger-version": "ENC[AES256_GCM,data:8m4=,iv:bisURp3Q39ekDR5Sr0PdVI71bVoJL6Hnz0UlqPa57m0=,tag:pbb10ObvxrJVPi0CMZGFUA==,type:str]"
 								},
-								"name": "ENC[AES256_GCM,data:eGzwtVGz6p7v1A==,iv:1TeBCg5VlgNKxFi04PZCPbWk/XN1puTW88sePnSwRXc=,tag:DQrZ2I1vqhnbDiaSsIkhfg==,type:str]",
-								"namespace": "ENC[AES256_GCM,data:pcsGcjI=,iv:O3fC6wvhIId8s9LGvKYSaJZ86lFWv5Bhp7eV/dmbi/Q=,tag:wQE8P+f5cRiqciSrILosoA==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:wkSOrtDUdaNV,iv:QvwXZPEQa7wSNmaKu4x/fl8aC3R717dHq0Kq6K/sL8g=,tag:2nPfVb9srihQoLzKqc1S1g==,type:str]",
-								"uid": "ENC[AES256_GCM,data:W1oeUOL2i6lW3r2FCev5CH6rKtiNe739sqh8LBNBywsMEu5b,iv:jjTrXdn7gVRoaOM66olYnRAfwtSpq+xzmN8OM2EknH4=,tag:z7NMFD/SI/KPgR/u8piGHA==,type:str]"
+								"name": "ENC[AES256_GCM,data:a035xRk/2jk2Kw==,iv:VWskgYwHVesL2nHVTMbYYrWo7C47rha3NzSwgFotqRM=,tag:QE7p+PPRdghyOKDCWCK4ig==,type:str]",
+								"namespace": "ENC[AES256_GCM,data:1PkGqgw=,iv:+ctMV6Qv40USO1N+EAYegsW0I5MyeaSoUWU0Qnf6NB4=,tag:lTYejJprL5+4H8qCB3QEBA==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:bH55NHJ0TDG+,iv:fvLHxzURPiZ4/o6+bAOqcrdCrbWbdTjv0Qdvz5CalV8=,tag:UbwOeL2ul7hVZtWENw5dbw==,type:str]",
+								"uid": "ENC[AES256_GCM,data:9Z+sDjhw3vMCWDEwkM8yvrJus2q/PkTdBMl4VyWnkrV6JXBO,iv:PAONuv5m0Kt/6jrF3Oc8sch8p7UV6j+OBQ6P3qdrIJ4=,tag:g3VgO9ottbcxm5oNjTG3Pg==,type:str]"
 							}
 						],
 						"timeouts": null,
-						"type": "ENC[AES256_GCM,data:OS7gtXWUAg7ivp5+79E+pT8=,iv:1buYyHGgXQmb5Pzbdx/NU0YNjBn8ENzYncXk2jTI52k=,tag:RWUbF4TAHU9/EspAewaigg==,type:str]",
-						"wait_for_service_account_token": "ENC[AES256_GCM,data:eNXfBw==,iv:95bgzVPihqwruokaXiV/P5HWJLxrjEOiFlRO0Jd5Sy0=,tag:1yVmNYKQOvYVmI1fxtsfjw==,type:bool]"
+						"type": "ENC[AES256_GCM,data:k4HfMpKyuN/8iRQ/VWFGNh8=,iv:tIEqHKmaLmM/ugj5m2gPJ+R9/PXjuo0ZAasOSnAU+DU=,tag:ACoJTZ7Hikw8hVUovhqvGA==,type:str]",
+						"wait_for_service_account_token": "ENC[AES256_GCM,data:7IFvWw==,iv:CCHFRHqOEvypVhZwK4scxHmYsUEDtKEker4NTATPl04=,tag:psJO8/gj5low0St4X5fTPg==,type:bool]"
 					},
 					"sensitive_attributes": [
 						[
 							{
-								"type": "ENC[AES256_GCM,data:NEd1iaEQI84=,iv:qaLI9RigVFq/LVy1sG3jZRa6FsX7YNzsp5P1K6QxKCI=,tag:Xlpumusw+AQufDL84BRcOw==,type:str]",
-								"value": "ENC[AES256_GCM,data:56Pyl7WHSEa+c98=,iv:xzqdY70qzuUA1anlCHasHRrkrWfVyp3CJGJ83Yps+6Y=,tag:ovb/G8BEX+sskJ/TcJqHsQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:fjkdAv/T5fk=,iv:eCh+bhIlBoZy9p20RxQbr6IfPx7CexNLj84nG49Ku7Q=,tag:Oy2lxvtBZu7T1JcAsPYGTw==,type:str]",
+								"value": "ENC[AES256_GCM,data:FwV6gGeiN/sIVd0=,iv:LeyEJnkfnm0CpacbCGNiXI/hWftBiuqR1sVL83wzbuE=,tag:fxFG/+ZAzAHzsRhID7iubw==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:MTCpmHqAY9c=,iv:gSSIAY5E3jseLzR2WR5Vo2c64F+eWZXf1CYaChv4FEw=,tag:NdDhqCwUlioIiWTFUwRu6Q==,type:str]",
-								"value": "ENC[AES256_GCM,data:iYe0Rw==,iv:utmVPgNhuSYUKRCLf1D0RO0qMBoDGNy6xPCVWh2aa34=,tag:obYhvMs1v3Kwqd+pV1eE5Q==,type:str]"
+								"type": "ENC[AES256_GCM,data:ugc7pPFKlec=,iv:CrsfD8bHLv37448qGhMmfLqPP18cHh6LiaQOGR/Rqlo=,tag:uPCg2lx+plPhnDLjLUXcLg==,type:str]",
+								"value": "ENC[AES256_GCM,data:C5+STw==,iv:40jBevnIjqzQwYfBnjOU2cdRt95MaHnblnNcVFPpjYY=,tag:dsByFbD4Ez/xffRHOlnEeg==,type:str]"
 							}
 						],
 						[
 							{
-								"type": "ENC[AES256_GCM,data:PddQ5MOkwOM=,iv:bJKVHh+bVWyR8vBDb/0BaVub2aXWK4wei9EZ3PqGMlM=,tag:lXal1x9ZaooUTWAPjaM+WA==,type:str]",
-								"value": "ENC[AES256_GCM,data:qQadXVr03MA=,iv:kfqRyoMuHFp82R6AhylZjjsIu5D1mElhTi/IMaZLWmQ=,tag:VpoGb007g6Y94Yl8+coYrw==,type:str]"
+								"type": "ENC[AES256_GCM,data:TgwWMPFPlHU=,iv:aFrmKkTJYHkKvls8RjjRvy65tPMA5DlWsalT2XDzvSk=,tag:aZLs0T4FmOVJGi24c0vhBQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:XxkpdPIE808=,iv:NYM4wG5i6hBGdLhxVGvlrJTTo0RgYYm+D7Y/GvYkQBE=,tag:CN1/cFPkWqO2KHJfytKdXQ==,type:str]"
 							},
 							{
-								"type": "ENC[AES256_GCM,data:+UgKcnA=,iv:oOhOZFxMivHdlVI3FKAgCoPfnkmr/97W38TKYynnWWY=,tag:8KY++0fP3+JQAy6qkaamcA==,type:str]",
+								"type": "ENC[AES256_GCM,data:alB9Ul0=,iv:2pznFIQeS0qszS53/HMle7LlBBgnvj21lXKkoTixsd4=,tag:UwFhkV0jdvvi0xZuZUdEfg==,type:str]",
 								"value": {
-									"value": "ENC[AES256_GCM,data:3w==,iv:VU39STnHZUFvwLcUsUD7B2bop+OL6ZDrNHQ//XfY13Q=,tag:dIzLPJaS8m0zHNtD0PUntg==,type:float]",
-									"type": "ENC[AES256_GCM,data:h9KloRQ3,iv:m+9YJYMZdpDOv36GINOy40DBULeO3IYv3qXIbbK4MaE=,tag:VcGc6S9swSWd4vMj9dmukg==,type:str]"
+									"value": "ENC[AES256_GCM,data:+g==,iv:GyKLRuMp+Esfrv7Z3BWK93LRpcB1H7o0aZ4jFOYNv/A=,tag:tD3QEkoEg/XQAI7IBt2/OA==,type:float]",
+									"type": "ENC[AES256_GCM,data:VPHP2sMf,iv:2l6IR5yUecYRuMXP1rPoYqucf/MDL23fKl2gofmXUls=,tag:n6Qp/EXJRVdJLcHWmFWk2A==,type:str]"
 								}
 							},
 							{
-								"type": "ENC[AES256_GCM,data:BFDWbV+euBM=,iv:sQNJOXinoHCGTY05RPGeDzuduWYyhRPthbhhXCpqW+4=,tag:5aQvbxbXyJWo744BTDbjIg==,type:str]",
-								"value": "ENC[AES256_GCM,data:t2ybQQ==,iv:kPcJiLgb/9xhjVDaxS5eeiJLL5ZEoB/M5LilrkHzhlg=,tag:ETizI3AX7TS1J+XCRvnucQ==,type:str]"
+								"type": "ENC[AES256_GCM,data:C3w0jJUtISo=,iv:JHjoGsL/umCEa6p3RdaQPtxWcxqV/l/htAbddbkLmSs=,tag:IsYDE/uPFXoJmBZjalVpKQ==,type:str]",
+								"value": "ENC[AES256_GCM,data:Z0jUFg==,iv:zRN7GTIysvLaCcBwSrrYgIW6Pgosu+JMyS6/iGxz4Mo=,tag:Fd7sdNxsX9byRNHObU2BHA==,type:str]"
 							}
 						]
 					],
-					"identity_schema_version": "ENC[AES256_GCM,data:sw==,iv:cbgJv4lKZpDnjH5CSmmZaR4p8ina8Wf4thWxNKSDkJ0=,tag:58SBQ3Uik0wIOsIBtWVPZw==,type:float]",
+					"identity_schema_version": "ENC[AES256_GCM,data:Ww==,iv:3ovJuacEjCxmxnTv5KpRw41CStIRU8+TCjM1Znn5N4s=,tag:R4Z6I7Y5DrFzQb6+0r8Z6A==,type:float]",
 					"identity": {
-						"api_version": "ENC[AES256_GCM,data:vbA=,iv:jA/+d/lRsDKj6fZReiD+Pn1VXyKlYRnuuREZJ33m1gw=,tag:FyyvrJ8exmZrhJoIDUw0hg==,type:str]",
-						"kind": "ENC[AES256_GCM,data:Adn7Rrd6,iv:UJolUZ3tpPH8Jh61mT4WFvjeBiMNmr53KZzVynr6Krc=,tag:0o13W/tQqK20o02R9oWSAQ==,type:str]",
-						"name": "ENC[AES256_GCM,data:8bJzNvLRP05qqQ==,iv:M13mIYMg/tYDiYxR2cXwhK0DJFIb4rBpLDPg3jd0vik=,tag:VuxZSnDnt2mNOZzWZ4ACBA==,type:str]",
-						"namespace": "ENC[AES256_GCM,data:WeUoImY=,iv:fs7Kv85y1Sv29HT+n3mQbWa5ch2xaXXsVxdkir9w2V4=,tag:8NZ66ymXnEjSV/lHuPCpQA==,type:str]"
+						"api_version": "ENC[AES256_GCM,data:8ws=,iv:Mx4VGjrIKPuBL8emF3GMz+QDJh3/kg+IHQFO2+WLpGM=,tag:EZB/uiX71mcI0CZ2OciGig==,type:str]",
+						"kind": "ENC[AES256_GCM,data:hi6j2jqQ,iv:uyPjNv9Kus3GQ3ipv+0uU7pboOO8I3S9WaWMrXIKb7I=,tag:4dTdD1FTRoe4mpCUIArNUA==,type:str]",
+						"name": "ENC[AES256_GCM,data:CgpyN3/JrbV9qw==,iv:sM9nXCFzzodh0G4gPUdR99Mkk97AE0zA59PZ7a12RHo=,tag:NJtIRJwNBeESfJqt2d+1og==,type:str]",
+						"namespace": "ENC[AES256_GCM,data:CaeWt3o=,iv:pf9N0OnHLdT4D8uT0VTpYVHprQPEYBgBW4yh1z5Y9bE=,tag:m8qfzReZZW+GAEkBSlrk1Q==,type:str]"
 					},
-					"private": "ENC[AES256_GCM,data:avsaWUy664J6pATU2thKkuFGVyOdrlN/dpbqjSoD4v3H1kzNeSE8AnGtWN3pTrxlDu4G/MqEOw50HNCvyUAtxVXY81jXzitecyhOIKW5dP4adhaG,iv:r2HHs7a9Sp+bJ30wDOYmzjoslqwr6hwmwEmnhXS1BuM=,tag:CaHi2bPfccK8pjwnFSXM7g==,type:str]",
+					"private": "ENC[AES256_GCM,data:GCNg4KVvL+gwDDPGlC3CUf3ROx/fWaQQoYgAlymT88CCMkzvqs3szSbKkzO8WWtkWhe0jAb9yol/5P5VhEcYoT5kX+4l3rLWOFqaAXi51w0OnhlD,iv:vv9zp56k1VSC7TMlEwroxX1vFRAglDqeVnDfXpNHVso=,tag:+lpFE2LllHtt/iwKsHBOWA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:tcTEprAaFkeT3aY3rBWmby0imHCMNNi3StE=,iv:9bXPPWlqwmZIIth9WRQpzKNMNf2dtK9PvFHJrqMnLP4=,tag:52740Cr9x8JyhGncYE9IEA==,type:str]"
+						"ENC[AES256_GCM,data:7yC7nkFFN9Y5bE+Z0PCqZKksMxGSxRdpg3c=,iv:8Gu5eYmV0AvXLrJ5s/SmTrDlypON7mAoMHovOc9qWQ4=,tag:hEFVmM+KbLz/Dl3oSAk2Sw==,type:str]"
 					]
 				}
 			]
 		},
 		{
-			"module": "ENC[AES256_GCM,data:qe0xFakGtFEOSvQRTZuRm648335nwdLbX1hVrw==,iv:yYKY6bIPZ0yIrkCWiJbjMbt4XuLCp3FHQ5/SNiXRMHU=,tag:+mrWqZjQsRUeVW74lxtUAA==,type:str]",
-			"mode": "ENC[AES256_GCM,data:MjQ6vABniw==,iv:5IdzJSbzeoLDnqdiWIai98QuZGoyqVlMUqkUkk69who=,tag:nXH7sCDO/9d2gN1YEJSFLg==,type:str]",
-			"type": "ENC[AES256_GCM,data:ofyZW03o1R9VsL1fuiIGPOoflxvb7uddL/wetA==,iv:XxPoR//Y93SYGSHvgPZP8ZDKBsIg6U8eU1m9bzR7m0c=,tag:XXTH0fR9KJb1CKq0vMuJJw==,type:str]",
-			"name": "ENC[AES256_GCM,data:T9jzxw==,iv:6js5P2PCFa/Jk20Nm22hZUDOOouhY6jGlCLzvQklgeo=,tag:djKHbX2POipvVtIBpkxZ3A==,type:str]",
-			"provider": "ENC[AES256_GCM,data:tyNvorhetSZUxD+M21o3XpAfKA3J1Yj50X2nXh4Qkx+QiilDn/mGix6jEB0TC9tjdtY9WArQ,iv:gg/fHs0d1dKLA7+AogJ2ts+Qy1qq4yuXcWsOOGML+2U=,tag:ZogkGt8lYui2PrV7XFX88g==,type:str]",
+			"module": "ENC[AES256_GCM,data:dfggOINyEep1c10rFAvM+Hcov53uiRBuWdUyfg==,iv:2X3m9heKEcDOspCpI07IeILINDnzRoO0aGHAOSjJHVk=,tag:A+e8mfNjg7p58rWOGmNIFQ==,type:str]",
+			"mode": "ENC[AES256_GCM,data:V1mbDRexGw==,iv:JuyhWXNq6zmJR7kYa3tnm31m/DrInuKgPWLVIip/oOQ=,tag:uFLoSRLm7doTso54vNOG5A==,type:str]",
+			"type": "ENC[AES256_GCM,data:35rUMXKdAVQ9DTB6u8g5p3h1kXnzvp1ITVONmQ==,iv:BY+ZaFu8i16CWFgj88Y9M8EoDGK9YUQu6z2MGJmi+sU=,tag:jfwPYXMbyf9TKAzWSDqQuw==,type:str]",
+			"name": "ENC[AES256_GCM,data:EerNPQ==,iv:AUrYqdScxMDZIXTW2ykS+Y8gCSoCocp0KiyDf4/pdOk=,tag:NhwVLRCabLoRWhdwP5KF0Q==,type:str]",
+			"provider": "ENC[AES256_GCM,data:3BfPGQgYlnLjJ889GL6HGLynRNglDP7OquFgLbFSO2v1LHTgj/hj3HO5OijeMB+eAcuiVCKP,iv:nOgfoT+IJ1GqzXp7zrJ/Sj5daL6tdSITPYLWmmSWdQA=,tag:lmLgKssPcSEs+wQ5MP38Yw==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:FA==,iv:fCRTFXhYUf3ObgK12a2Y1rF1rm4zAPFoHxzRfP0YALo=,tag:kxLm1y7ELDPlasoMeMsxRw==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:hQ==,iv:7k4uXM/PPit7ElKEpIbd6UHEzfVWjz3H04rBSFZKLvY=,tag:ZTw7mRv9WBSPhVo6nXpMXg==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:WQB78+OClouTZrMV2RjNbu4=,iv:ZYDSK7oVDtcgqktMY+nYF1GXGYdqE7yZ2RiDDZVDmeY=,tag:tjthfOoLdJluvv7HPJNXLQ==,type:str]",
+						"id": "ENC[AES256_GCM,data:4Cqg25l4/L3Q4kyEOW8Ztxg=,iv:pkL+95sm4uM6nxOnDpAaITgOQZ4jYwUMrs+gjVA7gbs=,tag:Rk6MtlyyAnao/vBpKpP2qw==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
-								"generation": "ENC[AES256_GCM,data:9w==,iv:pJ6Q9KAoJwnWdIda4nJlGYxQhYDexS589lz1gY/VwjQ=,tag:HL0X8NtIPraTpfAVJoREsg==,type:float]",
+								"generation": "ENC[AES256_GCM,data:YA==,iv:EnpCAx6XA0Zbj2qR4zdUtVIUW68m/K+IL1vqMqSZm/g=,tag:tIOCxpVJQEPnGoTSVZVlTA==,type:float]",
 								"labels": {},
-								"name": "ENC[AES256_GCM,data:QOQsHET5LFGJD8cbmBygK5Q=,iv:NG5Hf6NOnxjfXEV63x9JNVVJJKwAUpIWi/f8uvabpKg=,tag:MPa/OWqxLJIXbBFizesd3A==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:S0xbCzVgRM+u,iv:SvKhj2fd79Z9bOFXYf8qxtcHYiaOLTX7CHQmVICdhy8=,tag:2jdHdH+WIJOt+uJjI38vnA==,type:str]",
-								"uid": "ENC[AES256_GCM,data:krYcLzDsRZIKe8Hk1mv7OjT0QYys24iH6oFi+LDL7mecg3+y,iv:CfkZLTTEXjSElsboX2xDJ7yGuNf79egLVUCPaeilX0Y=,tag:EJCj4tkKQvJ8ks6GoWNwLA==,type:str]"
+								"name": "ENC[AES256_GCM,data:odNY6WWJbr3uDj0IxnDh0f0=,iv:zkEGtPAu0s6EYjuXVQaEeoRYuZt7P6O5tMB2kXF6eKE=,tag:tfG+vthExJwUOya0KV9FGA==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:byQnKaBgGGfG,iv:x/QtMrXHc+42zDphqYgOmeXCABXzPC/Bxg8iyOJUXhc=,tag:Sd1IPMVsrtytzkhzueSb9g==,type:str]",
+								"uid": "ENC[AES256_GCM,data:IvLwlzmj6DBgp28fi8w8JQ76DGB7edtv683vDSHD/+2AOHRK,iv:SixymNiUmBpvQmgKYtosy48c/WbzU/SvEXv1ydS3J08=,tag:Xvmse/03C2oouc+4A8N5cQ==,type:str]"
 							}
 						],
 						"spec": [
 							{
 								"access_modes": [
-									"ENC[AES256_GCM,data:hfiaBAzN8gy5sBwnLw==,iv:wSkpYSkj69+J+pVPG/nprqO5GSYakLyirh1NK2c/NRQ=,tag:g8ZPXBLc2ggxLofvu8ESkA==,type:str]"
+									"ENC[AES256_GCM,data:rUJm17xH4GKDbq+2ZQ==,iv:jyndXG1Isq4OvFXdlWQouENx1dsPdmfuMHX6QjpC3f4=,tag:rRRhG4bHmLsn+rIeRbzAZw==,type:str]"
 								],
 								"capacity": {
-									"storage": "ENC[AES256_GCM,data:jspT,iv:C1sSrHDwm0K2Vr8Mfvg50IyZuCzOsrUjy3S2OZ1kNz4=,tag:i0PzllR+ZdWPSHaTji4ajQ==,type:str]"
+									"storage": "ENC[AES256_GCM,data:PPgk,iv:4PupaDIkK+p6wApDU4c/tyAk7myHuPQPuKIas39Y+8Y=,tag:YRtAu83R48GcPKfnBOU3rg==,type:str]"
 								},
 								"claim_ref": [
 									{
-										"name": "ENC[AES256_GCM,data:EGC0jSUs1FlSsZbEG3WSEc0=,iv:yF5frWdBlQEpL33F9TB1pZOilx/VuoNY9qvGlQEeDo4=,tag:dE7wHZJfQFnNrvh1kcTwjw==,type:str]",
-										"namespace": "ENC[AES256_GCM,data:BeVRTMo=,iv:w8utK6P2CWNO8KkHZW9NowkrbOxfGjvyABve20N2ro8=,tag:NG/yvw5YLHxmybxZuI4Seg==,type:str]"
+										"name": "ENC[AES256_GCM,data:YWjROwo+JZtF+SY7BCLx2Ks=,iv:XsfL0Swu8BqrOyZoFLGyw8U3j3cxaCJPmzP+sDJBTxU=,tag:k0Kse50EeRboYt4yOtX4Sw==,type:str]",
+										"namespace": "ENC[AES256_GCM,data:BnHefUc=,iv:Gf6MaURGNckY+1BMja/CdDyPemSJGA2BP/EVNDR7e1A=,tag:OnGGl3w8apqLYJORk5BuTQ==,type:str]"
 									}
 								],
 								"mount_options": [
-									"ENC[AES256_GCM,data:ES5xcRBkWfE3,iv:CPBN/tphQlX+rFMONxmrVk6C6QRsnJxScV7vaiDTpCw=,tag:fFl8XyyR0z/41sJEwmVDeQ==,type:str]",
-									"ENC[AES256_GCM,data:A/zAkRsnSkWH,iv:qbgUfbwkloCjHKNwTXM2THyk4n/x4WF9AXggEwGNqTA=,tag:PwmVcn++d3320vBlvVNalg==,type:str]",
-									"ENC[AES256_GCM,data:eq0lIOnsdq0V,iv:sA8oj30+FiJEjrg0VaJQDnUD2hpHn42BJfspywXmmhU=,tag:TPqj5DO3PBBvqN/WuIRu8w==,type:str]",
-									"ENC[AES256_GCM,data:JUxZhw==,iv:dX4rLRmtaIY894dL/hLMXjWVebC95yLU1FLE2SI1tiI=,tag:66jvMdotP4OrnpRT73cJgA==,type:str]",
-									"ENC[AES256_GCM,data:aI/dfyS47mw=,iv:GfB2In1clFbiIYNrgdXQiLXAqAm23imI+iCTy6OT6B0=,tag:vJmHR+dkFSKlPjQTAlAGJw==,type:str]"
+									"ENC[AES256_GCM,data:xTNOr94kNY1R,iv:0jCnnCneDRQEpuh3XOZCy8VWeru0czVUAfAJwz1S6kM=,tag:XHk2NgUS7wqZN36EQbelkg==,type:str]",
+									"ENC[AES256_GCM,data:KdcHZ2xovmik,iv:IP7xN0dK84D2ecoCZ/X9kg4hL7fVw79ILoUVaHzp2I8=,tag:ruT9zaKo6u9f+MVyUcC6eg==,type:str]",
+									"ENC[AES256_GCM,data:Tt2v2DcsuFGi,iv:ElrJV726FTxeDgbZk0WhbaFnSgqocLvQSQUuMTkuLjY=,tag:v7NdjyCgweo155h+ZFXCkw==,type:str]",
+									"ENC[AES256_GCM,data:g1xDVA==,iv:ycrNlOL3N56Hs0Whi8n6W1zGyJfl0IzL6+9geGU1EbA=,tag:Dz6x99/5E74dj/O103rWCw==,type:str]",
+									"ENC[AES256_GCM,data:ekK3QtQTkM8=,iv:DKlYCyYdDRWCoJB/quIUSsQ6wHxsXORWy91t3LmG9so=,tag:KP5eratnJYjlavkFoI4ydg==,type:str]"
 								],
 								"node_affinity": [],
-								"persistent_volume_reclaim_policy": "ENC[AES256_GCM,data:ABPWa6m+,iv:6MA3YwoJEMpf3uDQJFSRNUmlo/E0XV7v9kNyueohq8I=,tag:jF/HFl9kLRUkZrzTwRJ6ag==,type:str]",
+								"persistent_volume_reclaim_policy": "ENC[AES256_GCM,data:A+q4vxCO,iv:tLguzxzoHV0p8F3sb/WCbXdGZVOTJ8Z8HMmYbaGNV4k=,tag:HJ1MwVvZghapqdpnb3Y29g==,type:str]",
 								"persistent_volume_source": [
 									{
 										"aws_elastic_block_store": [],
@@ -4304,16 +4396,16 @@
 											{
 												"controller_expand_secret_ref": [],
 												"controller_publish_secret_ref": [],
-												"driver": "ENC[AES256_GCM,data:WTSrNQTa3aoWkobIvqc=,iv:1T7jUBCHFx1WN5SzrbNe75ExpM3DWN147fCMfGuxr7g=,tag:xdtzOupg8XffknvLpbar1w==,type:str]",
+												"driver": "ENC[AES256_GCM,data:wl27PajBfID/qifnGkE=,iv:x+0tJzu+2hK12IkRHWP0E0CoWG2u5v4ELx8mGi9jhHM=,tag:3kawjdKAmW3Z8R/9UMYkqQ==,type:str]",
 												"fs_type": "",
 												"node_publish_secret_ref": [],
 												"node_stage_secret_ref": [],
-												"read_only": "ENC[AES256_GCM,data:wrwfDN4=,iv:ZR+wNl5rCZbWK+DWyROwZLhnCgYBJXsKhAXQOqeWqL4=,tag:oI0RVm5sYq3YlxccKmUZXg==,type:bool]",
+												"read_only": "ENC[AES256_GCM,data:3hiFE44=,iv:SwskuepZFIYmXWMsrhNxFCyc4qs0fjnYVtZisOYJkJ0=,tag:LTmQpeTvuGynT0AWEIhOJA==,type:bool]",
 												"volume_attributes": {
-													"server": "ENC[AES256_GCM,data:cCh1slnlHUo3F18YPg==,iv:gJTWYtKYRYCH1UxUsIFq0+EYpmbiILgmrhAaqMK9+uY=,tag:Bf/2fLmIo0JN/4uIh3NgFQ==,type:str]",
-													"share": "ENC[AES256_GCM,data:1H4XfPYEyBs+7ZO9BJPbhUa6yIYL,iv:kSdSi0nlJrdrHPJRujoIt81SOJ6bAxoVVxqJvKuv6fc=,tag:V+Qn21UJZPTyHwVfGXOLgQ==,type:str]"
+													"server": "ENC[AES256_GCM,data:VsigHKb2XFOIMiMyXA==,iv:cpwmaV51yF8+0qxgI8gtPEnnWN0xqUVvf5UbNZYtLQI=,tag:mw8KvC+tIqbc5NqDa65J/Q==,type:str]",
+													"share": "ENC[AES256_GCM,data:HDR0Qch+nvyXp6jSj/AohsK+m/rH,iv:TYBAT250VjIJ8M7FYYvOXqSqIahpmT+ze1BOd9Gp5a4=,tag:/LIo6/9ecSQCh+L0ANMrrw==,type:str]"
 												},
-												"volume_handle": "ENC[AES256_GCM,data:DiywIIRj56nN46BbdlyORdc=,iv:9p1pVM8Ot4i884/DEk0n3uesSyV7YAODkQlk8WsoL58=,tag:38cDBNi0K2uBHodVOV/C4A==,type:str]"
+												"volume_handle": "ENC[AES256_GCM,data:bDAN1jeaeXOodAm0PasbWuw=,iv:YmZ2QHIwBidaJ3BwE6Hjrku1f1rzev53Noi7yu4g/h8=,tag:nnL9mtde/+fkWNpxtfRk3w==,type:str]"
 											}
 										],
 										"fc": [],
@@ -4331,69 +4423,69 @@
 										"vsphere_volume": []
 									}
 								],
-								"storage_class_name": "ENC[AES256_GCM,data:8hmdChSnnVJsF84=,iv:cTvLMlHa7cXddYS8Ud8taLcH1SLWOVgCx7GmIfIVza8=,tag:5AvSj6MAkbdaYbkLa4egJQ==,type:str]",
-								"volume_mode": "ENC[AES256_GCM,data:mqsar1h1JfrOGA==,iv:AziPk5eJUlmUsPonV+AtRG/YHZfv85AMkwBy037mPBE=,tag:TrGCUyl16lewmHGKiEtggQ==,type:str]"
+								"storage_class_name": "ENC[AES256_GCM,data:ahR3NYa82gMf9Xg=,iv:Et/VbRPkdBbQRo9ZbZk+rAAw0xvTT+ql06X3I2xXgTU=,tag:XZJ0wJ2UnZeOfdheXvFOZg==,type:str]",
+								"volume_mode": "ENC[AES256_GCM,data:x48DGoiuxAaYSQ==,iv:XdTxR4vEyNSJVgFl24VOhqqcNt90V/p0ft8VZmzOsL0=,tag:aQoixaDEjKZ+O2k/Pqo0ZQ==,type:str]"
 							}
 						],
 						"timeouts": null
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:RQ==,iv:3iEmGKC3TmwjHEkQcww0Plos3WrjTnTiLoqLCgEbIk8=,tag:0J/2V/JTr9ymVSFBukPtsg==,type:float]",
-					"private": "ENC[AES256_GCM,data:TOgmSyrPFERi2x4GOmgXwMfp2yCDf6RRdTTVuNFDRGw+98twm8TyLA5jM5h2/ZNnRIJ4K6vDbhiTdQsLVLI4YtoqGFqnXW1oHEsBqyeBqWVuQGOq3jHh/w==,iv:zGpD+SR4vti4IRrvomuZnHmOROjVgSFwPLUMzO+cpig=,tag:aAJyI06UNkXTwthxqb/j9w==,type:str]"
+					"identity_schema_version": "ENC[AES256_GCM,data:uA==,iv:/VhoEVDsSuRDeBp27ZgBRwVDkBeRAV0aroRUHfCHNWk=,tag:FWybFQ3uoeFO3tCAOdH84g==,type:float]",
+					"private": "ENC[AES256_GCM,data:jF2ARZnyIkqfnP6hoLb9bKuNfbKO/5FXHjsI8k7K91Jz7kF1AOryw7VMzU/kwvWwW1hPku2MI9UPuvqhYpjFf9kREkKiSMztMZv6OLS7crjtz/MgvXM9PQ==,iv:8twX9PKSbWB3dKvVpuplGhL4vgZUgRv9eiyrdoTaivY=,tag:cT9dWLahQnsaq33uejdZ3A==,type:str]"
 				}
 			]
 		},
 		{
-			"module": "ENC[AES256_GCM,data:7razK3mRcdbbEuL5PeKYvn263N+Sq69dLdWHng==,iv:ef0iuZWaOckJkG9WYVIBPbM9h6qoyEvYOD6nzBfclmI=,tag:Qb8lAHwOnKxvDe5tWlByyA==,type:str]",
-			"mode": "ENC[AES256_GCM,data:jabarvh6QQ==,iv:wqrEPkGN4a3Z6CAR8OWu5V6mkODsKcP55XU1eztlK0s=,tag:1xyoT6h7LYITWudyLIkyrw==,type:str]",
-			"type": "ENC[AES256_GCM,data:CETf704TxTlIFbBdoIRl7cVPF2dbeSlOpLBlwYQDrDShFg==,iv:wCnNBLE8gnu4vnn3XRidL6Ib7+g5YMOsG7HqAoeGRJk=,tag:708iOnWFQZZvftmIizkV4Q==,type:str]",
-			"name": "ENC[AES256_GCM,data:T6prHA==,iv:GbQ2KUhdXMNGJp2kUe02XyB6Oe0qP8kD9CxtPqESCFY=,tag:XtQLy4DSc5r4yGnX39y5Rg==,type:str]",
-			"provider": "ENC[AES256_GCM,data:QtB69CZl02y3gIU5EJK5TVR4CZnVgdJ48OMt4vipao3CZIKmwJA+N1HkV+uLyvBKFbX+KL58,iv:y7/nN40+0sZw6ZVdQEQh5AN9oUEAOIDMnC5hXIyt9xQ=,tag:b0ysZ5CXURfCbf45lQ54jg==,type:str]",
+			"module": "ENC[AES256_GCM,data:TFikhx6r3T3vnD/RG4ip8rSQNns/nG1TIWETjw==,iv:/VqaZ9g+YcpMq8ENXUb/WFeRl1q3o0s1Q/VCihdciHA=,tag:p3Wh71yb5wMAKnLMxt7Prg==,type:str]",
+			"mode": "ENC[AES256_GCM,data:HZw/HWtVIg==,iv:hmSNh2AD/092hgErt119lQUsA5fgx1h3eVAZ0kuTiLA=,tag:PEIFW55vbm0mzcX0tDBt7w==,type:str]",
+			"type": "ENC[AES256_GCM,data:NUNOL2x5p4RU3MB0YSjJBycCuPws57ddlNxCgf2Hqbj2wQ==,iv:fFPfs65xLmaIvaZEAId3nt65MYEi7xVwyt52g9bed8U=,tag:gGNdVLfbGtt4TqQOoJQsJw==,type:str]",
+			"name": "ENC[AES256_GCM,data:xw3bfQ==,iv:mbMZrq6N7ezM0C+UIe+JGX7dkGzHdpGU6ZIWJLj16y4=,tag:wpMAohawtUc1qwxgIjV0QQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:jN0t+AB+0uFM66/KGA2xWPxdd5D+zSBoh0PBA1SUCDJYkbiOfpxhHSLyxrIm9g7e0hgtcbAp,iv:teXHlGb88oMWK+3F83W6uog3x7Te/R5HuLKQ3f1iE5g=,tag:bYok0yuqUEnZSdwfwRS4ew==,type:str]",
 			"instances": [
 				{
-					"schema_version": "ENC[AES256_GCM,data:fw==,iv:xEamGCfZY4t/o/ie2d37c/jncYe/iaR09C+CTwh88YM=,tag:VV3Qo/B6r2OIvf0U4SyDQg==,type:float]",
+					"schema_version": "ENC[AES256_GCM,data:Kw==,iv:lRo3lv46VqhfDIInbWH1R50Fk9jDVtiZiMkdox1pcgE=,tag:Jva8GRSqdUt8Oe3YY4q98Q==,type:float]",
 					"attributes": {
-						"id": "ENC[AES256_GCM,data:draovadYIUhJ//yeegp6tJb7azvNVss=,iv:uipmdXdqPxddblDwHXiDe+q20eI5jUaRtrPSNSHBv08=,tag:WSx4g3iBQ48G1/zQBz7tbg==,type:str]",
+						"id": "ENC[AES256_GCM,data:CQ3GACig12u1isBeFJWLeNCgx0Tcj1s=,iv:eUGUFieGoAd1YN8574OlTFggFxyu+0TFZp3qlD+jmIY=,tag:Ut6PX7OkMPb5ASeqOF5jDA==,type:str]",
 						"metadata": [
 							{
 								"annotations": {},
 								"generate_name": "",
-								"generation": "ENC[AES256_GCM,data:ow==,iv:3mcOKqK3b5w8DQLwiXOx91X+1zXrYEmoM7QFCMq0vio=,tag:03BJ8TCvZrEQ0NflGFr0UA==,type:float]",
+								"generation": "ENC[AES256_GCM,data:Gg==,iv:xankoAeZ5aqaYRy0QhiPEMzMhoE99/+kXu1Gz5fE2KU=,tag:WGta9IotljRcLU8M6s/CYQ==,type:float]",
 								"labels": {},
-								"name": "ENC[AES256_GCM,data:G2AlPWvsSZQdFLjzCd/YyUM=,iv:A7PIzgvjKPCb6FabrpvfA7Zx01mx899cI53tBAoxLS4=,tag:DYYSGX20lEuaOdvQBUcugQ==,type:str]",
-								"namespace": "ENC[AES256_GCM,data:jio4UDQ=,iv:DrcWnySx6d8YrQd8qk2+L+LLs/DzvmWxWKd/bZLuQDc=,tag:oeP0Qy82pNZY5Pw35TBa5A==,type:str]",
-								"resource_version": "ENC[AES256_GCM,data:9UHdmfLOJ6nd,iv:4jXb8yk1nRRMw33hr/u9CShbftJZRSgbw+1KqTROkG4=,tag:fTwbAl82Fqb3JuXSOe6WyA==,type:str]",
-								"uid": "ENC[AES256_GCM,data:U7XtJwqJbNH/TPPBa7gdcmFLXRufAaChwQC5P74QsE82VMKv,iv:cG9W/CYPpUlfvX2hsSffoLeFVxDfA+STlne2IS+JyWU=,tag:hYvf373CmnOAKyuiOIz7cQ==,type:str]"
+								"name": "ENC[AES256_GCM,data:MKXFwxbPyIsfqAyuFAOIquY=,iv:07BnhvTa+bhM1TfJ0JMCgbf6zjeCUkApaU+7kjAXnd0=,tag:moAo2MhZw99TrlG0fqKAOw==,type:str]",
+								"namespace": "ENC[AES256_GCM,data:tSNjzC8=,iv:aGUj3Ix8Qy67JG2hqSOy2XLueic1+ngE35QioFyHSy0=,tag:iAARtz+2XGw/o1JMYuPf3A==,type:str]",
+								"resource_version": "ENC[AES256_GCM,data:q2XLrGypAe36,iv:ROs6xpSesxHNbdSsXi7QOs9AeE6r4r1UyfznCSfgqxA=,tag:T38FM6Xsra+0LIIUX4Fxog==,type:str]",
+								"uid": "ENC[AES256_GCM,data:DGrb9upuylCGhEXPI/c9o1d3RbN3aIwDkU/ppSN9/XT7uo1V,iv:CSqgokEatf90yAb2XGhWOmVpndMFe8pKUz/qYcHvRqM=,tag:iuEFhUc+2+AOnuUcOZYj3w==,type:str]"
 							}
 						],
 						"spec": [
 							{
 								"access_modes": [
-									"ENC[AES256_GCM,data:VRXKh7ZnHI5YGsL2dw==,iv:TGn3kOyDQgi9wJkIOb1Z6EoHqBuRBK6nxDDyXgENprk=,tag:JRgcUpdZQs2ioWenv+YMjA==,type:str]"
+									"ENC[AES256_GCM,data:k+oN8sIv9BbH1qR88A==,iv:o4QQ/nBRWKPDUZbc1GHU4F99PqqBlqbjY/XwOmPa2Ko=,tag:duRqFiQnc8b4jnJLXrH9HA==,type:str]"
 								],
 								"resources": [
 									{
 										"limits": {},
 										"requests": {
-											"storage": "ENC[AES256_GCM,data:dpf8,iv:UvjtVspY6zkptwoeqfmsDFhVCD5MZteQcaRrUPVXm+s=,tag:Bz9vA8/tZLOiyCE8o8W1ew==,type:str]"
+											"storage": "ENC[AES256_GCM,data:clPT,iv:ipcSleD3VCK23FZC9KiqFaK3t6WHI4IHFd1flmIA3B0=,tag:EZ08ztYUOOkJ6BW4SF0x3A==,type:str]"
 										}
 									}
 								],
 								"selector": [],
-								"storage_class_name": "ENC[AES256_GCM,data:GComX2dnpQ8jcOw=,iv:wgc8n5oK3+NIHG7bS4wkxarE+DcBZeHHDEPzT3R6bNs=,tag:3SaafgbqT/tnFPqW93nZOg==,type:str]",
-								"volume_mode": "ENC[AES256_GCM,data:s1Nx1GM+bOriBA==,iv:ePpZKVqZgVyct7oQkAzITMnG1UOU3sJXzh8V7y2XayY=,tag:y0haEdOOdEkO9wtOzTR35A==,type:str]",
-								"volume_name": "ENC[AES256_GCM,data:5o5YH88Be98HCOneYWu3bys=,iv:qBM0XVkS8T7HtEZhuec5CYWtjoElPTEX5KI8A2L5M9s=,tag:JLwle2t7q1Y34DeNjrxuMQ==,type:str]"
+								"storage_class_name": "ENC[AES256_GCM,data:2583Ni2b1N+6XBg=,iv:x/QfXr6FLF293Z5sSY1WIKXOo4Poop2SDcBIkCKS0J8=,tag:tvNh83A1YHkZ0S+3oCNcmw==,type:str]",
+								"volume_mode": "ENC[AES256_GCM,data:gLPqRFIsYJq7ow==,iv:OoQULvuHXesyAZQjQYCK343elWgKiLoJ9fwFYN+hWlU=,tag:evCBC1Km8Wyk+P4m0Q31RA==,type:str]",
+								"volume_name": "ENC[AES256_GCM,data:4ZAjAV1Dx+29xNTxcxxDutA=,iv:e4I2VWRmVJawrp4GeEINtzz2hGxuP3sL7PS+DBjjpRA=,tag:jtwpDPUvd1Ivi12LTSE+xg==,type:str]"
 							}
 						],
 						"timeouts": null,
-						"wait_until_bound": "ENC[AES256_GCM,data:Z4fnvg==,iv:WYiQtyrHUmsFb3j+UczJgJUmRrp7xToS5KxW9djDFI8=,tag:o9zsOhkrVCtBZzCg65TGMg==,type:bool]"
+						"wait_until_bound": "ENC[AES256_GCM,data:49e8xA==,iv:/dLczgUxGewBJ1DAKmVy6a5OwdxX46t8G4bAsJYnl+w=,tag:Y5KlaxdD8kKHb/TiQ9SmMw==,type:bool]"
 					},
 					"sensitive_attributes": [],
-					"identity_schema_version": "ENC[AES256_GCM,data:Dg==,iv:2E9vdkBo0iueUYrJT+0DR9w5seNMxJqg3gV1f0tGKW4=,tag:3d0eOwF+dipe6hn7bb2Ywg==,type:float]",
-					"private": "ENC[AES256_GCM,data:YRTUqCZ0vZDg/yW+yYXHW1pMOk/Y/TXzGpcj8Kff5aSnKF6W09sSsA4AhhC9lIP1fey0wqY8eqXTrc4LlW7yUjiMIOgrBDCC3HfqLoChO03eOXwg/faH/A==,iv:y7SYyeHZRvHlRvQqcw8GjdQgUTAL9+2jwFiNZhyUlR0=,tag:aUTcUKX+fQQVSy553CITFg==,type:str]",
+					"identity_schema_version": "ENC[AES256_GCM,data:+w==,iv:FibdOkytaduRbgYLj13RxsVYAXjyf3xZu398y4cwmIo=,tag:B/S8G9o9TPWMSqpsDvT+eg==,type:float]",
+					"private": "ENC[AES256_GCM,data:sKkU+Sz0oVeOShx66MbBNXn9nM1EVepR1XTnHV/x6KN/r1yO3Rcu5xutw+mShsOR3xPKAS2tHgPXXkdSIB80e7s3w12oeX/PHq/vALuNHyMLYXESDYV2rg==,iv:T0oSkb8VImuPfVr/kx6xw58nGD3u0bA3EPIE0aOc5gM=,tag:dZUL0TDftQ0kUNWjr9BsCA==,type:str]",
 					"dependencies": [
-						"ENC[AES256_GCM,data:XACDkbFkTxqMx0GPWgDRoMMo91kUi4xzZmM=,iv:dXqwxt1hNxTLdlYUFIqvvUWn6L/WpRUlyYatU6ihEvQ=,tag:TQVvutvuHRw+lchvhmdDJQ==,type:str]",
-						"ENC[AES256_GCM,data:cZFE0HCAIhH8RMNHzVKsak1ucQXMKnfez00Jd3uge5Tq0JLAf3dm+gOv3HhkeSEZsiTIAze7R7YM8sU8T3k=,iv:8lgAcqKkFFD7qr8b3g8CIHl6/Zo8ZyLcgVMchPJt+7c=,tag:q5j6Tf/4Jr29929c9vdksg==,type:str]"
+						"ENC[AES256_GCM,data:qKQhAR7Jt4WAXnqgTPTW700WlPOflIkLjZU=,iv:iC+RrhKkr1zYyyE+DqBX7n+0xdYacTeKmwi+c/0uNDg=,tag:EgPKlN40IMNQMD7eRrg/kw==,type:str]",
+						"ENC[AES256_GCM,data:R/gSyzu5W1FN2cOWQa1+FEgWob0dRtOIgrnB9l79yk6s2gtZLoJZgM6euMjZLkWpExDDq67fiGmYcGgdr/I=,iv:paZQ7FiMjScm3Tdzx0gMYH76pSPY/Bxa766C/avPCTU=,tag:gtbrQZYTBq6rM8RCIINU/w==,type:str]"
 					]
 				}
 			]
@@ -4401,15 +4493,15 @@
 	],
 	"check_results": [
 		{
-			"object_kind": "ENC[AES256_GCM,data:fpbm,iv:dlAGbPj73067dwPv5DmSO9TsGdRPDPVktJLsjq08jO8=,tag:w4RUeM3eKTzqKTWO20ckwQ==,type:str]",
-			"config_addr": "ENC[AES256_GCM,data:cD/426jZYhO2wy2SI8ENMYQ6tdyMstMFTKl6,iv:YuQK9Qcw1IoY0iR4jdf18oJI+LIFdNpMhHLeDcRyxJk=,tag:MnJYT7kn3/TA5GyVNeUFYQ==,type:str]",
-			"status": "ENC[AES256_GCM,data:FH0zLTmvgA==,iv:HR/7qas1G4e322ChE3842D/8YJ1kau1CCrCUxO5dqZM=,tag:kye6ZOK0qOMq1nX1tvwF4A==,type:str]",
+			"object_kind": "ENC[AES256_GCM,data:V6fU,iv:bBdJcSVWsdcBqyIvO5q/nwgCVIRMToOjBi0LO3ol61I=,tag:V93KS+INRPnrQb/hkifAAw==,type:str]",
+			"config_addr": "ENC[AES256_GCM,data:UiMY35sBoUhy3kgegm01f50A0m5k3qXGmEXp,iv:XcTIom6f45cXTQrxyzX9u/L+O60l7Hi+C+TtMs0UlfI=,tag:VXiWcODC/ZIjJcG64vsUrA==,type:str]",
+			"status": "ENC[AES256_GCM,data:X5uOOcXkDQ==,iv:KwJJJbCU0kQi9fEO2LryTO4cn4097cAUv5TSalNiIhQ=,tag:G6eTIz1PTwW9ZEhCPQ8uZA==,type:str]",
 			"objects": null
 		},
 		{
-			"object_kind": "ENC[AES256_GCM,data:zaR+,iv:6Hq3A4q9kg6lB+vhqxxafrOOQ+J5ustcPFxrXjtqV1A=,tag:ux9WthiN3W0yYvQz9D7E6A==,type:str]",
-			"config_addr": "ENC[AES256_GCM,data:OFKwBI2mYGhGz8EZZdF89JZF8ysRzt4=,iv:kgGR+k+cADwGpaTO+tnjxAiuG5zb0x9kz+PTnYETiqc=,tag:5W6K2R+yW/5DTPql9jjV2g==,type:str]",
-			"status": "ENC[AES256_GCM,data:KEdEqvevlQ==,iv:XwaMUBhsbw4xJhx1keZ8/KOTYYRh2izbecpBGxrj6Vk=,tag:QOzIj0RabHh6IqaekjbBTg==,type:str]",
+			"object_kind": "ENC[AES256_GCM,data:wEyP,iv:7/lF0YfE4KpcjU0JmpObhEEOPDVBZOBueeLajjHDFPU=,tag:uSPeKUtUJOZZcIK6rc6tqQ==,type:str]",
+			"config_addr": "ENC[AES256_GCM,data:Yc9jsshxdELEfYumCqIu0PdDbL85CCs=,iv:pWO2c2sRc9jr1TFlnb2pDdLcGl8RLKpnCqfkWIbhzj0=,tag:rJBotwwPrNGuDw5lyK62jg==,type:str]",
+			"status": "ENC[AES256_GCM,data:vCWny7HENA==,iv:Svskes2OiNc1iCXnBs/HvivI6Tm37KJF/i/1v34Wvbo=,tag:yXRHM+5F0Yz/KZz+DT/UrQ==,type:str]",
 			"objects": null
 		}
 	],
@@ -4419,22 +4511,22 @@
 				"vault_address": "https://vault.viktorbarzin.me",
 				"engine_path": "transit",
 				"key_name": "sops-state-vault",
-				"created_at": "2026-06-08T11:51:06Z",
-				"enc": "vault:v1:LP0o7mFZ+jRQKq3+ADVk+rMJOKiBBD/mwYm+4HUIokMlWqZrKXk5+qMVlfSMlc9Icpaiq1QK0/7Lsywi"
+				"created_at": "2026-06-24T20:55:38Z",
+				"enc": "vault:v1:x9d3sK8Jyw19Xumn3bab91p6rP9jwQ+VeWlx4eP7Rq2NRQDPMd5GptywV7+Zsoc1aDRXz9rNrMEitzPY"
 			}
 		],
 		"age": [
 			{
 				"recipient": "age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTnhLM2Z0NXU3NlN0QUZi\nWm8yZ0ZpcDJnYXlHSlFHZStobWt5SHg4ZUE4CllwZU1GZWQySUlNRFpKSEEwSi8v\nNkVtbWcveGVFNGJEdkx0VlprSjJUcXcKLS0tIEVtVjFaaUR0SDlJZjBVR3pPZkxT\nRGwvR01TSFlad1BUZnJQdDZvc01DRmsKtJT8iqsMVLfT4Ux3NDKsMB5pj87qUtpe\njQCTjcOXQeuAdTlkLNXTnndIHmm1LhcbZGKrmYPSI4yEuEbUMSGSvQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCV01IL1NRR2hvUTRyY0M0\nMllCekpNOEdEMTJ3a2IxM2c4d0RuYkVhcGo4CjFkU3hXYU4zSFl5OEdoSFZDcTh0\nMlg1K0hHTWJiWXpVUWhJUmNjRXd6NDAKLS0tIDZHMFRLcEtJeUJENUMxb2RGUnZD\naTN4UTVybXZjTWEzM2R3dWtYeUhQMlkKmOb7tFMSXC+2oRgsFsk8Igoaii76gq5X\nqtyVf0NQlUWeWQajjRitmeLq0N2YRbR30h5zKyFvfEve8dfWpn873w==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1rekkad48r2wzhwqgfetw5yugu3ln3qlht4xg3txmx55tee8cveess60r90",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcnN6SUF0bzJabDVTK1pW\ndzBlelFqV1pDd0crT0pHbDJuK2pNSUtjcTJjCk80RlcxRDkvOHlLNmVxSTlpdHR0\naUlMRllYK0p5V0l2OVhvdHV5eVZ1Zm8KLS0tIENZK0EzTXh2Uzd3VkFWVGhCSkFo\neHZlTzVLeGpBRTE0c3NER2xXSUxzMlEKAL1yqCrn8co/gsI6XLXoAPL0psIIR1Tb\nQiXnLOnrNDu6//9YyXKyw7q2nOQR2QrYPNRyvUWOpwuonKjzMevqmA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWNXVXR2ZLTVFLN094aU9w\nV3AzSUoxUzZHRUw0MjJtVW02VEdzNUo2elc0ClZLUmdCWC9yQU5FQnF2MWlCbkZa\nd2ZCK2NBSU1ETjdtaTNXamRMVHZyK3cKLS0tIEI3QUdmeVdSN0RDYlRyVDVnUUhv\nblc3ZjZobFRtUVVtZHJxY3BRc001QjQKqsaFT+DFZPnfo8ycDYG451m7kxkoCz8L\nvc8geFxmTaGoJy+YGhbzLPV/TvgDhBrW1Tg6ag/5e+w3q9rPu0S+9Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2026-06-08T11:51:06Z",
-		"mac": "ENC[AES256_GCM,data:0LUzKwvXpyzTa94/0DKcLOk1NBX5ggtTcroKGwLBPJPxhwyEOiUowAhpHSFxv0SsvQ5O0OjFc+Nk7cPVGLoQCwMiL/WypobQ8XgPnUcMCXngt6yAcOnnARZVRMSDPHO3CcGiyEWWScmCwd97z6BvIr45TnswMTodz6DwwABeGeM=,iv:Yl/BIcoESuOVpvaB1dLafCtgHyPDnsq8I/f5B/H0iNg=,tag:c/nMf98KHAuCFoasBVW7Ow==,type:str]",
+		"lastmodified": "2026-06-24T20:55:38Z",
+		"mac": "ENC[AES256_GCM,data:0eWERYCAdOWMQX7nqrrBLDr3hZnQY4CicFzhN2yjmuH2y/8v+WMEFm/GoVpFUP8r6qtiA7qH3bZl9xOqP3I0NgxPJak53CwYADqOFITJqwIffl98GmoCF9lYv8QqatPB5kmkH47MKgSuEVc6w8vP+HOU3UYlO49E3084KA1Hc6o=,iv:WtTx9NSJJEMoLbfQf9Y1irGdGvlBwUvghXQMRMAGE5g=,tag:244LI3MRRdJmJp4gsbYCKA==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.12.1"
 	}
diff --git a/tests/t3-migrate-idle-gate.test.sh b/tests/t3-migrate-idle-gate.test.sh
new file mode 100644
index 00000000..a36f95cb
--- /dev/null
+++ b/tests/t3-migrate-idle-gate.test.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# Pure-bash unit tests for the t3-migrate-idle gate. No root, no bats, no Docker.
+# Sources t3-migrate-idle.sh (main-guarded) with the lib path pointed at the worktree.
+set -uo pipefail
+HERE="$(cd "$(dirname "$0")/.." && pwd)"   # repo root (tests/ is one level down)
+export T3_SAFE_RESTART_LIB="$HERE/scripts/t3-safe-restart.sh"
+# shellcheck source=/dev/null
+. "$HERE/scripts/t3-migrate-idle.sh"        # defines functions; main-guard prevents the drain from running
+
+pass=0; fail=0
+ok()   { if "$@"; then pass=$((pass+1)); else fail=$((fail+1)); echo "FAIL: $*"; fi; }
+notok(){ if "$@"; then fail=$((fail+1)); echo "FAIL (expected non-zero): $*"; else pass=$((pass+1)); fi; }
+
+# --- gate_is_safe <active> <idle_seconds> with QUIET_SECONDS=900 ---
+QUIET_SECONDS=900
+ok    gate_is_safe 0 1000      # idle, quiet long enough -> safe
+notok gate_is_safe 1 1000      # a turn in flight -> unsafe
+notok gate_is_safe 0 100       # idle but not quiet enough -> unsafe
+ok    gate_is_safe 0 ""        # no threads at all (NULL idle) -> safe
+notok gate_is_safe x 1000      # unparseable active -> unsafe
+notok gate_is_safe 0 -30       # negative idle (clock skew) -> unsafe
+
+# --- gate_query <db> against fixture SQLite DBs ---
+TMP="$(mktemp -d)"; trap 'rm -rf "$TMP"' EXIT
+mkfix() { # mkfix <file> ; reads rows "active_turn_id|updated_at" on stdin
+  local f="$1"; sqlite3 "$f" "CREATE TABLE projection_thread_sessions(active_turn_id TEXT, updated_at TEXT NOT NULL);"
+  while IFS='|' read -r a u; do sqlite3 "$f" "INSERT INTO projection_thread_sessions VALUES ($([ "$a" = NULL ] && echo NULL || echo "'$a'"), '$u');"; done
+}
+NOW="$(date -u +%Y-%m-%dT%H:%M:%S.000Z)"
+OLD="$(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S.000Z)"
+
+# active turn present -> "1|<small idle>"
+printf '%s\n' "abc|$NOW" "NULL|$OLD" | mkfix "$TMP/active.db"
+res="$(gate_query "$TMP/active.db")"; ok test "${res%%|*}" = "1"
+
+# all idle, last activity 1h ago -> "0|>=3500"
+printf '%s\n' "NULL|$OLD" "NULL|$OLD" | mkfix "$TMP/idle.db"
+res="$(gate_query "$TMP/idle.db")"; ok test "${res%%|*}" = "0"; ok test "${res##*|}" -ge 3500
+
+# empty table -> "0|" (NULL idle)
+sqlite3 "$TMP/empty.db" "CREATE TABLE projection_thread_sessions(active_turn_id TEXT, updated_at TEXT NOT NULL);"
+res="$(gate_query "$TMP/empty.db")"; ok test "${res%%|*}" = "0"
+
+echo "PASS=$pass FAIL=$fail"; [ "$fail" -eq 0 ]